containers-common-1-41.el9

- drop aardvark-dns and netavark - packaged separately
- update vendored components
- Related: #2061316

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2022-08-03 17:35:04 +02:00
parent ea492c0f30
commit 4e3361652d
13 changed files with 184 additions and 188 deletions

View File

@ -4,15 +4,15 @@
# pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman.
%global skopeo_branch main
%global image_branch v5.21.1
%global common_branch v0.48.0
%global storage_branch v1.40.2
%global image_branch v5.22.0
%global common_branch v0.49.1
%global storage_branch v1.42.0
%global shortnames_branch main
Epoch: 2
Name: containers-common
Version: 1
Release: 40%{?dist}
Release: 41%{?dist}
Summary: Common configuration and documentation for containers
License: ASL 2.0
BuildRequires: /usr/bin/go-md2man
@ -65,28 +65,6 @@ Source100: update.sh
Source101: update-vendored.sh
Source102: pyxis.sh
%global aardvark_dns_version v1.0.3
#%%global aardvark_dns_branch v1.0.1-rhel
%global aardvark_dns_commit0 a92337b08fbd88c9eb10c1a5ebce2bf61aa59a7b
%global aardvark_dns_shortcommit0 %(c=%{aardvark_dns_commit0}; echo ${c:0:7})
%if 0%{?aardvark_dns_branch:1}
Source200: https://github.com/containers/aardvark-dns/tarball/%{aardvark_dns_commit0}/%{aardvark_dns_branch}-%{aardvark_dns_shortcommit0}.tar.gz
%else
Source200: https://github.com/containers/aardvark-dns/archive/%{aardvark_dns_commit0}/aardvark-dns-%{aardvark_dns_version}-%{aardvark_dns_shortcommit0}.tar.gz
%endif
Source201: https://github.com/containers/aardvark-dns/releases/download/%{aardvark_dns_version}/aardvark-dns-%{aardvark_dns_version}-vendor.tar.gz
%global netavark_version v1.0.3
#%%global netavark_branch v1.0.1-rhel
%global netavark_commit0 ec7efb85ef90db4a14c07cb003b65491f7eb4edf
%global netavark_shortcommit0 %(c=%{netavark_commit0}; echo ${c:0:7})
%if 0%{?netavark_branch:1}
Source300: https://github.com/containers/netavark/tarball/%{netavark_commit0}/%{netavark_branch}-%{netavark_shortcommit0}.tar.gz
%else
Source300: https://github.com/containers/netavark/archive/%{netavark_commit0}/netavark-%{netavark_version}-%{netavark_shortcommit0}.tar.gz
%endif
Source301: https://github.com/containers/netavark/releases/download/%{netavark_version}/netavark-%{netavark_version}-vendor.tar.gz
%description
This package contains common configuration files and documentation for container
tools ecosystem, such as Podman, Buildah and Skopeo.
@ -95,117 +73,11 @@ It is required because the most of configuration files and docs come from projec
which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
separately.
%package -n aardvark-dns
Version: 1.0.1
Release: 40%{?dist}
URL: https://github.com/containers/aardvark-dns
Summary: Authoritative DNS server for A/AAAA container records
License: ASL 2.0 and BSD and MIT
BuildRequires: cargo
BuildRequires: git-core
BuildRequires: make
BuildRequires: rust-srpm-macros
BuildRequires: rust-toolset
#ExclusiveArch: %%{rust_arches}
ExclusiveArch: aarch64 ppc64le s390x x86_64
%description -n aardvark-dns
%{summary}
Forwards other request to configured resolvers.
Read more about configuration in `src/backend/mod.rs`.
%package -n netavark
Version: 1.0.1
Release: 40%{?dist}
URL: https://github.com/containers/netavark
Summary: OCI network stack
License: ASL 2.0 and BSD and MIT
BuildRequires: cargo
BuildRequires: make
BuildRequires: rust-srpm-macros
BuildRequires: git-core
BuildRequires: /usr/bin/go-md2man
Recommends: aardvark-dns
Provides: container-network-stack = 2
BuildRequires: rust-toolset
#ExclusiveArch: #%%{rust_arches}
ExclusiveArch: aarch64 ppc64le s390x x86_64
%description -n netavark
%{summary}
Netavark is a rust based network stack for containers. It is being
designed to work with Podman but is also applicable for other OCI
container management applications.
Netavark is a tool for configuring networking for Linux containers.
Its features include:
* Configuration of container networks via JSON configuration file
* Creation and management of required network interfaces,
including MACVLAN networks
* All required firewall configuration to perform NAT and port
forwarding as required for containers
* Support for iptables and firewalld at present, with support
for nftables planned in a future release
* Support for rootless containers
* Support for IPv4 and IPv6
* Support for container DNS resolution via aardvark-dns.
%prep
tar fx %{SOURCE200}
pushd aardvark-dns-%{aardvark_dns_commit0}
tar fx %{SOURCE201}
mkdir -p .cargo
cat >.cargo/config << EOF
[source.crates-io]
replace-with = "vendored-sources"
[source.vendored-sources]
directory = "vendor"
EOF
popd
tar fx %{SOURCE300}
pushd netavark-%{netavark_commit0}
tar fx %{SOURCE301}
mkdir -p .cargo
cat >.cargo/config << EOF
[source.crates-io]
replace-with = "vendored-sources"
[source.vendored-sources]
directory = "vendor"
EOF
popd
%build
%if 0%{?build_rustflags:1}
export RUSTFLAGS="%{build_rustflags}"
%endif
pushd aardvark-dns-%{aardvark_dns_commit0}
%__scm_setup_git -q
%make_build build
popd
pushd netavark-%{netavark_commit0}
%__scm_setup_git -q
%make_build build
pushd docs
go-md2man -in netavark.1.md -out netavark.1
popd
%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install
popd
%install
pushd aardvark-dns-%{aardvark_dns_commit0}
%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install
popd
pushd netavark-%{netavark_commit0}
%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install
popd
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
@ -270,8 +142,6 @@ EOF
%dir %{_sysconfdir}/containers
%dir %{_sysconfdir}/containers/certs.d
%dir %{_sysconfdir}/containers/registries.d
%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
%dir %{_sysconfdir}/containers/oci
%dir %{_sysconfdir}/containers/oci/hooks.d
%dir %{_sysconfdir}/containers/registries.conf.d
@ -279,11 +149,12 @@ EOF
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
%endif
%config(noreplace) %{_sysconfdir}/containers/policy.json
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/storage.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/*.conf
%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
%ghost %{_sysconfdir}/containers/containers.conf
%dir %{_sharedstatedir}/containers/sigstore
%{_mandir}/man5/*
@ -294,18 +165,12 @@ EOF
%dir %{_datadir}/rhel/secrets
%{_datadir}/rhel/secrets/*
%files -n aardvark-dns
%license aardvark-dns-%{aardvark_dns_commit0}/LICENSE
%dir %{_libexecdir}/podman
%{_libexecdir}/podman/aardvark-dns
%files -n netavark
%license netavark-%{netavark_commit0}/LICENSE
%dir %{_libexecdir}/podman
%{_libexecdir}/podman/netavark
%{_mandir}/man1/netavark.1*
%changelog
* Wed Aug 03 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-41
- drop aardvark-dns and netavark - packaged separately
- update vendored components
- Related: #2061316
* Mon Jun 27 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-40
- remove rhel-els and update shortnames
- Related: #2061316

