commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2024-05-13 17:58:43
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.1880 (New)
Package is "apptainer"
Mon May 13 17:58:43 2024 rev:28 rq:1173668 version:1.3.0
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2024-03-22
15:32:23.870920031 +0100
+++ /work/SRC/openSUSE:Factory/.apptainer.new.1880/apptainer.changes
2024-05-13 17:59:12.676369476 +0200
@@ -1,0 +2,11 @@
+Mon May 13 05:36:38 UTC 2024 - Egbert Eich
+
+- Make sure, digest values handled by the Go library
+ github.com/opencontainers/go-digest and used throughout the
+ Go-implemented containers ecosystem are always validated. This
+ prevents attackers from triggering unexpected authenticated
+ registry accesses.
+ * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
+(CVE-2024-3727, bsc#1224114).
+
+---
New:
Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
BETA DEBUG BEGIN:
New: registry accesses.
* Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
(CVE-2024-3727, bsc#1224114).
BETA DEBUG END:
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.b7wFq3/_old 2024-05-13 17:59:13.568402022 +0200
+++ /var/tmp/diff_new_pack.b7wFq3/_new 2024-05-13 17:59:13.568402022 +0200
@@ -42,6 +42,7 @@
Source20: %{name}-rpmlintrc
Source21: vendor.tar.gz
Patch1: Remove-signatures-from-Docker-images.patch
+Patch100: Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
BuildRequires: cryptsetup
BuildRequires: fdupes
BuildRequires: gcc
++ Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch ++
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri May 10 15:29:32 2024 +
Subject: Bump github.com/containers/image/v5 from 5.30.0 to 5.30.1
Patch-mainline: Upstream
Git-repo: https://github.com/apptainer/apptainer
Git-commit: 37bcd30d64a934fa78acc838745f5868a4800706
References: bsc#1224114
Bumps [github.com/containers/image/v5](https://github.com/containers/image)
from 5.30.0 to 5.30.1.
- [Release notes](https://github.com/containers/image/releases)
- [Commits](https://github.com/containers/image/compare/v5.30.0...v5.30.1)
Signed-off-by: Egbert Eich
---
updated-dependencies:
- dependency-name: github.com/containers/image/v5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] ---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 8ee607d04..e540f5658 100644
--- a/go.mod
+++ b/go.mod
@@ -21 +21 @@ require (
- github.com/containers/image/v5 v5.30.0
+ github.com/containers/image/v5 v5.30.1
diff --git a/go.sum b/go.sum
index 5747de20d..73e76ddd9 100644
--- a/go.sum
+++ b/go.sum
@@ -88,2 +88,2 @@ github.com/containernetworking/plugins v1.4.1/go.mod
h1:n6FFGKcaY4o2o5msgu/UImto
-github.com/containers/image/v5 v5.30.0
h1:CmHeSwI6W2kTRWnUsxATDFY5TEX4b58gPkaQcEyrLIA=
-github.com/containers/image/v5 v5.30.0/go.mod
h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
+github.com/containers/image/v5 v5.30.1
h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM=
+github.com/containers/image/v5 v5.30.1/go.mod
h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
++ vendor.tar.gz ++
/work/SRC/openSUSE:Factory/apptainer/vendor.tar.gz
/work/SRC/openSUSE:Factory/.apptainer.new.1880/vendor.tar.gz differ: char 12,
line 1
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2024-03-22 15:20:22 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.1905 (New) Package is "apptainer" Fri Mar 22 15:20:22 2024 rev:27 rq:1160483 version:1.3.0 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2024-03-14 17:46:39.384914681 +0100 +++ /work/SRC/openSUSE:Factory/.apptainer.new.1905/apptainer.changes 2024-03-22 15:32:23.870920031 +0100 @@ -1,0 +2,98 @@ +Fri Mar 15 11:20:14 UTC 2024 - Christian Goll + +- Updated apptainer to version 1.3.0 + * FUSE mounts are now supported in setuid mode, enabling full +functionality even when kernel filesystem mounts are insecure due to +unprivileged users having write access to raw filesystems in +containers. When allow `setuid-mount extfs = no` (the default) in +apptainer.conf, then the fuse2fs image driver will be used to mount +ext3 images in setuid mode instead of the kernel driver (ext3 images +are primarily used for the `--overlay` feature), restoring +functionality that was removed by default in Apptainer 1.1.8 because +of the security risk. +The allow `setuid-mount squashfs` configuration option in +`apptainer.conf` now has a new default called `iflimited` which allows +kernel squashfs mounts only if there is at least one `limit container` +option set or if Execution Control Lists are activated in ecl.toml. +If kernel squashfs mounts are are not allowed, then the squashfuse +image driver will be used instead. +`iflimited` is the default because if one of those limits are used +the system administrator ensures that unprivileged users do not have +write access to the containers, but on the other hand using FUSE +would enable a user to theoretically bypass the limits via `ptrace()` +because the FUSE process runs as that user. +The `fuse-overlayfs` image driver will also now be tried in setuid +mode if the kernel overlayfs driver does not work (for example if +one of the layers is a FUSE filesystem). In addition, if `allow +setuid-mount encrypted = no` then the unprivileged gocryptfs format +will be used for encrypting SIF files instead of the kernel +device-mapper. If a SIF file was encrypted using the gocryptfs +format, it can now be mounted in setuid mode in addition to +non-setuid mode. + * Change the default in user namespace mode to use either kernel +overlayfs or fuse-overlayfs instead of the underlay feature for the +purpose of adding bind mount points. That was already the default in +setuid mode; this change makes it consistent. The underlay feature +can still be used with the `--underlay` option, but it is deprecated +because the implementation is complicated and measurements have +shown that the performance of underlay is similar to overlayfs and +fuse-overlayfs. +For now the underlay feature can be made the default again with a +new `preferred` value on the `enable underlay` configuration option. +Also the `--underlay` option can be used in setuid mode or as the +root user, although it was ignored previously. + * Prefer again to use kernel overlayfs over fuse-overlayfs when a +lower layer is FUSE and there's no writable upper layer, undoing the +change from 1.2.0. Another workaround was found for the problem that +change addressed. This applies in both setuid mode and in user +namespace mode. + * `--cwd` is now the preferred form of the flag for setting the +container's working directory, though `--pwd` is still supported for +compatibility. + * The way `--home` is handled when running as root (e.g. sudo apptainer) +or with `--fakeroot` has changed. Previously, we were only modifying +the `HOME` environment variable in these cases, while leaving the +container's `/etc/passwd` file unchanged (with its homedir field +pointing to `/root`, regardless of the value passed to `--home`). With +this change, both value of HOME and the contents of `/etc/passwd` in +the container will reflect the value passed to `--home` if the +container is readonly. If the container is writable, the +`/etc/passwd` file is left alone because it can interfere with +commands that want to modify it. + * The `--vm` and related flags to start apptainer inside a VM have been +removed. This functionality was related to the retired Singularity Desktop +/ SyOS projects. + * The keyserver-related commands that were under `remote` have been moved to +their own, dedicated `keyserver` command. Run `apptainer help keyserver` +for more information. + * The commands
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2024-02-02 15:48:00
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.1815 (New)
Package is "apptainer"
Fri Feb 2 15:48:00 2024 rev:25 rq:1143604 version:1.2.5
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2024-02-01
18:05:52.520149323 +0100
+++ /work/SRC/openSUSE:Factory/.apptainer.new.1815/apptainer.changes
2024-02-02 15:48:37.571620043 +0100
@@ -29,0 +30 @@
+- Package .def templates separately for different SPs.
Old:
SLE.def
leap.def
New:
Leap.def
SLE-15SP5.def
SUSE.def
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.t6ud2w/_old 2024-02-02 15:48:38.183642291 +0100
+++ /var/tmp/diff_new_pack.t6ud2w/_new 2024-02-02 15:48:38.183642291 +0100
@@ -35,9 +35,10 @@
Conflicts: singularity-runtime
Source0:
https://github.com/apptainer/apptainer/archive/v%{version}%{?vers_suffix}/apptainer-%{version}%{?vers_suffix}.tar.gz
Source1:README.SUSE
-Source2:SLE-15SP6.def
-Source3:SLE.def
-Source4:leap.def
+Source2:SUSE.def
+Source3:SLE-15SP5.def
+Source4:SLE-15SP6.def
+Source5:Leap.def
Source20: %{name}-rpmlintrc
Source21: vendor.tar.gz
BuildRequires: cryptsetup
@@ -56,6 +57,10 @@
Requires: squashfs
Requires: squashfuse
Recommends: fuse2fs
+Requires: (apptainer-leap if product(Leap) = 15.5)
+Requires: (apptainer-sle15_5 if product(SUSE_SLE) = 15.5)
+Requires: (apptainer-sle15_6 if product(SUSE_SLE) = 15.6)
+
# Needed for container decryption in userspace, upstream rpms include this
# but factory should have this seperately
Recommends: gocryptfs
@@ -68,9 +73,36 @@
Apptainer provides functionality to make portable
containers that can be used across host environments.
+%package sle15_5
+Summary:Apptainer Definition File Templates for SLE 15 SP5
+BuildArch: noarch
+Requires: apptainer
+
+%description sle15_5
+The package provides a definition file template for Apptainer containers
+based on SUSE Linux Enterprise 15 SP5.
+
+%package sle15_6
+Summary:Apptainer Definition File Templates for SLE 15 SP6
+BuildArch: noarch
+Requires: apptainer
+
+%description sle15_6
+The package provides a definition file template for Apptainer containers
+based on SUSE Linux Enterprise 15 SP6.
+
+%package leap
+Summary:Apptainer Definition File Templates for current openSUSE Leap
+BuildArch: noarch
+Requires: apptainer
+
+%description leap
+The package provides a definition file template for Apptainer containers
+based on the latest openSUSE Leap release.
+
%prep
%setup -q -n %{name}-%{version}%{?vers_suffix}
-cp %{S:1} %{S:2} %{S:3} %{S:4} .
+cp %{S:1} .
%build
@@ -105,6 +137,8 @@
export PATH=$GOPATH/bin:$PATH
%make_install -C builddir V=
+install -d -m 0755 %{buildroot}/%{_datarootdir}/apptainer/templates
+install -m 0644 %{S:2} %{S:3} %{S:4} %{S:5}
%{buildroot}/%{_datarootdir}/apptainer/templates
%fdupes apptainer/examples
%fdupes -s %buildroot
@@ -116,8 +150,6 @@
%doc CHANGELOG.md
%doc CONTRIBUTORS.md
%doc %{basename:%{S:1}}
-%doc %{basename:%{S:2}}
-%doc %{basename:%{S:3}}
%license LICENSE.md
%license LICENSE_THIRD_PARTY.md
%license LICENSE_DEPENDENCIES.md
@@ -126,9 +158,12 @@
%dir %{_libexecdir}/apptainer/bin
%dir %{_libexecdir}/apptainer/cni
%dir %{_libexecdir}/apptainer/lib
+%dir %{_datarootdir}/apptainer
+%dir %{_datarootdir}/apptainer/templates
%{_libexecdir}/apptainer/bin/starter
%{_libexecdir}/apptainer/lib/offsetpreload.so
%{_libexecdir}/apptainer/cni/*
+%{_datarootdir}/apptainer/templates/%{basename:%{S:2}}
%dir %{_sysconfdir}/apptainer
%config(noreplace) %{_sysconfdir}/apptainer/capability.json
%config(noreplace) %{_sysconfdir}/apptainer/cgroups
@@ -147,3 +182,12 @@
%dir %{_localstatedir}/lib/apptainer/mnt/session
%{_mandir}/man1/*
+%files sle15_5
+%{_datarootdir}/apptainer/templates/%{basename:%{S:3}}
+
+%files sle15_6
+%{_datarootdir}/apptainer/templates/%{basename:%{S:4}}
+
+%files leap
+%{_datarootdir}/apptainer/templates/%{basename:%{S:5}}
+
++ Leap.def ++
Bootstrap: zypper
MirrorURL: http://download.opensuse.org/distribution/openSUSE-stable/repo/oss
Include: zypper
%post
echo "Hello from post boot strap"
zypper in -y vim
++ README.SUSE ++
--- /var/tmp/diff_new_pack.t6ud2w/_old 2024-02-02 15:48:38.239644327 +0100
+++ /var/tmp/diff_new_pack.t6ud2w/_new 2024-02-02 15:48:38.243644472 +0100
@@ -12,15 +12,15 @@
SLE version and service
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-10-27 22:27:52
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.17445 (New)
Package is "apptainer"
Fri Oct 27 22:27:52 2023 rev:23 rq:1120777 version:1.2.3
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-09-28
00:30:23.663282854 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.17445/apptainer.changes
2023-10-27 22:28:14.075605571 +0200
@@ -1,0 +2,11 @@
+Tue Oct 24 06:02:44 UTC 2023 - Egbert Eich
+
+- Do not build squashfuse, require it as a dependency.
