<!--
+++
# Hugo Front-matter
title = "Changelog"
aliases = ["/CHANGELOG.md"]
+++
-->

# Changelog #
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).

## [Unreleased] ##

### Security ###
- A security flaw was found in the OCI image-spec, where it is possible to
  cause a blob with one media-type to be interpreted as a different media-type.
  As umoci is not a registry nor does it handle signatures, this vulnerability
  had no real impact on umoci but for safety we implemented the now-recommended
  media-type embedding and verification. CVE-2021-41190

### Changes ###
- In this release, the primary development branch was renamed to `main`.
- The runtime-spec version of the `config.json` we generate is no
  longer hard-coded to `1.0.0`. We now use the version of the spec we have
  imported (with any `-dev` suffix stripped, as such a suffix causes havoc with
  verification tools -- ideally we would only ever use released versions of the
  spec but that's not always possible). #452
- Add the `cgroup` namespace to the default configuration generated by `umoci
  unpack` to make sure that our configuration plays nicely with `runc` when on
  cgroupv2 systems.

### Fixed ###
- In 0.4.7, a performance regression was introduced as part of the
  `VerifiedReadCloser` hardening work (to read all trailing bytes) which would
  cause walk operations on images to hash every blob in the image (even blobs
  which we couldn't parse and thus couldn't recurse into). To resolve this, we
  no longer recurse into unparseable blobs. #373 #375 #394
- Handle `EINTR` on `io.Copy` operations.
  Newer Go versions have added more
  opportunistic pre-emption which can cause `EINTR` errors in io paths that
  didn't occur before. #437
- Quite a few changes were made to CI to try to avoid issues with fragility.
  #452

## [0.4.7] - 2021-04-05 ##

### Security ###
- A security flaw was found in umoci, and has been fixed in this release. If
  umoci was used to unpack a malicious image (using either `umoci unpack` or
  `umoci raw unpack`) that contained a symlink entry for `/.`, umoci would
  apply subsequent layers to the target of the symlink (resolved on the host
  filesystem). This means that if you ran umoci as root, a malicious image
  could overwrite any file on the system (assuming you didn't have any other
  access control restrictions). CVE-2021-29136

### Added ###
- umoci now compiles on FreeBSD and appears to work, with the notable
  limitation that it currently refuses to extract non-Linux images on any
  platform (this will be fixed in a future release -- see #364). #357
- Initial fuzzer implementations for oss-fuzz. #365

### Changed ###
- umoci will now read all trailing data from image layers, to combat the
  existence of some image generators that appear to append NUL bytes to the end
  of the gzip stream (which would previously cause checksum failures because we
  didn't read nor checksum the trailing junk bytes). However, umoci will still
  not read past the descriptor length. #360
- umoci now ignores all overlayfs xattrs during unpack and repack operations,
  to avoid causing issues when packing a raw overlayfs directory. #354
- Changes to the (still-internal) APIs to allow for users to use umoci more
  effectively as a library.
  - The garbage collection API now supports custom GC policies. #338
  - The mutate API now returns information about what layers were added by the
    operation. #344
  - The mutate API now supports custom compression, and has in-tree support for
    zstd.
    #348 #350
- Support overlayfs-style whiteouts during unpack and repack. #342

## [0.4.6] - 2020-06-24 ##
umoci has been adopted by the Open Container Initiative as a reference
implementation of the OCI Image Specification. This will have little impact on
the roadmap or scope of umoci, but it does further solidify umoci as a useful
piece of "boring container infrastructure" that can be used to build larger
systems.

### Changed ###
- As part of the adoption procedure, the import path and module name of umoci
  have changed from `github.com/openSUSE/umoci` to
  `github.com/opencontainers/umoci`. This means that users of our (still
  unstable) Go API will have to change their import paths in order to update to
  newer versions of umoci.

  The old GitHub project will contain a snapshot of `v0.4.5` with a few minor
  changes to the readme that explain the situation. Go projects which import
  the archived project will receive build warnings that explain the need to
  update their import paths.

