Commit Graph

96 Commits

Author SHA256 Message Date
Aleksa Sarai
a24734657f Accepting request 1165425 from home:cyphar:docker
- Update to runc v1.2.0~rc1. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.1>.
- Remove upstreamed patches.
  - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch

OBS-URL: https://build.opensuse.org/request/show/1165425
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=158
2024-04-05 06:50:38 +00:00
Aleksa Sarai
25576708db Accepting request 1159948 from home:cyphar:docker
- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
  properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
  + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch

OBS-URL: https://build.opensuse.org/request/show/1159948
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=156
2024-03-21 03:51:32 +00:00
Aleksa Sarai
54c41d7982 Accepting request 1143138 from home:cyphar:docker
- Update to runc v1.1.12. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894

  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
    more details, see the upstream security advisory:
    <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  * Remove upstreamed patches:
    - CVE-2024-21626.patch
  * Update runc.keyring to match upstream changes.

OBS-URL: https://build.opensuse.org/request/show/1143138
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=154
2024-01-31 20:38:35 +00:00
Aleksa Sarai
0279533c6d Accepting request 1136046 from home:cyphar:docker
- Update to runc v1.1.11. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.11>.

OBS-URL: https://build.opensuse.org/request/show/1136046
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=152
2024-01-02 03:04:06 +00:00
691094bc2c Accepting request 1121545 from home:cyphar:docker
- Update to runc v1.1.10. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.10>.

OBS-URL: https://build.opensuse.org/request/show/1121545
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=150
2023-11-07 10:34:07 +00:00
Aleksa Sarai
52d7f59d38 Accepting request 1109204 from home:danishprakash:branches:Virtualization:containers
Update to runc v1.1.9

OBS-URL: https://build.opensuse.org/request/show/1109204
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=148
2023-09-14 01:52:09 +00:00
Aleksa Sarai
dd0d62df2d Accepting request 1099531 from home:cyphar:docker
- Update to runc v1.1.8. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

OBS-URL: https://build.opensuse.org/request/show/1099531
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=146
2023-07-19 14:09:53 +00:00
Aleksa Sarai
58b3271d74 Accepting request 1083238 from home:cyphar:docker
- Update to runc v1.1.7. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
- Update runc.keyring to upstream version.

OBS-URL: https://build.opensuse.org/request/show/1083238
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=144
2023-04-27 09:57:52 +00:00
Aleksa Sarai
27f875d150 Accepting request 1079875 from home:cyphar:docker
Fix bugzilla references for /dev/null issues bsc#1168481 and bsc#1207004.

OBS-URL: https://build.opensuse.org/request/show/1079875
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=142
2023-04-17 09:46:28 +00:00
Aleksa Sarai
f97e1d6ae2 Accepting request 1078553 from home:cyphar:docker
- Update to runc v1.1.6. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.6>.

OBS-URL: https://build.opensuse.org/request/show/1078553
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=140
2023-04-12 04:25:25 +00:00
Aleksa Sarai
e6cfba71b6 Accepting request 1075227 from home:cyphar:docker
Add bsc references for CVEs.
   - CVE-2023-25809 bsc#1209884
   - CVE-2023-27561 bsc#1208962
   - CVE-2023-28642 bsc#1209888

OBS-URL: https://build.opensuse.org/request/show/1075227
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=138
2023-03-29 13:06:28 +00:00
Aleksa Sarai
861dacb77e Accepting request 1075138 from home:cyphar:docker
- Drop version-specific Go requirement.

OBS-URL: https://build.opensuse.org/request/show/1075138
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=137
2023-03-29 07:14:02 +00:00
Aleksa Sarai
c123e1fb6f Accepting request 1075135 from home:cyphar:docker
- Update to runc v1.1.5. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
  CVE-2023-25809 CVE-2023-27561 CVE-2023-28642

  * Fix the inability to use `/dev/null` when inside a container.
  * Fix changing the ownership of host's `/dev/null` caused by fd redirection
    (a regression in 1.1.1). bsc#1168481
  * Fix rare runc exec/enter unshare error on older kernels.
  * nsexec: Check for errors in `write_log()`.

