
Releases: apptainer/apptainer

Apptainer v1.5.0

07 May 01:36
6ba2987


v1.5.0 - [2026-05-06]

Changes since v1.4.5

New Features & Functionality

  • Add support for a subset of the Container Device Interface (CDI) standard through new --device and --cdi-dirs run/shell/exec options. Honors environment variable settings, bind mounts, and device files listed in CDI specification files.
  • Add support for selective mounting of Intel(R) Gaudi accelerators. This feature is only useful in combination with a minimal /dev directory, selected either with the --contain flag or by setting mount dev = minimal in apptainer.conf; otherwise all the devices are available anyway. It is enabled via the --intel-hpu option together with the HABANA_VISIBLE_DEVICES environment variable, which should contain a comma-separated list of device IDs (e.g., "1,2,3") or "all" to import all of them. If HABANA_VISIBLE_DEVICES is not set, the default is "all".
  • Add new bootstrap buildkit: (and buildkit: URL) for building SIF images directly from a Dockerfile, without having to use Docker/Podman. Requires BuildKit to be installed. The full buildkit log file is included in the image, for traceability, and is also shown on the console as a progress update while building. If the APPTAINER_BUILDKIT_HOST environment variable is set, it selects (or overrides) the BuildKit backend used for the bootstrap.
  • Add support for downloading SIF images from an IPFS peer-to-peer cluster using an HTTP gateway (similar to the existing support for IPFS in the curl tool). The address of the gateway can be set in the IPFS_GATEWAY environment variable or read from ~/.ipfs/gateway or /etc/ipfs/gateway.
  • Add --no-env action and instance option and corresponding APPTAINER_NOENV environment variable that can provide a comma-separated list of environment variables to skip importing from the host environment into the container.
  • Add --data build option which creates a SIF file with a squashfs data partition instead of a code partition, given an existing squashfs file as the source.
  • If PREPEND_LD_LIBRARY_PATH is set in the container environment (through an --env option, an APPTAINERENV_ prefix from the host, or in the container definition), its value is prepended to LD_LIBRARY_PATH, giving $PREPEND_LD_LIBRARY_PATH:$LD_LIBRARY_PATH. Likewise, if APPEND_LD_LIBRARY_PATH is set in the container environment, its value is appended, giving $LD_LIBRARY_PATH:$APPEND_LD_LIBRARY_PATH. This is only done when LD_LIBRARY_PATH is set; however, if the container is based on glibc and LD_LIBRARY_PATH is not set, it is first filled with the default library search path as found through ldconfig, and the prepend/append is then applied to that.
  • Create reproducible SIF images, if the environment variable SOURCE_DATE_EPOCH has been set (as a Unix timestamp given as seconds since the beginning of 1970, in the UTC timezone). Also add --reproducible flag to build and pull from oras:// sources. This sets SOURCE_DATE_EPOCH automatically from the image "created" time.
  • Support hosts that have /etc/resolv.conf pointing to a symlink under /run, such as those hosts that are running systemd-resolved. In this case, the symlink is copied into the container and the parent directory of the target of the symlink is bind-mounted from the host. The result is that even if the target of the symlink is replaced with a new file, the container sees the update in /etc/resolv.conf.
  • Add /etc/resolv.conf to the list of host paths that can be prevented from automatic import into the container with the --no-mount option.
  • Preserve owner and group information on files in containers downloaded from OCI registries when building SIF files, even for unprivileged users. This takes advantage of the fact that the library (umoci) that downloads containers preserves owner and group information in an extended attribute. Adds bundled tool proot which is modified from the upstream tool by the rootless-containers project to make the owner and group appear to be in the ordinary stat() information. That tool is now used when invoking mksquashfs to create the filesystem partition in a SIF file. It can be disabled with the hidden build option --ignore-proot.
  • When unsquashing an image while running under a root-mapped user namespace (such as when using fakeroot without subuid mapping), insert another namespace mapping back to the original user so unsquashfs doesn't try (and fail) to change the owner and group information on the unpacked files.
  • Record image digest metadata (sha256 from RepoDigests), for OCI registry images. Also add the image name (ref) of the image from "docker", with registry and tag. This is useful for traceability, when using docker.io or a tag like latest. Unfortunately the feature does not work with "docker-archive" or "docker-daemon".
  • Print resulting digest when doing push to and pull from oras.
  • debugsource rpms are now generated in addition to debuginfo rpms on RHEL-derived and Fedora operating systems.
  • Add additional .rpm packages to the release assets that include el10 in their names. Those packages are necessary to work on EL10 which has a newer libsubid library than older EL releases.
  • Apptainer now supports the loong64 architecture.
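A worked example for the --device / --cdi-dirs item above, added here and not taken from Apptainer's own code or documentation: it writes a small CDI specification using only the edits the notes say are honored (device nodes, environment variables, bind mounts), derives the fully qualified names to pass to --device, and prints the resulting invocation. The vendor/class (example.com/accel), the device names, the /dev/accel* nodes and the /opt/accel/lib path are hypothetical.

```sh
#!/bin/sh
# Added example, not Apptainer's own code: write a minimal CDI spec of the
# kind the 1.5.0 --device / --cdi-dirs options consume (device nodes,
# environment, bind mounts, which is the subset the notes say is honored),
# then derive the fully qualified device names to request. The vendor,
# class, device names and host paths are hypothetical.

# write_cdi_spec DIR: create DIR/example.com-accel.yaml and print its path.
write_cdi_spec() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/example.com-accel.yaml" <<'EOF'
cdiVersion: "0.6.0"
kind: "example.com/accel"
devices:
  - name: "card0"
    containerEdits:
      deviceNodes:
        - path: /dev/accel0
      env:
        - ACCEL_VISIBLE_DEVICES=0
      mounts:
        - hostPath: /opt/accel/lib
          containerPath: /opt/accel/lib
          options: ["ro", "nosuid", "bind"]
  - name: "card1"
    containerEdits:
      deviceNodes:
        - path: /dev/accel1
      env:
        - ACCEL_VISIBLE_DEVICES=1
      mounts:
        - hostPath: /opt/accel/lib
          containerPath: /opt/accel/lib
          options: ["ro", "nosuid", "bind"]
EOF
    printf '%s\n' "$dir/example.com-accel.yaml"
}

# cdi_device_names DIR: print "kind=name" for every device declared in the
# specs under DIR (CDI's fully qualified form vendor/class=name). This is
# line-oriented parsing that suits the layout above, not a YAML parser.
cdi_device_names() {
    dir="$1"
    for spec in "$dir"/*.yaml; do
        [ -f "$spec" ] || continue
        kind=$(sed -n 's/^kind:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$spec" | head -n 1)
        sed -n 's/^  - name:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$spec" |
            while IFS= read -r name; do
                printf '%s=%s\n' "$kind" "$name"
            done
    done
}

# cdi_run_cmdline DIR IMAGE CMD...: the apptainer invocation, printed rather
# than executed so it can be reviewed on hosts without Apptainer. --contain
# keeps /dev minimal so only the requested nodes appear (the same point the
# notes make for --intel-hpu); one --device per name avoids assuming a
# list separator.
cdi_run_cmdline() {
    dir="$1"; image="$2"; shift 2
    args=""
    for dev in $(cdi_device_names "$dir"); do
        args="$args --device $dev"
    done
    printf 'apptainer exec --contain --cdi-dirs %s%s %s %s\n' "$dir" "$args" "$image" "$*"
}

# Stand-alone demonstration in a scratch directory.
scratch=$(mktemp -d)
write_cdi_spec "$scratch" >/dev/null
cdi_run_cmdline "$scratch" accel-app.sif ls -l /dev
rm -rf "$scratch"
```

Point --cdi-dirs at a directory you control and keep it unwritable by container users: every mount and device node in a spec found there is applied on request, so the spec directory is part of the trusted configuration.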
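An added example for the --no-env / APPTAINER_NOENV item: rather than typing the exclusion list by hand, derive it from whatever credential-looking variables the launching shell exports, so those never reach the container. This is example code, not part of Apptainer; the name pattern it matches on is its own heuristic, and exec_without_secrets is a hypothetical wrapper, not an Apptainer command.

```sh
#!/bin/sh
# Added example, not Apptainer's own code: build the comma-separated list
# of names that the 1.5.0 --no-env option / APPTAINER_NOENV variable take,
# from whatever credential-looking variables the launching shell exports,
# so a container never sees them. The name pattern is this example's
# heuristic, not anything Apptainer defines; extend it for your site.

SECRET_NAME_PATTERN='TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|CREDENTIAL|PRIVATE_KEY'

# filter_secret_names: variable names on stdin (one per line) -> one
# comma-separated, de-duplicated, C-locale-sorted line of the matches.
filter_secret_names() {
    grep -E -i "($SECRET_NAME_PATTERN)" | LC_ALL=C sort -u | paste -s -d , -
}

# secret_env_names: the same, taken from the live environment. Only the
# text before the first '=' of each env line is a name; values, which may
# themselves contain '=' or newlines, are discarded.
secret_env_names() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | filter_secret_names
}

# exec_without_secrets IMAGE CMD...: run CMD in IMAGE with those names
# excluded from the imported environment; prints the command instead when
# Apptainer is not installed, so the script is inspectable anywhere.
exec_without_secrets() {
    image="$1"; shift
    noenv=$(secret_env_names)
    if command -v apptainer >/dev/null 2>&1; then
        APPTAINER_NOENV="$noenv" apptainer exec "$image" "$@"
    else
        printf 'APPTAINER_NOENV=%s apptainer exec %s %s\n' "$noenv" "$image" "$*"
    fi
}

# Stand-alone demonstration against the current shell's environment.
printf 'would exclude: %s\n' "$(secret_env_names)"
```

Compute the list in the same shell that launches the container, since it reflects that shell's environment at that moment; running env inside the container afterwards should show none of the listed names.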

Changed defaults / behaviours

  • If libraries are bound in to /.singularity.d/libs (such as with GPU options like --nv) and the container is based on glibc and LD_LIBRARY_PATH is not already set, it is now set to the default library search path. Since /.singularity.d/libs is appended to LD_LIBRARY_PATH, this makes libraries installed in the container take precedence over libraries bound in from the host. This reduces the chances of mismatched glibc versions. However, if there are indeed libraries on the host that need to take precedence over libraries in the container, that can be forced with PREPEND_LD_LIBRARY_PATH=/.singularity.d/libs.
  • Change the default arm variant to v7, and stop consulting the GOARM environment variable at run time. The variables GOOS, GOARCH and GOARM are now only used when building.
  • The oras transport now supports architectures beyond amd64.
  • Images downloaded from oras without using the cache are now checksummed. A progress bar is shown during the process.
  • Add support for APPTAINER_TMPDIR to the commands apptainer overlay create and apptainer plugin compile.
  • Update minimum go version to 1.25.7.
  • Update the bundled gocryptfs to version 2.6.1.
  • Update the bundled squashfuse to version 0.6.1.
  • Update the bundled fuse-overlayfs to version 1.16.
  • Update the bundled squashfs-tools to version 4.7.5.
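The two LD_LIBRARY_PATH items (PREPEND_LD_LIBRARY_PATH / APPEND_LD_LIBRARY_PATH under new features, and the default-search-path change in the list above) describe a precedence rule worth seeing end to end. The script below is an added example, not Apptainer's code: it emulates the composition rule as the notes state it and then shows which directory a given soname would be loaded from under each outcome. It assumes that APPEND_LD_LIBRARY_PATH is placed after the bound /.singularity.d/libs entry (the notes do not say), and the library inventory and the x86_64 default path are constructed.

```sh
#!/bin/sh
# Added example, not Apptainer's own code: emulate the LD_LIBRARY_PATH
# composition rules described in the 1.5.0 notes so the resulting search
# order can be inspected before a container is run. Assumptions of this
# example: APPEND_LD_LIBRARY_PATH lands after the bound /.singularity.d/libs
# entry, and the sample library inventory below is constructed.

BOUND_LIBS=/.singularity.d/libs

# join_path A B: "A:B", or whichever half is non-empty.
join_path() {
    if [ -z "$1" ]; then printf '%s' "$2"
    elif [ -z "$2" ]; then printf '%s' "$1"
    else printf '%s:%s' "$1" "$2"
    fi
}

# compose_ld_library_path CURRENT DEFAULT BOUND PREPEND APPEND
#   CURRENT  LD_LIBRARY_PATH already set in the container ("" if unset)
#   DEFAULT  default search path from ldconfig ("" for a non-glibc container)
#   BOUND    "yes" when host libraries are bound to /.singularity.d/libs (--nv etc.)
#   PREPEND  PREPEND_LD_LIBRARY_PATH ("" if unset)
#   APPEND   APPEND_LD_LIBRARY_PATH ("" if unset)
compose_ld_library_path() {
    cur="$1"; def="$2"; bound="$3"; pre="$4"; app="$5"
    # Unset on a glibc container and about to be extended: start from the
    # default search path, so container libraries stay ahead of host ones.
    if [ -z "$cur" ] && [ -n "$def" ] && { [ "$bound" = yes ] || [ -n "$pre" ] || [ -n "$app" ]; }; then
        cur="$def"
    fi
    if [ "$bound" = yes ]; then cur=$(join_path "$cur" "$BOUND_LIBS"); fi
    if [ -n "$app" ]; then cur=$(join_path "$cur" "$app"); fi
    if [ -n "$pre" ]; then cur=$(join_path "$pre" "$cur"); fi
    printf '%s\n' "$cur"
}

# first_provider SONAME SEARCH_PATH INVENTORY: first directory in SEARCH_PATH
# order that holds SONAME, given a newline-separated "dir/soname" inventory;
# prints "none" when no directory provides it.
first_provider() {
    so="$1"; path="$2"; inv="$3"
    old_ifs=$IFS; IFS=:
    for dir in $path; do
        IFS=$old_ifs
        if printf '%s\n' "$inv" | grep -q -x -F "$dir/$so"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    IFS=$old_ifs
    printf 'none\n'
}

# Constructed inventory: the container ships its own libstdc++, while the
# host's --nv binding brings libcuda plus a second (host) libstdc++.
INVENTORY='/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
/.singularity.d/libs/libstdc++.so.6
/.singularity.d/libs/libcuda.so.1'
DEFAULT_PATH=/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu

# 1.5.0 default with --nv on a glibc container and no LD_LIBRARY_PATH set.
nv_default=$(compose_ld_library_path "" "$DEFAULT_PATH" yes "" "")
# Forcing the host copies ahead of the container's, as the notes describe.
nv_host_first=$(compose_ld_library_path "" "$DEFAULT_PATH" yes "$BOUND_LIBS" "")
# Non-glibc container: nothing to fill in, only the bound directory.
nv_musl=$(compose_ld_library_path "" "" yes "" "")

printf 'default   : %s -> libstdc++ from %s, libcuda from %s\n' "$nv_default" \
    "$(first_provider libstdc++.so.6 "$nv_default" "$INVENTORY")" \
    "$(first_provider libcuda.so.1 "$nv_default" "$INVENTORY")"
printf 'host first: %s -> libstdc++ from %s\n' "$nv_host_first" \
    "$(first_provider libstdc++.so.6 "$nv_host_first" "$INVENTORY")"
printf 'non-glibc : %s\n' "$nv_musl"
```

To see the real value rather than the emulation, run apptainer exec --nv IMAGE sh -c 'echo $LD_LIBRARY_PATH'; running ldd on a binary inside the container then confirms which copy of a library is actually selected.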

Bug fixes

  • Make the root default capabilities configuration option apply only to the real root user as documented and not to a fakeroot user.
  • Fix a long-standing bug in importing environment variables from OCI containers (those defined by ENV in the Dockerfile) when they contain shell special characters. They are now escaped with single backslashes instead of double backslashes, so they behave as they do in podman and docker.
  • The username in /etc/passwd inside a container now always corresponds to the username of the user on the host even if an entry with the same UID is found in the container.
  • When apptainer reinvokes itself on behalf of the run-help command, it passes through LD_LIBRARY_PATH. This makes it work correctly when it was installed with install-unprivileged.sh on a host operating system that's different than the one the installed binaries were built on.

Apptainer v1.5.0-rc.2

14 Apr 22:27
eaf255c

Pre-release

v1.5.0-rc.2 - [2026-04-14]

Changes since v1.5.0-rc.1

  • Apptainer now supports the loong64 architecture.
  • Add APPTAINER_BUILDKIT_HOST environment variable for selecting or overriding what backend to use for the BuildKit bootstrap.
  • When apptainer reinvokes itself on behalf of the run-help command, pass through LD_LIBRARY_PATH. This makes it work correctly when it was installed with install-unprivileged.sh on a host operating system that's different than the one the installed binaries were built on.
  • Update minimum go version to 1.25.7.

Apptainer 1.5.0-rc.1

12 Mar 18:47
ed03e11

Pre-release

v1.5.0-rc.1 - [2026-03-12]

Changes since 1.4.5

New Features & Functionality

  • Add support for a subset of the Container Device Interface (CDI) standard through new --device and --cdi-dirs run/shell/exec options. Honors environment variable settings, bind mounts, and device files listed in CDI specification files.
  • Add support for selective mounting of Intel(R) Gaudi accelerators. This feature is only useful in combination with a minimal /dev directory, selected either with the --contain flag or by setting mount dev = minimal in apptainer.conf; otherwise all the devices are available anyway. It is enabled via the --intel-hpu option together with the HABANA_VISIBLE_DEVICES environment variable, which should contain a comma-separated list of device IDs (e.g., "1,2,3") or "all" to import all of them. If HABANA_VISIBLE_DEVICES is not set, the default is "all".
  • Add new bootstrap buildkit: (and buildkit: URL) for building SIF images directly from a Dockerfile, without having to use Docker/Podman. Requires BuildKit to be installed. The full buildkit log file is included in the image, for traceability, and is also shown on the console as a progress update while building.
  • Add support for downloading SIF images from an IPFS peer-to-peer cluster using an HTTP gateway (similar to the existing support for IPFS in the curl tool). The address of the gateway can be set in the IPFS_GATEWAY environment variable or read from ~/.ipfs/gateway or /etc/ipfs/gateway.
  • Add --no-env action and instance option and corresponding APPTAINER_NOENV environment variable that can provide a comma-separated list of environment variables to skip importing from the host environment into the container.
  • Add --data build option which creates a SIF file with a squashfs data partition instead of a code partition, given an existing squashfs file as the source.
  • If PREPEND_LD_LIBRARY_PATH is set in the container environment (through an --env option, an APPTAINERENV_ prefix from the host, or in the container definition), its value is prepended to LD_LIBRARY_PATH, giving $PREPEND_LD_LIBRARY_PATH:$LD_LIBRARY_PATH. Likewise, if APPEND_LD_LIBRARY_PATH is set in the container environment, its value is appended, giving $LD_LIBRARY_PATH:$APPEND_LD_LIBRARY_PATH. This is only done when LD_LIBRARY_PATH is set; however, if the container is based on glibc and LD_LIBRARY_PATH is not set, it is first filled with the default library search path as found through ldconfig, and the prepend/append is then applied to that.
  • Create reproducible SIF images, if the environment variable SOURCE_DATE_EPOCH has been set (as a Unix timestamp given as seconds since the beginning of 1970, in the UTC timezone). Also add --reproducible flag to build and pull from oras:// sources. This sets SOURCE_DATE_EPOCH automatically from the image "created" time.
  • Support hosts that have /etc/resolv.conf pointing to a symlink under /run, such as those hosts that are running systemd-resolved. In this case, the symlink is copied into the container and the parent directory of the target of the symlink is bind-mounted from the host. The result is that even if the target of the symlink is replaced with a new file, the container sees the update in /etc/resolv.conf.
  • Add /etc/resolv.conf to the list of host paths that can be prevented from automatic import into the container with the --no-mount option.
  • Preserve owner and group information on files in containers downloaded from OCI registries when building SIF files, even for unprivileged users. This takes advantage of the fact that the library (umoci) that downloads containers preserves owner and group information in an extended attribute. Adds bundled tool proot which is modified from the upstream tool by the rootless-containers project to make the owner and group appear to be in the ordinary stat() information. That tool is now used when invoking mksquashfs to create the filesystem partition in a SIF file. It can be disabled with the hidden build option --ignore-proot.
  • When unsquashing an image while running under a root-mapped user namespace (such as when using fakeroot without subuid mapping), insert another namespace mapping back to the original user so unsquashfs doesn't try (and fail) to change the owner and group information on the unpacked files.
  • Record image digest metadata (sha256 from RepoDigests), for OCI registry images. Also add the image name (ref) of the image from "docker", with registry and tag. This is useful for traceability, when using docker.io or a tag like latest. Unfortunately the feature does not work with "docker-archive" or "docker-daemon".
  • Print resulting digest when doing push to and pull from oras.
  • debugsource rpms are now generated in addition to debuginfo rpms on RHEL-derived and Fedora operating systems.
  • Add additional .rpm packages to the release assets that include el10 in their names. Those packages are necessary to work on EL10 which has a newer libsubid library than older EL releases.

Changed defaults / behaviours

  • If libraries are bound in to /.singularity.d/libs (such as with GPU options like --nv) and the container is based on glibc and LD_LIBRARY_PATH is not already set, it is now set to the default library search path. Since /.singularity.d/libs is appended to LD_LIBRARY_PATH, this makes libraries installed in the container take precedence over libraries bound in from the host. This reduces the chances of mismatched glibc versions. However, if there are indeed libraries on the host that need to take precedence over libraries in the container, that can be forced with PREPEND_LD_LIBRARY_PATH=/.singularity.d/libs.
  • Change the default arm variant to v7, and stop consulting the GOARM environment variable at run time. The variables GOOS, GOARCH and GOARM are now only used when building.
  • The oras transport now supports architectures beyond amd64.
  • Images downloaded from oras without using the cache are now checksummed. A progress bar is shown during the process.
  • Add support for APPTAINER_TMPDIR to the commands apptainer overlay create and apptainer plugin compile.
  • Update minimum go version to 1.25.6.
  • Update the bundled gocryptfs to version 2.6.1.
  • Update the bundled squashfuse to version 0.6.1.
  • Update the bundled fuse-overlayfs to version 1.16.
  • Update the bundled squashfs-tools to version 4.7.5.

Bug fixes

  • Make the root default capabilities configuration option apply only to the real root user as documented and not to a fakeroot user.
  • Fix a long-standing bug in importing environment variables from OCI containers (those defined by ENV in the Dockerfile) when they contain shell special characters. They are now escaped with single backslashes instead of double backslashes, so they behave as they do in podman and docker.
  • The username in /etc/passwd inside a container now always corresponds to the username of the user on the host even if an entry with the same UID is found in the container.

Apptainer v1.4.5

02 Dec 17:23
3a171cf


v1.4.5 - [2025-12-02]

Security Related Fixes

  • Fix for moderate severity CVE-2025-65105 / GHSA-j3rw-fx6g-q46j: Ineffective application of selinux / apparmor --security option.
  • Updates of a few dependent go libraries for related security fixes.

Other fix

  • Run FUSE processes in a separate process group. This detaches them from the main process so that they do not receive signals, such as interrupts, sent to the terminal. This was not a problem with interactive shells, because they start their own process group, but it was a problem with some programs that provide an interactive read-eval-print loop (REPL), such as python: an interrupt there would kill the FUSE processes.

Apptainer v1.4.4

29 Oct 15:44
1324713


v1.4.4 - [2025-10-29]

  • By applying patches to the bundled fuse2fs, allow a non-writable ext3 image file to be used as an overlay again. Fixes a regression introduced in 1.4.3.
  • If an overlay or bound data image is asked to be mounted writable but the user has no write access to the image, show a warning message instead of silently switching to readonly.
  • Avoid a fatal error when starting fakeroot from suid mode while in an NFS directory.
  • Fix 32-bit builds which were accidentally broken by a library upgrade that was done for a minor security issue.

Apptainer v1.4.3

29 Sep 13:48
14e61e5


v1.4.3 - [2025-09-29]

  • Include the home directory in the --workdir option (which is a modifier of the --contain option). This has always been in the --workdir usage description but the home directory has not actually been included at least since singularity-2.
  • Update the bundled fuse2fs to version 1.47.3. This fixes a bug that caused removal of files in the --overlay mode to silently fail.
  • Update the bundled fuse-overlayfs to version 1.15.
  • Add support for building and publishing Apptainer for Ubuntu 25.04 PPA.
  • Fix reading images using the oras protocol to store temporary files in APPTAINER_TMPDIR instead of TMPDIR.

Apptainer 1.4.2

08 Aug 01:17
699be42


v1.4.2 - [2025-07-07]

  • Restore looking for registry mirrors in /etc/containers/registry.conf and related files. This had been inadvertently dropped beginning in 1.4.0.
  • Fix use of the image cache when the home directory contains @ characters. Previously it would assume that it was the start of a digest in the oci-dir.
  • Fix signature verification failures on unsigned images.
  • Add additional .deb packages to the release assets that include the label trixie+ to indicate that they are for installing on Debian 13 or later. Those packages are necessary to work with the new libfuse3 library in Debian 13. They also support libsubid, unlike the default packages, because those are built on Debian 11 which doesn't have that library.
  • Add automatic triggering of Ubuntu PPA builds whenever there's a new apptainer release.

Apptainer 1.4.1

15 May 02:53
db72b56


v1.4.1 - [2025-05-14]

  • Fix the use of libsubid which had been broken by the revision applied in 1.4.0-rc.2.
  • Fix a bug introduced in 1.4.0 that caused arm64 to be mis-converted to arm64v8 and resulted in a failure when pulling OCI containers.
  • Fix user database lookup in master process preventing instance from starting correctly on systems using winbind.
  • Update minimum go version to 1.23.6 now that it is current in el8 & el9.
  • Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.
  • Compile gocryptfs with the default GOAMD64 microarchitecture of the go compiler instead of always using GOAMD64=v2. The default value in the upstream go compiler is GOAMD64=v1, to work with older CPUs, although it can have a cost in performance on newer CPUs. It is still possible to set GOAMD64 to a newer microarchitecture (v2+). For instance RHEL 9 uses v2 and RHEL 10 uses v3 as their default values.
  • Add a clear error message if someone tries to use privileged network options while not using setuid mode.
  • Allow multi-arch oci-archive files that have a nested index with the manifest. This is the default format (both for Docker and OCI) when using nerdctl save.
  • Test whether a docker-archive is actually an oci-archive (the case since Docker version 25), and if so use the OCI parser to avoid bugs in the Docker parser. docker-daemon references are saved to a temporary docker-archive and parsed as oci-archive, so they benefit from the same improvements.

Apptainer 1.4.0

18 Mar 21:39
02495a0


v1.4.0 - [2025-03-18]

Changes since 1.3.6

New Features & Functionality

  • Add support for libsubid, when available at compile time. This library enables central management of subuid and subgid mappings and typically comes as part of the shadow-utils package, possibly as a shadow-utils-subid subpackage.
  • Add new build option --mksquashfs-args to pass additional arguments to the mksquashfs command when building SIF files. If a compression method other than gzip is selected, the SIF file might not work with older installations of Apptainer or Singularity, so an INFO message about that is printed. On the other hand, an INFO message that was printed (twice) when running an image with non-gzip compression has been removed.
  • Expand the build instructions for squashfuse and apptainer packaging to include the libraries needed for maximum support of compression algorithms by squashfuse_ll.
  • If the mksquashfs version is new enough (version 4.6 or later), then show a percentage progress bar (with ETA) during SIF creation in the default log level. If the mksquashfs version is older, then in verbose or debug log level show the output of mksquashfs with its own progress bar.
  • Include a bundled copy of squashfs-tools to make the progress bar available and to ensure that all compression types are available. This includes the programs mksquashfs and unsquashfs.
  • Statistics are now normally available for instances that are started by non-root users on cgroups v2 systems. The instance will be started in the current cgroup. Information about configuration issues that prevent collection of statistics is displayed in INFO messages by default.
  • Add a dnf definition file bootstrap option as an alias to the yum bootstrap option.
  • Add a --sandbox option to apptainer pull.
  • Add configuration file binding to the --nv option. Files that are recognized in the NVIDIA Container Toolkit, including files for EGL ICD, were added to the default nvliblist.conf.
  • It is now possible to use multiple environment variable files using the --env-file flag. Files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence over earlier files.
  • The registry login and registry logout commands now support a --authfile <path> option, which causes OCI credentials to be written to / removed from a custom file located at <path> instead of the default location ($HOME/.apptainer/docker-config.json). The commands pull, push, run, exec, shell and instance start can now also be passed a --authfile <path> option, to read OCI registry credentials from this custom file.
  • A new --netns-path option takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allow netns paths directive in apptainer.conf, if they are also listed in allow net users / allow net groups and apptainer is installed with setuid privileges. Not supported with --fakeroot.
  • apptainer.conf now accepts setting the following options:
    • allow ipc ns -- Default value is yes; when set to no, it will disable the use of the --ipc flag.
    • allow uts ns -- Default value is yes; when set to no, it will invalidate the use of the --uts and --hostname flags.
    • allow user ns -- Default value is yes; when set to no, it will disable creation of user namespaces. Note that this will prevent execution of containers with the --userns or --fakeroot flags and with unprivileged installations of Apptainer.
  • Add automated tests for OpenSUSE Leap and Tumbleweed and Debian Bookworm.
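An added example, not Apptainer's code, for the apptainer.conf directives and the --netns-path option above: a small audit of a configuration file that reports whether an unprivileged --netns-path is possible at all (allow netns paths, allow net users / allow net groups and allow setuid must all agree, the installation must actually be setuid, and --fakeroot is not supported regardless), and what allow user ns = no and allow uts ns = no take away. The sample configuration, user names, group and namespace paths are constructed for the example.

```sh
#!/bin/sh
# Added example, not Apptainer's own code: read an apptainer.conf and
# report how the 1.4.0 namespace directives (allow user ns, allow ipc ns,
# allow uts ns, allow netns paths) combine with the pre-existing allow net
# users / allow net groups / allow setuid settings, since an unprivileged
# --netns-path only works when all of them line up. The sample
# configuration is constructed for this example; the user, group and path
# names in it are hypothetical.

# conf_value FILE KEY: value of the last uncommented "KEY = value" line,
# trailing whitespace trimmed; empty when the directive is absent.
conf_value() {
    file="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# yesno FILE KEY: like conf_value, but "yes" when absent, which is the
# default the 1.4.0 notes give for the allow ... ns directives.
yesno() {
    v=$(conf_value "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'yes\n'; fi
}

# netns_policy FILE: who can join a namespace with --netns-path. The conf
# check is necessary, not sufficient: the setuid starter must actually be
# installed, and --fakeroot is not supported with --netns-path at all.
netns_policy() {
    file="$1"
    paths=$(conf_value "$file" "allow netns paths")
    users=$(conf_value "$file" "allow net users")
    groups=$(conf_value "$file" "allow net groups")
    setuid=$(yesno "$file" "allow setuid")
    if [ -z "$paths" ]; then
        printf 'root-only: allow netns paths is empty\n'
    elif [ "$setuid" != yes ]; then
        printf 'root-only: allow netns paths set but allow setuid = %s\n' "$setuid"
    elif [ -z "$users" ] && [ -z "$groups" ]; then
        printf 'root-only: allow netns paths set but no allow net users/groups\n'
    else
        printf 'unprivileged: users=[%s] groups=[%s] paths=[%s]\n' "$users" "$groups" "$paths"
    fi
}

# ns_report FILE: the other three directives and what "no" costs.
ns_report() {
    file="$1"
    if [ "$(yesno "$file" "allow user ns")" = no ]; then
        printf 'allow user ns = no (blocks --userns and --fakeroot; a non-setuid install cannot run containers)\n'
    else
        printf 'allow user ns = yes\n'
    fi
    printf 'allow ipc ns = %s\n' "$(yesno "$file" "allow ipc ns")"
    printf 'allow uts ns = %s (no also disables --uts and --hostname)\n' "$(yesno "$file" "allow uts ns")"
}

# write_sample_conf FILE: a constructed, deliberately restrictive config.
write_sample_conf() {
    cat > "$1" <<'EOF'
# allow user ns = yes   (a comment: ignored by conf_value)
allow setuid = yes
allow user ns = no
allow uts ns = no
allow netns paths = /run/netns/hpc-a, /run/netns/hpc-b
allow net users = alice, bob
allow net groups = hpcnet
EOF
}

# Stand-alone demonstration.
scratch=$(mktemp -d)
write_sample_conf "$scratch/apptainer.conf"
ns_report "$scratch/apptainer.conf"
netns_policy "$scratch/apptainer.conf"
rm -rf "$scratch"
```

Run it against the installed file (commonly /etc/apptainer/apptainer.conf) after any change to the allow directives; a "root-only" verdict with a populated allow netns paths usually means the users or groups half of the policy was forgotten.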

Changed defaults / behaviours

  • Label the starter process seen in ps with the image filename, for example: Apptainer runtime parent: example.sif.
  • Remove runtime and compute libraries from rocmliblist.conf. They should instead be provided by the container image.
  • Allow overriding the build architecture with --arch and --arch-variant, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (binfmt_misc).
  • Complete the previously partial support for the riscv64 architecture.
  • Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or /.
  • Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.
  • Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes configuration option.
  • Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
  • Fix storage of credentials for docker.io to behave the same as for index.docker.io.
  • Change message log level from warning to debug when environment variables set inside a container or by APPTAINERENV have a different value than the environment variable on the host.
  • Change the default message level from silent to the normal level in the nested apptainer that executes a build's %post section, and suppress an unnecessary warning message.
  • Ignore invalid environment variables when pulling oci/docker containers.
  • Improve documentation for remote list command.
  • Remove the little-known fakerootcallback functionality.
  • Update the default pacman confURL for Bootstrap: arch container builds.
  • Update the bundled fuse programs to their latest releases.
  • A go version of at least 1.22 is now required to build from source.

Bug fixes

  • Fix the mconfig -s option to build the apptainer and starter binaries statically as documented.
  • Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the apptainer source code.
  • %files from in a definition file will now correctly copy symlinks that point to a target above the destination directory but inside the destination stage root filesystem.
  • Fixed typo in nvliblist.conf (libnvoptix.so.1 -> libnvoptix.so).
  • Avoid timeouts when cleaning up from building gocryptfs-encrypted SIF files.
  • Fix bug that prevented build with --passphrase or --pem-path but without --encrypt from implying fakeroot.
  • Fix hang when copying files between build stages while using suid mode without user namespaces.
  • Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
  • Fix target: no such file or directory error when extracting layers from certain OCI images that manipulate hard links across layers.
  • Fix the crash that happened when executing a privilege-encrypted container as root.

Internal

  • Refactor image arch variation using go-containerregistry's platform.
  • A test mksquashfs is no longer done when building SIF files. That used to be done every build to verify that squashfs tools were new enough to support the -comp gzip option.

The following are the changes since 1.4.0-rc.2, included in the notes above:

  • Fix target: no such file or directory error when extracting layers from certain OCI images that manipulate hard links across layers.
  • Fix the crash that happens when executing a privilege-encrypted container as root.
  • Update the default pacman confURL for Bootstrap: arch container builds.
  • Update the bundled gocryptfs to 2.5.1 and squashfuse to 0.6.0.

Apptainer 1.4.0 Release Candidate 2

04 Mar 21:19
fa085d7


v1.4.0 Release Candidate 2 - [2025-03-04]

Changes since 1.4.0-rc.1

  • If the mksquashfs version is new enough (version 4.6 or later), then show a percentage progress bar (with ETA) during SIF creation. If the mksquashfs version is older, then fall back to the message "To see mksquashfs output with progress bar enable verbose logging".
  • Include a bundled copy of squashfs-tools to make the progress bar available and to ensure that all compression types are available. This includes the programs mksquashfs and unsquashfs.
  • Revise the libsubid implementation including removing the fakerootcallback functionality.
  • Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
  • Allow overriding the build architecture with --arch and --arch-variant, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (binfmt_misc).
  • Complete the previously partial support for the riscv64 architecture.
  • Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or /.
  • Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.