rpms/containers-common
7
0
Fork 0
Code Issues Pull Requests Releases Activity

containers-common-4:1-21

Browse Source 
- fetch latest upstream configs

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This commit is contained in:
Lokesh Mandvekar 2021-06-29 11:12:36 -04:00
parent 1a7468a695
commit abac6aa948
4 changed files with 306 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
containers-common.spec
View File

@ -15,7 +15,7 @@
Epoch: 4
Name: containers-common
Version: 1
Release: 20%{?dist}
Release: 21%{?dist}
Summary: Common configuration and documentation for containers
License: ASL 2.0
BuildArch: noarch
@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/*
%changelog
* Tue Jun 29 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-21
- fetch latest upstream configs
* Thu Jun 10 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-20
- Update to grab latest man pages and configuration files, also switch to using some main rather then master branches

180
containers.conf
View File

@ -16,30 +16,16 @@
[containers]
# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
# List of annotation. Specified as
# "key = value"
# If it is empty or commented out, no annotations will be added
#
# devices = []
# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []
# annotations = []
# Used to change the name of the default AppArmor profile of container engine.
#
# apparmor_profile = "container-default"
# List of annotation. Specified as
# "key=value"
# If it is empty or commented out, no annotations will be added
#
# annotations = []
# Default way to to create a cgroup namespace for the container
# Options are:
# `private` Create private Cgroup Namespace for the container.
@ -93,6 +79,13 @@ default_sysctls = [
# "nofile=1280:2560",
# ]
# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
#
# devices = []
# List of default DNS options to be added to /etc/resolv.conf inside of the container.
#
# dns_options = []
@ -185,10 +178,6 @@ log_driver = "journald"
#
# no_hosts = false
# Maximum number of processes allowed in a container.
#
# pids_limit = 2048
# Default way to to create a PID namespace for the container
# Options are:
# `private` Create private PID Namespace for the container.
@ -196,8 +185,12 @@ log_driver = "journald"
#
# pidns = "private"
# Maximum number of processes allowed in a container.
#
# pids_limit = 2048
# Indicates the networking to be used for rootless containers
# rootless_networking="slirp4netns"
# rootless_networking = "slirp4netns"
# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime.
@ -218,14 +211,7 @@ log_driver = "journald"
# Set umask inside the container
#
# umask="0022"
# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
# `host` Share host UTS Namespace with the container.
#
# utsns = "private"
# umask = "0022"
# Default way to to create a User namespace for the container
# Options are:
@ -238,7 +224,21 @@ log_driver = "journald"
# UIDs are allocated from the "container" UIDs listed in
# /etc/subuid & /etc/subgid
#
# userns_size=65536
# userns_size = 65536
# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
# `host` Share host UTS Namespace with the container.
#
# utsns = "private"
# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []
# The network table contains settings pertaining to the management of
# CNI plugins.
@ -263,14 +263,8 @@ log_driver = "journald"
# network_config_dir = "/etc/cni/net.d/"
[engine]
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies=0
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""
# Index to the active service
# active_service = production
# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
@ -328,10 +322,19 @@ log_driver = "journald"
# "/usr/share/containers/oci/hooks.d",
# ]
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""
# Default transport method for pulling and pushing for images
#
# image_default_transport = "docker://"
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies = 0
# Default command to run the infra container
#
# infra_command = "/pause"
@ -354,7 +357,7 @@ log_driver = "journald"
# Indicates if Podman is running inside a VM via Podman Machine.
# Podman uses this value to do extra setup around networking from the
# container inside the VM to to host.
# machine_enabled=false
# machine_enabled = false
# MultiImageArchive - if true, the container engine allows for storing archives
# (e.g., of the docker-archive transport) with multiple images. By default,
@ -373,12 +376,12 @@ log_driver = "journald"
# Path to the slirp4netns binary
#
# network_cmd_path=""
# network_cmd_path = ""
# Default options to pass to the slirp4netns binary.
# For example "allow_host_loopback=true"
#
# network_cmd_options=[]
# network_cmd_options = []
# Whether to use chroot instead of pivot_root in the runtime
#
@ -398,6 +401,23 @@ log_driver = "journald"
# `podman --remote=true` for access to the remote Podman service.
# remote = false
# Default OCI runtime
#
# runtime = "crun"
# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata", "runsc"]
# List of the OCI runtimes that supports running containers with KVM Separation.
#
# runtime_supports_kvm = ["kata"]
# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]
# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
@ -405,6 +425,22 @@ log_driver = "journald"
#
# static_dir = "/var/lib/containers/storage/libpod"
# Number of seconds to wait for container to exit before sending kill signal.
# stop_timeout = 10
# map of service destinations
# [service_destinations]
# [service_destinations.production]
# URI to access the Podman service
# Examples:
# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
# rootfull "unix://run/podman/podman.sock (Default)
# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"
# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/run/libpod"
@ -416,42 +452,6 @@ log_driver = "journald"
#
# volume_path = "/var/lib/containers/storage/volumes"
# Default OCI runtime
#
# runtime = "crun"
# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata", "runsc"]
# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]
# List of the OCI runtimes that supports running containers with KVM Separation.
#
# runtime_supports_kvm = ["kata"]
# Number of seconds to wait for container to exit before sending kill signal.
# stop_timeout = 10
# Index to the active service
# active_service = production
# map of service destinations
# [service_destinations]
# [service_destinations.production]
# URI to access the Podman service
# Examples:
# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
# rootfull "unix://run/podman/podman.sock (Default)
# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"
# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
[engine.runtimes]
# crun = [
@ -464,16 +464,6 @@ log_driver = "journald"
# "/run/current-system/sw/bin/crun",
# ]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# kata = [
# "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime",
@ -485,6 +475,16 @@ log_driver = "journald"
# "/usr/bin/kata-fc",
# ]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# runsc = [
# "/usr/bin/runsc",
# "/usr/sbin/runsc",
@ -505,7 +505,7 @@ log_driver = "journald"
# main config.
[secret]
# driver="file"
# driver = "file"
[secret.opts]
# root = "/example/directory"

