
singularity-ce-4.1.3-lp160.1.2 RPM for s390x

From OpenSuSE Leap 16.0 for s390x

Name: singularity-ce
Distribution: openSUSE Leap 16.0
Version: 4.1.3
Vendor: openSUSE
Release: lp160.1.2
Build date: Wed May 15 20:06:24 2024
Group: Unspecified
Build host: reproducible
Size: 192270500
Source RPM: singularity-ce-4.1.3-lp160.1.2.src.rpm
Packager: https://bugs.opensuse.org
Url: https://www.sylabs.io/singularity/
Summary: Application and environment virtualization
SingularityCE is the Community Edition of Singularity, an open source
container platform designed to be simple, fast, and secure.

Provides

Requires

License

Apache-2.0 AND BSD-3-Clause-LBNL

Changelog

* Wed May 15 2024 Egbert Eich <eich@suse.com>
  - Fix CVE-2024-3727 (bsc#1224129).
    * Fix-CVE-2024-3727-bsc-1224129.patch
    The fix is a no-op as none of the affected files are still in
    use with version 4.1.3.
* Tue May 14 2024 Egbert Eich <eich@suse.com>
  - Update to version 4.1.3
    * Bug Fixes
      + Set default `PATH` in container run in OCI-Mode when image does not set
      `PATH`.
      + Fix storage of credentials for `docker.io` to behave the same as for
      `index.docker.io`.
      + Improve documentation for remote list command.
      + Don't fail with lack of descriptor capacity when writing OCI images
      with many layers to OCI-SIF.
      + Ensure a fixed number of spare descriptors is present in the OCI-SIF
      when pulling an OCI image.
  - SingularityCE 4.1.2
    * Bug Fixes
      + Set OCI runtime-spec annotations that are required by the documented
      image-spec conversion process.
      + In `--oci` mode always set inner ID map based on host user, not
      `USER` in OCI container. Fixes incorrect permissions for files
      owned by `USER` in the container.
      + Provide warning / info message for OCI image-spec features
      (volumes, exposed ports) that are not supported by singularity.
      + Honor `WORKDIR` by default for OCI images in `--oci` mode, as
      required by OCI image-spec.
      + Restore previous `--writable` behaviour when running a container
      image from SIF/SquashFS in user namespace mode. The image will be
      extracted to a temporary sandbox, which is writable at runtime.
      Note that any changes are not made to the original image.
      + Fix `target: no such file or directory` error in native mode when
      extracting layers from certain OCI images that manipulate hard links
      across layers.
      + Fix extraction of OCI layers when run in a root mapped user namespace
      (e.g. `unshare -r`).
      + Use user namespace for wrapping of unsquashfs when singularity is run
      with `--userns` / `-u` flag. Fixes temporary sandbox extraction of
      images in non-root mapped user namespace (e.g. `unshare -c`).
  - Version 4.1.1
    * Security Related Fixes
      + Update `github.com/moby/buildkit` dependency, used for `--oci`
      Dockerfile builds, addressing the following upstream CVEs:
      + CVE-2024-23650 Possible panic when incorrect parameters sent from
      frontend
      + CVE-2024-23651 Possible race condition with accessing subpaths
      from cache mounts.
      + CVE-2024-23652 Possible host system access from mount stub cleaner.
      + CVE-2024-23653 Interactive containers API does not validate
      entitlements check.
    Note also that in OCI-Mode, SingularityCE may call out to runc versions
    vulnerable to CVE-2024-21626. runc is not bundled with SingularityCE,
    and should be updated via your Linux distribution's package manager,
    or manually.
  - Version 4.1.0
    Introducing Dockerfile builds, multi-layer OCI-SIF images, and many
    other improvements.
    See the release notes below, and the user and admin guides for more
    information:
      https://docs.sylabs.io/guides/4.1/admin-guide/new.html
      https://docs.sylabs.io/guides/4.1/user-guide/new.html
    * Changed defaults / behaviours
      + `--oci` mode containers and native mode instances can now be
      successfully started as a non-root user on cgroups v2 systems when
      both:
    - The system configuration / environment does not provide the
      correct information necessary to communicate with systemd via dbus.
    - Resource limits (e.g. `--cpus`) have not been requested.
      + The container / instance will be started in the current cgroup, and
      information about the configuration issue displayed to the user as
      warnings.
      + In native mode, SIF/SquashFS container images will now be mounted
      with squashfuse when kernel mounts are disabled in `singularity.conf`,
      or cannot be used (non-setuid / user namespace workflow). If the
      FUSE mount fails, Singularity will fall back to extracting the
      container to a temporary sandbox in order to run it.
      + In native mode, bare extfs container images will now be mounted with
      fuse2fs when kernel mounts are disabled in `singularity.conf`, or
      cannot be used (non-setuid / user namespace workflow).
    * New Features & Functionality
      + The registry login and registry logout commands now support a
      `--authfile <path>` flag, which causes the OCI credentials to be
      written to / removed from a custom file located at `<path>` instead
      of the default location (`$HOME/.singularity/docker-config.json`).
