
apptainer-sle15_6-1.3.6-2.2 RPM for noarch

From OpenSuSE Tumbleweed for noarch

Name: apptainer-sle15_6
Distribution: openSUSE Tumbleweed
Version: 1.3.6
Vendor: openSUSE
Release: 2.2
Build date: Fri Jan 3 17:11:01 2025
Group: Productivity/Clustering/Computing
Build host: reproducible
Size: 1456
Source RPM: apptainer-1.3.6-2.2.src.rpm
Packager: https://bugs.opensuse.org
Url: https://apptainer.org
Summary: Apptainer Definition File Templates for SLE 15 SP6
The package provides a definition file template for Apptainer containers
based on SUSE Linux Enterprise 15 SP6.

Provides

Requires

License

BSD-3-Clause-LBNL AND OpenSSL

Changelog

* Fri Jan 03 2025 Egbert Eich <eich@suse.com>
  - Update to version 1.3.6
    * Avoid using kernel overlayfs when the lower layer is a sandbox
      on an incompatible filesystem type such as GPFS or Lustre.
      For those cases use fuse-overlayfs instead. This fixes a
      regression introduced in 1.3.0. The regression didn't much
      impact Lustre because kernel overlayfs refused to try to use
      it and Apptainer proceeded to use fuse-overlayfs anyway, but
      with GPFS the kernel overlayfs allowed mounting but returned
      stale file handle errors.
  - Version 1.3.5
    * Fix a regression introduced in 1.3.4 that overwrote existing
      standard `/.singularity.d` files such as `runscript` in
      container images even if they had been modified.
    * Skip attempting to bind inaccessible mount points when
      handling the `mount hostfs = yes` configuration option.
    * Support parsing nested variables defined inside `%arguments`
      section of definition files.
    * Ignore invalid environment variables when pulling oci/docker
      containers.
  - Version 1.3.4
    * Fixed sif-embedded overlay partitions for containers that are
      larger than 2 gigabytes.
    * Fixed the failure when starting apptainer with
      `instance --fakeroot`.
    * `apptainer build -B ...` can now be used to mount custom
      resolv.conf and hosts files from non-standard outside locations.
      This can be used to run `apptainer build` in a nix-build sandbox
      that has no `/etc/resolv.conf`.
    * Fixed failing builds from local images that have symbolic links
      for paths that are part of the base container environment (e.g.
      /var/tmp -> /tmp).
    * Show info messages suggesting to use
      `enable underlay = preferred` or the `--underlay` flag when
      overlay is implied for bind mounts but the kernel is too old
      to support fuse mounts in user namespaces and so tries to use
      fusermount.
    * When someone uses a `yum` bootstrap to build a container
      without using subuid-based fakeroot or root, warn that it is
      unlikely to work.
    * Allow a writable `--overlay` to be used with `--nvccli` instead
      of `--writable-tmpfs`.
    * If an error "no descriptor found for reference" is seen while
      getting an oci container, retry the operation up to five times.
    * Make fakeroot Recommended for SUSE rpms instead of Required.
    * Allow bind mounts onto existing files on r/o NFS filesystems.
    * If an error is seen in the %post section when building a
      container using fakeroot mode 3 (with the fakeroot command)
      then show a message suggesting using `--ignore-fakeroot-command`
      and referring to the documentation about how to install and use
      it inside the container definition file.
    * Show a more helpful error message when using fakeroot in suid
      mode and there's an `/etc/subuid` mapping even though user
      namespaces are not available (user namespaces are required for
      `/etc/subuid` mapping).
  - Version 1.3.3
    * Added libcudadebugger.so to nvliblist.conf to support cuda-gdb
      in CUDA 12+.
    * Ensure opened/kept file descriptors in stage 1 are not closed
      during the Go garbage collection to avoid "bad file descriptor"
      errors at startup.
    * Fixed a segmentation violation issue when running Apptainer
      checkpoint.
    * Fixed an issue that Apptainer won't read default docker
      credentials.
  - Version 1.3.2
    * Fix for
      [CVE-2024-3727](https://github.com/advisories/GHSA-6wvf-f2vw-3425)
      in a dependent library which describes a flaw that can allow
      attackers to trigger unexpected authenticated registry accesses
      due to object digest values not being validated in all cases.
    * Fixed the issue when nesting `apptainer instance start` inside
      a container on cgroups-v2 capable host.
    * Fixed the issue that oras download progress bar gets stuck
      when downloading large images.
  - Version 1.3.1
    * Make 'apptainer build' work with signed Docker containers.
    * Fixed regression introduced in 1.3.0 that prevented closing
      cryptsetup and the corresponding loop device after running
      an encrypted sif container file in suid mode.
    * Stopped binding over the default timezone in the container
      with the host's timezone, which led to unexpected behavior if
      the application changed timezones.
    * Added progress bars for `oras://` push and pull.
    * Hide `Instance stats will not be available` message under
      `--sharens` mode.
    * Fix problem where credentials locally stored with
      `registry login` command were not usable in some execution
      flows. Run `registry login` again with latest version to ensure
      credentials are stored correctly.
    * Make runscript timeout configurable.
