Drop support for remote use-cases when `.containerignore` or
`.dockerignore` is a symlink pointing to arbitrary location on host.
This backport addresses: CVE-2022-4122
https://issues.redhat.com/browse/RHEL-13467
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
When running in an updated F36 environment, this old linter fails with
innumerable errors that aren't worth fixing. Disable it.
Signed-off-by: Chris Evich <cevich@redhat.com>
This branch is in need of a handful of CVE backports which are
incompatible with golang 1.16 shipping in F35. This is making the
backports very difficult. Bump the CI VM up to F36 with golang 1.18,
which is representative of what's happening in the RHEL builds. The
image used was pulled from the CI in the buildah release-1.26 branch.
Also: Disable the upgrade tests since they're non-functional on F36
without significant changes.
Signed-off-by: Chris Evich <cevich@redhat.com>
This release was originally built around Fedora 35 and golang 1.16.
However the RHEL platform this branch feeds has since moved on to golang
1.17 out of necessity to support security backports. Given the
difficulty/complexity of updating the CI platform to F36 (golang 1.18),
and the age of this branch, place it into a slimmed-down
"maintenance-only" mode.
Note: This implies a heavier reliance on downstream QE/QA.
Signed-off-by: Chris Evich <cevich@redhat.com>
Commit 480a451d7 manually patched runc/libcontainer in vendor, which is
OK short term but creates a maintenance problem down the line.
The manual patching was done in a rush to address CVE-2024-21626.
A fixed runc version (v1.1.12) could not be used as it requires Go 1.17
(since runc 1.1.6), while this branch here uses Go 1.16.
Instead of manual patching in place, let's use a new runc branch in
projectatomic repo [1], which contains runc 1.1.2 + CVE fix.
Note runc v1.1.2 (rather than v1.1.0 which was used previously) was
chosen as a base because the CVE backport was already available. As for
what's vendored here, the only difference from v1.1.0 is
https://github.com/opencontainers/runc/commit/8290c4cf58fb.
Meaning, the update from v1.1.0 to v1.1.2 should not bring any new issues.
[1] https://github.com/projectatomic/runc/tree/podman-v4.0-rhel
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Apparent Cython regression causing a warning and traceback when
installing PyYAML with pip:
Ref. Upstream issue 601: https://github.com/yaml/pyyaml/issues/
Ref. warning message:
```
********************************************************************************
The license_file parameter is deprecated, use license_files instead.
By 2023-Oct-30, you need to update your project and remove deprecated calls
or your builds will no longer be supported.
See https://setuptools.pypa.io/en/latest/userguide/declarative_config.html for details.
********************************************************************************
```
Ref. traceback snippet:
```
Traceback (most recent call last):
File "/var/tmp/go/src/github.com/containers/podman/venv/lib/python3.10/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 353, in <module>
main()
...cut...
File "<string>", line 201, in get_source_files
File "/tmp/pip-build-env-yiijk0jv/overlay/lib/python3.10/site-packages/setuptools/_distutils/cmd.py", line 107, in __getattr__
raise AttributeError(attr)
AttributeError: cython_sources
```
Signed-off-by: Chris Evich <cevich@redhat.com>
* Utils must support a higher-level API to create a Tar chrooted into a
directory
* Volume export: use TarwithChroot instead of Tar so we can make sure no
symlink can be exported by tar if it exists outside of the source
directory.
* container export: use chroot and Tar instead of Tar so we can make sure no
symlink can be exported by tar if it exists outside of the mountPoint.
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Race needs combination of external/in-container mechanism which is hard to repro in CI.
Closes: BZ:#2168256
CVE: https://access.redhat.com/security/cve/CVE-2023-0778
Signed-off-by: Aditya R <arajan@redhat.com>
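The containment rule the chroot-based export enforces, written out as an added example (not Podman's TarwithChroot code): walk an export root and report every symlink whose resolved target lies outside it. `FindEscapingSymlinks` and the sample tree built in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// FindEscapingSymlinks walks root and returns the root-relative paths of every
// symlink whose fully resolved target is outside root. A tar run inside a
// chroot of root cannot follow such links onto the host filesystem; this check
// reproduces that containment decision in user space so it can be audited.
func FindEscapingSymlinks(root string) ([]string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var escaping []string
	err = filepath.WalkDir(absRoot, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular file or directory: nothing to resolve
		}
		// Resolve the link completely (it may chain through other links).
		target, err := filepath.EvalSymlinks(path)
		if err != nil {
			return nil // dangling link: nothing outside root is readable through it
		}
		rel, err := filepath.Rel(absRoot, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			r, _ := filepath.Rel(absRoot, path)
			escaping = append(escaping, r)
		}
		return nil
	})
	return escaping, err
}

func main() {
	// Constructed sample: a volume with one in-tree link and one link to /etc.
	root, _ := os.MkdirTemp("", "volume")
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "data.txt"), []byte("ok"), 0o644)
	os.Symlink(filepath.Join(root, "data.txt"), filepath.Join(root, "inside"))
	os.Symlink("/etc", filepath.Join(root, "escape"))
	escaping, err := FindEscapingSymlinks(root)
	fmt.Println(escaping, err) // [escape] <nil>
}
```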
MH: Backport to v4.4-rhel per RHBZ 2169617
Signed-off-by: Matt Heon <mheon@redhat.com>
Mitigates a potential permissions issue. Mirrors Buildah PR #4200
and CRI-O PR #6159.
Signed-off-by: Matthew Heon <mheon@redhat.com>
MH: Backported to v4.0-rhel per RHBZ #2121541
Signed-off-by: Matthew Heon <mheon@redhat.com>
Cherry-pick #15788 to v4.0-rhel branch per RHBZ 2157930
In view of https://github.com/containers/storage/pull/1337, do this:
```
for f in $(git grep -l stringid.GenerateNonCryptoID | grep -v '^vendor/'); do
	sed -i 's/stringid.GenerateNonCryptoID/stringid.GenerateRandomID/g' "$f";
done
```
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
The new version of runc has the same check in place and it
automatically resumes the container if it is paused. So when Podman
tries to resume it again, it fails since the container is not in the
paused state.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2100740
[NO NEW TESTS NEEDED] the CI doesn't use a new runc on cgroup v1 systems.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
There's no reason to maintain this task on a release-branch. The
environment is managed by Cirrus, not us. Nobody will ever need/want/try
to cross-compile an old podman version with the latest environment.
Just remove the test.
Signed-off-by: Chris Evich <cevich@redhat.com>
Migrate our OSX Cross build to a M1 instance, since Cirrus is sunsetting Intel-based macOS instances.
Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit a575111ad4bcaa8c9ec4b0c4f7ecc5197e5be43f)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This task runs the latest/greatest upstream gitlab unit tests. There is
no benefit to running it on a podman release-branch. Disable it.
Signed-off-by: Chris Evich <cevich@redhat.com>
ubi8 broke our tests. Fix is #16308 (don't use images that we
don't control), but it's too hard to backport to this old branch.
Just skip the failing test.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Match the docker API and suppress step errors when the quiet field is set.
Closes: https://github.com/containers/podman/issues/14315
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Pulling the K8s pause image seems unnecessarily expensive to me. Let's
use the testgitest_v2s2 one which is under our control and weighs only a
couple of KB.
This cut the execution time to less than half on my machine. Since it's
network bound and I am running on fibre, I expect more significant speed
ups on slower networks.
Also fixes CI since the K8s pause image changed and broke the test.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>