SUSE SLES15 Security Update : buildah (SUSE-SU-2020:3423-1)


This update for buildah fixes the following issues : buildah was updated to v1.17.0 (bsc#1165184) : Handle cases where other tools mount/unmount containers overlay.MountReadOnly: support RO overlay mounts overlay: use fusermount for rootless umounts overlay: fix umount Switch default log level of Buildah to Warn. Users need to see these messages Drop error messages about OCI/Docker format to Warning level build(deps): bump github.com/containers/common from 0.26.0 to 0.26.2 tests/testreport: adjust for API break in storage v1.23.6 build(deps): bump github.com/containers/storage from 1.23.5 to 1.23.7 build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.6.6 copier: put: ignore Typeflag='g' Use curl to get repo file (fix #2714) build(deps): bump github.com/containers/common from 0.25.0 to 0.26.0 build(deps): bump github.com/spf13/cobra from 1.0.0 to 1.1.1 Remove docs that refer to bors, since we're not using it Buildah bud should not use stdin by default bump containerd, docker, and golang.org/x/sys Makefile: cross: remove windows.386 target copier.copierHandlerPut: don't check length when there are errors Stop excessive wrapping CI: require that conformance tests pass bump(github.com/openshift/imagebuilder) to v1.1.8 Skip tlsVerify insecure BUILD_REGISTRY_SOURCES Fix build path wrong containers/podman#7993 refactor pullpolicy to avoid deps build(deps): bump github.com/containers/common from 0.24.0 to 0.25.0 CI: run gating tasks with a lot more memory ADD and COPY: descend into excluded directories, sometimes copier: add more context to a couple of error messages copier: check an error earlier copier: log stderr output as debug on success Update nix pin with make nixpkgs Set directory ownership when copied with ID mapping build(deps): bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0 build(deps): bump github.com/containers/common from 0.23.0 to 0.24.0 Cirrus: Remove bors artifacts Sort build flag definitions alphabetically ADD: only expand archives at the right time Remove configuration for bors Shell Completion for podman build flags Bump c/common to v0.24.0 New CI check: xref --help vs man pages CI: re-enable several linters Move --userns-uid-map/--userns-gid-map description into buildah man page add: preserve ownerships and permissions on ADDed archives Makefile: tweak the cross-compile target Bump containers/common to v0.23.0 chroot: create bind mount targets 0755 instead of 0700 Change call to Split() to safer SplitN() chroot: fix handling of errno seccomp rules build(deps): bump github.com/containers/image/v5 from 5.5.2 to 5.6.0 Add In Progress section to contributing integration tests: make sure tests run in ${topdir}/tests Run(): ignore containers.conf's environment configuration Warn when setting healthcheck in OCI format Cirrus: Skip git-validate on branches tools: update git-validation to the latest commit tools: update golangci-lint to v1.18.0 Add a few tests of push command Add(): fix handling of relative paths with no ContextDir build(deps): bump github.com/containers/common from 0.21.0 to 0.22.0 Lint: Use same linters as podman Validate: reference HEAD Fix buildah mount to display container names not ids Update nix pin with make nixpkgs Add missing --format option in buildah from man page Fix up code based on codespell build(deps): bump github.com/openshift/imagebuilder from 1.1.6 to 1.1.7 build(deps): bump github.com/containers/storage from 1.23.4 to 1.23.5 Improve buildah completions Cirrus: Fix validate commit epoch Fix bash completion of manifest flags Uniform some man pages Update Buildah Tutorial to address BZ1867426 Update bash completion of manifest add sub command copier.Get(): hard link targets shouldn't be relative paths build(deps): bump github.com/onsi/gomega from 1.10.1 to 1.10.2 Pass timestamp down to history lines Timestamp gets updated everytime you inspect an image bud.bats: use absolute paths in newly-added tests contrib/cirrus/lib.sh: don't use CN for the hostname tests: Add some tests Update manifest add man page Extend flags of manifest add build(deps): bump github.com/containers/storage from 1.23.3 to 1.23.4 build(deps): bump github.com/onsi/ginkgo from 1.14.0 to 1.14.1 CI: expand cross-compile checks Update to v1.16.2 : fix build on 32bit arches containerImageRef.NewImageSource(): don't always force timestamps Add fuse module warning to image readme Heed our retry delay option values when retrying