Releases: sylabs/singularity
SingularityCE 4.3.1
This is a patch release in the 4.3 series.
Bug Fixes
- Update bundled squashfuse to 0.6.0, which includes
.
,..
entries ingetdents()
results, fixing errors with some applications.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.3.1.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.24.2
SingularityCE 4.3.0
SingularityCE 4.3.0
This is the first release in the 4.3 series. Please review the changes, fixes, and new features listed below.
The admin and user guides include a "What's New in 4.3" section, providing links to additional documentation:
- https://docs.sylabs.io/guides/4.3/admin-guide/new.html
- https://docs.sylabs.io/guides/4.3/user-guide/new.html
Behaviour Changes
- Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
- In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and
/sys/fs/cgroup
is mounted. The cgroups mount is read-only by default, or read-write if the--keep-privs
flag is used. - In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.
Bug Fixes
- Use correct username (not user's name) when computing
singularity oci
conmon / singularity state dir. - Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
- Fix incorrect debug message in Cgroups checks.
- Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
- Fix the Makefile generated by
mconfig -b
to work when the selected build directory is not a subdirectory of the source code. - Check for existence of
/run/systemd/system
when verifying cgroups can be used via systemd manager.
New Features & Functionality
- Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to
nssswitch.conf
if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from/etc/subid
and/etc/subgid
regardless of system configuration. Note thatsingularity config fakeroot
always modifies/etc/subid
and/etc/subgid
files. singularity sign
now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the--cosign
flag, and provide a private key with the--key
flag.singularity verify
now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the--cosign
flag, and provide a public key with the--key
flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.singularity push
now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the--with-cosign
flag.singularity pull
now supports pulling cosign signatures from a registry to an OCI-SIF, via the--with-cosign
flag when--oci
is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.- The new
singularity key generate-cosign-key-pair
subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures. - Added
dnf
definition file bootstrap as an alias foryum
.
Requirements / Packaging
- Go 1.23.4 or above is now required to build SingularityCE.
- libsubid headers are now required to build SingularityCE, unless the
--without-libsubid
flag is passed tomconfig
. - EL RPM packages are built with libsubid support.
- Ubuntu deb packages are built without libsubid support.
- The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
- Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
- Conmon sources are no longer bundled and built with SingularityCE. Install the
conmon
package from your distribution, or upstream binary, if you need to use thesingularity oci
commands. Note thatconmon
is not required for--oci
mode. - Now compiles successfully with
-std=c23
.
Removed Features
- Plugin
fakerootcallback
functionality for customizing fakeroot subid mappings has been removed.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.3.0.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.24.0
v4.3.0-rc.1
SingularityCE 4.3.0-rc.1 Release Candidate
This is the first release candidate for the upcoming 4.3 series. All testing and feedback is welcome!
Behaviour Changes
- Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
- In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and
/sys/fs/cgroup
is mounted. The cgroups mount is read-only by default, or read-write if the--keep-privs
flag is used. - In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.
Bug Fixes
- Use correct username (not user's name) when computing
singularity oci
conmon / singularity state dir. - Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
- Fix incorrect debug message in Cgroups checks.
- Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
- Fix the Makefile generated by
mconfig -b
to work when the selected build directory is not a subdirectory of the source code. - Check for existence of
/run/systemd/system
when verifying cgroups can be used via systemd manager.
New Features & Functionality
- Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to
nssswitch.conf
if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from/etc/subid
and/etc/subgid
regardless of system configuration. Note thatsingularity config fakeroot
always modifies/etc/subid
and/etc/subgid
files. singularity sign
now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the--cosign
flag, and provide a private key with the--key
flag.singularity verify
now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the--cosign
flag, and provide a public key with the--key
flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.singularity push
now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the--with-cosign
flag.singularity pull
now supports pulling cosign signatures from a registry to an OCI-SIF, via the--with-cosign
flag when--oci
is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.- The new
singularity key generate-cosign-key-pair
subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures. - Added
dnf
definition file bootstrap as an alias foryum
.
