Singularity has been renamed to Apptainer as part of us moving the project to the Linux Foundation. This repo has been persisted as a snapshot right before the changes.
Singularity 3.5.3 is a bugfix release with the following changes and fixes:
The following minor behaviour changes have been made in 3.5.3 to allow correct operation on CRAY CLE6, and to correct an issue with multi-stage image builds that was blocking use by build systems such as Spack:

- Container action scripts in `etc/actions.d` are no longer taken from the host. They are created dynamically and inserted at container startup.
- `%files from ...` will no longer follow symlinks when copying between stages in a multi-stage build, as symlinks should be copied so that they resolve identically in later stages. Copying `%files` from the host will still maintain the previous behaviour of following links.

Bug fixes:

- Fix handling of the `--nv` option without nvidia-container-cli.
- Fix for `--writable`.
- Fix `%post` and `%test` to honor the `-c` option.
- Fix `%post` when a container doesn't have `/etc/resolv.conf` or `/etc/hosts` files.
- Fix for the case where `allow-setuid=no` was configured in a setuid installation.
- Fix handling of the `0x` prefix when using `singularity keys`.
- Fix for `--boot`.

In addition, numerous improvements have been made to the test suites, allowing them to pass cleanly on a range of kernel versions and distributions that are not covered by the open-source CI runs.
Many thanks to those who have contributed code, bug reports, and testing!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
The 3.5.2 release of Singularity contains fixes for a security issue related to incorrect file permissions (CVE-2019-19724) on user configuration and cache directories.
In Singularity >=3.3.0 (on all OS/kernels) the `$HOME/.singularity` directory holding user configuration and caches is incorrectly created with 777 permissions. If the `$HOME` directory of a user has the group/any `x` permission set, then a malicious user with login access to the host system may traverse into `$HOME/.singularity` and:

- Inject a `remote.yaml` configuration file that can direct interactions with Sylabs cloud services / Singularity Enterprise to a malicious server. This may result in the execution of malicious container images.
- Read the content of a user's cached containers, which may include sensitive private data.

In Singularity >=2.4.0 (on all OS/kernels) the `$HOME/.singularity` directory and any explicit `SINGULARITY_CACHEDIR` directory are created with 755, or umask-dependent, permissions. If a user's `$HOME` directory, or the directory containing an explicitly set `SINGULARITY_CACHEDIR`, has the group/any `x` permission set, then a malicious user with login access to the host system may:
Singularity 3.5.2 should be installed immediately, and all previous versions of Singularity should be removed.
Additionally, we recommend running `chmod 700` against the `.singularity` directory within all user `$HOME` directories, especially if `$HOME` directories may have group/any `x` bits set on your system.

If no user `$HOME` directories have group/any `x` bits set, and `SINGULARITY_CACHEDIR` has never been set to a location open to shared access, the exploits listed above are not possible.

If Singularity is configured to only run containers signed with keys specified in an execution control list, and these keys are not compromised, arbitrary malicious containers cannot be run with a `remote.yaml` exploit.

Singularity 3.5.2 ensures 700 permissions are set on `$HOME/.singularity` when the `singularity` command is run by a user, and that 700 permissions are set for any existing or new explicit cache directory configured using the `SINGULARITY_CACHEDIR` environment variable.
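The following is an added example, not code from the Singularity project or the advisory. It turns the exposure condition above (a `$HOME` that group/others can traverse, combined with a `.singularity` or `SINGULARITY_CACHEDIR` directory that is open to group/others) into an audit an administrator can run over user home directories, and applies the `chmod 700` remediation the advisory recommends. The sample tree it builds under `mktemp -d`, the user name `alice`, and the cache path are constructed for the demonstration; the home and cache paths are arguments so the functions can be pointed at real directories.

```shell
#!/bin/sh
# Added example (not Singularity project code): audit the directory-permission
# exposure described for CVE-2019-19724 and apply the advisory's chmod 700 fix.
# Exposure = "group/other can traverse the parent" AND "the Singularity
# directory itself is open to group/other", which is the advisory's condition.

# Print the nine rwx characters of a path's mode, e.g. "rwx--x--x".
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# True (exit 0) if group or other has the x bit: characters 6 and 9 of the mode.
others_can_traverse() {
    case "$(perm_bits "$1")" in
        ?????[xs]???|????????[xt]) return 0 ;;
    esac
    return 1
}

# True (exit 0) if group or other has any r/w/x bit set on the path.
dir_is_open() {
    case "$(perm_bits "$1")" in
        ???------) return 1 ;;
    esac
    return 0
}

# Audit one user's $HOME/.singularity plus an optional SINGULARITY_CACHEDIR.
# Exit 0 when nothing is exposed, 1 when at least one directory is both
# reachable and open; one finding line is printed per exposed directory.
audit_singularity_dirs() {
    home_dir="$1"; cache_dir="$2"; exposed=0
    conf_dir="$home_dir/.singularity"
    if [ -d "$conf_dir" ] && others_can_traverse "$home_dir" && dir_is_open "$conf_dir"; then
        echo "EXPOSED: $conf_dir ($(perm_bits "$conf_dir")) via $home_dir ($(perm_bits "$home_dir"))"
        exposed=1
    fi
    if [ -n "$cache_dir" ] && [ -d "$cache_dir" ]; then
        parent=$(dirname "$cache_dir")
        if others_can_traverse "$parent" && dir_is_open "$cache_dir"; then
            echo "EXPOSED: $cache_dir ($(perm_bits "$cache_dir")) via $parent ($(perm_bits "$parent"))"
            exposed=1
        fi
    fi
    return "$exposed"
}

# The advisory's remediation: chmod 700 on .singularity and the explicit cache dir.
harden_singularity_dirs() {
    [ -d "$1/.singularity" ] && chmod 700 "$1/.singularity"
    [ -n "$2" ] && [ -d "$2" ] && chmod 700 "$2"
    return 0
}

# Constructed sample tree reproducing the >=3.3.0 condition: a traversable home
# (711) holding a 777 .singularity, plus a world-readable explicit cache dir.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.singularity" "$root/cache/sing"
    chmod 711 "$root/home/alice"
    chmod 777 "$root/home/alice/.singularity"
    chmod 755 "$root/cache" "$root/cache/sing"
    echo "$root"
}

# Stand-alone run: audit the sample tree, fix it, audit again.
demo() {
    root=$(make_sample_tree)
    audit_singularity_dirs "$root/home/alice" "$root/cache/sing" || echo "before fix: exposed"
    harden_singularity_dirs "$root/home/alice" "$root/cache/sing"
    audit_singularity_dirs "$root/home/alice" "$root/cache/sing" && echo "after fix: clean"
    rm -rf "$root"
}
demo
```

The audit looks only at mode bits, so it reports the precondition rather than proving a compromise; ACLs, which `ls -ld` flags with a trailing `+`, are not parsed and would need a separate check. Closing the home directory alone (700) also removes the exposure, matching the advisory's statement that the issue is not exploitable when no `$HOME` has group/any `x` bits.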
This release makes additional permission changes to further harden plugin operations against weak directory permissions / sudo secure umask settings, that should not occur without explicit administrator action.
Previous alpha and beta versions of Singularity Desktop for Mac are affected by this issue. A new beta release, beta-v0.2, is being prepared, and will be available shortly.
In keeping with our commitment to the open source community to release security patches incorporated into Singularity PRO, Sylabs is also releasing patches that can be applied to the 3.1, 2.6, 2.5, and 2.4 series. Even though 3.5.2 technically deprecates all previous open-source versions of Singularity, interested parties can find the patches to fix this specific issue at the following links:
Note - these prior versions of Singularity may be subject to additional security issues, addressed by further patches released previously. Please review the release history carefully before using a deprecated version of Singularity.
Bug fixes:

- Fix incorrect permissions on the `$HOME/.singularity` and `SINGULARITY_CACHEDIR` directories (CVE-2019-19724). Many thanks to Stuart Barkley for reporting this issue.
- Fix `.docker/config` for docker registry authentication.
- Fix the `run-help` command in the unprivileged workflow.
- Fix the `inspect` command to support older image formats.
- Fix: the `--disable-cache` option was not being honored.

This is the first bugfix release for Singularity 3.5.
A single feature has been added in this bugfix release, with specific functionality:

- `allow container encrypted` can be set to `no` in `singularity.conf` to prevent execution of encrypted containers.

This bugfix release addresses the following issues:

- Fix the `inspect` command in unprivileged workflows.

The following are known issues in this release, and will be addressed in an upcoming version of Singularity:

- Using `--fakeroot` to build sandboxes to GPFS, and most sandboxes to Lustre filesystems, is known not to work. As a workaround you may build to a local filesystem, e.g. `/tmp/mysandbox`, and copy to GPFS/Lustre.
- Caching of `http(s)://` image sources is incorrect. Images with the same final part in the URL will be considered the same image. Use `--disable-cache` or `singularity cache clean` between runs, or use `singularity pull` to explicitly fetch the image to a local SIF file.

Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Howdy container enthusiasts!
Singularity 3.5.0 brings some new features, most notably AMD GPU / ROCm support. We also have a couple of behavior changes noted below. Apart from this many bug fixes and small tweaks have been merged.
New features / functionalities:

- `--rocm` option added to bind ROCm devices and libraries into containers.
- `config global` command to edit `singularity.conf` settings from the CLI.
- `config fakeroot` command to set up `subuid` and `subgid` mappings for `--fakeroot` from the Singularity CLI.
- `singularity.conf`.
- `--fix-perms` option added to preserve old behaviour when building sandboxes.

Changed defaults / behaviours:

- `Singularity>` prompt is always set when entering shell in a container.
- `umask` will be honored when building a SIF file.
- `instance exec` processes acquire cgroups set on instance start.
- `--fakeroot` supports uid/subgid ranges >65536.
- `singularity version` now reports semver compliant version information.

Deprecated / removed:

- `--id` flag for `sign` and `verify`; replaced with `--sif-id`.

Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
This is the v3.4.2 bugfix release of Singularity, which addresses non-security related issues that were found in v3.4.1. We recommend you update to v3.4.2 for improved stability.
This release addresses the following issues:
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
This is the v3.4.1 bugfix release of Singularity, which addresses non-security related issues that were found in v3.4.0. We recommend you update to v3.4.1 for improved stability.
This release addresses the following issues:
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Howdy Singularity cowpokes! :cowboy_hat_face: :cow2:
The major new feature of this release is the ability to build and run encrypted containers. These containers are encrypted at rest, in transit, and even while running! There is no intermediate decrypted rootfs left around upon termination. Data is decrypted totally in kernel space.
Below is a slightly more thorough list of changes in 3.4.0. For a complete list, please see the commit history in git and on GitHub.
New features / functionalities:

- `--pem-path` option added to the `build` and action commands for RSA based encrypted containers.
- `--passphrase` option added to `build` and action commands for passphrase based encrypted containers.
- `SINGULARITY_ENCRYPTION_PEM_PATH` and `SINGULARITY_ENCRYPTION_PASSPHRASE` environment variables added to serve the same functions as above.
- `--encrypt` option added to the `build` command to build an encrypted container when environment variables contain a secret.
- `--disable-cache` flag prevents caching of downloaded containers.
- `--dry-run` flag to `cache clean`.
- `SINGULARITY_SYPGPDIR` environment variable to specify the location of PGP key data.
- `--nonet` option to the action commands to disable networking when running with the `--vm` option.
- `--long-list` flag to the `key search` command to preserve
- `--fusemount` flag to pass a command to mount a libfuse3 based file system within the container.
- `SINGULARITY_DISABLE_CACHE` environment variable.

Changed defaults / behaviours:

- `remote add` command now automatically attempts to login, and a `--no-login` flag is added to disable this behavior.
- `pull` command to download an unsigned container no longer produces an error code.
- `cache clean` command now prompts the user before cleaning when run without the `--force` option, and is more verbose.
- `key search` command.

Deprecated / removed:

- `--allow-unsigned` flag to `pull` has been deprecated and will be removed in the future.

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
And if you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Hey, hey, hey Singularity community!
Here's a brand spankin' new release of Singularity!
Major new features include a `--fakeroot` flag allowing you to build without `sudo` and spoof uid 0 on kernels with user namespace support, a `sif` command allowing you to inspect and manipulate SIF files, and an `oras` URI allowing you to push and pull SIF files to supported OCI registries! More details appear below and the full details appear in the git log.
New features / functionalities:

- Singularity Hub (`shub`) cache support when using the `pull` command.
- `cache clean` command.
- `oras` URI for pushing and pulling SIF files to and from supported OCI registries.
- `--fakeroot` option to the `build`, `exec`, `run`, `shell`, `test`, and `instance start` commands to run a container in a new user namespace as uid 0.
- `fakeroot` network type for use with the `--network` option.
- `sif` command to allow for the inspection and manipulation of SIF files with the following subcommands:
  - `add`: Add a data object to a SIF file
  - `del`: Delete a specified object descriptor and data from a SIF file
  - `dump`: Extract and output data objects from SIF files
  - `header`: Display SIF global headers
  - `info`: Display detailed information of object descriptors
  - `list`: List object descriptors from SIF files
  - `new`: Create a new empty SIF image file
  - `setprim`: Set primary system partition

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
And if you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Howdy Singularity Containnerds! 🤓
This point release fixes a few pesky bugs that were discovered in v3.2.0. In particular it:
- `--nv` is invoked

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
And if you think that you've discovered a security vulnerability please report it to: [email protected]
Have fun!
Greetings Singularity community!
The 3.2.0 release contains fixes for a high severity security issue affecting Singularity >=3.1.0 on Linux kernels that support namespace requirements (`pid` namespace) for creating and joining instances (CVE-2019-11328). A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the `starter-suid` program when instances are joined, resulting in potential privilege escalation on the host.

Singularity 3.2.0 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects systems on which unprivileged users are permitted to initiate and join instances via the suid workflow. If you are unable to upgrade immediately, you should disable the suid workflow on your system. You can do so by setting the following in the `singularity.conf` file:
allow setuid = no
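The following is an added example, not code from the Singularity project, for administrators who want to verify or apply the `allow setuid = no` mitigation across installations. It assumes the path to `singularity.conf` is supplied by the caller (its location depends on the install prefix), that directives have the form `key = value` with optional surrounding whitespace, that lines beginning with `#` are comments, and that the setting defaults to `yes` when no active line sets it; the last point matters because the shipped file documents each directive in a commented block, so a naive `grep` for the string would give a false "disabled". The sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Singularity project code): read and set the "allow setuid"
# directive in a singularity.conf file, for the CVE-2019-11328 mitigation.
# Assumptions: caller supplies the config path; "key = value" lines with
# optional whitespace; "#" starts a comment; default is "yes" when absent.

# Print the effective value (yes/no) of "allow setuid" in the given file.
effective_allow_setuid() {
    awk -F'=' '
        /^[ \t]*#/ { next }                       # comment line, ignore
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == "allow setuid") {
                val = $2; gsub(/[ \t]/, "", val)
                last = tolower(val)               # last active line wins
            }
        }
        END { print (last == "" ? "yes" : last) }
    ' "$1"
}

# Exit 0 when the suid workflow is enabled (directive is anything but "no").
suid_workflow_enabled() {
    [ "$(effective_allow_setuid "$1")" != "no" ]
}

# Rewrite the active directive, or append one if none exists. Comment lines
# are passed through untouched so the documentation block survives.
set_allow_setuid() {
    conf="$1"; want="$2"; tmp="$conf.tmp.$$"
    awk -v want="$want" -F'=' '
        /^[ \t]*#/ { print; next }
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == "allow setuid") { print "allow setuid = " want; done = 1; next }
            print
        }
        END { if (!done) print "allow setuid = " want }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample config (not the real shipped file) for a stand-alone run;
# note the commented documentation line that a plain grep would match.
write_sample_conf() {
    cat > "$1" <<'EOF'
# ALLOW SETUID: [BOOL]
# DEFAULT: yes
# allow setuid = yes
allow setuid = yes

max loop devices = 256
EOF
}

demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    echo "before: allow setuid = $(effective_allow_setuid "$conf")"
    set_allow_setuid "$conf" no
    echo "after:  allow setuid = $(effective_allow_setuid "$conf")"
    rm -f "$conf"
}
demo
```

Disabling the directive only covers the `singularity.conf` side of the mitigation; it does not change what is installed on disk, so a check that the `starter-suid` binary is no longer usable with elevated privileges is a separate step.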
In keeping with our commitment to the open source community, Sylabs is also releasing a patch that can be applied to the 3.1 series. Even though 3.2.0 technically deprecates all previous versions of Singularity, interested parties can find the patch to fix this vulnerability in the 3.1 series at the following link:
https://repo.sylabs.io/security/2019/CVE-2019-11328.diff
In addition to a security patch, 3.2.0 has a lot of great features. Highlights include a new plugin system, the added ability to create multi-stage builds, and better integration with the Singularity Container Services KeyStore. More details appear in the release notes below:
Bug fixes:

- Fixed insecure `starter-suid` behavior when instances are joined (many thanks to Matthias Gerstner from the SUSE security team for finding and securely reporting this vulnerability).
- `$GOPATH`

New features / functionalities:

- Introduced the `plugin` command group for creating and managing plugins:
  - `compile`: Compile a singularity plugin
  - `disable`: Disable an installed singularity plugin
  - `enable`: Enable an installed singularity plugin
  - `inspect`: Inspect a singularity plugin (either an installed one or an image)
  - `install`: Install a singularity plugin
  - `list`: List installed singularity plugins
  - `uninstall`: Uninstall removes the named plugin from the system
- Introduced the `remote` command group to support management of Singularity endpoints:
  - `add`: Create a new Sylabs Cloud remote endpoint
  - `list`: List all remote endpoints that are configured
  - `login`: Log into a remote endpoint using an authentication token
  - `remove`: Remove an existing Sylabs Cloud remote endpoint
  - `status`: Check the status of the services at an endpoint
  - `use`: Set a remote endpoint to be used by default
- Added to the `key` command group to improve PGP key management:
  - `export`: Export a public or private key into a specific file
  - `import`: Import a local key into the local keyring
  - `remove`: Remove a local public key
- Added the `Stage: <name>` keyword to the definition file header and the `from <stage name>` option/argument pair to the `%files` section to support multistage builds.

Deprecated / removed:

- `--token/-t` option has been deprecated in favor of the `singularity remote` command group.
- `--allow-unauthenticated/-U` option
- `--allow-unauthenticated/-U` option

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
And if you think that you've discovered a security vulnerability please report it to: [email protected]