7 changed files with 356 additions and 534 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
-SOURCES/cri-o-9b1f0a0.tar.gz
-SOURCES/libpod-921f98f.tar.gz
+SOURCES/v1.6.4-rhel-9407ffd.tar.gz
--- a/.podman.metadata
+++ b/.podman.metadata
@ -1,2 +1 @@
-b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
-14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz
+8cbdf362636da4557484bd88ae19026f712f9573 SOURCES/v1.6.4-rhel-9407ffd.tar.gz
--- a/SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch
+++ b/SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch
@ -1,31 +0,0 @@
-From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
-From: Matthew Heon <mheon@redhat.com>
-Date: Fri, 19 Feb 2021 11:34:39 -0500
-Subject: [PATCH] Only drop all caps in exec when non-root
-
-We were dropping too many capabilities otherwise, which broke
-some critical system tools (e.g. useradd) in exec sessions.
-
-Fix RHBZ#1930552
-
-Signed-off-by: Matthew Heon <mheon@redhat.com>
---
- libpod/oci_conmon_linux.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
-index d5973a1a6..18ede031e 100644
--- a/libpod/oci.go
-+++ b/libpod/oci.go
-@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
- 	pspec.Capabilities.Effective = []string{}
- 	if privileged {
- 		pspec.Capabilities.Bounding = allCaps
-	} else {
-+	} else if execUser.Uid != 0 {
- 		pspec.Capabilities.Bounding = []string{}
- 	}
- 	pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
-- 
-2.29.2
-
--- a/SOURCES/podman-1882267.patch
+++ b/SOURCES/podman-1882267.patch
@ -1,23 +0,0 @@
-From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
-From: Matthew Heon <mheon@redhat.com>
-Date: Thu, 24 Sep 2020 10:42:13 -0400
-Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
-
-Signed-off-by: Matthew Heon <mheon@redhat.com>
---
- cmd/podman/sigproxy.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
-index 16861bad04..92d7f4e4a9 100644
--- a/cmd/podman/sigproxy.go
-+++ b/cmd/podman/sigproxy.go
-@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
- 		for s := range sigBuffer {
- 			// Ignore SIGCHLD and SIGPIPE - these are mostly likely
- 			// intended for the podman command itself.
-			if s == signal.SIGCHLD || s == signal.SIGPIPE {
-+			if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
- 				continue
- 			}
- 
--- a/SOURCES/podman-CVE-2020-10696.patch
+++ b/SOURCES/podman-CVE-2020-10696.patch
@ -1,48 +0,0 @@
-From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
-From: TomSweeneyRedHat <tsweeney@redhat.com>
-Date: Tue, 24 Mar 2020 20:10:22 -0400
-Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
-
-Stealing @nalind 's workaround to avoid refetching
-content after a file read failure.  Under the right
-circumstances that could be a symlink to a file meant
-to overwrite a good file with bad data.
-
-Testing:
-```
-goodstuff
-
-[1] 14901
-
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-no FROM statement found
-
-goodstuff
-```
-
-Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
- imagebuildah/util.go | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
-+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
-@@ -12,6 +12,7 @@ import (
- 
- 	"github.com/containers/buildah"
- 	"github.com/containers/storage/pkg/chrootarchive"
-+	"github.com/containers/storage/pkg/ioutils"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- )
-@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
- 		}
- 		dockerfile := filepath.Join(dir, "Dockerfile")
- 		// Assume this is a Dockerfile
-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
-+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
- 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
- 		}
- 	}
--- a/SOURCES/podman-CVE-2021-20188.patch
+++ b/SOURCES/podman-CVE-2021-20188.patch
@ -1,319 +0,0 @@
-From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
-From: Matthew Heon <mheon@redhat.com>
-Date: Mon, 25 Jan 2021 14:18:07 -0500
-Subject: [PATCH] Correct handling of capabilities
-
-Ensure that capabilities are properly handled for non-root users
-in privileged containers. We do not want to give full caps, but
-instead only CapInh and CapEff (others should be all-zeroes).
-
-Fixing `podman run` is easy - the same code as the Podman 1.6 fix
-works there. The `podman exec` command is far more challenging.
-Exec received a complete rewrite to use Conmon at some point
-before Podman 1.6, and gained many capabilities in the process.
-One of those was the ability to actually tweak the capabilities
-of the exec process - 1.0 did not have that. Since it was needed
