Sync from SUSE:SLFO:Main runc revision 1b708dc55c6e731fb8a9baa2c10b0f14

This commit is contained in:
Adrian Schröter 2024-05-04 00:21:41 +02:00
commit 863c656407
6 changed files with 1202 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

BIN
runc-1.1.12.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

17
runc-1.1.12.tar.xz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmWvvCcQHGFzYXJhaUBz
dXNlLmNvbQAKCRCeGKomfduNtG2oD/9yLwYdfbx4GU31kCuvTS3odH8XyplL4QLl
TszoLO/50z/Y9r0QBNuLsDDvAWtsJAYTsRIwEwDgUuziHnbkbHCnE2C+6P7OWUKp
7VS1mqWzWeVibt0hYBWcooJb8inA/ctwfppZlH8EnTdoyqp0bAuQKtj2muA+LTvN
n/19qZ0/zAvErya5ugZCfnpJngOM0W//F5OSE/DKI3ct6o3AilxlzlhZuwkiYQud
nwS5j4CvQp7GkJeuwDluUHGmsT8AW6P3McptS/BcT4wUKWhxcntJG1cdiZOFTW84
3CLdwMPGQR0SVK5yPMbKogRtglODEW82Ytp4S8BB9sG5PS5rBsvnApSQxFluRMQT
oaQsEKwPS+VSUwf44QR42iF3fB8dxmmmcautr5yaUiSx4DdFGj9jjrbMa9YCk2da
J/5ExwJv5nP5R+uwOiH3ziZuFuuH1afbGLrT2ouv61/SMGiYiLEAyiegF94Zg2nu
5RvMUz33LpEckLrlNN5u9q+/jbfJmZAUtdVafKQQTBRFKPCyHjOroKM11PzoHX6l
3dsyEPbEfowZ+uM2z9wCfub529fNF8t9k9sUAIQsma5p7+l7xJMbOua2kd1kGiQU
ec19+KD6ka4NHyDRwxe0iM6/AuFlKKUUTVGZjg2bD+ap0qgDjZ3R5lTmI1pJ8Win
wfoEKZCm+A==
=Sl8m
-----END PGP SIGNATURE-----

834
runc.changes Normal file
View File

@ -0,0 +1,834 @@
-------------------------------------------------------------------
Wed Jan 31 00:00:33 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.12. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
* This release fixes a container breakout vulnerability (CVE-2024-21626). For
more details, see the upstream security advisory:
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
* Remove upstreamed patches:
- CVE-2024-21626.patch
* Update runc.keyring to match upstream changes.
-------------------------------------------------------------------
Thu Jan 18 00:37:01 UTC 2024 - Aleksa Sarai <asarai@suse.com>
[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
+ CVE-2024-21626.patch
-------------------------------------------------------------------
Tue Jan 2 03:02:16 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.11. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
-------------------------------------------------------------------
Wed Nov 1 07:25:46 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.10. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.10>.
-------------------------------------------------------------------
Wed Sep 6 06:42:37 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
- Update to runc v1.1.9. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.9>.
-------------------------------------------------------------------
Wed Jul 19 14:04:08 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.8. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
-------------------------------------------------------------------
Thu Apr 27 09:43:31 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.7. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
- Update runc.keyring to upstream version.
-------------------------------------------------------------------
Wed Apr 12 04:17:29 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.6. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.6>.
-------------------------------------------------------------------
Wed Mar 29 07:05:52 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.5. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
Includes fixes for the following CVEs:
- CVE-2023-25809 bsc#1209884
- CVE-2023-27561 bsc#1208962
- CVE-2023-28642 bsc#1209888
* Fix the inability to use `/dev/null` when inside a container. bsc#1168481
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
(a regression in 1.1.1). bsc#1207004
* Fix rare runc exec/enter unshare error on older kernels.
* nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-------------------------------------------------------------------
Wed Aug 31 13:00:31 UTC 2022 - Fabian Vogt <fvogt@suse.com>
- Update to runc v1.1.4. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.4.
bsc#1202021
* Fix mounting via wrong proc fd. When the user and mount namespaces are
used, and the bind mount is followed by the cgroup mount in the spec,
the cgroup was mounted using the bind mount's mount fd.
* Switch kill() in libcontainer/nsenter to sane_kill().
* Fix "permission denied" error from runc run on noexec fs.
* Fix failed exec after systemctl daemon-reload. Due to a regression
in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
(boo#1202821)
-------------------------------------------------------------------
Thu Jun 9 00:22:16 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.3. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.3.
(Includes a fix for bsc#1200088.)
* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
* runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
- bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
-------------------------------------------------------------------
Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
+ bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
-------------------------------------------------------------------
Thu May 12 10:04:57 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Add ExcludeArch for s390 (not s390x) since we've never supported it.
-------------------------------------------------------------------
Wed May 11 22:43:51 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.2.
CVE-2022-29162 bsc#1199460
* A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
CVE-2022-29162. bsc#1199460
* `runc spec` no longer sets any inheritable capabilities in the created
example OCI spec (`config.json`) file.
-------------------------------------------------------------------
Tue Mar 29 03:33:30 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.1.
* runc run/start can now run a container with read-only /dev in OCI spec,
rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
libcontainer systemd v2 manager no longer errors out if one of the files
listed in /sys/kernel/cgroup/delegate do not exist in container's
cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus "Intel RDT is not supported"
error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)
-------------------------------------------------------------------
Mon Jan 17 07:15:26 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.0.
- libcontainer will now refuse to build without the nsenter package being
correctly compiled (specifically this requires CGO to be enabled). This
should avoid folks accidentally creating broken runc binaries (and
incorrectly importing our internal libraries into their projects). (#3331)
-------------------------------------------------------------------
Tue Dec 14 05:04:21 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.1.0~rc1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.
+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
This may help in distinguishing between runc exec failures
(such as invalid options, non-running container or non-existent
binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal exited containers artefacts.
