Revisions of apptainer

buildservice-autocommit accepted request 1159335 from Christian Goll (mslacken) (revision 73)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 72)
- Updated apptainer to version 1.3.0
  * FUSE mounts are now supported in setuid mode, enabling full
    functionality even when kernel filesystem mounts are insecure due to
    unprivileged users having write access to raw filesystems in
    containers. When `allow setuid-mount extfs = no` (the default) in
    apptainer.conf, then the fuse2fs image driver will be used to mount
    ext3 images in setuid mode instead of the kernel driver (ext3 images
    are primarily used for the --overlay feature), restoring
    functionality that was removed by default in Apptainer 1.1.8 because
    of the security risk. 
    The `allow setuid-mount squashfs` configuration option in
    `apptainer.conf` now has a new default called `iflimited` which allows
    kernel squashfs mounts only if there is at least one `limit container`
    option set or if Execution Control Lists are activated in ecl.toml.
    If kernel squashfs mounts are not allowed, then the squashfuse
    image driver will be used instead.
    `iflimited` is the default because if one of those limits is used
    the system administrator ensures that unprivileged users do not have
    write access to the containers, but on the other hand using FUSE
    would enable a user to theoretically bypass the limits via ptrace()
    because the FUSE process runs as that user.  
    The `fuse-overlayfs` image driver will also now be tried in setuid
    mode if the kernel overlayfs driver does not work (for example if
    one of the layers is a FUSE filesystem).  In addition, if `allow
    setuid-mount encrypted = no` then the unprivileged gocryptfs format
    will be used for encrypting SIF files instead of the kernel
    device-mapper. If a SIF file was encrypted using the gocryptfs
    format, it can now be mounted in setuid mode in addition to
    non-setuid mode.
  * Change the default in user namespace mode to use either kernel
buildservice-autocommit accepted request 1113390 from Christian Goll (mslacken) (revision 71)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 70)
- updated to 1.2.3 with the following changes:
  * The apptainer push/pull commands now show a progress bar for the oras
    protocol like there was for docker and library protocols.
  * The --nv and --rocm flags can now be used simultaneously.
  * Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
    commands that refer to instance://.
  * Fix the issue that apptainer would not read credentials from the Docker
    fallback path ~/.docker/config.json if missing in the apptainer
    credentials.
buildservice-autocommit accepted request 1101200 from Christian Goll (mslacken) (revision 69)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 68)
- updated to 1.2.2 with the following changes:
  * Fix $APPTAINER_MESSAGELEVEL to correctly set the logging level.
  * Fix build failures when in setuid mode and unprivileged user namespaces are
    unavailable and the --fakeroot option is not selected.
buildservice-autocommit accepted request 1100790 from Christian Goll (mslacken) (revision 67)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 66)
updated vendor
buildservice-autocommit accepted request 1100767 from Christian Goll (mslacken) (revision 65)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 64)
- updated to 1.2.1 to fix CVE-2023-38496, although it is not relevant as the
  package is compiled with setuid
buildservice-autocommit accepted request 1100358 from Christian Goll (mslacken) (revision 63)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 62)
removed old source
buildservice-autocommit accepted request 1099922 from Christian Goll (mslacken) (revision 61)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 59)
updated to final 1.2.0
Christian Goll (mslacken) committed (revision 58)
- update to 1.2.0 with the following changes:
  * binary is built reproducibly, which disables plugins
  * Create the current working directory in a container when it doesn't exist.
    This restores behavior as it was before singularity 3.6.0. As a result,
    using --no-mount home won't have any effect when running apptainer from a
    home directory and will require --no-mount home,cwd to avoid mounting that
    directory.
  * Handle current working directory paths containing symlinks both on the host
    and in a container but pointing to different destinations. If detected, the
    current working directory is not mounted when the destination directory in
    the container exists.
  * Destination mount points are now sorted by shortest path first to ensure
    that a user bind doesn't override a previous bind path when set in
    arbitrary order on the CLI. This is also applied to image binds.
  * When the kernel supports unprivileged overlay mounts in a user namespace,
    the container will be constructed by default using an overlay instead of an
    underlay layout for bind mounts. A new --underlay action option can be used
    to prefer underlay instead of overlay.
  * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
    installations. This is an increase from 16 MiB in prior versions.
  * The apptainer cache is now architecture aware, so the same home directory
    cache can be shared by machines with different architectures.
  * Overlay is blocked on the panfs filesystem, allowing sandbox directories to
    be run from panfs without error.
  * Lookup and store user/group information in stage one prior to entering any
    namespaces, to fix an issue with winbind not correctly looking up
    user/group information when using user namespaces.
- New features / functionalities
  * Support for unprivileged encryption of SIF files using gocryptfs.  This is
    not compatible with privileged encryption, so containers encrypted by root
Christian Goll (mslacken) committed (revision 57)
- update to 1.1.9 with the following changes:
  * Remove warning about unknown xino=on option from fuse-overlayfs, introduced
    in 1.1.8.
  * Ignore extraneous warning from fuse-overlayfs about a readonly /proc.
  * Fix dropped "n" characters on some platforms in definition file stored as
    part of SIF metadata.
  * Remove duplicated group ids.
  * Fix not being able to handle multiple entries in LD_PRELOAD when binding
    fakeroot into container during apptainer startup for --fakeroot with
    fakeroot command.
buildservice-autocommit accepted request 1083262 from Christian Goll (mslacken) (revision 56)
auto commit by copy to link target
Christian Goll (mslacken) committed (revision 55)
- Included a fix for CVE-2023-30549 which is a vulnerability in setuid-root
  installations of Apptainer, which was not active in the recent openSUSE
  packages. Still, this is included for completeness. The fix adds allow
  setuid-mount configuration options encrypted, squashfs, and extfs, and makes
  the default for extfs be "no". That disables the use of extfs mounts
  including for overlays or binds while in the setuid-root mode, while leaving
  it enabled for unprivileged user namespace mode. The default for encrypted
  and squashfs is "yes".
- Other bug fixes:
  * Fix loop device 'no such device or address' spurious errors when using shared
    loop devices.
  * Add xino=on mount option for writable kernel overlay mount points to fix
    inode numbers consistency after kernel cache flush (not applicable to
    fuse-overlayfs).
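
The two changelog entries on this page that touch `allow setuid-mount` (the 1.1.8 options added for CVE-2023-30549 above, and the 1.3.0 entry with the `iflimited` squashfs default and the FUSE fallbacks near the top) describe the driver-selection rules only in prose. The audit script below is an added example, not Apptainer's or the openSUSE package's own code: it parses an apptainer.conf fragment and reports, per image type, which driver a setuid-root installation would end up using under those rules, plus the trade-off the changelog names for that choice. The directive names `limit container owners/groups/paths`, the `ecl_active` flag standing in for whether ecl.toml activates Execution Control Lists, and the sample configuration are assumptions made for the example; the defaults encoded are the ones the 1.3.0 entry states.

```python
"""Audit the 'allow setuid-mount' settings of an apptainer.conf.

Added example, not Apptainer's own code: it re-implements the driver-selection
rules as the 1.1.8 and 1.3.0 changelog entries describe them, so an admin can
see which mount path a setuid-root installation will take for each image type.
"""

# Defaults as stated in the changelog: extfs "no" since 1.1.8 (CVE-2023-30549),
# squashfs "iflimited" since 1.3.0, encrypted "yes".
DEFAULTS = {
    "allow setuid-mount extfs": "no",
    "allow setuid-mount squashfs": "iflimited",
    "allow setuid-mount encrypted": "yes",
}

# Assumed spelling of the "limit container" directives (the changelog only
# says "limit container option"); any non-empty value counts as "set".
LIMIT_KEYS = (
    "limit container owners",
    "limit container groups",
    "limit container paths",
)

# Constructed sample configuration for this example, not a file shipped by any package.
SAMPLE_CONF = """\
# apptainer.conf fragment, constructed for this example
allow setuid-mount extfs = no
allow setuid-mount squashfs = iflimited
allow setuid-mount encrypted = yes
limit container owners =
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, keys/values are normalised."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[" ".join(key.split()).lower()] = value.strip().lower()
    return conf


def setting(conf, name):
    """Value of 'allow setuid-mount <name>', falling back to the 1.3.0 default."""
    key = "allow setuid-mount " + name
    return conf.get(key, DEFAULTS[key])


def is_limited(conf, ecl_active=False):
    """True when any 'limit container' directive is set or ECL is active (ecl.toml)."""
    return ecl_active or any(conf.get(key) for key in LIMIT_KEYS)


def setuid_mount_plan(conf, ecl_active=False):
    """Which driver a setuid-root install uses for each image type under the changelog rules."""
    limited = is_limited(conf, ecl_active)
    extfs, squashfs, encrypted = (setting(conf, n) for n in ("extfs", "squashfs", "encrypted"))
    return {
        # ext3 overlay images: kernel driver only when explicitly allowed, else fuse2fs
        "extfs": "kernel" if extfs == "yes" else "fuse2fs",
        # kernel squashfs when "yes", or when "iflimited" and a limit/ECL is active
        "squashfs": "kernel" if squashfs == "yes" or (squashfs == "iflimited" and limited) else "squashfuse",
        # encrypted SIF: kernel device-mapper when allowed, otherwise unprivileged gocryptfs
        "encrypted": "device-mapper" if encrypted == "yes" else "gocryptfs",
    }


def audit(text, ecl_active=False):
    """Return (plan, findings); findings are the trade-offs the changelog itself names."""
    conf = parse_conf(text)
    plan = setuid_mount_plan(conf, ecl_active)
    limited = is_limited(conf, ecl_active)
    findings = []
    if plan["extfs"] == "kernel" and not limited:
        findings.append("extfs = yes without limits re-enables the kernel extfs mounts "
                        "that 1.1.8 turned off for CVE-2023-30549")
    if plan["squashfs"] == "kernel" and not limited:
        findings.append("kernel squashfs mounts with no 'limit container'/ECL: nothing "
                        "ensures unprivileged users lack write access to the raw images")
    fuse = [k for k in ("extfs", "squashfs") if plan[k] in ("fuse2fs", "squashfuse")]
    if fuse and limited:
        findings.append("FUSE driver for %s runs as the user, which the 1.3.0 entry says could "
                        "theoretically let a limited user bypass the limits via ptrace()" % ", ".join(fuse))
    return plan, findings


if __name__ == "__main__":
    plan, findings = audit(SAMPLE_CONF)
    for image_type, driver in plan.items():
        print(f"{image_type:10s} -> {driver}")
    for finding in findings:
        print("WARNING:", finding)
```

Run it against `/etc/apptainer/apptainer.conf` by reading the file into `audit()`; with the 1.3.0 defaults and no limits every image type goes through a FUSE driver and no warning is raised, while adding a `limit container` directive flips squashfs to the kernel driver and surfaces the ptrace() caveat for the remaining FUSE path.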
buildservice-autocommit accepted request 1075152 from Christian Goll (mslacken) (revision 54)
auto commit by copy to link target