https://github.com/sylabs/singularity - SingularityCE 4.3.3

This is a patch release in the 4.3 series, with dependency updates and the following changes:

Requirements / Packaging

• Requires Go 1.24.3 or above, due to various dependencies.
• Bundled squashfuse is now 0.6.1.

Changed defaults / behaviours

• Use OCI Manifest Schema 1 for ORAS pushes. Addresses errors pushing to Quay, which applies a must be restriction for the config.mediaType value on Docker Manifest Schema 2 (spec has a looser should generally be).

Bug fixes

• Don't set ineffective mode=777 on workdir bind. Fixes error in OCI-mode with --workdir and runc >= 1.2.0.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.3.tar.gz download below to obtain and install SingularityCE 4.3.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.0

- Go
Published by dtrudg 6 months ago

https://github.com/sylabs/singularity - SingularityCE 4.3.2

This is a patch release in the 4.3 series, with dependency updates and the following changes:

Requirements / Packaging

• Ubuntu 20.04 packages dropped - end-of-life.
• EL 10 (RHEL/AlmaLinux/Rocky Linux 10) packages introduced.
• Build bundled squashfuse against FUSE3 for all packages.
• Don't depend on fuse on Ubuntu - installing this package on 22.04 can cause conflicts with the Ubuntu Desktop package set.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.2.tar.gz download below to obtain and install SingularityCE 4.3.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.24.4

- Go
Published by dtrudg 8 months ago

https://github.com/sylabs/singularity - SingularityCE 4.3.1

This is a patch release in the 4.3 series.

Bug Fixes

• Update bundled squashfuse to 0.6.0, which includes ., .. entries in getdents() results, fixing errors with some applications.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.1.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.2

- Go
Published by dtrudg 11 months ago

https://github.com/sylabs/singularity - SingularityCE 4.3.0

SingularityCE 4.3.0

This is the first release in the 4.3 series. Please review the changes, fixes, and new features listed below.

The admin and user guides include a "What's New in 4.3" section, providing links to additional documentation:

• https://docs.sylabs.io/guides/4.3/admin-guide/new.html
• https://docs.sylabs.io/guides/4.3/user-guide/new.html

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.0.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.0

- Go
Published by dtrudg 12 months ago

https://github.com/sylabs/singularity -

SingularityCE 4.3.0-rc.1 Release Candidate

This is the first release candidate for the upcoming 4.3 series. All testing and feedback is welcome!

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.3.1-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.0

- Go
Published by dtrudg 12 months ago

https://github.com/sylabs/singularity - SingularityCE 4.2.2

SingularityCE 4.2.2 is a bugfix release in the 4.2 series.

Bug Fixes

• Fix regression from 4.1.5 that overwrites source image runscript, environment etc. in build from local image.
• Fall back to $TMPDIR as singularity-buildkitd root directory if ~/.singularity is on a filesystem that does not fully support overlay.
• Add more intuitive error message for rootless build --oci when required XDG_RUNTIME_DIR env var is not set.
• Avoid error in CNI network setup with newer versions of iptables that include a setuid caller check.

New Features & Functionality

• In OCI-Mode, accommodate systems configured so that they do not create a /run/user session directory. OCI-Mode will now attempt to use $TMPDIR/singularity-oci-<uid> for runtime state on systems where $XDG_RUNTIME_DIR is not set and the default user session path of /run/user/<uid> does not exist. Note that the $TMPDIR/singularity-oci-<uid> directory is shared between concurrent --oci mode invocations, and will not be removed on exit - an empty directory will remain.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.2.tar.gz download below to obtain and install SingularityCE 4.2.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.23.4

- Go
Published by dtrudg about 1 year ago

https://github.com/sylabs/singularity - SingularityCE 4.2.1

SingularityCE 4.2.1 is a bugfix release in the 4.2 series.

Bug Fixes

• Fix regression that led to an empty shell field in the /etc/passwd file.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.1.tar.gz download below to obtain and install SingularityCE 4.2.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.7

- Go
Published by dtrudg over 1 year ago

https://github.com/sylabs/singularity - SingularityCE 4.2.0

SingularityCE 4.2.0 is the first release in the 4.2 series, including various new features.

New Features & Functionality

• It is now possible to use multiple environment variable files using the --env-file flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence.
• singularity.conf now accepts setting new options regarding namespaces:
  • allow ipc ns : disable the use of the --ipc flag.
  • allow user ns : disable creation of user namespaces. This will prevent execution of containers with the --userns or --fakeroot flags, and unprivileged installations of SingularityCE.
  • allow uts ns : invalidate the use of the --uts and --hostname flags.
• A new singularity data package command allows files and directories to be packaged into an OCI-SIF data container.
• A new --layer-format flag for singularity push allows layers in an OCI-SIF image to be pushed to library:// and docker:// registries in squashfs (default) or tar format. Images pushed with --layer-format tar can be pulled and run by other OCI runtimes.
• A writable overlay can be added to an OCI-SIF file with the singularity overlay create command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the --writable flag.
• A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the singularity overlay sync command to synchronize the OCI digests with the overlay content.
• A new singularity overlay seal command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent.
• Added a new instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.
• The new --netns-path flag takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allowed netns paths directive in singularity.conf, if they are also listed in allowed net users / allowed net groups. Not currently supported with --fakeroot, or in --oci mode.

Requirements

• Requires a minimum of Go 1.21.5 to build due to dependency updates.
• OCI-SIF embedded writable overlay functionality requires fuse2fs >= 1.46.6.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.0.tar.gz download below to obtain and install SingularityCE 4.2.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6

- Go
Published by dtrudg over 1 year ago

https://github.com/sylabs/singularity - SingularityCE 4.1.5

SingularityCE 4.1.5 is a patch release in the 4.1 series, including various bug fixes.

Bug Fixes

• Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (docker://) etc.
• Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
• Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
• Fix issue where --platform / --arch did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.5.tar.gz download below to obtain and install SingularityCE 4.1.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6

- Go
Published by dtrudg over 1 year ago

https://github.com/sylabs/singularity -

This is the first release candidate for the upcoming 4.2 series of SingularityCE. We welcome all feedback and testing. Please continue to use the latest 4.1 release for production systems.

New Features & Functionality

• It is now possible to use multiple environment variable files using the --env-file flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence.
• singularity.conf now accepts setting new options regarding namespaces:
  • allow ipc ns : disable the use of the --ipc flag.
  • allow user ns : disable creation of user namespaces. This will prevent execution of containers with the --userns or --fakeroot flags, and unprivileged installations of SingularityCE.
  • allow uts ns : invalidate the use of the --uts and --hostname flags.
• A new singularity data package command allows files and directories to be packaged into an OCI-SIF data container.
• A new --layer-format flag for singularity push allows layers in an OCI-SIF image to be pushed to library:// and docker:// registries in squashfs (default) or tar format. Images pushed with --layer-format tar can be pulled and run by other OCI runtimes.
• A writable overlay can be added to an OCI-SIF file with the singularity overlay create command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the --writable flag.
• A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the singularity overlay sync command to synchronize the OCI digests with the overlay content.
• A new singularity overlay seal command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent.
• Added a new instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.
• The new --netns-path flag takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allowed netns paths directive in singularity.conf, if they are also listed in allowed net users / allowed net groups. Not currently supported with --fakeroot, or in --oci mode.

Bug Fixes

• Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (docker://) etc.
• Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
• Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
• Fix issue where --platform / --arch did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.

Requirements

• Requires a minimum of Go 1.21.5 to build due to dependency updates.
• OCI-SIF embedded writable overlay functionality requires fuse2fs >= 1.46.6. ## Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.2.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6

- Go
Published by dtrudg over 1 year ago

https://github.com/sylabs/singularity - SingularityCE 4.1.4

SingularityCE 4.1.4 is a patch release in the 4.1 series, including various bug fixes.

Bug Fixes

• Use ABI 3 for Apparmor profile on Ubuntu <23.10.
• Avoid unnecessary copying / extraction of OCI images and Docker tarballs into a layout directory when they are directly accessible as a local file / directory.
• Avoid unnecessary intermediate temporary image layout when building from Dockerfile to OCI-SIF.
• %files from in a definition file will now correctly copy symlinks that point to a target above the destination directory, but inside the destination stage rootfs.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.4.tar.gz download below to obtain and install SingularityCE 4.1.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.4

- Go
Published by cyanezstange over 1 year ago

https://github.com/sylabs/singularity - SingularityCE 4.1.3

SingularityCE 4.1.3 is a patch release in the 4.1 series, including various bug fixes.

Packages provided with this release now include a .deb for Ubuntu 24.04 (noble).

Requirements

• Requires a minimum of Go 1.21 to build. Go 1.20 is end-of-life.

Note - compilation with Go 1.22 currently causes an issue when using the PID namespace on distributions using older versions of glibc. We recommend using Go 1.21 at this time.

Bug Fixes

• Set default PATH in container run in OCI-Mode when image does not set PATH.
• Fix storage of credentials for docker.io to behave the same as for index.docker.io.
• Improve documentation for remote list command.
• Don't fail with lack of descriptor capacity when writing OCI images with many layers to OCI-SIF.
• Ensure a fixed number of spare descriptors is present in the OCI-SIF when pulling an OCI image.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.3.tar.gz download below to obtain and install SingularityCE 4.1.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.10

- Go
Published by dtrudg almost 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.1.2

SingularityCE 4.1.2 is a patch release in the 4.1 series, including various bug fixes.