commit/pull/push Switch to containers/common for seccomp Use --timestamp rather then --omit-timestamp docs: remove outdated notice docs: remove outdated notice build-using-dockerfile: add a hidden --log-rusage flag build(deps): bump github.com/containers/image/v5 from 5.5.1 to 5.5.2 Discard ReportWriter if user sets options.Quiet build(deps): bump github.com/containers/common from 0.19.0 to 0.20.3 Fix ownership of content copied using COPY --from newTarDigester: zero out timestamps in tar headers Update nix pin with `make nixpkgs` bud.bats: correct .dockerignore integration tests Use pipes for copying run: include stdout in error message run: use the correct error for errors.Wrapf copier: un-export internal types copier: add Mkdir() in_podman: don't get tripped up by $CIRRUS_CHANGE_TITLE docs/buildah-commit.md: tweak some wording, add a --rm example imagebuildah: don’t blank out destination names when COPYing Replace retry functions with common/pkg/retry StageExecutor.historyMatches: compare timestamps using .Equal Update vendor of containers/common Fix errors found in coverity scan Change namespace handling flags to better match podman commands conformance testing: ignore buildah.BuilderIdentityAnnotation labels Vendor in containers/storage v1.23.0 Add buildah.IsContainer interface Avoid feeding run_buildah to pipe fix(buildahimage): add xz dependency in buildah image Bump github.com/containers/common from 0.15.2 to 0.18.0 Howto for rootless image building from OpenShift Add --omit-timestamp flag to buildah bud Update nix pin with `make nixpkgs` Shutdown storage on failures Handle COPY --from when an argument is used Bump github.com/seccomp/containers-golang from 0.5.0 to 0.6.0 Cirrus: Use newly built VM images Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc92 Enhance the .dockerignore man pages conformance: add a test for COPY from subdirectory fix bug manifest inspct Add documentation for .dockerignore Add BuilderIdentityAnnotation to identify buildah version DOC: Add quay.io/containers/buildah image to README.md Update buildahimages readme fix spelling mistake in 'info' command result display Don't bind /etc/host and /etc/resolv.conf if network is not present blobcache: avoid an unnecessary NewImage() Build static binary with `buildGoModule` copier: split StripSetidBits into StripSetuidBit/StripSetgidBit/StripStickyBit tarFilterer: handle multiple archives Fix a race we hit during conformance tests Rework conformance testing Update 02-registries-repositories.md test-unit: invoke cmd/buildah tests with --flags parse: fix a type mismatch in a test Fix compilation of tests/testreport/testreport build.sh: log the version of Go that we're using test-unit: increase the test timeout to 40/45 minutes Add the 'copier' package Fix & add notes regarding problematic language in codebase Add dependency on github.com/stretchr/testify/require CompositeDigester: add the ability to filter tar streams BATS tests: make more robust vendor golang.org/x/text@v0.3.3 Switch golang 1.12 to golang 1.13 imagebuildah: wait for stages that might not have even started yet chroot, run: not fail on bind mounts from /sys chroot: do not use setgroups if it is blocked Set engine env from containers.conf imagebuildah: return the right stage's image as the 'final' image Fix a help string Deduplicate environment variables switch containers/libpod to containers/podman Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3 Bump github.com/opencontainers/selinux from 1.5.2 to 1.6.0 Mask out /sys/dev to prevent information leak linux: skip errors from the runtime kill Mask over the /sys/fs/selinux in mask branch Add VFS additional image store to container tests: add auth tests Allow 'readonly' as alias to 'ro' in mount options Ignore OS X specific consistency mount option Bump github.com/onsi/ginkgo from 1.13.0 to 1.14.0 Bump github.com/containers/common from 0.14.0 to 0.15.2 Rootless Buildah should default to IsolationOCIRootless imagebuildah: fix inheriting multi-stage builds Make imagebuildah.BuildOptions.Architecture/OS optional Make imagebuildah.BuildOptions.Jobs optional Resolve a possible race in imagebuildah.Executor.startStage() Switch scripts to use containers.conf Bump openshift/imagebuilder to v1.1.6 Bump go.etcd.io/bbolt from 1.3.4 to 1.3.5 buildah, bud: support --jobs=N for parallel execution executor: refactor build code inside new function Add bud regression tests Cirrus: Fix missing htpasswd in registry img docs: clarify the 