SingularityCE 3.10.0

SingularityCE 3.10.0 is the first release in the 3.10 series, with changes, new features, and bug fixes detailed below.

Please note that some dependencies have changed, the master develop branch has been renamed to main, and you should now use --recurse-submodules when git cloning the SingularityCE source code repository, or checking out a branch / release. See the INSTALL.md or admin guide for details.

Changed defaults / behaviours

• master branch of GitHub repository has been renamed to main.
• oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default.
• Default hostname for oci mount containers is now singularity instead of mrsdalloway.
• systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in singularity.conf to manage cgroups directly via the cgroupfs.
• The singularity oci command group now uses runc to manage containers.
• The singularity oci commands use conmon which is built from a git submodule, unless --without-conmon is specified as an argument to mconfig, in which case Singularity will search PATH for conmon. Version >=2.0.24 of conmon is required.
• The singularity oci flags --sync-socket, --empty-process, and --timeout have been removed.
• Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error.
• Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE go.mod file. Required for Go 1.18 support.
• seccomp support is not disabled automatically in the absence of seccomp headers at build time. Run mconfig using --without-seccomp and --without-conmon to disable seccomp support and building of conmon (which requires seccomp headers).
• SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
• Added --no-eval to the list of flags set by the OCI/Docker --compat mode (see below).

New features / functionalities

• Updated seccomp support allows use of seccomp profiles that set an error return code with errnoRet and defaultErrnoRet. Previously EPERM was hard coded. The example etc/seccomp-profiles/default.json has been updated.
• Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups.
• The --no-mount flag & SINGULARITY_NO_MOUNT env var can now be used to disable a bind path entry from singularity.conf by specifying the absolute path to the destination of the bind.
• Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
• Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly.
• Allow experimental direct mount of SIF images with squashfuse in user-namespace / no-setuid mode.
• New action flag --no-eval which:
  • Prevents shell evaluation of SINGULARITYENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
  • Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use singularity inspect to check version that container was built with.
• Add support for %files section in remote builds, when a compatible remote is used.

Bug Fixes

• Allow newgidmap / newuidmap that use capabilities instead of setuid root.
• Corrected key search output for results from some servers, and keys with multiple names.
• Pass through a literal \n in host environment variables to container.
• Address 401 error pulling from private library:// projects.
• Correctly launch CleanupHost process only when needed in --sif-fuse flow.
• Add specific error for unreadable image / overlay file.
• Ensure cgroups device limits are default allow per past behavior.
• Improve error message when remote build server does not support the %files section.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0.tar.gz download below to obtain and install SingularityCE 3.10.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.2

SingularityCE 3.10.0 Release Candidate 2

This is the second release candidate for the upcoming SingularityCE 3.10 release.

The following changes are present in addition to those introduced in RC1 (https://github.com/sylabs/singularity/releases/tag/v3.10.0-rc.1)

New features / functionalities

• Add support for %files section in remote builds, when a compatible remote is used.

Bug Fixes

• Correctly launch CleanupHost process only when needed in --sif-fuse flow.
• Add specific error for unreadable image / overlay file.
• Ensure cgroups device limits are default allow per past behavior.
• Improve error message when remote build server does not support the %files section.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.10.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.2

SingularityCE 3.10.0 Release Candidate 1

This is the first release candidate for the upcoming SingularityCE 3.10 release.

We would be grateful for any testing you can perform, and all feedback you can give. As this is a pre-release, you may not want to install it on a production system

Changed defaults / behaviours

• oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default.
• Default hostname for oci mount containers is now singularity instead of mrsdalloway.
• systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in singularity.conf to manage cgroups directly via the cgroupfs.
• The singularity oci command group now uses runc to manage containers.
• The singularity oci commands use conmon which is built from a git submodule, unless --without-conmon is specified as an argument to mconfig, in which case Singularity will search PATH for conmon. Version >=2.0.24 of conmon is required.
• The singularity oci flags --sync-socket, --empty-process, and --timeout have been removed.
• Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error.
• Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE go.mod file. Required for Go 1.18 support.
• seccomp support is not disabled automatically in the absence of seccomp headers at build time. Run mconfig using --without-seccomp and --without-conmon to disable seccomp support and building of conmon (which requires seccomp headers).
• SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
• Added --no-eval to the list of flags set by the OCI/Docker --compat mode (see below).

