--writable-tmpfs
can be used withsingularity build
to run the%test
section of the build with a ephemeral tmpfs overlay, permitting tests that write to the container filesystem.--compat
flag for actions is a new short-hand to enable a number of options that increase OCI/Docker compatibility. Infers--containall, --no-init, --no-umask, --writable-tmpfs
. Does not use user, uts, or network namespaces as these may not be supported on many installations.--no-https
now applies to connections made to library services specified in--library://<hostname>/...
URIs.- The experimental
--nvccli
flag will usenvidia-container-cli
to setup the container for Nvidia GPU operation. Singularity will not bind GPU libraries itself. Environment variables that are used with Nvidia'sdocker-nvidia
runtime to configure GPU visibility / driver capabilities & requirements are parsed by the--nvccli
flag from the environment of the calling user. By default, thecompute
andutility
GPU capabilities are configured. Theuse nvidia-container-cli
option insingularity.conf
can be set toyes
to always usenvidia-container-cli
when supported.--nvccli
is not supported in the setuid workflow, and it requires being used in combination with--writable
in user namespace mode. Please see documentation for more details. - A new
--mount
flag andSINGULARITY_MOUNT
environment variable can be used to specify bind mounts intype=bind,source=<src>,destination=<dst>[,options...]
format. This improves CLI compatibility with other runtimes, and allows binding paths containing:
and,
characters (using CSV style escaping). - Perform concurrent multi-part downloads for
library://
URIs. Uses 3 concurrent downloads by default, and is configurable insingularity.conf
or via environment variables.
- Building Singularity from source requires go >=1.16. We now aim to support the two most recent stable versions of Go. This corresponds to the Go Release Maintenance Policy and Security Policy, ensuring critical bug fixes and security patches are available for all supported language versions. However, rpm and debian packaging apply patches to support older native go installations.
- LABELs from Docker/OCI images are now inherited. This fixes a longstanding
regression from Singularity 2.x. Note that you will now need to use
--force
in a build to override a label that already exists in the source Docker/OCI container. - Instances are no longer created with an IPC namespace by default. An IPC
namespace can be specified with the
-i|--ipc
flag. --bind
,--nv
and--rocm
options forbuild
command can't be set through environment variablesSINGULARITY_BIND
,SINGULARITY_BINDPATH
,SINGULARITY_NV
,SINGULARITY_ROCM
anymore due to side effects reported by users in this issue, they must be explicitely requested via command line.--nohttps
flag has been deprecated in favour of--no-https
. The old flag is still accepted, but will display a deprecation warning.- Removed
--nonet
flag, which was intended to disable networking for in-VM execution, but has no effect. - Paths for
cryptsetup
,go
,ldconfig
,mksquashfs
,nvidia-container-cli
,unsquashfs
are now found at build time bymconfig
and written intosingularity.conf
. The path to these executables can be overridden by changing the value insingularity.conf
. If the path for any of them other thancryptsetup
orldconfig
is not set insingularity.conf
then the executable will be found by searching$PATH
. - When calling
ldconfig
to find GPU libraries, singularity will not fall back to/sbin/ldconfig
if theldconfig
on$PATH
errors. If installing in a Guix/Nix on environment on top of a standard host distribution you must setldconfig path = /sbin/ldconfig
to use the host distributionldconfig
to find GPU libraries. - Example log-plugin rewritten as a CLI callback that can log all commands executed, instead of only container execution, and has access to command arguments.
- The bundled reference CNI plugins are updated to v1.0.1. The
flannel
plugin is no longer included, as it is maintained as a separate plugin at: https://github.com/flannel-io/cni-plugin. If you use the flannel CNI plugin you should install it from this repository. --nv
will not callnvidia-container-cli
to find host libraries, unless the new experimental GPU setup flow that employsnvidia-container-cli
for all GPU related operations is enabled (see above).- If a container is run with
--nvccli
and--contain
, only GPU devices specified via theNVIDIA_VISIBLE_DEVICES
environment variable will be exposed within the container. UseNVIDIA_VISIBLE_DEVICES=all
to access all GPUs inside a container run with--nvccli
. - Build
--bind
option allows to set multiple bind mount without specifying the--bind
option for each bindings. - The behaviour of the
allow container
directives insingularity.conf
has been modified, to support more intuitive limitations on the usage of SIF and non-SIF container images. If you use these directives, you may need to make changes to singularity.conf to preserve behaviour.- A new
allow container sif
directive permits or denies usage of unencrypted SIF images, irrespective of the filesystem(s) inside the SIF. - The
allow container encrypted
directive permits or denies usage of SIF images with an encrypted root filesystem. - The
allow container squashfs/extfs
directives insingularity.conf
permit or deny usage of bare SquashFS and EXT image files only. - The effect of the
allow container dir
directive is unchanged.
