diff --git a/0001-podman-patch-for-local-search.patch b/0001-podman-patch-for-local-search.patch deleted file mode 100644 index 90b59b155701b31fcab926cafa00251d5f9316f9..0000000000000000000000000000000000000000 --- a/0001-podman-patch-for-local-search.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 40aabbc1707bfb6ed0a0bb01bc356a16efae8b4e Mon Sep 17 00:00:00 2001 -From: weishengjing1 <773945074@qq.com> -Date: Sat, 9 Jan 2021 10:09:27 +0800 -Subject: [PATCH] patch for podman pull (issue I2BF99) - ---- - libpod.conf | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libpod.conf b/libpod.conf -index 2976cec..4001d21 100644 ---- a/libpod.conf -+++ b/libpod.conf -@@ -7,6 +7,7 @@ image_default_transport = "docker://" - # Paths to look for a valid OCI runtime (runc, runv, etc) - runtime_path = [ - "/usr/bin/runc", -+ "/usr/local/bin/runc", - "/usr/sbin/runc", - "/sbin/runc", - "/bin/runc", --- -2.27.0 - diff --git a/0002-Fix-the-invalid-memory-address-reference.patch b/0002-Fix-the-invalid-memory-address-reference.patch deleted file mode 100644 index 0373f10cc836c156d7039dad041198952a358877..0000000000000000000000000000000000000000 --- a/0002-Fix-the-invalid-memory-address-reference.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a9e6a71f9435a50c582993e946be4d53828bb48d Mon Sep 17 00:00:00 2001 -From: maminjie -Date: Sat, 13 Mar 2021 16:03:03 +0800 -Subject: [PATCH] Fix the invalid memory address or nil pointer reference - ---- - libpod/stats.go | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/libpod/stats.go b/libpod/stats.go -index c58a461..97a2169 100644 ---- a/libpod/stats.go -+++ b/libpod/stats.go -@@ -57,9 +57,11 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container - previousCPU := previousStats.CPUNano - previousSystem := previousStats.SystemNano - stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, previousSystem) -- stats.MemUsage = cgroupStats.Memory.Usage.Usage -- stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit) -- stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100 -+ if cgroupStats.Memory != nil { -+ stats.MemUsage = cgroupStats.Memory.Usage.Usage -+ stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit) -+ stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100 -+ } - stats.PIDs = 0 - if conState == ContainerStateRunning { - stats.PIDs = cgroupStats.Pids.Current --- -2.23.0 - diff --git a/0003-eat-signal-23-in-signal-proxy.patch b/0003-eat-signal-23-in-signal-proxy.patch deleted file mode 100644 index ad307b577f9e98c92c9d6820d9a274abcde6b349..0000000000000000000000000000000000000000 --- a/0003-eat-signal-23-in-signal-proxy.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 7bb9c6b9d1f195391f50047447b8caec404b5c2a Mon Sep 17 00:00:00 2001 -From: maminjie -Date: Wed, 31 Mar 2021 11:22:39 +0800 -Subject: [PATCH] eat signal 23 in signal proxy - -reference to: https://github.com/containers/podman/pull/5496 ---- - cmd/podman/sigproxy.go | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go -index 16861ba..9bb104d 100644 ---- a/cmd/podman/sigproxy.go -+++ b/cmd/podman/sigproxy.go -@@ -19,7 +19,10 @@ func ProxySignals(ctr *libpod.Container) { - for s := range sigBuffer { - // Ignore SIGCHLD and SIGPIPE - these are mostly likely - // intended for the podman command itself. -- if s == signal.SIGCHLD || s == signal.SIGPIPE { -+ // SIGURG was added because of golang 1.14 and its preemptive changes -+ // causing more signals to "show up". -+ // https://github.com/containers/libpod/issues/5483 -+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG { - continue - } - --- -2.23.0 - diff --git a/CVE-2021-20188-PRE1.patch b/CVE-2021-20188-PRE1.patch deleted file mode 100644 index 04aa6852379b631d62d01d3b29e5c96dd5e54b0b..0000000000000000000000000000000000000000 --- a/CVE-2021-20188-PRE1.patch +++ /dev/null @@ -1,371 +0,0 @@ -From 6246942d377bd9ed665a4ac448120352454dd83d Mon Sep 17 00:00:00 2001 -From: baude -Date: Wed, 24 Oct 2018 10:39:12 -0500 -Subject: [PATCH] Increase security and performance when looking up groups - -We implement the securejoin method to make sure the paths to /etc/passwd and -/etc/group are not symlinks to something naughty or outside the container -image. And then instead of actually chrooting, we use the runc functions to -get information about a user. The net result is increased security and -a a performance gain from 41ms to 100us. - -Signed-off-by: baude ---- - libpod/container_internal_linux.go | 26 +++- - .../cyphar/filepath-securejoin/LICENSE | 28 ++++ - .../cyphar/filepath-securejoin/README.md | 65 +++++++++ - .../cyphar/filepath-securejoin/join.go | 134 ++++++++++++++++++ - .../cyphar/filepath-securejoin/vendor.conf | 1 + - .../cyphar/filepath-securejoin/vfs.go | 41 ++++++ - 6 files changed, 291 insertions(+), 4 deletions(-) - create mode 100644 vendor/github.com/cyphar/filepath-securejoin/LICENSE - create mode 100644 vendor/github.com/cyphar/filepath-securejoin/README.md - create mode 100644 vendor/github.com/cyphar/filepath-securejoin/join.go - create mode 100644 vendor/github.com/cyphar/filepath-securejoin/vendor.conf - create mode 100644 vendor/github.com/cyphar/filepath-securejoin/vfs.go - -diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go -index b25645e5cc0..5a6b72580d5 100644 ---- a/libpod/container_internal_linux.go -+++ b/libpod/container_internal_linux.go -@@ -21,6 +21,8 @@ import ( - "github.com/containers/libpod/pkg/chrootuser" - "github.com/containers/libpod/pkg/rootless" - "github.com/containers/storage/pkg/idtools" -+ "github.com/cyphar/filepath-securejoin" -+ "github.com/opencontainers/runc/libcontainer/user" - spec "github.com/opencontainers/runtime-spec/specs-go" - "github.com/opencontainers/runtime-tools/generate" - "github.com/opencontainers/selinux/go-selinux/label" -@@ -197,12 +199,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { - - // Look up and add groups the user belongs to, if a group wasn't directly specified - if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") { -- groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Config.Process.User.UID)) -- if err != nil && errors.Cause(err) != chrootuser.ErrNoSuchUser { -+ var groupDest, passwdDest string -+ defaultExecUser := user.ExecUser{ -+ Uid: 0, -+ Gid: 0, -+ Home: "/", -+ } -+ -+ // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty -+ if groupDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/group"); err != nil { -+ logrus.Debug(err) - return nil, err - } -- for _, gid := range groups { -- g.AddProcessAdditionalGid(gid) -+ if passwdDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd"); err != nil { -+ logrus.Debug(err) -+ return nil, err -+ } -+ execUser, err := user.GetExecUserPath(c.config.User, &defaultExecUser, passwdDest, groupDest) -+ if err != nil { -+ return nil, err -+ } -+ for _, gid := range execUser.Sgids { -+ g.AddProcessAdditionalGid(uint32(gid)) - } - } - -diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE -new file mode 100644 -index 00000000000..bec842f294f ---- /dev/null -+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE -@@ -0,0 +1,28 @@ -+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. -+Copyright (C) 2017 SUSE LLC. All rights reserved. -+ -+Redistribution and use in source and binary forms, with or without -+modification, are permitted provided that the following conditions are -+met: -+ -+ * Redistributions of source code must retain the above copyright -+notice, this list of conditions and the following disclaimer. -+ * Redistributions in binary form must reproduce the above -+copyright notice, this list of conditions and the following disclaimer -+in the documentation and/or other materials provided with the -+distribution. -+ * Neither the name of Google Inc. nor the names of its -+contributors may be used to endorse or promote products derived from -+this software without specific prior written permission. -+ -+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md -new file mode 100644 -index 00000000000..49b2baa9f35 ---- /dev/null -+++ b/vendor/github.com/cyphar/filepath-securejoin/README.md -@@ -0,0 +1,65 @@ -+## `filepath-securejoin` ## -+ -+[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin) -+ -+An implementation of `SecureJoin`, a [candidate for inclusion in the Go -+standard library][go#20126]. The purpose of this function is to be a "secure" -+alternative to `filepath.Join`, and in particular it provides certain -+guarantees that are not provided by `filepath.Join`. -+ -+This is the function prototype: -+ -+```go -+func SecureJoin(root, unsafePath string) (string, error) -+``` -+ -+This library **guarantees** the following: -+ -+* If no error is set, the resulting string **must** be a child path of -+ `SecureJoin` and will not contain any symlink path components (they will all -+ be expanded). -+ -+* When expanding symlinks, all symlink path components **must** be resolved -+ relative to the provided root. In particular, this can be considered a -+ userspace implementation of how `chroot(2)` operates on file paths. Note that -+ these symlinks will **not** be expanded lexically (`filepath.Clean` is not -+ called on the input before processing). -+ -+* Non-existant path components are unaffected by `SecureJoin` (similar to -+ `filepath.EvalSymlinks`'s semantics). -+ -+* The returned path will always be `filepath.Clean`ed and thus not contain any -+ `..` components. -+ -+A (trivial) implementation of this function on GNU/Linux systems could be done -+with the following (note that this requires root privileges and is far more -+opaque than the implementation in this library, and also requires that -+`readlink` is inside the `root` path): -+ -+```go -+package securejoin -+ -+import ( -+ "os/exec" -+ "path/filepath" -+) -+ -+func SecureJoin(root, unsafePath string) (string, error) { -+ unsafePath = string(filepath.Separator) + unsafePath -+ cmd := exec.Command("chroot", root, -+ "readlink", "--canonicalize-missing", "--no-newline", unsafePath) -+ output, err := cmd.CombinedOutput() -+ if err != nil { -+ return "", err -+ } -+ expanded := string(output) -+ return filepath.Join(root, expanded), nil -+} -+``` -+ -+[go#20126]: https://github.com/golang/go/issues/20126 -+ -+### License ### -+ -+The license of this project is the same as Go, which is a BSD 3-clause license -+available in the `LICENSE` file. -diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go -new file mode 100644 -index 00000000000..c4ca3d71300 ---- /dev/null -+++ b/vendor/github.com/cyphar/filepath-securejoin/join.go -@@ -0,0 +1,134 @@ -+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. -+// Copyright (C) 2017 SUSE LLC. All rights reserved. -+// Use of this source code is governed by a BSD-style -+// license that can be found in the LICENSE file. -+ -+// Package securejoin is an implementation of the hopefully-soon-to-be-included -+// SecureJoin helper that is meant to be part of the "path/filepath" package. -+// The purpose of this project is to provide a PoC implementation to make the -+// SecureJoin proposal (https://github.com/golang/go/issues/20126) more -+// tangible. -+package securejoin -+ -+import ( -+ "bytes" -+ "os" -+ "path/filepath" -+ "strings" -+ "syscall" -+ -+ "github.com/pkg/errors" -+) -+ -+// ErrSymlinkLoop is returned by SecureJoinVFS when too many symlinks have been -+// evaluated in attempting to securely join the two given paths. -+var ErrSymlinkLoop = errors.Wrap(syscall.ELOOP, "secure join") -+ -+// IsNotExist tells you if err is an error that implies that either the path -+// accessed does not exist (or path components don't exist). This is -+// effectively a more broad version of os.IsNotExist. -+func IsNotExist(err error) bool { -+ // If it's a bone-fide ENOENT just bail. -+ if os.IsNotExist(errors.Cause(err)) { -+ return true -+ } -+ -+ // Check that it's not actually an ENOTDIR, which in some cases is a more -+ // convoluted case of ENOENT (usually involving weird paths). -+ var errno error -+ switch err := errors.Cause(err).(type) { -+ case *os.PathError: -+ errno = err.Err -+ case *os.LinkError: -+ errno = err.Err -+ case *os.SyscallError: -+ errno = err.Err -+ } -+ return errno == syscall.ENOTDIR || errno == syscall.ENOENT -+} -+ -+// SecureJoinVFS joins the two given path components (similar to Join) except -+// that the returned path is guaranteed to be scoped inside the provided root -+// path (when evaluated). Any symbolic links in the path are evaluated with the -+// given root treated as the root of the filesystem, similar to a chroot. The -+// filesystem state is evaluated through the given VFS interface (if nil, the -+// standard os.* family of functions are used). -+// -+// Note that the guarantees provided by this function only apply if the path -+// components in the returned string are not modified (in other words are not -+// replaced with symlinks on the filesystem) after this function has returned. -+// Such a symlink race is necessarily out-of-scope of SecureJoin. -+func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) { -+ // Use the os.* VFS implementation if none was specified. -+ if vfs == nil { -+ vfs = osVFS{} -+ } -+ -+ var path bytes.Buffer -+ n := 0 -+ for unsafePath != "" { -+ if n > 255 { -+ return "", ErrSymlinkLoop -+ } -+ -+ // Next path component, p. -+ i := strings.IndexRune(unsafePath, filepath.Separator) -+ var p string -+ if i == -1 { -+ p, unsafePath = unsafePath, "" -+ } else { -+ p, unsafePath = unsafePath[:i], unsafePath[i+1:] -+ } -+ -+ // Create a cleaned path, using the lexical semantics of /../a, to -+ // create a "scoped" path component which can safely be joined to fullP -+ // for evaluation. At this point, path.String() doesn't contain any -+ // symlink components. -+ cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p) -+ if cleanP == string(filepath.Separator) { -+ path.Reset() -+ continue -+ } -+ fullP := filepath.Clean(root + cleanP) -+ -+ // Figure out whether the path is a symlink. -+ fi, err := vfs.Lstat(fullP) -+ if err != nil && !IsNotExist(err) { -+ return "", err -+ } -+ // Treat non-existent path components the same as non-symlinks (we -+ // can't do any better here). -+ if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 { -+ path.WriteString(p) -+ path.WriteRune(filepath.Separator) -+ continue -+ } -+ -+ // Only increment when we actually dereference a link. -+ n++ -+ -+ // It's a symlink, expand it by prepending it to the yet-unparsed path. -+ dest, err := vfs.Readlink(fullP) -+ if err != nil { -+ return "", err -+ } -+ // Absolute symlinks reset any work we've already done. -+ if filepath.IsAbs(dest) { -+ path.Reset() -+ } -+ unsafePath = dest + string(filepath.Separator) + unsafePath -+ } -+ -+ // We have to clean path.String() here because it may contain '..' -+ // components that are entirely lexical, but would be misleading otherwise. -+ // And finally do a final clean to ensure that root is also lexically -+ // clean. -+ fullP := filepath.Clean(string(filepath.Separator) + path.String()) -+ return filepath.Clean(root + fullP), nil -+} -+ -+// SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library -+// of functions as the VFS. If in doubt, use this function over SecureJoinVFS. -+func SecureJoin(root, unsafePath string) (string, error) { -+ return SecureJoinVFS(root, unsafePath, nil) -+} -diff --git a/vendor/github.com/cyphar/filepath-securejoin/vendor.conf b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf -new file mode 100644 -index 00000000000..66bb574b955 ---- /dev/null -+++ b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf -@@ -0,0 +1 @@ -+github.com/pkg/errors v0.8.0 -diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go -new file mode 100644 -index 00000000000..a82a5eae11e ---- /dev/null -+++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go -@@ -0,0 +1,41 @@ -+// Copyright (C) 2017 SUSE LLC. All rights reserved. -+// Use of this source code is governed by a BSD-style -+// license that can be found in the LICENSE file. -+ -+package securejoin -+ -+import "os" -+ -+// In future this should be moved into a separate package, because now there -+// are several projects (umoci and go-mtree) that are using this sort of -+// interface. -+ -+// VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is -+// equivalent to using the standard os.