diff --git a/.gitignore b/.gitignore
index efa64d2..8fd3960 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/cri-o-9b1f0a0.tar.gz
-SOURCES/libpod-f604175.tar.gz
+SOURCES/conmon-fac48d0.tar.gz
+SOURCES/v1.4.2-stable2.tar.gz
diff --git a/.podman.metadata b/.podman.metadata
index ef7f5ff..aa42e5b 100644
--- a/.podman.metadata
+++ b/.podman.metadata
@@ -1,2 +1,2 @@
-b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
-6b31c41ad9d334de431a2072f1929361c9e0676b SOURCES/libpod-f604175.tar.gz
+9f8d9819e66e79e6d24b441d6f7fa4dbecb61695 SOURCES/conmon-fac48d0.tar.gz
+7fca33bd483b3dd97bb9159e1b5e496b84324deb SOURCES/v1.4.2-stable2.tar.gz
diff --git a/SOURCES/podman-CVE-2019-10214.patch b/SOURCES/podman-CVE-2019-10214.patch
new file mode 100644
index 0000000..1c78552
--- /dev/null
+++ b/SOURCES/podman-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./libpod-1.4.2-stable2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./libpod-1.4.2-stable2/vendor/github.com/containers/image/docker/docker_client.go
+--- ./libpod-1.4.2-stable2/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 2019-09-12 15:17:12.911343773 +0200
++++ ./libpod-1.4.2-stable2/vendor/github.com/containers/image/docker/docker_client.go 2019-09-12 15:17:12.912343786 +0200
+@@ -523,11 +523,7 @@ func (c *dockerClient) getBearerToken(ct
+ authReq.SetBasicAuth(c.username, c.password)
+ }
+ logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+- tr := tlsclientconfig.NewTransport()
+- // TODO(runcom): insecure for now to contact the external token service
+- tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+- client := &http.Client{Transport: tr}
+- res, err := client.Do(authReq)
++ res, err := c.client.Do(authReq)
+ if err != nil {
+ return nil, err
+ }
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
index 95bc6e8..2760211 100644
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
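Review bot: The new patch file carries no header, so nothing in it says what it fixes or where it comes from; add a few lines of plain text above the `diff -up` line, e.g. `CVE-2019-10214: contact the registry token service through the registry client's own transport (c.client) instead of a throwaway transport with InsecureSkipVerify; backport of upstream containers/image commit <UPSTREAM_COMMIT>` (patch(1) ignores text before the first file header). The replacement itself is sound: with `c.client.Do` the token-service request inherits the same TLS verification settings as the registry connection instead of unconditionally skipping certificate checks. The hunk removes the only visible references to `tls` and `tlsclientconfig` in docker_client.go; whether those imports are still used elsewhere in the file is not visible here, and an unused import would fail the vendored build in %build, so that is worth confirming once. getBearerToken starts before and ends after the inner hunk.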
@@ -9,7 +9,7 @@ %endif %define gobuild(o:) \ -go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; +go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; %define gogenerate go generate %if 0%{?rhel} > 7 || 0%{?fedora} 
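Review bot: The `no_openssl` build tag disappears from the %gobuild macro with no comment, and the only rationale on the page is the 1.4.1-4 changelog entry (`Resolves: #1721247 - enable fips mode`), so a reader of the macro cannot tell whether the tag was dropped deliberately. Add a comment on the line before `%define gobuild(o:)` such as `# no_openssl is intentionally absent so the OpenSSL-backed (FIPS-capable) crypto of the distro Go toolchain is used, see #1721247`; the wording is hedged because the tag's effect depends on the toolchain, not on anything in this spec.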
@@ -26,22 +26,26 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} %global import_path %{provider_prefix} %global git_podman https://%{provider}.%{provider_tld}/%{project}/%{repo} -%global commit f60417506b0bd363749b0d32d6ffaced763c71be +%global commit 29c137ff665314f18a65cf55ba55522e702987b3 %global shortcommit %(c=%{commit}; echo ${c:0:7}) +%global tag v1.4.2-stable2 +%global tag_version %(t=%{tag}; echo ${t:1}) -%global import_path_conmon github.com/kubernetes-sigs/cri-o +%global import_path_conmon github.com/containers/conmon %global git_conmon https://%{import_path_conmon} -%global commit_conmon 9b1f0a08285a7f74b21cc9b6bfd98a48905a7ba2 +%global commit_conmon fac48d034d625f5366a6526f94e362deaa14d18d %global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7}) Name: podman -Version: 1.0.5 -Release: 1.git%{shortcommit}%{?dist} +Version: 1.4.2 +Release: 5%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 URL: %{git_podman} -Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz -Source1: %{git_conmon}/archive/%{commit_conmon}/cri-o-%{shortcommit_conmon}.tar.gz +#Source0: %{git_podman}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz +Source0: %{git_podman}/archive/%{commit}/%{tag}.tar.gz +Source1: %{git_conmon}/archive/%{commit_conmon}/conmon-%{shortcommit_conmon}.tar.gz +Patch0: podman-CVE-2019-10214.patch # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required #ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 aarch64 %%{arm}} 
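Review bot: `Source0` now fetches the archive by `%{commit}` while `%prep` (in a later hunk) unpacks it with `%setup -q -n %{repo}-%{tag_version}`, a top-level directory name that GitHub presumably produces only for a tag-based archive; a commit-based archive would unpack to `%{repo}-%{commit}`, so re-fetching Source0 from the URL as written would likely break %setup even though the lookaside tarball `v1.4.2-stable2.tar.gz` evidently works today. Either point Source0 at the tag, `Source0: %{git_podman}/archive/%{tag}.tar.gz`, or leave a comment explaining that the URL is nominal and the tarball must be fetched by tag. The commented-out old `#Source0:` line is dead history that git already keeps and can be dropped.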
@@ -65,13 +69,15 @@ Requires: runc Requires: containers-common >= 0.1.29-3 # can't use default conmon right now, so we ship our own #Requires: conmon -Requires: containernetworking-plugins >= 0.7.3-5 +Requires: containernetworking-plugins >= 0.8.1-1 Requires: iptables Requires: nftables Requires: oci-systemd-hook +Requires: %{name}-manpages = %{version}-%{release} Recommends: container-selinux Recommends: slirp4netns Recommends: fuse-overlayfs +Recommends: libvarlink # vendored libraries # awk '{print "Provides: bundled(golang("$1")) = "$2}' vendor.conf | sort @@ -183,6 +189,7 @@ the Container Pod concept popularized by Kubernetes. Summary: Emulate Docker CLI using podman BuildArch: noarch Requires: %{name} = %{version}-%{release} +Recommends: %{name}-manpages = %{version}-%{release} Conflicts: docker Provides : docker Conflicts: docker-latest 
@@ -194,13 +201,50 @@ This package installs a script named docker that emulates the Docker CLI by executing %{name} commands, it also creates links between all Docker CLI man pages and %{name}. +%package tests +Summary: Tests for %{name} +Requires: slirp4netns +Requires: %{name} = %{version}-%{release} +#Requires: bats (which RHEL8 doesn't have. If it ever does, un-comment this) +Requires: jq + +%description tests +%{summary} + +This package contains system tests for %{name} + +%package manpages +Summary: Man pages for the %{name} commands +BuildArch: noarch + +%description manpages +Man pages for the %{name} commands + +%package remote +Summary: (Experimental) Remote client for managing %{name} containers +Recommends: %{name}-manpages = %{version}-%{release} +Requires: libvarlink + +%description remote +Remote client for managing %{name} containers. + +This experimental remote client is under heavy development. Please do not +run %{name}-remote in production. + +%{name}-remote uses the varlink connection to connect to a %{name} client to +manage pods, containers and container images. %{name}-remote supports ssh +connections as well. + %prep -%autosetup -Sgit -n %{repo}-%{commit} +%setup -q -n %{repo}-%{tag_version} mv pkg/hooks/README.md pkg/hooks/README-hooks.md -# untar cri-o +# untar conmon tar zxf %{SOURCE1} +# fix CVE-2019-10214 +%patch0 -p2 + %build mkdir -p $(pwd)/_build pushd $(pwd)/_build 
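Review bot: The comment above `%patch0 -p2` only repeats the CVE number; since the patch modifies the vendored copy of containers/image under `vendor/github.com/containers/image/docker/`, it will either stop applying or become redundant when that vendored tree is rebased, and nothing here says so. Expand the comment to `# CVE-2019-10214: stop skipping TLS verification when contacting the registry token service; patches vendor/github.com/containers/image, drop once the vendored copy carries the upstream fix`. Note also that the switch from `%autosetup -Sgit` to `%setup -q` means every future patch must be applied by an explicit `%patchN` line.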
@@ -210,22 +254,16 @@ popd ln -s vendor src export GOPATH=$(pwd):$(pwd)/_build -export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)" + +%gogenerate ./cmd/%{name}/varlink/... + +export BUILDTAGS="varlink systemd selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)" %gobuild -o bin/%{name} %{import_path}/cmd/%{name} +export BUILDTAGS="remoteclient varlink systemd selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)" +%gobuild -o bin/%{name}-remote %{import_path}/cmd/%{name} # build conmon -pushd cri-o-%{commit_conmon} -mkdir _output -pushd _output -mkdir -p src/%{provider}.%{provider_tld}/{kubernetes-sigs,opencontainers} -ln -s $(dirs +1 -l) src/%{import_path_conmon} -popd - -ln -s vendor src -export GOPATH=$(pwd):$(pwd)/_output -export BUILDTAGS="selinux seccomp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper $(hack/libdm_tag.sh)" -%gobuild -o bin/crio-config %{import_path_conmon}/cmd/crio-config -cd conmon && ../bin/crio-config +pushd conmon-%{commit_conmon} %{__make} all popd @@ -233,6 +271,7 @@ popd install -dp %{buildroot}{%{_unitdir} %{__make} PREFIX=%{buildroot}%{_usr} ETCDIR=%{buildroot}%{_sysconfdir} \ install.bin \ + install.remote \ install.man \ install.cni \ install.systemd \ @@ -244,8 +283,9 @@ install -dp %{buildroot}%{_datadir}/containers install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers # install conmon -install -dp %{buildroot}%{_libexecdir}/%{name} -install -p -m 755 cri-o-%{commit_conmon}/bin/conmon %{buildroot}%{_libexecdir}/%{name} +pushd conmon-%{commit_conmon} +%{__make} LIBEXECDIR=%{buildroot}%{_libexecdir} install.%{name} +popd %check %if 0%{?with_check} 
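Review bot: conmon is now built from its own tree with a bare `%{__make} all`, so no compiler or linker flags are passed to what is a C build; the Go build threads `%__global_ldflags` through %gobuild, but unless conmon's Makefile (not in this diff) reads CFLAGS/LDFLAGS from the environment, the distribution hardening flags will not reach the conmon binary. Consider `%set_build_flags` before the `pushd conmon-%{commit_conmon}`, or pass them explicitly: `%{__make} CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" all`. Whether the Makefile honours those variables should be checked against the conmon tarball.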
@@ -258,6 +298,13 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %gotest %{import_path}/pkg/registrar %endif +install -d -p %{buildroot}/%{_datadir}/%{name}/test/system +cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/ + +%triggerpostun -- %{name} < 1.1 +%{_bindir}/%{name} system renumber +exit 0 + #define license tag if not already defined %{!?_licensedir:%global license %doc} @@ -265,9 +312,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %license LICENSE %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md %{_bindir}/%{name} -%{_mandir}/man1/podman*.1* -%{_mandir}/man5/*.5* %{_datadir}/bash-completion/completions/* +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_%{name} +%dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/conmon %config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist %{_datadir}/containers/%{repo}.conf 
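Review bot: The `install -d -p` and `cp -pav test/system` lines that populate `%{_datadir}/%{name}/test` sit after the `%endif` closing the with_check block, i.e. in the `%check` section rather than `%install` (the `%check` header is in an earlier hunk). rpmbuild runs %check after %install so a normal build succeeds, but a build with `--nocheck` would skip the copy and then fail because `%files tests` lists files that do not exist in the buildroot; move the two lines up into %install, next to the conmon `install.%{name}` step. The `%triggerpostun` that follows runs `%{_bindir}/%{name} system renumber` and unconditionally `exit 0`; a one-line comment saying why failures are ignored (and what renumber does for upgrades from < 1.1) would help the next maintainer.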
@@ -277,20 +325,72 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %files docker %{_bindir}/docker -%{_mandir}/man1/docker*.1* + +%files tests +%license LICENSE +%{_datadir}/%{name}/test + +%files manpages +%{_mandir}/man1/*.1* +%{_mandir}/man5/*.5* + +%files remote +%license LICENSE +%{_bindir}/%{name}-remote %changelog -* Mon Aug 19 2019 Jindrich Novy - 1.0.5-1.gitf604175 -- Resolves: #1741110 -- bump to v1.0.5 +* Thu Sep 12 2019 Jindrich Novy - 1.4.2-5 +- Fix CVE-2019-10214 (#1734649). + +* Tue Sep 03 2019 Jindrich Novy - 1.4.2-4 +- update to latest conmon (Resolves: #1743685) + +* Wed Aug 28 2019 Jindrich Novy - 1.4.2-3 +- update to v1.4.2-stable1 +- Resolves: #1741157 + +* Wed Jun 19 2019 Lokesh Mandvekar - 1.4.2-2 +- Resolves: #1669197, #1705763, #1737077, #1671622, #1723879, #1730281, +- Resolves: #1731117 +- built libpod v1.4.2-stable1 -* Fri Jul 19 2019 Lokesh Mandvekar - 1.0.3-1.git9d78c0c -- Resolves: #1731270 -- bump to v1.0.3 +* Wed Jun 19 2019 Lokesh Mandvekar - 1.4.2-1 +- Resolves: #1721638 +- bump to v1.4.2 -* Fri Jun 28 2019 Lokesh Mandvekar - 1.0.2-1.git4426985 -- Resolves: #1724522 -- bump to v1.0.2 +* Mon Jun 17 2019 Lokesh Mandvekar - 1.4.1-4 +- Resolves: #1720654 - update dep on libvarlink +- Resolves: #1721247 - enable fips mode + +* Mon Jun 17 2019 Lokesh Mandvekar - 1.4.1-3 +- Resolves: #1720654 - podman requires podman-manpages +- update dep on cni plugins >= 0.8.1-1 + +* Sat Jun 15 2019 Lokesh Mandvekar - 1.4.1-2 +- Resolves: #1720654 - podman-manpages obsoletes podman < 1.4.1-2 + +* Sat Jun 15 2019 Lokesh Mandvekar - 1.4.1-1 +- Resolves: #1720654 - bump to v1.4.1 +- bump conmon to v0.3.0 + +* Fri Jun 14 2019 Lokesh Mandvekar - 1.4.0-1 +- Resolves: #1720654 - bump to v1.4.0 + +* Fri Jun 07 2019 Lokesh Mandvekar - 1.3.2-2 +- Resolves: #1683217 - tests subpackage requires slirp4netns + +* Fri May 31 2019 Lokesh Mandvekar - 1.3.2-1 +- Resolves: #1707220 - bump to v1.3.2 +- built conmon v0.2.0 + +* Wed Apr 3 2019 Eduardo 
Santiago - 1.2.0-1.git3bd528e5 +- package system tests, zsh completion. Update CI tests to use new -tests pkg + +* Thu Feb 28 2019 Lokesh Mandvekar - 1.1.0-1.git006206a +- bump to v1.1.0 + +* Fri Feb 22 2019 Lokesh Mandvekar - 1.0.1-1.git2c74edd +- bump to v1.0.1 * Mon Feb 11 2019 Frantisek Kluknavsky - 1.0.0-2.git921f98f - rebase @@ -514,4 +614,3 @@ podman release tag. * Wed Jan 10 2018 Frantisek Kluknavsky - 0-0.1.gitc1b2278 - First package for Fedora -