From 6c7182809c6a127962798ce596a2b4e14fd5077c Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Tue, 12 Jan 2021 10:24:12 -0500 Subject: [PATCH] containers-common-3:1-2 - update registries.conf and other files Signed-off-by: Lokesh Mandvekar --- containers-common.spec | 52 ++++++++++++++----------- containers-storage.conf.5.md | 2 +- containers.conf | 24 ++++++------ containers.conf.5.md | 9 +++-- policy.json | 12 ++++++ registries.conf | 75 ++++++++---------------------------- seccomp.json | 4 +- storage.conf | 2 +- 8 files changed, 80 insertions(+), 100 deletions(-) diff --git a/containers-common.spec b/containers-common.spec index e76278d..44c1336 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -8,11 +8,14 @@ %global image_branch master %global common_branch master %global storage_branch master +%global shortnames_branch master + +%global github_containers https://raw.githubusercontent.com/containers Epoch: 3 Name: containers-common Version: 1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 BuildArch: noarch @@ -20,34 +23,34 @@ BuildRequires: go-md2man Recommends: fuse-overlayfs Recommends: slirp4netns Recommends: subscription-manager -Source1: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/storage.conf -Source2: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/docs/containers-storage.conf.5.md +Source1: %{github_containers}/storage/%{storage_branch}/storage.conf +Source2: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md Source3: mounts.conf -Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md -#Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf -Source5: registries.conf -Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md -Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json -Source8: https://raw.githubusercontent.com/containers/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md -Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md -Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md -Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md -Source12: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.d.5.md -Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/config/containers.conf -Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md -Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md -Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md -Source17: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/integration/fixtures/policy.json -Source18: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/default.yaml +Source4: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.5.md +Source5: %{github_containers}/image/%{image_branch}/registries.conf +Source6: %{github_containers}/image/%{image_branch}/docs/containers-policy.json.5.md +Source7: %{github_containers}/common/%{common_branch}/pkg/seccomp/seccomp.json +Source8: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md +Source9: %{github_containers}/image/%{image_branch}/docs/containers-signature.5.md +Source10: %{github_containers}/image/%{image_branch}/docs/containers-transports.5.md +Source11: %{github_containers}/image/%{image_branch}/docs/containers-certs.d.5.md +Source12: %{github_containers}/image/%{image_branch}/docs/containers-registries.d.5.md +Source13: %{github_containers}/common/%{common_branch}/pkg/config/containers.conf +Source14: %{github_containers}/common/%{common_branch}/docs/containers.conf.5.md +Source15: %{github_containers}/image/%{image_branch}/docs/containers-auth.json.5.md +Source16: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.d.5.md +Source17: %{github_containers}/skopeo/%{skopeo_branch}/integration/fixtures/policy.json +Source18: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml +Source19: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf # use this script to update sources above - it assures it contains required content Source20: update.sh %description This package contains common configuration files and documentation for container -tools ecosystem, such as podman, buildah, skopeo. +tools ecosystem, such as Podman, Buildah and Skopeo. It is required because the most of configuration files and docs come from projects -which are vendored into podman, buildah, skopeo, etc. but they are not packaged +which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged separately. %prep @@ -55,11 +58,12 @@ separately. %build %install -install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d} +install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.conf.d,registries.d} install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore install -m0644 %{SOURCE18} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf +install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/policy.json install -dp %{buildroot}%{_mandir}/man5 @@ -97,6 +101,7 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/storage.conf %config(noreplace) %{_sysconfdir}/containers/registries.conf +%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/shortnames.conf %ghost %{_sysconfdir}/containers/containers.conf %dir %{_sharedstatedir}/containers/sigstore %{_mandir}/man5/* @@ -108,5 +113,8 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret %{_datadir}/rhel/secrets/* %changelog +* Tue Jan 12 2021 Lokesh Mandvekar - 3:1-2 +- update registries.conf and other files + * Tue Dec 08 2020 Jindrich Novy - 3:1-1 - initial build diff --git a/containers-storage.conf.5.md b/containers-storage.conf.5.md index 14c92e1..ba6fcaa 100644 --- a/containers-storage.conf.5.md +++ b/containers-storage.conf.5.md @@ -46,7 +46,7 @@ The `storage` table supports the following options: A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). **runroot**="" - container storage run dir (default: "/var/run/containers/storage") + container storage run dir (default: "/run/containers/storage") Default directory to store all temporary writable content created by container storage programs. The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) diff --git a/containers.conf b/containers.conf index 12fbecc..0587469 100644 --- a/containers.conf +++ b/containers.conf @@ -380,7 +380,7 @@ default_sysctls = [ # Directory for temporary files. Must be tmpfs (wiped after reboot) # -# tmp_dir = "/var/run/libpod" +# tmp_dir = "/run/libpod" # Directory for libpod named volumes. # By default, this will be configured relative to where containers/storage @@ -425,18 +425,8 @@ default_sysctls = [ # Path to file containing ssh identity key # identity = "~/.ssh/id_rsa" -# Paths to look for a valid OCI runtime (runc, runv, kata, etc) +# Paths to look for a valid OCI runtime (crun, runc, kata, etc) [engine.runtimes] -# runc = [ -# "/usr/bin/runc", -# "/usr/sbin/runc", -# "/usr/local/bin/runc", -# "/usr/local/sbin/runc", -# "/sbin/runc", -# "/bin/runc", -# "/usr/lib/cri-o-runc/sbin/runc", -# ] - # crun = [ # "/usr/bin/crun", # "/usr/sbin/crun", @@ -447,6 +437,16 @@ default_sysctls = [ # "/run/current-system/sw/bin/crun", # ] +# runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +# ] + # kata = [ # "/usr/bin/kata-runtime", # "/usr/sbin/kata-runtime", diff --git a/containers.conf.5.md b/containers.conf.5.md index 5836ee7..678eafb 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md @@ -142,7 +142,7 @@ environment variables to the container. Pass all host environment variables into the container. -**http_proxy**=false +**http_proxy**=true Default proxy environment variables will be passed into the container. The environment variables passed in include: @@ -435,10 +435,11 @@ Pull image before running or creating a container. The default is **missing**. Indicates whether the application should be running in remote mode. This flag modifies the --remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service. -**runtime**="crun" +**runtime**="" Default OCI specific runtime in runtimes that will be used by default. Must -refer to a member of the runtimes table. +refer to a member of the runtimes table. Default runtime will be searched for +on the system using the priority: "crun", "runc", "kata". **runtime_supports_json**=["crun", "runc", "kata"] @@ -462,7 +463,7 @@ stores containers. Number of seconds to wait for container to exit before sending kill signal. -**tmp_dir**="/var/run/libpod" +**tmp_dir**="/run/libpod" The path to a temporary directory to store per-boot container. Must be a tmpfs (wiped after reboot). diff --git a/policy.json b/policy.json index 85251e3..dba1043 100644 --- a/policy.json +++ b/policy.json @@ -34,6 +34,18 @@ "keyPath": "@keydir@/personal-pubkey.gpg" } ], + "localhost:5006/myns/mirroring-remap": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "@keydir@/personal-pubkey.gpg", + "signedIdentity": { + "type": "remapIdentity", + "prefix": "localhost:5006/myns/mirroring-remap", + "signedPrefix": "localhost:5006/myns/mirroring-primary" + } + } + ], "docker.io/openshift": [ { "type": "insecureAcceptAnything" diff --git a/registries.conf b/registries.conf index 4f20fba..11d1a29 100644 --- a/registries.conf +++ b/registries.conf @@ -1,64 +1,21 @@ # For more information on this configuration file, see containers-registries.conf(5). # -# There are multiple versions of the configuration syntax available, where the -# second iteration is backwards compatible to the first one. Mixing up both -# formats will result in an runtime error. -# -# The initial configuration format looks like this: -# # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES -# Red Hat recommends always using fully qualified image names including the registry server (full dns name), -# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is -# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to. -# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com -# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier -# in the search list. The user would accidentally pull and run the attacker's image and code rather than the -# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries -# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent -# an image from being spoofed, squatted or otherwise made insecure. If it is necessary to use one of these -# registries, it should be added at the end of the list. -# -# It is recommended to use fully-qualified images for pulling as the -# destination registry is unambiguous. Pulling by digest -# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of -# tags. - -# The following registries are a set of secure defaults provided by Red Hat. -# Each of these registries provides container images curated, patched -# and maintained by Red Hat and its partners -#[registries.search] -#registries = ['registry.access.redhat.com', 'registry.redhat.io'] - -# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat -# does not curate, patch or maintain container images from the docker.io registry. -[registries.search] -registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io'] - -# The following registries entry can be used for convenience but includes -# container images built by the community. This set of content comes with all -# of the risks of any user generated content including security and performance -# issues. To use this list first comment out the default list, then uncomment -# the following list -#[registries.search] -#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io'] - -# Registries that do not use TLS when pulling images or uses self-signed -# certificates. -[registries.insecure] -registries = [] - -# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify -# "*", then the docker daemon will only be allowed to pull from registries listed above in the search -# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it. -# It is recommended that you use the trust policy file /etc/containers/policy.json to control which -# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and -# supports all container runtimes and tools including the docker daemon, cri-o, buildah ... -# The atomic CLI `atomic trust` can be used to easily configure the policy.json file. -[registries.block] -registries = [] - -# The second version of the configuration format allows to specify registry -# mirrors: +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. # # # An array of host[:port] registries to try when pulling an unqualified image, in order. unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"] @@ -109,5 +66,5 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access. # # Given the above, a pull of example.com/foo/image:latest will try: # # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest -# # 3. internal-registry-for-example.net/bar/myimage:latest +# # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. diff --git a/seccomp.json b/seccomp.json index ec24538..15876ac 100644 --- a/seccomp.json +++ b/seccomp.json @@ -77,6 +77,7 @@ "clock_nanosleep_time64", "clone", "close", + "close_range", "connect", "copy_file_range", "creat", @@ -228,6 +229,8 @@ "openat2", "pause", "pidfd_getfd", + "pidfd_open", + "pidfd_send_signal", "pipe", "pipe2", "pivot_root", @@ -377,7 +380,6 @@ "utimensat_time64", "utimes", "vfork", - "vmsplice", "wait4", "waitid", "waitpid", diff --git a/storage.conf b/storage.conf index 72735b6..7372e5a 100644 --- a/storage.conf +++ b/storage.conf @@ -8,7 +8,7 @@ driver = "overlay" # Temporary storage location -runroot = "/var/run/containers/storage" +runroot = "/run/containers/storage" # Primary Read/Write location of container storage graphroot = "/var/lib/containers/storage"