### Added ###
- umoci now builds on MacOS, and we currently run the unit tests on MacOS to
  hopefully catch core regressions (in the future we will get the integration
  tests running to catch more possible regressions). opencontainers/umoci#318

### Fixed ###
- Suppress repeated xattr warnings on destination filesystems that do not
  support xattrs. opencontainers/umoci#311
- Work around a long-standing issue in our command-line parsing library (see
  urfave/cli#1152) by disabling argument re-ordering for `umoci config`, which
  often takes `-`-prefixed flag arguments. opencontainers/umoci#328

## [0.4.5] - 2019-12-04 ##
### Added ###
- Expose umoci subcommands as part of the API, so they can be used by other Go
  projects.
  opencontainers/umoci#289
- Add extensible hooking to the core libraries in umoci, to allow for
  third-party media-types to be treated just like first-party ones (the key
  difference is the introspection and parsing logic). opencontainers/umoci#299
  opencontainers/umoci#307

### Fixed ###
- Use `type: bind` for generated `config.json` bind-mounts. While this doesn't
  make too much sense (see opencontainers/runc#2035), it does mean that
  rootless containers work properly with newer `runc` releases (which appear to
  have regressed when handling file-based bind-mounts with a "bad" `type`).
  opencontainers/umoci#294 opencontainers/umoci#295
- Don't insert a new layer if there is no diff. opencontainers/umoci#293
- Only output a warning if forbidden extended attributes are present inside the
  tar archive -- otherwise we fail on certain (completely broken) Docker
  images. opencontainers/umoci#304

## [0.4.4] - 2019-01-30 ##
### Added ###
- Full-stack verification of blob hashes and descriptor sizes is now done on
  all operations, improving our hardening against bad blobs (we already did
  some verification of layer DiffIDs but this is far more thorough).
  opencontainers/umoci#278 opencontainers/umoci#280 opencontainers/umoci#282

## [0.4.3] - 2018-11-11 ##
### Added ###
- All umoci commands that had `--history.*` options can now decide to omit a
  history entry with `--no-history`. Note that while this is supported for
  commands that create layers (`umoci repack`, `umoci insert`, and `umoci raw
  add-layer`) it is not recommended to use it for those commands since it can
  cause other tools to become confused when inspecting the image history. The
  primary use case is to allow `umoci config --no-history` to leave no traces in
  the history. See SUSE/kiwi#871.
  opencontainers/umoci#270
- `umoci insert` now has a `--tag` option that allows you to non-destructively
  insert files into an image. The semantics match `umoci config --tag`.
  opencontainers/umoci#273

## [0.4.2] - 2018-09-11 ##
### Added ###
- umoci now has an exposed Go API. At the moment it's unclear whether it will
  be changed significantly, but at the least now users can use
  umoci-as-a-library in a fairly sane way. opencontainers/umoci#245
- Added `umoci unpack --keep-dirlinks` (in the same vein as rsync's flag with
  the same name) which allows layers that contain entries which have a symlink
  as a path component. opencontainers/umoci#246
- `umoci insert` now supports whiteouts in two significant ways. You can use
  `--whiteout` to "insert" a deletion of a given path, while you can use
  `--opaque` to replace a directory by adding an opaque whiteout (the default
  behaviour causes the old and new directories to be merged).
  opencontainers/umoci#257

### Fixed ###
- Docker has changed how they handle whiteouts for non-existent files. The
  specification is loose on this (and in umoci we've always been liberal with
  whiteout generation -- to avoid cases where someone was confused we didn't
  have a whiteout for every entry). But now that they have deviated from the
  spec, in the interest of playing nice, we can just follow their new
  restriction (even though it is not supported by the spec). This also makes
  our layers *slightly* smaller. opencontainers/umoci#254
- `umoci unpack` now no longer erases `system.nfs4_acl` and also has some more
  sophisticated handling of forbidden xattrs.
  opencontainers/umoci#252
  opencontainers/umoci#248
- `umoci unpack` now appears to work correctly on SELinux-enabled systems
  (previously we had various issues where `umoci` wouldn't like it when it was
  trying to ensure the filesystem was reproducibly generated and SELinux xattrs
  would act strangely). To fix this, now `umoci unpack` will only cause errors
  if it has been asked to change a forbidden xattr to a value different than
  its current on-disk value. opencontainers/umoci#235 opencontainers/umoci#259

