packages/podman
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 3.4.4

Browse Source
This commit is contained in:
fu-shanqing 2022-07-05 16:28:52 +08:00
parent a56c194d4d
commit 011702f40c
14 changed files with 283 additions and 1493 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
0002-Fix-the-invalid-memory-address-reference.patch → 0001-Fix-the-invalid-memory-address-reference.patch
View File

@ -11,20 +11,20 @@ diff --git a/libpod/stats.go b/libpod/stats.go
index c58a461..97a2169 100644
--- a/libpod/stats.go
+++ b/libpod/stats.go
@@ -57,9 +57,11 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container
previousCPU := previousStats.CPUNano
previousSystem := previousStats.SystemNano
stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, previousSystem)
@@ -68,9 +68,11 @@
stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, now, previousStats.SystemNano)
stats.AvgCPU = calculateAvgCPU(stats.CPU, previousStats.AvgCPU, previousStats.DataPoints)
stats.DataPoints = previousStats.DataPoints + 1
- stats.MemUsage = cgroupStats.Memory.Usage.Usage
- stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit)
- stats.MemLimit = c.getMemLimit()
- stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
+ if cgroupStats.Memory != nil {
+ stats.MemUsage = cgroupStats.Memory.Usage.Usage
+ stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit)
+ stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
+ }
+ if cgroupStats.Memory != (cgroups.MemoryMetrics{}){
+ stats.MemUsage = cgroupStats.Memory.Usage.Usage
+ stats.MemLimit = c.getMemLimit()
+ stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
+ }
stats.PIDs = 0
if conState == ContainerStateRunning {
if conState == define.ContainerStateRunning || conState == define.ContainerStatePaused {
stats.PIDs = cgroupStats.Pids.Current
--
2.23.0

24
0001-podman-patch-for-local-search.patch
View File

@ -1,24 +0,0 @@
From 40aabbc1707bfb6ed0a0bb01bc356a16efae8b4e Mon Sep 17 00:00:00 2001
From: weishengjing1 <773945074@qq.com>
Date: Sat, 9 Jan 2021 10:09:27 +0800
Subject: [PATCH] patch for podman pull (issue I2BF99)
---
libpod.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/libpod.conf b/libpod.conf
index 2976cec..4001d21 100644
--- a/libpod.conf
+++ b/libpod.conf
@@ -7,6 +7,7 @@ image_default_transport = "docker://"
# Paths to look for a valid OCI runtime (runc, runv, etc)
runtime_path = [
"/usr/bin/runc",
+ "/usr/local/bin/runc",
"/usr/sbin/runc",
"/sbin/runc",
"/bin/runc",
--
2.27.0

7
0002-add-openEuler-hardened-ld.patch Normal file
View File

@ -0,0 +1,7 @@
diff -Naru podman-3.4.4/openEuler-hardened-ld podman-3.4.4-new/openEuler-hardened-ld
--- podman-3.4.4/openEuler-hardened-ld 1970-01-01 08:00:00.000000000 +0800
+++ podman-3.4.4-new/openEuler-hardened-ld 2022-07-01 16:50:11.640052823 +0800
@@ -0,0 +1,3 @@
+*self_spec:
++ %{!static:%{!shared:%{!r:-pie}}}
+

29
0003-eat-signal-23-in-signal-proxy.patch
View File

@ -1,29 +0,0 @@
From 7bb9c6b9d1f195391f50047447b8caec404b5c2a Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Wed, 31 Mar 2021 11:22:39 +0800
Subject: [PATCH] eat signal 23 in signal proxy
reference to: https://github.com/containers/podman/pull/5496
---
cmd/podman/sigproxy.go | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
index 16861ba..9bb104d 100644
--- a/cmd/podman/sigproxy.go
+++ b/cmd/podman/sigproxy.go
@@ -19,7 +19,10 @@ func ProxySignals(ctr *libpod.Container) {
for s := range sigBuffer {
// Ignore SIGCHLD and SIGPIPE - these are mostly likely
// intended for the podman command itself.
- if s == signal.SIGCHLD || s == signal.SIGPIPE {
+ // SIGURG was added because of golang 1.14 and its preemptive changes
+ // causing more signals to "show up".
+ // https://github.com/containers/libpod/issues/5483
+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
continue
}
--
2.23.0

371
CVE-2021-20188-PRE1.patch
View File

@ -1,371 +0,0 @@
From 6246942d377bd9ed665a4ac448120352454dd83d Mon Sep 17 00:00:00 2001
From: baude <bbaude@redhat.com>
Date: Wed, 24 Oct 2018 10:39:12 -0500
Subject: [PATCH] Increase security and performance when looking up groups
We implement the securejoin method to make sure the paths to /etc/passwd and
/etc/group are not symlinks to something naughty or outside the container
image. And then instead of actually chrooting, we use the runc functions to
get information about a user. The net result is increased security and
a a performance gain from 41ms to 100us.
Signed-off-by: baude <bbaude@redhat.com>
---
libpod/container_internal_linux.go | 26 +++-
.../cyphar/filepath-securejoin/LICENSE | 28 ++++
.../cyphar/filepath-securejoin/README.md | 65 +++++++++
.../cyphar/filepath-securejoin/join.go | 134 ++++++++++++++++++
.../cyphar/filepath-securejoin/vendor.conf | 1 +
.../cyphar/filepath-securejoin/vfs.go | 41 ++++++
6 files changed, 291 insertions(+), 4 deletions(-)
create mode 100644 vendor/github.com/cyphar/filepath-securejoin/LICENSE
create mode 100644 vendor/github.com/cyphar/filepath-securejoin/README.md
create mode 100644 vendor/github.com/cyphar/filepath-securejoin/join.go
create mode 100644 vendor/github.com/cyphar/filepath-securejoin/vendor.conf
create mode 100644 vendor/github.com/cyphar/filepath-securejoin/vfs.go
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index b25645e5cc0..5a6b72580d5 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -21,6 +21,8 @@ import (
"github.com/containers/libpod/pkg/chrootuser"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/idtools"
+ "github.com/cyphar/filepath-securejoin"
+ "github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label"
@@ -197,12 +199,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// Look up and add groups the user belongs to, if a group wasn't directly specified
if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") {
- groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Config.Process.User.UID))
- if err != nil && errors.Cause(err) != chrootuser.ErrNoSuchUser {
+ var groupDest, passwdDest string
+ defaultExecUser := user.ExecUser{
+ Uid: 0,
+ Gid: 0,
+ Home: "/",
+ }
+
+ // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty
+ if groupDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/group"); err != nil {
+ logrus.Debug(err)
return nil, err
}
- for _, gid := range groups {
- g.AddProcessAdditionalGid(gid)
+ if passwdDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd"); err != nil {
+ logrus.Debug(err)
+ return nil, err
+ }
+ execUser, err := user.GetExecUserPath(c.config.User, &defaultExecUser, passwdDest, groupDest)
+ if err != nil {
+ return nil, err
+ }
+ for _, gid := range execUser.Sgids {
+ g.AddProcessAdditionalGid(uint32(gid))
}
}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
new file mode 100644
index 00000000000..bec842f294f
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@@ -0,0 +1,28 @@
+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+Copyright (C) 2017 SUSE LLC. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+ * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md
new file mode 100644
index 00000000000..49b2baa9f35
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/README.md
@@ -0,0 +1,65 @@
+## `filepath-securejoin` ##
+
+[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin)
+
+An implementation of `SecureJoin`, a [candidate for inclusion in the Go
+standard library][go#20126]. The purpose of this function is to be a "secure"
+alternative to `filepath.Join`, and in particular it provides certain
+guarantees that are not provided by `filepath.Join`.
+
+This is the function prototype:
+
+```go
+func SecureJoin(root, unsafePath string) (string, error)
+```
+
+This library **guarantees** the following:
+
+* If no error is set, the resulting string **must** be a child path of
+ `SecureJoin` and will not contain any symlink path components (they will all
+ be expanded).
+
+* When expanding symlinks, all symlink path components **must** be resolved
+ relative to the provided root. In particular, this can be considered a
+ userspace implementation of how `chroot(2)` operates on file paths. Note that
+ these symlinks will **not** be expanded lexically (`filepath.Clean` is not
+ called on the input before processing).
+
+* Non-existant path components are unaffected by `SecureJoin` (similar to
+ `filepath.EvalSymlinks`'s semantics).
+
+* The returned path will always be `filepath.Clean`ed and thus not contain any
+ `..` components.
+
+A (trivial) implementation of this function on GNU/Linux systems could be done
+with the following (note that this requires root privileges and is far more
+opaque than the implementation in this library, and also requires that
+`readlink` is inside the `root` path):
+
+```go
+package securejoin
+
+import (
+ "os/exec"
+ "path/filepath"
+)
+
+func SecureJoin(root, unsafePath string) (string, error) {
+ unsafePath = string(filepath.Separator) + unsafePath
+ cmd := exec.Command("chroot", root,
+ "readlink", "--canonicalize-missing", "--no-newline", unsafePath)
+ output, err := cmd.CombinedOutput()
+ if err != nil {
+ return "", err
+ }
+ expanded := string(output)
+ return filepath.Join(root, expanded), nil
+}
+```
+
+[go#20126]: https://github.com/golang/go/issues/20126
+
+### License ###
+
+The license of this project is the same as Go, which is a BSD 3-clause license
+available in the `LICENSE` file.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go
new file mode 100644
index 00000000000..c4ca3d71300
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -0,0 +1,134 @@
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package securejoin is an implementation of the hopefully-soon-to-be-included
+// SecureJoin helper that is meant to be part of the "path/filepath" package.
+// The purpose of this project is to provide a PoC implementation to make the
+// SecureJoin proposal (https://github.com/golang/go/issues/20126) more
+// tangible.
+package securejoin
+
+import (
+ "bytes"
+ "os"
+ "path/filepath"
+ "strings"
+ "syscall"
+
+ "github.com/pkg/errors"
+)
+
+// ErrSymlinkLoop is returned by SecureJoinVFS when too many symlinks have been
+// evaluated in attempting to securely join the two given paths.
+var ErrSymlinkLoop = errors.Wrap(syscall.ELOOP, "secure join")
+
+// IsNotExist tells you if err is an error that implies that either the path
+// accessed does not exist (or path components don't exist). This is
+// effectively a more broad version of os.IsNotExist.
+func IsNotExist(err error) bool {
+ // If it's a bone-fide ENOENT just bail.
+ if os.IsNotExist(errors.Cause(err)) {
+ return true
+ }
+
+ // Check that it's not actually an ENOTDIR, which in some cases is a more
+ // convoluted case of ENOENT (usually involving weird paths).
+ var errno error
+ switch err := errors.Cause(err).(type) {
+ case *os.PathError:
+ errno = err.Err
+ case *os.LinkError:
+ errno = err.Err
+ case *os.SyscallError:
+ errno = err.Err
+ }
+ return errno == syscall.ENOTDIR || errno == syscall.ENOENT
+}
+
+// SecureJoinVFS joins the two given path components (similar to Join) except
+// that the returned path is guaranteed to be scoped inside the provided root
+// path (when evaluated). Any symbolic links in the path are evaluated with the
+// given root treated as the root of the filesystem, similar to a chroot. The
+// filesystem state is evaluated through the given VFS interface (if nil, the
+// standard os.* family of functions are used).
+//
+// Note that the guarantees provided by this function only apply if the path
+// components in the returned string are not modified (in other words are not
+// replaced with symlinks on the filesystem) after this function has returned.
+// Such a symlink race is necessarily out-of-scope of SecureJoin.
+func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
+ // Use the os.* VFS implementation if none was specified.
+ if vfs == nil {
+ vfs = osVFS{}
+ }
+
+ var path bytes.Buffer
+ n := 0
+ for unsafePath != "" {
+ if n > 255 {
+ return "", ErrSymlinkLoop
+ }
+
+ // Next path component, p.
+ i := strings.IndexRune(unsafePath, filepath.Separator)
+ var p string
+ if i == -1 {
+ p, unsafePath = unsafePath, ""
+ } else {
+ p, unsafePath = unsafePath[:i], unsafePath[i+1:]
+ }
+
+ // Create a cleaned path, using the lexical semantics of /../a, to
+ // create a "scoped" path component which can safely be joined to fullP
+ // for evaluation. At this point, path.String() doesn't contain any
+ // symlink components.
+ cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p)
+ if cleanP == string(filepath.Separator) {
+ path.Reset()
+ continue
+ }
+ fullP := filepath.Clean(root + cleanP)
+
+ // Figure out whether the path is a symlink.
+ fi, err := vfs.Lstat(fullP)
+ if err != nil && !IsNotExist(err) {
+ return "", err
+ }
+ // Treat non-existent path components the same as non-symlinks (we
+ // can't do any better here).
+ if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {
+ path.WriteString(p)
+ path.WriteRune(filepath.Separator)
+ continue
+ }
+
+ // Only increment when we actually dereference a link.
+ n++
+
+ // It's a symlink, expand it by prepending it to the yet-unparsed path.
+ dest, err := vfs.Readlink(fullP)
+ if err != nil {
+ return "", err
+ }
+ // Absolute symlinks reset any work we've already done.
+ if filepath.IsAbs(dest) {
+ path.Reset()
+ }
+ unsafePath = dest + string(filepath.Separator) + unsafePath
+ }
+
+ // We have to clean path.String() here because it may contain '..'
+ // components that are entirely lexical, but would be misleading otherwise.
+ // And finally do a final clean to ensure that root is also lexically
+ // clean.
+ fullP := filepath.Clean(string(filepath.Separator) + path.String())
+ return filepath.Clean(root + fullP), nil
+}
+
+// SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library
+// of functions as the VFS. If in doubt, use this function over SecureJoinVFS.
+func SecureJoin(root, unsafePath string) (string, error) {
+ return SecureJoinVFS(root, unsafePath, nil)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/vendor.conf b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf
new file mode 100644
index 00000000000..66bb574b955
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf
@@ -0,0 +1 @@
+github.com/pkg/errors v0.8.0
diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
new file mode 100644
index 00000000000..a82a5eae11e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
@@ -0,0 +1,41 @@
+// Copyright (C) 2017 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import "os"
+
+// In future this should be moved into a separate package, because now there
+// are several projects (umoci and go-mtree) that are using this sort of
+// interface.
+
+// VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is
+// equivalent to using the standard os.* family of functions. This is mainly
+// used for the purposes of mock testing, but also can be used to otherwise use
+// SecureJoin with VFS-like system.
+type VFS interface {
+ // Lstat returns a FileInfo describing the named file. If the file is a
+ // symbolic link, the returned FileInfo describes the symbolic link. Lstat
+ // makes no attempt to follow the link. These semantics are identical to
+ // os.Lstat.
+ Lstat(name string) (os.FileInfo, error)
+
+ // Readlink returns the destination of the named symbolic link. These
+ // semantics are identical to os.Readlink.
+ Readlink(name string) (string, error)
+}
+
+// osVFS is the "nil" VFS, in that it just passes everything through to the os
+// module.
+type osVFS struct{}
+
+// Lstat returns a FileInfo describing the named file. If the file is a
+// symbolic link, the returned FileInfo describes the symbolic link. Lstat
+// makes no attempt to follow the link. These semantics are identical to
+// os.Lstat.
+func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) }
+
+// Readlink returns the destination of the named symbolic link. These
+// semantics are identical to os.Readlink.
+func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) }

