Merge branch 'main' into 2.0

SPECS/kata-containers-cc/kata-containers-cc.spec

@@ -8,7 +8,7 @@
 
 Name:         kata-containers-cc
 Version:      0.6.1
-Release:      3%{?dist}
+Release:      4%{?dist}
 Summary:      Kata Confidential Containers
 License:      ASL 2.0
 Vendor:       Microsoft Corporation
@@ -19,6 +19,7 @@ Source2:      %{name}-%{version}-cargo.tar.gz
 Source3:      mariner-coco-build-uvm.sh
 Patch0:       0001-tardev-snapshotter-enable-feature-impl_trait_in_asso.patch
 Patch1:       drop-mut-for-variables-that-are-not-mutated.patch
+Patch2:       keep-uvm-rootfs-dependencies.patch
 
 ExclusiveArch: x86_64
 
@@ -290,8 +291,11 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
 %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
 
 %changelog
-* Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 0.6.1-3
-- Bump release to rebuild with go 1.20.10
+*   Fri Nov 3 2023 Dallas Delaney <[email protected]> - 0.6.1-4
+-   Add patch to retain UVM rootfs dependencies
+
+*   Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 0.6.1-3
+-   Bump release to rebuild with go 1.20.10
 
 *   Tue Oct 10 2023 Dan Streetman <[email protected]> - 0.6.1-2
 -   Bump release to rebuild with updated version of Go.

SPECS/kata-containers-cc/keep-uvm-rootfs-dependencies.patch

@@ -0,0 +1,24 @@
+From e2ef156d481aacc24f20695c0ec65c81e4f85c17 Mon Sep 17 00:00:00 2001
+From: dallasd1 <[email protected]>
+Date: Thu, 2 Nov 2023 19:58:26 -0700
+Subject: [PATCH] Keep zstd-libs in UVM rootfs
+
+---
+ tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+index 0988f08f6..359a1c4d9 100644
+--- a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
++++ b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+@@ -78,7 +78,6 @@ build_rootfs()
+ 		"tar" \
+ 		"tzdata" \
+ 		"xz" \
+-		"zstd-libs" \
+ 	)
+
+ 	for MARINER_REMOVED_PACKAGE in ${MARINER_REMOVED_PACKAGES[@]}
+-- 
+2.17.1
+

SPECS/kernel/CVE-2023-4623.nopatch

@@ -0,0 +1,3 @@
+CVE-2023-4623 - patched in 5.15.133.1 - (generated by autopatch tool)
+upstream b3d26c5702c7d6c45456326e56d2ccf3f103e60f - stable 4cf994d3f4ff42d604fae2b461bdd5195a7dfabd
+

SPECS/redis/redis.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "redis-6.2.13.tar.gz": "89ff27c80d420456a721ccfb3beb7cc628d883c53059803513749e13214a23d1"
+    "redis-6.2.14.tar.gz": "34e74856cbd66fdb3a684fb349d93961d8c7aa668b06f81fd93ff267d09bc277"
   }
 }

SPECS/redis/redis.spec

@@ -1,7 +1,7 @@
 Summary:        advanced key-value store
 Name:           redis
-Version:        6.2.13
-Release:        2%{?dist}
+Version:        6.2.14
+Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -83,6 +83,9 @@ exit 0
 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf
 
 %changelog
+* Thu Nov 02 2023 CBL-Mariner Servicing Account <[email protected]> - 6.2.14-1
+- Auto-upgrade to 6.2.14 - Fixes CVE-2023-45145
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 6.2.13-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 

