Version: 3.6.3-bp152.2.8.1
* Fri Sep 18 2020 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.6.3, addresses the following security issues:
- CVE-2020-25039, bsc#1176705
When a Singularity action command (run, shell, exec) is run with
the fakeroot or user namespace option, Singularity will extract
a container image to a temporary sandbox directory.
Due to insecure permissions on the temporary directory it is possible
for any user with access to the system to read the contents of the image.
Additionally, if the image contains a world-writable file or directory,
it is possible for a user to inject arbitrary content into the running
container.
- CVE-2020-25040, bsc#1176707
When a Singularity command that results in a container
build operation is executed, it is possible for a user with access
to the system to read the contents of the image during the build.
Additionally, if the image contains a world-writable file or directory,
it is possible for a user to inject arbitrary content into the running
build, which in certain circumstances may enable arbitrary code execution
during the build and/or when the built container is run.
* Mon Sep 14 2020 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.6.2, new features / functionalities:
- Add --force option to singularity delete for non-interactive
workflows.
- Support compilation with FORTIFY_SOURCE=2 and build in pie mode
with fstack-protector enabled
- Changed defaults / behaviours
- Default to current architecture for singularity delete.
- Bug Fixes
- Respect current remote for singularity delete command.
- Allow rw as a (noop) bind option.
- Fix capability handling regression in overlay mount.
- Fix LD_LIBRARY_PATH environment override regression with --nv/--rocm.
- Fix environment variable duplication within singularity engine.
- Use -user-xattrs for unsquashfs to avoid error with rootless
extraction using unsquashfs 3.4
- Correct --no-home message for 3.6 CWD behavior.
- Don't fail if parent of cache dir not accessible.
- Fix tests for Go 1.15 Ctty handling.
- Fix additional issues with test images on ARM64.
- Fix FUSE e2e tests to use container ssh_config.
- Provide advisory message r.e. need for upper and work to exist
in overlay images.
- Use squashfs mem and processor limits in squashfs gzip check.
- Ensure build destination path is not an empty string - do not
overwrite CWD.
- Don't unset PATH when interpreting legacy /environment files.
- Remove patch, this change is now in upstream:
* build-position-independent-binaries.patch
Version: 3.6.0-bp152.2.4.1
* Wed Jul 15 2020 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.6.0. This version introduces a new signature format
for SIF images, and changes to the signing / verification code to address
the following security problems:
- CVE-2020-13845, bsc#1174150
In Singularity 3.x versions below 3.6.0, issues allow the ECL to
be bypassed by a malicious user.
- CVE-2020-13846, bsc#1174148
In Singularity 3.5 the --all / -a option to singularity verify
returns success even when some objects in a SIF container are not signed,
or cannot be verified.
- CVE-2020-13847, bsc#1174152
In Singularity 3.x versions below 3.6.0, Singularity's sign and verify
commands do not sign metadata found in the global header or data object
descriptors of a SIF file, allowing an attacker to cause unexpected
behavior. A signed container may verify successfully, even when it has
been modified in ways that could be exploited to cause malicious behavior.
- New features / functionalities
- A new '--legacy-insecure' flag to verify allows verification of SIF
signatures in the old, insecure format.
- A new '-l / --logs' flag for instance list that shows the paths
to instance STDERR / STDOUT log files.
- The --json output of instance list now include paths to
STDERR / STDOUT log files.
- Changed defaults / behaviours
- New signature format (see security fixes above).
- Fixed spacing of singularity instance list to be dynamically changing
based off of input lengths instead of fixed number of spaces to account
for long instance names.
- Deprecate -a / --all option to sign/verify as new signature behavior
makes this the default.
- For more information about upstream changes, please check:
https://github.com/hpcng/singularity/blob/master/CHANGELOG.md
* Mon May 25 2020 Ana Guerrero Lopez <aguerrero@suse.com>
- New pre-version 3.6.0 rc5 with many changes:
- New features / functionalities
- Singularity now supports the execution of minimal Docker/OCI
containers that do not contain /bin/sh, e.g. docker://hello-world.