- A new
- Fix the oras contexts to avoid hangs upon failed pushed to Harbor registry.
- Added seccomp, cryptsetup, devscripts & correct go version test to debian packaging.
Additional changes include dependency updates for the SIF module (to v2.0.0), and migration to maintained versions of other modules. There is no change to functionality, on-disk SIF format etc.
- Fix regression introduced in 3.8.1 that caused bind mounts without a destination to be added twice.
- Fix regression when files
source
d from%environment
contain\
escaped shell builtins (fixes issue withsource
of conda profile.d script). - The
oci
commands will operate on systems that use the v2 unified cgroups hierarchy. singularity delete
will use the correct library service when the hostname is specified in thelibrary://
URI.singularity build
will use the correct library service when the hostname is specified in thelibrary://
URI / definition file.- Call
debootstrap
with correct Debian arch when it is not identical to the value ofruntime.GOARCH
. E.g.ppc64el -> ppc64le
. - When destination is ommitted in
%files
entry in definition file, ensure globbed files are copied to correct resolved path. - Return an error if
--tokenfile
used forremote login
to an OCI registry, as this is not supported. - Ensure repeated
remote login
to same URI does not create duplicate entries in~/.singularity/remote.yaml
. - Properly escape single quotes in Docker
CMD
/ENTRYPOINT
translation. - Use host uid when choosing unsquashfs flags, to avoid selinux xattr errors
with
--fakeroot
on non-EL/Fedora distributions with recent squashfs-tools. - Updated the modified golang-x-crypto module with the latest upstream version.
- Allow escaped
\$
in a SINGULARITYENV_ var to set a literal$
in a container env var. Also allow escaped commas and colons in the source bind path. - Handle absolute symlinks correctly in multi-stage build
%copy from
blocks. - Fix incorrect reference in sandbox restrictive permissions warning.
- Prevent garbage collection from closing the container image file descriptor.
- Update to Arch Linux pacman.conf URL and remove file size verification.
- Avoid panic when mountinfo line has a blank field.
⚠️ Go module was renamed fromgh.neting.cc/sylabs/singularity
github.com/hpcng/singularity
- A new
overlay
command allows creation and addition of writable overlays. - Administrators can allow named users/groups to use specific CNI network
configurations. Managed by directives in
singularity.conf
. - The
build
command now honors--nv
,--rocm
, and--bind
flags, permitting builds that require GPU access or files bound in from the host. - A library service hostname can be specified as the first component of a
library://
URL. - Singularity is now relocatable for unprivileged installations only.
- Respect http proxy server environment variables in key operations.
- When pushing SIF images to
oras://
endpoints, work around Harbor & GitLab failure to accept theSifConfigMediaType
. - Avoid a
setfsuid
compilation warning on some gcc versions. - Fix a crash when silent/quiet log levels used on pulls from
shub://
andhttp(s)://
URIs. - Wait for dm device to appear when mounting an encrypted container rootfs.
- Accommodate ppc64le pageSize in TestCgroups and disable -race.
- Fix Debian packaging
Testing changes are not generally itemized. However, developers and contributors
should note that this release has modified the behavior of make test
for ease
of use:
make test
runs limited unit and integration tests that will not require docker hub credentials.make testall
runs the full unit/integration/e2e test suite that requires docker credentials to be set withE2E_DOCKER_USERNAME
andE2E_DOCKER_PASSWORD
environment variables.
- CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.
- CVE-2021-29136:
A dependency used by Singularity to extract docker/OCI image layers can be
tricked into modifying host files by creating a malicious layer that has a
symlink with the name "." (or "/"), when running as root. This vulnerability
affects a
singularity build
orsingularity pull
as root, from a docker or OCI source.
- Fix progress bar display when source image size is unknown.
- Fix a memory usage / leak issue when building from an existing image file.
- Fix to allow use of
--library
flag to point push/pull at default cloud library when another remote is in use. - Address false positive loop test errors, and an e2e test registry setup issue.
- Accommodate /sys/fs/selinux mount changes on kernel 5.9+.
- Fix loop devices file descriptor leak when shared loop devices is enabled.
- Use MaxLoopDevices variable from config file in all appropriate locations.
- Use -buildmode=default (non pie) on ppc64le to prevent crashes when using plugins.
- Remove spurious warning in parseTokenSection()
- e2e test fixes for new kernels, new unsquashfs version.