+ Removed: squashfuse-0.1.105.tar.gz, 70.patch
+- Replace awkward 'Obsoletes: singularity-*' as well as the
+ 'Provides: Singularity' by 'Conflicts:' and drop the provides -
+ the versioning scheme does not match and we do not automatically
+ migrate from one to the other.
+- Exclude platforms which do not provide all build dependencies.
+
+---
Old:
70.patch
squashfuse-0.1.105.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.5oGWO2/_old 2023-10-27 22:28:14.791631833 +0200
+++ /var/tmp/diff_new_pack.5oGWO2/_new 2023-10-27 22:28:14.791631833 +0200
@@ -19,9 +19,6 @@
%define apptainerpath src/github.com/apptainer/
%define _buildshell /bin/bash
-%global squashfuse_version 0.1.105
-#%%define vers_suffix -rc.1
-
Summary:Application and environment virtualization
# CRYPTOGAMS isn't known in OBS
#License:BSD-3-Clause-LBNL and (OpenSSL or CRYPTOGAMS)
@@ -32,8 +29,10 @@
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
-Provides: singularity
Obsoletes: singularity <= 3.8.5
+Conflicts: singularity
+Conflicts: singularity-ce
+Conflicts: singularity-runtime
Source0:
https://github.com/apptainer/apptainer/archive/v%{version}%{?vers_suffix}/apptainer-%{version}%{?vers_suffix}.tar.gz
Source1:README.SUSE
Source2:SLE-12SP5.def
@@ -42,10 +41,6 @@
Source5:leap.def
Source8:%{name}-rpmlintrc
Source9:vendor.tar.gz
-%if "%{?squashfuse_version}" != ""
-Source10:
https://github.com/vasi/squashfuse/archive/%{squashfuse_version}/squashfuse-%{squashfuse_version}.tar.gz
-Patch10:https://github.com/vasi/squashfuse/pull/70.patch
-%endif
BuildRequires: cryptsetup
BuildRequires: fdupes
BuildRequires: gcc
@@ -59,51 +54,26 @@
BuildRequires: binutils-gold
%endif
BuildRequires: libseccomp-devel
-%if "%{?squashfuse_version}" != ""
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: fuse3-devel
-BuildRequires: libtool
-BuildRequires: pkgconfig
-BuildRequires: pkgconfig(liblz4)
-BuildRequires: pkgconfig(liblzma)
-%endif
Requires: squashfs
+Requires: squashfuse
Recommends: fuse2fs
# Needed for container decryption in userspace, upstream rpms include this
# but factory should have this seperately
Recommends: gocryptfs
PreReq: permissions
-# there's no golang for ppc64, ppc64le does not have non pie builds
-ExcludeArch:ppc64 ppc64le
-
-Obsoletes: singularity
-Obsoletes: singularity-ce
-Obsoletes: singularity-runtime
+# there's no golang for ppc64 & %ix86, ppc64le does not have non pie builds
+ExcludeArch:ppc64 ppc64le %ix86 s390 s390x
%description
-Singularity provides functionality to make portable
+Apptainer provides functionality to make portable
containers that can be used across host environments.
%prep
-%if "%{?squashfuse_version}" != ""
-# the default directory for other steps is where the %prep section ends
-# so do main package last
-%setup -b 10 -n squashfuse-%{squashfuse_version}
-%patch -P 10 -p1
-%endif
%setup -q -n %{name}-%{version}%{?vers_suffix}
cp %{S:1} %{S:2} %{S:3} %{S:4} %{S:5} .
%build
-%if "%{?squashfuse_version}" != ""
-pushd ../squashfuse-%{squashfuse_version}
-./autogen.sh
-FLAGS=-std=c99 ./configure --enable-multithreading
-%make_build squashfuse_ll
-popd
-%endif
# create VERSION file
echo %version > VERSION
@@ -121,7 +91,7 @@
--includedir=%{_includedir} \
--libdir=%{_libdir} \
--libexecdir=%{_libexecdir} \
---localstatedir=%{_localstatedir} \
+--localstatedir=%{_localstatedir}/lib \
--sharedstatedir=%{_sharedstatedir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
@@ -137,10 +107,6 @@
%make_install -C builddir V=
-%if "%{?squashfuse_version}" != ""
-install -m 755 ../squashfuse-%{squashfuse_version}/squashfuse_ll
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2023-09-28 00:25:00 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.23327 (New) Package is "apptainer" Thu Sep 28 00:25:00 2023 rev:22 rq:1113853 version:1.2.3 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-07-28 22:20:42.209322419 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.23327/apptainer.changes 2023-09-28 00:30:23.663282854 +0200 @@ -1,0 +2,25 @@ +Wed Sep 27 10:17:11 UTC 2023 - Christian Goll + +- removed CRYPTOGAMS license as not known in OBS and OpenSSL is + also valid + +--- +Mon Sep 25 08:57:57 UTC 2023 - Christian Goll + +- updated to 1.2.3 with following changes: + * The apptainer push/pull commands now show a progress bar for the oras +protocol like there was for docker and library protocols. + * The --nv and --rocm flags can now be used simultaneously. + * Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action +commands that refer to instance://. + * Fix the issue that apptainer would not read credentials from the Docker +fallback path ~/.docker/config.json if missing in the apptainer +credentials. + +--- +Tue Aug 29 15:34:36 UTC 2023 - Lubos Kocman + +- Update license for the package to cover also OpenSSL and CRYPTOGAMS + part of chacha_ppc64le.s + +--- Old: apptainer-1.2.2.tar.gz New: apptainer-1.2.3.tar.gz Other differences: -- ++ apptainer.spec ++ --- /var/tmp/diff_new_pack.Lsb2Lg/_old 2023-09-28 00:30:25.435346818 +0200 +++ /var/tmp/diff_new_pack.Lsb2Lg/_new 2023-09-28 00:30:25.435346818 +0200 @@ -23,10 +23,12 @@ #%%define vers_suffix -rc.1 Summary:Application and environment virtualization -License:BSD-3-Clause-LBNL +# CRYPTOGAMS isn't known in OBS +#License:BSD-3-Clause-LBNL and (OpenSSL or CRYPTOGAMS) +License:BSD-3-Clause-LBNL AND OpenSSL Group: Productivity/Clustering/Computing Name: apptainer -Version:1.2.2 +Version:1.2.3 Release:0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL:https://apptainer.org ++ apptainer-1.2.2.tar.gz -> apptainer-1.2.3.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.2/.github/workflows/ci.yml new/apptainer-1.2.3/.github/workflows/ci.yml --- old/apptainer-1.2.2/.github/workflows/ci.yml2023-07-27 18:28:18.0 +0200 +++ new/apptainer-1.2.3/.github/workflows/ci.yml2023-09-14 17:00:48.0 +0200 @@ -324,7 +324,7 @@ # See https://github.com/apptainer/apptainer/issues/796 - name: Update fuse-overlayfs version run: | - sudo sh -c "echo 'deb http://archive.ubuntu.com/ubuntu kinetic universe' >/etc/apt/sources.list.d/kinetic.list" + sudo sh -c "echo 'deb http://old-releases.ubuntu.com/ubuntu kinetic universe' >/etc/apt/sources.list.d/kinetic.list" sudo apt-get -q update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y fuse-overlayfs - name: Enable full cgroups v2 delegation diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.2/CHANGELOG.md new/apptainer-1.2.3/CHANGELOG.md --- old/apptainer-1.2.2/CHANGELOG.md2023-07-27 18:28:18.0 +0200 +++ new/apptainer-1.2.3/CHANGELOG.md2023-09-14 17:00:48.0 +0200 @@ -5,11 +5,24 @@ and re-branded as Apptainer. For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md). +## v1.2.3 - \[2023-09-14\] + +- The `apptainer push/pull` commands now show a progress bar for the oras + protocol like there was for docker and library protocols. +- The `--nv` and `--rocm` flags can now be used simultaneously. +- Fix the use of `APPTAINER_CONFIGDIR` with `apptainer instance start` + and action commands that refer to `instance://`. +- Ignore undefined macros, to fix yum bootstrap agent on el7. +- Fix the issue that apptainer would not read credentials from the Docker + fallback path `~/.docker/config.json` if missing in the apptainer + credentials. + ## v1.2.2 - \[2023-07-27\] - Fix `$APPTAINER_MESSAGELEVEL` to correctly set the logging level. - Fix build failures when in setuid mode and unprivileged user namespaces are unavailable and the `--fakeroot`
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-07-28 22:20:38
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.32662 (New)
Package is "apptainer"
Fri Jul 28 22:20:38 2023 rev:21 rq:1101201 version:1.2.2
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-07-26
13:26:04.000768301 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.32662/apptainer.changes
2023-07-28 22:20:42.209322419 +0200
@@ -1,0 +2,8 @@
+Fri Jul 28 13:39:30 UTC 2023 - Christian Goll
+
+- updated to 1.2.2 with following changes:
+ * Fix $APPTAINER_MESSAGELEVEL to correctly set the logging level.
+ * Fix build failures when in setuid mode and unprivileged user namespaces are
+unavailable and the --fakeroot option is not selected.
+
+---
Old:
apptainer-1.2.1.tar.gz
New:
apptainer-1.2.2.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.xST4X0/_old 2023-07-28 22:20:43.205328472 +0200
+++ /var/tmp/diff_new_pack.xST4X0/_new 2023-07-28 22:20:43.209328497 +0200
@@ -26,7 +26,7 @@
License:BSD-3-Clause-LBNL
Group: Productivity/Clustering/Computing
Name: apptainer
-Version:1.2.1
+Version:1.2.2
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
++ apptainer-1.2.1.tar.gz -> apptainer-1.2.2.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.1/CHANGELOG.md
new/apptainer-1.2.2/CHANGELOG.md
--- old/apptainer-1.2.1/CHANGELOG.md2023-07-24 22:33:41.0 +0200
+++ new/apptainer-1.2.2/CHANGELOG.md2023-07-27 18:28:18.0 +0200
@@ -5,6 +5,12 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
+## v1.2.2 - \[2023-07-27\]
+
+- Fix `$APPTAINER_MESSAGELEVEL` to correctly set the logging level.
+- Fix build failures when in setuid mode and unprivileged user namespaces
+ are unavailable and the `--fakeroot` option is not selected.