    * Return invalid bind path mount options during bind path
      parsing.
    * Make the INFO message more helpful when a running background
      process at exit time causes a FUSE mount to not shut down
      cleanly.
    * Fixed the wrong mediaType in the oras push manifest.
  - Add Apptainer definition template for SLE15-SP7.
  - Obsoleted:
    * Remove-signatures-from-Docker-images.patch
    * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
  - Make sure the build is reproducible by setting the GNU build ID to one
    derived from the Go one. See https://pkg.go.dev/cmd/link.
  - Use go-jose version with fix for CVE-2024-28180 (bsc#1235211).
* Mon May 13 2024 Egbert Eich <eich@suse.com>
  - Make sure digest values handled by the Go library
    github.com/opencontainers/go-digest and used throughout the
    Go-implemented containers ecosystem are always validated. This
    prevents attackers from triggering unexpected authenticated
    registry accesses.
    * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
      (CVE-2024-3727, bsc#1224114).
* Fri Mar 15 2024 Christian Goll <cgoll@suse.com>
  - Updated apptainer to version 1.3.0
    * FUSE mounts are now supported in setuid mode, enabling full
      functionality even when kernel filesystem mounts are insecure due to
      unprivileged users having write access to raw filesystems in
      containers. When `allow setuid-mount extfs = no` (the default) is set in
      apptainer.conf, the fuse2fs image driver will be used to mount
      ext3 images in setuid mode instead of the kernel driver (ext3 images
      are primarily used for the `--overlay` feature), restoring
      functionality that was removed by default in Apptainer 1.1.8 because
      of the security risk.
      The `allow setuid-mount squashfs` configuration option in
      `apptainer.conf` now has a new default called `iflimited` which allows
      kernel squashfs mounts only if there is at least one `limit container`
      option set or if Execution Control Lists are activated in ecl.toml.
      If kernel squashfs mounts are not allowed, then the squashfuse
      image driver will be used instead.
      `iflimited` is the default because if one of those limits is used
      the system administrator ensures that unprivileged users do not have
      write access to the containers, but on the other hand using FUSE
      would enable a user to theoretically bypass the limits via `ptrace()`
      because the FUSE process runs as that user.
      The `fuse-overlayfs` image driver will also now be tried in setuid
      mode if the kernel overlayfs driver does not work (for example if
      one of the layers is a FUSE filesystem).  In addition, if `allow
      setuid-mount encrypted = no` then the unprivileged gocryptfs format
      will be used for encrypting SIF files instead of the kernel
      device-mapper. If a SIF file was encrypted using the gocryptfs
      format, it can now be mounted in setuid mode in addition to
      non-setuid mode.
    * Change the default in user namespace mode to use either kernel
      overlayfs or fuse-overlayfs instead of the underlay feature for the
      purpose of adding bind mount points. That was already the default in
      setuid mode; this change makes it consistent. The underlay feature
      can still be used with the `--underlay` option, but it is deprecated
      because the implementation is complicated and measurements have
      shown that the performance of underlay is similar to overlayfs and
      fuse-overlayfs.
      For now the underlay feature can be made the default again with a
      new `preferred` value on the `enable underlay` configuration option.
      Also the `--underlay` option can be used in setuid mode or as the
      root user, although it was ignored previously.
    * Prefer again to use kernel overlayfs over fuse-overlayfs when a
      lower layer is FUSE and there's no writable upper layer, undoing the
      change from 1.2.0. Another workaround was found for the problem that
      change addressed. This applies in both setuid mode and in user
      namespace mode.
    * `--cwd` is now the preferred form of the flag for setting the
      container's working directory, though `--pwd` is still supported for
      compatibility.
    * The way `--home` is handled when running as root (e.g. sudo apptainer)
      or with `--fakeroot` has changed. Previously, we were only modifying
      the `HOME` environment variable in these cases, while leaving the
      container's `/etc/passwd` file unchanged (with its homedir field
      pointing to `/root`, regardless of the value passed to `--home`). With
      this change, both value of HOME and the contents of `/etc/passwd` in
      the container will reflect the value passed to `--home` if the
      container is readonly. If the container is writable, the
      `/etc/passwd` file is left alone because it can interfere with
      commands that want to modify it.
    * The `--vm` and related flags to start apptainer inside a VM have been
      removed. This functionality was related to the retired Singularity Desktop
      / SyOS projects.
    * The keyserver-related commands that were under `remote` have been moved to
      their own, dedicated `keyserver` command. Run `apptainer help keyserver`
      for more information.
    * The commands related to OCI/Docker registries that were under `remote` have
      been moved to their own, dedicated `registry` command. Run
      `apptainer help registry` for more information.
    * The `remote list` subcommand now outputs only remote endpoints (with
      keyservers and OCI/Docker registries having been moved to separate
      commands), and the output has been streamlined.
    * Adding a new remote endpoint using the `apptainer remote add` command will
      now set the new endpoint as default. This behavior can be suppressed by
      supplying the `--no-default` (or `-n`) flag to `remote add`.
    * Skip parsing build definition file template variables after comments
      beginning with a hash symbol.
    * The global `/tmp` directory is no longer used for gocryptfs mountpoints.
