Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2023-03-29 23:28:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apptainer" Wed Mar 29 23:28:06 2023 rev:16 rq:1075177 version:1.1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-03-08 14:54:18.891245285 +0100 +++ /work/SRC/openSUSE:Factory/.apptainer.new.31432/apptainer.changes 2023-03-29 23:28:07.343752744 +0200 @@ -1,0 +2,17 @@ +Wed Mar 29 08:14:47 UTC 2023 - Christian Goll <[email protected]> + +- updated to 1.1.7 with following changes: + * removed simpler-sif-building.patch as this was incoperated upstream + * Allow gpu options such as --nv to be nested by always inheriting all + libraries bound in to a parent container's /.singularity.d/libs. + * Map the user's home directory to the root home directory by default in the + non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both + action commands and building containers from definition files. + * Make the error message more helpful in another place where a remote is + found to have no library client. + * Avoid incorrect error when requesting fakeroot network. + * Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where + unsquashfs on host uses libraries in non-default paths. + + +------------------------------------------------------------------- Old: ---- apptainer-1.1.6.tar.gz simpler-sif-building.patch New: ---- apptainer-1.1.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apptainer.spec ++++++ --- /var/tmp/diff_new_pack.UfMsZv/_old 2023-03-29 23:28:08.047756506 +0200 +++ /var/tmp/diff_new_pack.UfMsZv/_new 2023-03-29 23:28:08.051756528 +0200 @@ -25,7 +25,7 @@ License: BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version: 1.1.6 +Version: 1.1.7 Release: 0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL: https://apptainer.org 
@@ -39,7 +39,6 @@ Source5: leap.def Source8: %{name}-rpmlintrc Source9: vendor.tar.gz -Patch1: simpler-sif-building.patch %if "%{?squashfuse_version}" != "" Source10: https://github.com/vasi/squashfuse/archive/%{squashfuse_version}/squashfuse-%{squashfuse_version}.tar.gz Patch10: https://github.com/vasi/squashfuse/pull/70.patch @@ -63,7 +62,8 @@ BuildRequires: fuse3-devel BuildRequires: libtool BuildRequires: pkgconfig -BuildRequires: zlib-devel +BuildRequires: pkgconfig(liblz4) +BuildRequires: pkgconfig(liblzma) %endif Requires: squashfs Recommends: fuse2fs @@ -88,7 +88,6 @@ %patch -P 10 -p1 %endif %setup -q -n %{name}-%{version} -%patch1 -p 1 cp %{S:1} %{S:2} %{S:3} %{S:4} %{S:5} . %build ++++++ apptainer-1.1.6.tar.gz -> apptainer-1.1.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/CHANGELOG.md new/apptainer-1.1.7/CHANGELOG.md --- old/apptainer-1.1.6/CHANGELOG.md 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/CHANGELOG.md 2023-03-28 22:17:08.000000000 +0200 
@@ -5,6 +5,28 @@ and re-branded as Apptainer. For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md). +## v1.1.7 - \[2023-03-28\] + +### Changes since last release + +- Allow gpu options such as `--nv` to be nested by always inheriting all + libraries bound in to a parent container's `/.singularity.d/libs`. +- Map the user's home directory to the root home directory by default in the + non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both + action commands and building containers from definition files. +- Avoid `unknown option` error when using a bare squashfs image with + an unpatched `squashfuse_ll`. +- Fix `GOCACHE` settings for golang build on PPA build environment. +- Make the error message more helpful in another place where a remote is found + to have no library client. +- Allow symlinks to the compiled prefix for suid installations. Fixes a + regression introduced in 1.1.4. +- Avoid incorrect error when requesting fakeroot network. +- Build via zypper on SLE systems will use repositories of host via + suseconnect-container. +- Pass computed `LD_LIBRARY_PATH` to wrapped unsquashfs. Fixes issues where + `unsquashfs` on host uses libraries in non-default paths. + ## v1.1.6 - \[2023-02-14\] ### Security fix diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/CONTRIBUTORS.md new/apptainer-1.1.7/CONTRIBUTORS.md --- old/apptainer-1.1.6/CONTRIBUTORS.md 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/CONTRIBUTORS.md 2023-03-28 22:17:08.000000000 +0200 
@@ -84,6 +84,7 @@ - Tarcisio Fedrizzi <[email protected]> - Thomas Hamel <[email protected]> - Tim Wright <[email protected]> +- Tobias Poschwatta <[email protected]> - Tru Huynh <[email protected]> - Tyson Whitehead <[email protected]> - Vanessa Sochat <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/INSTALL.md new/apptainer-1.1.7/INSTALL.md --- old/apptainer-1.1.6/INSTALL.md 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/INSTALL.md 2023-03-28 22:17:08.000000000 +0200 @@ -137,7 +137,7 @@ for example: ```sh -git checkout v1.1.6 +git checkout v1.1.7 ``` ## Compiling Apptainer @@ -259,7 +259,7 @@ <!-- markdownlint-disable MD013 --> ```sh -VERSION=1.1.6 # this is the apptainer version, change as you need +VERSION=1.1.7 # this is the apptainer version, change as you need # Fetch the source wget https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz ``` @@ -308,7 +308,7 @@ <!-- markdownlint-disable MD013 --> ```sh -VERSION=1.1.6 # this is the latest apptainer version, change as you need +VERSION=1.1.7 # this is the latest apptainer version, change as you need ./mconfig make -C builddir rpm sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr - \~)*.x86_64.rpm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/cmd/internal/cli/actions_linux.go new/apptainer-1.1.7/cmd/internal/cli/actions_linux.go --- old/apptainer-1.1.6/cmd/internal/cli/actions_linux.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/cmd/internal/cli/actions_linux.go 2023-03-28 22:17:08.000000000 +0200 
@@ -206,8 +206,22 @@ if isPrivileged && namespaces.IsUnprivileged() { // Already running root-mapped unprivileged IsFakeroot = false + UserNamespace = true sylog.Debugf("running root-mapped unprivileged") var err error + // Try to bind-mount the original user's home directory to /root. + // This may be overridden later by custom home directory settings, + // but this makes it available later as a source for the what it + // thinks of as the "original" user's home directory, if needed. + homedir := os.Getenv("HOME") + if homedir != "" { + err = syscall.Mount(homedir, "/root", "", syscall.MS_BIND, "") + if err != nil { + sylog.Debugf("Failure bind-mounting %s to /root: %v, skipping", homedir, err) + } else { + sylog.Debugf("Bind-mounting %s to /root", homedir) + } + } if IgnoreFakerootCmd { err = errors.New("fakeroot command is ignored because of --ignore-fakeroot-command") } else { @@ -223,7 +237,7 @@ IsFakeroot = false var err error if IgnoreUserns { - err = errors.New("could not start root-mapped namespace because of --ignore-userns is set") + err = errors.New("could not start root-mapped namespace because --ignore-userns is set") } else { err = fakeroot.UnshareRootMapped(os.Args) } @@ -560,6 +574,9 @@ // user's standard $HOME -> /root and we want to respect --contain not mounting // the $HOME in this case. // See https://github.com/apptainer/singularity/pull/5227 + // Note from dwd on 3/24/22: it's not clear to me that this has + // any effect because getHomePaths() appears to ignore the + // HomeDir settings if there is no CustomHome if !homeFlag.Changed && IsFakeroot { HomePath = fmt.Sprintf("%s:/root", HomePath) } 
@@ -673,8 +690,6 @@ engineConfig.SetNetwork(Network) } if IsFakeroot && Network != "none" { - engineConfig.SetNetwork("fakeroot") - // unprivileged installation could not use fakeroot // network because it requires a setuid installation // so we fallback to none diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/cmd/internal/cli/apptainer.go new/apptainer-1.1.7/cmd/internal/cli/apptainer.go --- old/apptainer-1.1.6/cmd/internal/cli/apptainer.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/cmd/internal/cli/apptainer.go 2023-03-28 22:17:08.000000000 +0200 @@ -846,7 +846,7 @@ return nil, err } if libClientConfig.BaseURL == "" { - return nil, fmt.Errorf("remote has no library client") + return nil, fmt.Errorf("remote has no library client (see https://apptainer.org/docs/user/latest/endpoint.html#no-default-remote)") } return libClientConfig, nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/cmd/internal/cli/build_linux.go new/apptainer-1.1.7/cmd/internal/cli/build_linux.go --- old/apptainer-1.1.6/cmd/internal/cli/build_linux.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/cmd/internal/cli/build_linux.go 2023-03-28 22:17:08.000000000 +0200 @@ -18,6 +18,7 @@ osExec "os/exec" "strconv" "strings" + "syscall" "github.com/apptainer/apptainer/internal/pkg/build" "github.com/apptainer/apptainer/internal/pkg/buildcfg" @@ -87,7 +88,7 @@ sylog.Infof("User not listed in %v, trying root-mapped namespace", fakeroot.SubUIDFile) os.Setenv("_APPTAINER_FAKEFAKEROOT", "1") if buildArgs.ignoreUserns { - err = errors.New("could not start root-mapped namesapce because of --ignore-userns is set") + err = errors.New("could not start root-mapped namespace because --ignore-userns is set") } else { err = fakeroot.UnshareRootMapped(args) } 
@@ -142,10 +143,25 @@ fakerootPath := "" if os.Getenv("_APPTAINER_FAKEFAKEROOT") == "1" { + var err error + uid := os.Getuid() + if uid == 0 { + // Try to bind-mount the original user's home directory to /root. + // This enables things like git clone to work in the %setup section + // of a definition file. + homedir := os.Getenv("HOME") + if homedir != "" { + err = syscall.Mount(homedir, "/root", "", syscall.MS_BIND, "") + if err != nil { + sylog.Debugf("Failure bind-mounting %s to /root: %v, skipping", homedir, err) + } else { + sylog.Debugf("Bind-mounting %s to /root", homedir) + } + } + } // Try fakeroot command os.Unsetenv("_APPTAINER_FAKEFAKEROOT") buildArgs.fakeroot = false - var err error if buildArgs.ignoreFakerootCmd { err = errors.New("fakeroot command is ignored because of --ignore-fakeroot-command") } else { @@ -153,7 +169,7 @@ } if err != nil { sylog.Infof("fakeroot command not found") - if os.Getuid() != 0 { + if uid != 0 { if fs.IsFile(spec) && !isImage(spec) { sylog.Fatalf("Building from a definition file requires root or some kind of fake root") } @@ -163,7 +179,7 @@ sylog.Infof("Installing some packages may fail") } else { sylog.Infof("The %%post section will be run under fakeroot") - if !buildArgs.fixPerms && os.Getuid() != 0 { + if !buildArgs.fixPerms && uid != 0 { sylog.Infof("Using --fix-perms because building from a definition file") sylog.Infof(" without either root user or unprivileged user namespaces") buildArgs.fixPerms = true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/dist/debian/rules new/apptainer-1.1.7/dist/debian/rules --- old/apptainer-1.1.6/dist/debian/rules 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/dist/debian/rules 2023-03-28 22:17:08.000000000 +0200 
@@ -79,7 +79,7 @@ cd $(GOROOT)/..; \ tar -xf $$HERE/debian/go$(MINGO_VERSION).src.tar.gz; \ cd go/src; \ - ./make.bash; \ + GOCACHE=$(GOCACHE) ./make.bash; \ fi ifneq ($(NEW_VERSION),) $(warning "Setting new version in debian changelog: $(NEW_VERSION)") @@ -92,7 +92,6 @@ --mandir=/usr/share/man override_dh_auto_build: - @mkdir -p $(GOCACHE) @PATH=$(GOROOT)/bin:$$PATH GOCACHE=$(GOCACHE) dh_auto_build -Smakefile --parallel --max-parallel=$(MAKEPARALLEL) -D$(DEB_SC_BUILDDIR) override_dh_auto_install: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/docs/content.go new/apptainer-1.1.7/docs/content.go --- old/apptainer-1.1.6/docs/content.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/docs/content.go 2023-03-28 22:17:08.000000000 +0200 @@ -90,6 +90,15 @@ MirrorURL: http://mirror.centos.org/centos-%{OSVERSION}/%{OSVERSION}/os/x86_64/ Include: yum + SUSE: + Bootstrap: zypper # on SLE system registration of build host is used + Include: zypper + + openSUSE: + Bootstrap: zypper + MirrorURL: http://download.opensuse.org/distribution/openSUSE-stable/repo/oss + Include: zypper + Debian/Ubuntu: Bootstrap: debootstrap OSVersion: trusty diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/examples/sle/Apptainer new/apptainer-1.1.7/examples/sle/Apptainer --- old/apptainer-1.1.6/examples/sle/Apptainer 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/examples/sle/Apptainer 2023-03-28 22:17:08.000000000 +0200 
@@ -1,38 +1,13 @@ +# use repos and registration from build host BootStrap: zypper -OSVersion: 12.4 -Product: SLE-HPC/%{OSVERSION}/x86_64 -User: -Regcode: -# MirrorURL: -# Modules: sle-module-basesystem,sle-module-server-applications,sle-module-web-scripting,sle-module-hpc -Include: zypper -# Otherurl0: -# Otherurl1: -ProductPGP: -----BEGIN PGP PUBLIC KEY BLOCK-----\n\ -Version: rpm-4.11.2 (NSS-3)\n\ -\n\ -mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp\n\ -YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY\n\ -91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma\n\ -hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9\n\ -vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8\n\ -L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT\n\ -aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYCGwMGCwkIBwMCBBUC\n\ -CAMEFgIDAQIeAQIXgAUCWEfrHwUJDsIitAAKCRBwr56BOdt8gpqUB/wPSSS5BcDu\n\ -Oi4n02cj4Hdt7WITKBjjo0lG1fXG1ppx1wOST+s8FertMVFY53TW6FGjcYtwVOIq\n\ -rsMYiV6kf1NxUV/jcAy7VmC5EZnO0R/D3sT4Oh5hsLtERauZolK5BZmd0S51Qa8e\n\ -TxZ5mX9PL2i3s/ShETc30drf83ugc7B4yZPNQWXNDPgGcC+hEeC5qw48RzHYIpUt\n\ -RzHmefR5Z3ioTUbDlzy+SGP2uA7mhR4Lfk/df5fYxWfCoKlyGjtrvA65cB+Pksyn\n\ -xrAeBuB+vBM+KnDrxW2Sn4AbWkzH//dfz9OJDJu4UM91hb7qxM0OkrXHQV3iNqzg\n\ -MDEhky/9NqMy\n\ -=GdP5\n\ ------END PGP PUBLIC KEY BLOCK----- + %runscript echo "This is what happens when you run the container..." %post + update-ca-certificates echo "Hello from inside the container" zypper lr -d SUSEConnect -l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/go.mod new/apptainer-1.1.7/go.mod --- old/apptainer-1.1.6/go.mod 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/go.mod 2023-03-28 22:17:08.000000000 +0200 
@@ -56,6 +56,7 @@ ) require ( + github.com/BurntSushi/toml v1.2.0 github.com/docker/distribution v2.8.1+incompatible github.com/hashicorp/go-multierror v1.1.1 github.com/sirupsen/logrus v1.9.0 @@ -64,7 +65,6 @@ require ( github.com/AdamKorcz/go-fuzz-headers v0.0.0-20210319161527-f761c2329661 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect - github.com/BurntSushi/toml v1.2.0 // indirect github.com/Microsoft/go-winio v0.5.2 // indirect github.com/Microsoft/hcsshim v0.9.4 // indirect github.com/VividCortex/ewma v1.2.0 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/build/sources/conveyorPacker_zypper.go new/apptainer-1.1.7/internal/pkg/build/sources/conveyorPacker_zypper.go --- old/apptainer-1.1.6/internal/pkg/build/sources/conveyorPacker_zypper.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/build/sources/conveyorPacker_zypper.go 2023-03-28 22:17:08.000000000 +0200 @@ -14,7 +14,6 @@ "bytes" "context" "fmt" - "io/ioutil" "os" "os/exec" "path/filepath" @@ -24,13 +23,18 @@ "strings" "syscall" + "github.com/BurntSushi/toml" "github.com/apptainer/apptainer/internal/pkg/util/bin" + "github.com/apptainer/apptainer/internal/pkg/util/fs" "github.com/apptainer/apptainer/pkg/build/types" "github.com/apptainer/apptainer/pkg/sylog" ) const ( - zypperConf = "/etc/zypp/zypp.conf" + zypperConf = "/etc/zypp/zypp.conf" + osreleaseFile = "/etc/os-release" + ssccredentialsFile = "/etc/zypp/credentials.d/SCCcredentials" + gpgKeyid = "gpg-pubkey-307e3d54-5aaa90a5 gpg-pubkey-39db7c82-5f68629b" ) // ZypperConveyorPacker only needs to hold the bundle for the container 
@@ -58,6 +62,8 @@ func (cp *ZypperConveyorPacker) Get(ctx context.Context, b *types.Bundle) (err error) { var suseconnectProduct, suseconnectModver string var suseconnectPath string + // dependContainer is a container which shares the repos with the host through container-suseconnect + dependContainer := false var pgpfile string var iosmajor int var otherurl [20]string @@ -76,7 +82,6 @@ } include := cp.b.Recipe.Header["include"] - // check for include environment variable and add it to requires string include += ` ` + os.Getenv("INCLUDE") @@ -86,14 +91,22 @@ // add aaa_base to start of include list by default include = `aaa_base ` + include + suseVars := getSusevars() // get mirrorURL, OSVerison, and Includes components to definition osversion, osversionOk := cp.b.Recipe.Header["osversion"] + if !osversionOk { + osversion = suseVars.Version + } mirrorurl, mirrorurlOk := cp.b.Recipe.Header["mirrorurl"] updateurl, updateurlOk := cp.b.Recipe.Header["updateurl"] sleproduct, sleproductOk := cp.b.Recipe.Header["product"] sleuser, sleuserOk := cp.b.Recipe.Header["user"] sleregcode, sleregcodeOk := cp.b.Recipe.Header["regcode"] slepgp, slepgpOk := cp.b.Recipe.Header["productpgp"] + if !slepgpOk && suseVars.GpgKeyOk { + slepgpOk = true + slepgp = suseVars.GpgKey + } sleurl, sleurlOk := cp.b.Recipe.Header["registerurl"] slemodules, slemodulesOk := cp.b.Recipe.Header["modules"] cnt := -1 @@ -116,7 +129,6 @@ } } regex := regexp.MustCompile(`(?i)%{OSVERSION}`) - if sleproductOk || sleuserOk || sleregcodeOk { if !sleproductOk || !sleuserOk || !sleregcodeOk { return fmt.Errorf("for installation of SLE 'Product', 'User' and 'Regcode' need to be set") 
@@ -173,23 +185,9 @@ default: return fmt.Errorf("malformed Product setting") } - if slepgpOk { - tmpfile, err := ioutil.TempFile("/tmp", "apptainer-pgp") - if err != nil { - return fmt.Errorf("cannot create pgp-file: %v", err) - } - pgpfile = tmpfile.Name() - - if _, err = tmpfile.WriteString(slepgp + "\n"); err != nil { - return fmt.Errorf("cannot write pgp-file: %v", err) - } - if err = tmpfile.Close(); err != nil { - return fmt.Errorf("cannot close pgp-file %v", err) - } - } include = include + ` SUSEConnect` - } else { + } else if mirrorurlOk { if !mirrorurlOk { return fmt.Errorf("invalid zypper header, no MirrorURL specified") } @@ -202,6 +200,24 @@ updateurl = regex.ReplaceAllString(updateurl, osversion) } } + } else if suseVars.HasScc { + dependContainer = true + include += " container-suseconnect" + cp.b.Opts.Binds = append(cp.b.Opts.Binds, ssccredentialsFile+":"+ssccredentialsFile) + } + if slepgpOk { + tmpfile, err := os.CreateTemp("/tmp", "apptainer-pgp") + if err != nil { + return fmt.Errorf("cannot create pgp-file: %v", err) + } + pgpfile = tmpfile.Name() + + if _, err = tmpfile.WriteString(slepgp + "\n"); err != nil { + return fmt.Errorf("cannot write pgp-file: %v", err) + } + if err = tmpfile.Close(); err != nil { + return fmt.Errorf("cannot close pgp-file %v", err) + } } // Create the main portion of zypper config 
@@ -318,8 +334,26 @@ return fmt.Errorf("while refreshing: %s %v", `repo-`+sID, err) } } + args := []string{`--non-interactive`, `-c`, filepath.Join(cp.b.RootfsPath, zypperConf)} + if dependContainer { + // --installroot will use containers from repo + args = append(args, `--installroot`, cp.b.RootfsPath) + include += " zypper" + if suseVars.HasScc { + if err = os.MkdirAll(filepath.Join(cp.b.RootfsPath, "/etc/zypp/credentials.d/"), 0o755); err != nil { + return fmt.Errorf("cannot recreate /etc/zypp/credentials.d/ directories: %v", err) + } + sccF, err := os.Create(filepath.Join(cp.b.RootfsPath, "/etc/zypp/credentials.d/SCCcredentials")) + if err != nil { + return fmt.Errorf("couldn't create SCCcredentials file: %v", err) + } + sccF.Close() + } + } else { + args = append(args, `--root`, cp.b.RootfsPath, `--releasever=`+osversion) + } + args = append(args, `-n`, `install`, `--auto-agree-with-licenses`, `--download-in-advance`) - args := []string{`--non-interactive`, `-c`, filepath.Join(cp.b.RootfsPath, zypperConf), `--root`, cp.b.RootfsPath, `--releasever=` + osversion, `-n`, `install`, `--auto-agree-with-licenses`, `--download-in-advance`} args = append(args, strings.Fields(include)...) // Zypper install command @@ -392,7 +426,7 @@ return fmt.Errorf("while creating %v: %v", filepath.Join(cp.b.RootfsPath, "/etc/zypp"), err) } - err = ioutil.WriteFile(filepath.Join(cp.b.RootfsPath, zypperConf), []byte("[main]\ncachedir=/val/cache/zypp-bootstrap\n\n"), 0o664) + err = os.WriteFile(filepath.Join(cp.b.RootfsPath, zypperConf), []byte("[main]\ncachedir=/var/cache/zypp-bootstrap\n\n"), 0o664) if err != nil { return } 
@@ -469,3 +503,44 @@ return nil } + +/* +Parse the /etc/os.release file to a a struct, so that SUSE versions +need not to be set on a SLE syste, +*/ +func getSusevars() (ret struct { + osRelease + GpgKey string + GpgKeyOk bool + HasScc bool +}, +) { + // ignore errors as we check for empty fields later + b, _ := os.ReadFile(osreleaseFile) + var osrel osRelease + _ = toml.Unmarshal(b, &osrel) + ret.osRelease = osrel + if ret.Name != "" { + ret.Product = ret.Name + "/" + ret.VersionID + "/" + runtime.GOARCH + } + ret.GpgKeyOk = false + args := []string{"-q", "--qf", "'%{PUBKEYS:armor}'"} + args = append(args, strings.Split(gpgKeyid, " ")...) + out, err := exec.Command("rpm", args...).Output() + if err == nil { + ret.GpgKeyOk = true + ret.GpgKey = string(out) + } + ret.HasScc = fs.IsFile(ssccredentialsFile) + return ret +} + +/* +hold the os_release vars +*/ +type osRelease struct { + Name string `toml:"NAME"` + Version string `toml:"VERSION"` + VersionID string `toml:"VERSION_ID"` + Product string +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/build/stage.go new/apptainer-1.1.7/internal/pkg/build/stage.go --- old/apptainer-1.1.6/internal/pkg/build/stage.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/build/stage.go 2023-03-28 22:17:08.000000000 +0200 @@ -109,7 +109,11 @@ } cmdArgs = append(cmdArgs, "-B", strings.Join(fakerootBinds[:], ",")) } - + if len(s.b.Opts.Binds) != 0 { + for _, bind := range s.b.Opts.Binds { + cmdArgs = append(cmdArgs, "-B", bind) + } + } script := s.b.Recipe.BuildData.Post scriptPath := filepath.Join(s.b.RootfsPath, ".post.script") if err = createScript(scriptPath, []byte(script.Script)); err != nil { 
@@ -153,6 +157,11 @@ if sessionHosts != "" { cmdArgs = append(cmdArgs, "-B", sessionHosts+":/etc/hosts") } + if len(s.b.Opts.Binds) != 0 { + for _, bind := range s.b.Opts.Binds { + cmdArgs = append(cmdArgs, "-B", bind) + } + } exe := filepath.Join(buildcfg.BINDIR, "apptainer") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/buildcfg/confgen/gen.go new/apptainer-1.1.7/internal/pkg/buildcfg/confgen/gen.go --- old/apptainer-1.1.6/internal/pkg/buildcfg/confgen/gen.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/buildcfg/confgen/gen.go 2023-03-28 22:17:08.000000000 +0200 @@ -89,7 +89,12 @@ ) func getPrefix() (string) { + // NOTE: the first time this is called (from isSuidInstall()) is very + // early, and some error conditions may happen before debug messages + // are enabled. Warnings and info messages do still work at that point. prefixOnce.Do(func() { + // Although this is a sync.Once, there are multiple address + // spaces using this code so it does get called more than once executablePath, err := os.Executable() if err != nil { sylog.Warningf("Error getting executable path, using default: %v", err) @@ -100,7 +105,9 @@ _, err = os.Stat(executablePath) if err != nil { // Due to mount namespace issues, os.Executable may return a non-existing - // location + // location. This is normal when starter-suid is in its compiled location, + // but assuming the original prefix here may help also in other circumstances. + // See https://github.com/apptainer/apptainer/issues/1061 installPrefix = "{{.Prefix}}" return } @@ -110,7 +117,8 @@ switch base { case "apptainer": - if bin == "{{.Bindir}}" { + realBindir, err := filepath.EvalSymlinks("{{.Bindir}}") + if err == nil && bin == realBindir { // apptainer binary was not relocated installPrefix = "{{.Prefix}}" } else { 
@@ -121,7 +129,8 @@ // The default LIBEXECDIR is PREFIX/libexec // LIBEXECDIR/apptainer/bin/starter{|-suid} installLibexecdir := filepath.Dir(filepath.Dir(bin)) - if installLibexecdir == "{{.Libexecdir}}" { + realLibexecdir, err := filepath.EvalSymlinks("{{.Libexecdir}}") + if err == nil && installLibexecdir == realLibexecdir { // starter was not relocated installPrefix = "{{.Prefix}}" } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/fakeroot/fakefake.go new/apptainer-1.1.7/internal/pkg/fakeroot/fakefake.go --- old/apptainer-1.1.6/internal/pkg/fakeroot/fakefake.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/fakeroot/fakefake.go 2023-03-28 22:17:08.000000000 +0200 @@ -25,14 +25,14 @@ "github.com/apptainer/apptainer/pkg/sylog" ) -// re-exec the command effectively under unshare -r +// re-exec the command effectively under unshare -rm func UnshareRootMapped(args []string) error { cmd := osExec.Command(args[0], args[1:]...) cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr cmd.Stdin = os.Stdin cmd.SysProcAttr = &syscall.SysProcAttr{} - cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWUSER + cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS cmd.SysProcAttr.UidMappings = []syscall.SysProcIDMap{ {ContainerID: 0, HostID: syscall.Getuid(), Size: 1}, } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/image/driver/imagedriver.go new/apptainer-1.1.7/internal/pkg/image/driver/imagedriver.go --- old/apptainer-1.1.6/internal/pkg/image/driver/imagedriver.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/image/driver/imagedriver.go 2023-03-28 22:17:08.000000000 +0200 
@@ -176,7 +176,11 @@ // this will be passed as the first ExtraFile below, always fd 3 srcPath = "/proc/self/fd/3" } - cmdArgs = append(cmdArgs, f.cmdPath, "-f", "-o", optsStr, srcPath, params.Target) + if optsStr != "" { + cmdArgs = append(cmdArgs, f.cmdPath, "-f", "-o", optsStr, srcPath, params.Target) + } else { + cmdArgs = append(cmdArgs, f.cmdPath, "-f", srcPath, params.Target) + } cmd = exec.Command(cmdArgs[0], cmdArgs[1:]...) case "ext3": diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/image/unpacker/squashfs_apptainer.go new/apptainer-1.1.7/internal/pkg/image/unpacker/squashfs_apptainer.go --- old/apptainer-1.1.6/internal/pkg/image/unpacker/squashfs_apptainer.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/image/unpacker/squashfs_apptainer.go 2023-03-28 22:17:08.000000000 +0200 @@ -363,6 +363,7 @@ cmd.Dir = "/" cmd.Env = []string{ fmt.Sprintf("LD_LIBRARY_PATH=%s", strings.Join(libraryPath, string(os.PathListSeparator))), + fmt.Sprintf("APPTAINERENV_LD_LIBRARY_PATH=%s", strings.Join(libraryPath, string(os.PathListSeparator))), fmt.Sprintf("APPTAINER_DEBUG=%s", os.Getenv("APPTAINER_DEBUG")), } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/runtime/engine/apptainer/container_linux.go new/apptainer-1.1.7/internal/pkg/runtime/engine/apptainer/container_linux.go --- old/apptainer-1.1.6/internal/pkg/runtime/engine/apptainer/container_linux.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/runtime/engine/apptainer/container_linux.go 2023-03-28 22:17:08.000000000 +0200 @@ -2382,7 +2382,6 @@ sessionNetNs = "/netns" ) - fakeroot := c.engine.EngineConfig.GetFakeroot() net := c.engine.EngineConfig.GetNetwork() // If we haven't requested a network namespace, or we have but with no config, we are done here 
@@ -2390,10 +2389,21 @@ return nil, nil } - // Otherwise start checking what's permitted for the current user + // In fakeroot mode only permit the `fakeroot` CNI config, overriding any other request. euid := os.Geteuid() + fakeroot := c.engine.EngineConfig.GetFakeroot() + forceFakerootNet := false + if fakeroot && euid != 0 { + if net != fakerootNet { + sylog.Warningf("Only --network=%s is permitted in --fakeroot mode. You requested '%s'.", fakerootNet, net) + sylog.Warningf("Overriding with --network=%s", fakerootNet) + } + forceFakerootNet = true + net = fakerootNet + } + allowedNetUnpriv := false - if euid != 0 { + if euid != 0 && !forceFakerootNet { // Is the user permitted in the list of unpriv users / groups permitted to use CNI? allowedNetUser, err := user.UIDInList(euid, c.engine.EngineConfig.File.AllowNetUsers) if err != nil { @@ -2406,7 +2416,11 @@ // Is/are the requested network(s) in the list of networks allowed for unpriv CNI? allowedNetNetwork := false for _, n := range strings.Split(net, ",") { - allowedNetNetwork = slice.ContainsString(c.engine.EngineConfig.File.AllowNetNetworks, n) + // Allowed in apptainer.conf + adminPermitted := slice.ContainsString(c.engine.EngineConfig.File.AllowNetNetworks, n) + // 'fakeroot' network is always allowed in --fakeroot mode + fakerootPermitted := fakeroot && net == fakerootNet + allowedNetNetwork = adminPermitted || fakerootPermitted // If any one requested network is not allowed, disallow the whole config if !allowedNetNetwork { if !fakeroot { 
@@ -2433,14 +2447,7 @@ if err := system.Points.AddBind(mount.SharedTag, procNetNs, nspath, 0); err != nil { return nil, fmt.Errorf("could not hold network namespace reference: %s", err) } - networks := strings.Split(c.engine.EngineConfig.GetNetwork(), ",") - - // In fakeroot mode only permit the `fakeroot` CNI config - if fakeroot && euid != 0 && net != fakerootNet { - // set as debug message to avoid annoying warning - sylog.Debugf("only '%s' network is allowed for regular user, you requested '%s'", fakerootNet, net) - networks = []string{fakerootNet} - } + networks := strings.Split(net, ",") cniPath := &network.CNIPath{} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/internal/pkg/util/paths/resolve.go new/apptainer-1.1.7/internal/pkg/util/paths/resolve.go --- old/apptainer-1.1.6/internal/pkg/util/paths/resolve.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/internal/pkg/util/paths/resolve.go 2023-03-28 22:17:08.000000000 +0200 @@ -71,20 +71,25 @@ return nil, nil, fmt.Errorf("could not retrieve ld cache: %v", err) } - boundLibsDir := "/.singularity.d/libs" - boundLibs, err := ioutil.ReadDir(boundLibsDir) - if err != nil { - boundLibs = nil // just in case - } - // Track processed binaries/libraries to eliminate duplicates bins := make(map[string]struct{}) libs := make(map[string]struct{}) var libraries []string var binaries []string + + boundLibsDir := "/.singularity.d/libs" + boundLibs, err := ioutil.ReadDir(boundLibsDir) + if err == nil { + // Inherit all libraries from a parent + for _, boundLib := range boundLibs { + libName := boundLib.Name() + libs[libName] = struct{}{} + libraries = append(libraries, filepath.Join(boundLibsDir, libName)) + } + } + for _, file := range fileList { - // if the file contains an ".so", treat it as a library if strings.Contains(file, ".so") { // If we have an absolute path, add it 'as-is', plus any symlinks that resolve to it if filepath.IsAbs(file) { 
@@ -107,21 +112,6 @@ sylog.Warningf("Could not close ELIB: %v", err) } } else { - // look first in /.singularity.d/libs - // this enables using gpu options in nested containers - gotone := false - for _, boundLib := range boundLibs { - libName := boundLib.Name() - if !strings.HasPrefix(libName, file) { - continue - } - libraries = append(libraries, filepath.Join(boundLibsDir, libName)) - gotone = true - break - } - if gotone { - continue - } for libPath, libName := range ldCache { if !strings.HasPrefix(libName, file) { continue diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/mconfig new/apptainer-1.1.7/mconfig --- old/apptainer-1.1.6/mconfig 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/mconfig 2023-03-28 22:17:08.000000000 +0200 @@ -882,7 +882,7 @@ -e "s/@PACKAGE_RELEASE@/${release_info}/" \ -e "s,@PACKAGE_GOLANG_SOURCE@,${package_golang_source}," \ $sourcedir/dist/rpm/$RPMSPEC.in | \ - while read -r; do + while IFS='' read -r REPLY; do if [ "$REPLY" = "@BUNDLED_PROVIDES@" ]; then # Calculate bundled provides awk '{if (index($1, "/") != 0 && ($1 != "//")) {print "Provides: bundled(golang("$1")) = "$2}}' go.mod | sed -e 's/-/_/g' | sort | uniq diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/pkg/build/types/bundle.go new/apptainer-1.1.7/pkg/build/types/bundle.go --- old/apptainer-1.1.6/pkg/build/types/bundle.go 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/pkg/build/types/bundle.go 2023-03-28 22:17:08.000000000 +0200 
@@ -81,6 +81,8 @@ // To warn when the above is needed, we need to know if the target of this // bundle will be a sandbox SandboxTarget bool + // Binds stores bind mounts used for the post scripts + Binds []string } // NewEncryptedBundle creates an Encrypted Bundle environment. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.6/tools/install-unprivileged.sh new/apptainer-1.1.7/tools/install-unprivileged.sh --- old/apptainer-1.1.6/tools/install-unprivileged.sh 2023-02-14 18:57:18.000000000 +0100 +++ new/apptainer-1.1.7/tools/install-unprivileged.sh 2023-03-28 22:17:08.000000000 +0200 @@ -151,8 +151,11 @@ # $4 -- if true, try replacing "/updates/" with "/releases/" if nothing found # If return value 0, succeeded and stdout contains latest url # If return value not zero, failed and stdout contains final directory url +# If a package is not found, the listing will be silently retried up to 3 times, +# because sometimes not all mirrors are up to date LASTURL="" LASTPKGS="" +RETRY=0 latesturl() { typeset URL="$1" @@ -164,16 +167,25 @@ # optimization: re-use last list if it hasn't changed LASTURL="$URL" LASTPKGS="$(curl -Ls "$URL")" + elif [ $RETRY -gt 0 ]; then + LASTPKGS="$(curl -Ls "$URL")" fi typeset LATEST="$(echo "$LASTPKGS"|sed 's/.*href="//;s/".*//'|grep "^$2-[0-9].*$ARCH"|tail -1)" if [ -n "$LATEST" ]; then + RETRY=0 echo "$URL/$LATEST" elif [ "$4" = true ]; then + RETRY=0 URL="${URL/\/updates\///releases/}" URL="${URL/\/Packages\///os/Packages/}" latesturl "$URL" "$2" false false return $? + elif [ $RETRY -lt 3 ]; then + RETRY=$((RETRY+1)) + latesturl "$URL" "$2" false "$4" + return $? else + RETRY=0 echo "$URL" return 1 fi
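Review bot: in the apptainer.spec hunk `@@ -63,7 +62,8 @@`, dropping `BuildRequires: zlib-devel` while adding only `pkgconfig(liblz4)` and `pkgconfig(liblzma)` inside the squashfuse conditional removes zlib from the build unless another BuildRequires outside this hunk still provides it; squashfuse needs zlib for gzip-compressed images, so either confirm that or keep `BuildRequires: pkgconfig(zlib)` next to the two new lines.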
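Review bot: in actions_linux.go hunk `@@ -206,8 +206,22 @@`, the new `/root` bind mount takes `os.Getenv("HOME")` as-is and reports failure only through `sylog.Debugf`, so an unset, relative or non-directory HOME is skipped silently; resolve it with `filepath.Abs` plus an `os.Stat` directory check first and log the skip at info level. The same fifteen-line block is duplicated in build_linux.go, so a shared helper in the fakeroot package would keep both call sites in sync, and the comment `as a source for the what it thinks of as` has a stray word.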
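Review bot: in actions_linux.go hunk `@@ -560,6 +574,9 @@`, the added `Note from dwd on 3/24/22` is an open question (whether `getHomePaths()` ignores the HomeDir setting without a CustomHome) rather than documentation of the code; resolve it before merging or replace it with an issue link, and check the year, since the surrounding change is dated 2023-03-28.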
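Review bot: in build_linux.go hunk `@@ -142,10 +143,25 @@`, binding the user's home directory to `/root` gives the `%setup` and `%post` scripts of the definition file read and write access to the real home directory, which is the stated goal (parity with subuid fakeroot mode) but is not spelled out in the v1.1.7 CHANGELOG entry; say it there so users building definition files they did not write know what is exposed. As in actions_linux.go, a failed mount is only logged at debug level, which makes a later `git clone` failure in `%setup` hard to diagnose.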
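Review bot: in conveyorPacker_zypper.go hunk `@@ -173,23 +185,9 @@`, the inner check `if !mirrorurlOk { return fmt.Errorf("invalid zypper header, no MirrorURL specified") }` can no longer fire because it now sits inside `} else if mirrorurlOk {`, and the chain `if sleproductOk ... else if mirrorurlOk ... else if suseVars.HasScc` has no final `else`, so a definition with no Product, no MirrorURL and no host SCCcredentials proceeds to the zypper install with no repository configured instead of returning that error; move the error into a trailing `else`.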
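Review bot: in conveyorPacker_zypper.go hunk `@@ -318,8 +334,26 @@`, the placeholder `SCCcredentials` is created with `os.Create`, i.e. mode 0666 before umask, under `/etc/zypp/credentials.d/` in the rootfs, and the host's registration credentials are then bind-mounted over it for `%post`; create it with `os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o600)` so the path is never world-readable in the resulting image, and check the return value of `sccF.Close()` rather than discarding it. The `cachedir=/val/cache` to `/var/cache` fix in `@@ -392,7 +426,7 @@` is a behaviour change that deserves its own CHANGELOG line.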
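Review bot: in conveyorPacker_zypper.go hunk `@@ -469,3 +503,44 @@`, `exec.Command("rpm", "-q", "--qf", "'%{PUBKEYS:armor}'", ...)` passes the single quotes literally because no shell is involved, so `ret.GpgKey` is wrapped in `'` characters that are later written verbatim to the pgp temp file; drop the quotes from the format string. `/etc/os-release` is parsed with `toml.Unmarshal` and the error is discarded: the os-release format permits unquoted values, which are invalid TOML, so a parse failure leaves `Version` and `VersionID` empty and, when OSVersion is unset, silently produces `--releasever=`; log the error at debug level and decide whether `VERSION_ID` rather than `VERSION` is the value `--releasever` expects. The import hunk does not add `runtime`, so confirm it is already imported, and the doc comment has typos (`a a struct`, `syste`, `os.release`).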
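Review bot: in the two stage.go hunks, the added `if len(s.b.Opts.Binds) != 0 { for _, bind := range s.b.Opts.Binds { ... } }` blocks are identical and the length guard is redundant around a `range`; a small helper that appends the `-B` pairs, called from both places, avoids the duplication.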
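Review bot: in gen.go hunks `@@ -110,7 +117,8 @@` and `@@ -121,7 +129,8 @@`, switching from a plain string comparison to `filepath.EvalSymlinks("{{.Bindir}}")` changes behaviour when the compiled path does not exist: `err != nil` now always selects the relocated branch, which is probably acceptable given the earlier `os.Stat` check but should be stated in the comment. Because this runs from `isSuidInstall()` inside the setuid starter, also note in the comment that only the compiled prefix paths are resolved and nothing derived from the executable's own location, and the `err` shadowing by `:=` inside the `case` is worth a remark.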
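Review bot: in fakefake.go hunk `@@ -25,14 +25,14 @@`, adding `syscall.CLONE_NEWNS` is what makes the new `$HOME` to `/root` bind mounts in actions_linux.go and build_linux.go possible, but none of the three sites references the others; add a comment here cross-referencing them, stating that the bind is confined to the child mount namespace created by this flag and is not visible from the host, and that the mounts would fail if any caller reached those sites without the new namespace.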
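Review bot: in container_linux.go hunk `@@ -2406,7 +2416,11 @@`, `fakerootPermitted := fakeroot && net == fakerootNet` is dead code: the loop it sits in runs only under `euid != 0 && !forceFakerootNet`, and `forceFakerootNet` is exactly `fakeroot && euid != 0`, so `fakeroot` is always false there, as is the `if !fakeroot {` branch that follows in the context lines. Drop them, or restructure so the fakeroot override and the allow-list check share one path. In `@@ -2390,10 +2389,21 @@` the two `sylog.Warningf` calls replace what the removed code kept at debug level on purpose ("to avoid annoying warning"); if the override is expected in normal use, one info-level line is enough.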
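Review bot: in resolve.go hunk `@@ -71,20 +71,25 @@`, inheriting every entry of `/.singularity.d/libs` only works without duplicates if the `ldCache` loop skips names already present in `libs`; the map is populated here but the check is outside the hunk, so please confirm, otherwise a nested container lists the parent copy and the host copy of the same library. This file also keeps `ioutil.ReadDir` while the rest of the patch migrates `ioutil` calls to `os`; `os.ReadDir` returns `[]os.DirEntry` and `.Name()` works unchanged.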
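Review bot: in install-unprivileged.sh hunk `@@ -164,16 +167,25 @@`, the retry call `latesturl "$URL" "$2" false "$4"` passes a literal `false` as the third argument instead of forwarding `$3`; unless that is intentional (the releases fallback passes `false false` deliberately), forward the original value. The three retries also run back-to-back with no delay, so a stale mirror behind a round-robin hostname can answer all of them; a short `sleep` between attempts makes the retry meaningful. `RETRY` is global state shared across the recursive calls and only stays correct because every exit path resets it, which deserves a comment next to its declaration.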
