SingularityCE 4.4.0

This is a new minor version, focused around modernisation of code and bugfix improvements as detailed below.

Bug Fixes

• Include the home directory in the --workdir option (which is a modifier of the --contain option). This has always been in the
  --workdir usage description but the home directory has not actually been included at least since singularity-2.
• Avoid a fatal error when starting fakeroot from suid mode while in an NFS directory.
• Support hosts that have /etc/resolv.conf pointing to a symlink under /run, such as those hosts that are running systemd-resolved. In this case, the symlink is copied into the container and the parent directory of the target of the symlink is bind-mounted from the host. The result is that even if the target of the symlink is replaced with a new file, the container sees the update in /etc/resolv.conf.
• Correctly escape ENV vars when importing OCI containers to native SIF, so that they match podman / docker behaviour.
• Clarify error when trying to build --oci from a non-Dockerfile spec.
• When images are pulled implicitly by actions (run/shell/exec...), and the cache is disabled, correctly clean up the temporary files.
• Ensure singularity-buildkitd runs effective GC at the start of each run.
• Apply --debug flag to buildkit logging correctly.
• Avoid OOM by buffering docker-daemon: images via a temporary file instead of memory. Note that the file is created in $TMPDIR - the dependency involved cannot be instructed to use $SINGULARITY_TMPDIR at this time.

New Features & Functionality

• Add /etc/resolv.conf to the list of host paths that can be prevented from automatic import into the container with the --no-mount option.

Requirements / Packaging

• Requires Go 1.25.6 or above, due to various dependencies.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.4.0.tar.gz download below to obtain and install SingularityCE 4.4.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.26.0

SingularityCE 4.3.7

This is a patch release in the 4.3 series.

Bug Fixes

• Don't attempt to set relatime on workdir / scratch mounts in OCI-Mode.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.7.tar.gz download below to obtain and install SingularityCE 4.3.7. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.6

SingularityCE 4.3.6

This is a patch release in the 4.3 series, with security fixes.

Security Related Fixes

• Updates bundled CNI plugins to v1.9.0, to fix CVE-2025-67499 Portmap nftables backend can intercept non-local traffic.
• Dependencies updated.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.6.tar.gz download below to obtain and install SingularityCE 4.3.6. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.5

SingularityCE 4.3.5

This is a patch release in the 4.3 series, with security fixes.

Security Related Fixes

• Fix for CVE-2025-64750 / GHSA-wwrx-w7c9-rf87 Ineffective application of selinux / apparmor LSM process labels via the --security flag.
• Dependencies updated.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.5.tar.gz download below to obtain and install SingularityCE 4.3.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.4

SingularityCE 4.3.4

This is a patch release in the 4.3 series,

Security Related Fixes

• GitHub release packages built using Go 1.25.3, due to large number of denial-of-service CVEs fixed in 1.25.2.
• All dependencies updated.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.4.tar.gz download below to obtain and install SingularityCE 4.3.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.3

SingularityCE 4.3.3

This is a patch release in the 4.3 series, with dependency updates and the following changes:

Requirements / Packaging

• Requires Go 1.24.3 or above, due to various dependencies.
• Bundled squashfuse is now 0.6.1.

Changed defaults / behaviours

• Use OCI Manifest Schema 1 for ORAS pushes. Addresses errors pushing to Quay,
  which applies a must be restriction for the config.mediaType value on
  Docker Manifest Schema 2 (spec has a looser should generally be).

Bug fixes

• Don't set ineffective mode=777 on workdir bind. Fixes error in OCI-mode with
  --workdir and runc >= 1.2.0.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.3.tar.gz download below to obtain and install SingularityCE 4.3.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.0

SingularityCE 4.3.2

This is a patch release in the 4.3 series, with dependency updates and the following changes:

Requirements / Packaging

• Ubuntu 20.04 packages dropped - end-of-life.
• EL 10 (RHEL/AlmaLinux/Rocky Linux 10) packages introduced.
• Build bundled squashfuse against FUSE3 for all packages.
• Don't depend on fuse on Ubuntu - installing this package on 22.04 can
  cause conflicts with the Ubuntu Desktop package set.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.2.tar.gz download below to obtain and install SingularityCE 4.3.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
• RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.24.4

SingularityCE 4.3.1

This is a patch release in the 4.3 series.

