containers-common-3:1-2

- update registries.conf and other files Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2021-01-12 10:24:12 -05:00 · 2021-01-12 10:24:12 -05:00 · 6c7182809c
commit 6c7182809c
parent ad1d3a6fa9
8 changed files with 80 additions and 100 deletions
--- a/containers-common.spec
+++ b/containers-common.spec
@ -8,11 +8,14 @@
 %global image_branch  master
 %global common_branch master
 %global storage_branch master
+%global shortnames_branch master
+
+%global github_containers https://raw.githubusercontent.com/containers

 Epoch: 3
 Name: containers-common
 Version: 1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 BuildArch: noarch
@ -20,34 +23,34 @@ BuildRequires: go-md2man
 Recommends: fuse-overlayfs
 Recommends: slirp4netns
 Recommends: subscription-manager
-Source1: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/storage.conf
-Source2: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/docs/containers-storage.conf.5.md
+Source1: %{github_containers}/storage/%{storage_branch}/storage.conf
+Source2: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
 Source3: mounts.conf
-Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
-#Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf
-Source5: registries.conf
-Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
-Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
-Source8: https://raw.githubusercontent.com/containers/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
-Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
-Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
-Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md
-Source12: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.d.5.md
-Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/config/containers.conf
-Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md
-Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md
-Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
-Source17: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/integration/fixtures/policy.json
-Source18: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/default.yaml
+Source4: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.5.md
+Source5: %{github_containers}/image/%{image_branch}/registries.conf
+Source6: %{github_containers}/image/%{image_branch}/docs/containers-policy.json.5.md
+Source7: %{github_containers}/common/%{common_branch}/pkg/seccomp/seccomp.json
+Source8: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
+Source9: %{github_containers}/image/%{image_branch}/docs/containers-signature.5.md
+Source10: %{github_containers}/image/%{image_branch}/docs/containers-transports.5.md
+Source11: %{github_containers}/image/%{image_branch}/docs/containers-certs.d.5.md
+Source12: %{github_containers}/image/%{image_branch}/docs/containers-registries.d.5.md
+Source13: %{github_containers}/common/%{common_branch}/pkg/config/containers.conf
+Source14: %{github_containers}/common/%{common_branch}/docs/containers.conf.5.md
+Source15: %{github_containers}/image/%{image_branch}/docs/containers-auth.json.5.md
+Source16: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
+Source17: %{github_containers}/skopeo/%{skopeo_branch}/integration/fixtures/policy.json
+Source18: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
+Source19: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
 # use this script to update sources above - it assures it contains required content
 Source20: update.sh

 %description
 This package contains common configuration files and documentation for container
-tools ecosystem, such as podman, buildah, skopeo.
+tools ecosystem, such as Podman, Buildah and Skopeo.

 It is required because the most of configuration files and docs come from projects
-which are vendored into podman, buildah, skopeo, etc. but they are not packaged
+which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
 separately.

 %prep
@ -55,11 +58,12 @@ separately.
 %build

 %install
-install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d}
+install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.conf.d,registries.d}
 install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
 install -m0644 %{SOURCE18} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
 install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
 install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
+install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
 install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/policy.json
 install -dp %{buildroot}%{_mandir}/man5

@ -97,6 +101,7 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
+%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/shortnames.conf
 %ghost %{_sysconfdir}/containers/containers.conf
 %dir %{_sharedstatedir}/containers/sigstore
 %{_mandir}/man5/*
@ -108,5 +113,8 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %{_datadir}/rhel/secrets/*

 %changelog
+* Tue Jan 12 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 3:1-2
+- update registries.conf and other files
+
 * Tue Dec 08 2020 Jindrich Novy <jnovy@redhat.com> - 3:1-1
 - initial build
--- a/containers-storage.conf.5.md
+++ b/containers-storage.conf.5.md
@ -46,7 +46,7 @@ The `storage` table supports the following options:
  A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS).

 **runroot**=""
-  container storage run dir (default: "/var/run/containers/storage")
+  container storage run dir (default: "/run/containers/storage")
  Default directory to store all temporary writable content created by container storage programs.
  The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)

--- a/containers.conf
+++ b/containers.conf
@ -380,7 +380,7 @@ default_sysctls = [

 # Directory for temporary files. Must be tmpfs (wiped after reboot)
 #
-# tmp_dir = "/var/run/libpod"
+# tmp_dir = "/run/libpod"

 # Directory for libpod named volumes.
 # By default, this will be configured relative to where containers/storage
@ -425,18 +425,8 @@ default_sysctls = [
 #     Path to file containing ssh identity key
 #     identity = "~/.ssh/id_rsa"

-# Paths to look for a valid OCI runtime (runc, runv, kata, etc)
+# Paths to look for a valid OCI runtime (crun, runc, kata, etc)
 [engine.runtimes]
-# runc = [
-#        "/usr/bin/runc",
-#        "/usr/sbin/runc",
-#        "/usr/local/bin/runc",
-#        "/usr/local/sbin/runc",
-#        "/sbin/runc",
-#        "/bin/runc",
-#        "/usr/lib/cri-o-runc/sbin/runc",
-# ]
-
 # crun = [
 #            "/usr/bin/crun",
 #            "/usr/sbin/crun",
@ -447,6 +437,16 @@ default_sysctls = [
 #            "/run/current-system/sw/bin/crun",
 # ]

+# runc = [
+#        "/usr/bin/runc",
+#        "/usr/sbin/runc",
+#        "/usr/local/bin/runc",
+#        "/usr/local/sbin/runc",
+#        "/sbin/runc",
+#        "/bin/runc",
+#        "/usr/lib/cri-o-runc/sbin/runc",
+# ]
+
 # kata = [
 #            "/usr/bin/kata-runtime",
 #            "/usr/sbin/kata-runtime",
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
@ -142,7 +142,7 @@ environment variables to the container.

