Releases: sylabs/singularity
SingularityCE 4.2.2
SingularityCE 4.2.2 is a bugfix release in the 4.2 series.
Bug Fixes
- Fix regression from 4.1.5 that overwrites source image runscript, environment etc. in build from local image.
- Fall back to
$TMPDIR
as singularity-buildkitd root directory if~/.singularity
is on a filesystem that does not fully support overlay. - Add more intuitive error message for rootless
build --oci
when requiredXDG_RUNTIME_DIR
env var is not set. - Avoid error in CNI network setup with newer versions of iptables that include a setuid caller check.
New Features & Functionality
- In OCI-Mode, accommodate systems configured so that they do not create a
/run/user
session directory. OCI-Mode will now attempt to use$TMPDIR/singularity-oci-<uid>
for runtime state on systems where$XDG_RUNTIME_DIR
is not set and the default user session path of/run/user/<uid>
does not exist. Note that the$TMPDIR/singularity-oci-<uid>
directory is shared between concurrent--oci
mode invocations, and will not be removed on exit - an empty directory will remain.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.2.tar.gz download below to obtain and install SingularityCE 4.2.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.23.4
SingularityCE 4.2.1
SingularityCE 4.2.1 is a bugfix release in the 4.2 series.
Bug Fixes
- Fix regression that led to an empty shell field in the
/etc/passwd
file.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.1.tar.gz download below to obtain and install SingularityCE 4.2.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.7
SingularityCE 4.2.0
SingularityCE 4.2.0 is the first release in the 4.2 series, including various new features.
New Features & Functionality
- It is now possible to use multiple environment variable files using the
--env-file
flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take
precedence. singularity.conf
now accepts setting new options regarding namespaces:allow ipc ns
: disable the use of the--ipc
flag.allow user ns
: disable creation of user namespaces. This will prevent execution of containers with the--userns
or--fakeroot
flags, and unprivileged installations of SingularityCE.allow uts ns
: invalidate the use of the--uts
and--hostname
flags.
- A new
singularity data package
command allows files and directories to be packaged into an OCI-SIF data container. - A new
--layer-format
flag forsingularity push
allows layers in an OCI-SIF image to be pushed tolibrary://
anddocker://
registries insquashfs
(default) ortar
format. Images pushed with--layer-format tar
can be pulled and run by other OCI runtimes. - A writable overlay can be added to an OCI-SIF file with the
singularity overlay create
command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the--writable
flag. - A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the
singularity overlay sync
command to synchronize the OCI digests with the overlay content. - A new
singularity overlay seal
command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent. - Added a new
instance run
command that will execute the runscript when an instance is initiated instead of executing the startscript. - The new
--netns-path
flag takes a path to a network namespace to join when starting a container. Theroot
user may join any network namespace. An unprivileged user can only join a network namespace specified in the newallowed netns paths
directive insingularity.conf
, if they are also listed inallowed net users
/allowed net groups
. Not currently supported with--fakeroot
, or in--oci
mode.
Requirements
- Requires a minimum of Go 1.21.5 to build due to dependency updates.
- OCI-SIF embedded writable overlay functionality requires
fuse2fs
>= 1.46.6.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.0.tar.gz download below to obtain and install SingularityCE 4.2.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.6
SingularityCE 4.1.5
SingularityCE 4.1.5 is a patch release in the 4.1 series, including various bug fixes.
Bug Fixes
- Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (
docker://
) etc. - Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
- Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
- Fix issue where
--platform
/--arch
did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.5.tar.gz download below to obtain and install SingularityCE 4.1.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.6
v4.2.0-rc.1
This is the first release candidate for the upcoming 4.2 series of SingularityCE. We welcome all feedback and testing. Please continue to use the latest 4.1 release for production systems.
New Features & Functionality
- It is now possible to use multiple environment variable files using the
--env-file
flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence. singularity.conf
now accepts setting new options regarding namespaces:allow ipc ns
: disable the use of the--ipc
flag.allow user ns
: disable creation of user namespaces. This will prevent execution of containers with the--userns
or--fakeroot
flags, and unprivileged installations of SingularityCE.allow uts ns
: invalidate the use of the--uts
and--hostname
flags.
