June 2019 - openSUSE Commits - openSUSE Mailing Lists

commit vulkan-loader for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package vulkan-loader for openSUSE:Factory checked in at 2019-06-30 10:20:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vulkan-loader (Old) and /work/SRC/openSUSE:Factory/.vulkan-loader.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "vulkan-loader" Sun Jun 30 10:20:25 2019 rev:9 rq:712362 version:1.1.112 Changes: -------- --- /work/SRC/openSUSE:Factory/vulkan-loader/vulkan-loader.changes 2019-06-13 22:35:38.532336546 +0200 +++ /work/SRC/openSUSE:Factory/.vulkan-loader.new.4615/vulkan-loader.changes 2019-06-30 10:20:26.767521838 +0200 @@ -1,0 +2,6 @@ +Fri Jun 28 07:32:05 UTC 2019 - Jan Engelhardt <jengelh(a)inai.de> + +- Update to new upstream release 1.1.112 + * loader: Fix bug in searching for missing extension + +------------------------------------------------------------------- Old: ---- Vulkan-Loader-1.1.108.tar.xz New: ---- Vulkan-Loader-1.1.112.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vulkan-loader.spec ++++++ --- /var/tmp/diff_new_pack.6Zmm7F/_old 2019-06-30 10:20:28.155523994 +0200 +++ /var/tmp/diff_new_pack.6Zmm7F/_new 2019-06-30 10:20:28.159524001 +0200 @@ -16,11 +16,11 @@ # -%define version_unconverted 1.1.108 +%define version_unconverted 1.1.112 Name: vulkan-loader %define lname libvulkan1 -Version: 1.1.108 +Version: 1.1.112 Release: 0 Summary: Reference ICD loader for Vulkan License: Apache-2.0 ++++++ Vulkan-Loader-1.1.108.tar.xz -> Vulkan-Loader-1.1.112.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/.appveyor.yml new/Vulkan-Loader-1.1.112/.appveyor.yml --- old/Vulkan-Loader-1.1.108/.appveyor.yml 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/.appveyor.yml 2019-06-25 18:04:58.000000000 +0200 @@ -17,11 +17,18 @@ environment: PYTHON_PATH: "C:/Python35" PYTHON_PACKAGE_PATH: "C:/Python35/Scripts" + CMAKE_URL: "http://cmake.org/files/v3.10/cmake-3.10.2-win64-x64.zip" branches: only: - master +install: + - appveyor DownloadFile %CMAKE_URL% -FileName cmake.zip + - 7z x cmake.zip -oC:\cmake > nul + - set path=C:\cmake\bin;%path% + - cmake --version + before_build: - "SET PATH=C:\\Python35;C:\\Python35\\Scripts;%PATH%" - echo. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/.travis.yml new/Vulkan-Loader-1.1.112/.travis.yml --- old/Vulkan-Loader-1.1.108/.travis.yml 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/.travis.yml 2019-06-25 18:04:58.000000000 +0200 @@ -42,6 +42,18 @@ before_install: - set -e + - CMAKE_VERSION=3.10.2 + - | + if [[ "${TRAVIS_OS_NAME}" == "linux" ]]; then + # Upgrade to the desired version of CMake + CMAKE_URL="https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-Linux-x…" + echo CMAKE_URL=${CMAKE_URL} + mkdir cmake-${CMAKE_VERSION} && travis_retry wget --no-check-certificate -O - ${CMAKE_URL} | tar --strip-components=1 -xz -C cmake-${CMAKE_VERSION} + export PATH=${PWD}/cmake-${CMAKE_VERSION}/bin:${PATH} + else + brew install cmake || brew upgrade cmake + fi + cmake --version - unset -f cd pushd popd - | if [[ "$TRAVIS_EVENT_TYPE" == "cron" ]]; then @@ -119,7 +131,6 @@ notifications: email: recipients: - - karl(a)lunarg.com - lenny(a)lunarg.com on_success: change on_failure: always diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/CMakeLists.txt new/Vulkan-Loader-1.1.112/CMakeLists.txt --- old/Vulkan-Loader-1.1.108/CMakeLists.txt 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/CMakeLists.txt 2019-06-25 18:04:58.000000000 +0200 @@ -22,6 +22,8 @@ project(Vulkan-Loader) +enable_testing() + add_definitions(-DAPI_NAME="Vulkan") set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_CURRENT_SOURCE_DIR}/cmake") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/loader/LoaderAndLayerInterface.md new/Vulkan-Loader-1.1.112/loader/LoaderAndLayerInterface.md --- old/Vulkan-Loader-1.1.108/loader/LoaderAndLayerInterface.md 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/loader/LoaderAndLayerInterface.md 2019-06-25 18:04:58.000000000 +0200 @@ -698,13 +698,10 @@ | Windowing System | Extensions available | |----------------|--------------------| | Windows | VK_KHR_win32_surface | -| Linux (Default) | VK_KHR_xcb_surface and VK_KHR_xlib_surface | | Linux (Wayland) | VK_KHR_wayland_surface | +| Linux (X11) | VK_KHR_xcb_surface and VK_KHR_xlib_surface | | macOS (MoltenVK) | VK_MVK_macos_surface | -**NOTE:** Wayland is not fully supported at this time. Wayland -support is present, but should be considered Beta quality. - It is important to understand that while the loader may support the various entry points for these extensions, there is a handshake required to actually use them: @@ -2506,7 +2503,7 @@ functions without involving the ICDs. * Where XXX stands for the Windowing System name: * Wayland - * Xcb + * XCB * Xlib * Windows * Android @@ -2518,7 +2515,7 @@ `VkIcdSurfaceXXX` structure. 4. The first field of all the `VkIcdSurfaceXXX` structures is a `VkIcdSurfaceBase` enumerant that indicates whether the - surface object is Win32, Xcb, Xlib, or Wayland. + surface object is Win32, XCB, Xlib, or Wayland. The ICD may choose to handle `VkSurfaceKHR` object creation instead. If an ICD desires to handle creating and destroying it must do the following: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/loader/loader.c new/Vulkan-Loader-1.1.112/loader/loader.c --- old/Vulkan-Loader-1.1.108/loader/loader.c 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/loader/loader.c 2019-06-25 18:04:58.000000000 +0200 @@ -5821,7 +5821,7 @@ break; } - layer_prop = loaderFindLayerProperty(pCreateInfo->ppEnabledLayerNames[j], instance_layers); + layer_prop = loaderFindLayerProperty(expanded_layers.list[j].info.layerName, instance_layers); if (NULL == layer_prop) { // Should NOT get here, loaderValidateLayers should have already filtered this case out. continue; @@ -6756,12 +6756,57 @@ struct loader_extension_list all_exts = {0}; struct loader_extension_list icd_exts = {0}; - assert(pLayerName == NULL || strlen(pLayerName) == 0); - // Any layer or trampoline wrapping should be removed at this point in time can just cast to the expected // type for VkPhysicalDevice. phys_dev_term = (struct loader_physical_device_term *)physicalDevice; + // if we got here with a non-empty pLayerName, look up the extensions + // from the json + if (pLayerName != NULL && strlen(pLayerName) > 0) { + uint32_t count; + uint32_t copy_size; + const struct loader_instance *inst = phys_dev_term->this_icd_term->this_instance; + struct loader_device_extension_list *dev_ext_list = NULL; + struct loader_device_extension_list local_ext_list; + memset(&local_ext_list, 0, sizeof(local_ext_list)); + if (vk_string_validate(MaxLoaderStringLength, pLayerName) == VK_STRING_ERROR_NONE) { + for (uint32_t i = 0; i < inst->instance_layer_list.count; i++) { + struct loader_layer_properties *props = &inst->instance_layer_list.list[i]; + if (strcmp(props->info.layerName, pLayerName) == 0) { + dev_ext_list = &props->device_extension_list; + } + } + + count = (dev_ext_list == NULL) ? 0 : dev_ext_list->count; + if (pProperties == NULL) { + *pPropertyCount = count; + loader_destroy_generic_list(inst, (struct loader_generic_list *)&local_ext_list); + loader_platform_thread_unlock_mutex(&loader_lock); + return VK_SUCCESS; + } + + copy_size = *pPropertyCount < count ? *pPropertyCount : count; + for (uint32_t i = 0; i < copy_size; i++) { + memcpy(&pProperties[i], &dev_ext_list->list[i].props, sizeof(VkExtensionProperties)); + } + *pPropertyCount = copy_size; + + loader_destroy_generic_list(inst, (struct loader_generic_list *)&local_ext_list); + if (copy_size < count) { + loader_platform_thread_unlock_mutex(&loader_lock); + return VK_INCOMPLETE; + } + } else { + loader_log(inst, VK_DEBUG_REPORT_ERROR_BIT_EXT, 0, + "vkEnumerateDeviceExtensionProperties: pLayerName " + "is too long or is badly formed"); + loader_platform_thread_unlock_mutex(&loader_lock); + return VK_ERROR_EXTENSION_NOT_PRESENT; + } + + return VK_SUCCESS; + } + // This case is during the call down the instance chain with pLayerName == NULL struct loader_icd_term *icd_term = phys_dev_term->this_icd_term; uint32_t icd_ext_count = *pPropertyCount; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/loader/trampoline.c new/Vulkan-Loader-1.1.112/loader/trampoline.c --- old/Vulkan-Loader-1.1.108/loader/trampoline.c 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/loader/trampoline.c 2019-06-25 18:04:58.000000000 +0200 @@ -778,61 +778,17 @@ VkExtensionProperties *pProperties) { VkResult res = VK_SUCCESS; struct loader_physical_device_tramp *phys_dev; + const VkLayerInstanceDispatchTable *disp; phys_dev = (struct loader_physical_device_tramp *)physicalDevice; loader_platform_thread_lock_mutex(&loader_lock); - // If pLayerName == NULL, then querying ICD extensions, pass this call - // down the instance chain which will terminate in the ICD. This allows - // layers to filter the extensions coming back up the chain. - // If pLayerName != NULL then get layer extensions from manifest file. - if (pLayerName == NULL || strlen(pLayerName) == 0) { - const VkLayerInstanceDispatchTable *disp; - - disp = loader_get_instance_layer_dispatch(physicalDevice); - res = disp->EnumerateDeviceExtensionProperties(phys_dev->phys_dev, NULL, pPropertyCount, pProperties); - } else { - uint32_t count; - uint32_t copy_size; - const struct loader_instance *inst = phys_dev->this_instance; - struct loader_device_extension_list *dev_ext_list = NULL; - struct loader_device_extension_list local_ext_list; - memset(&local_ext_list, 0, sizeof(local_ext_list)); - if (vk_string_validate(MaxLoaderStringLength, pLayerName) == VK_STRING_ERROR_NONE) { - for (uint32_t i = 0; i < inst->instance_layer_list.count; i++) { - struct loader_layer_properties *props = &inst->instance_layer_list.list[i]; - if (strcmp(props->info.layerName, pLayerName) == 0) { - dev_ext_list = &props->device_extension_list; - } - } - - count = (dev_ext_list == NULL) ? 0 : dev_ext_list->count; - if (pProperties == NULL) { - *pPropertyCount = count; - loader_destroy_generic_list(inst, (struct loader_generic_list *)&local_ext_list); - loader_platform_thread_unlock_mutex(&loader_lock); - return VK_SUCCESS; - } - - copy_size = *pPropertyCount < count ? *pPropertyCount : count; - for (uint32_t i = 0; i < copy_size; i++) { - memcpy(&pProperties[i], &dev_ext_list->list[i].props, sizeof(VkExtensionProperties)); - } - *pPropertyCount = copy_size; - - loader_destroy_generic_list(inst, (struct loader_generic_list *)&local_ext_list); - if (copy_size < count) { - loader_platform_thread_unlock_mutex(&loader_lock); - return VK_INCOMPLETE; - } - } else { - loader_log(inst, VK_DEBUG_REPORT_ERROR_BIT_EXT, 0, - "vkEnumerateDeviceExtensionProperties: pLayerName " - "is too long or is badly formed"); - loader_platform_thread_unlock_mutex(&loader_lock); - return VK_ERROR_EXTENSION_NOT_PRESENT; - } - } + // always pass this call down the instance chain which will terminate + // in the ICD. This allows layers to filter the extensions coming back + // up the chain. In the terminator we look up layer extensions from the + // manifest file if it wasn't provided by the layer itself. + disp = loader_get_instance_layer_dispatch(physicalDevice); + res = disp->EnumerateDeviceExtensionProperties(phys_dev->phys_dev, pLayerName, pPropertyCount, pProperties); loader_platform_thread_unlock_mutex(&loader_lock); return res; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/scripts/known_good.json new/Vulkan-Loader-1.1.112/scripts/known_good.json --- old/Vulkan-Loader-1.1.108/scripts/known_good.json 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/scripts/known_good.json 2019-06-25 18:04:58.000000000 +0200 @@ -6,7 +6,7 @@ "sub_dir" : "Vulkan-Headers", "build_dir" : "Vulkan-Headers/build", "install_dir" : "Vulkan-Headers/build/install", - "commit" : "v1.1.108" + "commit" : "v1.1.112" } ], "install_names" : { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vulkan-Loader-1.1.108/tests/CMakeLists.txt new/Vulkan-Loader-1.1.112/tests/CMakeLists.txt --- old/Vulkan-Loader-1.1.108/tests/CMakeLists.txt 2019-05-29 17:48:53.000000000 +0200 +++ new/Vulkan-Loader-1.1.112/tests/CMakeLists.txt 2019-06-25 18:04:58.000000000 +0200 @@ -16,6 +16,8 @@ # ~~~ add_executable(vk_loader_validation_tests loader_validation_tests.cpp) +add_test(NAME vk_loader_validation_tests COMMAND vk_loader_validation_tests) + set_target_properties(vk_loader_validation_tests PROPERTIES COMPILE_DEFINITIONS "GTEST_LINKED_AS_SHARED_LIBRARY=1") if(UNIX) set_target_properties(vk_loader_validation_tests PROPERTIES COMPILE_FLAGS "-Wno-sign-compare") ++++++ _service ++++++ --- /var/tmp/diff_new_pack.6Zmm7F/_old 2019-06-30 10:20:28.655524771 +0200 +++ /var/tmp/diff_new_pack.6Zmm7F/_new 2019-06-30 10:20:28.655524771 +0200 @@ -3,9 +3,9 @@ <param name="scm">git</param> <param name="url">https://github.com/KhronosGroup/Vulkan-Loader</param>  - <param name="revision">v1.1.108</param> - <param name="parent-tag">v1.1.108</param> - <param name="versionformat">1.1.108</param> + <param name="revision">v1.1.112</param> + <param name="parent-tag">v1.1.112</param> + <param name="versionformat">1.1.112</param> </service> <service name="recompress" mode="disabled"> <param name="file">*.tar</param>