SPECS/snappy/build-with-rtti.patch

@@ -0,0 +1,30 @@
+From f137d551122afef008b3cc5380c6f9744653d69a Mon Sep 17 00:00:00 2001
+From: Noah Watkins <[email protected]>
+Date: Sat, 23 Oct 2021 13:15:29 -0700
+Subject: [PATCH] Enable rtti for snappy build
+
+Without rtti build fails to link when implementing a custom
+snappy::Source/Sink.
+
+https://github.com/facebook/folly/issues/1606
+
+Signed-off-by: Noah Watkins <[email protected]>
+---
+ CMakeLists.txt | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 7d9f5429..4a440d2e 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -74,10 +74,6 @@ else(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC")
+   # Disable C++ exceptions.
+   string(REGEX REPLACE "-fexceptions" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions")
+-
+-  # Disable RTTI.
+-  string(REGEX REPLACE "-frtti" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-rtti")
+ endif(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC")
+
+ # BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to make

SPECS/snappy/snappy.spec

@@ -1,7 +1,7 @@
 Summary:        Fast compression and decompression library
 Name:           snappy
 Version:        1.1.9
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -21,6 +21,7 @@ Source0:        https://github.com/google/snappy/archive/%{version}.tar.gz#/%{na
 
 Patch0:         snappy-inline.patch
 Patch1:         detect_system_gtest.patch
+Patch2:         build-with-rtti.patch
 BuildRequires:  cmake >= 3.3
 BuildRequires:  gmock-devel
 BuildRequires:  gtest-devel
@@ -73,6 +74,9 @@ make test
 %{_libdir}/cmake/Snappy/
 
 %changelog
+* Thu Nov 02 2023 Bala <[email protected]> - 1.1.9-3
+- Patch to fix build with RTTI enabled.
+
 * Wed Mar 23 2022 Nicolas Guibourge <[email protected]> - 1.1.9-2
 - Do not provide gtest/gmock headers and binaries.
 

SPECS/systemd/systemd.spec

@@ -1,7 +1,7 @@
 Summary:        Systemd-250
 Name:           systemd
 Version:        250.3
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        LGPLv2+ AND GPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -60,6 +60,7 @@ Requires:       libgcrypt
 Requires:       lz4
 Requires:       pam
 Requires:       xz
+Requires:       zstd-libs
 Requires(post): audit-libs
 Requires(post): pam
 Requires(post): util-linux-libs
@@ -286,6 +287,9 @@ fi
 %files lang -f %{name}.lang
 
 %changelog
+* Thu Nov 02 2023 Chris Co <[email protected]> - 250.3-19
+- Add zstd-libs as a requires to ensure libzstd.so.1 is present
+
 * Thu Oct 19 2023 Dan Streetman <[email protected]> - 250.3-18
 - Enable zstd support for journalctl, but force journald to not use zstd to keep backwards compatibility
 

SPECS/telegraf/telegraf.signatures.json

@@ -1,6 +1,6 @@
 {
   "Signatures": {
-    "telegraf-1.27.3.tar.gz": "da4bc911483ff90f8c2c6ab230fcf329eea094baba423b55c9196b3214f3847a",
-    "telegraf-1.27.3-vendor.tar.gz": "8896d41bc462d529503c4d0af9e56b4bf042cc13631120e1422f4c95a5438249"
+    "telegraf-1.28.3.tar.gz": "0c65649c4b761b2a1403237ec48fa0c27b4c91320f3f5e178692bfa7ca1769f6",
+    "telegraf-1.28.3-vendor.tar.gz": "82929bd4fcaaa56940cf7b54fa65a91ef03c579873024092782ad3b7c0497b20"
   }
 }

SPECS/telegraf/telegraf.spec

@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
-Version:        1.27.3
-Release:        4%{?dist}
+Version:        1.28.3
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -75,6 +75,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Nov 02 2023 CBL-Mariner Servicing Account <[email protected]> - 1.28.3-1
+- Auto-upgrade to 1.28.3 - To pull the fix for Telegraf update for service account token 
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.27.3-4
 - Bump release to rebuild with go 1.20.10
 

