Unless disabled by the system administrator, {Project} allows you to map directories on your host system to directories within your container using bind mounts. This allows you to read and write data on the host system with ease.
When {Project} 'swaps' the host operating system for the one inside your container, the host file systems becomes inaccessible. However, you may want to read and write files on the host system from within the container. To enable this functionality, {Project} will bind directories back into the container via two primary methods: system-defined bind paths and user-defined bind paths.
The system administrator has the ability to define which bind paths will be
included automatically inside each container. Some bind paths are derived (e.g.
a user's home directory), and some are statically defined with a bind path
entry in the {Project} configuration.
In the default configuration, the default bind mounts are:
- The user's home directory (
$HOME
) - The current working directory (
CWD
), unless its path contains symlinks resolving to different locations on the host vs inside the container. /dev
/etc/hosts
/etc/localtime
/proc
/sys
/tmp
/var/tmp
Additionally, customized system configuration files /etc/resolv.conf
,
/etc/group
, and /etc/passwd
are mounted into the container. These are
adapted at container startup to match the requested configuration of the
container.
The --no-mount
flag allows specific system mounts to be disabled, even if
they are set in the {command}.conf
configuration file by the
administrator.
For example, if {Project} has been configured with mount hostfs =
yes
then every filesystem on the host will be bind mounted to the
container by default. If, e.g. a /project
filesystem on your host
conflicts with a /project
directory in the container you are
running, you can disable the hostfs
binds:
$ {command} run --no-mount hostfs mycontainer.sif
Multiple system mounts can be disabled by specifying them separated by commas:
$ {command} run --no-mount tmp,sys,dev mycontainer.sif
When the administrator has configured custom bind path
entries in
{command}.conf
, to mount specific paths into the container by default, you
can disable them individually. To do this, specify the path(s) to disable with
the --no-mount
flag. For example, if the adminstrator has configured
{command}.conf
to always mount /data2
. you can disable this with
--no-mount /data2
:
$ {command} run --no-mount /data2 mycontainer.sif
To disable all bind path
entries set in {command}.conf
, use
--no-mount bind-paths
:
$ {command} run --no-mount bind-paths mycontainer.sif
Unless the system administrator has disabled user control of binds, you will be able to request your own bind paths within your container.
The {Project} action commands (run
, exec
, shell
, and
instance start
) will accept the --bind/-B
command-line option to
specify bind paths, and will also honor the ${ENVPREFIX}_BIND
and
${ENVPREFIX}_BINDPATH
environment variables (in that order).
The argument for this
option is a comma-delimited string of bind path specifications in the
format src[:dest[:opts]]
, where src
and dest
are paths
outside and inside of the container respectively. If dest
is not
given, it is set equal to src
. Mount options (opts
) may be
specified as ro
(read-only) or rw
(read/write, which is the
default). The --bind/-B
option can be specified multiple times, or a
comma-delimited string of bind path specifications can be used.
{Project} also has a --mount
flag, which provides a
longer-form method of specifying binds in --mount
type=bind,src=<source>,dst=<destination>[,<option>]...
format. This is
compatible with the --mount
syntax for binds in Docker and other OCI
runtimes.
Here's an example of using the --bind
option and binding /data
on the host to /mnt
in the container (/mnt
does not need to
already exist in the container):
$ ls /data bar foo $ {command} exec --bind /data:/mnt my_container.sif ls /mnt bar foo
You can bind multiple directories in a single command with this syntax:
$ {command} shell --bind /opt,/data:/mnt my_container.sif
This will bind /opt
on the host to /opt
in the container and
/data
on the host to /mnt
in the container.
Using the environment variable instead of the command line argument, this would be:
$ export {ENVPREFIX}_BINDPATH="/opt,/data:/mnt" $ {command} shell my_container.sif
Using the environment variable ${ENVPREFIX}_BINDPATH
, you can bind paths
even when you are running your container as an executable file with a
runscript. If you bind many directories into your {Project}
containers and they don't change, you could even benefit by setting this
variable in your .bashrc
file.
Note
Inside {aProject} container all the paths that were bound in are set
in the ${ENVPREFIX}_BIND
variable. That means they will be
automatically bound in again by default if another {command} command is
run nested inside the first container. You can change that variable
if you choose before that point, but if you want to avoid interfering
with nested containers it's better to use ${ENVPREFIX}_BINDPATH
.
The --mount
flag takes a mount specification in the format
type=bind,src=<source>,dst=<dest>
. Additional options can be
specified, comma delimited.
{Project} only supports the bind
type for --mount
, and will
infer type=bind
if it is not provided.
src
or source
can be used interchangeably. dst
,
destination
, or target
are also equivalent.
