update to v2.14 and fix CVE-2022-1706
parent
9acecd6c5b
commit
3a2d0cb180
Binary file not shown.
BIN
ignition-2.14.0.tar.gz
Normal file
BIN
ignition-2.14.0.tar.gz
Normal file
Binary file not shown.
@ -5,16 +5,12 @@
|
||||
%global gotest go test
|
||||
|
||||
Name: ignition
|
||||
Version: 2.13.0
|
||||
Version: 2.14.0
|
||||
Release: 1
|
||||
Summary: First boot installer and configuration tool
|
||||
License: Apache-2.0
|
||||
URL: https://github.com/coreos/ignition
|
||||
Source0: https://github.com/coreos/ignition/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Patch0: luks-volume-reuse.patch
|
||||
# vmware: kernel_lockdown breaks guestinfo fetching
|
||||
# https://github.com/coreos/ignition/issues/1092
|
||||
Patch1: vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch
|
||||
|
||||
BuildRequires: libblkid-devel
|
||||
BuildRequires: golang >= 1.10
|
||||
@ -81,6 +77,7 @@ Provides: bundled(golang(github.com/aws/aws-sdk-go/service/s3/s3iface)) = 1.30.2
|
||||
Provides: bundled(golang(github.com/aws/aws-sdk-go/service/s3/s3manager)) = 1.30.28
|
||||
Provides: bundled(golang(github.com/aws/aws-sdk-go/service/sts)) = 1.30.28
|
||||
Provides: bundled(golang(github.com/aws/aws-sdk-go/service/sts/stsiface)) = 1.30.28
|
||||
Provides: bundled(golang(github.com/beevik/etree)) = 1.1.1-0.20200718192613.git4a2f8b9d084c
|
||||
Provides: bundled(golang(github.com/coreos/go-semver/semver)) = 0.3.0
|
||||
Provides: bundled(golang(github.com/coreos/go-systemd/v22/dbus)) = 22.0.0
|
||||
Provides: bundled(golang(github.com/coreos/go-systemd/v22/journal)) = 22.0.0
|
||||
@ -94,14 +91,14 @@ Provides: bundled(golang(github.com/google/renameio)) = 0.1.0
|
||||
Provides: bundled(golang(github.com/google/uuid)) = 1.1.1
|
||||
Provides: bundled(golang(github.com/pin/tftp)) = 2.1.0
|
||||
Provides: bundled(golang(github.com/pin/tftp/netascii)) = 2.1.0
|
||||
Provides: bundled(golang(github.com/stretchr/testify/assert)) = 1.5.1
|
||||
Provides: bundled(golang(github.com/spf13/pflag)) = 1.0.6-0.20210604193023.gitd5e0c0615ace
|
||||
Provides: bundled(golang(github.com/stretchr/testify/assert)) = 1.7.0
|
||||
Provides: bundled(golang(github.com/vincent-petithory/dataurl)) = 1.0.0
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/bdoor)) = 0.0.0-20170707015358.git25eff159a728
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/message)) = 0.0.0-20170707015358.git25eff159a728
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcout)) = 0.0.0-20170707015358.git25eff159a728
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcvmx)) = 0.0.0-20170707015358.git25eff159a728
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/vmcheck)) = 0.0.0-20170707015358.git25eff159a728
|
||||
Provides: bundled(golang(github.com/vmware/vmw-ovflib)) = 0.0.0-20170608004843.git1f217b9dc714
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/bdoor)) = 0.0.0-20220317130741.git510905f0efa3
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/message)) = 0.0.0-20220317130741.git510905f0efa3
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcout)) = 0.0.0-20220317130741.git510905f0efa3
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcvmx)) = 0.0.0-20220317130741.git510905f0efa3
|
||||
Provides: bundled(golang(github.com/vmware/vmw-guestinfo/vmcheck)) = 0.0.0-20220317130741.git510905f0efa3
|
||||
Provides: bundled(golang(golang.org/x/net/context)) = 0.0.0-20200602114024.git627f9648deb9
|
||||
Provides: bundled(golang(golang.org/x/net/context/ctxhttp)) = 0.0.0-20200602114024.git627f9648deb9
|
||||
Provides: bundled(golang(golang.org/x/net/http2)) = 0.0.0-20200602114024.git627f9648deb9
|
||||
@ -221,6 +218,10 @@ echo "Building ignition-validate..."
|
||||
# dracut modules
|
||||
install -d -p %{buildroot}/%{dracutlibdir}/modules.d
|
||||
cp -r dracut/* %{buildroot}/%{dracutlibdir}/modules.d/
|
||||
install -m 0644 -D -t %{buildroot}/%{_unitdir} systemd/ignition-delete-config.service
|
||||
install -m 0755 -d %{buildroot}/%{_libexecdir}
|
||||
ln -sf ../lib/dracut/modules.d/30ignition/ignition %{buildroot}/%{_libexecdir}/ignition-apply
|
||||
ln -sf ../lib/dracut/modules.d/30ignition/ignition %{buildroot}/%{_libexecdir}/ignition-rmcfg
|
||||
|
||||
# ignition
|
||||
install -d -p %{buildroot}%{_bindir}
|
||||
@ -240,6 +241,9 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition
|
||||
%license LICENSE
|
||||
%doc README.md docs/
|
||||
%{dracutlibdir}/modules.d/*
|
||||
%{_unitdir}/*.service
|
||||
%{_libexecdir}/ignition-apply
|
||||
%{_libexecdir}/ignition-rmcfg
|
||||
|
||||
%files validate
|
||||
%doc README.md
|
||||
@ -247,6 +251,10 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition
|
||||
%{_bindir}/ignition-validate
|
||||
|
||||
%changelog
|
||||
* Fri May 27 2022 duyiwei <duyiwei@kylinos.cn> - 2.14.0-1
|
||||
- update version to 2.14.0
|
||||
- fix CVE-2022-1706
|
||||
|
||||
* Mon May 23 2022 duyiwei <duyiwei@kylinos.cn> - 2.13.0-1
|
||||
- update version to 2.13.0
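Review bot: The `ignition-delete-config.service` unit added in the `@ -221,6 +218,10 @` hunk is only copied into `%{_unitdir}`; no visible hunk adds a scriptlet or preset that enables it, so whether the CVE-2022-1706 cleanup named in the changelog runs on an installed system depends on something outside this spec. If the distribution ships no preset for it, consider `%systemd_post ignition-delete-config.service` with the matching `%systemd_preun`, or add a comment above the install line such as `# enabled by the image's systemd preset, not by this package`. The two `ln -sf ../lib/dracut/modules.d/30ignition/ignition` lines hard-code the relative layout rather than deriving it from `%{dracutlibdir}`; if `%{_libexecdir}` and `%{dracutlibdir}` are not `/usr/libexec` and `/usr/lib/dracut`, `ignition-rmcfg` becomes a dangling link and the unit (which presumably invokes it) would fail, so a build-time `test -e %{buildroot}%{_libexecdir}/ignition-rmcfg` after the links would catch it. Patch1 is dropped in the first hunk while the bundled vmw-guestinfo `Provides` move to `0.0.0-20220317130741.git510905f0efa3`; it is worth confirming that this snapshot no longer needs the iopl workaround under kernel lockdown.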
|
||||
|
||||
|
||||
@ -1,56 +0,0 @@
|
||||
From aed47c18aee593d155d45c0fe9ba29a9e3123cf6 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Gilbert <bgilbert@redhat.com>
|
||||
Date: Mon, 17 Jan 2022 21:17:08 -0500
|
||||
Subject: [PATCH] disks: fix reuse of statically keyed LUKS volume
|
||||
|
||||
We need to persist a volume's keyfile to the real root even if we take
|
||||
the early `continue` when reusing the volume. Rather than copying code,
|
||||
enable persistence up front and then disable it afterward if we decide
|
||||
not to persist the key.
|
||||
|
||||
Fixes error:
|
||||
|
||||
CRITICAL : Ignition failed: creating crypttab entries: missing persisted keyfile for [...]
|
||||
|
||||
Fixes: https://github.com/coreos/ignition/issues/1305
|
||||
Fixes: 65e9c1611128 ("stages/disks: use State to persist keyfiles for files stage")
|
||||
---
|
||||
internal/exec/stages/disks/luks.go | 15 ++++++++-------
|
||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/internal/exec/stages/disks/luks.go b/internal/exec/stages/disks/luks.go
|
||||
index 77ecc24e..5fa15e70 100644
|
||||
--- a/internal/exec/stages/disks/luks.go
|
||||
+++ b/internal/exec/stages/disks/luks.go
|
||||
@@ -156,6 +156,13 @@ func (s *stage) createLuks(config types.Config) error {
|
||||
}
|
||||
}
|
||||
}
|
||||
+ // store the key to be persisted into the real root
|
||||
+ // do this here so device reuse works correctly
|
||||
+ key, err := ioutil.ReadFile(keyFilePath)
|
||||
+ if err != nil {
|
||||
+ return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err)
|
||||
+ }
|
||||
+ s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key)
|
||||
|
||||
if !util.IsTrue(luks.WipeVolume) {
|
||||
// If the volume isn't forcefully being created, then we need
|
||||
@@ -329,13 +336,7 @@ func (s *stage) createLuks(config types.Config) error {
|
||||
); err != nil {
|
||||
return fmt.Errorf("removing key file from luks device: %v", err)
|
||||
}
|
||||
- } else {
|
||||
- // store the key to be persisted into the real root
|
||||
- key, err := ioutil.ReadFile(keyFilePath)
|
||||
- if err != nil {
|
||||
- return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err)
|
||||
- }
|
||||
- s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key)
|
||||
+ delete(s.State.LuksPersistKeyFiles, luks.Name)
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From 069ab246129be6860aed3389c526543afa87e712 Mon Sep 17 00:00:00 2001
|
||||
From: Luca BRUNO <luca.bruno@coreos.com>
|
||||
Date: Thu, 17 Sep 2020 16:07:59 +0000
|
||||
Subject: [PATCH] vendor/vmw-guestinfo: quickfix to skip performing iopl
|
||||
|
||||
This is a quickfix to avoid performing an `iopl`, which is blocked by
|
||||
kernel_lockdown under SecureBoot.
|
||||
|
||||
Refs:
|
||||
* https://bugzilla.redhat.com/show_bug.cgi?id=1877995
|
||||
* https://github.com/lucab/vmw_backdoor-rs/issues/6
|
||||
* https://github.com/coreos/ignition/issues/1092
|
||||
---
|
||||
.../vmware/vmw-guestinfo/vmcheck/vmcheck.go | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
|
||||
index c46cc5e4..ffd866c0 100644
|
||||
--- a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
|
||||
+++ b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
|
||||
@@ -41,10 +41,13 @@ func IsVirtualWorld() (bool, error) {
|
||||
|
||||
// hypervisorPortCheck tests the availability of the HV port.
|
||||
func hypervisorPortCheck() (bool, error) {
|
||||
- // Privilege level 3 to access all ports above 0x3ff
|
||||
- if err := openPortsAccess(); err != nil {
|
||||
- return false, err
|
||||
- }
|
||||
+ // XXX(lucab): quickfix for https://github.com/coreos/ignition/issues/1092.
|
||||
+ /*
|
||||
+ // Privilege level 3 to access all ports above 0x3ff
|
||||
+ if err := openPortsAccess(); err != nil {
|
||||
+ return false, err
|
||||
+ }
|
||||
+ */
|
||||
|
||||
p := &bdoor.BackdoorProto{}
|
||||
|
||||
--
|
||||
2.21.1
|
||||