Accepting request 993098 from home:mslacken:pr

- Updated to version 1.1.0-rc1 which enables apptainer to run without suid and additional groups. Although this is a prerelease this is a major advantage justifying its use. * Added a squashfuse image driver that enables mounting SIF files without using setuid-root. Requires the squashfuse command and unprivileged user namespaces. * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF overlay partitions without using setuid-root. Requires the fuse2fs command and unprivileged user namespaces. * Added the ability to use persistent overlay (--overlay) and --writable-tmpfs without using setuid-root. This requires unprivileged user namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs command. Persistent overlay works when the overlay path points to a regular filesystem (known as "sandbox" mode, which is not allowed when in setuid mode), or when it points to an EXT3 image. Does not work with a SIF partition because that requires privileges to mount as an ext3 image. * Extended the --fakeroot option to be useful when /etc/subuid and /etc/subgid mappings have not been set up. If they have not been set up, a root-mapped unprivileged user namespace (the equivalent of unshare -r) and/or the fakeroot command from the host will be tried. Together they emulate the mappings pretty well but they are simpler to administer. This feature is especially useful with the --overlay and --writable-tmpfs options and for building containers unprivileged, because they allow installing packages that assume they're running as root. A limitation on using it with --overlay and --writable-tmpfs however is that when only the fakeroot command can be used (because there are no user namespaces available, in suid mode) then the base image has to be a sandbox. This feature works nested inside of an apptainer container, where another apptainer command will also be in the fakeroot environment without requesting the --fakeroot option again, or it can be used inside an OBS-URL: https://build.opensuse.org/request/show/993098 OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=14
2022-08-04 15:03:35 +00:00 · 2022-08-04 15:03:35 +00:00 · 2bf2146d97
commit 2bf2146d97
parent 703518b6e6
7 changed files with 151 additions and 70 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -1,18 +1,3 @@
 openSUSE/SUSE specific Settings
 ===============================
 openSUSE and SUSE have a small difference with upstream default. 
 This means the SUID root binaries distributed by singularty are
 executable only by users belonging to the group 'apptainer'.
 Otherwise, users will get an error message like this one:
 FATAL:   while executing /usr/lib/apptainer/bin/starter-suid: permission denied
 To add a user to the group apptainer, execute (as root):
 # usermod -a -G apptainer <user_login>
 Create Apptainer Images from openSUSE/SLE
 ===========================================
--- a/apptainer-1.0.3.tar.gz
+++ b/apptainer-1.0.3.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:29eb94d16cd5d3b0a10ab8c2f7bc49c003a06fddb66ef46fa53b86b9a846a459
 size 5113453
--- a/apptainer-1.1.0-rc.1.tar.gz
+++ b/apptainer-1.1.0-rc.1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:18d2828c4c4e7adaccfbf82aac9ea8d698e11d5d4a690c372733f5eafd116d11
 size 5165719
--- a/apptainer.changes
+++ b/apptainer.changes
@ -1,3 +1,138 @@
 -------------------------------------------------------------------
 Thu Aug  4 12:31:33 UTC 2022 - Christian Goll <cgoll@suse.com>
 - Updated to version 1.1.0-rc1 which enables apptainer to run without
  suid and additional groups. Although this is a prerelease this is 
  a major advantage justifying its use.
  * Added a squashfuse image driver that enables mounting SIF files without
    using setuid-root. Requires the squashfuse command and unprivileged user
    namespaces.
  * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
    overlay partitions without using setuid-root. Requires the fuse2fs command
    and unprivileged user namespaces.
  * Added the ability to use persistent overlay (--overlay) and
    --writable-tmpfs without using setuid-root. This requires unprivileged user
    namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
    command. Persistent overlay works when the overlay path points to a regular
    filesystem (known as "sandbox" mode, which is not allowed when in setuid
    mode), or when it points to an EXT3 image. Does not work with a SIF
    partition because that requires privileges to mount as an ext3 image.
