From a605719d1ac07a6afcaaccaf8dcee5034e3a103a Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 14 May 2025 18:01:38 +0000
Subject: [PATCH] import UBI crun-1.21-1.el10_0
---
.crun.metadata | 1 -
.gitignore | 2 +-
...t-tests-build-init-always-statically.patch | 43 -----
...-do-not-set-inheritable-capabilities.patch | 30 ----
...-do-not-set-inheritable-capabilities.patch | 31 ----
SPECS/crun.spec | 101 -----------
crun.spec | 165 ++++++++++++++++++
sources | 1 +
8 files changed, 167 insertions(+), 207 deletions(-)
delete mode 100644 .crun.metadata
delete mode 100644 SOURCES/0001-revert-tests-build-init-always-statically.patch
delete mode 100644 SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
delete mode 100644 SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
delete mode 100644 SPECS/crun.spec
create mode 100644 crun.spec
create mode 100644 sources
diff --git a/.crun.metadata b/.crun.metadata
deleted file mode 100644
index 8265173..0000000
--- a/.crun.metadata
+++ /dev/null
@@ -1 +0,0 @@
-c79a414d0b980611ba929a7526b7b4c30c2b3b1d SOURCES/crun-0.18.tar.gz
diff --git a/.gitignore b/.gitignore
index 8a10d4c..707a1cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/crun-0.18.tar.gz
+crun-1.21.tar.zst
diff --git a/SOURCES/0001-revert-tests-build-init-always-statically.patch b/SOURCES/0001-revert-tests-build-init-always-statically.patch
deleted file mode 100644
index 6000c58..0000000
--- a/SOURCES/0001-revert-tests-build-init-always-statically.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 320a7ec41342c95fd6bdc500cd207eb0ea5cda6a Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano
-Date: Fri, 19 Feb 2021 13:25:37 +0100
-Subject: [PATCH] Revert "tests: build init always statically"
-
-This reverts commit a0f322a49a10a014a447b505eda5923a8e6aff7c as it
-causes issues on RHEL 8.
-
-Signed-off-by: Giuseppe Scrivano
----
- Makefile.am | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index e39dc3b..2b8e18b 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -14,7 +14,7 @@ srpm: dist-gzip rpm/crun.spec
- $(MAKE) -C $(WD) dist-gzip
- rpmbuild -bs --define "_sourcedir $(WD)" --define "_specdir $(WD)" --define "_builddir $(WD)" --define "_srcrpmdir $(WD)" --define "_rpmdir $(WD)" --define "_buildrootdir $(WD)/.build" rpm/crun.spec
-
--CLEANFILES = crun.spec tests/init
-+CLEANFILES = crun.spec
-
- lib_LTLIBRARIES = libcrun.la
-
-@@ -79,9 +79,9 @@ noinst_PROGRAMS = tests/init $(UNIT_TESTS)
-
- TESTS_LDADD = libcrun_testing.a $(FOUND_LIBS)
-
--tests/init: tests/init.c
-- $(CC) -static-libgcc --static -o $@ $<
--EXTRA_DIST += tests/init.c
-+tests_init_LDADD =
-+tests_init_LDFLAGS = -static-libgcc -all-static
-+tests_init_SOURCES = tests/init.c $(UNIT_TESTS)
-
- tests_tests_libcrun_utils_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src -I $(abs_top_builddir)/src -I $(abs_top_srcdir)/src
- tests_tests_libcrun_utils_SOURCES = tests/tests_libcrun_utils.c
---
-2.29.2
-
-
diff --git a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
deleted file mode 100644
index a873251..0000000
--- a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano
-Date: Mon, 28 Feb 2022 11:05:18 +0100
-Subject: [PATCH 1/2] spec: do not set inheritable capabilities
-
-Closes: CVE-2022-27650
-
-Signed-off-by: Giuseppe Scrivano
-(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
----
- src/libcrun/container.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/src/libcrun/container.c b/src/libcrun/container.c
-index d3fb017..1e3f3e6 100644
---- a/src/libcrun/container.c
-+++ b/src/libcrun/container.c
-@@ -128,9 +128,6 @@ static char spec_file[] = "\
- \"CAP_NET_BIND_SERVICE\"\n\
- ],\n\
- \"inheritable\": [\n\
-- \"CAP_AUDIT_WRITE\",\n\
-- \"CAP_KILL\",\n\
-- \"CAP_NET_BIND_SERVICE\"\n\
- ],\n\
- \"permitted\": [\n\
- \"CAP_AUDIT_WRITE\",\n\
---
-2.35.1
-
diff --git a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
deleted file mode 100644
index 3d8f390..0000000
--- a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano
-Date: Mon, 28 Feb 2022 11:06:50 +0100
-Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
-
-Closes: CVE-2022-27650
-
-Signed-off-by: Giuseppe Scrivano
-(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
----
- src/exec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/exec.c b/src/exec.c
-index bf6c05f..8c9862d 100644
---- a/src/exec.c
-+++ b/src/exec.c
-@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
- capabilities->effective = exec_options.cap;
- capabilities->effective_len = exec_options.cap_size;
-
-- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
-- capabilities->inheritable_len = exec_options.cap_size;
-+ capabilities->inheritable = NULL;
-+ capabilities->inheritable_len = 0;
-
- capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
- capabilities->bounding_len = exec_options.cap_size;
---
-2.35.1
-
diff --git a/SPECS/crun.spec b/SPECS/crun.spec
deleted file mode 100644
index 7505ee9..0000000
--- a/SPECS/crun.spec
+++ /dev/null
@@ -1,101 +0,0 @@
-Summary: OCI runtime written in C
-Name: crun
-Version: 0.18
-Release: 3%{?dist}
-Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch0: 0001-revert-tests-build-init-always-statically.patch
-Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
-Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
-License: GPLv2+
-URL: https://github.com/containers/crun
-# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
-ExclusiveArch: %{go_arches}
-# We always run autogen.sh
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: gcc
-BuildRequires: python3
-BuildRequires: git
-BuildRequires: libcap-devel
-BuildRequires: systemd-devel
-BuildRequires: yajl-devel
-BuildRequires: libseccomp-devel
-BuildRequires: libselinux-devel
-BuildRequires: python3-libmount
-BuildRequires: libtool
-BuildRequires: go-md2man
-Provides: oci-runtime = 2
-
-%description
-crun is a runtime for running OCI containers
-
-%prep
-%autosetup -Sgit -n %{name}-%{version}
-
-%build
-export CFLAGS="%{optflags} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
-./autogen.sh
-%configure --disable-silent-rules
-
-%make_build
-
-%install
-%make_install
-rm -rf $RPM_BUILD_ROOT/usr/lib*
-
-%files
-%license COPYING
-%{_bindir}/%{name}
-%{_mandir}/man1/*
-
-%changelog
-* Tue Apr 05 2022 Jindrich Novy - 0.18-3
-- fix CVE-2022-27650
-- Related: #2061390
-
-* Fri Feb 19 2021 Jindrich Novy - 0.18-2
-- allow to build without glibc-static (thanks to Giuseppe Scrivano)
-- Related: #1883490
-
-* Fri Feb 19 2021 Jindrich Novy - 0.18-1
-- update to https://github.com/containers/crun/releases/tag/0.18
-- Related: #1883490
-
-* Fri Jan 22 2021 Jindrich Novy - 0.17-1
-- update to https://github.com/containers/crun/releases/tag/0.17
-- Related: #1883490
-
-* Thu Dec 03 2020 Jindrich Novy - 0.16-2
-- exclude i686 because of build failures
-- Related: #1883490
-
-* Wed Nov 25 2020 Jindrich
Novy - 0.16-1
-- update to https://github.com/containers/crun/releases/tag/0.16
-- Related: #1883490
-
-* Wed Nov 04 2020 Jindrich Novy - 0.15.1-1
-- update to https://github.com/containers/crun/releases/tag/0.15.1
-- Related: #1883490
-
-* Thu Oct 29 2020 Jindrich Novy - 0.15-2
-- synchronize with stream-container-tools-rhel8
-- Related: #1883490
-
-* Wed Oct 21 2020 Jindrich Novy - 0.15-1
-- synchronize with stream-container-tools-rhel8
-- Related: #1883490
-
-* Tue Aug 11 2020 Jindrich Novy - 0.14.1-2
-- use proper CFLAGS
-- Related: #1821193
-
-* Wed Jul 08 2020 Jindrich Novy - 0.14.1-1
-- update to https://github.com/containers/crun/releases/tag/v0.14.1
-- Related: #1821193
-
-* Thu Jul 02 2020 Jindrich Novy - 0.14-1
-- update to https://github.com/containers/crun/releases/tag/v0.14
-- Related: #1821193
-
-* Tue Jun 16 2020 Giuseppe Scrivano - 0.13-1
-- initial import
diff --git a/crun.spec b/crun.spec
new file mode 100644
index 0000000..df8492e
--- /dev/null
+++ b/crun.spec
@@ -0,0 +1,165 @@
+%global krun_opts %{nil}
+%global wasmedge_opts %{nil}
+%global yajl_opts %{nil}
+
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+
+# krun and wasm support only on aarch64 and x86_64
+%ifarch aarch64 || x86_64
+
+# Disable wasmedge on rhel 10 until EPEL10 is in place, otherwise it causes
+# build issues on copr
+%if %{defined fedora} || (%{defined copr_build} && %{defined rhel} && 0%{?rhel} < 10)
+%global wasm_support 1
+%global wasmedge_support 1
+%global wasmedge_opts --with-wasmedge
+%endif
+
+# krun only exists on fedora
+%if %{defined fedora}
+%global krun_support 1
+%global krun_opts --with-libkrun
+%endif
+
+%endif
+
+%if %{defined fedora} || (%{defined rhel} && 0%{?rhel} < 10)
+%global system_yajl 1
+%else
+%global yajl_opts --enable-embedded-yajl
+%endif
+
+Summary: OCI runtime written in C
+Name: crun
+%if %{defined copr_build}
+Epoch: 102
+%endif
+# DO NOT TOUCH the Version string!
+# The TRUE source of this specfile is:
+# https://github.com/containers/crun/blob/main/rpm/crun.spec
+# If that's what you're reading, Version must be 0, and will be updated by Packit for
+# copr and koji builds.
+# If you're reading this on dist-git, the version is automatically filled in by Packit.
+Version: 1.21
+Release: 1%{?dist}
+URL: https://github.com/containers/%{name}
+Source0: %{url}/releases/download/%{version}/%{name}-%{version}.tar.zst
+License: GPL-2.0-only
+%if %{defined golang_arches_future}
+ExclusiveArch: %{golang_arches_future}
+%else
+ExclusiveArch: aarch64 ppc64le riscv64 s390x x86_64
+%endif
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: git-core
+BuildRequires: gperf
+BuildRequires: libcap-devel
+%if %{defined krun_support}
+BuildRequires: libkrun-devel
+%endif
+BuildRequires: systemd-devel
+%if %{defined system_yajl}
+BuildRequires: yajl-devel
+%endif
+BuildRequires: libseccomp-devel
+BuildRequires: python3-libmount
+BuildRequires: libtool
+BuildRequires: protobuf-c-devel
+%ifnarch riscv64
+BuildRequires: criu-devel >= 3.17.1-2
+Recommends: criu >= 3.17.1
+Recommends: criu-libs
+%endif
+%if %{defined wasmedge_support}
+BuildRequires: wasmedge-devel
+%endif
+BuildRequires: python
+Provides: oci-runtime
+
+%description
+%{name} is a OCI runtime
+
+%if %{defined krun_support}
+%package krun
+Summary: %{name} with libkrun support
+Requires: libkrun
+Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
+Provides: krun = %{?epoch:%{epoch}:}%{version}-%{release}
+
+%description krun
+krun is a symlink to the %{name} binary, with libkrun as an additional dependency.
+%endif
+
+%if %{defined wasm_support}
+%package wasm
+Summary: %{name} with wasm support
+Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
+# wasm packages are not present on RHEL yet and are currently a PITA to test
+# Best to only include wasmedge as weak dep on rhel
+%if %{defined fedora}
+Requires: wasm-library
+%endif
+Recommends: wasmedge
+
+%description wasm
+%{name}-wasm is a symlink to the %{name} binary, with wasm as an additional dependency.
+%endif
+
+%prep
+%autosetup -Sgit -n %{name}-%{version}
+
+%build
+./autogen.sh
+./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts}
+%make_build
+
+%install
+%make_install prefix=%{_prefix}
+rm -rf %{buildroot}%{_prefix}/lib*
+
+%files
+%license COPYING
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}.1.gz
+
+%if %{defined krun_support}
+%files krun
+%license COPYING
+%{_bindir}/krun
+%{_mandir}/man1/krun.1.gz
+%endif
+
+%if %{defined wasm_support}
+%files wasm
+%license COPYING
+%{_bindir}/%{name}-wasm
+%endif
+
+%changelog
+* Fri Mar 28 2025 Jindrich Novy - 1.21-1
+- update to https://github.com/containers/crun/releases/tag/1.21
+- Resolves: RHEL-84959
+
+* Tue Mar 18 2025 Jindrich Novy - 1.20-2
+- fix gating.yaml and remove useless files
+- Resolves: RHEL-83933
+
+* Wed Feb 05 2025 Jindrich Novy - 1.20-1
+- update to https://github.com/containers/crun/releases/tag/1.20
+- Related: RHEL-58990
+
+* Thu Jan 02 2025 Jindrich Novy - 1.19.1-1
+- update to https://github.com/containers/crun/releases/tag/1.19.1
+- Related: RHEL-58990
+
+* Mon Dec 09 2024 Jindrich Novy - 1.19-1
+- update to https://github.com/containers/crun/releases/tag/1.19
+- Related: RHEL-58990
+
+* Mon Nov 25 2024 Jindrich Novy - 1.18.2-1
+- update to https://github.com/containers/crun/releases/tag/1.18.2
+- Related: RHEL-58992
diff --git a/sources b/sources
new file mode 100644
index 0000000..0bdcdb2
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (crun-1.21.tar.zst) = 022bb56dbf20eb7c479b76a92fc55c69b219e36233ee7e588eb883afd092fb4aaeca842e64d83e53bbb08bd09f635d582a86824950971842b73921d1ce134bd1
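Review bot: In the new crun.spec, `%build` calls `./configure --disable-silent-rules ...` directly rather than `%configure`, and the `export CFLAGS="%{optflags} ..."` line from the removed spec is gone. The distribution's hardening compiler and linker flags therefore reach this container runtime only if the build environment exports them on its own, which depends on macros not visible in this patch. If that is not guaranteed on every target, add `%set_build_flags` before `./autogen.sh`, or go back to `%configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts}`. Separately, the import drops Patch1 and Patch2 for CVE-2022-27650 without a changelog entry saying why. It is worth confirming that the 1.21 tarball contains upstream commits b847d146d496c9d7beba166fd595488e85488562 and 1aeeed2e4fdeffb4875c0d0b439915894594c8c6, and recording that in a spec comment.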