Revisions of apptainer
buildservice-autocommit accepted request 1173668 from Egbert Eich (eeich) (revision 77)
baserev update by copy to link target
Egbert Eich (eeich) committed (revision 76)
* Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch (CVE-2024-3727, bsc#1224114).
Christian Goll (mslacken) accepted request 1173630 from Egbert Eich (eeich) (revision 75)
- Make sure digest values handled by the Go library github.com/opencontainers/go-digest and used throughout the Go-implemented containers ecosystem are always validated. This prevents attackers from triggering unexpected authenticated registry accesses. (CVE-2024-3727, bsc#1224114).
buildservice-autocommit accepted request 1160483 from Egbert Eich (eeich) (revision 74)
baserev update by copy to link target
Egbert Eich (eeich) accepted request 1160482 from Egbert Eich (eeich) (revision 73)
- Make apptainer definition templates version dependent.
Egbert Eich (eeich) committed (revision 72)
- Make 'gocryptfs' an optional dependency.
Egbert Eich (eeich) committed (revision 71)
are primarily used for the `--overlay` feature), restoring of the security risk. image driver will be used instead. would enable a user to theoretically bypass the limits via `ptrace()` because the FUSE process runs as that user. one of the layers is a FUSE filesystem). In addition, if `allow setuid-mount encrypted = no` then the unprivileged gocryptfs format can still be used with the `--underlay` option, but it is deprecated their own, dedicated `keyserver` command. Run `apptainer help keyserver` for more information. been moved to their own, dedicated `registry` command. Run * The `remote status` command will now print the username, realname, and email of the logged-in user, if available.
Egbert Eich (eeich) accepted request 1159335 from Christian Goll (mslacken) (revision 70)
- Updated apptainer to version 1.3.0
  * FUSE mounts are now supported in setuid mode, enabling full functionality even when kernel filesystem mounts are insecure due to unprivileged users having write access to raw filesystems in containers. When `allow setuid-mount extfs = no` (the default) in apptainer.conf, then the fuse2fs image driver will be used to mount ext3 images in setuid mode instead of the kernel driver (ext3 images are primarily used for the `--overlay` feature), restoring functionality that was removed by default in Apptainer 1.1.8 because of the security risk. The `allow setuid-mount squashfs` configuration option in `apptainer.conf` now has a new default called `iflimited` which allows kernel squashfs mounts only if there is at least one `limit container` option set or if Execution Control Lists are activated in ecl.toml. If kernel squashfs mounts are not allowed, then the squashfuse image driver will be used instead. `iflimited` is the default because if one of those limits is used the system administrator ensures that unprivileged users do not have write access to the containers, but on the other hand using FUSE would enable a user to theoretically bypass the limits via `ptrace()` because the FUSE process runs as that user. The `fuse-overlayfs` image driver will also now be tried in setuid mode if the kernel overlayfs driver does not work (for example if one of the layers is a FUSE filesystem). In addition, if `allow setuid-mount encrypted = no` then the unprivileged gocryptfs format will be used for encrypting SIF files instead of the kernel device-mapper. If a SIF file was encrypted using the gocryptfs format, it can now be mounted in setuid mode in addition to non-setuid mode.
  * Change the default in user namespace mode to use either kernel
buildservice-autocommit accepted request 1157874 from Christian Goll (mslacken) (revision 69)
baserev update by copy to link target
Christian Goll (mslacken) accepted request 1157757 from Egbert Eich (eeich) (revision 68)
- Fix 'apptainer build' using signed packages from the SUSE Registry (bsc#1221364).
  * Remove-signatures-from-Docker-images.patch
buildservice-autocommit accepted request 1143604 from Egbert Eich (eeich) (revision 67)
baserev update by copy to link target
Egbert Eich (eeich) accepted request 1143317 from Egbert Eich (eeich) (revision 66)
- Package .def templates separately for different SPs.
buildservice-autocommit accepted request 1143195 from Christian Goll (mslacken) (revision 65)
baserev update by copy to link target
Christian Goll (mslacken) accepted request 1143083 from Egbert Eich (eeich) (revision 64)
- Updated apptainer to version 1.2.5
  * Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA Drivers (known with >= 525.85.05) require this lib to compile OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl` depends on `libnvidia-nvvm`.
  * Disable the usage of cgroup in instance creation when `--fakeroot` is passed.
  * Disable the usage of cgroup in instance creation when `hidepid` mount option on `/proc` is set.
  * Fixed a regression introduced in 1.2.0 where the user's password file information was not copied in to the container when there was a parent root-mapped user namespace (as is the case for example in `cvmfsexec`).
  * Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so` to the list of libraries to add to NVIDIA GPU-enabled containers.
  * Fixed missing error handling during the creation of an encrypted image that led to the generation of corrupted images.
  * Use `APPTAINER_TMPDIR` for temporary files during privileged image encryption.
  * If rootless unified cgroups v2 is available when starting an image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is not set, print an info message that stats will not be available instead of exiting with a fatal error.
  * Allow templated build arguments to definition files to have empty values.
buildservice-autocommit accepted request 1120777 from Egbert Eich (eeich) (revision 63)
baserev update by copy to link target
Egbert Eich (eeich) committed (revision 62)
- Fix typo
Egbert Eich (eeich) committed (revision 61)
Removed: squashfuse-0.1.105.tar.gz, 70.patch
Egbert Eich (eeich) committed (revision 60)
Removed: squashfuse-0.1.105.tar.gz
Christian Goll (mslacken) accepted request 1119873 from Egbert Eich (eeich) (revision 59)
- Do not build squashfuse, require it as a dependency.
- Replace awkward 'Obsoletes: singularity-*' as well as the 'Provides: Singularity' by 'Conflicts:' and drop the provides - the versioning scheme does not match and we do not automatically migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.
- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
buildservice-autocommit accepted request 1113853 from Christian Goll (mslacken) (revision 58)
baserev update by copy to link target
Displaying revisions 1 - 20 of 77