This update for apptainer fixes the following issues:
Make sure that digest values handled by the Go library github.com/opencontainers/go-digest, and used throughout the Go-implemented containers ecosystem, are always validated. This prevents attackers from triggering unexpected authenticated registry accesses. (CVE-2024-3727, boo#1224114).
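As an added illustration of the kind of strict validation the fix above requires (example code written for this page, not code from apptainer, go-digest or containers/image): it assumes the OCI image-spec digest grammar "<algorithm>:<encoded>", registers only sha256 for brevity, and uses names of its own choosing (ValidateDigest, VerifyContent, ErrInvalidDigest). Any digest string that does not match the strict grammar is rejected before it is used, and blob content is checked against a validated digest.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Strict digest grammar (OCI image spec): "<algorithm>:<encoded>", lowercase hex only.
var digestRe = regexp.MustCompile(`^([a-z0-9]+(?:[+._-][a-z0-9]+)*):([a-f0-9]+)$`)

// Required hex length per accepted algorithm; only sha256 is registered here (assumption).
var encodedLen = map[string]int{"sha256": 64}

var ErrInvalidDigest = errors.New("invalid digest")

// ValidateDigest returns nil only for a well-formed digest with a supported algorithm
// and the exact encoded length; wrong length, unknown algorithm, uppercase/non-hex
// characters or path-like text are rejected before the value reaches a registry request.
func ValidateDigest(d string) error {
	m := digestRe.FindStringSubmatch(d)
	if m == nil {
		return fmt.Errorf("%w: %q does not match <algorithm>:<hex>", ErrInvalidDigest, d)
	}
	algo, enc := m[1], m[2]
	want, ok := encodedLen[algo]
	if !ok {
		return fmt.Errorf("%w: unsupported algorithm %q", ErrInvalidDigest, algo)
	}
	if len(enc) != want {
		return fmt.Errorf("%w: %s needs %d hex chars, got %d", ErrInvalidDigest, algo, want, len(enc))
	}
	return nil
}

// VerifyContent validates the digest first, then checks that the blob content really
// hashes to it, so a syntactically valid but wrong digest is caught as well.
func VerifyContent(d string, content []byte) error {
	if err := ValidateDigest(d); err != nil {
		return err
	}
	_, enc, _ := strings.Cut(d, ":")
	sum := sha256.Sum256(content)
	if got := hex.EncodeToString(sum[:]); got != enc {
		return fmt.Errorf("digest mismatch: content hashes to sha256:%s", got)
	}
	return nil
}
```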
Updated apptainer to version 1.3.0
If allow setuid-mount extfs = no (the default) in apptainer.conf, then the fuse2fs image driver will be used to mount ext3 images in setuid mode instead of the kernel driver (ext3 images are primarily used for the --overlay feature), restoring functionality that was removed by default in Apptainer 1.1.8 because of the security risk.
The allow setuid-mount squashfs configuration option in apptainer.conf now has a new default called iflimited, which allows kernel squashfs mounts only if there is at least one limit container option set or if Execution Control Lists are activated in ecl.toml. If kernel squashfs mounts are not allowed, then the squashfuse image driver will be used instead. iflimited is the default because if one of those limits is used, the system administrator ensures that unprivileged users do not have write access to the containers, but on the other hand using FUSE would theoretically enable a user to bypass the limits via ptrace(), because the FUSE process runs as that user.
The fuse-overlayfs image driver will also now be tried in setuid mode if the kernel overlayfs driver does not work (for example if one of the layers is a FUSE filesystem). In addition, if allow setuid-mount encrypted = no, then the unprivileged gocryptfs format will be used for encrypting SIF files instead of the kernel device-mapper. If a SIF file was encrypted using the gocryptfs format, it can now be mounted in setuid mode in addition to non-setuid mode.
The underlay feature is no longer the default but remains available through the --underlay option; it is deprecated because the implementation is complicated and measurements have shown that the performance of underlay is similar to overlayfs and fuse-overlayfs. For now the underlay feature can be made the default again with a new preferred value on the enable underlay configuration option. Also the --underlay option can be used in setuid mode or as the root user, although it was ignored previously.
--cwd is now the preferred form of the flag for setting the container's working directory, though --pwd is still supported for compatibility.
The way --home is handled when running as root (e.g. sudo apptainer) or with --fakeroot has changed. Previously, we were only modifying the HOME environment variable in these cases, while leaving the container's /etc/passwd file unchanged (with its homedir field pointing to /root, regardless of the value passed to --home). With this change, both the value of HOME and the contents of /etc/passwd in the container will reflect the value passed to --home if the container is read-only. If the container is writable, the /etc/passwd file is left alone because modifying it can interfere with commands that want to modify it.
The --vm and related flags to start apptainer inside a VM have been removed. This functionality was related to the retired Singularity Desktop / SyOS projects.
The keyserver-related commands under remote have been moved to their own, dedicated keyserver command. Run apptainer help keyserver for more information.
The registry-related commands under remote have been moved to their own, dedicated registry command. Run apptainer help registry for more information.
The remote list subcommand now outputs only remote endpoints (with keyservers and OCI/Docker registries having been moved to separate commands), and the output has been streamlined.
The apptainer remote add command will now set the new endpoint as the default. This behavior can be suppressed by supplying the --no-default (or -n) flag to remote add.
The /tmp directory is no longer used for gocryptfs mountpoints.
The remote status command will now print the username, realname, and email of the logged-in user, if available.
Added a new tool, apptheus, which will put apptainer starter into a newly created cgroup and collect system metrics.
Added a --no-pid flag for apptainer run/shell/exec that disables the PID namespace inferred by --containall and --compat.
Added a --config option to keyserver commands.
Added a keyserver list command.
Added an APPTAINER_ENCRYPTION_PEM_DATA env var to allow for encrypting and running encrypted containers without a PEM file.
Added a --sharens mode for apptainer exec/run/shell, which makes it possible to run multiple apptainer instances created by the same parent using the same image in the same user namespace.
Make apptainer definition templates version dependent.
Fix 'apptainer build' using signed packages from the SUSE Registry (boo#1221364).
Updated apptainer to version 1.2.5
Added libnvidia-nvvm to nvliblist.conf. Newer NVIDIA drivers (known with >= 525.85.05) require this lib to compile OpenCL programs against NVIDIA GPUs, i.e. libnvidia-opencl depends on libnvidia-nvvm.
--fakeroot is passed.
hidepid mount option on /proc is set.
cvmfsexec).
Added libnvidia-gpucomp.so to the list of libraries to add to NVIDIA GPU-enabled containers.
Fixed missing error handling during the creation of an encrypted image that led to the generation of corrupted images.
APPTAINER_TMPDIR for temporary files during privileged image encryption.
If XDG_RUNTIME_DIR or DBUS_SESSION_BUS_ADDRESS is not set, print an info message that stats will not be available instead of exiting with a fatal error.
Package .def templates separately for different SPs.
Do not build squashfuse, require it as a dependency.
Exclude platforms which do not provide all build dependencies.
Updated to 1.2.3 with the following changes:
Updated to 1.2.2 with the following changes:
Updated to 1.2.1 to fix CVE-2023-38496, although it is not relevant as the package is compiled with setuid
Updated to 1.2.0 with the following changes:
New features / functionalities
Updated to 1.1.9 with the following changes:
Included a fix for CVE-2023-30549, which is a vulnerability in setuid-root installations of Apptainer that was not active in the recent openSUSE packages. Still, this is included for completeness. The fix adds the allow setuid-mount configuration options encrypted, squashfs, and extfs, and makes the default for extfs 'no'. That disables the use of extfs mounts, including for overlays or binds, while in setuid-root mode, while leaving it enabled for unprivileged user namespace mode. The default for encrypted and squashfs is 'yes'.
Other bug fixes:
Updated to 1.1.7 with the following changes:
{ "binaries": [ { "libsquashfuse0": "0.5.0-bp155.2.1", "apptainer-sle15_6": "1.3.0-bp155.3.3.2", "apptainer-leap": "1.3.0-bp155.3.3.2", "squashfuse-tools": "0.5.0-bp155.2.1", "apptainer-sle15_5": "1.3.0-bp155.3.3.2", "apptainer": "1.3.0-bp155.3.3.2", "squashfuse": "0.5.0-bp155.2.1", "squashfuse-devel": "0.5.0-bp155.2.1" } ] }