SingularityCE 4.3.1

This is a patch release in the 4.3 series.

Bug Fixes

• Update bundled squashfuse to 0.6.0, which includes ., .. entries in getdents() results, fixing errors with some applications.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.1.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.2

SingularityCE 4.3.0

SingularityCE 4.3.0

This is the first release in the 4.3 series. Please review the changes, fixes, and new features listed below.

The admin and user guides include a "What's New in 4.3" section, providing links to additional documentation:

• https://docs.sylabs.io/guides/4.3/admin-guide/new.html
• https://docs.sylabs.io/guides/4.3/user-guide/new.html

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.0.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.0

v4.3.0-rc.1

SingularityCE 4.3.0-rc.1 Release Candidate

This is the first release candidate for the upcoming 4.3 series. All testing and feedback is welcome!

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.3.1-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.0

SingularityCE 4.2.2

SingularityCE 4.2.2 is a bugfix release in the 4.2 series.

Bug Fixes

• Fix regression from 4.1.5 that overwrites source image runscript, environment etc. in build from local image.
• Fall back to $TMPDIR as singularity-buildkitd root directory if ~/.singularity is on a filesystem that does not fully support overlay.
• Add more intuitive error message for rootless build --oci when required XDG_RUNTIME_DIR env var is not set.
• Avoid error in CNI network setup with newer versions of iptables that include a setuid caller check.

New Features & Functionality

• In OCI-Mode, accommodate systems configured so that they do not create a /run/user session directory. OCI-Mode will now attempt to use $TMPDIR/singularity-oci-<uid> for runtime state on systems where $XDG_RUNTIME_DIR is not set and the default user session path of /run/user/<uid> does not exist. Note that the $TMPDIR/singularity-oci-<uid> directory is shared between concurrent --oci mode invocations, and will not be removed on exit - an empty directory will remain.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.2.tar.gz download below to obtain and install SingularityCE 4.2.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.23.4

SingularityCE 4.2.1

SingularityCE 4.2.1 is a bugfix release in the 4.2 series.

Bug Fixes

• Fix regression that led to an empty shell field in the /etc/passwd file.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.1.tar.gz download below to obtain and install SingularityCE 4.2.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.7

SingularityCE 4.2.0

SingularityCE 4.2.0 is the first release in the 4.2 series, including various new features.

New Features & Functionality

• It is now possible to use multiple environment variable files using the --env-file flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take
  precedence.
• singularity.conf now accepts setting new options regarding namespaces:
  • allow ipc ns : disable the use of the --ipc flag.
  • allow user ns : disable creation of user namespaces. This will prevent execution of containers with the --userns or --fakeroot flags, and unprivileged installations of SingularityCE.
  • allow uts ns : invalidate the use of the --uts and --hostname flags.
• A new singularity data package command allows files and directories to be packaged into an OCI-SIF data container.
• A new --layer-format flag for singularity push allows layers in an OCI-SIF image to be pushed to library:// and docker:// registries in squashfs (default) or tar format. Images pushed with --layer-format tar can be pulled and run by other OCI runtimes.
• A writable overlay can be added to an OCI-SIF file with the singularity overlay create command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the --writable flag.
• A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the singularity overlay sync command to synchronize the OCI digests with the overlay content.
• A new singularity overlay seal command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent.
• Added a new instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.
• The new --netns-path flag takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allowed netns paths directive in singularity.conf, if they are also listed in allowed net users / allowed net groups. Not currently supported with --fakeroot, or in --oci mode.

Requirements

• Requires a minimum of Go 1.21.5 to build due to dependency updates.
• OCI-SIF embedded writable overlay functionality requires fuse2fs >= 1.46.6.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.0.tar.gz download below to obtain and install SingularityCE 4.2.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6

SingularityCE 4.1.5

SingularityCE 4.1.5 is a patch release in the 4.1 series, including various bug fixes.

