!46 change systemd unit file permission to 644

From: @fuowang 
Reviewed-by: @yangzhao_kl 
Signed-off-by: @yangzhao_kl

0001-k3s-cni-adaptation.patch

@@ -0,0 +1,313 @@
+From 5108900d343863625ded1e56f2f7dfbc18c30f38 Mon Sep 17 00:00:00 2001
+From: wang--ge <wang__ge@126.com>
+Date: Wed, 20 Jul 2022 19:16:50 +0800
+Subject: [PATCH] k3s cni adaptation
+
+---
+ plugins/ipam/host-local/dns.go                   | 2 +-
+ plugins/ipam/host-local/dns_test.go              | 2 +-
+ plugins/ipam/host-local/host_local_suite_test.go | 2 +-
+ plugins/ipam/host-local/host_local_test.go       | 2 +-
+ plugins/ipam/host-local/main.go                  | 4 ++--
+ plugins/main/bridge/bridge.go                    | 4 ++--
+ plugins/main/bridge/bridge_suite_test.go         | 2 +-
+ plugins/main/bridge/bridge_test.go               | 2 +-
+ plugins/main/loopback/loopback.go                | 4 ++--
+ plugins/main/loopback/loopback_suite_test.go     | 2 +-
+ plugins/main/loopback/loopback_test.go           | 2 +-
+ plugins/meta/portmap/chain.go                    | 2 +-
+ plugins/meta/portmap/chain_test.go               | 2 +-
+ plugins/meta/portmap/main.go                     | 4 ++--
+ plugins/meta/portmap/portmap.go                  | 2 +-
+ plugins/meta/portmap/portmap_integ_test.go       | 2 +-
+ plugins/meta/portmap/portmap_suite_test.go       | 2 +-
+ plugins/meta/portmap/portmap_test.go             | 2 +-
+ plugins/meta/portmap/utils.go                    | 2 +-
+ 19 files changed, 23 insertions(+), 23 deletions(-)
+
+diff --git a/plugins/ipam/host-local/dns.go b/plugins/ipam/host-local/dns.go
+index 1b3975a..ab056ad 100644
+--- a/plugins/ipam/host-local/dns.go
++++ b/plugins/ipam/host-local/dns.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package hostlocal
+ 
+ import (
+ 	"bufio"
+diff --git a/plugins/ipam/host-local/dns_test.go b/plugins/ipam/host-local/dns_test.go
+index 1b87002..837c7d4 100644
+--- a/plugins/ipam/host-local/dns_test.go
++++ b/plugins/ipam/host-local/dns_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package hostlocal_test
+ 
+ import (
+ 	"io/ioutil"
+diff --git a/plugins/ipam/host-local/host_local_suite_test.go b/plugins/ipam/host-local/host_local_suite_test.go
+index d458f6b..b368b0e 100644
+--- a/plugins/ipam/host-local/host_local_suite_test.go
++++ b/plugins/ipam/host-local/host_local_suite_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package hostlocal_test
+ 
+ import (
+ 	. "github.com/onsi/ginkgo"
+diff --git a/plugins/ipam/host-local/host_local_test.go b/plugins/ipam/host-local/host_local_test.go
+index 5cba3d4..1b3a956 100644
+--- a/plugins/ipam/host-local/host_local_test.go
++++ b/plugins/ipam/host-local/host_local_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package hostlocal_test
+ 
+ import (
+ 	"fmt"
+diff --git a/plugins/ipam/host-local/main.go b/plugins/ipam/host-local/main.go
+index 9983c83..3af4407 100644
+--- a/plugins/ipam/host-local/main.go
++++ b/plugins/ipam/host-local/main.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package hostlocal
+ 
+ import (
+ 	"fmt"
+@@ -29,7 +29,7 @@ import (
+ 	"github.com/containernetworking/cni/pkg/version"
+ )
+ 
+-func main() {
++func Main() {
+ 	skel.PluginMain(cmdAdd, cmdCheck, cmdDel, version.All, bv.BuildString("host-local"))
+ }
+ 
+diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
+index 23c1256..49c84bb 100644
+--- a/plugins/main/bridge/bridge.go
++++ b/plugins/main/bridge/bridge.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package bridge
+ 
+ import (
+ 	"encoding/json"
+@@ -693,7 +693,7 @@ func cmdDel(args *skel.CmdArgs) error {
+ 	return err
+ }
+ 
+-func main() {
++func Main() {
+ 	skel.PluginMain(cmdAdd, cmdCheck, cmdDel, version.All, bv.BuildString("bridge"))
+ }
+ 
+diff --git a/plugins/main/bridge/bridge_suite_test.go b/plugins/main/bridge/bridge_suite_test.go
+index 3e48736..392098e 100644
+--- a/plugins/main/bridge/bridge_suite_test.go
++++ b/plugins/main/bridge/bridge_suite_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package bridge_test
+ 
+ import (
+ 	. "github.com/onsi/ginkgo"
+diff --git a/plugins/main/bridge/bridge_test.go b/plugins/main/bridge/bridge_test.go