388
CVE-2021-20188-PRE2.patch
View File

@ -1,388 +0,0 @@
From 1dd7f13dfbc1dd377eabace0239b1c05cd60b144 Mon Sep 17 00:00:00 2001
From: baude <bbaude@redhat.com>
Date: Thu, 25 Oct 2018 13:39:25 -0500
Subject: [PATCH] get user and group information using securejoin and runc's
user library
for the purposes of performance and security, we use securejoin to contstruct
the root fs's path so that symlinks are what they appear to be and no pointing
to something naughty.
then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group
methods which saves us quite a bit of performance.
Signed-off-by: baude <bbaude@redhat.com>
---
libpod/container_api.go | 8 +-
libpod/container_internal.go | 56 ++++++-----
libpod/container_internal_linux.go | 44 ++------
pkg/lookup/lookup.go | 156 +++++++++++++++++++++++++++++
4 files changed, 201 insertions(+), 63 deletions(-)
create mode 100644 pkg/lookup/lookup.go
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 41a131ea212..83f93cf9eb6 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -10,8 +10,8 @@ import (
"time"
"github.com/containers/libpod/libpod/driver"
- "github.com/containers/libpod/pkg/chrootuser"
"github.com/containers/libpod/pkg/inspect"
+ "github.com/containers/libpod/pkg/lookup"
"github.com/containers/storage/pkg/stringid"
"github.com/docker/docker/daemon/caps"
"github.com/pkg/errors"
@@ -292,13 +292,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
// the host
hostUser := ""
if user != "" {
- uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, user)
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
if err != nil {
- return errors.Wrapf(err, "error getting user to launch exec session as")
+ return err
}
// runc expects user formatted as uid:gid
- hostUser = fmt.Sprintf("%d:%d", uid, gid)
+ hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
}
// Generate exec session ID
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 2af216358b4..d928c4aedd5 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -12,9 +13,9 @@ import (
"strings"
"syscall"
- "github.com/containers/libpod/pkg/chrootuser"
"github.com/containers/libpod/pkg/hooks"
"github.com/containers/libpod/pkg/hooks/exec"
+ "github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/resolvconf"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/secrets"
@@ -1094,6 +1095,7 @@ func (c *Container) generateHosts() (str
}
func (c *Container) addLocalVolumes(ctx context.Context, g *generate.Generator) error {
+ var uid, gid int
mountPoint := c.state.Mountpoint
if !c.state.Mounted {
return errors.Wrapf(ErrInternal, "container is not mounted")
@@ -1117,6 +1119,18 @@ func (c *Container) addLocalVolumes(ctx
}
}
+ if c.config.User != "" {
+ if !c.state.Mounted {
+ return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
+ }
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil)
+ if err != nil {
+ return err
+ }
+ uid = execUser.Uid
+ gid = execUser.Gid
+ }
+
for k := range imageData.ContainerConfig.Volumes {
mount := spec.Mount{
Destination: k,
@@ -1129,27 +1143,13 @@ func (c *Container) addLocalVolumes(ctx
volumePath := filepath.Join(c.config.StaticDir, "volumes", k)
srcPath := filepath.Join(mountPoint, k)
- var (
- uid uint32
- gid uint32
- )
- if c.config.User != "" {
- if !c.state.Mounted {
- return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
- }
- uid, gid, err = chrootuser.GetUser(c.state.Mountpoint, c.config.User)
- if err != nil {
- return err
- }
- }
-
if _, err := os.Stat(srcPath); os.IsNotExist(err) {
logrus.Infof("Volume image mount point %s does not exist in root FS, need to create it", k)
if err = os.MkdirAll(srcPath, 0755); err != nil {
return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, k, c.ID)
}
- if err = os.Chown(srcPath, int(uid), int(gid)); err != nil {
+ if err = os.Chown(srcPath, uid, gid); err != nil {
return errors.Wrapf(err, "error chowning directory %q for volume %q in container %q", srcPath, k, c.ID)
}
}
@@ -1159,7 +1159,7 @@ func (c *Container) addLocalVolumes(ctx
return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, k, c.ID)
}
- if err = os.Chown(volumePath, int(uid), int(gid)); err != nil {
+ if err = os.Chown(volumePath, uid, gid); err != nil {
return errors.Wrapf(err, "error chowning directory %q for volume %q in container %q", volumePath, k, c.ID)
}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 0a1784ba740..7bf2c71cac6 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -17,11 +17,9 @@ import (
cnitypes "github.com/containernetworking/cni/pkg/types/current"
crioAnnotations "github.com/containers/libpod/pkg/annotations"
- "github.com/containers/libpod/pkg/chrootuser"
+ "github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/idtools"
- "github.com/cyphar/filepath-securejoin"
- "github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label"
@@ -135,6 +133,10 @@ func (c *Container) cleanupNetwork() error {
// Generate spec for a container
// Accepts a map of the container's dependencies
func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil)
+ if err != nil {
+ return nil, err
+ }
g := generate.NewFromSpec(c.config.Spec)
// If network namespace was requested, add it now
@@ -188,7 +190,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
- var err error
if !rootless.IsRootless() {
if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
return nil, errors.Wrapf(err, "error setting up OCI Hooks")
@@ -206,13 +207,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
if !c.state.Mounted {
return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
}
- uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, c.config.User)
- if err != nil {
- return nil, err
- }
// User and Group must go together
- g.SetProcessUID(uid)
- g.SetProcessGID(gid)
+ g.SetProcessUID(uint32(execUser.Uid))
+ g.SetProcessGID(uint32(execUser.Gid))
}
// Add addition groups if c.config.GroupAdd is not empty
@@ -220,11 +217,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
if !c.state.Mounted {
return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to add additional groups", c.ID())
}
- for _, group := range c.config.Groups {
- gid, err := chrootuser.GetGroup(c.state.Mountpoint, group)
- if err != nil {
- return nil, err
- }
+ gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil)
+ for _, gid := range gids {
g.AddProcessAdditionalGid(gid)
}
}
@@ -237,26 +231,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// Look up and add groups the user belongs to, if a group wasn't directly specified
if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") {
- var groupDest, passwdDest string
- defaultExecUser := user.ExecUser{
- Uid: 0,
- Gid: 0,
- Home: "/",
- }
-
- // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty
- if groupDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/group"); err != nil {
- logrus.Debug(err)
- return nil, err
- }
- if passwdDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd"); err != nil {
- logrus.Debug(err)
- return nil, err
- }
- execUser, err := user.GetExecUserPath(c.config.User, &defaultExecUser, passwdDest, groupDest)
- if err != nil {
- return nil, err
- }
for _, gid := range execUser.Sgids {
g.AddProcessAdditionalGid(uint32(gid))
}
diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go
new file mode 100644
index 00000000000..b27e2a724bc
--- /dev/null
+++ b/pkg/lookup/lookup.go
@@ -0,0 +1,156 @@
+package lookup
+
+import (
+ "github.com/cyphar/filepath-securejoin"
+ "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/sirupsen/logrus"
+ "strconv"
+)
+
+const (
+ etcpasswd = "/etc/passwd"
+ etcgroup = "/etc/group"
+)
+
+// Overrides allows you to override defaults in GetUserGroupInfo
+type Overrides struct {
+ DefaultUser *user.ExecUser
+ ContainerEtcPasswdPath string
+ ContainerEtcGroupPath string
+}
+
+// GetUserGroupInfo takes string forms of the the container's mount path and the container user and
+// returns a ExecUser with uid, gid, sgids, and home. And override can be provided for defaults.
+func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) (*user.ExecUser, error) {
+ var (
+ passwdDest, groupDest string
+ defaultExecUser *user.ExecUser
+ err error
+ )
+ passwdPath := etcpasswd
+ groupPath := etcgroup
+
+ if override != nil {
+ // Check for an override /etc/passwd path
+ if override.ContainerEtcPasswdPath != "" {
+ passwdPath = override.ContainerEtcPasswdPath
+ }
+ // Check for an override for /etc/group path
+ if override.ContainerEtcGroupPath != "" {
+ groupPath = override.ContainerEtcGroupPath
+ }
+ }
+
+ // Check for an override default user
+ if override != nil && override.DefaultUser != nil {
+ defaultExecUser = override.DefaultUser
+ } else {
+ // Define a default container user
+ //defaultExecUser = &user.ExecUser{
+ // Uid: 0,
+ // Gid: 0,
+ // Home: "/",
+ defaultExecUser = nil
+
+ }
+
+ // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty
+ if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil {
+ logrus.Debug(err)
+ return nil, err
+ }
+ if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil {
+ logrus.Debug(err)
+ return nil, err
+ }
+ return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest)
+}
+
+// GetContainerGroups uses securejoin to get a list of numerical groupids from a container. Per the runc
+// function it calls: If a group name cannot be found, an error will be returned. If a group id cannot be found,
+// or the given group data is nil, the id will be returned as-is provided it is in the legal range.
+func GetContainerGroups(groups []string, containerMount string, override *Overrides) ([]uint32, error) {
+ var (
+ groupDest string
+ err error
+ uintgids []uint32
+ )
+
+ groupPath := etcgroup
+ if override != nil && override.ContainerEtcGroupPath != "" {
+ groupPath = override.ContainerEtcGroupPath
+ }
+
+ if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil {
+ logrus.Debug(err)
+ return nil, err
+ }
+
+ gids, err := user.GetAdditionalGroupsPath(groups, groupDest)
+ if err != nil {
+ return nil, err
+ }
+ // For libpod, we want []uint32s
+ for _, gid := range gids {
+ uintgids = append(uintgids, uint32(gid))
+ }
+ return uintgids, nil
+}
+
+// GetUser takes a containermount path and user name or id and returns
+// a matching User structure from /etc/passwd. If it cannot locate a user
+// with the provided information, an ErrNoPasswdEntries is returned.
+func GetUser(containerMount, userIDorName string) (*user.User, error) {
+ var inputIsName bool
+ uid, err := strconv.Atoi(userIDorName)
+ if err != nil {
+ inputIsName = true
+ }
+ passwdDest, err := securejoin.SecureJoin(containerMount, etcpasswd)
+ if err != nil {
+ return nil, err
+ }
+ users, err := user.ParsePasswdFileFilter(passwdDest, func(u user.User) bool {
+ if inputIsName {
+ return u.Name == userIDorName
+ }
+ return u.Uid == uid
+ })
+ if err != nil {
+ return nil, err
+ }
+ if len(users) > 0 {
+ return &users[0], nil
+ }
+ return nil, user.ErrNoPasswdEntries
+}
+
+// GetGroup takes ac ontainermount path and a group name or id and returns
+// a match Group struct from /etc/group. if it cannot locate a group,
+// an ErrNoGroupEntries error is returned.
+func GetGroup(containerMount, groupIDorName string) (*user.Group, error) {
+ var inputIsName bool
+ gid, err := strconv.Atoi(groupIDorName)
+ if err != nil {
+ inputIsName = true
+ }
+
+ groupDest, err := securejoin.SecureJoin(containerMount, etcgroup)
+ if err != nil {
+ return nil, err
+ }
+
+ groups, err := user.ParseGroupFileFilter(groupDest, func(g user.Group) bool {
+ if inputIsName {
+ return g.Name == groupIDorName
+ }
+ return g.Gid == gid
+ })
+ if err != nil {
+ return nil, err
+ }
+ if len(groups) > 0 {
+ return &groups[0], nil
+ }
+ return nil, user.ErrNoGroupEntries
+}