- Show correct web URI for detached builds against alternate remotes.
- The singularity binary is now relocatable when built without setuid support
- Allow configuration of global custom keyservers, separate from remote endpoints.
- Add a new global keyring, for public keys only (used for ECL).
- The
remote login
command now supports authentication to Docker/OCI registries and custom keyservers. - New
--exclusive
option forremote use
allows admin to lock usage to a specific remote. - A new
Fingerprints:
header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints. - Labels can be set dynamically from a build's
%post
section by setting them in theSINGULARITY_LABELS
environment variable. - New
build-arch
label is automatically set to the architecture of the host during a container build. - New
-D/--description
flag forsingularity push
sets description for a library container image. singularity remote status
shows validity of authentication token if set.singularity push
reports quota usage and URL on successful push to a library server that supports this.- A new
--no-mount
flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled insingularity.conf
.
- When actions (run/shell/exec...) are used without
--fakeroot
the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new--no-umask
flag to return to the previous behaviour of setting a default 0022 umask. - Container metadata, environment, scripts are recorded in a descriptor in
builds to SIF files, and
inspect
will use this if present. - The
--nv
flag for NVIDIA GPU support will not resolve libraries reported bynvidia-container-cli
via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them. - General re-work of the
remote login
flow, adds prompts and token verification before replacing an existing authentication token. - The Execution Control List (ECL) now verifies container fingerprints using the new global keyring. Previously all users would need relevant keys in their own keyring.
- The SIF layer mediatype for ORAS has been changed to
application/vnd.sylabs.sif.layer.v1.sif
reflecting the published opencontainers/artifacts value. SINGULARITY_BIND
has been restored as an environment variable set within a running container. It now reflects all user binds requested by the-B/--bind
flag, as well as viaSINGULARITY_BIND[PATHS]
.singularity search
now correctly searches for container images matching the host architecture by default. A new--arch
flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned.
- Support larger definition files, environments etc. by passing engine configuration in the environment vs. via socket buffer.
- Ensure
docker-daemon:
and other source operations respectSINGULARITY_TMPDIR
for all temporary files. - Support double quoted filenames in the
%files
section of build definitions. - Correct
cache list
sizes to show KiB with powers of 1024, matchingdu
etc. - Don't fail on
enable fusemount=no
when no fuse mounts are needed. - Pull OCI images to the correct requested location when the cache is disabled.
- Ensure
Singularity>
prompt is set when container has no environment script, or singularity is called through a wrapper script. - Avoid build failures in
yum/dnf
operations against the 'setup' package onRHEL/CentOS/Fedora
by ensuring staged/etc/
files do not match distro default content. - Failed binds to
/etc/hosts
and/etc/localtime
in a container run with--contain
are no longer fatal errors. - Don't initialize the cache for actions where it is not required.
- Increase embedded shell interpreter timeout, to allow slow-running environment scripts to complete.
- Correct buffer handling for key import to allow import from STDIN.
- Reset environment to avoid
LD_LIBRARY_PATH
issues when resolving dependencies for theunsquashfs
sandbox. - Fall back to
/sbin/ldconfig
ifldconfig
onPATH
fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix. - Address issues caused by error code changes in
unsquashfs
version 4.4. - Ensure
/dev/kfd
is bound into container for ROCm when--rocm
is used with--contain
. - Tolerate comments on
%files
sections in build definition files. - Fix a loop device file descriptor leak.
- A change in Linux kernel 5.9 causes
--fakeroot
builds to fail with a/sys/fs/selinux
remount error. This will be addressed in Singularity v3.7.1.
Singularity 3.6.4 addresses the following security issue.
- CVE-2020-15229: Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs (a distribution provided utility used by Singularity), it is possible to overwrite/create files on the host filesystem during the extraction of a crafted squashfs filesystem. Affects unprivileged execution of SIF / SquashFS images, and image builds from SIF / SquashFS images.
- Update scs-library-client to support
library://
backends using an 3rd party S3 object store that does not strictly conform to v4 signature spec.
Singularity 3.6.3 addresses the following security issues.
-
CVE-2020-25039: When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.
-
CVE-2020-25040: When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
- The value for maximum number of loop devices in the config file is now used everywhere instead of redefining this value
- Add CAP_MKNOD in capability bounding set of RPC to fix issue with cryptsetup when decrypting image from within a docker container.
- Fix decryption issue when using both IPC and PID namespaces.
- Fix unsupported builtins panic from shell interpreter and add umask support for definition file scripts.
- Do not load keyring in prepare_linux if ECL not enabled.
