containers-common-1-50.el8

- improve shortnames generation
- Related: #2176055

Signed-off-by: Jindrich Novy <jnovy@redhat.com>

.gitignore

@@ -1,2 +1 @@
-SOURCES/RPM-GPG-KEY-redhat-beta
-/RPM-GPG-KEY-redhat-beta
+/*.tar.gz

RPM-GPG-KEY-redhat-beta

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.2.6 (GNU/Linux)
+
+mQINBEmkAzABEAC2/c7bP1lHQ3XScxbIk0LQWe1YOiibQBRLwf8Si5PktgtuPibT
+kKpZjw8p4D+fM7jD1WUzUE0X7tXg2l/eUlMM4dw6XJAQ1AmEOtlwSg7rrMtTvM0A
+BEtI7Km6fC6sU6RtBMdcqD1cH/6dbsfh8muznVA7UlX+PRBHVzdWzj6y8h84dBjo
+gzcbYu9Hezqgj/lLzicqsSZPz9UdXiRTRAIhp8V30BD8uRaaa0KDDnD6IzJv3D9P
+xQWbFM4Z12GN9LyeZqmD7bpKzZmXG/3drvfXVisXaXp3M07t3NlBa3Dt8NFIKZ0D
+FRXBz5bvzxRVmdH6DtkDWXDPOt+Wdm1rZrCOrySFpBZQRpHw12eo1M1lirANIov7
+Z+V1Qh/aBxj5EUu32u9ZpjAPPNtQF6F/KjaoHHHmEQAuj4DLex4LY646Hv1rcv2i
+QFuCdvLKQGSiFBrfZH0j/IX3/0JXQlZzb3MuMFPxLXGAoAV9UP/Sw/WTmAuTzFVm
+G13UYFeMwrToOiqcX2VcK0aC1FCcTP2z4JW3PsWvU8rUDRUYfoXovc7eg4Vn5wHt
+0NBYsNhYiAAf320AUIHzQZYi38JgVwuJfFu43tJZE4Vig++RQq6tsEx9Ftz3EwRR
+fJ9z9mEvEiieZm+vbOvMvIuimFVPSCmLH+bI649K8eZlVRWsx3EXCVb0nQARAQAB
+tDBSZWQgSGF0LCBJbmMuIChiZXRhIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0LmNv
+bT6JAjYEEwECACAFAkpSM+cCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCT
+ioDK8hVB6/9tEAC0+KmzeKceXQ/GTUoU6jy9vtkFCFrmv+c7ol4XpdTt0QhqBOwy
+6m2mKWwmm8KfYfy0cADQ4y/EcoXl7FtFBwYmkCuEQGXhTDn9DvVjhooIq59LEMBQ
+OW879RwwzRIZ8ebbjMUjDPF5MfPQqP2LBu9N4KvXlZp4voykwuuaJ+cbsKZR6pZ6
+0RQKPHKP+NgUFC0fff7XY9cuOZZWFAeKRhLN2K7bnRHKxp+kELWb6R9ZfrYwZjWc
+MIPbTd1khE53L4NTfpWfAnJRtkPSDOKEGVlVLtLq4HEAxQt07kbslqISRWyXER3u
+QOJj64D1ZiIMz6t6uZ424VE4ry9rBR0Jz55cMMx5O/ni9x3xzFUgH8Su2yM0r3jE
+Rf24+tbOaPf7tebyx4OKe+JW95hNVstWUDyGbs6K9qGfI/pICuO1nMMFTo6GqzQ6
+DwLZvJ9QdXo7ujEtySZnfu42aycaQ9ZLC2DOCQCUBY350Hx6FLW3O546TAvpTfk0
+B6x+DV7mJQH7MGmRXQsE7TLBJKjq28Cn4tVp04PmybQyTxZdGA/8zY6pPl6xyVMH
+V68hSBKEVT/rlouOHuxfdmZva1DhVvUC6Xj7+iTMTVJUAq/4Uyn31P1OJmA2a0PT
+CAqWkbJSgKFccsjPoTbLyxhuMSNkEZFHvlZrSK9vnPzmfiRH0Orx3wYpMQ==
+=21pb
+-----END PGP PUBLIC KEY BLOCK-----

containers-common.spec

@@ -4,15 +4,15 @@
 # pick the oldest version on c/image, c/common, c/storage vendored in
 # podman/skopeo/podman.
 %global skopeo_branch main
-%global image_branch v5.23.0
-%global common_branch v0.50.1
-%global storage_branch v1.43.0
+%global image_branch v5.24.1
+%global common_branch v0.51.0
+%global storage_branch v1.45.3
 %global shortnames_branch main
 
