openSUSE Recommended Update: Recommended update for singularity ______________________________________________________________________________ Announcement ID: openSUSE-RU-2021:0464-1 Rating: moderate References: Affected Products: openSUSE Backports SLE-15-SP2 ______________________________________________________________________________ An update that has 0 recommended fixes can now be installed. Description: This update for singularity fixes the following issues: singularity was updated to version 3.7.2: - Bug Fixes - Fix progress bar display when source image size is unknown. - Fix a memory usage / leak issue when building from an existing image file. - Fix to allow use of ``--library`` flag to point push/pull at default cloud library when another remote is in use. - Address false positive loop test errors, and an e2e test registry setup issue. New version 3.7.1 - Bug Fixes - Accommodate /sys/fs/selinux mount changes on kernel 5.9+. - Fix loop devices file descriptor leak when shared loop devices is enabled. - Use MaxLoopDevices variable from config file in all appropriate locations. - Use -buildmode=default (non pie) on ppc64le to prevent crashes when using plugins. - Remove spurious warning in parseTokenSection() - e2e test fixes for new kernels, new unsquashfs version. - Show correct web URI for detached builds against alternate remotes. New version 3.7.0 - New features / functionalities - Allow configuration of global custom keyservers, separate from remote endpoints. - Add a new global keyring, for public keys only (used for ECL). - The `remote login` commmand now suports authentication to Docker/OCI registries and custom keyservers. - New `--exclusive` option for `remote use` allows admin to lock usage to a specific remote. - A new `Fingerprints:` header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints. - Labels can be set dynamically from a build's `%post` section by setting them in the `SINGULARITY_LABELS` environment variable. - New `build-arch` label is automatically set to the architecure of the host during a container build. - New `-D/--description` flag for `singularity push` sets description for a library container image. - `singularity remote status` shows validity of authentication token if set. - `singularity push` reports quota usage and URL on successful push to a library server that supports this. - A new `--no-mount` flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled in `singularity.conf`. - Changed defaults / behaviours - When actions (run/shell/exec...) are used without `--fakeroot` the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new `--no-umask` flag to return to the previous behaviour of setting a default 0022 umask. - Container metadata, environment, scripts are recorded in a descriptor in builds to SIF files, and `inspect` will use this if present. - The `--nv` flag for NVIDIA GPU support will not resolve libraries reported by `nvidia-container-cli` via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them. - General re-work of the `remote login` flow, adds prompts and token verification before replacing an existing authentication token. - The Execution Control List (ECL) now verifies container fingerprints using the new global keyring. Previously all users would need relevant keys in their own keyring. - The SIF layer mediatype for ORAS has been changed to `application/vnd.sylabs.sif.layer.v1.sif` reflecting the published [opencontainers/artifacts](https://github.com/opencontainers/artifacts/blob /master/artifact-authors.md#defining-layermediatypes) value. - `SINGULARITY_BIND` has been restored as an environment variable set within a running container. It now reflects all user binds requested by the `-B/--bind` flag, as well as via `SINGULARITY_BIND[PATHS]`. - `singularity search` now correctly searches for container images matching the host architecture by default. A new `--arch` flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned. - Bug Fixes - Support larger definition files, environments etc. by passing engine configuration in the environment vs. via socket buffer. - Ensure `docker-daemon:` and other source operations respect `SINGULARITY_TMPDIR` for all temporary files. - Support double quoted filenames in the `%files` section of build definitions. - Correct `cache list` sizes to show KiB with powers of 1024, matching `du` etc. - Don't fail on `enable fusemount=no` when no fuse mounts are needed. - Pull OCI images to the correct requested location when the cache is disabled. - Ensure `Singularity>` prompt is set when container has no environment script, or singularity is called through a wrapper script. - Avoid build failures in `yum/dnf` operations against the 'setup' package on `RHEL/CentOS/Fedora` by ensuring staged `/etc/` files do not match distro default content. - Failed binds to `/etc/hosts` and `/etc/localtime` in a container run with `--contain` are no longer fatal errors. - Don't initialize the cache for actions where it is not required. - Increase embedded shell interpreter timeout, to allow slow-running environment scripts to complete. - Correct buffer handling for key import to allow import from STDIN. - Reset environment to avoid `LD_LIBRARY_PATH` issues when resolving dependencies for the `unsquashfs` sandbox. - Fall back to `/sbin/ldconfig` if `ldconfig` on `PATH` fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix. - Address issues caused by error code changes in `unsquashfs` version 4.4. - Ensure `/dev/kfd` is bound into container for ROCm when `--rocm` is used with `--contain`. - Tolerate comments on `%files` sections in build definition files. - Fix a loop device file descriptor leak. This update was imported from the openSUSE:Leap:15.2:Update update project. Patch Instructions: To install this openSUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-464=1 Package List: - openSUSE Backports SLE-15-SP2 (aarch64 s390x x86_64): singularity-3.7.2-bp152.2.16.1 References: