containers-common-1-114.el9

- update vendored components
- Related: RHEL-60277

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2025-02-13 11:59:49 +01:00
parent d0ee3a527b
commit 201b701009
7 changed files with 73 additions and 5 deletions


@ -4,15 +4,15 @@
# pick the oldest version on c/image, c/common, c/storage vendored in # pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman. # podman/skopeo/podman.
%global skopeo_branch main %global skopeo_branch main
%global image_branch v5.33.0 %global image_branch v5.34.0
%global common_branch v0.61.0 %global common_branch v0.62.0
%global storage_branch v1.56.0 %global storage_branch v1.57.1
%global shortnames_branch main %global shortnames_branch main
Epoch: 2 Epoch: 2
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 113%{?dist} Release: 114%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
ExclusiveArch: %{go_arches} ExclusiveArch: %{go_arches}
@ -178,6 +178,10 @@ EOF
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Thu Feb 13 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-114
- update vendored components
- Related: RHEL-60277
* Thu Feb 06 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-113 * Thu Feb 06 2025 Jindrich Novy <jnovy@redhat.com> - 2:1-113
- Update shortnames from Pyxis - Update shortnames from Pyxis
- Resolves: RHEL-66761 - Resolves: RHEL-66761


@ -124,6 +124,27 @@ The `storage.options.pull_options` table supports the following keys:
It is an expensive operation so it is not enabled by default. It is an expensive operation so it is not enabled by default.
This is a "string bool": "false"|"true" (cannot be native TOML boolean) This is a "string bool": "false"|"true" (cannot be native TOML boolean)
**insecure_allow_unpredictable_image_contents="false"|"true"**
This should _almost never_ be set.
It allows partial pulls of images without guaranteeing that "partial
pulls" and non-partial pulls both result in consistent image contents.
This allows pulling estargz images and early versions of zstd:chunked images;
otherwise, these layers always use the traditional non-partial pull path.
This option should be enabled _extremely_ rarely, only if _all_ images that could
EVER be conceivably pulled on this system are _guaranteed_ (e.g. using a signature policy)
to come from a build system trusted to never attack image integrity.
If this consistency enforcement were disabled, malicious images could be built
in a way designed to evade other audit mechanisms, so presence of most other audit
mechanisms is not a replacement for the above-mentioned need for all images to come
from a trusted build system.
As a side effect, enabling this option will also make image IDs unpredictable
(usually not equal to the traditional value matching the config digest).
This is a "string bool": "false"|"true" (cannot be native TOML boolean)
### STORAGE OPTIONS FOR AUFS TABLE ### STORAGE OPTIONS FOR AUFS TABLE
The `storage.options.aufs` table supports the following options: The `storage.options.aufs` table supports the following options:


@ -71,13 +71,15 @@ An image stored in the docker daemon's internal storage.
The image must be specified as a _docker-reference_ or in an alternative _algo_`:`_digest_ format when being used as an image source. The image must be specified as a _docker-reference_ or in an alternative _algo_`:`_digest_ format when being used as an image source.
The _algo_`:`_digest_ refers to the image ID reported by docker-inspect(1). The _algo_`:`_digest_ refers to the image ID reported by docker-inspect(1).
### **oci:**_path_[`:`_reference_] ### **oci:**_path_[`:`{_reference_|`@`_source-index_}]
An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_. An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_.
The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_. The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an image, the directory must contain exactly one image. If _reference_ is not specified when reading an image, the directory must contain exactly one image.
For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images).
If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image.
### **oci-archive:**_path_[`:`_reference_] ### **oci-archive:**_path_[`:`_reference_]


@ -58,6 +58,14 @@
# #
#cgroups = "enabled" #cgroups = "enabled"
# When no hostname is set for a container, use the container's name, with
# characters not valid for a hostname removed, as the hostname instead of
# the first 12 characters of the container's ID. Containers not running
# in a private UTS namespace will have their hostname set to the host's
# hostname regardless of this setting.
#
#container_name_as_hostname = false
# List of default capabilities for containers. If it is empty or commented out, # List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added. # the default capabilities defined in the container engine will be added.
# #


@ -124,6 +124,16 @@ Options are:
`private` Create private Cgroup Namespace for the container. `private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container. `host` Share host Cgroup Namespace with the container.
**container_name_as_hostname**=true|false
When no hostname is set for a container, use the container's name, with
characters not valid for a hostname removed, as the hostname instead of
the first 12 characters of the container's ID. Containers not running
in a private UTS namespace will have their hostname set to the host's
hostname regardless of this setting.
Default is false.
**default_capabilities**=[] **default_capabilities**=[]
List of default capabilities for containers. List of default capabilities for containers.


@ -62,9 +62,13 @@
"sles12sp5" = "registry.suse.com/suse/sles12sp5" "sles12sp5" = "registry.suse.com/suse/sles12sp5"
"sles12sp4" = "registry.suse.com/suse/sles12sp4" "sles12sp4" = "registry.suse.com/suse/sles12sp4"
"sles12sp3" = "registry.suse.com/suse/sles12sp3" "sles12sp3" = "registry.suse.com/suse/sles12sp3"
"bci-base" = "registry.suse.com/bci/bci-base"
"bci/bci-base" = "registry.suse.com/bci/bci-base" "bci/bci-base" = "registry.suse.com/bci/bci-base"
"bci-micro" = "registry.suse.com/bci/bci-micro"
"bci/bci-micro" = "registry.suse.com/bci/bci-micro" "bci/bci-micro" = "registry.suse.com/bci/bci-micro"
"bci-minimal" = "registry.suse.com/bci/bci-minimal"
"bci/bci-minimal" = "registry.suse.com/bci/bci-minimal" "bci/bci-minimal" = "registry.suse.com/bci/bci-minimal"
"bci-busybox" = "registry.suse.com/bci/bci-busybox"
"bci/bci-busybox" = "registry.suse.com/bci/bci-busybox" "bci/bci-busybox" = "registry.suse.com/bci/bci-busybox"
# Red Hat Enterprise Linux # Red Hat Enterprise Linux
"rhel" = "registry.access.redhat.com/rhel" "rhel" = "registry.access.redhat.com/rhel"


@ -80,6 +80,25 @@ additionalimagestores = [
# This is a "string bool": "false" | "true" (cannot be native TOML boolean) # This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# convert_images = "false" # convert_images = "false"
# This should ALMOST NEVER be set.
# It allows partial pulls of images without guaranteeing that "partial
# pulls" and non-partial pulls both result in consistent image contents.
# This allows pulling estargz images and early versions of zstd:chunked images;
# otherwise, these layers always use the traditional non-partial pull path.
#
# This option should be enabled EXTREMELY rarely, only if ALL images that could
# EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy)
# to come from a build system trusted to never attack image integrity.
#
# If this consistency enforcement were disabled, malicious images could be built
# in a way designed to evade other audit mechanisms, so presence of most other audit
# mechanisms is not a replacement for the above-mentioned need for all images to come
# from a trusted build system.
#
# As a side effect, enabling this option will also make image IDs unpredictable
# (usually not equal to the traditional value matching the config digest).
# insecure_allow_unpredictable_image_contents = "false"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned # ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
# to containers configured to create automatically a user namespace. Containers # to containers configured to create automatically a user namespace. Containers
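Review bot: The new comment block for `insecure_allow_unpredictable_image_contents` ends without the string-bool caveat that the neighbouring `convert_images` entry carries on its last comment line and that the man page hunk in this same commit states for this option; an admin who uncomments the setting and writes a native `false` would presumably have it rejected at parse time, as that caveat implies. Add, directly above the commented setting, `# This is a "string bool": "false" | "true" (cannot be native TOML boolean)`. Since this file tracks upstream c/storage (the spec bumps `storage_branch` to v1.57.1 in this commit), the same line belongs in the upstream copy so it is not lost on the next vendor update.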