'triples' format CHANGELOG.md: Fix markdown formatting Add nix derivation for static builds Bump to v1.16.0-dev Update to v1.15.1 Mask over the /sys/fs/selinux in mask branch chroot: do not use setgroups if it is blocked chroot, run: not fail on bind mounts from /sys Allow 'readonly' as alias to 'ro' in mount options Add VFS additional image store to container vendor golang.org/x/text@v0.3.3 Make imagebuildah.BuildOptions.Architecture/OS optional Update to v1.15.0 : Add CVE-2020-10696 to CHANGELOG.md and changelog.txt fix lighttpd example remove dependency on openshift struct Warn on unset build arguments vendor: update seccomp/containers-golang to v0.4.1 Updated docs clean up comments update exit code for tests Implement commit for encryption implementation of encrypt/decrypt push/pull/bud/from fix resolve docker image name as transport Add preliminary profiling support to the CLI Evaluate symlinks in build context directory fix error info about get signatures for containerImageSource Add Security Policy Cirrus: Fixes from review feedback imagebuildah: stages shouldn't count as their base images Update containers/common v0.10.0 Add registry to buildahimage Dockerfiles Cirrus: Use pre-installed VM packages + F32 Cirrus: Re-enable all distro versions Cirrus: Update to F31 + Use cache images golangci-lint: Disable gosimple Lower number of golangci-lint threads Fix permissions on containers.conf Don't force tests to use runc Return exit code from failed containers cgroup_manager should be under [engine] Use c/common/pkg/auth in login/logout Cirrus: Temporarily disable Ubuntu 19 testing Add containers.conf to stablebyhand build Update gitignore to exclude test Dockerfiles Remove warning for systemd inside of container Update to v1.14.6 : Make image history work correctly with new args handling Don't add args to the RUN environment from the Builder Update to v1.14.5 : Revert FIPS mode change Update to v1.14.4 : Update unshare man page to fix script example Fix compilation errors on non linux platforms Preserve volume uid and gid through subsequent commands Fix potential CVE in tarfile w/ symlink Fix .dockerignore with globs and ! commands Update to v1.14.2 : Search for local runtime per values in containers.conf Set correct ownership on working directory Improve remote manifest retrieval Correct a couple of incorrect format specifiers manifest push --format: force an image type, not a list type run: adjust the order in which elements are added to $ getDateAndDigestAndSize(): handle creation time not being set Make the commit id clear like Docker Show error on copied file above context directory in build pull/from/commit/push: retry on most failures Repair buildah so it can use containers.conf on the server side Fixing formatting & build instructions Fix XDG_RUNTIME_DIR for authfile Show validation command-line Update to v1.14.0 : getDateAndDigestAndSize(): use manifest.Digest Touch up os/arch doc chroot: handle slightly broken seccomp defaults buildahimage: specify fuse-overlayfs mount options parse: don't complain about not being able to rename something to itself Fix build for 32bit platforms Allow users to set OS and architecture on bud Fix COPY in containerfile with envvar Add --sign-by to bud/commit/push, --remove-signatures for pull/push Add support for containers.conf manifest push: add --format option Update to v1.13.1 : copyFileWithTar: close source files at the right time copy: don't digest files that we ignore Check for .dockerignore specifically Don't setup excludes, if their is only one pattern to match set HOME env to /root on chroot-isolation by default docs: fix references to containers-*.5 fix bug Add check .dockerignore COPY file buildah bud --volume: run from tmpdir, not source dir Fix imageNamePrefix to give consistent names in buildah-from cpp: use -traditional and -undef flags discard outputs coming from onbuild command on buildah-from --quiet make --format columnizing consistent with buildah images Fix option handling for volumes in build Rework overlay pkg for use with libpod Fix buildahimage builds for buildah Add support for FIPS-Mode backends Set the TMPDIR for pulling/pushing image to $TMPDIR Update to v1.12.0 : Allow ADD to use http src imgtype: reset storage opts if driver overridden Start using containers/common overlay.bats typo: fuse-overlays should be fuse-overlayfs chroot: Unmount with MNT_DETACH instead of UnmountMountpoints() bind: don't complain about missing mountpoints imgtype: check