## [0.4.1] - 2018-08-16 ##
### Added ###
- The number of possible tags that are now valid with `umoci` subcommands has
  increased significantly due to an expansion in the specification of the
  format of the `ref.name` annotation. To quote the specification, the
  following is the EBNF of valid `refname` values. opencontainers/umoci#234
  ```
  refname   ::= component ("/" component)*
  component ::= alphanum (separator alphanum)*
  alphanum  ::= [A-Za-z0-9]+
  separator ::= [-._:@+] | "--"
  ```
- A new `umoci insert` subcommand which adds a given file to a path inside the
  container. opencontainers/umoci#237
- A new `umoci raw unpack` subcommand in order to allow users to unpack images
  without needing a configuration or any of the manifest generation.
  opencontainers/umoci#239
- `umoci` now has a logo. Thanks to [Max Bailey][maxbailey] for contributing
  this to the project. opencontainers/umoci#165 opencontainers/umoci#249

### Fixed ###
- `umoci unpack` now handles out-of-order regular whiteouts correctly (though
  this ordering is not recommended by the spec -- nor is it required). This is
  an extension of opencontainers/umoci#229 that was missed during review.
  opencontainers/umoci#232
- `umoci unpack` and `umoci repack` now make use of a far more optimised `gzip`
  compression library.
  In some benchmarks this has resulted in `umoci repack`
  speedups of up to 3x (though of course, you should do your own benchmarks).
  `umoci unpack` unfortunately doesn't have as significant of a performance
  improvement, due to the nature of `gzip` decompression (in future we may
  switch to `zlib` wrappers). opencontainers/umoci#225 opencontainers/umoci#233

[maxbailey]: http://www.maxbailey.me/

## [0.4.0] - 2018-03-10 ##
### Added ###
- `umoci repack` now supports `--refresh-bundle` which will update the
  OCI bundle's metadata (mtree and umoci-specific manifests) after packing the
  image tag. This means that the bundle can be used as a base layer for
  future diffs without needing to unpack the image again. opencontainers/umoci#196
- Added a website, and reworked the documentation to be better structured. You
  can visit the website at [`umo.ci`][umo.ci]. opencontainers/umoci#188
- Added support for the `user.rootlesscontainers` specification, which allows
  for persistent on-disk emulation of `chown(2)` inside rootless containers.
  This implementation is interoperable with [@AkihiroSuda's `PRoot`
  fork][as-proot-fork] (though we do not test its interoperability at the
  moment) as both tools use [the same protobuf
  specification][rootlesscontainers-proto]. opencontainers/umoci#227
- `umoci unpack` now has support for opaque whiteouts (whiteouts which remove
  all children of a directory in the lower layer), though `umoci repack` does
  not currently have support for generating them. While this is technically a
  spec requirement, through testing we've never encountered an actual user of
  these whiteouts. opencontainers/umoci#224 opencontainers/umoci#229
- `umoci unpack` will now use some rootless tricks inside user namespaces for
  operations that are known to fail (such as `mknod(2)`) while other operations
  will be carried out as normal (such as `lchown(2)`).
  It should be noted that
  the `/proc/self/uid_map` checking we do can be tricked into not detecting
  user namespaces, but you would need to be trying to break it on purpose.
  opencontainers/umoci#171 opencontainers/umoci#230

