Singularity 2.6.0 Release

Greetings Singularity-ers!

It is my great pleasure to announce the release of version 2.6.0! This release has a few bug fixes and lot of cool new features that are detailed below.

Please note that 2.6.0 is expected to be the final feature release in the 2.x series. While bug fixes may be added via point releases (for example 2.6.1) no new features releases (for example 2.7.0) are planned.

Pull requests adding features to the 2.x series will no longer be reviewed. Any new features should be targeted to the master branch (which used to be called development-3.0).

For more information about the reorganization of Singularity branches in the GitHub repo, please see this Sylabs lab notes.

Thanks and have fun!

Implemented enhancements

• Allow admin to specify a non-standard location for mksquashfs binary at
  build time with --with-mksquashfs option #1662
• --nv option will use nvidia-container-cli if installed #1681
• nvliblist.conf now has a section for binaries #1681
• --nv can be made default with all action commands in singularity.conf #1681
• --nv can be controlled by env vars $SINGULARITY_NV and
  $SINGULARITY_NV_OFF #1681
• Refactored travis build and packaging tests #1601
• Added build and packaging tests for Debian 8/9 and openSUSE 42.3/15.0 #1713
• Restore shim init process for proper signal handling and child reaping when
  container is initiated in its own PID namespace #1221
• Add -i option to image.create to specify the inode ratio. #1759
• Bind /dev/nvidia* into the container when the --nv flag is used in
  conjuction with the --contain flag #1358
• Add --no-home option to not mount user $HOME if it is not the $CWD and
  mount home = yes is set. #1761
• Added support for OAUTH2 Docker registries like Azure Container Registry #1622

Bug fixes

• Fix 404 when using Arch Linux bootstrap #1731
• Fix environment variables clearing while starting instances #1766

As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.5.2 Release

Greetings Singularity containerizers!

This release contains fixes for a high severity security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container.

Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set enable overlay = no in singularity.conf.

In addition, this release contains a large number of bug fixes. Details follow:

Security related fixes

• Removed the option to use overlay images with singularity mount. This
  flaw could allow a malicious user accessing the host system to access
  sensitive information when coupled with persistent ext3 overlay.
• Fixed a race condition that might allow a malicious user to bypass directory
  image restrictions, like mounting the host root filesystem as a container
  image

Bug fixes

• Fix an error in malloc allocation #1620
• Honor debug flag when pulling from docker hub #1556
• Fix a bug with passwd abort #1580
• Allow user to override singularity.conf "mount home = no" with --home option
  #1496
• Improve debugging output #1535
• Fix some bugs in bind mounting #1525
• Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will
  work with kernels that implement them (like Cray systems) #1506
• Create /dev/fd and standard streams symlinks in /dev when using minimal dev
  mount or when specifying -c/-C/--contain option #1420
• Fixed * expansion during app runscript creation #1486

As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.5.1 Release

Greetings Singularity community!

This is a bug fix point release to the 2.5 feature branch.

Bug fixes

• Corrected a permissions error when attempting to run Singularity from a
  directory on NFS with root_squash enabled
• Fixed a bug that closed a socket early, preventing correct container
  execution on hosts using identity services like SSSD
• Fixed a regression that broke the debootstrap agent

As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.5.0 Release

Greetings Singularity containerizers!

This release includes fixes for several high and medium severity security issues. It also contains a whole slew of bug fixes including the much awaited docker aufs whiteout file fix. It's a new release instead of a point release because it adds a new dependency to handle this bug, includes some new (albeit minor) feature enhancements, and changes the behavior of a few environment variables (see below).

Singularity 2.5 should be installed immediately and all previous versions of Singularity should be removed. Many of the vulnerabilities fixed in this release are expected to affect all Linux distributions regardless of whether they implement overlayfs. There are no mitigations or workarounds for these issues outside of updating Singularity.