-to resolve this CVE, I was forced to backport a large bit of the
-1.0 -> 1.6 exec changes (passing a Process block to the OCI
-runtime, and using `prepareProcessExec()` to prepare said block).
-I am honestly uncomfortable with the size and scope of this
-change but I don't see another way around this.
-
-Fixes CVE-2021-20188
-
-Signed-off-by: Matthew Heon <mheon@redhat.com>
---
- libpod/container_api.go |  24 +------
- libpod/oci.go           | 148 ++++++++++++++++++++++++++++++++--------
- pkg/spec/spec.go        |   8 +++
- 3 files changed, 132 insertions(+), 48 deletions(-)
-
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig	2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go	2021-02-12 10:38:48.767172399 +0100
-@@ -2,7 +2,6 @@ package libpod
- 
- import (
- 	"context"
-	"fmt"
- 	"io/ioutil"
- 	"os"
- 	"strconv"
-@@ -11,9 +10,7 @@ import (
- 
- 	"github.com/containers/libpod/libpod/driver"
- 	"github.com/containers/libpod/pkg/inspect"
-	"github.com/containers/libpod/pkg/lookup"
- 	"github.com/containers/storage/pkg/stringid"
-	"github.com/docker/docker/daemon/caps"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- 	"k8s.io/apimachinery/pkg/util/wait"
-@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
- // TODO allow specifying streams to attach to
- // TODO investigate allowing exec without attaching
- func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
-	var capList []string
-
- 	locked := false
- 	if !c.batched {
- 		locked = true
-@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
- 	if conState != ContainerStateRunning {
- 		return errors.Errorf("cannot exec into container that is not running")
- 	}
-	if privileged || c.config.Privileged {
-		capList = caps.GetAllCapabilities()
-	}
- 
-	// If user was set, look it up in the container to get a UID to use on
-	// the host
-	hostUser := ""
-	if user != "" {
-		execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
-		if err != nil {
-			return err
-		}
-
-		// runc expects user formatted as uid:gid
-		hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
-	}
-+	isPrivileged := privileged || c.config.Privileged
- 
- 	// Generate exec session ID
- 	// Ensure we don't conflict with an existing session ID
-@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
- 
- 	logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
- 
-	execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
-+	execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
- 	if err != nil {
- 		return errors.Wrapf(err, "error exec %s", c.ID())
- 	}
-+	defer os.Remove(processFile)
- 	chWait := make(chan error)
- 	go func() {
- 		chWait <- execCmd.Wait()
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig	2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go	2021-02-12 10:38:48.768172416 +0100
-@@ -15,10 +15,12 @@ import (
- 	"syscall"
- 	"time"
- 
-+	"github.com/containers/libpod/pkg/lookup"
- 	"github.com/containers/libpod/pkg/rootless"
- 	"github.com/containers/libpod/pkg/util"
- 	"github.com/coreos/go-systemd/activation"
- 	"github.com/cri-o/ocicni/pkg/ocicni"
-+	"github.com/docker/docker/daemon/caps"
- 	spec "github.com/opencontainers/runtime-spec/specs-go"
- 	"github.com/opencontainers/selinux/go-selinux"
- 	"github.com/opencontainers/selinux/go-selinux/label"
-@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
- // TODO: Add --detach support
- // TODO: Convert to use conmon
- // TODO: add --pid-file and use that to generate exec session tracking
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
-+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
- 	if len(cmd) == 0 {
-		return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
-+		return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
- 	}
- 
- 	if sessionID == "" {
-		return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
-+		return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
- 	}
- 
- 	runtimeDir, err := util.GetRootlessRuntimeDir()
- 	if err != nil {
-		return nil, err
-+		return nil, "", err
-+	}
-+
-+	processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
-+	if err != nil {
-+		return nil, "", err
- 	}
- 
- 	args := []string{}
-@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
- 
- 	args = append(args, "exec")
- 
-	if cwd != "" {
-		args = append(args, "--cwd", cwd)
-	}
-+	args = append(args, "--process", processFile)
- 
- 	args = append(args, "--pid-file", c.execPidPath(sessionID))
- 
-	if tty {
-		args = append(args, "--tty")
-	} else {
-		args = append(args, "--tty=false")
-	}
-
-	if user != "" {
