commit libcontainers-common for openSUSE:Factory

[Source-Sync]

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libcontainers-common for 
openSUSE:Factory checked in at 2022-01-21 01:25:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcontainers-common (Old)
 and      /work/SRC/openSUSE:Factory/.libcontainers-common.new.1938 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libcontainers-common"

Fri Jan 21 01:25:10 2022 rev:44 rq:947411 version:20210626

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/libcontainers-common/libcontainers-common.changes    
    2021-09-30 23:43:22.408467876 +0200
+++ 
/work/SRC/openSUSE:Factory/.libcontainers-common.new.1938/libcontainers-common.changes
      2022-01-21 01:25:29.210559767 +0100
@@ -1,0 +2,5 @@
+Tue Jan 11 12:56:24 UTC 2022 - Dan ??erm??k <dcer...@suse.com>
+
+- Switch registries.conf to v2 format
+
+-------------------------------------------------------------------
@@ -4,0 +10,96 @@
+
+0.42.3:
+
+* (*libimage.Image).HasDifferentDigest: add authentication
+
+0.42.2:
+
+    Backports for Podman 3.3.2
+    Fix the fallback runtime path
+    Switch default Rootless Networking to "CNI" for OSX
+    libimage: disk usage: catch corrupted images
+    set GOPROXY=https://proxy.golang.org
+
+
+0.44.0:
+
+    Add HelperBinariesDir field to engine config
+    Add space trimming check in sysctl.Validate
+    Cirrus: Use fresher VM images
+    Fix `pkg/sysctl` path typo
+    Fix the fallback runtime path
+    Switch default Rootless Networking to "CNI" for OSX
+    Update pkg/sysctl/sysctl.go
+    add some cni plugin paths
+    build(deps): bump github.com/containers/image/v5 from 5.15.0 to 5.16.0
+    build(deps): bump github.com/containers/storage from 1.34.0 to 1.35.0
+    build(deps): bump github.com/onsi/gomega from 1.15.0 to 1.16.0
+    build(deps): bump github.com/opencontainers/runc from 1.0.1 to 1.0.2
+    build(deps): bump github.com/opencontainers/selinux from 1.8.4 to 1.8.5
+    docs/containers.conf.5.md: Fix manpage section
+    fix untag + v0.43.2
+    libimage: disk usage: catch corrupted images
+    libimage: relax untag by digest checks
+    path: dest paths inside container should always be treated as *nix type
+    remove-image: Add optional `LookupManifest` to RemoveImagesOptions.
+    runtime: Add ReturnManifestIfPresent to LookupImageOptions
+    runtime: Add `ManifestList` to `LookupImageOptions`
+    seccomp: allow memfd_secret
+
+0.43.2:
+
+* libimage: relax untag by digest checks
+* path: dest paths inside container should always be treated as *nix type
+
+0.43.1:
+
+Fix spelling mistakes
+Fix examples in containers.conf
+
+
+0.43.0:
+
+    Add documentation for Containerfile and Dockerfile
+    Remove no_libsubid flag
+    Add machine_image to containers.conf
+    build(deps): bump github.com/containers/storage from 1.33.1 to 1.34.0
+    build(deps): bump github.com/opencontainers/selinux from 1.8.2 to 1.8.4
+    Add machine_image to containers.conf
+    Switch default logdriver and eventslogger to journald, if root
+    build(deps): bump github.com/BurntSushi/toml from 0.3.1 to 0.4.1
+    build(deps): bump github.com/onsi/gomega from 1.14.0 to 1.15.0
+    libimage: {un}tag: reject digests
+    build(deps): bump github.com/docker/docker from 20.10.7+incompatible to 
20.10.8+incompatible
+    style: complete containers#556 to-do list part 4
+    build(deps): bump github.com/containers/image/v5 from 5.14.0 to 5.15.0
+    set GOPROXY=https://proxy.golang.org
+
+
+0.42.1:
+
+* pull: fallthrough for registry parsing errors
+
+0.42.0:
+
+* Remove --accept-repositories flag
+* pull policy: support camel cases
+* Use authfile in options to search image
+* vendor in containers/storage v1.33.0
+* config: split arguments in DBUS_SESSION_BUS_ADDRESS
+* pkg/seccomp: avoid DefaultErrnoRet: null
+* Add and use libimage.Runtime.imageIDsForManifest()
+* Add libimage/manifests.LockerForImage()
+* Add support for path based registry in login/logout
+* libimage: pull: normalize docker-daemon
+* libimage: report all removed images
+* libruntime: layer tree: handle empty images
+* refine dangling filters
+* libimage.RuntimeFromStore(): stop overriding the BlobInfoCache location
+* build(deps): bump github.com/opencontainers/runc from 1.0.0 to 1.0.1
+* pull with custom platform: handle "localhost/"
+* User option to prepare container after creation for volume copy-up. Docker 
does this by default.
