rpms/containers-common
7
0
Fork 0
Code Issues Pull Requests Releases Activity

containers-common-0.61.0-1.el10

Browse Source 
- make spec file compatible with RHEL
- update vendored components
- Resolves: RHEL-69842

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2024-12-16 12:12:58 +01:00
parent 455b4b4aed
commit 099a656e30
9 changed files with 523 additions and 253 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.containerfile.5
View File

@ -1 +0,0 @@
.so man5/containerfile.5

1
.containerignore.5
View File

@ -1 +0,0 @@
.so man5/containerignore.5

114
Containerfile.5.md
View File

@ -9,7 +9,7 @@ Containerfile(Dockerfile) - automate the steps of creating a container image
The **Containerfile** is a configuration file that automates the steps of creating a container image. It is similar to a Makefile. Container engines (Podman, Buildah, Docker) read instructions from the **Containerfile** to automate the steps otherwise performed manually to create an image. To build an image, create a file called **Containerfile**.
The **Containerfile** describes the steps taken to assemble the image. When the
**Containerfile** has been created, call the `buildah bud`, `podman build`, `docker build` command,
**Containerfile** has been created, call the `buildah build`, `podman build`, `docker build` command,
using the path of context directory that contains **Containerfile** as the argument. Podman and Buildah default to **Containerfile** and will fall back to **Dockerfile**. Docker only will search for **Dockerfile** in the context directory.
@ -31,7 +31,7 @@ A Containerfile is similar to a Makefile.
# USAGE
```
buildah bud .
buildah build .
podman build .
```
@ -40,7 +40,7 @@ A Containerfile is similar to a Makefile.
build.
```
buildah bud -t repository/tag .
buildah build -t repository/tag .
podman build -t repository/tag .
```
@ -61,7 +61,7 @@ A Containerfile is similar to a Makefile.
`FROM image@digest [AS <name>]`
-- The **FROM** instruction sets the base image for subsequent instructions. A
valid Containerfile must have either **ARG** or *FROM** as its first instruction.
valid Containerfile must have either **ARG** or **FROM** as its first instruction.
If **FROM** is not the first instruction in the file, it may only be preceded by
one or more ARG instructions, which declare arguments that are used in the next FROM line in the Containerfile.
The image can be any valid image. It is easy to start by pulling an image from the public
@ -82,7 +82,7 @@ A Containerfile is similar to a Makefile.
-- If no digest is given to the **FROM** instruction, container engines apply the
`latest` tag. If the used tag does not exist, an error is returned.
-- A name can be assigned to a build stage by adding **AS name** to the instruction.
-- A name can be assigned to a build stage by adding **AS name** to the instruction.
The name can be referenced later in the Containerfile using the **FROM** or **COPY --from=<name>** instructions.
**MAINTAINER**
@ -109,7 +109,7 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.
e.g.
mount=type=bind,source=/path/on/host,destination=/path/in/container
mount=type=bind,source=/path/on/host,destination=/path/in/container,relabel=shared
mount=type=tmpfs,tmpfs-size=512M,destination=/path/in/container
@ -117,45 +117,57 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.
Common Options:
· src, source: mount source spec for bind and volume. Mandatory for bind. If `from` is specified, `src` is the subpath in the `from` field.
· src, source: mount source spec for bind and volume. Mandatory for bind. If `from` is specified, `src` is the subpath in the `from` field.
· dst, destination, target: mount destination spec.
· dst, destination, target: mount destination spec.
· ro, read-only: true (default) or false.
· ro, read-only: true (default) or false.
Options specific to bind:
· bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
· bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
. bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
. bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
· from: stage or image name for the root of the source. Defaults to the build context.
· from: stage or image name for the root of the source. Defaults to the build context.
· rw, read-write: allows writes on the mount.
· relabel=shared, z: Relabels src content with a shared label.
. relabel=private, Z: Relabels src content with a private label.
Labeling systems like SELinux require proper labels on the bind mounted content mounted into a container. Without a label, the security system might prevent the processes running in side the container from using the content. By default, container engines do not change the labels set by the OS. The relabel flag tells the engine to relabel file objects on the shared mountz.
The relabel=shared and z options tell the engine that two or more containers will share the mount content. The engine labels the content with a shared content label.
The relabel=private and Z options tell the engine to label the content with a private unshared label. Only the current container can use a private mount.
Relabeling walks the file system under the mount and changes the label on each file, if the mount has thousands of inodes, this process takes a long time, delaying the start of the container.
· rw, read-write: allows writes on the mount.
Options specific to tmpfs:
· tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
· tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
· tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
· tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
· tmpcopyup: Path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.
· tmpcopyup: Path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.
Options specific to cache:
· id: Create a separate cache directory for a particular id.
· id: Create a separate cache directory for a particular id.
· mode: File mode for new cache directory in octal. Default 0755.
· mode: File mode for new cache directory in octal. Default 0755.
· ro, readonly: read only cache if set.
· ro, readonly: read only cache if set.
· uid: uid for cache directory.
· uid: uid for cache directory.
· gid: gid for cache directory.
· gid: gid for cache directory.
· from: stage name for the root of the source. Defaults to host cache directory.
· from: stage name for the root of the source. Defaults to host cache directory.
· rw, read-write: allows writes on the mount.
· rw, read-write: allows writes on the mount.
**RUN --network**
@ -207,7 +219,7 @@ Container engines pass secret the secret file into the build using the `--secret
**--mount**=*type=secret,TYPE-SPECIFIC-OPTION[,...]*
- `id` is the identifier for the secret passed into the `buildah bud --secret` or `podman build --secret`. This identifier is associated with the RUN --mount identifier to use in the Containerfile.
- `id` is the identifier for the secret passed into the `buildah build --secret` or `podman build --secret`. This identifier is associated with the RUN --mount identifier to use in the Containerfile.