      The commands `pull`, `push`, `run`, `exec`, `shell`, and instance
      start can now also be passed a `--authfile <path>` option, to read
      OCI registry credentials from this custom file.
    + A new `--keep-layers` flag, for the `pull` and `run/shell/exec/
      instance start` commands, allows individual layers to be preserved
      when an OCI-SIF image is created from an OCI source. Multi layer
      OCI-SIF images can be run with SingularityCE 4.1 and later.
    + Singularity will now build OCI-SIF images from Dockerfiles, if the
      `--oci` flag is used with the build command. Provide a Dockerfile
      as the final argument to `build`, instead of a Singularity definition
      (.def) file. Supports `--build-arg` / `--build-arg-file` options,
      `--arch` for cross-architecture builds, `--authfile` and other
      authentication options, and more. See the user guide for more
      information.
    + Docker-style SCIF containers
      (https://sci-f.github.io/tutorial-preview-install)
      are now supported. If the entrypoint of an OCI container is the
      scif executable, then the `run` / `exec` / `shell` commands in
      `--oci` mode can be given the `--app <appname>` flag, and will
      automatically invoke the relevant SCIF command.
    + A new --tmp-sandbox flag has been added to the `run / shell /
      exec / instance start` commands. This will force Singularity to
      extract a container to a temporary sandbox before running it, when it
      would otherwise perform a kernel or FUSE mount.
    + Bug Fixes
      + Added missing tmp sandbox directive to singularity.conf template.
    * Deprecated Functionality
      + The experimental `--sif-fuse` flag, and sif fuse directive in
      `singularity.conf` are deprecated. The flag and directive were used
      to enable experimental mounting of SIF/SquashFS container images with
      FUSE in prior versions of Singularity. From 4.1, FUSE mounts are used
      automatically when kernel mounts are disabled / not available.
  - Version 4.0.3
    * Bug Fixes
      + Use kernel overlayfs instead of fuse-overlayfs when running as root
      user, regardless of unprivileged kernel overlay support.
      + Execute correct `%appstart` script when using instance start with
      `--app`.
  - Version 4.0.2
    * Changed defaults / behaviours
      + Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA Drivers
      (known with >= 525.85.05) require this lib to compile OpenCL programs
      against NVIDIA GPUs, i.e. `libnvidia-opencl` depends on
      `libnvidia-nvvm`.
    * Bug Fixes
      + Support parentheses in test / [ commands in container startup scripts,
      via dependency update of mvdan.cc/sh.
      + Fix incorrect client timeout during remote build context upload.
      + When user requests a bind of `/dev:/dev` or `/dev/xxx:/dev/xxx` in
      OCI-mode, ensure that it is bind mounted with appropriate flags so
      that it is usable in the container.
  - Version 4.0.1
    * New Features & Functionality
      + Added the upcoming NVIDIA driver library libnvidia-gpucomp.so to the
      list of libraries to add to NVIDIA GPU-enabled containers.
    * Bug Fixes
      + Don't bind `/var/tmp` on top of `/tmp` in the container, where
      `/var/tmp` resolves to same location as `/tmp`.
      + Fix problem where credentials locally stored with registry login
      command were not usable in some execution flows. Run registry login
      again with latest version to ensure credentials are stored correctly.
      + Don't fail in a yum bootstrap on systems where the _db_backend rpm
      macro is not defined (EL <8).
  - Version 4.0.0
    New major release with the new OCI-mode becoming fully supported and
    expanded to use OCI-SIF images. v4.0.0 also introduces a number of CLI
    improvements, templating support for definition files, improved
    platform/architecture handling for OCI images, and much more.
    * OCI-mode
      Singularity 4 introduces OCI-mode as a fully supported feature. It is
      enabled by using the `--oci` flag with the `run / shell / exec / pull`
      commands, or by setting `oci mode = yes` in `singularity.conf`.
      In OCI-mode:
      + Container images from OCI sources will be pull-ed to an OCI-SIF file.
      An OCI-SIF file encapsulates the OCI image configuration and squashed
      filesystem using an OCI, rather than Singularity specific, structure.
      + The `run / shell / exec` commands use a low-level OCI runtime
      (`crun`/`runc`) for container execution.
      + Default operation is compatible with other OCI tools, similar to
      using `--compat` in Singularity's non-OCI native mode.
      + OCI-mode supports running existing Singularity non-OCI-SIF images,
      and can be made to imitate native mode default behavior by using the
      `--no-compat` flag.
    * OCI-mode changes from 3.11 to 4.0 include:
      + `run / shell / exec` in OCI-mode now includes support for the following
      existing CLI flags:
    - `--add-caps`
    - `--drop-caps`
    - `--keep-privs`
    - `--no-privs`
    - `--overlay` from directories, bare squashfs and extfs images.
    - `--workdir`
    - `--scratch`
    - `--no-home`
    - `--no-mount` (dev cannot be disabled in OCI mode)
    - `--no-umask` (with --no-compat)
    - `--writable-tmpfs` (with `--no-compat`)
      + Added `--device` flag to "action" commands (`run`/`exec`/`shell`)
      when run in OCI mode (`--oci`). Currently supports passing one or
      more (comma-separated) fully-qualified CDI device names, and those
      devices will then be made available inside the container.
