Revisions of apptainer
- Udpated to 1.1.2 which fixed CVE-2022-39237 * CVE-2022-39237: The sif dependency included in Apptainer before this release does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. This release updates to sif v2.8.1 which corrects this issue. See the linked advisory for references and a workaround.
buildservice-autocommit
accepted
request 1006622
from
Christian Goll (mslacken)
(revision 32)
auto commit by copy to link target
buildservice-autocommit
accepted
request 1003468
from
Christian Goll (mslacken)
(revision 29)
auto commit by copy to link target
- Updated to version 1.1.0-rc3 with following changes: * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll which will be removed as soon as the multithread patch is incoperated * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse, if available, for improved performance. squashfuse_ll is not available in factory. * Also, for even better parallel performance, include a patched multithreaded version of squashfuse_ll in * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in apptainer.conf, which is used for searching for helper executables. It is implied as the first directory of $PATH if present (which is at the beginning of binary path by default) or just as the first directory if $PATH is not included in binary path. ${prefix}/libexec/apptainer/bin. * Add --unsquash action flag to temporarily convert a SIF file to a sandbox before running. In previous versions this was the default when running a SIF file without setuid or with fakeroot, but now the default is to instead mount with squashfuse. * Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image. * Support for a custom hashbang in the %test section of an Apptainer recipe (akin to the runscript and start sections). * When using fakeroot in setuid mode, have the image drivers first enter the the container's user namespace to avoid write errors with overlays. * Skip trying to use kernel overlayfs when using writable overlay and the lower layer is FUSE, because of a kernel bug introduced in kernel 5.15. * Add additional hidden options to the action command for testing different fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command, and --ignore-userns. - Updated to version 1.1.0-rc2 with following changes:
buildservice-autocommit
accepted
request 998137
from
Christian Goll (mslacken)
(revision 27)
auto commit by copy to link target
- Udpated to version 1.1.0-rc2 with following changes: * Fixed longstanding bug in the underlay logic when there are nested bind points separated by more than one path level, for example /var and /var/lib/yum, and the path didn't exist in the container image. The bug only caused an error when there was a directory in the container image that didn't exist on the host. * Improved wildcard matching in the %files directive of build definition files by replacing usage of sh with the mvdan.cc library. * Replaced checks for compatible filesystem types when using fuse-overlayfs with an INFO message when an incompatible filesystem type causes it to be unwritable by a fakeroot user. * The --nvccli option now works without --fakeroot. In that case the option can be used with --writable-tmpfs instead of --writable, and --writable-tmpfs is implied if neither option is given. Note that also /usr/bin has to be writable by the user, so without --fakeroot that probably requires a sandbox image that was built with --fix-perms. * The --nvccli option implies --nv. * Configure squashfuse to always show files to be owned by the current user. That's especially important for fakeroot to prevent most of the files from looking like they are owned by user 65534. * The fakeroot command can now be used even if $PATH is empty in the environment of the apptainer command. * Allow the newuidmap command to be missing if the current user is not listed in /etc/subuid. * Require the uidmap package in Debian packaging. * Improved error handling of unsupported pass protected PEM files with encrypted containers. * Ensure bootstrap_history directory is populated with previous definition files, present in source containers used in a build. * Add additional options to the build command for testing different fakeroot
buildservice-autocommit
accepted
request 993258
from
Christian Goll (mslacken)
(revision 25)
auto commit by copy to link target
buildservice-autocommit
accepted
request 993098
from
Christian Goll (mslacken)
(revision 23)
auto commit by copy to link target
- Updated to version 1.1.0-rc1 which enables apptainer to run without suid and additional groups. Although this is a prerelease this is a major advantage justifying its use. * Added a squashfuse image driver that enables mounting SIF files without using setuid-root. Requires the squashfuse command and unprivileged user namespaces. * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF overlay partitions without using setuid-root. Requires the fuse2fs command and unprivileged user namespaces. * Added the ability to use persistent overlay (--overlay) and --writable-tmpfs without using setuid-root. This requires unprivileged user namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs command. Persistent overlay works when the overlay path points to a regular filesystem (known as "sandbox" mode, which is not allowed when in setuid mode), or when it points to an EXT3 image. Does not work with a SIF partition because that requires privileges to mount as an ext3 image. * Extended the --fakeroot option to be useful when /etc/subuid and /etc/subgid mappings have not been set up. If they have not been set up, a root-mapped unprivileged user namespace (the equivalent of unshare -r) and/or the fakeroot command from the host will be tried. Together they emulate the mappings pretty well but they are simpler to administer. This feature is especially useful with the --overlay and --writable-tmpfs options and for building containers unprivileged, because they allow installing packages that assume they're running as root. A limitation on using it with --overlay and --writable-tmpfs however is that when only the fakeroot command can be used (because there are no user namespaces available, in suid mode) then the base image has to be a sandbox. This feature works nested inside of an apptainer container, where another apptainer command will also be in the fakeroot environment without requesting the --fakeroot option again, or it can be used inside an
buildservice-autocommit
accepted
request 988329
from
Christian Goll (mslacken)
(revision 19)
auto commit by copy to link target
- Update to version 1.0.3: * Process redirects that can come from sregistry with a library:// URL. * Fix inspect --deffile and inspect --all to correctly show definition files in sandbox container images instead of empty output. This has a side effect of also fixing the storing of definition files in the metadata of sif files built by Apptainer, because that metadata is constructed by doing inspect --all.
buildservice-autocommit
accepted
request 963975
from
Christian Goll (mslacken)
(revision 17)
auto commit by copy to link target
buildservice-autocommit
accepted
request 962882
from
Christian Goll (mslacken)
(revision 15)
auto commit by copy to link target
Displaying revisions 41 - 60 of 73