OBS-URL: https://build.opensuse.org/request/show/1075135
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=136
2023-03-29 07:12:21 +00:00
Aleksa Sarai
278167ae42 Accepting request 1005073 from home:cyphar:docker
Add bugzilla reference bsc#1202021

OBS-URL: https://build.opensuse.org/request/show/1005073
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=134
2022-09-21 00:34:33 +00:00
4e052b1a32 Accepting request 1000448 from home:favogt:branches:Virtualization:containers
- Update to runc v1.1.4. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.4.
  * Fix mounting via wrong proc fd. When the user and mount namespaces are
    used, and the bind mount is followed by the cgroup mount in the spec,
    the cgroup was mounted using the bind mount's mount fd.
  * Switch kill() in libcontainer/nsenter to sane_kill().
  * Fix "permission denied" error from runc run on noexec fs.
  * Fix failed exec after systemctl daemon-reload. Due to a regression
    in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
    was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
    (boo#1202821)

OBS-URL: https://build.opensuse.org/request/show/1000448
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=132
2022-09-02 12:28:01 +00:00
Aleksa Sarai
f3dc3540c6 Accepting request 982018 from home:cyphar:docker
Fix bsc#1193436 reference.

OBS-URL: https://build.opensuse.org/request/show/982018
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=129
2022-06-10 09:28:15 +00:00
Aleksa Sarai
6859b36813 Accepting request 981401 from home:cyphar:docker
- Update to runc v1.1.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.3.
  (Includes a fix for bsc#1200088.)

  * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
    s390 and s390x. This solves the issue where syscalls the host kernel did not
    support would return `-EPERM` despite the existence of the `-ENOSYS` stub
    code (this was due to how s390x does syscall multiplexing).
  * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
    intended; this fix does not affect runc binary itself but is important for
    libcontainer users such as Kubernetes.
  * Inability to compile with recent clang due to an issue with duplicate
    constants in libseccomp-golang.
  * When using systemd cgroup driver, skip adding device paths that don't exist,
    to stop systemd from emitting warnings about those paths.
  * Socket activation was failing when more than 3 sockets were used.
  * Various CI fixes.
  * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
  * runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
  - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch

OBS-URL: https://build.opensuse.org/request/show/981401
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=128
2022-06-09 00:28:16 +00:00
Aleksa Sarai
2646e7a7bf Accepting request 978576 from home:cyphar:docker
Fix CVE references.

OBS-URL: https://build.opensuse.org/request/show/978576
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=126
2022-05-23 03:24:41 +00:00
Aleksa Sarai
5dd3f813f2 Accepting request 978574 from home:cyphar:docker
- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
  with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
  that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
  + bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Add ExcludeArch for s390 (not s390x) since we've never supported it.

OBS-URL: https://build.opensuse.org/request/show/978574
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=125
2022-05-23 03:15:57 +00:00
Aleksa Sarai
f194369665 Accepting request 976494 from home:cyphar:docker
- Update to runc v1.1.2. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.2.
  CVE-2022-24769

 * A bug was found in runc where runc exec --cap executed processes with
   non-empty inheritable Linux process capabilities, creating an atypical Linux
   environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
   CVE-2022-29162.
 * `runc spec` no longer sets any inheritable capabilities in the created
   example OCI spec (`config.json`) file.

OBS-URL: https://build.opensuse.org/request/show/976494
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=123
2022-05-11 23:03:17 +00:00
Aleksa Sarai
27f738c3d6 Accepting request 965511 from home:cyphar:docker
- Update to runc v1.1.1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.1.