-		args = append(args, "--user", user)
-	}
-
- 	if c.config.Spec.Process.NoNewPrivileges {
- 		args = append(args, "--no-new-privs")
- 	}
- 
-	for _, cap := range capAdd {
-		args = append(args, "--cap", cap)
-	}
-
-	for _, envVar := range env {
-		args = append(args, "--env", envVar)
-	}
-
- 	// Append container ID and command
- 	args = append(args, c.ID())
- 	args = append(args, cmd...)
-@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
- 	execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
- 
- 	if err := execCmd.Start(); err != nil {
-		return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
-+		return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
- 	}
- 
-	return execCmd, nil
-+	return execCmd, processFile, nil
- }
- 
- // execStopContainer stops all active exec sessions in a container
-@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
- 	args = append(args, ctr.ID())
- 	return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
- }
-+
-+// prepareProcessExec returns the path of the process.json used in runc exec -p.
-+// Returns path to the created exec process file. This will need to be removed
-+// by the caller when they're done, best effort.
-+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
-+	filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
-+	f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
-+	if err != nil {
-+		return "", err
-+	}
-+	defer f.Close()
-+
-+	pspec := c.config.Spec.Process
-+	pspec.SelinuxLabel = c.config.ProcessLabel
-+	pspec.Args = cmd
-+	// We need to default this to false else it will inherit terminal as true
-+	// from the container.
-+	pspec.Terminal = false
-+	if tty {
-+		pspec.Terminal = true
-+	}
-+	if len(env) > 0 {
-+		pspec.Env = append(pspec.Env, env...)
-+	}
-+
-+	if cwd != "" {
-+		pspec.Cwd = cwd
-+
-+	}
-+
-+	var addGroups []string
-+	var sgids []uint32
-+
-+	// if the user is empty, we should inherit the user that the container is currently running with
-+	if user == "" {
-+		user = c.config.User
-+		addGroups = c.config.Groups
-+	}
-+
-+	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
-+	if err != nil {
-+		return "", err
-+	}
-+
-+	if len(addGroups) > 0 {
-+		sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
-+		if err != nil {
-+			return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
-+		}
-+	}
-+
-+	// If user was set, look it up in the container to get a UID to use on
-+	// the host
-+	if user != "" || len(sgids) > 0 {
-+		if user != "" {
-+			for _, sgid := range execUser.Sgids {
-+				sgids = append(sgids, uint32(sgid))
-+			}
-+		}
-+		processUser := spec.User{
-+			UID:            uint32(execUser.Uid),
-+			GID:            uint32(execUser.Gid),
-+			AdditionalGids: sgids,
-+		}
-+
-+		pspec.User = processUser
-+	}
-+
-+	allCaps := caps.GetAllCapabilities()
-+	pspec.Capabilities.Effective = []string{}
-+	if privileged {
-+		pspec.Capabilities.Bounding = allCaps
-+	} else {
-+		pspec.Capabilities.Bounding = []string{}
-+	}
-+	pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
-+	if execUser.Uid == 0 {
-+		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
-+		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
-+		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
-+	} else {
-+		pspec.Capabilities.Permitted = pspec.Capabilities.Effective
-+		pspec.Capabilities.Ambient = pspec.Capabilities.Effective
-+	}
-+
-+	hasHomeSet := false
-+	for _, s := range pspec.Env {
-+		if strings.HasPrefix(s, "HOME=") {
-+			hasHomeSet = true
-+			break
-+		}
-+	}
-+	if !hasHomeSet {
-+		pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
-+	}
-+
-+	processJSON, err := json.Marshal(pspec)
-+	if err != nil {
-+		return "", err
-+	}
-+
-+	if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
-+		return "", err
-+	}
-+
-+	return filename, nil
-+}
-diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig	2019-02-11 16:26:46.000000000 +0100
-+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go	2021-02-12 10:38:48.768172416 +0100
-@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
- 		}
- 	} else {
- 		g.SetupPrivileged(true)
-+		if config.User != "" {
-+			user := strings.SplitN(config.User, ":", 2)[0]
-+			if user != "root" && user != "0" {
-+				g.Spec().Process.Capabilities.Effective = []string{}
-+				g.Spec().Process.Capabilities.Permitted = []string{}
-+				g.Spec().Process.Capabilities.Ambient = []string{}
-+			}
-+		}
- 	}
- 
- 	// HANDLE SECCOMP
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@ -1,6 +1,9 @@
 %global with_debug 1
 %global with_check 0

