What’s New in SingularityCE 4.0
This section highlights important changes in SingularityCE 4.0 that are of note to users. See also the “What’s New” section in the Admin Guide for administrator-facing changes.
OCI-mode
Singularity 4 introduces OCI-mode as a fully supported
feature. It is enabled by using the --oci flag with the run / shell / exec /
pull commands, or when oci mode = yes is set in singularity.conf.
In OCI-mode:
Container images from OCI sources will be
pull-ed to an OCI-SIF file. An OCI-SIF file encapsulates the OCI image configuration and squashed filesystem using an OCI, rather than Singularity specific, structure.The run / shell / exec commands use a low-level OCI runtime (crun/runc) for container execution.
Default operation is compatible with other OCI tools, similar to
--compatin Singularity’s non-OCI native mode.OCI-mode supports running existing Singularity SIF images, that are not OCI-SIF, and can be made to imitate native mode default behavior by using the
--no-compatflag.
CLI Changes
The commands related to OCI/Docker registries that were under
singularity remotehave been moved to their own, dedicated registry command.The keyserver-related commands that were under
singularity remotehave been moved to their own, dedicated keyserver command.Adding a new remote endpoint using the
singularity remote addcommand will now set the new endpoint as default. This behavior can be suppressed by supplying the--no-default(or-n) flag toremote add.--cwdis now the preferred form of the flag for setting the container’s working directory, though--pwdis still supported for compatibility.
Runtime Behavior Changes
The way
--homeis handled when running as root (e.g.sudo singularity) or with--fakeroothas changed. Previously, we were only modifying theHOMEenvironment variable in these cases, while leaving the container’s/etc/passwdfile unchanged (with its homedir field pointing to/root, regardless of the value passed to--home). Now, both the value of HOME and the contents of/etc/passwdin the container will reflect the value passed to--home.Bind mounts are now performed in the order of their occurrence on the command line, or within the value of the
SINGULARITY_BINDenvironment variable. (Previously, image-mounts were always performed first, regardless of order.)The current working directory is created in the container when it doesn’t exist, so that it can be entered. You must now specify
--no-mount home,cwdinstead of just--no-mount hometo avoid mounting from$HOMEif you runsingularityfrom inside$HOME.If the path of the current working directory in the container and on the host contain symlinks to different locations, the current working directory will not be mounted.
New Features & Functionality
Templating support for definition files: users can now define variables in definition files via a matching pair of double curly brackets.
Added a
--secretflag (shorthand:-s) to thekey removesubcommand, to allow removal of a private key by fingerprint.Added
--privateas a synonym for--secretinkey list,key export, andkey removesubcommands.The
instance startcommand now accepts an optional--app <name>argument which invokes the start script within the%appstart <name>section in the definition file. Theinstance stopcommand still only requires the instance name.A new
--no-pidflag forsingularity run/shell/execdisables the PID namespace inferred by--containalland--compat.Caching of OCI images is now architecture aware. This fixes behavior in cases where a user’s home directory is shared between systems of different architectures. If you do not use older versions of SingularityCE on a system, you can remove obsolete cache entries with
singularity cache clean --type blob.A new
--platformflag can be used to specify anOS/Architecture[/Variant]when pulling images from OCI or library sources. When pulling from library sources the optional variant is ignored.The
--archflag can now be used to specify a required architecture when pulling images from OCI, as well as library sources.