39
containers.conf.5.md
View File

@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses
a TOML format that can be easily modified and versioned.
Container engines read the /usr/share/containers/containers.conf and
/etc/containers/containers.conf files if they exists. When running in rootless
mode, they also read $HOME/.config/containers/containers.conf files.
/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files
if they exist. When running in rootless mode, they also read
$HOME/.config/containers/containers.conf and
$HOME/.config/containers/containers.conf.d/*.conf files.
Fields specified in containers conf override the default options, as well as
options in previously read containers.conf files.
Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`.
Not all options are supported in all container engines.
Note container engines also use other configuration files for configuring the environment.
@ -302,10 +306,6 @@ The `engine` table contains configuration options used to set up container engin
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
**cgroup_check**=false
CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
**cgroup_manager**="systemd"
The cgroup management implementation used for the runtime. Supports `cgroupfs`
@ -463,14 +463,14 @@ on the system using the priority: "crun", "runc", "kata".
The list of the OCI runtimes that support `--format=json`.
**runtime_supports_nocgroups**=["crun"]
The list of OCI runtimes that support running containers without CGroups.
**runtime_supports_kvm**=["kata"]
The list of OCI runtimes that support running containers with KVM separation.
**runtime_supports_nocgroups**=["crun"]
The list of OCI runtimes that support running containers without CGroups.
**static_dir**="/var/lib/containers/storage/libpod"
Directory for persistent libpod files (database, etc).
@ -486,6 +486,14 @@ Number of seconds to wait for container to exit before sending kill signal.
The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot).
**volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume
driver.
By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.
## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -504,14 +512,6 @@ URI to access the Podman service
Path to file containing ssh identity key
**volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume
driver.
By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.
**[engine.volume_plugins]**
A table of all the enabled volume plugins on the system. Volume plugins can be
@ -542,8 +542,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to
define default container configuration. Administrators can override fields in
this file by creating `/etc/containers/containers.conf` to specify their own
configuration. Rootless users can further override fields in the config by
creating a config file stored in the
`$HOME/.config/containers/containers.conf` file.
creating a config file stored in the `$HOME/.config/containers/containers.conf` file.
If the `CONTAINERS_CONF` path environment variable is set, just
this path will be used. This is primarily used for testing.