+%bcond_without varlink
+%global gogenerate go generate
+
 %if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
@ -8,16 +11,14 @@
 %global debug_package   %{nil}
 %endif

+%if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%define gogenerate go generate
-
-%if 0%{?rhel} > 7 || 0%{?fedora}
-%bcond_without varlink
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
 %else
-%bcond_with varlink
+%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
 %endif

+%global branch v1.6.4-rhel
 %global provider github
 %global provider_tld com
 %global project containers
@ -25,40 +26,26 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 # https://github.com/containers/libpod
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
-%global git_podman https://%{provider}.%{provider_tld}/%{project}/%{repo}
-%global commit 921f98f8795eb9fcb19ce581020cfdeff6dee09f
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
-
-%global import_path_conmon github.com/kubernetes-sigs/cri-o
-%global git_conmon https://%{import_path_conmon}
-%global commit_conmon 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2
-%global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7})
+%global git0 https://%{provider}.%{provider_tld}/%{project}/%{repo}
+%global commit0 9407ffda53e05dcd1b414b3db6daa7df637e0138
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 Name: podman
-Version: 1.0.0
-Release: 8.git%{shortcommit}%{?dist}
+Version: 1.6.4
+Release: 28%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0
-URL: %{git_podman}
-Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
-# backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
-Patch0: podman-CVE-2020-10696.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882267
-# patch:       https://github.com/mheon/libpod/commit/bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea.patch
-Patch1: podman-1882267.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1918285
-Patch2: podman-CVE-2021-20188.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1930552
-Patch3: 0001-Only-drop-all-caps-in-exec-when-non-root.patch
-
-# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
-#ExclusiveArch:  %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-BuildRequires: device-mapper-devel
+URL: https://%{name}.io/
+# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
+ExcludeArch: i686
+%if 0%{?branch:1}
+Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
+%else
+Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
+%endif
+Provides: %{name}-manpages = %{version}-%{release}
+Obsoletes: %{name}-manpages < %{version}-%{release}
+BuildRequires: golang >= 1.12.12-4
 BuildRequires: glib2-devel
 BuildRequires: glibc-devel
 BuildRequires: glibc-static
@ -71,17 +58,20 @@ BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: ostree-devel
 BuildRequires: pkgconfig
-Requires: runc
+BuildRequires: make
+BuildRequires: systemd
+BuildRequires: systemd-devel
 Requires: containers-common >= 0.1.29-3
-# can't use default conmon right now, so we ship our own
-#Requires:       conmon
-Requires: containernetworking-plugins >= 0.7.3-5
+Requires: containernetworking-plugins >= 0.8.1-1
 Requires: iptables
 Requires: nftables
-Requires: oci-systemd-hook
-Recommends: container-selinux
-Recommends: slirp4netns
-Recommends: fuse-overlayfs
+Requires: libseccomp >= 2.4.1
+Requires: conmon
+Requires: container-selinux
+Requires: slirp4netns >= 0.4.0-1
+Requires: runc >= 1.0.0-57
+Requires: fuse-overlayfs
+Requires: libvarlink

