v4.2.0-rc.1

Pre-release
@dtrudg released this 13 Aug 09:39
· 226 commits to main since this release
aad1afe

This is the first release candidate for the upcoming 4.2 series of SingularityCE. We welcome all feedback and testing. Please continue to use the latest 4.1 release for production systems.

New Features & Functionality

  • It is now possible to use multiple environment variable files with the --env-file flag. Files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence.
  • singularity.conf now accepts setting new options regarding namespaces:
    • allow ipc ns: disable the use of the --ipc flag.
    • allow user ns: disable creation of user namespaces. This will prevent execution of containers with the --userns or --fakeroot flags, and unprivileged installations of SingularityCE.
    • allow uts ns: invalidate the use of the --uts and --hostname flags.
  • A new singularity data package command allows files and directories to be packaged into an OCI-SIF data container.
  • A new --layer-format flag for singularity push allows layers in an OCI-SIF image to be pushed to library:// and docker:// registries in squashfs (default) or tar format. Images pushed with --layer-format tar can be pulled and run by other OCI runtimes.
  • A writable overlay can be added to an OCI-SIF file with the singularity overlay create command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the --writable flag.
  • A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the singularity overlay sync command to synchronize the OCI digests with the overlay content.
  • A new singularity overlay seal command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent.
  • Added a new instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.
  • The new --netns-path flag takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allowed netns paths directive in singularity.conf, if they are also listed in allowed net users / allowed net groups. This flag is not currently supported with --fakeroot, or in --oci mode.
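
The namespace directives above can be checked before users hit a refused flag. The following is an added example, not code from SingularityCE: it parses a singularity.conf excerpt and reports which of the flags named in these notes a command line uses that the configuration switches off. The function names and the sample excerpt are constructed for illustration, and it assumes the usual `directive = value` syntax, that `no` is the disabling value, and that a missing directive leaves the flag allowed.

```python
import re

# Directive -> CLI flags it gates, as listed in the 4.2.0-rc.1 release notes.
GATED_FLAGS = {
    "allow ipc ns": ("--ipc",),
    "allow user ns": ("--userns", "--fakeroot"),
    "allow uts ns": ("--uts", "--hostname"),
}

# Constructed excerpt for illustration, not a real site's singularity.conf.
SAMPLE_CONF = """\
# namespace hardening (constructed sample)
allow setuid = yes
allow ipc ns = yes
allow  user ns = NO
# allow uts ns = yes
allow uts ns = no
"""

def parse_conf(text):
    """Parse 'directive = value' lines; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Normalise case and inner whitespace so 'allow  user ns' still matches.
        key = re.sub(r"\s+", " ", key.strip().lower())
        conf[key] = value.strip().lower()
    return conf

def disabled_flags(text):
    """Return the set of flags switched off by the configuration."""
    conf = parse_conf(text)
    off = set()
    for directive, flags in GATED_FLAGS.items():
        # Assumptions: 'no' disables; a missing directive behaves as 'yes'.
        if conf.get(directive, "yes") == "no":
            off.update(flags)
    return off

def rejected_args(text, argv):
    """List the flags in argv that this configuration would not permit."""
    off = disabled_flags(text)
    used = [arg.split("=", 1)[0] for arg in argv if arg.startswith("--")]
    return [flag for flag in used if flag in off]
```

Calling `rejected_args(SAMPLE_CONF, argv)` with a job's argument list shows which of its flags would need to change under the hardened configuration.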

Bug Fixes

  • Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (docker:// etc.).
  • Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
  • Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
  • Fix issue where --platform / --arch did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.

Requirements

  • Requires a minimum of Go 1.21.5 to build due to dependency updates.
  • OCI-SIF embedded writable overlay functionality requires fuse2fs >= 1.46.6.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.2.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • Ubuntu 24.04 (noble)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6