- Update to 1.4.1
* Fix the use of libsubid which had been broken by the revision
applied in 1.4.0-rc.2.
* Fix a bug introduced in 1.4.0 that caused arm64 to be
mis-converted to arm64v8 and resulted in a failure when pulling
OCI containers.
* Fix user database lookup in master process preventing instance
from starting correctly on systems using winbind.
* Check for existence of `/run/systemd/system` when verifying
cgroups can be used via systemd manager.
* Add a clear error message if someone tries to use privileged
network options while not using setuid mode.
* Allow multi-arch oci-archive files that have a nested index
with the manifest. This is the default format (both for Docker
and OCI) when using `nerdctl save`.
* Test if docker-archive is actually an oci-archive (since Docker
version 25), and if it is oci then use the OCI parser to avoid
bugs in the Docker parser. Save the daemon-daemon references
to a temporary docker-archive, to benefit from the same
improvements also for those references. Parse as oci-archive.
- New Features & Functionality inherited from 1.4.0
* Add new build option `--mksquashfs-args` to pass additional
arguments to the `mksquashfs` command when building SIF files.
If a compression method other than gzip is selected, the SIF
file might not work with older installations of Apptainer
or Singularity, so an INFO message about that is printed. On
the other hand, an INFO message that was printed (twice) when
running an image with non-gzip compression has been removed.
* If the `mksquashfs` version is new enough (version 4.6 in
Leap 16.0), then show a percentage progress bar (with ETA)
OBS-URL: https://build.opensuse.org/request/show/1283596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=35
* Fix the use of libsubid which had been broken by the revision
applied in 1.4.0-rc.2.
* Fix a bug introduced in 1.4.0 that caused arm64 to be
mis-converted to arm64v8 and resulted in a failure when pulling
OCI containers.
* Fix user database lookup in master process preventing instance
from starting correctly on systems using winbind.
* Check for existence of `/run/systemd/system` when verifying
cgroups can be used via systemd manager.
* Add a clear error message if someone tries to use privileged
network options while not using setuid mode.
* Allow multi-arch oci-archive files that have a nested index
with the manifest. This is the default format (both for Docker
and OCI) when using `nerdctl save`.
* Test if docker-archive is actually an oci-archive (since Docker
version 25), and if it is oci then use the OCI parser to avoid
bugs in the Docker parser. Save the daemon-daemon references
to a temporary docker-archive, to benefit from the same
improvements also for those references. Parse as oci-archive.
* Add new build option `--mksquashfs-args` to pass additional
arguments to the `mksquashfs` command when building SIF files.
If a compression method other than gzip is selected, the SIF
file might not work with older installations of Apptainer
or Singularity, so an INFO message about that is printed. On
the other hand, an INFO message that was printed (twice) when
running an image with non-gzip compression has been removed.
* If the `mksquashfs` version is new enough (version 4.6 in
Leap 16.0), then show a percentage progress bar (with ETA)
during SIF creation in the default log level. If the `mksquashfs`
version is older, then in verbose or debug log level show the
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=97
* Fix the use of libsubid which had been broken by the revision applied in 1.4.0-rc.2.
* Fix a bug introduced in 1.4.0 that caused arm64 to be mis-converted to
arm64v8 and resulted in a failure when pulling OCI containers.
* Fix user database lookup in master process preventing instance from
starting correctly on systems using winbind.
Update minimum go version to 1.23.6 now that it is current in el8 & el9.
* Check for existence of /run/systemd/system when verifying cgroups can be
used via systemd manager.
* Add a clear error message if someone tries to use privileged network
options while not using setuid mode.
* Allow multi-arch oci-archive files that have a nested index with the
manifest. This is the default format (both for Docker and OCI) when using
nerdctl save.
* Test if docker-archive is actually an oci-archive (since Docker version
25), and if it is oci then use the OCI parser to avoid bugs in the Docker
parser. Save the daemon-daemon references to a temporary docker-archive, to
benefit from the same improvements also for those references. Parse as
oci-archive.
- New Features & Functionality inherited from 1.4.0
* Add support for libsubid, when available at compile time. This library
enables central management of subuid and subgid mappings and typically
comes as part of the shadow-utils package, possibly as a shadow-utils-subid
subpackage.
* Add new build option --mksquashfs-args to pass additional arguments to the
mksquashfs command when building SIF files. If a compression method other
than gzip is selected, the SIF file might not work with older installations
of Apptainer or Singularity, so an INFO message about that is printed. On
the other hand, an INFO message that was printed (twice) when running an
image with non-gzip compression has been removed.
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=96
* Avoid using kernel overlayfs when the lower layer is a sandbox
on an incompatible filesystem type such as GPFS or Lustre.
For those cases use fuse-overlayfs instead. This fixes a
regression introduced in 1.3.0. The regression didn't much
impact Lustre because kernel overlayfs refused to try to use
it and Apptainer proceeded to use fuse-overlayfs anyway, but
with GPFS the kernel overlayfs allowed mounting but returned
stale file handle errors.
- Version 1.3.5
* Fix a regression introduced in 1.3.4 that overwrote existing
standard `/.singularity.d` files such as `runscript` in
container images even if they had been modified.
* Skip attempting to bind inaccessible mount points when
handling the `mount hostfs = yes` configuration option.
* Support parsing nested variables defined inside `%arguments`
section of definition files.
* Ignore invalid environment variables when pulling oci/docker
containers.