View File

@ -149,20 +149,21 @@ This requirement rejects every image, and every signature.
### `signedBy`
This requirement requires an image to be signed with an expected identity, or accepts a signature if it is using an expected identity and key.
This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key.
```js
{
"type": "signedBy",
"keyType": "GPGKeys", /* The only currently supported value */
"keyPath": "/path/to/local/keyring/file",
"keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…],
"keyData": "base64-encoded-keyring-data",
"signedIdentity": identity_requirement
}
```
<!-- Later: other keyType values -->
Exactly one of `keyPath` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
One of the following alternatives are supported:
@ -236,6 +237,26 @@ used with `exactReference` or `exactRepository`.
<!-- ### `signedBaseLayer` -->
### `sigstoreSigned`
This requirement requires an image to be signed using a sigstore signature with an expected identity and key.
```js
{
"type": "sigstoreSigned",
"keyPath": "/path/to/local/keyring/file",
"keyData": "base64-encoded-keyring-data",
"signedIdentity": identity_requirement
}
```
Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key. Only signatures made by this key is accepted.
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
## Examples
It is *strongly* recommended to set the `default` policy to `reject`, and then
@ -255,9 +276,24 @@ selectively allow individual transports and scopes as desired.
"docker.io/openshift": [{"type": "insecureAcceptAnything"}],
/* Similarly, allow installing the “official” busybox images. Note how the fully expanded
form, with the explicit /library/, must be used. */
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}]
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}],
/* Allow installing images from all subdomains */
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}]
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}],
/* A sigstore-signed repository */
"hostname:5000/myns/sigstore-signed-with-full-references": [
{
"type": "sigstoreSigned",
"keyPath": "/path/to/sigstore-pubkey.pub"
}
],
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
{
"type": "sigstoreSigned",
"keyPath": "/path/to/sigstore-pubkey.pub",
"signedIdentity": {"type": "matchRepository"}
}
]
/* Other docker: images use the global default policy and are rejected */
},
"dir": {
@ -301,7 +337,7 @@ selectively allow individual transports and scopes as desired.
"signedIdentity": {
"type": "remapIdentity",
"prefix": "private-mirror:5000/vendor-mirror",
"signedPrefix": "vendor.example.com",
"signedPrefix": "vendor.example.com"
}
}
]