- `dst`|`target`|`destination` rename the secret file to a specific file in the Containerfile RUN command to use.
@ -224,7 +236,7 @@ RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
The secret needs to be passed to the build using the --secret flag. The final image built does not container the secret file:
```
buildah bud --no-cache --secret id=mysecret,src=mysecret.txt .
buildah build --no-cache --secret id=mysecret,src=mysecret.txt .
```
-- The **RUN** instruction executes any commands in a new layer on top of the current
@ -463,7 +475,7 @@ The secret needs to be passed to the build using the --secret flag. The final im
In the above example, the output of the **pwd** command is **a/b/c**.
**ARG**
-- ARG <name>[=<default value>]
-- `ARG <name>[=<default value>]`
The `ARG` instruction defines a variable that users can pass at build-time to
the builder with the `podman build` and `buildah build` commands using the
@ -594,6 +606,56 @@ The secret needs to be passed to the build using the --secret flag. The final im
$ podman build --build-arg HTTPS_PROXY=https://my-proxy.example.com .
```
**Platform/OS/Arch ARG**
-- `ARG <name>`
When building multi-arch manifest-lists or images for a foreign-architecture,
it's often helpful to have access to platform details within the `Containerfile`.
For example, when using a `RUN curl ...` command to install OS/Arch specific
binary into the image. Or, if certain `RUN` operations are known incompatible
or non-performant when emulating a specific architecture.
There are several named `ARG` variables available. The purpose of each should be
self-evident by its name. _However_, in all cases these ARG values are **not**
automatically populated. You must always declare them within each `FROM` section
of the `Containerfile`.
The available `ARG <name>` variables are available with two prefixes:
* `TARGET...` variable names represent details about the currently running build
context (i.e. "inside" the container). These are often the most useful:
* `TARGETOS`: For example `linux`
* `TARGETARCH`: For example `amd64`
* `TARGETPLATFORM`: For example `linux/amd64`
* `TARGETVARIANT`: Uncommonly used, specific to `TARGETARCH`
* `BUILD...` variable names signify details about the _host_ performing the build
(i.e. "outside" the container):
* `BUILDOS`: OS of host performing the build
* `BUILDARCH`: Arch of host performing the build
* `BUILDPLATFORM`: Combined OS/Arch of host performing the build
* `BUILDVARIANT`: Uncommonly used, specific to `BUILDARCH`
An example `Containerfile` that uses `TARGETARCH` to fetch an arch-specific binary could be:
```
FROM busybox
ARG TARGETARCH
RUN curl -sSf -O https://example.com/downloads/bin-${TARGETARCH}.zip
```
Assuming the host platform is `linux/amd64` and foreign-architecture emulation
enabled (e.g. `qemu-user-static`), then running the command:
```
$ podman build --platform linux/s390x .
```
Would end up running `curl` on `https://example.com/downloads/bin-s390x.zip` and producing
a container image suited for the the `linux/s390x` platform. **Note:** Emulation isn't
strictly required, these special build-args will also function when building using
`podman farm build`.
**ONBUILD**
-- `ONBUILD [INSTRUCTION]`
The **ONBUILD** instruction adds a trigger instruction to an image. The

210
containers-common.spec
View File

@ -6,41 +6,18 @@
# Packit will automatically update the image and storage versions on Fedora and
# CentOS Stream dist-git PRs.
%global skopeo_branch main
%global image_branch v5.33.0
%global storage_branch v1.56.0
%global shortnames_branch main
%global common_branch v0.61.0
%global project containers
%global repo common
%global raw_github_url https://raw.githubusercontent.com/%{project}
%if %{defined copr_username}
%define copr_build 1
%endif
# See https://github.com/containers/netavark/blob/main/rpm/netavark.spec
# for netavark epoch
%if %{defined copr_build}
%define netavark_epoch 102
%else
%define netavark_epoch 2
%endif
%global common_version %(v=%{common_branch}; echo ${v:1})