+
## v1.2.1 - \[2023-07-24\]
### Security fix
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.1/INSTALL.md
new/apptainer-1.2.2/INSTALL.md
--- old/apptainer-1.2.1/INSTALL.md 2023-07-24 22:33:41.0 +0200
+++ new/apptainer-1.2.2/INSTALL.md 2023-07-27 18:28:18.0 +0200
@@ -137,7 +137,7 @@
for example:
```sh
-git checkout v1.2.1
+git checkout v1.2.2
```
## Compiling Apptainer
@@ -272,7 +272,7 @@
```sh
-VERSION=1.2.1 # this is the apptainer version, change as you need
+VERSION=1.2.2 # this is the apptainer version, change as you need
# Fetch the source
wget
https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
```
@@ -324,7 +324,7 @@
```sh
-VERSION=1.2.1 # this is the latest apptainer version, change as you need
+VERSION=1.2.2 # this is the latest apptainer version, change as you need
./mconfig
make -C builddir rpm
sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr -
\~)*.x86_64.rpm
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.1/cmd/internal/cli/apptainer.go
new/apptainer-1.2.2/cmd/internal/cli/apptainer.go
--- old/apptainer-1.2.1/cmd/internal/cli/apptainer.go 2023-07-24
22:33:41.0 +0200
+++ new/apptainer-1.2.2/cmd/internal/cli/apptainer.go 2023-07-27
18:28:18.0 +0200
@@ -15,11 +15,13 @@
"context"
"fmt"
"io"
+ "math"
"os"
"os/exec"
"os/signal"
"os/user"
"path/filepath"
+ "strconv"
"strings"
"text/template"
@@ -271,18 +273,26 @@
func setSylogMessageLevel() {
var level int
+ l, err := strconv.Atoi(env.GetenvLegacy("MESSAGELEVEL", "MESSAGELEVEL"))
+ if err == nil {
+ level = l
+ }
+
if debug {
level = 5
// Propagate debug flag to nested `apptainer` calls.
os.Setenv("APPTAINER_DEBUG", "1")
} else if verbose {
level = 4
+ os.Setenv("APPTAINER_VERBOSE", "1")
} else if quiet {
level = -1
+ os.Setenv("APPTAINER_QUIET", "1")
} else if silent {
level = -3
+ os.Setenv("APPTAINER_SILENT", "1")
} else {
- level = 1
+
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-07-26 13:24:51
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.15225 (New)
Package is "apptainer"
Wed Jul 26 13:24:51 2023 rev:20 rq:1100792 version:1.2.1
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-07-25
11:52:47.454045366 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.15225/apptainer.changes
2023-07-26 13:26:04.000768301 +0200
@@ -1,0 +2,6 @@
+Wed Jul 26 07:33:42 UTC 2023 - Christian Goll
+
+- updated to 1.2.1 to fix CVE-2023-38496 although not relevant as package is
+ compiled with setuid
+
+---
Old:
apptainer-1.2.0.tar.gz
New:
apptainer-1.2.1.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.Yt9ahQ/_old 2023-07-26 13:26:04.784773032 +0200
+++ /var/tmp/diff_new_pack.Yt9ahQ/_new 2023-07-26 13:26:04.792773081 +0200
@@ -26,7 +26,7 @@
License:BSD-3-Clause-LBNL
Group: Productivity/Clustering/Computing
Name: apptainer
-Version:1.2.0
+Version:1.2.1
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
++ apptainer-1.2.0.tar.gz -> apptainer-1.2.1.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.0/CHANGELOG.md
new/apptainer-1.2.1/CHANGELOG.md
--- old/apptainer-1.2.0/CHANGELOG.md2023-07-18 17:19:51.0 +0200
+++ new/apptainer-1.2.1/CHANGELOG.md2023-07-24 22:33:41.0 +0200
@@ -5,6 +5,18 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
+## v1.2.1 - \[2023-07-24\]
+
+### Security fix
+
+- Included a fix for
+ [security advisory
GHSA-mmx5-32m4-wxvx](https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx)
+ which describes an ineffective privilege drop when requesting a
+ container network with a setuid installation of Apptainer.
+ The vulnerability allows an attacker to delete any directory on the
+ host filesystems with a crafted starter config.
+ Only affects v1.2.0-rc.2 and v1.2.0.
+
## v1.2.0 - \[2023-07-18\]
Changes since v1.1.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.0/INSTALL.md
new/apptainer-1.2.1/INSTALL.md
--- old/apptainer-1.2.0/INSTALL.md 2023-07-18 17:19:51.0 +0200
+++ new/apptainer-1.2.1/INSTALL.md 2023-07-24 22:33:41.0 +0200
@@ -137,7 +137,7 @@
for example:
```sh
-git checkout v1.2.0
+git checkout v1.2.1
```
## Compiling Apptainer
@@ -272,7 +272,7 @@
```sh
-VERSION=1.2.0 # this is the apptainer version, change as you need
+VERSION=1.2.1 # this is the apptainer version, change as you need
# Fetch the source
wget
https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
```
@@ -324,7 +324,7 @@
```sh
-VERSION=1.2.0 # this is the latest apptainer version, change as you need
+VERSION=1.2.1 # this is the latest apptainer version, change as you need
./mconfig
make -C builddir rpm
sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr -
\~)*.x86_64.rpm
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.0/go.mod new/apptainer-1.2.1/go.mod
--- old/apptainer-1.2.0/go.mod 2023-07-18 17:19:51.0 +0200
+++ new/apptainer-1.2.1/go.mod 2023-07-24 22:33:41.0 +0200
@@ -29,7 +29,7 @@
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc4
github.com/opencontainers/runc v1.1.7
- github.com/opencontainers/runtime-spec v1.1.0-rc.3
+ github.com/opencontainers/runtime-spec v1.1.0
github.com/opencontainers/runtime-tools
v0.9.1-0.20221107090550-2e043c6bd626
github.com/opencontainers/selinux v1.11.0
github.com/opencontainers/umoci v0.4.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.2.0/go.sum new/apptainer-1.2.1/go.sum
--- old/apptainer-1.2.0/go.sum 2023-07-18 17:19:51.0 +0200
+++ new/apptainer-1.2.1/go.sum 2023-07-24 22:33:41.0 +0200
@@ -433,8 +433,8 @@
github.com/opencontainers/runtime-spec v1.0.2/go.mod
h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec
v1.0.3-0.20200710190001-3e4195d92445/go.mod
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-07-25 11:51:03
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.1467 (New)
Package is "apptainer"
Tue Jul 25 11:51:03 2023 rev:19 rq:1100359 version:1.2.0
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-07-18
22:07:44.262859304 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.1467/apptainer.changes
2023-07-25 11:52:47.454045366 +0200
@@ -1,0 +2,78 @@
+Wed Jun 14 08:34:27 UTC 2023 - Christian Goll
+
+- update to 1.2.0 with following changes:
+ * binary is built reproducible which disables plugins
+ * Create the current working directory in a container when it doesn't exist.
+This restores behavior as it was before singularity 3.6.0. As a result,
+using --no-mount home won't have any effect when running apptainer from a
+home directory and will require --no-mount home,cwd to avoid mounting that
+directory.
+ * Handle current working directory paths containing symlinks both on the host
+and in a container but pointing to different destinations. If detected, the
+current working directory is not mounted when the destination directory in
+the container exists.
+ * Destination mount points are now sorted by shortest path first to ensure
+that a user bind doesn't override a previous bind path when set in
+arbitrary order on the CLI. This is also applied to image binds.
+ * When the kernel supports unprivileged overlay mounts in a user namespace,
+the container will be constructed by default using an overlay instead of an
+underlay layout for bind mounts. A new --underlay action option can be used
+to prefer underlay instead of overlay.
+ * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
+installations. This is an increase from 16 MiB in prior versions.
+ * The apptainer cache is now architecture aware, so the same home directory
+cache can be shared by machines with different architectures.
+ * Overlay is blocked on the panfs filesystem, allowing sandbox directories to
+be run from panfs without error.
+ * Lookup and store user/group information in stage one prior to entering any
+namespaces, to fix an issue with winbind not correctly looking up
+user/group information when using user namespaces.
+- New features / functionalities
+ * Support for unprivileged encryption of SIF files using gocryptfs. This is
+not compatible with privileged encryption, so containers encrypted by root
+need to be rebuilt by an unprivileged user.
+ * Templating support for definition files. Users can now define variables in
+definition files via a matching pair of double curly brackets. Variables of
+the form {{ variable }} will be replaced by a value defined either by a
+variable=value entry in the %arguments section of the definition file or
+through new build options --build-arg or --build-arg-file.
+ * Add a new instance run command that will execute the runscript when an
+instance is initiated instead of executing the startscript.
+ * The sign and verify commands now support signing and verification with
+non-PGP key material by specifying the path to a private key via the --key
+flag.
+ * The verify command now supports verification with X.509 certificates by
+specifying the path to a certificate via the --certificate flag. By
+default, the system root certificate pool is used as trust anchors unless
+overridden via the --certificate-roots flag. A pool of intermediate
+certificates that are not trust anchors, but can be used to form a
+certificate chain, can also be specified via the
+--certificate-intermediates flag.
+ * Support for online verification checks of X.509 certificates using OCSP
+protocol via the new verify --ocsp-verify option.
+ * The instance stats command displays the resource usage every second. The
+--no-stream option disables this interactive mode and shows the
+point-in-time usage.
+ * Instances are now started in a cgroup by default, when run as root or when
+unified cgroups v2 with systemd as manager is configured. This allows
+apptainer instance stats to be supported by default when possible.
+ * The instance start command now accepts an optional --app argument
+which invokes a start script within the %appstart section in the
+definition file. The instance stop command still only requires the instance
+name.
+ * The instance name is now available inside an instance via the new
+APPTAINER_INSTANCE environment variable.