+index 118074e..a0f18fb 100644
+--- a/plugins/main/bridge/bridge_test.go
++++ b/plugins/main/bridge/bridge_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package bridge_test
+ 
+ import (
+ 	"encoding/json"
+diff --git a/plugins/main/loopback/loopback.go b/plugins/main/loopback/loopback.go
+index cae4aa4..8394a1b 100644
+--- a/plugins/main/loopback/loopback.go
++++ b/plugins/main/loopback/loopback.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package loopback
+ 
+ import (
+ 	"encoding/json"
+@@ -172,7 +172,7 @@ func cmdDel(args *skel.CmdArgs) error {
+ 	return nil
+ }
+ 
+-func main() {
++func Main() {
+ 	skel.PluginMain(cmdAdd, cmdCheck, cmdDel, version.All, bv.BuildString("loopback"))
+ }
+ 
+diff --git a/plugins/main/loopback/loopback_suite_test.go b/plugins/main/loopback/loopback_suite_test.go
+index d252d12..a2b6ae2 100644
+--- a/plugins/main/loopback/loopback_suite_test.go
++++ b/plugins/main/loopback/loopback_suite_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main_test
++package loopback_test
+ 
+ import (
+ 	"github.com/onsi/gomega/gexec"
+diff --git a/plugins/main/loopback/loopback_test.go b/plugins/main/loopback/loopback_test.go
+index b2aec44..12e5aa1 100644
+--- a/plugins/main/loopback/loopback_test.go
++++ b/plugins/main/loopback/loopback_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main_test
++package loopback_test
+ 
+ import (
+ 	"fmt"
+diff --git a/plugins/meta/portmap/chain.go b/plugins/meta/portmap/chain.go
+index adad1e7..87558cf 100644
+--- a/plugins/meta/portmap/chain.go
++++ b/plugins/meta/portmap/chain.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap
+ 
+ import (
+ 	"fmt"
+diff --git a/plugins/meta/portmap/chain_test.go b/plugins/meta/portmap/chain_test.go
+index c4e41be..69f547e 100644
+--- a/plugins/meta/portmap/chain_test.go
++++ b/plugins/meta/portmap/chain_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap_test
+ 
+ import (
+ 	"fmt"
+diff --git a/plugins/meta/portmap/main.go b/plugins/meta/portmap/main.go
+index 003d4d6..b5f5b3f 100644
+--- a/plugins/meta/portmap/main.go
++++ b/plugins/meta/portmap/main.go
+@@ -23,7 +23,7 @@
+ // of the actual host port. If there is a service on the host, it will have all
+ // its traffic captured by the container. If another container also claims a given
+ // port, it will caputure the traffic - it is last-write-wins.
+-package main
++package portmap
+ 
+ import (
+ 	"encoding/json"
+@@ -135,7 +135,7 @@ func cmdDel(args *skel.CmdArgs) error {
+ 	return nil
+ }
+ 
+-func main() {
++func Main() {
+ 	skel.PluginMain(cmdAdd, cmdCheck, cmdDel, version.All, bv.BuildString("portmap"))
+ }
+ 
+diff --git a/plugins/meta/portmap/portmap.go b/plugins/meta/portmap/portmap.go
+index 8178bfb..763ba12 100644
+--- a/plugins/meta/portmap/portmap.go
++++ b/plugins/meta/portmap/portmap.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap
+ 
+ import (
+ 	"fmt"
+diff --git a/plugins/meta/portmap/portmap_integ_test.go b/plugins/meta/portmap/portmap_integ_test.go
+index 3e8201e..5d91e08 100644
+--- a/plugins/meta/portmap/portmap_integ_test.go
++++ b/plugins/meta/portmap/portmap_integ_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap_test
+ 
+ import (
+ 	"bytes"
+diff --git a/plugins/meta/portmap/portmap_suite_test.go b/plugins/meta/portmap/portmap_suite_test.go
+index 55aee92..98a2e46 100644
+--- a/plugins/meta/portmap/portmap_suite_test.go
++++ b/plugins/meta/portmap/portmap_suite_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap_test
+ 
+ import (
+ 	"math/rand"
+diff --git a/plugins/meta/portmap/portmap_test.go b/plugins/meta/portmap/portmap_test.go
+index dd68391..c31d139 100644
+--- a/plugins/meta/portmap/portmap_test.go
++++ b/plugins/meta/portmap/portmap_test.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap_test
+ 
+ import (
+ 	"fmt"
+diff --git a/plugins/meta/portmap/utils.go b/plugins/meta/portmap/utils.go
+index a733fda..163e787 100644
+--- a/plugins/meta/portmap/utils.go
++++ b/plugins/meta/portmap/utils.go
+@@ -12,7 +12,7 @@
+ // See the License for the specific language governing permissions and
+ // limitations under the License.
+ 
+-package main
++package portmap
+ 
+ import (
+ 	"fmt"
+-- 
+2.27.0
+

