With the release of v3.0.0, we're introducing a new changelog format in an attempt to consolidate the information presented in the changelog. The new changelog is reduced in scope to only documenting functionality changes from version to version. This ensures that the changelog is as useful as it can be. Changes which should be documented include:
- Renamed commands
- Deprecated / removed commands
- Changed defaults / behaviors
- Migration guidance
- New features / functionalities
The old changelog can be found in the `release-2.6` branch.
- `%files from ...` will no longer follow symlinks when copying between stages. Copying from the host will still maintain previous behavior of following links.
- 700 permissions are enforced on `$HOME/.singularity` and `SINGULARITY_CACHEDIR` directories (CVE-2019-19724). Many thanks to Stuart Barkley for reporting this issue.
- Fixes an issue preventing use of `.docker/config` for docker registry authentication.
- Fixes the `run-help` command in the unprivileged workflow.
- Fixes a regression in the `inspect` command to support older image formats.
- Adds a workaround for an EL6 kernel bug regarding shared bind mounts.
- Fixes caching of http(s) sources with conflicting filenames.
- Fixes a fakeroot sandbox build error on certain filesystems, e.g. lustre, GPFS.
- Fixes a fakeroot build failure to a sandbox in `$HOME`.
- Fixes a fakeroot build failure from a bad def file section script location.
- Fixes container execution errors when CWD is a symlink.
- Provides a useful warning regarding possible fakeroot build issues when seccomp support is not available.
- Fixes an issue where the `--disable-cache` option was not being honored.
- Deprecated `--groupid` flag for `sign` and `verify`; replaced with `--group-id`.
- Removed useless flag `--url` for `sign`.
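An added check (not code from the Singularity project) for the CVE-2019-19724 hardening above: it reports either of the two directories whose mode is not exactly 0700. It assumes `SINGULARITY_CACHEDIR` falls back to `$HOME/.singularity/cache` when unset, and a GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example, not code from the Singularity project.
# check_private_dir DIR: return 0 when DIR is a directory with mode exactly
# 0700 (what Singularity enforces on $HOME/.singularity and
# SINGULARITY_CACHEDIR after the CVE-2019-19724 fix); otherwise report the
# problem on stdout and return 1. Tries GNU stat first, then BSD stat.
check_private_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    if [ "$mode" != "700" ]; then
        echo "insecure: $dir is mode $mode, expected 700"
        return 1
    fi
    return 0
}

# audit_singularity_dirs: check both directories the fix covers.
# Assumption: SINGULARITY_CACHEDIR falls back to $HOME/.singularity/cache.
audit_singularity_dirs() {
    rc=0
    check_private_dir "$HOME/.singularity" || rc=1
    check_private_dir "${SINGULARITY_CACHEDIR:-$HOME/.singularity/cache}" || rc=1
    return "$rc"
}
```

Source the file and run `audit_singularity_dirs`; a non-zero exit means at least one directory would be rejected or tightened by the fixed runtime.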
A single feature has been added in the bugfix release, with specific functionality:
- A new option `allow container encrypted` can be set to `no` in `singularity.conf` to prevent execution of encrypted containers.
This point release addresses the following issues:
- Fixes a disk space leak when building from docker-archive.
- Makes container process SIGABRT return the expected code.
- Fixes the `inspect` command in unprivileged workflow.
- Sets an appropriate default umask during build stages, to avoid issues with very restrictive user umasks.
- Fixes an issue with build script content being consumed from STDIN.
- Corrects the behaviour of underlay with non-empty / symlinked CWD and absolute symlink binds targets.
- Fixes execution of containers when binding BTRFS filesystems.
- Fixes build / check failures for MIPS & PPC64.
- Ensures file ownership maintained when building image from sandbox.
- Fixes a squashfs mount error on kernel 5.4.0 and above.
- Fixes an underlay fallback problem, which prevented use of sandboxes on lustre filesystems.
- New support for AMD GPUs via `--rocm` option added to bind ROCm devices and libraries into containers.
- Plugins can now modify Singularity behaviour with two mutators: CLI and Runtime.
- Introduced the `config global` command to edit `singularity.conf` settings from the CLI.
- Introduced the `config fakeroot` command to set up `subuid` and `subgid` mappings for `--fakeroot` from the Singularity CLI.
- Go 1.13 adopted.
- Vendored modules removed from the Git tree, will be included in release tarballs.
- Singularity will now fail with an error if a requested bind mount cannot be made.
  - This is beneficial to fail fast in workflows where a task may fail a long way downstream if a bind mount is unavailable.
  - Any unavailable bind mount sources must be removed from `singularity.conf`.
- Docker/OCI image extraction now faithfully respects layer permissions.
  - This may lead to sandboxes that cannot be removed without modifying permissions.
  - `--fix-perms` option added to preserve old behaviour when building sandboxes.
  - Discussion issue for this change at: https://github.com/sylabs/singularity/issues/4671
- `Singularity>` prompt is always set when entering shell in a container.
- The current `umask` will be honored when building a SIF file.
- `instance exec` processes acquire cgroups set on `instance start`.
- `--fakeroot` supports uid/subgid ranges >65536.
- `singularity version` now reports semver compliant version information.
- Deprecated `--id` flag for `sign` and `verify`; replaced with `--sif-id`.
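An added audit script (not Singularity's own code) for three `singularity.conf` points in this changelog: the bind-mount change above, under which a bind source missing on the host now fails the container start rather than being skipped; the `allow container encrypted` switch; and the root-ownership requirement for the file noted further down. It assumes the `bind path = /src[:/dest]` and `allow container encrypted = yes|no` syntax and that the built-in default for the encryption setting is `yes`.

```shell
#!/bin/sh
# Added example, not Singularity's own code. Audits a singularity.conf for
# settings this changelog describes: bind path sources that no longer exist
# on the host (the runtime now fails the container start instead of
# skipping them), the 'allow container encrypted' switch, and the owner.
# Assumed syntax:  bind path = /src[:/dest]   allow container encrypted = yes|no

# conf_value CONF KEY: print the last uncommented value of KEY (empty if unset).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# missing_bind_sources CONF: print every configured bind source absent on
# the host, one per line. "bind path = /src:/dest" binds /src, so only the
# part before the first ':' is checked.
missing_bind_sources() {
    sed -n 's/^[[:space:]]*bind path[[:space:]]*=[[:space:]]*//p' "$1" |
    while IFS= read -r spec; do
        src=${spec%%:*}
        [ -e "$src" ] || echo "$src"
    done
}

# audit_bind_paths CONF: 0 when every bind source exists, 1 otherwise.
audit_bind_paths() {
    missing=$(missing_bind_sources "$1")
    [ -z "$missing" ] && return 0
    echo "bind path sources missing on host (remove them from $1):"
    echo "$missing"
    return 1
}

# encrypted_allowed CONF: effective 'allow container encrypted' value.
# Assumption: Singularity's built-in default is yes when the key is absent.
encrypted_allowed() {
    val=$(conf_value "$1" 'allow container encrypted')
    echo "${val:-yes}"
}

# conf_owner CONF: owning user name; the runtime refuses a non-root owner.
conf_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}
```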
This point release addresses the following issues:
- Sets workable permissions on OCI -> sandbox rootless builds
- Fallback correctly to user namespace for non setuid installation
- Correctly handle the starter-suid binary for non-root installs
- Creates CACHEDIR if it doesn't exist
- Set apex loglevel for umoci to match singularity loglevel
This point release addresses the following issues:
- Fixes an issue where a PID namespace was always being used
- Fixes compilation on non 64-bit architectures
- Allows fakeroot builds for zypper, pacstrap, and debootstrap
- Correctly detects seccomp on OpenSUSE
- Honors GO_MODFLAGS properly in the mconfig generated makefile
- Passes the Mac hostname to the VM in MacOS Singularity builds
- Handles temporary EAGAIN failures when setting up loop devices on recent kernels
- Fixes excessive memory usage in singularity push
- New support for building and running encrypted containers with RSA keys and passphrases
  - `--pem-path` option added to the `build` and action commands for RSA based encrypted containers
  - `--passphrase` option added to `build` and action commands for passphrase based encrypted containers
  - `SINGULARITY_ENCRYPTION_PEM_PATH` and `SINGULARITY_ENCRYPTION_PASSPHRASE` environment variables added to serve same functions as above
  - `--encrypt` option added to `build` command to build an encrypted container when environment variables contain a secret
- New `--disable-cache` flag prevents caching of downloaded containers
- Added support for multi-line variables in singularity def-files
- Added support for 'indexed' def-file variables (like arrays)
- Added support for SUSE SLE Products
- Added the def-file variables: product, user, regcode, productpgp, registerurl, modules, otherurl (indexed)
- Support multiple-architecture tags in the SCS library
- Added a `--dry-run` flag to `cache clean`
- Added a `SINGULARITY_SYPGPDIR` environment variable to specify the location of PGP key data
- Added a `--nonet` option to the action commands to disable networking when running with the `--vm` option
- Added a `--long-list` flag to the `key search` command to preserve
- Added experimental, hidden `--fusemount` flag to pass a command to mount a libfuse3 based file system within the container
- Runtime now properly honors `SINGULARITY_DISABLE_CACHE` environment variable
- `remote add` command now automatically attempts to login and a `--no-login` flag is added to disable this behavior
- Using the `pull` command to download an unsigned container no longer produces an error code
- `cache clean` command now prompts user before cleaning when run without `--force` option and is more verbose
- Shortened the default output of the `key search` command
- The `--allow-unsigned` flag to `pull` has been deprecated and will be removed in the future
- Remote login and status commands will now use the default remote if a remote name is not supplied
- Added Singularity hub (`shub`) cache support when using the `pull` command
- Clean cache in a safer way by only deleting the cache subdirectories
- Improvements to the `cache clean` command
- new `oras` URI for pushing and pulling SIF files to and from supported OCI registries
- added the `--fakeroot` option to `build`, `exec`, `run`, `shell`, `test`, and `instance start` commands to run container in a new user namespace as uid 0
- added the `fakeroot` network type for use with the `--network` option
- `sif` command to allow for the inspection and manipulation of SIF files with the following subcommands
  - `add` Add a data object to a SIF file
  - `del` Delete a specified object descriptor and data from SIF file
  - `dump` Extract and output data objects from SIF files
  - `header` Display SIF global headers
  - `info` Display detailed information of object descriptors
  - `list` List object descriptors from SIF files
  - `new` Create a new empty SIF image file
  - `setprim` Set primary system partition
- This point release fixes the following bugs:
- Allows users to join instances with non-suid workflow
- Removes false warning when seccomp is disabled on the host
- Fixes an issue in the terminal when piping output to commands
- Binds NVIDIA persistenced socket when `--nv` is invoked
- Instance files are now stored in user's home directory for privacy and many checks have been added to ensure that a user can't manipulate files to change `starter-suid` behavior when instances are joined (many thanks to Matthias Gerstner from the SUSE security team for finding and securely reporting this vulnerability)
- Introduced a new basic framework for creating and managing plugins
- Added the ability to create containers through multi-stage builds
- Definitions now require `Bootstrap` be the first parameter of header
- Created the concept of a Sylabs Cloud "remote" endpoint and added the ability for users and admins to set them through CLI and conf files
- Added caching for images from Singularity Hub
- Made it possible to compile Singularity outside of `$GOPATH`
- Added a json partition to SIF files for OCI configuration when building from an OCI source
- Full integration with Singularity desktop for MacOS code base
- Introduced the `plugin` command group for creating and managing plugins
  - `compile` Compile a singularity plugin
  - `disable` Disable an installed singularity plugin
  - `enable` Enable an installed singularity plugin
  - `inspect` Inspect a singularity plugin (either an installed one or an image)
  - `install` Install a singularity plugin
  - `list` List installed singularity plugins
  - `uninstall` Uninstall removes the named plugin from the system
- Introduced the `remote` command group to support management of Singularity endpoints:
  - `add` Create a new Sylabs Cloud remote endpoint
  - `list` List all remote endpoints that are configured
  - `login` Log into a remote endpoint using an authentication token
  - `remove` Remove an existing Sylabs Cloud remote endpoint
  - `status` Check the status of the services at an endpoint
  - `use` Set a remote endpoint to be used by default
- Added to the `key` command group to improve PGP key management:
  - `export` Export a public or private key into a specific file
  - `import` Import a local key into the local keyring
  - `remove` Remove a local public key
- Added the `Stage: <name>` keyword to the definition file header and the `from <stage name>` option/argument pair to the `%files` section to support multistage builds
- The `--token/-t` option has been deprecated in favor of the `singularity remote` command group
- Ask to confirm password on a newly generated PGP key
- Prompt to push a key to the KeyStore when generated
- Refuse to push an unsigned container unless overridden with `--allow-unauthenticated/-U` option
- Warn and prompt when pulling an unsigned container without the `--allow-unauthenticated/-U` option
- `Bootstrap` must now be the first field of every header because of parser requirements for multi-stage builds
- New hidden `buildcfg` command to display compile-time parameters
- Added support for `LDFLAGS`, `CFLAGS`, `CGO_` variables in build system
- Added `--nocolor` flag to Singularity client to disable color in logging
- `singularity capability <add/drop> --desc` has been removed
- `singularity capability list <--all/--group/--user>` flags have all been removed
- The `--builder` flag to the `build` command implicitly sets `--remote`
- Repeated binds no longer cause Singularity to exit and fail, just warn instead
- Corrected typos and improved docstrings throughout
- Removed warning when CWD does not exist on the host system
- Added support to spec file for RPM building on SLES 11
- Introduced the `oci` command group to support a new OCI compliant variant of the Singularity runtime:
  - `attach` Attach console to a running container process
  - `create` Create a container from a bundle directory
  - `delete` Delete container
  - `exec` Execute a command within container
  - `kill` Kill a container
  - `mount` Mount create an OCI bundle from SIF image
  - `pause` Suspends all processes inside the container
  - `resume` Resumes all processes previously paused inside the container
  - `run` Create/start/attach/delete a container from a bundle directory
  - `start` Start container process
  - `state` Query state of a container
  - `umount` Umount delete bundle
  - `update` Update container cgroups resources
- Added `cache` command group to inspect and manage cached files
  - `clean` Clean your local Singularity cache
  - `list` List your local Singularity cache
- Can now build CLI on darwin for limited functionality on Mac
- Added the `scratch` bootstrap agent to build from anything
- Reintroduced support for zypper bootstrap agent
- Added the ability to overwrite a new `singularity.conf` when building from RPM if desired
- Fixed several regressions and omissions in SCIF support
- Added caching for containers pulled/built from the Container Library
- Changed `keys` command group to `key` (retained hidden `keys` command for backward compatibility)
- Created an `RPMPREFIX` variable to allow RPMs to be installed in custom locations
- Greatly expanded CI unit and end-to-end testing
- Bind paths in `singularity.conf` are properly parsed and applied at runtime
- Singularity runtime will properly fail if `singularity.conf` file is not owned by the root user
- Several improvements to RPM packaging including using golang from epel, improved support for Fedora, and avoiding overwriting conf file on new RPM install
- Unprivileged `--contain` option now properly mounts `devpts` on older kernels
- Uppercase proxy environment variables are now rightly respected
- Add http/https protocols for singularity run/pull commands
- Update to SIF 1.0.2
- Add `noPrompt` parameter to `pkg/signing/Verify` function to enable silent verification
- Added the `--docker-login` flag to enable interactive authentication with docker registries
- Added support for pulling directly from HTTP and HTTPS
- Made minor improvements to RPM packaging and added basic support for alpine packaging
- The `$SINGULARITY_NOHTTPS`, `$SINGULARITY_TMPDIR`, and `$SINGULARITY_DOCKER_USERNAME`/`$SINGULARITY_DOCKER_PASSWORD` environment variables are now correctly respected
- Pulling from a private shub registry now works as expected
- Running a container with `--network="none"` no longer incorrectly fails with an error message
- Commands now correctly return 1 when incorrectly executed without arguments
- Progress bars no longer incorrectly display when running with `--quiet` or `--silent`
- Contents of `91-environment.sh` file are now displayed if appropriate when running `inspect --environment`
- Improved RPM packaging procedure via makeit
- Enhanced general stability of runtime
- Singularity is now written primarily in Go to bring better integration with the existing container ecosystem
- Added support for new URIs (`build` & `run/exec/shell/start`):
  - `library://` - Supports the Sylabs.io Cloud Library
  - `docker-daemon:` - Supports images managed by the locally running docker daemon
  - `docker-archive:` - Supports archived docker images
  - `oci:` - Supports oci images
  - `oci-archive:` - Supports archived oci images
- Handling of `docker` & `oci` URIs/images now utilizes containers/image to parse and convert those image types in a supported way
- Replaced `singularity instance.*` command group with `singularity instance *`
- The command `singularity help` now only provides help regarding the usage of the `singularity` command. To display an image's `help` message, use `singularity run-help <image path>` instead
- Removed deprecated `singularity image.*` command group
- Removed deprecated `singularity create` command
- Removed deprecated `singularity bootstrap` command
- Removed deprecated `singularity mount` command
- Added `singularity run-help <image path>` command to output an image's `help` message
- Added `singularity sign <image path>` command to allow a user to cryptographically sign a SIF image
- Added `singularity verify <image path>` command to allow a user to verify a SIF image's cryptographic signatures
- Added `singularity keys` command to allow the management of `OpenPGP` key stores
- Added `singularity capability` command to allow fine grained control over the capabilities of running containers
- Added `singularity push` command to push images to the Sylabs.io Cloud Library
- Added flags:
  - `--add-caps <string>`: Run the contained process with the specified capability set (requires root)
  - `--allow-setuid`: Allows setuid binaries to be mounted into the container (requires root)
  - `--apply-cgroups <path>`: Apply cgroups configuration from file to contained processes (requires root)
  - `--dns <string>`: Adds the comma separated list of DNS servers to the container's `resolv.conf` file
  - `--drop-caps <string>`: Drop the specified capabilities from the container (requires root)
  - `--fakeroot`: Run the container in a user namespace as `uid=0`. Requires a recent kernel to function properly
  - `--hostname <string>`: Set the hostname of the container
  - `--keep-privs`: Keep root user privilege inside the container (requires root)
  - `--network <string>`: Specify a list of comma separated network types (CNI Plugins) to be present inside the container, each with its own dedicated interface in the container
  - `--network-args <string>`: Specify arguments to pass to CNI network plugins (set by `--network`)
  - `--no-privs`: Drop all privileges from root user inside the container (requires root)
  - `--security <string>`: Configure security features such as SELinux, Apparmor, Seccomp...
  - `--writable-tmpfs`: Run container with a `tmpfs` overlay
- The command `singularity instance start` now supports the `--boot` flag to boot the container via `/sbin/init`
- Changes to image mounting behavior:
  - All image formats are mounted as read only by default
  - `--writable` only works on images which can be mounted in read/write [applicable to: `sandbox` and legacy `ext3` images]
  - `--writable-tmpfs` runs the container with a writable `tmpfs`-based overlay [applicable to: all image formats]
  - `--overlay <string>` now specifies a list of `ext3`/`sandbox` images which are set as the container's overlay [applicable to: all image formats]
- All images are now built as Singularity Image Format (SIF) images by default
- When building to a path that already exists, `singularity build` will now prompt the user if they wish to overwrite the file existing at the specified location
- The `-w|--writable` flag has been removed
- The `-F|--force` flag now overrides the interactive prompt and will always attempt to overwrite the file existing at the specified location
- The `-u|--update` flag has been added to support the workflow of running a definition file on top of an existing container [implies `--sandbox`, only supports `sandbox` image types]
- The `singularity build` command now supports the following flags for integration with the Sylabs.io Cloud Library:
  - `-r|--remote`: Build the image remotely on the Sylabs Remote Builder (currently unavailable)
  - `-d|--detached`: Detach from the `stdout` of the remote build [requires `--remote`]
  - `--builder <string>`: Specifies the URL of the remote builder to access
  - `--library <string>`: Specifies the URL of the Sylabs.io Cloud Library to push the built image to when the build command destination is in the form `library://<reference>`
- The `bootstrap` keyword in the definition file now supports the following values:
  - `library`
  - `docker-daemon`
  - `docker-archive`
  - `oci`
  - `oci-archive`
- The `from` keyword in the definition file now correctly parses a `docker` URI which includes the `registry` and/or `namespace` components
- The `registry` and `namespace` keywords in the definition file are no longer supported. Instead, those values may all go into the `from` keyword
- Building from a tar archive of a `sandbox` no longer works