I actually went into every single line of the manuals and even discussed the matter on the official Singularity Slack.
In that blog post I wrote that it does not enforce. It is true that you can achieve some level of isolation by setting certain flags and environment variables explicitly, but this is (was?) quite hard to get working; moreover, the user mapping inside the container is always host-dependent and there is just no network isolation.
To achieve something close to the behaviour "I wanted", I had to use a combination of the command line flags you mentioned (and in particular -cleanenv, -containall and -pid) together with custom-made, ad-hoc runtime sandboxing for directories which required write access (such as /tmp and /home).
However, this is not the default behaviour and it is not how Singularity is used in practice by its users. But yes, I was able to achieve something close to the behaviour I wanted [1].
This said, if I am missing something, or if the project has evolved to allow for a better level of isolation by default, please let me know. That blog post is dated 2022 after all.
[1] https://www.sciencedirect.com/science/article/pii/S221313372...