This might be useful to check the state (e.g. of cgroup controllers) after
the container hasexited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
(the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
users to create sophisticated seccomp filters where syscalls can be
efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
the user namespace. Note that this does not permit the container any
additional access to the host filesystem, it simply allows containers to
have bind-mounts configured for paths the user can access but have
restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
have the same names as the proposed mount(8) options -- just prepend r
to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
runc has been built with. This includes critical information such as
supported mount flags, hook names, and so on. Note that the output of this
command is subject to change and will not be considered stable until runc
1.2 at the earliest. The runtime-spec specification for this feature is
being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
the ownership of certain cgroup control files (as per
/sys/kernel/cgroup/delegate) to allow for proper deferral to the container
process.
* runc checkpoint/restore: fixed for containers with an external bind mount
which destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
runc delete -f now succeeds (rather than timing out) on a paused
container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of
the release.
- Drop runc-rpmlintrc because we don't have runc-test anymore.
-------------------------------------------------------------------
Mon Dec 6 04:38:25 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.3. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784
bsc#1193436
* A potential vulnerability was discovered in runc (related to an internal
usage of netlink), however upon further investigation we discovered that
while this bug was exploitable on the master branch of runc, no released
version of runc could be exploited using this bug. The exploit required
being able to create a netlink attribute with a length that would overflow a
uint16 but this was not possible in any released version of runc. For more
information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.
Due to an abundance of caution we decided to do an emergency release with
this fix, but to reiterate we do not believe this vulnerability was
possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
discovering and reporting this vulnerability so quickly.
* Fixed inability to start a container with read-write bind mount of a
read-only fuse host mount.
* Fixed inability to start when read-only /dev in set in spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
causes excessive logging for kubernetes).
-------------------------------------------------------------------
Mon Aug 23 09:35:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.2
* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the "adding seccomp filter
rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
that has action equal to the default one). Such redundant rules are now
skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
harmful "failed to decode ..." errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
frozen before Set, and add a setting to skip such freeze unconditionally.
The previous fix for that issue, done in runc 1.0.1, was not working.
-------------------------------------------------------------------
Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.1
* Fixed occasional runc exec/run failure ("interrupted system call") on an
Azure volume.
* Fixed "unable to find groups ... token too long" error with /etc/group
containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
frozen. This is a regression in 1.0.0, not affecting runc itself but some
of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux
policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- Remove upstreamed patches:
+ boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
-------------------------------------------------------------------
Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Backport <https://github.com/opencontainers/runc/pull/3055> to fix issues
with runc under openSUSE MicroOS's SELinux policy. boo#1187704
+ boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
-------------------------------------------------------------------
Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0
! The usage of relative paths for mountpoints will now produce a warning
(such configurations are outside of the spec, and in future runc will
produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
results with cgroupv1, and always clobber any existing eBPF
program(s) to fix runc update and avoid leaking eBPF programs
(resulting in errors when managing containers).
* cgroupv2: correctly convert "number of IOs" statistics in a
cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
* cgroups/systemd: fixed returning "unit already exists" error from a systemd
cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make "runc --version" output sane even when built with go get or
otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify
cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.
-------------------------------------------------------------------
Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.0~rc95. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). bsc#1185405
-------------------------------------------------------------------
Wed May 12 08:03:58 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.0~rc94. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
been effectively deprecated by the kernel. Users should make use of regular
memory cgroup controls.
Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix "chdir to cwd: permission denied" for some setups
- Remove upstreamed patches:
- 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch
-------------------------------------------------------------------
Mon Apr 26 07:54:54 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Backport patch to fix build on SLE-12 ppc64le.
+ 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch
-------------------------------------------------------------------
Wed Feb 3 04:09:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.0~rc93. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93
bsc#1182451 bsc#1184962
* Cgroupv2 support is no longer considered experimental.
* Mountinfo parsing code has been reworked significantly.
* Special ENOSYS handling for seccomp profiles to avoid making new
syscalls unusable for glibc.
* Various rootless containers improvements.
* The "selinux" and "apparmor" buildtags have been removed, and now all runc
builds will have SELinux and AppArmor support enabled.
-------------------------------------------------------------------
Tue Feb 2 05:53:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to handle the docker-runc removal. bsc#1181677
- Modernise go building for runc now that it has go.mod.
-------------------------------------------------------------------
Fri Aug 28 07:38:29 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>
- Upgrade to runc v1.0.0~rc92 (bsc#1175821). Upstream changelog is available
from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
* Updates to CRIU support.
* Improvements to cgroupfs performance and correctness.
-------------------------------------------------------------------
Thu Jul 2 01:24:49 UTC 2020 - Aleksa Sarai <asarai@suse.com>
- Upgrade to runc v1.0.0~rc91. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91
* This release of runc has experimental support for cgroupv2-only systems.
- Remove upstreamed patches:
- bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
- bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch
-------------------------------------------------------------------
Thu Jun 25 22:34:03 UTC 2020 - Aleksa Sarai <asarai@suse.com>
- Switch to Go 1.13 for build.
-------------------------------------------------------------------
Wed May 13 06:49:44 UTC 2020 - Aleksa Sarai <asarai@suse.com>
- Backport https://github.com/opencontainers/runc/pull/2391 to help fix
bsc#1168481.
+ bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch
-------------------------------------------------------------------
Tue Apr 14 10:16:21 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>
- Renamed patch:
0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
to
bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
-------------------------------------------------------------------
Wed Mar 18 08:57:34 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>
- Added fix for bsc#1149954
* 0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
(cherry pick of https://github.com/opencontainers/runc/pull/1807)
-------------------------------------------------------------------
Thu Jan 23 17:18:05 UTC 2020 - Aleksa Sarai <asarai@suse.com>
- Upgrade to runc v1.0.0~rc10. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10
- Drop upstreamed patches:
- CVE-2019-19921.patch
-------------------------------------------------------------------
Tue Jan 21 22:10:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
- Change packagewide go version to be greater or equal to 1.10.