+* add config option for ChownCopiedFiles
+* build(deps): bump github.com/containers/storage from 1.32.5 to 1.32.6
+* libimage: image tree: fix nil deref
+
+
@@ -5,0 +107,331 @@
+
+3.3.1:
+
+### Bugfixes
+- Fixed a bug where unit files created by `podman generate systemd` could not 
cleanup shut down containers when stopped by `systemctl stop` 
([#11304](https://github.com/containers/podman/issues/11304)).
+- Fixed a bug where `podman machine` commands would not properly locate the 
`gvproxy` binary in some circumstances.
+- Fixed a bug where containers created as part of a pod using the 
`--pod-id-file` option would not join the pod's network namespace 
([#11303](https://github.com/containers/podman/issues/11303)).
+- Fixed a bug where Podman, when using the systemd cgroups driver, could 
sometimes leak dbus sessions.
+- Fixed a bug where the `until` filter to `podman logs` and `podman events` 
was improperly handled, requiring input to be negated 
([#11158](https://github.com/containers/podman/issues/11158)).
+- Fixed a bug where rootless containers using CNI networking run on systems 
using `systemd-resolved` for DNS would fail to start if resolved symlinked 
`/etc/resolv.conf` to an absolute path 
([#11358](https://github.com/containers/podman/issues/11358)).
+
+### API
+- A large number of potential file descriptor leaks from improperly closing 
client connections have been fixed.
+
+
+3.3.0:
+
+### Features
+- Containers inside VMs created by `podman machine` will now automatically 
handle port forwarding - containers in `podman machine` VMs that publish ports 
via `--publish` or `--publish-all` will have these ports not just forwarded on 
the VM, but also on the host system.
+- The `podman play kube` command's `--network` option now accepts advanced 
network options (e.g. `--network slirp4netns:port_handler=slirp4netns`) 
([#10807](https://github.com/containers/podman/issues/10807)).
+- The `podman play kube` commmand now supports Kubernetes liveness probes, 
which will be created as Podman healthchecks.
+- Podman now provides a systemd unit, `podman-restart.service`, which, when 
enabled, will restart all containers that were started with `--restart=always` 
after the system reboots.
+- Rootless Podman can now be configured to use CNI networking by default by 
using the `rootless_networking` option in `containers.conf`.
+- Images can now be pulled using `image:tag@digest` syntax (e.g. `podman pull 
fedora:34@sha256:1b0d4ddd99b1a8c8a80e885aafe6034c95f266da44ead992aab388e6aa91611a`)
 ([#6721](https://github.com/containers/podman/issues/6721)).
+- The `podman container checkpoint` and `podman container restore` commands 
can now be used to checkpoint containers that are in pods, and restore those 
containers into pods.
+- The `podman container restore` command now features a new option, 
`--publish`, to change the ports that are forwarded to a container that is 
being restored from an exported checkpoint.
+- The `podman container checkpoint` command now features a new option, 
`--compress`, to specify the compression algorithm that will be used on the 
generated checkpoint.
+- The `podman pull` command can now pull multiple images at once (e.g. `podman 
pull fedora:34 ubi8:latest` will pull both specified images).
+- THe `podman cp` command can now copy files from one container into another 
directly (e.g. `podman cp containera:/etc/hosts containerb:/etc/`) 
([#7370](https://github.com/containers/podman/issues/7370)).
+- The `podman cp` command now supports a new option, `--archive`, which 
controls whether copied files will be chown'd to the UID and GID of the user of 
the destination container.
