Singularity has been renamed to Apptainer as part of us moving the project to the Linux Foundation. This repo has been persisted as a snapshot right before the changes.
This has been replaced with https://github.com/hpcng/singularity/releases/tag/v3.8.0-rc.2
Singularity 3.7.3 is a security release. We recommend all users upgrade to this version.
singularity build or singularity pull as root, from a docker or OCI source, as well as the implicit build to SIF that occurs through root use of run/exec/shell against a malicious docker/OCI image URI.
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Please use the singularity-3.7.3.tar.gz download below to obtain and install Singularity 3.7.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Please use the singularity-3.7.2.tar.gz download below to obtain and install Singularity 3.7.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Please use the singularity-3.7.1.tar.gz download below to obtain and install Singularity 3.7.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
This is a new version of Singularity with many new features, bug fixes, and other improvements detailed below. Some behaviour has changed. Please read the release notes below carefully before updating a production system.
remote login command now supports authentication to Docker/OCI registries and custom keyservers.
--exclusive option for remote use allows admin to lock usage to a specific remote.
Fingerprints: header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints.
%post section by setting them in the SINGULARITY_LABELS environment variable.
build-arch label is automatically set to the architecture of the host during a container build.
-D/--description flag for singularity push sets description for a library container image.
singularity remote status shows validity of authentication token if set.
singularity push reports quota usage and URL on successful push to a library server that supports this.
--no-mount flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled in singularity.conf.
--fakeroot the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new --no-umask flag to return to the previous behaviour of setting a default 0022 umask.
inspect will use this if present.
--nv flag for NVIDIA GPU support will not resolve libraries reported by nvidia-container-cli via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them.
remote login flow, adds prompts and token verification before replacing an existing authentication token.
application/vnd.sylabs.sif.layer.v1.sif reflecting the published opencontainers/artifacts value.
SINGULARITY_BIND has been restored as an environment variable set within a running container. It now reflects all user binds requested by the -B/--bind flag, as well as via SINGULARITY_BIND[PATHS].
singularity search now correctly searches for container images matching the host architecture by default. A new --arch flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned.
docker-daemon: and other source operations respect SINGULARITY_TMPDIR for all temporary files.
%files section of build definitions.
cache list sizes to show KiB with powers of 1024, matching du etc.
enable fusemount=no when no fuse mounts are needed.
Singularity> prompt is set when container has no environment script, or singularity is called through a wrapper script.
yum/dnf operations against the 'setup' package on RHEL/CentOS/Fedora by ensuring staged /etc/ files do not match distro default content.
/etc/hosts and /etc/localtime in a container run with --contain are no longer fatal errors.
LD_LIBRARY_PATH issues when resolving dependencies for the unsquashfs sandbox.
/sbin/ldconfig if ldconfig on PATH fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix.
unsquashfs version 4.4.
/dev/kfd is bound into container for ROCm when --rocm is used with --contain.
%files sections in build definition files.
--fakeroot builds to fail with a /sys/fs/selinux remount error. This will be addressed in Singularity v3.7.1.
Please use the singularity-3.7.0.tar.gz download below to obtain and install Singularity 3.7.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Singularity 3.6.4 is an important security release. Please read the release notes below carefully.
Singularity 3.6.4 addresses the following security issues.
Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:
3.1: https://repo.sylabs.io/security/2020/CVE-2020-15229-31.diff
3.5: https://repo.sylabs.io/security/2020/CVE-2020-15229-35.diff
Singularity 3.6.3 is an important security release. Please read the release notes below carefully.
Singularity 3.6.3 addresses the following security issues.
CVE-2020-25039: When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.
CVE-2020-25040: When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
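The two conditions these advisories describe can be checked on an extracted sandbox tree. The following is an added example, not code from Singularity or its patches; the `AuditSandbox` name, the `Finding` type and the rule that the sandbox root should carry no group/other permission bits are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one permission problem in an extracted sandbox tree.
type Finding struct{ Path, Reason string }

// AuditSandbox reports the two conditions the advisories describe: a sandbox
// root that other local users can enter or read, and world-writable entries
// beneath it that would let them add content.
func AuditSandbox(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info() // lstat semantics: symlinks are not followed
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			return nil // symlink permission bits carry no meaning on Linux
		}
		perm := info.Mode().Perm()
		switch {
		case p == root && perm&0o077 != 0:
			out = append(out, Finding{p, fmt.Sprintf("root mode %04o is open to group/other", perm)})
		case p != root && perm&0o002 != 0:
			out = append(out, Finding{p, fmt.Sprintf("world-writable, mode %04o", perm)})
		}
		return nil
	})
	return out, err
}

func main() {
	// Constructed sample tree standing in for an extracted image.
	root, _ := os.MkdirTemp("", "sandbox-demo-") // created with mode 0700
	defer os.RemoveAll(root)
	os.Chmod(root, 0o755) // constructed loose mode for the demo
	shared := filepath.Join(root, "shared")
	os.Mkdir(shared, 0o700)
	os.Chmod(shared, 0o777) // chmod is not filtered by umask
	findings, err := AuditSandbox(root)
	fmt.Println(findings, err)
}
```

A private root with no world-writable content yields no findings; either condition alone is reported separately, since the first exposes image contents and the second allows content to be added.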
In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:
Singularity 3.6.2 is a patch release fixing a number of bugs present in the previous 3.6 releases, and adding minor improvements to the delete command for library:// containers.
singularity delete for non-interactive workflows.
singularity delete.
singularity delete command.
rw as a (noop) bind option.
--nv/--rocm.
-user-xattrs for unsquashfs to avoid error with rootless extraction using unsquashfs 3.4 (Ubuntu 20.04).
--no-home message for 3.6 CWD behavior.
Singularity 3.6.1 is a patch release fixing some bugs raised soon after the 3.6.0 release. In particular, an issue where supplying an empty string "" as the destination to singularity build could result in the removal of the current directory has been addressed. Other fixes correct problems with mksquashfs limits, environment in Singularity 2.2 containers, and address a change in overlay behavior with an improved error message.
Singularity 3.6.0 is an important security release, as well as including a large number of new features and improvements. Please read the release notes below carefully, especially regarding the security content and compatibility of SIF signatures.
In particular, note that 3.6.0 necessarily uses a new format for SIF signatures, which is incompatible with older versions of Singularity. 3.6.0 has a --legacy-insecure flag to verify the older insecure signatures temporarily if needed in your workflows, but older versions cannot verify containers signed by 3.6.0.
Singularity 3.6.0 introduces a new signature format for SIF images, and changes to the signing / verification code to address:
--all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified.
Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
Note that the new signature format is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.
We thank Tru Huynh for a report that led to the review of, and changes to, the signature implementation.
/bin/sh, e.g. docker://hello-world.
singularity cache clean.
--bind flag can now bind directories from a SIF or ext3 image into a container.
--fusemount feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag). This permits users to mount e.g. sshfs and cvmfs filesystems to the container at runtime.
-c/--config flag allows an alternative singularity.conf to be specified by the root user, or all users in an unprivileged installation.
--env flag allows container environment variables to be set via the Singularity command line.
--env-file flag allows container environment variables to be set from a specified file.
--days flag for cache clean allows removal of items older than a specified number of days. Replaces the --name flag which is not generally useful as the cache entries are stored by hash, not a friendly name.
verify allows verification of SIF signatures in the old, insecure format.
instance list that shows the paths to instance STDERR / STDOUT log files.
--json output of instance list now includes paths to STDERR / STDOUT log files.
SINGULARITYENV_ always take precedence over variables without SINGULARITYENV_ prefix.
%post build section inherits environment variables from the base image.
%files from ... will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour.
%test build section is executed in the same manner as singularity test image.
--fusemount with the container: default directive will foreground the FUSE process. Use container-daemon: for previous behavior.
singularity instance list to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names.
--name flag for cache clean; replaced with --days.
-a / --all option to sign/verify as new signature behavior makes this the default.
$HOME when it is / (e.g. nobody user).
%appinstall sections in order when building from a definition file.
SINGULARITY_CONTAINER, SINGULARITY_ENVIRONMENT and the custom shell prompt are set inside a container.
/etc/containers/registries.conf.
http_proxy env var handling in yum bootstrap builds.
base metapackage for arch bootstrap builds - arch no longer has a base group.
--debug.
$HOME with --fakeroot --contain.
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!