Merge main to 3.11 for bugfixes

CHANGELOG.md

@@ -1,5 +1,11 @@
 # SingularityCE Changelog
 
+## Changes Since Last Release
+
+### Bug Fixes
+
+- Avoid UID / GID readonly var warnings with `--env-file`.
+
 ## 3.11.0 Release Candidate 1 \[2023-01-11\]
 
 *This is the first release candidate for the upcoming Singularity 3.11.0

LICENSE_DEPENDENCIES.md

@@ -17,6 +17,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/Netflix/go-expect/blob/master/LICENSE>
 
+## github.com/container-orchestrated-devices/container-device-interface
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/container-orchestrated-devices/container-device-interface/blob/master/LICENSE>
+
 ## github.com/containerd/containerd
 
 **License:** Apache-2.0
@@ -77,6 +83,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/coreos/go-systemd/blob/master/v22/dbus/LICENSE>
 
+## github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/cyberphone/json-canonicalization/blob/master/go/src/webpki.org/jsoncanonicalizer/LICENSE>
+
 ## github.com/docker/cli/cli/config
 
 **License:** Apache-2.0
@@ -119,6 +131,66 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/docker/libtrust/blob/master/LICENSE>
 
+## github.com/go-openapi/analysis
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/analysis/blob/master/LICENSE>
+
+## github.com/go-openapi/errors
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/errors/blob/master/LICENSE>
+
+## github.com/go-openapi/jsonpointer
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/jsonpointer/blob/master/LICENSE>
+
+## github.com/go-openapi/jsonreference
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/jsonreference/blob/master/LICENSE>
+
+## github.com/go-openapi/loads
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/loads/blob/master/LICENSE>
+
+## github.com/go-openapi/runtime
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/runtime/blob/master/LICENSE>
+
+## github.com/go-openapi/spec
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/spec/blob/master/LICENSE>
+
+## github.com/go-openapi/strfmt
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/strfmt/blob/master/LICENSE>
+
+## github.com/go-openapi/swag
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/swag/blob/master/LICENSE>
+
+## github.com/go-openapi/validate
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/go-openapi/validate/blob/master/LICENSE>
+
 ## github.com/google/go-containerregistry/pkg/name
 
 **License:** Apache-2.0
@@ -179,6 +251,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/modern-go/reflect2/blob/master/LICENSE>
 
+## github.com/oklog/ulid
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/oklog/ulid/blob/master/LICENSE>
+
 ## github.com/opencontainers/go-digest
 
 **License:** Apache-2.0
@@ -203,6 +281,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/opencontainers/runtime-spec/blob/master/specs-go/LICENSE>
 
+## github.com/opencontainers/runtime-tools
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/opencontainers/runtime-tools/blob/master/LICENSE>
+
 ## github.com/opencontainers/selinux
 
 **License:** Apache-2.0
@@ -263,6 +347,18 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/safchain/ethtool/blob/master/LICENSE>
 
+## github.com/sigstore/fulcio/pkg/certificate
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/sigstore/fulcio/blob/master/pkg/certificate/LICENSE>
+
+## github.com/sigstore/rekor/pkg/generated/models
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/sigstore/rekor/blob/master/pkg/generated/models/LICENSE>
+
 ## github.com/sigstore/sigstore/pkg
 
 **License:** Apache-2.0
@@ -299,6 +395,30 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/vishvananda/netns/blob/master/LICENSE>
 
+## github.com/xeipuuv/gojsonpointer
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/xeipuuv/gojsonpointer/blob/master/LICENSE-APACHE-2.0.txt>
+
+## github.com/xeipuuv/gojsonreference
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/xeipuuv/gojsonreference/blob/master/LICENSE-APACHE-2.0.txt>
+
+## github.com/xeipuuv/gojsonschema
+
+**License:** Apache-2.0
+
+**License URL:** <https://github.com/xeipuuv/gojsonschema/blob/master/LICENSE-APACHE-2.0.txt>
+
+## go.mongodb.org/mongo-driver
+
+**License:** Apache-2.0
+
+**Project URL:** <https://go.mongodb.org/mongo-driver>
+
 ## google.golang.org/genproto/googleapis/rpc/status
 
 **License:** Apache-2.0
@@ -389,6 +509,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/cyphar/filepath-securejoin/blob/master/LICENSE>
 
+## github.com/fsnotify/fsnotify
+
+**License:** BSD-3-Clause
+
+**License URL:** <https://github.com/fsnotify/fsnotify/blob/master/LICENSE>
+
 ## github.com/gogo/protobuf/proto
 
 **License:** BSD-3-Clause
@@ -593,6 +719,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/apex/log/blob/master/LICENSE>
 
+## github.com/asaskevich/govalidator
+
+**License:** MIT
+
+**License URL:** <https://github.com/asaskevich/govalidator/blob/master/LICENSE>
+
 ## github.com/beorn7/perks/quantile
 
