diff --git a/containers-common.spec b/containers-common.spec index 9e2f79c..300ed88 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -4,15 +4,15 @@ # pick the oldest version on c/image, c/common, c/storage vendored in # podman/skopeo/podman. %global skopeo_branch main -%global image_branch v5.21.1 -%global common_branch v0.48.0 -%global storage_branch v1.40.2 +%global image_branch v5.22.0 +%global common_branch v0.49.1 +%global storage_branch v1.42.0 %global shortnames_branch main Epoch: 2 Name: containers-common Version: 1 -Release: 40%{?dist} +Release: 41%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 BuildRequires: /usr/bin/go-md2man 
@@ -65,28 +65,6 @@ Source100: update.sh Source101: update-vendored.sh Source102: pyxis.sh -%global aardvark_dns_version v1.0.3 -#%%global aardvark_dns_branch v1.0.1-rhel -%global aardvark_dns_commit0 a92337b08fbd88c9eb10c1a5ebce2bf61aa59a7b -%global aardvark_dns_shortcommit0 %(c=%{aardvark_dns_commit0}; echo ${c:0:7}) -%if 0%{?aardvark_dns_branch:1} -Source200: https://github.com/containers/aardvark-dns/tarball/%{aardvark_dns_commit0}/%{aardvark_dns_branch}-%{aardvark_dns_shortcommit0}.tar.gz -%else -Source200: https://github.com/containers/aardvark-dns/archive/%{aardvark_dns_commit0}/aardvark-dns-%{aardvark_dns_version}-%{aardvark_dns_shortcommit0}.tar.gz -%endif -Source201: https://github.com/containers/aardvark-dns/releases/download/%{aardvark_dns_version}/aardvark-dns-%{aardvark_dns_version}-vendor.tar.gz - -%global netavark_version v1.0.3 -#%%global netavark_branch v1.0.1-rhel -%global netavark_commit0 ec7efb85ef90db4a14c07cb003b65491f7eb4edf -%global netavark_shortcommit0 %(c=%{netavark_commit0}; echo ${c:0:7}) -%if 0%{?netavark_branch:1} -Source300: https://github.com/containers/netavark/tarball/%{netavark_commit0}/%{netavark_branch}-%{netavark_shortcommit0}.tar.gz -%else -Source300: https://github.com/containers/netavark/archive/%{netavark_commit0}/netavark-%{netavark_version}-%{netavark_shortcommit0}.tar.gz -%endif -Source301: https://github.com/containers/netavark/releases/download/%{netavark_version}/netavark-%{netavark_version}-vendor.tar.gz - %description This package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo. 
@@ -95,117 +73,11 @@ It is required because the most of configuration files and docs come from projec which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged separately. -%package -n aardvark-dns -Version: 1.0.1 -Release: 40%{?dist} -URL: https://github.com/containers/aardvark-dns -Summary: Authoritative DNS server for A/AAAA container records -License: ASL 2.0 and BSD and MIT -BuildRequires: cargo -BuildRequires: git-core -BuildRequires: make -BuildRequires: rust-srpm-macros -BuildRequires: rust-toolset -#ExclusiveArch: %%{rust_arches} -ExclusiveArch: aarch64 ppc64le s390x x86_64 - -%description -n aardvark-dns -%{summary} - -Forwards other request to configured resolvers. -Read more about configuration in `src/backend/mod.rs`. - -%package -n netavark -Version: 1.0.1 -Release: 40%{?dist} -URL: https://github.com/containers/netavark -Summary: OCI network stack -License: ASL 2.0 and BSD and MIT -BuildRequires: cargo -BuildRequires: make -BuildRequires: rust-srpm-macros -BuildRequires: git-core -BuildRequires: /usr/bin/go-md2man -Recommends: aardvark-dns -Provides: container-network-stack = 2 -BuildRequires: rust-toolset -#ExclusiveArch: #%%{rust_arches} -ExclusiveArch: aarch64 ppc64le s390x x86_64 - -%description -n netavark -%{summary} - -Netavark is a rust based network stack for containers. It is being -designed to work with Podman but is also applicable for other OCI -container management applications. - -Netavark is a tool for configuring networking for Linux containers. 
-Its features include: -* Configuration of container networks via JSON configuration file -* Creation and management of required network interfaces, - including MACVLAN networks -* All required firewall configuration to perform NAT and port - forwarding as required for containers -* Support for iptables and firewalld at present, with support - for nftables planned in a future release -* Support for rootless containers -* Support for IPv4 and IPv6 -* Support for container DNS resolution via aardvark-dns. - %prep -tar fx %{SOURCE200} -pushd aardvark-dns-%{aardvark_dns_commit0} -tar fx %{SOURCE201} -mkdir -p .cargo -cat >.cargo/config << EOF -[source.crates-io] -replace-with = "vendored-sources" - -[source.vendored-sources] -directory = "vendor" -EOF -popd -tar fx %{SOURCE300} -pushd netavark-%{netavark_commit0} -tar fx %{SOURCE301} -mkdir -p .cargo -cat >.cargo/config << EOF -[source.crates-io] -replace-with = "vendored-sources" - -[source.vendored-sources] -directory = "vendor" -EOF -popd %build -%if 0%{?build_rustflags:1} -export RUSTFLAGS="%{build_rustflags}" -%endif - -pushd aardvark-dns-%{aardvark_dns_commit0} -%__scm_setup_git -q -%make_build build -popd - -pushd netavark-%{netavark_commit0} -%__scm_setup_git -q -%make_build build -pushd docs -go-md2man -in netavark.1.md -out netavark.1 -popd -%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install -popd %install -pushd aardvark-dns-%{aardvark_dns_commit0} -%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install -popd - -pushd netavark-%{netavark_commit0} -%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install -popd - install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d} install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf 
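Review bot: Dropping the `%package -n aardvark-dns` and `%package -n netavark` subpackages leaves the upgrade path unstated: both inherited the spec's `Epoch: 2`, so the copies already installed from this package are versioned `2:1.0.1-40`, and a standalone replacement only wins on update if its EVR sorts higher (an Epoch of at least 2) or something carries an `Obsoletes:` for the old EVR, e.g. `Obsoletes: netavark < 2:1.0.1-41` (constructed from the visible values). Nothing in this diff shows either, and an Obsoletes placed in containers-common itself would make dnf remove the network stack rather than swap it, so the standalone packages are the natural place for it. If the separate packages already handle this, a changelog line saying so would save the next reader the check; the same concern applies to the `%files -n` removals in the later hunk.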
@@ -270,8 +142,6 @@ EOF %dir %{_sysconfdir}/containers %dir %{_sysconfdir}/containers/certs.d %dir %{_sysconfdir}/containers/registries.d -%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml -%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml %dir %{_sysconfdir}/containers/oci %dir %{_sysconfdir}/containers/oci/hooks.d %dir %{_sysconfdir}/containers/registries.conf.d @@ -279,11 +149,12 @@ EOF %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release %endif %config(noreplace) %{_sysconfdir}/containers/policy.json -%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/storage.conf %config(noreplace) %{_sysconfdir}/containers/registries.conf %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/*.conf -%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml +%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml +%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml +%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml %ghost %{_sysconfdir}/containers/containers.conf %dir %{_sharedstatedir}/containers/sigstore %{_mandir}/man5/* @@ -294,18 +165,12 @@ EOF %dir %{_datadir}/rhel/secrets %{_datadir}/rhel/secrets/* -%files -n aardvark-dns -%license aardvark-dns-%{aardvark_dns_commit0}/LICENSE -%dir %{_libexecdir}/podman -%{_libexecdir}/podman/aardvark-dns - -%files -n netavark -%license netavark-%{netavark_commit0}/LICENSE -%dir %{_libexecdir}/podman -%{_libexecdir}/podman/netavark -%{_mandir}/man1/netavark.1* - %changelog +* Wed Aug 03 2022 Jindrich Novy - 2:1-41 +- drop aardvark-dns and netavark - packaged separately +- update vendored components +- Related: #2061316 + * Mon Jun 27 2022 Jindrich Novy - 2:1-40 - remove rhel-els and update shortnames - Related: #2061316 diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md index 62f5855..e13839b 100644 
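Review bot: Switching `registry.redhat.io.yaml` and `registry.access.redhat.com.yaml` from plain packaged files to `%config(noreplace)` means any future change to the signature-source location they point at arrives only as a `.rpmnew` on hosts where the file was touched, and this very commit shows such content changes happen (`default.yaml` renames its keys). For vendor-controlled files that tell tools where to fetch signatures, plain `%config` (replace, keeping `.rpmsave`) may fit better unless local edits are expected; whichever is intended, a one-line comment in `%files` explaining the choice would help. The `%files` list itself starts outside the hunk.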
--- a/containers-policy.json.5.md +++ b/containers-policy.json.5.md @@ -149,20 +149,21 @@ This requirement rejects every image, and every signature. ### `signedBy` -This requirement requires an image to be signed with an expected identity, or accepts a signature if it is using an expected identity and key. +This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key. ```js { "type": "signedBy", "keyType": "GPGKeys", /* The only currently supported value */ "keyPath": "/path/to/local/keyring/file", + "keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…], "keyData": "base64-encoded-keyring-data", "signedIdentity": identity_requirement } ``` -Exactly one of `keyPath` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted. +Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted. The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image. One of the following alternatives are supported: 
@@ -236,6 +237,26 @@ used with `exactReference` or `exactRepository`. + +### `sigstoreSigned` + +This requirement requires an image to be signed using a sigstore signature with an expected identity and key. + +```js +{ + "type": "sigstoreSigned", + "keyPath": "/path/to/local/keyring/file", + "keyData": "base64-encoded-keyring-data", + "signedIdentity": identity_requirement +} +``` +Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key. Only signatures made by this key is accepted. + +The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. +Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). + +To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5). + ## Examples It is *strongly* recommended to set the `default` policy to `reject`, and then 
@@ -255,9 +276,24 @@ selectively allow individual transports and scopes as desired. "docker.io/openshift": [{"type": "insecureAcceptAnything"}], /* Similarly, allow installing the “official” busybox images. Note how the fully expanded form, with the explicit /library/, must be used. */ - "docker.io/library/busybox": [{"type": "insecureAcceptAnything"}] + "docker.io/library/busybox": [{"type": "insecureAcceptAnything"}], /* Allow installing images from all subdomains */ - "*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}] + "*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}], + /* A sigstore-signed repository */ + "hostname:5000/myns/sigstore-signed-with-full-references": [ + { + "type": "sigstoreSigned", + "keyPath": "/path/to/sigstore-pubkey.pub" + } + ], + /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ + "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ + { + "type": "sigstoreSigned", + "keyPath": "/path/to/sigstore-pubkey.pub", + "signedIdentity": {"type": "matchRepository"} + } + ] /* Other docker: images use the global default policy and are rejected */ }, "dir": { @@ -301,7 +337,7 @@ selectively allow individual transports and scopes as desired. "signedIdentity": { "type": "remapIdentity", "prefix": "private-mirror:5000/vendor-mirror", - "signedPrefix": "vendor.example.com", + "signedPrefix": "vendor.example.com" } } ] diff --git a/containers-registries.conf.5.md b/containers-registries.conf.5.md index 0b90b60..fdc2fa9 100644 --- a/containers-registries.conf.5.md +++ b/containers-registries.conf.5.md 
@@ -43,7 +43,7 @@ also include wildcarded subdomains in the format `*.example.com`. The wildcard should only be present at the beginning as shown in the formats above. Other cases will not work. For example, `*.example.com` is valid but `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not. -Note that `*` matches an arbitary number of subdomains. `*.example.com` will hence +Note that `*` matches an arbitrary number of subdomains. `*.example.com` will hence match `bar.example.com`, `foo.bar.example.com` and so on. As a special case, the `prefix` field can be missing; if so, it defaults to the value diff --git a/containers-registries.d.5.md b/containers-registries.d.5.md index 0707961..04434de 100644 --- a/containers-registries.d.5.md +++ b/containers-registries.d.5.md 
@@ -63,25 +63,31 @@ more general scopes is ignored. For example, if _any_ configuration exists for ### Built-in Defaults -If no `docker` section can be found for the container image, and no `default-docker` section is configured, -the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures. +If no `docker` section can be found for the container image, and no `default-docker` section is configured: + +- The default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures. +- Sigstore attachments will not be read/written. ## Individual Configuration Sections A single configuration section is selected for a container image using the process described above. The configuration section is a YAML mapping, with the following keys: -- `sigstore-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures). + - This key is optional; if it is missing, `sigstore` below is used. +- `lookaside-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures). -- `sigstore` defines an URL of the signature storage. + This key is optional; if it is missing, `lookaside` below is used. + +- `lookaside` defines an URL of the signature storage. This URL is used for reading existing signatures, - and if `sigstore-staging` does not exist, also for adding or removing them. + and if `lookaside-staging` does not exist, also for adding or removing them. This key is optional; if it is missing, no signature storage is defined (no signatures - are download along with images, adding new signatures is possible only if `sigstore-staging` is defined). + are download along with images, adding new signatures is possible only if `lookaside-staging` is defined). 
+- `use-sigstore-attachments` specifies whether sigstore image attachments (signatures, attestations and the like) are going to be read/written along with the image. + If disabled, the images are treated as if no attachments exist; attempts to write attachments fail. ## Examples @@ -92,11 +98,11 @@ The following demonstrates how to to consume and run images from various registr ```yaml docker: registry.database-supplier.com: - sigstore: https://sigstore.database-supplier.com + lookaside: https://lookaside.database-supplier.com distribution.great-middleware.org: - sigstore: https://security-team.great-middleware.org/sigstore + lookaside: https://security-team.great-middleware.org/lookaside docker.io/web-framework: - sigstore: https://sigstore.web-framework.io:8080 + lookaside: https://lookaside.web-framework.io:8080 ``` ### Developing and Signing Containers, Staging Signatures @@ -110,13 +116,13 @@ For developers in `example.com`: ```yaml docker: registry.example.com: - sigstore: https://registry-sigstore.example.com + lookaside: https://registry-lookaside.example.com registry.example.com/mydepartment: - sigstore: https://sigstore.mydepartment.example.com - sigstore-staging: file:///mnt/mydepartment/sigstore-staging + lookaside: https://lookaside.mydepartment.example.com + lookaside-staging: file:///mnt/mydepartment/lookaside-staging registry.example.com/mydepartment/myproject:mybranch: - sigstore: http://localhost:4242/sigstore - sigstore-staging: file:///home/useraccount/webroot/sigstore + lookaside: http://localhost:4242/lookaside + lookaside-staging: file:///home/useraccount/webroot/lookaside ``` ### A Global Default @@ -126,7 +132,7 @@ without listing each domain individually. This is expected to rarely happen, usu ```yaml default-docker: - sigstore-staging: file:///mnt/company/common-sigstore-staging + lookaside-staging: file:///mnt/company/common-lookaside-staging ``` # AUTHORS 
diff --git a/containers-storage.conf.5.md b/containers-storage.conf.5.md index 8a82bdc..e5cc7c0 100644 --- a/containers-storage.conf.5.md +++ b/containers-storage.conf.5.md @@ -41,7 +41,7 @@ The `storage` table supports the following options: When changing the graphroot location on an SELINUX system, ensure the labeling matches the default locations labels with the following commands: - + ``` # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH 
@@ -74,6 +74,29 @@ The `storage.options` table supports the following options: **additionalimagestores**=[] Paths to additional container image stores. Usually these are read/only and stored on remote network shares. +**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + +Allows specification of how storage is populated when pulling images. This +option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks +for files within images that are being pulled from a container registry that +were previously pulled to the host. It can copy or create +a hard link to the existing file when it finds them, eliminating the need to pull them from the +container registry. These options can deduplicate pulling of content, disk +storage of content and can allow the kernel to use less memory when running +containers. + +containers/storage supports four keys + * enable_partial_images="true" | "false" + Tells containers/storage to look for files previously pulled in storage + rather then always pulling them from the container registry. + * use_hard_links = "false" | "true" + Tells containers/storage to use hard links rather then create new files in + the image, if an identical file already existed in storage. + * ostree_repos = "" + Tells containers/storage where an ostree repository exists that might have + previously pulled content which can be used when attempting to avoid + pulling content from the container registry + **remap-uids=**"" **remap-gids=**"" Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container. 
@@ -236,6 +259,9 @@ based file systems. **mountopt**="" Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page. +**skip_mount_home=""** + Tell storage drivers to not create a PRIVATE bind mount on their home directory. + **size**="" Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: [], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) @@ -256,9 +282,6 @@ The `storage.options.zfs` table supports the following options: **mountopt**="" Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page. -**skip_mount_home=""** - Tell storage drivers to not create a PRIVATE bind mount on their home directory. - **size**="" Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: [], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) diff --git a/containers.conf b/containers.conf index d696b8b..ffea089 100644 --- a/containers.conf +++ b/containers.conf @@ -326,6 +326,13 @@ default_sysctls = [ # #network_config_dir = "/etc/cni/net.d/" +# Port to use for dns forwarding daemon with netavark in rootful bridge +# mode and dns enabled. +# Using an alternate port might be useful if other dns services should +# run on the machine. +# +#dns_bind_port = 53 + [engine] # Index to the active service # 
@@ -435,6 +442,16 @@ default_sysctls = [ # #image_parallel_copies = 0 +# Tells container engines how to handle the builtin image volumes. +# * bind: An anonymous named volume will be created and mounted +# into the container. +# * tmpfs: The volume is mounted onto the container as a tmpfs, +# which allows users to create content that disappears when +# the container is stopped. +# * ignore: All volumes are just ignored and no action is taken. +# +#image_volume_mode = "" + # Default command to run the infra container # #infra_command = "/pause" diff --git a/containers.conf.5.md b/containers.conf.5.md index 6aac497..1f2bd5e 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md @@ -359,6 +359,13 @@ and "$HOME/.config/cni/net.d" as rootless. For the netavark backend "/etc/containers/networks" is used as root and "$graphroot/networks" as rootless. +**dns_bind_port**=53 + +Port to use for dns forwarding daemon with netavark in rootful bridge +mode and dns enabled. +Using an alternate port might be useful if other dns services should +run on the machine. + ## ENGINE TABLE The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. @@ -434,8 +441,15 @@ and the logfile will not be rotated. **events_logger**="journald" -Default method to use when logging events. -Valid values: `file`, `journald`, and `none`. +The default method to use when logging events. + +The default method is different based on the platform that +Podman is being run upon. To determine the current value, +use this command: + +`podman info --format {{.Host.EventLogger}` + +Valid values are: `file`, `journald`, and `none`. **helper_binaries_dir**=["/usr/libexec/podman", ...] 
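Review bot: The commented default `#image_volume_mode = ""` disagrees with the man page hunk in the same commit, which documents `**image_volume_mode**="bind"`; a commented-out line in containers.conf is read by admins as the effective default, so it should be `#image_volume_mode = "bind"`, or the man page should state that an empty value means bind, if that is how the engine treats it. The enclosing `[engine]` table starts outside the hunk.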
@@ -480,6 +494,14 @@ Default transport method for pulling and pushing images. Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults. (6) +**image_volume_mode**="bind" + +Tells container engines how to handle the builtin image volumes. + +* bind: An anonymous named volume will be created and mounted into the container. +* tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped. +* ignore: All volumes are just ignored and no action is taken. + **infra_command**="/pause" Infra (pause) container image command for pod infra containers. When running a diff --git a/default.yaml b/default.yaml index 943ea17..fa2ea36 100644 --- a/default.yaml +++ b/default.yaml @@ -1,19 +1,19 @@ # This is a default registries.d configuration file. You may # add to this file or create additional files in registries.d/. # -# sigstore: indicates a location that is read and write -# sigstore-staging: indicates a location that is only for write +# lookaside: indicates a location that is read and write +# lookaside-staging: indicates a location that is only for write # -# sigstore and sigstore-staging take a value of the following: -# sigstore: {schema}://location +# lookaside and lookaside-staging take a value of the following: +# lookaside: {schema}://location # # For reading signatures, schema may be http, https, or file. # For writing signatures, schema may only be file. # This is the default signature write location for docker registries. default-docker: -# sigstore: file:///var/lib/containers/sigstore - sigstore-staging: file:///var/lib/containers/sigstore +# lookaside: file:///var/lib/containers/sigstore + lookaside-staging: file:///var/lib/containers/sigstore # The 'docker' indicator here is the start of the configuration # for docker registries. 
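Review bot: The rename to `lookaside`/`lookaside-staging` in the shipped default only holds up if the old spellings keep working, because `default.yaml` is `%config(noreplace)` in the spec's `%files` hunk and locally edited copies will keep `sigstore-staging` after the update; my recollection is that the bumped library retains the old keys as deprecated aliases, but that should be confirmed against the vendored containers/image before shipping. In the other direction, a tool on the host still linked against an older library will not recognise `lookaside-staging` and, I believe, silently falls back to its builtin signature directory rather than erroring. A header comment such as `# The older sigstore/sigstore-staging spellings are deprecated aliases of these keys` would make the transition visible to admins comparing the `.rpmnew` file.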
@@ -21,6 +21,6 @@ default-docker: # docker: # # privateregistry.com: -# sigstore: http://privateregistry.com/sigstore/ -# sigstore-staging: /mnt/nfs/privateregistry/sigstore +# lookaside: http://privateregistry.com/sigstore/ +# lookaside-staging: /mnt/nfs/privateregistry/sigstore diff --git a/registries.conf b/registries.conf index 10e8f76..d966aea 100644 --- a/registries.conf +++ b/registries.conf @@ -19,7 +19,7 @@ # # # An array of host[:port] registries to try when pulling an unqualified image, in order. -unqualified-search-registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io'] +unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"] # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; diff --git a/seccomp.json b/seccomp.json index cb826cd..3edc0c6 100644 --- a/seccomp.json +++ b/seccomp.json @@ -228,6 +228,9 @@ "ipc", "keyctl", "kill", + "landlock_add_rule", + "landlock_create_ruleset", + "landlock_restrict_self", "lchown", "lchown32", "lgetxattr", diff --git a/shortnames.conf b/shortnames.conf index 56f772d..4dfba37 100644 --- a/shortnames.conf +++ b/shortnames.conf @@ -73,6 +73,9 @@ "ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal" "ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init" "ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro" + "ubi8/podman" = "registry.access.redhat.com/ubi8/podman" + "ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah" + "ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo" "rhel9" = "registry.access.redhat.com/ubi9" "rhel9-init" = "registry.access.redhat.com/ubi9-init" "rhel9-minimal" = "registry.access.redhat.com/ubi9-minimal" 
@@ -85,6 +88,9 @@
 "ubi9/ubi-minimal" = "registry.access.redhat.com/ubi9-minimal"
 "ubi9/ubi-init" = "registry.access.redhat.com/ubi9-init"
 "ubi9/ubi-micro" = "registry.access.redhat.com/ubi9-micro"
+ "ubi9/podman" = "registry.access.redhat.com/ubi9/podman"
+ "ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
+ "ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
 # Rocky Linux
 "rockylinux" = "docker.io/library/rockylinux"
 # Debian
diff --git a/sources b/sources
index 276cd1e..e69de29 100644
--- a/sources
+++ b/sources
@@ -1,4 +0,0 @@
-SHA512 (aardvark-dns-v1.0.3-a92337b.tar.gz) = a9816795724cd30611e610a94a5cccce445cefd742dacae0914c0d42c6f318ba282eea37f7558a1ca534bc784ed3299d8d501b149b74c70804218573b5e44ae4
-SHA512 (aardvark-dns-v1.0.3-vendor.tar.gz) = c8e3e2aef545cf1e6485df93dc8aa291db51fa88f70084a3cb02cfc6bfc2a1f9805af56774a3400eb3772c149aa965f236b04ed48090eae3d3668669ac5d34b7
-SHA512 (netavark-v1.0.3-ec7efb8.tar.gz) = 04a65b13da1e808c9a7130fd68b41fd0cd0e753b798609ff9e133f4dbc15a71f48fac6af49e09bfe784b47d583e9427defab3137c24091e0a3ba9a5737b0612a
-SHA512 (netavark-v1.0.3-vendor.tar.gz) = 6b7ce6b95ad5bcf55d38728ce9ac8749038cac884988cc6692ab320c1b1c0962a30470cfaef61e0d771b705c1659862e95e779d6b5c31e4445e4fb3b4f34423f
diff --git a/storage.conf b/storage.conf
index 4b44c38..e26d02b 100644
--- a/storage.conf
+++ b/storage.conf
@@ -40,6 +40,28 @@ graphroot = "/var/lib/containers/storage" additionalimagestores = [ ] +# Allows specification of how storage is populated when pulling images. This +# option can speed the pulling process of images compressed with format +# zstd:chunked. Containers/storage looks for files within images that are being +# pulled from a container registry that were previously pulled to the host. It +# can copy or create a hard link to the existing file when it finds them, +# eliminating the need to pull them from the container registry. These options +# can deduplicate pulling of content, disk storage of content and can allow the +# kernel to use less memory when running containers. + +# containers/storage supports four keys +# * enable_partial_images="true" | "false" +# Tells containers/storage to look for files previously pulled in storage +# rather then always pulling them from the container registry. +# * use_hard_links = "false" | "true" +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# * ostree_repos = "" +# Tells containers/storage where an ostree repository exists that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of # a container, to the UIDs/GIDs as they should appear outside of the container, # and the length of the range of UIDs/GIDs. Additional mapped sets can be
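Review bot: The new comment says `# containers/storage supports four keys` but lists three (`enable_partial_images`, `use_hard_links`, `ostree_repos`), and the `pull_options` table defines exactly those three; change it to `# containers/storage supports three keys`, or add the missing key if the library really has a fourth. The same paragraph is copied into the containers-storage.conf.5.md hunk with the same miscount. Two lines also read `rather then` where `rather than` is meant, and `ostree_repos=""` in the table lacks the spacing the other two keys use. Whether an empty `ostree_repos` disables the repository lookup entirely is not stated; a short clause saying so would help.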