+- The `podman stats` command now provides two additional metrics: Average CPU, 
and CPU time.
+- The `podman pod create` command supports a new flag, `--pid`, to specify the 
PID namespace of the pod. If specified, containers that join the pod will 
automatically share its PID namespace.
+- The `podman pod create` command supports a new flag, `--infra-name`, which 
allows the name of the pod's infra container to be set 
([#10794](https://github.com/containers/podman/issues/10794)).
+- The `podman auto-update` command has had its output reformatted - it is now 
much clearer what images were pulled and what containers were updated.
+- The `podman auto-update` command now supports a new option, `--dry-run`, 
which reports what would be updated but does not actually perform the update 
([#9949](https://github.com/containers/podman/issues/9949)).
+- The `podman build` command now supports a new option, `--secret`, to mount 
secrets into build containers.
+- The `podman manifest remove` command now has a new alias, `podman manifest 
rm`.
+- The `podman login` command now supports a new option, `--verbose`, to print 
detailed information about where the credentials entered were stored.
+- The `podman events` command now supports a new event, `exec_died`, which is 
produced when an exec session exits, and includes the exit code of the exec 
session.
+- The `podman system connection add` command now supports adding connections 
that connect using the `tcp://` and `unix://` URL schemes.
+- The `podman system connection list` command now supports a new flag, 
`--format`, to determine how the output is printed.
+- The `podman volume prune` and `podman volume ls` commands' `--filter` option 
now support a new filter, `until`, that matches volumes created before a 
certain time ([#10579](https://github.com/containers/podman/issues/10579)).
+- The `podman ps --filter` option's `network` filter now accepts a new value: 
`container:`, which matches containers that share a network namespace with a 
specific container 
([#10361](https://github.com/containers/podman/issues/10361)).
+- The `podman diff` command can now accept two arguments, allowing two images 
or two containers to be specified; the diff between the two will be printed 
([#10649](https://github.com/containers/podman/issues/10649)).
+- Podman can now optionally copy-up content from containers into volumes 
mounted into those containers earlier (at creation time, instead of at runtime) 
via the `prepare_on_create` option in `containers.conf` 
([#10262](https://github.com/containers/podman/issues/10262)).
+- A new option, `--gpus`, has been added to `podman create` and `podman run` 
as a no-op for better compatibility with Docker. If the 
nvidia-container-runtime package is installed, GPUs should be automatically 
added to containers without using the flag.
+- If an invalid subcommand is provided, similar commands to try will now be 
suggested in the error message.
+
+### Changes
+- The `podman system reset` command now removes non-Podman (e.g. Buildah and 
CRI-O) containers as well.
+- The new port forwarding offered by `podman machine` requires 
[gvproxy](https://github.com/containers/gvisor-tap-vsock) in order to function.
+- Podman will now automatically create the default CNI network if it does not 
exist, for both root and rootless users. This will only be done once per user - 
if the network is subsequently removed, it will not be recreated.
+- The `install.cni` makefile option has been removed. It is no longer required 
to distribute the default `87-podman.conflist` CNI configuration file, as 
Podman will now automatically create it.
+- The `--root` option to Podman will not automatically clear all default 
storage options when set. Storage options can be set manually using 
`--storage-opt` ([#10393](https://github.com/containers/podman/issues/10393)).
+- The output of `podman system connection list` is now deterministic, with 
connections being sorted alpabetically by their name.
+- The auto-update service (`podman-auto-update.service`) has had its default 
timer adjusted so it now starts at a random time up to 15 minutes after 
midnight, to help prevent system congestion from numerous daily services run at 
once.
+- Systemd unit files generated by `podman generate systemd` now depend on 
`network-online.target` by default 
([#10655](https://github.com/containers/podman/issues/10655)).
+- Systemd unit files generated by `podman generate systemd` now use 
`Type=notify` by default, instead of using PID files.
+- The `podman info` command's logic for detecting package versions on Gentoo 
has been improved, and should be significantly faster.
+
+### Bugfixes
+- Fixed a bug where the `podman play kube` command did not perform SELinux 
relabelling of volumes specified with a `mountPath` that included the `:z` or 
`:Z` options ([#9371](https://github.com/containers/podman/issues/9371)).