Requirements / Packaging
- Go 1.23.4 or above is now required to build SingularityCE.
- libsubid headers are now required to build SingularityCE, unless the
--without-libsubid
flag is passed tomconfig
. - EL RPM packages are built with libsubid support.
- Ubuntu deb packages are built without libsubid support.
- The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
- Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
- Conmon sources are no longer bundled and built with SingularityCE. Install the
conmon
package from your distribution, or upstream binary, if you need to use thesingularity oci
commands. Note thatconmon
is not required for--oci
mode. - Now compiles successfully with
-std=c23
.
Removed Features
- Plugin
fakerootcallback
functionality for customizing fakeroot subid mappings has been removed.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.3.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.3.1-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.24.0
SingularityCE 4.2.2
SingularityCE 4.2.2 is a bugfix release in the 4.2 series.
Bug Fixes
- Fix regression from 4.1.5 that overwrites source image runscript, environment etc. in build from local image.
- Fall back to
$TMPDIR
as singularity-buildkitd root directory if~/.singularity
is on a filesystem that does not fully support overlay. - Add more intuitive error message for rootless
build --oci
when requiredXDG_RUNTIME_DIR
env var is not set. - Avoid error in CNI network setup with newer versions of iptables that include a setuid caller check.
New Features & Functionality
- In OCI-Mode, accommodate systems configured so that they do not create a
/run/user
session directory. OCI-Mode will now attempt to use$TMPDIR/singularity-oci-<uid>
for runtime state on systems where$XDG_RUNTIME_DIR
is not set and the default user session path of/run/user/<uid>
does not exist. Note that the$TMPDIR/singularity-oci-<uid>
directory is shared between concurrent--oci
mode invocations, and will not be removed on exit - an empty directory will remain.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.2.tar.gz download below to obtain and install SingularityCE 4.2.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.23.4
SingularityCE 4.2.1
SingularityCE 4.2.1 is a bugfix release in the 4.2 series.
Bug Fixes
- Fix regression that led to an empty shell field in the
/etc/passwd
file.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.1.tar.gz download below to obtain and install SingularityCE 4.2.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.7
SingularityCE 4.2.0
SingularityCE 4.2.0 is the first release in the 4.2 series, including various new features.
New Features & Functionality
- It is now possible to use multiple environment variable files using the
--env-file
flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take
precedence. singularity.conf
now accepts setting new options regarding namespaces:allow ipc ns
: disable the use of the--ipc
flag.allow user ns
: disable creation of user namespaces. This will prevent execution of containers with the--userns
or--fakeroot
flags, and unprivileged installations of SingularityCE.allow uts ns
: invalidate the use of the--uts
and--hostname
flags.
- A new
singularity data package
command allows files and directories to be packaged into an OCI-SIF data container. - A new
--layer-format
flag forsingularity push
allows layers in an OCI-SIF image to be pushed tolibrary://
anddocker://
registries insquashfs
(default) ortar
format. Images pushed with--layer-format tar
can be pulled and run by other OCI runtimes. - A writable overlay can be added to an OCI-SIF file with the
singularity overlay create
command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the--writable
flag. - A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the
singularity overlay sync
command to synchronize the OCI digests with the overlay content. - A new
singularity overlay seal
command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent. - Added a new
instance run
command that will execute the runscript when an instance is initiated instead of executing the startscript. - The new
--netns-path
flag takes a path to a network namespace to join when starting a container. Theroot
user may join any network namespace. An unprivileged user can only join a network namespace specified in the newallowed netns paths
directive insingularity.conf
, if they are also listed inallowed net users
/allowed net groups
. Not currently supported with--fakeroot
, or in--oci
mode.
Requirements
- Requires a minimum of Go 1.21.5 to build due to dependency updates.
- OCI-SIF embedded writable overlay functionality requires
fuse2fs
>= 1.46.6.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.0.tar.gz download below to obtain and install SingularityCE 4.2.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.6
SingularityCE 4.1.5
SingularityCE 4.1.5 is a patch release in the 4.1 series, including various bug fixes.
