SUSE-RU-2019:2624-1: moderate: Recommended update for umoci

sle-updates at lists.suse.com
Thu Oct 10 07:10:47 MDT 2019


   SUSE Recommended Update: Recommended update for umoci
______________________________________________________________________________

Announcement ID:    SUSE-RU-2019:2624-1
Rating:             moderate
References:         
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

   An update that has 0 recommended fixes can now be installed.

Description:

   This update for umoci fixes the following issues:

   - Enable build for s390x on openSUSE

   - Update to umoci v0.4.4.

     * Added full-stack verification of blob hashes and descriptors for all
       operations (improving our hardening against bad images).
     * For details, see CHANGELOG.md in the package.

   - Update to umoci v0.4.3.

     * Added --no-history to all commands with --history.* flags. Should only
       be used for umoci-config(1).
     * Added `umoci insert --tag` to allow non-destructive modifications.
     * For details, see packaged /usr/share/doc/packages/umoci/CHANGELOG.md.

   - Update to umoci v0.4.2.

     * umoci now has an exposed Go API
     * Added `umoci unpack --keep-dirlinks`
     * `umoci insert` now supports whiteouts two ways.
     * For details, see CHANGELOG.md in the package.

   - Update to umoci v0.4.1.

     * Support more tags (the valid set of characters in tags has expanded).
     * Add 'umoci insert' and 'umoci raw unpack'.
     * 'umoci unpack' correctly handles out-of-order whiteouts now.
     * 'umoci unpack' and 'umoci repack' make use of a more optimised gzip
       implementation now -- in some benchmarks 'umoci repack' can have a
       speedup of up to 3x.
     * For details, see CHANGELOG.md in the package.

   - Update to umoci v0.4.0. Upstream changelog:

     + `umoci repack` now supports `--refresh-bundle` which will update the
       OCI bundle's metadata (mtree and umoci-specific manifests) after
       packing the image tag. This means that the bundle can be used as a base
       layer for future diffs without needing to unpack the image again.
       openSUSE/umoci#196
     + Added a website, and reworked the documentation to be better
       structured. You can visit the website at [`umo.ci`][umo.ci].
       openSUSE/umoci#188
     + Added support for the `user.rootlesscontainers` specification, which
       allows for persistent on-disk emulation of `chown(2)` inside rootless
       containers. This implementation is interoperable with [@AkihiroSuda's
       `PRoot` fork][as-proot-fork] (though we do not test its
       interoperability at the moment) as both tools use [the same protobuf
       specification][rootlesscontainers-proto]. openSUSE/umoci#227
     + `umoci unpack` now has support for opaque whiteouts (whiteouts which
       remove all children of a directory in the lower layer), though `umoci
       repack` does not currently have support for generating them. While this
       is technically a spec requirement, through testing we've never
       encountered an actual user of these whiteouts. openSUSE/umoci#224
       openSUSE/umoci#229
     + `umoci unpack` will now use some rootless tricks inside user namespaces
       for operations that are known to fail (such as `mknod(2)`) while other
       operations will be carried out as normal (such as `lchown(2)`). It
       should be noted that the `/proc/self/uid_map` checking we do can be
       tricked into not detecting user namespaces, but you would need to be
       trying to break it on purpose. openSUSE/umoci#171 openSUSE/umoci#230
     * Fix a bug in our "parent directory restore" code, which is responsible
       for ensuring that the mtime and other similar properties of a directory
       are not modified by extraction inside said directory. The bug would
       manifest as xattrs not being restored properly in certain edge-cases
       (which we incidentally hit in a test-case). openSUSE/umoci#161
       openSUSE/umoci#162
     * `umoci unpack` will now "clean up" the bundle generated if an error
       occurs during unpacking. Previously this didn't happen, which made
       cleaning up the responsibility of the caller (which was quite
       difficult if you were unprivileged). This is a breaking change, but is
       in the error path so it's not critical. openSUSE/umoci#174
       openSUSE/umoci#187
     * `umoci gc` now will no longer remove unknown files and directories that
       aren't `flock(2)`ed, thus ensuring that any possible OCI image-spec
       extensions or other users of an image being operated on will no longer
       break. openSUSE/umoci#198
     * `umoci unpack --rootless` will now correctly handle regular file
       unpacking when overwriting a file that `umoci` doesn't have write
       access to. In addition, the semantics of pre-existing hardlinks to a
       clobbered file are clarified (the hard-links will not refer to the new
       layer's inode). openSUSE/umoci#222 openSUSE/umoci#223

     [as-proot-fork]: https://github.com/AkihiroSuda/runrootless
     [rootlesscontainers-proto]: https://rootlesscontaine.rs/proto/rootlesscontainers.proto
     [umo.ci]: https://umo.ci/
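
   The v0.4.4 entry above mentions verification of blob hashes and
   descriptors. As an added illustration (not umoci's code and not part of
   the original announcement), this is the general shape of checking a blob
   against an OCI descriptor's digest and size. The names Descriptor,
   Describe and VerifyBlob are hypothetical, and only sha256 is handled.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Descriptor carries the two OCI descriptor fields this check relies on.
type Descriptor struct {
	Digest string // "sha256:<64 hex chars>"
	Size   int64  // exact blob length in bytes
}

// Describe builds the descriptor a trusted producer would record for blob.
func Describe(blob []byte) Descriptor {
	sum := sha256.Sum256(blob)
	return Descriptor{"sha256:" + hex.EncodeToString(sum[:]), int64(len(blob))}
}

// VerifyBlob streams r and rejects it unless both size and digest match d.
func VerifyBlob(d Descriptor, r io.Reader) error {
	want := strings.TrimPrefix(d.Digest, "sha256:")
	if want == d.Digest || len(want) != 64 || d.Size < 0 {
		return fmt.Errorf("malformed or unsupported descriptor %+v", d)
	}
	h := sha256.New()
	// Read one byte past Size so trailing data is caught without hashing it all.
	n, err := io.Copy(h, io.LimitReader(r, d.Size+1))
	if err != nil {
		return err
	}
	if n != d.Size {
		return fmt.Errorf("size mismatch: descriptor %d, read at least %d", d.Size, n)
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != want {
		return fmt.Errorf("digest mismatch: want %s, got %s", want, got)
	}
	return nil
}

func main() {
	layer := []byte("constructed sample layer contents") // constructed input
	d := Describe(layer)
	fmt.Println("intact:  ", VerifyBlob(d, bytes.NewReader(layer)))
	fmt.Println("tampered:", VerifyBlob(d, bytes.NewReader([]byte("Constructed sample layer contents"))))
	fmt.Println("padded:  ", VerifyBlob(d, bytes.NewReader(append(layer, 0))))
}
```

   Checking the size as well as the digest bounds how much data is read
   before a blob with trailing bytes is rejected.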


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2624=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2624=1



Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      umoci-0.4.4-4.3.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      umoci-0.4.4-4.3.1


References:



