Releases: sylabs/singularity
SingularityCE 3.11.2
SingularityCE 3.11.2 is a patch release in the 3.11 series, with changes detailed below.
New Features & Functionality
- OCI mode now supports
--hostname
(requires UTS namespace, therefore this flag will infer--uts
). - OCI mode now supports
--scratch
(shorthand:-S
) to mount a tmpfs scratch directory in the container. - Support
--pwd
in OCI mode. - OCI mode now supports
--home
. Supplying a single location (e.g.--home /myhomedir
) will result in a new tmpfs directory being created at the specified location inside the container, and that dir being set as the in-container user's home dir. Supplying two locations separated by a colon (e.g.--home /home/user:/myhomedir
) will result in the first location on the host being bind-mounted as the second location in-container, and set as the in-container user's home dir. - OCI mode now handles
--dns
andresolv.conf
on par with native mode: the--dns
flag can be used to pass a comma-separated list of DNS servers that will be used in the container; if this flag is not used, the container will use the sameresolv.conf
settings as the host. - Added
allow kernel squashfs
directive tosingularity.conf
. Defaults toyes
. When set to no, Singularity will not mount squashfs filesystems using the kernel squashfs driver. - Added
allow kernel extfs
directive tosingularity.conf
. Defaults toyes
. When set to no, Singularity will not mount extfs filesystems using the kernel extfs driver.
Bug Fixes
- Require
runc
in RPM packages built on SLES, notcrun
, becausecrun
is part of the Package Hub community repository that may not be enabled. SingularityCE will still prefercrun
if it has been installed. - Use
/dev/loop-control
for loop device creation, to avoid issues with recent kernel patch wheremax_loop
is not set. - Always request inner userns in
--oci
mode without--fakeroot
, so that inner id mapping is applied correctly. - Use correct target uid/gid for inner id mappings in
--oci
mode. - Avoid
runc
cgroup creation error when using--oci
from a root-owned cgroup (e.g. ssh login session scope). - Pass host's
TERM
environment variable to container in OCI mode. Can be overridden by settingSINGULARITYENV_TERM
on host. - Honour
config passwd
andconfig group
directives fromsingularity.conf
in--oci
mode. - Honour
mount proc
/mount sys
/mount tmp
/mount home
directives fromsingularity.conf
in--oci
mode. - Corrected
singularity.conf
comment, to refer to correct file as source of default capabilities whenroot default capabilities = file
.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.2.tar.gz download below to obtain and install SingularityCE 3.11.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.20.3
SingularityCE 3.11.1
SingularityCE 3.11.1 is a bugfix patch release in the 3.11 series, with changes detailed below.
New Features & Functionality
- Add
setopt
definition file header for theyum
bootstrap agent. Thesetopt
value is passed toyum / dnf
using the--setopt
flag. This permits setting e.g.install_weak_deps=False
to bootstrap recent versions of Fedora, wheresystemd
(a weak dependency) cannot install correctly in the container. Seeexamples/Fedora
for an example defintion file. - Warn user that a
yum
bootstrap of an older distro may fail if the host rpm_db_backend
is notbdb
.
Bug Fixes
- Fix implied
--writable-tmpfs
with--nvccli
, to avoid r/o filesytem error. - Avoid incorrect error when requesting fakeroot network.
- Pass computed
LD_LIBRARY_PATH
to wrapped unsquashfs. Fixes issues whereunsquashfs
on host uses libraries in non-default paths. - Show correct memory limit in
instance stats
when a limit is set. - Ensure consistent binding of libraries under
--nv/--rocm
when duplicate<library>.so[.version]
files are listed byldconfig -p
. - Fix systemd cgroup manager error when running a container as a non-root user with
--oci
, on systems with cgroups v1 andrunc
. - Fix joining cgroup of instance started as root, with cgroups v1, non-default cgroupfs manager, and no device rules.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.1.tar.gz download below to obtain and install SingularityCE 3.11.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.20.2
SingularityCE 3.11.0
SingularityCE 3.11.0 is the first release in the 3.11 series, with changes, new features, and bug fixes detailed below.
Changed defaults / behaviours
- Image driver plugins, implementing the
RegisterImageDriver
callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay. - When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
crun
will be used as the low-level OCI runtime, when available, rather thanrunc
. Ifcrun
is not available,runc
will be used.sessiondir maxsize
insingularity.conf
now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.- Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows
singularity instance stats
to be supported by default when possible.
