Release notes from sarus

1.7.0

2024-09-05T14:53:20Z

Added

Added the sarus ps command to list running containers. More details here.
Added the sarus kill command to terminate (and subsequently remove) containers.
Added the -n, --name option the sarus run command to specify the name of the container to run. If the option is not specified, Sarus assigns a default name in the form sarus-container-*. More details here
MPI hook: added support for the environment variable MPI_COMPATIBILITY_TYPE that defines the behaviour of the compatibility check of the libraries
that the hook mounts. Valid values are major, full and strict. Default value is major.
More details here.
MPI hook: added support for the HOOK_ROOTLESS environment variable, enabling the hook to be used in rootless container runtimes. More details here.
SSH Hook: added a poststop functionality that kills the Dropbear process in case the hook does not join the container's PID namespace. More details here.

Changed

Configuration templates and documentation for OCI hooks now use the createRuntime, createContainer, or startContainer execution stages instead of the prestart stage, which has been deprecated since version 1.0.2 of the OCI Runtime specification. The only exception is the NVIDIA Container Toolkit hook.
Updated the build environment of the Sarus static standalone package to Alpine Linux 3.20 with a GCC 13.2.1 toolchain.
Updated recommended runc version to 1.1.14
Updated recommended Boost version to 1.85.0
Updated recommended RapidJSON version to commit ab1842a2da

1.6.4

2024-02-27T15:12:37Z

Added

SSH hook: added support for the com.hooks.ssh.port OCI annotation, which allows to customize the port used by the Dropbear server.

Changed

MPI hook: verbosity levels for log messages about ABI compatibility and library replacements have been slightly adjusted.
In particular, a warning about adding libraries into the container has been moved to a higher verbosity level
(i.e. it will only be displayed when using the --verbose or --debug global command-line options).
SSH hook: the default port used by the Dropbear server is now set through the SERVER_PORT_DEFAULT environment variable in the hook JSON configuration file.
The SERVER_PORT variable is still supported for backward compatibility, although SERVER_PORT_DEFAULT takes precedence if set.

Deprecated

SSH hook: usage of the SERVER_PORT environment variable in the hook JSON configuration file has been deprecated.
Support for it will be removed in a future release.

Fixed

Glibc hook: fixed detection of the container's glibc version, which was causing a shell-init error on some systems
SSH hook: permissions on the container's authorized keys file are now set explicitly, fixing possible errors caused by applying unsuitable defaults from the process.

1.6.3

2024-02-09T00:50:42Z

Changed

Changed the implementation of the lock for the image repository metadata file to a mechanism based on flock(2).
The new implementation can support both shared locks (a.k.a. read locks) and exclusive locks (a.k.a. write locks),
and improves the startup time when launching large numbers of containers at scale.
Updated recommended runc version to 1.1.12
Updated recommended libnvidia-container version to 1.14.5
Updated recommended NVIDIA Container Toolkit version to 1.14.5
Updated CI integration tests on Rocky 8 to use Python 3.9, solving a problem of missing wheel packages for the previous Python version
Updated CI distributed tests to use Docker Compose V2 and Compose file format version 3
Updated automatic documentation build to use Sphinx 7.2.6 and Sphinx RTD Theme 2.0.0

1.6.2

2023-12-07T12:36:43Z

Added

SSH Hook: added support for the com.hooks.ssh.pidfile_container OCI annotation, which allows to customize the path to the Dropbear daemon PIDfile inside the container.
SSH Hook: added support for the com.hooks.ssh.pidfile_host OCI annotation, which optionally copies the PIDfile of the Dropbear server to the specified path on the host.
SSH Hook: added support for the OVERLAY_MOUNT_HOME_SSH environment variable, which allows to control the creation of an overlay filesystem on top of the container's ${HOME}/.ssh directory.
More details here.

1.6.1

2023-10-17T13:22:57Z

Added

SSH Hook: added support for the com.hooks.ssh.authorize_ssh_key OCI annotation, which allows to authorize a user-provided public key for connecting to the running container.
Added a User Guide section about using Visual Studio Code's Remote Development extension in conjunction with Sarus and the SSH hook. More details here

Changed

The configuration files for the SSH hook and the Slurm sync hook are no longer generated automatically as part of the CMake installation process.
In other words, the aforementioned hooks are no longer configured and enabled by default.
Updated recommended runc version to 1.1.9
Updated CI tests from source on Fedora (36 -> 38) and OpenSUSE Leap (15.4 -> 15.5)

Fixed

Fixed support for image manifests which are provided by registries as multi-line, not indented JSON
Fixed parsing from the command line of image references which feature registry host and image name, but no namespaces (e.g. <registry>/<image>)

Security

The installation directory of Sarus binaries is now always verified by the security checks.
Previously the check on this directory could be skipped if no Sarus hooks were configured and if the runc and init binaries were located elsewhere.

1.6.0

2023-05-25T10:09:37Z

Added

Added the sarus hooks command to list the hooks configured for the engine
Added the --annotation option to sarus run for setting custom annotations in the OCI bundle. More details here
Added the --mpi-type option to sarus run for selecting an MPI hook among those configured by the system administrator
Added a warning message when acquisition of a lock file on the local repository metadata file is taking an unusually long time.
The message is displayed at a configurable interval (default 10 seconds), until the lock acquisition timeout is reached.
Added support for the optional defaultMPIType parameter in the sarus.json configuration file. More details here.
Added support for the optional repositoryMetadataLockTimings parameter in the sarus.json configuration file. More details here.
Added the AMD GPU OCI hook to provide access to ROCm AMD GPU devices inside the container. More details here
Added a new OCI hook to perform arbitrary sequences of bind mounts and device mounts into containers.
The hook is meant to streamline the implementation and usage of advanced features which can be enabled through sets of related mounts.
More details here.
Added a note about the Boost minimum required version 1.77 when building on ARM.