  - New Features & Functionality
    * The `remote status` command will now print the username, realname, and
      email of the logged-in user, if available.
    * Add monitoring feature support, which requires the usage of an
      additional tool named `apptheus`; this tool will put the apptainer starter
      into a newly created cgroup and collect system metrics.
    * A new `--no-pid` flag for `apptainer run/shell/exec` disables the PID
      namespace inferred by `--containall` and `--compat`.
    * Added `--config` option to `keyserver` commands.
    * Honor an optional remoteName argument to the `keyserver list` command.
    * Added the `APPTAINER_ENCRYPTION_PEM_DATA` env var to allow for
      encrypting and running encrypted containers without a PEM file.
    * Adding `--sharens` mode for `apptainer exec/run/shell`, which makes it
      possible to run multiple apptainer instances created by the same parent
      using the same image in the same user namespace.
  - Make 'gocryptfs' an optional dependency.
  - Make apptainer definition templates version dependent.
* Wed Mar 13 2024 Egbert Eich <eich@suse.com>
  - Fix 'apptainer build' using signed packages from the SUSE
    Registry (bsc#1221364).
    * Remove-signatures-from-Docker-images.patch
* Wed Jan 31 2024 Egbert Eich <eich@suse.com>
  - Updated apptainer to version 1.2.5
    * Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA
      Drivers (known with >= 525.85.05) require this lib to compile
      OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl`
      depends on `libnvidia-nvvm`.
    * Disable the usage of cgroup in instance creation when
      `--fakeroot` is passed.
    * Disable the usage of cgroup in instance creation when `hidepid`
      mount option on `/proc` is set.
    * Fixed a regression introduced in 1.2.0 where the user's
      password file information was not copied into the container
      when there was a parent root-mapped user namespace (as is the
      case for example in `cvmfsexec`).
    * Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so`
      to the list of libraries to add to NVIDIA GPU-enabled
      containers. Fixed missing error handling during the creation
      of an encrypted image that led to the generation of corrupted
      images.
    * Use `APPTAINER_TMPDIR` for temporary files during privileged
      image encryption.
    * If rootless unified cgroups v2 is available when starting an
      image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is
      not set, print an info message that stats will not be available
      instead of exiting with a fatal error.
    * Allow templated build arguments to definition files to have
      empty values.
  - Package .def templates separately for different SPs.
* Tue Oct 24 2023 Egbert Eich <eich@suse.com>
  - Do not build squashfuse, require it as a dependency.
    Removed: squashfuse-0.1.105.tar.gz, 70.patch
  - Replace awkward 'Obsoletes: singularity-*' as well as the
    'Provides: Singularity' by 'Conflicts:' and drop the provides -
    the versioning scheme does not match and we do not automatically
    migrate from one to the other.
  - Exclude platforms which do not provide all build dependencies.
* Wed Sep 27 2023 Christian Goll <cgoll@suse.com>
  - removed CRYPTOGAMS license as not known in OBS and OpenSSL is
    also valid
* Mon Sep 25 2023 Christian Goll <cgoll@suse.com>
  - updated to 1.2.3 with following changes:
    * The apptainer push/pull commands now show a progress bar for the oras
      protocol like there was for docker and library protocols.
    * The --nv and --rocm flags can now be used simultaneously.
    * Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
      commands that refer to instance://.
    * Fix the issue that apptainer would not read credentials from the Docker
      fallback path ~/.docker/config.json if missing in the apptainer
      credentials.
* Tue Aug 29 2023 Lubos Kocman <lubos.kocman@suse.com>
  - Update license for the package to cover also OpenSSL and CRYPTOGAMS
    part of chacha_ppc64le.s
* Fri Jul 28 2023 Christian Goll <cgoll@suse.com>
  - updated to 1.2.2 with following changes:
    * Fix $APPTAINER_MESSAGELEVEL to correctly set the logging level.
    * Fix build failures when in setuid mode and unprivileged user namespaces are
      unavailable and the --fakeroot option is not selected.
* Wed Jul 26 2023 Christian Goll <cgoll@suse.com>
  - updated to 1.2.1 to fix CVE-2023-38496, although not relevant as the
    package is compiled with setuid
* Wed Jun 14 2023 Christian Goll <cgoll@suse.com>
  - update to 1.2.0 with following changes:
    * binary is built reproducible which disables plugins
    * Create the current working directory in a container when it doesn't exist.
      This restores behavior as it was before singularity 3.6.0. As a result,
      using --no-mount home won't have any effect when running apptainer from a
      home directory and will require --no-mount home,cwd to avoid mounting that
      directory.
    * Handle current working directory paths containing symlinks both on the host
      and in a container but pointing to different destinations. If detected, the
      current working directory is not mounted when the destination directory in
      the container exists.
    * Destination mount points are now sorted by shortest path first to ensure
      that a user bind doesn't override a previous bind path when set in
      arbitrary order on the CLI. This is also applied to image binds.
    * When the kernel supports unprivileged overlay mounts in a user namespace,
      the container will be constructed by default using an overlay instead of an
      underlay layout for bind mounts. A new --underlay action option can be used
      to prefer underlay instead of overlay.
    * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
      installations. This is an increase from 16 MiB in prior versions.
