Apptainer Provider
The apptainer provider runs each sandbox as a persistent local Apptainer instance. It shells out to the apptainer binary, so it does not require a daemon, Kubernetes, or a network sandbox service.
Setup
Install Apptainer on the host and make sure the apptainer binary is on PATH. The provider does not auto-install it; constructing the provider raises an error if the binary is missing.
Images can be local .sif files, Apptainer-compatible URIs such as docker://ubuntu:22.04, or bare Docker image names such as ubuntu:22.04. Bare names are resolved to docker://... before instance start.
Provider Config
Define a named provider block in a YAML config file that you own, such as configs/apptainer-sandbox.yaml in your checkout or application repo. Put the sandbox: block at the top level of that file, then reference it from an agent with sandbox_provider: sandbox.
NeMo Gym does not ship a default Apptainer provider config file. Create this file next to the other configs you pass to gym env start.
The provider constructor accepts three optional config sections:
Pass that config file alongside the agent and model configs:
SandboxSpec Provider Options
Use provider_options.binds for per-sandbox bind mounts. It accepts either a single bind string or a list of bind strings, using the Apptainer host:container[:opts] format.
These binds are added on top of the provider’s staging mount and exec.default_binds.
Relevant SandboxSpec Fields
Resource Mapping
SandboxResources is translated into Apptainer CLI flags:
CPU and memory enforcement requires cgroups support from the host. Set create.apply_resource_limits: false if the cluster does not delegate those controls.
Lifecycle
The provider creates one persistent Apptainer instance per sandbox:
Instances are named nemo-gym-<uuid>. State written by one command is visible to later commands in the same sandbox.
File Transfer
On create, the provider makes a temporary host staging directory and bind-mounts it into the container at create.mount_point, which defaults to /sandbox.
If a transfer path is under that mount point, uploads and downloads use the host-side staging directory directly. For paths outside the mount point, the provider stages bytes in the shared directory and runs an in-container copy command as root.
Download any files you need before stopping the sandbox. Stopping an Apptainer sandbox stops the instance and deletes the host staging directory.
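The routing rule above, as an added example that is not NeMo Gym's own code: one way to decide whether a container path can use the host-side staging directory, while keeping that shortcut confined to the staging directory. The function name `host_path_for` and the throwaway staging directory are hypothetical; `/sandbox` is the default mount point stated above.

```python
import os
import posixpath
import tempfile
from pathlib import Path
from typing import Optional


def host_path_for(container_path: str, staging_dir: Path,
                  mount_point: str = "/sandbox") -> Optional[Path]:
    """Map a container path to its host-side staging path.

    Returns None when the path is outside mount_point, i.e. the transfer
    has to take the in-container copy route instead.
    """
    if not container_path.startswith("/"):
        raise ValueError("container path must be absolute")
    # Collapse "." and ".." first so /sandbox/../etc is seen as /etc.
    norm = posixpath.normpath(container_path)
    mount = posixpath.normpath(mount_point).rstrip("/")
    # Compare on a path-component boundary: /sandboxed is not under /sandbox.
    if norm != mount and not norm.startswith(mount + "/"):
        return None
    root = staging_dir.resolve()
    candidate = (root / norm[len(mount):].lstrip("/")).resolve()
    # Processes in the sandbox can write to the staging directory, so a
    # symlink there may point elsewhere on the host. Resolve, then re-check.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{container_path} resolves outside staging dir")
    return candidate


if __name__ == "__main__":
    # Constructed sample: a throwaway directory stands in for the staging dir.
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        os.symlink("/", staging / "escape")
        for p in ("/sandbox/out/result.json", "/sandboxed/x",
                  "/sandbox/../etc/passwd", "/sandbox/escape/etc/passwd"):
            try:
                print(p, "->", host_path_for(p, staging))
            except PermissionError as exc:
                print(p, "-> refused:", exc)
```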
User and Runtime Notes
The neutral user argument to exec() maps onto Apptainer behavior:
Running as root or another user depends on host fakeroot support. Numeric UIDs may not resolve inside the container; prefer named users when switching users.
Command failures return SandboxExecResult with the command’s exit code. Provider runtime failures such as a missing instance return code 125 with error_type="sandbox", and timeouts return code 125 with error_type="timeout".