Bug Fixes

• Set OCI runtime-spec annotations that are required by the documented image-spec conversion process.
• In --oci mode always set inner ID map based on host user, not USER in OCI container. Fixes incorrect permissions for files owned by USER in the container.
• Provide warning / info message for OCI image-spec features (volumes, exposed ports) that are not supported by singularity.
• Honor WORKDIR by default for OCI images in --oci mode, as required by OCI image-spec.
• Restore previous --writable behaviour when running a container image from SIF/SquashFS in user namepace mode. The image will be extracted to a temporary sandbox, which is writable at runtime. Note that any changes are not made to the original image.
• Fix target: no such file or directory error in native mode when extracting layers from certain OCI images that manipulate hard links across layers.
• Fix extraction of OCI layers when run in a root mapped user namespace (e.g.. unshare -r).
• Use user namespace for wrapping of unsquashfs when singularity is run with --userns / -uflag. Fixes temporary sandbox extraction of images in non-root mapped user namespace (e.g.unshare -c`).

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.2.tar.gz download below to obtain and install SingularityCE 4.1.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.7

- Go
Published by dtrudg almost 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.1.1

SingularityCE 4.1.1 is a patch release in the 4.1 series, including security and bug fixes.

Security Related Fixes

• Update github.com/moby/buildkit dependency, used for --oci Dockerfile builds, addressing the following upstream CVEs:
  • CVE-2024-23650 Possible panic when incorrect parameters sent from frontend
  • CVE-2024-23651 Possible race condition with accessing subpaths from cache mounts.
  • CVE-2024-23652 Possible host system access from mount stub cleaner.
  • CVE-2024-23653 Interactive containers API does not validate entitlements check.

Note also that in OCI-Mode, SingularityCE may call out to runc versions vulnerable to CVE-2024-21626. runc is not bundled with SingularityCE, and should be updated via your Linux distribution's package manager, or manually.

Bug Fixes

• Workaround segfault in crun v1.11+ when no resource limits are specified. https://github.com/containers/crun/issues/1402

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.1.tar.gz download below to obtain and install SingularityCE 4.1.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.6

- Go
Published by dtrudg about 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.1.0

SingularityCE 4.1.0 is the first release in the 4.1 series, introducing Dockerfile builds, multi-layer OCI-SIF images, and many other improvements. See the release notes below, and the user and admin guides for more information:

• https://docs.sylabs.io/guides/4.1/admin-guide/new.html
• https://docs.sylabs.io/guides/4.1/user-guide/new.html

Changed defaults / behaviours

• --oci mode containers and native mode instances can now be successfully started as a non-root user on cgroups v2 systems when both:
  • The system configuration / environment does not provide the correct information necessary to communicate with systemd via dbus.
  • Resource limits (e.g. --cpus) have not been requested.

The container / instance will be started in the current cgroup, and information about the configuration issue displayed to the user as warnings. - In native mode, SIF/SquashFS container images will now be mounted with squashfuse when kernel mounts are disabled in singularity.conf, or cannot be used (non-setuid / user namespace workflow). If the FUSE mount fails, Singularity will fall back to extracting the container to a temporary sandbox in order to run it. - In native mode, bare extfs container images will now be mounted with fuse2fs when kernel mounts are disabled in singularity.conf, or cannot be used (non-setuid / user namespace workflow).

New Features & Functionality

• The registry login and registry logout commands now support a --authfile <path> flag, which causes the OCI credentials to be written to / removed from a custom file located at <path> instead of the default location ($HOME/.singularity/docker-config.json). The commands pull, push, run, exec, shell, and instance start can now also be passed a --authfile <path> option, to read OCI registry credentials from this custom file.
• A new --keep-layers flag, for the pull and run/shell/exec/instance startcommands, allows individual layers to be preserved when an OCI-SIF image is created from an OCI source. Multi layer OCI-SIF images can be run with SingularityCE 4.1 and later.
• Singularity will now build OCI-SIF images from Dockerfiles, if the --oci flag is used with the build command. Provide a Dockerfile as the final argument to build, instead of a Singularity definition (.def) file. Supports --build-arg / --build-arg-file options, --arch for cross-architecture builds, --authfile and other authentication options, and more. See the user guide for more information.
• Docker-style SCIF containers (https://sci-f.github.io/tutorial-preview-install) are now supported. If the entrypoint of an OCI container is the scif executable, then the run / exec / shell commands in --oci mode can be given the --app <appname> flag, and will automatically invoke the relevant SCIF command.
• A new --tmp-sandbox flag has been added to the run / shell / exec / instance start commands. This will force Singularity to extract a container to a temporary sandbox before running it, when it would otherwise perform a kernel or FUSE mount.

Bug Fixes

• Added missing tmp sandbox directive to singularity.conf template.

Deprecated Functionality

• The experimental --sif-fuse flag, and sif fuse directive in singularity.conf are deprecated. The flag and directive were used to enable experimental mounting of SIF/SquashFS container images with FUSE in prior versions of Singularity. From 4.1, FUSE mounts are used automatically when kernel mounts are disabled / not available.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.0.tar.gz download below to obtain and install SingularityCE 4.1.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.6

- Go
Published by dtrudg about 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.1.0 Release Candidate 1

SingularityCE 4.1.0-rc.1 is the first release candidate for the upcoming SingularityCE 4.1.0 release. This release candidate is intended to allow testing of new functionality and existing workflows. We welcome any and all feedback you are able to provide.

The release candidate is not intented for production use. Please see the latest 4.0.3 stable release instead.

Changed defaults / behaviours

• In native mode, SIF/SquashFS container images will now be mounted with squashfuse when kernel mounts are disabled in singularity.conf, or cannot be used (non-setuid / user namespace workflow). If the FUSE mount fails, Singularity will fall back to extracting the container to a temporary sandbox in order to run it.
• In native mode, bare extfs container images will now be mounted with fuse2fs when kernel mounts are disabled in singularity.conf, or cannot be used (non-setuid / user namespace workflow).

New Features & Functionality

• The registry login and registry logout commands now support a --authfile <path> flag, which causes the OCI credentials to be written to / removed from a custom file located at <path> instead of the default location ($HOME/.singularity/docker-config.json). The commands pull, push, run, exec, shell, and instance start can now also be passed a --authfile <path> option, to read OCI registry credentials from this custom file.
• A new --keep-layers flag, for the pull and run/shell/exec/instance startcommands, allows individual layers to be preserved when an OCI-SIF image is created from an OCI source. Multi layer OCI-SIF images can be run with SingularityCE 4.1 and later.
• Singularity will now build OCI-SIF images from Dockerfiles, if the --oci flag is used with the build command. Provide a Dockerfile as the final argument to build, instead of a Singularity definition (.def) file. Supports --build-arg / --build-arg-file options, --arch for cross-architecture builds, --authfile and other authentication options, and more. See the user guide for more information.
• Docker-style SCIF containers (https://sci-f.github.io/tutorial-preview-install) are now supported. If the entrypoint of an OCI container is the scif executable, then the run / exec / shell commands in --oci mode can be given the --app <appname> flag, and will automatically invoke the relevant SCIF command.
• A new --tmp-sandbox flag has been added to the run / shell / exec / instance start commands. This will force Singularity to extract a container to a temporary sandbox before running it, when it would otherwise perform a kernel or FUSE mount.

Deprecated Functionality

• The experimental --sif-fuse flag, and sif fuse directive in singularity.conf are deprecated. The flag and directive were used to enable experimental mounting of SIF/SquashFS container images with FUSE in prior versions of Singularity. From 4.1, FUSE mounts are used automatically when kernel mounts are disabled / not available.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.0.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.6

- Go
Published by dtrudg about 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.0.3

SingularityCE 4.0.3 is a patch release in the 4.0 series, with bug fixes along with dependency updates.

Bug Fixes

• Use kernel overlayfs instead of fuse-overlayfs when running as root user, regardless of unprivileged kernel overlay support.
• Execute correct %appstart script when using instance start with --app.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.0.3.tar.gz download below to obtain and install SingularityCE 4.0.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.6

- Go
Published by dtrudg about 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.0.2

SingularityCE 4.0.2 is a patch release in the 4.0 series, with bug fixes and minor updates.

Changed defaults / behaviours

• Added libnvidia-nvvm to nvliblist.conf. Newer NVIDIA Drivers (known with >= 525.85.05) require this lib to compile OpenCL programs against NVIDIA GPUs, i.e. libnvidia-opencl depends on libnvidia-nvvm.

Bug Fixes

• Support parentheses in test / [ commands in container startup scripts, via dependency update of mvdan.cc/sh.
• Fix incorrect client timeout during remote build context upload.
• When user requests a bind of /dev:/dev or /dev/xxx:/dev/xxx in OCI-mode, ensure that it is bind mounted with appropriate flags so that it is usable in the container.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.0.1.tar.gz download below to obtain and install SingularityCE 4.0.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.4

- Go
Published by dtrudg over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.0.1

SingularityCE 4.0.1 is a patch release in the 4.0 series, with bug fixes and minor updates.

New Features & Functionality

• Added the upcoming NVIDIA driver library libnvidia-gpucomp.so to the list of libraries to add to NVIDIA GPU-enabled containers.

Bug Fixes

• Don't bind /var/tmp on top of /tmp in the container, where /var/tmp resolves to same location as /tmp.
• Fix problem where credentials locally stored with registry login command were not usable in some execution flows. Run registry login again with latest version to ensure credentials are stored correctly.
• Don't fail in a yum bootstrap on systems where the dbbackend rpm macros is not defined (EL <8).

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.0.1.tar.gz download below to obtain and install SingularityCE 4.0.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.3

- Go
Published by dtrudg over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.0.0

We are pleased to announce the availability of SingularityCE 4.0.0. This is a new major version, with the new OCI-mode becoming fully supported and expanded to use OCI-SIF images. v4.0.0 also introduces a number of CLI improvements, templating support for definition files, improved platform/architecture handling for OCI images, and much more.

