of the security risk.
image driver will be used instead.
would enable a user to theoretically bypass the limits via `ptrace()`
because the FUSE process runs as that user.
one of the layers is a FUSE filesystem). In addition, if `allow
setuid-mount encrypted = no` then the unprivileged gocryptfs format
can still be used with the `--underlay` option, but it is deprecated
their own, dedicated `keyserver` command. Run `apptainer help keyserver`
for more information.
been moved to their own, dedicated `registry` command. Run
* The `remote status` command will now print the username, realname, and
email of the logged-in user, if available.
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=71
- Updated apptainer to version 1.3.0
* FUSE mounts are now supported in setuid mode, enabling full
functionality even when kernel filesystem mounts are insecure due to
unprivileged users having write access to raw filesystems in
containers. When allow `setuid-mount extfs = no` (the default) in
apptainer.conf, then the fuse2fs image driver will be used to mount
ext3 images in setuid mode instead of the kernel driver (ext3 images
are primarily used for the --overlay feature), restoring
functionality that was removed by default in Apptainer 1.1.8 because
of the security risk.
The allow `setuid-mount squashfs` configuration option in
`apptainer.conf` now has a new default called `iflimited` which allows
kernel squashfs mounts only if there is at least one `limit container`
option set or if Execution Control Lists are activated in ecl.toml.
If kernel squashfs mounts are are not allowed, then the squashfuse
image driver will be used instead.
`iflimited` is the default because if one of those limits are used
the system administrator ensures that unprivileged users do not have
write access to the containers, but on the other hand using FUSE
would enable a user to theoretically bypass the limits via ptrace()
because the FUSE process runs as that user.
The `fuse-overlayfs` image driver will also now be tried in setuid
mode if the kernel overlayfs driver does not work (for example if
one of the layers is a FUSE filesystem). In addition, if allow
setuid-mount encrypted = no then the unprivileged gocryptfs format
will be used for encrypting SIF files instead of the kernel
device-mapper. If a SIF file was encrypted using the gocryptfs
format, it can now be mounted in setuid mode in addition to
non-setuid mode.
* Change the default in user namespace mode to use either kernel
OBS-URL: https://build.opensuse.org/request/show/1159335
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=70
- Updated apptainer to version 1.2.5
* Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA
Drivers (known with >= 525.85.05) require this lib to compile
OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl`
depends on `libnvidia-nvvm`.
* Disable the usage of cgroup in instance creation when
`--fakeroot` is passed.
* Disable the usage of cgroup in instance creation when `hidepid`
mount option on `/proc` is set.
* Fixed a regression introduced in 1.2.0 where the user's
password file information was not copied in to the container
when there was a parent root-mapped user namespace (as is the
case for example in `cvmfsexec`).
* Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so`
to the list of libraries to add to NVIDIA GPU-enabled
containers. Fixed missing error handling during the creation
of an encrypted image that lead to the generation of corrupted
images.
* Use `APPTAINER_TMPDIR` for temporary files during privileged
image encryption.
* If rootless unified cgroups v2 is available when starting an
image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is
not set, print an info message that stats will not be available
instead of exiting with a fatal error.
* Allow templated build arguments to definition files to have
empty values.
OBS-URL: https://build.opensuse.org/request/show/1143083
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=64
- Do not build squashfuse, require it as a dependency.
Removed: squashfuse-0.1.105.tar.gz, 70.patch
- Replace awkward 'Obsoletes: singularity-*' as well as the
'Provides: Singularity' by 'Conflicts:' and drop the provides -
the versioning scheme does not match and we do not automatically
migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
OBS-URL: https://build.opensuse.org/request/show/1120777
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=23
- Do not build squashfuse, require it as a dependency.
- Replace awkward 'Obsoletes: singularity-*' as well as the
'Provides: Singularity' by 'Conflicts:' and drop the provides -
the versioning scheme does not match and we do not automatically
migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
OBS-URL: https://build.opensuse.org/request/show/1119873
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=59
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
also valid
- updated to 1.2.3 with following changes:
* The apptainer push/pull commands now show a progress bar for the oras
protocol like there was for docker and library protocols.
* The --nv and --rocm flags can now be used simultaneously.
* Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
commands that refer to instance://.
* Fix the issue that apptainer would not read credentials from the Docker
fallback path ~/.docker/config.json if missing in the apptainer
credentials.