containernetworking-plugins.spec

@@ -11,22 +11,25 @@
  
 # Used for comparing with latest upstream tag
 # to decide whether to autobuild
-%global built_tag v1.0.1
+%global built_tag v1.1.1
 %global built_tag_strip %(b=%{built_tag}; echo ${b:1})
  
 Name: %{project}-%{repo}
-Version: 1.0.1
-Release: 2
+Version: 1.1.1
+Release: 6
 Summary: Libraries for use by writing CNI plugin
 License: ASL 2.0
 URL: https://github.com/containernetworking/plugins
 Source0: https://github.com/containernetworking/plugins/archive/%{built_tag}.tar.gz
-
+Source1: 0001-k3s-cni-adaptation.patch
+Source2: https://github.com/zchee/reexec/archive/refs/heads/master.zip
 BuildRequires: golang >= 1.16.6
 BuildRequires: git
 BuildRequires: systemd-devel
+BuildRequires:  shadow
+BuildRequires:  xz
+BuildRequires:  unzip
 Requires: systemd
- 
 %if ! 0%{?with_bundled}
 BuildRequires: go-bindata
 BuildRequires: golang(github.com/vishvananda/netlink)
@@ -96,7 +99,12 @@ rm -rf plugins/main/windows
  
 # Use correct paths in cni-dhcp unitfiles
 sed -i 's/\/opt\/cni\/bin/\%{_prefix}\/libexec\/cni/' plugins/ipam/dhcp/systemd/cni-dhcp.service
- 
+
+%ifarch sw_64 loongarch64
+%__rm -rf vendor/golang.org/x/sys
+%__cp -af %{_prefix}/lib/golang/src/cmd/vendor/golang.org/x/sys vendor/golang.org/x/
+%endif
+
 %build
 export ORG_PATH="github.com/%{project}"
 export REPO_PATH="$ORG_PATH/%{repo}"
@@ -116,18 +124,103 @@ for d in $PLUGINS; do
     if [ -d "$d" ]; then
         plugin="$(basename "$d")"
         echo "  $plugin"
-        go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d '  \n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x -o "${PWD}/bin/$plugin" "$@" github.com/containernetworking/plugins/$d
+        go build \
+%ifarch sw_64 sw64
+        -buildmode exe \
+%else
+        -buildmode pie \
+%endif
+        -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d '  \n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x -o "${PWD}/bin/$plugin" "$@" github.com/containernetworking/plugins/$d
     fi
 done
- 
+
+TMPDIR=$(mktemp -d)
+WORKDIR=$TMPDIR/src/github.com/containernetworking/plugins
+mkdir -p $WORKDIR
+cd ..
+cp -r plugins-%{version}/* $WORKDIR
+mkdir -p $WORKDIR/vendor/github.com/docker/docker/pkg
+unzip -d $WORKDIR/vendor/github.com/docker/docker/pkg/ %{SOURCE2}
+mv $WORKDIR/vendor/github.com/docker/docker/pkg/reexec-master $WORKDIR/vendor/github.com/docker/docker/pkg/reexec
+
+cd $WORKDIR
+cp %{SOURCE1} ./
+patch -p1 < 0001-k3s-cni-adaptation.patch
+cat > main.go << EOF
+package main
+
+import (
+        "os"
+        "path/filepath"
+
+        "github.com/containernetworking/plugins/plugins/ipam/host-local"
+        "github.com/containernetworking/plugins/plugins/main/bridge"
+        "github.com/containernetworking/plugins/plugins/main/loopback"
+        //"github.com/containernetworking/plugins/plugins/meta/flannel"
+        "github.com/containernetworking/plugins/plugins/meta/portmap"
+        "github.com/docker/docker/pkg/reexec"
+)
+
+func main() {
+        os.Args[0] = filepath.Base(os.Args[0])
+        reexec.Register("host-local", hostlocal.Main)
+        reexec.Register("bridge", bridge.Main)
+        //reexec.Register("flannel", flannel.Main)
+        reexec.Register("loopback", loopback.Main)
