Revisions of apptainer
buildservice-autocommit accepted request 1159335 from Christian Goll (mslacken) (revision 73): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 72):
- Updated apptainer to version 1.3.0
  * FUSE mounts are now supported in setuid mode, enabling full functionality even when kernel filesystem mounts are insecure due to unprivileged users having write access to raw filesystems in containers. When `allow setuid-mount extfs = no` (the default) in apptainer.conf, then the fuse2fs image driver will be used to mount ext3 images in setuid mode instead of the kernel driver (ext3 images are primarily used for the --overlay feature), restoring functionality that was removed by default in Apptainer 1.1.8 because of the security risk. The `allow setuid-mount squashfs` configuration option in `apptainer.conf` now has a new default called `iflimited`, which allows kernel squashfs mounts only if there is at least one `limit container` option set or if Execution Control Lists are activated in ecl.toml. If kernel squashfs mounts are not allowed, then the squashfuse image driver will be used instead. `iflimited` is the default because if one of those limits is used the system administrator ensures that unprivileged users do not have write access to the containers, but on the other hand using FUSE would enable a user to theoretically bypass the limits via ptrace() because the FUSE process runs as that user. The `fuse-overlayfs` image driver will also now be tried in setuid mode if the kernel overlayfs driver does not work (for example if one of the layers is a FUSE filesystem). In addition, if `allow setuid-mount encrypted = no` then the unprivileged gocryptfs format will be used for encrypting SIF files instead of the kernel device-mapper. If a SIF file was encrypted using the gocryptfs format, it can now be mounted in setuid mode in addition to non-setuid mode.
  * Change the default in user namespace mode to use either kernel
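The driver-selection rules in the 1.3.0 entry above (extfs "no" by default, squashfs "iflimited", the "limit container" / ecl.toml condition, and the FUSE fallbacks) are easy to get wrong when auditing a host. The following script is an added example, not Apptainer's code and not part of the changelog: it applies those rules to an apptainer.conf and ecl.toml text and reports which driver a setuid-mode mount would get. The "key = value" parser, the regex check for `activated = true` in ecl.toml, the rule that any non-empty `limit container ...` value counts as a limit, and the carried-over "yes" default for encrypted are all simplifying assumptions; the sample configuration strings are constructed.

```python
"""Which image driver Apptainer 1.3.0 would use for a setuid-mode mount.

Added illustration of the policy in the 1.3.0 changelog entry. Not
Apptainer's own code; parsing and defaults are simplifying assumptions.
"""
import re

# Defaults as the changelog states them: extfs "no", squashfs "iflimited".
# encrypted "yes" is carried over from the 1.1.8 entry (assumption).
DEFAULTS = {"extfs": "no", "squashfs": "iflimited", "encrypted": "yes"}

# Kernel driver when allowed, FUSE/unprivileged fallback otherwise (per changelog).
KERNEL_DRIVER = {"extfs": "kernel ext3", "squashfs": "kernel squashfs",
                 "encrypted": "device-mapper"}
FUSE_DRIVER = {"extfs": "fuse2fs", "squashfs": "squashfuse",
               "encrypted": "gocryptfs"}


def parse_apptainer_conf(text):
    """Parse 'key = value' lines into {key: [values]}; keys may repeat (e.g. 'bind path')."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def ecl_activated(ecl_toml):
    """True if ecl.toml has a top-level 'activated = true' (regex, not a TOML parser: assumption)."""
    return re.search(r"^\s*activated\s*=\s*true\s*$", ecl_toml, re.M | re.I) is not None


def limits_in_effect(conf, ecl_toml):
    """'iflimited' condition: any non-empty 'limit container ...' option, or ECL activated."""
    for key, values in conf.items():
        if key.startswith("limit container") and any(v for v in values):
            return True
    return ecl_activated(ecl_toml)


def setuid_mount_drivers(apptainer_conf, ecl_toml=""):
    """Return {fstype: driver} chosen in setuid mode; the last value of a repeated key wins."""
    conf = parse_apptainer_conf(apptainer_conf)
    limited = limits_in_effect(conf, ecl_toml)
    result = {}
    for fstype, default in DEFAULTS.items():
        setting = conf.get(f"allow setuid-mount {fstype}", [default])[-1].lower()
        if setting == "yes":
            use_kernel = True
        elif setting == "no":
            use_kernel = False
        elif setting == "iflimited":
            use_kernel = limited
        else:
            raise ValueError(f"unknown value {setting!r} for allow setuid-mount {fstype}")
        result[fstype] = KERNEL_DRIVER[fstype] if use_kernel else FUSE_DRIVER[fstype]
    return result


# Constructed sample: stock-looking apptainer.conf, no limits set.
STOCK_CONF = """\
# apptainer.conf (constructed sample)
allow setuid = yes
allow setuid-mount extfs = no
allow setuid-mount squashfs = iflimited
allow setuid-mount encrypted = yes
limit container owners =
limit container paths =
bind path = /etc/localtime
"""

# Constructed sample: admin restricts containers to a root-owned tree,
# which is what makes kernel squashfs acceptable under "iflimited".
LIMITED_CONF = STOCK_CONF.replace("limit container paths =",
                                  "limit container paths = /srv/containers")

# Constructed sample: ecl.toml with Execution Control Lists switched on.
ECL_ON = "activated = true\n"

if __name__ == "__main__":
    for name, conf, ecl in [("stock", STOCK_CONF, ""),
                            ("limited", LIMITED_CONF, ""),
                            ("stock+ecl", STOCK_CONF, ECL_ON)]:
        print(name, setuid_mount_drivers(conf, ecl))
```

With the stock file every image type falls back to FUSE in setuid mode except encrypted SIFs, which still use device-mapper; setting a `limit container` path or activating ECL flips squashfs to the kernel driver, and an explicit `allow setuid-mount squashfs = no` keeps squashfuse regardless of limits.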
buildservice-autocommit accepted request 1113390 from Christian Goll (mslacken) (revision 71): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 70):
- updated to 1.2.3 with the following changes:
  * The apptainer push/pull commands now show a progress bar for the oras protocol like there was for docker and library protocols.
  * The --nv and --rocm flags can now be used simultaneously.
  * Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action commands that refer to instance://.
  * Fix the issue that apptainer would not read credentials from the Docker fallback path ~/.docker/config.json if missing in the apptainer credentials.
buildservice-autocommit accepted request 1101200 from Christian Goll (mslacken) (revision 69): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 68):
- updated to 1.2.2 with the following changes:
  * Fix $APPTAINER_MESSAGELEVEL to correctly set the logging level.
  * Fix build failures when in setuid mode and unprivileged user namespaces are unavailable and the --fakeroot option is not selected.
buildservice-autocommit accepted request 1100790 from Christian Goll (mslacken) (revision 67): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 66):
updated vendor
buildservice-autocommit accepted request 1100767 from Christian Goll (mslacken) (revision 65): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 64):
- updated to 1.2.1 to fix CVE-2023-38496, although not relevant as the package is compiled with setuid
buildservice-autocommit accepted request 1100358 from Christian Goll (mslacken) (revision 63): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 62):
removed old source
buildservice-autocommit accepted request 1099922 from Christian Goll (mslacken) (revision 61): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 60)
Christian Goll (mslacken) committed (revision 59):
updated to final 1.2.0
Christian Goll (mslacken) committed (revision 58):
- update to 1.2.0 with the following changes:
  * binary is built reproducibly, which disables plugins
  * Create the current working directory in a container when it doesn't exist. This restores behavior as it was before singularity 3.6.0. As a result, using --no-mount home won't have any effect when running apptainer from a home directory and will require --no-mount home,cwd to avoid mounting that directory.
  * Handle current working directory paths containing symlinks both on the host and in a container but pointing to different destinations. If detected, the current working directory is not mounted when the destination directory in the container exists.
  * Destination mount points are now sorted by shortest path first to ensure that a user bind doesn't override a previous bind path when set in arbitrary order on the CLI. This is also applied to image binds.
  * When the kernel supports unprivileged overlay mounts in a user namespace, the container will be constructed by default using an overlay instead of an underlay layout for bind mounts. A new --underlay action option can be used to prefer underlay instead of overlay.
  * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
  * The apptainer cache is now architecture aware, so the same home directory cache can be shared by machines with different architectures.
  * Overlay is blocked on the panfs filesystem, allowing sandbox directories to be run from panfs without error.
  * Lookup and store user/group information in stage one prior to entering any namespaces, to fix an issue with winbind not correctly looking up user/group information when using user namespaces.
- New features / functionalities
  * Support for unprivileged encryption of SIF files using gocryptfs. This is not compatible with privileged encryption, so containers encrypted by root
Christian Goll (mslacken) committed (revision 57):
- update to 1.1.9 with the following changes:
  * Remove warning about unknown xino=on option from fuse-overlayfs, introduced in 1.1.8.
  * Ignore extraneous warning from fuse-overlayfs about a readonly /proc.
  * Fix dropped "n" characters on some platforms in definition file stored as part of SIF metadata.
  * Remove duplicated group ids.
  * Fix not being able to handle multiple entries in LD_PRELOAD when binding fakeroot into container during apptainer startup for --fakeroot with fakeroot command.
buildservice-autocommit accepted request 1083262 from Christian Goll (mslacken) (revision 56): auto commit by copy to link target
Christian Goll (mslacken) committed (revision 55):
- Included a fix for CVE-2023-30549, which is a vulnerability in setuid-root installations of Apptainer which was not active in the recent openSUSE packages. Still this is included for completeness. The fix adds `allow setuid-mount` configuration options encrypted, squashfs, and extfs, and makes the default for extfs be "no". That disables the use of extfs mounts including for overlays or binds while in the setuid-root mode, while leaving it enabled for unprivileged user namespace mode. The default for encrypted and squashfs is "yes".
- Other bug fixes:
  * Fix loop device 'no such device or address' spurious errors when using shared loop devices.
  * Add xino=on mount option for writable kernel overlay mount points to fix inode numbers consistency after kernel cache flush (not applicable to fuse-overlayfs).
buildservice-autocommit accepted request 1075152 from Christian Goll (mslacken) (revision 54): auto commit by copy to link target
Displaying revisions 1 - 20 of 73