- Update license for the package to cover also OpenSSL and CRYPTOGAMS
part of chacha_ppc64le.s
OBS-URL: https://build.opensuse.org/request/show/1113853
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=22
- updated to 1.2.3 with following changes:
* The apptainer push/pull commands now show a progress bar for the oras
protocol like there was for docker and library protocols.
* The --nv and --rocm flags can now be used simultaneously.
* Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
commands that refer to instance://.
* Fix the issue that apptainer would not read credentials from the Docker
fallback path ~/.docker/config.json if missing in the apptainer
credentials.
OBS-URL: https://build.opensuse.org/request/show/1113390
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=56
- update to 1.2.0 with following changes:
* binary is built reproducible which disables plugins
* Create the current working directory in a container when it doesn't exist.
This restores behavior as it was before singularity 3.6.0. As a result,
using --no-mount home won't have any effect when running apptainer from a
home directory and will require --no-mount home,cwd to avoid mounting that
directory.
* Handle current working directory paths containing symlinks both on the host
and in a container but pointing to different destinations. If detected, the
current working directory is not mounted when the destination directory in
the container exists.
* Destination mount points are now sorted by shortest path first to ensure
that a user bind doesn't override a previous bind path when set in
arbitrary order on the CLI. This is also applied to image binds.
* When the kernel supports unprivileged overlay mounts in a user namespace,
the container will be constructed by default using an overlay instead of an
underlay layout for bind mounts. A new --underlay action option can be used
to prefer underlay instead of overlay.
* sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
installations. This is an increase from 16 MiB in prior versions.
* The apptainer cache is now architecture aware, so the same home directory
cache can be shared by machines with different architectures.
* Overlay is blocked on the panfs filesystem, allowing sandbox directories to
be run from panfs without error.
* Lookup and store user/group information in stage one prior to entering any
namespaces, to fix an issue with winbind not correctly looking up
user/group information when using user namespaces.
- New features / functionalities
* Support for unprivileged encryption of SIF files using gocryptfs. This is
not compatible with privileged encryption, so containers encrypted by root
OBS-URL: https://build.opensuse.org/request/show/1099922
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=47
- update to 1.1.9 with following changes:
* Remove warning about unknown xino=on option from fuse-overlayfs, introduced
in 1.1.8.
* Ignore extraneous warning from fuse-overlayfs about a readonly /proc.
* Fix dropped "n" characters on some platforms in definition file stored as
part of SIF metadata.
* Remove duplicated group ids.
* Fix not being able to handle multiple entries in LD_PRELOAD when binding
fakeroot into container during apptainer startup for --fakeroot with
fakeroot command.
OBS-URL: https://build.opensuse.org/request/show/1092892
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=45
- Included a fix for CVE-2023-30549 which is a vulnerability in setuid-root
installations of Apptainer iwhich was not active in the recent openSUSE
packages. Still this is included for completenss. The fix adds allow
setuid-mount configuration options encrypted, squashfs, and extfs, and makes
the default for extfs be "no". That disables the use of extfs mounts
including for overlays or binds while in the setuid-root mode, while leaving
it enabled for unprivileged user namespace mode. The default for encrypted
and squashfs is "yes".
- Other bug fixes:
* Fix loop device 'no such device or address' spurious errors when using shared
loop devices.
* Add xino=on mount option for writable kernel overlay mount points to fix
inode numbers consistency after kernel cache flush (not applicable to
fuse-overlayfs).
OBS-URL: https://build.opensuse.org/request/show/1083262
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=43
- updated to 1.1.7 with following changes:
* removed simpler-sif-building.patch as this was incoperated upstream
* Allow gpu options such as --nv to be nested by always inheriting all
libraries bound in to a parent container's /.singularity.d/libs.
* Map the user's home directory to the root home directory by default in the
non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both
action commands and building containers from definition files.
* Make the error message more helpful in another place where a remote is
found to have no library client.
* Avoid incorrect error when requesting fakeroot network.
* Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where
unsquashfs on host uses libraries in non-default paths.
OBS-URL: https://build.opensuse.org/request/show/1075152
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=41
- update to 1.1.6 with following changes:
* Included a fix for CVE-2022-23538 which potentially leaked user credentials
to a third-party S3 storage service when using the library:// protocol. See
the https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7
for details.
* Make PS1 environment variable changeable via %environment section on
definition file that used to be only changeable via APPTAINERENV_PS1
outside of container. This makes the container's prompt customizable.
* Fix the passing of nested bind mounts when there are multiple binds
separated by commas and some of them have colons separating sources and
destinations.
