Releases: eth-cscs/sarus

1.4.1

02 Feb 09:54

Added

  • Added support for proxy connections when pulling images from remote registries
  • Added CMake option to control build of unit test executables

Changed

  • Updated recommended runc version to 1.0.3
  • Updated recommended libnvidia-container version to 1.7.0
  • Updated recommended NVIDIA Container Toolkit version to 1.7.0
  • Updated CppUTest framework for unit tests to version 4.0

Fixed

  • Fixed generation of README files for standalone archives

1.4.0

16 Nov 17:16

Added

  • Added the ability to pull from insecure registries via insecureRegistries parameter in sarus.json
  • Added the -e/--env option to sarus run for setting environment variables inside the container.
  • Added the --device option to sarus run for mounting and whitelisting devices inside containers.
  • Added support for the optional siteDevices parameter in the sarus.json configuration file.
    This parameter can be used by administrators for defining devices to be automatically mounted and whitelisted inside containers.
  • Added the --pid option to sarus run for setting the container PID namespace.
  • Added support for applying seccomp profiles to containers
  • Added support for applying AppArmor profiles to containers
  • Added support for applying SELinux labels to container processes and to mounts performed by the OCI runtime
  • The MPI hook whitelists access to devices bind mounted inside containers
  • cgroup filesystems are mounted inside containers
  • Added script to check for host requirements in CI, linked in documentation.
  • Added CI unit and integration tests from source on Fedora 34 and OpenSUSE Leap 15.3

Changed

  • Containers now use the host's PID namespace by default. A private PID namespace can be requested through the CLI
  • The --ssh option of sarus run now implies --pid=private
  • Changed format of the environment parameter in the sarus.json configuration file
  • Updated documentation about how the initial environment variables are set in containers
  • Updated recommended Boost version to 1.77.0
  • Updated recommended Cpprestsdk version to 2.10.18
  • Updated recommended libarchive version to 3.5.2
  • Updated recommended RapidJSON version to commit 00dbcf2
  • Updated recommended runc version to 1.0.2
  • Updated recommended libnvidia-container version to 1.5.1
  • Updated recommended NVIDIA Container Toolkit version to 1.5.1
  • Updated Dropbear software used by the SSH hook to version 2020.81
  • Miscellaneous updates to Dockerfiles used for CI stages; in particular, the Sarus static standalone package is now built on Alpine Linux 3.14 with a GCC 10.3.1 toolchain

Fixed

  • Corrected the error message when attempting to pull an image by digest

Removed

  • The use of the bind-propagation property for bind mounts (deprecated in Sarus 1.1.0) has now been removed. All bind mounts are done with recursive private (rprivate) propagation.

Security

  • Access to custom devices within containers is not allowed by default

1.3.3

10 Dec 13:07

Added

  • Added CI unit and integration tests from source on Ubuntu 20.04
  • Added regular cleanups of CI caches on GitLab
  • Added diagrams representing CI/CD workflows to developer documentation
  • Added Markdown builder for Sphinx documentation

Changed

  • Updated minimum required CMake version to 2.8.12
  • Improved clarity of some messages from the MPI hook
  • Updated copyright notice and license formatting
  • Migrated container images used by unit and integration tests to Quay.io

Fixed

  • Fixed bug preventing extraction of image layers with hardlinks pointing to absolute paths
  • Small fix to RapidJSON installation documentation

1.3.2

03 Aug 08:03

Added

  • Added CONTRIBUTING.md file with guidelines about contributing to the project
  • Added CI tests for the Spack package on Ubuntu 18.04, Debian 10, CentOS 7, Fedora 31, OpenSUSE Leap 15.2
  • Added wget and autoconf as buildtime dependencies in the Spack package
  • Added a documentation note about compiler selection when installing on CentOS 7 using the Spack package
  • Added a documentation note about installing the static version of the glibc libraries when installing using the Spack package

Fixed

  • Fixed a bug preventing bind mounts to /dev in the container

Removed

  • Removed the CI test for the Spack package on Ubuntu 16.04

1.3.1

23 Oct 10:36

Added

  • Support for pulling images from registries which do not use content redirect for blobs

Fixed

  • Fixed extraction of image layers when replacing directories with other file types
  • MPI and Glibc hooks skip entries from the dynamic linker cache if such entries do not exist in the container's filesystem

Security

  • Slurm global sync hook drops privileges at startup
  • MPI and Glibc hooks now perform validations with user credentials for host mounts and writes

1.3.0

15 Sep 16:07

Added

  • Customizable sarus and hooks configuration templates within etc folder
  • Port number used by the SSH hook is now configurable
  • Added note in the User Guide about bind mounting FUSE filesystems into Sarus containers

