nixpkgs/pkgs/applications/virtualization/singularity/default.nix

64 lines
1.7 KiB
Nix
Raw Normal View History

2016-11-14 01:26:59 +00:00
{ stdenv
, fetchFromGitHub
2017-11-07 03:47:20 +00:00
, autoreconfHook
, gnutar
, which
, gnugrep
, coreutils
, python
, e2fsprogs
, makeWrapper
, squashfsTools
, gzip
, gnused
, curl
, utillinux
2018-05-08 09:40:10 +01:00
, libarchive
, file
2017-11-07 03:47:20 +00:00
}:
2016-11-14 01:26:59 +00:00
stdenv.mkDerivation rec {
name = "singularity-${version}";
singularity: 2.5.1 -> 2.5.2 Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/singularity/versions. <details><summary>Version release notes (from GitHub)</summary> Greetings Singularity containerizers! This release contains fixes for a _high severity_ security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container. Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set `enable overlay = no` in `singularity.conf`. In addition, this release contains a large number of bug fixes. Details follow: ## [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021) - Removed the option to use overlay images with `singularity mount`. This flaw could allow a malicious user accessing the host system to access sensitive information when coupled with persistent ext3 overlay. - Fixed a race condition that might allow a malicious user to bypass directory image restrictions, like mounting the host root filesystem as a container image ## Bug fixes - Fix an error in malloc allocation #1620 - Honor debug flag when pulling from docker hub #1556 - Fix a bug with passwd abort #1580 - Allow user to override singularity.conf "mount home = no" with --home option #1496 - Improve debugging output #1535 - Fix some bugs in bind mounting #1525 - Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will work with kernels that implement them (like Cray systems) #1506 - Create /dev/fd and standard streams symlinks in /dev when using minimal dev mount or when specifying -c/-C/--contain option #1420 - Fixed * expansion during app runscript creation #1486 As always, please report any bugs to: https://github.com/singularityware/singularity/issues/new</details> These checks were done: - built on NixOS - /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/singularity passed the binary check. - Warning: no invocation of /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/run-singularity had a zero exit code or showed the expected version - 1 of 2 passed binary check by having a zero exit code. - 0 of 2 passed binary check by having the new version present in output. - found 2.5.2 with grep in /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2 - directory tree listing: https://gist.github.com/ed6db09ad43a19c6abf2d35d15ef489c - du listing: https://gist.github.com/9bd23f4d6ee86a9eb2ba7ec5c986741d
2018-07-08 00:41:51 +01:00
version = "2.5.2";
2017-11-07 03:47:20 +00:00
enableParallelBuilding = true;
patches = [ ./env.patch ];
preConfigure = ''
sed -i 's/-static//g' src/Makefile.am
patchShebangs .
'';
2018-03-12 04:13:31 +00:00
configureFlags = "--localstatedir=/var";
installFlags = "CONTAINER_MOUNTDIR=dummy CONTAINER_FINALDIR=dummy CONTAINER_OVERLAY=dummy SESSIONDIR=dummy";
2017-11-07 03:47:20 +00:00
fixupPhase = ''
patchShebangs $out
for f in $out/libexec/singularity/helpers/help.sh $out/libexec/singularity/cli/*.exec $out/libexec/singularity/bootstrap-scripts/*.sh ; do
chmod a+x $f
sed -i 's| /sbin/| |g' $f
sed -i 's| /bin/bash| ${stdenv.shell}|g' $f
wrapProgram $f --prefix PATH : ${stdenv.lib.makeBinPath buildInputs}
done
'';
2016-11-14 01:26:59 +00:00
src = fetchFromGitHub {
owner = "singularityware";
repo = "singularity";
rev = version;
singularity: 2.5.1 -> 2.5.2 Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/singularity/versions. <details><summary>Version release notes (from GitHub)</summary> Greetings Singularity containerizers! This release contains fixes for a _high severity_ security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container. Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set `enable overlay = no` in `singularity.conf`. In addition, this release contains a large number of bug fixes. Details follow: ## [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021) - Removed the option to use overlay images with `singularity mount`. This flaw could allow a malicious user accessing the host system to access sensitive information when coupled with persistent ext3 overlay. - Fixed a race condition that might allow a malicious user to bypass directory image restrictions, like mounting the host root filesystem as a container image ## Bug fixes - Fix an error in malloc allocation #1620 - Honor debug flag when pulling from docker hub #1556 - Fix a bug with passwd abort #1580 - Allow user to override singularity.conf "mount home = no" with --home option #1496 - Improve debugging output #1535 - Fix some bugs in bind mounting #1525 - Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will work with kernels that implement them (like Cray systems) #1506 - Create /dev/fd and standard streams symlinks in /dev when using minimal dev mount or when specifying -c/-C/--contain option #1420 - Fixed * expansion during app runscript creation #1486 As always, please report any bugs to: https://github.com/singularityware/singularity/issues/new</details> These checks were done: - built on NixOS - /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/singularity passed the binary check. - Warning: no invocation of /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/run-singularity had a zero exit code or showed the expected version - 1 of 2 passed binary check by having a zero exit code. - 0 of 2 passed binary check by having the new version present in output. - found 2.5.2 with grep in /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2 - directory tree listing: https://gist.github.com/ed6db09ad43a19c6abf2d35d15ef489c - du listing: https://gist.github.com/9bd23f4d6ee86a9eb2ba7ec5c986741d
2018-07-08 00:41:51 +01:00
sha256 = "09wv8xagr5fjfhra5vyig0f1frfp97g99baqkh4avbzpg296q933";
2016-11-14 01:26:59 +00:00
};
2017-11-07 03:47:20 +00:00
nativeBuildInputs = [ autoreconfHook makeWrapper ];
buildInputs = [ coreutils gnugrep python e2fsprogs which gnutar squashfsTools gzip gnused curl utillinux libarchive file ];
2016-11-14 01:26:59 +00:00
meta = with stdenv.lib; {
homepage = http://singularity.lbl.gov/;
description = "Designed around the notion of extreme mobility of compute and reproducible science, Singularity enables users to have full control of their operating system environment";
license = "BSD license with 2 modifications";
platforms = platforms.linux;
maintainers = [ maintainers.jbedo ];
};
}