1 0

commit vulkan-headers for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package vulkan-headers for openSUSE:Factory checked in at 2019-06-30 10:20:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vulkan-headers (Old) and /work/SRC/openSUSE:Factory/.vulkan-headers.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "vulkan-headers" Sun Jun 30 10:20:17 2019 rev:8 rq:712361 version:1.1.112 Changes: -------- --- /work/SRC/openSUSE:Factory/vulkan-headers/vulkan-headers.changes 2019-06-13 22:35:20.696342339 +0200 +++ /work/SRC/openSUSE:Factory/.vulkan-headers.new.4615/vulkan-headers.changes 2019-06-30 10:20:18.327508726 +0200 @@ -1,0 +2,6 @@ +Fri Jun 28 07:30:29 UTC 2019 - Jan Engelhardt <jengelh(a)inai.de> + +- Update to new upstream release 1.1.112 + * No changelog was provided + +------------------------------------------------------------------- Old: ---- Vulkan-Headers-1.1.108.tar.xz New: ---- Vulkan-Headers-1.1.112.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vulkan-headers.spec ++++++ --- /var/tmp/diff_new_pack.XH6lyl/_old 2019-06-30 10:20:19.655510789 +0200 +++ /var/tmp/diff_new_pack.XH6lyl/_new 2019-06-30 10:20:19.695510851 +0200 @@ -16,9 +16,9 @@ # -%define version_unconverted 1.1.108 +%define version_unconverted 1.1.112 Name: vulkan-headers -Version: 1.1.108 +Version: 1.1.112 Release: 0 Summary: Vulkan C and C++ API header files License: Apache-2.0 ++++++ Vulkan-Headers-1.1.108.tar.xz -> Vulkan-Headers-1.1.112.tar.xz ++++++ ++++ 6824 lines of diff (skipped) ++++++ _service ++++++ --- /var/tmp/diff_new_pack.XH6lyl/_old 2019-06-30 10:20:21.015512902 +0200 +++ /var/tmp/diff_new_pack.XH6lyl/_new 2019-06-30 10:20:21.031512927 +0200 @@ -2,9 +2,9 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/KhronosGroup/Vulkan-Headers</param> - <param name="revision">v1.1.108</param> - <param name="parent-tag">v1.1.108</param> - <param name="versionformat">1.1.108</param> + <param name="revision">v1.1.112</param> + <param name="parent-tag">v1.1.112</param> + <param name="versionformat">1.1.112</param> </service> <service name="recompress" mode="disabled"> <param name="file">*.tar</param>

