Security fix for CVE-2021-3602

bump podman to v3.2.3

include podman-machine-cni in podman-plugins subpackage

bump crun to 0.20.1


Fix secrets definition in /usr/share/containers/containers.conf

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2021-0c53d8738d

This update has been submitted for testing by lsm5.

a year ago

This update's test gating status has been changed to 'failed'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update has obsoleted podman-3.2.0-1.fc33, and has inherited its bugs and notes.

a year ago

lsm5 edited this update.

New build(s):

  • containernetworking-plugins-1.0.0-0.2.rc1.fc33

Karma has been reset.

a year ago

This update's test gating status has been changed to 'failed'.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

New build(s):

  • podman-3.2.0-3.fc33

Removed build(s):

  • podman-3.2.0-2.fc33

Karma has been reset.

a year ago

This update has been pushed to testing.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

lsm5 edited this update.

New build(s):

  • podman-3.2.0-4.fc33
  • crun-0.20.1-1.fc33
  • containers-common-1-17.fc33

Removed build(s):

  • podman-3.2.0-3.fc33

Karma has been reset.

a year ago

This update has been submitted for testing by lsm5.

a year ago

This update's test gating status has been changed to 'failed'.

a year ago

This update has obsoleted crun-0.20-1.fc33, and has inherited its bugs and notes.

a year ago

lsm5 edited this update.

a year ago

This update has been pushed to testing.

a year ago
carlwgeorge commented & provided feedback a year ago

This update doesn't install.

# dnf --enablerepo updates-testing update --advisory FEDORA-2021-0c53d8738d
Last metadata expiration check: 0:35:23 ago on Wed 09 Jun 2021 09:50:34 PM CDT.
Dependencies resolved.

 Problem: package podman-3:3.2.0-4.fc33.x86_64 requires crun < 0.20-1, but none of the providers can be installed
  - cannot install both crun-0.20.1-1.fc33.x86_64 and crun-0.19.1-3.fc33.x86_64
  - cannot install both crun-0.20.1-1.fc33.x86_64 and crun-0.15-5.fc33.x86_64
  - cannot install the best update candidate for package podman-3:3.1.2-2.fc33.x86_64
  - cannot install the best update candidate for package crun-0.19.1-3.fc33.x86_64
==============================================================================================
 Package                         Arch       Version                 Repository           Size
==============================================================================================
Upgrading:
 containernetworking-plugins     x86_64     1.0.0-0.2.rc1.fc33      updates-testing     9.9 M
 containers-common               noarch     4:1-17.fc33             updates-testing      59 k
 crun                            x86_64     0.20.1-1.fc33           updates-testing     171 k
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 crun                            x86_64     0.15-5.fc33             fedora              156 k
Skipping packages with broken dependencies:
 podman                          x86_64     3:3.2.0-4.fc33          updates-testing      12 M

Transaction Summary
==============================================================================================
Upgrade  3 Packages
Skip     2 Packages

Total download size: 10 M
Is this ok [y/N]:
santiago commented & provided feedback a year ago

Agreed. @lsm5 perhaps you meant to use >= for the crun requires?
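
The two points above, the `<` versus `>=` requirement on crun and (from the "How to install" section) confirming that the fixed builds actually landed, as an added example that is not part of this update, of podman's packaging, or of Bodhi. It implements version comparison the way librpm's rpmvercmp does; the EVR rules are a simplification (a missing epoch is treated as 0, release is compared only when both sides carry one), the `FIXED` table is my reading of this page's edit history, and the `rpm -q` sample is constructed.

```python
"""Added example: not podman's packaging code and not from Bodhi.

Reproduces, without rpm or dnf on the machine, why `Requires: crun < 0.20-1`
in podman-3.2.0-4 cannot be met by the crun-0.20.1-1 shipped in the same
update while `>=` can, and checks a host against the builds the update shipped.
"""
import re


def rpmvercmp(a: str, b: str) -> int:
    """librpm's rpmvercmp: numeric segments compare as integers, alphabetic ones
    as strings, numeric beats alphabetic, '~' sorts before anything (1.0~rc1 < 1.0)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not re.match(r"[0-9A-Za-z~^]", a[i]):
            i += 1                      # separators ('.', '-', '_', ...) are skipped
        while j < len(b) and not re.match(r"[0-9A-Za-z~^]", b[j]):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb):             # the side carrying the tilde is older
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):             # like tilde, except end-of-string is older
            if ca != cb:
                return -1 if not ca else 1 if not cb else (1 if cb == "^" else -1)
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        pat = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if not mb:                      # segment types differ: the numeric side is newer
            return 1 if ca.isdigit() else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """'3:3.2.0-4.fc33' -> (3, '3.2.0', '4.fc33'); epoch and release are optional.
    '(none)' is what rpm's %{EPOCH} query tag prints when there is no epoch."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return (0 if epoch == "(none)" else int(epoch)), version, release


def evrcmp(x: str, y: str) -> int:
    """Simplified EVR comparison: epoch, then version, then release if both have one."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    rc = rpmvercmp(vx, vy)
    return rpmvercmp(rx, ry) if rc == 0 and rx and ry else rc


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">=": lambda c: c >= 0, ">": lambda c: c > 0}


def satisfies(provided: str, op: str, required: str) -> bool:
    return OPS[op](evrcmp(provided, required))


# The three crun builds dnf considered in Carl's transcript above.
CRUN_CANDIDATES = ["0.20.1-1.fc33", "0.19.1-3.fc33", "0.15-5.fc33"]


def crun_candidates_matching(op: str, required: str = "0.20-1"):
    """Which crun builds could satisfy `Requires: crun <op> 0.20-1`."""
    return [c for c in CRUN_CANDIDATES if satisfies(c, op, required)]


# Builds this update shipped, as far as the edit history on this page shows
# (assumption); epochs as dnf printed them (podman 3:, containers-common 4:).
FIXED = {"podman": "3:3.2.3-1.fc33", "crun": "0.20.1-1.fc33",
         "containers-common": "4:1-20.fc33", "skopeo": "1.3.1-1.fc33",
         "containernetworking-plugins": "1.0.0-0.2.rc1.fc33"}


def fix_status(rpm_q_output: str) -> dict:
    # Input is the output of: rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' <pkgs>
    # True means the installed build is at or past the one this update shipped.
    status = {}
    for line in rpm_q_output.splitlines():
        name, _, evr = line.strip().partition(" ")
        if name in FIXED:
            status[name] = evrcmp(evr, FIXED[name]) >= 0
    return status


# Constructed sample: podman and crun are the pre-upgrade versions in the transcript
# above; the containers-common line is made up for the demonstration.
SAMPLE_BEFORE = "podman 3:3.1.2-2.fc33\ncrun (none):0.19.1-3.fc33\ncontainers-common 4:1-16.fc33\n"

if __name__ == "__main__":
    for op in ("<", ">="):
        print(f"crun {op} 0.20-1 satisfiable by: {crun_candidates_matching(op)}")
    print("fixed builds installed:", fix_status(SAMPLE_BEFORE))
```

With `<`, the only crun builds that qualify are the two being replaced, which is exactly the "cannot install both" conflict dnf reported; with `>=` only the new crun qualifies. To check a real host, feed the output of `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' podman crun containers-common skopeo containernetworking-plugins` to `fix_status`.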

lsm5 commented & provided feedback a year ago

Whoops, fixing now. Thanks for the comments, Carl and Ed.

lsm5 edited this update.

New build(s):

  • podman-3.2.0-5.fc33

Removed build(s):

  • podman-3.2.0-4.fc33

Karma has been reset.

a year ago

This update has been submitted for testing by lsm5.

a year ago
lsm5 commented & provided feedback a year ago

Fixed now, please check it out.

santiago commented & provided feedback a year ago

Rootless is broken. Needs container-selinux 2.162 which is not building in koji.

lsm5 edited this update.

New build(s):

  • container-selinux-2.162.2-2.fc33

Karma has been reset.

a year ago
santiago commented & provided feedback a year ago

Whew! With new container-selinux, LGTM. Passes podman and podman-remote tests, root and rootless.

tomsweeneyredhat commented & provided feedback a year ago

Passes podman baseline tests as root user.

BZ#1962008 [podman][systemd] /usr/lib/systemd/system/cni-dhcp.service wrong executable
cevich commented & provided feedback a year ago

grumble...grumble...grumble...@lsm5 I'm still only seeing podman-3.2.0-4. I tried dnf clean all but no love. Downloading the files manually and will try that way...

cevich commented & provided feedback a year ago

...so on a freshly installed F33 VM (never run any containers before) the SELinux label update on upgrade fails:

[root@localhost ~]# dnf upgrade ...big list of download URLs...
...cut...
  Running scriptlet: container-selinux-2:2.162.2-2.fc33.noarch                    4/8
  Upgrading        : container-selinux-2:2.162.2-2.fc33.noarch                    4/8
  Running scriptlet: container-selinux-2:2.162.2-2.fc33.noarch                    4/8
Deprecated, use selabel_lookup

  Cleanup          : container-selinux-2:2.160.2-1.fc33.noarch                    5/8
  Running scriptlet: container-selinux-2:2.160.2-1.fc33.noarch                    5/8
Fixing Rootless SELinux labels in homedir
warning: %triggerpostun(container-selinux-2:2.162.2-2.fc33.noarch) scriptlet failed, exit status 255

Error in <unknown> scriptlet in rpm package container-selinux

I'm guessing it's failing due to not finding any $HOME/.local/share/containers. Maybe a simple fix?

cevich commented & provided feedback a year ago

Okay, I tried building a custom nginx container and running it (rootless) while curling from it, and erasing/re-installing packages (container-selinux especially). It seems to behave and I do not see that scriptlet failure anymore, so it's most definitely happening for users w/o any container storage. This is something that should be fixed but isn't worth holding up the release. I'll file a separate BZ for it.

I also tried but failed to reproduce the issue described in BZ#1962008

BZ#1962008 [podman][systemd] /usr/lib/systemd/system/cni-dhcp.service wrong executable

This update has been pushed to testing.

a year ago
carlwgeorge provided feedback a year ago

lsm5 edited this update.

New build(s):

  • podman-3.2.2-1.fc33
  • containers-common-1-18.fc33

Removed build(s):

  • containers-common-1-17.fc33
  • container-selinux-2.162.2-2.fc33
  • podman-3.2.0-5.fc33

Karma has been reset.

a year ago

This update has been submitted for testing by lsm5.

a year ago

This update has obsoleted podman-3.2.1-1.fc33, and has inherited its bugs and notes.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

a year ago

This update has been pushed to testing.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

New build(s):

  • buildah-1.21.2-1.fc33

Karma has been reset.

a year ago

This update has been submitted for testing by lsm5.

a year ago

This update's test gating status has been changed to 'failed'.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

New build(s):

  • skopeo-1.3.1-1.fc33

Karma has been reset.

a year ago
santiago commented & provided feedback a year ago

Podman LGTM. Buildah, though, is failing a lot of its system tests; and I can't figure out why, and I'm about to give up for the day.

This update has been pushed to testing.

a year ago

lsm5 edited this update.

Removed build(s):

  • buildah-1.21.2-1.fc33

Karma has been reset.

a year ago

This update has been submitted for testing by lsm5.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago
santiago provided feedback a year ago

lsm5 commented & provided feedback a year ago

Removing buildah, as gating tests for it will need some work.

lsm5 edited this update.

a year ago
santiago commented & provided feedback a year ago

This update has been pushed to testing.

a year ago

This update's test gating status has been changed to 'failed'.

a year ago
lsm5 commented & provided feedback a year ago

@santiago looks like gating tests that were passing earlier are failing now, do you think re-running would help?

santiago commented & provided feedback a year ago

I was just looking at those. No, these aren't flakes. I'm pretty sure this is a kernel issue: between the last (successful) run and now, the kernel bumped, and something broke.

santiago commented & provided feedback a year ago

Or maybe it's selinux instead. Sure, can you try rerunning? I'm running tests on my end atm.

adamwill commented & provided feedback a year ago

OpenQA tests are also failing on this update, see "automated tests" tab. A podman pull registry.fedoraproject.org... command gives an Error initializing source...manifest unknown error. Runs of the same test on other F33 updates are passing, so the problem is definitely specific to the packages in this update.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

a year ago
santiago commented & provided feedback a year ago

see "automated tests" tab.

Specifically, the "update podman" test, eventually drilling down to this log file, which does indeed include a failure regarding registry.fedoraproject.org, although I don't find the string manifest anywhere. @adamwill can you link to the exact log file you're looking at? I have no idea what these tests are, or who wrote them, or how to look at logs, or even how to read those unreadable logs.

FWIW tests pass for me on a 1minutetip f33 VM.

santiago commented & provided feedback a year ago

@adamwill is there a way to restart/rerun this test? I can't reproduce the failure, and I know that registry.fedoraproject.org has been a source of flakes for some years. When we do 'pull' in our tests, it's often with || (sleep 6;pull again).

adamwill commented & provided feedback a year ago

@santiago it would already have been auto-retried once (we auto-retry all failed update tests one time). It also failed exactly the same way on prod and stg. So that's likely four identical failures (I'll double check the initial fails were the same).

And as I said, it is passing on other f33 updates. If it was flaky we'd have problems with it failing on other updates, but it isn't.

adamwill commented & provided feedback a year ago

@santiago the failure is visible in the screenshot with the red border (red border means that is where the test failed). One of the downloadable assets on the assets tab should be a tarball of the whole /var/log directory from the test system, which should provide all the logs you need. The test execution logs aren't usually relevant to real test failures (they're more for debugging issues in the tests).

adamwill commented & provided feedback a year ago

https://openqa.fedoraproject.org/tests/922123/file/podman-var_log.tar.gz is the /var/log tarball. I checked, and the test did indeed fail twice on both prod and stg in the same way, so four identical failures. It has not failed on any other F33 update since we started running it, as you can see from https://openqa.fedoraproject.org/tests/922123#next_previous , including three passes for other updates after the failure on this update.

t3rm1n4l commented & provided feedback a year ago

Works for me.

lsm5 edited this update.

a year ago
adamwill commented & provided feedback a year ago

Looks like openQA tests passed this time, thanks.

lsm5 edited this update.

New build(s):

  • podman-3.2.3-1.fc33

Removed build(s):

  • podman-3.2.2-1.fc33

Karma has been reset.

a year ago

This update has been submitted for testing by lsm5.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

a year ago

lsm5 edited this update.

New build(s):

  • containers-common-1-20.fc33

Removed build(s):

  • containers-common-1-18.fc33

Karma has been reset.

a year ago

This update has obsoleted containers-common-1-19.fc33, and has inherited its bugs and notes.

a year ago

This update has been pushed to testing.

a year ago
andilinux commented & provided feedback a year ago

Works fine.

santiago commented & provided feedback a year ago

LGTM - all tests passing, including podman. Current failures in this bodhi are the RELRO flake.

carlwgeorge provided feedback a year ago

ngompa provided feedback a year ago
BZ#1958474 dnf update causes error: The futex facility returned an unexpect
BZ#1962008 [podman][systemd] /usr/lib/systemd/system/cni-dhcp.service wrong executable
BZ#1969264 CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation
BZ#1982881 CVE-2021-3602 podman: buildah: Host environment variables leaked in build container when using chroot isolation [fedora-all]

This update has been submitted for stable by bodhi.

a year ago

FEDORA-2021-0c53d8738d ejected from the push because 'Required tests did not pass on this update'

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

This update has been submitted for stable by lsm5.

a year ago

This update has been pushed to stable.

a year ago


Metadata

Type: security
Severity: medium
Karma: 4
Signed
Content Type: RPM
Test Gating

Settings

Unstable by Karma: -3
Stable by Karma: 4
Stable by Time: 7 days

Dates

submitted: a year ago
in testing: a year ago
in stable: a year ago
modified: a year ago

Bugs (feedback counts, negative / positive)

BZ#1958474 dnf update causes error: The futex facility returned an unexpect (0 / 1)
BZ#1962008 [podman][systemd] /usr/lib/systemd/system/cni-dhcp.service wrong executable (0 / 1)
BZ#1969264 CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation (0 / 1)
BZ#1982881 CVE-2021-3602 podman: buildah: Host environment variables leaked in build container when using chroot isolation [fedora-all] (0 / 1)