 # vendored libraries
 # awk '{print "Provides: bundled(golang("$1")) = "$2}' vendor.conf | sort
@ -91,13 +81,14 @@ Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
 Provides: bundled(golang(github.com/boltdb/bolt)) = master
 Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3
 Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0
-Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b
+Provides: bundled(golang(github.com/containerd/cgroups)) = 58556f5ad8448d99a6f7bea69ea4bdb7747cfeb0
 Provides: bundled(golang(github.com/containerd/continuity)) = master
-Provides: bundled(golang(github.com/containernetworking/cni)) = v0.7.0-alpha1
+#Provides: bundled(golang(github.com/containernetworking/cni)) = v0.7.0-alpha1
 Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
-Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418
-Provides: bundled(golang(github.com/containers/psgo)) = 382fc951fe0a8aba62043862ce1a56f77524db87
-Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
+Provides: bundled(golang(github.com/containers/image)) = 85d7559d44fd71f30e46e43d809bfbf88d11d916
+Provides: bundled(golang(github.com/containers/psgo)) = 5dde6da0bc8831b35243a847625bcf18183bd1ee
+Provides: bundled(golang(github.com/containers/storage)) = 243c4cd616afdf06b4a975f18c4db083d26b1641
+Provides: bundled(golang(github.com/coreos/go-iptables)) = 25d087f3cffd9aedc0c2b7eff25f23cbf3c20fe1
 Provides: bundled(golang(github.com/coreos/go-systemd)) = v14
 Provides: bundled(golang(github.com/cri-o/ocicni)) = master
 Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1
@ -128,6 +119,7 @@ Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe
 Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2
 Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0
 Provides: bundled(golang(github.com/kr/pty)) = v1.0.0
+Provides: bundled(golang(github.com/mailru/easyjson)) = 03f2033d19d5860aef995fe360ac7d395cd8ce65
 Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1
 Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a
 Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982
@ -135,18 +127,18 @@ Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1
 Provides: bundled(golang(github.com/mrunalp/fileutils)) = master
 Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9
 Provides: bundled(golang(github.com/Nvveen/Gotty)) = master
-Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0-rc0
+#Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0-rc0
 Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0
 Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
-Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0
-Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = 625e2322645b151a7cbb93a8b42920933e72167f
+Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = d810dbc60d8c5aeeb3d054bd1132fab2121968ce
+Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = master
 Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a
 Provides: bundled(golang(github.com/openshift/imagebuilder)) = master
 Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master
 Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
 Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2
 Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
-Provides: bundled(golang(github.com/projectatomic/buildah)) = 35a37f36d37bf84397d7f79f6bb8649f728c19f1
+Provides: bundled(golang(github.com/projectatomic/buildah)) = af5bbde0180026ae87b7fc81c2dc124aa73ec959
 Provides: bundled(golang(github.com/seccomp/containers-golang)) = master
 Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0
 Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
@ -156,8 +148,7 @@ Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b38551
 Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
 Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4
 Provides: bundled(golang(github.com/ulule/deepcopier)) = master
-# version can't have '-'
-#Provides: bundled(golang(github.com/urfave/cli)) = fix-short-opts-parsing
+Provides: bundled(golang(github.com/urfave/cli)) = 934abfb2f102315b5794e15ebc7949e4ca253920
 Provides: bundled(golang(github.com/varlink/go)) = master
 Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2
 Provides: bundled(golang(github.com/vishvananda/netlink)) = master
@ -185,33 +176,68 @@ Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee55
 Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e

 %description
+%{name} (Pod Manager) is a fully featured container engine that is a simple daemonless tool.  %{name} provides a Docker-CLI comparable command line that eases the transition from other container engines and allows the management of pods, containers and images.  Simply put: alias docker=%{name}.  Most %{name} commands can be run as a regular user, without requiring additional privileges.
+
+%{name} uses Buildah(1) internally to create container images. Both tools share image (not container) storage, hence each can use or manipulate images (but not containers) created by the other.
+
 %{summary}
-libpod provides a library for applications looking to use
-the Container Pod concept popularized by Kubernetes.
+%{repo} Simple management tool for pods, containers and images

 %package docker
-Summary: Emulate Docker CLI using podman
+Summary: Emulate Docker CLI using %{name}
 BuildArch: noarch
 Requires: %{name} = %{version}-%{release}
 Conflicts: docker
-Provides : docker
 Conflicts: docker-latest
 Conflicts: docker-ce
 Conflicts: docker-ee
+Conflicts: moby-engine

 %description docker
 This package installs a script named docker that emulates the Docker CLI by
-executing %{name} commands, it also creates links between all Docker CLI man
+executes %{name} commands, it also creates links between all Docker CLI man
 pages and %{name}.

+%package remote
+Summary: (Experimental) Remote client for managing %{name} containers
+
+%description remote
+Remote client for managing %{name} containers.
+
+This experimental remote client is under heavy development. Please do not
+run %{name}-remote in production.
+
+%{name}-remote uses the varlink connection to connect to a %{name} client to
+manage pods, containers and container images. %{name}-remote supports ssh
+connections as well.
+
+%package tests
+Summary: Tests for %{name}
+Requires: %{name} = %{version}-%{release}
+#Requires: bats  (which RHEL8 doesn't have. If it ever does, un-comment this)
+Requires: jq
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
 %prep
-%autosetup -Sgit -n %{repo}-%{commit}
+%if 0%{?branch:1}
+%autosetup -Sgit -n containers-%{name}-%{shortcommit0}
+%else
+%autosetup -Sgit -n %{name}-%{commit0}
+%endif
+
+sed -i 's/install.bin: podman/install.bin:/' Makefile
+sed -i 's/install.man: docs/install.man:/' Makefile
+sed -i 's/install.remote: podman-remote/install.remote:/' Makefile
 mv pkg/hooks/README.md pkg/hooks/README-hooks.md

