- Update to umoci v0.3.1. Upstream changelog:
- Fix several minor bugs in `hack/release.sh` that caused the release artefacts
to not match the intended style, as well as making it more generic so other
projects can use it. openSUSE/umoci#155 openSUSE/umoci#163
- A recent configuration issue caused `go vet` and `go lint` to not run as part
of our CI jobs. This means that some of the information submitted as part of
[CII best practices badging][cii] was not accurate. This has been corrected,
and after review we concluded that only stylistic issues were discovered by
static analysis. openSUSE/umoci#158
- 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
fixed, and we've added tests to our CI to ensure that something like this
won't go unnoticed in the future. openSUSE/umoci#157
- `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
would not cause issues when building an image (as we only create a manifest
of the final extracted rootfs), it would cause issues for other users of
`umoci`. openSUSE/umoci#166 openSUSE/umoci#169
- Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
bugs with manifest generation. openSUSE/umoci#176
- `umoci unpack` would not handle "weird" tar archive layers previously (it
would error out with DiffID errors). While this wouldn't cause issues for
layers generated using Go's `archive/tar` implementation, it would cause
issues for GNU gzip and other such tools.
- `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
interface change, to better match the [`user_namespaces(7)`][user_namespaces]
interfaces. Note that this is a **breaking change**, but the workaround is to
switch to the trivially different (but now more consistent) format.
openSUSE/umoci#167
- `umoci unpack` used to create the bundle and rootfs with world
read-and-execute permissions by default. This could potentially result in an
unsafe rootfs (containing dangerous setuid binaries for instance) being
accessible by an unprivileged user. This has been fixed by always setting the
mode of the bundle to `0700`, which requires a user to explicitly work around
this basic protection. This scenario was documented in our security
documentation previously, but has now been fixed. openSUSE/umoci#181 openSUSE/umoci#182
[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1
[user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
- Remove patch that has been applied upstream.
- i586-0001-fix-mis-usage-of-time.Unix.patch
OBS-URL: https://build.opensuse.org/request/show/531029
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=26
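
A defender-side check for the two `umoci unpack` permission fixes in the v0.3.1 entry above (set{uid,gid} preservation and the `0700` bundle mode), as an added example that is not umoci's or this package's own code. It assumes the unpacked layout `<bundle>/rootfs`; `AuditBundle` and the exit codes are hypothetical.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// AuditBundle (hypothetical) reports whether the bundle directory is open to
// group/other and lists set{uid,gid} regular files under <bundle>/rootfs.
func AuditBundle(bundle string) (exposed bool, setID []string, err error) {
	info, err := os.Lstat(bundle)
	if err != nil {
		return false, nil, err
	}
	exposed = info.Mode().Perm()&0o077 != 0 // mode 0700 leaves no bits in 0077
	root := filepath.Join(bundle, "rootfs")
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, werr error) error {
		if werr != nil {
			return werr
		}
		fi, ierr := d.Info() // describes the entry itself; symlinks are not followed
		if ierr != nil {
			return ierr
		}
		if fi.Mode().IsRegular() && fi.Mode()&(fs.ModeSetuid|fs.ModeSetgid) != 0 {
			rel, _ := filepath.Rel(root, p)
			setID = append(setID, rel)
		}
		return nil
	})
	return exposed, setID, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: auditbundle <bundle-dir>")
		os.Exit(2)
	}
	exposed, setID, err := AuditBundle(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit:", err)
		os.Exit(1)
	}
	fmt.Printf("exposed=%v setid-files=%v\n", exposed, setID)
	if exposed && len(setID) > 0 {
		os.Exit(3) // set-id files are reachable by other local users
	}
}
```

Exit status 3 marks the combination the changelog entry warns about: a bundle readable by others that also contains set-id files.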
- Update to umoci v0.3.0. Upstream changelog:
- `umoci` now passes all of the requirements for the [CII best practices badging
program][cii]. openSUSE/umoci#134
- `umoci` also now has more extensive architecture, quick-start and roadmap
documentation. openSUSE/umoci#134
- `umoci` now supports [`1.0.0` of the OCI image
specification][ispec-v1.0.0] and [`1.0.0` of the OCI runtime
specification][rspec-v1.0.0], which are the first milestone releases. Note
that there are still some remaining UX issues with `--image` and other parts
of `umoci` which may be subject to change in future versions. In particular,
this update of the specification now means that images may have ambiguous
tags. `umoci` will warn you if an operation may have an ambiguous result, but
we plan to improve this functionality far more in the future.
openSUSE/umoci#133 openSUSE/umoci#142
- `umoci` also now supports more complicated descriptor walk structures, and
also handles mutation of such structures more sanely. At the moment, this
functionality has not been used "in the wild" and `umoci` doesn't have the UX
to create such structures (yet) but these will be implemented in future
versions. openSUSE/umoci#145
- `umoci repack` now supports `--mask-path` to ignore changes in the rootfs
that are in a child of at least one of the provided masks when generating new
layers. openSUSE/umoci#127
- Error messages from `github.com/openSUSE/umoci/oci/cas/drivers/dir` actually
make sense now. openSUSE/umoci#121
- `umoci unpack` now generates `config.json` blobs according to the [still
proposed][ispec-pr492] OCI image specification conversion document.
openSUSE/umoci#120
- `umoci repack` also now automatically adds `Config.Volumes` from the image
configuration to the set of masked paths. This matches recently added
[recommendations by the spec][ispec-pr694], but is a backwards-incompatible
change because the new default is that `Config.Volumes` **will** be masked.
If you wish to retain the old semantics, use `--no-mask-volumes` (though make
sure to be aware of the reasoning behind `Config.Volume` masking).
openSUSE/umoci#127
- `umoci` now uses [`SecureJoin`][securejoin] rather than a patched version of
`FollowSymlinkInScope`. The two implementations are roughly equivalent, but
`SecureJoin` has a nicer API and is maintained as a separate project.
- Switched to using `golang.org/x/sys/unix` over `syscall` where possible,
which makes the codebase significantly cleaner. openSUSE/umoci#141
[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[rspec-v1.0.0]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0
[ispec-v1.0.0]: https://github.com/opencontainers/image-spec/releases/tag/v1.0.0
[ispec-pr492]: https://github.com/opencontainers/image-spec/pull/492
[ispec-pr694]: https://github.com/opencontainers/image-spec/pull/694
[securejoin]: https://github.com/cyphar/filepath-securejoin
OBS-URL: https://build.opensuse.org/request/show/512069
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=23
- Update to umoci v0.2.0. Upstream changelog:
* `umoci` now has some automated scripts for generated RPMs that are used in
openSUSE to automatically submit packages to OBS. openSUSE/umoci#101
* `--clear=config.{cmd,entrypoint}` is now supported. While this interface is a
bit weird (`cmd` and `entrypoint` aren't treated atomically) this makes the
UX more consistent while we come up with a better `cmd` and `entrypoint` UX.
openSUSE/umoci#107
* New subcommand: `umoci raw runtime-config`. It generates the runtime-spec
config.json for a particular image without also unpacking the root
filesystem, allowing for users of `umoci` that are regularly parsing
`config.json` without caring about the root filesystem to be more efficient.
However, a downside of this approach is that some image-spec fields
(`Config.User`) require a root filesystem in order to make sense, which is
why this command is hidden under the `umoci-raw(1)` subcommand (to make sure
only users that understand what they're doing use it). openSUSE/umoci#110
* `umoci`'s `oci/cas` and `oci/config` libraries have been massively refactored
and rewritten, to allow for third-parties to use the OCI libraries. The plan
is for these to eventually become part of an OCI project. openSUSE/umoci#90
* The `oci/cas` interface has been modified to switch from `*ispec.Descriptor`
to `ispec.Descriptor`. This is a breaking, but fairly insignificant, change.
openSUSE/umoci#89
* `umoci` now uses an updated version of `go-mtree`, which has a complete
rewrite of `Vis` and `Unvis`. The rewrite ensures that unicode handling is
handled in a far more consistent and sane way. openSUSE/umoci#88
* `umoci` used to set `process.user.additionalGids` to the "normal value" when
unpacking an image in rootless mode, causing issues when trying to actually
run said bundle with runC. openSUSE/umoci#109
OBS-URL: https://build.opensuse.org/request/show/487107
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=18
- Update to umoci v0.1.0. Upstream changelog:
* `CHANGELOG.md` has now been added. openSUSE/umoci#76
* `umoci` now supports `v1.0.0-rc4` images, which has made fairly minimal
changes to the schema (mainly related to `mediaType`s). While this change
**is** backwards compatible (several fields were removed from the schema, but
the specification allows for "additional fields"), tools using older versions
of the specification may fail to operate on newer OCI images. There was no UX
change associated with this update.
* `umoci tag` would fail to clobber existing tags, which was in contrast to how
the rest of the tag clobbering commands operated. This has been fixed and is
now consistent with the other commands. openSUSE/umoci#78
* `umoci repack` now can correctly handle unicode-encoded filenames, allowing
the creation of containers that have oddly named files. This required fixes
to go-mtree (where the issue was). openSUSE/umoci#80
OBS-URL: https://build.opensuse.org/request/show/456113
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/umoci?expand=0&rev=8