Mariner 2.0 release 02/11/2023 (merge main into 2.0) (#7824)

.github/CODEOWNERS

@@ -21,7 +21,6 @@
 /SPECS/kernel-headers/* @microsoft/cbl-mariner-kernel
 /SPECS/kernel-mshv/* @microsoft/cbl-mariner-kata-containers
 /SPECS/kernel-uvm/* @microsoft/cbl-mariner-kata-containers
-/SPECS/kernel-uvm-cvm/* @microsoft/cbl-mariner-kata-containers
 /SPECS-SIGNED/kernel-signed/* @microsoft/cbl-mariner-kernel
 /SPECS-SIGNED/kernel-hci-signed/* @microsoft/cbl-mariner-kernel
 /SPECS-SIGNED/kernel-azure-signed/* @microsoft/cbl-mariner-kernel

SPECS-EXTENDED/buildah/buildah.spec

@@ -21,7 +21,7 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           buildah
 Version:        1.18.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 
 %changelog
+* Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 1.18.0-22
+- Bump release to rebuild with go 1.21.6
+
 * Wed Oct 18 2023 Minghe Ren <[email protected]> - 1.18.0-21
 - Bump release to rebuild against glibc 2.35-6
 

SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.spec

@@ -24,7 +24,7 @@
 
 Name:          %{project}-%{repo}
 Version:       1.1.1
-Release:       13%{?dist}
+Release:       14%{?dist}
 Summary:       Libraries for writing CNI plugin
 License:       ASL 2.0 and BSD and MIT
 Vendor:        Microsoft Corporation
@@ -129,6 +129,9 @@ install -p plugins/ipam/dhcp/systemd/cni-dhcp.socket %{buildroot}%{_unitdir}
 %{_unitdir}/cni-dhcp.socket
 
 %changelog
+* Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 1.1.1-14
+- Bump release to rebuild with go 1.21.6
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.1.1-13
 - Bump release to rebuild with go 1.20.9
 

SPECS-EXTENDED/delve/delve.spec

@@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Name:                   delve
 Version:                1.5.0
-Release:                16%{?dist}
+Release:                17%{?dist}
 Summary:                A debugger for the Go programming language
 
 License:                MIT
@@ -72,6 +72,9 @@ done
 
 
 %changelog
+* Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 1.5.0-17
+- Bump release to rebuild with go 1.21.6
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.5.0-16
 - Bump release to rebuild with go 1.20.9
 