    * The apptainer cache is now architecture aware, so the same home directory
      cache can be shared by machines with different architectures.
    * Overlay is blocked on the panfs filesystem, allowing sandbox directories to
      be run from panfs without error.
    * Lookup and store user/group information in stage one prior to entering any
      namespaces, to fix an issue with winbind not correctly looking up
      user/group information when using user namespaces.
  - New features / functionalities
    * Support for unprivileged encryption of SIF files using gocryptfs.  This is
      not compatible with privileged encryption, so containers encrypted by root
      need to be rebuilt by an unprivileged user.
    * Templating support for definition files. Users can now define variables in
      definition files via a matching pair of double curly brackets. Variables of
      the form {{ variable }} will be replaced by a value defined either by a
      variable=value entry in the %arguments section of the definition file or
      through new build options --build-arg or --build-arg-file.
    * Add a new instance run command that will execute the runscript when an
      instance is initiated instead of executing the startscript.
    * The sign and verify commands now support signing and verification with
      non-PGP key material by specifying the path to a private key via the --key
      flag.
    * The verify command now supports verification with X.509 certificates by
      specifying the path to a certificate via the --certificate flag. By
      default, the system root certificate pool is used as trust anchors unless
      overridden via the --certificate-roots flag. A pool of intermediate
      certificates that are not trust anchors, but can be used to form a
      certificate chain, can also be specified via the
      --certificate-intermediates flag.
    * Support for online verification checks of X.509 certificates using OCSP
      protocol via the new verify --ocsp-verify option.
    * The instance stats command displays the resource usage every second. The
      --no-stream option disables this interactive mode and shows the
      point-in-time usage.
    * Instances are now started in a cgroup by default, when run as root or when
      unified cgroups v2 with systemd as manager is configured. This allows
      apptainer instance stats to be supported by default when possible.
    * The instance start command now accepts an optional --app <name> argument
      which invokes a start script within the %appstart <name> section in the
      definition file. The instance stop command still only requires the instance
      name.
    * The instance name is now available inside an instance via the new
      APPTAINER_INSTANCE environment variable.
    * The --no-mount flag now accepts the value bind-paths to disable mounting of
      all bind path entries in apptainer.conf.
    * Support for DOCKER_HOST parsing when using docker-daemon://
    * DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.
    * Add new Linux capabilities CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.
    * The remote get-login-password command allows users to retrieve a remote's
      token. This enables piping the secret directly into docker login while
      preventing it from showing up in a shell's history.
    * Define EUID in %environment alongside UID.
    * In --rocm mode, the whole of /dev/dri is now bound into the container when
      --contain is in use. This makes /dev/dri/render devices available, required
      for later ROCm versions.
* Tue Jun 13 2023 Christian Goll <cgoll@suse.com>
  - update to 1.1.9 with following changes:
    * Remove warning about unknown xino=on option from fuse-overlayfs, introduced
      in 1.1.8.
    * Ignore extraneous warning from fuse-overlayfs about a readonly /proc.
    * Fix dropped "n" characters on some platforms in definition file stored as
      part of SIF metadata.
    * Remove duplicated group ids.
    * Fix not being able to handle multiple entries in LD_PRELOAD when binding
      fakeroot into container during apptainer startup for --fakeroot with
      fakeroot command.
* Thu Apr 27 2023 Christian Goll <cgoll@suse.com>
  - Included a fix for CVE-2023-30549 which is a vulnerability in setuid-root
    installations of Apptainer which was not active in the recent openSUSE
    packages. Still this is included for completeness. The fix adds allow
    setuid-mount configuration options encrypted, squashfs, and extfs, and makes
    the default for extfs be "no". That disables the use of extfs mounts
    including for overlays or binds while in the setuid-root mode, while leaving
    it enabled for unprivileged user namespace mode. The default for encrypted
    and squashfs is "yes".
  - Other bug fixes:
    * Fix loop device 'no such device or address' spurious errors when using shared
      loop devices.
    * Add xino=on mount option for writable kernel overlay mount points to fix
      inode numbers consistency after kernel cache flush (not applicable to
      fuse-overlayfs).
* Wed Mar 29 2023 Christian Goll <cgoll@suse.com>
  - updated to 1.1.7 with following changes:
    * removed simpler-sif-building.patch as this was incorporated upstream
    * Allow gpu options such as --nv to be nested by always inheriting all
      libraries bound in to a parent container's /.singularity.d/libs.
    * Map the user's home directory to the root home directory by default in the
      non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both
      action commands and building containers from definition files.
    * Make the error message more helpful in another place where a remote is
      found to have no library client.
    * Avoid incorrect error when requesting fakeroot network.
    * Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where
      unsquashfs on host uses libraries in non-default paths.
* Fri Feb 24 2023 Christian Goll <cgoll@suse.com>
  - added simple sif building for SLE systems via suseconnect-container
  - added files:
    * simpler-sif-building.patch
    * SLE-12SP5.def
    * leap.def
* Wed Feb 15 2023 Christian Goll <cgoll@suse.com>
  - update to 1.1.6 with following changes:
    * Included a fix for CVE-2022-23538 which potentially leaked user credentials
      to a third-party S3 storage service when using the library:// protocol. See
      the https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7
      for details.