  * Extended the --fakeroot option to be useful when /etc/subuid and
    /etc/subgid mappings have not been set up. If they have not been set up, a
    root-mapped unprivileged user namespace (the equivalent of unshare -r)
    and/or the fakeroot command from the host will be tried. Together they
    emulate the mappings pretty well but they are simpler to administer. This
    feature is especially useful with the --overlay and --writable-tmpfs
    options and for building containers unprivileged, because they allow
    installing packages that assume they're running as root. A limitation on
    using it with --overlay and --writable-tmpfs however is that when only the
    fakeroot command can be used (because there are no user namespaces
    available, in suid mode) then the base image has to be a sandbox. This
    feature works nested inside of an apptainer container, where another
    apptainer command will also be in the fakeroot environment without
    requesting the --fakeroot option again, or it can be used inside an
    apptainer container that was not started with --fakeroot. However, the
    fakeroot command uses LD_PRELOAD and so needs to be bound into the
    container which requires a compatible libc. For that reason it doesn't work
    when the host and container operating systems are of very different
    vintages. If that's a problem and you want to use only an unprivileged
    root-mapped namespace even when the fakeroot command is installed, just run
    apptainer with unshare -r.
  * Made the --fakeroot option be implied when an unprivileged user builds a
    container from a definition file. When /etc/subuid and /etc/subgid mappings
    are not available, all scriptlets are run in a root-mapped unprivileged
    namespace (when possible) and the %post scriptlet is additionally run with
    the fakeroot command. When unprivileged user namespaces are not available,
    such that only the fakeroot command can be used, the --fix-perms option is
    implied to allow writing into directories.
  * Added a --fakeroot option to the apptainer overlay create command to make
    an overlay EXT3 image file that works with the fakeroot that comes from
    unprivileged root-mapped namespaces. This is not needed with the fakeroot
    that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes
    with only the fakeroot command in suid flow.
  * $HOME is now used to find the user's configuration and cache by default. If
    that is not set it will fall back to the previous behavior of looking up
    the home directory in the password file. The value of $HOME inside the
    container still defaults to the home directory in the password file and can
    still be overridden by the --home option.
  * When starting a container, if the user has specified the cwd by using the
    --pwd flag, if there is a problem an error is returned instead of
    defaulting to a different directory.
  * Nesting of bind mounts now works even when a --bind option specified a
    different source and destination with a colon between them. Now the
    APPTAINER_BIND environment variable makes sure the bind source is from the
    bind destination so it will be succesfully re-bound into a nested apptainer
    container.
  * The warning about more than 50 bind mounts required for an underlay bind
    has been changed to an info message.
  * oci mount sets Process.Terminal: true when creating an OCI config.json, so
    that oci run provides expected interactive behavior by default.
    The default hostname for oci mount containers is now apptainer instead of mrsdalloway.
  * systemd is now supported and used as the default cgroups manager. Set
    systemd cgroups = no in apptainer.conf to manage cgroups directly via the
    cgroupfs.
  * Added a new action flag --no-eval which:
      + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file
        environment variables as they are injected in the container, to match
        OCI behavior. Applies to all containers.  
      + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command
        line arguments for containers run or built directly from an OCI/Docker
        source. Applies to newly built containers only, use apptainer inspect
        to check version that container was built with.
  * Added --no-eval to the list of flags set by the OCI/Docker --compat mode.
  * sinit process has been renamed to appinit.
  * Added --keysdir to key command to provide an alternative way of setting
    local keyring path. The existing reading of the keyring path from
    environment variable 'APPTAINER_KEYSDIR' is untouched.
  * apptainer key push will output the key server's response if included in
    order to help guide users through any identity verification the server may
    require.
  * ECL no longer requires verification for all signatures, but only when
    signature verification would alter the expected behavior of the list:
      + At least one matching signature included in a whitelist must be
        validated, but other unvalidated signatures do not cause ECL to fail.
      + All matching signatures included in a whitestrict must be validated,
        but unvalidated signatures not in the whitestrict do not cause ECL to
        fail.