  * runc run/start can now run a container with read-only /dev in OCI spec,
    rather than error out. (#3355)
  * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
    libcontainer systemd v2 manager no longer errors out if one of the files
    listed in /sys/kernel/cgroup/delegate do not exist in container's
    cgroup. (#3387, #3404)
  * Loosen OCI spec validation to avoid bogus "Intel RDT is not supported"
    error. (#3406)
  * libcontainer/cgroups no longer panics in cgroup v1 managers if stat
    of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

OBS-URL: https://build.opensuse.org/request/show/965511
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=121
2022-03-29 03:37:10 +00:00
Aleksa Sarai
6c8247dcfa Accepting request 947075 from home:cyphar:docker
- Update to runc v1.1.0. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.0.

  - libcontainer will now refuse to build without the nsenter package being
    correctly compiled (specifically this requires CGO to be enabled). This
    should avoid folks accidentally creating broken runc binaries (and
    incorrectly importing our internal libraries into their projects). (#3331)

OBS-URL: https://build.opensuse.org/request/show/947075
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=120
2022-01-17 22:51:56 +00:00
Aleksa Sarai
800a87e8ed Accepting request 940368 from home:cyphar:docker
- Update to runc v1.1.0~rc1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

  + Add support for RDMA cgroup added in Linux 4.11.
  * runc exec now produces exit code of 255 when the exec failed.
    This may help in distinguishing between runc exec failures
    (such as invalid options, non-running container or non-existent
    binary etc.) and failures of the command being executed.
  + runc run: new --keep option to skip removal exited containers artefacts.
    This might be useful to check the state (e.g. of cgroup controllers) after
    the container hasexited.
  + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
    (the latter is just an alias for SCMP_ACT_KILL).
  + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
    users to create sophisticated seccomp filters where syscalls can be
    efficiently emulated by privileged processes on the host.
  + checkpoint/restore: add an option (--lsm-mount-context) to set
    a different LSM mount context on restore.
  + intelrdt: support ClosID parameter.
  + runc exec --cgroup: an option to specify a (non-top) in-container cgroup
    to use for the process being executed.
  + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
    machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
    run/exec now adds the container to the appropriate cgroup under it).
  + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
    behaviour.
  + mounts: add support for bind-mounts which are inaccessible after switching
    the user namespace. Note that this does not permit the container any
    additional access to the host filesystem, it simply allows containers to
    have bind-mounts configured for paths the user can access but have
    restrictive access control settings for other users.
  + Add support for recursive mount attributes using mount_setattr(2). These
    have the same names as the proposed mount(8) options -- just prepend r
    to the option name (such as rro).
  + Add runc features subcommand to allow runc users to detect what features
    runc has been built with. This includes critical information such as
    supported mount flags, hook names, and so on. Note that the output of this
    command is subject to change and will not be considered stable until runc
    1.2 at the earliest. The runtime-spec specification for this feature is
    being developed in opencontainers/runtime-spec#1130.
  * system: improve performance of /proc/$pid/stat parsing.
  * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
    the ownership of certain cgroup control files (as per
    /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
    process.
  * runc checkpoint/restore: fixed for containers with an external bind mount
    which destination is a symlink.
  * cgroup: improve openat2 handling for cgroup directory handle hardening.
    runc delete -f now succeeds (rather than timing out) on a paused
    container.
  * runc run/start/exec now refuses a frozen cgroup (paused container in case of
    exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of
  the release.
- Drop runc-rpmlintrc because we don't have runc-test anymore.

OBS-URL: https://build.opensuse.org/request/show/940368
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=119
2021-12-14 05:24:53 +00:00
Aleksa Sarai
1eaf2f6f5b Accepting request 935874 from home:cyphar:docker
- Update to runc v1.0.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784

  * A potential vulnerability was discovered in runc (related to an internal
    usage of netlink), however upon further investigation we discovered that
    while this bug was exploitable on the master branch of runc, no released
    version of runc could be exploited using this bug. The exploit required
    being able to create a netlink attribute with a length that would overflow a
    uint16 but this was not possible in any released version of runc. For more
    information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.

