Update man pages and config files
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
parent
0c713a7792
commit
8f165a5653
@ -149,20 +149,21 @@ This requirement rejects every image, and every signature.
|
|||||||
|
|
||||||
### `signedBy`
|
### `signedBy`
|
||||||
|
|
||||||
This requirement requires an image to be signed with an expected identity, or accepts a signature if it is using an expected identity and key.
|
This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key.
|
||||||
|
|
||||||
```js
|
```js
|
||||||
{
|
{
|
||||||
"type": "signedBy",
|
"type": "signedBy",
|
||||||
"keyType": "GPGKeys", /* The only currently supported value */
|
"keyType": "GPGKeys", /* The only currently supported value */
|
||||||
"keyPath": "/path/to/local/keyring/file",
|
"keyPath": "/path/to/local/keyring/file",
|
||||||
|
"keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…],
|
||||||
"keyData": "base64-encoded-keyring-data",
|
"keyData": "base64-encoded-keyring-data",
|
||||||
"signedIdentity": identity_requirement
|
"signedIdentity": identity_requirement
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
<!-- Later: other keyType values -->
|
<!-- Later: other keyType values -->
|
||||||
|
|
||||||
Exactly one of `keyPath` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
|
Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
|
||||||
|
|
||||||
The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
|
The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
|
||||||
One of the following alternatives are supported:
|
One of the following alternatives are supported:
|
||||||
@ -236,6 +237,24 @@ used with `exactReference` or `exactRepository`.
|
|||||||
|
|
||||||
<!-- ### `signedBaseLayer` -->
|
<!-- ### `signedBaseLayer` -->
|
||||||
|
|
||||||
|
|
||||||
|
### `sigstoreSigned`
|
||||||
|
|
||||||
|
This requirement requires an image to be signed using a sigstore signature with an expected identity and key.
|
||||||
|
|
||||||
|
```js
|
||||||
|
{
|
||||||
|
"type": "sigstoreSigned",
|
||||||
|
"keyPath": "/path/to/local/keyring/file",
|
||||||
|
"keyData": "base64-encoded-keyring-data",
|
||||||
|
"signedIdentity": identity_requirement
|
||||||
|
}
|
||||||
|
```
|
||||||
|
Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key. Only signatures made by this key is accepted.
|
||||||
|
|
||||||
|
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
|
||||||
|
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
It is *strongly* recommended to set the `default` policy to `reject`, and then
|
It is *strongly* recommended to set the `default` policy to `reject`, and then
|
||||||
@ -255,9 +274,24 @@ selectively allow individual transports and scopes as desired.
|
|||||||
"docker.io/openshift": [{"type": "insecureAcceptAnything"}],
|
"docker.io/openshift": [{"type": "insecureAcceptAnything"}],
|
||||||
/* Similarly, allow installing the “official” busybox images. Note how the fully expanded
|
/* Similarly, allow installing the “official” busybox images. Note how the fully expanded
|
||||||
form, with the explicit /library/, must be used. */
|
form, with the explicit /library/, must be used. */
|
||||||
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}]
|
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}],
|
||||||
/* Allow installing images from all subdomains */
|
/* Allow installing images from all subdomains */
|
||||||
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}]
|
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}],
|
||||||
|
/* A sigstore-signed repository */
|
||||||
|
"hostname:5000/myns/sigstore-signed-with-full-references": [
|
||||||
|
{
|
||||||
|
"type": "sigstoreSigned",
|
||||||
|
"keyPath": "/path/to/sigstore-pubkey.key"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
|
||||||
|
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
|
||||||
|
{
|
||||||
|
"type": "sigstoreSigned",
|
||||||
|
"keyPath": "/path/to/sigstore-pubkey.key",
|
||||||
|
"signedIdentity": {"type": "matchRepository"}
|
||||||
|
}
|
||||||
|
]
|
||||||
/* Other docker: images use the global default policy and are rejected */
|
/* Other docker: images use the global default policy and are rejected */
|
||||||
},
|
},
|
||||||
"dir": {
|
"dir": {
|
||||||
@ -301,7 +335,7 @@ selectively allow individual transports and scopes as desired.