      + Added `--cdi-dirs` flag to override the default search locations
      for CDI json files, allowing, for example, users who don't have root
      access on their host machine to nevertheless create CDI mappings
      (into containers run with `--fakeroot`, for example).
      + A container run as root, or with `--fakeroot`, has OCI default
      effective/permitted capabilities.
      + An `--env-file` is evaluated with respect to the host environment,
      to match native mode behaviour.
      + If the kernel does not support unprivileged overlays, OCI-mode will
      attempt to use fuse-overlayfs and fusermount for overlay mounting
      and unmounting.
      + Support for the `SINGULARITY_CONTAINLIBS` env var, to specify
      libraries to bind into /.singularity.d/libs/ in the container.
      + Support for running OCI-SIF images directly from `docker://`,
      `http://`, `https://` and `oras://` URIs.
      + A new `--no-compat` flag can be used with OCI-mode to mirror
      singularity's historic native mode behavior on a variety of settings,
      instead of setting them the way other OCI runtimes typically do:
    - `$HOME`, `/tmp`, `/var/tmp` are bind mounted from the host.
      The full /dev is bind mounted from the host, unless `mount
      dev = minimal` in `singularity.conf` (requires `crun`, not
      applied with `runc`).
    - `bind path` entries in `singularity.conf` are mounted into the
      container.
    - The current working directory is mounted into the container, and
      is the entry point into the container.
    - The container is read-only unless `--writable-tmpfs` is also used.
      The host umask is propagated into the container, unless `--no-umask`
      is also used.
    - When a native (non-OCI-SIF) image is run in OCI-mode, environment
      variables will be shell evaluated on container startup.
      + The pull command now accepts a new flag --oci for OCI image sources.
      This will create an OCI-SIF image rather than convert to Singularity's
      native container format.
      + OCI-SIF containers can be pushed/pulled to/from OCI registries as
      single file artifacts using `oras://` URIs.
      + OCI-SIF containers can be pushed/pulled to/from registries as OCI
      images, with a single squashfs layer, using `docker://` URIs.
      + A new oci mode directive in singularity.conf can be set to true to
      enable OCI-mode by default. It can be negated with a new `--no-oci`
      command line flag.
    * Changed defaults / behaviours
      + Packages / Requirements
    - The --vm and related flags to start singularity inside a VM have been
      removed. This functionality was related to the retired Singularity
      Desktop / SyOS projects.
      + CLI
    - The commands related to OCI/Docker registries that were under remote
      have been moved to their own, dedicated registry command. Run
      `singularity help registry` for more information.
    - The `remote list` subcommand now outputs only remote endpoints (with
      keyservers and OCI/Docker registries having been moved to separate
      commands), and the output has been streamlined.
    - Adding a new remote endpoint using the `singularity remote add`
      command will now set the new endpoint as default. This behavior
      can be suppressed by supplying the `--no-default` (or `-n`) flag
      to remote add.
    - The keyserver-related commands that were under remote have been moved
      to their own, dedicated keyserver command. Run singularity help
      keyserver for more information.
    - Improved the clarity of singularity key list output.
      `--cwd` is now the preferred form of the flag for setting the
      container's working directory, though `--pwd` is still supported
      for compatibility.
      + Runtime Behaviour
    - The way `--home` is handled when running as root (e.g. `sudo
      singularity`) or with `--fakeroot` has changed. Previously, we were
      only modifying the `HOME` environment variable in these cases, while
      leaving the container's `/etc/passwd` file unchanged (with its
      homedir field pointing to `/root`, regardless of the value passed
      to `--home`). With this change, both the value of HOME and the
      contents of `/etc/passwd` in the container will reflect the value
      passed to `--home`.
    - Bind mounts are now performed in the order of their occurrence on the
      command line, or within the value of the `SINGULARITY_BIND`
      environment variable. (Previously, image-mounts were always
      performed first, regardless of order.)
    - Default OCI config generated with `singularity mount` no longer sets
      any inheritable / ambient capabilities, matching other OCI runtimes.
    - `singularity oci mount` now uses, and requires, `squashfuse_ll` or
      `squashfuse` to mount a SIF image to an OCI bundle.
    - The current working directory is created in the container when it
      doesn't exist, so that it can be entered. You must now specify
      `--no-mount home,cwd` instead of just `--no-mount home` to avoid
      mounting from `$HOME` if you run singularity from inside `$HOME`.
    - If the path of the current working directory in the container and
      on the host contain symlinks to different locations, it will not
      be mounted.
      + New Features & Functionality
    - Templating support for definition files: users can now define
      variables in definition files via a matching pair of double curly
      brackets.
      Variables of the form `{{ variable }}` will be replaced by a value
      defined either by a variable=value entry in the `%arguments` section
      of the definition file, or through new build options `--build-arg`
      or `--build-arg-file`.
    - Added `--secret` flag (shorthand: `-s`) to key remove subcommand, to
      allow removal of a private key by fingerprint.