New features / functionality
Image Building
- Support for a custom hashbang in the
%test
section of a Singularity recipe (akin to the runscript and start sections). - Non-root users can now build from a definition file, on systems that do not support
--fakeroot
. This requires the statically builtproot
command (https://proot-me.github.io/) to be available on the userPATH
. These builds:- Do not support
arch
/debootstrap
/yum
/zypper
bootstraps. Uselocalimage
,library
,oras
, or one of the docker/oci sources. - Do not support
%pre
and%setup
sections. - Run the
%post
sections of a build in the container as an emulated root user. - Run the
%test
section of a build as the non-root user, likesingularity test
. - Are subject to any restrictions imposed in
singularity.conf
. Incur a performance penalty due toproot
'sptrace
based interception of
syscalls. - May fail if the
%post
script requires privileged operations thatproot
cannot emulate.
- Do not support
Instances
- Instances started by a non-root user can use
--apply-cgroups
to apply resource limits. Requires cgroups v2, and delegation configured via systemd. - A new
instance stats
command displays basic resource usage statistics for a specified instance, running within a cgroup. - Instance name is available inside an instance via the new
SINGULARITY_INSTANCE
environment variable.
Mounts & Overlays
--writable-tmpfs
is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.- The
--no-mount
flag now accepts the valuebind-paths
to disable mounting of allbind path
entries insingularity.conf
. - Persistent overlays (
--overlay
) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace. - Add
--sparse
flag tooverlay create
command to allow generation of a sparse ext3 overlay image.
OCI / Docker Compatibility
- Support for
DOCKER_HOST
parsing when usingdocker-daemon://
DOCKER_USERNAME
andDOCKER_PASSWORD
supported withoutSINGULARITY_
prefix.- A new
--oci
flag forrun/exec/shell
enables the experimental OCI runtime mode. This mode:- Runs OCI container images from an OCI bundle, using
runc
orcrun
. - Supports
docker://
,docker-archive:
,docker-daemon:
,oci:
,oci-archive:
image sources. - Does not support running Singularity SIF, SquashFS, or EXT3 images.
- Provides an environment similar to Singularity's native runtime, running with
--compat
. - Supports the following options / flags. Other options are not yet supported:
--fakeroot
for effective root in the container. Requires subuid/subgid mappings.- Bind mounts via
--bind
or--mount
. No image mounts. - Additional namespaces requests with
--net
,--uts
,--user
. - Container environment variables via
--env
,--env-file
, andSINGULARITYENV_
host env vars. --rocm
to bind ROCm GPU libraries and devices into the container.--nv
to bind Nvidia driver / basic CUDA libraries and devices into the container.--apply-cgroups
, and the--cpu*
,--blkio*
,--memory*
,--pids-limit
flags to apply resource limits.
- Runs OCI container images from an OCI bundle, using
Signing & Verification
- The
sign
command now supports signing with non-PGP key material by specifying the path to a private key via the--key
flag. - The
verify
command now supports verification with non-PGP key material by specifying the path to a public key via the--key
flag. - The
verify
command now supports verification with X.509 certificates by specifying the path to a certificate via the--certificate
flag. By default, the system root certificate pool is used as trust anchors unless overridden via the--certificate-roots
flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the--certificate-intermediates
flag. - Support for online verification checks of x509 certificates using OCSP protocol. (introduced flag:
verify --ocsp-verify
)
Other
- Add new Linux capabilities:
CAP_PERFMON
,CAP_BPF
,CAP_CHECKPOINT_RESTORE
. - A new
--reproducible
flag for./mconfig
will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.
Bug Fixes
- In
--rocm
mode, the whole of/dev/dri
is now bound into the container when--contain
is in use. This makes/dev/dri/render
devices available, required for later ROCm versions. - Overlay is blocked on the
panfs
filesystem, allowing sandbox directories to be run frompanfs
without error. - Avoid UID / GID readonly var warnings with --env-file.
Development / Testing
- Significant reduction in the use of network image sources in the e2e tests.
- Improved parallelization and use of image caches in the e2e tests.
- The
e2e-test
makefile target now accepts an argumentE2E_GROUPS
to only run specified groups of end to end tests. E.g.make -C builddir e2e-test E2E_GROUPS=VERSION,HELP
will run end to end tests in theVERSION
andHELP
groups only. - The
e2e-test
makefile target now accepts an argumentE2E_TESTS
which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g.make -C builddir e2e-test E2E_TESTS=^semantic
will only run end to end tests with a name that begins withsemantic
. TheseE2E_
variables offer an alternative to the-run
flag, which may be easier to use given the structure of e2e tests.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.0.tar.gz download below to obtain and install SingularityCE 3.11.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.19.5
SingularityCE 3.11.0 Release Candidate 2
This is the second release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.