1 0

commit glslang for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package glslang for openSUSE:Factory checked in at 2019-06-30 10:20:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glslang (Old) and /work/SRC/openSUSE:Factory/.glslang.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "glslang" Sun Jun 30 10:20:11 2019 rev:15 rq:712360 version:7.11.3276.git10 Changes: -------- --- /work/SRC/openSUSE:Factory/glslang/glslang.changes 2019-06-13 22:35:12.772344912 +0200 +++ /work/SRC/openSUSE:Factory/.glslang.new.4615/glslang.changes 2019-06-30 10:20:13.603501387 +0200 @@ -1,0 +2,18 @@ +Fri Jun 28 07:50:03 UTC 2019 - Jan Engelhardt <jengelh(a)inai.de> + +- Update to new snapshot 7.11.3276.git10 (4162de4) + * Add Float16/Int8/Int16 capabilities for private variables and + function parameters. + * Use spvValidatorOptionsSetBeforeHlslLegalization for + pre-legalized HLSL. + * Add support for GL_NV_shader_sm_builtins. + * Add gl_SemanticsVolatile to GL_KHR_memory_scope_semantics, + and make volatile-qualified atomics generate + MemorySemanticsVolatile when using the Vulkan memory model. + * Add missing GL_ARB_shader_ballot builtins to Geometry and + Tessellation shaders. + * SPV: Add a switch for favoring non-NaN operands in min, max, + and clamp. +- Remove nodate.diff (upstreamed) + +------------------------------------------------------------------- Old: ---- glslang-7.11.3214.git36.tar.xz nodate.diff New: ---- glslang-7.11.3276.git10.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glslang.spec ++++++ --- /var/tmp/diff_new_pack.s1NHhx/_old 2019-06-30 10:20:15.299504022 +0200 +++ /var/tmp/diff_new_pack.s1NHhx/_new 2019-06-30 10:20:15.327504066 +0200 @@ -16,11 +16,11 @@ # -%define version_unconverted 7.11.3214.git36 -%define lname libglslang-suse5 +%define version_unconverted 7.11.3276.git10 +%define lname libglslang-suse6 Name: glslang -Version: 7.11.3214.git36 +Version: 7.11.3276.git10 Release: 0 Summary: OpenGL and OpenGL ES shader front end and validator License: BSD-3-Clause @@ -29,8 +29,7 @@ #Git-URL: https://github.com/KhronosGroup/glslang Source: %name-%version.tar.xz -Patch1: nodate.diff -Patch2: ver.diff +Patch1: ver.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: cmake >= 2.8 @@ -92,7 +91,7 @@ %files -n %lname %defattr(-,root,root) -%_libdir/*.so.suse5* +%_libdir/*.so.suse6* %files devel %defattr(-,root,root) ++++++ _service ++++++ --- /var/tmp/diff_new_pack.s1NHhx/_old 2019-06-30 10:20:15.767504749 +0200 +++ /var/tmp/diff_new_pack.s1NHhx/_new 2019-06-30 10:20:15.799504798 +0200 @@ -3,9 +3,9 @@ <param name="scm">git</param> <param name="url">git://github.com/KhronosGroup/glslang</param>  - <param name="revision">2f4a8dfd3a596d75e3c26cb7ae9b68886d3a19cf</param> - <param name="parent-tag">7.11.3214</param> - <param name="versionformat">7.11.3214.git@TAG_OFFSET@</param> + <param name="revision">4162de4bbfc58ef37600c23e4e8fcf58e604f382</param> + <param name="parent-tag">8e96e247fadd3b241fe4a5d081ebe1ad45f885bc</param> + <param name="versionformat">7.11.3276.git@TAG_OFFSET@</param> </service> <service name="recompress" mode="disabled"> <param name="file">*.tar</param> ++++++ glslang-7.11.3214.git36.tar.xz -> glslang-7.11.3276.git10.tar.xz ++++++ ++++ 6580 lines of diff (skipped) ++++++ ver.diff ++++++ --- /var/tmp/diff_new_pack.s1NHhx/_old 2019-06-30 10:20:17.895508055 +0200 +++ /var/tmp/diff_new_pack.s1NHhx/_new 2019-06-30 10:20:17.907508073 +0200 @@ -26,14 +26,14 @@ endif(ENABLE_NV_EXTENSIONS) add_library(SPIRV ${LIB_TYPE} ${SOURCES} ${HEADERS}) -+set_target_properties(SPIRV PROPERTIES SOVERSION suse5) ++set_target_properties(SPIRV PROPERTIES SOVERSION suse6) set_property(TARGET SPIRV PROPERTY FOLDER glslang) set_property(TARGET SPIRV PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(SPIRV PUBLIC ..) if (ENABLE_SPVREMAPPER) add_library(SPVRemapper ${LIB_TYPE} ${SPVREMAP_SOURCES} ${SPVREMAP_HEADERS}) -+ set_target_properties(SPVRemapper PROPERTIES SOVERSION suse5) ++ set_target_properties(SPVRemapper PROPERTIES SOVERSION suse6) set_property(TARGET SPVRemapper PROPERTY FOLDER glslang) set_property(TARGET SPVRemapper PROPERTY POSITION_INDEPENDENT_CODE ON) endif() @@ -44,7 +44,7 @@ @@ -1,5 +1,6 @@ add_library(glslang-default-resource-limits ${CMAKE_CURRENT_SOURCE_DIR}/ResourceLimits.cpp) -+set_target_properties(glslang-default-resource-limits PROPERTIES SOVERSION suse5) ++set_target_properties(glslang-default-resource-limits PROPERTIES SOVERSION suse6) set_property(TARGET glslang-default-resource-limits PROPERTY FOLDER glslang) set_property(TARGET glslang-default-resource-limits PROPERTY POSITION_INDEPENDENT_CODE ON) @@ -56,7 +56,7 @@ glslang_pch(SOURCES MachineIndependent/pch.cpp) add_library(glslang ${LIB_TYPE} ${BISON_GLSLParser_OUTPUT_SOURCE} ${SOURCES} ${HEADERS}) -+set_target_properties(glslang PROPERTIES SOVERSION suse5) ++set_target_properties(glslang PROPERTIES SOVERSION suse6) set_property(TARGET glslang PROPERTY FOLDER glslang) set_property(TARGET glslang PROPERTY POSITION_INDEPENDENT_CODE ON) target_link_libraries(glslang OGLCompiler OSDependent) @@ -68,7 +68,7 @@ glslang_pch(SOURCES pch.cpp) add_library(HLSL ${LIB_TYPE} ${SOURCES} ${HEADERS}) -+set_target_properties(HLSL PROPERTIES SOVERSION suse5) ++set_target_properties(HLSL PROPERTIES SOVERSION suse6) set_property(TARGET HLSL PROPERTY FOLDER hlsl) set_property(TARGET HLSL PROPERTY POSITION_INDEPENDENT_CODE ON)

1 0

commit colord for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package colord for openSUSE:Factory checked in at 2019-06-30 10:20:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/colord (Old) and /work/SRC/openSUSE:Factory/.colord.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "colord" Sun Jun 30 10:20:03 2019 rev:77 rq:712351 version:1.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/colord/colord.changes 2019-02-24 16:58:45.568812763 +0100 +++ /work/SRC/openSUSE:Factory/.colord.new.4615/colord.changes 2019-06-30 10:20:04.431487138 +0200 @@ -1,0 +2,7 @@ +Wed Jun 26 11:17:53 UTC 2019 - Stefan Brüns <stefan.bruens(a)rwth-aachen.de> + +- Change BuildRequires to docbook-utils-minimal, otherwise the build + pulls in half of texlive and all its dependencies. Only man pages + and HTML API docs are generated, no need for PS/PDF generation. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ colord.spec ++++++ --- /var/tmp/diff_new_pack.yWVTOd/_old 2019-06-30 10:20:05.199488331 +0200 +++ /var/tmp/diff_new_pack.yWVTOd/_new 2019-06-30 10:20:05.227488375 +0200 @@ -31,7 +31,7 @@ Source3: usr.lib.colord Source99: baselibs.conf BuildRequires: argyllcms -BuildRequires: docbook-utils +BuildRequires: docbook-utils-minimal BuildRequires: gobject-introspection-devel BuildRequires: gtk-doc BuildRequires: meson

1 0

commit gnome-calculator for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package gnome-calculator for openSUSE:Factory checked in at 2019-06-30 10:19:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnome-calculator (Old) and /work/SRC/openSUSE:Factory/.gnome-calculator.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gnome-calculator" Sun Jun 30 10:19:51 2019 rev:43 rq:712350 version:3.32.2 Changes: -------- --- /work/SRC/openSUSE:Factory/gnome-calculator/gnome-calculator.changes 2019-06-07 12:17:13.460812233 +0200 +++ /work/SRC/openSUSE:Factory/.gnome-calculator.new.4615/gnome-calculator.changes 2019-06-30 10:19:53.863470720 +0200 @@ -1,0 +2,8 @@ +Wed Jun 26 10:00:39 UTC 2019 - Bjørn Lie <bjorn.lie(a)gmail.com> + +- Update to version 3.32.2: + + Snap build updates. + + Fixed numbers with octal prefix. + + Updated translations. + +------------------------------------------------------------------- Old: ---- gnome-calculator-3.32.1.tar.xz New: ---- gnome-calculator-3.32.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnome-calculator.spec ++++++ --- /var/tmp/diff_new_pack.hqEzgL/_old 2019-06-30 10:19:54.339471459 +0200 +++ /var/tmp/diff_new_pack.hqEzgL/_new 2019-06-30 10:19:54.343471466 +0200 @@ -17,7 +17,7 @@ Name: gnome-calculator -Version: 3.32.1 +Version: 3.32.2 Release: 0 Summary: A GNOME Calculator Application License: GPL-3.0-or-later ++++++ gnome-calculator-3.32.1.tar.xz -> gnome-calculator-3.32.2.tar.xz ++++++ ++++ 2802 lines of diff (skipped)

1 0

commit kio for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package kio for openSUSE:Factory checked in at 2019-06-30 10:19:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kio (Old) and /work/SRC/openSUSE:Factory/.kio.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "kio" Sun Jun 30 10:19:43 2019 rev:81 rq:712345 version:5.59.0 Changes: -------- --- /work/SRC/openSUSE:Factory/kio/kio.changes 2019-06-22 11:12:18.496595512 +0200 +++ /work/SRC/openSUSE:Factory/.kio.new.4615/kio.changes 2019-06-30 10:19:44.771456595 +0200 @@ -1,0 +2,7 @@ +Wed Jun 26 06:26:38 UTC 2019 - wbauer(a)tmo.at + +- Add upstream patch to fix downloaded files (via http) getting an + "invalid" modification time (boo#1104595, kde#374420) + * copyjob-Only-set-modification-time-if-the-kio-slave-provided-it.patch + +------------------------------------------------------------------- New: ---- copyjob-Only-set-modification-time-if-the-kio-slave-provided-it.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kio.spec ++++++ --- /var/tmp/diff_new_pack.YCJ2EO/_old 2019-06-30 10:19:45.363457514 +0200 +++ /var/tmp/diff_new_pack.YCJ2EO/_new 2019-06-30 10:19:45.367457521 +0200 @@ -33,6 +33,8 @@ Source1: baselibs.conf # PATCH-FIX-OPENSUSE kio_help-fallback-to-kde4-docs.patch -- allow kio_help to see into kde4 documentation, needed especially for khelpcenter5 Patch0: kio_help-fallback-to-kde4-docs.patch +# PATCH-FIX-UPSTREAM +Patch1: copyjob-Only-set-modification-time-if-the-kio-slave-provided-it.patch BuildRequires: cmake >= 3.0 BuildRequires: extra-cmake-modules >= %{_kf5_bugfix_version} BuildRequires: fdupes ++++++ copyjob-Only-set-modification-time-if-the-kio-slave-provided-it.patch ++++++ >From 5e791ef216c230efc15b853c08b21d41eca65e0c Mon Sep 17 00:00:00 2001 From: Wolfgang Bauer <wbauer(a)tmo.at> Date: Fri, 21 Jun 2019 15:30:48 +0200 Subject: [copyjob] Only set modification time if the kio-slave provided it If the slave didn't pass a modification time (e.g. the http slave doesn't), it was set to -1, resulting in setting a wrong modification time for the destination file in copyNextFile() later on because that case wasn't checked. So only set info.mtime when the slave actually provided a value. There's no need for further checks later in copyNextFile() (where FileCopyJob::setModificationTime() is called) because FileCopyJob checks for validity anyway. BUG: 374420 FIXED-IN: 5.60.0 Differential Revision: https://phabricator.kde.org/D21955 --- src/core/copyjob.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/core/copyjob.cpp b/src/core/copyjob.cpp index 7288a26..0a14edc 100644 --- a/src/core/copyjob.cpp +++ b/src/core/copyjob.cpp @@ -664,7 +664,10 @@ void CopyJobPrivate::addCopyInfoFromUDSEntry(const UDSEntry &entry, const QUrl & { struct CopyInfo info; info.permissions = entry.numberValue(KIO::UDSEntry::UDS_ACCESS, -1); - info.mtime = QDateTime::fromMSecsSinceEpoch(1000 * entry.numberValue(KIO::UDSEntry::UDS_MODIFICATION_TIME, -1), Qt::UTC); + const auto timeVal = entry.numberValue(KIO::UDSEntry::UDS_MODIFICATION_TIME, -1); + if (timeVal != -1) { + info.mtime = QDateTime::fromMSecsSinceEpoch(1000 * timeVal, Qt::UTC); + } info.ctime = QDateTime::fromMSecsSinceEpoch(1000 * entry.numberValue(KIO::UDSEntry::UDS_CREATION_TIME, -1), Qt::UTC); info.size = static_cast<KIO::filesize_t>(entry.numberValue(KIO::UDSEntry::UDS_SIZE, -1)); -- cgit v1.1