+ * The --no-mount flag now accepts the value bind-paths to disable mounting of
+all
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2023-07-18 22:07:32 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.3193 (New) Package is "apptainer" Tue Jul 18 22:07:32 2023 rev:18 rq:1099096 version:1.1.9 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-04-28 16:24:39.822463887 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.3193/apptainer.changes 2023-07-18 22:07:44.262859304 +0200 @@ -1,0 +2,14 @@ +Tue Jun 13 14:00:33 UTC 2023 - Christian Goll + +- update to 1.1.9 with following changes: + * Remove warning about unknown xino=on option from fuse-overlayfs, introduced +in 1.1.8. + * Ignore extraneous warning from fuse-overlayfs about a readonly /proc. + * Fix dropped "n" characters on some platforms in definition file stored as +part of SIF metadata. + * Remove duplicated group ids. + * Fix not being able to handle multiple entries in LD_PRELOAD when binding +fakeroot into container during apptainer startup for --fakeroot with +fakeroot command. + +--- Old: apptainer-1.1.8.tar.gz New: apptainer-1.1.9.tar.gz Other differences: -- ++ apptainer.spec ++ --- /var/tmp/diff_new_pack.wuMuSO/_old 2023-07-18 22:07:44.978863307 +0200 +++ /var/tmp/diff_new_pack.wuMuSO/_new 2023-07-18 22:07:44.982863329 +0200 @@ -25,7 +25,7 @@ License:BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version:1.1.8 +Version:1.1.9 Release:0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL:https://apptainer.org ++ apptainer-1.1.8.tar.gz -> apptainer-1.1.9.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.8/CHANGELOG.md new/apptainer-1.1.9/CHANGELOG.md --- old/apptainer-1.1.8/CHANGELOG.md2023-04-25 17:50:20.0 +0200 +++ new/apptainer-1.1.9/CHANGELOG.md2023-06-07 17:51:35.0 +0200 @@ -5,11 +5,25 @@ and re-branded as Apptainer. For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md). +## v1.1.9 - \[2023-06-07\] + +### Bug fixes + +- Remove warning about unknown `xino=on` option from fuse-overlayfs, + introduced in 1.1.8. +- Ignore extraneous warning from fuse-overlayfs about a readonly `/proc`. +- Fix dropped "n" characters on some platforms in definition file stored as part + of SIF metadata. +- Remove duplicated group ids. +- Fix not being able to handle multiple entries in `LD_PRELOAD` when + binding fakeroot into container during apptainer startup for --fakeroot + with fakeroot command. + ## v1.1.8 - \[2023-04-25\] ### Security fix -- Included a fix for [CVE-2023-30549](https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7) +- Included a fix for [CVE-2023-30549](https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg) which is a vulnerability in setuid-root installations of Apptainer and Singularity that causes an elevation in severity of an existing ext4 filesystem driver vulnerability that is unpatched in several diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.8/CODE_OF_CONDUCT.md new/apptainer-1.1.9/CODE_OF_CONDUCT.md --- old/apptainer-1.1.8/CODE_OF_CONDUCT.md 2023-04-25 17:50:20.0 +0200 +++ new/apptainer-1.1.9/CODE_OF_CONDUCT.md 2023-06-07 17:51:35.0 +0200 @@ -55,7 +55,7 @@ ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project leader (gmkurt...@gmail.com). All +reported by contacting the project leader (`gmkurt...@gmail.com`). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.8/CONTRIBUTORS.md new/apptainer-1.1.9/CONTRIBUTORS.md --- old/apptainer-1.1.8/CONTRIBUTORS.md 2023-04-25 17:50:20.0 +0200 +++ new/apptainer-1.1.9/CONTRIBUTORS.md 2023-06-07 17:51:35.0 +0200 @@ -81,6 +81,7 @@ - Satish Chebrolu - Shane Loretz , - Shengjing Zhu +- Subil Abraham - Tarcisio Fedrizzi - Thomas Hamel - Tim Wright <7im.wri...@protonmail.com> diff -urN '--exclude=CVS' '--exclude=.cvsignore'
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-04-28 16:23:41
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.1533 (New)
Package is "apptainer"
Fri Apr 28 16:23:41 2023 rev:17 rq:1083268 version:1.1.8
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-03-29
23:28:07.343752744 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.1533/apptainer.changes
2023-04-28 16:24:39.822463887 +0200
@@ -1,0 +2,19 @@
+Thu Apr 27 12:59:22 UTC 2023 - Christian Goll
+
+- Included a fix for CVE-2023-30549 which is a vulnerability in setuid-root
+ installations of Apptainer iwhich was not active in the recent openSUSE
+ packages. Still this is included for completenss. The fix adds allow
+ setuid-mount configuration options encrypted, squashfs, and extfs, and makes
+ the default for extfs be "no". That disables the use of extfs mounts
+ including for overlays or binds while in the setuid-root mode, while leaving
+ it enabled for unprivileged user namespace mode. The default for encrypted
+ and squashfs is "yes".
+- Other bug fixes:
+ * Fix loop device 'no such device or address' spurious errors when using
shared
+loop devices.
+ * Add xino=on mount option for writable kernel overlay mount points to fix
+inode numbers consistency after kernel cache flush (not applicable to
+fuse-overlayfs).
+
+
+---
Old:
apptainer-1.1.7.tar.gz
New:
apptainer-1.1.8.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.sMCmqG/_old 2023-04-28 16:24:43.114483102 +0200
+++ /var/tmp/diff_new_pack.sMCmqG/_new 2023-04-28 16:24:43.118483125 +0200
@@ -25,7 +25,7 @@
License:BSD-3-Clause-LBNL
Group: Productivity/Clustering/Computing
Name: apptainer
-Version:1.1.7
+Version:1.1.8
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
++ apptainer-1.1.7.tar.gz -> apptainer-1.1.8.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.7/CHANGELOG.md
new/apptainer-1.1.8/CHANGELOG.md
--- old/apptainer-1.1.7/CHANGELOG.md2023-03-28 22:17:08.0 +0200
+++ new/apptainer-1.1.8/CHANGELOG.md2023-04-25 17:50:20.0 +0200
@@ -5,6 +5,31 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
+## v1.1.8 - \[2023-04-25\]
+
+### Security fix
+
+- Included a fix for
[CVE-2023-30549](https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7)
+ which is a vulnerability in setuid-root installations of Apptainer
+ and Singularity that causes an elevation in severity of an existing
+ ext4 filesystem driver vulnerability that is unpatched in several
+ older but still actively supported operating systems including RHEL7,
+ Debian 10, Ubuntu 18.04 and Ubuntu 20.04.
+ The fix adds `allow setuid-mount` configuration options `encrypted`,
+ `squashfs`, and `extfs`, and makes the default for `extfs` be "no".
+ That disables the use of extfs mounts including for overlays or
+ binds while in the setuid-root mode, while leaving it enabled for
+ unprivileged user namespace mode.
+ The default for `encrypted` and `squashfs` is "yes".
+
+### Other changes
+
+- Fix loop device 'no such device or address' spurious errors when using shared
+ loop devices.
+- Remove unwanted colors to STDERR.
+- Add `xino=on` mount option for writable kernel overlay mount points to fix
+ inode numbers consistency after kernel cache flush (not applicable to
fuse-overlayfs).
+
## v1.1.7 - \[2023-03-28\]
### Changes since last release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.7/INSTALL.md
new/apptainer-1.1.8/INSTALL.md
--- old/apptainer-1.1.7/INSTALL.md 2023-03-28 22:17:08.0 +0200
+++ new/apptainer-1.1.8/INSTALL.md 2023-04-25 17:50:20.0 +0200
@@ -137,7 +137,7 @@
for example:
```sh
-git checkout v1.1.7
+git checkout v1.1.8
```
## Compiling Apptainer
@@ -259,7 +259,7 @@
```sh
-VERSION=1.1.7 # this is the apptainer version, change as you need
+VERSION=1.1.8 # this is the apptainer version, change as you need
# Fetch the source
wget
https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
```
@@ -308,7 +308,7 @@
```sh
-VERSION=1.1.7 # this is the
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-03-29 23:28:06
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.31432 (New)
Package is "apptainer"
Wed Mar 29 23:28:06 2023 rev:16 rq:1075177 version:1.1.7
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-03-08
14:54:18.891245285 +0100
+++ /work/SRC/openSUSE:Factory/.apptainer.new.31432/apptainer.changes
2023-03-29 23:28:07.343752744 +0200
@@ -1,0 +2,17 @@
+Wed Mar 29 08:14:47 UTC 2023 - Christian Goll
+
+- updated to 1.1.7 with following changes:
+ * removed simpler-sif-building.patch as this was incoperated upstream
+ * Allow gpu options such as --nv to be nested by always inheriting all
+libraries bound in to a parent container's /.singularity.d/libs.
+ * Map the user's home directory to the root home directory by default in the
+non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both
+action commands and building containers from definition files.
+ * Make the error message more helpful in another place where a remote is
+found to have no library client.
+ * Avoid incorrect error when requesting fakeroot network.
+ * Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where
+unsquashfs on host uses libraries in non-default paths.
+
+
+---
Old:
apptainer-1.1.6.tar.gz
simpler-sif-building.patch
New:
apptainer-1.1.7.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.UfMsZv/_old 2023-03-29 23:28:08.047756506 +0200
+++ /var/tmp/diff_new_pack.UfMsZv/_new 2023-03-29 23:28:08.051756528 +0200
@@ -25,7 +25,7 @@
License:BSD-3-Clause-LBNL
Group: Productivity/Clustering/Computing
Name: apptainer
-Version:1.1.6
+Version:1.1.7
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
@@ -39,7 +39,6 @@
Source5:leap.def
Source8:%{name}-rpmlintrc
Source9:vendor.tar.gz
-Patch1: simpler-sif-building.patch
%if "%{?squashfuse_version}" != ""
Source10:
https://github.com/vasi/squashfuse/archive/%{squashfuse_version}/squashfuse-%{squashfuse_version}.tar.gz
Patch10:https://github.com/vasi/squashfuse/pull/70.patch
@@ -63,7 +62,8 @@
BuildRequires: fuse3-devel
BuildRequires: libtool
BuildRequires: pkgconfig
-BuildRequires: zlib-devel
+BuildRequires: pkgconfig(liblz4)
+BuildRequires: pkgconfig(liblzma)
%endif
Requires: squashfs
Recommends: fuse2fs
@@ -88,7 +88,6 @@
%patch -P 10 -p1
%endif
%setup -q -n %{name}-%{version}
-%patch1 -p 1
cp %{S:1} %{S:2} %{S:3} %{S:4} %{S:5} .
%build
++ apptainer-1.1.6.tar.gz -> apptainer-1.1.7.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.6/CHANGELOG.md
new/apptainer-1.1.7/CHANGELOG.md
--- old/apptainer-1.1.6/CHANGELOG.md2023-02-14 18:57:18.0 +0100
+++ new/apptainer-1.1.7/CHANGELOG.md2023-03-28 22:17:08.0 +0200
@@ -5,6 +5,28 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
+## v1.1.7 - \[2023-03-28\]
+
+### Changes since last release
+
+- Allow gpu options such as `--nv` to be nested by always inheriting all
+ libraries bound in to a parent container's `/.singularity.d/libs`.
+- Map the user's home directory to the root home directory by default in the
+ non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both
+ action commands and building containers from definition files.
+- Avoid `unknown option` error when using a bare squashfs image with
+ an unpatched `squashfuse_ll`.
+- Fix `GOCACHE` settings for golang build on PPA build environment.
+- Make the error message more helpful in another place where a remote is found
+ to have no library client.
+- Allow symlinks to the compiled prefix for suid installations. Fixes a
+ regression introduced in 1.1.4.
+- Avoid incorrect error when requesting fakeroot network.
+- Build via zypper on SLE systems will use repositories of host via
+ suseconnect-container.
+- Pass computed `LD_LIBRARY_PATH` to wrapped unsquashfs. Fixes issues where
+ `unsquashfs` on host uses libraries in non-default paths.
+
## v1.1.6 - \[2023-02-14\]
### Security fix
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.6/CONTRIBUTORS.md
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2023-03-08 14:54:18
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.31432 (New)
Package is "apptainer"
Wed Mar 8 14:54:18 2023 rev:15 rq:1070160 version:1.1.6
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-02-16
16:56:31.154860669 +0100
+++ /work/SRC/openSUSE:Factory/.apptainer.new.31432/apptainer.changes
2023-03-08 14:54:18.891245285 +0100
@@ -1,0 +2,9 @@
+Fri Feb 24 13:22:57 UTC 2023 - Christian Goll
+
+- added simple sif building for SLE systems via suseconnect-container
+- added files:
+ * simpler-sif-building.patch
+ * SLE-12SP5.def
+ * leap.def
+
+---
Old:
SLE-15SP3.def
New:
SLE-15SP5.def
SLE.def
leap.def
simpler-sif-building.patch
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.EYqwC5/_old 2023-03-08 14:54:19.439248269 +0100
+++ /var/tmp/diff_new_pack.EYqwC5/_new 2023-03-08 14:54:19.443248291 +0100
@@ -34,9 +34,12 @@
Source0:
https://github.com/apptainer/apptainer/archive/v%{version}%{?vers_suffix}/apptainer-%{version}%{?vers_suffix}.tar.gz
Source1:README.SUSE
Source2:SLE-12SP5.def
-Source3:SLE-15SP3.def
-Source5:%{name}-rpmlintrc
+Source3:SLE-15SP5.def
+Source4:SLE.def
+Source5:leap.def
+Source8:%{name}-rpmlintrc
Source9:vendor.tar.gz
+Patch1: simpler-sif-building.patch
%if "%{?squashfuse_version}" != ""
Source10:
https://github.com/vasi/squashfuse/archive/%{squashfuse_version}/squashfuse-%{squashfuse_version}.tar.gz
Patch10:https://github.com/vasi/squashfuse/pull/70.patch
@@ -85,7 +88,8 @@
%patch -P 10 -p1
%endif
%setup -q -n %{name}-%{version}
-cp %{S:1} %{S:2} %{S:3} .
