Accepting request 883793 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/883793
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/umoci?expand=0&rev=17
Richard Brown 2021-04-10 13:26:11 +00:00 committed by Git OBS Bridge
commit 642af8aef7
7 changed files with 361 additions and 287 deletions

@ -0,0 +1,30 @@
From ed20cebfec648920c59e0988aceeef7dfd646558 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 8 Apr 2021 18:55:40 +1000
Subject: [PATCH] makefile: fix bad build flags
Fix mistake in the Makefile which prevents the version field (as well as
some other build flags) from being passed to "go build".
Fixes: 6fbd32e48b66 ("Make Makefile more portable")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index d760e9289033..1fdcf650f4f9 100644
--- a/Makefile
+++ b/Makefile
@@ -71,7 +71,7 @@ BASE_LDFLAGS := -s -w -X ${PROJECT}.gitCommit=${COMMIT} -X ${PROJECT}.version=${
# Specific build flags for build type.
ifeq ($(GOOS), linux)
- TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test" DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
+ DYN_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS}"
TEST_BUILD_FLAGS := ${BASE_FLAGS} -buildmode=pie -ldflags "${BASE_LDFLAGS} -X ${PROJECT}/pkg/testutils.binaryType=test"
else
DYN_BUILD_FLAGS := ${BASE_FLAGS} -ldflags "${BASE_LDFLAGS}"
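Review bot: the removed line at the top of this hunk runs the `TEST_BUILD_FLAGS` and `DYN_BUILD_FLAGS` assignments together on a single line, so inside the `ifeq ($(GOOS), linux)` branch `DYN_BUILD_FLAGS` was never assigned on its own and the normal build ran without `-ldflags "${BASE_LDFLAGS}"`, which is where the `-X ${PROJECT}.version=...` value shown in the hunk header is passed; splitting the two assignments is the right fix. Since the changelog entry in this request says KIWI depends on `umoci --version` producing sane output, a build-time check that the built binary reports the expected version (for example in the package's %check section) would make this class of regression fail the build instead of a downstream consumer.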
--
2.30.2

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d0b495ee61781c23ad9f0e1f431646cfd74fa10ca35f0547004c7b6cb9eb071b
size 1546000

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=q4px
-----END PGP SIGNATURE-----

umoci-0.4.7.tar.xz (Stored with Git LFS) Normal file: binary file not shown.

umoci-0.4.7.tar.xz.asc Normal file:

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----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=Q3Fv
-----END PGP SIGNATURE-----

@ -1,3 +1,41 @@
-------------------------------------------------------------------
Tue Apr 6 11:13:10 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147
A security flaw was found in umoci, and has been fixed in this release. If
umoci was used to unpack a malicious image (using either umoci unpack or
umoci raw unpack) that contained a symlink entry for /., umoci would apply
subsequent layers to the target of the symlink (resolved on the host
filesystem). This means that if you ran umoci as root, a malicious image
could overwrite any file on the system (assuming you didn't have any other
access control restrictions). Thanks to Robin Peraglie from Cure53 for
discovering this bug. CVE-2021-29136
Other changes in this release:
* umoci now compiles on FreeBSD and appears to work, with the notable
limitation that it currently refuses to extract non-Linux images on any
platform (this will be fixed in a future release).
* Initial fuzzer implementations for oss-fuzz.
* umoci will now read all trailing data from image layers, to combat the
existence of some image generators that appear to append NUL bytes to the
end of the gzip stream (which would previously cause checksum failures
because we didn't read nor checksum the trailing junk bytes). However,
umoci will still not read past the descriptor length.
* umoci now ignores all overlayfs xattrs during unpack and repack
operations, to avoid causing issues when packing a raw overlayfs
directory.
* For details, see CHANGELOG.md in the package.
- Backport patch to fix KIWI which depends on umoci having sane output from
"umoci --version". <https://github.com/opencontainers/umoci/pull/369>
+ 0001-makefile-fix-bad-build-flags.patch
-------------------------------------------------------------------
Thu Apr 1 05:36:50 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Re-disable s390 builds.
-------------------------------------------------------------------
Wed Jun 24 00:27:44 UTC 2020 - Aleksa Sarai <asarai@suse.com>
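Review bot: the CVE identifier is written twice in the v0.4.7 entry, once on the "Update to umoci v0.4.7" line and again at the end of the security paragraph; one mention on the header line is the usual form for a .changes entry, so the trailing repeat can go. The rest of the entry is what a packager needs to judge urgency: it names the trigger (a layer containing a symlink entry for /.), the effect (subsequent layers applied to the symlink target resolved on the host filesystem), and the precondition (umoci running as root without other access-control restrictions), and it records the backported 0001-makefile-fix-bad-build-flags.patch next to the reason it is needed.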
@ -80,8 +118,8 @@ Thu Aug 16 03:39:22 UTC 2018 - asarai@suse.com
* Add 'umoci insert' and 'umoci raw unpack'.
* 'umoci unpack' correctly handles out-of-order whiteouts now.
* 'umoci unpack' and 'umoci repack' make sure of a more optimised gzip
implementation now -- in some benchmarks 'umoci repack' can have a speedup
of up to 3x.
* For details, see CHANGELOG.md in the package.
-------------------------------------------------------------------
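Review bot: every line in this hunk (and in the hunks that follow it at -93, -152, -204, -260 and -344) shows identical text on the old and new side with equal line counts, so these hunks can only differ in whitespace. Whitespace cleanup of 2017 and 2018 entries mixed into the commit that carries the CVE-2021-29136 update makes the security-relevant part of the change harder to review; keeping such cleanups in a separate commit is preferable.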
@ -93,55 +131,55 @@ Wed Jun 13 13:06:39 UTC 2018 - dcassany@suse.com
Sat Mar 10 08:10:42 UTC 2018 - asarai@suse.com
- Update to umoci v0.4.0. Upstream changelog:
+ `umoci repack` now supports `--refresh-bundle` which will update the
OCI bundle's metadata (mtree and umoci-specific manifests) after packing
the image tag. This means that the bundle can be used as a base layer for
future diffs without needing to unpack the image again.
openSUSE/umoci#196
+ Added a website, and reworked the documentation to be better structured.
You can visit the website at [`umo.ci`][umo.ci]. openSUSE/umoci#188
+ Added support for the `user.rootlesscontainers` specification, which
allows for persistent on-disk emulation of `chown(2)` inside rootless
containers. This implementation is interoperable with [@AkihiroSuda's
`PRoot` fork][as-proot-fork] (though we do not test its interoperability
at the moment) as both tools use [the same protobuf
specification][rootlesscontainers-proto]. openSUSE/umoci#227
+ `umoci unpack` now has support for opaque whiteouts (whiteouts which
remove all children of a directory in the lower layer), though `umoci
repack` does not currently have support for generating them. While this
is technically a spec requirement, through testing we've never
encountered an actual user of these whiteouts. openSUSE/umoci#224
openSUSE/umoci#229
+ `umoci unpack` will now use some rootless tricks inside user namespaces
for operations that are known to fail (such as `mknod(2)`) while other
operations will be carried out as normal (such as `lchown(2)`). It should
be noted that the `/proc/self/uid_map` checking we do can be tricked into
not detecting user namespaces, but you would need to be trying to break
it on purpose. openSUSE/umoci#171 openSUSE/umoci#230
* Fix a bug in our "parent directory restore" code, which is responsible
for ensuring that the mtime and other similar properties of a directory
are not modified by extraction inside said directory. The bug would
manifest as xattrs not being restored properly in certain edge-cases
(which we incidentally hit in a test-case). openSUSE/umoci#161
openSUSE/umoci#162
* `umoci unpack` will now "clean up" the bundle generated if an error
occurs during unpacking. Previously this didn't happen, which made
cleaning up the responsibility of the caller (which was quite difficult
if you were unprivileged). This is a breaking change, but is in the error
path so it's not critical. openSUSE/umoci#174 openSUSE/umoci#187
* `umoci gc` now will no longer remove unknown files and directories that
aren't `flock(2)`ed, thus ensuring that any possible OCI image-spec
extensions or other users of an image being operated on will no longer
break. openSUSE/umoci#198
* `umoci unpack --rootless` will now correctly handle regular file
unpacking when overwriting a file that `umoci` doesn't have write access
to. In addition, the semantics of pre-existing hardlinks to a clobbered
file are clarified (the hard-links will not refer to the new layer's
inode). openSUSE/umoci#222 openSUSE/umoci#223
[as-proot-fork]: https://github.com/AkihiroSuda/runrootless
[rootlesscontainers-proto]: https://rootlesscontaine.rs/proto/rootlesscontainers.proto
[umo.ci]: https://umo.ci/
-------------------------------------------------------------------
Thu Feb 1 16:58:09 CET 2018 - ro@suse.de
@ -152,44 +190,44 @@ Thu Feb 1 16:58:09 CET 2018 - ro@suse.de
Wed Oct 4 02:52:51 UTC 2017 - asarai@suse.com
- Update to umoci v0.3.1. Upstream changelog:
- Fix several minor bugs in `hack/release.sh` that caused the release artefacts
to not match the intended style, as well as making it more generic so other
projects can use it. openSUSE/umoci#155 openSUSE/umoci#163
- A recent configuration issue caused `go vet` and `go lint` to not run as part
of our CI jobs. This means that some of the information submitted as part of
[CII best practices badging][cii] was not accurate. This has been corrected,
and after review we concluded that only stylistic issues were discovered by
static analysis. openSUSE/umoci#158
- 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
fixed, and we've added tests to our CI to ensure that something like this
won't go unnoticed in the future. openSUSE/umoci#157
- `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
would not cause issues when building an image (as we only create a manifest
of the final extracted rootfs), it would cause issues for other users of
`umoci`. openSUSE/umoci#166 openSUSE/umoci#169
- Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
bugs with manifest generation. openSUSE/umoci#176
- `umoci unpack` would not handle "weird" tar archive layers previously (it
would error out with DiffID errors). While this wouldn't cause issues for
layers generated using Go's `archive/tar` implementation, it would cause
issues for GNU gzip and other such tools.
- `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
interface change, to better match the [`user_namespaces(7)`][user_namespaces]
interfaces. Note that this is a **breaking change**, but the workaround is to
switch to the trivially different (but now more consistent) format.
openSUSE/umoci#167
- `umoci unpack` used to create the bundle and rootfs with world
read-and-execute permissions by default. This could potentially result in an
unsafe rootfs (containing dangerous setuid binaries for instance) being
accessible by an unprivileged user. This has been fixed by always setting the
mode of the bundle to `0700`, which requires a user to explicitly work around
this basic protection. This scenario was documented in our security
documentation previously, but has now been fixed. openSUSE/umoci#181
openSUSE/umoci#182
[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1
[user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
- Remove patch that has been applied upstream.
- i586-0001-fix-mis-usage-of-time.Unix.patch
@ -204,51 +242,51 @@ Tue Jul 25 10:42:54 UTC 2017 - asarai@suse.com
Sat Jul 22 15:57:44 UTC 2017 - asarai@suse.com
- Update to umoci v0.3.0. Upstream changelog:
- `umoci` now passes all of the requirements for the [CII best practices bading
program][cii]. openSUSE/umoci#134
- `umoci` also now has more extensive architecture, quick-start and roadmap
documentation. openSUSE/umoci#134
- `umoci` now supports [`1.0.0` of the OCI image
specification][ispec-v1.0.0] and [`1.0.0` of the OCI runtime
specification][rspec-v1.0.0], which are the first milestone release. Note
that there are still some remaining UX issues with `--image` and other parts
of `umoci` which may be subject to change in future versions. In particular,
this update of the specification now means that images may have ambiguous
tags. `umoci` will warn you if an operation may have an ambiguous result, but
we plan to improve this functionality far more in the future.
openSUSE/umoci#133 openSUSE/umoci#142
- `umoci` also now supports more complicated descriptor walk structures, and
also handles mutation of such structures more sanely. At the moment, this
functionality has not been used "in the wild" and `umoci` doesn't have the UX
to create such structures (yet) but these will be implemented in future
versions. openSUSE/umoci#145
- `umoci repack` now supports `--mask-path` to ignore changes in the rootfs
that are in a child of at least one of the provided masks when generating new
layers. openSUSE/umoci#127
- Error messages from `github.com/openSUSE/umoci/oci/cas/drivers/dir` actually
make sense now. openSUSE/umoci#121
- `umoci unpack` now generates `config.json` blobs according to the [still
proposed][ispec-pr492] OCI image specification conversion document.
openSUSE/umoci#120
- `umoci repack` also now automatically adding `Config.Volumes` from the image
configuration to the set of masked paths. This matches recently added
[recommendations by the spec][ispec-pr694], but is a backwards-incompatible
change because the new default is that `Config.Volumes` **will** be masked.
If you wish to retain the old semantics, use `--no-mask-volumes` (though make
sure to be aware of the reasoning behind `Config.Volume` masking).
openSUSE/umoci#127
- `umoci` now uses [`SecureJoin`][securejoin] rather than a patched version of
`FollowSymlinkInScope`. The two implementations are roughly equivalent, but
`SecureJoin` has a nicer API and is maintained as a separate project.
- Switched to using `golang.org/x/sys/unix` over `syscall` where possible,
which makes the codebase significantly cleaner. openSUSE/umoci#141
[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[rspec-v1.0.0]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0
[ispec-v1.0.0]: https://github.com/opencontainers/image-spec/releases/tag/v1.0.0
[ispec-pr492]: https://github.com/opencontainers/image-spec/pull/492
[ispec-pr694]: https://github.com/opencontainers/image-spec/pull/694
[securejoin]: https://github.com/cyphar/filepath-securejoin
-------------------------------------------------------------------
Wed Apr 12 09:46:18 UTC 2017 - jmassaguerpla@suse.com
@ -260,76 +298,76 @@ Wed Apr 12 09:46:18 UTC 2017 - jmassaguerpla@suse.com
Wed Apr 12 01:05:12 UTC 2017 - asarai@suse.com
- Update to umoci v0.2.1. Upstream changelog:
* `hack/release.sh` automates the process of generating all of the published
artefacts for releases. The new script also generates signed source code
archives. openSUSE/umoci#116
* `umoci` now outputs configurations that are compliant with [`v1.0.0-rc5` of
the OCI runtime-spec][rspec-v1.0.0-rc5]. This means that now you can use runc
v1.0.0-rc3 with `umoci` (and rootless containers should work out of the box
if you use a development build of runc). openSUSE/umoci#114
* `umoci unpack` no longer adds a dummy linux.seccomp entry, and instead just
sets it to null. openSUSE/umoci#114
[rspec-v1.0.0-rc5]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc5
- Add umoci.keyring to check signed archives on check-in and submission.
-------------------------------------------------------------------
Mon Apr 10 14:49:35 UTC 2017 - asarai@suse.com
- Update to umoci v0.2.0. Upstream changelog:
* `umoci` now has some automated scripts for generated RPMs that are used in
openSUSE to automatically submit packages to OBS. openSUSE/umoci#101
* `--clear=config.{cmd,entrypoint}` is now supported. While this interface is a
bit weird (`cmd` and `entrypoint` aren't treated atomically) this makes the
UX more consistent while we come up with a better `cmd` and `entrypoint` UX.
openSUSE/umoci#107
* New subcommand: `umoci raw runtime-config`. It generates the runtime-spec
config.json for a particular image without also unpacking the root
filesystem, allowing for users of `umoci` that are regularly parsing
`config.json` without caring about the root filesystem to be more efficient.
However, a downside of this approach is that some image-spec fields
(`Config.User`) require a root filesystem in order to make sense, which is
why this command is hidden under the `umoci-raw(1)` subcommand (to make sure
only users that understand what they're doing use it). openSUSE/umoci#110
* `umoci`'s `oci/cas` and `oci/config` libraries have been massively refactored
and rewritten, to allow for third-parties to use the OCI libraries. The plan
is for these to eventually become part of an OCI project. openSUSE/umoci#90
* The `oci/cas` interface has been modifed to switch from `*ispec.Descriptor`
to `ispec.Descriptor`. This is a breaking, but fairly insignificant, change.
openSUSE/umoci#89
* `umoci` now uses an updated version of `go-mtree`, which has a complete
rewrite of `Vis` and `Unvis`. The rewrite ensures that unicode handling is
handled in a far more consistent and sane way. openSUSE/umoci#88
* `umoci` used to set `process.user.additionalGids` to the "normal value" when
unpacking an image in rootless mode, causing issues when trying to actually
run said bundle with runC. openSUSE/umoci#109
-------------------------------------------------------------------
Fri Feb 10 18:03:27 UTC 2017 - asarai@suse.com
- Update to umoci v0.1.0. Upstream changelog:
* `CHANGELOG.md` has now been added. openSUSE/umoci#76
* `umoci` now supports `v1.0.0-rc4` images, which has made fairly minimal
changes to the schema (mainly related to `mediaType`s). While this change
**is** backwards compatible (several fields were removed from the schema, but
the specification allows for "additional fields"), tools using older versions
of the specification may fail to operate on newer OCI images. There was no UX
change associated with this update.
* `umoci tag` would fail to clobber existing tags, which was in contrast to how
the rest of the tag clobbering commands operated. This has been fixed and is
now consistent with the other commands. openSUSE/umoci#78
* `umoci repack` now can correctly handle unicode-encoded filenames, allowing
the creation of containers that have oddly named files. This required fixes
to go-mtree (where the issue was). openSUSE/umoci#80
-------------------------------------------------------------------
Tue Feb 7 22:25:56 UTC 2017 - jengelh@inai.de
@ -344,30 +382,30 @@ Mon Feb 6 17:06:05 UTC 2017 - asarai@suse.com
- Switch upstream channel to openSUSE's GitHub (where the project has been
moved).
- Update to umoci v0.0.0. Upstream changelog:
This is the first beta release of umoci, and it includes very few
changes from v0.0.0-rc3. However, at this point the UX is effectively
stable and umoci is properly tested. The (small) list of changes in this
release from -rc3 is:
* Static compilation now works properly. openSUSE/umoci#64
* 32-bit builds have been fixed, and now umoci works on 32-bit
architectures. openSUSE/umoci#70
* The unit tests can now be run inside the %check section of an rpmbuild
script, allowing for proper testing of packages when they are built on
openSUSE (and Fedora). openSUSE/umoci#65
* Unit tests have been massively expanded, as have the integration
tests. In addition, full coverage profiles (both unit and integration)
are generated to fully understand how much of the code is properly
tested. Currently it is at ~80%. openSUSE/umoci#68 openSUSE/umoci#69
* The logging output has been cleaned up to be much better for end-users
to read. It's also a lot less chatty now. openSUSE/umoci#73
* This project has now been moved to become an openSUSE project.
openSUSE/umoci#75
-------------------------------------------------------------------
Fri Dec 30 14:56:38 UTC 2016 - asarai@suse.com
@ -388,41 +426,41 @@ Tue Dec 20 08:10:00 UTC 2016 - asarai@suse.com
Mon Dec 19 12:57:31 UTC 2016 - asarai@suse.com Mon Dec 19 12:57:31 UTC 2016 - asarai@suse.com
- Update to umoci 0.0.0~rc3. Upstream changelog: - Update to umoci 0.0.0~rc3. Upstream changelog:
umoci has now gone a large amount of cleanup, and included the addition umoci has now gone a large amount of cleanup, and included the addition
of a few previously missing features. The main thing blocking a full of a few previously missing features. The main thing blocking a full
release is that manifest lists are still unsupported, and there are some release is that manifest lists are still unsupported, and there are some
upstream PRs that define some of umoci's operations that need to be upstream PRs that define some of umoci's operations that need to be
merged before umoci can be considered a compliant implementation. In merged before umoci can be considered a compliant implementation. In
addition, the logging library needs to be swapped (and the amount of addition, the logging library needs to be swapped (and the amount of
output reduced). output reduced).
Here's a short list of features added: Here's a short list of features added:
* xattr support for both packing and unpacking was added, in particular * xattr support for both packing and unpacking was added, in particular
this code also handles the issue of security.selinux. More policy this code also handles the issue of security.selinux. More policy
decisions need to be added, but those are being discussed upstream. decisions need to be added, but those are being discussed upstream.
cyphar/umoci#52 cyphar/umoci#49 cyphar/umoci#52 cyphar/umoci#49
* Ensure that environment variables have no duplicates. This ensures * Ensure that environment variables have no duplicates. This ensures
that umoci won't duplicate environment variables in either Config.Env that umoci won't duplicate environment variables in either Config.Env
or the extracted process.env. cyphar/umoci#30 or the extracted process.env. cyphar/umoci#30
* Add support for read-only CAS operations with a read-only filesystem. * Add support for read-only CAS operations with a read-only filesystem.
Previously, attempting to open an OCI image on a read-only filesystem Previously, attempting to open an OCI image on a read-only filesystem
would fail miserably, now you can do read-only operations without would fail miserably, now you can do read-only operations without
issue. cyphar/umoci#47 issue. cyphar/umoci#47
* Garbage collection now also garbage collects old tmpdirs, and other * Garbage collection now also garbage collects old tmpdirs, and other
garbage from inside an image layout. cyphar/umoci#17 garbage from inside an image layout. cyphar/umoci#17
* Output a helpful comment about --rootless if you're getting EPERMs. * Output a helpful comment about --rootless if you're getting EPERMs.
* Enable stack traces from an error if the --debug flag was applied to * Enable stack traces from an error if the --debug flag was applied to
umoci. This is a feature that hopefully will be added to pkg/errors umoci. This is a feature that hopefully will be added to pkg/errors
upstream. upstream.
* Cleanups to vendoring of go-mtree so that it's much more * Cleanups to vendoring of go-mtree so that it's much more
upstream-friendly. upstream-friendly.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 13 09:20:10 UTC 2016 - asarai@suse.com Tue Dec 13 09:20:10 UTC 2016 - asarai@suse.com
@ -435,60 +473,60 @@ Tue Dec 13 09:20:10 UTC 2016 - asarai@suse.com
Sun Dec 11 13:42:08 UTC 2016 - asarai@suse.com Sun Dec 11 13:42:08 UTC 2016 - asarai@suse.com
- Update to umoci 0.0.0-rc2. Upstream changelog: - Update to umoci 0.0.0-rc2. Upstream changelog:
umoci now has a stable UX, as well as proper documentation for the UX in umoci now has a stable UX, as well as proper documentation for the UX in
the form of generated man pages. Here's the full list of cool features: the form of generated man pages. Here's the full list of cool features:
* umoci v0.0.0-rc2 has support for rootless unpacking and repacking! * umoci v0.0.0-rc2 has support for rootless unpacking and repacking!
cyphar/umoci#26 cyphar/umoci#26
* It also has support for regular UID and GID mapping! cyphar/umoci#26 * It also has support for regular UID and GID mapping! cyphar/umoci#26
* Symlinks and other similarly tricky unpacking problems have been * Symlinks and other similarly tricky unpacking problems have been
resolved. All symlink path components are resolved inside the root resolved. All symlink path components are resolved inside the root
filesystem of the container during unpacking. cyphar/umoci#27 filesystem of the container during unpacking. cyphar/umoci#27
* Tag modification commands (such as umoci-tag(1), umoci-rm(1), * Tag modification commands (such as umoci-tag(1), umoci-rm(1),
umoci-ls(1)) have been implemented. cyphar/umoci#6 cyphar/umoci#40 umoci-ls(1)) have been implemented. cyphar/umoci#6 cyphar/umoci#40
* umoci-stat(1) has been implemented. Currently it only outputs history * umoci-stat(1) has been implemented. Currently it only outputs history
information, but this will change in the future. It has stable JSON information, but this will change in the future. It has stable JSON
output. cyphar/umoci#38 output. cyphar/umoci#38
* umoci-init(1) and umoci-new(1) have been implemented, allowing for the * umoci-init(1) and umoci-new(1) have been implemented, allowing for the
creation of entirely new images from scratch. cyphar/umoci#5 creation of entirely new images from scratch. cyphar/umoci#5
cyphar/umoci#42 cyphar/umoci#42
* umoci-repack(1) and umoci-config(1) now automatically generate history * umoci-repack(1) and umoci-config(1) now automatically generate history
entries (since the history is actually used by tooling like skopeo). In entries (since the history is actually used by tooling like skopeo). In
addition, the history mutation from umoci-config(1) has been removed addition, the history mutation from umoci-config(1) has been removed
because it was just unsafe. In order for users to be able to configure because it was just unsafe. In order for users to be able to configure
history entries' values, --history.* flags have been introduced. history entries' values, --history.* flags have been introduced.
cyphar/umoci# cyphar/umoci#
* umoci-unpack(1) now saves all of the important argument metadata * umoci-unpack(1) now saves all of the important argument metadata
provided to it inside the generated bundle. These saved arguments are provided to it inside the generated bundle. These saved arguments are
loaded by umoci-repack(1) to make the workflow much more sane. loaded by umoci-repack(1) to make the workflow much more sane.
* --image and --from arguments have been combined into skopeo-style * --image and --from arguments have been combined into skopeo-style
<path>[:<tag>] arguments to --image. cyphar/umoci#39 <path>[:<tag>] arguments to --image. cyphar/umoci#39
* Errors encountered during generation of a delta layer now are * Errors encountered during generation of a delta layer now are
correctly propagated. cyphar/umoci#33 correctly propagated. cyphar/umoci#33
* Hardlinks are now correctly unpacked as bone-fide hardlinks. * Hardlinks are now correctly unpacked as bone-fide hardlinks.
cyphar/umoci#25 cyphar/umoci#25
* Support for unpacking and configuring annotations (which is a * Support for unpacking and configuring annotations (which is a
v1.0.0-rc3 feature of the OCI image specification). There's still some v1.0.0-rc3 feature of the OCI image specification). There's still some
work to be done upstream in making the unpacking procedure specified work to be done upstream in making the unpacking procedure specified
but this is as good as you're going to get for a while. but this is as good as you're going to get for a while.
cyphar/umoci#43 cyphar/umoci#43
* umoci has full integration and unit testing. cyphar/umoci#12 * umoci has full integration and unit testing. cyphar/umoci#12
* umoci now has validation integration tests to ensure that at every * umoci now has validation integration tests to ensure that at every
stage of a test we could stop and still have a completely valid OCI stage of a test we could stop and still have a completely valid OCI
image and that every extracted bundle is a valid OCI runtime bundle. image and that every extracted bundle is a valid OCI runtime bundle.
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Dec 11 12:43:30 UTC 2016 - asarai@suse.com Sun Dec 11 12:43:30 UTC 2016 - asarai@suse.com
@ -1,7 +1,7 @@
# #
# spec file for package umoci # spec file for package umoci
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -20,7 +20,7 @@
%define project github.com/opencontainers/umoci %define project github.com/opencontainers/umoci
Name: umoci Name: umoci
Version: 0.4.6 Version: 0.4.7
Release: 0 Release: 0
Summary: Open Container Image manipulation tool Summary: Open Container Image manipulation tool
License: Apache-2.0 License: Apache-2.0
@ -29,11 +29,14 @@ URL: https://umo.ci
Source0: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz#/%{name}-%{version}.tar.xz Source0: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz#/%{name}-%{version}.tar.xz
Source1: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz.asc#/%{name}-%{version}.tar.xz.asc Source1: https://github.com/opencontainers/umoci/releases/download/v%{version}/umoci.tar.xz.asc#/%{name}-%{version}.tar.xz.asc
Source2: https://umo.ci/%{name}.keyring Source2: https://umo.ci/%{name}.keyring
# OPENSUSE-FIX-UPSTREAM: Backport of <https://github.com/opencontainers/umoci/pull/369>.
Patch1: 0001-makefile-fix-bad-build-flags.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: go-go-md2man
# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
# for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608 # for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608
BuildRequires: go-go-md2man
BuildRequires: go1.14 BuildRequires: go1.14
ExcludeArch: s390
%description %description
umoci modifies Open Container images. umoci is a manipulation tool for OCI umoci modifies Open Container images. umoci is a manipulation tool for OCI
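Review bot: the new `ExcludeArch: s390` line lands without any comment saying why the architecture is excluded, while the neighbouring BuildRequires in the same hunk carries a reason and a bug reference (bsc#1172608); put a one-line comment with the reason or bug number above it so the exclusion can be revisited when it no longer applies. Separately, moving `BuildRequires: go-go-md2man` below the "Due to a limitation in openSUSE's Go packaging" comment detaches that comment from the `BuildRequires: go1.14` line it explains, and the comment still says "require 1.13 exactly" while the line requires go1.14; keep go-go-md2man above the comment (or place the comment directly above go1.14) and update the version mentioned in the comment.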
@ -42,6 +45,8 @@ provided by the OCI.
%prep %prep
%setup -q %setup -q
# <https://github.com/opencontainers/umoci/pull/369>
%patch1 -p1
%build %build
export VERSION="$(cat ./VERSION)" export VERSION="$(cat ./VERSION)"
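Review bot: given that Patch1 is named 0001-makefile-fix-bad-build-flags.patch and the hunk exports VERSION immediately after applying it, the package now relies on those Makefile flags actually reaching `go build`; it would be worth a %check step that the built binary reports %{version} (for instance running it with `--version` and grepping for the version string) so the same kind of regression is caught at build time rather than after release. As a style point, the `# <https://github.com/opencontainers/umoci/pull/369>` comment above `%patch1 -p1` repeats the URL already given next to the Patch1 declaration; one reference is enough, and the Patch1 line is the conventional place for it.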