1 0

commit golang-github-docker-libnetwork for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package golang-github-docker-libnetwork for openSUSE:Factory checked in at 2019-06-30 10:19:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/golang-github-docker-libnetwork (Old) and /work/SRC/openSUSE:Factory/.golang-github-docker-libnetwork.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "golang-github-docker-libnetwork" Sun Jun 30 10:19:33 2019 rev:16 rq:712300 version:0.7.0.1+gitr2728_e7933d41e7b2 Changes: -------- --- /work/SRC/openSUSE:Factory/golang-github-docker-libnetwork/golang-github-docker-libnetwork.changes 2019-05-06 21:14:42.236664308 +0200 +++ /work/SRC/openSUSE:Factory/.golang-github-docker-libnetwork.new.4615/golang-github-docker-libnetwork.changes 2019-06-30 10:19:35.603442352 +0200 @@ -1,0 +2,6 @@ +Fri Jun 28 01:49:23 UTC 2019 - Aleksa Sarai <asarai(a)suse.com> + +- Update to version git.e7933d41e7b206756115aa9df5e0599fc5169742, which is + required for Docker v18.09.7-ce. bsc#1139649 + +------------------------------------------------------------------- Old: ---- libnetwork-git.872f0a83c98add6cae255c8859e29532febc0039.tar.xz New: ---- libnetwork-git.e7933d41e7b206756115aa9df5e0599fc5169742.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ golang-github-docker-libnetwork.spec ++++++ --- /var/tmp/diff_new_pack.J2XEnb/_old 2019-06-30 10:19:37.171444788 +0200 +++ /var/tmp/diff_new_pack.J2XEnb/_new 2019-06-30 10:19:37.175444795 +0200 @@ -29,14 +29,14 @@ %endif # MANUAL: Update the git_version and git_revision -%define git_version 872f0a83c98add6cae255c8859e29532febc0039 -%define git_short 872f0a83c98a +%define git_version e7933d41e7b206756115aa9df5e0599fc5169742 +%define git_short e7933d41e7b2 # How to get the git_revision # git clone https://github.com/docker/libnetwork.git libnetwork # cd libnetwork # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r2726 +%define git_revision r2728 %global provider github %global provider_tld com ++++++ _service ++++++ --- /var/tmp/diff_new_pack.J2XEnb/_old 2019-06-30 10:19:37.227444875 +0200 +++ /var/tmp/diff_new_pack.J2XEnb/_new 2019-06-30 10:19:37.227444875 +0200 @@ -4,8 +4,7 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">git.%H</param> - <param name="revision">872f0a83c98add6cae255c8859e29532febc0039</param> - <param name="changesgenerate">enable</param> + <param name="revision">e7933d41e7b206756115aa9df5e0599fc5169742</param> </service> <service name="recompress" mode="disabled"> <param name="file">libnetwork-*.tar</param> ++++++ libnetwork-git.872f0a83c98add6cae255c8859e29532febc0039.tar.xz -> libnetwork-git.e7933d41e7b206756115aa9df5e0599fc5169742.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libnetwork-git.872f0a83c98add6cae255c8859e29532febc0039/drivers/windows/port_mapping.go new/libnetwork-git.e7933d41e7b206756115aa9df5e0599fc5169742/drivers/windows/port_mapping.go --- old/libnetwork-git.872f0a83c98add6cae255c8859e29532febc0039/drivers/windows/port_mapping.go 2019-04-23 18:19:33.000000000 +0200 +++ new/libnetwork-git.e7933d41e7b206756115aa9df5e0599fc5169742/drivers/windows/port_mapping.go 2019-05-15 00:33:05.000000000 +0200 @@ -48,6 +48,12 @@ err error ) + // Windows does not support a host ip for port bindings (this is validated in ConvertPortBindings()). + // If the HostIP is nil, force it to be 0.0.0.0 for use as the key in portMapper. + if bnd.HostIP == nil { + bnd.HostIP = net.IPv4zero + } + // Store the container interface address in the operational binding bnd.IP = containerIP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libnetwork-git.872f0a83c98add6cae255c8859e29532febc0039/drivers/windows/windows.go new/libnetwork-git.e7933d41e7b206756115aa9df5e0599fc5169742/drivers/windows/windows.go --- old/libnetwork-git.872f0a83c98add6cae255c8859e29532febc0039/drivers/windows/windows.go 2019-04-23 18:19:33.000000000 +0200 +++ new/libnetwork-git.e7933d41e7b206756115aa9df5e0599fc5169742/drivers/windows/windows.go 2019-05-15 00:33:05.000000000 +0200 @@ -462,7 +462,7 @@ return nil, fmt.Errorf("Windows does not support more than one host port in NAT settings") } - if len(elem.HostIP) != 0 { + if len(elem.HostIP) != 0 && !elem.HostIP.IsUnspecified() { return nil, fmt.Errorf("Windows does not support host IP addresses in NAT settings") }

1 0

commit docker-runc for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-06-30 10:19:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "docker-runc" Sun Jun 30 10:19:25 2019 rev:19 rq:712299 version:1.0.0rc8+gitr3826_425e105d5a03 Changes: -------- --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-05-06 21:13:04.168383080 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.4615/docker-runc.changes 2019-06-30 10:19:26.507428221 +0200 @@ -1,0 +2,7 @@ +Fri Jun 28 01:39:44 UTC 2019 - Aleksa Sarai <asarai(a)suse.com> + +- Update to runc 425e105d5a03, which is required for Docker v18.09.7-ce. + bsc#1139649 +- Remove docker-runc-test (it's not useful for actual testing). + +------------------------------------------------------------------- Old: ---- docker-runc-git.2b18fe1d885ee5083ef9f0838fee39b62d653e30.tar.xz New: ---- docker-runc-git.425e105d5a03fabd737a126ad93d62a9eeede87f.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker-runc.spec ++++++ --- /var/tmp/diff_new_pack.x48kca/_old 2019-06-30 10:19:28.167430800 +0200 +++ /var/tmp/diff_new_pack.x48kca/_new 2019-06-30 10:19:28.191430838 +0200 @@ -29,21 +29,21 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 2b18fe1d885ee5083ef9f0838fee39b62d653e30 -%define git_short 2b18fe1d885e +%define git_version 425e105d5a03fabd737a126ad93d62a9eeede87f +%define git_short 425e105d5a03 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3804 +%define git_revision r3826 %define go_tool go %define _name runc %define project github.com/opencontainers/%{_name} Name: %{realname}%{name_suffix} -Version: 1.0.0rc6+git%{git_revision}_%{git_short} +Version: 1.0.0rc8+git%{git_revision}_%{git_short} Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 @@ -85,32 +85,6 @@ of Docker. It was originally designed to be a replacement for LXC within Docker, and has grown to become a separate project entirely. -%package test -Summary: Test package for runc -Group: System/Management -BuildRequires: golang(API) = 1.10 -Requires: go-go-md2man -Requires: libapparmor-devel -BuildRequires: libseccomp-devel >= 2.3 -Requires: libselinux-devel -Recommends: criu -BuildArch: noarch -Obsoletes: runc-test <= 1.0 -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete older package without -kubic suffix: v2 -> v3 -Obsoletes: %{realname}-test = 0.1.1+gitr2819_50a19c6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-test -Provides: %{realname}-test = %{version} -%endif - -%description test -Test package for runc. It contains the source code and the tests. - %prep %setup -q -n %{realname}-git.%{git_version} @@ -137,7 +111,7 @@ source ./.runc_build_env # Build runc. -make -C $PROJECT EXTRA_FLAGS="-x $BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO=%{git_version} runc +make -C $PROJECT EXTRA_FLAGS="$BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO=%{git_version} runc cp $PROJECT/runc %{realname}-%{version} # Build man pages, this can only be done on arches where we can build go-md2man. @@ -155,9 +129,6 @@ # Make sure we install in /usr/sbin/docker-runc install -D -m755 %{realname}-%{version} %{buildroot}%{_sbindir}/%{realname} -install -d -m755 %{buildroot}/usr/src/%{realname}/ -cp -av $HOME/go/src/%{project}/* %{buildroot}/usr/src/%{realname}/ -rm -rf %{buildroot}/usr/src/docker-runc/runc # We have to rename the man pages to docker-runc. install -d -m755 %{buildroot}%{_mandir}/man8 @@ -175,8 +146,4 @@ %{_sbindir}/docker-runc %{_mandir}/man8/docker-runc*.8.gz -%files test -%defattr(-,root,root) -/usr/src/docker-runc/ - %changelog ++++++ _service ++++++ --- /var/tmp/diff_new_pack.x48kca/_old 2019-06-30 10:19:28.759431720 +0200 +++ /var/tmp/diff_new_pack.x48kca/_new 2019-06-30 10:19:28.783431757 +0200 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="filename">docker-runc</param> <param name="versionformat">git.%H</param> - <param name="revision">2b18fe1d885ee5083ef9f0838fee39b62d653e30</param> + <param name="revision">425e105d5a03fabd737a126ad93d62a9eeede87f</param> <param name="exclude">.git</param> </service> <service name="recompress" mode="disabled"> ++++++ docker-runc-git.2b18fe1d885ee5083ef9f0838fee39b62d653e30.tar.xz -> docker-runc-git.425e105d5a03fabd737a126ad93d62a9eeede87f.tar.xz ++++++ ++++ 2104 lines of diff (skipped)

