import UBI containers-common-1-117.el9_6

eabdullin 2025-05-13 14:52:51 +00:00
parent d8de6630ae
commit 1e51980161
11 changed files with 1305 additions and 262 deletions



@ -71,7 +71,7 @@ Default directory to store all temporary writable content created by container s
By default, the storage driver is set via the `driver` option. If it is not defined, then the best driver will be picked according to the current platform. This option allows you to override this internal priority list with a custom one to prefer certain drivers.
Setting this option only has an effect if the local storage has not been initialized yet and the driver name is not set.
**transient_store** = "false" | "true"
**transient_store** = "false"|"true"
Transient store mode makes all container metadata be saved in temporary storage
(i.e. runroot above). This is faster, but doesn't persist across reboots.
@ -84,33 +84,6 @@ The `storage.options` table supports the following options:
**additionalimagestores**=[]
Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
**pull_options** = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
Allows specification of how storage is populated when pulling images. This
option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks
for files within images that are being pulled from a container registry that
were previously pulled to the host. It can copy or create
a hard link to the existing file when it finds them, eliminating the need to pull them from the
container registry. These options can deduplicate pulling of content, disk
storage of content and can allow the kernel to use less memory when running
containers.
containers/storage supports four keys
* enable_partial_images="true" | "false"
Tells containers/storage to look for files previously pulled in storage
rather then always pulling them from the container registry.
* use_hard_links = "false" | "true"
Tells containers/storage to use hard links rather then create new files in
the image, if an identical file already existed in storage.
* ostree_repos = ""
Tells containers/storage where an ostree repository exists that might have
previously pulled content which can be used when attempting to avoid
pulling content from the container registry
* convert_images = "false" | "true"
If set to true, containers/storage will convert images to a format compatible with
partial pulls in order to take advantage of local deduplication and hardlinking. It is an
expensive operation so it is not enabled by default.
**root-auto-userns-user**=""
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.
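Review bot: the paragraph removed at L24-31 is the only text that explains the mechanism behind partial pulls (files already present on the host are copied or hard-linked instead of re-fetched, which cuts registry traffic, disk use and kernel memory), and the STORAGE PULL OPTIONS TABLE intro that replaces it at L53 does not carry that explanation over. Keep one sentence of it in the new table's introduction so readers still see why `enable_partial_images` and `use_hard_links` belong together.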
@ -123,6 +96,55 @@ containers/storage supports four keys
**disable-volatile**=true
If disable-volatile is set, then the "volatile" mount optimization is disabled for all the containers.
### STORAGE PULL OPTIONS TABLE
The `storage.options.pull_options` table supports the following keys:
**enable_partial_images="true"|"false"**
Enable the "zstd:chunked" feature, which allows partial pulls, reusing
content that already exists on the system. This is disabled by default,
and must be explicitly enabled to be used. For more on zstd:chunked, see
<https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md>.
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
**use_hard_links="false"|"true"**
Tells containers/storage to use hard links rather then create new files in
the image, if an identical file already existed in storage.
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
**ostree_repos=""**
Path to an ostree repository that might have
previously pulled content which can be used when attempting to avoid
pulling content from the container registry.
**convert_images="false"|"true"**
If set to "true", containers/storage will convert images that are
not already in zstd:chunked format to that format before processing
in order to take advantage of local deduplication and hard linking.
It is an expensive operation so it is not enabled by default.
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
**insecure_allow_unpredictable_image_contents="false"|"true"**
This should _almost never_ be set.
It allows partial pulls of images without guaranteeing that "partial
pulls" and non-partial pulls both result in consistent image contents.
This allows pulling estargz images and early versions of zstd:chunked images;
otherwise, these layers always use the traditional non-partial pull path.
This option should be enabled _extremely_ rarely, only if _all_ images that could
EVER be conceivably pulled on this system are _guaranteed_ (e.g. using a signature policy)
to come from a build system trusted to never attack image integrity.
If this consistency enforcement were disabled, malicious images could be built
in a way designed to evade other audit mechanisms, so presence of most other audit
mechanisms is not a replacement for the above-mentioned need for all images to come
from a trusted build system.
As a side effect, enabling this option will also make image IDs unpredictable
(usually not equal to the traditional value matching the config digest).
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
### STORAGE OPTIONS FOR AUFS TABLE
The `storage.options.aufs` table supports the following options:
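Review bot: `insecure_allow_unpredictable_image_contents` (L74-89) is the one entry in this table that never states its default, even though it is the option with the largest blast radius; the other string-bools say "disabled by default" or "not enabled by default". Add an explicit "This is disabled by default." after L89 so an operator auditing storage.conf does not have to infer it from the name. Also, L61 carries the "rather then" typo over from the removed text; it should read "rather than create new files".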
@ -145,7 +167,8 @@ The `storage.options.btrfs` table supports the following options:
The `storage.options.overlay` table supports the following options:
**ignore_chown_errors** = "false"
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false)
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: "false")
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
**inodes**=""
Maximum inodes in a read/write layer. This flag can be used to set a quota on the inodes allocated for a read/write layer of a container.
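Review bot: L96 is already being rewritten to change the default from `false` to `"false"`, so fix the wording in the same pass: "non privileged" should be "non-privileged", and "multiple uids" should use "UIDs" as the next sentence does. The identical sentence for the vfs driver at L117 has the same two issues.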
@ -194,21 +217,26 @@ based file systems.
**mountopt**=""
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
**skip_mount_home=""**
**skip_mount_home="false"**
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
**size**=""
Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
**use_composefs** = "false"
Use ComposeFS to mount the data layers image. ComposeFS support is experimental and not recommended for production use. (default: false)
Use ComposeFS to mount the data layers image. ComposeFS support is experimental and not recommended for production use.
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
### STORAGE OPTIONS FOR VFS TABLE
The `storage.options.vfs` table supports the following options:
**ignore_chown_errors** = "false"
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false)
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container.
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
### STORAGE OPTIONS FOR ZFS TABLE
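Review bot: the `use_composefs` (L110 to L111) and vfs `ignore_chown_errors` (L116 to L117) rewrites delete the "(default: false)" parenthetical and replace it with the string-bool note, which only says what type the value has, not what it defaults to; the overlay entry at L96 kept an explicit `(default: "false")`. Keep the explicit default in all three so the drivers are documented the same way. The `skip_mount_home` change at L103 to L104 is right: the displayed default now matches the string-bool note that follows it.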


@ -71,13 +71,15 @@ An image stored in the docker daemon's internal storage.
The image must be specified as a _docker-reference_ or in an alternative _algo_`:`_digest_ format when being used as an image source.
The _algo_`:`_digest_ refers to the image ID reported by docker-inspect(1).
### **oci:**_path_[`:`_reference_]
### **oci:**_path_[`:`{_reference_|`@`_source-index_}]
An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_.
The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an image, the directory must contain exactly one image.
For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images).
If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image.
### **oci-archive:**_path_[`:`_reference_]
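Review bot: L133 spells the new token as `@_source_index` while L127 and L132 use `@_source-index_`; the underscore variant lacks the closing italic marker, so the three mentions will render differently in the man page. Use `@_source-index_` throughout. L132 would also read more clearly if it said which array the zero-based index selects from (the top-level index's manifest list) rather than "index in manifest".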


@ -27,16 +27,19 @@
#
#apparmor_profile = "container-default"
# The hosts entries from the base hosts file are added to the containers hosts
# file. This must be either an absolute path or as special values "image" which
# uses the hosts file from the container image or "none" which means
# no base hosts file is used. The default is "" which will use /etc/hosts.
# Base file to create the `/etc/hosts` file inside the container. This must either
# be an absolute path to a file on the host system, or one of the following
# special flags:
# "" Use the host's `/etc/hosts` file (the default)
# `none` Do not use a base file (i.e. start with an empty file)
# `image` Use the container image's `/etc/hosts` file as base file
#
#base_hosts_file = ""
# List of cgroup_conf entries specifying a list of cgroup files to write to and
# their values. For example `memory.high=1073741824` sets the
# memory.high limit to 1GB.
#
# cgroup_conf = []
# Default way to to create a cgroup namespace for the container
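Review bot: L158, the unchanged context line "Default way to to create a cgroup namespace", has a doubled "to"; since this hunk already rewrites the surrounding comment block, drop the duplicate here. In the new text, L148 quotes the default as `""` while L149-150 put `none` and `image` in backticks; quoting all three the same way (`""`, `"none"`, `"image"`) would make clear that they are literal TOML string values.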
@ -55,6 +58,14 @@
#
#cgroups = "enabled"
# When no hostname is set for a container, use the container's name, with
# characters not valid for a hostname removed, as the hostname instead of
# the first 12 characters of the container's ID. Containers not running
# in a private UTS namespace will have their hostname set to the host's
# hostname regardless of this setting.
#
#container_name_as_hostname = false
# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#
@ -126,13 +137,25 @@ default_sysctls = [
#
#env_host = false
# Set the ip for the host.containers.internal entry in the containers /etc/hosts
# file. This can be set to "none" to disable adding this entry. By default it
# will automatically choose the host ip.
# Set the IP address the container should expect to connect to the host. The IP
# address is used by Podman to automatically add the `host.containers.internal`
# and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It
# is also used for the *host-gateway* flag of Podman's `--add-host` CLI option.
# If no IP address is configured (the default), Podman will try to determine it
# automatically, but might fail to do so depending on the container's network
# setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
# Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
#
# NOTE: When using podman machine this entry will never be added to the containers
# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
# it is not possible to disable the entry in this case.
# Note: If Podman is running in a virtual machine using `podman machine` (this
# includes Mac and Windows hosts), Podman will silently skip adding the internal
# hostnames to `/etc/hosts`, unless an IP address was configured manually. The
# internal hostnames are resolved by the gvproxy DNS resolver instead. This config
# has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
# a manually configured IP address still takes precedence.
#
# Note: This config doesn't affect the actual network setup, it just tells Podman
# the IP address it should expect. Configuring an IP address here doesn't ensure
# that the container can actually reach the host using this IP address.
#
#host_containers_internal_ip = ""
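Review bot: L185 tells the reader to set the key to `none`, but `host_containers_internal_ip` takes a string (L201 shows `""`) and a bare `none` is not a valid TOML value, so the comment should show it quoted as `"none"` or add a commented example such as `#host_containers_internal_ip = "none"`. The note at L190-195 would be more actionable if it led with the one operational fact it contains: under `podman machine`, configuring an IP manually is the only way to get the internal hostnames into `/etc/hosts`.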
@ -221,8 +244,10 @@ default_sysctls = [
#
#netns = "private"
# Create /etc/hosts for the container. By default, container engine manage
# /etc/hosts, automatically adding the container's own IP address.
# Do not modify the `/etc/hosts` file in the container. Podman assumes control
# over the container's `/etc/hosts` file by default; refer to the `--add-host`
# CLI option for details. To disable this, either set this config to `true`, or
# use the functionally identical `--no-hosts` CLI option.
#
#no_hosts = false
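Review bot: "To disable this" at L209 is ambiguous: after the opening sentence "Do not modify the `/etc/hosts` file in the container" (L207), "this" can be read as the option's own behaviour rather than Podman's management of the file. Suggest "To stop Podman from managing `/etc/hosts`, set this config to `true` or use the functionally identical `--no-hosts` CLI option."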
@ -416,6 +441,8 @@ default_sysctls = [
#List of compression algorithms. If set makes sure that requested compression variant
#for each platform is added to the manifest list keeping original instance intact in
#the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
#in that case.
#
#add_compression = ["gzip", "zstd", "zstd:chunked"]
@ -438,6 +465,8 @@ default_sysctls = [
# This field is ignored when pushing images to the docker-daemon and
# docker-archive formats. It is also ignored when the manifest format is set
# to v2s2.
# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
# in that case.
#
#compression_format = "gzip"
@ -866,7 +895,15 @@ runtime = "crun"
# Virtualization provider used to run Podman machine.
# If it is empty or commented out, the default provider will be used.
#
# Linux:
# qemu - Open source machine emulator and virtualizer. (Default)
# Windows: there are currently two options:
# wsl - Windows Subsystem for Linux (Default)
# hyperv - Windows Server Virtualization
# Mac: there are currently two options:
# applehv - Default Apple Hypervisor (Default)
# libkrun - Launch virtual machines using the libkrun platform, optimized
# for sharing GPU with the machine.
#provider = ""
# Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.


@ -96,10 +96,12 @@ The default profile name is "container-default".
**base_hosts_file**=""
The hosts entries from the base hosts file are added to the containers hosts
file. This must be either an absolute path or as special values "image" which
uses the hosts file from the container image or "none" which means
no base hosts file is used. The default is "" which will use /etc/hosts.
Base file to create the `/etc/hosts` file inside the container. This must either
be an absolute path to a file on the host system, or one of the following
special flags:
"" Use the host's `/etc/hosts` file (the default)
`none` Do not use a base file (i.e. start with an empty file)
`image` Use the container image's `/etc/hosts` file as base file
**cgroup_conf**=[]
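Review bot: the three special values at L256-258 are consecutive plain lines with no list markers or hard line breaks, so unless the markdown-to-man converter preserves line breaks they collapse into one run-on paragraph (`"" Use the host's ... none Do not use ... image Use ...`). Put them in a bullet list, or separate them with blank lines, so each value stays on its own line with its meaning.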
@ -122,6 +124,16 @@ Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**container_name_as_hostname**=true|false
When no hostname is set for a container, use the container's name, with
characters not valid for a hostname removed, as the hostname instead of
the first 12 characters of the container's ID. Containers not running
in a private UTS namespace will have their hostname set to the host's
hostname regardless of this setting.
Default is false.
**default_capabilities**=[]
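Review bot: L263 shows the key as `**container_name_as_hostname**=true|false`, while neighbouring boolean keys show their default value in the heading line (`**no_hosts**=false`, `**http_proxy**=true`) and L269 states the default is false; write `**container_name_as_hostname**=false` so the entry follows the same convention.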
List of default capabilities for containers.
@ -195,13 +207,25 @@ Pass all host environment variables into the container.
**host_containers_internal_ip**=""
Set the ip for the host.containers.internal entry in the containers /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.
Set the IP address the container should expect to connect to the host. The IP
address is used by Podman to automatically add the `host.containers.internal`
and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It
is also used for the *host-gateway* flag of Podman's `--add-host` CLI option.
If no IP address is configured (the default), Podman will try to determine it
automatically, but might fail to do so depending on the container's network
setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then.
Set this config to `none` to never add the internal hostnames to `/etc/hosts`.
NOTE: When using podman machine this entry will never be added to the containers
hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
it is not possible to disable the entry in this case.
Note: If Podman is running in a virtual machine using `podman machine` (this
includes Mac and Windows hosts), Podman will silently skip adding the internal
hostnames to `/etc/hosts`, unless an IP address was configured manually. The
internal hostnames are resolved by the gvproxy DNS resolver instead. This config
has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver,
a manually configured IP address still takes precedence.
Note: This config doesn't affect the actual network setup, it just tells Podman
the IP address it should expect. Configuring an IP address here doesn't ensure
that the container can actually reach the host using this IP address.
**http_proxy**=true
@ -290,8 +314,10 @@ Options are:
**no_hosts**=false
Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address.
Do not modify the `/etc/hosts` file in the container. Podman assumes control
over the container's `/etc/hosts` file by default; refer to the `--add-host`
CLI option for details. To disable this, either set this config to `true`, or
use the functionally identical `--no-hosts` CLI option.
**oom_score_adj**=0
@ -486,6 +512,9 @@ Name of destination for accessing the Podman service. See SERVICE DESTINATION TA
List of compression algorithms. If set makes sure that requested compression variant
for each platform is added to the manifest list keeping original instance intact in
the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`).
`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
in that case.
Note: This is different from `compression_format` which allows users to select a default
compression format for `push` and `manifest push`, while `add_compression` is limited to
@ -593,7 +622,7 @@ The default method is different based on the platform that
Podman is being run upon. To determine the current value,
use this command:
`podman info --format {{.Host.EventLogger}`
`podman info --format {{.Host.EventLogger}}`
Valid values are: `file`, `journald`, and `none`.
@ -855,6 +884,8 @@ Specifies the compression format to use when pushing an image. Supported values
are: `gzip`, `zstd` and `zstd:chunked`. This field is ignored when pushing
images to the docker-daemon and docker-archive formats. It is also ignored
when the manifest format is set to v2s2.
`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning
in that case.
**compression_level**="5"
@ -950,8 +981,14 @@ On Mac, the default volumes are:
**provider**=""
Virtualization provider to be used for running a podman-machine VM. Empty value
is interpreted as the default provider for the current host OS. On Linux/Mac
default is `QEMU` and on Windows it is `WSL`.
is interpreted as the default provider for the current host OS.
| Platform | Default Virtualization provider | Optional |
| -------- | --------------------------------------- | -------- |
| Linux | "" (qemu) | None |
| Windows | "" ("wsl": Windows Subsystem for Linux) | "hyperv" (Windows Server Virtualization) |
| Mac | "" ("applehv": Apple Hypervisor) | "libkrun" (Launch machine via libkrun platform, optimized for sharing GPU with the machine) |
**rosetta**="true"
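Review bot: the column header "Optional" (L334) does not say what the column lists; "Alternative provider" or "Other supported providers" matches the rows. The Linux row writes the default as `"" (qemu)` while the other rows spell `"" ("wsl": ...)` with the provider name quoted; use one form. The sentence removed at L332 ("On Linux/Mac default is `QEMU`") is correctly superseded by the Mac row's `applehv`.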

SOURCES/oci-hooks.5.md Normal file

@ -0,0 +1,182 @@
% oci-hooks 5 OCI Hooks Configuration
% W. Trevor King
% MAY 2018
# NAME
oci-hooks - OCI hooks configuration directories
# SYNOPSIS
`/usr/share/containers/oci/hooks.d/*.json`
# DESCRIPTION
Provides a way for users to configure the intended hooks for Open Container Initiative containers so they will only be executed for containers that need their functionality, and then only for the stages where they're needed.
## Directories
Hooks are configured with JSON files (ending with a `.json` extension) in a series of hook directories.
The default directory is `/usr/share/containers/oci/hooks.d`, but tools consuming this format may change that default, include additional directories, or provide their callers with ways to adjust the configuration directories.
If multiple directories are configured, a JSON filename in a preferred directory masks entries with the same filename in directories with lower precedence. For example, if a consuming tool watches for hooks in `/etc/containers/oci/hooks.d` and `/usr/share/containers/oci/hooks.d` (in order of decreasing precedence), then a hook definition in `/etc/containers/oci/hooks.d/01-my-hook.json` will mask any definition in `/usr/share/containers/oci/hooks.d/01-my-hook.json`.
Tools consuming this format may also opt to monitor the hook directories for changes, in which case they will notice additions, changes, and removals to JSON files without needing to be restarted or otherwise signaled. When the tool monitors multiple hooks directories, the precedence discussed in the previous paragraph still applies. For example, if a consuming tool watches for hooks in `/etc/containers/oci/hooks.d` and `/usr/share/containers/oci/hooks.d` (in order of decreasing precedence), then writing a new hook definition to `/etc/containers/oci/hooks.d/01-my-hook.json` will mask the hook previously loaded from `/usr/share/containers/oci/hooks.d/01-my-hook.json`. Subsequent changes to `/usr/share/containers/oci/hooks.d/01-my-hook.json` will have no effect on the consuming tool as long as `/etc/containers/oci/hooks.d/01-my-hook.json` exists. Removing `/etc/containers/oci/hooks.d/01-my-hook.json` will reload the hook from `/usr/share/containers/oci/hooks.d/01-my-hook.json`.
Hooks are injected in the order obtained by sorting the JSON file names, after converting them to lower case, based on their Unicode code points.
For example, a matching hook defined in `01-my-hook.json` would be injected before matching hooks defined in `02-another-hook.json` and `01-UPPERCASE.json`.
It is strongly recommended to make the sort order unambiguous depending on an ASCII-only prefix (like the `01`/`02` above).
Each JSON file should contain an object with one of the following schemas.
## 1.0.0 Hook Schema
`version` (required string)
Sets the hook-definition version. For this schema version, the value be `1.0.0`.
`hook` (required object)
The hook to inject, with the hook-entry schema defined by the 1.0.2 OCI Runtime Specification.
`when` (required object)
Conditions under which the hook is injected. The following properties can be specified, and at least one must be specified:
* `always` (optional boolean)
If set `true`, this condition matches.
* `annotations` (optional object)
If all `annotations` key/value pairs match a key/value pair from the configured annotations, this condition matches.
Both keys and values must be POSIX extended regular expressions.
* `commands` (optional array of strings)
If the configured `process.args[0]` matches an entry, this condition matches.
Entries must be POSIX extended regular expressions.
* `hasBindMounts` (optional boolean)
If `hasBindMounts` is true and the caller requested host-to-container bind mounts, this condition matches.
`stages` (required array of strings)
Stages when the hook must be injected. Entries must be chosen from the 1.0.2 OCI Runtime Specification hook stages or from extension stages supported by the package consumer.
If *all* of the conditions set in `when` match, then the `hook` must be injected for the stages set in `stages`.
## 0.1.0 Hook Schema
`hook` (required string)
Sets `path` in the injected hook.
`arguments` (optional array of strings)
Additional arguments to pass to the hook. The injected hook's `args` is `hook` with `arguments` appended.
`stages` (required array of strings)
Stages when the hook must be injected. `stage` is an allowed synonym for this property, but you must not set both `stages` and `stage`. Entries must be chosen from the 1.0.2 OCI Runtime Specification hook stages or from extension stages supported by the package consumer.
`cmds` (optional array of strings)
The hook must be injected if the configured `process.args[0]` matches an entry. `cmd` is an allowed synonym for this property, but you must not set both `cmds` and `cmd`. Entries must be POSIX extended regular expressions.
`annotations` (optional array of strings)
The hook must be injected if an `annotations` entry matches a value from the configured annotations. `annotation` is an allowed synonym for this property, but you must not set both `annotations` and `annotation`. Entries must be POSIX extended regular expressions.
`hasbindmounts` (optional boolean)
The hook must be injected if `hasBindMounts` is true and the caller requested host-to-container bind mounts.
# EXAMPLE
## 1.0.0 Hook Schema
The following configuration injects `oci-systemd-hook` in the pre-start and post-stop stages if `process.args[0]` ends with `/init` or `/systemd`:
```console
$ cat /etc/containers/oci/hooks.d/oci-systemd-hook.json
{
"version": "1.0.0",
"hook": {
"path": "/usr/libexec/oci/hooks.d/oci-systemd-hook"
},
"when": {
"commands": [".*/init$" , ".*/systemd$"]
},
"stages": ["prestart", "poststop"]
}
```
The following example injects `oci-umount --debug` in the pre-start stage if the container is configured to bind-mount host directories into the container.
```console
$ cat /etc/containers/oci/hooks.d/oci-umount.json
{
"version": "1.0.0",
"hook": {
"path": "/usr/libexec/oci/hooks.d/oci-umount",
"args": ["oci-umount", "--debug"],
},
"when": {
"hasBindMounts": true
},
"stages": ["prestart"]
}
```
The following example injects `nvidia-container-runtime-hook prestart` with particular environment variables in the pre-start stage if the container is configured with an `annotations` entry whose key matches `^com\.example\.department$` and whose value matches `.*fluid-dynamics.*`.
```console
$ cat /etc/containers/oci/hooks.d/nvidia.json
{
"version": "1.0.0",
"hook": {
"path": "/usr/sbin/nvidia-container-runtime-hook",
"args": ["nvidia-container-runtime-hook", "prestart"],
"env": [
"NVIDIA_REQUIRE_CUDA=cuda>=9.1",
"NVIDIA_VISIBLE_DEVICES=GPU-fef8089b"
]
},
"when": {
"annotations": {
"^com\\.example\\.department$": ".*fluid-dynamics$"
}
},
"stages": ["prestart"]
}
```
## 0.1.0 Hook Schema
The following configuration injects `oci-systemd-hook` in the pre-start and post-stop stages if `process.args[0]` ends with `/init` or `/systemd`:
```console
$ cat /etc/containers/oci/hooks.d/oci-systemd-hook.json
{
"cmds": [".*/init$" , ".*/systemd$"],
"hook": "/usr/libexec/oci/hooks.d/oci-systemd-hook",
"stages": ["prestart", "poststop"]
}
```
The following example injects `oci-umount --debug` in the pre-start stage if the container is configured to bind-mount host directories into the container.
```console
$ cat /etc/containers/oci/hooks.d/oci-umount.json
{
"hook": "/usr/libexec/oci/hooks.d/oci-umount",
"arguments": ["--debug"],
"hasbindmounts": true,
"stages": ["prestart"]
}
```
The following example injects `nvidia-container-runtime-hook prestart` in the pre-start stage if the container is configured with an `annotations` entry whose value matches `.*fluid-dynamics.*`.
```console
$ cat /etc/containers/oci/hooks.d/osystemd-hook.json
{
"hook": "/usr/sbin/nvidia-container-runtime-hook",
"arguments": ["prestart"],
"annotations: [".*fluid-dynamics.*"],
"stages": ["prestart"]
}
```
# SEE ALSO
`oci-systemd-hook(1)`, `oci-umount(1)`, `locale(7)`
* [OCI Runtime Specification, 1.0.2, POSIX-platform hooks](https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#posix-platform-hooks)
* [OCI Runtime Specification, 1.0.2, process](https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#process)
* [POSIX extended regular expressions (EREs)](https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04)
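Review bot: two of the example hook files are not valid JSON and would be rejected by a strict parser: L420 leaves a trailing comma after the `"args"` array, and L475 is missing the closing quote on the `"annotations` key. Readers copy these blocks verbatim into `/etc/containers/oci/hooks.d/`, so both should be fixed before this file ships. Smaller points in the same file: L471 names the nvidia example `osystemd-hook.json` whereas its 1.0.0 counterpart at L430 is `nvidia.json`; L428 says the annotation value must match `.*fluid-dynamics.*` but the JSON at L443 uses `.*fluid-dynamics$`; L366 is missing a verb ("the value must be `1.0.0`"); and L469 silently drops the "particular environment variables" clause of L428 because the 0.1.0 schema (L385-396) has no `env` property, which is worth stating so readers do not assume the two schemas are equivalent.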


@ -62,9 +62,13 @@
"sles12sp5" = "registry.suse.com/suse/sles12sp5"
"sles12sp4" = "registry.suse.com/suse/sles12sp4"
"sles12sp3" = "registry.suse.com/suse/sles12sp3"
"bci-base" = "registry.suse.com/bci/bci-base"
"bci/bci-base" = "registry.suse.com/bci/bci-base"
"bci-micro" = "registry.suse.com/bci/bci-micro"
"bci/bci-micro" = "registry.suse.com/bci/bci-micro"
"bci-minimal" = "registry.suse.com/bci/bci-minimal"
"bci/bci-minimal" = "registry.suse.com/bci/bci-minimal"
"bci-busybox" = "registry.suse.com/bci/bci-busybox"
"bci/bci-busybox" = "registry.suse.com/bci/bci-busybox"
# Red Hat Enterprise Linux
"rhel" = "registry.access.redhat.com/rhel"
@ -132,6 +136,8 @@
"oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
# busybox
"busybox" = "docker.io/library/busybox"
# golang
"golang" = "docker.io/library/golang"
# php
"php" = "docker.io/library/php"
# python


@ -8,12 +8,12 @@
# /usr/containers/storage.conf
# /etc/containers/storage.conf
# $HOME/.config/containers/storage.conf
# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
# $XDG_CONFIG_HOME/containers/storage.conf (if XDG_CONFIG_HOME is set)
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
# The "storage" table contains all of the server options.
[storage]
# Default Storage Driver, Must be set for proper operation.
# Default storage driver, must be set for proper operation.
driver = "overlay"
# Temporary storage location
@ -24,8 +24,8 @@ runroot = "/run/containers/storage"
# driver_priority = ["overlay", "btrfs"]
# Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must
# ensure the labeling matches the default locations labels with the
# When changing the graphroot location on an SELinux system, you must
# ensure the labeling matches the default location's labels with the
# following commands:
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
@ -54,32 +54,50 @@ graphroot = "/var/lib/containers/storage"
additionalimagestores = [
]
# Allows specification of how storage is populated when pulling images. This
# option can speed the pulling process of images compressed with format
# zstd:chunked. Containers/storage looks for files within images that are being
# pulled from a container registry that were previously pulled to the host. It
# can copy or create a hard link to the existing file when it finds them,
# eliminating the need to pull them from the container registry. These options
# can deduplicate pulling of content, disk storage of content and can allow the
# kernel to use less memory when running containers.
# Options controlling how storage is populated when pulling images.
[storage.options.pull_options]
# Enable the "zstd:chunked" feature, which allows partial pulls, reusing
# content that already exists on the system. This is disabled by default,
# and must be explicitly enabled to be used. For more on zstd:chunked, see
# https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# enable_partial_images = "false"
# containers/storage supports four keys
# * enable_partial_images="true" | "false"
# Tells containers/storage to look for files previously pulled in storage
# rather then always pulling them from the container registry.
# * use_hard_links = "false" | "true"
# Tells containers/storage to use hard links rather then create new files in
# the image, if an identical file already existed in storage.
# * ostree_repos = ""
# Tells containers/storage where an ostree repository exists that might have
# previously pulled content which can be used when attempting to avoid
# pulling content from the container registry
# * convert_images = "false" | "true"
# If set to true, containers/storage will convert images to a
# format compatible with partial pulls in order to take advantage
# of local deduplication and hard linking. It is an expensive
# operation so it is not enabled by default.
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
# Tells containers/storage to use hard links rather then create new files in
# the image, if an identical file already existed in storage.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# use_hard_links = "false"
# Path to an ostree repository that might have
# previously pulled content which can be used when attempting to avoid
# pulling content from the container registry.
# ostree_repos=""
# If set to "true", containers/storage will convert images that are
# not already in zstd:chunked format to that format before processing
# in order to take advantage of local deduplication and hard linking.
# It is an expensive operation so it is not enabled by default.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# convert_images = "false"
# This should ALMOST NEVER be set.
# It allows partial pulls of images without guaranteeing that "partial
# pulls" and non-partial pulls both result in consistent image contents.
# This allows pulling estargz images and early versions of zstd:chunked images;
# otherwise, these layers always use the traditional non-partial pull path.
#
# This option should be enabled EXTREMELY rarely, only if ALL images that could
# EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy)
# to come from a build system trusted to never attack image integrity.
#
# If this consistency enforcement were disabled, malicious images could be built
# in a way designed to evade other audit mechanisms, so presence of most other audit
# mechanisms is not a replacement for the above-mentioned need for all images to come
# from a trusted build system.
#
# As a side effect, enabling this option will also make image IDs unpredictable
# (usually not equal to the traditional value matching the config digest).
# insecure_allow_unpredictable_image_contents = "false"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
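Review bot: replacing the explicit `pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}` line with a `[storage.options.pull_options]` table whose keys are all commented out means the shipped storage.conf no longer pins enable_partial_images at all and relies on the upstream default; the changelog entries removed further down in this commit (2:1-94 "enable_partial_images should be set to false", 2:1-96 "Be sure to enable_partial_images = false") show that the value was set deliberately for RHEL, so either uncomment `enable_partial_images = "false"` under the new table or state in the commit message that the vendored c/storage v1.57.1 default is "false" and the explicit pin is intentionally dropped. Minor: the new comment "use hard links rather then create new files" should read "rather than".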
@ -102,6 +120,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
# squashed down to the default uid in the container. These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
#ignore_chown_errors = "false"
# Inodes is used to set a maximum inodes of the container image.
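Review bot: `#ignore_chown_errors`, `root-auto-userns-user` and `inodes` now sit below the `[storage.options.pull_options]` table header introduced in the previous hunk with no intervening `[storage.options]` header, so a user who uncomments one of them as the new "string bool" comment invites will have it parsed as a pull_options key and silently ignored for its intended purpose; either move these settings above the pull_options table or add a `[storage.options]` header (or at least a comment saying so) before them.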
@ -115,9 +134,11 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
mountopt = "nodev,metacopy=on"
# Set to skip a PRIVATE bind mount on the storage home directory.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# skip_mount_home = "false"
# Set to use composefs to mount data layers with overlay.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# use_composefs = "false"
# Size is used to set a maximum size of the container image.

View File

@ -25,6 +25,9 @@ for P in podman skopeo buildah; do
fi
rm -rf *SPECPARTS
DIR=`ls -d -- */ | grep "$P"`
if [[ $DIR == *-build/ ]]; then
DIR=`ls -d $DIR/* | grep -v SPECPARTS`
fi
grep github.com/containers/image $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,'>> /tmp/ver_image
grep github.com/containers/common $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,' >> /tmp/ver_common
grep github.com/containers/storage $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,' >> /tmp/ver_storage
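Review bot: the new `-build/` branch still derives `DIR` from an unquoted `ls | grep` and assumes exactly one entry survives `grep -v SPECPARTS`; if several entries remain `$DIR` becomes a multi-line string, and if none remain it is empty, so the following `grep ... $DIR/go.mod` lines read `/go.mod` and the `/tmp/ver_*` files silently lose a line. Suggest checking the result before using it, e.g. `[ -f "$DIR/go.mod" ] || { echo "no go.mod for $P"; exit 1; }`, and quoting `"$DIR"` in the `ls` and `grep` lines.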
@ -33,8 +36,8 @@ done
IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
COMMON_VER=`sort -n /tmp/ver_common | head -n1`
STORAGE_VER=`sort -n /tmp/ver_storage | head -n1`
sed -i "s,^%global.*image_branch.*,%global image_branch $IMAGE_VER," containers-common.spec
sed -i "s,^%global.*common_branch.*,%global common_branch $COMMON_VER," containers-common.spec
sed -i "s,^%global.*storage_branch.*,%global storage_branch $STORAGE_VER," containers-common.spec
sed -i "s,^%global[ \t]*image_branch.*,%global image_branch $IMAGE_VER," containers-common.spec
sed -i "s,^%global[ \t]*common_branch.*,%global common_branch $COMMON_VER," containers-common.spec
sed -i "s,^%global[ \t]*storage_branch.*,%global storage_branch $STORAGE_VER," containers-common.spec
rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
rm -rf podman skopeo buildah
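Review bot: the tightened `^%global[ \t]*image_branch` patterns fix the old `.*` matching any later `%global` line, but the unchanged `sort -n` on the three version files (context lines above) does not order `vX.Y.Z` strings as versions: with the leading `v` every line compares as 0 and sort falls back to plain string comparison, which puts v5.34.0 before v5.9.0, so `head -n1` does not reliably return the oldest version the comment at the top of containers-common.spec asks for. `sort -V` (version sort) gives the intended result.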

View File

@ -30,11 +30,11 @@ for FILE in *; do
done
ensure storage.conf driver \"overlay\"
ensure storage.conf mountopt \"nodev,metacopy=on\"
ensure storage.conf pull_options {enable_partial_images\ =\ \"false\"\,\ use_hard_links\ =\ \"false\"\,\ ostree_repos=\"\"}
if pwd | grep rhel-8 > /dev/null
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
if pwd | grep -e rhel-8 -e c8s > /dev/null
then
awk -i inplace '/#default_capabilities/,/#\]/{gsub("#","",$0)}1' containers.conf
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
ensure registries.conf short-name-mode \"permissive\"
ensure containers.conf runtime \"runc\"
ensure containers.conf events_logger \"file\"
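Review bot: dropping `ensure storage.conf pull_options {enable_partial_images\ =\ \"false\"...}` removes the only check that the packaged storage.conf pins enable_partial_images to "false", which the 2:1-94 and 2:1-96 changelog entries describe as a deliberate requirement; with the key now commented out in storage.conf this script can no longer catch an upstream change that flips the default, so either add an `ensure` for the key under the new `[storage.options.pull_options]` table or state in the commit that the pin is intentionally gone. Moving the unqualified-search-registries `ensure` out of the rhel-8 branch so it applies to every release looks correct.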
@ -50,19 +50,29 @@ then
sed -i '/^default_capabilities/a \
"SYS_CHROOT",' containers.conf
fi
else
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
elif pwd | grep -e rhel-9 -e c9s > /dev/null
then
ensure registries.conf short-name-mode \"enforcing\"
ensure containers.conf runtime \"crun\"
elif pwd | grep -e rhel-10 -e c10s > /dev/null
then
ensure registries.conf short-name-mode \"enforcing\"
ensure containers.conf runtime \"crun\"
ensure containers.conf log_driver \"k8s-file\"
else
echo "Unknown release"
fi
[ `grep \"keyctl\", seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
"keyctl",' seccomp.json
[ `grep \"socket\", seccomp.json | wc -l` == 0 ] && sed -i '/\"socketcall\",/i \
"socket",' seccomp.json
rhpkg clone redhat-release
cd redhat-release
rhpkg switch-branch rhel-9.4.0
rhpkg switch-branch rhel-9-main
rhpkg prep
cp -f redhat-release-*/RPM-GPG* ../
cp -f redhat-release-*/redhat-release-*/RPM-GPG* ../../
cd -
rm -rf redhat-release
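Review bot: the new `else echo "Unknown release"` branch prints a message but does not stop the script, so on an unrecognised branch it continues with the seccomp.json edits and the redhat-release clone as if a release had matched; add `exit 1` after the echo. Also, although the chain now recognises rhel-10/c10s branches, `rhpkg switch-branch rhel-9-main` is hardcoded, so the RPM-GPG keys copied out of redhat-release are always the RHEL 9 ones whichever branch matched; derive the redhat-release branch from the same `pwd` test (or skip the copy for rhel-10 if that is the intent).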

View File

@ -4,15 +4,15 @@
# pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman.
%global skopeo_branch main
%global image_branch v5.32.2
%global common_branch v0.60.2
%global storage_branch v1.55.0
%global image_branch v5.34.0
%global common_branch v0.62.0
%global storage_branch v1.57.1
%global shortnames_branch main
Epoch: 2
Name: containers-common
Version: 1
Release: 96%{?dist}
Release: 117%{?dist}
Summary: Common configuration and documentation for containers
License: ASL 2.0
ExclusiveArch: %{go_arches}
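Review bot: the context comment "vendored in podman/skopeo/podman" should read "podman/skopeo/buildah", matching the `for P in podman skopeo buildah` loop in update.sh; worth fixing while the branch globals are being bumped.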
@ -49,6 +49,7 @@ Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/d
Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md
Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
Source18: https://raw.githubusercontent.com/containers/common/refs/heads/main/pkg/hooks/docs/oci-hooks.5.md
Source19: 001-rhel-shortnames-pyxis.conf
Source20: 002-rhel-shortnames-overrides.conf
Source21: RPM-GPG-KEY-redhat-release
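Review bot: Source18 fetches oci-hooks.5.md from `refs/heads/main` while every other containers/common source on the lines above uses `%{common_branch}` (v0.62.0); a moving branch makes the build non-reproducible and can document hook behaviour the vendored version does not have, so use `https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/hooks/docs/oci-hooks.5.md` (assuming the file exists at that tag).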
@ -75,6 +76,18 @@ It is required because the most of configuration files and docs come from projec
which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
separately.
%package extra
Summary: Extra dependencies for Podman and Buildah
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: container-network-stack
Requires: oci-runtime
Requires: nftables
Requires: passt
%description extra
This subpackage will handle dependencies common to Podman and Buildah which are
not required by Skopeo.
%prep
%build
@ -85,8 +98,10 @@ install -dp %{buildroot}%{_datadir}/containers/systemd
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
%if 0%{?fedora} == 0 && 0%{?centos} == 0
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
%endif
# for signature verification
%if !0%{?rhel} || 0%{?centos}
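Review bot: the guard `%if 0%{?fedora} == 0 && 0%{?centos} == 0` around the RHEL shortname files reads as "not Fedora and not CentOS", which also matches any build where neither macro is defined, while the signature-verification block two lines below tests `%if !0%{?rhel} || 0%{?centos}`; writing this one as `%if 0%{?rhel} && !0%{?centos}` states the intent recorded in the 2:1-112 changelog entry ("ship RHEL shortnames only in RHEL") and keeps the two conditions visibly complementary.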
@ -114,6 +129,7 @@ go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries
go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5
go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
go-md2man -in %{SOURCE18} -out %{buildroot}%{_mandir}/man5/oci-hooks.5
go-md2man -in %{SOURCE26} -out %{buildroot}%{_mandir}/man5/Containerfile.5
go-md2man -in %{SOURCE27} -out %{buildroot}%{_mandir}/man5/containerignore.5
@ -172,22 +188,48 @@ EOF
%dir %{_datadir}/rhel/secrets
%{_datadir}/rhel/secrets/*
%files extra
%changelog
* Thu Nov 14 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-96
- Be sure to enable_partial_images = false in storage.conf
- Resolves: RHEL-65057
* Mon Mar 03 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-117
- rebuild against the proper target
- Resolves: RHEL-78845
* Wed Oct 30 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-95
- update vendored components and configuration files
- Resolves: RHEL-62566
* Wed Feb 26 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-116
- add files section for extra subpackage
- Resolves: RHEL-78845
* Mon Oct 28 2024 Lokesh Mandvekar <lsm5@redhat.com> - 2:1-94
- enable_partial_images should be set to false
- Resolves: RHEL-62937
* Mon Feb 17 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-115
- Add containers-common-extra properly
- Resolves: RHEL-78845
* Thu Oct 17 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-93
- rebuild
- Resolves: RHEL-62937
* Thu Feb 13 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-114
- update vendored components
- Related: RHEL-60277
* Thu Feb 06 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-113
- Update shortnames from Pyxis
- Resolves: RHEL-66761
* Tue Jan 28 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-112
- ship RHEL shortnames only in RHEL - thanks to Dennis Gilmore
- Related: RHEL-60277
* Wed Jan 15 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-111
- Add missing oci-hooks.5 man page
- Related: RHEL-60277
* Fri Nov 29 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-110
- bump release to preserve upgrade path from RHEL9.5
- Related: RHEL-60277
* Fri Nov 29 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-94
- add containers-common-extra provides to satisfy new buildah spec
- Related: RHEL-60277
* Thu Nov 28 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-93
- update vendored components
- Resolves: RHEL-69402
* Tue Aug 27 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-92
- update vendored components
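Review bot: the changelog hunk deletes the existing 2:1-93 through 2:1-96 entries (Oct to Nov 2024, RHEL-62937 / RHEL-62566 / RHEL-65057) and reuses 2:1-93 and 2:1-94 for different changes dated Nov 28 and Nov 29 2024, so the record of why enable_partial_images was forced to "false" disappears and the same EVR now describes two different builds; an RPM changelog is append-only, so keep the old entries and add the new ones above them (the 2:1-110 entry "bump release to preserve upgrade path from RHEL9.5" indicates this is a branch merge whose other history should be preserved rather than replaced). An empty `%files extra` is fine for a dependency-only subpackage.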