From 7fca039621c727def2044273a5ef2df54edefb320d38ed4cff94ea9cded8d1a3 Mon Sep 17 00:00:00 2001 
From: Christian Goll
Date: Mon, 24 Jul 2023 09:11:01 +0000
Subject: [PATCH 1/2] Accepting request 1099922 from home:mslacken:pr
- update to 1.2.0 with following changes:
 * binary is built reproducible which disables plugins
 * Create the current working directory in a container when it doesn't exist. This restores behavior as it was before singularity 3.6.0. As a result, using --no-mount home won't have any effect when running apptainer from a home directory and will require --no-mount home,cwd to avoid mounting that directory.
 * Handle current working directory paths containing symlinks both on the host and in a container but pointing to different destinations. If detected, the current working directory is not mounted when the destination directory in the container exists.
 * Destination mount points are now sorted by shortest path first to ensure that a user bind doesn't override a previous bind path when set in arbitrary order on the CLI. This is also applied to image binds.
 * When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed by default using an overlay instead of an underlay layout for bind mounts. A new --underlay action option can be used to prefer underlay instead of overlay.
 * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
 * The apptainer cache is now architecture aware, so the same home directory cache can be shared by machines with different architectures.
 * Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.
 * Lookup and store user/group information in stage one prior to entering any namespaces, to fix an issue with winbind not correctly looking up user/group information when using user namespaces.
- New features / functionalities
 * Support for unprivileged encryption of SIF files using gocryptfs. 
This is not compatible with privileged encryption, so containers encrypted by root
OBS-URL: https://build.opensuse.org/request/show/1099922
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=47
---
 apptainer-1.2.0.tar.gz | 3 ++
 apptainer.changes | 78 ++++++++++++++++++++++++++++++++++++++++++
 apptainer.spec | 13 ++++---
 vendor.tar.gz | 4 +--
 4 files changed, 92 insertions(+), 6 deletions(-)
 create mode 100644 apptainer-1.2.0.tar.gz
diff --git a/apptainer-1.2.0.tar.gz b/apptainer-1.2.0.tar.gz
new file mode 100644
index 0000000..91f8618
--- /dev/null
+++ b/apptainer-1.2.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:24c58759b9c1c6bf861f525804cbb7ffab5c52d5f587b49882bee854f4891c4b
+size 5058467
diff --git a/apptainer.changes b/apptainer.changes
index 47a637d..762ee1c 100644
--- a/apptainer.changes
+++ b/apptainer.changes
@@ -1,3 +1,81 @@
+-------------------------------------------------------------------
+Wed Jun 14 08:34:27 UTC 2023 - Christian Goll
+
+- update to 1.2.0 with following changes:
+ * binary is built reproducible which disables plugins
+ * Create the current working directory in a container when it doesn't exist.
+ This restores behavior as it was before singularity 3.6.0. As a result,
+ using --no-mount home won't have any effect when running apptainer from a
+ home directory and will require --no-mount home,cwd to avoid mounting that
+ directory.
+ * Handle current working directory paths containing symlinks both on the host
+ and in a container but pointing to different destinations. If detected, the
+ current working directory is not mounted when the destination directory in
+ the container exists.
+ * Destination mount points are now sorted by shortest path first to ensure
+ that a user bind doesn't override a previous bind path when set in
+ arbitrary order on the CLI. This is also applied to image binds.
+ * When the kernel supports unprivileged overlay mounts in a user namespace,
+ the container will be constructed by default using an overlay instead of an
+ underlay layout for bind mounts. A new --underlay action option can be used
+ to prefer underlay instead of overlay.
+ * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
+ installations. This is an increase from 16 MiB in prior versions.
+ * The apptainer cache is now architecture aware, so the same home directory
+ cache can be shared by machines with different architectures.
+ * Overlay is blocked on the panfs filesystem, allowing sandbox directories to
+ be run from panfs without error.
+ * Lookup and store user/group information in stage one prior to entering any
+ namespaces, to fix an issue with winbind not correctly looking up
+ user/group information when using user namespaces.
+- New features / functionalities
+ * Support for unprivileged encryption of SIF files using gocryptfs. This is
+ not compatible with privileged encryption, so containers encrypted by root
+ need to be rebuilt by an unprivileged user.
+ * Templating support for definition files. Users can now define variables in
+ definition files via a matching pair of double curly brackets. Variables of
+ the form {{ variable }} will be replaced by a value defined either by a
+ variable=value entry in the %arguments section of the definition file or
+ through new build options --build-arg or --build-arg-file.
+ * Add a new instance run command that will execute the runscript when an
+ instance is initiated instead of executing the startscript.
+ * The sign and verify commands now support signing and verification with
+ non-PGP key material by specifying the path to a private key via the --key
+ flag.
+ * The verify command now supports verification with X.509 certificates by
+ specifying the path to a certificate via the --certificate flag. By
+ default, the system root certificate pool is used as trust anchors unless
+ overridden via the --certificate-roots flag. A pool of intermediate
+ certificates that are not trust anchors, but can be used to form a
+ certificate chain, can also be specified via the
+ --certificate-intermediates flag.
+ * Support for online verification checks of X.509 certificates using OCSP
+ protocol via the new verify --ocsp-verify option.
+ * The instance stats command displays the resource usage every second. The
+ --no-stream option disables this interactive mode and shows the
+ point-in-time usage.
+ * Instances are now started in a cgroup by default, when run as root or when
+ unified cgroups v2 with systemd as manager is configured. This allows
+ apptainer instance stats to be supported by default when possible.
+ * The instance start command now accepts an optional --app argument
+ which invokes a start script within the %appstart section in the
+ definition file. The instance stop command still only requires the instance
+ name.
+ * The instance name is now available inside an instance via the new
+ APPTAINER_INSTANCE environment variable.
+ * The --no-mount flag now accepts the value bind-paths to disable mounting of
+ all bind path entries in apptainer.conf.
+ Support for DOCKER_HOST parsing when using docker-daemon://
+ DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.
+ Add new Linux capabilities CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.
+ * The remote get-login-password command allows users to retrieve a remote's
+ token. This enables piping the secret directly into docker login while
+ preventing it from showing up in a shell's history.
+ * Define EUID in %environment alongside UID.
+ * In --rocm mode, the whole of /dev/dri is now bound into the container when
+ --contain is in use. This makes /dev/dri/render devices available, required
+ for later ROCm versions.
+
 -------------------------------------------------------------------
 Tue Jun 13 14:00:33 UTC 2023 - Christian Goll
diff --git a/apptainer.spec b/apptainer.spec
index 41097e7..6bc9d1b 100644
--- a/apptainer.spec
+++ b/apptainer.spec
@@ -20,12 +20,13 @@
 %define _buildshell /bin/bash
 %global squashfuse_version 0.1.105
+#%%define vers_suffix -rc.1
 Summary: Application and environment virtualization
 License: BSD-3-Clause-LBNL
 Group: Productivity/Clustering/Computing
 Name: apptainer
-Version: 1.1.9
+Version: 1.2.0
 Release: 0
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 URL: https://apptainer.org
@@ -47,7 +48,7 @@ BuildRequires: cryptsetup
 BuildRequires: fdupes
 BuildRequires: gcc
 BuildRequires: git
-BuildRequires: go >= 1.17
+BuildRequires: go >= 1.19
 BuildRequires: libuuid-devel
 BuildRequires: make
 BuildRequires: openssl-devel 
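Review bot: The `%{?vers_suffix}` mechanism introduced by the commented `#%%define vers_suffix -rc.1` line is only wired into the unpack directory in `%setup -q -n %{name}-%{version}%{?vers_suffix}` (hunk @@ -87,7 +91,7 @@); whether the Source tag's tarball name also carries the suffix is outside these hunks, so enabling the define for a pre-release could fail at %setup unless that is checked. A comment next to the define would make the contract explicit, for example `# when enabled, the Source tarball name must carry the same suffix as the %setup directory`. The same point applies to the %setup hunk, so one note covers both.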
@@ -67,6 +68,9 @@ BuildRequires: pkgconfig(liblzma)
 %endif
 Requires: squashfs
 Recommends: fuse2fs
+# Needed for container decryption in userspace, upstream rpms include this
+# but factory should have this seperately
+Recommends: gocryptfs
 PreReq: permissions
 # there's no golang for ppc64, ppc64le does not have non pie builds
@@ -87,7 +91,7 @@ containers that can be used across host environments.
 %setup -b 10 -n squashfuse-%{squashfuse_version}
 %patch -P 10 -p1
 %endif
-%setup -q -n %{name}-%{version}
+%setup -q -n %{name}-%{version}%{?vers_suffix}
 cp %{S:1} %{S:2} %{S:3} %{S:4} %{S:5} .
 %build
@@ -119,7 +123,8 @@ tar xzf %{S:9}
 --sharedstatedir=%{_sharedstatedir} \
 --mandir=%{_mandir} \
 --infodir=%{_infodir} \
- --without-suid
+ --without-suid \
+ --reproducible
 %make_build -C builddir V=""
diff --git a/vendor.tar.gz b/vendor.tar.gz
index 45d1cd9..68c4e21 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8e503b473a008cd681079b7b782ddace9e7dc7d1864b12be10b1d40eaf09350b
-size 7350195
+oid sha256:564adf10e776afc78353a2b0beebf61706ad4a71eb63426536d49413e184dbaf
+size 9277615
From 743ca3819562761881dc24a45ab359103d9117871254290f9a01c99fc5e09333 Mon Sep 17 00:00:00 2001
From: Christian Goll
Date: Mon, 24 Jul 2023 09:28:08 +0000
Subject: [PATCH 2/2] Accepting request 1100358 from home:mslacken:pr without old source
OBS-URL: https://build.opensuse.org/request/show/1100358
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=48
---
 apptainer-1.1.9.tar.gz | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 apptainer-1.1.9.tar.gz
diff --git a/apptainer-1.1.9.tar.gz b/apptainer-1.1.9.tar.gz
deleted file mode 100644
index 7b979b3..0000000
--- a/apptainer-1.1.9.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6d73d85ae775bde0493cc1c56a885d7cdaa1dfa7d502492a2083eba9d172563c
-size 5190344
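Review bot: The comment above `Recommends: gocryptfs` undersells the dependency: the changelog in this same commit says gocryptfs is the backend for unprivileged encryption of SIF files, and with this package configured `--without-suid` it appears to be the only encryption path available to non-root users, so an install done with recommends disabled would leave encrypted containers unusable for them. Either decide that a hard `Requires` is warranted or state the trade-off in the comment, and fix the typo "seperately". Suggested wording: `# gocryptfs backs unprivileged SIF encryption/decryption (the non-root path in this --without-suid build);` followed by `# upstream rpms bundle it, Factory ships it separately`.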
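Review bot: `--reproducible` is appended to the configure flags in hunk @@ -119,7 +123,8 @@ without recording its side effect; the commit message states that the reproducible build disables plugins, which changes what the shipped binary supports but is invisible from the spec alone. A comment on the line above would keep that trade-off from being lost on the next update, e.g. `# --reproducible: reproducible binary, but plugin support is disabled (see 1.2.0 changelog)`. The configure invocation this line belongs to starts before the hunk.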