354 lines
13 KiB
RPMSpec
354 lines
13 KiB
RPMSpec
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=openEuler-hardened-ld '" -a -v -x %{?**};
|
|
|
|
Name: podman
|
|
Version: 3.4.4
|
|
Release: 8
|
|
Summary: A daemonless container engine for managing Containers
|
|
Epoch: 1
|
|
License: ASL 2.0
|
|
URL: https://podman.io/
|
|
Source0: https://github.com/containers/podman/archive/v3.4.4.tar.gz
|
|
Source1: https://github.com/containers/dnsname/archive/18822f9a4fb35d1349eb256f4cd2bfd372474d84/dnsname-18822f9.tar.gz
|
|
Source2: https://github.com/containers/podman-machine-cni/archive/0749884b8d1a455c68da30789e37811ec0809d51/podman-machine-cni-0749884.tar.gz
|
|
Source3: https://github.com/containers/gvisor-tap-vsock/archive/4ee84d66bd86668f011733d8873989b5862bcd07/gvisor-tap-vsock-4ee84d6.tar.gz
|
|
Source4: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
|
|
|
|
BuildRequires: golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
|
|
BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel
|
|
BuildRequires: libselinux-devel ostree-devel pkgconfig make git
|
|
Requires: crun containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon
|
|
Requires: (container-selinux if selinux-policy)
|
|
Recommends: %{name}-plugins = %{epoch}:%{version}-%{release}
|
|
Recommends: slirp4netns catatonit
|
|
|
|
Patch1: 0001-Fix-the-invalid-memory-address-reference.patch
|
|
Patch2: 0002-add-openEuler-hardened-ld.patch
|
|
Patch3: 0003-CVE-2022-32149.patch
|
|
Patch4: 0004-fix-CVE-2024-37298.patch
|
|
Patch5: 0005-Fix-CVE-2023-0778.patch
|
|
Patch6: 0006-fix-cve-2022-2989.patch
|
|
Patch7: 0007-fix-cve-2022-27649.patch
|
|
|
|
%description
|
|
Podman manages the entire container ecosystem which includes pods,
|
|
containers, container images, and container volumes using the libpod library.
|
|
|
|
%package docker
|
|
Summary: Docker CLI emulator for podman
|
|
BuildArch: noarch
|
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
|
Conflicts: docker docker-latest docker-ce docker-ee moby-engine
|
|
|
|
%description docker
|
|
This package installs a script named docker, which emulates the Docker CLI through podman command.
|
|
|
|
%package tests
|
|
Summary: Tests for %{name}
|
|
|
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
|
Requires: bats
|
|
Requires: jq
|
|
Requires: skopeo
|
|
Requires: nmap-ncat
|
|
Requires: httpd-tools
|
|
Requires: openssl
|
|
Requires: socat
|
|
Requires: buildah
|
|
Requires: gnupg
|
|
|
|
%description tests
|
|
%{summary}
|
|
|
|
This package contains system tests for %{name}
|
|
|
|
%package remote
|
|
Summary: (Experimental) Remote client for managing %{name} containers
|
|
|
|
%description remote
|
|
Remote client for managing %{name} containers.
|
|
|
|
This experimental remote client is under heavy development. Please do not
|
|
run %{name}-remote in production.
|
|
|
|
%{name}-remote uses the version 2 API to connect to a %{name} client to
|
|
manage pods, containers and container images. %{name}-remote supports ssh
|
|
connections as well.
|
|
|
|
%package plugins
|
|
Summary: Plugins for %{name}
|
|
Requires: dnsmasq
|
|
Recommends: %{name}-gvproxy = %{epoch}:%{version}-%{release}
|
|
|
|
%description plugins
|
|
This plugin sets up the use of dnsmasq on a given CNI network so
|
|
that Pods can resolve each other by name. When configured,
|
|
the pod and its IP address are added to a network specific hosts file
|
|
that dnsmasq will read in. Similarly, when a pod
|
|
is removed from the network, it will remove the entry from the hosts
|
|
file. Each CNI network will have its own dnsmasq instance.
|
|
|
|
%package gvproxy
|
|
Summary: Go replacement for libslirp and VPNKit
|
|
|
|
%description gvproxy
|
|
A replacement for libslirp and VPNKit, written in pure Go.
|
|
It is based on the network stack of gVisor. Compared to libslirp,
|
|
gvisor-tap-vsock brings a configurable DNS server and
|
|
dynamic port forwarding.
|
|
|
|
%package help
|
|
Summary: Help document for the podman package
|
|
Buildarch: noarch
|
|
Conflicts: docker docker-latest docker-ce docker-ee moby-engine
|
|
|
|
%description help
|
|
Help document for the podman package
|
|
|
|
%prep
|
|
%setup -n %{name}-%{version}
|
|
# untar dnsname
|
|
tar zxf %{SOURCE1}
|
|
# untar %%{name}-machine-cni
|
|
tar zxf %{SOURCE2}
|
|
# untar %%{name}-gvproxy
|
|
tar zxf %{SOURCE3}
|
|
tar -xf %{SOURCE4}
|
|
|
|
%patch1 -p1
|
|
%patch2 -p1
|
|
%patch3 -p1
|
|
%patch4 -p1
|
|
%patch5 -p1
|
|
%patch6 -p1
|
|
%patch7 -p1
|
|
|
|
%build
|
|
GO_MD2MAN_PATH="$(pwd)%{_bindir}"
|
|
mkdir -p _buildgo2man/bin $GO_MD2MAN_PATH
|
|
cd go-md2man-*
|
|
go build -mod=vendor -o ../_buildgo2man/bin/go-md2man .
|
|
cp ../_buildgo2man/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
|
|
export PATH=$GO_MD2MAN_PATH:$PATH
|
|
cd -
|
|
|
|
%set_build_flags
|
|
export GO111MODULE=off
|
|
export GOPATH=$(pwd)/_build:$(pwd)
|
|
export CGO_CFLAGS=$CFLAGS
|
|
# These extra flags present in $CFLAGS have been skipped for now as they break the build
|
|
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
|
|
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
|
|
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
|
|
|
|
%ifarch x86_64
|
|
export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
|
|
%endif
|
|
|
|
mkdir _build
|
|
pushd _build
|
|
mkdir -p src/github.com/containers
|
|
ln -s ../../../../ src/github.com/containers/podman
|
|
popd
|
|
ln -s vendor src
|
|
# build %%{name}
|
|
export BUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh) $(hack/selinux_tag.sh) $(hack/systemd_tag.sh)"
|
|
|
|
# build date. FIXME: Makefile uses '/v2/libpod', that doesn't work here?
|
|
LDFLAGS="-X github.com/containers/podman/libpod/define.buildInfo=$(date +%s)"
|
|
|
|
%gobuild -o bin/%{name} github.com/containers/podman/cmd/%{name}
|
|
|
|
# build %%{name}-remote
|
|
export BUILDTAGS+=" exclude_graphdriver_btrfs btrfs_noversion remote"
|
|
%gobuild -o bin/%{name}-remote github.com/containers/podman/cmd/%{name}
|
|
|
|
pushd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
|
|
mkdir _build
|
|
pushd _build
|
|
mkdir -p src/github.com/containers
|
|
ln -s ../../../../ src/github.com/containers/dnsname
|
|
popd
|
|
ln -s vendor src
|
|
export GOPATH=$(pwd)/_build:$(pwd)
|
|
%gobuild -o bin/dnsname github.com/containers/dnsname/plugins/meta/dnsname
|
|
popd
|
|
|
|
pushd podman-machine-cni-0749884b8d1a455c68da30789e37811ec0809d51
|
|
mkdir _build
|
|
pushd _build
|
|
mkdir -p src/github.com/containers
|
|
ln -s ../../../../ src/github.com/containers/podman-machine-cni
|
|
popd
|
|
ln -s vendor src
|
|
export GOPATH=$(pwd)/_build:$(pwd)
|
|
%gobuild -o bin/%{name}-machine github.com/containers/podman-machine-cni/plugins/meta/%{name}-machine
|
|
popd
|
|
|
|
pushd gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07
|
|
mkdir _build
|
|
pushd _build
|
|
mkdir -p src/github.com/containers
|
|
ln -s ../../../../ src/github.com/containers/gvisor-tap-vsock
|
|
popd
|
|
ln -s vendor src
|
|
export GOPATH=$(pwd)/_build:$(pwd)
|
|
%gobuild -o bin/gvproxy github.com/containers/gvisor-tap-vsock/cmd/gvproxy
|
|
popd
|
|
|
|
BUILDTAGS=$BUILDTAGS make docs docker-docs
|
|
|
|
%install
|
|
install -dp %{buildroot}%{_unitdir}
|
|
make PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \
|
|
install.bin-nobuild install.man-nobuild install.systemd install.completions install.docker install.docker-docs-nobuild install.remote-nobuild
|
|
|
|
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.service %{buildroot}%{_userunitdir}/podman-auto-update.service
|
|
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.timer %{buildroot}%{_userunitdir}/podman-auto-update.timer
|
|
install -Z -m 644 contrib/systemd/user/podman.socket %{buildroot}%{_userunitdir}/podman.socket
|
|
install -Z -m 644 contrib/systemd/user/podman.service %{buildroot}%{_userunitdir}/podman.service
|
|
install -Z -m 644 contrib/systemd/user/podman-restart.service %{buildroot}%{_userunitdir}/podman-restart.service
|
|
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.service %{buildroot}%{_unitdir}/podman-auto-update.service
|
|
install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.timer %{buildroot}%{_unitdir}/podman-auto-update.timer
|
|
install -Z -m 644 contrib/systemd/system/podman.socket %{buildroot}%{_unitdir}/podman.socket
|
|
install -Z -m 644 contrib/systemd/system/podman.service %{buildroot}%{_unitdir}/podman.service
|
|
install -Z -m 644 contrib/systemd/system/podman-restart.service %{buildroot}%{_unitdir}/podman-restart.service
|
|
|
|
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
|
|
|
|
# install dnsname plugin
|
|
pushd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
|
|
%{__make} PREFIX=%{_prefix} DESTDIR=%{buildroot} install
|
|
popd
|
|
|
|
# install machine-cni plugin
|
|
pushd podman-machine-cni-0749884b8d1a455c68da30789e37811ec0809d51
|
|
%{__make} PREFIX=%{_prefix} DESTDIR=%{buildroot} install
|
|
popd
|
|
|
|
# install gvproxy
|
|
pushd gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07
|
|
install -dp %{buildroot}%{_libexecdir}/%{name}
|
|
install -p -m0755 bin/gvproxy %{buildroot}%{_libexecdir}/%{name}
|
|
popd
|
|
|
|
# do not include docker and podman-remote man pages in main package
|
|
for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
|
|
echo "$file*" >> podman.file-list
|
|
done
|
|
|
|
%global license %doc
|
|
|
|
%files
|
|
%license LICENSE
|
|
%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md transfer.md
|
|
%{_bindir}/%{name}
|
|
%{_datadir}/bash-completion/completions/%{name}
|
|
%dir %{_datadir}/zsh/site-functions
|
|
%{_datadir}/zsh/site-functions/_%{name}
|
|
%dir %{_datadir}/fish/vendor_completions.d
|
|
%{_datadir}/fish/vendor_completions.d/%{name}.fish
|
|
%{_unitdir}/%{name}-auto-update.service
|
|
%{_unitdir}/%{name}-auto-update.timer
|
|
%{_unitdir}/%{name}.service
|
|
%{_unitdir}/%{name}.socket
|
|
%{_unitdir}/%{name}-restart.service
|
|
%{_userunitdir}/%{name}-auto-update.service
|
|
%{_userunitdir}/%{name}-auto-update.timer
|
|
%{_userunitdir}/%{name}.service
|
|
%{_userunitdir}/%{name}.socket
|
|
%{_userunitdir}/%{name}-restart.service
|
|
%{_usr}/lib/tmpfiles.d/%{name}.conf
|
|
|
|
%files docker
|
|
%{_bindir}/docker
|
|
%{_usr}/lib/tmpfiles.d/%{name}-docker.conf
|
|
|
|
%files help
|
|
%{_mandir}/man1/{docker*.1*,podman*.1*}
|
|
%{_mandir}/man5/*.5*
|
|
|
|
%files remote
|
|
%license LICENSE
|
|
%{_bindir}/%{name}-remote
|
|
%{_mandir}/man1/%{name}-remote*.*
|
|
%{_datadir}/bash-completion/completions/%{name}-remote
|
|
%dir %{_datadir}/fish/vendor_completions.d
|
|
%{_datadir}/fish/vendor_completions.d/%{name}-remote.fish
|
|
%dir %{_datadir}/zsh/site-functions
|
|
%{_datadir}/zsh/site-functions/_%{name}-remote
|
|
|
|
%files plugins
|
|
%license dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/LICENSE
|
|
%doc dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/{README.md,README_PODMAN.md}
|
|
%dir %{_libexecdir}/cni
|
|
%{_libexecdir}/cni/dnsname
|
|
%{_libexecdir}/cni/%{name}-machine
|
|
|
|
%files gvproxy
|
|
%license gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/LICENSE
|
|
%doc gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/README.md
|
|
%dir %{_libexecdir}/%{name}
|
|
%{_libexecdir}/%{name}/gvproxy
|
|
|
|
%changelog
|
|
* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-8
|
|
- fix cve 2022-27649
|
|
|
|
* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-7
|
|
- fix cve-2022-2989
|
|
|
|
* Thu Jan 16 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-6
|
|
- Fix CVE-2023-0778
|
|
|
|
* Mon Jan 13 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-5
|
|
- Fix CVE-2024-37298
|
|
|
|
* Thu Jan 09 2025 duyiwei <duyiwei@kylinos.cn> - 1:3.4.4-4
|
|
- Type:bugfix
|
|
- CVE:CVE-2024-9355、CVE-2019-9514、CVE-2024-24791、CVE-2022-32189、CVE-2022-41715、CVE-2022-2880、CVE-2022-1962、CVE-2023-45290、CVE-2024-24783、CVE-2024-24785
|
|
- SUG:NA
|
|
- DESC: Optimize spec files and fix CVE in batches through rebuild
|
|
|
|
* Tue Aug 20 2024 Xuebing Li <lixuebing@cqsoftware.com.cn> - 1:3.4.4-3
|
|
- Add 'Buildarch: noarch' to the help subpackage
|
|
|
|
* Thu Apr 25 2024 lijian <lijian2@kylinos.cn> - 1:3.4.4-2
|
|
- Fix CVE-2022-32149
|
|
|
|
* Tue Jul 05 2022 fushanqing <fushanqing@kylinos.cn> - 1:3.4.4-1
|
|
- update to 3.4.4
|
|
|
|
* Mon Mar 28 2022 Ge Wang <wangge20@huawei.com> 1:0.10.1-12
|
|
- Set umask to 022 ensure create directories with 0755 mode
|
|
|
|
* Sat Jan 08 2022 houyingchao <houyingchao@huawei.com> 1:0.10.1-11
|
|
- Solve the podman's compilation failure
|
|
|
|
* Wed Mar 31 2021 maminjie <maminjie1@huawei.com> - 1:0.10.1-10
|
|
- Eat signal 23 in signal proxy
|
|
- Require container-selinux only when selinux-policy is installed
|
|
|
|
* Sat Mar 13 2021 maminjie <maminjie1@huawei.com> - 1:0.10.1-9
|
|
- Fix the invalid memory address reference
|
|
|
|
* Wed Mar 3 2021 wangxiao <wangxiao65@huawei.com> - 1:0.10.1-8
|
|
- Fix CVE-2021-20188
|
|
|
|
* Thu Feb 18 2021 lingsheng <lingsheng@huawei.com> - 1:0.10.1-7
|
|
- Resolve go-md2man dependency
|
|
|
|
* Mon Feb 8 2021 lingsheng <lingsheng@huawei.com> - 1:0.10.1-6
|
|
- Change BuildRequires to golang
|
|
|
|
* Sat Jan 9 2021 Shengjing Wei <weishengjing1@huawei.com> - 1:0.10.1-5
|
|
- Fixed podman pull failed with issue I2BF99
|
|
|
|
* Wed Sep 9 2020 Guoshuai Sun <sunguoshuai@huawei.com> - 1:0.10.1-4
|
|
- Add conflicts with docker-engine for help package
|
|
|
|
* Thu Mar 12 2020 Ling Yang <lingyang2@huawei.com> - 1:0.10.1-3
|
|
- Fixed install fail
|
|
|
|
* Mon Dec 2 2019 shijian <shijian16@huawei.com> - 1:0.10.1-2
|
|
- Package init
|