diff --git a/.gitignore b/.gitignore
index c8b3944..f779712 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v1.1.0.tar.gz
+SOURCES/v1.1.1.tar.gz
diff --git a/.skopeo.metadata b/.skopeo.metadata
index 700cab8..389cd1b 100644
--- a/.skopeo.metadata
+++ b/.skopeo.metadata
@@ -1 +1 @@
-1796def947b9f2d8ee1b11eab02b8a49dda7801a SOURCES/v1.1.0.tar.gz
+997b1d28c341f37e655d19534d29073aca424cd4 SOURCES/v1.1.1.tar.gz
diff --git a/SOURCES/containers-storage.conf.5.md b/SOURCES/containers-storage.conf.5.md
index 3917334..5ea362f 100644
--- a/SOURCES/containers-storage.conf.5.md
+++ b/SOURCES/containers-storage.conf.5.md
@@ -138,6 +138,9 @@ The `storage.options.thinpool` table supports the following options for the `dev
6: LogLevelInfo
7: LogLevelDebug
+**metadata_size**=""
+ metadata_size is used to set the `pvcreate --metadatasize` options when creating thin devices. (Default 128k)
+
**min_free_space**=""
Specifies the min free space percent in a thin pool required for new device creation to succeed. Valid values are from 0% - 99%. Value 0% disables. (default: 10%)
diff --git a/SOURCES/containers.conf b/SOURCES/containers.conf
index 389479f..780df2a 100644
--- a/SOURCES/containers.conf
+++ b/SOURCES/containers.conf
@@ -205,6 +205,15 @@
#
# shm_size = "65536k"
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+# tz = ""
+
+# Set umask inside the container
+#
+# umask="0022"
+
# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
@@ -279,6 +288,12 @@
#
# enable_port_reservation = true
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+# env = []
+
# Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`.
#
@@ -364,6 +379,25 @@
#
# runtime_supports_kvm = ["kata"]
+# Number of seconds to wait for container to exit before sending kill signal.
+# stop_timeout = 10
+
+# Index to the active service
+# active_service = production
+
+# map of service destinations
+# [service_destinations]
+# [service_destinations.production]
+# URI to access the Podman service
+# Examples:
+# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+# rootfull "unix://run/podman/podman.sock (Default)
+# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
+# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+# Path to file containing ssh identity key
+# identity = "~/.ssh/id_rsa"
+
# Paths to look for a valid OCI runtime (runc, runv, kata, etc)
[engine.runtimes]
# runc = [
@@ -397,9 +431,6 @@
# "/usr/bin/kata-fc",
# ]
-# Number of seconds to wait for container to exit before sending kill signal.
-#stop_timeout = 10
-
# The [engine.runtimes] table MUST be the last entry in this file.
# (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being
diff --git a/SOURCES/containers.conf.5.md b/SOURCES/containers.conf.5.md
index 7b2051b..88a0067 100644
--- a/SOURCES/containers.conf.5.md
+++ b/SOURCES/containers.conf.5.md
@@ -195,6 +195,16 @@ than `0`.
If you omit the unit, the system uses bytes. If you omit the size entirely,
the system uses `65536k`.
+**tz=**""
+ Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine.
+ If not set, then containers will run with the time zone specified in the image.
+ Examples:
+ `tz="local"`
+ `tz="America/New_York"`
+
+**umask**="0022"
+ Sets umask inside the container.
+
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
@@ -271,6 +281,11 @@ they cannot be reused by other programs on the host. However, this can cause
significant memory usage if a container has many ports forwarded to it.
Disabling this can save memory.
+**env**=[]
+Environment variables to be used when running the container engine (e.g., Podman, Buildah). For example "http_proxy=internal.proxy.company.com".
+Note these environment variables will not be used within the container. Set the env section under [containers] table,
+if you want to set environment variables for the container.
+
**events_logger**="journald"
Default method to use when logging events.
Valid values: `file`, `journald`, and `none`.
@@ -310,6 +325,24 @@ pod consumes one lock. The default number available is 2048. If this is
changed, a lock renumbering must be performed, using the
`podman system renumber` command.
+**active_service**=""
+ Name of destination for accessing the Podman service.
+
+**[service_destinations]**
+
+**[service_destinations.{name}]**
+ **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
+
+ Example URIs:
+
+- **rootless local** - unix://run/user/1000/podman/podman.sock
+- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
+- **rootfull local** - unix://run/podman/podman.sock
+- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
+
+ **identity="~/.ssh/id_rsa**
+ Path to file containing ssh identity key
+
**pull_policy**="always"|"missing"|"never"
Pull image before running or creating a container. The default is **missing**.