- A new cache structure is used that is concurrency safe on a filesystem that
supports atomic rename. If you downgrade to Singularity 3.5 or older after
using 3.6 you will need to run singularity cache clean.
- A plugin system rework adds new hook points that will allow the
development of plugins that modify behavior of the runtime. An image driver
concept is introduced for plugins to support new ways of handling image and
overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.
- The --bind flag can now bind directories from a SIF or ext3 image into a
container.
- The --fusemount feature to mount filesystems to a container via FUSE
drivers is now a supported feature (previously an experimental hidden flag).
- This permits users to mount e.g. sshfs and cvmfs filesystems to the
container at runtime.
- A new -c/--config flag allows an alternative singularity.conf to be
specified by the root user, or all users in an unprivileged installation.
- A new --env flag allows container environment variables to be set via the
Singularity command line.
- A new --env-file flag allows container environment variables to be set from
a specified file.
- A new --days flag for cache clean allows removal of items older than a
specified number of days. Replaces the --name flag which is not generally
useful as the cache entries are stored by hash, not a friendly name.
- Changed defaults / behaviours
- Environment variables prefixed with SINGULARITYENV_ always take
precedence over variables without SINGULARITYENV_ prefix.
- The %post build section inherits environment variables from the base image.
- %files from ... will now follow symlinks for sources that are directly
specified, or directly resolved from a glob pattern. It will not follow
symlinks found through directory traversal. This mirrors Docker multi-stage
COPY behaviour.
- Restored the CWD mount behaviour of v2, implying that CWD path is not recreated
inside container and any symlinks in the CWD path are not resolved anymore to
determine the destination path inside container.
- The %test build section is executed the same manner as singularity test image.
- -fusemount with the container: default directive will foreground the FUSE
process. Use container-daemon: for previous behavior.
- Removed --name flag for cache clean; replaced with --days.
- And many bug fixes.
- Update URL, github repository has moved.
- Update patch:
* build-position-independent-binaries.patch
Version: 3.5.3-bp152.1.39
* Wed Feb 19 2020 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.5.3. Main changes:
* Container action scripts are no longer bound in from `etc/actions.d` on the
host. They are created dynamically and inserted at container startup.
* `%files from ...` will no longer follow symlinks when copying between
stages in a multi stage build, as symlinks should be copied so that they
resolve identically in later stages. Copying `%files` from the host will
still maintain previous behavior of following links.
* Many bug fixes, please read CHANGELOG.md
* Thu Dec 19 2019 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.5.2. Main change is a fix for a security issue related
to incorrect file permissions (CVE-2019-19724) on user configuration
and cache directories. (boo#1159550)
For other minor bug fixes please read CHANGELOG.md
* Thu Dec 19 2019 Ana Guerrero Lopez <aguerrero@suse.com>
- Update wording in SUSE.README
- New patch, to get a more clear error message when user doesn't
belong to the singularity group
* useful_error_message.patch
* Fri Dec 13 2019 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.5.1. Many changes since 3.4.2, for the full changelog
please read CHANGELOG.md. Changes relevant to the package:
* New support for AMD GPUs via --rocm, install new configuration file
rocmliblist.conf
* Requires Go 1.13
- Update Source to download the release tarball that includes
the vendored modules.
- Update patch:
* build-position-independent-binaries.patch
* Thu Nov 07 2019 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.4.2, this release addresses the following issues:
- Sets workable permissions on OCI -> sandbox rootless builds
- Fallback correctly to user namespace for non setuid installation
- Correctly handle the starter-suid binary for non-root installs
- Creates CACHEDIR if it doesn't exist
- Set apex loglevel for umoci to match singularity loglevel
Version: 3.4.1-bp150.2.10.1
* Tue Sep 24 2019 Egbert Eich <eich@suse.com>
- New version 3.4.1
- This point release addresses the following issues:
- Fixes an issue where a PID namespace was always being used
- Fixes compilation on non 64-bit architectures
- Allows fakeroot builds for zypper, pacstrap, and debootstrap
- Correctly detects seccomp on OpenSUSE
- Honors GO_MODFLAGS properly in the mconfig generated makefile
- Passes the Mac hostname to the VM in MacOS Singularity builds
- Handles temporary EAGAIN failures when setting up loop devices on
recent kernels.
