skopeo-1.4.0-0.2.el9

- update vendored components - ship /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release only on non-RHEL and CentOS distros - Related: #1970747 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2021-08-02 09:14:26 +02:00 · 2021-08-02 09:14:26 +02:00 · 0549f5d4f9
commit 0549f5d4f9
parent c701a7c529
10 changed files with 260 additions and 172 deletions
--- a/containers-auth.json.5.md
+++ b/containers-auth.json.5.md
@ -21,9 +21,23 @@ Except the primary (read/write) file, other files are read-only, unless the user
 The auth.json file stores encrypted authentication information for the
 user to container image registries.  The file can have zero to many entries and
 is created by a `login` command from a container tool such as `podman login`,
-`buildah login` or `skopeo login`.  Each entry includes the name of the registry and then an auth
+`buildah login` or `skopeo login`. Each entry either contains a single
-token in the form of a base64 encoded string from the concatenation of the
+hostname (e.g. `docker.io`) or a namespace (e.g. `quay.io/user/image`) as a key
-username, a colon, and the password.
+and an auth token in the form of a base64 encoded string as value of `auth`. The
 token is built from the concatenation of the username, a colon, and the
 password. The registry name can additionally contain a repository name (an image
 name without tag or digest) and namespaces. The path (or namespace) is matched
 in its hierarchical order when checking for available authentications. For
 example, an image pull for `my-registry.local/namespace/user/image:latest` will
 result in a lookup in `auth.json` in the following order:
 - `my-registry.local/namespace/user/image`
 - `my-registry.local/namespace/user`
 - `my-registry.local/namespace`
 - `my-registry.local`
 This way it is possible to setup multiple credentials for a single registry
 which can be distinguished by their path.
 The following example shows the values found in auth.json after the user logged in to
 their accounts on quay.io and docker.io:
@ -41,6 +55,25 @@ their accounts on quay.io and docker.io:
 }
 ```
 This example demonstrates how to use multiple paths for a single registry, while
 preserving a fallback for `my-registry.local`:
 ```
 {
 	"auths": {
 		"my-registry.local/foo/bar/image": {
 			"auth": "…"
 		},
 		"my-registry.local/foo": {
 			"auth": "…"
 		},
 		"my-registry.local": {
 			"auth": "…"
 		},
 	}
 }
 ```
 An entry can be removed by using a `logout` command from a container
 tool such as `podman logout` or `buildah logout`.
--- a/containers-policy.json.5.md
+++ b/containers-policy.json.5.md
@ -68,7 +68,7 @@ i.e. either specifying a complete name of a tagged image, or prefix denoting
 a host/namespace/image stream or a wildcarded expression for matching all
 subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.
-*Note:* The _hostname_ and _port_ refer to the Docker registry host and port (the one used
+*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used
 e.g. for `docker pull`), _not_ to the OpenShift API host and port.
 ### `dir:`
--- a/containers-registries.conf.5.md
+++ b/containers-registries.conf.5.md
@ -39,8 +39,8 @@ Given an image name, a single `[[registry]]` TOML table is chosen based on its `
 The user-specified image name must start with the specified `prefix` (and continue
 with the appropriate separator) for a particular `[[registry]]` TOML table to be
 considered; (only) the TOML table with the longest match is used. It can
-    also include wildcarded subdomains in the format `*.example.com` along as mentioned
+also include wildcarded subdomains in the format `*.example.com`.
-    above. The wildcard should only be present at the beginning as shown in the formats
+The wildcard should only be present at the beginning as shown in the formats
 above. Other cases will not work. For example, `*.example.com` is valid but
 `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
--- a/containers-storage.conf.5.md
+++ b/containers-storage.conf.5.md
@ -174,6 +174,9 @@ The `storage.options.overlay` table supports the following options:
 **ignore_chown_errors** = "false"
  ignore_chown_errors can be set to allow a non privileged user running with a  single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids.  Note multiple UIDs will be squashed down to the default uid in the container.  These images will have no separation between the users in the container. (default: false)
 **inodes**=""
  Maximum inodes in a read/write layer.   This flag can be used to set a quota on the inodes allocated for a read/write layer of a container.
