Merge branch '1.0' of https://github.com/microsoft/CBL-Mariner into 1.0

.github/pull_request_template.md

@@ -11,7 +11,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a
 - [ ] Any updated packages successfully build (or no packages were changed)
 - [ ] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
 - [ ] All package sources are available
-- [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/tools/cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
+- [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
 - [ ] LICENSE-MAP files are up-to-date (`./SPECS/LICENSES-AND-NOTICES/data/licenses.json`, `./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md`, `./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON`)
 - [ ] All source files have up-to-date hashes in the `*.signatures.json` files
 - [ ] `sudo make go-tidy-all` and `sudo make go-test-coverage` pass

.github/workflows/check-manifests.yml

@@ -9,7 +9,7 @@ on:
 jobs:
   build:
     name: Check Manifests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
 
     - name: Check out code

.github/workflows/check-package-cgmanifest.yml

@@ -10,7 +10,7 @@ jobs:
 
   build:
     name: Check Package CGManifests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
 
     - name: Check out code

.github/workflows/check-spec.yml

@@ -8,7 +8,7 @@ jobs:
 
   build:
     name: Check Spec for version and/or release update and parsing
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
 
     - name: Check out code

.github/workflows/go-test-coverage.yml

@@ -10,7 +10,7 @@ jobs:
 
   build:
     name: Go Test Coverage
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
 
     - name: Set up Go 1.x

SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec

@@ -10,7 +10,7 @@
 Summary:        Signed GRand Unified Bootloader for %{buildarch} systems
 Name:           grub2-efi-binary-signed-%{buildarch}
 Version:        2.06~rc1
-Release:        8%{?dist}
+Release:        10%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -54,6 +54,12 @@ cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/%{grubefiname}
 /boot/efi/EFI/BOOT/%{grubefiname}
 
 %changelog
+* Wed Feb 08 2023 Dan Streetman <[email protected]> - 2.06~rc1-10
+- CVE-2022-3775
+
+* Wed Dec 28 2022 Osama Esmail <[email protected]> - 2.06~rc1-9
+- Bump release number to match grub release number
+
 * Tue Apr 26 2022 Suresh Babu Chalamalasetty <[email protected]> - 2.06~rc1-8
 - Bump release number to match grub release number
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.10.142.1
+Version:        5.10.188.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -147,6 +147,84 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Mon Jul 31 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.188.1-1
+- Auto-upgrade to 5.10.188.1
+
+* Wed Jul 26 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.187.1-1
+- Auto-upgrade to 5.10.187.1
+
+* Wed Jun 28 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.185.1-1
+- Auto-upgrade to 5.10.185.1
+
+* Tue Jun 13 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.183.1-1
+- Auto-upgrade to 5.10.183.1
+
+* Fri Jun 02 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.181.1-1
+- Auto-upgrade to 5.10.181.1
+
+* Tue May 23 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.180.1-1
+- Auto-upgrade to 5.10.180.1
+
+* Wed May 10 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.179.1-1
+- Auto-upgrade to 5.10.179.1
+
+* Tue Apr 11 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.177.1-1
+- Auto-upgrade to 5.10.177.1
+
+* Tue Mar 14 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.174.1-1
+- Auto-upgrade to 5.10.174.1
+
+* Mon Mar 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.172.1-1
+- Auto-upgrade to 5.10.172.1
+
+* Wed Feb 22 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.168.1-1
+- Auto-upgrade to 5.10.168.1
+
+* Wed Feb 15 2023 Rachel Menge <[email protected]> - 5.10.167.1-2
+- Bump release number to match kernel release
+
+* Tue Feb 07 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.167.1-1
+- Auto-upgrade to 5.10.167.1
+
+* Thu Jan 26 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.165.1-1
+- Auto-upgrade to 5.10.165.1
+
+* Fri Jan 20 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.164.1-1
+- Auto-upgrade to 5.10.164.1
+
+* Sat Jan 14 2023 CBL-Mariner Servicing Account <[email protected]> - 5.10.162.1-1
+- Auto-upgrade to 5.10.162.1
+
+* Fri Dec 23 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.161.1-1
+- Auto-upgrade to 5.10.161.1
+
+* Tue Dec 13 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.158.1-1
+- Auto-upgrade to 5.10.158.1
+
+* Wed Dec 07 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.157.1-1
+- Auto-upgrade to 5.10.157.1
+
+* Tue Nov 29 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.156.1-1
+- Auto-upgrade to 5.10.156.1
+
+* Fri Nov 18 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.155.1-1
+- Auto-upgrade to 5.10.155.1
+
+* Tue Nov 08 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.153.1-1
+- Auto-upgrade to 5.10.153.1
+
+* Tue Nov 01 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.152.1-1
+- Upgrade to 5.10.152.1
+
+* Wed Oct 19 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.149.1-1
+- Upgrade to 5.10.149.1
+
+* Tue Sep 27 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.145.1-1
+- Upgrade to 5.10.145.1
+
+* Thu Sep 22 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.144.1-1
+- Upgrade to 5.10.144.1
+
 * Wed Sep 14 2022 CBL-Mariner Servicing Account <[email protected]> - 5.10.142.1-1
 - Upgrade to 5.10.142.1
 