Bug Fixes
- Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (
docker://
) etc. - Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
- Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
- Fix issue where
--platform
/--arch
did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.5.tar.gz download below to obtain and install SingularityCE 4.1.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.6
v4.2.0-rc.1
This is the first release candidate for the upcoming 4.2 series of SingularityCE. We welcome all feedback and testing. Please continue to use the latest 4.1 release for production systems.
New Features & Functionality
- It is now possible to use multiple environment variable files using the
--env-file
flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence. singularity.conf
now accepts setting new options regarding namespaces:allow ipc ns
: disable the use of the--ipc
flag.allow user ns
: disable creation of user namespaces. This will prevent execution of containers with the--userns
or--fakeroot
flags, and unprivileged installations of SingularityCE.allow uts ns
: invalidate the use of the--uts
and--hostname
flags.
- A new
singularity data package
command allows files and directories to be packaged into an OCI-SIF data container. - A new
--layer-format
flag forsingularity push
allows layers in an OCI-SIF image to be pushed tolibrary://
anddocker://
registries insquashfs
(default) ortar
format. Images pushed with--layer-format tar
can be pulled and run by other OCI runtimes. - A writable overlay can be added to an OCI-SIF file with the
singularity overlay create
command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the--writable
flag. - A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the
singularity overlay sync
command to synchronize the OCI digests with the overlay content. - A new
singularity overlay seal
command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent. - Added a new
instance run
command that will execute the runscript when an instance is initiated instead of executing the startscript. - The new
--netns-path
flag takes a path to a network namespace to join when starting a container. Theroot
user may join any network namespace. An unprivileged user can only join a network namespace specified in the newallowed netns paths
directive insingularity.conf
, if they are also listed inallowed net users
/allowed net groups
. Not currently supported with--fakeroot
, or in--oci
mode.
Bug Fixes
- Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (
docker://
) etc. - Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
- Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
- Fix issue where
--platform
/--arch
did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.
Requirements
- Requires a minimum of Go 1.21.5 to build due to dependency updates.
- OCI-SIF embedded writable overlay functionality requires
fuse2fs
>= 1.46.6.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.2.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.2.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.6
SingularityCE 4.1.4
SingularityCE 4.1.4 is a patch release in the 4.1 series, including various bug fixes.
Bug Fixes
- Use ABI 3 for Apparmor profile on Ubuntu <23.10.
- Avoid unnecessary copying / extraction of OCI images and Docker tarballs into a layout directory when they are directly accessible as a local file / directory.
- Avoid unnecessary intermediate temporary image layout when building from Dockerfile to OCI-SIF.
%files from
in a definition file will now correctly copy symlinks that point to a target above the destination directory, but inside the destination stage rootfs.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.4.tar.gz download below to obtain and install SingularityCE 4.1.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.22.4
SingularityCE 4.1.3
SingularityCE 4.1.3 is a patch release in the 4.1 series, including various bug fixes.
Packages provided with this release now include a .deb for Ubuntu 24.04 (noble).
Requirements
- Requires a minimum of Go 1.21 to build. Go 1.20 is end-of-life.
Note - compilation with Go 1.22 currently causes an issue when using the PID namespace on distributions using older versions of glibc. We recommend using Go 1.21 at this time.
Bug Fixes
- Set default
PATH
in container run in OCI-Mode when image does not setPATH
. - Fix storage of credentials for
docker.io
to behave the same as forindex.docker.io
. - Improve documentation for
remote list
command. - Don't fail with lack of descriptor capacity when writing OCI images with many layers to OCI-SIF.
- Ensure a fixed number of spare descriptors is present in the OCI-SIF when pulling an OCI image.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback and, testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.1.3.tar.gz download below to obtain and install SingularityCE 4.1.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
- Ubuntu 20.04 (focal)
- Ubuntu 22.04 (jammy)
- Ubuntu 24.04 (noble)
- RHEL/CentOS 7 (el7)
- RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
- RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
These packages were built with Go 1.21.10