Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v3.2.3-rhel] fix CVE-2022-1227 #13915

Merged
merged 7 commits into from
Apr 21, 2022
Merged

[v3.2.3-rhel] fix CVE-2022-1227 #13915

merged 7 commits into from
Apr 21, 2022

Conversation

vrothberg
Copy link
Member

Vendor in the backports for psgo from the dedicated v1.5.2-podman-3.2.3
branch.

Signed-off-by: Valentin Rothberg [email protected]

@TomSweeneyRedHat @jnovy PTAL

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 19, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 19, 2022
@vrothberg
Copy link
Member Author

@cevich the images are gone. Can you take a look?

@cevich
Copy link
Member

cevich commented Apr 19, 2022

@vrothberg try using image id c6737534580424704. This is from the v3.3.1-rhel branch, which is a close match to this one. I'm not sure if other script tweaks may be needed, but the images for this branch are definitely gone and irrecoverable. Besides manually testing, this is the best I can think of.

@vrothberg
Copy link
Member Author

Thank you, @cevich! I added another commit on top.

@cevich cevich mentioned this pull request Apr 19, 2022
Merged
@vrothberg
Copy link
Member Author

Need to backport #13290 for CI fixes.

@cevich
Copy link
Member

cevich commented Apr 19, 2022
edited
Loading

Fix for APIv2 failure: https://github.com/containers/podman/pull/13239/files#diff-78e94c5d76d1e6550157ecd4414bd675727c1062551c1075d70718ea412520ae

( PR #13239 )

@vrothberg vrothberg force-pushed the 3.2-backports branch 2 times, most recently from 05854fe to 7efb615 Compare April 20, 2022 08:30
@vrothberg
Copy link
Member Author

Looks like we need containers/common#858 to make CI happy.

@vrothberg vrothberg force-pushed the 3.2-backports branch 3 times, most recently from b80a29e to 3d2b987 Compare April 20, 2022 11:33
@rhatdan
Copy link
Member

rhatdan commented Apr 20, 2022

/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 20, 2022
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2022
@vrothberg
Copy link
Member Author

Too optimistic. Some things are still barking -.-

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2022
@rhatdan
Copy link
Member

rhatdan commented Apr 20, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2022
@vrothberg
Copy link
Member Author

/hold

@vrothberg
Copy link
Member Author

There may still be a number of network flakes left. Let's see 👀

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2022
@vrothberg vrothberg force-pushed the 3.2-backports branch 2 times, most recently from 76fd33c to 758dd0a Compare April 20, 2022 15:01
@vrothberg
Copy link
Member Author

Notes from the meeting: in case e2e tests are still barking, disable them and rely on system tests only.

@vrothberg
Copy link
Member Author

@Luap99 it looks like network prune are left to tackle. Do you know how to make them happy?

@Luap99
Copy link
Member

Luap99 commented Apr 20, 2022

I remember this being an annoying flake but never that it would fail across all tests.
Note that the backport 1b5f64f is not suitable for 3.2. Only 3.4 onwards create automatically a podman network for users. Can you just drop the backport? It may flake in or or two runs but you could restart it again.

@cevich
Copy link
Member

cevich commented Apr 20, 2022

IIUC: We can rollback quite a few backports here and simply disable the integration tests, ya? If so, simply removing the int_*_task sections from .cirrus.yml (don't forget to update success_task dependencies`) is sufficient. I'm involved in some other things at the moment, if another maintainer is able to do this and force-push to Valentin's branch. Otherwise I probably can't get to it until tomorrow 😞

@vrothberg
fix CVE-2022-1227
3a902de 
Vendor in the backports for psgo from the dedicated v1.5.2-podman-3.2.3
branch.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
cirrus: update image
e6ed1d4 
Update the image to c6737534580424704 to revive CI on the
rhel branch.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
cirrus: disable compose test
0319af3 
Compose is not officially supported in the v3.2.3-rhel branch,
so disable it to turn CI green.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
CI fix: cirrus: rootless: load iptables
a67584a 
Since rootless cannot otherwise.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg vrothberg force-pushed the 3.2-backports branch 3 times, most recently from e3b8cd1 to f9cddf7 Compare April 21, 2022 07:33
@vrothberg
cirrus: disable integration tasks
00d876d 
They are too flaky on this stable branch.  The system tests are
sufficient to pass gating.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
cirrus: disable bud task
eab7759 
Same game as for the other tasks.  It's flaking and we decided to rely
on the system tests.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
cirrus: disable apiv2 task
b659678 
Business as usual.  It's flaky and we agreed to only run the system
tests.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
Copy link
Member Author

@Luap99 PTAL

Let's get this in

@Luap99
Copy link
Member

Luap99 commented Apr 21, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 21, 2022
@vrothberg
Copy link
Member Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 21, 2022
@openshift-merge-robot openshift-merge-robot merged commit e493ef9 into containers:v3.2.3-rhel Apr 21, 2022
@vrothberg vrothberg deleted the 3.2-backports branch April 21, 2022 11:27
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@rhatdan rhatdan

@Luap99 Luap99

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@vrothberg @cevich @rhatdan @Luap99 @openshift-merge-robot