rpms/containers-common
5
0
Fork 0
Code Issues Pull Requests Releases Activity

containers-common-1-51.el8

Browse Source 
- be sure default_capabilities contain SYS_CHROOT
- Resolves: #2166195

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2023-03-21 13:27:17 +01:00
parent 66f97f8a4b
commit 5152333795
4 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
Containerfile.5.md
View File

@ -154,6 +154,47 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.
· rw, read-write: allows writes on the mount. · rw, read-write: allows writes on the mount.
**RUN --network**
`RUN --network` allows control over which networking environment the command
is run in.
Syntax: `--network=<TYPE>`
**Network types**
| Type | Description |
|----------------------------------------------|----------------------------------------|
| [`default`](#run---networkdefault) (default) | Run in the default network. |
| [`none`](#run---networknone) | Run with no network access. |
| [`host`](#run---networkhost) | Run in the host's network environment. |
##### RUN --network=default
Equivalent to not supplying a flag at all, the command is run in the default
network for the build.
##### RUN --network=none
The command is run with no network access (`lo` is still available, but is
isolated to this process).
##### Example: isolating external effects
```dockerfile
FROM python:3.6
ADD mypackage.tgz wheels/
RUN --network=none pip install --find-links wheels mypackage
```
`pip` will only be able to install the packages provided in the tarfile, which
can be controlled by an earlier build stage.
##### RUN --network=host
The command is run in the host's network environment (similar to
`buildah build --network=host`, but on a per-instruction basis)
**RUN Secrets** **RUN Secrets**

6
containers-common.spec
View File

@ -12,7 +12,7 @@
Epoch: 2 Epoch: 2
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 50%{?dist} Release: 51%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
# arch limitation because of go-md2man (missing on i686) # arch limitation because of go-md2man (missing on i686)
@ -175,6 +175,10 @@ EOF
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Tue Mar 21 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-51
- be sure default_capabilities contain SYS_CHROOT
- Resolves: #2166195
* Thu Mar 09 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-50 * Thu Mar 09 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-50
- improve shortnames generation - improve shortnames generation
- Related: #2176055 - Related: #2176055

1
containers.conf
View File

@ -53,6 +53,7 @@
# the default capabilities defined in the container engine will be added. # the default capabilities defined in the container engine will be added.
# #
default_capabilities = [ default_capabilities = [
"SYS_CHROOT",
"NET_RAW", "NET_RAW",
"CHOWN", "CHOWN",
"DAC_OVERRIDE", "DAC_OVERRIDE",

5
update.sh
View File

@ -44,6 +44,11 @@ then
sed -i '/^default_capabilities/a \ sed -i '/^default_capabilities/a \
"NET_RAW",' containers.conf "NET_RAW",' containers.conf
fi fi
if ! grep \"SYS_CHROOT\" containers.conf > /dev/null
then
sed -i '/^default_capabilities/a \
"SYS_CHROOT",' containers.conf
fi
else else
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
ensure registries.conf short-name-mode \"enforcing\" ensure registries.conf short-name-mode \"enforcing\"