Compare commits
No commits in common. "c8-stream-1.0" and "c10s" have entirely different histories.
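--- a/.fmf/version
+++ b/.fmf/version
@@ -0,0 +1 @@
+1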
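--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-SOURCES/cri-o-9b1f0a0.tar.gz
-SOURCES/libpod-921f98f.tar.gz
+/*.tar.*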
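--- a/.packit.yaml
+++ b/.packit.yaml
@@ -0,0 +1,141 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+downstream_package_name: podman
+upstream_tag_template: v{version}
+
+packages:
+podman-fedora:
+pkg_tool: fedpkg
+specfile_path: rpm/podman.spec
+podman-centos:
+pkg_tool: centpkg
+specfile_path: rpm/podman.spec
+podman-rhel:
+specfile_path: rpm/podman.spec
+podman-eln:
+specfile_path: rpm/podman.spec
+
+srpm_build_deps:
+- git-archive-all
+- make
+
+actions:
+fix-spec-file:
+- "bash .packit.sh"
+
+jobs:
+- job: copr_build
+trigger: pull_request
+packages: [podman-fedora]
+notifications: &packit_build_failure_notification
+failure_comment:
+message: "Ephemeral COPR build failed. @containers/packit-build please check."
+enable_net: true
+targets:
+- fedora-development-x86_64
+- fedora-development-aarch64
+- fedora-latest-x86_64
+- fedora-latest-aarch64
+- fedora-latest-stable-x86_64
+- fedora-latest-stable-aarch64
+- fedora-40-x86_64
+- fedora-40-aarch64
+
+- job: copr_build
+trigger: pull_request
+packages: [podman-eln]
+notifications: *packit_build_failure_notification
+enable_net: true
+targets:
+fedora-eln-x86_64:
+additional_repos:
+- "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
+fedora-eln-aarch64:
+additional_repos:
+- "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
+
+- job: copr_build
+trigger: pull_request
+packages: [podman-centos]
+notifications: *packit_build_failure_notification
+enable_net: true
+targets:
+- centos-stream-9-x86_64
+- centos-stream-9-aarch64
+- centos-stream-10-x86_64
+- centos-stream-10-aarch64
+
+- job: copr_build
+trigger: pull_request
+packages: [podman-rhel]
+notifications: *packit_build_failure_notification
+enable_net: true
+targets:
+- epel-9-x86_64
+- epel-9-aarch64
+
+# Run on commit to main branch
+- job: copr_build
+trigger: commit
+packages: [podman-fedora]
+notifications:
+failure_comment:
+message: "podman-next COPR build failed. @containers/packit-build please check."
+branch: main
+owner: rhcontainerbot
+project: podman-next
+enable_net: true
+
+- job: tests
+identifier: cockpit-revdeps
+trigger: pull_request
+packages: [podman-fedora]
+notifications:
+failure_comment:
+message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check."
+targets:
+- fedora-latest-stable
+- fedora-development
+tf_extra_params:
+environments:
+- artifacts:
+- type: repository-file
+id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo
+- type: repository-file
+id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+tmt:
+context:
+revdeps: "yes"
+
+- job: propose_downstream
+trigger: release
+update_release: false
+packages: [podman-fedora]
+dist_git_branches: &fedora_targets
+- fedora-all
+
+- job: propose_downstream
+trigger: release
+update_release: false
+packages: [podman-centos]
+dist_git_branches:
+- c10s
+
+- job: koji_build
+trigger: commit
+sidetag_group: podman-releases
+dist_git_branches: *fedora_targets
+
+- job: bodhi_update
+trigger: koji_build
+sidetag_group: podman-releases
+# Dependencies are not rpm dependencies, but packages that should go in the
+# same bodhi update
+# Ref: https://packit.dev/docs/fedora-releases-guide/releasing-multiple-packages
+dependencies:
+- buildah
+- containers-common
+- skopeo
+dist_git_branches: *fedora_targets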
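Review bot: All five `copr_build` jobs set `enable_net: true`, including the four triggered by `pull_request`, so RPM builds of not-yet-reviewed changes run with network access and may fetch inputs that are not pinned in the repository or the source archive. If the sources are fully vendored, `enable_net: false` would be the safer setting on the pull-request jobs; otherwise a comment above the first job stating what the build has to download would document the exception. The `tests` job also enables two rolling COPR repositories through `repository-file` artifacts, so the test environment installs whatever those projects currently publish, and that trust dependency deserves a comment as well. The `fix-spec-file` action runs `bash .packit.sh`, whose content is not part of this section, so what it executes at SRPM time cannot be judged from here.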
@ -1,2 +0,0 @@
|
|||||||
b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
|
|
||||||
14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz
|
|
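--- a/README.packit
+++ b/README.packit
@@ -0,0 +1,3 @@
+This repository is maintained by packit.
+https://packit.dev/
+The file was generated using packit 0.101.0.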
@ -1,31 +0,0 @@
|
|||||||
From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Heon <mheon@redhat.com>
|
|
||||||
Date: Fri, 19 Feb 2021 11:34:39 -0500
|
|
||||||
Subject: [PATCH] Only drop all caps in exec when non-root
|
|
||||||
|
|
||||||
We were dropping too many capabilities otherwise, which broke
|
|
||||||
some critical system tools (e.g. useradd) in exec sessions.
|
|
||||||
|
|
||||||
Fix RHBZ#1930552
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
||||||
---
|
|
||||||
libpod/oci_conmon_linux.go | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
|
|
||||||
index d5973a1a6..18ede031e 100644
|
|
||||||
--- a/libpod/oci.go
|
|
||||||
+++ b/libpod/oci.go
|
|
||||||
@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
|
|
||||||
pspec.Capabilities.Effective = []string{}
|
|
||||||
if privileged {
|
|
||||||
pspec.Capabilities.Bounding = allCaps
|
|
||||||
- } else {
|
|
||||||
+ } else if execUser.Uid != 0 {
|
|
||||||
pspec.Capabilities.Bounding = []string{}
|
|
||||||
}
|
|
||||||
pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,23 +0,0 @@
|
|||||||
From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Heon <mheon@redhat.com>
|
|
||||||
Date: Thu, 24 Sep 2020 10:42:13 -0400
|
|
||||||
Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
||||||
---
|
|
||||||
cmd/podman/sigproxy.go | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
|
|
||||||
index 16861bad04..92d7f4e4a9 100644
|
|
||||||
--- a/cmd/podman/sigproxy.go
|
|
||||||
+++ b/cmd/podman/sigproxy.go
|
|
||||||
@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
|
|
||||||
for s := range sigBuffer {
|
|
||||||
// Ignore SIGCHLD and SIGPIPE - these are mostly likely
|
|
||||||
// intended for the podman command itself.
|
|
||||||
- if s == signal.SIGCHLD || s == signal.SIGPIPE {
|
|
||||||
+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: TomSweeneyRedHat <tsweeney@redhat.com>
|
|
||||||
Date: Tue, 24 Mar 2020 20:10:22 -0400
|
|
||||||
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
|
|
||||||
|
|
||||||
Stealing @nalind 's workaround to avoid refetching
|
|
||||||
content after a file read failure. Under the right
|
|
||||||
circumstances that could be a symlink to a file meant
|
|
||||||
to overwrite a good file with bad data.
|
|
||||||
|
|
||||||
Testing:
|
|
||||||
```
|
|
||||||
goodstuff
|
|
||||||
|
|
||||||
[1] 14901
|
|
||||||
|
|
||||||
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
|
||||||
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
|
||||||
no FROM statement found
|
|
||||||
|
|
||||||
goodstuff
|
|
||||||
```
|
|
||||||
|
|
||||||
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|
||||||
---
|
|
||||||
imagebuildah/util.go | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
|
|
||||||
--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
|
|
||||||
+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
|
|
||||||
@@ -12,6 +12,7 @@ import (
|
|
||||||
|
|
||||||
"github.com/containers/buildah"
|
|
||||||
"github.com/containers/storage/pkg/chrootarchive"
|
|
||||||
+ "github.com/containers/storage/pkg/ioutils"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
)
|
|
||||||
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
|
|
||||||
}
|
|
||||||
dockerfile := filepath.Join(dir, "Dockerfile")
|
|
||||||
// Assume this is a Dockerfile
|
|
||||||
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
|
|
||||||
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
|
|
||||||
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,319 +0,0 @@
|
|||||||
From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Heon <mheon@redhat.com>
|
|
||||||
Date: Mon, 25 Jan 2021 14:18:07 -0500
|
|
||||||
Subject: [PATCH] Correct handling of capabilities
|
|
||||||
|
|
||||||
Ensure that capabilities are properly handled for non-root users
|
|
||||||
in privileged containers. We do not want to give full caps, but
|
|
||||||
instead only CapInh and CapEff (others should be all-zeroes).
|
|
||||||
|
|
||||||
Fixing `podman run` is easy - the same code as the Podman 1.6 fix
|
|
||||||
works there. The `podman exec` command is far more challenging.
|
|
||||||
Exec received a complete rewrite to use Conmon at some point
|
|
||||||
before Podman 1.6, and gained many capabilities in the process.
|
|
||||||
One of those was the ability to actually tweak the capabilities
|
|
||||||
of the exec process - 1.0 did not have that. Since it was needed
|
|
||||||
to resolve this CVE, I was forced to backport a large bit of the
|
|
||||||
1.0 -> 1.6 exec changes (passing a Process block to the OCI
|
|
||||||
runtime, and using `prepareProcessExec()` to prepare said block).
|
|
||||||
I am honestly uncomfortable with the size and scope of this
|
|
||||||
change but I don't see another way around this.
|
|
||||||
|
|
||||||
Fixes CVE-2021-20188
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
||||||
---
|
|
||||||
libpod/container_api.go | 24 +------
|
|
||||||
libpod/oci.go | 148 ++++++++++++++++++++++++++++++++--------
|
|
||||||
pkg/spec/spec.go | 8 +++
|
|
||||||
3 files changed, 132 insertions(+), 48 deletions(-)
|
|
||||||
|
|
||||||
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
|
|
||||||
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig 2019-02-11 16:26:46.000000000 +0100
|
|
||||||
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go 2021-02-12 10:38:48.767172399 +0100
|
|
||||||
@@ -2,7 +2,6 @@ package libpod
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
- "fmt"
|
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
|
||||||
"strconv"
|
|
||||||
@@ -11,9 +10,7 @@ import (
|
|
||||||
|
|
||||||
"github.com/containers/libpod/libpod/driver"
|
|
||||||
"github.com/containers/libpod/pkg/inspect"
|
|
||||||
- "github.com/containers/libpod/pkg/lookup"
|
|
||||||
"github.com/containers/storage/pkg/stringid"
|
|
||||||
- "github.com/docker/docker/daemon/caps"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
|
||||||
@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
|
|
||||||
// TODO allow specifying streams to attach to
|
|
||||||
// TODO investigate allowing exec without attaching
|
|
||||||
func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
|
|
||||||
- var capList []string
|
|
||||||
-
|
|
||||||
locked := false
|
|
||||||
if !c.batched {
|
|
||||||
locked = true
|
|
||||||
@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
|
|
||||||
if conState != ContainerStateRunning {
|
|
||||||
return errors.Errorf("cannot exec into container that is not running")
|
|
||||||
}
|
|
||||||
- if privileged || c.config.Privileged {
|
|
||||||
- capList = caps.GetAllCapabilities()
|
|
||||||
- }
|
|
||||||
|
|
||||||
- // If user was set, look it up in the container to get a UID to use on
|
|
||||||
- // the host
|
|
||||||
- hostUser := ""
|
|
||||||
- if user != "" {
|
|
||||||
- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
|
|
||||||
- if err != nil {
|
|
||||||
- return err
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- // runc expects user formatted as uid:gid
|
|
||||||
- hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
|
|
||||||
- }
|
|
||||||
+ isPrivileged := privileged || c.config.Privileged
|
|
||||||
|
|
||||||
// Generate exec session ID
|
|
||||||
// Ensure we don't conflict with an existing session ID
|
|
||||||
@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
|
|
||||||
|
|
||||||
logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
|
|
||||||
|
|
||||||
- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
|
|
||||||
+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
|
|
||||||
if err != nil {
|
|
||||||
return errors.Wrapf(err, "error exec %s", c.ID())
|
|
||||||
}
|
|
||||||
+ defer os.Remove(processFile)
|
|
||||||
chWait := make(chan error)
|
|
||||||
go func() {
|
|
||||||
chWait <- execCmd.Wait()
|
|
||||||
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
|
|
||||||
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig 2019-02-11 16:26:46.000000000 +0100
|
|
||||||
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go 2021-02-12 10:38:48.768172416 +0100
|
|
||||||
@@ -15,10 +15,12 @@ import (
|
|
||||||
"syscall"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
+ "github.com/containers/libpod/pkg/lookup"
|
|
||||||
"github.com/containers/libpod/pkg/rootless"
|
|
||||||
"github.com/containers/libpod/pkg/util"
|
|
||||||
"github.com/coreos/go-systemd/activation"
|
|
||||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
|
||||||
+ "github.com/docker/docker/daemon/caps"
|
|
||||||
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
||||||
"github.com/opencontainers/selinux/go-selinux"
|
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
|
||||||
@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
|
|
||||||
// TODO: Add --detach support
|
|
||||||
// TODO: Convert to use conmon
|
|
||||||
// TODO: add --pid-file and use that to generate exec session tracking
|
|
||||||
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
|
|
||||||
+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
|
|
||||||
if len(cmd) == 0 {
|
|
||||||
- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
|
|
||||||
+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
|
|
||||||
}
|
|
||||||
|
|
||||||
if sessionID == "" {
|
|
||||||
- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
|
|
||||||
+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
|
|
||||||
}
|
|
||||||
|
|
||||||
runtimeDir, err := util.GetRootlessRuntimeDir()
|
|
||||||
if err != nil {
|
|
||||||
- return nil, err
|
|
||||||
+ return nil, "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return nil, "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
args := []string{}
|
|
||||||
@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
|
|
||||||
|
|
||||||
args = append(args, "exec")
|
|
||||||
|
|
||||||
- if cwd != "" {
|
|
||||||
- args = append(args, "--cwd", cwd)
|
|
||||||
- }
|
|
||||||
+ args = append(args, "--process", processFile)
|
|
||||||
|
|
||||||
args = append(args, "--pid-file", c.execPidPath(sessionID))
|
|
||||||
|
|
||||||
- if tty {
|
|
||||||
- args = append(args, "--tty")
|
|
||||||
- } else {
|
|
||||||
- args = append(args, "--tty=false")
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if user != "" {
|
|
||||||
- args = append(args, "--user", user)
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if c.config.Spec.Process.NoNewPrivileges {
|
|
||||||
args = append(args, "--no-new-privs")
|
|
||||||
}
|
|
||||||
|
|
||||||
- for _, cap := range capAdd {
|
|
||||||
- args = append(args, "--cap", cap)
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- for _, envVar := range env {
|
|
||||||
- args = append(args, "--env", envVar)
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
// Append container ID and command
|
|
||||||
args = append(args, c.ID())
|
|
||||||
args = append(args, cmd...)
|
|
||||||
@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
|
|
||||||
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
|
|
||||||
|
|
||||||
if err := execCmd.Start(); err != nil {
|
|
||||||
- return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
|
|
||||||
+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
|
|
||||||
}
|
|
||||||
|
|
||||||
- return execCmd, nil
|
|
||||||
+ return execCmd, processFile, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// execStopContainer stops all active exec sessions in a container
|
|
||||||
@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
|
|
||||||
args = append(args, ctr.ID())
|
|
||||||
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+// prepareProcessExec returns the path of the process.json used in runc exec -p.
|
|
||||||
+// Returns path to the created exec process file. This will need to be removed
|
|
||||||
+// by the caller when they're done, best effort.
|
|
||||||
+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
|
|
||||||
+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
|
|
||||||
+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+ defer f.Close()
|
|
||||||
+
|
|
||||||
+ pspec := c.config.Spec.Process
|
|
||||||
+ pspec.SelinuxLabel = c.config.ProcessLabel
|
|
||||||
+ pspec.Args = cmd
|
|
||||||
+ // We need to default this to false else it will inherit terminal as true
|
|
||||||
+ // from the container.
|
|
||||||
+ pspec.Terminal = false
|
|
||||||
+ if tty {
|
|
||||||
+ pspec.Terminal = true
|
|
||||||
+ }
|
|
||||||
+ if len(env) > 0 {
|
|
||||||
+ pspec.Env = append(pspec.Env, env...)
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if cwd != "" {
|
|
||||||
+ pspec.Cwd = cwd
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ var addGroups []string
|
|
||||||
+ var sgids []uint32
|
|
||||||
+
|
|
||||||
+ // if the user is empty, we should inherit the user that the container is currently running with
|
|
||||||
+ if user == "" {
|
|
||||||
+ user = c.config.User
|
|
||||||
+ addGroups = c.config.Groups
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if len(addGroups) > 0 {
|
|
||||||
+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // If user was set, look it up in the container to get a UID to use on
|
|
||||||
+ // the host
|
|
||||||
+ if user != "" || len(sgids) > 0 {
|
|
||||||
+ if user != "" {
|
|
||||||
+ for _, sgid := range execUser.Sgids {
|
|
||||||
+ sgids = append(sgids, uint32(sgid))
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ processUser := spec.User{
|
|
||||||
+ UID: uint32(execUser.Uid),
|
|
||||||
+ GID: uint32(execUser.Gid),
|
|
||||||
+ AdditionalGids: sgids,
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pspec.User = processUser
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ allCaps := caps.GetAllCapabilities()
|
|
||||||
+ pspec.Capabilities.Effective = []string{}
|
|
||||||
+ if privileged {
|
|
||||||
+ pspec.Capabilities.Bounding = allCaps
|
|
||||||
+ } else {
|
|
||||||
+ pspec.Capabilities.Bounding = []string{}
|
|
||||||
+ }
|
|
||||||
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
|
|
||||||
+ if execUser.Uid == 0 {
|
|
||||||
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
|
|
||||||
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
|
|
||||||
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
|
|
||||||
+ } else {
|
|
||||||
+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective
|
|
||||||
+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ hasHomeSet := false
|
|
||||||
+ for _, s := range pspec.Env {
|
|
||||||
+ if strings.HasPrefix(s, "HOME=") {
|
|
||||||
+ hasHomeSet = true
|
|
||||||
+ break
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if !hasHomeSet {
|
|
||||||
+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ processJSON, err := json.Marshal(pspec)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return filename, nil
|
|
||||||
+}
|
|
||||||
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
|
|
||||||
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig 2019-02-11 16:26:46.000000000 +0100
|
|
||||||
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go 2021-02-12 10:38:48.768172416 +0100
|
|
||||||
@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
g.SetupPrivileged(true)
|
|
||||||
+ if config.User != "" {
|
|
||||||
+ user := strings.SplitN(config.User, ":", 2)[0]
|
|
||||||
+ if user != "root" && user != "0" {
|
|
||||||
+ g.Spec().Process.Capabilities.Effective = []string{}
|
|
||||||
+ g.Spec().Process.Capabilities.Permitted = []string{}
|
|
||||||
+ g.Spec().Process.Capabilities.Ambient = []string{}
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
// HANDLE SECCOMP
|
|
@ -1,540 +0,0 @@
|
|||||||
%global with_debug 1
|
|
||||||
%global with_check 0
|
|
||||||
|
|
||||||
%if 0%{?with_debug}
|
|
||||||
%global _find_debuginfo_dwz_opts %{nil}
|
|
||||||
%global _dwz_low_mem_die_limit 0
|
|
||||||
%else
|
|
||||||
%global debug_package %{nil}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%define gobuild(o:) \
|
|
||||||
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
|
|
||||||
%define gogenerate go generate
|
|
||||||
|
|
||||||
%if 0%{?rhel} > 7 || 0%{?fedora}
|
|
||||||
%bcond_without varlink
|
|
||||||
%else
|
|
||||||
%bcond_with varlink
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%global provider github
|
|
||||||
%global provider_tld com
|
|
||||||
%global project containers
|
|
||||||
%global repo libpod
|
|
||||||
# https://github.com/containers/libpod
|
|
||||||
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
|
|
||||||
%global import_path %{provider_prefix}
|
|
||||||
%global git_podman https://%{provider}.%{provider_tld}/%{project}/%{repo}
|
|
||||||
%global commit 921f98f8795eb9fcb19ce581020cfdeff6dee09f
|
|
||||||
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
|
||||||
|
|
||||||
%global import_path_conmon github.com/kubernetes-sigs/cri-o
|
|
||||||
%global git_conmon https://%{import_path_conmon}
|
|
||||||
%global commit_conmon 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2
|
|
||||||
%global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7})
|
|
||||||
|
|
||||||
Name: podman
|
|
||||||
Version: 1.0.0
|
|
||||||
Release: 8.git%{shortcommit}%{?dist}
|
|
||||||
Summary: Manage Pods, Containers and Container Images
|
|
||||||
License: ASL 2.0
|
|
||||||
URL: %{git_podman}
|
|
||||||
Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
|
|
||||||
Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz
|
|
||||||
# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
|
|
||||||
# backported: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
|
|
||||||
Patch0: podman-CVE-2020-10696.patch
|
|
||||||
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1882267
|
|
||||||
# patch: https://github.com/mheon/libpod/commit/bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea.patch
|
|
||||||
Patch1: podman-1882267.patch
|
|
||||||
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1918285
|
|
||||||
Patch2: podman-CVE-2021-20188.patch
|
|
||||||
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1930552
|
|
||||||
Patch3: 0001-Only-drop-all-caps-in-exec-when-non-root.patch
|
|
||||||
|
|
||||||
# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
|
|
||||||
#ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}}
|
|
||||||
ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
|
|
||||||
# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
|
|
||||||
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
|
|
||||||
BuildRequires: device-mapper-devel
|
|
||||||
BuildRequires: glib2-devel
|
|
||||||
BuildRequires: glibc-devel
|
|
||||||
BuildRequires: glibc-static
|
|
||||||
BuildRequires: git
|
|
||||||
BuildRequires: go-md2man
|
|
||||||
BuildRequires: gpgme-devel
|
|
||||||
BuildRequires: libassuan-devel
|
|
||||||
BuildRequires: libgpg-error-devel
|
|
||||||
BuildRequires: libseccomp-devel
|
|
||||||
BuildRequires: libselinux-devel
|
|
||||||
BuildRequires: ostree-devel
|
|
||||||
BuildRequires: pkgconfig
|
|
||||||
Requires: runc
|
|
||||||
Requires: containers-common >= 0.1.29-3
|
|
||||||
# can't use default conmon right now, so we ship our own
|
|
||||||
#Requires: conmon
|
|
||||||
Requires: containernetworking-plugins >= 0.7.3-5
|
|
||||||
Requires: iptables
|
|
||||||
Requires: nftables
|
|
||||||
Requires: oci-systemd-hook
|
|
||||||
Recommends: container-selinux
|
|
||||||
Recommends: slirp4netns
|
|
||||||
Recommends: fuse-overlayfs
|
|
||||||
|
|
||||||
# vendored libraries
|
|
||||||
# awk '{print "Provides: bundled(golang("$1")) = "$2}' vendor.conf | sort
|
|
||||||
# [thanks to Carl George <carl@george.computer> for containerd.spec]
|
|
||||||
Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
|
|
||||||
Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
|
|
||||||
Provides: bundled(golang(github.com/boltdb/bolt)) = master
|
|
||||||
Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3
|
|
||||||
Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0
|
|
||||||
Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b
|
|
||||||
Provides: bundled(golang(github.com/containerd/continuity)) = master
|
|
||||||
Provides: bundled(golang(github.com/containernetworking/cni)) = v0.7.0-alpha1
|
|
||||||
Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
|
|
||||||
Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418
|
|
||||||
Provides: bundled(golang(github.com/containers/psgo)) = 382fc951fe0a8aba62043862ce1a56f77524db87
|
|
||||||
Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
|
|
||||||
Provides: bundled(golang(github.com/coreos/go-systemd)) = v14
|
|
||||||
Provides: bundled(golang(github.com/cri-o/ocicni)) = master
|
|
||||||
Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1
|
|
||||||
Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0
|
|
||||||
Provides: bundled(golang(github.com/docker/distribution)) = 7a8efe719e55bbfaff7bc5718cdf0ed51ca821df
|
|
||||||
Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00
|
|
||||||
Provides: bundled(golang(github.com/docker/docker-credential-helpers)) = d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
|
|
||||||
Provides: bundled(golang(github.com/docker/go-connections)) = 3ede32e2033de7505e6500d6c868c2b9ed9f169d
|
|
||||||
Provides: bundled(golang(github.com/docker/go-units)) = v0.3.2
|
|
||||||
Provides: bundled(golang(github.com/docker/libtrust)) = aabc10ec26b754e797f9028f4589c5b7bd90dc20
|
|
||||||
Provides: bundled(golang(github.com/docker/spdystream)) = ed496381df8283605c435b86d4fdd6f4f20b8c6e
|
|
||||||
Provides: bundled(golang(github.com/fatih/camelcase)) = f6a740d52f961c60348ebb109adde9f4635d7540
|
|
||||||
Provides: bundled(golang(github.com/fsnotify/fsnotify)) = 7d7316ed6e1ed2de075aab8dfc76de5d158d66e1
|
|
||||||
Provides: bundled(golang(github.com/fsouza/go-dockerclient)) = master
|
|
||||||
Provides: bundled(golang(github.com/ghodss/yaml)) = 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
|
|
||||||
Provides: bundled(golang(github.com/godbus/dbus)) = a389bdde4dd695d414e47b755e95e72b7826432c
|
|
||||||
Provides: bundled(golang(github.com/gogo/protobuf)) = c0656edd0d9eab7c66d1eb0c568f9039345796f7
|
|
||||||
Provides: bundled(golang(github.com/golang/glog)) = 23def4e6c14b4da8ac2ed8007337bc5eb5007998
|
|
||||||
Provides: bundled(golang(github.com/golang/groupcache)) = b710c8433bd175204919eb38776e944233235d03
|
|
||||||
Provides: bundled(golang(github.com/golang/protobuf)) = 4bd1920723d7b7c925de087aa32e2187708897f7
|
|
||||||
Provides: bundled(golang(github.com/googleapis/gnostic)) = 0c5108395e2debce0d731cf0287ddf7242066aba
|
|
||||||
Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c
|
|
||||||
Provides: bundled(golang(github.com/gorilla/context)) = v1.1
|
|
||||||
Provides: bundled(golang(github.com/gorilla/mux)) = v1.3.0
|
|
||||||
Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55
|
|
||||||
Provides: bundled(golang(github.com/hashicorp/golang-lru)) = 0a025b7e63adc15a622f29b0b2c4c3848243bbf6
|
|
||||||
Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe4df460eeb6f30841ae47d4c4
|
|
||||||
Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2
|
|
||||||
Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0
|
|
||||||
Provides: bundled(golang(github.com/kr/pty)) = v1.0.0
|
|
||||||
Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1
|
|
||||||
Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a
|
|
||||||
Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982
|
|
||||||
Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1
|
|
||||||
Provides: bundled(golang(github.com/mrunalp/fileutils)) = master
|
|
||||||
Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9
|
|
||||||
Provides: bundled(golang(github.com/Nvveen/Gotty)) = master
|
|
||||||
Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0-rc0
|
|
||||||
Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0
|
|
||||||
Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
|
|
||||||
Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0
|
|
||||||
Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = 625e2322645b151a7cbb93a8b42920933e72167f
|
|
||||||
Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a
|
|
||||||
Provides: bundled(golang(github.com/openshift/imagebuilder)) = master
|
|
||||||
Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master
|
|
||||||
Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
|
|
||||||
Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2
|
|
||||||
Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
|
|
||||||
Provides: bundled(golang(github.com/projectatomic/buildah)) = 35a37f36d37bf84397d7f79f6bb8649f728c19f1
|
|
||||||
Provides: bundled(golang(github.com/seccomp/containers-golang)) = master
|
|
||||||
Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0
|
|
||||||
Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
|
|
||||||
Provides: bundled(golang(github.com/spf13/pflag)) = 9ff6c6923cfffbcd502984b8e0c80539a94968b7
|
|
||||||
Provides: bundled(golang(github.com/stretchr/testify)) = 4d4bfba8f1d1027c4fdbe371823030df51419987
|
|
||||||
Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b3855136a2642b197bad7366ba
|
|
||||||
Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
|
|
||||||
Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4
|
|
||||||
Provides: bundled(golang(github.com/ulule/deepcopier)) = master
|
|
||||||
# version can't have '-'
|
|
||||||
#Provides: bundled(golang(github.com/urfave/cli)) = fix-short-opts-parsing
|
|
||||||
Provides: bundled(golang(github.com/varlink/go)) = master
|
|
||||||
Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2
|
|
||||||
Provides: bundled(golang(github.com/vishvananda/netlink)) = master
|
|
||||||
Provides: bundled(golang(github.com/vishvananda/netns)) = master
|
|
||||||
Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = master
|
|
||||||
Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = master
|
|
||||||
Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = master
|
|
||||||
Provides: bundled(golang(golang.org/x/crypto)) = 81e90905daefcd6fd217b62423c0908922eadb30
|
|
||||||
Provides: bundled(golang(golang.org/x/net)) = c427ad74c6d7a814201695e9ffde0c5d400a7674
|
|
||||||
Provides: bundled(golang(golang.org/x/sys)) = master
|
|
||||||
Provides: bundled(golang(golang.org/x/text)) = f72d8390a633d5dfb0cc84043294db9f6c935756
|
|
||||||
Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631
|
|
||||||
Provides: bundled(golang(google.golang.org/grpc)) = v1.0.4
|
|
||||||
Provides: bundled(golang(gopkg.in/cheggaaa/pb.v1)) = v1.0.7
|
|
||||||
Provides: bundled(golang(gopkg.in/inf.v0)) = v0.9.0
|
|
||||||
Provides: bundled(golang(gopkg.in/mgo.v2)) = v2
|
|
||||||
Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = v2.1.3
|
|
||||||
Provides: bundled(golang(gopkg.in/yaml.v2)) = v2
|
|
||||||
Provides: bundled(golang(k8s.io/api)) = 5ce4aa0bf2f097f6021127b3d879eeda82026be8
|
|
||||||
Provides: bundled(golang(k8s.io/apiextensions-apiserver)) = 1b31e26d82f1ec2e945c560790e98f34bb5f2e63
|
|
||||||
Provides: bundled(golang(k8s.io/apimachinery)) = 616b23029fa3dc3e0ccefd47963f5651a6543d94
|
|
||||||
Provides: bundled(golang(k8s.io/apiserver)) = 4d1163080139f1f9094baf8a3a6099e85e1867f6
|
|
||||||
Provides: bundled(golang(k8s.io/client-go)) = 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e
|
|
||||||
Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee5560b555ac9
|
|
||||||
Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e
|
|
||||||
|
|
||||||
%description
|
|
||||||
%{summary}
|
|
||||||
libpod provides a library for applications looking to use
|
|
||||||
the Container Pod concept popularized by Kubernetes.
|
|
||||||
|
|
||||||
%package docker
|
|
||||||
Summary: Emulate Docker CLI using podman
|
|
||||||
BuildArch: noarch
|
|
||||||
Requires: %{name} = %{version}-%{release}
|
|
||||||
Conflicts: docker
|
|
||||||
Provides : docker
|
|
||||||
Conflicts: docker-latest
|
|
||||||
Conflicts: docker-ce
|
|
||||||
Conflicts: docker-ee
|
|
||||||
|
|
||||||
%description docker
|
|
||||||
This package installs a script named docker that emulates the Docker CLI by
|
|
||||||
executing %{name} commands, it also creates links between all Docker CLI man
|
|
||||||
pages and %{name}.
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%autosetup -Sgit -n %{repo}-%{commit}
|
|
||||||
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
|
|
||||||
|
|
||||||
# untar cri-o
|
|
||||||
tar zxf %{SOURCE1}
|
|
||||||
|
|
||||||
%build
|
|
||||||
mkdir -p $(pwd)/_build
|
|
||||||
pushd $(pwd)/_build
|
|
||||||
mkdir -p src/%{provider}.%{provider_tld}/%{project}
|
|
||||||
ln -s ../../../../ src/%{import_path}
|
|
||||||
popd
|
|
||||||
ln -s vendor src
|
|
||||||
|
|
||||||
export GOPATH=$(pwd):$(pwd)/_build
|
|
||||||
export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
|
|
||||||
%gobuild -o bin/%{name} %{import_path}/cmd/%{name}
|
|
||||||
|
|
||||||
# build conmon
|
|
||||||
pushd cri-o-%{commit_conmon}
|
|
||||||
mkdir _output
|
|
||||||
pushd _output
|
|
||||||
mkdir -p src/%{provider}.%{provider_tld}/{kubernetes-sigs,opencontainers}
|
|
||||||
ln -s $(dirs +1 -l) src/%{import_path_conmon}
|
|
||||||
popd
|
|
||||||
|
|
||||||
ln -s vendor src
|
|
||||||
export GOPATH=$(pwd):$(pwd)/_output
|
|
||||||
export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)"
|
|
||||||
%gobuild -o bin/crio-config %{import_path_conmon}/cmd/crio-config
|
|
||||||
cd conmon && ../bin/crio-config
|
|
||||||
%{__make} all
|
|
||||||
popd
|
|
||||||
|
|
||||||
%install
|
|
||||||
install -dp %{buildroot}{%{_unitdir}
|
|
||||||
%{__make} PREFIX=%{buildroot}%{_usr} ETCDIR=%{buildroot}%{_sysconfdir} \
|
|
||||||
install.bin \
|
|
||||||
install.man \
|
|
||||||
install.cni \
|
|
||||||
install.systemd \
|
|
||||||
install.completions \
|
|
||||||
install.docker
|
|
||||||
|
|
||||||
# install libpod.conf
|
|
||||||
install -dp %{buildroot}%{_datadir}/containers
|
|
||||||
install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers
|
|
||||||
|
|
||||||
# install conmon
|
|
||||||
install -dp %{buildroot}%{_libexecdir}/%{name}
|
|
||||||
install -p -m 755 cri-o-%{commit_conmon}/bin/conmon %{buildroot}%{_libexecdir}/%{name}
|
|
||||||
|
|
||||||
%check
|
|
||||||
%if 0%{?with_check}
|
|
||||||
ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
|
|
||||||
export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
|
||||||
|
|
||||||
%gotest %{import_path}/cmd/%{name}
|
|
||||||
%gotest %{import_path}/libkpod
|
|
||||||
%gotest %{import_path}/libpod
|
|
||||||
%gotest %{import_path}/pkg/registrar
|
|
||||||
%endif
|
|
||||||
|
|
||||||
#define license tag if not already defined
|
|
||||||
%{!?_licensedir:%global license %doc}
|
|
||||||
|
|
||||||
%files
|
|
||||||
%license LICENSE
|
|
||||||
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
|
|
||||||
%{_bindir}/%{name}
|
|
||||||
%{_mandir}/man1/podman*.1*
|
|
||||||
%{_mandir}/man5/*.5*
|
|
||||||
%{_datadir}/bash-completion/completions/*
|
|
||||||
%{_libexecdir}/%{name}/conmon
|
|
||||||
%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
|
|
||||||
%{_datadir}/containers/%{repo}.conf
|
|
||||||
%{_unitdir}/io.%{name}.service
|
|
||||||
%{_unitdir}/io.%{name}.socket
|
|
||||||
%{_usr}/lib/tmpfiles.d/%{name}.conf
|
|
||||||
|
|
||||||
%files docker
|
|
||||||
%{_bindir}/docker
|
|
||||||
%{_mandir}/man1/docker*.1*
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
* Mon Mar 01 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-8.git921f98f
|
|
||||||
- fix "podman can not create user inside of container" regression introduced by
|
|
||||||
patch for CVE-2021-20188
|
|
||||||
- Related: #1918285
|
|
||||||
|
|
||||||
* Fri Feb 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-7.git921f98f
|
|
||||||
- fix CVE-2021-20188
|
|
||||||
- Resolves: #1918285
|
|
||||||
|
|
||||||
* Thu Sep 24 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-6.git921f98f
|
|
||||||
- fix "podman run errors out/segfaults in container-tools-1.0-8.3.0"
|
|
||||||
- Resolves: #1882267
|
|
||||||
|
|
||||||
* Fri Jun 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-5.git921f98f
|
|
||||||
- bump release to preserve upgrade path
|
|
||||||
- Resolves: #1821193
|
|
||||||
|
|
||||||
* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-4.git921f98f
|
|
||||||
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
|
|
||||||
- Resolves: #1818122
|
|
||||||
|
|
||||||
* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-3.git921f98f
|
|
||||||
- rebuild because of CVE-2019-9512 and CVE-2019-9514
|
|
||||||
- Resolves: #1766294, #1766322
|
|
||||||
|
|
||||||
* Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-2.git921f98f
|
|
||||||
- rebase
|
|
||||||
|
|
||||||
* Tue Jan 15 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-1.git82e8011
|
|
||||||
- rebase to v1, yay!
|
|
||||||
- rebase conmon to 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2
|
|
||||||
- Resolves:#1623282
|
|
||||||
- python interface removed, moved to https://github.com/containers/python-podman/
|
|
||||||
|
|
||||||
* Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.12.1.2-4.git9551f6b
|
|
||||||
- re-enable debuginfo
|
|
||||||
|
|
||||||
* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.12.1.2-3.git9551f6b
|
|
||||||
- python libraries added
|
|
||||||
- resolves: #1657180
|
|
||||||
|
|
||||||
* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.12.1.2-2.git9551f6b
|
|
||||||
- rebase
|
|
||||||
|
|
||||||
* Mon Dec 17 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11.1.1-3.git594495d
|
|
||||||
- go tools not in scl anymore
|
|
||||||
|
|
||||||
* Mon Nov 19 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11.1.1-2.git594495d
|
|
||||||
- fedora-like buildrequires go toolset
|
|
||||||
|
|
||||||
* Sat Nov 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.11.1.1-1.git594495d
|
|
||||||
- Resolves: #1636230 - build with FIPS enabled golang toolchain
|
|
||||||
- bump to v0.11.1.1
|
|
||||||
- built commit 594495d
|
|
||||||
|
|
||||||
* Fri Nov 16 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.11.1-3.gita4adfe5
|
|
||||||
- podman-docker provides docker
|
|
||||||
- Resolves: #1650355
|
|
||||||
|
|
||||||
* Thu Nov 15 2018 Lumír Balhar <lbalhar@redhat.com> - 0.11.1-2.gita4adfe5
|
|
||||||
- Require platform-python-setuptools instead of python3-setuptools
|
|
||||||
- Resolves: rhbz#1650144
|
|
||||||
|
|
||||||
* Tue Nov 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.11.1-1.gita4adfe5
|
|
||||||
- bump to v0.11.1
|
|
||||||
- built libpod commit a4adfe5
|
|
||||||
- built conmon from cri-o commit 464dba6
|
|
||||||
|
|
||||||
* Fri Oct 19 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-5.gitdb08685
|
|
||||||
- Resolves: #1625384 - keep BR: device-mapper-devel but don't build with it
|
|
||||||
- not having device-mapper-devel seems to have brew not recognize %%{_unitdir}
|
|
||||||
|
|
||||||
* Thu Oct 18 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-4.gitdb08685
|
|
||||||
- Resolves: #1625384 - correctly add buildtags to remove devmapper
|
|
||||||
|
|
||||||
* Thu Oct 18 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-3.gitdb08685
|
|
||||||
- Resolves: #1625384 - build without device-mapper-devel (no podman support) and lvm2
|
|
||||||
|
|
||||||
* Wed Oct 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-2.gitdb08685
|
|
||||||
- Resolves: #1625384 - depend on lvm2
|
|
||||||
|
|
||||||
* Wed Oct 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.3-1.gitdb08685
|
|
||||||
- Resolves: #1640298 - update vendored buildah to allow building when there are
|
|
||||||
running containers
|
|
||||||
- bump to v0.10.1.3
|
|
||||||
- built podman commit db08685
|
|
||||||
|
|
||||||
* Wed Oct 17 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.2-1.git2b4f8d1
|
|
||||||
- Resolves: #1625378
|
|
||||||
- bump to v0.10.1.2
|
|
||||||
- built podman commit 2b4f8d1
|
|
||||||
|
|
||||||
* Tue Oct 16 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1.1-1.git4bea3e9
|
|
||||||
- bump to v0.10.1.1
|
|
||||||
- built podman commit 4bea3e9
|
|
||||||
|
|
||||||
* Thu Oct 11 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.10.1-1.gite4a1553
|
|
||||||
- bump podman to v0.10.1
|
|
||||||
- built podman commit e4a1553
|
|
||||||
- built conmon from cri-o commit a30f93c
|
|
||||||
|
|
||||||
* Tue Oct 09 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.3.1-4.git1cd906d
|
|
||||||
- rebased cri-o to 1.11.6
|
|
||||||
|
|
||||||
* Wed Sep 26 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.3.1-3.git1cd906d
|
|
||||||
- rebase
|
|
||||||
|
|
||||||
* Tue Sep 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.2-2.git37a2afe
|
|
||||||
- rebase to podman 0.9.2
|
|
||||||
- rebase to cri-o 0.11.4
|
|
||||||
|
|
||||||
* Tue Sep 11 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.9.1.1-2.git123de30
|
|
||||||
- rebase
|
|
||||||
|
|
||||||
* Mon Aug 27 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.4-1.git9f9b8cf
|
|
||||||
- bump to v0.8.4
|
|
||||||
- built commit 9f9b8cf
|
|
||||||
- upstream username changed from projectatomic to containers
|
|
||||||
- use containernetworking-plugins >= 0.7.3-5
|
|
||||||
|
|
||||||
* Mon Aug 13 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.2.1-2.git7a526bb
|
|
||||||
- Resolves: #1615607 - rebuild with gobuild tag 'no_openssl'
|
|
||||||
|
|
||||||
* Sun Aug 12 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.2.1-1.git7a526bb
|
|
||||||
- Upstream 0.8.2.1 release
|
|
||||||
- Add support for podman-docker
|
|
||||||
Resolves: rhbz#1615104
|
|
||||||
|
|
||||||
* Fri Aug 10 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.2-1.dev.git8b2d38e
|
|
||||||
- Resolves: #1614710 - podman search name includes registry
|
|
||||||
- bump to v0.8.2-dev
|
|
||||||
- built libpod commit 8b2d38e
|
|
||||||
- built conmon from cri-o commit acc0ee7
|
|
||||||
|
|
||||||
* Wed Aug 8 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.1-2.git6b4ab2a
|
|
||||||
- Add recommends for slirp4netns and container-selinux
|
|
||||||
|
|
||||||
* Tue Aug 07 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.8.1-2.git6b4ab2a
|
|
||||||
- bump to v0.8.1
|
|
||||||
- use %%go{build,generate} instead of go build and go generate
|
|
||||||
- update go deps to use scl-ized builds
|
|
||||||
- No need for Makefile patch for python installs
|
|
||||||
|
|
||||||
* Sat Aug 4 2018 Dan Walsh <dwalsh@redhat.com> - 0.8.1-1.git6b4ab2a
|
|
||||||
- Bump to v0.8.1
|
|
||||||
|
|
||||||
* Wed Aug 1 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.4-2.git079121
|
|
||||||
- podman should not require atomic-registries
|
|
||||||
|
|
||||||
* Tue Jul 24 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.7.4-1.dev.git9a18681
|
|
||||||
- bump to v0.7.4-dev
|
|
||||||
- built commit 9a18681
|
|
||||||
|
|
||||||
* Sat Jul 21 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.3-2.git079121
|
|
||||||
- Turn on ostree support
|
|
||||||
- Upstream 0.7.3
|
|
||||||
|
|
||||||
* Sat Jul 14 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.2-2.git4ca4c5f
|
|
||||||
- Upstream 0.7.2 release
|
|
||||||
|
|
||||||
* Wed Jul 11 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.7.1-3.git84cfdb2
|
|
||||||
- rebuilt
|
|
||||||
|
|
||||||
* Wed Jul 11 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0.7.1-2.git84cfdb2
|
|
||||||
- rebase to 84cfdb2
|
|
||||||
|
|
||||||
* Sun Jul 08 2018 Dan Walsh <dwalsh@redhat.com> - 0.7.1-1.git802d4f2
|
|
||||||
- Upstream 0.7.1 release
|
|
||||||
|
|
||||||
* Mon Jun 25 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.4-2.gitd5beb2f
|
|
||||||
- disable devel and unittest subpackages
|
|
||||||
- include conditionals for rhel-8.0
|
|
||||||
|
|
||||||
* Fri Jun 22 2018 Dan Walsh <dwalsh@redhat.com> - 0.6.4-1.gitd5beb2f
|
|
||||||
- do not compress debuginfo with dwz to support delve debugger
|
|
||||||
|
|
||||||
* Mon Jun 04 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.1-3.git3e0ff12
|
|
||||||
- do not compress debuginfo with dwz to support delve debugger
|
|
||||||
|
|
||||||
* Mon Jun 04 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.1-2.git3e0ff12
|
|
||||||
- bash completion shouldn't have shebang
|
|
||||||
|
|
||||||
* Mon Jun 04 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.6.1-1.git3e0ff12
|
|
||||||
- Resolves: #1584429 - drop capabilities when running a container as non-root
|
|
||||||
- bump to v0.6.1
|
|
||||||
- built podman commit 3e0ff12
|
|
||||||
- built conmon from cri-o commit 1c0c3b0
|
|
||||||
- drop containernetworking-plugins subpackage, it's now split out into a standalone
|
|
||||||
package
|
|
||||||
|
|
||||||
* Fri Apr 27 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-4.gitb51d327
|
|
||||||
- Resolves: #1572538 - build host-device and portmap plugins
|
|
||||||
|
|
||||||
* Thu Apr 12 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-3.gitb51d327
|
|
||||||
- correct dep on containernetworking-plugins
|
|
||||||
|
|
||||||
* Thu Apr 12 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-2.gitb51d327
|
|
||||||
- add containernetworking-plugins v0.7.0 as a subpackage (podman dep)
|
|
||||||
- release tag for the containernetworking-plugins is actually gotten from
|
|
||||||
podman release tag.
|
|
||||||
|
|
||||||
* Wed Apr 11 2018 Lokesh Mandvekar <lsm5@redhat.com> - 0.4.1-1.gitb51d327
|
|
||||||
- bump to v0.4.1
|
|
||||||
- built commit b51d327
|
|
||||||
|
|
||||||
* Wed Mar 14 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0.3.3-1.dev.gitbc358eb
|
|
||||||
- built podman commit bc358eb
|
|
||||||
- built conmon from cri-o commit 712f3b8
|
|
||||||
|
|
||||||
* Fri Mar 09 2018 baude <bbaude@redhat.com> - 0.3.2-1.gitf79a39a
|
|
||||||
- Release 0.3.2-1
|
|
||||||
|
|
||||||
* Sun Mar 04 2018 baude <bbaude@redhat.com> - 0.3.1-2.git98b95ff
|
|
||||||
- Correct RPM version
|
|
||||||
|
|
||||||
* Fri Mar 02 2018 baude <bbaude@redhat.com> - 0.3.1-1-gitc187538
|
|
||||||
- Release 0.3.1-1
|
|
||||||
|
|
||||||
* Sun Feb 25 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.2.2-2.git525e3b1
|
|
||||||
- Build on ARMv7 too (Fedora supports containers on that arch too)
|
|
||||||
|
|
||||||
* Fri Feb 23 2018 baude <bbaude@redhat.com> - 0.2.2-1.git525e3b1
|
|
||||||
- Release 0.2.2
|
|
||||||
|
|
||||||
* Fri Feb 16 2018 baude <bbaude@redhat.com> - 0.2.1-1.git3d0100b
|
|
||||||
- Release 0.2.1
|
|
||||||
|
|
||||||
* Wed Feb 14 2018 baude <bbaude@redhat.com> - 0.2-3.git3d0100b
|
|
||||||
- Add dep for atomic-registries
|
|
||||||
|
|
||||||
* Tue Feb 13 2018 baude <bbaude@redhat.com> - 0.2-2.git3d0100b
|
|
||||||
- Add more 64bit arches
|
|
||||||
- Add containernetworking-cni dependancy
|
|
||||||
- Add iptables dependancy
|
|
||||||
|
|
||||||
* Mon Feb 12 2018 baude <bbaude@redhat.com> - 0-2.1.git3d0100
|
|
||||||
- Release 0.2
|
|
||||||
|
|
||||||
* Tue Feb 06 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0-0.3.git367213a
|
|
||||||
- Resolves: #1541554 - first official build
|
|
||||||
- built commit 367213a
|
|
||||||
|
|
||||||
* Fri Feb 02 2018 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0-0.2.git0387f69
|
|
||||||
- built commit 0387f69
|
|
||||||
|
|
||||||
* Wed Jan 10 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 0-0.1.gitc1b2278
|
|
||||||
- First package for Fedora
|
|
||||||
|
|
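--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+# recipients: jnovy, lsm5, santiago
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}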
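--- a/plans/basic.fmf
+++ b/plans/basic.fmf
@@ -0,0 +1,8 @@
+summary: Check basic functionality
+discover:
+how: fmf
+execute:
+how: tmt
+prepare:
+how: feature
+epel: enabled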
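Review bot: The `prepare` step enables EPEL (`how: feature`, `epel: enabled`) without saying which test dependency needs it, so the gating run installs packages from a repository outside the RHEL content set with no record of why. Judging from the spec in this same change, where the tests subpackage has `Requires: bats` only under `%if %{defined fedora}`, the likely reason is bats, but that is an inference. I would add a comment above `prepare:` such as `# EPEL is enabled only to provide <package> for the system tests`, naming the actual package, so the dependency can be dropped or pinned once it is available from the distribution repositories.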
375
podman.spec
Normal file
375
podman.spec
Normal file
@ -0,0 +1,375 @@
|
|||||||
|
%global with_debug 1
|
||||||
|
|
||||||
|
%if 0%{?with_debug}
|
||||||
|
%global _find_debuginfo_dwz_opts %{nil}
|
||||||
|
%global _dwz_low_mem_die_limit 0
|
||||||
|
%else
|
||||||
|
%global debug_package %{nil}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%global import_path github.com/containers/podman
|
||||||
|
%global branch v5.2-rhel
|
||||||
|
%global commit0 e40738bd34f1776356494522d129846fee357299
|
||||||
|
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||||
|
|
||||||
|
# RHEL's default %%gobuild macro doesn't account for the BUILDTAGS variable, so we
|
||||||
|
# set it separately here and do not depend on RHEL's go-[s]rpm-macros package
|
||||||
|
# until that's fixed.
|
||||||
|
# c9s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227328
|
||||||
|
%if %{defined rhel} && 0%{?rhel} < 10
|
||||||
|
%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%global gomodulesmode GO111MODULE=on
|
||||||
|
|
||||||
|
%if %{defined rhel}
|
||||||
|
# _user_tmpfiles.d currently undefined on rhel
|
||||||
|
%global _user_tmpfilesdir %{_datadir}/user-tmpfiles.d
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{defined fedora}
|
||||||
|
%define build_with_btrfs 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{defined copr_username}
|
||||||
|
%define copr_build 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%global container_base_path github.com/containers
|
||||||
|
%global container_base_url https://%{container_base_path}
|
||||||
|
|
||||||
|
# For LDFLAGS
|
||||||
|
%global ld_project %{container_base_path}/%{name}/v5
|
||||||
|
%global ld_libpod %{ld_project}/libpod
|
||||||
|
|
||||||
|
# %%{name}
|
||||||
|
%global git0 %{container_base_url}/%{name}
|
||||||
|
|
||||||
|
Name: podman
|
||||||
|
%if %{defined copr_build}
|
||||||
|
Epoch: 102
|
||||||
|
%else
|
||||||
|
Epoch: 6
|
||||||
|
%endif
|
||||||
|
# DO NOT TOUCH the Version string!
|
||||||
|
# The TRUE source of this specfile is:
|
||||||
|
# https://github.com/containers/podman/blob/main/rpm/podman.spec
|
||||||
|
# If that's what you're reading, Version must be 0, and will be updated by Packit for
|
||||||
|
# copr and koji builds.
|
||||||
|
# If you're reading this on dist-git, the version is automatically filled in by Packit.
|
||||||
|
Version: 5.2.2
|
||||||
|
# The `AND` needs to be uppercase in the License for SPDX compatibility
|
||||||
|
License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
|
||||||
|
Release: 3%{?dist}
|
||||||
|
%if %{defined golang_arches_future}
|
||||||
|
ExclusiveArch: %{golang_arches_future}
|
||||||
|
%else
|
||||||
|
ExclusiveArch: aarch64 ppc64le s390x x86_64
|
||||||
|
%endif
|
||||||
|
Summary: Manage Pods, Containers and Container Images
|
||||||
|
URL: https://%{name}.io/
|
||||||
|
# All SourceN files fetched from upstream
|
||||||
|
%if 0%{?branch:1}
|
||||||
|
Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
|
||||||
|
%else
|
||||||
|
Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Provides: %{name}-manpages = %{epoch}:%{version}-%{release}
|
||||||
|
BuildRequires: %{_bindir}/envsubst
|
||||||
|
%if %{defined build_with_btrfs}
|
||||||
|
BuildRequires: btrfs-progs-devel
|
||||||
|
%endif
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: glib2-devel
|
||||||
|
BuildRequires: glibc-devel
|
||||||
|
BuildRequires: glibc-static
|
||||||
|
BuildRequires: golang
|
||||||
|
BuildRequires: git-core
|
||||||
|
%if %{undefined rhel} || 0%{?rhel} >= 10
|
||||||
|
BuildRequires: go-rpm-macros
|
||||||
|
%endif
|
||||||
|
BuildRequires: gpgme-devel
|
||||||
|
BuildRequires: libassuan-devel
|
||||||
|
BuildRequires: libgpg-error-devel
|
||||||
|
BuildRequires: libseccomp-devel
|
||||||
|
BuildRequires: libselinux-devel
|
||||||
|
BuildRequires: shadow-utils-subid-devel
|
||||||
|
BuildRequires: pkgconfig
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: man-db
|
||||||
|
BuildRequires: ostree-devel
|
||||||
|
BuildRequires: systemd
|
||||||
|
BuildRequires: systemd-devel
|
||||||
|
Requires: catatonit
|
||||||
|
Requires: conmon >= 2:2.1.7-2
|
||||||
|
%if %{defined fedora} && 0%{?fedora} >= 40
|
||||||
|
# TODO: Remove the f40 conditional after a few releases to keep conditionals to
|
||||||
|
# a minimum
|
||||||
|
# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2269148
|
||||||
|
Requires: containers-common-extra >= 5:0.58.0-1
|
||||||
|
%else
|
||||||
|
Requires: containers-common-extra
|
||||||
|
%endif
|
||||||
|
Provides: %{name}-quadlet
|
||||||
|
Obsoletes: %{name}-quadlet <= 5:4.4.0-1
|
||||||
|
Provides: %{name}-quadlet = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
|
%description
|
||||||
|
%{name} (Pod Manager) is a fully featured container engine that is a simple
|
||||||
|
daemonless tool. %{name} provides a Docker-CLI comparable command line that
|
||||||
|
eases the transition from other container engines and allows the management of
|
||||||
|
pods, containers and images. Simply put: alias docker=%{name}.
|
||||||
|
Most %{name} commands can be run as a regular user, without requiring
|
||||||
|
additional privileges.
|
||||||
|
|
||||||
|
%{name} uses Buildah(1) internally to create container images.
|
||||||
|
Both tools share image (not container) storage, hence each can use or
|
||||||
|
manipulate images (but not containers) created by the other.
|
||||||
|
|
||||||
|
|
||||||
|
%package docker
|
||||||
|
Summary: Emulate Docker CLI using %{name}
|
||||||
|
BuildArch: noarch
|
||||||
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||||
|
Conflicts: docker
|
||||||
|
Conflicts: docker-latest
|
||||||
|
Conflicts: docker-ce
|
||||||
|
Conflicts: docker-ee
|
||||||
|
Conflicts: moby-engine
|
||||||
|
|
||||||
|
%description docker
|
||||||
|
This package installs a script named docker that emulates the Docker CLI by
|
||||||
|
executes %{name} commands, it also creates links between all Docker CLI man
|
||||||
|
pages and %{name}.
|
||||||
|
|
||||||
|
%package tests
|
||||||
|
Summary: Tests for %{name}
|
||||||
|
|
||||||
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||||
|
%if %{defined fedora}
|
||||||
|
Requires: bats
|
||||||
|
%endif
|
||||||
|
Requires: jq
|
||||||
|
Requires: skopeo
|
||||||
|
Requires: nmap-ncat
|
||||||
|
Requires: httpd-tools
|
||||||
|
Requires: openssl
|
||||||
|
Requires: socat
|
||||||
|
Requires: buildah
|
||||||
|
Requires: gnupg
|
||||||
|
|
||||||
|
%description tests
|
||||||
|
%{summary}
|
||||||
|
|
||||||
|
This package contains system tests for %{name}
|
||||||
|
|
||||||
|
%package remote
|
||||||
|
Summary: (Experimental) Remote client for managing %{name} containers
|
||||||
|
|
||||||
|
%description remote
|
||||||
|
Remote client for managing %{name} containers.
|
||||||
|
|
||||||
|
This experimental remote client is under heavy development. Please do not
|
||||||
|
run %{name}-remote in production.
|
||||||
|
|
||||||
|
%{name}-remote uses the version 2 API to connect to a %{name} client to
|
||||||
|
manage pods, containers and container images. %{name}-remote supports ssh
|
||||||
|
connections as well.
|
||||||
|
|
||||||
|
%package -n %{name}sh
|
||||||
|
Summary: Confined login and user shell using %{name}
|
||||||
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||||
|
Provides: %{name}-shell = %{epoch}:%{version}-%{release}
|
||||||
|
Provides: %{name}-%{name}sh = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
|
%description -n %{name}sh
|
||||||
|
%{name}sh provides a confined login and user shell with access to volumes and
|
||||||
|
capabilities specified in user quadlets.
|
||||||
|
|
||||||
|
It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
|
||||||
|
when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
|
||||||
|
|
||||||
|
%package machine
|
||||||
|
Summary: Metapackage for setting up %{name} machine
|
||||||
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: gvisor-tap-vsock
|
||||||
|
Recommends: qemu
|
||||||
|
Requires: virtiofsd
|
||||||
|
|
||||||
|
%description machine
|
||||||
|
This subpackage installs the dependencies for %{name} machine, for more see:
|
||||||
|
https://docs.podman.io/en/latest/markdown/podman-machine.1.html
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%if 0%{?branch:1}
|
||||||
|
%autosetup -Sgit -n containers-%{name}-%{shortcommit0}
|
||||||
|
%else
|
||||||
|
%autosetup -Sgit -n %{name}-%{commit0}
|
||||||
|
%endif
|
||||||
|
sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
|
||||||
|
|
||||||
|
# cgroups-v1 is supported on rhel9
|
||||||
|
%if 0%{?rhel} == 9
|
||||||
|
sed -i '/DELETE ON RHEL9/,/DELETE ON RHEL9/d' libpod/runtime.go
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# These changes are only meant for copr builds
|
||||||
|
%if %{defined copr_build}
|
||||||
|
# podman --version should show short sha
|
||||||
|
sed -i "s/^const RawVersion = .*/const RawVersion = \"##VERSION##-##SHORT_SHA##\"/" version/rawversion/version.go
|
||||||
|
# use ParseTolerant to allow short sha in version
|
||||||
|
sed -i "s/^var Version.*/var Version, err = semver.ParseTolerant(rawversion.RawVersion)/" version/version.go
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%build
|
||||||
|
%set_build_flags
|
||||||
|
export CGO_CFLAGS=$CFLAGS
|
||||||
|
|
||||||
|
# These extra flags present in $CFLAGS have been skipped for now as they break the build
|
||||||
|
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
|
||||||
|
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
|
||||||
|
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
|
||||||
|
|
||||||
|
%ifarch x86_64
|
||||||
|
export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
|
||||||
|
%endif
|
||||||
|
|
||||||
|
export GOPROXY=direct
|
||||||
|
|
||||||
|
LDFLAGS="-X %{ld_libpod}/define.buildInfo=${SOURCE_DATE_EPOCH:-$(date +%s)} \
|
||||||
|
-X %{ld_libpod}/config._installPrefix=%{_prefix} \
|
||||||
|
-X %{ld_libpod}/config._etcDir=%{_sysconfdir} \
|
||||||
|
-X %{ld_project}/pkg/systemd/quadlet._binDir=%{_bindir}"
|
||||||
|
|
||||||
|
# build rootlessport first
|
||||||
|
%gobuild -o bin/rootlessport ./cmd/rootlessport
|
||||||
|
|
||||||
|
export BASEBUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/systemd_tag.sh) $(hack/libsubid_tag.sh)"
|
||||||
|
|
||||||
|
# build %%{name}
|
||||||
|
export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh)"
|
||||||
|
%gobuild -o bin/%{name} ./cmd/%{name}
|
||||||
|
|
||||||
|
# build %%{name}-remote
|
||||||
|
export BUILDTAGS="$BASEBUILDTAGS exclude_graphdriver_btrfs btrfs_noversion remote"
|
||||||
|
%gobuild -o bin/%{name}-remote ./cmd/%{name}
|
||||||
|
|
||||||
|
# build quadlet
|
||||||
|
export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)"
|
||||||
|
%gobuild -o bin/quadlet ./cmd/quadlet
|
||||||
|
|
||||||
|
# build %%{name}-testing
|
||||||
|
export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)"
|
||||||
|
%gobuild -o bin/podman-testing ./cmd/podman-testing
|
||||||
|
|
||||||
|
# reset LDFLAGS for plugins binaries
|
||||||
|
LDFLAGS=''
|
||||||
|
|
||||||
|
%{__make} docs docker-docs
|
||||||
|
|
||||||
|
%install
|
||||||
|
install -dp %{buildroot}%{_unitdir}
|
||||||
|
PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDIR=%{_sysconfdir} \
|
||||||
|
install.bin \
|
||||||
|
install.man \
|
||||||
|
install.systemd \
|
||||||
|
install.completions \
|
||||||
|
install.docker \
|
||||||
|
install.docker-docs \
|
||||||
|
install.remote \
|
||||||
|
install.testing
|
||||||
|
|
||||||
|
# Only need this on Fedora until nftables becomes the default
|
||||||
|
%if %{defined fedora}
|
||||||
|
%{__make} DESTDIR=%{buildroot} MODULESLOADDIR=%{_modulesloaddir} install.modules-load
|
||||||
|
%endif
|
||||||
|
|
||||||
|
sed -i 's;%{buildroot};;g' %{buildroot}%{_bindir}/docker
|
||||||
|
|
||||||
|
# do not include docker and podman-remote man pages in main package
|
||||||
|
for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e %{name}sh.1 -e remote -e docker`; do
|
||||||
|
echo "$file*" >> %{name}.file-list
|
||||||
|
done
|
||||||
|
|
||||||
|
rm -f %{buildroot}%{_mandir}/man5/docker*.5
|
||||||
|
|
||||||
|
install -d -p %{buildroot}%{_datadir}/%{name}/test/system
|
||||||
|
cp -pav test/system %{buildroot}%{_datadir}/%{name}/test/
|
||||||
|
|
||||||
|
# symlink virtiofsd in %%{name} libexecdir for machine subpackage
|
||||||
|
ln -s ../virtiofsd %{buildroot}%{_libexecdir}/%{name}
|
||||||
|
|
||||||
|
#define license tag if not already defined
|
||||||
|
%{!?_licensedir:%global license %doc}
|
||||||
|
|
||||||
|
%files -f %{name}.file-list
|
||||||
|
%license LICENSE vendor/modules.txt
|
||||||
|
%doc README.md CONTRIBUTING.md install.md transfer.md
|
||||||
|
%{_bindir}/%{name}
|
||||||
|
%dir %{_libexecdir}/%{name}
|
||||||
|
%{_libexecdir}/%{name}/rootlessport
|
||||||
|
%{_libexecdir}/%{name}/quadlet
|
||||||
|
%{_datadir}/bash-completion/completions/%{name}
|
||||||
|
# By "owning" the site-functions dir, we don't need to Require zsh
|
||||||
|
%dir %{_datadir}/zsh/site-functions
|
||||||
|
%{_datadir}/zsh/site-functions/_%{name}
|
||||||
|
%dir %{_datadir}/fish/vendor_completions.d
|
||||||
|
%{_datadir}/fish/vendor_completions.d/%{name}.fish
|
||||||
|
%{_unitdir}/%{name}*
|
||||||
|
%{_userunitdir}/%{name}*
|
||||||
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
|
%{_systemdgeneratordir}/%{name}-system-generator
|
||||||
|
%{_systemdusergeneratordir}/%{name}-user-generator
|
||||||
|
%if %{defined fedora}
|
||||||
|
%{_modulesloaddir}/%{name}-iptables.conf
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files docker
|
||||||
|
%{_bindir}/docker
|
||||||
|
%{_mandir}/man1/docker*.1*
|
||||||
|
%{_sysconfdir}/profile.d/%{name}-docker.*
|
||||||
|
%{_tmpfilesdir}/%{name}-docker.conf
|
||||||
|
%{_user_tmpfilesdir}/%{name}-docker.conf
|
||||||
|
|
||||||
|
%files remote
|
||||||
|
%license LICENSE
|
||||||
|
%{_bindir}/%{name}-remote
|
||||||
|
%{_mandir}/man1/%{name}-remote*.*
|
||||||
|
%{_datadir}/bash-completion/completions/%{name}-remote
|
||||||
|
%dir %{_datadir}/fish/vendor_completions.d
|
||||||
|
%{_datadir}/fish/vendor_completions.d/%{name}-remote.fish
|
||||||
|
%dir %{_datadir}/zsh/site-functions
|
||||||
|
%{_datadir}/zsh/site-functions/_%{name}-remote
|
||||||
|
|
||||||
|
%files tests
|
||||||
|
%{_bindir}/%{name}-testing
|
||||||
|
%{_datadir}/%{name}/test
|
||||||
|
|
||||||
|
%files -n %{name}sh
|
||||||
|
%{_bindir}/%{name}sh
|
||||||
|
%{_mandir}/man1/%{name}sh.1*
|
||||||
|
|
||||||
|
%files machine
|
||||||
|
%dir %{_libexecdir}/%{name}
|
||||||
|
%{_libexecdir}/%{name}/virtiofsd
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Mon Nov 11 2024 Jindrich Novy <jnovy@redhat.com> - 6:5.2.2-3
|
||||||
|
- update to the latest content of https://github.com/containers/podman/tree/v5.2-rhel
|
||||||
|
(https://github.com/containers/podman/commit/e40738b)
|
||||||
|
- Resolves: RHEL-61858
|
||||||
|
|
||||||
|
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 6:5.2.2-2
|
||||||
|
- Bump release for October 2024 mass rebuild:
|
||||||
|
Resolves: RHEL-64018
|
||||||
|
|
||||||
|
* Wed Oct 09 2024 Jindrich Novy <jnovy@redhat.com> - 6:5.2.2-1
|
||||||
|
- stick to v5.2-rhel upstream branch for RHEL
|
||||||
|
- update to the latest content of https://github.com/containers/podman/tree/v5.2-rhel
|
||||||
|
(https://github.com/containers/podman/commit/458f9b4)
|
||||||
|
- Related: RHEL-58990
|
||||||
|
|
||||||
|
* Tue Oct 08 2024 Jindrich Novy <jnovy@redhat.com> - 5:5.2.4-1
|
||||||
|
- update to https://github.com/containers/podman/releases/tag/v5.2.4
|
||||||
|
- Related: RHEL-61719
|
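--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (v5.2-rhel-e40738b.tar.gz) = 27667061b263a9b626fccefcde42cf1e9c88c9c48820be3f4f5e5cae7ca74bef34f0ddbeef0e7fffcdaa3dfc03628e385d99b55c727769f76c511b20dbe2150f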
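--- a/tests/main.fmf
+++ b/tests/main.fmf
@@ -0,0 +1,2 @@
+require:
+- podman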
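--- a/tests/roles/bats_installed/tasks/main.yml
+++ b/tests/roles/bats_installed/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+# Sigh; RHEL8 doesn't have BATS
+- name: bats | fetch and unpack tarball
+unarchive:
+src: https://github.com/bats-core/bats-core/archive/v1.11.0.tar.gz
+dest: /root
+remote_src: true
+
+- name: bats | install
+command: ./install.sh /usr/local
+args:
+chdir: /root/bats-core-1.11.0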
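Review bot: The `unarchive` task fetches the bats-core tarball from GitHub and unpacks it into /root with no integrity check, and the following task runs its `install.sh` (presumably as root), so whatever that URL serves at test time is executed. The `unarchive` module has no checksum option; downloading with `get_url` and a pinned `checksum:` first, then unpacking the local file, closes that gap. The digest below is a placeholder to be replaced with the value computed from a verified copy of the v1.11.0 archive.

```yaml
- name: bats | fetch tarball
  get_url:
    url: https://github.com/bats-core/bats-core/archive/v1.11.0.tar.gz
    dest: /root/bats-core-1.11.0.tar.gz
    # placeholder: pin the digest of a verified copy of the archive
    checksum: "sha256:<SHA256_OF_VERIFIED_TARBALL>"

- name: bats | unpack tarball
  unarchive:
    src: /root/bats-core-1.11.0.tar.gz
    dest: /root
    remote_src: true
# … unchanged: bats | install task …
```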
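--- a/tests/roles/rootless_user/tasks/main.yml
+++ b/tests/roles/rootless_user/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: create rootless user
+user:
+name: testuser
+shell: /bin/bash
+- name: enable linger
+command: loginctl enable-linger testuser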
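Review bot: The `enable linger` task is not idempotent: `command: loginctl enable-linger testuser` reports "changed" on every run because the command module cannot tell that linger is already enabled. Adding `args:` with `creates: /var/lib/systemd/linger/testuser` lets Ansible skip the command once systemd has recorded the linger state for that user.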
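--- a/tests/roles/run_bats_tests/files/run_bats_tests.sh
+++ b/tests/roles/run_bats_tests/files/run_bats_tests.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
+#
+# This is invoked by the 'run_bats_tests' role; we assume that
+# the package foo has a foo-tests subpackage which provides the
+# directory /usr/share/foo/test/system, containing one or more .bats
+# test files.
+#
+
+export PATH=/usr/local/bin:/usr/sbin:/usr/bin
+
+FULL_LOG=/tmp/test.debug.log
+BATS_LOG=/tmp/test.bats.log
+rm -f $FULL_LOG $BATS_LOG
+touch $FULL_LOG $BATS_LOG
+
+exec &> $FULL_LOG
+
+# Log program versions
+echo "Packages:"
+rpm -q ${TEST_PACKAGE} ${TEST_PACKAGE}-tests
+
+echo "------------------------------"
+printenv | sort
+
+testdir=/usr/share/${TEST_PACKAGE}/test/system
+
+if ! cd $testdir; then
+echo "FAIL ${TEST_NAME} : cd $testdir" >> /tmp/test.log
+exit 0
+fi
+
+if [ -e /tmp/helper.sh ]; then
+echo "------------------------------"
+echo ". /tmp/helper.sh"
+. /tmp/helper.sh
+fi
+
+if [ "$(type -t setup)" = "function" ]; then
+echo "------------------------------"
+echo "\$ setup"
+setup
+if [ $? -ne 0 ]; then
+echo "FAIL ${TEST_NAME} : setup" >> /tmp/test.log
+exit 0
+fi
+fi
+
+echo "------------------------------"
+echo "\$ bats ."
+bats . &> $BATS_LOG
+rc=$?
+
+echo "------------------------------"
+echo "bats completed with status $rc"
+
+status=PASS
+if [ $rc -ne 0 ]; then
+status=FAIL
+fi
+
+echo "${status} ${TEST_NAME}" >> /tmp/test.log
+
+if [ "$(type -t teardown)" = "function" ]; then
+echo "------------------------------"
+echo "\$ teardown"
+teardown
+fi
+
+# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
+exit 0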
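Review bot: Every file this script trusts is a fixed name in the world-writable /tmp: it sources `/tmp/helper.sh` whenever that file exists and redirects all output with `exec &> $FULL_LOG` to `/tmp/test.debug.log`. The "podman root" entry presumably runs this with root privileges, so a file or symlink left at one of those names by another local account would be sourced or written through by the privileged run. Having the role create a private directory (for example `workdir=$(mktemp -d)`) and pass its path in through the environment would remove that dependency. The same fixed paths appear in tests/roles/run_bats_tests/tasks/main.yml (`/tmp/test.log`, created with `mode=0666`) and in run_one_test.yml (`dest=/tmp/helper.sh`), which would need to follow. Quoting the expansions, e.g. `cd "$testdir"` and `rm -f "$FULL_LOG" "$BATS_LOG"`, is worth doing in the same pass.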
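--- a/tests/roles/run_bats_tests/tasks/main.yml
+++ b/tests/roles/run_bats_tests/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+# Create empty results file, world-writable
+- name: initialize test.log file
+copy: dest=/tmp/test.log content='' force=yes mode=0666
+
+- name: execute tests
+include: run_one_test.yml
+with_items: "{{ tests }}"
+loop_control:
+loop_var: test
+
+- name: pull test.log results
+fetch:
+src: "/tmp/test.log"
+dest: "{{ artifacts }}/test.log"
+flat: yes
+
+# Copied from standard-test-basic
+- name: check results
+shell: grep "^FAIL" /tmp/test.log
+register: test_fails
+# Never fail at this step. Just store result of tests.
+failed_when: False
+
+- name: preserve results
+set_fact:
+role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
+role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
+
+- name: display results
+vars:
+msg: |
+Tests failed: {{ role_result_failed|d('Undefined') }}
+Tests msg: {{ role_result_msg|d('None') }}
+debug:
+msg: "{{ msg.split('\n') }}"
+failed_when: "role_result_failed|bool"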
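Review bot: The `execute tests` task uses the bare `include:` action, which is deprecated and is no longer accepted by recent ansible-core releases; `include_tasks: run_one_test.yml` is the drop-in replacement and keeps `with_items` and `loop_control` working. The `check results` task only needs an exit status from a single program, so `command: grep "^FAIL" /tmp/test.log` avoids going through a shell. In the same file, `flat: yes` and `failed_when: False` read more predictably as `flat: true` and `failed_when: false`.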
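--- a/tests/roles/run_bats_tests/tasks/run_one_test.yml
+++ b/tests/roles/run_bats_tests/tasks/run_one_test.yml
@@ -0,0 +1,52 @@
+---
+- name: "{{ test.name }} | install test packages"
+dnf: name="{{ test.package }}-tests" state=installed
+
+- name: "{{ test.name }} | define helper variables"
+set_fact:
+test_name_oneword: "{{ test.name | replace(' ','-') }}"
+
+# UGH. This is necessary because our caller sets some environment variables
+# and we need to set a few more based on other caller variables; then we
+# need to combine the two dicts when running the test. This seems to be
+# the only way to do it in ansible.
+- name: "{{ test.name }} | define local environment"
+set_fact:
+local_environment:
+TEST_NAME: "{{ test.name }}"
+TEST_PACKAGE: "{{ test.package }}"
+TEST_ENV: "{{ test.environment }}"
+
+- name: "{{ test.name }} | setup/teardown helper | see if exists"
+local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
+register: helper
+
+- name: "{{ test.name }} | setup/teardown helper | install"
+copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
+when: helper.stat.exists
+
+- name: "{{ test.name }} | run test"
+script: ./run_bats_tests.sh
+args:
+chdir: /usr/share/{{ test.package }}/test/system
+become: "{{ true if test.become is defined else false }}"
+become_user: testuser
+environment: "{{ local_environment | combine(test.environment) }}"
+
+- name: "{{ test.name }} | pull logs"
+fetch:
+src: "/tmp/test.{{ item }}.log"
+dest: "{{ artifacts }}/test.{{ test_name_oneword }}.{{ item }}.log"
+flat: yes
+with_items:
+- bats
+- debug
+
+- name: "{{ test.name }} | remove remote logs and helpers"
+file:
+dest=/tmp/{{ item }}
+state=absent
+with_items:
+- test.bats.log
+- test.debug.log
+- helper.sh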
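Review bot: The `run test` task sets `become: "{{ true if test.become is defined else false }}"`, which only checks that the key exists, so a test entry written with `become: false` would still be switched to `testuser`. Using the value itself, `become: "{{ test.become | default(false) | bool }}"`, behaves the same for the entries in tests/tests.yml and honours an explicit false. `TEST_ENV: "{{ test.environment }}"` and `combine(test.environment)` also assume every test defines `environment`; `test.environment | default({})` in both places would make the key optional.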
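--- a/tests/smoke.fmf
+++ b/tests/smoke.fmf
@@ -0,0 +1,2 @@
+summary: Execute a simple command
+test: podman run -t --rm fedora cat /etc/os-release | grep 'Fedora Linux'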
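Review bot: The smoke test pulls its image by the short name `fedora`, so the registry and the release it resolves to depend on the host's short-name aliases and registries.conf at run time. A fully qualified reference, e.g. `test: podman run -t --rm registry.fedoraproject.org/fedora cat /etc/os-release | grep 'Fedora Linux'`, makes the source explicit, and pinning a tag or digest would make the result reproducible. tests/tmt.fmf passes the same short name through `--image fedora` and would benefit from the same change.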
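--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -0,0 +1,30 @@
+---
+- hosts: localhost
+tags: classic
+vars:
+- artifacts: ./artifacts
+roles:
+- role: bats_installed
+- role: rootless_user
+- role: run_bats_tests
+tests:
+- name: podman root
+package: podman
+environment:
+PODMAN: /usr/bin/podman
+QUADLET: /usr/libexec/podman/quadlet
+PODMAN_TESTING: /usr/bin/podman-testing
+
+- name: podman rootless
+package: podman
+environment:
+PODMAN: /usr/bin/podman
+QUADLET: /usr/libexec/podman/quadlet
+PODMAN_TESTING: /usr/bin/podman-testing
+become: true
+
+#- name: podman-remote root
+#package: podman
+#environment:
+# PODMAN: /usr/bin/podman-remote
+# QUADLET: /usr/libexec/podman/quadlet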
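--- a/tests/tmt.fmf
+++ b/tests/tmt.fmf
@@ -0,0 +1,8 @@
+summary: Make sure that container provision works
+require:
+- tmt+provision-container
+test:
+tmt run --verbose --remove
+provision --how container --image fedora
+login --command 'cat /etc/os-release'
+finish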