From 05f8598395e7faa90c5b505fa75ff58bbcf46de1 Mon Sep 17 00:00:00 2001
From: matt
Date: Mon, 11 Oct 2021 13:43:44 -0700
Subject: [PATCH 1/3] Update docker images and centos repos to address CVE false positives

---
 Dockerfile.amd64       | 13 +++++++------
 centos.repo            |  4 ++--
 clean-up-filesystem.sh |  2 ++
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index a7d6bd892..6f580876d 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -13,7 +13,7 @@
 # limitations under the License.
 ARG ARCH=x86_64
 ARG GIT_VERSION=unknown
-ARG IPTABLES_VER=1.8.4-15
+ARG IPTABLES_VER=1.8.4-17
 ARG LIBNFTNL_VER=1.1.5-4
 ARG RUNIT_VER=2.1.2
 ARG BIRD_IMAGE=calico/bird:latest
@@ -31,7 +31,7 @@ ARG ARCH
 ARG IPTABLES_VER
 ARG LIBNFTNL_VER
 ARG RUNIT_VER
-ARG CENTOS_MIRROR_BASE_URL=http://vault.centos.org/8.3.2011
+ARG CENTOS_MIRROR_BASE_URL=https://vault.centos.org/8.4.2105
 ARG LIBNFTNL_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/libnftnl-${LIBNFTNL_VER}.el8.src.rpm
 ARG IPTABLES_SOURCERPM_URL=${CENTOS_MIRROR_BASE_URL}/BaseOS/Source/SPackages/iptables-${IPTABLES_VER}.el8.src.rpm
 
@@ -88,13 +88,14 @@ RUN sed -i '/%files$/a \
 RUN rpmbuild -bb /root/rpmbuild/SPECS/iptables.spec
 
 # runit is not available in ubi or CentOS repos so build it.
-RUN wget -P /tmp http://smarden.org/runit/runit-${RUNIT_VER}.tar.gz && \
-    gunzip /tmp/runit-${RUNIT_VER}.tar.gz && \
-    tar -xpf /tmp/runit-${RUNIT_VER}.tar -C /tmp && \
+# get it from the debian repos as the official website doesn't support https
+RUN wget -P /tmp https://ftp.debian.org/debian/pool/main/r/runit/runit_${RUNIT_VER}.orig.tar.gz && \
+    gunzip /tmp/runit_${RUNIT_VER}.orig.tar.gz && \
+    tar -xpf /tmp/runit_${RUNIT_VER}.orig.tar -C /tmp && \
     cd /tmp/admin/runit-${RUNIT_VER}/ && \
     package/install
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 as ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4 as ubi
 ARG ARCH
 ARG GIT_VERSION
 ARG IPTABLES_VER
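Review bot: The runit tarball fetched by the new `wget` line is still unpacked and installed with no integrity check, so switching from the upstream http URL to the Debian https mirror protects the transfer but not the content that ends up built into the image. A pinned digest closes that gap: after the wget, add `echo "<sha256-of-runit-tarball>  /tmp/runit_${RUNIT_VER}.orig.tar.gz" | sha256sum -c - && \` ahead of the `gunzip` line (placeholder to be filled from a download verified out of band). The same hunk moves the final stage to `ubi-minimal:8.4`, a floating tag; pinning it by `@sha256:` digest would make the CVE-scan result this commit is chasing reproducible across rebuilds. The build stage that owns this `RUN` chain starts before the hunk.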
diff --git a/centos.repo b/centos.repo
index 7144b2f69..383de314a 100644
--- a/centos.repo
+++ b/centos.repo
@@ -1,13 +1,13 @@
 [centos-8-base-os]
 name = CentOS - BaseOS
-baseurl = http://vault.centos.org/8.1.1911/BaseOS/x86_64/os
+baseurl = https://mirror.rackspace.com/CentOS/8.4.2105/BaseOS/x86_64/os/
 enabled = 1
 gpgkey = https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
 gpgcheck = 1
 
 [centos-8-appstream]
 name = CentOS - AppStream
-baseurl = http://vault.centos.org/8.1.1911/AppStream/x86_64/os
+baseurl = https://mirror.rackspace.com/CentOS/8.4.2105/AppStream/x86_64/os/
 enabled = 1
 gpgkey = https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
 gpgcheck = 1
diff --git a/clean-up-filesystem.sh b/clean-up-filesystem.sh
index 49f41febd..9555fd58d 100755
--- a/clean-up-filesystem.sh
+++ b/clean-up-filesystem.sh
@@ -245,10 +245,12 @@ packages_to_keep=(
     libcrypto
     libelf
     libgcc
+    libibverbs
     libmnl
     libnetfilter
     libnfnetlink
     libnftnl
+    libnl3
     libnss
     libpcap
     libpwquality
From f10c5d6ac569a213d093586c8e1add4986df1648 Mon Sep 17 00:00:00 2001
From: matt
Date: Fri, 15 Oct 2021 11:40:02 -0700
Subject: [PATCH 2/3] Clean up semaphore disk before running tests

---
 .semaphore/semaphore.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index b91b74cf7..e1fa00de8 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
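Review bot: Both new `baseurl` lines point a pinned point release (8.4.2105) at a third-party mirror while keeping only `gpgcheck = 1`, which verifies RPM signatures but says nothing about the repository metadata, so a stale or tampered `repomd.xml` served by the mirror can quietly pin the build to older packages with no error. If the mirror carries the signed `repomd.xml.asc`, adding `repo_gpgcheck = 1` under each `gpgcheck = 1` line extends the existing key check to the metadata; if it does not, that is itself a reason to stay on the vault host that the Dockerfile in this same patch already uses over https. Mirrors also typically drop a point release once the next one ships, whereas vault keeps it, so this URL may stop resolving before the image is next rebuilt.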
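Review bot: `libibverbs` and `libnl3` are added to `packages_to_keep` with no comment saying which retained package now needs them, so the next person trimming the image cannot tell whether they are a real runtime dependency or a side effect of the base-image bump in the same patch. Every entry kept here enlarges the shipped (and scanned) surface, so a one-line reason per entry is worth having, e.g. `libibverbs  # TODO(review): record which kept package requires this` (bash allows trailing comments inside an array literal). The `packages_to_keep=(` array opens before the hunk and closes after it.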
@@ -11,6 +11,14 @@ global_job_config:
     - name: docker-hub
   prologue:
     commands:
+      # make some room on the disk
+      - sudo rm -rf ~/.kiex ~/.phpbrew ~/.rbenv ~/.nvm ~/.kerl
+      # Semaphore mounts a copy-on-write FS as /var/lib/docker in order to provide a pre-loaded cache of
+      # some images. However, the cache is not useful to us and the copy-on-write FS is a big problem given
+      # how much we churn docker containers during the build. Disable it.
+      - sudo systemctl stop docker
+      - sudo umount /var/lib/docker && sudo killall qemu-nbd || true
+      - sudo systemctl start docker
       - echo $DOCKERHUB_PASSWORD | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
       - checkout
       # Semaphore is doing shallow clone on a commit without tags.
From fcccd7f7f944f71482f2c0c193bbc65fbee416db Mon Sep 17 00:00:00 2001
From: matt
Date: Fri, 15 Oct 2021 16:37:43 -0700
Subject: [PATCH 3/3] fix missing ipreservations in the tests

---
 tests/k8st/infra/calico-kdd.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/k8st/infra/calico-kdd.yaml b/tests/k8st/infra/calico-kdd.yaml
index d8f5d4cf0..197b025f7 100644
--- a/tests/k8st/infra/calico-kdd.yaml
+++ b/tests/k8st/infra/calico-kdd.yaml
@@ -304,6 +304,7 @@ rules:
   - apiGroups: ["crd.projectcalico.org"]
     resources:
       - ippools
+      - ipreservations
     verbs:
       - list
   - apiGroups: ["crd.projectcalico.org"]
@@ -429,6 +430,7 @@ rules:
       - globalbgpconfigs
       - bgpconfigurations
       - ippools
+      - ipreservations
       - ipamblocks
       - globalnetworkpolicies
       - globalnetworksets
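Review bot: The `|| true` on the new `sudo umount /var/lib/docker && sudo killall qemu-nbd || true` line covers the whole chain, so when the umount fails the job silently restarts docker on the copy-on-write mount that the comment just above identifies as the problem, and the build then runs in exactly the state this change is meant to avoid. Splitting it into `- sudo umount /var/lib/docker || echo "WARNING: /var/lib/docker did not unmount"` and `- sudo killall qemu-nbd || true` keeps the best-effort behaviour while making the failure visible in the job log; if the cache is known to always be mounted, the umount could instead be left to fail the job. The `commands:` list presumably continues past the end of the hunk.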