+%patch1 -p 1
+cp %{S:1} %{S:2} %{S:3} %{S:4} %{S:5} .
%build
%if "%{?squashfuse_version}" != ""
++ README.SUSE ++
--- /var/tmp/diff_new_pack.EYqwC5/_old 2023-03-08 14:54:19.507248639 +0100
+++ /var/tmp/diff_new_pack.EYqwC5/_new 2023-03-08 14:54:19.511248661 +0100
@@ -6,20 +6,22 @@
1. Create a bootdef file (for instance 'sle.def'), add
BootStrap: zypper
-2. Set the OS version:
+2. Set the optional OS version:
OSVersion: 15.0
The version number corresponds to the Leap version or the
SLE version and service pack level: .
Example: SLE-12 SP4 would be 12.4.
The inital release of a major version corresponds to
0.
-3. For openSUSE the following additional variables need to be
+3. For openSUSE the following variables need to be
specified:
- * MirrorURL: URL to the installation repository.
-Check 'man 8 zypper' for supported formats
+ * MirrorURL: URL to the installation repository. Following URL
+ should be work:
+ http://download.opensuse.org/distribution/openSUSE-stable/repo/oss
* UpdateURL: (optional) URI of the update repository
-4. For SLE, all required settings are obtained from SCC.
- The following variables are recognized:
+4. For SLE, all required settings are obtained from SCC via
+ suseconnect-container. If the container should be registered separately
+ the following variables are recognized:
* Product: The product code: The following forms may be
used:
@@ -51,8 +53,8 @@
Examples
-Example defintions for SLE12-SP5 and SLE15-SP3 are in the same
-directory as README.SUSE
+Example defintions for openSUSE leap, registration via suseconnect-container,
SLE12-SP5
+and SLE15-SP5 are in the same directory as README.SUSE
ProductPGP
==
++ SLE-12SP5.def ++
--- /var/tmp/diff_new_pack.EYqwC5/_old 2023-03-08 14:54:19.531248771 +0100
+++ /var/tmp/diff_new_pack.EYqwC5/_new 2023-03-08 14:54:19.535248792 +0100
@@ -36,18 +36,6 @@
%post
ln -s /etc/products.d/SLE-HPC.prod /etc/products.d/baseproduct
-SUSEConnect -p PackageHub/12.5/x86_64
-zypper install -y bash coreutils e2fsprogs \
-ethtool filesystem findutils gawk grep \
-iputils iproute2 net-tools nfs-client pam psmisc rsync sed \
-rsyslog util-linux words wicked tar less \
-gzip which util-linux \
-pciutils vim strace sudo syslinux tcpdump timezone chrony cpio \
-wget openssh
-# up to here, its a base container, line below can be used
-# used for warewulf
-zypper install -y ipmitool kernel-default
-
-systemctl enable sshd
-
+echo "Hello from post boot strap"
+zypper install -y vim
++ SLE-15SP3.def -> SLE-15SP5.def ++
---
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2023-02-16 16:56:15 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.22824 (New) Package is "apptainer" Thu Feb 16 16:56:15 2023 rev:14 rq:1065997 version:1.1.6 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-01-12 22:45:24.745241890 +0100 +++ /work/SRC/openSUSE:Factory/.apptainer.new.22824/apptainer.changes 2023-02-16 16:56:31.154860669 +0100 @@ -1,0 +2,30 @@ +Wed Feb 15 09:01:08 UTC 2023 - Christian Goll + +- update to 1.1.6 with following changes: + + * Included a fix for CVE-2022-23538 which potentially leaked user credentials +to a third-party S3 storage service when using the library:// protocol. See +the https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7 +for details. + * Make PS1 environment variable changeable via %environment section on +definition file that used to be only changeable via APPTAINERENV_PS1 +outside of container. This makes the container's prompt customizable. + * Fix the passing of nested bind mounts when there are multiple binds +separated by commas and some of them have colons separating sources and +destinations. + * Hide messages about SINGULARITY variables if corresponding APPTAINER +variables are defined. Fixes a regression introduced in 1.1.4. + * Print a warning if extra arguments are given to a shell action, and show in +the run action usage that arguments may be passed. + * Check for the existence of the runtime executable prefix, to avoid issues +when running under Slurm's srun. If it doesn't exist, fall back to the +compile-time prefix. + * Increase the timeout on image driver (that is, FUSE) mounts from 2 seconds +to 10 seconds. Instead, print an INFO message if it takes more than 2 +seconds. + * If a remote is defined both globally (i.e. system-wide) and individually, +change apptainer remote commands to print an info message instead of +exiting with a fatal error and to give precedence to the individual +configuration. + +--- Old: apptainer-1.1.5.tar.gz New: apptainer-1.1.6.tar.gz Other differences: -- ++ apptainer.spec ++ --- /var/tmp/diff_new_pack.EAeLfc/_old 2023-02-16 16:56:32.670866728 +0100 +++ /var/tmp/diff_new_pack.EAeLfc/_new 2023-02-16 16:56:32.674866745 +0100 @@ -25,7 +25,7 @@ License:BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version:1.1.5 +Version:1.1.6 Release:0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL:https://apptainer.org ++ apptainer-1.1.5.tar.gz -> apptainer-1.1.6.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.5/CHANGELOG.md new/apptainer-1.1.6/CHANGELOG.md --- old/apptainer-1.1.5/CHANGELOG.md2023-01-10 13:19:27.0 +0100 +++ new/apptainer-1.1.6/CHANGELOG.md2023-02-14 18:57:18.0 +0100 @@ -5,6 +5,44 @@ and re-branded as Apptainer. For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md). +## v1.1.6 - \[2023-02-14\] + +### Security fix + +- Included a fix for [CVE-2022-23538](https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7) + which potentially leaked user credentials to a third-party S3 storage + service when using the `library://` protocol. See the link for details. + +### Other changes + +- Restored the ability for running instances to be tracked when apptainer + is installed with tools/install-unprivileged.sh. Instance tracking + depends on argument 0 of the starter, which was not getting preserved. +- Fix `GOCACHE` environment variable settings when building debian source + package on PPA build environment. +- Make `PS1` environment variable changeable via `%environment` section on + definition file that used to be only changeable via `APPTAINERENV_PS1` + outside of container. This makes the container's prompt customizable. +- Fix the passing of nested bind mounts when there are multiple binds + separated by commas and some of them have colons separating sources + and destinations. +- Added `Provides: bundled(golang())` statements to the rpm packaging + for each bundled golang module. +- Hide messages about SINGULARITY variables if corresponding APPTAINER + variables are defined. Fixes a regression introduced in 1.1.4. +- Print a
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2023-01-12 22:45:13 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.32243 (New) Package is "apptainer" Thu Jan 12 22:45:13 2023 rev:13 rq:1058009 version:1.1.5 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-12-21 16:07:28.846826362 +0100 +++ /work/SRC/openSUSE:Factory/.apptainer.new.32243/apptainer.changes 2023-01-12 22:45:24.745241890 +0100 @@ -1,0 +2,15 @@ +Wed Jan 11 10:25:45 UTC 2023 - Christian Goll + +- Update to 1.1.5 with following changes: + * Fix the use of fakeroot, faked, and libfakeroot.so if they are not suffixed +by -sysv, as is for instance the case on Gentoo Linux. + * Prevent the use of a --libexecdir or --bindir mconfig option from making +apptainer think it was relocated and so preventing use of suid mode. The +bug was introduced in v1.1.4. + * Add helpful error message for build --remote option. + * Add more helpful error message when no library endpoint found. + * Avoid cleanup errors on exit when mountpoints are busy by doing a lazy +unmount if a regular unmount doesn't work after 10 tries. + * Make messages about using SINGULARITY variables less scary. + +--- Old: apptainer-1.1.4.tar.gz New: apptainer-1.1.5.tar.gz Other differences: -- ++ apptainer.spec ++ --- /var/tmp/diff_new_pack.84Qgdx/_old 2023-01-12 22:45:26.121249614 +0100 +++ /var/tmp/diff_new_pack.84Qgdx/_new 2023-01-12 22:45:26.133249681 +0100 @@ -1,7 +1,7 @@ # # spec file for package apptainer # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ License:BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version:1.1.4 +Version:1.1.5 Release:0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL:https://apptainer.org ++ apptainer-1.1.4.tar.gz -> apptainer-1.1.5.tar.gz ++ 3567 lines of diff (skipped)
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-12-21 16:07:27
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.1835 (New)
Package is "apptainer"
Wed Dec 21 16:07:27 2022 rev:12 rq:1044084 version:1.1.4
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-12-20
20:21:58.226365991 +0100
+++ /work/SRC/openSUSE:Factory/.apptainer.new.1835/apptainer.changes
2022-12-21 16:07:28.846826362 +0100
@@ -1,0 +2,6 @@
+Wed Dec 21 13:17:54 UTC 2022 - Christian Goll
+
+- moved run dir from /var/lib/apptainer to /var/apptainer to be closer
+ to upstream
+
+---
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.ypLtHd/_old 2022-12-21 16:07:29.490829836 +0100
+++ /var/tmp/diff_new_pack.ypLtHd/_new 2022-12-21 16:07:29.494829857 +0100
@@ -112,7 +112,7 @@
--includedir=%{_includedir} \
--libdir=%{_libdir} \
--libexecdir=%{_libexecdir} \
---localstatedir=%{_localstatedir}/lib \
+--localstatedir=%{_localstatedir} \
--sharedstatedir=%{_sharedstatedir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
@@ -168,9 +168,9 @@
%config(noreplace) %{_sysconfdir}/apptainer/rocmliblist.conf
%config(noreplace) %{_sysconfdir}/apptainer/dmtcp-conf.yaml
%{_datadir}/bash-completion/completions/*
-%dir %{_localstatedir}/lib/apptainer
-%dir %{_localstatedir}/lib/apptainer/mnt
-%dir %{_localstatedir}/lib/apptainer/mnt/session
+%dir %{_localstatedir}/apptainer
+%dir %{_localstatedir}/apptainer/mnt
+%dir %{_localstatedir}/apptainer/mnt/session
%{_mandir}/man1/*
%changelog
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2022-12-20 20:21:17 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.1835 (New) Package is "apptainer" Tue Dec 20 20:21:17 2022 rev:11 rq:1043931 version:1.1.4 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-10-28 19:32:19.947474458 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.1835/apptainer.changes 2022-12-20 20:21:58.226365991 +0100 @@ -1,0 +2,43 @@ +Tue Dec 20 14:14:43 UTC 2022 - Christian Goll + +- Update to 1.1.4 with following changes: + * Make the binaries built in the unprivileged apptainer package relocatable. +When moving the binaries to a new location, the /usr at the top of some of +the paths needs to be removed. Relocation is disallowed when the +starter-suid is present, for security reasons. + * Change the warning when an overlay image is not writable, introduced in +v1.1.3, back into a (more informative) fatal error because it doesn't +actually enter the container environment. + * Set the --net flag if --network or --network-args is set rather than +silently ignoring them if --net was not set. + * Do not hang on pull from http(s) source that doesn't provide a content-length. + * Avoid hang on fakeroot cleanup under high load seen on some distributions / kernels. + * Remove obsolete pacstrap -d in Arch packer. + * Adjust warning message for deprecated environment variables usage. + * Enable the --security uid:N and --security gid:N options to work when run +in non-suid mode. In non-suid mode they work with any user, not just root. +Unlike with root and suid mode, however, only one gid may be set in +non-suid mode. +- Changes from 1.1.3 + * Prefer the fakeroot-sysv command over the fakeroot command because the +latter can be linked to either fakeroot-sysv or fakeroot-tcp, but +fakeroot-sysv is much faster. + * Update the included squashfuse_ll to have -o uid=N and -o gid=N options and +changed the corresponding image driver to use them when available. This +makes files inside sif files appear to be owned by the user instead of by +the nobody id 65534 when running in non-setuid mode. + * Fix the locating of shared libraries when running unsquashfs from a non-standard location. + * Properly clean up temporary files if unsquashfs fails. + * Fix the creation of missing bind points when using image binding with underlay. + * Change the error when an overlay image is not writable into a warning that +suggests adding :ro to make it read only or using --fakeroot. + * Avoid permission denied errors during unprivileged builds without +/etc/subuid-based fakeroot when /var/lib/containers/sigstore is readable +only by root. + * Avoid failures with --writable-tmpfs in non-setuid mode when using +fuse-overlayfs versions 1.8 or greater by adding the fuse-overlayfs noacl +mount option to disable support for POSIX Access Control Lists. + * Fix the --rocm flag in combination with -c / -C by forwarding all +/dri/render* devices into the container. + +--- Old: apptainer-1.1.2.tar.gz New: apptainer-1.1.4.tar.gz Other differences: -- ++ apptainer.spec ++ --- /var/tmp/diff_new_pack.SowAKO/_old 2022-12-20 20:21:58.818369235 +0100 +++ /var/tmp/diff_new_pack.SowAKO/_new 2022-12-20 20:21:58.822369257 +0100 @@ -25,7 +25,7 @@ License:BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version:1.1.2 +Version:1.1.4 Release:0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL:https://apptainer.org ++ apptainer-1.1.2.tar.gz -> apptainer-1.1.4.tar.gz ++ 2935 lines of diff (skipped)
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-10-28 19:31:39
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.2275 (New)
Package is "apptainer"
Fri Oct 28 19:31:39 2022 rev:10 rq:1031911 version:1.1.2
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-10-11
18:05:47.666108534 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2275/apptainer.changes
2022-10-28 19:32:19.947474458 +0200
@@ -1,0 +2,7 @@
+Fri Oct 28 08:54:51 UTC 2022 - Egbert Eich
+
+- Add Provides: and Obsoletes: to attempt to mark this as a possible
+ replacement for the original singularity package which has been
+ discontinued.