### Fixed ###
- Fix a bug in our "parent directory restore" code, which is responsible for
  ensuring that the mtime and other similar properties of a directory are not
  modified by extraction inside said directory. The bug would manifest as
  xattrs not being restored properly in certain edge-cases (which we
  incidentally hit in a test-case). opencontainers/umoci#161 opencontainers/umoci#162
- `umoci unpack` will now "clean up" the bundle generated if an error occurs
  during unpacking. Previously this didn't happen, which made cleaning up the
  responsibility of the caller (which was quite difficult if you were
  unprivileged). This is a breaking change, but is in the error path so it's
  not critical. opencontainers/umoci#174 opencontainers/umoci#187
- `umoci gc` now will no longer remove unknown files and directories that
  aren't `flock(2)`ed, thus ensuring that any possible OCI image-spec
  extensions or other users of an image being operated on will no longer
  break. opencontainers/umoci#198
- `umoci unpack --rootless` will now correctly handle regular file unpacking
  when overwriting a file that `umoci` doesn't have write access to. In
  addition, the semantics of pre-existing hardlinks to a clobbered file are
  clarified (the hard-links will not refer to the new layer's inode).
  opencontainers/umoci#222 opencontainers/umoci#223

[as-proot-fork]: https://github.com/AkihiroSuda/runrootless
[rootlesscontainers-proto]: https://rootlesscontaine.rs/proto/rootlesscontainers.proto
[umo.ci]: https://umo.ci/

## [0.3.1] - 2017-10-04 ##
### Fixed ###
- Fix several minor bugs in `hack/release.sh` that caused the release artefacts
  to not match the intended style, as well as making it more generic so other
  projects can use it. opencontainers/umoci#155 opencontainers/umoci#163
- A recent configuration issue caused `go vet` and `go lint` to not run as part
  of our CI jobs. This means that some of the information submitted as part of
  [CII best practices badging][cii] was not accurate. This has been corrected,
  and after review we concluded that only stylistic issues were discovered by
  static analysis. opencontainers/umoci#158
- 32-bit unit test builds were broken in a refactor in [0.3.0]. This has been
  fixed, and we've added tests to our CI to ensure that something like this
  won't go unnoticed in the future. opencontainers/umoci#157
- `umoci unpack` would not correctly preserve set{uid,gid} bits. While this
  would not cause issues when building an image (as we only create a manifest
  of the final extracted rootfs), it would cause issues for other users of
  `umoci`. opencontainers/umoci#166 opencontainers/umoci#169
- Updated to [v0.4.1 of `go-mtree`][gomtree-v0.4.1], which fixes several minor
  bugs with manifest generation. opencontainers/umoci#176
- `umoci unpack` would not handle "weird" tar archive layers previously (it
  would error out with DiffID errors). While this wouldn't cause issues for
  layers generated using Go's `archive/tar` implementation, it would cause
  issues for GNU gzip and other such tools.
  opencontainers/umoci#178
  opencontainers/umoci#179

### Changed ###
- `umoci unpack`'s mapping options (`--uid-map` and `--gid-map`) have had an
  interface change, to better match the [`user_namespaces(7)`][user_namespaces]
  interfaces. Note that this is a **breaking change**, but the workaround is to
  switch to the trivially different (but now more consistent) format.
  opencontainers/umoci#167

### Security ###
- `umoci unpack` used to create the bundle and rootfs with world
  read-and-execute permissions by default. This could potentially result in an
  unsafe rootfs (containing dangerous setuid binaries for instance) being
  accessible by an unprivileged user. This has been fixed by always setting the
  mode of the bundle to `0700`, which requires a user to explicitly work around
  this basic protection. This scenario was documented in our security
  documentation previously, but has now been fixed. opencontainers/umoci#181
  opencontainers/umoci#182

[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[gomtree-v0.4.1]: https://github.com/vbatts/go-mtree/releases/tag/v0.4.1
[user_namespaces]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html

