Greetings Singularity containerizers!
The 2.6.1 release contains fixes for a high severity security issue affecting Singularity 2.4.0 through 2.6.0 on modern distributions managed with systemd where mount points are mounted with shared mount propagation by default (CVE-2018-19295). A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability to mount arbitrary directories into the host mount namespace resulting in privilege escalation on the host.
Singularity 2.6.1 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects systems on which the / mount point or any exploitable mount point (eg: /run, /var ...) are set shared. If you are unable to upgrade immediately, you should set:
mount --make-rprivate /
so that / and all mount points belonging to / are no longer mounted shared. This change must be repeated on every reboot.
Security related fix
- disables instance features for mount commands, disables instance join for start command, and disables daemon start for action commands
Great thanks to Matthias Gerstner of the SUSE security team for confidentially reporting this vulnerability to Sylabs!
As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new
If you think that you’ve discovered a security vulnerability, please email the Sylabs team at:
security@sylabs.io
Greetings Singularity community!
We're happy to announce the release of singularity v3.0.1. This release fixes some major problems with building and installing v3.0.0 as an RPM. We've also greatly enhanced the general stability of the runtime.
In order to build v3.0.1 as an RPM:
- Download the
singularity-3.0.1.tar.gzasset - Run
rpmbuild -tb singularity-3.0.1.tar.gz - Install the RPM
As always, we appreciate your continued feedback and contributions.
Greetings Singularity Folks!
Note: to install from a tarball, please use the attached singularity-v3.0.0.tar.gz asset. The Source code (zip) and Source code (tar.gz) are automatically generated by GitHub will provide a development environment, not the release source.
To install from the included singularity-v3.0.0.tar.gz asset, extract the tarball to ${GOPATH}/src/github.com/sylabs/singularity using the following command and then continue with the procedure outlined in the installation instructions:
tar xf singularity-v3.0.0.tar.gz -C ${GOPATH}/src/github.com/sylabs/
It is our greatest pleasure to finally announce the release of Singularity v3.0.0. For the last 10 months, we've been hard at work on making sure this new iteration of Singularity is as successful as possible.
On the SylabsIO website you can read about our decision to migrate from C to Golang, the new Singularity Image Format (SIF), our new GitHub branch structure, the Sylabs Container Library, and more on all parts the development cycle of v3.0.0.
A full list of changes and improvements from v2.6.0 -> v3.0.0 can be found in the changelog.
If you have any feedback, please reach out to us. As always, we greatly appreciate your feedback and contributions.
Assets
2
Greetings Singularity Folks!
It is our great pleasure to announce the v3.0.0-beta.1 Singularity after many months of work. This release again contains major bug-fixes, improvements, and enhancements when compared to v3.0.0-alpha.2. Further, we feel that this release achieves feature parity (with some minor differences here and there) with the 2.x versions of Singularity. We anticipate that all major features have already been committed at this point, and thus all development for the rest of the pre-release of v3.0.0 will be geared towards catching and fixing bugs.
It would be greatly appreciated if everybody in the community could spend as much time as possible trying to break this release. If you do happen to notice anything that doesn't seem right, something that works in 2.x but isn't working now, or any other minor bugs/problems, please let us know on our slack channel or on the Issues Tab of the Singularity repository.
A full changelog and release notes for everything being introduced and changed in v3.0.0 will be available when we officially tag the v3.0.0 release. For the time being, you can refer to this blog post by @ArangoGutierrez about what we expect the release to look like.
Known Issues:
- Zypper bootstrap does not work correctly in some scenarios
%filessection is not supported when building remotely via the Sylabs Remote Build Service- The command
singularity help ...always returns 0, even when attempting to get help on a non-existent subcommand. This behavior is different from2.x - Similarly, the command
singularity instance listnow returns 0 even when no instances are running on the system. - The command
singularity inspectdoes not yet provide inspection for individual apps, only the base image
Over the coming weeks, we will be tirelessly squashing bugs to ensure the most stable release of v3.0.0 possible. Stay tuned, and as always, we welcome your feedback and contributions!
