Singularity is Now Apptainer: Containers for HPC With Full Software Supply Chain Security

The Apptainer Story:
The Keyword Here is Cross-Pollination

With private-sector companies taking on more and more compute- and data-intensive activities like artificial intelligence, machine learning (AI/ML), and big data analytics, a long overdue cross-pollination is happening between so-called “High Performance Computing” or HPC (think: government labs doing fundamental scientific research) and the enterprise.

“Traditionally, there hasn’t been much sharing of capabilities between enterprise, cloud, and hyperscale with HPC. HPC has been an isolated island and it’s time for that to change. Every sector of the ecosystem has value to bring to the table.”

— Gregory Kurtzer, CEO, CIQ and Creator of Singularity (now Apptainer)

Take Apptainer: the 100% open source, secure, performant application container system which began life as “Singularity.” It was created at Lawrence Berkeley National Laboratory (by our CEO, Gregory Kurtzer) as a direct, HPC-tailored response to Docker. And, in relatively short order, it became the dominant HPC container system.

Because of HPC’s flat architecture—we’ll spare you the whole story of Beowulf—there had to be a new container system that, unlike Docker, would not give everyone root access. (Yeah. Think about that.) So Apptainer is a container system that is designed to be used by non-privileged users an a shared system.

In essence, a deep concern for security is in the DNA of Apptainer. Security is, to be clear, not the only story here. But it’s an important one.

Apptainer: Verifiable “Buckets” with Just Enough Bits

Apptainer is designed to securely execute applications with bare-metal performance while being portable and 100% reproducible. An Apptainer container packages up whatever you need into a single, verifiable file. From small laboratory clusters all the way to massively-scalable HPC clusters, Apptainer provides:

Market-leading containers for HPC:

Apptainer runs on the majority of HPC systems worldwide and facilitates new and innovative HPC use cases. 

100% Open Source:

Apptainer is maintained by the Linux Foundation and has broad community and institutional support. All development activities, goals, and milestones are publicly available and open.

Trust:

Apptainer enables trust in your software supply chain via cryptographic key validation and encryption.

Portable jobs and environments:

Apptainer allows you to bring your environments anywhere, creating extreme portability from system to system.

Optimization for applications:

While many container systems are built, designed, and optimized for microservices, Apptainer is for applications and computational use cases.

Support:

CIQ is the official support and services provider for Apptainer.

What Can You Do with Apptainer?

Apptainer enables you to easily create and run containers that package up pieces of software in a way that’s portable and reproducible. You can use it to build a container on your laptop, then run it on one of the largest HPC clusters in the world, on a single server, on company clusters… the possibilities are endless.

Bottom line: because the container is just a single file, it can run on any kind of computing infrastructure or platform.

Thanks to Apptainer now being maintained by the Linux Foundation, the user base continues to expand and organizations across all industries and academia are using it. Apptainer’s optimizations in performance and parallelization make it ideal for use cases such as artificial intelligence, machine learning, and compute- and data-driven analytics. In short, the cross-pollination mentioned earlier is happening at a rapid and accelerating pace.

Security Is Worth a Bit More Emphasis

Okay, this will get semi-geeky. Intuitively, you already know that stuff that is smaller and simpler gives hackers less “surface area” to exploit. Big things with lots of moving parts? Easier for the dark side to find something to unscrew or screw with.

So, version 1.1.0 of Apptainer delivers a smaller attack surface area with the implementation of a fully rootless container runtime. Which means? Apptainer no longer installs a setuid-root portion by default. Common operations can now be executed with only unprivileged user namespaces.

Resources

Contact ciq

Get Apptainer Service & Support from The Source.

Let us know a bit about yourself. We’ll contact you soon.