* family of functions. This is mainly -+// used for the purposes of mock testing, but also can be used to otherwise use -+// SecureJoin with VFS-like system. -+type VFS interface { -+ // Lstat returns a FileInfo describing the named file. If the file is a -+ // symbolic link, the returned FileInfo describes the symbolic link. Lstat -+ // makes no attempt to follow the link. These semantics are identical to -+ // os.Lstat. -+ Lstat(name string) (os.FileInfo, error) -+ -+ // Readlink returns the destination of the named symbolic link. These -+ // semantics are identical to os.Readlink. -+ Readlink(name string) (string, error) -+} -+ -+// osVFS is the "nil" VFS, in that it just passes everything through to the os -+// module. -+type osVFS struct{} -+ -+// Lstat returns a FileInfo describing the named file. If the file is a -+// symbolic link, the returned FileInfo describes the symbolic link. Lstat -+// makes no attempt to follow the link. These semantics are identical to -+// os.Lstat. -+func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) } -+ -+// Readlink returns the destination of the named symbolic link. These -+// semantics are identical to os.Readlink. -+func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) } diff --git a/CVE-2021-20188-PRE2.patch b/CVE-2021-20188-PRE2.patch deleted file mode 100644 index bdddeedbc041cf77ee65684c2a95df0f6ac902f9..0000000000000000000000000000000000000000 --- a/CVE-2021-20188-PRE2.patch +++ /dev/null @@ -1,388 +0,0 @@ -From 1dd7f13dfbc1dd377eabace0239b1c05cd60b144 Mon Sep 17 00:00:00 2001 -From: baude -Date: Thu, 25 Oct 2018 13:39:25 -0500 -Subject: [PATCH] get user and group information using securejoin and runc's - user library - -for the purposes of performance and security, we use securejoin to contstruct -the root fs's path so that symlinks are what they appear to be and no pointing -to something naughty. - -then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group -methods which saves us quite a bit of performance. - -Signed-off-by: baude ---- - libpod/container_api.go | 8 +- - libpod/container_internal.go | 56 ++++++----- - libpod/container_internal_linux.go | 44 ++------ - pkg/lookup/lookup.go | 156 +++++++++++++++++++++++++++++ - 4 files changed, 201 insertions(+), 63 deletions(-) - create mode 100644 pkg/lookup/lookup.go - -diff --git a/libpod/container_api.go b/libpod/container_api.go -index 41a131ea212..83f93cf9eb6 100644 ---- a/libpod/container_api.go -+++ b/libpod/container_api.go -@@ -10,8 +10,8 @@ import ( - "time" - - "github.com/containers/libpod/libpod/driver" -- "github.com/containers/libpod/pkg/chrootuser" - "github.com/containers/libpod/pkg/inspect" -+ "github.com/containers/libpod/pkg/lookup" - "github.com/containers/storage/pkg/stringid" - "github.com/docker/docker/daemon/caps" - "github.com/pkg/errors" -@@ -292,13 +292,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e - // the host - hostUser := "" - if user != "" { -- uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, user) -+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil) - if err != nil { -- return errors.Wrapf(err, "error getting user to launch exec session as") -+ return err - } - - // runc expects user formatted as uid:gid -- hostUser = fmt.Sprintf("%d:%d", uid, gid) -+ hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid) - } - - // Generate exec session ID -diff --git a/libpod/container_internal.go b/libpod/container_internal.go -index 2af216358b4..d928c4aedd5 100644 ---- a/libpod/container_internal.go -+++ b/libpod/container_internal.go -@@ -12,9 +13,9 @@ import ( - "strings" - "syscall" - -- "github.com/containers/libpod/pkg/chrootuser" - "github.com/containers/libpod/pkg/hooks" - "github.com/containers/libpod/pkg/hooks/exec" -+ "github.com/containers/libpod/pkg/lookup" - "github.com/containers/libpod/pkg/resolvconf" - "github.com/containers/libpod/pkg/rootless" - "github.com/containers/libpod/pkg/secrets" -@@ -1094,6 +1095,7 @@ func (c *Container) generateHosts() (str - } - - func (c *Container) addLocalVolumes(ctx context.Context, g *generate.Generator) error { -+ var uid, gid int - mountPoint := c.state.Mountpoint - if !c.state.Mounted { - return errors.Wrapf(ErrInternal, "container is not mounted") -@@ -1117,6 +1119,18 @@ func (c *Container) addLocalVolumes(ctx - } - } - -+ if c.config.User != "" { -+ if !c.state.Mounted { -+ return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID()) -+ } -+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil) -+ if err != nil { -+ return err -+ } -+ uid = execUser.Uid -+ gid = execUser.Gid -+ } -+ - for k := range imageData.ContainerConfig.Volumes { - mount := spec.Mount{ - Destination: k, -@@ -1129,27 +1143,13 @@ func (c *Container) addLocalVolumes(ctx - volumePath := filepath.Join(c.config.StaticDir, "volumes", k) - srcPath := filepath.Join(mountPoint, k) - -- var ( -- uid uint32 -- gid uint32 -- ) -- if c.config.User != "" { -- if !c.state.Mounted { -- return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID()) -- } -- uid, gid, err = chrootuser.GetUser(c.state.Mountpoint, c.config.User) -- if err != nil { -- return err -- } -- } -- - if _, err := os.Stat(srcPath); os.IsNotExist(err) { - logrus.Infof("Volume image mount point %s does not exist in root FS, need to create it", k) - if err = os.MkdirAll(srcPath, 0755); err != nil { - return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, k, c.ID) - } - -- if err = os.Chown(srcPath, int(uid), int(gid)); err != nil { -+ if err = os.Chown(srcPath, uid, gid); err != nil { - return errors.Wrapf(err, "error chowning directory %q for volume %q in container %q", srcPath, k, c.ID) - } - } -@@ -1159,7 +1159,7 @@ func (c *Container) addLocalVolumes(ctx - return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, k, c.ID) - } - -- if err = os.Chown(volumePath, int(uid), int(gid)); err != nil { -+ if err = os.Chown(volumePath, uid, gid); err != nil { - return errors.Wrapf(err, "error chowning directory %q for volume %q in container %q", volumePath, k, c.ID) - } - -diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go -index 0a1784ba740..7bf2c71cac6 100644 ---- a/libpod/container_internal_linux.go -+++ b/libpod/container_internal_linux.go -@@ -17,11 +17,9 @@ import ( - - cnitypes "github.com/containernetworking/cni/pkg/types/current" - crioAnnotations "github.com/containers/libpod/pkg/annotations" -- "github.com/containers/libpod/pkg/chrootuser" -+ "github.com/containers/libpod/pkg/lookup" - "github.com/containers/libpod/pkg/rootless" - "github.com/containers/storage/pkg/idtools" -- "github.com/cyphar/filepath-securejoin" -- "github.com/opencontainers/runc/libcontainer/user" - spec "github.com/opencontainers/runtime-spec/specs-go" - "github.com/opencontainers/runtime-tools/generate" - "github.com/opencontainers/selinux/go-selinux/label" -@@ -135,6 +133,10 @@ func (c *Container) cleanupNetwork() error { - // Generate spec for a container - // Accepts a map of the container's dependencies - func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { -+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil) -+ if err != nil { -+ return nil, err -+ } - g := generate.NewFromSpec(c.config.Spec) - - // If network namespace was requested, add it now -@@ -188,7 +190,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { - } - } - -- var err error - if !rootless.IsRootless() { - if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil { - return nil, errors.Wrapf(err, "error setting up OCI Hooks") -@@ -206,13 +207,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { - if !c.state.Mounted { - return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID()) - } -- uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, c.config.User) -- if err != nil { -- return nil, err -- } - // User and Group must go together -- g.SetProcessUID(uid) -- g.SetProcessGID(gid) -+ g.SetProcessUID(uint32(execUser.Uid)) -+ g.SetProcessGID(uint32(execUser.Gid)) - } - - // Add addition groups if c.config.GroupAdd is not empty -@@ -220,11 +217,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { - if !c.state.Mounted { - return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to add additional groups", c.ID()) - } -- for _, group := range c.config.Groups { -- gid, err := chrootuser.GetGroup(c.state.Mountpoint, group) -- if err != nil { -- return nil, err -- } -+ gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil) -+ for _, gid := range gids { - g.AddProcessAdditionalGid(gid) - } - } -@@ -237,26 +231,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { - - // Look up and add groups the user belongs to, if a group wasn't directly specified - if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") { -- var groupDest, passwdDest string -- defaultExecUser := user.ExecUser{ -- Uid: 0, -- Gid: 0, -- Home: "/", -- } -- -- // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty -- if groupDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/group"); err != nil { -- logrus.Debug(err) -- return nil, err -- } -- if passwdDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd"); err != nil { -- logrus.Debug(err) -- return nil, err -- } -- execUser, err := user.GetExecUserPath(c.config.User, &defaultExecUser, passwdDest, groupDest) -- if err != nil { -- return nil, err -- } - for _, gid := range execUser.Sgids { - g.AddProcessAdditionalGid(uint32(gid)) - } -diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go -new file mode 100644 -index 00000000000..b27e2a724bc ---- /dev/null -+++ b/pkg/lookup/lookup.go -@@ -0,0 +1,156 @@ -+package lookup -+ -+import ( -+ "github.com/cyphar/filepath-securejoin" -+ "github.com/opencontainers/runc/libcontainer/user" -+ "github.com/sirupsen/logrus" -+ "strconv" -+) -+ -+const ( -+ etcpasswd = "/etc/passwd" -+ etcgroup = "/etc/group" -+) -+ -+// Overrides allows you to override defaults in GetUserGroupInfo -+type Overrides struct { -+ DefaultUser *user.ExecUser -+ ContainerEtcPasswdPath string -+ ContainerEtcGroupPath string -+} -+ -+// GetUserGroupInfo takes string forms of the the container's mount path and the container user and -+// returns a ExecUser with uid, gid, sgids, and home. And override can be provided for defaults. -+func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) (*user.ExecUser, error) { -+ var ( -+ passwdDest, groupDest string -+ defaultExecUser *user.ExecUser -+ err error -+ ) -+ passwdPath := etcpasswd -+ groupPath := etcgroup -+ -+ if override != nil { -+ // Check for an override /etc/passwd path -+ if override.ContainerEtcPasswdPath != "" { -+ passwdPath = override.ContainerEtcPasswdPath -+ } -+ // Check for an override for /etc/group path -+ if override.ContainerEtcGroupPath != "" { -+ groupPath = override.ContainerEtcGroupPath -+ } -+ } -+ -+ // Check for an override default user -+ if override != nil && override.DefaultUser != nil { -+ defaultExecUser = override.DefaultUser -+ } else { -+ // Define a default container user -+ //defaultExecUser = &user.ExecUser{ -+ // Uid: 0, -+ // Gid: 0, -+ // Home: "/", -+ defaultExecUser = nil -+ -+ } -+ -+ // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty -+ if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil { -+ logrus.Debug(err) -+ return nil, err -+ } -+ if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil { -+ logrus.Debug(err) -+ return nil, err -+ } -+ return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest) -+} -+ -+// GetContainerGroups uses securejoin to get a list of numerical groupids from a container. Per the runc -+// function it calls: If a group name cannot be found, an error will be returned. If a group id cannot be found, -+// or the given group data is nil, the id will be returned as-is provided it is in the legal range. -+func GetContainerGroups(groups []string, containerMount string, override *Overrides) ([]uint32, error) { -+ var ( -+ groupDest string -+ err error -+ uintgids []uint32 -+ ) -+ -+ groupPath := etcgroup -+ if override != nil && override.ContainerEtcGroupPath != "" { -+ groupPath = override.ContainerEtcGroupPath -+ } -+ -+ if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil { -+ logrus.Debug(err) -+ return nil, err -+ } -+ -+ gids, err := user.GetAdditionalGroupsPath(groups, groupDest) -+ if err != nil { -+ return nil, err -+ } -+ // For libpod, we want []uint32s -+ for _, gid := range gids { -+ uintgids = append(uintgids, uint32(gid)) -+ } -+ return uintgids, nil -+} -+ -+// GetUser takes a containermount path and user name or id and returns -+// a matching User structure from /etc/passwd. If it cannot locate a user -+// with the provided information, an ErrNoPasswdEntries is returned. -+func GetUser(containerMount, userIDorName string) (*user.User, error) { -+ var inputIsName bool -+ uid, err := strconv.Atoi(userIDorName) -+ if err != nil { -+ inputIsName = true -+ } -+ passwdDest, err := securejoin.SecureJoin(containerMount, etcpasswd) -+ if err != nil { -+ return nil, err -+ } -+ users, err := user.ParsePasswdFileFilter(passwdDest, func(u user.User) bool { -+ if inputIsName { -+ return u.Name == userIDorName -+ } -+ return u.Uid == uid -+ }) -+ if err != nil { -+ return nil, err -+ } -+ if len(users) > 0 { -+ return &users[0], nil -+ } -+ return nil, user.ErrNoPasswdEntries -+} -+ -+// GetGroup takes ac ontainermount path and a group name or id and returns -+// a match Group struct from /etc/group. if it cannot locate a group, -+// an ErrNoGroupEntries error is returned. -+func GetGroup(containerMount, groupIDorName string) (*user.Group, error) { -+ var inputIsName bool -+ gid, err := strconv.Atoi(groupIDorName) -+ if err != nil { -+ inputIsName = true -+ } -+ -+ groupDest, err := securejoin.SecureJoin(containerMount, etcgroup) -+ if err != nil { -+ return nil, err -+ } -+ -+ groups, err := user.ParseGroupFileFilter(groupDest, func(g user.Group) bool { -+ if inputIsName { -+ return g.Name == groupIDorName -+ } -+ return g.Gid == gid -+ }) -+ if err != nil { -+ return nil, err -+ } -+ if len(groups) > 0 { -+ return &groups[0], nil -+ } -+ return nil, user.ErrNoGroupEntries -+} diff --git a/CVE-2021-20188-PRE3.patch b/CVE-2021-20188-PRE3.patch deleted file mode 100644 index ed59904f8fa4fc4e456e8ea9b1338b4ba83aa219..0000000000000000000000000000000000000000 --- a/CVE-2021-20188-PRE3.patch +++ /dev/null @@ -1,181 +0,0 @@ -From 867669374c3fdd39f2629e53cbe7430f1bc3e085 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Tue, 8 Jan 2019 12:53:50 +0100 -Subject: [PATCH] Add a --workdir option to 'podman exec' - -Signed-off-by: Debarshi Ray ---- - cmd/podman/common.go | 9 +++++---- - cmd/podman/exec.go | 3 ++- - completions/bash/podman | 2 ++ - docs/podman-exec.1.md | 8 ++++++++ - libpod/container_api.go | 4 ++-- - libpod/oci.go | 6 ++++-- - test/e2e/exec_test.go | 32 ++++++++++++++++++++++++++++++++ - 7 files changed, 55 insertions(+), 9 deletions(-) - -diff --git a/cmd/podman/common.go b/cmd/podman/common.go -index 0fc9a6accfd..d934c869946 100644 ---- a/cmd/podman/common.go -+++ b/cmd/podman/common.go -@@ -28,6 +28,10 @@ var ( - Name: "latest, l", - Usage: "act on the latest pod podman is aware of", - } -+ WorkDirFlag = cli.StringFlag{ -+ Name: "workdir, w", -+ Usage: "Working directory inside the container", -+ } - ) - - const ( -@@ -522,10 +526,7 @@ var createFlags = []cli.Flag{ - Name: "volumes-from", - Usage: "Mount volumes from the specified container(s) (default [])", - }, -- cli.StringFlag{ -- Name: "workdir, w", -- Usage: "Working `directory inside the container", -- }, -+ WorkDirFlag, - } - - func getFormat(c *cli.Context) (string, error) { -diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go -index c03834dea23..073e72e6404 100644 ---- a/cmd/podman/exec.go -+++ b/cmd/podman/exec.go -@@ -34,6 +34,7 @@ var ( - Usage: "Sets the username or UID used and optionally the groupname or GID for the specified command", - }, - LatestFlag, -+ WorkDirFlag, - } - execDescription = ` - podman exec -@@ -108,5 +109,5 @@ func execCmd(c *cli.Context) error { - envs = append(envs, fmt.Sprintf("%s=%s", k, v)) - } - -- return ctr.Exec(c.Bool("tty"), c.Bool("privileged"), envs, cmd, c.String("user")) -+ return ctr.Exec(c.Bool("tty"), c.Bool("privileged"), envs, cmd, c.String("user"), c.String("workdir")) - } -diff --git a/completions/bash/podman b/completions/bash/podman -index d65f54690e3..e23615d5256 100644 ---- a/completions/bash/podman -+++ b/completions/bash/podman -@@ -1111,6 +1111,8 @@ _podman_exec() { - --env - --user - -u -+ --workdir -+ -w - " - local boolean_options=" - --latest -diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md -index 284fa5a4a29..77317b0cabd 100644 ---- a/docs/podman-exec.1.md -+++ b/docs/podman-exec.1.md -@@ -38,6 +38,14 @@ Sets the username or UID used and optionally the groupname or GID for the specif - The following examples are all valid: - --user [user | user:group | uid | uid:gid | user:gid | uid:group ] - -+**--workdir**, **-w**="" -+ -+Working directory inside the container -+ -+The default working directory for running binaries within a container is the root directory (/). -+The image developer can set a different default with the WORKDIR instruction, which can be overridden -+when creating the container. -+ - ## SEE ALSO - podman(1), podman-run(1) - -diff --git a/libpod/container_api.go b/libpod/container_api.go -index 09bc46905ae..4eaf737b09a 100644 ---- a/libpod/container_api.go -+++ b/libpod/container_api.go -@@ -262,7 +262,7 @@ func (c *Container) Kill(signal uint) error { - // Exec starts a new process inside the container - // TODO allow specifying streams to attach to - // TODO investigate allowing exec without attaching --func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) error { -+func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error { - var capList []string - - locked := false -@@ -324,7 +324,7 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e - - logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID) - -- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, hostUser, sessionID) -+ execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID) - if err != nil { - return errors.Wrapf(err, "error exec %s", c.ID()) - } -diff --git a/libpod/oci.go b/libpod/oci.go -index 093bfdd3573..31c1a7e8514 100644 ---- a/libpod/oci.go -+++ b/libpod/oci.go -@@ -728,7 +728,7 @@ func (r *OCIRuntime) unpauseContainer(ctr *Container) error { - // TODO: Add --detach support - // TODO: Convert to use conmon - // TODO: add --pid-file and use that to generate exec session tracking --func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, user, sessionID string) (*exec.Cmd, error) { -+func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) { - if len(cmd) == 0 { - return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute") - } -@@ -749,7 +749,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty - - args = append(args, "exec") - -- args = append(args, "--cwd", c.config.Spec.Process.Cwd) -+ if cwd != "" { -+ args = append(args, "--cwd", cwd) -+ } - - args = append(args, "--pid-file", c.execPidPath(sessionID)) - -diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go -index fec80717fa2..a181501a5ff 100644 ---- a/test/e2e/exec_test.go -+++ b/test/e2e/exec_test.go -@@ -127,4 +127,36 @@ var _ = Describe("Podman exec", func() { - Expect(session2.ExitCode()).To(Equal(0)) - Expect(session2.OutputToString()).To(Equal(testUser)) - }) -+ -+ It("podman exec simple working directory test", func() { -+ setup := podmanTest.RunTopContainer("test1") -+ setup.WaitWithDefaultTimeout() -+ Expect(setup.ExitCode()).To(Equal(0)) -+ -+ session := podmanTest.Podman([]string{"exec", "-l", "--workdir", "/tmp", "pwd"}) -+ session.WaitWithDefaultTimeout() -+ Expect(session.ExitCode()).To(Equal(0)) -+ match, _ := session.GrepString("/tmp") -+ Expect(match).Should(BeTrue()) -+ -+ session = podmanTest.Podman([]string{"exec", "-l", "-w", "/tmp", "pwd"}) -+ session.WaitWithDefaultTimeout() -+ Expect(session.ExitCode()).To(Equal(0)) -+ match, _ = session.GrepString("/tmp") -+ Expect(match).Should(BeTrue()) -+ }) -+ -+ It("podman exec missing working directory test", func() { -+ setup := podmanTest.RunTopContainer("test1") -+ setup.WaitWithDefaultTimeout() -+ Expect(setup.ExitCode()).To(Equal(0)) -+ -+ session := podmanTest.Podman([]string{"exec", "-l", "--workdir", "/missing", "pwd"}) -+ session.WaitWithDefaultTimeout() -+ Expect(session.ExitCode()).To(Equal(1)) -+ -+ session = podmanTest.Podman([]string{"exec", "-l", "-w", "/missing", "pwd"}) -+ session.WaitWithDefaultTimeout() -+ Expect(session.ExitCode()).To(Equal(1)) -+ }) - }) diff --git a/CVE-2021-20188.patch b/CVE-2021-20188.patch deleted file mode 100644 index 021fa59b7c84e56ea920d360bc84e694ab3c017c..0000000000000000000000000000000000000000 --- a/CVE-2021-20188.patch +++ /dev/null @@ -1,320 +0,0 @@ -From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001 -From: Matthew Heon -Date: Mon, 25 Jan 2021 14:18:07 -0500 -Subject: [PATCH] Correct handling of capabilities - -Ensure that capabilities are properly handled for non-root users -in privileged containers. We do not want to give full caps, but -instead only CapInh and CapEff (others should be all-zeroes). - -Fixing `podman run` is easy - the same code as the Podman 1.6 fix -works there. The `podman exec` command is far more challenging. -Exec received a complete rewrite to use Conmon at some point -before Podman 1.6, and gained many capabilities in the process. -One of those was the ability to actually tweak the capabilities -of the exec process - 1.0 did not have that. Since it was needed -to resolve this CVE, I was forced to backport a large bit of the -1.0 -> 1.6 exec changes (passing a Process block to the OCI -runtime, and using `prepareProcessExec()` to prepare said block). -I am honestly uncomfortable with the size and scope of this -change but I don't see another way around this. - -Fixes CVE-2021-20188 - -Signed-off-by: Matthew Heon ---- - libpod/container_api.go | 24 +------ - libpod/oci.go | 148 ++++++++++++++++++++++++++++++++-------- - pkg/spec/spec.go | 8 +++ - 3 files changed, 132 insertions(+), 48 deletions(-) - -diff --git a/libpod/container_api.go b/libpod/container_api.go -index fe66abf7a8f..b10596f6228 100644 ---- a/libpod/container_api.go -+++ b/libpod/container_api.go -@@ -2,7 +2,6 @@ package libpod - - import ( - "context" -- "fmt" - "io/ioutil" - "os" - "strconv" -@@ -11,9 +10,7 @@ import ( - - "github.com/containers/libpod/libpod/driver" - "github.com/containers/libpod/pkg/inspect" -- "github.com/containers/libpod/pkg/lookup" - "github.com/containers/storage/pkg/stringid" -- "github.com/docker/docker/daemon/caps" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" - "k8s.io/apimachinery/pkg/util/wait" -@@ -260,8 +257,6 @@ func (c *Container) Kill(signal uint) er - // TODO allow specifying streams to attach to - // TODO investigate allowing exec without attaching - func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error { -- var capList []string -- - locked := false - if !c.batched { - locked = true -@@ -284,22 +279,8 @@ func (c *Container) Exec(tty, privileged - if conState != ContainerStateRunning { - return errors.Errorf("cannot exec into container that is not running") - } -- if privileged || c.config.Privileged { -- capList = caps.GetAllCapabilities() -- } - -- // If user was set, look it up in the container to get a UID to use on -- // the host -- hostUser := "" -- if user != "" { -- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil) -- if err != nil { -- return err -- } -- -- // runc expects user formatted as uid:gid -- hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid) -- } -+ isPrivileged := privileged || c.config.Privileged - - // Generate exec session ID - // Ensure we don't conflict with an existing session ID -@@ -321,10 +303,11 @@ func (c *Container) Exec(tty, privileged - - logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID) - -- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID) -+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged) - if err != nil { - return errors.Wrapf(err, "error exec %s", c.ID()) - } -+ defer os.Remove(processFile) - - pidFile := c.execPidPath(sessionID) - // 1 second seems a reasonable time to wait -diff --git a/libpod/oci.go b/libpod/oci.go -index a1894b52fbe..79217dced5d 100644 ---- a/libpod/oci.go -+++ b/libpod/oci.go -@@ -15,10 +15,12 @@ import ( - "syscall" - "time" - -+ "github.com/containers/libpod/pkg/lookup" - "github.com/containers/libpod/pkg/ctime" - "github.com/containers/libpod/pkg/rootless" - "github.com/coreos/go-systemd/activation" - "github.com/cri-o/ocicni/pkg/ocicni" -+ "github.com/docker/docker/daemon/caps" - spec "github.com/opencontainers/runtime-spec/specs-go" - "github.com/opencontainers/selinux/go-selinux" - "github.com/opencontainers/selinux/go-selinux/label" -@@ -689,18 +691,23 @@ func (r *OCIRuntime) unpauseContainer(ct - // TODO: Add --detach support - // TODO: Convert to use conmon - // TODO: add --pid-file and use that to generate exec session tracking --func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) { -+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) { - if len(cmd) == 0 { -- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute") -+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute") - } - - if sessionID == "" { -- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec") -+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec") - } - - runtimeDir, err := GetRootlessRuntimeDir() - if err != nil { -- return nil, err -+ return nil, "", err -+ } -+ -+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged) -+ if err != nil { -+ return nil, "", err - } - - args := []string{} -@@ -710,32 +717,14 @@ func (r *OCIRuntime) execContainer(c *Co - - args = append(args, "exec") - -- if cwd != "" { -- args = append(args, "--cwd", cwd) -- } -+ args = append(args, "--process", processFile) - - args = append(args, "--pid-file", c.execPidPath(sessionID)) - -- if tty { -- args = append(args, "--tty") -- } -- -- if user != "" { -- args = append(args, "--user", user) -- } -- - if c.config.Spec.Process.NoNewPrivileges { - args = append(args, "--no-new-privs") - } - -- for _, cap := range capAdd { -- args = append(args, "--cap", cap) -- } -- -- for _, envVar := range env { -- args = append(args, "--env", envVar) -- } -- - // Append container ID and command - args = append(args, c.ID()) - args = append(args, cmd...) -@@ -749,10 +738,10 @@ func (r *OCIRuntime) execContainer(c *Co - execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir)) - - if err := execCmd.Start(); err != nil { -- return nil, errors.Wrapf(err, "cannot start container %s", c.ID()) -+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID()) - } - -- return execCmd, nil -+ return execCmd, processFile, nil - } - - // execStopContainer stops all active exec sessions in a container -@@ -831,3 +820,110 @@ func (r *OCIRuntime) checkpointContainer - return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "checkpoint", - "--image-path", imagePath, "--work-path", workPath, ctr.ID()) - } -+ -+// prepareProcessExec returns the path of the process.json used in runc exec -p. -+// Returns path to the created exec process file. This will need to be removed -+// by the caller when they're done, best effort. -+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) { -+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID)) -+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600) -+ if err != nil { -+ return "", err -+ } -+ defer f.Close() -+ -+ pspec := c.config.Spec.Process -+ pspec.SelinuxLabel = c.config.ProcessLabel -+ pspec.Args = cmd -+ // We need to default this to false else it will inherit terminal as true -+ // from the container. -+ pspec.Terminal = false -+ if tty { -+ pspec.Terminal = true -+ } -+ if len(env) > 0 { -+ pspec.Env = append(pspec.Env, env...) -+ } -+ -+ if cwd != "" { -+ pspec.Cwd = cwd -+ -+ } -+ -+ var addGroups []string -+ var sgids []uint32 -+ -+ // if the user is empty, we should inherit the user that the container is currently running with -+ if user == "" { -+ user = c.config.User -+ addGroups = c.config.Groups -+ } -+ -+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil) -+ if err != nil { -+ return "", err -+ } -+ -+ if len(addGroups) > 0 { -+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil) -+ if err != nil { -+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID) -+ } -+ } -+ -+ // If user was set, look it up in the container to get a UID to use on -+ // the host -+ if user != "" || len(sgids) > 0 { -+ if user != "" { -+ for _, sgid := range execUser.Sgids { -+ sgids = append(sgids, uint32(sgid)) -+ } -+ } -+ processUser := spec.User{ -+ UID: uint32(execUser.Uid), -+ GID: uint32(execUser.Gid), -+ AdditionalGids: sgids, -+ } -+ -+ pspec.User = processUser -+ } -+ -+ allCaps := caps.GetAllCapabilities() -+ pspec.Capabilities.Effective = []string{} -+ if privileged { -+ pspec.Capabilities.Bounding = allCaps -+ } else { -+ pspec.Capabilities.Bounding = []string{} -+ } -+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding -+ if execUser.Uid == 0 { -+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding -+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding -+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding -+ } else { -+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective -+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective -+ } -+ -+ hasHomeSet := false -+ for _, s := range pspec.Env { -+ if strings.HasPrefix(s, "HOME=") { -+ hasHomeSet = true -+ break -+ } -+ } -+ if !hasHomeSet { -+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home)) -+ } -+ -+ processJSON, err := json.Marshal(pspec) -+ if err != nil { -+ return "", err -+ } -+ -+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil { -+ return "", err -+ } -+ -+ return filename, nil -+} -diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go -index 46105af4aef..d4f13711859 100644 ---- a/pkg/spec/spec.go -+++ b/pkg/spec/spec.go -@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint - } - } else { - g.SetupPrivileged(true) -+ if