SingularityCE 4.3.0-rc.1 Release Candidate

[David Trudgian]

SingularityCE 4.3.0-rc.1 Release Candidate
https://github.com/sylabs/singularity/releases/tag/v4.3.0-rc.1

This is the first release candidate for the upcoming 4.3 series. All testing and feedback is welcome!

See the link above for details. Documentation will be updated prior to the stable 4.3.0 release.

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.