Please review the changelog carefully, as it highlights behavior changes that may impact some workflows. You may also wish to read the 'What's new in SingularityCE 4.0' sections of the:

• SingularityCE User Guide
• SingularityCE Administrator Guide

OCI-mode

Singularity 4 introduces OCI-mode as a fully supported feature. It is enabled by using the --oci flag with the run / shell / exec / pull commands, or by setting oci mode = yes in singularity.conf.

In OCI-mode:

• Container images from OCI sources will be pull-ed to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI, rather than Singularity specific, structure.
• The run / shell / exec commands use a low-level OCI runtime (crun/runc) for container execution.
• Default operation is compatible with other OCI tools, similar to using --compat in Singularity's non-OCI native mode.
• OCI-modes support running existing Singularity non-OCI-SIF images, and can be made to imitate native mode default behavior by using the --no-compat flag.

OCI-mode changes from 3.11 to 4.0 include:

• run / shell / exec in OCI-mode now includes support for the following existing CLI flags:
  • --add-caps
  • --drop-caps
  • --keep-privs
  • --no-privs
  • --overlay from directories, bare squashfs and extfs images.
  • --workdir
  • --scratch
  • --no-home
  • --no-mount (dev cannot be disabled in OCI mode)
  • --no-umask (with --no-compat)
  • --writable-tmpfs (with --no-compat)
• Added --device flag to "action" commands (run/exec/shell) when run in OCI mode (--oci). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
• Added --cdi-dirs flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with --fakeroot, for example).
• A container run as root, or with --fakeroot, has OCI default effective/permitted capabilities.
• An --env-file is evaluated with respect to the host environment, to match native mode behaviour.
• If the kernel does not support unprivileged overlays, OCI-mode will attempt to use fuse-overlayfs and fusermount for overlay mounting and unmounting.
• Support for thee SINGULARITY_CONTAINLIBS env var, to specify libraries to bind into /.singularity.d/libs/ in the container.
• Support for running OCI-SIF images directly from docker://, http://, https:// and oras:// URIs.
• A new --no-compat flag can be used with OCI-mode to mirror singularity's historic native mode behavior on a variety of settings, instead of setting them the way other OCI runtimes typically do:
  • $HOME, /tmp, /var/tmp are bind mounted from the host.
  • The full /dev is bind mounted from the host, unless mount dev = minimal in singularity.conf (requires crun, not applied with runc).
  • bind path entries in singularity.conf are mounted into the container.
  • The current working directory is mounted into the container, and is the entry point into the container.
  • The container is read-only unless --writable-tmpfs is also used.
  • The host umask is propagated into the container, unless --no-umask is also used.
  • When a native (non-OCI-SIF) image is run in OCI-mode, environment variables will be shell evaluated on container startup.
• The pull command now accepts a new flag --oci for OCI image sources. This will create an OCI-SIF image rather than convert to Singularity's native container format.
• OCI-SIF containers can be pushed/pulled to/from OCI registries as single file artifacts using oras:// URIs.
• OCI-SIF containers can be pushed/pulled to/from registries as OCI images, with a single squashfs layer, using docker:// URIs.
• A new oci mode directive in singularity.conf can be set to true to enable OCI-mode by default. It can be negated with a new --no-oci command line flag.

See the admin guide and user guide for full requirements of OCI-mode and usage information.

Changed defaults / behaviours

Packages / Requirements

• RPM packages now use /var/lib/singularity (rather than /var/singularity) to store local state files.
• Bash completions are now install to the modern share/bash-completion/completions location, rather than under etc.
• The --vm and related flags to start singularity inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
• Singularity uses squashfuse_ll / squashfuse, which is now built from a git submodule unless --without-squashfuse is specified as an argument to mconfig. When built with --without-squashfuse, squashfuse_ll or squashfuse will be located on PATH. Version 0.2.0 or later is required.

CLI

• The commands related to OCI/Docker registries that were under remote have been moved to their own, dedicated registry command. Run singularity help registry for more information.
• The remote list subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
• Adding a new remote endpoint using the singularity remote add command will now set the new endpoint as default. This behavior can be suppressed by supplying the --no-default (or -n) flag to remote add.
• The keyserver-related commands that were under remote have been moved to their own, dedicated keyserver command. Run singularity help keyserver for more information.
• Improved the clarity of singularity key list output.
• --cwd is now the preferred form of the flag for setting the container's working directory, though --pwd is still supported for compatibility.

Runtime Behaviour

• The way --home is handled when running as root (e.g. sudo singularity) or with --fakeroot has changed. Previously, we were only modifying the HOME environment variable in these cases, while leaving the container's /etc/passwd file unchanged (with its homedir field pointing to /root, regardless of the value passed to --home). With this change, both the value of HOME and the contents of /etc/passwd in the container will reflect the value passed to --home.
• Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the SINGULARITY_BIND environment variable. (Previously, image-mounts were always performed first, regardless of order.)
• Default OCI config generated with singularity mount no longer sets any inheritable / ambient capabilites, matching other OCI runtimes.
• singularity oci mount now uses, and requires, squashfuse_ll or squashfuse to mount a SIF image to an OCI bundle. Note that squashfuse_ll is built with singularity unless --without-squashfuse is passed to mconfig.
• The current working directory is created in the container when it doesn't exist, so that it can be entered. You must now specify --no-mount home,cwd instead of just --no-mount home to avoid mounting from $HOME if you run singularity from inside $HOME.
• If the path of the current working directory in the container and on the host contain symlinks to different locations, it will not be mounted.

New Features & Functionality

• Templating support for definition files: users can now define variables in definition files via a matching pair of double curly brackets. Variables of the form {{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file, or through new build options --build-arg or --build-arg-file.
• Added --secret flag (shorthand: -s) to key remove subcommand, to allow removal of a private key by fingerprint.
• Added --private as a synonym for --secret in key list, key export, and key remove subcommands.
• The remote status command will now print the username, realname, and email of the logged-in user, if available.
• The cache commands now accept --type oci-sif to list and clean cached OCI-SIF image conversions of OCI sources.
• The instance start command now accepts an optional --app <name> argument which invokes start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.
• A new --no-pid flag for singularity run/shell/exec disables the PID namespace inferred by --containall and --compat.
• A new --platform flag can be used to specify an OS/Architecture[/Variant] when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.
• The --arch flag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.
• Execution flows that unpack an image into a temporary sandbox dir can now be disabled, by setting "tmp sandbox = no" in singularity.conf or by passing --no-tmp-sandbox to the relevant run / shell / exec command.

Developer / API

• Support for image driver plugins, deprecated at 3.11, has been removed. Unprivileged kernel overlay is supported without a plugin. In singularity.conf, the image driver directive has been removed, and enable overlay no longer supports the driver option.
• Changes in pkg/build/types.Definition struct. New .FullRaw field introduced, which always contains the raw data for the entire definition file. Behavior of .Raw field has changed: for multi-stage builds parsed with pkg/build/types/parser.All(), .Raw contains the raw content of a single build stage. Otherwise, it is equal to .FullRaw.
• The SingularityCE go module is now github.com/sylabs/singularity/v4, reflecting the major version of the application.

Bug Fixes

• Fix interaction between --workdir when given relative path and --scratch.
• Set correct $HOME in --oci mode when mount home = no in singularity.conf.
• Lookup and store user/group information in stage one prior to entering any namespaces to fix issue with winbind not correctly lookup user/group information when using user namespace.
• Caching of OCI images is now architecture aware. This fixes behaviour where a user's home directory is shared between systems of different architectures.
• Fix compilation with the mconfig -b option (custom builddir).

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.0.0.tar.gz download below to obtain and install SingularityCE 4.0.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.1

- Go
Published by dtrudg over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.5

SingularityCE 3.11.5 is a patch release in the 3.11 series, with changes detailed below.

Changed defaults / behaviours

• If commands that expect an image file are given an OCI-SIF image, an error will be generated advising the user that this format is only supported in versions 4.0 and up.

Bug Fixes

• Improved help text for compile and install subcommands of plugin command. Thanks to tonghuaroot (https://github.com/tonghuaroot) for the suggested improvements.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.5.tar.gz download below to obtain and install SingularityCE 3.11.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.1

- Go
Published by preminger over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.0.0 Release Candidate 2

SingularityCE 4.0.0-rc.2 is a release candidate for the upcoming 4.0.0 release, with the changes detailed below relative to 4.0.0-rc.1.

See the 4.0.0-rc.1 release notes for a full changelog.

OCI-mode

• If system does not meet the requirements for using OCI-SIF, OCI mode will fall back to a filesystem-based strategy: the OCI container will be unpacked into a temporary sandbox dir and run from there.

New Features & Functionality

• Execution flows that unpack an image into a temporary sandbox dir can now be disabled, by setting "tmp sandbox = no" in singularity.conf or by passing --no-tmp-sandbox to the relevant run / shell / exec command.

Bug Fixes

• Improved help text for compile and install subcommands of plugin command. Thanks to tonghuaroot (https://github.com/tonghuaroot) for the suggested improvements.
• Fix compilation with the mconfig -b option (custom builddir).

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.0.0-rc.2.tar.gz download below to obtain and install SingularityCE 4.0.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.0

- Go
Published by dtrudg over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 4.0.0 Release Candidate 1

SingularityCE 4.0.0-rc.1 is a release candidate for the upcoming 4.0.0 release, with changes detailed below.

OCI-mode

Singularity 4 introduces OCI-mode as a fully supported feature. It is enabled by using the --oci flag with the run / shell / exec / pull commands, or by setting oci mode = yes in singularity.conf.

In OCI-mode:

• Container images from OCI sources will be pull-ed to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI, rather than Singularity specific, structure.
• The run / shell / exec commands use a low-level OCI runtime (crun/runc) for container execution.
• Default operation is compatible with other OCI tools, similar to using --compat in Singularity's non-OCI native mode.
• OCI-modes support running existing Singularity non-OCI-SIF images, and can be made to imitate native mode default behavior by using the --no-compat flag.