earlier for expected manifest type Add history names support Update to v1.11.6 : Handle missing equal sign in --from and --chown flags for COPY/ADD bud COPY does not download URL Fix .dockerignore exclude regression commit(docker): always set ContainerID and ContainerConfig Touch up commit man page image parameter Add builder identity annotations. Update to v1.11.5 : buildah: add 'manifest' command pkg/supplemented: add a package for grouping images together pkg/manifests: add a manifest list build/manipulation API Update for ErrUnauthorizedForCredentials API change in containers/image Update for manifest-lists API changes in containers/image version: also note the version of containers/image Move to containers/image v5.0.0 Enable --device directory as src device Add clarification to the Tutorial for new users Silence 'using cache' to ensure -q is fully quiet Move runtime flag to bud from common Commit: check for storage.ErrImageUnknown using errors.Cause() Fix crash when invalid COPY --from flag is specified. Update to v1.11.4 : buildah: add a 'manifest' command pkg/manifests: add a manifest list build/manipulation API Update for ErrUnauthorizedForCredentials API change in containers/image Update for manifest-lists API changes in containers/image Move to containers/image v5.0.0 Enable --device directory as src device Add clarification to the Tutorial for new users Silence 'using cache' to ensure -q is fully quiet Move runtime flag to bud from common Commit: check for storage.ErrImageUnknown using errors.Cause() Fix crash when invalid COPY --from flag is specified. Update to v1.11.3 : Add cgroups2 Add support for retrieving context from stdin '-' Added tutorial on how to include Buildah as library Fix --build-args handling Print build 'STEP' line to stdout, not stderr Use Containerfile by default Update to v1.11.2 : Add some cleanup code Move devices code to unit specific directory. Update to v1.11.1 : Add --devices flag to bud and from Add support for /run/.containerenv Allow mounts.conf entries for equal source and destination paths Fix label and annotation for 1-line Dockerfiles Preserve file and directory mount permissions Replace --debug=false with --log-level=error Set TMPDIR to /var/tmp by default Truncate output of too long image names Ignore EmptyLayer if Squash is set Update to v1.11.0 : Add --digestfile and Re-add push statement as debug Add --log-level command line option and deprecate --debug Add security-related volume options to validator Allow buildah bud to be called without arguments Allow to override build date with SOURCE_DATE_EPOCH Correctly detect ExitError values from Run() Disable empty logrus timestamps to reduce logger noise Fix directory pull image names Fix handling of /dev/null masked devices Fix possible runtime panic on bud Update bud/from help to contain indicator for --dns=none Update documentation about bud Update shebangs to take env into consideration Use content digests in ADD/COPY history entries add support for cgroupsV2 add: add a DryRun flag to AddAndCopyOptions add: handle hard links when copying with .dockerignore add: teach copyFileWithTar() about symlinks and directories imagebuilder: fix detection of referenced stage roots pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES run_linux: fix mounting /sys in a userns Update to v1.10.1 : Add automatic apparmor tag discovery Add overlayfs to fuse-overlayfs tip Bug fix for volume minus syntax Bump container/storage v1.13.1 and containers/image v3.0.1 Bump containers/image to v3.0.2 to fix keyring issue Fix bug whereby --get-login has no effect Bump github.com/containernetworking/cni to v0.7.1 Add appamor-pattern requirement Update build process to match the latest repository architecture Update to v1.10.0 vendor github.com/containers/image@v3.0.0 Remove GO111MODULE in favor of -mod=vendor Vendor in containers/storage v1.12.16 Add '-' minus syntax for removal of config values tests: enable overlay tests for rootless rootless, overlay: use fuse-overlayfs vendor github.com/containers/image@v2.0.1 Added '-' syntax to remove volume config option delete successfully pushed message Add golint linter and apply fixes vendor github.com/containers/storage@v1.12.15 Change wait to sleep in buildahimage readme Handle ReadOnly images when deleting images Add support for listing read/only images from/import: record the base image's digest, if it has one Fix CNI version retrieval to not require network connection Add misspell linter