rpms/containers-common
7
0
Fork 0
Code Issues Pull Requests Releases Activity

containers-common-3:1-2

Browse Source 
- update registries.conf and other files

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This commit is contained in:
Lokesh Mandvekar 2021-01-12 10:24:12 -05:00
parent ad1d3a6fa9
commit 6c7182809c
8 changed files with 80 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
containers-common.spec
View File

@ -8,11 +8,14 @@
%global image_branch master %global image_branch master
%global common_branch master %global common_branch master
%global storage_branch master %global storage_branch master
%global shortnames_branch master
%global github_containers https://raw.githubusercontent.com/containers
Epoch: 3 Epoch: 3
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 1%{?dist} Release: 2%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
BuildArch: noarch BuildArch: noarch
@ -20,34 +23,34 @@ BuildRequires: go-md2man
Recommends: fuse-overlayfs Recommends: fuse-overlayfs
Recommends: slirp4netns Recommends: slirp4netns
Recommends: subscription-manager Recommends: subscription-manager
Source1: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/storage.conf Source1: %{github_containers}/storage/%{storage_branch}/storage.conf
Source2: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/docs/containers-storage.conf.5.md Source2: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source3: mounts.conf Source3: mounts.conf
Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md Source4: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.5.md
#Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf Source5: %{github_containers}/image/%{image_branch}/registries.conf
Source5: registries.conf Source6: %{github_containers}/image/%{image_branch}/docs/containers-policy.json.5.md
Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md Source7: %{github_containers}/common/%{common_branch}/pkg/seccomp/seccomp.json
Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json Source8: %{github_containers}/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
Source8: https://raw.githubusercontent.com/containers/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md Source9: %{github_containers}/image/%{image_branch}/docs/containers-signature.5.md
Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md Source10: %{github_containers}/image/%{image_branch}/docs/containers-transports.5.md
Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md Source11: %{github_containers}/image/%{image_branch}/docs/containers-certs.d.5.md
Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md Source12: %{github_containers}/image/%{image_branch}/docs/containers-registries.d.5.md
Source12: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.d.5.md Source13: %{github_containers}/common/%{common_branch}/pkg/config/containers.conf
Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/config/containers.conf Source14: %{github_containers}/common/%{common_branch}/docs/containers.conf.5.md
Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md Source15: %{github_containers}/image/%{image_branch}/docs/containers-auth.json.5.md
Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md Source16: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md Source17: %{github_containers}/skopeo/%{skopeo_branch}/integration/fixtures/policy.json
Source17: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/integration/fixtures/policy.json Source18: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
Source18: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/default.yaml Source19: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
# use this script to update sources above - it assures it contains required content # use this script to update sources above - it assures it contains required content
Source20: update.sh Source20: update.sh
%description %description
This package contains common configuration files and documentation for container This package contains common configuration files and documentation for container
tools ecosystem, such as podman, buildah, skopeo. tools ecosystem, such as Podman, Buildah and Skopeo.
It is required because the most of configuration files and docs come from projects It is required because the most of configuration files and docs come from projects
which are vendored into podman, buildah, skopeo, etc. but they are not packaged which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
separately. separately.
%prep %prep
@ -55,11 +58,12 @@ separately.
%build %build
%install %install
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d} install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.conf.d,registries.d}
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -m0644 %{SOURCE18} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml install -m0644 %{SOURCE18} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/policy.json install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/policy.json
install -dp %{buildroot}%{_mandir}/man5 install -dp %{buildroot}%{_mandir}/man5
@ -97,6 +101,7 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/storage.conf %config(noreplace) %{_sysconfdir}/containers/storage.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf %config(noreplace) %{_sysconfdir}/containers/registries.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/shortnames.conf
%ghost %{_sysconfdir}/containers/containers.conf %ghost %{_sysconfdir}/containers/containers.conf
%dir %{_sharedstatedir}/containers/sigstore %dir %{_sharedstatedir}/containers/sigstore
%{_mandir}/man5/* %{_mandir}/man5/*
@ -108,5 +113,8 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Tue Jan 12 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 3:1-2
- update registries.conf and other files
* Tue Dec 08 2020 Jindrich Novy <jnovy@redhat.com> - 3:1-1 * Tue Dec 08 2020 Jindrich Novy <jnovy@redhat.com> - 3:1-1
- initial build - initial build

2
containers-storage.conf.5.md
View File

@ -46,7 +46,7 @@ The `storage` table supports the following options:
A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS).
**runroot**="" **runroot**=""
container storage run dir (default: "/var/run/containers/storage") container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs. Default directory to store all temporary writable content created by container storage programs.
The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)

24
containers.conf
View File

@ -380,7 +380,7 @@ default_sysctls = [
# Directory for temporary files. Must be tmpfs (wiped after reboot) # Directory for temporary files. Must be tmpfs (wiped after reboot)
# #
# tmp_dir = "/var/run/libpod" # tmp_dir = "/run/libpod"
# Directory for libpod named volumes. # Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage # By default, this will be configured relative to where containers/storage
@ -425,18 +425,8 @@ default_sysctls = [
# Path to file containing ssh identity key # Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa" # identity = "~/.ssh/id_rsa"
# Paths to look for a valid OCI runtime (runc, runv, kata, etc) # Paths to look for a valid OCI runtime (crun, runc, kata, etc)
[engine.runtimes] [engine.runtimes]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# crun = [ # crun = [
# "/usr/bin/crun", # "/usr/bin/crun",
# "/usr/sbin/crun", # "/usr/sbin/crun",
@ -447,6 +437,16 @@ default_sysctls = [
# "/run/current-system/sw/bin/crun", # "/run/current-system/sw/bin/crun",
# ] # ]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# kata = [ # kata = [
# "/usr/bin/kata-runtime", # "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime", # "/usr/sbin/kata-runtime",

9
containers.conf.5.md
View File

@ -142,7 +142,7 @@ environment variables to the container.
Pass all host environment variables into the container. Pass all host environment variables into the container.
**http_proxy**=false **http_proxy**=true
Default proxy environment variables will be passed into the container. Default proxy environment variables will be passed into the container.
The environment variables passed in include: The environment variables passed in include:
@ -435,10 +435,11 @@ Pull image before running or creating a container. The default is **missing**.
Indicates whether the application should be running in remote mode. This flag modifies the Indicates whether the application should be running in remote mode. This flag modifies the
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service. --remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
**runtime**="crun" **runtime**=""
Default OCI specific runtime in runtimes that will be used by default. Must Default OCI specific runtime in runtimes that will be used by default. Must
refer to a member of the runtimes table. refer to a member of the runtimes table. Default runtime will be searched for
on the system using the priority: "crun", "runc", "kata".
**runtime_supports_json**=["crun", "runc", "kata"] **runtime_supports_json**=["crun", "runc", "kata"]
@ -462,7 +463,7 @@ stores containers.
Number of seconds to wait for container to exit before sending kill signal. Number of seconds to wait for container to exit before sending kill signal.
**tmp_dir**="/var/run/libpod" **tmp_dir**="/run/libpod"
The path to a temporary directory to store per-boot container. The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot). Must be a tmpfs (wiped after reboot).

12
policy.json
View File

@ -34,6 +34,18 @@
"keyPath": "@keydir@/personal-pubkey.gpg" "keyPath": "@keydir@/personal-pubkey.gpg"
} }
], ],
"localhost:5006/myns/mirroring-remap": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "@keydir@/personal-pubkey.gpg",
"signedIdentity": {
"type": "remapIdentity",
"prefix": "localhost:5006/myns/mirroring-remap",
"signedPrefix": "localhost:5006/myns/mirroring-primary"
}
}
],
"docker.io/openshift": [ "docker.io/openshift": [
{ {
"type": "insecureAcceptAnything" "type": "insecureAcceptAnything"

75
registries.conf
View File

@ -1,64 +1,21 @@
# For more information on this configuration file, see containers-registries.conf(5). # For more information on this configuration file, see containers-registries.conf(5).
# #
# There are multiple versions of the configuration syntax available, where the
# second iteration is backwards compatible to the first one. Mixing up both
# formats will result in an runtime error.
#
# The initial configuration format looks like this:
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# Red Hat recommends always using fully qualified image names including the registry server (full dns name), # We recommend always using fully qualified image names including the registry
# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is # server (full dns name), namespace, image name, and tag
# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to. # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com # quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier # When using short names, there is always an inherent risk that the image being
# in the search list. The user would accidentally pull and run the attacker's image and code rather than the # pulled could be spoofed. For example, a user wants to pull an image named
# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries # `foobar` from a registry and expects it to come from myregistry.com. If
# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent # myregistry.com is not first in the search list, an attacker could place a
# an image from being spoofed, squatted or otherwise made insecure. If it is necessary to use one of these # different `foobar` image at a registry earlier in the search list. The user
# registries, it should be added at the end of the list. # would accidentally pull and run the attacker's image and code rather than the
# # intended content. We recommend only adding registries which are completely
# It is recommended to use fully-qualified images for pulling as the # trusted (i.e., registries which don't allow unknown or anonymous users to
# destination registry is unambiguous. Pulling by digest # create accounts with arbitrary names). This will prevent an image from being
# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of # spoofed, squatted or otherwise made insecure. If it is necessary to use one
# tags. # of these registries, it should be added at the end of the list.
# The following registries are a set of secure defaults provided by Red Hat.
# Each of these registries provides container images curated, patched
# and maintained by Red Hat and its partners
#[registries.search]
#registries = ['registry.access.redhat.com', 'registry.redhat.io']
# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat
# does not curate, patch or maintain container images from the docker.io registry.
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
# The following registries entry can be used for convenience but includes
# container images built by the community. This set of content comes with all
# of the risks of any user generated content including security and performance
# issues. To use this list first comment out the default list, then uncomment
# the following list
#[registries.search]
#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']
# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
[registries.insecure]
registries = []
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
[registries.block]
registries = []
# The second version of the configuration format allows to specify registry
# mirrors:
# #
# # An array of host[:port] registries to try when pulling an unqualified image, in order. # # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"] unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
@ -109,5 +66,5 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
# # Given the above, a pull of example.com/foo/image:latest will try: # # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/myimage:latest # # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists. # # in order, and use the first one that exists.

4
seccomp.json
View File

@ -77,6 +77,7 @@
"clock_nanosleep_time64", "clock_nanosleep_time64",
"clone", "clone",
"close", "close",
"close_range",
"connect", "connect",
"copy_file_range", "copy_file_range",
"creat", "creat",
@ -228,6 +229,8 @@
"openat2", "openat2",
"pause", "pause",
"pidfd_getfd", "pidfd_getfd",
"pidfd_open",
"pidfd_send_signal",
"pipe", "pipe",
"pipe2", "pipe2",
"pivot_root", "pivot_root",
@ -377,7 +380,6 @@
"utimensat_time64", "utimensat_time64",
"utimes", "utimes",
"vfork", "vfork",
"vmsplice",
"wait4", "wait4",
"waitid", "waitid",
"waitpid", "waitpid",

2
storage.conf
View File

@ -8,7 +8,7 @@
driver = "overlay" driver = "overlay"
# Temporary storage location # Temporary storage location
runroot = "/var/run/containers/storage" runroot = "/run/containers/storage"
# Primary Read/Write location of container storage # Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage" graphroot = "/var/lib/containers/storage"