|
|||||||
"signedIdentity": {
|
"signedIdentity": {
|
||||||
"type": "remapIdentity",
|
"type": "remapIdentity",
|
||||||
"prefix": "private-mirror:5000/vendor-mirror",
|
"prefix": "private-mirror:5000/vendor-mirror",
|
||||||
"signedPrefix": "vendor.example.com",
|
"signedPrefix": "vendor.example.com"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -63,25 +63,31 @@ more general scopes is ignored. For example, if _any_ configuration exists for
|
|||||||
|
|
||||||
### Built-in Defaults
|
### Built-in Defaults
|
||||||
|
|
||||||
If no `docker` section can be found for the container image, and no `default-docker` section is configured,
|
If no `docker` section can be found for the container image, and no `default-docker` section is configured:
|
||||||
the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
|
|
||||||
|
- The default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
|
||||||
|
- Sigstore attachments will not be read/written.
|
||||||
|
|
||||||
## Individual Configuration Sections
|
## Individual Configuration Sections
|
||||||
|
|
||||||
A single configuration section is selected for a container image using the process
|
A single configuration section is selected for a container image using the process
|
||||||
described above. The configuration section is a YAML mapping, with the following keys:
|
described above. The configuration section is a YAML mapping, with the following keys:
|
||||||
|
|
||||||
- `sigstore-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
|
<!-- `sigstore` and `sigstore-staging` are deprecated and intentionally not documented here. -->
|
||||||
|
|
||||||
This key is optional; if it is missing, `sigstore` below is used.
|
- `lookaside-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
|
||||||
|
|
||||||
- `sigstore` defines an URL of the signature storage.
|
This key is optional; if it is missing, `lookaside` below is used.
|
||||||
|
|
||||||
|
- `lookaside` defines an URL of the signature storage.
|
||||||
This URL is used for reading existing signatures,
|
This URL is used for reading existing signatures,
|
||||||
and if `sigstore-staging` does not exist, also for adding or removing them.
|
and if `lookaside-staging` does not exist, also for adding or removing them.
|
||||||
|
|
||||||
This key is optional; if it is missing, no signature storage is defined (no signatures
|
This key is optional; if it is missing, no signature storage is defined (no signatures
|
||||||
are download along with images, adding new signatures is possible only if `sigstore-staging` is defined).
|
are download along with images, adding new signatures is possible only if `lookaside-staging` is defined).
|
||||||
|
|
||||||
|
- `use-sigstore-attachments` specifies whether sigstore image attachments (signatures, attestations and the like) are going to be read/written along with the image.
|
||||||
|
If disabled, the images are treated as if no attachments exist; attempts to write attachments fail.
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
@ -92,11 +98,11 @@ The following demonstrates how to to consume and run images from various registr
|
|||||||
```yaml
|
```yaml
|
||||||
docker:
|
docker:
|
||||||
registry.database-supplier.com:
|
registry.database-supplier.com:
|
||||||
sigstore: https://sigstore.database-supplier.com
|
lookaside: https://lookaside.database-supplier.com
|
||||||
distribution.great-middleware.org:
|
distribution.great-middleware.org:
|
||||||
sigstore: https://security-team.great-middleware.org/sigstore
|
lookaside: https://security-team.great-middleware.org/lookaside
|
||||||
docker.io/web-framework:
|
docker.io/web-framework:
|
||||||
sigstore: https://sigstore.web-framework.io:8080
|
lookaside: https://lookaside.web-framework.io:8080
|
||||||
```
|
```
|
||||||
|
|
||||||
### Developing and Signing Containers, Staging Signatures
|
### Developing and Signing Containers, Staging Signatures
|
||||||
@ -110,13 +116,13 @@ For developers in `example.com`:
|
|||||||
```yaml
|
```yaml
|
||||||
docker:
|
docker:
|
||||||
registry.example.com:
|
registry.example.com:
|
||||||
sigstore: https://registry-sigstore.example.com
|
lookaside: https://registry-lookaside.example.com
|
||||||
registry.example.com/mydepartment:
|
registry.example.com/mydepartment:
|
||||||
sigstore: https://sigstore.mydepartment.example.com
|
lookaside: https://lookaside.mydepartment.example.com
|
||||||
sigstore-staging: file:///mnt/mydepartment/sigstore-staging
|
lookaside-staging: file:///mnt/mydepartment/lookaside-staging
|
||||||
registry.example.com/mydepartment/myproject:mybranch:
|
registry.example.com/mydepartment/myproject:mybranch:
|
||||||
sigstore: http://localhost:4242/sigstore
|
lookaside: http://localhost:4242/lookaside
|
||||||
sigstore-staging: file:///home/useraccount/webroot/sigstore
|
lookaside-staging: file:///home/useraccount/webroot/lookaside
|
||||||
```
|
```
|
||||||
|
|
||||||
### A Global Default
|
### A Global Default
|
||||||
@ -126,7 +132,7 @@ without listing each domain individually. This is expected to rarely happen, usu
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
default-docker:
|
default-docker:
|
||||||
sigstore-staging: file:///mnt/company/common-sigstore-staging
|
lookaside-staging: file:///mnt/company/common-lookaside-staging
|
||||||
```
|
```
|
||||||
|
|
||||||
# AUTHORS
|
# AUTHORS
|
||||||
|
@ -74,6 +74,29 @@ The `storage.options` table supports the following options:
|
|||||||
**additionalimagestores**=[]
|
**additionalimagestores**=[]
|
||||||
Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
|
Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
|
||||||
|
|
||||||
|
**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
|
||||||
|
|
||||||
|
Allows specification of how storage is populated when pulling images. This
|
||||||
|
option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks
|
||||||
|
for files within images that are being pulled from a container registry that
|
||||||
|
were previously pulled to the host. It can copy or create
|
||||||
|
a hard link to the existing file when it finds them, eliminating the need to pull them from the
|
||||||
|
container registry. These options can deduplicate pulling of content, disk
|
||||||
|
storage of content and can allow the kernel to use less memory when running
|
||||||
|
containers.
|
||||||
|
|
||||||
|
containers/storage supports four keys
|
||||||
|
* enable_partial_images="true" | "false"
|
||||||
|
Tells containers/storage to look for files previously pulled in storage
|
||||||
|
rather then always pulling them from the container registry.
|
||||||
|
* use_hard_links = "false" | "true"
|
||||||
|
Tells containers/storage to use hard links rather then create new files in
|
||||||
|
the image, if an identical file already existed in storage.
|
||||||
|
* ostree_repos = ""
|
||||||
|
Tells containers/storage where an ostree repository exists that might have
|
||||||
|
previously pulled content which can be used when attempting to avoid
|
||||||
|
pulling content from the container registry
|
||||||
|
|
||||||
**remap-uids=**""
|
**remap-uids=**""
|
||||||
**remap-gids=**""
|
**remap-gids=**""
|
||||||
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
|
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
|
||||||
@ -236,6 +259,9 @@ based file systems.
|
|||||||
**mountopt**=""
|
**mountopt**=""
|
||||||
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
||||||
|
|
||||||
|
**skip_mount_home=""**
|
||||||
|
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
|
||||||
|
|
||||||
**size**=""
|
**size**=""
|
||||||
Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
||||||
|
|
||||||
@ -256,9 +282,6 @@ The `storage.options.zfs` table supports the following options:
|
|||||||
**mountopt**=""
|
**mountopt**=""
|
||||||
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
||||||
|
|
||||||
**skip_mount_home=""**
|
|
||||||
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
|
|
||||||
|
|
||||||
**size**=""
|
**size**=""
|
||||||
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
||||||
|
|
||||||
|
@ -325,6 +325,13 @@ log_driver = "journald"
|
|||||||
#
|
#
|
||||||
#network_config_dir = "/etc/cni/net.d/"
|
#network_config_dir = "/etc/cni/net.d/"
|
||||||
|
|
||||||
|
# Port to use for dns forwarding daemon with netavark in rootful bridge
|
||||||
|
# mode and dns enabled.
|
||||||
|
# Using an alternate port might be useful if other dns services should
|
||||||
|
# run on the machine.
|
||||||
|
#
|
||||||
|
#dns_bind_port = 53
|
||||||
|
|
||||||
[engine]
|
[engine]
|
||||||
# Index to the active service
|
# Index to the active service
|
||||||
#
|
#
|
||||||
|
@ -359,6 +359,13 @@ and "$HOME/.config/cni/net.d" as rootless.
|
|||||||
For the netavark backend "/etc/containers/networks" is used as root
|
For the netavark backend "/etc/containers/networks" is used as root
|
||||||
and "$graphroot/networks" as rootless.
|
and "$graphroot/networks" as rootless.
|
||||||
|
|
||||||
|
**dns_bind_port**=53
|
||||||
|
|
||||||
|
Port to use for dns forwarding daemon with netavark in rootful bridge
|
||||||
|
mode and dns enabled.
|
||||||
|
Using an alternate port might be useful if other dns services should
|
||||||
|
run on the machine.
