All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- A security flaw was found in the OCI image-spec, where it is possible to cause a blob with one media-type to be interpreted as a different media-type. As umoci is not a registry nor does it handle signatures, this vulnerability had no real impact on umoci but for safety we implemented the now-recommended media-type embedding and verification. CVE-2021-41190
- In this release, the primary development branch was renamed to
main
. - The runtime-spec version of the
config.json
version we generate is no longer hard-coded to1.0.0
. We now use the version of the spec we have imported (with any-dev
suffix stripped, as such a prefix causes havoc with verification tools -- ideally we would only ever use released versions of the spec but that's not always possible). #452 - Add the
cgroup
namespace to the default configuration generated byumoci unpack
to make sure that our configuration plays nicely withrunc
when on cgroupv2 systems. - umoci has been migrated away from
github.com/pkg/errors
to Go stdlib error wrapping.
- In 0.4.7, a performance regression was introduced as part of the
VerifiedReadCloser
hardening work (to read all trailing bytes) which would cause walk operations on images to hash every blob in the image (even blobs which we couldn't parse and thus couldn't recurse into). To resolve this, we no longer recurse into unparseable blobs. #373 #375 #394 - Handle
EINTR
onio.Copy
operations. Newer Go versions have added more opportunistic pre-emption which can causeEINTR
errors in io paths that didn't occur before. #437 - Quite a few changes were made to CI to try to avoid issues with fragility. #452
- umoci will now return an explicit error if you pass invalid uid or gid values
to
--uid-map
and--gid-map
rather than silently truncating the value.
0.4.7 - 2021-04-05
- A security flaw was found in umoci, and has been fixed in this release. If
umoci was used to unpack a malicious image (using either
umoci unpack
orumoci raw unpack
) that contained a symlink entry for/.
, umoci would apply subsequent layers to the target of the symlink (resolved on the host filesystem). This means that if you ran umoci as root, a malicious image could overwrite any file on the system (assuming you didn't have any other access control restrictions). CVE-2021-29136
- umoci now compiles on FreeBSD and appears to work, with the notable limitation that it currently refuses to extract non-Linux images on any platform (this will be fixed in a future release -- see #364). #357
- Initial fuzzer implementations for oss-fuzz. #365
- umoci will now read all trailing data from image layers, to combat the existence of some image generators that appear to append NUL bytes to the end of the gzip stream (which would previously cause checksum failures because we didn't read nor checksum the trailing junk bytes). However, umoci will still not read past the descriptor length. #360
- umoci now ignores all overlayfs xattrs during unpack and repack operations, to avoid causing issues when packing a raw overlayfs directory. #354
- Changes to the (still-internal) APIs to allow for users to use umoci more
effectively as a library.
- The garbage collection API now supports custom GC policies. #338
- The mutate API now returns information about what layers were added by the operation. #344
- The mutate API now supports custom compression, and has in-tree support for zstd. #348 #350
- Support overlayfs-style whiteouts during unpack and repack. #342
0.4.6 - 2020-06-24
umoci has been adopted by the Open Container Initative as a reference implementation of the OCI Image Specification. This will have little impact on the roadmap or scope of umoci, but it does further solidify umoci as a useful piece of "boring container infrastructure" that can be used to build larger systems.
-
As part of the adoption procedure, the import path and module name of umoci has changed from
github.com/openSUSE/umoci
togithub.com/opencontainers/umoci
. This means that users of our (still unstable) Go API will have to change their import paths in order to update to newer versions of umoci.The old GitHub project will contain a snapshot of
v0.4.5
with a few minor changes to the readme that explain the situation. Go projects which import the archived project will receive build warnings that explain the need to update their import paths.
