
Releases: sylabs/singularity

SingularityCE 3.11.1

14 Mar 16:28
c3885a5

SingularityCE 3.11.1 is a bugfix patch release in the 3.11 series, with changes detailed below.

New Features & Functionality

  • Add setopt definition file header for the yum bootstrap agent. The setopt value is passed to yum / dnf using the --setopt flag. This permits setting e.g. install_weak_deps=False to bootstrap recent versions of Fedora, where systemd (a weak dependency) cannot install correctly in the container. See examples/Fedora for an example definition file.
  • Warn user that a yum bootstrap of an older distro may fail if the host rpm _db_backend is not bdb.

Bug Fixes

  • Fix implied --writable-tmpfs with --nvccli, to avoid r/o filesystem error.
  • Avoid incorrect error when requesting fakeroot network.
  • Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where unsquashfs on host uses libraries in non-default paths.
  • Show correct memory limit in instance stats when a limit is set.
  • Ensure consistent binding of libraries under --nv/--rocm when duplicate <library>.so[.version] files are listed by ldconfig -p.
  • Fix systemd cgroup manager error when running a container as a non-root user with --oci, on systems with cgroups v1 and runc.
  • Fix joining cgroup of instance started as root, with cgroups v1, non-default cgroupfs manager, and no device rules.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.1.tar.gz download below to obtain and install SingularityCE 3.11.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.2

SingularityCE 3.11.0

10 Feb 12:39
e773d54

SingularityCE 3.11.0 is the first release in the 3.11 series, with changes, new features, and bug fixes detailed below.

Changed defaults / behaviours

  • Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
  • When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
  • crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
  • sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  • Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionality

Image Building

  • Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
  • Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
    • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
    • Do not support %pre and %setup sections.
    • Run the %post sections of a build in the container as an emulated root user.
    • Run the %test section of a build as the non-root user, like singularity test.
    • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
    • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

  • Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
  • A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
  • Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

  • --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
  • Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

  • Support for DOCKER_HOST parsing when using docker-daemon://
  • DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
  • A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
    • Runs OCI container images from an OCI bundle, using runc or crun.
    • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
    • Does not support running Singularity SIF, SquashFS, or EXT3 images.
    • Provides an environment similar to Singularity's native runtime, running with --compat.
    • Supports the following options / flags. Other options are not yet supported:
      • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
      • Bind mounts via --bind or --mount. No image mounts.
      • Additional namespace requests with --net, --uts, --user.
      • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
      • --rocm to bind ROCm GPU libraries and devices into the container.
      • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
      • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

  • The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
  • The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
  • The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.
  • Support for online verification checks of X.509 certificates using the OCSP protocol. (introduced flag: verify --ocsp-verify)
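How the trust anchors and the intermediate pool fit together, as an added illustration (this is not SingularityCE's verify code and does not call its API): a constructed three-level hierarchy is built with the Go standard library, and the leaf certificate is then checked against the four configurations that the --certificate-roots and --certificate-intermediates flags let a user express. makeCert, verifyChain, NewPKI and Outcomes are this example's own names; the certificate subjects are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn. When parent is nil the certificate is
// self-signed (a root); otherwise it is signed by parent using parentKey.
func makeCert(serial int64, cn string, isCA bool, ekus []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain mirrors the trust model behind the two flags: certificates in
// roots are trust anchors, certificates in intermediates are only used to
// build a path from the leaf to an anchor and are never trusted on their own.
// An empty (non-nil) root pool means "trust nothing", not "use system roots".
func verifyChain(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool := x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	interPool := x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// PKI is a constructed hierarchy (root -> intermediate -> signing leaf) plus
// an unrelated root, so that the verification outcomes can be compared.
type PKI struct {
	Root, Intermediate, Leaf, OtherRoot *x509.Certificate
}

func NewPKI() PKI {
	root, rootKey := makeCert(1, "Example Root CA", true, nil, nil, nil)
	inter, interKey := makeCert(2, "Example Intermediate CA", true, nil, root, rootKey)
	leaf, _ := makeCert(3, "image-signer (constructed)", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, inter, interKey)
	other, _ := makeCert(4, "Unrelated Root CA", true, nil, nil, nil)
	return PKI{Root: root, Intermediate: inter, Leaf: leaf, OtherRoot: other}
}

// Outcomes reports, for each root/intermediate configuration, whether the
// leaf certificate is accepted.
func Outcomes(p PKI) map[string]bool {
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	return map[string]bool{
		"root anchor + intermediate pool":      verifyChain(p.Leaf, certs(p.Root), certs(p.Intermediate)) == nil,
		"root anchor, no intermediates":        verifyChain(p.Leaf, certs(p.Root), nil) == nil,
		"intermediate pinned as anchor":        verifyChain(p.Leaf, certs(p.Intermediate), nil) == nil,
		"unrelated anchor + intermediate pool": verifyChain(p.Leaf, certs(p.OtherRoot), certs(p.Intermediate)) == nil,
	}
}

func main() {
	for name, ok := range Outcomes(NewPKI()) {
		fmt.Printf("%-40s accepted=%v\n", name, ok)
	}
}
```

The second case is the one most often hit in practice: the signer's certificate chains through an intermediate that the verifier has never seen, and verification fails until that intermediate is supplied. Supplying it through the intermediate pool is the right fix; adding it as a root also makes the third case pass, but it then becomes a trust anchor in its own right, which is a weaker configuration than anchoring on the actual root.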

Other

  • Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
  • A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

  • In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
  • Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.
  • Avoid UID / GID readonly var warnings with --env-file.

Development / Testing

  • Significant reduction in the use of network image sources in the e2e tests.
  • Improved parallelization and use of image caches in the e2e tests.
  • The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
  • The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0.tar.gz download below to obtain and install SingularityCE 3.11.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.5

SingularityCE 3.11.0 Release Candidate 2

03 Feb 16:02
2b051fb

This is the second release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.

3.11.0 Release Candidate 2 [2023-02-02]

Bug Fixes

  • Avoid UID / GID readonly var warnings with --env-file.
  • Ensure proot flow does not override --remote build.

3.11.0 Release Candidate 1 [2023-01-11]

Changed defaults / behaviours

  • Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
  • When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
  • crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
  • sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  • Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionalities

Image Building

  • Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
  • Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
    • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
    • Do not support %pre and %setup sections.
    • Run the %post sections of a build in the container as an emulated root user.
    • Run the %test section of a build as the non-root user, like singularity test.
    • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
    • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

  • Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
  • A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
  • Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

  • --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
  • Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

  • Support for DOCKER_HOST parsing when using docker-daemon://
  • DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
  • A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
    • Runs OCI container images from an OCI bundle, using runc or crun.
    • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
    • Does not support running Singularity SIF, SquashFS, or EXT3 images.
    • Provides an environment similar to Singularity's native runtime, running with --compat.
    • Supports the following options / flags. Other options are not yet supported:
      • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
      • Bind mounts via --bind or --mount. No image mounts.
      • Additional namespace requests with --net, --uts, --user.
      • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
      • --rocm to bind ROCm GPU libraries and devices into the container.
      • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
      • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

  • The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
  • The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
  • The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.
  • Support for online verification checks of X.509 certificates using the OCSP protocol. (introduced flag: verify --ocsp-verify)

Other

  • Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
  • A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

  • In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
  • Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.

Development / Testing

  • Significant reduction in the use of network image sources in the e2e tests.
  • Improved parallelization and use of image caches in the e2e tests.
  • The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
  • The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

SingularityCE 3.10.5

17 Jan 14:53
25989db

SingularityCE 3.10.5 is a security release in the 3.10 series.

We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.

Security Related Fixes

  • CVE-2022-23538: The github.com/sylabs/scs-library-client dependency included in SingularityCE >=3.10.0, <3.10.5 may leak user credentials to a third-party service via HTTP redirect. This issue is limited to library:// access to specific Singularity Enterprise 1.x or 3rd party library configurations, which implement a concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. See the linked advisory for full details.

Commit 7b841c5 updates the dependency, bringing in the fix.
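The class of issue behind this advisory, as an added Go example that is neither scs-library-client's code nor the actual fix: a client carrying a bearer token follows a redirect from the server it authenticated to onto a different server, and whether the token travels with it depends entirely on the client's redirect policy. Two constructed httptest servers stand in for a library server and a third-party host; RunScenario, NewGuardedClient and sameOrigin are this example's own names, the paths are invented, and the token value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sameOrigin treats scheme, host and port as the identity of the server a
// credential was issued for; a redirect that changes any of them leaves it.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// NewGuardedClient returns a client whose redirect hook drops the
// Authorization header whenever a redirect leaves the origin of the
// first request in the chain, and still caps the redirect depth.
func NewGuardedClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after %d redirects", len(via))
			}
			if !sameOrigin(via[0].URL, req.URL) {
				req.Header.Del("Authorization")
			}
			return nil
		},
	}
}

// RunScenario models the flow with two constructed local servers: "library"
// answers a download request with a redirect to "thirdParty", which records
// whether an Authorization header arrived. It returns true if the token leaked.
func RunScenario(guarded bool) (bool, error) {
	seen := make(chan bool, 1)
	thirdParty := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization") != ""
		w.Write([]byte("constructed image chunk"))
	}))
	defer thirdParty.Close()

	library := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, thirdParty.URL+"/part/0", http.StatusFound)
	}))
	defer library.Close()

	// A stock client only drops Authorization when the *hostname* changes;
	// both test servers live on 127.0.0.1, so it forwards the token.
	client := &http.Client{}
	if guarded {
		client = NewGuardedClient()
	}
	req, err := http.NewRequest(http.MethodGet, library.URL+"/v1/imagefile/example", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer constructed-example-token")
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, guarded := range []bool{false, true} {
		leaked, err := RunScenario(guarded)
		fmt.Printf("guarded=%v leaked=%v err=%v\n", guarded, leaked, err)
	}
}
```

The unguarded run shows why a library-client author cannot rely on the HTTP library's defaults: Go's client strips Authorization only when the redirect target's hostname is not the original host or a subdomain of it, so a different port on the same host, or a subdomain the operator does not control, still receives the token. The guarded hook keys on scheme, host and port instead; it does not normalise implicit default ports (host versus host:443), which a production implementation should do before comparing.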

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.5.tar.gz download below to obtain and install SingularityCE 3.10.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.5

SingularityCE 3.11.0 Release Candidate 1

11 Jan 15:26
0da4e0c

This is the first release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.

Changed defaults / behaviours

  • Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
  • When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
  • crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
  • sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  • Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionalities

Image Building

  • Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
  • Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
    • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
    • Do not support %pre and %setup sections.
    • Run the %post sections of a build in the container as an emulated root user.
    • Run the %test section of a build as the non-root user, like singularity test.
    • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
    • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

  • Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
  • A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
  • Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

  • --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
  • Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

  • Support for DOCKER_HOST parsing when using docker-daemon://
  • DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
  • A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
    • Runs OCI container images from an OCI bundle, using runc or crun.
    • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
    • Does not support running Singularity SIF, SquashFS, or EXT3 images.
    • Provides an environment similar to Singularity's native runtime, running with --compat.
    • Supports the following options / flags. Other options are not yet supported:
      • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
      • Bind mounts via --bind or --mount. No image mounts.
      • Additional namespace requests with --net, --uts, --user.
      • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
      • --rocm to bind ROCm GPU libraries and devices into the container.
      • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
      • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

  • The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
  • The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
  • The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.
  • Support for online verification checks of X.509 certificates using the OCSP protocol. (introduced flag: verify --ocsp-verify)

Other

  • Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
  • A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

  • In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
  • Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.

Development / Testing

  • Significant reduction in the use of network image sources in the e2e tests.
  • Improved parallelization and use of image caches in the e2e tests.
  • The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
  • The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

SingularityCE 3.10.4

10 Nov 15:20
7f1569c

SingularityCE 3.10.4 is a bugfix release in the 3.10 series.

Bug Fixes

  • Ensure make dist doesn't include conmon binary or intermediate files.
  • Do not hang on pull from http(s) source that doesn't provide a content-length.
  • Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.4.tar.gz download below to obtain and install SingularityCE 3.10.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

SingularityCE 3.10.3

06 Oct 13:00
6373436

SingularityCE 3.10.3 is a security and bugfix release in the 3.10 series. It fixes a vulnerability related to the verification of SIF container image signatures, in the github.com/sylabs/sif dependency, by updating to sif v2.8.1.

We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.

Security Related Fixes

  • CVE-2022-39237: The github.com/sylabs/sif/v2 dependency included in SingularityCE <=3.10.3 does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. This release updates to sif v2.8.1 which corrects this issue. See the linked advisory for references and a workaround.

Bug Fixes

  • Ensure bootstrap_history directory is populated with previous definition files, present in source containers used in a build.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.3.tar.gz download below to obtain and install SingularityCE 3.10.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.2

SingularityCE 3.10.2

25 Jul 21:07
3ba17ac

SingularityCE 3.10.2 is a patch release in the 3.10 series. It introduces release packages for EL 9 distributions (RHEL, CentOS Stream, AlmaLinux, Rocky Linux) that are built on AlmaLinux 9. It also fixes a bug in the default runscript for converted OCI containers.

The OCI runscript issue, discovered by the Apptainer project on importing 3.10 series changes from SingularityCE, impacts containers that are directly pulled or built from an OCI source without a custom %runscript. SingularityCE 3.10.0 and 3.10.1 generated a default runscript that could not always be executed by other tools. While execution of these containers with recent versions of SingularityCE is not impacted, we advise upgrading so that all containers built are compatible with other tools.

New features / functionalities

  • Added EL9 package builds to CI for GitHub releases.

Bug Fixes

  • Ensure no empty if branch is present in generated OCI image runscripts. An empty branch would prevent execution of the container by other tools that are not using mvdan.cc/sh.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.2.tar.gz download below to obtain and install SingularityCE 3.10.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.18.4

SingularityCE 3.10.1

18 Jul 18:50
bd35098

SingularityCE 3.10.1 is a patch release in the 3.10 series, with changes detailed below.

Note - Binary packages released via GitHub for 3.10.1 were built with Go 1.18.4, which addresses a number of CVEs present in earlier versions of Go. Although these are not critically applicable to SingularityCE, you may wish to update if you use the binary packages, or recompile if you build from source.

New features / functionalities

  • Debug output can now be enabled by setting the SINGULARITY_DEBUG env var.
  • Debug output is now shown for nested singularity calls, in wrapped unsquashfs image extraction, and build stages.

Bug Fixes

  • Fix test code that implied %test -c <shell> was supported - it is not.
  • Fix compilation on mipsel.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.1.tar.gz download below to obtain and install SingularityCE 3.10.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.4.

SingularityCE 3.10.0

17 May 19:17
709135e

SingularityCE 3.10.0 is the first release in the 3.10 series, with changes, new features, and bug fixes detailed below.

Please note that some dependencies have changed, the master development branch has been renamed to main, and you should now use --recurse-submodules when git cloning the SingularityCE source code repository or checking out a branch / release. See INSTALL.md or the admin guide for details.

Changed defaults / behaviours

  • master branch of GitHub repository has been renamed to main.
  • oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default.
  • Default hostname for oci mount containers is now singularity instead of mrsdalloway.
  • systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in singularity.conf to manage cgroups directly via the cgroupfs.
  • The singularity oci command group now uses runc to manage containers.
  • The singularity oci commands use conmon which is built from a git submodule, unless --without-conmon is specified as an argument to mconfig, in which case Singularity will search PATH for conmon. Version >=2.0.24 of conmon is required.
  • The singularity oci flags --sync-socket, --empty-process, and --timeout have been removed.
  • Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Instead, fail with an error.
  • Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE go.mod file. Required for Go 1.18 support.
  • seccomp support is no longer disabled automatically in the absence of seccomp headers at build time. Run mconfig with --without-seccomp and --without-conmon to disable seccomp support and the building of conmon (which requires seccomp headers).
  • SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
  • Added --no-eval to the list of flags set by the OCI/Docker --compat mode (see below).

New features / functionalities

  • Updated seccomp support allows use of seccomp profiles that set an error return code with errnoRet and defaultErrnoRet. Previously EPERM was hard coded. The example etc/seccomp-profiles/default.json has been updated.
  • Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups.
  • The --no-mount flag & SINGULARITY_NO_MOUNT env var can now be used to disable a bind path entry from singularity.conf by specifying the absolute path to the destination of the bind.
  • Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
  • Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly.
  • Allow experimental direct mount of SIF images with squashfuse in user-namespace / no-setuid mode.
  • New action flag --no-eval which:
    • Prevents shell evaluation of SINGULARITYENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
    • Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only; use singularity inspect to check the version that a container was built with.
  • Add support for %files section in remote builds, when a compatible remote is used.
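What "shell evaluation" of an injected variable means in practice, as an added illustration that is not SingularityCE's own code: the evaluated path is modelled here with a single POSIX sh `eval`, which is an assumption made for the demonstration rather than a description of how the project injects environment variables. The third function is a hypothetical helper an administrator might use in a wrapper to flag values whose meaning changes between the two modes.

```shell
#!/bin/sh
# Added example (not part of SingularityCE): contrast a value injected
# with shell evaluation against the same value passed literally, as
# --no-eval does.

# Evaluated injection: the value is expanded once by the shell, so
# $VAR, $(cmd) and backticks inside it take effect at injection time.
# Assumed model of the pre---no-eval behaviour, not the project's code.
inject_evaluated() {
    eval "printf '%s' \"$1\""
}

# Literal injection (--no-eval / OCI behaviour): the value arrives in
# the container exactly as the caller supplied it.
inject_literal() {
    printf '%s' "$1"
}

# Hypothetical helper: return 0 when a value contains characters that a
# shell would expand, i.e. when evaluated and literal injection differ.
value_would_be_expanded() {
    case "$1" in
        *'$'*|*'`'*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Walk the caller's SINGULARITYENV_* variables and report which values
# would be altered by shell evaluation.
report_env() {
    env | while IFS='=' read -r name value; do
        case "$name" in
            SINGULARITYENV_*)
                if value_would_be_expanded "$value"; then
                    echo "EXPANDS  $name=$value"
                else
                    echo "LITERAL  $name=$value"
                fi
                ;;
        esac
    done
}

report_env
```

Run it with a few SINGULARITYENV_ variables exported in the calling shell to see which of them would have been rewritten by evaluation; with --no-eval every value is passed through as in the LITERAL case.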

Bug Fixes

  • Allow newgidmap / newuidmap that use capabilities instead of setuid root.
  • Corrected key search output for results from some servers, and keys with multiple names.
  • Pass through a literal \n in host environment variables to the container.
  • Address 401 error pulling from private library:// projects.
  • Correctly launch CleanupHost process only when needed in --sif-fuse flow.
  • Add specific error for unreadable image / overlay file.
  • Ensure cgroups device limits default to allow, matching past behavior.
  • Improve error message when remote build server does not support the %files section.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0.tar.gz download below to obtain and install SingularityCE 3.10.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.2.