    Due to an abundance of caution we decided to do an emergency release with
    this fix, but to reiterate we do not believe this vulnerability was
    possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
    discovering and reporting this vulnerability so quickly.
  * Fixed inability to start a container with read-write bind mount of a
    read-only fuse host mount.
  * Fixed inability to start when read-only /dev in set in spec.
  * Fixed not removing sub-cgroups upon container delete, when rootless cgroup
    v2 is used with older systemd.
  * Fixed returning error from GetStats when hugetlb is unsupported (which
    causes excessive logging for kubernetes).

OBS-URL: https://build.opensuse.org/request/show/935874
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=118
2021-12-06 04:44:55 +00:00
Aleksa Sarai
bcc52e4d46 Accepting request 913731 from home:cyphar:docker
- Update to runc v1.0.2. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.2

  * Fixed a failure to set CPU quota period in some cases on cgroup v1.
  * Fixed the inability to start a container with the "adding seccomp filter
    rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
    that has action equal to the default one). Such redundant rules are now
    skipped.
  * Made release builds reproducible from now on.
  * Fixed a rare debug log race in runc init, which can result in occasional
    harmful "failed to decode ..." errors from runc run or exec.
  * Fixed the check in cgroup v1 systemd manager if a container needs to be
    frozen before Set, and add a setting to skip such freeze unconditionally.
    The previous fix for that issue, done in runc 1.0.1, was not working.

OBS-URL: https://build.opensuse.org/request/show/913731
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=117
2021-08-23 09:40:05 +00:00
Aleksa Sarai
0d8a6b3c6e Accepting request 907285 from home:cyphar:docker
- Update to runc v1.0.1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.1

  * Fixed occasional runc exec/run failure ("interrupted system call") on an
    Azure volume.
  * Fixed "unable to find groups ... token too long" error with /etc/group
    containing lines longer than 64K characters.
  * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
    frozen. This is a regression in 1.0.0, not affecting runc itself but some
    of libcontainer users (e.g Kubernetes).
  * cgroupv2: bpf: Ignore inaccessible existing programs in case of
    permission error when handling replacement of existing bpf cgroup
    programs. This fixes a regression in 1.0.0, where some SELinux
    policies would block runc from being able to run entirely.
  * cgroup/systemd/v2: don't freeze cgroup on Set.
  * cgroup/systemd/v1: avoid unnecessary freeze on Set.

- Remove upstreamed patches:
  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch

OBS-URL: https://build.opensuse.org/request/show/907285
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=116
2021-07-20 09:40:45 +00:00
Aleksa Sarai
53ec3e1834 Accepting request 903342 from home:cyphar:docker
- Backport <https://github.com/opencontainers/runc/pull/3055> to fix issues
  with runc under openSUSE MicroOS's SELinux policy. boo#1187704
  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch

OBS-URL: https://build.opensuse.org/request/show/903342
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=114
2021-07-01 06:17:25 +00:00
0b604a862b Accepting request 901272 from home:cyphar:docker
- Update to runc v1.0.0. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0

  ! The usage of relative paths for mountpoints will now produce a warning
    (such configurations are outside of the spec, and in future runc will
    produce an error when given such configurations).

  * cgroupv2: devices: rework the filter generation to produce consistent
    results with cgroupv1, and always clobber any existing eBPF
    program(s) to fix runc update and avoid leaking eBPF programs
    (resulting in errors when managing containers).
  * cgroupv2: correctly convert "number of IOs" statistics in a
    cgroupv1-compatible way.
  * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
  * cgroupv2: wait for freeze to finish before returning from the freezing
    code, optimize the method for checking whether a cgroup is frozen.
  * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
  * cgroups/systemd: fixed returning "unit already exists" error from a systemd
    cgroup manager (regression in rc94)

  + cgroupv2: support SkipDevices with systemd driver
  + cgroup/systemd: return, not ignore, stop unit error from Destroy
  + Make "runc --version" output sane even when built with go get or
    otherwise outside of our build scripts.
  + cgroups: set SkipDevices during runc update (so we don't modify
    cgroups at all during runc update).
  + cgroup1: blkio: support BFQ weights.
  + cgroupv2: set per-device io weights if BFQ IO scheduler is available.