To mount data
on the host to /mnt
inside the container:
$ {command} exec \ --mount type=bind,src=/data,dst=/mnt \ my_container.sif ls /mnt bar foo
To mount the same directory read-only in the container, add the ro
option:
$ {command} exec \ --mount type=bind,source=/data,dest=/mnt,ro \ my_container.sif touch /mnt/test touch: cannot touch '/mnt/test': Permission denied
You can bind multiple directories in a single command with multiple
--mount
flags:
$ {command} shell --mount type=bind,src=/opt,dst=/opt \ --mount type=bind,src=/data,dst=/data \ my_container.sif
This will bind /opt
on the host to /opt
in the container and
/data
on the host to /mnt
in the container.
The mount string can be quoted and escaped according to CSV rules,
wrapping each field in double quotes if necessary characters.
--mount
allows bind mounting paths that are not possible with the
--bind
flag. For example:
# Mount a path containing ':' (not possible with --bind) $ {command} run \ --mount type=bind,src=/my:path,dst=/mnt \ mycontainer.sif # Mount a path containing a ',' $ {command} run \ --mount type=bind,"src=/comma,dir",dst=/mnt \ mycontainer.sif
Mount specifications are also read from then environment variable
${ENVPREFIX}_MOUNT
. Multiple bind mounts set via this environment
variable should be separated by newlines (\n
).
To mount a bind path inside the container, a bind point must be defined within the container. The bind point is a directory or file within the container that {Project} can use as a destination to bind a directory or file from the host system. Under most circumstances, {Project} will automatically create any missing bind points within the container using an overlay.
However, binding paths to non-existent points within the container can
result in unexpected behavior when used in conjunction with the
--writable
flag, and is therefore disallowed. If you need to specify
bind paths in combination with the --writable
flag, please ensure
that the appropriate bind points exist within the container. If they do
not already exist, it will be necessary to modify the container and
create them.
When starting a container, {Project} allows you to mount your current
working directory (CWD
) without mounting your host $HOME
directory by
using the --no-home
flag. This is equivalent to --no-mount home
:
$ {command} shell --no-home my_container.sif -or- $ {command} shell --no-mount home my_container.sif
Disabling the mount of $HOME
may be useful if your container image has files
at $HOME
, which would otherwise be hidden by the bind mount from the host.
Note
If your current working directory is under $HOME
, and you do not want to
mount it, you will need to disable both cwd
and home
mounts:
$ {command} shell --no-mount home,cwd my_container.sif
When using the --contain
/ --containall
(or -c
/ -C
for short)
flags, $HOME
from the host is not mounted, and an in-memory temporary
directory is created at the $HOME
point inside the container instead. An
in-memory temporary directory is also used for /tmp
and /var/tmp
inside
the container.
If the container image includes files within $HOME
, the mounted temporary
directory will hide them unless you also specify --no-home
or --no-mount
home
:
$ {command} shell --containall my_container.sif {Project}> ls -lah $HOME total 4K drwxr-xr-x 2 user group 60 Sep 1 11:45 . drwxr-xr-x 1 user group 60 Sep 1 11:44 .. $ {command} shell --containall --no-home my_container.sif {Project}> ls -lah $HOME total 52K drwxr-xr-x 2 user group 60 Sep 1 11:45 . drwxr-xr-x 1 user group 60 Sep 1 11:44 .. drwxr-xr-x 1 user group 38672 Sep 1 11:44 mydata.csv drwxr-xr-x 1 user group 14235 Sep 1 11:44 myimage.jpg
Filesystem in Userspace (FUSE) is an interface to allow filesystems to
be mounted using code that runs in userspace, rather than in the Linux
Kernel. Unprivileged (non-root) users can mount filesystems that have
FUSE drivers. For example, the fuse-sshfs
package allows you to
mount a remote computer's filesystem to your local host, over ssh:
$ mount.fuse sshfs#ythel:/home/dave other_host/ # Now mounted to my local machine: $ ythel:/home/dave on /home/dave/other_host type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
{Project} has a --fusemount
option, which allows
you to directly expose FUSE filesystems inside a container. The FUSE
command / driver that mounts a particular type of filesystem can be
located on the host, or in the container.
The FUSE command invoked with the --fusemount
option
must be based on libfuse3 3.3.0 or greater to work
correctly with {Project}. Older versions do not support the way in
which the {Project} runtime passes a pre-mounted file descriptor
into the container.
If you are using an older distribution that provides FUSE commands such
as sshfs
based on FUSE 2 then you can install FUSE 3 versions of the
commands you need inside your container.
A fusemount definition for {Project} consists of 3 parts:
--fusemount <type>:<fuse command> <container mountpoint>
- type specifies how and where the FUSE mount will be run. The
options are:
host
- use a FUSE command on the host, to mount a filesystem into the container, with the fuse process attached.container
- use a FUSE command inside the container, to mount a filesystem into the container, with the fuse process attached.host-daemon
- use a FUSE command on the host, to mount a filesystem into the container, with the fuse process detached.container-daemon
- use a FUSE command inside the container, to mount a filesystem into the container, with the fuse process detached.