      + Signature verification is not checked for a blacklist; unvalidated
        signatures can still block execution via ECL, and unvalidated
        signatures not in the blacklist do not cause ECL to fail.
 - New features / functionalities
  * Non-root users can now use --apply-cgroups with run/shell/exec to limit
    container resource usage on a system using cgroups v2 and the systemd
    cgroups manager.
  * Native cgroups v2 resource limits can be specified using the [unified] key
    in a cgroups toml file applied via --apply-cgroups.
  * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups
    resource limits to a container directly.
    Added instance stats command.
  * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable
    a bind path entry from apptainer.conf by specifying the absolute path to
    the destination of the bind.
  * Apptainer now supports the riscv64 architecture.
  * remote add --insecure may now be used to configure endpoints that are only
    accessible via http. Alternatively the environment variable
    APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added
    wihtout the --insecure flag. Specifying https in the remote URI overrules
    both --insecure and APPTAINER_ADD_INSECURE.
  * Gpu flags --nv and --rocm can now be used from an apptainer nested inside
    another apptainer container.
  * Added --public, --secret, and --both flags to the key remove command to
    support removing secret keys from the apptainer keyring.
  * Debug output can now be enabled by setting the APPTAINER_DEBUG env var.
  * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs
    image extraction, and build stages.
 - Bug fixes
  * Remove warning message about SINGULARITY and APPTAINER variables having
    different values when the SINGULARITY variable is not set.
  * Add specific error for unreadable image / overlay file.
  * Pass through a literal \n in host environment variables to the container.
  * Fix loop device creation with loop-control when running inside docker containers.
  * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag.
 - File changes
  * Removed useful_error_message.patch as not needed any more
 -------------------------------------------------------------------
 Mon Jul 11 09:38:45 UTC 2022 - Christian Goll <cgoll@suse.com>
--- a/apptainer.spec
+++ b/apptainer.spec
@ -19,13 +19,13 @@
 %define apptainerpath src/github.com/apptainer/
 %define _buildshell /bin/bash
-#%%define vers_suffix -rc.2
+%define vers_suffix -rc.1
 Summary:        Application and environment virtualization
 License:        BSD-3-Clause-LBNL
 Group:          Productivity/Clustering/Computing
 Name:           apptainer
-Version:        1.0.3
+Version:        1.1.0
 Release:        0
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 URL:            https://apptainer.org
@ -35,7 +35,6 @@ Source2:        SLE-12SP5.def
 Source3:        SLE-15SP3.def
 Source5:        %{name}-rpmlintrc
 Source10:       vendor.tar.gz
 Patch1:         useful_error_message.patch
 BuildRequires:  cryptsetup
 BuildRequires:  fdupes
 BuildRequires:  gcc
@ -55,8 +54,8 @@ PreReq:         permissions
 # there's no golang for ppc64, ppc64le does not have non pie builds
 ExcludeArch:    ppc64 ppc64le
 Provides:       %{name}-runtime
 Obsoletes:      singularity
 Obsoletes:      singularity-ce
 Obsoletes:      singularity-runtime
 %description
@ -68,14 +67,13 @@ containers that can be used across host environments.
 cp %{S:1} %{S:2} %{S:3} .
 mv %{name}-%{version}%{?vers_suffix} %{name}
 cd %{_builddir}/gopath/%{apptainerpath}/apptainer
 %patch1 -p1
 %build
 cd %{name}
 # create VERSION file
 echo %version > VERSION
 # Not all of these parameters currently have an effect, but they might be
-#  used someday.  They are the same parameters as in the configure macro.
+# used someday.  They are the same parameters as in the configure macro.
 tar xzf %{S:10}
 ./mconfig -V %{version}-%{release} \
        -P release \
@ -91,7 +89,8 @@ tar xzf %{S:10}
        --localstatedir=%{_localstatedir}/lib \
        --sharedstatedir=%{_sharedstatedir} \
        --mandir=%{_mandir} \
-        --infodir=%{_infodir}
+        --infodir=%{_infodir} \
        --without-suid
 cd builddir
 make V="" old_config=
@ -101,8 +100,7 @@ export GOFLAGS=-mod=vendor
 export PATH=$GOPATH/bin:$PATH
 cd %{name}/builddir
-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+make DESTDIR=$RPM_BUILD_ROOT install
 make DESTDIR=$RPM_BUILD_ROOT install man
 cd ../..
