Accepting request 993098 from home:mslacken:pr

- Updated to version 1.1.0-rc1 which enables apptainer to run without suid and additional groups. Although this is a prerelease this is a major advantage justifying its use. * Added a squashfuse image driver that enables mounting SIF files without using setuid-root. Requires the squashfuse command and unprivileged user namespaces. * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF overlay partitions without using setuid-root. Requires the fuse2fs command and unprivileged user namespaces. * Added the ability to use persistent overlay (--overlay) and --writable-tmpfs without using setuid-root. This requires unprivileged user namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs command. Persistent overlay works when the overlay path points to a regular filesystem (known as "sandbox" mode, which is not allowed when in setuid mode), or when it points to an EXT3 image. Does not work with a SIF partition because that requires privileges to mount as an ext3 image. * Extended the --fakeroot option to be useful when /etc/subuid and /etc/subgid mappings have not been set up. If they have not been set up, a root-mapped unprivileged user namespace (the equivalent of unshare -r) and/or the fakeroot command from the host will be tried. Together they emulate the mappings pretty well but they are simpler to administer. This feature is especially useful with the --overlay and --writable-tmpfs options and for building containers unprivileged, because they allow installing packages that assume they're running as root. A limitation on using it with --overlay and --writable-tmpfs however is that when only the fakeroot command can be used (because there are no user namespaces available, in suid mode) then the base image has to be a sandbox. This feature works nested inside of an apptainer container, where another apptainer command will also be in the fakeroot environment without requesting the --fakeroot option again, or it can be used inside an OBS-URL: https://build.opensuse.org/request/show/993098 OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=14
2022-08-04 15:03:35 +00:00 · 2022-08-04 15:03:35 +00:00 · 2bf2146d97
commit 2bf2146d97
parent 703518b6e6
7 changed files with 151 additions and 70 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -1,18 +1,3 @@
-openSUSE/SUSE specific Settings
-===============================
-
-openSUSE and SUSE have a small difference with upstream default. 
-This means the SUID root binaries distributed by singularty are
-executable only by users belonging to the group 'apptainer'.
-
-Otherwise, users will get an error message like this one:
-
-FATAL:   while executing /usr/lib/apptainer/bin/starter-suid: permission denied
-
-To add a user to the group apptainer, execute (as root):
-
- # usermod -a -G apptainer <user_login>
-
 Create Apptainer Images from openSUSE/SLE
 ===========================================

