Skip to content

Merge the release-1.55 branch into main#2143

Merged
giuseppe merged 9 commits intocontainers:mainfrom
mtrmac:merge-branch
Oct 23, 2024
Merged

Merge the release-1.55 branch into main#2143
giuseppe merged 9 commits intocontainers:mainfrom
mtrmac:merge-branch

Conversation

@mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented Oct 21, 2024

Go tools use commit parent links to determine ordering.

Without a merge like this this, commits on main, e.g. v1.55.1-0.20241002203117-0eb3a0231575, look “behind” v1.55.1, and Go tools “upgrade” to the branch, losing new features and breaking builds: https://cirrus-ci.com/build/6713959498121216 (Skopeo uses v1.55.1, c/image uses a commit from main, and combining the two uses the tagged release.)

So, add a merge commit to express the “is-later-than” relationship; afterwards, c/image will need to update to a commit which includes this merge, and Go tooling will again do the right thing.

giuseppe and others added 9 commits October 14, 2024 16:15
@giuseppe @mheon
userns: fix off-by-one userns max size detection
8038220 
fix the detection for the maximum userns size from an image.

If the maximum ID used in an image is X, we need to use a user
namespace with size X+1 to include UID=X.

Closes: containers#2104

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe @mheon
users: fix path for /etc/group in the container
5401ebd 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe @mheon
userns: skip "nogroup"
9b22eea 
the alpine image defines a "nogroup":

$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:

ignore it as we are already doing for the "nobody" user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@mheon
Use securejoin.SecureJoin when forming userns paths
097de28 
We need to read /etc/passwd and /etc/group in the container to
get an idea of how many UIDs and GIDs we need to allocate for a
user namespace when `--userns=auto` is specified. We were forming
paths for these using filepath.Join, which is not safe for paths
within a container, resulting in this CVE allowing crafted
symlinks in the container to access paths on the host instead.

Addresses CVE-2024-9676

Signed-off-by: Matt Heon <mheon@redhat.com>
@mheon
Force lint to golang:1.21
eccfbd0 
Matches what we're compiling with.

Signed-off-by: Matt Heon <mheon@redhat.com>
@openshift-merge-bot
Merge pull request containers#2135 from mheon/backport_2024_9676_rele…
465d8c0 
…ase155

[release-1.55] backport fix for CVE-2026-9676
@nalind
Bump the version to v1.55.1
16bdeb5 
Bump the version identifier to v1.55.1 so that we can tag a new release.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@openshift-merge-bot
Merge pull request containers#2139 from nalind/v1.55.1
c31627e 
Bump the version to v1.55.1
@mtrmac
Merge remote-tracking branch 'origin/release-1.55' into merge-branch
31b1194
@mtrmac mtrmac mentioned this pull request Oct 21, 2024
Closed
1 task
@mtrmac
Copy link
Collaborator Author

mtrmac commented Oct 21, 2024

@Honny1 @kolyshkin @giuseppe PTAL, this is necessary to unblock c/image CI. (Alternatives: tag a release of c/storage from main; test c/image against a frozen version of Skopeo which hasn’t updated to 1.55.1.)

Honny1
Honny1 approved these changes Oct 21, 2024
View reviewed changes
Copy link
Member

@Honny1 Honny1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

giuseppe
giuseppe approved these changes Oct 21, 2024
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 21, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 21, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: giuseppe, Honny1, mtrmac

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mtrmac mtrmac mentioned this pull request Oct 23, 2024
Closed
@mtrmac
Copy link
Collaborator Author

mtrmac commented Oct 23, 2024

Please merge, c/image CI is broken now.

@giuseppe giuseppe merged commit 717b332 into containers:main Oct 23, 2024
@mtrmac mtrmac deleted the merge-branch branch October 23, 2024 20:04
mtrmac added a commit to mtrmac/image that referenced this pull request Oct 23, 2024
@mtrmac
Update c/storage after containers/storage#2143
26963e0 
This makes the declared version larger than 1.55.1, so that the Skopeo test
does not downgrade to 1.55.1 from a branch. That branch is missing an API
we now depend on, so c/image CI is failing; this should fix that.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Copy link
Collaborator Author

mtrmac commented Oct 23, 2024

Thanks!

C/image user: containers/image#2610

mtrmac added a commit to containers/image that referenced this pull request Oct 23, 2024
@mtrmac
Merge pull request #2610 from mtrmac/storage-version
75bad95 
Update c/storage after containers/storage#2143
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@giuseppe giuseppe giuseppe approved these changes

@Honny1 Honny1 Honny1 approved these changes

Assignees

@giuseppe giuseppe

Labels

lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mtrmac @giuseppe @Honny1 @mheon @nalind