 %fdupes apptainer/examples
 mkdir -p .tmp
@ -115,21 +113,10 @@ for j in LICENSE.md LICENSE; do
    done
 done
-echo "g %name -" > system-group-%{name}.conf
+%fdupes -s .tmp/
 %sysusers_generate_pre system-group-%{name}.conf %{name} system-group-%{name}.conf
 install -D -m 644 system-group-%{name}.conf %{buildroot}%{_sysusersdir}/system-group-%{name}.conf
 %fdupes -s .tmp
 mv .tmp/* .
 rmdir .tmp
-
+%fdupes -s %buildroot
 %pre -f %{name}.pre
 %post
 %set_permissions %{_libexecdir}/apptainer/bin/starter-suid
 %verifyscript
 %set_permissions %{_libexecdir}/apptainer/bin/starter-suid
 %files
 %doc apptainer/examples
@ -142,12 +129,13 @@ rmdir .tmp
 %doc %{basename:%{S:3}}
 %license apptainer/LICENSE.md
 %license *-LICENSE.md *-LICENSE
 %attr(4750, root, apptainer) %{_libexecdir}/apptainer/bin/starter-suid
 %{_bindir}/*
 %dir %{_libexecdir}/apptainer
 %dir %{_libexecdir}/apptainer/bin
 %dir %{_libexecdir}/apptainer/cni
 %dir %{_libexecdir}/apptainer/lib
 %{_libexecdir}/apptainer/bin/starter
 %{_libexecdir}/apptainer/lib/offsetpreload.so
 %{_libexecdir}/apptainer/cni/*
 %dir %{_sysconfdir}/apptainer
 %config(noreplace) %{_sysconfdir}/apptainer/capability.json
@ -166,6 +154,5 @@ rmdir .tmp
 %dir %{_localstatedir}/lib/apptainer/mnt
 %dir %{_localstatedir}/lib/apptainer/mnt/session
 %{_mandir}/man1/*
 %{_sysusersdir}/system-group-%{name}.conf
 %changelog
--- a/useful_error_message.patch
+++ b/useful_error_message.patch
@ -1,26 +0,0 @@
 From 5194ad8f863e971dde1c668d9c9de844b58ae893 Mon Sep 17 00:00:00 2001
 From: Christian Goll <cgoll@suse.de>
 Date: Mon, 13 Dec 2021 14:35:41 +0100
 Subject: [PATCH] Add an useful error message when the user doesn't belong to
 the singularity group
 ---
 internal/pkg/util/starter/starter.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/internal/pkg/util/starter/starter.go b/internal/pkg/util/starter/starter.go
 index 11858ee20..5f76ac08d 100644
 --- a/internal/pkg/util/starter/starter.go
 +++ b/internal/pkg/util/starter/starter.go
@@ -94,7 +94,7 @@ func Exec(name string, config *config.Common, ops ...CommandOp) error {
 		return fmt.Errorf("while initializing starter command: %s", err)
 	}
 	err := unix.Exec(c.path, []string{name}, c.env)
 -	return fmt.Errorf("while executing %s: %s", c.path, err)
 +  return fmt.Errorf("while executing %s: %s\nPlease read /usr/share/doc/packages/apptainer/README.SUSE to get help\n", c.path, err)
 }
 // Run executes the starter binary and returns once starter
 -- 
 2.34.1
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:009ecb531043c5b66eaf112a9a2a3f9f8612d890ce59fae16ac30128b031078e
+oid sha256:7735457b98aafd288d84535215550976fff739082cd8290784415e1bee514c1f
-size 6499970
+size 7205443