    - Added `--private` as a synonym for `--secret` in `key list`,
      `key export`, and key remove subcommands.
    - The `remote status` command will now print the username, realname,
      and email of the logged-in user, if available.
    - The cache commands now accept `--type oci-sif` to list and clean
      cached OCI-SIF image conversions of OCI sources.
    - The `instance start` command now accepts an optional `--app <name>`
      argument which invokes start script within the `%appstart <name>`
      section in the definition file. The instance stop command still
      only requires the instance name.
    - A new `--no-pid` flag for singularity `run/shell/exec` disables the
      PID namespace inferred by `--containall` and `--compat`.
    - A new `--platform` flag can be used to specify an
      `OS/Architecture[/Variant]` when pulling images from OCI or
      library sources. When pulling from library sources the optional
      variant is ignored.
    - The `--arch` flag can now be used to specify a required
      architecture when pulling images from OCI, as well as library
      sources.
    - Execution flows that unpack an image into a temporary sandbox
      dir can now be disabled, by setting `tmp sandbox = no` in
      `singularity.conf` or by passing `--no-tmp-sandbox` to the
      relevant run / shell / exec command.
      + Developer / API
    - Support for image driver plugins, deprecated at 3.11, has been
      removed. Unprivileged kernel overlay is supported without a plugin.
      In `singularity.conf`, the image driver directive has been removed,
      and enable overlay no longer supports the driver option.
    - Changes in `pkg/build/types.Definition` struct. New `.FullRaw`
      field introduced, which always contains the raw data for the entire
      definition file. Behavior of .Raw field has changed: for multi-stage
      builds parsed with `pkg/build/types/parser.All()`, `.Raw` contains
      the raw content of a single build stage. Otherwise, it is equal to
      `.FullRaw`.
    - The SingularityCE go module is now
      `github.com/sylabs/singularity/v4`,
      reflecting the major version of the application.
      + Bug Fixes
    - Fix interaction between `--workdir` when given relative path and
      `--scratch`.
    - Set correct `$HOME` in `--oci` mode when `mount home = no` in
      `singularity.conf`.
    - Lookup and store user/group information in stage one prior to
      entering any namespaces to fix issue with winbind not correctly
      looking up user/group information when using user namespace.
    - Caching of OCI images is now architecture aware. This fixes
      behaviour where a user's home directory is shared between systems
      of different architectures.
  - Version 3.11.5
    * Changed defaults / behaviours
    - If commands that expect an image file are given an OCI-SIF image,
      an error will be generated advising the user that this format is
      only supported in versions 4.0 and up.
    * Bug Fixes
    - Improved help text for compile and install subcommands of `plugin`
      command.
  - Version 3.11.4
    * Changed defaults / behaviours
    - Add `xino=on` mount option for writable kernel overlay mount points
      to fix inode numbers consistency after kernel cache flush.
    * New Features & Functionality
    - The `tap` CNI plugin, new to github.com/containernetworking/plugins
      v1.3.0, is now provided.
    - Added remote get-login-password subcommand that allows the user to
      retrieve a CLI token to interact with the OCI registry of a
      Singularity Enterprise instance.
    - Added `--no-setgroups` flag for `--fakeroot` builds and `run`/
      `shell`/`exec`. This prevents the setgroups syscall being used
      on the container process in the fakeroot user namespace. Maintains
      access from within the user namespace to files on the host that
      have permissions based on supplementary group membership. Note
      that supplementary groups are mapped to nobody in the container,
      and `chgrp`, `newgrp`, etc. cannot be used.
    - Added ability to set a custom user config directory (default
      `$HOME/.singularity`) via the new `SINGULARITY_CONFIGDIR`
      environment variable.
    * Bug Fixes
      + In `--oci` mode, do not attempt to use unprivileged overlay on
      systems that do not support it.
      + Fix dropped "n" characters on some platforms in definition file
      stored as part of SIF metadata.
      + Pass STDIN to `--oci` containers correctly, to fix piping input
      to a container.
      + Fix seccomp filters to allow `mknod`/`mknodat` syscalls to create
      pipe/socket and character devices with device number 0 for
      fakeroot builds.
      + Fix freeze when copying files between stages in an unprivileged
      proot build.
      + Fix non-POSIX sh operator in mconfig.
      + Correct internal name for `CAP_BLOCK_SUSPEND`.
  - Version 3.11.3
    * Changed defaults / behaviours
      + `--oci` mode now provides a writable container by default, using
      a tmpfs overlay. This improves parity with `--compat` mode in the
      native runtime, as `--compat` enables `--writable-tmpfs`.
    * Bug Fixes
      + Ensure the allow kernel squashfs directive in `singularity.conf`
      applies to encrypted squashfs filesystems in a SIF.
  - Version 3.11.2
    * New Features & Functionality
      + OCI mode now supports `--hostname` (requires UTS namespace,
      therefore this flag will infer `--uts`).
      + OCI mode now supports `--scratch` (shorthand: `-S`) to mount a
      tmpfs scratch directory in the container.
      + Support `--pwd` in OCI mode.
      + OCI mode now supports `--home`. Supplying a single location (e.g.