 Epoch: 2
 Name: containers-common
 Version: 1
-Release: 49%{?dist}
+Release: 50%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 # arch limitation because of go-md2man (missing on i686)
@@ -82,7 +82,8 @@ separately.
 %build
 
 %install
-install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
+install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd,registries.d,registries.conf.d}
+install -dp %{buildroot}%{_datadir}/containers/systemd
 install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
 install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
 install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
@@ -150,6 +151,8 @@ EOF
 %dir %{_sysconfdir}/containers/oci
 %dir %{_sysconfdir}/containers/oci/hooks.d
 %dir %{_sysconfdir}/containers/registries.conf.d
+%dir %{_sysconfdir}/containers/systemd
+%dir %{_datadir}/containers/systemd
 %if !0%{?rhel} || 0%{?centos}
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
@@ -172,6 +175,10 @@ EOF
 %{_datadir}/rhel/secrets/*
 
 %changelog
+* Thu Mar 09 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-50
+- improve shortnames generation
+- Related: #2176055
+
 * Mon Jan 02 2023 Jindrich Novy <jnovy@redhat.com> - 2:1-49
 - update vendored components and configuration files
 - Related: #2123641

containers-policy.json.5.md

@@ -30,7 +30,9 @@ Policy requirements can be defined for:
 
   Usually, a scope can be defined to match a single image, and various prefixes of
   such a most specific scope define namespaces of matching images.
+
 - A default policy for a single transport, expressed using an empty string as a scope
+
 - A global default policy.
 
 If multiple policy requirements match a given image, only the requirements from the most specific match apply,
@@ -245,12 +247,37 @@ This requirement requires an image to be signed using a sigstore signature with
 ```js
 {
     "type":    "sigstoreSigned",
-    "keyPath": "/path/to/local/keyring/file",
-    "keyData": "base64-encoded-keyring-data",
+    "keyPath": "/path/to/local/public/key/file",
+    "keyData": "base64-encoded-public-key-data",
+    "fulcio": {
+        "caPath": "/path/to/local/CA/file",
+        "caData": "base64-encoded-CA-data",
+        "oidcIssuer": "https://expected.OIDC.issuer/",
+        "subjectEmail", "expected-signing-user@example.com",
+    },
+    "rekorPublicKeyPath": "/path/to/local/public/key/file",
+    "rekorPublicKeyData": "base64-encoded-public-key-data",
     "signedIdentity": identity_requirement
 }
 ```
-Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key.  Only signatures made by this key is accepted.
+Exactly one of `keyPath`, `keyData` and `fulcio` must be present.
+
+If `keyPath` or `keyData` is present, it contains a sigstore public key.
+Only signatures made by this key are accepted.
+
+If `fulcio` is present, the signature must be based on a Fulcio-issued certificate.
+One of `caPath` and `caData` must be specified, containing the public key of the Fulcio instance.
+Both `oidcIssuer` and `subjectEmail` are mandatory,
+exactly specifying the expected identity provider,
+and the identity of the user obtaining the Fulcio certificate.
+
+At most one of `rekorPublicKeyPath` and `rekorPublicKeyData` can be present;
+it is mandatory if `fulcio` is specified.
+If a Rekor public key is specified,
+the signature must have been uploaded to a Rekor server
+and the signature must contain an (offline-verifiable) “signed entry timestamp”
+proving the existence of the Rekor log record,
+signed by the provided public key.
 
