SingularityCE 3.11 – Features and Contributions

By Staff

Feb 28, 2023 | News, SingularityCE Updates

SingularityCE 3.11 was released on 10th February, and is available for download from the GitHub release page. This version brings a host of new features, including:
  • OCI Runtime Mode – with the new experimental ‘–oci’ mode, users can run containers from a native OCI on-disk layout, through a true OCI low-level runtime.
  • PEM Key / X.509 Signing & Verification – PEM keys and X.509 certificates can now be used to sign and verify the images, providing a secure way to ensure that only authorized images are used. The addition of OCSP support also allows organizations to perform online checks to make sure that the images have not been revoked.
  • Instance Resource Limits & Monitoring – SingularityCE 3.11 now has the ability to monitor and control the resources used by instances. A new `instance stats` command will show resource limits on systems that support starting the container in a cgroup. Limits can be applied with the `–cpu`, `–mem`, and other flags.
  • Rootless Builds Without User Namespaces / ID Mapping – SingularityCE now allows users to build containers without being a root user or using a special user mapping system. This new “proot” flow makes unprivileged builds possible for many different definition files, and does not require special configurations to be in place on the host system.

Contributions to SingularityCE 3.11

Shortly after the release of SingularityCE 3.10, we looked at the contributions that led to that new version, using vsoch’s excellent citelang analysis tool. Let’s use the same approach, running citelang against all the first-party code (including SIF, service clients, etc.) and documentation repositories that make up SingularityCE, and totaling the lines added or modified by each contributor:
Lines Added/Modified
David Trudgian
Adam Hughes
Mike Frisch
Fotis Nikolaidis
Cedric Clerget
Eng Zer Jun
Dave Dykstra
Vadym Lesich
Adrian Wobito
Till Korten
This gives us a grand total of 17,950 lines of code touched between 3.10 and 3.11, similar to the size of the 3.9 to 3.10 development cycle. Just as with the 3.10 release, work on the 3.11 release was mostly performed by Sylabs employees, but with significant contributions from the open source community.
Thanks especially to vsoch for introducing the `instance stats` resource monitoring command, and Fotis Nikolaidis for OCSP support and collaboration on the PEM key & X.509 signing / verification flows.

SingularityCE 3.11 vs Apptainer 1.1

For the SingularityCE 3.11 release we’ve again imported significantly less code from Apptainer than Apptainer imports from SingularityCE. This is to be expected, as we are taking a different path toward increased OCI compatibility and the expansion of unprivileged workflows. In addition, Sylabs drives almost all of the development of SIF (the Singularity Image Format), and the service client dependencies that are forked by Apptainer.
While Apptainer 1.1 has moved aggressively toward non-setuid execution by default, and has introduced various implicit, but distinct, modes for the `–fakeroot` option and unprivileged builds, we have chosen to take a more gradual approach in 3.11 and to hold larger changes for a major version release at 4.0. We’re very aware of the fact that SingularityCE is often employed in environments that value stability above all else, and are running older Linux distribution releases that may still limit the ability to use, or practically deploy, a fully unprivileged container runtime.
Looking on the other side of the fork, Apptainer has merged 95 pull requests that originate in SingularityCE since their v1.0.0 release, plus all work carried out on SIF. This clearly demonstrates the value of the bug fixes and general feature additions being developed for SingularityCE, and the benefits of our commitment to open source licensing, to other projects.

Join Our Mailing List

Recent Posts

Related Posts