 **force_mask** = "0000|shared|private"
  ForceMask specifies the permissions mask that is used for new files and
 directories.
@ -220,7 +223,7 @@ based file systems.
  Comma separated list of default options to be used to mount container images.  Suggested value "nodev". Mount options are documented in the mount(8) man page.
 **size**=""
-  Maximum size of a container image.   This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
+  Maximum size of a read/write layer.   This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
 ### STORAGE OPTIONS FOR VFS TABLE
--- a/containers.conf
+++ b/containers.conf
@ -16,30 +16,16 @@
 [containers]
 # List of devices. Specified as
 # "<device-on-host>:<device-on-container>:<permissions>", for example:
 # "/dev/sdc:/dev/xvdc:rwm".
 # If it is empty or commented out, only the default devices will be used
 #
 # devices = []
 # List of volumes. Specified as
 # "<directory-on-host>:<directory-in-container>:<options>", for example:
 # "/db:/var/lib/db:ro".
 # If it is empty or commented out, no volumes will be added
 #
 # volumes = []
 # Used to change the name of the default AppArmor profile of container engine.
 #
 # apparmor_profile = "container-default"
 # List of annotation. Specified as
 # "key = value"
 # If it is empty or commented out, no annotations will be added
 #
 # annotations = []
 # Used to change the name of the default AppArmor profile of container engine.
 #
 # apparmor_profile = "container-default"
 # Default way to to create a cgroup namespace for the container
 # Options are:
 # `private` Create private Cgroup Namespace for the container.
@ -94,6 +80,13 @@ default_sysctls = [
 #  "nofile=1280:2560",
 # ]
 # List of devices. Specified as
 # "<device-on-host>:<device-on-container>:<permissions>", for example:
 # "/dev/sdc:/dev/xvdc:rwm".
 # If it is empty or commented out, only the default devices will be used
 #
 # devices = []
 # List of default DNS options to be added to /etc/resolv.conf inside of the container.
 #
 # dns_options = []
@ -167,6 +160,12 @@ default_sysctls = [
 #
 # log_size_max = -1
 # Specifies default format tag for container log messages.
 # This is useful for creating a specific tag for container log messages.
 # Containers logs default to truncated container ID as a tag.
 #
 # log_tag = ""
 # Default way to to create a Network namespace for the container
 # Options are:
 # `private` Create private Network Namespace for the container.
@ -180,10 +179,6 @@ default_sysctls = [
 #
 # no_hosts = false
 # Maximum number of processes allowed in a container.
 #
 # pids_limit = 2048
 # Default way to to create a PID namespace for the container
 # Options are:
 # `private` Create private PID Namespace for the container.
@ -191,6 +186,13 @@ default_sysctls = [
 #
 # pidns = "private"
 # Maximum number of processes allowed in a container.
 #
 # pids_limit = 2048
 # Indicates the networking to be used for rootless containers
 # rootless_networking = "slirp4netns"
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #
@ -212,13 +214,6 @@ default_sysctls = [
 #
 # umask = "0022"
 # Default way to to create a UTS namespace for the container
 # Options are:
 # `private`        Create private UTS Namespace for the container.
 # `host`    Share host UTS Namespace with the container.
 #
 # utsns = "private"
 # Default way to to create a User namespace for the container
 # Options are:
 # `auto`        Create unique User Namespace for the container.
@ -232,9 +227,29 @@ default_sysctls = [
 #
 # userns_size = 65536
 # Default way to to create a UTS namespace for the container
 # Options are:
 # `private`        Create private UTS Namespace for the container.
 # `host`    Share host UTS Namespace with the container.
 #
 # utsns = "private"
 # List of volumes. Specified as
 # "<directory-on-host>:<directory-in-container>:<options>", for example:
 # "/db:/var/lib/db:ro".
 # If it is empty or commented out, no volumes will be added
 #
 # volumes = []
 # The network table contains settings pertaining to the management of
 # CNI plugins.
 [secrets]
 # driver = "file"
 [secrets.opts]
 # root = "/example/directory"
 [network]
 # Path to directory where CNI plugin binaries are located.
@ -255,14 +270,8 @@ default_sysctls = [
 # network_config_dir = "/etc/cni/net.d/"
 [engine]
-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Index to the active service
-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+# active_service = production
