SingularityCE 4.0.0 Release Candidate 1 #2086
dtrudg announced in Announcements
SingularityCE 4.0.0-rc.1 is a release candidate for the upcoming 4.0.0 release, with changes detailed below.
OCI-mode
Singularity 4 introduces OCI-mode as a fully supported feature. It is enabled by using the --oci flag with the run / shell / exec / pull commands, or by setting oci mode = yes in singularity.conf.
In OCI-mode:
- pull-ed to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI, rather than Singularity specific, structure.
- run / shell / exec commands use a low-level OCI runtime (crun/runc) for container execution.
- --compat in Singularity's non-OCI native mode.
- --no-compat flag.
OCI-mode changes from 3.11 to 4.0 include:
- run / shell / exec in OCI-mode now includes support for the following existing CLI flags:
  - --add-caps
  - --drop-caps
  - --keep-privs
  - --no-privs
  - --overlay from directories, bare squashfs and extfs images.
  - --workdir
  - --scratch
  - --no-home
  - --no-mount (dev cannot be disabled in OCI mode)
  - --no-umask (with --no-compat)
  - --writable-tmpfs (with --no-compat)
- --device flag to "action" commands (run / exec / shell) when run in OCI mode (--oci). Currently supports passing one or more (comma-separated) fully-qualified CDI device names, and those devices will then be made available inside the container.
- --cdi-dirs flag to override the default search locations for CDI json files, allowing, for example, users who don't have root access on their host machine to nevertheless create CDI mappings (into containers run with --fakeroot, for example).
- --fakeroot, has OCI default effective/permitted capabilities.
- --env-file is evaluated with respect to the host environment, to match native mode behaviour.
- fuse-overlayfs and fusermount for overlay mounting and unmounting.
- SINGULARITY_CONTAINLIBS env var, to specify libraries to bind into /.singularity.d/libs/ in the container.
- docker://, http://, https:// and oras:// URIs.
- --no-compat flag can be used with OCI-mode to mirror singularity's historic native mode behavior on a variety of settings, instead of setting them the way other OCI runtimes typically do:
  - $HOME, /tmp, /var/tmp are bind mounted from the host.
  - /dev is bind mounted from the host, unless mount dev = minimal in singularity.conf (requires crun, not applied with runc).
  - bind path entries in singularity.conf are mounted into the container.
  - --writable-tmpfs is also used.
  - --no-umask is also used.
- pull command now accepts a new flag --oci for OCI image sources. This will create an OCI-SIF image rather than convert to Singularity's native container format.
- oras:// URIs.
- docker:// URIs.
- oci mode directive in singularity.conf can be set to true to enable OCI-mode by default. It can be negated with a new --no-oci command line flag.
See the admin guide and user guide for full requirements of OCI-mode and usage information.
Changed defaults / behaviours
Packages / Requirements
- /var/lib/singularity (rather than /var/singularity) to store local state files.
- share/bash-completion/completions location, rather than under etc.
- --vm and related flags to start singularity inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
- squashfuse_ll / squashfuse, which is now built from a git submodule unless --without-squashfuse is specified as an argument to mconfig. When built with --without-squashfuse, squashfuse_ll or squashfuse will be located on PATH. Version 0.2.0 or later is required.
CLI
- remote have been moved to their own, dedicated registry command. Run singularity help registry for more information.
- remote list subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
- singularity remote add command will now set the new endpoint as default. This behavior can be suppressed by supplying the --no-default (or -n) flag to remote add.
- remote have been moved to their own, dedicated keyserver command. Run singularity help keyserver for more information.
- singularity key list output.
- --cwd is now the preferred form of the flag for setting the container's working directory, though --pwd is still supported for compatibility.
Runtime Behaviour
- --home is handled when running as root (e.g. sudo singularity) or with --fakeroot has changed. Previously, we were only modifying the HOME environment variable in these cases, while leaving the container's /etc/passwd file unchanged (with its homedir field pointing to /root, regardless of the value passed to --home). With this change, both the value of HOME and the contents of /etc/passwd in the container will reflect the value passed to --home.
- SINGULARITY_BIND environment variable. (Previously, image-mounts were always performed first, regardless of order.)
- singularity mount no longer sets any inheritable / ambient capabilities, matching other OCI runtimes.
- singularity oci mount now uses, and requires, squashfuse_ll or squashfuse to mount a SIF image to an OCI bundle. Note that squashfuse_ll is built with singularity unless --without-squashfuse is passed to mconfig.
- --no-mount home,cwd instead of just --no-mount home to avoid mounting from $HOME if you run singularity from inside $HOME.
New Features & Functionality
- {{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file, or through new build options --build-arg or --build-arg-file.
- --secret flag (shorthand: -s) to key remove subcommand, to allow removal of a private key by fingerprint.
- --private as a synonym for --secret in key list, key export, and key remove subcommands.
- remote status command will now print the username, realname, and email of the logged-in user, if available.
- cache commands now accept --type oci-sif to list and clean cached OCI-SIF image conversions of OCI sources.
- instance start command now accepts an optional --app <name> argument which invokes start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.
- --no-pid flag for singularity run/shell/exec disables the PID namespace inferred by --containall and --compat.
- --platform flag can be used to specify an OS/Architecture[/Variant] when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.
- --arch flag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.
Developer / API
- singularity.conf, the image driver directive has been removed, and enable overlay no longer supports the driver option.
- pkg/build/types.Definition struct. New .FullRaw field introduced, which always contains the raw data for the entire definition file. Behavior of .Raw field has changed: for multi-stage builds parsed with pkg/build/types/parser.All(), .Raw contains the raw content of a single build stage. Otherwise, it is equal to .FullRaw.
- github.com/sylabs/singularity/v4, reflecting the major version of the application.
Bug Fixes
- --workdir when given relative path and --scratch.
- $HOME in --oci mode when mount home = no in singularity.conf.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Source Code
Please use the singularity-ce-4.0.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.0.0-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.
Packages
RPM / DEB packages are provided for:
These packages were built with Go 1.21.0
This discussion was created from the release SingularityCE 4.0.0 Release Candidate 1.