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -402,7 +402,7 @@
         "efivar",
         "elfutils",
         "erlang",
-        "etcd-3.4.13",
+        "etcd-3.4.23",
         "etcd-3.5.0",
         "etcd-3.5.1",
         "ethtool",
@@ -761,6 +761,7 @@
         "python-zope-interface",
         "python2",
         "python3",
+        "python3-twisted",
         "pytz",
         "PyYAML",
         "rapidjson",

SPECS/WALinuxAgent/WALinuxAgent.signatures.json

@@ -1,5 +1,8 @@
 {
  "Signatures": {
-  "WALinuxAgent-2.2.54.2.tar.gz": "2c047d262ca55718268a0921c7bd04b6c1ab1032bd885e3e0949107f493e7b7c"
+  "WALinuxAgent-2.2.54.2.tar.gz": "2c047d262ca55718268a0921c7bd04b6c1ab1032bd885e3e0949107f493e7b7c",
+  "ephemeral-disk-warning": "5f3a42706ef6058cc82ff32d3f3f636d99c0b8e0007eb60376182ab9cb288b7f",
+  "ephemeral-disk-warning.conf": "128e531c029e04afdab591f44d2b0a69d5a4eb9dec8867282d0acb1ebded76d0",
+  "ephemeral-disk-warning.service": "627b06ab9692aafd20b8c2af4cc779675329426d2ad0c82ddc787d762027d0e9"
  }
 }

SPECS/WALinuxAgent/WALinuxAgent.spec

@@ -1,14 +1,17 @@
 Summary:        The Windows Azure Linux Agent
 Name:           WALinuxAgent
 Version:        2.2.54.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System/Daemons
 URL:            https://github.com/Azure/WALinuxAgent
 #Source0:       https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{version}.tar.gz
 Source0:        %{name}-%{version}.tar.gz
+Source1:        ephemeral-disk-warning.service
+Source2:        ephemeral-disk-warning.conf
+Source3:        ephemeral-disk-warning
 BuildRequires:  python3
 BuildRequires:  python3-distro
 BuildRequires:  python3-libs
@@ -55,12 +58,16 @@ install -m 644 config/66-azure-storage.rules %{buildroot}/%{_sysconfdir}/udev/ru
 sed -i 's,#!/usr/bin/env python,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent
 sed -i 's,#!/usr/bin/env python,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent2.0
 sed -i 's,/usr/bin/python ,/usr/bin/python3 ,' %{buildroot}%{_lib}/systemd/system/waagent.service
+install -m 644 %{SOURCE1} %{buildroot}%{_libdir}/systemd/system/ephemeral-disk-warning.service
+install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ephemeral-disk-warning.conf
+install -m 644 %{SOURCE3} %{buildroot}%{_bindir}/ephemeral-disk-warning
 
 %check
 python3 setup.py check && python3 setup.py test
 
 %post
 %systemd_post waagent.service
+%systemd_post ephemeral-disk-warning.service
 
 %preun
 %systemd_preun waagent.service
@@ -75,12 +82,17 @@ python3 setup.py check && python3 setup.py test
 %license LICENSE.txt
 %attr(0755,root,root) %{_bindir}/waagent
 %attr(0755,root,root) %{_bindir}/waagent2.0
+%attr(0755,root,root) %{_bindir}/ephemeral-disk-warning
 %config %{_sysconfdir}/waagent.conf
+%config %{_sysconfdir}/ephemeral-disk-warning.conf
 %ghost %{_localstatedir}/log/waagent.log
 %dir %attr(0700, root, root) %{_sharedstatedir}/waagent
 %{_lib}/python3.7/site-packages/*
 
 %changelog
+* Tue Nov 29 2022 Nan Liu <[email protected]> - 2.2.54.2-4
+- Add ephemeral-disk-warning.service
+
 * Tue Dec 14 2021 Neha Agarwal <[email protected]> - 2.2.54.2-3
 - Include the 66-azure-storage udev rule.
 

