.buildah.metadata

@@ -1 +1 @@
-427bc708dc556bf5be50eac881a7914ae81260cc SOURCES/buildah-1.37.5-5fd40b9.tar.gz
+80d289a0e9aaf8feb827df7aec25897ffec47bdc SOURCES/release-1.11-rhel-9a4764a.tar.gz

.gitignore

@@ -1 +1 @@
-SOURCES/buildah-1.37.5-5fd40b9.tar.gz
+SOURCES/release-1.11-rhel-9a4764a.tar.gz

SOURCES/1996.patch

@@ -0,0 +1,153 @@
+From f09346578021c12069b6deb9487a1462b8d28a83 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 21 Nov 2019 15:32:41 -0500
+Subject: [PATCH 1/3] bind: don't complain about missing mountpoints
+
+When we go to unmount a tree of mounts, if one of the directories isn't
+there, instead of returning an error as before, log a debug message and
+keep going.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ bind/mount.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bind/mount.go b/bind/mount.go
+index e1ae323b9f..adde901fd1 100644
+--- a/bind/mount.go
++++ b/bind/mount.go
+@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
+ 		mount := getMountByID(id)
+ 		// check if this mountpoint is mounted
+ 		if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
++			if os.IsNotExist(err) {
++				logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
++				continue
++			}
+ 			return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
+ 		}
+ 		if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
+
+From c5fb681a6082b78c422eb3531667dc6d607a9355 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 22 Nov 2019 14:22:26 -0500
+Subject: [PATCH 2/3] chroot: Unmount with MNT_DETACH instead of
+ UnmountMountpoints()
+
+Unmounting the rootfs with MNT_DETACH should unmount everything below
+it, so we don't need to use the more exhaustive method that our bind
+package uses for its bind mounts.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ chroot/run.go | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index fbccbcdb0d..76ac78d1ff 100644
+--- a/chroot/run.go
++++ b/chroot/run.go
+@@ -15,6 +15,7 @@ import (
+ 	"strings"
+ 	"sync"
+ 	"syscall"
++	"time"
+ 	"unsafe"
+ 
+ 	"github.com/containers/buildah/bind"
+@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
+ // callback that will clean up its work.
+ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
+ 	var fs unix.Statfs_t
+-	removes := []string{}
+ 	undoBinds = func() error {
+-		if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
+-			logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
+-			if err == nil {
+-				err = err2
++		if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
++			retries := 0
++			for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
++				time.Sleep(50 * time.Millisecond)
++				err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
++				retries++
++			}
++			if err2 != nil {
++				logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
++				if err == nil {
++					err = err2
++				}
+ 			}
+ 		}
+ 		return err
+@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 	// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
+ 	// attempting to interact with labeling, when they aren't allowed to do so.
+ 	spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
++
+ 	// Bind mount in everything we've been asked to mount.
+ 	for _, m := range spec.Mounts {
+ 		// Skip anything that we just mounted.
+@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 			if !os.IsNotExist(err) {
+ 				return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
+ 			}
+-			// The target isn't there yet, so create it, and make a
+-			// note to remove it later.
++			// The target isn't there yet, so create it.
+ 			if srcinfo.IsDir() {
+ 				if err = os.MkdirAll(target, 0111); err != nil {
+ 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ 				}
+-				removes = append(removes, target)
+ 			} else {
+ 				if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
+ 					return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
+@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ 				}
+ 				file.Close()
+-				removes = append(removes, target)
+ 			}
+ 		}
+ 		requestFlags := bindFlags
+@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 		if err := os.Mkdir(roEmptyDir, 0700); err != nil {
+ 			return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
+ 		}
+-		removes = append(removes, roEmptyDir)
+ 	}
+ 
+ 	// Set up any masked paths that we need to.  If we're running inside of
+
+From ec1be6a51941e10b5316c911ef97c88940f7c095 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 22 Nov 2019 14:52:25 -0500
+Subject: [PATCH 3/3] overlay.bats typo: fuse-overlays should be fuse-overlayfs
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ tests/overlay.bats | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/overlay.bats b/tests/overlay.bats
+index 04056f6804..7cc2d0c622 100644
+--- a/tests/overlay.bats
++++ b/tests/overlay.bats
+@@ -3,14 +3,14 @@
+ load helpers
+ 
+ @test "overlay specific level" {
+-  if test \! -e /usr/bin/fuse-overlays -a  "$BUILDAH_ISOLATION" = "rootless"; then
++  if test \! -e /usr/bin/fuse-overlayfs -a "$BUILDAH_ISOLATION" = "rootless"; then
+     skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" and no /usr/bin/fuse-overlayfs present
+   fi
+   image=alpine
+   mkdir ${TESTDIR}/lower
+   touch ${TESTDIR}/lower/foo
+ 
+-cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
++  cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
+ 
+   # This should succeed
+   run_buildah --log-level=error run $cid ls /lower/foo