1 0

commit docker for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2019-06-30 10:19:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "docker" Sun Jun 30 10:19:13 2019 rev:91 rq:712298 version:18.09.7_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2019-06-24 21:47:19.635825748 +0200 +++ /work/SRC/openSUSE:Factory/.docker.new.4615/docker.changes 2019-06-30 10:19:15.499411120 +0200 @@ -1,0 +2,13 @@ +Fri Jun 28 01:21:19 UTC 2019 - Aleksa Sarai <asarai(a)suse.com> + +- Update to Docker 18.09.7-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1139649 +- Remove upstreamed patches: + - CVE-2018-15664.patch + +------------------------------------------------------------------- +Thu Jun 27 07:12:57 UTC 2019 - Aleksa Sarai <asarai(a)suse.com> + +- Use %config(noreplace) for /etc/docker/daemon.json. bsc#1138920 + +------------------------------------------------------------------- Old: ---- CVE-2018-15664.patch docker-18.09.6_ce_481bc7715621.tar.xz New: ---- docker-18.09.7_ce_2d0083d657f8.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.8CrHqj/_old 2019-06-30 10:19:18.435415681 +0200 +++ /var/tmp/diff_new_pack.8CrHqj/_new 2019-06-30 10:19:18.483415756 +0200 @@ -42,17 +42,17 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 481bc7715621 -%define git_commit_epoch 1556935084 +%define git_version 2d0083d657f8 +%define git_commit_epoch 1561655613 # These are the git commits required. We verify them against the source to make # sure we didn't miss anything important when doing upgrades. -%define required_containerd bb71b10fd8f58240ca47fbb579b9d1028eea7c84 -%define required_dockerrunc 2b18fe1d885ee5083ef9f0838fee39b62d653e30 -%define required_libnetwork 872f0a83c98add6cae255c8859e29532febc0039 +%define required_containerd 894b81a4b802e4eb2a91d1ce216b8817763c29fb +%define required_dockerrunc 425e105d5a03fabd737a126ad93d62a9eeede87f +%define required_libnetwork e7933d41e7b206756115aa9df5e0599fc5169742 Name: %{realname}%{name_suffix} -Version: 18.09.6_ce +Version: 18.09.7_ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 @@ -87,8 +87,6 @@ Patch404: bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1130. bsc#1001161 Patch405: bsc1001161-0002-cli-add-a-separate-domainname-flag.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/39292. CVE-2018-15664 bsc#1096726 -Patch406: CVE-2018-15664.patch # SUSE-FEATURE: Add support to mirror inofficial/private registries # (https://github.com/docker/docker/pull/34319) Patch500: private-registry-0001-Add-private-registry-mirror-support.patch @@ -275,8 +273,6 @@ # bsc#1001161 %patch404 -p1 %patch405 -p1 -# CVE-2018-15664 bsc#1096726 -%patch406 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. %patch500 -p1 @@ -469,17 +465,21 @@ %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker +%dir %{_localstatedir}/lib/docker/ + %{_unitdir}/%{realname}.service %if "%flavour" == "kubic" %dir %{_unitdir}/%{realname}.service.d/ %{_unitdir}/%{realname}.service.d/90-kubic.conf %endif + %dir %{_sysconfdir}/docker -%config %{_sysconfdir}/docker/daemon.json +%config(noreplace) %{_sysconfdir}/docker/daemon.json +%{_fillupdir}/sysconfig.docker + %config %{_sysconfdir}/audit/rules.d/%{realname}.rules %{_udevrulesdir}/80-%{realname}.rules -%{_fillupdir}/sysconfig.docker -%dir %{_localstatedir}/lib/docker/ + %{_mandir}/man1/docker-*.1%{ext_man} %{_mandir}/man1/docker.1%{ext_man} %{_mandir}/man5/Dockerfile.5%{ext_man} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.8CrHqj/_old 2019-06-30 10:19:19.215416893 +0200 +++ /var/tmp/diff_new_pack.8CrHqj/_new 2019-06-30 10:19:19.243416936 +0200 @@ -3,8 +3,8 @@ <param name="url">https://github.com/docker/docker-ce.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">18.09.6_ce_%h</param> - <param name="revision">v18.09.6</param> + <param name="versionformat">18.09.7_ce_%h</param> + <param name="revision">v18.09.7</param> <param name="filename">docker</param> </service> <service name="recompress" mode="disabled"> ++++++ docker-18.09.6_ce_481bc7715621.tar.xz -> docker-18.09.7_ce_2d0083d657f8.tar.xz ++++++ /work/SRC/openSUSE:Factory/docker/docker-18.09.6_ce_481bc7715621.tar.xz /work/SRC/openSUSE:Factory/.docker.new.4615/docker-18.09.7_ce_2d0083d657f8.tar.xz differ: char 26, line 1

