Incompatible updates to defaults in singularity/apptainer


I apologize that this notice is late.  Three weeks ago, there was an
update to the apptainer package (formerly called singularity) in EPEL
that may have caused functionality for users to break, especially on
EPEL7.  Apptainer is a container system that is popular especially for
High Performance Computing applications.

This was the first release in EPEL under the new name.  Because of the
name change, the configuration directory name changed, and previous
system-wide custom configuration is not automatically carried forward.
Warnings are printed if the old configuration directory still exists
(which happens when singularity configuration had been customized).  The
command is still available under the old name singularity, so that part
is still compatible.

More significantly, the apptainer-1.1 release changed the default
package to be "rootless" by not including a setuid-root component.  As a
result, if unprivileged user namespaces are not enabled, most operations
will fail.  System administrators in that case have to either enable
unprivileged user namespaces or separately install an apptainer-suid
package.  This is particularly an issue on EL7 because there user
namespaces are not enabled by default.  The reason the default was
changed is that the new version now supports doing most common
operations without setuid, using unprivileged FUSE mounts, and the
maintainers believe that unprivileged user namespaces are inherently
more secure than setuid-root.

For more details please see:
    https://apptainer.org/docs/user/1.1/security.html#setuid-user-namespaces
    https://apptainer.org/docs/admin/1.1/user_namespace.html#rhel-centos-7
    https://apptainer.org/docs/admin/1.1/installation.html
    https://apptainer.org/docs/admin/1.1/singularity_migration.html
    https://github.com/apptainer/apptainer/releases

If you find any problems please report them to
    https://github.com/apptainer/apptainer/issues

Dave
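
The check an administrator would run before or after this update, as an added example that is not part of the original message or of the apptainer project: it reports whether unprivileged user namespaces are enabled and whether the apptainer-suid package is installed. It assumes the kernel exposes the limit as `user/max_user_namespaces` under `/proc/sys` (0 meaning disabled) and that `rpm` is the package manager; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: can apptainer 1.1 run on this host, rootless or via setuid?

# userns_status [SYSCTL_ROOT] -> enabled | disabled | unsupported
# SYSCTL_ROOT defaults to /proc/sys; it is a parameter so the check can be
# exercised against a constructed directory.
userns_status() {
    f="${1:-/proc/sys}/user/max_user_namespaces"
    if [ ! -r "$f" ]; then
        echo unsupported      # kernel does not expose the limit at all
        return 0
    fi
    max=$(cat "$f")
    case "$max" in
        ''|*[!0-9]*) echo unsupported ;;   # empty or non-numeric content
        0)           echo disabled ;;      # limit of 0: no user namespaces
        *)           echo enabled ;;
    esac
}

# suid_status -> installed | absent | unknown (no rpm on this system)
suid_status() {
    if ! command -v rpm >/dev/null 2>&1; then echo unknown; return 0; fi
    if rpm -q apptainer-suid >/dev/null 2>&1; then echo installed; else echo absent; fi
}

# apptainer_mode USERNS SUID -> both | rootless | setuid-only | broken
apptainer_mode() {
    case "$1:$2" in
        enabled:installed) echo both ;;
        enabled:*)         echo rootless ;;
        *:installed)       echo setuid-only ;;
        *)                 echo broken ;;   # neither path is available
    esac
}

apptainer_host_report() {
    u=$(userns_status); s=$(suid_status); m=$(apptainer_mode "$u" "$s")
    echo "user namespaces: $u, apptainer-suid: $s, result: $m"
    if [ "$m" = broken ]; then
        echo "most operations will fail: enable unprivileged user namespaces or install apptainer-suid"
    fi
    return 0
}

apptainer_host_report
```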