Add patch for CVE-2024-9676 (bsc#1231698)
OBS-URL: https://build.opensuse.org/package/show/devel:microos/podman?expand=0&rev=71
commit
cddcb6f3ea
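--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text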
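--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc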
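--- a/0001-Backport-fix-for-CVE-2024-6104.patch
+++ b/0001-Backport-fix-for-CVE-2024-6104.patch
@@ -0,0 +1,84 @@
+From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
+Date: Sun, 30 Jun 2024 16:09:52 +0200
+Subject: [PATCH] Backport fix for CVE-2024-6104
+
+This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
+applied to the vendor/ source tree
+See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
+---
+.../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
+1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+index 12ac50bcc..efee53c40 100644
+--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+if logger != nil {
+switch v := logger.(type) {
+case LeveledLogger:
+- v.Debug("performing request", "method", req.Method, "url", req.URL)
++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
+case Logger:
+- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
+}
+}
+
+@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+if err != nil {
+switch v := logger.(type) {
+case LeveledLogger:
+- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
+case Logger:
+- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
+}
+} else {
+// Call this here to maintain the behavior of logging all requests,
+@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+
+wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
+if logger != nil {
+- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
+if resp != nil {
+desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
+}
+@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+// communicate why
+if err == nil {
+return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
+- req.Method, req.URL, attempt)
++ req.Method, redactURL(req.URL), attempt)
+}
+
+return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
+- req.Method, req.URL, attempt, err)
++ req.Method, redactURL(req.URL), attempt, err)
+}
+
+// Try to read the response body so we can reuse this connection.
+@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
+Transport: &RoundTripper{Client: c},
+}
+}
++
++// Taken from url.URL#Redacted() which was introduced in go 1.15.
++// We can switch to using it directly if we'll bump the minimum required go version.
++func redactURL(u *url.URL) string {
++ if u == nil {
++ return ""
++ }
++
++ ru := *u
++ if _, has := ru.User.Password(); has {
++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
++ }
++ return ru.String()
++}
+--
+2.45.2
+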
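Review bot: `0001-Backport-fix-for-CVE-2024-6104.patch` is added to the package but is not declared by any `PatchN:` line in podman.spec (only `Patch0: 0001-Properly-validate-cache-IDs-and-sources.patch` and `Patch1: 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch` are), so `%autosetup -p1` never applies it and the go-retryablehttp URL-redaction fix is not part of the built binary. Either the go-retryablehttp vendored in podman 5.2.4 already contains the fix and this file is a stale leftover that should be removed, or it is meant to be applied and must be listed in the spec; the page does not show which, and it should be settled before the next submission. A smaller point: the helper's header comment `// Taken from url.URL#Redacted() which was introduced in go 1.15.` is out of date for this package, since the spec requires `golang(API) >= 1.21`, so `req.URL.Redacted()` from net/url would replace `redactURL` entirely — though as this is a verbatim upstream backport, leaving the vendored code identical to upstream is the lower-risk choice. `Do` and `StandardClient` both start and end outside the quoted hunks.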
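--- a/0001-Properly-validate-cache-IDs-and-sources.patch
+++ b/0001-Properly-validate-cache-IDs-and-sources.patch
@@ -0,0 +1,68 @@
+From fe456eed5ac0647250fa5249e663ddb236b2adfb Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Tue, 15 Oct 2024 22:14:55 +0530
+Subject: [PATCH 1/2] Properly validate cache IDs and sources
+
+The `--mount type=cache` argument to the `RUN` instruction in
+Dockerfiles was using `filepath.Join` on user input, allowing
+crafted paths to be used to gain access to paths on the host,
+when the command should normally be limited only to Buildah;s own
+cache and context directories. Switch to `filepath.SecureJoin` to
+resolve the issue.
+
+Fixes CVE-2024-9675
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+.../buildah/internal/volumes/volumes.go | 19 ++++++++++++++-----
+1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/github.com/containers/buildah/internal/volumes/volumes.go b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+index da6b768fdc21..610e9fcf11b2 100644
+--- a/vendor/github.com/containers/buildah/internal/volumes/volumes.go
++++ b/vendor/github.com/containers/buildah/internal/volumes/volumes.go
+@@ -23,6 +23,7 @@ import (
+"github.com/containers/storage/pkg/idtools"
+"github.com/containers/storage/pkg/lockfile"
+"github.com/containers/storage/pkg/unshare"
++ digest "github.com/opencontainers/go-digest"
+specs "github.com/opencontainers/runtime-spec/specs-go"
+selinux "github.com/opencontainers/selinux/go-selinux"
+)
+@@ -374,7 +375,11 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
+}
+// path should be /contextDir/specified path
+- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, nil, err
++ }
++ newMount.Source = evaluated
+} else {
+// we need to create cache on host if no image is being used
+
+@@ -391,11 +396,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
+}
+
+if id != "" {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(id).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+} else {
+- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination))
+- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination))
++ // Don't let the user control where we place the directory.
++ dirID := digest.FromString(newMount.Destination).Encoded()[:16]
++ newMount.Source = filepath.Join(cacheParent, dirID)
++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID)
+}
+idPair := idtools.IDPair{
+UID: uid,
+--
+2.46.0
+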
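Review bot: The patch description says the fix is to "Switch to `filepath.SecureJoin`", but neither hunk calls SecureJoin: the from-stage path is resolved through `copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{})`, and the host-side cache and lockfile directories are named by a truncated `digest.FromString(...).Encoded()[:16]` of the user-supplied id or destination rather than by the string itself. A one-line note in the description, or an extension of the `// Don't let the user control where we place the directory.` comment such as `// The directory name is derived from a hash of the id, so no user-controlled path component ever reaches filepath.Join.`, would stop the next reader from searching for a SecureJoin call that is not there. Two consequences are worth recording in the package changelog: caches created under the old `filepath.Join(cacheParent, filepath.Clean(id))` names are no longer found after this lands, and the 16-hex-character truncation means two distinct ids could, in principle, share one cache and lock directory — a correctness rather than a confinement concern, since the directory still stays under `cacheParent`. `GetCacheMount` starts and ends outside both hunks.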
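--- a/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+++ b/0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
@@ -0,0 +1,239 @@
+From 006e1387eaf2791d7b9c730b135de9648003c7db Mon Sep 17 00:00:00 2001
+From: Danish Prakash <contact@danishpraka.sh>
+Date: Mon, 21 Oct 2024 11:33:43 +0530
+Subject: [PATCH 2/2] Use securejoin.SecureJoin when forming userns paths
+
+We need to read /etc/passwd and /etc/group in the container to
+get an idea of how many UIDs and GIDs we need to allocate for a
+user namespace when `--userns=auto` is specified. We were forming
+paths for these using filepath.Join, which is not safe for paths
+within a container, resulting in this CVE allowing crafted
+symlinks in the container to access paths on the host instead.
+
+Addresses CVE-2024-9676
+
+Signed-off-by: Matt Heon <mheon@redhat.com>
+Signed-off-by: Danish Prakash <contact@danishpraka.sh>
+---
+go.mod | 2 +-
+go.sum | 4 +-
+.../github.com/containers/storage/.cirrus.yml | 2 +-
+vendor/github.com/containers/storage/VERSION | 2 +-
+.../github.com/containers/storage/userns.go | 87 +++++++++++++------
+.../containers/storage/userns_unsupported.go | 14 +++
+vendor/modules.txt | 2 +-
+7 files changed, 80 insertions(+), 33 deletions(-)
+create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
+
+diff --git a/go.mod b/go.mod
+index 02d1876148a4..8f049568e0b8 100644
+--- a/go.mod
++++ b/go.mod
+@@ -20,7 +20,7 @@ require (
+github.com/containers/libhvee v0.7.1
+github.com/containers/ocicrypt v1.2.0
+github.com/containers/psgo v1.9.0
+- github.com/containers/storage v1.55.0
++ github.com/containers/storage v1.55.1
+github.com/containers/winquit v1.1.0
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
+github.com/coreos/stream-metadata-go v0.4.4
+diff --git a/go.sum b/go.sum
+index 60da92454ca2..66795b5b82ad 100644
+--- a/go.sum
++++ b/go.sum
+@@ -97,8 +97,8 @@ github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sir
+github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
+github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g=
+github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A=
+-github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
+-github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
++github.com/containers/storage v1.55.1 h1:ius7angdTqxO56hmTJnAznyEcUnYeLOV3ybwLozA/h8=
++github.com/containers/storage v1.55.1/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
+github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE=
+github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8=
+github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
+diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml
+index 50b98761694a..49a6e33b7014 100644
+--- a/vendor/github.com/containers/storage/.cirrus.yml
++++ b/vendor/github.com/containers/storage/.cirrus.yml
+@@ -120,7 +120,7 @@ lint_task:
+env:
+CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
+container:
+- image: golang
++ image: golang:1.21
+modules_cache:
+fingerprint_script: cat go.sum
+folder: $GOPATH/pkg/mod
+diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION
+index 094d6ad00ce7..6570a6d0dd76 100644
+--- a/vendor/github.com/containers/storage/VERSION
++++ b/vendor/github.com/containers/storage/VERSION
+@@ -1 +1 @@
+-1.55.0
++1.55.1
+diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
+index 57120731be57..09919394c026 100644
+--- a/vendor/github.com/containers/storage/userns.go
++++ b/vendor/github.com/containers/storage/userns.go
+@@ -1,18 +1,21 @@
++//go:build linux
++
+package storage
+
+import (
+"fmt"
+"os"
+"os/user"
+- "path/filepath"
+"strconv"
+
+drivers "github.com/containers/storage/drivers"
+"github.com/containers/storage/pkg/idtools"
+"github.com/containers/storage/pkg/unshare"
+"github.com/containers/storage/types"
++ securejoin "github.com/cyphar/filepath-securejoin"
+libcontainerUser "github.com/moby/sys/user"
+"github.com/sirupsen/logrus"
++ "golang.org/x/sys/unix"
+)
+
+// getAdditionalSubIDs looks up the additional IDs configured for
+@@ -85,40 +88,59 @@ const nobodyUser = 65534
+// parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
+// /etc/group files.
+func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
++ var (
++ passwd *os.File
++ group *os.File
++ size int
++ err error
++ )
+if passwdFile == "" {
+- passwdFile = filepath.Join(containerMount, "etc/passwd")
+- }
+- if groupFile == "" {
+- groupFile = filepath.Join(groupFile, "etc/group")
++ passwd, err = secureOpen(containerMount, "/etc/passwd")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ passwd, err = os.Open(passwdFile)
+}
+-
+- size := 0
+-
+- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
+if err == nil {
+- for _, u := range users {
+- // Skip the "nobody" user otherwise we end up with 65536
+- // ids with most images
+- if u.Name == "nobody" {
+- continue
+- }
+- if u.Uid > size && u.Uid != nobodyUser {
+- size = u.Uid
+- }
+- if u.Gid > size && u.Gid != nobodyUser {
+- size = u.Gid
++ defer passwd.Close()
++
++ users, err := libcontainerUser.ParsePasswd(passwd)
++ if err == nil {
++ for _, u := range users {
++ // Skip the "nobody" user otherwise we end up with 65536
++ // ids with most images
++ if u.Name == "nobody" || u.Name == "nogroup" {
++ continue
++ }
++ if u.Uid > size && u.Uid != nobodyUser {
++ size = u.Uid + 1
++ }
++ if u.Gid > size && u.Gid != nobodyUser {
++ size = u.Gid + 1
++ }
+}
+}
+}
+
+- groups, err := libcontainerUser.ParseGroupFile(groupFile)
++ if groupFile == "" {
++ group, err = secureOpen(containerMount, "/etc/group")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ group, err = os.Open(groupFile)
++ }
+if err == nil {
+- for _, g := range groups {
+- if g.Name == "nobody" {
+- continue
+- }
+- if g.Gid > size && g.Gid != nobodyUser {
+- size = g.Gid
++ defer group.Close()
++
++ groups, err := libcontainerUser.ParseGroup(group)
++ if err == nil {
++ for _, g := range groups {
++ if g.Name == "nobody" || g.Name == "nogroup" {
++ continue
++ }
++ if g.Gid > size && g.Gid != nobodyUser {
++ size = g.Gid + 1
++ }
+}
+}
+}
+@@ -309,3 +331,14 @@ func getAutoUserNSIDMappings(
+gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
+return uidMap, gidMap, nil
+}
++
++// Securely open (read-only) a file in a container mount.
++func secureOpen(containerMount, file string) (*os.File, error) {
++ tmpFile, err := securejoin.OpenInRoot(containerMount, file)
++ if err != nil {
++ return nil, err
++ }
++ defer tmpFile.Close()
++
++ return securejoin.Reopen(tmpFile, unix.O_RDONLY)
++}
+diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
+new file mode 100644
+index 000000000000..e37c18fe4381
+--- /dev/null
++++ b/vendor/github.com/containers/storage/userns_unsupported.go
+@@ -0,0 +1,14 @@
++//go:build !linux
++
++package storage
++
++import (
++ "errors"
++
++ "github.com/containers/storage/pkg/idtools"
++ "github.com/containers/storage/types"
++)
++
++func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
++ return nil, nil, errors.New("user namespaces are not supported on this platform")
++}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 3d35b8be92d7..c0801a56b979 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -354,7 +354,7 @@ github.com/containers/psgo/internal/dev
+github.com/containers/psgo/internal/host
+github.com/containers/psgo/internal/proc
+github.com/containers/psgo/internal/process
+-# github.com/containers/storage v1.55.0
++# github.com/containers/storage v1.55.1
+## explicit; go 1.21
+github.com/containers/storage
+github.com/containers/storage/drivers
+--
+2.46.0
+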
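Review bot: In the `userns.go` hunk, `parseMountedFiles` now stores `size = u.Uid + 1`, `size = u.Gid + 1` and `size = g.Gid + 1` where the removed lines stored the bare id, so the value returned changes by one whenever a non-"nobody" entry sets the maximum; the patch description talks only about `filepath.Join` versus SecureJoin and does not mention this, and the unchanged doc comment `// parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and` is now wrong — it should say something like `// parseMountedFiles returns one more than the largest UID/GID found in /etc/passwd and /etc/group, i.e. the number of IDs the namespace must cover; "nobody"/"nogroup" entries are skipped.` In the new `secureOpen`, `OpenInRoot` plus `Reopen(tmpFile, unix.O_RDONLY)` addresses the symlink escape the patch targets, but nothing verifies that the resolved object is a regular file before it is handed to `ParsePasswd`/`ParseGroup`; an `fstat` on `tmpFile` that rejects anything but `S_IFREG` would keep an image whose `/etc/passwd` is a special file from blocking or confusing the read. Both `secureOpen` errors are still dropped silently (`if err == nil { ... }` with no else), which preserves the old best-effort behaviour but makes a failed secure open look identical to an empty passwd file; a `logrus.Debugf` in the else branch would make that distinguishable in support logs. `parseMountedFiles` continues past the end of the hunk.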
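--- a/_service
+++ b/_service
@@ -0,0 +1,16 @@
+<services>
+<service name="obs_scm" mode="manual">
+<param name="url">https://github.com/containers/podman.git</param>
+<param name="scm">git</param>
+<param name="revision">v5.2.4</param>
+<param name="versionformat">@PARENT_TAG@</param>
+<param name="changesgenerate">enable</param>
+<param name="versionrewrite-pattern">v(.*)</param>
+</service>
+<service mode="manual" name="set_version"/>
+<service name="tar" mode="buildtime"/>
+<service name="recompress" mode="buildtime">
+<param name="file">*.tar</param>
+<param name="compression">gz</param>
+</service>
+</services>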
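--- a/_servicedata
+++ b/_servicedata
@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+<param name="url">https://github.com/containers/podman.git</param>
+<param name="changesrevision">76d0859d9f6e5d7c84392da9dcd2fae3447f789d</param></service></servicedata>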
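--- a/podman-5.1.1.obscpio
+++ b/podman-5.1.1.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1cc6d2195d65f529b4169d96ac8dd20f4a832b314b990eb9faf9588cced425c9
+size 109453838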
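--- a/podman-5.1.2.obscpio
+++ b/podman-5.1.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86ae9f9404e0f605de8cb2f056dd61a8929038c4e6eecacb7b5fc903ad4f2471
+size 109458446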
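--- a/podman-5.2.0.obscpio
+++ b/podman-5.2.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af6c274fbcbd4b432e137f8ca0c43bd638d2a286bd3cb0a2455e05c22bb64a7a
+size 109566478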
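--- a/podman-5.2.2.obscpio
+++ b/podman-5.2.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1f2e5bd13e4c0ca13561fe124f44c93898450405ef15e93c6cce1d10d24105c2
+size 109693454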
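--- a/podman-5.2.4.obscpio
+++ b/podman-5.2.4.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d98c93f568b31cecc530b86cfd0078fb290f72ec0ab61649b63ca4407173a809
+size 109701646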
9746
podman.changes
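--- a/podman.conf
+++ b/podman.conf
@@ -0,0 +1,8 @@
+# Load br_netfilter module at boot
+br_netfilter
+# A rootless user has no permsissions to load iptables modules and these are not loaded by default.
+# netarvark defaults to iptables, but it will soon default to nftables.
+# CNI defaults to iptables.
+# If iptables is using nftables as a backend this might not be needed.
+ip_tables
+ip6_tables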
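--- a/podman.obsinfo
+++ b/podman.obsinfo
@@ -0,0 +1,4 @@
+name: podman
+version: 5.2.4
+mtime: 1728308549
+commit: 76d0859d9f6e5d7c84392da9dcd2fae3447f789d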
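--- a/podman.spec
+++ b/podman.spec
@@ -0,0 +1,274 @@
+#
+# spec file for package podman
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{!?_user_tmpfilesdir: %global _user_tmpfilesdir %{_datadir}/user-tmpfiles.d}
+%define project github.com/containers/podman
+
+%bcond_without apparmor
+
+Name: podman
+Version: 5.2.4
+Release: 0
+Summary: Daemon-less container engine for managing containers, pods and images
+License: Apache-2.0
+Group: System/Management
+URL: https://%{project}
+Source0: %{name}-%{version}.tar.gz
+Source1: podman.conf
+Patch0: 0001-Properly-validate-cache-IDs-and-sources.patch
+Patch1: 0002-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+BuildRequires: man
+BuildRequires: bash-completion
+BuildRequires: device-mapper-devel
+BuildRequires: fdupes
+BuildRequires: git-core
+BuildRequires: glib2-devel-static
+BuildRequires: glibc-devel-static
+BuildRequires: go-go-md2man
+BuildRequires: golang-packaging
+%if %{with apparmor}
+BuildRequires: libapparmor-devel
+%endif
+BuildRequires: libassuan-devel
+BuildRequires: libbtrfs-devel
+BuildRequires: libcontainers-common
+BuildRequires: libgpgme-devel
+BuildRequires: libostree-devel
+BuildRequires: libseccomp-devel
+# at least go 1.18 is needed from go.mod
+BuildRequires: golang(API) >= 1.21
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(systemd)
+%if %{with apparmor}
+Recommends: apparmor-abstractions
+Recommends: apparmor-parser
+%endif
+# requirement for `podman machine`
+Recommends: gvisor-tap-vsock
+Requires: catatonit >= 0.1.7
+Requires: conmon >= 2.0.24
+Requires: fuse-overlayfs
+Requires: iptables
+Requires: libcontainers-common >= 20230214
+%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+# Build podman with CNI support for SLE-15-SP5 and lower
+Requires: (netavark or cni-plugins)
+# We still want users with fresh installation to start off
+# with Netavark but if they already have cni-plugins installed
+# and are attempting a migration, it's better to continue with cni
+Suggests: netavark
+%else
+Requires: netavark
+%endif
+# use crun on Tumbleweed & ALP for WASM support
+%if 0%{suse_version} >= 1600
+# crun is only available for selected archs (because of criu)
+%ifarch x86_64 aarch64 ppc64le armv7l armv7hl s390x
+Requires: crun
+%else
+Requires: runc >= 1.0.1
+%endif
+%else
+Requires: runc >= 1.0.1
+%endif
+Requires: passt
+Requires: timezone
+Suggests: katacontainers
+
+# deprecate unused podman-cni-config subpackage
+Provides: %{name}-cni-config = %{version}
+Obsoletes: %{name}-cni-config < 4.5.1
+
+%description
+Podman is a container engine for managing pods, containers, and container
+images.
+It is a standalone tool and it directly manipulates containers without the need
+of a container engine daemon.
+Podman is able to interact with container images create in buildah, cri-o, and
+skopeo, as they all share the same datastore backend.
+
+%prep
+%autosetup -p1
+
+%package remote
+Summary: Client for managing podman containers remotely
+Group: System/Management
+Conflicts: %{name} < 3.1.2
+Provides: podman:%{_bindir}/%{name}-remote
+
+%description remote
+This client allows controlling podman on a separate host, e.g. over SSH.
+
+%package docker
+Summary: Emulate Docker CLI using podman
+BuildArch: noarch
+Requires: %{name} = %{version}
+Conflicts: docker
+Conflicts: docker-ce
+Conflicts: docker-ee
+Conflicts: docker-latest
+Conflicts: moby-engine
+Provides: docker
+
+%description docker
+This package installs a script named docker that emulates the Docker CLI by
+executes podman commands, it also creates links between all Docker CLI man
+pages and %{name}.
+
+%package -n %{name}sh
+Summary: Confined login and user shell using %{name}
+Requires: %{name} = %{version}
+Provides: %{name}-%{name}sh = %{version}
+Provides: %{name}-shell = %{version}
+
+%description -n %{name}sh
+%{name}sh provides a confined login and user shell with access to volumes and
+capabilities specified in user quadlets.
+
+It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
+when `%{_bindir}/%{name}sh is set as a login shell or set as os.Args[0].
+
+%build
+# Build podman
+BUILDTAGS="$(hack/apparmor_tag.sh) \
+$(hack/btrfs_installed_tag.sh) \
+$(hack/btrfs_tag.sh) \
+$(hack/systemd_tag.sh) \
+$(hack/libsubid_tag.sh) \
+exclude_graphdriver_devicemapper \
+seccomp"
+
+%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+# Podman >= 5.0.0 disables CNI support by default,
+# update buildtags to build podman with CNI support
+# for SLE-15-SP5 and lower.
+BUILDTAGS="cni $BUILDTAGS"
+%endif
+
+BUILDFLAGS="-buildmode=pie" BUILDTAGS="$BUILDTAGS" PREFIX=%{_prefix} %make_build
+
+# Build manpages
+%make_build docs
+
+%check
+# Too many tests fail due to the restricted permissions in the build enviroment.
+# Updates must be tested manually.
+
+%install
+%make_install PREFIX=%{_prefix} LIBEXECDIR=%{_libexecdir} ETCDIR=%{_sysconfdir} \
+install.completions \
+install.docker
+
+# remove the user tmpfile on SLE/Leap as it cannot handle them
+%if 0%{?suse_version} == 1500
+rm %{buildroot}%{_user_tmpfilesdir}/podman-docker.conf
+%endif
+
+# Add podman modprobe.d drop-in config
+# https://bugzilla.redhat.com/show_bug.cgi?id=1703261
+mkdir -p %{buildroot}%{_prefix}/lib/modules-load.d
+install -m 0644 -t %{buildroot}%{_prefix}/lib/modules-load.d/ %{SOURCE1}
+
+%fdupes %{buildroot}/%{_datadir}
+%fdupes %{buildroot}/%{_systemd_util_dir}
+
+%files
+# Binaries
+%{_bindir}/podman
+# Manpages
+%{_mandir}/man1/podman*.1*
+%{_mandir}/man5/podman*.5*
+%{_mandir}/man5/quadlet*.5*
+%exclude %{_mandir}/man1/podman-remote*.1*
+# Configs
+%dir %{_prefix}/lib/modules-load.d
+%{_prefix}/lib/modules-load.d/podman.conf
+%{_tmpfilesdir}/podman.conf
+# Rootless port
+%dir %{_libexecdir}/podman
+%{_libexecdir}/podman/rootlessport
+%{_libexecdir}/podman/quadlet
+# Completion
+%{_datadir}/bash-completion/completions/podman
+%{_datadir}/zsh/site-functions/_podman
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/podman.fish
+%{_unitdir}/podman.service
+%{_unitdir}/podman.socket
+%{_unitdir}/podman-auto-update.service
+%{_unitdir}/podman-kube@.service
+%{_unitdir}/podman-restart.service
+%{_unitdir}/podman-auto-update.timer
+%{_unitdir}/podman-clean-transient.service
+%{_userunitdir}/podman.service
+%{_userunitdir}/podman.socket
+%{_userunitdir}/podman-auto-update.service
+%{_userunitdir}/podman-kube@.service
+%{_userunitdir}/podman-restart.service
+%{_userunitdir}/podman-auto-update.timer
+%{_userunitdir}/podman-clean-transient.service
+%{_systemdusergeneratordir}/podman-user-generator
+%{_systemdgeneratordir}/podman-system-generator
+%ghost /run/podman
+%license LICENSE
+
+%files remote
+%{_bindir}/podman-remote
+%{_mandir}/man1/podman-remote*.1*
+%{_datadir}/bash-completion/completions/podman-remote
+%{_datadir}/zsh/site-functions/_podman-remote
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/podman-remote.fish
+
+%files docker
+%{_bindir}/docker
+%{_tmpfilesdir}/podman-docker.conf
+%{_sysconfdir}/profile.d/%{name}-docker.*
+%if 0%{?suse_version} > 1500
+%{_user_tmpfilesdir}/podman-docker.conf
+%dir %{_user_tmpfilesdir}
+%endif
+
+%files -n %{name}sh
+%license LICENSE
+%doc README.md CONTRIBUTING.md install.md transfer.md
+%{_bindir}/%{name}sh
+
+%post docker
+%tmpfiles_create %{_tmpfilesdir}/podman-docker.conf
+
+%pre
+%service_add_pre podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+
+%post
+%service_add_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+%tmpfiles_create %{_tmpfilesdir}/podman.conf
+%systemd_user_post podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer
+
+%preun
+%service_del_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+%systemd_user_preun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+
+%postun
+%service_del_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+%systemd_user_postun podman.service podman.socket podman-auto-update.service podman-restart.service podman-auto-update.timer podman-clean-transient.service
+
+%changelog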
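Review bot: The comment `# at least go 1.18 is needed from go.mod` sits directly above `BuildRequires: golang(API) >= 1.21`, so the explanation and the requirement it annotates disagree; the `## explicit; go 1.21` entry for containers/storage in vendor/modules.txt (visible in Patch1's hunk) is the actual floor now, so the comment should become `# go >= 1.21 is required by go.mod and by the vendored containers/storage` or be dropped — podman's own go.mod is not on the page, so the exact upstream minimum is inferred. Only `Patch0:` and `Patch1:` are declared, while the package directory also carries `0001-Backport-fix-for-CVE-2024-6104.patch`, which is therefore never applied by `%autosetup -p1`; a comment next to the Patch lines recording whether that file is obsolete or pending would prevent it from being mistaken for an applied fix. Since `%check` is intentionally empty per its own comment, none of the CVE patches are exercised at build time, and the changelog entry for this submission should state how the fixes were verified manually.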