local build

This commit is contained in:
Daniel J Walsh 2022-08-10 08:50:23 -04:00
parent 91c97adffd
commit 23d18a07d3
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
3 changed files with 9 additions and 7 deletions


@ -255,6 +255,8 @@ Exactly one of `keyPath` and `keyData` must be present, containing a sigstore pu
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
## Examples ## Examples
It is *strongly* recommended to set the `default` policy to `reject`, and then It is *strongly* recommended to set the `default` policy to `reject`, and then
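Review bot: The added `use-sigstore-attachments` sentence states the prerequisite but not what happens when it is missing; since a `sigstoreSigned` policy entry alone is not enough to find `cosign` signatures on a registry, say explicitly that without that option in containers-registries.d(5) the signature lookup cannot succeed and the image is rejected under a `reject` default, so readers debugging a policy failure know to check both files. The commit message "local build" also does not describe this documentation change; a message naming the sigstore-attachments note and the typo fixes would help anyone reading the history.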
@ -281,14 +283,14 @@ selectively allow individual transports and scopes as desired.
"hostname:5000/myns/sigstore-signed-with-full-references": [ "hostname:5000/myns/sigstore-signed-with-full-references": [
{ {
"type": "sigstoreSigned", "type": "sigstoreSigned",
"keyPath": "/path/to/sigstore-pubkey.key" "keyPath": "/path/to/sigstore-pubkey.pub"
} }
], ],
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
{ {
"type": "sigstoreSigned", "type": "sigstoreSigned",
"keyPath": "/path/to/sigstore-pubkey.key", "keyPath": "/path/to/sigstore-pubkey.pub",
"signedIdentity": {"type": "matchRepository"} "signedIdentity": {"type": "matchRepository"}
} }
] ]
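Review bot: Renaming the example key from `sigstore-pubkey.key` to `sigstore-pubkey.pub` in both `keyPath` entries matches the context line above, which says the field holds a sigstore public key, and avoids suggesting a private key is referenced from policy.json. Only the two occurrences in this hunk are changed; grep the rest of this file and the other policy examples in the repository for the old `.key` name so the examples stay consistent.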


@ -99,7 +99,7 @@ containers/storage supports four keys
**remap-uids=**"" **remap-uids=**""
**remap-gids=**"" **remap-gids=**""
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container. Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be needed by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
Example Example
remap-uids = 0:1668442479:65536 remap-uids = 0:1668442479:65536
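Review bot: The change from "heeded" to "needed" in the Remap-UIDs/GIDs paragraph is a regression, not a typo fix: "heeded" means the libraries honor any additional mapped sets that are listed, whereas "needed" reads as if libraries require them. Keep "heeded" or, if the word is considered obscure, use "honored" ("Additional mapped sets can be listed and will be honored by libraries, ..."); the following clause about kernel limits on the number of mappings only makes sense with that meaning.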
@ -244,7 +244,7 @@ Note: The force_mask Flag is an experimental feature, it could change in the
future. When "force_mask" is set the original permission mask is stored in the future. When "force_mask" is set the original permission mask is stored in the
"user.containers.override_stat" xattr and the "mount_program" option must be "user.containers.override_stat" xattr and the "mount_program" option must be
specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended
attribute permissions to processes within containers rather then the attribute permissions to processes within containers rather than the
"force_mask" permissions. "force_mask" permissions.
**mount_program**="" **mount_program**=""


@ -1,4 +1,4 @@
# This file is is the configuration file for all tools # This file is the configuration file for all tools
# that use the containers/storage library. The storage.conf file # that use the containers/storage library. The storage.conf file
# overrides all other storage.conf files. Container engines using the # overrides all other storage.conf files. Container engines using the
# container/storage library do not inherit fields from other storage.conf # container/storage library do not inherit fields from other storage.conf
@ -65,7 +65,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container, # a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs. Additional mapped sets can be # and the length of the range of UIDs/GIDs. Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of # listed and will be needed by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a # mappings which the kernel will allow when you later attempt to run a
# container. # container.
# #
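Review bot: Same problem as in the man page hunk: "heeded" → "needed" in the storage.conf comment changes the meaning from "libraries honor the extra mappings" to "libraries require them". Revert to "heeded" or use "honored" here too so the config comment and containers-storage.conf(5) keep saying the same thing.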
@ -150,7 +150,7 @@ mountopt = "nodev,metacopy=on"
# future. When "force_mask" is set the original permission mask is stored in # future. When "force_mask" is set the original permission mask is stored in
# the "user.containers.override_stat" xattr and the "mount_program" option must # the "user.containers.override_stat" xattr and the "mount_program" option must
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the # be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
# extended attribute permissions to processes within containers rather then the # extended attribute permissions to processes within containers rather than the
# "force_mask" permissions. # "force_mask" permissions.
# #
# force_mask = "" # force_mask = ""