- umoci now builds on MacOS, and we currently run the unit tests on MacOS to hopefully catch core regressions (in the future we will get the integration tests running to catch more possible regressions). #318
- Suppress repeated xattr warnings on destination filesystems that do not support xattrs. #311
- Work around a long-standing issue in our command-line parsing library (see
urfave/cli#1152) by disabling argument re-ordering for
umoci config
, which often takes-
-prefixed flag arguments. #328
0.4.5 - 2019-12-04
- Expose umoci subcommands as part of the API, so they can be used by other Go projects. #289
- Add extensible hooking to the core libraries in umoci, to allow for third-party media-types to be treated just like first-party ones (the key difference is the introspection and parsing logic). #299 #307
- Use
type: bind
for generatedconfig.json
bind-mounts. While this doesn't make too much sense (see opencontainers/runc#2035), it does mean that rootless containers work properly with newerrunc
releases (which appear to have regressed when handling file-based bind-mounts with a "bad"type
). #294 #295 - Don't insert a new layer if there is no diff. #293
- Only output a warning if forbidden extended attributes are present inside the tar archive -- otherwise we fail on certain (completely broken) Docker images. #304
0.4.4 - 2019-01-30
- Full-stack verification of blob hashes and descriptor sizes is now done on all operations, improving our hardening against bad blobs (we already did some verification of layer DiffIDs but this is far more thorough). #278 #280 #282
0.4.3 - 2018-11-11
- All umoci commands that had
--history.*
options can now decide to omit a history entry with--no-history
. Note that while this is supported for commands that create layers (umoci repack
,umoci insert
, andumoci raw add-layer
) it is not recommended to use it for those commands since it can cause other tools to become confused when inspecting the image history. The primary usecase is to allowumoci config --no-history
to leave no traces in the history. See OSInside/kiwi#871. #270 umoci insert
now has a--tag
option that allows you to non-destructively insert files into an image. The semantics matchumoci config --tag
. #273
0.4.2 - 2018-09-11
- umoci now has an exposed Go API. At the moment it's unclear whether it will be changed significantly, but at the least now users can use umoci-as-a-library in a fairly sane way. #245
- Added
umoci unpack --keep-dirlinks
(in the same vein as rsync's flag with the same name) which allows layers that contain entries which have a symlink as a path component. #246 umoci insert
now supports whiteouts in two significant ways. You can use--whiteout
to "insert" a deletion of a given path, while you can use--opaque
to replace a directory by adding an opaque whiteout (the default behaviour causes the old and new directories to be merged). #257
- Docker has changed how they handle whiteouts for non-existent files. The specification is loose on this (and in umoci we've always been liberal with whiteout generation -- to avoid cases where someone was confused we didn't have a whiteout for every entry). But now that they have deviated from the spec, in the interest of playing nice, we can just follow their new restriction (even though it is not supported by the spec). This also makes our layers slightly smaller. #254
umoci unpack
now no longer erasessystem.nfs4_acl
and also has some more sophisticated handling of forbidden xattrs. #252 #248umoci unpack
now appears to work correctly on SELinux-enabled systems (previously we had various issues whereumoci
wouldn't like it when it was trying to ensure the filesystem was reproducibly generated and SELinux xattrs would act strangely). To fix this, nowumoci unpack
will only cause errors if it has been asked to change a forbidden xattr to a value different than it's current on-disk value. #235 #259
0.4.1 - 2018-08-16
- The number of possible tags that are now valid with
umoci
subcommands has increased significantly due to an expansion in the specification of the format of theref.name
annotation. To quote the specification, the following is the EBNF of validrefname
values. #234refname ::= component ("/" component)* component ::= alphanum (separator alphanum)* alphanum ::= [A-Za-z0-9]+ separator ::= [-._:@+] | "--"
- A new
umoci insert
subcommand which adds a given file to a path inside the container. #237 - A new
umoci raw unpack
subcommand in order to allow users to unpack images without needing a configuration or any of the manifest generation. #239 umoci
how has a logo. Thanks to Max Bailey for contributing this to the project. #165 #249
umoci unpack
now handles out-of-order regular whiteouts correctly (though this ordering is not recommended by the spec -- nor is it required). This is an extension of #229 that was missed during review. #232umoci unpack
andumoci repack
now make use of a far more optimisedgzip
compression library. In some benchmarks this has resulted inumoci repack
speedups of up to 3x (though of course, you should do your own benchmarks).umoci unpack
unfortunately doesn't have as significant of a performance improvement, due to the nature ofgzip
decompression (in future we may switch tozlib
wrappers). #225 #233
0.4.0 - 2018-03-10
umoci repack
now supports--refresh-bundle
which will update the OCI bundle's metadata (mtree and umoci-specific manifests) after packing the image tag. This means that the bundle can be used as a base layer for future diffs without needing to unpack the image again. #196- Added a website, and reworked the documentation to be better structured. You
can visit the website at
umo.ci
. #188 - Added support for the
user.rootlesscontainers
specification, which allows for persistent on-disk emulation ofchown(2)
inside rootless containers. This implementation is interoperable with @AkihiroSuda'sPRoot
