From abac6aa9480fe26dcc2a4fec8cb072f3a7bf96b4 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Tue, 29 Jun 2021 11:12:36 -0400 Subject: [PATCH] containers-common-4:1-21 - fetch latest upstream configs Signed-off-by: Lokesh Mandvekar --- containers-common.spec | 5 +- containers.conf | 180 ++++++++++++++++++------------------- containers.conf.5.md | 39 ++++---- seccomp.json | 200 +++++++++++++++++++++++++++++++++++++++-- 4 files changed, 306 insertions(+), 118 deletions(-) diff --git a/containers-common.spec b/containers-common.spec index c21de77..f327b96 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -15,7 +15,7 @@ Epoch: 4 Name: containers-common Version: 1 -Release: 20%{?dist} +Release: 21%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 BuildArch: noarch @@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret %{_datadir}/rhel/secrets/* %changelog +* Tue Jun 29 2021 Lokesh Mandvekar - 4:1-21 +- fetch latest upstream configs + * Thu Jun 10 2021 Dan Walsh - 4:1-20 - Update to grab latest man pages and configuration files, also switch to using some main rather then master branches diff --git a/containers.conf b/containers.conf index 10935c2..e24dee6 100644 --- a/containers.conf +++ b/containers.conf 
@@ -16,30 +16,16 @@ [containers] -# List of devices. Specified as -# "::", for example: -# "/dev/sdc:/dev/xvdc:rwm". -# If it is empty or commented out, only the default devices will be used +# List of annotation. Specified as +# "key = value" +# If it is empty or commented out, no annotations will be added # -# devices = [] - -# List of volumes. Specified as -# "::", for example: -# "/db:/var/lib/db:ro". -# If it is empty or commented out, no volumes will be added -# -# volumes = [] +# annotations = [] # Used to change the name of the default AppArmor profile of container engine. # # apparmor_profile = "container-default" -# List of annotation. Specified as -# "key=value" -# If it is empty or commented out, no annotations will be added -# -# annotations = [] - # Default way to to create a cgroup namespace for the container # Options are: # `private` Create private Cgroup Namespace for the container. @@ -93,6 +79,13 @@ default_sysctls = [ # "nofile=1280:2560", # ] +# List of devices. Specified as +# "::", for example: +# "/dev/sdc:/dev/xvdc:rwm". +# If it is empty or commented out, only the default devices will be used +# +# devices = [] + # List of default DNS options to be added to /etc/resolv.conf inside of the container. # # dns_options = [] @@ -185,10 +178,6 @@ log_driver = "journald" # # no_hosts = false -# Maximum number of processes allowed in a container. -# -# pids_limit = 2048 - # Default way to to create a PID namespace for the container # Options are: # `private` Create private PID Namespace for the container. @@ -196,8 +185,12 @@ log_driver = "journald" # # pidns = "private" +# Maximum number of processes allowed in a container. +# +# pids_limit = 2048 + # Indicates the networking to be used for rootless containers -# rootless_networking="slirp4netns" +# rootless_networking = "slirp4netns" # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. 
@@ -218,14 +211,7 @@ log_driver = "journald" # Set umask inside the container # -# umask="0022" - -# Default way to to create a UTS namespace for the container -# Options are: -# `private` Create private UTS Namespace for the container. -# `host` Share host UTS Namespace with the container. -# -# utsns = "private" +# umask = "0022" # Default way to to create a User namespace for the container # Options are: @@ -238,7 +224,21 @@ log_driver = "journald" # UIDs are allocated from the "container" UIDs listed in # /etc/subuid & /etc/subgid # -# userns_size=65536 +# userns_size = 65536 + +# Default way to to create a UTS namespace for the container +# Options are: +# `private` Create private UTS Namespace for the container. +# `host` Share host UTS Namespace with the container. +# +# utsns = "private" + +# List of volumes. Specified as +# "::", for example: +# "/db:/var/lib/db:ro". +# If it is empty or commented out, no volumes will be added +# +# volumes = [] # The network table contains settings pertaining to the management of # CNI plugins. @@ -263,14 +263,8 @@ log_driver = "journald" # network_config_dir = "/etc/cni/net.d/" [engine] -# Maximum number of image layers to be copied (pulled/pushed) simultaneously. -# Not setting this field, or setting it to zero, will fall back to containers/image defaults. -# image_parallel_copies=0 - -# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building -# container images. By default image pulled and pushed match the format of the -# source image. Building/committing defaults to OCI. -# image_default_format = "" +# Index to the active service +# active_service = production # Cgroup management implementation used for the runtime. # Valid options "systemd" or "cgroupfs" 
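Review bot: The relocated example `# active_service = production` is not valid TOML if a user uncomments it, because `production` is a bare word rather than a quoted string; the man page updated in this same patch describes containers.conf as TOML, so the line should read `# active_service = "production"`. The `[service_destinations.production]` table it refers to is shown in a later hunk of this file, so the two examples should agree.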
@@ -328,10 +322,19 @@ log_driver = "journald" # "/usr/share/containers/oci/hooks.d", # ] +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/committing defaults to OCI. +# image_default_format = "" + # Default transport method for pulling and pushing for images # # image_default_transport = "docker://" +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# image_parallel_copies = 0 + # Default command to run the infra container # # infra_command = "/pause" @@ -354,7 +357,7 @@ log_driver = "journald" # Indicates if Podman is running inside a VM via Podman Machine. # Podman uses this value to do extra setup around networking from the # container inside the VM to to host. -# machine_enabled=false +# machine_enabled = false # MultiImageArchive - if true, the container engine allows for storing archives # (e.g., of the docker-archive transport) with multiple images. By default, @@ -373,12 +376,12 @@ log_driver = "journald" # Path to the slirp4netns binary # -# network_cmd_path="" +# network_cmd_path = "" # Default options to pass to the slirp4netns binary. # For example "allow_host_loopback=true" # -# network_cmd_options=[] +# network_cmd_options = [] # Whether to use chroot instead of pivot_root in the runtime # 
@@ -398,6 +401,23 @@ log_driver = "journald" # `podman --remote=true` for access to the remote Podman service. # remote = false +# Default OCI runtime +# +# runtime = "crun" + +# List of the OCI runtimes that support --format=json. When json is supported +# engine will use it for reporting nicer errors. +# +# runtime_supports_json = ["crun", "runc", "kata", "runsc"] + +# List of the OCI runtimes that supports running containers with KVM Separation. +# +# runtime_supports_kvm = ["kata"] + +# List of the OCI runtimes that supports running containers without cgroups. +# +# runtime_supports_nocgroups = ["crun"] + # Directory for persistent engine files (database, etc) # By default, this will be configured relative to where the containers/storage # stores containers @@ -405,6 +425,22 @@ log_driver = "journald" # # static_dir = "/var/lib/containers/storage/libpod" +# Number of seconds to wait for container to exit before sending kill signal. +# stop_timeout = 10 + +# map of service destinations +# [service_destinations] +# [service_destinations.production] +# URI to access the Podman service +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootfull "unix://run/podman/podman.sock (Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock +# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# Path to file containing ssh identity key +# identity = "~/.ssh/id_rsa" + # Directory for temporary files. Must be tmpfs (wiped after reboot) # # tmp_dir = "/run/libpod" 
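Review bot: In the relocated service_destinations example, `# rootfull "unix://run/podman/podman.sock (Default)` is missing its closing quote; the rootless line above it closes the string before `(Default)`, so this one should read `# rootfull "unix://run/podman/podman.sock" (Default)`. The `identity = "~/.ssh/id_rsa"` example also relies on `~` being expanded, which TOML itself does not do; if the engine expands it, a short comment saying so would save readers from guessing, and if it does not, the example should use an absolute path.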
@@ -416,42 +452,6 @@ log_driver = "journald" # # volume_path = "/var/lib/containers/storage/volumes" -# Default OCI runtime -# -# runtime = "crun" - -# List of the OCI runtimes that support --format=json. When json is supported -# engine will use it for reporting nicer errors. -# -# runtime_supports_json = ["crun", "runc", "kata", "runsc"] - -# List of the OCI runtimes that supports running containers without cgroups. -# -# runtime_supports_nocgroups = ["crun"] - -# List of the OCI runtimes that supports running containers with KVM Separation. -# -# runtime_supports_kvm = ["kata"] - -# Number of seconds to wait for container to exit before sending kill signal. -# stop_timeout = 10 - -# Index to the active service -# active_service = production - -# map of service destinations -# [service_destinations] -# [service_destinations.production] -# URI to access the Podman service -# Examples: -# rootless "unix://run/user/$UID/podman/podman.sock" (Default) -# rootfull "unix://run/podman/podman.sock (Default) -# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock -# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock -# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock" -# Path to file containing ssh identity key -# identity = "~/.ssh/id_rsa" - # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc) [engine.runtimes] # crun = [ @@ -464,16 +464,6 @@ log_driver = "journald" # "/run/current-system/sw/bin/crun", # ] -# runc = [ -# "/usr/bin/runc", -# "/usr/sbin/runc", -# "/usr/local/bin/runc", -# "/usr/local/sbin/runc", -# "/sbin/runc", -# "/bin/runc", -# "/usr/lib/cri-o-runc/sbin/runc", -# ] - # kata = [ # "/usr/bin/kata-runtime", # "/usr/sbin/kata-runtime", 
@@ -485,6 +475,16 @@ log_driver = "journald" # "/usr/bin/kata-fc", # ] +# runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +# ] + # runsc = [ # "/usr/bin/runsc", # "/usr/sbin/runsc", @@ -505,7 +505,7 @@ log_driver = "journald" # main config. [secret] -# driver="file" +# driver = "file" [secret.opts] # root = "/example/directory" diff --git a/containers.conf.5.md b/containers.conf.5.md index dbf306f..64b5bf4 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md @@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses a TOML format that can be easily modified and versioned. Container engines read the /usr/share/containers/containers.conf and -/etc/containers/containers.conf files if they exists. When running in rootless -mode, they also read $HOME/.config/containers/containers.conf files. +/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files +if they exist. When running in rootless mode, they also read +$HOME/.config/containers/containers.conf and +$HOME/.config/containers/containers.conf.d/*.conf files. Fields specified in containers conf override the default options, as well as options in previously read containers.conf files. +Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`. + Not all options are supported in all container engines. Note container engines also use other configuration files for configuring the environment. 
@@ -302,10 +306,6 @@ The `engine` table contains configuration options used to set up container engin Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below. -**cgroup_check**=false - -CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2. - **cgroup_manager**="systemd" The cgroup management implementation used for the runtime. Supports `cgroupfs` @@ -463,14 +463,14 @@ on the system using the priority: "crun", "runc", "kata". The list of the OCI runtimes that support `--format=json`. -**runtime_supports_nocgroups**=["crun"] - -The list of OCI runtimes that support running containers without CGroups. - **runtime_supports_kvm**=["kata"] The list of OCI runtimes that support running containers with KVM separation. +**runtime_supports_nocgroups**=["crun"] + +The list of OCI runtimes that support running containers without CGroups. + **static_dir**="/var/lib/containers/storage/libpod" Directory for persistent libpod files (database, etc). @@ -486,6 +486,14 @@ Number of seconds to wait for container to exit before sending kill signal. The path to a temporary directory to store per-boot container. Must be a tmpfs (wiped after reboot). +**volume_path**="/var/lib/containers/storage/volumes" + +Directory where named volumes will be created in using the default volume +driver. +By default this will be configured relative to where containers/storage store +containers. This convention is followed by the default volume driver, but may +not be by other drivers. + ## SERVICE DESTINATION TABLE The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. 
@@ -504,14 +512,6 @@ URI to access the Podman service Path to file containing ssh identity key -**volume_path**="/var/lib/containers/storage/volumes" - -Directory where named volumes will be created in using the default volume -driver. -By default this will be configured relative to where containers/storage store -containers. This convention is followed by the default volume driver, but may -not be by other drivers. - **[engine.volume_plugins]** A table of all the enabled volume plugins on the system. Volume plugins can be @@ -542,8 +542,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to define default container configuration. Administrators can override fields in this file by creating `/etc/containers/containers.conf` to specify their own configuration. Rootless users can further override fields in the config by -creating a config file stored in the -`$HOME/.config/containers/containers.conf` file. +creating a config file stored in the `$HOME/.config/containers/containers.conf` file. If the `CONTAINERS_CONF` path environment variable is set, just this path will be used. This is primarily used for testing. diff --git a/seccomp.json b/seccomp.json index 6c10b20..af28b62 100644 --- a/seccomp.json +++ b/seccomp.json @@ -1,5 +1,6 @@ { "defaultAction": "SCMP_ACT_ERRNO", + "defaultErrnoRet": 38, "archMap": [ { "architecture": "SCMP_ARCH_X86_64", 
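Review bot: The added `"defaultErrnoRet": 38` changes what an unlisted syscall returns, from the OCI-spec default of EPERM to errno 38, which is ENOSYS on Linux, and nothing in the patch records that behaviour change. JSON has no comments, so the place for it is the package changelog or the man page, for example `- seccomp.json: unlisted syscalls now fail with ENOSYS (defaultErrnoRet 38) instead of EPERM`. The usual reason for ENOSYS is that libc then treats the call as unsupported by the kernel and falls back to an older syscall where one exists, which is presumably the intent here. A runtime whose seccomp loader predates this field may ignore or reject it, so the runtime versions this package is meant to pair with are worth confirming.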
@@ -50,6 +51,44 @@ } ], "syscalls": [ + { + "names": [ + "bdflush", + "io_pgetevents", + "kexec_file_load", + "kexec_load", + "migrate_pages", + "move_pages", + "nfsservctl", + "nice", + "oldfstat", + "oldlstat", + "oldolduname", + "oldstat", + "olduname", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "sgetmask", + "ssetmask", + "swapcontext", + "swapoff", + "swapon", + "sysfs", + "uselib", + "userfaultfd", + "ustat", + "vm86", + "vm86old", + "vmsplice" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": {}, + "errnoRet": 1 + }, { "names": [ "_llseek", @@ -76,6 +115,7 @@ "clock_nanosleep", "clock_nanosleep_time64", "clone", + "clone3", "close", "close_range", "connect", @@ -149,6 +189,7 @@ "getgroups", "getgroups32", "getitimer", + "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -199,6 +240,7 @@ "lstat", "lstat64", "madvise", + "mbind", "memfd_create", "mincore", "mkdir", @@ -244,6 +286,9 @@ "pipe", "pipe2", "pivot_root", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -259,6 +304,7 @@ "pwritev2", "read", "readahead", + "readdir", "readlink", "readlinkat", "readv", @@ -275,6 +321,7 @@ "renameat2", "restart_syscall", "rmdir", + "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", @@ -311,6 +358,7 @@ "sendmsg", "sendto", "setns", + "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -373,6 +421,7 @@ "timer_gettime", "timer_gettime64", "timer_settime", + "timer_settime64", "timerfd_create", "timerfd_gettime", "timerfd_gettime64", @@ -588,6 +637,21 @@ }, "excludes": {} }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "errnoRet": 1 + }, { "names": [ "bpf", 
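Review bot: The new rule denies 28 syscalls with `"errnoRet": 1` (EPERM) even though the profile's default is now errno 38, and its `"comment": ""` leaves the reason unstated; the same empty comment appears on every ERRNO rule added later in this file (the CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_TIME and CAP_SYS_TTY_CONFIG rules). Presumably these calls are pinned to EPERM so that a deliberate denial is not mistaken for a kernel that lacks the syscall; if so, `"comment": "Deliberately denied with EPERM rather than the ENOSYS default so callers do not treat the denial as missing kernel support"` on this rule, and a one-line comment naming the governing capability on each of the others, would make the profile self-explaining.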
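Review bot: `clone3` is added to the unconditional allow list beside `clone`, but a seccomp filter can only compare scalar arguments, and clone3 receives its flags through a `struct clone_args` pointer. If this profile restricts the flag argument of `clone` for containers lacking CAP_SYS_ADMIN in a rule outside this diff (the common profiles do), that restriction does not cover clone3, so allowing it unconditionally leaves the flag filter applying only to the legacy entry point. The usual alternative is a rule returning ENOSYS for clone3 so that glibc falls back to clone, e.g. `"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38` alongside the CAP_SYS_ADMIN-excluded rules; worth checking what the upstream profile does here before the package ships.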
@@ -609,6 +673,28 @@ }, "excludes": {} }, + { + "names": [ + "bpf", + "fanotify_init", + "lookup_dcookie", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "errnoRet": 1 + }, { "names": [ "chroot" @@ -623,6 +709,21 @@ }, "excludes": {} }, + { + "names": [ + "chroot" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "errnoRet": 1 + }, { "names": [ "delete_module", @@ -642,19 +743,21 @@ }, { "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy" + "delete_module", + "init_module", + "finit_module", + "query_module" ], - "action": "SCMP_ACT_ALLOW", + "action": "SCMP_ACT_ERRNO", "args": [], "comment": "", - "includes": { + "includes": {}, + "excludes": { "caps": [ - "CAP_SYS_NICE" + "CAP_SYS_MODULE" ] }, - "excludes": {} + "errnoRet": 1 }, { "names": [ @@ -670,6 +773,21 @@ }, "excludes": {} }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "errnoRet": 1 + }, { "names": [ "kcmp", @@ -688,6 +806,25 @@ }, "excludes": {} }, + { + "names": [ + "kcmp", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "errnoRet": 1 + }, { "names": [ "iopl", @@ -703,6 +840,22 @@ }, "excludes": {} }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "errnoRet": 1 + }, { "names": [ "settimeofday", 
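Review bot: The new CAP_SYS_ADMIN rule lists `setns` under `SCMP_ACT_ERRNO`, but `setns` also appears as an unchanged entry in the main allow list earlier in this file (visible as context beside the added `set_mempolicy`). Which rule wins for a container without CAP_SYS_ADMIN depends on how the runtime orders rules when loading them into libseccomp, so the effective policy for setns cannot be read from the file alone; either drop `setns` from this rule or remove it from the unconditional list, whichever matches the intended policy, and record the decision in the rule's `comment`.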
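Review bot: This hunk deletes the rule that allowed `get_mempolicy`, `mbind` and `set_mempolicy` only with CAP_SYS_NICE, and earlier hunks add the same three names to what appears to be the main allow list, so they are now permitted regardless of capabilities; that is a loosening the changelog entry `fetch latest upstream configs` does not mention. The rule that takes its place in this hunk (the CAP_SYS_MODULE ERRNO rule) is unrelated to that change, which makes the loosening easy to miss in review. A changelog line such as `- seccomp.json: get_mempolicy/mbind/set_mempolicy no longer require CAP_SYS_NICE` would record it.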
@@ -720,6 +873,24 @@ }, "excludes": {} }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime", + "clock_settime64" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "errnoRet": 1 + }, { "names": [ "vhangup" @@ -734,6 +905,21 @@ }, "excludes": {} }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "errnoRet": 1 + }, { "names": [ "socket"