+- Fixed a bug where the `podman play kube` command would ignore the `USER` and 
`EXPOSE` directives in images 
([#9609](https://github.com/containers/podman/issues/9609)).
+- Fixed a bug where the `podman play kube` command would only accept lowercase 
pull policies.
+- Fixed a bug where named volumes mounted into containers with the `:z` or 
`:Z` options were not appropriately relabelled for access from the container 
([#10273](https://github.com/containers/podman/issues/10273)).
+- Fixed a bug where the `podman logs -f` command, with the `journald` log 
driver, could sometimes fail to pick up the last line of output from a 
container ([#10323](https://github.com/containers/podman/issues/10323)).
+- Fixed a bug where running `podman rm` on a container created with the `--rm` 
option would occasionally emit an error message saying the container failed to 
be removed, when it was successfully removed.
+- Fixed a bug where starting a Podman container would segfault if the 
`LISTEN_PID` and `LISTEN_FDS` environment variables were set, but 
`LISTEN_FDNAMES` was not 
([#10435](https://github.com/containers/podman/issues/10435)).
+- Fixed a bug where exec sessions in containers were sometimes not cleaned up 
when run without `-d` and when the associated `podman exec` process was killed 
before completion.
+- Fixed a bug where `podman system service` could, when run in a systemd unit 
file with sdnotify in use, drop some connections when it was starting up.
+- Fixed a bug where containers run using the REST API using the `slirp4netns` 
network mode would leave zombie processes that were not cleaned up until 
`podman system service` exited 
([#9777](https://github.com/containers/podman/issues/9777)).
+- Fixed a bug where the `podman system service` command would leave zombie 
processes after its initial launch that were not cleaned up until it exited 
([#10575](https://github.com/containers/podman/issues/10575)).
+- Fixed a bug where VMs created by `podman machine` could not be started after 
the host system restarted 
([#10824](https://github.com/containers/podman/issues/10824)).
+- Fixed a bug where the `podman pod ps` command would not show headers for 
optional information (e.g. container names when the `--ctr-names` option was 
given).
+- Fixed a bug where the remote Podman client's `podman create` and `podman 
run` commands would ignore timezone configuration from the server's 
`containers.conf` file 
([#11124](https://github.com/containers/podman/issues/11124)).
+- Fixed a bug where the remote Podman client's `podman build` command would 
only respect `.containerignore` and not `.dockerignore` files (when both are 
present, `.containerignore` will be preferred) 
([#10907](https://github.com/containers/podman/issues/10907)).
+- Fixed a bug where the remote Podman client's `podman build` command would 
fail to send the Dockerfile being built to the server when it was excluded by 
the `.dockerignore` file, resulting in an error 
([#9867](https://github.com/containers/podman/issues/9867)).
+- Fixed a bug where the remote Podman client's `podman build` command could 
unexpectedly stop streaming the output of the build 
([#10154](https://github.com/containers/podman/issues/10154)).
+- Fixed a bug where the remote Podman client's `podman build` command would 
fail to build when run on Windows 
([#11259](https://github.com/containers/podman/issues/11259)).
+- Fixed a bug where the `podman manifest create` command accepted at most two 
arguments (an arbitrary number of images are allowed as arguments, which will 
be added to the manifest).
+- Fixed a bug where named volumes would not be properly chowned to the UID and 
GID of the directory they were mounted over when first mounted into a container 
([#10776](https://github.com/containers/podman/issues/10776)).
+- Fixed a bug where named volumes created using a volume plugin would be 
removed from Podman, even if the plugin reported a failure to remove the volume 
([#11214](https://github.com/containers/podman/issues/11214)).
+- Fixed a bug where the remote Podman client's `podman exec -i` command would 
hang when input was provided via shell redirection (e.g. `podman --remote exec 
-i foo cat <<<"hello"`) 
([#7360](https://github.com/containers/podman/issues/7360)).
+- Fixed a bug where containers created with `--rm` were not immediately 
removed after being started by `podman start` if they failed to start 
([#10935](https://github.com/containers/podman/issues/10935)).