fork (though we do not test its interoperability at the moment) as both tools use the same protobuf specification. #227 umoci unpack
now has support for opaque whiteouts (whiteouts which remove all children of a directory in the lower layer), thoughumoci repack
does not currently have support for generating them. While this is technically a spec requirement, through testing we've never encountered an actual user of these whiteouts. #224 #229umoci unpack
will now use some rootless tricks inside user namespaces for operations that are known to fail (such asmknod(2)
) while other operations will be carried out as normal (such aslchown(2)
). It should be noted that the/proc/self/uid_map
checking we do can be tricked into not detecting user namespaces, but you would need to be trying to break it on purpose. #171 #230
- Fix a bug in our "parent directory restore" code, which is responsible for ensuring that the mtime and other similar properties of a directory are not modified by extraction inside said directory. The bug would manifest as xattrs not being restored properly in certain edge-cases (which we incidentally hit in a test-case). #161 #162
umoci unpack
will now "clean up" the bundle generated if an error occurs during unpacking. Previously this didn't happen, which made cleaning up the responsibility of the caller (which was quite difficult if you were unprivileged). This is a breaking change, but is in the error path so it's not critical. #174 #187umoci gc
now will no longer remove unknown files and directories that aren'tflock(2)
ed, thus ensuring that any possible OCI image-spec extensions or other users of an image being operated on will no longer break. #198umoci unpack --rootless
will now correctly handle regular file unpacking when overwriting a file thatumoci
doesn't have write access to. In addition, the semantics of pre-existing hardlinks to a clobbered file are clarified (the hard-links will not refer to the new layer's inode). #222 #223
0.3.1 - 2017-10-04
- Fix several minor bugs in
hack/release.sh
that caused the release artefacts to not match the intended style, as well as making it more generic so other projects can use it. #155 #163 - A recent configuration issue caused
go vet
andgo lint
to not run as part of our CI jobs. This means that some of the information submitted as part of CII best practices badging was not accurate. This has been corrected, and after review we concluded that only stylistic issues were discovered by static analysis. #158 - 32-bit unit test builds were broken in a refactor in 0.3.0. This has been fixed, and we've added tests to our CI to ensure that something like this won't go unnoticed in the future. #157
umoci unpack
would not correctly preserve set{uid,gid} bits. While this would not cause issues when building an image (as we only create a manifest of the final extracted rootfs), it would cause issues for other users ofumoci
. #166 #169- Updated to v0.4.1 of
go-mtree
, which fixes several minor bugs with manifest generation. #176 umoci unpack
would not handle "weird" tar archive layers previously (it would error out with DiffID errors). While this wouldn't cause issues for layers generated using Go'sarchive/tar
implementation, it would cause issues for GNU gzip and other such tools. #178 #179
umoci unpack
's mapping options (--uid-map
and--gid-map
) have had an interface change, to better match theuser_namespaces(7)
interfaces. Note that this is a breaking change, but the workaround is to switch to the trivially different (but now more consistent) format. #167
umoci unpack
used to create the bundle and rootfs with world read-and-execute permissions by default. This could potentially result in an unsafe rootfs (containing dangerous setuid binaries for instance) being accessible by an unprivileged user. This has been fixed by always setting the mode of the bundle to0700
, which requires a user to explicitly work around this basic protection. This scenario was documented in our security documentation previously, but has now been fixed. #181 #182
0.3.0 - 2017-07-20
umoci
now passes all of the requirements for the CII best practices bading program. #134umoci
also now has more extensive architecture, quick-start and roadmap documentation. #134umoci
now supports1.0.0
of the OCI image specification and1.0.0
of the OCI runtime specification, which are the first milestone release. Note that there are still some remaining UX issues with--image
and other parts ofumoci
which may be subject to change in future versions. In particular, this update of the specification now means that images may have ambiguous tags.umoci
will warn you if an operation may have an ambiguous result, but we plan to improve this functionality far more in the future. #133 #142umoci
also now supports more complicated descriptor walk structures, and also handles mutation of such structures more sanely. At the moment, this functionality has not been used "in the wild" andumoci
doesn't have the UX to create such structures (yet) but these will be implemented in future versions. #145umoci repack
now supports--mask-path
to ignore changes in the rootfs that are in a child of at least one of the provided masks when generating new layers. #127
- Error messages from
github.com/opencontainers/umoci/oci/cas/drivers/dir
actually make sense now. #121 umoci unpack
now generatesconfig.json
blobs according to the still proposed OCI image specification conversion document. #120umoci repack
also now automatically addingConfig.Volumes
from the image configuration to the set of masked paths. This matches recently added recommendations by the spec, but is a backwards-incompatible change because the new default is thatConfig.Volumes
will be masked. If you wish to retain the old semantics, use--no-mask-volumes