cgmanifest.json

@@ -25504,8 +25504,8 @@
         "type": "other",
         "other": {
           "name": "redis",
-          "version": "6.2.13",
-          "downloadUrl": "https://download.redis.io/releases/redis-6.2.13.tar.gz"
+          "version": "6.2.14",
+          "downloadUrl": "https://download.redis.io/releases/redis-6.2.14.tar.gz"
         }
       }
     },
@@ -28577,8 +28577,8 @@
         "type": "other",
         "other": {
           "name": "telegraf",
-          "version": "1.27.3",
-          "downloadUrl": "https://github.com/influxdata/telegraf/archive/v1.27.3.tar.gz"
+          "version": "1.28.3",
+          "downloadUrl": "https://github.com/influxdata/telegraf/archive/v1.28.3.tar.gz"
         }
       }
     },

toolkit/docs/building/developer-tools.md

@@ -3,7 +3,9 @@
 
 ## containerized-rpmbuild
 
-This [tool](./../../scripts/containerized-build/) enables the user to build/test a single Mariner package. It creates a Mariner container, either using the worker chroot as the fs or using upstream Mariner container (depending on the mode), and mounts SPECs, INTERMEDIATE_SRPMS, and out/RPMs from Mariner repository at repo_path (or the current Mariner repo). The user can choose whether to use locally built RPMs or upstream RPMs to satisfy build and runtime dependencies. One can use native rpm commands to build packages. Changes made to SPECS/ are synced to the host
+This [tool](./../../scripts/containerized-build/) enables the user to build/test a single Mariner package. It creates a Mariner container, either using the worker chroot as the fs or using upstream Mariner container (depending on the mode), and mounts SPECs, INTERMEDIATE_SRPMS, and out/RPMs from Mariner repository at repo_path (or the current Mariner repo) into the container. The user can choose whether to use locally built RPMs or upstream RPMs to satisfy build and runtime dependencies. One can use native rpm commands to build packages. Changes made to SPECS/ are synced to the host. All other changes are lost. Container is cleaned up upon exit.
+
+The user can optionally add arguments. REPO_PATH defines directory to use as Mariner repo, default is current directory. MODE can be build (default) or test. Mariner VERSION may be 2.0 (default) or 1.0. MOUNTS specify directories to mount into the container, besides the default ones. BUILD_MOUNT defines directory to mount as build directory into container, default is $REPO_PATH/build. EXTRA_PACKAGES to install into container besides the default ones. ENABLE_REPO to use local RPMs to satisfy build depenedencies. In addition, user may override any Mariner make definitions e.g. SPECS_DIR, SRPM_PACK_LIST, etc.
 
 ```bash
 cd CBL-Mariner/toolkit

toolkit/scripts/containerized-build.mk

@@ -30,6 +30,10 @@ ifneq ($(BUILD_MOUNT),)
 containerized_build_args += -b ${BUILD_MOUNT}
 endif
 
+ifneq ($(EXTRA_PACKAGES),)
+containerized_build_args += -ep "$(EXTRA_PACKAGES)"
+endif
+
 ifeq ($(ENABLE_REPO),y)
 containerized_build_args += -r
 endif

toolkit/scripts/containerized-build/create_container_build.sh

@@ -23,7 +23,7 @@ print_error() {
 help() {
 echo "
 Usage:
-sudo make containerized-rpmbuild [REPO_PATH=/path/to/CBL-Mariner] [MODE=test|build] [VERSION=1.0|2.0] [MOUNTS=/path/in/host:/path/in/container ...] [ENABLE_REPO=y] [BUILD_MOUNT=/path/to/build/chroot/mount]
