podman-5.4.0-1.el10

- update to https://github.com/containers/podman/releases/tag/v5.4.0
- Related: RHEL-58990

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

podman.spec

@@ -8,33 +8,27 @@
 %endif
 
 %global import_path github.com/containers/podman
-#%%global branch v5.2-rhel
+#%%global branch v5.4-rhel
-%global commit0 85043bb1a3818102194afa82845cb63841067c9c
+%global commit0 f9f7d48b24b1ca4403f189caaeab1cb8ff4a9aa2
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
-# RHEL's default %%gobuild macro doesn't account for the BUILDTAGS variable, so we
-# set it separately here and do not depend on RHEL's go-[s]rpm-macros package
-# until that's fixed.
-# c9s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227328
-%if %{defined rhel} && 0%{?rhel} < 10
-%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%endif
-
 %global gomodulesmode GO111MODULE=on
 
-%if %{defined rhel}
-# _user_tmpfiles.d currently undefined on rhel
-%global _user_tmpfilesdir %{_datadir}/user-tmpfiles.d
-%endif
-
 %if %{defined fedora}
 %define build_with_btrfs 1
+# qemu-system* isn't packageed for CentOS Stream / RHEL
+%define qemu 1
 %endif
 
 %if %{defined copr_username}
 %define copr_build 1
 %endif
 
+# Only RHEL and CentOS Stream rpms are built with fips-enabled go compiler
+%if %{defined rhel}
+%define fips_enabled 1
+%endif
+
 %global container_base_path github.com/containers
 %global container_base_url https://%{container_base_path}
 
@@ -45,6 +39,15 @@
 # %%{name}
 %global git0 %{container_base_url}/%{name}
 
+# podman-machine subpackage will be present only on these architectures
+%global machine_arches x86_64 aarch64
+
+%if %{defined copr_build}
+%define build_origin Copr: %{?copr_username}/%{?copr_projectname}
+%else
+%define build_origin %{?packager}
+%endif
+
 Name: podman
 %if %{defined copr_build}
 Epoch: 102
@@ -57,7 +60,7 @@ Epoch: 6
 # If that's what you're reading, Version must be 0, and will be updated by Packit for
 # copr and koji builds.
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
-Version: 5.3.2
+Version: 5.4.0
 # The `AND` needs to be uppercase in the License for SPDX compatibility
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
 Release: 1%{?dist}
@@ -149,6 +152,7 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
 %if %{defined fedora}
 Requires: bats
 %endif
+Requires: attr
 Requires: jq
 Requires: skopeo
 Requires: nmap-ncat
@@ -189,13 +193,24 @@ capabilities specified in user quadlets.
 It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
 when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
 
-%ifarch x86_64 aarch64
+%ifarch %{machine_arches}
 %package machine
 Summary: Metapackage for setting up %{name} machine
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Requires: gvisor-tap-vsock
-Recommends: qemu
+%if %{defined qemu}
+%ifarch aarch64
+Requires: qemu-system-aarch64-core
+%endif
+%ifarch x86_64
+Requires: qemu-system-x86-core
+%endif
+%else
+Requires: qemu-kvm
+%endif
+Requires: qemu-img
 Requires: virtiofsd
+ExclusiveArch: x86_64 aarch64
 
 %description machine
 This subpackage installs the dependencies for %{name} machine, for more see:
@@ -239,6 +254,7 @@ export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
 export GOPROXY=direct
 
 LDFLAGS="-X %{ld_libpod}/define.buildInfo=${SOURCE_DATE_EPOCH:-$(date +%s)} \
+         -X \"%{ld_libpod}/define.buildOrigin=%{build_origin}\" \
          -X %{ld_libpod}/config._installPrefix=%{_prefix} \
          -X %{ld_libpod}/config._etcDir=%{_sysconfdir} \
          -X %{ld_project}/pkg/systemd/quadlet._binDir=%{_bindir}"
@@ -248,6 +264,14 @@ LDFLAGS="-X %{ld_libpod}/define.buildInfo=${SOURCE_DATE_EPOCH:-$(date +%s)} \
 
 export BASEBUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/systemd_tag.sh) $(hack/libsubid_tag.sh)"
 