- Ensure sandbox option overrides remote build destination.
- Add --force option to
singularity delete
for non-interactive workflows.
- Default to current architecture for
singularity delete
.
- Respect current remote for
singularity delete
command. - Allow
rw
as a (noop) bind option. - Fix capability handling regression in overlay mount.
- Fix LD_LIBRARY_PATH environment override regression with
--nv/--rocm
. - Fix environment variable duplication within singularity engine.
- Use
-user-xattrs
for unsquashfs to avoid error with rootless extraction using unsquashfs 3.4 (Ubuntu 20.04). - Correct
--no-home
message for 3.6 CWD behavior. - Don't fail if parent of cache dir not accessible.
- Fix tests for Go 1.15 Ctty handling.
- Fix additional issues with test images on ARM64.
- Fix FUSE e2e tests to use container ssh_config.
- Support compilation with
FORTIFY_SOURCE=2
and build inpie
mode withfstack-protector
enabled (#5433).
- Provide advisory message r.e. need for
upper
andwork
to exist in overlay images. - Use squashfs mem and processor limits in squashfs gzip check.
- Ensure build destination path is not an empty string - do not overwrite CWD.
- Don't unset PATH when interpreting legacy /environment files.
Singularity 3.6.0 introduces a new signature format for SIF images, and changes to the signing / verification code to address:
- CVE-2020-13845 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user.
- CVE-2020-13846 In
Singularity 3.5 the
--all / -a
option tosingularity verify
returns success even when some objects in a SIF container are not signed, or cannot be verified. - CVE-2020-13847 In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior.
Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
Note that the new signature format is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.
We thank Tru Huynh for a report that led to the review of, and changes to, the signature implementation.
- Singularity now supports the execution of minimal Docker/OCI containers that
do not contain
/bin/sh
, e.g.docker://hello-world
. - A new cache structure is used that is concurrency safe on a filesystem that
supports atomic rename. If you downgrade to Singularity 3.5 or older after
using 3.6 you will need to run
singularity cache clean
. - A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.
- The
--bind
flag can now bind directories from a SIF or ext3 image into a container. - The
--fusemount
feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag). This permits users to mount e.g.sshfs
andcvmfs
filesystems to the container at runtime. - A new
-c/--config
flag allows an alternativesingularity.conf
to be specified by theroot
user, or all users in an unprivileged installation. - A new
--env
flag allows container environment variables to be set via the Singularity command line. - A new
--env-file
flag allows container environment variables to be set from a specified file. - A new
--days
flag forcache clean
allows removal of items older than a specified number of days. Replaces the--name
flag which is not generally useful as the cache entries are stored by hash, not a friendly name. - A new '--legacy-insecure' flag to
verify
allows verification of SIF signatures in the old, insecure format. - A new '-l / --logs' flag for
instance list
that shows the paths to instance STDERR / STDOUT log files. - The
--json
output ofinstance list
now include paths to STDERR / STDOUT log files.
- New signature format (see security fixes above).
- Environment variables prefixed with
SINGULARITYENV_
always take precedence over variables withoutSINGULARITYENV_
prefix. - The
%post
build section inherits environment variables from the base image. %files from ...
will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour.- Restored the CWD mount behaviour of v2, implying that CWD path is not recreated inside container and any symlinks in the CWD path are not resolved anymore to determine the destination path inside container.
- The
%test
build section is executed the same manner assingularity test image
. --fusemount
with thecontainer:
default directive will foreground the FUSE process. Usecontainer-daemon:
for previous behavior.- Fixed spacing of
singularity instance list
to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names.
- Removed
--name
flag forcache clean
; replaced with--days
. - Deprecate
-a / --all
option tosign/verify
as new signature behavior makes this the default.
- Don't try to mount
$HOME
when it is/
(e.g.nobody
user). - Process
%appinstall
sections in order when building from a definition file. - Ensure
SINGULARITY_CONTAINER
,SINGULARITY_ENVIRONMENT
and the custom shell prompt are set inside a container. - Honor insecure registry settings from
/etc/containers/registries.conf
. - Fix
http_proxy
env var handling inyum
bootstrap builds. - Disable log colorization when output location is not a terminal.
- Check encryption keys are usable before beginning an encrypted build.
- Allow app names with non-alphanumeric characters.
- Use the
base
metapackage for arch bootstrap builds - arch no longer has abase
group. - Ensure library client messages are logged with
--debug
. - Do not mount
$HOME
with--fakeroot --contain
. - Fall back to underlay automatically when using a sandbox on GPFS.
- Fix Ctrl-Z handling - propagation of signal.