+sudo make containerized-rpmbuild [REPO_PATH=/path/to/CBL-Mariner] [MODE=test|build] [VERSION=1.0|2.0] [MOUNTS=/path/in/host:/path/in/container ...] [BUILD_MOUNT=/path/to/build/chroot/mount] [EXTRA_PACKAGES=pkg ...] [ENABLE_REPO=y]
 
 Starts a docker container with the specified version of mariner.
 
@@ -37,6 +37,7 @@ Optional arguments:
                         e.g. MOUNTS=\"/host/dir1:/container/dir1 /host/dir2:/container/dir2\"
     BUILD_MOUNT     path to folder to create mountpoints for container's BUILD and BUILDROOT directories.
                         Mountpoints will be ${BUILD_MOUNT}/container-build and ${BUILD_MOUNT}/container-buildroot. default: $REPO_PATH/build
+    EXTRA_PACKAGES  Space delimited list of packages to tdnf install in the container on startup. e.g. EXTRA_PACKAGES=\"pkg1 pkg2\" default: \"\"
     ENABLE_REPO:    Set to 'y' to use local RPMs to satisfy package dependencies. default: n
 
     * User can override Mariner make definitions. Some useful overrides could be
@@ -86,6 +87,7 @@ while (( "$#")); do
     -p ) repo_path="$(realpath $2)"; shift 2 ;;
     -mo ) extra_mounts="$2"; shift 2 ;;
     -b ) build_mount_dir="$(realpath $2)"; shift 2;;
+    -ep ) extra_packages="$2"; shift 2;;
     -r ) enable_local_repo=true; shift ;;
     -h ) help; exit 1 ;;
     ? ) echo -e "ERROR: INVALID OPTION.\n\n"; help; exit 1 ;;
@@ -235,6 +237,7 @@ docker build -q \
                 --build-arg enable_local_repo="$enable_local_repo" \
                 --build-arg mariner_repo="$repo_path" \
                 --build-arg mode="$mode" \
+                --build-arg extra_packages="$extra_packages" \
                 .
 
 echo "docker_image_tag is ${docker_image_tag}"

toolkit/scripts/containerized-build/resources/mariner.Dockerfile

@@ -4,6 +4,7 @@ ARG version
 ARG enable_local_repo
 ARG mariner_repo
 ARG mode
+ARG extra_packages
 LABEL containerized-rpmbuild=$mariner_repo/build
 
 COPY resources/local_repo /etc/yum.repos.d/local_repo.disabled_repo
@@ -22,4 +23,4 @@ RUN if [[ "${mode}" == "build" ]]; then echo "cd /usr/src/mariner || { echo \"ER
 RUN if [[ "${mode}" == "test" ]]; then echo "cd /mnt || { echo \"ERROR: Could not change directory to /mnt \"; exit 1; }"  >> /root/.bashrc; fi
 
 # Install vim & git in the build env
-RUN tdnf --releasever=$version install -y vim git
+RUN tdnf --releasever=$version install -y vim git $extra_packages

toolkit/tools/internal/azureblobstorage/azureblobstorage.go

@@ -17,8 +17,9 @@ import (
 )
 
 const (
-	AnonymousAccess     = 0
-	AuthenticatedAccess = 1
+	AnonymousAccess        = 0
+	ServicePrincipalAccess = 1
+	ManagedIdentityAccess  = 2
 )
 
 type AzureBlobStorage struct {
@@ -116,11 +117,25 @@ func Create(tenantId string, userName string, password string, storageAccount st
 
 		return abs, nil
 
-	} else if authenticationType == AuthenticatedAccess {
+	} else if authenticationType == ServicePrincipalAccess {
 
 		credential, err := azidentity.NewClientSecretCredential(tenantId, userName, password, nil)
 		if err != nil {
-			return nil, fmt.Errorf("Unable to init azure identity:\n%w", err)
+			return nil, fmt.Errorf("Unable to init azure service principal identity:\n%w", err)
+		}
+
+		abs.theClient, err = azblob.NewClient(url, credential, nil)
+		if err != nil {