New features / functionalities

• Updated seccomp support allows use of seccomp profiles that set an error return code with errnoRet and defaultErrnoRet. Previously EPERM was hard coded. The example etc/seccomp-profiles/default.json has been updated.
• Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups.
• The --no-mount flag & SINGULARITY_NO_MOUNT env var can now be used to disable a bind path entry from singularity.conf by specifying the absolute path to the destination of the bind.
• Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
• Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly.
• Allow experimental direct mount of SIF images with squashfuse in user-namespace / no-setuid mode.
• New action flag --no-eval which:
  • Prevents shell evaluation of SINGULARITYENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
  • Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use singularity inspect to check version that container was built with.

Bug Fixes

• Allow newgidmap / newuidmap that use capabilities instead of setuid root.
• Corrected key search output for results from some servers, and keys with multiple names.
• Pass through a literal \n in host environment variables to container.
• Address 401 error pulling from private library:// projects.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.10.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.1

SingularityCE 3.9.9

SingularityCE 3.9.9 is a bugfix / packaging release, with the following changes:

Bug Fixes

• Use HEAD request when checking digest of remote OCI image sources, with GET as a fall-back. Greatly reduces Singularity's impact on Docker Hub API limits.

New features / functionalities

• Add package build for Ubuntu 22.04 LTS.

Known Issues

• When built with Go 1.18, some plugins fail to load (more detail available here). This will be fixed in the next minor release (3.10.x). Users utilizing plugins with SingularityCE 3.9.x should use version 1.17.x of the Go toolchain.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.9.tar.gz download below to obtain and install SingularityCE 3.9.9. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.9

SingularityCE 3.9.8

SingularityCE 3.9.8 is a bugfix release, with the following changes:

In accordance with our Go version compatibility policy, SingularityCE now targets Go 1.17 and Go 1.18. You may need to upgrade from an older Go version to build SingularityCE.

Bug fixes

• Do not truncate environment variables with commas when using --env.
• Fix error when pushing to host-less library:// URIs

Known Issues

• When built with Go 1.18, some plugins fail to load (more detail available here). This will be fixed in the next minor release (3.10.x). Users utilizing plugins with SingularityCE 3.9.x should use version 1.17.x of the Go toolchain.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.8.tar.gz download below to obtain and install SingularityCE 3.9.8. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.8

SingularityCE 3.9.7

SingularityCE 3.9.7 is a bugfix release, with the following changes:

Bug fixes

• Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
• Avoid cleanup panic when invalid file specified for --apply-cgroups.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.7.tar.gz download below to obtain and install SingularityCE 3.9.7. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.8

SingularityCE 3.9.6

SingularityCE 3.9.6 is an architecture support / bugfix release, with the following changes:

New features / functionalities

• SingularityCE now supports the riscv64 architecture.

Bug fixes

• Correct library bindings for unsquashfs containment. Fixes errors where resolved library filename does not match library filename in binary (e.g. EL8, POWER9 with glibc-hwcaps).

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.6.tar.gz download below to obtain and install SingularityCE 3.9.6. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.7

SingularityCE 3.9.5

SingularityCE 3.9.5 is a bugfix release, with the following changes:

Changed defaults / behaviours

• make install now installs man pages. A separate make man is not required.

Bug fixes

• GitHub .deb packages correctly include man pages.
• Update dependency to correctly unset variables in container startup environment processing. Fixes regression in v3.9.2 affecting precedence of host/container environment variables.
• Remove subshell overhead when processing large environments on container startup. Reduces container startup time by >25x for a 5000 variable, 500KiB environment.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.5.tar.gz download below to obtain and install SingularityCE 3.9.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.6

SingularityCE 3.9.4

Bug fixes

• Address timeout in library pull single stream download.

This release includes a single bugfix to address context timeout errors that may be experienced when pulling larger images, or small images over a slow connection, from the recently updated Sylabs Cloud or Singularity Enterprise 2.x Library.

The errors affect SingularityCE >=3.9.0

If you pull images from the Sylabs Cloud or Singularity Enterprise 2.x Library, the new 3.9.4 release provides an immediate fix for the problem.

Separately, Sylabs is working to design and implement a server-side mitigation for the issue. If it is possible, this would mitigate the issue without the need to upgrade your SingularityCE installation.

We sincerely apologize for the recent inconvenience following updates to the Sylabs Cloud. We are working to resolve all remaining issues, and will conduct a review to identify process improvements for the future.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.4.tar.gz download below to obtain and install SingularityCE 3.9.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.6

SingularityCE 3.9.3

Bug fixes

• Ensure MIGs are visible with --nvccli in non-contained mode, to match the legacy GPU binding behaviour.
• Avoid fd leak in loop device transient error path.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.3.tar.gz download below to obtain and install SingularityCE 3.9.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.17.5