## [0.3.0] - 2017-07-20 ##
### Added ###
- `umoci` now passes all of the requirements for the [CII best practices badging
  program][cii]. opencontainers/umoci#134
- `umoci` also now has more extensive architecture, quick-start and roadmap
  documentation. opencontainers/umoci#134
- `umoci` now supports [`1.0.0` of the OCI image
  specification][ispec-v1.0.0] and [`1.0.0` of the OCI runtime
  specification][rspec-v1.0.0], which are the first milestone release. Note
  that there are still some remaining UX issues with `--image` and other parts
  of `umoci` which may be subject to change in future versions.
  In particular,
  this update of the specification now means that images may have ambiguous
  tags. `umoci` will warn you if an operation may have an ambiguous result, but
  we plan to improve this functionality far more in the future.
  opencontainers/umoci#133 opencontainers/umoci#142
- `umoci` also now supports more complicated descriptor walk structures, and
  also handles mutation of such structures more sanely. At the moment, this
  functionality has not been used "in the wild" and `umoci` doesn't have the UX
  to create such structures (yet) but these will be implemented in future
  versions. opencontainers/umoci#145
- `umoci repack` now supports `--mask-path` to ignore changes in the rootfs
  that are in a child of at least one of the provided masks when generating new
  layers. opencontainers/umoci#127

### Changed ###
- Error messages from `github.com/opencontainers/umoci/oci/cas/drivers/dir` actually
  make sense now. opencontainers/umoci#121
- `umoci unpack` now generates `config.json` blobs according to the [still
  proposed][ispec-pr492] OCI image specification conversion document.
  opencontainers/umoci#120
- `umoci repack` now also automatically adds `Config.Volumes` from the image
  configuration to the set of masked paths. This matches recently added
  [recommendations by the spec][ispec-pr694], but is a backwards-incompatible
  change because the new default is that `Config.Volumes` **will** be masked.
  If you wish to retain the old semantics, use `--no-mask-volumes` (though make
  sure to be aware of the reasoning behind `Config.Volumes` masking).
  opencontainers/umoci#127
- `umoci` now uses [`SecureJoin`][securejoin] rather than a patched version of
  `FollowSymlinkInScope`. The two implementations are roughly equivalent, but
  `SecureJoin` has a nicer API and is maintained as a separate project.
- Switched to using `golang.org/x/sys/unix` over `syscall` where possible,
  which makes the codebase significantly cleaner. opencontainers/umoci#141

[cii]: https://bestpractices.coreinfrastructure.org/projects/1084
[rspec-v1.0.0]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0
[ispec-v1.0.0]: https://github.com/opencontainers/image-spec/releases/tag/v1.0.0
[ispec-pr492]: https://github.com/opencontainers/image-spec/pull/492
[ispec-pr694]: https://github.com/opencontainers/image-spec/pull/694
[securejoin]: https://github.com/cyphar/filepath-securejoin

## [0.2.1] - 2017-04-12 ##
### Added ###
- `hack/release.sh` automates the process of generating all of the published
  artefacts for releases. The new script also generates signed source code
  archives. opencontainers/umoci#116

### Changed ###
- `umoci` now outputs configurations that are compliant with [`v1.0.0-rc5` of
  the OCI runtime-spec][rspec-v1.0.0-rc5]. This means that now you can use runc
  v1.0.0-rc3 with `umoci` (and rootless containers should work out of the box
  if you use a development build of runc). opencontainers/umoci#114
- `umoci unpack` no longer adds a dummy linux.seccomp entry, and instead just
  sets it to null. opencontainers/umoci#114