SPECS-EXTENDED/nss-mdns/nss-mdns-local-heuristic-unit.patch

@@ -0,0 +1,112 @@
+From 6ff47454ff413e3033a77d4d9c09b914c78ab3a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <[email protected]>
+Date: Wed, 7 Dec 2022 22:56:47 +0100
+Subject: [PATCH] Add unit test parts for new autodetection
+
+Use new enum to specify forced present or missing .local SOA record. Use
+from production code auto value, but use forced values from unit test.
+Add few different results to unit test.
+---
+ src/nss.c          |  3 ++-
+ src/util.c         |  7 +++++--
+ src/util.h         |  9 ++++++++-
+ tests/check_util.c | 18 ++++++++++++++++++
+ 4 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/src/nss.c b/src/nss.c
+index 7f9230e..2e1a90b 100644
+--- a/src/nss.c
++++ b/src/nss.c
+@@ -118,7 +118,8 @@ enum nss_status _nss_mdns_gethostbyname_impl(const char* name, int af,
+ #ifndef MDNS_MINIMAL
+     mdns_allow_file = fopen(MDNS_ALLOW_FILE, "r");
+ #endif
+-    result = verify_name_allowed_with_soa(name, mdns_allow_file);
++    result = verify_name_allowed_with_soa(name, mdns_allow_file,
++                                          TEST_LOCAL_SOA_AUTO);
+ #ifndef MDNS_MINIMAL
+     if (mdns_allow_file)
+         fclose(mdns_allow_file);
+diff --git a/src/util.c b/src/util.c
+index 4eacf07..0a1c28a 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -55,14 +55,17 @@ int ends_with(const char* name, const char* suffix) {
+     return strcasecmp(name + ln - ls, suffix) == 0;
+ }
+
+-use_name_result_t verify_name_allowed_with_soa(const char* name, FILE* mdns_allow_file) {
++use_name_result_t verify_name_allowed_with_soa(const char* name,
++                                               FILE* mdns_allow_file,
++                                               test_local_soa_t test) {
+     switch (verify_name_allowed(name, mdns_allow_file)) {
+     case VERIFY_NAME_RESULT_NOT_ALLOWED:
+         return USE_NAME_RESULT_SKIP;
+     case VERIFY_NAME_RESULT_ALLOWED:
+         return USE_NAME_RESULT_AUTHORITATIVE;
+     case VERIFY_NAME_RESULT_ALLOWED_IF_NO_LOCAL_SOA:
+-	if (local_soa())
++	if (test == TEST_LOCAL_SOA_YES ||
++	    (test == TEST_LOCAL_SOA_AUTO && local_soa()) )
+ 		/* Make multicast resolution not authoritative for .local zone.
+ 		 * Allow continuing to unicast resolution after multicast had not worked. */
+ 		return USE_NAME_RESULT_OPTIONAL;
+diff --git a/src/util.h b/src/util.h
+index 76809d4..80527e3 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -67,6 +67,12 @@ typedef enum {
+     USE_NAME_RESULT_OPTIONAL,
+ } use_name_result_t;
+
++typedef enum {
++    TEST_LOCAL_SOA_NO,
++    TEST_LOCAL_SOA_YES,
++    TEST_LOCAL_SOA_AUTO,
++} test_local_soa_t;
++
+ // Returns true if we should try to resolve the name with mDNS.
+ //
+ // If mdns_allow_file is NULL, then this implements the "local" SOA
+@@ -78,7 +84,8 @@ typedef enum {
+ // The two heuristics described above are disabled if mdns_allow_file
+ // is not NULL.
+ use_name_result_t verify_name_allowed_with_soa(const char* name,
+-                                               FILE* mdns_allow_file);
++                                               FILE* mdns_allow_file,
++                                               test_local_soa_t test);
+
+ typedef enum {
+     VERIFY_NAME_RESULT_NOT_ALLOWED,
+diff --git a/tests/check_util.c b/tests/check_util.c
+index d600a2e..36f1008 100644
+--- a/tests/check_util.c
++++ b/tests/check_util.c
+@@ -50,6 +50,24 @@ START_TEST(test_verify_name_allowed_minimal) {
+                      VERIFY_NAME_RESULT_NOT_ALLOWED);
+     ck_assert_int_eq(verify_name_allowed(".", NULL),
+                      VERIFY_NAME_RESULT_NOT_ALLOWED);
++
++    ck_assert_int_eq(verify_name_allowed_with_soa(".", NULL, TEST_LOCAL_SOA_YES),
++                     USE_NAME_RESULT_SKIP);
++    ck_assert_int_eq(verify_name_allowed_with_soa(".", NULL, TEST_LOCAL_SOA_NO),
++                     USE_NAME_RESULT_SKIP);
++    ck_assert_int_eq(verify_name_allowed_with_soa(".", NULL, TEST_LOCAL_SOA_AUTO),
++                     USE_NAME_RESULT_SKIP);
++    ck_assert_int_eq(verify_name_allowed_with_soa("example3.sub.local",
++                         NULL, TEST_LOCAL_SOA_YES), USE_NAME_RESULT_SKIP);
++    ck_assert_int_eq(verify_name_allowed_with_soa("example4.sub.local",
++                         NULL, TEST_LOCAL_SOA_NO), USE_NAME_RESULT_SKIP);
++    ck_assert_int_eq(verify_name_allowed_with_soa("example4.sub.local",
++                         NULL, TEST_LOCAL_SOA_AUTO), USE_NAME_RESULT_SKIP);
++    ck_assert_int_eq(verify_name_allowed_with_soa("example1.local",
++                         NULL, TEST_LOCAL_SOA_YES), USE_NAME_RESULT_OPTIONAL);
++    ck_assert_int_eq(verify_name_allowed_with_soa("example2.local",
++                         NULL, TEST_LOCAL_SOA_NO), USE_NAME_RESULT_AUTHORITATIVE);
++    /* TEST_LOCAL_SOA_AUTO would test actual DNS on host, skip that. */
+ }
+ END_TEST
+
+-- 
+2.38.1
+