      `--home /myhomedir`) will result in a new tmpfs directory being
      created at the specified location inside the container, and that
      dir being set as the in-container user's home dir. Supplying two
      locations separated by a colon (e.g.
      `--home /home/user:/myhomedir`) will result in the first
      location on the host being bind-mounted as the second location
      in-container, and set as the in-container user's home dir.
      + OCI mode now handles `--dns` and `resolv.conf` on par with
      native mode: the `--dns` flag can be used to pass a
      comma-separated list of DNS servers that will be used in the
      container; if this flag is not used, the container will use the
      same `resolv.conf` settings as the host.
      + Added `allow kernel squashfs` directive to `singularity.conf`.
      Defaults to `yes`. When set to no, Singularity will not mount
      squashfs filesystems using the kernel squashfs driver.
      + Added `allow kernel extfs` directive to `singularity.conf`.
      Defaults to yes. When set to no, Singularity will not mount
      extfs filesystems using the kernel extfs driver.
    * Bug Fixes
      + Require runc in RPM packages built on SLES, not crun, because crun
      is part of the Package Hub community repository that may not be
      enabled. SingularityCE will still prefer crun if it has been
      installed.
      + Use `/dev/loop-control` for loop device creation, to avoid issues
      with recent kernel patch where `max_loop` is not set.
      + Always request inner userns in `--oci` mode without `--fakeroot`,
      so that inner id mapping is applied correctly.
      + Use correct target uid/gid for inner id mappings in `--oci` mode.
      + Avoid `runc` cgroup creation error when using `--oci` from a
      root-owned cgroup (e.g. ssh login session scope).
      + Pass host's `TERM` environment variable to container in OCI mode.
      Can be overridden by setting `SINGULARITYENV_TERM` on host.
      + Honour config passwd and config group directives from
      `singularity.conf` in `--oci` mode.
      + Honour `mount proc` / `mount sys` / `mount tmp` / `mount home`
      directives from singularity.conf in --oci mode.
      + Corrected `singularity.conf` comment, to refer to correct file as
      source of default capabilities when `root default capabilities = file`.
  - Version 3.11.1
    * New Features & Functionality
      + Add `setopt` definition file header for the yum bootstrap agent.
      The `setopt` value is passed to `yum / dnf` using the `--setopt`
      flag. This permits setting e.g. `install_weak_deps=False` to
      bootstrap recent versions of Fedora, where systemd (a weak
      dependency) cannot install correctly in the container.
      See `examples/Fedora` for an example definition file.
      + Warn user that a `yum` bootstrap of an older distro may fail if
      the host rpm `_db_backend` is not `bdb`.
    * Bug Fixes
      + Fix implied `--writable-tmpfs` with `--nvccli`, to avoid r/o
      filesystem error.
      + Avoid incorrect error when requesting fakeroot network.
      + Pass computed `LD_LIBRARY_PATH` to wrapped `unsquashfs`. Fixes
      issues where unsquashfs on host uses libraries in non-default paths.
      + Show correct memory limit in instance stats when a limit is set.
      + Ensure consistent binding of libraries under `--nv/--rocm` when
      duplicate <library>.so[.version] files are listed by `ldconfig -p`.
      + Fix systemd cgroup manager error when running a container as a
      non-root user with `--oci`, on systems with cgroups v1 and `runc`.
      + Fix joining cgroup of instance started as root, with cgroups v1,
      non-default cgroupfs manager, and no device rules.
  - Version 3.11.0
    * Changed defaults / behaviours
    - Image driver plugins, implementing the `RegisterImageDriver`
      callback, are deprecated and will be removed in 4.0. Support for
      the example plugin has been replaced with direct support for
      kernel unprivileged overlay.
    - When the kernel supports unprivileged overlay mounts in a user
      namespace, the container will be constructed using an overlay
      instead of underlay layout.
    - `crun` will be used as the low-level OCI runtime, when available,
      rather than `runc`. If crun is not available, runc will be used.
    - `sessiondir maxsize` in `singularity.conf` now defaults to 64 MiB
      for new installations. This is an increase from 16 MiB in prior
      versions.
    - Instances are started in a cgroup, by default, when run as root
      or when unified cgroups v2 with systemd as manager is configured.
      This allows `singularity instance stats` to be supported by default
      when possible.
    * New features / functionality
      + Image Building
    - Support for a custom hashbang in the `%test` section of a
      Singularity recipe (akin to the runscript and start sections).
      + Non-root users can now build from a definition file, on systems that
      do not support `--fakeroot`. This requires the statically built
      `proot` command (https://proot-me.github.io/) to be available on
      the user `PATH`. These builds:
    - Do not support `arch` / `debootstrap` / `yum` / `zypper`
      bootstraps. Use `localimage`, `library`, `oras`, or one of the
      docker/oci sources.
    - Do not support `%pre` and `%setup` sections.
    - Run the `%post` sections of a build in the container as an
      emulated root user.
    - Run the `%test` section of a build as the non-root user, like
      singularity test.
    - Are subject to any restrictions imposed in `singularity.conf`.
