
Add stricter containerization options when apptainer started #1290

@prioux


Given our processing model, it could be good to try to restrict our apptainer containers as much as possible. There are several command-line options that might be worth investigating. From the usage statement:

  -e, --cleanenv
      clean environment before running container
      (Note: this will prevent environment variables set by the admins in the ToolConfig
      object from being propagated, unless the sysadmin names them APPTAINERENV_VARNAME)

  -c, --contain
      use minimal /dev and empty other directories (e.g. /tmp and $HOME) instead
      of sharing filesystems from your host

  -C, --containall
      contain not only file systems, but also PID, IPC, and environment

      --cpus string
      Number of CPUs available to container

      --hostname string
      set container hostname
      (Note: use the CBRAIN task's pretty name?)

      --no-eval
      do not shell evaluate env vars or OCI container CMD/ENTRYPOINT/ARGS

      --no-home
      do NOT mount users home directory if /home is not the current working directory
      (Note: CBRAIN already uses -H so maybe not needed)

      --net --network none
      (Note: very attractive option)

  -p, --pid
      run container in a new PID namespace
      (Note: might interfere with htop and other manual monitoring when on compute node)
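The wrapper below is an added example, not CBRAIN or Apptainer project code, showing what a launcher built from the options listed in this issue looks like in practice. It combines `--containall` (which already implies `--contain`, `--pid`, `--ipc` and `--cleanenv`), `--no-eval`, `--net --network none`, `-H` and `--hostname`, and it handles the two caveats noted above: ToolConfig-style `NAME=VALUE` settings are re-exported as `APPTAINERENV_NAME` so they survive the cleaned environment, and a task's display name is reduced to a valid hostname label before being handed to `--hostname`. The function names, the image path, the task name and the home directory are hypothetical; `DRY_RUN=1` is a switch of this example, not an Apptainer option.

```shell
#!/bin/sh
# Added example (not CBRAIN/Apptainer code): build a hardened `apptainer exec`
# command line from the flags discussed in the issue. POSIX sh, so the helper
# variables below are global rather than local.

# Export NAME=VALUE pairs as APPTAINERENV_NAME so they are still visible inside
# the container after --cleanenv / --containall. Fails closed (return 1) on the
# first pair that is malformed or whose name is not a valid identifier.
export_toolconfig_env() {
  for pair in "$@"; do
    case "$pair" in
      *=*) ;;
      *) printf 'not a NAME=VALUE pair: %s\n' "$pair" >&2; return 1 ;;
    esac
    name=${pair%%=*}
    value=${pair#*=}
    case "$name" in
      '' | [0-9]* | *[!A-Za-z0-9_]*)
        printf 'invalid environment variable name: %s\n' "$name" >&2
        return 1 ;;
    esac
    export "APPTAINERENV_${name}=${value}"
  done
}

# Reduce an arbitrary task display name to a hostname label: lower-case,
# [a-z0-9-] only, no leading or trailing hyphen, at most 63 characters.
# Falls back to "cbrain-task" (hypothetical default) if nothing usable is left.
hostname_from_task_name() {
  label=$(printf '%s' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | tr -c 'a-z0-9' '-' \
    | tr -s '-' \
    | sed 's/^-*//; s/-*$//' \
    | cut -c1-63 \
    | sed 's/-*$//')
  printf '%s\n' "${label:-cbrain-task}"
}

# Usage: hardened_apptainer_exec IMAGE TASK_NAME HOME_DIR CPUS CMD [ARGS...]
# CPUS may be empty, in which case --cpus is omitted. With DRY_RUN=1 the argv
# is printed one word per line instead of executing apptainer.
hardened_apptainer_exec() {
  image=$1; task_name=$2; home_dir=$3; cpus=$4
  shift 4
  if [ -n "$cpus" ]; then
    set -- --cpus "$cpus" "$image" "$@"
  else
    set -- "$image" "$@"
  fi
  set -- exec \
    --containall \
    --no-eval \
    --net --network none \
    -H "$home_dir" \
    --hostname "$(hostname_from_task_name "$task_name")" \
    "$@"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' apptainer "$@"
  else
    apptainer "$@"
  fi
}

# Demo with constructed values: two ToolConfig-style variables and a dry run.
export_toolconfig_env FSLDIR=/opt/fsl FSLOUTPUTTYPE=NIFTI_GZ
DRY_RUN=1 hardened_apptainer_exec /path/to/tool.sif 'FSL BET (task 42)' \
  /scratch/task42/home 2 bet input.nii.gz output.nii.gz
```

Two things to keep in mind when adapting this: `--cpus` is enforced through cgroups, so whether it takes effect for an unprivileged user depends on the cgroup setup of the compute node, and the `--pid` behaviour that `--containall` brings along carries the monitoring caveat already noted above, since processes inside the container get their own PID namespace.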
