rpms/containers-common
6
0
Fork 0
Code Issues Pull Requests Releases Activity

containers-common-0.63.0-1.el10

Browse Source 
- update vendored components
- Related: RHEL-80817

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2025-06-11 16:28:20 +02:00
parent 42a8bbc876
commit 033521fec2
7 changed files with 67 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
containers-common.spec
View File

@ -7,17 +7,17 @@
# Packit will automatically update the image and storage versions on Fedora and
# CentOS Stream dist-git PRs.
%global skopeo_branch main
%global image_branch v5.34.0
%global storage_branch v1.57.1
%global image_branch v5.35.0
%global storage_branch v1.58.0
%global shortnames_branch main
%global common_branch v0.62.0
%global common_branch v0.63.0
%global common_version %(v=%{common_branch}; echo ${v:1})
Name: containers-common
Epoch: 5
Version: %{common_version}
Release: 2%{?dist}
Release: 1%{?dist}
License: Apache-2.0
BuildArch: noarch
# for BuildRequires: go-md2man
@ -203,6 +203,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%files extra
%changelog
* Wed Jun 11 2025 Jindrich Novy <jnovy@redhat.com> - 5:0.63.0-1
- update vendored components
- Related: RHEL-80817
* Sun Jun 08 2025 Lokesh Mandvekar <lsm5@redhat.com> - 5:0.62.0-2
- fetch TMT podman revdep tests from podman dist-git
- needs at least podman 5.4.0-7.el10