--- a/apptainer-1.0.3.tar.gz
+++ b/apptainer-1.0.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:29eb94d16cd5d3b0a10ab8c2f7bc49c003a06fddb66ef46fa53b86b9a846a459
-size 5113453
--- a/apptainer-1.1.0-rc.1.tar.gz
+++ b/apptainer-1.1.0-rc.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18d2828c4c4e7adaccfbf82aac9ea8d698e11d5d4a690c372733f5eafd116d11
+size 5165719
--- a/apptainer.changes
+++ b/apptainer.changes
@ -1,3 +1,138 @@
+-------------------------------------------------------------------
+Thu Aug  4 12:31:33 UTC 2022 - Christian Goll <cgoll@suse.com>
+
+- Updated to version 1.1.0-rc1 which enables apptainer to run without
+  suid and additional groups. Although this is a prerelease this is 
+  a major advantage justifying its use.
+  * Added a squashfuse image driver that enables mounting SIF files without
+    using setuid-root. Requires the squashfuse command and unprivileged user
+    namespaces.
+  * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
+    overlay partitions without using setuid-root. Requires the fuse2fs command
+    and unprivileged user namespaces.
+  * Added the ability to use persistent overlay (--overlay) and
+    --writable-tmpfs without using setuid-root. This requires unprivileged user
+    namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
+    command. Persistent overlay works when the overlay path points to a regular
+    filesystem (known as "sandbox" mode, which is not allowed when in setuid
+    mode), or when it points to an EXT3 image. Does not work with a SIF
+    partition because that requires privileges to mount as an ext3 image.
+  * Extended the --fakeroot option to be useful when /etc/subuid and
+    /etc/subgid mappings have not been set up. If they have not been set up, a
+    root-mapped unprivileged user namespace (the equivalent of unshare -r)
+    and/or the fakeroot command from the host will be tried. Together they
+    emulate the mappings pretty well but they are simpler to administer. This
+    feature is especially useful with the --overlay and --writable-tmpfs
+    options and for building containers unprivileged, because they allow
+    installing packages that assume they're running as root. A limitation on
+    using it with --overlay and --writable-tmpfs however is that when only the
+    fakeroot command can be used (because there are no user namespaces
+    available, in suid mode) then the base image has to be a sandbox. This
+    feature works nested inside of an apptainer container, where another
+    apptainer command will also be in the fakeroot environment without
+    requesting the --fakeroot option again, or it can be used inside an
+    apptainer container that was not started with --fakeroot. However, the
+    fakeroot command uses LD_PRELOAD and so needs to be bound into the
+    container which requires a compatible libc. For that reason it doesn't work
+    when the host and container operating systems are of very different
+    vintages. If that's a problem and you want to use only an unprivileged
+    root-mapped namespace even when the fakeroot command is installed, just run
+    apptainer with unshare -r.
+  * Made the --fakeroot option be implied when an unprivileged user builds a
+    container from a definition file. When /etc/subuid and /etc/subgid mappings
+    are not available, all scriptlets are run in a root-mapped unprivileged
+    namespace (when possible) and the %post scriptlet is additionally run with
+    the fakeroot command. When unprivileged user namespaces are not available,
+    such that only the fakeroot command can be used, the --fix-perms option is
+    implied to allow writing into directories.
+  * Added a --fakeroot option to the apptainer overlay create command to make
+    an overlay EXT3 image file that works with the fakeroot that comes from
+    unprivileged root-mapped namespaces. This is not needed with the fakeroot
+    that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes
+    with only the fakeroot command in suid flow.
+  * $HOME is now used to find the user's configuration and cache by default. If
+    that is not set it will fall back to the previous behavior of looking up
+    the home directory in the password file. The value of $HOME inside the
+    container still defaults to the home directory in the password file and can
+    still be overridden by the --home option.
+  * When starting a container, if the user has specified the cwd by using the
+    --pwd flag, if there is a problem an error is returned instead of
+    defaulting to a different directory.
+  * Nesting of bind mounts now works even when a --bind option specified a
+    different source and destination with a colon between them. Now the
+    APPTAINER_BIND environment variable makes sure the bind source is from the
+    bind destination so it will be succesfully re-bound into a nested apptainer
+    container.
+  * The warning about more than 50 bind mounts required for an underlay bind
+    has been changed to an info message.
+  * oci mount sets Process.Terminal: true when creating an OCI config.json, so
+    that oci run provides expected interactive behavior by default.
+    The default hostname for oci mount containers is now apptainer instead of mrsdalloway.
+  * systemd is now supported and used as the default cgroups manager. Set
+    systemd cgroups = no in apptainer.conf to manage cgroups directly via the
+    cgroupfs.
+  * Added a new action flag --no-eval which:
+      + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file
+        environment variables as they are injected in the container, to match
+        OCI behavior. Applies to all containers.  
+      + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command
+        line arguments for containers run or built directly from an OCI/Docker
+        source. Applies to newly built containers only, use apptainer inspect
+        to check version that container was built with.
+  * Added --no-eval to the list of flags set by the OCI/Docker --compat mode.
+  * sinit process has been renamed to appinit.
+  * Added --keysdir to key command to provide an alternative way of setting
+    local keyring path. The existing reading of the keyring path from
+    environment variable 'APPTAINER_KEYSDIR' is untouched.
+  * apptainer key push will output the key server's response if included in
+    order to help guide users through any identity verification the server may
+    require.
+  * ECL no longer requires verification for all signatures, but only when
+    signature verification would alter the expected behavior of the list:
+      + At least one matching signature included in a whitelist must be
+        validated, but other unvalidated signatures do not cause ECL to fail.
+      + All matching signatures included in a whitestrict must be validated,
+        but unvalidated signatures not in the whitestrict do not cause ECL to
+        fail.
+      + Signature verification is not checked for a blacklist; unvalidated
+        signatures can still block execution via ECL, and unvalidated
+        signatures not in the blacklist do not cause ECL to fail.
+- New features / functionalities
+  * Non-root users can now use --apply-cgroups with run/shell/exec to limit
+    container resource usage on a system using cgroups v2 and the systemd
+    cgroups manager.
+  * Native cgroups v2 resource limits can be specified using the [unified] key
+    in a cgroups toml file applied via --apply-cgroups.
+  * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups
+    resource limits to a container directly.
+    Added instance stats command.
+  * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable
+    a bind path entry from apptainer.conf by specifying the absolute path to
+    the destination of the bind.
+  * Apptainer now supports the riscv64 architecture.
+  * remote add --insecure may now be used to configure endpoints that are only
+    accessible via http. Alternatively the environment variable
+    APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added
+    wihtout the --insecure flag. Specifying https in the remote URI overrules
+    both --insecure and APPTAINER_ADD_INSECURE.
+  * Gpu flags --nv and --rocm can now be used from an apptainer nested inside
+    another apptainer container.
+  * Added --public, --secret, and --both flags to the key remove command to
+    support removing secret keys from the apptainer keyring.
+  * Debug output can now be enabled by setting the APPTAINER_DEBUG env var.
+  * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs
+    image extraction, and build stages.
+- Bug fixes
+  * Remove warning message about SINGULARITY and APPTAINER variables having
+    different values when the SINGULARITY variable is not set.
+  * Add specific error for unreadable image / overlay file.
+  * Pass through a literal \n in host environment variables to the container.
+  * Fix loop device creation with loop-control when running inside docker containers.
+  * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag.
+- File changes
+  * Removed useful_error_message.patch as not needed any more
+
+
 -------------------------------------------------------------------
 Mon Jul 11 09:38:45 UTC 2022 - Christian Goll <cgoll@suse.com>