- A new
singularity data package
command allows files and directories to be packaged into an OCI-SIF data container. - A new
--layer-format
flag forsingularity push
allows layers in an OCI-SIF image to be pushed tolibrary://
anddocker://
registries insquashfs
(default) ortar
format. Images pushed with--layer-format tar
can be pulled and run by other OCI runtimes. - A writable overlay can be added to an OCI-SIF file with the
singularity overlay create
command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the--writable
flag. - A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the
singularity overlay sync
command to synchronize the OCI digests with the overlay content. - A new
singularity overlay seal
command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent. - Added a new
instance run
command that will execute the runscript when an instance is initiated instead of executing the startscript. - The new
--netns-path
flag takes a path to a network namespace to join when starting a container. Theroot
user may join any network namespace. An unprivileged user can only join a network namespace specified in the newallowed netns paths
directive insingularity.conf
, if they are also listed inallowed net users
/allowed net groups
. Not currently supported with--fakeroot
, or in--oci
mode.
Bug Fixes
- Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (
docker://
) etc. - Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
- Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
- Fix issue where
--platform
/--arch
did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.
Requirements
- Requires a minimum of Go 1.21.5 to build due to dependency updates.
- OCI-SIF embedded writable overlay functionality requires
fuse2fs
>= 1.46.6.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.2.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.6
SingularityCE 4.1.4
SingularityCE 4.1.4 is a patch release in the 4.1 series, including various bug fixes.
Bug Fixes
- Use ABI 3 for Apparmor profile on Ubuntu <23.10.
- Avoid unnecessary copying / extraction of OCI images and Docker tarballs into a layout directory when they are directly accessible as a local file / directory.
- Avoid unnecessary intermediate temporary image layout when building from Dockerfile to OCI-SIF.
%files from
in a definition file will now correctly copy symlinks that point to a target above the destination directory, but inside the destination stage rootfs.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.4.tar.gz download below to obtain and install SingularityCE 4.1.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.4
SingularityCE 4.1.3
SingularityCE 4.1.3 is a patch release in the 4.1 series, including various bug fixes.
Packages provided with this release now include a .deb for Ubuntu 24.04 (noble).
Requirements
- Requires a minimum of Go 1.21 to build. Go 1.20 is end-of-life.
Note - compilation with Go 1.22 currently causes an issue when using the PID namespace on distributions using older versions of glibc. We recommend using Go 1.21 at this time.
Bug Fixes
- Set default
PATH
in container run in OCI-Mode when image does not setPATH
. - Fix storage of credentials for
docker.io
to behave the same as forindex.docker.io
. - Improve documentation for
remote list
command. - Don't fail with lack of descriptor capacity when writing OCI images with many layers to OCI-SIF.
- Ensure a fixed number of spare descriptors is present in the OCI-SIF when pulling an OCI image.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.3.tar.gz download below to obtain and install SingularityCE 4.1.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.10
SingularityCE 4.1.2
SingularityCE 4.1.2 is a patch release in the 4.1 series, including various bug fixes.
Bug Fixes
- Set OCI runtime-spec annotations that are required by the documented image-spec conversion process.
- In
--oci
mode always set inner ID map based on host user, notUSER
in OCI container. Fixes incorrect permissions for files owned byUSER
in the container. - Provide warning / info message for OCI image-spec features (volumes, exposed ports) that are not supported by singularity.
- Honor
WORKDIR
by default for OCI images in--oci
mode, as required by OCI image-spec. - Restore previous
--writable
behaviour when running a container image from SIF/SquashFS in user namepace mode. The image will be extracted to a temporary sandbox, which is writable at runtime. Note that any changes are not made to the original image. - Fix
target: no such file or directory
error in native mode when extracting layers from certain OCI images that manipulate hard links across layers. - Fix extraction of OCI layers when run in a root mapped user namespace (e.g..
unshare -r
). - Use user namespace for wrapping of
unsquashfs
when singularity is run with --userns / -uflag. Fixes temporary sandbox extraction of images in non-root mapped user namespace (e.g.
unshare -c`).
