Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2022-08-05 19:50:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.1521 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apptainer" Fri Aug 5 19:50:55 2022 rev:4 rq:993259 version:1.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-07-11 19:11:11.079764334 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.1521/apptainer.changes 2022-08-05 19:51:54.573596430 +0200 
@@ -1,0 +2,136 @@ +Thu Aug 4 12:31:33 UTC 2022 - Christian Goll <cg...@suse.com> + +- Updated to version 1.1.0-rc1 which enables apptainer to run without + suid and additional groups. Although this is a prerelease this is + a major advantage justifying its use. + * Added a squashfuse image driver that enables mounting SIF files without + using setuid-root. Requires the squashfuse command and unprivileged user + namespaces. + * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF + overlay partitions without using setuid-root. Requires the fuse2fs command + and unprivileged user namespaces. + * Added the ability to use persistent overlay (--overlay) and + --writable-tmpfs without using setuid-root. This requires unprivileged user + namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs + command. Persistent overlay works when the overlay path points to a regular + filesystem (known as "sandbox" mode, which is not allowed when in setuid + mode), or when it points to an EXT3 image. Does not work with a SIF + partition because that requires privileges to mount as an ext3 image. + * Extended the --fakeroot option to be useful when /etc/subuid and + /etc/subgid mappings have not been set up. If they have not been set up, a + root-mapped unprivileged user namespace (the equivalent of unshare -r) + and/or the fakeroot command from the host will be tried. Together they + emulate the mappings pretty well but they are simpler to administer. This + feature is especially useful with the --overlay and --writable-tmpfs + options and for building containers unprivileged, because they allow + installing packages that assume they're running as root. A limitation on + using it with --overlay and --writable-tmpfs however is that when only the + fakeroot command can be used (because there are no user namespaces + available, in suid mode) then the base image has to be a sandbox. 
This + feature works nested inside of an apptainer container, where another + apptainer command will also be in the fakeroot environment without + requesting the --fakeroot option again, or it can be used inside an + apptainer container that was not started with --fakeroot. However, the + fakeroot command uses LD_PRELOAD and so needs to be bound into the + container which requires a compatible libc. For that reason it doesn't work + when the host and container operating systems are of very different + vintages. If that's a problem and you want to use only an unprivileged + root-mapped namespace even when the fakeroot command is installed, just run + apptainer with unshare -r. + * Made the --fakeroot option be implied when an unprivileged user builds a + container from a definition file. When /etc/subuid and /etc/subgid mappings + are not available, all scriptlets are run in a root-mapped unprivileged + namespace (when possible) and the %post scriptlet is additionally run with + the fakeroot command. When unprivileged user namespaces are not available, + such that only the fakeroot command can be used, the --fix-perms option is + implied to allow writing into directories. + * Added a --fakeroot option to the apptainer overlay create command to make + an overlay EXT3 image file that works with the fakeroot that comes from + unprivileged root-mapped namespaces. This is not needed with the fakeroot + that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes + with only the fakeroot command in suid flow. + * $HOME is now used to find the user's configuration and cache by default. If + that is not set it will fall back to the previous behavior of looking up + the home directory in the password file. The value of $HOME inside the + container still defaults to the home directory in the password file and can + still be overridden by the --home option. 
+ * When starting a container, if the user has specified the cwd by using the + --pwd flag, if there is a problem an error is returned instead of + defaulting to a different directory. + * Nesting of bind mounts now works even when a --bind option specified a + different source and destination with a colon between them. Now the + APPTAINER_BIND environment variable makes sure the bind source is from the + bind destination so it will be succesfully re-bound into a nested apptainer + container. + * The warning about more than 50 bind mounts required for an underlay bind + has been changed to an info message. + * oci mount sets Process.Terminal: true when creating an OCI config.json, so + that oci run provides expected interactive behavior by default. + The default hostname for oci mount containers is now apptainer instead of mrsdalloway. + * systemd is now supported and used as the default cgroups manager. Set + systemd cgroups = no in apptainer.conf to manage cgroups directly via the + cgroupfs. + * Added a new action flag --no-eval which: + + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file + environment variables as they are injected in the container, to match + OCI behavior. Applies to all containers. + + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command + line arguments for containers run or built directly from an OCI/Docker + source. Applies to newly built containers only, use apptainer inspect + to check version that container was built with. + * Added --no-eval to the list of flags set by the OCI/Docker --compat mode. + * sinit process has been renamed to appinit. + * Added --keysdir to key command to provide an alternative way of setting + local keyring path. The existing reading of the keyring path from + environment variable 'APPTAINER_KEYSDIR' is untouched. + * apptainer key push will output the key server's response if included in + order to help guide users through any identity verification the server may + require. 
+ * ECL no longer requires verification for all signatures, but only when + signature verification would alter the expected behavior of the list: + + At least one matching signature included in a whitelist must be + validated, but other unvalidated signatures do not cause ECL to fail. + + All matching signatures included in a whitestrict must be validated, + but unvalidated signatures not in the whitestrict do not cause ECL to + fail. + + Signature verification is not checked for a blacklist; unvalidated + signatures can still block execution via ECL, and unvalidated + signatures not in the blacklist do not cause ECL to fail. +- New features / functionalities + * Non-root users can now use --apply-cgroups with run/shell/exec to limit + container resource usage on a system using cgroups v2 and the systemd + cgroups manager. + * Native cgroups v2 resource limits can be specified using the [unified] key + in a cgroups toml file applied via --apply-cgroups. + * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups + resource limits to a container directly. + Added instance stats command. + * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable + a bind path entry from apptainer.conf by specifying the absolute path to + the destination of the bind. + * Apptainer now supports the riscv64 architecture. + * remote add --insecure may now be used to configure endpoints that are only + accessible via http. Alternatively the environment variable + APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added + wihtout the --insecure flag. Specifying https in the remote URI overrules + both --insecure and APPTAINER_ADD_INSECURE. + * Gpu flags --nv and --rocm can now be used from an apptainer nested inside + another apptainer container. + * Added --public, --secret, and --both flags to the key remove command to + support removing secret keys from the apptainer keyring. 
+ * Debug output can now be enabled by setting the APPTAINER_DEBUG env var. + * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs + image extraction, and build stages. +- Bug fixes + * Remove warning message about SINGULARITY and APPTAINER variables having + different values when the SINGULARITY variable is not set. + * Add specific error for unreadable image / overlay file. + * Pass through a literal \n in host environment variables to the container. + * Fix loop device creation with loop-control when running inside docker containers. + * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag. +- File changes + * Removed useful_error_message.patch as not needed any more + * Added fix-32bit-compilation.patch from upstream + + +------------------------------------------------------------------- Old: ---- apptainer-1.0.3.tar.gz useful_error_message.patch New: ---- apptainer-1.1.0-rc.1.tar.gz fix-32bit-compilation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apptainer.spec ++++++ --- /var/tmp/diff_new_pack.h7Hi4M/_old 2022-08-05 19:51:55.325598371 +0200 +++ /var/tmp/diff_new_pack.h7Hi4M/_new 2022-08-05 19:51:55.329598382 +0200 @@ -19,13 +19,13 @@ %define apptainerpath src/github.com/apptainer/ %define _buildshell /bin/bash -#%%define vers_suffix -rc.2 +%define vers_suffix -rc.1 Summary: Application and environment virtualization License: BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version: 1.0.3 +Version: 1.1.0 Release: 0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL: https://apptainer.org @@ -35,7 +35,7 @@ Source3: SLE-15SP3.def Source5: %{name}-rpmlintrc Source10: vendor.tar.gz -Patch1: useful_error_message.patch +Patch1: fix-32bit-compilation.patch BuildRequires: cryptsetup BuildRequires: fdupes BuildRequires: gcc 
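Review bot: `Version: 1.1.0` in the `@@ -19,13 +19,13 @@` hunk, together with `+%define vers_suffix -rc.1`, packages a release candidate under the final version number, while the changelog entry above says "Updated to version 1.1.0-rc1" and the tarball is `apptainer-1.1.0-rc.1.tar.gz`. Use the tilde convention (`Version: 1.1.0~rc1`, which RPM orders before `1.1.0`) and derive the tarball suffix from it, so the later update to the final 1.1.0 is a clean upgrade and the spec matches the changelog.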
@@ -55,8 +55,8 @@ # there's no golang for ppc64, ppc64le does not have non pie builds ExcludeArch: ppc64 ppc64le -Provides: %{name}-runtime Obsoletes: singularity +Obsoletes: singularity-ce Obsoletes: singularity-runtime %description @@ -91,7 +91,8 @@ --localstatedir=%{_localstatedir}/lib \ --sharedstatedir=%{_sharedstatedir} \ --mandir=%{_mandir} \ - --infodir=%{_infodir} + --infodir=%{_infodir} \ + --without-suid cd builddir make V="" old_config= @@ -101,8 +102,7 @@ export PATH=$GOPATH/bin:$PATH cd %{name}/builddir -mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 -make DESTDIR=$RPM_BUILD_ROOT install man +make DESTDIR=$RPM_BUILD_ROOT install cd ../.. %fdupes apptainer/examples mkdir -p .tmp @@ -115,21 +115,10 @@ done done -echo "g %name -" > system-group-%{name}.conf -%sysusers_generate_pre system-group-%{name}.conf %{name} system-group-%{name}.conf -install -D -m 644 system-group-%{name}.conf %{buildroot}%{_sysusersdir}/system-group-%{name}.conf - -%fdupes -s .tmp +%fdupes -s .tmp/ mv .tmp/* . rmdir .tmp - -%pre -f %{name}.pre - -%post -%set_permissions %{_libexecdir}/apptainer/bin/starter-suid - -%verifyscript -%set_permissions %{_libexecdir}/apptainer/bin/starter-suid +%fdupes -s %buildroot %files %doc apptainer/examples @@ -142,12 +131,13 @@ %doc %{basename:%{S:3}} %license apptainer/LICENSE.md %license *-LICENSE.md *-LICENSE -%attr(4750, root, apptainer) %{_libexecdir}/apptainer/bin/starter-suid %{_bindir}/* %dir %{_libexecdir}/apptainer %dir %{_libexecdir}/apptainer/bin %dir %{_libexecdir}/apptainer/cni +%dir %{_libexecdir}/apptainer/lib %{_libexecdir}/apptainer/bin/starter +%{_libexecdir}/apptainer/lib/offsetpreload.so %{_libexecdir}/apptainer/cni/* %dir %{_sysconfdir}/apptainer %config(noreplace) %{_sysconfdir}/apptainer/capability.json 
@@ -166,6 +156,5 @@ %dir %{_localstatedir}/lib/apptainer/mnt %dir %{_localstatedir}/lib/apptainer/mnt/session %{_mandir}/man1/* -%{_sysusersdir}/system-group-%{name}.conf %changelog ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.h7Hi4M/_old 2022-08-05 19:51:55.373598495 +0200 +++ /var/tmp/diff_new_pack.h7Hi4M/_new 2022-08-05 19:51:55.377598506 +0200 @@ -1,18 +1,3 @@ -openSUSE/SUSE specific Settings -=============================== - -openSUSE and SUSE have a small difference with upstream default. -This means the SUID root binaries distributed by singularty are -executable only by users belonging to the group 'apptainer'. - -Otherwise, users will get an error message like this one: - -FATAL: while executing /usr/lib/apptainer/bin/starter-suid: permission denied - -To add a user to the group apptainer, execute (as root): - - # usermod -a -G apptainer <user_login> - Create Apptainer Images from openSUSE/SLE =========================================== ++++++ fix-32bit-compilation.patch ++++++ >From cf82cf54c592e1fb86fe0b552c2a1769c5193725 Mon Sep 17 00:00:00 2001 From: Dave Dykstra <2129743+drda...@users.noreply.github.com> Date: Tue, 2 Aug 2022 11:55:17 -0500 Subject: [PATCH] fix 32bit compilation Signed-off-by: Dave Dykstra <2129743+drda...@users.noreply.github.com> --- internal/pkg/util/fs/overlay/overlay_linux.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/pkg/util/fs/overlay/overlay_linux.go b/internal/pkg/util/fs/overlay/overlay_linux.go index b5eff4bd2..7b220f97f 100644 --- a/internal/pkg/util/fs/overlay/overlay_linux.go +++ b/internal/pkg/util/fs/overlay/overlay_linux.go @@ -81,7 +81,7 @@ func check(path string, d dir, allowType int64) error { return nil } - if stfs.Type == allowType { + if int64(stfs.Type) == allowType { return nil } -- 2.37.1 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/apptainer/vendor.tar.gz /work/SRC/openSUSE:Factory/.apptainer.new.1521/vendor.tar.gz differ: char 5, line 1
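Review bot: The `--without-suid` switch added in the `@@ -91,7 +91,8 @@` hunk moves the runtime onto the unprivileged image drivers, but no hunk in the spec adds a `Requires` or `Recommends` for the helpers the changelog says they need (`squashfuse` for SIF, `fuse2fs` for EXT3 images and overlays, `fuse-overlayfs` for `--overlay`/`--writable-tmpfs` on kernels older than 5.11). Without them a non-suid install cannot mount images at all. Suggest adding `Recommends:` lines for the packages that provide those three commands next to the existing `BuildRequires` block.

Review bot: The `@@ -101,8 +102,7 @@` hunk replaces `make DESTDIR=$RPM_BUILD_ROOT install man` with plain `make DESTDIR=$RPM_BUILD_ROOT install` and drops the `mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1`, yet the `%files` section in the `@@ -166,6 +156,5 @@` hunk still ships `%{_mandir}/man1/*`. Confirm that the `install` target of this version generates and installs the man pages itself; if it does not, the build fails on the `%files` glob.

Review bot: In the `@@ -55,8 +55,8 @@` hunk `Provides: %{name}-runtime` is removed without a transition, so anything that still requires `apptainer-runtime` stops resolving; if that capability is gone for good, add a matching `Obsoletes`. The new `+Obsoletes: singularity-ce` is unversioned; the packaging guidelines prefer a versioned form (`Obsoletes: singularity-ce < %{version}`), paired with a `Provides` only if apptainer is meant as a drop-in replacement.

Review bot: The README.SUSE hunk removes the `usermod -a -G apptainer` instructions, which is right now that `starter-suid`, its `%set_permissions` call and the `apptainer` system group are gone from the `@@ -115,21 +115,10 @@` and `@@ -142,12 +131,13 @@` hunks, but nothing replaces them. The non-suid runtime depends on unprivileged user namespaces and the fuse-based helpers, so a short section telling users to check that unprivileged user namespaces are enabled (for example via `sysctl user.max_user_namespaces`) and to install squashfuse/fuse2fs would prevent the same class of "permission denied" confusion the old text addressed.

Review bot: The cast in the `check` hunk of `overlay_linux.go` goes the right way: it widens the platform-dependent `stfs.Type` to the `int64` `allowType` instead of narrowing `allowType`, which matters because `syscall.Statfs_t.Type` is a 32-bit integer on 32-bit Linux targets and `int64` on 64-bit ones. A one-line comment at `if int64(stfs.Type) == allowType {` saying so would stop a later cleanup from reverting it and breaking the 32-bit build again.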