diff --git a/.gitignore b/.gitignore index c8b3944..f779712 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/v1.1.0.tar.gz +SOURCES/v1.1.1.tar.gz diff --git a/.skopeo.metadata b/.skopeo.metadata index 700cab8..389cd1b 100644 --- a/.skopeo.metadata +++ b/.skopeo.metadata @@ -1 +1 @@ -1796def947b9f2d8ee1b11eab02b8a49dda7801a SOURCES/v1.1.0.tar.gz +997b1d28c341f37e655d19534d29073aca424cd4 SOURCES/v1.1.1.tar.gz diff --git a/SOURCES/containers-storage.conf.5.md b/SOURCES/containers-storage.conf.5.md index 3917334..5ea362f 100644 --- a/SOURCES/containers-storage.conf.5.md +++ b/SOURCES/containers-storage.conf.5.md @@ -138,6 +138,9 @@ The `storage.options.thinpool` table supports the following options for the `dev 6: LogLevelInfo 7: LogLevelDebug +**metadata_size**="" + metadata_size is used to set the `pvcreate --metadatasize` options when creating thin devices. (Default 128k) + **min_free_space**="" Specifies the min free space percent in a thin pool required for new device creation to succeed. Valid values are from 0% - 99%. Value 0% disables. (default: 10%) diff --git a/SOURCES/containers.conf b/SOURCES/containers.conf index 389479f..780df2a 100644 --- a/SOURCES/containers.conf +++ b/SOURCES/containers.conf @@ -205,6 +205,15 @@ # # shm_size = "65536k" +# Set timezone in container. Takes IANA timezones as well as "local", +# which sets the timezone in the container to match the host machine. +# +# tz = "" + +# Set umask inside the container +# +# umask="0022" + # Default way to to create a UTS namespace for the container # Options are: # `private` Create private UTS Namespace for the container. 
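Review bot: The new `# umask="0022"` example in the containers.conf hunk drops the spaces around `=` that every neighbouring example uses (`# tz = ""`, `# shm_size = "65536k"`); since these commented lines are what users uncomment, keep them in the file's `key = value` form, `# umask = "0022"`. The tz comment could also state what an empty value means, which the man-page hunk later in this diff spells out (the image's time zone is used) — one line, `# If unset, the container keeps the time zone from the image.`, would keep the two in step.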
@@ -279,6 +288,12 @@ # # enable_port_reservation = true +# Environment variables to be used when running the container engine (e.g., Podman, Buildah). +# For example "http_proxy=internal.proxy.company.com". +# Note these environment variables will not be used within the container. +# Set the env section under [containers] table, if you want to set environment variables for the container. +# env = [] + # Selects which logging mechanism to use for container engine events. # Valid values are `journald`, `file` and `none`. # @@ -364,6 +379,25 @@ # # runtime_supports_kvm = ["kata"] +# Number of seconds to wait for container to exit before sending kill signal. +# stop_timeout = 10 + +# Index to the active service +# active_service = production + +# map of service destinations +# [service_destinations] +# [service_destinations.production] +# URI to access the Podman service +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootfull "unix://run/podman/podman.sock (Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock +# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# Path to file containing ssh identity key +# identity = "~/.ssh/id_rsa" + # Paths to look for a valid OCI runtime (runc, runv, kata, etc) [engine.runtimes] # runc = [ @@ -397,9 +431,6 @@ # "/usr/bin/kata-fc", # ] -# Number of seconds to wait for container to exit before sending kill signal. -#stop_timeout = 10 - # The [engine.runtimes] table MUST be the last entry in this file. # (Unless another table is added) # TOML does not provide a way to end a table other than a further table being diff --git a/SOURCES/containers.conf.5.md b/SOURCES/containers.conf.5.md index 7b2051b..88a0067 100644 --- a/SOURCES/containers.conf.5.md +++ b/SOURCES/containers.conf.5.md 
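Review bot: The example line `rootfull "unix://run/podman/podman.sock (Default)` in the new `[service_destinations]` block is missing its closing quote, so it reads differently from the rootless line above it; it should be `rootfull "unix://run/podman/podman.sock" (Default)`. The `# [service_destinations]` / `# [service_destinations.production]` headers appear to sit inside the `[engine]` region of the file (the next real header in the hunk is `[engine.runtimes]`), so uncommenting them as written would open a top-level TOML table rather than one nested under `[engine]`; if the loader expects the nested form the example should show it, otherwise a comment saying the table is top-level would remove the ambiguity. Also `uri="ssh://…"` omits the spaces around `=` that `# identity = "~/.ssh/id_rsa"` and the rest of the file use.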
@@ -195,6 +195,16 @@ than `0`. If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `65536k`. +**tz=**"" + Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine. + If not set, then containers will run with the time zone specified in the image. + Examples: + `tz="local"` + `tz="America/New_York"` + +**umask**="0022" + Sets umask inside the container. + **utsns**="private" Default way to to create a UTS namespace for the container. Options are: @@ -271,6 +281,11 @@ they cannot be reused by other programs on the host. However, this can cause significant memory usage if a container has many ports forwarded to it. Disabling this can save memory. +**env**=[] +Environment variables to be used when running the container engine (e.g., Podman, Buildah). For example "http_proxy=internal.proxy.company.com". +Note these environment variables will not be used within the container. Set the env section under [containers] table, +if you want to set environment variables for the container. + **events_logger**="journald" Default method to use when logging events. Valid values: `file`, `journald`, and `none`. 
@@ -310,6 +325,24 @@ pod consumes one lock. The default number available is 2048. If this is changed, a lock renumbering must be performed, using the `podman system renumber` command. +**active_service**="" + Name of destination for accessing the Podman service. + +**[service_destinations]** + +**[service_destinations.{name}]** + **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"** + + Example URIs: + +- **rootless local** - unix://run/user/1000/podman/podman.sock +- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock +- **rootfull local** - unix://run/podman/podman.sock +- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock + + **identity="~/.ssh/id_rsa** + Path to file containing ssh identity key + **pull_policy**="always"|"missing"|"never" Pull image before running or creating a container. The default is **missing**. diff --git a/SOURCES/seccomp.json b/SOURCES/seccomp.json index f060bea..d2cedab 100644 --- a/SOURCES/seccomp.json +++ b/SOURCES/seccomp.json @@ -52,6 +52,8 @@ "syscalls": [ { "names": [ + "_llseek", + "_newselect", "accept", "accept4", "access", @@ -120,6 +122,8 @@ "ftruncate64", "futex", "futimesat", + "get_robust_list", + "get_thread_area", "getcpu", "getcwd", "getdents", @@ -145,12 +149,10 @@ "getresuid", "getresuid32", "getrlimit", - "get_robust_list", "getrusage", "getsid", "getsockname", "getsockopt", - "get_thread_area", "gettid", "gettimeofday", "getuid", @@ -161,15 +163,15 @@ "inotify_init1", "inotify_rm_watch", "io_cancel", - "ioctl", "io_destroy", "io_getevents", - "ioprio_get", - "ioprio_set", "io_setup", "io_submit", + "ioctl", + "ioprio_get", + "ioprio_set", "ipc", - "keyctl", + "keyctl", "kill", "lchown", "lchown32", @@ -179,7 +181,6 @@ "listen", "listxattr", "llistxattr", - "_llseek", "lremovexattr", "lseek", "lsetxattr", @@ -197,6 +198,7 @@ "mlockall", "mmap", "mmap2", + "mount", "mprotect", "mq_getsetattr", "mq_notify", 
@@ -213,9 +215,9 @@
 "munlock",
 "munlockall",
 "munmap",
+ "name_to_handle_at",
 "nanosleep",
 "newfstatat",
- "_newselect",
 "open",
 "openat",
 "pause",
@@ -238,6 +240,7 @@
 "readlink",
 "readlinkat",
 "readv",
+ "reboot",
 "recv",
 "recvfrom",
 "recvmmsg",
@@ -257,11 +260,11 @@
 "rt_sigsuspend",
 "rt_sigtimedwait",
 "rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
 "sched_getaffinity",
 "sched_getattr",
 "sched_getparam",
- "sched_get_priority_max",
- "sched_get_priority_min",
 "sched_getscheduler",
 "sched_rr_get_interval",
 "sched_setaffinity",
@@ -281,6 +284,9 @@
 "sendmmsg",
 "sendmsg",
 "sendto",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
 "setfsgid",
 "setfsgid32",
 "setfsuid",
@@ -301,11 +307,8 @@
 "setreuid",
 "setreuid32",
 "setrlimit",
- "set_robust_list",
 "setsid",
 "setsockopt",
- "set_thread_area",
- "set_tid_address",
 "setuid",
 "setuid32",
 "setxattr",
@@ -339,21 +342,24 @@
 "time",
 "timer_create",
 "timer_delete",
- "timerfd_create",
- "timerfd_gettime",
- "timerfd_settime",
 "timer_getoverrun",
 "timer_gettime",
 "timer_settime",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_settime",
 "times",
 "tkill",
 "truncate",
 "truncate64",
 "ugetrlimit",
 "umask",
+ "umount",
+ "umount2",
 "uname",
 "unlink",
 "unlinkat",
+ "unshare",
 "utime",
 "utimensat",
 "utimes",
@@ -363,12 +369,7 @@
 "waitid",
 "waitpid",
 "write",
- "writev",
- "mount",
- "umount2",
- "reboot",
- "name_to_handle_at",
- "unshare"
+ "writev"
 ],
 "action": "SCMP_ACT_ALLOW",
 "args": [],
@@ -530,8 +531,7 @@
 "names": [
 "s390_pci_mmio_read",
 "s390_pci_mmio_write",
- "s390_runtime_instr",
- "clone"
+ "s390_runtime_instr"
 ],
 "action": "SCMP_ACT_ALLOW",
 "args": [],
@@ -748,9 +748,7 @@
 "names": [
 "settimeofday",
 "stime",
- "clock_settime",
- "clock_adjtime",
- "adjtimex"
+ "clock_settime"
 ],
 "action": "SCMP_ACT_ALLOW",
 "args": [],
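Review bot: `"umount"` is net-new to the first syscall group: the @@ -339 hunk inserts both `"umount"` and `"umount2"`, but the trailing run removed at @@ -363 holds only mount, umount2, reboot, name_to_handle_at and unshare, so this is not the pure alphabetical re-sort the other seccomp.json hunks look like. If widening that allow list is intended it should be called out (the page shows no commit message), otherwise drop the `+ "umount",` line. The group's includes/excludes are outside the hunks, so whether it is gated on a capability cannot be seen here. Likewise the removals of `clone` from the s390 group (@@ -530) and of `clock_adjtime`/`adjtimex` from the settimeofday group (@@ -748) narrow those groups; whether those names are listed elsewhere in the profile is not visible in the diff.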
@@ -775,6 +773,111 @@
 ]
 },
 "excludes": {}
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ },
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "errnoRet": 22
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": null,
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "excludes": {}
 }
 ]
 }
diff --git a/SOURCES/storage.conf b/SOURCES/storage.conf
index 6dafb34..f6eeeb1 100644
--- a/SOURCES/storage.conf
+++ b/SOURCES/storage.conf
@@ -67,7 +67,7 @@ additionalimagestores = [
 # squashed down to the default uid in the container. These images will have no
 # separation between the users in the container. Only supported for the overlay
 # and vfs drivers.
-#ignore_chown_errors = false
+#ignore_chown_errors = "false"
 # Path to an helper program to use for mounting the file system instead of mounting it
 # directly.
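Review bot: The second and fourth new `socket` entries are byte-identical (one arg: index 2, value 9, SCMP_CMP_NE, excludes CAP_AUDIT_WRITE), so the fourth can never match a call the second did not; remove the duplicate to keep the rule set minimal. All five entries leave `"comment": ""`, which makes the numeric filter opaque: 16 is AF_NETLINK, 9 is NETLINK_AUDIT and errnoRet 22 is EINVAL, i.e. socket(AF_NETLINK, *, NETLINK_AUDIT) fails with EINVAL when CAP_AUDIT_WRITE is absent while every other socket() call is allowed, and everything is allowed once the capability is granted. I would set the ERRNO entry's comment to `"comment": "socket(AF_NETLINK, *, NETLINK_AUDIT) returns EINVAL without CAP_AUDIT_WRITE"` and the final entry's to `"comment": "any socket() when CAP_AUDIT_WRITE is granted"`.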
@@ -76,6 +76,9 @@ additionalimagestores = [ # mountopt specifies comma separated list of extra mount options mountopt = "nodev,metacopy=on" +# Set to skip a PRIVATE bind mount on the storage home directory. +# skip_mount_home = "false" + # Size is used to set a maximum size of the container image. # size = "" diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec index 3012135..4380621 100644 --- a/SPECS/skopeo.spec +++ b/SPECS/skopeo.spec @@ -25,8 +25,8 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl Epoch: 1 Name: %{repo} -Version: 1.1.0 -Release: 1%{?dist} +Version: 1.1.1 +Release: 3%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -87,6 +87,7 @@ Requires: %{name} = %{epoch}:%{version}-%{release} Requires: gnupg Requires: jq Requires: podman +Requires: httpd-tools %description tests %{summary} @@ -110,6 +111,7 @@ done export GOPATH=$(pwd):$(pwd)/vendor:%{gopath} export GO111MODULE=off +export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" export BUILDTAGS="exclude_graphdriver_btrfs btrfs_noversion $(hack/libdm_tag.sh) $(hack/ostree_tag.sh)" %gobuild -o %{name} ./cmd/%{name} %{__make} docs 
@@ -195,6 +197,26 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Tue Aug 11 2020 Jindrich Novy - 1:1.1.1-3 +- propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization +- Related: #1821193 + +* Wed Jul 29 2020 Jindrich Novy - 1:1.1.1-2 +- drop applied patches +- Related: #1821193 + +* Wed Jul 29 2020 Jindrich Novy - 1:1.1.1-1 +- update to https://github.com/containers/skopeo/releases/tag/v1.1.1 +- Related: #1821193 + +* Thu Jul 23 2020 Eduardo Santiago - 1:1.1.0-3 +- fix broken gating tests: docker unexpectedly removed htpasswd from + their 'registry:2' image, so we now use htpasswd from httpd-tools on host. + +* Fri Jul 17 2020 Jindrich Novy - 1:1.1.0-2 +- fix "CVE-2020-14040 skopeo: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash [rhel-8]" +- Resolves: #1854719 + * Fri Jun 19 2020 Jindrich Novy - 1:1.1.0-1 - update to https://github.com/containers/skopeo/releases/tag/v1.1.0 - Related: #1821193