Additionally, Singularity 2.5 drops support for hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS. The PR_SET_NO_NEW_PRIVS feature was added to prctl() in the Linux 3.5 kernel. Various distributions have since backported this feature to currently maintained kernels (for example, Red Hat added this feature to RHEL 6.7 with the 2.6.32-504.16.2 kernel). Kernels that do not have this feature are inherently insecure in many ways. They do not implement container runtimes securely. Blocks have therefore been put in place to prevent Singularity 2.5 from building or running on vulnerable kernels.

Security related fixes

Patches are provided to prevent a malicious user with the ability to log in to
the host system and use the Singularity container runtime from carrying out any
of the following actions:

• Create world writable files in root-owned directories on the host system by
  manipulating symbolic links and bind mounts
• Create folders outside of the container by manipulating symbolic links in
  conjunction with the --nv option or by bypassing check_mounted function
  with relative symlinks
• Bypass the enable overlay = no option in the singularity.conf
  configuration file by setting an environment variable
• Exploit buffer overflows in src/util/daemon.c and/or
  src/lib/image/ext3/init.c (reported by Erik Sjölund (DBB, Stockholm
  University, Sweden))
• Forge of the pid_path to join any Singularity namespace (reported by Erik
  Sjölund (DBB, Stockholm University, Sweden))

Implemented enhancements

• Restore docker-extract aufs whiteout handling that implements correct
  extraction of docker container layers. This adds libarchive-devel as a
  build time dep. At runtime libarchive is needed for whiteout handling. If
  libarchive is not available at runtime will fall back to previous
  extraction method.
• Changed behavior of SINGULARITYENV_PATH to overwrite container PATH and
  added SINGULARITYENV_PREPEND_PATH and SINGULARITYENV_APPEND_PATH for users
  wanting to prepend or append to the container PATH at runtime

Bug fixes

• Support pulls from the NVIDIA cloud docker registry (fix by Justin Riley,
  Harvard)
• Close socket file descriptors in fd_cleanup
• Fix conflict between --nv and --contain options
• Throw errors at build and runtime if NO_NEW_PRIVS is not present and working
• Reset umask to 0022 at start to correct several errors
• Verify docker layers after download with sha256 checksum
• Do not make excessive requests for auth tokens to docker registries
• Fixed stripping whitespaces and empty new lines for the app commands (fix by
  Rafal Gumienny, Biozentrum, Basel)
• Improved the way that working directory is mounted
• Fixed an out of bounds array in src/lib/image/ext3/init.c

And as always, report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.4.6 Release

This release addresses a high severity security issue with bind mounts on hosts using overlayfs. This fixes a vulnerability that could allow a malicious user to create files and directories outside of a Singularity container. Special thanks to Lars Viklund (HPC2N, Umeå University, Sweden) for identifying and helping test fixes for this bug.

But fixes include:

• Fix for check_mounted() to check parent directories #1436
• Free strdupped temporary variable in joinpath #1438

Please note that this release is being made with minimal community testing to allow administrators to expedite the patch process. Without full community testing, this release may not be completely stable. It's up to administrators to decide if they value stability or security when choosing whether to install 2.4.6.

And as always, report any bugs to:
https://github.com/singularityware/singularity/issues/new

Thanks!

Singularity 2.4.5 Release

Hello Singularity users

This is a security-related point release, bringing the following fix thanks to Justin Riley (@jtriley):

PR 1387/1397 - python: strip "Authorization" header on (urllib) redirects to different domains

The security fix prevents Singularity from leaking credentials if:

• You are logging in to a docker registry with credentials
• The registry redirects you to a 3rd party host (e.g. S3 for download of layers)

The fix ensures that in this situation the HTTP “Authorization” header is stripped from the redirected request, to prevent leaking of registry credentials to the 3rd party.

As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.4.4 Release

Hello Singularity users

This is a bug fix point release to the 2.4 feature branch. It removes the docker-extract functionality that was added in version 2.4.3. This feature added a new dependency and was subsequently found to increase the Singularity attack surface by unnecessarily linking the action-suid binary to libarchive, when compiled on specific Linux distributions. This feature will be re-implemented in a future release.

