Singularity has been renamed to Apptainer as part of us moving the project to the Linux Foundation. This repo has been persisted as a snapshot right before the changes.
This has been replaced with https://github.com/hpcng/singularity/releases/tag/v3.8.0-rc.2
Singularity 3.7.3 is a security release. We recommend all users upgrade to this version.
singularity build or singularity pull as root, from a docker or OCI source, as well as the implicit build to SIF that occurs through root use of run/exec/shell against a malicious docker/OCI image URI.Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Please use the singularity-3.7.3.tar.gz download below to obtain and install Singularity 3.7.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Please use the singularity-3.7.2.tar.gz download below to obtain and install Singularity 3.7.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Please use the singularity-3.7.1.tar.gz download below to obtain and install Singularity 3.7.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
This is a new version of Singularity with many new features, bug fixes, and other improvements detailed below. Some behaviour has changed. Please read the release notes below carefully before updating a production system.
remote login commmand now suports authentication to Docker/OCI registries and custom keyservers.--exclusive option for remote use allows admin to lock usage to a specific remote.Fingerprints: header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints.%post section by setting them in the SINGULARITY_LABELS environment variable.build-arch label is automatically set to the architecure of the host during a container build.-D/--description flag for singularity push sets description for a library container image.singularity remote status shows validity of authentication token if set.singularity push reports quota usage and URL on successful push to a library server that supports this.--no-mount flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled in singularity.conf.--fakeroot the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new --no-umask flag to return to the previous behaviour of setting a default 0022 umask.inspect will use this if present.--nv flag for NVIDIA GPU support will not resolve libraries reported by nvidia-container-cli via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them.remote login flow, adds prompts and token verification before replacing an existing authentication token.application/vnd.sylabs.sif.layer.v1.sif reflecting the published opencontainers/artifacts value.SINGULARITY_BIND has been restored as an environment variable set within a running container. It now reflects all user binds requested by the -B/--bind flag, as well as via SINGULARITY_BIND[PATHS].singularity search now correctly searches for container images matching the host architecture by default. A new --arch flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned.docker-daemon: and other source operations respect SINGULARITY_TMPDIR for all temporary files.%files section of build definitions.cache list sizes to show KiB with powers of 1024, matching du etc.enable fusemount=no when no fuse mounts are needed.Singularity> prompt is set when container has no environment script, or singularity is called through a wrapper script.yum/dnf operations against the 'setup' package on RHEL/CentOS/Fedora by ensuring staged /etc/ files do not match distro default content./etc/hosts and /etc/localtime in a container run with --contain are no longer fatal errors.LD_LIBRARYPATH issues when resolving dependencies for the unsquashfs sandbox./sbin/ldconfig if ldconfig on PATH fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix.unsquashfs version 4.4./dev/kfd is bound into container for ROCm when --rocm is used with --contain.%files sections in build definition files.--fakeroot builds to fail with a /sys/fs/selinux remount error. This will be addressed in Singularity v3.7.1.Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Please use the singularity-3.7.0.tar.gz download below to obtain and install Singularity 3.7.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Singularity 3.6.4 is an important security release. Please read the release notes below carefully.
Singularity 3.6.4 addresses the following security issues.
Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:
3.1: https://repo.sylabs.io/security/2020/CVE-2020-15229-31.diff 3.5: https://repo.sylabs.io/security/2020/CVE-2020-15229-35.diff
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Singularity 3.6.3 is an important security release. Please read the release notes below carefully.
Singularity 3.6.3 addresses the following security issues.
CVE-2020-25039: When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.
CVE-2020-25040: When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Singularity 3.6.2 is a patch release fixing a number of bugs present in the previous 3.6 releases, and adding minor improvements to the delete command for library:// containers.
singularity delete for non-interactive workflows.singularity delete.singularity delete command.rw as a (noop) bind option.--nv/--rocm.-user-xattrs for unsquashfs to avoid error with rootless extraction using unsquashfs 3.4 (Ubuntu 20.04).--no-home message for 3.6 CWD behavior.Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Singularity 3.6.1 is a patch release fixing some bugs raised soon after the 3.6.0 release. In particular, an issue where supplying an empty string "" as the destination to singularity build could result in the removal of the current directory has been addressed. Other fixes correct problems with mksquashfs limits, environment in Singularity 2.2 containers, and address a change in overlay behavior with an improved error message.
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Singularity 3.6.0 is an important security release, as well as including a large number of new features and improvements. Please read the release notes below carefully, especially regarding the security content and compatibility of SIF signatures.
In particular, note that 3.6.0 necessarily uses a new format for SIF signatures, which is incompatible with older versions of Singularity. 3.6.0 has a --legacy-insecure flag to verify the older insecure signatures temporarily if needed in your workflows, but older versions cannot verify containers signed by 3.6.0.
Singularity 3.6.0 introduces a new signature format for SIF images, and changes to the signing / verification code to address:
--all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified.Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
Note that the new signature format is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.
We thank Tru Huynh for a report that led to the review of, and changes to, the signature implementation.
/bin/sh, e.g. docker://hello-world.singularity cache clean.
--bind flag can now bind directories from a SIF or ext3 image into a container.--fusemount feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag). This permits users to mount e.g. sshfs and cvmfs filesystems to the container at runtime.-c/--config flag allows an alternative singularity.conf to be specified by the root user, or all users in an unprivileged installation.--env flag allows container environment variables to be set via the Singularity command line.--env-file flag allows container environment variables to be set from a specified file.--days flag for cache clean allows removal of items older than a specified number of days. Replaces the --name flag which is not generally useful as the cache entries are stored by hash, not a friendly name.verify allows verification of SIF signatures in the old, insecure format.instance list that shows the paths to instance STDERR / STDOUT log files.--json output of instance list now include paths to STDERR / STDOUT log files.SINGULARITYENV_ always take precedence over variables without SINGULARITYENV_ prefix.%post build section inherits environment variables from the base image.%files from ... will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour.%test build section is executed the same manner as singularity test image.--fusemount with the container: default directive will foreground the FUSE process. Use container-daemon: for previous behavior.singularity instance list to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names.--name flag for cache clean; replaced with --days.-a / --all option to sign/verify as new signature behavior makes this the default.$HOME when it is / (e.g. nobody user).%appinstall sections in order when building from a definition file.SINGULARITY_CONTAINER, SINGULARITY_ENVIRONMENT and the custom shell prompt are set inside a container./etc/containers/registries.conf.http_proxy env var handling in yum bootstrap builds.base metapackage for arch bootstrap builds - arch no longer has a base group.--debug.$HOME with --fakeroot --contain.Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!