SPECS/WALinuxAgent/ephemeral-disk-warning

@@ -0,0 +1,31 @@
+#!/bin/sh
+dev_resource=$(readlink -f /dev/disk/azure/resource-part1)
+dev_resource_mp=$(awk '$1==R {print$2}' "R=${dev_resource}" /proc/mounts)
+warn_file="${dev_resource_mp}/DATALOSS_WARNING_README.txt"
+
+if [ ! -f "${warn_file}" ]; then
+    cat > ${warn_file} <<EOM
+WARNING: THIS IS A TEMPORARY DISK.
+
+Any data stored on this drive is SUBJECT TO LOSS and THERE IS NO WAY TO
+RECOVER IT.
+
+Please do not use this disk for storing any personal or application data.
+
+For additional details to please refer to the MSDN documentation at:
+http://msdn.microsoft.com/en-us/library/windowsazure/jj672979.aspx
+
+To remove this warning run:
+    sudo chattr -i $warn_file
+    sudo rm $warn_file
+
+This warning is written each boot; to disable it:
+    echo "manual" | sudo tee /etc/ephemeral-disk-warning.override
+    sudo systemctl disable ephemeral-disk-warning.service
+
+EOM
+
+    chmod 0444 ${warn_file}
+    chattr +i ${warn_file}
+    logger "Added ephemeral disk warning to ${warn_file}"
+fi

SPECS/WALinuxAgent/ephemeral-disk-warning.conf

@@ -0,0 +1,55 @@
+# ephemeral-disk-warning - warns user that the disk is really, really ephemeral
+#
+# On Azure, the ephemeral disk is extremely ephemeral; the ephemeral disk is
+# unsafe between boots. This places a file on /mnt that warns the user
+# that the disk is a dangerous place for storing data of any importance.
+
+env RESOURCE_DISK=/dev/disk/azure/resource-part1
+
+start on (stopped rc RUNLEVEL=[2345] and stopped cloud-config)
+task
+script
+    if [ ! -e $RESOURCE_DISK ]; then
+            logger "Disk $RESOURCE_DISK does not exist, skipping ephemeral warning"
+            exit 0
+    fi
+
+    ephemeral_kdev=$(readlink -f $RESOURCE_DISK)
+    ephemeral_mp=$(awk '$1==kd {print$2}' "kd=$ephemeral_kdev" /proc/mounts)
+    warn_file="$ephemeral_mp/DATALOSS_WARNING_README.txt"
+
+    if [ -z "$ephemeral_mp" ]; then
+            logger "Unable to discover mount point of $ephemeral_kdev. Ephemeral warning will not be written"
+            exit 0
+    else
+            logger "Ephemeral disk $ephemeral_kdev located at $ephemeral_mp"
+    fi
+
+    if [ ! -e "$warn_file" ]; then
+        cat >> $warn_file <<EOF
+WARNING: THIS IS A TEMPORARY DISK.
+
+Any data stored on this drive is SUBJECT TO LOSS and THERE IS NO WAY TO
+RECOVER IT.
+
+Please do not use this disk for storing any personal or application data.
+
+For additional details to please refer to the MSDN documentation at:
+http://msdn.microsoft.com/en-us/library/windowsazure/jj672979.aspx
+
+To remove this warning run:
+    sudo chattr -i $warn_file
+    sudo rm $warn_file
+
+This warning is written each boot; to disable it:
+    echo "manual" | sudo tee /etc/ephemeral-disk-warning.override
+    sudo systemctl disable ephemeral-disk-warning.service
+
+EOF
+        chmod 0444 $warn_file
+        chattr +i $warn_file
+        logger "Added ephemeral disk warning to $warn_file"
+    fi
+    logger "WARNING: $ephemeral_mp is an ephemeral disk. See $warn_file for more information"
+
+end script

SPECS/WALinuxAgent/ephemeral-disk-warning.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Write warning to Azure ephemeral disk
+After=cloud-config.service
+ConditionVirtualization=microsoft
+ConditionPathIsMountPoint=/mnt
+ConditionPathExists=/dev/disk/azure/resource-part1
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ephemeral-disk-warning
+RemainAfterExit=yes
+StandardOutput=journal+console
+
+[Install]
+WantedBy=multi-user.target

SPECS/ansible/ansible.spec

@@ -3,7 +3,7 @@
 Summary:        Configuration-management, application deployment, cloud provisioning system
 Name:           ansible
 Version:        2.9.27
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,7 +38,7 @@ python3 setup.py build
 python3 setup.py install -O1 --root %{buildroot}
 
 %check
-pip3 install tox
+pip3 install 'tox>=3.27.1,<4.0.0'
 cd build/lib/ansible_test/_data && tox
 
 %files
@@ -48,6 +48,9 @@ cd build/lib/ansible_test/_data && tox
 %{python3_sitelib}/*
 
 %changelog
+* Thu Jan 12 2023 Sam Meluch <[email protected]> - 2.9.27-2
+- Update version of tox for package tests
+
 * Mon May 02 2022 Nick Samson <[email protected]> - 2.9.27-1
 - Upgraded to 2.9.27-1 to fix CVE-2021-3620
 

SPECS/apr-util/apr-util.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "apr-util-1.6.1.tar.gz": "b65e40713da57d004123b6319828be7f1273fbc6490e145874ee1177e112c459"
+  "apr-util-1.6.3.tar.gz": "2b74d8932703826862ca305b094eef2983c27b39d5c9414442e9976a9acf1983"
  }
 }