- fuse command specifies the name of the executable that implements
the FUSE mount, and any arguments. E.g.
sshfs server:over-there/
for mounting a remote filesystem over SSH, where the remote source isover-there/
in my home directory on the machine calledserver
. - container mountpoint is an absolute path at which the FUSE filesystem will be mounted in the container.
To use a FUSE sshfs
mount in a container, where the fuse-sshfs
package has been installed on my host, I run with the host
mount
type:
$ {command} run --fusemount "host:sshfs server:/ /server" docker://ubuntu {Project}> cat /etc/hostname localhost.localdomain {Project}> cat /server/etc/hostname server
If the FUSE driver / command that you want to use for the mount has been
added to your container, you can use the container
mount type:
$ {command} run --fusemount "container:sshfs server:/ /server" sshfs.sif {Project}> cat /etc/hostname localhost.localdomain {Project}> cat /server/etc/hostname server
In {Project} you can mount a directory contained in an image file into a container. This may be useful if you want to distribute directories containing a large number of data files as a single image file.
You can mount from image files in ext3 format, squashfs format, or SIF format.
The ext3 image file format allows you to mount it into the container read/write and make changes, while the other formats are read-only. Note that you can only use a read/write image in a single container. You cannot mount it to multiple container runs at the same time.
To mount a directory from an image file, use the -B/--bind
option
and specify the bind in the format:
-B <image-file>:<dest>:image-src=<source>
Alternatively use the --mount
option, and specify the bind in the
format:
--mount type=bind,src=<image-file>,dst=<dest>,image-src=<source>
This will bind the <source>
path inside <image-file>
to
<dest>
in the container.
If you do not add :image-src=<source>
to your bind specification,
then the <image-file>
itself will be bound to <dest>
instead.
If you have a directory called inputs/
that holds data files you
wish to distribute in an image file that allows read/write:
# Create an image file 'inputs.img' of size 100MB and put the
# files inputs/ into it's root directory
$ mkfs.ext3 -d inputs/ inputs.img 100M
mke2fs 1.45.6 (20-Mar-2020)
Creating regular file inputs.img
Creating filesystem with 102400 1k blocks and 25688 inodes
Filesystem UUID: e23c29c9-7a49-4b82-89bf-2faf36b5a781
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Copying files into the device: done
Writing superblocks and filesystem accounting information: done
# Run {Project}, mounting my input data to '/input-data' in
# the container.
$ {command} run -B inputs.img:/input-data:image-src=/ mycontainer.sif
{Project}> ls /input-data
1 3 5 7 9
2 4 6 8 lost+found
# Or with --mount instead of -B
$ {command} run \
--mount type=bind,src=inputs.img,dst=/input-data,image-src=/ \
mycontainer.sif
If you have a directory called inputs/
that holds data files you
wish to distribute in an image file that is read-only, and compressed,
then the squashfs format is appropriate:
# Create an image file 'inputs.squashfs' and put the files from
# inputs/ into it's root directory
$ mksquashfs inputs/ inputs.squashfs
Parallel mksquashfs: Using 16 processors
Creating 4.0 filesystem on inputs.squashfs, block size 131072.
...
# Run {Project}, mounting my input data to '/input-data' in
# the container.
$ {command} run -B inputs.squashfs:/input-data:image-src=/ mycontainer.sif
{Project}> ls /input-data/
1 2 3 4 5 6 7 8 9
# Or with --mount instead of -B
$ {command} run \
--mount type=bind,src=src-inputs.squashfs,dst=/input-data,image-src=/ \
mycontainer.sif
Advanced users may wish to create a standalone SIF image, which contains
an ext3
or squashfs
data partition holding files, by using the
apptainer sif
commands similarly to the :ref:`persistent overlays
instructions <overlay-sif>`:
# Create a new empty SIF file
$ {command} sif new inputs.sif
# Add the squashfs data image from above to the SIF
$ {command} sif add --datatype 4 --partarch 2 --partfs 1 --parttype 3 inputs.sif inputs.squashfs
# Run {Project}, binding data from the SIF file
$ {command} run -B inputs.sif:/input-data:image-src=/ mycontainer.sif
{Project}> ls /input-data
1 2 3 4 5 6 7 8 9
# Or with --mount instead of -B
$ {command} run \
--mount type=bind,src=inputs.sif,dst=/input-data,image-src=/ \
mycontainer.sif
If your bind source is a SIF then {Project} will bind from the first
data partition in the SIF, or you may specify an alternative descriptor
by ID with the additional option id=n
, where n is the descriptor ID.