containers-common-4:1-7

- use the correct policy.json file

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This commit is contained in:
Lokesh Mandvekar 2021-02-01 14:13:20 -05:00
parent 69f29483f1
commit 2f71b43201
4 changed files with 33 additions and 89 deletions

View File

@ -15,7 +15,7 @@
Epoch: 4 Epoch: 4
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 6%{?dist} Release: 7%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
BuildArch: noarch BuildArch: noarch
@ -38,7 +38,7 @@ Source13: %{github_containers}/image/%{image_branch}/registries.conf
Source14: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md Source14: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
Source16: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml Source16: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
Source17: %{github_containers}/skopeo/%{skopeo_branch}/integration/fixtures/policy.json Source17: %{github_containers}/skopeo/%{skopeo_branch}/default-policy.json
Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source19: %{github_containers}/storage/%{storage_branch}/storage.conf Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
@ -62,7 +62,7 @@ install -m0644 %{_sourcedir}/default.yaml %{buildroot}%{_sysconfdir}/containers/
install -m0644 %{_sourcedir}/storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf install -m0644 %{_sourcedir}/storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf
install -m0644 %{_sourcedir}/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf install -m0644 %{_sourcedir}/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{_sourcedir}/shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf install -m0644 %{_sourcedir}/shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
install -m0644 %{_sourcedir}/policy.json %{buildroot}%{_sysconfdir}/containers/policy.json install -m0644 %{_sourcedir}/default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
# install manpages # install manpages
install -dp %{buildroot}%{_mandir}/man5 install -dp %{buildroot}%{_mandir}/man5
@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
- use the correct policy.json file
* Thu Jan 28 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-6 * Thu Jan 28 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-6
- short-name-mode="enforcing" in registries.conf - short-name-mode="enforcing" in registries.conf

View File

@ -158,7 +158,7 @@ default_sysctls = [
# Logging driver for the container. Available options: k8s-file and journald. # Logging driver for the container. Available options: k8s-file and journald.
# #
# log_driver = "k8s-file" # log_driver = "journald"
# Maximum size allowed for the container log file. Negative numbers indicate # Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or # that no size limit is imposed. If positive, it must be >= 8192 to match or
@ -246,9 +246,14 @@ default_sysctls = [
# network_config_dir = "/etc/cni/net.d/" # network_config_dir = "/etc/cni/net.d/"
[engine] [engine]
# ImageBuildFormat indicates the default image format to building # Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# container images. Valid values are "oci" (default) or "docker". # Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_build_format = "oci" # image_parallel_copies=0
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/commiting defaults to OCI.
# image_default_format = ""
# Cgroup management implementation used for the runtime. # Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs" # Valid options "systemd" or "cgroupfs"
@ -321,10 +326,6 @@ default_sysctls = [
# #
# infra_image = "k8s.gcr.io/pause:3.2" # infra_image = "k8s.gcr.io/pause:3.2"
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies=0
# Specify the locking mechanism to use; valid values are "shm" and "file". # Specify the locking mechanism to use; valid values are "shm" and "file".
# Change the default only if you are sure of what you are doing, in general # Change the default only if you are sure of what you are doing, in general
# "file" is useful only on platforms where cgo is not available for using the # "file" is useful only on platforms where cgo is not available for using the

View File

@ -177,7 +177,7 @@ the container.
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
**log_driver**="k8s-file" **log_driver**="journald"
Logging driver for the container. Available options: `k8s-file` and `journald`. Logging driver for the container. Available options: `k8s-file` and `journald`.
@ -278,8 +278,12 @@ Path to the directory where CNI configuration files are located.
## ENGINE TABLE ## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
**image_build_format**="oci" **image_default_format**="oci"|"v2s2"|"v2s1"
The default image format to building container images. Valid values are "oci" (default) or "docker".
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
container images. By default images pulled and pushed match the format of the
source image. Building/committing defaults to OCI.
Note: **image_build_format** is deprecated.
**cgroup_check**=false **cgroup_check**=false

View File

@ -89,6 +89,7 @@
"epoll_ctl", "epoll_ctl",
"epoll_ctl_old", "epoll_ctl_old",
"epoll_pwait", "epoll_pwait",
"epoll_pwait2",
"epoll_wait", "epoll_wait",
"epoll_wait_old", "epoll_wait_old",
"eventfd", "eventfd",
@ -117,7 +118,11 @@
"flock", "flock",
"fork", "fork",
"fremovexattr", "fremovexattr",
"fsconfig",
"fsetxattr", "fsetxattr",
"fsmount",
"fsopen",
"fspick",
"fstat", "fstat",
"fstat64", "fstat64",
"fstatat64", "fstatat64",
@ -177,7 +182,7 @@
"ioprio_get", "ioprio_get",
"ioprio_set", "ioprio_set",
"ipc", "ipc",
"keyctl", "keyctl",
"kill", "kill",
"lchown", "lchown",
"lchown32", "lchown32",
@ -205,6 +210,7 @@
"mmap", "mmap",
"mmap2", "mmap2",
"mount", "mount",
"move_mount",
"mprotect", "mprotect",
"mq_getsetattr", "mq_getsetattr",
"mq_notify", "mq_notify",
@ -227,6 +233,7 @@
"open", "open",
"openat", "openat",
"openat2", "openat2",
"open_tree",
"pause", "pause",
"pidfd_getfd", "pidfd_getfd",
"pidfd_open", "pidfd_open",
@ -576,19 +583,13 @@
{ {
"names": [ "names": [
"bpf", "bpf",
"clone",
"fanotify_init", "fanotify_init",
"lookup_dcookie", "lookup_dcookie",
"mount",
"name_to_handle_at",
"perf_event_open", "perf_event_open",
"quotactl", "quotactl",
"setdomainname", "setdomainname",
"sethostname", "sethostname",
"setns", "setns"
"umount",
"umount2",
"unshare"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [], "args": [],
@ -600,71 +601,6 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 2080505856,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
],
"arches": [
"s390",
"s390x"
]
}
},
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 1,
"value": 2080505856,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "s390 parameter ordering for clone is different",
"includes": {
"arches": [
"s390",
"s390x"
]
},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
]
}
},
{
"names": [
"reboot"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_BOOT"
]
},
"excludes": {}
},
{ {
"names": [ "names": [
"chroot" "chroot"
@ -700,7 +636,6 @@
"names": [ "names": [
"get_mempolicy", "get_mempolicy",
"mbind", "mbind",
"name_to_handle_at",
"set_mempolicy" "set_mempolicy"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -730,6 +665,7 @@
{ {
"names": [ "names": [
"kcmp", "kcmp",
"process_madvise",
"process_vm_readv", "process_vm_readv",
"process_vm_writev", "process_vm_writev",
"ptrace" "ptrace"
@ -896,4 +832,4 @@
"excludes": {} "excludes": {}
} }
] ]
} }