      Incur a performance penalty due to `proot`'s ptrace based
      interception of syscalls.
    - May fail if the `%post` script requires privileged operations
      that proot cannot emulate.
      + Instances
    - Instances started by a non-root user can use `--apply-cgroups`
      to apply resource limits. Requires cgroups v2, and delegation
      configured via systemd.
    - A new instance stats command displays basic resource usage
      statistics for a specified instance, running within a cgroup.
    - Instance name is available inside an instance via the new
      `SINGULARITY_INSTANCE` environment variable.
      + Mounts & Overlays
    - `--writable-tmpfs` is now available when running unprivileged,
      or explicitly requesting a user namespace, on systems with a
      kernel that supports unprivileged overlay mounts in a user
      namespace.
    - The `--no-mount` flag now accepts the value bind-paths to disable
      mounting of all bind path entries in `singularity.conf`.
    - Persistent overlays (`--overlay`) from a directory are now available
      when running unprivileged, or explicitly requesting a user
      namespace, on systems with a kernel that supports unprivileged
      overlay mounts in a user namespace.
    - Add `--sparse` flag to overlay create command to allow generation
      of a sparse ext3 overlay image.
      + OCI / Docker Compatibility
    - Support for `DOCKER_HOST` parsing when using `docker-daemon://`
    - `DOCKER_USERNAME` and `DOCKER_PASSWORD` supported without
      `SINGULARITY_` prefix.
    - A new `--oci` flag for run/exec/shell enables the experimental
      OCI runtime mode. This mode:
    - Runs OCI container images from an OCI bundle, using `runc` or
      `crun`.
    - Supports `docker://`, `docker-archive:`, `docker-daemon:`,
      `oci:`, `oci-archive:` image sources.
    - Does not support running Singularity SIF, SquashFS, or EXT3
      images.
      Provides an environment similar to Singularity's native runtime,
      running with `--compat`.
    - Supports the following options / flags. Other options are not
      yet supported:
    * `--fakeroot` for effective root in the container. Requires
      subuid/subgid mappings.
    * Bind mounts via `--bind` or `--mount`. No image mounts.
    * Additional namespaces requests with `--net`, `--uts`, `--user`.
    * Container environment variables via `--env`, `--env-file`,
      and `SINGULARITYENV_` host env vars.
    * `--rocm` to bind ROCm GPU libraries and devices into the
      container.
    * `--nv` to bind Nvidia driver / basic CUDA libraries and devices
      into the container.
    * `--apply-cgroups`, and the `--cpu*`, `--blkio*`, `--memory*`,
      `--pids-limit` flags to apply resource limits.
      + Signing & Verification
    - The `sign` command now supports signing with non-PGP key material
      by specifying the path to a private key via the `--key` flag.
    - The `verify` command now supports verification with non-PGP key
      material by specifying the path to a public key via the `--key`
      flag.
    - The verify command now supports verification with X.509
      certificates by specifying the path to a certificate via the
      `--certificate` flag. By default, the system root certificate
      pool is used as trust anchors unless overridden via the
      `--certificate-roots` flag. A pool of intermediate certificates
      that are not trust anchors, but can be used to form a
      certificate chain can also be specified via the
      `--certificate-intermediates` flag.
    - Support for online verification checks of x509 certificates
      using OCSP protocol. (introduced flag: verify `--ocsp-verify`)
      + Other
    - Add new Linux capabilities: `CAP_PERFMON`, `CAP_BPF`,
      `CAP_CHECKPOINT_RESTORE`.
    - A new `--reproducible` flag for `./mconfig` will configure
      Singularity so that its binaries do not contain non-reproducible
      paths. This disables plugin functionality.
      + Bug Fixes
    - In `--rocm` mode, the whole of `/dev/dri` is now bound into
      the container when `--contain` is in use. This makes
      `/dev/dri/render` devices available, required for later ROCm
      versions.
    - Overlay is blocked on the panfs filesystem, allowing sandbox
      directories to be run from `panfs` without error.
    - Avoid UID / GID readonly var warnings with `--env-file`.
  - Version 3.10.5 (security release).
    * Security Related Fixes
      + CVE-2022-23538: The github.com/sylabs/scs-library-client dependency
      included in SingularityCE >=3.10.0, <3.10.5 may leak user
      credentials to a third-party service via HTTP redirect.
  - Version 3.10.4
    * Bug Fixes
      + Ensure make dist doesn't include conmon binary or intermediate
      files.
      + Do not hang on pull from http(s) source that doesn't
      provide a content-length.
      + Avoid hang on fakeroot cleanup under high load seen on some
      distributions / kernels.
  - Version 3.10.3 (security release)
    * Security Related Fixes
      + This version fixes a vulnerability related to the verification of
      SIF container image signatures, in the `github.com/sylabs/sif`
      dependency, by updating to sif v2.8.1.
      CVE-2022-39237: The `github.com/sylabs/sif/v2` dependency included
      in SingularityCE <=3.10.3 does not verify that the hash algorithm(s)
      used are cryptographically secure when verifying digital signatures.