-# untar cri-o
-tar zxf %{SOURCE1}
-
 %build
+export GO111MODULE=off
+export GOPATH=$(pwd):$(pwd)/_build
+
 mkdir -p $(pwd)/_build
 pushd $(pwd)/_build
 mkdir -p src/%{provider}.%{provider_tld}/%{project}
@ -219,101 +245,321 @@ ln -s ../../../../ src/%{import_path}
 popd
 ln -s vendor src

-export GOPATH=$(pwd):$(pwd)/_build
-export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
+rm -rf vendor/github.com/containers/storage/drivers/register/register_btrfs.go
+%gogenerate ./cmd/%{name}/varlink/...
+
+# build %%{name}
+export BUILDTAGS="varlink systemd selinux seccomp btrfs_noversion exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
 %gobuild -o bin/%{name} %{import_path}/cmd/%{name}

-# build conmon
-pushd cri-o-%{commit_conmon}
-mkdir _output
-pushd _output
-mkdir -p src/%{provider}.%{provider_tld}/{kubernetes-sigs,opencontainers}
-ln -s $(dirs +1 -l) src/%{import_path_conmon}
-popd
+# build %%{name}-remote
+export BUILDTAGS="remoteclient $BUILDTAGS"
+%gobuild -o bin/%{name}-remote %{import_path}/cmd/%{name}

-ln -s vendor src
-export GOPATH=$(pwd):$(pwd)/_output
-export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
-%gobuild -o bin/crio-config %{import_path_conmon}/cmd/crio-config
-cd conmon && ../bin/crio-config
-%{__make} all
-popd
+%{__make} docs
+./docs/dckrman.sh ./docs/build/man/*

 %install
-install -dp %{buildroot}{%{_unitdir}
-%{__make} PREFIX=%{buildroot}%{_usr} ETCDIR=%{buildroot}%{_sysconfdir} \
+install -dp %{buildroot}%{_unitdir}
+PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \
        install.bin \
+        install.remote \
        install.man \
        install.cni \
        install.systemd \
-        install.completions \
-        install.docker
+        install.completions

 # install libpod.conf
 install -dp %{buildroot}%{_datadir}/containers
-install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers
+install -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers

-# install conmon
-install -dp %{buildroot}%{_libexecdir}/%{name}
-install -p -m 755 cri-o-%{commit_conmon}/bin/conmon %{buildroot}%{_libexecdir}/%{name}
+# install docker-docs
+install -dp %{buildroot}%{_mandir}/man1
+install -m 644 docs/build/man/docker*.1 -t %{buildroot}%{_mandir}/man1
+
+# install docker symlink
+install -m 755 docker %{buildroot}%{_bindir}
+
+# install test stuff
+ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
+
+# do not include docker and podman-remote man pages in main package
+for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
+    echo "$file*" >> podman.file-list
+done

 %check
 %if 0%{?with_check}
+# Since we aren't packaging up the vendor directory we need to link
+# back to it somehow. Hack it up so that we can add the vendor
+# directory from BUILD dir as a gopath to be searched when executing
+# tests from the BUILDROOT dir.
 ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
+
 export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}

+%if ! 0%{?gotest:1}
+%global gotest go test
+%endif
+
 %gotest %{import_path}/cmd/%{name}
 %gotest %{import_path}/libkpod
 %gotest %{import_path}/libpod
 %gotest %{import_path}/pkg/registrar
 %endif

+%triggerpostun -- %{name} < 1.1
+%{_bindir}/%{name} system renumber
+exit 0
+
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}

-%files
+%files -f podman.file-list
 %license LICENSE
 %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
 %{_bindir}/%{name}
-%{_mandir}/man1/podman*.1*
-%{_mandir}/man5/*.5*
 %{_datadir}/bash-completion/completions/*
-%{_libexecdir}/%{name}/conmon
+# By "owning" the site-functions dir, we don't need to Require zsh
+%{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/*
 %config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
 %{_datadir}/containers/%{repo}.conf
 %{_unitdir}/io.%{name}.service
 %{_unitdir}/io.%{name}.socket
+%{_userunitdir}/io.%{name}.service
+%{_userunitdir}/io.%{name}.socket
 %{_usr}/lib/tmpfiles.d/%{name}.conf