+- Fixed a bug where the `--storage-opt` flag to `podman create` and `podman 
run` was nonfunctional 
([#10264](https://github.com/containers/podman/issues/10264)).
+- Fixed a bug where the `--device-cgroup-rule` option to `podman create` and 
`podman run` was nonfunctional 
([#10302](https://github.com/containers/podman/issues/10302)).
+- Fixed a bug where the `--tls-verify` option to `podman manifest push` was 
nonfunctional.
+- Fixed a bug where the `podman import` command could, in some circumstances, 
produce empty images 
([#10994](https://github.com/containers/podman/issues/10994)).
+- Fixed a bug where images pulled using the `docker-daemon:` transport had the 
wrong registry (`localhost` instead of `docker.io/library`) 
([#10998](https://github.com/containers/podman/issues/10998)).
+- Fixed a bug where operations that pruned images (`podman image prune` and 
`podman system prune`) would prune untagged images with children 
([#10832](https://github.com/containers/podman/issues/10832)).
+- Fixed a bug where dual-stack networks created by `podman network create` did 
not properly auto-assign an IPv4 subnet when one was not explicitly specified 
([#11032](https://github.com/containers/podman/issues/11032)).
+- Fixed a bug where port forwarding using the `rootlessport` port forwarder 
would break when a network was disconnected and then reconnected 
([#10052](https://github.com/containers/podman/issues/10052)).
+- Fixed a bug where Podman would ignore user-specified SELinux policies for 
containers using the Kata OCI runtime, or containers using systemd as PID 1 
([#11100](https://github.com/containers/podman/issues/11100)).
+- Fixed a bug where Podman containers created using `--net=host` would add an 
entry to `/etc/hosts` for the container's hostname pointing to `127.0.1.1` 
([#10319](https://github.com/containers/podman/issues/10319)).
++++ 3453 more lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/libcontainers-common/libcontainers-common.changes
++++ and 
/work/SRC/openSUSE:Factory/.libcontainers-common.new.1938/libcontainers-common.changes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ registries.conf ++++++
--- /var/tmp/diff_new_pack.CBg6N8/_old  2022-01-21 01:25:29.942554749 +0100
+++ /var/tmp/diff_new_pack.CBg6N8/_new  2022-01-21 01:25:29.946554722 +0100
@@ -1,21 +1,78 @@
 # For more information on this configuration file, see 
containers-registries.conf(5).
 #
-# Registries to search for images that are not fully-qualified.
-# i.e. foobar.com/my_image:latest vs my_image:latest
-[registries.search]
-registries = ["registry.opensuse.org", "docker.io"]
-
-# Registries that do not use TLS when pulling images or uses self-signed
-# certificates.
-[registries.insecure]
-registries = []
-
-# Blocked Registries, blocks the `docker daemon` from pulling from the blocked 
registry.  If you specify
-# "*", then the docker daemon will only be allowed to pull from registries 
listed above in the search
-# registries.  Blocked Registries is deprecated because other container 
runtimes and tools will not use it.
-# It is recommended that you use the trust policy file 
/etc/containers/policy.json to control which
-# registries you want to allow users to pull and push from.  policy.json gives 
greater flexibility, and
-# supports all container runtimes and tools including the docker daemon, 
cri-o, buildah ...
-[registries.block]
-registries = []
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.opensuse.org/opensuse/tumbleweed:latest). Pulling by digest 
(i.e.,
+# registry.opensuse.org/project/name@digest) further eliminates the ambiguity 
of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure.  If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# # An array of host[:port] registries to try when pulling an unqualified 
image, in order.
+unqualified-search-registries = ["registry.opensuse.org", "docker.io"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# # 
+# # The prefix can also be of the form: *.example.com for wildcard subdomain
+# # matching.
+# #
+# # If the prefix field is missing, it defaults to be the same as the 
"location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this is equal to "prefix" (in which case "prefix" can be 
omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# #   prefix = "example.com/foo"
+# #   location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work 
with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+#
+# # The location can be empty iff prefix is in a
+# # wildcarded format: "*.example.com". In this case, the input reference will
+# # be used as-is without any rewrite.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors 
contains the image,
+# # the primary location specified by the "registry.location" field, or using 
the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, 
with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
+# # in order, and use the first one that exists.