200
seccomp.json
View File

@ -1,5 +1,6 @@
{
"defaultAction": "SCMP_ACT_ERRNO",
"defaultErrnoRet": 38,
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
@ -50,6 +51,44 @@
}
],
"syscalls": [
{
"names": [
"bdflush",
"io_pgetevents",
"kexec_file_load",
"kexec_load",
"migrate_pages",
"move_pages",
"nfsservctl",
"nice",
"oldfstat",
"oldlstat",
"oldolduname",
"oldstat",
"olduname",
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"sgetmask",
"ssetmask",
"swapcontext",
"swapoff",
"swapon",
"sysfs",
"uselib",
"userfaultfd",
"ustat",
"vm86",
"vm86old",
"vmsplice"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {},
"errnoRet": 1
},
{
"names": [
"_llseek",
@ -76,6 +115,7 @@
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"clone3",
"close",
"close_range",
"connect",
@ -149,6 +189,7 @@
"getgroups",
"getgroups32",
"getitimer",
"get_mempolicy",
"getpeername",
"getpgid",
"getpgrp",
@ -199,6 +240,7 @@
"lstat",
"lstat64",
"madvise",
"mbind",
"memfd_create",
"mincore",
"mkdir",
@ -244,6 +286,9 @@
"pipe",
"pipe2",
"pivot_root",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll",
"ppoll",
"ppoll_time64",
@ -259,6 +304,7 @@
"pwritev2",
"read",
"readahead",
"readdir",
"readlink",
"readlinkat",
"readv",
@ -275,6 +321,7 @@
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
@ -311,6 +358,7 @@
"sendmsg",
"sendto",
"setns",
"set_mempolicy",
"set_robust_list",
"set_thread_area",
"set_tid_address",
@ -373,6 +421,7 @@
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timer_settime64",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
@ -588,6 +637,21 @@
},
"excludes": {}
},
{
"names": [
"open_by_handle_at"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_DAC_READ_SEARCH"
]
},
"errnoRet": 1
},
{
"names": [
"bpf",
@ -609,6 +673,28 @@
},
"excludes": {}
},
{
"names": [
"bpf",
"fanotify_init",
"lookup_dcookie",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
"setns"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
]
},
"errnoRet": 1
},
{
"names": [
"chroot"
@ -623,6 +709,21 @@
},
"excludes": {}
},
{
"names": [
"chroot"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_CHROOT"
]
},
"errnoRet": 1
},
{
"names": [
"delete_module",
@ -642,19 +743,21 @@
},
{
"names": [
"get_mempolicy",
"mbind",
"set_mempolicy"
"delete_module",
"init_module",
"finit_module",
"query_module"
],
"action": "SCMP_ACT_ALLOW",
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_NICE"
"CAP_SYS_MODULE"
]
},
"excludes": {}
"errnoRet": 1
},
{
"names": [
@ -670,6 +773,21 @@
},
"excludes": {}
},
{
"names": [
"acct"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_PACCT"
]
},
"errnoRet": 1
},
{
"names": [
"kcmp",
@ -688,6 +806,25 @@
},
"excludes": {}
},
{
"names": [
"kcmp",
"process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_PTRACE"
]
},
"errnoRet": 1
},
{
"names": [
"iopl",
@ -703,6 +840,22 @@
},
"excludes": {}
},
{
"names": [
"iopl",
"ioperm"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_RAWIO"
]
},
"errnoRet": 1
},
{
"names": [
"settimeofday",
@ -720,6 +873,24 @@
},
"excludes": {}
},
{
"names": [
"settimeofday",
"stime",
"clock_settime",
"clock_settime64"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_TIME"
]
},
"errnoRet": 1
},
{
"names": [
"vhangup"
@ -734,6 +905,21 @@
},
"excludes": {}
},
{
"names": [
"vhangup"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_TTY_CONFIG"
]
},
"errnoRet": 1
},
{
"names": [
"socket"