forked from pool/apptainer
Christian Goll
7fca039621
OBS-URL: https://build.opensuse.org/request/show/1099922
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=47

-------------------------------------------------------------------
Wed Jun 14 08:34:27 UTC 2023 - Christian Goll <cgoll@suse.com>

- update to 1.2.0 with the following changes:
  * binary is built reproducibly, which disables plugins
  * Create the current working directory in a container when it doesn't exist.
    This restores behavior as it was before singularity 3.6.0. As a result,
    using --no-mount home won't have any effect when running apptainer from a
    home directory and will require --no-mount home,cwd to avoid mounting that
    directory.
  * Handle current working directory paths containing symlinks both on the host
    and in a container but pointing to different destinations. If detected, the
    current working directory is not mounted when the destination directory in
    the container exists.
  * Destination mount points are now sorted by shortest path first to ensure
    that a user bind doesn't override a previous bind path when set in
    arbitrary order on the CLI. This is also applied to image binds.
  * When the kernel supports unprivileged overlay mounts in a user namespace,
    the container will be constructed by default using an overlay instead of an
    underlay layout for bind mounts. A new --underlay action option can be used
    to prefer underlay instead of overlay.
  * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
    installations. This is an increase from 16 MiB in prior versions.
  * The apptainer cache is now architecture aware, so the same home directory
    cache can be shared by machines with different architectures.
  * Overlay is blocked on the panfs filesystem, allowing sandbox directories to
    be run from panfs without error.
  * Lookup and store user/group information in stage one prior to entering any
    namespaces, to fix an issue with winbind not correctly looking up
    user/group information when using user namespaces.
- New features / functionalities
  * Support for unprivileged encryption of SIF files using gocryptfs. This is
    not compatible with privileged encryption, so containers encrypted by root
    need to be rebuilt by an unprivileged user.
  * Templating support for definition files. Users can now define variables in
    definition files via a matching pair of double curly brackets. Variables of
    the form {{ variable }} will be replaced by a value defined either by a
    variable=value entry in the %arguments section of the definition file or
    through new build options --build-arg or --build-arg-file.
  * Add a new instance run command that will execute the runscript when an
    instance is initiated instead of executing the startscript.
  * The sign and verify commands now support signing and verification with
    non-PGP key material by specifying the path to a private key via the --key
    flag.
  * The verify command now supports verification with X.509 certificates by
    specifying the path to a certificate via the --certificate flag. By
    default, the system root certificate pool is used as trust anchors unless
    overridden via the --certificate-roots flag. A pool of intermediate
    certificates that are not trust anchors, but can be used to form a
    certificate chain, can also be specified via the
    --certificate-intermediates flag.
  * Support for online verification checks of X.509 certificates using OCSP
    protocol via the new verify --ocsp-verify option.
  * The instance stats command displays the resource usage every second. The
    --no-stream option disables this interactive mode and shows the
    point-in-time usage.
  * Instances are now started in a cgroup by default, when run as root or when
    unified cgroups v2 with systemd as manager is configured. This allows
    apptainer instance stats to be supported by default when possible.
  * The instance start command now accepts an optional --app <name> argument
    which invokes a start script within the %appstart <name> section in the
    definition file. The instance stop command still only requires the instance
    name.
  * The instance name is now available inside an instance via the new
    APPTAINER_INSTANCE environment variable.
  * The --no-mount flag now accepts the value bind-paths to disable mounting of
    all bind path entries in apptainer.conf.
  * Support for DOCKER_HOST parsing when using docker-daemon://
  * DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.
  * Add new Linux capabilities CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.
  * The remote get-login-password command allows users to retrieve a remote's
    token. This enables piping the secret directly into docker login while
    preventing it from showing up in a shell's history.
  * Define EUID in %environment alongside UID.
  * In --rocm mode, the whole of /dev/dri is now bound into the container when
    --contain is in use. This makes /dev/dri/render devices available, required
    for later ROCm versions.

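
The three certificate flags in the 1.2.0 entry above layer a signing certificate (--certificate) over a pool of untrusted intermediates (--certificate-intermediates) and a pool of trust anchors (--certificate-roots). The following is an added example, not Apptainer's own code: it reproduces that layering with Go's crypto/x509 on a constructed root -> intermediate -> signer hierarchy, so that the difference between "can appear in the chain" and "is a trust anchor" can be observed. The names BuildTestPKI, VerifyChain and TestPKI, and the requirement for a code-signing EKU on the signer, are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template returns a one-day certificate template: CA templates get BasicConstraints
// CA=true and keyCertSign, the signer gets the code-signing EKU (this example's choice).
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue signs tmpl for pub with key, the parent's private key (parent == tmpl self-signs).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TestPKI is a constructed root -> intermediate -> signer hierarchy; Signer stands in for the --certificate file.
type TestPKI struct {
	Root, Intermediate, Signer *x509.Certificate
}

// BuildTestPKI generates fresh P-256 keys and issues the three certificates.
func BuildTestPKI() (*TestPKI, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootTmpl := template(1, "Example Root CA", true)
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := issue(template(2, "Example Intermediate CA", true), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	signer, err := issue(template(3, "image-signer", false), inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &TestPKI{Root: root, Intermediate: inter, Signer: signer}, nil
}

// VerifyChain mirrors the layering of the verify flags: the signing certificate
// (--certificate) is accepted only if a chain leads to a trust anchor in roots
// (--certificate-roots); intermediates (--certificate-intermediates) may appear in
// the chain but are not trusted on their own.
func VerifyChain(signer *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain error with intermediate pool:", VerifyChain(pki.Signer, []*x509.Certificate{pki.Root}, []*x509.Certificate{pki.Intermediate}))
}
```

Note that a certificate handed to the root pool is a trust anchor whether or not it is self-signed, so an intermediate accidentally passed as --certificate-roots would be trusted outright.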
-------------------------------------------------------------------
Tue Jun 13 14:00:33 UTC 2023 - Christian Goll <cgoll@suse.com>

- update to 1.1.9 with the following changes:
  * Remove warning about unknown xino=on option from fuse-overlayfs, introduced
    in 1.1.8.
  * Ignore extraneous warning from fuse-overlayfs about a readonly /proc.
  * Fix dropped "n" characters on some platforms in definition file stored as
    part of SIF metadata.
  * Remove duplicated group ids.
  * Fix not being able to handle multiple entries in LD_PRELOAD when binding
    fakeroot into container during apptainer startup for --fakeroot with
    fakeroot command.

-------------------------------------------------------------------
Thu Apr 27 12:59:22 UTC 2023 - Christian Goll <cgoll@suse.com>

- Included a fix for CVE-2023-30549, a vulnerability in setuid-root
  installations of Apptainer, which was not active in the recent openSUSE
  packages. Still, this is included for completeness. The fix adds the allow
  setuid-mount configuration options encrypted, squashfs, and extfs, and makes
  the default for extfs be "no". That disables the use of extfs mounts,
  including for overlays or binds, while in the setuid-root mode, while leaving
  it enabled for unprivileged user namespace mode. The default for encrypted
  and squashfs is "yes".
- Other bug fixes:
  * Fix loop device 'no such device or address' spurious errors when using shared
    loop devices.
  * Add xino=on mount option for writable kernel overlay mount points to fix
    inode numbers consistency after kernel cache flush (not applicable to
    fuse-overlayfs).

-------------------------------------------------------------------
Wed Mar 29 08:14:47 UTC 2023 - Christian Goll <cgoll@suse.com>

- updated to 1.1.7 with the following changes:
  * removed simpler-sif-building.patch as this was incorporated upstream
  * Allow gpu options such as --nv to be nested by always inheriting all
    libraries bound in to a parent container's /.singularity.d/libs.
  * Map the user's home directory to the root home directory by default in the
    non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both
    action commands and building containers from definition files.
  * Make the error message more helpful in another place where a remote is
    found to have no library client.
  * Avoid incorrect error when requesting fakeroot network.
  * Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where
    unsquashfs on host uses libraries in non-default paths.

-------------------------------------------------------------------
Fri Feb 24 13:22:57 UTC 2023 - Christian Goll <cgoll@suse.com>

- added simple sif building for SLE systems via suseconnect-container
- added files:
  * simpler-sif-building.patch
  * SLE-12SP5.def
  * leap.def

-------------------------------------------------------------------
Wed Feb 15 09:01:08 UTC 2023 - Christian Goll <cgoll@suse.com>

- update to 1.1.6 with the following changes:
  * Included a fix for CVE-2022-23538 which potentially leaked user credentials
    to a third-party S3 storage service when using the library:// protocol. See
    https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7
    for details.
  * Make PS1 environment variable changeable via %environment section on
    definition file that used to be only changeable via APPTAINERENV_PS1
    outside of container. This makes the container's prompt customizable.
  * Fix the passing of nested bind mounts when there are multiple binds
    separated by commas and some of them have colons separating sources and
    destinations.
  * Hide messages about SINGULARITY variables if corresponding APPTAINER
    variables are defined. Fixes a regression introduced in 1.1.4.
  * Print a warning if extra arguments are given to a shell action, and show in
    the run action usage that arguments may be passed.
  * Check for the existence of the runtime executable prefix, to avoid issues
    when running under Slurm's srun. If it doesn't exist, fall back to the
    compile-time prefix.
  * Increase the timeout on image driver (that is, FUSE) mounts from 2 seconds
    to 10 seconds. Instead, print an INFO message if it takes more than 2
    seconds.
  * If a remote is defined both globally (i.e. system-wide) and individually,
    change apptainer remote commands to print an info message instead of
    exiting with a fatal error and to give precedence to the individual
    configuration.

-------------------------------------------------------------------
Wed Jan 11 10:25:45 UTC 2023 - Christian Goll <cgoll@suse.com>

- Update to 1.1.5 with the following changes:
  * Fix the use of fakeroot, faked, and libfakeroot.so if they are not suffixed
    by -sysv, as is for instance the case on Gentoo Linux.
  * Prevent the use of a --libexecdir or --bindir mconfig option from making
    apptainer think it was relocated and so preventing use of suid mode. The
    bug was introduced in v1.1.4.
  * Add helpful error message for build --remote option.
  * Add more helpful error message when no library endpoint found.
  * Avoid cleanup errors on exit when mountpoints are busy by doing a lazy
    unmount if a regular unmount doesn't work after 10 tries.
  * Make messages about using SINGULARITY variables less scary.

-------------------------------------------------------------------
Wed Dec 21 13:17:54 UTC 2022 - Christian Goll <cgoll@suse.com>

- moved run dir from /var/lib/apptainer to /var/apptainer to be closer
  to upstream

-------------------------------------------------------------------
Tue Dec 20 14:14:43 UTC 2022 - Christian Goll <cgoll@suse.com>

- Update to 1.1.4 with the following changes:
  * Make the binaries built in the unprivileged apptainer package relocatable.
    When moving the binaries to a new location, the /usr at the top of some of
    the paths needs to be removed. Relocation is disallowed when the
    starter-suid is present, for security reasons.
  * Change the warning when an overlay image is not writable, introduced in
    v1.1.3, back into a (more informative) fatal error because it doesn't
    actually enter the container environment.
  * Set the --net flag if --network or --network-args is set rather than
    silently ignoring them if --net was not set.
  * Do not hang on pull from http(s) source that doesn't provide a content-length.
  * Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.
  * Remove obsolete pacstrap -d in Arch packer.
  * Adjust warning message for deprecated environment variables usage.
  * Enable the --security uid:N and --security gid:N options to work when run
    in non-suid mode. In non-suid mode they work with any user, not just root.
    Unlike with root and suid mode, however, only one gid may be set in
    non-suid mode.
- Changes from 1.1.3
  * Prefer the fakeroot-sysv command over the fakeroot command because the
    latter can be linked to either fakeroot-sysv or fakeroot-tcp, but
    fakeroot-sysv is much faster.
  * Update the included squashfuse_ll to have -o uid=N and -o gid=N options and
    changed the corresponding image driver to use them when available. This
    makes files inside sif files appear to be owned by the user instead of by
    the nobody id 65534 when running in non-setuid mode.
  * Fix the locating of shared libraries when running unsquashfs from a non-standard location.
  * Properly clean up temporary files if unsquashfs fails.
  * Fix the creation of missing bind points when using image binding with underlay.
  * Change the error when an overlay image is not writable into a warning that
    suggests adding :ro to make it read only or using --fakeroot.
  * Avoid permission denied errors during unprivileged builds without
    /etc/subuid-based fakeroot when /var/lib/containers/sigstore is readable
    only by root.
  * Avoid failures with --writable-tmpfs in non-setuid mode when using
    fuse-overlayfs versions 1.8 or greater by adding the fuse-overlayfs noacl
    mount option to disable support for POSIX Access Control Lists.
  * Fix the --rocm flag in combination with -c / -C by forwarding all
    /dri/render* devices into the container.

-------------------------------------------------------------------
Fri Oct 28 08:54:51 UTC 2022 - Egbert Eich <eich@suse.com>

- Add Provides: and Obsoletes: to attempt to mark this as a possible
  replacement for the original singularity package which has been
  discontinued.

-------------------------------------------------------------------
Tue Oct 11 08:19:01 UTC 2022 - Christian Goll <cgoll@suse.com>

- previous versions did not build squashfuse_ll, fixed this

-------------------------------------------------------------------
Fri Oct 7 12:42:57 UTC 2022 - Christian Goll <cgoll@suse.com>

- Updated to 1.1.2 which fixed CVE-2022-39237
  * CVE-2022-39237: The sif dependency included in Apptainer before this
    release does not verify that the hash algorithm(s) used are
    cryptographically secure when verifying digital signatures. This release
    updates to sif v2.8.1 which corrects this issue. See the linked advisory
    for references and a workaround.

-------------------------------------------------------------------
Wed Sep 28 09:07:18 UTC 2022 - Christian Goll <cgoll@suse.com>

- updated to version 1.1.0 without changes to rc3

-------------------------------------------------------------------
Fri Sep 9 08:50:33 UTC 2022 - Christian Goll <cgoll@suse.com>

- Updated to version 1.1.0-rc3 with the following changes:
  * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll
    which will be removed as soon as the multithread patch is incorporated
  * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse,
    if available, for improved performance. squashfuse_ll is not available
    in factory.
  * Also, for even better parallel performance, include a patched
    multithreaded version of squashfuse_ll in
    ${prefix}/libexec/apptainer/bin.
  * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in
    apptainer.conf, which is used for searching for helper executables. It is
    implied as the first directory of $PATH if present (which is at the
    beginning of binary path by default) or just as the first directory if
    $PATH is not included in binary path.
  * Add --unsquash action flag to temporarily convert a SIF file to a sandbox
    before running. In previous versions this was the default when running a
    SIF file without setuid or with fakeroot, but now the default is to instead
    mount with squashfuse.
  * Add --sparse flag to overlay create command to allow generation of a sparse
    ext3 overlay image.
  * Support for a custom hashbang in the %test section of an Apptainer recipe
    (akin to the runscript and start sections).
  * When using fakeroot in setuid mode, have the image drivers first enter
    the container's user namespace to avoid write errors with overlays.
  * Skip trying to use kernel overlayfs when using writable overlay and the
    lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.
  * Add additional hidden options to the action command for testing different
    fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command,
    and --ignore-userns.

-------------------------------------------------------------------
Fri Aug 19 10:07:20 UTC 2022 - Christian Goll <cgoll@suse.com>

- Updated to version 1.1.0-rc2 with the following changes:
  * Fixed longstanding bug in the underlay logic when there are nested bind
    points separated by more than one path level, for example /var and
    /var/lib/yum, and the path didn't exist in the container image. The bug
    only caused an error when there was a directory in the container image that
    didn't exist on the host.
  * Improved wildcard matching in the %files directive of build definition
    files by replacing usage of sh with the mvdan.cc library.
  * Replaced checks for compatible filesystem types when using fuse-overlayfs
    with an INFO message when an incompatible filesystem type causes it to be
    unwritable by a fakeroot user.
  * The --nvccli option now works without --fakeroot. In that case the option
    can be used with --writable-tmpfs instead of --writable, and
    --writable-tmpfs is implied if neither option is given. Note that also
    /usr/bin has to be writable by the user, so without --fakeroot that
    probably requires a sandbox image that was built with --fix-perms.
  * The --nvccli option implies --nv.
  * Configure squashfuse to always show files to be owned by the current user.
    That's especially important for fakeroot to prevent most of the files from
    looking like they are owned by user 65534.
  * The fakeroot command can now be used even if $PATH is empty in the
    environment of the apptainer command.
  * Allow the newuidmap command to be missing if the current user is not listed
    in /etc/subuid.
  * Require the uidmap package in Debian packaging.
  * Improved error handling of unsupported pass protected PEM files with
    encrypted containers.
  * Ensure bootstrap_history directory is populated with previous definition
    files, present in source containers used in a build.
  * Add additional options to the build command for testing different fakeroot
    modes: --userns like the action flag and hidden options --ignore-subuid,
    --ignore-fakeroot-command, and --ignore-userns.
  * Require root user early when building an encrypted container.
- removed upstream incorporated patch fix-32bit-compilation.patch

-------------------------------------------------------------------
Thu Aug 4 12:31:33 UTC 2022 - Christian Goll <cgoll@suse.com>

- Updated to version 1.1.0-rc1 which enables apptainer to run without
  suid and additional groups. Although this is a prerelease this is
  a major advantage justifying its use.
  * Added a squashfuse image driver that enables mounting SIF files without
    using setuid-root. Requires the squashfuse command and unprivileged user
    namespaces.
  * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
    overlay partitions without using setuid-root. Requires the fuse2fs command
    and unprivileged user namespaces.
  * Added the ability to use persistent overlay (--overlay) and
    --writable-tmpfs without using setuid-root. This requires unprivileged user
    namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
    command. Persistent overlay works when the overlay path points to a regular
    filesystem (known as "sandbox" mode, which is not allowed when in setuid
    mode), or when it points to an EXT3 image. Does not work with a SIF
    partition because that requires privileges to mount as an ext3 image.
  * Extended the --fakeroot option to be useful when /etc/subuid and
    /etc/subgid mappings have not been set up. If they have not been set up, a
    root-mapped unprivileged user namespace (the equivalent of unshare -r)
    and/or the fakeroot command from the host will be tried. Together they
    emulate the mappings pretty well but they are simpler to administer. This
    feature is especially useful with the --overlay and --writable-tmpfs
    options and for building containers unprivileged, because they allow
    installing packages that assume they're running as root. A limitation on
    using it with --overlay and --writable-tmpfs however is that when only the
    fakeroot command can be used (because there are no user namespaces
    available, in suid mode) then the base image has to be a sandbox. This
    feature works nested inside of an apptainer container, where another
    apptainer command will also be in the fakeroot environment without
    requesting the --fakeroot option again, or it can be used inside an
    apptainer container that was not started with --fakeroot. However, the
    fakeroot command uses LD_PRELOAD and so needs to be bound into the
    container which requires a compatible libc. For that reason it doesn't work
    when the host and container operating systems are of very different
    vintages. If that's a problem and you want to use only an unprivileged
    root-mapped namespace even when the fakeroot command is installed, just run
    apptainer with unshare -r.
  * Made the --fakeroot option be implied when an unprivileged user builds a
    container from a definition file. When /etc/subuid and /etc/subgid mappings
    are not available, all scriptlets are run in a root-mapped unprivileged
    namespace (when possible) and the %post scriptlet is additionally run with
    the fakeroot command. When unprivileged user namespaces are not available,
    such that only the fakeroot command can be used, the --fix-perms option is
    implied to allow writing into directories.
  * Added a --fakeroot option to the apptainer overlay create command to make
    an overlay EXT3 image file that works with the fakeroot that comes from
    unprivileged root-mapped namespaces. This is not needed with the fakeroot
    that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes
    with only the fakeroot command in suid flow.
  * $HOME is now used to find the user's configuration and cache by default. If
    that is not set it will fall back to the previous behavior of looking up
    the home directory in the password file. The value of $HOME inside the
    container still defaults to the home directory in the password file and can
    still be overridden by the --home option.
  * When starting a container, if the user has specified the cwd by using the
    --pwd flag, if there is a problem an error is returned instead of
    defaulting to a different directory.
  * Nesting of bind mounts now works even when a --bind option specified a
    different source and destination with a colon between them. Now the
    APPTAINER_BIND environment variable makes sure the bind source is from the
    bind destination so it will be successfully re-bound into a nested apptainer
    container.
  * The warning about more than 50 bind mounts required for an underlay bind
    has been changed to an info message.
  * oci mount sets Process.Terminal: true when creating an OCI config.json, so
    that oci run provides expected interactive behavior by default.
  * The default hostname for oci mount containers is now apptainer instead of mrsdalloway.
  * systemd is now supported and used as the default cgroups manager. Set
    systemd cgroups = no in apptainer.conf to manage cgroups directly via the
    cgroupfs.
  * Added a new action flag --no-eval which:
    + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file
      environment variables as they are injected in the container, to match
      OCI behavior. Applies to all containers.
    + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command
      line arguments for containers run or built directly from an OCI/Docker
      source. Applies to newly built containers only, use apptainer inspect
      to check version that container was built with.
  * Added --no-eval to the list of flags set by the OCI/Docker --compat mode.
  * sinit process has been renamed to appinit.
  * Added --keysdir to key command to provide an alternative way of setting
    local keyring path. The existing reading of the keyring path from
    environment variable 'APPTAINER_KEYSDIR' is untouched.
  * apptainer key push will output the key server's response if included in
    order to help guide users through any identity verification the server may
    require.
  * ECL no longer requires verification for all signatures, but only when
    signature verification would alter the expected behavior of the list:
    + At least one matching signature included in a whitelist must be
      validated, but other unvalidated signatures do not cause ECL to fail.
    + All matching signatures included in a whitestrict must be validated,
      but unvalidated signatures not in the whitestrict do not cause ECL to
      fail.
    + Signature verification is not checked for a blacklist; unvalidated
      signatures can still block execution via ECL, and unvalidated
      signatures not in the blacklist do not cause ECL to fail.
- New features / functionalities
  * Non-root users can now use --apply-cgroups with run/shell/exec to limit
    container resource usage on a system using cgroups v2 and the systemd
    cgroups manager.
  * Native cgroups v2 resource limits can be specified using the [unified] key
    in a cgroups toml file applied via --apply-cgroups.
  * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups
    resource limits to a container directly.
  * Added instance stats command.
  * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable
    a bind path entry from apptainer.conf by specifying the absolute path to
    the destination of the bind.
  * Apptainer now supports the riscv64 architecture.
  * remote add --insecure may now be used to configure endpoints that are only
    accessible via http. Alternatively the environment variable
    APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added
    without the --insecure flag. Specifying https in the remote URI overrules
    both --insecure and APPTAINER_ADD_INSECURE.
  * Gpu flags --nv and --rocm can now be used from an apptainer nested inside
    another apptainer container.
  * Added --public, --secret, and --both flags to the key remove command to
    support removing secret keys from the apptainer keyring.
  * Debug output can now be enabled by setting the APPTAINER_DEBUG env var.
  * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs
    image extraction, and build stages.
- Bug fixes
  * Remove warning message about SINGULARITY and APPTAINER variables having
    different values when the SINGULARITY variable is not set.
  * Add specific error for unreadable image / overlay file.
  * Pass through a literal \n in host environment variables to the container.
  * Fix loop device creation with loop-control when running inside docker containers.
  * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag.
- File changes
  * Removed useful_error_message.patch as not needed any more
  * Added fix-32bit-compilation.patch from upstream

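
The three ECL rules in the 1.1.0-rc1 entry above decide when an unvalidated signature matters for each list mode. The following is an added example, not Apptainer's ECL implementation: it encodes those rules in Go and evaluates them over a constructed set of signatures. The base list semantics (whitelist: at least one listed key signed; whitestrict: every listed key signed; blacklist: no listed key signed) are taken from Apptainer's ECL documentation rather than this changelog, and the type and function names are this example's own.

```go
package main

import "fmt"

// Signature is one signature found on an image: the fingerprint of the key
// that produced it and whether cryptographic verification of it succeeded
// (a signature whose key is not in the keyring cannot be validated).
type Signature struct {
	Fingerprint string
	Verified    bool
}

// ListMode is the ECL group mode.
type ListMode int

const (
	Whitelist   ListMode = iota // at least one listed key must have signed
	Whitestrict                 // every listed key must have signed
	Blacklist                   // no listed key may have signed
)

// Group is one ECL entry: a mode and the key fingerprints it applies to
// (the dirpath scoping of real ECL entries is left out of this example).
type Group struct {
	Mode         ListMode
	Fingerprints []string
}

func (g Group) listed(fp string) bool {
	for _, f := range g.Fingerprints {
		if f == fp {
			return true
		}
	}
	return false
}

// Evaluate applies the relaxed rules from 1.1.0-rc1: signature verification
// is consulted only where it would alter the outcome of the list.
func Evaluate(g Group, sigs []Signature) (bool, string) {
	switch g.Mode {
	case Whitelist:
		// One validated signature from a listed key suffices; unvalidated
		// signatures, listed or not, are ignored.
		for _, s := range sigs {
			if g.listed(s.Fingerprint) && s.Verified {
				return true, "validated signature from whitelisted key " + s.Fingerprint
			}
		}
		return false, "no validated signature from a whitelisted key"
	case Whitestrict:
		// Every listed key must have signed and every signature from a listed
		// key must validate; signatures from unlisted keys are ignored.
		seen := map[string]bool{}
		for _, s := range sigs {
			if !g.listed(s.Fingerprint) {
				continue
			}
			if !s.Verified {
				return false, "unvalidated signature from whitestrict key " + s.Fingerprint
			}
			seen[s.Fingerprint] = true
		}
		for _, f := range g.Fingerprints {
			if !seen[f] {
				return false, "missing signature from whitestrict key " + f
			}
		}
		return true, "all whitestrict keys signed and validated"
	case Blacklist:
		// Verification is not consulted: any signature claiming a blacklisted
		// key blocks execution, validated or not.
		for _, s := range sigs {
			if g.listed(s.Fingerprint) {
				return false, "signature from blacklisted key " + s.Fingerprint
			}
		}
		return true, "no signature from a blacklisted key"
	}
	return false, fmt.Sprintf("unknown list mode %d", g.Mode)
}

func main() {
	// Constructed sample: key A is listed and validates, key X is unknown and
	// its signature does not validate. Before rc1 the unvalidated X would
	// have failed the whole check; now the whitelist is satisfied by A.
	sigs := []Signature{{"A", true}, {"X", false}}
	ok, why := Evaluate(Group{Whitelist, []string{"A"}}, sigs)
	fmt.Println(ok, why)
}
```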
-------------------------------------------------------------------
Mon Jul 11 09:38:45 UTC 2022 - Christian Goll <cgoll@suse.com>

- Update to version 1.0.3:
  * Process redirects that can come from sregistry with a library:// URL.
  * Fix inspect --deffile and inspect --all to correctly show definition files
    in sandbox container images instead of empty output. This has a side effect
    of also fixing the storing of definition files in the metadata of sif files
    built by Apptainer, because that metadata is constructed by doing inspect
    --all.

-------------------------------------------------------------------
Wed May 18 12:07:59 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>

- Update to version 1.0.2:
  + Fixed `FATAL` error thrown by user configuration migration code
    that caused users with inaccessible home directories to be
    unable to use `apptainer` commands.
  + Do not truncate environment variables with commas.
  + Use HEAD request when checking digest of remote OCI image
    sources, with GET as a fall-back. Greatly reduces Apptainer's
    impact on Docker Hub API limits.

-------------------------------------------------------------------
Fri Mar 18 16:02:59 UTC 2022 - Christian Goll <cgoll@suse.com>

- Updated to v1.0.1 with the following bug fixes
  * Don't prompt for y/n to overwrite an existing file when build is called
    from a non-interactive environment. Fail with an error.
  * Preload NSS libraries prior to mountspace name creation to avoid
    circumstances that can cause loading those libraries from the container
    image instead of the host, for example in the startup environment.
  * Fix race condition where newly created loop devices can sometimes not be opened.
  * Support nvidia-container-cli v1.8.0 and above, via fix to capability set.

-------------------------------------------------------------------
|
|
Thu Feb 17 15:29:45 UTC 2022 - Christian Goll <cgoll@suse.com>
|
|
|
|
- Updated to v1.0.0-rc1 changes to singularity 3.9.5 are
|
|
* The primary executable has been changed from singularity to apptainer.
|
|
However, a singularity command symlink alias has been created pointing to
|
|
the apptainer command. The contents of containers are unchanged and
|
|
continue to use the singularity name for startup scripts, etc.
|
|
* The per-user configuration directory has changed from ~/.singularity to
|
|
~/.apptainer. The first time the apptainer command accesses the user
|
|
configuration directory, relevant configuration is automatically imported
|
|
from the old directory to the new one.
|
|
* Environment variables have all been changed to have an APPTAINER prefix
|
|
instead of a SINGULARITY prefix. However, SINGULARITY prefix variables are
|
|
still recognized. If only a SINGULARITY prefix variable exists, a warning
|
|
will be printed about deprecated usage and then the value will be used. If
|
|
both prefixes exist and the value is the same, no warning is printed; this
|
|
is the recommended method to set environment variables for those who need
|
|
to support both apptainer and singularity. If both prefixes exist for the
|
|
same variable and the value is different then a warning is also printed.
|
|
* The default SylabsCloud remote endpoint has been removed and replaced by
|
|
one called DefaultRemote which has no defined server for the library://
|
|
URI. System administrators may restore the old default if they wish by
|
|
adding it to /etc/apptainer/remote.yaml with a URI of cloud.sylabs.io and
|
|
setting it there as the Active remote, or users can add it to their own
|
|
configuration with the commands apptainer remote add SylabsCloud
|
|
cloud.sylabs.io and apptainer remote use SylabsCloud.
|
|
* The DefaultRemote's key server is https://keys.openpgp.org instead of the
|
|
Sylabs key server
|
|
* The apptainer build --remote option has been removed because there is no
|
|
standard protocol or non-commercial service that supports it.
|
|
- New Features:
|
|
* Honor image binds and user binds in the order they're given instead of
|
|
always doing image binds first.
|
|
* Experimental support for checkpointing of instances using DMTCP has been
|
|
added. Additional flags --dmtcp-launch and --dmtcp-restart has been added
|
|
to the apptainer instance start command, and a checkpoint command group has
|
|
been added to manage the checkpoint state. A new
|
|
/etc/apptainer/dmtcp-conf.yaml configuration file is also added.
|
|
Limitations are that it can only work with dynamically linked applications
|
|
and the container has to be based on glibc.
|
|
* --writable-tmpfs can be used with apptainer build to run the %test section
|
|
of the build with a ephemeral tmpfs overlay, permitting tests that write to
|
|
the container filesystem.
|
|
* The --compat flag for actions is a new short-hand to enable a number of
|
|
options that increase OCI/Docker compatibility. Infers --containall,
|
|
--no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network
|
|
namespaces as these may not be supported on many installations.
|
|
* The experimental --nvccli flag will use nvidia-container-cli to setup the
|
|
container for Nvidia GPU operation. Apptainer will not bind GPU libraries
|
|
itself. Environment variables that are used with Nvidia's docker-nvidia
|
|
runtime to configure GPU visibility / driver capabilities & requirements
|
|
are parsed by the --nvccli flag from the environment of the calling user.
|
|
By default, the compute and utility GPU capabilities are configured. The
|
|
use nvidia-container-cli option in apptainer.conf can be set to yes to
|
|
always use nvidia-container-cli when supported. --nvccli is not supported
|
|
in the setuid workflow, and it requires being used in combination with
|
|
--writable in user namespace mode. Please see documentation for more
|
|
details.
|
|
* The --apply-cgroups flag can be used to apply cgroups resource and device
|
|
restrictions on a system using the v2 unified cgroups hierarchy. The
|
|
resource restrictions must still be specified in the v1 / OCI format, which
|
|
will be translated into v2 cgroups resource restrictions, and eBPF device
|
|
restrictions.
|
|
* A new --mount flag and APPTAINER_MOUNT environment variable can be used to
|
|
specify bind mounts in
|
|
type=bind,source=<src>,destination=<dst>[,options...] format. This improves
|
|
CLI compatibility with other runtimes, and allows binding paths containing
|
|
: and , characters (using CSV style escaping).
|
|
* Perform concurrent multi-part downloads for library:// URIs. Uses 3
|
|
concurrent downloads by default, and is configurable in apptainer.conf or
|
|
via environment variables.
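Two behaviours in the entry above are precise enough to check with a small program: the APPTAINER_/SINGULARITY_ prefix precedence (which value is used, and when a warning is printed) and the type=bind,source=<src>,destination=<dst>[,options...] syntax of --mount with CSV style escaping. The Go code below is an added illustration written for this changelog, not Apptainer's own implementation; ResolveEnv, ParseMountSpec and the constructed environment in main are hypothetical names and data, and picking the APPTAINER_ value when both prefixes disagree is an assumption, since the entry only says that a warning is printed in that case.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"strings"
)

// lookupFunc abstracts os.LookupEnv so the precedence rules can be run
// against a constructed environment instead of the real process environment.
type lookupFunc func(key string) (string, bool)

// EnvResolution is the outcome of resolving one variable across both prefixes.
type EnvResolution struct {
	Value   string
	Found   bool
	Warning string // empty when no warning would be printed
}

// ResolveEnv applies the rules from the 1.0.0-rc1 entry (hypothetical helper):
//   - only APPTAINER_X set:            use it, no warning
//   - only SINGULARITY_X set:          use it, deprecation warning
//   - both set, same value:            use it, no warning
//   - both set, different values:      warning; preferring APPTAINER_X here
//     is an assumption, the entry does not say which value wins
func ResolveEnv(name string, lookup lookupFunc) EnvResolution {
	newKey, oldKey := "APPTAINER_"+name, "SINGULARITY_"+name
	newVal, newOK := lookup(newKey)
	oldVal, oldOK := lookup(oldKey)
	switch {
	case newOK && oldOK && newVal == oldVal:
		return EnvResolution{Value: newVal, Found: true}
	case newOK && oldOK:
		return EnvResolution{Value: newVal, Found: true,
			Warning: fmt.Sprintf("%s and %s are both set with different values; using %s", newKey, oldKey, newKey)}
	case newOK:
		return EnvResolution{Value: newVal, Found: true}
	case oldOK:
		return EnvResolution{Value: oldVal, Found: true,
			Warning: fmt.Sprintf("%s is deprecated, use %s instead", oldKey, newKey)}
	}
	return EnvResolution{}
}

// MountSpec is one parsed --mount argument.
type MountSpec struct {
	Type, Source, Destination string
	Options                   []string
}

// ParseMountSpec parses type=bind,source=<src>,destination=<dst>[,options...].
// The argument is read as a single CSV record, so a field whose value contains
// a comma is written wrapped in double quotes ("source=/a,b"); a colon needs no
// escaping because it is not a separator in this format, unlike in --bind.
func ParseMountSpec(spec string) (MountSpec, error) {
	fields, err := csv.NewReader(strings.NewReader(spec)).Read()
	if err != nil {
		return MountSpec{}, fmt.Errorf("invalid --mount %q: %w", spec, err)
	}
	var m MountSpec
	for _, f := range fields {
		key, val, _ := strings.Cut(f, "=")
		switch key {
		case "type":
			m.Type = val
		case "source":
			m.Source = val
		case "destination":
			m.Destination = val
		default:
			m.Options = append(m.Options, f) // e.g. ro, or key=value options
		}
	}
	switch {
	case m.Type != "bind":
		return MountSpec{}, errors.New("only type=bind is supported")
	case m.Source == "" || m.Destination == "":
		return MountSpec{}, errors.New("source and destination are required")
	}
	return m, nil
}

func main() {
	// Constructed environment for the demonstration, not the real one.
	env := map[string]string{
		"SINGULARITY_CACHEDIR": "/scratch/cache",
		"APPTAINER_BINDPATH":   "/data",
		"SINGULARITY_BINDPATH": "/data-old",
		"APPTAINER_TMPDIR":     "/tmp/a",
		"SINGULARITY_TMPDIR":   "/tmp/a",
	}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	for _, name := range []string{"CACHEDIR", "BINDPATH", "TMPDIR", "UNSET"} {
		fmt.Printf("%-9s %+v\n", name, ResolveEnv(name, lookup))
	}
	m, err := ParseMountSpec(`type=bind,"source=/data/with,comma",destination=/mnt/a:b,ro`)
	fmt.Printf("%+v err=%v\n", m, err)
}
```

The quoting rule is the part worth remembering when writing job scripts: the quotes must wrap the whole key=value field, as in the main function above, because the CSV reader only honours a quote that opens a field.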

-------------------------------------------------------------------
Wed Dec 15 08:38:57 UTC 2021 - Christian Goll <cgoll@suse.com>

- Explicit dependency on go1.16.12 or go1.17.5 which fix
  (CVE-2021-44717) and (CVE-2021-44716) that may affect singularity

-------------------------------------------------------------------
Mon Dec 13 12:55:47 UTC 2021 - Christian Goll <cgoll@suse.com>

- initial commit of apptainer which is a singularity fork