View File

@ -43,7 +43,7 @@ also include wildcarded subdomains in the format `*.example.com`.
The wildcard should only be present at the beginning as shown in the formats
above. Other cases will not work. For example, `*.example.com` is valid but
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
Note that `*` matches an arbitary number of subdomains. `*.example.com` will hence
Note that `*` matches an arbitrary number of subdomains. `*.example.com` will hence
match `bar.example.com`, `foo.bar.example.com` and so on.
As a special case, the `prefix` field can be missing; if so, it defaults to the value

View File

@ -63,25 +63,31 @@ more general scopes is ignored. For example, if _any_ configuration exists for
### Built-in Defaults
If no `docker` section can be found for the container image, and no `default-docker` section is configured,
the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
If no `docker` section can be found for the container image, and no `default-docker` section is configured:
- The default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
- Sigstore attachments will not be read/written.
## Individual Configuration Sections
A single configuration section is selected for a container image using the process
described above. The configuration section is a YAML mapping, with the following keys:
- `sigstore-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
<!-- `sigstore` and `sigstore-staging` are deprecated and intentionally not documented here. -->
This key is optional; if it is missing, `sigstore` below is used.
- `lookaside-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
- `sigstore` defines an URL of the signature storage.
This key is optional; if it is missing, `lookaside` below is used.
- `lookaside` defines an URL of the signature storage.
This URL is used for reading existing signatures,
and if `sigstore-staging` does not exist, also for adding or removing them.
and if `lookaside-staging` does not exist, also for adding or removing them.
This key is optional; if it is missing, no signature storage is defined (no signatures
are download along with images, adding new signatures is possible only if `sigstore-staging` is defined).
are download along with images, adding new signatures is possible only if `lookaside-staging` is defined).
- `use-sigstore-attachments` specifies whether sigstore image attachments (signatures, attestations and the like) are going to be read/written along with the image.
If disabled, the images are treated as if no attachments exist; attempts to write attachments fail.
## Examples
@ -92,11 +98,11 @@ The following demonstrates how to to consume and run images from various registr
```yaml
docker:
registry.database-supplier.com:
sigstore: https://sigstore.database-supplier.com
lookaside: https://lookaside.database-supplier.com
distribution.great-middleware.org:
sigstore: https://security-team.great-middleware.org/sigstore
lookaside: https://security-team.great-middleware.org/lookaside
docker.io/web-framework:
sigstore: https://sigstore.web-framework.io:8080
lookaside: https://lookaside.web-framework.io:8080
```
### Developing and Signing Containers, Staging Signatures
@ -110,13 +116,13 @@ For developers in `example.com`:
```yaml
docker:
registry.example.com:
sigstore: https://registry-sigstore.example.com
lookaside: https://registry-lookaside.example.com
registry.example.com/mydepartment:
sigstore: https://sigstore.mydepartment.example.com
sigstore-staging: file:///mnt/mydepartment/sigstore-staging
lookaside: https://lookaside.mydepartment.example.com
lookaside-staging: file:///mnt/mydepartment/lookaside-staging
registry.example.com/mydepartment/myproject:mybranch:
sigstore: http://localhost:4242/sigstore
sigstore-staging: file:///home/useraccount/webroot/sigstore
lookaside: http://localhost:4242/lookaside
lookaside-staging: file:///home/useraccount/webroot/lookaside
```
### A Global Default
@ -126,7 +132,7 @@ without listing each domain individually. This is expected to rarely happen, usu
```yaml
default-docker:
sigstore-staging: file:///mnt/company/common-sigstore-staging
lookaside-staging: file:///mnt/company/common-lookaside-staging
```
# AUTHORS