The following minor behaviour changes have been made in 3.5.3 to allow correct operation on CRAY CLE6, and correct an issue with multi-stage image builds that was blocking use by build systems such as Spack:
- Container action scripts are no longer bound in from
etc/actions.d
on the host. They are created dynamically and inserted at container startup. %files from ...
will no longer follow symlinks when copying between stages in a multi stage build, as symlinks should be copied so that they resolve identically in later stages. Copying%files
from the host will still maintain previous behavior of following links.
- Bind additional CUDA 10.2 libs when using the
--nv
option withoutnvidia-container-cli
. - Fix an NVIDIA persistenced socket bind error with
--writable
. - Add detection of ceph to allow workarounds that avoid issues with sandboxes on ceph filesystems.
- Ensure setgid is inherited during make install.
- Ensure the root directory of a build has owner write permissions, regardless of the permissions in the bootstrap source.
- Fix a regression in
%post
and%test
to honor the-c
option. - Fix an issue running
%post
when a container doesn't have/etc/resolv.conf
or/etc/hosts
files. - Fix an issue with UID detection on RHEL6 when running instances.
- Fix a logic error when a sandbox image is in an overlay incompatible location, and both overlay and underlay are disabled globally.
- Fix an issue causing user namespace to always be used when
allow-setuid=no
was configured in a setuid installation. - Always allow key IDs and fingerprints to be specified with or without a
0x
prefix when usingsingularity keys
- Fix an issue preventing joining an instance started with
--boot
. - Provide a useful error message if an invalid library:// path is provided.
- Bring in multi-part upload client functionality that will address large image upload / proxied upload issues with a future update to Sylabs cloud.
In addition, numerous improvements have been made to the test suites, allowing them to pass cleanly on a range of kernel versions and distributions that are not covered by the open-source CI runs.
- 700 permissions are enforced on
$HOME/.singularity
andSINGULARITY_CACHEDIR
directories (CVE-2019-19724). Many thanks to Stuart Barkley for reporting this issue.
-
Fixes an issue preventing use of
.docker/config
for docker registry authentication. -
Fixes the
run-help
command in the unprivileged workflow. -
Fixes a regression in the
inspect
command to support older image formats. -
Adds a workaround for an EL6 kernel bug regarding shared bind mounts.
-
Fixes caching of http(s) sources with conflicting filenames.
-
Fixes a fakeroot sandbox build error on certain filesystems, e.g. lustre, GPFS.
-
Fixes a fakeroot build failure to a sandbox in $HOME.
-
Fixes a fakeroot build failure from a bad def file section script location.
-
Fixes container execution errors when CWD is a symlink.
-
Provides a useful warning r.e. possible fakeroot build issues when seccomp support is not available.
-
Fixes an issue where the
--disable-cache
option was not being honored. -
Deprecated
--groupid
flag forsign
andverify
; replaced with--group-id
. -
Removed useless flag
--url
forsign
.
A single feature has been added in the bugfix release, with specific functionality:
- A new option
allow container encrypted
can be set tono
insingularity.conf
to prevent execution of encrypted containers.
This point release addresses the following issues:
- Fixes a disk space leak when building from docker-archive.
- Makes container process SIGABRT return the expected code.
- Fixes the
inspect
command in unprivileged workflow. - Sets an appropriate default umask during build stages, to avoid issues with very restrictive user umasks.
- Fixes an issue with build script content being consumed from STDIN.
- Corrects the behaviour of underlay with non-empty / symlinked CWD and absolute symlink binds targets.
- Fixes execution of containers when binding BTRFS filesystems.
- Fixes build / check failures for MIPS & PPC64.
- Ensures file ownership maintained when building image from sandbox.
- Fixes a squashfs mount error on kernel 5.4.0 and above.
- Fixes an underlay fallback problem, which prevented use of sandboxes on lustre filesystems.
- New support for AMD GPUs via
--rocm
option added to bind ROCm devices and libraries into containers. - Plugins can now modify Singularity behaviour with two mutators: CLI and Runtime.
- Introduced the
config global
command to editsingularity.conf
settings from the CLI. - Introduced the
config fakeroot
command to setupsubuid
andsubgid
mappings for--fakeroot
from the Singularity CLI.
- Go 1.13 adopted.
- Vendored modules removed from the Git tree, will be included in release tarballs.
- Singularity will now fail with an error if a requested bind mount cannot be
made.
- This is beneficial to fail fast in workflows where a task may fail a long way downstream if a bind mount is unavailable.
- Any unavailable bind mount sources must be removed from
singularity.conf
.