 # image_parallel_copies=0
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
 # source image. Building/committing defaults to OCI.
 # image_default_format = ""
 # Cgroup management implementation used for the runtime.
 # Valid options "systemd" or "cgroupfs"
@ -321,10 +330,19 @@ events_logger = "file"
 #     "/usr/share/containers/oci/hooks.d",
 # ]
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
 # source image. Building/committing defaults to OCI.
 # image_default_format = ""
 # Default transport method for pulling and pushing for images
 #
 # image_default_transport = "docker://"
 # Maximum number of image layers to be copied (pulled/pushed) simultaneously.
 # Not setting this field, or setting it to zero, will fall back to containers/image defaults.
 # image_parallel_copies = 0
 # Default command to run the infra container
 #
 # infra_command = "/pause"
@ -392,24 +410,6 @@ infra_image = "registry.access.redhat.com/ubi9/pause"
 # `podman --remote=true` for access to the remote Podman service.
 # remote = false
 # Directory for persistent engine files (database, etc)
 # By default, this will be configured relative to where the containers/storage
 # stores containers
 # Uncomment to change location from this default
 #
 # static_dir = "/var/lib/containers/storage/libpod"
 # Directory for temporary files. Must be tmpfs (wiped after reboot)
 #
 # tmp_dir = "/run/libpod"
 # Directory for libpod named volumes.
 # By default, this will be configured relative to where containers/storage
 # stores containers.
 # Uncomment to change location from this default.
 #
 # volume_path = "/var/lib/containers/storage/volumes"
 # Default OCI runtime
 #
 # runtime = "crun"
@ -420,20 +420,24 @@ runtime = "crun"
 #
 # runtime_supports_json = ["crun", "runc", "kata", "runsc"]
 # List of the OCI runtimes that supports running containers without cgroups.
 #
 # runtime_supports_nocgroups = ["crun"]
 # List of the OCI runtimes that supports running containers with KVM Separation.
 #
 # runtime_supports_kvm = ["kata"]
 # List of the OCI runtimes that supports running containers without cgroups.
 #
 # runtime_supports_nocgroups = ["crun"]
 # Directory for persistent engine files (database, etc)
 # By default, this will be configured relative to where the containers/storage
 # stores containers
 # Uncomment to change location from this default
 #
 # static_dir = "/var/lib/containers/storage/libpod"
 # Number of seconds to wait for container to exit before sending kill signal.
 # stop_timeout = 10
 # Index to the active service
 # active_service = production
 # map of service destinations
 # [service_destinations]
 #   [service_destinations.production]
@ -447,6 +451,17 @@ runtime = "crun"
 #     Path to file containing ssh identity key
 #     identity = "~/.ssh/id_rsa"
 # Directory for temporary files. Must be tmpfs (wiped after reboot)
 #
 # tmp_dir = "/run/libpod"
 # Directory for libpod named volumes.
 # By default, this will be configured relative to where containers/storage
 # stores containers.
 # Uncomment to change location from this default.
 #
 # volume_path = "/var/lib/containers/storage/volumes"
 # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
 [engine.runtimes]
 # crun = [
@ -459,16 +474,6 @@ runtime = "crun"
 #            "/run/current-system/sw/bin/crun",
 # ]
 # runc = [
 #        "/usr/bin/runc",
 #        "/usr/sbin/runc",
 #        "/usr/local/bin/runc",
 #        "/usr/local/sbin/runc",
 #        "/sbin/runc",
 #        "/bin/runc",
 #        "/usr/lib/cri-o-runc/sbin/runc",
 # ]
 # kata = [
 #            "/usr/bin/kata-runtime",
 #            "/usr/sbin/kata-runtime",
@ -480,6 +485,16 @@ runtime = "crun"
 #            "/usr/bin/kata-fc",
 # ]
 # runc = [
 #        "/usr/bin/runc",
 #        "/usr/sbin/runc",
 #        "/usr/local/bin/runc",
 #        "/usr/local/sbin/runc",
 #        "/sbin/runc",
 #        "/bin/runc",
 #        "/usr/lib/cri-o-runc/sbin/runc",
 # ]
 # runsc = [
 #            "/usr/bin/runsc",
 #            "/usr/sbin/runsc",
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses
 a TOML format that can be easily modified and versioned.