SPECS-EXTENDED/nss-mdns/nss-mdns-local-heuristic.patch

@@ -0,0 +1,119 @@
+From 0cbe3ff2a64cdddbfb3884ccbe28be9f08077614 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <[email protected]>
+Date: Tue, 6 Dec 2022 20:39:27 +0100
+Subject: [PATCH] Change .local domain heuristic
+
+Previous way skipped all multicast queries when unicast DNS contains
+local. SOA record. Change that behaviour and always request multicast
+name. But if local SOA is present, then make missing multicast optional
+and continue to DNS plugin. That would make names ending with .local to
+take longer resolve on unicast DNS, but should still deliver the answer.
+---
+ src/nss.c  | 11 ++++++++---
+ src/util.c | 15 ++++++++++-----
+ src/util.h |  9 ++++++++-
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/src/nss.c b/src/nss.c
+index 93d140a..7f9230e 100644
+--- a/src/nss.c
++++ b/src/nss.c
+@@ -85,8 +85,8 @@ enum nss_status _nss_mdns_gethostbyname_impl(const char* name, int af,
+                                              userdata_t* u, int* errnop,
+                                              int* h_errnop) {
+
+-    int name_allowed;
+     FILE* mdns_allow_file = NULL;
++    use_name_result_t result;
+
+ #ifdef NSS_IPV4_ONLY
+     if (af == AF_UNSPEC) {
+@@ -118,13 +118,13 @@ enum nss_status _nss_mdns_gethostbyname_impl(const char* name, int af,
+ #ifndef MDNS_MINIMAL
+     mdns_allow_file = fopen(MDNS_ALLOW_FILE, "r");
+ #endif
+-    name_allowed = verify_name_allowed_with_soa(name, mdns_allow_file);
++    result = verify_name_allowed_with_soa(name, mdns_allow_file);
+ #ifndef MDNS_MINIMAL
+     if (mdns_allow_file)
+         fclose(mdns_allow_file);
+ #endif
+
+-    if (!name_allowed) {
++    if (result == USE_NAME_RESULT_SKIP) {
+         *errnop = EINVAL;
+         *h_errnop = NO_RECOVERY;
+         return NSS_STATUS_UNAVAIL;
+@@ -137,6 +137,11 @@ enum nss_status _nss_mdns_gethostbyname_impl(const char* name, int af,
+     case AVAHI_RESOLVE_RESULT_HOST_NOT_FOUND:
+         *errnop = ETIMEDOUT;
+         *h_errnop = HOST_NOT_FOUND;
++        if (result == USE_NAME_RESULT_OPTIONAL) {
++            /* continue to dns plugin if DNS .local zone is detected. */
++            *h_errnop = TRY_AGAIN;
++            return NSS_STATUS_UNAVAIL;
++	}
+         return NSS_STATUS_NOTFOUND;
+
+     case AVAHI_RESOLVE_RESULT_UNAVAIL:
+diff --git a/src/util.c b/src/util.c
+index d5e0290..4eacf07 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -55,16 +55,21 @@ int ends_with(const char* name, const char* suffix) {
+     return strcasecmp(name + ln - ls, suffix) == 0;
+ }
+
+-int verify_name_allowed_with_soa(const char* name, FILE* mdns_allow_file) {
++use_name_result_t verify_name_allowed_with_soa(const char* name, FILE* mdns_allow_file) {
+     switch (verify_name_allowed(name, mdns_allow_file)) {
+     case VERIFY_NAME_RESULT_NOT_ALLOWED:
+-        return 0;
++        return USE_NAME_RESULT_SKIP;
+     case VERIFY_NAME_RESULT_ALLOWED:
+-        return 1;
++        return USE_NAME_RESULT_AUTHORITATIVE;
+     case VERIFY_NAME_RESULT_ALLOWED_IF_NO_LOCAL_SOA:
+-        return !local_soa();
++	if (local_soa())
++		/* Make multicast resolution not authoritative for .local zone.
++		 * Allow continuing to unicast resolution after multicast had not worked. */
++		return USE_NAME_RESULT_OPTIONAL;
++	else
++		return USE_NAME_RESULT_AUTHORITATIVE;
+     default:
+-        return 0;
++        return USE_NAME_RESULT_SKIP;
+     }
+ }
+
+diff --git a/src/util.h b/src/util.h
+index 218c094..76809d4 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -61,6 +61,12 @@ char* buffer_strdup(buffer_t* buf, const char* str);
+ int set_cloexec(int fd);
+ int ends_with(const char* name, const char* suffix);
+
++typedef enum {
++    USE_NAME_RESULT_SKIP,
++    USE_NAME_RESULT_AUTHORITATIVE,
++    USE_NAME_RESULT_OPTIONAL,
++} use_name_result_t;
++
+ // Returns true if we should try to resolve the name with mDNS.
+ //
+ // If mdns_allow_file is NULL, then this implements the "local" SOA
+@@ -71,7 +77,8 @@ int ends_with(const char* name, const char* suffix);
+ //
+ // The two heuristics described above are disabled if mdns_allow_file
+ // is not NULL.
+-int verify_name_allowed_with_soa(const char* name, FILE* mdns_allow_file);
++use_name_result_t verify_name_allowed_with_soa(const char* name,
++                                               FILE* mdns_allow_file);
+
+ typedef enum {
+     VERIFY_NAME_RESULT_NOT_ALLOWED,
+-- 
+2.38.1
+

SPECS-EXTENDED/nss-mdns/nss-mdns.signatures.json

@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "nss-mdns-0.15.1.tar.gz": "ddf71453d7a7cdc5921fe53ef387b24fd0c3c49f4dcf94a2a437498596761a21"
+ }
+}