- OCI Compatibility Mode – With the new experimental ‘--oci’ mode, users can run containers from a native OCI on-disk layout, making it easier for HPC and enterprise users in key industries to adopt containers and work with existing Dockerfiles. Users can run containers using the familiar Singularity commands in a way that is compatible with the industry standard for containers (OCI). Developers can use Singularity containers with other systems, allowing for more flexible use. Additionally, the behavior of the new mode closely mirrors the existing runtime, making it more convenient to use.
- Broadening and Securing Workflows – Singularity has added new security features to help verify and protect the integrity of container images. PEM keys and X.509 certificates can be used to sign and verify the images, providing a secure way to ensure that only authorized images are used. The addition of OCSP support also allows organizations to perform online checks to make sure that the images have not been revoked. These new features can easily integrate with the existing security infrastructure used by many organizations, providing an extra layer of protection for the containers.
- Instance Resource Limits & Monitoring – SingularityCE 3.11 now has the ability to monitor and control the resources used by the containers. When a container is run, it will be started in a special environment called a cgroup, which allows monitoring of its resource usage, such as CPU and memory, using the new singularity instance stats command. This feature is particularly important for organizations that want to ensure that their containers do not consume too many resources and negatively impact other applications or systems.
- Rootless Builds Without User Namespaces / ID Mapping – SingularityCE now allows users to build containers without being a root user or using a special user mapping system. This means that building containers can be done in a simplified and more straightforward way, without adding unnecessary complexity or potential compatibility issues. This new “proot” flow makes unprivileged builds possible for many different definition files, and does not require special configurations to be in place on the host system.
Sylabs Releases SingularityCE 3.11 for HPC Workflows with OCI Compatibility