Name: containers-common
%if %{defined copr_build}
Epoch: 102
%else
Epoch: 5
%endif
# DO NOT TOUCH the Version string!
# The TRUE source of this specfile is:
# https://github.com/containers/common/blob/main/rpm/containers-common.spec
# If that's what you're reading, Version must be 0, and will be updated by Packit for
# copr and koji builds.
# If you're reading this on dist-git, the version is automatically filled in by Packit.
Version: 0.60.2
Release: 13%{?dist}
Version: %{common_version}
Release: 1%{?dist}
License: Apache-2.0
BuildArch: noarch
# for BuildRequires: go-md2man
@ -57,28 +34,41 @@ Suggests: fuse-overlayfs
Requires: /etc/pki/sigstore/REKOR-signing-key
Requires: /etc/pki/sigstore/SIGSTORE-redhat-release3
%endif
URL: https://github.com/%{project}/%{repo}
Source0: %{url}/archive/v%{version_no_tilde}.tar.gz
Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md
Source2: %{raw_github_url}/image/%{image_branch}/docs/containers-certs.d.5.md
Source3: %{raw_github_url}/image/%{image_branch}/docs/containers-policy.json.5.md
Source4: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.5.md
Source5: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source6: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.d.5.md
Source7: %{raw_github_url}/image/%{image_branch}/docs/containers-signature.5.md
Source8: %{raw_github_url}/image/%{image_branch}/docs/containers-transports.5.md
Source9: %{raw_github_url}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source10: %{raw_github_url}/shortnames/%{shortnames_branch}/shortnames.conf
Source11: %{raw_github_url}/image/%{image_branch}/default.yaml
Source12: default-policy.json
Source13: %{raw_github_url}/image/%{image_branch}/registries.conf
Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
Source15: REKOR-signing-key
Source16: SIGSTORE-redhat-release3
Source17: registry.access.redhat.com.yaml
Source18: registry.redhat.io.yaml
URL: https://github.com/containers/common
Source1: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/storage.conf
Source2: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source3: mounts.conf
Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
Source5: https://raw.githubusercontent.com/containers/image/%{image_branch}/registries.conf
Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md
Source12: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.d.5.md
Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/config/containers.conf
Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md
Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md
Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
Source19: 001-rhel-shortnames-pyxis.conf
Source20: 002-rhel-shortnames-overrides.conf
Source22: registry.access.redhat.com.yaml
Source23: registry.redhat.io.yaml
#Source24: https://raw.githubusercontent.com/containers/skopeo/%%{skopeo_branch}/default-policy.json
Source24: default-policy.json
Source25: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/default.yaml
# FIXME: fix the branch once these are available via regular c/common branch
Source26: https://raw.githubusercontent.com/containers/common/main/docs/Containerfile.5.md
Source27: https://raw.githubusercontent.com/containers/common/main/docs/containerignore.5.md
Source29: REKOR-signing-key
Source30: SIGSTORE-redhat-release3
# scripts used for synchronization with upstream and shortname generation
Source100: update.sh
Source101: update-vendored.sh
Source102: pyxis.sh
%description
This package contains common configuration files and documentation for container
@ -95,113 +85,66 @@ Requires: container-network-stack
Requires: oci-runtime
Requires: nftables
Requires: passt
%if %{defined fedora}
Requires: iptables
Conflicts: podman < 5:5.0.0~rc4-1
Recommends: composefs
Recommends: crun
Requires: (crun if fedora-release-identity-server)
Requires: netavark >= %{netavark_epoch}:1.10.3-1
Suggests: slirp4netns
Recommends: qemu-user-static
Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
Requires: (qemu-user-static-arm if fedora-release-identity-server)
Requires: (qemu-user-static-x86 if fedora-release-identity-server)
%endif
%description extra
This subpackage will handle dependencies common to Podman and Buildah which are
not required by Skopeo.
%prep
%autosetup -Sgit -n %{repo}-%{version_no_tilde}
# Copy manpages to docs subdir in builddir to build before installing.
cp %{SOURCE1} docs/.
cp %{SOURCE2} docs/.
cp %{SOURCE3} docs/.
cp %{SOURCE4} docs/.
cp %{SOURCE5} docs/.
cp %{SOURCE6} docs/.
cp %{SOURCE7} docs/.
cp %{SOURCE8} docs/.
cp %{SOURCE9} docs/.
# Copy config files to builddir to patch them before installing.
# Currently, only registries.conf and storage.conf files are patched before
# installing.
cp %{SOURCE10} shortnames.conf
cp %{SOURCE13} registries.conf
cp %{SOURCE14} storage.conf
# Fine-grain distro- and release-specific tuning of config files,
# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
bash rpm/update-config-files.sh
%build
mkdir -p man5
for i in docs/*.5.md; do
go-md2man -in $i -out man5/$(basename $i .md)
done
%install
ensure() {
if grep ^$2[[:blank:]].*= $1 > /dev/null
then
sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1
else
if grep ^\#.*$2[[:blank:]].*= $1 > /dev/null
then
sed -i "/^#.*$2[[:blank:]].*=/a \
$2 = $3" $1
else
echo "$2 = $3" >> $1
fi
fi
}
# ensure required configurations for RHEL10 is present
ensure pkg/config/containers.conf runtime \"crun\"
ensure pkg/config/containers.conf log_driver \"k8s-file\"
# install config and policy files for registries
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd}
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd,registries.d,registries.conf.d}
install -dp %{buildroot}%{_datadir}/containers/systemd
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -dp %{buildroot}%{_prefix}/lib/containers/storage
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
install -Dp -m0644 shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -m0644 %{SOURCE1} %{buildroot}%{_datadir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
install -Dp -m0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -Dp -m0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/containers/policy.json
install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf
%if 0%{?fedora} || 0%{?centos}
install -dp %{buildroot}%{_sysconfdir}/pki/sigstore
install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/sigstore
install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/sigstore
%endif
install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -Dp -m0644 %{SOURCE17} -t %{buildroot}%{_sysconfdir}/containers/registries.d
install -Dp -m0644 %{SOURCE18} -t %{buildroot}%{_sysconfdir}/containers/registries.d
# install manpages
# for containers-common
install -dp %{buildroot}%{_mandir}/man5
for i in man5/*.5; do
install -Dp -m0644 $i -t %{buildroot}%{_mandir}/man5
done
go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
go-md2man -in %{SOURCE6} -out %{buildroot}%{_mandir}/man5/containers-policy.json.5
go-md2man -in %{SOURCE8} -out %{buildroot}%{_mandir}/man5/containers-mounts.conf.5
go-md2man -in %{SOURCE9} -out %{buildroot}%{_mandir}/man5/containers-signature.5
go-md2man -in %{SOURCE10} -out %{buildroot}%{_mandir}/man5/containers-transports.5
go-md2man -in %{SOURCE11} -out %{buildroot}%{_mandir}/man5/containers-certs.d.5
go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries.d.5
go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5
go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
go-md2man -in %{SOURCE26} -out %{buildroot}%{_mandir}/man5/Containerfile.5
go-md2man -in %{SOURCE27} -out %{buildroot}%{_mandir}/man5/containerignore.5
ln -s containerignore.5 %{buildroot}%{_mandir}/man5/.containerignore.5
# install config files for mounts, containers and seccomp
install -m0644 pkg/subscriptions/mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
install -m0644 pkg/seccomp/seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
install -m0644 pkg/config/containers.conf %{buildroot}%{_datadir}/containers/containers.conf
install -dp %{buildroot}%{_datadir}/containers
install -m0644 %{SOURCE3} %{buildroot}%{_datadir}/containers/mounts.conf
install -m0644 %{SOURCE7} %{buildroot}%{_datadir}/containers/seccomp.json
install -m0644 %{SOURCE13} %{buildroot}%{_datadir}/containers/containers.conf
# for signature verification
%if 0%{?fedora} || 0%{?centos}
install -dp %{buildroot}%{_sysconfdir}/pki/sigstore
install -m0644 %{SOURCE29} %{buildroot}%{_sysconfdir}/pki/sigstore
install -m0644 %{SOURCE30} %{buildroot}%{_sysconfdir}/pki/sigstore
%endif
# install secrets patch directory
install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
@ -255,6 +198,11 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%files extra
%changelog
* Mon Dec 16 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.61.0-1
- make spec file compatible with RHEL
- update vendored components
- Resolves: RHEL-69842
* Tue Nov 26 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-13
- update vendored components
- Related: RHEL-58990

156
containers.conf
View File

@ -10,7 +10,8 @@
# locations in the following order:
# 1. /usr/share/containers/containers.conf
# 2. /etc/containers/containers.conf
# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
# 3. $XDG_CONFIG_HOME/containers/containers.conf or
# $HOME/.config/containers/containers.conf if $XDG_CONFIG_HOME is not set
# Items specified in the latter containers.conf, if they exist, override the
# previous containers.conf settings, or the default settings.
@ -26,16 +27,19 @@
#
#apparmor_profile = "container-default"
# The hosts entries from the base hosts file are added to the containers hosts
# file. This must be either an absolute path or as special values "image" which
# uses the hosts file from the container image or "none" which means
# no base hosts file is used. The default is "" which will use /etc/hosts.
# Base file to create the `/etc/hosts` file inside the container. This must either
# be an absolute path to a file on the host system, or one of the following
# special flags:
# "" Use the host's `/etc/hosts` file (the default)
# `none` Do not use a base file (i.e. start with an empty file)
# `image` Use the container image's `/etc/hosts` file as base file
#
#base_hosts_file = ""
# List of cgroup_conf entries specifying a list of cgroup files to write to and
# their values. For example `memory.high=1073741824` sets the
# memory.high limit to 1GB.
#
# cgroup_conf = []
# Default way to to create a cgroup namespace for the container
@ -125,13 +129,25 @@ default_sysctls = [
#
#env_host = false
# Set the ip for the host.containers.internal entry in the containers /etc/hosts
# file. This can be set to "none" to disable adding this entry. By default it
# will automatically choose the host ip.
# Set the IP address the container should expect to connect to the host. The IP
# address is used by Podman to automatically add the `host.containers.internal`
# and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It
# is also used for the *host-gateway* flag of Podman's `--add-host` CLI option.
# If no IP address is configured (the default), Podman will try to determine it
# automatically, but might fail to do so depending on the container's network
# setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
# Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
#
# NOTE: When using podman machine this entry will never be added to the containers
# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
# it is not possible to disable the entry in this case.
# Note: If Podman is running in a virtual machine using `podman machine` (this
# includes Mac and Windows hosts), Podman will silently skip adding the internal
# hostnames to `/etc/hosts`, unless an IP address was configured manually. The
# internal hostnames are resolved by the gvproxy DNS resolver instead. This config
# has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
# a manually configured IP address still takes precedence.
#
# Note: This config doesn't affect the actual network setup, it just tells Podman
# the IP address it should expect. Configuring an IP address here doesn't ensure
# that the container can actually reach the host using this IP address.
#
#host_containers_internal_ip = ""
@ -164,6 +180,13 @@ default_sysctls = [
#
#ipcns = "shareable"
# Default way to set an interface name inside container. Defaults to legacy
# pattern of ethX, where X is a integer, when left undefined.
# Options are:
# "device" Uses the network_interface name from the network config as interface name.
# Falls back to the ethX pattern if the network_interface is not set.
#interface_name = ""
# keyring tells the container engine whether to create
# a kernel keyring for use within the container.
#
@ -183,7 +206,8 @@ default_sysctls = [
# Logging driver for the container. Available options: k8s-file and journald.
#
log_driver = "file"
#log_driver = "k8s-file"
log_driver = "k8s-file"
# Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or
@ -213,8 +237,10 @@ log_driver = "file"
#
#netns = "private"
# Create /etc/hosts for the container. By default, container engine manage
# /etc/hosts, automatically adding the container's own IP address.
# Do not modify the `/etc/hosts` file in the container. Podman assumes control
# over the container's `/etc/hosts` file by default; refer to the `--add-host`
# CLI option for details. To disable this, either set this config to `true`, or
# use the functionally identical `--no-hosts` CLI option.
#
#no_hosts = false
@ -340,6 +366,14 @@ log_driver = "file"
# "/usr/lib/netavark",
#]
# The firewall driver to be used by netavark.
# The default is empty which means netavark will pick one accordingly. Current supported
# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
# experimental at the moment and not recommend outside of testing).
#
#firewall_driver = ""
# The network name of the default network to attach pods to.
#
#default_network = "podman"
@ -368,9 +402,9 @@ log_driver = "file"
# Configure which rootless network program to use by default. Valid options are
# `slirp4netns` (default) and `pasta`.
# `slirp4netns` and `pasta` (default).
#
#default_rootless_network_cmd = "slirp4netns"
#default_rootless_network_cmd = "pasta"
# Path to the directory where network configuration files are located.
# For the CNI backend the default is "/etc/cni/net.d" as root
@ -400,6 +434,8 @@ log_driver = "file"
#List of compression algorithms. If set makes sure that requested compression variant
#for each platform is added to the manifest list keeping original instance intact in
#the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
#in that case.
