about summary refs log tree commit diff
path: root/pkgs/applications/virtualization/singularity
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/applications/virtualization/singularity')
-rw-r--r--pkgs/applications/virtualization/singularity/generic.nix50
-rw-r--r--pkgs/applications/virtualization/singularity/packages.nix10
2 files changed, 42 insertions, 18 deletions
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index f27f58fda4876..1cac1d4f16c65 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -70,11 +70,19 @@ in
   # Whether to compile with SUID support
   enableSuid ? false,
   starterSuidPath ? null,
-  # newuidmapPath and newgidmapPath are to support --fakeroot
-  # where those SUID-ed executables are unavailable from the FHS system PATH.
+  # Extra system-wide /**/bin paths to prefix,
+  # useful to specify directories containing binaries with SUID bit set.
+  # The paths take higher precedence over the FHS system PATH specified
+  # inside the upstream source code.
+  # Include "/run/wrappers/bin" by default for the convenience of NixOS users.
+  systemBinPaths ? [ "/run/wrappers/bin" ],
   # Path to SUID-ed newuidmap executable
+  # Deprecated in favour of systemBinPaths
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
   newuidmapPath ? null,
   # Path to SUID-ed newgidmap executable
+  # Deprecated in favour of systemBinPaths
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
   newgidmapPath ? null,
   # External LOCALSTATEDIR
   externalLocalStateDir ? null,
@@ -99,18 +107,30 @@ in
   vendorHash ? _defaultGoVendorArgs.vendorHash,
   deleteVendor ? _defaultGoVendorArgs.deleteVendor,
   proxyVendor ? _defaultGoVendorArgs.proxyVendor,
-}:
+}@args:
 
 let
+  # Backward compatibility for privileged-un-utils.
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
   privileged-un-utils =
     if ((newuidmapPath == null) && (newgidmapPath == null)) then
       null
     else
-      (runCommandLocal "privileged-un-utils" { } ''
-        mkdir -p "$out/bin"
-        ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
-        ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
-      '');
+      lib.warn
+        "${pname}: arguments newuidmapPath and newgidmapPath is deprecated in favour of systemBinPaths."
+        (
+          runCommandLocal "privileged-un-utils" { } ''
+            mkdir -p "$out/bin"
+            ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+            ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+          ''
+        );
+
+  # Backward compatibility for privileged-un-utils.
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
+  systemBinPaths =
+    lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ])
+    ++ args.systemBinPaths or [ "/run/wrappers/bin" ];
 
   concatMapStringAttrsSep =
     sep: f: attrs:
@@ -196,8 +216,9 @@ in
   # causes redefinition of _FORTIFY_SOURCE
   hardeningDisable = [ "fortify3" ];
 
-  # Packages to prefix to the Apptainer/Singularity container runtime default PATH
-  # Use overrideAttrs to override
+  # Packages to provide fallback bin paths
+  # to the Apptainer/Singularity container runtime default PATHs.
+  # Override with `<pkg>.overrideAttrs`.
   defaultPathInputs = [
     bash
     coreutils
@@ -206,7 +227,6 @@ in
     fuse2fs # Mount ext3 filesystems
     go
     mount # mount
-    privileged-un-utils
     squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
     squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
   ] ++ lib.optional enableNvidiaContainerCli nvidia-docker;
@@ -228,7 +248,7 @@ in
             lib.concatStringsSep " " [
               "--replace-fail"
               (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
-              (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
+              (addShellDoubleQuotes ''$systemDefaultPath''${systemDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'')
             ]
           ) originalDefaultPaths
         }
@@ -267,8 +287,11 @@ in
   postFixup = ''
     substituteInPlace "$out/bin/run-singularity" \
       --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
+    # Respect PATH from the environment/the user.
+    # Fallback to bin paths provided by Nixpkgs packages.
     wrapProgram "$out/bin/${projectName}" \
-      --prefix PATH : "$inputsDefaultPath"
+      --suffix PATH : "$systemDefaultPath" \
+      --suffix PATH : "$inputsDefaultPath"
     # Make changes in the config file
     ${lib.optionalString forceNvcCli ''
       substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@@ -326,6 +349,7 @@ in
 }).overrideAttrs
   (
     finalAttrs: prevAttrs: {
+      systemDefaultPath = lib.concatStringsSep ":" systemBinPaths;
       inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
       passthru = prevAttrs.passthru or { } // {
         inherit sourceFilesWithDefaultPaths;
diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix
index f03bdf9631c56..6237db9cd6991 100644
--- a/pkgs/applications/virtualization/singularity/packages.nix
+++ b/pkgs/applications/virtualization/singularity/packages.nix
@@ -9,14 +9,14 @@ let
     callPackage
       (import ./generic.nix rec {
         pname = "apptainer";
-        version = "1.3.2";
+        version = "1.3.3";
         projectName = "apptainer";
 
         src = fetchFromGitHub {
           owner = "apptainer";
           repo = "apptainer";
           rev = "refs/tags/v${version}";
-          hash = "sha256-NseigaPmRKDsBk8v7RpYf+uoEGvQHVnqOMO49kP0mQ8=";
+          hash = "sha256-xQZCQa9z1aJ2tVtxMlwcNhlm0EV/nn8OnbfaVZRm4JI=";
         };
 
         # Update by running
@@ -47,20 +47,20 @@ let
     callPackage
       (import ./generic.nix rec {
         pname = "singularity-ce";
-        version = "4.1.3";
+        version = "4.1.4";
         projectName = "singularity";
 
         src = fetchFromGitHub {
           owner = "sylabs";
           repo = "singularity";
           rev = "refs/tags/v${version}";
-          hash = "sha256-pR8zyMr23wcbDCXAysVEgGUDHkrfhLoVF3fjMLgZFYs=";
+          hash = "sha256-+qwPzgwfF6A1c/rmSM/5T2N9/wVeWhMoAthj3eSQmh8=";
         };
 
         # Update by running
         # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
         # at the root directory of the Nixpkgs repository
-        vendorHash = "sha256-332GFL04aE6B6vxgtJJH4TeI6YJCDBpCClJ3sc5gN3A=";
+        vendorHash = "sha256-dTqOSk8APLOsqwEiZ/IL8Zu1SR48MyEYPgRe6PC2nd8=";
 
         # Do not build conmon and squashfuse from the Git submodule sources,
         # Use Nixpkgs provided version
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-06 03:54:23 +0000