How to run sudo command inside Singularity container if I am not a sudo user in host?

[Heng-Zhou]

I need to run some sudo commands in Singularity container. If I run sudo ..., I got the following error:

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

If I add sudo command into the Singularity container and run sudo -i, I got the following error:

sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

If I run su, I was prompted password for root which I don't know.

So, can you please help me with the above three issues? Thanks a lot.

[dtrudg]

Escalating privilege (i.e. becoming root or another user with sudo) inside a container is blocked by default. This is by design, and is one of the core differences with Docker that enabled Singularity to be safely used, and become popular on HPC systems -
where it is vital that a user who runs a container is not able to get root access on the host.

https://docs.sylabs.io/guides/4.0/user-guide/security.html#runtime-user-privilege-model

In newer Linux distributions than were available when Singularity was first developed, the Linux kernel provides features that allow you to emulate root inside a container. You can act as root in the container, without having any root privileges on the host - or against files mounted from the host.

To become a 'fake root' user in the container, who can do thing as root only inside of the container, you need to run the container in Singularity's --fakeroot mode, which also enables sudo-ing to other uids etc. However, fakeroot uses user namespaces and subuid/subgid mapping which have important requirements / restrictions / limitations that are documented here:

https://docs.sylabs.io/guides/4.0/user-guide/fakeroot.html