3.11.0 Release Candidate 2 [2023-02-02]
Bug Fixes
- Avoid UID / GID readonly var warnings with
--env-file
. - Ensure proot flow does not override
--remote
build.
3.11.0 Release Candidate 1 [2023-01-11]
Changed defaults / behaviours
- Image driver plugins, implementing the
RegisterImageDriver
callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay. - When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
crun
will be used as the low-level OCI runtime, when available, rather thanrunc
. Ifcrun
is not available,runc
will be used.sessiondir maxsize
insingularity.conf
now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.- Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows
singularity instance stats
to be supported by default when possible.
New features / functionalities
Image Building
- Support for a custom hashbang in the
%test
section of a Singularity recipe (akin to the runscript and start sections). - Non-root users can now build from a definition file, on systems that do not support
--fakeroot
. This requires the statically builtproot
command (https://proot-me.github.io/) to be available on the userPATH
. These builds:- Do not support
arch
/debootstrap
/yum
/zypper
bootstraps. Uselocalimage
,library
,oras
, or one of the docker/oci sources. - Do not support
%pre
and%setup
sections. - Run the
%post
sections of a build in the container as an emulated root user. - Run the
%test
section of a build as the non-root user, likesingularity test
. - Are subject to any restrictions imposed in
singularity.conf
. Incur a performance penalty due toproot
'sptrace
based interception of
syscalls. - May fail if the
%post
script requires privileged operations thatproot
cannot emulate.
- Do not support
Instances
- Instances started by a non-root user can use
--apply-cgroups
to apply resource limits. Requires cgroups v2, and delegation configured via systemd. - A new
instance stats
command displays basic resource usage statistics for a specified instance, running within a cgroup. - Instance name is available inside an instance via the new
SINGULARITY_INSTANCE
environment variable.
Mounts & Overlays
--writable-tmpfs
is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.- The
--no-mount
flag now accepts the valuebind-paths
to disable mounting of allbind path
entries insingularity.conf
. - Persistent overlays (
--overlay
) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace. - Add
--sparse
flag tooverlay create
command to allow generation of a sparse ext3 overlay image.
OCI / Docker Compatibility
- Support for
DOCKER_HOST
parsing when usingdocker-daemon://
DOCKER_USERNAME
andDOCKER_PASSWORD
supported withoutSINGULARITY_
prefix.- A new
--oci
flag forrun/exec/shell
enables the experimental OCI runtime mode. This mode:- Runs OCI container images from an OCI bundle, using
runc
orcrun
. - Supports
docker://
,docker-archive:
,docker-daemon:
,oci:
,oci-archive:
image sources. - Does not support running Singularity SIF, SquashFS, or EXT3 images.
- Provides an environment similar to Singularity's native runtime, running with
--compat
. - Supports the following options / flags. Other options are not yet supported:
--fakeroot
for effective root in the container. Requires subuid/subgid mappings.- Bind mounts via
--bind
or--mount
. No image mounts. - Additional namespaces requests with
--net
,--uts
,--user
. - Container environment variables via
--env
,--env-file
, andSINGULARITYENV_
host env vars. --rocm
to bind ROCm GPU libraries and devices into the container.--nv
to bind Nvidia driver / basic CUDA libraries and devices into the container.--apply-cgroups
, and the--cpu*
,--blkio*
,--memory*
,--pids-limit
flags to apply resource limits.
- Runs OCI container images from an OCI bundle, using
Signing & Verification
- The
sign
command now supports signing with non-PGP key material by specifying the path to a private key via the--key
flag. - The
verify
command now supports verification with non-PGP key material by specifying the path to a public key via the--key
flag. - The
verify
command now supports verification with X.509 certificates by specifying the path to a certificate via the--certificate
flag. By default, the system root certificate pool is used as trust anchors unless overridden via the--certificate-roots
flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the--certificate-intermediates
flag. - Support for online verification checks of x509 certificates using OCSP protocol. (introduced flag:
verify --ocsp-verify
)
Other
- Add new Linux capabilities:
CAP_PERFMON
,CAP_BPF
,CAP_CHECKPOINT_RESTORE
. - A new
--reproducible
flag for./mconfig
will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.
Bug Fixes
- In
--rocm
mode, the whole of/dev/dri
is now bound into the container when--contain
is in use. This makes/dev/dri/render
devices available, required for later ROCm versions. - Overlay is blocked on the
panfs
filesystem, allowing sandbox directories to be run frompanfs
without error.
Development / Testing
- Significant reduction in the use of network image sources in the e2e tests.
- Improved parallelization and use of image caches in the e2e tests.