- Docker/OCI image extraction now faithfully respects layer permissions.
- This may lead to sandboxes that cannot be removed without modifying permissions.
--fix-perms
option added to preserve old behaviour when building sandboxes.- Discussion issue for this change at: https://github.com/sylabs/singularity/issues/4671
Singularity>
prompt is always set when entering shell in a container.- The current
umask
will be honored when building a SIF file. instance exec
processes acquire cgroups set oninstance start
--fakeroot
supports uid/subgid ranges >65536singularity version
now reports semver compliant version information.
- Deprecated
--id
flag forsign
andverify
; replaced with--sif-id
.
- This point release addresses the following issues:
- Sets workable permissions on OCI -> sandbox rootless builds
- Fallback correctly to user namespace for non setuid installation
- Correctly handle the starter-suid binary for non-root installs
- Creates CACHEDIR if it doesn't exist
- Set apex loglevel for umoci to match singularity loglevel
- This point release addresses the following issues:
- Fixes an issue where a PID namespace was always being used
- Fixes compilation on non 64-bit architectures
- Allows fakeroot builds for zypper, pacstrap, and debootstrap
- Correctly detects seccomp on OpenSUSE
- Honors GO_MODFLAGS properly in the mconfig generated makefile
- Passes the Mac hostname to the VM in MacOS Singularity builds
- Handles temporary EAGAIN failures when setting up loop devices on recent kernels
- Fixes excessive memory usage in singularity push
- New support for building and running encrypted containers with RSA keys and
passphrases
--pem-path
option added to thebuild
and action commands for RSA based encrypted containers--passphrase
option added tobuild
and action commands for passphrase based encrypted containersSINGULARITY_ENCRYPTION_PEM_PATH
andSINGULARITY_ENCRYPTION_PASSPHRASE
environment variables added to serve same functions as above--encrypt
option added tobuild
command to build an encrypted container when environment variables contain a secret
- New
--disable-cache
flag prevents caching of downloaded containers - Added support for multi-line variables in singularity def-files
- Added support for 'indexed' def-file variables (like arrays)
- Added support for SUSE SLE Products
- Added the def-file variables: product, user, regcode, productpgp, registerurl, modules, otherurl (indexed)
- Support multiple-architecture tags in the SCS library
- Added a
--dry-run
flag tocache clean
- Added a
SINGULARITY_SYPGPDIR
environment variable to specify the location of PGP key data - Added a
--nonet
option to the action commands to disable networking when running with the--vm
option - Added a
--long-list
flag to thekey search
command to preserve - Added experimental, hidden
--fusemount
flag to pass a command to mount a libfuse3 based file system within the container
- Runtime now properly honors
SINGULARITY_DISABLE_CACHE
environment variable remote add
command now automatically attempts to login and a--no-login
flag is added to disable this behavior- Using the
pull
command to download an unsigned container no longer produces an error code cache clean
command now prompts user before cleaning when run without--force
option and is more verbose- Shortened the default output of the
key search
command
- The
--allow-unsigned
flag topull
has been deprecated and will be removed in the future
- Remote login and status commands will now use the default remote if a remote name is not supplied
- Added Singularity hub (
shub
) cache support when using thepull
command - Clean cache in a safer way by only deleting the cache subdirectories
- Improvements to the
cache clean
command
- new
oras
URI for pushing and pulling SIF files to and from supported OCI registries - added the
--fakeroot
option tobuild
,exec
,run
,shell
,test
, andinstance start
commands to run container in a new user namespace as uid 0 - added the
fakeroot
network type for use with the--network
option sif
command to allow for the inspection and manipulation of SIF files with the following subcommandsadd
Add a data object to a SIF filedel
Delete a specified object descriptor and data from SIF filedump
Extract and output data objects from SIF filesheader
Display SIF global headersinfo
Display detailed information of object descriptorslist
List object descriptors from SIF filesnew
Create a new empty SIF image filesetprim
Set primary system partition
- This point release fixes the following bugs:
- Allows users to join instances with non-suid workflow
- Removes false warning when seccomp is disabled on the host
- Fixes an issue in the terminal when piping output to commands
- Binds NVIDIA persistenced socket when
--nv
is invoked
- Instance files are now stored in user's home directory for privacy and many
checks have been added to ensure that a user can't manipulate files to change
starter-suid
behavior when instances are joined (many thanks to Matthias Gerstner from the SUSE security team for finding and securely reporting this vulnerability)
- Introduced a new basic framework for creating and managing plugins
- Added the ability to create containers through multi-stage builds
- Definitions now require
Bootstrap
be the first parameter of header
- Definitions now require