OBS-URL: https://build.opensuse.org/request/show/901272
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=113
2021-06-22 06:34:42 +00:00
Aleksa Sarai
ffc5721921 Accepting request 894285 from home:cyphar:docker
- Update to runc v1.0.0~rc95. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

  This release of runc contains a fix for CVE-2021-30465, and users are
  strongly recommended to update (especially if you are providing
  semi-limited access to spawn containers to untrusted users). bsc#1185405

OBS-URL: https://build.opensuse.org/request/show/894285
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=111
2021-05-19 10:09:39 +00:00
Aleksa Sarai
b43f769557 Accepting request 892389 from home:cyphar:docker
- Update to runc v1.0.0~rc94. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
  Breaking Changes:
  * cgroupv1: kernel memory limits are now always ignored, as kmemcg has
    been effectively deprecated by the kernel. Users should make use of regular
    memory cgroup controls.
  Regression Fixes:
  * seccomp: fix 32-bit compilation errors
  * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
  * runc start: fix "chdir to cwd: permission denied" for some setups
- Remove upstreamed patches:
  - 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch

OBS-URL: https://build.opensuse.org/request/show/892389
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=109
2021-05-12 08:08:56 +00:00
Aleksa Sarai
89808d395e Accepting request 888384 from home:cyphar:docker
- Backport patch to fix build on SLE-12 ppc64le.
  + 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch

OBS-URL: https://build.opensuse.org/request/show/888384
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=107
2021-04-26 08:00:58 +00:00
Aleksa Sarai
c0e255523d Accepting request 886957 from home:cyphar:docker
Add new BZ reference.

OBS-URL: https://build.opensuse.org/request/show/886957
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=105
2021-04-20 10:41:16 +00:00
Aleksa Sarai
23b10a8174 Accepting request 876332 from home:cyphar:docker
Add BZ reference.

OBS-URL: https://build.opensuse.org/request/show/876332
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=103
2021-03-03 03:06:45 +00:00
Aleksa Sarai
153f71ec48 Accepting request 869056 from home:cyphar:docker
runc 1.0.0-rc93 update.

OBS-URL: https://build.opensuse.org/request/show/869056
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=101
2021-02-04 00:26:20 +00:00
Aleksa Sarai
819ff378e5 - Update to Docker 20.10.3-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284
- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
  the upstream runc package (it's stable enough and Docker no longer pins git
  versions). docker-libnetwork is so unstable that it doesn't have any
  versioning scheme and so it really doesn't make sense to maintain the project
  as a separate package. bsc#1181641 bsc#1181677

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=100
2021-02-02 22:19:53 +00:00
Aleksa Sarai
5039dc9cd9 Accepting request 830206 from home:rhafer:branches:Virtualization:containers
- Upgrade to runc v1.0.0~rc92 (bsc#1175821). Upstream changelog is
  available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
  * Updates to CRIU support.
  * Improvements to cgroupfs performance and correctness.

OBS-URL: https://build.opensuse.org/request/show/830206
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=98
2020-08-29 09:35:30 +00:00
Aleksa Sarai
efa986a2bb Accepting request 818188 from home:cyphar:docker
- Upgrade to runc v1.0.0~rc91. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91

  * This release of runc has experimental support for cgroupv2-only systems.

- Remove upstreamed patches:
  - bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
  - bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch

OBS-URL: https://build.opensuse.org/request/show/818188
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=96
2020-07-02 01:50:30 +00:00
Aleksa Sarai
5dbfe9576f Accepting request 804873 from home:cyphar:docker
- Backport https://github.com/opencontainers/runc/pull/2391 to help fix
  bsc#1168481.
  + bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch

OBS-URL: https://build.opensuse.org/request/show/804873
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=94
2020-05-13 07:16:34 +00:00
Aleksa Sarai
f91cfb6e11 Accepting request 793807 from home:rhafer:branches:Virtualization:containers
- Renamed patch:
  0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
  to
  bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch

- Added fix for bsc#1149954
  * 0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
    (cherry pick of https://github.com/opencontainers/runc/pull/1807)

OBS-URL: https://build.opensuse.org/request/show/793807
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=92
2020-04-14 10:22:21 +00:00
Aleksa Sarai
4cc7da61f8 Accepting request 766566 from home:iznogood:branches:Virtualization:containers
- Change packagewide go version to be greater or equal to 1.10.