    * Make PS1 environment variable changeable via %environment section on
      definition file that used to be only changeable via APPTAINERENV_PS1
      outside of container. This makes the container's prompt customizable.
    * Fix the passing of nested bind mounts when there are multiple binds
      separated by commas and some of them have colons separating sources and
      destinations.
    * Hide messages about SINGULARITY variables if corresponding APPTAINER
      variables are defined. Fixes a regression introduced in 1.1.4.
    * Print a warning if extra arguments are given to a shell action, and show in
      the run action usage that arguments may be passed.
    * Check for the existence of the runtime executable prefix, to avoid issues
      when running under Slurm's srun. If it doesn't exist, fall back to the
      compile-time prefix.
    * Increase the timeout on image driver (that is, FUSE) mounts from 2 seconds
      to 10 seconds. Instead, print an INFO message if it takes more than 2
      seconds.
    * If a remote is defined both globally (i.e. system-wide) and individually,
      change apptainer remote commands to print an info message instead of
      exiting with a fatal error and to give precedence to the individual
      configuration.
* Wed Jan 11 2023 Christian Goll <cgoll@suse.com>
  - Update to 1.1.5 with following changes:
    * Fix the use of fakeroot, faked, and libfakeroot.so if they are not suffixed
      by -sysv, as is for instance the case on Gentoo Linux.
    * Prevent the use of a --libexecdir or --bindir mconfig option from making
      apptainer think it was relocated and so preventing use of suid mode. The
      bug was introduced in v1.1.4.
    * Add helpful error message for build --remote option.
    * Add more helpful error message when no library endpoint found.
    * Avoid cleanup errors on exit when mountpoints are busy by doing a lazy
      unmount if a regular unmount doesn't work after 10 tries.
    * Make messages about using SINGULARITY variables less scary.
* Wed Dec 21 2022 Christian Goll <cgoll@suse.com>
  - moved run dir from /var/lib/apptainer to /var/apptainer to be closer
    to upstream
* Tue Dec 20 2022 Christian Goll <cgoll@suse.com>
  - Update to 1.1.4 with following changes:
    * Make the binaries built in the unprivileged apptainer package relocatable.
      When moving the binaries to a new location, the /usr at the top of some of
      the paths needs to be removed. Relocation is disallowed when the
      starter-suid is present, for security reasons.
    * Change the warning when an overlay image is not writable, introduced in
      v1.1.3, back into a (more informative) fatal error because it doesn't
      actually enter the container environment.
    * Set the --net flag if --network or --network-args is set rather than
      silently ignoring them if --net was not set.
    * Do not hang on pull from http(s) source that doesn't provide a content-length.
    * Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels.
    * Remove obsolete pacstrap -d in Arch packer.
    * Adjust warning message for deprecated environment variables usage.
    * Enable the --security uid:N and --security gid:N options to work when run
      in non-suid mode. In non-suid mode they work with any user, not just root.
      Unlike with root and suid mode, however, only one gid may be set in
      non-suid mode.
  - Changes from 1.1.3
    * Prefer the fakeroot-sysv command over the fakeroot command because the
      latter can be linked to either fakeroot-sysv or fakeroot-tcp, but
      fakeroot-sysv is much faster.
    * Update the included squashfuse_ll to have -o uid=N and -o gid=N options and
      changed the corresponding image driver to use them when available. This
      makes files inside sif files appear to be owned by the user instead of by
      the nobody id 65534 when running in non-setuid mode.
    * Fix the locating of shared libraries when running unsquashfs from a non-standard location.
    * Properly clean up temporary files if unsquashfs fails.
    * Fix the creation of missing bind points when using image binding with underlay.
    * Change the error when an overlay image is not writable into a warning that
      suggests adding :ro to make it read only or using --fakeroot.
    * Avoid permission denied errors during unprivileged builds without
      /etc/subuid-based fakeroot when /var/lib/containers/sigstore is readable
      only by root.
    * Avoid failures with --writable-tmpfs in non-setuid mode when using
      fuse-overlayfs versions 1.8 or greater by adding the fuse-overlayfs noacl
      mount option to disable support for POSIX Access Control Lists.
    * Fix the --rocm flag in combination with -c / -C by forwarding all
      /dri/render* devices into the container.
* Fri Oct 28 2022 Egbert Eich <eich@suse.com>
  - Add Provides: and Obsoletes: to attempt to mark this as a possible
    replacement for the original singularity package which has been
    discontinued.
* Tue Oct 11 2022 Christian Goll <cgoll@suse.com>
  - previous versions did not build squashfuse_ll, fixed this
* Fri Oct 07 2022 Christian Goll <cgoll@suse.com>
  - Updated to 1.1.2 which fixed CVE-2022-39237
    * CVE-2022-39237: The sif dependency included in Apptainer before this
      release does not verify that the hash algorithm(s) used are
      cryptographically secure when verifying digital signatures. This release
      updates to sif v2.8.1 which corrects this issue. See the linked advisory
      for references and a workaround.