* Removed obsoleted patches:
- fix_build_in_32_bits.patch
- fix_flags_order.patch
* Mon Sep 23 2019 Ana Guerrero Lopez <aguerrero@suse.com>
- Fix build failure in i586. The patch is taken from upstream and should
be removed with the next release update.
* fix_build_in_32_bits.patch
* Tue Sep 03 2019 Ana Guerrero Lopez <aguerrero@suse.com>
- New version 3.4.0. Many changes since 3.2.1, for the full changelog
please read CHANGELOG.md
- Add new BuildRequires on cryptsetup.
- Patches refreshed:
* build-position-independent-binaries.patch
- Patches removed, merged upstream:
* zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch
* Handle-zypper-error-code-correctly.patch
* Support-multi-line-bootdef-settings.patch
* Add-support-for-numbered-variables.patch
* Improve-zypper-integration.patch
* Add-unit-tests-for-zypper-installation-on-SLE.patch
* Fix-pgp-key-version-strings-and-paths.patch
- Patches added, fix an issue with the flags order provided by the Makefile
* fix_flags_order.patch
* Sat Jul 20 2019 Egbert Eich <eich@suse.com>
- Fix-pgp-key-version-strings-and-paths.patch
Fixing pgp key, version strings and paths.
* Tue Jun 11 2019 Egbert Eich <eich@suse.com>
- Update to version 3.2.1:
This point release fixes the following bugs:
* Allows users to join instances with non-suid workflow
* Removes false warning when seccomp is disabled on the host
* Fixes an issue in the terminal when piping output to commands
* Binds NVIDIA persistenced socket when `--nv` is invoked
* Thu Jun 06 2019 Egbert Eich <eich@suse.com>
- Improve integration with SUSE Products: add support to create
Singularity images with SLE.
* build-position-independent-binaries.patch:
Make sure, the built binaries adhere to the packaging guidelines.
* zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch:
Newer SUSE versions use a different path for the RPM database.
* Handle-zypper-error-code-correctly.patch:
When the installation succeeds by an installation scriptlet fails
zypper returns error code 107. Don't treat this as an error.
* Support-multi-line-bootdef-settings.patch:
In order to specify a repository GPG key, add support for
multi line variables.
* Add-support-for-numbered-variables.patch:
In order to specify a list of additional repos, add support
to 'indexed' variables.
* Improve-zypper-integration.patch:
Improve handling of SUSE repositires:
- For SLE, use SUSEConnect to get all product repos.
- Allow to specify a repository GPG key.
- Allow to specify additional installation repositories.
* Add-unit-tests-for-zypper-installation-on-SLE.patch
Add unit tests.
* Sat May 18 2019 Egbert Eich <eich@suse.com>
- Add group 'singularity', fix ownerships.
* Thu May 16 2019 Egbert Eich <eich@suse.com>
- Updated to singularity v3.2.0
* [Security related fix](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11328)
Instance files are now stored in user's home directory for privacy and
many checks have been added to ensure that a user can't manipulate files
to change `starter-suid` behavior when instances are joined (many thanks
to Matthias Gerstner from the SUSE security team for finding and securely
reporting this vulnerability)
(CVE-2019-11328, bsc#1128598)
* New features / functionalities
- Introduced a new basic framework for creating and managing plugins
- Added the ability to create containers through multi-stage builds
- Created the concept of a Sylabs Cloud "remote" endpoint and added the
ability for users and admins to set them through CLI and conf files
- Added caching for images from Singularity Hub
- Made it possible to compile Singularity outside of `$GOPATH`
- Added a json partition to SIF files for OCI configuration when building
from an OCI source
- Full integration with Singularity desktop for MacOS code base
* New Commands
- Introduced the `plugin` command group for creating and managing plugins.