181
CVE-2021-20188-PRE3.patch
View File

@ -1,181 +0,0 @@
From 867669374c3fdd39f2629e53cbe7430f1bc3e085 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Tue, 8 Jan 2019 12:53:50 +0100
Subject: [PATCH] Add a --workdir option to 'podman exec'
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
---
cmd/podman/common.go | 9 +++++----
cmd/podman/exec.go | 3 ++-
completions/bash/podman | 2 ++
docs/podman-exec.1.md | 8 ++++++++
libpod/container_api.go | 4 ++--
libpod/oci.go | 6 ++++--
test/e2e/exec_test.go | 32 ++++++++++++++++++++++++++++++++
7 files changed, 55 insertions(+), 9 deletions(-)
diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index 0fc9a6accfd..d934c869946 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -28,6 +28,10 @@ var (
Name: "latest, l",
Usage: "act on the latest pod podman is aware of",
}
+ WorkDirFlag = cli.StringFlag{
+ Name: "workdir, w",
+ Usage: "Working directory inside the container",
+ }
)
const (
@@ -522,10 +526,7 @@ var createFlags = []cli.Flag{
Name: "volumes-from",
Usage: "Mount volumes from the specified container(s) (default [])",
},
- cli.StringFlag{
- Name: "workdir, w",
- Usage: "Working `directory inside the container",
- },
+ WorkDirFlag,
}
func getFormat(c *cli.Context) (string, error) {
diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go
index c03834dea23..073e72e6404 100644
--- a/cmd/podman/exec.go
+++ b/cmd/podman/exec.go
@@ -34,6 +34,7 @@ var (
Usage: "Sets the username or UID used and optionally the groupname or GID for the specified command",
},
LatestFlag,
+ WorkDirFlag,
}
execDescription = `
podman exec
@@ -108,5 +109,5 @@ func execCmd(c *cli.Context) error {
envs = append(envs, fmt.Sprintf("%s=%s", k, v))
}
- return ctr.Exec(c.Bool("tty"), c.Bool("privileged"), envs, cmd, c.String("user"))
+ return ctr.Exec(c.Bool("tty"), c.Bool("privileged"), envs, cmd, c.String("user"), c.String("workdir"))
}
diff --git a/completions/bash/podman b/completions/bash/podman
index d65f54690e3..e23615d5256 100644
--- a/completions/bash/podman
+++ b/completions/bash/podman
@@ -1111,6 +1111,8 @@ _podman_exec() {
--env
--user
-u
+ --workdir
+ -w
"
local boolean_options="
--latest
diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md
index 284fa5a4a29..77317b0cabd 100644
--- a/docs/podman-exec.1.md
+++ b/docs/podman-exec.1.md
@@ -38,6 +38,14 @@ Sets the username or UID used and optionally the groupname or GID for the specif
The following examples are all valid:
--user [user | user:group | uid | uid:gid | user:gid | uid:group ]
+**--workdir**, **-w**=""
+
+Working directory inside the container
+
+The default working directory for running binaries within a container is the root directory (/).
+The image developer can set a different default with the WORKDIR instruction, which can be overridden
+when creating the container.
+
## SEE ALSO
podman(1), podman-run(1)
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 09bc46905ae..4eaf737b09a 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -262,7 +262,7 @@ func (c *Container) Kill(signal uint) error {
// Exec starts a new process inside the container
// TODO allow specifying streams to attach to
// TODO investigate allowing exec without attaching
-func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) error {
+func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
var capList []string
locked := false
@@ -324,7 +324,7 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, hostUser, sessionID)
+ execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
if err != nil {
return errors.Wrapf(err, "error exec %s", c.ID())
}
diff --git a/libpod/oci.go b/libpod/oci.go
index 093bfdd3573..31c1a7e8514 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -728,7 +728,7 @@ func (r *OCIRuntime) unpauseContainer(ctr *Container) error {
// TODO: Add --detach support
// TODO: Convert to use conmon
// TODO: add --pid-file and use that to generate exec session tracking
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, user, sessionID string) (*exec.Cmd, error) {
+func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
if len(cmd) == 0 {
return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
}
@@ -749,7 +749,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
args = append(args, "exec")
- args = append(args, "--cwd", c.config.Spec.Process.Cwd)
+ if cwd != "" {
+ args = append(args, "--cwd", cwd)
+ }
args = append(args, "--pid-file", c.execPidPath(sessionID))
diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
index fec80717fa2..a181501a5ff 100644
--- a/test/e2e/exec_test.go
+++ b/test/e2e/exec_test.go
@@ -127,4 +127,36 @@ var _ = Describe("Podman exec", func() {
Expect(session2.ExitCode()).To(Equal(0))
Expect(session2.OutputToString()).To(Equal(testUser))
})
+
+ It("podman exec simple working directory test", func() {
+ setup := podmanTest.RunTopContainer("test1")
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"exec", "-l", "--workdir", "/tmp", "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("/tmp")
+ Expect(match).Should(BeTrue())
+
+ session = podmanTest.Podman([]string{"exec", "-l", "-w", "/tmp", "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ = session.GrepString("/tmp")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman exec missing working directory test", func() {
+ setup := podmanTest.RunTopContainer("test1")
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"exec", "-l", "--workdir", "/missing", "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(1))
+
+ session = podmanTest.Podman([]string{"exec", "-l", "-w", "/missing", "pwd"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(1))
+ })
})