 The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
 Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
@@ -286,6 +313,21 @@ selectively allow individual transports and scopes as desired.
                     "keyPath": "/path/to/sigstore-pubkey.pub"
                 }
             ],
+            /* A sigstore-signed repository using the community Fulcio+Rekor servers.
+
+               The community servers’ public keys can be obtained from
+               https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets .  */
+            "hostname:5000/myns/sigstore-signed-fulcio-rekor": [
+                {
+                    "type": "sigstoreSigned",
+                    "fulcio": {
+                        "caPath": "/path/to/fulcio_v1.crt.pem",
+                        "oidcIssuer": "https://github.com/login/oauth",
+                        "subjectEmail": "test-user@example.com"
+                    },
+                    "rekorPublicKeyPath": "/path/to/rekor.pub",
+                }
+            ],
             /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
             "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
                 {
@@ -293,8 +335,25 @@ selectively allow individual transports and scopes as desired.
                     "keyPath": "/path/to/sigstore-pubkey.pub",
                     "signedIdentity": {"type": "matchRepository"}
                 }
+            ],
+            /* A sigstore-signed repository using the community Fulcio+Rekor servers,
+               accepts signatures by /usr/bin/cosign.
+
+               The community servers’ public keys can be obtained from
+               https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets .  */
+            "hostname:5000/myns/sigstore-signed-fulcio-rekor- allows-malicious-tag-substitution": [
+                {
+                    "type": "sigstoreSigned",
+                    "fulcio": {
+                        "caPath": "/path/to/fulcio_v1.crt.pem",
+                        "oidcIssuer": "https://github.com/login/oauth",
+                        "subjectEmail": "test-user@example.com"
+                    },
+                    "rekorPublicKeyPath": "/path/to/rekor.pub",
+                    "signedIdentity": { "type": "matchRepository" }
+                }
             ]
-            /* Other docker: images use the global default policy and are rejected */
+              /* Other docker: images use the global default policy and are rejected */
         },
         "dir": {
             "": [{"type": "insecureAcceptAnything"}] /* Allow any images originating in local directories */

containers-signature.5.md

@@ -210,7 +210,8 @@ Consumers still SHOULD reject any signature where a member of an `optional` obje
 
 ### `optional.creator`
 
-If present, this MUST be a JSON string, identifying the name and version of the software which has created the signature.
+If present, this MUST be a JSON string, identifying the name and version of the software which has created the signature
+(identifying the low-level software implementation; not the top-level caller).
 
 The contents of this string is not defined in detail; however each implementation creating container signatures:
 

containers-storage.conf.5.md

@@ -59,6 +59,11 @@ A common use case for this field is to provide a local storage directory when us
   container storage run dir (default: "/run/containers/storage")
 Default directory to store all temporary writable content created by container storage programs. The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)
 
+**driver_priority**=[]
+  Priority list for the storage drivers that will be tested one after the other to pick the storage driver if it is not defined. The first storage driver in this list that can be used, will be picked as the new one and all subsequent ones will not be tried. If all drivers in this list are not viable, then **all** known drivers will be tried and the first working one will be picked.
+By default, the storage driver is set via the `driver` option. If it is not defined, then the best driver will be picked according to the current platform. This option allows you to override this internal priority list with a custom one to prefer certain drivers.
+Setting this option only has an effect if the local storage has not been initialized yet and the driver name is not set.
+
 ### STORAGE OPTIONS TABLE
 
 The `storage.options` table supports the following options:
@@ -331,7 +336,7 @@ This is a way to prevent xfs_quota management from conflicting with containers/s
 
 Distributions often provide a `/usr/share/containers/storage.conf` file to define default storage configuration. Administrators can override this file by creating `/etc/containers/storage.conf` to specify their own configuration. Likewise rootless users can create a storage.conf file to override the system storage.conf files. Files should be stored in the `$XDG_CONFIG_HOME/containers/storage.conf` file.  If `$XDG_CONFIG_HOME` is not set then the file `$HOME/.config/containers/storage.conf` is used.
 
-Note: The storage.conf file overrides all other strorage.conf files. Container
+Note: The storage.conf file overrides all other storage.conf files. Container
 engines run by users with a storage.conf file in their home directory do not
 use options in the system storage.conf files.
 

containers.conf

@@ -64,7 +64,6 @@ default_capabilities = [
   "SETGID",
   "SETPCAP",
   "SETUID",
-  "SYS_CHROOT"
 ]
 
 # A list of sysctls to be set in containers by default,
@@ -218,6 +217,10 @@ log_driver = "k8s-file"
 #
 #prepare_volume_on_create = false
 
+# Run all containers with root file system mounted read-only
+#
+# read_only = false
+
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
 #
@@ -246,12 +249,6 @@ log_driver = "k8s-file"
 #
 #userns = "host"
 
