
Conversation


@Dentrax Dentrax commented Mar 31, 2025

Needed by Rancher package.

CVEs in moby/moby can't be properly mitigated, as upgrading to different versions results in compilation failures.

└── 📄 /usr/bin/rancher-machine
        📦 github.com/moby/moby v1.4.2-0.20170731201646-1009e6a40b29 (go-module)
            High CVE-2024-36621 GHSA-2mj3-vfvx-fc43 fixed in 26.0.0
            Medium CVE-2022-24769 GHSA-2mm7-x5h6-5pvq fixed in 20.10.14
            Medium CVE-2021-41091 GHSA-3fwx-pjgw-3558 fixed in 20.10.9
            Medium CVE-2021-21285 GHSA-6fj5-m822-rqx8 fixed in 19.3.15
            Medium CVE-2020-27534 GHSA-6hwg-w5jg-9c6x fixed in 19.03.9
            Medium CVE-2021-21284 GHSA-7452-xqpj-6rpc fixed in 19.3.15
            High CVE-2024-36623 GHSA-gh5c-3h97-2f3q fixed in 26.0.0
            Medium GHSA-xmmx-7jpf-fx42 fixed in 20.10.11
            Medium CVE-2024-24557 GHSA-xw73-rw38-6vjc fixed in 24.0.9

Example:

go: github.com/rancher/machine/libmachine/mcndockerclient imports
2025/03/31 11:00:06 WARN     github.com/samalba/dockerclient tested by
2025/03/31 11:00:06 WARN     github.com/samalba/dockerclient.test imports
2025/03/31 11:00:06 WARN     github.com/docker/docker/pkg/jsonlog: module github.com/docker/docker@latest found (v28.0.4+incompatible, replaced by github.com/moby/[email protected]+incompatible), but does not contain package github.com/docker/docker/pkg/jsonlog

Fixes:

Related:

Pre-review Checklist

For new package PRs only

  • This PR is marked as fixing a pre-existing package request bug
    • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

For new version streams

  • The upstream project actually supports multiple concurrent versions.
  • Any subpackages include the version string in their package name (e.g. name: ${{package.name}}-compat)
  • The package (and subpackages) provides: logical unversioned forms of the package (e.g. nodejs, nodejs-lts)
  • If non-streamed package names no longer built, open PR to withdraw them (see WITHDRAWING PACKAGES)

For package updates (renames) in the base images

When updating packages that are part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk)

  • REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build
  • REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages
  • Upon launch, apk upgrade --latest either successfully upgrades packages or performs no actions

For security-related PRs

  • The security fix is recorded in the advisories repo

For version bump PRs

  • The epoch field is reset to 0

For PRs that add patches

  • Patch source is documented
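The scanner tree quoted in the description lists, per finding, the version in which it was fixed, but with inconsistent formatting ("19.03.9" next to "19.3.15"). The following is an added example (not part of this PR or of any wolfi tooling) that parses that tree format, normalises the versions, and computes the smallest upgrade per Go module that clears every finding; the sample input is constructed to mirror the scan output in the description.

```python
"""Triage a vulnerability-scanner module tree and compute, per Go module,
the smallest upgrade that clears every finding. Added example; not part of
the PR or of any wolfi tooling. The SCAN_OUTPUT sample is constructed to
mirror the scan output quoted in the PR description."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCAN_OUTPUT = """\
└── 📄 /usr/bin/rancher-machine
        📦 github.com/moby/moby v1.4.2-0.20170731201646-1009e6a40b29 (go-module)
            High CVE-2024-36621 GHSA-2mj3-vfvx-fc43 fixed in 26.0.0
            Medium CVE-2022-24769 GHSA-2mm7-x5h6-5pvq fixed in 20.10.14
            Medium CVE-2021-21285 GHSA-6fj5-m822-rqx8 fixed in 19.3.15
            Medium CVE-2020-27534 GHSA-6hwg-w5jg-9c6x fixed in 19.03.9
            Medium GHSA-xmmx-7jpf-fx42 fixed in 20.10.11
            Medium CVE-2024-24557 GHSA-xw73-rw38-6vjc fixed in 24.0.9
"""

# A module line: "📦 <module path> <version> (<ecosystem>)"
MODULE_RE = re.compile(r"📦\s+(?P<module>\S+)\s+(?P<version>\S+)\s+\((?P<kind>[^)]+)\)")
# A finding line: "<severity> <one or more ids> fixed in <version>"
FINDING_RE = re.compile(
    r"(?P<severity>Critical|High|Medium|Low)\s+(?P<ids>.+?)\s+fixed in\s+(?P<fixed>\S+)"
)


@dataclass
class Finding:
    module: str
    severity: str
    ids: Tuple[str, ...]   # CVE and/or GHSA identifiers as printed by the scanner
    fixed_in: str


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that '19.03.9' < '19.3.15' < '20.10.14' < '26.0.0'.
    A leading 'v' and any '+incompatible' or pre-release suffix are dropped."""
    core = v.lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))


def parse_scan(text: str) -> List[Finding]:
    """Walk the tree top-down; findings belong to the most recent module line."""
    findings: List[Finding] = []
    module = None
    for line in text.splitlines():
        m = MODULE_RE.search(line)
        if m:
            module = m.group("module")
            continue
        f = FINDING_RE.search(line)
        if f and module:
            findings.append(Finding(module, f.group("severity"),
                                    tuple(f.group("ids").split()), f.group("fixed")))
    return findings


def required_upgrade(findings: List[Finding]) -> Dict[str, str]:
    """Per module, the highest 'fixed in' version: upgrading to at least
    that version clears all listed findings for the module."""
    target: Dict[str, str] = {}
    for f in findings:
        cur = target.get(f.module)
        if cur is None or version_key(f.fixed_in) > version_key(cur):
            target[f.module] = f.fixed_in
    return target


def by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_scan(SCAN_OUTPUT)
    print(by_severity(found))
    for module, version in required_upgrade(found).items():
        print(f"{module}: upgrade to >= {version}")
```

The "upgrade to" result is only the first half of the triage: as the description notes, the required module version may not compile against the consumer, so the output is a target to check, not a change to apply blindly.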

Signed-off-by: Dentrax <[email protected]>
@octo-sts octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Mar 31, 2025
@Dentrax Dentrax marked this pull request as ready for review March 31, 2025 11:18
kranurag7 previously approved these changes Mar 31, 2025

@kranurag7 left a comment

Everything looks good. I'm thinking if we should use the 0.15.0.126 version so that we avoid any possible regressions on main. (I understand that the chances of this happening are low given they only bump dependencies, but this is a non-blocker in getting this merged.)

I hope that tests are enough to catch the possible regressions if they come up on master branch.


Dentrax commented Mar 31, 2025

Yeah, but I'm not sure on this. Pinning the version would require passing a version-prefix filter and the resulting version stream; we would also miss 0.15.1 if they cut it in the future.

@EyeCantCU (Member) commented

@Dentrax I don't believe there will ever be a 0.15.1, but there will continue to be -rancher<xyz> tags cut that we should track

Signed-off-by: Dentrax <[email protected]>

octo-sts bot commented Apr 2, 2025

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

• Detected Error: "FAIL Expected commit 99d2c8daa21d3e81eebb3cfcda46459473628126 for v0.15.0-rancher126, found 9d46e6bb16f98d184afa83267ea28d3dcc898478"

• Error Category: Version/Git Commit Verification

• Failure Point: git-checkout pipeline step verification of expected commit hash

• Root Cause Analysis: The expected commit hash in the melange YAML doesn't match the actual commit hash for the specified tag v0.15.0-rancher126

• Suggested Fix:

  1. Update the expected-commit in the git-checkout step to match the correct hash:
  - uses: git-checkout
    with:
      repository: https://github.com/rancher/machine
      expected-commit: 9d46e6bb16f98d184afa83267ea28d3dcc898478
      tag: v${{vars.mangled}}

• Explanation: The build system is correctly verifying git commit hashes to ensure reproducible builds and security. The current expected-commit hash (99d2c8...) doesn't match the actual commit hash (9d46e6...) for the tag v0.15.0-rancher126. Updating to the correct hash will allow the verification to pass.

• Additional Notes:

  • This is a security feature to ensure the exact version of code being built
  • The commit hash mismatch could indicate:
    • A tag was moved
    • The wrong commit hash was copied
    • The repository history was modified
  • You can verify the correct commit hash using:
    git ls-remote https://github.com/rancher/machine refs/tags/v0.15.0-rancher126

• References:
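The bot comment above explains that the git-checkout step compares the commit a tag resolves to against the expected-commit pinned in the melange YAML. One practical detail it does not show: for an annotated tag, git ls-remote prints two lines, the tag object's hash and, on the line suffixed with ^{}, the commit it points to; expected-commit must name the commit, so a checker has to prefer the peeled line. The following is an added example (not part of this PR thread, and not melange's own code) that parses ls-remote output with that rule and reports a mismatch the way the failed check did; the ls-remote output is constructed, and only the commit hashes quoted in the bot comment are real.

```python
"""Check that a git tag resolves to the commit pinned as expected-commit,
the same comparison melange's git-checkout step performs. Added example;
not part of the PR thread or of melange itself. SAMPLE_LS_REMOTE is
constructed; the two 40-hex commit hashes are the ones quoted in the bot
comment, the tag-object hash is a placeholder."""
import re
import subprocess
from typing import Dict, Optional, Tuple

EXPECTED = "9d46e6bb16f98d184afa83267ea28d3dcc898478"
STALE_PIN = "99d2c8daa21d3e81eebb3cfcda46459473628126"
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: an annotated tag lists the tag object first and the
# commit it points to on the '^{}' (peeled) line.
SAMPLE_LS_REMOTE = (
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.15.0-rancher126\n"
    "9d46e6bb16f98d184afa83267ea28d3dcc898478\trefs/tags/v0.15.0-rancher126^{}\n"
)


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map each ref name (including peeled '^{}' entries) to its hash."""
    refs: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, _, ref = line.partition("\t")
        refs[ref] = sha
    return refs


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Commit hash for `tag`: the peeled entry for an annotated tag, or the
    plain entry for a lightweight tag (which already points at a commit)."""
    refs = parse_ls_remote(ls_remote_output)
    base = f"refs/tags/{tag}"
    return refs.get(base + "^{}") or refs.get(base)


def verify(ls_remote_output: str, tag: str, expected: str) -> Tuple[bool, str]:
    """Mirror the build-time check: the tag must resolve to exactly `expected`."""
    if not HEX40.match(expected):
        return (False, "expected-commit is not a full 40-hex commit hash")
    actual = resolve_tag(ls_remote_output, tag)
    if actual is None:
        return (False, "tag not found")
    if actual != expected:
        return (False, f"Expected commit {expected} for {tag}, found {actual}")
    return (True, "ok")


def ls_remote(repository: str, tag: str) -> str:
    """Live lookup (needs network and a git binary). The trailing '*' keeps
    the peeled '^{}' line in the output; `--refs` would drop it."""
    proc = subprocess.run(
        ["git", "ls-remote", "--tags", repository, f"refs/tags/{tag}*"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(verify(SAMPLE_LS_REMOTE, "v0.15.0-rancher126", STALE_PIN))
    print(verify(SAMPLE_LS_REMOTE, "v0.15.0-rancher126", EXPECTED))
```

Using the peeled commit is what makes the pin meaningful: a tag can be moved or re-created, but the expected-commit recorded at review time only passes if the tag still points at that exact commit.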

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Apr 2, 2025
Signed-off-by: Dentrax <[email protected]>
Co-authored-by: James Rawlings <[email protected]>
Signed-off-by: Dentrax <[email protected]>
@Dentrax Dentrax merged commit c54c5f1 into wolfi-dev:main Apr 2, 2025
14 of 15 checks passed