-------------------------------------------------------------------
Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>
- Update CVE-2019-19921 patch to match upstream PR.
* CVE-2019-19921.patch
-------------------------------------------------------------------
Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>
- Add backported fix for CVE-2019-19921. bsc#1160452
+ CVE-2019-19921.patch
-------------------------------------------------------------------
Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai <asarai@suse.com>
- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9
- Remove upstreamed patches:
- CVE-2019-16884.patch
-------------------------------------------------------------------
Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai <asarai@suse.com>
- Add backported fix for CVE-2019-16884. bsc#1152308
+ CVE-2019-16884.patch
- Add runc-rpmlintrc to drop runc-test rpmlint warnings.
-------------------------------------------------------------------
Mon Apr 29 11:56:21 UTC 2019 - Aleksa Sarai <asarai@suse.com>
- Upgrade to runc v1.0.0~rc8. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc8
- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).
- Remove upstreamed patches:
- CVE-2019-5736.patch
-------------------------------------------------------------------
Wed Feb 6 08:10:47 UTC 2019 - Aleksa Sarai <asarai@suse.com>
- Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec
to avoid write attacks to the host runc binary). bsc#1121967
+ CVE-2019-5736.patch
-------------------------------------------------------------------
Wed Dec 19 19:55:11 UTC 2018 - clee@suse.com
- Update go requirements to >= go1.10 to fix
* bsc#1118897 CVE-2018-16873
go#29230 cmd/go: remote command execution during "go get -u"
* bsc#1118898 CVE-2018-16874
go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths
* bsc#1118899 CVE-2018-16875
go#29233 crypto/x509: CPU denial of service
-------------------------------------------------------------------
Thu Dec 13 04:34:25 UTC 2018 - dorf@suse.com
- Require golang = 1.10.
-------------------------------------------------------------------
Thu Nov 29 09:10:09 UTC 2018 - Aleksa Sarai <asarai@suse.com>
- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6
-------------------------------------------------------------------
Wed Oct 31 14:01:03 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.
-------------------------------------------------------------------
Wed Jun 13 12:59:09 UTC 2018 - dcassany@suse.com
- Make use of %license macro
-------------------------------------------------------------------
Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com
- Remove 'go test' from %check section, as it has only ever caused us problems
and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
testing has been far more useful. boo#1095817
-------------------------------------------------------------------
Tue Feb 27 17:18:32 UTC 2018 - asarai@suse.com
- Upgrade to runc v1.0.0~rc5. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5
- Remove patch now merged upstream.
- bsc1053532-0001-makefile-drop-usage-of-install.patch
-------------------------------------------------------------------
Thu Aug 17 04:39:56 UTC 2017 - asarai@suse.com
- Use .tar.xz provided by upstream, as well as include the keyring to allow
full provenance of the source.
-------------------------------------------------------------------
Sun Aug 13 14:25:32 UTC 2017 - asarai@suse.com
- Use the upstream Makefile, to ensure that we always include the version
information in runc. This was confusing users (and Docker). bsc#1053532
- Add a backported patch to fix a Makefile bug.
https://github.com/opencontainers/runc/pull/1555
+ bsc1053532-0001-makefile-drop-usage-of-install.patch
-------------------------------------------------------------------
Thu Aug 10 17:14:02 UTC 2017 - asarai@suse.com
- Update to runc v1.0.0-rc4. Upstream changelog:
+ runc now supports v1.0.0 of the OCI runtime specification. #1527
+ Rootless containers support has been released. The current state of
this feature is that it only supports single-{uid,gid} mappings as an
unprivileged user, and cgroups are completely unsupported. Work is
being done to improve this. #774
+ Rather than relying on CRIU version nnumbers, actually check if the
system supports pre-dumping. #1371
+ Allow the PIDs cgroup limit to be updated. #1423
+ Add support for checkpoint/restore of containers with orphaned PTYs
(which is effectively all containers with terminal=true). #1355
+ Permit prestart hooks to modify the cgroup configuration of a
container. #1239
+ Add support for a wide variety of mount options. #1460
+ Expose memory.use_hierarchy in MemoryStats. #1378
* Fix incorrect handling of systems without the freezer cgroup. #1387
* Many, many changes to switch away from Go's "syscall" stdlib to
"golang.org/x/sys/unix". #1394 #1398 #1442 #1464 #1467 #1470 #1474
#1478 #1491 #1482 #1504 #1519 #1530
* Set cgroup resources when restoring a container. #1399
* Switch back to using /sbin as the installation directory. #1406
* Remove the arbitrary container ID length restriction. #1435
* Make container force deletion ignore non-existent containers. #1451
* Improve handling of arbitrary cgroup mount locations when populating
cpuset. #1372
* Make the SaneTerminal interface public. #1479
* Fix cases where runc would report a container to be in a "Running"
state if the init was a zombie or dead. #1489
* Do not set supplementary groups for numeric users. #1450
* Fix various issues with the "owner" field in runc-list. #1516
* Many other miscellaneous fixes, some of which were made by first-time
contributors. Thanks, and welcome to the project! #1406 #1400 #1365
#1396 #1402 #1414 #1412 #1408 #1418 #1425 #1428 #1436 #1433 #1438
#1410 #1447 #1388 #1484 #1481 #1496 #1245 #1524 #1534 #1526 #1533
- Remove any semblance of non-Linux support. #1502
- We no longer use shfmt for testing. #1510
-------------------------------------------------------------------
Wed Aug 2 13:51:43 UTC 2017 - asarai@suse.com
- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429
- Cleanup seccomp builds similar to bsc#1028638
- Remove the usage of 'cp -r' to reduce noise in the build logs.