|
||||||
|
|
||||||
## ENGINE TABLE
|
## ENGINE TABLE
|
||||||
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
||||||
|
|
||||||
|
16
default.yaml
16
default.yaml
@ -1,19 +1,19 @@
|
|||||||
# This is a default registries.d configuration file. You may
|
# This is a default registries.d configuration file. You may
|
||||||
# add to this file or create additional files in registries.d/.
|
# add to this file or create additional files in registries.d/.
|
||||||
#
|
#
|
||||||
# sigstore: indicates a location that is read and write
|
# lookaside: indicates a location that is read and write
|
||||||
# sigstore-staging: indicates a location that is only for write
|
# lookaside-staging: indicates a location that is only for write
|
||||||
#
|
#
|
||||||
# sigstore and sigstore-staging take a value of the following:
|
# lookaside and lookaside-staging take a value of the following:
|
||||||
# sigstore: {schema}://location
|
# lookaside: {schema}://location
|
||||||
#
|
#
|
||||||
# For reading signatures, schema may be http, https, or file.
|
# For reading signatures, schema may be http, https, or file.
|
||||||
# For writing signatures, schema may only be file.
|
# For writing signatures, schema may only be file.
|
||||||
|
|
||||||
# This is the default signature write location for docker registries.
|
# This is the default signature write location for docker registries.
|
||||||
default-docker:
|
default-docker:
|
||||||
# sigstore: file:///var/lib/containers/sigstore
|
# lookaside: file:///var/lib/containers/sigstore
|
||||||
sigstore-staging: file:///var/lib/containers/sigstore
|
lookaside-staging: file:///var/lib/containers/sigstore
|
||||||
|
|
||||||
# The 'docker' indicator here is the start of the configuration
|
# The 'docker' indicator here is the start of the configuration
|
||||||
# for docker registries.
|
# for docker registries.
|
||||||
@ -21,6 +21,6 @@ default-docker:
|
|||||||
# docker:
|
# docker:
|
||||||
#
|
#
|
||||||
# privateregistry.com:
|
# privateregistry.com:
|
||||||
# sigstore: http://privateregistry.com/sigstore/
|
# lookaside: http://privateregistry.com/sigstore/
|
||||||
# sigstore-staging: /mnt/nfs/privateregistry/sigstore
|
# lookaside-staging: /mnt/nfs/privateregistry/sigstore
|
||||||
|
|
||||||
|
@ -228,6 +228,9 @@
|
|||||||
"ipc",
|
"ipc",
|
||||||
"keyctl",
|
"keyctl",
|
||||||
"kill",
|
"kill",
|
||||||
|
"landlock_add_rule",
|
||||||
|
"landlock_create_ruleset",
|
||||||
|
"landlock_restrict_self",
|
||||||
"lchown",
|
"lchown",
|
||||||
"lchown32",
|
"lchown32",
|
||||||
"lgetxattr",
|
"lgetxattr",
|
||||||
|
22
storage.conf
22
storage.conf
@ -40,6 +40,28 @@ graphroot = "/var/lib/containers/storage"
|
|||||||
additionalimagestores = [
|
additionalimagestores = [
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Allows specification of how storage is populated when pulling images. This
|
||||||
|
# option can speed the pulling process of images compressed with format
|
||||||
|
# zstd:chunked. Containers/storage looks for files within images that are being
|
||||||
|
# pulled from a container registry that were previously pulled to the host. It
|
||||||
|
# can copy or create a hard link to the existing file when it finds them,
|
||||||
|
# eliminating the need to pull them from the container registry. These options
|
||||||
|
# can deduplicate pulling of content, disk storage of content and can allow the
|
||||||
|
# kernel to use less memory when running containers.
|
||||||
|
|
||||||
|
# containers/storage supports four keys
|
||||||
|
# * enable_partial_images="true" | "false"
|
||||||
|
# Tells containers/storage to look for files previously pulled in storage
|
||||||
|
# rather then always pulling them from the container registry.
|
||||||
|
# * use_hard_links = "false" | "true"
|
||||||
|
# Tells containers/storage to use hard links rather then create new files in
|
||||||
|
# the image, if an identical file already existed in storage.
|
||||||
|
# * ostree_repos = ""
|
||||||
|
# Tells containers/storage where an ostree repository exists that might have
|
||||||
|
# previously pulled content which can be used when attempting to avoid
|
||||||
|
# pulling content from the container registry
|
||||||
|
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
|
||||||
|
|
||||||
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
|
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
|
||||||
# a container, to the UIDs/GIDs as they should appear outside of the container,
|
# a container, to the UIDs/GIDs as they should appear outside of the container,
|
||||||
# and the length of the range of UIDs/GIDs. Additional mapped sets can be
|
# and the length of the range of UIDs/GIDs. Additional mapped sets can be
|
||||||
|
Loading…
Reference in New Issue
Block a user