containers-common-0.63.0-1.el10

- update vendored components
- Related: RHEL-80817

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Jindrich Novy 2025-06-11 16:28:20 +02:00
parent 42a8bbc876
commit 033521fec2
7 changed files with 67 additions and 27 deletions


@ -7,17 +7,17 @@
# Packit will automatically update the image and storage versions on Fedora and # Packit will automatically update the image and storage versions on Fedora and
# CentOS Stream dist-git PRs. # CentOS Stream dist-git PRs.
%global skopeo_branch main %global skopeo_branch main
%global image_branch v5.34.0 %global image_branch v5.35.0
%global storage_branch v1.57.1 %global storage_branch v1.58.0
%global shortnames_branch main %global shortnames_branch main
%global common_branch v0.62.0 %global common_branch v0.63.0
%global common_version %(v=%{common_branch}; echo ${v:1}) %global common_version %(v=%{common_branch}; echo ${v:1})
Name: containers-common Name: containers-common
Epoch: 5 Epoch: 5
Version: %{common_version} Version: %{common_version}
Release: 2%{?dist} Release: 1%{?dist}
License: Apache-2.0 License: Apache-2.0
BuildArch: noarch BuildArch: noarch
# for BuildRequires: go-md2man # for BuildRequires: go-md2man
@ -203,6 +203,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%files extra %files extra
%changelog %changelog
* Wed Jun 11 2025 Jindrich Novy <jnovy@redhat.com> - 5:0.63.0-1
- update vendored components
- Related: RHEL-80817
* Sun Jun 08 2025 Lokesh Mandvekar <lsm5@redhat.com> - 5:0.62.0-2 * Sun Jun 08 2025 Lokesh Mandvekar <lsm5@redhat.com> - 5:0.62.0-2
- fetch TMT podman revdep tests from podman dist-git - fetch TMT podman revdep tests from podman dist-git
- needs at least podman 5.4.0-7.el10 - needs at least podman 5.4.0-7.el10


@ -329,6 +329,14 @@ This requirement requires an image to be signed using a sigstore signature with
"oidcIssuer": "https://expected.OIDC.issuer/", "oidcIssuer": "https://expected.OIDC.issuer/",
"subjectEmail", "expected-signing-user@example.com", "subjectEmail", "expected-signing-user@example.com",
}, },
"pki": {
"caRootsPath": "/path/to/local/CARoots/file",
"caRootsData": "base64-encoded-CARoots-data",
"caIntermediatesPath": "/path/to/local/CAIntermediates/file",
"caIntermediatesData": "base64-encoded-CAIntermediates-data",
"subjectHostname": "expected-signing-hostname.example.com",
"subjectEmail": "expected-signing-user@example.com"
},
"rekorPublicKeyPath": "/path/to/local/public/key/file", "rekorPublicKeyPath": "/path/to/local/public/key/file",
"rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"], "rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"],
"rekorPublicKeyData": "base64-encoded-public-key-data", "rekorPublicKeyData": "base64-encoded-public-key-data",
@ -336,7 +344,7 @@ This requirement requires an image to be signed using a sigstore signature with
"signedIdentity": identity_requirement "signedIdentity": identity_requirement
} }
``` ```
Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas` and `fulcio` must be present. Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas`, `fulcio` and `pki` must be present.
If `keyPath` or `keyData` is present, it contains a sigstore public key. If `keyPath` or `keyData` is present, it contains a sigstore public key.
Only signatures made by this key are accepted. Only signatures made by this key are accepted.
@ -350,6 +358,11 @@ Both `oidcIssuer` and `subjectEmail` are mandatory,
exactly specifying the expected identity provider, exactly specifying the expected identity provider,
and the identity of the user obtaining the Fulcio certificate. and the identity of the user obtaining the Fulcio certificate.
If `pki` is present, the signature must be based on a non-Fulcio X.509 certificate.
One of `caRootsPath` and `caRootsData` must be specified, containing certificates of the CAs.
Only one of `caIntermediatesPath` and `caIntermediatesData` can be present, containing certificates of the intermediate CAs.
One of `subjectEmail` and `subjectHostname` must be specified, exactly specifying the expected identity to which the certificate was issued.
At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present; At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present;
it is mandatory if `fulcio` is specified. it is mandatory if `fulcio` is specified.
If a Rekor public key is specified, If a Rekor public key is specified,
@ -407,6 +420,18 @@ selectively allow individual transports and scopes as desired.
"rekorPublicKeyPath": "/path/to/rekor.pub", "rekorPublicKeyPath": "/path/to/rekor.pub",
} }
], ],
/* A Sigstore-signed repository using a certificate generated by a custom public-key infrastructure.*/
"hostname:5000/myns/sigstore-signed-byopki": [
{
"type": "sigstoreSigned",
"pki": {
"caRootsPath": "/path/to/pki_root_crts.pem",
"caIntermediatesPath": "/path/to/pki_intermediate_crts.pem",
"subjectHostname": "test-user.example.com"
"subjectEmail": "test-user@example.com"
}
}
],
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
{ {
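Review bot: The new `sigstore-signed-byopki` example in the third hunk is not valid JSON: the line `"subjectHostname": "test-user.example.com"` has no trailing comma before `"subjectEmail"`, so a policy.json copied from this man page will fail to parse; it should read `"subjectHostname": "test-user.example.com",`. The prose in the second hunk, `One of subjectEmail and subjectHostname must be specified, exactly specifying the expected identity`, reads as "exactly one", while that example sets both, so the reader cannot tell whether both are accepted and, if so, whether both must match. If the validation code allows both (not visible here), suggest `At least one of subjectEmail and subjectHostname must be specified; if both are present, the certificate must match both.` Likewise `Only one of caIntermediatesPath and caIntermediatesData can be present` does not say whether the intermediates are optional; adding "(optional)" or "neither may be set" would remove the ambiguity for anyone writing a BYO-PKI policy.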


@ -77,7 +77,6 @@ An image in a directory structure compliant with the "Open Container Image Layou
The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_. The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an image, the directory must contain exactly one image.
For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images). For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images).
If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image. If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image.


@ -236,13 +236,12 @@ default_sysctls = [
# #
#mounts = [] #mounts = []
# Default way to to create a Network namespace for the container # Default way to create a NET namespace for the container.
# Options are: # The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option.
# `private` Create private Network Namespace for the container. # For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the podman-create(1)
# `host` Share host Network Namespace with the container. # manual for all available options.
# `none` Containers do not use the network
# #
#netns = "private" #netns = ""
# Do not modify the `/etc/hosts` file in the container. Podman assumes control # Do not modify the `/etc/hosts` file in the container. Podman assumes control
# over the container's `/etc/hosts` file by default; refer to the `--add-host` # over the container's `/etc/hosts` file by default; refer to the `--add-host`
@ -381,14 +380,17 @@ default_sysctls = [
#firewall_driver = "" #firewall_driver = ""
# The network name of the default network to attach pods to. # The name of the default network as seen in `podman network ls`. This option only effects the network assignment when
# the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as
# rootless. To change the default network mode use the **netns** option under the `[containers]` table.
#
# Note: This should not be changed while you have any containers using this network.
# #
#default_network = "podman" #default_network = "podman"
# The default subnet for the default network given in default_network. # The default subnet for the default network given in default_network.
# If a network with that name does not exist, a new network using that name and #
# this subnet will be created. # Note: This should not be changed if any containers are currently running on the default network.
# Must be a valid IPv4 CIDR prefix.
# #
#default_subnet = "10.88.0.0/16" #default_subnet = "10.88.0.0/16"
@ -898,7 +900,7 @@ runtime = "crun"
# Linux: # Linux:
# qemu - Open source machine emulator and virtualizer. (Default) # qemu - Open source machine emulator and virtualizer. (Default)
# Windows: there are currently two options: # Windows: there are currently two options:
# wsl - Windows Subsystem for Linux (Default) # wsl - Windows Subsystem for Linux (Default)
# hyperv - Windows Server Virtualization # hyperv - Windows Server Virtualization
# Mac: there are currently two options: # Mac: there are currently two options:
# applehv - Default Apple Hypervisor (Default) # applehv - Default Apple Hypervisor (Default)
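Review bot: The `netns` hunk changes the documented default from `"private"` to `""` but never says what an empty value resolves to, so a reader of this file cannot tell which network mode containers actually get; the `default_network` hunk only implies that bridge is the rootful default and "not as rootless". Suggest a comment line under the existing ones, e.g. `# An empty value lets podman pick the default: bridge as root, and the rootless default described in podman-create(1).` — the rootless mode is presumably pasta on this release but is not stated anywhere in the hunk, so verify before naming it. Minor wording in the same hunk: `This option only effects the network assignment` should be `only affects`.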


@ -199,7 +199,12 @@ container. The special value “none” can be specified to disable creation of
**env**=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"] **env**=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
Environment variable list for the container process, used for passing Environment variable list for the container process, used for passing
environment variables to the container. environment variables to the container. If a variable is listed without a value,
the value is copied from the host environment.
Note that this is only used when a container is created, not with subsequent
commands like `podman exec`. This prevents variables in the config file from
overwriting values specified on the command line when the container was created.
**env_host**=false **env_host**=false
@ -304,13 +309,12 @@ Specified as "type=TYPE,source=<directory-on-host>,destination=<directory-in-con
Example: [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ] Example: [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ]
**netns**="private" **netns**=""
Default way to create a NET namespace for the container. Default way to create a NET namespace for the container.
Options are: The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option.
`private` Create private NET Namespace for the container. For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the [podman-create(1)](https://docs.podman.io/en/latest/markdown/podman-create.1.html#network-mode-net)
`host` Share host NET Namespace with the container. manual for all available options.
`none` Containers do not use the network.
**no_hosts**=false **no_hosts**=false
@ -442,12 +446,17 @@ netavark_plugin_dirs = [
**default_network**="podman" **default_network**="podman"
The network name of the default network to attach pods to. The name of the default network as seen in `podman network ls`. This option only effects the network assignment when
the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as
rootless. To change the default network mode use the **netns** option under the `[containers]` table.
Note: This should not be changed while you have any containers using this network.
**default_subnet**="10.88.0.0/16" **default_subnet**="10.88.0.0/16"
The subnet to use for the default network (named above in **default_network**). The subnet to use for the default network (named above in **default_network**).
If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
Note: This should not be changed if any containers are currently running on the default network.
**default_subnet_pools**=[] **default_subnet_pools**=[]


@ -152,6 +152,7 @@
"fadvise64", "fadvise64",
"fadvise64_64", "fadvise64_64",
"fallocate", "fallocate",
"fanotify_init",
"fanotify_mark", "fanotify_mark",
"fchdir", "fchdir",
"fchmod", "fchmod",
@ -692,7 +693,6 @@
{ {
"names": [ "names": [
"bpf", "bpf",
"fanotify_init",
"lookup_dcookie", "lookup_dcookie",
"quotactl", "quotactl",
"quotactl_fd", "quotactl_fd",
@ -712,7 +712,6 @@
}, },
{ {
"names": [ "names": [
"fanotify_init",
"lookup_dcookie", "lookup_dcookie",
"perf_event_open", "perf_event_open",
"quotactl", "quotactl",
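Review bot: Moving `fanotify_init` into the unconditional allow list (first hunk) widens the default syscall profile, yet the commit message says only "update vendored components" and gives no rationale for a security-policy change. This presumably relies on the kernel's own checks — unprivileged fanotify (Linux 5.13+) is limited to `FAN_CLASS_NOTIF` without mount or filesystem marks, and the privileged modes still require CAP_SYS_ADMIN — so the seccomp filter would no longer be the enforcing layer, which is worth stating where a downstream reader will find it. The two rules it is removed from (second and third hunks) begin outside the hunk, so their `includes`/`excludes` capability conditions are not visible here; confirm the name is not still listed in any remaining capability-gated rule. Since seccomp.json has no comment syntax, record the reason in the spec changelog, e.g. `- seccomp: allow fanotify_init unconditionally; unprivileged fanotify is restricted by the kernel and privileged modes still need CAP_SYS_ADMIN`.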


@ -155,3 +155,5 @@
"grafana/oncall" = "docker.io/grafana/oncall" "grafana/oncall" = "docker.io/grafana/oncall"
"grafana/pyroscope" = "docker.io/grafana/pyroscope" "grafana/pyroscope" = "docker.io/grafana/pyroscope"
"grafana/tempo" = "docker.io/grafana/tempo" "grafana/tempo" = "docker.io/grafana/tempo"
# curl
"curl" = "quay.io/curl/curl"