Revisions of apptainer

buildservice-autocommit accepted request 1173668 from Egbert Eich (eeich) (revision 77)
baserev update by copy to link target
Egbert Eich (eeich) committed (revision 76)
  * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
    (CVE-2024-3727, bsc#1224114).
Christian Goll (mslacken) accepted request 1173630 from Egbert Eich (eeich) (revision 75)
- Make sure digest values handled by the Go library
  github.com/opencontainers/go-digest and used throughout the
  Go-implemented containers ecosystem are always validated. This
  prevents attackers from triggering unexpected authenticated
  registry accesses. (CVE-2024-3727, bsc#1224114).
buildservice-autocommit accepted request 1160483 from Egbert Eich (eeich) (revision 74)
baserev update by copy to link target
Egbert Eich (eeich) accepted request 1160482 from Egbert Eich (eeich) (revision 73)
- Make apptainer definition templates version dependent.
Egbert Eich (eeich) committed (revision 72)
- Make 'gocryptfs' an optional dependency.
Egbert Eich (eeich) committed (revision 71)
    are primarily used for the `--overlay` feature), restoring
    of the security risk.
    image driver will be used instead.
    would enable a user to theoretically bypass the limits via `ptrace()`
    because the FUSE process runs as that user.
    one of the layers is a FUSE filesystem).  In addition, if `allow
    setuid-mount encrypted = no` then the unprivileged gocryptfs format
    can still be used with the `--underlay` option, but it is deprecated
    their own, dedicated `keyserver` command. Run `apptainer help keyserver`
    for more information.
    been moved to their own, dedicated `registry` command. Run
  * The `remote status` command will now print the username, realname, and
    email of the logged-in user, if available.
Egbert Eich (eeich) accepted request 1159335 from Christian Goll (mslacken) (revision 70)
- Updated apptainer to version 1.3.0
  * FUSE mounts are now supported in setuid mode, enabling full
    functionality even when kernel filesystem mounts are insecure due to
    unprivileged users having write access to raw filesystems in
    containers. When `allow setuid-mount extfs = no` (the default) in
    apptainer.conf, then the fuse2fs image driver will be used to mount
    ext3 images in setuid mode instead of the kernel driver (ext3 images
    are primarily used for the --overlay feature), restoring
    functionality that was removed by default in Apptainer 1.1.8 because
    of the security risk. 
    The `allow setuid-mount squashfs` configuration option in
    `apptainer.conf` now has a new default called `iflimited` which allows
    kernel squashfs mounts only if there is at least one `limit container`
    option set or if Execution Control Lists are activated in ecl.toml.
    If kernel squashfs mounts are not allowed, then the squashfuse
    image driver will be used instead.
    `iflimited` is the default because if one of those limits is used
    the system administrator ensures that unprivileged users do not have
    write access to the containers, but on the other hand using FUSE
    would enable a user to theoretically bypass the limits via ptrace()
    because the FUSE process runs as that user.  
    The `fuse-overlayfs` image driver will also now be tried in setuid
    mode if the kernel overlayfs driver does not work (for example if
    one of the layers is a FUSE filesystem).  In addition, if allow
    setuid-mount encrypted = no then the unprivileged gocryptfs format
    will be used for encrypting SIF files instead of the kernel
    device-mapper. If a SIF file was encrypted using the gocryptfs
    format, it can now be mounted in setuid mode in addition to
    non-setuid mode.
  * Change the default in user namespace mode to use either kernel
buildservice-autocommit accepted request 1157874 from Christian Goll (mslacken) (revision 69)
baserev update by copy to link target
Christian Goll (mslacken) accepted request 1157757 from Egbert Eich (eeich) (revision 68)
- Fix 'apptainer build' using signed packages from the SUSE
  Registry (bsc#1221364).
  * Remove-signatures-from-Docker-images.patch
buildservice-autocommit accepted request 1143604 from Egbert Eich (eeich) (revision 67)
baserev update by copy to link target
Egbert Eich (eeich) accepted request 1143317 from Egbert Eich (eeich) (revision 66)
- Package .def templates separately for different SPs.
buildservice-autocommit accepted request 1143195 from Christian Goll (mslacken) (revision 65)
baserev update by copy to link target
Christian Goll (mslacken) accepted request 1143083 from Egbert Eich (eeich) (revision 64)
- Updated apptainer to version 1.2.5
  * Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA
    Drivers (known with >= 525.85.05) require this lib to compile
    OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl`
    depends on `libnvidia-nvvm`.
  * Disable the usage of cgroup in instance creation when
    `--fakeroot` is passed.
  * Disable the usage of cgroup in instance creation when `hidepid`
    mount option on `/proc` is set.
  * Fixed a regression introduced in 1.2.0 where the user's
    password file information was not copied into the container
    when there was a parent root-mapped user namespace (as is the
    case for example in `cvmfsexec`).
  * Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so`
    to the list of libraries to add to NVIDIA GPU-enabled
    containers. Fixed missing error handling during the creation
    of an encrypted image that led to the generation of corrupted
    images.
  * Use `APPTAINER_TMPDIR` for temporary files during privileged
    image encryption.
  * If rootless unified cgroups v2 is available when starting an
    image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is
    not set, print an info message that stats will not be available
    instead of exiting with a fatal error.
  * Allow templated build arguments to definition files to have
    empty values.
buildservice-autocommit accepted request 1120777 from Egbert Eich (eeich) (revision 63)
baserev update by copy to link target
Egbert Eich (eeich) committed (revision 62)
- Fix typo
Egbert Eich (eeich) committed (revision 61)
  Removed: squashfuse-0.1.105.tar.gz, 70.patch
Egbert Eich (eeich) committed (revision 60)
  Removed: squashfuse-0.1.105.tar.gz
Christian Goll (mslacken) accepted request 1119873 from Egbert Eich (eeich) (revision 59)
- Do not build squashfuse, require it as a dependency.
- Replace awkward 'Obsoletes: singularity-*' as well as the
  'Provides: Singularity' by 'Conflicts:' and drop the provides -
  the versioning scheme does not match and we do not automatically
  migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.

- removed CRYPTOGAMS license as not known in OBS and OpenSSL is
buildservice-autocommit accepted request 1113853 from Christian Goll (mslacken) (revision 58)
baserev update by copy to link target
Displaying revisions 1 - 20 of 77