* Introduced the `remote` command group to support management of Singularity
endpoints.
* Added to the `key` command group to improve PGP key management.
* Added the `Stage: <name>` keyword to the definition file header and the
`from <stage name>` option/argument pair to the `%files` section to
support multistage builds
* Deprecated / removed commands
- The `--token/-t` option has been deprecated in favor of the `singularity
remote` command group
* Changed defaults / behaviors
- Ask to confirm password on a newly generated PGP key
- Prompt to push a key to the KeyStore when generated
- Refuse to push an unsigned container unless overridden with
`--allow-unauthenticated/-U` option
- Warn and prompt when pulling an unsigned container without the
`--allow-unauthenticated/-U` option
For more information check:
https://github.com/sylabs/singularity/blob/release-3.2/CHANGELOG.md
- Updated build-position-independent-binaries.patch
* Tue Apr 09 2019 Christian Goll <cgoll@suse.com>
- building now non stripped version
* Thu Apr 04 2019 Christian Goll <cgoll@suse.com>
- updated to singularity v3.1.1
* New Commands
- New hidden `buildcfg` command to display compile-time parameters
- Added support for `LDFLAGS`, `CFLAGS`, `CGO_` variables in build system
- Added `--nocolor` flag to Singularity client to disable color in logging
* Removed Commands
`singularity capability <add/drop> --desc` has been removed
`singularity capability list <--all/--group/--user>` flags have all
been removed
* New features / functionalities
- The `--builder` flag to the `build` command implicitly sets `--remote`
- Repeated binds no longer cause Singularity to exit and fail, just warn
instead
- Corrected typos and improved docstrings throughout
- Removed warning when CWD does not exist on the host system
- Added support to spec file for RPM building on SLES 11
* Wed Mar 06 2019 Christian Goll <cgoll@suse.com>
- update to singularity 3.1.0 what is reimplementaion in go
so this is a complete new build and just reusing the changelog
entries, following build differences were made to the upstream
spec file
* build position independent executable
* build stripped executable
* added following files:
* build_flags.patch what adds the right build flags
* singularity-rpmlintrc which supresses warning of file duplicate
badness dues to different setuid bit
* Fri Feb 15 2019 Egbert Eich <eich@suse.com>
- On Leap 42 or SLE 12 / PackageHub12 do not check the
permissions version: unfortunately the version number
has no relation to the patch set applied (bsc#1125369).
Version: 2.6.1-14.1
* Fri Jan 04 2019 eich@suse.com
- Change from /var/singularity to /var/lib/singularity
- zypper-install-Fix-dbpath-for-newer-versions-of-SUSE-Linux.patch:
Fix the RPM db path for later versions of SUSE.
- Fix warning on bash-completion file about non-executible script.
* Mon Dec 17 2018 cgoll@suse.com
- Updated to 2.6.1 to fix CVE-2018-19295 (bsc#1111411).
* mount points are not mounted with shared mount propagation by
default anymore, as this may result in privilege escalation.
* Wed Oct 31 2018 matthias.gerstner@suse.com
- Also package the directory tree rooted at /var/singularity/.
Otherwise running a container fails with:
'Failed to resolve path to /var/singularity/mnt/container: No such file or directory'
* Tue Oct 30 2018 eich@suse.com
- Add bash completions directory to file list for suse_version < 1500
to keep the build checker happy.