* Wed Sep 28 2022 Christian Goll <cgoll@suse.com>
  - updated to version 1.1.0 without changes to rc3
* Fri Sep 09 2022 Christian Goll <cgoll@suse.com>
  - Updated to version 1.1.0-rc3 with following changes:
    * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll
      which will be removed as soon as the multithread patch is incorporated
    * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse,
      if available, for improved performance. squashfuse_ll is not available
      in factory.
    * Also, for even better parallel performance, include a patched
      multithreaded version of squashfuse_ll in
      ${prefix}/libexec/apptainer/bin.
    * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in
      apptainer.conf, which is used for searching for helper executables. It is
      implied as the first directory of $PATH if present (which is at the
      beginning of binary path by default) or just as the first directory if
      $PATH is not included in binary path.
    * Add --unsquash action flag to temporarily convert a SIF file to a sandbox
      before running. In previous versions this was the default when running a
      SIF file without setuid or with fakeroot, but now the default is to instead
      mount with squashfuse.
    * Add --sparse flag to overlay create command to allow generation of a sparse
      ext3 overlay image.
    * Support for a custom hashbang in the %test section of an Apptainer recipe
      (akin to the runscript and start sections).
    * When using fakeroot in setuid mode, have the image drivers first enter
      the container's user namespace to avoid write errors with overlays.
    * Skip trying to use kernel overlayfs when using writable overlay and the
      lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.
    * Add additional hidden options to the action command for testing different
      fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command,
      and --ignore-userns.
* Fri Aug 19 2022 Christian Goll <cgoll@suse.com>
  - Updated to version 1.1.0-rc2 with the following changes:
    * Fixed longstanding bug in the underlay logic when there are nested bind
      points separated by more than one path level, for example /var and
      /var/lib/yum, and the path didn't exist in the container image. The bug
      only caused an error when there was a directory in the container image that
      didn't exist on the host.
    * Improved wildcard matching in the %files directive of build definition
      files by replacing usage of sh with the mvdan.cc library.
    * Replaced checks for compatible filesystem types when using fuse-overlayfs
      with an INFO message when an incompatible filesystem type causes it to be
      unwritable by a fakeroot user.
    * The --nvccli option now works without --fakeroot. In that case the option
      can be used with --writable-tmpfs instead of --writable, and
      --writable-tmpfs is implied if neither option is given. Note that also
      /usr/bin has to be writable by the user, so without --fakeroot that
      probably requires a sandbox image that was built with --fix-perms.
    * The --nvccli option implies --nv.
    * Configure squashfuse to always show files to be owned by the current user.
      That's especially important for fakeroot to prevent most of the files from
      looking like they are owned by user 65534.
    * The fakeroot command can now be used even if $PATH is empty in the
      environment of the apptainer command.
    * Allow the newuidmap command to be missing if the current user is not listed
      in /etc/subuid.
    * Require the uidmap package in Debian packaging.
    * Improved error handling of unsupported pass protected PEM files with
      encrypted containers.
    * Ensure bootstrap_history directory is populated with previous definition
      files, present in source containers used in a build.
    * Add additional options to the build command for testing different fakeroot
      modes: --userns like the action flag and hidden options --ignore-subuid,
      --ignore-fakeroot-command, and --ignore-userns.
    * Require root user early when building an encrypted container.
  - removed upstream incorporated patch fix-32bit-compilation.patch
* Thu Aug 04 2022 Christian Goll <cgoll@suse.com>
  - Updated to version 1.1.0-rc1 which enables apptainer to run without
    suid and additional groups. Although this is a prerelease this is
    a major advantage justifying its use.
    * Added a squashfuse image driver that enables mounting SIF files without
      using setuid-root. Requires the squashfuse command and unprivileged user
      namespaces.
    * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
      overlay partitions without using setuid-root. Requires the fuse2fs command
      and unprivileged user namespaces.
    * Added the ability to use persistent overlay (--overlay) and
      --writable-tmpfs without using setuid-root. This requires unprivileged user
      namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
      command. Persistent overlay works when the overlay path points to a regular
      filesystem (known as "sandbox" mode, which is not allowed when in setuid
      mode), or when it points to an EXT3 image. Does not work with a SIF
      partition because that requires privileges to mount as an ext3 image.
    * Extended the --fakeroot option to be useful when /etc/subuid and
      /etc/subgid mappings have not been set up. If they have not been set up, a
      root-mapped unprivileged user namespace (the equivalent of unshare -r)
      and/or the fakeroot command from the host will be tried. Together they
      emulate the mappings pretty well but they are simpler to administer. This
      feature is especially useful with the --overlay and --writable-tmpfs
      options and for building containers unprivileged, because they allow
      installing packages that assume they're running as root. A limitation on
      using it with --overlay and --writable-tmpfs however is that when only the
      fakeroot command can be used (because there are no user namespaces
      available, in suid mode) then the base image has to be a sandbox. This
      feature works nested inside of an apptainer container, where another
      apptainer command will also be in the fakeroot environment without
      requesting the --fakeroot option again, or it can be used inside an
      apptainer container that was not started with --fakeroot. However, the
      fakeroot command uses LD_PRELOAD and so needs to be bound into the
      container which requires a compatible libc. For that reason it doesn't work
      when the host and container operating systems are of very different
      vintages. If that's a problem and you want to use only an unprivileged
      root-mapped namespace even when the fakeroot command is installed, just run
      apptainer with unshare -r.