Bug Fixes

• Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (docker://) etc.
• Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
• Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
• Fix issue where --platform / --arch did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.5.tar.gz download below to obtain and install SingularityCE 4.1.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6

v4.2.0-rc.1

This is the first release candidate for the upcoming 4.2 series of SingularityCE. We welcome all feedback and testing. Please continue to use the latest 4.1 release for production systems.

New Features & Functionality

• It is now possible to use multiple environment variable files using the --env-file flag, files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence.
• singularity.conf now accepts setting new options regarding namespaces:
  • allow ipc ns : disable the use of the --ipc flag.
  • allow user ns : disable creation of user namespaces. This will prevent execution of containers with the --userns or --fakeroot flags, and unprivileged installations of SingularityCE.
  • allow uts ns : invalidate the use of the --uts and --hostname flags.
• A new singularity data package command allows files and directories to be packaged into an OCI-SIF data container.
• A new --layer-format flag for singularity push allows layers in an OCI-SIF image to be pushed to library:// and docker:// registries in squashfs (default) or tar format. Images pushed with --layer-format tar can be pulled and run by other OCI runtimes.
• A writable overlay can be added to an OCI-SIF file with the singularity overlay create command. The overlay will be applied read-only, by default, when executing the OCI-SIF. To write changes to the container into the overlay, use the --writable flag.
• A writable overlay is added to an OCI-SIF file as an ext3 format layer, appended to the encapsulated OCI image. After the overlay has been modified, use the singularity overlay sync command to synchronize the OCI digests with the overlay content.
• A new singularity overlay seal command converts a writable overlay inside an OCI-SIF image into a read-only squashfs layer. This seals changes made to the image via the overlay, so that they are permanent.
• Added a new instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.
• The new --netns-path flag takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allowed netns paths directive in singularity.conf, if they are also listed in allowed net users / allowed net groups. Not currently supported with --fakeroot, or in --oci mode.

Bug Fixes

• Fix fall-back to temporary sandbox rootfs bundle in OCI-Mode for OCI URIs (docker://) etc.
• Fix confusing error messages / incorrect fall-back attempt when explicit execution of an OCI-SIF fails.
• Fix failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
• Fix issue where --platform / --arch did not apply when pulling an OCI image to native SIF via image manifest, rather than image index.

Requirements

• Requires a minimum of Go 1.21.5 to build due to dependency updates.
• OCI-SIF embedded writable overlay functionality requires fuse2fs >= 1.46.6.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.2.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.2.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.6

SingularityCE 4.1.4

SingularityCE 4.1.4 is a patch release in the 4.1 series, including various bug fixes.

Bug Fixes

• Use ABI 3 for Apparmor profile on Ubuntu <23.10.
• Avoid unnecessary copying / extraction of OCI images and Docker tarballs into a layout directory when they are directly accessible as a local file / directory.
• Avoid unnecessary intermediate temporary image layout when building from Dockerfile to OCI-SIF.
• %files from in a definition file will now correctly copy symlinks that point to a target above the destination directory, but inside the destination stage rootfs.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.4.tar.gz download below to obtain and install SingularityCE 4.1.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.22.4

SingularityCE 4.1.3

SingularityCE 4.1.3 is a patch release in the 4.1 series, including various bug fixes.

Packages provided with this release now include a .deb for Ubuntu 24.04 (noble).

Requirements

• Requires a minimum of Go 1.21 to build. Go 1.20 is end-of-life.

Note - compilation with Go 1.22 currently causes an issue when using the PID namespace on distributions using older versions of glibc. We recommend using Go 1.21 at this time.

Bug Fixes

• Set default PATH in container run in OCI-Mode when image does not set PATH.
• Fix storage of credentials for docker.io to behave the same as for index.docker.io.
• Improve documentation for remote list command.
• Don't fail with lack of descriptor capacity when writing OCI images with many layers to OCI-SIF.
• Ensure a fixed number of spare descriptors is present in the OCI-SIF when pulling an OCI image.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.1.3.tar.gz download below to obtain and install SingularityCE 4.1.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS 7 (el7)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.21.10