SOURCES/2031.patch

@@ -0,0 +1,147 @@
+From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 17 Dec 2019 15:24:29 -0500
+Subject: [PATCH] Add support for FIPS-Mode backends
+
+If host is running in fips mode, then RHEL8.2 and beyond container images
+will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
+This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
+order to make all tools in the container follow the FIPS Mode rules.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
+ run_linux.go           |  2 +-
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
+index 80ca050165..ee2e9a7c84 100644
+--- a/pkg/secrets/secrets.go
++++ b/pkg/secrets/secrets.go
+@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
+ }
+ 
+ // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
++// Deprecated, Please use SecretMountWithUIDGID
+ func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
+ 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
+ }
+ 
+-// SecretMountsWithUIDGID specifies the uid/gid of the owner
+-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
++// mountLabel: MAC/SELinux label for container content
++// containerWorkingDir: Private data for storing secrets on the host mounted in container.
++// mountFile: Additional mount points required for the container.
++// mountPoint: Container image mountpoint
++// uid: to assign to content created for secrets
++// gid: to assign to content created for secrets
++// rootless: indicates whether container is running in rootless mode
++// disableFips: indicates whether system should ignore fips mode
++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+ 	var (
+ 		secretMounts []rspec.Mount
+ 		mountFiles   []string
+@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
+ 	}
+ 	for _, file := range mountFiles {
+ 		if _, err := os.Stat(file); err == nil {
+-			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
++			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+ 			if err != nil {
+ 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
+ 			}
+@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
+ 	// Add FIPS mode secret if /etc/system-fips exists on the host
+ 	_, err := os.Stat("/etc/system-fips")
+ 	if err == nil {
+-		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
++		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+ 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ 		}
+ 	} else if os.IsNotExist(err) {
+@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
+ 
+ // addSecretsFromMountsFile copies the contents of host directory to container directory
+ // and returns a list of mounts
+-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+ 	var mounts []rspec.Mount
+ 	defaultMountsPaths := getMounts(filePath)
+ 	for _, path := range defaultMountsPaths {
+@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
+ 		}
+ 
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
++			Source:      ctrDirOrFileOnHost,
+ 			Destination: ctrDirOrFile,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
+ // root filesystem if /etc/system-fips exists on hosts.
+ // This enables the container to be FIPS compliant and run openssl in
+ // FIPS mode as the host is also in FIPS mode.
+-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+ 	secretsDir := "/run/secrets"
+ 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
+-			return errors.Wrapf(err, "making container directory on host failed")
++			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
+ 		}
+ 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+-			return errors.Wrap(err, "error applying correct labels")
++			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
+ 		}
+ 	}
+ 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
+ 
+ 	if !mountExists(*mounts, secretsDir) {
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, secretsDir),
++			Source:      ctrDirOnHost,
+ 			Destination: secretsDir,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
+ 		*mounts = append(*mounts, m)
+ 	}
+ 
++	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
++	destDir := "/etc/crypto-policies/back-ends"
++	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	if _, err := os.Stat(srcOnHost); err != nil {
++		if os.IsNotExist(err) {
++			return nil
++		}
++		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
++	}
++
++	if !mountExists(*mounts, destDir) {
++		m := rspec.Mount{
++			Source:      srcOnHost,
++			Destination: destDir,
++			Type:        "bind",
++			Options:     []string{"bind", "rprivate"},
++		}
++		*mounts = append(*mounts, m)
++	}
+ 	return nil
+ }
+ 
+diff --git a/run_linux.go b/run_linux.go
+index 4c2d73edde..c8e75eada6 100644
+--- a/run_linux.go
++++ b/run_linux.go
+@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
+ 	}
+ 
+ 	// Get the list of secrets mounts.
+-	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
++	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+ 
+ 	// Add temporary copies of the contents of volume locations at the
+ 	// volume locations, unless we already have something there.