diff --git a/traefik-user.conf b/traefik-user.conf
new file mode 100644
index 0000000..ef76ecc
--- /dev/null
+++ b/traefik-user.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u traefik - "HTTP reverse proxy and load balancer" /etc/traefik -
+m traefik traefik
diff --git a/traefik-v3.1.0.src.tar.gz b/traefik-v3.1.0.src.tar.gz
deleted file mode 100644
index c595e5a..0000000
--- a/traefik-v3.1.0.src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:266091d5c477afd8814bf0a94e07e79044f8e6092b71930b09cfa3046ef67b4e
-size 11490625
diff --git a/traefik-v3.1.2.src.tar.gz b/traefik-v3.1.2.src.tar.gz
new file mode 100644
index 0000000..0ac3c64
--- /dev/null
+++ b/traefik-v3.1.2.src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8cada1d42e2fad4cbe15b75e8db21647b520ffd49dd09814cc1131c3fe02d00
+size 11491439
diff --git a/traefik.changes b/traefik.changes
index 4bb68c5..aa8f510 100644
--- a/traefik.changes
+++ b/traefik.changes
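Review bot: The `u traefik` line in traefik-user.conf sets the account's home to `/etc/traefik`, and together with `WorkingDirectory=~` in traefik.service, the `chown -R traefik:` in the spec's `%post` and `%defattr(0660, traefik, traefik, 0750)` in `%files`, this gives the network-facing service write access to its own configuration, including `traefik.yml` and `conf.d`. A compromised proxy process could then change the configuration it is started with, which weakens the privilege drop this commit is introducing. Consider a separate state directory for the home and the ACME storage, for example `u traefik - "HTTP reverse proxy and load balancer" /var/lib/traefik -`, and keep `/etc/traefik` owned by `root:traefik` with read-only group access. The `m traefik traefik` line looks redundant, since the `u` line already creates the matching primary group.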
@@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Wed Aug 7 08:03:10 UTC 2024 - Johannes Weberhofer
+
+- Fixed service-file: set working directory, so that the /etc/traefik/acme.json
+ file can be written in /etc/traefik/acme.json
+
+- Update to version 3.1.1
+ - Bug fixes:
+ * grpc: Bump google.golang.org/grpc to v1.64.1
+ * k8s/gatewayapi: Do not update route status when nothing changed
+ * metrics
+ - Fix grafana dashboard to work with scrape interval greater than 15s
+ - Update open connections gauge with connections count
+ - Use ServiceName in traefik_service_server_up metric
+ * docker: Update to github.com/docker/docker v27.1.1
+ * webui: Upgrade webui dependencies - fixes boo#1224308 and CVE-2024-4068
+
+-------------------------------------------------------------------
+Wed Jul 31 16:47:51 UTC 2024 - Johannes Weberhofer
+
+- Run traefik as traefik user, fixes boo#1227226
+- Added ACME confiuration template
+
+- Update to version 3.1.1
+ - Bug fixes:
+ * k8s/gatewayapi
+ - Do not update route status when nothing changed
+ * metrics
+ - Fix grafana dashboard to work with scrape interval greater than 15s
+ - Update open connections gauge with connections count
+ - Use ServiceName in traefik_service_server_up metric
+ - Updates
+
+- Fix for CVE-2024-6104, boo#1227059
+
 -------------------------------------------------------------------
 Mon Jul 15 17:22:18 UTC 2024 - Johannes Weberhofer
diff --git a/traefik.service b/traefik.service
index 47bbefe..768ff25 100644
--- a/traefik.service
+++ b/traefik.service
@@ -9,6 +9,8 @@ AssertPathExists=/etc/traefik/traefik.yml
 [Service]
 Type=notify
 ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.yml
+User=traefik
+WorkingDirectory=~
 Restart=always
 WatchdogSec=1s
 PrivateTmp=true
diff --git a/traefik.spec b/traefik.spec
index 87e252f..bf79acb 100644
--- a/traefik.spec
+++ b/traefik.spec
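Review bot: With `User=traefik` in the traefik.service hunk, the process no longer starts as root, so any entry point configured on a port below 1024 will fail to bind unless the unit grants that capability. Nothing in the visible lines does, though the [Service] section continues past the end of the hunk. If it is not set further down, add `AmbientCapabilities=CAP_NET_BIND_SERVICE`, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` next to `User=traefik`. That keeps the privilege drop while limiting the process to the single capability it needs.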
@@ -23,7 +23,7 @@
 %define buildmode pie
 %endif
 Name: traefik
-Version: 3.1.0
+Version: 3.1.2
 Release: 0
 Summary: The Cloud Native Application Proxy
 License: MIT
@@ -33,14 +33,19 @@ URL: https://traefik.io/
 # download the source files and create the vendor tarball with "osc service mr"
 Source0: https://github.com/traefik/traefik/releases/download/v%{version}/%{name}-v%{version}.src.tar.gz
 Source1: vendor.tar.gz
-Source2: traefik.service
-Source3: traefik.yml
+Source2: %{name}.service
+Source3: %{name}.yml
+Source4: %{name}-user.conf
 BuildRequires: go-bindata
 BuildRequires: golang-packaging
 BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
 BuildRequires: (golang(API) >= 1.22)
 Recommends: podman
 Conflicts: traefik2
+Provides: group(%{name})
+Provides: user(%{name})
+%sysusers_requires
 %{?systemd_requires}
 %{go_provides}
@@ -57,6 +62,7 @@ Pointing Traefik at your orchestrator should be the only configuration step you
 %autopatch -p1
 %build
+%sysusers_generate_pre %{SOURCE4} %{name} %{name}-user.conf
 %{goprep} %{project}
 # see script/generate
 go generate
@@ -74,6 +80,9 @@ CGO_ENABLED=1 GOGC=off go build \
 ./cmd/traefik
 %install
+# system user
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{name}-user.conf
+
 install -d %{buildroot}/%{_sbindir}
 install -D -p -m 0755 %{name} %{buildroot}%{_bindir}/%{name}
@@ -88,12 +97,14 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{name}/conf.d
 # logging
 mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
-%pre
+%pre -f %{name}.pre
 %service_add_pre %{name}.service
 %post
 %service_add_post %{name}.service
 %{fillup_only -n %{name}}
+# fix ownership for config and logging directory
+chown -R traefik: %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name}
 %preun
 %service_del_preun %{name}.service
@@ -102,6 +113,8 @@ mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
 %service_del_postun %{name}.service
 %files
+%{_sysusersdir}/%{name}-user.conf
+
 %license LICENSE.md
 %doc README.md SECURITY.md CONTRIBUTING.md
 %{_bindir}/%{name}
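Review bot: The `chown -R traefik: ...` added to `%post` runs as root on every install and upgrade, over two trees that the traefik account can write to once this change is in place. A recursive ownership change by root over a directory that an unprivileged account controls is a known packaging hazard, because links created there can cause unrelated files to change owner on systems where `fs.protected_hardlinks` is off. It also silently resets any ownership an administrator chose for files under `/etc/traefik`. The packaged paths already get their owner from `%defattr` in `%files`, so if the scriptlet is only needed to migrate root-owned logs from older installs, it could be narrowed to `chown -R traefik: %{_localstatedir}/log/%{name}`.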
@@ -109,10 +122,11 @@ mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
 %{_unitdir}/%{name}.service
 %{_sbindir}/rc%{name}
+%defattr(0660, traefik, traefik, 0750)
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/conf.d
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.yml
-%attr(750,root,root) %dir %{_localstatedir}/log/%{name}
+%dir %{_localstatedir}/log/%{name}
 %changelog
diff --git a/traefik.yml b/traefik.yml
index c5fcb18..f1818dc 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -138,3 +138,16 @@ providers:
 # Default: false
 watch: true
+# --------------------------------------------------------------------------
+# ACME Certificate Resolvers configuration
+# Default: not configured
+# https://doc.traefik.io/traefik/https/acme/
+# --------------------------------------------------------------------------
+#certificatesResolvers:
+# letsencryptResolver:
+# acme:
+# email: your@email
+# storage: /etc/traefik/acme.json
+# httpChallenge:
+# entryPoint: web
+
diff --git a/vendor.tar.gz b/vendor.tar.gz
index 9ad4841..b3b6c29 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:324efd6afb1f541d5c4f11e46ede555b9ba6c04312a199b15e015cd2e6c1ec52
-size 23173814
+oid sha256:3e0427bab18e00c659433a0650bb27731acc18f54308005fb8fb2d8181230d41
+size 23188316
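Review bot: The commented ACME template in traefik.yml points `storage` at `/etc/traefik/acme.json` without saying that this file will hold the ACME account key and the private keys of the issued certificates. A one-line comment above the `storage` entry would help administrators who uncomment the block, for example `# acme.json contains private keys: keep it mode 0600 and owned by the traefik user`. As far as I know Traefik itself rejects a storage file with looser permissions, so the comment would also explain that start-up error.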