apptainer shell
Run a shell within a container
Synopsis
apptainer shell supports the following formats:
- *.sif Singularity Image Format (SIF). Native to Singularity
(3.0+) and Apptainer (v1.0.0+)
*.sqsh SquashFS format. Native to Singularity 2.4+
*.img ext3 format. Native to Singularity versions < 2.4.
- directory/ sandbox format. Directory containing a valid root file
system and optionally Apptainer meta-data.
- instance://* A local running instance of a container. (See the instance
command group.)
library://* A SIF container hosted on a Library (no default)
- docker://* A Docker/OCI container hosted on Docker Hub or another
OCI registry.
shub://* A container hosted on Singularity Hub.
- oras://* A SIF container hosted on an OCI registry that supports
the OCI Registry As Storage (ORAS) specification.
apptainer shell [shell options...] <container>
Examples
$ apptainer shell /tmp/Debian.sif
Apptainer/Debian.sif> pwd
/home/gmk/test
Apptainer/Debian.sif> exit
$ apptainer shell -C /tmp/Debian.sif
Apptainer/Debian.sif> pwd
/home/gmk
Apptainer/Debian.sif> ls -l
total 0
Apptainer/Debian.sif> exit
$ sudo apptainer shell -w /tmp/Debian.sif
$ sudo apptainer shell --writable /tmp/Debian.sif
$ apptainer shell instance://my_instance
$ apptainer shell instance://my_instance
Apptainer: Invoking an interactive shell within container...
Apptainer container:~> ps -ef
UID PID PPID C STIME TTY TIME CMD
ubuntu 1 0 0 20:00 ? 00:00:00 /usr/local/bin/apptainer/bin/appinit
ubuntu 2 0 0 20:01 pts/8 00:00:00 /bin/bash --norc
ubuntu 3 2 0 20:02 pts/8 00:00:00 ps -ef
Options
--add-caps string a comma separated capability list to add
--allow-setuid allow setuid binaries in container (root only)
--app string set an application to run inside a container
--apply-cgroups string apply cgroups from file for container processes (root only)
-B, --bind stringArray a user-bind path specification. spec has the format src[:dest[:opts]], where src and dest are outside and inside paths. If dest is not given, it is set equal to src. Mount options ('opts') may be specified as 'ro' (read-only) or 'rw' (read/write, which is the default). Multiple bind paths can be given by a comma separated list.
--blkio-weight int Block IO relative weight in range 10-1000, 0 to disable
--blkio-weight-device strings Device specific block IO relative weight
-e, --cleanenv clean environment before running container
--compat apply settings for increased OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --no-eval, --writable-tmpfs.
-c, --contain use minimal /dev and empty other directories (e.g. /tmp and $HOME) instead of sharing filesystems from your host
-C, --containall contain not only file systems, but also PID, IPC, and environment
--cpu-shares int CPU shares for container (default -1)
--cpus string Number of CPUs available to container
--cpuset-cpus string List of host CPUs available to container
--cpuset-mems string List of host memory nodes available to container
--cwd string initial working directory for payload process inside the container (synonym for --pwd)
--disable-cache do not use or create cache
--dns string list of DNS server separated by commas to add in resolv.conf
--docker-host string specify a custom Docker daemon host
--docker-login login to a Docker Repository interactively
--drop-caps string a comma separated capability list to drop
--env stringToString pass environment variable to contained process (default [])
--env-file string pass environment variables from file to contained process
-f, --fakeroot run container with the appearance of running as root
--fusemount strings A FUSE filesystem mount specification of the form '<type>:<fuse command> <mountpoint>' - where <type> is 'container' or 'host', specifying where the mount will be performed ('container-daemon' or 'host-daemon' will run the FUSE process detached). <fuse command> is the path to the FUSE executable, plus options for the mount. <mountpoint> is the location in the container to which the FUSE mount will be attached. E.g. 'container:sshfs 10.0.0.1:/ /sshfs'. Implies --pid.
-h, --help help for shell
-H, --home string a home directory specification. spec can either be a src path or src:dest pair. src is the source path of the home directory outside the container and dest overrides the home directory within the container. (default "/home/runner")
--hostname string set container hostname
-i, --ipc run container in a new IPC namespace
--keep-privs let root user keep privileges in container (root only)
--memory string Memory limit in bytes
--memory-reservation string Memory soft limit in bytes
--memory-swap string Swap limit, use -1 for unlimited swap
--mount stringArray a mount specification e.g. 'type=bind,source=/opt,destination=/hostopt'.
-n, --net run container in a new network namespace (sets up a bridge network interface by default)
--network string specify desired network type separated by commas, each network will bring up a dedicated interface inside container
--network-args strings specify network arguments to pass to CNI plugins
--no-eval do not shell evaluate env vars or OCI container CMD/ENTRYPOINT/ARGS
--no-home do NOT mount users home directory if /home is not the current working directory
--no-https use http instead of https for docker:// oras:// and library://<hostname>/... URIs
--no-init do NOT start shim process with --pid
--no-mount strings disable one or more 'mount xxx' options set in apptainer.conf and/or specify absolute destination path to disable a bind path entry, or 'bind-paths' to disable all bind path entries.
--no-pid do not run container in a new PID namespace
--no-privs drop all privileges from root user in container)
--no-umask do not propagate umask to the container, set default 0022 umask
--nv enable Nvidia support
--nvccli use nvidia-container-cli for GPU setup (experimental)
--oom-kill-disable Disable OOM killer
-o, --overlay strings use an overlayFS image for persistent data storage or as read-only layer of container
--passphrase prompt for an encryption passphrase
--pem-path string enter an path to a PEM formatted RSA key for an encrypted container
-p, --pid run container in a new PID namespace
--pids-limit int Limit number of container PIDs, use -1 for unlimited
--rocm enable experimental Rocm support
-S, --scratch strings include a scratch directory within the container that is linked to a temporary dir (use -W to force location)
--security strings enable security features (SELinux, Apparmor, Seccomp)
--sharens share the namespace and image with other containers launched from the same parent process
-s, --shell string path to program to use for interactive shell
--unsquash Convert SIF file to temporary sandbox before running
-u, --userns run container in a new user namespace
--uts run container in a new UTS namespace
-W, --workdir string working directory to be used for /tmp, /var/tmp and $HOME (if -c/--contain was also used)
-w, --writable by default all Apptainer containers are available as read only. This option makes the file system accessible as read/write.
--writable-tmpfs makes the file system accessible as read-write with non persistent data (with overlay support only)