- Created the concept of a Sylabs Cloud "remote" endpoint and added the ability for users and admins to set them through CLI and conf files
- Added caching for images from Singularity Hub
- Made it possible to compile Singularity outside of
$GOPATH
- Added a json partition to SIF files for OCI configuration when building from an OCI source
- Full integration with Singularity desktop for MacOS code base
-
Introduced the
plugin
command group for creating and managing pluginscompile
Compile a singularity plugindisable
disable an installed singularity pluginenable
Enable an installed singularity plugininspect
Inspect a singularity plugin (either an installed one or an image)install
Install a singularity pluginlist
List installed singularity pluginsuninstall
Uninstall removes the named plugin from the system
-
Introduced the
remote
command group to support management of Singularity endpoints:add
Create a new Sylabs Cloud remote endpointlist
List all remote endpoints that are configuredlogin
Log into a remote endpoint using an authentication tokenremove
Remove an existing Sylabs Cloud remote endpointstatus
Check the status of the services at an endpointuse
Set a remote endpoint to be used by default
-
Added to the
key
command group to improve PGP key management:export
Export a public or private key into a specific fileimport
Import a local key into the local keyringremove
Remove a local public key
-
Added the
Stage: <name>
keyword to the definition file header and thefrom <stage name>
option/argument pair to the%files
section to support multistage builds
- The
--token/-t
option has been deprecated in favor of thesingularity remote
command group
- Ask to confirm password on a newly generated PGP key
- Prompt to push a key to the KeyStore when generated
- Refuse to push an unsigned container unless overridden with
--allow-unauthenticated/-U
option - Warn and prompt when pulling an unsigned container without the
--allow-unauthenticated/-U
option Bootstrap
must now be the first field of every header because of parser requirements for multi-stage builds
- New hidden
buildcfg
command to display compile-time parameters - Added support for
LDFLAGS
,CFLAGS
,CGO_
variables in build system - Added
--nocolor
flag to Singularity client to disable color in logging
singularity capability <add/drop> --desc
has been removedsingularity capability list <--all/--group/--user>
flags have all been removed
- The
--builder
flag to thebuild
command implicitly sets--remote
- Repeated binds no longer cause Singularity to exit and fail, just warn instead
- Corrected typos and improved docstrings throughout
- Removed warning when CWD does not exist on the host system
- Added support to spec file for RPM building on SLES 11
- Introduced the
oci
command group to support a new OCI compliant variant of the Singularity runtime:attach
Attach console to a running container processcreate
Create a container from a bundle directorydelete
Delete containerexec
Execute a command within containerkill
Kill a containermount
Mount create an OCI bundle from SIF imagepause
Suspends all processes inside the containerresume
Resumes all processes previously paused inside the containerrun
Create/start/attach/delete a container from a bundle directorystart
Start container processstate
Query state of a containerumount
Umount delete bundleupdate
Update container cgroups resources
- Added
cache
command group to inspect and manage cached filesclean
Clean your local Singularity cachelist
List your local Singularity cache
- Can now build CLI on darwin for limited functionality on Mac
- Added the
scratch
bootstrap agent to build from anything - Reintroduced support for zypper bootstrap agent
- Added the ability to overwrite a new
singularity.conf
when building from RPM if desired - Fixed several regressions and omissions in SCIF support
- Added caching for containers pulled/built from the Container Library
- Changed
keys
command group tokey
(retained hiddenkeys
command for backward compatibility) - Created an
RPMPREFIX
variable to allow RPMs to be installed in custom locations - Greatly expanded CI unit and end-to-end testing
- Bind paths in
singularity.conf
are properly parsed and applied at runtime - Singularity runtime will properly fail if
singularity.conf
file is not owned by the root user - Several improvements to RPM packaging including using golang from epel, improved support for Fedora, and avoiding overwriting conf file on new RPM install
- Unprivileged
--contain
option now properly mountsdevpts
on older kernels - Uppercase proxy environment variables are now rightly respected
- Add http/https protocols for singularity run/pull commands
- Update to SIF 1.0.2
- Add noPrompt parameter to
pkg/signing/Verify
function to enable silent verification
- Added the
--docker-login
flag to enable interactive authentication with docker registries - Added support for pulling directly from HTTP and HTTPS
- Made minor improvements to RPM packaging and added basic support for alpine packaging
- The
$SINGULARITY_NOHTTPS
,$SINGULARITY_TMPDIR
, and$SINGULARITY_DOCKER_USERNAME
/$SINGULARITY_DOCKER_PASSWORD
environment variables are now correctly respected - Pulling from a private shub registry now works as expected
- Running a container with
--network="none"