View File

@ -41,7 +41,7 @@ The `storage` table supports the following options:
When changing the graphroot location on an SELINUX system, ensure
the labeling matches the default locations labels with the
following commands:
```
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
@ -74,6 +74,29 @@ The `storage.options` table supports the following options:
**additionalimagestores**=[]
Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
Allows specification of how storage is populated when pulling images. This
option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks
for files within images that are being pulled from a container registry that
were previously pulled to the host. It can copy or create
a hard link to the existing file when it finds them, eliminating the need to pull them from the
container registry. These options can deduplicate pulling of content, disk
storage of content and can allow the kernel to use less memory when running
containers.
containers/storage supports four keys
* enable_partial_images="true" | "false"
Tells containers/storage to look for files previously pulled in storage
rather then always pulling them from the container registry.
* use_hard_links = "false" | "true"
Tells containers/storage to use hard links rather then create new files in
the image, if an identical file already existed in storage.
* ostree_repos = ""
Tells containers/storage where an ostree repository exists that might have
previously pulled content which can be used when attempting to avoid
pulling content from the container registry
**remap-uids=**""
**remap-gids=**""
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
@ -236,6 +259,9 @@ based file systems.
**mountopt**=""
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
**skip_mount_home=""**
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
**size**=""
Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
@ -256,9 +282,6 @@ The `storage.options.zfs` table supports the following options:
**mountopt**=""
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
**skip_mount_home=""**
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
**size**=""
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))

View File

@ -326,6 +326,13 @@ default_sysctls = [
#
#network_config_dir = "/etc/cni/net.d/"
# Port to use for dns forwarding daemon with netavark in rootful bridge
# mode and dns enabled.
# Using an alternate port might be useful if other dns services should
# run on the machine.
#
#dns_bind_port = 53
[engine]
# Index to the active service
#
@ -435,6 +442,16 @@ default_sysctls = [
#
#image_parallel_copies = 0
# Tells container engines how to handle the builtin image volumes.
# * bind: An anonymous named volume will be created and mounted
# into the container.
# * tmpfs: The volume is mounted onto the container as a tmpfs,
# which allows users to create content that disappears when
# the container is stopped.
# * ignore: All volumes are just ignored and no action is taken.
#
#image_volume_mode = ""
# Default command to run the infra container
#
#infra_command = "/pause"

View File

@ -359,6 +359,13 @@ and "$HOME/.config/cni/net.d" as rootless.
For the netavark backend "/etc/containers/networks" is used as root
and "$graphroot/networks" as rootless.
**dns_bind_port**=53
Port to use for dns forwarding daemon with netavark in rootful bridge
mode and dns enabled.
Using an alternate port might be useful if other dns services should
run on the machine.
## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
@ -434,8 +441,15 @@ and the logfile will not be rotated.
**events_logger**="journald"
Default method to use when logging events.
Valid values: `file`, `journald`, and `none`.
The default method to use when logging events.
The default method is different based on the platform that
Podman is being run upon. To determine the current value,
use this command:
`podman info --format {{.Host.EventLogger}`
Valid values are: `file`, `journald`, and `none`.
**helper_binaries_dir**=["/usr/libexec/podman", ...]
@ -480,6 +494,14 @@ Default transport method for pulling and pushing images.
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
Not setting this field will fall back to containers/image defaults. (6)
**image_volume_mode**="bind"
Tells container engines how to handle the builtin image volumes.
* bind: An anonymous named volume will be created and mounted into the container.
* tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped.
* ignore: All volumes are just ignored and no action is taken.
**infra_command**="/pause"
Infra (pause) container image command for pod infra containers. When running a

View File