- Version 1.3.4
* Fixed sif-embedded overlay partitions for containers that are
larger than 2 gigabytes.
* Fixed the apparmor profile that was added in v1.3.3 but didn't
work. An apparmor profile is applied in all Debian-based
apptainer packaging, but is only needed to enable user namespaces
for apptainer on a default-configured Ubuntu 23.10 or newer.
* Fixed the failure when starting apptainer with
`instance --fakeroot`.
* `apptainer build -B ...` can now be used to mount custom
resolv.conf and hosts files from non-standard outside locations.
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=78
of the security risk.
image driver will be used instead.
would enable a user to theoretically bypass the limits via `ptrace()`
because the FUSE process runs as that user.
one of the layers is a FUSE filesystem). In addition, if `allow
setuid-mount encrypted = no` then the unprivileged gocryptfs format
can still be used with the `--underlay` option, but it is deprecated
their own, dedicated `keyserver` command. Run `apptainer help keyserver`
for more information.
been moved to their own, dedicated `registry` command. Run
* The `remote status` command will now print the username, realname, and
email of the logged-in user, if available.
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=71
- Updated apptainer to version 1.3.0
* FUSE mounts are now supported in setuid mode, enabling full
functionality even when kernel filesystem mounts are insecure due to
unprivileged users having write access to raw filesystems in
containers. When `allow setuid-mount extfs = no` (the default) in
apptainer.conf, then the fuse2fs image driver will be used to mount
ext3 images in setuid mode instead of the kernel driver (ext3 images
are primarily used for the --overlay feature), restoring
functionality that was removed by default in Apptainer 1.1.8 because
of the security risk.
The `allow setuid-mount squashfs` configuration option in
`apptainer.conf` now has a new default called `iflimited` which allows
kernel squashfs mounts only if there is at least one `limit container`
option set or if Execution Control Lists are activated in ecl.toml.
If kernel squashfs mounts are not allowed, then the squashfuse
image driver will be used instead.
`iflimited` is the default because if one of those limits is used
the system administrator ensures that unprivileged users do not have
write access to the containers, but on the other hand using FUSE
would enable a user to theoretically bypass the limits via ptrace()
because the FUSE process runs as that user.
The `fuse-overlayfs` image driver will also now be tried in setuid
mode if the kernel overlayfs driver does not work (for example if
one of the layers is a FUSE filesystem). In addition, if `allow
setuid-mount encrypted = no` then the unprivileged gocryptfs format
will be used for encrypting SIF files instead of the kernel
device-mapper. If a SIF file was encrypted using the gocryptfs
format, it can now be mounted in setuid mode in addition to
non-setuid mode.
* Change the default in user namespace mode to use either kernel
OBS-URL: https://build.opensuse.org/request/show/1159335
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=70
- Updated apptainer to version 1.2.5
* Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA
Drivers (known with >= 525.85.05) require this lib to compile
OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl`
depends on `libnvidia-nvvm`.
* Disable the usage of cgroup in instance creation when
`--fakeroot` is passed.
* Disable the usage of cgroup in instance creation when `hidepid`
mount option on `/proc` is set.
* Fixed a regression introduced in 1.2.0 where the user's
password file information was not copied in to the container
when there was a parent root-mapped user namespace (as is the
case for example in `cvmfsexec`).
* Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so`
to the list of libraries to add to NVIDIA GPU-enabled
containers. Fixed missing error handling during the creation
of an encrypted image that led to the generation of corrupted
images.
* Use `APPTAINER_TMPDIR` for temporary files during privileged
image encryption.
* If rootless unified cgroups v2 is available when starting an
image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is
not set, print an info message that stats will not be available
instead of exiting with a fatal error.
* Allow templated build arguments to definition files to have
empty values.
OBS-URL: https://build.opensuse.org/request/show/1143083
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=64
- Do not build squashfuse, require it as a dependency.
Removed: squashfuse-0.1.105.tar.gz, 70.patch
- Replace awkward 'Obsoletes: singularity-*' as well as the
'Provides: Singularity' by 'Conflicts:' and drop the provides -
the versioning scheme does not match and we do not automatically
migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
OBS-URL: https://build.opensuse.org/request/show/1120777
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=23
- Do not build squashfuse, require it as a dependency.
- Replace awkward 'Obsoletes: singularity-*' as well as the
'Provides: Singularity' by 'Conflicts:' and drop the provides -
the versioning scheme does not match and we do not automatically
migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
OBS-URL: https://build.opensuse.org/request/show/1119873
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=59
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
also valid
- updated to 1.2.3 with following changes:
* The apptainer push/pull commands now show a progress bar for the oras
protocol like there was for docker and library protocols.
* The --nv and --rocm flags can now be used simultaneously.
* Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
commands that refer to instance://.
* Fix the issue that apptainer would not read credentials from the Docker
fallback path ~/.docker/config.json if missing in the apptainer
credentials.
- Update license for the package to cover also OpenSSL and CRYPTOGAMS
part of chacha_ppc64le.s
OBS-URL: https://build.opensuse.org/request/show/1113853
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=22
- updated to 1.2.3 with following changes:
* The apptainer push/pull commands now show a progress bar for the oras
protocol like there was for docker and library protocols.
* The --nv and --rocm flags can now be used simultaneously.
* Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
commands that refer to instance://.
* Fix the issue that apptainer would not read credentials from the Docker
fallback path ~/.docker/config.json if missing in the apptainer
credentials.
OBS-URL: https://build.opensuse.org/request/show/1113390
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=56