containers-common-0.62.0-1.el10

- update vendored components - Related: RHEL-58990 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2025-02-13 11:25:27 +01:00 · 2025-02-13 11:25:27 +01:00 · 077bdb62c6
commit 077bdb62c6
parent 96af70841e
7 changed files with 73 additions and 5 deletions
--- a/containers-common.spec
+++ b/containers-common.spec
@ -7,17 +7,17 @@
 # Packit will automatically update the image and storage versions on Fedora and
 # CentOS Stream dist-git PRs.
 %global skopeo_branch main
-%global image_branch v5.33.0
-%global storage_branch v1.56.0
+%global image_branch v5.34.0
+%global storage_branch v1.57.1
 %global shortnames_branch main
-%global common_branch v0.61.0
+%global common_branch v0.62.0

 %global common_version %(v=%{common_branch}; echo ${v:1})

 Name: containers-common
 Epoch: 5
 Version: %{common_version}
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: Apache-2.0
 BuildArch: noarch
 # for BuildRequires: go-md2man
@ -200,6 +200,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %files extra

 %changelog
+* Thu Feb 13 2025 Jindrich Novy <jnovy@redhat.com> - 5:0.62.0-1
+- update vendored components
+- Related: RHEL-58990
+
 * Thu Feb 06 2025 Jindrich Novy <jnovy@redhat.com> - 5:0.61.0-5
 - Be sure log-driver is the podman default, not k8s-file
 - Resolves: RHEL-78154
--- a/containers-storage.conf.5.md
+++ b/containers-storage.conf.5.md
@ -124,6 +124,27 @@ The `storage.options.pull_options` table supports the following keys:
  It is an expensive operation so it is not enabled by default.
  This is a "string bool": "false"|"true" (cannot be native TOML boolean)

+**insecure_allow_unpredictable_image_contents="false"|"true"**
+  This should _almost never_ be set.
+  It allows partial pulls of images without guaranteeing that "partial
+  pulls" and non-partial pulls both result in consistent image contents.
+  This allows pulling estargz images and early versions of zstd:chunked images;
+  otherwise, these layers always use the traditional non-partial pull path.
+
+  This option should be enabled _extremely_ rarely, only if _all_ images that could
+  EVER be conceivably pulled on this system are _guaranteed_ (e.g. using a signature policy)
+  to come from a build system trusted to never attack image integrity.
+
+  If this consistency enforcement were disabled, malicious images could be built
+  in a way designed to evade other audit mechanisms, so presence of most other audit
+  mechanisms is not a replacement for the above-mentioned need for all images to come
+  from a trusted build system.
+
+  As a side effect, enabling this option will also make image IDs unpredictable
+  (usually not equal to the traditional value matching the config digest).
+
+  This is a "string bool": "false"|"true" (cannot be native TOML boolean)
+
 ### STORAGE OPTIONS FOR AUFS TABLE

 The `storage.options.aufs` table supports the following options:
--- a/containers-transports.5.md
+++ b/containers-transports.5.md
@ -71,13 +71,15 @@ An image stored in the docker daemon's internal storage.
 The image must be specified as a _docker-reference_ or in an alternative _algo_`:`_digest_ format when being used as an image source.
 The _algo_`:`_digest_ refers to the image ID reported by docker-inspect(1).

-### **oci:**_path_[`:`_reference_]
+### **oci:**_path_[`:`{_reference_|`@`_source-index_}]

 An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_.

 The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
 The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
 If _reference_ is not specified when reading an image, the directory must contain exactly one image.
+For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images).
+If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image.

 ### **oci-archive:**_path_[`:`_reference_]

--- a/containers.conf
+++ b/containers.conf
@ -58,6 +58,14 @@
 #
 #cgroups = "enabled"

+# When no hostname is set for a container, use the container's name, with
+# characters not valid for a hostname removed, as the hostname instead of
+# the first 12 characters of the container's ID. Containers not running
+# in a private UTS namespace will have their hostname set to the host's
+# hostname regardless of this setting.
+#
+#container_name_as_hostname = false
+
 # List of default capabilities for containers. If it is empty or commented out,
 # the default capabilities defined in the container engine will be added.
 #
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
@ -124,6 +124,16 @@ Options are:
 `private` Create private Cgroup Namespace for the container.
 `host`    Share host Cgroup Namespace with the container.

+**container_name_as_hostname**=true|false
+
+When no hostname is set for a container, use the container's name, with
+characters not valid for a hostname removed, as the hostname instead of
+the first 12 characters of the container's ID. Containers not running
+in a private UTS namespace will have their hostname set to the host's
+hostname regardless of this setting.
+
+Default is false.
+
 **default_capabilities**=[]

 List of default capabilities for containers.
--- a/shortnames.conf
+++ b/shortnames.conf
@ -62,9 +62,13 @@
  "sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "sles12sp3" = "registry.suse.com/suse/sles12sp3"
+  "bci-base" = "registry.suse.com/bci/bci-base"
  "bci/bci-base" = "registry.suse.com/bci/bci-base"
+  "bci-micro" = "registry.suse.com/bci/bci-micro"
  "bci/bci-micro" = "registry.suse.com/bci/bci-micro"
+  "bci-minimal" = "registry.suse.com/bci/bci-minimal"
  "bci/bci-minimal" = "registry.suse.com/bci/bci-minimal"
+  "bci-busybox" = "registry.suse.com/bci/bci-busybox"
  "bci/bci-busybox" = "registry.suse.com/bci/bci-busybox"
  # Red Hat Enterprise Linux
  "rhel" = "registry.access.redhat.com/rhel"
--- a/storage.conf
+++ b/storage.conf
@ -80,6 +80,25 @@ additionalimagestores = [
 # This is a "string bool": "false" | "true" (cannot be native TOML boolean)
 # convert_images = "false"

+# This should ALMOST NEVER be set.
+# It allows partial pulls of images without guaranteeing that "partial
+# pulls" and non-partial pulls both result in consistent image contents.
+# This allows pulling estargz images and early versions of zstd:chunked images;
+# otherwise, these layers always use the traditional non-partial pull path.
+#
+# This option should be enabled EXTREMELY rarely, only if ALL images that could
+# EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy)
+# to come from a build system trusted to never attack image integrity.
+#
+# If this consistency enforcement were disabled, malicious images could be built
+# in a way designed to evade other audit mechanisms, so presence of most other audit
+# mechanisms is not a replacement for the above-mentioned need for all images to come
+# from a trusted build system.
+#
+# As a side effect, enabling this option will also make image IDs unpredictable
+# (usually not equal to the traditional value matching the config digest).
+# insecure_allow_unpredictable_image_contents = "false"
+
 # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
 # ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
 # to containers configured to create automatically a user namespace.  Containers