Apptainer unprivileged install is no longer possible on modern Ubuntu

Apptainer / Singularity is a popular Docker alternative in the scientific computing community, thanks to support for running containers without elevated privileges and an approach to user identity that is better suited for shared environments (the user in an Apptainer container is the same user as on the host).

What made it even more appealing was that it did not only allow running containers without privileged permissions, it could also be installed without them! Simply downloading the binary was enough on many Linux systems, making Apptainer a great option for users of shared clusters as there was no need to pester the admins to install it.

For Ubuntu, however, this is no longer the case. Since version 24.04, unprivileged user namespace restrictions are enabled by default through AppArmor (which was first introduced as opt-in in 23.10).[1] Apptainer can still run rootless, but only if the executable is covered by an AppArmor profile that allows user namespaces for the exact binary path.[2][3] Ubuntu actually comes with such a profile for Apptainer out of the box, but it only matches the default install path (/usr/libexec/..., where the binary is placed by apt).

This means that truly unprivileged installation is no longer possible. One either needs to install via apt (which requires sudo) or, if installing locally, has to edit /etc/apparmor.d/apptainer to match the custom install path (which also requires sudo).[4]
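As an added illustration (not code from this post or from the Apptainer project), here is a small POSIX shell script that does two things: it reports whether the host kernel has the AppArmor restriction on unprivileged user namespaces switched on (reading the kernel.apparmor_restrict_unprivileged_userns sysctl named in footnote 2), and it generates an AppArmor profile granting "userns" to a starter binary installed under an arbitrary prefix, plus a check that a given profile text really attaches to a given binary path. The profile shape follows the one documented in Apptainer's INSTALL.md; the layout of the binary under the prefix (libexec/apptainer/bin/starter), the profile name "apptainer-local" and the "/opt/apptainer" prefix in the usage are assumptions, not facts from this post. Writing the generated file into /etc/apparmor.d and loading it still needs root, which is exactly the point above.

```shell
#!/bin/sh
# Added example: inspect the unprivileged-userns restriction and generate an
# AppArmor profile for an Apptainer starter binary under a custom prefix.

# Print "restricted", "unrestricted" or "unknown" (sysctl absent, e.g. a kernel
# without the AppArmor userns patches).
userns_restriction_state() {
  f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
  if [ ! -r "$f" ]; then
    echo unknown
    return 0
  fi
  case "$(cat "$f")" in
    1) echo restricted ;;
    0) echo unrestricted ;;
    *) echo unknown ;;
  esac
}

# Emit a profile attached to the starter binary under prefix $1.
# ASSUMPTION: the binary lives at $1/libexec/apptainer/bin/starter (Apptainer's
# usual make-install layout); the attachment path must match the binary exactly,
# a profile for another path does not help.
apptainer_userns_profile() {
  prefix=${1%/}
  cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# Profile names must be unique on the system; "apptainer-local" is a constructed
# name so it does not clash with Ubuntu's packaged "apptainer" profile.
profile apptainer-local ${prefix}/libexec/apptainer/bin/starter{,-suid} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides.
  include if exists <local/apptainer-local>
}
EOF
}

# Read profile text on stdin; succeed only if some "profile NAME PATH" line
# attaches to binary $1 (the "{,-suid}" alternation is treated as covering $1).
profile_covers_binary() {
  awk -v want="$1" '
    $1 == "profile" {
      p = $3
      sub(/[{],-suid[}]$/, "", p)
      if (p == want) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Stand-alone usage: report the host state, and print a profile if a prefix is given.
printf 'unprivileged user namespaces: %s\n' "$(userns_restriction_state)"
if [ "$#" -gt 0 ]; then
  apptainer_userns_profile "$1"
fi
```

Run as "sh profile.sh /opt/apptainer" to print the profile for a constructed prefix; with no argument it only reports the restriction state. The exactness check is the useful part: the same profile text that passes for the custom path fails for any other binary path, which is why the packaged profile does not cover a home-directory install.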

So, long story short, if you want to use containers on a shared server running Ubuntu 24.04 or newer (or another distro with the same AppArmor restriction), Apptainer can still run rootless, but a truly sudo-free install is no longer possible (and you have to go pester those admins after all).

  1. Ubuntu 24.04 release notes: unprivileged user namespace restrictions and recommended workarounds: https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890

  2. AppArmor wiki: kernel.apparmor_restrict_unprivileged_userns, policy requirements, and /etc / sysctl override paths: https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

  3. Apptainer install docs and issues discussing required AppArmor profile path matching on Ubuntu 24.04: https://github.com/apptainer/apptainer/blob/main/INSTALL.md#apparmor-profile-ubuntu-2310, https://github.com/apptainer/apptainer/issues/2027, https://github.com/apptainer/apptainer/issues/2691

  4. One could also just disable the restriction globally, but this of course requires sudo too (and isn’t great for security).