and apply fixes Add goimports linter and apply fixes Add stylecheck linter and apply fixes Add unconvert linter and apply fixes image: make sure we don't try to use zstd compression run.bats: skip the 'z' flag when testing --mount Update to runc v1.0.0-rc8 Update to match updated runtime-tools API bump github.com/opencontainers/runtime-tools to v0.9.0 Build e2e tests using the proper build tags Add unparam linter and apply fixes Run: correct a typo in the --cap-add help text unshare: add a --mount flag fix push check image name is not empty add: fix slow copy with no excludes Add errcheck linter and fix missing error check Improve tests/tools/Makefile parallelism and abstraction Fix response body not closed resource leak Switch to golangci-lint Add gomod instructions and mailing list links On Masked path, check if /dev/null already mounted before mounting Update to containers/storage v1.12.13 Refactor code in package imagebuildah Add rootless podman with NFS issue in documentation Add --mount for buildah run import method ValidateVolumeOpts from libpod Fix typo Makefile: set GO111MODULE=off rootless: add the built-in slirp DNS server Update docker/libnetwork to get rid of outdated sctp package Update buildah-login.md migrate to go modules install.md: mention go modules tests/tools: go module for test binaries fix --volume splits comma delimited option Add bud test for RUN with a priv'd command vendor logrus v1.4.2 pkg/cli: panic when flags can't be hidden pkg/unshare: check all errors pull: check error during report write run_linux.go: ignore unchecked errors conformance test: catch copy error chroot/run_test.go: export funcs to actually be executed tests/imgtype: ignore error when shutting down the store testreport: check json error bind/util.go: remove unused func rm chroot/util.go imagebuildah: remove unused dedupeStringSlice StageExecutor: EnsureContainerPath: catch error from SecureJoin() imagebuildah/build.go: return instead of branching rmi: avoid redundant branching conformance tests: nilness: allocate map imagebuildah/build.go: avoid redundant filepath.Join() imagebuildah/build.go: avoid redundant os.Stat() imagebuildah: omit comparison to bool fix 'ineffectual assignment' lint errors docker: ignore 'repeats json tag' lint error pkg/unshare: use ... instead of iterating a slice conformance: bud test: use raw strings for regexes conformance suite: remove unused func/var buildah test suite: remove unused vars/funcs testreport: fix golangci-lint errors util: remove redundant return statement chroot: only log clean-up errors images_test: ignore golangci-lint error blobcache: log error when draining the pipe imagebuildah: check errors in deferred calls chroot: fix error handling in deferred funcs cmd: check all errors chroot/run_test.go: check errors chroot/run.go: check errors in deferred calls imagebuildah.Executor: remove unused onbuild field docker/types.go: remove unused struct fields util: use strings.ContainsRune instead of index check Cirrus: Initial implementation buildah-run: fix-out-of-range panic (2) Update containers/image to v2.0.0 run: fix hang with run and --isolation=chroot run: fix hang when using run chroot: drop unused function call remove --> before imgageID on build Always close stdin pipe Write deny to setgroups when doing single user mapping Avoid including linux/memfd.h Add a test for the symlink pointing to a directory Add missing continue Fix the handling of symlinks to absolute paths Only set default network sysctls if not rootless Support --dns=none like podman fix bug --cpu-shares parsing typo Fix validate complaint Update vendor on containers/storage to v1.12.10 Create directory paths for COPY thereby ensuring correct perms imagebuildah: use a stable sort for comparing build args imagebuildah: tighten up cache checking bud.bats: add a test verying the order of --build-args add -t to podman run imagebuildah: simplify screening by top layers imagebuildah: handle ID mappings for COPY --from imagebuildah: apply additionalTags ourselves bud.bats: test additional tags with cached images bud.bats: add a test for WORKDIR and COPY with absolute destinations Cleanup Overlay Mounts content Add support for file secret mounts Add ability to skip secrets in mounts file allow 32bit builds fix tutorial instructions imagebuilder: pass the right contextDir to Add() add: use fileutils.PatternMatcher for .dockerignore bud.bats: add another .dockerignore test unshare: fallback to single usermapping