#
#add_compression = ["gzip", "zstd", "zstd:chunked"]
@ -419,6 +455,11 @@ log_driver = "file"
# The compression format to use when pushing an image.
# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
# This field is ignored when pushing images to the docker-daemon and
# docker-archive formats. It is also ignored when the manifest format is set
# to v2s2.
# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
# in that case.
#
#compression_format = "gzip"
@ -510,6 +551,15 @@ log_driver = "file"
# with detailed information about the container.
#events_container_create_inspect_data = false
# Whenever Podman should log healthcheck events.
# With many running healthcheck on short interval Podman will spam the event
# log a lot as it generates a event for each single healthcheck run. Because
# this event is optional and only useful to external consumers that may want
# to know when a healthcheck is run or failed allow users to turn it off by
# setting it to false. The default is true.
#
#healthcheck_events = true
# A is a list of directories which are used to search for helper binaries.
#
#helper_binaries_dir = [
@ -525,6 +575,12 @@ log_driver = "file"
# "/usr/share/containers/oci/hooks.d",
#]
# Directories to scan for CDI Spec files.
#
#cdi_spec_dirs = [
# "/etc/cdi",
#]
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
@ -541,7 +597,7 @@ log_driver = "file"
#image_parallel_copies = 0
# Tells container engines how to handle the built-in image volumes.
# * bind: An anonymous named volume will be created and mounted
# * anonymous: An anonymous named volume will be created and mounted
# into the container.
# * tmpfs: The volume is mounted onto the container as a tmpfs,
# which allows users to create content that disappears when
@ -620,7 +676,8 @@ log_driver = "file"
#
#no_pivot_root = false
# Number of locks available for containers and pods.
# Number of locks available for containers, pods, and volumes. Each container,
# pod, and volume consumes 1 lock for as long as it exists.
# If this is changed, a lock renumber must be performed (e.g. with the
# 'podman system renumber' command).
#
@ -639,6 +696,16 @@ log_driver = "file"
#
#remote = false
# Number of times to retry pulling/pushing images in case of failure
#
#retry = 3
# Delay between retries in case pulling/pushing image fails.
# If set, container engines will retry at the set interval,
# otherwise they delay 2 seconds and then exponentially back off.
#
#retry_delay = "2s"
# Default OCI runtime
#
#runtime = "crun"
@ -715,9 +782,6 @@ runtime = "crun"
# A value of 0 is treated as no timeout.
#volume_plugin_timeout = 5
# Default timeout in seconds for podmansh logins.
#podmansh_timeout = 30
# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
[engine.runtimes]
#crun = [
@ -730,6 +794,15 @@ runtime = "crun"
# "/run/current-system/sw/bin/crun",
#]
#crun-vm = [
# "/usr/bin/crun-vm",
# "/usr/local/bin/crun-vm",
# "/usr/local/sbin/crun-vm",
# "/sbin/crun-vm",
# "/bin/crun-vm",
# "/run/current-system/sw/bin/crun-vm",
#]
#kata = [
# "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime",
@ -785,16 +858,15 @@ runtime = "crun"
#
#disk_size=10
# Default image URI when creating a new VM using `podman machine init`.
# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
# alternatively specify a custom download URL to an image. Container engines
# translate URIs $OS and $ARCH to the native OS and ARCH. URI
# "https://example.com/$OS/$ARCH/foobar.ami" becomes
# Default Image used when creating a new VM using `podman machine init`.
# Can be specified as registry with a bootable OCI artifact, download URL, or a local path.
# Registry target must be in the form of `docker://registry/repo/image:version`.
# Container engines translate URIs $OS and $ARCH to the native OS and ARCH.
# URI "https://example.com/$OS/$ARCH/foobar.ami" would become
# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
# The default value is `testing`.
# If unspecified, the default Podman machine image will be used.
#
#image = "testing"
#image = ""
# Memory in MB a machine is created with.
#
@ -816,9 +888,22 @@ runtime = "crun"
# Virtualization provider used to run Podman machine.
# If it is empty or commented out, the default provider will be used.
#
# Linux:
# qemu - Open source machine emulator and virtualizer. (Default)
# Windows: there are currently two options:
# wsl - Windows Subsystem for Linux (Default)
# hyperv - Windows Server Virtualization
# Mac: there are currently two options:
# applehv - Default Apple Hypervisor (Default)
# libkrun - Launch virtual machines using the libkrun platform, optimized
# for sharing GPU with the machine.
#provider = ""
# Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.
# The default value is `true`. Supported on AppleHV(arm64) machines only.
#
#rosetta=true
# The [machine] table MUST be the last entry in this file.
# (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being
@ -832,3 +917,14 @@ runtime = "crun"
#
# map of existing farms
#[farms.list]
[podmansh]
# Shell to spawn in container. Default: /bin/sh.
#shell = "/bin/sh"
#
# Name of the container the podmansh user should join.
#container = "podmansh"
#
# Default timeout in seconds for podmansh logins.
# Favored over the deprecated "podmansh_timeout" field.
#timeout = 30

191
containers.conf.5.md
View File

@ -11,10 +11,9 @@ a TOML format that can be easily modified and versioned.
Container engines read the __/usr/share/containers/containers.conf__,
__/etc/containers/containers.conf__, and __/etc/containers/containers.conf.d/\*.conf__
files if they exist.
When running in rootless mode, they also read
__$HOME/.config/containers/containers.conf__ and
__$HOME/.config/containers/containers.conf.d/\*.conf__ files.
for global configuration that effects all users.
For user specific configuration it reads __\$XDG_CONFIG_HOME/containers/containers.conf__ and
__\$XDG_CONFIG_HOME/containers/containers.conf.d/\*.conf__ files. When `$XDG_CONFIG_HOME` is not set it falls back to using `$HOME/.config` instead.
Fields specified in containers conf override the default options, as well as
options in previously read containers.conf files.
@ -42,13 +41,13 @@ instance, `CONTAINERS_CONF=/tmp/my_containers.conf`.
## MODULES
A module is a containers.conf file located directly in or a sub-directory of the following three directories:
- __$HOME/.config/containers/containers.conf.modules__
- __\$XDG_CONFIG_HOME/containers/containers.conf.modules__ or __\$HOME/.config/containers/containers.conf.modules__ if `$XDG_CONFIG_HOME` is not set.