+
+---
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.SM36hf/_old 2022-10-28 19:32:20.583477647 +0200
+++ /var/tmp/diff_new_pack.SM36hf/_new 2022-10-28 19:32:20.587477667 +0200
@@ -29,6 +29,8 @@
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
+Provides: singularity
+Obsoletes: singularity <= 3.8.5
Source0:
https://github.com/apptainer/apptainer/archive/v%{version}%{?vers_suffix}/apptainer-%{version}%{?vers_suffix}.tar.gz
Source1:README.SUSE
Source2:SLE-12SP5.def
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-10-11 18:03:20
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.2275 (New)
Package is "apptainer"
Tue Oct 11 18:03:20 2022 rev:9 rq:1009744 version:1.1.2
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-10-08
01:26:15.478371807 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2275/apptainer.changes
2022-10-11 18:05:47.666108534 +0200
@@ -1,0 +2,5 @@
+Tue Oct 11 08:19:01 UTC 2022 - Christian Goll
+
+- previous versions did not build squashfuse_ll, fixed this
+
+---
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.cN9Wxg/_old 2022-10-11 18:05:48.202109400 +0200
+++ /var/tmp/diff_new_pack.cN9Wxg/_new 2022-10-11 18:05:48.206109407 +0200
@@ -61,6 +61,7 @@
BuildRequires: zlib-devel
%endif
Requires: squashfs
+Recommends: fuse2fs
PreReq: permissions
# there's no golang for ppc64, ppc64le does not have non pie builds
@@ -81,13 +82,18 @@
%setup -b 10 -n squashfuse-%{squashfuse_version}
%patch -P 10 -p1
%endif
-%setup -q -n gopath/%{apptainerpath} -c
+%setup -q -n %{name}-%{version}
cp %{S:1} %{S:2} %{S:3} .
-mv %{name}-%{version}%{?vers_suffix} %{name}
-cd %{_builddir}/gopath/%{apptainerpath}/apptainer
%build
-cd %{name}
+%if "%{?squashfuse_version}" != ""
+pushd ../squashfuse-%{squashfuse_version}
+./autogen.sh
+FLAGS=-std=c99 ./configure --enable-multithreading
+%make_build squashfuse_ll
+popd
+%endif
+
# create VERSION file
echo %version > VERSION
# Not all of these parameters currently have an effect, but they might be
@@ -109,50 +115,42 @@
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--without-suid
-cd builddir
-make V="" old_config=
+
+%make_build -C builddir V=""
%install
export GOPATH=$PWD/gopath
export GOFLAGS=-mod=vendor
export PATH=$GOPATH/bin:$PATH
-cd %{name}/builddir
-make DESTDIR=$RPM_BUILD_ROOT install
-cd ../..
+%make_install -C builddir V=
+
+%if "%{?squashfuse_version}" != ""
+install -m 755 ../squashfuse-%{squashfuse_version}/squashfuse_ll
%{buildroot}%{_libexecdir}/%{name}/bin/squashfuse_ll
+%endif
+
%fdupes apptainer/examples
-mkdir -p .tmp
-for j in LICENSE.md LICENSE; do
-for i in `find . -name $j`; do
- k="`basename ${i/%\/$j/-$j}`"
- if ! [[ $k =~ apptainer-.* ]]; then
- cp $i .tmp/$k
- fi
-done
-done
-
-%fdupes -s .tmp/
-mv .tmp/* .
-rmdir .tmp
%fdupes -s %buildroot
%files
-%doc apptainer/examples
-%doc apptainer/CONTRIBUTING.md
-%doc apptainer/README.md
-%doc apptainer/CHANGELOG.md
-%doc apptainer/CONTRIBUTORS.md
+%doc examples
+%doc CONTRIBUTING.md
+%doc README.md
+%doc CHANGELOG.md
+%doc CONTRIBUTORS.md
%doc %{basename:%{S:1}}
%doc %{basename:%{S:2}}
%doc %{basename:%{S:3}}
-%license apptainer/LICENSE.md
-%license *-LICENSE.md *-LICENSE
+%license LICENSE.md
+%license LICENSE_THIRD_PARTY.md
+%license LICENSE_DEPENDENCIES.md
%{_bindir}/*
%dir %{_libexecdir}/apptainer
%dir %{_libexecdir}/apptainer/bin
%dir %{_libexecdir}/apptainer/cni
%dir %{_libexecdir}/apptainer/lib
%{_libexecdir}/apptainer/bin/starter
+%{_libexecdir}/apptainer/bin/squashfuse_ll
%{_libexecdir}/apptainer/lib/offsetpreload.so
%{_libexecdir}/apptainer/cni/*
%dir %{_sysconfdir}/apptainer
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-10-08 01:25:47
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.2275 (New)
Package is "apptainer"
Sat Oct 8 01:25:47 2022 rev:8 rq:1008781 version:1.1.2
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-09-29
18:13:05.843224806 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2275/apptainer.changes
2022-10-08 01:26:15.478371807 +0200
@@ -1,0 +2,10 @@
+Fri Oct 7 12:42:57 UTC 2022 - Christian Goll
+
+- Udpated to 1.1.2 which fixed CVE-2022-39237
+ * CVE-2022-39237: The sif dependency included in Apptainer before this
+release does not verify that the hash algorithm(s) used are
+cryptographically secure when verifying digital signatures. This release
+updates to sif v2.8.1 which corrects this issue. See the linked advisory
+for references and a workaround.
+
+---
Old:
apptainer-1.1.0.tar.gz
New:
apptainer-1.1.2.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.fT7391/_old 2022-10-08 01:26:17.838377219 +0200
+++ /var/tmp/diff_new_pack.fT7391/_new 2022-10-08 01:26:17.842377228 +0200
@@ -25,7 +25,7 @@
License:BSD-3-Clause-LBNL
Group: Productivity/Clustering/Computing
Name: apptainer
-Version:1.1.0
+Version:1.1.2
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
++ apptainer-1.1.0.tar.gz -> apptainer-1.1.2.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.0/CHANGELOG.md
new/apptainer-1.1.2/CHANGELOG.md
--- old/apptainer-1.1.0/CHANGELOG.md2022-09-27 16:55:22.0 +0200
+++ new/apptainer-1.1.2/CHANGELOG.md2022-10-06 21:51:39.0 +0200
@@ -5,6 +5,19 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
+## v1.1.2 - \[2022-10-06\]
+
+-
[CVE-2022-39237](https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8):
+ The sif dependency included in Apptainer before this release does not
+ verify that the hash algorithm(s) used are cryptographically secure
+ when verifying digital signatures. This release updates to sif v2.8.1
+ which corrects this issue. See the linked advisory for references and
+ a workaround.
+
+## v1.1.1 - \[2022-10-06\]
+
+Accidentally included no code changes.
+
## v1.1.0 - \[2022-09-27\]
### Changed defaults / behaviours
@@ -40,8 +53,6 @@
Persistent overlay works when the overlay path points to a regular
filesystem (known as "sandbox" mode, which is not allowed when in
setuid mode), or when it points to an EXT3 image.
- Does not work with a SIF partition because that requires privileges to
- mount as an ext3 image.
- Extended the `--fakeroot` option to be useful when `/etc/subuid` and
`/etc/subgid` mappings have not been set up.
If they have not been set up, a root-mapped unprivileged user namespace
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.0/INSTALL.md
new/apptainer-1.1.2/INSTALL.md
--- old/apptainer-1.1.0/INSTALL.md 2022-09-27 16:55:22.0 +0200
+++ new/apptainer-1.1.2/INSTALL.md 2022-10-06 21:51:39.0 +0200
@@ -136,7 +136,7 @@
for example:
```sh
-git checkout v1.1.0
+git checkout v1.1.2
```
## Compiling Apptainer
@@ -250,7 +250,7 @@
```sh
-VERSION=1.1.0 # this is the apptainer version, change as you need
+VERSION=1.1.2 # this is the apptainer version, change as you need
# Fetch the source
wget
https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
```
@@ -299,7 +299,7 @@
```sh
-VERSION=1.1.0 # this is the latest apptainer version, change as you need
+VERSION=1.1.2 # this is the latest apptainer version, change as you need
./mconfig
make -C builddir rpm
sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr -
\~)*.x86_64.rpm
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.0/LICENSE_DEPENDENCIES.md
new/apptainer-1.1.2/LICENSE_DEPENDENCIES.md
--- old/apptainer-1.1.0/LICENSE_DEPENDENCIES.md 2022-09-27 16:55:22.0
+0200
+++ new/apptainer-1.1.2/LICENSE_DEPENDENCIES.md 2022-10-06 21:51:39.0
+0200
@@ -383,6 +383,12 @@
**License URL:**
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-09-29 18:12:50
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.2275 (New)
Package is "apptainer"
Thu Sep 29 18:12:50 2022 rev:7 rq:1006656 version:1.1.0
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-09-14
13:45:31.741976865 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2275/apptainer.changes
2022-09-29 18:13:05.843224806 +0200
@@ -1,0 +2,5 @@
+Wed Sep 28 09:07:18 UTC 2022 - Christian Goll
+
+- updated to version 1.1.0 without changes to rc3
+
+---
Old:
apptainer-1.1.0-rc.3.tar.gz
New:
apptainer-1.1.0.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.CLVUaT/_old 2022-09-29 18:13:07.071227206 +0200
+++ /var/tmp/diff_new_pack.CLVUaT/_new 2022-09-29 18:13:07.071227206 +0200
@@ -19,7 +19,6 @@
%define apptainerpath src/github.com/apptainer/
%define _buildshell /bin/bash
-%define vers_suffix -rc.3
%global squashfuse_version 0.1.105
Summary:Application and environment virtualization
++ apptainer-1.1.0-rc.3.tar.gz -> apptainer-1.1.0.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.0-rc.3/CHANGELOG.md
new/apptainer-1.1.0/CHANGELOG.md
--- old/apptainer-1.1.0-rc.3/CHANGELOG.md 2022-09-06 18:29:25.0
+0200
+++ new/apptainer-1.1.0/CHANGELOG.md2022-09-27 16:55:22.0 +0200
@@ -5,90 +5,7 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
-## v1.1.0-rc.3 - \[2022-09-06\]
-
-- Imply adding `${prefix}/libexec/apptainer/bin` to the `binary path` in
- `apptainer.conf`, which is used for searching for helper executables.
