Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2018-10-25 08:10:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bubblewrap" Thu Oct 25 08:10:49 2018 rev:7 rq:641812 version:0.3.1 Changes: --------
--- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes 2018-07-22 23:03:32.780945917 +0200
+++ /work/SRC/openSUSE:Factory/.bubblewrap.new/bubblewrap.changes 2018-10-25 08:10:52.376245754 +0200
@@ -1,0 +2,12 @@
+Thu Oct 11 16:41:12 UTC 2018 - Antonio Larrosa <[email protected]> - 0.3.1
+
+- update to version 0.3.1:
+ * New feature in this release is --bind-try (as well as --dev-bind-try
+ and --ro-bind-try) which works like the regular versions if the source
+ exists, but does nothing if it doesn't exist.
+
+ * The mount type for the root tmpfs was also changed to "tmpfs" instead
+ of being empty, as the later could cause problems with some programs
+ when parsing the mountinfo files in /proc.
+
+-------------------------------------------------------------------
@@ -5 +17,16 @@
- * no upstream changelog available
+ * The biggest feature from this release is that bwrap
+ now supports being invoked recursively (from other container
+ runtimes such as Docker/podman/runc as well as bwrap itself)
+ when user namespaces are enabled, and the outer container manager
+ allows it (Docker's default seccomp policy doesn't).
+
+ * This is useful for testing scenarios; for example a project
+ uses Kubernetes for its CI, but inside build the project wants to run
+ each unit test in their own pid namespace, without going out
+ and creating a new pod for every single unit test.
+
+ * Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
+ and we want to support running rpm-ostree inside a container as well.
+
+ * Another feature is bwrap now supports -- to terminate argument
+ parsing. To detect availablity of this, you could parse bwrap --version.
Old: ---- v0.3.0.tar.gz New: ---- v0.3.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bubblewrap.spec ++++++
--- /var/tmp/diff_new_pack.Ovcqfs/_old 2018-10-25 08:10:52.872245429 +0200
+++ /var/tmp/diff_new_pack.Ovcqfs/_new 2018-10-25 08:10:52.876245426 +0200
@@ -12,12 +12,12 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name: bubblewrap
-Version: 0.3.0
+Version: 0.3.1
 Release: 0
 Summary: Core execution tool for unprivileged containers
 License: LGPL-2.0-or-later
++++++ v0.3.0.tar.gz -> v0.3.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.3.0/bubblewrap.c new/bubblewrap-0.3.1/bubblewrap.c
--- old/bubblewrap-0.3.0/bubblewrap.c 2018-07-11 17:32:00.000000000 +0200
+++ new/bubblewrap-0.3.1/bubblewrap.c 2018-08-09 15:34:51.000000000 +0200
@@ -99,6 +99,7 @@
 typedef enum {
 NO_CREATE_DEST = (1 << 0),
+ ALLOW_NOTEXIST = (2 << 0),
 } SetupOpFlag;
 typedef struct _SetupOp SetupOp;
@@ -207,8 +208,11 @@
 " --lock-file DEST Take a lock on DEST while sandbox is running\n"
 " --sync-fd FD Keep this fd open while sandbox is running\n"
 " --bind SRC DEST Bind mount the host path SRC on DEST\n"
+ " --bind-try SRC DEST Equal to --bind but ignores non-existant SRC\n"
 " --dev-bind SRC DEST Bind mount the host path SRC on DEST, allowing device access\n"
+ " --dev-bind-try SRC DEST Equal to --dev-bind but ignores non-existant SRC\n"
 " --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
+ " --ro-bind-try SRC DEST Equal to --ro-bind but ignores non-existant SRC\n"
 " --remount-ro DEST Remount DEST as readonly; does not recursively remount\n"
 " --exec-label LABEL Exec label for the sandbox\n"
 " --file-label LABEL File label for temporary sandbox content\n"
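Review bot: `ALLOW_NOTEXIST = (2 << 0),` in the SetupOpFlag enum breaks the one-bit-per-flag pattern that `NO_CREATE_DEST = (1 << 0)` establishes; the value is still the single bit 2, but the next flag written in this shape is likely to come out as `(3 << 0)`, which overlaps both existing bits and would make `op->flags & ALLOW_NOTEXIST` match ops that never asked for it. Write it as `ALLOW_NOTEXIST = (1 << 1),` so each flag visibly owns its own bit. A short comment on the enum, `/* each value is a distinct bit; ops test them with op->flags & FLAG */`, would make the convention explicit for the next addition.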
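Review bot: The three new usage lines say only that the `-try` variants "ignore" a missing SRC, but not what the sandbox then looks like at DEST, and the same wording (`non-existant`, should be `non-existent`) is repeated in the bwrap.xml hunk further down. As far as the -966 hunk shows, the `continue` runs before the `if (op->dest && ...` block that follows it, so a missing SRC apparently leaves DEST absent rather than mounted empty; a caller must therefore not use a `-try` mount for anything the sandbox's isolation or masking depends on, and the help text is the place to say so. Suggested wording for the first of the three: `"    --bind-try SRC DEST          Equal to --bind, but skips the mount (DEST is not created) if SRC does not exist\n"`, with the dev-bind and ro-bind lines and the manpage entries adjusted to match.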
@@ -966,7 +970,11 @@
 source = get_oldroot_path (op->source);
 source_mode = get_file_mode (source);
 if (source_mode < 0)
- die_with_error ("Can't get type of source %s", op->source);
+ {
+ if (op->flags & ALLOW_NOTEXIST && errno == ENOENT)
+ continue; /* Ignore and move on */
+ die_with_error("Can't get type of source %s", op->source);
+ }
 }
 if (op->dest &&
@@ -1252,7 +1260,12 @@
 old_source = op->source;
 op->source = realpath (old_source, NULL);
 if (op->source == NULL)
- die_with_error ("Can't find source path %s", old_source);
+ {
+ if (op->flags & ALLOW_NOTEXIST && errno == ENOENT)
+ op->source = old_source;
+ else
+ die_with_error("Can't find source path %s", old_source);
+ }
 break;
 default:
 break.
@@ -1485,38 +1498,47 @@
 argv++;
 argc--;
 }
- else if (strcmp (arg, "--bind") == 0)
+ else if (strcmp(arg, "--bind") == 0 ||
+ strcmp(arg, "--bind-try") == 0)
 {
 if (argc < 3)
- die ("--bind takes two arguments");
+ die ("%s takes two arguments", arg);
 op = setup_op_new (SETUP_BIND_MOUNT);
 op->source = argv[1];
 op->dest = argv[2];
+ if (strcmp(arg, "--bind-try") == 0)
+ op->flags = ALLOW_NOTEXIST;
 argv += 2;
 argc -= 2;
 }
- else if (strcmp (arg, "--ro-bind") == 0)
+ else if (strcmp(arg, "--ro-bind") == 0 ||
+ strcmp(arg, "--ro-bind-try") == 0)
 {
 if (argc < 3)
- die ("--ro-bind takes two arguments");
+ die ("%s takes two arguments", arg);
 op = setup_op_new (SETUP_RO_BIND_MOUNT);
 op->source = argv[1];
 op->dest = argv[2];
+ if (strcmp(arg, "--ro-bind-try") == 0)
+ op->flags = ALLOW_NOTEXIST;
 argv += 2;
 argc -= 2;
 }
- else if (strcmp (arg, "--dev-bind") == 0)
+ else if (strcmp (arg, "--dev-bind") == 0 ||
+ strcmp (arg, "--dev-bind-try") == 0)
 {
 if (argc < 3)
- die ("--dev-bind takes two arguments");
+ die ("%s takes two arguments", arg);
 op = setup_op_new (SETUP_DEV_BIND_MOUNT);
 op->source = argv[1];
 op->dest = argv[2];
+ if (strcmp(arg, "--dev-bind-try") == 0)
+ op->flags = ALLOW_NOTEXIST;
 argv += 2;
 argc -= 2.
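Review bot: `if (op->flags & ALLOW_NOTEXIST && errno == ENOENT)` in the -966 hunk, and the identical test in the -1252 hunk, rely on `&` binding tighter than `&&`; that is correct C, but the mixed bitwise/logical expression is easy to misread, so write it as `if ((op->flags & ALLOW_NOTEXIST) && errno == ENOENT)` in both places. The -966 check also depends on `errno` still holding the value from the failing lookup inside `get_file_mode` (outside the hunk), which is only true as long as nothing between that call and this test touches errno; a one-line comment, `/* errno is from get_file_mode's failed lookup; keep nothing between them */`, protects that assumption from a later edit that would otherwise turn every missing source into a hard error. Note too that only ENOENT is tolerated, so a SRC whose path crosses a non-directory component fails with ENOTDIR and still dies, which is a reasonable choice for a sandbox tool but should be stated in the option's documentation. The enclosing loop and function start and end outside the hunk.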
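Review bot: `op->source = old_source;` in the -1252 hunk carries the un-canonicalised, possibly relative, user-supplied path forward on the op without saying why that is safe, and the only thing that makes it safe is that the later lookup in the setup loop (the -966 hunk) is expected to fail with ENOENT again and skip the op. If SRC is relative and comes into existence between parsing and setup, that later lookup goes through `get_oldroot_path` with the raw string rather than the cwd-resolved absolute path realpath would have produced; whether both resolve to the same place depends on `get_oldroot_path`, which is outside this hunk, so the assumption should be written down. Suggested comment above the assignment: `/* SRC is missing right now; keep the raw path so the setup loop can retry the lookup and skip the op (ALLOW_NOTEXIST) if it is still absent */`. The enclosing switch and function start and end outside the hunk.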
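Review bot: Each of the three option blocks in the -1485 hunk evaluates `strcmp(arg, "--...-try")` twice and repeats the same six lines, so a fourth bind variant would have to copy all of it again; compute the result once into a local such as `is_try`, use it both in the `else if` condition and for the flag, and the three bodies become near-identical candidates for one small helper. The new lines also drop the space the surrounding code puts before the call parenthesis (`strcmp(arg, ...)` next to the removed `strcmp (arg, ...)`, and likewise `die_with_error(` in the -966 and -1252 hunks), while the dev-bind block keeps it; one form should be used throughout. `op->flags = ALLOW_NOTEXIST;` overwrites rather than ORs, which is fine only while `setup_op_new` zeroes the field and nothing sets another flag earlier (both outside the hunk); `op->flags |= ALLOW_NOTEXIST;` says so explicitly. The option-parsing function starts and ends outside the hunk.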
@@ -2280,7 +2302,7 @@
 die_with_error ("Failed to make / slave");
 /* Create a tmpfs which we will use as / in the namespace */
- if (mount ("", base_path, "tmpfs", MS_NODEV | MS_NOSUID, NULL) != 0)
+ if (mount ("tmpfs", base_path, "tmpfs", MS_NODEV | MS_NOSUID, NULL) != 0)
 die_with_error ("Failed to mount tmpfs");
 old_cwd = get_current_dir_name ();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.3.0/bwrap.xml new/bubblewrap-0.3.1/bwrap.xml
--- old/bubblewrap-0.3.0/bwrap.xml 2018-07-11 17:32:00.000000000 +0200
+++ new/bubblewrap-0.3.1/bwrap.xml 2018-08-09 15:34:51.000000000 +0200
@@ -48,7 +48,7 @@
 <para> It works by creating a new, completely empty, filesystem namespace where the root is on a tmpfs that is invisible from the host, and which will be automatically
- cleaned up when the last process exists. You can then use commandline options to
+ cleaned up when the last process exits. You can then use commandline options to
 construct the root filesystem and process environment for the command to run in the namespace. </para>
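Review bot: The source argument of the root tmpfs mount changes from `""` to `"tmpfs"` with nothing in the code recording why, and the comment above it still only says what is mounted. The package changelog on this page gives the reason, an empty source field confused some programs parsing the mountinfo files under /proc, and that belongs next to the call so the next person does not "simplify" it back. Suggested replacement for the existing comment: `/* Create a tmpfs which we will use as / in the namespace; the source is "tmpfs" rather than "" so the mountinfo entry has a non-empty source field */`. The enclosing function starts and ends outside the hunk.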
@@ -184,14 +184,26 @@
 <listitem><para>Bind mount the host path <arg choice="plain">SRC</arg> on <arg choice="plain">DEST</arg></para></listitem>
 </varlistentry>
 <varlistentry>
+ <term><option>--bind-try <arg choice="plain">SRC</arg> <arg choice="plain">DEST</arg></option></term>
+ <listitem><para>Equal to <option>--bind</option> but ignores non-existant <arg choice="plain">SRC</arg></para></listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>--dev-bind <arg choice="plain">SRC</arg> <arg choice="plain">DEST</arg></option></term>
 <listitem><para>Bind mount the host path <arg choice="plain">SRC</arg> on <arg choice="plain">DEST</arg>, allowing device access</para></listitem>
 </varlistentry>
 <varlistentry>
+ <term><option>--dev-bind-try <arg choice="plain">SRC</arg> <arg choice="plain">DEST</arg></option></term>
+ <listitem><para>Equal to <option>--dev-bind</option> but ignores non-existant <arg choice="plain">SRC</arg></para></listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>--ro-bind <arg choice="plain">SRC</arg> <arg choice="plain">DEST</arg></option></term>
 <listitem><para>Bind mount the host path <arg choice="plain">SRC</arg> readonly on <arg choice="plain">DEST</arg></para></listitem>
 </varlistentry>
 <varlistentry>
+ <term><option>--ro-bind-try <arg choice="plain">SRC</arg> <arg choice="plain">DEST</arg></option></term>
+ <listitem><para>Equal to <option>--ro-bind</option> but ignores non-existant <arg choice="plain">SRC</arg></para></listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>--remount-ro <arg choice="plain">DEST</arg></option></term>
 <listitem><para>Remount the path <arg choice="plain">DEST</arg> as readonly.
 It works only on the specified mount point, without changing any other mount point under the specified path</para></listitem> </varlistentry>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.3.0/configure.ac new/bubblewrap-0.3.1/configure.ac
--- old/bubblewrap-0.3.0/configure.ac 2018-07-11 17:32:00.000000000 +0200
+++ new/bubblewrap-0.3.1/configure.ac 2018-08-09 15:34:51.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([bubblewrap], [0.3.0], [[email protected]])
+AC_INIT([bubblewrap], [0.3.1], [[email protected]])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
