containers-common-4:1-7
- use the correct policy.json file Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This commit is contained in:
parent
69f29483f1
commit
2f71b43201
@ -15,7 +15,7 @@
|
|||||||
Epoch: 4
|
Epoch: 4
|
||||||
Name: containers-common
|
Name: containers-common
|
||||||
Version: 1
|
Version: 1
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
Summary: Common configuration and documentation for containers
|
Summary: Common configuration and documentation for containers
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
@ -38,7 +38,7 @@ Source13: %{github_containers}/image/%{image_branch}/registries.conf
|
|||||||
Source14: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
|
Source14: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
|
||||||
Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
|
Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
|
||||||
Source16: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
|
Source16: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
|
||||||
Source17: %{github_containers}/skopeo/%{skopeo_branch}/integration/fixtures/policy.json
|
Source17: %{github_containers}/skopeo/%{skopeo_branch}/default-policy.json
|
||||||
Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
|
Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
|
||||||
Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
|
Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
|
||||||
|
|
||||||
@ -62,7 +62,7 @@ install -m0644 %{_sourcedir}/default.yaml %{buildroot}%{_sysconfdir}/containers/
|
|||||||
install -m0644 %{_sourcedir}/storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf
|
install -m0644 %{_sourcedir}/storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf
|
||||||
install -m0644 %{_sourcedir}/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
|
install -m0644 %{_sourcedir}/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
|
||||||
install -m0644 %{_sourcedir}/shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
|
install -m0644 %{_sourcedir}/shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
|
||||||
install -m0644 %{_sourcedir}/policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
|
install -m0644 %{_sourcedir}/default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
|
||||||
|
|
||||||
# install manpages
|
# install manpages
|
||||||
install -dp %{buildroot}%{_mandir}/man5
|
install -dp %{buildroot}%{_mandir}/man5
|
||||||
@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
|
|||||||
%{_datadir}/rhel/secrets/*
|
%{_datadir}/rhel/secrets/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
|
||||||
|
- use the correct policy.json file
|
||||||
|
|
||||||
* Thu Jan 28 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-6
|
* Thu Jan 28 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-6
|
||||||
- short-name-mode="enforcing" in registries.conf
|
- short-name-mode="enforcing" in registries.conf
|
||||||
|
|
||||||
|
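Review bot: The %changelog entry added in the hunk at `@ -114,6 +114,9 @@` documents only the policy.json fix, while the same commit also refreshes containers.conf (log_driver example, engine table) and seccomp.json (allow-list and capability-rule changes), so the packaged change history under-reports what changes for users of the installed files. I would extend the entry, e.g. `- sync containers.conf and seccomp.json with upstream`. Separately, Source17 at `@ -38,7 +38,7 @@` still resolves through `%{skopeo_branch}`; if that macro names a moving branch rather than a tag or commit (its definition is outside the hunk), the signature policy installed as %{_sysconfdir}/containers/policy.json depends on the branch tip at build time, which is poor reproducibility for a file that governs image signature verification.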
@ -158,7 +158,7 @@ default_sysctls = [
|
|||||||
|
|
||||||
# Logging driver for the container. Available options: k8s-file and journald.
|
# Logging driver for the container. Available options: k8s-file and journald.
|
||||||
#
|
#
|
||||||
# log_driver = "k8s-file"
|
# log_driver = "journald"
|
||||||
|
|
||||||
# Maximum size allowed for the container log file. Negative numbers indicate
|
# Maximum size allowed for the container log file. Negative numbers indicate
|
||||||
# that no size limit is imposed. If positive, it must be >= 8192 to match or
|
# that no size limit is imposed. If positive, it must be >= 8192 to match or
|
||||||
@ -246,9 +246,14 @@ default_sysctls = [
|
|||||||
# network_config_dir = "/etc/cni/net.d/"
|
# network_config_dir = "/etc/cni/net.d/"
|
||||||
|
|
||||||
[engine]
|
[engine]
|
||||||
# ImageBuildFormat indicates the default image format to building
|
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
||||||
# container images. Valid values are "oci" (default) or "docker".
|
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
|
||||||
# image_build_format = "oci"
|
# image_parallel_copies=0
|
||||||
|
|
||||||
|
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
||||||
|
# container images. By default image pulled and pushed match the format of the
|
||||||
|
# source image. Building/commiting defaults to OCI.
|
||||||
|
# image_default_format = ""
|
||||||
|
|
||||||
# Cgroup management implementation used for the runtime.
|
# Cgroup management implementation used for the runtime.
|
||||||
# Valid options "systemd" or "cgroupfs"
|
# Valid options "systemd" or "cgroupfs"
|
||||||
@ -321,10 +326,6 @@ default_sysctls = [
|
|||||||
#
|
#
|
||||||
# infra_image = "k8s.gcr.io/pause:3.2"
|
# infra_image = "k8s.gcr.io/pause:3.2"
|
||||||
|
|
||||||
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
|
||||||
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
|
|
||||||
# image_parallel_copies=0
|
|
||||||
|
|
||||||
# Specify the locking mechanism to use; valid values are "shm" and "file".
|
# Specify the locking mechanism to use; valid values are "shm" and "file".
|
||||||
# Change the default only if you are sure of what you are doing, in general
|
# Change the default only if you are sure of what you are doing, in general
|
||||||
# "file" is useful only on platforms where cgo is not available for using the
|
# "file" is useful only on platforms where cgo is not available for using the
|
||||||
|
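Review bot: The `# image_parallel_copies=0` line moved into the [engine] hunk at `@ -246,9 +246,14 @@` has no spaces around `=`, unlike every other commented key in the same block (`# image_default_format = ""`, and the `# image_build_format = "oci"` it replaces); users uncomment these template lines verbatim, so keep them consistent: `# image_parallel_copies = 0`. The same hunk's description reads `# source image. Building/commiting defaults to OCI.` while the man page counterpart in this commit spells it `committing`, so the conf comment should match. The block removed at `@ -321,10 +326,6 @@` is otherwise identical to the one inserted, so only these two wording fixes apply.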
@ -177,7 +177,7 @@ the container.
|
|||||||
|
|
||||||
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
|
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
|
||||||
|
|
||||||
**log_driver**="k8s-file"
|
**log_driver**="journald"
|
||||||
|
|
||||||
Logging driver for the container. Available options: `k8s-file` and `journald`.
|
Logging driver for the container. Available options: `k8s-file` and `journald`.
|
||||||
|
|
||||||
@ -278,8 +278,12 @@ Path to the directory where CNI configuration files are located.
|
|||||||
## ENGINE TABLE
|
## ENGINE TABLE
|
||||||
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
||||||
|
|
||||||
**image_build_format**="oci"
|
**image_default_format**="oci"|"v2s2"|"v2s1"
|
||||||
The default image format to building container images. Valid values are "oci" (default) or "docker".
|
|
||||||
|
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
||||||
|
container images. By default images pulled and pushed match the format of the
|
||||||
|
source image. Building/committing defaults to OCI.
|
||||||
|
Note: **image_build_format** is deprecated.
|
||||||
|
|
||||||
**cgroup_check**=false
|
**cgroup_check**=false
|
||||||
|
|
||||||
|
82
seccomp.json
82
seccomp.json
@ -89,6 +89,7 @@
|
|||||||
"epoll_ctl",
|
"epoll_ctl",
|
||||||
"epoll_ctl_old",
|
"epoll_ctl_old",
|
||||||
"epoll_pwait",
|
"epoll_pwait",
|
||||||
|
"epoll_pwait2",
|
||||||
"epoll_wait",
|
"epoll_wait",
|
||||||
"epoll_wait_old",
|
"epoll_wait_old",
|
||||||
"eventfd",
|
"eventfd",
|
||||||
@ -117,7 +118,11 @@
|
|||||||
"flock",
|
"flock",
|
||||||
"fork",
|
"fork",
|
||||||
"fremovexattr",
|
"fremovexattr",
|
||||||
|
"fsconfig",
|
||||||
"fsetxattr",
|
"fsetxattr",
|
||||||
|
"fsmount",
|
||||||
|
"fsopen",
|
||||||
|
"fspick",
|
||||||
"fstat",
|
"fstat",
|
||||||
"fstat64",
|
"fstat64",
|
||||||
"fstatat64",
|
"fstatat64",
|
||||||
@ -205,6 +210,7 @@
|
|||||||
"mmap",
|
"mmap",
|
||||||
"mmap2",
|
"mmap2",
|
||||||
"mount",
|
"mount",
|
||||||
|
"move_mount",
|
||||||
"mprotect",
|
"mprotect",
|
||||||
"mq_getsetattr",
|
"mq_getsetattr",
|
||||||
"mq_notify",
|
"mq_notify",
|
||||||
@ -227,6 +233,7 @@
|
|||||||
"open",
|
"open",
|
||||||
"openat",
|
"openat",
|
||||||
"openat2",
|
"openat2",
|
||||||
|
"open_tree",
|
||||||
"pause",
|
"pause",
|
||||||
"pidfd_getfd",
|
"pidfd_getfd",
|
||||||
"pidfd_open",
|
"pidfd_open",
|
||||||
@ -576,19 +583,13 @@
|
|||||||
{
|
{
|
||||||
"names": [
|
"names": [
|
||||||
"bpf",
|
"bpf",
|
||||||
"clone",
|
|
||||||
"fanotify_init",
|
"fanotify_init",
|
||||||
"lookup_dcookie",
|
"lookup_dcookie",
|
||||||
"mount",
|
|
||||||
"name_to_handle_at",
|
|
||||||
"perf_event_open",
|
"perf_event_open",
|
||||||
"quotactl",
|
"quotactl",
|
||||||
"setdomainname",
|
"setdomainname",
|
||||||
"sethostname",
|
"sethostname",
|
||||||
"setns",
|
"setns"
|
||||||
"umount",
|
|
||||||
"umount2",
|
|
||||||
"unshare"
|
|
||||||
],
|
],
|
||||||
"action": "SCMP_ACT_ALLOW",
|
"action": "SCMP_ACT_ALLOW",
|
||||||
"args": [],
|
"args": [],
|
||||||
@ -600,71 +601,6 @@
|
|||||||
},
|
},
|
||||||
"excludes": {}
|
"excludes": {}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"names": [
|
|
||||||
"clone"
|
|
||||||
],
|
|
||||||
"action": "SCMP_ACT_ALLOW",
|
|
||||||
"args": [
|
|
||||||
{
|
|
||||||
"index": 0,
|
|
||||||
"value": 2080505856,
|
|
||||||
"valueTwo": 0,
|
|
||||||
"op": "SCMP_CMP_MASKED_EQ"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"comment": "",
|
|
||||||
"includes": {},
|
|
||||||
"excludes": {
|
|
||||||
"caps": [
|
|
||||||
"CAP_SYS_ADMIN"
|
|
||||||
],
|
|
||||||
"arches": [
|
|
||||||
"s390",
|
|
||||||
"s390x"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"names": [
|
|
||||||
"clone"
|
|
||||||
],
|
|
||||||
"action": "SCMP_ACT_ALLOW",
|
|
||||||
"args": [
|
|
||||||
{
|
|
||||||
"index": 1,
|
|
||||||
"value": 2080505856,
|
|
||||||
"valueTwo": 0,
|
|
||||||
"op": "SCMP_CMP_MASKED_EQ"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"comment": "s390 parameter ordering for clone is different",
|
|
||||||
"includes": {
|
|
||||||
"arches": [
|
|
||||||
"s390",
|
|
||||||
"s390x"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"excludes": {
|
|
||||||
"caps": [
|
|
||||||
"CAP_SYS_ADMIN"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"names": [
|
|
||||||
"reboot"
|
|
||||||
],
|
|
||||||
"action": "SCMP_ACT_ALLOW",
|
|
||||||
"args": [],
|
|
||||||
"comment": "",
|
|
||||||
"includes": {
|
|
||||||
"caps": [
|
|
||||||
"CAP_SYS_BOOT"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"excludes": {}
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"names": [
|
"names": [
|
||||||
"chroot"
|
"chroot"
|
||||||
@ -700,7 +636,6 @@
|
|||||||
"names": [
|
"names": [
|
||||||
"get_mempolicy",
|
"get_mempolicy",
|
||||||
"mbind",
|
"mbind",
|
||||||
"name_to_handle_at",
|
|
||||||
"set_mempolicy"
|
"set_mempolicy"
|
||||||
],
|
],
|
||||||
"action": "SCMP_ACT_ALLOW",
|
"action": "SCMP_ACT_ALLOW",
|
||||||
@ -730,6 +665,7 @@
|
|||||||
{
|
{
|
||||||
"names": [
|
"names": [
|
||||||
"kcmp",
|
"kcmp",
|
||||||
|
"process_madvise",
|
||||||
"process_vm_readv",
|
"process_vm_readv",
|
||||||
"process_vm_writev",
|
"process_vm_writev",
|
||||||
"ptrace"
|
"ptrace"
|
||||||
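Review bot: The hunks at `@ -576,19 +583,13 @@` and `@ -600,71 +601,6 @@` drop `clone`, `mount`, `name_to_handle_at`, `umount`, `umount2` and `unshare` from the CAP_SYS_ADMIN-gated rule and delete the flag-checked `clone` rules (`SCMP_CMP_MASKED_EQ` on index 0/1) and the CAP_SYS_BOOT-gated `reboot` rule, but no hunk shows where those syscalls are re-added. If they now live in the unconditional allow list elsewhere in the file, that is consistent with the new `fsconfig`, `fsmount`, `fsopen`, `fspick`, `move_mount` and `open_tree` entries inserted alphabetically next to `fstat` and `mount` in the earlier hunks, since the kernel performs its own capability check for the mount API; if they were dropped entirely they fall through to the profile's default action, which is outside these hunks. Please confirm their new location in the file, and note that `@ -700,7 +636,6 @@` also removes `name_to_handle_at` from a second rule whose includes/excludes gating is not visible in the hunk.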
|