commit 863c65640754ae052141b1e49f3c509c26738018ead6daf1e2e742134d66aa0d Author: Adrian Schröter Date: Sat May 4 00:21:41 2024 +0200 Sync from SUSE:SLFO:Main runc revision 1b708dc55c6e731fb8a9baa2c10b0f14 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/runc-1.1.12.tar.xz b/runc-1.1.12.tar.xz new file mode 100644 index 0000000..ded755c --- /dev/null +++ b/runc-1.1.12.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:47d9e34500e478d860512b3b646724ee4b9e638692122ddaa82af417668ca4d7 +size 1473936 diff --git a/runc-1.1.12.tar.xz.asc b/runc-1.1.12.tar.xz.asc new file mode 100644 index 0000000..4cdcf53 --- /dev/null +++ b/runc-1.1.12.tar.xz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmWvvCcQHGFzYXJhaUBz +dXNlLmNvbQAKCRCeGKomfduNtG2oD/9yLwYdfbx4GU31kCuvTS3odH8XyplL4QLl +TszoLO/50z/Y9r0QBNuLsDDvAWtsJAYTsRIwEwDgUuziHnbkbHCnE2C+6P7OWUKp +7VS1mqWzWeVibt0hYBWcooJb8inA/ctwfppZlH8EnTdoyqp0bAuQKtj2muA+LTvN +n/19qZ0/zAvErya5ugZCfnpJngOM0W//F5OSE/DKI3ct6o3AilxlzlhZuwkiYQud +nwS5j4CvQp7GkJeuwDluUHGmsT8AW6P3McptS/BcT4wUKWhxcntJG1cdiZOFTW84 +3CLdwMPGQR0SVK5yPMbKogRtglODEW82Ytp4S8BB9sG5PS5rBsvnApSQxFluRMQT +oaQsEKwPS+VSUwf44QR42iF3fB8dxmmmcautr5yaUiSx4DdFGj9jjrbMa9YCk2da +J/5ExwJv5nP5R+uwOiH3ziZuFuuH1afbGLrT2ouv61/SMGiYiLEAyiegF94Zg2nu +5RvMUz33LpEckLrlNN5u9q+/jbfJmZAUtdVafKQQTBRFKPCyHjOroKM11PzoHX6l +3dsyEPbEfowZ+uM2z9wCfub529fNF8t9k9sUAIQsma5p7+l7xJMbOua2kd1kGiQU +ec19+KD6ka4NHyDRwxe0iM6/AuFlKKUUTVGZjg2bD+ap0qgDjZ3R5lTmI1pJ8Win +wfoEKZCm+A== +=Sl8m +-----END PGP SIGNATURE----- diff --git a/runc.changes b/runc.changes new file mode 100644 index 0000000..11da0d9 --- /dev/null +++ b/runc.changes 
@@ -0,0 +1,834 @@ +------------------------------------------------------------------- +Wed Jan 31 00:00:33 UTC 2024 - Aleksa Sarai + +- Update to runc v1.1.12. Upstream changelog is available from + . bsc#1218894 + + * This release fixes a container breakout vulnerability (CVE-2024-21626). For + more details, see the upstream security advisory: + + * Remove upstreamed patches: + - CVE-2024-21626.patch + * Update runc.keyring to match upstream changes. + +------------------------------------------------------------------- +Thu Jan 18 00:37:01 UTC 2024 - Aleksa Sarai + +[ This was only ever released for SLES. ] + +- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894 + + + CVE-2024-21626.patch + +------------------------------------------------------------------- +Tue Jan 2 03:02:16 UTC 2024 - Aleksa Sarai + +- Update to runc v1.1.11. Upstream changelog is available from + . + +------------------------------------------------------------------- +Wed Nov 1 07:25:46 UTC 2023 - Aleksa Sarai + +- Update to runc v1.1.10. Upstream changelog is available from + . + +------------------------------------------------------------------- +Wed Sep 6 06:42:37 UTC 2023 - Danish Prakash + +- Update to runc v1.1.9. Upstream changelog is available from + . + +------------------------------------------------------------------- +Wed Jul 19 14:04:08 UTC 2023 - Aleksa Sarai + +- Update to runc v1.1.8. Upstream changelog is available from + . + +------------------------------------------------------------------- +Thu Apr 27 09:43:31 UTC 2023 - Aleksa Sarai + +- Update to runc v1.1.7. Upstream changelog is available from + . +- Update runc.keyring to upstream version. + +------------------------------------------------------------------- +Wed Apr 12 04:17:29 UTC 2023 - Aleksa Sarai + +- Update to runc v1.1.6. Upstream changelog is available from + . 
+ +------------------------------------------------------------------- +Wed Mar 29 07:05:52 UTC 2023 - Aleksa Sarai + +- Update to runc v1.1.5. Upstream changelog is available from + . + + Includes fixes for the following CVEs: + - CVE-2023-25809 bsc#1209884 + - CVE-2023-27561 bsc#1208962 + - CVE-2023-28642 bsc#1209888 + + * Fix the inability to use `/dev/null` when inside a container. bsc#1168481 + * Fix changing the ownership of host's `/dev/null` caused by fd redirection + (a regression in 1.1.1). bsc#1207004 + * Fix rare runc exec/enter unshare error on older kernels. + * nsexec: Check for errors in `write_log()`. + +- Drop version-specific Go requirement. + +------------------------------------------------------------------- +Wed Aug 31 13:00:31 UTC 2022 - Fabian Vogt + +- Update to runc v1.1.4. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.4. + bsc#1202021 + + * Fix mounting via wrong proc fd. When the user and mount namespaces are + used, and the bind mount is followed by the cgroup mount in the spec, + the cgroup was mounted using the bind mount's mount fd. + * Switch kill() in libcontainer/nsenter to sane_kill(). + * Fix "permission denied" error from runc run on noexec fs. + * Fix failed exec after systemctl daemon-reload. Due to a regression + in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and + was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded. + (boo#1202821) + +------------------------------------------------------------------- +Thu Jun 9 00:22:16 UTC 2022 - Aleksa Sarai + +- Update to runc v1.1.3. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.3. + (Includes a fix for bsc#1200088.) + + * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on + s390 and s390x. 
This solves the issue where syscalls the host kernel did not + support would return `-EPERM` despite the existence of the `-ENOSYS` stub + code (this was due to how s390x does syscall multiplexing). + * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as + intended; this fix does not affect runc binary itself but is important for + libcontainer users such as Kubernetes. + * Inability to compile with recent clang due to an issue with duplicate + constants in libseccomp-golang. + * When using systemd cgroup driver, skip adding device paths that don't exist, + to stop systemd from emitting warnings about those paths. + * Socket activation was failing when more than 3 sockets were used. + * Various CI fixes. + * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. + * runc static binaries are now linked against libseccomp v2.5.4. +- Remove upstreamed patches: + - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch + +------------------------------------------------------------------- +Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai + +- Backport to fix issues + with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by + that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565 + + bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch + +------------------------------------------------------------------- +Thu May 12 10:04:57 UTC 2022 - Aleksa Sarai + +- Add ExcludeArch for s390 (not s390x) since we've never supported it. + +------------------------------------------------------------------- +Wed May 11 22:43:51 UTC 2022 - Aleksa Sarai + +- Update to runc v1.1.2. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.2. 
+ CVE-2022-29162 bsc#1199460 + + * A bug was found in runc where runc exec --cap executed processes with + non-empty inheritable Linux process capabilities, creating an atypical Linux + environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and + CVE-2022-29162. bsc#1199460 + * `runc spec` no longer sets any inheritable capabilities in the created + example OCI spec (`config.json`) file. + +------------------------------------------------------------------- +Tue Mar 29 03:33:30 UTC 2022 - Aleksa Sarai + +- Update to runc v1.1.1. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.1. + + * runc run/start can now run a container with read-only /dev in OCI spec, + rather than error out. (#3355) + * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) + libcontainer systemd v2 manager no longer errors out if one of the files + listed in /sys/kernel/cgroup/delegate do not exist in container's + cgroup. (#3387, #3404) + * Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" + error. (#3406) + * libcontainer/cgroups no longer panics in cgroup v1 managers if stat + of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435) + +------------------------------------------------------------------- +Mon Jan 17 07:15:26 UTC 2022 - Aleksa Sarai + +- Update to runc v1.1.0. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.0. + + - libcontainer will now refuse to build without the nsenter package being + correctly compiled (specifically this requires CGO to be enabled). This + should avoid folks accidentally creating broken runc binaries (and + incorrectly importing our internal libraries into their projects). (#3331) + +------------------------------------------------------------------- +Tue Dec 14 05:04:21 UTC 2021 - Aleksa Sarai + +- Update to runc v1.1.0~rc1. 
Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1. + + + Add support for RDMA cgroup added in Linux 4.11. + * runc exec now produces exit code of 255 when the exec failed. + This may help in distinguishing between runc exec failures + (such as invalid options, non-running container or non-existent + binary etc.) and failures of the command being executed. + + runc run: new --keep option to skip removal exited containers artefacts. + This might be useful to check the state (e.g. of cgroup controllers) after + the container hasexited. + + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD + (the latter is just an alias for SCMP_ACT_KILL). + + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows + users to create sophisticated seccomp filters where syscalls can be + efficiently emulated by privileged processes on the host. + + checkpoint/restore: add an option (--lsm-mount-context) to set + a different LSM mount context on restore. + + intelrdt: support ClosID parameter. + + runc exec --cgroup: an option to specify a (non-top) in-container cgroup + to use for the process being executed. + + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 + machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc + run/exec now adds the container to the appropriate cgroup under it). + + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s + behaviour. + + mounts: add support for bind-mounts which are inaccessible after switching + the user namespace. Note that this does not permit the container any + additional access to the host filesystem, it simply allows containers to + have bind-mounts configured for paths the user can access but have + restrictive access control settings for other users. + + Add support for recursive mount attributes using mount_setattr(2). 
These + have the same names as the proposed mount(8) options -- just prepend r + to the option name (such as rro). + + Add runc features subcommand to allow runc users to detect what features + runc has been built with. This includes critical information such as + supported mount flags, hook names, and so on. Note that the output of this + command is subject to change and will not be considered stable until runc + 1.2 at the earliest. The runtime-spec specification for this feature is + being developed in opencontainers/runtime-spec#1130. + * system: improve performance of /proc/$pid/stat parsing. + * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change + the ownership of certain cgroup control files (as per + /sys/kernel/cgroup/delegate) to allow for proper deferral to the container + process. + * runc checkpoint/restore: fixed for containers with an external bind mount + which destination is a symlink. + * cgroup: improve openat2 handling for cgroup directory handle hardening. + runc delete -f now succeeds (rather than timing out) on a paused + container. + * runc run/start/exec now refuses a frozen cgroup (paused container in case of + exec). Users can disable this using --ignore-paused. +- Update version data embedded in binary to correctly include the git commit of + the release. +- Drop runc-rpmlintrc because we don't have runc-test anymore. + +------------------------------------------------------------------- +Mon Dec 6 04:38:25 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.3. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784 + bsc#1193436 + + * A potential vulnerability was discovered in runc (related to an internal + usage of netlink), however upon further investigation we discovered that + while this bug was exploitable on the master branch of runc, no released + version of runc could be exploited using this bug. 
The exploit required + being able to create a netlink attribute with a length that would overflow a + uint16 but this was not possible in any released version of runc. For more + information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784. + + Due to an abundance of caution we decided to do an emergency release with + this fix, but to reiterate we do not believe this vulnerability was + possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for + discovering and reporting this vulnerability so quickly. + * Fixed inability to start a container with read-write bind mount of a + read-only fuse host mount. + * Fixed inability to start when read-only /dev in set in spec. + * Fixed not removing sub-cgroups upon container delete, when rootless cgroup + v2 is used with older systemd. + * Fixed returning error from GetStats when hugetlb is unsupported (which + causes excessive logging for kubernetes). + +------------------------------------------------------------------- +Mon Aug 23 09:35:05 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.2. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.2 + + * Fixed a failure to set CPU quota period in some cases on cgroup v1. + * Fixed the inability to start a container with the "adding seccomp filter + rule for syscall ..." error, caused by redundant seccomp rules (i.e. those + that has action equal to the default one). Such redundant rules are now + skipped. + * Made release builds reproducible from now on. + * Fixed a rare debug log race in runc init, which can result in occasional + harmful "failed to decode ..." errors from runc run or exec. + * Fixed the check in cgroup v1 systemd manager if a container needs to be + frozen before Set, and add a setting to skip such freeze unconditionally. + The previous fix for that issue, done in runc 1.0.1, was not working. 
+ +------------------------------------------------------------------- +Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.1. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.1 + + * Fixed occasional runc exec/run failure ("interrupted system call") on an + Azure volume. + * Fixed "unable to find groups ... token too long" error with /etc/group + containing lines longer than 64K characters. + * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is + frozen. This is a regression in 1.0.0, not affecting runc itself but some + of libcontainer users (e.g Kubernetes). + * cgroupv2: bpf: Ignore inaccessible existing programs in case of + permission error when handling replacement of existing bpf cgroup + programs. This fixes a regression in 1.0.0, where some SELinux + policies would block runc from being able to run entirely. + * cgroup/systemd/v2: don't freeze cgroup on Set. + * cgroup/systemd/v1: avoid unnecessary freeze on Set. + +- Remove upstreamed patches: + + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch + +------------------------------------------------------------------- +Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai + +- Backport to fix issues + with runc under openSUSE MicroOS's SELinux policy. boo#1187704 + + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch + +------------------------------------------------------------------- +Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.0. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0 + + ! The usage of relative paths for mountpoints will now produce a warning + (such configurations are outside of the spec, and in future runc will + produce an error when given such configurations). 
+ + * cgroupv2: devices: rework the filter generation to produce consistent + results with cgroupv1, and always clobber any existing eBPF + program(s) to fix runc update and avoid leaking eBPF programs + (resulting in errors when managing containers). + * cgroupv2: correctly convert "number of IOs" statistics in a + cgroupv1-compatible way. + * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. + * cgroupv2: wait for freeze to finish before returning from the freezing + code, optimize the method for checking whether a cgroup is frozen. + * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 + * cgroups/systemd: fixed returning "unit already exists" error from a systemd + cgroup manager (regression in rc94) + + + cgroupv2: support SkipDevices with systemd driver + + cgroup/systemd: return, not ignore, stop unit error from Destroy + + Make "runc --version" output sane even when built with go get or + otherwise outside of our build scripts. + + cgroups: set SkipDevices during runc update (so we don't modify + cgroups at all during runc update). + + cgroup1: blkio: support BFQ weights. + + cgroupv2: set per-device io weights if BFQ IO scheduler is available. + +------------------------------------------------------------------- +Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.0~rc95. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 + + This release of runc contains a fix for CVE-2021-30465, and users are + strongly recommended to update (especially if you are providing + semi-limited access to spawn containers to untrusted users). bsc#1185405 + +------------------------------------------------------------------- +Wed May 12 08:03:58 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.0~rc94. 
Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 + Breaking Changes: + * cgroupv1: kernel memory limits are now always ignored, as kmemcg has + been effectively deprecated by the kernel. Users should make use of regular + memory cgroup controls. + Regression Fixes: + * seccomp: fix 32-bit compilation errors + * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code + * runc start: fix "chdir to cwd: permission denied" for some setups +- Remove upstreamed patches: + - 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch + +------------------------------------------------------------------- +Mon Apr 26 07:54:54 UTC 2021 - Aleksa Sarai + +- Backport patch to fix build on SLE-12 ppc64le. + + 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch + +------------------------------------------------------------------- +Wed Feb 3 04:09:17 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.0~rc93. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93 + bsc#1182451 bsc#1184962 + + * Cgroupv2 support is no longer considered experimental. + * Mountinfo parsing code has been reworked significantly. + * Special ENOSYS handling for seccomp profiles to avoid making new + syscalls unusable for glibc. + * Various rootless containers improvements. + * The "selinux" and "apparmor" buildtags have been removed, and now all runc + builds will have SELinux and AppArmor support enabled. + +------------------------------------------------------------------- +Tue Feb 2 05:53:17 UTC 2021 - Aleksa Sarai + +- Update to handle the docker-runc removal. bsc#1181677 +- Modernise go building for runc now that it has go.mod. + +------------------------------------------------------------------- +Fri Aug 28 07:38:29 UTC 2020 - Ralf Haferkamp + +- Upgrade to runc v1.0.0~rc92 (bsc#1175821). 
Upstream changelog is available + from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92 + + * Updates to CRIU support. + * Improvements to cgroupfs performance and correctness. + +------------------------------------------------------------------- +Thu Jul 2 01:24:49 UTC 2020 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc91. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91 + + * This release of runc has experimental support for cgroupv2-only systems. + +- Remove upstreamed patches: + - bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch + - bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch + +------------------------------------------------------------------- +Thu Jun 25 22:34:03 UTC 2020 - Aleksa Sarai + +- Switch to Go 1.13 for build. + +------------------------------------------------------------------- +Wed May 13 06:49:44 UTC 2020 - Aleksa Sarai + +- Backport https://github.com/opencontainers/runc/pull/2391 to help fix + bsc#1168481. + + bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch + +------------------------------------------------------------------- +Tue Apr 14 10:16:21 UTC 2020 - Ralf Haferkamp + +- Renamed patch: + 0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch + to + bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch + +------------------------------------------------------------------- +Wed Mar 18 08:57:34 UTC 2020 - Ralf Haferkamp + +- Added fix for bsc#1149954 + * 0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch + (cherry pick of https://github.com/opencontainers/runc/pull/1807) + +------------------------------------------------------------------- +Thu Jan 23 17:18:05 UTC 2020 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc10. 
Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10 +- Drop upstreamed patches: + - CVE-2019-19921.patch + +------------------------------------------------------------------- +Tue Jan 21 22:10:58 UTC 2020 - Bjørn Lie + +- Change packagewide go version to be greater or equal to 1.10. + +------------------------------------------------------------------- +Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai + +- Update CVE-2019-19921 patch to match upstream PR. + * CVE-2019-19921.patch + +------------------------------------------------------------------- +Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai + +- Add backported fix for CVE-2019-19921. bsc#1160452 + + CVE-2019-19921.patch + +------------------------------------------------------------------- +Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9 +- Remove upstreamed patches: + - CVE-2019-16884.patch + +------------------------------------------------------------------- +Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai + +- Add backported fix for CVE-2019-16884. bsc#1152308 + + CVE-2019-16884.patch +- Add runc-rpmlintrc to drop runc-test rpmlint warnings. + +------------------------------------------------------------------- +Mon Apr 29 11:56:21 UTC 2019 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc8. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc8 +- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553). +- Remove upstreamed patches: + - CVE-2019-5736.patch + +------------------------------------------------------------------- +Wed Feb 6 08:10:47 UTC 2019 - Aleksa Sarai + +- Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec + to avoid write attacks to the host runc binary). 
bsc#1121967 + + CVE-2019-5736.patch + +------------------------------------------------------------------- +Wed Dec 19 19:55:11 UTC 2018 - clee@suse.com + +- Update go requirements to >= go1.10 to fix + * bsc#1118897 CVE-2018-16873 + go#29230 cmd/go: remote command execution during "go get -u" + * bsc#1118898 CVE-2018-16874 + go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths + * bsc#1118899 CVE-2018-16875 + go#29233 crypto/x509: CPU denial of service + +------------------------------------------------------------------- +Thu Dec 13 04:34:25 UTC 2018 - dorf@suse.com + +- Require golang = 1.10. + +------------------------------------------------------------------- +Thu Nov 29 09:10:09 UTC 2018 - Aleksa Sarai + +- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6 + +------------------------------------------------------------------- +Wed Oct 31 14:01:03 UTC 2018 - Valentin Rothberg + +- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah. + +------------------------------------------------------------------- +Wed Jun 13 12:59:09 UTC 2018 - dcassany@suse.com + +- Make use of %license macro + +------------------------------------------------------------------- +Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com + +- Remove 'go test' from %check section, as it has only ever caused us problems + and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke + testing has been far more useful. boo#1095817 + +------------------------------------------------------------------- +Tue Feb 27 17:18:32 UTC 2018 - asarai@suse.com + +- Upgrade to runc v1.0.0~rc5. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5 +- Remove patch now merged upstream. 
+ - bsc1053532-0001-makefile-drop-usage-of-install.patch + +------------------------------------------------------------------- +Thu Aug 17 04:39:56 UTC 2017 - asarai@suse.com + +- Use .tar.xz provided by upstream, as well as include the keyring to allow + full provenance of the source. + +------------------------------------------------------------------- +Sun Aug 13 14:25:32 UTC 2017 - asarai@suse.com + +- Use the upstream Makefile, to ensure that we always include the version + information in runc. This was confusing users (and Docker). bsc#1053532 +- Add a backported patch to fix a Makefile bug. + https://github.com/opencontainers/runc/pull/1555 + + bsc1053532-0001-makefile-drop-usage-of-install.patch + +------------------------------------------------------------------- +Thu Aug 10 17:14:02 UTC 2017 - asarai@suse.com + +- Update to runc v1.0.0-rc4. Upstream changelog: + + runc now supports v1.0.0 of the OCI runtime specification. #1527 + + Rootless containers support has been released. The current state of + this feature is that it only supports single-{uid,gid} mappings as an + unprivileged user, and cgroups are completely unsupported. Work is + being done to improve this. #774 + + Rather than relying on CRIU version nnumbers, actually check if the + system supports pre-dumping. #1371 + + Allow the PIDs cgroup limit to be updated. #1423 + + Add support for checkpoint/restore of containers with orphaned PTYs + (which is effectively all containers with terminal=true). #1355 + + Permit prestart hooks to modify the cgroup configuration of a + container. #1239 + + Add support for a wide variety of mount options. #1460 + + Expose memory.use_hierarchy in MemoryStats. #1378 + * Fix incorrect handling of systems without the freezer cgroup. #1387 + * Many, many changes to switch away from Go's "syscall" stdlib to + "golang.org/x/sys/unix". 
#1394 #1398 #1442 #1464 #1467 #1470 #1474 + #1478 #1491 #1482 #1504 #1519 #1530 + * Set cgroup resources when restoring a container. #1399 + * Switch back to using /sbin as the installation directory. #1406 + * Remove the arbitrary container ID length restriction. #1435 + * Make container force deletion ignore non-existent containers. #1451 + * Improve handling of arbitrary cgroup mount locations when populating + cpuset. #1372 + * Make the SaneTerminal interface public. #1479 + * Fix cases where runc would report a container to be in a "Running" + state if the init was a zombie or dead. #1489 + * Do not set supplementary groups for numeric users. #1450 + * Fix various issues with the "owner" field in runc-list. #1516 + * Many other miscellaneous fixes, some of which were made by first-time + contributors. Thanks, and welcome to the project! #1406 #1400 #1365 + #1396 #1402 #1414 #1412 #1408 #1418 #1425 #1428 #1436 #1433 #1438 + #1410 #1447 #1388 #1484 #1481 #1496 #1245 #1524 #1534 #1526 #1533 + - Remove any semblance of non-Linux support. #1502 + - We no longer use shfmt for testing. #1510 + +------------------------------------------------------------------- +Wed Aug 2 13:51:43 UTC 2017 - asarai@suse.com + +- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429 +- Cleanup seccomp builds similar to bsc#1028638 +- Remove the usage of 'cp -r' to reduce noise in the build logs. 
+ +------------------------------------------------------------------- +Thu Jul 6 17:14:17 UTC 2017 - thipp@suse.de + +- switch to opencontainers/runc master branch +- remove CVE-2016-9962.patch +- stop providing docker-runc + +------------------------------------------------------------------- +Thu May 4 19:04:49 UTC 2017 - jmassaguerpla@suse.com + +- fix the golang requirement to 1.7 to the subpackages + +------------------------------------------------------------------- +Tue May 2 15:49:41 UTC 2017 - jmassaguerpla@suse.com + +- fix golang requirement to 1.7 + +------------------------------------------------------------------- +Fri Apr 28 16:16:00 UTC 2017 - jengelh@inai.de + +- Substitute %__-type macro indirections + +------------------------------------------------------------------- +Thu Apr 13 16:34:03 UTC 2017 - jmassaguerpla@suse.com + +- update version to the one required by docker-17.04.0-ce (bsc#1034053) + remove ignore_cgroup2_mountpoint.patch . This is already included in + the upstream source code. 
+ +------------------------------------------------------------------- +Wed Apr 12 09:55:28 UTC 2017 - jmassaguerpla@suse.com + +- Make sure this is being built with go 1.7 + +------------------------------------------------------------------- +Tue Apr 11 15:37:36 UTC 2017 - jmassaguerpla@suse.com + +- remove the go_arches macro because we are using go1.7 which + is available in all archs + +------------------------------------------------------------------- +Wed Mar 29 15:47:52 UTC 2017 - jmassaguerpla@suse.com + +- fix bsc#1028113 - runc: make sure to ignore cgroup v2 mountpoints + This is a backport of https://github.com/opencontainers/runc/pull/1266 + + ignore_cgroup2_mountpoint.patch + +------------------------------------------------------------------- +Fri Feb 24 18:08:10 UTC 2017 - jmassaguerpla@suse.com + +- update to docker-1.13.0 requirement + +------------------------------------------------------------------- +Fri Jan 13 13:58:33 UTC 2017 - jmassaguerpla@suse.com + +- fix CVE-2016-9962 bsc#1012568 and applying the patch + CVE-2016-9962.patch, because 1.12.6 partially fixes it (it contains + the first patch attached in bsc#1012568) + +------------------------------------------------------------------- +Mon Dec 19 12:49:38 UTC 2016 - jmassaguerpla@suse.com + +- update runc to the version used in docker 1.12.5 (bsc#1016307). + This fixes bsc#1015661 + +------------------------------------------------------------------- +Mon Dec 19 12:17:07 UTC 2016 - asarai@suse.com + +- For the moment, we have to switch to using Docker's fork of runC. This *will* + be solved properly by creating a new package purely for Docker's runC fork, + because it's quite silly to tie OCI project releases to Docker's vendoring + scheme. Once this is fixed, this package will be switch to being purely-OCI. 
+ +------------------------------------------------------------------- +Fri Dec 16 17:05:37 UTC 2016 - jmassaguerpla@suse.com + +- add the /usr/bin/docker-run symlink to partially fix bsc#1015661 + +------------------------------------------------------------------- +Thu Nov 24 11:05:41 UTC 2016 - jmassaguerpla@suse.com + +- fix version by adding a revision "counter" so that it will always + increase + + fix bsc#1009961 + +------------------------------------------------------------------- +Thu Oct 13 11:04:27 UTC 2016 - jmassaguerpla@suse.com + +- update to 02f8fa7 because that is the needed version for docker 1.12.1 (bsc#1004490) + +------------------------------------------------------------------- +Wed Sep 21 05:13:26 UTC 2016 - jengelh@inai.de + +- Run fdupes. + +------------------------------------------------------------------- +Mon Sep 19 11:57:45 UTC 2016 - jmassaguerpla@suse.com + +- fix go_arches definition: use global instead of define, otherwise + it fails to build + +------------------------------------------------------------------- +Fri Aug 26 08:59:54 UTC 2016 - asarai@suse.com + +- Remove docker-runc symlink because it's been fixed within the Docker + package. 
bsc#978260 + +------------------------------------------------------------------- +Thu Aug 25 17:02:33 UTC 2016 - jmassaguerpla@suse.com + +- Create a symlink /usr/sbin/docker-runc -> /usr/sbin/docker + Docker expects this symlink to exist bsc#978260 + +------------------------------------------------------------------- +Thu Aug 25 15:56:00 UTC 2016 - jmassaguerpla@suse.com + +- Remove GOPATH at the end of the GOPATH assignment + cause GOPATH is empty and if we do that, we get the path "" + appended, which causes gcc6-go to complain + +------------------------------------------------------------------- +Wed Aug 24 12:27:57 UTC 2016 - jmassaguerpla@suse.com + +- add go_arches in project configuration: this way, we can use the + same spec file but decide in the project configuration if to + use gc-go or gcc-go for some archs. + +------------------------------------------------------------------- +Thu Aug 18 10:35:29 UTC 2016 - jmassaguerpla@suse.com + +- use gcc6-go instead of gcc5-go (bsc#988408) +- build ppc64le with gc-go because this version builds with gc-go 1.6 + +------------------------------------------------------------------- +Thu Aug 18 10:34:29 UTC 2016 - cbrauner@suse.de + +- bump git commit id to the one required by docker v1.12.0 (bsc#995058) +- run unit tests during package build +- remove seccomp-use-pkg-config.patch + The patch is now upstream. +- remove GO_BUILD_FLAGS macro and substitute with BUILDFLAGS env variable to + allow for easier string appending. +- only run unit test on architectures that provide the go list and go test tools + +------------------------------------------------------------------- +Wed Aug 17 10:29:15 UTC 2016 - cbrauner@suse.de + +- Add runc-test package which contains the source code and the test. This + package will be used to run the integration tests. +- Simplify package build and check sections: Instead of symlinking we default to + cp -avr. 
go list gets confused by symlinks hence, we need to copy the source + code anyway if we want to run unit tests during package build at some point. + +------------------------------------------------------------------- +Fri Apr 29 09:03:24 UTC 2016 - asarai@suse.de + +* Update to runC 0.1.1. (bsc#989566 FATE#320763) Changelog from upstream: + + This release includes a bug fix for adding the selinux mount label in the specification. + +------------------------------------------------------------------- +Tue Apr 19 09:59:05 UTC 2016 - asarai@suse.de + +* Don't use gcc-go for aarch64, since gc has grown support for it and is more + stable. + +------------------------------------------------------------------- +Fri Apr 15 10:46:04 UTC 2016 - asarai@suse.de + +* Disable seccomp entirely for aarch64 builds, since it is not provided on all + SUSE platforms. + +------------------------------------------------------------------- +Wed Apr 13 12:03:09 UTC 2016 - asarai@suse.de + +* Update to runC 0.1.0. Changelog from upstream: + + This release updates runc to the OCI runtime specification v0.5.0 and includes + various fixes and features. + + Features: + + cgroups: pid limits and stats + + cgroups: kmem stats + + systemd cgroup support + + libcontainer specconv package + + no pivot root option + + numeric ids are treated as uid/gid + + hook improvements + + Bug Fixes: + * log flushing + * atomic pid file creation + * init error recovery + * seccomp logging removed + * delete container on aborted start + * /dev bind mount handling + +------------------------------------------------------------------- +Wed Mar 30 14:18:18 UTC 2016 - asarai@suse.de + +* Install to /usr/sbin. https://github.com/opencontainers/runc/pull/702 + +------------------------------------------------------------------- +Sun Mar 27 14:50:32 UTC 2016 - asarai@suse.de + +* Added runC man pages. +* Recommended criu, since it's required for the checkpoint and restore + functionality. 
+ +------------------------------------------------------------------- +Sun Mar 27 10:14:32 UTC 2016 - asarai@suse.de + +* Small updates to method of compilation to better match Makefile. + +------------------------------------------------------------------- +Mon Mar 21 12:04:59 UTC 2016 - asarai@suse.de + +* Make compilation work on gcc-go only systems (ppc and s390). + +------------------------------------------------------------------- +Mon Mar 21 08:24:02 UTC 2016 - asarai@suse.de + +* initial import of runC 0.0.9 +* add patch seccomp-use-pkg-config.patch which allows us to build runC, since + they assume that the seccomp.h file lives at /usr/include/seccomp.h. + diff --git a/runc.keyring b/runc.keyring new file mode 100644 index 0000000..afc1c45 --- /dev/null +++ b/runc.keyring 
@@ -0,0 +1,221 @@ +pub rsa4096 2016-06-21 [SC] [expires: 2031-06-18] + 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4 +uid [ultimate] Aleksa Sarai +uid [ultimate] Aleksa Sarai +sub rsa4096 2016-06-21 [E] [expires: 2031-06-18] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar + +mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8 +ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0 +CfekjIpoR1CffYtCvkLr8/f74jHNRfqsmZ1Oxa9GjbhgDnbw4Baztp6WctzMXyOJ +j5bJuSfQTcgFbIeQ27zx7gNjbnHyEP5TEm1/CeoWpGPpZLJPiKHdI/TBCyFexHJ0 +IlabKc4DC43RZyh0Btuf+FiX9K2NkoCC7l5nQdde8B6YG7SA6xEhwhQ73bSs7A56 +rlZxfIFmLCB/81FyXk5eH0Eu9Lbwj69YQ81EdkLnLAyP3ZB+MRGuiWVD88Jr1He2 +25m3dxTVzaP0TAV4LqdbuqTwr2wagu9MZQ5XXDiaEuiPwTrO10xlmivOjRaWxoWA +E0I3fOdrzqfg9XK6g1pG23v2WhHFIejqVCXrf5oPcCd62lGeh0ghEdNN89ikXbka +1PJRiWI3uDQ6STSKa+6uC5eUM7tK/ymqS8JYSQf4d3eIaC2H403psPt5kbq1bHdx +nRPX2eh/t1QzR1dhPxzai4CzLERIYJ9iD4nGiSscwy0P44AgyeuywSg4qXzr9Sfe +igOj+6lfJb3iZRN3dKLTRAKWvo7yfdi/UOycodlaQyW8v0yXAx7Yh1NgJQARAQAB +tB1BbGVrc2EgU2FyYWkgPGFzYXJhaUBzdXNlLmRlPokCPQQTAQgAJwUCV2kY3QIb +AwUJHDIEgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCeGKomfduNtGecEACZ +JLVdeKHKsSUqTLOjbC6t9uKfKlNpu+iQ2/TS9YazLWXoFEc8f/uWB8BpHcJBFrqz +j+mI34ShEkbbNJArxR76njnAtPF+73GiD0dAjRDWz8YtQgSg5UhYm6O2Si/EM4I8 +TDzflyjaZltCkDe2U+2T8dTkYxqOi11IuCukPBNe0moxGKvLGPWEqZQMPCfBgllD +lv2Toiry2Fp1bkBlT6hk0C684rfAwzPQuH0BBv8vgfgroRMJg/qfZb64lhMCXaPr +rCtVHP+F1bVXKZCBCt7ETTtcteUEKaFmGgDGpXGnIqPL5iWLK5u8DQL/1lGcinj9 +QdD9IUNqsrsNAbdyMMqQvZKQwIVDgFMXrCwSRymOi6cppN7eF0VyFN7YsATttRGx +CZBoSMhVW6VVxuJFGaQWFXWthVGVEd2jkvny1TX8Nm8KBHC2G/wNVU3pKrCPhMCt +rYc8xWZ+6uisQ6XWs8H4nyBOVN6RvhIqqXJL1nvViOSFMLSDyFgPA16368krgxYE +pVDvie04aDjKZj2/0LSogNQPqZxs8uKIjLZ1NYQQmCQ8Dx9/nshg1wbyDD/c///M +EmVFmZhlNLZ8tV/iTlwfD/4vjbeaAQTVanhPFRbUtmL/iuz5f0gH0b0xc+mc+yQ1 +egjBwMuKr+h7jbSXIWoFGZLrqT3WswTg0Khk6oEL57QeQWxla3NhIFNhcmFpIDxh +c2FyYWlAc3VzZS5jb20+iQI9BBMBCAAnBQJXaRngAhsDBQkcMgSABQsJCAcCBhUI 
+CQoLAgQWAgMBAh4BAheAAAoJEJ4YqiZ924202mIQAIjGrikF7OPBCbV5Oo4oC0QQ +7HcG+DM9cN6UcFO+rzWQxZ/atEpiULa4O3YKoGOkSV5WAjUpaY5Rf7Obt3EjgrwE +PhtGvOpC6kkkTV43RmmK06CxHiZPrUJBwcpbW1rf2JZx7PPBMbZfsmWdVZc+LjzC +D3KtJ7xhzT0mi+zN5ONNHody6sDQO6n0mN+bRVxiVdcxwjYHfJYGobI6aaKyupvl ++xCGK4ekzNCVzaxudzqmbFE6qk+cWcvcA8HpggA63rCvCLfK1embNOtqzKAcJh1o +cJvrtpe18qBvd4yXFWEqQBW6IoDLvdzaLY7eNMI97UDInciz/GUtbxhqbs1lAOBz +V1y9fi0+NIIq1qmhbLxpUFC2BWsZRuWEqYWdr4FFJCuYEEXX6KXM7d9CSdWlErCU +mqKYsx6X4E7Iy1yupYbIqXRea9wBr8aPoFk+gLdNbCWAE4o7InKJY1uqOt141ffs ++6XJe2wVvA2xLr0ZphlcyF0EHZX8tMWLCYdQJdLMps2hl5oFpi7ccdM1GpE/Kwt5 +pEBqsJ6vP59BsbmciYmNkYKvFIKJcasImglQP6nrQiBwjTd7fYXpMDeO0yNtklaZ +IZlbNvxOe1TqbRzfVFk3oSBbEaFzPAx/W0uU1evZynpu2PcIvOuadScc9j0jMzt8 +0wknTD5AqhD/fkfZlwRouQINBFdpGN0BEADfqvO6AkGOWf+lcQZfWBMSMpzneCCS +JvQvD65VrFt0CCbSlJv1pc3GwLlL2dMulIxQGg0JMTjfPZcCYqrnOcWe0gedETRV +nOucY7zWmohR7L70YWwh46FlAPifY6bIIYGYTHyI9w1adS9K4tAJW/XS0WrvZ5KA +l7htrAzUAsMhag9y9jtQJVPLErGJta3jZJASs8PZWWmLYZE+oy1R3W52w/HqGQHS +8BPgo4oL+lrjPmjAwouhhNETTq9W2xmCe18EJodOjNKdF5ODOq1LOkPNHIaIdG0s +sY3qbifcRLVDvSmb8++4WRYl1HLy2vpsTQ31mZ3KyRKR6cP61ivTZy8idwD+Qt1t +3uKTCGNZj96OCob8ZeZsak6enuFZleVbLty1eULIw/IZuq8g6E+/V7mbFo4vkXMN +q4YrX0Q3XEzB8Cdxd5vsnz7Uga35j44gwJ+BUsCyaRUyGzLqhUWHJS73Vy3IxHfX +Rj7TQUBFYDKbOS9oKearmvTb1SQzH7NM5jQUFzXeJQE03jetRneNQ5hkh9UhUr64 +gtRnnKXTimXkczEMU9eDSTgQoaebdPnWEnzoStS5ln03zH+CNTQF9qjcpYBrJ2mZ +wnxO9OP/45KQL4hPAi2+hGkq2yjuIzeCkFJabAc7sF6lwJqH82XtiIIR+AGTM8QC +Eno0eqAytg8YawARAQABiQIlBBgBCAAPBQJXaRjdAhsMBQkcMgSAAAoJEJ4YqiZ9 +2420AuIP/1PYZDKFLv//+iY6Z9xGz4zHL+9nWND/Kll3xHeuWjYGZ2nmcovSnEW4 +0eiMn1c6KMgs/CCR4+9bm7MdgaF73pjM4xzHBIBetLLkcKQIrniX2Fq+WgscJfFx ++0ha7Xb2TTpSy8PRiYHowVUaMPwyqSsAUwrSenLuwyiKr+EW4Wzo+YM2w9a86yw1 +GfWuiyk0Z4sGoPoPEjmD4y6Xlf8kIfuZeb+joHd6W1nMf7cxDkNLQqX6sWvs62Tv +Lsx2jApPKD2PyTyyxItJKc6NXFVM+Uww323ZYVWMkz+VKalHRiv6xzGqArhpAIH6 +fn+1WjjqkrrLU4I7smjlulZCy/NZLOKqQYaqM+7BgC2mOPMb5CM99cg4SrK86dFr +3Cf22+OTmC6/Wb5Gu4PzTzkYIJDnt3BJQYjJlp4zyOHluN6notrWagLIB06oX+jQ 
+pxGySHW++Cha/JCUb0mfeHIJKvRor3v7YaSJoFIo//rz6XJ9WVZfsKnOte/3s9m7 +qkEvLArbe2o7pUJ2mxZZw/nAk/Y39FYAMvgMA9f+uv18O7u+ojYjS6DlrmNuIEg/ +mp8FqVxVNdIS2capSF4+eOn3a4kcF0018xbTLA2AwQ2o9eF5G9qTdSVrN865VPCd +KWr9ByCKAwVHsaSgVSJE/dse4f1toqeEHHbWk682U4RqOWZR4bA0 +=3/jE +-----END PGP PUBLIC KEY BLOCK----- + +pub ed25519 2019-06-21 [C] + C9C370B246B09F6DBCFC744C34401015D1D2D386 +uid [ultimate] Aleksa Sarai +sub ed25519 2022-09-30 [S] [expires: 2030-03-25] +sub cv25519 2022-09-30 [E] [expires: 2030-03-25] +sub ed25519 2022-09-30 [A] [expires: 2030-03-25] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar + +mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz +QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF +CwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGwEWIQTJw3CyRrCfbbz8dEw0QBAV0dLT +hgUCZa3xwQAKCRA0QBAV0dLThpQyAQDGzjZyyWWmd6Ykg5/lymp2MLIg1f2jG6ew +AiPT4ATkBAD/RgdLDf1IQStEH7pHmQa1qvqyRq1jeEgF23KruXbbdQ64MwRdDMJS +FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4 +BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS +04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b +8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0 +QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS +y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw +x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG +SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru +YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL +FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD +cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e +qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk +uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M +wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx +za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ +KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo 
+FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG +AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9 +o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ +FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51 +DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH +uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+ +q25gaH2I9QQYFgoAJgIbAhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJlrfJcBQkO +EpjFAIF2IAQZFgoAHRYhBLZOSVWyn6PUY/KpBiiX+tK36URvBQJjNrpLAAoJECiX ++tK36URv2hsBALyKPjIlNTtlwC1PHZkyOPwSiu4ZveS7pWlHLHX6nJBCAP9CBDtf +UbvG3C5WljSQdiBrXKgosDbJxPwXw+tW0XukAwkQNEAQFdHS04bMkQEA9elVwA0A ++ywDw+jnifIc98XqLI+KF3Xl0A9+lMuwthMBAO00DeAEjkryFMGp62GPNHqr/r6p ++6DIeUjWgK4Sh8IMuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM +OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmAhsMFiEEycNwskawn228/HRM +NEAQFdHS04YFAmWt8lwFCQ4SmLAACgkQNEAQFdHS04apHgD+MIRj2kujpxtQt04D +ZB+hofBtHIEMo2tplFBYvhZ6KOMA/1q3aRv6jnWAv8woc50KitP4/+iPmfyzaBA/ +8XA5DdIKuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD +TF2SQwwqM4+nYbeIfgQYFgoAJgIbIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJl +rfJcBQkOEpiiAAoJEDRAEBXR0tOGAUwA/jbaz04OXnV3PYC/yQUsUJsihCTqz4Ne +lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg== +=Ab7w +-----END PGP PUBLIC KEY BLOCK----- + +pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18] + C2428CD75720FACDCF76B6EA17DE5ECB75A1100E +uid [ultimate] Kir Kolyshkin +sub rsa2048 2020-04-28 [E] [expires: 2025-04-18] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=kolyshkin + +mQENBF6ou34BCACow4f1kUqw0varU4pq+C91xhYeNb/0sGyFKCvYfiLY74yG8EXW +rZ8n06AYDHzPv9oubkUhnFk/u25kXQVgLB6Z5SKRBCiFq1QZirXeNJ8Iss8AwDBV +ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9 +2IknlaZg2oGpQe6weVmXmEhxERapG/y+/Vo6t8UfhSv0gEeM00/yWhBJKSYPtzMg +SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu +DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g +PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW 
+AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ +F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F +t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW +JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3 +wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt +Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0 +1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k +p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z +s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik +6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38 +oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc +yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h +8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F +AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R +uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT +iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r +5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4 +S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au +2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ== +=GkpD +-----END PGP PUBLIC KEY BLOCK----- + +pub rsa3072 2019-07-25 [SC] [expires: 2025-07-27] + C020EA876CE4E06C7AB95AEF49524C6F9F638F1A +uid [ultimate] Akihiro Suda +uid [ultimate] Akihiro Suda +sub rsa3072 2019-07-25 [E] [expires: 2025-07-27] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=AkihiroSuda + +mQGNBF06GR8BDADEpCHv9HzGbqzQ2RAqTWBGHUNsiHD89NVmbXx4nw56odXf5mAK +QHxyh9tKkt0BIaKMLcxcU6+GXP5iSLdHnQvnxxbR0gW3CJ8bIWPUflE4hjv8QLbc +5CSpqa3d7/tsntVYNLPFs6B0acTXB4YLK+u2aC42US6by5zO4KS+8/7RyXhdkYGY +wy6dCU1ysnuG4QstxlObKJUtxcW/9vQkF/ZdqaqLf6HHL/kMasWUxWG1uvf+V/MO +BRKu7zBW290XDE5Dd9DomyX4q2kqoWQBkpvkJlVsKWpW+AXnBizbVD+pX90VEQmk +Tvnr6U9OiArS6m2yVwZlu836l2yo3tX2tsgTNn8gtZugO4Qb3iZnDUexqgCwnLBx 
+dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO +9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA +3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA +aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCZMPL2QUJC0wZugAKCRBJUkxvn2OP +GqTiC/93jTl0ci2zWC8vVBPSyjHDrpOhn+3ukCeC7VxHOdo6hBwbsxqaBUWi0Maf +p9oa4HzmsQjhMM+i3/Q/jHBvijXQ2UO5MaDrLhacoAW8i/YeU2aKn2yIyrQPIdc/ +tlcwjvsRPt534DOisf1N5+w6Y4DRgt2tNl0KOjEBmXsBWN7Fg+QRfLeNWKS9soq7 +QkI68T0e0h752FmI8TK4yy6FrhLVUU2ArLcOV2wjx5zKnWjgX7BbwYjAp8fi9hcC +XdmSvllQ8U9Y2ll8dDq3HBmo+uI4lfz31S4B5EKo4Wn+3bA4Y+VBNoJfoKyLeOgr +0cmo6SRJIsVaSvAJcMZ6oq+jvTDuygfRkxxgoTzCgwre7CPzcvC8gC0sYOB34TN4 +UogwN3pFmCPfi5TjXsx7vgfWKlHgwe3L/5aoQjTm+z6WanTHbIqOK9QkIuGykMpL +7nOJeH9LoRzpzc8aOwIOki2bbo7s9yzL8Gil+zaqe16Q+Y7wVBxSRxbg/3oUTi1K +/uM8N4S0I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB +CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM +b59jjxoFAmTDy9kFCQtMGboACgkQSVJMb59jjxogzgv/a+4+T5Xoklt0rGujSgtD +ogpQp4guaImEhkPieWMPG7+UfqxwoMLcvLE5kTzqLPe1DdYs8Tm/gtteHttLUfjD +qwY/+BsqIYYMJMRoXFBk2iokn0m/36da7WKpN+5r5ssujsvGj991k4oLQgFV0kEx +f4PSRxWQNlAqp4OfQNI91S7oMDH94dR+V5TIYYHxsPsnCvygD72GVER4G5mUvkCH +Nf8aqeckVxu8uZ/2LiNtYxbh5pwriuj8XbifuawdMdjpTvwAAa2DuKqCtj9cuQIt +hmOF1ux68TRxk//QGPqX49+WT0mwdHBX/I/nZVTOGt9sjjKU5m1o+rUiVHtQ3Yhw +fSLWEbfZiTjWDPWpjLU+r3C2qCiJyPjNpsxYAp4y3v511BXesejcXm24+MHFym5F +ngyAItzwDD9ieTt3uviuC64VZVz7NgnDMUK0LumKh9mrZZ20dTcX9Vw70o41CMQN +yBKloXOSPzQDZp1ZXzR3P/22WXG/e52YuU3Aw1femld+uQGNBF06GR8BDACxpQ9c +y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+ +786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6 +ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4 +iEw7RLq9LssTyjeuRVN23X+ojD4Mp3jQnPA+cjLF718KpCsw5r+tGZ98/5GZevmH +Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF +bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL 
+gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1 +vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA +AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJkw8uyBQkLTBmT +AAoJEElSTG+fY48ayhsL+gLvKlfkYgxodyWKR5hOiUMKWE5tqfQY6kqrgssPYw+u +Fn69AamQLt4I2AHRg0AHjoZEsMfR19uXZ24XwwcWwgWU6yRJgMSIK67bLvL+d686 +m2KQ2PpmfDrizUgY4J0sY+tzwNZeWxQiFy/Ni6AdEqJvJQDsrKYJ2GGWm6JMZCPw +y3h5ouueieiEc0pvwEz2kg64uv6p8SUV1me66IXQaGseXb/BcW+Ap2WJO+IZjtNB +qhk+V+1x5ZT6s9RecjiTDmKfZ71zyRWplkfL22+4XVEc3qLS3r0ZSzeIA4JPRf+N +yCGjavdTNgu2bTo8iSgBq2NRT9kNwTaS8j883L0eY/JJktrfWnWE4qAuXBqLzkIl +smspRWy0byLQrrzk9stncF/CDt5XuHPcsXOcRVXVyM+/RXqWKdNAwZO67HD4wJR9 +YR4avhGZZXguH3b0ka2zO8sxTju/09yb07NJ2qfjfWSHCmaj9KuhhE0EO625tckS +58ceqolNBtrydoYZOc2CKw== +=ol6W +-----END PGP PUBLIC KEY BLOCK----- + diff --git a/runc.spec b/runc.spec new file mode 100644 index 0000000..b4a7484 --- /dev/null +++ b/runc.spec 
@@ -0,0 +1,104 @@ +# +# spec file for package runc +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# +# nodebuginfo + + +# MANUAL: Make sure you update this each time you update runc. +%define git_version 51d5e94601ceffbbd85688df1c928ecccbfa4685 +%define git_short 51d5e94601ce + +%define project github.com/opencontainers/runc + +Name: runc +Version: 1.1.12 +Release: 0 +Summary: Tool for spawning and running OCI containers +License: Apache-2.0 +Group: System/Management +URL: https://github.com/opencontainers/runc +Source0: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz#/runc-%{version}.tar.xz +Source1: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc +Source2: runc.keyring +BuildRequires: diffutils +BuildRequires: fdupes +BuildRequires: go +BuildRequires: go-go-md2man +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +Recommends: criu +# There used to be a docker-runc package which was specifically for Docker. +# Since Docker now tracks upstream more consistently, we use the same package +# but we need to obsolete the old one. bsc#1181677 +Obsoletes: docker-runc < %{version} +Provides: docker-runc = %{version} +# KUBIC-SPECIFIC: There used to be a kubic-specific docker-runc package, but +# now it's been merged into the one package. 
bsc#1181677 +Obsoletes: docker-runc-kubic < %{version} +Provides: docker-runc-kubic = %{version} +Obsoletes: docker-runc = 0.1.1+gitr2819_50a19c6 +Obsoletes: docker-runc_50a19c6 +ExcludeArch: s390 + +# Construct "git describe --dirty --long --always". +%define git_describe v%{version}-0-g%{git_short} + +%description +runc is a CLI tool for spawning and running containers according to the OCI +specification. It is designed to be as minimal as possible, and is the workhorse +of Docker. It was originally designed to be a replacement for LXC within Docker, +and has grown to become a separate project entirely. + +%prep +%setup -q -n %{name}-%{version} + +%build +# build runc +make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc +# build man pages +man/md2man-all.sh + +# make sure that our keyring copy is identical to upstream. +our_keyring=$(sha256sum <"%{SOURCE2}") +src_keyring=$(sha256sum
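Review bot: in runc.changes, the Thu Jul 6 2017 entry removes CVE-2016-9962.patch in the same step as the switch to the opencontainers/runc master branch, but does not say that the new source carries the fix. The Apr 13 2017 entry handles this properly for ignore_cgroup2_mountpoint.patch ("This is already included in the upstream source code"). The same statement on the CVE entry would let anyone auditing bsc#1012568 confirm from the changelog alone that the fix was not dropped. A smaller point: the Dec 16 2016 entry names /usr/bin/docker-run while the Aug 25 2016 entry names /usr/sbin/docker-runc, so one of the two paths is probably misspelled.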
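Review bot: in runc.keyring, two of the four keys added here expire roughly a year after this commit (the rsa2048 key C2428CD75720FACDCF76B6EA17DE5ECB75A1100E on 2025-04-18 and the rsa3072 key C020EA876CE4E06C7AB95AEF49524C6F9F638F1A on 2025-07-27), and nothing in the change records who refreshes the file or when. Every key in this file is a trust anchor for runc-%{version}.tar.xz.asc, so a signature from any one of them is accepted. A short comment in runc.spec next to "Source2: runc.keyring" stating where the keyring is taken from and that it must be re-synced before those dates would help. The "[ultimate]" markers in the listing lines are the exporter's local owner trust and say nothing to a consumer of the file; they could be dropped from the header text to avoid suggesting otherwise.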
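Review bot: in runc.spec, %prep consists only of "%setup -q -n %{name}-%{version}", and in the part of the hunk visible here nothing checks Source1 (the .asc) against Source0 with Source2. The step in %build compares keyring copies by sha256sum, which is a consistency check on the keyring and not a signature check on the tarball. If signature verification is left to the build service, a comment beside the Source1/Source2 lines saying so would make that dependency explicit; otherwise an explicit verification step before %setup is needed. Separately, git_version and git_short are kept in step with Version only by the "MANUAL:" comment, yet git_short is passed to the build as COMMIT="%{git_describe}"; a version bump that forgets them yields a binary reporting the wrong commit, so a build-time check that fails on mismatch would be safer than a comment.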