+			return nil, fmt.Errorf("Unable to init azure blob storage read-write client:\n%w", err)
+		}
+
+		return abs, nil
+
+	} else if authenticationType == ManagedIdentityAccess {
+
+		credential, err := azidentity.NewDefaultAzureCredential(nil)
+		if err != nil {
+			return nil, fmt.Errorf("Unable to init azure managed identity:\n%w", err)
 		}
 
 		abs.theClient, err = azblob.NewClient(url, credential, nil)

toolkit/tools/internal/ccachemanager/ccachemanager.go

@@ -456,7 +456,7 @@ func CreateManager(rootDir string, configFileName string) (m *CCacheManager, err
 	logger.Log.Infof("  creating blob storage client...")
 	accessType := azureblobstoragepkg.AnonymousAccess
 	if configuration.RemoteStoreConfig.UploadEnabled {
-		accessType = azureblobstoragepkg.AuthenticatedAccess
+		accessType = azureblobstoragepkg.ManagedIdentityAccess
 	}
 
 	azureBlobStorage, err := azureblobstoragepkg.Create(configuration.RemoteStoreConfig.TenantId, configuration.RemoteStoreConfig.UserName, configuration.RemoteStoreConfig.Password, configuration.RemoteStoreConfig.StorageAccount, accessType)

toolkit/tools/internal/userutils/userutils.go

@@ -93,8 +93,14 @@ func UpdateUserPassword(installRoot, username, hashedPassword string) error {
 	shadowFilePath := filepath.Join(installRoot, ShadowFile)
 
 	if hashedPassword == "" {
-		// In the /etc/shadow file, `!` means there is no password and password login is disabled.
-		hashedPassword = "!"
+		// In the /etc/shadow file, the values `*` and `!` both mean the user's password login is disabled but the user
+		// may login using other means (e.g. ssh, auto-login, etc.). This interpretation is also used by PAM. When sshd
+		// has `UsePAM` set to `yes`, then sshd defers to PAM the decision on whether or not the user is disabled.
+		// However, when `UsePAM` is set to `no`, then sshd must make this interpretation for itself. And the Mariner
+		// build of sshd is configured to interpret the `!` in the shadow file to mean the user is fully disabled, even
+		// for ssh login. But it interprets `*` to mean that only password login is disabled but sshd public/private key
+		// login is fine.
+		hashedPassword = "*"
 	}
 
 	// Find the line that starts with "<user>:<password>:..."

toolkit/tools/internal/userutils/userutils_test.go

@@ -80,20 +80,20 @@ func TestHashPasswordNotEmpty(t *testing.T) {
 }
 
 func TestUpdateUserPasswordEmptyToEmpty(t *testing.T) {
-	testUpdateUserPassword(t, "root:!:19634:7:99999:7:::", "root:!:19634:7:99999:7:::", "root", "")
+	testUpdateUserPassword(t, "root:*:19634:7:99999:7:::", "root:*:19634:7:99999:7:::", "root", "")
 }
 
 func TestUpdateUserPasswordSomethingToEmpty(t *testing.T) {
 	testUpdateUserPassword(t,
 		"root:$6$E0M9VkDvOLvO$nr9FjmIiSSP5C5V3Lhuqv4VzWmscABoiQ0mF.ZTbwKEN4nS60nsiU17qA/RGMbXHtJfci/DeLT1Zu2nhNFbwQ.:19634:7:99999:7:::",
-		"root:!:19634:7:99999:7:::",
+		"root:*:19634:7:99999:7:::",
 		"root",
 		"")
 }
 
 func TestUpdateUserPassword(t *testing.T) {
 	testUpdateUserPassword(t,
-		"root:!:19634:7:99999:7:::",
+		"root:*:19634:7:99999:7:::",
 		"root:$6$E0M9VkDvOLvO$nr9FjmIiSSP5C5V3Lhuqv4VzWmscABoiQ0mF.ZTbwKEN4nS60nsiU17qA/RGMbXHtJfci/DeLT1Zu2nhNFbwQ.:19634:7:99999:7:::",
 		"root",
 		"$6$E0M9VkDvOLvO$nr9FjmIiSSP5C5V3Lhuqv4VzWmscABoiQ0mF.ZTbwKEN4nS60nsiU17qA/RGMbXHtJfci/DeLT1Zu2nhNFbwQ.")