Assets
2
Greetings Singularity Folks!
We are pleased to announce the second alpha version of Singularity 3.0. This release is a large improvement over 3.0.0-alpha.1, with major fixes to bugs and feature parity issues. We've also just moved the repository from singularityware/singularity to sylabs/singularity. Nothing should change with this update, but if any complications arise as a result of the move please reach out to us on our slack channel.
It is our intention to quickly iterate, with further alpha and beta releases over the coming weeks. Stay tuned, and as always, we welcome your feedback and contributions!
Assets
2
Greetings Singularity Folks!
We are pleased to announce the first alpha version of Singularity 3.0. This release is not for the faint of heart, with bugs must be squashed, features that are not yet complete, and new development environment requirements. On that last point, be sure to check out the installation instructions.
It is our intention to quickly iterate, with further alpha (and eventually beta) releases over the coming weeks. Stay tuned, and as always, we welcome your feedback and contributions!
Greetings Singularity-ers!
It is my great pleasure to announce the release of version 2.6.0! This release has a few bug fixes and lot of cool new features that are detailed below.
Please note that 2.6.0 is expected to be the final feature release in the 2.x series. While bug fixes may be added via point releases (for example 2.6.1) no new features releases (for example 2.7.0) are planned.
Pull requests adding features to the 2.x series will no longer be reviewed. Any new features should be targeted to the master branch (which used to be called development-3.0).
For more information about the reorganization of Singularity branches in the GitHub repo, please see this Sylabs lab notes.
Thanks and have fun!
Implemented enhancements
- Allow admin to specify a non-standard location for mksquashfs binary at
build time with--with-mksquashfsoption #1662 --nvoption will use nvidia-container-cli if installed #1681- nvliblist.conf now has a section for binaries #1681
--nvcan be made default with all action commands in singularity.conf #1681--nvcan be controlled by env vars$SINGULARITY_NVand
$SINGULARITY_NV_OFF#1681- Refactored travis build and packaging tests #1601
- Added build and packaging tests for Debian 8/9 and openSUSE 42.3/15.0 #1713
- Restore shim init process for proper signal handling and child reaping when
container is initiated in its own PID namespace #1221 - Add
-ioption to image.create to specify the inode ratio. #1759 - Bind
/dev/nvidia*into the container when the--nvflag is used in
conjuction with the--containflag #1358 - Add
--no-homeoption to not mount user $HOME if it is not the $CWD and
mount home = yesis set. #1761 - Added support for OAUTH2 Docker registries like Azure Container Registry #1622
Bug fixes
- Fix 404 when using Arch Linux bootstrap #1731
- Fix environment variables clearing while starting instances #1766
As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new
Greetings Singularity containerizers!
This release contains fixes for a high severity security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container.
Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set enable overlay = no in singularity.conf.
In addition, this release contains a large number of bug fixes. Details follow:
Security related fixes
- Removed the option to use overlay images with
singularity mount. This
flaw could allow a malicious user accessing the host system to access
sensitive information when coupled with persistent ext3 overlay. - Fixed a race condition that might allow a malicious user to bypass directory
image restrictions, like mounting the host root filesystem as a container
image
Bug fixes
- Fix an error in malloc allocation #1620
- Honor debug flag when pulling from docker hub #1556
- Fix a bug with passwd abort #1580
- Allow user to override singularity.conf "mount home = no" with --home option
#1496 - Improve debugging output #1535
- Fix some bugs in bind mounting #1525
- Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will
work with kernels that implement them (like Cray systems) #1506 - Create /dev/fd and standard streams symlinks in /dev when using minimal dev
mount or when specifying -c/-C/--contain option #1420 - Fixed * expansion during app runscript creation #1486
As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new