From ea641b151beb3064af6b64147ac705ffbc8776a2 Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Mon, 11 Nov 2024 06:42:19 -0700 Subject: [PATCH] DO NOT MERGE: vendor in buildah @ v1.37.1-0.20241111124227-596bbedbd431 This is a JUNK COMMIT from buildah-vendor-treadmill-x v0.3. DO NOT MERGE! This is just a way to keep the buildah-podman vendoring in sync. Refer to: https://github.com/containers/podman/wiki/Buildah-Vendor-Treadmill Signed-off-by: Ed Santiago --- .cirrus.yml | 60 +++-- go.mod | 10 +- go.sum | 20 +- .../github.com/containers/buildah/.cirrus.yml | 6 +- .../containers/buildah/CHANGELOG.md | 121 ++++++++++ .../containers/buildah/changelog.txt | 120 ++++++++++ .../containers/buildah/define/types.go | 2 +- .../libnetwork/resolvconf/resolvconf.go | 15 +- .../common/pkg/cgroups/systemd_linux.go | 74 ++++++- .../common/pkg/netns/netns_linux.go | 51 +++-- .../common/pkg/subscriptions/subscriptions.go | 206 ++++++++++++------ .../containers/common/version/version.go | 2 +- .../containers/image/v5/version/version.go | 2 +- vendor/github.com/containers/storage/VERSION | 2 +- vendor/modules.txt | 12 +- 15 files changed, 561 insertions(+), 142 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 2cc2f71183..8383e43962 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -413,7 +413,8 @@ bindings_task: swagger_task: name: "Test Swagger" alias: swagger - depends_on: *build + depends_on: + - buildah_bud_test gce_instance: *standardvm env: <<: *stdenvars @@ -441,7 +442,8 @@ win_installer_task: CONTAINERS_MACHINE_PROVIDER: 'hyperv' alias: win_installer only_if: *no_rhel_release - depends_on: *build + depends_on: + - buildah_bud_test ec2_instance: &windows image: "${WINDOWS_AMI}" type: m5.large 
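Review bot: Replacing `depends_on: *build` with the single entry `buildah_bud_test` in the `swagger_task` hunk makes that task's ordering after the build job only transitive: it still runs after `build` only if `buildah_bud_test_task` itself keeps depending on it, and that task's header is outside this hunk. The same rewrite is applied to every other task in this file (the win_installer, docker-py, unit, apiv2, compose, local/container/rootless integration, podman_machine*, local/rootless system, farm and upgrade hunks), so one failing or cancelled buildah_bud_test job now blocks the whole downstream pipeline, and the `&build` anchor may be left without a reference. If this is the intended fail-fast gate for the treadmill, a one-line YAML comment at the first rewritten `depends_on`, e.g. `# treadmill: every task is gated on buildah_bud_test, which itself depends on build`, would keep the next reader from reverting it.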
@@ -509,7 +511,8 @@ docker-py_test_task: changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/python/**') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test gce_instance: *standardvm env: <<: *stdenvars @@ -536,7 +539,8 @@ unit_test_task: changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('**/*_test.go') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test matrix: - env: *stdenvars # Special-case: Rootless on latest Fedora (standard) VM @@ -566,7 +570,8 @@ apiv2_test_task: changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/apiv2/**', 'test/python/**') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test gce_instance: *standardvm env: <<: *stdenvars @@ -595,7 +600,8 @@ compose_test_task: changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/compose/**') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test gce_instance: *standardvm matrix: - env: 
@@ -627,7 +633,8 @@ local_integration_test_task: &local_integration_test_task changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/e2e/**', 'test/utils/**') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test matrix: *platform_axis # integration tests scale well with cpu as they are parallelized # so we give these tests 4 cores to make them faster @@ -662,7 +669,8 @@ container_integration_test_task: alias: container_integration_test # Docs: ./contrib/cirrus/CIModes.md only_if: *only_if_int_test - depends_on: *build + depends_on: + - buildah_bud_test matrix: &fedora_vm_axis - env: DISTRO_NV: ${FEDORA_NAME} @@ -689,7 +697,8 @@ rootless_integration_test_task: alias: rootless_integration_test # Docs: ./contrib/cirrus/CIModes.md only_if: *only_if_int_test - depends_on: *build + depends_on: + - buildah_bud_test matrix: *platform_axis gce_instance: *fastvm env: @@ -712,7 +721,8 @@ podman_machine_task: $CIRRUS_CHANGE_TITLE =~ '.*CI:ALL.*' || changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('cmd/podman/machine/**', 'pkg/machine/**', '**/*machine*.go') - depends_on: *build + depends_on: + - buildah_bud_test ec2_instance: image: "${VM_IMAGE_NAME}" type: "${EC2_INST_TYPE}" @@ -734,7 +744,8 @@ podman_machine_aarch64_task: name: *std_name_fmt alias: podman_machine_aarch64 only_if: *only_if_machine_test - depends_on: *build + depends_on: + - buildah_bud_test ec2_instance: <<: *standard_build_ec2_aarch64 timeout_in: 30m 
@@ -767,7 +778,8 @@ podman_machine_windows_task: skip: &skip_rhel_release | $CIRRUS_BRANCH =~ 'v[0-9\.]+-rhel' || $CIRRUS_BASE_BRANCH =~ 'v[0-9\.]+-rhel' - depends_on: *build + depends_on: + - buildah_bud_test ec2_instance: <<: *windows type: m5zn.metal @@ -793,7 +805,8 @@ podman_machine_mac_task: alias: podman_machine_mac only_if: *only_if_machine_test skip: *skip_rhel_release - depends_on: *build + depends_on: + - buildah_bud_test persistent_worker: *mac_pw timeout_in: 35m env: @@ -849,7 +862,8 @@ local_system_test_task: &local_system_test_task changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/system/**') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test matrix: *platform_axis gce_instance: *fastvm timeout_in: 25m @@ -866,7 +880,8 @@ local_system_test_aarch64_task: &local_system_test_task_aarch64 alias: local_system_test_aarch64 # Docs: ./contrib/cirrus/CIModes.md only_if: *only_if_system_test - depends_on: *build + depends_on: + - buildah_bud_test ec2_instance: *standard_build_ec2_aarch64 timeout_in: 35m env: @@ -918,7 +933,8 @@ rootless_system_test_task: alias: rootless_system_test # Docs: ./contrib/cirrus/CIModes.md only_if: *only_if_system_test - depends_on: *build + depends_on: + - buildah_bud_test matrix: *platform_axis gce_instance: *fastvm timeout_in: 25m @@ -944,7 +960,8 @@ farm_test_task: changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/farm/**', 'test/system/*.bash') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test gce_instance: *standardvm env: <<: *stdenvars 
@@ -976,6 +993,12 @@ buildah_bud_test_task: PODBIN_NAME: podman - env: PODBIN_NAME: remote + - env: + PODBIN_NAME: podman + PRIV_NAME: rootless + - env: + PODBIN_NAME: remote + PRIV_NAME: rootless gce_instance: *standardvm timeout_in: 45m clone_script: *get_gosrc @@ -996,7 +1019,8 @@ upgrade_test_task: changesInclude('.cirrus.yml', 'Makefile', 'contrib/cirrus/**', 'vendor/**', 'test/tools/**', 'test/registries*.conf', 'hack/**', 'version/rawversion/*') || changesInclude('test/upgrade/**', 'test/system/*.bash') || (changesInclude('**/*.go', '**/*.c', '**/*.h') && !changesIncludeOnly('test/**', 'pkg/machine/e2e/**')) - depends_on: *build + depends_on: + - buildah_bud_test matrix: - env: # 2024-02: as long as possible/reasonable, try to keep diff --git a/go.mod b/go.mod index aada4519d0..d2a76f5cf4 100644 --- a/go.mod +++ b/go.mod @@ -13,15 +13,15 @@ require ( github.com/checkpoint-restore/checkpointctl v1.3.0 github.com/checkpoint-restore/go-criu/v7 v7.2.0 github.com/containernetworking/plugins v1.5.1 - github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a - github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832 + github.com/containers/buildah v1.37.1-0.20241111124227-596bbedbd431 + github.com/containers/common v0.61.0 github.com/containers/conmon v2.0.20+incompatible github.com/containers/gvisor-tap-vsock v0.8.0 - github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1 + github.com/containers/image/v5 v5.33.0 github.com/containers/libhvee v0.7.1 github.com/containers/ocicrypt v1.2.0 github.com/containers/psgo v1.9.0 - github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9 + github.com/containers/storage v1.56.0 github.com/containers/winquit v1.1.0 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 github.com/crc-org/crc/v2 v2.38.0 
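Review bot: The two matrix entries added to `buildah_bud_test_task` set `PRIV_NAME: rootless`, but nothing in the hunk says where the existing two entries get their PRIV_NAME from or that the shared `gce_instance: *standardvm` settings are meant for rootless runs as well; a short comment above the new entries, e.g. `# rootless legs of the bud matrix; the two entries above run with the default PRIV_NAME`, would document the intent, provided that default is indeed what the other entries inherit, which this hunk does not show. Because every other task in this file is rewritten in the same commit to depend on buildah_bud_test, doubling this matrix also lengthens the critical path of the whole pipeline by the slowest of the four legs.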
@@ -170,7 +170,7 @@ require ( github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect - github.com/moby/buildkit v0.17.0 // indirect + github.com/moby/buildkit v0.17.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect diff --git a/go.sum b/go.sum index 47616c2f52..e0ae1bd352 100644 --- a/go.sum +++ b/go.sum 
@@ -79,16 +79,16 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M= github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ= github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM= -github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a h1:0ZkxeT5b46pyfvwnplL3yxI4XscQXFoXWVpn619qIYA= -github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a/go.mod h1:zyzg/OC40RZUl6NxvPkBHjaPHKFNGsAMyd8JrbseNwE= -github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832 h1:bu0QHPZns2JbbaEArh+Khs9ajAoX8/biSdBYWAD+/Ec= -github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832/go.mod h1:7MOGFZ12UTBYSPxvQpBBJHTbHho0qizdMR6MlDZwGBA= +github.com/containers/buildah v1.37.1-0.20241111124227-596bbedbd431 h1:heUWaY1b+BU0nOO5hiqOI8vkjDK3vkhFGGHi6UZckic= +github.com/containers/buildah v1.37.1-0.20241111124227-596bbedbd431/go.mod h1:tUsHC2bcgR5Q/R76qZUn7x0FRglqPFry2g5KhWfH4LI= +github.com/containers/common v0.61.0 h1:j/84PTqZIKKYy42OEJsZmjZ4g4Kq2ERuC3tqp2yWdh4= +github.com/containers/common v0.61.0/go.mod h1:NGRISq2vTFPSbhNqj6MLwyes4tWSlCnqbJg7R77B8xc= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/gvisor-tap-vsock v0.8.0 h1:Z8ZEWb+Lio0d+lXexONdUWT4rm9lF91vH0g3ARnMy7o= github.com/containers/gvisor-tap-vsock v0.8.0/go.mod h1:LVwnMiNvhxyGfhaMEQcXKJhNnN4h8woB9U3wf8rYOPc= -github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1 h1:QOxFuqs21puYp9EnMaAEMgygtSORUYKn0felPS4rXa0= -github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1/go.mod h1:qsONoo3ZvAnrwa2+49bY6m3ewtJO5+A1AaELCtGuDKc= +github.com/containers/image/v5 v5.33.0 
h1:6oPEFwTurf7pDTGw7TghqGs8K0+OvPtY/UyzU0B2DfE= +github.com/containers/image/v5 v5.33.0/go.mod h1:T7HpASmvnp2H1u4cyckMvCzLuYgpD18dSmabSw0AcHk= github.com/containers/libhvee v0.7.1 h1:dWGF5GLq9DZvXo3P8aDp3cNieL5eCaSell4UmeA/jY4= github.com/containers/libhvee v0.7.1/go.mod h1:fRKB3AyIqHMvq6xaeYhTpckM2cdoq0oecolyoiuLP7M= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= @@ -99,8 +99,8 @@ github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sir github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U= github.com/containers/psgo v1.9.0 h1:eJ74jzSaCHnWt26OlKZROSyUyRcGDf+gYBdXnxrMW4g= github.com/containers/psgo v1.9.0/go.mod h1:0YoluUm43Mz2UnBIh1P+6V6NWcbpTL5uRtXyOcH0B5A= -github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9 h1:qB+KgM08F5GEGzdzrWLUHs41NU6d/+TUMEP2xMeyjGs= -github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9/go.mod h1:c6WKowcAlED/DkWGNuL9bvGYqIWCVy7isRMdCSKWNjk= +github.com/containers/storage v1.56.0 h1:DZ9KSkj6M2tvj/4bBoaJu3QDHRl35BwsZ4kmLJS97ZI= +github.com/containers/storage v1.56.0/go.mod h1:c6WKowcAlED/DkWGNuL9bvGYqIWCVy7isRMdCSKWNjk= github.com/containers/winquit v1.1.0 h1:jArun04BNDQvt2W0Y78kh9TazN2EIEMG5Im6/JY7+pE= github.com/containers/winquit v1.1.0/go.mod h1:PsPeZlnbkmGGIToMPHF1zhWjBUkd8aHjMOr/vFcPxw8= github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= 
@@ -359,8 +359,8 @@ github.com/mistifyio/go-zfs/v3 v3.0.1 h1:YaoXgBePoMA12+S1u/ddkv+QqxcfiZK4prI6HPn github.com/mistifyio/go-zfs/v3 v3.0.1/go.mod h1:CzVgeB0RvF2EGzQnytKVvVSDwmKJXxkOTUGbNrTja/k= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/buildkit v0.17.0 h1:ZA/4AxwBbve1f3ZaNNJQiCBtTV62R6YweWNwq4A+sTc= -github.com/moby/buildkit v0.17.0/go.mod h1:ru8NFyDHD8HbuKaLXJIjK9nr3x6FZR+IWjtF07S+wdM= +github.com/moby/buildkit v0.17.1 h1:VWj6eIdk7u6acHPn2CiA+tdq0/mQoBEk9ckweRzWmPw= +github.com/moby/buildkit v0.17.1/go.mod h1:ru8NFyDHD8HbuKaLXJIjK9nr3x6FZR+IWjtF07S+wdM= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml index 58a8f1b155..d3b666433e 100644 --- a/vendor/github.com/containers/buildah/.cirrus.yml +++ b/vendor/github.com/containers/buildah/.cirrus.yml @@ -27,12 +27,12 @@ env: #### # GCE project where images live IMAGE_PROJECT: "libpod-218412" - FEDORA_NAME: "fedora-40" - PRIOR_FEDORA_NAME: "fedora-39" + FEDORA_NAME: "fedora-41" + PRIOR_FEDORA_NAME: "fedora-40" DEBIAN_NAME: "debian-13" # Image identifiers - IMAGE_SUFFIX: "c20241010t105554z-f40f39d13" + IMAGE_SUFFIX: "c20241107t210000z-f41f40d13" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}" diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index 0886d41906..4594421545 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md 
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md 
@@ -2,6 +2,127 @@ # Changelog +## v1.38.0 (2024-11-08) + + Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0 + fix(deps): update module golang.org/x/crypto to v0.29.0 + fix(deps): update module github.com/moby/buildkit to v0.17.1 + fix(deps): update module github.com/containers/storage to v1.56.0 + tests: skip two ulimit tests + CI VMs: bump f40 -> f41 + tests/tools: rebuild tools when we change versions + tests/tools: update golangci-lint to v1.61.0 + fix(deps): update module github.com/moby/buildkit to v0.17.0 + Handle RUN --mount with relative targets and no configured workdir + tests: bud: make parallel-safe + fix(deps): update module github.com/opencontainers/runc to v1.2.1 + fix(deps): update golang.org/x/exp digest to f66d83c + fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a + tests: blobcache: use unique image name + tests: sbom: never write to cwd + tests: mkcw: bug fixes, refactor + deps: bump runc to v1.2.0 + deps: switch to moby/sys/userns + tests/test_runner.sh: remove some redundancies + Integration tests: run git daemon on a random-but-bind()able port + fix(deps): update module github.com/opencontainers/selinux to v1.11.1 + go.mod: remove unnecessary replace + Document more buildah build --secret options + Add support for COPY --exclude and ADD --exclude options + fix(deps): update github.com/containers/luksy digest to e2530d6 + chore(deps): update dependency containers/automation_images to v20241010 + fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4 + Properly validate cache IDs and sources + [skip-ci] Packit: constrain koji job to fedora package to avoid dupes + Audit and tidy OWNERS + fix(deps): update module golang.org/x/crypto to v0.28.0 + tests: add quotes to names + vendor: update c/common to latest + CVE-2024-9407: validate "bind-propagation" flag settings + vendor: switch to moby/sys/capability + Don't set ambient capabilities + Document that zstd:chunked is downgraded to zstd 
when encrypting + fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3 + buildah-manifest-create.1: Fix manpage section + chore(deps): update dependency ubuntu to v24 + Make `buildah manifest push --all` true by default + chroot: add newlines at the end of printed error messages + Do not error on trying to write IMA xattr as rootless + fix: remove duplicate conditions + fix(deps): update module github.com/moby/buildkit to v0.16.0 + fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2 + Document how entrypoint is configured in buildah config + In a container, try to register binfmt_misc + imagebuildah.StageExecutor: clean up volumes/volumeCache + build: fall back to parsing a TARGETPLATFORM build-arg + `manifest add --artifact`: handle multiple values + Packit: split out ELN jobs and reuse fedora downstream targets + Packit: Enable sidetags for bodhi updates + fix(deps): update module github.com/docker/docker to v27.2.1+incompatible + tests/bud.bats: add git source + add: add support for git source + Add support for the new c/common pasta options + vendor latest c/common + fix(deps): update module golang.org/x/term to v0.24.0 + fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0 + packit: update fedora and epel targets + cirrus: disable f39 testing + cirrus: fix fedora names + update to go 1.22 + Vendor c/common:9d025e4cb348 + copier: handle globbing with "**" path components + fix(deps): update golang.org/x/exp digest to 9b4947d + fix(deps): update github.com/containers/luksy digest to 2e7307c + imagebuildah: make scratch config handling toggleable + fix(deps): update module github.com/docker/docker to v27.2.0+incompatible + Add a validation script for Makefile $(SOURCES) + fix(deps): update module github.com/openshift/imagebuilder to v1.2.15 + New VMs + Update some godocs, use 0o to prefix an octal in a comment + buildah-build.1.md: expand the --layer-label description + fix(deps): update module 
github.com/containers/common to v0.60.2 + run: fix a nil pointer dereference on FreeBSD + CI: enable the whitespace linter + Fix some govet linter warnings + Commit(): retry committing to local storage on storage.LayerUnknown + CI: enable the gofumpt linter + conformance: move weirdly-named files out of the repository + fix(deps): update module github.com/docker/docker to v27.1.2+incompatible + fix(deps): update module github.com/containers/common to v0.60.1 + *: use gofmt -s, add gofmt linter + *: fix build tags + fix(deps): update module github.com/containers/image/v5 to v5.32.1 + Add(): re-escape any globbed items that included escapes + conformance tests: use mirror.gcr.io for most images + unit tests: use test-specific policy.json and registries.conf + fix(deps): update module golang.org/x/sys to v0.24.0 + Update to spun-out "github.com/containerd/platforms" + Bump github.com/containerd/containerd + test/tools/Makefile: duplicate the vendor-in-container target + linters: unchecked error + linters: don't end loop iterations with "else" when "then" would + linters: unused arguments shouldn't have names + linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5() + linters: don't name variables "cap" + `make lint`: use --timeout instead of --deadline + Drop the e2e test suite + fix(deps): update module golang.org/x/crypto to v0.26.0 + fix(deps): update module github.com/onsi/gomega to v1.34.1 + `make vendor-in-container`: use the caller's Go cache if it exists + fix(deps): fix test/tools ginkgo typo + fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1 + Update to keep up with API changes in storage + fix(deps): update github.com/containers/luksy digest to 1f482a9 + install: On Debian/Ubuntu, add installation of libbtrfs-dev + fix(deps): update module golang.org/x/sys to v0.23.0 + fix(deps): update golang.org/x/exp digest to 8a7402a + fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2 + Use Epoch: 2 and respect the epoch in 
dependencies. + Bump to Buildah v1.38.0-dev + AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields + Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions + integration tests: teach starthttpd() about TLS and pid files + ## vv1.37.0 (2024-07-26) Bump c/storage, c/image, c/common for v1.37.0 diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index 3d861f4663..2c41aea4e6 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt 
@@ -1,3 +1,123 @@ +- Changelog for v1.38.0 (2024-11-08) + * Bump to c/common v0.61.0, c/image v5.33.0, c/storage v1.56.0 + * fix(deps): update module golang.org/x/crypto to v0.29.0 + * fix(deps): update module github.com/moby/buildkit to v0.17.1 + * fix(deps): update module github.com/containers/storage to v1.56.0 + * tests: skip two ulimit tests + * CI VMs: bump f40 -> f41 + * tests/tools: rebuild tools when we change versions + * tests/tools: update golangci-lint to v1.61.0 + * fix(deps): update module github.com/moby/buildkit to v0.17.0 + * Handle RUN --mount with relative targets and no configured workdir + * tests: bud: make parallel-safe + * fix(deps): update module github.com/opencontainers/runc to v1.2.1 + * fix(deps): update golang.org/x/exp digest to f66d83c + * fix(deps): update github.com/opencontainers/runtime-tools digest to 6c9570a + * tests: blobcache: use unique image name + * tests: sbom: never write to cwd + * tests: mkcw: bug fixes, refactor + * deps: bump runc to v1.2.0 + * deps: switch to moby/sys/userns + * tests/test_runner.sh: remove some redundancies + * Integration tests: run git daemon on a random-but-bind()able port + * fix(deps): update module github.com/opencontainers/selinux to v1.11.1 + * go.mod: remove unnecessary replace + * Document more buildah build --secret options + * Add support for COPY --exclude and ADD --exclude options + * fix(deps): update github.com/containers/luksy digest to e2530d6 + * chore(deps): update dependency containers/automation_images to v20241010 + * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.4 + * Properly validate cache IDs and sources + * [skip-ci] Packit: constrain koji job to fedora package to avoid dupes + * Audit and tidy OWNERS + * fix(deps): update module golang.org/x/crypto to v0.28.0 + * tests: add quotes to names + * vendor: update c/common to latest + * CVE-2024-9407: validate "bind-propagation" flag settings + * vendor: switch to moby/sys/capability + * Don't set 
ambient capabilities + * Document that zstd:chunked is downgraded to zstd when encrypting + * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.3 + * buildah-manifest-create.1: Fix manpage section + * chore(deps): update dependency ubuntu to v24 + * Make `buildah manifest push --all` true by default + * chroot: add newlines at the end of printed error messages + * Do not error on trying to write IMA xattr as rootless + * fix: remove duplicate conditions + * fix(deps): update module github.com/moby/buildkit to v0.16.0 + * fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2 + * Document how entrypoint is configured in buildah config + * In a container, try to register binfmt_misc + * imagebuildah.StageExecutor: clean up volumes/volumeCache + * build: fall back to parsing a TARGETPLATFORM build-arg + * `manifest add --artifact`: handle multiple values + * Packit: split out ELN jobs and reuse fedora downstream targets + * Packit: Enable sidetags for bodhi updates + * fix(deps): update module github.com/docker/docker to v27.2.1+incompatible + * tests/bud.bats: add git source + * add: add support for git source + * Add support for the new c/common pasta options + * vendor latest c/common + * fix(deps): update module golang.org/x/term to v0.24.0 + * fix(deps): update module github.com/fsouza/go-dockerclient to v1.12.0 + * packit: update fedora and epel targets + * cirrus: disable f39 testing + * cirrus: fix fedora names + * update to go 1.22 + * Vendor c/common:9d025e4cb348 + * copier: handle globbing with "**" path components + * fix(deps): update golang.org/x/exp digest to 9b4947d + * fix(deps): update github.com/containers/luksy digest to 2e7307c + * imagebuildah: make scratch config handling toggleable + * fix(deps): update module github.com/docker/docker to v27.2.0+incompatible + * Add a validation script for Makefile $(SOURCES) + * fix(deps): update module github.com/openshift/imagebuilder to v1.2.15 + * New VMs + * Update 
some godocs, use 0o to prefix an octal in a comment + * buildah-build.1.md: expand the --layer-label description + * fix(deps): update module github.com/containers/common to v0.60.2 + * run: fix a nil pointer dereference on FreeBSD + * CI: enable the whitespace linter + * Fix some govet linter warnings + * Commit(): retry committing to local storage on storage.LayerUnknown + * CI: enable the gofumpt linter + * conformance: move weirdly-named files out of the repository + * fix(deps): update module github.com/docker/docker to v27.1.2+incompatible + * fix(deps): update module github.com/containers/common to v0.60.1 + * *: use gofmt -s, add gofmt linter + * *: fix build tags + * fix(deps): update module github.com/containers/image/v5 to v5.32.1 + * Add(): re-escape any globbed items that included escapes + * conformance tests: use mirror.gcr.io for most images + * unit tests: use test-specific policy.json and registries.conf + * fix(deps): update module golang.org/x/sys to v0.24.0 + * Update to spun-out "github.com/containerd/platforms" + * Bump github.com/containerd/containerd + * test/tools/Makefile: duplicate the vendor-in-container target + * linters: unchecked error + * linters: don't end loop iterations with "else" when "then" would + * linters: unused arguments shouldn't have names + * linters: rename checkIdsGreaterThan5() to checkIDsGreaterThan5() + * linters: don't name variables "cap" + * `make lint`: use --timeout instead of --deadline + * Drop the e2e test suite + * fix(deps): update module golang.org/x/crypto to v0.26.0 + * fix(deps): update module github.com/onsi/gomega to v1.34.1 + * `make vendor-in-container`: use the caller's Go cache if it exists + * fix(deps): fix test/tools ginkgo typo + * fix(deps): update module github.com/onsi/ginkgo/v2 to v2.19.1 + * Update to keep up with API changes in storage + * fix(deps): update github.com/containers/luksy digest to 1f482a9 + * install: On Debian/Ubuntu, add installation of libbtrfs-dev + * fix(deps): 
update module golang.org/x/sys to v0.23.0 + * fix(deps): update golang.org/x/exp digest to 8a7402a + * fix(deps): update module github.com/fsouza/go-dockerclient to v1.11.2 + * Use Epoch: 2 and respect the epoch in dependencies. + * Bump to Buildah v1.38.0-dev + * AddAndCopyOptions: add CertPath, InsecureSkipTLSVerify, Retry fields + * Add PrependedLinkedLayers/AppendedLinkedLayers to CommitOptions + * integration tests: teach starthttpd() about TLS and pid files + - Changelog for vv1.37.0 (2024-07-26) * Bump c/storage, c/image, c/common for v1.37.0 * "build with basename resolving user arg" tests: correct ARG use diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index 4f917b7db4..1b85ba1dad 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go @@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.38.0-dev" + Version = "1.39.0-dev" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" diff --git a/vendor/github.com/containers/common/libnetwork/resolvconf/resolvconf.go b/vendor/github.com/containers/common/libnetwork/resolvconf/resolvconf.go index 6b844373d9..97cf48cfd5 100644 --- a/vendor/github.com/containers/common/libnetwork/resolvconf/resolvconf.go +++ b/vendor/github.com/containers/common/libnetwork/resolvconf/resolvconf.go 
@@ -32,11 +32,12 @@ var (
 // ipLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
 ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
 
- localhostNSRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipLocalhost + `\s*\n*`)
- nsIPv6Regexp = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
- nsRegexp = regexp.Delayed(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
- searchRegexp = regexp.Delayed(`^\s*search\s*(([^\s]+\s*)*)$`)
- optionsRegexp = regexp.Delayed(`^\s*options\s*(([^\s]+\s*)*)$`)
+ localhostNSRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipLocalhost + `\s*\n*`)
+ nsIPv6Regexp = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `\s*\n*`)
+ nsIPv6LinkLocalRegexp = regexp.Delayed(`(?m)^nameserver\s+` + ipv6Address + `%.*\s*\n*`)
+ nsRegexp = regexp.Delayed(`^\s*nameserver\s*((` + ipv4Address + `)|(` + ipv6Address + `))\s*$`)
+ searchRegexp = regexp.Delayed(`^\s*search\s*(([^\s]+\s*)*)$`)
+ optionsRegexp = regexp.Delayed(`^\s*options\s*(([^\s]+\s*)*)$`)
 )
 
 // filterResolvDNS cleans up the config in resolvConf. It has two main jobs:
@@ -54,6 +55,10 @@ func filterResolvDNS(resolvConf []byte, ipv6Enabled bool, netnsEnabled bool) []b
 // if IPv6 is not enabled, also clean out any IPv6 address nameserver
 if !ipv6Enabled {
 cleanedResolvConf = nsIPv6Regexp.ReplaceAll(cleanedResolvConf, []byte{})
+ } else {
+ // If ipv6 is we still must remove any ipv6 link-local addresses as
+ // the zone will never match the interface name or index in the container.
+ cleanedResolvConf = nsIPv6LinkLocalRegexp.ReplaceAll(cleanedResolvConf, []byte{})
 }
 // if the resulting resolvConf has no more nameservers defined, add appropriate
 // default DNS servers for IPv4 and (optionally) IPv6
diff --git a/vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go b/vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go
index b1529410f9..b723b34cc9 100644
--- a/vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go
+++ b/vendor/github.com/containers/common/pkg/cgroups/systemd_linux.go
@@ -4,8 +4,12 @@ package cgroups
 
 import (
 "context"
+ "errors"
 "fmt"
+ "math/big"
 "path/filepath"
+ "slices"
+ "strconv"
 "strings"
 
 systemdDbus "github.com/coreos/go-systemd/v22/dbus"
@@ -53,7 +57,11 @@ func systemdCreate(resources *configs.Resources, path string, c *systemdDbus.Con
 properties = append(properties, p)
 }
 
- uMap, sMap, bMap, iMap, structMap := resourcesToProps(resources, v2)
+ uMap, sMap, bMap, iMap, structMap, err := resourcesToProps(resources, v2)
+ if err != nil {
+ lastError = err
+ continue
+ }
 for k, v := range uMap {
 p := systemdDbus.Property{
 Name: k,
@@ -95,7 +103,7 @@ func systemdCreate(resources *configs.Resources, path string, c *systemdDbus.Con
 }
 
 ch := make(chan string)
- _, err := c.StartTransientUnitContext(context.TODO(), name, "replace", properties, ch)
+ _, err = c.StartTransientUnitContext(context.TODO(), name, "replace", properties, ch)
 if err != nil {
 lastError = err
 continue
@@ -142,7 +150,7 @@ func systemdDestroyConn(path string, c *systemdDbus.Conn) error {
 return nil
 }
 
-func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[string]string, map[string][]byte, map[string]int64, map[string][]BlkioDev) {
+func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[string]string, map[string][]byte, map[string]int64, map[string][]BlkioDev, error) {
 bMap := make(map[string][]byte)
 // this array is not used but will be once more resource limits are added
 sMap := make(map[string]string)
@@ -179,11 +187,19 @@ func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[s // CPUSet if res.CpusetCpus != "" { - bits := []byte(res.CpusetCpus) + bits, err := rangeToBits(res.CpusetCpus) + if err != nil { + return nil, nil, nil, nil, nil, fmt.Errorf("resources.CpusetCpus=%q conversion error: %w", + res.CpusetCpus, err) + } bMap["AllowedCPUs"] = bits } if res.CpusetMems != "" { - bits := []byte(res.CpusetMems) + bits, err := rangeToBits(res.CpusetMems) + if err != nil { + return nil, nil, nil, nil, nil, fmt.Errorf("resources.CpusetMems=%q conversion error: %w", + res.CpusetMems, err) + } bMap["AllowedMemoryNodes"] = bits } @@ -258,5 +274,51 @@ func resourcesToProps(res *configs.Resources, v2 bool) (map[string]uint64, map[s } } - return uMap, sMap, bMap, iMap, structMap + return uMap, sMap, bMap, iMap, structMap, nil +} + +func rangeToBits(str string) ([]byte, error) { + bits := new(big.Int) + + for _, r := range strings.Split(str, ",") { + // allow extra spaces around + r = strings.TrimSpace(r) + // allow empty elements (extra commas) + if r == "" { + continue + } + startr, endr, ok := strings.Cut(r, "-") + if ok { + start, err := strconv.ParseUint(startr, 10, 32) + if err != nil { + return nil, err + } + end, err := strconv.ParseUint(endr, 10, 32) + if err != nil { + return nil, err + } + if start > end { + return nil, errors.New("invalid range: " + r) + } + for i := start; i <= end; i++ { + bits.SetBit(bits, int(i), 1) + } + } else { + val, err := strconv.ParseUint(startr, 10, 32) + if err != nil { + return nil, err + } + bits.SetBit(bits, int(val), 1) + } + } + + ret := bits.Bytes() + if len(ret) == 0 { + // do not allow empty values + return nil, errors.New("empty value") + } + + // fit cpuset parsing order in systemd + slices.Reverse(ret) + return ret, nil } diff --git a/vendor/github.com/containers/common/pkg/netns/netns_linux.go b/vendor/github.com/containers/common/pkg/netns/netns_linux.go index 5461b05f75..0947b9f709 100644 
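Review bot: `rangeToBits` bounds each endpoint only by `strconv.ParseUint(..., 10, 32)`, so a cpuset such as `0-4294967295` coming from a user-supplied `--cpuset-cpus`/`--cpuset-mems` drives the inner loop about four billion times and grows the `big.Int` to 512 MiB on the caller's thread before systemd ever sees the property and rejects it. No kernel supports anything near that many CPUs or memory nodes, so reject oversized indices up front: add `const maxCPUSetIndex = 1 << 16` next to the function, change the range check to `if start > end || end > maxCPUSetIndex { return nil, errors.New("invalid range: " + r) }`, and apply the same `val > maxCPUSetIndex` guard on the single-value path. The exact ceiling is a judgment call (the kernel's real limit is far lower), but any fixed bound removes the unbounded loop and allocation.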
--- a/vendor/github.com/containers/common/pkg/netns/netns_linux.go
+++ b/vendor/github.com/containers/common/pkg/netns/netns_linux.go
@@ -260,34 +260,37 @@ func newNSPath(nsPath string) (ns.NetNS, error) { // UnmountNS unmounts the given netns path func UnmountNS(nsPath string) error { // Only unmount if it's been bind-mounted (don't touch namespaces in /proc...) - if !strings.HasPrefix(nsPath, "/proc/") { - // EINVAL means the path exists but is not mounted, just try to remove the path below - if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil && !errors.Is(err, unix.EINVAL) { - // If path does not exists we can return without error as we have nothing to do. - if errors.Is(err, unix.ENOENT) { - return nil - } - - return fmt.Errorf("failed to unmount NS: at %s: %w", nsPath, err) + if strings.HasPrefix(nsPath, "/proc/") { + return nil + } + // EINVAL means the path exists but is not mounted, just try to remove the path below + if err := unix.Unmount(nsPath, unix.MNT_DETACH); err != nil && !errors.Is(err, unix.EINVAL) { + // If path does not exists we can return without error as we have nothing to do. + if errors.Is(err, unix.ENOENT) { + return nil } - for { - if err := os.Remove(nsPath); err != nil { - if errors.Is(err, unix.EBUSY) { - // mount is still busy, sleep a moment and try again to remove - logrus.Debugf("Netns %s still busy, try removing it again in 10ms", nsPath) - time.Sleep(10 * time.Millisecond) - continue - } - // If path does not exists we can return without error. - if errors.Is(err, unix.ENOENT) { - break - } - return fmt.Errorf("failed to remove ns path: %w", err) + return fmt.Errorf("failed to unmount NS: at %s: %w", nsPath, err) + } + + var err error + // wait for up to 60s in the loop + for range 6000 { + if err = os.Remove(nsPath); err != nil { + if errors.Is(err, unix.EBUSY) { + // mount is still busy, sleep a moment and try again to remove + logrus.Debugf("Netns %s still busy, try removing it again in 10ms", nsPath) + time.Sleep(10 * time.Millisecond) + continue } - break + // If path does not exists we can return without error. 
+ if errors.Is(err, unix.ENOENT) { + return nil + } + return fmt.Errorf("failed to remove ns path: %w", err) } + return nil } - return nil + return fmt.Errorf("failed to remove ns path (timeout after 60s): %w", err) } diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go index a6538ffb90..2c78cf1e65 100644 --- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go @@ -155,6 +155,25 @@ func getMountsMap(path string) (string, string, error) { //nolint return "", "", fmt.Errorf("unable to get host and container dir from path: %s", path) } +// Return true iff the system is in FIPS mode as determined by reading +// /proc/sys/crypto/fips_enabled. +func shouldAddFIPSMounts() bool { + fips_enabled, err := os.ReadFile("/proc/sys/crypto/fips_enabled") + if err != nil { + if !errors.Is(err, os.ErrNotExist) { + logrus.Errorf("Failed to read /proc/sys/crypto/fips_enabled to determine FIPS state: %v", err) + } + return false + } + + if strings.TrimSpace(string(fips_enabled)) != "1" { + logrus.Debug("/proc/sys/crypto/fips_enabled does not contain '1', not adding FIPS mode bind mounts") + return false + } + + return true +} + // MountsWithUIDGID copies, adds, and mounts the subscriptions to the container root filesystem // mountLabel: MAC/SELinux label for container content // containerRunDir: Private data for storing subscriptions on the host mounted in container. 
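Review bot: `fips_enabled` in `shouldAddFIPSMounts` breaks Go naming (identifiers do not use underscores); `fipsEnabled, err := os.ReadFile("/proc/sys/crypto/fips_enabled")` reads like the rest of the package. Separately, a read error other than ENOENT is logged and then treated exactly like "not FIPS", so a container whose image expects FIPS mode silently starts without the bind mounts; that mirrors the previous `/etc/system-fips` handling, but the doc comment should state it, e.g. `// Read errors other than ENOENT are logged and treated as "not in FIPS mode".`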
@@ -194,22 +213,16 @@ func MountsWithUIDGID(mountLabel, containerRunDir, mountFile, mountPoint string, } } - // Only add FIPS subscription mount if disableFips=false - if disableFips { + // Only add FIPS subscription mount if disableFips is false and + // /proc/sys/crypto/fips_enabled contains "1" + if disableFips || !shouldAddFIPSMounts() { return subscriptionMounts } - // Add FIPS mode subscription if /etc/system-fips exists on the host - err := fileutils.Exists("/etc/system-fips") - switch { - case err == nil: - if err := addFIPSModeSubscription(&subscriptionMounts, containerRunDir, mountPoint, mountLabel, uid, gid); err != nil { - logrus.Errorf("Adding FIPS mode subscription to container: %v", err) - } - case errors.Is(err, os.ErrNotExist): - logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode subscription") - default: - logrus.Errorf("stat /etc/system-fips failed for FIPS mode subscription: %v", err) + + if err := addFIPSMounts(&subscriptionMounts, containerRunDir, mountPoint, mountLabel, uid, gid); err != nil { + logrus.Errorf("Adding FIPS mode bind mounts to container: %v", err) } + return subscriptionMounts } 
@@ -306,43 +319,97 @@ func addSubscriptionsFromMountsFile(filePath, mountLabel, containerRunDir string return mounts, nil } -// addFIPSModeSubscription adds mounts to the `mounts` slice that are needed for the container to run openssl in FIPs mode -// (i.e: be FIPs compliant). -// It should only be called if /etc/system-fips exists on host. -// It primarily does two things: -// - creates /run/secrets/system-fips in the container root filesystem, and adds it to the `mounts` slice. -// - If `/etc/crypto-policies/back-ends` already exists inside of the container, it creates -// `/usr/share/crypto-policies/back-ends/FIPS` inside the container as well. -// It is done from within the container to ensure to avoid policy incompatibility between the container and host. -func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, mountLabel string, uid, gid int) error { +func containerHasEtcSystemFips(subscriptionsDir, mountPoint string) (bool, error) { + containerEtc, err := securejoin.SecureJoin(mountPoint, "etc") + if err != nil { + return false, fmt.Errorf("Container /etc resolution error: %w", err) + } + if fileutils.Lexists(filepath.Join(containerEtc, "system-fips")) != nil { + logrus.Debug("/etc/system-fips does not exist in the container, not creating /run/secrets/system-fips") + return false, nil + } + + fipsFileTarget, err := securejoin.SecureJoin(mountPoint, "etc/system-fips") + if err != nil { + return false, fmt.Errorf("Container /etc/system-fips resolution error: %w", err) + } + if fipsFileTarget != filepath.Join(mountPoint, subscriptionsDir, "system-fips") { + logrus.Warnf("/etc/system-fips exists in the container, but is not a symlink to %[1]v/system-fips; not creating %[1]v/system-fips", subscriptionsDir) + return false, nil + } + + return true, nil +} + +// addFIPSMounts adds mounts to the `mounts` slice that are needed +// for the container to run cryptographic libraries (openssl, gnutls, NSS, ...) 
+// in FIPS mode (i.e: be FIPS compliant). +// It should only be called if /proc/sys/crypto/fips_enabled on the host +// contains '1'. +// It does three things: +// - creates /run/secrets/system-fips in the container root filesystem if +// /etc/system-fips exists and is a symlink to /run/secrets/system-fips, +// and adds it to the `mounts` slice. This is, for example, the case on +// RHEL 8, but not on newer RHEL, since /etc/system-fips is deprecated. +// - Bind-mounts `/usr/share/crypto-policies/back-ends/FIPS` over +// `/etc/crypto-policies/back-ends` if the former exists inside of the +// container. This is done from within the container to avoid policy +// incompatibility between container and host. +// - If a bind mount for `/etc/crypto-policies/back-ends` was created, +// bind-mounts `/usr/share/crypto-policies/default-fips-config` over +// `/etc/crypto-policies/config` if the former exists inside of the +// container. If it does not exist, creates a new temporary file containing +// "FIPS\n", and bind-mounts that over `/etc/crypto-policies/config`. +// +// Starting in CentOS 10 Stream, the crypto-policies package gracefully recognizes the two bind mounts +// +// - /etc/crypto-policies/config -> /usr/share/crypto-policies/default-fips-config +// - /etc/crypto-policies/back-ends/FIPS -> /usr/share/crypto-policies/back-ends/FIPS +// +// and unmounts them when users manually change the policy, or removes and +// restores the mounts when the crypto-policies package is upgraded. 
+func addFIPSMounts(mounts *[]rspec.Mount, containerRunDir, mountPoint, mountLabel string, uid, gid int) error { + // Check whether $container/etc/system-fips exists and is a symlink to /run/secrets/system-fips subscriptionsDir := "/run/secrets" - ctrDirOnHost := filepath.Join(containerRunDir, subscriptionsDir) - if err := fileutils.Exists(ctrDirOnHost); errors.Is(err, os.ErrNotExist) { - if err = idtools.MkdirAllAs(ctrDirOnHost, 0o755, uid, gid); err != nil { //nolint - return err - } - if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { - return fmt.Errorf("applying correct labels on %q: %w", ctrDirOnHost, err) - } + + createSystemFipsSecret, err := containerHasEtcSystemFips(subscriptionsDir, mountPoint) + if err != nil { + return err } - fipsFile := filepath.Join(ctrDirOnHost, "system-fips") - // In the event of restart, it is possible for the FIPS mode file to already exist - if err := fileutils.Exists(fipsFile); errors.Is(err, os.ErrNotExist) { - file, err := os.Create(fipsFile) - if err != nil { - return fmt.Errorf("creating system-fips file in container for FIPS mode: %w", err) + if createSystemFipsSecret { + // This container contains + // /etc/system-fips -> /run/secrets/system-fips + // and expects podman to create this file if the container should + // be in FIPS mode + ctrDirOnHost := filepath.Join(containerRunDir, subscriptionsDir) + if err := fileutils.Exists(ctrDirOnHost); errors.Is(err, os.ErrNotExist) { + if err = idtools.MkdirAllAs(ctrDirOnHost, 0o755, uid, gid); err != nil { //nolint + return err + } + if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { + return fmt.Errorf("applying correct labels on %q: %w", ctrDirOnHost, err) + } } - file.Close() - } + fipsFile := filepath.Join(ctrDirOnHost, "system-fips") - if !mountExists(*mounts, subscriptionsDir) { - m := rspec.Mount{ - Source: ctrDirOnHost, - Destination: subscriptionsDir, - Type: "bind", - Options: []string{"bind", "rprivate"}, + // In the event of 
restart, it is possible for the FIPS mode file to already exist + if err := fileutils.Exists(fipsFile); errors.Is(err, os.ErrNotExist) { + file, err := os.Create(fipsFile) + if err != nil { + return fmt.Errorf("creating system-fips file in container for FIPS mode: %w", err) + } + file.Close() + } + + if !mountExists(*mounts, subscriptionsDir) { + m := rspec.Mount{ + Source: ctrDirOnHost, + Destination: subscriptionsDir, + Type: "bind", + Options: []string{"bind", "rprivate"}, + } + *mounts = append(*mounts, m) } - *mounts = append(*mounts, m) } srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" 
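Review bot: `containerHasEtcSystemFips` compares the fully symlink-resolved `fipsFileTarget` against the unresolved string `filepath.Join(mountPoint, subscriptionsDir, "system-fips")`; if the image's `/run` is itself a symlink, SecureJoin resolves through it, the strings differ, and the secret is skipped with only a warning even though the container does expect it. Resolving the expected side the same way keeps the check symlink-safe without depending on the image layout: `expected, err := securejoin.SecureJoin(mountPoint, filepath.Join(subscriptionsDir, "system-fips"))` followed by `if fipsFileTarget != expected {`. The new error strings such as `"Container /etc resolution error: %w"` also start with a capital letter, unlike the rest of the package; lowercase them. Both lookups read image-controlled paths before the runtime performs the mount, so the function is best-effort detection rather than a security boundary, which is worth one sentence in its doc comment. addFIPSMounts continues past the end of this hunk.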
@@ -370,27 +437,44 @@ func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, // Make sure we set the config to FIPS so that the container does not overwrite // /etc/crypto-policies/back-ends when crypto-policies-scripts is reinstalled. - cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config") - file, err := os.Create(cryptoPoliciesConfigFile) + // + // Starting in CentOS 10 Stream, crypto-policies provides + // /usr/share/crypto-policies/default-fips-config as bind mount source + // file and the crypto-policies tooling gracefully deals with the two bind-mounts + // /etc/crypto-policies/back-ends -> /usr/share/crypto-policies/back-ends/FIPS + // /etc/crypto-policies/config -> /usr/share/crypto-policies/default-fips-config + // if they both exist. + srcPolicyConfig := "/usr/share/crypto-policies/default-fips-config" + destPolicyConfig := "/etc/crypto-policies/config" + srcPolicyConfigOnHost, err := securejoin.SecureJoin(mountPoint, srcPolicyConfig) if err != nil { - return fmt.Errorf("creating fips config file in container for FIPS mode: %w", err) - } - defer file.Close() - if _, err := file.WriteString("FIPS\n"); err != nil { - return fmt.Errorf("writing fips config file in container for FIPS mode: %w", err) - } - if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil { - return fmt.Errorf("applying correct labels on fips-config file: %w", err) + return fmt.Errorf("Could not expand %q in container: %w", srcPolicyConfig, err) } - if err := file.Chown(uid, gid); err != nil { - return fmt.Errorf("chown fips-config file: %w", err) + + if err = fileutils.Exists(srcPolicyConfigOnHost); err != nil { + if !errors.Is(err, os.ErrNotExist) { + return fmt.Errorf("Could not check whether %q exists in container: %w", srcPolicyConfig, err) + } + + // /usr/share/crypto-policies/default-fips-config does not exist, let's create it ourselves + cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config") 
+ if err := os.WriteFile(cryptoPoliciesConfigFile, []byte("FIPS\n"), 0o644); err != nil { + return fmt.Errorf("Failed to write fips config file in container for FIPS mode: %w", err) + } + if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil { + return fmt.Errorf("Failed to apply correct labels on fips config file: %w", err) + } + if err := os.Chown(cryptoPoliciesConfigFile, uid, gid); err != nil { + return fmt.Errorf("Failed to chown fips config file: %w", err) + } + + srcPolicyConfigOnHost = cryptoPoliciesConfigFile } - policyConfig := "/etc/crypto-policies/config" - if !mountExists(*mounts, policyConfig) { + if !mountExists(*mounts, destPolicyConfig) { m := rspec.Mount{ - Source: cryptoPoliciesConfigFile, - Destination: policyConfig, + Source: srcPolicyConfigOnHost, + Destination: destPolicyConfig, Type: "bind", Options: []string{"bind", "rprivate"}, } diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go index c73ec15cd4..98eee47e1a 100644 --- a/vendor/github.com/containers/common/version/version.go +++ b/vendor/github.com/containers/common/version/version.go @@ -1,4 +1,4 @@ package version // Version is the version of the build. -const Version = "0.61.0-dev" +const Version = "0.61.0" diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go index d98e04b9a5..3743721fc3 100644 --- a/vendor/github.com/containers/image/v5/version/version.go +++ b/vendor/github.com/containers/image/v5/version/version.go @@ -11,7 +11,7 @@ const ( VersionPatch = 0 // VersionDev indicates development branch. Releases will be empty string. - VersionDev = "-dev" + VersionDev = "" ) // Version is the specification version that the package types support. diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION index 31907770ac..3ebf789f5a 100644 
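Review bot: The rewritten tail mixes `if err = ...` (assigning the outer `err` declared by the SecureJoin call) with `if err := ...` (shadowing it) on adjacent lines — `label.Relabel` assigns while `os.WriteFile` and `os.Chown` shadow — which is easy to misread and trips shadow linters; use `if err := label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil {` so every guarded call scopes its own error. The comment above `srcPolicyConfig` should also say that when `/usr/share/crypto-policies/default-fips-config` exists, the mount source is image-supplied content resolved inside the rootfs, so the image rather than the host decides what lands on `/etc/crypto-policies/config`; the FIPS intent is only as strong as that file. The function continues past the end of this hunk.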
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@@ -1 +1 @@
-1.56.0-dev
+1.56.0
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fdcf6dff2f..4eec05dab8 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -143,8 +143,8 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.5.1
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.37.1-0.20241104213057-0dc5f958934a
-## explicit; go 1.22.0
+# github.com/containers/buildah v1.37.1-0.20241111124227-596bbedbd431
+## explicit; go 1.22.6
 github.com/containers/buildah
 github.com/containers/buildah/bind
 github.com/containers/buildah/chroot
@@ -174,7 +174,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.60.1-0.20241106101802-8130e31c0832
+# github.com/containers/common v0.61.0
 ## explicit; go 1.22.6
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring
@@ -247,7 +247,7 @@ github.com/containers/conmon/runner/config
 # github.com/containers/gvisor-tap-vsock v0.8.0
 ## explicit; go 1.22.0
 github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.32.3-0.20241105183637-59417aed3db1
+# github.com/containers/image/v5 v5.33.0
 ## explicit; go 1.22.6
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@@ -358,7 +358,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.55.2-0.20241104201357-ad5f2a48e9e9
+# github.com/containers/storage v1.56.0
 ## explicit; go 1.22.0
 github.com/containers/storage
 github.com/containers/storage/drivers
@@ -801,7 +801,7 @@ github.com/mistifyio/go-zfs/v3
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.17.0
+# github.com/moby/buildkit v0.17.1
 ## explicit; go 1.22.0
 github.com/moby/buildkit/frontend/dockerfile/command
 github.com/moby/buildkit/frontend/dockerfile/parser