Hello community, here is the log from the commit of package virt-bootstrap for openSUSE:Factory checked in at 2019-07-11 13:17:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/virt-bootstrap (Old) and /work/SRC/openSUSE:Factory/.virt-bootstrap.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "virt-bootstrap" Thu Jul 11 13:17:07 2019 rev:5 rq:714218 version:1.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/virt-bootstrap/virt-bootstrap.changes 2018-06-02 12:13:11.601689959 +0200 +++ /work/SRC/openSUSE:Factory/.virt-bootstrap.new.4615/virt-bootstrap.changes 2019-07-11 13:17:08.890790929 +0200 @@ -1,0 +2,10 @@ +Tue Jul 9 08:53:40 UTC 2019 - Cédric Bosdonnat <[email protected]> + +- Release 1.1.1 + * Don't expose the root password via command line (bsc#1140750) + * Set SElinux file context of destination folder + * Use absolute destination path + * safe-untar: Inherit SElinux context + * don't allow overwriting of the root partition + +------------------------------------------------------------------- Old: ---- virt-bootstrap-1.1.0.tar.gz New: ---- virt-bootstrap-1.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ virt-bootstrap.spec ++++++ --- /var/tmp/diff_new_pack.gCX7aj/_old 2019-07-11 13:17:09.622790699 +0200 +++ /var/tmp/diff_new_pack.gCX7aj/_new 2019-07-11 13:17:09.626790697 +0200 @@ -1,7 +1,7 @@ # # spec file for package virt-bootstrap # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,16 +12,16 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: virt-bootstrap -Version: 1.1.0 +Version: 1.1.1 Release: 0 Summary: System container rootfs creation tool -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Productivity/Other Url: https://github.com/virt-manager/virt-bootstrap Source: http://virt-manager.org/download/sources/virt-bootstrap/%{name}-%{version}.tar.gz ++++++ virt-bootstrap-1.1.0.tar.gz -> virt-bootstrap-1.1.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/AUTHORS new/virt-bootstrap-1.1.1/AUTHORS --- old/virt-bootstrap-1.1.0/AUTHORS 2018-05-31 13:34:38.000000000 +0200 +++ new/virt-bootstrap-1.1.1/AUTHORS 2019-07-09 10:46:10.000000000 +0200 @@ -10,4 +10,5 @@ The individual contributors are Cédric Bosdonnat <[email protected]> + Fabiano Fidêncio <[email protected]> Radostin Stoyanov <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/ChangeLog new/virt-bootstrap-1.1.1/ChangeLog --- old/virt-bootstrap-1.1.0/ChangeLog 2018-05-31 13:34:38.000000000 +0200 +++ new/virt-bootstrap-1.1.1/ChangeLog 2019-07-09 10:46:10.000000000 +0200 
@@ -1,3 +1,66 @@ +2019-07-06 Fabiano Fidêncio <[email protected]> + + Don't expose the root_password via command line + Instead of exposing the root-password in the command line, let's just + improve our way of handling the option and also accept a 'file:' + selector. + + Together with this change, let's warn the users that using + --root-password in the old manner is not recommended and that the + 'file:' selector should be used instead. + + Reviewed-by: Radostin Stoyanov <[email protected]> + + +2019-07-05 Radostin Stoyanov <[email protected]> + + Set SElinux file context of destination folder + Set file context to 'container_file_t' on the destination folder when + SElinux is enabled. + + Reviewed-by: Fabiano Fidêncio <[email protected]> + Tested-by: Fabiano Fidêncio <[email protected]> + + +2019-07-05 Radostin Stoyanov <[email protected]> + + Use absolute destination path + In order to avoid issues, for example, when virt-sandbox might not + convert relative to absolute path, make sure that we always use + absolute destination path. + + Reviewed-by: Cole Robinson <[email protected]> + Reviewed-by: Fabiano Fidêncio <[email protected]> + Tested-by: Fabiano Fidêncio <[email protected]> + + +2019-07-05 Radostin Stoyanov <[email protected]> + + safe-untar: Inherit SElinux context + Allow virt-sandbox to inherit the SElinux context of virt-bootstrap. 
+ + https://bugzilla.redhat.com/show_bug.cgi?id=1655305 + https://bugzilla.redhat.com/show_bug.cgi?id=1671794 + + Reviewed-by: Cole Robinson <[email protected]> + Reviewed-by: Fabiano Fidêncio <[email protected]> + Tested-by: Fabiano Fidêncio <[email protected]> + + +2019-05-28 Radostin Stoyanov <[email protected]> + + docker-source: Fix pylint too many blank lines + Reviewed-by: Cole Robinson <[email protected]> + + +2019-01-04 Radostin Stoyanov <[email protected]> + + Don't allow overwriting of the root partition + Closes #7 + + Reported-by: @loops + + 2018-05-31 Cédric Bosdonnat <[email protected]> Update NEWS file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/NEWS.md new/virt-bootstrap-1.1.1/NEWS.md --- old/virt-bootstrap-1.1.0/NEWS.md 2018-05-31 13:32:45.000000000 +0200 +++ new/virt-bootstrap-1.1.1/NEWS.md 2019-07-09 10:34:03.000000000 +0200 @@ -1,5 +1,13 @@ # Virt Bootstrap News +## Release 1.1.1 (Jul 9, 2019) + + * Don't expose the root password via command line + * Set SElinux file context of destination folder + * Use absolute destination path + * safe-untar: Inherit SElinux context + * don't allow overwriting of the root partition + ## Release 1.1.0 (May 31, 2018) * safe_untar: check for permissions to set attribs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/PKG-INFO new/virt-bootstrap-1.1.1/PKG-INFO --- old/virt-bootstrap-1.1.0/PKG-INFO 2018-05-31 13:34:38.000000000 +0200 +++ new/virt-bootstrap-1.1.1/PKG-INFO 2019-07-09 10:46:10.000000000 +0200 
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: virt-bootstrap -Version: 1.1.0 +Version: 1.1.1 Summary: Container bootstrapping tool Home-page: https://github.com/virt-manager/virt-bootstrap Author: Cedric Bosdonnat diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/man/virt-bootstrap.1 new/virt-bootstrap-1.1.1/man/virt-bootstrap.1 --- old/virt-bootstrap-1.1.0/man/virt-bootstrap.1 2017-09-07 11:47:52.000000000 +0200 +++ new/virt-bootstrap-1.1.1/man/virt-bootstrap.1 1970-01-01 01:00:00.000000000 +0100 
@@ -1,318 +0,0 @@ -.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.32) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. 
ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "VIRT-BOOTSTRAP 1" -.TH VIRT-BOOTSTRAP 1 "2017-08-30" "1.0.0" "Container bootstrapping tool" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -virt\-bootstrap \- Setup root file system for libvirt\-based containers -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBvirt-bootstrap\fR \s-1URI DEST\s0 [\s-1OPTIONS\s0] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBvirt-bootstrap\fR is a tool providing an easy way to setup the root -file system for libvirt-based containers. It allows to use either a -tarball containing the file system, an image on a docker registry -or virt-builder template and unpacks it either as a folder or in a -.SS "Supported sources are:" -.IX Subsection "Supported sources are:" -.IP "\fBfile://\f(BI/path/to/rootfs.tar\fB\fR" 4 -.IX Item "file:///path/to/rootfs.tar" -Tar archive which contains root file system -.IP "\fBdocker://\f(BIregistry\fB:\f(BIport\fB/\f(BIimage\fB:\f(BItag\fB\fR" 4 -.IX Item "docker://registry:port/image:tag" -Docker registry -.IP "\fBvirt\-builder://\f(BItemplate\fB\fR" 4 -.IX Item "virt-builder://template" -virt-builder templates -.PP -Docker container images are downloaded and the layers are getting cached. -If virt-bootstrap is running with effective UID=0 (root) the layersq -are cached in \f(CW\*(C`/var/cache/virt\-bootstrap/docker_images\*(C'\fR. -For unprivileged users the \f(CW\*(C`~/.cache/virt\-bootstrap/docker_images\*(C'\fR directory -is used. If the environment variable \f(CW\*(C`XDG_CACHE_HOME\*(C'\fR is specified then this -directory is used instead of \f(CW\*(C`~/.cache\*(C'\fR. -.PP -The environment variable \f(CW\*(C`VIRTBOOTSTRAP_TMPDIR\*(C'\fR can be used to specify -temporary directory used by virt-bootstrap or default \f(CW\*(C`/tmp\*(C'\fR will be used. -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB\-f\fR, \fB\-\-format\fR" 4 -.IX Item "-f, --format" -Output format of the root file system. Possible values are \fBdir\fR -(default) and \fBqcow2\fR. 
-.IP "\fB\-\-root\-password\fR \s-1ROOT_PASSWORD\s0" 4 -.IX Item "--root-password ROOT_PASSWORD" -This argument will generate hash from \fB\s-1ROOT_PASSWORD\s0\fR and insert the -hashed value into \f(CW\*(C`/etc/shadow\*(C'\fR in the created root file system. -.Sp -If the output format is \f(CW\*(C`qcow2\*(C'\fR these modifications are applied in -additional qcow2 disk image. -.Sp -Note that the \f(CW\*(C`/etc/shadow\*(C'\fR file must already exist in the extracted -root file system of the container image and it must have entry for root -user. -.IP "\fB\-\-no\-cache\fR" 4 -.IX Item "--no-cache" -When this flag is used Docker images will be downloaded in temporary -directory and discarded after the root file system is extracted. -.IP "\fB\-\-status\-only\fR" 4 -.IX Item "--status-only" -If this flag is used the log messages will be suppresses and only information -about the current progress will be displayed. -.IP "\fB\-q\fR, \fB\-\-quiet\fR" 4 -.IX Item "-q, --quiet" -Show only warning and error messages. -.IP "\fB\-d\fR, \fB\-\-debug\fR" 4 -.IX Item "-d, --debug" -Show debugging output messages. -.IP "\fB\-h\fR, \fB\-\-help\fR" 4 -.IX Item "-h, --help" -Display command line help summary. -.IP "\fB\-\-version\fR" 4 -.IX Item "--version" -Show virt-bootstrap's version number and exit. -.SS "Authentication options for accessing private Docker registry" -.IX Subsection "Authentication options for accessing private Docker registry" -Note: If \fB\-\-username\fR argument is specified and \fB\-\-password\fR omitted -password prompt will be issued. If \fB\-\-username\fR is omitted the \fB\-\-password\fR -argument will be ignored. -.IP "\fB\-u\fR, \fB\-\-username\fR \s-1USERNAME\s0" 4 -.IX Item "-u, --username USERNAME" -.Vb 1 -\& This argument takes USERNAME to be used to access Docker source registry. 
-.Ve -.IP "\fB\-p\fR, \fB\-\-password\fR \s-1PASSWORD\s0" 4 -.IX Item "-p, --password PASSWORD" -This argument takes \s-1PASSWORD\s0 to be used to access Docker source registry. -.IP "\fB\-\-not\-secure\fR" 4 -.IX Item "--not-secure" -Don't require \s-1HTTPS\s0 and verification of certificates when talking to Docker registry. -.Sp -See \*(L"skopeo copy\*(R" in \fIskopeo\fR\|(1) -.SS "\s-1UID/GID\s0 mapping" -.IX Subsection "UID/GID mapping" -.IP "\fB\-\-uidmap\fR \fIstart\fR:\fItarget\fR:\fIcount\fR" 4 -.IX Item "--uidmap start:target:count" -Shift UIDs of all root file system entries with some offset. This parameter -can be specified multiple times. -.Sp -Example: \f(CW\*(C`\-\-uidmap 0:1000:10 \-\-uidmap 500:1500:10\*(C'\fR -This will map the UIDs: 0\-9 to 1000\-1009 and 500\-509 to 1500\-1509 -.Sp -See \*(L"\s-1INSTALLATION OPTIONS\*(R"\s0 in \fIvirt\-install\fR\|(1) -.IP "\fB\-\-gidmap\fR \fIstart\fR:\fItarget\fR:\fIcount\fR" 4 -.IX Item "--gidmap start:target:count" -Shift GIDs of all root file system entries with some offset. This parameter -can be specified multiple times. -.Sp -Example: \f(CW\*(C`\-\-gidmap 0:1000:10 \-\-gidmap 500:1500:10\*(C'\fR -This will map the GIDs: 0\-9 to 1000\-1009 and 500\-509 to 1500\-1509 -.Sp -See \*(L"\s-1INSTALLATION OPTIONS\*(R"\s0 in \fIvirt\-install\fR\|(1) -.IP "\fB\-\-idmap\fR \fIstart\fR:\fItarget\fR:\fIcount\fR" 4 -.IX Item "--idmap start:target:count" -Remapping owner and group of all files and directories inside of the -root file system. This parameter can be specified multiple times. 
-.Sp -Example: \f(CW\*(C`\-\-idmap 0:1000:10 \-\-idmap 500:1500:10\*(C'\fR -This will map UIDs and GIDs: 0\-9 to 1000\-1009 and 500\-509 to 1500\-1509 -.Sp -See \*(L"\s-1INSTALLATION OPTIONS\*(R"\s0 in \fIvirt\-install\fR\|(1) -.SH "USAGE EXAMPLES" -.IX Header "USAGE EXAMPLES" -.IP "Create root file system using Ubuntu image docker.io registry:" 4 -.IX Item "Create root file system using Ubuntu image docker.io registry:" -.Vb 1 -\& $ virt\-bootstrap docker://ubuntu /tmp/foo -.Ve -.IP "Create root file system from image stored on private Docker registry:" 4 -.IX Item "Create root file system from image stored on private Docker registry:" -.Vb 4 -\& $ virt\-bootstrap docker://localhost:5000/ubuntu /tmp/foo \e -\& \-\-username testuser \e -\& \-\-password testpassoword \e -\& \-\-not\-secure -.Ve -.IP "Apply UIDs/GIDs mapping for root file system entries" 4 -.IX Item "Apply UIDs/GIDs mapping for root file system entries" -.Vb 2 -\& $ virt\-bootstrap docker://fedora /tmp/foo \e -\& \-\-idmap 0:1000:10 -.Ve -.Sp -This above command will map UIDs/GIDs: \fB0\fR\-\fB9\fR to \fB1000\fR\-\fB1009\fR -.Sp -The same result can be achieved with: -.Sp -.Vb 3 -\& $ virt\-bootstrap docker://fedora /tmp/foo \e -\& \-\-uidmap 0:1000:10 \e -\& \-\-gidmap 0:1000:10 -.Ve -.IP "Multiple mapping values can be specified as follows:" 4 -.IX Item "Multiple mapping values can be specified as follows:" -.Vb 3 -\& $ virt_bootstrap.py docker://ubuntu /tmp/foo \e -\& \-\-idmap 0:1000:10 \e -\& \-\-idmap 500:1500:10 -.Ve -.Sp -This will map the UID/GIDs: -\&\fB0\fR\-\fB9\fR to \fB1000\fR\-\fB1009\fR and \fB500\fR\-\fB509\fR to \fB1500\fR\-\fB1509\fR -.IP "Set root password" 4 -.IX Item "Set root password" -.Vb 2 -\& $ virt_bootstrap.py docker://opensuse /tmp/foo \e -\& \-\-root\-password secret -.Ve -.Sp -The above command will download the \f(CW\*(C`opensuse\*(C'\fR container image and -extract the root file system to \f(CW\*(C`/tmp/foo\*(C'\fR. 
Then it will generate hash -of the string \f(CW\*(C`secret\*(C'\fR and insert it into \f(CW\*(C`/tmp/foo/etc/shadow\*(C'\fR file. -.Sp -.Vb 3 -\& $ virt_bootstrap.py docker://opensuse /tmp/foo \e -\& \-\-root\-password secret \e -\& \-f qcow2 -.Ve -.Sp -Similarly for \fBqcow2\fR format the container image will be downloaded and -the root file system will be extracted into qcow2 disk images with backing -chains. Then additional qcow2 image will be created with backing file set to -the last layer and the modification of \f(CW\*(C`shadow\*(C'\fR file will be applied -there. -.SH "AUTHOR" -.IX Header "AUTHOR" -Written by Cedric Bosdonnat and Radostin Stoyanov diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/man/virt-bootstrap.pod new/virt-bootstrap-1.1.1/man/virt-bootstrap.pod --- old/virt-bootstrap-1.1.0/man/virt-bootstrap.pod 2017-08-30 16:05:40.000000000 +0200 +++ new/virt-bootstrap-1.1.1/man/virt-bootstrap.pod 2019-07-09 09:26:28.000000000 +0200 @@ -52,10 +52,13 @@ Output format of the root file system. Possible values are B<dir> (default) and B<qcow2>. -=item B<--root-password> ROOT_PASSWORD +=item B<--root-password> SELECTOR -This argument will generate hash from B<ROOT_PASSWORD> and insert the -hashed value into C</etc/shadow> in the created root file system. +This argument will generate hash from B<ROOT_PASSWORD>, gotten from +the B<SELECTOR> field, and insert the hashed value into C</etc/shadow> +in the created root file system. + +Note that B<SELECTOR> can be one of the following: "file:". If the output format is C<qcow2> these modifications are applied in additional qcow2 disk image. 
@@ -192,14 +195,15 @@ =item Set root password $ virt_bootstrap.py docker://opensuse /tmp/foo \ - --root-password secret + --root-password file:/tmp/secret The above command will download the C<opensuse> container image and extract the root file system to C</tmp/foo>. Then it will generate hash -of the string C<secret> and insert it into C</tmp/foo/etc/shadow> file. +of the password present in C</tmp/secret> file and insert it into +C</tmp/foo/etc/shadow> file. $ virt_bootstrap.py docker://opensuse /tmp/foo \ - --root-password secret \ + --root-password file:/tmp/secret \ -f qcow2 Similarly for B<qcow2> format the container image will be downloaded and diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/src/virtBootstrap/__init__.py new/virt-bootstrap-1.1.1/src/virtBootstrap/__init__.py --- old/virt-bootstrap-1.1.0/src/virtBootstrap/__init__.py 2017-09-07 11:49:01.000000000 +0200 +++ new/virt-bootstrap-1.1.1/src/virtBootstrap/__init__.py 2019-07-09 09:27:01.000000000 +0200 @@ -152,7 +152,7 @@ virtBootstrap.bootstrap( uri='docker://fedora', dest='/tmp/foo', - root_password='secret' + root_password='file:/tmp/secret' ) # Convert Ubuntu container image to qcow2 disk image using backing chains diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/src/virtBootstrap/sources/docker_source.py new/virt-bootstrap-1.1.1/src/virtBootstrap/sources/docker_source.py --- old/virt-bootstrap-1.1.0/src/virtBootstrap/sources/docker_source.py 2018-05-31 13:03:07.000000000 +0200 +++ new/virt-bootstrap-1.1.1/src/virtBootstrap/sources/docker_source.py 2019-07-09 09:27:01.000000000 +0200 
@@ -168,7 +168,6 @@ else: raise ValueError('Blob %s does not exist.' % path) - def parse_output(self, proc): """ Read stdout from skopeo's process asynchconosly. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/src/virtBootstrap/utils.py new/virt-bootstrap-1.1.1/src/virtBootstrap/utils.py --- old/virt-bootstrap-1.1.0/src/virtBootstrap/utils.py 2018-05-31 13:03:07.000000000 +0200 +++ new/virt-bootstrap-1.1.1/src/virtBootstrap/utils.py 2019-07-09 09:26:28.000000000 +0200 @@ -269,6 +269,7 @@ Extract tarball within LXC container for safety. """ virt_sandbox = ['virt-sandbox', + '--security=inherit', '-c', LIBVIRT_CONN, '--name=bootstrap_%s' % os.getpid(), '-m', 'host-bind:/mnt=' + dest] # Bind destination folder @@ -521,6 +522,28 @@ sys.stdout.flush() +def is_selinux_enabled(): + """ + Returns True if SElinux is enabled, False otherwise. + """ + try: + subprocess.check_call(['selinuxenabled']) + except Exception: + return False + return True + + +def chcon(path, context, flags="-Rt"): + """ + Change file SELinux security context + """ + try: + subprocess.check_call(['chcon', flags, context, path]) + except Exception: + return False + return True + + # The implementation for remapping ownership of all files inside a # container's rootfs is inspired by the tool uidmapshift: # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/src/virtBootstrap/virt_bootstrap.py new/virt-bootstrap-1.1.1/src/virtBootstrap/virt_bootstrap.py --- old/virt-bootstrap-1.1.0/src/virtBootstrap/virt_bootstrap.py 2018-05-31 13:14:57.000000000 +0200 +++ new/virt-bootstrap-1.1.1/src/virtBootstrap/virt_bootstrap.py 2019-07-09 10:41:41.000000000 +0200 @@ -38,7 +38,7 @@ from virtBootstrap import utils -__version__ = "1.1.0" +__version__ = "1.1.1" gettext.bindtextdomain("virt-bootstrap", "/usr/share/locale") 
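Review bot: `is_selinux_enabled` and `chcon` in the second utils.py hunk catch `except Exception`, so the caller only learns that the relabel failed, never why (missing `chcon`/`selinuxenabled` binary, permission denied, invalid context). Narrowing each handler to `except (OSError, subprocess.CalledProcessError) as err:` and logging `err` at debug level before `return False` keeps the boolean contract while making failures diagnosable; a logger is not visible in this hunk, so confirm one is in scope in utils.py. The default `flags="-Rt"` also deserves a line in the `chcon` docstring, e.g. `Recursive by default: every existing entry under *path* is relabeled, not just the directory itself.`, because callers passing an existing directory may not expect that.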
@@ -121,9 +121,13 @@ uri = urlparse(uri) source = get_source(uri.scheme or 'file') + dest = os.path.abspath(dest) if not os.path.exists(dest): os.makedirs(dest) + elif dest == "/": # Don't overwrite root + logger.error("Unpack to root directory is not allowed") + sys.exit(1) elif not os.path.isdir(dest): # Show error if not directory logger.error("Destination path '%s' is not directory.", dest) sys.exit(1) @@ -131,12 +135,33 @@ logger.error("No write permissions on destination path '%s'", dest) sys.exit(1) + if utils.is_selinux_enabled(): + logger.debug("Setting file SELinux security context") + if not utils.chcon(dest, "container_file_t"): + logger.error("Can't set SElinux context on destination path '%s'", + dest) + sys.exit(1) + if uid_map is None: uid_map = [] if gid_map is None: gid_map = [] + + if root_password: + if root_password.startswith('file:'): + root_password_file = root_password[len('file:'):] + logger.debug("Reading root password from file %s" % + root_password_file) + with open(root_password_file) as pwdfile: + root_password = pwdfile.readline().rstrip("\n\r") + else: + logger.warning(_("Passing the root_password directly via command " + "line is deprecated and using the 'file:' " + "selector is the recommended way to use this " + "option.")) + source(uri=uri, fmt=fmt, username=username, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/src/virt_bootstrap.egg-info/PKG-INFO new/virt-bootstrap-1.1.1/src/virt_bootstrap.egg-info/PKG-INFO --- old/virt-bootstrap-1.1.0/src/virt_bootstrap.egg-info/PKG-INFO 2018-05-31 13:34:38.000000000 +0200 +++ new/virt-bootstrap-1.1.1/src/virt_bootstrap.egg-info/PKG-INFO 2019-07-09 10:46:10.000000000 +0200 
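Review bot: The `file:` branch in the second virt_bootstrap.py hunk has no error path: a missing or unreadable password file raises an uncaught IOError instead of following the `logger.error` + `sys.exit(1)` pattern used for every other failure in this function, and an empty file silently yields `root_password == ""`, which then reaches `source(...)` as a set-but-empty root password. Both cases should be handled explicitly, as below. Separately, `utils.chcon(dest, "container_file_t")` runs with its recursive default before anything checks that `dest` is empty, so an existing populated directory gets every file under it relabeled; consider limiting the relabel to a freshly created or empty directory, or at least logging what is being relabeled. The enclosing function starts before this hunk.
```python
    if root_password:
        if root_password.startswith('file:'):
            root_password_file = root_password[len('file:'):]
            logger.debug("Reading root password from file %s",
                         root_password_file)
            try:
                with open(root_password_file) as pwdfile:
                    root_password = pwdfile.readline().rstrip("\n\r")
            except (IOError, OSError) as err:
                logger.error("Can't read root password file '%s': %s",
                             root_password_file, err)
                sys.exit(1)
            if not root_password:
                logger.error("Root password file '%s' is empty",
                             root_password_file)
                sys.exit(1)
        # … unchanged: deprecation warning for a literal password …
```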
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: virt-bootstrap -Version: 1.1.0 +Version: 1.1.1 Summary: Container bootstrapping tool Home-page: https://github.com/virt-manager/virt-bootstrap Author: Cedric Bosdonnat diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/src/virt_bootstrap.egg-info/SOURCES.txt new/virt-bootstrap-1.1.1/src/virt_bootstrap.egg-info/SOURCES.txt --- old/virt-bootstrap-1.1.0/src/virt_bootstrap.egg-info/SOURCES.txt 2018-05-31 13:34:38.000000000 +0200 +++ new/virt-bootstrap-1.1.1/src/virt_bootstrap.egg-info/SOURCES.txt 2019-07-09 10:46:10.000000000 +0200 @@ -5,7 +5,6 @@ NEWS.md README.md setup.py -man/virt-bootstrap.1 man/virt-bootstrap.pod src/virtBootstrap/__init__.py src/virtBootstrap/progress.py diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/tests/__init__.py new/virt-bootstrap-1.1.1/tests/__init__.py --- old/virt-bootstrap-1.1.0/tests/__init__.py 2017-09-07 11:49:01.000000000 +0200 +++ new/virt-bootstrap-1.1.1/tests/__init__.py 2019-07-09 09:27:01.000000000 +0200 
@@ -334,9 +334,15 @@ Note: For simplicity we assume that the first line of /etc/shadow contains the root entry. """ + root_password = self.root_password + if root_password and root_password.startswith('file:'): + root_password_file = root_password[len('file:'):] + with open(root_password_file) as pwdfile: + root_password = pwdfile.readline().rstrip("\n\r") + self.assertTrue( passlib.hosts.linux_context.verify( - self.root_password, + root_password, shadow_content[0].split(':')[1] ), "Invalid root password hash." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/tests/docker_source.py new/virt-bootstrap-1.1.1/tests/docker_source.py --- old/virt-bootstrap-1.1.0/tests/docker_source.py 2018-05-31 13:03:07.000000000 +0200 +++ new/virt-bootstrap-1.1.1/tests/docker_source.py 2019-07-09 09:27:01.000000000 +0200 @@ -156,7 +156,7 @@ Ensures that the root password is set correctly. """ layers = CreateLayers(self.tar_file, self.rootfs_tree, self.tar_dir) - self.root_password = "My secret root password" + self.root_password = "file:tests/password.txt" self.call_bootstrap(layers.generate_manifest()) self.validate_shadow_file() @@ -282,7 +282,7 @@ """ Ensures that the root password is set in the last qcow2 image. """ - self.root_password = "My secret password" + self.root_password = "file:tests/password.txt" layers_rootfs = self.call_bootstrap() g = guestfs.GuestFS(python_return_dict=True) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/tests/file_source.py new/virt-bootstrap-1.1.1/tests/file_source.py --- old/virt-bootstrap-1.1.0/tests/file_source.py 2017-08-30 16:05:40.000000000 +0200 +++ new/virt-bootstrap-1.1.1/tests/file_source.py 2019-07-09 09:27:01.000000000 +0200 
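Review bot: The tests/__init__.py hunk re-implements the `file:` selector parsing (`startswith('file:')`, slice, `readline().rstrip("\n\r")`) instead of calling the same code the tool uses, so a later change to how virt_bootstrap.py reads the file (for example stripping surrounding whitespace) would not be caught by this check. Extracting the parsing into one helper in utils.py and calling it from both places would keep the test honest; a comment such as `# Must match the 'file:' handling in virt_bootstrap.bootstrap()` is the minimum if the duplication stays. The enclosing test helper starts before this hunk.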
@@ -74,7 +74,7 @@ Ensures that the root password is set correctly when FileSource is used with fmt='dir'. """ - self.root_password = 'my secret root password' + self.root_password = 'file:tests/password.txt' self.call_bootstrap() self.validate_shadow_file() @@ -120,7 +120,7 @@ """ Ensures that the root password is set in the last qcow2 image. """ - self.root_password = "My secret password" + self.root_password = "file:tests/password.txt" self.call_bootstrap() self.check_image = self.validate_shadow_file_in_image self.check_qcow2_images(self.get_image_path(1)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/virt-bootstrap-1.1.0/tests/virt_builder_source.py new/virt-bootstrap-1.1.1/tests/virt_builder_source.py --- old/virt-bootstrap-1.1.0/tests/virt_builder_source.py 2017-08-30 16:05:40.000000000 +0200 +++ new/virt-bootstrap-1.1.1/tests/virt_builder_source.py 2019-07-09 09:27:01.000000000 +0200 @@ -206,7 +206,7 @@ """ Ensures that password for root is set correctly. """ - self.root_password = 'my secret root password' + self.root_password = 'file:tests/password.txt' self.fmt = 'dir' self.call_bootstrap() self.validate_shadow_file() @@ -237,7 +237,7 @@ "layer-1.qcow2" """ self.fmt = 'qcow2' - self.root_password = "My secret password" + self.root_password = "file:tests/password.txt" self.call_bootstrap() self.check_image = self.validate_shadow_file_in_image self.check_qcow2_images(self.get_image_path())