    * Made the --fakeroot option be implied when an unprivileged user builds a
      container from a definition file. When /etc/subuid and /etc/subgid mappings
      are not available, all scriptlets are run in a root-mapped unprivileged
      namespace (when possible) and the %post scriptlet is additionally run with
      the fakeroot command. When unprivileged user namespaces are not available,
      such that only the fakeroot command can be used, the --fix-perms option is
      implied to allow writing into directories.
    * Added a --fakeroot option to the apptainer overlay create command to make
      an overlay EXT3 image file that works with the fakeroot that comes from
      unprivileged root-mapped namespaces. This is not needed with the fakeroot
      that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes
      with only the fakeroot command in suid flow.
    * $HOME is now used to find the user's configuration and cache by default. If
      that is not set it will fall back to the previous behavior of looking up
      the home directory in the password file. The value of $HOME inside the
      container still defaults to the home directory in the password file and can
      still be overridden by the --home option.
    * When starting a container, if the user has specified the cwd by using the
      --pwd flag, if there is a problem an error is returned instead of
      defaulting to a different directory.
    * Nesting of bind mounts now works even when a --bind option specified a
      different source and destination with a colon between them. Now the
      APPTAINER_BIND environment variable makes sure the bind source is from the
      bind destination so it will be successfully re-bound into a nested apptainer
      container.
    * The warning about more than 50 bind mounts required for an underlay bind
      has been changed to an info message.
    * oci mount sets Process.Terminal: true when creating an OCI config.json, so
      that oci run provides expected interactive behavior by default.
    * The default hostname for oci mount containers is now apptainer instead of
      mrsdalloway.
    * systemd is now supported and used as the default cgroups manager. Set
      systemd cgroups = no in apptainer.conf to manage cgroups directly via the
      cgroupfs.
    * Added a new action flag --no-eval which:
      + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file
      environment variables as they are injected in the container, to match
      OCI behavior. Applies to all containers.
      + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command
      line arguments for containers run or built directly from an OCI/Docker
      source. Applies to newly built containers only, use apptainer inspect
      to check version that container was built with.
    * Added --no-eval to the list of flags set by the OCI/Docker --compat mode.
    * sinit process has been renamed to appinit.
    * Added --keysdir to key command to provide an alternative way of setting
      local keyring path. The existing reading of the keyring path from
      environment variable 'APPTAINER_KEYSDIR' is untouched.
    * apptainer key push will output the key server's response if included in
      order to help guide users through any identity verification the server may
      require.
    * ECL no longer requires verification for all signatures, but only when
      signature verification would alter the expected behavior of the list:
      + At least one matching signature included in a whitelist must be
      validated, but other unvalidated signatures do not cause ECL to fail.
      + All matching signatures included in a whitestrict must be validated,
      but unvalidated signatures not in the whitestrict do not cause ECL to
      fail.
      + Signature verification is not checked for a blacklist; unvalidated
      signatures can still block execution via ECL, and unvalidated
      signatures not in the blacklist do not cause ECL to fail.
  - New features / functionalities
    * Non-root users can now use --apply-cgroups with run/shell/exec to limit
      container resource usage on a system using cgroups v2 and the systemd
      cgroups manager.
    * Native cgroups v2 resource limits can be specified using the [unified] key
      in a cgroups toml file applied via --apply-cgroups.
    * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups
      resource limits to a container directly.
    * Added instance stats command.
    * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable
      a bind path entry from apptainer.conf by specifying the absolute path to
      the destination of the bind.
    * Apptainer now supports the riscv64 architecture.
    * remote add --insecure may now be used to configure endpoints that are only
      accessible via http. Alternatively the environment variable
      APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added
      without the --insecure flag. Specifying https in the remote URI overrules
      both --insecure and APPTAINER_ADD_INSECURE.
    * Gpu flags --nv and --rocm can now be used from an apptainer nested inside
      another apptainer container.
    * Added --public, --secret, and --both flags to the key remove command to
      support removing secret keys from the apptainer keyring.
    * Debug output can now be enabled by setting the APPTAINER_DEBUG env var.
    * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs
      image extraction, and build stages.
  - Bug fixes
    * Remove warning message about SINGULARITY and APPTAINER variables having
      different values when the SINGULARITY variable is not set.
    * Add specific error for unreadable image / overlay file.
    * Pass through a literal \n in host environment variables to the container.
    * Fix loop device creation with loop-control when running inside docker containers.
    * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag.
  - File changes
    * Removed useful_error_message.patch as not needed any more
    * Added fix-32bit-compilation.patch from upstream
* Mon Jul 11 2022 Christian Goll <cgoll@suse.com>
  - Update to version 1.0.3:
    * Process redirects that can come from sregistry with a library:// URL.
    * Fix inspect --deffile and inspect --all to correctly show definition files
      in sandbox container images instead of empty output. This has a side effect
      of also fixing the storing of definition files in the metadata of sif files
      built by Apptainer, because that metadata is constructed by doing inspect
      --all.
