Security Options
Apptainer implements security related options in the container runtime. This document describes the methods users have for specifying the security scope and context when running Apptainer containers.
Linux Capabilities
Note
It is extremely important to recognize that granting users Linux
capabilities with the capability
command group is usually
identical to granting those users root level access on the host
system. Most if not all capabilities will allow users to “break
out” of the container and become root on the host. This feature is
targeted toward special use cases (like cloud-native architectures)
where an admin/developer might want to limit the attack surface
within a container that normally runs as root. This is not a good
option in multi-tenant HPC environments where an admin wants to grant
a user special privileges within a container. For that and similar
use cases, the fakeroot feature is a better option.
Apptainer provides full support for granting and revoking Linux
capabilities on a user or group basis. For example, let us suppose that
an admin has decided to grant a user (named pinger
) capabilities to
open raw sockets so that they can use ping
in a container where the
binary is controlled via capabilities. For information about how to
manage capabilities as an admin please refer to the capability admin
docs.
This feature requires a setuid-root installation of Apptainer.
To take advantage of this granted capability as a user, pinger
must
also request the capability when executing a container with the
--add-caps
flag like so:
$ apptainer exec --add-caps CAP_NET_RAW oras://ghcr.io/apptainer/ubuntu_ping:v1.0 ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=73.1 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 73.178/73.178/73.178/0.000 ms
If the admin decides that it is no longer necessary to allow the user
pinger
to open raw sockets within Apptainer containers, they can
revoke the appropriate Linux capability and pinger
will not be able
to add that capability to their containers anymore:
$ apptainer exec --add-caps CAP_NET_RAW oras://ghcr.io/apptainer/ubuntu_ping:v1.0 ping -c 1 8.8.8.8
WARNING: not authorized to add capability: CAP_NET_RAW
ping: socket: Operation not permitted
Another scenario which is atypical of shared resource environments, but useful in cloud-native architectures is dropping capabilities when spawning containers as the root user to help minimize attack surfaces. With a default installation of Apptainer, containers created by the root user will maintain all capabilities. This behavior is configurable if desired. Check out the capability configuration and root default capabilities sections of the admin docs for more information.
Assuming the root user will execute containers with the CAP_NET_RAW
capability by default, executing the same container pinger
executed
above works without the need to grant capabilities:
# apptainer exec oras://ghcr.io/apptainer/ubuntu_ping:v1.0 ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=59.6 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 59.673/59.673/59.673/0.000 ms
Now we can manually drop the CAP_NET_RAW
capability like so:
# apptainer exec --drop-caps CAP_NET_RAW oras://ghcr.io/apptainer/ubuntu_ping:v1.0 ping -c 1 8.8.8.8
ping: socket: Operation not permitted
And now the container will not have the ability to create new sockets,
causing the ping
command to fail.
The --add-caps
and --drop-caps
options will accept the all
keyword. Of course appropriate caution should be exercised when using
this keyword.
Building encrypted containers
Apptainer can build and run encrypted containers. The containers are decrypted at runtime entirely in memory, meaning that no intermediate decrypted data is ever present on disk. See encrypted containers for more details.