- Update to 1.1.5 with the following changes:
* Fix the use of fakeroot, faked, and libfakeroot.so if they are not suffixed
by -sysv, as is for instance the case on Gentoo Linux.
* Prevent the use of a --libexecdir or --bindir mconfig option from making
apptainer think it was relocated and so preventing use of suid mode. The
bug was introduced in v1.1.4.
* Add helpful error message for build --remote option.
* Add more helpful error message when no library endpoint found.
* Avoid cleanup errors on exit when mountpoints are busy by doing a lazy
unmount if a regular unmount doesn't work after 10 tries.
* Make messages about using SINGULARITY variables less scary.
OBS-URL: https://build.opensuse.org/request/show/1057746
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=34
- Update to 1.1.4 with the following changes:
* Make the binaries built in the unprivileged apptainer package relocatable.
When moving the binaries to a new location, the /usr at the top of some of
the paths needs to be removed. Relocation is disallowed when the
starter-suid is present, for security reasons.
* Change the warning when an overlay image is not writable, introduced in
v1.1.3, back into a (more informative) fatal error because it doesn't
actually enter the container environment.
* Set the --net flag if --network or --network-args is set rather than
silently ignoring them if --net was not set.
* Do not hang on pull from http(s) source that doesn't provide a content-length.
* Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.
* Remove obsolete pacstrap -d in Arch packer.
* Adjust warning message for deprecated environment variables usage.
* Enable the --security uid:N and --security gid:N options to work when run
in non-suid mode. In non-suid mode they work with any user, not just root.
Unlike with root and suid mode, however, only one gid may be set in
non-suid mode.
- Changes from 1.1.3
* Prefer the fakeroot-sysv command over the fakeroot command because the
latter can be linked to either fakeroot-sysv or fakeroot-tcp, but
fakeroot-sysv is much faster.
* Update the included squashfuse_ll to have -o uid=N and -o gid=N options and
change the corresponding image driver to use them when available. This
makes files inside sif files appear to be owned by the user instead of by
the nobody id 65534 when running in non-setuid mode.
* Fix the locating of shared libraries when running unsquashfs from a non-standard location.
* Properly clean up temporary files if unsquashfs fails.
* Fix the creation of missing bind points when using image binding with underlay.
* Change the error when an overlay image is not writable into a warning that
OBS-URL: https://build.opensuse.org/request/show/1043930
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=30
- Updated to 1.1.2 which fixed CVE-2022-39237
* CVE-2022-39237: The sif dependency included in Apptainer before this
release does not verify that the hash algorithm(s) used are
cryptographically secure when verifying digital signatures. This release
updates to sif v2.8.1 which corrects this issue. See the linked advisory
for references and a workaround. (forwarded request 1008777 from mslacken)
OBS-URL: https://build.opensuse.org/request/show/1008781
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=8
- Updated to version 1.1.0-rc3 with the following changes:
* added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll
which will be removed as soon as the multithread patch is incorporated
* Change squash mounts to prefer to use squashfuse_ll instead of squashfuse,
if available, for improved performance. squashfuse_ll is not available
in factory.
* Also, for even better parallel performance, include a patched
multithreaded version of squashfuse_ll in ${prefix}/libexec/apptainer/bin.
* Imply adding ${prefix}/libexec/apptainer/bin to the binary path in
apptainer.conf, which is used for searching for helper executables. It is
implied as the first directory of $PATH if present (which is at the
beginning of binary path by default) or just as the first directory if
$PATH is not included in binary path.
* Add --unsquash action flag to temporarily convert a SIF file to a sandbox
before running. In previous versions this was the default when running a
SIF file without setuid or with fakeroot, but now the default is to instead
mount with squashfuse.
* Add --sparse flag to overlay create command to allow generation of a sparse
ext3 overlay image.
* Support for a custom hashbang in the %test section of an Apptainer recipe
(akin to the runscript and start sections).
* When using fakeroot in setuid mode, have the image drivers first enter the
container's user namespace to avoid write errors with overlays.
* Skip trying to use kernel overlayfs when using writable overlay and the
lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.
* Add additional hidden options to the action command for testing different
fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command,
and --ignore-userns.
OBS-URL: https://build.opensuse.org/request/show/1003468
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=19
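The binary path rule from the 1.1.0-rc3 entry above (the implied ${prefix}/libexec/apptainer/bin directory placed first within $PATH, or first overall when $PATH is absent from the setting), as an added illustration that is not apptainer's own code. The function names, the colon-separated "binary path" format, and the sample paths are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// expandBinaryPath builds the ordered directory list used to look up helper
// executables (squashfuse_ll, fuse2fs, ...). binaryPath is the colon-separated
// "binary path" setting, which may contain the literal token $PATH; envPath is
// the PATH of the invoking environment. The implied ${prefix}/libexec/apptainer/bin
// becomes the first directory of the expanded $PATH, or first overall if $PATH
// is not listed in the setting at all.
func expandBinaryPath(prefix, binaryPath, envPath string) []string {
	libexecBin := filepath.Join(prefix, "libexec", "apptainer", "bin")
	var dirs []string
	sawPath := false
	for _, d := range strings.Split(binaryPath, ":") {
		switch {
		case d == "":
			continue // skip empty elements such as "a::b" or a trailing ':'
		case d == "$PATH":
			sawPath = true
			dirs = append(dirs, libexecBin) // first directory of $PATH
			for _, e := range strings.Split(envPath, ":") {
				if e != "" {
					dirs = append(dirs, e)
				}
			}
		default:
			dirs = append(dirs, d)
		}
	}
	if !sawPath {
		dirs = append([]string{libexecBin}, dirs...) // first directory overall
	}
	return dirs
}

// findHelper returns the first regular, executable file called name in dirs.
func findHelper(name string, dirs []string) (string, bool) {
	for _, d := range dirs {
		p := filepath.Join(d, name)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0 {
			return p, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: $PATH listed first in the setting, as in the default.
	fmt.Println(expandBinaryPath("/usr", "$PATH:/usr/sbin:/usr/bin", "/opt/bin:/home/u/bin"))
	fmt.Println(findHelper("squashfuse_ll", expandBinaryPath("/usr", "$PATH", os.Getenv("PATH"))))
}
```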
- Updated to version 1.1.0-rc2 with the following changes:
* Fixed longstanding bug in the underlay logic when there are nested bind
points separated by more than one path level, for example /var and
/var/lib/yum, and the path didn't exist in the container image. The bug
only caused an error when there was a directory in the container image that
didn't exist on the host.
* Improved wildcard matching in the %files directive of build definition
files by replacing usage of sh with the mvdan.cc library.
* Replaced checks for compatible filesystem types when using fuse-overlayfs
with an INFO message when an incompatible filesystem type causes it to be
unwritable by a fakeroot user.
* The --nvccli option now works without --fakeroot. In that case the option
can be used with --writable-tmpfs instead of --writable, and
--writable-tmpfs is implied if neither option is given. Note that also
/usr/bin has to be writable by the user, so without --fakeroot that
probably requires a sandbox image that was built with --fix-perms.
* The --nvccli option implies --nv.
* Configure squashfuse to always show files to be owned by the current user.
That's especially important for fakeroot to prevent most of the files from
looking like they are owned by user 65534.
* The fakeroot command can now be used even if $PATH is empty in the
environment of the apptainer command.
* Allow the newuidmap command to be missing if the current user is not listed
in /etc/subuid.
* Require the uidmap package in Debian packaging.
* Improved error handling of unsupported pass protected PEM files with
encrypted containers.
* Ensure bootstrap_history directory is populated with previous definition
files, present in source containers used in a build.
* Add additional options to the build command for testing different fakeroot (forwarded request 998137 from mslacken)
OBS-URL: https://build.opensuse.org/request/show/998138
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=5
- Updated to version 1.1.0-rc2 with the following changes:
* Fixed longstanding bug in the underlay logic when there are nested bind
points separated by more than one path level, for example /var and
/var/lib/yum, and the path didn't exist in the container image. The bug
only caused an error when there was a directory in the container image that
didn't exist on the host.
* Improved wildcard matching in the %files directive of build definition
files by replacing usage of sh with the mvdan.cc library.
* Replaced checks for compatible filesystem types when using fuse-overlayfs
with an INFO message when an incompatible filesystem type causes it to be
unwritable by a fakeroot user.
* The --nvccli option now works without --fakeroot. In that case the option
can be used with --writable-tmpfs instead of --writable, and
--writable-tmpfs is implied if neither option is given. Note that also
/usr/bin has to be writable by the user, so without --fakeroot that
probably requires a sandbox image that was built with --fix-perms.
* The --nvccli option implies --nv.
* Configure squashfuse to always show files to be owned by the current user.
That's especially important for fakeroot to prevent most of the files from
looking like they are owned by user 65534.
* The fakeroot command can now be used even if $PATH is empty in the
environment of the apptainer command.
* Allow the newuidmap command to be missing if the current user is not listed
in /etc/subuid.
* Require the uidmap package in Debian packaging.
* Improved error handling of unsupported pass protected PEM files with
encrypted containers.
* Ensure bootstrap_history directory is populated with previous definition
files, present in source containers used in a build.
* Add additional options to the build command for testing different fakeroot
OBS-URL: https://build.opensuse.org/request/show/998137
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=17
- Updated to version 1.1.0-rc1 which enables apptainer to run without
suid and additional groups. Although this is a prerelease, this is
a major advantage justifying its use.
* Added a squashfuse image driver that enables mounting SIF files without
using setuid-root. Requires the squashfuse command and unprivileged user
namespaces.
* Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
overlay partitions without using setuid-root. Requires the fuse2fs command
and unprivileged user namespaces.
* Added the ability to use persistent overlay (--overlay) and
--writable-tmpfs without using setuid-root. This requires unprivileged user
namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
command. Persistent overlay works when the overlay path points to a regular
filesystem (known as "sandbox" mode, which is not allowed when in setuid
mode), or when it points to an EXT3 image. Does not work with a SIF
partition because that requires privileges to mount as an ext3 image.
* Extended the --fakeroot option to be useful when /etc/subuid and
/etc/subgid mappings have not been set up. If they have not been set up, a
root-mapped unprivileged user namespace (the equivalent of unshare -r)
and/or the fakeroot command from the host will be tried. Together they
emulate the mappings pretty well but they are simpler to administer. This
feature is especially useful with the --overlay and --writable-tmpfs
options and for building containers unprivileged, because they allow
installing packages that assume they're running as root. A limitation on
using it with --overlay and --writable-tmpfs however is that when only the
fakeroot command can be used (because there are no user namespaces
available, in suid mode) then the base image has to be a sandbox. This
feature works nested inside of an apptainer container, where another
apptainer command will also be in the fakeroot environment without
requesting the --fakeroot option again, or it can be used inside an
OBS-URL: https://build.opensuse.org/request/show/993098
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=14
- Update to version 1.0.3:
* Process redirects that can come from sregistry with a library:// URL.
* Fix inspect --deffile and inspect --all to correctly show definition files
in sandbox container images instead of empty output. This has a side effect
of also fixing the storing of definition files in the metadata of sif files
built by Apptainer, because that metadata is constructed by doing inspect
--all.
OBS-URL: https://build.opensuse.org/request/show/988330
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apptainer?expand=0&rev=3
- Update to version 1.0.3:
* Process redirects that can come from sregistry with a library:// URL.
* Fix inspect --deffile and inspect --all to correctly show definition files
in sandbox container images instead of empty output. This has a side effect
of also fixing the storing of definition files in the metadata of sif files
built by Apptainer, because that metadata is constructed by doing inspect
--all.
OBS-URL: https://build.opensuse.org/request/show/988329
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=12
- Updated to v1.0.1 with the following bug fixes
* Don't prompt for y/n to overwrite an existing file when build is called
from a non-interactive environment. Fail with an error.
* Preload NSS libraries prior to mountspace name creation to avoid
circumstances that can cause loading those libraries from the container
image instead of the host, for example in the startup environment.
* Fix race condition where newly created loop devices can sometimes not be opened.
* Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
OBS-URL: https://build.opensuse.org/request/show/962878
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=6