[rspec-v1.0.0-rc5]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc5

## [0.2.0] - 2017-04-11 ##
### Added ###
- `umoci` now has some automated scripts for generated RPMs that are used in
  openSUSE to automatically submit packages to OBS. opencontainers/umoci#101
- `--clear=config.{cmd,entrypoint}` is now supported. While this interface is a
  bit weird (`cmd` and `entrypoint` aren't treated atomically) this makes the
  UX more consistent while we come up with a better `cmd` and `entrypoint` UX.
  opencontainers/umoci#107
- New subcommand: `umoci raw runtime-config`.
  It generates the runtime-spec
  config.json for a particular image without also unpacking the root
  filesystem, allowing for users of `umoci` that are regularly parsing
  `config.json` without caring about the root filesystem to be more efficient.
  However, a downside of this approach is that some image-spec fields
  (`Config.User`) require a root filesystem in order to make sense, which is
  why this command is hidden under the `umoci-raw(1)` subcommand (to make sure
  only users that understand what they're doing use it). opencontainers/umoci#110

### Changed ###
- `umoci`'s `oci/cas` and `oci/config` libraries have been massively refactored
  and rewritten, to allow for third-parties to use the OCI libraries. The plan
  is for these to eventually become part of an OCI project. opencontainers/umoci#90
- The `oci/cas` interface has been modified to switch from `*ispec.Descriptor`
  to `ispec.Descriptor`. This is a breaking, but fairly insignificant, change.
  opencontainers/umoci#89

### Fixed ###
- `umoci` now uses an updated version of `go-mtree`, which has a complete
  rewrite of `Vis` and `Unvis`. The rewrite ensures that unicode handling is
  handled in a far more consistent and sane way. opencontainers/umoci#88
- `umoci` used to set `process.user.additionalGids` to the "normal value" when
  unpacking an image in rootless mode, causing issues when trying to actually
  run said bundle with runC. opencontainers/umoci#109

## [0.1.0] - 2017-02-11 ##
### Added ###
- `CHANGELOG.md` has now been added. opencontainers/umoci#76

### Changed ###
- `umoci` now supports `v1.0.0-rc4` images, which has made fairly minimal
  changes to the schema (mainly related to `mediaType`s).
  While this change
  **is** backwards compatible (several fields were removed from the schema, but
  the specification allows for "additional fields"), tools using older versions
  of the specification may fail to operate on newer OCI images. There was no UX
  change associated with this update.

### Fixed ###
- `umoci tag` would fail to clobber existing tags, which was in contrast to how
  the rest of the tag clobbering commands operated. This has been fixed and is
  now consistent with the other commands. opencontainers/umoci#78
- `umoci repack` now can correctly handle unicode-encoded filenames, allowing
  the creation of containers that have oddly named files. This required fixes
  to go-mtree (where the issue was). opencontainers/umoci#80

## [0.0.0] - 2017-02-07 ##
### Added ###
- Unit tests are massively expanded, as well as the integration tests.
  opencontainers/umoci#68 opencontainers/umoci#69
- Full coverage profiles (unit+integration) are generated to get all
  information about how much code is tested. opencontainers/umoci#68
  opencontainers/umoci#69

### Fixed ###
- Static compilation now works properly. opencontainers/umoci#64
- 32-bit architecture builds are fixed. opencontainers/umoci#70

### Changed ###
- Unit tests can now be run inside `%check` of an `rpmbuild` script, allowing
  for proper testing. opencontainers/umoci#65.
- The logging output has been cleaned up to be much nicer for end-users to
  read. opencontainers/umoci#73
- Project has been moved to an openSUSE project. opencontainers/umoci#75

## [0.0.0-rc3] - 2016-12-19 ##
### Added ###
- `unpack`, `repack`: `xattr` support which also handles `security.selinux.*`
  difficulties. opencontainers/umoci#49 opencontainers/umoci#52
- `config`, `unpack`: Ensure that environment variables are not duplicated in
  the extracted or stored configurations.
  opencontainers/umoci#30
- Add support for read-only CAS operations for read-only filesystems.
  opencontainers/umoci#47
- Add some helpful output about `--rootless` if `umoci` fails with `EPERM`.
- Enable stack traces with errors if the `--debug` flag was given to `umoci`.
  This requires a patch to `pkg/errors`.