+# libtrust_openssl buildtag switches to using the FIPS-compatible func
+# `ecdsa.HashSign`.
+# Ref 1: https://github.com/golang-fips/go/blob/main/patches/015-add-hash-sign-verify.patch#L22
+# Ref 2: https://github.com/containers/libtrust/blob/main/ec_key_openssl.go#L23
+%if %{defined fips_enabled}
+export BASEBUILDTAGS="$BASEBUILDTAGS libtrust_openssl"
+%endif
+
 # build %%{name}
 export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh)"
 %gobuild -o bin/%{name} ./cmd/%{name}
@@ -281,8 +305,8 @@ PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDI
        install.remote \
        install.testing
 
-# Only need this on Fedora until nftables becomes the default
+# See above for the iptables.conf declaration
-%if %{defined fedora}
+%if %{defined fedora} && 0%{?fedora} < 41
 %{__make} DESTDIR=%{buildroot} MODULESLOADDIR=%{_modulesloaddir} install.modules-load
 %endif
 
@@ -298,7 +322,7 @@ rm -f %{buildroot}%{_mandir}/man5/docker*.5
 install -d -p %{buildroot}%{_datadir}/%{name}/test/system
 cp -pav test/system %{buildroot}%{_datadir}/%{name}/test/
 
-%ifarch x86_64 aarch64
+%ifarch %{machine_arches}
 # symlink virtiofsd in %%{name} libexecdir for machine subpackage
 ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
 %endif
@@ -306,6 +330,9 @@ ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
 
+# Include empty check to silence rpmlint warning
+%check
+
 %files -f %{name}.file-list
 %license LICENSE vendor/modules.txt
 %doc README.md CONTRIBUTING.md install.md transfer.md
@@ -324,7 +351,10 @@ ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
 %{_tmpfilesdir}/%{name}.conf
 %{_systemdgeneratordir}/%{name}-system-generator
 %{_systemdusergeneratordir}/%{name}-user-generator
-%if %{defined fedora}
+# iptables modules are only needed with iptables-legacy,
+# as of f41 netavark will default to nftables so do not load unessary modules
+# https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault
+%if %{defined fedora} && 0%{?fedora} < 41
 %{_modulesloaddir}/%{name}-iptables.conf
 %endif
 
@@ -353,13 +383,17 @@ ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
 %{_bindir}/%{name}sh
 %{_mandir}/man1/%{name}sh.1*
 
-%ifarch x86_64 aarch64
+%ifarch %{machine_arches}
 %files machine
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/virtiofsd
 %endif
 
 %changelog
+* Wed Feb 12 2025 Jindrich Novy <jnovy@redhat.com> - 6:5.4.0-1
+- update to https://github.com/containers/podman/releases/tag/v5.4.0
+- Related: RHEL-58990
+
 * Wed Jan 22 2025 Jindrich Novy <jnovy@redhat.com> - 6:5.3.2-1
 - update to https://github.com/containers/podman/releases/tag/v5.3.2
 - Related: RHEL-58990

sources

@@ -1 +1 @@
-SHA512 (podman-5.3.2-85043bb.tar.gz) = 8d3d9663605921579bf4f243e38c71ecce15dd07bc63812fb81bdab778715f96e4dfb42c5fb896530be4e42c622e017e7e8e948a5e24030939d9ebaeab4aaa75
+SHA512 (podman-5.4.0-f9f7d48.tar.gz) = 44552281b586db588da2dc3af1b3c65ebd9ef25f815ee4061631d553aff41e4e5c622faf2f8f92c4d5f800d9d9d95ab0c5f4962f3608be57cac4a5d9479caef6