This is a new version of Singularity with many new features, bug fixes, and other improvements detailed below. Some behaviour has changed. Please read the release notes below carefully before updating a production system.
New features / functionalities
- Allow configuration of global custom keyservers, separate from remote endpoints.
- Add a new global keyring, for public keys only (used for ECL).
- The remote login command now supports authentication to Docker/OCI registries and custom keyservers.
- New --exclusive option for remote use allows admin to lock usage to a specific remote.
- A new Fingerprints: header in definition files will check that a SIF source image can be verified, and is signed with keys matching all specified fingerprints.
- Labels can be set dynamically from a build's %post section by setting them in the SINGULARITY_LABELS environment variable.
- New build-arch label is automatically set to the architecture of the host during a container build.
- New -D/--description flag for singularity push sets description for a library container image.
- singularity remote status shows validity of authentication token if set.
- singularity push reports quota usage and URL on successful push to a library server that supports this.
- A new --no-mount flag for actions allows a user to disable proc/sys/dev/devpts/home/tmp/hostfs/cwd mounts, even if they are enabled in singularity.conf.
Changed defaults / behaviours
- When actions (run/shell/exec...) are used without --fakeroot the umask from the calling environment will be propagated into the container, so that files are created with expected permissions. Use the new --no-umask flag to return to the previous behaviour of setting a default 0022 umask.
- Container metadata, environment, scripts are recorded in a descriptor in builds to SIF files, and inspect will use this if present.
- The --nv flag for NVIDIA GPU support will not resolve libraries reported by nvidia-container-cli via the ld cache. Will instead respect absolute paths to libraries reported by the tool, and bind all versioned symlinks to them.
- General re-work of the remote login flow, adds prompts and token verification before replacing an existing authentication token.
- The Execution Control List (ECL) now verifies container fingerprints using the new global keyring. Previously all users would need relevant keys in their own keyring.
- The SIF layer mediatype for ORAS has been changed to application/vnd.sylabs.sif.layer.v1.sif reflecting the published opencontainers/artifacts value.
- SINGULARITY_BIND has been restored as an environment variable set within a running container. It now reflects all user binds requested by the -B/--bind flag, as well as via SINGULARITY_BIND[PATHS].
- singularity search now correctly searches for container images matching the host architecture by default. A new --arch flag allows searching for other architectures. A new results format gives more detail about container image results, while users and collections are no longer returned.
Bug Fixes
- Support larger definition files, environments etc. by passing engine configuration in the environment vs. via socket buffer.
- Ensure docker-daemon: and other source operations respect SINGULARITY_TMPDIR for all temporary files.
- Support double quoted filenames in the %files section of build definitions.
- Correct cache list sizes to show KiB with powers of 1024, matching du etc.
- Don't fail on enable fusemount=no when no fuse mounts are needed.
- Pull OCI images to the correct requested location when the cache is disabled.
- Ensure Singularity> prompt is set when container has no environment script, or singularity is called through a wrapper script.
- Avoid build failures in yum/dnf operations against the 'setup' package on RHEL/CentOS/Fedora by ensuring staged /etc/ files do not match distro default content.
- Failed binds to /etc/hosts and /etc/localtime in a container run with --contain are no longer fatal errors.
- Don't initialize the cache for actions where it is not required.
- Increase embedded shell interpreter timeout, to allow slow-running environment scripts to complete.
- Correct buffer handling for key import to allow import from STDIN.
- Reset environment to avoid LD_LIBRARY_PATH issues when resolving dependencies for the unsquashfs sandbox.
- Fall back to /sbin/ldconfig if ldconfig on PATH fails while resolving GPU libraries. Fixes problems on systems using Nix / Guix.
- Address issues caused by error code changes in unsquashfs version 4.4.
- Ensure /dev/kfd is bound into container for ROCm when --rocm is used with --contain.
- Tolerate comments on %files sections in build definition files.
- Fix a loop device file descriptor leak.
Known Issues
- A change in Linux kernel 5.9 causes --fakeroot builds to fail with a /sys/fs/selinux remount error. This will be addressed in Singularity v3.7.1.
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Downloads
Please use the singularity-3.7.0.tar.gz download below to obtain and install Singularity 3.7.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.