- The
e2e-test
makefile target now accepts an argumentE2E_GROUPS
to only run specified groups of end to end tests. E.g.make -C builddir e2e-test E2E_GROUPS=VERSION,HELP
will run end to end tests in theVERSION
andHELP
groups only. - The
e2e-test
makefile target now accepts an argumentE2E_TESTS
which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g.make -C builddir e2e-test E2E_TESTS=^semantic
will only run end to end tests with a name that begins withsemantic
. TheseE2E_
variables offer an alternative to the-run
flag, which may be easier to use given the structure of e2e tests.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.19.3
SingularityCE 3.10.5
SingularityCE 3.10.5 is a security release in the 3.10 series.
We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.
Security Related Fixes
- CVE-2022-23538: The github.com/sylabs/scs-library-client dependency included in SingularityCE >=3.10.0, <3.10.5 may leak user credentials to a third-party service via HTTP redirect. This issue is limited to
library://
access to specific Singularity Enterprise 1.x or 3rd party library configurations, which plement a concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. See the linked advisory for full details.
Commit 7b841c5 updates the dependency, bringing in the fix.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.10.5.tar.gz download below to obtain and install SingularityCE 3.10.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.19.5
SingularityCE 3.11.0 Release Candidate 1
This is the first release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.
Changed defaults / behaviours
- Image driver plugins, implementing the
RegisterImageDriver
callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay. - When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
crun
will be used as the low-level OCI runtime, when available, rather thanrunc
. Ifcrun
is not available,runc
will be used.sessiondir maxsize
insingularity.conf
now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.- Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows
singularity instance stats
to be supported by default when possible.
New features / functionalities
Image Building
- Support for a custom hashbang in the
%test
section of a Singularity recipe (akin to the runscript and start sections). - Non-root users can now build from a definition file, on systems that do not support
--fakeroot
. This requires the statically builtproot
command (https://proot-me.github.io/) to be available on the userPATH
. These builds:- Do not support
arch
/debootstrap
/yum
/zypper
bootstraps. Uselocalimage
,library
,oras
, or one of the docker/oci sources. - Do not support
%pre
and%setup
sections. - Run the
%post
sections of a build in the container as an emulated root user. - Run the
%test
section of a build as the non-root user, likesingularity test
. - Are subject to any restrictions imposed in
singularity.conf
. Incur a performance penalty due toproot
'sptrace
based interception of
syscalls. - May fail if the
%post
script requires privileged operations thatproot
cannot emulate.
- Do not support
Instances
- Instances started by a non-root user can use
--apply-cgroups
to apply resource limits. Requires cgroups v2, and delegation configured via systemd. - A new
instance stats
command displays basic resource usage statistics for a specified instance, running within a cgroup. - Instance name is available inside an instance via the new
SINGULARITY_INSTANCE
environment variable.
Mounts & Overlays
--writable-tmpfs
is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.- The
--no-mount
flag now accepts the valuebind-paths
to disable mounting of allbind path
entries insingularity.conf
. - Persistent overlays (
--overlay
) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace. - Add
--sparse
flag tooverlay create
command to allow generation of a sparse ext3 overlay image.
OCI / Docker Compatibility
- Support for
DOCKER_HOST
parsing when usingdocker-daemon://
DOCKER_USERNAME
andDOCKER_PASSWORD
supported withoutSINGULARITY_
prefix.- A new
--oci
flag forrun/exec/shell
enables the experimental OCI runtime mode. This mode:- Runs OCI container images from an OCI bundle, using
runc
orcrun
. - Supports
docker://
,docker-archive:
,docker-daemon:
,oci:
,oci-archive:
image sources. - Does not support running Singularity SIF, SquashFS, or EXT3 images.
- Provides an environment similar to Singularity's native runtime, running with
--compat
. - Supports the following options / flags. Other options are not yet supported:
--fakeroot
for effective root in the container. Requires subuid/subgid mappings.- Bind mounts via
--bind
or--mount
. No image mounts. - Additional namespaces requests with
--net
,--uts
,--user
. - Container environment variables via
--env
,--env-file
, andSINGULARITYENV_
host env vars. --rocm
to bind ROCm GPU libraries and devices into the container.--nv
to bind Nvidia driver / basic CUDA libraries and devices into the container.--apply-cgroups
, and the--cpu*
,--blkio*
,--memory*
,--pids-limit
flags to apply resource limits.