Changed

  • The OCI hooks are now configured through OCI hook JSON configuration files. The previous OCI hooks configuration through sarus.json is no longer supported, and Sarus administrators should reconfigure their hooks according to the Sarus hook documentation page
  • Replaced the custom OpenSSH used by the SSH hook with Dropbear
  • Made CPU affinity detection more robust
  • Updated recommended tini version to 0.19.0
  • Updated recommended libnvidia-container version to 1.2.0
  • Updated recommended NVIDIA Container Toolkit version to 1.2.1

Fixed

  • CLI: fixed detection of option values separated by whitespace
  • CLI: 'sarus run' no longer returns an error when passing an option (i.e. a token starting with "-") as the first argument to the container application.
    This allows options to be passed directly to containers which feature an entrypoint
  • Support for root_squashed filesystems as image storage and as bind mounts sources
  • When executing unit tests through the CTest program, tests now run in the directory of the test binary
  • Fixed broken links in the documentation

1.2.0

18 Jun 15:09

[1.2.0] - 2020-06-17

Added

  • Enabled Sarus to print log messages from the OCI Hooks
  • Better documentation for ABI Compatibility
  • Added User Guide section about running MPI applications without the MPI hook
  • Added documentation about requiring Linux kernel >= 3.0 and util-linux >= 2.20
  • Added AddressSanitizer CI job

Changed

  • The glibc hook is no longer activated by default, unless the --mpi option is used. To activate it explicitly, the new --glibc option of sarus run can be used
  • OCI annotations are now used instead of environment variables to pass information to hooks. This is an internal change, transparent to users, moving towards OCI hooks' independence from Sarus
  • Most of the Environment Variables for Hooks were renamed. Sarus Administrators should check the new names in the respective hook documentation pages
  • OCI MPI Hook will now enable MPI "backwards" library injections, issuing a warning
  • Improved the retrieval of image manifests from remote registries to better leverage the OCI Distribution specification
  • Removed the explicit use of the autoclear option when loop-mounting squashfs images. Explicit use of the option causes a failure on Linux kernels >= 5.4. The autoclear option is still set implicitly by the mount system utility since June 2011 for kernels > 2.6.37.
  • Updated Spack packages and installation instructions
  • Updated documentation about the NVIDIA Container Toolkit
  • The SSH and Slurm global sync hooks now use configurable paths for their resources and are no longer dependent on Sarus-specific directories
  • Reviewed and updated documentation about runtime security checks
  • Several improvements to the Continuous Integration workflow

Fixed

  • Fixed a bug in the OCI MPI hook which caused it to fail to run containers having multiple versions of an MPI dependency library
  • Runtime security checks no longer fail if a checked path does not exist
  • Fixed setting of default bind propagation values for custom mounts
  • Fixed parsing of authentication challenges from the NVIDIA GPU Cloud registry
  • Fixed the ability to pull images from the Quay.io registry

Security

  • Compiling now with -fstack-protector-strong as a measure against buffer overflows

1.1.0

04 Feb 10:45

[1.1.0] - 2020-02-03

Added

  • Added the --workdir option to sarus run for setting the initial working directory inside the container.
  • Added "Communications" and "Publications" sections to project README.
  • Added documentation about complementing Sarus with Skopeo for interacting with 3rd party registries.
  • Added integration tests for security checks.

Changed

  • Updated libarchive dependency to version 3.4.1.
  • Updated recommended runc version to 1.0.0-rc10.
  • Improved string parsing by using Boost functions.
  • Site/user bind mounts have "recursive private" propagation by default.
  • Extensive code refactoring on the Native MPI hook:
    • Easier to extend and better control of performed actions.
    • More robust symlink generation.
    • Enhanced ABI version resolution.
    • Improved unit tests.
    • Factored out non-specific code to common utility functions.
  • The Slurm global sync hook is activated only when the user requests activation of the SSH hook.
  • Transitioned integration tests to Python 3 and pytest.
  • Integration tests for the virtual cluster reuse the same Docker image of unit and integration tests.
  • Updated cookbook page about the Intel Cluster Edition software.

Deprecated

  • Deprecated the use of the bind-propagation property for site/user bind mounts. It will be removed in a future release.

Fixed

  • Fixed propagation of CPU affinity from the host to the container process.
  • Fixed some hyperlinks in the documentation

Security

  • Changes to security checks:
    • Reorganized and unified code for the checks.
    • Root ownership is checked based on uid, regardless of gid.
    • Root ownership for directories is checked recursively all the way up to the / directory.
    • Always check that sarus.json is untamperable regardless of the value of the configuration parameter.
  • Improved usage of libarchive to prevent image contents from spilling outside of the expansion directory when extracting layers.

1.0.1

11 Nov 10:54
  • SSH hook starts unprivileged sshd

1.0.0

11 Nov 09:58

First production release