1 0

commit containerd for openSUSE:Factory
by root 30 Jun '19

30 Jun '19

Hello community, here is the log from the commit of package containerd for openSUSE:Factory checked in at 2019-06-30 10:19:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/containerd (Old) and /work/SRC/openSUSE:Factory/.containerd.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "containerd" Sun Jun 30 10:19:04 2019 rev:32 rq:712297 version:1.2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/containerd/containerd.changes 2019-05-06 21:13:12.860412771 +0200 +++ /work/SRC/openSUSE:Factory/.containerd.new.4615/containerd.changes 2019-06-30 10:19:06.819397635 +0200 @@ -1,0 +2,7 @@ +Fri Jun 28 01:45:50 UTC 2019 - Aleksa Sarai <asarai(a)suse.com> + +- Update to containerd v1.2.6, which is required for Docker v18.09.7-ce. + bsc#1139649 +- Remove containerd-test (it's not useful for actual testing). + +------------------------------------------------------------------- Old: ---- containerd-1.2.5_bb71b10fd8f5.tar.xz New: ---- containerd-1.2.6_894b81a4b802.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ containerd.spec ++++++ --- /var/tmp/diff_new_pack.ouNVah/_old 2019-06-30 10:19:07.259398319 +0200 +++ /var/tmp/diff_new_pack.ouNVah/_new 2019-06-30 10:19:07.259398319 +0200 @@ -34,11 +34,11 @@ %endif # MANUAL: Update the git_version. -%define git_version bb71b10fd8f58240ca47fbb579b9d1028eea7c84 -%define git_short bb71b10fd8f5 +%define git_version 894b81a4b802e4eb2a91d1ce216b8817763c29fb +%define git_short 894b81a4b802 Name: %{realname}%{name_suffix} -Version: 1.2.5 +Version: 1.2.6 Release: 0 Summary: Standalone OCI Container Daemon License: Apache-2.0 @@ -106,25 +106,6 @@ Standalone client for containerd, which allows management of containerd containers separately from Docker. -%package test -Summary: Test package for containerd -Group: System/Management -BuildArch: noarch -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete older package without -kubic suffix: v2 -> v3 -Obsoletes: %{realname}-test = 0.2.5+gitr569_2a5e70c -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-test > 0.2.5+gitr569_2a5e70c -Provides: %{realname}-test = %{version} -%endif - -%description test -Test package for containerd. It contains the source code and the tests. - %prep %setup -q -n %{realname}-%{version}_%{git_short} %patch1 -p1 @@ -181,12 +162,6 @@ done ln -s ctr.1 %{buildroot}/%{_mandir}/man1/%{realname}-ctr.1 -# Source tree for containerd-test. -install -d -m755 %{buildroot}/usr/src/containerd/ -cp -ar $HOME/go/src/github.com/containerd/containerd/* %{buildroot}/usr/src/containerd/ -# Remove files we don't want to ship - exclude is the wrong usage here. -rm -rf %{buildroot}/usr/src/containerd/bin - %fdupes %{buildroot} %files @@ -206,8 +181,4 @@ %{_sbindir}/%{realname}-ctr %{_mandir}/man1/*ctr.1* -%files test -%defattr(-,root,root) -/usr/src/containerd/ - %changelog ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ouNVah/_old 2019-06-30 10:19:07.295398375 +0200 +++ /var/tmp/diff_new_pack.ouNVah/_new 2019-06-30 10:19:07.295398375 +0200 @@ -3,8 +3,8 @@ <param name="url">https://github.com/containerd/containerd.git</param> <param name="scm">git</param> <param name="filename">containerd</param> - <param name="versionformat">1.2.5_%h</param> - <param name="revision">v1.2.5</param> + <param name="versionformat">1.2.6_%h</param> + <param name="revision">v1.2.6</param> <param name="exclude">.git</param> </service> <service name="recompress" mode="disabled"> ++++++ containerd-1.2.5_bb71b10fd8f5.tar.xz -> containerd-1.2.6_894b81a4b802.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/Makefile new/containerd-1.2.6_894b81a4b802/Makefile --- old/containerd-1.2.5_bb71b10fd8f5/Makefile 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/Makefile 2019-04-05 20:39:47.000000000 +0200 @@ -22,6 +22,7 @@ # Used to populate variables in version package. VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always) REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) +PACKAGE=github.com/containerd/containerd ifneq "$(strip $(shell command -v go 2>/dev/null))" "" GOOS ?= $(shell go env GOOS) @@ -77,8 +78,8 @@ # Build tags seccomp and apparmor are needed by CRI plugin. BUILDTAGS ?= seccomp apparmor GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",) -GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)' -SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) -extldflags "-static"' +GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) $(EXTRA_LDFLAGS)' +SHIM_GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PACKAGE) -extldflags "-static"' #Replaces ":" (*nix), ";" (windows) with newline for easy parsing GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/contrib/seccomp/seccomp_default.go new/containerd-1.2.6_894b81a4b802/contrib/seccomp/seccomp_default.go --- old/containerd-1.2.5_bb71b10fd8f5/contrib/seccomp/seccomp_default.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/contrib/seccomp/seccomp_default.go 2019-04-05 20:39:47.000000000 +0200 @@ -161,6 +161,7 @@ "ioctl", "io_destroy", "io_getevents", + "io_pgetevents", "ioprio_get", "ioprio_set", "io_setup", @@ -319,6 +320,7 @@ "stat64", "statfs", "statfs64", + "statx", "symlink", "symlinkat", "sync", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux.go new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux.go --- old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux.go 2019-04-05 20:39:47.000000000 +0200 @@ -25,6 +25,8 @@ "os" "strconv" "strings" + + "github.com/pkg/errors" ) // Self retrieves a list of mounts for the current running process. @@ -41,13 +43,15 @@ func parseInfoFile(r io.Reader) ([]Info, error) { s := bufio.NewScanner(r) out := []Info{} - + var err error for s.Scan() { - if err := s.Err(); err != nil { + if err = s.Err(); err != nil { return nil, err } /* + See http://man7.org/linux/man-pages/man5/proc.5.html + 36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue (1)(2)(3) (4) (5) (6) (7) (8) (9) (10) (11) (1) mount ID: unique identifier of the mount (may be reused after umount) @@ -68,7 +72,7 @@ numFields := len(fields) if numFields < 10 { // should be at least 10 fields - return nil, fmt.Errorf("parsing '%s' failed: not enough fields (%d)", text, numFields) + return nil, errors.Errorf("parsing '%s' failed: not enough fields (%d)", text, numFields) } p := Info{} // ignore any numbers parsing errors, as there should not be any @@ -76,13 +80,19 @@ p.Parent, _ = strconv.Atoi(fields[1]) mm := strings.Split(fields[2], ":") if len(mm) != 2 { - return nil, fmt.Errorf("parsing '%s' failed: unexpected minor:major pair %s", text, mm) + return nil, errors.Errorf("parsing '%s' failed: unexpected minor:major pair %s", text, mm) } p.Major, _ = strconv.Atoi(mm[0]) p.Minor, _ = strconv.Atoi(mm[1]) - p.Root = fields[3] - p.Mountpoint = fields[4] + p.Root, err = strconv.Unquote(`"` + fields[3] + `"`) + if err != nil { + return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote root field", fields[3]) + } + p.Mountpoint, err = strconv.Unquote(`"` + fields[4] + `"`) + if err != nil { + return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote mount point field", fields[4]) + } p.Options = fields[5] // one or more optional fields, when a separator (-) @@ -101,11 +111,11 @@ } } if i == numFields { - return nil, fmt.Errorf("parsing '%s' failed: missing separator ('-')", text) + return nil, errors.Errorf("parsing '%s' failed: missing separator ('-')", text) } // There should be 3 fields after the separator... if i+4 > numFields { - return nil, fmt.Errorf("parsing '%s' failed: not enough fields after a separator", text) + return nil, errors.Errorf("parsing '%s' failed: not enough fields after a separator", text) } // ... but in Linux <= 3.9 mounting a cifs with spaces in a share name // (like "//serv/My Documents") _may_ end up having a space in the last field diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux_test.go new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux_test.go --- old/containerd-1.2.5_bb71b10fd8f5/mount/mountinfo_linux_test.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/mount/mountinfo_linux_test.go 2019-04-05 20:39:47.000000000 +0200 @@ -436,6 +436,9 @@ 286 15 0:3631 / /var/lib/docker/aufs/mnt/ff28c27d5f894363993622de26d5dd352dba072f219e4691d6498c19bbbc15a9 rw,relatime - aufs none rw,si=9b4a7642265b339c 289 15 0:3634 / /var/lib/docker/aufs/mnt/aa128fe0e64fdede333aa48fd9de39530c91a9244a0f0649a3c411c61e372daa rw,relatime - aufs none rw,si=9b4a764012ada39c 99 15 8:33 / /media/REMOVE\040ME rw,nosuid,nodev,relatime - fuseblk /dev/sdc1 rw,user_id=0,group_id=0,allow_other,blksize=4096` + + mountInfoWithSpaces = `486 28 252:1 / /mnt/foo\040bar rw,relatime shared:243 - ext4 /dev/vda1 rw,data=ordered +31 21 0:23 / /DATA/foo_bla_bla rw,relatime - cifs //foo/BLA\040BLA\040BLA/ rw,sec=ntlm,cache=loose,unc=\\foo\BLA BLA BLA,username=my_login,domain=mydomain.com,uid=12345678,forceuid,gid=12345678,forcegid,addr=10.1.30.10,file_mode=0755,dir_mode=0755,nounix,rsize=61440,wsize=65536,actimeo=1` ) func TestParseFedoraMountinfo(t *testing.T) { @@ -490,3 +493,48 @@ t.Fatalf("expected %#v, got %#v", mi, infos[0]) } } + +func TestParseMountinfoWithSpaces(t *testing.T) { + r := bytes.NewBuffer([]byte(mountInfoWithSpaces)) + infos, err := parseInfoFile(r) + if err != nil { + t.Fatal(err) + } + expected := []Info{ + { + ID: 486, + Parent: 28, + Major: 252, + Minor: 1, + Root: "/", + Mountpoint: "/mnt/foo bar", + Options: "rw,relatime", + Optional: "shared:243", + FSType: "ext4", + Source: "/dev/vda1", + VFSOptions: "rw,data=ordered", + }, + { + ID: 31, + Parent: 21, + Major: 0, + Minor: 23, + Root: "/", + Mountpoint: "/DATA/foo_bla_bla", + Options: "rw,relatime", + Optional: "", + FSType: "cifs", + Source: `//foo/BLA\040BLA\040BLA/`, + VFSOptions: `rw,sec=ntlm,cache=loose,unc=\\foo\BLA`, + }, + } + + if len(infos) != len(expected) { + t.Fatalf("expected %d entries, got %d", len(expected), len(infos)) + } + for i, mi := range expected { + if infos[i] != mi { + t.Fatalf("expected %#v, got %#v", mi, infos[i]) + } + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts.go new/containerd-1.2.6_894b81a4b802/oci/spec_opts.go --- old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/oci/spec_opts.go 2019-04-05 20:39:47.000000000 +0200 @@ -733,7 +733,9 @@ } // WithAllCapabilities sets all linux capabilities for the process -var WithAllCapabilities = WithCapabilities(getAllCapabilities()) +var WithAllCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error { + return WithCapabilities(getAllCapabilities())(ctx, client, c, s) +} func getAllCapabilities() []string { last := capability.CAP_LAST_CAP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts_test.go new/containerd-1.2.6_894b81a4b802/oci/spec_opts_test.go --- old/containerd-1.2.5_bb71b10fd8f5/oci/spec_opts_test.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/oci/spec_opts_test.go 2019-04-05 20:39:47.000000000 +0200 @@ -39,25 +39,25 @@ Env: []string{"DEFAULT=test"}, } - WithEnv([]string{"env=1"})(nil, nil, nil, &s) + WithEnv([]string{"env=1"})(context.Background(), nil, nil, &s) if len(s.Process.Env) != 2 { t.Fatal("didn't append") } - WithEnv([]string{"env2=1"})(nil, nil, nil, &s) + WithEnv([]string{"env2=1"})(context.Background(), nil, nil, &s) if len(s.Process.Env) != 3 { t.Fatal("didn't append") } - WithEnv([]string{"env2=2"})(nil, nil, nil, &s) + WithEnv([]string{"env2=2"})(context.Background(), nil, nil, &s) if s.Process.Env[2] != "env2=2" { t.Fatal("couldn't update") } - WithEnv([]string{"env2"})(nil, nil, nil, &s) + WithEnv([]string{"env2"})(context.Background(), nil, nil, &s) if len(s.Process.Env) != 2 { t.Fatal("couldn't unset") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/releases/v1.2.6.toml new/containerd-1.2.6_894b81a4b802/releases/v1.2.6.toml --- old/containerd-1.2.5_bb71b10fd8f5/releases/v1.2.6.toml 1970-01-01 01:00:00.