SingularityCE 3.9.0 Release Candidate 2

This is the second release candidate for the upcoming SingularityCE 3.9.0. We'd be grateful for all testing, bug reports, and comments, as we look forward to a stable 3.9.0 release. Please carefully review the release notes below, and refer to the 'master branch (unreleased)' documentation at https://sylabs.io/docs/

Security related fixes

• Due to trusting a path to an executable that was incorrectly generated in code that could be manipulated by an unprivileged user, privilege escalation was possible when using the new --nvccli GPU configuration option. This vulnerability affected the 3.9.0-rc.1 release candidate only. Stable releases of SingularityCE are not impacted.

  All users who have installed 3.9.0-rc.1 should update to 3.9.0-rc.2

  Thanks to @cclerget for reporting this issue.

Changed defaults / behaviours

• The location of the cryptsetup, ldconfig and nvidia-container-cli binaries are always taken from singularity.conf. No $PATH search is performed.

Bug fixes

• Ensure a build with --nvccli runs using nvidia-container-cli and not the legacy gpu support.
• Advise on limitations and provide workaround for inability to run %test in --fakeroot --nvccli builds.

Additionally, this RC includes fixes introduced in SingularityCE 3.8.4

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.9.0-rc.2.tar.gz download below to obtain and install SingularityCE 3.9.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.8.4

This is a bugfix release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug fixes

• Update oras-go dependency to address push failures to some registry configurations.
• Implement context cancellation when a signal is received in several CLI commands.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.4.tar.gz download below to obtain and install SingularityCE 3.8.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.9.0 Release Candidate 1

This is the first release candidate for the upcoming SingularityCE 3.9.0. We'd be grateful all testing, bug reports, and comments, as we look forward to a stable 3.9.0 release.

Various behavior changes and new features have been introduced. Please carefully review the release notes below, and refer to the 'master branch (unreleased)' documentation at https://sylabs.io/docs/

Changed defaults / behaviours

• Building SingularityCE 3.9.0 requires go >=1.16. We now aim to support the two most recent stable versions of Go. This corresponds to the Go Release Maintenance Policy and Security Policy, ensuring critical bug fixes and security patches are available for all supported language versions.
• LABELs from Docker/OCI images are now inherited. This fixes a longstanding regression from Singularity 2.x. Note that you will now need to use --force in a build to override a label that already exists in the source Docker/OCI container.
• The source paths for %files lines in a definition file are no longer interpreted by a shell. This means that environment variable substitution is not performed. Previously, environment variables were substituted for source paths, but not destination paths, leading to unexpected copy behaviour. Globbing for source files will now follow the Go filepath.Match pattern
  syntax.
• Removed --nonet flag, which was intended to disable networking for in-VM execution, but has no effect.
• --nohttps flag has been deprecated in favour of --no-https. The old flag is still accepted, but will display a deprecation warning.
• Paths for cryptsetup, go, ldconfig, mksquashfs, nvidia-container-cli, unsquashfs are now found at build time by mconfig and written into singularity.conf. The path to these executables can be overridden by changing the value in singularity.conf. If the path is not set in singularity.conf then the the executable will be found by searching $PATH.
• When calling ldconfig to find GPU libraries, singularity will not fall back to /sbin/ldconfig if the ldconfig on $PATH errors. If installing in a Guix/Nix on environment on top of a standard host distribution you must set ldconfig path = /sbin/ldconfig to use the host distribution ldconfig to find GPU libraries.
• --nv will not call nvidia-container-cli to find host libraries, unless the new experimental GPU setup flow that employs nvidia-container-cli for all GPU related operations is enabled (see below).
• If a container is run with --nvcli and --contain, only GPU devices specified via the NVIDIA_VISIBLE_DEVICES environment variable will be exposed within the container. Use NVIDIA_VISIBLE_DEVICES=all to access all GPUs inside a container run with --nvccli.
• Example log-plugin rewritten as a CLI callback that can log all commands executed, instead of only container execution, and has access to command arguments.
• An invalid remote build source (bootstrap) will be identified before attempting to submit the build.
• The bundled reference CNI plugins are updated to v1.0.1. The flannel plugin is no longer included, as it is maintained as a separate plugin at: https://github.com/flannel-io/cni-plugin. If you use the flannel CNI plugin you should install it from this repository.
• Instances are no longer created with an IPC namespace by default. An IPC namespace can be specified with the -i|--ipc flag.

New features / functionalities

• --writable-tmpfs can be used with singularity build to run the %test section of the build with a ephemeral tmpfs overlay, permitting tests that write to the container filesystem.
• --compat flag for actions is a new short-hand to enable a number of options that increase OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network namespaces as these may not be supported on many installations.
• --no-https now applies to connections made to library services specified in --library://<hostname>/... URIs.
• remote add --insecure may be used to configure endpoints that are only accessible via http.
• The experimental --nvccli flag will use nvidia-container-cli to setup the container for Nvidia GPU operation. SingularityCE will not bind GPU libraries itself. Environment variables that are used with Nvidia's docker-nvidia runtime to configure GPU visibility / driver capabilities & requirements are parsed by the --nvccli flag from the environment of the calling user. By
  default, the compute and utility GPU capabilities are configured. The use nvidia-container-cli option in singularity.conf can be set to yes to always use nvidia-container-cli when supported. Note that in a setuid
  install, nvidia-container-cli will be run as root with required ambient capabilities. --nvccli is not currently supported in the hybrid fakeroot (setuid install + --fakeroot) workflow. Please see documentation for more details.
• The --apply-cgroups flag can be used to apply cgroups resource and device restrictions on a system using the v2 unified cgroups hierarchy. The resource restrictions must still be specified in the v1 / OCI format, which will be translated into v2 cgroups resource restrictions, and eBPF device restrictions.
• A new --mount flag and SINGULARITY_MOUNT environment variable can be used to specify bind mounts in type=bind,source=<src>,destination=<dst>[,options...] format. This improves CLI compatibility with other runtimes, and allows binding paths containing : and , characters (using CSV style escaping).

