top | item 40478584

grudg3 | 1 year ago

I wonder why people aren't using Singularity containers instead which seem to be rootless by design.

sarusso|1 year ago

Oh man, Singularity… I once wrote: “In the shipping container analogy, you can think about Singularity containers as if they have no walls.” [1]

[1] https://sarusso.github.io/blog/container-engines-runtimes-or...

orhmeh09|1 year ago

Your claims here are inaccurate. You can pass flags or define environment variables to get the behavior you want. Please spend some more time hitting the man pages and the guide.

> It indeed does not enforce (or even permit) robust isolation between the containers and the host, leaving large portions exposed. … More in detail, directories such as the /home folder, /tmp, /proc, /sys, and /dev are all shared with the host, environment variables are exported as they are set on the host, the PID namespace is not created from scratch, and the network and sockets are shared with the host as well. Moreover, Singularity maps the user outside the container as the same user inside it, meaning that every time a container is run the user UID (and name) can change inside it, making it very hard to handle permissions.

IcyWindows|1 year ago

I think Singularity is about keeping program dependencies together, not isolation.

grudg3|1 year ago

Well, I'm glad I asked, appreciate your response and great blog post.

smitty1110|1 year ago

Well, that blog post is getting a bookmark. Next time a junior dev asks me how this BS works, I'm going to show them your diagram.

yjftsjthsd-h|1 year ago

At the risk of showcasing my bubble: lack of exposure; how many people even know what Singularity is or how to use it? I know it's used in scientific HPC, but I don't see evidence of wider adoption.

grudg3|1 year ago

Definitely used in HPC environments where multi-user is prevalent. I know of it because I used to admin a small HPC.

ratscylla|1 year ago

I think it is a few things together. The rootless and daemonless design leads to UX differences with Docker. Because of the differences, it isn't just a drop-in replacement; porting applications can be a pain if they do anything weird (no network isolation, --containall isn't default and still is a bit different when on, etc). And Docker has a ton of momentum and usage.
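A small check of the properties argued about in the quoted blog text and in the --containall remark above (whether the process still sits in the host PID namespace, where /home, /tmp, /proc, /sys and /dev are mounted from, and whether host session variables leaked in), as an added example that is not from the thread or the Singularity project. It reads only /proc and the environment, so it runs inside any Linux container; the variable list and the init names are assumptions.

```python
import os
import re

# Directories the quoted blog post says Singularity shares with the host by
# default; the names and sample data in this example are constructed.
SHARED_DIRS = ("/home", "/tmp", "/proc", "/sys", "/dev")
# Session variables that only make sense on the host; seeing them inside a
# container means the host environment was exported rather than cleaned.
HOST_SESSION_VARS = ("DISPLAY", "SSH_AUTH_SOCK", "XDG_RUNTIME_DIR",
                     "DBUS_SESSION_BUS_ADDRESS", "XDG_SESSION_ID")


def pid_namespace_depth(status_text):
    """Parse /proc/self/status. NSpid lists one PID per namespace level as seen
    from the procfs instance that is mounted, outermost first. With a
    host-shared /proc (Singularity's default) one entry means the host PID
    namespace; with a freshly mounted /proc it only says 'no deeper nesting'."""
    m = re.search(r"^NSpid:\s*(.+)$", status_text, re.MULTILINE)
    return len(m.group(1).split()) if m else 1  # pre-4.1 kernels lack NSpid


def pid1_is_host_init(cmdline_bytes):
    """/proc/1/cmdline is world-readable. In a fresh PID namespace PID 1 is the
    container's entry process; in the host namespace it is the system init."""
    argv0 = cmdline_bytes.split(b"\0")[0].decode(errors="replace")
    return os.path.basename(argv0) in ("systemd", "init")


def mounted_dirs(mountinfo_text, dirs=SHARED_DIRS):
    """Parse /proc/self/mountinfo into {mount_point: (fstype, root)}. 'root' is
    the path inside the source filesystem; anything other than '/' means a
    subtree (e.g. one user's home directory) was bind-mounted in."""
    found = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 7:
            continue
        root, mount_point = fields[3], fields[4]
        fstype = fields[fields.index("-") + 1]
        if mount_point in dirs:
            found[mount_point] = (fstype, root)
    return found


def leaked_session_vars(environ, names=HOST_SESSION_VARS):
    """Return the host-only session variables present in this environment."""
    return sorted(n for n in names if n in environ)
```

Run the three parsers on the live files (/proc/self/status, /proc/1/cmdline, /proc/self/mountinfo) and os.environ from inside the container: a single NSpid entry together with a host init as PID 1 means the PID namespace was not created from scratch, and a /home entry whose root is a single user's directory shows the bind mount the blog post describes.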