-------------------------------------------------------------------
Thu Jul 6 17:14:17 UTC 2017 - thipp@suse.de
- switch to opencontainers/runc master branch
- remove CVE-2016-9962.patch
- stop providing docker-runc
-------------------------------------------------------------------
Thu May 4 19:04:49 UTC 2017 - jmassaguerpla@suse.com
- fix the golang requirement to 1.7 to the subpackages
-------------------------------------------------------------------
Tue May 2 15:49:41 UTC 2017 - jmassaguerpla@suse.com
- fix golang requirement to 1.7
-------------------------------------------------------------------
Fri Apr 28 16:16:00 UTC 2017 - jengelh@inai.de
- Substitute %__-type macro indirections
-------------------------------------------------------------------
Thu Apr 13 16:34:03 UTC 2017 - jmassaguerpla@suse.com
- update version to the one required by docker-17.04.0-ce (bsc#1034053)
remove ignore_cgroup2_mountpoint.patch . This is already included in
the upstream source code.
-------------------------------------------------------------------
Wed Apr 12 09:55:28 UTC 2017 - jmassaguerpla@suse.com
- Make sure this is being built with go 1.7
-------------------------------------------------------------------
Tue Apr 11 15:37:36 UTC 2017 - jmassaguerpla@suse.com
- remove the go_arches macro because we are using go1.7 which
is available in all archs
-------------------------------------------------------------------
Wed Mar 29 15:47:52 UTC 2017 - jmassaguerpla@suse.com
- fix bsc#1028113 - runc: make sure to ignore cgroup v2 mountpoints
This is a backport of https://github.com/opencontainers/runc/pull/1266
+ ignore_cgroup2_mountpoint.patch
-------------------------------------------------------------------
Fri Feb 24 18:08:10 UTC 2017 - jmassaguerpla@suse.com
- update to docker-1.13.0 requirement
-------------------------------------------------------------------
Fri Jan 13 13:58:33 UTC 2017 - jmassaguerpla@suse.com
- fix CVE-2016-9962 bsc#1012568 and applying the patch
CVE-2016-9962.patch, because 1.12.6 partially fixes it (it contains
the first patch attached in bsc#1012568)
-------------------------------------------------------------------
Mon Dec 19 12:49:38 UTC 2016 - jmassaguerpla@suse.com
- update runc to the version used in docker 1.12.5 (bsc#1016307).
This fixes bsc#1015661
-------------------------------------------------------------------
Mon Dec 19 12:17:07 UTC 2016 - asarai@suse.com
- For the moment, we have to switch to using Docker's fork of runC. This *will*
be solved properly by creating a new package purely for Docker's runC fork,
because it's quite silly to tie OCI project releases to Docker's vendoring
scheme. Once this is fixed, this package will be switch to being purely-OCI.
-------------------------------------------------------------------
Fri Dec 16 17:05:37 UTC 2016 - jmassaguerpla@suse.com
- add the /usr/bin/docker-run symlink to partially fix bsc#1015661
-------------------------------------------------------------------
Thu Nov 24 11:05:41 UTC 2016 - jmassaguerpla@suse.com
- fix version by adding a revision "counter" so that it will always
increase
fix bsc#1009961
-------------------------------------------------------------------
Thu Oct 13 11:04:27 UTC 2016 - jmassaguerpla@suse.com
- update to 02f8fa7 because that is the needed version for docker 1.12.1 (bsc#1004490)
-------------------------------------------------------------------
Wed Sep 21 05:13:26 UTC 2016 - jengelh@inai.de
- Run fdupes.
-------------------------------------------------------------------
Mon Sep 19 11:57:45 UTC 2016 - jmassaguerpla@suse.com
- fix go_arches definition: use global instead of define, otherwise
it fails to build
-------------------------------------------------------------------
Fri Aug 26 08:59:54 UTC 2016 - asarai@suse.com
- Remove docker-runc symlink because it's been fixed within the Docker
package. bsc#978260
-------------------------------------------------------------------
Thu Aug 25 17:02:33 UTC 2016 - jmassaguerpla@suse.com
- Create a symlink /usr/sbin/docker-runc -> /usr/sbin/docker
Docker expects this symlink to exist bsc#978260
-------------------------------------------------------------------
Thu Aug 25 15:56:00 UTC 2016 - jmassaguerpla@suse.com
- Remove GOPATH at the end of the GOPATH assignment
cause GOPATH is empty and if we do that, we get the path ""
appended, which causes gcc6-go to complain
-------------------------------------------------------------------
Wed Aug 24 12:27:57 UTC 2016 - jmassaguerpla@suse.com
- add go_arches in project configuration: this way, we can use the
same spec file but decide in the project configuration if to
use gc-go or gcc-go for some archs.
-------------------------------------------------------------------
Thu Aug 18 10:35:29 UTC 2016 - jmassaguerpla@suse.com
- use gcc6-go instead of gcc5-go (bsc#988408)
- build ppc64le with gc-go because this version builds with gc-go 1.6
-------------------------------------------------------------------
Thu Aug 18 10:34:29 UTC 2016 - cbrauner@suse.de
- bump git commit id to the one required by docker v1.12.0 (bsc#995058)
- run unit tests during package build
- remove seccomp-use-pkg-config.patch
The patch is now upstream.
- remove GO_BUILD_FLAGS macro and substitute with BUILDFLAGS env variable to
allow for easier string appending.
- only run unit test on architectures that provide the go list and go test tools
-------------------------------------------------------------------
Wed Aug 17 10:29:15 UTC 2016 - cbrauner@suse.de
- Add runc-test package which contains the source code and the test. This
package will be used to run the integration tests.
- Simplify package build and check sections: Instead of symlinking we default to
cp -avr. go list gets confused by symlinks hence, we need to copy the source
code anyway if we want to run unit tests during package build at some point.
-------------------------------------------------------------------
Fri Apr 29 09:03:24 UTC 2016 - asarai@suse.de
* Update to runC 0.1.1. (bsc#989566 FATE#320763) Changelog from upstream:
This release includes a bug fix for adding the selinux mount label in the specification.