-# Number of UIDs to allocate for the automatic container creation.
-# UIDs are allocated from the "container" UIDs listed in
-# /etc/subuid & /etc/subgid
-#
-#userns_size = 65536
-
 # Default way to to create a UTS namespace for the container
 # Options are:
 # `private`        Create private UTS Namespace for the container.
@@ -265,6 +262,11 @@ log_driver = "k8s-file"
 # If it is empty or commented out, no volumes will be added
 #
 #volumes = []
+#
+#[engine.platform_to_oci_runtime]
+#"wasi/wasm" = ["crun-wasm"]
+#"wasi/wasm32" = ["crun-wasm"]
+#"wasi/wasm64" = ["crun-wasm"]
 
 [secrets]
 #driver = "file"
@@ -415,6 +417,10 @@ network_backend = "cni"
 #events_logger = "journald"
 events_logger = "file"
 
+# Creates a more verbose container-create event which includes a JSON payload
+# with detailed information about the container.
+#events_container_create_inspect_data = false
+
 # A is a list of directories which are used to search for helper binaries.
 #
 #helper_binaries_dir = [
@@ -548,7 +554,7 @@ runtime = "runc"
 # List of the OCI runtimes that support --format=json. When json is supported
 # engine will use it for reporting nicer errors.
 #
-#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "youki", "krun"]
 
 # List of the OCI runtimes that supports running containers with KVM Separation.
 #
@@ -586,7 +592,7 @@ runtime = "runc"
 
 # map of service destinations
 #
-#[service_destinations]
+# [service_destinations]
 #  [service_destinations.production]
 #     URI to access the Podman service
 #     Examples:
@@ -659,6 +665,13 @@ runtime = "runc"
 #  "/run/current-system/sw/bin/runsc",
 #]
 
+#youki = [
+#  "/usr/local/bin/youki",
+#  "/usr/bin/youki",
+#  "/bin/youki",
+#  "/run/current-system/sw/bin/youki",
+#]
+
 #krun = [
 #  "/usr/bin/krun",
 #  "/usr/local/bin/krun",

containers.conf.5.md

@@ -88,22 +88,24 @@ List of default capabilities for containers.
 The default list is:
 ```
 default_capabilities = [
-"AUDIT_WRITE",
       "CHOWN",
       "DAC_OVERRIDE",
       "FOWNER",
       "FSETID",
       "KILL",
-      "MKNOD",
       "NET_BIND_SERVICE",
-      "NET_RAW",
+      "SETFCAP",
       "SETGID",
       "SETPCAP",
       "SETUID",
-      "SYS_CHROOT",
 ]
 ```
 
+Note, by default container engines using containers.conf, run with less
+capabilities than Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD",
+"NET_RAW", "CHROOT". If you need to add one of these capabilities for a
+particular container, you can use the --cap-add option or edit your system's containers.conf.
+
 **default_sysctls**=[]
 
 A list of sysctls to be set in containers by default,
@@ -241,6 +243,10 @@ is imposed.
 
 Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
 
+**read_only**=true|false
+
+Run all containers with root file system mounted read-only. Set to false by default.
+
 **seccomp_profile**="/usr/share/containers/seccomp.json"
 
 Path to the seccomp.json profile which is used as the default seccomp profile
@@ -275,11 +281,6 @@ Options are:
   `private` Create private USER Namespace for the container.
   `host`    Share host USER Namespace with the container.
 
-**userns_size**=65536
-
-Number of UIDs to allocate for the automatic container creation. UIDs are
-allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
-
 **utsns**="private"
 
 Default way to to create a UTS namespace for the container.
@@ -451,6 +452,11 @@ use this command:
 
 Valid values are: `file`, `journald`, and `none`.
 
+**events_container_create_inspect_data**=true|false
+
+Creates a more verbose container-create event which includes a JSON payload
+with detailed information about the container.  Set to false by default.
+
 **helper_binaries_dir**=["/usr/libexec/podman", ...]
 
 A is a list of directories which are used to search for helper binaries.
@@ -598,7 +604,7 @@ Default OCI specific runtime in runtimes that will be used by default. Must
 refer to a member of the runtimes table. Default runtime will be searched for
 on the system using the priority: "crun", "runc", "kata".
 
-**runtime_supports_json**=["crun", "runc", "kata", "runsc", "krun"]
+**runtime_supports_json**=["crun", "runc", "kata", "runsc", "youki", "krun"]
 
 The list of the OCI runtimes that support `--format=json`.
 