- It is implied as the first directory of `$PATH` if present (which is at
- the beginning of `binary path` by default) or just as the first directory
- if `$PATH` is not included in `binary path`.
-- Change squash mounts to prefer to use `squashfuse_ll` instead of
- `squashfuse`, if available, for improved performance.
- `squashfuse_ll` is available on RHEL-based systems but not Debian as
- part of the `squashfuse` package.
- Also, for even better parallel performance, include a patched multithreaded
- version of `squashfuse_ll` in rpm and debian packaging in
- `${prefix}/libexec/apptainer/bin`.
-- Add `--unsquash` action flag to temporarily convert a SIF file to a
- sandbox before running. In previous versions this was the default when
- running a SIF file without setuid or with fakeroot, but now the default
- is to instead mount with squashfuse.
-- Add `--sparse` flag to `overlay create` command to allow generation of a
- sparse ext3 overlay image.
-- Support for a custom hashbang in the `%test` section of an Apptainer recipe
- (akin to the runscript and start sections).
-- When using fakeroot in setuid mode, have the image drivers first enter the
- the container's user namespace to avoid write errors with overlays.
-- Skip trying to use kernel overlayfs when using writable overlay and the
- lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.
-- Add additional hidden options to the action command for testing different
fakeroot
- modes with `--fakeroot`: `--ignore-subuid`, `--ignore-fakeroot-command`,
- and `--ignore-userns`.
-- Fix github release rpm to be installable on EL8 & EL9 by not requiring
- the fuse2fs package which doesn't exist there. Instead, on EL7 cause an
- install failure if /usr/*bin/fuse2fs is not installed with a message
- explaining how to fix it. The EPEL build won't have this issue; there
- EPEL7 will require the fuse2fs package.
-- Fix ORAS image push to registries with authorization servers not supporting
- multiple scope query parameter.
-
-## v1.1.0-rc.2 - \[2022-08-16\]
-
-### Changed defaults / behaviours
-
-- Fixed longstanding bug in the underlay logic when there are nested bind
- points separated by more than one path level, for example `/var` and
- `/var/lib/yum`, and the path didn't exist in the container image.
- The bug only caused an error when there was a directory in the container
- image that didn't exist on the host.
-- Improved wildcard matching in the %files directive of build definition
- files by replacing usage of sh with the mvdan.cc library.
-- Replaced checks for compatible filesystem types when using fuse-overlayfs
- with an INFO message when an incompatible filesystem
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-09-14 13:45:18
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.2083 (New)
Package is "apptainer"
Wed Sep 14 13:45:18 2022 rev:6 rq:1003477 version:1.1.0
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-08-19
17:59:19.980459320 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2083/apptainer.changes
2022-09-14 13:45:31.741976865 +0200
@@ -1,0 +2,33 @@
+Fri Sep 9 08:50:33 UTC 2022 - Christian Goll
+
+- Updated to version 1.1.0-rc3 with following changes:
+ * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll
+which will be removed as soon as the multithread patch is incoperated
+ * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse,
+if available, for improved performance. squashfuse_ll is not available
+in factory.
+ * Also, for even better parallel performance, include a patched
+multithreaded version of squashfuse_ll in
+ * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in
+apptainer.conf, which is used for searching for helper executables. It is
+implied as the first directory of $PATH if present (which is at the
+beginning of binary path by default) or just as the first directory if
+$PATH is not included in binary path.
+${prefix}/libexec/apptainer/bin.
+ * Add --unsquash action flag to temporarily convert a SIF file to a sandbox
+before running. In previous versions this was the default when running a
+SIF file without setuid or with fakeroot, but now the default is to instead
+mount with squashfuse.
+ * Add --sparse flag to overlay create command to allow generation of a sparse
+ext3 overlay image.
+ * Support for a custom hashbang in the %test section of an Apptainer recipe
+(akin to the runscript and start sections).
+ * When using fakeroot in setuid mode, have the image drivers first enter the
+the container's user namespace to avoid write errors with overlays.
+ * Skip trying to use kernel overlayfs when using writable overlay and the
+lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.
+ * Add additional hidden options to the action command for testing different
+fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command,
+and --ignore-userns.
+
+---
@@ -4 +37 @@
-- Udpated to version 1.1.0-rc2 with following changes:
+- Updated to version 1.1.0-rc2 with following changes:
Old:
apptainer-1.1.0-rc.2.tar.gz
New:
70.patch
apptainer-1.1.0-rc.3.tar.gz
squashfuse-0.1.105.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.WnMpSw/_old 2022-09-14 13:45:32.573978960 +0200
+++ /var/tmp/diff_new_pack.WnMpSw/_new 2022-09-14 13:45:32.581978980 +0200
@@ -19,7 +19,8 @@
%define apptainerpath src/github.com/apptainer/
%define _buildshell /bin/bash
-%define vers_suffix -rc.2
+%define vers_suffix -rc.3
+%global squashfuse_version 0.1.105
Summary:Application and environment virtualization
License:BSD-3-Clause-LBNL
@@ -34,7 +35,11 @@
Source2:SLE-12SP5.def
Source3:SLE-15SP3.def
Source5:%{name}-rpmlintrc
-Source10: vendor.tar.gz
+Source9:vendor.tar.gz
+%if "%{?squashfuse_version}" != ""
+Source10:
https://github.com/vasi/squashfuse/archive/%{squashfuse_version}/squashfuse-%{squashfuse_version}.tar.gz
+Patch10:https://github.com/vasi/squashfuse/pull/70.patch
+%endif
BuildRequires: cryptsetup
BuildRequires: fdupes
BuildRequires: gcc
@@ -48,6 +53,14 @@
BuildRequires: binutils-gold
%endif
BuildRequires: libseccomp-devel
+%if "%{?squashfuse_version}" != ""
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: fuse3-devel
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: zlib-devel
+%endif
Requires: squashfs
PreReq: permissions
@@ -63,6 +76,12 @@
containers that can be used across host environments.
%prep
+%if "%{?squashfuse_version}" != ""
+# the default directory for other steps is where the %prep section ends
+# so do main package last
+%setup -b 10 -n squashfuse-%{squashfuse_version}
+%patch -P 10 -p1
+%endif
%setup -q -n gopath/%{apptainerpath} -c
cp %{S:1} %{S:2} %{S:3} .
mv %{name}-%{version}%{?vers_suffix} %{name}
@@ -74,7 +93,7 @@
echo %version > VERSION
# Not all of these parameters currently have an effect, but they might be
# used someday. They are the same parameters as in the
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-08-19 17:56:44
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.2083 (New)
Package is "apptainer"
Fri Aug 19 17:56:44 2022 rev:5 rq:998138 version:1.1.0
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-08-05
19:51:54.573596430 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2083/apptainer.changes
2022-08-19 17:59:19.980459320 +0200
@@ -1,0 +2,38 @@
+Fri Aug 19 10:07:20 UTC 2022 - Christian Goll
+
+- Udpated to version 1.1.0-rc2 with following changes:
+ * Fixed longstanding bug in the underlay logic when there are nested bind
+points separated by more than one path level, for example /var and
+/var/lib/yum, and the path didn't exist in the container image. The bug
+only caused an error when there was a directory in the container image that
+didn't exist on the host.
+ * Improved wildcard matching in the %files directive of build definition
+files by replacing usage of sh with the mvdan.cc library.
+ * Replaced checks for compatible filesystem types when using fuse-overlayfs
+with an INFO message when an incompatible filesystem type causes it to be
+unwritable by a fakeroot user.
+ * The --nvccli option now works without --fakeroot. In that case the option
+can be used with --writable-tmpfs instead of --writable, and
+--writable-tmpfs is implied if neither option is given. Note that also
+/usr/bin has to be writable by the user, so without --fakeroot that
+probably requires a sandbox image that was built with --fix-perms.
+ * The --nvccli option implies --nv.
+ * Configure squashfuse to always show files to be owned by the current user.
+That's especially important for fakeroot to prevent most of the files from
+looking like they are owned by user 65534.
+ * The fakeroot command can now be used even if $PATH is empty in the
+environment of the apptainer command.
+ * Allow the newuidmap command to be missing if the current user is not listed
+in /etc/subuid.
+ * Require the uidmap package in Debian packaging.
+ * Improved error handling of unsupported pass protected PEM files with
+encrypted containers.
+ * Ensure bootstrap_history directory is populated with previous definition
+files, present in source containers used in a build.
+ * Add additional options to the build command for testing different fakeroot
+modes: --userns like the action flag and hidden options --ignore-subuid,
+--ignore-fakeroot-command, and --ignore-userns.
+ * Require root user early when building an encrypted container.
+- removed upstream incorated patch fix-32bit-compilation.patch
+
+---
Old:
apptainer-1.1.0-rc.1.tar.gz
fix-32bit-compilation.patch
New:
apptainer-1.1.0-rc.2.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.8D1ROq/_old 2022-08-19 17:59:20.612460645 +0200
+++ /var/tmp/diff_new_pack.8D1ROq/_new 2022-08-19 17:59:20.616460653 +0200
@@ -19,7 +19,7 @@
%define apptainerpath src/github.com/apptainer/
%define _buildshell /bin/bash
-%define vers_suffix -rc.1
+%define vers_suffix -rc.2
Summary:Application and environment virtualization
License:BSD-3-Clause-LBNL
@@ -35,7 +35,6 @@
Source3:SLE-15SP3.def
Source5:%{name}-rpmlintrc
Source10: vendor.tar.gz
-Patch1: fix-32bit-compilation.patch
BuildRequires: cryptsetup
BuildRequires: fdupes
BuildRequires: gcc
@@ -68,7 +67,6 @@
cp %{S:1} %{S:2} %{S:3} .
