Merge pull request #280076 from SomeoneSerge/fix/apptainer-nv-cherry

apptainer: unbreak --nv (userns+nvliblist.conf variant)

1 files changed, 6 insertions, 1 deletions

diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix
index 9fd37e1793a7..7f285ab05537 100644
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@@ -61,7 +61,12 @@ in
     };
     enableSuid = mkOption {
       type = types.bool;
-      default = true;
+      # SingularityCE requires SETUID for most things. Apptainer prefers user
+      # namespaces, e.g. `apptainer exec --nv` would fail if built
+      # `--with-suid`:
+      # > `FATAL: nvidia-container-cli not allowed in setuid mode`
+      default = cfg.package.projectName != "apptainer";
+      defaultText = literalExpression ''config.services.singularity.package.projectName != "apptainer"'';
       example = false;
       description = mdDoc ''
         Whether to enable the SUID support of Singularity/Apptainer.