-------------------------------------------------------------------
Tue Apr 19 09:59:05 UTC 2016 - asarai@suse.de
* Don't use gcc-go for aarch64, since gc has grown support for it and is more
stable.
-------------------------------------------------------------------
Fri Apr 15 10:46:04 UTC 2016 - asarai@suse.de
* Disable seccomp entirely for aarch64 builds, since it is not provided on all
SUSE platforms.
-------------------------------------------------------------------
Wed Apr 13 12:03:09 UTC 2016 - asarai@suse.de
* Update to runC 0.1.0. Changelog from upstream:
This release updates runc to the OCI runtime specification v0.5.0 and includes
various fixes and features.
Features:
+ cgroups: pid limits and stats
+ cgroups: kmem stats
+ systemd cgroup support
+ libcontainer specconv package
+ no pivot root option
+ numeric ids are treated as uid/gid
+ hook improvements
Bug Fixes:
* log flushing
* atomic pid file creation
* init error recovery
* seccomp logging removed
* delete container on aborted start
* /dev bind mount handling
-------------------------------------------------------------------
Wed Mar 30 14:18:18 UTC 2016 - asarai@suse.de
* Install to /usr/sbin. https://github.com/opencontainers/runc/pull/702
-------------------------------------------------------------------
Sun Mar 27 14:50:32 UTC 2016 - asarai@suse.de
* Added runC man pages.
* Recommended criu, since it's required for the checkpoint and restore
functionality.
-------------------------------------------------------------------
Sun Mar 27 10:14:32 UTC 2016 - asarai@suse.de
* Small updates to method of compilation to better match Makefile.
-------------------------------------------------------------------
Mon Mar 21 12:04:59 UTC 2016 - asarai@suse.de
* Make compilation work on gcc-go only systems (ppc and s390).
-------------------------------------------------------------------
Mon Mar 21 08:24:02 UTC 2016 - asarai@suse.de
* initial import of runC 0.0.9
* add patch seccomp-use-pkg-config.patch which allows us to build runC, since
they assume that the seccomp.h file lives at /usr/include/seccomp.h.

221
runc.keyring Normal file
View File

@ -0,0 +1,221 @@
pub rsa4096 2016-06-21 [SC] [expires: 2031-06-18]
5F36C6C61B5460124A75F5A69E18AA267DDB8DB4
uid [ultimate] Aleksa Sarai <asarai@suse.com>
uid [ultimate] Aleksa Sarai <asarai@suse.de>
sub rsa4096 2016-06-21 [E] [expires: 2031-06-18]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: github=cyphar
mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8
ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0
CfekjIpoR1CffYtCvkLr8/f74jHNRfqsmZ1Oxa9GjbhgDnbw4Baztp6WctzMXyOJ
j5bJuSfQTcgFbIeQ27zx7gNjbnHyEP5TEm1/CeoWpGPpZLJPiKHdI/TBCyFexHJ0
IlabKc4DC43RZyh0Btuf+FiX9K2NkoCC7l5nQdde8B6YG7SA6xEhwhQ73bSs7A56
rlZxfIFmLCB/81FyXk5eH0Eu9Lbwj69YQ81EdkLnLAyP3ZB+MRGuiWVD88Jr1He2
25m3dxTVzaP0TAV4LqdbuqTwr2wagu9MZQ5XXDiaEuiPwTrO10xlmivOjRaWxoWA
E0I3fOdrzqfg9XK6g1pG23v2WhHFIejqVCXrf5oPcCd62lGeh0ghEdNN89ikXbka
1PJRiWI3uDQ6STSKa+6uC5eUM7tK/ymqS8JYSQf4d3eIaC2H403psPt5kbq1bHdx
nRPX2eh/t1QzR1dhPxzai4CzLERIYJ9iD4nGiSscwy0P44AgyeuywSg4qXzr9Sfe
igOj+6lfJb3iZRN3dKLTRAKWvo7yfdi/UOycodlaQyW8v0yXAx7Yh1NgJQARAQAB
tB1BbGVrc2EgU2FyYWkgPGFzYXJhaUBzdXNlLmRlPokCPQQTAQgAJwUCV2kY3QIb
AwUJHDIEgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCeGKomfduNtGecEACZ
JLVdeKHKsSUqTLOjbC6t9uKfKlNpu+iQ2/TS9YazLWXoFEc8f/uWB8BpHcJBFrqz
j+mI34ShEkbbNJArxR76njnAtPF+73GiD0dAjRDWz8YtQgSg5UhYm6O2Si/EM4I8
TDzflyjaZltCkDe2U+2T8dTkYxqOi11IuCukPBNe0moxGKvLGPWEqZQMPCfBgllD
lv2Toiry2Fp1bkBlT6hk0C684rfAwzPQuH0BBv8vgfgroRMJg/qfZb64lhMCXaPr
rCtVHP+F1bVXKZCBCt7ETTtcteUEKaFmGgDGpXGnIqPL5iWLK5u8DQL/1lGcinj9
QdD9IUNqsrsNAbdyMMqQvZKQwIVDgFMXrCwSRymOi6cppN7eF0VyFN7YsATttRGx
CZBoSMhVW6VVxuJFGaQWFXWthVGVEd2jkvny1TX8Nm8KBHC2G/wNVU3pKrCPhMCt
rYc8xWZ+6uisQ6XWs8H4nyBOVN6RvhIqqXJL1nvViOSFMLSDyFgPA16368krgxYE
pVDvie04aDjKZj2/0LSogNQPqZxs8uKIjLZ1NYQQmCQ8Dx9/nshg1wbyDD/c///M
EmVFmZhlNLZ8tV/iTlwfD/4vjbeaAQTVanhPFRbUtmL/iuz5f0gH0b0xc+mc+yQ1
egjBwMuKr+h7jbSXIWoFGZLrqT3WswTg0Khk6oEL57QeQWxla3NhIFNhcmFpIDxh
c2FyYWlAc3VzZS5jb20+iQI9BBMBCAAnBQJXaRngAhsDBQkcMgSABQsJCAcCBhUI
CQoLAgQWAgMBAh4BAheAAAoJEJ4YqiZ924202mIQAIjGrikF7OPBCbV5Oo4oC0QQ
7HcG+DM9cN6UcFO+rzWQxZ/atEpiULa4O3YKoGOkSV5WAjUpaY5Rf7Obt3EjgrwE
PhtGvOpC6kkkTV43RmmK06CxHiZPrUJBwcpbW1rf2JZx7PPBMbZfsmWdVZc+LjzC
