Merge branch 'main' into 2.0

.github/CODEOWNERS

@@ -95,4 +95,4 @@
 /toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins
 
 # Modifications to the trusted CA certificates require admin approval.
-/SPECS/*ca-certificates*/*
+/SPECS/*ca-certificates*/* @microsoft/cbl-mariner-admins

.github/workflows/validate-cg-manifest.sh

@@ -23,6 +23,7 @@ ignore_multiple_sources=" \
 
 # List of ignored specs due to no source tarball to scan.
 ignore_no_source_tarball=" \
+  azurelinux-sysinfo \
   ca-certificates \
   check-restart \
   core-packages \

.pipelines/containerSourceData/busybox/busybox.name

@@ -0,0 +1 @@
+busybox

.pipelines/containerSourceData/cdi/api.name

@@ -0,0 +1 @@
+containerized-data-importer-api

.pipelines/containerSourceData/cdi/cloner.name

@@ -0,0 +1 @@
+containerized-data-importer-cloner

.pipelines/containerSourceData/cdi/controller.name

@@ -0,0 +1 @@
+containerized-data-importer-controller

.pipelines/containerSourceData/cdi/importer.name

@@ -0,0 +1 @@
+containerized-data-importer-importer

.pipelines/containerSourceData/cdi/operator.name

@@ -0,0 +1 @@
+containerized-data-importer-operator

.pipelines/containerSourceData/cdi/uploadproxy.name

@@ -0,0 +1 @@
+containerized-data-importer-uploadproxy

.pipelines/containerSourceData/cdi/uploadserver.name

@@ -0,0 +1 @@
+containerized-data-importer-uploadserver

.pipelines/containerSourceData/certmanager/acmesolver.name

@@ -0,0 +1 @@
+cert-manager-acmesolver

.pipelines/containerSourceData/certmanager/cainjector.name

@@ -0,0 +1 @@
+cert-manager-cainjector

.pipelines/containerSourceData/certmanager/cmctl.name

@@ -0,0 +1 @@
+cert-manager-cmctl

.pipelines/containerSourceData/certmanager/controller.name

@@ -0,0 +1 @@
+cert-manager-controller

.pipelines/containerSourceData/certmanager/webhook.name

@@ -0,0 +1 @@
+cert-manager-webhook

.pipelines/containerSourceData/influxdb/influxdb.name

@@ -0,0 +1 @@
+influxdb

.pipelines/containerSourceData/kubevirt/virt-api.name

@@ -0,0 +1 @@
+kubevirt-virt-api

.pipelines/containerSourceData/kubevirt/virt-controller.name

@@ -0,0 +1 @@
+kubevirt-virt-controller

.pipelines/containerSourceData/kubevirt/virt-handler.name

@@ -0,0 +1 @@
+kubevirt-virt-handler

.pipelines/containerSourceData/kubevirt/virt-launcher.name

@@ -0,0 +1 @@
+kubevirt-virt-launcher

.pipelines/containerSourceData/kubevirt/virt-operator.name

@@ -0,0 +1 @@
+kubevirt-virt-operator

.pipelines/containerSourceData/memcached/memcached.name

@@ -0,0 +1 @@
+memcached

.pipelines/containerSourceData/multus/multus.name

@@ -0,0 +1 @@
+multus

.pipelines/containerSourceData/nginx/nginx.name

@@ -0,0 +1 @@
+nginx

.pipelines/containerSourceData/nodejs/nodejs.name

@@ -0,0 +1 @@
+nodejs18

.pipelines/containerSourceData/nodejs/nodejs.pkg

@@ -1,2 +1,2 @@
 ca-certificates
-nodejs
+nodejs18

.pipelines/containerSourceData/openmpi/openmpi.name

@@ -0,0 +1 @@
+openmpi

.pipelines/containerSourceData/php/php.name

@@ -0,0 +1 @@
+php

.pipelines/containerSourceData/postgres/postgres.name

@@ -0,0 +1 @@
+postgresql

.pipelines/containerSourceData/prometheus/prometheus.name

@@ -0,0 +1 @@
+prometheus

.pipelines/containerSourceData/prometheusadapter/prometheusadapter.name

@@ -0,0 +1 @@
+prometheus-adapter

.pipelines/containerSourceData/python/python.name

@@ -0,0 +1 @@
+python

.pipelines/containerSourceData/pytorch/pytorch.name

@@ -0,0 +1 @@
+python3-pytorch

.pipelines/containerSourceData/rabbitmqserver/rabbitmqserver.name

@@ -0,0 +1 @@
+rabbitmq-server

.pipelines/containerSourceData/redis/redis.name

@@ -0,0 +1 @@
+redis

.pipelines/containerSourceData/ruby/ruby.name

@@ -0,0 +1 @@
+ruby

.pipelines/containerSourceData/rust/rust.name

@@ -0,0 +1 @@
+rust

.pipelines/containerSourceData/scripts/BuildBaseContainers.sh

@@ -206,6 +206,8 @@ function initialization {
 
     ROOT_FOLDER="$(git rev-parse --show-toplevel)"
     EULA_FILE_PATH="$ROOT_FOLDER/.pipelines/container_artifacts/data"
+    END_OF_LIFE_1_YEAR=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
+    echo "END_OF_LIFE_1_YEAR                    -> $END_OF_LIFE_1_YEAR"
 }
 