27
containers-policy.json.5.md
View File

@ -329,6 +329,14 @@ This requirement requires an image to be signed using a sigstore signature with
"oidcIssuer": "https://expected.OIDC.issuer/",
"subjectEmail", "expected-signing-user@example.com",
},
"pki": {
"caRootsPath": "/path/to/local/CARoots/file",
"caRootsData": "base64-encoded-CARoots-data",
"caIntermediatesPath": "/path/to/local/CAIntermediates/file",
"caIntermediatesData": "base64-encoded-CAIntermediates-data",
"subjectHostname": "expected-signing-hostname.example.com",
"subjectEmail": "expected-signing-user@example.com"
},
"rekorPublicKeyPath": "/path/to/local/public/key/file",
"rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"],
"rekorPublicKeyData": "base64-encoded-public-key-data",
@ -336,7 +344,7 @@ This requirement requires an image to be signed using a sigstore signature with
"signedIdentity": identity_requirement
}
```
Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas` and `fulcio` must be present.
Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas`, `fulcio` and `pki` must be present.
If `keyPath` or `keyData` is present, it contains a sigstore public key.
Only signatures made by this key are accepted.
@ -350,6 +358,11 @@ Both `oidcIssuer` and `subjectEmail` are mandatory,
exactly specifying the expected identity provider,
and the identity of the user obtaining the Fulcio certificate.
If `pki` is present, the signature must be based on a non-Fulcio X.509 certificate.
One of `caRootsPath` and `caRootsData` must be specified, containing certificates of the CAs.
Only one of `caIntermediatesPath` and `caIntermediatesData` can be present, containing certificates of the intermediate CAs.
One of `subjectEmail` and `subjectHostname` must be specified, exactly specifying the expected identity to which the certificate was issued.
At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present;
it is mandatory if `fulcio` is specified.
If a Rekor public key is specified,
@ -407,6 +420,18 @@ selectively allow individual transports and scopes as desired.
"rekorPublicKeyPath": "/path/to/rekor.pub",
}
],
/* A Sigstore-signed repository using a certificate generated by a custom public-key infrastructure.*/
"hostname:5000/myns/sigstore-signed-byopki": [
{
"type": "sigstoreSigned",
"pki": {
"caRootsPath": "/path/to/pki_root_crts.pem",
"caIntermediatesPath": "/path/to/pki_intermediate_crts.pem",
"subjectHostname": "test-user.example.com"
"subjectEmail": "test-user@example.com"
}
}
],
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
{

1
containers-transports.5.md
View File

@ -77,7 +77,6 @@ An image in a directory structure compliant with the "Open Container Image Layou
The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an image, the directory must contain exactly one image.
For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images).
If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image.

24
containers.conf
View File

@ -236,13 +236,12 @@ default_sysctls = [
#
#mounts = []
# Default way to to create a Network namespace for the container
# Options are:
# `private` Create private Network Namespace for the container.
# `host` Share host Network Namespace with the container.
# `none` Containers do not use the network
# Default way to create a NET namespace for the container.
# The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option.
# For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the podman-create(1)
# manual for all available options.
#
#netns = "private"
#netns = ""
# Do not modify the `/etc/hosts` file in the container. Podman assumes control
# over the container's `/etc/hosts` file by default; refer to the `--add-host`
@ -381,14 +380,17 @@ default_sysctls = [
#firewall_driver = ""
# The network name of the default network to attach pods to.
# The name of the default network as seen in `podman network ls`. This option only effects the network assignment when
# the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as
# rootless. To change the default network mode use the **netns** option under the `[containers]` table.
#
# Note: This should not be changed while you have any containers using this network.
#
#default_network = "podman"
# The default subnet for the default network given in default_network.
# If a network with that name does not exist, a new network using that name and
# this subnet will be created.
# Must be a valid IPv4 CIDR prefix.
#
# Note: This should not be changed if any containers are currently running on the default network.
#
#default_subnet = "10.88.0.0/16"
@ -898,7 +900,7 @@ runtime = "crun"
# Linux:
# qemu - Open source machine emulator and virtualizer. (Default)
# Windows: there are currently two options:
# wsl - Windows Subsystem for Linux (Default)
# wsl - Windows Subsystem for Linux (Default)
# hyperv - Windows Server Virtualization
# Mac: there are currently two options:
# applehv - Default Apple Hypervisor (Default)

25
containers.conf.5.md
View File

@ -199,7 +199,12 @@ container. The special value “none” can be specified to disable creation of
**env**=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
Environment variable list for the container process, used for passing
environment variables to the container.
environment variables to the container. If a variable is listed without a value,
the value is copied from the host environment.
Note that this is only used when a container is created, not with subsequent
commands like `podman exec`. This prevents variables in the config file from
overwriting values specified on the command line when the container was created.
**env_host**=false
@ -304,13 +309,12 @@ Specified as "type=TYPE,source=<directory-on-host>,destination=<directory-in-con
Example: [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ]
**netns**="private"
**netns**=""
Default way to create a NET namespace for the container.
Options are:
`private` Create private NET Namespace for the container.
`host` Share host NET Namespace with the container.
`none` Containers do not use the network.
The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option.
For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the [podman-create(1)](https://docs.podman.io/en/latest/markdown/podman-create.1.html#network-mode-net)
manual for all available options.
**no_hosts**=false
@ -442,12 +446,17 @@ netavark_plugin_dirs = [
**default_network**="podman"
The network name of the default network to attach pods to.
The name of the default network as seen in `podman network ls`. This option only effects the network assignment when
the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as
rootless. To change the default network mode use the **netns** option under the `[containers]` table.
Note: This should not be changed while you have any containers using this network.
**default_subnet**="10.88.0.0/16"
The subnet to use for the default network (named above in **default_network**).
If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
Note: This should not be changed if any containers are currently running on the default network.
**default_subnet_pools**=[]

3
seccomp.json
View File

@ -152,6 +152,7 @@
"fadvise64",
"fadvise64_64",
"fallocate",
"fanotify_init",
"fanotify_mark",
"fchdir",
"fchmod",
@ -692,7 +693,6 @@
{
"names": [
"bpf",
"fanotify_init",
"lookup_dcookie",
"quotactl",
"quotactl_fd",
@ -712,7 +712,6 @@
},
{
"names": [
"fanotify_init",
"lookup_dcookie",
"perf_event_open",
"quotactl",

2
shortnames.conf
View File

@ -155,3 +155,5 @@
"grafana/oncall" = "docker.io/grafana/oncall"
"grafana/pyroscope" = "docker.io/grafana/pyroscope"
"grafana/tempo" = "docker.io/grafana/tempo"
# curl
"curl" = "quay.io/curl/curl"