What’s New in SingularityCE 4.0

This section highlights important changes in SingularityCE 4.0 that are of note to system administrators. See also the “What’s New” section in the User Guide for user-facing changes.

OCI-Compatibility

  • SingularityCE’s OCI-mode, which was experimental in 3.11, is now expanded and fully supported. It is enabled via --oci on the command line, or by setting oci mode = true in singularity.conf.

  • OCI-mode runs containers unprivileged, using a low-level OCI runtime rather than SingularityCE’s own native runtime. SingularityCE’s setuid starter executable is not used on OCI-mode, even when setuid is enabled for the native runtime.

  • OCI-mode uses OCI-SIF images, a variant of the Singularity Image Format. These images cannot be run using earlier versions of SingularityCE.

  • OCI-mode supports the Container Device Interface (CDI) standard for enabling access to GPUs and other devices within containers.

Requirements

  • SingularityCE uses squashfuse_ll or squashfuse, which is now built from a git submodule unless --without-squashfuse is specified as an argument to mconfig. When built with --without-squashfuse, squashfuse_ll or squashfuse should be located on PATH. Version 0.2.0 or later is required.

  • OCI-mode requires sqfstar or tar2sqfs to be installed on the system in order to create OCI-SIF images.

  • OCI-mode requires fuse-overlayfs to be installed on the system (from a distribution package), to fully support unprivileged overlays.

  • OCI-mode requires that either runc or crun is installed on the system (from a distribution package).

  • OCI-mode requires that subuid/subgid mappings have been configured for users, in the same manner as documented for the fakeroot feature.

Packaging

  • RPM packages now use /var/lib/singularity (rather than /var/singularity) to store local state files.

  • Bash completions are now installed to the modern share/bash-completion/completions location, rather than under etc.

CLI

  • The keyserver management commands that were under remote have been moved to their own, dedicated keyserver command. Run singularity help keyserver for more information.

Caching

  • Caching of OCI blobs is now architecture aware. If older versions of SingularityCE are not being used in parallel, users should run singularity cache clean to recover space used by obsolete cached blobs.

Plugins

  • Support for image driver plugins, deprecated at 3.11, has been removed. Unprivileged kernel overlay is supported without a plugin. In singularity.conf, the image driver directive has been removed, and enable overlay no longer supports the driver option.