Bug fixes

• The oci commands will operate on systems that use the v2 unified cgroups hierarchy.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.9.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.9.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.8.3

This is a bugfix release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug fixes

• Fix regression when files sourced from %environment contain \ escaped shell builtins (fixes issue with source of conda profile.d script).

Additional changes include dependency updates for the SIF module (to v2.0.0), and migration to maintained versions of other modules. There is no change to functionality, on-disk SIF format etc.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.3.tar.gz download below to obtain and install SingularityCE 3.8.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.8.2

This is a bugfix release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug Fixes

• singularity delete will use the correct library service when the hostname is specified in the library:// URI.
• singularity build will use the correct library service when the hostname is specified in the library:// URI / definition file.
• Fix download of default pacman.conf in arch bootstrap.
• Call debootstrap with correct Debian arch when it is not identical to the value of runtime.GOARCH. E.g. ppc64el -> ppc64le.
• When destination is ommitted in %files entry in definition file, ensure globbed files are copied to correct resolved path.
• Return an error if --tokenfile used for remote login to an OCI registry, as this is not supported.
• Ensure repeated remote login to same URI does not create duplicate entries in ~/.singularity/remote.yaml.
• Avoid panic when mountinfo line has a blank field.
• Properly escape single quotes in Docker CMD / ENTRYPOINT translation.
• Use host uid when choosing unsquashfs flags, to avoid selinux xattr errors with --fakeroot on non-EL/Fedora distributions with recent squashfs-tools.

Additionally, dependencies have been updated and some testing changes have been applied.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.2.tar.gz download below to obtain and install SingularityCE 3.8.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.8.1

This is a patch release of SingularityCE, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/.

Bug Fixes

• Allow escaped \$ in a SINGULARITYENV_ var to set a literal $ in a container env var.
• Handle absolute symlinks correctly in multi-stage build %copy from blocks.
• Fix incorrect reference in sandbox restrictive permissions warning.

Additionally, dependencies have been updated and some testing & markdown file changes have been applied.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.1.tar.gz download below to obtain and install SingularityCE 3.8.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.8.0

This is the first release of SingularityCE 3.8.0, the Community Edition of the Singularity container runtime hosted at https://github.com/sylabs/singularity. Documentation is available at https://sylabs.io/docs/

Changed defaults / behaviours

• The package name for this release is now singularity-ce. This name is used for the source tarball, output of an rpmbuild, and displayed in --version information.
• The name of the top level directory in the source tarball from make dist now includes the version string.

New features / functionalities

• A new overlay command allows creation and addition of writable overlays.
• Administrators can allow named users/groups to use specific CNI network configurations. Managed by directives in singularity.conf.
• The build command now honors --nv, --rocm, and --bind flags, permitting builds that require GPU access or files bound in from the host.
• A library service hostname can be specified as the first component of a library:// URL.
• Singularity is now relocatable for unprivileged installations only.

Bug Fixes

• Respect http proxy server environment variables in key operations.
• When pushing SIF images to oras:// endpoints, work around Harbor & GitLab failure to accept the SifConfigMediaType.
• Avoid a setfsuid compilation warning on some gcc versions.
• Fix a crash when silent/quiet log levels used on pulls from shub:// and http(s):// URIs.
• Wait for dm device to appear when mounting an encrypted container rootfs.

Testing / Development

Testing changes are not generally itemized. However, developers and contributors should note that this release has modified the behavior of make test for ease of use:

• make test runs limited unit and integration tests that will not require docker hub credentials.
• make testall runs the full unit/integration/e2e test suite that requires docker credentials to be set with E2E_DOCKER_USERNAME and E2E_DOCKER_PASSWORD environment variables.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-ce-3.8.0.tar.gz download below to obtain and install SingularityCE 3.8.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Singularity 3.7.4

Singularity 3.7.4 is the most recent stable release of Singularity prior to Sylabs' fork from github.com/hpcng/singularity which will take effect from the SingularityCE 3.8.0 onward.

This is a security release that has been coordinated with HPCng. We recommend all users upgrade to this version.

The downloads provided here are identical to those provided at https://github.com/hpcng/singularity/releases/tag/v3.7.4

This release is provided for convenience to users arriving from outdated links. Future releases posted here will be made from the code-base of this Sylabs fork.

---

Security Related Fixes

CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.

Please see the published security advisory at github.com/sylabs/singularity/security/advisories for further detail.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Please use the singularity-3.7.4.tar.gz download below to obtain and install Singularity 3.7.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

SingularityCE 3.8.0 Release Candidate 2

Replaced by the 3.8.0 release: https://github.com/sylabs/singularity/releases/tag/v3.8.0

SingularityCE 3.8.0 Release Candidate 1

Replaced by RC2: https://github.com/sylabs/singularity/releases/tag/v3.8.0-rc.2