update some URLs
The origin repository renamed its "master" branch to "main", so we need
to update our references to items in that branch.
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
... in layer blobs
When analyzing a layer blob's contents, don't break if the blob has more
zeroes padding it out even after the tar reader thinks it's hit the end
of the archive.
Add more detail to the diagnostic error we print when there's a digest
or length mismatch, too, in case it's triggered by something other than
zero padding.
Don't ignore errors which might be encountered when we try to use skopeo
to copy an image to a directory.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Addresses CVE-2024-1753 which allowed a user to write files to the
`/` directory of the host machine if selinux was not enabled.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
cross build task depends on `brew install`ing a go version that's
no longer supported upstream.
We will also be switching to TMT tests using centos stream, so cirrus
cross build task which will use the latest available version of golang
on centos stream. So disabling this task in cirrus shouldn't be too big
a deal.
It's only being commented out so we don't forget about it when we switch
to TMT.
Ref: https://cirrus-ci.com/build/6451305468657664
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Normally updates to release-branches are ill-advised for multiple
reasons. However, in the case of necessary security updates all
downstream releases have already updated to golang 1.17. Do the
same for CI to maintain parity with downstream user experience.
Also: Stop testing on F34. This release-branch is needed only to
validate backports. It simply needs to remain close to RHEL/CentOS, so
there's no sense in maintaining more Fedora releases than minimally
necessary.
Signed-off-by: Chris Evich <cevich@redhat.com>
Manual bump because of failed automated cherrypick of #5232.
Go bumped to 1.17 otherwise it fails to build.
Fixes: GHSA-45x7-px36-x8w8 CVE-2023-48795
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
When comparing layer payloads during conformance tests, mask off any
file type bits that the tar headers in the layers might have included.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
This mimics #5111 but without the vendor update, which is very
large on this branch.
[NO NEW TESTS NEEDED] This cannot be tested in CI as cloud
providers already don't provide these interfaces in their VMs.
Signed-off-by: Matt Heon <mheon@redhat.com>
Commit d5b77bf72c updated the conformance test references from a
deprecated repository. However, by pointing at the docker-hub it
inadvertently introduced a significant possibility for flakes. This is
because anonymous docker hub access is rate-limited by IP. We cannot
predict the IP used for CI VMs & Containers, any of which could be at or
close to the limit. Fix this by pointing conformance tests explicitly at
`quay.io/libpod/centos` which is exclusively for use by CI, with
static images.
Signed-off-by: Chris Evich <cevich@redhat.com>
Migrate our OSX build to a M1 instance, since Cirrus is sunsetting Intel-based macOS instances.
Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit 498b45770f)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The ubi8 image changed some architecture string yesterday and
broke all our CI on all branches, including podman because
it too runs bud.bats tests.
Solution: use a safe, reliable, trustworthy test image (the
one built and used for podman). Because that image does not
have the same labels, confirm pull using .Architecture
instead.
We should stop using ubi8 and registry.redhat (#4318). They
are unreliable. This PR doesn't fix that; it's just an
emergency patch for one specific CI break. We can use
this as a basis for future removals of ubi8.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Adding sources from URL using `ADD` instruction adds response to build
container even if it receives bad HTTP response; this behaviour is
not in parity with `docker` or `buildkit`.
The following commit ensures that `ADD` where source is external URL fails
on build step if we get bad HTTP response.
Example: Following containerfile should fail while building
```Dockerfile
FROM registry.fedoraproject.org/fedora:36
ADD https://mirror.init7.net/fedora/fedora/linux/releases/36/Server/x86_64/iso/Fedora-Server-netinst-x86_64-36-1.5.foo /
```
**Fixes: BZ#2102140**
Signed-off-by: Aditya R <arajan@redhat.com>
When a container is created with specific uid and gid, also add the container
gid to supplementary/additional groups.
Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Recently (as of this commit) the OSX CI environment was updated. This
is causing the cross_build task to break. Fix this by locking onto the
golang version it was passing with on release.
Signed-off-by: Chris Evich <cevich@redhat.com>
- Update the version number to v1.24.5 for tagging a new release.
- Drop commas from changelog dates because `rpmspec -q` doesn't like them.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Update github.com/containers/storage from v1.38.3 to v1.38.5.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191
Buildah doesn't seem to be directly affected as the logic in question
is not called.
golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
(cherry picked from commit 84580a69bc)
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>