From 83e4dab508ce77ea454930b369d5b0ab4a7645d5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 02:45:30 -0400
Subject: [PATCH] import osbuild-27.2-1.el8
---
 .gitignore | 2 +-
 .osbuild.metadata | 2 +-
 SOURCES/no-floats-in-sources.patch | 53 ------------
 ...nux-allow-nnp-and-nosuid-transitions.patch | 82 ------------------
 SPECS/osbuild.spec | 84 ++++++++++++++++---
 5 files changed, 74 insertions(+), 149 deletions(-)
 delete mode 100644 SOURCES/no-floats-in-sources.patch
 delete mode 100644 SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
diff --git a/.gitignore b/.gitignore
index ec1812a..7c5ba62 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/osbuild-18.tar.gz
+SOURCES/osbuild-27.2.tar.gz
diff --git a/.osbuild.metadata b/.osbuild.metadata
index ca68f10..20d45b7 100644
--- a/.osbuild.metadata
+++ b/.osbuild.metadata
@@ -1 +1 @@
-9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz
+781efd5f4d96e25059c002a7e998429b9d682d03 SOURCES/osbuild-27.2.tar.gz
diff --git a/SOURCES/no-floats-in-sources.patch b/SOURCES/no-floats-in-sources.patch
deleted file mode 100644
index 61ce923..0000000
--- a/SOURCES/no-floats-in-sources.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -From 7b0db90c76c6b0de6a4d481e63450e8f0d1a1d9d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Budai?= -Date: Thu, 25 Jun 2020 09:56:30 +0200 -Subject: [PATCH] sources/files: do not pass floats to --max-time - -curl uses strtod from the C standard library to convert the --max-time's value -from string to double. However, this is what strtod expects: - -nonempty sequence of decimal digits optionally containing decimal-point -character (as determined by the current C locale) - -Yeah, unfortunately, the decimal-point character is determined by the current -C locale. For example, Czech and German locale uses a comma as the -decimal-point character. - -For reasons I don't fully understand, Python thinks it's running on en_US -locale, even though LC_NUMERIC is set to cs_CZ, so it uses a full stop as the -decimal-point character when converting float to string. However, as written -before, curl fails to parse this because it expects comma. - -The fix I chose is simple: Use math.ceil, so only an integer can be passed to -curl. Why ceil? Because --max-time == 0 sounds fishy. math.ceil should return -an integer (and it does in Python 3.8) but the documentation is not 100% clear -on this topic, so let's be paranoid and also convert it to int after the -ceiling. ---- - sources/org.osbuild.files | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sources/org.osbuild.files b/sources/org.osbuild.files -index 42ff6ca..13ce9b8 100755 ---- a/sources/org.osbuild.files -+++ b/sources/org.osbuild.files -@@ -17,6 +17,7 @@ import concurrent.futures - import glob - import itertools - import json -+import math - import os - import subprocess - import sys -@@ -102,7 +103,7 @@ def fetch(url, checksum, directory): - curl_command = [ - "curl", - "--silent", -- "--max-time", f"{300 - elapsed_time}", -+ "--max-time", f"{int(math.ceil(300 - elapsed_time))}", - "--connect-timeout", "60", - "--fail", - "--location", --- -2.26.2 - 
diff --git a/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch b/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch deleted file mode 100644 index cda2234..0000000 --- a/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001 -From: Christian Kellner -Date: Sun, 9 Aug 2020 13:09:06 +0200 -Subject: [PATCH] selinux: allow nnp and nosuid transitions - -Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition -into setfiles_mac_t and install_t. nnp is a inheritable per-thread -flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made -by execve(2) to not grant any new privileges that could not have -been done without the execv call. This is on contrast to what can -be done via SELinux rules, i.e. in our case `setfiles_mac_t` and -`install_t` can set arbitrary SELinux labels, but `osbuild_t` -itself can not; but `osbuild_t` enables the transitioning of -`setfiles_mac_t` for the `setfiles` binary via execve(2) from a -process with `osbuild_t`. Related, the nosuid mount flag, prevents -the suid, sgid bits to be interpreted and thus are in the same -spirit as nnp, i.e. no new privs during execve(2). - -Thus SELinux domain transitions stand in contrast with nnp and -nosuid transitions, and have therefore been de-coupled. See also -the corresponding kernel patch at [1] for more information. - -bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the -nnp flag, as well as the nosuid option for all bind-mounts. Since -we no use bwrap to contain processes we need to allow the nnp and -nosuid transitions from `osbuild_t` to `setfiles_mac_t` and -`install_t`. 
- -[1] https://patchwork.kernel.org/patch/9841441/ ---- - selinux/osbuild.if | 19 +++++++++++++++++++ - selinux/osbuild.te | 2 ++ - 2 files changed, 21 insertions(+) - -diff --git a/selinux/osbuild.if b/selinux/osbuild.if -index 815c691..48d099f 100644 ---- a/selinux/osbuild.if -+++ b/selinux/osbuild.if -@@ -93,3 +93,22 @@ interface(`osbuild_role',` - ps_process_pattern($2, osbuild_t) - allow $2 osbuild_t:process { signull signal sigkill }; - ') -+ -+######################################## -+## -+## osbuild nnp / nosuid transitions to domain -+## -+## -+## -+## Domain to be allowed to transition into. -+## -+## -+# -+interface(`osbuild_nnp_nosuid_trans',` -+ gen_require(` -+ type osbuild_t; -+ class process2 { nnp_transition nosuid_transition }; -+ ') -+ -+ allow osbuild_t $1:process2 {nnp_transition nosuid_transition}; -+') -diff --git a/selinux/osbuild.te b/selinux/osbuild.te -index 1a5f98d..e4a0c7d 100644 ---- a/selinux/osbuild.te -+++ b/selinux/osbuild.te -@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t) - # execute setfiles in the setfiles_mac domain - # when in the osbuild_t domain - seutil_domtrans_setfiles_mac(osbuild_t) -+osbuild_nnp_nosuid_trans(setfiles_mac_t) - - # Allow sysadm and unconfined to run osbuild - optional_policy(` -@@ -63,4 +64,5 @@ optional_policy(` - # allow transitioning to install_t (for ostree) - optional_policy(` - anaconda_domtrans_install(osbuild_t) -+ osbuild_nnp_nosuid_trans(install_t) - ') --- -2.26.2 - diff --git a/SPECS/osbuild.spec b/SPECS/osbuild.spec index aef3b68..642005a 100644 --- a/SPECS/osbuild.spec +++ b/SPECS/osbuild.spec @@ -1,7 +1,7 @@ %global forgeurl https://github.com/osbuild/osbuild %global selinuxtype targeted -Version: 18 +Version: 27.2 %forgemeta 
@@ -9,14 +9,12 @@ Version: 18
 %global pkgdir %{_prefix}/lib/%{pypi_name}
 Name: %{pypi_name}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: ASL 2.0
 URL: %{forgeurl}
 Source0: %{forgesource}
-Patch0: no-floats-in-sources.patch
-Patch1: selinux-allow-nnp-and-nosuid-transitions.patch
 BuildArch: noarch
 Summary: A build system for OS images
@@ -25,6 +23,7 @@ BuildRequires: python3-devel
 BuildRequires: python3-docutils
 Requires: bash
+Requires: bubblewrap
 Requires: coreutils
 Requires: curl
 Requires: dnf
@@ -33,20 +32,34 @@ Requires: glibc
 Requires: policycoreutils
 Requires: qemu-img
 Requires: systemd
-Requires: systemd-container
 Requires: tar
 Requires: util-linux
 Requires: python3-%{pypi_name} = %{version}-%{release}
 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-# Turn off dependency generators for assemblers, runners and stages.
-# They run in a container, so there's no reason to generate dependencies
-# from them. As of 2020-03-25 this filters out python3.6 dependency generated
-# by rhel runner.
-%global __requires_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
+# Turn off dependency generators for runners. The reason is that runners are
+# tailored to the platform, e.g. on RHEL they are using platform-python. We
+# don't want to pick up those dependencies on other platform.
+%global __requires_exclude_from ^%{pkgdir}/(runners)/.*$
+
+# Turn off shebang mangling on RHEL. brp-mangle-shebangs (from package
+# redhat-rpm-config) is run on all executables in a package after the `install`
+# section runs. The below macro turns this behavior off for:
+# - runners, because they already have the correct shebang for the platform
+# they're meant for, and
+# - stages and assemblers, because they are run within osbuild build roots,
+# which are not required to contain the same OS as the host and might thus
+# have a different notion of "platform-python".
+# RHEL NB: Since assemblers and stages are not excluded from the dependency
+# generator, this also means that an additional dependency on /usr/bin/python3
+# will be added. This is intended and needed, so that in the host build root
+# /usr/bin/python3 is present so stages and assemblers can be run.
+%global __brp_mangle_shebangs_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
+
 %{?python_enable_dependency_generator}
+
 %description
 A build system for OS images
@@ -81,8 +94,6 @@ containers it uses to build OS artifacts.
 %prep
 %forgesetup
-%patch0 -p1
-%patch1 -p1
 %build
 %py3_build
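Review bot: The rewritten `__requires_exclude_from` pattern keeps a single-member alternation group, `^%{pkgdir}/(runners)/.*$`, which is a leftover of the old three-way `(assemblers|runners|stages)` form; `^%{pkgdir}/runners/.*$` expresses the same filter without suggesting that more entries are expected. The comment above it also reads "on other platform" where "on other platforms" is meant. Both are in the first hunk of this line; the second hunk (removal of `%patch0`/`%patch1`) is fine given that both patch files are deleted earlier in this diff.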
@@ -110,6 +121,9 @@ install -p -m 0755 $(find runners -type f -or -type l) %{buildroot}%{pkgdir}/run
 mkdir -p %{buildroot}%{pkgdir}/sources
 install -p -m 0755 $(find sources -type f) %{buildroot}%{pkgdir}/sources
+mkdir -p %{buildroot}%{pkgdir}/inputs
+install -p -m 0755 $(find inputs -type f) %{buildroot}%{pkgdir}/inputs
+
 # mount point for bind mounting the osbuild library
 mkdir -p %{buildroot}%{pkgdir}/osbuild
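Review bot: The new `install` line for inputs copies regular files only (`-type f`), while the runners line shown in the hunk header also passes `-or -type l`; if the 27.2 tarball ships any symlinked input module it would be silently left out of the package, which is worth confirming against the upstream tree. The `%files` section that has to list `%{pkgdir}/inputs` lies outside this hunk, so whether the new directory is actually packaged (rather than tripping the unpackaged-files check) cannot be verified here. Installing every input with mode 0755 mirrors the sources line directly above and is presumably intentional, since these modules are executed by osbuild.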
@@ -176,6 +190,52 @@ fi
 %changelog
+* Thu Apr 8 2021 Christian Kellner - 27.2-1
+- Upstream release 27.2.
+- Support for explicitly selecting the qcow2 version.
+
+* Thu Apr 1 2021 Achilleas Koutsou - 27.1-1
+- Upstream release 27.1
+- Bug fixes related to OCI archive generation.
+
+* Tue Mar 16 2021 Christian Kellner - 27-1
+- Upstream release 27
+- Various bug fixes related to the new container and installer
+ stages introdcued in version 25 and 26.
+
+* Fri Feb 19 2021 Christian Kellner - 26-1
+- Upstream release 26
+- Includes the necessary stages to build boot isos.
+
+* Fri Feb 12 2021 Christian Kellner - 25-1
+- Upstream 25 release
+- First tech preview of the new manifest format. Includes
+ various new stages and inputs to be able to build ostree
+ commits contained in a oci archive.
+
+* Thu Jan 28 2021 Christian Kellner - 24-1
+- Upstream 24 release
+- Include new `Input` modules.
+
+* Mon Nov 23 2020 Christian Kellner - 23-3
+- only disable the dep. generator for runners, remove explicity
+ python3 requirement again. The dependency should be picked up
+ via the dependency generator now.
+
+* Fri Nov 13 2020 Christian Kellner - 23-2
+- Explicilty require python3. See the comment above the Requires
+ for an explanation why this is needed.
+
+* Fri Oct 23 2020 Christian Kellner - 23-1
+- Upstream release 23
+- Do not mangle shebangs for assemblers, runners & stages.
+
+* Wed Oct 14 2020 Christian Kellner - 22-1
+- Upstream release 22
+- Remove all patches since they are all in osbuild-22.
+- bubblewrap replaced systemd-nspawn for sandboxing; change the
+ requirements accordingly.
+
 * Thu Aug 13 2020 Christian Kellner - 18-3
 - Add patch to allow nnp and nosuid domain transitions https://github.com/osbuild/osbuild/pull/495