--- a/apptainer.spec
+++ b/apptainer.spec
@ -19,13 +19,13 @@
 %define apptainerpath src/github.com/apptainer/
 %define _buildshell /bin/bash

-#%%define vers_suffix -rc.2
+%define vers_suffix -rc.1

 Summary:        Application and environment virtualization
 License:        BSD-3-Clause-LBNL
 Group:          Productivity/Clustering/Computing
 Name:           apptainer
-Version:        1.0.3
+Version:        1.1.0
 Release:        0
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 URL:            https://apptainer.org
@ -35,7 +35,6 @@ Source2:        SLE-12SP5.def
 Source3:        SLE-15SP3.def
 Source5:        %{name}-rpmlintrc
 Source10:       vendor.tar.gz
-Patch1:         useful_error_message.patch
 BuildRequires:  cryptsetup
 BuildRequires:  fdupes
 BuildRequires:  gcc
@ -55,8 +54,8 @@ PreReq:         permissions
 # there's no golang for ppc64, ppc64le does not have non pie builds
 ExcludeArch:    ppc64 ppc64le

-Provides:       %{name}-runtime
 Obsoletes:      singularity
+Obsoletes:      singularity-ce
 Obsoletes:      singularity-runtime

 %description
@ -68,14 +67,13 @@ containers that can be used across host environments.
 cp %{S:1} %{S:2} %{S:3} .
 mv %{name}-%{version}%{?vers_suffix} %{name}
 cd %{_builddir}/gopath/%{apptainerpath}/apptainer
-%patch1 -p1

 %build
 cd %{name}
 # create VERSION file
 echo %version > VERSION
 # Not all of these parameters currently have an effect, but they might be
-#  used someday.  They are the same parameters as in the configure macro.
+# used someday.  They are the same parameters as in the configure macro.
 tar xzf %{S:10}
 ./mconfig -V %{version}-%{release} \
        -P release \
@ -91,7 +89,8 @@ tar xzf %{S:10}
        --localstatedir=%{_localstatedir}/lib \
        --sharedstatedir=%{_sharedstatedir} \
        --mandir=%{_mandir} \
-        --infodir=%{_infodir}
+        --infodir=%{_infodir} \
+        --without-suid
 cd builddir
 make V="" old_config=