OCI-mode changes from 3.11 to 4.0 include:

• run / shell / exec in OCI-mode now includes support for the following existing CLI flags:
  • --add-caps
  • --drop-caps
  • --keep-privs
  • --no-privs
  • --overlay from directories, bare squashfs and extfs images.
  • --workdir
  • --scratch
  • --no-home
  • --no-mount (dev cannot be disabled in OCI mode)
  • --no-umask (with --no-compat)
  • --writable-tmpfs (with --no-compat)
• Added --device flag to "action" commands (run/exec/shell) when run in OCI mode (--oci). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
• Added --cdi-dirs flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with --fakeroot, for example).
• A container run as root, or with --fakeroot, has OCI default effective/permitted capabilities.
• An --env-file is evaluated with respect to the host environment, to match native mode behaviour.
• If the kernel does not support unprivileged overlays, OCI-mode will attempt to use fuse-overlayfs and fusermount for overlay mounting and unmounting.
• Support for thee SINGULARITY_CONTAINLIBS env var, to specify libraries to bind into /.singularity.d/libs/ in the container.
• Support for running OCI-SIF images directly from docker://, http://, https:// and oras:// URIs.
• A new --no-compat flag can be used with OCI-mode to mirror singularity's historic native mode behavior on a variety of settings, instead of setting them the way other OCI runtimes typically do:
  • $HOME, /tmp, /var/tmp are bind mounted from the host.
  • The full /dev is bind mounted from the host, unless mount dev = minimal in singularity.conf (requires crun, not applied with runc).
  • bind path entries in singularity.conf are mounted into the container.
  • The current working directory is mounted into the container, and is the entry point into the container.
  • The container is read-only unless --writable-tmpfs is also used.
  • The host umask is propagated into the container, unless --no-umask is also used.
  • When a native (non-OCI-SIF) image is run in OCI-mode, environment variables will be shell evaluated on container startup.
• The pull command now accepts a new flag --oci for OCI image sources. This will create an OCI-SIF image rather than convert to Singularity's native container format.
• OCI-SIF containers can be pushed/pulled to/from OCI registries as single file artifacts using oras:// URIs.
• OCI-SIF containers can be pushed/pulled to/from registries as OCI images, with a single squashfs layer, using docker:// URIs.
• A new oci mode directive in singularity.conf can be set to true to enable OCI-mode by default. It can be negated with a new --no-oci command line flag.

See the admin guide and user guide for full requirements of OCI-mode and usage information.

Changed defaults / behaviours

Packages / Requirements

• RPM packages now use /var/lib/singularity (rather than /var/singularity) to store local state files.
• Bash completions are now install to the modern share/bash-completion/completions location, rather than under etc.
• The --vm and related flags to start singularity inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
• Singularity uses squashfuse_ll / squashfuse, which is now built from a git submodule unless --without-squashfuse is specified as an argument to mconfig. When built with --without-squashfuse, squashfuse_ll or squashfuse will be located on PATH. Version 0.2.0 or later is required.

CLI

• The commands related to OCI/Docker registries that were under remote have been moved to their own, dedicated registry command. Run singularity help registry for more information.
• The remote list subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
• Adding a new remote endpoint using the singularity remote add command will now set the new endpoint as default. This behavior can be suppressed by supplying the --no-default (or -n) flag to remote add.
• The keyserver-related commands that were under remote have been moved to their own, dedicated keyserver command. Run singularity help keyserver for more information.
• Improved the clarity of singularity key list output.
• --cwd is now the preferred form of the flag for setting the container's working directory, though --pwd is still supported for compatibility.

Runtime Behaviour

• The way --home is handled when running as root (e.g. sudo singularity) or with --fakeroot has changed. Previously, we were only modifying the HOME environment variable in these cases, while leaving the container's /etc/passwd file unchanged (with its homedir field pointing to /root, regardless of the value passed to --home). With this change, both the value of HOME and the contents of /etc/passwd in the container will reflect the value passed to --home.
• Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the SINGULARITY_BIND environment variable. (Previously, image-mounts were always performed first, regardless of order.)
• Default OCI config generated with singularity mount no longer sets any inheritable / ambient capabilites, matching other OCI runtimes.
• singularity oci mount now uses, and requires, squashfuse_ll or squashfuse to mount a SIF image to an OCI bundle. Note that squashfuse_ll is built with singularity unless --without-squashfuse is passed to mconfig.
• The current working directory is created in the container when it doesn't exist, so that it can be entered. You must now specify --no-mount home,cwd instead of just --no-mount home to avoid mounting from $HOME if you run singularity from inside $HOME.
• If the path of the current working directory in the container and on the host contain symlinks to different locations, it will not be mounted.

New Features & Functionality

• Templating support for definition files: users can now define variables in definition files via a matching pair of double curly brackets. Variables of the form {{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file, or through new build options --build-arg or --build-arg-file.
• Added --secret flag (shorthand: -s) to key remove subcommand, to allow removal of a private key by fingerprint.
• Added --private as a synonym for --secret in key list, key export, and key remove subcommands.
• The remote status command will now print the username, realname, and email of the logged-in user, if available.
• The cache commands now accept --type oci-sif to list and clean cached OCI-SIF image conversions of OCI sources.
• The instance start command now accepts an optional --app <name> argument which invokes start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.
• A new --no-pid flag for singularity run/shell/exec disables the PID namespace inferred by --containall and --compat.
• A new --platform flag can be used to specify an OS/Architecture[/Variant] when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.
• The --arch flag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.

Developer / API

• Support for image driver plugins, deprecated at 3.11, has been removed. Unprivileged kernel overlay is supported without a plugin. In singularity.conf, the image driver directive has been removed, and enable overlay no longer supports the driver option.
• Changes in pkg/build/types.Definition struct. New .FullRaw field introduced, which always contains the raw data for the entire definition file. Behavior of .Raw field has changed: for multi-stage builds parsed with pkg/build/types/parser.All(), .Raw contains the raw content of a single build stage. Otherwise, it is equal to .FullRaw.
• The SingularityCE go module is now github.com/sylabs/singularity/v4, reflecting the major version of the application.

Bug Fixes

• Fix interaction between --workdir when given relative path and --scratch.
• Set correct $HOME in --oci mode when mount home = no in singularity.conf.
• Lookup and store user/group information in stage one prior to entering any namespaces to fix issue with winbind not correctly lookup user/group information when using user namespace.
• Caching of OCI images is now architecture aware. This fixes behaviour where a user's home directory is shared between systems of different architectures.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.0.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.0.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.0

- Go
Published by dtrudg over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.4

SingularityCE 3.11.4 is a patch release in the 3.11 series, with changes detailed below.

Changed defaults / behaviours

• Add xino=on mount option for writable kernel overlay mount points to fix inode numbers consistency after kernel cache flush.

New Features & Functionality

• The tap CNI plugin, new to github.com/containernetworking/plugins v1.3.0, is now provided.
• Added remote get-login-password subcommand that allows the user to retrieve a CLI token to interact with the OCI registry of a Singularity Enterprise instance.
• Added --no-setgroups flag for --fakeroot builds and run/shell/exec. This prevents the setgroups syscall being used on the container process in the fakeroot user namespace. Maintains access from within the user namespace to files on the host that have permissions based on supplementary group membership. Note that supplementary groups are mapped to nobody in the container, and chgrp, newgrp, etc. cannot be used.
• Added ability to set a custom user config directory (default $HOME/.singularity) via the new SINGULARITY_CONFIGDIR environment variable.

Bug Fixes

• In --oci mode, do not attempt to use unprivileged overlay on systems that do not support it.
• Fix dropped "n" characters on some platforms in definition file stored as part of SIF metadata.
• Pass STDIN to --oci containers correctly, to fix piping input to a container.
• Fix compilation on 32-bit systems.
• Fix seccomp filters to allow mknod/mknodat syscalls to create pipe/socket and character devices with device number 0 for fakeroot builds.
• Fix freeze when copying files between stages in an unprivileged proot build.
• Fix non-POSIX sh operator in mconfig.
• Correct internal name for CAPBLOCKSUSPEND.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.4.tar.gz download below to obtain and install SingularityCE 3.11.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.5

- Go
Published by dtrudg over 2 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.3

SingularityCE 3.11.3 is a patch release in the 3.11 series, with changes detailed below.

Changed defaults / behaviours

• --oci mode now provides a writable container by default, using a tmpfs overlay. This improves parity with --compat mode in the native runtime, as --compat enables --writable-tmpfs.

Bug Fixes

• Ensure the allow kernel squashfs directive in singularity.conf applies to encrypted squashfs filesystems in a SIF.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.3.tar.gz download below to obtain and install SingularityCE 3.11.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.4

- Go
Published by preminger almost 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.2

SingularityCE 3.11.2 is a patch release in the 3.11 series, with changes detailed below.

New Features & Functionality

• OCI mode now supports --hostname (requires UTS namespace, therefore this flag will infer --uts).
• OCI mode now supports --scratch (shorthand: -S) to mount a tmpfs scratch directory in the container.
• Support --pwd in OCI mode.
• OCI mode now supports --home. Supplying a single location (e.g. --home /myhomedir) will result in a new tmpfs directory being created at the specified location inside the container, and that dir being set as the in-container user's home dir. Supplying two locations separated by a colon (e.g. --home /home/user:/myhomedir) will result in the first location on the host being bind-mounted as the second location in-container, and set as the in-container user's home dir.
• OCI mode now handles --dns and resolv.conf on par with native mode: the --dns flag can be used to pass a comma-separated list of DNS servers that will be used in the container; if this flag is not used, the container will use the same resolv.conf settings as the host.
• Added allow kernel squashfs directive to singularity.conf. Defaults to yes. When set to no, Singularity will not mount squashfs filesystems using the kernel squashfs driver.
• Added allow kernel extfs directive to singularity.conf. Defaults to yes. When set to no, Singularity will not mount extfs filesystems using the kernel extfs driver.