D3KtJ7xhzT0mi+zN5ONNHody6sDQO6n0mN+bRVxiVdcxwjYHfJYGobI6aaKyupvl
+xCGK4ekzNCVzaxudzqmbFE6qk+cWcvcA8HpggA63rCvCLfK1embNOtqzKAcJh1o
cJvrtpe18qBvd4yXFWEqQBW6IoDLvdzaLY7eNMI97UDInciz/GUtbxhqbs1lAOBz
V1y9fi0+NIIq1qmhbLxpUFC2BWsZRuWEqYWdr4FFJCuYEEXX6KXM7d9CSdWlErCU
mqKYsx6X4E7Iy1yupYbIqXRea9wBr8aPoFk+gLdNbCWAE4o7InKJY1uqOt141ffs
+6XJe2wVvA2xLr0ZphlcyF0EHZX8tMWLCYdQJdLMps2hl5oFpi7ccdM1GpE/Kwt5
pEBqsJ6vP59BsbmciYmNkYKvFIKJcasImglQP6nrQiBwjTd7fYXpMDeO0yNtklaZ
IZlbNvxOe1TqbRzfVFk3oSBbEaFzPAx/W0uU1evZynpu2PcIvOuadScc9j0jMzt8
0wknTD5AqhD/fkfZlwRouQINBFdpGN0BEADfqvO6AkGOWf+lcQZfWBMSMpzneCCS
JvQvD65VrFt0CCbSlJv1pc3GwLlL2dMulIxQGg0JMTjfPZcCYqrnOcWe0gedETRV
nOucY7zWmohR7L70YWwh46FlAPifY6bIIYGYTHyI9w1adS9K4tAJW/XS0WrvZ5KA
l7htrAzUAsMhag9y9jtQJVPLErGJta3jZJASs8PZWWmLYZE+oy1R3W52w/HqGQHS
8BPgo4oL+lrjPmjAwouhhNETTq9W2xmCe18EJodOjNKdF5ODOq1LOkPNHIaIdG0s
sY3qbifcRLVDvSmb8++4WRYl1HLy2vpsTQ31mZ3KyRKR6cP61ivTZy8idwD+Qt1t
3uKTCGNZj96OCob8ZeZsak6enuFZleVbLty1eULIw/IZuq8g6E+/V7mbFo4vkXMN
q4YrX0Q3XEzB8Cdxd5vsnz7Uga35j44gwJ+BUsCyaRUyGzLqhUWHJS73Vy3IxHfX
Rj7TQUBFYDKbOS9oKearmvTb1SQzH7NM5jQUFzXeJQE03jetRneNQ5hkh9UhUr64
gtRnnKXTimXkczEMU9eDSTgQoaebdPnWEnzoStS5ln03zH+CNTQF9qjcpYBrJ2mZ
wnxO9OP/45KQL4hPAi2+hGkq2yjuIzeCkFJabAc7sF6lwJqH82XtiIIR+AGTM8QC
Eno0eqAytg8YawARAQABiQIlBBgBCAAPBQJXaRjdAhsMBQkcMgSAAAoJEJ4YqiZ9
2420AuIP/1PYZDKFLv//+iY6Z9xGz4zHL+9nWND/Kll3xHeuWjYGZ2nmcovSnEW4
0eiMn1c6KMgs/CCR4+9bm7MdgaF73pjM4xzHBIBetLLkcKQIrniX2Fq+WgscJfFx
+0ha7Xb2TTpSy8PRiYHowVUaMPwyqSsAUwrSenLuwyiKr+EW4Wzo+YM2w9a86yw1
GfWuiyk0Z4sGoPoPEjmD4y6Xlf8kIfuZeb+joHd6W1nMf7cxDkNLQqX6sWvs62Tv
Lsx2jApPKD2PyTyyxItJKc6NXFVM+Uww323ZYVWMkz+VKalHRiv6xzGqArhpAIH6
fn+1WjjqkrrLU4I7smjlulZCy/NZLOKqQYaqM+7BgC2mOPMb5CM99cg4SrK86dFr
3Cf22+OTmC6/Wb5Gu4PzTzkYIJDnt3BJQYjJlp4zyOHluN6notrWagLIB06oX+jQ
pxGySHW++Cha/JCUb0mfeHIJKvRor3v7YaSJoFIo//rz6XJ9WVZfsKnOte/3s9m7
qkEvLArbe2o7pUJ2mxZZw/nAk/Y39FYAMvgMA9f+uv18O7u+ojYjS6DlrmNuIEg/
mp8FqVxVNdIS2capSF4+eOn3a4kcF0018xbTLA2AwQ2o9eF5G9qTdSVrN865VPCd
KWr9ByCKAwVHsaSgVSJE/dse4f1toqeEHHbWk682U4RqOWZR4bA0
=3/jE
-----END PGP PUBLIC KEY BLOCK-----
pub ed25519 2019-06-21 [C]
C9C370B246B09F6DBCFC744C34401015D1D2D386
uid [ultimate] Aleksa Sarai <cyphar@cyphar.com>
sub ed25519 2022-09-30 [S] [expires: 2030-03-25]
sub cv25519 2022-09-30 [E] [expires: 2030-03-25]
sub ed25519 2022-09-30 [A] [expires: 2030-03-25]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: github=cyphar
mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz
QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGwEWIQTJw3CyRrCfbbz8dEw0QBAV0dLT
hgUCZa3xwQAKCRA0QBAV0dLThpQyAQDGzjZyyWWmd6Ykg5/lymp2MLIg1f2jG6ew
AiPT4ATkBAD/RgdLDf1IQStEH7pHmQa1qvqyRq1jeEgF23KruXbbdQ64MwRdDMJS
FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4
BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS
04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b
8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0
QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS
y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw
x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG
SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru
YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL
FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD
cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e
qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk
uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M
wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx
za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ
KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo
FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG
AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9
o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ
FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51
DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH
uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+
q25gaH2I9QQYFgoAJgIbAhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJlrfJcBQkO
EpjFAIF2IAQZFgoAHRYhBLZOSVWyn6PUY/KpBiiX+tK36URvBQJjNrpLAAoJECiX
+tK36URv2hsBALyKPjIlNTtlwC1PHZkyOPwSiu4ZveS7pWlHLHX6nJBCAP9CBDtf
UbvG3C5WljSQdiBrXKgosDbJxPwXw+tW0XukAwkQNEAQFdHS04bMkQEA9elVwA0A
+ywDw+jnifIc98XqLI+KF3Xl0A9+lMuwthMBAO00DeAEjkryFMGp62GPNHqr/r6p