OBS-URL: https://build.opensuse.org/request/show/766566
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=90
2020-02-04 02:30:22 +00:00
Aleksa Sarai
189d2c49bd Accepting request 766724 from home:cyphar:docker
runc 1.0.0-rc10 update

OBS-URL: https://build.opensuse.org/request/show/766724
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=88
2020-01-24 03:07:47 +00:00
Aleksa Sarai
da44978e96 Accepting request 765103 from home:cyphar:docker
- Update CVE-2019-19921 patch to match upstream PR.
  * CVE-2019-19921.patch

OBS-URL: https://build.opensuse.org/request/show/765103
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=86
2020-01-17 03:34:42 +00:00
Aleksa Sarai
a2c407c28a Accepting request 764682 from home:cyphar:docker
Add bug reference for CVE-2019-19921.

OBS-URL: https://build.opensuse.org/request/show/764682
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=84
2020-01-15 14:07:23 +00:00
Aleksa Sarai
066a3bfeaa Accepting request 764148 from home:cyphar:docker
- Add backported fix for CVE-2019-19921.
  + CVE-2019-19921.patch

OBS-URL: https://build.opensuse.org/request/show/764148
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=83
2020-01-14 04:49:43 +00:00
Aleksa Sarai
0f2a74731d Accepting request 735404 from home:cyphar:containers:maint
- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9
- Remove upstreamed patches:
  - CVE-2019-16884.patch

OBS-URL: https://build.opensuse.org/request/show/735404
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=81
2019-10-05 11:52:50 +00:00
Aleksa Sarai
58623da251 Accepting request 733834 from home:cyphar:containers:maint
Add reference to bsc#1152308.

OBS-URL: https://build.opensuse.org/request/show/733834
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=80
2019-09-28 11:41:04 +00:00
Aleksa Sarai
f3a10f34bd Accepting request 733478 from home:cyphar:containers:maint
- Add backported fix for CVE-2019-16884.
  + CVE-2019-16884.patch
- Add runc-rpmlintrc to drop runc-test rpmlint warnings.

OBS-URL: https://build.opensuse.org/request/show/733478
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=76
2019-09-26 15:15:16 +00:00
Aleksa Sarai
48d20bc916 Accepting request 699412 from home:cyphar:runc
- Upgrade to runc v1.0.0~rc8. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc8
- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).
- Remove upstreamed patches:
  - CVE-2019-5736.patch

OBS-URL: https://build.opensuse.org/request/show/699412
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=74
2019-04-29 12:05:18 +00:00
Aleksa Sarai
ba0b485e9f Accepting request 674111 from home:cyphar:cve-2019-5736
- Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec
  to avoid write attacks to the host runc binary). bsc#1121967
  + CVE-2019-5736.patch

OBS-URL: https://build.opensuse.org/request/show/674111
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=72
2019-02-12 14:09:26 +00:00
Aleksa Sarai
d568e44ecc Accepting request 660132 from home:clee:branches:Virtualization:containers
- Update go requirements to >= go1.10 to fix
  * bsc#1118897 CVE-2018-16873
    go#29230 cmd/go: remote command execution during "go get -u"
  * bsc#1118898 CVE-2018-16874
    go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths
  * bsc#1118899 CVE-2018-16875
    go#29233 crypto/x509: CPU denial of service

OBS-URL: https://build.opensuse.org/request/show/660132
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=70
2018-12-20 11:15:05 +00:00