What's new in 4.3 & misc changes

sylabs · Mar 6, 2025 · 37d4952 · 37d4952
1 parent a109bc3
commit 37d4952
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 4 deletions.
diff --git a/appendix.rst b/appendix.rst
@@ -103,6 +103,9 @@ below with their respective functionality.
    (comma separated string) to bind to the ``/.singularity.d/libs``
    directory.
 
+#. **SINGULARITY_COSIGN**: Set to true to sign or verify OCI-SIF images using
+   cosign-compatible signatures.
+
 #. **SINGULARITY_CPU_SHARES**: Specify a relative share of CPU time
    available to the container. Default is -1 (disabled).
 
@@ -805,8 +808,8 @@ the new image during bootstrap.
 
 .. _build-yum:
 
-``yum`` bootstrap agent
-=======================
+``yum`` / ``dnf`` bootstrap agent
+=================================
 
 .. _sec:build-yum:
 
@@ -816,8 +819,9 @@ container from a mirror URI.
 Overview
 --------
 
-Use the ``yum`` module to specify a base for a CentOS-like container.
-You must also specify the URI for the mirror you would like to use.
+Use the ``yum`` module (also aliased to ``dnf``) to specify a base for an
+Enterprise Linux container. You must also specify the URI for the mirror you
+would like to use.
 
 Keywords
 --------

diff --git a/cgroups.rst b/cgroups.rst
@@ -467,6 +467,8 @@ link below, which details the properties you can set using
 
 https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html
 
+.. _sec:cgroup_namespace:
+
 ****************
 Cgroup Namespace
 ****************

diff --git a/new.rst b/new.rst
@@ -7,3 +7,29 @@ What's New in {Singularity} 4.3
 This section highlights important changes and new features in {Singularity} 4.3
 that are of note to users. See also the "What's New" section in the Admin Guide
 for administrator-facing changes.
+
+========
+OCI-Mode
+========
+
+- Images in OCI-SIF files can now be signed with a :ref:`cosign-compatible
+  signature <sec:cosign>`. These signatures can be pushed/pulled to/from OCI
+  registries.
+- Containers run in OCI-Mode now start in a cgroup, :ref:`cgroup namespace
+  <sec:cgroup_namespace>`, and mount the cgroup filesystem wherever possible.
+
+
+=======
+Runtime
+=======
+
+- :ref:`Nesting Singularity-in-Docker and Singularity-in-Singularity <nested>`
+  is now explicitly supported and tested in native mode and OCI-Mode.
+- Subuid and subgid mappings used for :ref:`fakeroot <fakeroot>` and OCI-Mode
+  are now obtained with libsubid on supported systems.
+
+=====
+Build
+=====
+
+- A ``dnf`` bootstrap is now available, as an alias of ``yum``.
diff --git a/signNverify.rst b/signNverify.rst
@@ -498,6 +498,8 @@ error:
    INFO:    Validate: cert:leaf  issuer:intermediate
    FATAL:   Failed to verify container: OCSP verification has failed
 
+.. _sec:cosign:
+
 ************************************
 Cosign Compatible OCI-SIF Signatures
 ************************************