mv %{name}-%{version}%{?vers_suffix} %{name}
cd %{_builddir}/gopath/%{apptainerpath}/apptainer
-%patch1 -p1
%build
cd %{name}
++ apptainer-1.1.0-rc.1.tar.gz -> apptainer-1.1.0-rc.2.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.1.0-rc.1/.github/workflows/ci.yml
new/apptainer-1.1.0-rc.2/.github/workflows/ci.yml
--- old/apptainer-1.1.0-rc.1/.github/workflows/ci.yml 2022-08-01
23:52:07.0 +0200
+++ new/apptainer-1.1.0-rc.2/.github/workflows/ci.yml 2022-08-17
13:47:34.0 +0200
@@ -169,7 +169,7 @@
go-version: 1.18.4
- name: Fetch deps
-run: sudo apt-get -q update && sudo apt-get install -y build-essential
squashfs-tools squashfuse fuse-overlayfs fakeroot libseccomp-dev cryptsetup
+run: sudo apt-get -q update && sudo apt-get install -y build-essential
squashfs-tools squashfuse fuse-overlayfs fakeroot fuse2fs libseccomp-dev
cryptsetup
- name:
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2022-08-05 19:50:55 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.1521 (New) Package is "apptainer" Fri Aug 5 19:50:55 2022 rev:4 rq:993259 version:1.1.0 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-07-11 19:11:11.079764334 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.1521/apptainer.changes 2022-08-05 19:51:54.573596430 +0200 @@ -1,0 +2,136 @@ +Thu Aug 4 12:31:33 UTC 2022 - Christian Goll + +- Updated to version 1.1.0-rc1 which enables apptainer to run without + suid and additional groups. Although this is a prerelease this is + a major advantage justifying its use. + * Added a squashfuse image driver that enables mounting SIF files without +using setuid-root. Requires the squashfuse command and unprivileged user +namespaces. + * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF +overlay partitions without using setuid-root. Requires the fuse2fs command +and unprivileged user namespaces. + * Added the ability to use persistent overlay (--overlay) and +--writable-tmpfs without using setuid-root. This requires unprivileged user +namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs +command. Persistent overlay works when the overlay path points to a regular +filesystem (known as "sandbox" mode, which is not allowed when in setuid +mode), or when it points to an EXT3 image. Does not work with a SIF +partition because that requires privileges to mount as an ext3 image. + * Extended the --fakeroot option to be useful when /etc/subuid and +/etc/subgid mappings have not been set up. If they have not been set up, a +root-mapped unprivileged user namespace (the equivalent of unshare -r) +and/or the fakeroot command from the host will be tried. Together they +emulate the mappings pretty well but they are simpler to administer. This +feature is especially useful with the --overlay and --writable-tmpfs +options and for building containers unprivileged, because they allow +installing packages that assume they're running as root. A limitation on +using it with --overlay and --writable-tmpfs however is that when only the +fakeroot command can be used (because there are no user namespaces +available, in suid mode) then the base image has to be a sandbox. This +feature works nested inside of an apptainer container, where another +apptainer command will also be in the fakeroot environment without +requesting the --fakeroot option again, or it can be used inside an +apptainer container that was not started with --fakeroot. However, the +fakeroot command uses LD_PRELOAD and so needs to be bound into the +container which requires a compatible libc. For that reason it doesn't work +when the host and container operating systems are of very different +vintages. If that's a problem and you want to use only an unprivileged +root-mapped namespace even when the fakeroot command is installed, just run +apptainer with unshare -r. + * Made the --fakeroot option be implied when an unprivileged user builds a +container from a definition file. When /etc/subuid and /etc/subgid mappings +are not available, all scriptlets are run in a root-mapped unprivileged +namespace (when possible) and the %post scriptlet is additionally run with +the fakeroot command. When unprivileged user namespaces are not available, +such that only the fakeroot command can be used, the --fix-perms option is +implied to allow writing into directories. + * Added a --fakeroot option to the apptainer overlay create command to make +an overlay EXT3 image file that works with the fakeroot that comes from +unprivileged root-mapped namespaces. This is not needed with the fakeroot +that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes +with only the fakeroot command in suid flow. + * $HOME is now used to find the user's configuration and cache by default. If +that is not set it will fall back to the previous behavior of looking up +the home directory in the password file. The value of $HOME inside the +container still defaults to the home directory in the password file and can +still be overridden by the --home option. + * When starting a container, if the user has specified the cwd by using the +--pwd flag, if there is a problem an error is returned instead of +defaulting to a different directory. + * Nesting of bind mounts now works even when a --bind option specified a +different source and destination with a
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apptainer for openSUSE:Factory
checked in at 2022-07-11 19:09:49
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
and /work/SRC/openSUSE:Factory/.apptainer.new.1523 (New)
Package is "apptainer"
Mon Jul 11 19:09:49 2022 rev:3 rq:988330 version:1.0.3
Changes:
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-05-19
22:49:18.578334092 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.1523/apptainer.changes
2022-07-11 19:11:11.079764334 +0200
@@ -1,0 +2,11 @@
+Mon Jul 11 09:38:45 UTC 2022 - Christian Goll
+
+- Update to version 1.0.3:
+ * Process redirects that can come from sregistry with a library:// URL.
+ * Fix inspect --deffile and inspect --all to correctly show definition files
+in sandbox container images instead of empty output. This has a side effect
+of also fixing the storing of definition files in the metadata of sif files
+built by Apptainer, because that metadata is constructed by doing inspect
+--all.
+
+---
Old:
apptainer-1.0.2.tar.gz
New:
apptainer-1.0.3.tar.gz
Other differences:
--
++ apptainer.spec ++
--- /var/tmp/diff_new_pack.6OCG86/_old 2022-07-11 19:11:11.591765077 +0200
+++ /var/tmp/diff_new_pack.6OCG86/_new 2022-07-11 19:11:11.595765083 +0200
@@ -25,7 +25,7 @@
License:BSD-3-Clause-LBNL
Group: Productivity/Clustering/Computing
Name: apptainer
-Version:1.0.2
+Version:1.0.3
Release:0
# https://spdx.org/licenses/BSD-3-Clause-LBNL.html
URL:https://apptainer.org
++ apptainer-1.0.2.tar.gz -> apptainer-1.0.3.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.0.2/CHANGELOG.md
new/apptainer-1.0.3/CHANGELOG.md
--- old/apptainer-1.0.2/CHANGELOG.md2022-05-10 00:10:52.0 +0200
+++ new/apptainer-1.0.3/CHANGELOG.md2022-07-06 16:06:49.0 +0200
@@ -5,6 +5,17 @@
and re-branded as Apptainer.
For older changes see the [archived Singularity change
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
+## v1.0.3 - \[2022-07-06\]
+
+### Bug fixes
+
+- Process redirects that can come from sregistry with a `library://` URL.
+- Fix `inspect --deffile` and `inspect --all` to correctly show definition
+ files in sandbox container images instead of empty output.
+ This has a side effect of also fixing the storing of definition files in
+ the metadata of sif files built by Apptainer, because that metadata is
+ constructed by doing `inspect --all`.
+
## v1.0.2 - \[2022-05-09\]
### Bug fixes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.0.2/INSTALL.md
new/apptainer-1.0.3/INSTALL.md
--- old/apptainer-1.0.2/INSTALL.md 2022-05-10 00:10:52.0 +0200
+++ new/apptainer-1.0.3/INSTALL.md 2022-07-06 16:06:49.0 +0200
@@ -131,7 +131,7 @@
for example:
```sh
-git checkout v1.0.2
+git checkout v1.0.3
```
## Compiling Apptainer
@@ -201,7 +201,7 @@
```sh
-VERSION=1.0.2 # this is the apptainer version, change as you need
+VERSION=1.0.3 # this is the apptainer version, change as you need
# Fetch the source
wget
https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
# Build the rpm from the source tar.gz
@@ -223,7 +223,7 @@
```sh
-VERSION=1.0.2 # this is the latest apptainer version, change as you need
+VERSION=1.0.3 # this is the latest apptainer version, change as you need
./mconfig
make -C builddir rpm
sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr -
\~)*.x86_64.rpm
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.0.2/cmd/internal/cli/inspect.go
new/apptainer-1.0.3/cmd/internal/cli/inspect.go
--- old/apptainer-1.0.2/cmd/internal/cli/inspect.go 2022-05-10
00:10:52.0 +0200
+++ new/apptainer-1.0.3/cmd/internal/cli/inspect.go 2022-07-06
16:06:49.0 +0200
@@ -534,7 +534,7 @@
func (c *command) addDefinitionCommand() {
deffile, err := inspectDeffilePartition(c.img)
if err == errNoSIFMetadata || err == errNoSIF {
- c.addSingleFileCommand("Apptainer", "deffile")
+ c.addSingleFileCommand("Singularity", "deffile")
} else if err != nil {
sylog.Warningf("Unable to inspect deffile: %s", err)
} else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apptainer-1.0.2/e2e/inspect/inspect.go
commit apptainer for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2022-05-19 22:49:09 Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.1538 (New) Package is "apptainer" Thu May 19 22:49:09 2022 rev:2 rq:977939 version:1.0.2 Changes: --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-03-22 19:41:10.915151699 +0100 +++ /work/SRC/openSUSE:Factory/.apptainer.new.1538/apptainer.changes 2022-05-19 22:49:18.578334092 +0200 @@ -1,0 +2,12 @@ +Wed May 18 12:07:59 UTC 2022 - Dominique Leuenberger + +- Update to version 1.0.2: + + Fixed `FATAL` error thrown by user configuration migration code +that caused users with inaccessible home directories to be +unable to use `apptainer` commands. + + Do not truncate environment variables with commas. + + Use HEAD request when checking digest of remote OCI image +sources, with GET as a fall-back. Greatly reduces Apptainer's +impact on Docker Hub API limits. + +--- Old: apptainer-1.0.1.tar.gz New: apptainer-1.0.2.tar.gz Other differences: -- ++ apptainer.spec ++ --- /var/tmp/diff_new_pack.7miejY/_old 2022-05-19 22:49:19.482335250 +0200 +++ /var/tmp/diff_new_pack.7miejY/_new 2022-05-19 22:49:19.486335255 +0200 @@ -25,7 +25,7 @@ License:BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version:1.0.1 +Version:1.0.2 Release:0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL:https://apptainer.org ++ apptainer-1.0.1.tar.gz -> apptainer-1.0.2.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.0.1/.github/workflows/ci.yml new/apptainer-1.0.2/.github/workflows/ci.yml --- old/apptainer-1.0.1/.github/workflows/ci.yml2022-03-16 13:16:03.0 +0100 +++ new/apptainer-1.0.2/.github/workflows/ci.yml2022-05-10 00:10:52.0 +0200 @@ -50,6 +50,7 @@ - name: Build Apptainer run: | + git config --global --add safe.directory $(pwd) ./mconfig -v -p /usr/local make -C ./builddir all @@ -66,6 +67,7 @@ - name: Build Apptainer run: | + git config --global --add safe.directory $(pwd) ./mconfig -v -p /usr/local make -C ./builddir all diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.0.1/CHANGELOG.md new/apptainer-1.0.2/CHANGELOG.md --- old/apptainer-1.0.1/CHANGELOG.md2022-03-16 13:16:03.0 +0100 +++ new/apptainer-1.0.2/CHANGELOG.md2022-05-10 00:10:52.0 +0200 @@ -5,6 +5,18 @@ and re-branded as Apptainer. For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md). +## v1.0.2 - \[2022-05-09\] + +### Bug fixes + +- Fixed `FATAL` error thrown by user configuration migration code that caused + users with inaccessible home directories to be unable to use `apptainer` + commands. +- The Debian package now conflicts with the singularity-container package. +- Do not truncate environment variables with commas. +- Use HEAD request when checking digest of remote OCI image sources, with GET as + a fall-back. Greatly reduces Apptainer's impact on Docker Hub API limits. + ## v1.0.1 - \[2022-03-15\] ### Bug fixes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.0.1/CONTRIBUTORS.md new/apptainer-1.0.2/CONTRIBUTORS.md --- old/apptainer-1.0.1/CONTRIBUTORS.md 2022-03-16 13:16:03.0 +0100 +++ new/apptainer-1.0.2/CONTRIBUTORS.md 2022-05-10 00:10:52.0 +0200 @@ -80,7 +80,7 @@ - Tim Wright <7im.wri...@protonmail.com> - Tru Huynh - Tyson Whitehead -- Vanessa Sochat +- Vanessa Sochat - Westley Kurtzer , - Yannick Cote , - Yaroslav Halchenko diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.0.1/INSTALL.md new/apptainer-1.0.2/INSTALL.md --- old/apptainer-1.0.1/INSTALL.md 2022-03-16 13:16:03.0 +0100 +++ new/apptainer-1.0.2/INSTALL.md 2022-05-10 00:10:52.0 +0200 @@ -131,7 +131,7 @@ for example: ```sh -git checkout v1.0.1 +git checkout v1.0.2 ``` ## Compiling Apptainer @@ -201,7 +201,7 @@ ```sh -VERSION=1.0.1 # this is the apptainer version, change as you need +VERSION=1.0.2 # this is the apptainer version, change as you need # Fetch the source wget
