We are happy to announce that Apptainer version 1.1.0 is now available.
This is very big release, with a lot of new features and changes.
The most significant change is that Apptainer is no longer setuid-root by default. It can still be installed that way, but either an extra apptainer-suid package has to be installed or when compiling an extra --with-suid
option has to be given to mconfig.
This is practical because almost all functionality can now be done with only unprivileged user namespaces and readily available unprivileged commands. SIF files (that is, squashfs-based files), EXT2/3/4 files, and OverlayFS can all be done with unprivileged, no-setuid FUSE.
The only remaining major feature that cannot yet be done fully unprivileged is encrypted containers, and we expect to get that into version 1.2.
The performance of SIF file mounts through FUSE has been demonstrated to be nearly identical to that of kernel squashfs mounts, thanks to an included multithreaded version of squashfuse.
In addition, building of container images can now be done completely unprivileged, even if the system administrator did not set up /etc/subuid & /etc/subgid mappings for use with --fakeroot
. This is done by using a root-mapped unprivileged user namespace in combination with the fakeroot command.
For those who are concerned about kernel vulnerabilities with unprivileged user namespaces, please see the security discussion in the user guide especially including the link to the admin guide where it advises disabling network namespaces.
This version is also planned to be installed in EPEL and Fedora within about a week. Upgrading the singularity package will install a non-setuid root apptainer package by default.
If this is the first time you are upgrading from Singularity please see Migrating from Singularity in the admin guide.
As always, please report any problems as an issue on github.