diff --git a/.buildah.metadata b/.buildah.metadata
index 524f7f1..ca2a784 100644
--- a/.buildah.metadata
+++ b/.buildah.metadata
@@ -1 +1 @@
-d8c4ecf4ff637f6341209f8ae685caae51c77fc7 SOURCES/buildah-00eb895.tar.gz
+da35ceecbee25d37313869956f602161fc282153 SOURCES/buildah-9513cb8.tar.gz
diff --git a/.gitignore b/.gitignore
index 446fb64..dc35543 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/buildah-00eb895.tar.gz
+SOURCES/buildah-9513cb8.tar.gz
diff --git a/SOURCES/1996.patch b/SOURCES/1996.patch
new file mode 100644
index 0000000..fd565dd
--- /dev/null
+++ b/SOURCES/1996.patch
@@ -0,0 +1,153 @@
+From f09346578021c12069b6deb9487a1462b8d28a83 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Thu, 21 Nov 2019 15:32:41 -0500
+Subject: [PATCH 1/3] bind: don't complain about missing mountpoints
+
+When we go to unmount a tree of mounts, if one of the directories isn't
+there, instead of returning an error as before, log a debug message and
+keep going.
+
+Signed-off-by: Nalin Dahyabhai
+---
+ bind/mount.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bind/mount.go b/bind/mount.go
+index e1ae323b9..adde901fd 100644
+--- a/bind/mount.go
++++ b/bind/mount.go
+@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
+ mount := getMountByID(id)
+ // check if this mountpoint is mounted
+ if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
++ if os.IsNotExist(err) {
++ logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
++ continue
++ }
+ return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
+ }
+ if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
+
+From c5fb681a6082b78c422eb3531667dc6d607a9355 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Fri, 22 Nov 2019 14:22:26 -0500
+Subject: [PATCH 2/3] chroot: Unmount with MNT_DETACH instead of
+ UnmountMountpoints()
+
+Unmounting the rootfs with MNT_DETACH should unmount everything below
+it, so we don't need to use the more exhaustive method that our bind
+package uses for its bind mounts.
+
+Signed-off-by: Nalin Dahyabhai
+---
+ chroot/run.go | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index fbccbcdb0..76ac78d1f 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -15,6 +15,7 @@ import (
+ "strings"
+ "sync"
+ "syscall"
++ "time"
+ "unsafe"
+
+ "github.com/containers/buildah/bind"
+@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
+ // callback that will clean up its work.
+ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
+ var fs unix.Statfs_t
+- removes := []string{}
+ undoBinds = func() error {
+- if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
+- logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
+- if err == nil {
+- err = err2
++ if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
++ retries := 0
++ for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
++ time.Sleep(50 * time.Millisecond)
++ err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
++ retries++
++ }
++ if err2 != nil {
++ logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
++ if err == nil {
++ err = err2
++ }
+ }
+ }
+ return err
+@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ // Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
+ // attempting to interact with labeling, when they aren't allowed to do so.
+ spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
++
+ // Bind mount in everything we've been asked to mount.
+ for _, m := range spec.Mounts {
+ // Skip anything that we just mounted.
+@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ if !os.IsNotExist(err) {
+ return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
+ }
+- // The target isn't there yet, so create it, and make a
+- // note to remove it later.
++ // The target isn't there yet, so create it.
+ if srcinfo.IsDir() {
+ if err = os.MkdirAll(target, 0111); err != nil {
+ return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ }
+- removes = append(removes, target)
+ } else {
+ if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
+ return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
+@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ }
+ file.Close()
+- removes = append(removes, target)
+ }
+ }
+ requestFlags := bindFlags
+@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ if err := os.Mkdir(roEmptyDir, 0700); err != nil {
+ return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
+ }
+- removes = append(removes, roEmptyDir)
+ }
+
+ // Set up any masked paths that we need to.
If we're running inside of
+
+From ec1be6a51941e10b5316c911ef97c88940f7c095 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Fri, 22 Nov 2019 14:52:25 -0500
+Subject: [PATCH 3/3] overlay.bats typo: fuse-overlays should be fuse-overlayfs
+
+Signed-off-by: Nalin Dahyabhai
+---
+ tests/overlay.bats | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/overlay.bats b/tests/overlay.bats
+index 04056f680..7cc2d0c62 100644
+--- a/tests/overlay.bats
++++ b/tests/overlay.bats
+@@ -3,14 +3,14 @@
+ load helpers
+
+ @test "overlay specific level" {
+- if test \! -e /usr/bin/fuse-overlays -a "$BUILDAH_ISOLATION" = "rootless"; then
++ if test \! -e /usr/bin/fuse-overlayfs -a "$BUILDAH_ISOLATION" = "rootless"; then
+ skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" and no /usr/bin/fuse-overlayfs present
+ fi
+ image=alpine
+ mkdir ${TESTDIR}/lower
+ touch ${TESTDIR}/lower/foo
+
+-cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
++ cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
+
+ # This should succeed
+ run_buildah --log-level=error run $cid ls /lower/foo
diff --git a/SOURCES/buildah-CVE-2019-10214.patch b/SOURCES/buildah-CVE-2019-10214.patch
deleted file mode 100644
index ea2cb77..0000000
--- a/SOURCES/buildah-CVE-2019-10214.patch
+++ /dev/null
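Review bot: Dropping the `removes` bookkeeping in the `@@ -1141`, `@@ -1157` and `@@ -1266` hunks of the embedded chroot/run.go change means the directories and files created as bind-mount targets (`os.MkdirAll(target, 0111)`, the `file.Close()` branch) and `roEmptyDir` are no longer deleted once the rootfs is detached; nothing else in the patch removes them, so they presumably stay behind in the container's root after the run. If that is intended, the rewritten comment should say so, e.g. `// The target isn't there yet, so create it. It is left in place afterwards; undoBinds only detaches the mounts.`, otherwise the undo closure should keep the list and remove the entries after the unmount succeeds. In the `@@ -1002` hunk the bounded retry loop (50 attempts, 50 ms apart) has no comment explaining why a `MNT_DETACH` unmount is expected to return `EBUSY`/`EAGAIN` at all; a line such as `// MNT_DETACH should not normally return EBUSY/EAGAIN; retry briefly in case the tree is still in use` would record the assumption. setupChrootBindMounts begins and ends outside these hunks.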
@@ -1,16 +0,0 @@ -diff -up ./buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go ---- buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 16:01:08.889098180 +0200 -+++ buildah-00eb895d6f2f13d658a9cb78714382e494974afc/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 16:01:08.890098192 +0200 -@@ -523,11 +523,7 @@ func (c *dockerClient) getBearerToken(ct - authReq.SetBasicAuth(c.username, c.password) - } - logrus.Debugf("%s %s", authReq.Method, authReq.URL.String()) -- tr := tlsclientconfig.NewTransport() -- // TODO(runcom): insecure for now to contact the external token service -- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} -- client := &http.Client{Transport: tr} -- res, err := client.Do(authReq) -+ res, err := c.client.Do(authReq) - if err != nil { - return nil, err - } diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec index bb5c921..68a8001 100644 --- a/SPECS/buildah.spec +++ b/SPECS/buildah.spec @@ -10,8 +10,8 @@ %if 0%{?rhel} > 7 && ! 0%{?fedora} %define gobuild(o:) \ -go build -buildmode pie -compiler gc -tags="rpm_crashtraceback seccomp selinux ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; -%endif # distro +go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; +%endif %global provider github %global provider_tld com 
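Review bot: The `%define gobuild(o:)` body in this hunk drops `seccomp selinux` from the hard-coded `-tags` list, so the seccomp filter and SELinux support are compiled in only if `${BUILDTAGS}` carries them; the `%build` section's `export BUILDTAGS='seccomp selinux …'` does, but the macro itself no longer guarantees it and nothing ties the two lines together. A one-line comment above the `%define`, `# security-relevant tags (seccomp, selinux) come from BUILDTAGS exported in %build`, would keep them from drifting apart on a later edit. `libtrust_openssl` is added with no explanation; the changelog entry for 1.11.6-4 calls it "compile in FIPS mode", and a `# libtrust_openssl: FIPS-mode build, see changelog 1.11.6-4` comment at the macro would make that visible where the tag lives.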
@@ -19,32 +19,34 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback seccomp selinux $ %global repo buildah # https://github.com/containers/buildah %global import_path %{provider}.%{provider_tld}/%{project}/%{repo} -%global commit 00eb895d6f2f13d658a9cb78714382e494974afc -%global shortcommit %(c=%{commit}; echo ${c:0:7}) +%global git0 https://%{import_path} +%global commit0 9513cb8c7bec0f7789c696aee4d252ebf85194cc +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Name: %{repo} -Version: 1.9.0 -Release: 5%{?dist} +Version: 1.11.6 +Release: 4%{?dist} Summary: A command line tool used for creating OCI Images License: ASL 2.0 URL: https://%{name}.io -Source0: https://%{import_path}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz -Patch0: buildah-CVE-2019-10214.patch -ExclusiveArch: x86_64 %{arm} aarch64 ppc64le s390x -# If go_compiler is not set to 1, there is no virtual provide. Use golang instead. -BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} +Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch + +BuildRequires: golang >= 1.12.12-4 BuildRequires: git BuildRequires: glib2-devel +BuildRequires: libseccomp-devel BuildRequires: ostree-devel BuildRequires: glibc-static BuildRequires: go-md2man BuildRequires: gpgme-devel BuildRequires: device-mapper-devel BuildRequires: libassuan-devel -BuildRequires: libseccomp-devel +BuildRequires: make Requires: runc >= 1.0.0-26 Requires: containers-common Requires: container-selinux +Requires: slirp4netns >= 0.3-0 %description The %{name} package provides a command line tool which can be used to @@ -68,8 +70,9 @@ Requires: golang This package contains system tests for %{name} %prep -%autosetup -Sgit -n %{name}-%{commit} - +%autosetup -Sgit -n %{name}-%{commit0} +sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile +sed -i '/docs install/d' Makefile %build mkdir _build 
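Review bot: `Patch0` now points at `https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch`, a pull-request URL whose content changes whenever the PR is updated, while the build applies the copy checked into `SOURCES/1996.patch`; a comment naming the three upstream commits that copy contains (`f0934657…`, `c5fb681a…`, `ec1be6a5…` per its `From` headers) would let a reviewer verify the vendored patch against upstream. The same hunk removes `Patch0: buildah-CVE-2019-10214.patch` without any changelog line saying why; presumably the 1.11.6 tarball's vendored containers/image already carries that fix (the deleted patch replaced an `InsecureSkipVerify: true` client with `c.client`), but this diff does not show it, so the spec should record the reason, e.g. `# CVE-2019-10214 fix is carried by the vendored containers/image in this release; downstream patch dropped` once confirmed. `BuildRequires: golang >= 1.12.12-4` is likewise pinned without a comment; the changelog only says "be sure to use golang >= 1.12.12-4", and a short note next to it would stop the next bump from loosening it.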
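Review bot: The two `sed -i` edits added to `%prep` (`s/GOMD2MAN =/GOMD2MAN ?=/` on docs/Makefile and `/docs install/d` on Makefile) succeed silently when their pattern is absent, so a later upstream Makefile change would leave the build running the upstream `docs install` target and overriding `GOMD2MAN` again with no error to point at. Guarding each with a match check, e.g. `grep -q '^GOMD2MAN =' docs/Makefile` before the sed, or carrying the change as a proper patch file, fails loudly instead. A comment such as `# drop docs from the top-level install; they are installed from docs/ in %install` would also explain the deletion to the next packager.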
@@ -81,18 +84,20 @@ popd mv vendor src export GOPATH=$(pwd)/_build:$(pwd) -export BUILDTAGS='seccomp selinux exclude_graphdriver_btrfs' +export BUILDTAGS='seccomp selinux btrfs_noversion exclude_graphdriver_btrfs' +export GO111MODULE=off +rm -f src/github.com/containers/storage/drivers/register/register_btrfs.go %gobuild -o %{name} %{import_path}/cmd/%{name} -make imgtype -make docs +%gobuild -o imgtype %{import_path}/tests/imgtype +GOMD2MAN=go-md2man %{__make} -C docs %install export GOPATH=$(pwd)/_build:$(pwd):%{gopath} make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions - install -d -p %{buildroot}/%{_datadir}/%{name}/test/system cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype +make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install #define license tag if not already defined %{!?_licensedir:%global license %doc} @@ -112,6 +117,33 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype %{_datadir}/%{name}/test %changelog +* Wed Dec 11 2019 Jindrich Novy - 1.11.6-4 +- compile in FIPS mode +- Related: RHELPLAN-25138 + +* Mon Dec 09 2019 Jindrich Novy - 1.11.6-3 +- be sure to use golang >= 1.12.12-4 +- Related: RHELPLAN-25138 + +* Sat Dec 07 2019 Jindrich Novy - 1.11.6-2 +- fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints() +- bug reference 1772179 +- Related: RHELPLAN-25138 + +* Thu Dec 05 2019 Jindrich Novy - 1.11.6-1 +- update to buildah 1.11.6 +- Related: RHELPLAN-25138 + +* Thu Nov 21 2019 Jindrich Novy - 1.11.5-1 +- update to buildah 1.11.5 +- Related: RHELPLAN-25138 + +* Thu Nov 07 2019 Jindrich Novy - 1.11.4-2 +- fix %%gobuild macro to not to ignore BUILDTAGS + +* Thu Nov 07 2019 Jindrich Novy - 1.11.4-1 +- update to 1.11.4 + * Tue Sep 17 2019 Jindrich Novy - 1.9.0-5 - Use autosetup macro again.
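Review bot: `rm -f src/github.com/containers/storage/drivers/register/register_btrfs.go` deletes a vendored source file in `%build` with no explanation, on the line right after `BUILDTAGS` already gained `btrfs_noversion exclude_graphdriver_btrfs`; it is not clear from the hunk whether the tag alone is insufficient or the `rm` is a leftover, and an unexplained deletion of vendored code is exactly what a later reviewer will stumble on. A comment such as `# register_btrfs.go is not guarded by exclude_graphdriver_btrfs in this vendored copy, so drop it to keep the driver out of the binary` would record the reason if that is it, and if the tag does suffice the `rm` should go. Building `imgtype` with `%gobuild` instead of `make imgtype` is consistent with the main binary and worth a one-line comment saying it is done so both get the same flags and build tags.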