Singularity can indeed build containers as normal users

[DrDaveD]

The document Containers on Summit says "Singularity also allows building images but ordinary users cannot utilize that on Summit due to additional permissions not allowed for regular users" but that must not be true. Since you have set up /etc/subuid and /etc/subgid for users, all you need is the singularity build --fakeroot command.

In addition, beginning in Apptainer 1.1.0 thanks to a recently merged PR containers will be able to be built by unprivileged users even without /etc/subuid and /etc/subgid.

[dtrudg]

In addition, beginning in Apptainer 1.1.0 thanks to a recently merged PR containers will be able to be built by unprivileged users even without /etc/subuid and /etc/subgid.

Note that this unreleased apptainer feature is useful in limited circumstances - as it requires host / container GLIBC compatibility. Attempting to build an Ubuntu 20.04 container on a host with newer glibc, for example, will fail:

 $ apptainer build test.sif test.def
...
/usr/bin/faked-tcp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /usr/bin/faked-tcp)
/usr/bin/faked-tcp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /usr/bin/faked-tcp)
fakeroot: error while starting the `faked' daemon.
/usr/bin/fakeroot: 1: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
FATAL:   While performing build: while running engine: exit status 1

I believe ORNL deploys SingularityPRO to production systems? Sylabs would certainly be pleased to discuss plans in this area, and we'd be very interested in exploring the remaining barriers to Singularity fakeroot builds if /etc/subuid /etc/subgid are deployed. We do understand that a signficant aspect of deploying podman for build is that it allows builds from Dockerfiles.

Thanks!