Bug Fixes

• Require runc in RPM packages built on SLES, not crun, because crun is part of the Package Hub community repository that may not be enabled. SingularityCE will still prefer crun if it has been installed.
• Use /dev/loop-control for loop device creation, to avoid issues with recent kernel patch where max_loop is not set.
• Always request inner userns in --oci mode without --fakeroot, so that inner id mapping is applied correctly.
• Use correct target uid/gid for inner id mappings in --oci mode.
• Avoid runc cgroup creation error when using --oci from a root-owned cgroup (e.g. ssh login session scope).
• Pass host's TERM environment variable to container in OCI mode. Can be overridden by setting SINGULARITYENV_TERM on host.
• Honour config passwd and config group directives from singularity.conf in --oci mode.
• Honour mount proc / mount sys / mount tmp / mount home directives from singularity.conf in --oci mode.
• Corrected singularity.conf comment, to refer to correct file as source of default capabilities when root default capabilities = file.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.2.tar.gz download below to obtain and install SingularityCE 3.11.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.3

- Go
Published by preminger almost 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.1

SingularityCE 3.11.1 is a bugfix patch release in the 3.11 series, with changes detailed below.

New Features & Functionality

• Add setopt definition file header for the yum bootstrap agent. The setopt value is passed to yum / dnf using the --setopt flag. This permits setting e.g. install_weak_deps=False to bootstrap recent versions of Fedora, where systemd (a weak dependency) cannot install correctly in the container. See examples/Fedora for an example defintion file.
• Warn user that a yum bootstrap of an older distro may fail if the host rpm _db_backend is not bdb.

Bug Fixes

• Fix implied --writable-tmpfs with --nvccli, to avoid r/o filesytem error.
• Avoid incorrect error when requesting fakeroot network.
• Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where unsquashfs on host uses libraries in non-default paths.
• Show correct memory limit in instance stats when a limit is set.
• Ensure consistent binding of libraries under --nv/--rocm when duplicate <library>.so[.version] files are listed by ldconfig -p.
• Fix systemd cgroup manager error when running a container as a non-root user with --oci, on systems with cgroups v1 and runc.
• Fix joining cgroup of instance started as root, with cgroups v1, non-default cgroupfs manager, and no device rules.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.1.tar.gz download below to obtain and install SingularityCE 3.11.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.2

- Go
Published by dtrudg almost 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.0

SingularityCE 3.11.0 is the first release in the 3.11 series, with changes, new features, and bug fixes detailed below.

Changed defaults / behaviours

• Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
• When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
• crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
• sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
• Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionality

Image Building

• Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
• Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
  • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
  • Do not support %pre and %setup sections.
  • Run the %post sections of a build in the container as an emulated root user.
  • Run the %test section of a build as the non-root user, like singularity test.
  • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
  • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

• Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
• A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
• Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

• --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
• The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
• Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
• Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

• Support for DOCKER_HOST parsing when using docker-daemon://
• DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
• A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
  • Runs OCI container images from an OCI bundle, using runc or crun.
  • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
  • Does not support running Singularity SIF, SquashFS, or EXT3 images.
  • Provides an environment similar to Singularity's native runtime, running with --compat.
  • Supports the following options / flags. Other options are not yet supported:
  • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
  • Bind mounts via --bind or --mount. No image mounts.
  • Additional namespaces requests with --net, --uts, --user.
  • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
  • --rocm to bind ROCm GPU libraries and devices into the container.
  • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
  • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

• The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
• The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
• The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the --certificate-intermediates flag.
• Support for online verification checks of x509 certificates using OCSP protocol. (introduced flag: verify --ocsp-verify)

Other

• Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
• A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

• In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
• Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.
• Avoid UID / GID readonly var warnings with --env-file.

Development / Testing

• Significant reduction in the use of network image sources in the e2e tests.
• Improved parallelization and use of image caches in the e2e tests.
• The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
• The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0.tar.gz download below to obtain and install SingularityCE 3.11.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.5

- Go
Published by dtrudg about 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.0 Release Candidate 2

This is the second release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.

3.11.0 Release Candidate 2 [2023-02-02]

Bug Fixes

• Avoid UID / GID readonly var warnings with --env-file.
• Ensure proot flow does not override --remote build.

3.11.0 Release Candidate 1 [2023-01-11]

Changed defaults / behaviours

• Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
• When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
• crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
• sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
• Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionalities

Image Building

• Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
• Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
  • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
  • Do not support %pre and %setup sections.
  • Run the %post sections of a build in the container as an emulated root user.
  • Run the %test section of a build as the non-root user, like singularity test.
  • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
  • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

• Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
• A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
• Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

• --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
• The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
• Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
• Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

• Support for DOCKER_HOST parsing when using docker-daemon://
• DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
• A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
  • Runs OCI container images from an OCI bundle, using runc or crun.
  • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
  • Does not support running Singularity SIF, SquashFS, or EXT3 images.
  • Provides an environment similar to Singularity's native runtime, running with --compat.
  • Supports the following options / flags. Other options are not yet supported:
  • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
  • Bind mounts via --bind or --mount. No image mounts.
  • Additional namespaces requests with --net, --uts, --user.
  • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
  • --rocm to bind ROCm GPU libraries and devices into the container.
  • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
  • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

• The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
• The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
• The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the --certificate-intermediates flag.
• Support for online verification checks of x509 certificates using OCSP protocol. (introduced flag: verify --ocsp-verify)

Other

• Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
• A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

• In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
• Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.

Development / Testing

• Significant reduction in the use of network image sources in the e2e tests.
• Improved parallelization and use of image caches in the e2e tests.
• The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
• The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

- Go
Published by dtrudg about 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.5

SingularityCE 3.10.5 is a security release in the 3.10 series.

We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.

Security Related Fixes

• CVE-2022-23538: The github.com/sylabs/scs-library-client dependency included in SingularityCE >=3.10.0, <3.10.5 may leak user credentials to a third-party service via HTTP redirect. This issue is limited to library:// access to specific Singularity Enterprise 1.x or 3rd party library configurations, which plement a concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. See the linked advisory for full details.

Commit https://github.com/sylabs/singularity/pull/1249/commits/7b841c59c5f802a800973d00aef90027fde19014 updates the dependency, bringing in the fix.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.5.tar.gz download below to obtain and install SingularityCE 3.10.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.5

- Go
Published by dtrudg about 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.11.0 Release Candidate 1

This is the first release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.

Changed defaults / behaviours

• Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
• When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
• crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
• sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
• Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionalities

Image Building

• Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
• Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
  • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
  • Do not support %pre and %setup sections.
  • Run the %post sections of a build in the container as an emulated root user.
  • Run the %test section of a build as the non-root user, like singularity test.
  • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
  • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

• Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
• A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
• Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

• --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
• The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
• Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
• Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

• Support for DOCKER_HOST parsing when using docker-daemon://
• DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
• A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
  • Runs OCI container images from an OCI bundle, using runc or crun.
  • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
  • Does not support running Singularity SIF, SquashFS, or EXT3 images.
  • Provides an environment similar to Singularity's native runtime, running with --compat.
  • Supports the following options / flags. Other options are not yet supported:
  • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
  • Bind mounts via --bind or --mount. No image mounts.
  • Additional namespaces requests with --net, --uts, --user.
  • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
  • --rocm to bind ROCm GPU libraries and devices into the container.
  • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
  • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

• The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
• The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
• The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the --certificate-intermediates flag.
• Support for online verification checks of x509 certificates using OCSP protocol. (introduced flag: verify --ocsp-verify)

Other

• Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
• A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

• In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
• Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.

Development / Testing

• Significant reduction in the use of network image sources in the e2e tests.
• Improved parallelization and use of image caches in the e2e tests.
• The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
• The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

- Go
Published by dtrudg about 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.4

SingularityCE 3.10.4 is a bugfix release in the 3.10 series.

Bug Fixes

• Ensure make dist doesn't include conmon binary or intermediate files.
• Do not hang on pull from http(s) source that doesn't provide a content-length.
• Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.4.tar.gz download below to obtain and install SingularityCE 3.10.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

- Go
Published by dtrudg over 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.3

SingularityCE 3.10.3 is a security and bugfix release in the 3.10 series. It fixes a vulnerability related to the verification of SIF container image signatures, in the github.com/sylabs/sif dependency, by updating to sif v2.8.1.

We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.

Security Related Fixes

• CVE-2022-39237: The github.com/sylabs/sif/v2 dependency included in SingularityCE <=3.10.3 does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. This release updates to sif v2.8.1 which corrects this issue. See the linked advisory for references and a workaround.

Bug Fixes

• Ensure bootstrap_history directory is populated with previous definition files, present in source containers used in a build.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.3.tar.gz download below to obtain and install SingularityCE 3.10.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.2

- Go
Published by dtrudg over 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.2

SingularityCE 3.10.2 is a patch release in the 3.10 series. It introduces release packages for EL 9 distributions (RHEL, CentOS Stream, AlmaLinux, Rocky Linux) that are built on AlmaLinux 9. It also fixes a bug in the default runscript for converted OCI containers.

The OCI runscript issue, discovered by the Apptainer project on importing 3.10 series changes from SingularityCE, impacts containers that are directly pulled or built from an OCI source without a custom %runscript. SingularityCE 3.10.0 and 3.10.1 generated a default runscript that could not always be executed by other tools. While execution of these containers with recent versions of SingularityCE is not impacted, we advise upgrading so that all containers built are compatible with other tools.

New features / functionalities

• Added EL9 package builds to CI for GitHub releases.