320
CVE-2021-20188.patch
View File

@ -1,320 +0,0 @@
From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Mon, 25 Jan 2021 14:18:07 -0500
Subject: [PATCH] Correct handling of capabilities
Ensure that capabilities are properly handled for non-root users
in privileged containers. We do not want to give full caps, but
instead only CapInh and CapEff (others should be all-zeroes).
Fixing `podman run` is easy - the same code as the Podman 1.6 fix
works there. The `podman exec` command is far more challenging.
Exec received a complete rewrite to use Conmon at some point
before Podman 1.6, and gained many capabilities in the process.
One of those was the ability to actually tweak the capabilities
of the exec process - 1.0 did not have that. Since it was needed
to resolve this CVE, I was forced to backport a large bit of the
1.0 -> 1.6 exec changes (passing a Process block to the OCI
runtime, and using `prepareProcessExec()` to prepare said block).
I am honestly uncomfortable with the size and scope of this
change but I don't see another way around this.
Fixes CVE-2021-20188
Signed-off-by: Matthew Heon <mheon@redhat.com>
---
libpod/container_api.go | 24 +------
libpod/oci.go | 148 ++++++++++++++++++++++++++++++++--------
pkg/spec/spec.go | 8 +++
3 files changed, 132 insertions(+), 48 deletions(-)
diff --git a/libpod/container_api.go b/libpod/container_api.go
index fe66abf7a8f..b10596f6228 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -2,7 +2,6 @@ package libpod
import (
"context"
- "fmt"
"io/ioutil"
"os"
"strconv"
@@ -11,9 +10,7 @@ import (
"github.com/containers/libpod/libpod/driver"
"github.com/containers/libpod/pkg/inspect"
- "github.com/containers/libpod/pkg/lookup"
"github.com/containers/storage/pkg/stringid"
- "github.com/docker/docker/daemon/caps"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"k8s.io/apimachinery/pkg/util/wait"
@@ -260,8 +257,6 @@ func (c *Container) Kill(signal uint) er
// TODO allow specifying streams to attach to
// TODO investigate allowing exec without attaching
func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
- var capList []string
-
locked := false
if !c.batched {
locked = true
@@ -284,22 +279,8 @@ func (c *Container) Exec(tty, privileged
if conState != ContainerStateRunning {
return errors.Errorf("cannot exec into container that is not running")
}
- if privileged || c.config.Privileged {
- capList = caps.GetAllCapabilities()
- }
- // If user was set, look it up in the container to get a UID to use on
- // the host
- hostUser := ""
- if user != "" {
- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
- if err != nil {
- return err
- }
-
- // runc expects user formatted as uid:gid
- hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
- }
+ isPrivileged := privileged || c.config.Privileged
// Generate exec session ID
// Ensure we don't conflict with an existing session ID
@@ -321,10 +303,11 @@ func (c *Container) Exec(tty, privileged
logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
if err != nil {
return errors.Wrapf(err, "error exec %s", c.ID())
}
+ defer os.Remove(processFile)
pidFile := c.execPidPath(sessionID)
// 1 second seems a reasonable time to wait
diff --git a/libpod/oci.go b/libpod/oci.go
index a1894b52fbe..79217dced5d 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -15,10 +15,12 @@ import (
"syscall"
"time"
+ "github.com/containers/libpod/pkg/lookup"
"github.com/containers/libpod/pkg/ctime"
"github.com/containers/libpod/pkg/rootless"
"github.com/coreos/go-systemd/activation"
"github.com/cri-o/ocicni/pkg/ocicni"
+ "github.com/docker/docker/daemon/caps"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
@@ -689,18 +691,23 @@ func (r *OCIRuntime) unpauseContainer(ct
// TODO: Add --detach support
// TODO: Convert to use conmon
// TODO: add --pid-file and use that to generate exec session tracking
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
if len(cmd) == 0 {
- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
}
if sessionID == "" {
- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
}
runtimeDir, err := GetRootlessRuntimeDir()
if err != nil {
- return nil, err
+ return nil, "", err
+ }
+
+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
+ if err != nil {
+ return nil, "", err
}
args := []string{}
@@ -710,32 +717,14 @@ func (r *OCIRuntime) execContainer(c *Co
args = append(args, "exec")
- if cwd != "" {
- args = append(args, "--cwd", cwd)
- }
+ args = append(args, "--process", processFile)
args = append(args, "--pid-file", c.execPidPath(sessionID))
- if tty {
- args = append(args, "--tty")
- }
-
- if user != "" {
- args = append(args, "--user", user)
- }
-
if c.config.Spec.Process.NoNewPrivileges {
args = append(args, "--no-new-privs")
}
- for _, cap := range capAdd {
- args = append(args, "--cap", cap)
- }
-
- for _, envVar := range env {
- args = append(args, "--env", envVar)
- }
-
// Append container ID and command
args = append(args, c.ID())
args = append(args, cmd...)
@@ -749,10 +738,10 @@ func (r *OCIRuntime) execContainer(c *Co
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
if err := execCmd.Start(); err != nil {
- return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
}
- return execCmd, nil
+ return execCmd, processFile, nil
}
// execStopContainer stops all active exec sessions in a container
@@ -831,3 +820,110 @@ func (r *OCIRuntime) checkpointContainer
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "checkpoint",
"--image-path", imagePath, "--work-path", workPath, ctr.ID())
}
+
+// prepareProcessExec returns the path of the process.json used in runc exec -p.
+// Returns path to the created exec process file. This will need to be removed
+// by the caller when they're done, best effort.
+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
+ if err != nil {
+ return "", err
+ }
+ defer f.Close()
+
+ pspec := c.config.Spec.Process
+ pspec.SelinuxLabel = c.config.ProcessLabel
+ pspec.Args = cmd
+ // We need to default this to false else it will inherit terminal as true
+ // from the container.
+ pspec.Terminal = false
+ if tty {
+ pspec.Terminal = true
+ }
+ if len(env) > 0 {
+ pspec.Env = append(pspec.Env, env...)
+ }
+
+ if cwd != "" {
+ pspec.Cwd = cwd
+
+ }
+
+ var addGroups []string
+ var sgids []uint32
+
+ // if the user is empty, we should inherit the user that the container is currently running with
+ if user == "" {
+ user = c.config.User
+ addGroups = c.config.Groups
+ }
+
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
+ if err != nil {
+ return "", err
+ }
+
+ if len(addGroups) > 0 {
+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
+ if err != nil {
+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
+ }
+ }
+
+ // If user was set, look it up in the container to get a UID to use on
+ // the host
+ if user != "" || len(sgids) > 0 {
+ if user != "" {
+ for _, sgid := range execUser.Sgids {
+ sgids = append(sgids, uint32(sgid))
+ }
+ }
+ processUser := spec.User{
+ UID: uint32(execUser.Uid),
+ GID: uint32(execUser.Gid),
+ AdditionalGids: sgids,
+ }
+
+ pspec.User = processUser
+ }
+
+ allCaps := caps.GetAllCapabilities()
+ pspec.Capabilities.Effective = []string{}
+ if privileged {
+ pspec.Capabilities.Bounding = allCaps
+ } else {
+ pspec.Capabilities.Bounding = []string{}
+ }
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective
+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective
+ }
+
+ hasHomeSet := false
+ for _, s := range pspec.Env {
+ if strings.HasPrefix(s, "HOME=") {
+ hasHomeSet = true
+ break
+ }
+ }
+ if !hasHomeSet {
+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
+ }
+
+ processJSON, err := json.Marshal(pspec)
+ if err != nil {
+ return "", err
+ }
+
+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
+ return "", err
+ }
+
+ return filename, nil
+}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 46105af4aef..d4f13711859 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
}
} else {
g.SetupPrivileged(true)
+ if config.User != "" {
+ user := strings.SplitN(config.User, ":", 2)[0]
+ if user != "root" && user != "0" {
+ g.Spec().Process.Capabilities.Effective = []string{}
+ g.Spec().Process.Capabilities.Permitted = []string{}
+ g.Spec().Process.Capabilities.Ambient = []string{}
+ }
+ }
}
// HANDLE SECCOMP

