diff --git a/ignition-2.13.0.tar.gz b/ignition-2.13.0.tar.gz deleted file mode 100644 index d63fa2e..0000000 Binary files a/ignition-2.13.0.tar.gz and /dev/null differ diff --git a/ignition-2.14.0.tar.gz b/ignition-2.14.0.tar.gz new file mode 100644 index 0000000..5a7928d Binary files /dev/null and b/ignition-2.14.0.tar.gz differ diff --git a/ignition.spec b/ignition.spec index 895f948..c3390b9 100644 --- a/ignition.spec +++ b/ignition.spec @@ -5,16 +5,12 @@ %global gotest go test Name: ignition -Version: 2.13.0 +Version: 2.14.0 Release: 1 Summary: First boot installer and configuration tool License: Apache-2.0 URL: https://github.com/coreos/ignition Source0: https://github.com/coreos/ignition/archive/v%{version}/%{name}-%{version}.tar.gz -Patch0: luks-volume-reuse.patch -# vmware: kernel_lockdown breaks guestinfo fetching -# https://github.com/coreos/ignition/issues/1092 -Patch1: vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch BuildRequires: libblkid-devel BuildRequires: golang >= 1.10 @@ -81,6 +77,7 @@ Provides: bundled(golang(github.com/aws/aws-sdk-go/service/s3/s3iface)) = 1.30.2 Provides: bundled(golang(github.com/aws/aws-sdk-go/service/s3/s3manager)) = 1.30.28 Provides: bundled(golang(github.com/aws/aws-sdk-go/service/sts)) = 1.30.28 Provides: bundled(golang(github.com/aws/aws-sdk-go/service/sts/stsiface)) = 1.30.28 +Provides: bundled(golang(github.com/beevik/etree)) = 1.1.1-0.20200718192613.git4a2f8b9d084c Provides: bundled(golang(github.com/coreos/go-semver/semver)) = 0.3.0 Provides: bundled(golang(github.com/coreos/go-systemd/v22/dbus)) = 22.0.0 Provides: bundled(golang(github.com/coreos/go-systemd/v22/journal)) = 22.0.0 
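Review bot: Removing `Patch0` and `Patch1` in the `@@ -5,16 +5,12 @@` hunk is not documented anywhere in the change: the deleted comment says Patch1 exists because kernel_lockdown breaks guestinfo fetching on VMware, while the `%changelog` entry added further down records only the version bump and the CVE. Presumably both fixes are carried by the 2.14.0 tarball and the newer vendored vmw-guestinfo snapshot, but the diff cannot show that, so it should be stated and checked on a Secure Boot VMware guest before release. Once confirmed, I would add a changelog line such as `- drop luks-volume-reuse.patch and vendor-vmw-guestinfo quickfix patch (merged upstream)`.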
@@ -94,14 +91,14 @@ Provides: bundled(golang(github.com/google/renameio)) = 0.1.0 Provides: bundled(golang(github.com/google/uuid)) = 1.1.1 Provides: bundled(golang(github.com/pin/tftp)) = 2.1.0 Provides: bundled(golang(github.com/pin/tftp/netascii)) = 2.1.0 -Provides: bundled(golang(github.com/stretchr/testify/assert)) = 1.5.1 +Provides: bundled(golang(github.com/spf13/pflag)) = 1.0.6-0.20210604193023.gitd5e0c0615ace +Provides: bundled(golang(github.com/stretchr/testify/assert)) = 1.7.0 Provides: bundled(golang(github.com/vincent-petithory/dataurl)) = 1.0.0 -Provides: bundled(golang(github.com/vmware/vmw-guestinfo/bdoor)) = 0.0.0-20170707015358.git25eff159a728 -Provides: bundled(golang(github.com/vmware/vmw-guestinfo/message)) = 0.0.0-20170707015358.git25eff159a728 -Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcout)) = 0.0.0-20170707015358.git25eff159a728 -Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcvmx)) = 0.0.0-20170707015358.git25eff159a728 -Provides: bundled(golang(github.com/vmware/vmw-guestinfo/vmcheck)) = 0.0.0-20170707015358.git25eff159a728 -Provides: bundled(golang(github.com/vmware/vmw-ovflib)) = 0.0.0-20170608004843.git1f217b9dc714 +Provides: bundled(golang(github.com/vmware/vmw-guestinfo/bdoor)) = 0.0.0-20220317130741.git510905f0efa3 +Provides: bundled(golang(github.com/vmware/vmw-guestinfo/message)) = 0.0.0-20220317130741.git510905f0efa3 +Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcout)) = 0.0.0-20220317130741.git510905f0efa3 +Provides: bundled(golang(github.com/vmware/vmw-guestinfo/rpcvmx)) = 0.0.0-20220317130741.git510905f0efa3 +Provides: bundled(golang(github.com/vmware/vmw-guestinfo/vmcheck)) = 0.0.0-20220317130741.git510905f0efa3 Provides: bundled(golang(golang.org/x/net/context)) = 0.0.0-20200602114024.git627f9648deb9 Provides: bundled(golang(golang.org/x/net/context/ctxhttp)) = 0.0.0-20200602114024.git627f9648deb9 Provides: bundled(golang(golang.org/x/net/http2)) = 
0.0.0-20200602114024.git627f9648deb9 @@ -221,6 +218,10 @@ echo "Building ignition-validate..." # dracut modules install -d -p %{buildroot}/%{dracutlibdir}/modules.d cp -r dracut/* %{buildroot}/%{dracutlibdir}/modules.d/ +install -m 0644 -D -t %{buildroot}/%{_unitdir} systemd/ignition-delete-config.service +install -m 0755 -d %{buildroot}/%{_libexecdir} +ln -sf ../lib/dracut/modules.d/30ignition/ignition %{buildroot}/%{_libexecdir}/ignition-apply +ln -sf ../lib/dracut/modules.d/30ignition/ignition %{buildroot}/%{_libexecdir}/ignition-rmcfg # ignition install -d -p %{buildroot}%{_bindir} @@ -240,6 +241,9 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition %license LICENSE %doc README.md docs/ %{dracutlibdir}/modules.d/* +%{_unitdir}/*.service +%{_libexecdir}/ignition-apply +%{_libexecdir}/ignition-rmcfg %files validate %doc README.md @@ -247,6 +251,10 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition %{_bindir}/ignition-validate %changelog +* Fri May 27 2022 duyiwei - 2.14.0-1 +- update version to 2.14.0 +- fix CVE-2022-1706 + * Mon May 23 2022 duyiwei - 2.13.0-1 - update version to 2.13.0 diff --git a/luks-volume-reuse.patch b/luks-volume-reuse.patch deleted file mode 100644 index b27f481..0000000 --- a/luks-volume-reuse.patch +++ /dev/null 
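Review bot: The two `ln -sf ../lib/dracut/modules.d/30ignition/ignition ...` lines in the `@@ -221,6 +218,10 @@` hunk hard-code the relative route from `%{_libexecdir}` to the dracut module directory, while the surrounding install lines go through `%{dracutlibdir}`. If those macros do not expand to sibling `libexec` and `lib/dracut` directories, `ignition-apply` and `ignition-rmcfg` are packaged as dangling links. Presumably the `ignition-delete-config.service` installed one line above invokes `ignition-rmcfg`, in which case the cleanup would fail at runtime rather than at build time. Let the tool compute the target, e.g. `ln -srf %{buildroot}/%{dracutlibdir}/modules.d/30ignition/ignition %{buildroot}/%{_libexecdir}/ignition-rmcfg` (same for `ignition-apply`), or add a `%check` step that resolves both links inside the buildroot. The `%install` section starts and ends outside the hunk.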
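Review bot: Nothing in the `@@ -240,6 +241,9 @@` hunk, or in the install hunk before it, enables `ignition-delete-config.service`; the unit is only copied into `%{_unitdir}` and listed under `%files`. If the CVE-2022-1706 fix named in the new changelog entry relies on that unit running after provisioning, a package that ships it disabled leaves the fix inactive on installed systems. Add `%systemd_post ignition-delete-config.service` in `%post` with the matching `%systemd_preun` in `%preun` and a preset entry, unless the distribution preset already covers it (the scriptlet sections are outside these hunks). Listing the unit as `%{_unitdir}/ignition-delete-config.service` instead of `%{_unitdir}/*.service` would also keep unrelated units from being packaged silently.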
@@ -1,56 +0,0 @@ -From aed47c18aee593d155d45c0fe9ba29a9e3123cf6 Mon Sep 17 00:00:00 2001 -From: Benjamin Gilbert -Date: Mon, 17 Jan 2022 21:17:08 -0500 -Subject: [PATCH] disks: fix reuse of statically keyed LUKS volume - -We need to persist a volume's keyfile to the real root even if we take -the early `continue` when reusing the volume. Rather than copying code, -enable persistence up front and then disable it afterward if we decide -not to persist the key. - -Fixes error: - - CRITICAL : Ignition failed: creating crypttab entries: missing persisted keyfile for [...] - -Fixes: https://github.com/coreos/ignition/issues/1305 -Fixes: 65e9c1611128 ("stages/disks: use State to persist keyfiles for files stage") ---- - internal/exec/stages/disks/luks.go | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/internal/exec/stages/disks/luks.go b/internal/exec/stages/disks/luks.go -index 77ecc24e..5fa15e70 100644 ---- a/internal/exec/stages/disks/luks.go -+++ b/internal/exec/stages/disks/luks.go -@@ -156,6 +156,13 @@ func (s *stage) createLuks(config types.Config) error { - } - } - } -+ // store the key to be persisted into the real root -+ // do this here so device reuse works correctly -+ key, err := ioutil.ReadFile(keyFilePath) -+ if err != nil { -+ return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err) -+ } -+ s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key) - - if !util.IsTrue(luks.WipeVolume) { - // If the volume isn't forcefully being created, then we need -@@ -329,13 +336,7 @@ func (s *stage) createLuks(config types.Config) error { - ); err != nil { - return fmt.Errorf("removing key file from luks device: %v", err) - } -- } else { -- // store the key to be persisted into the real root -- key, err := ioutil.ReadFile(keyFilePath) -- if err != nil { -- return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err) -- } -- s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key) -+ 
delete(s.State.LuksPersistKeyFiles, luks.Name) - } - } - --- -2.33.1 - diff --git a/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch b/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch deleted file mode 100644 index 6d43fe9..0000000 --- a/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 069ab246129be6860aed3389c526543afa87e712 Mon Sep 17 00:00:00 2001 -From: Luca BRUNO -Date: Thu, 17 Sep 2020 16:07:59 +0000 -Subject: [PATCH] vendor/vmw-guestinfo: quickfix to skip performing iopl - -This is a quickfix to avoid performing an `iopl`, which is blocked by -kernel_lockdown under SecureBoot. - -Refs: - * https://bugzilla.redhat.com/show_bug.cgi?id=1877995 - * https://github.com/lucab/vmw_backdoor-rs/issues/6 - * https://github.com/coreos/ignition/issues/1092 ---- - .../vmware/vmw-guestinfo/vmcheck/vmcheck.go | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go -index c46cc5e4..ffd866c0 100644 ---- a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go -+++ b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go -@@ -41,10 +41,13 @@ func IsVirtualWorld() (bool, error) { - - // hypervisorPortCheck tests the availability of the HV port. - func hypervisorPortCheck() (bool, error) { -- // Privilege level 3 to access all ports above 0x3ff -- if err := openPortsAccess(); err != nil { -- return false, err -- } -+ // XXX(lucab): quickfix for https://github.com/coreos/ignition/issues/1092. -+ /* -+ // Privilege level 3 to access all ports above 0x3ff -+ if err := openPortsAccess(); err != nil { -+ return false, err -+ } -+ */ - - p := &bdoor.BackdoorProto{} - --- -2.21.1