- __/etc/containers/containers.conf.modules__
- __/usr/share/containers/containers.conf.modules__
Files in those locations are not loaded by default but only on-demand. They are loaded after all system and user configuration files but before `CONTAINERS_CONF_OVERRIDE` hence allowing for overriding system and user configs.
Modules are currently supported by podman(1). The `podman --module` flag allows for loading a module and can be specified multiple times. If the specified value is an absolute path, the config file will be loaded directly. Relative paths are resolved relative to the three module directories mentioned above and in the specified order such that modules in `$HOME` allow for overriding those in `/etc` and `/usr/share`. Modules in `$HOME` (or `$XDG_CONFIG_HOME` if specified) are only used for rootless users.
Modules are currently supported by podman(1). The `podman --module` flag allows for loading a module and can be specified multiple times. If the specified value is an absolute path, the config file will be loaded directly. Relative paths are resolved relative to the three module directories mentioned above and in the specified order such that modules in `$XDG_CONFIG_HOME/$HOME` allow for overriding those in `/etc` and `/usr/share`.
## APPENDING TO STRING ARRAYS
@ -59,7 +58,7 @@ Consider the following example:
modules1.conf: env=["1=true"]
modules2.conf: env=["2=true"]
modules3.conf: env=["3=true", {append=true}]
modules3.conf: env=["4=true"]
modules4.conf: env=["4=true"]
```
After loading the files in the given order, the final contents are `env=["2=true", "3=true", "4=true"]`. If modules4.conf would set `{append=false}`, the final contents would be `env=["4=true"]`.
@ -97,10 +96,12 @@ The default profile name is "container-default".
**base_hosts_file**=""
The hosts entries from the base hosts file are added to the containers hosts
file. This must be either an absolute path or as special values "image" which
uses the hosts file from the container image or "none" which means
no base hosts file is used. The default is "" which will use /etc/hosts.
Base file to create the `/etc/hosts` file inside the container. This must either
be an absolute path to a file on the host system, or one of the following
special flags:
"" Use the host's `/etc/hosts` file (the default)
`none` Do not use a base file (i.e. start with an empty file)
`image` Use the container image's `/etc/hosts` file as base file
**cgroup_conf**=[]
@ -118,7 +119,7 @@ Options are:
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Default way to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
@ -196,13 +197,25 @@ Pass all host environment variables into the container.
**host_containers_internal_ip**=""
Set the ip for the host.containers.internal entry in the containers /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.
Set the IP address the container should expect to connect to the host. The IP
address is used by Podman to automatically add the `host.containers.internal`
and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It
is also used for the *host-gateway* flag of Podman's `--add-host` CLI option.
If no IP address is configured (the default), Podman will try to determine it
automatically, but might fail to do so depending on the container's network
setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
NOTE: When using podman machine this entry will never be added to the containers
hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
it is not possible to disable the entry in this case.
Note: If Podman is running in a virtual machine using `podman machine` (this
includes Mac and Windows hosts), Podman will silently skip adding the internal
hostnames to `/etc/hosts`, unless an IP address was configured manually. The
internal hostnames are resolved by the gvproxy DNS resolver instead. This config
has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
a manually configured IP address still takes precedence.
Note: This config doesn't affect the actual network setup, it just tells Podman
the IP address it should expect. Configuring an IP address here doesn't ensure
that the container can actually reach the host using this IP address.
**http_proxy**=true
@ -227,9 +240,16 @@ Path to the container-init binary, which forwards signals and reaps processes
within containers. Note that the container-init binary will only be used when
the `--init` for podman-create and podman-run is set.
**interface_name**=""
Default way to set interface names inside containers. Defaults to legacy pattern
of ethX, where X is an integer, when left undefined.
Options are:
`device` Uses the network_interface name from the network config as interface name. Falls back to the ethX pattern if the network_interface is not set.
**ipcns**="shareable"
Default way to to create a IPC namespace for the container.
Default way to create a IPC namespace for the container.
Options are:
`host` Share host IPC Namespace with the container.
`none` Create shareable IPC Namespace for the container without a private /dev/shm.
@ -276,7 +296,7 @@ Example: [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ]
**netns**="private"
Default way to to create a NET namespace for the container.
Default way to create a NET namespace for the container.
Options are:
`private` Create private NET Namespace for the container.
`host` Share host NET Namespace with the container.
@ -284,8 +304,10 @@ Options are:
**no_hosts**=false
Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address.
Do not modify the `/etc/hosts` file in the container. Podman assumes control
over the container's `/etc/hosts` file by default; refer to the `--add-host`
CLI option for details. To disable this, either set this config to `true`, or
use the functionally identical `--no-hosts` CLI option.
**oom_score_adj**=0
@ -293,7 +315,7 @@ Tune the host's OOM preferences for containers (accepts values from -1000 to 100
**pidns**="private"
Default way to to create a PID namespace for the container.
Default way to create a PID namespace for the container.
Options are:
`private` Create private PID Namespace for the container.
`host` Share host PID Namespace with the container.
@ -346,14 +368,14 @@ Sets umask inside the container.
**userns**="host"
Default way to to create a USER namespace for the container.
Default way to create a USER namespace for the container.
Options are:
`private` Create private USER Namespace for the container.
`host` Share host USER Namespace with the container.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Default way to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
@ -436,10 +458,10 @@ default_subnet_pools = [
]
```
**default_rootless_network_cmd**="slirp4netns"
**default_rootless_network_cmd**="pasta"
Configure which rootless network program to use by default. Valid options are
`slirp4netns` (default) and `pasta`.
`slirp4netns` and `pasta` (default).
**network_config_dir**="/etc/cni/net.d/"
@ -449,6 +471,13 @@ and __$HOME/.config/cni/net.d__ as rootless.
For the netavark backend "/etc/containers/networks" is used as root
and "$graphroot/networks" as rootless.
