From 50ae100df6542c3c36aedf3bc0403cc06239bcd9 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 14 May 2025 18:52:45 +0000
Subject: [PATCH] import UBI podman-5.4.0-9.el10_0
---
.gitignore | 3 +-
.podman.metadata | 2 -
...-drop-all-caps-in-exec-when-non-root.patch | 31 -
SOURCES/podman-1882267.patch | 23 -
SOURCES/podman-CVE-2020-10696.patch | 48 --
SOURCES/podman-CVE-2021-20188.patch | 319 -----------
SPECS/podman.spec | 540 ------------------
podman.spec | 476 +++++++++++++++
sources | 1 +
9 files changed, 478 insertions(+), 965 deletions(-)
delete mode 100644 .podman.metadata
delete mode 100644 SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch
delete mode 100644 SOURCES/podman-1882267.patch
delete mode 100644 SOURCES/podman-CVE-2020-10696.patch
delete mode 100644 SOURCES/podman-CVE-2021-20188.patch
delete mode 100644 SPECS/podman.spec
create mode 100644 podman.spec
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index 8960372..0cf2540 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-SOURCES/cri-o-9b1f0a0.tar.gz
-SOURCES/libpod-921f98f.tar.gz
+v5.4-rhel-0ee1d49.tar.gz
diff --git a/.podman.metadata b/.podman.metadata
deleted file mode 100644
index ab33ce6..0000000
--- a/.podman.metadata
+++ /dev/null
@@ -1,2 +0,0 @@
-b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
-14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz
diff --git a/SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch b/SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch
deleted file mode 100644
index 52c7cdb..0000000
--- a/SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
-From: Matthew Heon
-Date: Fri, 19 Feb 2021 11:34:39 -0500
-Subject: [PATCH] Only drop all caps in exec when non-root
-
-We were dropping too many capabilities otherwise, which broke
-some critical system tools (e.g. useradd) in exec sessions.
-
-Fix RHBZ#1930552
-
-Signed-off-by: Matthew Heon
----
- libpod/oci_conmon_linux.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
-index d5973a1a6..18ede031e 100644
---- a/libpod/oci.go
-+++ b/libpod/oci.go
-@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
- pspec.Capabilities.Effective = []string{}
- if privileged {
- pspec.Capabilities.Bounding = allCaps
-- } else {
-+ } else if execUser.Uid != 0 {
- pspec.Capabilities.Bounding = []string{}
- }
- pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
---
-2.29.2
-
diff --git a/SOURCES/podman-1882267.patch b/SOURCES/podman-1882267.patch
deleted file mode 100644
index f0fd7b0..0000000
--- a/SOURCES/podman-1882267.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
-From: Matthew Heon
-Date: Thu, 24 Sep 2020 10:42:13 -0400
-Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
-
-Signed-off-by: Matthew Heon
----
- cmd/podman/sigproxy.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
-index 16861bad04..92d7f4e4a9 100644
---- a/cmd/podman/sigproxy.go
-+++ b/cmd/podman/sigproxy.go
-@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
- for s := range sigBuffer {
- // Ignore SIGCHLD and SIGPIPE - these are mostly likely
- // intended for the podman command itself.
-- if s == signal.SIGCHLD || s == signal.SIGPIPE {
-+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
- continue
- }
-
diff --git a/SOURCES/podman-CVE-2020-10696.patch b/SOURCES/podman-CVE-2020-10696.patch
deleted file mode 100644
index be12aca..0000000
--- a/SOURCES/podman-CVE-2020-10696.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
-From: TomSweeneyRedHat
-Date: Tue, 24 Mar 2020 20:10:22 -0400
-Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
-
-Stealing @nalind 's workaround to avoid refetching
-content after a file read failure. Under the right
-circumstances that could be a symlink to a file meant
-to overwrite a good file with bad data.
-
-Testing:
-```
-goodstuff
-
-[1] 14901
-
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-no FROM statement found
-
-goodstuff
-```
-
-Signed-off-by: TomSweeneyRedHat
----
- imagebuildah/util.go | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
---- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
-+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
-@@ -12,6 +12,7 @@ import (
-
- "github.com/containers/buildah"
- "github.com/containers/storage/pkg/chrootarchive"
-+ "github.com/containers/storage/pkg/ioutils"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- )
-@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
- }
- dockerfile := filepath.Join(dir, "Dockerfile")
- // Assume this is a Dockerfile
-- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
-+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
- return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
- }
- }
diff --git a/SOURCES/podman-CVE-2021-20188.patch b/SOURCES/podman-CVE-2021-20188.patch
deleted file mode 100644
index e2a6ea5..0000000
--- a/SOURCES/podman-CVE-2021-20188.patch
+++ /dev/null
@@ -1,319 +0,0 @@
-From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
-From: Matthew Heon
-Date: Mon, 25 Jan 2021 14:18:07 -0500
-Subject: [PATCH] Correct handling of capabilities
-
-Ensure that capabilities are properly handled for non-root users
-in privileged containers. We do not want to give full caps, but
-instead only CapInh and CapEff (others should be all-zeroes).
-
-Fixing `podman run` is easy - the same code as the Podman 1.6 fix
-works there. The `podman exec` command is far more challenging.
-Exec received a complete rewrite to use Conmon at some point
-before Podman 1.6, and gained many capabilities in the process.
-One of those was the ability to actually tweak the capabilities
-of the exec process - 1.0 did not have that. Since it was needed
-to resolve this CVE, I was forced to backport a large bit of the
-1.0 -> 1.6 exec changes (passing a Process block to the OCI
-runtime, and using `prepareProcessExec()` to prepare said block).
-I am honestly uncomfortable with the size and scope of this
-change but I don't see another way around this.
-
-Fixes CVE-2021-20188
-
-Signed-off-by: Matthew Heon
----
- libpod/container_api.go | 24 +------
- libpod/oci.go | 148 ++++++++++++++++++++++++++++++++--------
- pkg/spec/spec.go | 8 +++
- 3 files changed, 132 insertions(+), 48 deletions(-)
-
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
---- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig 2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go 2021-02-12 10:38:48.767172399 +0100
-@@ -2,7 +2,6 @@ package libpod
-
- import (
- "context"
-- "fmt"
- "io/ioutil"
- "os"
- "strconv"
-@@ -11,9 +10,7 @@ import (
-
- "github.com/containers/libpod/libpod/driver"
- "github.com/containers/libpod/pkg/inspect"
-- "github.com/containers/libpod/pkg/lookup"
- "github.com/containers/storage/pkg/stringid"
-- "github.com/docker/docker/daemon/caps"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- "k8s.io/apimachinery/pkg/util/wait"
-@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
- // TODO allow specifying streams to attach to
- // TODO investigate allowing exec without attaching
- func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
-- var capList []string
--
- locked := false
- if !c.batched {
- locked = true
-@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
- if conState != ContainerStateRunning {
- return errors.Errorf("cannot exec into container that is not running")
- }
-- if privileged || c.config.Privileged {
-- capList = caps.GetAllCapabilities()
-- }
-
-- // If user was set, look it up in the container to get a UID to use on
-- // the host
-- hostUser := ""
-- if user != "" {
-- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
-- if err != nil {
-- return err
-- }
--
-- // runc expects user formatted as uid:gid
-- hostUser =
fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
-- }
-+ isPrivileged := privileged || c.config.Privileged
-
- // Generate exec session ID
- // Ensure we don't conflict with an existing session ID
-@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
-
- logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
-
-- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
-+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
- if err != nil {
- return errors.Wrapf(err, "error exec %s", c.ID())
- }
-+ defer os.Remove(processFile)
- chWait := make(chan error)
- go func() {
- chWait <- execCmd.Wait()
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
---- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig 2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go 2021-02-12 10:38:48.768172416 +0100
-@@ -15,10 +15,12 @@ import (
- "syscall"
- "time"
-
-+ "github.com/containers/libpod/pkg/lookup"
- "github.com/containers/libpod/pkg/rootless"
- "github.com/containers/libpod/pkg/util"
- "github.com/coreos/go-systemd/activation"
- "github.com/cri-o/ocicni/pkg/ocicni"
-+ "github.com/docker/docker/daemon/caps"
- spec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/selinux/go-selinux"
- "github.com/opencontainers/selinux/go-selinux/label"
-@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
- // TODO: Add --detach support
- // TODO: Convert to use conmon
- // TODO: add --pid-file and use that to generate exec session tracking
--func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
-+func (r *OCIRuntime) execContainer(c *Container, cmd, env
[]string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
- if len(cmd) == 0 {
-- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
-+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
- }
-
- if sessionID == "" {
-- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
-+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
- }
-
- runtimeDir, err := util.GetRootlessRuntimeDir()
- if err != nil {
-- return nil, err
-+ return nil, "", err
-+ }
-+
-+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
-+ if err != nil {
-+ return nil, "", err
- }
-
- args := []string{}
-@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
-
- args = append(args, "exec")
-
-- if cwd != "" {
-- args = append(args, "--cwd", cwd)
-- }
-+ args = append(args, "--process", processFile)
-
- args = append(args, "--pid-file", c.execPidPath(sessionID))
-
-- if tty {
-- args = append(args, "--tty")
-- } else {
-- args = append(args, "--tty=false")
-- }
--
-- if user != "" {
-- args = append(args, "--user", user)
-- }
--
- if c.config.Spec.Process.NoNewPrivileges {
- args = append(args, "--no-new-privs")
- }
-
-- for _, cap := range capAdd {
-- args = append(args, "--cap", cap)
-- }
--
-- for _, envVar := range env {
-- args = append(args, "--env", envVar)
-- }
--
- // Append container ID and command
- args = append(args, c.ID())
- args = append(args, cmd...)
-@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
- execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
-
- if err := execCmd.Start(); err != nil {
-- return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
-+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
- }
-
-- return execCmd, nil
-+ return execCmd, processFile, nil
- }
-
- // execStopContainer stops all active exec sessions in a container
-@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
- args = append(args, ctr.ID())
- return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
- }
-+
-+// prepareProcessExec returns the path of the process.json used in runc exec -p.
-+// Returns path to the created exec process file. This will need to be removed
-+// by the caller when they're done, best effort.
-+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
-+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
-+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
-+ if err != nil {
-+ return "", err
-+ }
-+ defer f.Close()
-+
-+ pspec := c.config.Spec.Process
-+ pspec.SelinuxLabel = c.config.ProcessLabel
-+ pspec.Args = cmd
-+ // We need to default this to false else it will inherit terminal as true
-+ // from the container.
-+ pspec.Terminal = false
-+ if tty {
-+ pspec.Terminal = true
-+ }
-+ if len(env) > 0 {
-+ pspec.Env = append(pspec.Env, env...)
-+ }
-+
-+ if cwd != "" {
-+ pspec.Cwd = cwd
-+
-+ }
-+
-+ var addGroups []string
-+ var sgids []uint32
-+
-+ // if the user is empty, we should inherit the user that the container is currently running with
-+ if user == "" {
-+ user = c.config.User
-+ addGroups = c.config.Groups
-+ }
-+
-+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
-+ if err != nil {
-+ return "", err
-+ }
-+
-+ if len(addGroups) > 0 {
-+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
-+ if err != nil {
-+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
-+ }
-+ }
-+
-+ // If user was set, look it up in the container to get a UID to use on
-+ // the host
-+ if user != "" || len(sgids) > 0 {
-+ if user != "" {
-+ for _, sgid := range execUser.Sgids {
-+ sgids = append(sgids, uint32(sgid))
-+ }
-+ }
-+ processUser := spec.User{
-+ UID: uint32(execUser.Uid),
-+ GID: uint32(execUser.Gid),
-+ AdditionalGids: sgids,
-+ }
-+
-+ pspec.User = processUser
-+ }
-+
-+ allCaps := caps.GetAllCapabilities()
-+ pspec.Capabilities.Effective = []string{}
-+ if privileged {
-+ pspec.Capabilities.Bounding = allCaps
-+ } else {
-+ pspec.Capabilities.Bounding = []string{}
-+ }
-+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
-+ if execUser.Uid == 0 {
-+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
-+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
-+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
-+ } else {
-+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective
-+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective
-+ }
-+
-+ hasHomeSet := false
-+ for _, s := range pspec.Env {
-+ if strings.HasPrefix(s, "HOME=") {
-+ hasHomeSet = true
-+ break
-+ }
-+ }
-+ if !hasHomeSet {
-+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
-+ }
-+
-+ processJSON, err := json.Marshal(pspec)
-+ if err != nil {
-+ return "",
err
-+ }
-+
-+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
-+ return "", err
-+ }
-+
-+ return filename, nil
-+}
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
---- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig 2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go 2021-02-12 10:38:48.768172416 +0100
-@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
- }
- } else {
- g.SetupPrivileged(true)
-+ if config.User != "" {
-+ user := strings.SplitN(config.User, ":", 2)[0]
-+ if user != "root" && user != "0" {
-+ g.Spec().Process.Capabilities.Effective = []string{}
-+ g.Spec().Process.Capabilities.Permitted = []string{}
-+ g.Spec().Process.Capabilities.Ambient = []string{}
-+ }
-+ }
- }
-
- // HANDLE SECCOMP
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
deleted file mode 100644
index 9b397aa..0000000
--- a/SPECS/podman.spec
+++ /dev/null
@@ -1,540 +0,0 @@
-%global with_debug 1
-%global with_check 0
-
-%if 0%{?with_debug}
-%global _find_debuginfo_dwz_opts %{nil}
-%global _dwz_low_mem_die_limit 0
-%else
-%global debug_package %{nil}
-%endif
-
-%define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%define gogenerate go generate
-
-%if 0%{?rhel} > 7 || 0%{?fedora}
-%bcond_without varlink
-%else
-%bcond_with varlink
-%endif
-
-%global provider github
-%global provider_tld com
-%global project containers
-%global repo libpod
-# https://github.com/containers/libpod
-%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
-%global import_path %{provider_prefix}
-%global git_podman https://%{provider}.%{provider_tld}/%{project}/%{repo}
-%global commit 921f98f8795eb9fcb19ce581020cfdeff6dee09f
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
-
-%global import_path_conmon github.com/kubernetes-sigs/cri-o
-%global git_conmon https://%{import_path_conmon}
-%global commit_conmon 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2
-%global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7})
-
-Name: podman
-Version: 1.0.0
-Release: 8.git%{shortcommit}%{?dist}
-Summary: Manage Pods, Containers and Container Images
-License: ASL 2.0
-URL: %{git_podman}
-Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
-# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
-Patch0: podman-CVE-2020-10696.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882267
-# patch: https://github.com/mheon/libpod/commit/bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea.patch
-Patch1:
podman-1882267.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1918285
-Patch2: podman-CVE-2021-20188.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1930552
-Patch3: 0001-Only-drop-all-caps-in-exec-when-non-root.patch
-
-# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
-#ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-BuildRequires: device-mapper-devel
-BuildRequires: glib2-devel
-BuildRequires: glibc-devel
-BuildRequires: glibc-static
-BuildRequires: git
-BuildRequires: go-md2man
-BuildRequires: gpgme-devel
-BuildRequires: libassuan-devel
-BuildRequires: libgpg-error-devel
-BuildRequires: libseccomp-devel
-BuildRequires: libselinux-devel
-BuildRequires: ostree-devel
-BuildRequires: pkgconfig
-Requires: runc
-Requires: containers-common >= 0.1.29-3
-# can't use default conmon right now, so we ship our own
-#Requires: conmon
-Requires: containernetworking-plugins >= 0.7.3-5
-Requires: iptables
-Requires: nftables
-Requires: oci-systemd-hook
-Recommends: container-selinux
-Recommends: slirp4netns
-Recommends: fuse-overlayfs
-
-# vendored libraries
-# awk '{print "Provides: bundled(golang("$1")) = "$2}' vendor.conf | sort
-# [thanks to Carl George for containerd.spec]
-Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
-Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
-Provides: bundled(golang(github.com/boltdb/bolt)) = master
-Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3
-Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0
-Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b
-Provides:
bundled(golang(github.com/containerd/continuity)) = master
-Provides: bundled(golang(github.com/containernetworking/cni)) = v0.7.0-alpha1
-Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
-Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418
-Provides: bundled(golang(github.com/containers/psgo)) = 382fc951fe0a8aba62043862ce1a56f77524db87
-Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
-Provides: bundled(golang(github.com/coreos/go-systemd)) = v14
-Provides: bundled(golang(github.com/cri-o/ocicni)) = master
-Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1
-Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0
-Provides: bundled(golang(github.com/docker/distribution)) = 7a8efe719e55bbfaff7bc5718cdf0ed51ca821df
-Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00
-Provides: bundled(golang(github.com/docker/docker-credential-helpers)) = d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
-Provides: bundled(golang(github.com/docker/go-connections)) = 3ede32e2033de7505e6500d6c868c2b9ed9f169d
-Provides: bundled(golang(github.com/docker/go-units)) = v0.3.2
-Provides: bundled(golang(github.com/docker/libtrust)) = aabc10ec26b754e797f9028f4589c5b7bd90dc20
-Provides: bundled(golang(github.com/docker/spdystream)) = ed496381df8283605c435b86d4fdd6f4f20b8c6e
-Provides: bundled(golang(github.com/fatih/camelcase)) = f6a740d52f961c60348ebb109adde9f4635d7540
-Provides: bundled(golang(github.com/fsnotify/fsnotify)) = 7d7316ed6e1ed2de075aab8dfc76de5d158d66e1
-Provides: bundled(golang(github.com/fsouza/go-dockerclient)) = master
-Provides: bundled(golang(github.com/ghodss/yaml)) = 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
-Provides: bundled(golang(github.com/godbus/dbus)) = a389bdde4dd695d414e47b755e95e72b7826432c
-Provides: bundled(golang(github.com/gogo/protobuf)) =
c0656edd0d9eab7c66d1eb0c568f9039345796f7
-Provides: bundled(golang(github.com/golang/glog)) = 23def4e6c14b4da8ac2ed8007337bc5eb5007998
-Provides: bundled(golang(github.com/golang/groupcache)) = b710c8433bd175204919eb38776e944233235d03
-Provides: bundled(golang(github.com/golang/protobuf)) = 4bd1920723d7b7c925de087aa32e2187708897f7
-Provides: bundled(golang(github.com/googleapis/gnostic)) = 0c5108395e2debce0d731cf0287ddf7242066aba
-Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c
-Provides: bundled(golang(github.com/gorilla/context)) = v1.1
-Provides: bundled(golang(github.com/gorilla/mux)) = v1.3.0
-Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55
-Provides: bundled(golang(github.com/hashicorp/golang-lru)) = 0a025b7e63adc15a622f29b0b2c4c3848243bbf6
-Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe4df460eeb6f30841ae47d4c4
-Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2
-Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0
-Provides: bundled(golang(github.com/kr/pty)) = v1.0.0
-Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1
-Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a
-Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982
-Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1
-Provides: bundled(golang(github.com/mrunalp/fileutils)) = master
-Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9
-Provides: bundled(golang(github.com/Nvveen/Gotty)) = master
-Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0-rc0
-Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0
-Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
-Provides:
bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0
-Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = 625e2322645b151a7cbb93a8b42920933e72167f
-Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a
-Provides: bundled(golang(github.com/openshift/imagebuilder)) = master
-Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master
-Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
-Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2
-Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
-Provides: bundled(golang(github.com/projectatomic/buildah)) = 35a37f36d37bf84397d7f79f6bb8649f728c19f1
-Provides: bundled(golang(github.com/seccomp/containers-golang)) = master
-Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0
-Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
-Provides: bundled(golang(github.com/spf13/pflag)) = 9ff6c6923cfffbcd502984b8e0c80539a94968b7
-Provides: bundled(golang(github.com/stretchr/testify)) = 4d4bfba8f1d1027c4fdbe371823030df51419987
-Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b3855136a2642b197bad7366ba
-Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
-Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4
-Provides: bundled(golang(github.com/ulule/deepcopier)) = master
-# version can't have '-'
-#Provides: bundled(golang(github.com/urfave/cli)) = fix-short-opts-parsing
-Provides: bundled(golang(github.com/varlink/go)) = master
-Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2
-Provides: bundled(golang(github.com/vishvananda/netlink)) = master
-Provides: bundled(golang(github.com/vishvananda/netns)) = master
-Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = master
-Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = master
-Provides:
bundled(golang(github.com/xeipuuv/gojsonschema)) = master
-Provides: bundled(golang(golang.org/x/crypto)) = 81e90905daefcd6fd217b62423c0908922eadb30
-Provides: bundled(golang(golang.org/x/net)) = c427ad74c6d7a814201695e9ffde0c5d400a7674
-Provides: bundled(golang(golang.org/x/sys)) = master
-Provides: bundled(golang(golang.org/x/text)) = f72d8390a633d5dfb0cc84043294db9f6c935756
-Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631
-Provides: bundled(golang(google.golang.org/grpc)) = v1.0.4
-Provides: bundled(golang(gopkg.in/cheggaaa/pb.v1)) = v1.0.7
-Provides: bundled(golang(gopkg.in/inf.v0)) = v0.9.0
-Provides: bundled(golang(gopkg.in/mgo.v2)) = v2
-Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = v2.1.3
-Provides: bundled(golang(gopkg.in/yaml.v2)) = v2
-Provides: bundled(golang(k8s.io/api)) = 5ce4aa0bf2f097f6021127b3d879eeda82026be8
-Provides: bundled(golang(k8s.io/apiextensions-apiserver)) = 1b31e26d82f1ec2e945c560790e98f34bb5f2e63
-Provides: bundled(golang(k8s.io/apimachinery)) = 616b23029fa3dc3e0ccefd47963f5651a6543d94
-Provides: bundled(golang(k8s.io/apiserver)) = 4d1163080139f1f9094baf8a3a6099e85e1867f6
-Provides: bundled(golang(k8s.io/client-go)) = 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e
-Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee5560b555ac9
-Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e
-
-%description
-%{summary}
-libpod provides a library for applications looking to use
-the Container Pod concept popularized by Kubernetes.
-
-%package docker
-Summary: Emulate Docker CLI using podman
-BuildArch: noarch
-Requires: %{name} = %{version}-%{release}
-Conflicts: docker
-Provides : docker
-Conflicts: docker-latest
-Conflicts: docker-ce
-Conflicts: docker-ee
-
-%description docker
-This package installs a script named docker that emulates the Docker CLI by
-executing %{name} commands, it also creates links between all Docker CLI man
-pages and %{name}.
-
-%prep
-%autosetup -Sgit -n %{repo}-%{commit}
-mv pkg/hooks/README.md pkg/hooks/README-hooks.md
-
-# untar cri-o
-tar zxf %{SOURCE1}
-
-%build
-mkdir -p $(pwd)/_build
-pushd $(pwd)/_build
-mkdir -p src/%{provider}.%{provider_tld}/%{project}
-ln -s ../../../../ src/%{import_path}
-popd
-ln -s vendor src
-
-export GOPATH=$(pwd):$(pwd)/_build
-export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
-%gobuild -o bin/%{name} %{import_path}/cmd/%{name}
-
-# build conmon
-pushd cri-o-%{commit_conmon}
-mkdir _output
-pushd _output
-mkdir -p src/%{provider}.%{provider_tld}/{kubernetes-sigs,opencontainers}
-ln -s $(dirs +1 -l) src/%{import_path_conmon}
-popd
-
-ln -s vendor src
-export GOPATH=$(pwd):$(pwd)/_output
-export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
-%gobuild -o bin/crio-config %{import_path_conmon}/cmd/crio-config
-cd conmon && ../bin/crio-config
-%{__make} all
-popd
-
-%install
-install -dp %{buildroot}{%{_unitdir}
-%{__make} PREFIX=%{buildroot}%{_usr} ETCDIR=%{buildroot}%{_sysconfdir} \
- install.bin \
- install.man \
- install.cni \
- install.systemd \
- install.completions \
- install.docker
-
-# install libpod.conf
-install -dp %{buildroot}%{_datadir}/containers
-install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers
-
-# install conmon
-install -dp %{buildroot}%{_libexecdir}/%{name}
-install -p -m 755 cri-o-%{commit_conmon}/bin/conmon %{buildroot}%{_libexecdir}/%{name}
-
-%check
-%if
0%{?with_check}
-ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
-export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
-
-%gotest %{import_path}/cmd/%{name}
-%gotest %{import_path}/libkpod
-%gotest %{import_path}/libpod
-%gotest %{import_path}/pkg/registrar
-%endif
-
-#define license tag if not already defined
-%{!?_licensedir:%global license %doc}
-
-%files
-%license LICENSE
-%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
-%{_bindir}/%{name}
-%{_mandir}/man1/podman*.1*
-%{_mandir}/man5/*.5*
-%{_datadir}/bash-completion/completions/*
-%{_libexecdir}/%{name}/conmon
-%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
-%{_datadir}/containers/%{repo}.conf
-%{_unitdir}/io.%{name}.service
-%{_unitdir}/io.%{name}.socket
-%{_usr}/lib/tmpfiles.d/%{name}.conf
-
-%files docker
-%{_bindir}/docker
-%{_mandir}/man1/docker*.1*
-
-%changelog
-* Mon Mar 01 2021 Jindrich Novy - 1.0.0-8.git921f98f
-- fix "podman can not create user inside of container" regression introduced by
- patch for CVE-2021-20188
-- Related: #1918285
-
-* Fri Feb 12 2021 Jindrich Novy - 1.0.0-7.git921f98f
-- fix CVE-2021-20188
-- Resolves: #1918285
-
-* Thu Sep 24 2020 Jindrich Novy - 1.0.0-6.git921f98f
-- fix "podman run errors out/segfaults in container-tools-1.0-8.3.0"
-- Resolves: #1882267
-
-* Fri Jun 26 2020 Jindrich Novy - 1.0.0-5.git921f98f
-- bump release to preserve upgrade path
-- Resolves: #1821193
-
-* Fri Apr 03 2020 Jindrich Novy - 1.0.0-4.git921f98f
-- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
-- Resolves: #1818122
-
-* Thu Nov 28 2019 Jindrich Novy - 1.0.0-3.git921f98f
-- rebuild because of CVE-2019-9512 and CVE-2019-9514
-- Resolves: #1766294, #1766322
-
-* Mon Feb 11 2019 Frantisek Kluknavsky - 1.0.0-2.git921f98f
-- rebase
-
-* Tue Jan 15 2019 Frantisek Kluknavsky - 1.0.0-1.git82e8011
-- rebase to v1, yay!
-- rebase conmon to 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2 -- Resolves:#1623282 -- python interface removed, moved to https://github.com/containers/python-podman/ - -* Tue Dec 18 2018 Frantisek Kluknavsky - 0.12.1.2-4.git9551f6b -- re-enable debuginfo - -* Mon Dec 17 2018 Frantisek Kluknavsky - 0.12.1.2-3.git9551f6b -- python libraries added -- resolves: #1657180 - -* Mon Dec 17 2018 Frantisek Kluknavsky - 0.12.1.2-2.git9551f6b -- rebase - -* Mon Dec 17 2018 Frantisek Kluknavsky - 0.11.1.1-3.git594495d -- go tools not in scl anymore - -* Mon Nov 19 2018 Frantisek Kluknavsky - 0.11.1.1-2.git594495d -- fedora-like buildrequires go toolset - -* Sat Nov 17 2018 Lokesh Mandvekar - 0.11.1.1-1.git594495d -- Resolves: #1636230 - build with FIPS enabled golang toolchain -- bump to v0.11.1.1 -- built commit 594495d - -* Fri Nov 16 2018 Frantisek Kluknavsky - 0.11.1-3.gita4adfe5 -- podman-docker provides docker -- Resolves: #1650355 - -* Thu Nov 15 2018 Lumír Balhar - 0.11.1-2.gita4adfe5 -- Require platform-python-setuptools instead of python3-setuptools -- Resolves: rhbz#1650144 - -* Tue Nov 13 2018 Lokesh Mandvekar - 0.11.1-1.gita4adfe5 -- bump to v0.11.1 -- built libpod commit a4adfe5 -- built conmon from cri-o commit 464dba6 - -* Fri Oct 19 2018 Lokesh Mandvekar - 0.10.1.3-5.gitdb08685 -- Resolves: #1625384 - keep BR: device-mapper-devel but don't build with it -- not having device-mapper-devel seems to have brew not recognize %%{_unitdir} - -* Thu Oct 18 2018 Lokesh Mandvekar - 0.10.1.3-4.gitdb08685 -- Resolves: #1625384 - correctly add buildtags to remove devmapper - -* Thu Oct 18 2018 Lokesh Mandvekar - 0.10.1.3-3.gitdb08685 -- Resolves: #1625384 - build without device-mapper-devel (no podman support) and lvm2 - -* Wed Oct 17 2018 Lokesh Mandvekar - 0.10.1.3-2.gitdb08685 -- Resolves: #1625384 - depend on lvm2 - -* Wed Oct 17 2018 Lokesh Mandvekar - 0.10.1.3-1.gitdb08685 -- Resolves: #1640298 - update vendored buildah to allow building when there are -running 
containers -- bump to v0.10.1.3 -- built podman commit db08685 - -* Wed Oct 17 2018 Lokesh Mandvekar - 0.10.1.2-1.git2b4f8d1 -- Resolves: #1625378 -- bump to v0.10.1.2 -- built podman commit 2b4f8d1 - -* Tue Oct 16 2018 Lokesh Mandvekar - 0.10.1.1-1.git4bea3e9 -- bump to v0.10.1.1 -- built podman commit 4bea3e9 - -* Thu Oct 11 2018 Lokesh Mandvekar - 0.10.1-1.gite4a1553 -- bump podman to v0.10.1 -- built podman commit e4a1553 -- built conmon from cri-o commit a30f93c - -* Tue Oct 09 2018 Frantisek Kluknavsky - 0.9.3.1-4.git1cd906d -- rebased cri-o to 1.11.6 - -* Wed Sep 26 2018 Frantisek Kluknavsky - 0.9.3.1-3.git1cd906d -- rebase - -* Tue Sep 18 2018 Frantisek Kluknavsky - 0.9.2-2.git37a2afe -- rebase to podman 0.9.2 -- rebase to cri-o 0.11.4 - -* Tue Sep 11 2018 Frantisek Kluknavsky - 0.9.1.1-2.git123de30 -- rebase - -* Mon Aug 27 2018 Lokesh Mandvekar - 0.8.4-1.git9f9b8cf -- bump to v0.8.4 -- built commit 9f9b8cf -- upstream username changed from projectatomic to containers -- use containernetworking-plugins >= 0.7.3-5 - -* Mon Aug 13 2018 Lokesh Mandvekar - 0.8.2.1-2.git7a526bb -- Resolves: #1615607 - rebuild with gobuild tag 'no_openssl' - -* Sun Aug 12 2018 Dan Walsh - 0.8.2.1-1.git7a526bb -- Upstream 0.8.2.1 release -- Add support for podman-docker -Resolves: rhbz#1615104 - -* Fri Aug 10 2018 Lokesh Mandvekar - 0.8.2-1.dev.git8b2d38e -- Resolves: #1614710 - podman search name includes registry -- bump to v0.8.2-dev -- built libpod commit 8b2d38e -- built conmon from cri-o commit acc0ee7 - -* Wed Aug 8 2018 Dan Walsh - 0.8.1-2.git6b4ab2a -- Add recommends for slirp4netns and container-selinux - -* Tue Aug 07 2018 Lokesh Mandvekar - 0.8.1-2.git6b4ab2a -- bump to v0.8.1 -- use %%go{build,generate} instead of go build and go generate -- update go deps to use scl-ized builds -- No need for Makefile patch for python installs - -* Sat Aug 4 2018 Dan Walsh - 0.8.1-1.git6b4ab2a -- Bump to v0.8.1 - -* Wed Aug 1 2018 Dan Walsh - 0.7.4-2.git079121 -- podman should not 
require atomic-registries - -* Tue Jul 24 2018 Lokesh Mandvekar - 0.7.4-1.dev.git9a18681 -- bump to v0.7.4-dev -- built commit 9a18681 - -* Sat Jul 21 2018 Dan Walsh - 0.7.3-2.git079121 -- Turn on ostree support -- Upstream 0.7.3 - -* Sat Jul 14 2018 Dan Walsh - 0.7.2-2.git4ca4c5f -- Upstream 0.7.2 release - -* Wed Jul 11 2018 Frantisek Kluknavsky - 0.7.1-3.git84cfdb2 -- rebuilt - -* Wed Jul 11 2018 Frantisek Kluknavsky - 0.7.1-2.git84cfdb2 -- rebase to 84cfdb2 - -* Sun Jul 08 2018 Dan Walsh - 0.7.1-1.git802d4f2 -- Upstream 0.7.1 release - -* Mon Jun 25 2018 Lokesh Mandvekar - 0.6.4-2.gitd5beb2f -- disable devel and unittest subpackages -- include conditionals for rhel-8.0 - -* Fri Jun 22 2018 Dan Walsh - 0.6.4-1.gitd5beb2f -- do not compress debuginfo with dwz to support delve debugger - -* Mon Jun 04 2018 Lokesh Mandvekar - 0.6.1-3.git3e0ff12 -- do not compress debuginfo with dwz to support delve debugger - -* Mon Jun 04 2018 Lokesh Mandvekar - 0.6.1-2.git3e0ff12 -- bash completion shouldn't have shebang - -* Mon Jun 04 2018 Lokesh Mandvekar - 0.6.1-1.git3e0ff12 -- Resolves: #1584429 - drop capabilities when running a container as non-root -- bump to v0.6.1 -- built podman commit 3e0ff12 -- built conmon from cri-o commit 1c0c3b0 -- drop containernetworking-plugins subpackage, it's now split out into a standalone -package - -* Fri Apr 27 2018 Lokesh Mandvekar - 0.4.1-4.gitb51d327 -- Resolves: #1572538 - build host-device and portmap plugins - -* Thu Apr 12 2018 Lokesh Mandvekar - 0.4.1-3.gitb51d327 -- correct dep on containernetworking-plugins - -* Thu Apr 12 2018 Lokesh Mandvekar - 0.4.1-2.gitb51d327 -- add containernetworking-plugins v0.7.0 as a subpackage (podman dep) -- release tag for the containernetworking-plugins is actually gotten from -podman release tag. 
- -* Wed Apr 11 2018 Lokesh Mandvekar - 0.4.1-1.gitb51d327 -- bump to v0.4.1 -- built commit b51d327 - -* Wed Mar 14 2018 Lokesh Mandvekar - 0.3.3-1.dev.gitbc358eb -- built podman commit bc358eb -- built conmon from cri-o commit 712f3b8 - -* Fri Mar 09 2018 baude - 0.3.2-1.gitf79a39a -- Release 0.3.2-1 - -* Sun Mar 04 2018 baude - 0.3.1-2.git98b95ff -- Correct RPM version - -* Fri Mar 02 2018 baude - 0.3.1-1-gitc187538 -- Release 0.3.1-1 - -* Sun Feb 25 2018 Peter Robinson 0.2.2-2.git525e3b1 -- Build on ARMv7 too (Fedora supports containers on that arch too) - -* Fri Feb 23 2018 baude - 0.2.2-1.git525e3b1 -- Release 0.2.2 - -* Fri Feb 16 2018 baude - 0.2.1-1.git3d0100b -- Release 0.2.1 - -* Wed Feb 14 2018 baude - 0.2-3.git3d0100b -- Add dep for atomic-registries - -* Tue Feb 13 2018 baude - 0.2-2.git3d0100b -- Add more 64bit arches -- Add containernetworking-cni dependancy -- Add iptables dependancy - -* Mon Feb 12 2018 baude - 0-2.1.git3d0100 -- Release 0.2 - -* Tue Feb 06 2018 Lokesh Mandvekar - 0-0.3.git367213a -- Resolves: #1541554 - first official build -- built commit 367213a - -* Fri Feb 02 2018 Lokesh Mandvekar - 0-0.2.git0387f69 -- built commit 0387f69 - -* Wed Jan 10 2018 Frantisek Kluknavsky - 0-0.1.gitc1b2278 -- First package for Fedora - diff --git a/podman.spec b/podman.spec new file mode 100644 index 0000000..f7ce757 --- /dev/null +++ b/podman.spec 
@@ -0,0 +1,476 @@ +%global with_debug 1 + +%if 0%{?with_debug} +%global _find_debuginfo_dwz_opts %{nil} +%global _dwz_low_mem_die_limit 0 +%else +%global debug_package %{nil} +%endif + +%global import_path github.com/containers/podman +%global branch v5.4-rhel +%global commit0 0ee1d4919a9686efb3b09842c8d960c1a5ecb2f1 +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) + +%global gomodulesmode GO111MODULE=on + +%if %{defined fedora} +%define build_with_btrfs 1 +# qemu-system* isn't packageed for CentOS Stream / RHEL +%define qemu 1 +%endif + +%if %{defined copr_username} +%define copr_build 1 +%endif + +# Only RHEL and CentOS Stream rpms are built with fips-enabled go compiler +%if %{defined rhel} +%define fips_enabled 1 +%endif + +%global container_base_path github.com/containers +%global container_base_url https://%{container_base_path} + +# For LDFLAGS +%global ld_project %{container_base_path}/%{name}/v5 +%global ld_libpod %{ld_project}/libpod + +# %%{name} +%global git0 %{container_base_url}/%{name} + +# podman-machine subpackage will be present only on these architectures +%global machine_arches x86_64 aarch64 + +%if %{defined copr_build} +%define build_origin Copr: %{?copr_username}/%{?copr_projectname} +%else +%define build_origin %{?packager} +%endif + +Name: podman +%if %{defined copr_build} +Epoch: 102 +%else +Epoch: 6 +%endif +# DO NOT TOUCH the Version string! +# The TRUE source of this specfile is: +# https://github.com/containers/podman/blob/main/rpm/podman.spec +# If that's what you're reading, Version must be 0, and will be updated by Packit for +# copr and koji builds. +# If you're reading this on dist-git, the version is automatically filled in by Packit. 
+Version: 5.4.0 +# The `AND` needs to be uppercase in the License for SPDX compatibility +License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0 +Release: 9%{?dist} +%if %{defined golang_arches_future} +ExclusiveArch: %{golang_arches_future} +%else +ExclusiveArch: aarch64 ppc64le s390x x86_64 +%endif +Summary: Manage Pods, Containers and Container Images +URL: https://%{name}.io/ +# All SourceN files fetched from upstream +%if 0%{?branch:1} +Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz +%else +Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz +%endif + +Provides: %{name}-manpages = %{epoch}:%{version}-%{release} +BuildRequires: %{_bindir}/envsubst +%if %{defined build_with_btrfs} +BuildRequires: btrfs-progs-devel +%endif +BuildRequires: gcc +BuildRequires: glib2-devel +BuildRequires: glibc-devel +BuildRequires: glibc-static +BuildRequires: golang +BuildRequires: git-core +%if %{undefined rhel} || 0%{?rhel} >= 10 +BuildRequires: go-rpm-macros +%endif +BuildRequires: gpgme-devel +BuildRequires: libassuan-devel +BuildRequires: libgpg-error-devel +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +BuildRequires: shadow-utils-subid-devel +BuildRequires: pkgconfig +BuildRequires: make +BuildRequires: man-db +BuildRequires: ostree-devel +BuildRequires: systemd +BuildRequires: systemd-devel +Requires: catatonit +Requires: conmon >= 2:2.1.7-2 +%if %{defined fedora} && 0%{?fedora} >= 40 +# TODO: Remove the f40 conditional after a few releases to keep conditionals to +# a minimum +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2269148 +Requires: containers-common-extra >= 5:0.58.0-1 +%else +Requires: containers-common-extra +%endif +Obsoletes: %{name}-quadlet <= 5:4.4.0-1 +Provides: %{name}-quadlet = %{epoch}:%{version}-%{release} + +%description +%{name} (Pod Manager) is a fully featured container engine that is a simple +daemonless tool. 
%{name} provides a Docker-CLI comparable command line that +eases the transition from other container engines and allows the management of +pods, containers and images. Simply put: alias docker=%{name}. +Most %{name} commands can be run as a regular user, without requiring +additional privileges. + +%{name} uses Buildah(1) internally to create container images. +Both tools share image (not container) storage, hence each can use or +manipulate images (but not containers) created by the other. + + +%package docker +Summary: Emulate Docker CLI using %{name} +BuildArch: noarch +Requires: %{name} = %{epoch}:%{version}-%{release} +Conflicts: docker +Conflicts: docker-latest +Conflicts: docker-ce +Conflicts: docker-ee +Conflicts: moby-engine + +%description docker +This package installs a script named docker that emulates the Docker CLI by +executes %{name} commands, it also creates links between all Docker CLI man +pages and %{name}. + +%package tests +Summary: Tests for %{name} + +Requires: %{name} = %{epoch}:%{version}-%{release} +%if %{defined fedora} +Requires: bats +%endif +Requires: attr +Requires: jq +Requires: skopeo +Requires: nmap-ncat +Requires: httpd-tools +Requires: openssl +Requires: socat +Requires: buildah +Requires: gnupg + +%description tests +%{summary} + +This package contains system tests for %{name} + +%package remote +Summary: (Experimental) Remote client for managing %{name} containers + +%description remote +Remote client for managing %{name} containers. + +This experimental remote client is under heavy development. Please do not +run %{name}-remote in production. + +%{name}-remote uses the version 2 API to connect to a %{name} client to +manage pods, containers and container images. %{name}-remote supports ssh +connections as well. 
+ +%package -n %{name}sh +Summary: Confined login and user shell using %{name} +Requires: %{name} = %{epoch}:%{version}-%{release} +Provides: %{name}-shell = %{epoch}:%{version}-%{release} +Provides: %{name}-%{name}sh = %{epoch}:%{version}-%{release} + +%description -n %{name}sh +%{name}sh provides a confined login and user shell with access to volumes and +capabilities specified in user quadlets. + +It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container +when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0]. + +%ifarch %{machine_arches} +%package machine +Summary: Metapackage for setting up %{name} machine +Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: gvisor-tap-vsock +%if %{defined qemu} +%ifarch aarch64 +Requires: qemu-system-aarch64-core +%endif +%ifarch x86_64 +Requires: qemu-system-x86-core +%endif +%else +Requires: qemu-kvm +%endif +Requires: qemu-img +Requires: virtiofsd +ExclusiveArch: x86_64 aarch64 + +%description machine +This subpackage installs the dependencies for %{name} machine, for more see: +https://docs.podman.io/en/latest/markdown/podman-machine.1.html +%endif + +%prep +%if 0%{?branch:1} +%autosetup -Sgit -n containers-%{name}-%{shortcommit0} +%else +%autosetup -Sgit -n %{name}-%{commit0} +%endif +sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile + +# cgroups-v1 is supported on rhel9 +%if 0%{?rhel} == 9 +sed -i '/DELETE ON RHEL9/,/DELETE ON RHEL9/d' libpod/runtime.go +%endif + +# These changes are only meant for copr builds +%if %{defined copr_build} +# podman --version should show short sha +sed -i "s/^const RawVersion = .*/const RawVersion = \"##VERSION##-##SHORT_SHA##\"/" version/rawversion/version.go +# use ParseTolerant to allow short sha in version +sed -i "s/^var Version.*/var Version, err = semver.ParseTolerant(rawversion.RawVersion)/" version/version.go +%endif + +%build +%set_build_flags +export CGO_CFLAGS=$CFLAGS + +# These extra flags present in $CFLAGS have 
been skipped for now as they break the build +CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g') +CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g') +CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g') + +%ifarch x86_64 +export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full" +%endif + +export GOPROXY=direct + +LDFLAGS="-X %{ld_libpod}/define.buildInfo=${SOURCE_DATE_EPOCH:-$(date +%s)} \ + -X \"%{ld_libpod}/define.buildOrigin=%{build_origin}\" \ + -X %{ld_libpod}/config._installPrefix=%{_prefix} \ + -X %{ld_libpod}/config._etcDir=%{_sysconfdir} \ + -X %{ld_project}/pkg/systemd/quadlet._binDir=%{_bindir}" + +# build rootlessport first +%gobuild -o bin/rootlessport ./cmd/rootlessport + +export BASEBUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/systemd_tag.sh) $(hack/libsubid_tag.sh)" + +# libtrust_openssl buildtag switches to using the FIPS-compatible func +# `ecdsa.HashSign`. +# Ref 1: https://github.com/golang-fips/go/blob/main/patches/015-add-hash-sign-verify.patch#L22 +# Ref 2: https://github.com/containers/libtrust/blob/main/ec_key_openssl.go#L23 +%if %{defined fips_enabled} +export BASEBUILDTAGS="$BASEBUILDTAGS libtrust_openssl" +%endif + +# build %%{name} +export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh)" +%gobuild -o bin/%{name} ./cmd/%{name} + +# build %%{name}-remote +export BUILDTAGS="$BASEBUILDTAGS exclude_graphdriver_btrfs btrfs_noversion remote" +%gobuild -o bin/%{name}-remote ./cmd/%{name} + +# build quadlet +export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)" +%gobuild -o bin/quadlet ./cmd/quadlet + +# build %%{name}-testing +export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)" +%gobuild -o bin/podman-testing ./cmd/podman-testing + +# reset LDFLAGS for plugins binaries +LDFLAGS='' + +%{__make} docs docker-docs + +%install +install -dp 
%{buildroot}%{_unitdir} +PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDIR=%{_sysconfdir} \ + install.bin \ + install.man \ + install.systemd \ + install.completions \ + install.docker \ + install.docker-docs \ + install.remote \ + install.testing + +# See above for the iptables.conf declaration +%if %{defined fedora} && 0%{?fedora} < 41 +%{__make} DESTDIR=%{buildroot} MODULESLOADDIR=%{_modulesloaddir} install.modules-load +%endif + +sed -i 's;%{buildroot};;g' %{buildroot}%{_bindir}/docker + +# do not include docker and podman-remote man pages in main package +for file in `find %{buildroot}%{_mandir}/man[157] -type f | sed "s,%{buildroot},," | grep -v -e %{name}sh.1 -e remote -e docker`; do + echo "$file*" >> %{name}.file-list +done + +rm -f %{buildroot}%{_mandir}/man5/docker*.5 + +install -d -p %{buildroot}%{_datadir}/%{name}/test/system +cp -pav test/system %{buildroot}%{_datadir}/%{name}/test/ + +%ifarch %{machine_arches} +# symlink virtiofsd in %%{name} libexecdir for machine subpackage +ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name} +%endif + +#define license tag if not already defined +%{!?_licensedir:%global license %doc} + +# Include empty check to silence rpmlint warning +%check + +%files -f %{name}.file-list +%license LICENSE vendor/modules.txt +%doc README.md CONTRIBUTING.md install.md transfer.md +%{_bindir}/%{name} +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/rootlessport +%{_libexecdir}/%{name}/quadlet +%{_datadir}/bash-completion/completions/%{name} +# By "owning" the site-functions dir, we don't need to Require zsh +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_%{name} +%dir %{_datadir}/fish/vendor_completions.d +%{_datadir}/fish/vendor_completions.d/%{name}.fish +%{_unitdir}/%{name}* +%{_userunitdir}/%{name}* +%{_tmpfilesdir}/%{name}.conf +%{_systemdgeneratordir}/%{name}-system-generator +%{_systemdusergeneratordir}/%{name}-user-generator +# iptables modules are only needed with 
iptables-legacy, +# as of f41 netavark will default to nftables so do not load unessary modules +# https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault +%if %{defined fedora} && 0%{?fedora} < 41 +%{_modulesloaddir}/%{name}-iptables.conf +%endif + +%files docker +%{_bindir}/docker +%{_mandir}/man1/docker*.1* +%{_sysconfdir}/profile.d/%{name}-docker.* +%{_tmpfilesdir}/%{name}-docker.conf +%{_user_tmpfilesdir}/%{name}-docker.conf + +%files remote +%license LICENSE +%{_bindir}/%{name}-remote +%{_mandir}/man1/%{name}-remote*.* +%{_datadir}/bash-completion/completions/%{name}-remote +%dir %{_datadir}/fish/vendor_completions.d +%{_datadir}/fish/vendor_completions.d/%{name}-remote.fish +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_%{name}-remote + +%files tests +%{_bindir}/%{name}-testing +%{_datadir}/%{name}/test + +%files -n %{name}sh +%{_bindir}/%{name}sh +%{_mandir}/man1/%{name}sh.1* + +%ifarch %{machine_arches} +%files machine +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/virtiofsd +%endif + +%changelog +* Wed Apr 09 2025 Jindrich Novy - 6:5.4.0-9 +- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel + (https://github.com/containers/podman/commit/0ee1d49) +- fixes "Rootless container libpod/tmp/persist directories not cleaned up, fill up tmpfs - [RHEL 10.0] 0day" +- Resolves: RHEL-86550 + +* Mon Apr 07 2025 Jindrich Novy - 6:5.4.0-8 +- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel + (https://github.com/containers/podman/commit/a994a04) +- fixes "podman tests are failing - [RHEL 10.0] 0day" +- Resolves: RHEL-86093 + +* Mon Mar 31 2025 Jindrich Novy - 6:5.4.0-7 +- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel + (https://github.com/containers/podman/commit/f7bf65c) +- fixes "Importing a tar.xz archive as a container fails with error 'layer 0 <...> does not match config's DiffID' - [RHEL 10.0] 0day" +- Resolves: RHEL-85219 + 
+* Tue Mar 18 2025 Jindrich Novy - 6:5.4.0-6
+- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel
+ (https://github.com/containers/podman/commit/9ad4842)
+- fixes "CVE-2025-22869 podman: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh [rhel-10.0.z]"
+- Resolves: RHEL-82775
+
+* Fri Mar 14 2025 Jindrich Novy - 6:5.4.0-5
+- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel
+ (https://github.com/containers/podman/commit/9d2e54f)
+- fixes "Excessive memory leak due to uncontrolled accumulation of health.log entries in Podman 5.x - [RHEL 10.0] ZeroDay"
+- Resolves: RHEL-83556
+
+* Wed Mar 12 2025 Jindrich Novy - 6:5.4.0-4
+- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel
+ (https://github.com/containers/podman/commit/45c2d1f)
+- fixes "CVE-2025-27144 podman: Go JOSE's Parsing Vulnerable to Denial of Service [rhel-10.0.z]"
+- Resolves: RHEL-82959
+
+* Tue Mar 11 2025 Jindrich Novy - 6:5.4.0-3
+- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel
+ (https://github.com/containers/podman/commit/e48006b)
+- Resolves: RHEL-82199
+
+* Thu Mar 06 2025 Jindrich Novy - 6:5.4.0-2
+- update to the latest content of https://github.com/containers/podman/tree/v5.4-rhel
+ (https://github.com/containers/podman/commit/2adbe89)
+- Resolves: RHEL-79695
+
+* Wed Feb 12 2025 Jindrich Novy - 6:5.4.0-1
+- update to https://github.com/containers/podman/releases/tag/v5.4.0
+- Related: RHEL-58990
+
+* Wed Jan 22 2025 Jindrich Novy - 6:5.3.2-1
+- update to https://github.com/containers/podman/releases/tag/v5.3.2
+- Related: RHEL-58990
+
+* Mon Dec 02 2024 Jindrich Novy - 6:5.3.1-3
+- Do not use ExcludeArch for machine but ifarch conditionals
+- Resolves: RHEL-69441
+
+* Thu Nov 28 2024 Jindrich Novy - 6:5.3.1-2
+- Reduce arches for podman-machine to x86_64 aarch64
+- Resolves: RHEL-69441
+
+* Mon Nov 25 2024 Jindrich Novy - 6:5.3.1-1
+- update
to https://github.com/containers/podman/releases/tag/v5.3.1
+- Resolves: RHEL-24623
+
+* Mon Nov 11 2024 Jindrich Novy - 6:5.2.2-3
+- update to the latest content of https://github.com/containers/podman/tree/v5.2-rhel
+ (https://github.com/containers/podman/commit/e40738b)
+- Resolves: RHEL-61858
+
+* Tue Oct 29 2024 Troy Dawson - 6:5.2.2-2
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Wed Oct 09 2024 Jindrich Novy - 6:5.2.2-1
+- stick to v5.2-rhel upstream branch for RHEL
+- update to the latest content of https://github.com/containers/podman/tree/v5.2-rhel
+ (https://github.com/containers/podman/commit/458f9b4)
+- Related: RHEL-58990
+
+* Tue Oct 08 2024 Jindrich Novy - 5:5.2.4-1
+- update to https://github.com/containers/podman/releases/tag/v5.2.4
+- Related: RHEL-61719
diff --git a/sources b/sources
new file mode 100644
index 0000000..d8aef9e
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (v5.4-rhel-0ee1d49.tar.gz) = e2cd3b181fc362ed1ed6318350ba4e9f465128e9042f97d04a9ae25deed66780997b7b212cc412ea0f063fc5a72cd6b40704b946985fe2c7982105c05a347767
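Review bot: `ExclusiveArch: x86_64 aarch64` inside `%package machine` repeats the list already held in `%global machine_arches x86_64 aarch64` and enforced by the enclosing `%ifarch %{machine_arches}` guard, so the two copies can drift apart without any build error; `ExclusiveArch: %{machine_arches}` keeps a single source of truth, which is what the 6:5.3.1-3 changelog entry about replacing ExcludeArch with ifarch conditionals seems to intend. The `%check` section is intentionally empty per its own comment, which means no Go unit test runs at rpmbuild time and the packaged `-tests` subpackage is the only test artifact the build produces; if that is the accepted trade-off for this dist-git branch, a one-line comment next to `%check` naming where the tests are exercised instead would save the next reviewer from asking. The `%description docker` wording `emulates the Docker CLI by executes %{name} commands` should read `by executing %{name} commands`.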