Bug Fixes

• Ensure no empty if branch is present in generated OCI image runscripts. Would prevent execution of container by other tools that are not using mvdan.cc/sh.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.2.tar.gz download below to obtain and install SingularityCE 3.10.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.18.4

- Go
Published by dtrudg over 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.1

SingularityCE 3.10.1 is a patch release in the 3.10 series, with changes detailed below.

Note - Binary packages released via GitHub for 3.10.1 were built with Go 1.18.4, which addresses a number of CVEs present in earlier versions of Go. Although these are not critically applicable to SingularityCE, you may wish to update if you use the binary packages, or recompile if you build from source.

New features / functionalities

• Debug output can now be enabled by setting the SINGULARITY_DEBUG env var.
• Debug output is now shown for nested singularity calls, in wrapped unsquashfs image extraction, and build stages.

Bug Fixes

• Fix test code that implied %test -c <shell> was supported - it is not.
• Fix compilation on mipsel.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.1.tar.gz download below to obtain and install SingularityCE 3.10.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.4

- Go
Published by dtrudg over 3 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.0

SingularityCE 3.10.0 is the first release in the 3.10 series, with changes, new features, and bug fixes detailed below.

Please note that some dependencies have changed, the master develop branch has been renamed to main, and you should now use --recurse-submodules when git cloning the SingularityCE source code repository, or checking out a branch / release. See the INSTALL.md or admin guide for details.

Changed defaults / behaviours

• master branch of GitHub repository has been renamed to main.
• oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default.
• Default hostname for oci mount containers is now singularity instead of mrsdalloway.
• systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in singularity.conf to manage cgroups directly via the cgroupfs.
• The singularity oci command group now uses runc to manage containers.
• The singularity oci commands use conmon which is built from a git submodule, unless --without-conmon is specified as an argument to mconfig, in which case Singularity will search PATH for conmon. Version >=2.0.24 of conmon is required.
• The singularity oci flags --sync-socket, --empty-process, and --timeout have been removed.
• Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error.
• Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE go.mod file. Required for Go 1.18 support.
• seccomp support is not disabled automatically in the absence of seccomp headers at build time. Run mconfig using --without-seccomp and --without-conmon to disable seccomp support and building of conmon (which requires seccomp headers).
• SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
• Added --no-eval to the list of flags set by the OCI/Docker --compat mode (see below).

New features / functionalities

• Updated seccomp support allows use of seccomp profiles that set an error return code with errnoRet and defaultErrnoRet. Previously EPERM was hard coded. The example etc/seccomp-profiles/default.json has been updated.
• Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups.
• The --no-mount flag & SINGULARITY_NO_MOUNT env var can now be used to disable a bind path entry from singularity.conf by specifying the absolute path to the destination of the bind.
• Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
• Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly.
• Allow experimental direct mount of SIF images with squashfuse in user-namespace / no-setuid mode.
• New action flag --no-eval which:
  • Prevents shell evaluation of SINGULARITYENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
  • Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use singularity inspect to check version that container was built with.
• Add support for %files section in remote builds, when a compatible remote is used.

Bug Fixes

• Allow newgidmap / newuidmap that use capabilities instead of setuid root.
• Corrected key search output for results from some servers, and keys with multiple names.
• Pass through a literal \n in host environment variables to container.
• Address 401 error pulling from private library:// projects.
• Correctly launch CleanupHost process only when needed in --sif-fuse flow.
• Add specific error for unreadable image / overlay file.
• Ensure cgroups device limits are default allow per past behavior.
• Improve error message when remote build server does not support the %files section.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0.tar.gz download below to obtain and install SingularityCE 3.10.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.2

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.0 Release Candidate 2

This is the second release candidate for the upcoming SingularityCE 3.10 release.

The following changes are present in addition to those introduced in RC1 (https://github.com/sylabs/singularity/releases/tag/v3.10.0-rc.1)

New features / functionalities

• Add support for %files section in remote builds, when a compatible remote is used.

Bug Fixes

• Correctly launch CleanupHost process only when needed in --sif-fuse flow.
• Add specific error for unreadable image / overlay file.
• Ensure cgroups device limits are default allow per past behavior.
• Improve error message when remote build server does not support the %files section.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.10.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.2

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.10.0 Release Candidate 1

This is the first release candidate for the upcoming SingularityCE 3.10 release.

We would be grateful for any testing you can perform, and all feedback you can give. As this is a pre-release, you may not want to install it on a production system

Changed defaults / behaviours

• oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default.
• Default hostname for oci mount containers is now singularity instead of mrsdalloway.
• systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in singularity.conf to manage cgroups directly via the cgroupfs.
• The singularity oci command group now uses runc to manage containers.
• The singularity oci commands use conmon which is built from a git submodule, unless --without-conmon is specified as an argument to mconfig, in which case Singularity will search PATH for conmon. Version >=2.0.24 of conmon is required.
• The singularity oci flags --sync-socket, --empty-process, and --timeout have been removed.
• Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error.
• Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE go.mod file. Required for Go 1.18 support.
• seccomp support is not disabled automatically in the absence of seccomp headers at build time. Run mconfig using --without-seccomp and --without-conmon to disable seccomp support and building of conmon (which requires seccomp headers).
• SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
• Added --no-eval to the list of flags set by the OCI/Docker --compat mode (see below).

New features / functionalities

• Updated seccomp support allows use of seccomp profiles that set an error return code with errnoRet and defaultErrnoRet. Previously EPERM was hard coded. The example etc/seccomp-profiles/default.json has been updated.
• Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups.
• The --no-mount flag & SINGULARITY_NO_MOUNT env var can now be used to disable a bind path entry from singularity.conf by specifying the absolute path to the destination of the bind.
• Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
• Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly.
• Allow experimental direct mount of SIF images with squashfuse in user-namespace / no-setuid mode.
• New action flag --no-eval which:
  • Prevents shell evaluation of SINGULARITYENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
  • Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use singularity inspect to check version that container was built with.

Bug Fixes

• Allow newgidmap / newuidmap that use capabilities instead of setuid root.
• Corrected key search output for results from some servers, and keys with multiple names.
• Pass through a literal \n in host environment variables to container.
• Address 401 error pulling from private library:// projects.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.10.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.1

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.9

SingularityCE 3.9.9 is a bugfix / packaging release, with the following changes:

Bug Fixes

• Use HEAD request when checking digest of remote OCI image sources, with GET as a fall-back. Greatly reduces Singularity's impact on Docker Hub API limits.

New features / functionalities

• Add package build for Ubuntu 22.04 LTS.

Known Issues

• When built with Go 1.18, some plugins fail to load (more detail available here). This will be fixed in the next minor release (3.10.x). Users utilizing plugins with SingularityCE 3.9.x should use version 1.17.x of the Go toolchain.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.9.tar.gz download below to obtain and install SingularityCE 3.9.9. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.9

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.8

SingularityCE 3.9.8 is a bugfix release, with the following changes:

In accordance with our Go version compatibility policy, SingularityCE now targets Go 1.17 and Go 1.18. You may need to upgrade from an older Go version to build SingularityCE.

Bug fixes

• Do not truncate environment variables with commas when using --env.
• Fix error when pushing to host-less library:// URIs

Known Issues

• When built with Go 1.18, some plugins fail to load (more detail available here). This will be fixed in the next minor release (3.10.x). Users utilizing plugins with SingularityCE 3.9.x should use version 1.17.x of the Go toolchain.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.8.tar.gz download below to obtain and install SingularityCE 3.9.8. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.8

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.7

SingularityCE 3.9.7 is a bugfix release, with the following changes:

Bug fixes

• Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
• Avoid cleanup panic when invalid file specified for --apply-cgroups.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.7.tar.gz download below to obtain and install SingularityCE 3.9.7. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.8

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.6

SingularityCE 3.9.6 is an architecture support / bugfix release, with the following changes:

New features / functionalities

• SingularityCE now supports the riscv64 architecture.

Bug fixes

• Correct library bindings for unsquashfs containment. Fixes errors where resolved library filename does not match library filename in binary (e.g. EL8, POWER9 with glibc-hwcaps).

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.6.tar.gz download below to obtain and install SingularityCE 3.9.6. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.7

- Go
Published by dtrudg almost 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.5

SingularityCE 3.9.5 is a bugfix release, with the following changes:

Changed defaults / behaviours

• make install now installs man pages. A separate make man is not required.

Bug fixes

• GitHub .deb packages correctly include man pages.
• Update dependency to correctly unset variables in container startup environment processing. Fixes regression in v3.9.2 affecting precedence of host/container environment variables.
• Remove subshell overhead when processing large environments on container startup. Reduces container startup time by >25x for a 5000 variable, 500KiB environment.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.5.tar.gz download below to obtain and install SingularityCE 3.9.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.6

- Go
Published by dtrudg about 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.4

Bug fixes

• Address timeout in library pull single stream download.

This release includes a single bugfix to address context timeout errors that may be experienced when pulling larger images, or small images over a slow connection, from the recently updated Sylabs Cloud or Singularity Enterprise 2.x Library.

The errors affect SingularityCE >=3.9.0

If you pull images from the Sylabs Cloud or Singularity Enterprise 2.x Library, the new 3.9.4 release provides an immediate fix for the problem.

Separately, Sylabs is working to design and implement a server-side mitigation for the issue. If it is possible, this would mitigate the issue without the need to upgrade your SingularityCE installation.

