local build

containers-common.spec

@@ -3,9 +3,6 @@
 # These vendored components must have the same version. If it is not the case,
 # pick the oldest version on c/image, c/common, c/storage vendored in
 # Buildah/Podman/Skopeo.
-%global skopeo_branch main
-%global podman_branch main
-%global buildah_branch main
 %global image_branch  main
 %global common_branch main
 %global storage_branch main
@@ -42,8 +39,8 @@ Source12: %{github_containers}/image/%{image_branch}/docs/containers-transports.
 Source13: %{github_containers}/image/%{image_branch}/registries.conf
 Source14: %{github_containers}/common/%{common_branch}/docs/containers-mounts.conf.5.md
 Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
-Source16: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
+Source16: %{github_containers}/image/%{image_branch}/default.yaml
-Source17: %{github_containers}/skopeo/%{skopeo_branch}/default-policy.json
+Source17: %{github_containers}/image/%{image_branch}/default-policy.json
 Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
 Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
 Source20: RPM-GPG-KEY-redhat-release
@@ -130,6 +127,7 @@ cp man5/containerignore.5 man5/.containerignore.5
 install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd}
 install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
 install -dp %{buildroot}%{_datadir}/containers/systemd
+install -dp %{buildroot}%{_prefix}/lib/containers/storage
 install -Dp -m0644 default.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
 install -Dp -m0644 storage.conf -t %{buildroot}%{_datadir}/containers
 install -Dp -m0644 registries.conf -t %{buildroot}%{_sysconfdir}/containers
@@ -169,6 +167,7 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %dir %{_sysconfdir}/containers/registries.conf.d
 %dir %{_sysconfdir}/containers/registries.d
 %dir %{_sysconfdir}/containers/systemd
+%dir %{_prefix}/lib/containers/storage
 %config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf

containers-storage.conf.5.md

@@ -106,6 +106,10 @@ containers/storage supports three keys
     Tells containers/storage where an ostree repository exists that might have
     previously pulled content which can be used when attempting to avoid
     pulling content from the container registry
+  * convert_images = "false" | "true"
+    If set to true, containers/storage will convert images to the a format compatible with
+    partial pulls in order to take advantage of local deduplication and hardlinking.  It is an
+    expensive operation so it is not enabled by default.
 
 **remap-uids=**""
 **remap-gids=**""

containers-transports.5.md

@@ -40,10 +40,13 @@ By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.js
 If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using docker-login(1).
 The containers-registries.conf(5) further allows for configuring various settings of a registry.
 
-Note that a _docker-reference_ has the following format: `name[:tag|@digest]`.
+Note that a _docker-reference_ has the following format: _name_[**:**_tag_ | **@**_digest_].
 While the docker transport does not support both a tag and a digest at the same time some formats like containers-storage do.
 Digests can also be used in an image destination as long as the manifest matches the provided digest.
+
+The docker transport supports pushing images without a tag or digest to a registry when the image name is suffixed with **@@unknown-digest@@**. The _name_**@@unknown-digest@@** reference format cannot be used with a reference that has a tag or digest.
 The digest of images can be explored with skopeo-inspect(1).
+
 If `name` does not contain a slash, it is treated as `docker.io/library/name`.
 Otherwise, the component before the first slash is checked if it is recognized as a `hostname[:port]` (i.e., it contains either a . or a :, or the component is exactly localhost).
 If the first component of name is not recognized as a `hostname[:port]`, `name` is treated as `docker.io/name`.

containers.conf

@@ -340,6 +340,14 @@ log_driver = "journald"
 #  "/usr/lib/netavark",
 #]
 
+# The firewall driver to be used by netavark.
+# The default is empty which means netavark will pick one accordingly. Current supported 
+# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# experimental at the moment and not recommend outside of testing). In the future we are
+# planning to add support for a "nftables" driver.
+#firewall_driver = ""
+
+
 # The network name of the default network to attach pods to.
 #
 #default_network = "podman"

containers.conf.5.md

@@ -449,6 +449,14 @@ and __$HOME/.config/cni/net.d__ as rootless.
 For the netavark backend "/etc/containers/networks" is used as root
 and "$graphroot/networks" as rootless.
 
+**firewall_driver**=""
+
+The firewall driver to be used by netavark.
+The default is empty which means netavark will pick one accordingly. Current supported 
+drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+experimental at the moment and not recommend outside of testing). In the future we are
+planning to add support for a "nftables" driver.
+
 **dns_bind_port**=53
 
 Port to use for dns forwarding daemon with netavark in rootful bridge

default.yaml

@@ -25,4 +25,3 @@ default-docker:
 #   privateregistry.com:
 #    lookaside: https://privateregistry.com/sigstore/
 #    lookaside-staging: /mnt/nfs/privateregistry/sigstore
-

shortnames.conf

@@ -123,3 +123,12 @@
   "rust" = "docker.io/library/rust"
   # node
   "node" = "docker.io/library/node"
+  # Grafana Labs
+  "grafana/agent" = "docker.io/grafana/agent"
+  "grafana/grafana" = "docker.io/grafana/grafana"
+  "grafana/k6" = "docker.io/grafana/k6"
+  "grafana/loki" = "docker.io/grafana/loki"
+  "grafana/mimir" = "docker.io/grafana/mimir"
+  "grafana/oncall" = "docker.io/grafana/oncall"
+  "grafana/pyroscope" = "docker.io/grafana/pyroscope"
+  "grafana/tempo" = "docker.io/grafana/tempo"

storage.conf

@@ -47,8 +47,9 @@ graphroot = "/var/lib/containers/storage"
 
 # AdditionalImageStores is used to pass paths to additional Read/Only image stores
 # Must be comma separated list.
-additionalimagestores = [
+#additionalimagestores = [
-]
+#"/usr/lib/containers/storage",
+#]
 
 # Allows specification of how storage is populated when pulling images. This
 # option can speed the pulling process of images compressed with format
@@ -70,7 +71,7 @@ additionalimagestores = [
 #     Tells containers/storage where an ostree repository exists that might have
 #     previously pulled content which can be used when attempting to avoid
 #     pulling content from the container registry
-pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
+pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
 
 # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
 # a container, to the UIDs/GIDs as they should appear outside of the container,

update.sh

@@ -4,7 +4,8 @@ spectool -fg containers-common.spec
 
 echo "Changing storage.conf..."
 sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' \
-        storage.conf
+    -e '/additionalimage.*/a "/usr/lib/containers/storage",' \
+    storage.conf
 
 echo "Changing seccomp.json..."
 [ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \

update.sh.rawhide

@@ -0,0 +1,29 @@
+#!/usr/bin/bash
+
+spectool -fg containers-common.spec
+
+echo "Changing storage.conf..."
+sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' -e 's/^pull_options.*=.*/pull_options = {enable_partial_images = \"true\", use_hard_links = \"false\", ostree_repos=""}/' \
+        storage.conf
+
+echo "Changing seccomp.json..."
+[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
+                                "keyctl",' seccomp.json
+sed -i '/\"socketcall\",/i \
+                                "socket",' seccomp.json
+
+echo "Changing registries.conf..."
+sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]/g' \
+        registries.conf
+
+grep '\nshort-name-mode="enforcing"' registries.conf
+if [[ $? == 1 ]]; then
+    echo -e '\nshort-name-mode="enforcing"' >> registries.conf
+fi
+
+echo "Changing containers.conf..."
+sed -i -e 's/^#.*log_driver.*=.*/log_driver = "journald"/' \
+    -e 's/^#.*compression_format.*=.*/compression_format = "zstd:chunked"/' \
+    containers.conf
+
+git checkout origin default-policy.json