 function build_builder_image {
@@ -234,7 +236,7 @@ function docker_build {
     pushd "$build_dir" > /dev/null
 
     echo "+++ Build image: $image_full_name"
-    docker build . \
+    docker buildx build . \
         --build-arg EULA="$EULA_FILE_NAME" \
         --build-arg BASE_IMAGE="$temp_image" \
         -t "$image_full_name" \
@@ -259,7 +261,7 @@ function docker_build_custom {
     pushd "$WORK_DIR" > /dev/null
 
     echo "+++ Build image: $image_full_name"
-    docker build . \
+    docker buildx build . \
         --build-arg BASE_IMAGE="$BASE_IMAGE_NAME" \
         --build-arg FINAL_IMAGE="$final_image_to_use" \
         --build-arg AZL_VERSION="$AZL_VERSION" \
@@ -290,7 +292,7 @@ function docker_build_marinara {
 
     sed -E "s|^FROM mcr\..*installer$|FROM $BASE_BUILDER as installer|g" -i "dockerfile-$MARINARA"
 
-    docker build . \
+    docker buildx build . \
         -t "$MARINARA_IMAGE_NAME" \
         -f dockerfile-$MARINARA \
         --build-arg AZL_VERSION="$AZL_VERSION" \
@@ -306,16 +308,31 @@ function docker_build_marinara {
     save_container_image "$MARINARA" "$MARINARA_IMAGE_NAME"
 }
 
+function oras_attach {
+    local image_name=$1
+    oras attach \
+        --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+        --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$END_OF_LIFE_1_YEAR" \
+        "$image_name"
+}
+
 function publish_to_acr {
     local image=$1
     if [[ ! "$PUBLISH_TO_ACR" =~ [Tt]rue ]]; then
         echo "+++ Skip publishing to ACR"
         return
     fi
+
+    echo "+++ az login into Azure ACR $ACR"
+    local oras_access_token
+    oras_access_token=$(az acr login --name "$ACR" --expose-token --output tsv --query accessToken)
+    oras login "$ACR.azurecr.io" \
+        --username "00000000-0000-0000-0000-000000000000" \
+        --password "$oras_access_token"
+
     echo "+++ Publish container $image"
-    echo "login into ACR: $ACR"
-    az acr login --name "$ACR"
     docker image push "$image"
+    oras_attach "$image"
 }
 
 function save_container_image {

.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh

@@ -10,7 +10,7 @@ set -e
 # - b) ACR name (e.g. azurelinepreview, acrafoimages, etc.)
 # - c) Container repository name (e.g. base/nodejs, base/postgres, base/kubevirt/cdi-apiserver, etc.)
 # - d) Image name (e.g. nodejs, postgres, cdi, etc.)
-# - e) Component name (e.g. nodejs18, postgresql, containerized-data-importer-api, etc.)
+# - e) Component file name (e.g. nodejs.name, postgres.name, api.name, etc.)
 # - f) Package file name (e.g. nodejs18.pkg, postgres.pkg, api.pkg, etc.)
 # - g) Dockerfile name (e.g. Dockerfile-nodejs, Dockerfile-Postgres, Dockerfile-cdi-apiserver, etc.)
 # - h) Docker build arguments (e.g. '--build-arg BINARY_NAME="cdi-apiserver" --build-arg USER=1001')
@@ -38,10 +38,11 @@ set -e
 #   ~/CBL-Mariner/.pipelines/containerSourceData
 #   ├── nodejs
 #   │   ├── distroless
-#   │   │   ├── holdback-nodejs18.pkg
-#   │   │   ├── nodejs18.pkg
+#   │   │   ├── holdback-nodejs.pkg
+#   │   │   ├── nodejs.pkg
 #   │   ├── Dockerfile-Nodejs
-#   │   ├── nodejs18.pkg
+#   │   ├── nodejs.pkg
+#   |   |── nodejs.name
 #   ├── configuration
 #   │   ├── acrRepoV2.json
 #   ├── scripts
@@ -62,7 +63,7 @@ while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" OPTIONS; do
     b ) ACR=$OPTARG;;
     c ) REPOSITORY=$OPTARG;;
     d ) IMAGE=$OPTARG;;
-    e ) COMPONENT=$OPTARG;;
+    e ) COMPONENT_FILE=$OPTARG;;
     f ) PACKAGE_FILE=$OPTARG;;
     g ) DOCKERFILE=$OPTARG;;
     h ) DOCKER_BUILD_ARGS=$OPTARG;;
@@ -105,7 +106,7 @@ function print_inputs {
     echo "ACR                           -> $ACR"
     echo "REPOSITORY                    -> $REPOSITORY"
     echo "IMAGE                         -> $IMAGE"
-    echo "COMPONENT                     -> $COMPONENT"
+    echo "COMPONENT_FILE                -> $COMPONENT_FILE"
     echo "PACKAGE_FILE                  -> $PACKAGE_FILE"
     echo "DOCKERFILE                    -> $DOCKERFILE"
     echo "DOCKER_BUILD_ARGS             -> $DOCKER_BUILD_ARGS"
@@ -214,6 +215,20 @@ function initialization {
     echo "End of Life                   -> $END_OF_LIFE_1_YEAR"
 }
 