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.2.tar.gz download below to obtain and install SingularityCE 4.1.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.7
SingularityCE 4.1.1
SingularityCE 4.1.1 is a patch release in the 4.1 series, including security and bug fixes.
Security Related Fixes
- Update
github.com/moby/buildkit
dependency, used for--oci
Dockerfile builds, addressing the following upstream CVEs:- CVE-2024-23650 Possible panic when incorrect parameters sent from frontend
- CVE-2024-23651 Possible race condition with accessing subpaths from cache mounts.
- CVE-2024-23652 Possible host system access from mount stub cleaner.
- CVE-2024-23653 Interactive containers API does not validate entitlements check.
Note also that in OCI-Mode, SingularityCE may call out to runc
versions vulnerable to CVE-2024-21626. runc
is not bundled with SingularityCE, and should be updated via your Linux distribution's package manager, or manually.
Bug Fixes
- Workaround segfault in
crun
v1.11+ when no resource limits are specified. containers/crun#1402
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.1.tar.gz download below to obtain and install SingularityCE 4.1.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.6
SingularityCE 4.1.0
SingularityCE 4.1.0 is the first release in the 4.1 series, introducing Dockerfile builds, multi-layer OCI-SIF images, and many other improvements. See the release notes below, and the user and admin guides for more information:
- https://docs.sylabs.io/guides/4.1/admin-guide/new.html
- https://docs.sylabs.io/guides/4.1/user-guide/new.html
Changed defaults / behaviours
-
--oci
mode containers and native mode instances can now be successfully started as a non-root user on cgroups v2 systems when both:- The system configuration / environment does not provide the correct information necessary to communicate with systemd via dbus.
- Resource limits (e.g.
--cpus
) have not been requested.
The container / instance will be started in the current cgroup, and information about the configuration issue displayed to the user as warnings.
-
In native mode, SIF/SquashFS container images will now be mounted with squashfuse when kernel mounts are disabled in
singularity.conf
, or cannot be used (non-setuid / user namespace workflow). If the FUSE mount fails, Singularity will fall back to extracting the container to a temporary sandbox in order to run it. -
In native mode, bare extfs container images will now be mounted with fuse2fs when kernel mounts are disabled in
singularity.conf
, or cannot be used (non-setuid / user namespace workflow).
New Features & Functionality
- The
registry login
andregistry logout
commands now support a--authfile <path>
flag, which causes the OCI credentials to be written to / removed from a custom file located at<path>
instead of the default location ($HOME/.singularity/docker-config.json
). The commandspull
,push
,run
,exec
,shell
, andinstance start
can now also be passed a--authfile <path>
option, to read OCI registry credentials from this custom file. - A new
--keep-layers
flag, for thepull
andrun/shell/exec/instance start
commands, allows individual layers to be preserved when an OCI-SIF image is created from an OCI source. Multi layer OCI-SIF images can be run with SingularityCE 4.1 and later. - Singularity will now build OCI-SIF images from Dockerfiles, if the
--oci
flag is used with thebuild
command. Provide a Dockerfile as the final argument tobuild
, instead of a Singularity definition (.def) file. Supports--build-arg
/--build-arg-file
options,--arch
for cross-architecture builds,--authfile
and other authentication options, and more. See the user guide for more information. - Docker-style SCIF containers (https://sci-f.github.io/tutorial-preview-install) are now supported. If the entrypoint of an OCI container is the
scif
executable, then therun
/exec
/shell
commands in--oci
mode can be given the--app <appname>
flag, and will automatically invoke the relevant SCIF command. - A new
--tmp-sandbox
flag has been added to therun / shell / exec / instance start
commands. This will force Singularity to extract a container to a temporary sandbox before running it, when it would otherwise perform a kernel or FUSE mount.
Bug Fixes
- Added missing
tmp sandbox
directive tosingularity.conf
template.
Deprecated Functionality
- The experimental
--sif-fuse
flag, andsif fuse
directive insingularity.conf
are deprecated. The flag and directive were used to enable experimental mounting of SIF/SquashFS container images with FUSE in prior versions of Singularity. From 4.1, FUSE mounts are used automatically when kernel mounts are disabled / not available.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.0.tar.gz download below to obtain and install SingularityCE 4.1.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.6