+6DIeUjWgK4Sh8IMuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM
OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmAhsMFiEEycNwskawn228/HRM
NEAQFdHS04YFAmWt8lwFCQ4SmLAACgkQNEAQFdHS04apHgD+MIRj2kujpxtQt04D
ZB+hofBtHIEMo2tplFBYvhZ6KOMA/1q3aRv6jnWAv8woc50KitP4/+iPmfyzaBA/
8XA5DdIKuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD
TF2SQwwqM4+nYbeIfgQYFgoAJgIbIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJl
rfJcBQkOEpiiAAoJEDRAEBXR0tOGAUwA/jbaz04OXnV3PYC/yQUsUJsihCTqz4Ne
lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg==
=Ab7w
-----END PGP PUBLIC KEY BLOCK-----
pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18]
C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
uid [ultimate] Kir Kolyshkin <kolyshkin@gmail.com>
sub rsa2048 2020-04-28 [E] [expires: 2025-04-18]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: github=kolyshkin
mQENBF6ou34BCACow4f1kUqw0varU4pq+C91xhYeNb/0sGyFKCvYfiLY74yG8EXW
rZ8n06AYDHzPv9oubkUhnFk/u25kXQVgLB6Z5SKRBCiFq1QZirXeNJ8Iss8AwDBV
ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9
2IknlaZg2oGpQe6weVmXmEhxERapG/y+/Vo6t8UfhSv0gEeM00/yWhBJKSYPtzMg
SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu
DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g
PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW
AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ
F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F
t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW
JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3
wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt
Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0
1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k
p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z
s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik
6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38
oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc
yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h
8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F
AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R
uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT
iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r
5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4
S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au
2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ==
=GkpD
-----END PGP PUBLIC KEY BLOCK-----
pub rsa3072 2019-07-25 [SC] [expires: 2025-07-27]
C020EA876CE4E06C7AB95AEF49524C6F9F638F1A
uid [ultimate] Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
uid [ultimate] Akihiro Suda <suda.kyoto@gmail.com>
sub rsa3072 2019-07-25 [E] [expires: 2025-07-27]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: github=AkihiroSuda
mQGNBF06GR8BDADEpCHv9HzGbqzQ2RAqTWBGHUNsiHD89NVmbXx4nw56odXf5mAK
QHxyh9tKkt0BIaKMLcxcU6+GXP5iSLdHnQvnxxbR0gW3CJ8bIWPUflE4hjv8QLbc
5CSpqa3d7/tsntVYNLPFs6B0acTXB4YLK+u2aC42US6by5zO4KS+8/7RyXhdkYGY
wy6dCU1ysnuG4QstxlObKJUtxcW/9vQkF/ZdqaqLf6HHL/kMasWUxWG1uvf+V/MO
BRKu7zBW290XDE5Dd9DomyX4q2kqoWQBkpvkJlVsKWpW+AXnBizbVD+pX90VEQmk
Tvnr6U9OiArS6m2yVwZlu836l2yo3tX2tsgTNn8gtZugO4Qb3iZnDUexqgCwnLBx
dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO
9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA
3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA
aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCZMPL2QUJC0wZugAKCRBJUkxvn2OP
GqTiC/93jTl0ci2zWC8vVBPSyjHDrpOhn+3ukCeC7VxHOdo6hBwbsxqaBUWi0Maf
p9oa4HzmsQjhMM+i3/Q/jHBvijXQ2UO5MaDrLhacoAW8i/YeU2aKn2yIyrQPIdc/
tlcwjvsRPt534DOisf1N5+w6Y4DRgt2tNl0KOjEBmXsBWN7Fg+QRfLeNWKS9soq7
QkI68T0e0h752FmI8TK4yy6FrhLVUU2ArLcOV2wjx5zKnWjgX7BbwYjAp8fi9hcC
XdmSvllQ8U9Y2ll8dDq3HBmo+uI4lfz31S4B5EKo4Wn+3bA4Y+VBNoJfoKyLeOgr
0cmo6SRJIsVaSvAJcMZ6oq+jvTDuygfRkxxgoTzCgwre7CPzcvC8gC0sYOB34TN4
UogwN3pFmCPfi5TjXsx7vgfWKlHgwe3L/5aoQjTm+z6WanTHbIqOK9QkIuGykMpL
7nOJeH9LoRzpzc8aOwIOki2bbo7s9yzL8Gil+zaqe16Q+Y7wVBxSRxbg/3oUTi1K
/uM8N4S0I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB
CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM
b59jjxoFAmTDy9kFCQtMGboACgkQSVJMb59jjxogzgv/a+4+T5Xoklt0rGujSgtD
ogpQp4guaImEhkPieWMPG7+UfqxwoMLcvLE5kTzqLPe1DdYs8Tm/gtteHttLUfjD
qwY/+BsqIYYMJMRoXFBk2iokn0m/36da7WKpN+5r5ssujsvGj991k4oLQgFV0kEx
f4PSRxWQNlAqp4OfQNI91S7oMDH94dR+V5TIYYHxsPsnCvygD72GVER4G5mUvkCH
