containers-common-1-51.el8

- be sure default_capabilities contain SYS_CHROOT - Resolves: #2166195 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2023-03-21 13:27:17 +01:00 · 2023-03-21 13:27:17 +01:00 · 5152333795
commit 5152333795
parent 66f97f8a4b
4 changed files with 52 additions and 1 deletions
--- a/Containerfile.5.md
+++ b/Containerfile.5.md
@ -154,6 +154,47 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.

              · rw, read-write: allows writes on the mount.

+**RUN --network**
+
+`RUN --network` allows control over which networking environment the command
+is run in.
+
+Syntax: `--network=<TYPE>`
+
+**Network types**
+
+| Type                                         | Description                            |
+|----------------------------------------------|----------------------------------------|
+| [`default`](#run---networkdefault) (default) | Run in the default network.            |
+| [`none`](#run---networknone)                 | Run with no network access.            |
+| [`host`](#run---networkhost)                 | Run in the host's network environment. |
+
+##### RUN --network=default
+
+Equivalent to not supplying a flag at all, the command is run in the default
+network for the build.
+
+##### RUN --network=none
+
+The command is run with no network access (`lo` is still available, but is
+isolated to this process).
+
+##### Example: isolating external effects
+
+```dockerfile
+FROM python:3.6
+ADD mypackage.tgz wheels/
+RUN --network=none pip install --find-links wheels mypackage
+```
+
+`pip` will only be able to install the packages provided in the tarfile, which
+can be controlled by an earlier build stage.
+
+##### RUN --network=host
+
+The command is run in the host's network environment (similar to
+`buildah build --network=host`, but on a per-instruction basis)
+

 **RUN Secrets**

--- a/containers-common.spec
+++ b/containers-common.spec
@ -12,7 +12,7 @@
 Epoch: 2
 Name: containers-common
 Version: 1
-Release: 50%{?dist}
+Release: 51%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 # arch limitation because of go-md2man (missing on i686)
@ -175,6 +175,10 @@ EOF
 %{_datadir}/rhel/secrets/*

 %changelog
+* Tue Mar 21 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-51
+- be sure default_capabilities contain SYS_CHROOT
+- Resolves: #2166195
+
 * Thu Mar 09 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-50
 - improve shortnames generation
 - Related: #2176055
--- a/containers.conf
+++ b/containers.conf
@ -53,6 +53,7 @@
 # the default capabilities defined in the container engine will be added.
 #
 default_capabilities = [
+  "SYS_CHROOT",
  "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
--- a/update.sh
+++ b/update.sh
@ -44,6 +44,11 @@ then
  sed -i '/^default_capabilities/a \
  "NET_RAW",' containers.conf
 fi
+if ! grep \"SYS_CHROOT\" containers.conf > /dev/null
+then
+  sed -i '/^default_capabilities/a \
+  "SYS_CHROOT",' containers.conf
+fi
 else
 ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
 ensure registries.conf short-name-mode               \"enforcing\"