 Container engines read the /usr/share/containers/containers.conf and
-/etc/containers/containers.conf files if they exists.  When running in rootless
+/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files
-mode, they also read $HOME/.config/containers/containers.conf files.
+if they exist.  When running in rootless mode, they also read
 $HOME/.config/containers/containers.conf and
 $HOME/.config/containers/containers.conf.d/*.conf files.
 Fields specified in containers conf override the default options, as well as
 options in previously read containers.conf files.
 Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`.
 Not all options are supported in all container engines.
 Note container engines also use other configuration files for configuring the environment.
@ -186,6 +190,10 @@ that no size limit is imposed. If it is positive, it must be >= 8192 to
 match/exceed conmon's read buffer. The file is truncated and re-opened so the
 limit is never exceeded.
 **log_tag**=""
 Default format tag for container log messages.  This is useful for creating a specific tag for container log messages. Container log messages default to using the truncated container ID as a tag.
 **netns**="private"
 Default way to to create a NET namespace for the container.
@ -211,6 +219,11 @@ Options are:
 Maximum number of processes allowed in a container. 0 indicates that no limit
 is imposed.
 **rootless_networking**="slirp4netns"
 Set type of networking rootless containers should use.  Valid options are `slirp4netns`
 or `cni`.
 **seccomp_profile**="/usr/share/containers/seccomp.json"
 Path to the seccomp.json profile which is used as the default seccomp profile
@ -293,10 +306,6 @@ The `engine` table contains configuration options used to set up container engin
 Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
 **cgroup_check**=false
 CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
 **cgroup_manager**="systemd"
 The cgroup management implementation used for the runtime. Supports `cgroupfs`
@ -454,14 +463,14 @@ on the system using the priority: "crun", "runc", "kata".
 The list of the OCI runtimes that support `--format=json`.
 **runtime_supports_nocgroups**=["crun"]
 The list of OCI runtimes that support running containers without CGroups.
 **runtime_supports_kvm**=["kata"]
 The list of OCI runtimes that support running containers with KVM separation.
 **runtime_supports_nocgroups**=["crun"]
 The list of OCI runtimes that support running containers without CGroups.
 **static_dir**="/var/lib/containers/storage/libpod"
 Directory for persistent libpod files (database, etc).
@ -477,6 +486,14 @@ Number of seconds to wait for container to exit before sending kill signal.
 The path to a temporary directory to store per-boot container.
 Must be a tmpfs (wiped after reboot).
 **volume_path**="/var/lib/containers/storage/volumes"
 Directory where named volumes will be created in using the default volume
 driver.
 By default this will be configured relative to where containers/storage store
 containers. This convention is followed by the default volume driver, but may
 not be by other drivers.
 ## SERVICE DESTINATION TABLE
 The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -495,14 +512,6 @@ URI to access the Podman service
 Path to file containing ssh identity key
 **volume_path**="/var/lib/containers/storage/volumes"
 Directory where named volumes will be created in using the default volume
 driver.
 By default this will be configured relative to where containers/storage store
 containers. This convention is followed by the default volume driver, but may
 not be by other drivers.
 **[engine.volume_plugins]**
 A table of all the enabled volume plugins on the system. Volume plugins can be
@ -510,6 +519,21 @@ used as the backend for Podman named volumes. Individual plugins are specified
 below, as a map of the plugin name (what the plugin will be called) to its path
 (filepath of the plugin's unix socket).
 ## SECRET TABLE
 The `secret` table contains settings for the configuration of the secret subsystem.
 **driver**=file
 Name of the secret driver to be used.
 Currently valid values are:
  * file
  * pass
 **[secrets.opts]**
 The driver specific options object.
 # FILES
 **containers.conf**
@ -518,8 +542,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to
 define default container configuration. Administrators can override fields in
 this file by creating `/etc/containers/containers.conf` to specify their own
 configuration. Rootless users can further override fields in the config by
-creating a config file stored in the
+creating a config file stored in the `$HOME/.config/containers/containers.conf` file.
 `$HOME/.config/containers/containers.conf` file.