+function get_packages_to_install {
+    echo "+++ Get packages to install"
+    packagesFilePath="$CONTAINER_SRC_DIR/$IMAGE/$PACKAGE_FILE"
+    PACKAGES_TO_INSTALL=$(paste -s -d' ' < "$packagesFilePath")
+    echo "Packages to install           -> $PACKAGES_TO_INSTALL"
+}
+
+function get_component_name {
+    echo "+++ Get Component name"
+    componentFilePath="$CONTAINER_SRC_DIR/$IMAGE/$COMPONENT_FILE"
+    COMPONENT=$(cat "$componentFilePath")
+    echo "Component name                -> $COMPONENT"
+}
+
 function prepare_dockerfile {
     echo "+++ Prepare dockerfile"
     # Copy original dockerfile from CBL-Mariner repo.
@@ -234,13 +249,6 @@ function prepare_dockerfile {
     echo ""
 }
 
-function get_packages_to_install {
-    echo "+++ Get packages to install"
-    packagesFilePath="$CONTAINER_SRC_DIR/$IMAGE/$PACKAGE_FILE"
-    PACKAGES_TO_INSTALL=$(paste -s -d' ' < "$packagesFilePath")
-    echo "Packages to install           -> $PACKAGES_TO_INSTALL"
-}
-
 function prepare_docker_directory {
     echo "+++ Prepare docker directory"
     # Get additional required files for the container build from CBL-Mariner repo.
@@ -393,8 +401,9 @@ function distroless_container {
 print_inputs
 validate_inputs
 initialization
-prepare_dockerfile
 get_packages_to_install
+get_component_name
+prepare_dockerfile
 prepare_docker_directory
 docker_build
 set_image_tag

.pipelines/containerSourceData/scripts/BuildGoldenDistrolessContainer.sh

@@ -22,6 +22,13 @@ function DockerBuild {
 
     # Create container
     echo "+++ Create container $containerName"
+
+    # DOCKER_BUILDKIT=0 is set to avoid the unknown timeout error in the Azure DevOps pipeline.
+    # The error is likely caused by some BuildKit feature in version 24.0.9 of moby-engine.
+    # The error is not seen in the local environment.
+    # Setting DOCKER_BUILDKIT=0 disables BuildKit and uses the legacy builder.
+    # TODO: Remove this line once the issue is resolved.
+    export DOCKER_BUILDKIT=0
     docker build . \
         -t "$containerName" \
         -f "$marinaraSrcDir/dockerfiles/dockerfile-new-image" \
@@ -33,8 +40,7 @@ function DockerBuild {
         --build-arg USER_UID=$userUid \
         --build-arg RPMS="$rpmsDir" \
         --build-arg LOCAL_REPO_FILE="$marinaraSrcDir/local.repo" \
-        --no-cache \
-        --progress=plain
+        --no-cache
 }
 
 function create_distroless_container {

.pipelines/containerSourceData/sriovnetworkdeviceplugin/sriovnetworkdeviceplugin.name

@@ -0,0 +1 @@
+sriov-network-device-plugin

.pipelines/containerSourceData/telegraf/telegraf.name

@@ -0,0 +1 @@
+telegraf

.pipelines/containerSourceData/tensorflow/tensorflow.name

@@ -0,0 +1 @@
+python3-tensorflow

CONTRIBUTING.md

@@ -155,7 +155,7 @@ When creating your PR, please ensure the following:
 
 * Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files. When running the check section, results will not fail a build. Check the logs for the results of this section.
 