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/releases/v1.2.6.toml 2019-04-05 20:39:47.000000000 +0200 @@ -0,0 +1,39 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.2.5" + +pre_release = false + +preface = """\ +The sixth patch release for `containerd` 1.2 contains fixes +for the containerd client, the CRI plugin and containerd io +and mount handling. + +It whitelists 2 new syscalls in the default seccomp profile, +and also updates CNI to v0.7.5 to include the fix for [CVE-2019-9946](https://nvd.nist.gov/vuln/detail/CVE-2019-9946). + +All these changes are noted below. +### Notable Updates +* Allow overriding package name in `containerd --version` output. [#3098](https://github.com/containerd/containerd/pull/3098) +* Add 2 new syscalls `io_pgetevents` and `statx` in the default seccomp whitelist. [#3113](https://github.com/containerd/containerd/pull/3113) [#3115](https://github.com/containerd/containerd/pull/3115) +* Fix a bug that custom containerd cgroup path does not work in containerd 1.2.5. [#3143](https://github.com/containerd/containerd/pull/3143) +* Fix a bug in the containerd client that `WithAllCapabilities` applies incomplete capability list. [#3147](https://github.com/containerd/containerd/pull/3147) +* Fix a bug that container output can be incomplete when stdout and stderr are pointed to the same file. [#3118](https://github.com/containerd/containerd/issues/3118) +* Fix a bug that containerd can't properly handle space in mount point path. [3161](https://github.com/containerd/containerd/pull/3161) +* cri: fix a bug that containers being gracefully stopped are SIGKILLed when kubelet is restarted. [cri#1098](https://github.com/containerd/cri/issues/1098) +* cri: Fix a bug that pod UTS namespace is used for host network. [cri#1111](https://github.com/containerd/cri/pull/1111) +* cri: Update CNI plugins to v0.7.5 for [CVE-2019-9946](https://nvd.nist.gov/vuln/detail/CVE-2019-9946). +* Update cri to eb926cd79d3bac188dcc4ed7694fc9298f8831be. [#3174](https://github.com/containerd/containerd/pull/3174) +* Update runc to v1.0.0-rc7-6-g029124da [#3183](https://github.com/containerd/containerd/pull/3183) to fix potential container start failure on non-SELinux system. [runc#2030](https://github.com/opencontainers/runc/issues/2030) +""" + +# notable prs to include in the release notes, 1234 is the pr number +[notes] + +[breaking] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/runtime/v1/linux/proc/io.go new/containerd-1.2.6_894b81a4b802/runtime/v1/linux/proc/io.go --- old/containerd-1.2.5_bb71b10fd8f5/runtime/v1/linux/proc/io.go 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/runtime/v1/linux/proc/io.go 2019-04-05 20:39:47.000000000 +0200 @@ -24,8 +24,10 @@ "io" "os" "sync" + "sync/atomic" "syscall" + "github.com/containerd/containerd/log" "github.com/containerd/fifo" runc "github.com/containerd/go-runc" ) @@ -38,7 +40,7 @@ } func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, wg, cwg *sync.WaitGroup) error { - var sameFile io.WriteCloser + var sameFile *countingWriteCloser for _, i := range []struct { name string dest func(wc io.WriteCloser, rc io.Closer) @@ -52,7 +54,9 @@ cwg.Done() p := bufPool.Get().(*[]byte) defer bufPool.Put(p) - io.CopyBuffer(wc, rio.Stdout(), *p) + if _, err := io.CopyBuffer(wc, rio.Stdout(), *p); err != nil { + log.G(ctx).Warn("error copying stdout") + } wg.Done() wc.Close() if rc != nil { @@ -69,7 +73,9 @@ cwg.Done() p := bufPool.Get().(*[]byte) defer bufPool.Put(p) - io.CopyBuffer(wc, rio.Stderr(), *p) + if _, err := io.CopyBuffer(wc, rio.Stderr(), *p); err != nil { + log.G(ctx).Warn("error copying stderr") + } wg.Done() wc.Close() if rc != nil { @@ -96,6 +102,7 @@ } } else { if sameFile != nil { + sameFile.count++ i.dest(sameFile, nil) continue } @@ -103,7 +110,10 @@ return fmt.Errorf("containerd-shim: opening %s failed: %s", i.name, err) } if stdout == stderr { - sameFile = fw + sameFile = &countingWriteCloser{ + WriteCloser: fw, + count: 1, + } } } i.dest(fw, fr) @@ -128,6 +138,19 @@ return nil } +// countingWriteCloser masks io.Closer() until close has been invoked a certain number of times. +type countingWriteCloser struct { + io.WriteCloser + count int64 +} + +func (c *countingWriteCloser) Close() error { + if atomic.AddInt64(&c.count, -1) > 0 { + return nil + } + return c.WriteCloser.Close() +} + // isFifo checks if a file is a fifo // if the file does not exist then it returns false func isFifo(path string) (bool, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cgroups/cgro… new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cgroups/cgro… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cgroups/cgro… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cgroups/cgro… 2019-04-05 20:39:47.000000000 +0200 @@ -105,6 +105,10 @@ } activeSubsystems = append(activeSubsystems, s) } + // if we do not have any active systems then the cgroup is deleted + if len(activeSubsystems) == 0 { + return nil, ErrCgroupDeleted + } return &cgroup{ path: path, subsystems: activeSubsystems, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… 2019-04-05 20:39:47.000000000 +0200 @@ -143,8 +143,9 @@ return errors.Wrapf(err, "failed to stop container %q", id) } - if err = c.waitContainerStop(ctx, container, timeout); err == nil { - return nil + if err = c.waitContainerStop(ctx, container, timeout); err == nil || errors.Cause(err) == ctx.Err() { + // Do not SIGKILL container if the context is cancelled. + return err } logrus.WithError(err).Errorf("An error occurs during waiting for container %q to be stopped", id) } @@ -167,7 +168,7 @@ defer timeoutTimer.Stop() select { case <-ctx.Done(): - return errors.Errorf("wait container %q is cancelled", container.ID) + return errors.Wrapf(ctx.Err(), "wait container %q is cancelled", container.ID) case <-timeoutTimer.C: return errors.Errorf("wait container %q stop timeout", container.ID) case <-container.Stopped(): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… 2019-04-05 20:39:47.000000000 +0200 @@ -37,7 +37,6 @@ imagedigest "github.com/opencontainers/go-digest" runtimespec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" - "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "golang.org/x/net/context" @@ -355,7 +354,12 @@ selinuxOpt.GetRole(), selinuxOpt.GetType(), selinuxOpt.GetLevel()) - return label.InitLabels(selinux.DupSecOpt(labelOpts)) + + options, err := label.DupSecOpt(labelOpts) + if err != nil { + return "", "", err + } + return label.InitLabels(options) } func checkSelinuxLevel(level string) (bool, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… 2019-04-05 20:39:47.000000000 +0200 @@ -385,6 +385,7 @@ nsOptions := securityContext.GetNamespaceOptions() if nsOptions.GetNetwork() == runtime.NamespaceMode_NODE { g.RemoveLinuxNamespace(string(runtimespec.NetworkNamespace)) // nolint: errcheck + g.RemoveLinuxNamespace(string(runtimespec.UTSNamespace)) // nolint: errcheck } else { //TODO(Abhi): May be move this to containerd spec opts (WithLinuxSpaceOption) g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), nsPath) // nolint: errcheck diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/pkg/serv… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/pkg/serv… 2019-04-05 20:39:47.000000000 +0200 @@ -144,7 +144,7 @@ defer timeoutTimer.Stop() select { case <-ctx.Done(): - return errors.Errorf("wait sandbox container %q is cancelled", sandbox.ID) + return errors.Wrapf(ctx.Err(), "wait sandbox container %q is cancelled", sandbox.ID) case <-timeoutTimer.C: return errors.Errorf("wait sandbox container %q stop timeout", sandbox.ID) case <-sandbox.Stopped(): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/vendor.c… new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/vendor.c… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/containerd/cri/vendor.c… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/containerd/cri/vendor.c… 2019-04-05 20:39:47.000000000 +0200 @@ -1,9 +1,9 @@ github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9 github.com/blang/semver v3.1.0 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895 -github.com/containerd/cgroups 5e610833b72089b37d0e615de9a92dfc043757c2 +github.com/containerd/cgroups dbea6f2bd41658b84b00417ceefa416b979cbf10 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23 -github.com/containerd/containerd 583472f67a3d7c258f874347339688de05802790 +github.com/containerd/containerd v1.2.5 github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90 @@ -11,7 +11,7 @@ github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 github.com/containernetworking/cni v0.6.0 -github.com/containernetworking/plugins v0.7.0 +github.com/containernetworking/plugins v0.7.5 github.com/coreos/go-systemd v14 github.com/davecgh/go-spew v1.1.0 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 @@ -39,10 +39,10 @@ github.com/modern-go/reflect2 1.0.1 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7 github.com/opencontainers/image-spec v1.0.1 -github.com/opencontainers/runc 6635b4f0c6af3810594d2770f662f34ddc15b40d +github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 github.com/opencontainers/runtime-tools v0.6.0 -github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a +github.com/opencontainers/selinux v1.2.1 github.com/pkg/errors v0.8.0 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang f4fb1b73fb099f396a7f0036bf86aa8def4ed823 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/lib… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/lib… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/lib… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/lib… 2019-04-05 20:39:47.000000000 +0200 @@ -249,7 +249,7 @@ { int fd = -1; char template[PATH_MAX] = {0}; - char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); + char *prefix = getenv("_LIBCONTAINER_STATEDIR"); if (!prefix || *prefix != '/') prefix = "/tmp"; @@ -351,7 +351,7 @@ { int fd, ret = -1; char template[PATH_MAX] = {0}; - char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR"); + char *prefix = getenv("_LIBCONTAINER_STATEDIR"); if (!prefix || *prefix != '/') prefix = "/tmp"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/ven… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/ven… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/runc/ven… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/runc/ven… 2019-04-05 20:39:47.000000000 +0200 @@ -5,7 +5,7 @@ # Core libcontainer functionality. github.com/checkpoint-restore/go-criu v3.11 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08 -github.com/opencontainers/selinux v1.0.0-rc1 +github.com/opencontainers/selinux v1.2.1 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… 2019-04-05 20:39:47.000000000 +0200 @@ -5,3 +5,14 @@ Common SELinux package used across the container ecosystem. Please see the [godoc](https://godoc.org/github.com/opencontainers/selinux) for more information. + +## Code of Conduct + +Participation in the OpenContainers community is governed by [OpenContainer's Code of Conduct][code-of-conduct]. + +## Security + +If you find an issue, please follow the [security][security] protocol to report it. + +[security]: https://github.com/opencontainers/org/blob/master/security +[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… 2019-04-05 20:39:47.000000000 +0200 @@ -9,7 +9,7 @@ return "", "", nil } -func GetROMountLabel() string { +func ROMountLabel() string { return "" } @@ -25,7 +25,27 @@ return nil } -func GetFileLabel(path string) (string, error) { +func ProcessLabel() (string, error) { + return "", nil +} + +func SetSocketLabel(processLabel string) error { + return nil +} + +func SocketLabel() (string, error) { + return "", nil +} + +func SetKeyLabel(processLabel string) error { + return nil +} + +func KeyLabel() (string, error) { + return "", nil +} + +func FileLabel(path string) (string, error) { return "", nil } @@ -41,13 +61,18 @@ return nil } -func GetPidLabel(pid int) (string, error) { +func PidLabel(pid int) (string, error) { return "", nil } func Init() { } +// ClearLabels clears all reserved labels +func ClearLabels() { + return +} + func ReserveLabel(label string) error { return nil } @@ -58,8 +83,8 @@ // DupSecOpt takes a process label and returns security options that // can be used to set duplicate labels on future container processes -func DupSecOpt(src string) []string { - return nil +func DupSecOpt(src string) ([]string, error) { + return nil, nil } // DisableSecOpt returns a security opt that can disable labeling diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… 2019-04-05 20:39:47.000000000 +0200 @@ -4,6 +4,8 @@ import ( "fmt" + "os" + "os/user" "strings" "github.com/opencontainers/selinux/go-selinux" @@ -24,17 +26,29 @@ // the container. A list of options can be passed into this function to alter // the labels. The labels returned will include a random MCS String, that is // guaranteed to be unique. -func InitLabels(options []string) (string, string, error) { +func InitLabels(options []string) (plabel string, mlabel string, Err error) { if !selinux.GetEnabled() { return "", "", nil } processLabel, mountLabel := selinux.ContainerLabels() if processLabel != "" { - pcon := selinux.NewContext(processLabel) - mcon := selinux.NewContext(mountLabel) + defer func() { + if Err != nil { + ReleaseLabel(mountLabel) + } + }() + pcon, err := selinux.NewContext(processLabel) + if err != nil { + return "", "", err + } + + mcon, err := selinux.NewContext(mountLabel) + if err != nil { + return "", "", err + } for _, opt := range options { if opt == "disable" { - return "", "", nil + return "", mountLabel, nil } if i := strings.Index(opt, ":"); i == -1 { return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt) @@ -90,6 +104,28 @@ return selinux.SetExecLabel(processLabel) } +// SetSocketLabel takes a process label and tells the kernel to assign the +// label to the next socket that gets created +func SetSocketLabel(processLabel string) error { + return selinux.SetSocketLabel(processLabel) +} + +// SocketLabel retrieves the current default socket label setting +func SocketLabel() (string, error) { + return selinux.SocketLabel() +} + +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +func SetKeyLabel(processLabel string) error { + return selinux.SetKeyLabel(processLabel) +} + +// KeyLabel retrieves the current default kernel keyring label setting +func KeyLabel() (string, error) { + return selinux.KeyLabel() +} + // ProcessLabel returns the process label that the kernel will assign // to the next program executed by the current process. If "" is returned // this indicates that the default labeling will happen for the process. @@ -97,7 +133,7 @@ return selinux.ExecLabel() } -// GetFileLabel returns the label for specified path +// FileLabel returns the label for specified path func FileLabel(path string) (string, error) { return selinux.FileLabel(path) } @@ -130,13 +166,56 @@ return nil } - exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true, "/tmp": true, "/home": true, "/run": true, "/var": true, "/root": true} + exclude_paths := map[string]bool{ + "/": true, + "/bin": true, + "/boot": true, + "/dev": true, + "/etc": true, + "/etc/passwd": true, + "/etc/pki": true, + "/etc/shadow": true, + "/home": true, + "/lib": true, + "/lib64": true, + "/media": true, + "/opt": true, + "/proc": true, + "/root": true, + "/run": true, + "/sbin": true, + "/srv": true, + "/sys": true, + "/tmp": true, + "/usr": true, + "/var": true, + "/var/lib": true, + "/var/log": true, + } + + if home := os.Getenv("HOME"); home != "" { + exclude_paths[home] = true + } + + if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" { + if usr, err := user.Lookup(sudoUser); err == nil { + exclude_paths[usr.HomeDir] = true + } + } + + if path != "/" { + path = strings.TrimSuffix(path, "/") + } if exclude_paths[path] { return fmt.Errorf("SELinux relabeling of %s is not allowed", path) } if shared { - c := selinux.NewContext(fileLabel) + c, err := selinux.NewContext(fileLabel) + if err != nil { + return err + } + c["level"] = "s0" fileLabel = c.Get() } @@ -156,6 +235,11 @@ selinux.GetEnabled() } +// ClearLabels will clear all reserved labels +func ClearLabels() { + selinux.ClearLabels() +} + // ReserveLabel will record the fact that the MCS label has already been used. // This will prevent InitLabels from using the MCS label in a newly created // container @@ -174,7 +258,7 @@ // DupSecOpt takes a process label and returns security options that // can be used to set duplicate labels on future container processes -func DupSecOpt(src string) []string { +func DupSecOpt(src string) ([]string, error) { return selinux.DupSecOpt(src) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… 2019-04-05 20:39:47.000000000 +0200 @@ -52,6 +52,8 @@ ErrMCSAlreadyExists = errors.New("MCS label already exists") // ErrEmptyPath is returned when an empty path has been specified. ErrEmptyPath = errors.New("empty path") + // InvalidLabel is returned when an invalid label is specified. + InvalidLabel = errors.New("Invalid Label") assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) roFileLabel string @@ -331,6 +333,11 @@ if fpath == "" { return ErrEmptyPath } + if val == "" { + if !GetEnabled() { + return nil + } + } out, err := os.OpenFile(fpath, os.O_WRONLY, 0) if err != nil { @@ -385,6 +392,28 @@ return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label) } +// SetSocketLabel takes a process label and tells the kernel to assign the +// label to the next socket that gets created +func SetSocketLabel(label string) error { + return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()), label) +} + +// SocketLabel retrieves the current socket label setting +func SocketLabel() (string, error) { + return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid())) +} + +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +func SetKeyLabel(label string) error { + return writeCon("/proc/self/attr/keycreate", label) +} + +// KeyLabel retrieves the current kernel keyring label setting +func KeyLabel() (string, error) { + return readCon("/proc/self/attr/keycreate") +} + // Get returns the Context as a string func (c Context) Get() string { if c["level"] != "" { @@ -394,11 +423,14 @@ } // NewContext creates a new Context struct from the specified label -func NewContext(label string) Context { +func NewContext(label string) (Context, error) { c := make(Context) if len(label) != 0 { con := strings.SplitN(label, ":", 4) + if len(con) < 3 { + return c, InvalidLabel + } c["user"] = con[0] c["role"] = con[1] c["type"] = con[2] @@ -406,7 +438,14 @@ c["level"] = con[3] } } - return c + return c, nil +} + +// ClearLabels clears all reserved labels +func ClearLabels() { + state.Lock() + state.mcsList = make(map[string]bool) + state.Unlock() } // ReserveLabel reserves the MLS/MCS level component of the specified label @@ -612,12 +651,12 @@ roFileLabel = fileLabel } exit: - scon := NewContext(processLabel) + scon, _ := NewContext(processLabel) if scon["level"] != "" { mcs := uniqMcs(1024) scon["level"] = mcs processLabel = scon.Get() - scon = NewContext(fileLabel) + scon, _ = NewContext(fileLabel) scon["level"] = mcs fileLabel = scon.Get() } @@ -643,8 +682,14 @@ if err := SecurityCheckContext(dest); err != nil { return "", err } - scon := NewContext(src) - tcon := NewContext(dest) + scon, err := NewContext(src) + if err != nil { + return "", err + } + tcon, err := NewContext(dest) + if err != nil { + return "", err + } mcsDelete(tcon["level"]) mcsAdd(scon["level"]) tcon["level"] = scon["level"] @@ -680,7 +725,11 @@ return err } callback := func(p string, info os.FileInfo, err error) error { - return SetFileLabel(p, label) + e := SetFileLabel(p, label) + if os.IsNotExist(e) { + return nil + } + return e } if recurse { @@ -692,15 +741,18 @@ // DupSecOpt takes an SELinux process label and returns security options that // can be used to set the SELinux Type and Level for future container processes. -func DupSecOpt(src string) []string { +func DupSecOpt(src string) ([]string, error) { if src == "" { - return nil + return nil, nil + } + con, err := NewContext(src) + if err != nil { + return nil, err } - con := NewContext(src) if con["user"] == "" || con["role"] == "" || con["type"] == "" { - return nil + return nil, nil } dup := []string{"user:" + con["user"], "role:" + con["role"], @@ -711,7 +763,7 @@ dup = append(dup, "level:"+con["level"]) } - return dup + return dup, nil } // DisableSecOpt returns a security opt that can be used to disable SELinux diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… --- old/containerd-1.2.5_bb71b10fd8f5/vendor/github.com/opencontainers/selinux/… 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor/github.com/opencontainers/selinux/… 2019-04-05 20:39:47.000000000 +0200 @@ -96,15 +96,44 @@ return nil } +/* +SetSocketLabel sets the SELinux label that the kernel will use for any programs +that are executed by the current process thread, or an error. +*/ +func SetSocketLabel(label string) error { + return nil +} + +// SocketLabel retrieves the current socket label setting +func SocketLabel() (string, error) { + return "", nil +} + +// SetKeyLabel takes a process label and tells the kernel to assign the +// label to the next kernel keyring that gets created +func SetKeyLabel(label string) error { + return nil +} + +// KeyLabel retrieves the current kernel keyring label setting +func KeyLabel() (string, error) { + return "", nil +} + // Get returns the Context as a string func (c Context) Get() string { return "" } // NewContext creates a new Context struct from the specified label -func NewContext(label string) Context { +func NewContext(label string) (Context, error) { c := make(Context) - return c + return c, nil +} + +// ClearLabels clears all reserved MLS/MCS levels +func ClearLabels() { + return } // ReserveLabel reserves the MLS/MCS level component of the specified label @@ -177,8 +206,8 @@ // DupSecOpt takes an SELinux process label and returns security options that // can be used to set the SELinux Type and Level for future container processes. -func DupSecOpt(src string) []string { - return nil +func DupSecOpt(src string) ([]string, error) { + return nil, nil } // DisableSecOpt returns a security opt that can be used to disable SELinux diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/containerd-1.2.5_bb71b10fd8f5/vendor.conf new/containerd-1.2.6_894b81a4b802/vendor.conf --- old/containerd-1.2.5_bb71b10fd8f5/vendor.conf 2019-03-13 06:41:42.000000000 +0100 +++ new/containerd-1.2.6_894b81a4b802/vendor.conf 2019-04-05 20:39:47.000000000 +0200 @@ -1,6 +1,6 @@ github.com/containerd/go-runc 5a6d9f37cfa36b15efba46dc7ea349fa9b7143c3 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23 -github.com/containerd/cgroups dbea6f2bd41658b84b00417ceefa416b979cbf10 +github.com/containerd/cgroups 4994991857f9b0ae8dc439551e8bebdbb4bf66c1 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c github.com/containerd/btrfs 2e1aa0ddf94f91fa282b6ed87c23bf0d64911244 @@ -20,7 +20,7 @@ github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef github.com/golang/protobuf v1.1.0 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d -github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30 +github.com/opencontainers/runc 029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da github.com/sirupsen/logrus v1.0.0 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c golang.org/x/net b3756b4b77d7b13260a0a2ec658753cf48922eac @@ -43,11 +43,11 @@ go.etcd.io/bbolt v1.3.1-etcd.8 # cri dependencies -github.com/containerd/cri a92c40017473cbe0239ce180125f12669757e44f # release/1.2 branch +github.com/containerd/cri eb926cd79d3bac188dcc4ed7694fc9298f8831be # release/1.2 branch github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90 github.com/blang/semver v3.1.0 github.com/containernetworking/cni v0.6.0 -github.com/containernetworking/plugins v0.7.0 +github.com/containernetworking/plugins v0.7.5 github.com/davecgh/go-spew v1.1.0 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00 @@ -62,7 +62,7 @@ github.com/modern-go/reflect2 1.0.1 github.com/modern-go/concurrent 1.0.3 github.com/opencontainers/runtime-tools v0.6.0 -github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a +github.com/opencontainers/selinux v1.2.1 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 github.com/tchap/go-patricia v2.2.6 github.com/xeipuuv/gojsonpointer 4e3ac2762d5f479393488629ee9370b50873b3a6

1 0