addHelperSymlink: clear the destination on os.IsExist errors bud.bats: test replacing symbolic links imagebuildah: fix handling of destinations that end with '/' bud.bats: test COPY with a final '/' in the destination linux: add check for sysctl before using it unshare: set _CONTAINERS_ROOTLESS_GID Rework buildahimamges build context: support https git repos Add a test for ENV special chars behaviour Check in new Dockerfiles Apply custom SHELL during build time config: expand variables only at the command line SetEnv: we only need to expand v once Add default /root if empty on chroot iso Add support for Overlay volumes into the container. Export buildah validate volume functions so it can share code with libpod Bump baseline test to F30 Fix rootless handling of /dev/shm size Avoid fmt.Printf() in the library imagebuildah: tighten cache checking back up Handle WORKDIR with dangling target Default Authfile to proper path Make buildah run --isolation follow BUILDAH_ISOLATION environment Vendor in latest containers/storage and containers/image getParent/getChildren: handle layerless images imagebuildah: recognize cache images for layerless images bud.bats: test scratch images with --layers caching Get CHANGELOG.md updates Add some symlinks to test our .dockerignore logic imagebuildah: addHelper: handle symbolic links commit/push: use an everything-allowed policy Correct manpage formatting in files section Remove must be root statement from buildah doc Change image names to stable, testing and upstream Don't create directory on container Replace kubernetes/pause in tests with k8s.gcr.io/pause imagebuildah: don't remove intermediate images if we need them Rework buildahimagegit to buildahimageupstream Fix Transient Mounts Handle WORKDIRs that are symlinks allow podman to build a client for windows Touch up 1.9-dev to 1.9.0-dev Resolve symlink when checking container path commit: commit on every instruction, but not always with layers CommitOptions: drop the unused OnBuild field makeImageRef: pass in the whole CommitOptions structure cmd: API cleanup: stores before images run: check if SELinux is enabled Fix buildahimages Dockerfiles to include support for additionalimages mounted from host. Detect changes in rootdir Fix typo in buildah-pull(1) Vendor in latest containers/storage Keep track of any build-args used during buildah bud --layers commit: always set a parent ID imagebuildah: rework unused-argument detection fix bug dest path when COPY .dockerignore Move Host IDMAppings code from util to unshare Add BUILDAH_ISOLATION rootless back Travis CI: fail fast, upon error in any step imagebuildah: only commit images for intermediate stages if we have to Use errors.Cause() when checking for IsNotExist errors auto pass http_proxy to container imagebuildah: don't leak image structs Add Dockerfiles for buildahimages Bump to Replace golang 1.10 with 1.12 add --dns* flags to buildah bud Add hack/build_speed.sh test speeds on building container images Create buildahimage Dockerfile for Quay rename 'is' to 'expect_output' squash.bats: test squashing in multi-layered builds bud.bats: test COPY --from in a Dockerfile while using the cache commit: make target image names optional Fix bud-args to allow comma separation oops, missed some tests in commit.bats new helper: expect_line_count New tests for #1467 (string slices in cmdline opts) Workarounds for dealing with travis; review feedback BATS tests - extensive but minor cleanup imagebuildah: defer pulling images for COPY --from imagebuildah: centralize COMMIT and image ID output Travis: do not use traviswait imagebuildah: only initialize imagebuilder configuration once per stage Make cleaner error on Dockerfile build errors unshare: move to pkg/ unshare: move some code from cmd/buildah/unshare Fix handling of Slices versus Arrays imagebuildah: reorganize stage and per-stage logic imagebuildah: add empty layers for instructions Add missing step in installing into Ubuntu fix bug in .dockerignore support imagebuildah: deduplicate prepended 'FROM' instructions Touch up intro commit: set created-by to the shell if it isn't set commit: check that we always set a 'created-by' docs/buildah.md: add 'containers-' prefixes under 'SEE ALSO' Update to v1.7.2 Updates vendored containers/storage to latest version rootless: by default use the host network namespace Full changelog: https://github.com/containers/buildah/releases/tag/v1.6 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.