From 6a05f339556a5c91108a773601220a59ddf34ee5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 27 2020 19:04:34 +0000
Subject: import podman-2.0.4-3.module+el8.3.0+7716+ce654703
---
diff --git a/.gitignore b/.gitignore
index c628a30..88e63c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/v2.0.0-rc7.tar.gz
+SOURCES/v0.1.5.tar.gz
+SOURCES/v2.0.4.tar.gz
diff --git a/.podman.metadata b/.podman.metadata
index d44e675..9fde6d2 100644
--- a/.podman.metadata
+++ b/.podman.metadata
@@ -1 +1,2 @@
-b32c0bf490e773df61cc23d43ca1dbdfca7b0026 SOURCES/v2.0.0-rc7.tar.gz
+4502491739693bd1b1d108d9af545f69a3bd424b SOURCES/v0.1.5.tar.gz
+bcf008fe34d5e96886588a23da81a63fc5af4120 SOURCES/v2.0.4.tar.gz
diff --git a/SOURCES/podman-1860126.patch b/SOURCES/podman-1860126.patch
new file mode 100755
index 0000000..6bfc5cb
--- /dev/null
+++ b/SOURCES/podman-1860126.patch
@@ -0,0 +1,61 @@
+From 5aaf6788f9c12a742de77782fb921570fcaa6d4d Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat
+Date: Thu, 23 Jul 2020 19:27:33 -0400
+Subject: [PATCH] [CI:DOCS] BZ1860126 - Fix userns defaults in run man page
+
+Addresses the multiple "default" userns values found
+in the podman-run(1) man page: http://docs.podman.io/en/latest/markdown/podman-run.1.html.
+
+This in response to: https://bugzilla.redhat.com/show_bug.cgi?id=1860126
+which this PR wil fix.
+
+Signed-off-by: TomSweeneyRedHat
+---
+ docs/source/markdown/podman-run.1.md | 10 ++++++----
+ pkg/namespaces/namespaces.go | 2 +-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
+index e47d1fa836..db742e429d 100644
+--- a/docs/source/markdown/podman-run.1.md
++++ b/docs/source/markdown/podman-run.1.md
+@@ -905,20 +905,22 @@ Ulimit options. You can use **host** to copy the current configuration from the
+ 
+ Sets the username or UID used and optionally the groupname or GID for the specified command.
+ 
+-Without this argument the command will be run as root in the container.
++Without this argument, the command will run as the user specified in the container image. Unless overridden by a `USER` command in the Containerfile or by a value passed to this option, this user generally defaults to root.
++
++When a user namespace is not in use, the UID and GID used within the container and on the host will match. When user namespaces are in use, however, the UID and GID in the container may correspond to another UID and GID on the host. In rootless containers, for example, a user namespace is always used, and root in the container will by default correspond to the UID and GID of the user invoking Podman.
+ 
+ **--userns**=**auto**|**host**|**keep-id**|**container:**_id_|**ns:**_namespace_
+ 
+-Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value means user namespaces are disabled.
++Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with they `--uidmapping` and `--gidmapping` options.
+ 
+ - **auto**: automatically create a namespace. It is possible to specify other options to `auto`. The supported options are
+ **size=SIZE** to specify an explicit size for the automatic user namespace. e.g. `--userns=auto:size=8192`. If `size` is not specified, `auto` will guess a size for the user namespace.
+ **uidmapping=HOST_UID:CONTAINER_UID:SIZE** to force a UID mapping to be present in the user namespace.
+ **gidmapping=HOST_UID:CONTAINER_UID:SIZE** to force a GID mapping to be present in the user namespace.
+-- **host**: run in the user namespace of the caller. This is the default if no user namespace options are set. The processes running in the container will have the same privileges on the host as any other process launched by the calling user.
++- **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
+ - **keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+ - **ns**: run the container in the given existing user namespace.
+-- **private**: create a new namespace for the container (default)
++- **private**: create a new namespace for the container.
+ - **container**: join the user namespace of the specified container.
+ 
+ This option is incompatible with **--gidmap**, **--uidmap**, **--subuid** and **--subgid**.
+diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go
+index 7831af8f96..c35f68e029 100644
+--- a/pkg/namespaces/namespaces.go
++++ b/pkg/namespaces/namespaces.go
+@@ -91,7 +91,7 @@ func (n UsernsMode) IsHost() bool {
+ return n == hostType
+ }
+ 
+-// IsKeepID indicates whether container uses a mapping where the (uid, gid) on the host is lept inside of the namespace.
++// IsKeepID indicates whether container uses a mapping where the (uid, gid) on the host is kept inside of the namespace.
+ func (n UsernsMode) IsKeepID() bool {
+ return n == "keep-id"
+ }
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
index 08b432e..b15c387 100644
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@@ -24,14 +24,19 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
 %global git0 https://%{provider}.%{provider_tld}/%{project}/%{repo}
+%global cataver 0.1.5
 
 Name: podman
-Version: 2.0.0
-Release: 0.9.rc7%{?dist}
+Version: 2.0.4
+Release: 3%{?dist}
 Summary: Manage Pods, Containers and Container Images
-License: ASL 2.0
+License: ASL 2.0 and GPLv3+
 URL: https://%{name}.io/
-Source0: %{git0}/archive/v%{version}-rc7.tar.gz
+Source0: %{git0}/archive/v%{version}.tar.gz
+Source1: https://github.com/openSUSE/catatonit/archive/v%{cataver}.tar.gz
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1860126
+# patch: https://github.com/containers/podman/pull/7075.patch
+Patch0: podman-1860126.patch
 # Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
 ExcludeArch: i686
 Provides: %{name}-manpages = %{version}-%{release}
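Review bot: `License: ASL 2.0 and GPLv3+` puts the catatonit licence on the main podman package and on every subpackage that inherits the tag, although the GPLv3+ code is shipped only by the new podman-catatonit subpackage, whose `%package catatonit` stanza later in this patch declares no License of its own. Keeping the main tag at `License: ASL 2.0` and adding `License: GPLv3+` under `%package catatonit` scopes the licence to the package that actually carries that code. Source1 is fetched by version number from GitHub, so its integrity rests entirely on the `.podman.metadata` entry for v0.1.5.tar.gz; that hash is the thing to re-verify whenever `%cataver` is bumped.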
@@ -52,6 +57,12 @@ BuildRequires: pkgconfig
 BuildRequires: make
 BuildRequires: systemd
 BuildRequires: systemd-devel
+# for catatonit
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: file
+BuildRequires: gcc
+BuildRequires: libtool
 Requires: containers-common >= 0.1.29-3
 Requires: containernetworking-plugins >= 0.8.1-1
 Requires: iptables
@@ -64,6 +75,7 @@ Requires: slirp4netns >= 0.4.0-1
 Requires: runc >= 1.0.0-57
 Requires: fuse-overlayfs
 Requires: libvarlink
+Requires: %{name}-catatonit >= %{version}-%{release}
 
 %description
 %{name} (Pod Manager) is a fully featured container engine that is a simple
@@ -84,11 +96,7 @@ manipulate images (but not containers) created by the other.
 Summary: Emulate Docker CLI using %{name}
 BuildArch: noarch
 Requires: %{name} = %{version}-%{release}
-Conflicts: docker
-Conflicts: docker-latest
-Conflicts: docker-ce
-Conflicts: docker-ee
-Conflicts: moby-engine
+Provides: docker = %{version}-%{release}
 
 %description docker
 This package installs a script named docker that emulates the Docker CLI by
@@ -108,6 +116,20 @@ run %{name}-remote in production.
 manage pods, containers and container images. %{name}-remote supports ssh
 connections as well.
 
+%package catatonit
+Summary: A signal-forwarding process manager for containers
+Requires: %{name} = %{version}-%{release}
+
+%description catatonit
+Catatonit is a /sbin/init program for use within containers. It
+forwards (almost) all signals to the spawned child, tears down
+the container when the spawned child exits, and otherwise
+cleans up other exited processes (zombies).
+
+This is a reimplementation of other container init programs (such as
+"tini" or "dumb-init"), but uses modern Linux facilities (such as
+signalfd(2)) and has no additional features.
+
 %package tests
 Summary: Tests for %{name}
 Requires: %{name} = %{version}-%{release}
@@ -121,11 +143,9 @@ Requires: jq
 This package contains system tests for %{name}
 
 %prep
-%autosetup -Sgit -n %{repo}-%{version}-rc7
+%autosetup -Sgit
+tar fx %{SOURCE1}
 
-sed -i 's/install.bin: podman/install.bin:/' Makefile
-sed -i 's/install.man: docs/install.man:/' Makefile
-sed -i 's/install.remote: podman-remote/install.remote:/' Makefile
 
 mv pkg/hooks/README.md pkg/hooks/README-hooks.md
 # this is shipped by skopeo: containers-common subpackage
@@ -134,6 +154,7 @@ rm -rf docs/source/markdown/containers-mounts.conf.5.md
 %build
 export GO111MODULE=off
 export GOPATH=$(pwd):$(pwd)/_build
+export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 
 mkdir -p $(pwd)/_build
 pushd $(pwd)/_build
@@ -150,11 +171,24 @@ export BUILDTAGS="varlink systemd selinux seccomp btrfs_noversion exclude_graphd
 %gobuild -o bin/%{name} %{import_path}/cmd/%{name}
 
 # build %%{name}-remote
-export BUILDTAGS="remoteclient $BUILDTAGS"
+export BUILDTAGS="remote $BUILDTAGS"
 %gobuild -o bin/%{name}-remote %{import_path}/cmd/%{name}
 
 %{__make} docs
-./docs/dckrman.sh ./docs/build/man/*
+
+# build catatonit
+pushd catatonit-%{cataver}
+autoreconf -fi
+%configure
+%{__make} %{?_smp_mflags}
+# Make sure we *always* build a static binary for catatonit. Otherwise we'll break containers
+# that don't have the necessary shared libs.
+file catatonit | grep 'statically linked'
+if [ $? != 0 ]; then
+ echo "ERROR: catatonit binary must be statically linked!"
+ exit 1
+fi
+popd
 
 %install
 install -dp %{buildroot}%{_unitdir}
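Review bot: The static-link guard in the new catatonit build step never reaches its own error message: rpm runs %build with `sh -e` by default, so when `grep 'statically linked'` matches nothing the pipeline's non-zero status aborts the script before `if [ $? != 0 ]` is evaluated (the build still fails, just without the "must be statically linked" explanation, and only under a shell without `-e` does the `$?` test do the work). Folding the test into the condition behaves the same under both shells and is clearer: `if ! file catatonit | grep -q 'statically linked'; then`. Whether `%configure` produces a static binary by default is not visible from this hunk; this guard is the only thing enforcing it, so it is worth keeping in a form that cannot be skipped.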
@@ -163,30 +197,32 @@ install -dp %{buildroot}%{_tmpfilesdir}
 PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} \
 ETCDIR=%{buildroot}%{_sysconfdir} BUILDTAGS="varlink" \
 install.bin-nobuild \
- install.remote \
+ install.remote-nobuild \
 install.man-nobuild \
 install.cni \
 install.systemd \
 install.completions \
 install.docker
 
-# install docker-docs
-install -dp %{buildroot}%{_mandir}/man1
-install -m 644 docs/build/man/docker*.1 -t %{buildroot}%{_mandir}/man1
-
-# install docker symlink
-install -m 755 docker %{buildroot}%{_bindir}
-
-# install test stuff
+# install test scripts, but not the internal helpers.t meta-test
 ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
+rm -f %{buildroot}/%{_datadir}/%{name}/test/system/*.t
 
 # do not include docker and podman-remote man pages in main package
 for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
 echo "$file*" >> podman.file-list
 done
 
+# install catatonit
+install -dp %{buildroot}%{_libexecdir}/catatonit
+install -p catatonit-%{cataver}/catatonit %{buildroot}%{_libexecdir}/catatonit
+install -dp %{buildroot}%{_libexecdir}/podman
+install -dp %{buildroot}%{_datadir}/licenses/podman-catatonit
+install -p catatonit-%{cataver}/COPYING %{buildroot}%{_datadir}/licenses/podman-catatonit/COPYING
+ln -s %{_libexecdir}/catatonit/catatonit %{buildroot}%{_libexecdir}/podman/catatonit
+
 %check
 %if 0%{?with_check}
 # Since we aren't packaging up the vendor directory we need to link
@@ -242,13 +278,69 @@ exit 0
 %files remote
 %{_bindir}/%{name}-remote
 %{_mandir}/man1/%{name}-remote*.1*
-%{_mandir}/man5/%{name}-remote*.5*
+
+%files catatonit
+%license COPYING
+%doc README.md
+%dir %{_libexecdir}/catatonit
+%{_libexecdir}/catatonit/catatonit
+%dir %{_libexecdir}/podman
+%{_libexecdir}/podman/catatonit
 
 %files tests
 %license LICENSE
 %{_datadir}/%{name}/test
 
 %changelog
+* Thu Aug 20 2020 Jindrich Novy - 2.0.4-3
+- fix "podman run namespace in man page ambiguous"
+- Resolves: #1860126
+
+* Tue Aug 11 2020 Jindrich Novy - 2.0.4-2
+- propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization
+- Related: #1821193
+
+* Sat Aug 01 2020 Jindrich Novy - 2.0.4-1
+- update to https://github.com/containers/podman/releases/tag/v2.0.4
+- Related: #1821193
+
+* Fri Jul 31 2020 Jindrich Novy - 2.0.3-2
+- fix "Podman build from url failed to get correct temp directory for store files"
+- Resolves: #1858862
+
+* Thu Jul 23 2020 Lokesh Mandvekar - 2.0.3-1
+- update to https://github.com/containers/podman/releases/tag/v2.0.3
+- Resolves: #1785242 - podman-docker Provides: docker
+- Resolves: #1804195
+
+* Fri Jul 17 2020 Jindrich Novy - 2.0.2-3
+- fix "CVE-2020-14040 podman: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [rhel-8]"
+- Resolves: #1854718
+
+* Wed Jul 15 2020 Jindrich Novy - 2.0.2-2
+- always pull in catatonit with podman and vice versa
+- Related: #1821193
+
+* Wed Jul 08 2020 Jindrich Novy - 2.0.2-1
+- update to https://github.com/containers/libpod/releases/tag/v2.0.2
+- Related: #1821193
+
+* Thu Jul 02 2020 Jindrich Novy - 2.0.1-3
+- include catatonit
+- Related: #1821193
+
+* Wed Jul 01 2020 Jindrich Novy - 2.0.1-2
+- fix "Podman does not use --tmpdir when pulling an image"
+- Resolves: #1769918
+
+* Fri Jun 26 2020 Jindrich Novy - 2.0.1-1
+- update to https://github.com/containers/libpod/releases/tag/v2.0.1
+- Related: #1821193
+
+* Mon Jun 22 2020 Jindrich Novy - 2.0.0-1
+- update to https://github.com/containers/libpod/releases/tag/v2.0.0
+- Related: #1821193
+
 * Thu Jun 18 2020 Jindrich Novy - 2.0.0-0.9.rc7
 - update to https://github.com/containers/libpod/releases/tag/v2.0.0-rc7
 - Related: #1821193
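Review bot: In `%files catatonit`, `%license COPYING` and `%doc README.md` are relative paths, which rpm resolves against the build directory (podman's own source tree after `%autosetup`), not against the `catatonit-%{cataver}/` subtree that the %install step copies COPYING from; the file already placed at `%{_datadir}/licenses/podman-catatonit/COPYING` is therefore not what these two directives mark. If rpm's special-doc handling recreates that licence directory for the subpackage, the hand-installed copy may also be overwritten. Listing the installed path explicitly, `%license %{_datadir}/licenses/podman-catatonit/COPYING`, in place of the relative `%license COPYING` ties the GPLv3+ text to the binary that needs it; the same question applies to which README.md `%doc README.md` picks up.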