apptainer / apptainer-admindocs

Admin docs don't explain how Apptainer works anywhere #143

Open deliciouslytyped opened 11 months ago

deliciouslytyped commented 11 months ago

Incoming perspective: A few months back I did some preliminary work on introducing Singularity into one of my environments, but I haven't touched it since then and I've forgotten some things.

https://apptainer.org/docs/admin/latest/admin_quickstart.html#architecture-of-apptainer , i.e. https://github.com/apptainer/apptainer-admindocs/blob/51c41f75351bd1d81cd4805f09239f06a3bf92f8/admin_quickstart.rst?plain=1#L14 gives some design goals for Singularity, but I haven't been able to find anything anywhere explaining how Singularity/Apptainer is actually supposed to work and how it compares technologically to "standard" namespace-based containers. I've only found a couple of instances of the word chroot in the documentation, but none of them are about explaining Apptainer's mechanisms.

This would also be helpful because my other major use case is being able to point someone else to something summarizing how the technology is supposed to work.

There is a very old FAQ mentioned here that I haven't been able to find any existing instances of: https://stackoverflow.com/questions/45169598/chroot-vs-singularity -> http://singularity.lbl.gov/faq#how-is-singularity-different-from-chroot ; the question just doesn't seem to exist anywhere.

deliciouslytyped commented 11 months ago

My understanding is that Apptainer/Singularity is supposed to provide "container" style / filesystem image based portability similar to "standard" Linux style containers, but without any privileged mechanisms (though now user namespace and related functionality is an optional feature).

The fakeroot and security documentation pages explain a lot of the security mechanisms (again, no mention of chroot), but it's not clear how Apptainer/Singularity is different from standard containers when:

DrDaveD commented 11 months ago

If you're asking for an update to the docs, that will require someone willing to contribute the time to write that up.

If you're more interested in getting an answer to your questions than getting it into the documentation, I suggest raising the issue on one of the forums, that is, the mailing list or Slack.