
Releases: apptainer/apptainer

Apptainer 1.4.1

15 May 02:53
db72b56

v1.4.1 - [2025-05-14]

  • Fix the use of libsubid which had been broken by the revision applied in 1.4.0-rc.2.
  • Fix a bug introduced in 1.4.0 that caused arm64 to be mis-converted to arm64v8 and resulted in a failure when pulling OCI containers.
  • Fix user database lookup in master process preventing instance from starting correctly on systems using winbind.
  • Update minimum go version to 1.23.6 now that it is current in el8 & el9.
  • Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.
  • Compile gocryptfs with the default GOAMD64 microarchitecture of the go compiler instead of always using GOAMD64=v2. The default value in the upstream go compiler is GOAMD64=v1, to work with older CPUs, although it can have a cost in performance on newer CPUs. It is still possible to set GOAMD64 to a newer microarchitecture (v2+). For instance RHEL 9 uses v2 and RHEL 10 uses v3 as their default values.
  • Add a clear error message if someone tries to use privileged network options while not using setuid mode.
  • Allow multi-arch oci-archive files that have a nested index with the manifest. This is the default format (both for Docker and OCI) when using nerdctl save.
  • Test if docker-archive is actually an oci-archive (since Docker version 25), and if it is oci then use the OCI parser to avoid bugs in the Docker parser. Save the docker-daemon references to a temporary docker-archive, to benefit from the same improvements also for those references. Parse as oci-archive.

Apptainer 1.4.0

18 Mar 21:39
02495a0

v1.4.0 - [2025-03-18]

Changes since 1.3.6

New Features & Functionality

  • Add support for libsubid, when available at compile time. This library enables central management of subuid and subgid mappings and typically comes as part of the shadow-utils package, possibly as a shadow-utils-subid subpackage.
  • Add new build option --mksquashfs-args to pass additional arguments to the mksquashfs command when building SIF files. If a compression method other than gzip is selected, the SIF file might not work with older installations of Apptainer or Singularity, so an INFO message about that is printed. On the other hand, an INFO message that was printed (twice) when running an image with non-gzip compression has been removed.
  • Expand the build instructions for squashfuse and apptainer packaging to include the libraries needed for maximum support of compression algorithms by squashfuse_ll.
  • If the mksquashfs version is new enough (version 4.6 or later), then show a percentage progress bar (with ETA) during SIF creation in the default log level. If the mksquashfs version is older, then in verbose or debug log level show the output of mksquashfs with its own progress bar.
  • Include a bundled copy of squashfs-tools to make the progress bar available and to ensure that all compression types are available. This includes the programs mksquashfs and unsquashfs.
  • Statistics are now normally available for instances that are started by non-root users on cgroups v2 systems. The instance will be started in the current cgroup. Information about configuration issues that prevent collection of statistics is displayed as INFO messages by default.
  • Add a dnf definition file bootstrap option as an alias to the yum bootstrap option.
  • Add a --sandbox option to apptainer pull.
  • Add configuration file binding to the --nv option. Files that are recognized in the NVIDIA Container Toolkit, including files for EGL ICD, were added to the default nvliblist.conf.
  • It is now possible to use multiple environment variable files using the --env-file flag. Files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence over earlier files.
  • The registry login and registry logout commands now support a --authfile <path> option, which causes OCI credentials to be written to / removed from a custom file located at <path> instead of the default location ($HOME/.apptainer/docker-config.json). The commands pull, push, run, exec, shell and instance start can now also be passed a --authfile <path> option, to read OCI registry credentials from this custom file.
  • A new --netns-path option takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allow netns paths directive in apptainer.conf, if they are also listed in allow net users / allow net groups and apptainer is installed with setuid privileges. Not supported with --fakeroot.
  • apptainer.conf now accepts setting the following options:
    • allow ipc ns -- Default value is yes; when set to no, it will disable the use of the --ipc flag.
    • allow uts ns -- Default value is yes; when set to no, it will invalidate the use of the --uts and --hostname flags.
    • allow user ns -- Default value is yes; when set to no, it will disable creation of user namespaces. Note that this will prevent execution of containers with the --userns or --fakeroot flags and with unprivileged installations of Apptainer.
  • Add automated tests for OpenSUSE Leap and Tumbleweed and Debian Bookworm.
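
An added example (not Apptainer's own code) that models the --netns-path rules and the yes defaults of the new allow ... ns directives listed above as a small Go audit helper. The sample configuration, its paths and user names are constructed; treating the list directives as comma-separated values and checking --fakeroot before the root case are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample configuration; paths and user names are made up.
const sampleConf = `
# namespace controls
allow user ns = no
allow netns paths = /run/netns/hpc-a, /run/netns/hpc-b
allow net users = alice
`

// parseConf reads "directive = value" lines, skipping blanks and comments.
func parseConf(text string) map[string]string {
	conf := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			conf[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return conf
}

// nsAllowed applies the default stated in the notes: yes unless set to no.
func nsAllowed(conf map[string]string, directive string) bool {
	return conf[directive] != "no"
}

// listed reports whether want appears in a directive's comma-separated value
// (list syntax is an assumption of this example).
func listed(conf map[string]string, directive, want string) bool {
	for _, item := range strings.Split(conf[directive], ",") {
		if t := strings.TrimSpace(item); t != "" && t == want {
			return true
		}
	}
	return false
}

// mayJoinNetns applies the --netns-path rules from the notes to one request.
func mayJoinNetns(conf map[string]string, user string, groups []string, path string, setuid, fakeroot bool) bool {
	if fakeroot {
		return false // not supported with --fakeroot
	}
	if user == "root" {
		return true // root may join any network namespace
	}
	allowedID := listed(conf, "allow net users", user)
	for _, g := range groups {
		allowedID = allowedID || listed(conf, "allow net groups", g)
	}
	// Unprivileged: setuid install, listed user or group, and listed path.
	return setuid && allowedID && listed(conf, "allow netns paths", path)
}

func main() {
	conf := parseConf(sampleConf)
	fmt.Println("user namespaces allowed:", nsAllowed(conf, "allow user ns"))
	fmt.Println("alice, setuid:", mayJoinNetns(conf, "alice", nil, "/run/netns/hpc-a", true, false))
	fmt.Println("alice, non-setuid:", mayJoinNetns(conf, "alice", nil, "/run/netns/hpc-a", false, false))
	fmt.Println("bob, setuid:", mayJoinNetns(conf, "bob", nil, "/run/netns/hpc-a", true, false))
}
```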

Changed defaults / behaviours

  • Label the starter process seen in ps with the image filename, for example: Apptainer runtime parent: example.sif.
  • Remove runtime and compute libraries from rocmliblist.conf. They should instead be provided by the container image.
  • Allow overriding the build architecture with --arch and --arch-variant, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (binfmt_misc).
  • Complete the previously partial support for the riscv64 architecture.
  • Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or /.
  • Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.
  • Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes configuration option.
  • Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
  • Fix storage of credentials for docker.io to behave the same as for index.docker.io.
  • Change message log level from warning to debug when environment variables set inside a container or by APPTAINERENV have a different value than the environment variable on the host.
  • Change the default message level from silent to the normal level in the nested apptainer that executes a build's %post section, and suppress an unnecessary warning message.
  • Ignore invalid environment variables when pulling oci/docker containers.
  • Improve documentation for remote list command.
  • Remove the little-known fakerootcallback functionality.
  • Update the default pacman confURL for Bootstrap: arch container builds.
  • Update the bundled fuse programs to their latest releases.
  • A go version of at least 1.22 is now required to build from source.

Bug fixes

  • Fix the mconfig -s option to build the apptainer and starter binaries statically as documented.
  • Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the apptainer source code.
  • %files from in a definition file will now correctly copy symlinks that point to a target above the destination directory but inside the destination stage root filesystem.
  • Fixed typo in nvliblist.conf (libnvoptix.so.1 -> libnvoptix.so).
  • Avoid timeouts when cleaning up from building gocryptfs-encrypted SIF files.
  • Fix bug that prevented build with --passphrase or --pem-path but without --encrypt from implying fakeroot.
  • Fix hang when copying files between build stages while using suid mode without user namespaces.
  • Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
  • Fix target: no such file or directory error when extracting layers from certain OCI images that manipulate hard links across layers.
  • Fix the crash that happened when executing a privilege-encrypted container as root.

Internal

  • Refactor image arch variation using go-containerregistry's platform.
  • A test mksquashfs is no longer done when building SIF files. That used to be done every build to verify that squashfs tools were new enough to support the -comp gzip option.

The following are the changes since 1.4.0-rc.2, included in the notes above:

  • Fix target: no such file or directory error when extracting layers from certain OCI images that manipulate hard links across layers.
  • Fix the crash that happens when executing a privilege-encrypted container as root.
  • Update the default pacman confURL for Bootstrap: arch container builds.
  • Update the bundled gocryptfs to 2.5.1 and squashfuse to 0.6.0.

Apptainer 1.4.0 Release Candidate 2

04 Mar 21:19
fa085d7

v1.4.0 Release Candidate 2 - [2025-03-4]

Changes since 1.4.0-rc.1

  • If the mksquashfs version is new enough (version 4.6 or later), then show a percentage progress bar (with ETA) during SIF creation. If the mksquashfs version is older, then fall back to the message "To see mksquashfs output with progress bar enable verbose logging".
  • Include a bundled copy of squashfs-tools to make the progress bar available and to ensure that all compression types are available. This includes the programs mksquashfs and unsquashfs.
  • Revise the libsubid implementation including removing the fakerootcallback functionality.
  • Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
  • Allow overriding the build architecture with --arch and --arch-variant, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (binfmt_misc).
  • Complete the previously partial support for the riscv64 architecture.
  • Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or /.
  • Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.

Apptainer 1.4.0 Release Candidate 1

21 Jan 21:38
642ccad
Pre-release

v1.4.0 Release Candidate 1 - [2025-01-21]

Changes since 1.3.6

New Features & Functionality

  • Add support for libsubid, when available at compile time. This library enables central management of subuid and subgid mappings and typically comes as part of the shadow-utils package, possibly as a shadow-utils-subid subpackage.
  • Add new build option --mksquashfs-args to pass additional arguments to the mksquashfs command when building SIF files. If a compression method other than gzip is selected, the SIF file might not work with older installations of Apptainer or Singularity, so an INFO message about that is printed. On the other hand, an INFO message that was printed (twice) when running an image with non-gzip compression has been removed.
  • Expand the build instructions for squashfuse and apptainer packaging to include the libraries needed for maximum support of compression algorithms by squashfuse_ll.
  • Statistics are now normally available for instances that are started by non-root users on cgroups v2 systems. The instance will be started in the current cgroup. Information about configuration issues that prevent collection of statistics is displayed as INFO messages by default.
  • Add a dnf definition file bootstrap option as an alias to the yum bootstrap option.
  • Add a --sandbox option to apptainer pull.
  • Add configuration file binding to the --nv option. Files that are recognized in the NVIDIA Container Toolkit, including files for EGL ICD, were added to the default nvliblist.conf.
  • It is now possible to use multiple environment variable files using the --env-file flag. Files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence over earlier files.
  • The registry login and registry logout commands now support a --authfile <path> option, which causes OCI credentials to be written to / removed from a custom file located at <path> instead of the default location ($HOME/.apptainer/docker-config.json). The commands pull, push, run, exec, shell and instance start can now also be passed a --authfile <path> option, to read OCI registry credentials from this custom file.
  • A new --netns-path option takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allowed netns paths directive in apptainer.conf, if they are also listed in allowed net users / allowed net groups and apptainer is installed with setuid privileges. Not supported with --fakeroot.
  • apptainer.conf now accepts setting the following options:
    • allow ipc ns -- Default value is yes; when set to no, it will disable the use of the --ipc flag.
    • allow uts ns -- Default value is yes; when set to no, it will invalidate the use of the --uts and --hostname flags.
    • allow user ns -- Default value is yes; when set to no, it will disable creation of user namespaces. Note that this will prevent execution of containers with the --userns or --fakeroot flags and with unprivileged installations of Apptainer.
  • Add automated tests for OpenSUSE Leap and Tumbleweed and Debian Bookworm.

Changed defaults / behaviours

  • Label the starter process seen in ps with the image filename, for example: Apptainer runtime parent: example.sif.
  • When the logging level is verbose or debug, builds of SIF files now show the output of mksquashfs including the progress bar.
  • Remove runtime and compute libraries from rocmliblist.conf. They should instead be provided by the container image.
  • Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes configuration option.
  • Make binary builds more reproducible by deriving the GNU build ID from the Go build ID instead of using a randomly generated one.
  • Fix storage of credentials for docker.io to behave the same as for index.docker.io.
  • Change message log level from warning to debug when environment variables set inside a container or by APPTAINERENV have a different value than the environment variable on the host.
  • Change the default message level from silent to the normal level in the nested apptainer that executes a build's %post section, and suppress an unnecessary warning message.
  • Ignore invalid environment variables when pulling oci/docker containers.
  • Improve documentation for remote list command.
  • Update the bundled fuse programs to their latest releases.
  • A go version of at least 1.22 is now required to build from source.

Bug fixes

  • Fix the mconfig -s option to build the apptainer and starter binaries statically as documented.
  • Fix the Makefile generated by mconfig -b to work when the selected build directory is not a subdirectory of the apptainer source code.
  • %files from in a definition file will now correctly copy symlinks that point to a target above the destination directory but inside the destination stage root filesystem.
  • Fixed typo in nvliblist.conf (libnvoptix.so.1 -> libnvoptix.so).
  • Avoid timeouts when cleaning up from building gocryptfs-encrypted SIF files.
  • Fix bug that prevented build with --passphrase or --pem-path but without --encrypt from implying fakeroot.
  • Fix hang when copying files between build stages while using suid mode without user namespaces.

Internal

  • Refactor image arch variation using go-containerregistry's platform.
  • A test mksquashfs is no longer done when building SIF files. That used to be done every build to verify that squashfs tools were new enough to support the -comp gzip option.

Apptainer 1.3.6

04 Dec 17:11
9725fd3

v1.3.6 - [2024-12-02]

  • Avoid using kernel overlayfs when the lower layer is a sandbox on an incompatible filesystem type such as GPFS or Lustre. For those cases use fuse-overlayfs instead. This fixes a regression introduced in 1.3.0. The regression didn't much impact Lustre because kernel overlayfs refused to try to use it and Apptainer proceeded to use fuse-overlayfs anyway, but with GPFS the kernel overlayfs allowed mounting but returned stale file handle errors.

Apptainer 1.3.5

30 Oct 16:54
4382a1b

v1.3.5 - [2024-10-30]

  • Fix a regression introduced in 1.3.4 that overwrote existing standard /.singularity.d files such as runscript in container images even if they had been modified.
  • Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes configuration option.
  • Support parsing nested variables defined inside %arguments section of definition files.
  • Ignore invalid environment variables when pulling oci/docker containers.

Apptainer 1.3.4

05 Sep 04:13
069817d

v1.3.4 - [2024-09-04]

  • Fixed sif-embedded overlay partitions for containers that are larger than 2 gigabytes.
  • Fixed the apparmor profile that was added in v1.3.3 but didn't work. An apparmor profile is applied in all Debian-based apptainer packaging, but is only needed to enable user namespaces for apptainer on a default-configured Ubuntu 23.10 or newer.
  • Fixed the failure when starting apptainer with instance --fakeroot.
  • apptainer build -B ... can now be used to mount custom resolv.conf and hosts files from non-standard outside locations. This can be used to run apptainer build in a nix-build sandbox that has no /etc/resolv.conf.
  • Fixed failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
  • Show info messages suggesting to use enable underlay = preferred or the --underlay flag when overlay is implied for bind mounts but the kernel is too old to support fuse mounts in user namespaces and so tries to use fusermount.
  • When someone uses a yum bootstrap to build a container without using subuid-based fakeroot or root, warn that it is unlikely to work.
  • Allow a writable --overlay to be used with --nvccli instead of --writable-tmpfs.
  • If an error "no descriptor found for reference" is seen while getting an oci container, retry the operation up to five times.
  • Make fakeroot Recommended for SUSE rpms instead of Required.
  • Allow bind mounts onto existing files on r/o NFS filesystems.
  • If an error is seen in the %post section when building a container using fakeroot mode 3 (with the fakeroot command) then show a message suggesting using --ignore-fakeroot-command and referring to the documentation about how to install and use it inside the container definition file.
  • Show a more helpful error message when using fakeroot in suid mode and there's an /etc/subuid mapping even though user namespaces are not available (user namespaces are required for /etc/subuid mapping).

Apptainer 1.3.3

03 Jul 18:18
c9a8d47

v1.3.3 - [2024-07-03]

  • Updated the minimum golang version to 1.21.
  • Removed support for EL7.
  • Added libcudadebugger.so to nvliblist.conf to support cuda-gdb in CUDA 12+.
  • Ensure opened/kept file descriptors in stage 1 are not closed during the Go garbage collection to avoid "bad file descriptor" errors at startup.
  • Fixed a segmentation violation issue when running Apptainer checkpoint.
  • Added apparmor profiles for ubuntu 24.04 or higher distros.
  • Fixed an issue where Apptainer would not read default docker credentials.

v1.3.2

28 May 18:14
83e86e8

v1.3.2 - [2024-05-28]

Security fix

  • Included a fix for CVE-2024-3727 in a dependent library which describes a flaw that can allow attackers to trigger unexpected authenticated registry accesses due to object digest values not being validated in all cases.
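
As an added illustration (not the patched library's code), this Go example shows the kind of check the CVE description refers to: a digest taken from untrusted metadata is validated for form before it is used, and the content is then verified against it. Restricting the check to sha256 and all sample values are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// sha256Form is the strict textual form accepted here: algorithm prefix plus
// exactly 64 lowercase hex characters. Other algorithms are out of scope.
var sha256Form = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

var (
	ErrMalformed = errors.New("malformed digest")
	ErrMismatch  = errors.New("content does not match digest")
)

// validateDigest is meant to run before a digest read from a manifest is used
// for anything else (cache paths, registry URLs, comparisons).
func validateDigest(d string) error {
	if !sha256Form.MatchString(d) {
		return fmt.Errorf("%w: %q", ErrMalformed, d)
	}
	return nil
}

// digestOf computes the canonical digest string of content.
func digestOf(content []byte) string {
	sum := sha256.Sum256(content)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// verifyBlob validates the claimed digest, then checks the content against it.
func verifyBlob(claimed string, content []byte) error {
	if err := validateDigest(claimed); err != nil {
		return err
	}
	if digestOf(content) != claimed {
		return ErrMismatch
	}
	return nil
}

func main() {
	layer := []byte("constructed layer bytes") // constructed sample content
	good := digestOf(layer)
	// Constructed claims: one valid, then too short, wrong case, wrong content.
	claims := []string{good, "sha256:abc123", "SHA256:" + good[7:], digestOf([]byte("other"))}
	for _, claimed := range claims {
		fmt.Printf("%q -> %v\n", claimed, verifyBlob(claimed, layer))
	}
}
```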

Other Changes

  • Fixed an issue when nesting apptainer instance start inside a container on a cgroups-v2 capable host.
  • Fixed an issue where the oras download progress bar gets stuck when downloading large images.

v1.3.1

24 Apr 16:33
de61a60

v1.3.1 - [2024-04-24]

  • Make 'apptainer build' work with signed Docker containers.
  • Fixed regression introduced in 1.3.0 that prevented closing cryptsetup and the corresponding loop device after running an encrypted sif container file in suid mode.
  • Stopped binding over the default timezone in the container with the host's timezone, which led to unexpected behavior if the application changed timezones.
  • Added progress bars for oras:// push and pull.
  • Hide the "Instance stats will not be available" message under --sharens mode.
  • Fix problem where credentials locally stored with registry login command were not usable in some execution flows. Run registry login again with latest version to ensure credentials are stored correctly.
  • Make runscript timeout configurable.
  • Return invalid bind path mount options during bind path parsing.
  • Make the INFO message more helpful when a running background process at exit time causes a FUSE mount to not shut down cleanly.
  • Fixed the wrong mediaType in the oras push manifest.