BIN
dnsname-18822f9.tar.gz Normal file
View File

Binary file not shown.

BIN
gvisor-tap-vsock-4ee84d6.tar.gz Normal file
View File

Binary file not shown.

BIN
libpod-e4a1553.tar.gz
View File

Binary file not shown.

BIN
podman-machine-cni-0749884.tar.gz Normal file
View File

Binary file not shown.

434
podman.spec
View File

@ -1,146 +1,75 @@
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=openEuler-hardened-ld '" -a -v -x %{?**};
Name: podman
Version: 0.10.1
Release: 12
Version: 3.4.4
Release: 1
Summary: A daemonless container engine for managing Containers
Epoch: 1
Epoch: 0
License: ASL 2.0
URL: https://podman.io/
Source0: https://github.com/containers/libpod/archive/e4a155328fb88590fafd3d4e845f9bca49133f62/libpod-e4a1553.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Source0: https://github.com/containers/podman/archive/v3.4.4.tar.gz
Source1: https://github.com/containers/dnsname/archive/18822f9a4fb35d1349eb256f4cd2bfd372474d84/dnsname-18822f9.tar.gz
Source2: https://github.com/containers/podman-machine-cni/archive/0749884b8d1a455c68da30789e37811ec0809d51/podman-machine-cni-0749884.tar.gz
Source3: https://github.com/containers/gvisor-tap-vsock/archive/4ee84d66bd86668f011733d8873989b5862bcd07/gvisor-tap-vsock-4ee84d6.tar.gz
Source4: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
BuildRequires: golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel
BuildRequires: libselinux-devel ostree-devel pkgconfig make
Requires: docker-runc containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon
Requires: crun containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon
Requires: (container-selinux if selinux-policy)
Recommends: slirp4netns
Recommends: %{name}-plugins = %{epoch}:%{version}-%{release}
Recommends: slirp4netns catatonit
Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
Provides: bundled(golang(github.com/boltdb/bolt)) = master
Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3
Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0
Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b
Provides: bundled(golang(github.com/containerd/continuity)) = master
Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418
Provides: bundled(golang(github.com/containers/psgo)) = 5dde6da0bc8831b35243a847625bcf18183bd1ee
Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
Provides: bundled(golang(github.com/coreos/go-systemd)) = v14
Provides: bundled(golang(github.com/cri-o/ocicni)) = master
Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1
Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0
Provides: bundled(golang(github.com/docker/distribution)) = 7a8efe719e55bbfaff7bc5718cdf0ed51ca821df
Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00
Provides: bundled(golang(github.com/docker/docker-credential-helpers)) = d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
Provides: bundled(golang(github.com/docker/go-connections)) = 3ede32e2033de7505e6500d6c868c2b9ed9f169d
Provides: bundled(golang(github.com/docker/go-units)) = v0.3.2
Provides: bundled(golang(github.com/docker/libtrust)) = aabc10ec26b754e797f9028f4589c5b7bd90dc20
Provides: bundled(golang(github.com/docker/spdystream)) = ed496381df8283605c435b86d4fdd6f4f20b8c6e
Provides: bundled(golang(github.com/fatih/camelcase)) = f6a740d52f961c60348ebb109adde9f4635d7540
Provides: bundled(golang(github.com/fsnotify/fsnotify)) = 7d7316ed6e1ed2de075aab8dfc76de5d158d66e1
Provides: bundled(golang(github.com/fsouza/go-dockerclient)) = master
Provides: bundled(golang(github.com/ghodss/yaml)) = 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
Provides: bundled(golang(github.com/godbus/dbus)) = a389bdde4dd695d414e47b755e95e72b7826432c
Provides: bundled(golang(github.com/gogo/protobuf)) = c0656edd0d9eab7c66d1eb0c568f9039345796f7
Provides: bundled(golang(github.com/golang/glog)) = 23def4e6c14b4da8ac2ed8007337bc5eb5007998
Provides: bundled(golang(github.com/golang/groupcache)) = b710c8433bd175204919eb38776e944233235d03
Provides: bundled(golang(github.com/golang/protobuf)) = 4bd1920723d7b7c925de087aa32e2187708897f7
Provides: bundled(golang(github.com/googleapis/gnostic)) = 0c5108395e2debce0d731cf0287ddf7242066aba
Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c
Provides: bundled(golang(github.com/gorilla/context)) = v1.1
Provides: bundled(golang(github.com/gorilla/mux)) = v1.3.0
Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55
Provides: bundled(golang(github.com/hashicorp/golang-lru)) = 0a025b7e63adc15a622f29b0b2c4c3848243bbf6
Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe4df460eeb6f30841ae47d4c4
Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2
Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0
Provides: bundled(golang(github.com/kr/pty)) = v1.0.0
Provides: bundled(golang(github.com/mailru/easyjson)) = 03f2033d19d5860aef995fe360ac7d395cd8ce65
Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1
Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a
Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982
Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1
Provides: bundled(golang(github.com/mrunalp/fileutils)) = master
Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9
Provides: bundled(golang(github.com/Nvveen/Gotty)) = master
Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0
Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0
Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = master
Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a
Provides: bundled(golang(github.com/openshift/imagebuilder)) = master
Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master
Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2
Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
Provides: bundled(golang(github.com/projectatomic/buildah)) = 745bf7e56bda740ce7cfc55318da08529e5ed519
Provides: bundled(golang(github.com/seccomp/containers-golang)) = master
Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0
Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
Provides: bundled(golang(github.com/spf13/pflag)) = 9ff6c6923cfffbcd502984b8e0c80539a94968b7
Provides: bundled(golang(github.com/stretchr/testify)) = 4d4bfba8f1d1027c4fdbe371823030df51419987
Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b3855136a2642b197bad7366ba
Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4
Provides: bundled(golang(github.com/ulule/deepcopier)) = master
Provides: bundled(golang(github.com/urfave/cli)) = 934abfb2f102315b5794e15ebc7949e4ca253920
Provides: bundled(golang(github.com/varlink/go)) = master
Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2
Provides: bundled(golang(github.com/vishvananda/netlink)) = master
Provides: bundled(golang(github.com/vishvananda/netns)) = master
Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = master
Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = master
Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = master
Provides: bundled(golang(golang.org/x/crypto)) = 81e90905daefcd6fd217b62423c0908922eadb30
Provides: bundled(golang(golang.org/x/net)) = c427ad74c6d7a814201695e9ffde0c5d400a7674
Provides: bundled(golang(golang.org/x/sys)) = master
Provides: bundled(golang(golang.org/x/text)) = f72d8390a633d5dfb0cc84043294db9f6c935756
Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631
Provides: bundled(golang(google.golang.org/grpc)) = v1.0.4
Provides: bundled(golang(gopkg.in/cheggaaa/pb.v1)) = v1.0.7
