Releases: apptainer/singularity
Singularity 3.8.7
Bug fixes
- Correct library bindings for unsquashfs containment. Fixes errors where resolved library filename does not match library filename in binary (e.g. EL8, POWER9 with glibc-hwcaps).
- Remove python as a dependency of the debian package.
- Increased the TLS Handshake Timeout for the busybox bootstrap agent in build definition files to 60 seconds.
- Preload NSS libraries prior to mount namespace creation to avoid circumstances that can cause loading those libraries from the container image instead of the host, for example in the startup environment.
Singularity 3.8.6
Changed behaviours and bug fixes
- Update builds to require at least golang version 1.16.12, and update package builds to build the go toolchain from source if the provided version is too old.
- Auto-generate release assets including the distribution tarball and rpm (built on CentOS 7) and deb (built on Debian 11) x86_64 packages.
- Update dependency to correctly unset variables in container startup environment processing. Fixes regression introduced in singularity-3.8.5.
- Remove subshell overhead when processing large environments on container startup.
- make install now installs man pages. A separate make man is not required. As a consequence, man pages are now included in deb packages.
Singularity 3.8.5
Security Related Fixes
- CVE-2021-41190 / GHSA-77vh-xpmg-72qh:
OCI specifications allow ambiguous documents that contain both "manifests"
and "layers" fields. Interpretation depends on the presence / value of a
Content-Type header. Dependencies handling the retrieval of OCI images
have been updated to versions that reject ambiguous documents.
Changed defaults / behaviours
- Building Singularity from source requires go >=1.16. We now aim to support
the two most recent stable versions of Go. This corresponds to the Go
Release Maintenance Policy and Security Policy,
ensuring critical bug fixes and security patches are available for all supported language
versions. However, rpm packaging applies a patch to support older native
go installations.
Bug fixes
- Sourcing a script based on PATH is now permitted, fixing a regression introduced in 3.6.0.
- Environment variables in container definition files are properly scoped, fixing a regression introduced in 3.8.0.
Singularity 3.8.4
Bug Fixes
- Fix the oras contexts to avoid hangs upon failed pushes to Harbor registry.
Enhancements
- Added seccomp, cryptsetup, devscripts & correct go version test to debian packaging.
Singularity 3.8.3
Bug Fixes
- Fix regression introduced in 3.8.1 that caused bind mounts without a destination to be added twice.
Singularity 3.8.2
Bug Fixes
- Fix regression when files sourced from %environment contain \ escaped shell builtins (fixes issue with source of conda profile.d script).
- singularity delete will use the correct library service when the hostname is specified in the library:// URI.
- singularity build will use the correct library service when the hostname is specified in the library:// URI / definition file.
- Call debootstrap with correct Debian arch when it is not identical to the value of runtime.GOARCH. E.g. ppc64el -> ppc64le.
- When destination is omitted in %files entry in definition file, ensure globbed files are copied to correct resolved path.
- Return an error if --tokenfile used for remote login to an OCI registry, as this is not supported.
- Ensure repeated remote login to same URI does not create duplicate entries in ~/.singularity/remote.yaml.
- Properly escape single quotes in Docker CMD / ENTRYPOINT translation.
- Use host uid when choosing unsquashfs flags, to avoid selinux xattr errors with --fakeroot on non-EL/Fedora distributions with recent squashfs-tools.
- Updated the modified golang-x-crypto module with the latest upstream version.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected].
Have fun!
Downloads
Please use the singularity-3.8.2.tar.gz download below to obtain and install Singularity 3.8.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Singularity 3.8.1
Bug Fixes
- Allow escaped \$ in a SINGULARITYENV_ var to set a literal $ in a container env var. Also allow escaped commas and colons in the source bind path.
- Handle absolute symlinks correctly in multi-stage build %copy from blocks.
- Fix incorrect reference in sandbox restrictive permissions warning.
- Prevent garbage collection from closing the container image file descriptor.
- Update to Arch Linux pacman.conf URL and remove file size verification.
Downloads
Please use the singularity-3.8.1.tar.gz download below to obtain and install Singularity 3.8.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Singularity 3.8.0
Changed defaults / behaviours
⚠️ Go module was renamed from github.com/sylabs/singularity to github.com/hpcng/singularity
New features / functionalities
- A new overlay command allows creation and addition of writable overlays.
- Administrators can allow named users/groups to use specific CNI network configurations. Managed by directives in singularity.conf.
- The build command now honors --nv, --rocm, and --bind flags, permitting builds that require GPU access or files bound in from the host.
- A library service hostname can be specified as the first component of a library:// URL.
- Singularity is now relocatable for unprivileged installations only.
Bug Fixes
- Respect http proxy server environment variables in key operations.
- When pushing SIF images to oras:// endpoints, work around Harbor & GitLab failure to accept the SifConfigMediaType.
- Avoid a setfsuid compilation warning on some gcc versions.
- Fix a crash when silent/quiet log levels used on pulls from shub:// and http(s):// URIs.
- Wait for dm device to appear when mounting an encrypted container rootfs.
- Accommodate ppc64le pageSize in TestCgroups and disable -race.
- Fix Debian packaging.
Testing / Development
Testing changes are not generally itemized. However, developers and contributors should note that this release has modified the behavior of make test for ease of use:
- make test runs limited unit and integration tests that will not require docker hub credentials.
- make testall runs the full unit/integration/e2e test suite that requires docker credentials to be set with E2E_DOCKER_USERNAME and E2E_DOCKER_PASSWORD environment variables.
Singularity 3.8.0 Release Candidate 2
This has been replaced with https://github.com/hpcng/singularity/releases/tag/v3.8.0
Singularity 3.7.4
Singularity 3.7.4 is a security release. We recommend all users upgrade to this version.
Security Related Fixes
- CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.
Downloads
Please use the singularity-3.7.4.tar.gz download below to obtain and install Singularity 3.7.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.