An open source container platform, Apptainer (formerly Singularity) is designed for secure, high-performance computing (HPC) environments. Unlike Docker, which dominates desktops and cloud services, Apptainer shines in multi-user Linux systems such as HPC clusters, where user-space containers without root privileges are required. It provides similar functionality to Docker, including compatibility with most Docker images, while addressing security and portability needs in HPC.
This guide will help Docker-savvy developers explore Apptainer on Linux, covering installation, basic usage, and use cases.
Getting Started With Apptainer on Ubuntu
Installing Apptainer on Linux can be done via package managers or from source. Apptainer requires a modern Linux kernel (with user namespaces enabled for unprivileged use) and does not run on Windows/Mac without a Linux VM.
For many Debian/Ubuntu users, the easiest way is using the official Personal Package Archive (PPA):
    sudo apt update && sudo apt install -y software-properties-common
    sudo add-apt-repository -y ppa:apptainer/ppa
    sudo apt update && sudo apt install -y apptainer   # use apptainer-suid for SUID mode
These commands install Apptainer in unprivileged mode by default (no setuid binaries). If you need features requiring SUID (setuid root helpers for older kernels or certain mount functions), install the apptainer-suid package instead. In unprivileged mode, Apptainer leverages user namespaces so that you can run containers entirely as a regular user.
After installation, verify it works by executing a simple container, for example:
    apptainer exec docker://alpine cat /etc/alpine-release

This command pulls a small Alpine Linux image and prints its version file, confirming Apptainer is correctly set up.
You will notice that Apptainer converts the Docker image to an SIF file in the current directory. The Singularity Image Format (SIF) is the standard container image format used by Apptainer and Singularity. SIF encapsulates the entire container environment (OS, software, metadata, and configuration) into a single, immutable file.
Like Docker images, this design ensures portability, reproducibility, and security for scientific, HPC, and enterprise workloads. SIF images are primarily read-only, allow signature verification and encryption, and integrate seamlessly with parallel filesystems. Since the entire image is stored in a single file, distributing and archiving containers is easy. Writable overlays and host-mount options provide flexibility where needed.
The .sif file is typically built from a definition (.def) file, which outlines the build steps, installed packages, and environment setup. Once created, a .sif image acts as a reliable, verifiable, and production-quality container image that is portable and ensures reproducible execution, as its contents never change after creation. Apptainer can use this file to instantiate the container, run specific commands, launch applications, or provide an interactive shell.
A basic Apptainer .def file is shown below. It builds an image definition from an existing Docker image.
    Bootstrap: docker
    From: ubuntu:22.04

    %post
        apt-get update
        apt-get install -y python3

    %runscript
        echo "Hello from Apptainer!"

    %help
        This container installs Python 3 on Ubuntu 22.04 and prints a message when run.
You can build the image with the following command:
    sudo apptainer build myimage.sif myfile.def
Apptainer internally maintains a cache for intermediate files and layers, typically at ~/.apptainer/cache on your system.
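Because a SIF is one immutable file that can carry a signature, a launch wrapper can fail closed on both a pinned hash and the signature check. The following is an added example, not from the original article; run_verified and sif_digest are hypothetical helper names, and the pinned digest is assumed to have been recorded after signing the image.

```bash
#!/bin/sh
# Added example (not from the article): run a SIF only if its SHA-256 matches
# a pinned value AND `apptainer verify` accepts its embedded signature.
# Helper names are hypothetical. Record the pin *after* `apptainer sign`,
# because signing writes a signature object into the file and changes its hash.

# sif_digest FILE: prints the lowercase hex SHA-256 of the whole SIF file.
sif_digest() { sha256sum "$1" | cut -d' ' -f1; }

# run_verified FILE PINNED_SHA256 [ARGS...]
# Returns 2 on bad usage, 3 if the file is missing, 4 on digest mismatch,
# 5 if signature verification fails; otherwise the status of `apptainer run`.
run_verified() {
    [ "$#" -ge 2 ] || { echo "usage: run_verified FILE SHA256 [ARGS]" >&2; return 2; }
    _sif=$1; _pin=$2; shift 2
    [ -f "$_sif" ] || { echo "no such image: $_sif" >&2; return 3; }
    if [ "$(sif_digest "$_sif")" != "$_pin" ]; then
        echo "digest mismatch for $_sif" >&2
        return 4
    fi
    # `apptainer verify` exits non-zero when no valid signature is found.
    apptainer verify "$_sif" >/dev/null || {
        echo "signature check failed for $_sif" >&2
        return 5
    }
    apptainer run "$_sif" "$@"
}

# Typical sequence on the build host, then on the cluster:
#   apptainer sign myimage.sif
#   sif_digest myimage.sif            # publish this value alongside the image
#   run_verified myimage.sif <pinned-sha256>
```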
Running Basic Containers
Apptainer's command-line interface is similar to Docker's, but there is no daemon involved. You run containers directly via the apptainer command. Common subcommands include run, exec, and shell, which are analogous to Docker's docker run, docker exec, and docker run -it for an interactive shell.
Use apptainer run to execute the image's default runscript. For example, after pulling an Apptainer image (.sif file), you can simply run it:
    apptainer pull docker://alpine
    apptainer run alpine_latest.sif
If the image has a defined runscript, apptainer run executes that. Otherwise, it falls back to an interactive shell. You can also run images directly via a URI without saving them.
    apptainer run docker://ghcr.io/apptainer/lolcow
You can use apptainer exec to run a specific command inside a container. For example:
    apptainer exec alpine_latest.sif echo "Hello from inside container"
This is similar to docker exec but can be run even on an image file or a Docker Hub URI. If you don't have the image yet, Apptainer will fetch it and run the command in a single step.
Use apptainer shell to get a shell inside the container, useful for exploration or debugging. For instance:
    apptainer shell alpine_latest.sif
How Apptainer Executes Containers
Apptainer takes a fundamentally different approach to container runtime compared to Docker. There is no background daemon, and running a container is a direct invocation that creates the container environment in-process. When you run an Apptainer container, it performs a series of steps: mounting the SIF image (which is a SquashFS filesystem) in a minimal Linux user namespace, setting up basic namespaces (mount, PID, etc., as needed), and then using an exec() system call to launch the specified process inside the container context. The result is that the containerized application runs as a child process of your Apptainer command, without any extra shims or wrappers left behind. Apptainer's design results in minimal overhead: once the container process starts, there's no ongoing manager process; it's your app running directly on the host kernel with container isolation applied.
Importantly, Apptainer containers run with the same user identity as on the host by default. If you launch a container as an unprivileged user, you will be that user inside the container as well (UID/GID preserved). There is no docker0 network or default NAT: by default, Apptainer shares the host network stack (so networking is not isolated unless you use explicit options). The container process can see and use host resources like GPUs, network interfaces, and files (subject to what's mounted) as permitted to the user. This model aligns with HPC use cases where you don't want a container to have more privileges than the invoker and you want efficient access to hardware, such as high-speed interconnects.
To perform container setup without root, Apptainer can be installed in setuid mode or fully unprivileged mode. In setuid mode, a small portion of Apptainer's code (apptainer-suid) runs with root privileges to perform mount operations, then drops privileges. In unprivileged mode, it uses user namespace features (available on kernels ≥ 4.18) to mimic root inside a new namespace for setup. Either way, the result is that you don't need a root-running daemon service. The container runs inside the user's session, making Apptainer inherently daemonless and kernel-integrated. From a developer's perspective, this means you can invoke Apptainer commands like any other CLI tool, and containers exit when your command completes, leaving no lingering container processes.
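The host requirements stated above (a kernel of at least 4.18 with user namespaces enabled, otherwise the apptainer-suid package) can be checked before installing. This is an added example, not part of the original article; the function names are hypothetical, and it reads the standard user.max_user_namespaces sysctl plus the Debian/Ubuntu-specific kernel.unprivileged_userns_clone, which may be absent on a given host.

```bash
#!/bin/sh
# Added example (not from the article): preflight for unprivileged Apptainer.
# Function names are hypothetical; decision logic is pure so it can be tested.

# kernel_ok RELEASE: succeeds if RELEASE (as printed by `uname -r`) is >= 4.18,
# the minimum the article gives for unprivileged mode. Returns 2 if unparsable.
kernel_ok() {
    _major=${1%%.*}
    _rest=${1#*.}
    _minor=${_rest%%[!0-9]*}
    case "$_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$_minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$_major" -gt 4 ] || { [ "$_major" -eq 4 ] && [ "$_minor" -ge 18 ]; }
}

# userns_ok MAX [CLONE]: succeeds if unprivileged user namespaces are enabled.
#   MAX   = user.max_user_namespaces (0 or absent means disabled)
#   CLONE = kernel.unprivileged_userns_clone, a sysctl only some Debian/Ubuntu
#           kernels have; absent (empty) is treated as "not restricted".
userns_ok() {
    [ "${1:-0}" -gt 0 ] 2>/dev/null || return 1
    [ "${2:-1}" -ne 0 ] 2>/dev/null || return 1
}

# mode_for RELEASE MAX CLONE: prints which package the host calls for.
mode_for() {
    if kernel_ok "$1" && userns_ok "$2" "$3"; then
        echo "unprivileged"          # plain `apptainer` package is enough
    else
        echo "needs-apptainer-suid"  # fall back to the setuid helper package
    fi
}

# read_sysctl FILE: prints the value, or nothing if the file does not exist.
read_sysctl() { [ -r "$1" ] && cat "$1" || true; }

# preflight: evaluate the live host.
preflight() {
    mode_for "$(uname -r)" \
        "$(read_sysctl /proc/sys/user/max_user_namespaces)" \
        "$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)"
}

preflight
```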
When To Use Apptainer Instead of Docker
Apptainer is preferred over Docker in several scenarios, especially in high-performance computing (HPC) and secure multi-tenant environments, for the following reasons:
Rootless Execution and Security
Apptainer allows users to run containers without requiring root (administrator) privileges, making it inherently safer on multitenant systems and shared HPC clusters by avoiding the privilege escalation risks common to Docker's daemon model.
HPC and Scientific Computing Focus
Apptainer was explicitly designed for scientific computing and HPC, integrating with resource managers and job schedulers, whereas Docker was primarily developed for microservices and enterprise application deployment workflows.
Single-File Container Images
Apptainer uses the Singularity Image Format (SIF), which packages the entire container as a single, immutable file. This makes distribution, sharing, and archiving easier than Docker, which structures containers as stacks of image layers in tar files.
Native User Identity Preservation
The user's identity (UID/GID) outside the container is preserved inside the container, ensuring transparent file system and permissions handling, which is important in university clusters or collaborative research environments.
Compatibility With Existing HPC Infrastructure
Apptainer works seamlessly with existing HPC tools and storage, without needing changes to infrastructure. Its containers natively integrate with parallel filesystems and large-scale job schedulers and do not require a root-running background daemon, unlike Docker.
These advantages make Apptainer the preferred choice for secure, large-scale, and research-focused compute environments where rootless operation and seamless integration are priorities.