* Wed May 18 2022 Dominique Leuenberger <dimstar@opensuse.org>
  - Update to version 1.0.2:
    + Fixed `FATAL` error thrown by user configuration migration code
      that caused users with inaccessible home directories to be
      unable to use `apptainer` commands.
    + Do not truncate environment variables with commas.
    + Use HEAD request when checking digest of remote OCI image
      sources, with GET as a fall-back. Greatly reduces Apptainer's
      impact on Docker Hub API limits.
* Fri Mar 18 2022 Christian Goll <cgoll@suse.com>
  - Updated to v1.0.1 with the following bug fixes
    * Don't prompt for y/n to overwrite an existing file when build is called
      from a non-interactive environment. Fail with an error.
    * Preload NSS libraries prior to mountspace name creation to avoid
      circumstances that can cause loading those libraries from the container
      image instead of the host, for example in the startup environment.
    * Fix race condition where newly created loop devices can sometimes not be opened.
    * Support nvidia-container-cli v1.8.0 and above, via fix to capability set.
* Thu Feb 17 2022 Christian Goll <cgoll@suse.com>
  - Updated to v1.0.0-rc1; changes relative to singularity 3.9.5 are:
    * The primary executable has been changed from singularity to apptainer.
      However, a singularity command symlink alias has been created pointing to
      the apptainer command. The contents of containers are unchanged and
      continue to use the singularity name for startup scripts, etc.
    * The per-user configuration directory has changed from ~/.singularity to
      ~/.apptainer. The first time the apptainer command accesses the user
      configuration directory, relevant configuration is automatically imported
      from the old directory to the new one.
    * Environment variables have all been changed to have an APPTAINER prefix
      instead of a SINGULARITY prefix. However, SINGULARITY prefix variables are
      still recognized. If only a SINGULARITY prefix variable exists, a warning
      will be printed about deprecated usage and then the value will be used. If
      both prefixes exist and the value is the same, no warning is printed; this
      is the recommended method to set environment variables for those who need
      to support both apptainer and singularity. If both prefixes exist for the
      same variable and the value is different then a warning is also printed.
    * The default SylabsCloud remote endpoint has been removed and replaced by
      one called DefaultRemote which has no defined server for the library://
      URI. System administrators may restore the old default if they wish by
      adding it to /etc/apptainer/remote.yaml with a URI of cloud.sylabs.io and
      setting it there as the Active remote, or users can add it to their own
      configuration with the commands apptainer remote add SylabsCloud
      cloud.sylabs.io and apptainer remote use SylabsCloud.
    * The DefaultRemote's key server is https://keys.openpgp.org instead of the
      Sylabs key server
    * The apptainer build --remote option has been removed because there is no
      standard protocol or non-commercial service that supports it.
  - New Features:
    * Honor image binds and user binds in the order they're given instead of
      always doing image binds first.
    * Experimental support for checkpointing of instances using DMTCP has been
      added. Additional flags --dmtcp-launch and --dmtcp-restart have been added
      to the apptainer instance start command, and a checkpoint command group has
      been added to manage the checkpoint state. A new
      /etc/apptainer/dmtcp-conf.yaml configuration file is also added.
      Limitations are that it can only work with dynamically linked applications
      and the container has to be based on glibc.
    * --writable-tmpfs can be used with apptainer build to run the %test section
      of the build with an ephemeral tmpfs overlay, permitting tests that write to
      the container filesystem.
    * The --compat flag for actions is a new short-hand to enable a number of
      options that increase OCI/Docker compatibility. Infers --containall,
      --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network
      namespaces as these may not be supported on many installations.
    * The experimental --nvccli flag will use nvidia-container-cli to setup the
      container for Nvidia GPU operation. Apptainer will not bind GPU libraries
      itself. Environment variables that are used with Nvidia's docker-nvidia
      runtime to configure GPU visibility / driver capabilities & requirements
      are parsed by the --nvccli flag from the environment of the calling user.
      By default, the compute and utility GPU capabilities are configured. The
      use nvidia-container-cli option in apptainer.conf can be set to yes to
      always use nvidia-container-cli when supported. --nvccli is not supported
      in the setuid workflow, and it requires being used in combination with
      --writable in user namespace mode. Please see documentation for more
      details.
    * The --apply-cgroups flag can be used to apply cgroups resource and device
      restrictions on a system using the v2 unified cgroups hierarchy. The
      resource restrictions must still be specified in the v1 / OCI format, which
      will be translated into v2 cgroups resource restrictions, and eBPF device
      restrictions.
    * A new --mount flag and APPTAINER_MOUNT environment variable can be used to
      specify bind mounts in
      type=bind,source=<src>,destination=<dst>[,options...] format. This improves
      CLI compatibility with other runtimes, and allows binding paths containing
      : and , characters (using CSV style escaping).
    * Perform concurrent multi-part downloads for library:// URIs. Uses 3
      concurrent downloads by default, and is configurable in apptainer.conf or
      via environment variables.

Files

/usr/share/apptainer/templates/SLE-15SP6.def
Generated by rpm2html 1.8.1

Fabrice Bellet, Sun Jan 12 00:30:25 2025