- Runs OCI container images from an OCI bundle, using
Signing & Verification
- The
sign
command now supports signing with non-PGP key material by specifying the path to a private key via the--key
flag. - The
verify
command now supports verification with non-PGP key material by specifying the path to a public key via the--key
flag. - The
verify
command now supports verification with X.509 certificates by specifying the path to a certificate via the--certificate
flag. By default, the system root certificate pool is used as trust anchors unless overridden via the--certificate-roots
flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the--certificate-intermediates
flag. - Support for online verification checks of x509 certificates using OCSP protocol. (introduced flag:
verify --ocsp-verify
)
Other
- Add new Linux capabilities:
CAP_PERFMON
,CAP_BPF
,CAP_CHECKPOINT_RESTORE
. - A new
--reproducible
flag for./mconfig
will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.
Bug Fixes
- In
--rocm
mode, the whole of/dev/dri
is now bound into the container when--contain
is in use. This makes/dev/dri/render
devices available, required for later ROCm versions. - Overlay is blocked on the
panfs
filesystem, allowing sandbox directories to be run frompanfs
without error.
Development / Testing
- Significant reduction in the use of network image sources in the e2e tests.
- Improved parallelization and use of image caches in the e2e tests.
- The
e2e-test
makefile target now accepts an argumentE2E_GROUPS
to only run specified groups of end to end tests. E.g.make -C builddir e2e-test E2E_GROUPS=VERSION,HELP
will run end to end tests in theVERSION
andHELP
groups only. - The
e2e-test
makefile target now accepts an argumentE2E_TESTS
which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g.make -C builddir e2e-test E2E_TESTS=^semantic
will only run end to end tests with a name that begins withsemantic
. TheseE2E_
variables offer an alternative to the-run
flag, which may be easier to use given the structure of e2e tests.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.19.3
SingularityCE 3.10.4
SingularityCE 3.10.4 is a bugfix release in the 3.10 series.
Bug Fixes
- Ensure
make dist
doesn't include conmon binary or intermediate files. - Do not hang on pull from http(s) source that doesn't provide a content-length.
- Avoid hang on fakeroot cleanup under high load seen on some
distributions / kernels.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.10.4.tar.gz download below to obtain and install SingularityCE 3.10.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.19.3
SingularityCE 3.10.3
SingularityCE 3.10.3 is a security and bugfix release in the 3.10 series. It fixes a vulnerability related to the verification of SIF container image signatures, in the github.com/sylabs/sif dependency, by updating to sif v2.8.1.
We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.
Security Related Fixes
- CVE-2022-39237: The github.com/sylabs/sif/v2 dependency included in SingularityCE <=3.10.3 does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. This release updates to sif v2.8.1 which corrects this issue. See the linked advisory for references and a workaround.
Bug Fixes
- Ensure bootstrap_history directory is populated with previous definition files, present in source containers used in a build.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.10.3.tar.gz download below to obtain and install SingularityCE 3.10.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.19.2
SingularityCE 3.10.2
SingularityCE 3.10.2 is a patch release in the 3.10 series. It introduces release packages for EL 9 distributions (RHEL, CentOS Stream, AlmaLinux, Rocky Linux) that are built on AlmaLinux 9. It also fixes a bug in the default runscript for converted OCI containers.
The OCI runscript issue, discovered by the Apptainer project on importing 3.10 series changes from SingularityCE, impacts containers that are directly pulled or built from an OCI source without a custom %runscript
. SingularityCE 3.10.0 and 3.10.1 generated a default runscript that could not always be executed by other tools. While execution of these containers with recent versions of SingularityCE is not impacted, we advise upgrading so that all containers built are compatible with other tools.
New features / functionalities
- Added EL9 package builds to CI for GitHub releases.
Bug Fixes
- Ensure no empty
if
branch is present in generated OCI image runscripts. Would prevent execution of container by other tools that are not using mvdan.cc/sh.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.10.2.tar.gz download below to obtain and install SingularityCE 3.10.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.18.4
SingularityCE 3.10.1
SingularityCE 3.10.1 is a patch release in the 3.10 series, with changes detailed below.
Note - Binary packages released via GitHub for 3.10.1 were built with Go 1.18.4, which addresses a number of CVEs present in earlier versions of Go. Although these are not critically applicable to SingularityCE, you may wish to update if you use the binary packages, or recompile if you build from source.
New features / functionalities
- Debug output can now be enabled by setting the
SINGULARITY_DEBUG
env var. - Debug output is now shown for nested
singularity
calls, in wrappedunsquashfs
image extraction, and build stages.
Bug Fixes
- Fix test code that implied
%test -c <shell>
was supported - it is not. - Fix compilation on
mipsel
.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.10.1.tar.gz download below to obtain and install SingularityCE 3.10.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/Alma/Rocky 8 (el8)
These packages were built with Go 1.18.4