We sincerely apologize for the recent inconvenience following updates to the Sylabs Cloud. We are working to resolve all remaining issues, and will conduct a review to identify process improvements for the future.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.4.tar.gz download below to obtain and install SingularityCE 3.9.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.6

- Go
Published by dtrudg about 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.3

Bug fixes

• Ensure MIGs are visible with --nvccli in non-contained mode, to match the legacy GPU binding behaviour.
• Avoid fd leak in loop device transient error path.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.3.tar.gz download below to obtain and install SingularityCE 3.9.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.5

- Go
Published by dtrudg about 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.2

Bug fixes

• Ensure gengodep in build uses vendor dir when present.
• Fix source of a script on PATH and scoping of environment variables in definition files (via dependency update).
• Ensure a local build does not fail unnecessarily if a keyserver config cannot be retrieved from the remote endpoint.
• Correct documentation for sign command r.e. source of key index.
• Restructure loop device discovery to address an issue where a transient EBUSY error could lead to failure under Arvados. Also greedily try for a working loop device, rather than perform delayed retries on encountering EAGAIN, since we hold an exclusive lock which can block other processes.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.2.tar.gz download below to obtain and install SingularityCE 3.9.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.5

- Go
Published by dtrudg about 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.1

This is a security release for SingularityCE 3.9, addressing a security issue in SingularityCE's dependencies.

Security Related Fixes

• CVE-2021-41190 / GHSA-77vh-xpmg-72qh: OCI specifications allow ambiguous documents that contain both "manifests" and "layers" fields. Interpretation depends on the presence / value of a Content-Type header. SingularityCE dependencies handling the retrieval of OCI images have been updated to versions that reject ambiguous documents.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.1.tar.gz download below to obtain and install SingularityCE 3.9.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

:warning: These packages were built with a Go version (1.17.3) vulnerable to CVE-2021-44717. This is a Go issue, rather than a problem in the SingularityCE code. No direct exploit for SingularityCE has been identified at this time, however ForkExec calls are performed for multiple tasks, and users are encouraged to use updated packages.

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

Note: the +6.g38b50cb version suffix is introduced by packaging automation added after the 3.9.1 release. There are no code/functionality changes vs the 3.9.1 source code.

- Go
Published by dtrudg about 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.0

This is the first release of SingularityCE 3.9, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity.

Changed defaults / behaviours

• Building SingularityCE 3.9.0 requires go >=1.16. We now aim to support the two most recent stable versions of Go. This corresponds to the Go Release Maintenance Policy and Security Policy, ensuring critical bug fixes and security patches are available for all supported language versions.
• LABELs from Docker/OCI images are now inherited. This fixes a longstanding regression from Singularity 2.x. Note that you will now need to use --force in a build to override a label that already exists in the source Docker/OCI container.
• The source paths for %files lines in a definition file are no longer interpreted by a shell. This means that environment variable substitution is not performed. Previously, environment variables were substituted for source paths, but not destination paths, leading to unexpected copy behaviour. Globbing for source files will now follow the Go filepath.Match pattern syntax.
• Removed --nonet flag, which was intended to disable networking for in-VM execution, but has no effect.
• --nohttps flag has been deprecated in favour of --no-https. The old flag is still accepted, but will display a deprecation warning.
• Paths for cryptsetup, go, ldconfig, mksquashfs, nvidia-container-cli, unsquashfs are now found at build time by mconfig and written into singularity.conf. The path to these executables can be overridden by changing the value in singularity.conf.
• When calling ldconfig to find GPU libraries, singularity will not fall back to /sbin/ldconfig if the configured ldconfig errors. If installing in a Guix/Nix on environment on top of a standard host distribution you must set ldconfig path = /sbin/ldconfig to use the host distribution ldconfig to find GPU libraries.
• --nv will not call nvidia-container-cli to find host libraries, unless the new experimental GPU setup flow that employs nvidia-container-cli for all GPU related operations is enabled (see below).
• If a container is run with --nvcli and --contain, only GPU devices specified via the NVIDIA_VISIBLE_DEVICES environment variable will be exposed within the container. Use NVIDIA_VISIBLE_DEVICES=all to access all GPUs inside a container run with --nvccli.
• Example log-plugin rewritten as a CLI callback that can log all commands executed, instead of only container execution, and has access to command arguments.
• The bundled reference CNI plugins are updated to v1.0.1. The flannel plugin is no longer included, as it is maintained as a separate plugin at: https://github.com/flannel-io/cni-plugin. If you use the flannel CNI plugin you should install it from this repository.
• Instances are no longer created with an IPC namespace by default. An IPC namespace can be specified with the -i|--ipc flag.
• The behaviour of the allow container directives in singularity.conf has been modified, to support more intuitive limitations on the usage of SIF and non-SIF container images. If you use these directives, you may need to make changes to singularity.conf to preserve behaviour.
  • A new allow container sif directive permits or denies usage of unencrypted SIF images, irrespective of the filesystem(s) inside the SIF.
  • The allow container encrypted directive permits or denies usage of SIF images with an encrypted root filesystem.
  • The allow container squashfs/extfs directives in singularity.conf permit or deny usage of bare SquashFS and EXT image files only.
  • The effect of the allow container dir directive is unchanged.

New features / functionalities

• --writable-tmpfs can be used with singularity build to run the %test section of the build with a ephemeral tmpfs overlay, permitting tests that write to the container filesystem.
• The --compat flag for actions is a new short-hand to enable a number of options that increase OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network namespaces as these may not be supported on many installations.
• remote add --insecure may be used to configure endpoints that are only accessible via http.
• The experimental --nvccli flag will use nvidia-container-cli to setup the container for Nvidia GPU operation. SingularityCE will not bind GPU libraries itself. Environment variables that are used with Nvidia's docker-nvidia runtime to configure GPU visibility / driver capabilities & requirements are parsed by the --nvccli flag from the environment of the calling user. By default, the compute and utility GPU capabilities are configured. The use nvidia-container-cli option in singularity.conf can be set to yes to always use nvidia-container-cli when supported. Note that in a setuid install, nvidia-container-cli will be run as root with required ambient capabilities. --nvccli is not currently supported in the hybrid fakeroot (setuid install + --fakeroot) workflow. Please see documentation for more details.
• The --apply-cgroups flag can be used to apply cgroups resource and device restrictions on a system using the v2 unified cgroups hierarchy. The resource restrictions must still be specified in the v1 / OCI format, which will be translated into v2 cgroups resource restrictions, and eBPF device restrictions.
• A new --mount flag and SINGULARITY_MOUNT environment variable can be used to specify bind mounts in type=bind,source=<src>,destination=<dst>[,options...] format. This improves CLI compatibility with other runtimes, and allows binding paths containing : and , characters (using CSV style escaping).
• Perform concurrent multi-part downloads for library:// URIs. Uses 3 concurrent downloads by default, and is configurable in singularity.conf or via environment variables.

Bug fixes

• The oci commands will operate on systems that use the v2 unified cgroups hierarchy.
• Ensure invalid values passed to config global --set cannot lead to an empty configuration file being written.
• An invalid remote build source (bootstrap) will be identified before attempting to submit the build.
• --no-https now applies to connections made to library services specified in library://<hostname>/... URIs.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.9.0.tar.gz download below to obtain and install SingularityCE 3.9.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.0 Release Candidate 3

This is the third release candidate for the upcoming SingularityCE 3.9.0. We'd be grateful for all testing, bug reports, and comments, as we look forward to a stable 3.9.0 release. Please carefully review the release notes below, and refer to the 'master branch (unreleased)' documentation at https://sylabs.io/docs/

This is a release candidate for SingularityCE 3.9.0

Changed defaults / behaviours

• The behaviour of the allow container directives in singularity.conf has been modified, to support more intuitive limitations on the usage of SIF and non-SIF container images. If you use these directives, you may need to make changes to singularity.conf to preserve behaviour.
  • A new allow container sif directive permits or denies usage of unencrypted SIF images, irrespective of the filesystem(s) inside the SIF.
  • The allow container encrypted directive permits or denies usage of SIF images with an encrypted root filesystem.
  • The allow container squashfs/extfs directives in singularity.conf permit or deny usage of bare SquashFS and EXT image files only.
  • The effect of the allow container dir directive is unchanged.

New features

• Perform concurrent multi-part downloads for library:// URIs. Uses 3 concurrent downloads by default, and is configurable in singularity.conf or via environment variables.

Bug fixes

• Ensure invalid values passed to config global --set cannot lead to an empty configuration file being written.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.9.0-rc.3.tar.gz download below to obtain and install SingularityCE 3.9.0-rc.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.4

This is a bugfix release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug fixes

• Update oras-go dependency to address push failures to some registry configurations.
• Implement context cancellation when a signal is received in several CLI commands.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.4.tar.gz download below to obtain and install SingularityCE 3.8.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.0 Release Candidate 2

This is the second release candidate for the upcoming SingularityCE 3.9.0. We'd be grateful for all testing, bug reports, and comments, as we look forward to a stable 3.9.0 release. Please carefully review the release notes below, and refer to the 'master branch (unreleased)' documentation at https://sylabs.io/docs/

Security related fixes

• Due to trusting a path to an executable that was incorrectly generated in code that could be manipulated by an unprivileged user, privilege escalation was possible when using the new --nvccli GPU configuration option. This vulnerability affected the 3.9.0-rc.1 release candidate only. Stable releases of SingularityCE are not impacted.

All users who have installed 3.9.0-rc.1 should update to 3.9.0-rc.2

Thanks to @cclerget for reporting this issue.

Changed defaults / behaviours

• The location of the cryptsetup, ldconfig and nvidia-container-cli binaries are always taken from singularity.conf. No $PATH search is performed.

Bug fixes

• Ensure a build with --nvccli runs using nvidia-container-cli and not the legacy gpu support.
• Advise on limitations and provide workaround for inability to run %test in --fakeroot --nvccli builds.

Additionally, this RC includes fixes introduced in SingularityCE 3.8.4

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.9.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.9.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.9.0 Release Candidate 1

This is the first release candidate for the upcoming SingularityCE 3.9.0. We'd be grateful all testing, bug reports, and comments, as we look forward to a stable 3.9.0 release.