As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.4.3 Release

EDIT:
Shortly after the release of Singularity 2.4.3 a community member discovered that a newly-added dependency increases the Singularity attack surface by unnecessarily linking the action-suid binary to libarchive, when compiled on specific Linux distributions. The only clean and fast way to correct this problem is to remove the new docker-extract functionality, which implements improved whiteout handling for docker containers. As a temporary fix, several git commits will be reverted, and a new 2.4.4 release will be created. This release will still include the remaining bug and security fixes from the 2.4.3 release. The docker-extract functionality will be re-implemented in a new version (tentatively 2.5) in a manner that will avoid the issue. We sincerely apologize for the confusion and inconvenience. Thank you for your patience.

Hello Singularity enthusiasts!

This is a bug fix point release to the 2.4 feature branch, and includes a number of bug fixes as well as a security related fix that affects Singularity running on older kernels. If this security issue affects you (see below) you should consider this a high priority update:

Security related fixes

• Close file descriptors pointing to a directory #1305

Details:
It may be possible for a malicious user to keep a directory open pointing to anything on the host filesystem within a container in such a manner that would bypass the security precautions already in place. Hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS are at risk. Most current distributions of Linux support this feature (e.g. RHEL6 with kernels newer then 2.6.32-504.16.2), and it is recommended to update to the latest upstream distribution release if you can.

Bug Fixes

• Fix permission denied when binding directory located on NFS with root_squash enabled
• Add capability to support all tar compression formats #1155
• Handle docker layer aufs whiteout files correctly (requires libarchive).
• Updated output of image.print command #1190
• Fixed parsing of backslashes in apprun script #1189
• Fixed parsing of arch keyword from definition file #1217
• Fixed incompatibility between --pwd and --contain options #1259
• Updated license information #1267
• Fix non-root build from docker containers with non-writable file/dir permissions
• Fix race condition between container exit and cleanupd while removing runtime directory

---

Please do remember to have fun!

And as always, report any bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.4.2 Release

Hello Singularity world!

This is a minor bug fix release which includes the following changes:

• This fixed an issue for support of older distributions and kernels with regards to setns()
  functionality.
• Fixed autofs bug path (lost during merge)

As usual, please report any additional bugs to:
https://github.com/singularityware/singularity/issues/new

Singularity 2.4.1 Release

Hello Containerizers!

This is a bug fix point release to the 2.4 feature branch, and includes a number of fixes including some security related points that deserve immediate attention:

Security related fixes

• Fixed container path and owner limitations (if you are using these features, consider this an important update, thank you Valentin Plugaru for letting us know!)
• Abort if overlay upper/work images are symlinks

Implemented enhancements

• This changelog was added.
• Addition of APP[app]_[LABELS,ENV,RUNSCRIPT,META] so apps can internally find one another.
• Exposing labels for SCI-F in environment

Bug Fixes

• Adjusting environment parsing regular expression for Docker to allow for "=" sign in variable
• Try overlayFS now default option
• Confirm that localstate directories were properly packaged
• Fix when running over NFS with root_squash enabled
• Honor the user name request when pulling from Singularity Hub
• Allow http_proxy related envars for runtime and build
• Properly require mksquashfs tools for Debian packaging
• Fix for empty docker namespaces in private repositories
• Fix Docker environment parsing
• Revert lolcow easter egg
• Fix "Duplicate bootstrap definition key" triggered by comments and blank spaces
• Fix for docker permission error when downloading multiple layers
• Fix parsing of registry (including port), namespace, tags, and version
• Add "$@" to any CMD/ENTRYPOINT found when building from Docker
• Added sqaushfs-tools as a dependency for building deb files
• Fix terminal echo problem when using PID namespace and killing shell
• Fix SuSE squashFS package name in RPM spec

---

As usual, please report any additional bugs to:
https://github.com/singularityware/singularity/issues/new