(though make sure to be aware of the reasoning behindConfig.Volume
masking). #127umoci
now usesSecureJoin
rather than a patched version ofFollowSymlinkInScope
. The two implementations are roughly equivalent, butSecureJoin
has a nicer API and is maintained as a separate project.- Switched to using
golang.org/x/sys/unix
oversyscall
where possible, which makes the codebase significantly cleaner. #141
0.2.1 - 2017-04-12
hack/release.sh
automates the process of generating all of the published artefacts for releases. The new script also generates signed source code archives. #116
umoci
now outputs configurations that are compliant withv1.0.0-rc5
of the OCI runtime-spec. This means that now you can use runc v1.0.0-rc3 withumoci
(and rootless containers should work out of the box if you use a development build of runc). #114umoci unpack
no longer adds a dummy linux.seccomp entry, and instead just sets it to null. #114
0.2.0 - 2017-04-11
umoci
now has some automated scripts for generated RPMs that are used in openSUSE to automatically submit packages to OBS. #101--clear=config.{cmd,entrypoint}
is now supported. While this interface is a bit weird (cmd
andentrypoint
aren't treated atomically) this makes the UX more consistent while we come up with a bettercmd
andentrypoint
UX. #107- New subcommand:
umoci raw runtime-config
. It generates the runtime-spec config.json for a particular image without also unpacking the root filesystem, allowing for users ofumoci
that are regularly parsingconfig.json
without caring about the root filesystem to be more efficient. However, a downside of this approach is that some image-spec fields (Config.User
) require a root filesystem in order to make sense, which is why this command is hidden under theumoci-raw(1)
subcommand (to make sure only users that understand what they're doing use it). #110
umoci
'soci/cas
andoci/config
libraries have been massively refactored and rewritten, to allow for third-parties to use the OCI libraries. The plan is for these to eventually become part of an OCI project. #90- The
oci/cas
interface has been modifed to switch from*ispec.Descriptor
toispec.Descriptor
. This is a breaking, but fairly insignificant, change. #89
umoci
now uses an updated version ofgo-mtree
, which has a complete rewrite ofVis
andUnvis
. The rewrite ensures that unicode handling is handled in a far more consistent and sane way. #88umoci
used to setprocess.user.additionalGids
to the "normal value" when unpacking an image in rootless mode, causing issues when trying to actually run said bundle with runC. #109
0.1.0 - 2017-02-11
CHANGELOG.md
has now been added. #76
umoci
now supportsv1.0.0-rc4
images, which has made fairly minimal changes to the schema (mainly related tomediaType
s). While this change is backwards compatible (several fields were removed from the schema, but the specification allows for "additional fields"), tools using older versions of the specification may fail to operate on newer OCI images. There was no UX change associated with this update.
umoci tag
would fail to clobber existing tags, which was in contrast to how the rest of the tag clobbering commands operated. This has been fixed and is now consistent with the other commands. #78umoci repack
now can correctly handle unicode-encoded filenames, allowing the creation of containers that have oddly named files. This required fixes to go-mtree (where the issue was). #80
0.0.0 - 2017-02-07
- Unit tests are massively expanded, as well as the integration tests. #68 #69
- Full coverage profiles (unit+integration) are generated to get all information about how much code is tested. #68 #69
- Unit tests can now be run inside
%check
of anrpmbuild
script, allowing for proper testing. #65. - The logging output has been cleaned up to be much nicer for end-users to read. #73
- Project has been moved to an openSUSE project. #75
0.0.0-rc3 - 2016-12-19
unpack
,repack
:xattr
support which also handlessecurity.selinux.*
difficulties. #49 #52config
,unpack
: Ensure that environment variables are not duplicated in the extracted or stored configurations. #30- Add support for read-only CAS operations for read-only filesystems. #47
- Add some helpful output about
--rootless
ifumoci
fails withEPERM
. - Enable stack traces with errors if the
--debug
flag was given toumoci
. This requires a patch topkg/errors
.
gc
: Garbage collection now also garbage collects temporary directories. #17- Clean-ups to vendoring of
go-mtree
so that it's much more upstream-friendly.
0.0.0-rc2 - 2016-12-12
unpack
,repack
: Support for rootless unpacking and repacking. #26unpack
,repack
: UID and GID mapping when unpacking and repacking. #26tag
,rm
,ls
: Tag modification commands such asumoci tag
,umoci rm
andumoci ls
. #6 #27stat
: Output information about an image. Currently only shows the history information. Only the JSON output is stable. #38init
,new
: New commands have been created to allow for image creation from scratch. #5 #42gc
: Garbage collection of images. #6- Full integration and unit testing, with OCI validation to ensure that we always create valid images. #12
unpack
,repack
: Create history entries automatically (with options to modify the entries). #36unpack
: Store information about its source to ensure consistency when doing arepack
. #14- The
--image
and--from
arguments have been combined into a single<path>[:<tag>]
argument for--image
. #39 unpack
: Configuration annotations are now extracted, though there are still some discussions happening upstream about the correct way of doing this. #43
repack
: Errors encountered during generation of delta layers are now correctly propagated. #33unpack
: Hardlinks are now extracted as real hardlinks. #25
unpack
,repack
: Symlinks are now correctly resolved inside the unpacked rootfs. #27
- Proof of concept with major functionality implemented.
unpack
repack
config