+        reexec.Register("portmap", portmap.Main)
+        reexec.Init()
+}
+EOF
+
+PKG="github.com/k3s-io/k3s"
+PKG_CONTAINERD="github.com/containerd/containerd"
+PKG_K3S_CONTAINERD="github.com/k3s-io/containerd"
+PKG_CRICTL="github.com/kubernetes-sigs/cri-tools/pkg"
+PKG_K8S_BASE="k8s.io/component-base"
+PKG_K8S_CLIENT="k8s.io/client-go/pkg"
+PKG_CNI_PLUGINS="github.com/containernetworking/plugins"
+
+buildDate=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
+
+VERSIONFLAGS="
+    -X ${PKG}/pkg/version.Version=${VERSION}
+    -X ${PKG}/pkg/version.GitCommit=${COMMIT:0:8}
+
+    -X ${PKG_K8S_CLIENT}/version.gitVersion=${VERSION}
+    -X ${PKG_K8S_CLIENT}/version.gitCommit=${COMMIT}
+    -X ${PKG_K8S_CLIENT}/version.gitTreeState=${TREE_STATE}
+    -X ${PKG_K8S_CLIENT}/version.buildDate=${buildDate}
+
+    -X ${PKG_K8S_BASE}/version.gitVersion=${VERSION}
+    -X ${PKG_K8S_BASE}/version.gitCommit=${COMMIT}
+    -X ${PKG_K8S_BASE}/version.gitTreeState=${TREE_STATE}
+    -X ${PKG_K8S_BASE}/version.buildDate=${buildDate}
+
+    -X ${PKG_CRICTL}/version.Version=${VERSION_CRICTL}
+
+    -X ${PKG_CONTAINERD}/version.Version=${VERSION_CONTAINERD}
+    -X ${PKG_CONTAINERD}/version.Package=${PKG_K3S_CONTAINERD}
+"
+TAGS="apparmor seccomp netcgo osusergo providerless"
+STATIC="-extldflags '-static -lm -ldl -lz -lpthread'"
+GO111MODULE=off CGO_ENABLED=0 GOPATH=$TMPDIR go build -tags "$TAGS" \
+%ifarch sw_64
+    -buildmode exe \
+%else
+    -buildmode pie \
+%endif
+    -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC -s -w -linkmode=external -extldflags '-Wl,-z,relro  -Wl,-z,now  ' " -o %{_builddir}/cni
+
 %install
 install -d -p %{buildroot}%{_libexecdir}/cni/
+strip bin/*
 install -p -m 0755 bin/* %{buildroot}/%{_libexecdir}/cni
+cp %{_builddir}/cni %{buildroot}%{_libexecdir}/cni/
 install -d -p     %{buildroot}/%{gopath}/src/github.com/containernetworking/plugins/
  
 install -dp %{buildroot}%{_unitdir}
-install -p plugins/ipam/dhcp/systemd/cni-dhcp.service %{buildroot}%{_unitdir}
-install -p plugins/ipam/dhcp/systemd/cni-dhcp.socket %{buildroot}%{_unitdir}
+install -p -m 0644 plugins/ipam/dhcp/systemd/cni-dhcp.service %{buildroot}%{_unitdir}
+install -p -m 0644 plugins/ipam/dhcp/systemd/cni-dhcp.socket %{buildroot}%{_unitdir}
  
 # source codes for building projects
 %if 0%{?with_devel}
@@ -238,6 +331,27 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 
 
 %changelog
+* Mon Jun 24 2024 wangshuo <wangshuo@kylinos.cn> - 1.1.1-6
+- change systemd unit file permission to 644
+
+* Fri Jun 21 2024 zmr_2020 <zhang_jian7@hoperun.com> - 1.1.1-5
+- strip binary files
+
+* Thu Dec 28 2023 yaoxin <yao_xin001@hoperun.com> - 1.1.1-4
+- Rebuild for golang cves: CVE-2023-24534,CVE-2023-24536,CVE-2023-24537 and CVE-2023-24538
+
+* Thu Aug 10 2023 herengui <herengui@kylinsec.com.cn> - 1.1.1-3
+- Type:sync
+- ID:NA
+- SUG:NA
+- DESC: Add support for sw_64 and loongarch64.
+
+* Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1.1.1-2
+- Add PIE,BIND_NOW,RELRO,STRIP secure compilation options
+
+* Wed Jul 20 2022 Ge Wang <wangge20@h-partners.com> - 1.1.1-1
+- update to version 1.1.1
+
 * Mon Jan 10 2022 liyanan <liyanan32@huawei.com> - 1.0.1-2
 - drop deps for golang packages due to vendor has everything