-* All package sources are available. The sources are either in the source server or local `SPECS` folder (`SPECS/<package>/SOURCES` or `SPECS/<package>`). While it is possible to build packages with all sources inside the repo, our policy is generally to have the source compressed and placed on the source server. Uploading to the source server can only be accomplished by a CBL-Mariner developer. Please request help in your PR for uploading your sources to the source server. To check the source server see [https://cblmarinerstorage.blob.core.windows.net/sources/core/< source tar >].
+* All package sources are available. The sources are either in the source server or local `SPECS` folder (`SPECS/<package>/SOURCES` or `SPECS/<package>`). While it is possible to build packages with all sources inside the repo, our policy is generally to have the source compressed and placed on the source server. Uploading to the source server can only be accomplished by a CBL-Mariner developer. Please request help in your PR for uploading your sources to the source server. To check the source server see [https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/< source tar >].
 
 * cgmanifest files are up-to-date and alphabetically sorted. The cgmanifest files are used to record all package sources. They include the following files:
 

SPECS-EXTENDED/buildah/buildah.spec

@@ -21,7 +21,7 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           buildah
 Version:        1.18.0
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -32,7 +32,7 @@ BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  git
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.35-6%{?dist}
+BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  go-md2man
 BuildRequires:  go-rpm-macros
 BuildRequires:  golang
@@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 
 %changelog
+* Mon May 06 2024 Rachel Menge <[email protected]> - 1.18.0-23
+- Bump release to rebuild against glibc 2.35-7
+
 * Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 1.18.0-22
 - Bump release to rebuild with go 1.21.6
 

SPECS-EXTENDED/catatonit/catatonit.spec

@@ -3,7 +3,7 @@ Distribution:   Mariner
 
 Name: catatonit
 Version: 0.1.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: A signal-forwarding process manager for containers
 License: GPLv3+
 URL: https://github.com/openSUSE/catatonit
@@ -13,7 +13,7 @@ BuildRequires: automake
 BuildRequires: file
 BuildRequires: gcc
 BuildRequires: git
-BuildRequires: glibc-static >= 2.35-6%{?dist}
+BuildRequires: glibc-static >= 2.35-7%{?dist}
 BuildRequires: libtool
 BuildRequires: make
 
@@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name}
 %{_libexecdir}/podman/%{name}
 
 %changelog
+* Mon May 06 2024 Rachel Menge <[email protected]> - 0.1.7-10
+- Bump release to rebuild against glibc 2.35-7
+
 * Wed Oct 04 2023 Minghe Ren <[email protected]> - 0.1.7-9
 - Bump release to rebuild against glibc 2.35-6
 

SPECS-EXTENDED/dyninst/dyninst.spec

@@ -1,7 +1,7 @@
 Summary: An API for Run-time Code Generation
 License: LGPLv2+
 Name: dyninst
-Release: 11%{?dist}
+Release: 12%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL: http://www.dyninst.org
@@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel
 
 # Extra requires just for the testsuite
 BuildRequires: gcc-gfortran libstdc++-static libxml2-devel
-BuildRequires: glibc-static >= 2.35-6%{?dist}
+BuildRequires: glibc-static >= 2.35-7%{?dist}
 
 # Testsuite files should not provide/require anything
 %{?filter_setup:
@@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a
 
 %changelog
+* Mon May 06 2024 Rachel Menge <[email protected]> - 10.1.0-12
+- Bump release to rebuild against glibc 2.35-7
+
 * Wed Oct 04 2023 Minghe Ren <[email protected]> - 10.1.0-11
 - Bump release to rebuild against glibc 2.35-6
 

SPECS-EXTENDED/facter/facter.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "facter-4.2.5.gem": "e88e3fa874c1c735779704d1a4dd69b255ad5e34c8912857864469a852cb3f8d"
+  "facter-4.2.13.gem": "a4f293b585176b080c8f10e9adb7a4d1cfd484268dfef518b162a0422450264c"
  }
-}
+}

SPECS-EXTENDED/facter/facter.spec

@@ -11,8 +11,8 @@
 %global debug_package %{nil}
 
 Name:           facter
-Version:        4.2.5
-Release:        2%{?dist}
+Version:        4.2.13
+Release:        1%{?dist}
 Summary:        Command and ruby library for gathering system information
 Vendor:		Microsoft Corporation
 Distribution:	Mariner
@@ -100,6 +100,9 @@ GEM_HOME="%{buildroot}%{gem_dir}" %{buildroot}%{_bindir}/facter
 %doc %{gem_docdir}
 
 %changelog
+* Tue May 07 2024 Andy Zaugg <[email protected]> 4.2.13-1
+- Bumped version to facter version which has Mariner Linux Support
+
 * Thu Dec 30 2021 Suresh Babu Chalamalasetty <[email protected]> 4.2.5-2
 - Initial CBL-Mariner import from Fedora 35 (license: MIT)
 - License verified