@ -101,8 +100,7 @@ export GOFLAGS=-mod=vendor
 export PATH=$GOPATH/bin:$PATH
 cd %{name}/builddir

-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
-make DESTDIR=$RPM_BUILD_ROOT install man
+make DESTDIR=$RPM_BUILD_ROOT install
 cd ../..
 %fdupes apptainer/examples
 mkdir -p .tmp
@ -115,21 +113,10 @@ for j in LICENSE.md LICENSE; do
    done
 done

-echo "g %name -" > system-group-%{name}.conf
-%sysusers_generate_pre system-group-%{name}.conf %{name} system-group-%{name}.conf
-install -D -m 644 system-group-%{name}.conf %{buildroot}%{_sysusersdir}/system-group-%{name}.conf
-
-%fdupes -s .tmp
+%fdupes -s .tmp/
 mv .tmp/* .
 rmdir .tmp
-
-%pre -f %{name}.pre
-
-%post
-%set_permissions %{_libexecdir}/apptainer/bin/starter-suid
-
-%verifyscript
-%set_permissions %{_libexecdir}/apptainer/bin/starter-suid
+%fdupes -s %buildroot

 %files
 %doc apptainer/examples
@ -142,12 +129,13 @@ rmdir .tmp
 %doc %{basename:%{S:3}}
 %license apptainer/LICENSE.md
 %license *-LICENSE.md *-LICENSE
-%attr(4750, root, apptainer) %{_libexecdir}/apptainer/bin/starter-suid
 %{_bindir}/*
 %dir %{_libexecdir}/apptainer
 %dir %{_libexecdir}/apptainer/bin
 %dir %{_libexecdir}/apptainer/cni
+%dir %{_libexecdir}/apptainer/lib
 %{_libexecdir}/apptainer/bin/starter
+%{_libexecdir}/apptainer/lib/offsetpreload.so
 %{_libexecdir}/apptainer/cni/*
 %dir %{_sysconfdir}/apptainer
 %config(noreplace) %{_sysconfdir}/apptainer/capability.json
@ -166,6 +154,5 @@ rmdir .tmp
 %dir %{_localstatedir}/lib/apptainer/mnt
 %dir %{_localstatedir}/lib/apptainer/mnt/session
 %{_mandir}/man1/*
-%{_sysusersdir}/system-group-%{name}.conf

 %changelog
--- a/useful_error_message.patch
+++ b/useful_error_message.patch
@ -1,26 +0,0 @@
-From 5194ad8f863e971dde1c668d9c9de844b58ae893 Mon Sep 17 00:00:00 2001
-From: Christian Goll <cgoll@suse.de>
-Date: Mon, 13 Dec 2021 14:35:41 +0100
-Subject: [PATCH] Add an useful error message when the user doesn't belong to
- the singularity group
-
---
- internal/pkg/util/starter/starter.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/internal/pkg/util/starter/starter.go b/internal/pkg/util/starter/starter.go
-index 11858ee20..5f76ac08d 100644
--- a/internal/pkg/util/starter/starter.go
-+++ b/internal/pkg/util/starter/starter.go
-@@ -94,7 +94,7 @@ func Exec(name string, config *config.Common, ops ...CommandOp) error {
- 		return fmt.Errorf("while initializing starter command: %s", err)
- 	}
- 	err := unix.Exec(c.path, []string{name}, c.env)
-	return fmt.Errorf("while executing %s: %s", c.path, err)
-+  return fmt.Errorf("while executing %s: %s\nPlease read /usr/share/doc/packages/apptainer/README.SUSE to get help\n", c.path, err)
- }
- 
- // Run executes the starter binary and returns once starter
-- 
-2.34.1
-
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:009ecb531043c5b66eaf112a9a2a3f9f8612d890ce59fae16ac30128b031078e
-size 6499970
+oid sha256:7735457b98aafd288d84535215550976fff739082cd8290784415e1bee514c1f
+size 7205443