containers-common-0.61.0-1.el10

- make spec file compatible with RHEL
- update vendored components
- Resolves: RHEL-69842

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2024-12-16 12:12:58 +01:00
parent 455b4b4aed
commit 099a656e30
9 changed files with 523 additions and 253 deletions


@ -1 +0,0 @@
.so man5/containerfile.5
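Review bot: this deleted file was a roff `.so` alias pointing at `man5/containerfile.5`, but the new %install only writes `Containerfile.5` (capital C, converted from Source26) and never installs a lowercase `containerfile.5`, so the alias target does not exist either way; what matters is that the %files section, which this diff does not show, no longer lists the alias, otherwise the build fails on a missing file. If a case-insensitive `man containerfile` is still wanted, an `ln -s Containerfile.5 containerfile.5` next to the existing `.containerignore.5` link in %install would restore it.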


@ -1 +0,0 @@
.so man5/containerignore.5
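Review bot: `containerignore.5` itself is still produced (go-md2man on Source27) and the `ln -s containerignore.5 .containerignore.5` line stays in %install, so dropping this `.so` alias is safe only if the corresponding %files entry was removed too; that section is not in the diff and should be checked.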


@ -9,7 +9,7 @@ Containerfile(Dockerfile) - automate the steps of creating a container image
The **Containerfile** is a configuration file that automates the steps of creating a container image. It is similar to a Makefile. Container engines (Podman, Buildah, Docker) read instructions from the **Containerfile** to automate the steps otherwise performed manually to create an image. To build an image, create a file called **Containerfile**. The **Containerfile** is a configuration file that automates the steps of creating a container image. It is similar to a Makefile. Container engines (Podman, Buildah, Docker) read instructions from the **Containerfile** to automate the steps otherwise performed manually to create an image. To build an image, create a file called **Containerfile**.
The **Containerfile** describes the steps taken to assemble the image. When the The **Containerfile** describes the steps taken to assemble the image. When the
**Containerfile** has been created, call the `buildah bud`, `podman build`, `docker build` command, **Containerfile** has been created, call the `buildah build`, `podman build`, `docker build` command,
using the path of context directory that contains **Containerfile** as the argument. Podman and Buildah default to **Containerfile** and will fall back to **Dockerfile**. Docker only will search for **Dockerfile** in the context directory. using the path of context directory that contains **Containerfile** as the argument. Podman and Buildah default to **Containerfile** and will fall back to **Dockerfile**. Docker only will search for **Dockerfile** in the context directory.
@ -31,7 +31,7 @@ A Containerfile is similar to a Makefile.
# USAGE # USAGE
``` ```
buildah bud . buildah build .
podman build . podman build .
``` ```
@ -40,7 +40,7 @@ A Containerfile is similar to a Makefile.
build. build.
``` ```
buildah bud -t repository/tag . buildah build -t repository/tag .
podman build -t repository/tag . podman build -t repository/tag .
``` ```
@ -61,7 +61,7 @@ A Containerfile is similar to a Makefile.
`FROM image@digest [AS <name>]` `FROM image@digest [AS <name>]`
-- The **FROM** instruction sets the base image for subsequent instructions. A -- The **FROM** instruction sets the base image for subsequent instructions. A
valid Containerfile must have either **ARG** or *FROM** as its first instruction. valid Containerfile must have either **ARG** or **FROM** as its first instruction.
If **FROM** is not the first instruction in the file, it may only be preceded by If **FROM** is not the first instruction in the file, it may only be preceded by
one or more ARG instructions, which declare arguments that are used in the next FROM line in the Containerfile. one or more ARG instructions, which declare arguments that are used in the next FROM line in the Containerfile.
The image can be any valid image. It is easy to start by pulling an image from the public The image can be any valid image. It is easy to start by pulling an image from the public
@ -82,7 +82,7 @@ A Containerfile is similar to a Makefile.
-- If no digest is given to the **FROM** instruction, container engines apply the -- If no digest is given to the **FROM** instruction, container engines apply the
`latest` tag. If the used tag does not exist, an error is returned. `latest` tag. If the used tag does not exist, an error is returned.
-- A name can be assigned to a build stage by adding **AS name** to the instruction. -- A name can be assigned to a build stage by adding **AS name** to the instruction.
The name can be referenced later in the Containerfile using the **FROM** or **COPY --from=<name>** instructions. The name can be referenced later in the Containerfile using the **FROM** or **COPY --from=<name>** instructions.
**MAINTAINER** **MAINTAINER**
@ -109,7 +109,7 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.
e.g. e.g.
mount=type=bind,source=/path/on/host,destination=/path/in/container mount=type=bind,source=/path/on/host,destination=/path/in/container,relabel=shared
mount=type=tmpfs,tmpfs-size=512M,destination=/path/in/container mount=type=tmpfs,tmpfs-size=512M,destination=/path/in/container
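Review bot: adding `relabel=shared` to the bind example means the first mount line a reader copies now recursively rewrites the SELinux label of everything under `/path/on/host`; the relabel text added further down says as much about walking the tree. Since a system directory used as `source` would be relabeled on the host, the example should use a path that is obviously dedicated to the build (or say so in a short note next to it).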
@ -117,45 +117,57 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.
Common Options: Common Options:
· src, source: mount source spec for bind and volume. Mandatory for bind. If `from` is specified, `src` is the subpath in the `from` field. · src, source: mount source spec for bind and volume. Mandatory for bind. If `from` is specified, `src` is the subpath in the `from` field.
· dst, destination, target: mount destination spec. · dst, destination, target: mount destination spec.
· ro, read-only: true (default) or false. · ro, read-only: true (default) or false.
Options specific to bind: Options specific to bind:
· bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2). · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
. bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive. . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
· from: stage or image name for the root of the source. Defaults to the build context. · from: stage or image name for the root of the source. Defaults to the build context.
· rw, read-write: allows writes on the mount. · relabel=shared, z: Relabels src content with a shared label.
. relabel=private, Z: Relabels src content with a private label.
Labeling systems like SELinux require proper labels on the bind mounted content mounted into a container. Without a label, the security system might prevent the processes running in side the container from using the content. By default, container engines do not change the labels set by the OS. The relabel flag tells the engine to relabel file objects on the shared mountz.
The relabel=shared and z options tell the engine that two or more containers will share the mount content. The engine labels the content with a shared content label.
The relabel=private and Z options tell the engine to label the content with a private unshared label. Only the current container can use a private mount.
Relabeling walks the file system under the mount and changes the label on each file, if the mount has thousands of inodes, this process takes a long time, delaying the start of the container.
· rw, read-write: allows writes on the mount.
Options specific to tmpfs: Options specific to tmpfs:
· tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
· tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
· tmpcopyup: Path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself. · tmpcopyup: Path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.
Options specific to cache: Options specific to cache:
· id: Create a separate cache directory for a particular id. · id: Create a separate cache directory for a particular id.
· mode: File mode for new cache directory in octal. Default 0755. · mode: File mode for new cache directory in octal. Default 0755.
· ro, readonly: read only cache if set. · ro, readonly: read only cache if set.
· uid: uid for cache directory. · uid: uid for cache directory.
· gid: gid for cache directory. · gid: gid for cache directory.
· from: stage name for the root of the source. Defaults to host cache directory. · from: stage name for the root of the source. Defaults to host cache directory.
· rw, read-write: allows writes on the mount. · rw, read-write: allows writes on the mount.
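Review bot: typos in the new relabel paragraph: "running in side the container" should be "inside", and "the shared mountz" should be "the shared mount"; the last sentence is a comma splice and reads better as "... changes the label on each file. If the mount has thousands of inodes, this process takes a long time ...". The `relabel=private`/`Z` text states that only the current container can use the mount; it would help to spell out the flip side, that the host and other containers lose access to that content while it carries the private label, since that is the usual surprise. Minor: the `rw, read-write` bullet now sits after the relabel paragraphs instead of with the other bind options.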
**RUN --network** **RUN --network**
@ -207,7 +219,7 @@ Container engines pass secret the secret file into the build using the `--secret
**--mount**=*type=secret,TYPE-SPECIFIC-OPTION[,...]* **--mount**=*type=secret,TYPE-SPECIFIC-OPTION[,...]*
- `id` is the identifier for the secret passed into the `buildah bud --secret` or `podman build --secret`. This identifier is associated with the RUN --mount identifier to use in the Containerfile. - `id` is the identifier for the secret passed into the `buildah build --secret` or `podman build --secret`. This identifier is associated with the RUN --mount identifier to use in the Containerfile.
- `dst`|`target`|`destination` rename the secret file to a specific file in the Containerfile RUN command to use. - `dst`|`target`|`destination` rename the secret file to a specific file in the Containerfile RUN command to use.
@ -224,7 +236,7 @@ RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
The secret needs to be passed to the build using the --secret flag. The final image built does not container the secret file: The secret needs to be passed to the build using the --secret flag. The final image built does not container the secret file:
``` ```
buildah bud --no-cache --secret id=mysecret,src=mysecret.txt . buildah build --no-cache --secret id=mysecret,src=mysecret.txt .
``` ```
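Review bot: unrelated typo in the context line worth fixing while this paragraph is being touched: "The final image built does not container the secret file" should read "does not contain the secret file".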
-- The **RUN** instruction executes any commands in a new layer on top of the current -- The **RUN** instruction executes any commands in a new layer on top of the current
@ -463,7 +475,7 @@ The secret needs to be passed to the build using the --secret flag. The final im
In the above example, the output of the **pwd** command is **a/b/c**. In the above example, the output of the **pwd** command is **a/b/c**.
**ARG** **ARG**
-- ARG <name>[=<default value>] -- `ARG <name>[=<default value>]`
The `ARG` instruction defines a variable that users can pass at build-time to The `ARG` instruction defines a variable that users can pass at build-time to
the builder with the `podman build` and `buildah build` commands using the the builder with the `podman build` and `buildah build` commands using the
@ -594,6 +606,56 @@ The secret needs to be passed to the build using the --secret flag. The final im
$ podman build --build-arg HTTPS_PROXY=https://my-proxy.example.com . $ podman build --build-arg HTTPS_PROXY=https://my-proxy.example.com .
``` ```
**Platform/OS/Arch ARG**
-- `ARG <name>`
When building multi-arch manifest-lists or images for a foreign-architecture,
it's often helpful to have access to platform details within the `Containerfile`.
For example, when using a `RUN curl ...` command to install OS/Arch specific
binary into the image. Or, if certain `RUN` operations are known incompatible
or non-performant when emulating a specific architecture.
There are several named `ARG` variables available. The purpose of each should be
self-evident by its name. _However_, in all cases these ARG values are **not**
automatically populated. You must always declare them within each `FROM` section
of the `Containerfile`.
The available `ARG <name>` variables are available with two prefixes:
* `TARGET...` variable names represent details about the currently running build
context (i.e. "inside" the container). These are often the most useful:
* `TARGETOS`: For example `linux`
* `TARGETARCH`: For example `amd64`
* `TARGETPLATFORM`: For example `linux/amd64`
* `TARGETVARIANT`: Uncommonly used, specific to `TARGETARCH`
* `BUILD...` variable names signify details about the _host_ performing the build
(i.e. "outside" the container):
* `BUILDOS`: OS of host performing the build
* `BUILDARCH`: Arch of host performing the build
* `BUILDPLATFORM`: Combined OS/Arch of host performing the build
* `BUILDVARIANT`: Uncommonly used, specific to `BUILDARCH`
An example `Containerfile` that uses `TARGETARCH` to fetch an arch-specific binary could be:
```
FROM busybox
ARG TARGETARCH
RUN curl -sSf -O https://example.com/downloads/bin-${TARGETARCH}.zip
```
Assuming the host platform is `linux/amd64` and foreign-architecture emulation
enabled (e.g. `qemu-user-static`), then running the command:
```
$ podman build --platform linux/s390x .
```
Would end up running `curl` on `https://example.com/downloads/bin-s390x.zip` and producing
a container image suited for the the `linux/s390x` platform. **Note:** Emulation isn't
strictly required, these special build-args will also function when building using
`podman farm build`.
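Review bot: the `RUN curl -sSf -O https://example.com/downloads/bin-${TARGETARCH}.zip` example downloads an architecture-specific binary into the image with no integrity check; multi-arch builds are exactly where a wrong or tampered artifact slips through unnoticed, so the example should pair the download with a checksum verification step (e.g. `sha256sum -c` against a known digest) or at least state that the real build must verify what it fetched. Wording: "to install OS/Arch specific binary" needs an article and hyphen ("an OS/Arch-specific binary"); "The available `ARG <name>` variables are available with two prefixes" repeats itself; "suited for the the `linux/s390x` platform" doubles "the"; and "Would end up running `curl` ..." continues the sentence that was split by the code block, so it should start lowercase or be reworded as a full sentence.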
**ONBUILD** **ONBUILD**
-- `ONBUILD [INSTRUCTION]` -- `ONBUILD [INSTRUCTION]`
The **ONBUILD** instruction adds a trigger instruction to an image. The The **ONBUILD** instruction adds a trigger instruction to an image. The


@ -6,41 +6,18 @@
# Packit will automatically update the image and storage versions on Fedora and # Packit will automatically update the image and storage versions on Fedora and
# CentOS Stream dist-git PRs. # CentOS Stream dist-git PRs.
%global skopeo_branch main
%global image_branch v5.33.0 %global image_branch v5.33.0
%global storage_branch v1.56.0 %global storage_branch v1.56.0
%global shortnames_branch main %global shortnames_branch main
%global common_branch v0.61.0
%global project containers %global common_version %(v=%{common_branch}; echo ${v:1})
%global repo common
%global raw_github_url https://raw.githubusercontent.com/%{project}
%if %{defined copr_username}
%define copr_build 1
%endif
# See https://github.com/containers/netavark/blob/main/rpm/netavark.spec
# for netavark epoch
%if %{defined copr_build}
%define netavark_epoch 102
%else
%define netavark_epoch 2
%endif
Name: containers-common Name: containers-common
%if %{defined copr_build}
Epoch: 102
%else
Epoch: 5 Epoch: 5
%endif Version: %{common_version}
# DO NOT TOUCH the Version string! Release: 1%{?dist}
# The TRUE source of this specfile is:
# https://github.com/containers/common/blob/main/rpm/containers-common.spec
# If that's what you're reading, Version must be 0, and will be updated by Packit for
# copr and koji builds.
# If you're reading this on dist-git, the version is automatically filled in by Packit.
Version: 0.60.2
Release: 13%{?dist}
License: Apache-2.0 License: Apache-2.0
BuildArch: noarch BuildArch: noarch
# for BuildRequires: go-md2man # for BuildRequires: go-md2man
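Review bot: `%global common_version %(v=%{common_branch}; echo ${v:1})` relies on the bash-only `${v:1}` substring expansion inside a `%()` shell macro; it works where rpm's shell is bash, but `%(echo %{common_branch} | sed 's/^v//')` is portable and says what it does. Also, `%global skopeo_branch main` is the one branch variable not pinned to a tag, and Source25's `default.yaml` is fetched from it, so that input can change underneath an otherwise identical spec.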
@ -57,28 +34,41 @@ Suggests: fuse-overlayfs
Requires: /etc/pki/sigstore/REKOR-signing-key Requires: /etc/pki/sigstore/REKOR-signing-key
Requires: /etc/pki/sigstore/SIGSTORE-redhat-release3 Requires: /etc/pki/sigstore/SIGSTORE-redhat-release3
%endif %endif
URL: https://github.com/%{project}/%{repo} URL: https://github.com/containers/common
Source0: %{url}/archive/v%{version_no_tilde}.tar.gz Source1: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/storage.conf
Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md Source2: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source2: %{raw_github_url}/image/%{image_branch}/docs/containers-certs.d.5.md Source3: mounts.conf
Source3: %{raw_github_url}/image/%{image_branch}/docs/containers-policy.json.5.md Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
Source4: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.5.md Source5: https://raw.githubusercontent.com/containers/image/%{image_branch}/registries.conf
Source5: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.d.5.md Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
Source6: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.d.5.md Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
Source7: %{raw_github_url}/image/%{image_branch}/docs/containers-signature.5.md Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
Source8: %{raw_github_url}/image/%{image_branch}/docs/containers-transports.5.md Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
Source9: %{raw_github_url}/storage/%{storage_branch}/docs/containers-storage.conf.5.md Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
Source10: %{raw_github_url}/shortnames/%{shortnames_branch}/shortnames.conf Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md
Source11: %{raw_github_url}/image/%{image_branch}/default.yaml Source12: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.d.5.md
Source12: default-policy.json Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/config/containers.conf
Source13: %{raw_github_url}/image/%{image_branch}/registries.conf Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md
Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md
Source15: REKOR-signing-key Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source16: SIGSTORE-redhat-release3 Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
Source17: registry.access.redhat.com.yaml
Source18: registry.redhat.io.yaml
Source19: 001-rhel-shortnames-pyxis.conf Source19: 001-rhel-shortnames-pyxis.conf
Source20: 002-rhel-shortnames-overrides.conf Source20: 002-rhel-shortnames-overrides.conf
Source22: registry.access.redhat.com.yaml
Source23: registry.redhat.io.yaml
#Source24: https://raw.githubusercontent.com/containers/skopeo/%%{skopeo_branch}/default-policy.json
Source24: default-policy.json
Source25: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/default.yaml
# FIXME: fix the branch once these are available via regular c/common branch
Source26: https://raw.githubusercontent.com/containers/common/main/docs/Containerfile.5.md
Source27: https://raw.githubusercontent.com/containers/common/main/docs/containerignore.5.md
Source29: REKOR-signing-key
Source30: SIGSTORE-redhat-release3
# scripts used for synchronization with upstream and shortname generation
Source100: update.sh
Source101: update-vendored.sh
Source102: pyxis.sh
%description %description
This package contains common configuration files and documentation for container This package contains common configuration files and documentation for container
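Review bot: Source26 and Source27 are fetched from `main` (the FIXME acknowledges it) and Source25 from `%{skopeo_branch}`, which is also `main`, so the Containerfile and containerignore man pages and `registries.d/default.yaml` are unpinned inputs; with Source0 (the release tarball) removed, nothing in the package now comes from a tagged c/common release other than what the `%{common_branch}` URLs fetch. These should be pinned to `%{common_branch}` as soon as the files exist on that tag. Minor: the Source numbering skips 18, 21 and 28, which is harmless but worth compacting.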
@ -95,113 +85,66 @@ Requires: container-network-stack
Requires: oci-runtime Requires: oci-runtime
Requires: nftables Requires: nftables
Requires: passt Requires: passt
%if %{defined fedora}
Requires: iptables
Conflicts: podman < 5:5.0.0~rc4-1
Recommends: composefs
Recommends: crun
Requires: (crun if fedora-release-identity-server)
Requires: netavark >= %{netavark_epoch}:1.10.3-1
Suggests: slirp4netns
Recommends: qemu-user-static
Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
Requires: (qemu-user-static-arm if fedora-release-identity-server)
Requires: (qemu-user-static-x86 if fedora-release-identity-server)
%endif
%description extra %description extra
This subpackage will handle dependencies common to Podman and Buildah which are This subpackage will handle dependencies common to Podman and Buildah which are
not required by Skopeo. not required by Skopeo.
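Review bot: removing the `%if %{defined fedora}` block also drops the only versioned dependency on netavark (`netavark >= %{netavark_epoch}:1.10.3-1`); the remaining `Requires: container-network-stack` is an unversioned virtual provide, so the extra subpackage no longer enforces a minimum netavark. If RHEL's netavark is always new enough that is fine, otherwise a versioned `Requires: netavark >= ...` should come back.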
%prep %prep
%autosetup -Sgit -n %{repo}-%{version_no_tilde}
# Copy manpages to docs subdir in builddir to build before installing.
cp %{SOURCE1} docs/.
cp %{SOURCE2} docs/.
cp %{SOURCE3} docs/.
cp %{SOURCE4} docs/.
cp %{SOURCE5} docs/.
cp %{SOURCE6} docs/.
cp %{SOURCE7} docs/.
cp %{SOURCE8} docs/.
cp %{SOURCE9} docs/.
# Copy config files to builddir to patch them before installing.
# Currently, only registries.conf and storage.conf files are patched before
# installing.
cp %{SOURCE10} shortnames.conf
cp %{SOURCE13} registries.conf
cp %{SOURCE14} storage.conf
# Fine-grain distro- and release-specific tuning of config files,
# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
bash rpm/update-config-files.sh
%build %build
mkdir -p man5
for i in docs/*.5.md; do
go-md2man -in $i -out man5/$(basename $i .md)
done
%install %install
ensure() { install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd,registries.d,registries.conf.d}
if grep ^$2[[:blank:]].*= $1 > /dev/null
then
sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1
else
if grep ^\#.*$2[[:blank:]].*= $1 > /dev/null
then
sed -i "/^#.*$2[[:blank:]].*=/a \
$2 = $3" $1
else
echo "$2 = $3" >> $1
fi
fi
}
# ensure required configurations for RHEL10 is present
ensure pkg/config/containers.conf runtime \"crun\"
ensure pkg/config/containers.conf log_driver \"k8s-file\"
# install config and policy files for registries
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd}
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -dp %{buildroot}%{_datadir}/containers/systemd install -dp %{buildroot}%{_datadir}/containers/systemd
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -dp %{buildroot}%{_prefix}/lib/containers/storage install -dp %{buildroot}%{_prefix}/lib/containers/storage
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
install -Dp -m0644 shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf install -m0644 %{SOURCE1} %{buildroot}%{_datadir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
install -Dp -m0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -Dp -m0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/containers/policy.json
install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf
%if 0%{?fedora} || 0%{?centos} install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
install -dp %{buildroot}%{_sysconfdir}/pki/sigstore install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/sigstore install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/sigstore install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json
%endif install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -Dp -m0644 %{SOURCE17} -t %{buildroot}%{_sysconfdir}/containers/registries.d # for containers-common
install -Dp -m0644 %{SOURCE18} -t %{buildroot}%{_sysconfdir}/containers/registries.d
# install manpages
install -dp %{buildroot}%{_mandir}/man5 install -dp %{buildroot}%{_mandir}/man5
for i in man5/*.5; do go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
install -Dp -m0644 $i -t %{buildroot}%{_mandir}/man5 go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
done go-md2man -in %{SOURCE6} -out %{buildroot}%{_mandir}/man5/containers-policy.json.5
go-md2man -in %{SOURCE8} -out %{buildroot}%{_mandir}/man5/containers-mounts.conf.5
go-md2man -in %{SOURCE9} -out %{buildroot}%{_mandir}/man5/containers-signature.5
go-md2man -in %{SOURCE10} -out %{buildroot}%{_mandir}/man5/containers-transports.5
go-md2man -in %{SOURCE11} -out %{buildroot}%{_mandir}/man5/containers-certs.d.5
go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries.d.5
go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5
go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
go-md2man -in %{SOURCE26} -out %{buildroot}%{_mandir}/man5/Containerfile.5
go-md2man -in %{SOURCE27} -out %{buildroot}%{_mandir}/man5/containerignore.5
ln -s containerignore.5 %{buildroot}%{_mandir}/man5/.containerignore.5 ln -s containerignore.5 %{buildroot}%{_mandir}/man5/.containerignore.5
# install config files for mounts, containers and seccomp install -dp %{buildroot}%{_datadir}/containers
install -m0644 pkg/subscriptions/mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf install -m0644 %{SOURCE3} %{buildroot}%{_datadir}/containers/mounts.conf
install -m0644 pkg/seccomp/seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json install -m0644 %{SOURCE7} %{buildroot}%{_datadir}/containers/seccomp.json
install -m0644 pkg/config/containers.conf %{buildroot}%{_datadir}/containers/containers.conf install -m0644 %{SOURCE13} %{buildroot}%{_datadir}/containers/containers.conf
# for signature verification
%if 0%{?fedora} || 0%{?centos}
install -dp %{buildroot}%{_sysconfdir}/pki/sigstore
install -m0644 %{SOURCE29} %{buildroot}%{_sysconfdir}/pki/sigstore
install -m0644 %{SOURCE30} %{buildroot}%{_sysconfdir}/pki/sigstore
%endif
# install secrets patch directory # install secrets patch directory
install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
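Review bot: this hunk removes `%autosetup`, `bash rpm/update-config-files.sh` and the `ensure` helper that forced `runtime = "crun"` and `log_driver = "k8s-file"` into containers.conf, so the RHEL defaults now rest entirely on the checked-in `containers.conf` (Source13's basename); the containers.conf diff in this commit only touches `log_driver`, so it is worth confirming that file already carries `runtime = "crun"` and whatever seccomp, composefs and registries tuning the dropped script used to apply. Structurally, `%build` is now empty and the `go-md2man` conversions run in `%install`; they work there, but belong in `%build`. The sigstore keys are still installed only under `%if 0%{?fedora} || 0%{?centos}`, which is unchanged, but with the spec now described as RHEL-compatible the condition deserves a second look against the `Requires: /etc/pki/sigstore/...` lines above.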
@ -255,6 +198,11 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%files extra %files extra
%changelog %changelog
* Mon Dec 16 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.61.0-1
- make spec file compatible with RHEL
- update vendored components
- Resolves: RHEL-69842
* Tue Nov 26 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-13 * Tue Nov 26 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-13
- update vendored components - update vendored components
- Related: RHEL-58990 - Related: RHEL-58990


@ -10,7 +10,8 @@
# locations in the following order: # locations in the following order:
# 1. /usr/share/containers/containers.conf # 1. /usr/share/containers/containers.conf
# 2. /etc/containers/containers.conf # 2. /etc/containers/containers.conf
# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY) # 3. $XDG_CONFIG_HOME/containers/containers.conf or
# $HOME/.config/containers/containers.conf if $XDG_CONFIG_HOME is not set
# Items specified in the latter containers.conf, if they exist, override the # Items specified in the latter containers.conf, if they exist, override the
# previous containers.conf settings, or the default settings. # previous containers.conf settings, or the default settings.
@ -26,16 +27,19 @@
# #
#apparmor_profile = "container-default" #apparmor_profile = "container-default"
# The hosts entries from the base hosts file are added to the containers hosts # Base file to create the `/etc/hosts` file inside the container. This must either
# file. This must be either an absolute path or as special values "image" which # be an absolute path to a file on the host system, or one of the following
# uses the hosts file from the container image or "none" which means # special flags:
# no base hosts file is used. The default is "" which will use /etc/hosts. # "" Use the host's `/etc/hosts` file (the default)
# `none` Do not use a base file (i.e. start with an empty file)
# `image` Use the container image's `/etc/hosts` file as base file
# #
#base_hosts_file = "" #base_hosts_file = ""
# List of cgroup_conf entries specifying a list of cgroup files to write to and # List of cgroup_conf entries specifying a list of cgroup files to write to and
# their values. For example `memory.high=1073741824` sets the # their values. For example `memory.high=1073741824` sets the
# memory.high limit to 1GB. # memory.high limit to 1GB.
#
# cgroup_conf = [] # cgroup_conf = []
# Default way to to create a cgroup namespace for the container # Default way to to create a cgroup namespace for the container
@ -125,13 +129,25 @@ default_sysctls = [
# #
#env_host = false #env_host = false
# Set the ip for the host.containers.internal entry in the containers /etc/hosts # Set the IP address the container should expect to connect to the host. The IP
# file. This can be set to "none" to disable adding this entry. By default it # address is used by Podman to automatically add the `host.containers.internal`
# will automatically choose the host ip. # and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It
# is also used for the *host-gateway* flag of Podman's `--add-host` CLI option.
# If no IP address is configured (the default), Podman will try to determine it
# automatically, but might fail to do so depending on the container's network
# setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
# Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
# #
# NOTE: When using podman machine this entry will never be added to the containers # Note: If Podman is running in a virtual machine using `podman machine` (this
# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore # includes Mac and Windows hosts), Podman will silently skip adding the internal
# it is not possible to disable the entry in this case. # hostnames to `/etc/hosts`, unless an IP address was configured manually. The
# internal hostnames are resolved by the gvproxy DNS resolver instead. This config
# has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
# a manually configured IP address still takes precedence.
#
# Note: This config doesn't affect the actual network setup, it just tells Podman
# the IP address it should expect. Configuring an IP address here doesn't ensure
# that the container can actually reach the host using this IP address.
# #
#host_containers_internal_ip = "" #host_containers_internal_ip = ""
@ -164,6 +180,13 @@ default_sysctls = [
# #
#ipcns = "shareable" #ipcns = "shareable"
# Default way to set an interface name inside container. Defaults to legacy
# pattern of ethX, where X is a integer, when left undefined.
# Options are:
# "device" Uses the network_interface name from the network config as interface name.
# Falls back to the ethX pattern if the network_interface is not set.
#interface_name = ""
# keyring tells the container engine whether to create # keyring tells the container engine whether to create
# a kernel keyring for use within the container. # a kernel keyring for use within the container.
# #
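Review bot: grammar in the new `interface_name` comment: "where X is a integer" should be "where X is an integer".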
@ -183,7 +206,8 @@ default_sysctls = [
# Logging driver for the container. Available options: k8s-file and journald. # Logging driver for the container. Available options: k8s-file and journald.
# #
log_driver = "file" #log_driver = "k8s-file"
log_driver = "k8s-file"
# Maximum size allowed for the container log file. Negative numbers indicate # Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or # that no size limit is imposed. If positive, it must be >= 8192 to match or
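Review bot: the active, uncommented setting changes from log_driver = "file" to log_driver = "k8s-file", which alters the logging backend for every new container on hosts that take this update and have not set their own value; call it out in the changelog and check that anything reading the container log files directly expects the k8s-file format. The new value is at least consistent with the comment above it, which lists only k8s-file and journald as available options, so "file" was undocumented before.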
@ -213,8 +237,10 @@ log_driver = "file"
# #
#netns = "private" #netns = "private"
# Create /etc/hosts for the container. By default, container engine manage # Do not modify the `/etc/hosts` file in the container. Podman assumes control
# /etc/hosts, automatically adding the container's own IP address. # over the container's `/etc/hosts` file by default; refer to the `--add-host`
# CLI option for details. To disable this, either set this config to `true`, or
# use the functionally identical `--no-hosts` CLI option.
# #
#no_hosts = false #no_hosts = false
@ -340,6 +366,14 @@ log_driver = "file"
# "/usr/lib/netavark", # "/usr/lib/netavark",
#] #]
# The firewall driver to be used by netavark.
# The default is empty which means netavark will pick one accordingly. Current supported
# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
# experimental at the moment and not recommend outside of testing).
#
#firewall_driver = ""
# The network name of the default network to attach pods to. # The network name of the default network to attach pods to.
# #
#default_network = "podman" #default_network = "podman"
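Review bot: the description of the "none" driver says only that no firewall rules will be created; it should spell out the operational consequence, namely that netavark then sets up no forwarding or NAT rules, so port publishing and outbound masquerading depend entirely on rules the administrator maintains separately. Also "not recommend outside of testing" should read "not recommended outside of testing".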
@ -368,9 +402,9 @@ log_driver = "file"
# Configure which rootless network program to use by default. Valid options are # Configure which rootless network program to use by default. Valid options are
# `slirp4netns` (default) and `pasta`. # `slirp4netns` and `pasta` (default).
# #
#default_rootless_network_cmd = "slirp4netns" #default_rootless_network_cmd = "pasta"
# Path to the directory where network configuration files are located. # Path to the directory where network configuration files are located.
# For the CNI backend the default is "/etc/cni/net.d" as root # For the CNI backend the default is "/etc/cni/net.d" as root
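Review bot: switching the default from slirp4netns to pasta is a user-visible change for every rootless user who has not set default_rootless_network_cmd explicitly; please confirm the package dependencies pull the pasta binary onto RHEL hosts and mention the new default in the changelog, because rootless containers will be left without networking if the default program is not installed.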
@ -400,6 +434,8 @@ log_driver = "file"
#List of compression algorithms. If set makes sure that requested compression variant #List of compression algorithms. If set makes sure that requested compression variant
#for each platform is added to the manifest list keeping original instance intact in #for each platform is added to the manifest list keeping original instance intact in
#the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`). #the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
#in that case.
# #
#add_compression = ["gzip", "zstd", "zstd:chunked"] #add_compression = ["gzip", "zstd", "zstd:chunked"]
@ -419,6 +455,11 @@ log_driver = "file"
# The compression format to use when pushing an image. # The compression format to use when pushing an image.
# Valid options are: `gzip`, `zstd` and `zstd:chunked`. # Valid options are: `gzip`, `zstd` and `zstd:chunked`.
# This field is ignored when pushing images to the docker-daemon and
# docker-archive formats. It is also ignored when the manifest format is set
# to v2s2.
# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
# in that case.
# #
#compression_format = "gzip" #compression_format = "gzip"
@ -510,6 +551,15 @@ log_driver = "file"
# with detailed information about the container. # with detailed information about the container.
#events_container_create_inspect_data = false #events_container_create_inspect_data = false
# Whenever Podman should log healthcheck events.
# With many running healthcheck on short interval Podman will spam the event
# log a lot as it generates a event for each single healthcheck run. Because
# this event is optional and only useful to external consumers that may want
# to know when a healthcheck is run or failed allow users to turn it off by
# setting it to false. The default is true.
#
#healthcheck_events = true
# A is a list of directories which are used to search for helper binaries. # A is a list of directories which are used to search for helper binaries.
# #
#helper_binaries_dir = [ #helper_binaries_dir = [
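Review bot: grammar in the new healthcheck_events comment: "Whenever Podman should log" should be "Whether Podman should log", "many running healthcheck on short interval" should be "many healthchecks running on short intervals", and "a event" should be "an event". One more clause would help operators: disabling this also removes healthcheck runs and failures from the event log that monitoring consumes, so anyone relying on podman events for health state should keep it at true.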
@ -525,6 +575,12 @@ log_driver = "file"
# "/usr/share/containers/oci/hooks.d", # "/usr/share/containers/oci/hooks.d",
#] #]
# Directories to scan for CDI Spec files.
#
#cdi_spec_dirs = [
# "/etc/cdi",
#]
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the # container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI. # source image. Building/committing defaults to OCI.
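Review bot: the cdi_spec_dirs comment should state the trust expectation for these directories: CDI spec files describe the host device nodes, mounts and hooks injected into containers, so any directory listed here must be writable only by root, otherwise whoever can write a spec there can grant host device access to containers. Listing /etc/cdi as the default is fine; the missing piece is that sentence.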
@ -541,7 +597,7 @@ log_driver = "file"
#image_parallel_copies = 0 #image_parallel_copies = 0
# Tells container engines how to handle the built-in image volumes. # Tells container engines how to handle the built-in image volumes.
# * bind: An anonymous named volume will be created and mounted # * anonymous: An anonymous named volume will be created and mounted
# into the container. # into the container.
# * tmpfs: The volume is mounted onto the container as a tmpfs, # * tmpfs: The volume is mounted onto the container as a tmpfs,
# which allows users to create content that disappears when # which allows users to create content that disappears when
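Review bot: the comment renames the first image_volume_mode option from "bind" to "anonymous", but nothing in the hunk says whether image_volume_mode = "bind" is still accepted. If this is only a documentation fix, say so in the commit; if the accepted value actually changed, existing configurations that set "bind" need a deprecation note so they do not fail after the update.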
@ -620,7 +676,8 @@ log_driver = "file"
# #
#no_pivot_root = false #no_pivot_root = false
# Number of locks available for containers and pods. # Number of locks available for containers, pods, and volumes. Each container,
# pod, and volume consumes 1 lock for as long as it exists.
# If this is changed, a lock renumber must be performed (e.g. with the # If this is changed, a lock renumber must be performed (e.g. with the
# 'podman system renumber' command). # 'podman system renumber' command).
# #
@ -639,6 +696,16 @@ log_driver = "file"
# #
#remote = false #remote = false
# Number of times to retry pulling/pushing images in case of failure
#
#retry = 3
# Delay between retries in case pulling/pushing image fails.
# If set, container engines will retry at the set interval,
# otherwise they delay 2 seconds and then exponentially back off.
#
#retry_delay = "2s"
# Default OCI runtime # Default OCI runtime
# #
#runtime = "crun" #runtime = "crun"
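Review bot: the commented example `#retry_delay = "2s"` reads as a default, but the comment says that when retry_delay is unset the engine delays 2 seconds and then backs off exponentially, and the man page hunk documents the default as `**retry_delay** = ""`. A user who uncomments "2s" therefore gets a fixed interval instead of the backoff. Suggest `#retry_delay = ""` and keep the 2s/backoff description in the comment only.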
@ -715,9 +782,6 @@ runtime = "crun"
# A value of 0 is treated as no timeout. # A value of 0 is treated as no timeout.
#volume_plugin_timeout = 5 #volume_plugin_timeout = 5
# Default timeout in seconds for podmansh logins.
#podmansh_timeout = 30
# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
[engine.runtimes] [engine.runtimes]
#crun = [ #crun = [
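Review bot: dropping the podmansh_timeout example from the [engine] section removes the only hint in the sample file that the key still exists, while the new [podmansh] section at the end of the file calls it deprecated rather than removed; keep a one-line comment here pointing at `[podmansh] timeout` so existing configurations get migrated instead of silently left in place.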
@ -730,6 +794,15 @@ runtime = "crun"
# "/run/current-system/sw/bin/crun", # "/run/current-system/sw/bin/crun",
#] #]
#crun-vm = [
# "/usr/bin/crun-vm",
# "/usr/local/bin/crun-vm",
# "/usr/local/sbin/crun-vm",
# "/sbin/crun-vm",
# "/bin/crun-vm",
# "/run/current-system/sw/bin/crun-vm",
#]
#kata = [ #kata = [
# "/usr/bin/kata-runtime", # "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime", # "/usr/sbin/kata-runtime",
@ -785,16 +858,15 @@ runtime = "crun"
# #
#disk_size=10 #disk_size=10
# Default image URI when creating a new VM using `podman machine init`. # Default Image used when creating a new VM using `podman machine init`.
# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major # Can be specified as registry with a bootable OCI artifact, download URL, or a local path.
# version of the OS (e.g `36`) for Fedora 36. For all platforms you can # Registry target must be in the form of `docker://registry/repo/image:version`.
# alternatively specify a custom download URL to an image. Container engines # Container engines translate URIs $OS and $ARCH to the native OS and ARCH.
# translate URIs $OS and $ARCH to the native OS and ARCH. URI # URI "https://example.com/$OS/$ARCH/foobar.ami" would become
# "https://example.com/$OS/$ARCH/foobar.ami" becomes
# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. # "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
# The default value is `testing`. # If unspecified, the default Podman machine image will be used.
# #
#image = "testing" #image = ""
# Memory in MB a machine is created with. # Memory in MB a machine is created with.
# #
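Review bot: the registry form is documented only as `docker://registry/repo/image:version`; say whether a digest reference is accepted as well, because pinning the bootable VM image by digest rather than by mutable tag is what a hardened deployment will want, and the comment currently gives no way to express it.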
@ -816,9 +888,22 @@ runtime = "crun"
# Virtualization provider used to run Podman machine. # Virtualization provider used to run Podman machine.
# If it is empty or commented out, the default provider will be used. # If it is empty or commented out, the default provider will be used.
# # Linux:
# qemu - Open source machine emulator and virtualizer. (Default)
# Windows: there are currently two options:
# wsl - Windows Subsystem for Linux (Default)
# hyperv - Windows Server Virtualization
# Mac: there are currently two options:
# applehv - Default Apple Hypervisor (Default)
# libkrun - Launch virtual machines using the libkrun platform, optimized
# for sharing GPU with the machine.
#provider = "" #provider = ""
# Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.
# The default value is `true`. Supported on AppleHV(arm64) machines only.
#
#rosetta=true
# The [machine] table MUST be the last entry in this file. # The [machine] table MUST be the last entry in this file.
# (Unless another table is added) # (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being # TOML does not provide a way to end a table other than a further table being
@ -832,3 +917,14 @@ runtime = "crun"
# #
# map of existing farms # map of existing farms
#[farms.list] #[farms.list]
[podmansh]
# Shell to spawn in container. Default: /bin/sh.
#shell = "/bin/sh"
#
# Name of the container the podmansh user should join.
#container = "podmansh"
#
# Default timeout in seconds for podmansh logins.
# Favored over the deprecated "podmansh_timeout" field.
#timeout = 30


@ -11,10 +11,9 @@ a TOML format that can be easily modified and versioned.
Container engines read the __/usr/share/containers/containers.conf__, Container engines read the __/usr/share/containers/containers.conf__,
__/etc/containers/containers.conf__, and __/etc/containers/containers.conf.d/\*.conf__ __/etc/containers/containers.conf__, and __/etc/containers/containers.conf.d/\*.conf__
files if they exist. for global configuration that effects all users.
When running in rootless mode, they also read For user specific configuration it reads __\$XDG_CONFIG_HOME/containers/containers.conf__ and
__$HOME/.config/containers/containers.conf__ and __\$XDG_CONFIG_HOME/containers/containers.conf.d/\*.conf__ files. When `$XDG_CONFIG_HOME` is not set it falls back to using `$HOME/.config` instead.
__$HOME/.config/containers/containers.conf.d/\*.conf__ files.
Fields specified in containers conf override the default options, as well as Fields specified in containers conf override the default options, as well as
options in previously read containers.conf files. options in previously read containers.conf files.
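Review bot: "global configuration that effects all users" should read "affects all users", and "For user specific configuration it reads" has no subject matching the plural "Container engines" of the preceding sentence; "they also read" keeps the paragraph consistent.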
@ -42,13 +41,13 @@ instance, `CONTAINERS_CONF=/tmp/my_containers.conf`.
## MODULES ## MODULES
A module is a containers.conf file located directly in or a sub-directory of the following three directories: A module is a containers.conf file located directly in or a sub-directory of the following three directories:
- __$HOME/.config/containers/containers.conf.modules__ - __\$XDG_CONFIG_HOME/containers/containers.conf.modules__ or __\$HOME/.config/containers/containers.conf.modules__ if `$XDG_CONFIG_HOME` is not set.
- __/etc/containers/containers.conf.modules__ - __/etc/containers/containers.conf.modules__
- __/usr/share/containers/containers.conf.modules__ - __/usr/share/containers/containers.conf.modules__
Files in those locations are not loaded by default but only on-demand. They are loaded after all system and user configuration files but before `CONTAINERS_CONF_OVERRIDE` hence allowing for overriding system and user configs. Files in those locations are not loaded by default but only on-demand. They are loaded after all system and user configuration files but before `CONTAINERS_CONF_OVERRIDE` hence allowing for overriding system and user configs.
Modules are currently supported by podman(1). The `podman --module` flag allows for loading a module and can be specified multiple times. If the specified value is an absolute path, the config file will be loaded directly. Relative paths are resolved relative to the three module directories mentioned above and in the specified order such that modules in `$HOME` allow for overriding those in `/etc` and `/usr/share`. Modules in `$HOME` (or `$XDG_CONFIG_HOME` if specified) are only used for rootless users. Modules are currently supported by podman(1). The `podman --module` flag allows for loading a module and can be specified multiple times. If the specified value is an absolute path, the config file will be loaded directly. Relative paths are resolved relative to the three module directories mentioned above and in the specified order such that modules in `$XDG_CONFIG_HOME/$HOME` allow for overriding those in `/etc` and `/usr/share`.
## APPENDING TO STRING ARRAYS ## APPENDING TO STRING ARRAYS
@ -59,7 +58,7 @@ Consider the following example:
modules1.conf: env=["1=true"] modules1.conf: env=["1=true"]
modules2.conf: env=["2=true"] modules2.conf: env=["2=true"]
modules3.conf: env=["3=true", {append=true}] modules3.conf: env=["3=true", {append=true}]
modules3.conf: env=["4=true"] modules4.conf: env=["4=true"]
``` ```
After loading the files in the given order, the final contents are `env=["2=true", "3=true", "4=true"]`. If modules4.conf would set `{append=false}`, the final contents would be `env=["4=true"]`. After loading the files in the given order, the final contents are `env=["2=true", "3=true", "4=true"]`. If modules4.conf would set `{append=false}`, the final contents would be `env=["4=true"]`.
@ -97,10 +96,12 @@ The default profile name is "container-default".
**base_hosts_file**="" **base_hosts_file**=""
The hosts entries from the base hosts file are added to the containers hosts Base file to create the `/etc/hosts` file inside the container. This must either
file. This must be either an absolute path or as special values "image" which be an absolute path to a file on the host system, or one of the following
uses the hosts file from the container image or "none" which means special flags:
no base hosts file is used. The default is "" which will use /etc/hosts. "" Use the host's `/etc/hosts` file (the default)
`none` Do not use a base file (i.e. start with an empty file)
`image` Use the container image's `/etc/hosts` file as base file
**cgroup_conf**=[] **cgroup_conf**=[]
@ -118,7 +119,7 @@ Options are:
**cgroupns**="private" **cgroupns**="private"
Default way to to create a cgroup namespace for the container. Default way to create a cgroup namespace for the container.
Options are: Options are:
`private` Create private Cgroup Namespace for the container. `private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container. `host` Share host Cgroup Namespace with the container.
@ -196,13 +197,25 @@ Pass all host environment variables into the container.
**host_containers_internal_ip**="" **host_containers_internal_ip**=""
Set the ip for the host.containers.internal entry in the containers /etc/hosts Set the IP address the container should expect to connect to the host. The IP
file. This can be set to "none" to disable adding this entry. By default it address is used by Podman to automatically add the `host.containers.internal`
will automatically choose the host ip. and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It
is also used for the *host-gateway* flag of Podman's `--add-host` CLI option.
If no IP address is configured (the default), Podman will try to determine it
automatically, but might fail to do so depending on the container's network
setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
NOTE: When using podman machine this entry will never be added to the containers Note: If Podman is running in a virtual machine using `podman machine` (this
hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore includes Mac and Windows hosts), Podman will silently skip adding the internal
it is not possible to disable the entry in this case. hostnames to `/etc/hosts`, unless an IP address was configured manually. The
internal hostnames are resolved by the gvproxy DNS resolver instead. This config
has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
a manually configured IP address still takes precedence.
Note: This config doesn't affect the actual network setup, it just tells Podman
the IP address it should expect. Configuring an IP address here doesn't ensure
that the container can actually reach the host using this IP address.
**http_proxy**=true **http_proxy**=true
@ -227,9 +240,16 @@ Path to the container-init binary, which forwards signals and reaps processes
within containers. Note that the container-init binary will only be used when within containers. Note that the container-init binary will only be used when
the `--init` for podman-create and podman-run is set. the `--init` for podman-create and podman-run is set.
**interface_name**=""
Default way to set interface names inside containers. Defaults to legacy pattern
of ethX, where X is an integer, when left undefined.
Options are:
`device` Uses the network_interface name from the network config as interface name. Falls back to the ethX pattern if the network_interface is not set.
**ipcns**="shareable" **ipcns**="shareable"
Default way to to create a IPC namespace for the container. Default way to create a IPC namespace for the container.
Options are: Options are:
`host` Share host IPC Namespace with the container. `host` Share host IPC Namespace with the container.
`none` Create shareable IPC Namespace for the container without a private /dev/shm. `none` Create shareable IPC Namespace for the container without a private /dev/shm.
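Review bot: "Default way to create a IPC namespace" should read "an IPC namespace"; the hunk fixes the doubled "to to" but leaves the article. The new interface_name entry, like its containers.conf counterpart, lists only `device` under "Options are:" and never names the empty default; add the ethX default as an explicit option.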
@ -276,7 +296,7 @@ Example: [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ]
**netns**="private" **netns**="private"
Default way to to create a NET namespace for the container. Default way to create a NET namespace for the container.
Options are: Options are:
`private` Create private NET Namespace for the container. `private` Create private NET Namespace for the container.
`host` Share host NET Namespace with the container. `host` Share host NET Namespace with the container.
@ -284,8 +304,10 @@ Options are:
**no_hosts**=false **no_hosts**=false
Create /etc/hosts for the container. By default, container engines manage Do not modify the `/etc/hosts` file in the container. Podman assumes control
/etc/hosts, automatically adding the container's own IP address. over the container's `/etc/hosts` file by default; refer to the `--add-host`
CLI option for details. To disable this, either set this config to `true`, or
use the functionally identical `--no-hosts` CLI option.
**oom_score_adj**=0 **oom_score_adj**=0
@ -293,7 +315,7 @@ Tune the host's OOM preferences for containers (accepts values from -1000 to 100
**pidns**="private" **pidns**="private"
Default way to to create a PID namespace for the container. Default way to create a PID namespace for the container.
Options are: Options are:
`private` Create private PID Namespace for the container. `private` Create private PID Namespace for the container.
`host` Share host PID Namespace with the container. `host` Share host PID Namespace with the container.
@ -346,14 +368,14 @@ Sets umask inside the container.
**userns**="host" **userns**="host"
Default way to to create a USER namespace for the container. Default way to create a USER namespace for the container.
Options are: Options are:
`private` Create private USER Namespace for the container. `private` Create private USER Namespace for the container.
`host` Share host USER Namespace with the container. `host` Share host USER Namespace with the container.
**utsns**="private" **utsns**="private"
Default way to to create a UTS namespace for the container. Default way to create a UTS namespace for the container.
Options are: Options are:
`private` Create private UTS Namespace for the container. `private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container. `host` Share host UTS Namespace with the container.
@ -436,10 +458,10 @@ default_subnet_pools = [
] ]
``` ```
**default_rootless_network_cmd**="slirp4netns" **default_rootless_network_cmd**="pasta"
Configure which rootless network program to use by default. Valid options are Configure which rootless network program to use by default. Valid options are
`slirp4netns` (default) and `pasta`. `slirp4netns` and `pasta` (default).
**network_config_dir**="/etc/cni/net.d/" **network_config_dir**="/etc/cni/net.d/"
@ -449,6 +471,13 @@ and __$HOME/.config/cni/net.d__ as rootless.
For the netavark backend "/etc/containers/networks" is used as root For the netavark backend "/etc/containers/networks" is used as root
and "$graphroot/networks" as rootless. and "$graphroot/networks" as rootless.
**firewall_driver**=""
The firewall driver to be used by netavark.
The default is empty which means netavark will pick one accordingly. Current supported
drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
experimental at the moment and not recommend outside of testing).
**dns_bind_port**=53 **dns_bind_port**=53
Port to use for dns forwarding daemon with netavark in rootful bridge Port to use for dns forwarding daemon with netavark in rootful bridge
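Review bot: "not recommend outside of testing" should read "not recommended outside of testing". Since the man page is where operators look before changing the firewall driver, a sentence on what "none" means for published ports (no forwarding or NAT rules are created for them) belongs here too.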
@ -473,6 +502,9 @@ Name of destination for accessing the Podman service. See SERVICE DESTINATION TA
List of compression algorithms. If set makes sure that requested compression variant List of compression algorithms. If set makes sure that requested compression variant
for each platform is added to the manifest list keeping original instance intact in for each platform is added to the manifest list keeping original instance intact in
the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`). the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
in that case.
Note: This is different from `compression_format` which allows users to select a default Note: This is different from `compression_format` which allows users to select a default
compression format for `push` and `manifest push`, while `add_compression` is limited to compression format for `push` and `manifest push`, while `add_compression` is limited to
@ -569,7 +601,7 @@ The unit can be b (bytes), k (kilobytes), m (megabytes) or g (gigabytes).
The format for the size is `<number><unit>`, e.g., `1b` or `3g`. The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
If no unit is included then the size will be in bytes. If no unit is included then the size will be in bytes.
When the limit is exceeded, the logfile will be rotated and the old one will be deleted. When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
If the maximumn size is set to 0, then no limit will be applied, If the maximum size is set to 0, then no limit will be applied,
and the logfile will not be rotated. and the logfile will not be rotated.
**events_logger**="journald" **events_logger**="journald"
@ -580,7 +612,7 @@ The default method is different based on the platform that
Podman is being run upon. To determine the current value, Podman is being run upon. To determine the current value,
use this command: use this command:
`podman info --format {{.Host.EventLogger}` `podman info --format {{.Host.EventLogger}}`
Valid values are: `file`, `journald`, and `none`. Valid values are: `file`, `journald`, and `none`.
@ -589,6 +621,17 @@ Valid values are: `file`, `journald`, and `none`.
Creates a more verbose container-create event which includes a JSON payload Creates a more verbose container-create event which includes a JSON payload
with detailed information about the container. Set to false by default. with detailed information about the container. Set to false by default.
**healthcheck_events**=true|false
Whenever Podman should log healthcheck events.
With many running healthcheck on short interval Podman will spam the event
log a lot as it generates a event for each single healthcheck run. Because
this event is optional and only useful to external consumers that may want
to know when a healthcheck is run or failed allow users to turn it off by
setting it to false.
Default is true.
**helper_binaries_dir**=["/usr/libexec/podman", ...] **helper_binaries_dir**=["/usr/libexec/podman", ...]
A is a list of directories which are used to search for helper binaries. A is a list of directories which are used to search for helper binaries.
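Review bot: `**healthcheck_events**=true|false` departs from the convention used by the other boolean entries in this file, which show the default value (for example `**no_hosts**=false`); write `**healthcheck_events**=true`. The body carries the same grammar problems as the containers.conf comment ("Whenever" for "Whether", "a event" for "an event", "many running healthcheck on short interval").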
@ -630,6 +673,10 @@ The default path on Windows is:
Path to the OCI hooks directories for automatically executed hooks. Path to the OCI hooks directories for automatically executed hooks.
**cdi_spec_dirs**=["/etc/cdi", ...]
Directories to scan for CDI Spec files.
**image_default_format**="oci"|"v2s2"|"v2s1" **image_default_format**="oci"|"v2s2"|"v2s1"
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
@ -722,10 +769,11 @@ Whether to use chroot instead of pivot_root in the runtime.
**num_locks**=2048 **num_locks**=2048
Number of locks available for containers and pods. Each created container or Number of locks available for containers, pods, and volumes.
pod consumes one lock. The default number available is 2048. If this is Each created container, pod, or volume consumes one lock.
changed, a lock renumbering must be performed, using the Locks are recycled and can be reused after the associated container, pod, or volume is removed.
`podman system renumber` command. The default number available is 2048.
If this is changed, a lock renumbering must be performed, using the `podman system renumber` command.
**pod_exit_policy**="continue" **pod_exit_policy**="continue"
@ -749,13 +797,21 @@ Pull image before running or creating a container. The default is **missing**.
Indicates whether the application should be running in remote mode. This flag modifies the Indicates whether the application should be running in remote mode. This flag modifies the
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service. --remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
**retry** = 3
Number of times to retry pulling/pushing images in case of failure.
**retry_delay** = ""
Delay between retries in case pulling/pushing image fails. If set, container engines will retry at the set interval, otherwise they delay 2 seconds and then exponentially back off.
**runtime**="" **runtime**=""
Default OCI specific runtime in runtimes that will be used by default. Must Default OCI specific runtime in runtimes that will be used by default. Must
refer to a member of the runtimes table. Default runtime will be searched for refer to a member of the runtimes table. Default runtime will be searched for
on the system using the priority: "crun", "runc", "kata". on the system using the priority: "crun", "runc", "runj", "kata", "runsc", "ocijail"
**runtime_supports_json**=["crun", "runc", "kata", "runsc", "youki", "krun"] **runtime_supports_json**=["crun", "crun-vm", "runc", "kata", "runsc", "youki", "krun"]
The list of the OCI runtimes that support `--format=json`. The list of the OCI runtimes that support `--format=json`.
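Review bot: `**retry** = 3` and `**retry_delay** = ""` put spaces around "=" whereas every other entry in this file is written `**name**=value`; align them. The expanded runtime search priority list ("crun", "runc", "runj", "kata", "runsc", "ocijail") is also missing its closing period.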
@ -763,7 +819,7 @@ The list of the OCI runtimes that support `--format=json`.
The list of OCI runtimes that support running containers with KVM separation. The list of OCI runtimes that support running containers with KVM separation.
**runtime_supports_nocgroups**=["crun", "krun"] **runtime_supports_nocgroups**=["crun", "crun-vm", "krun"]
The list of OCI runtimes that support running containers without CGroups. The list of OCI runtimes that support running containers without CGroups.
@ -814,7 +870,12 @@ the primary uid/gid of the container.
**compression_format**="gzip" **compression_format**="gzip"
Specifies the compression format to use when pushing an image. Supported values are: `gzip`, `zstd` and `zstd:chunked`. Specifies the compression format to use when pushing an image. Supported values
are: `gzip`, `zstd` and `zstd:chunked`. This field is ignored when pushing
images to the docker-daemon and docker-archive formats. It is also ignored
when the manifest format is set to v2s2.
`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
in that case.
**compression_level**="5" **compression_level**="5"
@ -823,10 +884,6 @@ depend on the compression format used. For gzip, valid options are
1-9, with a default of 5. For zstd, valid options are 1-20, with a 1-9, with a default of 5. For zstd, valid options are 1-20, with a
default of 3. default of 3.
**podmansh_timeout**=30
Number of seconds to wait for podmansh logins.
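Review bot: removing the podmansh_timeout entry outright from the engine table leaves the PODMANSH TABLE's reference to "the deprecated field `engine.podmansh_timeout`" pointing at nothing; keep a one-line entry marked deprecated that redirects to `[podmansh] timeout`, so readers of existing configurations can find the replacement.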
## SERVICE DESTINATION TABLE ## SERVICE DESTINATION TABLE
The `engine.service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. The `engine.service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -883,13 +940,13 @@ The size of the disk in GB created when init-ing a podman-machine VM
**image**="" **image**=""
Default image URI when creating a new VM using `podman machine init`. Image used when creating a new VM using `podman machine init`.
Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major Can be specified as a registry with a bootable OCI artifact, download URL, or a local path.
version of the OS (e.g `36`) for Fedora 36. For all platforms you can Registry target must be in the form of `docker://registry/repo/image:version`.
alternatively specify a custom download URL to an image. Container engines Container engines translate URIs $OS and $ARCH to the native OS and ARCH.
translate URIs $OS and $ARCH to the native OS and ARCH. URI "https://example.com/$OS/$ARCH/foobar.ami" would become "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. URI "https://example.com/$OS/$ARCH/foobar.ami" would become
The default value "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
is `testing` on Linux/Mac, and on Windows. If unspecified, the default Podman machine image will be used.
**memory**=2048 **memory**=2048
@ -914,8 +971,19 @@ On Mac, the default volumes are:
**provider**="" **provider**=""
Virtualization provider to be used for running a podman-machine VM. Empty value Virtualization provider to be used for running a podman-machine VM. Empty value
is interpreted as the default provider for the current host OS. On Linux/Mac is interpreted as the default provider for the current host OS.
default is `QEMU` and on Windows it is `WSL`.
| Platform | Default Virtualization provider | Optional |
| -------- | --------------------------------------- | -------- |
| Linux | "" (qemu) | None |
| Windows | "" ("wsl": Windows Subsystem for Linux) | "hyperv" (Windows Server Virtualization) |
| Mac | "" ("applehv": Apple Hypervisor) | "libkrun" (Launch machine via libkrun platform, optimized for sharing GPU with the machine) |
**rosetta**="true"
Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.
The default value is `true`. Supported on AppleHV(arm64) machines only.
## FARMS TABLE ## FARMS TABLE
The `farms` table contains configuration options used to group up remote connections into farms that will be used when sending out builds to different machines in a farm via `podman buildfarm`. The `farms` table contains configuration options used to group up remote connections into farms that will be used when sending out builds to different machines in a farm via `podman buildfarm`.
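Review bot: `**rosetta**="true"` documents the value as a quoted string while the text underneath describes a boolean default; write it as `**rosetta**=true` so it matches how a TOML boolean is actually set. In the provider table, the third column header "Optional" does not say what the column lists ("Alternative providers" would), and the Linux row's `(qemu)` should be formatted like the other rows' `("wsl": ...)` entries for consistency.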
@ -928,6 +996,25 @@ The default farm to use when farming out builds.
Map of farms created where the key is the farm name and the value is the list of system connections. Map of farms created where the key is the farm name and the value is the list of system connections.
## PODMANSH TABLE
The `podmansh` table contains configuration options used by podmansh.
**shell**="/bin/sh"
The shell to spawn in the container.
The default value is `/bin/sh`.
**container**="podmansh"
Name of the container that podmansh joins.
The default value is `podmansh`.
**timeout**=0
Number of seconds to wait for podmansh logins. This value if favoured over the deprecated field `engine.podmansh_timeout` if set.
The default value is 30.
# FILES # FILES
**containers.conf** **containers.conf**
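Review bot: `**timeout**=0` in the new podmansh table contradicts "The default value is 30." two lines below it; either show the header as `**timeout**=30` or explain that 0 means unset and falls back to `engine.podmansh_timeout`. In the same block, "This value if favoured over" should read "is favoured over".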
@ -937,8 +1024,8 @@ provide a default configuration. Administrators can override fields in this
file by creating __/etc/containers/containers.conf__ to specify their own file by creating __/etc/containers/containers.conf__ to specify their own
configuration. They may also drop `.conf` files in configuration. They may also drop `.conf` files in
__/etc/containers/containers.conf.d__ which will be loaded in alphanumeric order. __/etc/containers/containers.conf.d__ which will be loaded in alphanumeric order.
Rootless users can further override fields in the config by creating a config For user specific configuration it reads __\$XDG_CONFIG_HOME/containers/containers.conf__ and
file stored in the __$HOME/.config/containers/containers.conf__ file or __.conf__ files in __$HOME/.config/containers/containers.conf.d__. __\$XDG_CONFIG_HOME/containers/containers.conf.d/\*.conf__ files. When `$XDG_CONFIG_HOME` is not set it falls back to using `$HOME/.config` instead.
Fields specified in a containers.conf file override the default options, as Fields specified in a containers.conf file override the default options, as
well as options in previously loaded containers.conf files. well as options in previously loaded containers.conf files.
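Review bot: the escaping in the new FILES paragraph is inconsistent: `\$XDG_CONFIG_HOME` and `\*.conf` are backslash-escaped, while `$HOME/.config` and the backticked `$XDG_CONFIG_HOME` are not, which renders differently depending on the markdown-to-man converter. Use one form throughout, and hyphenate "user-specific configuration".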

View File

@ -25,3 +25,4 @@ default-docker:
# privateregistry.com: # privateregistry.com:
# lookaside: https://privateregistry.com/sigstore/ # lookaside: https://privateregistry.com/sigstore/
# lookaside-staging: /mnt/nfs/privateregistry/sigstore # lookaside-staging: /mnt/nfs/privateregistry/sigstore

View File

@ -55,9 +55,16 @@
{ {
"names": [ "names": [
"bdflush", "bdflush",
"cachestat",
"futex_requeue",
"futex_wait",
"futex_waitv",
"futex_wake",
"io_pgetevents", "io_pgetevents",
"io_pgetevents_time64",
"kexec_file_load", "kexec_file_load",
"kexec_load", "kexec_load",
"map_shadow_stack",
"migrate_pages", "migrate_pages",
"move_pages", "move_pages",
"nfsservctl", "nfsservctl",
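Review bot: the group receiving `cachestat`, `futex_requeue`, `futex_wait`, `futex_waitv`, `futex_wake`, `io_pgetevents_time64` and `map_shadow_stack` is the one that also lists `bdflush`, `kexec_load`, `nfsservctl` and `uselib`, i.e. legacy and privileged syscalls, and its action is outside this hunk. The futex2 family, `cachestat` and `map_shadow_stack` are unprivileged general-purpose calls, so confirm that this group's action is the one intended for them and record the reason in the group's comment field.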
@ -72,9 +79,9 @@
"pciconfig_write", "pciconfig_write",
"sgetmask", "sgetmask",
"ssetmask", "ssetmask",
"swapcontext",
"swapoff", "swapoff",
"swapon", "swapon",
"syscall",
"sysfs", "sysfs",
"uselib", "uselib",
"userfaultfd", "userfaultfd",
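Review bot: `syscall` is added to this group while the `-427,7 +431,6` hunk below removes it from the allow list, which changes its treatment from ALLOW to this group's action on arches that expose an indirect `syscall` entry point. That is a behaviour change and deserves a changelog line in the spec; `swapcontext` is likewise added here and again to the `sync_file_range2` group further down, so the two additions should be reviewed together.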
@ -149,6 +156,7 @@
"fchdir", "fchdir",
"fchmod", "fchmod",
"fchmodat", "fchmodat",
"fchmodat2",
"fchown", "fchown",
"fchown32", "fchown32",
"fchownat", "fchownat",
@ -316,7 +324,6 @@
"pwritev2", "pwritev2",
"read", "read",
"readahead", "readahead",
"readdir",
"readlink", "readlink",
"readlinkat", "readlinkat",
"readv", "readv",
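Review bot: dropping `readdir` from the allow list removes the legacy 32-bit x86 `old_readdir` entry point; i386 binaries built against very old libcs would now get the profile's default action instead of ALLOW. If that is intended, say so in the changelog; otherwise keep the entry.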
@ -404,16 +411,13 @@
"shmdt", "shmdt",
"shmget", "shmget",
"shutdown", "shutdown",
"sigaction",
"sigaltstack", "sigaltstack",
"signal", "signal",
"signalfd", "signalfd",
"signalfd4", "signalfd4",
"sigpending",
"sigprocmask", "sigprocmask",
"sigreturn", "sigreturn",
"sigsuspend", "socket",
"socket",
"socketcall", "socketcall",
"socketpair", "socketpair",
"splice", "splice",
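Review bot: `sigaction`, `sigpending` and `sigsuspend` are removed while `signal`, `sigprocmask` and `sigreturn` from the same legacy signal family stay on the allow list. State the criterion (which arches or libcs still need the pre-rt entry points) and apply it uniformly, or keep the three so 32-bit binaries that use the old signal calls keep working.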
@ -427,7 +431,6 @@
"sync", "sync",
"sync_file_range", "sync_file_range",
"syncfs", "syncfs",
"syscall",
"sysinfo", "sysinfo",
"syslog", "syslog",
"tee", "tee",
@ -440,7 +443,6 @@
"timer_gettime64", "timer_gettime64",
"timer_settime", "timer_settime",
"timer_settime64", "timer_settime64",
"timerfd",
"timerfd_create", "timerfd_create",
"timerfd_gettime", "timerfd_gettime",
"timerfd_gettime64", "timerfd_gettime64",
@ -562,7 +564,8 @@
}, },
{ {
"names": [ "names": [
"sync_file_range2" "sync_file_range2",
"swapcontext"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [], "args": [],
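Review bot: `swapcontext` is now listed both here under SCMP_ACT_ALLOW (with whatever arch filter this `sync_file_range2` group carries, which is not visible in the hunk) and in the first group at `+79,9` next to `sgetmask`/`ssetmask`. Two rules with different actions for the same syscall on an arch matched by both is a conflict; confirm the arch include makes the two rules disjoint, or keep `swapcontext` in only one of them.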
@ -642,6 +645,20 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"riscv_flush_icache"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"arches": [
"riscv64"
]
},
"excludes": {}
},
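Review bot: the new `riscv_flush_icache` entry leaves `"comment": ""` empty; put the reason there (riscv64 instruction-cache maintenance after writing code, needed by JITs and dynamic loaders) so the arch-specific exception is self-documenting.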
{ {
"names": [ "names": [
"open_by_handle_at" "open_by_handle_at"
@ -677,8 +694,8 @@
"bpf", "bpf",
"fanotify_init", "fanotify_init",
"lookup_dcookie", "lookup_dcookie",
"perf_event_open",
"quotactl", "quotactl",
"quotactl_fd",
"setdomainname", "setdomainname",
"sethostname", "sethostname",
"setns" "setns"
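Review bot: this group drops `perf_event_open` but keeps `bpf`, while the following hunk (`-695,11 +712,11`) drops `bpf` but keeps `perf_event_open`; both syscalls now get dedicated cap-gated rules at the end of the file, so explain the asymmetry in each group's comment field or remove both syscalls from both groups. Adding `quotactl_fd` next to `quotactl` in both groups is consistent.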
@ -695,11 +712,11 @@
}, },
{ {
"names": [ "names": [
"bpf",
"fanotify_init", "fanotify_init",
"lookup_dcookie", "lookup_dcookie",
"perf_event_open", "perf_event_open",
"quotactl", "quotactl",
"quotactl_fd",
"setdomainname", "setdomainname",
"sethostname", "sethostname",
"setns" "setns"
@ -1047,6 +1064,68 @@
] ]
}, },
"excludes": {} "excludes": {}
},
{
"names": [
"bpf"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN",
"CAP_BPF"
]
},
"errnoRet": 1,
"errno": "EPERM"
},
{
"names": [
"bpf"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_BPF"
]
},
"excludes": {}
},
{
"names": [
"perf_event_open"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN",
"CAP_BPF"
]
},
"errnoRet": 1,
"errno": "EPERM"
},
{
"names": [
"perf_event_open"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_PERFMON"
]
},
"excludes": {}
} }
] ]
} }
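Review bot: the `perf_event_open` SCMP_ACT_ERRNO rule excludes `CAP_SYS_ADMIN` and `CAP_BPF`, the same list as the `bpf` rule above it, but its ALLOW counterpart is keyed on `CAP_PERFMON`. A container granted only `CAP_PERFMON` therefore matches both the EPERM rule and the ALLOW rule. The exclude list looks copied from the `bpf` rule and should read `CAP_SYS_ADMIN`, `CAP_PERFMON`. All four new rules also have empty `"comment"` fields; state the cap-gating intent there.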

View File

@ -1 +0,0 @@
SHA512 (v0.60.2.tar.gz) = 0f0495adfbac1c1cea3a209d506495617e727523b4edf436225df79c7378bad1ea5504a94e0e54322601585a5740f67cef81b971a0825d5180c2c29da703fc82
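Review bot: the `sources` file loses the `v0.60.2.tar.gz` checksum with no replacement line anywhere in this diff; confirm the SHA512 entry for the new tarball is added (or lands in a separate lookaside push) before this is built, otherwise the build has no source to fetch.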