Hello community, here is the log from the commit of package buildah for openSUSE:Leap:15.2 checked in at 2020-03-31 07:24:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/buildah (Old) and /work/SRC/openSUSE:Leap:15.2/.buildah.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "buildah" Tue Mar 31 07:24:11 2020 rev:10 rq:789897 version:1.14.5 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/buildah/buildah.changes 2020-03-29 14:56:14.863183848 +0200 +++ /work/SRC/openSUSE:Leap:15.2/.buildah.new.3160/buildah.changes 2020-03-31 07:24:31.450453993 +0200 @@ -1,0 +2,6 @@ +Mon Mar 30 06:48:28 UTC 2020 - Sascha Grunert <sgrun...@suse.com> + +- Update to v1.14.5 + * Revert FIPS mode change + +------------------------------------------------------------------- Old: ---- buildah-1.14.4.tar.xz New: ---- buildah-1.14.5.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ buildah.spec ++++++ --- /var/tmp/diff_new_pack.qkYRFC/_old 2020-03-31 07:24:31.898454178 +0200 +++ /var/tmp/diff_new_pack.qkYRFC/_new 2020-03-31 07:24:31.902454179 +0200 @@ -22,7 +22,7 @@ %define with_libostree 1 %endif Name: buildah -Version: 1.14.4 +Version: 1.14.5 Release: 0 Summary: Tool for building OCI containers License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.qkYRFC/_old 2020-03-31 07:24:31.922454188 +0200 +++ /var/tmp/diff_new_pack.qkYRFC/_new 2020-03-31 07:24:31.922454188 +0200 @@ -4,8 +4,8 @@ <param name="url">https://github.com/containers/buildah.git</param> <param name="scm">git</param> <param name="filename">buildah</param> -<param name="versionformat">1.14.4</param> -<param name="revision">v1.14.4</param> +<param name="versionformat">1.14.5</param> +<param name="revision">v1.14.5</param> </service> <service name="recompress" mode="disabled"> ++++++ buildah-1.14.4.tar.xz -> buildah-1.14.5.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/CHANGELOG.md new/buildah-1.14.5/CHANGELOG.md --- old/buildah-1.14.4/CHANGELOG.md 2020-03-26 00:03:41.000000000 +0100 +++ new/buildah-1.14.5/CHANGELOG.md 2020-03-27 00:07:01.000000000 +0100 
@@ -2,6 +2,12 @@ # Changelog +## v1.14.5 (2020-03-26) + revert #2246 FIPS mode change + Bump back to v1.15.0-dev + image with dup layers: we now have one on quay + digest test : make more robust + ## v1.14.4 (2020-03-25) Fix fips-mode check for RHEL8 boxes Fix potential CVE in tarfile w/ symlink diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/buildah.go new/buildah-1.14.5/buildah.go --- old/buildah-1.14.4/buildah.go 2020-03-26 00:03:41.000000000 +0100 +++ new/buildah-1.14.5/buildah.go 2020-03-27 00:07:01.000000000 +0100 @@ -27,7 +27,7 @@ Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.14.4" + Version = "1.14.5" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/changelog.txt new/buildah-1.14.5/changelog.txt --- old/buildah-1.14.4/changelog.txt 2020-03-26 00:03:41.000000000 +0100 +++ new/buildah-1.14.5/changelog.txt 2020-03-27 00:07:01.000000000 +0100 @@ -1,3 +1,9 @@ +- Changelog for v1.14.5 (2020-03-26) + * revert #2246 FIPS mode change + * Bump back to v1.15.0-dev + * image with dup layers: we now have one on quay + * digest test : make more robust + - Changelog for v1.14.4 (2020-03-25) * Fix fips-mode check for RHEL8 boxes * Fix potential CVE in tarfile w/ symlink diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/contrib/rpm/buildah.spec new/buildah-1.14.5/contrib/rpm/buildah.spec --- old/buildah-1.14.4/contrib/rpm/buildah.spec 2020-03-26 00:03:41.000000000 +0100 +++ new/buildah-1.14.5/contrib/rpm/buildah.spec 2020-03-27 00:07:01.000000000 +0100 
@@ -26,7 +26,7 @@ Name: buildah # Bump version in buildah.go too -Version: 1.14.4 +Version: 1.14.5 Release: 1.git%{shortcommit}%{?dist} Summary: A command line tool used to creating OCI Images License: ASL 2.0 @@ -99,6 +99,12 @@ %{_datadir}/bash-completion/completions/* %changelog +* Thu Mar 26, 2020 Tom Sweeney <tswee...@redhat.com> 1.14.5-1 +- revert #2246 FIPS mode change +- Bump back to v1.15.0-dev +- image with dup layers: we now have one on quay +- digest test : make more robust + * Wed Mar 25, 2020 Tom Sweeney <tswee...@redhat.com> 1.14.4-1 - Fix fips-mode check for RHEL8 boxes - Fix potential CVE in tarfile w/ symlink diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/pkg/secrets/secrets.go new/buildah-1.14.5/pkg/secrets/secrets.go --- old/buildah-1.14.4/pkg/secrets/secrets.go 2020-03-26 00:03:41.000000000 +0100 +++ new/buildah-1.14.5/pkg/secrets/secrets.go 2020-03-27 00:07:01.000000000 +0100 @@ -340,7 +340,7 @@ *mounts = append(*mounts, m) } - srcBackendDir := "/usr/share/crypto-policies/FIPS" + srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" destDir := "/etc/crypto-policies/back-ends" srcOnHost := filepath.Join(mountPoint, srcBackendDir) if _, err := os.Stat(srcOnHost); err != nil { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/tests/digest/README.md new/buildah-1.14.5/tests/digest/README.md --- old/buildah-1.14.4/tests/digest/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/buildah-1.14.5/tests/digest/README.md 2020-03-27 00:07:01.000000000 +0100 
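Review bot: The FIPS back-end source in pkg/secrets/secrets.go is a single hard-coded path, `srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"`, which this release flips back from the `/usr/share/crypto-policies/FIPS` value that 1.14.4 shipped, so an image using the other layout is never matched. The `os.Stat(srcOnHost)` branch continues outside the hunk; if it treats a missing directory as "nothing to mount", a build that expects the FIPS policy would proceed without it and without any signal, so that case deserves a log line. A comment above the assignment would record the history, e.g. `// FIPS back-ends inside the image; 1.14.4 used /usr/share/crypto-policies/FIPS, reverted (see #2246)`. Separately, `srcOnHost` is built with `filepath.Join(mountPoint, srcBackendDir)` and stat'ed from the host; if `mountPoint` is the container's root filesystem, as the names suggest, a symlink at that path is resolved against the host's root, so resolving it inside the rootfs first (a SecureJoin-style helper) would be safer.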
@@ -0,0 +1,28 @@ +This subdirectory contains a script used to create images for testing. + +To rephrase: this script is used **before testing**, not used **in** testing. +_Much_ before testing (days/weeks/months/years), and manually. + +The script is `make-v2sN` but it is never invoked as such. Instead, +various different symlinks point to the script, and the script +figures out its use by picking apart the name under which it is called. + +As of the initial commit on 2020-02-10 there are three symlinks: + +* make-v2s1 - Create a schema 1 image +* make-v2s2 - Create a schema 2 image +* make-v2s1-with-dups - Create a schema 1 image with two identical layers + +If the script is successful, it will emit instructions on how to +push the images to quay and what else you might need to do. + +Updating +======== + +Should you need new image types, e.g. schema version 3 or an image +with purple elephant GIFs in it: + +1. Decide on a name. Create a new symlink pointing to `make-v2sN` +1. Add the relevant code to `make-v2sN`: a conditional check at the top, the actual image-creating code, and if possible a new test to make sure the generated image is good +1. Run the script. Verify that the generated image is what you expect. +1. Add new test(s) to `digest.bats` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/tests/digest/make-v2s1 new/buildah-1.14.5/tests/digest/make-v2s1 --- old/buildah-1.14.4/tests/digest/make-v2s1 1970-01-01 01:00:00.000000000 +0100 +++ new/buildah-1.14.5/tests/digest/make-v2s1 2020-03-31 07:24:34.326455177 +0200 
@@ -0,0 +1 @@ +symbolic link to make-v2sN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/tests/digest/make-v2s1-with-dups new/buildah-1.14.5/tests/digest/make-v2s1-with-dups --- old/buildah-1.14.4/tests/digest/make-v2s1-with-dups 1970-01-01 01:00:00.000000000 +0100 +++ new/buildah-1.14.5/tests/digest/make-v2s1-with-dups 2020-03-31 07:24:34.222455135 +0200 @@ -0,0 +1 @@ +symbolic link to make-v2sN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/tests/digest/make-v2s2 new/buildah-1.14.5/tests/digest/make-v2s2 --- old/buildah-1.14.4/tests/digest/make-v2s2 1970-01-01 01:00:00.000000000 +0100 +++ new/buildah-1.14.5/tests/digest/make-v2s2 2020-03-31 07:24:34.290455162 +0200 @@ -0,0 +1 @@ +symbolic link to make-v2sN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/tests/digest/make-v2sN new/buildah-1.14.5/tests/digest/make-v2sN --- old/buildah-1.14.4/tests/digest/make-v2sN 1970-01-01 01:00:00.000000000 +0100 +++ new/buildah-1.14.5/tests/digest/make-v2sN 2020-03-27 00:07:01.000000000 +0100 
@@ -0,0 +1,180 @@ +#!/bin/bash +# +# make-v2sN - create a v2sN image, possibly with dups +# +# This is a helper script used for creating custom images for buildah testing. +# The images are used in the digest.bats test. +# +ME=$(basename $0) + +die() { + echo "$ME: $*" >&2 + exit 1 +} + +############################################################################### +# +# From the script name, determine the desired schema version (1 or 2) and +# whether or not we want duplicate layers. + +schemaversion=$(expr "$ME" : ".*-v2s\([12]\)") +test -n "$schemaversion" || die "Could not find 'v2s[12]' in basename" +test "$schemaversion" = "N" && die "Script must be invoked via symlink" + +dup= +if expr "$ME" : ".*-dup" &>/dev/null; then + dup="_with_dups" +fi + +IMGNAME=testdigest_v2s${schemaversion}${dup} + +############################################################################### +# Create the image. + +set -e + +# First layer +cid=$(buildah from scratch) +buildah commit -q $cid interim1 + +# Create a second layer containing this script and a README +cid2=$(buildah from interim1) +mp=$(buildah mount $cid2) +cp $0 $mp/ +cat <<EOF >$mp/README +This is a test image used for buildah testing. + +EOF + +# In the README include creation timestamp, user, script name, git tree state +function add_to_readme() { + printf " %-12s : %s\n" "$1" "$2" >>$mp/README +} + +add_to_readme "Created" "$(date --iso-8601=seconds)" + +# FIXME: do we really need to know? Will it ever, in practice, be non-root? 
+user=$(id -un) +if [ -n "$user" -a "$user" != "root" ]; then + add_to_readme "By (user)" "$user" +fi + +create_script=$(cd $(dirname $0) && git ls-files --full-name $ME) +if [ -z "$create_script" ]; then + create_script=$0 +fi +add_to_readme "By (script)" "$create_script" + +git_state=$(cd $(dirname $0) && git describe --dirty) +if [ -n "$git_state" ]; then + add_to_readme "git state" "$git_state" +fi + +echo "-----------------------------------------------------------------" +cat $mp/README +echo "-----------------------------------------------------------------" + +buildah umount $cid2 +buildah commit -q $cid2 interim2 + +layers="interim2 interim1" +buildah tag interim2 my_image + +############################################################################### +# +# Push/pull the image to/from a tempdir. This is a kludge allowing us to +# clean up interim layers. It's also necessary for dealing with v2s1 layers. + +TMPDIR=$(mktemp --tmpdir -d $(basename $0).XXXXXXX) +push_flags= +if [[ $schemaversion -eq 1 ]]; then + # buildah can't actually create a v2s1 image; only v2s2. To create v2s1, + # dir-push it to a tmpdir using '--format v2s1'; that will be inherited + # when we reload it + push_flags="--format v2s1" +fi +buildah push $push_flags my_image dir:${TMPDIR}/${IMGNAME} + +# Clean up containers and images +buildah rm -a +buildah rmi -f my_image $layers + +if [ -n "$dup" ]; then + manifest=${TMPDIR}/${IMGNAME}/manifest.json + cat $manifest | + jq -c '.fsLayers |= [.[0]] + .' | + jq -c '.history |= [.[0]] + .' | + tr -d '\012' >$manifest.tmp + mv $manifest $manifest.BAK + mv $manifest.tmp $manifest +fi + +# Delete possibly-existing image, because 'buildah pull' will not overwrite it +buildah rmi -f localhost/${IMGNAME}:latest &>/dev/null || true + +# Reload the image +(cd $TMPDIR && buildah pull dir:${IMGNAME}) + +# Leave the tmpdir behind for the -dup image! 
+if [ -z "$dup" ]; then + rm -rf ${TMPDIR} +fi + +############################################################################### +# +# We should now have a 'localhost/IMGNAME' image with desired SchemaVersion +# and other features as requested. +# +# Now verify what we have what we intended. +echo +if type -p jq >&/dev/null; then + # Manifest is embedded in the image but as a string, not actual JSON; + # the eval-echo converts it to usable JSON + manifest=$(eval echo $(buildah inspect ${IMGNAME} | jq .Manifest)) + + # Check desired schema version: + actual_schemaversion=$(jq .schemaVersion <<<"$manifest") + if [[ $actual_schemaversion -ne $schemaversion ]]; then + die "Expected .schemaVersion $schemaversion, got '$actual_schemaversion'" + fi + + echo "Image localhost/${IMGNAME} looks OK; feel free to:" + echo + + if [ -n "$dup" ]; then + echo " \$SKOPEO copy dir:${TMPDIR}/${IMGNAME} docker://quay.io/libpod/${IMGNAME}:\$(date +%Y%m%d)" + echo " ^^^^^^^--- must be specially-crafted skopeo(*), see below" + else + echo " buildah push localhost/${IMGNAME} quay.io/libpod/${IMGNAME}:$(date +%Y%m%d)" + echo " buildah push localhost/${IMGNAME} quay.io/libpod/${IMGNAME}:latest" + fi + + echo + echo "You may then need to log in to the https://quay.io/ web UI" + echo "make those images public, then update tags and/or SHAs" + echo "in test/digest.bats." + echo + echo "Note that the Digest SHA on quay.io != the SHA on the locally" + echo "created image. You can get the real SHA on quay.io by clicking" + echo "on the image name, then the luggage-tag icon on the left," + echo "then the gray box with the text 'SHA256' (not the actual" + echo "hash shown in blue to its right), and copy-pasting the SHA" + echo "from the popup window." + echo + echo "NOTE: the first push to quay.io sometimes fails with some sort of" + echo "500 error, trying to reuse blob, blah blah. Just ignore it and" + echo "retry. IME it works the second time." 
+ + if [ -n "$dup" ]; then + echo + echo "(*) skopeo WILL NOT push an image with dup layers. To get it to" + echo " do that, build a custom skopeo using the patch here:" + echo " https://gist.github.com/nalind/b491204ff05c3c3f3b6ef014b333a60c" + echo " ...then use that skopeo in the above 'copy' command." + # And, for posterity should the gist ever disappear: + # vendor/github.com/containers/image/v5/manifest/docker_schema1.go + # - remove lines 66-68 ('if ... s1.fixManifestLayers()...') + fi +else + echo "WARNING: 'jq' not found; unable to verify built image" >&2 +fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/buildah-1.14.4/tests/digest.bats new/buildah-1.14.5/tests/digest.bats --- old/buildah-1.14.4/tests/digest.bats 2020-03-26 00:03:41.000000000 +0100 +++ new/buildah-1.14.5/tests/digest.bats 2020-03-27 00:07:01.000000000 +0100 
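Review bot: In tests/digest/make-v2sN, `manifest=$(eval echo $(buildah inspect ${IMGNAME} | jq .Manifest))` runs a string taken from the image manifest through `eval`, so any command substitution inside it is interpreted by the shell; `manifest=$(buildah inspect ${IMGNAME} | jq -r .Manifest)` produces the decoded JSON without evaluating it. The guard `test "$schemaversion" = "N"` can never fire because the `expr` pattern only captures `[12]`, so running `make-v2sN` directly dies with the less helpful "Could not find 'v2s[12]'" message. The script also assigns its own `TMPDIR`, which shadows the environment variable of that name for every later `buildah` call if it was exported, and leaves `$0`, `$mp` and `${TMPDIR}` unquoted in `cp $0 $mp/` and `rm -rf ${TMPDIR}`; a differently named, quoted variable such as `workdir=$(mktemp --tmpdir -d "$ME.XXXXXXX")` avoids both.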
@@ -3,40 +3,66 @@ load helpers fromreftest() { - _prefetch $1 - run_buildah from --quiet --pull --signature-policy ${TESTSDIR}/policy.json $1 + local img=$1 + + run_buildah from --quiet --pull --signature-policy ${TESTSDIR}/policy.json $img cid=$output + + # If image includes '_v2sN', verify that image is schema version N + local expected_schemaversion=$(expr "$img" : '.*_v2s\([0-9]\)') + if [ -n "$expected_schemaversion" ]; then + actual_schemaversion=$(imgtype -expected-manifest-type '*' -show-manifest $img | jq .schemaVersion) + expect_output --from="$actual_schemaversion" "$expected_schemaversion" \ + ".schemaversion of $img" + fi + + # This is all we test: basically, that buildah doesn't crash when pushing pushdir=${TESTDIR}/fromreftest mkdir -p ${pushdir}/{1,2,3} - run_buildah push --signature-policy ${TESTSDIR}/policy.json $1 dir:${pushdir}/1 + run_buildah push --signature-policy ${TESTSDIR}/policy.json $img dir:${pushdir}/1 run_buildah commit --signature-policy ${TESTSDIR}/policy.json $cid new-image run_buildah push --signature-policy ${TESTSDIR}/policy.json new-image dir:${pushdir}/2 run_buildah rmi new-image run_buildah commit --signature-policy ${TESTSDIR}/policy.json $cid dir:${pushdir}/3 + run_buildah rm $cid rm -fr ${pushdir} } @test "from-by-digest-s1" { - fromreftest k8s.gcr.io/pause@sha256:bbeaef1d40778579b7b86543fe03e1ec041428a50d21f7a7b25630e357ec9247 + fromreftest quay.io/libpod/testdigest_v2s1@sha256:816563225d7baae4782653efc9410579341754fe32cbe20f7600b39fc37d8ec7 } @test "from-by-digest-s1-a-discarded-layer" { - fromreftest libpod/whalesay@sha256:2413c2ffc29fb01d51c27a91b804079995d6037eed9e4b632249fce8c8708eb4 + IMG=quay.io/libpod/testdigest_v2s1_with_dups@sha256:2c619fffbed29d8677e246798333e7d1b288333cb61c020575f6372c76fdbb52 + + fromreftest ${IMG} + + # Verify that image meets our expectations (duplicate layers) + # Surprisingly, we do this after fromreftest, not before, because fromreftest + # has to pull the image for us. 
+ # + # Check that the first and second .fsLayers and .history elements are dups + local manifest=$(imgtype -expected-manifest-type '*' -show-manifest ${IMG}) + for element in fsLayers history; do + local first=$(jq ".${element}[0]" <<<"$manifest") + local second=$(jq ".${element}[1]" <<<"$manifest") + expect_output --from="$second" "$first" "${IMG}: .${element}[1] == [0]" + done } @test "from-by-tag-s1" { - fromreftest k8s.gcr.io/pause:0.8.0 + fromreftest quay.io/libpod/testdigest_v2s1:20200210 } @test "from-by-digest-s2" { - fromreftest alpine@sha256:e9cec9aec697d8b9d450edd32860ecd363f2f3174c8338beb5f809422d182c63 + fromreftest quay.io/libpod/testdigest_v2s2@sha256:755f4d90b3716e2bf57060d249e2cd61c9ac089b1233465c5c2cb2d7ee550fdb } @test "from-by-tag-s2" { - fromreftest alpine:2.6 + fromreftest quay.io/libpod/testdigest_v2s2:20200210 } @test "from-by-repo-only-s2" { - fromreftest alpine + fromreftest quay.io/libpod/testdigest_v2s2 }
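Review bot: In `fromreftest`, `actual_schemaversion=$(imgtype -expected-manifest-type '*' -show-manifest $img | jq .schemaVersion)` hides a failing `imgtype` behind the pipe, since only the status of `jq` survives, and the variable is left global while `expected_schemaversion` is `local`. Capturing the manifest on its own line, `local manifest; manifest=$(imgtype -expected-manifest-type '*' -show-manifest $img)`, and then feeding it to `jq .schemaVersion <<<"$manifest"` lets an `imgtype` failure surface as its own error instead of an empty-string mismatch in `expect_output`. The same applies to `local manifest=$(imgtype ...)` in the "from-by-digest-s1-a-discarded-layer" test, where `local` discards the command's exit status. `jq` also becomes a hard requirement of these tests with no check that it is installed, unlike make-v2sN, which tests for it with `type -p jq`.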