config.User != "" { -+ user := strings.SplitN(config.User, ":", 2)[0] -+ if user != "root" && user != "0" { -+ g.Spec().Process.Capabilities.Effective = []string{} -+ g.Spec().Process.Capabilities.Permitted = []string{} -+ g.Spec().Process.Capabilities.Ambient = []string{} -+ } -+ } - } - - // HANDLE SECCOMP diff --git a/v1.0.10.tar.gz b/go-md2man-1.0.10.tar.gz similarity index 100% rename from v1.0.10.tar.gz rename to go-md2man-1.0.10.tar.gz diff --git a/libpod-e4a1553.tar.gz b/podman-3.1.0.tar.gz similarity index 36% rename from libpod-e4a1553.tar.gz rename to podman-3.1.0.tar.gz index b0723a3a28cfa043f81c1c1efbba60ccfd60a2fb..8118d42cc9f38ae660fa4ae69497cda5d4b2f20b 100644 Binary files a/libpod-e4a1553.tar.gz and b/podman-3.1.0.tar.gz differ diff --git a/podman.spec b/podman.spec index d3890e2278fe490f171abbd07779ac27d2a823d1..4f37dac1b0929b0f8f6be210e71cad62d5497d41 100644 --- a/podman.spec +++ b/podman.spec @@ -1,145 +1,25 @@ Name: podman -Version: 0.10.1 -Release: 10 -Summary: A daemonless container engine for managing Containers +Version: 3.1.0 +Release: 1 +Summary: A tool for managing OCI containers and pods Epoch: 1 License: ASL 2.0 URL: https://podman.io/ -Source0: https://github.com/containers/libpod/archive/e4a155328fb88590fafd3d4e845f9bca49133f62/libpod-e4a1553.tar.gz -Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz +Source0: https://github.com/containers/podman/archive/v%{version}/podman-%{version}.tar.gz +Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10/go-md2man-1.0.10.tar.gz BuildRequires: golang btrfs-progs-devel glib2-devel glibc-devel glibc-static BuildRequires: git gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel -BuildRequires: libselinux-devel ostree-devel pkgconfig make +BuildRequires: libselinux-devel ostree-devel pkgconfig make systemd systemd-devel Requires: docker-runc containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon Requires: (container-selinux if selinux-policy) Recommends: slirp4netns -Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e -Provides: bundled(golang(github.com/blang/semver)) = v3.5.0 -Provides: bundled(golang(github.com/boltdb/bolt)) = master -Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3 -Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0 -Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b -Provides: bundled(golang(github.com/containerd/continuity)) = master -Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1 -Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418 -Provides: bundled(golang(github.com/containers/psgo)) = 5dde6da0bc8831b35243a847625bcf18183bd1ee -Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23 -Provides: bundled(golang(github.com/coreos/go-systemd)) = v14 -Provides: bundled(golang(github.com/cri-o/ocicni)) = master -Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1 -Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0 -Provides: bundled(golang(github.com/docker/distribution)) = 7a8efe719e55bbfaff7bc5718cdf0ed51ca821df -Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00 -Provides: bundled(golang(github.com/docker/docker-credential-helpers)) = d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1 -Provides: bundled(golang(github.com/docker/go-connections)) = 3ede32e2033de7505e6500d6c868c2b9ed9f169d -Provides: bundled(golang(github.com/docker/go-units)) = v0.3.2 -Provides: bundled(golang(github.com/docker/libtrust)) = aabc10ec26b754e797f9028f4589c5b7bd90dc20 -Provides: bundled(golang(github.com/docker/spdystream)) = ed496381df8283605c435b86d4fdd6f4f20b8c6e -Provides: bundled(golang(github.com/fatih/camelcase)) = f6a740d52f961c60348ebb109adde9f4635d7540 -Provides: bundled(golang(github.com/fsnotify/fsnotify)) = 7d7316ed6e1ed2de075aab8dfc76de5d158d66e1 -Provides: bundled(golang(github.com/fsouza/go-dockerclient)) = master -Provides: bundled(golang(github.com/ghodss/yaml)) = 04f313413ffd65ce25f2541bfd2b2ceec5c0908c -Provides: bundled(golang(github.com/godbus/dbus)) = a389bdde4dd695d414e47b755e95e72b7826432c -Provides: bundled(golang(github.com/gogo/protobuf)) = c0656edd0d9eab7c66d1eb0c568f9039345796f7 -Provides: bundled(golang(github.com/golang/glog)) = 23def4e6c14b4da8ac2ed8007337bc5eb5007998 -Provides: bundled(golang(github.com/golang/groupcache)) = b710c8433bd175204919eb38776e944233235d03 -Provides: bundled(golang(github.com/golang/protobuf)) = 4bd1920723d7b7c925de087aa32e2187708897f7 -Provides: bundled(golang(github.com/googleapis/gnostic)) = 0c5108395e2debce0d731cf0287ddf7242066aba -Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c -Provides: bundled(golang(github.com/gorilla/context)) = v1.1 -Provides: bundled(golang(github.com/gorilla/mux)) = v1.3.0 -Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55 -Provides: bundled(golang(github.com/hashicorp/golang-lru)) = 0a025b7e63adc15a622f29b0b2c4c3848243bbf6 -Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe4df460eeb6f30841ae47d4c4 -Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2 -Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0 -Provides: bundled(golang(github.com/kr/pty)) = v1.0.0 -Provides: bundled(golang(github.com/mailru/easyjson)) = 03f2033d19d5860aef995fe360ac7d395cd8ce65 -Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1 -Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a -Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982 -Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1 -Provides: bundled(golang(github.com/mrunalp/fileutils)) = master -Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9 -Provides: bundled(golang(github.com/Nvveen/Gotty)) = master -Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0 -Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de -Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0 -Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = master -Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a -Provides: bundled(golang(github.com/openshift/imagebuilder)) = master -Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master -Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0 -Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2 -Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac -Provides: bundled(golang(github.com/projectatomic/buildah)) = 745bf7e56bda740ce7cfc55318da08529e5ed519 -Provides: bundled(golang(github.com/seccomp/containers-golang)) = master -Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0 -Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0 -Provides: bundled(golang(github.com/spf13/pflag)) = 9ff6c6923cfffbcd502984b8e0c80539a94968b7 -Provides: bundled(golang(github.com/stretchr/testify)) = 4d4bfba8f1d1027c4fdbe371823030df51419987 -Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b3855136a2642b197bad7366ba -Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6 -Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4 -Provides: bundled(golang(github.com/ulule/deepcopier)) = master -Provides: bundled(golang(github.com/urfave/cli)) = 934abfb2f102315b5794e15ebc7949e4ca253920 -Provides: bundled(golang(github.com/varlink/go)) = master -Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2 -Provides: bundled(golang(github.com/vishvananda/netlink)) = master -Provides: bundled(golang(github.com/vishvananda/netns)) = master -Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = master -Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = master -Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = master -Provides: bundled(golang(golang.org/x/crypto)) = 81e90905daefcd6fd217b62423c0908922eadb30 -Provides: bundled(golang(golang.org/x/net)) = c427ad74c6d7a814201695e9ffde0c5d400a7674 -Provides: bundled(golang(golang.org/x/sys)) = master -Provides: bundled(golang(golang.org/x/text)) = f72d8390a633d5dfb0cc84043294db9f6c935756 -Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631 -Provides: bundled(golang(google.golang.org/grpc)) = v1.0.4 -Provides: bundled(golang(gopkg.in/cheggaaa/pb.v1)) = v1.0.7 -Provides: bundled(golang(gopkg.in/inf.v0)) = v0.9.0 -Provides: bundled(golang(gopkg.in/mgo.v2)) = v2 -Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = v2.1.3 -Provides: bundled(golang(gopkg.in/yaml.v2)) = v2 -Provides: bundled(golang(k8s.io/api)) = 5ce4aa0bf2f097f6021127b3d879eeda82026be8 -Provides: bundled(golang(k8s.io/apiextensions-apiserver)) = 1b31e26d82f1ec2e945c560790e98f34bb5f2e63 -Provides: bundled(golang(k8s.io/apimachinery)) = 616b23029fa3dc3e0ccefd47963f5651a6543d94 -Provides: bundled(golang(k8s.io/apiserver)) = 4d1163080139f1f9094baf8a3a6099e85e1867f6 -Provides: bundled(golang(k8s.io/client-go)) = 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e -Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee5560b555ac9 -Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e - -Patch1: 0001-podman-patch-for-local-search.patch -Patch2: CVE-2021-20188-PRE1.patch -Patch3: CVE-2021-20188-PRE2.patch -Patch4: CVE-2021-20188-PRE3.patch -Patch5: CVE-2021-20188.patch -Patch6: 0002-Fix-the-invalid-memory-address-reference.patch -Patch7: 0003-eat-signal-23-in-signal-proxy.patch +# vendored libraries +# awk '{print "Provides: bundled(golang("$1")) = "$2}' go.mod %description Podman manages the entire container ecosystem which includes pods, -containers, container images, and container volumes using the libpod library. - -%package -n python3-podman -Summary: Python 3 bindings and client for podman -BuildArch: noarch -BuildRequires: python3-devel python3-setuptools python3-varlink -Requires: python3-setuptools python3-varlink python3-dateutil python3-humanize python3-psutil -Provides: python3-%{name} = %{version}-%{release} - -%description -n python3-podman -The python3-podman package containers a module that allows you to connect to a Podman socket activated systemdservice on the same host or a remote host using a ssh tunnel. - -%package -n python3-pypodman -Summary: Python 3 tool for podman -BuildArch: noarch -BuildRequires: python3-devel python3-setuptools python3-varlink -Requires: python3-setuptools python3-varlink python3-dateutil python3-psutil - -%description -n python3-pypodman -Python 3 tool for podman. +containers, container images, and container volumes using the libpod library. %package docker Summary: Docker CLI emulator for podman @@ -150,6 +30,17 @@ Conflicts: docker docker-latest docker-ce docker-ee moby-engine %description docker This package installs a script named docker, which emulates the Docker CLI through podman command. +%package remote +Summary: (Experimental) Remote client for managing %{name} containers + +%description remote +Remote client for managing %{name} containers. +This experimental remote client is under heavy development. Please do not +run %{name}-remote in production. +%{name}-remote uses the version 2 API to connect to a %{name} client to +manage pods, containers and container images. %{name}-remote supports ssh +connections as well. + %package help Summary: Help document for the podman package Conflicts: docker docker-latest docker-ce docker-ee moby-engine @@ -158,73 +49,86 @@ Conflicts: docker docker-latest docker-ce docker-ee moby-engine Help document for the podman package %prep -%autosetup -Sgit -n libpod-e4a155328fb88590fafd3d4e845f9bca49133f62 -p1 -sed -i '/\/bin\/env/d' completions/bash/%{name} -sed -i 's/0.0.0/%{version}/' contrib/python/%{name}/setup.py -sed -i 's/0.0.0/%{version}/' contrib/python/py%{name}/setup.py -mv pkg/hooks/README.md pkg/hooks/README-hooks.md -tar -xf %SOURCE1 +%autosetup -p1 +tar -zxf %{SOURCE1} %build -mkdir -p _build/bin _output/bin -cd go-md2man-* -go build -mod=vendor -o ../_build/bin/go-md2man . -cp ../_build/bin/go-md2man ../_output/bin/go-md2man -cd - +# build go-md2man +pushd go-md2man-* +mkdir _build +pushd _build +mkdir -p src/github.com/cpuguy83/ +ln -s ../../../../ src/github.com/cpuguy83/go-md2man +popd +ln -s vendor src +export GOPATH=$(pwd)/_build:$(pwd) +go build -mod=vendor -o bin/go-md2man github.com/cpuguy83/go-md2man +popd + +# build podman +mkdir -p _build/bin +cp go-md2man-*/bin/go-md2man _build/bin cd _build mkdir -p src/github.com/containers -ln -s ../../../../ src/github.com/containers/libpod +ln -s ../../../../ src/github.com/containers/podman cd - ln -s vendor src -export GOPATH=$(pwd)/_build:$(pwd):$(pwd):%{gopath} +export GOPATH=$(pwd)/_build:$(pwd):%{gopath} export BUILDTAGS="varlink selinux seccomp $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh) exclude_graphdriver_devicemapper" -go generate ./cmd/%{name}/varlink/... -BUILDTAGS=$BUILDTAGS make binaries docs +BUILDTAGS=$BUILDTAGS make %{?_smp_mflags} binaries docs docker-docs %install +export GOPATH=$(pwd)/_build:$(pwd):%{gopath} install -dp %{buildroot}%{_unitdir} make PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \ - install.bin install.man install.cni install.systemd install.completions install.docker - -%{__make} DESTDIR=%{buildroot} install.python + install.bin install.man install.cni install.systemd install.completions install.docker install.docker-docs install.remote -install -Dp -m644 libpod.conf %{buildroot}%{_datadir}/containers/libpod.conf +mv pkg/hooks/README.md pkg/hooks/README-hooks.md %global license %doc %files %license LICENSE -%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md +%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md CODE-OF-CONDUCT.md transfer.md %{_bindir}/%{name} -%{_datadir}/bash-completion/completions/* +%{_datadir}/bash-completion/completions/%{name} +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_%{name} +%dir %{_datadir}/fish/vendor_completions.d +%{_datadir}/fish/vendor_completions.d/%{name}.fish %config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist -%{_datadir}/containers/libpod.conf -%{_unitdir}/{io.%{name}.service,io.%{name}.socket} +%{_unitdir}/%{name}-auto-update.service +%{_unitdir}/%{name}-auto-update.timer +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}.socket +%{_userunitdir}/%{name}-auto-update.service +%{_userunitdir}/%{name}-auto-update.timer +%{_userunitdir}/%{name}.service +%{_userunitdir}/%{name}.socket %{_usr}/lib/tmpfiles.d/%{name}.conf -%files -n python3-podman -%license LICENSE -%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md -%dir %{python3_sitelib}/%{name} -%{python3_sitelib}/%{name}/* -%{python3_sitelib}/%{name}*.egg-info - -%files -n python3-pypodman +%files remote %license LICENSE -%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md -%dir %{python3_sitelib}/py%{name} -%{python3_sitelib}/py%{name}/* -%{python3_sitelib}/py%{name}*.egg-info -%{_bindir}/py%{name} +%{_bindir}/%{name}-remote +%{_mandir}/man1/%{name}-remote*.* +%{_datadir}/bash-completion/completions/%{name}-remote +%dir %{_datadir}/fish/vendor_completions.d +%{_datadir}/fish/vendor_completions.d/%{name}-remote.fish +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_%{name}-remote %files docker %{_bindir}/docker +%{_usr}/lib/tmpfiles.d/%{name}-docker.conf %files help %{_mandir}/man1/{docker*.1*,podman*.1*} %{_mandir}/man5/*.5* %changelog +* Tue Apr 06 2021 maminjie - 1:3.1.0-1 +- Upgrade to 3.1.0 + * Wed Mar 31 2021 maminjie - 1:0.10.1-10 - Eat signal 23 in signal proxy - Require container-selinux only when selinux-policy is installed diff --git a/podman.yaml b/podman.yaml index 9f95c1c79ea55ce152981eb9a856c04b0359a95c..33bcc56584bff90ac19102c2f10d838d7772c08a 100644 --- a/podman.yaml +++ b/podman.yaml @@ -1,4 +1,4 @@ version_control: github -src_repo: containers/libpod +src_repo: containers/podman tag_prefix: ^v seperator: .