From 81524619b3dc474c9f0656c43cb7fea4217205e8 Mon Sep 17 00:00:00 2001 From: Packit Service Date: Apr 03 2021 04:21:42 +0000 Subject: Source-git repo for imports/c8s/osbuild-27.1-1.el8 --- diff --git a/.packit.yaml b/.packit.yaml index e6cc09b..bc549a3 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -7,5 +7,7 @@ jobs: metadata: targets: *id001 trigger: pull_request +sources: +- {path: osbuild-27.1.tar.gz, url: 'https://git.centos.org/sources/osbuild/c8s/94c92fbda1b22a44f004749f53896f5ba35a3787'} specfile_path: SPECS/osbuild.spec upstream_ref: c8s-source-git diff --git a/NEWS.md b/NEWS.md index f9c3aa5..68b0d5f 100644 --- a/NEWS.md +++ b/NEWS.md @@ -1,5 +1,19 @@ # OSBuild - Build-Pipelines for Operating System Artifacts +## CHANGES WITH 27.1: + + * Add history entries to the layers of OCI archives produced by the + `org.osbuild.oci-archive` stage. This fixes push failures to quay.io. + + * Include only a specific, limited set of xattrs in OCI archives produced by + the `org.osbuild.oci-archive` stage. This is specifically meant to exclude + SELinux-related attributes (`security.selinux`) which are sometimes added + even when invoking `tar` with the `--no-selinux` option. + +Contributions from: Christian Kellner + +— Berlin, 2021-04-01 + ## CHANGES WITH 27: * Add new `org.osbuild.resolv-conf` stage that can be used to diff --git a/SPECS/osbuild-27.tar.gz b/SPECS/osbuild-27.tar.gz deleted file mode 100644 index ec82924..0000000 Binary files a/SPECS/osbuild-27.tar.gz and /dev/null differ diff --git a/SPECS/osbuild.spec b/SPECS/osbuild.spec index 1f62f84..582152f 100644 --- a/SPECS/osbuild.spec +++ b/SPECS/osbuild.spec @@ -1,7 +1,7 @@ %global forgeurl https://github.com/osbuild/osbuild %global selinuxtype targeted -Version: 27 +Version: 27.1 %forgemeta 
@@ -190,6 +190,10 @@ fi %changelog +* Thu Apr 1 2021 Achilleas Koutsou - 27.1-1 +- Upstream release 27.1 +- Bug fixes related to OCI archive generation. + * Tue Mar 16 2021 Christian Kellner - 27-1 - Upstream release 27 - Various bug fixes related to the new container and installer diff --git a/osbuild.spec b/osbuild.spec index 81e5fc8..50d9eae 100644 --- a/osbuild.spec +++ b/osbuild.spec @@ -1,7 +1,7 @@ %global forgeurl https://github.com/osbuild/osbuild %global selinuxtype targeted -Version: 27 +Version: 27.1 %forgemeta diff --git a/setup.py b/setup.py index 2ec2dc1..5da7d7b 100644 --- a/setup.py +++ b/setup.py @@ -2,7 +2,7 @@ import setuptools setuptools.setup( name="osbuild", - version="27", + version="27.1", description="A build system for OS images", packages=["osbuild", "osbuild.formats", "osbuild.util"], license='Apache-2.0', diff --git a/stages/org.osbuild.oci-archive b/stages/org.osbuild.oci-archive index fb2e7bb..047e348 100755 --- a/stages/org.osbuild.oci-archive +++ b/stages/org.osbuild.oci-archive @@ -126,6 +126,14 @@ MEDIA_TYPES = { } +# The extended attributes that should be recorded for the +# contents of file system layers: +# - user.*: user specified extended attributes +# - security.ima: Integrity Measurement Architecture (IMA) +# - security.capability: Linux capabilities(7) +XATTRS_WANT = r"^(user.|security\.ima|security\.capability)" + + def sha256sum(path: str) -> str: ret = subprocess.run(["sha256sum", path], stdout=subprocess.PIPE, @@ -168,6 +176,7 @@ def blobs_add_layer(blobs: str, tree: str): "--no-selinux", "--acls", "--xattrs", + "--xattrs-include=" + XATTRS_WANT, "-cf", layer_file, "-C", tree, ] + os.listdir(tree) 
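Review bot: `XATTRS_WANT` is written as a regular expression, but GNU tar, as far as I know, matches `--xattrs-include` patterns against attribute names as shell-style globs (fnmatch), so `^(user.|security\.ima|security\.capability)` would match no real key and the layers would silently lose `security.capability` and `security.ima` along with `security.selinux`. This applies to the constant added in this hunk and to its use in the `blobs_add_layer` hunk that follows. If that reading of tar is right, pass one glob per option instead, `"--xattrs-include=user.*"`, `"--xattrs-include=security.ima"`, `"--xattrs-include=security.capability"`, and add a test that sets a file capability in the tree and checks that it survives in the layer. Even read as a regex, the `.` after `user` is unescaped and the alternatives have no end anchor, so the pattern is looser than the comment describes.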
@@ -221,15 +230,18 @@ def config_from_options(options): def create_oci_dir(inputs, output_dir, options): architecture = options["architecture"] + now = datetime.datetime.utcnow().isoformat() + "Z" + config = { - "created": datetime.datetime.utcnow().isoformat() + "Z", + "created": now, "architecture": architecture, "os": "linux", "config": config_from_options(options["config"]), "rootfs": { "type": "layers", "diff_ids": [] - } + }, + "history": [] } manifest = { @@ -251,8 +263,12 @@ def create_oci_dir(inputs, output_dir, options): tree = inputs[ip]["path"] digest, info = blobs_add_layer(blobs, tree) - config["rootfs"]["diff_ids"] = [digest] manifest["layers"].append(info) + config["rootfs"]["diff_ids"] = [digest] + config["history"].append({ + "created": now, + "created_by": f"/bin/sh -c #(nop) osbuild input '{ip}'" + }) ## write config info = blobs_add_json(blobs, config, "config") @@ -284,6 +300,8 @@ def main(inputs, output_dir, options): command = [ "tar", "--remove-files", + "--no-selinux", + "--no-xattrs", "-cf", os.path.join(output_dir, filename), f"--directory={workdir}", ] + os.listdir(workdir)
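Review bot: `now` is taken from the wall clock and, with this change, is written into every `history` entry as well as `created`, so the config blob and therefore the manifest digest differ on each run even for identical inputs. For an image builder that makes it harder to verify an artifact by rebuilding it; consider taking the timestamp from a caller-supplied value (for example `SOURCE_DATE_EPOCH` when it is set) and falling back to the current time. `create_oci_dir` continues outside this hunk, so an existing override elsewhere cannot be ruled out from here.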
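Review bot: `config["rootfs"]["diff_ids"] = [digest]` replaces the list, while the lines around it append to `manifest["layers"]` and `config["history"]`. The `inputs[ip]` lookup suggests this runs once per input (the loop header is outside the hunk); with more than one input the config would then carry several layers and history entries but only the last diff ID, which image consumers that check layers against `diff_ids` are likely to reject. Use `config["rootfs"]["diff_ids"].append(digest)` so the three lists stay in step.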