import containers-common-1-62.module+el8.8.0+18251+ad5b274c
							parent
							
								
									5c9a408ae1
								
							
						
					
					
						commit
						43998629ff
					
				| @ -0,0 +1 @@ | |||||||
|  | a72daf8585b41529269cdffcca3a0b3d4e2f21cd SOURCES/RPM-GPG-KEY-redhat-beta | ||||||
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
							| @ -0,0 +1 @@ | |||||||
|  | SOURCES/RPM-GPG-KEY-redhat-beta | ||||||
										
											
							| @ -118,7 +118,7 @@ Current supported mount TYPES are bind, cache, secret and tmpfs. | |||||||
| 
 | 
 | ||||||
|               · dst, destination, target: mount destination spec. |               · dst, destination, target: mount destination spec. | ||||||
| 
 | 
 | ||||||
|               · ro, read-only: true or false (default). |               · ro, read-only: true (default) or false. | ||||||
| 
 | 
 | ||||||
|        Options specific to bind: |        Options specific to bind: | ||||||
| 
 | 
 | ||||||
| @ -128,6 +128,8 @@ Current supported mount TYPES are bind, cache, secret and tmpfs. | |||||||
| 
 | 
 | ||||||
|               · from: stage or image name for the root of the source. Defaults to the build context. |               · from: stage or image name for the root of the source. Defaults to the build context. | ||||||
| 
 | 
 | ||||||
|  |               · rw, read-write: allows writes on the mount. | ||||||
|  | 
 | ||||||
|        Options specific to tmpfs: |        Options specific to tmpfs: | ||||||
| 
 | 
 | ||||||
|               · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. |               · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. | ||||||
| @ -150,6 +152,8 @@ Current supported mount TYPES are bind, cache, secret and tmpfs. | |||||||
| 
 | 
 | ||||||
|               · from: stage name for the root of the source. Defaults to host cache directory. |               · from: stage name for the root of the source. Defaults to host cache directory. | ||||||
| 
 | 
 | ||||||
|  |               · rw, read-write: allows writes on the mount. | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| **RUN Secrets** | **RUN Secrets** | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -30,7 +30,9 @@ Policy requirements can be defined for: | |||||||
| 
 | 
 | ||||||
|   Usually, a scope can be defined to match a single image, and various prefixes of |   Usually, a scope can be defined to match a single image, and various prefixes of | ||||||
|   such a most specific scope define namespaces of matching images. |   such a most specific scope define namespaces of matching images. | ||||||
|  | 
 | ||||||
| - A default policy for a single transport, expressed using an empty string as a scope | - A default policy for a single transport, expressed using an empty string as a scope | ||||||
|  | 
 | ||||||
| - A global default policy. | - A global default policy. | ||||||
| 
 | 
 | ||||||
| If multiple policy requirements match a given image, only the requirements from the most specific match apply, | If multiple policy requirements match a given image, only the requirements from the most specific match apply, | ||||||
| @ -245,12 +247,37 @@ This requirement requires an image to be signed using a sigstore signature with | |||||||
| ```js | ```js | ||||||
| { | { | ||||||
|     "type":    "sigstoreSigned", |     "type":    "sigstoreSigned", | ||||||
|     "keyPath": "/path/to/local/keyring/file", |     "keyPath": "/path/to/local/public/key/file", | ||||||
|     "keyData": "base64-encoded-keyring-data", |     "keyData": "base64-encoded-public-key-data", | ||||||
|  |     "fulcio": { | ||||||
|  |         "caPath": "/path/to/local/CA/file", | ||||||
|  |         "caData": "base64-encoded-CA-data", | ||||||
|  |         "oidcIssuer": "https://expected.OIDC.issuer/", | ||||||
|  |         "subjectEmail", "expected-signing-user@example.com", | ||||||
|  |     }, | ||||||
|  |     "rekorPublicKeyPath": "/path/to/local/public/key/file", | ||||||
|  |     "rekorPublicKeyData": "base64-encoded-public-key-data", | ||||||
|     "signedIdentity": identity_requirement |     "signedIdentity": identity_requirement | ||||||
| } | } | ||||||
| ``` | ``` | ||||||
| Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key.  Only signatures made by this key is accepted. | Exactly one of `keyPath`, `keyData` and `fulcio` must be present. | ||||||
|  | 
 | ||||||
|  | If `keyPath` or `keyData` is present, it contains a sigstore public key. | ||||||
|  | Only signatures made by this key are accepted. | ||||||
|  | 
 | ||||||
|  | If `fulcio` is present, the signature must be based on a Fulcio-issued certificate. | ||||||
|  | One of `caPath` and `caData` must be specified, containing the public key of the Fulcio instance. | ||||||
|  | Both `oidcIssuer` and `subjectEmail` are mandatory, | ||||||
|  | exactly specifying the expected identity provider, | ||||||
|  | and the identity of the user obtaining the Fulcio certificate. | ||||||
|  | 
 | ||||||
|  | At most one of `rekorPublicKeyPath` and `rekorPublicKeyData` can be present; | ||||||
|  | it is mandatory if `fulcio` is specified. | ||||||
|  | If a Rekor public key is specified, | ||||||
|  | the signature must have been uploaded to a Rekor server | ||||||
|  | and the signature must contain an (offline-verifiable) “signed entry timestamp” | ||||||
|  | proving the existence of the Rekor log record, | ||||||
|  | signed by the provided public key. | ||||||
| 
 | 
 | ||||||
| The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. | The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. | ||||||
| Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). | Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). | ||||||
| @ -286,6 +313,21 @@ selectively allow individual transports and scopes as desired. | |||||||
|                     "keyPath": "/path/to/sigstore-pubkey.pub" |                     "keyPath": "/path/to/sigstore-pubkey.pub" | ||||||
|                 } |                 } | ||||||
|             ], |             ], | ||||||
|  |             /* A sigstore-signed repository using the community Fulcio+Rekor servers. | ||||||
|  | 
 | ||||||
|  |                The community servers’ public keys can be obtained from | ||||||
|  |                https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets .  */ | ||||||
|  |             "hostname:5000/myns/sigstore-signed-fulcio-rekor": [ | ||||||
|  |                 { | ||||||
|  |                     "type": "sigstoreSigned", | ||||||
|  |                     "fulcio": { | ||||||
|  |                         "caPath": "/path/to/fulcio_v1.crt.pem", | ||||||
|  |                         "oidcIssuer": "https://github.com/login/oauth", | ||||||
|  |                         "subjectEmail": "test-user@example.com" | ||||||
|  |                     }, | ||||||
|  |                     "rekorPublicKeyPath": "/path/to/rekor.pub", | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|             /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ |             /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ | ||||||
|             "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ |             "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ | ||||||
|                 { |                 { | ||||||
| @ -293,6 +335,23 @@ selectively allow individual transports and scopes as desired. | |||||||
|                     "keyPath": "/path/to/sigstore-pubkey.pub", |                     "keyPath": "/path/to/sigstore-pubkey.pub", | ||||||
|                     "signedIdentity": {"type": "matchRepository"} |                     "signedIdentity": {"type": "matchRepository"} | ||||||
|                 } |                 } | ||||||
|  |             ], | ||||||
|  |             /* A sigstore-signed repository using the community Fulcio+Rekor servers, | ||||||
|  |                accepts signatures by /usr/bin/cosign. | ||||||
|  | 
 | ||||||
|  |                The community servers’ public keys can be obtained from | ||||||
|  |                https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets .  */ | ||||||
|  |             "hostname:5000/myns/sigstore-signed-fulcio-rekor- allows-malicious-tag-substitution": [ | ||||||
|  |                 { | ||||||
|  |                     "type": "sigstoreSigned", | ||||||
|  |                     "fulcio": { | ||||||
|  |                         "caPath": "/path/to/fulcio_v1.crt.pem", | ||||||
|  |                         "oidcIssuer": "https://github.com/login/oauth", | ||||||
|  |                         "subjectEmail": "test-user@example.com" | ||||||
|  |                     }, | ||||||
|  |                     "rekorPublicKeyPath": "/path/to/rekor.pub", | ||||||
|  |                     "signedIdentity": { "type": "matchRepository" } | ||||||
|  |                 } | ||||||
|             ] |             ] | ||||||
|               /* Other docker: images use the global default policy and are rejected */ |               /* Other docker: images use the global default policy and are rejected */ | ||||||
|         }, |         }, | ||||||
|  | |||||||
| @ -210,7 +210,8 @@ Consumers still SHOULD reject any signature where a member of an `optional` obje | |||||||
| 
 | 
 | ||||||
| ### `optional.creator` | ### `optional.creator` | ||||||
| 
 | 
 | ||||||
| If present, this MUST be a JSON string, identifying the name and version of the software which has created the signature. | If present, this MUST be a JSON string, identifying the name and version of the software which has created the signature | ||||||
|  | (identifying the low-level software implementation; not the top-level caller). | ||||||
| 
 | 
 | ||||||
| The contents of this string is not defined in detail; however each implementation creating container signatures: | The contents of this string is not defined in detail; however each implementation creating container signatures: | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -27,8 +27,7 @@ No bare options are used. The format of TOML can be simplified to: | |||||||
| The `storage` table supports the following options: | The `storage` table supports the following options: | ||||||
| 
 | 
 | ||||||
| **driver**="" | **driver**="" | ||||||
|   container storage driver |   Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. | ||||||
|   Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. |  | ||||||
| This field is required to guarantee proper operation. | This field is required to guarantee proper operation. | ||||||
| Valid rootless drivers are "btrfs", "overlay", and "vfs". | Valid rootless drivers are "btrfs", "overlay", and "vfs". | ||||||
| Rootless users default to the driver defined in the system configuration when possible. | Rootless users default to the driver defined in the system configuration when possible. | ||||||
| @ -37,35 +36,33 @@ The `storage` table supports the following options: | |||||||
| **graphroot**="" | **graphroot**="" | ||||||
|   container storage graph dir (default: "/var/lib/containers/storage") |   container storage graph dir (default: "/var/lib/containers/storage") | ||||||
| Default directory to store all writable content created by container storage programs. | Default directory to store all writable content created by container storage programs. | ||||||
|   The rootless graphroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) | The rootless graphroot path supports environment variable substitutions (ie. `$HOME/containers/storage`). | ||||||
|   When changing the graphroot location on an SELINUX system, ensure | When changing the graphroot location on an SELINUX system, ensure the labeling matches the default locations labels with the following commands: | ||||||
|   the labeling matches the default locations labels with the |  | ||||||
|   following commands: |  | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH | # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH | ||||||
| # restorecon -R -v /NEWSTORAGEPATH | # restorecon -R -v /NEWSTORAGEPATH | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|   In Rootless Mode you would set | In rootless mode you would set | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| # semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH | # semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH | ||||||
| $ restorecon -R -v /NEWSTORAGEPATH | $ restorecon -R -v /NEWSTORAGEPATH | ||||||
| ``` | ``` | ||||||
| **rootless_storage_path**="$HOME/.local/share/containers/storage" | **rootless_storage_path**="$HOME/.local/share/containers/storage" | ||||||
|   Storage path for rootless users. By default the graphroot for rootless users |   Storage path for rootless users. By default the graphroot for rootless users is set to `$XDG_DATA_HOME/containers/storage`, if XDG_DATA_HOME is set. Otherwise `$HOME/.local/share/containers/storage` is used. This field can be used if administrators need to change the storage location for all users. The rootless storage path supports environment variable substitutions (ie. `$HOME/containers/storage`) | ||||||
|   is set to `$XDG_DATA_HOME/containers/storage`, if XDG_DATA_HOME is set. |  | ||||||
|   Otherwise `$HOME/.local/share/containers/storage` is used.  This field can |  | ||||||
|   be used if administrators need to change the storage location for all users. |  | ||||||
|   The rootless storage path supports environment variable substitutions (ie. `$HOME/containers/storage`) |  | ||||||
| 
 | 
 | ||||||
| A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). | A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). | ||||||
| 
 | 
 | ||||||
| **runroot**="" | **runroot**="" | ||||||
|   container storage run dir (default: "/run/containers/storage") |   container storage run dir (default: "/run/containers/storage") | ||||||
|   Default directory to store all temporary writable content created by container storage programs. | Default directory to store all temporary writable content created by container storage programs. The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) | ||||||
|   The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) | 
 | ||||||
|  | **driver_priority**=[] | ||||||
|  |   Priority list for the storage drivers that will be tested one after the other to pick the storage driver if it is not defined. The first storage driver in this list that can be used, will be picked as the new one and all subsequent ones will not be tried. If all drivers in this list are not viable, then **all** known drivers will be tried and the first working one will be picked. | ||||||
|  | By default, the storage driver is set via the `driver` option. If it is not defined, then the best driver will be picked according to the current platform. This option allows you to override this internal priority list with a custom one to prefer certain drivers. | ||||||
|  | Setting this option only has an effect if the local storage has not been initialized yet and the driver name is not set. | ||||||
| 
 | 
 | ||||||
| ### STORAGE OPTIONS TABLE | ### STORAGE OPTIONS TABLE | ||||||
| 
 | 
 | ||||||
| @ -216,20 +213,19 @@ The `storage.options.overlay` table supports the following options: | |||||||
| 
 | 
 | ||||||
| **force_mask** = "0000|shared|private" | **force_mask** = "0000|shared|private" | ||||||
|   ForceMask specifies the permissions mask that is used for new files and |   ForceMask specifies the permissions mask that is used for new files and | ||||||
| directories. | directories. The values "shared" and "private" are accepted.  (default: ""). Octal permission | ||||||
| The values "shared" and "private" are accepted.  (default: ""). Octal permission |  | ||||||
| masks are also accepted. | masks are also accepted. | ||||||
| 
 | 
 | ||||||
|   ``: Not set | - ``: Not set | ||||||
|   All files/directories, get set with the permissions identified within the |   All files/directories, get set with the permissions identified within the | ||||||
| image. | image. | ||||||
| 
 | 
 | ||||||
|   `private`: it is equivalent to 0700. | - `private`: it is equivalent to 0700. | ||||||
|   All files/directories get set with 0700 permissions.  The owner has rwx |   All files/directories get set with 0700 permissions.  The owner has rwx | ||||||
| access to the files. No other users on the system can access the files. | access to the files. No other users on the system can access the files. | ||||||
| This setting could be used with networked based home directories. | This setting could be used with networked based home directories. | ||||||
| 
 | 
 | ||||||
|   `shared`: it is equivalent to 0755. | - `shared`: it is equivalent to 0755. | ||||||
|   The owner has rwx access to the files and everyone else can read, access |   The owner has rwx access to the files and everyone else can read, access | ||||||
| and execute them. This setting is useful for sharing containers storage | and execute them. This setting is useful for sharing containers storage | ||||||
| with other users.  For instance, a storage owned by root could be shared | with other users.  For instance, a storage owned by root could be shared | ||||||
| @ -244,7 +240,7 @@ Note: The force_mask Flag is an experimental feature, it could change in the | |||||||
| future.  When "force_mask" is set the original permission mask is stored in the | future.  When "force_mask" is set the original permission mask is stored in the | ||||||
| "user.containers.override_stat" xattr and the "mount_program" option must be | "user.containers.override_stat" xattr and the "mount_program" option must be | ||||||
| specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended | specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended | ||||||
| attribute permissions to processes within containers rather then the | attribute permissions to processes within containers rather than the | ||||||
| "force_mask"  permissions. | "force_mask"  permissions. | ||||||
| 
 | 
 | ||||||
| **mount_program**="" | **mount_program**="" | ||||||
| @ -340,7 +336,7 @@ This is a way to prevent xfs_quota management from conflicting with containers/s | |||||||
| 
 | 
 | ||||||
| Distributions often provide a `/usr/share/containers/storage.conf` file to define default storage configuration. Administrators can override this file by creating `/etc/containers/storage.conf` to specify their own configuration. Likewise rootless users can create a storage.conf file to override the system storage.conf files. Files should be stored in the `$XDG_CONFIG_HOME/containers/storage.conf` file.  If `$XDG_CONFIG_HOME` is not set then the file `$HOME/.config/containers/storage.conf` is used. | Distributions often provide a `/usr/share/containers/storage.conf` file to define default storage configuration. Administrators can override this file by creating `/etc/containers/storage.conf` to specify their own configuration. Likewise rootless users can create a storage.conf file to override the system storage.conf files. Files should be stored in the `$XDG_CONFIG_HOME/containers/storage.conf` file.  If `$XDG_CONFIG_HOME` is not set then the file `$HOME/.config/containers/storage.conf` is used. | ||||||
| 
 | 
 | ||||||
| Note: The storage.conf file overrides all other strorage.conf files. Container | Note: The storage.conf file overrides all other storage.conf files. Container | ||||||
| engines run by users with a storage.conf file in their home directory do not | engines run by users with a storage.conf file in their home directory do not | ||||||
| use options in the system storage.conf files. | use options in the system storage.conf files. | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -11,6 +11,11 @@ containers-transports - description of supported transports for copying and stor | |||||||
| Tools which use the containers/image library, including skopeo(1), buildah(1), podman(1), all share a common syntax for referring to container images in various locations. | Tools which use the containers/image library, including skopeo(1), buildah(1), podman(1), all share a common syntax for referring to container images in various locations. | ||||||
| The general form of the syntax is _transport:details_, where details are dependent on the specified transport, which are documented below. | The general form of the syntax is _transport:details_, where details are dependent on the specified transport, which are documented below. | ||||||
| 
 | 
 | ||||||
|  | The semantics of the image names ultimately depend on the environment where | ||||||
|  | they are evaluated. For example: if evaluated on a remote server, image names | ||||||
|  | might refer to paths on that server; relative paths are relative to the current | ||||||
|  | directory of the image consumer. | ||||||
|  | 
 | ||||||
| ### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]} | ### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]} | ||||||
| 
 | 
 | ||||||
| An image located in a local containers storage. | An image located in a local containers storage. | ||||||
|  | |||||||
| @ -64,7 +64,6 @@ default_capabilities = [ | |||||||
|   "SETGID", |   "SETGID", | ||||||
|   "SETPCAP", |   "SETPCAP", | ||||||
|   "SETUID", |   "SETUID", | ||||||
|   "SYS_CHROOT" |  | ||||||
| ] | ] | ||||||
| 
 | 
 | ||||||
| # A list of sysctls to be set in containers by default, | # A list of sysctls to be set in containers by default, | ||||||
| @ -218,6 +217,10 @@ log_driver = "k8s-file" | |||||||
| # | # | ||||||
| #prepare_volume_on_create = false | #prepare_volume_on_create = false | ||||||
| 
 | 
 | ||||||
|  | # Run all containers with root file system mounted read-only | ||||||
|  | # | ||||||
|  | # read_only = false | ||||||
|  | 
 | ||||||
| # Path to the seccomp.json profile which is used as the default seccomp profile | # Path to the seccomp.json profile which is used as the default seccomp profile | ||||||
| # for the runtime. | # for the runtime. | ||||||
| # | # | ||||||
| @ -246,12 +249,6 @@ log_driver = "k8s-file" | |||||||
| # | # | ||||||
| #userns = "host" | #userns = "host" | ||||||
| 
 | 
 | ||||||
| # Number of UIDs to allocate for the automatic container creation. |  | ||||||
| # UIDs are allocated from the "container" UIDs listed in |  | ||||||
| # /etc/subuid & /etc/subgid |  | ||||||
| # |  | ||||||
| #userns_size = 65536 |  | ||||||
| 
 |  | ||||||
| # Default way to to create a UTS namespace for the container | # Default way to to create a UTS namespace for the container | ||||||
| # Options are: | # Options are: | ||||||
| # `private`        Create private UTS Namespace for the container. | # `private`        Create private UTS Namespace for the container. | ||||||
| @ -265,6 +262,11 @@ log_driver = "k8s-file" | |||||||
| # If it is empty or commented out, no volumes will be added | # If it is empty or commented out, no volumes will be added | ||||||
| # | # | ||||||
| #volumes = [] | #volumes = [] | ||||||
|  | # | ||||||
|  | #[engine.platform_to_oci_runtime] | ||||||
|  | #"wasi/wasm" = ["crun-wasm"] | ||||||
|  | #"wasi/wasm32" = ["crun-wasm"] | ||||||
|  | #"wasi/wasm64" = ["crun-wasm"] | ||||||
| 
 | 
 | ||||||
| [secrets] | [secrets] | ||||||
| #driver = "file" | #driver = "file" | ||||||
| @ -415,6 +417,10 @@ network_backend = "cni" | |||||||
| #events_logger = "journald" | #events_logger = "journald" | ||||||
| events_logger = "file" | events_logger = "file" | ||||||
| 
 | 
 | ||||||
|  | # Creates a more verbose container-create event which includes a JSON payload | ||||||
|  | # with detailed information about the container. | ||||||
|  | #events_container_create_inspect_data = false | ||||||
|  | 
 | ||||||
| # A is a list of directories which are used to search for helper binaries. | # A is a list of directories which are used to search for helper binaries. | ||||||
| # | # | ||||||
| #helper_binaries_dir = [ | #helper_binaries_dir = [ | ||||||
| @ -548,7 +554,7 @@ runtime = "runc" | |||||||
| # List of the OCI runtimes that support --format=json. When json is supported | # List of the OCI runtimes that support --format=json. When json is supported | ||||||
| # engine will use it for reporting nicer errors. | # engine will use it for reporting nicer errors. | ||||||
| # | # | ||||||
| #runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"] | #runtime_supports_json = ["crun", "runc", "kata", "runsc", "youki", "krun"] | ||||||
| 
 | 
 | ||||||
| # List of the OCI runtimes that supports running containers with KVM Separation. | # List of the OCI runtimes that supports running containers with KVM Separation. | ||||||
| # | # | ||||||
| @ -610,6 +616,12 @@ runtime = "runc" | |||||||
| # | # | ||||||
| #volume_path = "/var/lib/containers/storage/volumes" | #volume_path = "/var/lib/containers/storage/volumes" | ||||||
| 
 | 
 | ||||||
|  | # Default timeout (in seconds) for volume plugin operations. | ||||||
|  | # Plugins are external programs accessed via a REST API; this sets a timeout | ||||||
|  | # for requests to that API. | ||||||
|  | # A value of 0 is treated as no timeout. | ||||||
|  | #volume_plugin_timeout = 5 | ||||||
|  | 
 | ||||||
| # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) | # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) | ||||||
| [engine.runtimes] | [engine.runtimes] | ||||||
| #crun = [ | #crun = [ | ||||||
| @ -653,6 +665,13 @@ runtime = "runc" | |||||||
| #  "/run/current-system/sw/bin/runsc", | #  "/run/current-system/sw/bin/runsc", | ||||||
| #] | #] | ||||||
| 
 | 
 | ||||||
|  | #youki = [ | ||||||
|  | #  "/usr/local/bin/youki", | ||||||
|  | #  "/usr/bin/youki", | ||||||
|  | #  "/bin/youki", | ||||||
|  | #  "/run/current-system/sw/bin/youki", | ||||||
|  | #] | ||||||
|  | 
 | ||||||
| #krun = [ | #krun = [ | ||||||
| #  "/usr/bin/krun", | #  "/usr/bin/krun", | ||||||
| #  "/usr/local/bin/krun", | #  "/usr/local/bin/krun", | ||||||
| @ -670,7 +689,14 @@ runtime = "runc" | |||||||
| # | # | ||||||
| #disk_size=10 | #disk_size=10 | ||||||
| 
 | 
 | ||||||
| # The image used when creating a podman-machine VM. | # Default image URI when creating a new VM using `podman machine init`. | ||||||
|  | # Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major | ||||||
|  | # version of the OS (e.g `36`) for Fedora 36. For all platforms you can | ||||||
|  | # alternatively specify a custom download URL to an image. Container engines | ||||||
|  | # translate URIs $OS and $ARCH to the native OS and ARCH. URI | ||||||
|  | # "https://example.com/$OS/$ARCH/foobar.ami" becomes | ||||||
|  | # "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. | ||||||
|  | # The default value is `testing`. | ||||||
| # | # | ||||||
| # image = "testing" | # image = "testing" | ||||||
| 
 | 
 | ||||||
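Review bot: Removing `"SYS_CHROOT"` from the live `default_capabilities` array in the first hunk changes the default privilege set for every container whose entrypoint calls chroot(2), yet the shipped file carries no comment saying the default narrowed; the array's opening line sits in the hunk header, so any existing comment above it is outside the hunk. I would add next to the list a note such as `# SYS_CHROOT is no longer granted by default; containers that need chroot(2) must request it with --cap-add SYS_CHROOT.`, which matches the --cap-add guidance the accompanying man-page hunk on the default capability list gives (that hunk spells the capability "CHROOT", while the name this file uses is SYS_CHROOT, so the comment should use the latter). As a point of style, the new `# read_only = false` in the `-218,6 +217,10` hunk uses `# key` spacing where the neighbouring `#prepare_volume_on_create = false` and `#userns = "host"` use `#key`; `#read_only = false` keeps that convention.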
|  | |||||||
| @ -88,22 +88,24 @@ List of default capabilities for containers. | |||||||
| The default list is: | The default list is: | ||||||
| ``` | ``` | ||||||
| default_capabilities = [ | default_capabilities = [ | ||||||
| "AUDIT_WRITE", |  | ||||||
|       "CHOWN", |       "CHOWN", | ||||||
|       "DAC_OVERRIDE", |       "DAC_OVERRIDE", | ||||||
|       "FOWNER", |       "FOWNER", | ||||||
|       "FSETID", |       "FSETID", | ||||||
|       "KILL", |       "KILL", | ||||||
|       "MKNOD", |  | ||||||
|       "NET_BIND_SERVICE", |       "NET_BIND_SERVICE", | ||||||
|       "NET_RAW", |       "SETFCAP", | ||||||
|       "SETGID", |       "SETGID", | ||||||
|       "SETPCAP", |       "SETPCAP", | ||||||
|       "SETUID", |       "SETUID", | ||||||
|       "SYS_CHROOT", |  | ||||||
| ] | ] | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | Note, by default container engines using containers.conf, run with less | ||||||
|  | capabilities than Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD", | ||||||
|  | "NET_RAW", "CHROOT". If you need to add one of these capabilities for a | ||||||
|  | particular container, you can use the --cap-add option or edit your system's containers.conf. | ||||||
|  | 
 | ||||||
| **default_sysctls**=[] | **default_sysctls**=[] | ||||||
| 
 | 
 | ||||||
| A list of sysctls to be set in containers by default, | A list of sysctls to be set in containers by default, | ||||||
| @ -197,9 +199,9 @@ the container. | |||||||
| 
 | 
 | ||||||
| Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. | Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. | ||||||
| 
 | 
 | ||||||
| **log_driver**="k8s-file" | **log_driver**="" | ||||||
| 
 | 
 | ||||||
| Logging driver for the container. Available options: `k8s-file` and `journald`. | Logging driver for the container. Currently available options are k8s-file, journald, none and passthrough, with json-file aliased to k8s-file for scripting compatibility.  The journald driver is used by default if the systemd journal is readable and writable.  Otherwise, the k8s-file driver is used. | ||||||
| 
 | 
 | ||||||
| **log_size_max**=-1 | **log_size_max**=-1 | ||||||
| 
 | 
 | ||||||
| @ -241,6 +243,10 @@ is imposed. | |||||||
| 
 | 
 | ||||||
| Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications. | Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications. | ||||||
| 
 | 
 | ||||||
|  | **read_only**=true|false | ||||||
|  | 
 | ||||||
|  | Run all containers with root file system mounted read-only. Set to false by default. | ||||||
|  | 
 | ||||||
| **seccomp_profile**="/usr/share/containers/seccomp.json" | **seccomp_profile**="/usr/share/containers/seccomp.json" | ||||||
| 
 | 
 | ||||||
| Path to the seccomp.json profile which is used as the default seccomp profile | Path to the seccomp.json profile which is used as the default seccomp profile | ||||||
| @ -275,11 +281,6 @@ Options are: | |||||||
|   `private` Create private USER Namespace for the container. |   `private` Create private USER Namespace for the container. | ||||||
|   `host`    Share host USER Namespace with the container. |   `host`    Share host USER Namespace with the container. | ||||||
| 
 | 
 | ||||||
| **userns_size**=65536 |  | ||||||
| 
 |  | ||||||
| Number of UIDs to allocate for the automatic container creation. UIDs are |  | ||||||
| allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid. |  | ||||||
| 
 |  | ||||||
| **utsns**="private" | **utsns**="private" | ||||||
| 
 | 
 | ||||||
| Default way to to create a UTS namespace for the container. | Default way to to create a UTS namespace for the container. | ||||||
| @ -451,6 +452,11 @@ use this command: | |||||||
| 
 | 
 | ||||||
| Valid values are: `file`, `journald`, and `none`. | Valid values are: `file`, `journald`, and `none`. | ||||||
| 
 | 
 | ||||||
|  | **events_container_create_inspect_data**=true|false | ||||||
|  | 
 | ||||||
|  | Creates a more verbose container-create event which includes a JSON payload | ||||||
|  | with detailed information about the container.  Set to false by default. | ||||||
|  | 
 | ||||||
| **helper_binaries_dir**=["/usr/libexec/podman", ...] | **helper_binaries_dir**=["/usr/libexec/podman", ...] | ||||||
| 
 | 
 | ||||||
| A is a list of directories which are used to search for helper binaries. | A is a list of directories which are used to search for helper binaries. | ||||||
| @ -598,7 +604,7 @@ Default OCI specific runtime in runtimes that will be used by default. Must | |||||||
| refer to a member of the runtimes table. Default runtime will be searched for | refer to a member of the runtimes table. Default runtime will be searched for | ||||||
| on the system using the priority: "crun", "runc", "kata". | on the system using the priority: "crun", "runc", "kata". | ||||||
| 
 | 
 | ||||||
| **runtime_supports_json**=["crun", "runc", "kata", "runsc", "krun"] | **runtime_supports_json**=["crun", "runc", "kata", "runsc", "youki", "krun"] | ||||||
| 
 | 
 | ||||||
| The list of the OCI runtimes that support `--format=json`. | The list of the OCI runtimes that support `--format=json`. | ||||||
| 
 | 
 | ||||||
| @ -684,6 +690,10 @@ used as the backend for Podman named volumes. Individual plugins are specified | |||||||
| below, as a map of the plugin name (what the plugin will be called) to its path | below, as a map of the plugin name (what the plugin will be called) to its path | ||||||
| (filepath of the plugin's unix socket). | (filepath of the plugin's unix socket). | ||||||
| 
 | 
 | ||||||
|  | **[engine.platform_to_oci_runtime]** | ||||||
|  | 
 | ||||||
|  | Allows end users to switch the OCI runtime on the bases of container image's platform string. | ||||||
|  | Following config field contains a map of `platform/string = oci_runtime`. | ||||||
| 
 | 
 | ||||||
| ## SECRET TABLE | ## SECRET TABLE | ||||||
| The `secret` table contains settings for the configuration of the secret subsystem. | The `secret` table contains settings for the configuration of the secret subsystem. | ||||||
| @ -711,11 +721,13 @@ The size of the disk in GB created when init-ing a podman-machine VM | |||||||
| 
 | 
 | ||||||
| **image**="" | **image**="" | ||||||
| 
 | 
 | ||||||
| Default image used when creating a new VM using `podman machine init`. | Default image URI when creating a new VM using `podman machine init`. | ||||||
| Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major | Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major | ||||||
| version of the OS (e.g `35`). For all platforms you can alternatively specify | version of the OS (e.g `36`) for Fedora 36. For all platforms you can | ||||||
| a custom path or download URL to an image. The default is `testing` on | alternatively specify a custom download URL to an image. Container engines | ||||||
| Linux/Mac, and `35` on Windows. | translate URIs $OS and $ARCH to the native OS and ARCH. URI "https://example.com/$OS/$ARCH/foobar.ami" would become "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. | ||||||
|  | The default value | ||||||
|  | is `testing` on Linux/Mac, and on Windows. | ||||||
| 
 | 
 | ||||||
| **memory**=2048 | **memory**=2048 | ||||||
| 
 | 
 | ||||||
| @ -733,6 +745,8 @@ Environment variables like $HOME as well as complete paths are supported for | |||||||
| the source and destination. An optional third field `:ro` can be used to | the source and destination. An optional third field `:ro` can be used to | ||||||
| tell the container engines to mount the volume readonly. | tell the container engines to mount the volume readonly. | ||||||
| 
 | 
 | ||||||
|  | On Mac, the default volumes are: `"/Users:/Users", "/private:/private", "/var/folders:/var/folders"` | ||||||
|  | 
 | ||||||
| # FILES | # FILES | ||||||
| 
 | 
 | ||||||
| **containers.conf** | **containers.conf** | ||||||
|  | |||||||
| @ -1,8 +1,8 @@ | |||||||
| # This is a default registries.d configuration file.  You may | # This is a default registries.d configuration file.  You may | ||||||
| # add to this file or create additional files in registries.d/. | # add to this file or create additional files in registries.d/. | ||||||
| # | # | ||||||
| # lookaside: indicates a location that is read and write | # lookaside: for reading/writing simple signing signatures | ||||||
| # lookaside-staging: indicates a location that is only for write | # lookaside-staging: for writing simple signing signatures, preferred over lookaside | ||||||
| # | # | ||||||
| # lookaside and lookaside-staging take a value of the following: | # lookaside and lookaside-staging take a value of the following: | ||||||
| #   lookaside:  {schema}://location | #   lookaside:  {schema}://location | ||||||
| @ -10,10 +10,12 @@ | |||||||
| # For reading signatures, schema may be http, https, or file. | # For reading signatures, schema may be http, https, or file. | ||||||
| # For writing signatures, schema may only be file. | # For writing signatures, schema may only be file. | ||||||
| 
 | 
 | ||||||
| # This is the default signature write location for docker registries. | # The default locations are built-in, for both reading and writing: | ||||||
|  | # /var/lib/containers/sigstore for root, or | ||||||
|  | # ~/.local/share/containers/sigstore for non-root users. | ||||||
| default-docker: | default-docker: | ||||||
| #  lookaside: file:///var/lib/containers/sigstore | #  lookaside: https://… | ||||||
|   lookaside-staging: file:///var/lib/containers/sigstore | #  lookaside-staging: file:///… | ||||||
| 
 | 
 | ||||||
| # The 'docker' indicator here is the start of the configuration | # The 'docker' indicator here is the start of the configuration | ||||||
| # for docker registries. | # for docker registries. | ||||||
| @ -21,6 +23,6 @@ default-docker: | |||||||
| # docker: | # docker: | ||||||
| # | # | ||||||
| #   privateregistry.com: | #   privateregistry.com: | ||||||
| #    lookaside: http://privateregistry.com/sigstore/ | #    lookaside: https://privateregistry.com/sigstore/ | ||||||
| #    lookaside-staging: /mnt/nfs/privateregistry/sigstore | #    lookaside-staging: /mnt/nfs/privateregistry/sigstore | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -1,63 +1,46 @@ | |||||||
| #!/bin/bash | #!/bin/bash | ||||||
| #set -e | set -e | ||||||
| rm -f /tmp/pyxis*.json | rm -f /tmp/pyxis*.json | ||||||
| TOTAL=`curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=1" | jq .total` | TOTAL=`curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=1" | jq .total` | ||||||
| if [ "$TOTAL" == "null" ]; then | if [ "$TOTAL" == "null" ]; then | ||||||
|   echo "Error comunicating with Pyxis API." |   echo "Error comunicating with Pyxis API." | ||||||
|   exit 1 |   exit 1 | ||||||
| fi | fi | ||||||
| PAGES=$(($TOTAL/500)) | PAGES=$(($TOTAL/250)) | ||||||
| for P in `seq 0 $PAGES`; do | for P in `seq 0 $PAGES`; do | ||||||
|   curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=500&page=$P" > /tmp/pyxis$P.json |   curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=500&page=$P" > /tmp/pyxis$P.json | ||||||
| done | done | ||||||
| cat /tmp/pyxis*.json > /tmp/pyx.json | cat /tmp/pyxis*.json > /tmp/pyx.json | ||||||
|  | rm -f /tmp/pyx_debug | ||||||
| rm -f /tmp/rhel-shortnames.conf | rm -f /tmp/rhel-shortnames.conf | ||||||
| while read -r LINE; do | jq '.data[]|.published,.requires_terms,.repository,.registry,.release_categories[0]' < /tmp/pyx.json >/tmp/pyx | ||||||
|   if [[ "$LINE" == *\"_id\":* ]] || [[ "$LINE" == *\"total\":* ]]; then | readarray -t lines < /tmp/pyx | ||||||
|     if [ -z $REGISTRY ] || | IDX=0 | ||||||
|        [ -z $PUBLISHED ] || | while [ $IDX -lt ${#lines[@]} ]; do | ||||||
|        [ -z $REPOSITORY ] || |   PUBLISHED=${lines[$IDX]} | ||||||
|        [  $REPOSITORY == \"\" ] || |   REQ_TERMS=${lines[$IDX+1]} | ||||||
|        [ "$AVAILABLE" != "Generally Available" ] || |   REPOSITORY=`echo ${lines[$IDX+2]} | tr -d '"'` | ||||||
|        [[ $REPOSITORY == *[@:]* ]] || |   REGISTRY=`echo ${lines[$IDX+3]} | tr -d '"'` | ||||||
|        [[ $REPOSITORY == *[* ]] || |   RELEASE=`echo ${lines[$IDX+4]} | tr -d '"'` | ||||||
|        [[ "$REGISTRY" == *non_registry* ]] || |   if [ "$PUBLISHED" == "true" ] && | ||||||
|        [[ $REGISTRY != *.* ]] |      [ "$RELEASE" == "Generally Available" ] && | ||||||
|      then |      [  $REPOSITORY != \"\" ] && | ||||||
|       continue |      [[ $REPOSITORY != *[@:]* ]] && | ||||||
|     fi |      [[ $REPOSITORY != *[* ]] && | ||||||
|  |      [[ $REGISTRY == *.* ]] && | ||||||
|  |      [ "$REGISTRY" != "non_registry" ]; then | ||||||
|     if [[ $REGISTRY == *quay.io* ]] || |     if [[ $REGISTRY == *quay.io* ]] || | ||||||
|        [[ $REGISTRY == *redhat.com* ]]; then |        [[ $REGISTRY == *redhat.com* ]]; then | ||||||
|       if [ "$REQUIRES_TERMS" == "1" ]; then |       if [ "$REQ_TERMS" == "true" ]; then | ||||||
|         REGISTRY=registry.redhat.io |         REGISTRY=registry.redhat.io | ||||||
|       fi |       fi | ||||||
|  |     fi | ||||||
|     echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" |     echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" | ||||||
|  |     echo $PUBLISHED,$REQ_TERMS,$REPOSITORY,$REGISTRY,$RELEASE >> /tmp/pyx_debug | ||||||
|     echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" >> /tmp/rhel-shortnames.conf |     echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" >> /tmp/rhel-shortnames.conf | ||||||
|   fi |   fi | ||||||
|     REGISTRY="" |   IDX=$(($IDX+5)) | ||||||
|     PUBLISHED="" | done | ||||||
|     AVAILABLE="" |  | ||||||
|     REPOSITORY="" |  | ||||||
|     REQUIRES_TERMS="" |  | ||||||
|     continue |  | ||||||
|   fi |  | ||||||
|   if [[ "$LINE" == *\"published\":\ true,* ]]; then |  | ||||||
|     PUBLISHED=1 |  | ||||||
|   fi |  | ||||||
|   if [[ "$LINE" == *\"requires_terms\":\ true,* ]]; then |  | ||||||
|     REQUIRES_TERMS=1 |  | ||||||
|   fi |  | ||||||
|   if [[ "$LINE" == *\"repository\":\ * ]]; then |  | ||||||
|     REPOSITORY=`echo $LINE | sed 's,^.* ",,' | sed 's;",$;;'` |  | ||||||
|   fi |  | ||||||
|   if [[ "$LINE" == *\"registry\":\ * ]]; then |  | ||||||
|     REGISTRY=`echo $LINE | sed -e 's,^.*:\ ",,' -e 's,".*,,'` |  | ||||||
|   fi |  | ||||||
|   if [[ "$LINE" == *\"release_categories\":\ * ]]; then |  | ||||||
|     read -r LINE |  | ||||||
|     AVAILABLE=`echo $LINE | sed 's,",,g'` |  | ||||||
|   fi |  | ||||||
| done < /tmp/pyx.json |  | ||||||
| 
 | 
 | ||||||
| cp /tmp/rhel-shortnames.conf /tmp/r.conf | cp /tmp/rhel-shortnames.conf /tmp/r.conf | ||||||
| for D in `cut -d\  -f1 /tmp/r.conf | sort | uniq -d`; do | for D in `cut -d\  -f1 /tmp/r.conf | sort | uniq -d`; do | ||||||
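Review bot: The page arithmetic `PAGES=$(($TOTAL/250))` no longer matches the request on the next line, which still asks for `page_size=500`, so the loop issues roughly twice the requests needed (the surplus pages presumably return an empty `.data`, which is harmless but wasteful); use one constant for both, e.g. keep `PAGES=$(($TOTAL/500))` or change the URL to `page_size=250`. The emptiness test `[  $REPOSITORY != \"\" ]` compares against a literal pair of quote characters that `tr -d '"'` has already removed, and for an empty `$REPOSITORY` it only skips the entry because `[` reports a syntax error; `[ -n "$REPOSITORY" ] &&` states the intent. The new intermediate files `/tmp/pyx` and `/tmp/pyx_debug`, like the existing `/tmp/pyxis$P.json`, are fixed names in the shared `/tmp`, so a pre-existing file or symlink owned by another user is followed by the `>`/`>>` redirections; creating them under `WORK=$(mktemp -d)` removes that exposure. `set -e` is now enabled, but without `set -o pipefail` a failing `curl` inside the backtick pipelines is masked by `jq`, and the `"$TOTAL" == "null"` check does not cover an empty `TOTAL`.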
|  | |||||||
| @ -3,7 +3,7 @@ | |||||||
|   "almalinux" = "docker.io/library/almalinux" |   "almalinux" = "docker.io/library/almalinux" | ||||||
|   "almalinux-minimal" = "docker.io/library/almalinux-minimal" |   "almalinux-minimal" = "docker.io/library/almalinux-minimal" | ||||||
|   # Arch Linux |   # Arch Linux | ||||||
|   "archlinux" = "docker.io/archlinux/archlinux" |   "archlinux" = "docker.io/library/archlinux" | ||||||
|   # centos |   # centos | ||||||
|   "centos" = "quay.io/centos/centos" |   "centos" = "quay.io/centos/centos" | ||||||
|   # containers |   # containers | ||||||
| @ -42,6 +42,10 @@ | |||||||
|   "sles12sp5" = "registry.suse.com/suse/sles12sp5" |   "sles12sp5" = "registry.suse.com/suse/sles12sp5" | ||||||
|   "sles12sp4" = "registry.suse.com/suse/sles12sp4" |   "sles12sp4" = "registry.suse.com/suse/sles12sp4" | ||||||
|   "sles12sp3" = "registry.suse.com/suse/sles12sp3" |   "sles12sp3" = "registry.suse.com/suse/sles12sp3" | ||||||
|  |   "bci/bci-base" = "registry.suse.com/bci/bci-base" | ||||||
|  |   "bci/bci-micro" = "registry.suse.com/bci/bci-micro" | ||||||
|  |   "bci/bci-minimal" = "registry.suse.com/bci/bci-minimal" | ||||||
|  |   "bci/bci-busybox" = "registry.suse.com/bci/bci-busybox" | ||||||
|   # Red Hat Enterprise Linux |   # Red Hat Enterprise Linux | ||||||
|   "rhel" = "registry.access.redhat.com/rhel" |   "rhel" = "registry.access.redhat.com/rhel" | ||||||
|   "rhel6" = "registry.access.redhat.com/rhel6" |   "rhel6" = "registry.access.redhat.com/rhel6" | ||||||
| @ -111,5 +115,7 @@ | |||||||
|   "php" = "docker.io/library/php" |   "php" = "docker.io/library/php" | ||||||
|   # python |   # python | ||||||
|   "python" = "docker.io/library/python" |   "python" = "docker.io/library/python" | ||||||
|  |   # rust | ||||||
|  |   "rust" = "docker.io/library/rust" | ||||||
|   # node |   # node | ||||||
|   "node" = "docker.io/library/node" |   "node" = "docker.io/library/node" | ||||||
|  | |||||||
| @ -1,4 +1,4 @@ | |||||||
| # This file is is the configuration file for all tools | # This file is the configuration file for all tools | ||||||
| # that use the containers/storage library. The storage.conf file | # that use the containers/storage library. The storage.conf file | ||||||
| # overrides all other storage.conf files. Container engines using the | # overrides all other storage.conf files. Container engines using the | ||||||
| # container/storage library do not inherit fields from other storage.conf | # container/storage library do not inherit fields from other storage.conf | ||||||
| @ -32,6 +32,10 @@ graphroot = "/var/lib/containers/storage" | |||||||
| # | # | ||||||
| # rootless_storage_path = "$HOME/.local/share/containers/storage" | # rootless_storage_path = "$HOME/.local/share/containers/storage" | ||||||
| 
 | 
 | ||||||
|  | # Transient store mode makes all container metadata be saved in temporary storage | ||||||
|  | # (i.e. runroot above). This is faster, but doesn't persist across reboots. | ||||||
|  | # transient_store = true | ||||||
|  | 
 | ||||||
| [storage.options] | [storage.options] | ||||||
| # Storage options to be passed to underlying storage drivers | # Storage options to be passed to underlying storage drivers | ||||||
| 
 | 
 | ||||||
| @ -150,7 +154,7 @@ mountopt = "nodev,metacopy=on" | |||||||
| #  future.  When "force_mask" is set the original permission mask is stored in | #  future.  When "force_mask" is set the original permission mask is stored in | ||||||
| #  the "user.containers.override_stat" xattr and the "mount_program" option must | #  the "user.containers.override_stat" xattr and the "mount_program" option must | ||||||
| #  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the | #  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the | ||||||
| #  extended attribute permissions to processes within containers rather then the | #  extended attribute permissions to processes within containers rather than the | ||||||
| #  "force_mask"  permissions. | #  "force_mask"  permissions. | ||||||
| # | # | ||||||
| # force_mask = "" | # force_mask = "" | ||||||
|  | |||||||
| @ -21,9 +21,9 @@ for P in podman skopeo buildah; do | |||||||
|     pkg --release rhel-8 prep |     pkg --release rhel-8 prep | ||||||
|   fi |   fi | ||||||
|   DIR=`ls -d -- */ | grep -v ^tests | head -n1` |   DIR=`ls -d -- */ | grep -v ^tests | head -n1` | ||||||
|   grep github.com/containers/image $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_image |   grep github.com/containers/image $DIR/go.mod | cut -d\  -f2 | sed 's,-.*,,'>> /tmp/ver_image | ||||||
|   grep github.com/containers/common $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_common |   grep github.com/containers/common $DIR/go.mod | cut -d\  -f2 | sed 's,-.*,,' >> /tmp/ver_common | ||||||
|   grep github.com/containers/storage $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_storage |   grep github.com/containers/storage $DIR/go.mod | cut -d\  -f2 | sed 's,-.*,,' >> /tmp/ver_storage | ||||||
|   cd - |   cd - | ||||||
| done | done | ||||||
| IMAGE_VER=`sort -n /tmp/ver_image | head -n1` | IMAGE_VER=`sort -n /tmp/ver_image | head -n1` | ||||||
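Review bot: `sed 's,-.*,,'` turns a Go pseudo-version into a tag that may not exist: in `vX.Y.Z-0.<timestamp>-<hash>` the `vX.Y.Z` part is the next, not-yet-released version, so truncating it yields something newer than any tag, and once `sort -n | head -n1` selects it the later download of that tag can fail; prerelease tags such as `v1.45.0-rc1` are mangled the same way. The removed `grep -v -` skipped such entries, which is at least safe; if pseudo-versions are meant to be accepted, a comment above the three lines should say how the truncated value is expected to resolve. Note also that `sort -n` on strings like `v5.24.1` does not order by semantic version (`sort -V` does), which is pre-existing but decides which version is kept. The enclosing `for` loop starts outside the hunk.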
|  | |||||||
| @ -13,7 +13,7 @@ ensure() { | |||||||
|       sed -i "/^#.*$2[[:blank:]].*=/a \ |       sed -i "/^#.*$2[[:blank:]].*=/a \ | ||||||
| $2 = $3" $1 | $2 = $3" $1 | ||||||
|     else |     else | ||||||
|       echo "$2 = \"$3\"" >> $1 |       echo "$2 = $3" >> $1 | ||||||
|     fi |     fi | ||||||
|   fi |   fi | ||||||
| } | } | ||||||
| @ -21,27 +21,35 @@ $2 = $3" $1 | |||||||
| #./pyxis.sh | #./pyxis.sh | ||||||
| #./update-vendored.sh | #./update-vendored.sh | ||||||
| spectool -f -g containers-common.spec | spectool -f -g containers-common.spec | ||||||
|  | for FILE in *; do | ||||||
|  |   [ -s "$FILE" ] | ||||||
|  |   if [ $? == 1 ] && [ "$FILE" != "sources" ]; then | ||||||
|  |     echo "empty file: $FILE" | ||||||
|  |     exit 1 | ||||||
|  |   fi | ||||||
|  | done | ||||||
| ensure storage.conf    driver                        \"overlay\" | ensure storage.conf    driver                        \"overlay\" | ||||||
| ensure storage.conf    mountopt                      \"nodev,metacopy=on\" | ensure storage.conf    mountopt                      \"nodev,metacopy=on\" | ||||||
| if pwd | grep rhel-8 > /dev/null | if pwd | grep rhel-8 > /dev/null | ||||||
| then | then | ||||||
|  | awk -i inplace '/#default_capabilities/,/#\]/{gsub("#","",$0)}1' containers.conf | ||||||
| ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] | ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] | ||||||
| ensure registries.conf short-name-mode               \"permissive\" | ensure registries.conf short-name-mode               \"permissive\" | ||||||
| ensure containers.conf runtime                       \"runc\" | ensure containers.conf runtime                       \"runc\" | ||||||
| ensure containers.conf events_logger                 \"file\" | ensure containers.conf events_logger                 \"file\" | ||||||
| ensure containers.conf log_driver                    \"k8s-file\" | ensure containers.conf log_driver                    \"k8s-file\" | ||||||
| ensure containers.conf network_backend               \"cni\" | ensure containers.conf network_backend               \"cni\" | ||||||
| else |  | ||||||
| ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] |  | ||||||
| ensure registries.conf short-name-mode               \"enforcing\" |  | ||||||
| ensure containers.conf runtime                       \"crun\" |  | ||||||
| fi |  | ||||||
| [ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \ |  | ||||||
| 				"keyctl",' seccomp.json |  | ||||||
| sed -i '/\"socketcall\",/i \ |  | ||||||
| 				"socket",' seccomp.json |  | ||||||
| if ! grep \"NET_RAW\" containers.conf > /dev/null | if ! grep \"NET_RAW\" containers.conf > /dev/null | ||||||
| then | then | ||||||
|   sed -i '/^default_capabilities/a \ |   sed -i '/^default_capabilities/a \ | ||||||
|   "NET_RAW",' containers.conf |   "NET_RAW",' containers.conf | ||||||
| fi | fi | ||||||
|  | else | ||||||
|  | ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] | ||||||
|  | ensure registries.conf short-name-mode               \"enforcing\" | ||||||
|  | ensure containers.conf runtime                       \"crun\" | ||||||
|  | fi | ||||||
|  | [ `grep \"keyctl\", seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \ | ||||||
|  | 				"keyctl",' seccomp.json | ||||||
|  | [ `grep \"socket\", seccomp.json | wc -l` == 0 ] && sed -i '/\"socketcall\",/i \ | ||||||
|  | 				"socket",' seccomp.json | ||||||
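Review bot: The final command of the script is now a `[ … ] && sed -i …` list, so update.sh exits non-zero whenever seccomp.json already contains `"socket",` (the `keyctl` line above has the same shape); `grep -q '"socket",' seccomp.json || sed -i '/\"socketcall\",/i \` followed by the unchanged `"socket",' seccomp.json` line keeps the guard and returns 0 when there is nothing to do. `awk -i inplace` is a GNU awk extension, and the range `/#default_capabilities/,/#\]/` strips every `#` until a line matching `#]` is seen, so if the closing line is missing or worded differently the rest of containers.conf is uncommented; a `grep -q '^default_capabilities' containers.conf` after it would catch a non-matching input. The seccomp.json edits are never validated, and `jq . seccomp.json >/dev/null` right after them would ensure the shipped default profile still parses. The empty-file check `[ -s "$FILE" ]` followed by `if [ $? == 1 ]` can be written as `if [ ! -s "$FILE" ] && [ "$FILE" != "sources" ]; then`. The `ensure` function and the start of the script lie outside the hunk.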
|  | |||||||
| @ -4,15 +4,15 @@ | |||||||
| # pick the oldest version on c/image, c/common, c/storage vendored in | # pick the oldest version on c/image, c/common, c/storage vendored in | ||||||
| # podman/skopeo/podman. | # podman/skopeo/podman. | ||||||
| %global skopeo_branch main | %global skopeo_branch main | ||||||
| %global image_branch v5.22.0 | %global image_branch v5.24.1 | ||||||
| %global common_branch v0.49.1 | %global common_branch v0.51.0 | ||||||
| %global storage_branch v1.42.0 | %global storage_branch v1.45.3 | ||||||
| %global shortnames_branch main | %global shortnames_branch main | ||||||
| 
 | 
 | ||||||
| Epoch: 2 | Epoch: 2 | ||||||
| Name: containers-common | Name: containers-common | ||||||
| Version: 1 | Version: 1 | ||||||
| Release: 40%{?dist} | Release: 62%{?dist} | ||||||
| Summary: Common configuration and documentation for containers | Summary: Common configuration and documentation for containers | ||||||
| License: ASL 2.0 | License: ASL 2.0 | ||||||
| # arch limitation because of go-md2man (missing on i686) | # arch limitation because of go-md2man (missing on i686) | ||||||
| @ -62,6 +62,7 @@ Source25: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/d | |||||||
| # FIXME: fix the branch once these are available via regular c/common branch | # FIXME: fix the branch once these are available via regular c/common branch | ||||||
| Source26: https://raw.githubusercontent.com/containers/common/main/docs/Containerfile.5.md | Source26: https://raw.githubusercontent.com/containers/common/main/docs/Containerfile.5.md | ||||||
| Source27: https://raw.githubusercontent.com/containers/common/main/docs/containerignore.5.md | Source27: https://raw.githubusercontent.com/containers/common/main/docs/containerignore.5.md | ||||||
|  | Source28: RPM-GPG-KEY-redhat-beta | ||||||
| 
 | 
 | ||||||
| # scripts used for synchronization with upstream and shortname generation | # scripts used for synchronization with upstream and shortname generation | ||||||
| Source100: update.sh | Source100: update.sh | ||||||
| @ -81,7 +82,8 @@ separately. | |||||||
| %build | %build | ||||||
| 
 | 
 | ||||||
| %install | %install | ||||||
| install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d} | install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd,registries.d,registries.conf.d} | ||||||
|  | install -dp %{buildroot}%{_datadir}/containers/systemd | ||||||
| install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf | install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf | ||||||
| install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf | install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf | ||||||
| install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf | install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf | ||||||
| @ -92,6 +94,7 @@ install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf | |||||||
| %if !0%{?rhel} || 0%{?centos} | %if !0%{?rhel} || 0%{?centos} | ||||||
| install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg | install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg | ||||||
| install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg | install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg | ||||||
|  | install -m0644 %{SOURCE28} %{buildroot}%{_sysconfdir}/pki/rpm-gpg | ||||||
| %endif | %endif | ||||||
| install -dp %{buildroot}%{_sysconfdir}/containers/registries.d | install -dp %{buildroot}%{_sysconfdir}/containers/registries.d | ||||||
| install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d | install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d | ||||||
| @ -148,8 +151,11 @@ EOF | |||||||
| %dir %{_sysconfdir}/containers/oci | %dir %{_sysconfdir}/containers/oci | ||||||
| %dir %{_sysconfdir}/containers/oci/hooks.d | %dir %{_sysconfdir}/containers/oci/hooks.d | ||||||
| %dir %{_sysconfdir}/containers/registries.conf.d | %dir %{_sysconfdir}/containers/registries.conf.d | ||||||
|  | %dir %{_sysconfdir}/containers/systemd | ||||||
|  | %dir %{_datadir}/containers/systemd | ||||||
| %if !0%{?rhel} || 0%{?centos} | %if !0%{?rhel} || 0%{?centos} | ||||||
| %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release | %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release | ||||||
|  | %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta | ||||||
| %endif | %endif | ||||||
| %config(noreplace) %{_sysconfdir}/containers/policy.json | %config(noreplace) %{_sysconfdir}/containers/policy.json | ||||||
| %config(noreplace) %{_sysconfdir}/containers/storage.conf | %config(noreplace) %{_sysconfdir}/containers/storage.conf | ||||||
| @ -169,6 +175,94 @@ EOF | |||||||
| %{_datadir}/rhel/secrets/* | %{_datadir}/rhel/secrets/* | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Wed Feb 22 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-62 | ||||||
|  | - improve shortnames generation | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Fri Feb 17 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-61 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Tue Jan 31 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-60 | ||||||
|  | - add missing systemd directories | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Fri Jan 27 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-59 | ||||||
|  | - always define default_capablities in RHEL8 | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Fri Jan 27 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-58 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Wed Jan 25 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-57 | ||||||
|  | - fix vendoring script | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Wed Jan 25 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-56 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Tue Jan 24 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-55 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Wed Jan 18 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-54 | ||||||
|  | - readd containers-storage.conf.5.md | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Wed Jan 18 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-53 | ||||||
|  | - point c/storage to 1.44.0 as 1.44.1 is missing files upstream | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Tue Jan 17 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-52 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Fri Jan 13 2023 Jindrich Novy <jnovy@redhat.com> | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Thu Jan 05 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-50 | ||||||
|  | - update vendored components, regenerate shortnames | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Mon Jan 02 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-49 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Fri Dec 02 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-48 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Mon Nov 14 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-47 | ||||||
|  | - enable NET_RAW capability for RHEL8 only | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Tue Nov 08 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-46 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Fri Oct 21 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-45 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Mon Oct 17 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-44 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Thu Oct 06 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-43 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Wed Sep 21 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-42 | ||||||
|  | - update vendored components and configuration files | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
|  | * Tue Sep 06 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-41 | ||||||
|  | - add beta GPG key | ||||||
|  | - Related: #2123641 | ||||||
|  | 
 | ||||||
| * Tue Aug 23 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-40 | * Tue Aug 23 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-40 | ||||||
| - add beta keys to default-policy.json | - add beta keys to default-policy.json | ||||||
| - Related: #2061390 | - Related: #2061390 | ||||||
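Review bot: The changelog entry `* Fri Jan 13 2023 Jindrich Novy <jnovy@redhat.com>` is the only one without a `- 2:1-NN` suffix; its neighbours are 2:1-52 and 2:1-50, so `- 2:1-51` is presumably what is missing, and the version-per-entry convention the rest of the block follows should be kept. `Source28: RPM-GPG-KEY-redhat-beta` is the only local, non-URL source in the list and is installed into `%{_sysconfdir}/pki/rpm-gpg`; a one-line comment above it naming where the key is obtained and how its fingerprint is checked before a refresh would help the next maintainer.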
|  | |||||||