 Pass all host environment variables into the container.

-**http_proxy**=false
+**http_proxy**=true

 Default proxy environment variables will be passed into the container.
 The environment variables passed in include:
@ -435,10 +435,11 @@ Pull image before running or creating a container. The default is **missing**.
 Indicates whether the application should be running in remote mode. This flag modifies the
 --remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.

-**runtime**="crun"
+**runtime**=""

 Default OCI specific runtime in runtimes that will be used by default. Must
-refer to a member of the runtimes table.
+refer to a member of the runtimes table. Default runtime will be searched for
+on the system using the priority: "crun", "runc", "kata".

 **runtime_supports_json**=["crun", "runc", "kata"]

@ -462,7 +463,7 @@ stores containers.

 Number of seconds to wait for container to exit before sending kill signal.

-**tmp_dir**="/var/run/libpod"
+**tmp_dir**="/run/libpod"

 The path to a temporary directory to store per-boot container.
 Must be a tmpfs (wiped after reboot).
--- a/policy.json
+++ b/policy.json
@ -34,6 +34,18 @@
                    "keyPath": "@keydir@/personal-pubkey.gpg"
                }
            ],
+            "localhost:5006/myns/mirroring-remap": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "remapIdentity",
+                        "prefix": "localhost:5006/myns/mirroring-remap",
+                        "signedPrefix": "localhost:5006/myns/mirroring-primary"
+                    }
+                }
+            ],
            "docker.io/openshift": [
                {
                    "type": "insecureAcceptAnything"
--- a/registries.conf
+++ b/registries.conf
@ -1,64 +1,21 @@
 # For more information on this configuration file, see containers-registries.conf(5).
 #
-# There are multiple versions of the configuration syntax available, where the
-# second iteration is backwards compatible to the first one. Mixing up both
-# formats will result in an runtime error.
-#
-# The initial configuration format looks like this:
-#
 # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
-# Red Hat recommends always using fully qualified image names including the registry server (full dns name),
-# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is
-# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to.
-# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com
-# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier
-# in the search list. The user would accidentally pull and run the attacker's image and code rather than the
-# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries
-# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent
-# an image from being spoofed, squatted or otherwise made insecure.  If it is necessary to use one of these
-# registries, it should be added at the end of the list.
-#
-# It is recommended to use fully-qualified images for pulling as the
-# destination registry is unambiguous. Pulling by digest
-# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
-# tags.
-
-# The following registries are a set of secure defaults provided by Red Hat.
-# Each of these registries provides container images curated, patched
-# and maintained by Red Hat and its partners
-#[registries.search]
-#registries = ['registry.access.redhat.com', 'registry.redhat.io']
-
-# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat
-# does not curate, patch or maintain container images from the docker.io registry.
-[registries.search]
-registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
-
-# The following registries entry can be used for convenience but includes
-# container images built by the community. This set of content comes with all
-# of the risks of any user generated content including security and performance
-# issues. To use this list first comment out the default list, then uncomment
-# the following list
-#[registries.search]
-#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']
-
-# Registries that do not use TLS when pulling images or uses self-signed
-# certificates.
-[registries.insecure]
-registries = []
-
-# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry.  If you specify
-# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
-# registries.  Blocked Registries is deprecated because other container runtimes and tools will not use it.
-# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
-# registries you want to allow users to pull and push from.  policy.json gives greater flexibility, and
-# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
-# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
-[registries.block]
-registries = []
-
-# The second version of the configuration format allows to specify registry
-# mirrors:
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure.  If it is necessary to use one
+# of these registries, it should be added at the end of the list.
 #
 # # An array of host[:port] registries to try when pulling an unqualified image, in order.
 unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
@ -109,5 +66,5 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 # # Given the above, a pull of example.com/foo/image:latest will try:
 # # 1. example-mirror-0.local/mirror-for-foo/image:latest
 # # 2. example-mirror-1.local/mirrors/foo/image:latest
-# # 3. internal-registry-for-example.net/bar/myimage:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
 # # in order, and use the first one that exists.
--- a/seccomp.json
+++ b/seccomp.json
@ -77,6 +77,7 @@
 				"clock_nanosleep_time64",
 				"clone",
 				"close",
+				"close_range",
 				"connect",
 				"copy_file_range",
 				"creat",
@ -228,6 +229,8 @@
 				"openat2",
 				"pause",
 				"pidfd_getfd",
+				"pidfd_open",
+				"pidfd_send_signal",
 				"pipe",
 				"pipe2",
 				"pivot_root",
@ -377,7 +380,6 @@
 				"utimensat_time64",
 				"utimes",
 				"vfork",
-				"vmsplice",
 				"wait4",
 				"waitid",
 				"waitpid",
--- a/storage.conf
+++ b/storage.conf
@ -8,7 +8,7 @@
 driver = "overlay"

 # Temporary storage location
-runroot = "/var/run/containers/storage"
+runroot = "/run/containers/storage"

 # Primary Read/Write location of container storage
 graphroot = "/var/lib/containers/storage"