diff --git a/SOURCES/seccomp.json b/SOURCES/seccomp.json
index f060bea..d2cedab 100644
--- a/SOURCES/seccomp.json
+++ b/SOURCES/seccomp.json
@@ -52,6 +52,8 @@
"syscalls": [
{
"names": [
+ "_llseek",
+ "_newselect",
"accept",
"accept4",
"access",
@@ -120,6 +122,8 @@
"ftruncate64",
"futex",
"futimesat",
+ "get_robust_list",
+ "get_thread_area",
"getcpu",
"getcwd",
"getdents",
@@ -145,12 +149,10 @@
"getresuid",
"getresuid32",
"getrlimit",
- "get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
- "get_thread_area",
"gettid",
"gettimeofday",
"getuid",
@@ -161,15 +163,15 @@
"inotify_init1",
"inotify_rm_watch",
"io_cancel",
- "ioctl",
"io_destroy",
"io_getevents",
- "ioprio_get",
- "ioprio_set",
"io_setup",
"io_submit",
+ "ioctl",
+ "ioprio_get",
+ "ioprio_set",
"ipc",
- "keyctl",
+ "keyctl",
"kill",
"lchown",
"lchown32",
@@ -179,7 +181,6 @@
"listen",
"listxattr",
"llistxattr",
- "_llseek",
"lremovexattr",
"lseek",
"lsetxattr",
@@ -197,6 +198,7 @@
"mlockall",
"mmap",
"mmap2",
+ "mount",
"mprotect",
"mq_getsetattr",
"mq_notify",
@@ -213,9 +215,9 @@
"munlock",
"munlockall",
"munmap",
+ "name_to_handle_at",
"nanosleep",
"newfstatat",
- "_newselect",
"open",
"openat",
"pause",
@@ -238,6 +240,7 @@
"readlink",
"readlinkat",
"readv",
+ "reboot",
"recv",
"recvfrom",
"recvmmsg",
@@ -257,11 +260,11 @@
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
- "sched_get_priority_max",
- "sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_setaffinity",
@@ -281,6 +284,9 @@
"sendmmsg",
"sendmsg",
"sendto",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
"setfsgid",
"setfsgid32",
"setfsuid",
@@ -301,11 +307,8 @@
"setreuid",
"setreuid32",
"setrlimit",
- "set_robust_list",
"setsid",
"setsockopt",
- "set_thread_area",
- "set_tid_address",
"setuid",
"setuid32",
"setxattr",
@@ -339,21 +342,24 @@
"time",
"timer_create",
"timer_delete",
- "timerfd_create",
- "timerfd_gettime",
- "timerfd_settime",
"timer_getoverrun",
"timer_gettime",
"timer_settime",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
"times",
"tkill",
"truncate",
"truncate64",
"ugetrlimit",
"umask",
+ "umount",
+ "umount2",
"uname",
"unlink",
"unlinkat",
+ "unshare",
"utime",
"utimensat",
"utimes",
@@ -363,12 +369,7 @@
"waitid",
"waitpid",
"write",
- "writev",
- "mount",
- "umount2",
- "reboot",
- "name_to_handle_at",
- "unshare"
+ "writev"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@@ -530,8 +531,7 @@
"names": [
"s390_pci_mmio_read",
"s390_pci_mmio_write",
- "s390_runtime_instr",
- "clone"
+ "s390_runtime_instr"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@@ -748,9 +748,7 @@
"names": [
"settimeofday",
"stime",
- "clock_settime",
- "clock_adjtime",
- "adjtimex"
+ "clock_settime"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@@ -775,6 +773,111 @@
]
},
"excludes": {}
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ },
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "errnoRet": 22
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": null,
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "excludes": {}
}
]
}
diff --git a/SOURCES/storage.conf b/SOURCES/storage.conf
index 6dafb34..f6eeeb1 100644
--- a/SOURCES/storage.conf
+++ b/SOURCES/storage.conf
@@ -67,7 +67,7 @@ additionalimagestores = [
# squashed down to the default uid in the container. These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
-#ignore_chown_errors = false
+#ignore_chown_errors = "false"
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
@@ -76,6 +76,9 @@ additionalimagestores = [
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# skip_mount_home = "false"
+
# Size is used to set a maximum size of the container image.
# size = ""
diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec
index 3012135..4380621 100644
--- a/SPECS/skopeo.spec
+++ b/SPECS/skopeo.spec
@@ -25,8 +25,8 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Epoch: 1
Name: %{repo}
-Version: 1.1.0
-Release: 1%{?dist}
+Version: 1.1.1
+Release: 3%{?dist}
Summary: Inspect container images and repositories on registries
License: ASL 2.0
URL: %{git0}
@@ -87,6 +87,7 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: gnupg
Requires: jq
Requires: podman
+Requires: httpd-tools
%description tests
%{summary}
@@ -110,6 +111,7 @@ done
export GOPATH=$(pwd):$(pwd)/vendor:%{gopath}
export GO111MODULE=off
+export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
export BUILDTAGS="exclude_graphdriver_btrfs btrfs_noversion $(hack/libdm_tag.sh) $(hack/ostree_tag.sh)"
%gobuild -o %{name} ./cmd/%{name}
%{__make} docs
@@ -195,6 +197,26 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test
%changelog
+* Tue Aug 11 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.1.1-3
+- propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization
+- Related: #1821193
+
+* Wed Jul 29 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.1.1-2
+- drop applied patches
+- Related: #1821193
+
+* Wed Jul 29 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.1.1-1
+- update to https://github.com/containers/skopeo/releases/tag/v1.1.1
+- Related: #1821193
+
+* Thu Jul 23 2020 Eduardo Santiago <santiago@redhat.com> - 1:1.1.0-3
+- fix broken gating tests: docker unexpectedly removed htpasswd from
+ their 'registry:2' image, so we now use htpasswd from httpd-tools on host.
+
+* Fri Jul 17 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.1.0-2
+- fix "CVE-2020-14040 skopeo: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [rhel-8]"
+- Resolves: #1854719
+
* Fri Jun 19 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.1.0-1
- update to https://github.com/containers/skopeo/releases/tag/v1.1.0
- Related: #1821193