- When building RPM, we will now use `/var/lib/singularity` (rather than `/var/singularity`) to store local state files.
- `--cwd` is now the preferred form of the flag for setting the container's working directory, though `--pwd` is still supported for compatibility.
- The way `--home` is handled when running as root (e.g. `sudo singularity`) or with `--fakeroot` has changed. Previously, we were only modifying the `HOME` environment variable in these cases, while leaving the container's `/etc/passwd` file unchanged (with its homedir field pointing to `/root`, regardless of the value passed to `--home`). With this change, both the value of `HOME` and the contents of `/etc/passwd` in the container will reflect the value passed to `--home`.
- Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the `SINGULARITY_BIND` environment variable. (Previously, image-mounts were always performed first, regardless of order.)
- Added `--secret` flag (shorthand: `-s`) to `key remove` subcommand, to allow removal of a private key by fingerprint.
- Added `--private` as a synonym for `--secret` in `key list`, `key export`, and `key remove` subcommands.
- Added `remote get-login-password` subcommand that allows the user to retrieve a CLI token to interact with the OCI registry of a Singularity Enterprise instance.
- Added `--device` flag to "action" commands (`run`/`exec`/`shell`) when run in OCI mode (`--oci`). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
- Added `--cdi-dirs` flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with `--fakeroot`, for example).
- The `remote status` command will now print the username, realname, and email of the logged-in user, if available.
- OCI-mode now supports the `--overlay <arg>` flag. `<arg>` can be the path to a writable directory or writable extfs image, in which case changes to the filesystem will persist across runs of the OCI container. Alternatively, `--overlay <arg>:ro` can be used, where `<arg>` is the path to a directory, to a squashfs image, or to an extfs image, to be mounted as a read-only overlay. Multiple overlays can be specified, but all but one must be read-only.
- The `tap` CNI plugin, new to github.com/containernetworking/plugins v1.3.0, is now provided.
- OCI-mode now supports the `--workdir <workdir>` option. If this option is specified, `/tmp` and `/var/tmp` will be mapped, respectively, to `<workdir>/tmp` and `<workdir>/var_tmp` on the host, rather than to tmpfs storage. If `--scratch <scratchdir>` is used in conjunction with `--workdir`, scratch directories will be mapped to subdirectories nested under `<workdir>/scratch` on the host, rather than to tmpfs storage.
- Added ability to set a custom config directory via the new `SINGULARITY_CONFIGDIR` environment variable.
- If the kernel does not support unprivileged overlays, OCI-mode will attempt to use `fuse-overlayfs` and `fusermount` for overlay mounting and unmounting.
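The `--overlay` rules above (a writable overlay must be a directory or an extfs image, a squashfs image only with `:ro`, and at most one writable overlay) can be checked before any mount is attempted. As an added example that is not SingularityCE code, this Go program detects the kind of each path from its on-disk magic numbers and enforces those rules; the image files it writes are constructed fixtures, not real filesystems.

```go
package main

// Added example, not SingularityCE code: resolve OCI-mode --overlay arguments
// against the rules in the changelog entry: a writable overlay must be a
// directory or an extfs image, a squashfs image can only be used with :ro, and
// all but one overlay must be read-only. Kinds come from magic numbers, not names.

import (
	"encoding/binary"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Overlay is one resolved --overlay argument; Kind is "dir", "squashfs" or "extfs".
type Overlay struct {
	Path     string
	Kind     string
	ReadOnly bool
}

// detectKind classifies a path: a directory, a squashfs image ("hsqs" magic at
// offset 0) or an extfs image (0xEF53 little-endian at offset 1080, i.e.
// superblock offset 1024 + s_magic offset 56).
func detectKind(path string) (string, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", fmt.Errorf("overlay %q: %w", path, err)
	}
	if fi.IsDir() {
		return "dir", nil
	}
	f, err := os.Open(path)
	if err != nil {
		return "", fmt.Errorf("overlay %q: %w", path, err)
	}
	defer f.Close()
	var sq [4]byte
	if _, err := f.ReadAt(sq[:], 0); err == nil && string(sq[:]) == "hsqs" {
		return "squashfs", nil
	}
	var ext [2]byte
	if _, err := f.ReadAt(ext[:], 1080); err == nil && binary.LittleEndian.Uint16(ext[:]) == 0xEF53 {
		return "extfs", nil
	}
	return "", fmt.Errorf("overlay %q: not a directory, squashfs image or extfs image", path)
}

// ResolveOverlays validates every --overlay argument ("<arg>" or "<arg>:ro")
// and returns the resolved set, or an error for the first rule that is violated.
func ResolveOverlays(args []string) ([]Overlay, error) {
	var out []Overlay
	writable := 0
	for _, arg := range args {
		ro := strings.HasSuffix(arg, ":ro")
		path := strings.TrimSuffix(arg, ":ro")
		kind, err := detectKind(path)
		if err != nil {
			return nil, err
		}
		if kind == "squashfs" && !ro {
			return nil, fmt.Errorf("overlay %q: squashfs images are read-only, use %s:ro", path, path)
		}
		if !ro {
			writable++
		}
		out = append(out, Overlay{Path: path, Kind: kind, ReadOnly: ro})
	}
	if writable > 1 {
		return nil, fmt.Errorf("%d writable overlays requested: all but one must be read-only", writable)
	}
	return out, nil
}

// WriteFakeImage writes a constructed file of the given size carrying magic
// bytes at offset; it exists only to exercise detectKind offline.
func WriteFakeImage(path string, magic []byte, offset, size int64) error {
	buf := make([]byte, size)
	copy(buf[offset:], magic)
	return os.WriteFile(path, buf, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "overlay-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sq, ext := filepath.Join(dir, "rootfs.sqfs"), filepath.Join(dir, "rw.img")
	_ = WriteFakeImage(sq, []byte("hsqs"), 0, 4096)
	_ = WriteFakeImage(ext, []byte{0x53, 0xEF}, 1080, 4096)
	fmt.Println(ResolveOverlays([]string{ext, sq + ":ro", dir + ":ro"})) // accepted
	fmt.Println(ResolveOverlays([]string{sq}))                           // squashfs must be :ro
	fmt.Println(ResolveOverlays([]string{ext, dir}))                     // two writable overlays
}
```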
- Fix interaction between `--workdir` when given a relative path and `--scratch`.
- Fix dropped "n" characters on some platforms in definition file stored as part of SIF metadata.
- Pass STDIN to `--oci` containers correctly, to fix piping input to a container.
- Fix compilation on 32-bit systems.
- `--oci` mode now provides a writable container by default, using a tmpfs overlay. This improves parity with `--compat` mode in the native runtime, as `--compat` enables `--writable-tmpfs`.
- Ensure the `allow kernel squashfs` directive in `singularity.conf` applies to encrypted squashfs filesystems in a SIF.
- OCI mode now supports `--hostname` (requires UTS namespace, therefore this flag will infer `--uts`).
- OCI mode now supports `--scratch` (shorthand: `-S`) to mount a tmpfs scratch directory in the container.
- Support `--pwd` in OCI mode.
- OCI mode now supports `--home`. Supplying a single location (e.g. `--home /myhomedir`) will result in a new tmpfs directory being created at the specified location inside the container, and that dir being set as the in-container user's home dir. Supplying two locations separated by a colon (e.g. `--home /home/user:/myhomedir`) will result in the first location on the host being bind-mounted as the second location in-container, and set as the in-container user's home dir.
- OCI mode now handles `--dns` and `resolv.conf` on par with native mode: the `--dns` flag can be used to pass a comma-separated list of DNS servers that will be used in the container; if this flag is not used, the container will use the same `resolv.conf` settings as the host.
- Added `allow kernel squashfs` directive to `singularity.conf`. Defaults to `yes`. When set to `no`, Singularity will not mount squashfs filesystems using the kernel squashfs driver.
- Added `allow kernel extfs` directive to `singularity.conf`. Defaults to `yes`. When set to `no`, Singularity will not mount extfs filesystems using the kernel extfs driver.
- Require `runc` in RPM packages built on SLES, not `crun`, because `crun` is part of the Package Hub community repository that may not be enabled. SingularityCE will still prefer `crun` if it has been installed.
- Use `/dev/loop-control` for loop device creation, to avoid issues with recent kernel patch where `max_loop` is not set.
- Always request inner userns in `--oci` mode without `--fakeroot`, so that inner id mapping is applied correctly.
- Use correct target uid/gid for inner id mappings in `--oci` mode.
- Avoid `runc` cgroup creation error when using `--oci` from a root-owned cgroup (e.g. ssh login session scope).
- Pass host's `TERM` environment variable to container in OCI mode. Can be overridden by setting `SINGULARITYENV_TERM` on host.
- Honour `config passwd` and `config group` directives from `singularity.conf` in `--oci` mode.
- Honour `mount proc` / `mount sys` / `mount tmp` / `mount home` directives from `singularity.conf` in `--oci` mode.
- Corrected `singularity.conf` comment, to refer to correct file as source of default capabilities when `root default capabilities = file`.
- Add `setopt` definition file header for the `yum` bootstrap agent. The `setopt` value is passed to `yum / dnf` using the `--setopt` flag. This permits setting e.g. `install_weak_deps=False` to bootstrap recent versions of Fedora, where `systemd` (a weak dependency) cannot install correctly in the container. See `examples/Fedora` for an example definition file.
- Warn user that a `yum` bootstrap of an older distro may fail if the host rpm `_db_backend` is not `bdb`.
- Fix implied `--writable-tmpfs` with `--nvccli`, to avoid r/o filesystem error.
- Avoid incorrect error when requesting fakeroot network.
- Pass computed `LD_LIBRARY_PATH` to wrapped unsquashfs. Fixes issues where `unsquashfs` on host uses libraries in non-default paths.
- Show correct memory limit in `instance stats` when a limit is set.
- Ensure consistent binding of libraries under `--nv`/`--rocm` when duplicate `<library>.so[.version]` files are listed by `ldconfig -p`.
- Fix systemd cgroup manager error when running a container as a non-root user with `--oci`, on systems with cgroups v1 and `runc`.
- Fix joining cgroup of instance started as root, with cgroups v1, non-default cgroupfs manager, and no device rules.
- Show standard output of yum bootstrap if log level is verbose or higher.
- Image driver plugins, implementing the `RegisterImageDriver` callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
- When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
- `crun` will be used as the low-level OCI runtime, when available, rather than `runc`. If `crun` is not available, `runc` will be used.
- `sessiondir maxsize` in `singularity.conf` now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
- Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows `singularity instance stats` to be supported by default when possible.
- Support for a custom hashbang in the `%test` section of a Singularity recipe (akin to the runscript and start sections).
- Non-root users can now build from a definition file, on systems that do not support `--fakeroot`. This requires the statically built `proot` command (https://proot-me.github.io/) to be available on the user `PATH`. These builds:
  - Do not support `arch` / `debootstrap` / `yum` / `zypper` bootstraps. Use `localimage`, `library`, `oras`, or one of the docker/oci sources.
  - Do not support `%pre` and `%setup` sections.
  - Run the `%post` sections of a build in the container as an emulated root user.
  - Run the `%test` section of a build as the non-root user, like `singularity test`.
  - Are subject to any restrictions imposed in `singularity.conf`.
  - Incur a performance penalty due to `proot`'s `ptrace` based interception of syscalls.
  - May fail if the `%post` script requires privileged operations that `proot` cannot emulate.
- Instances started by a non-root user can use `--apply-cgroups` to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
- A new `instance stats` command displays basic resource usage statistics for a specified instance, running within a cgroup.
- `--writable-tmpfs` is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
- The `--no-mount` flag now accepts the value `bind-paths` to disable mounting of all `bind path` entries in `singularity.conf`.
- Persistent overlays (`--overlay`) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
- Add `--sparse` flag to `overlay create` command to allow generation of a sparse ext3 overlay image.
- Support for `DOCKER_HOST` parsing when using `docker-daemon://`.
- `DOCKER_USERNAME` and `DOCKER_PASSWORD` supported without `SINGULARITY_` prefix.
- A new `--oci` flag for `run`/`exec`/`shell` enables the experimental OCI runtime mode. This mode:
  - Runs OCI container images from an OCI bundle, using `runc` or `crun`.
  - Supports `docker://`, `docker-archive:`, `docker-daemon:`, `oci:`, `oci-archive:` image sources.
  - Does not support running Singularity SIF, SquashFS, or EXT3 images.
  - Provides an environment similar to Singularity's native runtime, running with `--compat`.
  - Supports the following options / flags. Other options are not yet supported:
    - `--fakeroot` for effective root in the container. Requires subuid/subgid mappings.
    - Bind mounts via `--bind` or `--mount`. No image mounts.
    - Additional namespaces requests with `--net`, `--uts`, `--user`.
    - Container environment variables via `--env`, `--env-file`, and `SINGULARITYENV_` host env vars.
    - `--rocm` to bind ROCm GPU libraries and devices into the container.
    - `--nv` to bind Nvidia driver / basic CUDA libraries and devices into the container.
    - `--apply-cgroups`, and the `--cpu*`, `--blkio*`, `--memory*`, `--pids-limit` flags to apply resource limits.
- Instance name is available inside an instance via the new `SINGULARITY_INSTANCE` environment variable.
- The `sign` command now supports signing with non-PGP key material by specifying the path to a private key via the `--key` flag.
- The `verify` command now supports verification with non-PGP key material by specifying the path to a public key via the `--key` flag.
- The `verify` command now supports verification with X.509 certificates by specifying the path to a certificate via the `--certificate` flag. By default, the system root certificate pool is used as trust anchors unless overridden via the `--certificate-roots` flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the `--certificate-intermediates` flag.
- Support for online verification checks of X.509 certificates using the OCSP protocol (introduced flag: `verify --ocsp-verify`).
- Add new Linux capabilities: `CAP_PERFMON`, `CAP_BPF`, `CAP_CHECKPOINT_RESTORE`.
- A new `--reproducible` flag for `./mconfig` will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.
- In `--rocm` mode, the whole of `/dev/dri` is now bound into the container when `--contain` is in use. This makes `/dev/dri/render` devices available, required for later ROCm versions.
- Overlay is blocked on the `panfs` filesystem, allowing sandbox directories to be run from `panfs` without error.
- Avoid UID / GID readonly var warnings with `--env-file`.
- Significant reduction in the use of network image sources in the e2e tests.
- Improved parallelization and use of image caches in the e2e tests.
- The `e2e-test` makefile target now accepts an argument `E2E_GROUPS` to only run specified groups of end to end tests. E.g. `make -C builddir e2e-test E2E_GROUPS=VERSION,HELP` will run end to end tests in the `VERSION` and `HELP` groups only.
- The `e2e-test` makefile target now accepts an argument `E2E_TESTS` which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. `make -C builddir e2e-test E2E_TESTS=^semantic` will only run end to end tests with a name that begins with `semantic`. These `E2E_` variables offer an alternative to the `-run` flag, which may be easier to use given the structure of e2e tests.
- CVE-2022-23538: The github.com/sylabs/scs-library-client dependency included in SingularityCE >=3.10.0, <3.10.5 may leak user credentials to a third-party service via HTTP redirect. This issue is limited to `library://` access to specific Singularity Enterprise 1.x or 3rd party library configurations, which implement a concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. See the linked advisory for full details.
- Ensure `make dist` doesn't include conmon binary or intermediate files.
- Do not hang on pull from http(s) source that doesn't provide a content-length.
- Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.
- CVE-2022-39237: The github.com/sylabs/sif/v2 dependency included in SingularityCE <=3.10.3 does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. This release updates to sif v2.8.1 which corrects this issue. See the linked advisory for references and a workaround.
- Ensure bootstrap_history directory is populated with previous definition files, present in source containers used in a build.
- Added EL9 package builds to CI for GitHub releases.
- Ensure no empty `if` branch is present in generated OCI image runscripts. An empty branch would prevent execution of the container by other tools that are not using mvdan.cc/sh.
- Debug output can now be enabled by setting the `SINGULARITY_DEBUG` env var.
- Debug output is now shown for nested `singularity` calls, in wrapped `unsquashfs` image extraction, and build stages.
- Fix test code that implied `%test -c <shell>` was supported - it is not.
- Fix compilation on `mipsel`.
- `master` branch of GitHub repository has been renamed to `main`.
- `oci mount` sets `Process.Terminal: true` when creating an OCI `config.json`, so that `oci run` provides expected interactive behavior by default.
- Default hostname for `oci mount` containers is now `singularity` instead of `mrsdalloway`.
- systemd is now supported and used as the default cgroups manager. Set `systemd cgroups = no` in `singularity.conf` to manage cgroups directly via the cgroupfs.
- The `singularity oci` command group now uses `runc` to manage containers.
- The `singularity oci` commands use `conmon` which is built from a git submodule, unless `--without-conmon` is specified as an argument to `mconfig`, in which case Singularity will search `PATH` for conmon. Version >=2.0.24 of conmon is required.
- The `singularity oci` flags `--sync-socket`, `--empty-process`, and `--timeout` have been removed.
- Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error.
- Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE `go.mod` file. Required for Go 1.18 support.
- seccomp support is not disabled automatically in the absence of seccomp headers at build time. Run `mconfig` using `--without-seccomp` and `--without-conmon` to disable seccomp support and building of `conmon` (which requires seccomp headers).
- SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
- Added `--no-eval` to the list of flags set by the OCI/Docker `--compat` mode (see below).
- Updated seccomp support allows use of seccomp profiles that set an error return code with `errnoRet` and `defaultErrnoRet`. Previously EPERM was hard coded. The example `etc/seccomp-profiles/default.json` has been updated.
- Native cgroups v2 resource limits can be specified using the `[unified]` key in a cgroups toml file applied via `--apply-cgroups`.
- The `--no-mount` flag & `SINGULARITY_NO_MOUNT` env var can now be used to disable a `bind path` entry from `singularity.conf` by specifying the absolute path to the destination of the bind.
- Non-root users can now use `--apply-cgroups` with `run`/`shell`/`exec` to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
- Added `--cpu*`, `--blkio*`, `--memory*`, `--pids-limit` flags to apply cgroups resource limits to a container directly.
- Allow experimental direct mount of SIF images with `squashfuse` in user-namespace / no-setuid mode.
- New action flag `--no-eval` which:
  - Prevents shell evaluation of `SINGULARITYENV_` / `--env` / `--env-file` environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
  - Prevents shell evaluation of the values of `CMD` / `ENTRYPOINT` and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use `singularity inspect` to check version that container was built with.
- Add support for `%files` section in remote builds, when a compatible remote is used.
- Allow `newgidmap` / `newuidmap` that use capabilities instead of setuid root.
- Corrected `key search` output for results from some servers, and keys with multiple names.
- Pass through a literal `\n` in host environment variables to container.
- Address 401 error pulling from private `library://` projects.
- Correctly launch CleanupHost process only when needed in `--sif-fuse` flow.
- Add specific error for unreadable image / overlay file.
- Ensure cgroups device limits are default allow per past behavior.
- Improve error message when remote build server does not support the `%files` section.
- Fix non-root instance join with unprivileged systemd managed cgroups, when join is from outside a user-owned cgroup.
- Use HEAD request when checking digest of remote OCI image sources, with GET as a fall-back. Greatly reduces Singularity's impact on Docker Hub API limits.
- Add package build for Ubuntu 22.04 LTS.
- Do not truncate environment variables with commas.
- Fix error when pushing to host-less `library://` URIs.
- Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
- Avoid cleanup panic when invalid file specified for --apply-cgroups.
- SingularityCE now supports the `riscv64` architecture.
- Correct library bindings for `unsquashfs` containment. Fixes errors where resolved library filename does not match library filename in binary (e.g. EL8, POWER9 with glibc-hwcaps).
- `make install` now installs man pages. A separate `make man` is not required.
- GitHub .deb packages correctly include man pages.
- Update dependency to correctly unset variables in container startup environment processing. Fixes regression in v3.9.2.
- Remove subshell overhead when processing large environments on container startup.
- Address timeout in library pull single stream download.
- Ensure MIGs are visible with `--nvccli` in non-contained mode, to match the legacy GPU binding behaviour.
- Avoid fd leak in loop device transient error path.
- Ensure `gengodep` in build uses vendor dir when present.
- Fix `source` of a script on `PATH` and scoping of environment variables in definition files (via dependency update).
- Ensure a local build does not fail unnecessarily if a keyserver config cannot be retrieved from the remote endpoint.
- Correct documentation for sign command r.e. source of key index.
- Restructure loop device discovery to address an issue where a transient `EBUSY` error could lead to failure under Arvados. Also greedily try for a working loop device, rather than perform delayed retries on encountering `EAGAIN`, since we hold an exclusive lock which can block other processes.
This is a security release for SingularityCE 3.9, addressing a security issue in SingularityCE's dependencies.
- CVE-2021-41190 / GHSA-77vh-xpmg-72qh: OCI specifications allow ambiguous documents that contain both "manifests" and "layers" fields. Interpretation depends on the presence / value of a Content-Type header. SingularityCE dependencies handling the retrieval of OCI images have been updated to versions that reject ambiguous documents.
This is the first release of SingularityCE 3.9, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity.
- Building SingularityCE 3.9.0 requires go >=1.16. We now aim to support the two most recent stable versions of Go. This corresponds to the Go Release Maintenance Policy and Security Policy, ensuring critical bug fixes and security patches are available for all supported language versions.
- LABELs from Docker/OCI images are now inherited. This fixes a longstanding regression from Singularity 2.x. Note that you will now need to use `--force` in a build to override a label that already exists in the source Docker/OCI container.
- The source paths for `%files` lines in a definition file are no longer interpreted by a shell. This means that environment variable substitution is not performed. Previously, environment variables were substituted for source paths, but not destination paths, leading to unexpected copy behaviour. Globbing for source files will now follow the Go `filepath.Match` pattern syntax.
- Removed `--nonet` flag, which was intended to disable networking for in-VM execution, but has no effect.
- `--nohttps` flag has been deprecated in favour of `--no-https`. The old flag is still accepted, but will display a deprecation warning.
- Paths for `cryptsetup`, `go`, `ldconfig`, `mksquashfs`, `nvidia-container-cli`, `unsquashfs` are now found at build time by `mconfig` and written into `singularity.conf`. The path to these executables can be overridden by changing the value in `singularity.conf`.
- When calling `ldconfig` to find GPU libraries, singularity will not fall back to `/sbin/ldconfig` if the configured `ldconfig` errors. If installing in a Guix/Nix environment on top of a standard host distribution you must set `ldconfig path = /sbin/ldconfig` to use the host distribution `ldconfig` to find GPU libraries.
- `--nv` will not call `nvidia-container-cli` to find host libraries, unless the new experimental GPU setup flow that employs `nvidia-container-cli` for all GPU related operations is enabled (see below).
- If a container is run with `--nvccli` and `--contain`, only GPU devices specified via the `NVIDIA_VISIBLE_DEVICES` environment variable will be exposed within the container. Use `NVIDIA_VISIBLE_DEVICES=all` to access all GPUs inside a container run with `--nvccli`.
- Example log-plugin rewritten as a CLI callback that can log all commands executed, instead of only container execution, and has access to command arguments.
- The bundled reference CNI plugins are updated to v1.0.1. The `flannel` plugin is no longer included, as it is maintained as a separate plugin at: https://github.com/flannel-io/cni-plugin. If you use the flannel CNI plugin you should install it from this repository.
- Instances are no longer created with an IPC namespace by default. An IPC namespace can be specified with the `-i|--ipc` flag.
- The behaviour of the `allow container` directives in `singularity.conf` has been modified, to support more intuitive limitations on the usage of SIF and non-SIF container images. If you use these directives, you may need to make changes to `singularity.conf` to preserve behaviour.
  - A new `allow container sif` directive permits or denies usage of unencrypted SIF images, irrespective of the filesystem(s) inside the SIF.
  - The `allow container encrypted` directive permits or denies usage of SIF images with an encrypted root filesystem.
  - The `allow container squashfs/extfs` directives in `singularity.conf` permit or deny usage of bare SquashFS and EXT image files only.
  - The effect of the `allow container dir` directive is unchanged.
- A new `--writable-tmpfs` can be used with `singularity build` to run the `%test` section of the build with an ephemeral tmpfs overlay, permitting tests that write to the container filesystem.
- The `--compat` flag for actions is a new short-hand to enable a number of options that increase OCI/Docker compatibility. Infers `--containall`, `--no-init`, `--no-umask`, `--writable-tmpfs`. Does not use user, uts, or network namespaces as these may not be supported on many installations.
- `remote add --insecure` may be used to configure endpoints that are only accessible via http.
- The experimental `--nvccli` flag will use `nvidia-container-cli` to setup the container for Nvidia GPU operation. SingularityCE will not bind GPU libraries itself. Environment variables that are used with Nvidia's `docker-nvidia` runtime to configure GPU visibility / driver capabilities & requirements are parsed by the `--nvccli` flag from the environment of the calling user. By default, the `compute` and `utility` GPU capabilities are configured. The `use nvidia-container-cli` option in `singularity.conf` can be set to `yes` to always use `nvidia-container-cli` when supported. Note that in a setuid install, `nvidia-container-cli` will be run as root with required ambient capabilities. `--nvccli` is not currently supported in the hybrid fakeroot (setuid install + `--fakeroot`) workflow. Please see documentation for more details.
- The `--apply-cgroups` flag can be used to apply cgroups resource and device restrictions on a system using the v2 unified cgroups hierarchy. The resource restrictions must still be specified in the v1 / OCI format, which will be translated into v2 cgroups resource restrictions, and eBPF device restrictions.
- A new `--mount` flag and `SINGULARITY_MOUNT` environment variable can be used to specify bind mounts in `type=bind,source=<src>,destination=<dst>[,options...]` format. This improves CLI compatibility with other runtimes, and allows binding paths containing `:` and `,` characters (using CSV style escaping).
- Perform concurrent multi-part downloads for `library://` URIs. Uses 3 concurrent downloads by default, and is configurable in `singularity.conf` or via environment variables.
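As an added example that is not SingularityCE code, the following Go program parses a `--mount` value of the form described above, rejects malformed or ambiguous specifications (missing or repeated keys, non-bind types, relative destinations), and shows which mounts the older `--bind src:dst` syntax cannot express. The accepted key names and the `ro` option are assumptions of the example.

```go
package main

// Added example, not SingularityCE code: parse a --mount / SINGULARITY_MOUNT
// value in type=bind,source=<src>,destination=<dst>[,options...] form. Fields
// are comma-separated with CSV-style quoting, so a field whose path contains a
// comma is wrapped in double quotes as a whole; a colon needs no quoting.

import (
	"encoding/csv"
	"fmt"
	"path/filepath"
	"strings"
)

// BindMount is a parsed --mount value.
type BindMount struct {
	Source      string
	Destination string
	ReadOnly    bool
	Options     []string // entries this example does not interpret, kept verbatim
}

// ParseMountSpec parses one --mount value. Only type=bind is accepted, the
// destination must be absolute, and type/source/destination must each appear
// exactly once rather than silently letting the last value win. The key names
// and the "ro" option are assumptions of this example.
func ParseMountSpec(spec string) (*BindMount, error) {
	r := csv.NewReader(strings.NewReader(spec))
	r.TrimLeadingSpace = true
	fields, err := r.Read()
	if err != nil {
		return nil, fmt.Errorf("mount %q: malformed CSV: %w", spec, err)
	}
	m := &BindMount{}
	kv := map[string]string{}
	for _, field := range fields {
		key, val, hasVal := strings.Cut(field, "=")
		switch key {
		case "type", "source", "destination":
			if _, dup := kv[key]; dup || !hasVal || val == "" {
				return nil, fmt.Errorf("mount %q: %s must be given exactly once with a value", spec, key)
			}
			kv[key] = val
		case "ro":
			m.ReadOnly = true
		default:
			m.Options = append(m.Options, field)
		}
	}
	m.Source, m.Destination = kv["source"], filepath.Clean(kv["destination"])
	switch {
	case kv["type"] != "bind":
		return nil, fmt.Errorf("mount %q: only type=bind is supported", spec)
	case m.Source == "" || kv["destination"] == "":
		return nil, fmt.Errorf("mount %q: source and destination are required", spec)
	case !filepath.IsAbs(m.Destination):
		return nil, fmt.Errorf("mount %q: destination must be an absolute path", spec)
	}
	return m, nil
}

// BindArg renders the mount in the older --bind src:dst[:ro] syntax, and fails
// where that syntax cannot express the paths (the ':' and ',' cases --mount
// was introduced for).
func (m *BindMount) BindArg() (string, error) {
	for _, p := range []string{m.Source, m.Destination} {
		if strings.ContainsAny(p, ":,") {
			return "", fmt.Errorf("path %q cannot be expressed with --bind; use --mount", p)
		}
	}
	arg := m.Source + ":" + m.Destination
	if m.ReadOnly {
		arg += ":ro"
	}
	return arg, nil
}

func main() {
	// Constructed inputs: a source containing ',' is quoted as a whole field,
	// a destination containing ':' needs no quoting, and a repeated key fails.
	for _, spec := range []string{
		`type=bind,"source=/data/a,b",destination=/mnt/c:d,ro`,
		"type=bind,source=/host/data,destination=/data",
		"type=bind,source=/x,source=/y,destination=/z",
	} {
		m, err := ParseMountSpec(spec)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		arg, err := m.BindArg()
		fmt.Printf("%+v --bind equivalent: %q (%v)\n", *m, arg, err)
	}
}
```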
- The `oci` commands will operate on systems that use the v2 unified cgroups hierarchy.
- Ensure invalid values passed to `config global --set` cannot lead to an empty configuration file being written.
- An invalid remote build source (bootstrap) will be identified before attempting to submit the build.
- `--no-https` now applies to connections made to library services specified in `library://<hostname>/...` URIs.
- Update `oras-go` dependency to address push failures to some registry configurations.
- Implement context cancellation when a signal is received in several CLI commands.
- Fix regression when files `source`d from `%environment` contain `\` escaped shell builtins (fixes issue with `source` of conda profile.d script).
Additional changes include dependency updates for the SIF module (to v2.0.0), and migration to maintained versions of other modules. There is no change to functionality, on-disk SIF format etc.
- `singularity delete` will use the correct library service when the hostname is specified in the `library://` URI.
- `singularity build` will use the correct library service when the hostname is specified in the `library://` URI / definition file.
- Fix download of default `pacman.conf` in `arch` bootstrap.
- Call `debootstrap` with correct Debian arch when it is not identical to the value of `runtime.GOARCH`. E.g. `ppc64el -> ppc64le`.
- When destination is omitted in `%files` entry in definition file, ensure globbed files are copied to correct resolved path.
- Return an error if `--tokenfile` used for `remote login` to an OCI registry, as this is not supported.
- Ensure repeated `remote login` to same URI does not create duplicate entries in `~/.singularity/remote.yaml`.
- Avoid panic when mountinfo line has a blank field.
- Properly escape single quotes in Docker `CMD`/`ENTRYPOINT` translation.
- Use host uid when choosing unsquashfs flags, to avoid selinux xattr errors with `--fakeroot` on non-EL/Fedora distributions with recent squashfs-tools.
- Allow escaped `\$` in a `SINGULARITYENV_` var to set a literal `$` in a container env var.
- Handle absolute symlinks correctly in multi-stage build `%copy from` blocks.
- Fix incorrect reference in sandbox restrictive permissions warning.
This is the first release of SingularityCE 3.8.0, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity.
- The package name for this release is now `singularity-ce`. This name is used for the source tarball, output of an `rpmbuild`, and displayed in `--version` information.
- The name of the top level directory in the source tarball from `make dist` now includes the version string.
- A new `overlay` command allows creation and addition of writable overlays.
- Administrators can allow named users/groups to use specific CNI network configurations. Managed by directives in `singularity.conf`.
- The `build` command now honors `--nv`, `--rocm`, and `--bind` flags, permitting builds that require GPU access or files bound in from the host.
- A library service hostname can be specified as the first component of a `library://` URL.
- Singularity is now relocatable for unprivileged installations only.
- Respect http proxy server environment variables in key operations.
- When pushing SIF images to `oras://` endpoints, work around Harbor & GitLab failure to accept the `SifConfigMediaType`.
- Avoid a `setfsuid` compilation warning on some gcc versions.
- Fix a crash when silent/quiet log levels used on pulls from `shub://` and `http(s)://` URIs.
- Wait for dm device to appear when mounting an encrypted container rootfs.
Testing changes are not generally itemized. However, developers and contributors should note that this release has modified the behavior of `make test` for ease of use:

- `make test` runs limited unit and integration tests that will not require docker hub credentials.
- `make testall` runs the full unit/integration/e2e test suite that requires docker credentials to be set with `E2E_DOCKER_USERNAME` and `E2E_DOCKER_PASSWORD` environment variables.
- Fix privilege handling issue with tests on Go >=1.16.
Singularity 3.7.4 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity.
The 3.7.4 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.4 and is provided for convenience to users arriving from outdated links.
- CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.
- CVE-2021-29136: A dependency used by Singularity to extract docker/OCI image layers can be tricked into modifying host files by creating a malicious layer that has a symlink with the name "." (or "/"), when running as root. This vulnerability affects a `singularity build` or `singularity pull` as root, from a docker or OCI source.
- Fix progress bar display when source image size is unknown.
- Fix a memory usage / leak issue when building from an existing image file.
- Fix to allow use of `--library` flag to point push/pull at default cloud library when another remote is in use.
- Address false positive loop test errors, and an e2e test registry setup issue.
- Accommodate /sys/fs/selinux mount changes on kernel 5.9+.
- Fix loop devices file descriptor leak when shared loop devices is enabled.
- Use MaxLoopDevices variable from config file in all appropriate locations.
- Use -buildmode=default (non pie) on ppc64le to prevent crashes when using plugins.
- Remove spurious warning in `parseTokenSection()`.
- e2e test fixes for new kernels, new unsquashfs version.
- Show correct web URI for detached builds against alternate remotes.
- The singularity binary is now relocatable when built without setuid support
- Allow configuration of global custom keyservers, separate from remote endpoints.
- Add a new global keyring, for public keys only (used for ECL).
- The `remote login` command now supports authentication to Docker/OCI registries and custom keyservers.
- New `--exclusive` option for `remote use` allows admin to lock usage to a specific remote.
- A new `Fingerprints:` header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints.
- Labels can be set dynamically from a build's `%post` section by setting them in the `SINGULARITY_LABELS` environment variable.
- New `build-arch` label is automatically set to the architecture of the host during a container build.
- New `-D/--description` flag for `singularity push` sets description for a library container image.
- `singularity remote status` shows validity of authentication token if set.
- `singularity push` reports quota usage and URL on successful push to a library server that supports this.
- A new `--no-mount` flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled in `singularity.conf`.
- When actions (run/shell/exec...) are used without `--fakeroot` the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new `--no-umask` flag to return to the previous behaviour of setting a default 0022 umask.
- Container metadata, environment, scripts are recorded in a descriptor in builds to SIF files, and `inspect` will use this if present.
- The `--nv` flag for NVIDIA GPU support will not resolve libraries reported by `nvidia-container-cli` via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them.
- General re-work of the `remote login` flow, adds prompts and token verification before replacing an existing authentication token.
- The Execution Control List (ECL) now verifies container fingerprints using the new global keyring. Previously all users would need relevant keys in their own keyring.
- The SIF layer mediatype for ORAS has been changed to `application/vnd.sylabs.sif.layer.v1.sif` reflecting the published opencontainers/artifacts value.
- `SINGULARITY_BIND` has been restored as an environment variable set within a running container. It now reflects all user binds requested by the `-B/--bind` flag, as well as via `SINGULARITY_BIND[PATHS]`.
- `singularity search` now correctly searches for container images matching the host architecture by default. A new `--arch` flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned.
- Support larger definition files, environments etc. by passing engine configuration in the environment vs. via socket buffer.
- Ensure `docker-daemon:` and other source operations respect `SINGULARITY_TMPDIR` for all temporary files.
- Support double quoted filenames in the `%files` section of build definitions.
- Correct `cache list` sizes to show KiB with powers of 1024, matching `du` etc.
- Don't fail on `enable fusemount=no` when no fuse mounts are needed.
- Pull OCI images to the correct requested location when the cache is disabled.
- Ensure `Singularity>` prompt is set when container has no environment script, or singularity is called through a wrapper script.
- Avoid build failures in `yum/dnf` operations against the 'setup' package on `RHEL/CentOS/Fedora` by ensuring staged `/etc/` files do not match distro default content.
- Failed binds to `/etc/hosts` and `/etc/localtime` in a container run with `--contain` are no longer fatal errors.
- Don't initialize the cache for actions where it is not required.
- Increase embedded shell interpreter timeout, to allow slow-running environment scripts to complete.
- Correct buffer handling for key import to allow import from STDIN.
- Reset environment to avoid `LD_LIBRARY_PATH` issues when resolving dependencies for the `unsquashfs` sandbox.
- Fall back to `/sbin/ldconfig` if `ldconfig` on `PATH` fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix.
- Address issues caused by error code changes in `unsquashfs` version 4.4.
- Ensure `/dev/kfd` is bound into container for ROCm when `--rocm` is used with `--contain`.
- Tolerate comments on `%files` sections in build definition files.
- Fix a loop device file descriptor leak.
- A change in Linux kernel 5.9 causes `--fakeroot` builds to fail with a `/sys/fs/selinux` remount error. This will be addressed in Singularity v3.7.1.
Singularity 3.6.4 addresses the following security issue.
- CVE-2020-15229: Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs (a distribution provided utility used by Singularity), it is possible to overwrite/create files on the host filesystem during the extraction of a crafted squashfs filesystem. Affects unprivileged execution of SIF / SquashFS images, and image builds from SIF / SquashFS images.
- Update scs-library-client to support `library://` backends using a 3rd party S3 object store that does not strictly conform to v4 signature spec.
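CVE-2020-15229 above and CVE-2021-29136 in the 3.7.4 notes are the same class of defect: an extractor trusting the paths carried inside an untrusted archive. The Go check below is an added example, not Singularity's or unsquashfs's own code; it rejects layer entries that climb out of the extraction root or that would replace the root with a non-directory such as a symlink named ".", and the three layers it scans are constructed inside the block.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive entry that a root-running extractor must refuse.
var ErrUnsafeEntry = errors.New("unsafe archive entry")

// normalise strips a leading "/" (layers may use absolute names) and cleans the
// path, so "./x", "a/../x" and "/x" become "x" while "a/../../x" becomes "../x".
func normalise(name string) string {
	return filepath.Clean("./" + strings.TrimPrefix(name, "/"))
}

// CheckEntry returns the destination for one layer entry under root, or an error
// when writing it could touch anything outside root or replace root itself.
// Symlink targets are not resolved: a correct extractor writes a symlink as a
// leaf and never follows it while creating later entries.
func CheckEntry(root string, hdr *tar.Header) (string, error) {
	rel := normalise(hdr.Name)
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%w: %q resolves outside the extraction root", ErrUnsafeEntry, hdr.Name)
	}
	// "." (or "/") names the root itself; only a directory entry may use it. A
	// symlink named "." would replace the root, and every later entry in the
	// layer would then be written through that link (CVE-2021-29136).
	if rel == "." && hdr.Typeflag != tar.TypeDir {
		return "", fmt.Errorf("%w: non-directory entry named %q", ErrUnsafeEntry, hdr.Name)
	}
	return filepath.Join(root, rel), nil
}

// ScanLayer walks an in-memory tar layer and returns every destination path,
// stopping at the first entry CheckEntry rejects. Run it before writing to disk.
func ScanLayer(root string, layer []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	var dests []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return dests, nil
		}
		if err != nil {
			return nil, err
		}
		dest, err := CheckEntry(root, hdr)
		if err != nil {
			return nil, err
		}
		dests = append(dests, dest)
	}
}

// buildLayer assembles a constructed tar layer from headers only (zero-length
// files), which is all the path checks need.
func buildLayer(hdrs []tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i := range hdrs {
		if err := tw.WriteHeader(&hdrs[i]); err != nil {
			panic(err) // only a malformed header can fail on an in-memory writer
		}
	}
	tw.Close() // writes the end-of-archive marker; cannot fail on a bytes.Buffer
	return buf.Bytes()
}

// SampleLayers returns constructed layers: an ordinary one, one led by a symlink
// named "." (the CVE-2021-29136 shape), and one using ".." traversal (CVE-2020-15229's class).
func SampleLayers() map[string][]byte {
	return map[string][]byte{
		"benign": buildLayer([]tar.Header{
			{Name: "./", Typeflag: tar.TypeDir, Mode: 0755},
			{Name: "etc/hosts", Typeflag: tar.TypeReg, Mode: 0644},
			{Name: "bin/sh", Typeflag: tar.TypeSymlink, Linkname: "/usr/bin/sh", Mode: 0777},
		}),
		"dot-symlink": buildLayer([]tar.Header{
			{Name: ".", Typeflag: tar.TypeSymlink, Linkname: "/", Mode: 0777},
			{Name: "etc/hosts", Typeflag: tar.TypeReg, Mode: 0644},
		}),
		"traversal": buildLayer([]tar.Header{
			{Name: "../../etc/hosts", Typeflag: tar.TypeReg, Mode: 0644},
		}),
	}
}

func main() {
	for name, layer := range SampleLayers() {
		dests, err := ScanLayer("/var/tmp/rootfs", layer)
		fmt.Printf("%-12s dests=%v err=%v\n", name, dests, err)
	}
}
```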
Singularity 3.6.3 addresses the following security issues.
- CVE-2020-25039: When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.
- CVE-2020-25040: When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
- The value for maximum number of loop devices in the config file is now used everywhere instead of redefining this value
- Add CAP_MKNOD in capability bounding set of RPC to fix issue with cryptsetup when decrypting image from within a docker container.
- Fix decryption issue when using both IPC and PID namespaces.
- Fix unsupported builtins panic from shell interpreter and add umask support for definition file scripts.
- Do not load keyring in prepare_linux if ECL not enabled.
- Ensure sandbox option overrides remote build destination.
- Add `--force` option to `singularity delete` for non-interactive workflows.
- Default to current architecture for `singularity delete`.
- Respect current remote for `singularity delete` command.
- Allow `rw` as a (noop) bind option.
- Fix capability handling regression in overlay mount.
- Fix LD_LIBRARY_PATH environment override regression with `--nv/--rocm`.
- Fix environment variable duplication within singularity engine.
- Use `-user-xattrs` for unsquashfs to avoid error with rootless extraction using unsquashfs 3.4 (Ubuntu 20.04).
- Correct `--no-home` message for 3.6 CWD behavior.
- Don't fail if parent of cache dir not accessible.
- Fix tests for Go 1.15 Ctty handling.
- Fix additional issues with test images on ARM64.
- Fix FUSE e2e tests to use container ssh_config.
- Support compilation with `FORTIFY_SOURCE=2` and build in `pie` mode with `fstack-protector` enabled (#5433).
- Provide advisory message r.e. need for `upper` and `work` to exist in overlay images.
- Use squashfs mem and processor limits in squashfs gzip check.
- Ensure build destination path is not an empty string - do not overwrite CWD.
- Don't unset PATH when interpreting legacy /environment files.
Singularity 3.6.0 introduces a new signature format for SIF images, and changes to the signing / verification code to address:
- CVE-2020-13845 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user.
- CVE-2020-13846 In Singularity 3.5 the `--all / -a` option to `singularity verify` returns success even when some objects in a SIF container are not signed, or cannot be verified.
- CVE-2020-13847 In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior.
Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
Note that the new signature format is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.
We thank Tru Huynh for a report that led to the review of, and changes to, the signature implementation.
- Singularity now supports the execution of minimal Docker/OCI containers that do not contain `/bin/sh`, e.g. `docker://hello-world`.
- A new cache structure is used that is concurrency safe on a filesystem that supports atomic rename. If you downgrade to Singularity 3.5 or older after using 3.6 you will need to run `singularity cache clean`.
- A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.
- The `--bind` flag can now bind directories from a SIF or ext3 image into a container.
- The `--fusemount` feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag). This permits users to mount e.g. `sshfs` and `cvmfs` filesystems to the container at runtime.
- A new `-c/--config` flag allows an alternative `singularity.conf` to be specified by the `root` user, or all users in an unprivileged installation.
- A new `--env` flag allows container environment variables to be set via the Singularity command line.
- A new `--env-file` flag allows container environment variables to be set from a specified file.
- A new `--days` flag for `cache clean` allows removal of items older than a specified number of days. Replaces the `--name` flag which is not generally useful as the cache entries are stored by hash, not a friendly name.
- A new `--legacy-insecure` flag to `verify` allows verification of SIF signatures in the old, insecure format.
- A new `-l / --logs` flag for `instance list` that shows the paths to instance STDERR / STDOUT log files.
- The `--json` output of `instance list` now includes paths to STDERR / STDOUT log files.
- New signature format (see security fixes above).
- Environment variables prefixed with `SINGULARITYENV_` always take precedence over variables without `SINGULARITYENV_` prefix.
- The `%post` build section inherits environment variables from the base image.
- `%files from ...` will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour.
- Restored the CWD mount behaviour of v2, implying that CWD path is not recreated inside container and any symlinks in the CWD path are not resolved anymore to determine the destination path inside container.
- The `%test` build section is executed in the same manner as `singularity test image`.
- `--fusemount` with the `container:` default directive will foreground the FUSE process. Use `container-daemon:` for previous behavior.
- Fixed spacing of `singularity instance list` to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names.
- Removed `--name` flag for `cache clean`; replaced with `--days`.
- Deprecate `-a / --all` option to `sign/verify` as new signature behavior makes this the default.
- Don't try to mount `$HOME` when it is `/` (e.g. `nobody` user).
- Process `%appinstall` sections in order when building from a definition file.
- Ensure `SINGULARITY_CONTAINER`, `SINGULARITY_ENVIRONMENT` and the custom shell prompt are set inside a container.
- Honor insecure registry settings from `/etc/containers/registries.conf`.
- Fix `http_proxy` env var handling in `yum` bootstrap builds.
- Disable log colorization when output location is not a terminal.
- Check encryption keys are usable before beginning an encrypted build.
- Allow app names with non-alphanumeric characters.
- Use the `base` metapackage for arch bootstrap builds - arch no longer has a `base` group.
- Ensure library client messages are logged with `--debug`.
- Do not mount `$HOME` with `--fakeroot --contain`.
- Fall back to underlay automatically when using a sandbox on GPFS.
- Fix Ctrl-Z handling - propagation of signal.
The following minor behaviour changes have been made in 3.5.3 to allow correct operation on CRAY CLE6, and correct an issue with multi-stage image builds that was blocking use by build systems such as Spack:
- Container action scripts are no longer bound in from `etc/actions.d` on the host. They are created dynamically and inserted at container startup.
- `%files from ...` will no longer follow symlinks when copying between stages in a multi stage build, as symlinks should be copied so that they resolve identically in later stages. Copying `%files` from the host will still maintain previous behavior of following links.
- Bind additional CUDA 10.2 libs when using the `--nv` option without `nvidia-container-cli`.
- Fix an NVIDIA persistenced socket bind error with `--writable`.
- Add detection of ceph to allow workarounds that avoid issues with sandboxes on ceph filesystems.
- Ensure setgid is inherited during make install.
- Ensure the root directory of a build has owner write permissions, regardless of the permissions in the bootstrap source.
- Fix a regression in `%post` and `%test` to honor the `-c` option.
- Fix an issue running `%post` when a container doesn't have `/etc/resolv.conf` or `/etc/hosts` files.
- Fix an issue with UID detection on RHEL6 when running instances.
- Fix a logic error when a sandbox image is in an overlay incompatible location, and both overlay and underlay are disabled globally.
- Fix an issue causing user namespace to always be used when `allow-setuid=no` was configured in a setuid installation.
- Always allow key IDs and fingerprints to be specified with or without a `0x` prefix when using `singularity keys`.
- Fix an issue preventing joining an instance started with `--boot`.
- Provide a useful error message if an invalid library:// path is provided.
- Bring in multi-part upload client functionality that will address large image upload / proxied upload issues with a future update to Sylabs cloud.
In addition, numerous improvements have been made to the test suites, allowing them to pass cleanly on a range of kernel versions and distributions that are not covered by the open-source CI runs.
- 700 permissions are enforced on `$HOME/.singularity` and `SINGULARITY_CACHEDIR` directories (CVE-2019-19724). Many thanks to Stuart Barkley for reporting this issue.
- Fixes an issue preventing use of `.docker/config` for docker registry authentication.
- Fixes the `run-help` command in the unprivileged workflow.
- Fixes a regression in the `inspect` command to support older image formats.
- Adds a workaround for an EL6 kernel bug regarding shared bind mounts.
- Fixes caching of http(s) sources with conflicting filenames.
- Fixes a fakeroot sandbox build error on certain filesystems, e.g. lustre, GPFS.
- Fixes a fakeroot build failure to a sandbox in $HOME.
- Fixes a fakeroot build failure from a bad def file section script location.
- Fixes container execution errors when CWD is a symlink.
- Provides a useful warning r.e. possible fakeroot build issues when seccomp support is not available.
- Fixes an issue where the `--disable-cache` option was not being honored.
- Deprecated `--groupid` flag for `sign` and `verify`; replaced with `--group-id`.
- Removed useless flag `--url` for `sign`.
A single feature has been added in the bugfix release, with specific functionality:
- A new option `allow container encrypted` can be set to `no` in `singularity.conf` to prevent execution of encrypted containers.
This point release addresses the following issues:
- Fixes a disk space leak when building from docker-archive.
- Makes container process SIGABRT return the expected code.
- Fixes the `inspect` command in unprivileged workflow.
- Sets an appropriate default umask during build stages, to avoid issues with very restrictive user umasks.
- Fixes an issue with build script content being consumed from STDIN.
- Corrects the behaviour of underlay with non-empty / symlinked CWD and absolute symlink binds targets.
- Fixes execution of containers when binding BTRFS filesystems.
- Fixes build / check failures for MIPS & PPC64.
- Ensures file ownership maintained when building image from sandbox.
- Fixes a squashfs mount error on kernel 5.4.0 and above.
- Fixes an underlay fallback problem, which prevented use of sandboxes on lustre filesystems.
- New support for AMD GPUs via `--rocm` option added to bind ROCm devices and libraries into containers.
- Plugins can now modify Singularity behaviour with two mutators: CLI and Runtime.
- Introduced the `config global` command to edit `singularity.conf` settings from the CLI.
- Introduced the `config fakeroot` command to setup `subuid` and `subgid` mappings for `--fakeroot` from the Singularity CLI.
- Go 1.13 adopted.
- Vendored modules removed from the Git tree, will be included in release tarballs.
- Singularity will now fail with an error if a requested bind mount cannot be made.
  - This is beneficial to fail fast in workflows where a task may fail a long way downstream if a bind mount is unavailable.
  - Any unavailable bind mount sources must be removed from `singularity.conf`.
- Docker/OCI image extraction now faithfully respects layer permissions.
  - This may lead to sandboxes that cannot be removed without modifying permissions.
  - `--fix-perms` option added to preserve old behaviour when building sandboxes.
  - Discussion issue for this change at: https://github.com/sylabs/singularity/issues/4671
- `Singularity>` prompt is always set when entering shell in a container.
- The current `umask` will be honored when building a SIF file.
- `instance exec` processes acquire cgroups set on `instance start`.
- `--fakeroot` supports uid/subgid ranges >65536.
- `singularity version` now reports semver compliant version information.
- Deprecated `--id` flag for `sign` and `verify`; replaced with `--sif-id`.
This point release addresses the following issues:
- Sets workable permissions on OCI -> sandbox rootless builds
- Fallback correctly to user namespace for non setuid installation
- Correctly handle the starter-suid binary for non-root installs
- Creates CACHEDIR if it doesn't exist
- Set apex loglevel for umoci to match singularity loglevel
This point release addresses the following issues:
- Fixes an issue where a PID namespace was always being used
- Fixes compilation on non 64-bit architectures
- Allows fakeroot builds for zypper, pacstrap, and debootstrap
- Correctly detects seccomp on OpenSUSE
- Honors GO_MODFLAGS properly in the mconfig generated makefile
- Passes the Mac hostname to the VM in MacOS Singularity builds
- Handles temporary EAGAIN failures when setting up loop devices on recent kernels
- Fixes excessive memory usage in singularity push
- New support for building and running encrypted containers with RSA keys and passphrases
  - `--pem-path` option added to the `build` and action commands for RSA based encrypted containers
  - `--passphrase` option added to `build` and action commands for passphrase based encrypted containers
  - `SINGULARITY_ENCRYPTION_PEM_PATH` and `SINGULARITY_ENCRYPTION_PASSPHRASE` environment variables added to serve same functions as above
  - `--encrypt` option added to `build` command to build an encrypted container when environment variables contain a secret
- New `--disable-cache` flag prevents caching of downloaded containers
- Added support for multi-line variables in singularity def-files
- Added support for 'indexed' def-file variables (like arrays)
- Added support for SUSE SLE Products
- Added the def-file variables: product, user, regcode, productpgp, registerurl, modules, otherurl (indexed)
- Support multiple-architecture tags in the SCS library
- Added a `--dry-run` flag to `cache clean`
- Added a `SINGULARITY_SYPGPDIR` environment variable to specify the location of PGP key data
- Added a `--nonet` option to the action commands to disable networking when running with the `--vm` option
- Added a `--long-list` flag to the `key search` command to preserve
- Added experimental, hidden `--fusemount` flag to pass a command to mount a libfuse3 based file system within the container
- Runtime now properly honors `SINGULARITY_DISABLE_CACHE` environment variable
- `remote add` command now automatically attempts to login and a `--no-login` flag is added to disable this behavior
- Using the `pull` command to download an unsigned container no longer produces an error code
- `cache clean` command now prompts user before cleaning when run without `--force` option and is more verbose
- Shortened the default output of the `key search` command
- The `--allow-unsigned` flag to `pull` has been deprecated and will be removed in the future
- Remote login and status commands will now use the default remote if a remote name is not supplied
- Added Singularity hub (`shub`) cache support when using the `pull` command
- Clean cache in a safer way by only deleting the cache subdirectories
- Improvements to the `cache clean` command
- new `oras` URI for pushing and pulling SIF files to and from supported OCI registries
- added the `--fakeroot` option to `build`, `exec`, `run`, `shell`, `test`, and `instance start` commands to run container in a new user namespace as uid 0
- added the `fakeroot` network type for use with the `--network` option
- `sif` command to allow for the inspection and manipulation of SIF files with the following subcommands
  - `add` Add a data object to a SIF file
  - `del` Delete a specified object descriptor and data from SIF file
  - `dump` Extract and output data objects from SIF files
  - `header` Display SIF global headers
  - `info` Display detailed information of object descriptors
  - `list` List object descriptors from SIF files
  - `new` Create a new empty SIF image file
  - `setprim` Set primary system partition
- This point release fixes the following bugs:
- Allows users to join instances with non-suid workflow
- Removes false warning when seccomp is disabled on the host
- Fixes an issue in the terminal when piping output to commands
- Binds NVIDIA persistenced socket when `--nv` is invoked
- Instance files are now stored in user's home directory for privacy and many checks have been added to ensure that a user can't manipulate files to change `starter-suid` behavior when instances are joined (many thanks to Matthias Gerstner from the SUSE security team for finding and securely reporting this vulnerability)
- Introduced a new basic framework for creating and managing plugins
- Added the ability to create containers through multi-stage builds
- Definitions now require `Bootstrap` be the first parameter of header
- Created the concept of a Sylabs Cloud "remote" endpoint and added the ability for users and admins to set them through CLI and conf files
- Added caching for images from Singularity Hub
- Made it possible to compile Singularity outside of `$GOPATH`
- Added a json partition to SIF files for OCI configuration when building from an OCI source
- Full integration with Singularity desktop for MacOS code base
- Introduced the `plugin` command group for creating and managing plugins
  - `compile` Compile a singularity plugin
  - `disable` Disable an installed singularity plugin
  - `enable` Enable an installed singularity plugin
  - `inspect` Inspect a singularity plugin (either an installed one or an image)
  - `install` Install a singularity plugin
  - `list` List installed singularity plugins
  - `uninstall` Uninstall removes the named plugin from the system
- Introduced the `remote` command group to support management of Singularity endpoints:
  - `add` Create a new Sylabs Cloud remote endpoint
  - `list` List all remote endpoints that are configured
  - `login` Log into a remote endpoint using an authentication token
  - `remove` Remove an existing Sylabs Cloud remote endpoint
  - `status` Check the status of the services at an endpoint
  - `use` Set a remote endpoint to be used by default
- Added to the `key` command group to improve PGP key management:
  - `export` Export a public or private key into a specific file
  - `import` Import a local key into the local keyring
  - `remove` Remove a local public key
- Added the `Stage: <name>` keyword to the definition file header and the `from <stage name>` option/argument pair to the `%files` section to support multistage builds
- The `--token/-t` option has been deprecated in favor of the `singularity remote` command group
- Ask to confirm password on a newly generated PGP key
- Prompt to push a key to the KeyStore when generated
- Refuse to push an unsigned container unless overridden with `--allow-unauthenticated/-U` option
- Warn and prompt when pulling an unsigned container without the `--allow-unauthenticated/-U` option
- `Bootstrap` must now be the first field of every header because of parser requirements for multi-stage builds
- New hidden `buildcfg` command to display compile-time parameters
- Added support for `LDFLAGS`, `CFLAGS`, `CGO_` variables in build system
- Added `--nocolor` flag to Singularity client to disable color in logging
- `singularity capability <add/drop> --desc` has been removed
- `singularity capability list <--all/--group/--user>` flags have all been removed
- The `--builder` flag to the `build` command implicitly sets `--remote`
- Repeated binds no longer cause Singularity to exit and fail, just warn instead
- Corrected typos and improved docstrings throughout
- Removed warning when CWD does not exist on the host system
- Added support to spec file for RPM building on SLES 11
- Introduced the `oci` command group to support a new OCI compliant variant of the Singularity runtime:
  - `attach` Attach console to a running container process
  - `create` Create a container from a bundle directory
  - `delete` Delete container
  - `exec` Execute a command within container
  - `kill` Kill a container
  - `mount` Mount create an OCI bundle from SIF image
  - `pause` Suspends all processes inside the container
  - `resume` Resumes all processes previously paused inside the container
  - `run` Create/start/attach/delete a container from a bundle directory
  - `start` Start container process
  - `state` Query state of a container
  - `umount` Umount delete bundle
  - `update` Update container cgroups resources
- Added `cache` command group to inspect and manage cached files
  - `clean` Clean your local Singularity cache
  - `list` List your local Singularity cache
- Can now build CLI on darwin for limited functionality on Mac
- Added the `scratch` bootstrap agent to build from anything
- Reintroduced support for zypper bootstrap agent
- Added the ability to overwrite a new `singularity.conf` when building from RPM if desired
- Fixed several regressions and omissions in SCIF support
- Added caching for containers pulled/built from the Container Library
- Changed `keys` command group to `key` (retained hidden `keys` command for backward compatibility)
- Created an `RPMPREFIX` variable to allow RPMs to be installed in custom locations
- Greatly expanded CI unit and end-to-end testing
- Bind paths in `singularity.conf` are properly parsed and applied at runtime
- Singularity runtime will properly fail if `singularity.conf` file is not owned by the root user
- Several improvements to RPM packaging including using golang from epel, improved support for Fedora, and avoiding overwriting conf file on new RPM install
- Unprivileged `--contain` option now properly mounts `devpts` on older kernels
- Uppercase proxy environment variables are now rightly respected
- Add http/https protocols for singularity run/pull commands
- Update to SIF 1.0.2
- Add noPrompt parameter to `pkg/signing/Verify` function to enable silent verification
- Added the `--docker-login` flag to enable interactive authentication with docker registries
- Added support for pulling directly from HTTP and HTTPS
- Made minor improvements to RPM packaging and added basic support for alpine packaging
- The `$SINGULARITY_NOHTTPS`, `$SINGULARITY_TMPDIR`, and `$SINGULARITY_DOCKER_USERNAME`/`$SINGULARITY_DOCKER_PASSWORD` environment variables are now correctly respected
- Pulling from a private shub registry now works as expected
- Running a container with `--network="none"` no longer incorrectly fails with an error message
- Commands now correctly return 1 when incorrectly executed without arguments
- Progress bars no longer incorrectly display when running with `--quiet` or `--silent`
- Contents of `91-environment.sh` file are now displayed if appropriate when running `inspect --environment`
- Improved RPM packaging procedure via makeit
- Enhanced general stability of runtime
- Singularity is now written primarily in Go to bring better integration with the existing container ecosystem
- Added support for new URIs (`build` & `run/exec/shell/start`):
  - `library://` - Supports the Sylabs.io Cloud Library
  - `docker-daemon:` - Supports images managed by the locally running docker daemon
  - `docker-archive:` - Supports archived docker images
  - `oci:` - Supports oci images
  - `oci-archive:` - Supports archived oci images
- Handling of `docker` & `oci` URIs/images now utilizes containers/image to parse and convert those image types in a supported way
- Replaced `singularity instance.*` command group with `singularity instance *`
- The command `singularity help` now only provides help regarding the usage of the `singularity` command. To display an image's `help` message, use `singularity run-help <image path>` instead
- Removed deprecated `singularity image.*` command group
- Removed deprecated `singularity create` command
- Removed deprecated `singularity bootstrap` command
- Removed deprecated `singularity mount` command
- Removed deprecated `singularity check` command
- Added `singularity run-help <image path>` command to output an image's `help` message
- Added `singularity sign <image path>` command to allow a user to cryptographically sign a SIF image
- Added `singularity verify <image path>` command to allow a user to verify a SIF image's cryptographic signatures
- Added `singularity keys` command to allow the management of `OpenPGP` key stores
- Added `singularity capability` command to allow fine grained control over the capabilities of running containers
- Added `singularity push` command to push images to the Sylabs.io Cloud Library
- Added flags:
  - `--add-caps <string>`: Run the contained process with the specified capability set (requires root)
  - `--allow-setuid`: Allows setuid binaries to be mounted into the container (requires root)
  - `--apply-cgroups <path>`: Apply cgroups configuration from file to contained processes (requires root)
  - `--dns <string>`: Adds the comma separated list of DNS servers to the containers `resolv.conf` file
  - `--drop-caps <string>`: Drop the specified capabilities from the container (requires root)
  - `--fakeroot`: Run the container in a user namespace as `uid=0`. Requires a recent kernel to function properly
  - `--hostname <string>`: Set the hostname of the container
  - `--keep-privs`: Keep root user privilege inside the container (requires root)
  - `--network <string>`: Specify a list of comma separated network types (CNI Plugins) to be present inside the container, each with its own dedicated interface in the container
  - `--network-args <string>`: Specify arguments to pass to CNI network plugins (set by `--network`)
  - `--no-privs`: Drop all privileges from root user inside the container (requires root)
  - `--security <string>`: Configure security features such as SELinux, Apparmor, Seccomp...
  - `--writable-tmpfs`: Run container with a `tmpfs` overlay
- The command `singularity instance start` now supports the `--boot` flag to boot the container via `/sbin/init`
- Changes to image mounting behavior:
  - All image formats are mounted as read-only by default
  - `--writable` only works on images which can be mounted read/write [applicable to: `sandbox` and legacy `ext3` images]
  - `--writable-tmpfs` runs the container with a writable `tmpfs`-based overlay [applicable to: all image formats]
  - `--overlay <string>` now specifies a list of `ext3`/`sandbox` images which are set as the container's overlay [applicable to: all image formats]
- All images are now built as Singularity Image Format (SIF) images by default
- When building to a path that already exists, `singularity build` will now prompt the user if they wish to overwrite the file existing at the specified location
- The `-w|--writable` flag has been removed
- The `-F|--force` flag now overrides the interactive prompt and will always attempt to overwrite the file existing at the specified location
- The `-u|--update` flag has been added to support the workflow of running a definition file on top of an existing container [implies `--sandbox`, only supports `sandbox` image types]
- The `singularity build` command now supports the following flags for integration with the Sylabs.io Cloud Library:
  - `-r|--remote`: Build the image remotely on the Sylabs Remote Builder (currently unavailable)
  - `-d|--detached`: Detach from the `stdout` of the remote build [requires `--remote`]
  - `--builder <string>`: Specifies the URL of the remote builder to access
  - `--library <string>`: Specifies the URL of the Sylabs.io Cloud Library to push the built image to when the build command destination is in the form `library://<reference>`
- The `bootstrap` keyword in the definition file now supports the following values:
  - `library`
  - `docker-daemon`
  - `docker-archive`
  - `oci`
  - `oci-archive`
- The `from` keyword in the definition file now correctly parses a `docker` URI which includes the `registry` and/or `namespace` components
- The `registry` and `namespace` keywords in the definition file are no longer supported. Instead, those values may all go into the `from` keyword
- Building from a tar archive of a `sandbox` no longer works
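The following definition file is an added example, not taken from the Singularity project's own documentation or tests, showing the effect of the `from` keyword change above: the old layout that split the image reference across the removed `registry` and `namespace` keywords is kept in comments for comparison, and the complete reference is given to `from` instead. The registry host `registry.example.com`, the namespace `exampleorg` and the image `app:1.2.3` are placeholders, and the exact value format the removed keywords took is assumed.

```singularity
# Added example definition file; registry host, namespace and image name are placeholders.
#
# Old layout (assumed format), no longer accepted now that the registry and
# namespace keywords have been removed:
#
#   Bootstrap: docker
#   Registry: registry.example.com
#   Namespace: exampleorg
#   From: app:1.2.3
#
# New layout: the whole reference goes into From and is parsed as
# <registry>/<namespace>/<name>:<tag>. Spelling out the registry host here also
# means the build cannot silently fall back to a default registry for an
# image that was meant to come from a private one.
Bootstrap: docker
From: registry.example.com/exampleorg/app:1.2.3

%post
    # Record where the base image came from so it can be checked at run time
    echo "registry.example.com/exampleorg/app:1.2.3" > /etc/base-image

%runscript
    cat /etc/base-image
```

Build it with `singularity build app.sif app.def`; the build now produces a SIF image by default, so the result can be signed with `singularity sign app.sif` and checked with `singularity verify app.sif` as described above.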