hpcng/singularity: Singularity 3.7.0 Release Candidate 1

This is the first release candidate for the upcoming 3.7.0 version of Singularity.

This is a new version of Singularity with many new features, bug fixes, and other improvements detailed below. Some behaviour has changed. Please read the release notes below carefully. Documentation is currently being updated for 3.7.0 and will reflect the changes prior to the stable release.

To ensure a stable 3.7.0 release we'd appreciate any and all testing you're able to perform. Many thanks to those who have contributed code, bug reports, and testing! As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to security@sylabs.io - see the security policy at https://sylabs.io/security-policy for more information.

• Allow configuration of global custom keyservers, separate from remote endpoints.
• Add a new global keyring, for public keys only (used for ECL).
• The remote login commmand now suports authentication to Docker/OCI registries and custom keyservers.
• New --exclusive option for remote use allows admin to lock usage to a specific remote.
• A new Fingerprints: header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints.
• Labels can be set dynamically from a build's %post section by setting them in the SINGULARITY_LABELS environment variable.
• New build-arch label is automatically set to the architecure of the host during a container build.
• New -D/--description flag for singularity push sets description for a library container image.
• singularity remote status shows validity of authentication token if set.
• singularity push reports quota usage and URL on successful push to a library server that supports this.
• A new --no-mount flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled in singularity.conf.

• When actions (run/shell/exec...) are used without --fakeroot the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new --no-umask flag to return to the previous behaviour of setting a default 0022 umask.
• Container metadata, environment, scripts are recorded in a descriptor in builds to SIF files, and inspect will use this if present.
• The --nv flag for NVIDIA GPU support will not resolve libraries reported by nvidia-container-cli via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them.
• General re-work of the remote login flow, adds prompts and token verification before replacing an existing authentication token.
• The Execution Control List (ECL) now verifies container fingerprints using the new global keyring. Previously all users would need relevant keys in their own keyring.
• The SIF layer mediatype for ORAS has been changed to application/vnd.sylabs.sif.layer.v1.sif reflecting the published opencontainers/artifacts value.
• SINGULARITY_BIND has been restored as an environment variable set within a running container. It now reflects all user binds requested by the -B/--bind flag, as well as via SINGULARITY_BIND[PATHS].
• singularity search now correctly searches for container images matching the host architecture by default. A new --arch flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned.

• Support larger definition files, environments etc. by passing engine configuration in the environment vs. via socket buffer.
• Ensure docker-daemon: and other source operations respect SINGULARITY_TMPDIR for all temporary files.
• Support double quoted filenames in the %files section of build definitions.
• Correct cache list sizes to show KiB with powers of 1024, matching du etc.
• Don't fail on enable fusemount=no when no fuse mounts are needed.
• Pull OCI images to the correct requested location when the cache is disabled.
• Ensure Singularity> prompt is set when container has no environment script, or singularity is called through a wrapper script.
• Avoid build failures in yum/dnf operations against the 'setup' package on RHEL/CentOS/Fedora by ensuring staged /etc/ files do not match distro default content.
• Failed binds to /etc/hosts and /etc/localtime in a container run with --contain are no longer fatal errors.
• Don't initialize the cache for actions where it is not required.
• Increase embedded shell interpreter timeout, to allow slow-running environment scripts to complete.
• Correct buffer handling for key import to allow import from STDIN.
• Reset environment to avoid LD_LIBRARYPATH issues when resolving dependencies for the unsquashfs sandbox.
• Fall back to /sbin/ldconfig if ldconfig on PATH fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix.
• Address issues caused by error code changes in unsquashfs version 4.4.
• Ensure /dev/kfd is bound into container for ROCm when --rocm is used with --contain.
• Tolerate comments on %files sections in build definition files.
• Fix a loop device file descriptor leak.