- Updated to version 1.1.0-rc1, which enables apptainer to run without
suid and additional groups. Although this is a prerelease, this is
a major advantage justifying its use.
* Added a squashfuse image driver that enables mounting SIF files without
using setuid-root. Requires the squashfuse command and unprivileged user
namespaces.
* Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
overlay partitions without using setuid-root. Requires the fuse2fs command
and unprivileged user namespaces.
* Added the ability to use persistent overlay (--overlay) and
--writable-tmpfs without using setuid-root. This requires unprivileged user
namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
command. Persistent overlay works when the overlay path points to a regular
filesystem (known as "sandbox" mode, which is not allowed when in setuid
mode), or when it points to an EXT3 image. Does not work with a SIF
partition because that requires privileges to mount as an ext3 image.
* Extended the --fakeroot option to be useful when /etc/subuid and
/etc/subgid mappings have not been set up. If they have not been set up, a
root-mapped unprivileged user namespace (the equivalent of unshare -r)
and/or the fakeroot command from the host will be tried. Together they
emulate the mappings pretty well but they are simpler to administer. This
feature is especially useful with the --overlay and --writable-tmpfs
options and for building containers unprivileged, because they allow
installing packages that assume they're running as root. A limitation on
using it with --overlay and --writable-tmpfs however is that when only the
fakeroot command can be used (because there are no user namespaces
available, in suid mode) then the base image has to be a sandbox. This
feature works nested inside of an apptainer container, where another
apptainer command will also be in the fakeroot environment without
requesting the --fakeroot option again, or it can be used inside an
OBS-URL: https://build.opensuse.org/request/show/993098
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=14
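
Added example, not part of the changelog or of the Apptainer project: a host check for the non-setuid features listed in the 1.1.0-rc1 entry above, using only the requirements stated there (unprivileged user namespaces, the squashfuse, fuse2fs and fuse-overlayfs commands, kernel >= 5.11). The function names are hypothetical, and probing user namespaces with `unshare -r true` is an assumption about how to test for them.

```shell
#!/bin/sh
# Added example: which non-setuid Apptainer features can this host support?

# kernel_at_least RELEASE MAJOR MINOR -> exit 0 if RELEASE >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%[!0-9.]*}                  # "5.14.21-150400-default" -> "5.14.21"
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# has CMD -> prints yes/no depending on whether CMD is in PATH
has() { command -v "$1" >/dev/null 2>&1 && echo yes || echo no; }

# userns -> yes if a root-mapped unprivileged user namespace can be created
userns() { unshare -r true 2>/dev/null && echo yes || echo no; }

# driver_ok USERNS HAVE_HELPER -> yes/no
# The squashfuse (SIF) and fuse2fs (EXT3) image drivers each need their
# helper command plus unprivileged user namespaces.
driver_ok() { [ "$1" = yes ] && [ "$2" = yes ] && echo yes || echo no; }

# overlay_method USERNS KERNEL_RELEASE HAVE_FUSE_OVERLAYFS
# Unprivileged --overlay / --writable-tmpfs needs user namespaces and
# either a kernel >= 5.11 or the fuse-overlayfs command.
overlay_method() {
    [ "$1" = yes ] || { echo none; return; }
    if kernel_at_least "$2" 5 11; then echo kernel
    elif [ "$3" = yes ]; then echo fuse-overlayfs
    else echo none
    fi
}

report() {
    ns=$(userns)
    echo "unprivileged user namespaces:  $ns"
    echo "SIF mount via squashfuse:      $(driver_ok "$ns" "$(has squashfuse)")"
    echo "EXT3 mount via fuse2fs:        $(driver_ok "$ns" "$(has fuse2fs)")"
    echo "overlay / writable-tmpfs via:  $(overlay_method "$ns" "$(uname -r)" "$(has fuse-overlayfs)")"
}

report
```

A result of "none" or "no" means that feature would still depend on the setuid-root installation on this host.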
- Update to version 1.0.3:
* Process redirects that can come from sregistry with a library:// URL.
* Fix inspect --deffile and inspect --all to correctly show definition files
in sandbox container images instead of empty output. This has a side effect
of also fixing the storing of definition files in the metadata of sif files
built by Apptainer, because that metadata is constructed by doing inspect
--all.
OBS-URL: https://build.opensuse.org/request/show/988329
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=12
- Updated to v1.0.1 with the following bug fixes:
* Don't prompt for y/n to overwrite an existing file when build is called
from a non-interactive environment. Fail with an error.
* Preload NSS libraries prior to mountspace name creation to avoid
circumstances that can cause loading those libraries from the container
image instead of the host, for example in the startup environment.
* Fix race condition where newly created loop devices can sometimes not be opened.
* Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
OBS-URL: https://build.opensuse.org/request/show/962878
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=6