* Hide messages about SINGULARITY variables if corresponding APPTAINER
variables are defined. Fixes a regression introduced in 1.1.4.
* Print a warning if extra arguments are given to a shell action, and show in
the run action usage that arguments may be passed.
* Check for the existence of the runtime executable prefix, to avoid issues
when running under Slurm's srun. If it doesn't exist, fall back to the
compile-time prefix.
* Increase the timeout on image driver (that is, FUSE) mounts from 2 seconds
to 10 seconds. Instead, print an INFO message if it takes more than 2
seconds.
* If a remote is defined both globally (i.e. system-wide) and individually,
change apptainer remote commands to print an info message instead of
exiting with a fatal error and to give precedence to the individual
configuration. (forwarded request 1065996 from mslacken)
OBS-URL: https://build.opensuse.org/request/show/1065997
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=14
- update to 1.1.6 with following changes:
* Included a fix for CVE-2022-23538 which potentially leaked user credentials
to a third-party S3 storage service when using the library:// protocol. See
the https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7
for details.
* Make PS1 environment variable changeable via %environment section on
definition file that used to be only changeable via APPTAINERENV_PS1
outside of container. This makes the container's prompt customizable.
* Fix the passing of nested bind mounts when there are multiple binds
separated by commas and some of them have colons separating sources and
destinations.
* Hide messages about SINGULARITY variables if corresponding APPTAINER
variables are defined. Fixes a regression introduced in 1.1.4.
* Print a warning if extra arguments are given to a shell action, and show in
the run action usage that arguments may be passed.
* Check for the existence of the runtime executable prefix, to avoid issues
when running under Slurm's srun. If it doesn't exist, fall back to the
compile-time prefix.
* Increase the timeout on image driver (that is, FUSE) mounts from 2 seconds
to 10 seconds. Instead, print an INFO message if it takes more than 2
seconds.
* If a remote is defined both globally (i.e. system-wide) and individually,
change apptainer remote commands to print an info message instead of
exiting with a fatal error and to give precedence to the individual
configuration.
OBS-URL: https://build.opensuse.org/request/show/1065996
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=36
- Update to 1.1.5 with following changes:
* Fix the use of fakeroot, faked, and libfakeroot.so if they are not suffixed
by -sysv, as is for instance the case on Gentoo Linux.
* Prevent the use of a --libexecdir or --bindir mconfig option from making
apptainer think it was relocated and so preventing use of suid mode. The
bug was introduced in v1.1.4.
* Add helpful error message for build --remote option.
* Add more helpful error message when no library endpoint found.
* Avoid cleanup errors on exit when mountpoints are busy by doing a lazy
unmount if a regular unmount doesn't work after 10 tries.
* Make messages about using SINGULARITY variables less scary.
OBS-URL: https://build.opensuse.org/request/show/1057746
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=34
- Update to 1.1.4 with following changes:
* Make the binaries built in the unprivileged apptainer package relocatable.
When moving the binaries to a new location, the /usr at the top of some of
the paths needs to be removed. Relocation is disallowed when the
starter-suid is present, for security reasons.
* Change the warning when an overlay image is not writable, introduced in
v1.1.3, back into a (more informative) fatal error because it doesn't
actually enter the container environment.
* Set the --net flag if --network or --network-args is set rather than
silently ignoring them if --net was not set.
* Do not hang on pull from http(s) source that doesn't provide a content-length.
* Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.
* Remove obsolete pacstrap -d in Arch packer.
* Adjust warning message for deprecated environment variables usage.
* Enable the --security uid:N and --security gid:N options to work when run
in non-suid mode. In non-suid mode they work with any user, not just root.
Unlike with root and suid mode, however, only one gid may be set in
non-suid mode.
- Changes from 1.1.3
* Prefer the fakeroot-sysv command over the fakeroot command because the
latter can be linked to either fakeroot-sysv or fakeroot-tcp, but
fakeroot-sysv is much faster.
* Update the included squashfuse_ll to have -o uid=N and -o gid=N options and
changed the corresponding image driver to use them when available. This
makes files inside sif files appear to be owned by the user instead of by
the nobody id 65534 when running in non-setuid mode.
* Fix the locating of shared libraries when running unsquashfs from a non-standard location.
* Properly clean up temporary files if unsquashfs fails.
* Fix the creation of missing bind points when using image binding with underlay.
* Change the error when an overlay image is not writable into a warning that
OBS-URL: https://build.opensuse.org/request/show/1043930
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=30