Nf8aqeckVxu8uZ/2LiNtYxbh5pwriuj8XbifuawdMdjpTvwAAa2DuKqCtj9cuQIt
hmOF1ux68TRxk//QGPqX49+WT0mwdHBX/I/nZVTOGt9sjjKU5m1o+rUiVHtQ3Yhw
fSLWEbfZiTjWDPWpjLU+r3C2qCiJyPjNpsxYAp4y3v511BXesejcXm24+MHFym5F
ngyAItzwDD9ieTt3uviuC64VZVz7NgnDMUK0LumKh9mrZZ20dTcX9Vw70o41CMQN
yBKloXOSPzQDZp1ZXzR3P/22WXG/e52YuU3Aw1femld+uQGNBF06GR8BDACxpQ9c
y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+
786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6
ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4
iEw7RLq9LssTyjeuRVN23X+ojD4Mp3jQnPA+cjLF718KpCsw5r+tGZ98/5GZevmH
Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF
bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL
gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1
vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA
AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJkw8uyBQkLTBmT
AAoJEElSTG+fY48ayhsL+gLvKlfkYgxodyWKR5hOiUMKWE5tqfQY6kqrgssPYw+u
Fn69AamQLt4I2AHRg0AHjoZEsMfR19uXZ24XwwcWwgWU6yRJgMSIK67bLvL+d686
m2KQ2PpmfDrizUgY4J0sY+tzwNZeWxQiFy/Ni6AdEqJvJQDsrKYJ2GGWm6JMZCPw
y3h5ouueieiEc0pvwEz2kg64uv6p8SUV1me66IXQaGseXb/BcW+Ap2WJO+IZjtNB
qhk+V+1x5ZT6s9RecjiTDmKfZ71zyRWplkfL22+4XVEc3qLS3r0ZSzeIA4JPRf+N
yCGjavdTNgu2bTo8iSgBq2NRT9kNwTaS8j883L0eY/JJktrfWnWE4qAuXBqLzkIl
smspRWy0byLQrrzk9stncF/CDt5XuHPcsXOcRVXVyM+/RXqWKdNAwZO67HD4wJR9
YR4avhGZZXguH3b0ka2zO8sxTju/09yb07NJ2qfjfWSHCmaj9KuhhE0EO625tckS
58ceqolNBtrydoYZOc2CKw==
=ol6W
-----END PGP PUBLIC KEY BLOCK-----

104
runc.spec Normal file
View File

@ -0,0 +1,104 @@
#
# spec file for package runc
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# nodebuginfo
# MANUAL: Make sure you update this each time you update runc.
%define git_version 51d5e94601ceffbbd85688df1c928ecccbfa4685
%define git_short 51d5e94601ce
%define project github.com/opencontainers/runc
Name: runc
Version: 1.1.12
Release: 0
Summary: Tool for spawning and running OCI containers
License: Apache-2.0
Group: System/Management
URL: https://github.com/opencontainers/runc
Source0: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz#/runc-%{version}.tar.xz
Source1: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc
Source2: runc.keyring
BuildRequires: diffutils
BuildRequires: fdupes
BuildRequires: go
BuildRequires: go-go-md2man
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
Recommends: criu
# There used to be a docker-runc package which was specifically for Docker.
# Since Docker now tracks upstream more consistently, we use the same package
# but we need to obsolete the old one. bsc#1181677
Obsoletes: docker-runc < %{version}
Provides: docker-runc = %{version}
# KUBIC-SPECIFIC: There used to be a kubic-specific docker-runc package, but
# now it's been merged into the one package. bsc#1181677
Obsoletes: docker-runc-kubic < %{version}
Provides: docker-runc-kubic = %{version}
Obsoletes: docker-runc = 0.1.1+gitr2819_50a19c6
Obsoletes: docker-runc_50a19c6
ExcludeArch: s390
# Construct "git describe --dirty --long --always".
%define git_describe v%{version}-0-g%{git_short}
%description
runc is a CLI tool for spawning and running containers according to the OCI
specification. It is designed to be as minimal as possible, and is the workhorse
of Docker. It was originally designed to be a replacement for LXC within Docker,
and has grown to become a separate project entirely.
%prep
%setup -q -n %{name}-%{version}
%build
# build runc
make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc
# build man pages
man/md2man-all.sh
# make sure that our keyring copy is identical to upstream.
our_keyring=$(sha256sum <"%{SOURCE2}")
src_keyring=$(sha256sum <runc.keyring)
if [ "$our_keyring" != "$src_keyring" ]; then
echo "keyring file doesn't match upstream"
diff -u "%{SOURCE2}" runc.keyring
exit 1
fi
%install
# We install to /usr/sbin/runc as per upstream and create a symlink in /usr/bin
# for rootless tools.
install -D -m0755 %{name} %{buildroot}%{_sbindir}/%{name}
install -m0755 -d %{buildroot}%{_bindir}
ln -s %{_sbindir}/%{name} %{buildroot}%{_bindir}/%{name}
# Man pages.
install -d -m0755 %{buildroot}%{_mandir}/man8
install -m0644 man/man8/runc*.8 %{buildroot}%{_mandir}/man8
%fdupes %{buildroot}
%files
%defattr(-,root,root)
%doc README.md
%license LICENSE
%{_sbindir}/%{name}
%{_bindir}/%{name}
%{_mandir}/man8/runc*.8.gz
%changelog