Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libcontainers-common for openSUSE:Factory checked in at 2025-06-01 21:36:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libcontainers-common (Old) and /work/SRC/openSUSE:Factory/.libcontainers-common.new.16005 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcontainers-common" Sun Jun 1 21:36:16 2025 rev:76 rq:1281182 version:20250409 Changes: -------- --- /work/SRC/openSUSE:Factory/libcontainers-common/libcontainers-common.changes 2025-04-10 21:57:32.248313641 +0200 +++ /work/SRC/openSUSE:Factory/.libcontainers-common.new.16005/libcontainers-common.changes 2025-06-01 21:36:28.761103858 +0200 @@ -1,0 +2,8 @@ +Thu May 29 16:30:56 UTC 2025 - Danish Prakash <danish.prak...@suse.com> + +- Sync containers.conf & storage.conf with the current c/* versions +- Rename storage-conf-prio-list.patch to 0002-storage-conf-prio-list.patch +- Add patch to set SUSE defaults to containers.conf: + * 0003-containers-conf-suse-defaults.patch + +------------------------------------------------------------------- Old: ---- storage-conf-prio-list.patch New: ---- 0002-storage-conf-prio-list.patch 0003-containers-conf-suse-defaults.patch BETA DEBUG BEGIN: Old:- Sync containers.conf & storage.conf with the current c/* versions - Rename storage-conf-prio-list.patch to 0002-storage-conf-prio-list.patch - Add patch to set SUSE defaults to containers.conf: BETA DEBUG END: BETA DEBUG BEGIN: New:- Sync containers.conf & storage.conf with the current c/* versions - Rename storage-conf-prio-list.patch to 0002-storage-conf-prio-list.patch - Add patch to set SUSE defaults to containers.conf: New:- Add patch to set SUSE defaults to containers.conf: * 0003-containers-conf-suse-defaults.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcontainers-common.spec ++++++ --- /var/tmp/diff_new_pack.VJlZM8/_old 2025-06-01 21:36:29.689142298 +0200 +++ /var/tmp/diff_new_pack.VJlZM8/_new 2025-06-01 21:36:29.689142298 +0200 
@@ -52,7 +52,8 @@ Source12: openSUSE-policy.json Patch100: 0001-containers.conf-SUSE-clear-cni-config-dir-for-ALP.patch # Downstream patch to add the commented out storage driver priority list -Patch101: storage-conf-prio-list.patch +Patch101: 0002-storage-conf-prio-list.patch +Patch102: 0003-containers-conf-suse-defaults.patch BuildRequires: go-go-md2man Requires(post): %{_bindir}/sed # add SLE-specific mounts for only SLES systems @@ -121,14 +122,14 @@ %prep cp %{SOURCE9} . -# Apply CNI config on streams other than ALP (bsc#1213556) -# https://github.com/containers/podman/issues/19327 +# Apply CNI config to streams that support CNI networking backend for podman i.e SLE-15 +# bsc#1213556 (https://github.com/containers/podman/issues/19327) %if 0%{?suse_version} < 1600 && !0%{?is_opensuse} %patch -P100 -p3 sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %_builddir/containers.conf %endif cp %{SOURCE4} . -%patch -P101 +%patch -P101 -P102 %setup -q -Tcq -b0 -b1 -b8 # copy the LICENSE file in the build root ++++++ 0002-storage-conf-prio-list.patch ++++++ Index: storage.conf =================================================================== --- storage.conf (revision 71490d8c0a9096277f3511c4adb298db) +++ storage.conf (working copy) @@ -21,7 +21,7 @@ # Priority list for the storage drivers that will be tested one # after the other to pick the storage driver if it is not defined. -# driver_priority = ["overlay", "btrfs"] +# driver_priority = ["btrfs", "overlay"] # Primary Read/Write location of container storage # When changing the graphroot location on an SELinux system, you must ++++++ 0003-containers-conf-suse-defaults.patch ++++++ Index: containers.conf =================================================================== --- containers.conf (revision 71490d8c0a9096277f3511c4adb298db) +++ containers.conf (working copy) 
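Review bot: The new `Patch102:` line in the first hunk (`@@ -52,7 +52,8`) has no explanatory comment, while the neighbouring `Patch101:` carries one; since this patch turns two upstream commented-out defaults into enforced values, the spec should say so where the patch is declared. I would add above it `# Downstream patch setting SUSE defaults in containers.conf (runtime = "runc", firewall_driver = "nftables")`. The second hunk applies it with `%patch -P101 -P102` on every stream, unlike the `-P100` CNI patch that stays gated on `suse_version < 1600`; the comment should mention that it is intentionally unconditional so the difference in gating does not read as an oversight.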
@@ -378,7 +378,7 @@ # drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is # experimental at the moment and not recommend outside of testing). # -#firewall_driver = "" +firewall_driver = "nftables" # The network name of the default network to attach pods to. @@ -715,7 +715,7 @@ # Default OCI runtime # -#runtime = "crun" +runtime = "runc" # List of the OCI runtimes that support --format=json. When json is supported # engine will use it for reporting nicer errors. ++++++ containers.conf ++++++ --- /var/tmp/diff_new_pack.VJlZM8/_old 2025-06-01 21:36:29.793146605 +0200 +++ /var/tmp/diff_new_pack.VJlZM8/_new 2025-06-01 21:36:29.797146771 +0200 @@ -27,16 +27,19 @@ # #apparmor_profile = "container-default" -# The hosts entries from the base hosts file are added to the containers hosts -# file. This must be either an absolute path or as special values "image" which -# uses the hosts file from the container image or "none" which means -# no base hosts file is used. The default is "" which will use /etc/hosts. +# Base file to create the `/etc/hosts` file inside the container. This must either +# be an absolute path to a file on the host system, or one of the following +# special flags: +# "" Use the host's `/etc/hosts` file (the default) +# `none` Do not use a base file (i.e. start with an empty file) +# `image` Use the container image's `/etc/hosts` file as base file # #base_hosts_file = "" # List of cgroup_conf entries specifying a list of cgroup files to write to and # their values. For example `memory.high=1073741824` sets the # memory.high limit to 1GB. +# # cgroup_conf = [] # Default way to to create a cgroup namespace for the container 
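Review bot: `firewall_driver = "nftables"` in the first hunk (and `runtime = "runc"` in the `@@ -715` hunk) become enforced values without a comment recording that they are a distribution override of an upstream commented default, and the containers.conf hunks at `@@ -353` and `@@ -686` on this page revert the shipped file to those upstream defaults, so this patch is now the only place the SUSE choice is recorded. I would add a line such as `# SUSE default (0003-containers-conf-suse-defaults.patch); upstream leaves this unset` above each of the two settings. Because the spec applies this patch on every stream while the CNI configuration is only applied where `suse_version < 1600`, the nftables driver is also set on streams that appear to use the CNI backend, where a netavark firewall setting may have no effect; worth confirming. Nothing in the visible spec hunks declares a runtime dependency on nftables or runc, so if that is not already declared elsewhere in the spec, an enforced driver or runtime missing at run time could leave container startup or network setup failing instead of falling back to the upstream default.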
@@ -55,6 +58,14 @@ # #cgroups = "enabled" +# When no hostname is set for a container, use the container's name, with +# characters not valid for a hostname removed, as the hostname instead of +# the first 12 characters of the container's ID. Containers not running +# in a private UTS namespace will have their hostname set to the host's +# hostname regardless of this setting. +# +#container_name_as_hostname = false + # List of default capabilities for containers. If it is empty or commented out, # the default capabilities defined in the container engine will be added. # 
@@ -126,13 +137,25 @@ # #env_host = false -# Set the ip for the host.containers.internal entry in the containers /etc/hosts -# file. This can be set to "none" to disable adding this entry. By default it -# will automatically choose the host ip. -# -# NOTE: When using podman machine this entry will never be added to the containers -# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore -# it is not possible to disable the entry in this case. +# Set the IP address the container should expect to connect to the host. The IP +# address is used by Podman to automatically add the `host.containers.internal` +# and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It +# is also used for the *host-gateway* flag of Podman's `--add-host` CLI option. +# If no IP address is configured (the default), Podman will try to determine it +# automatically, but might fail to do so depending on the container's network +# setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then. +# Set this config to `none` to never add the internal hostnames to `/etc/hosts`. +# +# Note: If Podman is running in a virtual machine using `podman machine` (this +# includes Mac and Windows hosts), Podman will silently skip adding the internal +# hostnames to `/etc/hosts`, unless an IP address was configured manually. The +# internal hostnames are resolved by the gvproxy DNS resolver instead. This config +# has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver, +# a manually configured IP address still takes precedence. +# +# Note: This config doesn't affect the actual network setup, it just tells Podman +# the IP address it should expect. Configuring an IP address here doesn't ensure +# that the container can actually reach the host using this IP address. # #host_containers_internal_ip = "" 
@@ -221,8 +244,10 @@ # #netns = "private" -# Create /etc/hosts for the container. By default, container engine manage -# /etc/hosts, automatically adding the container's own IP address. +# Do not modify the `/etc/hosts` file in the container. Podman assumes control +# over the container's `/etc/hosts` file by default; refer to the `--add-host` +# CLI option for details. To disable this, either set this config to `true`, or +# use the functionally identical `--no-hosts` CLI option. # #no_hosts = false @@ -353,7 +378,7 @@ # drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is # experimental at the moment and not recommend outside of testing). # -firewall_driver = "nftables" +#firewall_driver = "" # The network name of the default network to attach pods to. @@ -416,6 +441,8 @@ #List of compression algorithms. If set makes sure that requested compression variant #for each platform is added to the manifest list keeping original instance intact in #the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`). +#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +#in that case. # #add_compression = ["gzip", "zstd", "zstd:chunked"] @@ -438,6 +465,8 @@ # This field is ignored when pushing images to the docker-daemon and # docker-archive formats. It is also ignored when the manifest format is set # to v2s2. +# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +# in that case. # #compression_format = "gzip" @@ -686,7 +715,7 @@ # Default OCI runtime # -runtime = "runc" +#runtime = "crun" # List of the OCI runtimes that support --format=json. When json is supported # engine will use it for reporting nicer errors. 
@@ -865,7 +894,15 @@ # Virtualization provider used to run Podman machine. # If it is empty or commented out, the default provider will be used. -# +# Linux: +# qemu - Open source machine emulator and virtualizer. (Default) +# Windows: there are currently two options: +# wsl - Windows Subsystem for Linux (Default) +# hyperv - Windows Server Virtualization +# Mac: there are currently two options: +# applehv - Default Apple Hypervisor (Default) +# libkrun - Launch virtual machines using the libkrun platform, optimized +# for sharing GPU with the machine. #provider = "" # Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon. ++++++ storage.conf ++++++ --- /var/tmp/diff_new_pack.VJlZM8/_old 2025-06-01 21:36:29.901151079 +0200 +++ /var/tmp/diff_new_pack.VJlZM8/_new 2025-06-01 21:36:29.905151245 +0200 
@@ -8,20 +8,24 @@ # /usr/containers/storage.conf # /etc/containers/storage.conf # $HOME/.config/containers/storage.conf -# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) +# $XDG_CONFIG_HOME/containers/storage.conf (if XDG_CONFIG_HOME is set) # See man 5 containers-storage.conf for more information -# The "container storage" table contains all of the server options. +# The "storage" table contains all of the server options. [storage] -# Default Storage Driver, Must be set for proper operation. +# Default storage driver, must be set for proper operation. driver = "overlay" # Temporary storage location runroot = "/run/containers/storage" +# Priority list for the storage drivers that will be tested one +# after the other to pick the storage driver if it is not defined. +# driver_priority = ["overlay", "btrfs"] + # Primary Read/Write location of container storage -# When changing the graphroot location on an SELINUX system, you must -# ensure the labeling matches the default locations labels with the +# When changing the graphroot location on an SELinux system, you must +# ensure the labeling matches the default location's labels with the # following commands: # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH 
@@ -50,54 +54,50 @@ additionalimagestores = [ ] -# Allows specification of how storage is populated when pulling images. This -# option can speed the pulling process of images compressed with format -# zstd:chunked. Containers/storage looks for files within images that are being -# pulled from a container registry that were previously pulled to the host. It -# can copy or create a hard link to the existing file when it finds them, -# eliminating the need to pull them from the container registry. These options -# can deduplicate pulling of content, disk storage of content and can allow the -# kernel to use less memory when running containers. - -# containers/storage supports four keys -# * enable_partial_images="true" | "false" -# Tells containers/storage to look for files previously pulled in storage -# rather then always pulling them from the container registry. -# * use_hard_links = "false" | "true" -# Tells containers/storage to use hard links rather then create new files in -# the image, if an identical file already existed in storage. -# * ostree_repos = "" -# Tells containers/storage where an ostree repository exists that might have -# previously pulled content which can be used when attempting to avoid -# pulling content from the container registry -# * convert_images = "false" | "true" -# If set to true, containers/storage will convert images to a -# format compatible with partial pulls in order to take advantage -# of local deduplication and hard linking. It is an expensive -# operation so it is not enabled by default. -pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""} - -# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of -# a container, to the UIDs/GIDs as they should appear outside of the container, -# and the length of the range of UIDs/GIDs. 
Additional mapped sets can be -# listed and will be heeded by libraries, but there are limits to the number of -# mappings which the kernel will allow when you later attempt to run a -# container. -# -# remap-uids = "0:1668442479:65536" -# remap-gids = "0:1668442479:65536" - -# Remap-User/Group is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting -# with an in-container ID of 0 and then a host-level ID taken from the lowest -# range that matches the specified name, and using the length of that range. -# Additional ranges are then assigned, using the ranges which specify the -# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, -# until all of the entries have been used for maps. This setting overrides the -# Remap-UIDs/GIDs setting. +# Options controlling how storage is populated when pulling images. +[storage.options.pull_options] +# Enable the "zstd:chunked" feature, which allows partial pulls, reusing +# content that already exists on the system. This is disabled by default, +# and must be explicitly enabled to be used. For more on zstd:chunked, see +# https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# enable_partial_images = "false" + +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# use_hard_links = "false" + +# Path to an ostree repository that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry. 
+# ostree_repos="" + +# If set to "true", containers/storage will convert images that are +# not already in zstd:chunked format to that format before processing +# in order to take advantage of local deduplication and hard linking. +# It is an expensive operation so it is not enabled by default. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# convert_images = "false" + +# This should ALMOST NEVER be set. +# It allows partial pulls of images without guaranteeing that "partial +# pulls" and non-partial pulls both result in consistent image contents. +# This allows pulling estargz images and early versions of zstd:chunked images; +# otherwise, these layers always use the traditional non-partial pull path. +# +# This option should be enabled EXTREMELY rarely, only if ALL images that could +# EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy) +# to come from a build system trusted to never attack image integrity. +# +# If this consistency enforcement were disabled, malicious images could be built +# in a way designed to evade other audit mechanisms, so presence of most other audit +# mechanisms is not a replacement for the above-mentioned need for all images to come +# from a trusted build system. # -# remap-user = "containers" -# remap-group = "containers" +# As a side effect, enabling this option will also make image IDs unpredictable +# (usually not equal to the traditional value matching the config digest). +# insecure_allow_unpredictable_image_contents = "false" # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID # ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned 
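Review bot: Removing the active `pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}` line and replacing it with a `[storage.options.pull_options]` table whose `enable_partial_images` is commented out (documented default "false") silently turns partial zstd:chunked pulls off for existing installations, yet the changelog entry only says the file was synced; either call the behaviour change out there or keep the previous value as an explicit `enable_partial_images = "true"` if it was intentional. A second concern is table scoping: the new `[storage.options.pull_options]` header is followed by the `# Root-auto-userns-user ...` documentation (the enclosing `[storage.options]` section continues past the hunk), so if the `root-auto-userns-user` and `auto-userns-*` keys still sit below it, uncommenting them now places them in `pull_options` rather than `[storage.options]`, where the storage library would not find them; moving the `pull_options` table below the remaining `[storage.options]` keys avoids that trap. The new `insecure_allow_unpredictable_image_contents` example is correctly left commented and should stay that way in any downstream patch, as its own text explains the image-integrity consequences.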
@@ -120,6 +120,7 @@ # squashed down to the default uid in the container. These images will have no # separation between the users in the container. Only supported for the overlay # and vfs drivers. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) #ignore_chown_errors = "false" # Inodes is used to set a maximum inodes of the container image. @@ -133,9 +134,11 @@ mountopt = "nodev" # Set to skip a PRIVATE bind mount on the storage home directory. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) # skip_mount_home = "false" # Set to use composefs to mount data layers with overlay. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) # use_composefs = "false" # Size is used to set a maximum size of the container image.