 %files docker
 %{_bindir}/docker
 %{_mandir}/man1/docker*.1*

+%files remote
+%{_bindir}/%{name}-remote
+%{_mandir}/man1/%{name}-remote*.1*
+
+%files tests
+%license LICENSE
+%{_datadir}/%{name}/test
+
 %changelog
-* Mon Mar 01 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-8.git921f98f
- fix "podman can not create user inside of container" regression introduced by
-  patch for CVE-2021-20188
- Related: #1918285
+* Mon Apr 11 2022 Jindrich Novy <jnovy@redhat.com> - 1.6.4-28
+- update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel
+  (https://github.com/containers/podman/commit/9407ffd)
+- fixes CVE-2022-27651
+- Resolves: #2067545

-* Fri Feb 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-7.git921f98f
+* Thu Mar 10 2022 Jindrich Novy <jnovy@redhat.com> - 1.6.4-27
+- update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel
+  (https://github.com/containers/podman/commit/c19e460)
+- Resolves: #2062401
+
+* Wed Mar 03 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-26
+- fix regression introduced by fix of CVE-2021-20188
+- update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel
+  (https://github.com/containers/podman/commit/bcbbbc4)
+- Resolves: #1934649
+
+* Fri Feb 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-25
+- bump NVR to preserve upgrade path
+- Related: #1920383
+
+* Thu Feb 11 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-24
 - fix CVE-2021-20188
- Resolves: #1918285
+- update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel
+  (https://github.com/containers/podman/commit/2c7b579)
+- Related: #1920383

-* Thu Sep 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-6.git921f98f
- fix "podman run errors out/segfaults in container-tools-1.0-8.3.0"
- Resolves: #1882267
+* Tue Jan 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-23
+- fix "podman exec is fragile in the presence of signals" to avoid regression
+- Resolves: #1883490

-* Fri Jun 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-5.git921f98f
+* Fri Sep 18 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-22
+- sync with 1.6.4-rhel branch to avoid regression
+- Resolves: #1879092
+
+* Thu Sep 10 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-21
+- fix "podman run with --rm errors out/segfaults on rhel8.3"
+- Resolves: #1875289
+
+* Thu Aug 20 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-20
 - bump release to preserve upgrade path
- Resolves: #1821193
+- Related: #1868603

-* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
+* Mon Aug 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-14
+- fix "[2.0-8.3.0] Podman does not use --tmpdir when pulling an image"
+- Related: #1868603
+
+* Thu Jul 16 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-13
+- exclude i686 arch
+- Related: #1821193
+
+* Fri Jun 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-12
+- bump release to preserve upgrade path
+- Related: #1821193
+
+* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-11
 - fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
- Resolves: #1818122
+- Resolves: #1819391

-* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
- rebuild because of CVE-2019-9512 and CVE-2019-9514
- Resolves: #1766294, #1766322
+* Thu Mar 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-10
+- use the full PR 5348 to fix "no route to host from inside container"
+- Resolves: #1806899
+
+* Fri Mar 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-9
+- update fix for "podman (1.6.4) rhel 8.1 no route to host from inside container"
+- Resolves: #1806899
+
+* Fri Mar 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-8
+- fix "[FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function."
+- Resolves: #1808705
+
+* Thu Feb 27 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-7
+- fix "podman (1.6.4) rhel 8.1 no route to host from inside container"
+- Resolves: #1806899
+
+* Fri Feb 21 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-6
+- fix "CVE-2020-1726 podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created"
+- Resolves: #1801572
+
+* Wed Feb 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-5
+- fix "Podman support for FIPS Mode requires a bind mount inside the container"
+- Resolves: #1804193
+
+* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-4
+- fix CVE-2020-1702
+- Resolves: #1801929
+
+* Wed Jan 08 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-3
+- merge podman-manpages with podman package and put man pages for
+  podman-remote to its dedicated subpackage
+Resolves: #1788539
+
+* Fri Jan 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-2
+- apply fix for #1757845
+- Related: RHELPLAN-25139
+
+* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.4-1
+- update to 1.6.4
+- Related: RHELPLAN-25139
+
+* Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.3-6
+- remove BR: device-mapper-devel, minor spec file changes
+- Related: RHELPLAN-25139
+
+* Sat Dec 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.3-5
+- Ensure volumes reacquire locks on state refresh (thanks Matt Heon)
+- Related: RHELPLAN-25139
+
+* Fri Nov 29 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.3-4
+- use the file events logger backend if systemd isn't available
+  (thanks to Giuseppe Scrivano)
+- Related: RHELPLAN-25139
+
+* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.3-3
+- require slirp4netns >= 0.4.0-1
+- Resolves: #1766774
+
+* Tue Nov 19 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.3-2
+- apply fix to not to fail gating tests:
+  don't parse the config for cgroup-manager default
+- don't hang while on podman run --rm - bug 1767663
+- Related: RHELPLAN-25139
+
+* Mon Nov 18 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.3-1
+- update to podman 1.6.3
+- addresses CVE-2019-18466
+- Related: RHELPLAN-25139
+
+* Fri Nov 08 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.2-6
+- fix %%gobuild macro to not to ignore BUILDTAGS
+- Related: RHELPLAN-25139
+
+* Tue Nov 05 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.2-5
+- use btrfs_noversion to really disable BTRFS support
+- amend/reuse BUILDTAGS
+- still keep device-mapper-devel BR otherwise build fails
+  despite dm support being disabled (build scripting invokes
+  pkg-config for devmapper which is shipped by the dm-devel
+  package)
+- Related: RHELPLAN-25139
+
+* Mon Nov 04 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.2-4
+- disable BTRFS support
+- Related: RHELPLAN-25139
+
+* Mon Nov 04 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.2-3
+- split podman and conmon packages
+- drop BR: device-mapper-devel and update BRs in general
+- Related: RHELPLAN-25139
+
+* Fri Nov 01 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.2-2
+- drop oci-systemd-hook requirement
+- drop upstreamed CVE-2019-10214 patch
+- Related: RHELPLAN-25139
+
+* Tue Oct 29 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.2-1
+- update to podman 1.6.2
+
+* Wed Oct 16 2019 Jindrich Novy <jnovy@redhat.com> - 1.4.2-6
+- fix build with --nocheck (#1721394)
+- escape commented out macros
+
+* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.4.2-5
+- Fix CVE-2019-10214 (#1734649).
+
+* Tue Sep 03 2019 Jindrich Novy <jnovy@redhat.com> - 1.4.2-4
+- update to latest conmon (Resolves: #1743685)
+
+* Wed Aug 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.4.2-3
+- update to v1.4.2-stable1
+- Resolves: #1741157
+
+* Wed Jun 19 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.2-2
+- Resolves: #1669197, #1705763, #1737077, #1671622, #1723879, #1730281,
+- Resolves: #1731117
+- built libpod v1.4.2-stable1
+
+* Wed Jun 19 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.2-1
+- Resolves: #1721638
+- bump to v1.4.2
+
+* Mon Jun 17 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.1-4
+- Resolves: #1720654 - update dep on libvarlink
+- Resolves: #1721247 - enable fips mode
+
+* Mon Jun 17 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.1-3
+- Resolves: #1720654 - podman requires podman-manpages
+- update dep on cni plugins >= 0.8.1-1
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.1-2
+- Resolves: #1720654 - podman-manpages obsoletes podman < 1.4.1-2
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.1-1
+- Resolves: #1720654 - bump to v1.4.1
+- bump conmon to v0.3.0
+
+* Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.4.0-1
+- Resolves: #1720654 - bump to v1.4.0
+
+* Fri Jun 07 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.3.2-2
+- Resolves: #1683217 - tests subpackage requires slirp4netns
+
+* Fri May 31 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.3.2-1
+- Resolves: #1707220 - bump to v1.3.2
+- built conmon v0.2.0
+
+* Wed Apr  3 2019 Eduardo Santiago <santiago@redhat.com> - 1.2.0-1.git3bd528e5
+- package system tests, zsh completion. Update CI tests to use new -tests pkg
+
+* Thu Feb 28 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.1.0-1.git006206a
+- bump to v1.1.0
+
+* Fri Feb 22 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.1-1.git2c74edd
+- bump to v1.0.1

 * Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
 - rebase
@ -537,4 +783,3 @@ podman release tag.

 * Wed Jan 10 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0-0.1.gitc1b2278
 - First package for Fedora
-