@@ -684,6 +690,10 @@ used as the backend for Podman named volumes. Individual plugins are specified
 below, as a map of the plugin name (what the plugin will be called) to its path
 (filepath of the plugin's unix socket).
 
+**[engine.platform_to_oci_runtime]**
+
+Allows end users to switch the OCI runtime on the bases of container image's platform string.
+Following config field contains a map of `platform/string = oci_runtime`.
 
 ## SECRET TABLE
 The `secret` table contains settings for the configuration of the secret subsystem.
@@ -735,6 +745,8 @@ Environment variables like $HOME as well as complete paths are supported for
 the source and destination. An optional third field `:ro` can be used to
 tell the container engines to mount the volume readonly.
 
+On Mac, the default volumes are: `"/Users:/Users", "/private:/private", "/var/folders:/var/folders"`
+
 # FILES
 
 **containers.conf**

gating.yaml

@@ -0,0 +1,6 @@
+# recipients: jnovy, lsm5, santiago
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules: []

pyxis.sh

@@ -1,63 +1,46 @@
 #!/bin/bash
-#set -e
+set -e
 rm -f /tmp/pyxis*.json
 TOTAL=`curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=1" | jq .total`
 if [ "$TOTAL" == "null" ]; then
   echo "Error comunicating with Pyxis API."
   exit 1
 fi
-PAGES=$(($TOTAL/500))
+PAGES=$(($TOTAL/250))
 for P in `seq 0 $PAGES`; do
   curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=500&page=$P" > /tmp/pyxis$P.json
 done
 cat /tmp/pyxis*.json > /tmp/pyx.json
+rm -f /tmp/pyx_debug
 rm -f /tmp/rhel-shortnames.conf
-while read -r LINE; do
-  if [[ "$LINE" == *\"_id\":* ]] || [[ "$LINE" == *\"total\":* ]]; then
-    if [ -z $REGISTRY ] ||
-       [ -z $PUBLISHED ] ||
-       [ -z $REPOSITORY ] ||
-       [  $REPOSITORY == \"\" ] ||
-       [ "$AVAILABLE" != "Generally Available" ] ||
-       [[ $REPOSITORY == *[@:]* ]] ||
-       [[ $REPOSITORY == *[* ]] ||
-       [[ "$REGISTRY" == *non_registry* ]] ||
-       [[ $REGISTRY != *.* ]]
-     then
-      continue
-    fi
+jq '.data[]|.published,.requires_terms,.repository,.registry,.release_categories[0]' < /tmp/pyx.json >/tmp/pyx
+readarray -t lines < /tmp/pyx
+IDX=0
+while [ $IDX -lt ${#lines[@]} ]; do
+  PUBLISHED=${lines[$IDX]}
+  REQ_TERMS=${lines[$IDX+1]}
+  REPOSITORY=`echo ${lines[$IDX+2]} | tr -d '"'`
+  REGISTRY=`echo ${lines[$IDX+3]} | tr -d '"'`
+  RELEASE=`echo ${lines[$IDX+4]} | tr -d '"'`
+  if [ "$PUBLISHED" == "true" ] &&
+     [ "$RELEASE" == "Generally Available" ] &&
+     [  $REPOSITORY != \"\" ] &&
+     [[ $REPOSITORY != *[@:]* ]] &&
+     [[ $REPOSITORY != *[* ]] &&
+     [[ $REGISTRY == *.* ]] &&
+     [ "$REGISTRY" != "non_registry" ]; then
     if [[ $REGISTRY == *quay.io* ]] ||
        [[ $REGISTRY == *redhat.com* ]]; then
-      if [ "$REQUIRES_TERMS" == "1" ]; then
+      if [ "$REQ_TERMS" == "true" ]; then
         REGISTRY=registry.redhat.io
       fi
-      echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\""
-      echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" >> /tmp/rhel-shortnames.conf
     fi
-    REGISTRY=""
-    PUBLISHED=""
-    AVAILABLE=""
-    REPOSITORY=""
-    REQUIRES_TERMS=""
-    continue
+    echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\""
+    echo $PUBLISHED,$REQ_TERMS,$REPOSITORY,$REGISTRY,$RELEASE >> /tmp/pyx_debug
+    echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" >> /tmp/rhel-shortnames.conf
   fi
-  if [[ "$LINE" == *\"published\":\ true,* ]]; then
-    PUBLISHED=1
-  fi
-  if [[ "$LINE" == *\"requires_terms\":\ true,* ]]; then
-    REQUIRES_TERMS=1
-  fi
-  if [[ "$LINE" == *\"repository\":\ * ]]; then
-    REPOSITORY=`echo $LINE | sed 's,^.* ",,' | sed 's;",$;;'`
-  fi
-  if [[ "$LINE" == *\"registry\":\ * ]]; then
-    REGISTRY=`echo $LINE | sed -e 's,^.*:\ ",,' -e 's,".*,,'`
-  fi
-  if [[ "$LINE" == *\"release_categories\":\ * ]]; then
-    read -r LINE
-    AVAILABLE=`echo $LINE | sed 's,",,g'`
-  fi
-done < /tmp/pyx.json
+  IDX=$(($IDX+5))
+done
 