@ -1,19 +1,19 @@
# This is a default registries.d configuration file. You may
# add to this file or create additional files in registries.d/.
#
# sigstore: indicates a location that is read and write
# sigstore-staging: indicates a location that is only for write
# lookaside: indicates a location that is read and write
# lookaside-staging: indicates a location that is only for write
#
# sigstore and sigstore-staging take a value of the following:
# sigstore: {schema}://location
# lookaside and lookaside-staging take a value of the following:
# lookaside: {schema}://location
#
# For reading signatures, schema may be http, https, or file.
# For writing signatures, schema may only be file.
# This is the default signature write location for docker registries.
default-docker:
# sigstore: file:///var/lib/containers/sigstore
sigstore-staging: file:///var/lib/containers/sigstore
# lookaside: file:///var/lib/containers/sigstore
lookaside-staging: file:///var/lib/containers/sigstore
# The 'docker' indicator here is the start of the configuration
# for docker registries.
@ -21,6 +21,6 @@ default-docker:
# docker:
#
# privateregistry.com:
# sigstore: http://privateregistry.com/sigstore/
# sigstore-staging: /mnt/nfs/privateregistry/sigstore
# lookaside: http://privateregistry.com/sigstore/
# lookaside-staging: /mnt/nfs/privateregistry/sigstore

View File

@ -19,7 +19,7 @@
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;

View File

@ -228,6 +228,9 @@
"ipc",
"keyctl",
"kill",
"landlock_add_rule",
"landlock_create_ruleset",
"landlock_restrict_self",
"lchown",
"lchown32",
"lgetxattr",

View File

@ -73,6 +73,9 @@
"ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
"ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
"ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
"ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
"ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
"ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
"rhel9" = "registry.access.redhat.com/ubi9"
"rhel9-init" = "registry.access.redhat.com/ubi9-init"
"rhel9-minimal" = "registry.access.redhat.com/ubi9-minimal"
@ -85,6 +88,9 @@
"ubi9/ubi-minimal" = "registry.access.redhat.com/ubi9-minimal"
"ubi9/ubi-init" = "registry.access.redhat.com/ubi9-init"
"ubi9/ubi-micro" = "registry.access.redhat.com/ubi9-micro"
"ubi9/podman" = "registry.access.redhat.com/ubi9/podman"
"ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
"ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
# Rocky Linux
"rockylinux" = "docker.io/library/rockylinux"
# Debian

View File

@ -1,4 +0,0 @@
SHA512 (aardvark-dns-v1.0.3-a92337b.tar.gz) = a9816795724cd30611e610a94a5cccce445cefd742dacae0914c0d42c6f318ba282eea37f7558a1ca534bc784ed3299d8d501b149b74c70804218573b5e44ae4
SHA512 (aardvark-dns-v1.0.3-vendor.tar.gz) = c8e3e2aef545cf1e6485df93dc8aa291db51fa88f70084a3cb02cfc6bfc2a1f9805af56774a3400eb3772c149aa965f236b04ed48090eae3d3668669ac5d34b7
SHA512 (netavark-v1.0.3-ec7efb8.tar.gz) = 04a65b13da1e808c9a7130fd68b41fd0cd0e753b798609ff9e133f4dbc15a71f48fac6af49e09bfe784b47d583e9427defab3137c24091e0a3ba9a5737b0612a
SHA512 (netavark-v1.0.3-vendor.tar.gz) = 6b7ce6b95ad5bcf55d38728ce9ac8749038cac884988cc6692ab320c1b1c0962a30470cfaef61e0d771b705c1659862e95e779d6b5c31e4445e4fb3b4f34423f

View File

@ -40,6 +40,28 @@ graphroot = "/var/lib/containers/storage"
additionalimagestores = [
]
# Allows specification of how storage is populated when pulling images. This
# option can speed the pulling process of images compressed with format
# zstd:chunked. Containers/storage looks for files within images that are being
# pulled from a container registry that were previously pulled to the host. It
# can copy or create a hard link to the existing file when it finds them,
# eliminating the need to pull them from the container registry. These options
# can deduplicate pulling of content, disk storage of content and can allow the
# kernel to use less memory when running containers.
# containers/storage supports four keys
# * enable_partial_images="true" | "false"
# Tells containers/storage to look for files previously pulled in storage
# rather then always pulling them from the container registry.
# * use_hard_links = "false" | "true"
# Tells containers/storage to use hard links rather then create new files in
# the image, if an identical file already existed in storage.
# * ostree_repos = ""
# Tells containers/storage where an ostree repository exists that might have
# previously pulled content which can be used when attempting to avoid
# pulling content from the container registry
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs. Additional mapped sets can be