**firewall_driver**=""
The firewall driver to be used by netavark.
The default is empty which means netavark will pick one accordingly. Current supported
drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
experimental at the moment and not recommend outside of testing).
**dns_bind_port**=53
Port to use for dns forwarding daemon with netavark in rootful bridge
@ -473,6 +502,9 @@ Name of destination for accessing the Podman service. See SERVICE DESTINATION TA
List of compression algorithms. If set makes sure that requested compression variant
for each platform is added to the manifest list keeping original instance intact in
the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
in that case.
Note: This is different from `compression_format` which allows users to select a default
compression format for `push` and `manifest push`, while `add_compression` is limited to
@ -569,7 +601,7 @@ The unit can be b (bytes), k (kilobytes), m (megabytes) or g (gigabytes).
The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
If no unit is included then the size will be in bytes.
When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
If the maximumn size is set to 0, then no limit will be applied,
If the maximum size is set to 0, then no limit will be applied,
and the logfile will not be rotated.
**events_logger**="journald"
@ -580,7 +612,7 @@ The default method is different based on the platform that
Podman is being run upon. To determine the current value,
use this command:
`podman info --format {{.Host.EventLogger}`
`podman info --format {{.Host.EventLogger}}`
Valid values are: `file`, `journald`, and `none`.
@ -589,6 +621,17 @@ Valid values are: `file`, `journald`, and `none`.
Creates a more verbose container-create event which includes a JSON payload
with detailed information about the container. Set to false by default.
**healthcheck_events**=true|false
Whenever Podman should log healthcheck events.
With many running healthcheck on short interval Podman will spam the event
log a lot as it generates a event for each single healthcheck run. Because
this event is optional and only useful to external consumers that may want
to know when a healthcheck is run or failed allow users to turn it off by
setting it to false.
Default is true.
**helper_binaries_dir**=["/usr/libexec/podman", ...]
A is a list of directories which are used to search for helper binaries.
@ -630,6 +673,10 @@ The default path on Windows is:
Path to the OCI hooks directories for automatically executed hooks.
**cdi_spec_dirs**=["/etc/cdi", ...]
Directories to scan for CDI Spec files.
**image_default_format**="oci"|"v2s2"|"v2s1"
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
@ -722,10 +769,11 @@ Whether to use chroot instead of pivot_root in the runtime.
**num_locks**=2048
Number of locks available for containers and pods. Each created container or
pod consumes one lock. The default number available is 2048. If this is
changed, a lock renumbering must be performed, using the
`podman system renumber` command.
Number of locks available for containers, pods, and volumes.
Each created container, pod, or volume consumes one lock.
Locks are recycled and can be reused after the associated container, pod, or volume is removed.
The default number available is 2048.
If this is changed, a lock renumbering must be performed, using the `podman system renumber` command.
**pod_exit_policy**="continue"
@ -749,13 +797,21 @@ Pull image before running or creating a container. The default is **missing**.
Indicates whether the application should be running in remote mode. This flag modifies the
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
**retry** = 3
Number of times to retry pulling/pushing images in case of failure.
**retry_delay** = ""
Delay between retries in case pulling/pushing image fails. If set, container engines will retry at the set interval, otherwise they delay 2 seconds and then exponentially back off.
**runtime**=""
Default OCI specific runtime in runtimes that will be used by default. Must
refer to a member of the runtimes table. Default runtime will be searched for
on the system using the priority: "crun", "runc", "kata".
on the system using the priority: "crun", "runc", "runj", "kata", "runsc", "ocijail"
**runtime_supports_json**=["crun", "runc", "kata", "runsc", "youki", "krun"]
**runtime_supports_json**=["crun", "crun-vm", "runc", "kata", "runsc", "youki", "krun"]
The list of the OCI runtimes that support `--format=json`.
@ -763,7 +819,7 @@ The list of the OCI runtimes that support `--format=json`.
The list of OCI runtimes that support running containers with KVM separation.
**runtime_supports_nocgroups**=["crun", "krun"]
**runtime_supports_nocgroups**=["crun", "crun-vm", "krun"]
The list of OCI runtimes that support running containers without CGroups.
@ -814,7 +870,12 @@ the primary uid/gid of the container.
**compression_format**="gzip"
Specifies the compression format to use when pushing an image. Supported values are: `gzip`, `zstd` and `zstd:chunked`.
Specifies the compression format to use when pushing an image. Supported values
are: `gzip`, `zstd` and `zstd:chunked`. This field is ignored when pushing
images to the docker-daemon and docker-archive formats. It is also ignored
when the manifest format is set to v2s2.
`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
in that case.
**compression_level**="5"
@ -823,10 +884,6 @@ depend on the compression format used. For gzip, valid options are
1-9, with a default of 5. For zstd, valid options are 1-20, with a
default of 3.
**podmansh_timeout**=30
Number of seconds to wait for podmansh logins.
## SERVICE DESTINATION TABLE
The `engine.service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -883,13 +940,13 @@ The size of the disk in GB created when init-ing a podman-machine VM
**image**=""
Default image URI when creating a new VM using `podman machine init`.
Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
version of the OS (e.g `36`) for Fedora 36. For all platforms you can
alternatively specify a custom download URL to an image. Container engines
translate URIs $OS and $ARCH to the native OS and ARCH. URI "https://example.com/$OS/$ARCH/foobar.ami" would become "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
The default value
is `testing` on Linux/Mac, and on Windows.
Image used when creating a new VM using `podman machine init`.
Can be specified as a registry with a bootable OCI artifact, download URL, or a local path.
Registry target must be in the form of `docker://registry/repo/image:version`.
Container engines translate URIs $OS and $ARCH to the native OS and ARCH.
URI "https://example.com/$OS/$ARCH/foobar.ami" would become
"https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
If unspecified, the default Podman machine image will be used.