 **License:** MIT
@@ -671,6 +803,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/go-log/log/blob/master/LICENSE>
 
+## github.com/josharian/intern
+
+**License:** MIT
+
+**License URL:** <https://github.com/josharian/intern/blob/master/license.md>
+
 ## github.com/json-iterator/go
 
 **License:** MIT
@@ -695,6 +833,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/kr/pty/blob/master/LICENSE>
 
+## github.com/mailru/easyjson
+
+**License:** MIT
+
+**License URL:** <https://github.com/mailru/easyjson/blob/master/LICENSE>
+
 ## github.com/mattn/go-colorable
 
 **License:** MIT
@@ -713,6 +857,12 @@ The dependencies and their licenses are as follows:
 
 **License URL:** <https://github.com/mattn/go-runewidth/blob/master/LICENSE>
 
+## github.com/mitchellh/mapstructure
+
+**License:** MIT
+
+**License URL:** <https://github.com/mitchellh/mapstructure/blob/master/LICENSE>
+
 ## github.com/morikuni/aec
 
 **License:** MIT
@@ -773,6 +923,12 @@ The dependencies and their licenses are as follows:
 
 **Project URL:** <https://gopkg.in/yaml.v3>
 
+## sigs.k8s.io/yaml
+
+**License:** MIT
+
+**Project URL:** <https://sigs.k8s.io/yaml>
+
 ## github.com/gosimple/slug
 
 **License:** MPL-2.0

cmd/internal/cli/build_linux.go

@@ -148,7 +148,10 @@ func runBuild(cmd *cobra.Command, args []string) {
 	dest := args[0]
 	spec := args[1]
 
-	if syscall.Getuid() != 0 && !buildArgs.fakeroot && fs.IsFile(spec) && !isImage(spec) {
+	// Non-remote build with def file as source
+	rootNeeded := !buildArgs.remote && fs.IsFile(spec) && !isImage(spec)
+
+	if rootNeeded && syscall.Getuid() != 0 && !buildArgs.fakeroot {
 		prootPath, err := bin.FindBin("proot")
 		if err != nil {
 			sylog.Fatalf("--remote, --fakeroot, or the proot command are required to build this source as a non-root user")

e2e/env/env.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2022, Sylabs Inc. All rights reserved.
+// Copyright (c) 2019-2023, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -640,6 +640,7 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 		"issue 5057":               c.issue5057, // https://github.com/sylabs/hpcng/issues/5057
 		"issue 5426":               c.issue5426, // https://github.com/sylabs/hpcng/issues/5426
 		"issue 43":                 c.issue43,   // https://github.com/sylabs/singularity/issues/43
+		"issue 1263":               c.issue1263, // https://github.com/sylabs/singularity/issues/1263
 		//
 		// --oci mode
 		//

e2e/env/regressions.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
+// Copyright (c) 2020-2023, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -122,3 +122,29 @@ func (c ctx) issue43(t *testing.T) {
 		),
 	)
 }
+
+// https://github.com/sylabs/singularity/issues/1263
+// With --env-file we should avoid any override of UID / GID that are set readonly by bash.
+func (c ctx) issue1263(t *testing.T) {
+	e2e.EnsureImage(t, c.env)
+
+	// An empty env file is sufficient, as UID/GID come from the mvdan.cc/sh evaluation of it.
+	envFile, err := e2e.WriteTempFile(c.env.TestDir, "env-file", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(func() {
+		os.Remove(envFile)
+	})
+
+	c.env.RunSingularity(
+		t,
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("exec"),
+		e2e.WithArgs("--env-file", envFile, c.env.ImagePath, "/bin/true"),
+		e2e.ExpectExit(
+			0,
+			e2e.ExpectError(e2e.UnwantedContainMatch, "readonly variable"),
+		),
+	)
+}

e2e/imgbuild/imgbuild.go

@@ -1624,5 +1624,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 		"issue 5435":                      c.issue5435,                 // https://github.com/hpcng/singularity/issues/5435
 		"issue 5668":                      c.issue5668,                 // https://github.com/hpcng/singularity/issues/5435
 		"issue 5690":                      c.issue5690,                 // https://github.com/hpcng/singularity/issues/5690
+		"issue 1273":                      c.issue1273,                 // https://github.com/sylabs/singularity/issues/1273
 	}
 }

e2e/imgbuild/regressions.go

@@ -445,3 +445,22 @@ From: {{ .From }}
 		e2e.ExpectExit(0),
 	)
 }
+
+// Ensure a `--remote` build request fails (not-authorized) and proot flow is not invoked.
+func (c *imgBuildTests) issue1273(t *testing.T) {
+	image := filepath.Join(c.env.TestDir, "issue_1273.sif")
+
+	c.env.RunSingularity(
+		t,
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("build"),
+		e2e.WithArgs("--remote", image, "testdata/proot_alpine.def"),
+		e2e.PostRun(func(t *testing.T) {
+			os.Remove(image)
+		}),
+		e2e.ExpectExit(
+			255,
+			e2e.ExpectError(e2e.UnwantedContainMatch, "proot"),
+		),
+	)
+}