Revisions of apptainer

Ruediger Oertel (oertel) committed (revision 4)
Please consider the CVE fix included for inclusion into SLE 15 SP6.

- Make sure digest values handled by the Go library
  github.com/opencontainers/go-digest and used throughout the
  Go-implemented containers ecosystem are always validated. This
  prevents attackers from triggering unexpected authenticated
  registry accesses.
  * Bump-github.com-containers-image-v5-from-5.30.0-to-5.30.1.patch
    (CVE-2024-3727, bsc#1224114).
Ruediger Oertel's avatar Ruediger Oertel (oertel) committed (revision 3)
- Updated apptainer to version 1.3.0 (bsc#1221832)
  * FUSE mounts are now supported in setuid mode, enabling full
    functionality even when kernel filesystem mounts are insecure due to
    unprivileged users having write access to raw filesystems in
    containers. When `allow setuid-mount extfs = no` (the default) in
    apptainer.conf, then the fuse2fs image driver will be used to mount
    ext3 images in setuid mode instead of the kernel driver (ext3 images
    are primarily used for the `--overlay` feature), restoring
    functionality that was removed by default in Apptainer 1.1.8 because
    of the security risk.
    The `allow setuid-mount squashfs` configuration option in
    `apptainer.conf` now has a new default called `iflimited` which allows
    kernel squashfs mounts only if there is at least one `limit container`
    option set or if Execution Control Lists are activated in ecl.toml.
    If kernel squashfs mounts are not allowed, then the squashfuse
    image driver will be used instead.
    `iflimited` is the default because if one of those limits is used
    the system administrator ensures that unprivileged users do not have
    write access to the containers, but on the other hand using FUSE
    would enable a user to theoretically bypass the limits via `ptrace()`
    because the FUSE process runs as that user.
    The `fuse-overlayfs` image driver will also now be tried in setuid
    mode if the kernel overlayfs driver does not work (for example if
    one of the layers is a FUSE filesystem).  In addition, if `allow
    setuid-mount encrypted = no` then the unprivileged gocryptfs format
    will be used for encrypting SIF files instead of the kernel
    device-mapper. If a SIF file was encrypted using the gocryptfs
    format, it can now be mounted in setuid mode in addition to
    non-setuid mode.
  * Change the default in user namespace mode to use either kernel
Daniel Mach (dmach) committed (revision 2)
- Fix 'apptainer build' using signed packages from the SUSE
  Registry (bsc#1221364).
  * Remove-signatures-from-Docker-images.patch
Ruediger Oertel (oertel) committed (revision 1)
bugowner: group:hpc-team

- This submission introduces `apptainer` and satisfies jsc#PED-7114.
- The following packages should be added to 000package-groups/groups.yaml:
  hpc_tools:
  # apptainer
  - apptainer: [x86_64, aarch64] # jsc#PED-3012
  - apptainer-sle15_64, aarch64]

  * NOTE that the `hpc_tools:` section already exists in groups.yaml!