Releases: sylabs/singularity
SingularityCE 4.1.0 Release Candidate 1
SingularityCE 4.1.0-rc.1 is the first release candidate for the upcoming SingularityCE 4.1.0 release. This release candidate is intended to allow testing of new functionality and existing workflows. We welcome any and all feedback you are able to provide.
The release candidate is not intended for production use. Please see the latest 4.0.3 stable release instead.
Changed defaults / behaviours
- In native mode, SIF/SquashFS container images will now be mounted with squashfuse when kernel mounts are disabled in `singularity.conf`, or cannot be used (non-setuid / user namespace workflow). If the FUSE mount fails, Singularity will fall back to extracting the container to a temporary sandbox in order to run it.
- In native mode, bare extfs container images will now be mounted with fuse2fs when kernel mounts are disabled in `singularity.conf`, or cannot be used (non-setuid / user namespace workflow).
New Features & Functionality
- The `registry login` and `registry logout` commands now support a `--authfile <path>` flag, which causes the OCI credentials to be written to / removed from a custom file located at `<path>` instead of the default location (`$HOME/.singularity/docker-config.json`). The commands `pull`, `push`, `run`, `exec`, `shell`, and `instance start` can now also be passed a `--authfile <path>` option, to read OCI registry credentials from this custom file.
- A new `--keep-layers` flag, for the `pull` and `run/shell/exec/instance start` commands, allows individual layers to be preserved when an OCI-SIF image is created from an OCI source. Multi layer OCI-SIF images can be run with SingularityCE 4.1 and later.
- Singularity will now build OCI-SIF images from Dockerfiles, if the `--oci` flag is used with the `build` command. Provide a Dockerfile as the final argument to `build`, instead of a Singularity definition (.def) file. Supports `--build-arg` / `--build-arg-file` options, `--arch` for cross-architecture builds, `--authfile` and other authentication options, and more. See the user guide for more information.
- Docker-style SCIF containers (https://sci-f.github.io/tutorial-preview-install) are now supported. If the entrypoint of an OCI container is the `scif` executable, then the `run` / `exec` / `shell` commands in `--oci` mode can be given the `--app <appname>` flag, and will automatically invoke the relevant SCIF command.
- A new `--tmp-sandbox` flag has been added to the `run / shell / exec / instance start` commands. This will force Singularity to extract a container to a temporary sandbox before running it, when it would otherwise perform a kernel or FUSE mount.
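A check an administrator might run on a file passed to `--authfile`, as an added example that is not SingularityCE code. It assumes the file uses the Docker `config.json` layout (`{"auths": {registry: {"auth": ...}}}`); the function name, finding codes and sample registry are constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile


def audit_authfile(path):
    """Return (code, message) findings for an OCI credentials file.

    Assumption of this example: the file follows the Docker config.json
    layout, with a base64 "user:password" string under auths.<registry>.auth.
    """
    findings = []

    # Credentials at rest should be readable by the owning user only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((
            "loose-permissions",
            f"{path}: mode {mode:04o} gives group/other access; use 0600",
        ))

    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)

    # Inline "auth" values are only base64-encoded, so anyone who can read
    # the file can reuse them. Report the registry and user, never the secret.
    for registry, entry in sorted(config.get("auths", {}).items()):
        token = entry.get("auth")
        if not token:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
            user = decoded.split(":", 1)[0]
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            user = "<undecodable>"
        findings.append((
            "stored-credential",
            f"{path}: reusable credential for {registry} (user {user}) "
            "is stored encoded, not encrypted",
        ))
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway authfile with a made-up credential.
    sample_dir = tempfile.mkdtemp()
    sample = os.path.join(sample_dir, "authfile.json")
    token = base64.b64encode(b"demo:constructed-password").decode("ascii")
    with open(sample, "w", encoding="utf-8") as fh:
        json.dump({"auths": {"registry.example.invalid": {"auth": token}}}, fh)
    os.chmod(sample, 0o644)
    for code, message in audit_authfile(sample):
        print(f"[{code}] {message}")
```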
Deprecated Functionality
- The experimental `--sif-fuse` flag, and `sif fuse` directive in `singularity.conf` are deprecated. The flag and directive were used to enable experimental mounting of SIF/SquashFS container images with FUSE in prior versions of Singularity. From 4.1, FUSE mounts are used automatically when kernel mounts are disabled / not available.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.0.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.6
SingularityCE 4.0.3
SingularityCE 4.0.3 is a patch release in the 4.0 series, with bug fixes along with dependency updates.
Bug Fixes
- Use kernel overlayfs instead of `fuse-overlayfs` when running as root user, regardless of unprivileged kernel overlay support.
- Execute correct `%appstart` script when using `instance start` with `--app`.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.0.3.tar.gz download below to obtain and install SingularityCE 4.0.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.6
SingularityCE 4.0.2
SingularityCE 4.0.2 is a patch release in the 4.0 series, with bug fixes and minor updates.
Changed defaults / behaviours
- Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA Drivers (known with >= 525.85.05) require this lib to compile OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl` depends on `libnvidia-nvvm`.
Bug Fixes
- Support parentheses in `test` / `[` commands in container startup scripts, via dependency update of mvdan.cc/sh.
- Fix incorrect client timeout during remote build context upload.
- When user requests a bind of `/dev:/dev` or `/dev/xxx:/dev/xxx` in OCI-mode, ensure that it is bind mounted with appropriate flags so that it is usable in the container.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.0.1.tar.gz download below to obtain and install SingularityCE 4.0.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.4
SingularityCE 4.0.1
SingularityCE 4.0.1 is a patch release in the 4.0 series, with bug fixes and minor updates.
New Features & Functionality
- Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so` to the list of libraries to add to NVIDIA GPU-enabled containers.
Bug Fixes
- Don't bind `/var/tmp` on top of `/tmp` in the container, where `/var/tmp` resolves to same location as `/tmp`.
- Fix problem where credentials locally stored with `registry login` command were not usable in some execution flows. Run `registry login` again with latest version to ensure credentials are stored correctly.
- Don't fail in a yum bootstrap on systems where the `_db_backend` rpm macro is not defined (EL <8).
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.0.1.tar.gz download below to obtain and install SingularityCE 4.0.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.3
SingularityCE 4.0.0
We are pleased to announce the availability of SingularityCE 4.0.0. This is a new major version, with the new OCI-mode becoming fully supported and expanded to use OCI-SIF images. v4.0.0 also introduces a number of CLI improvements, templating support for definition files, improved platform/architecture handling for OCI images, and much more.
Please review the changelog carefully, as it highlights behavior changes that may impact some workflows. You may also wish to read the 'What's new in SingularityCE 4.0' sections of the:
OCI-mode
Singularity 4 introduces OCI-mode as a fully supported feature. It is enabled by using the `--oci` flag with the `run / shell / exec / pull` commands, or by setting `oci mode = yes` in `singularity.conf`.
In OCI-mode:
- Container images from OCI sources will be `pull`-ed to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI, rather than Singularity specific, structure.
- The `run / shell / exec` commands use a low-level OCI runtime (crun/runc) for container execution.
- Default operation is compatible with other OCI tools, similar to using `--compat` in Singularity's non-OCI native mode.
- OCI-mode supports running existing Singularity non-OCI-SIF images, and can be made to imitate native mode default behavior by using the `--no-compat` flag.
OCI-mode changes from 3.11 to 4.0 include:
- `run / shell / exec` in OCI-mode now includes support for the following existing CLI flags:
  - `--add-caps`
  - `--drop-caps`
  - `--keep-privs`
  - `--no-privs`
  - `--overlay` from directories, bare squashfs and extfs images.
  - `--workdir`
  - `--scratch`
  - `--no-home`
  - `--no-mount` (dev cannot be disabled in OCI mode)
  - `--no-umask` (with `--no-compat`)
  - `--writable-tmpfs` (with `--no-compat`)
- Added `--device` flag to "action" commands (`run` / `exec` / `shell`) when run in OCI mode (`--oci`). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
- Added `--cdi-dirs` flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with `--fakeroot`, for example).
- A container run as root, or with `--fakeroot`, has OCI default effective/permitted capabilities.
- An `--env-file` is evaluated with respect to the host environment, to match native mode behaviour.
- If the kernel does not support unprivileged overlays, OCI-mode will attempt to use `fuse-overlayfs` and `fusermount` for overlay mounting and unmounting.
- Support for the `SINGULARITY_CONTAINLIBS` env var, to specify libraries to bind into `/.singularity.d/libs/` in the container.
- Support for running OCI-SIF images directly from `docker://`, `http://`, `https://` and `oras://` URIs.
- A new `--no-compat` flag can be used with OCI-mode to mirror singularity's historic native mode behavior on a variety of settings, instead of setting them the way other OCI runtimes typically do:
  - `$HOME`, `/tmp`, `/var/tmp` are bind mounted from the host.
  - The full `/dev` is bind mounted from the host, unless `mount dev = minimal` in `singularity.conf` (requires `crun`, not applied with `runc`).
  - `bind path` entries in `singularity.conf` are mounted into the container.
  - The current working directory is mounted into the container, and is the entry point into the container.
  - The container is read-only unless `--writable-tmpfs` is also used.
  - The host umask is propagated into the container, unless `--no-umask` is also used.
  - When a native (non-OCI-SIF) image is run in OCI-mode, environment variables will be shell evaluated on container startup.
- The `pull` command now accepts a new flag `--oci` for OCI image sources. This will create an OCI-SIF image rather than convert to Singularity's native container format.
- OCI-SIF containers can be pushed/pulled to/from OCI registries as single file artifacts using `oras://` URIs.
- OCI-SIF containers can be pushed/pulled to/from registries as OCI images, with a single squashfs layer, using `docker://` URIs.
- A new `oci mode` directive in `singularity.conf` can be set to true to enable OCI-mode by default. It can be negated with a new `--no-oci` command line flag.
See the admin guide and user guide for full requirements of OCI-mode and usage information.
Changed defaults / behaviours
Packages / Requirements
- RPM packages now use `/var/lib/singularity` (rather than `/var/singularity`) to store local state files.
- Bash completions are now installed to the modern `share/bash-completion/completions` location, rather than under `etc`.
- The `--vm` and related flags to start singularity inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
- Singularity uses `squashfuse_ll` / `squashfuse`, which is now built from a git submodule unless `--without-squashfuse` is specified as an argument to `mconfig`. When built with `--without-squashfuse`, `squashfuse_ll` or `squashfuse` will be located on `PATH`. Version 0.2.0 or later is required.
CLI
- The commands related to OCI/Docker registries that were under `remote` have been moved to their own, dedicated `registry` command. Run `singularity help registry` for more information.
- The `remote list` subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
- Adding a new remote endpoint using the `singularity remote add` command will now set the new endpoint as default. This behavior can be suppressed by supplying the `--no-default` (or `-n`) flag to `remote add`.
- The keyserver-related commands that were under `remote` have been moved to their own, dedicated `keyserver` command. Run `singularity help keyserver` for more information.
- Improved the clarity of `singularity key list` output.
- `--cwd` is now the preferred form of the flag for setting the container's working directory, though `--pwd` is still supported for compatibility.
Runtime Behaviour
- The way `--home` is handled when running as root (e.g. `sudo singularity`) or with `--fakeroot` has changed. Previously, we were only modifying the `HOME` environment variable in these cases, while leaving the container's `/etc/passwd` file unchanged (with its homedir field pointing to `/root`, regardless of the value passed to `--home`). With this change, both the value of `HOME` and the contents of `/etc/passwd` in the container will reflect the value passed to `--home`.
- Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the `SINGULARITY_BIND` environment variable. (Previously, image-mounts were always performed first, regardless of order.)
- Default OCI config generated with `singularity mount` no longer sets any inheritable / ambient capabilities, matching other OCI runtimes.
- `singularity oci mount` now uses, and requires, `squashfuse_ll` or `squashfuse` to mount a SIF image to an OCI bundle. Note that `squashfuse_ll` is built with singularity unless `--without-squashfuse` is passed to `mconfig`.
- The current working directory is created in the container when it doesn't exist, so that it can be entered. You must now specify `--no-mount home,cwd` instead of just `--no-mount home` to avoid mounting from `$HOME` if you run `singularity` from inside `$HOME`.
- If the path of the current working directory in the container and on the host contain symlinks to different locations, it will not be mounted.
New Features & Functionality
- Templating support for definition files: users can now define variables in definition files via a matching pair of double curly brackets. Variables of the form `{{ variable }}` will be replaced by a value defined either by a `variable=value` entry in the `%arguments` section of the definition file, or through new build options `--build-arg` or `--build-arg-file`.
- Added `--secret` flag (shorthand: `-s`) to `key remove` subcommand, to allow removal of a private key by fingerprint.
- Added `--private` as a synonym for `--secret` in `key list`, `key export`, and `key remove` subcommands.
- The `remote status` command will now print the username, realname, and email of the logged-in user, if available.
- The `cache` commands now accept `--type oci-sif` to list and clean cached OCI-SIF image conversions of OCI sources.
- The `instance start` command now accepts an optional `--app <name>` argument which invokes start script within the `%appstart <name>` section in the definition file. The `instance stop` command still only requires the instance name.
- A new `--no-pid` flag for `singularity run/shell/exec` disables the PID namespace inferred by `--containall` and `--compat`.
- A new `--platform` flag can be used to specify an `OS/Architecture[/Variant]` when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.
- The `--arch` flag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.
- Execution flows that unpack an image into a temporary sandbox dir can now be disabled, by setting "tmp sandbox = no" in `singularity.conf` or by passing `--no-tmp-sandbox` to the relevant `run / shell / exec` command.
Developer / API
- Support for image driver plugins, deprecated at 3.11, has been removed. Unprivileged kernel overlay is supp...
SingularityCE 3.11.5
SingularityCE 3.11.5 is a patch release in the 3.11 series, with changes detailed below.
Changed defaults / behaviours
- If commands that expect an image file are given an OCI-SIF image, an error will be generated advising the user that this format is only supported in versions 4.0 and up.
Bug Fixes
- Improved help text for `compile` and `install` subcommands of `plugin` command. Thanks to tonghuaroot (https://github.com/tonghuaroot) for the suggested improvements.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.5.tar.gz download below to obtain and install SingularityCE 3.11.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.1
SingularityCE 4.0.0 Release Candidate 2
SingularityCE 4.0.0-rc.2 is a release candidate for the upcoming 4.0.0 release, with the changes detailed below relative to 4.0.0-rc.1.
See the 4.0.0-rc.1 release notes for a full changelog.
OCI-mode
- If system does not meet the requirements for using OCI-SIF, OCI mode will fall back to a filesystem-based strategy: the OCI container will be unpacked into a temporary sandbox dir and run from there.
New Features & Functionality
- Execution flows that unpack an image into a temporary sandbox dir can now be disabled, by setting "tmp sandbox = no" in `singularity.conf` or by passing `--no-tmp-sandbox` to the relevant `run / shell / exec` command.
Bug Fixes
- Improved help text for `compile` and `install` subcommands of `plugin` command. Thanks to tonghuaroot (https://github.com/tonghuaroot) for the suggested improvements.
- Fix compilation with the `mconfig` `-b` option (custom builddir).
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.0.0-rc.2.tar.gz download below to obtain and install SingularityCE 4.0.0-rc.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.0
SingularityCE 4.0.0 Release Candidate 1
SingularityCE 4.0.0-rc.1 is a release candidate for the upcoming 4.0.0 release, with changes detailed below.
OCI-mode
Singularity 4 introduces OCI-mode as a fully supported feature. It is enabled by using the `--oci` flag with the `run / shell / exec / pull` commands, or by setting `oci mode = yes` in `singularity.conf`.
In OCI-mode:
- Container images from OCI sources will be `pull`-ed to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI, rather than Singularity specific, structure.
- The `run / shell / exec` commands use a low-level OCI runtime (crun/runc) for container execution.
- Default operation is compatible with other OCI tools, similar to using `--compat` in Singularity's non-OCI native mode.
- OCI-mode supports running existing Singularity non-OCI-SIF images, and can be made to imitate native mode default behavior by using the `--no-compat` flag.
OCI-mode changes from 3.11 to 4.0 include:
- `run / shell / exec` in OCI-mode now includes support for the following existing CLI flags:
  - `--add-caps`
  - `--drop-caps`
  - `--keep-privs`
  - `--no-privs`
  - `--overlay` from directories, bare squashfs and extfs images.
  - `--workdir`
  - `--scratch`
  - `--no-home`
  - `--no-mount` (dev cannot be disabled in OCI mode)
  - `--no-umask` (with `--no-compat`)
  - `--writable-tmpfs` (with `--no-compat`)
- Added `--device` flag to "action" commands (`run` / `exec` / `shell`) when run in OCI mode (`--oci`). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
- Added `--cdi-dirs` flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with `--fakeroot`, for example).
- A container run as root, or with `--fakeroot`, has OCI default effective/permitted capabilities.
- An `--env-file` is evaluated with respect to the host environment, to match native mode behaviour.
- If the kernel does not support unprivileged overlays, OCI-mode will attempt to use `fuse-overlayfs` and `fusermount` for overlay mounting and unmounting.
- Support for the `SINGULARITY_CONTAINLIBS` env var, to specify libraries to bind into `/.singularity.d/libs/` in the container.
- Support for running OCI-SIF images directly from `docker://`, `http://`, `https://` and `oras://` URIs.
- A new `--no-compat` flag can be used with OCI-mode to mirror singularity's historic native mode behavior on a variety of settings, instead of setting them the way other OCI runtimes typically do:
  - `$HOME`, `/tmp`, `/var/tmp` are bind mounted from the host.
  - The full `/dev` is bind mounted from the host, unless `mount dev = minimal` in `singularity.conf` (requires `crun`, not applied with `runc`).
  - `bind path` entries in `singularity.conf` are mounted into the container.
  - The current working directory is mounted into the container, and is the entry point into the container.
  - The container is read-only unless `--writable-tmpfs` is also used.
  - The host umask is propagated into the container, unless `--no-umask` is also used.
  - When a native (non-OCI-SIF) image is run in OCI-mode, environment variables will be shell evaluated on container startup.
- The `pull` command now accepts a new flag `--oci` for OCI image sources. This will create an OCI-SIF image rather than convert to Singularity's native container format.
- OCI-SIF containers can be pushed/pulled to/from OCI registries as single file artifacts using `oras://` URIs.
- OCI-SIF containers can be pushed/pulled to/from registries as OCI images, with a single squashfs layer, using `docker://` URIs.
- A new `oci mode` directive in `singularity.conf` can be set to true to enable OCI-mode by default. It can be negated with a new `--no-oci` command line flag.
See the admin guide and user guide for full requirements of OCI-mode and usage information.
Changed defaults / behaviours
Packages / Requirements
- RPM packages now use `/var/lib/singularity` (rather than `/var/singularity`) to store local state files.
- Bash completions are now installed to the modern `share/bash-completion/completions` location, rather than under `etc`.
- The `--vm` and related flags to start singularity inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
- Singularity uses `squashfuse_ll` / `squashfuse`, which is now built from a git submodule unless `--without-squashfuse` is specified as an argument to `mconfig`. When built with `--without-squashfuse`, `squashfuse_ll` or `squashfuse` will be located on `PATH`. Version 0.2.0 or later is required.
CLI
- The commands related to OCI/Docker registries that were under `remote` have been moved to their own, dedicated `registry` command. Run `singularity help registry` for more information.
- The `remote list` subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
- Adding a new remote endpoint using the `singularity remote add` command will now set the new endpoint as default. This behavior can be suppressed by supplying the `--no-default` (or `-n`) flag to `remote add`.
- The keyserver-related commands that were under `remote` have been moved to their own, dedicated `keyserver` command. Run `singularity help keyserver` for more information.
- Improved the clarity of `singularity key list` output.
- `--cwd` is now the preferred form of the flag for setting the container's working directory, though `--pwd` is still supported for compatibility.
Runtime Behaviour
- The way `--home` is handled when running as root (e.g. `sudo singularity`) or with `--fakeroot` has changed. Previously, we were only modifying the `HOME` environment variable in these cases, while leaving the container's `/etc/passwd` file unchanged (with its homedir field pointing to `/root`, regardless of the value passed to `--home`). With this change, both the value of `HOME` and the contents of `/etc/passwd` in the container will reflect the value passed to `--home`.
- Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the `SINGULARITY_BIND` environment variable. (Previously, image-mounts were always performed first, regardless of order.)
- Default OCI config generated with `singularity mount` no longer sets any inheritable / ambient capabilities, matching other OCI runtimes.
- `singularity oci mount` now uses, and requires, `squashfuse_ll` or `squashfuse` to mount a SIF image to an OCI bundle. Note that `squashfuse_ll` is built with singularity unless `--without-squashfuse` is passed to `mconfig`.
- The current working directory is created in the container when it doesn't exist, so that it can be entered. You must now specify `--no-mount home,cwd` instead of just `--no-mount home` to avoid mounting from `$HOME` if you run `singularity` from inside `$HOME`.
- If the path of the current working directory in the container and on the host contain symlinks to different locations, it will not be mounted.
New Features & Functionality
- Templating support for definition files: users can now define variables in definition files via a matching pair of double curly brackets. Variables of the form `{{ variable }}` will be replaced by a value defined either by a `variable=value` entry in the `%arguments` section of the definition file, or through new build options `--build-arg` or `--build-arg-file`.
- Added `--secret` flag (shorthand: `-s`) to `key remove` subcommand, to allow removal of a private key by fingerprint.
- Added `--private` as a synonym for `--secret` in `key list`, `key export`, and `key remove` subcommands.
- The `remote status` command will now print the username, realname, and email of the logged-in user, if available.
- The `cache` commands now accept `--type oci-sif` to list and clean cached OCI-SIF image conversions of OCI sources.
- The `instance start` command now accepts an optional `--app <name>` argument which invokes start script within the `%appstart <name>` section in the definition file. The `instance stop` command still only requires the instance name.
- A new `--no-pid` flag for `singularity run/shell/exec` disables the PID namespace inferred by `--containall` and `--compat`.
- A new `--platform` flag can be used to specify an `OS/Architecture[/Variant]` when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.
- The `--arch` flag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.
Developer / API
- Support for image driver plugins, deprecated at 3.11, has been removed. Unprivileged kernel overlay is supported without a plugin. In `singularity.conf`, the `image driver` directive has been removed, and `enable overlay` no longer supports the `driver` option.
- Changes in `pkg/build/types.Definition` struct. New `.FullRaw` field introduced, which always contains the raw data for the entire definition file. Behavior of `.Raw` field has changed: for multi-stage builds parsed with `pkg/build/types/parser.All()`, `.Raw` contains the raw content of a single build stage. Otherwise, it is equal to `.FullRaw`.
- The SingularityCE go module is now `github.com/sylabs/singularity/v4`, reflecting the major version of the application.
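A migration check for the `singularity.conf` directives these release notes retire (`image driver` and the `driver` option of `enable overlay` in 4.0, `sif fuse` in 4.1), as an added example that is not SingularityCE code. The `directive = value` line format, the sample file and the final combined-setting note (an inference from the `tmp sandbox` and FUSE fallback notes) are assumptions of this example.

```python
import re

# Directives the release notes mark as deprecated or removed.
RETIRED = {
    "sif fuse": "deprecated from 4.1; FUSE mounts are used automatically "
                "when kernel mounts are disabled / not available",
    "image driver": "removed in 4.0; image driver plugins are no longer supported",
}

# Assumed line format: "<directive words> = <value>", with '#' comments.
DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(.*)$")


def parse_conf(text):
    """Return (line number, directive, value) for each 'directive = value' line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if match:
            name = match.group(1).lower()
            value = match.group(2).strip().lower()
            entries.append((lineno, name, value))
    return entries


def lint_conf(text):
    """Return (line number, directive, message) findings; line 0 means file-wide."""
    findings = []
    last_value = {}
    for lineno, name, value in parse_conf(text):
        last_value[name] = value
        if name in RETIRED:
            findings.append((lineno, name, RETIRED[name]))
        elif name == "enable overlay" and value == "driver":
            findings.append((lineno, name, "the 'driver' option is no longer supported in 4.0"))

    # Inference, not a statement from the release notes: with kernel squashfs
    # mounts off and the temporary-sandbox fallback off, running a SIF image
    # depends on the FUSE mount succeeding.
    if (last_value.get("allow kernel squashfs") == "no"
            and last_value.get("tmp sandbox") == "no"):
        findings.append((0, "tmp sandbox",
                         "kernel squashfs mounts and the sandbox fallback are both "
                         "disabled; SIF images depend on the FUSE mount succeeding"))
    return findings


# Constructed sample, not taken from a real system.
SAMPLE_CONF = """\
# constructed singularity.conf fragment
allow kernel squashfs = no
sif fuse = yes
enable overlay = driver
image driver = example-plugin
tmp sandbox = no
oci mode = yes
"""

if __name__ == "__main__":
    for lineno, name, message in lint_conf(SAMPLE_CONF):
        where = f"line {lineno}" if lineno else "file"
        print(f"{where}: {name}: {message}")
```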
Bug Fixes
- Fix interaction between `--workdir` when given relative path and `--scratch`.
- Set correct `$HOME` in `--oci` mode when `mount home = no` in `singularity.conf`.
- Lookup a...
SingularityCE 3.11.4
SingularityCE 3.11.4 is a patch release in the 3.11 series, with changes detailed below.
Changed defaults / behaviours
- Add `xino=on` mount option for writable kernel overlay mount points to fix inode numbers consistency after kernel cache flush.
New Features & Functionality
- The `tap` CNI plugin, new to github.com/containernetworking/plugins v1.3.0, is now provided.
- Added `remote get-login-password` subcommand that allows the user to retrieve a CLI token to interact with the OCI registry of a Singularity Enterprise instance.
- Added `--no-setgroups` flag for `--fakeroot` builds and run/shell/exec. This prevents the `setgroups` syscall being used on the container process in the fakeroot user namespace. Maintains access from within the user namespace to files on the host that have permissions based on supplementary group membership. Note that supplementary groups are mapped to `nobody` in the container, and `chgrp`, `newgrp`, etc. cannot be used.
- Added ability to set a custom user config directory (default `$HOME/.singularity`) via the new `SINGULARITY_CONFIGDIR` environment variable.
Bug Fixes
- In `--oci` mode, do not attempt to use unprivileged overlay on systems that do not support it.
- Fix dropped "n" characters on some platforms in definition file stored as part of SIF metadata.
- Pass STDIN to `--oci` containers correctly, to fix piping input to a container.
- Fix compilation on 32-bit systems.
- Fix seccomp filters to allow mknod/mknodat syscalls to create pipe/socket and character devices with device number 0 for fakeroot builds.
- Fix freeze when copying files between stages in an unprivileged proot build.
- Fix non-POSIX sh operator in mconfig.
- Correct internal name for CAP_BLOCK_SUSPEND.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.4.tar.gz download below to obtain and install SingularityCE 3.11.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.20.5
SingularityCE 3.11.3
SingularityCE 3.11.3 is a patch release in the 3.11 series, with changes detailed below.
Changed defaults / behaviours
- `--oci` mode now provides a writable container by default, using a tmpfs overlay. This improves parity with `--compat` mode in the native runtime, as `--compat` enables `--writable-tmpfs`.
Bug Fixes
- Ensure the `allow kernel squashfs` directive in `singularity.conf` applies to encrypted squashfs filesystems in a SIF.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-3.11.3.tar.gz download below to obtain and install SingularityCE 3.11.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 18.04 (bionic)
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.20.4