Various behavior changes and new features have been introduced. Please carefully review the release notes below, and refer to the 'master branch (unreleased)' documentation at https://sylabs.io/docs/

Changed defaults / behaviours

• Building SingularityCE 3.9.0 requires go >=1.16. We now aim to support the two most recent stable versions of Go. This corresponds to the Go Release Maintenance Policy and Security Policy, ensuring critical bug fixes and security patches are available for all supported language versions.
• LABELs from Docker/OCI images are now inherited. This fixes a longstanding regression from Singularity 2.x. Note that you will now need to use --force in a build to override a label that already exists in the source Docker/OCI container.
• The source paths for %files lines in a definition file are no longer interpreted by a shell. This means that environment variable substitution is not performed. Previously, environment variables were substituted for source paths, but not destination paths, leading to unexpected copy behaviour. Globbing for source files will now follow the Go filepath.Match pattern syntax.
• Removed --nonet flag, which was intended to disable networking for in-VM execution, but has no effect.
• --nohttps flag has been deprecated in favour of --no-https. The old flag is still accepted, but will display a deprecation warning.
• Paths for cryptsetup, go, ldconfig, mksquashfs, nvidia-container-cli, unsquashfs are now found at build time by mconfig and written into singularity.conf. The path to these executables can be overridden by changing the value in singularity.conf. If the path is not set in singularity.conf then the the executable will be found by searching $PATH.
• When calling ldconfig to find GPU libraries, singularity will not fall back to /sbin/ldconfig if the ldconfig on $PATH errors. If installing in a Guix/Nix on environment on top of a standard host distribution you must set ldconfig path = /sbin/ldconfig to use the host distribution ldconfig to find GPU libraries.
• --nv will not call nvidia-container-cli to find host libraries, unless the new experimental GPU setup flow that employs nvidia-container-cli for all GPU related operations is enabled (see below).
• If a container is run with --nvcli and --contain, only GPU devices specified via the NVIDIA_VISIBLE_DEVICES environment variable will be exposed within the container. Use NVIDIA_VISIBLE_DEVICES=all to access all GPUs inside a container run with --nvccli.
• Example log-plugin rewritten as a CLI callback that can log all commands executed, instead of only container execution, and has access to command arguments.
• An invalid remote build source (bootstrap) will be identified before attempting to submit the build.
• The bundled reference CNI plugins are updated to v1.0.1. The flannel plugin is no longer included, as it is maintained as a separate plugin at: https://github.com/flannel-io/cni-plugin. If you use the flannel CNI plugin you should install it from this repository.
• Instances are no longer created with an IPC namespace by default. An IPC namespace can be specified with the -i|--ipc flag.

New features / functionalities

• --writable-tmpfs can be used with singularity build to run the %test section of the build with a ephemeral tmpfs overlay, permitting tests that write to the container filesystem.
• --compat flag for actions is a new short-hand to enable a number of options that increase OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network namespaces as these may not be supported on many installations.
• --no-https now applies to connections made to library services specified in --library://<hostname>/... URIs.
• remote add --insecure may be used to configure endpoints that are only accessible via http.
• The experimental --nvccli flag will use nvidia-container-cli to setup the container for Nvidia GPU operation. SingularityCE will not bind GPU libraries itself. Environment variables that are used with Nvidia's docker-nvidia runtime to configure GPU visibility / driver capabilities & requirements are parsed by the --nvccli flag from the environment of the calling user. By default, the compute and utility GPU capabilities are configured. The use nvidia-container-cli option in singularity.conf can be set to yes to always use nvidia-container-cli when supported. Note that in a setuid install, nvidia-container-cli will be run as root with required ambient capabilities. --nvccli is not currently supported in the hybrid fakeroot (setuid install + --fakeroot) workflow. Please see documentation for more details.
• The --apply-cgroups flag can be used to apply cgroups resource and device restrictions on a system using the v2 unified cgroups hierarchy. The resource restrictions must still be specified in the v1 / OCI format, which will be translated into v2 cgroups resource restrictions, and eBPF device restrictions.
• A new --mount flag and SINGULARITY_MOUNT environment variable can be used to specify bind mounts in type=bind,source=<src>,destination=<dst>[,options...] format. This improves CLI compatibility with other runtimes, and allows binding paths containing : and , characters (using CSV style escaping).

Bug fixes

• The oci commands will operate on systems that use the v2 unified cgroups hierarchy.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.9.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.9.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.3

This is a bugfix release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug fixes

• Fix regression when files sourced from %environment contain \ escaped shell builtins (fixes issue with source of conda profile.d script).

Additional changes include dependency updates for the SIF module (to v2.0.0), and migration to maintained versions of other modules. There is no change to functionality, on-disk SIF format etc.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.3.tar.gz download below to obtain and install SingularityCE 3.8.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.2

This is a bugfix release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug Fixes

• singularity delete will use the correct library service when the hostname is specified in the library:// URI.
• singularity build will use the correct library service when the hostname is specified in the library:// URI / definition file.
• Fix download of default pacman.conf in arch bootstrap.
• Call debootstrap with correct Debian arch when it is not identical to the value of runtime.GOARCH. E.g. ppc64el -> ppc64le.
• When destination is ommitted in %files entry in definition file, ensure globbed files are copied to correct resolved path.
• Return an error if --tokenfile used for remote login to an OCI registry, as this is not supported.
• Ensure repeated remote login to same URI does not create duplicate entries in ~/.singularity/remote.yaml.
• Avoid panic when mountinfo line has a blank field.
• Properly escape single quotes in Docker CMD / ENTRYPOINT translation.
• Use host uid when choosing unsquashfs flags, to avoid selinux xattr errors with --fakeroot on non-EL/Fedora distributions with recent squashfs-tools.

Additionally, dependencies have been updated and some testing changes have been applied.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.2.tar.gz download below to obtain and install SingularityCE 3.8.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.1

This is a patch release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug Fixes

• Allow escaped \$ in a SINGULARITYENV_ var to set a literal $ in a container env var.
• Handle absolute symlinks correctly in multi-stage build %copy from blocks.
• Fix incorrect reference in sandbox restrictive permissions warning.

Additionally, dependencies have been updated and some testing & markdown file changes have been applied.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.1.tar.gz download below to obtain and install SingularityCE 3.8.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.0

This is the first release of SingularityCE 3.8.0, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/

Changed defaults / behaviours

• The package name for this release is now singularity-ce. This name is used for the source tarball, output of an rpmbuild, and displayed in --version information.
• The name of the top level directory in the source tarball from make dist now includes the version string.

New features / functionalities

• A new overlay command allows creation and addition of writable overlays.
• Administrators can allow named users/groups to use specific CNI network configurations. Managed by directives in singularity.conf.
• The build command now honors --nv, --rocm, and --bind flags, permitting builds that require GPU access or files bound in from the host.
• A library service hostname can be specified as the first component of a library:// URL.
• Singularity is now relocatable for unprivileged installations only.

Bug Fixes

• Respect http proxy server environment variables in key operations.
• When pushing SIF images to oras:// endpoints, work around Harbor & GitLab failure to accept the SifConfigMediaType.
• Avoid a setfsuid compilation warning on some gcc versions.
• Fix a crash when silent/quiet log levels used on pulls from shub:// and http(s):// URIs.
• Wait for dm device to appear when mounting an encrypted container rootfs.

Testing / Development

Testing changes are not generally itemized. However, developers and contributors should note that this release has modified the behavior of make test for ease of use:

• make test runs limited unit and integration tests that will not require docker hub credentials.
• make testall runs the full unit/integration/e2e test suite that requires docker credentials to be set with E2E_DOCKER_USERNAME and E2E_DOCKER_PASSWORD environment variables.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.0.tar.gz download below to obtain and install SingularityCE 3.8.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - Singularity 3.7.4

Singularity 3.7.4 is the most recent stable release of Singularity prior to Sylabs' fork from github.com/hpcng/singularity which will take effect from the SingularityCE 3.8.0 onward.

This is a security release that has been coordinated with HPCng. We recommend all users upgrade to this version.

The downloads provided here are identical to those provided at https://github.com/hpcng/singularity/releases/tag/v3.7.4

This release is provided for convenience to users arriving from outdated links. Future releases posted here will be made from the code-base of this Sylabs fork.

---

Security Related Fixes

CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.

Please see the published security advisory at github.com/sylabs/singularity/security/advisories for further detail.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-3.7.4.tar.gz download below to obtain and install Singularity 3.7.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg over 4 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.0 Release Candidate 1

Replaced by RC2: https://github.com/sylabs/singularity/releases/tag/v3.8.0-rc.2

- Go
Published by dtrudg almost 5 years ago

https://github.com/sylabs/singularity - SingularityCE 3.8.0 Release Candidate 2

Replaced by the 3.8.0 release: https://github.com/sylabs/singularity/releases/tag/v3.8.0

- Go
Published by dtrudg almost 5 years ago

https://github.com/sylabs/singularity - Singularity 3.7.3

Singularity 3.7.3 is the previous stable release of Singularity prior to Sylabs' fork from github.com/hpcng/singularity

The downloads provided here are identical to those provided at https://github.com/hpcng/singularity/releases/tag/v3.7.3

This release is provided for convenience to users arriving from outdated links. Future releases posted here will be made from the code-base of this Sylabs fork.

---

Singularity 3.7.3 is a security release. We recommend all users upgrade to this version.

Security Related Fixes

CVE-2021-29136: A dependency used by Singularity to extract docker/OCI image layers can be tricked into modifying host files by creating a malicious layer that has a symlink with the name "." (or "/"), when running as root. This vulnerability affects a singularity build or singularity pull as root, from a docker or OCI source, as well as the implicit build to SIF that occurs through root use of run/exec/shell against a malicious docker/OCI image URI.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-3.7.3.tar.gz download below to obtain and install Singularity 3.7.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

- Go
Published by dtrudg almost 5 years ago