sylabs/singularity: SingularityCE 3.10.0 Release Candidate 1

This is the first release candidate for the upcoming SingularityCE 3.10 release.

We would be grateful for any testing you can perform, and all feedback you can give. As this is a pre-release, you may not want to install it on a production system

Changed defaults / behaviours

• oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default.
• Default hostname for oci mount containers is now singularity instead of mrsdalloway.
• systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in singularity.conf to manage cgroups directly via the cgroupfs.
• The singularity oci command group now uses runc to manage containers.
• The singularity oci commands use conmon which is built from a git submodule, unless --without-conmon is specified as an argument to mconfig, in which case Singularity will search PATH for conmon. Version >=2.0.24 of conmon is required.
• The singularity oci flags --sync-socket, --empty-process, and --timeout have been removed.
• Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error.
• Plugins must be compiled from inside the SingularityCE source directory, and will use the main SingularityCE go.mod file. Required for Go 1.18 support.
• seccomp support is not disabled automatically in the absence of seccomp headers at build time. Run mconfig using --without-seccomp and --without-conmon to disable seccomp support and building of conmon (which requires seccomp headers).
• SingularityCE now requires squashfs-tools >=4.3, which is satisfied by current EL / Ubuntu / Debian and other distributions.
• Added --no-eval to the list of flags set by the OCI/Docker --compat mode (see below).

New features / functionalities

• Updated seccomp support allows use of seccomp profiles that set an error return code with errnoRet and defaultErrnoRet. Previously EPERM was hard coded. The example etc/seccomp-profiles/default.json has been updated.
• Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups.
• The --no-mount flag & SINGULARITY_NO_MOUNT env var can now be used to disable a bind path entry from singularity.conf by specifying the absolute path to the destination of the bind.
• Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager.
• Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly.
• Allow experimental direct mount of SIF images with squashfuse in user-namespace / no-setuid mode.
• New action flag --no-eval which:
  • Prevents shell evaluation of SINGULARITYENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers.
  • Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use singularity inspect to check version that container was built with.

Bug Fixes

• Allow newgidmap / newuidmap that use capabilities instead of setuid root.
• Corrected key search output for results from some servers, and keys with multiple names.
• Pass through a literal \n in host environment variables to container.
• Address 401 error pulling from private library:// projects.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.10.0-rc.1.tar.gz download below to obtain and install SingularityCE 3.10.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 18.04 (bionic)
• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/Alma/Rocky 8 (el8)

These packages were built with Go 1.18.1