 cp /tmp/rhel-shortnames.conf /tmp/r.conf
 for D in `cut -d\  -f1 /tmp/r.conf | sort | uniq -d`; do

sources

@@ -1 +0,0 @@
-SHA512 (RPM-GPG-KEY-redhat-beta) = ec1b2d3446376909deea3c292804224e895b6e41e60059afb5ffbc234152092ad5c821c88fd8ccf45bfb49163c7e5c934e4148c224b2b27c071b12cb0473ea8d

storage.conf

@@ -32,6 +32,10 @@ graphroot = "/var/lib/containers/storage"
 #
 # rootless_storage_path = "$HOME/.local/share/containers/storage"
 
+# Transient store mode makes all container metadata be saved in temporary storage
+# (i.e. runroot above). This is faster, but doesn't persist across reboots.
+# transient_store = true
+
 [storage.options]
 # Storage options to be passed to underlying storage drivers
 

update-vendored.sh

@@ -21,9 +21,9 @@ for P in podman skopeo buildah; do
     pkg --release rhel-8 prep
   fi
   DIR=`ls -d -- */ | grep -v ^tests | head -n1`
-  grep github.com/containers/image $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_image
-  grep github.com/containers/common $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_common
-  grep github.com/containers/storage $DIR/go.mod | grep -v - | cut -d\  -f2 >> /tmp/ver_storage
+  grep github.com/containers/image $DIR/go.mod | cut -d\  -f2 | sed 's,-.*,,'>> /tmp/ver_image
+  grep github.com/containers/common $DIR/go.mod | cut -d\  -f2 | sed 's,-.*,,' >> /tmp/ver_common
+  grep github.com/containers/storage $DIR/go.mod | cut -d\  -f2 | sed 's,-.*,,' >> /tmp/ver_storage
   cd -
 done
 IMAGE_VER=`sort -n /tmp/ver_image | head -n1`

update.sh

@@ -13,7 +13,7 @@ ensure() {
       sed -i "/^#.*$2[[:blank:]].*=/a \
 $2 = $3" $1
     else
-      echo "$2 = \"$3\"" >> $1
+      echo "$2 = $3" >> $1
     fi
   fi
 }
@@ -21,10 +21,18 @@ $2 = $3" $1
 #./pyxis.sh
 #./update-vendored.sh
 spectool -f -g containers-common.spec
+for FILE in *; do
+  [ -s "$FILE" ]
+  if [ $? == 1 ] && [ "$FILE" != "sources" ]; then
+    echo "empty file: $FILE"
+    exit 1
+  fi
+done
 ensure storage.conf    driver                        \"overlay\"
 ensure storage.conf    mountopt                      \"nodev,metacopy=on\"
 if pwd | grep rhel-8 > /dev/null
 then
+awk -i inplace '/#default_capabilities/,/#\]/{gsub("#","",$0)}1' containers.conf
 ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
 ensure registries.conf short-name-mode               \"permissive\"
 ensure containers.conf runtime                       \"runc\"
@@ -41,7 +49,7 @@ ensure registries.conf unqualified-search-registries [\"registry.access.redhat.c
 ensure registries.conf short-name-mode               \"enforcing\"
 ensure containers.conf runtime                       \"crun\"
 fi
-[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
+[ `grep \"keyctl\", seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
 				"keyctl",' seccomp.json
-sed -i '/\"socketcall\",/i \
+[ `grep \"socket\", seccomp.json | wc -l` == 0 ] && sed -i '/\"socketcall\",/i \
 				"socket",' seccomp.json