Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2022-09-29 18:12:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apptainer" Thu Sep 29 18:12:50 2022 rev:7 rq:1006656 version:1.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2022-09-14 13:45:31.741976865 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.2275/apptainer.changes 2022-09-29 18:13:05.843224806 +0200 @@ -1,0 +2,5 @@ +Wed Sep 28 09:07:18 UTC 2022 - Christian Goll <cg...@suse.com> + +- updated to version 1.1.0 without changes to rc3 + +------------------------------------------------------------------- Old: ---- apptainer-1.1.0-rc.3.tar.gz New: ---- apptainer-1.1.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apptainer.spec ++++++ --- /var/tmp/diff_new_pack.CLVUaT/_old 2022-09-29 18:13:07.071227206 +0200 +++ /var/tmp/diff_new_pack.CLVUaT/_new 2022-09-29 18:13:07.071227206 +0200 @@ -19,7 +19,6 @@ %define apptainerpath src/github.com/apptainer/ %define _buildshell /bin/bash -%define vers_suffix -rc.3 %global squashfuse_version 0.1.105 Summary: Application and environment virtualization ++++++ apptainer-1.1.0-rc.3.tar.gz -> apptainer-1.1.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/CHANGELOG.md new/apptainer-1.1.0/CHANGELOG.md --- old/apptainer-1.1.0-rc.3/CHANGELOG.md 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/CHANGELOG.md 2022-09-27 16:55:22.000000000 +0200 
@@ -5,90 +5,7 @@ and re-branded as Apptainer. For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md). -## v1.1.0-rc.3 - \[2022-09-06\] - -- Imply adding `${prefix}/libexec/apptainer/bin` to the `binary path` in - `apptainer.conf`, which is used for searching for helper executables. - It is implied as the first directory of `$PATH` if present (which is at - the beginning of `binary path` by default) or just as the first directory - if `$PATH` is not included in `binary path`. -- Change squash mounts to prefer to use `squashfuse_ll` instead of - `squashfuse`, if available, for improved performance. - `squashfuse_ll` is available on RHEL-based systems but not Debian as - part of the `squashfuse` package. - Also, for even better parallel performance, include a patched multithreaded - version of `squashfuse_ll` in rpm and debian packaging in - `${prefix}/libexec/apptainer/bin`. -- Add `--unsquash` action flag to temporarily convert a SIF file to a - sandbox before running. In previous versions this was the default when - running a SIF file without setuid or with fakeroot, but now the default - is to instead mount with squashfuse. -- Add `--sparse` flag to `overlay create` command to allow generation of a - sparse ext3 overlay image. -- Support for a custom hashbang in the `%test` section of an Apptainer recipe - (akin to the runscript and start sections). -- When using fakeroot in setuid mode, have the image drivers first enter the - the container's user namespace to avoid write errors with overlays. -- Skip trying to use kernel overlayfs when using writable overlay and the - lower layer is FUSE, because of a kernel bug introduced in kernel 5.15. -- Add additional hidden options to the action command for testing different fakeroot - modes with `--fakeroot`: `--ignore-subuid`, `--ignore-fakeroot-command`, - and `--ignore-userns`. 
-- Fix github release rpm to be installable on EL8 & EL9 by not requiring - the fuse2fs package which doesn't exist there. Instead, on EL7 cause an - install failure if /usr/*bin/fuse2fs is not installed with a message - explaining how to fix it. The EPEL build won't have this issue; there - EPEL7 will require the fuse2fs package. -- Fix ORAS image push to registries with authorization servers not supporting - multiple scope query parameter. - -## v1.1.0-rc.2 - \[2022-08-16\] - -### Changed defaults / behaviours - -- Fixed longstanding bug in the underlay logic when there are nested bind - points separated by more than one path level, for example `/var` and - `/var/lib/yum`, and the path didn't exist in the container image. - The bug only caused an error when there was a directory in the container - image that didn't exist on the host. -- Improved wildcard matching in the %files directive of build definition - files by replacing usage of sh with the mvdan.cc library. -- Replaced checks for compatible filesystem types when using fuse-overlayfs - with an INFO message when an incompatible filesystem type causes it to - be unwritable by a fakeroot user. -- Mount the user's home directory at `/root` when using `--fakeroot` in - the setuid flow (fixes a regression introduced in 1.1.0-rc.1 which didn't - impact non-setuid flow). -- The `--nvccli` option now works without `--fakeroot`. In that case the - option can be used with `--writable-tmpfs` instead of `--writable`, - and `--writable-tmpfs` is implied if neither option is given. - Note that also `/usr/bin` has to be writable by the user, so without - `--fakeroot` that probably requires a sandbox image that was built with - `--fix-perms`. -- The `--nvccli` option implies `--nv`. -- Configure squashfuse to always show files to be owned by the current user. - That's especially important for fakeroot to prevent most of the files - from looking like they are owned by user 65534. 
-- The fakeroot command can now be used even if $PATH is empty in the - environment of the apptainer command. -- Allow the ``newuidmap`` command to be missing if the current user is not - listed in ``/etc/subuid``. -- Require the ``uidmap`` package in Debian packaging. -- Improved error handling of unsupported pass protected PEM files with - encrypted containers. -- Require fuse2fs in RPM packaging. In EPEL7 the package is called fuse2fs, - otherwise it is in e2fsprogs. -- Require the fuse-overlayfs package for all RPM packages instead of just - on el7 because it is sometimes useful even with kernel support for - unprivileged overlayfs. -- Ensure bootstrap_history directory is populated with previous definition - files, present in source containers used in a build. -- Add additional options to the build command for testing different fakeroot - modes: `--userns` like the action flag and hidden options `--ignore-subuid`, - `--ignore-fakeroot-command`, and `--ignore-userns`. -- Require root user early when building an encrypted container. - -## v1.1.0-rc.1 - \[2022-08-01\] +## v1.1.0 - \[2022-09-27\] ### Changed defaults / behaviours 
@@ -104,8 +21,15 @@ namespaces, we recommend disabling network namespaces if you can. See the [discussion in the admin guide](https://apptainer.org/docs/admin/main/user_namespace.html#disabling-network-namespaces). - Added a squashfuse image driver that enables mounting SIF files without - using setuid-root. Requires the squashfuse command and unprivileged user - namespaces. + using setuid-root. Uses either a squashfuse_ll command or a + squashfuse command and requires unprivileged user namespaces. + For better parallel performance, a patched multithreaded version of + `squashfuse_ll` is included in rpm and debian packaging in + `${prefix}/libexec/apptainer/bin`. +- Added an `--unsquash` action flag to temporarily convert a SIF file to a + sandbox before running. In previous versions this was the default when + running a SIF file without setuid or with fakeroot, but now the default + is to mount with squashfuse_ll or squashfuse. - Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF overlay partitions without using setuid-root. Requires the fuse2fs command and unprivileged user namespaces. 
@@ -153,20 +77,37 @@ When unprivileged user namespaces are not available, such that only the fakeroot command can be used, the `--fix-perms` option is implied to allow writing into directories. +- Added additional hidden options to action and build commands for testing + different fakeroot modes: `--ignore-subuid`, `--ignore-fakeroot-command`, + and `--ignore-userns`. + Also added `--userns` to the build command to ignore setuid-root mode + like action commands do. - Added a `--fakeroot` option to the `apptainer overlay create` command to make an overlay EXT3 image file that works with the fakeroot that comes from unprivileged root-mapped namespaces. This is not needed with the fakeroot that comes with `/etc/sub[ug]id` mappings nor with the fakeroot that comes with only the fakeroot command in suid flow. +- Added a `--sparse` flag to `overlay create` command to allow generation of + a sparse EXT3 overlay image. - Added a `binary path` configuration variable as the default path to use when searching for helper executables. May contain `$PATH:` which gets substituted with the user's PATH except when running a program that may be run with elevated privileges in the suid flow. Defaults to `$PATH:` followed by standard system paths. + `${prefix}/libexec/apptainer/bin` is also implied as the first component, + either as the first directory of `$PATH` if present or simply as the + first directory if `$PATH` is not included. Configuration variables for paths to individual programs that were in apptainer.conf (`cryptsetup`, `go`, `ldconfig`, `msquashfs`, `unsquashfs`, and `nvidia-container-cli`) have been removed. +- The `--nvccli` option now works without `--fakeroot`. In that case the + option can be used with `--writable-tmpfs` instead of `--writable`, + and `--writable-tmpfs` is implied if neither option is given. 
+ Note that also `/usr/bin` has to be writable by the user, so without + `--fakeroot` that probably requires a sandbox image that was built with + `--fix-perms`. +- The `--nvccli` option now implies `--nv`. - $HOME is now used to find the user's configuration and cache by default. If that is not set it will fall back to the previous behavior of looking up the home directory in the password file. The value of $HOME inside @@ -222,6 +163,8 @@ - Signature verification is not checked for a blacklist; unvalidated signatures can still block execution via ECL, and unvalidated signatures not in the blacklist do not cause ECL to fail. +- Improved wildcard matching in the %files directive of build definition + files by replacing usage of sh with the mvdan.cc library. ### New features / functionalities @@ -233,6 +176,8 @@ - Added `--cpu*`, `--blkio*`, `--memory*`, `--pids-limit` flags to apply cgroups resource limits to a container directly. - Added instance stats command. +- Added support for a custom hashbang in the `%test` section of an Apptainer + recipe (akin to the runscript and start sections). - The `--no-mount` flag & `APPTAINER_NO_MOUNT` env var can now be used to disable a `bind path` entry from `apptainer.conf` by specifying the absolute path to the destination of the bind. @@ -257,6 +202,11 @@ - Remove warning message about SINGULARITY and APPTAINER variables having different values when the SINGULARITY variable is not set. +- Fixed longstanding bug in the underlay logic when there are nested bind + points separated by more than one path level, for example `/var` and + `/var/lib/yum`, and the path didn't exist in the container image. + The bug only caused an error when there was a directory in the container + image that didn't exist on the host. - Add specific error for unreadable image / overlay file. - Pass through a literal `\n` in host environment variables to the container. - Allow `newgidmap / newuidmap` that use capabilities instead of setuid root. 
@@ -266,6 +216,12 @@ containers. - Fix the issue that the oras protocol would ignore the `--no-https/--nohttps` flag. +- Fix oras image push to registries with authorization servers not supporting + multiple scope query parameter. +- Improved error handling of unsupported password protected PEM files with + encrypted containers. +- Ensure bootstrap_history directory is populated with previous definition + files, present in source containers used in a build. ## v1.0.3 - \[2022-07-06\] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/INSTALL.md new/apptainer-1.1.0/INSTALL.md --- old/apptainer-1.1.0-rc.3/INSTALL.md 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/INSTALL.md 2022-09-27 16:55:22.000000000 +0200 @@ -136,7 +136,7 @@ for example: ```sh -git checkout v1.1.0-rc.3 +git checkout v1.1.0 ``` ## Compiling Apptainer @@ -250,7 +250,7 @@ <!-- markdownlint-disable MD013 --> ```sh -VERSION=1.1.0-rc.3 # this is the apptainer version, change as you need +VERSION=1.1.0 # this is the apptainer version, change as you need # Fetch the source wget https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz ``` @@ -299,7 +299,7 @@ <!-- markdownlint-disable MD013 --> ```sh -VERSION=1.1.0-rc.3 # this is the latest apptainer version, change as you need +VERSION=1.1.0 # this is the latest apptainer version, change as you need ./mconfig make -C builddir rpm sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr - \~)*.x86_64.rpm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/cmd/starter/main_linux.go new/apptainer-1.1.0/cmd/starter/main_linux.go --- old/apptainer-1.1.0-rc.3/cmd/starter/main_linux.go 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/cmd/starter/main_linux.go 2022-09-27 16:55:22.000000000 +0200 
@@ -9,6 +9,11 @@ package main +// Note that the inclusion of builddir here only works when mconfig -b has not +// renamed it; that is handled via a setting of CGO_CFLAGS in mconfig. It is +// included here also so that Go tools such as code editors and linters can +// find config.h when the default builddir is used. + // #cgo CFLAGS: -I${SRCDIR}/../../builddir // #include <config.h> // #include "c/message.c" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/docs/content.go new/apptainer-1.1.0/docs/content.go --- old/apptainer-1.1.0-rc.3/docs/content.go 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/docs/content.go 2022-09-27 16:55:22.000000000 +0200 @@ -646,7 +646,7 @@ library://user/collection/container[:tag] oras: - oras://registry/namespace/repo:tag + oras://registry/namespace/image:tag NOTE: It's always good practice to sign your containers before diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/internal/pkg/fakeroot/fakeroot.go new/apptainer-1.1.0/internal/pkg/fakeroot/fakeroot.go --- old/apptainer-1.1.0-rc.3/internal/pkg/fakeroot/fakeroot.go 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/internal/pkg/fakeroot/fakeroot.go 2022-09-27 16:55:22.000000000 +0200 @@ -12,6 +12,7 @@ import ( "bufio" "bytes" + "errors" "fmt" "io" "os" @@ -69,6 +70,10 @@ // GetUserFn defines the user lookup function prototype. type GetUserFn func(string) (*user.User, error) +// Wrapped errors +var errNoMappingEntry = errors.New("no mapping entry found") +var errRangeTooLow = errors.New("range count lower than") + // GetConfig parses a subuid/subgid configuration file and returns // a Config holding all mapping entries, it allows to pass a custom // function getUserFn used to lookup in a custom user database, if 
@@ -334,11 +339,11 @@ if entryCount > 0 { return nil, fmt.Errorf( - "mapping entries for user %s found in %s but all with a range count lower than %d", - username, c.file.Name(), validRangeCount, + "mapping entries for user %s found in %s but all with a %w %d", + username, c.file.Name(), errRangeTooLow, validRangeCount, ) } - return nil, fmt.Errorf("no mapping entry found in %s for %s", c.file.Name(), username) + return nil, fmt.Errorf("%w in %s for %s", errNoMappingEntry, c.file.Name(), username) } // getPwUID is also used for mocking purpose @@ -388,10 +393,10 @@ sylog.Fatalf("could not retrieve user with UID %d: %s", uid, err) } e, err := config.GetUserEntry(userinfo.Name) - if err != nil { + if err != nil && !errors.Is(err, errRangeTooLow) { return false } - if e.disabled { + if e != nil && e.disabled { return false } return true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/mconfig new/apptainer-1.1.0/mconfig --- old/apptainer-1.1.0-rc.3/mconfig 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/mconfig 2022-09-27 16:55:22.000000000 +0200 @@ -65,6 +65,7 @@ with_seccomp_check=1 do_go_version_check=1 +builddir= prefix= exec_prefix= bindir= @@ -513,7 +514,7 @@ else mkdir -p $builddir if ! builddir=`(cd $builddir 2>/dev/null && pwd -P)`; then - echo "error: could not chdir to builddir" + echo "error: could not chdir to $builddir" exit 2 fi fi 
@@ -674,7 +675,7 @@ GO := $hstgo -CGO_CFLAGS := $CGO_CFLAGS +CGO_CFLAGS := -I$builddir $CGO_CFLAGS CGO_LDFLAGS := $CGO_LDFLAGS CGO_CPPFLAGS := $CGO_CPPFLAGS CGO_CXXFLAGS := $CGO_CXXFLAGS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.1.0-rc.3/pkg/util/apptainerconf/config.go new/apptainer-1.1.0/pkg/util/apptainerconf/config.go --- old/apptainer-1.1.0-rc.3/pkg/util/apptainerconf/config.go 2022-09-06 18:29:25.000000000 +0200 +++ new/apptainer-1.1.0/pkg/util/apptainerconf/config.go 2022-09-27 16:55:22.000000000 +0200 @@ -278,9 +278,10 @@ # SESSIONDIR MAXSIZE: [STRING] # DEFAULT: 16 -# This specifies how large the default sessiondir should be (in MB) and it will -# only affect users who use the "--contain" options and don't also specify a -# location to do default read/writes to (e.g. "--workdir" or "--home"). +# This specifies how large the default sessiondir should be (in MB). It will +# affect users who use the "--contain" options and don't also specify a +# location to do default read/writes to (e.g. "--workdir" or "--home") and +# it will also affect users of "--writable-tmpfs". sessiondir max size = {{ .SessiondirMaxSize }} # LIMIT CONTAINER OWNERS: [STRING]
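Review bot: the apptainer.spec hunk only deletes `%define vers_suffix -rc.3`; the lines that consume the macro (Source0, the tarball name) are not in the diff, so check that every remaining reference is written `%{?vers_suffix}` rather than `%{vers_suffix}`. rpm leaves an undefined `%{vers_suffix}` as literal text, which would turn the source filename into `apptainer-1.1.0%{vers_suffix}.tar.gz` and break the build, whereas `%{?vers_suffix}` expands to empty for a final release and keeps the macro ready for the next rc.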
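Review bot: the first CHANGELOG.md hunk deletes the whole v1.1.0-rc.3 and v1.1.0-rc.2 sections, but several of their entries never reappear in the `+` lines that extend the v1.1.0 section: skipping kernel overlayfs when the lower layer is FUSE (the kernel 5.15 bug), the image drivers entering the container's user namespace under setuid fakeroot, configuring squashfuse to show files as owned by the current user instead of 65534, tolerating a missing `newuidmap` when the user is not in `/etc/subuid`, the EL8/EL9 fuse2fs packaging fix, the fuse2fs/fuse-overlayfs/uidmap package requirements, and requiring root early for encrypted builds. Entries that only undid rc-to-rc regressions (the `/root` home mount fix) can go, but the ones above change behaviour relative to 1.0.3 and belong under v1.1.0, otherwise an admin reading the release notes cannot tell why fakeroot and writable-overlay behaviour differs from 1.0.x.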
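Review bot: the new comment in cmd/starter/main_linux.go says the renamed-builddir case is handled via CGO_CFLAGS in mconfig, but it should also say that both include paths then end up on the compiler command line, so the result depends on the mconfig-supplied `-I$builddir` being placed ahead of the directive's `${SRCDIR}/../../builddir` when `#include <config.h>` is resolved. If that ordering is ever not the case, a stale `builddir/config.h` left over from an earlier default-location build silently wins over the one mconfig just generated. One sentence here stating which path takes precedence and why would make the directive safe to keep.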
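Review bot: `errRangeTooLow = errors.New("range count lower than")` in internal/pkg/fakeroot/fakeroot.go is a sentence fragment that only reads correctly when spliced into the `%w %d` format in the next hunk; any code that logs `err.Error()` after a different wrap, or that calls `errors.Unwrap`, prints "range count lower than" with no number. Give the sentinel a complete message (for example `errors.New("subuid/subgid range count too low")`) and let the wrapping site append the threshold, or use a small error type that carries the count. Both sentinels also deserve a doc comment saying callers match them with `errors.Is`, since that is now a contract inside the package rather than a message-string detail.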
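Review bot: the last fakeroot.go hunk is a behaviour change, not just error plumbing: a user whose only `/etc/subuid` entries are below `validRangeCount` now makes this function return true (with `e == nil`), where it previously returned false. That is fine if the caller then surfaces the range error instead of silently falling back to the fakeroot command or a root-mapped user namespace, but that call path is not in the diff and none of the CHANGELOG hunks mention it. Please add a line to the v1.1.0 section and a short comment above `if err != nil && !errors.Is(err, errRangeTooLow)` explaining that an undersized range is deliberately treated as "mapped" so the eventual failure names the real cause. The added `e != nil` guard is required, since `GetUserEntry` returns a nil entry together with that error.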
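Review bot: `CGO_CFLAGS := -I$builddir $CGO_CFLAGS` in the mconfig hunk interpolates `$builddir` unquoted into the generated Makefile; the earlier hunk canonicalises it with `pwd -P`, so it is absolute, but a path containing whitespace still splits the include flag. Either reject such paths where `-b` is parsed or quote the value here. The same hunk also puts the mconfig include path ahead of any user-supplied `CGO_CFLAGS`, which is the right order for `config.h` to win but means a caller cannot override it from the environment; a comment next to the assignment saying so would avoid surprises.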
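Review bot: the sessiondir comment in pkg/util/apptainerconf/config.go now correctly says the limit also bounds `--writable-tmpfs`, but the `DEFAULT: 16` line above it and the admin guide still present it only as a `--contain` setting. Since that tmpfs is memory-backed per container, an admin who raises the value to give `--writable-tmpfs` users more scratch space is also raising how much RAM each concurrent container may consume unless a cgroup limit (the `--memory*` flags listed in the CHANGELOG hunks) caps it; one sentence to that effect in this comment would save support questions.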