### Changed ###
- `gc`: Garbage collection now also garbage collects temporary directories.
  opencontainers/umoci#17
- Clean-ups to vendoring of `go-mtree` so that it's much more
  upstream-friendly.

## [0.0.0-rc2] - 2016-12-12 ##
### Added ###
- `unpack`, `repack`: Support for rootless unpacking and repacking.
  opencontainers/umoci#26
- `unpack`, `repack`: UID and GID mapping when unpacking and repacking.
  opencontainers/umoci#26
- `tag`, `rm`, `ls`: Tag modification commands such as `umoci tag`, `umoci rm`
  and `umoci ls`. opencontainers/umoci#6 opencontainers/umoci#27
- `stat`: Output information about an image. Currently only shows the history
  information. Only the **JSON** output is stable. opencontainers/umoci#38
- `init`, `new`: New commands have been created to allow for image creation
  from scratch. opencontainers/umoci#5 opencontainers/umoci#42
- `gc`: Garbage collection of images. opencontainers/umoci#6
- Full integration and unit testing, with OCI validation to ensure that we
  always create valid images. opencontainers/umoci#12

### Changed ###
- `unpack`, `repack`: Create history entries automatically (with options to
  modify the entries). opencontainers/umoci#36
- `unpack`: Store information about its source to ensure consistency when doing
  a `repack`. opencontainers/umoci#14
- The `--image` and `--from` arguments have been combined into a single
  `<path>[:<tag>]` argument for `--image`.
  opencontainers/umoci#39
- `unpack`: Configuration annotations are now extracted, though there are still
  some discussions happening upstream about the correct way of doing this.
  opencontainers/umoci#43

### Fixed ###
- `repack`: Errors encountered during generation of delta layers are now
  correctly propagated. opencontainers/umoci#33
- `unpack`: Hardlinks are now extracted as real hardlinks. opencontainers/umoci#25

### Security ###
- `unpack`, `repack`: Symlinks are now correctly resolved inside the unpacked
  rootfs. opencontainers/umoci#27

## 0.0.0-rc1 - 2016-11-10 ##
### Added ###
- Proof of concept with major functionality implemented.
  + `unpack`
  + `repack`
  + `config`

[Unreleased]: https://github.com/opencontainers/umoci/compare/v0.4.7...HEAD
[0.4.7]: https://github.com/opencontainers/umoci/compare/v0.4.6...v0.4.7
[0.4.6]: https://github.com/opencontainers/umoci/compare/v0.4.5...v0.4.6
[0.4.5]: https://github.com/opencontainers/umoci/compare/v0.4.4...v0.4.5
[0.4.4]: https://github.com/opencontainers/umoci/compare/v0.4.3...v0.4.4
[0.4.3]: https://github.com/opencontainers/umoci/compare/v0.4.2...v0.4.3
[0.4.2]: https://github.com/opencontainers/umoci/compare/v0.4.1...v0.4.2
[0.4.1]: https://github.com/opencontainers/umoci/compare/v0.4.0...v0.4.1
[0.4.0]: https://github.com/opencontainers/umoci/compare/v0.3.1...v0.4.0
[0.3.1]: https://github.com/opencontainers/umoci/compare/v0.3.0...v0.3.1
[0.3.0]: https://github.com/opencontainers/umoci/compare/v0.2.1...v0.3.0
[0.2.1]: https://github.com/opencontainers/umoci/compare/v0.2.0...v0.2.1
[0.2.0]: https://github.com/opencontainers/umoci/compare/v0.1.0...v0.2.0
[0.1.0]: https://github.com/opencontainers/umoci/compare/v0.0.0...v0.1.0
[0.0.0]: https://github.com/opencontainers/umoci/compare/v0.0.0-rc3...v0.0.0
[0.0.0-rc3]: https://github.com/opencontainers/umoci/compare/v0.0.0-rc2...v0.0.0-rc3
[0.0.0-rc2]: https://github.com/opencontainers/umoci/compare/v0.0.0-rc1...v0.0.0-rc2