Releases: apptainer/singularity
Singularity 3.8.7
Bug fixes
- Correct library bindings for unsquashfs containment. Fixes errors where resolved library filename does not match library filename in binary (e.g. EL8, POWER9 with glibc-hwcaps).
- Remove python as a dependency of the debian package.
- Increased the TLS Handshake Timeout for the busybox bootstrap agent in build definition files to 60 seconds.
- Preload NSS libraries prior to mount namespace creation to avoid circumstances that can cause loading those libraries from the container image instead of the host, for example in the startup environment.
Singularity 3.8.6
Changed behaviours and bug fixes
- Update builds to require at least golang version 1.16.12, and update package builds to build the go toolchain from source if the provided version is too old.
- Auto-generate release assets including the distribution tarball and rpm (built on CentOS 7) and deb (built on Debian 11) x86_64 packages.
- Update dependency to correctly unset variables in container startup environment processing. Fixes regression introduced in singularity-3.8.5.
- Remove subshell overhead when processing large environments on container startup.
- make install now installs man pages. A separate make man is not required. As a consequence, man pages are now included in deb packages.
Singularity 3.8.5
Security Related Fixes
- CVE-2021-41190 / GHSA-77vh-xpmg-72qh:
OCI specifications allow ambiguous documents that contain both "manifests"
and "layers" fields. Interpretation depends on the presence / value of a
Content-Type header. Dependencies handling the retrieval of OCI images
have been updated to versions that reject ambiguous documents.
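
The check behind this fix, sketched as an added example (not code from Singularity or its dependencies): the hypothetical helper classifyOCI rejects a document carrying both fields, and any declared type that contradicts the body. It assumes only the two OCI media types are in use; Docker schema 2 types are left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

const (
	ociManifest = "application/vnd.oci.image.manifest.v1+json"
	ociIndex    = "application/vnd.oci.image.index.v1+json"
)

var errAmbiguous = errors.New(`ambiguous OCI document: both "manifests" and "layers" present`)

// classifyOCI (hypothetical helper, not Singularity code) returns the media type implied by the body.
func classifyOCI(contentType string, body []byte) (string, error) {
	// A json.RawMessage stays empty when its field is absent from the body.
	var p struct {
		MediaType string          `json:"mediaType"`
		Manifests json.RawMessage `json:"manifests"`
		Layers    json.RawMessage `json:"layers"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	var shape string
	switch hasM, hasL := len(p.Manifests) > 0, len(p.Layers) > 0; {
	case hasM && hasL:
		return "", errAmbiguous // meaning would depend on the Content-Type header
	case hasM:
		shape = ociIndex
	case hasL:
		shape = ociManifest
	default:
		return "", errors.New(`document has neither "manifests" nor "layers"`)
	}
	// The header and the optional in-body mediaType must both match the shape.
	for _, declared := range []string{contentType, p.MediaType} {
		if declared != "" && declared != shape {
			return "", fmt.Errorf("declared type %q contradicts body shape %q", declared, shape)
		}
	}
	return shape, nil
}

func main() {
	// Constructed sample: a body readable as either an index or a manifest.
	body := []byte(`{"manifests":[{"digest":"sha256:aaaa"}],"layers":[{"digest":"sha256:bbbb"}]}`)
	fmt.Println(classifyOCI(ociManifest, body))
}
```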
Changed defaults / behaviours
- Building Singularity from source requires go >=1.16. We now aim to support
the two most recent stable versions of Go. This corresponds to the Go
Release Maintenance Policy and Security Policy,
ensuring critical bug fixes and security patches are available for all supported language
versions. However, rpm packaging applies a patch to support older native
go installations.
Bug fixes
- Sourcing a script based on PATH is now permitted, fixing a regression introduced in 3.6.0.
- Environment variables in container definition files are properly scoped, fixing a regression introduced in 3.8.0.
Singularity 3.8.4
Bug Fixes
- Fix the oras contexts to avoid hangs upon failed pushes to Harbor registry.
Enhancements
- Added seccomp, cryptsetup, devscripts & correct go version test to debian packaging.
Singularity 3.8.3
Bug Fixes
- Fix regression introduced in 3.8.1 that caused bind mounts without a destination to be added twice.
Singularity 3.8.2
Bug Fixes
- Fix regression when files sourced from %environment contain \ escaped shell builtins (fixes issue with source of conda profile.d script).
- singularity delete will use the correct library service when the hostname is specified in the library:// URI.
- singularity build will use the correct library service when the hostname is specified in the library:// URI / definition file.
- Call debootstrap with correct Debian arch when it is not identical to the value of runtime.GOARCH. E.g. ppc64el -> ppc64le.
- When destination is omitted in %files entry in definition file, ensure globbed files are copied to correct resolved path.
- Return an error if --tokenfile used for remote login to an OCI registry, as this is not supported.
- Ensure repeated remote login to same URI does not create duplicate entries in ~/.singularity/remote.yaml.
- Properly escape single quotes in Docker CMD / ENTRYPOINT translation.
- Use host uid when choosing unsquashfs flags, to avoid selinux xattr errors with --fakeroot on non-EL/Fedora distributions with recent squashfs-tools.
- Updated the modified golang-x-crypto module with the latest upstream version.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: singularity-security@hpcng.org.
Have fun!
Downloads
Please use the singularity-3.8.2.tar.gz download below to obtain and install Singularity 3.8.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Singularity 3.8.1
Bug Fixes
- Allow escaped \$ in a SINGULARITYENV_ var to set a literal $ in a container env var. Also allow escaped commas and colons in the source bind path.
- Handle absolute symlinks correctly in multi-stage build %copy from blocks.
- Fix incorrect reference in sandbox restrictive permissions warning.
- Prevent garbage collection from closing the container image file descriptor.
- Update to Arch Linux pacman.conf URL and remove file size verification.
Downloads
Please use the singularity-3.8.1.tar.gz download below to obtain and install Singularity 3.8.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Singularity 3.8.0
Changed defaults / behaviours
⚠️ Go module was renamed from github.com/sylabs/singularity to github.com/hpcng/singularity
New features / functionalities
- A new overlay command allows creation and addition of writable overlays.
- Administrators can allow named users/groups to use specific CNI network configurations. Managed by directives in singularity.conf.
- The build command now honors --nv, --rocm, and --bind flags, permitting builds that require GPU access or files bound in from the host.
- A library service hostname can be specified as the first component of a library:// URL.
- Singularity is now relocatable for unprivileged installations only.
Bug Fixes
- Respect http proxy server environment variables in key operations.
- When pushing SIF images to oras:// endpoints, work around Harbor & GitLab failure to accept the SifConfigMediaType.
- Avoid a setfsuid compilation warning on some gcc versions.
- Fix a crash when silent/quiet log levels used on pulls from shub:// and http(s):// URIs.
- Wait for dm device to appear when mounting an encrypted container rootfs.
- Accommodate ppc64le pageSize in TestCgroups and disable -race.
- Fix Debian packaging.
Testing / Development
Testing changes are not generally itemized. However, developers and contributors should note that this release has modified the behavior of make test for ease of use:
- make test runs limited unit and integration tests that will not require docker hub credentials.
- make testall runs the full unit/integration/e2e test suite that requires docker credentials to be set with E2E_DOCKER_USERNAME and E2E_DOCKER_PASSWORD environment variables.
Singularity 3.8.0 Release Candidate 2
This has been replaced with https://github.com/hpcng/singularity/releases/tag/v3.8.0
Singularity 3.7.4
Singularity 3.7.4 is a security release. We recommend all users upgrade to this version.
Security Related Fixes
- CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.
Downloads
Please use the singularity-3.7.4.tar.gz download below to obtain and install Singularity 3.7.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.