Provides: bundled(golang(gopkg.in/inf.v0)) = v0.9.0
Provides: bundled(golang(gopkg.in/mgo.v2)) = v2
Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = v2.1.3
Provides: bundled(golang(gopkg.in/yaml.v2)) = v2
Provides: bundled(golang(k8s.io/api)) = 5ce4aa0bf2f097f6021127b3d879eeda82026be8
Provides: bundled(golang(k8s.io/apiextensions-apiserver)) = 1b31e26d82f1ec2e945c560790e98f34bb5f2e63
Provides: bundled(golang(k8s.io/apimachinery)) = 616b23029fa3dc3e0ccefd47963f5651a6543d94
Provides: bundled(golang(k8s.io/apiserver)) = 4d1163080139f1f9094baf8a3a6099e85e1867f6
Provides: bundled(golang(k8s.io/client-go)) = 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e
Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee5560b555ac9
Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e
Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.3.1
Provides: bundled(golang(github.com/containernetworking/cni)) = v0.8.0
Provides: bundled(golang(github.com/containernetworking/plugins)) = v0.8.7
Provides: bundled(golang(github.com/containers/image/v5)) = v5.5.2
Provides: bundled(golang(github.com/containers/psgo)) = v1.5.1
Provides: bundled(golang(github.com/containers/storage)) = v1.23.2
Provides: bundled(golang(github.com/coreos/go-systemd/v22)) = v22.1.0
Provides: bundled(golang(github.com/cri-o/ocicni)) = v0.2.0
Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.2
Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.1
Provides: bundled(golang(github.com/docker/distribution)) = v2.7.1+incompatible
Provides: bundled(golang(github.com/docker/go-connections)) = v0.4.0
Provides: bundled(golang(github.com/docker/go-units)) = v0.4.0
Provides: bundled(golang(github.com/fsnotify/fsnotify)) = v1.4.9
Provides: bundled(golang(github.com/ghodss/yaml)) = v1.0.0
Provides: bundled(golang(github.com/godbus/dbus/v5)) = v5.0.3
Provides: bundled(golang(github.com/google/uuid)) = v1.1.2
Provides: bundled(golang(github.com/gorilla/mux)) = v1.7.4
Provides: bundled(golang(github.com/gorilla/schema)) = v1.2.0
Provides: bundled(golang(github.com/hashicorp/go-multierror)) = v1.1.0
Provides: bundled(golang(github.com/hpcloud/tail)) = v1.0.0
Provides: bundled(golang(github.com/json-iterator/go)) = v1.1.10
Provides: bundled(golang(github.com/onsi/ginkgo)) = v1.14.0
Provides: bundled(golang(github.com/onsi/gomega)) = v1.10.1
Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0
Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = v0.9.0
Provides: bundled(golang(github.com/opencontainers/selinux)) = v1.6.0
Provides: bundled(golang(github.com/opentracing/opentracing-go)) = v1.2.0
Provides: bundled(golang(github.com/pkg/errors)) = v0.9.1
Provides: bundled(golang(github.com/pmezard/go-difflib)) = v1.0.0
Provides: bundled(golang(github.com/rootless-containers/rootlesskit)) = v0.10.0
Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.6.0
Provides: bundled(golang(github.com/spf13/cobra)) = v0.0.7
Provides: bundled(golang(github.com/spf13/pflag)) = v1.0.5
Provides: bundled(golang(github.com/stretchr/testify)) = v1.6.1
Provides: bundled(golang(github.com/uber/jaeger-client-go)) = v2.25.0+incompatible
Provides: bundled(golang(github.com/uber/jaeger-lib)) = v2.2.0+incompatible
Provides: bundled(golang(github.com/vishvananda/netlink)) = v1.1.0
Provides: bundled(golang(go.etcd.io/bbolt)) = v1.3.5
Provides: bundled(golang(k8s.io/api)) = v0.18.8
Provides: bundled(golang(k8s.io/apimachinery)) = v0.19.0
Patch1: 0001-podman-patch-for-local-search.patch
Patch2: CVE-2021-20188-PRE1.patch
Patch3: CVE-2021-20188-PRE2.patch
Patch4: CVE-2021-20188-PRE3.patch
Patch5: CVE-2021-20188.patch
Patch6: 0002-Fix-the-invalid-memory-address-reference.patch
Patch7: 0003-eat-signal-23-in-signal-proxy.patch
Patch1: 0001-Fix-the-invalid-memory-address-reference.patch
Patch2: 0002-add-openEuler-hardened-ld.patch
%description
Podman manages the entire container ecosystem which includes pods,
containers, container images, and container volumes using the libpod library.
%package -n python3-podman
Summary: Python 3 bindings and client for podman
BuildArch: noarch
BuildRequires: python3-devel python3-setuptools python3-varlink
Requires: python3-setuptools python3-varlink python3-dateutil python3-humanize python3-psutil
Provides: python3-%{name} = %{version}-%{release}
%description -n python3-podman
The python3-podman package containers a module that allows you to connect to a Podman socket activated systemdservice on the same host or a remote host using a ssh tunnel.
%package -n python3-pypodman
Summary: Python 3 tool for podman
BuildArch: noarch
BuildRequires: python3-devel python3-setuptools python3-varlink
Requires: python3-setuptools python3-varlink python3-dateutil python3-psutil
%description -n python3-pypodman
Python 3 tool for podman.
%package docker
Summary: Docker CLI emulator for podman
BuildArch: noarch
@ -150,6 +79,60 @@ Conflicts: docker docker-latest docker-ce docker-ee moby-engine
%description docker
This package installs a script named docker, which emulates the Docker CLI through podman command.
%package tests
Summary: Tests for %{name}
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: bats
Requires: jq
Requires: skopeo
Requires: nmap-ncat
Requires: httpd-tools
Requires: openssl
Requires: socat
Requires: buildah
Requires: gnupg
%description tests
%{summary}
This package contains system tests for %{name}
%package remote
Summary: (Experimental) Remote client for managing %{name} containers
%description remote
Remote client for managing %{name} containers.
This experimental remote client is under heavy development. Please do not
run %{name}-remote in production.
%{name}-remote uses the version 2 API to connect to a %{name} client to
manage pods, containers and container images. %{name}-remote supports ssh
connections as well.
%package plugins
Summary: Plugins for %{name}
Requires: dnsmasq
Recommends: %{name}-gvproxy = %{epoch}:%{version}-%{release}
%description plugins
This plugin sets up the use of dnsmasq on a given CNI network so
that Pods can resolve each other by name. When configured,
the pod and its IP address are added to a network specific hosts file
that dnsmasq will read in. Similarly, when a pod
is removed from the network, it will remove the entry from the hosts
file. Each CNI network will have its own dnsmasq instance.
%package gvproxy
Summary: Go replacement for libslirp and VPNKit
%description gvproxy
A replacement for libslirp and VPNKit, written in pure Go.
It is based on the network stack of gVisor. Compared to libslirp,
gvisor-tap-vsock brings a configurable DNS server and
dynamic port forwarding.
%package help
Summary: Help document for the podman package
Conflicts: docker docker-latest docker-ce docker-ee moby-engine
@ -158,74 +141,187 @@ Conflicts: docker docker-latest docker-ce docker-ee moby-engine
Help document for the podman package
%prep
%autosetup -n libpod-e4a155328fb88590fafd3d4e845f9bca49133f62 -p1
sed -i '/\/bin\/env/d' completions/bash/%{name}
sed -i 's/0.0.0/%{version}/' contrib/python/%{name}/setup.py
sed -i 's/0.0.0/%{version}/' contrib/python/py%{name}/setup.py
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
tar -xf %SOURCE1
%autosetup -Sgit -n %{name}-%{version}
# untar dnsname
tar zxf %{SOURCE1}
# untar %%{name}-machine-cni
tar zxf %{SOURCE2}
# untar %%{name}-gvproxy
tar zxf %{SOURCE3}
tar -xf %SOURCE4
%build
mkdir -p _build/bin _output/bin
GO_MD2MAN_PATH="$(pwd)%{_bindir}"
mkdir -p _buildgo2man/bin $GO_MD2MAN_PATH
