diff -Nru libpod-3.4.4+ds1/debian/changelog libpod-3.4.4+ds1/debian/changelog
--- libpod-3.4.4+ds1/debian/changelog 2022-01-23 20:04:53.000000000 +0100
+++ libpod-3.4.4+ds1/debian/changelog 2023-02-22 10:46:22.000000000 +0100
@@ -1,3 +1,11 @@
+libpod (3.4.4+ds1-1ubuntu1.22.04.1) jammy; urgency=medium
+
+ * Add d/p/lp-2007972-play-kube-don-t-force-pull-infra-image.patch
+ to prevent play kube from unwanted force-pull of infra image
+ and with that unwanted (untrusted) k8s pause (LP: #2007972).
+
+ -- Frank Heimes Wed, 22 Feb 2023 10:46:22 +0100
+
 libpod (3.4.4+ds1-1ubuntu1) jammy; urgency=medium
 
 * Merge from Debian unstable. Remaining changes:
diff -Nru libpod-3.4.4+ds1/debian/patches/lp-2007972-play-kube-don-t-force-pull-infra-image.patch libpod-3.4.4+ds1/debian/patches/lp-2007972-play-kube-don-t-force-pull-infra-image.patch
--- libpod-3.4.4+ds1/debian/patches/lp-2007972-play-kube-don-t-force-pull-infra-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpod-3.4.4+ds1/debian/patches/lp-2007972-play-kube-don-t-force-pull-infra-image.patch 2023-02-22 10:46:22.000000000 +0100
@@ -0,0 +1,81 @@
+From f517510bc8c11f6ba3145facc10ce351084a4ce4 Mon Sep 17 00:00:00 2001
+From: Valentin Rothberg
+Date: Fri, 12 Nov 2021 13:44:13 +0100
+Subject: [PATCH] play kube: don't force-pull infra image
+
+Do not force-pull the infra image in `play kube` but let the backend
+take care of that when creating the pod(s) which may build a local
+`podman-pause` image instead of using the default infra image.
+
+Fixes: #12254
+Signed-off-by: Valentin Rothberg
+
+Origin: upstream, https://github.com/containers/podman/commit/f517510bc8c11f6ba3145facc10ce351084a4ce4
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/2007972
+Last-Update: 2023-02-22
+
+---
+ pkg/domain/infra/abi/play.go | 30 +++---------------------------
+ test/system/700-play.bats | 6 ++++++
+ 2 files changed, 9 insertions(+), 27 deletions(-)
+
+--- a/pkg/domain/infra/abi/play.go
++++ b/pkg/domain/infra/abi/play.go
+@@ -285,17 +285,11 @@
+ }
+
+ if podOpt.Infra {
+- containerConfig := util.DefaultContainerConfig()
+-
+- pulledImages, err := pullImage(ic, writer, containerConfig.Engine.InfraImage, options, config.PullPolicyNewer)
+- if err != nil {
+- return nil, err
+- }
++ infraImage := util.DefaultContainerConfig().Engine.InfraImage
+ infraOptions := entities.ContainerCreateOptions{ImageVolume: "bind"}
+-
+- podSpec.PodSpecGen.InfraImage = pulledImages[0].Names()[0]
++ podSpec.PodSpecGen.InfraImage = infraImage
+ podSpec.PodSpecGen.NoInfra = false
+- podSpec.PodSpecGen.InfraContainerSpec = specgen.NewSpecGenerator(pulledImages[0].Names()[0], false)
++ podSpec.PodSpecGen.InfraContainerSpec = specgen.NewSpecGenerator(infraImage, false)
+ podSpec.PodSpecGen.InfraContainerSpec.NetworkOptions = p.NetworkOptions
+
+ err = specgenutil.FillOutSpecGen(podSpec.PodSpecGen.InfraContainerSpec, &infraOptions, []string{})
+@@ -772,21 +766,3 @@
+ }
+ return reports, nil
+ }
+-
+-// pullImage is a helper function to set up the proper pull options and pull the image for certain containers
+-func pullImage(ic *ContainerEngine, writer io.Writer, imagePull string, options entities.PlayKubeOptions, pullPolicy config.PullPolicy) ([]*libimage.Image, error) {
+- // This ensures the image is the image store
+- pullOptions := &libimage.PullOptions{}
+- pullOptions.AuthFilePath = options.Authfile
+- pullOptions.CertDirPath = options.CertDir
+- pullOptions.SignaturePolicyPath = options.SignaturePolicy
+- pullOptions.Writer = writer
+- pullOptions.Username = options.Username
+- pullOptions.Password = options.Password
+- pullOptions.InsecureSkipTLSVerify = options.SkipTLSVerify
+- pulledImages, err := ic.Libpod.LibimageRuntime().Pull(context.Background(), imagePull, pullPolicy, pullOptions)
+- if err != nil {
+- return nil, err
+- }
+- return pulledImages, nil
+-}
+--- a/test/system/700-play.bats
++++ b/test/system/700-play.bats
+@@ -76,6 +76,12 @@
+ is "$output" ${RELABEL} "selinux relabel should have happened"
+ fi
+
++ # Make sure that the K8s pause image isn't pulled but the local podman-pause is built.
++ run_podman images
++ run_podman 1 image exists k8s.gcr.io/pause
++ run_podman version --format "{{.Server.Version}}-{{.Server.Built}}"
++ run_podman image exists localhost/podman-pause:$output
++
+ run_podman stop -a -t 0
+ run_podman pod stop test_pod
+ run_podman pod rm -f test_pod
diff -Nru libpod-3.4.4+ds1/debian/patches/series libpod-3.4.4+ds1/debian/patches/series
--- libpod-3.4.4+ds1/debian/patches/series 2022-01-23 20:04:53.000000000 +0100
+++ libpod-3.4.4+ds1/debian/patches/series 2023-02-22 10:46:22.000000000 +0100
@@ -1,3 +1,4 @@
 test--skip-TestPostDeleteHooks.patch
 mbp.patch
 old-godbus.patch
+lp-2007972-play-kube-don-t-force-pull-infra-image.patch
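Review bot: In the inner `@@ -285,17 +285,11 @@` hunk of play.go, the name from `util.DefaultContainerConfig().Engine.InfraImage` now goes straight to `specgen.NewSpecGenerator` with no pull at this call site, so the `SignaturePolicy`, `Authfile`, `CertDir` and `SkipTLSVerify` values that the deleted `pullImage` helper copied from `PlayKubeOptions` are no longer applied to the infra image here. Whether pod creation enforces an equivalent policy when containers.conf names a registry-hosted infra image is not visible in this patch, and should be confirmed against the 3.4.4 code base it is backported onto. A comment above the assignment would record the intent, for example `// Not pulled here: pod creation builds or resolves the infra image; play kube pull options are not applied to it.` The added assertions in 700-play.bats cover only the default configuration, and both the `if podOpt.Infra` block and the test body continue outside the hunks shown.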