From 549de110a6bb56129b50d9cbd6764d33df9c2991 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Fri, 9 Apr 2021 16:26:51 -0700
Subject: [PATCH 01/60] Add scripts/files used to generate https://hub.docker.com/r/tianon/gosu
---
 hub/Dockerfile.alpine | 21 ++++++++++++++
 hub/Dockerfile.debian | 26 +++++++++++++++++
 hub/alpine.yml | 9 ++++++
 hub/build.sh | 65 +++++++++++++++++++++++++++++++++++++++++++
 hub/debian.yml | 10 +++++++
 hub/latest.yml | 11 ++++++++
 6 files changed, 142 insertions(+)
 create mode 100644 hub/Dockerfile.alpine
 create mode 100644 hub/Dockerfile.debian
 create mode 100644 hub/alpine.yml
 create mode 100755 hub/build.sh
 create mode 100644 hub/debian.yml
 create mode 100644 hub/latest.yml
diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine
new file mode 100644
index 0000000..f1b8a55
--- /dev/null
+++ b/hub/Dockerfile.alpine
@@ -0,0 +1,21 @@
+FROM alpine:3.13
+
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.12
+
+RUN set -eux; \
+ apk add --no-cache --virtual .fetch-deps dpkg gnupg; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"; unset GNUPGHOME; \
+ apk del --no-network .fetch-deps; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true; \
+# hard link to / for ease of COPY --from
+ ln -v /usr/local/bin/gosu /
diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian
new file mode 100644
index 0000000..7d4b151
--- /dev/null
+++ b/hub/Dockerfile.debian
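Review bot: The check `gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu` accepts a good signature from any key in the keyring, and it is only sound here because `GNUPGHOME="$(mktemp -d)"` two lines earlier gives `--recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4` a keyring that holds exactly that one key; that coupling deserves a comment such as `# fresh single-key keyring: a "good signature" can only come from the pinned fingerprint` so a later edit does not share or pre-populate GNUPGHOME. The `hkps://keys.openpgp.org` fetch also makes every rebuild depend on keyserver availability; committing the public key to the repo and `gpg --import`ing it would remove that runtime dependency without weakening the check. Unlike the Debian variant in this patch, this file installs no `ca-certificates`, so the HTTPS downloads appear to rely on the certificate bundle shipped in the `alpine:3.13` base image — if that is intentional, a one-line comment stating it would save the next reader from re-deriving it.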
@@ -0,0 +1,26 @@
+FROM debian:buster-slim
+
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.12
+
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates dirmngr gnupg wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"; unset GNUPGHOME; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true; \
+# hard link to / for ease of COPY --from
+ ln -v /usr/local/bin/gosu /
diff --git a/hub/alpine.yml b/hub/alpine.yml
new file mode 100644
index 0000000..b27dea7
--- /dev/null
+++ b/hub/alpine.yml
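Review bot: `FROM debian:buster-slim` is pinned by tag only, and `build.sh` in this same patch builds with `docker build --pull`, so each run of the publishing script silently picks up whatever base layer is current for the published `tianon/gosu:debian` image, while `ENV GOSU_VERSION 1.12` and the signature check make the gosu binary itself fully reproducible. Either pin the base by digest (`FROM debian:buster-slim@sha256:…`) or record in a comment that only `/gosu`, not the base layers, is meant to be stable between builds. The detached signature `/usr/local/bin/gosu.asc` is also left in the image after `gpg --batch --verify`; if keeping it is deliberate so consumers can re-verify the binary, a comment saying so would stop a later cleanup from dropping it, and if not, `rm /usr/local/bin/gosu.asc` belongs on the line with `rm -rf "$GNUPGHOME"`.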
@@ -0,0 +1,9 @@
+image: tianon/gosu:alpine
+manifests:
+ - { image: tianon/gosu:alpine-amd64, platform: { os: linux, architecture: amd64 } }
+ - { image: tianon/gosu:alpine-arm32v6, platform: { os: linux, architecture: arm, variant: v6 } }
+ - { image: tianon/gosu:alpine-arm32v7, platform: { os: linux, architecture: arm, variant: v7 } }
+ - { image: tianon/gosu:alpine-arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } }
+ - { image: tianon/gosu:alpine-i386, platform: { os: linux, architecture: 386 } }
+ - { image: tianon/gosu:alpine-ppc64le, platform: { os: linux, architecture: ppc64le } }
+ - { image: tianon/gosu:alpine-s390x, platform: { os: linux, architecture: s390x } }
diff --git a/hub/build.sh b/hub/build.sh
new file mode 100755
index 0000000..1b40ea6
--- /dev/null
+++ b/hub/build.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+declare -A platforms=(
+ [amd64]='linux/amd64'
+ [arm32v5]='linux/arm/v5'
+ [arm32v6]='linux/arm/v6'
+ [arm32v7]='linux/arm/v7'
+ [arm64v8]='linux/arm64/v8'
+ [i386]='linux/386'
+ [mips64le]='linux/mips64le'
+ [ppc64le]='linux/ppc64le'
+ [s390x]='linux/s390x'
+)
+
+declare -A arches=(
+ [alpine]='amd64 arm32v6 arm32v7 arm64v8 i386 ppc64le s390x'
+ [debian]='amd64 arm32v5 arm32v7 arm64v8 i386 mips64le ppc64le s390x'
+)
+preferredOrder=( alpine debian )
+
+_platformToOCI() {
+ local platform="$1"; shift
+ local os="${platform%%/*}"
+ platform="${platform#$os/}"
+ local architecture="${platform%%/*}"
+ platform="${platform#$architecture/}"
+ local variant="$platform"
+ [ "$architecture" != "$variant" ] || variant=
+ echo "{ os: $os, architecture: $architecture${variant:+, variant: $variant} }"
+}
+
+declare -A latest=()
+for variant in "${preferredOrder[@]}"; do
+ cat > "$variant.yml" <<-EOYAML
+ image: tianon/gosu:$variant
+ manifests:
+ EOYAML
+ for arch in ${arches[$variant]}; do
+ platform="${platforms[$arch]}"
+ docker build --pull --platform "$platform" --tag "tianon/gosu:$variant-$arch" - < "Dockerfile.$variant"
+ : "${latest[$arch]:=$variant}"
+ platform="$(_platformToOCI "$platform")"
+ echo " - { image: tianon/gosu:$variant-$arch, platform: $platform }" >> "$variant.yml"
+ done
+done
+
+cat > latest.yml <<-'EOYAML'
+ image: tianon/gosu:latest
+ manifests:
+EOYAML
+for arch in "${!latest[@]}"; do
+ variant="${latest[$arch]}"
+ docker tag "tianon/gosu:$variant-$arch" "tianon/gosu:$arch"
+ platform="$(_platformToOCI "${platforms[$arch]}")"
+ echo " - { image: tianon/gosu:$arch, platform: $platform }" >> latest.yml
+done
+
+echo
+echo '$ # now:'
+echo
+echo '$ docker push --all-tags tianon/gosu'
+for variant in "${preferredOrder[@]}" latest; do
+ echo "\$ manifest-tool push from-spec $variant.yml"
+done
diff --git a/hub/debian.yml b/hub/debian.yml
new file mode 100644
index 0000000..615fa23
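Review bot: The publishing instruction echoed near the end, `echo '$ docker push --all-tags tianon/gosu'`, pushes every local tag under `tianon/gosu`, not only the ones this run produced, so a stale tag left over from an earlier run (for example an architecture later removed from `arches`) would be republished to the Hub with its old contents. Collecting each tag as it is created (`built+=( "tianon/gosu:$variant-$arch" )` in the inner loop, and the `tianon/gosu:$arch` tags in the second loop) and echoing one `docker push` per collected tag keeps what is published equal to what was just built and signature-checked. Separately, `for arch in "${!latest[@]}"` iterates a bash associative array whose key order is unspecified, which is why the generated `latest.yml` in this patch lists mips64le first; `for arch in $(printf '%s\n' "${!latest[@]}" | sort); do` would make the manifest list stable across runs and its diffs meaningful. `_platformToOCI` also strips with the unquoted `${platform#$os/}`, so `$os` is treated as a glob pattern; harmless for the fixed `platforms` table here, but worth a comment so it is not reused with arbitrary input.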
--- /dev/null
+++ b/hub/debian.yml
@@ -0,0 +1,10 @@
+image: tianon/gosu:debian
+manifests:
+ - { image: tianon/gosu:debian-amd64, platform: { os: linux, architecture: amd64 } }
+ - { image: tianon/gosu:debian-arm32v5, platform: { os: linux, architecture: arm, variant: v5 } }
+ - { image: tianon/gosu:debian-arm32v7, platform: { os: linux, architecture: arm, variant: v7 } }
+ - { image: tianon/gosu:debian-arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } }
+ - { image: tianon/gosu:debian-i386, platform: { os: linux, architecture: 386 } }
+ - { image: tianon/gosu:debian-mips64le, platform: { os: linux, architecture: mips64le } }
+ - { image: tianon/gosu:debian-ppc64le, platform: { os: linux, architecture: ppc64le } }
+ - { image: tianon/gosu:debian-s390x, platform: { os: linux, architecture: s390x } }
diff --git a/hub/latest.yml b/hub/latest.yml
new file mode 100644
index 0000000..a1234b4
--- /dev/null
+++ b/hub/latest.yml
@@ -0,0 +1,11 @@
+image: tianon/gosu:latest
+manifests:
+ - { image: tianon/gosu:mips64le, platform: { os: linux, architecture: mips64le } }
+ - { image: tianon/gosu:arm32v5, platform: { os: linux, architecture: arm, variant: v5 } }
+ - { image: tianon/gosu:arm32v6, platform: { os: linux, architecture: arm, variant: v6 } }
+ - { image: tianon/gosu:arm32v7, platform: { os: linux, architecture: arm, variant: v7 } }
+ - { image: tianon/gosu:arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } }
+ - { image: tianon/gosu:s390x, platform: { os: linux, architecture: s390x } }
+ - { image: tianon/gosu:ppc64le, platform: { os: linux, architecture: ppc64le } }
+ - { image: tianon/gosu:i386, platform: { os: linux, architecture: 386 } }
+ - { image: tianon/gosu:amd64, platform: { os: linux, architecture: amd64 } }
From 975771e79e281c541fab943a53243604271b4f59 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Sun, 6 Jun 2021 20:17:22 -0700
Subject: [PATCH 02/60] Switch from GPL to Apache-2.0
Closes https://github.com/tianon/gosu/issues/83 (see that thread for contributor approvals/discussion)
---
 LICENSE | 876 +++++++++++++------------------------------------------------
 main.go | 2 +-
 2 files changed, 203 insertions(+), 675 deletions(-)
diff --git a/LICENSE b/LICENSE
index 94a9ed0..d645695 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,674 +1,202 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. 
- - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. 
- - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. 
- - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. 
Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. 
- - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. 
- - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. 
- - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. 
- - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. 
If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. 
If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. 
- - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. 
For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. 
- - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. 
You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. 
The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
- - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -. 
+ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/main.go b/main.go
index 95b3a6d..8c25974 100644
--- a/main.go
+++ b/main.go
@@ -31,7 +31,7 @@ Usage: {{ .Self }} user-spec command [args]
 {{ .Self }} 1000:1 id
 {{ .Self }} version: {{ .Version }}
-{{ .Self }} license: GPL-3 (full text at https://github.com/tianon/gosu)
+{{ .Self }} license: Apache-2.0 (full text at https://github.com/tianon/gosu)
 `))
 var b bytes.Buffer
 template.Must(t, t.Execute(&b, struct {
From ef96dbb1a74ed82a0c23626adcc4aa99c694bdcf Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Sun, 6 Jun 2021 20:23:48 -0700
Subject: [PATCH 03/60] Update to Go 1.16
---
 Dockerfile | 2 +-
 go.mod | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2430497..e04ce59 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14-alpine3.12
+FROM golang:1.16-alpine3.12
 RUN apk add --no-cache file
diff --git a/go.mod b/go.mod
index f97c934..42d2825 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,5 @@
 module github.com/tianon/gosu
-go 1.14
+go 1.16
 require github.com/opencontainers/runc v1.0.0-rc92
From 7d5b3b52280bb62ffff70bce7d7df30bf906f33a Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Sun, 6 Jun 2021 20:24:05 -0700
Subject: [PATCH 04/60] Update to Alpine 3.13
---
 Dockerfile | 2 +-
 Dockerfile.test-alpine | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e04ce59..d290be5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.16-alpine3.12
+FROM golang:1.16-alpine3.13
 RUN apk add --no-cache file
diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine
index 9fb4e64..60ae271 100644
--- a/Dockerfile.test-alpine
+++ b/Dockerfile.test-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.13
 # add "nobody" to ALL groups (makes testing edge cases more interesting)
 RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody
From 7e121ca5614c441a0c642446047b2c0f35004c23 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Sun, 6 Jun 2021 20:24:15 -0700
Subject: [PATCH 05/60] Add riscv64 binary
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index d290be5..b9a1a3c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,6 +56,10 @@ RUN set -eux; \
 eval "GOARCH=ppc64le go build $BUILD_FLAGS -o /go/bin/gosu-ppc64el"; \
 file /go/bin/gosu-ppc64el
+RUN set -eux; \
+ eval "GOARCH=riscv64 go build $BUILD_FLAGS -o /go/bin/gosu-riscv64"; \
+ file /go/bin/gosu-riscv64
+
 RUN set -eux; \
 eval "GOARCH=s390x go build $BUILD_FLAGS -o /go/bin/gosu-s390x"; \
 file /go/bin/gosu-s390x
From c5d1d961f15edb9044cf23b903949e93c58ca9bf Mon Sep 17 00:00:00 2001
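Review bot: In the riscv64 hunk of PATCH 05/60 the trailing `file /go/bin/gosu-riscv64` is diagnostic only — it prints the ELF description but cannot fail the `RUN`, so the step does not actually verify that a RISC-V binary was produced; a cheap assertion such as `file /go/bin/gosu-riscv64 | grep -q 'RISC-V'` would make the check meaningful (the sibling ppc64le and s390x blocks follow the same pattern, so the change belongs to all of them for consistency). `$BUILD_FLAGS` is defined outside this hunk and is expanded through `eval`, as in the existing blocks, so its contents are re-parsed by the shell; a one-line comment on the first such block, e.g. `# BUILD_FLAGS is eval'd so multi-word/quoted flags are split as the shell would`, would explain why `eval` is used instead of plain expansion. It is not visible here whether the test Dockerfiles or the hub build script enumerate architectures; if they do, riscv64 presumably needs adding there as well.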
From: Tianon Gravi
Date: Sun, 6 Jun 2021 20:24:32 -0700
Subject: [PATCH 06/60] Update to runc 1.0.0-rc95
---
 go.mod | 2 +-
 go.sum | 99 ++++++++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 77 insertions(+), 24 deletions(-)
diff --git a/go.mod b/go.mod
index 42d2825..f2345ef 100644
--- a/go.mod
+++ b/go.mod
@@ -2,4 +2,4 @@ module github.com/tianon/gosu
 go 1.16
-require github.com/opencontainers/runc v1.0.0-rc92
+require github.com/opencontainers/runc v1.0.0-rc95
diff --git a/go.sum b/go.sum
index e1c90b7..cb52388 100644
--- a/go.sum
+++ b/go.sum
@@ -1,56 +1,109 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= -github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc= -github.com/containerd/console v1.0.0/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= -github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= +github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/coreos/go-systemd/v22 v22.3.1/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod 
h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/moby/sys/mountinfo v0.1.3/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o= -github.com/mrunalp/fileutils 
v0.0.0-20200520151820-abd8a0e76976/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0= -github.com/opencontainers/runc v1.0.0-rc92 h1:+IczUKCRzDzFDnw99O/PAqrcBBCoRp9xN3cB1SYSNS4= -github.com/opencontainers/runc v1.0.0-rc92/go.mod h1:X1zlU4p7wOlX4+WRCz+hvlRv8phdL7UqbYD+vQwNMmE= -github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= +github.com/opencontainers/runc v1.0.0-rc95 h1:RMuWVfY3E1ILlVsC3RhIq38n4sJtlOFwU9gfFZSqrd0= +github.com/opencontainers/runc v1.0.0-rc95/go.mod h1:z+bZxa/+Tz/FmYVWkhUajJdzFeOqjc5vrqskhVyHGUM= +github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/russross/blackfriday/v2 v2.0.1/go.mod 
h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 h1:sIky/MyNRSHTrdxfsiUSS4WIAMvInbeXljJz+jDjeYE= -golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs= +golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 7b8c92913d3957a8e9fcff3b06815de485aa5451 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Sun, 6 Jun 2021 20:25:20 -0700 Subject: [PATCH 07/60] Bump version to 1.13 --- version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.go b/version.go index e43fe0c..92685fa 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const Version = "1.12" +const Version = "1.13" 
From 8cddd86eb79efab8e9178f4b7af00f8bce43d579 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Sun, 6 Jun 2021 20:28:30 -0700 Subject: [PATCH 08/60] Add initial GitHub Actions --- .github/workflows/ci.yml | 21 +++++++++++++++++++++ .travis.yml | 9 --------- 2 files changed, 21 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/ci.yml delete mode 100644 .travis.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..b7ce14f --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,21 @@ +name: CI + +on: + pull_request: + push: + +defaults: + run: + shell: 'bash -Eeuo pipefail -x {0}' + +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - run: ./build.sh + - run: ./test.sh gosu-amd64 + - run: ./test.sh gosu-i386 + - run: ./test.sh --debian gosu-amd64 + - run: ./test.sh --debian gosu-i386 diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index d86052e..0000000 --- a/.travis.yml +++ /dev/null @@ -1,9 +0,0 @@ -language: bash -services: - - docker -script: - - ./build.sh - - ./test.sh gosu-amd64 - - ./test.sh gosu-i386 - - ./test.sh --debian gosu-amd64 - - ./test.sh --debian gosu-i386 From cc6a15501b77eaa6dfb0a36b783ab4cff79f3405 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Sun, 6 Jun 2021 20:47:12 -0700 Subject: [PATCH 09/60] Remove unused build badge --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index b5bcf34..9db0cad 100644 --- a/README.md +++ b/README.md 
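Review bot: The new ci.yml declares no `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN scope even though the workflow only builds and tests and also triggers on pull_request; adding `permissions:` / `  contents: read` at the top level makes the token read-only for this workflow. The `- uses: actions/checkout@v2` step references a moving major tag, so the action code executed here can change without any diff in this repository; pinning to the full commit SHA of the release (keeping `# v2` as a trailing comment) makes that dependency auditable. Both are two-line edits to the file as added in this hunk.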
@@ -1,7 +1,5 @@ # gosu -[![Build Status](https://travis-ci.org/tianon/gosu.svg)](https://travis-ci.org/tianon/gosu) - This is a simple tool grown out of the simple fact that `su` and `sudo` have very strange and often annoying TTY and signal-forwarding behavior. They're also somewhat complex to setup and use (especially in the case of `sudo`), which allows for a great deal of expressivity, but falls flat if all you need is "run this specific application as this specific user and get out of the pipeline". The core of how `gosu` works is stolen directly from how Docker/libcontainer itself starts an application inside a container (and in fact, is using the `/etc/passwd` processing code directly from libcontainer's codebase). From d5439258ccc600c10fc16a2041b19205a040ae93 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Sun, 6 Jun 2021 21:04:13 -0700 Subject: [PATCH 10/60] Pre-emptively update a few more version numbers to 1.13 --- INSTALL.md | 4 ++-- hub/Dockerfile.alpine | 2 +- hub/Dockerfile.debian | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index bd9d83c..ba6c3f1 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -18,7 +18,7 @@ RUN set -eux; \ Older Debian releases (or newer `gosu` releases): ```dockerfile -ENV GOSU_VERSION 1.12 +ENV GOSU_VERSION 1.13 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ @@ -59,7 +59,7 @@ RUN set -eux; \ **Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. ```dockerfile -ENV GOSU_VERSION 1.12 +ENV GOSU_VERSION 1.13 RUN set -eux; \ \ apk add --no-cache --virtual .gosu-deps \ diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index f1b8a55..e5f579c 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine 
@@ -1,7 +1,7 @@ FROM alpine:3.13 # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.12 +ENV GOSU_VERSION 1.13 RUN set -eux; \ apk add --no-cache --virtual .fetch-deps dpkg gnupg; \ diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 7d4b151..2445a0e 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,7 +1,7 @@ FROM debian:buster-slim # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.12 +ENV GOSU_VERSION 1.13 RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ From 34383f683cf30052ab16c88ed70181cf1a7dcdcf Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Sun, 6 Jun 2021 22:15:34 -0700 Subject: [PATCH 11/60] Fix sorting in latest.yml --- hub/build.sh | 3 ++- hub/latest.yml | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/hub/build.sh b/hub/build.sh index 1b40ea6..6aafd31 100755 --- a/hub/build.sh +++ b/hub/build.sh @@ -49,7 +49,8 @@ cat > latest.yml <<-'EOYAML' image: tianon/gosu:latest manifests: EOYAML -for arch in "${!latest[@]}"; do +mapfile -d '' sorted < <(printf '%s\0' "${!latest[@]}" | sort -z) +for arch in "${sorted[@]}"; do variant="${latest[$arch]}" docker tag "tianon/gosu:$variant-$arch" "tianon/gosu:$arch" platform="$(_platformToOCI "${platforms[$arch]}")" diff --git a/hub/latest.yml b/hub/latest.yml index a1234b4..619d424 100644 --- a/hub/latest.yml +++ b/hub/latest.yml 
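Review bot: The ordering that the build.sh hunk introduces depends on the caller's locale, because `sort -z` collates under the active LC_COLLATE; a run under a non-C locale can order the arch keys differently from the committed latest.yml and reintroduce the churn this commit removes. Forcing the C locale on the same line, `mapfile -d '' sorted < <(printf '%s\0' "${!latest[@]}" | LC_ALL=C sort -z)`, makes the generated manifest order reproducible across machines. `mapfile -d` also requires bash 4.4 or newer, which is worth a one-line comment above it since the script otherwise looks portable to older bash. The loop body that consumes `sorted` continues outside the hunk.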
@@ -1,11 +1,11 @@ image: tianon/gosu:latest manifests: - - { image: tianon/gosu:mips64le, platform: { os: linux, architecture: mips64le } } + - { image: tianon/gosu:amd64, platform: { os: linux, architecture: amd64 } } - { image: tianon/gosu:arm32v5, platform: { os: linux, architecture: arm, variant: v5 } } - { image: tianon/gosu:arm32v6, platform: { os: linux, architecture: arm, variant: v6 } } - { image: tianon/gosu:arm32v7, platform: { os: linux, architecture: arm, variant: v7 } } - { image: tianon/gosu:arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } } - - { image: tianon/gosu:s390x, platform: { os: linux, architecture: s390x } } - - { image: tianon/gosu:ppc64le, platform: { os: linux, architecture: ppc64le } } - { image: tianon/gosu:i386, platform: { os: linux, architecture: 386 } } - - { image: tianon/gosu:amd64, platform: { os: linux, architecture: amd64 } } + - { image: tianon/gosu:mips64le, platform: { os: linux, architecture: mips64le } } + - { image: tianon/gosu:ppc64le, platform: { os: linux, architecture: ppc64le } } + - { image: tianon/gosu:s390x, platform: { os: linux, architecture: s390x } } From 8afd3dec5fb4fe0356e4fb5d358fe235f7311181 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 16 Aug 2021 17:18:07 -0700 Subject: [PATCH 12/60] Disallow installing gosu with setuid There are workarounds for this, but I will intentionally not be describing them because this is definitely not something I can endorse in any way. Please don't use gosu in this way. --- Dockerfile.test-alpine | 1 + Dockerfile.test-debian | 1 + main.go | 9 +++++++++ 3 files changed, 11 insertions(+) diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index 60ae271..5f21fe7 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine 
@@ -25,6 +25,7 @@ COPY gosu /usr/local/bin/ # adjust users so we can make sure the tests are interesting RUN chgrp nobody /usr/local/bin/gosu \ && chmod +s /usr/local/bin/gosu +ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." USER nobody ENV HOME /omg/really/gosu/nowhere # now we should be nobody, ALL groups, and have a bogus useless HOME value diff --git a/Dockerfile.test-debian b/Dockerfile.test-debian index 5ffaeae..0a22d61 100644 --- a/Dockerfile.test-debian +++ b/Dockerfile.test-debian @@ -27,6 +27,7 @@ COPY gosu /usr/local/bin/ # adjust users so we can make sure the tests are interesting RUN chgrp nogroup /usr/local/bin/gosu \ && chmod +s /usr/local/bin/gosu +ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." USER nobody ENV HOME /omg/really/gosu/nowhere # now we should be nobody, ALL groups, and have a bogus useless HOME value diff --git a/main.go b/main.go index 8c25974..1534ebe 100644 --- a/main.go +++ b/main.go 
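Review bot: The added `ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE…` line has no comment explaining why a test image opts out of the setuid refusal, and the same applies to the identical line in the Dockerfile.test-debian hunk. A reader of either file only sees `chmod +s` two lines above and then an opaque override; a comment such as `# gosu is deliberately installed setuid above to exercise edge cases; opt this test-only image out of the setuid refusal in main.go` makes the intent explicit. It is also worth stating in that comment that the variable is inherited by every process started under this image, so it must never be copied into a production Dockerfile.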
@@ -47,6 +47,15 @@ Usage: {{ .Self }} user-spec command [args] func main() { log.SetFlags(0) // no timestamps on our logs + if ok := os.Getenv("GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES"); ok != "I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." { + if fi, err := os.Stat("/proc/self/exe"); err != nil { + log.Fatalf("error: %v", err) + } else if fi.Mode()&os.ModeSetuid != 0 { + // ... oh no + log.Fatalf("error: %q appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0]) + } + } + if len(os.Args) >= 2 { switch os.Args[1] { case "--help", "-h", "-?": From 220296afacb477291f4235ac5924c45df4535b54 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 17 Aug 2021 09:40:25 -0700 Subject: [PATCH 13/60] Update to Alpine 3.14 and Debian Bullseye --- .github/workflows/ci.yml | 2 ++ Dockerfile | 2 +- Dockerfile.test-alpine | 2 +- Dockerfile.test-debian | 2 +- hub/Dockerfile.alpine | 2 +- hub/Dockerfile.debian | 2 +- 6 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7ce14f..a7e3110 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,3 +19,5 @@ jobs: - run: ./test.sh gosu-i386 - run: ./test.sh --debian gosu-amd64 - run: ./test.sh --debian gosu-i386 + - run: docker build --pull --file hub/Dockerfile.alpine hub + - run: docker build --pull --file hub/Dockerfile.debian hub diff --git a/Dockerfile b/Dockerfile index b9a1a3c..ac78d5b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.16-alpine3.13 +FROM golang:1.16-alpine3.14 RUN apk add --no-cache file 
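Review bot: The guard only tests `os.ModeSetuid`, but `chmod +s` (as used in the test Dockerfiles in this same patch) sets both setuid and setgid, and a setgid install with a privileged group has the same class of consequence; `} else if fi.Mode()&(os.ModeSetuid|os.ModeSetgid) != 0 {` with the message adjusted to say "setuid/setgid" covers both. The `os.Stat("/proc/self/exe")` path also turns an absent or unmounted procfs into a hard `log.Fatalf` for every invocation, including `--help` and `--version`; if gosu is expected to keep working in such environments, the error branch should presumably degrade to a warning rather than exit, though that is a judgment call the commit does not state. As a point of style, the opt-out sentence is duplicated verbatim between main.go and the two test Dockerfiles, so hoisting it into a named package-level `const` keeps the comparison line readable and gives the Dockerfiles a single place to cite. The body of main continues outside the hunk.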
diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index 5f21fe7..7499a88 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine @@ -1,4 +1,4 @@ -FROM alpine:3.13 +FROM alpine:3.14 # add "nobody" to ALL groups (makes testing edge cases more interesting) RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody diff --git a/Dockerfile.test-debian b/Dockerfile.test-debian index 0a22d61..c520ab4 100644 --- a/Dockerfile.test-debian +++ b/Dockerfile.test-debian @@ -1,4 +1,4 @@ -FROM debian:buster-slim +FROM debian:bullseye-slim # add "nobody" to ALL groups (makes testing edge cases more interesting) RUN cut -d: -f1 /etc/group | xargs -n1 -I'{}' usermod -aG '{}' nobody diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index e5f579c..b2df47b 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.13 +FROM alpine:3.14 # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.13 diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 2445a0e..3961d18 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,4 +1,4 @@ -FROM debian:buster-slim +FROM debian:bullseye-slim # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.13 From c5f80cc5d2df0d626f4f470ecf4228512b2a1818 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 17 Aug 2021 10:27:17 -0700 Subject: [PATCH 14/60] Update to runc 1.0.1 --- go.mod | 5 ++++- go.sum | 67 ++++++++++++---------------------------------------------- 2 files changed, 17 insertions(+), 55 deletions(-) diff --git a/go.mod b/go.mod index f2345ef..087b108 100644 --- a/go.mod +++ b/go.mod @@ -2,4 +2,7 @@ module github.com/tianon/gosu go 1.16 -require github.com/opencontainers/runc v1.0.0-rc95 +require ( + github.com/opencontainers/runc v1.0.1 + golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 // indirect +) diff --git a/go.sum b/go.sum index cb52388..0365c27 100644 --- a/go.sum +++ b/go.sum 
@@ -1,109 +1,68 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= -github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= -github.com/coreos/go-systemd/v22 v22.3.1/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/moby/sys/mountinfo v0.4.1/go.mod 
h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers/runc v1.0.0-rc95 h1:RMuWVfY3E1ILlVsC3RhIq38n4sJtlOFwU9gfFZSqrd0= -github.com/opencontainers/runc v1.0.0-rc95/go.mod h1:z+bZxa/+Tz/FmYVWkhUajJdzFeOqjc5vrqskhVyHGUM= +github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs= +github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= +github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/vishvananda/netlink v1.1.0/go.mod 
h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 h1:lQ8Btl/sJr2+f4ql7ffKUKfnV0BsgsICvm0oEeINAQY= +golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 9f7cd138a1ebc0684d43ef6046bf723978e8741f Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 17 Aug 2021 10:31:39 -0700 Subject: [PATCH 15/60] Update to 1.14 --- INSTALL.md | 4 ++-- hub/Dockerfile.alpine | 2 +- version.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index ba6c3f1..88ecce2 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -18,7 +18,7 @@ RUN set -eux; \ Older Debian releases (or newer `gosu` releases): ```dockerfile -ENV GOSU_VERSION 1.13 +ENV GOSU_VERSION 1.14 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ @@ -59,7 +59,7 @@ RUN set -eux; \ **Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. ```dockerfile -ENV GOSU_VERSION 1.13 +ENV GOSU_VERSION 1.14 RUN set -eux; \ \ apk add --no-cache --virtual .gosu-deps \ diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index b2df47b..2d91d80 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,7 +1,7 @@ FROM alpine:3.14 # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.13 +ENV GOSU_VERSION 1.14 RUN set -eux; \ apk add --no-cache --virtual .fetch-deps dpkg gnupg; \ diff --git a/version.go b/version.go index 92685fa..ea5e89c 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const Version = "1.13" +const Version = "1.14" From c8ad227af285c9729045847f55c38b82adb19285 Mon Sep 17 00:00:00 2001 
From: Tianon Gravi Date: Tue, 14 Dec 2021 13:17:37 -0800 Subject: [PATCH 16/60] Update build deps, esp. runc to v1.0.3 --- go.mod | 4 ++-- go.sum | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 087b108..863e1df 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,6 @@ module github.com/tianon/gosu go 1.16 require ( - github.com/opencontainers/runc v1.0.1 - golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 // indirect + github.com/opencontainers/runc v1.0.3 + golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed // indirect ) diff --git a/go.sum b/go.sum index 0365c27..28df28b 100644 --- a/go.sum +++ b/go.sum @@ -29,6 +29,8 @@ github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs= github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= +github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k= +github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -52,6 +54,8 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 h1:lQ8Btl/sJr2+f4ql7ffKUKfnV0BsgsICvm0oEeINAQY= golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed h1:d5glpD+GMms2DMbu1doSYibjbKasYNvnhq885nOnRz8= +golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From b185278477abf59ba62a08cf8782a906364d4460 Mon Sep 17 00:00:00 2001 From: Pascal Bourdier Date: Wed, 9 Mar 2022 18:22:32 +0100 Subject: [PATCH 17/60] Update to Alpine 3.15, Go 1.17, runc 1.1.0 (#102) --- Dockerfile | 2 +- Dockerfile.test-alpine | 2 +- go.mod | 9 ++++++--- go.sum | 16 ++++++++++++++++ hub/Dockerfile.alpine | 2 +- 5 files changed, 25 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index ac78d5b..2d05e99 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.16-alpine3.14 +FROM golang:1.17-alpine3.15 RUN apk add --no-cache file diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index 7499a88..c6554ec 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine @@ -1,4 +1,4 @@ -FROM alpine:3.14 +FROM alpine:3.15 # add "nobody" to ALL groups (makes testing edge cases more interesting) RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody diff --git a/go.mod b/go.mod index 863e1df..d1be1b1 100644 --- a/go.mod +++ b/go.mod 
@@ -1,8 +1,11 @@
 module github.com/tianon/gosu
 
-go 1.16
+go 1.17
+
+require github.com/opencontainers/runc v1.1.0
 
 require (
- github.com/opencontainers/runc v1.0.3
- golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed // indirect
+ github.com/bits-and-blooms/bitset v1.2.0 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 // indirect
 )
diff --git a/go.sum b/go.sum
index 28df28b..ed433ca 100644
--- a/go.sum
+++ b/go.sum
@@ -1,15 +1,20 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= +github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 
@@ -26,17 +31,22 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= +github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs= github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k= github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= +github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= +github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= +github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= +github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod 
h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= @@ -54,8 +64,13 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 h1:lQ8Btl/sJr2+f4ql7ffKUKfnV0BsgsICvm0oEeINAQY= golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed h1:d5glpD+GMms2DMbu1doSYibjbKasYNvnhq885nOnRz8= golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 h1:8IVLkfbr2cLhv0a/vKq4UFUcJym8RmDoDboxCFWEjYE= +golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -68,5 +83,6 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine
index 2d91d80..2ac44d6 100644
--- a/hub/Dockerfile.alpine
+++ b/hub/Dockerfile.alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 
 # https://github.com/tianon/gosu/releases
 ENV GOSU_VERSION 1.14
From 66c26c518cf0629c1d143cf0cb9f0e6b09b0fc11 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Wed, 9 Mar 2022 09:23:10 -0800
Subject: [PATCH 18/60] Invoke "go mod tidy"
---
 go.mod | 6 +-----
 go.sum | 35 -----------------------------------
 2 files changed, 1 insertion(+), 40 deletions(-)
diff --git a/go.mod b/go.mod
index d1be1b1..7704e37 100644
--- a/go.mod
+++ b/go.mod
@@ -4,8 +4,4 @@ go 1.17
 
 require github.com/opencontainers/runc v1.1.0
 
-require (
- github.com/bits-and-blooms/bitset v1.2.0 // indirect
- github.com/pkg/errors v0.9.1 // indirect
- golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 // indirect
-)
+require golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 // indirect
diff --git a/go.sum b/go.sum
index ed433ca..e9cab87 100644
--- a/go.sum
+++ b/go.sum
@@ -1,51 +1,29 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= -github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= -github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= -github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf 
v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs= -github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= -github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k= -github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= 
-github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 
@@ -58,31 +36,18 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 h1:lQ8Btl/sJr2+f4ql7ffKUKfnV0BsgsICvm0oEeINAQY= -golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed h1:d5glpD+GMms2DMbu1doSYibjbKasYNvnhq885nOnRz8= -golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 h1:8IVLkfbr2cLhv0a/vKq4UFUcJym8RmDoDboxCFWEjYE= golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From e0192f9bb326e006fabf80da8213b58957daba70 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 25 May 2022 10:57:09 -0700 Subject: [PATCH 19/60] Update to runc 1.1.2 --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 7704e37..aa8c488 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,6 @@ module github.com/tianon/gosu go 1.17 -require github.com/opencontainers/runc v1.1.0 +require github.com/opencontainers/runc v1.1.2 -require golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 // indirect +require golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect 
diff --git a/go.sum b/go.sum index e9cab87..be388af 100644 --- a/go.sum +++ b/go.sum @@ -18,8 +18,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= -github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw= +github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -41,8 +41,8 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 h1:8IVLkfbr2cLhv0a/vKq4UFUcJym8RmDoDboxCFWEjYE= -golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= From e40728286280584a0c697f2499ddb48d4370be7b Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 7 Sep 2022 14:51:08 -0700 Subject: [PATCH 20/60] Update to Go 1.19, Alpine 3.16, runc 1.1.4 --- Dockerfile | 2 +- Dockerfile.test-alpine | 2 +- go.mod | 6 +++--- go.sum | 5 +++++ hub/Dockerfile.alpine | 2 +- 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2d05e99..d69c968 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.17-alpine3.15 +FROM golang:1.19-alpine3.16 RUN apk add --no-cache file diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index c6554ec..bbab7bd 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine 
@@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.16
 
 # add "nobody" to ALL groups (makes testing edge cases more interesting)
 RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody
diff --git a/go.mod b/go.mod
index aa8c488..84f066e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,7 +1,7 @@
 module github.com/tianon/gosu
 
-go 1.17
+go 1.19
 
-require github.com/opencontainers/runc v1.1.2
+require github.com/opencontainers/runc v1.1.4
 
-require golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
+require golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect
diff --git a/go.sum b/go.sum
index be388af..c6669df 100644
--- a/go.sum
+++ b/go.sum
@@ -20,11 +20,14 @@ github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdx github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw= github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= +github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 
@@ -43,6 +46,8 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= +golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index 2ac44d6..e1a56ff 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.15 +FROM alpine:3.16 # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.14 From f9e5ae0b4aca5d5f8be8b06f387c39ec0ae0d7d2 Mon Sep 17 00:00:00 2001 
From: Tianon Gravi
Date: Fri, 16 Dec 2022 15:28:41 -0800
Subject: [PATCH 21/60] Add SECURITY.md that points to `govulncheck`
This builds `gosu` with an intentionally older version of runc *and* Go (but still new enough for `govulncheck` to work). The chosen version of `runc` includes https://github.com/opencontainers/runc/commit/262f294a2a3be96cb98ca2415ddff66e30671606, which is the last change I can find to any of the functions `gosu` invokes in all released versions of runc (up to v1.1.4). The chosen version of Go is the oldest supported by `govulncheck` but that also includes https://github.com/golang/go/commit/4f4542479d27161d70b22557c52f182c0332ac7b (because 32bit builds panic without this fix). (This also fixes a few other minor version number anomalies.)
---
 .github/workflows/ci.yml | 14 +++++++++++++-
 Dockerfile | 5 +++--
 Dockerfile.test-alpine | 2 +-
 SECURITY.md | 15 +++++++++++++++
 go.mod | 4 ++--
 go.sum | 9 ++-------
 hub/Dockerfile.alpine | 2 +-
 hub/Dockerfile.debian | 2 +-
 8 files changed, 38 insertions(+), 15 deletions(-)
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a7e3110..dbad7bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,8 @@ name: CI
 on:
 pull_request:
 push:
+ schedule:
+ - cron: 0 0 * * 0
 
 defaults:
 run:
@@ -13,7 +15,7 @@ jobs:
 name: Test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 - run: ./build.sh
 - run: ./test.sh gosu-amd64
 - run: ./test.sh gosu-i386
@@ -21,3 +23,13 @@ jobs:
 - run: ./test.sh --debian gosu-i386
 - run: docker build --pull --file hub/Dockerfile.alpine hub
 - run: docker build --pull --file hub/Dockerfile.debian hub
+
+ - uses: actions/setup-go@v3
+ with:
+ go-version: 1.18
+ # https://github.com/golang/vuln/commits/master
+ # https://github.com/golang/vuln/releases
+ - run: go install golang.org/x/vuln/cmd/govulncheck@9bf256343acc20d22586789d07aecf887d8a5aea
+ # (update "go-version" above when updating this version)
+
+ - run: for gosu in gosu-*; do govulncheck "$gosu"; done
diff --git a/Dockerfile b/Dockerfile
index d69c968..4e5ae2d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine3.16
+FROM golang:1.18.2-alpine3.14
 
 RUN apk add --no-cache file
 
@@ -12,7 +12,8 @@ RUN set -eux; \
 go mod download; \
 go mod verify
 
-ENV BUILD_FLAGS="-v -ldflags '-d -s -w'"
+# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it
+ENV BUILD_FLAGS="-v -ldflags '-d -w'"
 
 COPY *.go ./
 
diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine
index bbab7bd..aaec78e 100644
--- a/Dockerfile.test-alpine
+++ b/Dockerfile.test-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.17
 
 # add "nobody" to ALL groups (makes testing edge cases more interesting)
 RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..58cafd1
--- /dev/null
+++ b/SECURITY.md
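Review bot: The new `- uses: actions/setup-go@v3` step (and `actions/checkout@v3` in the earlier hunk of this file) is pinned to a mutable major tag, while the `govulncheck` install two lines below is pinned to a full commit, so the workflow applies two different pinning policies and a retagged action release can change what runs here. Pinning each action to its full commit SHA with the version kept as a trailing comment, e.g. `- uses: actions/setup-go@<full-commit-sha> # v3`, brings the actions in line with the commit-pinned tool. The `go-version: 1.18` appears to mirror the toolchain downgrade made in `Dockerfile` in this same commit, but the only hint of that coupling is the `# (update "go-version" above when updating this version)` line under the install step; a cross-reference next to `go-version`, such as `# keep in sync with the FROM line in Dockerfile`, would make the constraint visible where it is edited. The `jobs:` block this hunk belongs to starts outside the hunk.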
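Review bot: The new comment on `ENV BUILD_FLAGS` explains why `-s` was dropped, but the deliberate downgrade to `FROM golang:1.18.2-alpine3.14` in the first hunk of this file carries no marker at all, so the rationale given in the commit message (oldest Go that govulncheck supports and that includes the 32-bit fix) lives only in git history and a routine base-image bump would silently undo it. A one-line comment above the `FROM`, such as `# intentionally old: oldest Go supported by govulncheck that includes the 32-bit panic fix (see SECURITY.md); keep in sync with go-version in .github/workflows/ci.yml`, keeps the constraint visible where it is edited. The same note applies to the matching `go-version: 1.18` in the ci.yml hunk above.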
@@ -0,0 +1,15 @@
+# CVEs
+
+This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of `gosu`. For example, this includes any CVE in Go which applies to interfaces that `gosu` does not ever invoke, such as `net/http`, `archive/tar`, `encoding/xml`, etc.
+
+Before reporting that `gosu` is "vulnerable" to a particular CVE, please run [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether the latest release is *actually* using the vulnerable functionality. See [this excellent blog post](https://go.dev/blog/vuln) from the Go team for more information about the `govulncheck` tool and the methodology by which it is maintained.
+
+If you have a tool which is reporting that `gosu` is vulnerable to a particular CVE but `govulncheck` does not agree, **please** report this as a false positive to your CVE scanning vendor so that they can improve their tooling. (If you wish to verify that your reported CVE is part of `govulncheck`'s dataset and thus covered by their tool, you can check [the vulndb repository](https://github.com/golang/vulndb) where they track those.)
+
+# Reporting Vulnerabilities
+
+The surface area of `gosu` itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of [`runc`](https://github.com/opencontainers/runc) (and which itself is a pretty limited interface) for providing the same behavior as Docker's `--user` flag, but from within a running container.
+
+If you believe you have found a new vulnerability in `gosu`, chances are very high that it's actually a vulnerability in `runc` (or at the very least, `runc`'s code), and should be [reported appropriately and responsibly](https://github.com/opencontainers/.github/blob/master/SECURITY.md).
+
+After all this, if you still believe you have discovered a novel vulnerability in the limited code that is `gosu` itself, please [use GitHub's (private) advisory reporting feature](https://github.com/tianon/gosu/security/advisories/new) to responsibly report it.
diff --git a/go.mod b/go.mod
index 84f066e..d7ecfbf 100644
--- a/go.mod
+++ b/go.mod
@@ -1,7 +1,7 @@
 module github.com/tianon/gosu
 
-go 1.19
+go 1.18
 
-require github.com/opencontainers/runc v1.1.4
+require github.com/opencontainers/runc v1.1.0
 
 require golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect
diff --git a/go.sum b/go.sum
index c6669df..b6fa411 100644
--- a/go.sum
+++ b/go.sum
@@ -18,16 +18,13 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw= -github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= -github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= +github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= -github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 
@@ -44,8 +41,6 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index e1a56ff..dafa253 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.16 +FROM alpine:3.17 # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.14 diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 3961d18..89ca74e 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,7 +1,7 @@ FROM debian:bullseye-slim # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.13 +ENV GOSU_VERSION 1.14 RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ From 50e26df5db529007cea258f0f886ae32a880e5c0 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 19 Dec 2022 13:26:01 -0800 Subject: [PATCH 22/60] Update to 1.15 --- INSTALL.md | 4 ++-- hub/Dockerfile.alpine | 2 +- hub/Dockerfile.debian | 2 +- version.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 88ecce2..abc10b6 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -18,7 +18,7 @@ RUN set -eux; \ Older Debian releases (or newer `gosu` releases): ```dockerfile -ENV GOSU_VERSION 1.14 +ENV GOSU_VERSION 1.15 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ @@ -59,7 +59,7 @@ RUN set -eux; \ **Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. ```dockerfile -ENV GOSU_VERSION 1.14 +ENV GOSU_VERSION 1.15 RUN set -eux; \ \ apk add --no-cache --virtual .gosu-deps \ diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index dafa253..82bbb8b 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,7 +1,7 @@ FROM alpine:3.17 # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.14 +ENV GOSU_VERSION 1.15 RUN set -eux; \ apk add --no-cache --virtual .fetch-deps dpkg gnupg; \ diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 89ca74e..8b51ece 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,7 +1,7 @@ FROM debian:bullseye-slim # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.14 +ENV GOSU_VERSION 1.15 RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ diff --git a/version.go b/version.go index ea5e89c..81bce7c 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const Version = "1.14" +const Version = "1.15" From e086fb4b3a18544a9924a1ae602c2b4b692c2355 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 19 Dec 2022 15:51:43 -0800 Subject: [PATCH 23/60] Use QEMU and "arch-test" to avoid bad binaries in the future --- .github/workflows/ci.yml | 1 + Dockerfile | 88 +++++++++++++++++----------------------- 2 files changed, 38 insertions(+), 51 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dbad7bb..f408e0d 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -16,6 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends binfmt-support qemu-user-static - run: ./build.sh - run: ./test.sh gosu-amd64 - run: ./test.sh gosu-i386 diff --git a/Dockerfile b/Dockerfile index 4e5ae2d..4d142f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,31 @@ -FROM golang:1.18.2-alpine3.14 +FROM golang:1.18.2-bullseye -RUN apk add --no-cache file +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + arch-test \ + file \ + ; \ + rm -rf /var/lib/apt/lists/* + +# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it +ENV BUILD_FLAGS="-v -ldflags '-d -w'" + +RUN set -eux; \ + { \ + echo '#!/usr/bin/env bash'; \ + echo 'set -Eeuo pipefail -x'; \ + echo 'eval "go build $BUILD_FLAGS -o /go/bin/gosu-$ARCH"'; \ + echo 'file "/go/bin/gosu-$ARCH"'; \ + echo 'if arch-test "$ARCH"; then'; \ +# there's a fun QEMU + Go 1.18+ bug that causes our binaries (especially on ARM arches) to hang indefinitely *sometimes*, hence the "timeout" and looping here + echo ' try() { for (( i = 0; i < 30; i++ )); do if timeout 1s "$@"; then return 0; fi; done; return 1; }'; \ + echo ' try "/go/bin/gosu-$ARCH" --version'; \ + echo ' try "/go/bin/gosu-$ARCH" nobody id'; \ + echo ' try "/go/bin/gosu-$ARCH" nobody ls -l /proc/self/fd'; \ + echo 'fi'; \ + } > /usr/local/bin/gosu-build-and-test.sh; \ + chmod +x /usr/local/bin/gosu-build-and-test.sh # disable CGO for ALL THE THINGS (to help ensure no libc) ENV CGO_ENABLED 0 
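Review bot: In the generated gosu-build-and-test.sh, `echo 'if arch-test "$ARCH"; then'` … `echo 'fi'` skips every runtime check silently when the host cannot execute `$ARCH`, so on a builder without QEMU/binfmt (the ci.yml hunk in this commit installs it, but a local `./build.sh` run may not have it) a broken binary passes the build exactly as before this change. Adding an else branch that logs the skip, e.g. `echo 'else'; echo '  echo >&2 "warning: $ARCH binaries not runnable here; runtime checks skipped"'; echo 'fi';`, keeps the gap visible in build output. Assembling the script from `echo` lines also makes the quoting hard to audit; a `COPY` of a checked-in script, or a BuildKit heredoc, would be easier to review and diff. `ENV BUILD_FLAGS` is a build-time value that persists into the image environment; harmless for what presumably is only a build container, but an `ARG` or an inline assignment in the script would be tidier.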
@@ -12,57 +37,18 @@ RUN set -eux; \ go mod download; \ go mod verify -# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it -ENV BUILD_FLAGS="-v -ldflags '-d -w'" - COPY *.go ./ # gosu-$(dpkg --print-architecture) -RUN set -eux; \ - eval "GOARCH=amd64 go build $BUILD_FLAGS -o /go/bin/gosu-amd64"; \ - file /go/bin/gosu-amd64; \ - /go/bin/gosu-amd64 --version; \ - /go/bin/gosu-amd64 nobody id; \ - /go/bin/gosu-amd64 nobody ls -l /proc/self/fd - -RUN set -eux; \ - eval "GOARCH=386 go build $BUILD_FLAGS -o /go/bin/gosu-i386"; \ - file /go/bin/gosu-i386; \ - /go/bin/gosu-i386 --version; \ - /go/bin/gosu-i386 nobody id; \ - /go/bin/gosu-i386 nobody ls -l /proc/self/fd - -RUN set -eux; \ - eval "GOARCH=arm GOARM=5 go build $BUILD_FLAGS -o /go/bin/gosu-armel"; \ - file /go/bin/gosu-armel - -RUN set -eux; \ - eval "GOARCH=arm GOARM=6 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \ - file /go/bin/gosu-armhf - -# boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...) 
-#RUN set -eux; \ -# eval "GOARCH=arm GOARM=7 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \ -# file /go/bin/gosu-armhf - -RUN set -eux; \ - eval "GOARCH=arm64 go build $BUILD_FLAGS -o /go/bin/gosu-arm64"; \ - file /go/bin/gosu-arm64 - -RUN set -eux; \ - eval "GOARCH=mips64le go build $BUILD_FLAGS -o /go/bin/gosu-mips64el"; \ - file /go/bin/gosu-mips64el - -RUN set -eux; \ - eval "GOARCH=ppc64le go build $BUILD_FLAGS -o /go/bin/gosu-ppc64el"; \ - file /go/bin/gosu-ppc64el - -RUN set -eux; \ - eval "GOARCH=riscv64 go build $BUILD_FLAGS -o /go/bin/gosu-riscv64"; \ - file /go/bin/gosu-riscv64 - -RUN set -eux; \ - eval "GOARCH=s390x go build $BUILD_FLAGS -o /go/bin/gosu-s390x"; \ - file /go/bin/gosu-s390x +RUN ARCH=amd64 GOARCH=amd64 gosu-build-and-test.sh +RUN ARCH=i386 GOARCH=386 gosu-build-and-test.sh +RUN ARCH=armel GOARCH=arm GOARM=5 gosu-build-and-test.sh +RUN ARCH=armhf GOARCH=arm GOARM=6 gosu-build-and-test.sh +#RUN ARCH=armhf GOARCH=arm GOARM=7 gosu-build-and-test.sh # boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...) +RUN ARCH=arm64 GOARCH=arm64 gosu-build-and-test.sh +RUN ARCH=mips64el GOARCH=mips64le gosu-build-and-test.sh +RUN ARCH=ppc64el GOARCH=ppc64le gosu-build-and-test.sh +RUN ARCH=riscv64 GOARCH=riscv64 gosu-build-and-test.sh +RUN ARCH=s390x GOARCH=s390x gosu-build-and-test.sh RUN set -eux; ls -lAFh /go/bin/gosu-*; file /go/bin/gosu-* From 8eb191480fd3aca7f1cd0f91f089f2f7d3646870 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 19 Dec 2022 16:26:02 -0800 Subject: [PATCH 24/60] Backport https://github.com/golang/go/commit/2c7c98c3ad719aa9d6d2594827a6894ff9950042 in our builds This fixes our `mips64le` builds. --- Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index 4d142f1..38a8a0e 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -5,9 +5,15 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ arch-test \ file \ + patch \ ; \ rm -rf /var/lib/apt/lists/* +# https://github.com/golang/go/issues/56426 +RUN set -eux; \ + wget -O /tmp/go-mips.patch 'https://github.com/golang/go/commit/2c7c98c3ad719aa9d6d2594827a6894ff9950042.patch'; \ + patch --strip=1 --directory=/usr/local/go --input=/tmp/go-mips.patch + # note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it ENV BUILD_FLAGS="-v -ldflags '-d -w'" From 0e7347714352cd7f2e5edc9d2cf838d9934e6036 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 19 Dec 2022 16:41:18 -0800 Subject: [PATCH 25/60] Update to 1.16 --- INSTALL.md | 4 ++-- hub/Dockerfile.alpine | 2 +- hub/Dockerfile.debian | 2 +- version.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index abc10b6..a3fb3fa 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -18,7 +18,7 @@ RUN set -eux; \ Older Debian releases (or newer `gosu` releases): ```dockerfile -ENV GOSU_VERSION 1.15 +ENV GOSU_VERSION 1.16 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ @@ -59,7 +59,7 @@ RUN set -eux; \ **Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. ```dockerfile -ENV GOSU_VERSION 1.15 +ENV GOSU_VERSION 1.16 RUN set -eux; \ \ apk add --no-cache --virtual .gosu-deps \ diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index 82bbb8b..d4aa706 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,7 +1,7 @@ FROM alpine:3.17 # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.15 +ENV GOSU_VERSION 1.16 RUN set -eux; \ apk add --no-cache --virtual .fetch-deps dpkg gnupg; \ 
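Review bot: The patch applied to /usr/local/go is fetched at build time with no integrity check, so the toolchain that produces every released gosu binary depends on whatever the HTTPS fetch of `…/2c7c98c3ad719aa9d6d2594827a6894ff9950042.patch` returns at that moment; the commit hash in the URL identifies the upstream change but does not verify the bytes that arrive. Checking the file against a recorded digest before applying it, e.g. `echo '<sha256-of-patch>  /tmp/go-mips.patch' | sha256sum -c -;` (placeholder digest), or committing the patch to the repo and `COPY`ing it, pins it; `rm /tmp/go-mips.patch` in the same RUN keeps it out of the layer. The `# https://github.com/golang/go/issues/56426` comment could also state what the patch fixes (`mips64le` builds, per the commit message) and that it can be dropped once the base image moves to a Go release that contains the fix.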
diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 8b51ece..1f68973 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,7 +1,7 @@ FROM debian:bullseye-slim # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.15 +ENV GOSU_VERSION 1.16 RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ diff --git a/version.go b/version.go index 81bce7c..3c46570 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const Version = "1.15" +const Version = "1.16" From 6a1967c98c3d1854dd29f32433f1e0c59b244c5f Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 31 Mar 2023 11:51:36 -0700 Subject: [PATCH 26/60] Update CI's govulncheck (to https://github.com/golang/vuln/commit/a42f9910daf3ee8f4a813ce33e16b4470a93faee) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f408e0d..fa109a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,7 @@ jobs: go-version: 1.18 # https://github.com/golang/vuln/commits/master # https://github.com/golang/vuln/releases - - run: go install golang.org/x/vuln/cmd/govulncheck@9bf256343acc20d22586789d07aecf887d8a5aea + - run: go install golang.org/x/vuln/cmd/govulncheck@a42f9910daf3ee8f4a813ce33e16b4470a93faee # (update "go-version" above when updating this version) - run: for gosu in gosu-*; do govulncheck "$gosu"; done From bf158f3b52664ba62de0b561a2bff706fa0e9daf Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 14 Apr 2023 16:13:48 -0700 Subject: [PATCH 27/60] Update "govulncheck" and add "-mode=binary" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://go-review.googlesource.com/c/vuln/+/481137 🙃 --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fa109a6..75e6e1c 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -30,7 +30,7 @@ jobs: go-version: 1.18 # https://github.com/golang/vuln/commits/master # https://github.com/golang/vuln/releases - - run: go install golang.org/x/vuln/cmd/govulncheck@a42f9910daf3ee8f4a813ce33e16b4470a93faee + - run: go install golang.org/x/vuln/cmd/govulncheck@d3666e3e8dbbcb0748a371d2ff17f4da36a158f4 # (update "go-version" above when updating this version) - - run: for gosu in gosu-*; do govulncheck "$gosu"; done + - run: for gosu in gosu-*; do govulncheck -mode=binary "$gosu"; done From 93cfc61c550e533442ea7b3b3c845e40ea01c58b Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 28 Apr 2023 15:41:37 -0700 Subject: [PATCH 28/60] Remove explicit `dirmngr` reference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is pulled in automatically via `gnupg`, and moved from `Recommends` to `Depends` in https://salsa.debian.org/debian/gnupg2/-/commit/99474ad900a8bcdd0e7b68f986fec0013fc01470, which has been part of `src:gnupg2` since 2.1.21-4 (and every supported version of both Debian _and_ Ubuntu have 2.2.x 😇). --- INSTALL.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index a3fb3fa..9a4812f 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -15,7 +15,7 @@ RUN set -eux; \ gosu nobody true ``` -Older Debian releases (or newer `gosu` releases): +Newer `gosu` releases: ```dockerfile ENV GOSU_VERSION 1.16 
@@ -23,13 +23,7 @@ RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ - apt-get install -y --no-install-recommends ca-certificates wget; \ - if ! command -v gpg; then \ - apt-get install -y --no-install-recommends gnupg2 dirmngr; \ - elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \ -# "This package provides support for HKPS keyservers." (GnuPG 1.x only) - apt-get install -y --no-install-recommends gnupg-curl; \ - fi; \ + apt-get install -y --no-install-recommends ca-certificates gnupg wget; \ rm -rf /var/lib/apt/lists/*; \ \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ @@ -40,7 +34,7 @@ RUN set -eux; \ export GNUPGHOME="$(mktemp -d)"; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - command -v gpgconf && gpgconf --kill all || :; \ + gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ # clean up fetch dependencies @@ -76,7 +70,7 @@ RUN set -eux; \ export GNUPGHOME="$(mktemp -d)"; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - command -v gpgconf && gpgconf --kill all || :; \ + gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ # clean up fetch dependencies From bfab97a4a3d9cf6c16a6f8d24ae6350c579756e1 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 2 May 2023 17:12:47 -0700 Subject: [PATCH 29/60] Update govulncheck to the explicit new v0.1.0 release --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75e6e1c..121878b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -30,7 +30,8 @@ jobs: go-version: 1.18 # https://github.com/golang/vuln/commits/master # https://github.com/golang/vuln/releases - - run: go install golang.org/x/vuln/cmd/govulncheck@d3666e3e8dbbcb0748a371d2ff17f4da36a158f4 - # (update "go-version" above when updating this version) + # https://github.com/golang/vuln/tags + - run: go install golang.org/x/vuln/cmd/govulncheck@v0.1.0 + # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v0.1.0/go.mod#L3) - run: for gosu in gosu-*; do govulncheck -mode=binary "$gosu"; done From d0aba5203f78c3c0360b851c33712d2e7e4cd2ea Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 27 Jun 2023 12:52:15 -0700 Subject: [PATCH 30/60] Add new "govulncheck-with-excludes.sh" wrapper script This allows us to exclude GO-2023-1840 (aka CVE-2023-29403) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary. Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way). --- .github/workflows/ci.yml | 2 +- SECURITY.md | 4 ++- govulncheck-with-excludes.sh | 69 ++++++++++++++++++++++++++++++++++++ main.go | 3 ++ 4 files changed, 76 insertions(+), 2 deletions(-) create mode 100755 govulncheck-with-excludes.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 121878b..57695ca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,4 +34,4 @@ jobs: - run: go install golang.org/x/vuln/cmd/govulncheck@v0.1.0 # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v0.1.0/go.mod#L3) - - run: for gosu in gosu-*; do govulncheck -mode=binary "$gosu"; done + - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done 
diff --git a/SECURITY.md b/SECURITY.md index 58cafd1..99c21c4 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,10 +2,12 @@ This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of `gosu`. For example, this includes any CVE in Go which applies to interfaces that `gosu` does not ever invoke, such as `net/http`, `archive/tar`, `encoding/xml`, etc. -Before reporting that `gosu` is "vulnerable" to a particular CVE, please run [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether the latest release is *actually* using the vulnerable functionality. See [this excellent blog post](https://go.dev/blog/vuln) from the Go team for more information about the `govulncheck` tool and the methodology by which it is maintained. +Before reporting that `gosu` is "vulnerable" to a particular CVE, please run our [`./govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh) wrapper around [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether the latest release is *actually* using the vulnerable functionality. See [this excellent blog post](https://go.dev/blog/vuln) from the Go team for more information about the `govulncheck` tool and the methodology by which it is maintained. If you have a tool which is reporting that `gosu` is vulnerable to a particular CVE but `govulncheck` does not agree, **please** report this as a false positive to your CVE scanning vendor so that they can improve their tooling. (If you wish to verify that your reported CVE is part of `govulncheck`'s dataset and thus covered by their tool, you can check [the vulndb repository](https://github.com/golang/vulndb) where they track those.) +Our wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh)) includes a very small set of vulnerabilities that will be reported by `govulncheck` which do not apply (due to other mitigations or otherwise). 
+ # Reporting Vulnerabilities The surface area of `gosu` itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of [`runc`](https://github.com/opencontainers/runc) (and which itself is a pretty limited interface) for providing the same behavior as Docker's `--user` flag, but from within a running container. diff --git a/govulncheck-with-excludes.sh b/govulncheck-with-excludes.sh new file mode 100755 index 0000000..40e7b5f --- /dev/null +++ b/govulncheck-with-excludes.sh 
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# a wrapper / replacement for "govulncheck" which allows for excluding vulnerabilities
+# (https://github.com/golang/go/issues/59507)
+
+excludeVulns="$(jq -nc '[
+
+ # https://pkg.go.dev/vuln/GO-2023-1840
+ # we already mitigate setuid in our code
+ "GO-2023-1840", "CVE-2023-29403",
+ # (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883)
+
+ empty # trailing comma hack (makes diffs smaller)
+]')"
+export excludeVulns
+
+if ! command -v govulncheck > /dev/null; then
+ govulncheck() {
+ local user; user="$(id -u):$(id -g)"
+ local args=(
+ --rm --interactive --init
+ --user "$user"
+ --env HOME=/tmp
+ --env GOPATH=/tmp/go
+ --volume govulncheck:/tmp
+ --env CGO_ENABLED=0
+ --mount "type=bind,src=$PWD,dst=/wd,ro"
+ --workdir /wd
+ "${GOLANG_IMAGE:-golang:latest}"
+ sh -euc '
+ go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null
+ exec "$GOPATH/bin/govulncheck" "$@"
+ ' --
+ )
+ docker run "${args[@]}" "$@"
+ }
+fi
+
+if out="$(govulncheck "$@")"; then
+ printf '%s\n' "$out"
+ exit 0
+fi
+
+json="$(govulncheck -json "$@")"
+
+vulns="$(jq <<<"$json" -cs 'map(select(has("vulnerability")) | .vulnerability.osv)')"
+if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
+ printf '%s\n' "$out"
+ exit 1
+fi
+
+filtered="$(jq <<<"$vulns" -c '
+ (env.excludeVulns | fromjson) as $exclude
+ | map(select(
+ .id as $id
+ | $exclude | index($id) | not
+ ))
+')"
+
+text="$(jq <<<"$filtered" -r 'map("- \(.id) (aka \(.aliases | join(", ")))\n\n\t\(.details | gsub("\n"; "\n\t"))") | join("\n\n")')"
+
+if [ -z "$text" ]; then
+ printf 'No vulnerabilities found.\n'
+ exit 0
+else
+ printf '%s\n' "$text"
+ exit 1
+fi
diff --git a/main.go b/main.go
index 1534ebe..f984da8 100644
--- a/main.go
+++ b/main.go
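Review bot: The fallback `govulncheck()` function installs `govulncheck@latest` inside `${GOLANG_IMAGE:-golang:latest}`, so a machine without the tool scans with whatever versions are current that day while CI (ci.yml hunk in this commit) pins `@v0.1.0`; the two paths can disagree and the fallback is not reproducible. Taking the version from a variable with a pinned default, e.g. `go install "golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION:-v0.1.0}" > /dev/null`, and defaulting `GOLANG_IMAGE` to a tagged image, fixes that. Separately, when every reported finding is on the exclude list the script prints `No vulnerabilities found.` and exits 0, which hides that a suppression fired; printing the excluded ids to stderr before that line (a second `jq` over `$vulns` selecting `.id` values present in `$exclude`) keeps the suppression visible in logs. Note the filter compares only `.id`, so the `"CVE-2023-29403"` entry never matches on its own (the CVE appears under `.aliases`); harmless, but worth a comment next to the list.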
@@ -53,6 +53,9 @@ func main() { } else if fi.Mode()&os.ModeSetuid != 0 { // ... oh no log.Fatalf("error: %q appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0]) + } else if fi.Mode()&os.ModeSetgid != 0 { + // ... oh no + log.Fatalf("error: %q appears to be installed with the 'setgid' bit set, which is not quite *as* insecure as 'setuid', but still not great, and definitely a completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0]) } } From facd58e00ad8877724d62bfe03142d3bf01a26fa Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 13 Jul 2023 09:27:23 -0700 Subject: [PATCH 31/60] Update to govulncheck v1.0.0 --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57695ca..aebfc20 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: # https://github.com/golang/vuln/commits/master # https://github.com/golang/vuln/releases # https://github.com/golang/vuln/tags - - run: go install golang.org/x/vuln/cmd/govulncheck@v0.1.0 - # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v0.1.0/go.mod#L3) + - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.0 + # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.0/go.mod#L3) - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done From a430ca0e1086cae8273b0187a8ffb52bf4c4d21c Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 13 Jul 2023 10:24:27 -0700 Subject: [PATCH 32/60] Update govulncheck JSON parsing for v1.0.0 --- govulncheck-with-excludes.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/govulncheck-with-excludes.sh b/govulncheck-with-excludes.sh index 40e7b5f..61c9b16 100755 --- a/govulncheck-with-excludes.sh +++ b/govulncheck-with-excludes.sh @@ -44,7 +44,7 @@ fi json="$(govulncheck -json "$@")" -vulns="$(jq <<<"$json" -cs 'map(select(has("vulnerability")) | .vulnerability.osv)')" +vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')" if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then printf '%s\n' "$out" exit 1 From 7059acbd2ef983a7f26827eee247b85f72abb4bb Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 4 Sep 2023 20:13:31 -0700 Subject: [PATCH 33/60] Update govulncheck to v1.0.1 --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aebfc20..6d5de65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: # https://github.com/golang/vuln/commits/master # https://github.com/golang/vuln/releases # https://github.com/golang/vuln/tags - - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.0 - # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.0/go.mod#L3) + - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.1 + # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3) - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done From 512d5e6bdc29cbee291f542f05e2354fc695becf Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Wed, 11 Oct 2023 10:32:40 -0600 Subject: [PATCH 34/60] setup-user: use syscall instead of libcontainer/system Since Go 1.16, [Go issue 1435][1] is solved, and the stdlib syscall implementations work on Linux. [1]: https://github.com/golang/go/issues/1435 Signed-off-by: Bjorn Neergaard --- setup-user.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/setup-user.go b/setup-user.go index 3a04ec9..57b5343 100644 
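Review bot: `map(select(has("osv")) | .osv)` collects every `osv` message in the v1.0.0 JSON stream, and I believe govulncheck emits an `osv` entry for each known vulnerability in the scanned modules whether or not a `finding` marks it as reached; if that also holds for `-mode=binary`, the exclusion path will now list vulnerabilities the text run that gated entry to this path never reported, and the script will exit 1 on them. Worth verifying against a binary that links an affected module without calling the vulnerable symbol, and if confirmed, restricting the selection to ids that also appear in `finding` messages before the exclude filter runs.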
--- a/setup-user.go +++ b/setup-user.go @@ -4,7 +4,6 @@ import ( "os" "syscall" - "github.com/opencontainers/runc/libcontainer/system" "github.com/opencontainers/runc/libcontainer/user" ) @@ -35,10 +34,10 @@ func SetupUser(u string) error { if err := syscall.Setgroups(execUser.Sgids); err != nil { return err } - if err := system.Setgid(execUser.Gid); err != nil { + if err := syscall.Setgid(execUser.Gid); err != nil { return err } - if err := system.Setuid(execUser.Uid); err != nil { + if err := syscall.Setuid(execUser.Uid); err != nil { return err } // if we didn't get HOME already, set it based on the user's HOME From f7d40f009bf48a03f763fcce879b5ee8a70bd3ab Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Wed, 11 Oct 2023 10:34:46 -0600 Subject: [PATCH 35/60] setup-user: use golang.org/x/sys/unix Prefer to use the latest syscall implementation, instead of the one that was shipped with the Go compiler. As this was an indirect dependency, this aligns all syscalls in the package to a common implementation. Signed-off-by: Bjorn Neergaard --- go.mod | 2 +- go.sum | 4 ++-- setup-user.go | 12 ++++++------ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index d7ecfbf..3be3c72 100644 --- a/go.mod +++ b/go.mod @@ -4,4 +4,4 @@ go 1.18 require github.com/opencontainers/runc v1.1.0 -require golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect +require golang.org/x/sys v0.13.0 diff --git a/go.sum b/go.sum index b6fa411..e2ce19e 100644 --- a/go.sum +++ b/go.sum 
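Review bot: `syscall.Setgid`/`syscall.Setuid` apply to every thread of the process only on Go ≥ 1.16 (the golang/go#1435 fix the commit message cites); runc's `system.Setgid`/`system.Setuid` existed precisely to get that on older toolchains. The `go 1.18` directive in go.mod satisfies the requirement today, but nothing at the call site says so, and it is the line that decides whether privilege separation holds for all runtime threads. A comment on the new lines, e.g. `// syscall.Setuid/Setgid are process-wide since Go 1.16 (golang/go#1435); do not build with older toolchains`, records the requirement; the same applies to the `unix.Setgid`/`unix.Setuid` replacements in the later setup-user.go hunk. SetupUser begins outside this hunk.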
@@ -41,8 +41,8 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= -golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/setup-user.go b/setup-user.go index 57b5343..e65be1d 100644 --- a/setup-user.go +++ b/setup-user.go @@ -2,9 +2,9 @@ package main import ( "os" - "syscall" "github.com/opencontainers/runc/libcontainer/user" + "golang.org/x/sys/unix" ) // this function comes from libcontainer/init_linux.go @@ -15,8 +15,8 @@ import ( func SetupUser(u string) error { // Set up defaults. defaultExecUser := user.ExecUser{ - Uid: syscall.Getuid(), - Gid: syscall.Getgid(), + Uid: unix.Getuid(), + Gid: unix.Getgid(), Home: "/", } passwdPath, err := user.GetPasswdPath() 
@@ -31,13 +31,13 @@ func SetupUser(u string) error { if err != nil { return err } - if err := syscall.Setgroups(execUser.Sgids); err != nil { + if err := unix.Setgroups(execUser.Sgids); err != nil { return err } - if err := syscall.Setgid(execUser.Gid); err != nil { + if err := unix.Setgid(execUser.Gid); err != nil { return err } - if err := syscall.Setuid(execUser.Uid); err != nil { + if err := unix.Setuid(execUser.Uid); err != nil { return err } // if we didn't get HOME already, set it based on the user's HOME From 165a750e27122b57948a823319d1653e357e8252 Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Wed, 11 Oct 2023 10:35:46 -0600 Subject: [PATCH 36/60] setup-user: use github.com/moby/sys/user Break the dependency on runc by using the new canonical source of the `user` package at github.com/moby/sys. Signed-off-by: Bjorn Neergaard --- go.mod | 7 ++++--- go.sum | 53 ++------------------------------------------------- setup-user.go | 2 +- 3 files changed, 7 insertions(+), 55 deletions(-) diff --git a/go.mod b/go.mod index 3be3c72..eae1559 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,7 @@ module github.com/tianon/gosu go 1.18 -require github.com/opencontainers/runc v1.1.0 - -require golang.org/x/sys v0.13.0 +require ( + github.com/moby/sys/user v0.1.0 + golang.org/x/sys v0.13.0 +) diff --git a/go.sum b/go.sum index e2ce19e..7fe378e 100644 --- a/go.sum +++ b/go.sum 
@@ -1,53 +1,4 @@ -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= -github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= -github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= -github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= -github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= -github.com/opencontainers/runc v1.1.0/go.mod 
h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= -github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= -github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= +github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/setup-user.go b/setup-user.go index e65be1d..ac0783f 100644 --- a/setup-user.go +++ b/setup-user.go @@ -3,7 +3,7 @@ package main import ( "os" - "github.com/opencontainers/runc/libcontainer/user" + "github.com/moby/sys/user" "golang.org/x/sys/unix" ) From d1265292c7ad8192cfbf45bff07fb98eb284af83 Mon Sep 17 00:00:00 2001 
From: Tianon Gravi Date: Thu, 2 Nov 2023 14:30:48 -0700 Subject: [PATCH 37/60] Update "tianon/gosu" Docker Hub image to build via bashbrew instead of bespoke script This gives us nice provenance, etc; see https://explore.ggcr.dev/?image=tianon/gosu:1.16 --- hub/alpine.yml | 9 ------- hub/build.sh | 66 -------------------------------------------------- hub/debian.yml | 10 -------- hub/gsl.sh | 54 +++++++++++++++++++++++++++++++++++++++++ hub/latest.yml | 11 --------- 5 files changed, 54 insertions(+), 96 deletions(-) delete mode 100644 hub/alpine.yml delete mode 100755 hub/build.sh delete mode 100644 hub/debian.yml create mode 100755 hub/gsl.sh delete mode 100644 hub/latest.yml diff --git a/hub/alpine.yml b/hub/alpine.yml deleted file mode 100644 index b27dea7..0000000 --- a/hub/alpine.yml +++ /dev/null @@ -1,9 +0,0 @@ -image: tianon/gosu:alpine -manifests: - - { image: tianon/gosu:alpine-amd64, platform: { os: linux, architecture: amd64 } } - - { image: tianon/gosu:alpine-arm32v6, platform: { os: linux, architecture: arm, variant: v6 } } - - { image: tianon/gosu:alpine-arm32v7, platform: { os: linux, architecture: arm, variant: v7 } } - - { image: tianon/gosu:alpine-arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } } - - { image: tianon/gosu:alpine-i386, platform: { os: linux, architecture: 386 } } - - { image: tianon/gosu:alpine-ppc64le, platform: { os: linux, architecture: ppc64le } } - - { image: tianon/gosu:alpine-s390x, platform: { os: linux, architecture: s390x } } diff --git a/hub/build.sh b/hub/build.sh deleted file mode 100755 index 6aafd31..0000000 --- a/hub/build.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -declare -A platforms=( - [amd64]='linux/amd64' - [arm32v5]='linux/arm/v5' - [arm32v6]='linux/arm/v6' - [arm32v7]='linux/arm/v7' - [arm64v8]='linux/arm64/v8' - [i386]='linux/386' - [mips64le]='linux/mips64le' - [ppc64le]='linux/ppc64le' - [s390x]='linux/s390x' -) - -declare -A arches=( - [alpine]='amd64 arm32v6 arm32v7 arm64v8 i386 ppc64le s390x' - [debian]='amd64 arm32v5 arm32v7 arm64v8 i386 mips64le ppc64le s390x' -) -preferredOrder=( alpine debian ) - -_platformToOCI() { - local platform="$1"; shift - local os="${platform%%/*}" - platform="${platform#$os/}" - local architecture="${platform%%/*}" - platform="${platform#$architecture/}" - local variant="$platform" - [ "$architecture" != "$variant" ] || variant= - echo "{ os: $os, architecture: $architecture${variant:+, variant: $variant} }" -} - -declare -A latest=() -for variant in "${preferredOrder[@]}"; do - cat > "$variant.yml" <<-EOYAML - image: tianon/gosu:$variant - manifests: - EOYAML - for arch in ${arches[$variant]}; do - platform="${platforms[$arch]}" - docker build --pull --platform "$platform" --tag "tianon/gosu:$variant-$arch" - < "Dockerfile.$variant" - : "${latest[$arch]:=$variant}" - platform="$(_platformToOCI "$platform")" - echo " - { image: tianon/gosu:$variant-$arch, platform: $platform }" >> "$variant.yml" - done -done - -cat > latest.yml <<-'EOYAML' - image: tianon/gosu:latest - manifests: -EOYAML -mapfile -d '' sorted < <(printf '%s\0' "${!latest[@]}" | sort -z) -for arch in "${sorted[@]}"; do - variant="${latest[$arch]}" - docker tag "tianon/gosu:$variant-$arch" "tianon/gosu:$arch" - platform="$(_platformToOCI "${platforms[$arch]}")" - echo " - { image: tianon/gosu:$arch, platform: $platform }" >> latest.yml -done - -echo -echo '$ # now:' -echo -echo '$ docker push --all-tags tianon/gosu' -for variant in "${preferredOrder[@]}" latest; do - echo "\$ manifest-tool push from-spec $variant.yml" -done 
diff --git a/hub/debian.yml b/hub/debian.yml deleted file mode 100644 index 615fa23..0000000 --- a/hub/debian.yml +++ /dev/null @@ -1,10 +0,0 @@ -image: tianon/gosu:debian -manifests: - - { image: tianon/gosu:debian-amd64, platform: { os: linux, architecture: amd64 } } - - { image: tianon/gosu:debian-arm32v5, platform: { os: linux, architecture: arm, variant: v5 } } - - { image: tianon/gosu:debian-arm32v7, platform: { os: linux, architecture: arm, variant: v7 } } - - { image: tianon/gosu:debian-arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } } - - { image: tianon/gosu:debian-i386, platform: { os: linux, architecture: 386 } } - - { image: tianon/gosu:debian-mips64le, platform: { os: linux, architecture: mips64le } } - - { image: tianon/gosu:debian-ppc64le, platform: { os: linux, architecture: ppc64le } } - - { image: tianon/gosu:debian-s390x, platform: { os: linux, architecture: s390x } } diff --git a/hub/gsl.sh b/hub/gsl.sh new file mode 100755 index 0000000..4eda9af --- /dev/null +++ b/hub/gsl.sh 
@@ -0,0 +1,54 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +preferredOrder=( alpine debian ) + +dir="$(dirname "$BASH_SOURCE")" +cd "$dir" + +commit="$(git log -1 --format='format:%H' HEAD -- .)" +cat <<-EOH + Maintainers: Tianon Gravi (@tianon) + GitRepo: https://github.com/tianon/gosu.git + GitCommit: $commit + Directory: hub + Builder: buildkit +EOH + +version= +i=0; jq=; froms=() +for variant in "${preferredOrder[@]}"; do + from="$(awk 'toupper($1) == "FROM" { print $2; exit }' "Dockerfile.$variant")" # TODO multi-stage? + variantVersion="$(awk 'toupper($1) == "ENV" && toupper($2) == "GOSU_VERSION" { print $3; exit }' "Dockerfile.$variant")" + version="${version:-$variantVersion}" + if [ "$version" != "$variantVersion" ]; then + echo >&2 "error: mismatched version in '$variant' ('$version' vs '$variantVersion')" + exit 1 + fi + jq="${jq:+$jq, }$variant: (.[$i].arches | keys_unsorted)" + froms["$i"]="$from" + (( i++ )) || : +done +arches="$(bashbrew remote arches --json "${froms[@]}" | jq -sc "{ $jq }")" # { alpine: [ "amd64", ... ], debian: [ "amd64", ... ] } + +queue="$(jq <<<"$arches" -r 'to_entries | map(@sh "variant=\(.key)\narch=\(.value[])") | map(@sh) | join("\n")')" +eval "queue=( $queue )" + +declare -A seenArches=() +for item in "${queue[@]}"; do + eval "$item" # variant=yyy arch=xxx + [ -n "$variant" ] + [ -n "$arch" ] + tags="$variant-$arch" + sharedTags="$variant, $version-$variant" + if [ -z "${seenArches["$arch"]:-}" ]; then + tags+=", $arch" + sharedTags+=", $version, latest" + fi + echo + echo "Tags: $tags" + [ -z "$sharedTags" ] || echo "SharedTags: $sharedTags" + echo "Architectures: $arch" + echo "File: Dockerfile.$variant" + : "${seenArches["$arch"]:=1}" +done diff --git a/hub/latest.yml b/hub/latest.yml deleted file mode 100644 index 619d424..0000000 --- a/hub/latest.yml +++ /dev/null 
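Review bot: `commit` comes from `git log -1 --format='format:%H' HEAD -- .` while the `FROM` line and `GOSU_VERSION` are scraped with awk from the working-tree Dockerfiles, so with uncommitted edits in `hub/` the emitted `GitCommit:` describes different inputs than the ones that produced the tags — the opposite of the provenance the commit message is after. A guard right after `cd "$dir"` closes that gap: `[ -z "$(git status --porcelain -- .)" ] || { echo >&2 "error: uncommitted changes in $dir"; exit 1; }`. The two `eval`s are safe only because both the inner `@sh "…"` and the outer `map(@sh)` quote every value that comes back from `bashbrew remote arches`; a comment such as `# values are @sh-quoted by jq, so eval only sees literal assignments` would keep a later edit from dropping one of those layers.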
@@ -1,11 +0,0 @@ -image: tianon/gosu:latest -manifests: - - { image: tianon/gosu:amd64, platform: { os: linux, architecture: amd64 } } - - { image: tianon/gosu:arm32v5, platform: { os: linux, architecture: arm, variant: v5 } } - - { image: tianon/gosu:arm32v6, platform: { os: linux, architecture: arm, variant: v6 } } - - { image: tianon/gosu:arm32v7, platform: { os: linux, architecture: arm, variant: v7 } } - - { image: tianon/gosu:arm64v8, platform: { os: linux, architecture: arm64, variant: v8 } } - - { image: tianon/gosu:i386, platform: { os: linux, architecture: 386 } } - - { image: tianon/gosu:mips64le, platform: { os: linux, architecture: mips64le } } - - { image: tianon/gosu:ppc64le, platform: { os: linux, architecture: ppc64le } } - - { image: tianon/gosu:s390x, platform: { os: linux, architecture: s390x } } From 0d1847490b448a17eb347e5e357f2c0478df87ad Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 2 Nov 2023 14:34:38 -0700 Subject: [PATCH 38/60] Update to 1.17 --- INSTALL.md | 4 ++-- hub/Dockerfile.alpine | 2 +- hub/Dockerfile.debian | 2 +- version.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 9a4812f..6ca05f4 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -18,7 +18,7 @@ RUN set -eux; \ Newer `gosu` releases: ```dockerfile -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION 1.17 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ @@ -53,7 +53,7 @@ RUN set -eux; \ **Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. ```dockerfile -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION 1.17 RUN set -eux; \ \ apk add --no-cache --virtual .gosu-deps \ diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index d4aa706..1d9629b 100644 --- a/hub/Dockerfile.alpine 
+++ b/hub/Dockerfile.alpine @@ -1,7 +1,7 @@ FROM alpine:3.17 # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION 1.17 RUN set -eux; \ apk add --no-cache --virtual .fetch-deps dpkg gnupg; \ diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 1f68973..21a156d 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,7 +1,7 @@ FROM debian:bullseye-slim # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION 1.17 RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ diff --git a/version.go b/version.go index 3c46570..28e3550 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const Version = "1.16" +const Version = "1.17" From bd5b5e823761930d02609c99f49b71e45b90f96f Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 2 Nov 2023 15:17:06 -0700 Subject: [PATCH 39/60] Update published images to Debian Bookworm, Alpine 3.18 --- hub/Dockerfile.alpine | 2 +- hub/Dockerfile.debian | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index 1d9629b..f280e3f 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.17 +FROM alpine:3.18 # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.17 diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian index 21a156d..2fb1eeb 100644 --- a/hub/Dockerfile.debian +++ b/hub/Dockerfile.debian @@ -1,4 +1,4 @@ -FROM debian:bullseye-slim +FROM debian:bookworm-slim # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.17 From 2dada3bb5dfbc1e7162a29907691b6f45995d54e Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 2 Nov 2023 16:25:39 -0700 Subject: [PATCH 40/60] Rewrite gsl.sh so it relies less on SharedTags This should make our "version" provenance metadata more correct --- hub/gsl.sh | 93 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 65 insertions(+), 28 deletions(-) 
diff --git a/hub/gsl.sh b/hub/gsl.sh index 4eda9af..19a2d9b 100755 --- a/hub/gsl.sh +++ b/hub/gsl.sh @@ -7,13 +7,6 @@ dir="$(dirname "$BASH_SOURCE")" cd "$dir" commit="$(git log -1 --format='format:%H' HEAD -- .)" -cat <<-EOH - Maintainers: Tianon Gravi (@tianon) - GitRepo: https://github.com/tianon/gosu.git - GitCommit: $commit - Directory: hub - Builder: buildkit -EOH version= i=0; jq=; froms=() 
@@ -31,24 +24,68 @@ for variant in "${preferredOrder[@]}"; do done arches="$(bashbrew remote arches --json "${froms[@]}" | jq -sc "{ $jq }")" # { alpine: [ "amd64", ... ], debian: [ "amd64", ... ] } -queue="$(jq <<<"$arches" -r 'to_entries | map(@sh "variant=\(.key)\narch=\(.value[])") | map(@sh) | join("\n")')" -eval "queue=( $queue )" - -declare -A seenArches=() -for item in "${queue[@]}"; do - eval "$item" # variant=yyy arch=xxx - [ -n "$variant" ] - [ -n "$arch" ] - tags="$variant-$arch" - sharedTags="$variant, $version-$variant" - if [ -z "${seenArches["$arch"]:-}" ]; then - tags+=", $arch" - sharedTags+=", $version, latest" - fi - echo - echo "Tags: $tags" - [ -z "$sharedTags" ] || echo "SharedTags: $sharedTags" - echo "Architectures: $arch" - echo "File: Dockerfile.$variant" - : "${seenArches["$arch"]:=1}" -done +exec jq <<<"$arches" -r --arg commit "$commit" --arg version "$version" ' + with_entries(select(length > 0)) + | keys_unsorted as $variants + | (add | unique) as $arches + | . as $variantArches + | ( + reduce ( + to_entries[] + | { + variant: .key, + arch: .value[], + } + ) as $m ({}; + if has($m.arch) then . else + .[$m.arch] = $m.variant + end + ) + ) as $archVariants + | [ + { + Maintainers: "Tianon Gravi (@tianon)", + GitRepo: "https://github.com/tianon/gosu.git", + GitCommit: $commit, + Directory: "hub", + Builder: "buildkit", + }, + + reduce $arches[] as $arch ( + { + Tags: [ $version, "latest" ], + Architectures: $arches, + File: "Dockerfile.\($variants[0])", + }; + if has($arch + "-File") then . else + "Dockerfile.\($archVariants[$arch])" as $df + | if $df == .File then . else + .[$arch + "-File"] = $df + end + end + ), + + ( + $variants[] + | { + Tags: [ "\($version)-\(.)", . ], + Architectures: $variantArches[.], + File: "Dockerfile.\(.)", + }, + + ( + . as $variant + | $variantArches[.][] + | { + Tags: [ "\($variant)-\(.)", if $archVariants[.] == $variant then . 
else empty end ], + Architectures: ., + File: "Dockerfile.\($variant)", + } + ) + ), + + empty + ] + | map(to_entries | map(.key + ": " + ([ .value ] | flatten | join(", "))) | join("\n")) + | join("\n\n") +' From 056c5dc2dde193a7bd00d5675f8f1b1213e57a8a Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 21 Dec 2023 11:56:12 -0800 Subject: [PATCH 41/60] Add `-trimpath` to builds for cleaner embedded paths --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 38a8a0e..8a51c3e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ RUN set -eux; \ patch --strip=1 --directory=/usr/local/go --input=/tmp/go-mips.patch # note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it -ENV BUILD_FLAGS="-v -ldflags '-d -w'" +ENV BUILD_FLAGS="-v -trimpath -ldflags '-d -w'" RUN set -eux; \ { \ From 96e1ec4c991395b88c00637c8bc0e59a4c3d0378 Mon Sep 17 00:00:00 2001 From: Alexander Yastrebov Date: Tue, 19 Mar 2024 13:34:35 +0100 Subject: [PATCH 42/60] Remove use of text/template Use of text/template inhibits dead code elimination, see https://github.com/golang/go/issues/62024 Building with go1.22.1 via `go build -v -trimpath -ldflags '-d -w'` results in binary size reduction from 2704725 to 1652718 bytes (-39%). --- main.go | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/main.go b/main.go index f984da8..3645b85 100644 --- a/main.go +++ b/main.go @@ -1,7 +1,6 @@ package main // import "github.com/tianon/gosu" import ( - "bytes" "fmt" "log" "os" @@ -10,7 +9,6 @@ import ( "runtime" "strings" "syscall" - "text/template" ) func init() { @@ -24,7 +22,7 @@ func version() string { } func usage() string { - t := template.Must(template.New("usage").Parse(` + t := ` Usage: {{ .Self }} user-spec command [args] eg: {{ .Self }} tianon bash {{ .Self }} nobody:root bash -c 'whoami && id' 
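Review bot: `with_entries(select(length > 0))` at the top of the jq program never filters anything, because inside `with_entries` the value is the `{key, value}` entry object whose `length` is always 2; if the intent is to drop a variant for which `bashbrew remote arches` returned no architectures it needs `with_entries(select(.value | length > 0))`. As written, an empty arch list would still produce a per-variant entry with a blank `Architectures: ` line and per-arch entries that never appear, leaving bashbrew to reject the generated manifest rather than this script. Passing `$commit` and `$version` via `--arg` is the right way to get shell values into jq; `version` is cross-checked between variants in the part of the script above this hunk.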
@@ -32,16 +30,10 @@ Usage: {{ .Self }} user-spec command [args] {{ .Self }} version: {{ .Version }} {{ .Self }} license: Apache-2.0 (full text at https://github.com/tianon/gosu) -`)) - var b bytes.Buffer - template.Must(t, t.Execute(&b, struct { - Self string - Version string - }{ - Self: filepath.Base(os.Args[0]), - Version: version(), - })) - return strings.TrimSpace(b.String()) + "\n" +` + t = strings.ReplaceAll(t, "{{ .Self }}", filepath.Base(os.Args[0])) + t = strings.ReplaceAll(t, "{{ .Version }}", version()) + return t[1:] } func main() { From 04fac5a03d468b0ea1a9bad71b8f772325639500 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 03:27:42 -0700 Subject: [PATCH 43/60] Ditch `fmt`, `log`, `path/filepath`, and `strings` for ~17KB more savings ```console $ stat --format '% 11n %s' gosu-before gosu-after gosu-before 1495254 gosu-after 1478001 ``` --- main.go | 62 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 29 deletions(-) diff --git a/main.go b/main.go index 3645b85..94546e2 100644 --- a/main.go +++ b/main.go @@ -1,13 +1,10 @@ package main // import "github.com/tianon/gosu" import ( - "fmt" - "log" + "io" "os" "os/exec" - "path/filepath" "runtime" - "strings" "syscall" ) 
@@ -18,67 +15,74 @@ func init() { } func version() string { - return fmt.Sprintf(`%s (%s on %s/%s; %s)`, Version, runtime.Version(), runtime.GOOS, runtime.GOARCH, runtime.Compiler) + // 1.17 (go1.18.2 on linux/amd64; gc) + return Version + ` (` + runtime.Version() + ` on ` + runtime.GOOS + `/` + runtime.GOARCH + `; ` + runtime.Compiler + `)` } func usage() string { + self := os.Args[0] + v := version() t := ` -Usage: {{ .Self }} user-spec command [args] - eg: {{ .Self }} tianon bash - {{ .Self }} nobody:root bash -c 'whoami && id' - {{ .Self }} 1000:1 id +Usage: ` + self + ` user-spec command [args] + eg: ` + self + ` tianon bash + ` + self + ` nobody:root bash -c 'whoami && id' + ` + self + ` 1000:1 id -{{ .Self }} version: {{ .Version }} -{{ .Self }} license: Apache-2.0 (full text at https://github.com/tianon/gosu) +` + self + ` version: ` + v + ` +` + self + ` license: Apache-2.0 (full text at https://github.com/tianon/gosu) ` - t = strings.ReplaceAll(t, "{{ .Self }}", filepath.Base(os.Args[0])) - t = strings.ReplaceAll(t, "{{ .Version }}", version()) return t[1:] } -func main() { - log.SetFlags(0) // no timestamps on our logs +func exit(code int, w io.Writer, ss ...string) { + for i, s := range ss { + if i > 0 { + w.Write([]byte{' '}) + } + w.Write([]byte(s)) + } + w.Write([]byte{'\n'}) + os.Exit(code) +} +func main() { if ok := os.Getenv("GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES"); ok != "I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." { if fi, err := os.Stat("/proc/self/exe"); err != nil { - log.Fatalf("error: %v", err) - } else if fi.Mode()&os.ModeSetuid != 0 { + exit(1, os.Stderr, "error:", err.Error()) + } else if mode := fi.Mode(); mode&os.ModeSetuid != 0 { // ... 
oh no - log.Fatalf("error: %q appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0]) - } else if fi.Mode()&os.ModeSetgid != 0 { + exit(1, os.Stderr, "error:", os.Args[0], "appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')") + } else if mode&os.ModeSetgid != 0 { // ... oh no - log.Fatalf("error: %q appears to be installed with the 'setgid' bit set, which is not quite *as* insecure as 'setuid', but still not great, and definitely a completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0]) + exit(1, os.Stderr, "error:", os.Args[0], "appears to be installed with the 'setgid' bit set, which is not quite *as* insecure as 'setuid', but still not great, and definitely a completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')") } } if len(os.Args) >= 2 { switch os.Args[1] { case "--help", "-h", "-?": - fmt.Println(usage()) - os.Exit(0) + exit(0, os.Stdout, usage()) case "--version", "-v": - fmt.Println(version()) - os.Exit(0) + exit(0, os.Stdout, version()) } } if len(os.Args) <= 2 { - log.Println(usage()) - os.Exit(1) + exit(1, os.Stderr, usage()) } // clear HOME so that SetupUser will set it os.Unsetenv("HOME") if err := SetupUser(os.Args[1]); err != nil { - log.Fatalf("error: failed switching to %q: %v", os.Args[1], err) + exit(1, os.Stderr, "error: failed switching to '"+os.Args[1]+"':", err.Error()) } name, err := exec.LookPath(os.Args[2]) if err != nil { - log.Fatalf("error: %v", err) + exit(1, os.Stderr, "error:", err.Error()) } if err = syscall.Exec(name, os.Args[2:], os.Environ()); err != nil { - log.Fatalf("error: exec failed: %v", err) + exit(1, os.Stderr, "error: exec failed:", err.Error()) } } 
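Review bot: The rewrite drops the `%q` quoting the old `log.Fatalf` calls applied to `os.Args[0]` and `os.Args[1]`, so a user-spec or argv[0] containing newlines or terminal escape sequences is now written raw to stderr in the `failed switching to` and setuid/setgid messages. `strconv.Quote(os.Args[1])` (and likewise for `os.Args[0]`) would restore the escaping, and since `os/exec` is still imported strconv is most likely already linked, so the size cost should be negligible — worth confirming with the same `stat` comparison used in the commit message. Separately, `usage()` now interpolates `os.Args[0]` where the old code used `filepath.Base(os.Args[0])`, so `--help` prints the full invocation path; if that is intentional a one-line comment would save the next reader a check. `main` is fully inside this hunk, but `SetupUser` lives in setup-user.go.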
From f0ea85bbe86fb43b2344fd69d44a19b7cfa10050 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 03:56:27 -0700 Subject: [PATCH 44/60] Update `tianon/gosu` Alpine images to 3.19 --- hub/Dockerfile.alpine | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index f280e3f..35f4edf 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.18 +FROM alpine:3.19 # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.17 From 2176ec221479581233c1d22a6e9ac2db02e77992 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 04:06:59 -0700 Subject: [PATCH 45/60] Add `COPY --from=tianon/gosu` to `INSTALL.md` --- INSTALL.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 6ca05f4..b4dc089 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -81,3 +81,9 @@ RUN set -eux; \ gosu --version; \ gosu nobody true ``` + +## Others / Lazy Method + +```dockerfile +COPY --from=tianon/gosu /gosu /usr/local/bin/ +``` From 0396450a9d9d4d8ff30219594884418dd2c4c86a Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 04:17:26 -0700 Subject: [PATCH 46/60] Slightly better / more up-to-date comment in setup-user.go --- setup-user.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup-user.go b/setup-user.go index ac0783f..87afcd1 100644 --- a/setup-user.go +++ b/setup-user.go 
@@ -7,9 +7,9 @@ import ( "golang.org/x/sys/unix" ) -// this function comes from libcontainer/init_linux.go -// we don't use that directly because we don't want the whole namespaces package imported here -// (also, because we need minor modifications and it's not even exported) +// this function comes from https://github.com/opencontainers/runc/blob/18c313be729dd02b17934af41e32116a28b4b3bf/libcontainer/init_linux.go#L472-L561 +// we don't use that directly because it isn't exported *and* we don't want that whole package/runc imported here +// (also, because we need minor modifications) // SetupUser changes the groups, gid, and uid for the user inside the container func SetupUser(u string) error { From 64a0cd92b71e0299d8f326856038920ed899e1bf Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 04:27:56 -0700 Subject: [PATCH 47/60] Update `SECURITY.md` to better reflect the move to `github.com/moby/sys/user` --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 99c21c4..f610165 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -6,12 +6,12 @@ Before reporting that `gosu` is "vulnerable" to a particular CVE, please run our If you have a tool which is reporting that `gosu` is vulnerable to a particular CVE but `govulncheck` does not agree, **please** report this as a false positive to your CVE scanning vendor so that they can improve their tooling. (If you wish to verify that your reported CVE is part of `govulncheck`'s dataset and thus covered by their tool, you can check [the vulndb repository](https://github.com/golang/vulndb) where they track those.) -Our wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh)) includes a very small set of vulnerabilities that will be reported by `govulncheck` which do not apply (due to other mitigations or otherwise). +Our `govulncheck` wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh)) may include a small set of vulnerabilities that will be reported by `govulncheck` which do not apply (due to other mitigations or otherwise). See comments in that script for details. # Reporting Vulnerabilities -The surface area of `gosu` itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of [`runc`](https://github.com/opencontainers/runc) (and which itself is a pretty limited interface) for providing the same behavior as Docker's `--user` flag, but from within a running container. +The surface area of `gosu` itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of [`github.com/moby/sys/user` (the Docker Engine's `--user` parsing code, to be exact)](https://github.com/moby/sys/tree/main/user) (and which itself is a pretty limited interface) intended for providing the same behavior as Docker's `--user` flag (switching from `root` to a less privileged user), but from within an already running container. 
-If you believe you have found a new vulnerability in `gosu`, chances are very high that it's actually a vulnerability in `runc` (or at the very least, `runc`'s code), and should be [reported appropriately and responsibly](https://github.com/opencontainers/.github/blob/master/SECURITY.md). +If you believe you have found a new vulnerability in `gosu`, chances are very high that it's actually a vulnerability in `github.com/moby/sys/user` or `golang.org/x/sys`, and should be [reported appropriately and responsibly](https://github.com/moby/moby/blob/HEAD/SECURITY.md). After all this, if you still believe you have discovered a novel vulnerability in the limited code that is `gosu` itself, please [use GitHub's (private) advisory reporting feature](https://github.com/tianon/gosu/security/advisories/new) to responsibly report it. From 9ea56fefddfda3644e0ded04d303ebc15147f040 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 04:19:08 -0700 Subject: [PATCH 48/60] Update to Go 1.20.5 This allows us to drop the mips64le upstream patch we've been applying (fixed in Go 1.20.0) and the GO-2023-1840 / CVE-2023-29403 govulncheck exclusion (which still doesn't apply, but was fixed in Go in 1.20.5 and thus we no longer need to ignore). Also: - update the tests to Debian Bookworm and Alpine 3.19 - update `SECURITY.md` to make our Go version update policy explicit and written down (including the parallel to how Linux distributions handle similar situations) --- Dockerfile | 8 +------- Dockerfile.test-alpine | 4 ++-- Dockerfile.test-debian | 4 ++-- SECURITY.md | 6 ++++++ go.mod | 2 +- govulncheck-with-excludes.sh | 3 ++- 6 files changed, 14 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8a51c3e..fba901c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,19 +1,13 @@ -FROM golang:1.18.2-bullseye +FROM golang:1.20.5-bookworm RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ arch-test \ file \ - patch \ ; \ rm -rf /var/lib/apt/lists/* -# https://github.com/golang/go/issues/56426 -RUN set -eux; \ - wget -O /tmp/go-mips.patch 'https://github.com/golang/go/commit/2c7c98c3ad719aa9d6d2594827a6894ff9950042.patch'; \ - patch --strip=1 --directory=/usr/local/go --input=/tmp/go-mips.patch - # note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it ENV BUILD_FLAGS="-v -trimpath -ldflags '-d -w'" diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index aaec78e..1277bd9 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine @@ -1,7 +1,7 @@ -FROM alpine:3.17 +FROM alpine:3.19 # add "nobody" to ALL groups (makes testing edge cases more interesting) -RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody +RUN cut -d: -f1 /etc/group | xargs -rtn1 addgroup nobody RUN { \ echo '#!/bin/sh'; \ diff --git a/Dockerfile.test-debian b/Dockerfile.test-debian index c520ab4..4efde06 100644 --- a/Dockerfile.test-debian +++ b/Dockerfile.test-debian @@ -1,7 +1,7 @@ -FROM debian:bullseye-slim +FROM debian:bookworm-slim # add "nobody" to ALL groups (makes testing edge cases more interesting) -RUN cut -d: -f1 /etc/group | xargs -n1 -I'{}' usermod -aG '{}' nobody +RUN cut -d: -f1 /etc/group | xargs -rtI'{}' usermod -aG '{}' nobody # emulate Alpine's "games" user (which is part of the "users" group) RUN usermod -aG users games diff --git a/SECURITY.md b/SECURITY.md index f610165..f4cc978 100644 --- a/SECURITY.md +++ b/SECURITY.md 
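Review bot: `FROM golang:1.20.5-bookworm` pins the builder by tag only, and since the SECURITY.md hunk in this same patch states that the binary is deliberately not rebuilt with newer compilers, the toolchain image is effectively part of the release's provenance; a mutable tag can be re-pushed (new Debian packages, rebuilt Go) without any change visible here. Pinning by digest, `FROM golang:1.20.5-bookworm@sha256:<digest captured when this line is updated>`, makes the build environment reproducible and verifiable from the Dockerfile alone. The comment above `BUILD_FLAGS` also still quotes the `-s` trade-off "as of 2022-12-16, Go 1.18" while the base is now 1.20.5, so it is worth re-measuring or rewording to avoid a stale number. The rest of the build stage continues below this hunk.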
@@ -8,6 +8,12 @@ If you have a tool which is reporting that `gosu` is vulnerable to a particular Our `govulncheck` wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh)) may include a small set of vulnerabilities that will be reported by `govulncheck` which do not apply (due to other mitigations or otherwise). See comments in that script for details. +## Go Version Updates + +Similar to the how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do *not* do so), and in the same spirit as the above CVE policy, we do *not* update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the `gosu` binary that warrants doing so. + +As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to `govulncheck`, etc). + # Reporting Vulnerabilities The surface area of `gosu` itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of [`github.com/moby/sys/user` (the Docker Engine's `--user` parsing code, to be exact)](https://github.com/moby/sys/tree/main/user) (and which itself is a pretty limited interface) intended for providing the same behavior as Docker's `--user` flag (switching from `root` to a less privileged user), but from within an already running container. diff --git a/go.mod b/go.mod index eae1559..3e2a20e 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/tianon/gosu -go 1.18 +go 1.20 require ( github.com/moby/sys/user v0.1.0 diff --git a/govulncheck-with-excludes.sh b/govulncheck-with-excludes.sh index 61c9b16..b535177 100755 --- a/govulncheck-with-excludes.sh +++ b/govulncheck-with-excludes.sh 
@@ -6,9 +6,10 @@ set -Eeuo pipefail excludeVulns="$(jq -nc '[ + # fixed in Go 1.20.5+ # https://pkg.go.dev/vuln/GO-2023-1840 # we already mitigate setuid in our code - "GO-2023-1840", "CVE-2023-29403", + #"GO-2023-1840", "CVE-2023-29403", # (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883) empty # trailing comma hack (makes diffs smaller) From 21b5265195d262d6a185739ed7b7547983456e3c Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 05:05:50 -0700 Subject: [PATCH 49/60] Adjust minimum required `golang.org/x/sys` down to v0.1.0 --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3e2a20e..9f8577f 100644 --- a/go.mod +++ b/go.mod @@ -4,5 +4,5 @@ go 1.20 require ( github.com/moby/sys/user v0.1.0 - golang.org/x/sys v0.13.0 + golang.org/x/sys v0.1.0 ) diff --git a/go.sum b/go.sum index 7fe378e..dea95ab 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,4 @@ github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From ea17b7978df76582637ff1f0d947779e5af807b4 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 09:36:11 -0700 Subject: [PATCH 50/60] Add a reference to the blog post about Go's "Minimal Version Selection" --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f4cc978..89c82a2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -8,9 +8,9 @@ If you have a tool which is reporting that `gosu` is vulnerable to a particular Our `govulncheck` wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh)) may include a small set of vulnerabilities that will be reported by `govulncheck` which do not apply (due to other mitigations or otherwise). See comments in that script for details. -## Go Version Updates +## Version Updates -Similar to the how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do *not* do so), and in the same spirit as the above CVE policy, we do *not* update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the `gosu` binary that warrants doing so. +Similar to the how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do *not* do so), and in the same spirit as the above CVE policy and [Go's "Minimal Version Selection"](https://research.swtch.com/vgo-mvs), we do *not* update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the `gosu` binary that warrants doing so. As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to `govulncheck`, etc). From ccc5c46e5fc49132e0515885cbe8e4ffe79b0fb6 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 09:41:19 -0700 Subject: [PATCH 51/60] Switch from `io.Writer` to explicit `*os.File` (shaving off a tiny amount more bytes) --- main.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/main.go b/main.go index 94546e2..7eb3d47 100644 
--- a/main.go +++ b/main.go @@ -1,7 +1,6 @@ package main // import "github.com/tianon/gosu" import ( - "io" "os" "os/exec" "runtime" @@ -34,7 +33,7 @@ Usage: ` + self + ` user-spec command [args] return t[1:] } -func exit(code int, w io.Writer, ss ...string) { +func exit(code int, w *os.File, ss ...string) { for i, s := range ss { if i > 0 { w.Write([]byte{' '}) From 1cd234d3a580c6ce9dab2267e503462867f75f73 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 20 Mar 2024 21:21:48 -0700 Subject: [PATCH 52/60] Update govulncheck to 1.0.4, actions versions --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6d5de65..f3ff975 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends binfmt-support qemu-user-static - run: ./build.sh - run: ./test.sh gosu-amd64 @@ -25,13 +25,13 @@ jobs: - run: docker build --pull --file hub/Dockerfile.alpine hub - run: docker build --pull --file hub/Dockerfile.debian hub - - uses: actions/setup-go@v3 + - uses: actions/setup-go@v4 with: go-version: 1.18 # https://github.com/golang/vuln/commits/master # https://github.com/golang/vuln/releases # https://github.com/golang/vuln/tags - - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.1 + - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.4 # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3) - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done From a1f38cab3a132e996dc4972605ec91e8650d4859 Mon Sep 17 00:00:00 2001 
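Review bot: The narrowed signature `func exit(code int, w *os.File, ss ...string)` trades the `io.Writer` abstraction for a few bytes of binary size, which a future reader is likely to "fix" back; record the reason on the function, e.g. `// exit writes ss space-separated to w and terminates with code. w is *os.File rather than io.Writer on purpose: avoiding the interface shaves bytes off the binary.` The `w.Write(...)` results on the following lines are still discarded, which the commit does not change and is presumably acceptable for a function about to terminate the process. The body of `exit` continues outside the hunk.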
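Review bot: The trailing comment `(update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3)` still points at the v1.0.1 go.mod while the line above now installs `govulncheck@v1.0.4`, and `go-version: 1.18` was not re-checked against it; update the link to the v1.0.4 go.mod and confirm the Go version it requires. Separately, `actions/checkout@v4` and `actions/setup-go@v4` reference mutable major tags; for a workflow that builds the binaries later signed and published, pinning each action to a full commit SHA with the version in a trailing comment (`- uses: actions/checkout@<commit-sha> # v4`) removes the tag-retarget risk.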
From: Tianon Gravi Date: Thu, 21 Mar 2024 11:30:35 -0700 Subject: [PATCH 53/60] Improve grammar around tooling in SECURITY --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 89c82a2..3610ffb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,7 +12,7 @@ Our `govulncheck` wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-w Similar to the how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do *not* do so), and in the same spirit as the above CVE policy and [Go's "Minimal Version Selection"](https://research.swtch.com/vgo-mvs), we do *not* update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the `gosu` binary that warrants doing so. -As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to `govulncheck`, etc). +As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to use `govulncheck`, etc). # Reporting Vulnerabilities From 08ad027f40a4faf1b97af6520dd5d2a0b2b14c81 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 29 May 2024 09:57:39 -0700 Subject: [PATCH 54/60] Add an "RPM-based" section back to `INSTALL.md` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Thanks to `rpm --query --queryformat='%{ARCH}' rpm`, I feel good about documenting this "officially" again. 🚀 --- INSTALL.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index b4dc089..704b8b6 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -82,6 +82,43 @@ RUN set -eux; \ gosu nobody true ``` +## `FROM centos|oraclelinux|...|ubi|...` (RPM-based distro) + +```dockerfile +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \ + case "$rpmArch" in \ + aarch64) dpkgArch='arm64' ;; \ + armv[67]*) dpkgArch='armhf' ;; \ + i[3456]86) dpkgArch='i386' ;; \ + ppc64le) dpkgArch='ppc64el' ;; \ + riscv64 | s390x) dpkgArch="$rpmArch" ;; \ + x86_64) dpkgArch='amd64' ;; \ + *) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \ + esac; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ +# verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + chmod +x /usr/local/bin/gosu; \ +# verify that the binary works + gosu --version; \ + gosu nobody true +``` + +Notes: + +- `gosu`'s `armhf` builds are ARMv6 (not ARMv7 as they might be in Debian proper) thanks to Raspbian, hence the `armv6` allowance above +- `rpm` architecture values sourced from https://rpmfind.net/linux/rpm2html/search.php?query=rpm + ## Others / Lazy Method ```dockerfile From 68286328f5fda27bbae4fc93aa24cc12961a9865 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 3 Jun 2024 13:50:48 -0700 Subject: [PATCH 55/60] Adjust `su-exec` references, especially to note the severe years-long issue with 0.3 --- INSTALL.md | 2 -- README.md | 8 ++++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 704b8b6..ad11df8 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -50,8 +50,6 @@ RUN set -eux; \ ## `FROM alpine` (3.7+) -**Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. - ```dockerfile ENV GOSU_VERSION 1.17 RUN set -eux; \ diff --git a/README.md b/README.md index 9db0cad..5de859b 100644 --- a/README.md +++ b/README.md @@ -58,10 +58,6 @@ If you're curious about the edge cases that `gosu` handles, see [`Dockerfile.tes ## Alternatives -### `su-exec` - -As mentioned in `INSTALL.md`, [`su-exec`](https://github.com/ncopa/su-exec) is a very minimal re-write of `gosu` in C, making for a much smaller binary, and is available in the `main` Alpine package repository. - ### `chroot` With the `--userspec` flag, `chroot` can provide similar benefits/behavior: @@ -82,6 +78,10 @@ USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND nobody 1 5.0 0.0 9592 1252 pts/0 RNs+ 23:21 0:00 ps faux ``` +### `su-exec` + +In the Alpine Linux ecosystem, [`su-exec`](https://github.com/ncopa/su-exec) is a minimal re-write of `gosu` in C, making for a much smaller binary, and is available in the `main` Alpine package repository. However, as of version 0.3 it has [a pretty severe parser bug](https://github.com/ncopa/su-exec/pull/26) that hasn't been in a release for many years (and which the buggy behavior is that typos lead to running code as root unexpectedly 😬). + ### Others I'm not terribly familiar with them, but a few other alternatives I'm aware of include: From a094511005799318adac840b6974852075a81153 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 3 Jun 2024 13:51:42 -0700 Subject: [PATCH 56/60] Fix version reference --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5de859b..06dd7e5 100644 --- a/README.md +++ b/README.md 
@@ -80,7 +80,7 @@ nobody 1 5.0 0.0 9592 1252 pts/0 RNs+ 23:21 0:00 ps faux ### `su-exec` -In the Alpine Linux ecosystem, [`su-exec`](https://github.com/ncopa/su-exec) is a minimal re-write of `gosu` in C, making for a much smaller binary, and is available in the `main` Alpine package repository. However, as of version 0.3 it has [a pretty severe parser bug](https://github.com/ncopa/su-exec/pull/26) that hasn't been in a release for many years (and which the buggy behavior is that typos lead to running code as root unexpectedly 😬). +In the Alpine Linux ecosystem, [`su-exec`](https://github.com/ncopa/su-exec) is a minimal re-write of `gosu` in C, making for a much smaller binary, and is available in the `main` Alpine package repository. However, as of version 0.2 it has [a pretty severe parser bug](https://github.com/ncopa/su-exec/pull/26) that hasn't been in a release for many years (and which the buggy behavior is that typos lead to running code as root unexpectedly 😬). ### Others From 7b1b498b980f0bab2cc4061c601482845bddb0c8 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 6 Jun 2024 11:16:49 -0700 Subject: [PATCH 57/60] Fix govulncheck wrapper + run govulncheck on latest release periodically too --- .github/workflows/ci.yml | 16 ++++------- .github/workflows/release.yml | 52 +++++++++++++++++++++++++++++++++++ govulncheck-with-excludes.sh | 25 +++++++++++++++-- 3 files changed, 80 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f3ff975..e601c81 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,6 +5,7 @@ on: push: schedule: - cron: 0 0 * * 0 + workflow_dispatch: defaults: run: 
@@ -25,13 +26,8 @@ jobs: - run: docker build --pull --file hub/Dockerfile.alpine hub - run: docker build --pull --file hub/Dockerfile.debian hub - - uses: actions/setup-go@v4 - with: - go-version: 1.18 - # https://github.com/golang/vuln/commits/master - # https://github.com/golang/vuln/releases - # https://github.com/golang/vuln/tags - - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.4 - # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3) - - - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done + - name: govulncheck + run: | + for gosu in gosu-*; do + ./govulncheck-with-excludes.sh -mode=binary "$gosu" + done diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..6b9311d --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,52 @@ +name: Release + +on: + pull_request: + paths: + - '.github/workflows/release.yml' + - 'govulncheck-with-excludes.sh' + push: + paths: + - '.github/workflows/release.yml' + - 'govulncheck-with-excludes.sh' + schedule: + - cron: 0 0 * * 0 + workflow_dispatch: + +defaults: + run: + shell: 'bash -Eeuo pipefail -x {0}' + +jobs: + test: + name: govulncheck + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: download + run: | + # find and download the latest release for testing + tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)" + for tag in $tags; do + echo >&2 "checking $tag ..." + url="https://github.com/tianon/gosu/releases/download/$tag" + if wget -O SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then + files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')" + for file in $files; do + wget -O "$file" "$url/$file" + done + if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then + echo >&2 "success with $tag !" + exit 0 + fi + fi + done + + echo >&2 'error: failed to find latest release' + + - name: govulncheck + run: | + for gosu in gosu-*; do + ./govulncheck-with-excludes.sh -mode=binary "$gosu" + done diff --git a/govulncheck-with-excludes.sh b/govulncheck-with-excludes.sh index b535177..616f656 100755 --- a/govulncheck-with-excludes.sh +++ b/govulncheck-with-excludes.sh @@ -9,7 +9,7 @@ excludeVulns="$(jq -nc '[ # fixed in Go 1.20.5+ # https://pkg.go.dev/vuln/GO-2023-1840 # we already mitigate setuid in our code - #"GO-2023-1840", "CVE-2023-29403", + "GO-2023-1840", "CVE-2023-29403", # (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883) empty # trailing comma hack (makes diffs smaller) 
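Review bot: The `download` step falls through to `echo >&2 'error: failed to find latest release'` when no tag yields a verified set of files, but `echo` succeeds under `bash -Eeuo pipefail`, so the step exits 0 and the following `govulncheck` step runs against an empty `gosu-*` glob; add `exit 1` directly after that `echo` line. The `sha256sum --strict --check -` check compares the binaries against a `SHA256SUMS` fetched from the same release URL, which proves the transfer was intact but not that the artifact is the one the project published; the releases also ship `.asc` signatures (the INSTALL.md snippet earlier in this series verifies them), so checking those with the project key before scanning would make the weekly result a statement about the genuine release. `tags` is iterated newest-first via `sort -urV`, so the first tag with a complete checksum file wins, which looks intended but deserves a one-line comment.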
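Review bot: `"GO-2023-1840", "CVE-2023-29403",` is re-enabled here while the comment two lines above still says `# fixed in Go 1.20.5+`, which now reads as a contradiction and invites the next reader to delete the exclusion again. If the reason is that the new release.yml scans the last published release binaries, which were built before the Go update, say so next to the entry, e.g. `# still excluded: published release binaries (scanned by release.yml) predate Go 1.20.5, and we mitigate setuid in our code`. I am inferring that motivation from the two hunks together, so please confirm.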
@@ -30,7 +30,9 @@ if ! command -v govulncheck > /dev/null; then --workdir /wd "${GOLANG_IMAGE:-golang:latest}" sh -euc ' - go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null + # https://github.com/golang/vuln/releases + # (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly) + go install golang.org/x/vuln/cmd/govulncheck@v1.1.2 > /dev/null exec "$GOPATH/bin/govulncheck" "$@" ' -- ) @@ -45,7 +47,24 @@ fi json="$(govulncheck -json "$@")" -vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')" +vulns="$(jq <<<"$json" -cs ' + ( + map( + .osv // empty + | { key: .id, value: . } + ) + | from_entries + ) as $meta + # https://github.com/tianon/gosu/issues/144 + | map( + .finding // empty + # https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104 + | select((.trace[0].function // "") != "") + | .osv + ) + | unique + | map($meta[.]) +')" if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then printf '%s\n' "$out" exit 1 From 46d62581abec6906ad4af73cc0524093bd49c8a1 Mon Sep 17 00:00:00 2001 From: Luke Parkinson <41398636+LukeParky@users.noreply.github.com> Date: Tue, 16 Jul 2024 12:45:53 +1200 Subject: [PATCH 58/60] Update broken dockerfile.test link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 06dd7e5..b74503d 100644 --- a/README.md +++ b/README.md 
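Review bot: `go install golang.org/x/vuln/cmd/govulncheck@v1.1.2` is now pinned, but the container it runs in still defaults to `"${GOLANG_IMAGE:-golang:latest}"`, so the Go toolchain that builds and runs govulncheck floats from week to week; pin that default to a specific tag (`"${GOLANG_IMAGE:-golang:<pinned tag>}"`) for the same reason the new comment gives for pinning govulncheck itself. This matters more now that the ci.yml hunk in this patch removes its explicit `setup-go`/`go install` steps and relies entirely on this fallback. The enclosing `if ! command -v govulncheck` block starts and ends outside the hunk.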
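Review bot: The new filter `select((.trace[0].function // "") != "")` is the substance of this rewrite (it drops findings without a symbol-level call trace) but only a URL documents it; a plain-language comment next to it, e.g. `# keep only findings that carry a call trace (symbol reachability), mirroring what govulncheck's text output reports`, lets a maintainer judge the exclusion logic without opening template.go. `map($meta[.])` yields `null` for any finding id that has no matching `osv` entry in the same stream, and the `length` test on the context line below would count that as a vulnerability; if that shape can occur, `map($meta[.] // empty)` keeps the list to real entries. I am inferring the stream shape from this hunk alone, so please check it against the linked govulncheck source.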
@@ -52,7 +52,7 @@ root 1 0.0 0.0 7140 768 ? Rs+ 02:22 0:00 ps aux Additionally, due to the fact that `gosu` is using Docker's own code for processing these `user:group`, it has exact 1:1 parity with Docker's own `--user` flag. -If you're curious about the edge cases that `gosu` handles, see [`Dockerfile.test`](Dockerfile.test) for the "test suite" (and the associated [`test.sh`](test.sh) script that wraps this up for testing arbitrary binaries). +If you're curious about the edge cases that `gosu` handles, see [`Dockerfile.test-alpine`](Dockerfile.test-alpine) for the "test suite" (and the associated [`test.sh`](test.sh) script that wraps this up for testing arbitrary binaries). (Note that `sudo` has different goals from this project, and it is *not* intended to be a `sudo` replacement; for example, see [this Stack Overflow answer](https://stackoverflow.com/a/48105623) for a short explanation of why `sudo` does `fork`+`exec` instead of just `exec`.) From 9842436d3bd9129c5834ab41f4e08fbe0c916d68 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 27 Sep 2024 00:47:11 -0700 Subject: [PATCH 59/60] Add "suite" aliases to published images (`bookworm`, `alpine3.19`) --- hub/gsl.sh | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/hub/gsl.sh b/hub/gsl.sh index 19a2d9b..120e75b 100755 --- a/hub/gsl.sh +++ b/hub/gsl.sh 
@@ -18,23 +18,33 @@ for variant in "${preferredOrder[@]}"; do echo >&2 "error: mismatched version in '$variant' ('$version' vs '$variantVersion')" exit 1 fi - jq="${jq:+$jq, }$variant: (.[$i].arches | keys_unsorted)" + jq="${jq:+$jq, }$variant: (.[$i] | { ref: .ref, arches: .arches | keys_unsorted })" froms["$i"]="$from" (( i++ )) || : done arches="$(bashbrew remote arches --json "${froms[@]}" | jq -sc "{ $jq }")" # { alpine: [ "amd64", ... ], debian: [ "amd64", ... ] } exec jq <<<"$arches" -r --arg commit "$commit" --arg version "$version" ' - with_entries(select(length > 0)) + map_values(select(.arches | length > 0)) | keys_unsorted as $variants - | (add | unique) as $arches - | . as $variantArches + | with_entries(.value |= .arches) as $variantArches + | ($variantArches | add | unique) as $arches + | with_entries(.value |= ( + .ref + | sub("^(docker[.]io/(library/)?)?"; "") + | split(":") + | if .[0] == "alpine" then + join("") # alpine3.20, etc + elif .[0] == "debian" or .[0] == "ubuntu" then + .[1] | split("-")[0] # "bookworm", etc + else empty end + )) as $variantAlias | ( reduce ( to_entries[] | { variant: .key, - arch: .value[], + arch: .value.arches[], } ) as $m ({}; if has($m.arch) then . else @@ -67,8 +77,9 @@ exec jq <<<"$arches" -r --arg commit "$commit" --arg version "$version" ' ( $variants[] + | $variantAlias[.] as $alias | { - Tags: [ "\($version)-\(.)", . ], + Tags: [ "\($version)-\(.)", ., "\($version)-\($alias // empty)", $alias // empty ], Architectures: $variantArches[.], File: "Dockerfile.\(.)", }, @@ -77,7 +88,7 @@ exec jq <<<"$arches" -r --arg commit "$commit" --arg version "$version" ' . as $variant | $variantArches[.][] | { - Tags: [ "\($variant)-\(.)", if $archVariants[.] == $variant then . else empty end ], + Tags: [ "\($variant)-\(.)", "\($alias // empty)-\(.)", if $archVariants[.] == $variant then . else empty end ], Architectures: ., File: "Dockerfile.\($variant)", } 
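Review bot: The new tag expressions rely on a non-obvious jq property: an interpolation that produces `empty` (`"\($version)-\($alias // empty)"`) makes the whole string produce no output, which is how variants without an alias silently lose those tags; add a comment on the first such line, e.g. `# "\(... // empty)" drops the entire tag when the variant has no alias (jq interpolation over empty yields empty)`. The alias derivation `sub("^(docker[.]io/(library/)?)?"; "") | split(":")` assumes `.ref` is a plain `image:tag`; if `bashbrew remote arches` can ever return a ref with an `@sha256:…` digest suffix, the alpine branch's `join("")` would fold the digest into the alias, so either guard for that or state the assumption in a comment. The third hunk uses `$alias` inside the per-arch block while its binding sits in the second hunk; the lines between are outside this diff, so I cannot confirm the scope is shared.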
From 4233b796eeb3ba76c8597a46d89eab1f116188e2 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 27 Sep 2024 01:20:36 -0700 Subject: [PATCH 60/60] Update to Alpine 3.20 --- Dockerfile.test-alpine | 2 +- hub/Dockerfile.alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index 1277bd9..66d839f 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine @@ -1,4 +1,4 @@ -FROM alpine:3.19 +FROM alpine:3.20 # add "nobody" to ALL groups (makes testing edge cases more interesting) RUN cut -d: -f1 /etc/group | xargs -rtn1 addgroup nobody diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine index 35f4edf..da88f91 100644 --- a/hub/Dockerfile.alpine +++ b/hub/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.19 +FROM alpine:3.20 # https://github.com/tianon/gosu/releases ENV GOSU_VERSION 1.17