From a0c17419b45e26d201ed074651edf789a1153901 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 21 Oct 2021 09:51:45 -0400 Subject: [PATCH] Update to grab latest man pages and configuration files --- Containerfile.5.md | 60 +++++++++++++++++++++++++++++++++--- containers-common.spec | 5 ++- containers-storage.conf.5.md | 19 ++++++++++-- 3 files changed, 77 insertions(+), 7 deletions(-) diff --git a/Containerfile.5.md b/Containerfile.5.md index 42f7849..de728c2 100644 --- a/Containerfile.5.md +++ b/Containerfile.5.md @@ -61,8 +61,10 @@ A Containerfile is similar to a Makefile. `FROM image@digest` -- The **FROM** instruction sets the base image for subsequent instructions. A - valid Containerfile must have **FROM** as its first instruction. The image can be any - valid image. It is easy to start by pulling an image from the public + valid Containerfile must have either **ARG** or *FROM** as its first instruction. + If **FROM** is not the first instruction in the file, it may only be preceded by + one or more ARG instructions, which declare arguments that are used in the next FROM line in the Containerfile. + The image can be any valid image. It is easy to start by pulling an image from the public repositories. -- **FROM** must appear at least once in the Containerfile. 
@@ -94,14 +96,64 @@ A Containerfile is similar to a Makefile. # Executable form RUN ["executable", "param1", "param2"] ``` +**RUN mounts** -**RUN Secrets* +**--mount**=*type=TYPE,TYPE-SPECIFIC-OPTION[,...]* + +Attach a filesystem mount to the container + +Current supported mount TYPES are bind, cache, secret and tmpfs. + + e.g. + + mount=type=bind,source=/path/on/host,destination=/path/in/container + + mount=type=tmpfs,tmpfs-size=512M,destination=/path/in/container + + mount=type=secret,id=mysecret cat /run/secrets/mysecret + + Common Options: + + · src, source: mount source spec for bind and volume. Mandatory for bind. + + · dst, destination, target: mount destination spec. + + · ro, read-only: true or false (default). + + Options specific to bind: + + · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2). + + . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive. + + Options specific to tmpfs: + + · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. + + · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. + + · tmpcopyup: Path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself. + + Options specific to cache: + + · id: Create a separate cache directory for a particular id. + + · mode: File mode for new cache directory in octal. Default 0755. + + · ro, readonly: read only cache if set. + + · uid: uid for cache directory. + + · gid: gid for cache directory. + + +**RUN Secrets** The RUN command has a feature to allow the passing of secret information into the image build. These secrets files can be used during the RUN command but are not committed to the final image. The `RUN` command supports the `--mount` option to identify the secret file. A secret file from the host is mounted into the container while the image is being built. 
Container engines pass secret the secret file into the build using the `--secret` flag. -**RUN --mount* options: +**--mount**=*type=secret,TYPE-SPECIFIC-OPTION[,...]* - `id` is the identifier to for the secret passed into the `buildah bud --secret` or `podman build --secret`. This identifier is associated with the RUN --mount identifier to use in the Containerfile. diff --git a/containers-common.spec b/containers-common.spec index c2c909b..30da556 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -16,7 +16,7 @@ Epoch: 4 Name: containers-common Version: 1 -Release: 33%{?dist} +Release: 34%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 BuildArch: noarch @@ -161,6 +161,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret %{_datadir}/rhel/secrets/* %changelog +* Thu Oct 21 2021 Dan Walsh - 4:1-34 +- Update to grab latest man pages and configuration files + * Fri Oct 1 2021 Dan Walsh - 4:1-33 - Update to grab latest man pages and configuration files diff --git a/containers-storage.conf.5.md b/containers-storage.conf.5.md index df79b61..1f81de8 100644 --- a/containers-storage.conf.5.md +++ b/containers-storage.conf.5.md @@ -42,9 +42,17 @@ The `storage` table supports the following options: the labeling matches the default locations labels with the following commands: - # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH - # restorecon -R -v /NEWSTORAGEPATH +``` +# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH +# restorecon -R -v /NEWSTORAGEPATH +``` + In Rootless Mode you would set + +``` +# semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH +$ restorecon -R -v /NEWSTORAGEPATH +``` **rootless_storage_path**="$HOME/.local/share/containers/storage" Storage path for rootless users. By default the graphroot for rootless users is set to `$XDG_DATA_HOME/containers/storage`, if XDG_DATA_HOME is set. 
@@ -265,6 +273,13 @@ semanage fcontext -a -e /var/lib/containers NEWSTORAGEPATH restorecon -R -v NEWSTORAGEPATH ``` +In rootless mode, you would set + +``` +semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH +restorecon -R -v NEWSTORAGEPATH +``` + The semanage command above tells SELinux to setup the default labeling of `NEWSTORAGEPATH` to match `/var/lib/containers`. The `restorecon` command tells SELinux to apply the labels to the actual content. Now all new content created in these directories will automatically be created with the correct label.
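Review bot: In the Containerfile.5.md hunk at `@@ -61,8 +61,10 @@`, the markdown is broken on the added line `valid Containerfile must have either **ARG** or *FROM** as its first instruction.`: `*FROM**` has a missing leading asterisk and will render as a stray asterisk followed by bold, so it should read `**FROM**`. For consistency with the rest of the paragraph, the bare `ARG` in `one or more ARG instructions` should also be set as `**ARG**`.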
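Review bot: In the Containerfile.5.md hunk at `@@ -94,14 +96,64 @@`, the new "RUN mounts" option list is internally inconsistent and should be tidied before it ships as a man page. The common options document `ro, read-only: true or false (default).` while the cache options document `ro, readonly: read only cache if set.`; the two spellings should agree with what the parser actually accepts. The line `src, source: mount source spec for bind and volume. Mandatory for bind.` mentions a `volume` type, but the sentence above it says `Current supported mount TYPES are bind, cache, secret and tmpfs.`, so either the list or the option text is wrong. The `bind-nonrecursive` bullet uses `.` where every other bullet uses `·`. The three examples are not complete instructions; `mount=type=secret,id=mysecret cat /run/secrets/mysecret` only makes sense as `RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret`, and the bind and tmpfs examples should likewise be prefixed with `RUN --`. Since `ro` defaults to false, it would help readers to state explicitly that a `type=bind` mount of a host path is writable by the build step unless `ro=true` is given, so a RUN line can modify content on the host; that is the one property of this feature a user most needs to know before using it. Finally, the unchanged context line `Container engines pass secret the secret file into the build using the` carries a stray "secret" and could be fixed to "pass the secret file" while this section is being reworked.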
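Review bot: In the containers-storage.conf.5.md hunk at `@@ -42,9 +42,17 @@`, the added rootless example is not consistent with the root example directly above it or with itself. The two added lines `# semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH` and `$ restorecon -R -v /NEWSTORAGEPATH` name the new path once without and once with a leading slash, and switch from a `#` prompt to a `$` prompt mid-example; pick one form of the path and say which command needs root. Because `semanage` runs as root, `$HOME` in that command expands to root's home directory (or whatever the privileged shell sets it to), not the rootless user's, so the equivalence rule would be created for the wrong source path; the example should spell out the user's home directory or note that `$HOME` must be the unprivileged user's home. The root example above uses `/var/lib/containers/storage` as the equivalence source, and the option documented right below this hunk is `**rootless_storage_path**="$HOME/.local/share/containers/storage"`, so the rootless source path should probably be `$HOME/.local/share/containers/storage` to mirror it rather than the parent directory.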
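Review bot: In the containers-storage.conf.5.md hunk at `@@ -265,6 +273,13 @@`, the inserted rootless example makes the following explanation stale: the unchanged paragraph starts `The semanage command above tells SELinux to setup the default labeling of NEWSTORAGEPATH to match /var/lib/containers`, but the command now immediately "above" it is `semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH`, which matches `$HOME/.local/share/containers` instead. The paragraph should be reworded to cover both the root and the rootless equivalence rules. This example also differs from the rootless example added earlier in the same patch (no prompts, no leading slash on `NEWSTORAGEPATH`, parent directory rather than `.../storage`); the two sections of the man page should show the same commands.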