no longer incorrectly fails with an error message - Commands now correctly return 1 when incorrectly executed without arguments
- Progress bars no longer incorrectly display when running with
--quiet
or--silent
- Contents of
91-environment.sh
file are now displayed if appropriate when runninginspect --environment
- Improved RPM packaging procedure via makeit
- Enhanced general stability of runtime
- Singularity is now written primarily in Go to bring better integration with the existing container ecosystem
- Added support for new URIs (
build
&run/exec/shell/start
):library://
- Supports the Sylabs.io Cloud Librarydocker-daemon:
- Supports images managed by the locally running docker daemondocker-archive:
- Supports archived docker imagesoci:
- Supports oci imagesoci-archive:
- Supports archived oci images
- Handling of
docker
&oci
URIs/images now utilizes containers/image to parse and convert those image types in a supported way - Replaced
singularity instance.*
command group withsingularity instance *
- The command
singularity help
now only provides help regarding the usage of thesingularity
command. To display an image'shelp
message, usesingularity run-help <image path>
instead
- Removed deprecated
singularity image.*
command group - Removed deprecated
singularity create
command - Removed deprecated
singularity bootstrap
command - Removed deprecated
singularity mount
command - Removed deprecated
singularity check
command
- Added
singularity run-help <image path>
command to output an image'shelp
message - Added
singularity sign <image path>
command to allow a user to cryptographically sign a SIF image - Added
singularity verify <image path>
command to allow a user to verify a SIF image's cryptographic signatures - Added
singularity keys
command to allow the management ofOpenPGP
key stores - Added
singularity capability
command to allow fine grained control over the capabilities of running containers - Added
singularity push
command to push images to the Sylabs.io Cloud Library
- Added flags:
--add-caps <string>
: Run the contained process with the specified capability set (requires root)--allow-setuid
: Allows setuid binaries to be mounted into the container (requires root)--apply-cgroups <path>
: Apply cgroups configuration from file to contained processes (requires root)--dns <string>
: Adds the comma separated list of DNS servers to the containersresolv.conf
file--drop-caps <string>
: Drop the specified capabilities from the container (requires root)--fakeroot
: Run the container in a user namespace asuid=0
. Requires a recent kernel to function properly--hostname <string>
: Set the hostname of the container--keep-privs
: Keep root user privilege inside the container (requires root)--network <string>
: Specify a list of comma separated network types (CNI Plugins) to be present inside the container, each with its own dedicated interface in the container--network-args <string>
: Specify arguments to pass to CNI network plugins (set by--network
)--no-privs
: Drop all privileges from root user inside the container (requires root)--security <string>
: Configure security features such as SELinux, Apparmor, Seccomp...--writable-tmpfs
: Run container with atmpfs
overlay
- The command
singularity instance start
now supports the--boot
flag to boot the container via/sbin/init
- Changes to image mounting behavior:
- All image formats are mounted as read only by default
--writable
only works on images which can be mounted in read/write [applicable to:sandbox
and legacyext3
images]--writable-tmpfs
runs the container with a writabletmpfs
-based overlay [applicable to: all image formats]--overlay <string>
now specifies a list ofext3
/sandbox
images which are set as the containers overlay [applicable to: all image formats]
- All images are now built as Singularity Image Format (SIF) images by default
- When building to a path that already exists,
singularity build
will now prompt the user if they wish to overwrite the file existing at the specified location - The
-w|--writable
flag has been removed - The
-F|--force
flag now overrides the interactive prompt and will always attempt to overwrite the file existing at the specified location - The
-u|--update
flag has been added to support the workflow of running a definition file on top of an existing container [implies--sandbox
, only supportssandbox
image types] - The
singularity build
command now supports the following flags for integration with the Sylabs.io Cloud Library:-r|--remote
: Build the image remotely on the Sylabs Remote Builder (currently unavailable)-d|--detached
: Detach from thestdout
of the remote build [requires--remote
]--builder <string>
: Specifies the URL of the remote builder to access--library <string>
: Specifies the URL of the Sylabs.io Cloud Library to push the built image to when the build command destination is in the formlibrary://<reference>
- The
bootstrap
keyword in the definition file now supports the following values:library
docker-daemon
docker-archive
oci
oci-archive
- The
from
keyword in the definition file now correctly parses adocker
URI which includes theregistry
and/ornamespace
components - The
registry
andnamespace
keywords in the definition file are no longer supported. Instead, those values may all go into thefrom
keyword - Building from a tar archive of a
sandbox
no longer works