diff --git a/.circleci/config.yml b/.circleci/config.yml index e465bb070b..8e9354bd58 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -23,7 +23,7 @@ executors: password: $CIRCLE_CI_DOCKER_PASSWORD macos-machine: macos: - xcode: "10.2.0" + xcode: 12.4.0 ubuntu-machine: working_directory: ~/go/singularity machine: @@ -119,10 +119,10 @@ jobs: name: Check Module Tidiness command: git diff --exit-code -- go.mod go.sum - check-stretch: + check-debian: executor: name: golang - variant: stretch + variant: buster steps: - checkout - install-deps-apt: @@ -226,7 +226,7 @@ workflows: build_and_test: jobs: - check-go-mod - - check-stretch + - check-debian - check-alpine - check-darwin - short-unit-tests diff --git a/.github/RELEASE_PROCEDURE.md b/.github/RELEASE_PROCEDURE.md index 28f18e1593..f564765255 100644 --- a/.github/RELEASE_PROCEDURE.md +++ b/.github/RELEASE_PROCEDURE.md @@ -71,7 +71,7 @@ bug(s), and well covered by tests. 4. Modify the `README.md`, `INSTALL.md`, `CHANGELOG.md` via PR against the release branch, so that they reflect the version to be released. 5. Apply an annotated tag via `git tag -a -m "SingularityCE v3.8.0" v3.8.0`. -6. Push the tag via `git push upstream v3.8.0-rc.1`. +6. Push the tag via `git push upstream v3.8.0`. 7. Create a tarball via `mconfig -v && make dist`. 8. Test intallation from the tarball. 9. Compute the sha256sum of the tarball e.g. `sha256sum *.tar.gz > sha256sums`. diff --git a/CHANGELOG.md b/CHANGELOG.md index 941db09929..f92d8a8c6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ # SingularityCE Changelog -## v3.8.0-rc.2 [2021-05-18] +## v3.8.0 [2021-05-26] -This is the second release candidate for SingularityCE 3.8.0, the Community +This is the first release of SingularityCE 3.8.0, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. 
@@ -55,11 +55,26 @@ of `make test` for ease of use: ---- -## v3.7.3 - [2021-04-06] +## v3.7.4 - [2021-05-26] + +**Singularity 3.7.4 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity** -**Singularity 3.7.3 is the most recent stable release of Singularity prior to Sylabs' fork from https://github.com/hpcng/singularity** +The 3.7.4 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.4 and is provided for convenience to users arriving from outdated links. + +### Security Related Fixes -The 3.7.3 release is identical to https://github.com/hpcng/singularity/releases/tag/v3.7.3 and is provided for convenience to users arriving from outdated links. + - [CVE-2021-32635](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394): + Due to incorrect use of a default URL, singularity action commands + (run/shell/exec) specifying a container using a library:// URI will + always attempt to retrieve the container from the default remote + endpoint (cloud.sylabs.io) rather than the configured remote + endpoint. An attacker may be able to push a malicious container to + the default remote endpoint with a URI that is identical to the URI + used by a victim with a non-default remote endpoint, thus executing + the malicious container. + + +## v3.7.3 - [2021-04-06] ### Security Related Fixes diff --git a/INSTALL.md b/INSTALL.md index 8138848bdf..2fe8a0c17a 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -1,10 +1,5 @@ # Installing SingularityCE -**NOTE:** *This installation guide has been updated for the release candidate of -SingularityCE 3.8.0. The `3.8.0-rc2` version that will be installed is a -pre-release of SingularityCE. To install the latest stable version, -substitute the version `3.7.3` in the instructions below. See the `release-3.7` branch for the current stable codebase.* - Since you are reading this from the SingularityCE source code, it will be assumed that you are building/compiling from source. @@ -87,7 +82,7 @@ $ mkdir -p ${GOPATH}/src/github.com/sylabs && \ To build a specific version of SingularityCE, check out a [release tag](https://github.com/sylabs/singularity/tags) before compiling: ``` -$ git checkout v3.8.0-rc.2 +$ git checkout v3.8.0 ``` ## Compiling SingularityCE @@ -130,7 +125,7 @@ as shown above. Then download the latest and use it to install the RPM like this: ``` -$ export VERSION=3.8.0-rc.2 # this is the singularity version, change as you need +$ export VERSION=3.8.0 # this is the singularity version, change as you need $ wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz && \ rpmbuild -tb singularity-ce-${VERSION}.tar.gz && \ diff --git a/cmd/internal/cli/actions.go b/cmd/internal/cli/actions.go index 14c04a320b..43ae2fd291 100644 --- a/cmd/internal/cli/actions.go +++ b/cmd/internal/cli/actions.go @@ -21,7 +21,6 @@ import ( "github.com/sylabs/singularity/internal/pkg/client/oci" "github.com/sylabs/singularity/internal/pkg/client/oras" "github.com/sylabs/singularity/internal/pkg/client/shub" - "github.com/sylabs/singularity/internal/pkg/remote/endpoint" "github.com/sylabs/singularity/internal/pkg/util/uri" "github.com/sylabs/singularity/pkg/sylog" ) 
@@ -80,11 +79,10 @@ func handleLibrary(ctx context.Context, imgCache *cache.Handle, pullFrom string) return "", err } + // Default "" = use current remote endpoint var libraryURI string if r.Host != "" { libraryURI = "https://" + r.Host - } else { - libraryURI = endpoint.SCSDefaultLibraryURI } c, err := getLibraryClientConfig(libraryURI) diff --git a/e2e/actions/actions.go b/e2e/actions/actions.go index 037ceac81d..8a036a50f5 100644 --- a/e2e/actions/actions.go +++ b/e2e/actions/actions.go @@ -2198,6 +2198,8 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests { env: env, } + np := testhelper.NoParallel + return testhelper.Tests{ "action URI": c.RunFromURI, // action_URI "exec": c.actionExec, // singularity exec @@ -2230,5 +2232,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests { "bind image": c.bindImage, // test bind image "umask": c.actionUmask, // test umask propagation "no-mount": c.actionNoMount, // test --no-mount + "invalidRemote": np(c.invalidRemote), // GHSA-5mv9-q7fq-9394 } } diff --git a/e2e/actions/regressions.go b/e2e/actions/regressions.go index 79d3a7ce5b..de65e861e3 100644 --- a/e2e/actions/regressions.go +++ b/e2e/actions/regressions.go 
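Review bot: The fix in handleLibrary now depends entirely on `getLibraryClientConfig("")` resolving to the user's currently selected remote, and the only record of that contract is the short comment `// Default "" = use current remote endpoint`. getLibraryClientConfig is not visible in this hunk, so presumably it performs that lookup; if it ever falls back to a built-in URL for an empty string, the behaviour described in GHSA-5mv9-q7fq-9394 comes back without any change to this file. I would spell the dependency out here, e.g. `// Leave libraryURI empty when the URI names no host: getLibraryClientConfig must then resolve the active remote, never a hard-coded default (GHSA-5mv9-q7fq-9394).`, and state the same in that function's doc comment. handleLibrary starts and ends outside the hunk.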
@@ -616,3 +616,69 @@ func (c actionTests) issue5690(t *testing.T) {
 e2e.ExpectExit(0),
 )
 }
+
+// If an invalid remote is set, we should not pull a container from the default
+// library.
+// GHSA-5mv9-q7fq-9394
+func (c actionTests) invalidRemote(t *testing.T) {
+ testEndpoint := "invalid"
+ testEndpointURI := "https://cloud.example.com"
+ testImage := "library://alpine"
+
+ // Exec library image from the default remote... ensure it succeeds
+ argv := []string{testImage, "/bin/true"}
+ c.env.RunSingularity(
+ t,
+ e2e.AsSubtest("exec default"),
+ e2e.WithProfile(e2e.UserProfile),
+ e2e.WithCommand("exec"),
+ e2e.WithArgs(argv...),
+ e2e.ExpectExit(0),
+ )
+
+ // Add another endpoint
+ argv = []string{"add", "--no-login", testEndpoint, testEndpointURI}
+ c.env.RunSingularity(
+ t,
+ e2e.AsSubtest("remote add"),
+ e2e.WithProfile(e2e.UserProfile),
+ e2e.WithCommand("remote"),
+ e2e.WithArgs(argv...),
+ e2e.ExpectExit(0),
+ )
+ // Remove test remote when we are done here
+ defer func(t *testing.T) {
+ argv := []string{"remove", testEndpoint}
+ c.env.RunSingularity(
+ t,
+ e2e.AsSubtest("remote remove"),
+ e2e.WithProfile(e2e.UserProfile),
+ e2e.WithCommand("remote"),
+ e2e.WithArgs(argv...),
+ e2e.ExpectExit(0),
+ )
+ }(t)
+
+ // Set as default
+ argv = []string{"use", testEndpoint}
+ c.env.RunSingularity(
+ t,
+ e2e.AsSubtest("remote use"),
+ e2e.WithProfile(e2e.UserProfile),
+ e2e.WithCommand("remote"),
+ e2e.WithArgs(argv...),
+ e2e.ExpectExit(0),
+ )
+
+ // Exec library image from the invalid remote, should fail
+ argv = []string{testImage, "/bin/true"}
+ c.env.RunSingularity(
+ t,
+ e2e.AsSubtest("exec invalid"),
+ e2e.WithProfile(e2e.UserProfile),
+ e2e.WithCommand("exec"),
+ e2e.WithArgs(argv...),
+ e2e.ExpectExit(255),
+ )
+
+}
diff --git a/go.mod b/go.mod
index 3a63f76cc9..26d101a537 100644
--- a/go.mod
+++ b/go.mod
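Review bot: The deferred cleanup in invalidRemote removes the `invalid` endpoint while it is still the active remote, and nothing in the hunk switches the selection back first. Whether `remote remove` resets the active remote is not visible here; if it does not, later tests running under e2e.UserProfile inherit a remote that cannot be reached, so either restore the previous remote in the deferred function before the remove, or add a comment such as `// remote remove also resets the active remote` once that is confirmed. The final step asserts only `e2e.ExpectExit(255)`, which any failure satisfies; also checking the error output for the configured endpoint would show that the request really went to https://cloud.example.com rather than failing for an unrelated reason. The first step needs network access to the default library, which is worth stating in the doc comment.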
@@ -14,11 +14,11 @@ require (
 github.com/bugsnag/bugsnag-go v1.5.1 // indirect
 github.com/bugsnag/panicwrap v1.2.0 // indirect
 github.com/containerd/cgroups v1.0.1
- github.com/containerd/containerd v1.5.1
+ github.com/containerd/containerd v1.5.2
 github.com/containernetworking/cni v0.8.1
 github.com/containernetworking/plugins v0.9.1
 github.com/containers/image/v5 v5.12.0
- github.com/fatih/color v1.11.0
+ github.com/fatih/color v1.12.0
 github.com/garyburd/redigo v1.6.0 // indirect
 github.com/go-log/log v0.2.0
 github.com/godbus/dbus v4.1.0+incompatible // indirect
@@ -51,7 +51,7 @@ require (
 github.com/sylabs/sif v1.2.3
 github.com/urfave/cli v1.22.5 // indirect
 github.com/vbauerster/mpb/v4 v4.12.2
- github.com/vbauerster/mpb/v6 v6.0.3
+ github.com/vbauerster/mpb/v6 v6.0.4
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
 github.com/yvasiyarov/gorelic v0.0.6 // indirect
@@ -60,7 +60,7 @@ require (
 golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e
 golang.org/x/net v0.0.0-20210510120150-4163338589ed // indirect
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
- golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744
+ golang.org/x/sys v0.0.0-20210514084401-e8d321eab015
 google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a // indirect
 google.golang.org/grpc v1.37.0 // indirect
 gopkg.in/yaml.v2 v2.4.0
diff --git a/go.sum b/go.sum
index 546e11b622..520773a85c 100644
--- a/go.sum
+++ b/go.sum
@@ -71,8 +71,9 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= -github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM= github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA= +github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow= +github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo= github.com/adigunhammedolalekan/registry-auth v0.0.0-20200730122110-8cde180a3a60 h1:1IG6ye8dellBRE2uqvG0EzQScRqjsH/n5xOw+n0OGec= 
@@ -179,8 +180,8 @@ github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= github.com/containerd/containerd v1.5.0-rc.3/go.mod h1:kYiJ+LvywDUKzyax6+UKCk5xwQNCfcGR6KsSdShdg5U= -github.com/containerd/containerd v1.5.1 h1:xWHPAoe6VkUiI9GAvndJM7s/0MTrmwX3AQiYTr3olf0= -github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= +github.com/containerd/containerd v1.5.2 h1:MG/Bg1pbmMb61j3wHCFWPxESXHieiKr2xG64px/k8zQ= +github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= 
@@ -318,8 +319,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/fatih/color v1.11.0 h1:l4iX0RqNnx/pU7rY2DB/I+znuYY0K3x6Ywac6EIr0PA= -github.com/fatih/color v1.11.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= +github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc= +github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 
@@ -551,8 +552,9 @@ github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOA github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.10 h1:CoZ3S2P7pvtP45xOtBw+/mDL2z0RKI576gSkzRRpdGg= github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= +github.com/mattn/go-runewidth v0.0.12 h1:Y41i/hVW3Pgwr8gV+J23B9YEY0zxjptBuCWEaxmAOow= +github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.11 h1:vCoR9VPpsk/TZFW2JwK5I9S0xdrtUq2bph6/YjEPnaw= github.com/mattn/go-shellwords v1.0.11/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= 
@@ -830,8 +832,9 @@ github.com/vbatts/go-mtree v0.5.0/go.mod h1:7JbaNHyBMng+RP8C3Q4E+4Ca8JnGQA2R/MB+ github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g= github.com/vbauerster/mpb/v4 v4.12.2 h1:TsBs1nWRYF0m8cUH13pxNhOUqY6yKcOr2PeSYxp2L3I= github.com/vbauerster/mpb/v4 v4.12.2/go.mod h1:LVRGvMch8T4HQO3eg2pFPsACH9kO/O6fT/7vhGje3QE= -github.com/vbauerster/mpb/v6 v6.0.3 h1:j+twHHhSUe8aXWaT/27E98G5cSBeqEuJSVCMjmLg0PI= github.com/vbauerster/mpb/v6 v6.0.3/go.mod h1:5luBx4rDLWxpA4t6I5sdeeQuZhqDxc+wr5Nqf35+tnM= +github.com/vbauerster/mpb/v6 v6.0.4 h1:h6J5zM/2wimP5Hj00unQuV8qbo5EPcj6wbkCqgj7KcY= +github.com/vbauerster/mpb/v6 v6.0.4/go.mod h1:a/+JT57gqh6Du0Ay5jSR+uBMfXGdlR7VQlGP52fJxLM= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852 h1:cPXZWzzG0NllBLdjWoD1nDfaqu98YMv+OneaKc8sPOA= 
@@ -1039,8 +1042,8 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744 h1:yhBbb4IRs2HS9PPlAg6DMC6mUOKexJBNsLf4Z+6En1Q= -golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20191110171634-ad39bd3f0407/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=