Bug Fixes

• Update bundled squashfuse to 0.6.0, which includes ., .. entries in getdents() results, fixing errors with some applications.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.1.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.2

SingularityCE 4.3.0

SingularityCE 4.3.0

This is the first release in the 4.3 series. Please review the changes, fixes, and new features listed below.

The admin and user guides include a "What's New in 4.3" section, providing links to additional documentation:

• https://docs.sylabs.io/guides/4.3/admin-guide/new.html
• https://docs.sylabs.io/guides/4.3/user-guide/new.html

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.0.tar.gz download below to obtain and install SingularityCE 4.3.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.0

v4.3.0-rc.1

SingularityCE 4.3.0-rc.1 Release Candidate

This is the first release candidate for the upcoming 4.3 series. All testing and feedback is welcome!

Behaviour Changes

• Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes` configuration option.
• In OCI mode, on a cgroups v2 system with functioning systemd cgroup management, a cgroup namespace is created for the container, and /sys/fs/cgroup is mounted. The cgroups mount is read-only by default, or read-write if the --keep-privs flag is used.
• In OCI mode, a cgroup is now created for the container when possible, even where resource limits have not been requested.

Bug Fixes

• Use correct username (not user's name) when computing singularity oci conmon / singularity state dir.
• Write StdErr messages from starter to terminal StdErr when an instance fails to start. Previously incorrectly written to terminal StdOut.
• Fix incorrect debug message in Cgroups checks.
• Skip invalid environment variables when pulling pulling OCI images to native SIF, so environment sourcing does not fail.
• Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the source code.
• Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.

New Features & Functionality

• Add support for libsubid. Sub[ug]id mappings will be retrieved from e.g. LDAP according to nssswitch.conf if Singularity is built with libsubid support (default). If built without libsubid support, Singularity will retrieve subid from /etc/subid and /etc/subgid regardless of system configuration. Note that singularity config fakeroot always modifies /etc/subid and /etc/subgidfiles.
• singularity sign now supports signing an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a private key with the --key flag.
• singularity verify now supports verifying an image in an OCI-SIF with a cosign-compatible sigstore signature. Use the --cosign flag, and provide a public key with the --key flag. Verification passes if at least one signature that can be validated with the provided key is present. The JSON payloads of all valid signatures are displayed.
• singularity push now supports pushing cosign signatures in an OCI-SIF to an OCI registry, via the --with-cosign flag.
• singularity pull now supports pulling cosign signatures from a registry to an OCI-SIF, via the --with-cosign flag when --oci is also specified. Signatures can only be pulled when the image in the registry is in SquashFS format. Converting layer formats, or squashing to a single layer, modifies the image manifest, and would invalidate any signatures.
• The new singularity key generate-cosign-key-pair subcommand can be used to generate a password-protected key-pair for signing OCI-SIF images with cosign-compatible signatures.
• Added dnf definition file bootstrap as an alias for yum.

Requirements / Packaging

• Go 1.23.4 or above is now required to build SingularityCE.
• libsubid headers are now required to build SingularityCE, unless the --without-libsubid flag is passed to mconfig.
• EL RPM packages are built with libsubid support.
• Ubuntu deb packages are built without libsubid support.
• The RPM spec file no longer includes rules for SLES / openSUSE package builds, which have been untested / unsupported for some time.
• Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
• Conmon sources are no longer bundled and built with SingularityCE. Install the conmon package from your distribution, or upstream binary, if you need to use the singularity oci commands. Note that conmon is not required for --oci mode.
• Now compiles successfully with -std=c23.

Removed Features

• Plugin fakerootcallback functionality for customizing fakeroot subid mappings has been removed.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.0-rc.1.tar.gz download below to obtain and install SingularityCE 4.3.1-rc.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

• Ubuntu 20.04 (focal)
• Ubuntu 22.04 (jammy)
• Ubuntu 24.04 (noble)
• RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
• RHEL/CentOS/AlmaLinux/Rocky 9 (el9)

These packages were built with Go 1.24.0