Changed

Sarus will now exit with an error if an operation requiring a lock file on the local repository metadata cannot acquire a lock within the configured timeout duration (default 60 seconds).
Previously, Sarus would keep attempting to acquire a lock indefinitely.
When printing error traces, entries related to standard C++ exceptions now provide clearer information
Updated recommended runc version to 1.1.6
Updated recommended libnvidia-container version to 1.13.0
Updated recommended NVIDIA Container Toolkit version to 1.13.0

Fixed

Fixed a race condition when pulling private images concurrently with the same user
Fixed a bug which was causing repository metadata files and their corresponding lockfiles to be created or atomically updated with root group ownership after executing a sarus run command.
The aforementioned files are now correctly created or updated with user and group ownership of the user who launched Sarus.

1.5.2

2022-11-11T22:29:00Z

Added

Added support for passing command-line options to mksquashfs through the mksquashfsOptions parameter in the sarus.json configuration file
Added explicit forwarding of standard signals from engine to OCI runtime
Added experimental support for the PMIx v3 interface. Given its experimental nature, this feature has to be enabled through a parameter in the sarus.json configuration file
Added CI unit and integration tests from source on Rocky Linux 8 and 9

Changed

The sarus run and sarus images commands now automatically remove images missing the internal SquashFS or metadata file, and report them as not available
The MPI hook and Glibc hook no longer enter the container PID namespace
The Slurm Global Sync hook and the Timestamp hook no longer enter any container namespace
Updated recommended runc version to 1.1.3
Updated recommended libnvidia-container version to 1.11.0
Updated recommended NVIDIA Container Toolkit version to 1.11.0
Updated documentation about the NVIDIA Container Toolkit to refer more specifically to the NVIDIA Container Runtime hook
The configure_installation.sh script can now acquire custom values for the local and/or centralized repository paths from environment variables.
More details here
Updated CI tests from source on Ubuntu (21.10 -> 22.04), Fedora (35 -> 36) and OpenSUSE Leap (15.3 -> 15.4)

Removed

Removed CI tests from source on Ubuntu 20.04 and CentOS 7

Security

The executable pointed by the mksquashfsPath parameter in the sarus.json configuration file has been excluded from the security checks.
The mksquashfs utility is only used by sarus pull and sarus load commands, which already run without privileges

1.5.1

2022-07-12T10:00:15Z

Changed

Changed the default registry to docker.io.
When the server is not entered as part of the image reference, the sarus run command first looks under docker.io repositories and, if the image is not available, falls back to images under the previous default server (index.docker.io). This is done to preserve compatibility with existing workflows.
The sarus images and sarus rmi commands treat images from index.docker.io as images from a 3rd party registry.
If the image manifest obtained from a registry during a pull does not feature the mediaType property, Sarus now attempts to process the manifest as an OCI Manifest V1 instead of failing with an error.
Updated recommended libnvidia-container version to 1.10.0
Updated recommended NVIDIA Container Toolkit version to 1.10.0
Replaced Travis public CICD with Github Actions

Fixed

Fixed an issue in the generation of manifest digests, where the digest result was incorrectly influenced by JSON formatting
Fixed an inconsistency with Skopeo which was preventing to pull private images from Docker Hub

1.5.0

2022-05-31T16:58:40Z

Added

Added Skopeo as a dependency to pull or load container images
Added Umoci as a dependency to unpack OCI images
Added support for pulling, running and removing images by digest
Added the --digests option to sarus images for displaying digests of locally available images
Added the --username and --password-stdin options to sarus pull for supplying authentication credentials directly on the command line. More details here
Added support for the optional containersPolicy parameter in the sarus.json configuration file. More details here.
Added support for the optional containersRegistries.dPath parameter in the sarus.json configuration file. More details here.
Added support for labels defined in OCI image configurations
Added glossary page to the documentation
Added CI unit and integration tests from source on Ubuntu 21.10, Debian 11 and Fedora 35
Added git submodule for RapidJSON (commit Tencent/rapidjson@fcb23c2dbf) to simplify dependency management and build process

Changed

The sarus images command now displays the image ID by default.
The image ID, as defined by the OCI Image Specification, is the hash of the image's configuration JSON. More details here.
The sarus pull command now skips the pull if the requested image is already available locally and up-to-date
zlib is no longer a dependency of Sarus itself, but remains a dependency of the Dropbear software used by the SSH hook
Updated the build environment of the Sarus static standalone package to Alpine Linux 3.15

Removed

Removed the insecureRegistries parameter from sarus.json and the built-in support for insecure registries.
Access to insecure registries via Skopeo must now be enabled through containers-registries.conf(5) files. More details here.
Removed dependencies on cpprestsdk, libarchive, OpenSSL, libcap, and libexpat
Removed CI unit and integration tests from source on Ubuntu 18.04, Debian 10 and Fedora 34

1.4.2

2022-03-04T10:51:24Z

Changed

The Glibc hook now uses the output of ldd to detect the version of glibc
Sarus now attempts to parse the Bearer authorization token regardless of the value of the Content-Type response header when pulling images