**memory**=2048
@ -914,8 +971,19 @@ On Mac, the default volumes are:
**provider**=""
Virtualization provider to be used for running a podman-machine VM. Empty value
is interpreted as the default provider for the current host OS. On Linux/Mac
default is `QEMU` and on Windows it is `WSL`.
is interpreted as the default provider for the current host OS.
| Platform | Default Virtualization provider | Optional |
| -------- | --------------------------------------- | -------- |
| Linux | "" (qemu) | None |
| Windows | "" ("wsl": Windows Subsystem for Linux) | "hyperv" (Windows Server Virtualization) |
| Mac | "" ("applehv": Apple Hypervisor) | "libkrun" (Launch machine via libkrun platform, optimized for sharing GPU with the machine) |
**rosetta**="true"
Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.
The default value is `true`. Supported on AppleHV(arm64) machines only.
## FARMS TABLE
The `farms` table contains configuration options used to group up remote connections into farms that will be used when sending out builds to different machines in a farm via `podman buildfarm`.
@ -928,6 +996,25 @@ The default farm to use when farming out builds.
Map of farms created where the key is the farm name and the value is the list of system connections.
## PODMANSH TABLE
The `podmansh` table contains configuration options used by podmansh.
**shell**="/bin/sh"
The shell to spawn in the container.
The default value is `/bin/sh`.
**container**="podmansh"
Name of the container that podmansh joins.
The default value is `podmansh`.
**timeout**=0
Number of seconds to wait for podmansh logins. This value if favoured over the deprecated field `engine.podmansh_timeout` if set.
The default value is 30.
# FILES
**containers.conf**
@ -937,8 +1024,8 @@ provide a default configuration. Administrators can override fields in this
file by creating __/etc/containers/containers.conf__ to specify their own
configuration. They may also drop `.conf` files in
__/etc/containers/containers.conf.d__ which will be loaded in alphanumeric order.
Rootless users can further override fields in the config by creating a config
file stored in the __$HOME/.config/containers/containers.conf__ file or __.conf__ files in __$HOME/.config/containers/containers.conf.d__.
For user specific configuration it reads __\$XDG_CONFIG_HOME/containers/containers.conf__ and
__\$XDG_CONFIG_HOME/containers/containers.conf.d/\*.conf__ files. When `$XDG_CONFIG_HOME` is not set it falls back to using `$HOME/.config` instead.
Fields specified in a containers.conf file override the default options, as
well as options in previously loaded containers.conf files.

1
default.yaml
View File

@ -25,3 +25,4 @@ default-docker:
# privateregistry.com:
# lookaside: https://privateregistry.com/sigstore/
# lookaside-staging: /mnt/nfs/privateregistry/sigstore

101
seccomp.json
View File

@ -55,9 +55,16 @@
{
"names": [
"bdflush",
"cachestat",
"futex_requeue",
"futex_wait",
"futex_waitv",
"futex_wake",
"io_pgetevents",
"io_pgetevents_time64",
"kexec_file_load",
"kexec_load",
"map_shadow_stack",
"migrate_pages",
"move_pages",
"nfsservctl",
@ -72,9 +79,9 @@
"pciconfig_write",
"sgetmask",
"ssetmask",
"swapcontext",
"swapoff",
"swapon",
"syscall",
"sysfs",
"uselib",
"userfaultfd",
@ -149,6 +156,7 @@
"fchdir",
"fchmod",
"fchmodat",
"fchmodat2",
"fchown",
"fchown32",
"fchownat",
@ -316,7 +324,6 @@
"pwritev2",
"read",
"readahead",
"readdir",
"readlink",
"readlinkat",
"readv",
@ -404,16 +411,13 @@
"shmdt",
"shmget",
"shutdown",
"sigaction",
"sigaltstack",
"signal",
"signalfd",
"signalfd4",
"sigpending",
"sigprocmask",
"sigreturn",
"sigsuspend",
"socket",
"socket",
"socketcall",
"socketpair",
"splice",
@ -427,7 +431,6 @@
"sync",
"sync_file_range",
"syncfs",
"syscall",
"sysinfo",
"syslog",
"tee",
@ -440,7 +443,6 @@
"timer_gettime64",
"timer_settime",
"timer_settime64",
"timerfd",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
@ -562,7 +564,8 @@
},
{
"names": [
"sync_file_range2"
"sync_file_range2",
"swapcontext"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
@ -642,6 +645,20 @@
},
"excludes": {}
},
{
"names": [
"riscv_flush_icache"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"arches": [
"riscv64"
]
},
"excludes": {}
},
{
"names": [
"open_by_handle_at"
@ -677,8 +694,8 @@
"bpf",
"fanotify_init",
"lookup_dcookie",
"perf_event_open",
"quotactl",
"quotactl_fd",
"setdomainname",
"sethostname",
"setns"
@ -695,11 +712,11 @@
},
{
"names": [
"bpf",
"fanotify_init",
"lookup_dcookie",
"perf_event_open",
"quotactl",
"quotactl_fd",
"setdomainname",
"sethostname",
"setns"
@ -1047,6 +1064,68 @@
]
},
"excludes": {}
},
{
"names": [
"bpf"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN",
"CAP_BPF"
]
},
"errnoRet": 1,
"errno": "EPERM"
},
{
"names": [
"bpf"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_BPF"
]
},
"excludes": {}
},
{
"names": [
"perf_event_open"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN",
"CAP_BPF"
]
},
"errnoRet": 1,
"errno": "EPERM"
},
{
"names": [
"perf_event_open"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_PERFMON"
]
},
"excludes": {}
}
]
}

1
sources
View File

@ -1 +0,0 @@
SHA512 (v0.60.2.tar.gz) = 0f0495adfbac1c1cea3a209d506495617e727523b4edf436225df79c7378bad1ea5504a94e0e54322601585a5740f67cef81b971a0825d5180c2c29da703fc82