Accepting request 1160483 from network:cluster

- Make apptainer definition templates version dependent. (forwarded request 1160482 from eeich) OBS-URL: https://build.opensuse.org/request/show/1160483 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=27
2024-03-22 14:20:22 +00:00
parent 7ed58aadab 16c1bbbbc9
commit a8651ef236
5 changed files with 111 additions and 12 deletions
--- a/apptainer-1.2.5.tar.gz
+++ b/apptainer-1.2.5.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9daebdd688cfcf646d87c0c1cc5f3f4eb274aceb9e3483e58e53da293cc4f310
-size 5061186
--- a/apptainer-1.3.0.tar.gz
+++ b/apptainer-1.3.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3151d39128ce8f91c2fe4042d9e419d87b20f5b5f3fe0016cf9c7757ef7b7017
+size 5086105
--- a/apptainer.changes
+++ b/apptainer.changes
@@ -1,3 +1,101 @@
+-------------------------------------------------------------------
+Fri Mar 15 11:20:14 UTC 2024 - Christian Goll <cgoll@suse.com>
+
+- Updated apptainer to version 1.3.0
+  * FUSE mounts are now supported in setuid mode, enabling full
+    functionality even when kernel filesystem mounts are insecure due to
+    unprivileged users having write access to raw filesystems in
+    containers. When allow `setuid-mount extfs = no` (the default) in
+    apptainer.conf, then the fuse2fs image driver will be used to mount
+    ext3 images in setuid mode instead of the kernel driver (ext3 images
+    are primarily used for the `--overlay` feature), restoring
+    functionality that was removed by default in Apptainer 1.1.8 because
+    of the security risk.
+    The allow `setuid-mount squashfs` configuration option in
+    `apptainer.conf` now has a new default called `iflimited` which allows
+    kernel squashfs mounts only if there is at least one `limit container`
+    option set or if Execution Control Lists are activated in ecl.toml.
+    If kernel squashfs mounts are are not allowed, then the squashfuse
+    image driver will be used instead.
+    `iflimited` is the default because if one of those limits are used
+    the system administrator ensures that unprivileged users do not have
+    write access to the containers, but on the other hand using FUSE
+    would enable a user to theoretically bypass the limits via `ptrace()`
+    because the FUSE process runs as that user.
+    The `fuse-overlayfs` image driver will also now be tried in setuid
+    mode if the kernel overlayfs driver does not work (for example if
+    one of the layers is a FUSE filesystem).  In addition, if `allow
+    setuid-mount encrypted = no` then the unprivileged gocryptfs format
+    will be used for encrypting SIF files instead of the kernel
+    device-mapper. If a SIF file was encrypted using the gocryptfs
+    format, it can now be mounted in setuid mode in addition to
+    non-setuid mode.
+  * Change the default in user namespace mode to use either kernel
+    overlayfs or fuse-overlayfs instead of the underlay feature for the
+    purpose of adding bind mount points. That was already the default in
+    setuid mode; this change makes it consistent. The underlay feature
+    can still be used with the `--underlay` option, but it is deprecated
+    because the implementation is complicated and measurements have
+    shown that the performance of underlay is similar to overlayfs and
+    fuse-overlayfs.
+    For now the underlay feature can be made the default again with a
+    new `preferred` value on the `enable underlay` configuration option.
+    Also the `--underlay` option can be used in setuid mode or as the
+    root user, although it was ignored previously.
+  * Prefer again to use kernel overlayfs over fuse-overlayfs when a
+    lower layer is FUSE and there's no writable upper layer, undoing the
+    change from 1.2.0. Another workaround was found for the problem that
+    change addressed. This applies in both setuid mode and in user
+    namespace mode.
+  * `--cwd` is now the preferred form of the flag for setting the
+    container's working directory, though `--pwd` is still supported for
+    compatibility.
+  * The way `--home` is handled when running as root (e.g. sudo apptainer)
+    or with `--fakeroot` has changed. Previously, we were only modifying
+    the `HOME` environment variable in these cases, while leaving the
+    container's `/etc/passwd` file unchanged (with its homedir field
+    pointing to `/root`, regardless of the value passed to `--home`). With
+    this change, both value of HOME and the contents of `/etc/passwd` in
+    the container will reflect the value passed to `--home` if the
+    container is readonly. If the container is writable, the
+    `/etc/passwd` file is left alone because it can interfere with
+    commands that want to modify it.
+  * The `--vm` and related flags to start apptainer inside a VM have been
+    removed. This functionality was related to the retired Singularity Desktop
+    / SyOS projects.
+  * The keyserver-related commands that were under `remote` have been moved to
+    their own, dedicated `keyserver` command. Run `apptainer help keyserver`
+    for more information.
+  * The commands related to OCI/Docker registries that were under `remote` have
+    been moved to their own, dedicated `registry` command. Run
+    `apptainer help registry` for more information.
+  * The the `remote list` subcommand now outputs only remote endpoints (with
+    keyservers and OCI/Docker registries having been moved to separate
+    commands), and the output has been streamlined.
+  * Adding a new remote endpoint using the `apptainer remote add` command will
+    now set the new endpoint as default. This behavior can be suppressed by
+    supplying the `--no-default` (or `-n`) flag to `remote add`.
+  * Skip parsing build definition file template variables after comments
+    beginning with a hash symbol.
+  * The global `/tmp` directory is no longer used for gocryptfs mountpoints.
+- New Features & Functionality
+  * The `remote status` command will now print the username, realname, and
+    email of the logged-in user, if available.
+  * Add monitoring feature support, which requires the usage of an
+    additional tool named `apptheus`, this tool will put apptainer starter
+    into a newly created cgroup and collect system metrics.
+  * A new `--no-pid` flag for `apptainer run/shell/exec` disables the PID
+    namespace inferred by `--containall` and `--compat`.
+  * Added `--config` option to `keyserver` commands.
+  * Honor an optional remoteName argument to the `keyserver list` command.
+  * Added the `APPTAINER_ENCRYPTION_PEM_DATA` env var to allow for
+    encrypting and running encrypted containers without a PEM file.
+  * Adding `--sharens` mode for `apptainer exec/run/shell`, which enables to
+    run multiple apptainer instances created by the same parent using
+    the same image in the same user namespace.
+- Make 'gocryptfs' an optional dependency.
+- Make apptainer definition templates version dependent.
+
 -------------------------------------------------------------------
 Wed Mar 13 19:28:40 UTC 2024 - Egbert Eich <eich@suse.com>

