

No commits in common. "c8-stream-1.0" and "c10s" have entirely different histories.

23 changed files with 754 additions and 965 deletions

1
.fmf/version Normal file

@ -0,0 +1 @@
1

3
.gitignore vendored

@ -1,2 +1 @@
SOURCES/cri-o-9b1f0a0.tar.gz
SOURCES/libpod-921f98f.tar.gz
/*.tar.*

141
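--- a/.packit.yaml
+++ b/.packit.yaml
@@ -0,0 +1,141 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+downstream_package_name: podman
+upstream_tag_template: v{version}
+packages:
+podman-fedora:
+pkg_tool: fedpkg
+specfile_path: rpm/podman.spec
+podman-centos:
+pkg_tool: centpkg
+specfile_path: rpm/podman.spec
+podman-rhel:
+specfile_path: rpm/podman.spec
+podman-eln:
+specfile_path: rpm/podman.spec
+srpm_build_deps:
+- git-archive-all
+- make
+actions:
+fix-spec-file:
+- "bash .packit.sh"
+jobs:
+- job: copr_build
+trigger: pull_request
+packages: [podman-fedora]
+notifications: &packit_build_failure_notification
+failure_comment:
+message: "Ephemeral COPR build failed. @containers/packit-build please check."
+enable_net: true
+targets:
+- fedora-development-x86_64
+- fedora-development-aarch64
+- fedora-latest-x86_64
+- fedora-latest-aarch64
+- fedora-latest-stable-x86_64
+- fedora-latest-stable-aarch64
+- fedora-40-x86_64
+- fedora-40-aarch64
+- job: copr_build
+trigger: pull_request
+packages: [podman-eln]
+notifications: *packit_build_failure_notification
+enable_net: true
+targets:
+fedora-eln-x86_64:
+additional_repos:
+- "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
+fedora-eln-aarch64:
+additional_repos:
+- "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
+- job: copr_build
+trigger: pull_request
+packages: [podman-centos]
+notifications: *packit_build_failure_notification
+enable_net: true
+targets:
+- centos-stream-9-x86_64
+- centos-stream-9-aarch64
+- centos-stream-10-x86_64
+- centos-stream-10-aarch64
+- job: copr_build
+trigger: pull_request
+packages: [podman-rhel]
+notifications: *packit_build_failure_notification
+enable_net: true
+targets:
+- epel-9-x86_64
+- epel-9-aarch64
+# Run on commit to main branch
+- job: copr_build
+trigger: commit
+packages: [podman-fedora]
+notifications:
+failure_comment:
+message: "podman-next COPR build failed. @containers/packit-build please check."
+branch: main
+owner: rhcontainerbot
+project: podman-next
+enable_net: true
+- job: tests
+identifier: cockpit-revdeps
+trigger: pull_request
+packages: [podman-fedora]
+notifications:
+failure_comment:
+message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check."
+targets:
+- fedora-latest-stable
+- fedora-development
+tf_extra_params:
+environments:
+- artifacts:
+- type: repository-file
+id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo
+- type: repository-file
+id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+tmt:
+context:
+revdeps: "yes"
+- job: propose_downstream
+trigger: release
+update_release: false
+packages: [podman-fedora]
+dist_git_branches: &fedora_targets
+- fedora-all
+- job: propose_downstream
+trigger: release
+update_release: false
+packages: [podman-centos]
+dist_git_branches:
+- c10s
+- job: koji_build
+trigger: commit
+sidetag_group: podman-releases
+dist_git_branches: *fedora_targets
+- job: bodhi_update
+trigger: koji_build
+sidetag_group: podman-releases
+# Dependencies are not rpm dependencies, but packages that should go in the
+# same bodhi update
+# Ref: https://packit.dev/docs/fedora-releases-guide/releasing-multiple-packages
+dependencies:
+- buildah
+- containers-common
+- skopeo
+dist_git_branches: *fedora_targets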
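Review bot: The `koji_build` and `bodhi_update` jobs at the end of the file are the only jobs with no `packages:` key, while every other job is pinned to exactly one of the four declared packages. If packit's default of applying an unpinned job to every declared package holds here, both jobs would also be scheduled for podman-centos, podman-rhel and podman-eln against the Fedora branch set, which looks unintended given the centpkg-based podman-centos package and its separate `c10s` propose_downstream job. Adding `packages: [podman-fedora]` next to `sidetag_group: podman-releases` in each of the two jobs makes the scope explicit and removes the dependence on that default. Separately, all four pull_request-triggered `copr_build` jobs set `enable_net: true`, so SRPM builds of not-yet-reviewed PR content (including the `fix-spec-file` action running `bash .packit.sh`, presumably from the PR checkout) get network access; a short comment above the first of them naming what in the build actually needs the network would document that trade-off for later reviewers.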


@ -1,2 +0,0 @@
b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz

3
README.packit Normal file

@ -0,0 +1,3 @@
This repository is maintained by packit.
https://packit.dev/
The file was generated using packit 0.101.0.


@ -1,31 +0,0 @@
From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Fri, 19 Feb 2021 11:34:39 -0500
Subject: [PATCH] Only drop all caps in exec when non-root
We were dropping too many capabilities otherwise, which broke
some critical system tools (e.g. useradd) in exec sessions.
Fix RHBZ#1930552
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
libpod/oci_conmon_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index d5973a1a6..18ede031e 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
pspec.Capabilities.Effective = []string{}
if privileged {
pspec.Capabilities.Bounding = allCaps
- } else {
+ } else if execUser.Uid != 0 {
pspec.Capabilities.Bounding = []string{}
}
pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
--
2.29.2


@ -1,23 +0,0 @@
From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Thu, 24 Sep 2020 10:42:13 -0400
Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
cmd/podman/sigproxy.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
index 16861bad04..92d7f4e4a9 100644
--- a/cmd/podman/sigproxy.go
+++ b/cmd/podman/sigproxy.go
@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
for s := range sigBuffer {
// Ignore SIGCHLD and SIGPIPE - these are mostly likely
// intended for the podman command itself.
- if s == signal.SIGCHLD || s == signal.SIGPIPE {
+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
continue
}


@ -1,48 +0,0 @@
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
From: TomSweeneyRedHat <tsweeney@redhat.com>
Date: Tue, 24 Mar 2020 20:10:22 -0400
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
Stealing @nalind 's workaround to avoid refetching
content after a file read failure. Under the right
circumstances that could be a symlink to a file meant
to overwrite a good file with bad data.
Testing:
```
goodstuff
[1] 14901
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
no FROM statement found
goodstuff
```
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
imagebuildah/util.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
@@ -12,6 +12,7 @@ import (
"github.com/containers/buildah"
"github.com/containers/storage/pkg/chrootarchive"
+ "github.com/containers/storage/pkg/ioutils"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
}
dockerfile := filepath.Join(dir, "Dockerfile")
// Assume this is a Dockerfile
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
}
}


@ -1,319 +0,0 @@
From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Mon, 25 Jan 2021 14:18:07 -0500
Subject: [PATCH] Correct handling of capabilities
Ensure that capabilities are properly handled for non-root users
in privileged containers. We do not want to give full caps, but
instead only CapInh and CapEff (others should be all-zeroes).
Fixing `podman run` is easy - the same code as the Podman 1.6 fix
works there. The `podman exec` command is far more challenging.
Exec received a complete rewrite to use Conmon at some point
before Podman 1.6, and gained many capabilities in the process.
One of those was the ability to actually tweak the capabilities
of the exec process - 1.0 did not have that. Since it was needed
to resolve this CVE, I was forced to backport a large bit of the
1.0 -> 1.6 exec changes (passing a Process block to the OCI
runtime, and using `prepareProcessExec()` to prepare said block).
I am honestly uncomfortable with the size and scope of this
change but I don't see another way around this.
Fixes CVE-2021-20188
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
libpod/container_api.go | 24 +------
libpod/oci.go | 148 ++++++++++++++++++++++++++++++++--------
pkg/spec/spec.go | 8 +++
3 files changed, 132 insertions(+), 48 deletions(-)
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig 2019-02-11 16:26:46.000000000 +0100
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go 2021-02-12 10:38:48.767172399 +0100
@@ -2,7 +2,6 @@ package libpod
import (
"context"
- "fmt"
"io/ioutil"
"os"
"strconv"
@@ -11,9 +10,7 @@ import (
"github.com/containers/libpod/libpod/driver"
"github.com/containers/libpod/pkg/inspect"
- "github.com/containers/libpod/pkg/lookup"
"github.com/containers/storage/pkg/stringid"
- "github.com/docker/docker/daemon/caps"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"k8s.io/apimachinery/pkg/util/wait"
@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
// TODO allow specifying streams to attach to
// TODO investigate allowing exec without attaching
func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
- var capList []string
-
locked := false
if !c.batched {
locked = true
@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
if conState != ContainerStateRunning {
return errors.Errorf("cannot exec into container that is not running")
}
- if privileged || c.config.Privileged {
- capList = caps.GetAllCapabilities()
- }
- // If user was set, look it up in the container to get a UID to use on
- // the host
- hostUser := ""
- if user != "" {
- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
- if err != nil {
- return err
- }
-
- // runc expects user formatted as uid:gid
- hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
- }
+ isPrivileged := privileged || c.config.Privileged
// Generate exec session ID
// Ensure we don't conflict with an existing session ID
@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
if err != nil {
return errors.Wrapf(err, "error exec %s", c.ID())
}
+ defer os.Remove(processFile)
chWait := make(chan error)
go func() {
chWait <- execCmd.Wait()
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig 2019-02-11 16:26:46.000000000 +0100
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go 2021-02-12 10:38:48.768172416 +0100
@@ -15,10 +15,12 @@ import (
"syscall"
"time"
+ "github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/util"
"github.com/coreos/go-systemd/activation"
"github.com/cri-o/ocicni/pkg/ocicni"
+ "github.com/docker/docker/daemon/caps"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
// TODO: Add --detach support
// TODO: Convert to use conmon
// TODO: add --pid-file and use that to generate exec session tracking
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
if len(cmd) == 0 {
- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
}
if sessionID == "" {
- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
}
runtimeDir, err := util.GetRootlessRuntimeDir()
if err != nil {
- return nil, err
+ return nil, "", err
+ }
+
+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
+ if err != nil {
+ return nil, "", err
}
args := []string{}
@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
args = append(args, "exec")
- if cwd != "" {
- args = append(args, "--cwd", cwd)
- }
+ args = append(args, "--process", processFile)
args = append(args, "--pid-file", c.execPidPath(sessionID))
- if tty {
- args = append(args, "--tty")
- } else {
- args = append(args, "--tty=false")
- }
-
- if user != "" {
- args = append(args, "--user", user)
- }
-
if c.config.Spec.Process.NoNewPrivileges {
args = append(args, "--no-new-privs")
}
- for _, cap := range capAdd {
- args = append(args, "--cap", cap)
- }
-
- for _, envVar := range env {
- args = append(args, "--env", envVar)
- }
-
// Append container ID and command
args = append(args, c.ID())
args = append(args, cmd...)
@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
if err := execCmd.Start(); err != nil {
- return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
}
- return execCmd, nil
+ return execCmd, processFile, nil
}
// execStopContainer stops all active exec sessions in a container
@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
args = append(args, ctr.ID())
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
}
+
+// prepareProcessExec returns the path of the process.json used in runc exec -p.
+// Returns path to the created exec process file. This will need to be removed
+// by the caller when they're done, best effort.
+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
+ if err != nil {
+ return "", err
+ }
+ defer f.Close()
+
+ pspec := c.config.Spec.Process
+ pspec.SelinuxLabel = c.config.ProcessLabel
+ pspec.Args = cmd
+ // We need to default this to false else it will inherit terminal as true
+ // from the container.
+ pspec.Terminal = false
+ if tty {
+ pspec.Terminal = true
+ }
+ if len(env) > 0 {
+ pspec.Env = append(pspec.Env, env...)
+ }
+
+ if cwd != "" {
+ pspec.Cwd = cwd
+
+ }
+
+ var addGroups []string
+ var sgids []uint32
+
+ // if the user is empty, we should inherit the user that the container is currently running with
+ if user == "" {
+ user = c.config.User
+ addGroups = c.config.Groups
+ }
+
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
+ if err != nil {
+ return "", err
+ }
+
+ if len(addGroups) > 0 {
+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
+ if err != nil {
+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
+ }
+ }
+
+ // If user was set, look it up in the container to get a UID to use on
+ // the host
+ if user != "" || len(sgids) > 0 {
+ if user != "" {
+ for _, sgid := range execUser.Sgids {
+ sgids = append(sgids, uint32(sgid))
+ }
+ }
+ processUser := spec.User{
+ UID: uint32(execUser.Uid),
+ GID: uint32(execUser.Gid),
+ AdditionalGids: sgids,
+ }
+
+ pspec.User = processUser
+ }
+
+ allCaps := caps.GetAllCapabilities()
+ pspec.Capabilities.Effective = []string{}
+ if privileged {
+ pspec.Capabilities.Bounding = allCaps
+ } else {
+ pspec.Capabilities.Bounding = []string{}
+ }
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective
+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective
+ }
+
+ hasHomeSet := false
+ for _, s := range pspec.Env {
+ if strings.HasPrefix(s, "HOME=") {
+ hasHomeSet = true
+ break
+ }
+ }
+ if !hasHomeSet {
+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
+ }
+
+ processJSON, err := json.Marshal(pspec)
+ if err != nil {
+ return "", err
+ }
+
+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
+ return "", err
+ }
+
+ return filename, nil
+}
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig 2019-02-11 16:26:46.000000000 +0100
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go 2021-02-12 10:38:48.768172416 +0100
@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
}
} else {
g.SetupPrivileged(true)
+ if config.User != "" {
+ user := strings.SplitN(config.User, ":", 2)[0]
+ if user != "root" && user != "0" {
+ g.Spec().Process.Capabilities.Effective = []string{}
+ g.Spec().Process.Capabilities.Permitted = []string{}
+ g.Spec().Process.Capabilities.Ambient = []string{}
+ }
+ }
}
// HANDLE SECCOMP


@ -1,540 +0,0 @@
%global with_debug 1
%global with_check 0
%if 0%{?with_debug}
%global _find_debuginfo_dwz_opts %{nil}
%global _dwz_low_mem_die_limit 0
%else
%global debug_package %{nil}
%endif
%define gobuild(o:) \
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
%define gogenerate go generate
%if 0%{?rhel} > 7 || 0%{?fedora}
%bcond_without varlink
%else
%bcond_with varlink
%endif
%global provider github
%global provider_tld com
%global project containers
%global repo libpod
# https://github.com/containers/libpod
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%global git_podman https://%{provider}.%{provider_tld}/%{project}/%{repo}
%global commit 921f98f8795eb9fcb19ce581020cfdeff6dee09f
%global shortcommit %(c=%{commit}; echo ${c:0:7})
%global import_path_conmon github.com/kubernetes-sigs/cri-o
%global git_conmon https://%{import_path_conmon}
%global commit_conmon 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2
%global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7})
Name: podman
Version: 1.0.0
Release: 8.git%{shortcommit}%{?dist}
Summary: Manage Pods, Containers and Container Images
License: ASL 2.0
URL: %{git_podman}
Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
Patch0: podman-CVE-2020-10696.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882267
# patch: https://github.com/mheon/libpod/commit/bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea.patch
Patch1: podman-1882267.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1918285
Patch2: podman-CVE-2021-20188.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1930552
Patch3: 0001-Only-drop-all-caps-in-exec-when-non-root.patch
# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
#ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
BuildRequires: device-mapper-devel
BuildRequires: glib2-devel
BuildRequires: glibc-devel
BuildRequires: glibc-static
BuildRequires: git
BuildRequires: go-md2man
BuildRequires: gpgme-devel
BuildRequires: libassuan-devel
BuildRequires: libgpg-error-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: ostree-devel
BuildRequires: pkgconfig
Requires: runc
Requires: containers-common >= 0.1.29-3
# can't use default conmon right now, so we ship our own
#Requires: conmon
Requires: containernetworking-plugins >= 0.7.3-5
Requires: iptables
Requires: nftables
Requires: oci-systemd-hook
Recommends: container-selinux
Recommends: slirp4netns
Recommends: fuse-overlayfs
# vendored libraries
# awk '{print "Provides: bundled(golang("$1")) = "$2}' vendor.conf | sort
# [thanks to Carl George <carl@george.computer> for containerd.spec]
Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
Provides: bundled(golang(github.com/boltdb/bolt)) = master
Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3
Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0
Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b
Provides: bundled(golang(github.com/containerd/continuity)) = master
Provides: bundled(golang(github.com/containernetworking/cni)) = v0.7.0-alpha1
Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418
Provides: bundled(golang(github.com/containers/psgo)) = 382fc951fe0a8aba62043862ce1a56f77524db87
Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
Provides: bundled(golang(github.com/coreos/go-systemd)) = v14
Provides: bundled(golang(github.com/cri-o/ocicni)) = master
Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1
Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0
Provides: bundled(golang(github.com/docker/distribution)) = 7a8efe719e55bbfaff7bc5718cdf0ed51ca821df
Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00
Provides: bundled(golang(github.com/docker/docker-credential-helpers)) = d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
Provides: bundled(golang(github.com/docker/go-connections)) = 3ede32e2033de7505e6500d6c868c2b9ed9f169d
Provides: bundled(golang(github.com/docker/go-units)) = v0.3.2
Provides: bundled(golang(github.com/docker/libtrust)) = aabc10ec26b754e797f9028f4589c5b7bd90dc20
Provides: bundled(golang(github.com/docker/spdystream)) = ed496381df8283605c435b86d4fdd6f4f20b8c6e
Provides: bundled(golang(github.com/fatih/camelcase)) = f6a740d52f961c60348ebb109adde9f4635d7540
Provides: bundled(golang(github.com/fsnotify/fsnotify)) = 7d7316ed6e1ed2de075aab8dfc76de5d158d66e1
Provides: bundled(golang(github.com/fsouza/go-dockerclient)) = master
Provides: bundled(golang(github.com/ghodss/yaml)) = 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
Provides: bundled(golang(github.com/godbus/dbus)) = a389bdde4dd695d414e47b755e95e72b7826432c
Provides: bundled(golang(github.com/gogo/protobuf)) = c0656edd0d9eab7c66d1eb0c568f9039345796f7
Provides: bundled(golang(github.com/golang/glog)) = 23def4e6c14b4da8ac2ed8007337bc5eb5007998
Provides: bundled(golang(github.com/golang/groupcache)) = b710c8433bd175204919eb38776e944233235d03
Provides: bundled(golang(github.com/golang/protobuf)) = 4bd1920723d7b7c925de087aa32e2187708897f7
Provides: bundled(golang(github.com/googleapis/gnostic)) = 0c5108395e2debce0d731cf0287ddf7242066aba
Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c
Provides: bundled(golang(github.com/gorilla/context)) = v1.1
Provides: bundled(golang(github.com/gorilla/mux)) = v1.3.0
Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55
Provides: bundled(golang(github.com/hashicorp/golang-lru)) = 0a025b7e63adc15a622f29b0b2c4c3848243bbf6
Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe4df460eeb6f30841ae47d4c4
Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2
Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0
Provides: bundled(golang(github.com/kr/pty)) = v1.0.0
Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1
Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a
Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982
Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1
Provides: bundled(golang(github.com/mrunalp/fileutils)) = master
Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9
Provides: bundled(golang(github.com/Nvveen/Gotty)) = master
Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0-rc0
Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0
Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0
Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = 625e2322645b151a7cbb93a8b42920933e72167f
Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a
Provides: bundled(golang(github.com/openshift/imagebuilder)) = master
Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master
Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2
Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
Provides: bundled(golang(github.com/projectatomic/buildah)) = 35a37f36d37bf84397d7f79f6bb8649f728c19f1
Provides: bundled(golang(github.com/seccomp/containers-golang)) = master
Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0
Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
Provides: bundled(golang(github.com/spf13/pflag)) = 9ff6c6923cfffbcd502984b8e0c80539a94968b7
Provides: bundled(golang(github.com/stretchr/testify)) = 4d4bfba8f1d1027c4fdbe371823030df51419987
Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b3855136a2642b197bad7366ba
Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4
Provides: bundled(golang(github.com/ulule/deepcopier)) = master
# version can't have '-'
#Provides: bundled(golang(github.com/urfave/cli)) = fix-short-opts-parsing
Provides: bundled(golang(github.com/varlink/go)) = master
Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2
Provides: bundled(golang(github.com/vishvananda/netlink)) = master
Provides: bundled(golang(github.com/vishvananda/netns)) = master
Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = master
Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = master
Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = master
Provides: bundled(golang(golang.org/x/crypto)) = 81e90905daefcd6fd217b62423c0908922eadb30
Provides: bundled(golang(golang.org/x/net)) = c427ad74c6d7a814201695e9ffde0c5d400a7674
Provides: bundled(golang(golang.org/x/sys)) = master
Provides: bundled(golang(golang.org/x/text)) = f72d8390a633d5dfb0cc84043294db9f6c935756
Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631
Provides: bundled(golang(google.golang.org/grpc)) = v1.0.4
Provides: bundled(golang(gopkg.in/cheggaaa/pb.v1)) = v1.0.7
Provides: bundled(golang(gopkg.in/inf.v0)) = v0.9.0
Provides: bundled(golang(gopkg.in/mgo.v2)) = v2
Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = v2.1.3
Provides: bundled(golang(gopkg.in/yaml.v2)) = v2
Provides: bundled(golang(k8s.io/api)) = 5ce4aa0bf2f097f6021127b3d879eeda82026be8
Provides: bundled(golang(k8s.io/apiextensions-apiserver)) = 1b31e26d82f1ec2e945c560790e98f34bb5f2e63
Provides: bundled(golang(k8s.io/apimachinery)) = 616b23029fa3dc3e0ccefd47963f5651a6543d94
Provides: bundled(golang(k8s.io/apiserver)) = 4d1163080139f1f9094baf8a3a6099e85e1867f6
Provides: bundled(golang(k8s.io/client-go)) = 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e
Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee5560b555ac9
Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e
%description
%{summary}
libpod provides a library for applications looking to use
the Container Pod concept popularized by Kubernetes.
%package docker
Summary: Emulate Docker CLI using podman
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
Conflicts: docker
Provides : docker
Conflicts: docker-latest
Conflicts: docker-ce
Conflicts: docker-ee
%description docker
This package installs a script named docker that emulates the Docker CLI by
executing %{name} commands, it also creates links between all Docker CLI man
pages and %{name}.
%prep
%autosetup -Sgit -n %{repo}-%{commit}
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
# untar cri-o
tar zxf %{SOURCE1}
%build
mkdir -p $(pwd)/_build
pushd $(pwd)/_build
mkdir -p src/%{provider}.%{provider_tld}/%{project}
ln -s ../../../../ src/%{import_path}
popd
ln -s vendor src
export GOPATH=$(pwd):$(pwd)/_build
export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
%gobuild -o bin/%{name} %{import_path}/cmd/%{name}
# build conmon
pushd cri-o-%{commit_conmon}
mkdir _output
pushd _output
mkdir -p src/%{provider}.%{provider_tld}/{kubernetes-sigs,opencontainers}
ln -s $(dirs +1 -l) src/%{import_path_conmon}
popd
ln -s vendor src
export GOPATH=$(pwd):$(pwd)/_output
export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
%gobuild -o bin/crio-config %{import_path_conmon}/cmd/crio-config
cd conmon && ../bin/crio-config
%{__make} all
popd
%install
install -dp %{buildroot}{%{_unitdir}
%{__make} PREFIX=%{buildroot}%{_usr} ETCDIR=%{buildroot}%{_sysconfdir} \
install.bin \
install.man \
install.cni \
install.systemd \
install.completions \
install.docker
# install libpod.conf
install -dp %{buildroot}%{_datadir}/containers
install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers
# install conmon
install -dp %{buildroot}%{_libexecdir}/%{name}
install -p -m 755 cri-o-%{commit_conmon}/bin/conmon %{buildroot}%{_libexecdir}/%{name}
%check
%if 0%{?with_check}
ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%gotest %{import_path}/cmd/%{name}
%gotest %{import_path}/libkpod
%gotest %{import_path}/libpod
%gotest %{import_path}/pkg/registrar
%endif
#define license tag if not already defined
%{!?_licensedir:%global license %doc}
%files
%license LICENSE
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
%{_bindir}/%{name}
%{_mandir}/man1/podman*.1*
%{_mandir}/man5/*.5*
%{_datadir}/bash-completion/completions/*
%{_libexecdir}/%{name}/conmon
%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
%{_datadir}/containers/%{repo}.conf
%{_unitdir}/io.%{name}.service
%{_unitdir}/io.%{name}.socket
%{_usr}/lib/tmpfiles.d/%{name}.conf
%files docker
%{_bindir}/docker
%{_mandir}/man1/docker*.1*
%changelog
* Mon Mar 01 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-8.git921f98f
- fix "podman can not create user inside of container" regression introduced by
patch for CVE-2021-20188
- Related: #1918285
* Fri Feb 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-7.git921f98f
- fix CVE-2021-20188
- Resolves: #1918285
* Thu Sep 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-6.git921f98f
- fix "podman run errors out/segfaults in container-tools-1.0-8.3.0"
- Resolves: #1882267
* Fri Jun 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-5.git921f98f
- bump release to preserve upgrade path
- Resolves: #1821193
* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
- Resolves: #1818122
* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
- rebuild because of CVE-2019-9512 and CVE-2019-9514
- Resolves: #1766294, #1766322
* Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
- rebase
* Tue Jan 15 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-1.git82e8011
- rebase to v1, yay!
- rebase conmon to 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2
- Resolves:#1623282
- python interface removed, moved to https://github.com/containers/python-podman/
* Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.12.1.2-4.git9551f6b
- re-enable debuginfo
* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.12.1.2-3.git9551f6b
- python libraries added
- resolves: #1657180
* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.12.1.2-2.git9551f6b
- rebase
* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11.1.1-3.git594495d
- go tools not in scl anymore
* Mon Nov 19 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11.1.1-2.git594495d
- fedora-like buildrequires go toolset
* Sat Nov 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.11.1.1-1.git594495d
- Resolves: #1636230 - build with FIPS enabled golang toolchain
- bump to v0.11.1.1
- built commit 594495d
* Fri Nov 16 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11.1-3.gita4adfe5
- podman-docker provides docker
- Resolves: #1650355
* Thu Nov 15 2018 Lumír Balhar <lbalhar@redhat.com> - 0.11.1-2.gita4adfe5
- Require platform-python-setuptools instead of python3-setuptools
- Resolves: rhbz#1650144
* Tue Nov 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.11.1-1.gita4adfe5
- bump to v0.11.1
- built libpod commit a4adfe5
- built conmon from cri-o commit 464dba6
* Fri Oct 19 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-5.gitdb08685
- Resolves: #1625384 - keep BR: device-mapper-devel but don't build with it
- not having device-mapper-devel seems to have brew not recognize %%{_unitdir}
* Thu Oct 18 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-4.gitdb08685
- Resolves: #1625384 - correctly add buildtags to remove devmapper
* Thu Oct 18 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-3.gitdb08685
- Resolves: #1625384 - build without device-mapper-devel (no podman support) and lvm2
* Wed Oct 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-2.gitdb08685
- Resolves: #1625384 - depend on lvm2
* Wed Oct 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-1.gitdb08685
- Resolves: #1640298 - update vendored buildah to allow building when there are
running containers
- bump to v0.10.1.3
- built podman commit db08685
* Wed Oct 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.2-1.git2b4f8d1
- Resolves: #1625378
- bump to v0.10.1.2
- built podman commit 2b4f8d1
* Tue Oct 16 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.1-1.git4bea3e9
- bump to v0.10.1.1
- built podman commit 4bea3e9
* Thu Oct 11 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1-1.gite4a1553
- bump podman to v0.10.1
- built podman commit e4a1553
- built conmon from cri-o commit a30f93c
* Tue Oct 09 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.3.1-4.git1cd906d
- rebased cri-o to 1.11.6
* Wed Sep 26 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.3.1-3.git1cd906d
- rebase
* Tue Sep 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.2-2.git37a2afe
- rebase to podman 0.9.2
- rebase to cri-o 0.11.4
* Tue Sep 11 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.1.1-2.git123de30
- rebase
* Mon Aug 27 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.4-1.git9f9b8cf
- bump to v0.8.4
- built commit 9f9b8cf
- upstream username changed from projectatomic to containers
- use containernetworking-plugins >= 0.7.3-5
* Mon Aug 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.2.1-2.git7a526bb
- Resolves: #1615607 - rebuild with gobuild tag 'no_openssl'
* Sun Aug 12 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.2.1-1.git7a526bb
- Upstream 0.8.2.1 release
- Add support for podman-docker
Resolves: rhbz#1615104
* Fri Aug 10 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.2-1.dev.git8b2d38e
- Resolves: #1614710 - podman search name includes registry
- bump to v0.8.2-dev
- built libpod commit 8b2d38e
- built conmon from cri-o commit acc0ee7
* Wed Aug 8 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.1-2.git6b4ab2a
- Add recommends for slirp4netns and container-selinux
* Tue Aug 07 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.1-2.git6b4ab2a
- bump to v0.8.1
- use %%go{build,generate} instead of go build and go generate
- update go deps to use scl-ized builds
- No need for Makefile patch for python installs
* Sat Aug 4 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.1-1.git6b4ab2a
- Bump to v0.8.1
* Wed Aug 1 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.4-2.git079121
- podman should not require atomic-registries
* Tue Jul 24 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.7.4-1.dev.git9a18681
- bump to v0.7.4-dev
- built commit 9a18681
* Sat Jul 21 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.3-2.git079121
- Turn on ostree support
- Upstream 0.7.3
* Sat Jul 14 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.2-2.git4ca4c5f
- Upstream 0.7.2 release
* Wed Jul 11 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.7.1-3.git84cfdb2
- rebuilt
* Wed Jul 11 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.7.1-2.git84cfdb2
- rebase to 84cfdb2
* Sun Jul 08 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.1-1.git802d4f2
- Upstream 0.7.1 release
* Mon Jun 25 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.4-2.gitd5beb2f
- disable devel and unittest subpackages
- include conditionals for rhel-8.0
* Fri Jun 22 2018 Dan Walsh <dwalsh@redhat.com> - 0.6.4-1.gitd5beb2f
- do not compress debuginfo with dwz to support delve debugger
* Mon Jun 04 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.1-3.git3e0ff12
- do not compress debuginfo with dwz to support delve debugger
* Mon Jun 04 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.1-2.git3e0ff12
- bash completion shouldn't have shebang
* Mon Jun 04 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.1-1.git3e0ff12
- Resolves: #1584429 - drop capabilities when running a container as non-root
- bump to v0.6.1
- built podman commit 3e0ff12
- built conmon from cri-o commit 1c0c3b0
- drop containernetworking-plugins subpackage, it's now split out into a standalone
package
* Fri Apr 27 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-4.gitb51d327
- Resolves: #1572538 - build host-device and portmap plugins
* Thu Apr 12 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-3.gitb51d327
- correct dep on containernetworking-plugins
* Thu Apr 12 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-2.gitb51d327
- add containernetworking-plugins v0.7.0 as a subpackage (podman dep)
- release tag for the containernetworking-plugins is actually gotten from
podman release tag.
* Wed Apr 11 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-1.gitb51d327
- bump to v0.4.1
- built commit b51d327
* Wed Mar 14 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0.3.3-1.dev.gitbc358eb
- built podman commit bc358eb
- built conmon from cri-o commit 712f3b8
* Fri Mar 09 2018 baude <bbaude@redhat.com> - 0.3.2-1.gitf79a39a
- Release 0.3.2-1
* Sun Mar 04 2018 baude <bbaude@redhat.com> - 0.3.1-2.git98b95ff
- Correct RPM version
* Fri Mar 02 2018 baude <bbaude@redhat.com> - 0.3.1-1-gitc187538
- Release 0.3.1-1
* Sun Feb 25 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.2.2-2.git525e3b1
- Build on ARMv7 too (Fedora supports containers on that arch too)
* Fri Feb 23 2018 baude <bbaude@redhat.com> - 0.2.2-1.git525e3b1
- Release 0.2.2
* Fri Feb 16 2018 baude <bbaude@redhat.com> - 0.2.1-1.git3d0100b
- Release 0.2.1
* Wed Feb 14 2018 baude <bbaude@redhat.com> - 0.2-3.git3d0100b
- Add dep for atomic-registries
* Tue Feb 13 2018 baude <bbaude@redhat.com> - 0.2-2.git3d0100b
- Add more 64bit arches
- Add containernetworking-cni dependancy
- Add iptables dependancy
* Mon Feb 12 2018 baude <bbaude@redhat.com> - 0-2.1.git3d0100
- Release 0.2
* Tue Feb 06 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0-0.3.git367213a
- Resolves: #1541554 - first official build
- built commit 367213a
* Fri Feb 02 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0-0.2.git0387f69
- built commit 0387f69
* Wed Jan 10 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0-0.1.gitc1b2278
- First package for Fedora

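--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+# recipients: jnovy, lsm5, santiago
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}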

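--- /dev/null
+++ b/plans/basic.fmf
@@ -0,0 +1,8 @@
+summary: Check basic functionality
+discover:
+how: fmf
+execute:
+how: tmt
+prepare:
+how: feature
+epel: enabled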

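--- /dev/null
+++ b/podman.spec
+%global with_debug 1
+%if 0%{?with_debug}
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+%global import_path github.com/containers/podman
+%global branch v5.2-rhel
+%global commit0 458f9b42760bf79aae4a96d0610b22f317ac7714
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+# RHEL's default %%gobuild macro doesn't account for the BUILDTAGS variable, so we
+# set it separately here and do not depend on RHEL's go-[s]rpm-macros package
+# until that's fixed.
+# c9s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227328
+%if %{defined rhel} && 0%{?rhel} < 10
+%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
+%global gomodulesmode GO111MODULE=on
+%if %{defined rhel}
+# _user_tmpfiles.d currently undefined on rhel
+%global _user_tmpfilesdir %{_datadir}/user-tmpfiles.d
+%endif
+%if %{defined fedora}
+%define build_with_btrfs 1
+%endif
+%if %{defined copr_username}
+%define copr_build 1
+%endif
+%global container_base_path github.com/containers
+%global container_base_url https://%{container_base_path}
+# For LDFLAGS
+%global ld_project %{container_base_path}/%{name}/v5
+%global ld_libpod %{ld_project}/libpod
+# %%{name}
+%global git0 %{container_base_url}/%{name}
+Name: podman
+%if %{defined copr_build}
+Epoch: 102
+%else
+Epoch: 6
+%endif
+# DO NOT TOUCH the Version string!
+# The TRUE source of this specfile is:
+# https://github.com/containers/podman/blob/main/rpm/podman.spec
+# If that's what you're reading, Version must be 0, and will be updated by Packit for
+# copr and koji builds.
+# If you're reading this on dist-git, the version is automatically filled in by Packit.
+Version: 5.2.2
+# The `AND` needs to be uppercase in the License for SPDX compatibility
+License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
+Release: 2%{?dist}
+%if %{defined golang_arches_future}
+ExclusiveArch: %{golang_arches_future}
+%else
+ExclusiveArch: aarch64 ppc64le s390x x86_64
+%endif
+Summary: Manage Pods, Containers and Container Images
+URL: https://%{name}.io/
+# All SourceN files fetched from upstream
+%if 0%{?branch:1}
+Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
+%else
+Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
+%endif
+Provides: %{name}-manpages = %{epoch}:%{version}-%{release}
+BuildRequires: %{_bindir}/envsubst
+%if %{defined build_with_btrfs}
+BuildRequires: btrfs-progs-devel
+%endif
+BuildRequires: gcc
+BuildRequires: glib2-devel
+BuildRequires: glibc-devel
+BuildRequires: glibc-static
+BuildRequires: golang
+BuildRequires: git-core
+%if %{undefined rhel} || 0%{?rhel} >= 10
+BuildRequires: go-rpm-macros
+%endif
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: libgpg-error-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+BuildRequires: shadow-utils-subid-devel
+BuildRequires: pkgconfig
+BuildRequires: make
+BuildRequires: man-db
+BuildRequires: ostree-devel
+BuildRequires: systemd
+BuildRequires: systemd-devel
+Requires: catatonit
+Requires: conmon >= 2:2.1.7-2
+%if %{defined fedora} && 0%{?fedora} >= 40
+# TODO: Remove the f40 conditional after a few releases to keep conditionals to
+# a minimum
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2269148
+Requires: containers-common-extra >= 5:0.58.0-1
+%else
+Requires: containers-common-extra
+%endif
+Provides: %{name}-quadlet
+Obsoletes: %{name}-quadlet <= 5:4.4.0-1
+Provides: %{name}-quadlet = %{epoch}:%{version}-%{release}
+%description
+%{name} (Pod Manager) is a fully featured container engine that is a simple
+daemonless tool. %{name} provides a Docker-CLI comparable command line that
+eases the transition from other container engines and allows the management of
+pods, containers and images. Simply put: alias docker=%{name}.
+Most %{name} commands can be run as a regular user, without requiring
+additional privileges.
+%{name} uses Buildah(1) internally to create container images.
+Both tools share image (not container) storage, hence each can use or
+manipulate images (but not containers) created by the other.
+%package docker
+Summary: Emulate Docker CLI using %{name}
+BuildArch: noarch
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Conflicts: docker
+Conflicts: docker-latest
+Conflicts: docker-ce
+Conflicts: docker-ee
+Conflicts: moby-engine
+%description docker
+This package installs a script named docker that emulates the Docker CLI by
+executes %{name} commands, it also creates links between all Docker CLI man
+pages and %{name}.
+%package tests
+Summary: Tests for %{name}
+Requires: %{name} = %{epoch}:%{version}-%{release}
+%if %{defined fedora}
+Requires: bats
+%endif
+Requires: jq
+Requires: skopeo
+Requires: nmap-ncat
+Requires: httpd-tools
+Requires: openssl
+Requires: socat
+Requires: buildah
+Requires: gnupg
+%description tests
+%{summary}
+This package contains system tests for %{name}
+%package remote
+Summary: (Experimental) Remote client for managing %{name} containers
+%description remote
+Remote client for managing %{name} containers.
+This experimental remote client is under heavy development. Please do not
+run %{name}-remote in production.
+%{name}-remote uses the version 2 API to connect to a %{name} client to
+manage pods, containers and container images. %{name}-remote supports ssh
+connections as well.
+%package -n %{name}sh
+Summary: Confined login and user shell using %{name}
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Provides: %{name}-shell = %{epoch}:%{version}-%{release}
+Provides: %{name}-%{name}sh = %{epoch}:%{version}-%{release}
+%description -n %{name}sh
+%{name}sh provides a confined login and user shell with access to volumes and
+capabilities specified in user quadlets.
+It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
+when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
+%package machine
+Summary: Metapackage for setting up %{name} machine
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: gvisor-tap-vsock
+Recommends: qemu
+Requires: virtiofsd
+%description machine
+This subpackage installs the dependencies for %{name} machine, for more see:
+https://docs.podman.io/en/latest/markdown/podman-machine.1.html
+%prep
+%if 0%{?branch:1}
+%autosetup -Sgit -n containers-%{name}-%{shortcommit0}
+%else
+%autosetup -Sgit -n %{name}-%{commit0}
+%endif
+sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
+# cgroups-v1 is supported on rhel9
+%if 0%{?rhel} == 9
+sed -i '/DELETE ON RHEL9/,/DELETE ON RHEL9/d' libpod/runtime.go
+%endif
+# These changes are only meant for copr builds
+%if %{defined copr_build}
+# podman --version should show short sha
+sed -i "s/^const RawVersion = .*/const RawVersion = \"##VERSION##-##SHORT_SHA##\"/" version/rawversion/version.go
+# use ParseTolerant to allow short sha in version
+sed -i "s/^var Version.*/var Version, err = semver.ParseTolerant(rawversion.RawVersion)/" version/version.go
+%endif
+%build
+%set_build_flags
+export CGO_CFLAGS=$CFLAGS
+# These extra flags present in $CFLAGS have been skipped for now as they break the build
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
+%ifarch x86_64
+export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
+%endif
+export GOPROXY=direct
+LDFLAGS="-X %{ld_libpod}/define.buildInfo=${SOURCE_DATE_EPOCH:-$(date +%s)} \
+-X %{ld_libpod}/config._installPrefix=%{_prefix} \
+-X %{ld_libpod}/config._etcDir=%{_sysconfdir} \
+-X %{ld_project}/pkg/systemd/quadlet._binDir=%{_bindir}"
+# build rootlessport first
+%gobuild -o bin/rootlessport ./cmd/rootlessport
+export BASEBUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/systemd_tag.sh) $(hack/libsubid_tag.sh)"
+# build %%{name}
+export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh)"
+%gobuild -o bin/%{name} ./cmd/%{name}
+# build %%{name}-remote
+export BUILDTAGS="$BASEBUILDTAGS exclude_graphdriver_btrfs btrfs_noversion remote"
+%gobuild -o bin/%{name}-remote ./cmd/%{name}
+# build quadlet
+export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)"
+%gobuild -o bin/quadlet ./cmd/quadlet
+# build %%{name}-testing
+export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)"
+%gobuild -o bin/podman-testing ./cmd/podman-testing
+# reset LDFLAGS for plugins binaries
+LDFLAGS=''
+%{__make} docs docker-docs
+%install
+install -dp %{buildroot}%{_unitdir}
+PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDIR=%{_sysconfdir} \
+install.bin \
+install.man \
+install.systemd \
+install.completions \
+install.docker \
+install.docker-docs \
+install.remote \
+install.testing
+# Only need this on Fedora until nftables becomes the default
+%if %{defined fedora}
+%{__make} DESTDIR=%{buildroot} MODULESLOADDIR=%{_modulesloaddir} install.modules-load
+%endif
+sed -i 's;%{buildroot};;g' %{buildroot}%{_bindir}/docker
+# do not include docker and podman-remote man pages in main package
+for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e %{name}sh.1 -e remote -e docker`; do
+echo "$file*" >> %{name}.file-list
+done
+rm -f %{buildroot}%{_mandir}/man5/docker*.5
+install -d -p %{buildroot}%{_datadir}/%{name}/test/system
+cp -pav test/system %{buildroot}%{_datadir}/%{name}/test/
+# symlink virtiofsd in %%{name} libexecdir for machine subpackage
+ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+%files -f %{name}.file-list
+%license LICENSE vendor/modules.txt
+%doc README.md CONTRIBUTING.md install.md transfer.md
+%{_bindir}/%{name}
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/rootlessport
+%{_libexecdir}/%{name}/quadlet
+%{_datadir}/bash-completion/completions/%{name}
+# By "owning" the site-functions dir, we don't need to Require zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_%{name}
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%{_unitdir}/%{name}*
+%{_userunitdir}/%{name}*
+%{_tmpfilesdir}/%{name}.conf
+%{_systemdgeneratordir}/%{name}-system-generator
+%{_systemdusergeneratordir}/%{name}-user-generator
+%if %{defined fedora}
+%{_modulesloaddir}/%{name}-iptables.conf
+%endif
+%files docker
+%{_bindir}/docker
+%{_mandir}/man1/docker*.1*
+%{_sysconfdir}/profile.d/%{name}-docker.*
+%{_tmpfilesdir}/%{name}-docker.conf
+%{_user_tmpfilesdir}/%{name}-docker.conf
+%files remote
+%license LICENSE
+%{_bindir}/%{name}-remote
+%{_mandir}/man1/%{name}-remote*.*
+%{_datadir}/bash-completion/completions/%{name}-remote
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/%{name}-remote.fish
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_%{name}-remote
+%files tests
+%{_bindir}/%{name}-testing
+%{_datadir}/%{name}/test
+%files -n %{name}sh
+%{_bindir}/%{name}sh
+%{_mandir}/man1/%{name}sh.1*
+%files machine
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/virtiofsd
+%changelog
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 6:5.2.2-2
+- Bump release for October 2024 mass rebuild:
+Resolves: RHEL-64018
+* Wed Oct 09 2024 Jindrich Novy <jnovy@redhat.com> - 6:5.2.2-1
+- stick to v5.2-rhel upstream branch for RHEL
+- update to the latest content of https://github.com/containers/podman/tree/v5.2-rhel
+(https://github.com/containers/podman/commit/458f9b4)
+- Related: RHEL-58990
+* Tue Oct 08 2024 Jindrich Novy <jnovy@redhat.com> - 5:5.2.4-1
+- update to https://github.com/containers/podman/releases/tag/v5.2.4
+- Related: RHEL-61719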
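Review bot: The `%build` section sets `export GOPROXY=direct` but never pins module resolution to the shipped vendor tree, so if any module were ever missing from `vendor/modules.txt` the toolchain would fetch it straight from upstream in a build environment that has network access rather than failing; adding `export GOFLAGS="${GOFLAGS:-} -mod=vendor"` next to `GOPROXY=direct` makes an incomplete vendor directory a hard build error. Go already selects vendor mode on its own when `vendor/modules.txt` is present and the module's go directive is recent enough, so this is most likely belt-and-braces rather than a live defect, but it is cheap and makes the intent explicit. Separately, the `%description docker` text reads `executes %{name} commands`; it should be `by executing %{name} commands`, as the earlier version of this description had it.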

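--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (v5.2-rhel-458f9b4.tar.gz) = 750be4f38db0445fea79cc2d20a3979c9c7c84fec79298defb53d2b899695d337bdd7e8feee8eb2e3f91dabda743e5b9c628ca1533eb125c1bc19d79fd8482c5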

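--- /dev/null
+++ b/tests/main.fmf
@@ -0,0 +1,2 @@
+require:
+- podman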


@ -0,0 +1,12 @@
---
# Sigh; RHEL8 doesn't have BATS
- name: bats | fetch and unpack tarball
unarchive:
src: https://github.com/bats-core/bats-core/archive/v1.11.0.tar.gz
dest: /root
remote_src: true
- name: bats | install
command: ./install.sh /usr/local
args:
chdir: /root/bats-core-1.11.0
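Review bot: The `unarchive` task at `src: https://github.com/bats-core/bats-core/archive/v1.11.0.tar.gz` downloads and unpacks an archive whose contents are then executed as root by `./install.sh /usr/local`, and nothing checks what was actually fetched — a tag archive is not immutable, and TLS is the only integrity guarantee here. Fetching with `get_url` and a pinned `checksum`, then unarchiving the local file, makes the play fail on any mismatch; the `bats | install` task stays as it is. The digest below is a placeholder to be filled in from a trusted copy of the archive.
```yaml
- name: bats | fetch tarball
  get_url:
    url: https://github.com/bats-core/bats-core/archive/v1.11.0.tar.gz
    dest: /root/bats-core-1.11.0.tar.gz
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
- name: bats | unpack tarball
  unarchive:
    src: /root/bats-core-1.11.0.tar.gz
    dest: /root
    remote_src: true
# … unchanged: bats | install …
```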


@ -0,0 +1,7 @@
---
- name: create rootless user
user:
name: testuser
shell: /bin/bash
- name: enable linger
command: loginctl enable-linger testuser
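Review bot: The `command: loginctl enable-linger testuser` task re-runs and reports `changed` on every play, since `command` carries no idempotence hint; logind records linger state as one file per user, so adding `args:` / `creates: /var/lib/systemd/linger/testuser` lets the task skip once linger is already enabled. The `user` task above it is already idempotent, so this is the only step in the file that is not.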


@ -0,0 +1,72 @@
#!/bin/bash
#
# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
#
# This is invoked by the 'run_bats_tests' role; we assume that
# the package foo has a foo-tests subpackage which provides the
# directory /usr/share/foo/test/system, containing one or more .bats
# test files.
#
export PATH=/usr/local/bin:/usr/sbin:/usr/bin
FULL_LOG=/tmp/test.debug.log
BATS_LOG=/tmp/test.bats.log
rm -f $FULL_LOG $BATS_LOG
touch $FULL_LOG $BATS_LOG
exec &> $FULL_LOG
# Log program versions
echo "Packages:"
rpm -q ${TEST_PACKAGE} ${TEST_PACKAGE}-tests
echo "------------------------------"
printenv | sort
testdir=/usr/share/${TEST_PACKAGE}/test/system
if ! cd $testdir; then
echo "FAIL ${TEST_NAME} : cd $testdir" >> /tmp/test.log
exit 0
fi
if [ -e /tmp/helper.sh ]; then
echo "------------------------------"
echo ". /tmp/helper.sh"
. /tmp/helper.sh
fi
if [ "$(type -t setup)" = "function" ]; then
echo "------------------------------"
echo "\$ setup"
setup
if [ $? -ne 0 ]; then
echo "FAIL ${TEST_NAME} : setup" >> /tmp/test.log
exit 0
fi
fi
echo "------------------------------"
echo "\$ bats ."
bats . &> $BATS_LOG
rc=$?
echo "------------------------------"
echo "bats completed with status $rc"
status=PASS
if [ $rc -ne 0 ]; then
status=FAIL
fi
echo "${status} ${TEST_NAME}" >> /tmp/test.log
if [ "$(type -t teardown)" = "function" ]; then
echo "------------------------------"
echo "\$ teardown"
teardown
fi
# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
exit 0
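Review bot: `printenv | sort` dumps the entire environment into `$FULL_LOG`, and the role that runs this script later fetches `/tmp/test.debug.log` into the artifacts directory, so anything sensitive the CI job happens to pass through the environment (registry credentials, tokens) would be captured in a published log; restricting the dump to what the script actually consumes, `printenv | grep '^TEST_' | sort`, keeps the debugging value without that exposure. Whether the job environment ever carries such values is not visible here, so treat this as a precaution rather than a known leak. Minor: `setup` followed by `if [ $? -ne 0 ]; then` reads more clearly as `if ! setup; then`.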


@ -0,0 +1,37 @@
---
# Create empty results file, world-writable
- name: initialize test.log file
copy: dest=/tmp/test.log content='' force=yes mode=0666
- name: execute tests
include: run_one_test.yml
with_items: "{{ tests }}"
loop_control:
loop_var: test
- name: pull test.log results
fetch:
src: "/tmp/test.log"
dest: "{{ artifacts }}/test.log"
flat: yes
# Copied from standard-test-basic
- name: check results
shell: grep "^FAIL" /tmp/test.log
register: test_fails
# Never fail at this step. Just store result of tests.
failed_when: False
- name: preserve results
set_fact:
role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
- name: display results
vars:
msg: |
Tests failed: {{ role_result_failed|d('Undefined') }}
Tests msg: {{ role_result_msg|d('None') }}
debug:
msg: "{{ msg.split('\n') }}"
failed_when: "role_result_failed|bool"
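Review bot: The `initialize test.log file` task uses the `key=value` shorthand, `copy: dest=/tmp/test.log content='' force=yes mode=0666`, while the rest of the file is block YAML; the native form `copy:` with `dest: /tmp/test.log`, `content: ''`, `force: true`, `mode: "0666"` (quoted so the octal mode survives a YAML-1.1 loader) is consistent and easier to lint. The same shorthand appears in the `run_one_test.yml` section below (`dnf: name=... state=installed`, `local_action: stat path=...`, `copy: src=... dest=...`, and the multi-line `file:` arguments at its end). Also prefer `true`/`false` over `flat: yes` and `failed_when: False`, which are read differently by YAML 1.1 and 1.2 loaders.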


@ -0,0 +1,52 @@
---
- name: "{{ test.name }} | install test packages"
dnf: name="{{ test.package }}-tests" state=installed
- name: "{{ test.name }} | define helper variables"
set_fact:
test_name_oneword: "{{ test.name | replace(' ','-') }}"
# UGH. This is necessary because our caller sets some environment variables
# and we need to set a few more based on other caller variables; then we
# need to combine the two dicts when running the test. This seems to be
# the only way to do it in ansible.
- name: "{{ test.name }} | define local environment"
set_fact:
local_environment:
TEST_NAME: "{{ test.name }}"
TEST_PACKAGE: "{{ test.package }}"
TEST_ENV: "{{ test.environment }}"
- name: "{{ test.name }} | setup/teardown helper | see if exists"
local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
register: helper
- name: "{{ test.name }} | setup/teardown helper | install"
copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
when: helper.stat.exists
- name: "{{ test.name }} | run test"
script: ./run_bats_tests.sh
args:
chdir: /usr/share/{{ test.package }}/test/system
become: "{{ true if test.become is defined else false }}"
become_user: testuser
environment: "{{ local_environment | combine(test.environment) }}"
- name: "{{ test.name }} | pull logs"
fetch:
src: "/tmp/test.{{ item }}.log"
dest: "{{ artifacts }}/test.{{ test_name_oneword }}.{{ item }}.log"
flat: yes
with_items:
- bats
- debug
- name: "{{ test.name }} | remove remote logs and helpers"
file:
dest=/tmp/{{ item }}
state=absent
with_items:
- test.bats.log
- test.debug.log
- helper.sh
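Review bot: `become: "{{ true if test.become is defined else false }}"` on the `run test` task turns any defined value into `true`, so a test entry that sets `become: false` would still run as `testuser`; `become: "{{ test.become | default(false) | bool }}"` honours the value itself and still defaults to not switching user when the key is absent. The callers in `tests/tests.yml` currently only ever set `become: true`, so this is latent rather than live.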

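--- /dev/null
+++ b/tests/smoke.fmf
@@ -0,0 +1,2 @@
+summary: Execute a simple command
+test: podman run -t --rm fedora cat /etc/os-release | grep 'Fedora Linux'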
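Review bot: `test: podman run -t --rm fedora cat /etc/os-release | grep 'Fedora Linux'` pulls the image by the short name `fedora`, so which registry serves it depends on the host's short-name aliases and unqualified-search configuration rather than on the test itself; a fully qualified reference such as `registry.fedoraproject.org/fedora` makes the smoke test deterministic and removes the short-name resolution ambiguity. The same applies to `--image fedora` in the `tests/tmt.fmf` section below. `-t` allocates a pseudo-tty for a non-interactive command and can be dropped.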

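--- /dev/null
+++ b/tests/tests.yml
+---
+- hosts: localhost
+tags: classic
+vars:
+- artifacts: ./artifacts
+roles:
+- role: bats_installed
+- role: rootless_user
+- role: run_bats_tests
+tests:
+- name: podman root
+package: podman
+environment:
+PODMAN: /usr/bin/podman
+QUADLET: /usr/libexec/podman/quadlet
+PODMAN_TESTING: /usr/bin/podman-testing
+- name: podman rootless
+package: podman
+environment:
+PODMAN: /usr/bin/podman
+QUADLET: /usr/libexec/podman/quadlet
+PODMAN_TESTING: /usr/bin/podman-testing
+become: true
+#- name: podman-remote root
+#package: podman
+#environment:
+# PODMAN: /usr/bin/podman-remote
+# QUADLET: /usr/libexec/podman/quadlet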
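Review bot: `vars:` under the `localhost` play is written as a list (`- artifacts: ./artifacts`) rather than a mapping; Ansible accepts a list of dicts for play vars but, as far as I recall, has deprecated that form, so `vars:` followed by `artifacts: ./artifacts` as a plain key is the safer spelling. The commented-out `podman-remote root` entry at the end is dead configuration; if remote tests are intentionally disabled, a one-line comment saying why (or a tracking reference) explains the block better than the commented YAML.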

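--- /dev/null
+++ b/tests/tmt.fmf
@@ -0,0 +1,8 @@
+summary: Make sure that container provision works
+require:
+- tmt+provision-container
+test:
+tmt run --verbose --remove
+provision --how container --image fedora
+login --command 'cat /etc/os-release'
+finish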