Not really.
Singularity is designed for situations, particularly HPC environments, where you do not have "trusted users running trusted containers."
In particular, you want "untrusted users running untrusted containers."
This is usually expressed as "no way you are letting Docker near my HPC environment."
Thanks to Abbey Yacoe for putting together the gif.
Docker (typically) runs privileged, and it's not too hard to engineer root-in-the-container becoming root-outside-the-container.
This does tend to make security people twitchy, especially in traditional shared-server HPC models.
Singularity attempts to address this.
Runs a "container" in which the container's root process runs as the (unprivileged) user on the host, and the network is the host's system network context.
Yes, but there's also a PID namespace. So PID 1 in the Singularity container isn't PID 1 outside.
Singularity automatically bind-mounts $HOME, /tmp, and /var/tmp.
And can bind-mount whatever else you tell it to.
Singularity has three modes:
Singularity build specification file
Singularity can import Docker images.
This actually is a pretty cool tool for manipulating Docker image layers without needing to install Docker, if that's a thing you want to do.
It can save images in any of several formats, but mostly uses .img "Singularity Images", which are just filesystem images mounted via loopback. This can actually increase performance if your typical workload has many small writes, since you're just seeking within a file and your I/O requests get batched up before going to an actual device.
Singularity does provide for a mode where you have an immutable container that you overlay with a mutable layer, so you can make changes that are then discarded after you're done. That plus bind mounts to save your results gives you something that is pretty much equivalent to a Docker container you run from an image and do not save when you're done.
Singularity is a chroot, running from a loop-mounted image, with some bind mounts, and a PID namespace. It uses setuid binaries to accomplish this, and the loop-mounted image can be a Docker image.
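Since the whole model comes down to "which mounts does the user actually see," an added example (not from these slides or the Singularity project): a small auditor that parses the kernel's /proc/self/mountinfo format from inside a container and separates the loop-mounted image filesystem from the host bind mounts ($HOME, /tmp, /var/tmp) and flags which host paths are writable. The sample mountinfo text is constructed for illustration, as are the paths and device names in it.

```python
"""Audit the mounts visible inside a Singularity-style container.

Added example, not code from the slides or the Singularity project.
Parses /proc/self/mountinfo (layout per proc(5)) and reports which
mount points come from a loop device (the .img filesystem image) and
which are bind mounts of host subtrees. SAMPLE_MOUNTINFO is constructed.
"""
import re
from dataclasses import dataclass

# proc(5): id parent major:minor root mount_point opts [optional...] - fstype source super_opts
MOUNTINFO_RE = re.compile(
    r"^(?P<id>\d+) (?P<parent>\d+) (?P<dev>\d+:\d+) (?P<root>\S+) (?P<mnt>\S+) (?P<opts>\S+)"
    r"(?P<optional>(?: \S+)*) - (?P<fstype>\S+) (?P<source>\S+) (?P<super>\S+)$"
)

SAMPLE_MOUNTINFO = """\
36 35 7:0 / / rw,relatime - ext3 /dev/loop0 rw
40 36 8:1 /home/alice /home/alice rw,relatime - ext4 /dev/sda1 rw
41 36 8:1 /tmp /tmp rw,nosuid,nodev - ext4 /dev/sda1 rw
42 36 8:1 /var/tmp /var/tmp rw,nosuid,nodev - ext4 /dev/sda1 rw
43 36 0:5 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
"""

@dataclass
class Mount:
    mount_point: str
    root: str      # subtree of the source filesystem exposed here ("/" = whole fs)
    fstype: str
    source: str
    readonly: bool

def parse_mountinfo(text):
    """Parse mountinfo lines; lines that do not fit the format are skipped."""
    mounts = []
    for line in text.splitlines():
        m = MOUNTINFO_RE.match(line)
        if m:
            ro = "ro" in m["opts"].split(",")
            mounts.append(Mount(m["mnt"], m["root"], m["fstype"], m["source"], ro))
    return mounts

def report(text):
    """Split mounts into the loop-backed image and host bind mounts (root != '/')."""
    mounts = parse_mountinfo(text)
    image = [m for m in mounts if m.source.startswith("/dev/loop")]
    binds = [m for m in mounts if m.root != "/" and m not in image]
    return {
        "image_root": [m.mount_point for m in image],
        "host_binds": {m.mount_point: m.root for m in binds},
        "writable_host_paths": sorted(m.mount_point for m in binds if not m.readonly),
    }

if __name__ == "__main__":  # run inside a container: python3 audit.py
    with open("/proc/self/mountinfo") as f:
        print(report(f.read()))
```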
Sure, I guess, if what you want to do is run Docker images without using Docker.
Did you think Docker was a lot of hype for something that's a kind of crappy CLI wrapped around namespaces and cgroups? Then you're gonna really hate Singularity. It's a chroot with a PID namespace and some bind-mounts.
What's a Singularity? A black hole, of course: