Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Mateusz Malisz 2020-12-15 16:31:49 -08:00 коммит произвёл GitHub
Родитель 283d6cde5a
Коммит 0695cac045
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
29 изменённых файлов: 3929 добавлений и 269 удалений


@ -0,0 +1,24 @@
diff -up busybox-1.31.1/libbb/Kbuild.src.stime busybox-1.31.1/libbb/Kbuild.src
--- busybox-1.31.1/libbb/Kbuild.src.stime 2019-11-13 17:08:22.808371597 -0500
+++ busybox-1.31.1/libbb/Kbuild.src 2019-11-13 17:08:50.154882529 -0500
@@ -198,3 +198,6 @@ lib-$(CONFIG_FEATURE_FIND_REGEX) += xreg
# Add the experimental logging functionality, only used by zcip
lib-$(CONFIG_ZCIP) += logenv.o
+
+lib-$(CONFIG_DATE) += stime.o
+lib-$(CONFIG_RDATE) += stime.o
diff -up busybox-1.31.1/libbb/stime.c.stime busybox-1.31.1/libbb/stime.c
--- busybox-1.31.1/libbb/stime.c.stime 2019-11-13 17:07:06.905723262 -0500
+++ busybox-1.31.1/libbb/stime.c 2019-11-13 17:07:51.769924328 -0500
@@ -0,0 +1,10 @@
+#include <time.h>
+#include <sys/time.h>
+
+int stime(const time_t *t) {
+ struct timeval tv;
+
+ tv.tv_sec = *t;
+ tv.tv_usec = 0;
+ return settimeofday(&tv, NULL);
+}
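Review bot: The new `stime()` in libbb/stime.c is an external function with a libc name and no comment saying why busybox carries its own copy; presumably it exists because newer glibc no longer exports stime(). The spec in this commit also links statically against uClibc on most architectures, so where the C library still provides stime() there would be two definitions of the symbol, and it is worth confirming the static link resolves to this one cleanly. The patch file is named for 1.31.1 while the spec builds 1.32.0; if that release no longer calls stime(), the patch is dead code and can be dropped. At minimum I would add `/* Replacement for stime(), absent from newer glibc; sets the clock via settimeofday(). */` above the function.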



@ -0,0 +1,7 @@
{
"Signatures": {
"busybox-1.32.0.tar.bz2": "c35d87f1d04b2b153d33c275c2632e40d388a88f19a9e71727e0bbbff51fe689",
"busybox-petitboot.config": "28a4006863e0125bb564159c120067cb83b52ee0a829579cd399274cc78a10be",
"busybox-static.config": "6f2f534548da57df8b1f5fd4dfe6ceece0f1b97bf7d0baa4c484ac9850cf8e37"
}
}

610
SPECS/busybox/busybox.spec Normal file

@ -0,0 +1,610 @@
Summary: Statically linked binary providing simplified versions of system commands
Name: busybox
Version: 1.32.0
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://busybox.net/
Source: https://www.busybox.net/downloads/%{name}-%{version}.tar.bz2
Source1: busybox-static.config
Source2: busybox-petitboot.config
Patch0: busybox-1.31.1-stime-fix.patch
BuildRequires: gcc
BuildRequires: glibc-devel
BuildRequires: libselinux-devel >= 1.27.7-2
BuildRequires: libsepol-devel
# libbb/hash_md5_sha.c
# https://bugzilla.redhat.com/1024549
Provides: bundled(md5-drepper2)
# This package used to include a bundled copy of uClibc, but we now
# use the system copy.
%ifnarch aarch64
BuildRequires: uclibc-devel
%endif
%package petitboot
Summary: Version of busybox configured for use with petitboot
%description
Busybox is a single binary which includes versions of a large number
of system commands, including a shell. This package can be very
useful for recovering from certain types of system failures,
particularly those involving broken shared libraries.
%description petitboot
Busybox is a single binary which includes versions of a large number
of system commands, including a shell. The version contained in this
package is a minimal configuration intended for use with the Petitboot
bootloader used on PlayStation 3. The busybox package provides a binary
better suited to normal use.
%prep
%setup -q
%patch0 -p1 -b .stime
%build
# create static busybox - the executable is kept as busybox-static
# We use uclibc instead of system glibc, uclibc is several times
# smaller, this is important for static build.
# uclibc can't be built on ppc64,s390,ia64, we set $arch to "" in this case
arch=`uname -m | sed -e 's/i.86/i386/' -e 's/armv7l/arm/' -e 's/armv5tel/arm/' -e 's/aarch64//' -e 's/ppc64le//' -e 's/ppc64//' -e 's/powerpc64//' -e 's/ppc//' -e 's/ia64//' -e 's/s390.*//'`
cp %{SOURCE1} .config
# set all new options to defaults
yes "" | make oldconfig
# gcc needs to be convinced to use neither system headers, nor libs,
# nor startfiles (i.e. crtXXX.o files)
# Also turn the stack protector off, otherwise the program segfaults.
if test "$arch"; then \
mv .config .config1 && \
grep -v \
-e ^CONFIG_FEATURE_HAVE_RPC \
-e ^CONFIG_FEATURE_MOUNT_NFS \
-e ^CONFIG_FEATURE_INETD_RPC \
-e ^CONFIG_SELINUX \
.config1 >.config && \
yes "" | make oldconfig && \
cat .config && \
make V=1 \
EXTRA_CFLAGS="-g -isystem %{_includedir}/uClibc -fno-stack-protector" \
CFLAGS_busybox="-static -nostartfiles -L%{_libdir}/uClibc %{_libdir}/uClibc/crt1.o %{_libdir}/uClibc/crti.o %{_libdir}/uClibc/crtn.o"; \
else \
mv .config .config1 && \
grep -v \
-e ^CONFIG_FEATURE_HAVE_RPC \
-e ^CONFIG_FEATURE_MOUNT_NFS \
-e ^CONFIG_FEATURE_INETD_RPC \
.config1 >.config && \
echo "# CONFIG_FEATURE_HAVE_RPC is not set" >>.config && \
echo "# CONFIG_FEATURE_MOUNT_NFS is not set" >>.config && \
echo "# CONFIG_FEATURE_INETD_RPC is not set" >>.config && \
yes "" | make oldconfig && \
cat .config && \
make V=1 CC="gcc %{optflags}"; \
fi
cp busybox_unstripped busybox.static
cp docs/busybox.1 docs/busybox.static.1
# create busybox optimized for petitboot
make clean
# copy new configuration file
cp %{SOURCE2} .config
# set all new options to defaults
yes "" | make oldconfig
# -g is needed for generation of debuginfo.
# (Don't want to use full-blown $RPM_OPT_FLAGS for this,
# it makes binary much bigger: -O2 instead of -Os, many other options)
if test "$arch"; then \
cat .config && \
make V=1 \
EXTRA_CFLAGS="-g -isystem %{_includedir}/uClibc" \
CFLAGS_busybox="-static -nostartfiles -L%{_libdir}/uClibc %{_libdir}/uClibc/crt1.o %{_libdir}/uClibc/crti.o %{_libdir}/uClibc/crtn.o"; \
else \
cat .config && \
make V=1 CC="gcc %{optflags}"; \
fi
cp busybox_unstripped busybox.petitboot
cp docs/busybox.1 docs/busybox.petitboot.1
%install
mkdir -p %{buildroot}/sbin
install -m 755 busybox.static %{buildroot}/sbin/busybox
install -m 755 busybox.petitboot %{buildroot}/sbin/busybox.petitboot
mkdir -p %{buildroot}/%{_mandir}/man1
install -m 644 docs/busybox.static.1 %{buildroot}/%{_mandir}/man1/busybox.1
install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.petitboot.1
%files
%license LICENSE
%doc README
/sbin/busybox
%{_mandir}/man1/busybox.1.gz
%files petitboot
%license LICENSE
%doc README
/sbin/busybox.petitboot
%{_mandir}/man1/busybox.petitboot.1.gz
%changelog
* Thu Oct 15 2020 Mateusz Malisz <mamalisz@microsoft.com> - 1.32.0-1
- Initial CBL-Mariner import from Fedora 32 (license: MIT)
- License Verified
- Add -fno-stack-protector for x86 builds
- Changed version from 1.31.1 to 1.32.0
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.31.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 13 2019 Tom Callaway <spot@fedoraproject.org> - 1:1.31.1-1
- update to 1.31.1 (fix FTBFS)
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.30.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon May 13 2019 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.30.1-2
- Tweak .config files
* Mon May 13 2019 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.30.1-1
- Update to 1.30.1
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.28.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.28.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Apr 05 2018 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.28.3-1
- Update to 1.28.3
* Mon Mar 26 2018 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.28.2-1
- Update to 1.28.2
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.26.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.26.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.26.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Mar 30 2017 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.26.2-1
- Update to 1.26.2
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.22.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.22.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.22.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Apr 14 2015 Michael Schwendt <mschwendt@fedoraproject.org> - 1:1.22.1-3
- Provides: bundled(md5-drepper2) (rhbz #1024549)
* Thu Mar 05 2015 Dan Horák <dan[at]danny.cz> - 1:1.22.1-2
- drop unneeded patch (#1182677)
* Tue Dec 16 2014 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.22.1-1
- Update to 1.22.1
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.19.4-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.19.4-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon May 19 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1:1.19.4-13
- uClibc not supported on aarch64
* Fri May 16 2014 Jaromir Capik <jcapik@redhat.com> - 1:1.19.4-12
- Disabled uClibc on ppc64le
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.19.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Fri May 24 2013 Dan Horák <dan[at]danny.cz> - 1.19.4-10
- disable uClib on s390(x)
* Wed May 15 2013 Karsten Hopp <karsten@redhat.com> 1.19.4-9
- disable uClibc on ppc, too
* Wed May 15 2013 Karsten Hopp <karsten@redhat.com> 1.19.4-8
- include sys/resource.h for RLIMIT_FSIZE (rhbz #961542) on PPC*
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.19.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.19.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Jun 1 2012 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.19.4-5
- Added bboconfig applet - useful for running testsuite
* Fri Apr 13 2012 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.19.4-4
- Fixed breakage with newer kernel headers
- Excluded Sun-RPC dependednt features not available in newer static glibc
* Mon Mar 12 2012 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.19.4-3
- Tweaked spec file again to generate even more proper debuginfo package
* Wed Mar 7 2012 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.19.4-2
- Tweaked spec file to generate proper debuginfo package
* Tue Feb 28 2012 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.19.4-1
- update to 1.19.4
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.19.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Mon Oct 31 2011 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.19.3-1
- update to 1.19.3
* Sat Aug 27 2011 Daniel Drake <dsd@laptop.org> - 1:1.18.2-6
- Fix compilation against uClibc and Linux-3.0 headers
* Fri Aug 26 2011 Daniel Drake <dsd@laptop.org> - 1:1.18.2-5
- Remove Linux 2.4 support from insmod/modprobe/etc.
- Fixes build failures on ARM, where such ancient syscalls are not present
* Sat Jun 11 2011 Peter Robinson <pbrobinson@gmail.com> - 1:1.18.2-4
- Add support for ARM
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.18.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Feb 7 2011 Tom Callaway <spot@fedoraproject.org> - 1:1.18.2-2
- apply fixes from upstream
* Mon Feb 7 2011 Tom Callaway <spot@fedoraproject.org> - 1:1.18.2-1
- update to 1.18.2
- use system uClibc
* Mon Oct 4 2010 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-10
- add compatibility with man-db config file (#639461)
* Wed Sep 29 2010 jkeating - 1:1.15.1-9
- Rebuilt for gcc bug 634757
* Fri Sep 17 2010 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-8
- fix build system so that it works with make 3.82 too
* Wed May 5 2010 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-7
- teach uclibc to use /etc/localtime
* Wed Feb 24 2010 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-6
- tweak installed docs
* Wed Jan 27 2010 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-5
- enable Fedora-specific uname -p behavior (#534081)
* Fri Nov 26 2009 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-4
- make uclibc use 32-bit compat struct utmp (#541587)
* Fri Nov 10 2009 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-3
- re-enable rpm applet (#534092)
* Fri Oct 2 2009 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-2
- add manpage generation (#525658)
* Sun Sep 13 2009 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.15.1-1
- Rebase to 1.15.1
* Fri Sep 11 2009 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.14.1-6
- REALLY fix build on s390, ia64
* Fri Sep 11 2009 Denys Vlasenko <dvlasenk@redhat.com> - 1:1.14.1-5
- fix build on s390, ia64
* Wed Sep 02 2009 Chris Lumens <clumens@redhat.com> 1.14.1-4
- Remove busybox-anaconda (#514319).
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.14.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Fri Jun 12 2009 Ivana Varekova <varekova@redhat.com> - 1:1.14.1-2
- add new options to readlink - patch created by Denys Valsenko
* Thu May 28 2009 Ivana Varekova <varekova@redhat.com> - 1:1.14.1-1
- fix ppc problem
- update to 1.14.1
* Sun May 24 2009 Milos Jakubicek <xjakub@fi.muni.cz> - 1:1.13.2-4
- Fixing FTBFS on i586/x86_64/ppc, ppc64 still an issue:
- Updated uClibc to 0.9.30.1, subsequently:
- Removed uClibc-0.9.30 patch (merged upstream).
- Added uClibc-0.9.30.1-getline.patch -- prevents conflicts with getline()
from stdio.h
- Temporarily disable C99 math to bypass ppc bug, see https://bugs.uclibc.org/show_bug.cgi?id=55
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.13.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Mon Feb 9 2009 Ivana Varekova <varekova@redhat.com> - 1:1.13.2-2
- use uClibc instead of glibc for static build - thanks Denys Vlasenko
* Mon Jan 19 2009 Ivana Varekova <varekova@redhat.com> - 1:1.13.2-1
- update to 1.13.2
* Tue Dec 2 2008 Ivana Varekova <varekova@redhat.com> - 1:1.12.1-2
- enable selinux in static version of busybox (#462724)
* Mon Nov 10 2008 Ivana Varekova <varekova@redhat.com> - 1:1.12.1-1
- update to 1.12.1
* Tue Aug 26 2008 Ivana Varekova <varekova@redhat.com> - 1:1.10.3-3
- fix findfs problem - #455998
* Wed Jul 23 2008 Ivana Varekova <varekova@redhat.com> - 1:1.10.3-2
- add findfs to static version of busybox
(kexec-tools need it #455998)
* Tue Jun 10 2008 Ivana Varekova <varekova@redhat.com> - 1:1.10.3-1
- update to 1.10.3
* Fri May 16 2008 Ivana Varekova <varekova@redhat.com> - 1:1.10.2-1
- update to 1.10.2
* Thu May 9 2008 Ivana Varekova <varekova@redhat.com> - 1:1.10.1-1
- update to 1.10.1
* Thu Feb 14 2008 Ivana Varekova <varekova@redhat.com> - 1:1.9.1-1
- update to 1.9.1
- fix a problem with netfilter.h - thanks dwmw2
* Fri Feb 8 2008 Ivana Varekova <varekova@redhat.com> - 1:1.9.0-2
- fix hwclock on ia64 machines
* Mon Jan 7 2008 Ivana Varekova <varekova@redhat.com> - 1:1.9.0-1
- update to 1.9.0
* Mon Dec 3 2007 Ivana Varekova <varekova@redhat.com> - 1:1.8.2-1
- update to 1.8.2
* Wed Nov 21 2007 Ivana Varekova <varekova@redhat.com> - 1:1.8.1-1
- update to 1.8.1
* Tue Nov 6 2007 Ivana Varekova <varekova@redhat.com> - 1:1.7.3-1
- update to 1.7.3
- remove --gc-sections from static build Makefile
* Thu Nov 1 2007 Ivana Varekova <varekova@redhat.com> - 1:1.7.2-4
- fix 359371 - problem with grep output
* Wed Oct 31 2007 Ivana Varekova <varekova@redhat.com> - 1:1.7.2-3
- fix another sed problem (forgotten fflush - #356111)
* Mon Oct 29 2007 Ivana Varekova <varekova@redhat.com> - 1:1.7.2-2
- fix sed problem with output (#356111)
* Mon Oct 22 2007 Ivana Varekova <varekova@redhat.com> - 1:1.7.2-1
- update to 1.7.2
* Tue Sep 4 2007 Ivana Varekova <varekova@redhat.com> - 1:1.6.1-2
- spec file cleanup
* Mon Jul 23 2007 Ivana Varekova <varekova@redhat.com> - 1:1.6.1-1
- update to 1.6.1
* Fri Jun 1 2007 Ivana Varekova <varekova@redhat.com> - 1:1.5.1-2
- add msh shell
* Thu May 24 2007 Ivana Varekova <varekova@redhat.com> - 1:1.5.1-1
- update to 1.5.1
* Sat Apr 7 2007 David Woodhouse <dwmw2@redhat.com> - 1:1.2.2-8
- Add busybox-petitboot subpackage
* Mon Apr 2 2007 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-7
- Resolves: 234769
busybox ls does not work without a tty
* Mon Feb 19 2007 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-6
- incorporate package review feedback
* Fri Feb 2 2007 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-5
- fix id_ps patch (thanks Chris MacGregor)
* Tue Jan 30 2007 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-4
- remove debuginfo
* Mon Jan 22 2007 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-3
- Resolves: 223620
id output shows context twice
- fix iptunnel x kernel-headers problem
* Mon Dec 10 2006 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-2
- enable ash
* Thu Nov 16 2006 Ivana Varekova <varekova@redhat.com> - 1:1.2.2-1
- update to 1.2.2
* Mon Aug 28 2006 Ivana Varekova <varekova@redhat.com> - 1:1.2.0-3
- fix #200470 - dmesg aborts
backport dmesg upstream changes
* Mon Aug 28 2006 Ivana Varekova <varekova@redhat.com> - 1:1.2.0-2
- fix #202891 - tar problem
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1:1.2.0-1.1
- rebuild
* Tue Jul 4 2006 Ivana Varekova <varekova@redhat.com> - 1:1.2.0-1
- update to 1.2.0
* Thu Jun 8 2006 Jeremy Katz <katzj@redhat.com> - 1:1.1.3-2
- fix so that busybox.anaconda has sh
* Wed May 31 2006 Ivana Varekova <varekova@redhat.com> - 1:1.1.3-1
- update to 1.1.3
* Mon May 29 2006 Ivana Varekova <varekova@redhat.com> - 1:1.1.2-3
- fix Makefile typo (#193354)
* Fri May 5 2006 Ivana Varekova <varekova@redhat.com> - 1:1.1.2-1
- update to 1.1.2
* Thu May 4 2006 Ivana Varekova <varekova@redhat.com> - 1:1.1.1-2
- add -Z option to id command, rename ps command -Z option (#190534)
* Wed May 03 2006 Ivana Varekova <varekova@redhat.com> - 1:1.1.1-1
- update to 1.1.1
- fix CVE-2006-1058 - BusyBox passwd command
fails to generate password with salt (#187386)
- add -minimal-toc option
- add RPM_OPT_FLAGS
- remove asm/page.h used sysconf command to get PAGE_SIZE
- add overfl patch to aviod Buffer warning
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1:1.01-2.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1:1.01-2.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Thu Oct 13 2005 Daniel Walsh <dwalsh@redhat.com> - 1.01-2
- Add sepol for linking load_policy
* Thu Sep 1 2005 Ivana Varekova <varekova@redhat.com> - 1.01-1
- update to 1.01
* Tue May 11 2005 Ivana Varekova <varekova@redhat.com> - 1.00-5
- add debug files to debug_package
* Mon Mar 7 2005 Ivana Varekova <varekova@redhat.com> - 1.00-4
- rebuilt
* Wed Jan 26 2005 Ivana Varekova <varekova@redhat.com> - 1.00-3
- update to 1.00 - fix bug #145681
- rebuild
* Thu Jan 13 2005 Jeremy Katz <katzj@redhat.com> - 1.00.rc1-6
- enable ash as the shell in busybox-anaconda
* Sat Oct 2 2004 Bill Nottingham <notting@redhat.com> - 1.00.rc1-5
- fix segfault in SELinux patch (#134404, #134406)
* Fri Sep 17 2004 Phil Knirsch <pknirsch@redhat.com> - 1.00.rc1-4
- Fixed double free in freecon() call (#132809)
* Fri Sep 10 2004 Daniel Walsh <dwalsh@redhat.com> - 1.00.rc1-3
- Add CONFIG_STATIC=y for static builds
* Wed Aug 25 2004 Jeremy Katz <katzj@redhat.com> - 1.00.rc1-2
- rebuild
* Fri Jun 25 2004 Dan Walsh <dwalsh@redhat.com> 1.00-pre10.1
- Add BuildRequires libselinux-devel
- Update to latest from upstream
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue May 11 2004 Karsten Hopp <karsten@redhat.de> 1.00.pre8-4
- add mknod to busybox-anaconda
* Wed Apr 21 2004 Karsten Hopp <karsten@redhat.de> 1.00.pre8-3
- fix LS_COLOR in anaconda patch
* Tue Mar 23 2004 Jeremy Katz <katzj@redhat.com> 1.00.pre8-2
- add awk to busybox-anaconda
* Sat Mar 20 2004 Dan Walsh <dwalsh@redhat.com> 1.00-pre8.1
- Update with latest patch.
- Turn off LS_COLOR in static patch
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Jan 27 2004 Dan Walsh <dwalsh@redhat.com> 1.00-pre5.2
- Fix is_selinux_enabled calls
* Mon Dec 29 2003 Dan Walsh <dwalsh@redhat.com> 1.00-pre5.1
-Latest update
* Wed Nov 26 2003 Dan Walsh <dwalsh@redhat.com> 1.00-pre3.2
- Add insmod
* Mon Sep 15 2003 Dan Walsh <dwalsh@redhat.com> 1.00-pre3.1
- Upgrade to pre3
* Thu Sep 11 2003 Dan Walsh <dwalsh@redhat.com> 1.00.2
- Upgrade selinux support
* Wed Jul 23 2003 Dan Walsh <dwalsh@redhat.com> 1.00.1
- Upgrade to 1.00 package
* Wed Jul 16 2003 Elliot Lee <sopwith@redhat.com> 0.60.5-10
- Rebuild
* Mon Jul 14 2003 Jeremy Katz <katzj@redhat.com> 0.60.5-9
- rebuild
* Mon Jul 14 2003 Jeremy Katz <katzj@redhat.com> 0.60.5-8
- add dmesg to busybox-anaconda
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Mon Jan 13 2003 Jeremy Katz <katzj@redhat.com> 0.60.5-5
- lost nolock for anaconda mount when rediffing, it returns (#81764)
* Mon Jan 6 2003 Dan Walsh <dwalsh@redhat.com> 0.60.5-4
- Upstream developers wanted to eliminate the use of floats
* Thu Jan 3 2003 Dan Walsh <dwalsh@redhat.com> 0.60.5-3
- Fix free to work on large memory machines.
* Sat Dec 28 2002 Jeremy Katz <katzj@redhat.com> 0.60.5-2
- update Config.h for anaconda build to include more useful utils
* Thu Dec 19 2002 Dan Walsh <dwalsh@redhat.com> 0.60.5-1
- update latest release
* Thu Dec 19 2002 Dan Walsh <dwalsh@redhat.com> 0.60.2-8
- incorporate hammer changes
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Thu May 23 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Mon May 06 2002 Florian La Roche <Florian.LaRoche@redhat.de>
- fix compilation on mainframe
* Tue Apr 2 2002 Jeremy Katz <katzj@redhat.com>
- fix static busybox (#60701)
* Thu Feb 28 2002 Jeremy Katz <katzj@redhat.com>
- don't include mknod in busybox.anaconda so we get collage mknod
* Fri Feb 22 2002 Jeremy Katz <katzj@redhat.com>
- rebuild in new environment
* Wed Jan 30 2002 Jeremy Katz <katzj@redhat.com>
- update to 0.60.2
- include more pieces for the anaconda version so that collage can go away
- make the mount in busybox.anaconda default to -onolock
* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
`- automated rebuild
* Mon Jul 9 2001 Tim Powers <timp@redhat.com>
- don't obsolete sash
- fix URL and spelling in desc. to satisfy rpmlint
* Thu Jul 05 2001 Florian La Roche <Florian.LaRoche@redhat.de>
- add missing defattr for anaconda subpackage
* Thu Jun 28 2001 Erik Troan <ewt@redhat.com>
- initial build for Red Hat
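Review bot: The static uClibc build in %build passes `-fno-stack-protector` in `EXTRA_CFLAGS`, which removes stack-canary protection from the binary installed as /sbin/busybox, and the only justification is the comment "otherwise the program segfaults". The petitboot build further down uses the same uClibc `-nostartfiles` link line without that flag, so the two builds are inconsistent and it is unclear which of them is right. The crash presumably comes from the interaction between the compiler's canary setup and the uClibc start files, which should be root-caused rather than masked in a tool meant for system recovery. Until then I would mark the workaround next to the flag, e.g. `# FIXME: hardening regression; -fno-stack-protector works around a segfault with the uClibc startfiles, remove once root-caused (tracking: <issue-id>)`.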


@ -5,43 +5,36 @@
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
%define java_bundle java/cacerts
%define p11_format_mozilla_bundle ca-bundle.trust.mozilla.p11-kit
%define legacy_default_mozilla_bundle ca-bundle.legacy.default.mozilla.crt
%define legacy_disable_mozilla_bundle ca-bundle.legacy.disable.mozilla.crt
%define p11_format_base_bundle ca-bundle.trust.base.p11-kit
%define legacy_default_base_bundle ca-bundle.legacy.default.base.crt
%define legacy_disable_base_bundle ca-bundle.legacy.disable.base.crt
%define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
%define legacy_default_microsoft_bundle ca-bundle.legacy.default.microsoft.crt
%define legacy_disable_microsoft_bundle ca-bundle.legacy.disable.microsoft.crt
# List of packages triggering legacy certs generation if 'ca-certificates-legacy'
# is installed.
%global watched_pkgs %{name}, %{name}-base, %{name}-microsoft
# Rebuilding cert bundles with source certificates.
%global refresh_bundles \
%{_bindir}/ca-legacy install\
%{_bindir}/update-ca-trust
# Converts certdata.txt files to p11-kit format bundles and legacy crt files.
# Arguments:
# %1 - the source certdata.txt file;
%define convert_certdata() \
WORKDIR=$(basename %1.d) \
WORKDIR=$(basename %{1}.d) \
mkdir -p $WORKDIR/certs/legacy-default \
mkdir $WORKDIR/certs/legacy-disable \
mkdir $WORKDIR/java \
pushd $WORKDIR/certs \
pwd $WORKDIR \
cp %1 certdata.txt \
cp %{1} certdata.txt \
python3 %{SOURCE4} >c2p.log 2>c2p.err \
popd \
%{SOURCE19} $WORKDIR %{SOURCE1} %{openssl_format_trust_bundle} %{legacy_default_bundle} %{legacy_disable_bundle} %{SOURCE3}
# Installs bundle files to the right directories.
# Arguments:
# %1 - the source certdata.txt file;
@ -49,21 +42,19 @@ popd \
# %3 - output legacy default bundle name;
# %4 - output legacy disabled bundle name;
%define install_bundles() \
WORKDIR=$(basename %1.d) \
install -p -m 644 $WORKDIR/%{openssl_format_trust_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%2 \
install -p -m 644 $WORKDIR/%{legacy_default_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%3 \
install -p -m 644 $WORKDIR/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%4 \
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%2 \
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%3 \
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%4
WORKDIR=$(basename %{1}.d) \
install -p -m 644 $WORKDIR/%{openssl_format_trust_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2} \
install -p -m 644 $WORKDIR/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{3} \
install -p -m 644 $WORKDIR/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{4} \
touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2} \
touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{3} \
touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{4}
Summary: Certificate Authority certificates
Name: ca-certificates
# The files, certdata.txt and nssckbi.h, should be taken from a released version of NSS, as published
# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
#
# The versions that are used by the latest released version of
# The versions that are used by the latest released version of
# Mozilla Firefox should be available from:
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
@ -72,14 +63,14 @@ Name: ca-certificates
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# (but these files might have not yet been released).
# WHEN UPDATING VERSION/RELEASE: remember to update prebuilt-ca-certificates as well.
Version: 20200720
Release: 10%{?dist}
License: MPLv2.0
URL: https://hg.mozilla.org
Group: System Environment/Security
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Security
URL: https://hg.mozilla.org
# Please always update both certdata.txt and nssckbi.h
Source0: https://hg.mozilla.org/releases/mozilla-release/raw-file/712412cb974c0392afe31fd9ce974b26ae3993c3/security/nss/lib/ckfw/builtins/certdata.txt
Source1: nssckbi.h
@ -103,28 +94,22 @@ Source20: LICENSE
Source21: certdata.base.txt
Source22: bundle2pem.sh
Source23: certdata.microsoft.txt
BuildRequires: /bin/ln
BuildRequires: asciidoc
BuildRequires: coreutils
BuildRequires: docbook-dtd-xml
BuildRequires: docbook-style-xsl
BuildRequires: libxslt
BuildRequires: openssl
BuildRequires: perl
BuildRequires: python3
Requires: %{name}-shared = %{version}-%{release}
Requires(post): %{name}-tools = %{version}-%{release}
Requires(post): coreutils
Requires(postun): %{name}-tools = %{version}-%{release}
Provides: ca-certificates-mozilla
BuildArch: noarch
BuildRequires: /bin/ln
BuildRequires: asciidoc
BuildRequires: coreutils
BuildRequires: docbook-dtd-xml
BuildRequires: docbook-style-xsl
BuildRequires: libxslt
BuildRequires: openssl
BuildRequires: perl
BuildRequires: python3
Requires(post): %{name}-tools = %{version}-%{release}
Requires(post): coreutils
Requires(postun): %{name}-tools = %{version}-%{release}
Requires: %{name}-shared = %{version}-%{release}
Provides: ca-certificates-mozilla
%description
The Public Key Inrastructure is used for many security issues in a
Linux system. In order for a certificate to be trusted, it must be
@ -135,59 +120,51 @@ OpenSSL-1.0.1e. The certificates can also be used by other applications
either directly of indirectly through openssl.
%package shared
Summary: A set of directories and files required by all certificate packages.
Group: System Environment/Security
Summary: A set of directories and files required by all certificate packages.
Group: System Environment/Security
%description shared
%{summary}
%package base
Summary: Basic set of trusted CAs required to authenticate the packages repository.
Group: System Environment/Security
Requires(post): %{name}-tools = %{version}-%{release}
Requires(post): coreutils
Requires(postun): %{name}-tools = %{version}-%{release}
Requires: %{name}-shared = %{version}-%{release}
Summary: Basic set of trusted CAs required to authenticate the packages repository.
Group: System Environment/Security
Requires: %{name}-shared = %{version}-%{release}
Requires(post): %{name}-tools = %{version}-%{release}
Requires(post): coreutils
Requires(postun): %{name}-tools = %{version}-%{release}
%description base
%{summary}
%package microsoft
Summary: A list of CAs trusted through the Microsoft Trusted Root Program.
Group: System Environment/Security
Requires(post): %{name}-tools = %{version}-%{release}
Requires(post): coreutils
Requires(postun): %{name}-tools = %{version}-%{release}
Requires: %{name}-shared = %{version}-%{release}
Summary: A list of CAs trusted through the Microsoft Trusted Root Program.
Group: System Environment/Security
Requires: %{name}-shared = %{version}-%{release}
Requires(post): %{name}-tools = %{version}-%{release}
Requires(post): coreutils
Requires(postun): %{name}-tools = %{version}-%{release}
%description microsoft
%{summary}
%package tools
Summary: Cert generation tools.
Group: System Environment/Security
Requires: p11-kit-trust >= 0.23.10
Requires: p11-kit >= 0.23.10
Summary: Cert generation tools.
Group: System Environment/Security
Requires: p11-kit >= 0.23.10
Requires: p11-kit-trust >= 0.23.10
%description tools
Set of scripts to generate certificates out of a certdata.txt file.
%package legacy
Summary: Support for legacy certificates configuration.
Group: System Environment/Security
Requires: %{name}-shared = %{version}-%{release}
Summary: Support for legacy certificates configuration.
Group: System Environment/Security
Requires: %{name}-shared = %{version}-%{release}
%description legacy
Provides a legacy version of ca-bundle.crt in the format of "[hash].0 -> [hash].pem"
pairs under /etc/pki/tls/certs.
pairs under %{_sysconfdir}/pki/tls/certs.
%prep -q
rm -rf %{name}
@ -203,45 +180,44 @@ cp -p %{SOURCE20} .
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
xsltproc --nonet -o %{name}/update-ca-trust.8 %{_sysconfdir}/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
xsltproc --nonet -o %{name}/ca-legacy.8 %{_sysconfdir}/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
mkdir -p -m 755 %{buildroot}%{pkidir}/tls/certs
mkdir -p -m 755 %{buildroot}%{pkidir}/java
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/ssl
mkdir -p -m 755 %{buildroot}%{catrustdir}/source
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/edk2
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 %{buildroot}%{_bindir}
mkdir -p -m 755 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/update-ca-trust.8 $RPM_BUILD_ROOT%{_mandir}/man8
install -p -m 644 %{name}/ca-legacy.8 $RPM_BUILD_ROOT%{_mandir}/man8
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{name}/update-ca-trust.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/ca-legacy.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{SOURCE11} %{buildroot}%{_datadir}/pki/ca-trust-source/README
install -p -m 644 %{SOURCE12} %{buildroot}%{catrustdir}/README
install -p -m 644 %{SOURCE13} %{buildroot}%{catrustdir}/extracted/README
install -p -m 644 %{SOURCE14} %{buildroot}%{catrustdir}/extracted/java/README
install -p -m 644 %{SOURCE15} %{buildroot}%{catrustdir}/extracted/openssl/README
install -p -m 644 %{SOURCE16} %{buildroot}%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} %{buildroot}%{catrustdir}/extracted/edk2/README
install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
install -p -m 644 %{SOURCE5} %{buildroot}%{catrustdir}/ca-legacy.conf
# Mozilla certs
%install_bundles %{SOURCE0} %{p11_format_mozilla_bundle} %{legacy_default_mozilla_bundle} %{legacy_disable_mozilla_bundle}
@ -254,65 +230,64 @@ install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
# TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only.
install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy
install -p -m 755 %{SOURCE6} %{buildroot}%{_bindir}/ca-legacy
install -p -m 755 %{SOURCE22} $RPM_BUILD_ROOT%{_bindir}/bundle2pem.sh
install -p -m 755 %{SOURCE22} %{buildroot}%{_bindir}/bundle2pem.sh
# touch ghosted files that will be extracted dynamically
# Set chmod 444 to use identical permission
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
touch $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
chmod 444 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
touch $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
chmod 444 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
touch %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch %{buildroot}%{catrustdir}/extracted/%{java_bundle}
chmod 444 %{buildroot}%{catrustdir}/extracted/%{java_bundle}
touch %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
touch %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
chmod 444 %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
touch %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
chmod 444 %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
# /etc/ssl/certs symlink for 3rd-party tools
ln -s ../pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
%{buildroot}%{_sysconfdir}/ssl/certs
# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
%{buildroot}%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
%{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
%{buildroot}%{pkidir}/%{java_bundle}
%post
cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_mozilla_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_mozilla_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
%refresh_bundles
%{refresh_bundles}
%post base
cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_base_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_base_bundle}
cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_base_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_base_bundle}
%refresh_bundles
%{refresh_bundles}
%post microsoft
cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_microsoft_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_microsoft_bundle}
cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_microsoft_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_microsoft_bundle}
%refresh_bundles
%{refresh_bundles}
%postun
%refresh_bundles
%{refresh_bundles}
%postun base
%refresh_bundles
%{refresh_bundles}
%postun legacy
# During build time it is unknown what files will get created by the
@ -331,10 +306,11 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}
%postun microsoft
%refresh_bundles
%{refresh_bundles}
%clean
%files
# Mozilla certs bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_mozilla_bundle}
@ -483,7 +459,7 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
*Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-1.0
- Update to CKBI 2.32 from NSS 3.44
Removing:
Removing:
# Certificate "Visa eCommerce Root"
# Certificate "AC Raiz Certicamara S.A."
# Certificate "Certplus Root CA G1"
@ -491,7 +467,7 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
# Certificate "OpenTrust Root CA G1"
# Certificate "OpenTrust Root CA G2"
# Certificate "OpenTrust Root CA G3"
Adding:
Adding:
# Certificate "GTS Root R1"
# Certificate "GTS Root R2"
# Certificate "GTS Root R3"
@ -694,7 +670,7 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
- Update to CKBI 1.95 from NSS 3.15.3.1
* Fri Sep 06 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-18
- Update the Entrust root stapled extension for compatibility with
- Update the Entrust root stapled extension for compatibility with
p11-kit version 0.19.2, patch by Stef Walter, rhbz#988745
* Tue Sep 03 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-17
@ -727,7 +703,7 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
- ship a new file that contains distrust objects, and also staple a
basic constraint extension to one legacy root contained in the
Mozilla CA list
- adjust the build script to dynamically produce most of above files
@ -741,7 +717,7 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
other file format bundles.
- Convert old file locations to symbolic links that point to dynamically
generated files.
- Old files, which might have been locally modified, will be saved in backup
- Old files, which might have been locally modified, will be saved in backup
files with .rpmsave extension.
- Added a update-ca-certificates script which can be used to regenerate
the merged trusted output.
@ -765,7 +741,7 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
* Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
* Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
- update to r1.86


@ -0,0 +1,62 @@
Summary: Metapackage with core sets of packages for distroless containers.
Name: distroless-packages
Version: 0.1
Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Base
URL: https://aka.ms/cbl-mariner
%description
Metapackage holding sets of core packages for different applications.
%package minimal
Summary: The smallest useful package list.
Requires: prebuilt-ca-certificates-base
Requires: filesystem
Requires: mariner-release
%description minimal
%{summary}
Created using a minimal set of packages.
%package base
Summary: Metapackage defining the basic set of packages (no kernel) used to create a "distroless" container.
Requires: %{name}-minimal = %{version}-%{release}
Requires: filesystem
Requires: glibc-iconv
Requires: iana-etc
Requires: mariner-release
Requires: openssl
Requires: openssl-libs
Requires: tzdata
%description base
%{summary}
%package debug
Summary: Debug packages for distroless
Requires: %{name}-minimal = %{version}-%{release}
Requires: busybox
%description debug
%{summary} This version features busybox for easier debugging.
%prep
%build
%files minimal
%files base
%files debug
%changelog
* Thu Oct 15 2020 Mateusz Malisz <mamalisz@microsoft.com> - 0.1-2
- Extend the set of requirements for the base image
- Add debug package with busybox
* Tue Sep 01 2020 Jon Slobodzian <joslobo@microsoft.com> - 0.1-1
- Original version for CBL-Mariner
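Review bot: The `%description debug` text should say outright that this variant puts a shell and the busybox applets into an otherwise shell-less image and is meant for troubleshooting; as written, a consumer picking the debug subpackage gets no hint that it widens the attack surface of the container. Suggested wording: `Adds busybox (shell and applets) to the minimal set for troubleshooting; not intended for production images.` The `Summary:` of the debug subpackage also lacks the trailing period the other summaries have, so the expanded `%{summary}` runs straight into the next sentence. `%package base` repeats `filesystem` and `mariner-release`, which it already gets through `%{name}-minimal`.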


@ -1,10 +1,12 @@
%global security_hardening nonow
%define glibc_target_cpu %{_build}
%define debug_package %{nil}
# Don't depend on bash by default
%define __requires_exclude ^/(bin|usr/bin).*$
Summary: Main C library
Name: glibc
Version: 2.28
Release: 14%{?dist}
Release: 15%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@ -97,8 +99,9 @@ Name Service Cache Daemon
sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile
install -vdm 755 %{_builddir}/%{name}-build
# do not try to explicitly provide GLIBC_PRIVATE versioned libraries
%define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh
%define __find_requires %{_builddir}/%{name}-%{version}/find_requires.sh
%global __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh
%global __find_requires %{_builddir}/%{name}-%{version}/find_requires.sh
# create find-provides and find-requires script in order to ignore GLIBC_PRIVATE errors
cat > find_provides.sh << _EOF
@ -121,7 +124,6 @@ else
fi
_EOF
chmod +x find_requires.sh
#___EOF
%build
CFLAGS="`echo " %{build_cflags} " | sed 's/-Wp,-D_FORTIFY_SOURCE=2//'`"
@ -239,8 +241,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
%ifarch aarch64
%exclude /lib
%endif
%exclude /lib64/libpcprofile.so
%{_lib64dir}/*.so
%{_lib64dir}/audit/*
/sbin/ldconfig
/sbin/locale-gen.sh
%{_bindir}/*
@ -277,8 +279,6 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
%{_sbindir}/zdump
%{_sbindir}/zic
/sbin/sln
%{_lib64dir}/audit/*
/lib64/libpcprofile.so
%files nscd
%defattr(-,root,root)
@ -306,6 +306,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
%defattr(-,root,root)
%changelog
* Mon Dec 07 2020 Mateusz Malisz <mamalisz@microsoft.com> - 2.28-15
- Exclude binaries(such as bash) from requires list.
* Tue Nov 10 2020 Thomas Crain <thcrain@microsoft.com> - 2.28-14
- Patch CVE-2019-19126
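Review bot: The new `%define __requires_exclude ^/(bin|usr/bin).*$` drops every auto-generated dependency on a path under /bin or /usr/bin, not only bash as the comment above it says, so scripts this package ships (the `%files` list includes `/sbin/locale-gen.sh`, presumably a shell script) no longer pull in their interpreter and would fail at run time on an image that has none. If only the shell dependency is meant to go, anchor the pattern to it, e.g. `%define __requires_exclude ^/(usr/)?bin/(ba)?sh$`, and name in the comment which shipped scripts are expected to be unusable without a shell. The same macro is added at the top of the openssl spec in this commit and the same applies there; the explicit `Requires: bash` also appears to be dropped from that spec, though the rendering does not mark the removed side.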


@ -1,30 +1,27 @@
# Don't depend on bash by default
%define __requires_exclude ^/(bin|usr/bin).*$
%define soversion 1.1
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1g
Release: 8%{?dist}
Release: 9%{?dist}
License: OpenSSL
URL: http://www.openssl.org/
Group: System Environment/Security
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Security
URL: https://www.openssl.org/
Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
Patch0: openssl-1.1.1-no-html.patch
# CVE only applies when Apache HTTP Server version 2.4.37 or less.
Patch1: CVE-2019-0190.nopatch
Patch2: 0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
Patch3: CVE-2020-1971.patch
Conflicts: httpd <= 2.4.37
BuildRequires: perl-Test-Warnings
BuildRequires: perl-Text-Template
Requires: bash
Requires: %{name}-libs = %{version}-%{release}
Requires: glibc
Requires: libgcc
Requires: %{name}-libs = %{version}-%{release}
%define soversion 1.1
Conflicts: httpd <= 2.4.37
%description
The OpenSSL toolkit provides support for secure communications between
@ -33,20 +30,19 @@ libraries which provide various cryptographic algorithms and
protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
Summary: A general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.
Requires: openssl = %{version}-%{release}
%package devel
Summary: Development Libraries for openssl
Group: Development/Libraries
Requires: openssl = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
Summary: Development Libraries for openssl
Group: Development/Libraries
Requires: %{name}-libs = %{version}-%{release}
Requires: openssl = %{version}-%{release}
%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
@ -54,9 +50,9 @@ package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.
%package static
Summary: Libraries for static linking of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-devel = %{version}-%{release}
Summary: Libraries for static linking of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-devel = %{version}-%{release}
%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
@ -65,10 +61,10 @@ applications which support various cryptographic algorithms and
protocols.
%package perl
Summary: Perl scripts provided with OpenSSL
Group: Applications/Internet
Requires: perl
Requires: openssl = %{version}-%{release}
Summary: Perl scripts provided with OpenSSL
Group: Applications/Internet
Requires: openssl = %{version}-%{release}
Requires: perl
%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
@ -86,9 +82,9 @@ from other formats to the formats used by the OpenSSL toolkit.
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
NEW_RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
export HASHBANGPERL=/usr/bin/perl
export HASHBANGPERL=%{_bindir}/perl
# The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifiying them here.
@ -146,7 +142,7 @@ export HASHBANGPERL=/usr/bin/perl
no-whirlpool \
no-zlib \
no-zlib-dynamic \
$RPM_OPT_FLAGS \
$NEW_RPM_OPT_FLAGS \
'-DDEVRANDOM="\"/dev/urandom\""'
perl ./configdata.pm -d
@ -164,21 +160,21 @@ make test
%install
[ %{buildroot} != "/" ] && rm -rf %{buildroot}/*
install -d %{buildroot}{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
make DESTDIR=%{buildroot} MANDIR=/usr/share/man MANSUFFIX=ssl install
make DESTDIR=%{buildroot} MANDIR=%{_mandir} MANSUFFIX=ssl install
rename so.%{soversion} so.%{version} %{buildroot}%{_libdir}/*.so.%{soversion}
for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
# Move runable perl scripts to bindir
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}
# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
pushd %{buildroot}%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
if [ -L ${manpage} ]; then
@ -199,14 +195,14 @@ for conflict in passwd rand ; do
done
popd
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA
mkdir -m700 %{buildroot}%{_sysconfdir}/pki/CA/private
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/certs
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/crl
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/newcerts
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
%files
%{!?_licensedir:%global license %%doc}
@ -232,7 +228,7 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
%files devel
%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_includedir}/openssl
%{_mandir}/man3*/*
%{_libdir}/pkgconfig/*.pc
@ -256,9 +252,15 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
%postun libs -p /sbin/ldconfig
%clean
rm -rf $RPM_BUILD_ROOT
rm -rf %{buildroot}
%changelog
* Thu Dec 10 2020 Mateusz Malisz <mamalisz@microsoft.com> - 1.1.1g-9
- Remove binaries (such as bash) from requires list
* Wed Dec 09 2020 Joe Schmitt <joschmit@microsoft.com> - 1.1.1g-8
- Patch CVE-2020-1971.
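Review bot: The hardening flags (`-Wa,--noexecstack` and the build-notes option) now go into a new shell variable `NEW_RPM_OPT_FLAGS` instead of being appended to `RPM_OPT_FLAGS`, and the only consumer switched in the visible hunks is the Configure argument after `no-zlib-dynamic`. The unchanged comment below the assignment says the Configure script itself picks up `RPM_OPT_FLAGS`; if that is so, or if `%build` uses `$RPM_OPT_FLAGS` anywhere outside the hunks shown, those paths now see the value without `--noexecstack`. Please confirm there is no such use, or keep the original name with `RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack ..."`, and update the comment to match whichever variable remains.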


@ -0,0 +1,45 @@
#nospeccleaner
Summary: Prebuilt version of ca-certificates-base package.
Name: prebuilt-ca-certificates-base
Version: 20200720
Release: 1%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Security
URL: https://hg.mozilla.org
BuildArch: noarch
%description
Prebuilt version of the ca-certificates-base package with no runtime dependencies.
BuildRequires: ca-certificates-base
Conflicts: ca-certificates
Conflicts: ca-certificates-base
Conflicts: ca-certificates-microsoft
%prep -q
%build
%install
mkdir -p %{buildroot}%{_datadir}/pki/ca-trust-legacy/
mkdir -p %{buildroot}%{_sysconfdir}/pki/
install -p -m 644 %{_datadir}/pki/ca-trust-legacy/* %{buildroot}%{_datadir}/pki/ca-trust-legacy/
find %{buildroot} -name README -delete
cp -r %{_sysconfdir}/pki/* %{buildroot}%{_sysconfdir}/pki/
%files
# Base certs bundle file with trust
%{_sysconfdir}/pki/cert.pem
%{_sysconfdir}/pki/certs/*
%{_sysconfdir}/pki/ca-trust/extracted/*
%{_sysconfdir}/pki/java/cacerts
%{_datadir}/pki/ca-trust-legacy/*
%changelog
* Wed Dec 2 2020 Mateusz Malisz <mamalisz@microsoft.com> - 20200720-1
- Original version for CBL-Mariner
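Review bot: `%install` assembles the shipped trust store from whatever the build root holds: `cp -r %{_sysconfdir}/pki/*` copies the entire pki tree, so any extra anchor or other file present in the build environment lands in the buildroot, and nothing ties the result to `Version: 20200720`. Copy only the paths listed in `%files` and pin the input with a versioned dependency, e.g. `BuildRequires: ca-certificates-base = %{version}` (assuming the two packages share version numbering), so the package version states which certificate set is inside. As rendered here, the `BuildRequires:` and `Conflicts:` lines follow `%description`, where rpm would read them as description text rather than tags; they belong in the preamble above it.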


@ -0,0 +1,208 @@
#
# Target Architecture Features and Options
#
FORCE_OPTIONS_FOR_ARCH=y
TARGET_SUBARCH=""
#
# Using ELF file format
#
ARCH_LITTLE_ENDIAN=y
#
# Using Little Endian
#
ARCH_HAS_MMU=y
ARCH_USE_MMU=y
UCLIBC_HAS_FLOATS=y
UCLIBC_HAS_FPU=y
DO_C99_MATH=y
# DO_XSI_MATH is not set
UCLIBC_HAS_FENV=y
UCLIBC_HAS_LONG_DOUBLE_MATH=y
KERNEL_HEADERS="./kernel-include"
HAVE_DOT_CONFIG=y
#
# General Library Settings
#
# HAVE_NO_PIC is not set
# DOPIC is not set
# ARCH_HAS_NO_SHARED is not set
# ARCH_HAS_NO_LDSO is not set
# HAVE_SHARED is not set
UCLIBC_CTOR_DTOR=y
HAS_NO_THREADS=y
# LINUXTHREADS_OLD is not set
# LINUXTHREADS_NEW is not set
# UCLIBC_HAS_THREADS is not set
# PTHREADS_DEBUG_SUPPORT is not set
UCLIBC_HAS_SYSLOG=y
UCLIBC_HAS_LFS=y
# MALLOC is not set
# MALLOC_SIMPLE is not set
MALLOC_STANDARD=y
MALLOC_GLIBC_COMPAT=y
UCLIBC_DYNAMIC_ATEXIT=y
# COMPAT_ATEXIT is not set
UCLIBC_SUSV3_LEGACY=y
# UCLIBC_SUSV3_LEGACY_MACROS is not set
UCLIBC_SUSV4_LEGACY=y
# UCLIBC_HAS_STUBS is not set
UCLIBC_HAS_SHADOW=y
# UCLIBC_HAS_PROGRAM_INVOCATION_NAME is not set
# UCLIBC_HAS___PROGNAME is not set
UCLIBC_HAS_PTY=y
ASSUME_DEVPTS=y
UNIX98PTY_ONLY=y
UCLIBC_HAS_GETPT=y
UCLIBC_HAS_LIBUTIL=y
UCLIBC_HAS_TM_EXTENSIONS=y
UCLIBC_HAS_TZ_CACHING=y
UCLIBC_HAS_TZ_FILE=y
UCLIBC_HAS_TZ_FILE_READ_MANY=y
UCLIBC_TZ_FILE_PATH="/etc/TZ"
UCLIBC_FALLBACK_TO_ETC_LOCALTIME=y
#
# Advanced Library Settings
#
UCLIBC_PWD_BUFFER_SIZE=256
UCLIBC_GRP_BUFFER_SIZE=256
#
# Support various families of functions
#
UCLIBC_LINUX_MODULE_26=y
UCLIBC_LINUX_MODULE_24=y
UCLIBC_LINUX_SPECIFIC=y
UCLIBC_HAS_GNU_ERROR=y
UCLIBC_BSD_SPECIFIC=y
UCLIBC_HAS_BSD_ERR=y
UCLIBC_HAS_OBSOLETE_BSD_SIGNAL=y
UCLIBC_HAS_OBSOLETE_SYSV_SIGNAL=y
UCLIBC_NTP_LEGACY=y
UCLIBC_SV4_DEPRECATED=y
UCLIBC_HAS_REALTIME=y
UCLIBC_HAS_ADVANCED_REALTIME=y
UCLIBC_HAS_EPOLL=y
UCLIBC_HAS_XATTR=y
UCLIBC_HAS_PROFILING=y
UCLIBC_HAS_CRYPT_IMPL=y
UCLIBC_HAS_SHA256_CRYPT_IMPL=y
UCLIBC_HAS_SHA512_CRYPT_IMPL=y
UCLIBC_HAS_CRYPT=y
UCLIBC_HAS_NETWORK_SUPPORT=y
UCLIBC_HAS_SOCKET=y
UCLIBC_HAS_IPV4=y
UCLIBC_HAS_IPV6=y
UCLIBC_HAS_RPC=y
UCLIBC_HAS_FULL_RPC=y
UCLIBC_HAS_REENTRANT_RPC=y
UCLIBC_USE_NETLINK=y
# UCLIBC_SUPPORT_AI_ADDRCONFIG is not set
# UCLIBC_HAS_BSD_RES_CLOSE is not set
UCLIBC_HAS_COMPAT_RES_STATE=y
# UCLIBC_HAS_EXTRA_COMPAT_RES_STATE is not set
UCLIBC_HAS_RESOLVER_SUPPORT=y
UCLIBC_HAS_LIBRESOLV_STUB=y
UCLIBC_HAS_LIBNSL_STUB=y
#
# String and Stdio Support
#
UCLIBC_HAS_STRING_GENERIC_OPT=y
UCLIBC_HAS_STRING_ARCH_OPT=y
UCLIBC_HAS_CTYPE_TABLES=y
UCLIBC_HAS_CTYPE_SIGNED=y
UCLIBC_HAS_CTYPE_UNSAFE=y
# UCLIBC_HAS_CTYPE_CHECKED is not set
UCLIBC_HAS_CTYPE_ENFORCED=y
# UCLIBC_HAS_WCHAR is not set
# UCLIBC_HAS_LOCALE is not set
UCLIBC_HAS_HEXADECIMAL_FLOATS=y
# UCLIBC_HAS_GLIBC_DIGIT_GROUPING is not set
UCLIBC_HAS_GLIBC_CUSTOM_PRINTF=y
# USE_OLD_VFPRINTF is not set
UCLIBC_PRINTF_SCANF_POSITIONAL_ARGS=9
UCLIBC_HAS_SCANF_GLIBC_A_FLAG=y
# UCLIBC_HAS_STDIO_BUFSIZ_NONE is not set
# UCLIBC_HAS_STDIO_BUFSIZ_256 is not set
# UCLIBC_HAS_STDIO_BUFSIZ_512 is not set
# UCLIBC_HAS_STDIO_BUFSIZ_1024
# UCLIBC_HAS_STDIO_BUFSIZ_2048 is not set
UCLIBC_HAS_STDIO_BUFSIZ_4096=y
# UCLIBC_HAS_STDIO_BUFSIZ_8192 is not set
UCLIBC_HAS_STDIO_BUILTIN_BUFFER_NONE=y
# UCLIBC_HAS_STDIO_BUILTIN_BUFFER_4 is not set
# UCLIBC_HAS_STDIO_BUILTIN_BUFFER_8 is not set
# UCLIBC_HAS_STDIO_SHUTDOWN_ON_ABORT is not set
UCLIBC_HAS_STDIO_GETC_MACRO=y
UCLIBC_HAS_STDIO_PUTC_MACRO=y
UCLIBC_HAS_STDIO_AUTO_RW_TRANSITION=y
# UCLIBC_HAS_FOPEN_LARGEFILE_MODE is not set
UCLIBC_HAS_FOPEN_EXCLUSIVE_MODE=y
UCLIBC_HAS_FOPEN_CLOSEEXEC_MODE=y
UCLIBC_HAS_GLIBC_CUSTOM_STREAMS=y
UCLIBC_HAS_PRINTF_M_SPEC=y
UCLIBC_HAS_ERRNO_MESSAGES=y
# UCLIBC_HAS_SYS_ERRLIST is not set
UCLIBC_HAS_SIGNUM_MESSAGES=y
# UCLIBC_HAS_SYS_SIGLIST is not set
UCLIBC_HAS_GNU_GETOPT=y
UCLIBC_HAS_GNU_GETSUBOPT=y
#
# Big and Tall
#
UCLIBC_HAS_REGEX=y
# UCLIBC_HAS_REGEX_OLD is not set
UCLIBC_HAS_FNMATCH=y
UCLIBC_HAS_FNMATCH_OLD=y
UCLIBC_HAS_WORDEXP=y
UCLIBC_HAS_NFTW=y
UCLIBC_HAS_FTW=y
# UCLIBC_HAS_FTS is not set
UCLIBC_HAS_GLOB=y
UCLIBC_HAS_GNU_GLOB=y
UCLIBC_HAS_UTMPX=y
#
# Library Installation Options
#
RUNTIME_PREFIX="/lib_uc"
DEVEL_PREFIX=""
# HARDWIRED_ABSPATH is not set
#
# Security options
#
# UCLIBC_BUILD_PIE is not set
# UCLIBC_HAS_ARC4RANDOM is not set
# HAVE_NO_SSP is not set
UCLIBC_HAS_SSP=y
# UCLIBC_HAS_SSP_COMPAT is not set
# SSP_QUICK_CANARY is not set
PROPOLICE_BLOCK_ABRT=y
# PROPOLICE_BLOCK_SEGV is not set
# UCLIBC_BUILD_SSP is not set
UCLIBC_BUILD_RELRO=y
UCLIBC_BUILD_NOW=y
UCLIBC_BUILD_NOEXECSTACK=y
#
# uClibc development/debugging options
#
CROSS_COMPILER_PREFIX=""
UCLIBC_EXTRA_CFLAGS=""
DODEBUG=y
DOSTRIP=y
# DOASSERTS is not set
# SUPPORT_LD_DEBUG is not set
# SUPPORT_LD_DEBUG_EARLY is not set
# UCLIBC_MALLOC_DEBUGGING is not set
WARNINGS="-Wall"
# EXTRA_WARNINGS is not set
# DOMULTI is not set
# UCLIBC_MJN3_ONLY is not set
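Review bot: The "Security options" block leaves `UCLIBC_BUILD_PIE` and `UCLIBC_BUILD_SSP` unset and the debugging block sets `DODEBUG=y`, with no comment on why the library itself is built without PIE and stack protector while RELRO, NOW and NOEXECSTACK are on; a short header comment stating the intent would help, since the spec describes this package as a static library that ends up inside other binaries. The line `# UCLIBC_HAS_STDIO_BUFSIZ_1024` is missing its ` is not set` suffix, so it is a plain comment and the option is left for `make oldconfig` to default. More generally, the spec feeds this file through `yes "" | make oldconfig`, so any symbol here that the 1.0.36 Kconfig does not know is presumably dropped and the default wins; comparing the generated `.config` with this file during the build would catch that.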


@ -0,0 +1,6 @@
{
"Signatures": {
"uClibc-ng-1.0.36.tar.xz": "010f40841669809422e01b47e7169d49c61bf3382f493c2571a8a96634ed300c",
"uClibc.config": "5cd0bebdcc29597e6abdcfcbb0d7309633dd843b273b0baca718e6d5f2fb0f1f"
}
}


@ -0,0 +1,196 @@
%global uclibc_name uClibc-ng
# This package only contains a static library
%global debug_package %{nil}
Summary: C library for embedded Linux
Name: uclibc-ng
Version: 1.0.36
Release: 1%{?dist}
License: LGPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://www.uclibc.org/
Source0: https://downloads.uclibc-ng.org/releases/%{version}/%{uclibc_name}-%{version}.tar.xz
Source1: uClibc.config
BuildRequires: gcc
%description
uClibc-ng is a C library for developing embedded Linux systems.
It is much smaller than the GNU C Library, but nearly all applications
supported by glibc also work perfectly with uClibc.
%package devel
Summary: Header files and libraries for uClibc library
Provides: uclibc-static = %{version}-%{release}
Provides: uclibc-devel = %{version}-%{release}
%description devel
uClibc is a C library for developing embedded Linux systems.
It is much smaller than the GNU C Library, but nearly all applications
supported by glibc also work perfectly with uClibc.
This package contains the header files and libraries
needed for uClibc package.
%prep
%setup -q -n %{uclibc_name}-%{version}
cat %{SOURCE1} >.config1
iconv -f windows-1252 -t utf-8 README >README.pom
mv README.pom README
%build
mkdir kernel-include
cp -a %{_includedir}/asm kernel-include
cp -a %{_includedir}/asm-generic kernel-include
cp -a %{_includedir}/linux kernel-include
arch=`uname -m | sed -e 's/i.86/i386/' -e 's/ppc/powerpc/' -e 's/armv7l/arm/' -e 's/armv5tel/arm/'`
echo "TARGET_$arch=y" >.config
echo "TARGET_ARCH=\"$arch\"" >>.config
%ifarch %{arm}
echo "CONFIG_ARM_EABI=y" >>.config
echo "ARCH_ANY_ENDIAN=n" >>.config
echo "ARCH_LITTLE_ENDIAN=y" >>.config
echo "ARCH_WANTS_LITTLE_ENDIAN=y" >>.config
%endif
cat .config1 >>.config
yes "" | make oldconfig %{?_smp_mflags}
make V=1 %{?_smp_mflags}
%install
mkdir -p %{buildroot}/lib
make install PREFIX="%{buildroot}/"
make install_headers PREFIX="%{buildroot}/" DEVEL_PREFIX=""
cp -a kernel-include/* %{buildroot}/include/
# move libraries to proper subdirectory
mkdir -p %{buildroot}/%{_libdir}/uClibc
mv %{buildroot}/lib/* %{buildroot}/%{_libdir}/uClibc/
rm -rf %{buildroot}/lib/
# move the header files to /usr subdirectory
mkdir -p %{buildroot}/%{_includedir}/uClibc
mv %{buildroot}/include/* %{buildroot}/%{_includedir}/uClibc
rm -rf %{buildroot}/include/
%files devel
%doc docs/Glibc_vs_uClibc_Differences.txt docs/uClibc_vs_SuSv3.txt docs/porting.txt
%license COPYING.LIB
%doc README MAINTAINERS
%{_includedir}/uClibc
%{_libdir}/uClibc
%changelog
* Thu Oct 15 2020 Mateusz Malisz <mamalisz@microsoft.com> - 1.0.36-1
- Initial CBL-Mariner import from Fedora 32 (license: MIT)
- License Verified
- Changed uclibc to uclibc-ng
- Changed version from 0.9.33.2 to 1.0.36
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 20 2018 Nikola Forró <nforro@redhat.com> - 0.9.33.2-17
- add missing gcc build dependency
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Oct 20 2016 Dan Horák <dan[at]danny.cz> - 0.9.33.2-12
- switch to ExclusiveArch
* Mon Aug 15 2016 Peter Robinson <pbrobinson@fedoraproject.org> 0.9.33.2-11
- Update Power64 macro
* Mon Jul 11 2016 Nikola Forró <nforro@redhat.com> - 0.9.33.2-10
- fix CVE-2016-6264
resolves #1352460
* Thu Feb 18 2016 Nikola Forró <nforro@redhat.com> - 0.9.33.2-9
- add support for MIPS
resolves #1305957
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.33.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.33.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.33.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.33.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon May 19 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.9.33.2-5
- No aarch64 support
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.33.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon May 6 2013 Denys Vlasenko <dvlasenko@redhat.com> - 0.9.32-3
- Enable UCLIBC_HAS_RESOLVER_SUPPORT, UCLIBC_LINUX_MODULE_26,
UCLIBC_HAS_SHA256/512_CRYPT_IMPL, UCLIBC_HAS_FOPEN_CLOSEEXEC_MODE
config options.
- fix __kernel_long_t problem.
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.33.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Jul 27 2012 Peter Schiffer <pschiffe@redhat.com> - 0.9.33.2-1
- resolves: #771041
update to 0.9.33.2
* Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.32-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.32-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Aug 18 2011 Peter Schiffer <pschiffe@redhat.com> - 0.9.32-2
- fixed compile error on i686
* Tue Aug 16 2011 Peter Schiffer <pschiffe@redhat.com> - 0.9.32-1
- resolves: #712040
resolves: #716134
update to 0.9.32 final
* Mon Jun 13 2011 Peter Robinson <pbrobinson@gmail.com> - 0.9.32-0.5.rc2
- And set the ARM build to little endian
* Sat Jun 11 2011 Peter Robinson <pbrobinson@gmail.com> - 0.9.32-0.4.rc2
- It seems we need to set the ARM ABI to EABI too
* Sat Jun 11 2011 Peter Robinson <pbrobinson@gmail.com> - 0.9.32-0.3.rc2
- Add support for ARM
* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.32-0.2.rc2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Feb 7 2011 Tom Callaway <spot@fedoraproject.org> - 0.9.32-0.1.rc2
- update config for 0.9.32-rc2, busybox
- patch getutent
* Tue Nov 9 2010 Ivana Hutarova Varekova <varekova@redhat.com> - 0.9.31-2
- update to 0.9.31
* Fri Jun 5 2009 Ivana Varekova <varekova@redhat.com> - 0.9.30.1-2
- initial build for Red Hat
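Review bot: `%build` copies `asm`, `asm-generic` and `linux` from the build root's `%{_includedir}` and `%install` ships them under the uClibc include directory, yet the only declared build dependency is `BuildRequires: gcc`, so which kernel headers end up in the `-devel` package depends on what happens to be installed. Declare the provider explicitly (for example `BuildRequires: kernel-headers`, if that is the package name in this distribution). The target architecture is also taken from `uname -m` on the build host; deriving it from `%{_target_cpu}` would tie the result to the rpm target rather than to the machine running the build.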


@ -360,6 +360,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "busybox",
"version": "1.32.0",
"downloadUrl": "http://www.busybox.net/downloads/busybox-1.32.0.tar.bz2"
}
}
},
{
"component": {
"type": "other",
@ -580,7 +590,6 @@
}
}
},
{
"component": {
"type": "other",
@ -5801,6 +5810,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "uclibc-ng",
"version": "1.0.36",
"downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.36/uClibc-ng-1.0.36.tar.xz"
}
}
},
{
"component": {
"type": "other",

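Review bot: The new busybox entry records its `downloadUrl` as plain `http://`, while the uclibc-ng entry added later in the same file uses `https://`. If any tooling fetches the tarball from this URL, the transfer is open to modification in transit unless the archive is checked against a pinned hash afterwards. Using `"downloadUrl": "https://www.busybox.net/downloads/busybox-1.32.0.tar.bz2"` keeps the two entries consistent.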

@ -111,6 +111,12 @@ A sample PackageLists entry pointing to three files containing package lists:
"packagelists/cloud-init-packages.json"
],
```
### RemoveRpmDb
RemoveRpmDb triggers RPM database removal after the packages have been installed.
Removing the RPM database may break any package managers inside the image.
### KernelOptions
KernelOptions key consists of a map of key-value pairs, where a key is an identifier and a value is a name of the package (kernel) used in a scenario described by the identifier. During the build time, all kernels provided in KernelOptions will be built.
@ -160,11 +166,11 @@ A sample KernelCommandLine enabling a basic IMA mode and passing two additional
### Users
Users is an array of user information. The User information is a map of key value pairs.
Users is an array of user information. The User information is a map of key value pairs.
The image generated has users matching the values specified in Users.
The table below are the keys for the users.
The table below are the keys for the users.
|Key |Type |Restrictions
--------------------|:------------------|:------------------------------------------------


@ -0,0 +1,21 @@
{
"Disks": [
{
"Artifacts": [
{
"Name": "core",
"Compression": "tar.gz"
}
]
}
],
"SystemConfigs": [
{
"Name": "Standard",
"PackageLists": [
"packagelists/distroless-packages-container.json"
],
"RemoveRpmDb": true
}
]
}


@ -0,0 +1,22 @@
{
"Disks": [
{
"Artifacts": [
{
"Name": "core",
"Compression": "tar.gz"
}
]
}
],
"SystemConfigs": [
{
"Name": "Standard",
"PackageLists": [
"packagelists/distroless-packages-container.json",
"packagelists/distroless-packages-debug.json"
],
"RemoveRpmDb": true
}
]
}


@ -0,0 +1,5 @@
{
"packages": [
"distroless-packages-base"
]
}


@ -0,0 +1,5 @@
{
"packages": [
"distroless-packages-debug"
]
}


@ -1,12 +1,12 @@
filesystem-1.1-7.cm1.aarch64.rpm
kernel-headers-5.4.81-1.cm1.noarch.rpm
glibc-2.28-14.cm1.aarch64.rpm
glibc-devel-2.28-14.cm1.aarch64.rpm
glibc-i18n-2.28-14.cm1.aarch64.rpm
glibc-iconv-2.28-14.cm1.aarch64.rpm
glibc-lang-2.28-14.cm1.aarch64.rpm
glibc-nscd-2.28-14.cm1.aarch64.rpm
glibc-tools-2.28-14.cm1.aarch64.rpm
glibc-2.28-15.cm1.aarch64.rpm
glibc-devel-2.28-15.cm1.aarch64.rpm
glibc-i18n-2.28-15.cm1.aarch64.rpm
glibc-iconv-2.28-15.cm1.aarch64.rpm
glibc-lang-2.28-15.cm1.aarch64.rpm
glibc-nscd-2.28-15.cm1.aarch64.rpm
glibc-tools-2.28-15.cm1.aarch64.rpm
zlib-1.2.11-3.cm1.aarch64.rpm
zlib-devel-1.2.11-3.cm1.aarch64.rpm
file-5.38-1.cm1.aarch64.rpm
@ -105,12 +105,12 @@ perl-5.30.3-2.cm1.aarch64.rpm
texinfo-6.5-7.cm1.aarch64.rpm
autoconf-2.69-10.cm1.noarch.rpm
automake-1.16.1-3.cm1.noarch.rpm
openssl-1.1.1g-8.cm1.aarch64.rpm
openssl-devel-1.1.1g-8.cm1.aarch64.rpm
openssl-libs-1.1.1g-8.cm1.aarch64.rpm
openssl-perl-1.1.1g-8.cm1.aarch64.rpm
openssl-static-1.1.1g-8.cm1.aarch64.rpm
openssl-debuginfo-1.1.1g-8.cm1.aarch64.rpm
openssl-1.1.1g-9.cm1.aarch64.rpm
openssl-devel-1.1.1g-9.cm1.aarch64.rpm
openssl-libs-1.1.1g-9.cm1.aarch64.rpm
openssl-perl-1.1.1g-9.cm1.aarch64.rpm
openssl-static-1.1.1g-9.cm1.aarch64.rpm
openssl-debuginfo-1.1.1g-9.cm1.aarch64.rpm
libcap-2.26-2.cm1.aarch64.rpm
libcap-devel-2.26-2.cm1.aarch64.rpm
libdb-5.3.28-4.cm1.aarch64.rpm


@ -1,12 +1,12 @@
filesystem-1.1-7.cm1.x86_64.rpm
kernel-headers-5.4.81-1.cm1.noarch.rpm
glibc-2.28-14.cm1.x86_64.rpm
glibc-devel-2.28-14.cm1.x86_64.rpm
glibc-i18n-2.28-14.cm1.x86_64.rpm
glibc-iconv-2.28-14.cm1.x86_64.rpm
glibc-lang-2.28-14.cm1.x86_64.rpm
glibc-nscd-2.28-14.cm1.x86_64.rpm
glibc-tools-2.28-14.cm1.x86_64.rpm
glibc-2.28-15.cm1.x86_64.rpm
glibc-devel-2.28-15.cm1.x86_64.rpm
glibc-i18n-2.28-15.cm1.x86_64.rpm
glibc-iconv-2.28-15.cm1.x86_64.rpm
glibc-lang-2.28-15.cm1.x86_64.rpm
glibc-nscd-2.28-15.cm1.x86_64.rpm
glibc-tools-2.28-15.cm1.x86_64.rpm
zlib-1.2.11-3.cm1.x86_64.rpm
zlib-devel-1.2.11-3.cm1.x86_64.rpm
file-5.38-1.cm1.x86_64.rpm
@ -105,12 +105,12 @@ perl-5.30.3-2.cm1.x86_64.rpm
texinfo-6.5-7.cm1.x86_64.rpm
autoconf-2.69-10.cm1.noarch.rpm
automake-1.16.1-3.cm1.noarch.rpm
openssl-1.1.1g-8.cm1.x86_64.rpm
openssl-devel-1.1.1g-8.cm1.x86_64.rpm
openssl-libs-1.1.1g-8.cm1.x86_64.rpm
openssl-perl-1.1.1g-8.cm1.x86_64.rpm
openssl-static-1.1.1g-8.cm1.x86_64.rpm
openssl-debuginfo-1.1.1g-8.cm1.x86_64.rpm
openssl-1.1.1g-9.cm1.x86_64.rpm
openssl-devel-1.1.1g-9.cm1.x86_64.rpm
openssl-libs-1.1.1g-9.cm1.x86_64.rpm
openssl-perl-1.1.1g-9.cm1.x86_64.rpm
openssl-static-1.1.1g-9.cm1.x86_64.rpm
openssl-debuginfo-1.1.1g-9.cm1.x86_64.rpm
libcap-2.26-2.cm1.x86_64.rpm
libcap-devel-2.26-2.cm1.x86_64.rpm
libdb-5.3.28-4.cm1.x86_64.rpm


@ -104,13 +104,13 @@ gettext-0.19.8.1-3.cm1.aarch64.rpm
gettext-debuginfo-0.19.8.1-3.cm1.aarch64.rpm
gfortran-9.1.0-7.cm1.aarch64.rpm
glib-2.58.0-6.cm1.aarch64.rpm
glibc-2.28-14.cm1.aarch64.rpm
glibc-devel-2.28-14.cm1.aarch64.rpm
glibc-i18n-2.28-14.cm1.aarch64.rpm
glibc-iconv-2.28-14.cm1.aarch64.rpm
glibc-lang-2.28-14.cm1.aarch64.rpm
glibc-nscd-2.28-14.cm1.aarch64.rpm
glibc-tools-2.28-14.cm1.aarch64.rpm
glibc-2.28-15.cm1.aarch64.rpm
glibc-devel-2.28-15.cm1.aarch64.rpm
glibc-i18n-2.28-15.cm1.aarch64.rpm
glibc-iconv-2.28-15.cm1.aarch64.rpm
glibc-lang-2.28-15.cm1.aarch64.rpm
glibc-nscd-2.28-15.cm1.aarch64.rpm
glibc-tools-2.28-15.cm1.aarch64.rpm
glib-debuginfo-2.58.0-6.cm1.aarch64.rpm
glib-devel-2.58.0-6.cm1.aarch64.rpm
glib-schemas-2.58.0-6.cm1.aarch64.rpm
@ -269,12 +269,12 @@ openjdk8-doc-1.8.0.181-8.cm1.aarch64.rpm
openjdk8-sample-1.8.0.181-8.cm1.aarch64.rpm
openjdk8-src-1.8.0.181-8.cm1.aarch64.rpm
openjre8-1.8.0.181-8.cm1.aarch64.rpm
openssl-1.1.1g-8.cm1.aarch64.rpm
openssl-debuginfo-1.1.1g-8.cm1.aarch64.rpm
openssl-devel-1.1.1g-8.cm1.aarch64.rpm
openssl-libs-1.1.1g-8.cm1.aarch64.rpm
openssl-perl-1.1.1g-8.cm1.aarch64.rpm
openssl-static-1.1.1g-8.cm1.aarch64.rpm
openssl-1.1.1g-9.cm1.aarch64.rpm
openssl-debuginfo-1.1.1g-9.cm1.aarch64.rpm
openssl-devel-1.1.1g-9.cm1.aarch64.rpm
openssl-libs-1.1.1g-9.cm1.aarch64.rpm
openssl-perl-1.1.1g-9.cm1.aarch64.rpm
openssl-static-1.1.1g-9.cm1.aarch64.rpm
p11-kit-0.23.16.1-2.cm1.aarch64.rpm
p11-kit-debuginfo-0.23.16.1-2.cm1.aarch64.rpm
p11-kit-devel-0.23.16.1-2.cm1.aarch64.rpm


@ -104,13 +104,13 @@ gettext-0.19.8.1-3.cm1.x86_64.rpm
gettext-debuginfo-0.19.8.1-3.cm1.x86_64.rpm
gfortran-9.1.0-7.cm1.x86_64.rpm
glib-2.58.0-6.cm1.x86_64.rpm
glibc-2.28-14.cm1.x86_64.rpm
glibc-devel-2.28-14.cm1.x86_64.rpm
glibc-i18n-2.28-14.cm1.x86_64.rpm
glibc-iconv-2.28-14.cm1.x86_64.rpm
glibc-lang-2.28-14.cm1.x86_64.rpm
glibc-nscd-2.28-14.cm1.x86_64.rpm
glibc-tools-2.28-14.cm1.x86_64.rpm
glibc-2.28-15.cm1.x86_64.rpm
glibc-devel-2.28-15.cm1.x86_64.rpm
glibc-i18n-2.28-15.cm1.x86_64.rpm
glibc-iconv-2.28-15.cm1.x86_64.rpm
glibc-lang-2.28-15.cm1.x86_64.rpm
glibc-nscd-2.28-15.cm1.x86_64.rpm
glibc-tools-2.28-15.cm1.x86_64.rpm
glib-debuginfo-2.58.0-6.cm1.x86_64.rpm
glib-devel-2.58.0-6.cm1.x86_64.rpm
glib-schemas-2.58.0-6.cm1.x86_64.rpm
@ -269,12 +269,12 @@ openjdk8-doc-1.8.0.212-10.cm1.x86_64.rpm
openjdk8-sample-1.8.0.212-10.cm1.x86_64.rpm
openjdk8-src-1.8.0.212-10.cm1.x86_64.rpm
openjre8-1.8.0.212-10.cm1.x86_64.rpm
openssl-1.1.1g-8.cm1.x86_64.rpm
openssl-debuginfo-1.1.1g-8.cm1.x86_64.rpm
openssl-devel-1.1.1g-8.cm1.x86_64.rpm
openssl-libs-1.1.1g-8.cm1.x86_64.rpm
openssl-perl-1.1.1g-8.cm1.x86_64.rpm
openssl-static-1.1.1g-8.cm1.x86_64.rpm
openssl-1.1.1g-9.cm1.x86_64.rpm
openssl-debuginfo-1.1.1g-9.cm1.x86_64.rpm
openssl-devel-1.1.1g-9.cm1.x86_64.rpm
openssl-libs-1.1.1g-9.cm1.x86_64.rpm
openssl-perl-1.1.1g-9.cm1.x86_64.rpm
openssl-static-1.1.1g-9.cm1.x86_64.rpm
p11-kit-0.23.16.1-2.cm1.x86_64.rpm
p11-kit-debuginfo-0.23.16.1-2.cm1.x86_64.rpm
p11-kit-devel-0.23.16.1-2.cm1.x86_64.rpm


@ -239,6 +239,7 @@ var expectedConfiguration Config = Config{
Enable: true,
Password: "EncryptPassphrase123",
},
RemoveRpmDb: false,
},
{
Name: "BiggerDiskA",


@ -26,6 +26,7 @@ type SystemConfig struct {
Groups []Group `json:"Groups"`
Users []User `json:"Users"`
Encryption RootEncryption `json:"Encryption"`
RemoveRpmDb bool `json:"RemoveRpmDb`
}
// IsValid returns an error if the SystemConfig is not valid
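Review bot: The struct tag on the new `RemoveRpmDb` field is missing its closing double quote (`json:"RemoveRpmDb`), so it is not a well-formed key:"value" tag. A malformed tag is not recognised by `reflect.StructTag` lookups, so decoding presumably falls back to the Go field name, which only works here because the name and the intended key are the same string; `go vet` reports this kind of tag. The line should read ``RemoveRpmDb bool `json:"RemoveRpmDb"` ``. The `SystemConfig` struct begins above the hunk, so only its last few fields are visible here.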


@ -147,3 +147,7 @@ func TestShouldFailToParseInvalidJSON_SystemConfig(t *testing.T) {
assert.Equal(t, "failed to parse [SystemConfig]: json: cannot unmarshal number into Go struct field IntermediateTypeSystemConfig.IsDefault of type bool", err.Error())
}
func TestShouldSetRemoveRpmDbToFalse(t *testing.T) {
assert.Equal(t, validSystemConfig.RemoveRpmDb, false)
}
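Review bot: `TestShouldSetRemoveRpmDbToFalse` only reads a field of the `validSystemConfig` fixture and never decodes JSON, and `false` is the zero value of `bool`, so it would still pass if the `RemoveRpmDb` key were never parsed at all. A case that unmarshals a document containing `"RemoveRpmDb": true` and asserts the field is true would cover the new option. Assuming this is testify, `assert.Equal` takes the expected value first, so `assert.False(t, validSystemConfig.RemoveRpmDb)` would read more directly. `validSystemConfig` is defined outside the hunk.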


@ -171,7 +171,8 @@
"Encryption" : {
"Enable": true,
"Password": "EncryptPassphrase123"
}
},
"RemoveRpmDb": false
},
{
"Name": "BiggerDiskA",


@ -30,9 +30,13 @@ const (
rootMountPoint = "/"
rootUser = "root"
// rpmDependenciesDirectory is the directory which contains RPM database. It is not required for images that do not contain RPM.
rpmDependenciesDirectory = "/var/lib/rpm"
// /boot directory should be only accesible by root. The directories need the execute bit as well.
bootDirectoryFileMode = 0600
bootDirectoryDirMode = 0700
shadowFile = "/etc/shadow"
)
// PackageList represents the list of packages to install into an image
@ -274,6 +278,20 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s
return
}
if !config.RemoveRpmDb {
// User wants to avoid removing the RPM database.
logger.Log.Debug("RemoveRpmDb is not turned on. Skipping RPM database cleanup.")
} else {
defer func() {
// Signal an error if cleanup fails; don't overwrite the previous error though.
// Failure to clean up the RPM database constitutes a build break.
cleanupErr := cleanupRpmDatabase(installRoot)
if err == nil {
err = cleanupErr
}
}()
}
// Calculate how many packages need to be installed so an accurate percent complete can be reported
totalPackages, err := calculateTotalPackages(packagesToInstall, installRoot)
if err != nil {
@ -843,8 +861,17 @@ func addUsers(installChroot *safechroot.Chroot, users []configuration.User) (err
// If no root entry was specified in the config file, never expire the root password
if !rootUserAdded {
logger.Log.Debugf("No root user entry found in config file. Setting root password to never expire.")
// Ignore updating if there is no shadow file to update
if exists, ferr := file.PathExists(shadowFile); ferr != nil {
logger.Log.Error("Error accessing shadow file.")
return ferr
} else if !exists {
logger.Log.Debugf("No shadow file to update. Skipping setting password to never expire.")
return
}
err = installChroot.UnsafeRun(func() error {
return shell.ExecuteLive(squashErrors, "chage", "-M", "-1", "root")
return chage(-1, "root")
})
}
return
@ -852,12 +879,11 @@ func addUsers(installChroot *safechroot.Chroot, users []configuration.User) (err
func createUserWithPassword(installChroot *safechroot.Chroot, user configuration.User) (homeDir string, isRoot bool, err error) {
const (
squashErrors = false
rootHomeDir = "/root"
userHomeDirPrefix = "/home"
passwordExpiresBase = 10
postfixLength = 12
alphaNumeric = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
squashErrors = false
rootHomeDir = "/root"
userHomeDirPrefix = "/home"
postfixLength = 12
alphaNumeric = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)
var (
@ -900,8 +926,20 @@ func createUserWithPassword(installChroot *safechroot.Chroot, user configuration
logger.Log.Warnf("Ignoring UID for (%s) user, using default", rootUser)
}
// Update shadow file
err = updateUserPassword(installChroot.RootDir(), user.Name, hashedPassword)
if exists, ferr := file.PathExists(shadowFile); ferr != nil {
logger.Log.Error("Error accessing shadow file.")
err = ferr
return
} else if !exists {
logger.Log.Debugf("No shadow file to update. Skipping updating user password..")
} else {
// Update shadow file
err = updateUserPassword(installChroot.RootDir(), user.Name, hashedPassword)
if err != nil {
logger.Log.Warnf("Encountered a problem when updating root user password: %s", err)
return
}
}
isRoot = true
} else {
homeDir = filepath.Join(userHomeDirPrefix, user.Name)
@ -920,21 +958,112 @@ func createUserWithPassword(installChroot *safechroot.Chroot, user configuration
return
}
err = user.PasswordExpiresDaysIsValid()
if err != nil {
return
}
// Update password expiration
if user.PasswordExpiresDays != 0 {
// Ignore updating if there is no shadow file to update
if exists, ferr := file.PathExists(shadowFile); ferr != nil {
logger.Log.Error("Error accessing shadow file.")
err = ferr
return
} else if !exists {
logger.Log.Debugf("No shadow file to update. Skipping updating password expiration.")
return
}
err = installChroot.UnsafeRun(func() error {
return shell.ExecuteLive(squashErrors, "chage", "-M", strconv.FormatInt(user.PasswordExpiresDays, passwordExpiresBase), user.Name)
return chage(user.PasswordExpiresDays, user.Name)
})
}
return
}
// chage works in the same way as invoking "chage -M passwordExpirationInDays username"
// i.e. it sets the maximum password expiration date.
func chage(passwordExpirationInDays int64, username string) (err error) {
var (
shadow []string
usernameWithColon = fmt.Sprintf("%s:", username)
)
shadow, err = file.ReadLines(shadowFile)
if err != nil {
return
}
for n, entry := range shadow {
done := false
// Entries in shadow are separated by colon and start with a username
// Finding one that starts like that means we've found our entry
if strings.HasPrefix(entry, usernameWithColon) {
// Each line in shadow contains 9 fields separated by colon ("") in the following order:
// login name, encrypted password, date of last password change,
// minimum password age, maximum password age, password warning period,
// password inactivity period, account expiration date, reserved field for future use
const (
passwordNeverExpiresValue = -1
loginNameField = 0
encryptedPasswordField = 1
passwordChangedField = 2
minPasswordAgeField = 3
maxPasswordAgeField = 4
warnPeriodField = 5
inactivityPeriodField = 6
expirationField = 7
reservedField = 8
totalFieldsCount = 9
)
fields := strings.Split(entry, ":")
// Any value other than totalFieldsCount indicates error in parsing
if len(fields) != totalFieldsCount {
return fmt.Errorf(`invalid shadow entry "%v" for user "%s": %d fields expected, but %d found.`, fields, username, totalFieldsCount, len(fields))
}
if passwordExpirationInDays == passwordNeverExpiresValue {
// If passwordExpirationInDays is equal to -1, it means that password never expires.
// This is expressed by leaving account expiration date field (and fields after it) empty.
for _, fieldToChange := range []int{maxPasswordAgeField, warnPeriodField, inactivityPeriodField, expirationField, reservedField} {
fields[fieldToChange] = ""
}
// Each user appears only once, since we found one, we are finished; save the changes and exit.
done = true
} else if passwordExpirationInDays < passwordNeverExpiresValue {
// Values smaller than -1 make no sense
return fmt.Errorf(`invalid value for maximum user's "%s" password expiration:(%d); should be greater than %d`, username, passwordExpirationInDays, passwordNeverExpiresValue)
} else {
// If passwordExpirationInDays has any other value, it's the maximum expiration date: set it accordingly
// To do so, we need to ensure that passwordChangedField holds a valid value and then sum it with passwordExpirationInDays.
var (
passwordAge int64
passwordChanged = fields[passwordChangedField]
)
if passwordChanged == "" {
// Set to the number of days since epoch
fields[passwordChangedField] = fmt.Sprintf("%d", int64(time.Since(time.Unix(0, 0)).Hours()/24))
}
passwordAge, err = strconv.ParseInt(fields[passwordChangedField], 10, 64)
if err != nil {
return
}
fields[expirationField] = fmt.Sprintf("%d", passwordAge+passwordExpirationInDays)
// Each user appears only once, since we found one, we are finished; save the changes and exit.
done = true
}
if done {
// Create and save new shadow file including potential changes from above.
shadow[n] = strings.Join(fields, ":")
err = file.Write(strings.Join(shadow, "\n"), shadowFile)
return
}
}
}
return fmt.Errorf(`user "%s" not found when trying to change the password expiration date`, username)
}
func configureUserGroupMembership(installChroot *safechroot.Chroot, user configuration.User) (err error) {
const squashErrors = false
@ -1041,14 +1170,11 @@ func provisionUserSSHCerts(installChroot *safechroot.Chroot, user configuration.
}
func updateUserPassword(installRoot, username, password string) (err error) {
const (
shadowFilePath = "etc/shadow"
sedDelimiter = "|"
)
const sedDelimiter = "|"
findPattern := fmt.Sprintf("%v:x:", username)
replacePattern := fmt.Sprintf("%v:%v:", username, password)
filePath := filepath.Join(installRoot, shadowFilePath)
filePath := filepath.Join(installRoot, shadowFile)
err = sed(findPattern, replacePattern, sedDelimiter, filePath)
if err != nil {
logger.Log.Warnf("Failed to write hashed password to shadow file")
@ -1285,6 +1411,21 @@ func copyAdditionalFiles(installChroot *safechroot.Chroot, config configuration.
return
}
// cleanupRpmDatabase removes RPM database if the image does not require a package manager.
// rootPrefix is prepended to the RPM database path - useful when RPM database resides in a chroot and cleanupRpmDatabase can't be called from within the chroot.
func cleanupRpmDatabase(rootPrefix string) (err error) {
logger.Log.Info("Attempting RPM database cleanup...")
rpmDir := filepath.Join(rootPrefix, rpmDependenciesDirectory)
err = os.RemoveAll(rpmDir)
if err != nil {
logger.Log.Errorf("Failed to remove RPM database (%s). Error: %s", rpmDir, err)
err = fmt.Errorf("failed to remove RPM database (%s): %s", rpmDir, err)
} else {
logger.Log.Infof("Cleaned up RPM database (%s)", rpmDir)
}
return
}
func runPostInstallScripts(installChroot *safechroot.Chroot, config configuration.SystemConfig) (err error) {
const squashErrors = false
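Review bot: The three new `file.PathExists(shadowFile)` guards in `addUsers` and `createUserWithPassword` are evaluated outside `installChroot.UnsafeRun`, so they appear to test the build host's `/etc/shadow` rather than the image's, whereas `updateUserPassword` joins the path with the install root. On a host that has a shadow file, the "skip" branches would never be taken for an image that lacks one, and the password or expiry update would then run against a missing file. Checking `filepath.Join(installChroot.RootDir(), shadowFile)` would make each guard match the file that `chage` and `updateUserPassword` later modify. Separately, `chage` writes the computed day count into `expirationField` (account expiration) and leaves `maxPasswordAgeField` untouched, which differs from what `chage -M` sets; it is worth confirming that is intended. Both `addUsers` and `createUserWithPassword` begin outside the hunks shown.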


@ -110,7 +110,7 @@ func buildSystemConfig(systemConfig configuration.SystemConfig, disks []configur
return
}
isRootFS = (len(systemConfig.PartitionSettings) == 0)
isRootFS = len(systemConfig.PartitionSettings) == 0
if isRootFS {
logger.Log.Infof("Creating rootfs")
additionalExtraMountPoints, additionalExtraDirectories, err := setupRootFS(outputDir, installRoot)
@ -188,7 +188,7 @@ func buildSystemConfig(systemConfig configuration.SystemConfig, disks []configur
return
}
err = cleanupExtraFilesInChroot(setupChroot, systemConfig)
err = cleanupExtraFilesInChroot(setupChroot)
if err != nil {
logger.Log.Error("Failed to cleanup extra files in setup chroot")
return
@ -403,18 +403,28 @@ func fixupExtraFilesIntoChroot(installChroot *safechroot.Chroot, config *configu
return
}
func cleanupExtraFilesInChroot(installChroot *safechroot.Chroot, config configuration.SystemConfig) (err error) {
func cleanupExtraFiles() (err error) {
dirsToRemove := []string{additionalFilesTempDirectory, postInstallScriptTempDirectory, sshPubKeysTempDirectory}
for _, dir := range dirsToRemove {
logger.Log.Infof("Cleaning up directory %s", dir)
err = os.RemoveAll(dir)
if err != nil {
logger.Log.Errorf("Failed to cleanup directory (%s). Error: %s", dir, err)
logger.Log.Warnf("Failed to cleanup directory (%s). Error: %s", dir, err)
return
}
}
return
}
func cleanupExtraFilesInChroot(chroot *safechroot.Chroot) (err error) {
logger.Log.Infof("Proceeding to cleanup extra files in chroot %s.", chroot.RootDir())
err = chroot.Run(func() error {
return cleanupExtraFiles()
})
return
}
func buildImage(mountPointMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string, packagesToInstall []string, systemConfig configuration.SystemConfig, diskDevPath string, isRootFS bool, encryptedRoot diskutils.EncryptedRootDevice) (err error) {
const (
installRoot = "/installroot"