      This release updates to sif v2.8.1 which corrects this issue. See
      the linked advisory for references and a workaround.
    * Bug Fixes
      + Ensure bootstrap_history directory is populated with previous
      definition files, present in source containers used in a build.
* Mon Feb 26 2024 Dominique Leuenberger <dimstar@opensuse.org>
  - Use %autosetup macro. Allows eliminating the usage of deprecated
    PatchN.
* Fri Oct 28 2022 Egbert Eich <eich@suse.com>
  - Add Provides: and Obsoletes: to attempt to mark this as a possible
    replacement for the original singularity package which has been
    discontinued.
* Mon Aug 08 2022 Christian Goll <cgoll@suse.com>
  - Fixed i586 builds
  - Updated to 3.10.2 with following changes:
    * Ensure no empty if branch is present in generated OCI image runscripts.
      Would prevent execution of container by other tools that are not using
      mvdan.cc/sh.
    * Debug output can now be enabled by setting the SINGULARITY_DEBUG env var.
    * Debug output is now shown for nested singularity calls, in wrapped
      unsquashfs image extraction, and build stages.
    * Fix test code that implied %test -c <shell> was supported - it is not.
    * Fix compilation on mipsel.
* Fri Jul 15 2022 Christian Goll <cgoll@suse.com>
  - Initial check in for singularity-ce (community edition) 3.10.0, which
    is a fork of apptainer and singularity
  - Additional files:
    * useful_error_message.patch adds a pointer to README.SUSE
    * README.SUSE explains how to run apptainer

Files

/etc/singularity
/etc/singularity/capability.json
/etc/singularity/cgroups
/etc/singularity/cgroups/cgroups.toml
/etc/singularity/ecl.toml
/etc/singularity/global-pgp-public
/etc/singularity/network
/etc/singularity/network/00_bridge.conflist
/etc/singularity/network/10_ptp.conflist
/etc/singularity/network/20_ipvlan.conflist
/etc/singularity/network/30_macvlan.conflist
/etc/singularity/network/40_fakeroot.conflist
/etc/singularity/nvliblist.conf
/etc/singularity/remote.yaml
/etc/singularity/rocmliblist.conf
/etc/singularity/seccomp-profiles
/etc/singularity/seccomp-profiles/default.json
/etc/singularity/singularity.conf
/usr/bin/run-singularity
/usr/bin/singularity
/usr/lib/sysusers.d/system-group-singularity-ce.conf
/usr/libexec/singularity
/usr/libexec/singularity/bin
/usr/libexec/singularity/bin/singularity-buildkitd
/usr/libexec/singularity/bin/starter
/usr/libexec/singularity/bin/starter-suid
/usr/libexec/singularity/cni
/usr/libexec/singularity/cni/bandwidth
/usr/libexec/singularity/cni/bridge
/usr/libexec/singularity/cni/dhcp
/usr/libexec/singularity/cni/firewall
/usr/libexec/singularity/cni/host-device
/usr/libexec/singularity/cni/host-local
/usr/libexec/singularity/cni/ipvlan
/usr/libexec/singularity/cni/loopback
/usr/libexec/singularity/cni/macvlan
/usr/libexec/singularity/cni/portmap
/usr/libexec/singularity/cni/ptp
/usr/libexec/singularity/cni/sbr
/usr/libexec/singularity/cni/static
/usr/libexec/singularity/cni/tap
/usr/libexec/singularity/cni/tuning
/usr/libexec/singularity/cni/vlan
/usr/libexec/singularity/cni/vrf
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/singularity
/usr/share/doc/packages/singularity-ce
/usr/share/doc/packages/singularity-ce/CHANGELOG.md
/usr/share/doc/packages/singularity-ce/CONTRIBUTING.md
/usr/share/doc/packages/singularity-ce/CONTRIBUTORS.md
/usr/share/doc/packages/singularity-ce/README.SUSE
/usr/share/doc/packages/singularity-ce/README.md
/usr/share/licenses/singularity-ce
/usr/share/licenses/singularity-ce/LICENSE.md
/usr/share/licenses/singularity-ce/LICENSE_DEPENDENCIES.md
/usr/share/licenses/singularity-ce/LICENSE_THIRD_PARTY.md
/usr/share/man/man1/singularity-build.1.gz
/usr/share/man/man1/singularity-cache-clean.1.gz
/usr/share/man/man1/singularity-cache-list.1.gz
/usr/share/man/man1/singularity-cache.1.gz
/usr/share/man/man1/singularity-capability-add.1.gz
/usr/share/man/man1/singularity-capability-avail.1.gz
/usr/share/man/man1/singularity-capability-drop.1.gz
/usr/share/man/man1/singularity-capability-list.1.gz
/usr/share/man/man1/singularity-capability.1.gz
/usr/share/man/man1/singularity-config-fakeroot.1.gz
/usr/share/man/man1/singularity-config-global.1.gz
/usr/share/man/man1/singularity-config.1.gz
/usr/share/man/man1/singularity-delete.1.gz
/usr/share/man/man1/singularity-exec.1.gz
/usr/share/man/man1/singularity-inspect.1.gz
/usr/share/man/man1/singularity-instance-list.1.gz
/usr/share/man/man1/singularity-instance-start.1.gz
/usr/share/man/man1/singularity-instance-stats.1.gz
/usr/share/man/man1/singularity-instance-stop.1.gz
/usr/share/man/man1/singularity-instance.1.gz
/usr/share/man/man1/singularity-key-export.1.gz
/usr/share/man/man1/singularity-key-import.1.gz
/usr/share/man/man1/singularity-key-list.1.gz
/usr/share/man/man1/singularity-key-newpair.1.gz
/usr/share/man/man1/singularity-key-pull.1.gz
/usr/share/man/man1/singularity-key-push.1.gz
/usr/share/man/man1/singularity-key-remove.1.gz
/usr/share/man/man1/singularity-key-search.1.gz
/usr/share/man/man1/singularity-key.1.gz
/usr/share/man/man1/singularity-keyserver-add.1.gz
/usr/share/man/man1/singularity-keyserver-list.1.gz
/usr/share/man/man1/singularity-keyserver-login.1.gz
/usr/share/man/man1/singularity-keyserver-logout.1.gz
/usr/share/man/man1/singularity-keyserver-remove.1.gz
/usr/share/man/man1/singularity-keyserver.1.gz
/usr/share/man/man1/singularity-oci-attach.1.gz
/usr/share/man/man1/singularity-oci-create.1.gz
/usr/share/man/man1/singularity-oci-delete.1.gz
/usr/share/man/man1/singularity-oci-exec.1.gz
/usr/share/man/man1/singularity-oci-kill.1.gz
/usr/share/man/man1/singularity-oci-mount.1.gz
/usr/share/man/man1/singularity-oci-pause.1.gz
/usr/share/man/man1/singularity-oci-resume.1.gz
/usr/share/man/man1/singularity-oci-run.1.gz
/usr/share/man/man1/singularity-oci-start.1.gz
/usr/share/man/man1/singularity-oci-state.1.gz
/usr/share/man/man1/singularity-oci-umount.1.gz
/usr/share/man/man1/singularity-oci-update.1.gz
/usr/share/man/man1/singularity-oci.1.gz
/usr/share/man/man1/singularity-overlay-create.1.gz
/usr/share/man/man1/singularity-overlay.1.gz
/usr/share/man/man1/singularity-plugin-compile.1.gz
/usr/share/man/man1/singularity-plugin-create.1.gz
/usr/share/man/man1/singularity-plugin-disable.1.gz
/usr/share/man/man1/singularity-plugin-enable.1.gz
/usr/share/man/man1/singularity-plugin-inspect.1.gz
/usr/share/man/man1/singularity-plugin-install.1.gz
/usr/share/man/man1/singularity-plugin-list.1.gz
/usr/share/man/man1/singularity-plugin-uninstall.1.gz
/usr/share/man/man1/singularity-plugin.1.gz
/usr/share/man/man1/singularity-pull.1.gz
/usr/share/man/man1/singularity-push.1.gz
/usr/share/man/man1/singularity-registry-list.1.gz
/usr/share/man/man1/singularity-registry-login.1.gz
/usr/share/man/man1/singularity-registry-logout.1.gz
/usr/share/man/man1/singularity-registry.1.gz
/usr/share/man/man1/singularity-remote-add.1.gz
/usr/share/man/man1/singularity-remote-get-login-password.1.gz
/usr/share/man/man1/singularity-remote-list.1.gz
/usr/share/man/man1/singularity-remote-login.1.gz
/usr/share/man/man1/singularity-remote-logout.1.gz
/usr/share/man/man1/singularity-remote-remove.1.gz
/usr/share/man/man1/singularity-remote-status.1.gz
/usr/share/man/man1/singularity-remote-use.1.gz
/usr/share/man/man1/singularity-remote.1.gz
/usr/share/man/man1/singularity-run-help.1.gz
/usr/share/man/man1/singularity-run.1.gz
/usr/share/man/man1/singularity-search.1.gz
/usr/share/man/man1/singularity-shell.1.gz
/usr/share/man/man1/singularity-sif-add.1.gz
/usr/share/man/man1/singularity-sif-del.1.gz
/usr/share/man/man1/singularity-sif-dump.1.gz
/usr/share/man/man1/singularity-sif-header.1.gz
/usr/share/man/man1/singularity-sif-info.1.gz
/usr/share/man/man1/singularity-sif-list.1.gz
/usr/share/man/man1/singularity-sif-new.1.gz
/usr/share/man/man1/singularity-sif-setprim.1.gz
/usr/share/man/man1/singularity-sif.1.gz
/usr/share/man/man1/singularity-sign.1.gz
/usr/share/man/man1/singularity-test.1.gz
/usr/share/man/man1/singularity-verify.1.gz
/usr/share/man/man1/singularity-version.1.gz
/usr/share/man/man1/singularity.1.gz
/var/lib/singularity
/var/lib/singularity/mnt
/var/lib/singularity/mnt/session


Generated by rpm2html 1.8.1

Fabrice Bellet, Fri Jan 24 23:38:10 2025