forked from pool/flake-pilot

38 Commits

Author SHA256 Message Date
bc931f4ea3 See changes diff for details about the update.
This version is required for the public cloud team and transparent container support. Thanks
2025-10-01 16:48:44 +02:00
f963cf4c81 Accepting request 1293445 from Virtualization:Appliances:Builder
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1293445
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=13
2025-07-16 13:51:48 +00:00
60de9960aa - Bump version: 3.1.19 → 3.1.20
- Fix clippy hints
  variables can be used directly in the format! string

- Prune old images after load
  Make sure no <none> image references stay in the registry

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=50
2025-07-08 13:11:39 +00:00
d4f9253aab Accepting request 1288543 from Virtualization:Appliances:Builder
- Bump version: 3.1.18 → 3.1.19

- Fix CVE-2025-3416
  rebuild of the tool also inherits openssl in a version that
  fixes the above mentioned CVE. This fixes bsc#1242680

- Fix CVE-2025-5791
  Switch to uzers crate as actively maintained fork of the
  unmaintained users crate. This Fixes bsc#1244207

OBS-URL: https://build.opensuse.org/request/show/1288543
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=12
2025-06-26 09:39:17 +00:00
fb6b293254 - Bump version: 3.1.18 → 3.1.19
- Fix CVE-2025-3416
  rebuild of the tool also inherits openssl in a version that
  fixes the above mentioned CVE. This fixes bsc#1242680

- Fix CVE-2025-5791
  Switch to uzers crate as actively maintained fork of the
  unmaintained users crate. This Fixes bsc#1244207

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=48
2025-06-25 12:51:49 +00:00
710d0af805 Accepting request 1248634 from Virtualization:Appliances:Builder
- Fix firecracker requirement
  Require firecracker only for TW as it exists in no
  other version of SUSE. In case the firecracker-pilot
  is installed on a system that has no firecracker it
  must be installed to this system in an alternative
  way which is easily possible because firecracker
  is also a rust application only depending on libc

OBS-URL: https://build.opensuse.org/request/show/1248634
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=11
2025-02-26 16:24:19 +00:00
c8e0388b2c - Fix firecracker requirement
  Require firecracker only for TW as it exists in no
  other version of SUSE. In case the firecracker-pilot
  is installed on a system that has no firecracker it
  must be installed to this system in an alternative
  way which is easily possible because firecracker
  is also a rust application only depending on libc

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=46
2025-02-26 08:38:25 +00:00
68a59d43b2 Accepting request 1245362 from Virtualization:Appliances:Builder
- Bump version: 3.1.17 → 3.1.18

- Style fixes

- Fix error handling for container check methods
  The condition to setup permissions and redo the call
  was done when the exec of the call was not possible.
  But this is not the right place to check for a permission
  denied error. This commit fixes the evaluation of the
  error data

- Bump version: 3.1.16 → 3.1.17

- Don't use perform for bool status methods
  The perform() call checks the status code and raises an
  ExecutionError. This does not allow us to return a
  false boolean. Use output() call instead

- Bump version: 3.1.15 → 3.1.16

- No error return for bool method

- Bump version: 3.1.14 → 3.1.15

- Fix call for podman_setup_permissions
  Make sure podman_setup_permissions is only called if there
  is a permission problem detected.

OBS-URL: https://build.opensuse.org/request/show/1245362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=10
2025-02-12 20:38:26 +00:00
dc32226a2c - Bump version: 3.1.17 → 3.1.18
- Style fixes

- Fix error handling for container check methods
  The condition to setup permissions and redo the call
  was done when the exec of the call was not possible.
  But this is not the right place to check for a permission
  denied error. This commit fixes the evaluation of the
  error data

- Bump version: 3.1.16 → 3.1.17

- Don't use perform for bool status methods
  The perform() call checks the status code and raises an
  ExecutionError. This does not allow us to return a
  false boolean. Use output() call instead

- Bump version: 3.1.15 → 3.1.16

- No error return for bool method

- Bump version: 3.1.14 → 3.1.15

- Fix call for podman_setup_permissions
  Make sure podman_setup_permissions is only called if there
  is a permission problem detected.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=44
2025-02-11 20:46:04 +00:00
e8f198f535 - Bump version: 3.1.16 → 3.1.17
- Don't use perform for bool status methods
  The perform() call checks the status code and raises an
  ExecutionError. This does not allow us to return a
  false boolean. Use output() call instead

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=43
2025-02-11 18:18:14 +00:00
5544fe4bbd - Bump version: 3.1.15 → 3.1.16
- No error return for bool method

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=42
2025-02-11 17:39:00 +00:00
b0d5b923e3 - Bump version: 3.1.14 → 3.1.15
- Fix call for podman_setup_permissions
  Make sure podman_setup_permissions is only called if there
  is a permission problem detected.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=41
2025-02-11 17:06:13 +00:00
1b69298382 Accepting request 1244418 from Virtualization:Appliances:Builder
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1244418
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=9
2025-02-09 19:06:51 +00:00
7f10286c0a - Bump version: 3.1.13 → 3.1.14
- Use actions/upload-artifact: v4

- Make clippy happy

- Fix building runtime arguments
  Use get_run_cmdline method everywhere

- Fix container cleanup
  A flake configured to be attached can also be re-started
  using the same container storage. However, the container
  was always removed when the command exited. This commit
  fixes it to avoid removing the container of attach type
  flakes. In addition a flake option %remove was added to
  allow removing the container created for resume and attach
  type flakes

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=39
2025-02-01 22:02:56 +00:00
78a00d73fa Accepting request 1233259 from Virtualization:Appliances:Builder
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1233259
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=8
2024-12-26 11:23:40 +00:00
f0be430f1f - Bump version: 3.1.12 → 3.1.13
- Allow env placeholders for the podman pilot
  The podman runtime arguments allow setting environment
  variable placeholders starting with '%' and followed by
  the name of the environment variable. For example %HOME
  will be replaced with the value of $HOME of the calling user.
  If the given placeholder cannot be translated into an
  existing environment variable it will be turned into the
  variable name, $HOME in the above example.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=37
2024-12-17 13:46:54 +00:00
9c88d64f23 - Bump version: 3.1.11 → 3.1.12
- Automatically detect terminal mode

- Drop superfluous comment

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=36
2024-12-16 13:40:51 +00:00
99a9382f06 - Bump version: 3.1.10 → 3.1.11
- Update system files provisioning
  Expect systemfiles to be a callable that produces the
  list of host files to sync

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=35
2024-12-16 11:38:40 +00:00
1a20063e22 - Bump version: 3.1.9 → 3.1.10
- Include systemfiles.libs for host provisioning
  Only use copy-links for the files mentioned in
  systemfiles.libs. The other systemfiles are synced in the
  usual way.

- Make sure interactive processes can run

- Fixed podman call dead lock
  When calling the flake and stdout/stderr gets redirected into
  a pipe like `flake | grep ... | cut ...` the pilot binary runs
  in a dead lock because there is no reader/writer to feed the
  pipe from the child process (podman) executed via the pilot.
  This commit fixes it by making sure all data from the child
  gets read first and then passed along to stdout/stderr of the
  caller.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=34
2024-12-13 09:47:47 +00:00
f973364b26 - Bump version: 3.1.8 → 3.1.9
- Copy symlinks for host dependencies
  For provisioning of host dependencies copy symlinks such
  that they appear under their name as a file and not as a
  symlink. We use this logic for the host dependency sync
  only to be less strict on versioned library syncing

- Clippy fix
  elide the lifetimes for User instances

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=33
2024-12-12 10:02:23 +00:00
2d91ccc875 Accepting request 1230121 from Virtualization:Appliances:Builder
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1230121
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=7
2024-12-11 20:05:06 +00:00
57307bbcfb - Bump version: 3.1.7 → 3.1.8
- Fixed the runroot permission fixup
  podman differentiates the runroot between root and rootless
  calls. If you initially call a flake as a user the initial
  podman database gets setup as rootless variant which also
  allows root based workloads without permission issues.
  However, if you do it the other way round the runroot is
  setup for root only which prevents the flake from being called
  as normal user. To handle these permission issues we have
  fix methods in the flake common code to change the
  permissions according to the calling user via sudo. The
  code to handle permissions for the runroot target has to
  apply for all users as we can't predict if the storage
  will be setup initially as rootless or for root only

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=31
2024-12-04 13:17:37 +00:00
8fd8813058 - Bump version: 3.1.6 → 3.1.7
- Follow symlinks for mkdir

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=30
2024-11-29 11:14:14 +00:00
5d11b5c336 - Bump version: 3.1.5 → 3.1.6
- Add support for systemfiles provisioning
  If the base container comes with a systemfiles metadata file
  it will be used to transfer all the data mentioned in the file
  from the host to the instance. In contrast to the removed files
  the systemfiles sync will not continue when failed and this
  can only be overwritten via the %ignore_sync_error flake option

- Doc clarification
  Using the term "container name" can be confusing and interpreted as simply
  the name of the container itself. What we really need to make registration
  work is the path of the container in the local registry. Clarify the
  documentation by adding a note that points out this potential pitfall.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=29
2024-11-28 10:57:20 +00:00
c7f8d2733f - Bump version: 3.1.4 → 3.1.5
- Add provision of systemfiles

- Fix initialization of CID dir
  chmod to the wrong path

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=28
2024-11-27 21:22:45 +00:00
4b59a8b3b7 - Bump version: 3.1.3 → 3.1.4
- Handle incomplete container path
  If the given oci path does not match a file, the value is treated
  as a glob pattern. From the possible match of the pattern the
  last match will be used as the file to load. This Fixes #51

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=27
2024-11-26 15:05:53 +00:00
ef40cfa3f5 - Bump version: 3.1.2 → 3.1.3
- Handle the removal of containers in the pilot

- Fix cleanup
  Only modify permissions of the run state for the calling user.
  Make sure to remove non resume/attach type app containers after
  the call

- suppress podman exists output

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=26
2024-11-24 13:33:45 +00:00
bc2d74e5ec - Bump version: 3.1.1 → 3.1.2
- Fix spec file
  Do not create /usr/share/flakes as part of the
  package. Let the tooling create the directory
  if not present

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=25
2024-11-23 21:37:36 +00:00
194b250fd4 - Bump version: 3.1.0 → 3.1.1
- Provide error message for unknown command
  If the target_app_path is set to / this means the
  container configured entry point is called. Such a
  setup cannot be used as resume flake because we
  don't know the entry point command to exec

- Update flake-ctl-podman-register man page

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=24
2024-11-23 21:25:04 +00:00
5892d18e9f - Bump version: 3.0.15 → 3.1.0
- Use custom registry for the podman pilot
  Use podman in a way that it references a custom registry
  only for the flakes and independent of any other registry
  setup on the system. This Fixes #48

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=23
2024-11-23 17:38:14 +00:00
114733956d Accepting request 1223706 from Virtualization:Appliances:Builder
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1223706
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=6
2024-11-12 18:24:16 +00:00
97c9e2d82a - Bump version: 3.0.14 → 3.0.15
- Fix vendoring
  Use cargo-vendor-filterer crate

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=21
2024-11-05 13:46:08 +00:00
820fe5685d OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=20
2024-11-05 13:37:19 +00:00
9140c8937c - Bump version: 3.0.13 → 3.0.14
- Fixed code still not using flakes config file

- Allow to mount podman storage in rootless mode
  Temporarily gain root permissions via sudo for mounting
  and modifying instance storage. This allows for provisioning
  transparent containers also for non root users but still
  requires sudo to be configured properly.

- Make sure flake-ctl also reads /etc/flakes.yml
  The system wide configuration file was not read by flake-ctl
  only by the pilots. This commit fixes it

OBS-URL: https://build.opensuse.org/package/show/Virtualization:Appliances:Builder/flake-pilot?expand=0&rev=19
2024-11-05 10:17:42 +00:00
291111fe9e Accepting request 1181265 from Virtualization:Appliances:Builder
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1181265
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=5
2024-06-17 17:33:33 +00:00
2788cb298b Accepting request 1179039 from Virtualization:Appliances:Builder
- Bump version: 3.0.12 → 3.0.13

- Rebuild with rustls fix
  The crate index was updated and the vendor source seems to have
  fixed the rustls security issue. This fixes bsc#1223217

OBS-URL: https://build.opensuse.org/request/show/1179039
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=4
2024-06-07 13:03:33 +00:00
74d69ba927 Accepting request 1166791 from Virtualization:Appliances:Builder
- Turn terminal flag setup into function

- Bump version: 3.0.11 → 3.0.12

- Fix race condition on connection check

- set PS1 prompt via sci env

- Add terminal settings for pty stdout in sci
  disable ECHO

- Fix invalid early exit condition

- Bump version: 3.0.10 → 3.0.11

- Fix build for Leap
  Issues on the gcc side for static targets, disable
  sci static build for older targets, e.g Leap

- Prevent use of socat in firecracker-pilot
  Do not shell out socat and use proper UnixListener/UnixStream
  to do this job. This version of the commit works but I stumbled
  across a few issues:
  1. Permission denied when the UnixListener runs as user and the
  firecracker process was called as root (run_as: root in the flake).
  The former implementation ran socat via sudo in the same way as
  the firecracker process. Thus if you register the flake to
  run as root it can now also only be called as root, which is
  acceptable.
  2. The behavior in interactive sessions differs compared to socat.

OBS-URL: https://build.opensuse.org/request/show/1166791
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=3
2024-04-11 17:41:36 +00:00
9edac9ec5f Accepting request 1164042 from Virtualization:Appliances:Builder
- Bump version: 3.0.9 → 3.0.10

- Clippy fixes

- sudo is required

- Fix error handling
  Make sure the real command that is called through sudo is
  displayed. Also fix that the runas information is really used

- Exit on remove if there is an error
  The remove sequence when used with --container or --vm deregisters
  all apps associated with the container or VM first. If there is
  an error on this deregistration, exit early and do not try to
  delete the container/vm

- Update URL in spec file
  Point to OSInside Organisation

OBS-URL: https://build.opensuse.org/request/show/1164042
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flake-pilot?expand=0&rev=2
2024-04-02 14:43:51 +00:00
3 changed files with 547 additions and 5 deletions


@@ -1,3 +1,543 @@
-------------------------------------------------------------------
Thu Sep 04 21:33:20 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.21 → 3.1.22
-------------------------------------------------------------------
Thu Sep 04 18:56:45 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fixes to use flakes as normal user
Running a flake is a container based instance provisioning
and startup. Some part of this process requires root permissions
for example mounting the container instance store for the
provisioning step. This commit fixes the required calls to
be properly managed by sudo.
-------------------------------------------------------------------
Thu Aug 21 16:56:12 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.20 → 3.1.21
-------------------------------------------------------------------
Thu Aug 21 16:30:01 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- seed from entropy
-------------------------------------------------------------------
Thu Aug 21 15:58:13 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix assignment of random sequence number
We should use a seed for the sequence as described in
https://rust-random.github.io/book/guide-seeding.html#a-simple-number
In addition the logic when a random sequence number should
be used was wrong and needed a fix regarding resume and
attach type flakes which must not use a random sequence
-------------------------------------------------------------------
Tue Aug 19 15:43:21 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Pass --init option for resume type flakes
In resume mode a sleep command is used to keep the container
open. However, without the --init option there is no signal
handling available. This commit fixes it
-------------------------------------------------------------------
Tue Aug 19 15:12:40 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Revert "kill prior remove when using %remove flag"
This reverts commit 06c7d4aa71f74865dfecba399fd08cc2fde2e1f2.
no hard killing needed with the event loop entrypoint
-------------------------------------------------------------------
Tue Aug 19 15:04:47 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fixed CVE-2025-55159 slab: incorrect bounds check
Update to slab 0.4.11 to fix the mentioned CVE.
This Fixes bsc#1248004
-------------------------------------------------------------------
Tue Aug 19 12:49:28 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Apply clippy fixes
-------------------------------------------------------------------
Tue Aug 19 12:22:51 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Create sequence number for the same invocation
If a flake which is not a resume or attach flake is called twice
with the same invocation arguments an error message is displayed
to give this invocation a new name via the @NAME runtime option.
This commit makes this more comfortable and automatically assigns
a random sequence number for the call if no @NAME is given.
-------------------------------------------------------------------
Wed Jul 09 11:20:12 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- kill prior remove when using %remove flag
In case the container instance should be removed via the %remove
flag, send a kill first, followed by a force remove. The reason
for this is because we use a never ending sleep command as entry
point for resume type containers. If they should be removed the
standard signal send on podman rm will not stop the sleep and
after a period of 10 seconds podman sends a kill signal itself.
We can speedup this process as we know the entry point command
and send the kill signal first followed by the remove which
saves us some wait time spent in podman otherwise.
-------------------------------------------------------------------
Tue Jul 08 15:10:31 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.19 → 3.1.20
-------------------------------------------------------------------
Tue Jul 08 12:53:22 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix clippy hints
variables can be used directly in the format! string
-------------------------------------------------------------------
Tue Jul 08 12:44:44 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Prune old images after load
Make sure no <none> image references stay in the registry
-------------------------------------------------------------------
Wed Jun 25 14:49:48 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.18 → 3.1.19
-------------------------------------------------------------------
Wed Jun 25 10:13:12 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix CVE-2025-3416
rebuild of the tool also inherits openssl in a version that
fixes the above mentioned CVE. This fixes bsc#1242680
-------------------------------------------------------------------
Wed Jun 25 09:59:27 CEST 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix CVE-2025-5791
Switch to uzers crate as actively maintained fork of the
unmaintained users crate. This Fixes bsc#1244207
-------------------------------------------------------------------
Wed Feb 26 09:35:26 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix firecracker requirement
Require firefracker only for TW as it exists in no
other version of SUSE. In case the firecracker-pilot
is installed on a system that has no firecracker it
must be installed to this system in an alternative
way which is easily possible because firefracker
is also a rust application only depending on libc
-------------------------------------------------------------------
Tue Feb 11 21:41:40 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.17 → 3.1.18
-------------------------------------------------------------------
Tue Feb 11 21:41:15 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Style fixes
-------------------------------------------------------------------
Tue Feb 11 21:30:01 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix error handling for container check methods
The condition to setup permissions and redo the call
was done when the exec of the call was not possible.
But this is not the right place to check for a permission
denied error. This commit fixes the evaluation of the
error data
-------------------------------------------------------------------
Tue Feb 11 19:17:18 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.16 → 3.1.17
-------------------------------------------------------------------
Tue Feb 11 19:15:33 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Don't use perform for bool status methods
The perform() call checks the status code and raises an
ExecutionError. This does not allow us to return a
false boolean. Use output() call instead
-------------------------------------------------------------------
Tue Feb 11 18:38:09 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.15 → 3.1.16
-------------------------------------------------------------------
Tue Feb 11 18:37:38 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- No error return for bool method
-------------------------------------------------------------------
Tue Feb 11 18:05:20 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.14 → 3.1.15
-------------------------------------------------------------------
Tue Feb 11 18:00:48 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix call for podman_setup_permissions
Make sure podman_setup_permissions is only called if there
is a permission problem detected.
-------------------------------------------------------------------
Sat Feb 01 22:57:28 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.13 → 3.1.14
-------------------------------------------------------------------
Sat Feb 01 22:47:35 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Use actions/upload-artifact: v4
-------------------------------------------------------------------
Sat Feb 01 22:46:14 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Make clippy happy
-------------------------------------------------------------------
Sat Feb 01 22:37:25 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix building runtime arguments
Use get_run_cmdline method everywhere
-------------------------------------------------------------------
Sat Feb 01 22:14:16 CET 2025 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix container cleanup
A flake configured to be attached can also be re-started
using the same container storage. However, the container
was always removed when the command exited. This commit
fixes it to avoid removing the container of attach type
flakes. In addition a flake option %remove was added to
allow removing the container created for resume and attach
type flakes
-------------------------------------------------------------------
Tue Dec 17 14:46:11 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.12 → 3.1.13
-------------------------------------------------------------------
Tue Dec 17 10:19:53 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Allow env placeholders for the podman pilot
The podman runtime arguments allows to set environment
variable placeholders starting with '%' and followed by
the name of the environment variable. For example %HOME
will be replaced to the value of $HOME of the calling user.
If the given placeholder cannot be translated into an
existing environment variable it will be turned into the
variable name, $HOME in the above example.
-------------------------------------------------------------------
Mon Dec 16 14:40:06 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.11 → 3.1.12
-------------------------------------------------------------------
Mon Dec 16 12:51:34 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Automatically detect terminal mode
-------------------------------------------------------------------
Mon Dec 16 12:41:09 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Drop superfluous comment
-------------------------------------------------------------------
Mon Dec 16 12:37:42 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.10 → 3.1.11
-------------------------------------------------------------------
Mon Dec 16 12:36:37 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Update system files provisioning
Expect systemfiles to be a callable that produces the
list of host files to sync
-------------------------------------------------------------------
Fri Dec 13 10:47:06 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.9 → 3.1.10
-------------------------------------------------------------------
Fri Dec 13 10:28:40 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Include systemfiles.libs for host provisioning
Only use copy-links for the files mentioned in
systemfiles.libs. The other systemfiles are synced in the
usual way.
-------------------------------------------------------------------
Thu Dec 12 15:39:51 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Make sure interactive processes can run
-------------------------------------------------------------------
Thu Dec 12 15:22:37 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fixed podman call dead lock
When calling the flake and stdout/stderr gets redirected into
a pipe like `flake | grep ... | cut ...` the pilot binary runs
in a dead lock because there is no reader/writer to feed the
pipe from the child process (podman) executed via the pilot.
This commit fixes it by making sure all data from the child
gets read first and then passed along to stdout/stderr of the
caller.
-------------------------------------------------------------------
Thu Dec 12 11:01:36 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.8 → 3.1.9
-------------------------------------------------------------------
Tue Dec 10 18:46:14 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Copy symlinks for host dependencies
For provisioning of host dependencies copy symlinks such
that they appear under their name as a file and not as a
symlink. We use this logic for the host dependency sync
only to be less strict on versioned library syncing
-------------------------------------------------------------------
Wed Dec 04 15:01:53 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Clippy fix
elide the lifetimes for User instances
-------------------------------------------------------------------
Wed Dec 04 14:16:53 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.7 → 3.1.8
-------------------------------------------------------------------
Wed Dec 04 09:50:50 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fixed the runroot permission fixup
podman differentiates the runroot between root and rootless
calls. If you initially call a flake as a user the initial
podman database gets setup as rootless variant which also
allows root based workloads without permission issues.
However, if you do it the other way round the runroot is
setup for root only which prevents the flake to be called
as normal user. To handle this permission issues we have
fix methods in the flake common code to change the
permissions according to the calling user via sudo. The
code to handle permissions for the runroot target has to
apply for all users as we can't predict if the storage
will be setup initially as rootless or for root only
-------------------------------------------------------------------
Fri Nov 29 12:13:32 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.6 → 3.1.7
-------------------------------------------------------------------
Fri Nov 29 12:12:43 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Follow symlinks for mkdir
-------------------------------------------------------------------
Thu Nov 28 11:56:14 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.5 → 3.1.6
-------------------------------------------------------------------
Thu Nov 28 11:54:08 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Add support for systemfiles provisioning
If the base container comes with a systemfiles metadata file
it will be used to transfer all the data mentioned in the file
from the host to the instance. In contrast to the removed files
the systemfiles sync will not continue when failed and this
can only be overwritten via the %ignore_sync_error flake option
-------------------------------------------------------------------
Wed Nov 27 22:21:46 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.4 → 3.1.5
-------------------------------------------------------------------
Wed Nov 27 22:21:18 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Add provision of systemfiles
-------------------------------------------------------------------
Wed Nov 27 21:21:55 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix initialization of CID dir
chmod to the wrong path
-------------------------------------------------------------------
Tue Nov 26 17:25:56 CET 2024 - Robert Schweikert <rjschwei@suse.com>
- Doc clarification
Using the term "container name" can be confusing and interpreted as simply
the name of the container itself. What we really need to make registration
work is the path of the container in the local registry. Clarify the
documentation by adding a not ethat points out this potential pitfall.
-------------------------------------------------------------------
Tue Nov 26 16:04:57 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.3 → 3.1.4
-------------------------------------------------------------------
Tue Nov 26 16:03:33 CET 2024 - Robert Schweikert <rjschwei@suse.com>
- Handle incomplete container path
If the given oci path does not match a file, the value is treated
as a glob pattern. From the possible match of the pattern the
last match will be used as the file to load. This Fixes #51
-------------------------------------------------------------------
Sun Nov 24 14:32:10 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.2 → 3.1.3
-------------------------------------------------------------------
Sun Nov 24 14:27:33 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Handle the removal of containers in the pilot
-------------------------------------------------------------------
Sun Nov 24 11:58:19 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix cleanup
Only modify permissions of the run state for the calling user.
Make sure to remove non resume/attach type app containers after
the call
-------------------------------------------------------------------
Sat Nov 23 23:36:24 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- suppress podman exists output
-------------------------------------------------------------------
Sat Nov 23 22:35:50 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.1 → 3.1.2
-------------------------------------------------------------------
Sat Nov 23 22:35:20 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix spec file
Do not create /usr/share/flakes as part of the
package. Let the tooling create the directory
if not present
-------------------------------------------------------------------
Sat Nov 23 22:23:57 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.1.0 → 3.1.1
-------------------------------------------------------------------
Sat Nov 23 22:22:55 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Provide error message for unknown command
If the target_app_path is set to / this means the
container configured entry point is called. Such a
setup cannot be used as resume flake because we
don't know the entry point command to exec
-------------------------------------------------------------------
Sat Nov 23 22:04:48 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Update flake-ctl-podman-register man page
-------------------------------------------------------------------
Sat Nov 23 18:32:41 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.0.15 → 3.1.0
-------------------------------------------------------------------
Thu Nov 21 23:16:04 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Use custom registry for the podman pilot
Use podman in a way that it references a custom registry
only for the flakes and independent of any other registry
setup on the system. This Fixes #48
-------------------------------------------------------------------
Tue Nov 05 14:40:52 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.0.14 → 3.0.15
-------------------------------------------------------------------
Tue Nov 05 14:40:29 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fix vendoring
Use cargo-vendor-filterer crate
-------------------------------------------------------------------
Tue Nov 05 11:13:04 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Bump version: 3.0.13 → 3.0.14
-------------------------------------------------------------------
Tue Nov 05 10:49:52 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Fixed code still not using flakes config file
-------------------------------------------------------------------
Mon Nov 04 23:02:57 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Allow to mount podman storage in rootless mode
Temporary gain root permissions via sudo for mounting
and modifying instance storage. This allows for provisioning
transparent containers also for non root users but still
requires sudo to be configured properly.
-------------------------------------------------------------------
Mon Nov 04 11:48:06 CET 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
- Make sure flake-ctl also reads /etc/flakes.yml
The system wide configuration file was not read by flake-ctl
only by the pilots. This commit fixes it
-------------------------------------------------------------------
Thu Jun 06 17:26:31 CEST 2024 - Marcus Schäfer <marcus.schaefer@gmail.com>
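Review bot: The "Handle incomplete container path" entry says that when the oci path matches no file it is treated as a glob and "the last match will be used as the file to load", but it does not say how the matches are ordered. The result therefore depends on whatever order the glob returns, and on any other file in that directory that happens to match. The entry or the man page should state the ordering and have the tool report the resolved file name, since that file decides which container image gets loaded. Separately, the "Doc clarification" entry contains the typo "not ethat" (for "note that").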


@@ -23,7 +23,7 @@
# SOFTWARE.
#
Name: flake-pilot
Version: 3.0.13
Version: 3.1.22
Release: 0
Summary: Launcher for flake applications
License: MIT
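Review bot: The Version change in the header jumps from 3.0.13 to 3.1.22 and so crosses 3.1.0, where the changelog records "Use custom registry for the podman pilot". Nothing in the visible spec changes tells an admin upgrading from 3.0.x what happens to flakes registered against the previous podman storage. A short upgrade note in the changelog or package description would cover this, stating whether existing registrations need to be redone.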
@@ -83,7 +83,9 @@ BuildRequires: clang
BuildRequires: clang-devel
%endif
Requires: rsync
%if 0%{?suse_version} > 1600
Requires: firecracker
%endif
Requires: xz
Requires: e2fsprogs
Requires: sudo
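Review bot: The guard around `Requires: firecracker` tests `0%{?suse_version} > 1600`, while the %build section further down tests `0%{?suse_version} >= 1600`, so a target with suse_version exactly 1600 is handled differently by the two conditions. If 1600 is excluded on purpose, a spec comment should say why; otherwise both places should use the same comparison. On a build where suse_version is undefined the expression evaluates to 0, so the dependency is dropped there too and firecracker has to be installed separately for those workloads.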
@@ -120,7 +122,7 @@ Guest VM tools to help with firecracker workloads
%build
mkdir -p .cargo
cp %{SOURCE1} .cargo/config
cp %{SOURCE1} .cargo/config.toml
make build
%ifnarch ppc64le
%if 0%{?suse_version} && 0%{?suse_version} >= 1600
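Review bot: The copy target in %build changes from `.cargo/config` to `.cargo/config.toml` with no comment saying what %{SOURCE1} holds or why the name matters. If this is the config that points cargo at the vendored crates (the changelog mentions the switch to cargo-vendor-filterer), a build where the file is not picked up would no longer be pinned to the vendored sources. A one-line spec comment naming the purpose of SOURCE1 would make that dependency clear to the next person who edits this section.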
@@ -157,7 +159,6 @@ install -m 644 flakes.yml %{buildroot}/etc/flakes.yml
%files
%defattr(-,root,root)
%dir /usr/share/flakes
%dir /etc/flakes
%config /etc/flakes.yml
/usr/bin/flake-ctl
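Review bot: The %files list for the main package drops one %dir entry, and going by the changelog entry "Fix spec file" it is /usr/share/flakes, which the tooling now creates when it is missing. The directory's owner and mode are then set by whichever call creates it first rather than by `%defattr(-,root,root)`, and the package no longer removes it on uninstall. Since the tools run parts of their work through sudo (`Requires: sudo`), the creating code should set owner and mode explicitly, and the spec or documentation should state the expected values.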
@@ -168,6 +169,7 @@ install -m 644 flakes.yml %{buildroot}/etc/flakes.yml
%files -n flake-pilot-podman
%config /etc/flakes/container-flake.yaml
%config /etc/flakes/storage.conf
/usr/bin/podman-pilot
/usr/sbin/flake-registry
%doc /usr/share/man/man8/flake-ctl-podman-load.8.gz
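Review bot: The entries /etc/flakes/container-flake.yaml and /etc/flakes/storage.conf in the flake-pilot-podman %files list are marked plain `%config`, so on a package update that changes them a locally edited copy is moved aside to .rpmsave and the packaged version takes effect. For a storage configuration that admins are likely to adapt, `%config(noreplace)` keeps the local file in place and writes the new one as .rpmnew. If replacing local edits is intended, because the pilot depends on the packaged values, a spec comment should say so.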

Binary file not shown.