Package Release Info

apptainer-1.1.6-bp155.2.18

Update Info: Base Release
Available in Package Hub : 15 SP5

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

apptainer

Change Logs

* Fri Feb 24 2023 Christian Goll <cgoll@suse.com>
- added simple sif building for SLE systems via suseconnect-container
- added files:
  * simpler-sif-building.patch
  * SLE-12SP5.def
  * leap.def
* Wed Feb 15 2023 Christian Goll <cgoll@suse.com>
- update to 1.1.6 with following changes:
  * Included a fix for CVE-2022-23538 which potentially leaked user credentials
    to a third-party S3 storage service when using the library:// protocol. See
    https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7
    for details.
  * Make PS1 environment variable changeable via %environment section on
    definition file that used to be only changeable via APPTAINERENV_PS1
    outside of container. This makes the container's prompt customizable.
  * Fix the passing of nested bind mounts when there are multiple binds
    separated by commas and some of them have colons separating sources and
    destinations.
  * Hide messages about SINGULARITY variables if corresponding APPTAINER
    variables are defined. Fixes a regression introduced in 1.1.4.
  * Print a warning if extra arguments are given to a shell action, and show in
    the run action usage that arguments may be passed.
  * Check for the existence of the runtime executable prefix, to avoid issues
    when running under Slurm's srun. If it doesn't exist, fall back to the
    compile-time prefix.
  * Increase the timeout on image driver (that is, FUSE) mounts from 2 seconds
    to 10 seconds. Instead, print an INFO message if it takes more than 2
    seconds.
  * If a remote is defined both globally (i.e. system-wide) and individually,
    change apptainer remote commands to print an info message instead of
    exiting with a fatal error and to give precedence to the individual
    configuration.
* Wed Jan 11 2023 Christian Goll <cgoll@suse.com>
- Update to 1.1.5 with following changes:
  * Fix the use of fakeroot, faked, and libfakeroot.so if they are not suffixed
    by -sysv, as is for instance the case on Gentoo Linux.
  * Prevent the use of a --libexecdir or --bindir mconfig option from making
    apptainer think it was relocated and so preventing use of suid mode. The
    bug was introduced in v1.1.4.
  * Add helpful error message for build --remote option.
  * Add more helpful error message when no library endpoint found.
  * Avoid cleanup errors on exit when mountpoints are busy by doing a lazy
    unmount if a regular unmount doesn't work after 10 tries.
  * Make messages about using SINGULARITY variables less scary.
* Wed Dec 21 2022 Christian Goll <cgoll@suse.com>
- moved run dir from /var/lib/apptainer to /var/apptainer to be closer
  to upstream
* Tue Dec 20 2022 Christian Goll <cgoll@suse.com>
- Update to 1.1.4 with following changes:
  * Make the binaries built in the unprivileged apptainer package relocatable.
    When moving the binaries to a new location, the /usr at the top of some of
    the paths needs to be removed. Relocation is disallowed when the
    starter-suid is present, for security reasons.
  * Change the warning when an overlay image is not writable, introduced in
    v1.1.3, back into a (more informative) fatal error because it doesn't
    actually enter the container environment.
  * Set the --net flag if --network or --network-args is set rather than
    silently ignoring them if --net was not set.
  * Do not hang on pull from http(s) source that doesn't provide a content-length.
  * Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.
  * Remove obsolete pacstrap -d in Arch packer.
  * Adjust warning message for deprecated environment variables usage.
  * Enable the --security uid:N and --security gid:N options to work when run
    in non-suid mode. In non-suid mode they work with any user, not just root.
    Unlike with root and suid mode, however, only one gid may be set in
    non-suid mode.
- Changes from 1.1.3
  * Prefer the fakeroot-sysv command over the fakeroot command because the
    latter can be linked to either fakeroot-sysv or fakeroot-tcp, but
    fakeroot-sysv is much faster.
  * Update the included squashfuse_ll to have -o uid=N and -o gid=N options and
    changed the corresponding image driver to use them when available. This
    makes files inside sif files appear to be owned by the user instead of by
    the nobody id 65534 when running in non-setuid mode.
  * Fix the locating of shared libraries when running unsquashfs from a non-standard location.
  * Properly clean up temporary files if unsquashfs fails.
  * Fix the creation of missing bind points when using image binding with underlay.
  * Change the error when an overlay image is not writable into a warning that
    suggests adding :ro to make it read only or using --fakeroot.
  * Avoid permission denied errors during unprivileged builds without
    /etc/subuid-based fakeroot when /var/lib/containers/sigstore is readable
    only by root.
  * Avoid failures with --writable-tmpfs in non-setuid mode when using
    fuse-overlayfs versions 1.8 or greater by adding the fuse-overlayfs noacl
    mount option to disable support for POSIX Access Control Lists.
  * Fix the --rocm flag in combination with -c / -C by forwarding all
    /dri/render* devices into the container.
* Fri Oct 28 2022 Egbert Eich <eich@suse.com>
- Add Provides: and Obsoletes: to attempt to mark this as a possible
  replacement for the original singularity package which has been
  discontinued.
* Tue Oct 11 2022 Christian Goll <cgoll@suse.com>
- previous versions did not build squashfuse_ll, fixed this
* Fri Oct 07 2022 Christian Goll <cgoll@suse.com>
- Updated to 1.1.2 which fixed CVE-2022-39237
  * CVE-2022-39237: The sif dependency included in Apptainer before this
    release does not verify that the hash algorithm(s) used are
    cryptographically secure when verifying digital signatures. This release
    updates to sif v2.8.1 which corrects this issue. See the linked advisory
    for references and a workaround.
* Wed Sep 28 2022 Christian Goll <cgoll@suse.com>
- updated to version 1.1.0 without changes to rc3
* Fri Sep 09 2022 Christian Goll <cgoll@suse.com>
- Updated to version 1.1.0-rc3 with following changes:
  * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll
    which will be removed as soon as the multithread patch is incorporated
  * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse,
    if available, for improved performance. squashfuse_ll is not available
    in factory.
  * Also, for even better parallel performance, include a patched
    multithreaded version of squashfuse_ll in ${prefix}/libexec/apptainer/bin.
  * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in
    apptainer.conf, which is used for searching for helper executables. It is
    implied as the first directory of $PATH if present (which is at the
    beginning of binary path by default) or just as the first directory if
    $PATH is not included in binary path.
  * Add --unsquash action flag to temporarily convert a SIF file to a sandbox
    before running. In previous versions this was the default when running a
    SIF file without setuid or with fakeroot, but now the default is to instead
    mount with squashfuse.
  * Add --sparse flag to overlay create command to allow generation of a sparse
    ext3 overlay image.
  * Support for a custom hashbang in the %test section of an Apptainer recipe
    (akin to the runscript and start sections).
  * When using fakeroot in setuid mode, have the image drivers first enter
    the container's user namespace to avoid write errors with overlays.
  * Skip trying to use kernel overlayfs when using writable overlay and the
    lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.
  * Add additional hidden options to the action command for testing different
    fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command,
    and --ignore-userns.
* Fri Aug 19 2022 Christian Goll <cgoll@suse.com>
- Updated to version 1.1.0-rc2 with following changes:
  * Fixed longstanding bug in the underlay logic when there are nested bind
    points separated by more than one path level, for example /var and
    /var/lib/yum, and the path didn't exist in the container image. The bug
    only caused an error when there was a directory in the container image that
    didn't exist on the host.
  * Improved wildcard matching in the %files directive of build definition
    files by replacing usage of sh with the mvdan.cc library.
  * Replaced checks for compatible filesystem types when using fuse-overlayfs
    with an INFO message when an incompatible filesystem type causes it to be
    unwritable by a fakeroot user.
  * The --nvccli option now works without --fakeroot. In that case the option
    can be used with --writable-tmpfs instead of --writable, and
    --writable-tmpfs is implied if neither option is given. Note that also
    /usr/bin has to be writable by the user, so without --fakeroot that
    probably requires a sandbox image that was built with --fix-perms.
  * The --nvccli option implies --nv.
  * Configure squashfuse to always show files to be owned by the current user.
    That's especially important for fakeroot to prevent most of the files from
    looking like they are owned by user 65534.
  * The fakeroot command can now be used even if $PATH is empty in the
    environment of the apptainer command.
  * Allow the newuidmap command to be missing if the current user is not listed
    in /etc/subuid.
  * Require the uidmap package in Debian packaging.
  * Improved error handling of unsupported password-protected PEM files with
    encrypted containers.
  * Ensure bootstrap_history directory is populated with previous definition
    files, present in source containers used in a build.
  * Add additional options to the build command for testing different fakeroot
    modes: --userns like the action flag and hidden options --ignore-subuid,
    --ignore-fakeroot-command, and --ignore-userns.
  * Require root user early when building an encrypted container.
- removed upstream-incorporated patch fix-32bit-compilation.patch
* Thu Aug 04 2022 Christian Goll <cgoll@suse.com>
- Updated to version 1.1.0-rc1 which enables apptainer to run without
  suid and additional groups. Although this is a prerelease this is
  a major advantage justifying its use.
  * Added a squashfuse image driver that enables mounting SIF files without
    using setuid-root. Requires the squashfuse command and unprivileged user
    namespaces.
  * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
    overlay partitions without using setuid-root. Requires the fuse2fs command
    and unprivileged user namespaces.
  * Added the ability to use persistent overlay (--overlay) and
    --writable-tmpfs without using setuid-root. This requires unprivileged user
    namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
    command. Persistent overlay works when the overlay path points to a regular
    filesystem (known as "sandbox" mode, which is not allowed when in setuid
    mode), or when it points to an EXT3 image. Does not work with a SIF
    partition because that requires privileges to mount as an ext3 image.
  * Extended the --fakeroot option to be useful when /etc/subuid and
    /etc/subgid mappings have not been set up. If they have not been set up, a
    root-mapped unprivileged user namespace (the equivalent of unshare -r)
    and/or the fakeroot command from the host will be tried. Together they
    emulate the mappings pretty well but they are simpler to administer. This
    feature is especially useful with the --overlay and --writable-tmpfs
    options and for building containers unprivileged, because they allow
    installing packages that assume they're running as root. A limitation on
    using it with --overlay and --writable-tmpfs however is that when only the
    fakeroot command can be used (because there are no user namespaces
    available, in suid mode) then the base image has to be a sandbox. This
    feature works nested inside of an apptainer container, where another
    apptainer command will also be in the fakeroot environment without
    requesting the --fakeroot option again, or it can be used inside an
    apptainer container that was not started with --fakeroot. However, the
    fakeroot command uses LD_PRELOAD and so needs to be bound into the
    container which requires a compatible libc. For that reason it doesn't work
    when the host and container operating systems are of very different
    vintages. If that's a problem and you want to use only an unprivileged
    root-mapped namespace even when the fakeroot command is installed, just run
    apptainer with unshare -r.
  * Made the --fakeroot option be implied when an unprivileged user builds a
    container from a definition file. When /etc/subuid and /etc/subgid mappings
    are not available, all scriptlets are run in a root-mapped unprivileged
    namespace (when possible) and the %post scriptlet is additionally run with
    the fakeroot command. When unprivileged user namespaces are not available,
    such that only the fakeroot command can be used, the --fix-perms option is
    implied to allow writing into directories.
  * Added a --fakeroot option to the apptainer overlay create command to make
    an overlay EXT3 image file that works with the fakeroot that comes from
    unprivileged root-mapped namespaces. This is not needed with the fakeroot
    that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes
    with only the fakeroot command in suid flow.
  * $HOME is now used to find the user's configuration and cache by default. If
    that is not set it will fall back to the previous behavior of looking up
    the home directory in the password file. The value of $HOME inside the
    container still defaults to the home directory in the password file and can
    still be overridden by the --home option.
  * When starting a container, if the user has specified the cwd by using the
    --pwd flag, if there is a problem an error is returned instead of
    defaulting to a different directory.
  * Nesting of bind mounts now works even when a --bind option specified a
    different source and destination with a colon between them. Now the
    APPTAINER_BIND environment variable makes sure the bind source is from the
    bind destination so it will be successfully re-bound into a nested apptainer
    container.
  * The warning about more than 50 bind mounts required for an underlay bind
    has been changed to an info message.
  * oci mount sets Process.Terminal: true when creating an OCI config.json, so
    that oci run provides expected interactive behavior by default.
  * The default hostname for oci mount containers is now apptainer instead of
    mrsdalloway.
  * systemd is now supported and used as the default cgroups manager. Set
    systemd cgroups = no in apptainer.conf to manage cgroups directly via the
    cgroupfs.
  * Added a new action flag --no-eval which:
    + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file
    environment variables as they are injected in the container, to match
    OCI behavior. Applies to all containers.
    + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command
    line arguments for containers run or built directly from an OCI/Docker
    source. Applies to newly built containers only, use apptainer inspect
    to check version that container was built with.
  * Added --no-eval to the list of flags set by the OCI/Docker --compat mode.
  * sinit process has been renamed to appinit.
  * Added --keysdir to key command to provide an alternative way of setting
    local keyring path. The existing reading of the keyring path from
    environment variable 'APPTAINER_KEYSDIR' is untouched.
  * apptainer key push will output the key server's response if included in
    order to help guide users through any identity verification the server may
    require.
  * ECL no longer requires verification for all signatures, but only when
    signature verification would alter the expected behavior of the list:
    + At least one matching signature included in a whitelist must be
    validated, but other unvalidated signatures do not cause ECL to fail.
    + All matching signatures included in a whitestrict must be validated,
    but unvalidated signatures not in the whitestrict do not cause ECL to
    fail.
    + Signature verification is not checked for a blacklist; unvalidated
    signatures can still block execution via ECL, and unvalidated
    signatures not in the blacklist do not cause ECL to fail.
- New features / functionalities
  * Non-root users can now use --apply-cgroups with run/shell/exec to limit
    container resource usage on a system using cgroups v2 and the systemd
    cgroups manager.
  * Native cgroups v2 resource limits can be specified using the [unified] key
    in a cgroups toml file applied via --apply-cgroups.
  * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups
    resource limits to a container directly.
  * Added instance stats command.
  * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable
    a bind path entry from apptainer.conf by specifying the absolute path to
    the destination of the bind.
  * Apptainer now supports the riscv64 architecture.
  * remote add --insecure may now be used to configure endpoints that are only
    accessible via http. Alternatively the environment variable
    APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added
    without the --insecure flag. Specifying https in the remote URI overrules
    both --insecure and APPTAINER_ADD_INSECURE.
  * Gpu flags --nv and --rocm can now be used from an apptainer nested inside
    another apptainer container.
  * Added --public, --secret, and --both flags to the key remove command to
    support removing secret keys from the apptainer keyring.
  * Debug output can now be enabled by setting the APPTAINER_DEBUG env var.
  * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs
    image extraction, and build stages.
- Bug fixes
  * Remove warning message about SINGULARITY and APPTAINER variables having
    different values when the SINGULARITY variable is not set.
  * Add specific error for unreadable image / overlay file.
  * Pass through a literal \n in host environment variables to the container.
  * Fix loop device creation with loop-control when running inside docker containers.
  * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag.
- File changes
  * Removed useful_error_message.patch as not needed any more
  * Added fix-32bit-compilation.patch from upstream
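The ECL decision rules listed in the 1.1.0-rc1 entry above, as an added Python illustration written for this page (not Apptainer's own Go code): each signature on an image is modelled as a key fingerprint plus a flag saying whether the signature cryptographically verified. The whitestrict rule that every listed key must have produced a validated signature follows ECL's documented meaning of that mode and is taken as an assumption here; the fingerprints and signature sets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Signature:
    fingerprint: str   # fingerprint of the key that produced the signature
    validated: bool    # True only if the signature verified against that key


def ecl_allows(mode: str, keys: Iterable[str], signatures: Iterable[Signature]) -> bool:
    """Return True if an ECL group in the given mode allows execution.

    mode is one of "whitelist", "whitestrict" or "blacklist"; keys are the
    fingerprints listed in that group.  In every mode, signatures made by
    keys that are NOT in the group are ignored, so a stray signature that
    cannot be verified no longer blocks execution by itself.
    """
    listed = {k.upper() for k in keys}
    matching = [s for s in signatures if s.fingerprint.upper() in listed]

    if mode == "whitelist":
        # at least one listed key must have a validated signature
        return any(s.validated for s in matching)

    if mode == "whitestrict":
        # every matching signature must validate, and (assumption: documented
        # whitestrict semantics) every listed key must have signed the image
        validated_keys = {s.fingerprint.upper() for s in matching if s.validated}
        return all(s.validated for s in matching) and listed <= validated_keys

    if mode == "blacklist":
        # a signature by a listed key blocks execution whether or not it
        # validated; signature verification is not consulted at all
        return not matching

    raise ValueError(f"unknown ECL mode: {mode!r}")


# Constructed sample fingerprints (not real keys).
KEY_A = "A" * 40
KEY_B = "B" * 40
KEY_C = "C" * 40


def sample_decisions() -> List[bool]:
    """Run the three modes over constructed signature sets."""
    return [
        # whitelist: A validated, an unrelated unvalidated B does not hurt
        ecl_allows("whitelist", [KEY_A], [Signature(KEY_A, True), Signature(KEY_B, False)]),
        # whitelist: A present but did not validate
        ecl_allows("whitelist", [KEY_A], [Signature(KEY_A, False)]),
        # whitestrict: both listed keys validated, stray C ignored
        ecl_allows("whitestrict", [KEY_A, KEY_B],
                   [Signature(KEY_A, True), Signature(KEY_B, True), Signature(KEY_C, False)]),
        # whitestrict: B never signed
        ecl_allows("whitestrict", [KEY_A, KEY_B], [Signature(KEY_A, True)]),
        # blacklist: unvalidated signature by a listed key still blocks
        ecl_allows("blacklist", [KEY_B], [Signature(KEY_B, False)]),
        # blacklist: unvalidated signature by an unlisted key is harmless
        ecl_allows("blacklist", [KEY_B], [Signature(KEY_C, False)]),
    ]


if __name__ == "__main__":
    for mode, result in zip(["whitelist", "whitelist", "whitestrict",
                             "whitestrict", "blacklist", "blacklist"], sample_decisions()):
        print(f"{mode:12s} -> {'allow' if result else 'deny'}")
```

The practical check this encodes: only whitelist and whitestrict depend on verification succeeding, so a blacklist entry must be matched on fingerprint alone, otherwise an attacker could dodge it by corrupting the signature.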
* Mon Jul 11 2022 Christian Goll <cgoll@suse.com>
- Update to version 1.0.3:
  * Process redirects that can come from sregistry with a library:// URL.
  * Fix inspect --deffile and inspect --all to correctly show definition files
    in sandbox container images instead of empty output. This has a side effect
    of also fixing the storing of definition files in the metadata of sif files
    built by Apptainer, because that metadata is constructed by doing inspect
    --all.
* Wed May 18 2022 Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 1.0.2:
  + Fixed `FATAL` error thrown by user configuration migration code
    that caused users with inaccessible home directories to be
    unable to use `apptainer` commands.
  + Do not truncate environment variables with commas.
  + Use HEAD request when checking digest of remote OCI image
    sources, with GET as a fall-back. Greatly reduces Apptainer's
    impact on Docker Hub API limits.
* Fri Mar 18 2022 Christian Goll <cgoll@suse.com>
- Updated to v1.0.1 with following bug fixes
  * Don't prompt for y/n to overwrite an existing file when build is called
    from a non-interactive environment. Fail with an error.
  * Preload NSS libraries prior to mountspace name creation to avoid
    circumstances that can cause loading those libraries from the container
    image instead of the host, for example in the startup environment.
  * Fix race condition where newly created loop devices can sometimes not be opened.
  * Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
* Thu Feb 17 2022 Christian Goll <cgoll@suse.com>
- Updated to v1.0.0-rc1; changes relative to singularity 3.9.5 are:
  * The primary executable has been changed from singularity to apptainer.
    However, a singularity command symlink alias has been created pointing to
    the apptainer command. The contents of containers are unchanged and
    continue to use the singularity name for startup scripts, etc.
  * The per-user configuration directory has changed from ~/.singularity to
    ~/.apptainer. The first time the apptainer command accesses the user
    configuration directory, relevant configuration is automatically imported
    from the old directory to the new one.
  * Environment variables have all been changed to have an APPTAINER prefix
    instead of a SINGULARITY prefix. However, SINGULARITY prefix variables are
    still recognized. If only a SINGULARITY prefix variable exists, a warning
    will be printed about deprecated usage and then the value will be used. If
    both prefixes exist and the value is the same, no warning is printed; this
    is the recommended method to set environment variables for those who need
    to support both apptainer and singularity. If both prefixes exist for the
    same variable and the value is different then a warning is also printed.
  * The default SylabsCloud remote endpoint has been removed and replaced by
    one called DefaultRemote which has no defined server for the library://
    URI. System administrators may restore the old default if they wish by
    adding it to /etc/apptainer/remote.yaml with a URI of cloud.sylabs.io and
    setting it there as the Active remote, or users can add it to their own
    configuration with the commands apptainer remote add SylabsCloud
    cloud.sylabs.io and apptainer remote use SylabsCloud.
  * The DefaultRemote's key server is https://keys.openpgp.org instead of the
    Sylabs key server
  * The apptainer build --remote option has been removed because there is no
    standard protocol or non-commercial service that supports it.
- New Features:
  * Honor image binds and user binds in the order they're given instead of
    always doing image binds first.
  * Experimental support for checkpointing of instances using DMTCP has been
    added. Additional flags --dmtcp-launch and --dmtcp-restart have been added
    to the apptainer instance start command, and a checkpoint command group has
    been added to manage the checkpoint state. A new
    /etc/apptainer/dmtcp-conf.yaml configuration file is also added.
    Limitations are that it can only work with dynamically linked applications
    and the container has to be based on glibc.
  * --writable-tmpfs can be used with apptainer build to run the %test section
    of the build with an ephemeral tmpfs overlay, permitting tests that write to
    the container filesystem.
  * The --compat flag for actions is a new short-hand to enable a number of
    options that increase OCI/Docker compatibility. Infers --containall,
    --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network
    namespaces as these may not be supported on many installations.
  * The experimental --nvccli flag will use nvidia-container-cli to setup the
    container for Nvidia GPU operation. Apptainer will not bind GPU libraries
    itself. Environment variables that are used with Nvidia's docker-nvidia
    runtime to configure GPU visibility / driver capabilities & requirements
    are parsed by the --nvccli flag from the environment of the calling user.
    By default, the compute and utility GPU capabilities are configured. The
    use nvidia-container-cli option in apptainer.conf can be set to yes to
    always use nvidia-container-cli when supported. --nvccli is not supported
    in the setuid workflow, and it requires being used in combination with
    --writable in user namespace mode. Please see documentation for more
    details.
  * The --apply-cgroups flag can be used to apply cgroups resource and device
    restrictions on a system using the v2 unified cgroups hierarchy. The
    resource restrictions must still be specified in the v1 / OCI format, which
    will be translated into v2 cgroups resource restrictions, and eBPF device
    restrictions.
  * A new --mount flag and APPTAINER_MOUNT environment variable can be used to
    specify bind mounts in
    type=bind,source=<src>,destination=<dst>[,options...] format. This improves
    CLI compatibility with other runtimes, and allows binding paths containing
    : and , characters (using CSV style escaping).
  * Perform concurrent multi-part downloads for library:// URIs. Uses 3
    concurrent downloads by default, and is configurable in apptainer.conf or
    via environment variables.
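The --mount format described in the v1.0.0-rc1 entry above, as an added parser written for this page (not Apptainer's own code), set beside the older --bind syntax it improves on. Accepting src/dst/target as aliases, treating a bare ro as a flag, and RFC 4180-style double-quote escaping as implemented by Python's csv module are assumptions of this example rather than documented Apptainer behaviour; the sample specs are constructed.

```python
import csv
from typing import Dict, List, Tuple

# Assumed aliases; Docker-style --mount accepts these, Apptainer's exact
# alias set is not stated on this page.
KEY_ALIASES = {"src": "source", "dst": "destination", "target": "destination"}


def parse_mount_spec(spec: str) -> Dict[str, str]:
    """Parse one --mount value: type=bind,source=<src>,destination=<dst>[,options...]

    Fields are split CSV-style, so a value containing ',' is written inside
    double quotes, e.g.  type=bind,"source=/data/a,b",destination=/mnt
    A ':' needs no escaping because it is not structural in this format.
    """
    rows = list(csv.reader([spec]))
    if len(rows) != 1:
        raise ValueError("mount spec must be a single CSV record")

    fields: Dict[str, str] = {}
    for raw in rows[0]:
        if raw == "":
            continue                      # tolerate a trailing comma
        key, sep, value = raw.partition("=")
        if not sep:
            value = "true"                # bare flag such as 'ro'
        key = KEY_ALIASES.get(key, key)
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value

    if fields.get("type") != "bind":
        raise ValueError("only type=bind is handled in this example")
    for required in ("source", "destination"):
        if required not in fields:
            raise ValueError(f"missing {required}=")
    if not fields["destination"].startswith("/"):
        raise ValueError("destination must be an absolute path inside the container")
    return fields


def parse_legacy_bind(value: str) -> List[Tuple[str, str]]:
    """The older --bind syntax: a comma-separated list of src[:dst[:opts]].

    ',' and ':' are structural here, so a path containing either cannot be
    expressed; the return value shows how such a path gets mangled.
    """
    pairs: List[Tuple[str, str]] = []
    for entry in value.split(","):
        parts = entry.split(":")
        src = parts[0]
        dst = parts[1] if len(parts) > 1 else src
        pairs.append((src, dst))
    return pairs


def is_rejected(spec: str) -> bool:
    """True if parse_mount_spec refuses the spec (used to show validation)."""
    try:
        parse_mount_spec(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed examples: a source path containing a comma and one containing a colon.
    print(parse_mount_spec('type=bind,"source=/data/a,b",destination=/mnt,ro'))
    print(parse_mount_spec("type=bind,src=/data/with:colon,dst=/mnt"))
    print(parse_legacy_bind("/data/with:colon:/mnt"))   # colon path split wrongly
    print(parse_legacy_bind("/data/a,b:/mnt"))          # comma path split wrongly
```

The two legacy calls at the end are the point of the flag: with --bind, "/data/with:colon:/mnt" is read as source /data/with and destination "colon", and "/data/a,b:/mnt" becomes two binds, neither of which is the one intended.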
* Wed Dec 15 2021 Christian Goll <cgoll@suse.com>
- Explicit dependency on go1.16.12 or go1.17.5 which fix
  (CVE-2021-44717) and (CVE-2021-44716) that may affect singularity
* Mon Dec 13 2021 Christian Goll <cgoll@suse.com>
- initial commit of apptainer which is a singularity fork