cd go-md2man-*
go build -mod=vendor -o ../_build/bin/go-md2man .
cp ../_build/bin/go-md2man ../_output/bin/go-md2man
go build -mod=vendor -o ../_buildgo2man/bin/go-md2man .
cp ../_buildgo2man/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
export PATH=$GO_MD2MAN_PATH:$PATH
cd -
cd _build
mkdir -p src/github.com/containers
ln -s ../../../../ src/github.com/containers/libpod
cd -
ln -s vendor src
export GOPATH=$(pwd)/_build:$(pwd):$(pwd):%{gopath}
export BUILDTAGS="varlink selinux seccomp $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh) exclude_graphdriver_devicemapper"
%set_build_flags
export GO111MODULE=off
go generate ./cmd/%{name}/varlink/...
BUILDTAGS=$BUILDTAGS make binaries docs
export GOPATH=$(pwd)/_build:$(pwd)
export CGO_CFLAGS=$CFLAGS
# These extra flags present in $CFLAGS have been skipped for now as they break the build
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
%ifarch x86_64
export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
%endif
mkdir _build
pushd _build
mkdir -p src/github.com/containers
ln -s ../../../../ src/github.com/containers/podman
popd
ln -s vendor src
# build %%{name}
export BUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh) $(hack/selinux_tag.sh) $(hack/systemd_tag.sh)"
# build date. FIXME: Makefile uses '/v2/libpod', that doesn't work here?
LDFLAGS="-X github.com/containers/podman/libpod/define.buildInfo=$(date +%s)"
%gobuild -o bin/%{name} github.com/containers/podman/cmd/%{name}
# build %%{name}-remote
export BUILDTAGS+=" exclude_graphdriver_btrfs btrfs_noversion remote"
%gobuild -o bin/%{name}-remote github.com/containers/podman/cmd/%{name}
pushd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
mkdir _build
pushd _build
mkdir -p src/github.com/containers
ln -s ../../../../ src/github.com/containers/dnsname
popd
ln -s vendor src
export GOPATH=$(pwd)/_build:$(pwd)
%gobuild -o bin/dnsname github.com/containers/dnsname/plugins/meta/dnsname
popd
pushd podman-machine-cni-0749884b8d1a455c68da30789e37811ec0809d51
mkdir _build
pushd _build
mkdir -p src/github.com/containers
ln -s ../../../../ src/github.com/containers/podman-machine-cni
popd
ln -s vendor src
export GOPATH=$(pwd)/_build:$(pwd)
%gobuild -o bin/%{name}-machine github.com/containers/podman-machine-cni/plugins/meta/%{name}-machine
popd
pushd gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07
mkdir _build
pushd _build
mkdir -p src/github.com/containers
ln -s ../../../../ src/github.com/containers/gvisor-tap-vsock
popd
ln -s vendor src
export GOPATH=$(pwd)/_build:$(pwd)
%gobuild -o bin/gvproxy github.com/containers/gvisor-tap-vsock/cmd/gvproxy
popd
BUILDTAGS=$BUILDTAGS make docs docker-docs
%install
install -dp %{buildroot}%{_unitdir}
make PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \
install.bin install.man install.cni install.systemd install.completions install.docker
install.bin-nobuild install.man-nobuild install.systemd install.completions install.docker install.docker-docs-nobuild install.remote-nobuild
%{__make} DESTDIR=%{buildroot} install.python
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.service %{buildroot}%{_userunitdir}/podman-auto-update.service
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.timer %{buildroot}%{_userunitdir}/podman-auto-update.timer
install -Z -m 644 contrib/systemd/user/podman.socket %{buildroot}%{_userunitdir}/podman.socket
install -Z -m 644 contrib/systemd/user/podman.service %{buildroot}%{_userunitdir}/podman.service
install -Z -m 644 contrib/systemd/user/podman-restart.service %{buildroot}%{_userunitdir}/podman-restart.service
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.service %{buildroot}%{_unitdir}/podman-auto-update.service
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.timer %{buildroot}%{_unitdir}/podman-auto-update.timer
install -Z -m 644 contrib/systemd/system/podman.socket %{buildroot}%{_unitdir}/podman.socket
install -Z -m 644 contrib/systemd/system/podman.service %{buildroot}%{_unitdir}/podman.service
install -Z -m 644 contrib/systemd/system/podman-restart.service %{buildroot}%{_unitdir}/podman-restart.service
install -Dp -m644 libpod.conf %{buildroot}%{_datadir}/containers/libpod.conf
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
# install dnsname plugin
pushd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
%{__make} PREFIX=%{_prefix} DESTDIR=%{buildroot} install
popd
# install machine-cni plugin
pushd podman-machine-cni-0749884b8d1a455c68da30789e37811ec0809d51
%{__make} PREFIX=%{_prefix} DESTDIR=%{buildroot} install
popd
# install gvproxy
pushd gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07
install -dp %{buildroot}%{_libexecdir}/%{name}
install -p -m0755 bin/gvproxy %{buildroot}%{_libexecdir}/%{name}
popd
# do not include docker and podman-remote man pages in main package
for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
echo "$file*" >> podman.file-list
done
%global license %doc
%files
%license LICENSE
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md transfer.md
%{_bindir}/%{name}
%{_datadir}/bash-completion/completions/*
%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
%{_datadir}/containers/libpod.conf
%{_unitdir}/{io.%{name}.service,io.%{name}.socket}
%{_datadir}/bash-completion/completions/%{name}
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_%{name}
%dir %{_datadir}/fish/vendor_completions.d
%{_datadir}/fish/vendor_completions.d/%{name}.fish
%{_unitdir}/%{name}-auto-update.service
%{_unitdir}/%{name}-auto-update.timer
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%{_unitdir}/%{name}-restart.service
%{_userunitdir}/%{name}-auto-update.service
%{_userunitdir}/%{name}-auto-update.timer
%{_userunitdir}/%{name}.service
%{_userunitdir}/%{name}.socket
%{_userunitdir}/%{name}-restart.service
%{_usr}/lib/tmpfiles.d/%{name}.conf
%files -n python3-podman
%license LICENSE
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
%dir %{python3_sitelib}/%{name}
%{python3_sitelib}/%{name}/*
%{python3_sitelib}/%{name}*.egg-info
%files -n python3-pypodman
%license LICENSE
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
%dir %{python3_sitelib}/py%{name}
%{python3_sitelib}/py%{name}/*
%{python3_sitelib}/py%{name}*.egg-info
%{_bindir}/py%{name}
%files docker
%{_bindir}/docker
%{_usr}/lib/tmpfiles.d/%{name}-docker.conf
%files help
%{_mandir}/man1/{docker*.1*,podman*.1*}
%{_mandir}/man5/*.5*
%files remote
%license LICENSE
%{_bindir}/%{name}-remote
%{_mandir}/man1/%{name}-remote*.*
%{_datadir}/bash-completion/completions/%{name}-remote
%dir %{_datadir}/fish/vendor_completions.d
%{_datadir}/fish/vendor_completions.d/%{name}-remote.fish
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_%{name}-remote
%files plugins
%license dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/LICENSE
%doc dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/{README.md,README_PODMAN.md}
%dir %{_libexecdir}/cni
%{_libexecdir}/cni/dnsname
%{_libexecdir}/cni/%{name}-machine
%files gvproxy
%license gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/LICENSE
%doc gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/README.md
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/gvproxy
%changelog
* Tue Jul 05 2022 fushanqing <fushanqing@kylinos.cn> - 0:3.4.4-1
- update to 3.4.4
* Thu Apr 14 2022 wangkai<wangkai385@h-partners.com> - 0.10.1-12
- Fix build error

BIN
v3.4.4.tar.gz Normal file
View File

Binary file not shown.