--- a/apptainer.spec
+++ b/apptainer.spec
@@ -25,7 +25,7 @@ Summary:        Application and environment virtualization
 License:        BSD-3-Clause-LBNL AND OpenSSL
 Group:          Productivity/Clustering/Computing
 Name:           apptainer
-Version:        1.2.5
+Version:        1.3.0
 Release:        0
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 URL:            https://apptainer.org
@@ -58,9 +58,10 @@ BuildRequires:  libseccomp-devel
 Requires:       squashfs
 Requires:       squashfuse
 Recommends:     fuse2fs
-Requires:       (apptainer-leap if product(Leap) = 15.5)
-Requires:       (apptainer-sle15_5 if product(SUSE_SLE) = 15.5)
-Requires:       (apptainer-sle15_6 if product(SUSE_SLE) = 15.6)
+Recommends:     gocryptfs
+Requires:       (apptainer-leap = %version if product(Leap) = 15.5)
+Requires:       (apptainer-sle15_5 = %version if product(SUSE_SLE) = 15.5)
+Requires:       (apptainer-sle15_6 = %version if product(SUSE_SLE) = 15.6)

 # Needed for container decryption in userspace, upstream rpms include this
 # but factory should have this seperately
@@ -77,7 +78,7 @@ containers that can be used across host environments.
 %package   sle15_5
 Summary:        Apptainer Definition File Templates for SLE 15 SP5
 BuildArch:      noarch
-Requires:       apptainer
+Requires:       apptainer = %version

 %description sle15_5
 The package provides a definition file template for Apptainer containers
@@ -86,7 +87,7 @@ based on SUSE Linux Enterprise 15 SP5.
 %package   sle15_6
 Summary:        Apptainer Definition File Templates for SLE 15 SP6
 BuildArch:      noarch
-Requires:       apptainer
+Requires:       apptainer = %version

 %description sle15_6
 The package provides a definition file template for Apptainer containers
@@ -95,7 +96,7 @@ based on SUSE Linux Enterprise 15 SP6.
 %package leap
 Summary:        Apptainer Definition File Templates for current openSUSE Leap
 BuildArch:      noarch
-Requires:       apptainer
+Requires:       apptainer = %version

 %description leap
 The package provides a definition file template for Apptainer containers
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7aa132e7de3bf160c90529d1b8c4b2fb56a80655375d0d02aeaaa024d1033dad
-size 9286899
+oid sha256:c9ae840ef26b9d9b04ddba942207a1823655b6622fa20e55708ee764803509cd
+size 11976052