 If the `CONTAINERS_CONF` path environment variable is set, just
 this path will be used.  This is primarily used for testing.
--- a/skopeo.spec
+++ b/skopeo.spec
@ -20,17 +20,17 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 # pick the oldest version on c/image, c/common, c/storage vendored in
 # podman/skopeo/podman.
 %global podman_branch master
-%global image_branch v5.12.0
+%global image_branch v5.14.0
-%global common_branch v0.38.12
+%global common_branch v0.41.0
-%global storage_branch v1.31.3
+%global storage_branch v1.33.0
 %global shortnames_branch main
-%global commit0 64dc748e5e871da30e50edc496911094e3fe0114
+%global commit0 caf1469b1d6d1a7a23716a8fc797563d75e81902
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Epoch: 1
 Name: skopeo
 Version: 1.4.0
-Release: 0.1%{?dist}
+Release: 0.2%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@ -80,6 +80,7 @@ BuildRequires: pkgconfig(devmapper)
 BuildRequires: glib2-devel
 BuildRequires: make
 Requires: containers-common = %{epoch}:%{version}-%{release}
 Requires: system-release
 %description
 Command line utility to inspect images and repositories directly on Docker
@ -155,8 +156,10 @@ install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf
 install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
 # for signature verification
 %if !0%{?rhel} || 0%{?centos}
 install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
 install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
 %endif
 install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
 install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
 install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
@ -226,7 +229,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %dir %{_sysconfdir}/containers/oci
 %dir %{_sysconfdir}/containers/oci/hooks.d
 %dir %{_sysconfdir}/containers/registries.conf.d
 %if !0%{?rhel} || 0%{?centos}
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %endif
 %config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
@ -258,6 +263,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 %changelog
 * Mon Aug 02 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-0.2
 - update vendored components
 - ship /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release only on non-RHEL and
  CentOS distros
 - Related: #1970747
 * Thu Jul 29 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-0.1
 - switch to the main branch of skopeo
 - Related: #1970747
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (main-64dc748.tar.gz) = 3d46051530d01415a9d56971018fc641d67143b3f5348881d52550651df8c0d39f1f293d3c1fa2404eeb106d32a87576f871f362424cdefa2dc32f91735086ee
+SHA512 (main-caf1469.tar.gz) = be3db2ff0373b9fc330fa308920f60b68a150ab171cffe51dc940154163439e9ef86066bcfa357a522b982d2d8715339dfe24ce3f01eb4b1cf23244eeb6bb9c8
--- a/storage.conf
+++ b/storage.conf
@ -69,6 +69,9 @@ additionalimagestores = [
 # and vfs drivers.
 #ignore_chown_errors = "false"
 # Inodes is used to set a maximum inodes of the container image.
 # inodes = ""
 # Path to an helper program to use for mounting the file system instead of mounting it
 # directly.
 #mount_program = "/usr/bin/fuse-overlayfs"
--- a/update-vendored.sh
+++ b/update-vendored.sh
@ -22,9 +22,9 @@ for P in podman skopeo buildah; do
    pkg --release rhel-8 prep
  fi
  DIR=`ls -d -- */ | grep -v ^tests | head -n1`
-  grep github.com/containers/image $DIR/go.mod | cut -d\  -f2 >> /tmp/ver_image
+  grep github.com/containers/image $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_image
-  grep github.com/containers/common $DIR/go.mod | cut -d\  -f2 >> /tmp/ver_common
+  grep github.com/containers/common $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_common
-  grep github.com/containers/storage $DIR/go.mod | cut -d\  -f2 >> /tmp/ver_storage
+  grep github.com/containers/storage $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_storage
  cd -
 done
 IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
`@ -1 +1 @@`
	`SHA512 (main-64dc748.tar.gz) = 3d46051530d01415a9d56971018fc641d67143b3f5348881d52550651df8c0d39f1f293d3c1fa2404eeb106d32a87576f871f362424cdefa2dc32f91735086ee`	`SHA512 (main-caf1469.tar.gz) = be3db2ff0373b9fc330fa308920f60b68a150ab171cffe51dc940154163439e9ef86066bcfa357a522b982d2d8715339dfe24ce3f01eb4b1cf23244eeb6bb9c8`