Version: 2.6.0-bp150.3.3.1
* Sun Oct 14 2018 eich@suse.com
- Update to version 2.6.0
* Allow admin to specify a non-standard location for mksquashfs binary at
build time with '--with-mksquashfs' option #1662
* '--nv' option will use
[nvidia-container-cli](https://github.com/NVIDIA/libnvidia-container) if
installed #1681
* [nvliblist.conf]
(https://github.com/singularityware/singularity/blob/master/etc/nvliblist.conf)
now has a section for binaries #1681
* '--nv' can be made default with all action commands in singularity.conf
[#1681]
* '--nv' can be controlled by env vars '$SINGULARITY_NV' and
'$SINGULARITY_NV_OFF' #1681
* Refactored travis build and packaging tests #1601
* Added build and packaging tests for Debian 8/9 and openSUSE 42.3/15.0 #1713
* Restore shim init process for proper signal handling and child reaping when
container is initiated in its own PID namespace #1221
* Add '-i' option to image.create to specify the inode ratio. #1759
* Bind '/dev/nvidia*' into the container when the '--nv' flag is used in
conjuction with the '--contain' flag #1358
* Add '--no-home' option to not mount user $HOME if it is not the $CWD and
'mount home = yes' is set. #1761
* Added support for OAUTH2 Docker registries like Azure Container Registry
[#1622]
[#]## Bug fixes
* Fix 404 when using Arch Linux bootstrap #1731
* Fix environment variables clearing while starting instances #1766
* Mon Jul 09 2018 eich@suse.com
- Use %license instead of %doc for license files on newer products.
- Fix bash completion path.
* Fri Jul 06 2018 cgoll@suse.com
- Updated from 2.3.2 to 2.5.2
- Fix security issues for incorrect access control on systems
supporting overlay file system descirbed in CVE-2018-12021 and
bsc#1100333
Highlights of 2.5.2
* a new `build` command was added to replace `create` +
`bootstrap`
* default image format is squashfs, eliminating the need to
specify a size
* a `localimage` can be used as a build base, including ext3,
sandbox, and other squashfs images
* singularity hub can now be used as a base with the uri
* Restore docker-extract aufs whiteout handling that implements
correct extraction of docker container layers.
* several bug fixes, see CHANGELOG.md for details
- Removed: singularity-2.3.2.tar.gz
- Added: singularity-2.5.2.tar.gz
- Removed 'notyet' if conditions in specfile to allow files
introduced in v2.5.2
- Fixed access control on systems supporting overlay file system
(CVE-2018-12021, boo#1100333).
Version: 2.3.1-2.1
* Thu Oct 05 2017 eich@suse.com
- Removed:
Do-chdir-before-duing-chroot.patch:
After checking with the security team that there are no concerns
about doing the chdir() after the chroot(), remove this patch and
add a filter to keep rpmlint from complaining (bsc#1028304).
* Mon Oct 02 2017 eich@suse.com
- set permissions for SUID binaries to 4750.
- fix library packaging for i586.
- add a README.SUSE
- temporarily filter filter for non-standard-gid from rpmlint
until group 'singularity' is available as known group.
* Thu Sep 14 2017 eich@suse.com
- Update to version 2.3.1:
This release includes a fix for a High Severity security issue on older
hosts, and other improvements and fixes to previous versions of Singularity.
Version 2.3:
There are a massive number of fixes, updates, optimizations and awesomeness
contained within this release, but here is a brief overview of the major
changes you can expect to find in this release:
Lots of backend library changes to accommodate a more flexible API
Restructured Python backend
Updated bootstrap backend to make it much more reliable
Direct support for the awesome, the fantastic, Singularity-Hub!
Ability to run additional commands without root privileges (e.g. create,
import, copy, export, etc..).
Added ability to pull images from Singularity Hub and Docker
Containers now have labels, and are inspect'able
- Do-chdir-before-duing-chroot.patch:
Add a chdir() before chroot() just to keep rpmlint from complaining
even more. There is a chdir("/") right after the chroot() call.
- Created group 'singularity' and make suid-root binaries only executable
by this group.
* Sat Feb 18 2017 eich@suse.com
- Initial import of singuarity 2.2.1.