containers-common-4:1-21

- fetch latest upstream configs

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Lokesh Mandvekar 2021-06-29 11:12:36 -04:00
parent 1a7468a695
commit abac6aa948
4 changed files with 306 additions and 118 deletions


@ -15,7 +15,7 @@
Epoch: 4 Epoch: 4
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 20%{?dist} Release: 21%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
BuildArch: noarch BuildArch: noarch
@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Tue Jun 29 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-21
- fetch latest upstream configs
* Thu Jun 10 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-20 * Thu Jun 10 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-20
- Update to grab latest man pages and configuration files, also switch to using some main rather then master branches - Update to grab latest man pages and configuration files, also switch to using some main rather then master branches


@ -16,30 +16,16 @@
[containers] [containers]
# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
#
# devices = []
# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []
# Used to change the name of the default AppArmor profile of container engine.
#
# apparmor_profile = "container-default"
# List of annotation. Specified as # List of annotation. Specified as
# "key = value" # "key = value"
# If it is empty or commented out, no annotations will be added # If it is empty or commented out, no annotations will be added
# #
# annotations = [] # annotations = []
# Used to change the name of the default AppArmor profile of container engine.
#
# apparmor_profile = "container-default"
# Default way to to create a cgroup namespace for the container # Default way to to create a cgroup namespace for the container
# Options are: # Options are:
# `private` Create private Cgroup Namespace for the container. # `private` Create private Cgroup Namespace for the container.
@ -93,6 +79,13 @@ default_sysctls = [
# "nofile=1280:2560", # "nofile=1280:2560",
# ] # ]
# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
#
# devices = []
# List of default DNS options to be added to /etc/resolv.conf inside of the container. # List of default DNS options to be added to /etc/resolv.conf inside of the container.
# #
# dns_options = [] # dns_options = []
@ -185,10 +178,6 @@ log_driver = "journald"
# #
# no_hosts = false # no_hosts = false
# Maximum number of processes allowed in a container.
#
# pids_limit = 2048
# Default way to to create a PID namespace for the container # Default way to to create a PID namespace for the container
# Options are: # Options are:
# `private` Create private PID Namespace for the container. # `private` Create private PID Namespace for the container.
@ -196,6 +185,10 @@ log_driver = "journald"
# #
# pidns = "private" # pidns = "private"
# Maximum number of processes allowed in a container.
#
# pids_limit = 2048
# Indicates the networking to be used for rootless containers # Indicates the networking to be used for rootless containers
# rootless_networking = "slirp4netns" # rootless_networking = "slirp4netns"
@ -220,13 +213,6 @@ log_driver = "journald"
# #
# umask = "0022" # umask = "0022"
# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
# `host` Share host UTS Namespace with the container.
#
# utsns = "private"
# Default way to to create a User namespace for the container # Default way to to create a User namespace for the container
# Options are: # Options are:
# `auto` Create unique User Namespace for the container. # `auto` Create unique User Namespace for the container.
@ -240,6 +226,20 @@ log_driver = "journald"
# #
# userns_size = 65536 # userns_size = 65536
# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
# `host` Share host UTS Namespace with the container.
#
# utsns = "private"
# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []
# The network table contains settings pertaining to the management of # The network table contains settings pertaining to the management of
# CNI plugins. # CNI plugins.
@ -263,14 +263,8 @@ log_driver = "journald"
# network_config_dir = "/etc/cni/net.d/" # network_config_dir = "/etc/cni/net.d/"
[engine] [engine]
# Maximum number of image layers to be copied (pulled/pushed) simultaneously. # Index to the active service
# Not setting this field, or setting it to zero, will fall back to containers/image defaults. # active_service = production
# image_parallel_copies=0
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""
# Cgroup management implementation used for the runtime. # Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs" # Valid options "systemd" or "cgroupfs"
@ -328,10 +322,19 @@ log_driver = "journald"
# "/usr/share/containers/oci/hooks.d", # "/usr/share/containers/oci/hooks.d",
# ] # ]
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""
# Default transport method for pulling and pushing for images # Default transport method for pulling and pushing for images
# #
# image_default_transport = "docker://" # image_default_transport = "docker://"
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies = 0
# Default command to run the infra container # Default command to run the infra container
# #
# infra_command = "/pause" # infra_command = "/pause"
@ -398,24 +401,6 @@ log_driver = "journald"
# `podman --remote=true` for access to the remote Podman service. # `podman --remote=true` for access to the remote Podman service.
# remote = false # remote = false
# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
# Uncomment to change location from this default
#
# static_dir = "/var/lib/containers/storage/libpod"
# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/run/libpod"
# Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage
# stores containers.
# Uncomment to change location from this default.
#
# volume_path = "/var/lib/containers/storage/volumes"
# Default OCI runtime # Default OCI runtime
# #
# runtime = "crun" # runtime = "crun"
@ -425,20 +410,24 @@ log_driver = "journald"
# #
# runtime_supports_json = ["crun", "runc", "kata", "runsc"] # runtime_supports_json = ["crun", "runc", "kata", "runsc"]
# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]
# List of the OCI runtimes that supports running containers with KVM Separation. # List of the OCI runtimes that supports running containers with KVM Separation.
# #
# runtime_supports_kvm = ["kata"] # runtime_supports_kvm = ["kata"]
# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]
# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
# Uncomment to change location from this default
#
# static_dir = "/var/lib/containers/storage/libpod"
# Number of seconds to wait for container to exit before sending kill signal. # Number of seconds to wait for container to exit before sending kill signal.
# stop_timeout = 10 # stop_timeout = 10
# Index to the active service
# active_service = production
# map of service destinations # map of service destinations
# [service_destinations] # [service_destinations]
# [service_destinations.production] # [service_destinations.production]
@ -452,6 +441,17 @@ log_driver = "journald"
# Path to file containing ssh identity key # Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa" # identity = "~/.ssh/id_rsa"
# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/run/libpod"
# Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage
# stores containers.
# Uncomment to change location from this default.
#
# volume_path = "/var/lib/containers/storage/volumes"
# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc) # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
[engine.runtimes] [engine.runtimes]
# crun = [ # crun = [
@ -464,16 +464,6 @@ log_driver = "journald"
# "/run/current-system/sw/bin/crun", # "/run/current-system/sw/bin/crun",
# ] # ]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# kata = [ # kata = [
# "/usr/bin/kata-runtime", # "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime", # "/usr/sbin/kata-runtime",
@ -485,6 +475,16 @@ log_driver = "journald"
# "/usr/bin/kata-fc", # "/usr/bin/kata-fc",
# ] # ]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# runsc = [ # runsc = [
# "/usr/bin/runsc", # "/usr/bin/runsc",
# "/usr/sbin/runsc", # "/usr/sbin/runsc",
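Review bot: The commented default `# active_service = production`, moved up to sit directly under `[engine]` in the hunk at `@ -263,14 +263,8`, is not valid TOML if an administrator uncomments it, because `production` is a bare word rather than a quoted string. Every other string example in this file quotes its value (`# runtime = "crun"`, `# umask = "0022"`, `# image_default_transport = "docker://"`), so the line should read `# active_service = "production"`. Since the commit fetches this file from upstream, the correction presumably belongs in the upstream containers.conf as well rather than only in the packaged copy.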


@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses
a TOML format that can be easily modified and versioned. a TOML format that can be easily modified and versioned.
Container engines read the /usr/share/containers/containers.conf and Container engines read the /usr/share/containers/containers.conf and
/etc/containers/containers.conf files if they exists. When running in rootless /etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files
mode, they also read $HOME/.config/containers/containers.conf files. if they exist. When running in rootless mode, they also read
$HOME/.config/containers/containers.conf and
$HOME/.config/containers/containers.conf.d/*.conf files.
Fields specified in containers conf override the default options, as well as Fields specified in containers conf override the default options, as well as
options in previously read containers.conf files. options in previously read containers.conf files.
Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`.
Not all options are supported in all container engines. Not all options are supported in all container engines.
Note container engines also use other configuration files for configuring the environment. Note container engines also use other configuration files for configuring the environment.
@ -302,10 +306,6 @@ The `engine` table contains configuration options used to set up container engin
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below. Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
**cgroup_check**=false
CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
**cgroup_manager**="systemd" **cgroup_manager**="systemd"
The cgroup management implementation used for the runtime. Supports `cgroupfs` The cgroup management implementation used for the runtime. Supports `cgroupfs`
@ -463,14 +463,14 @@ on the system using the priority: "crun", "runc", "kata".
The list of the OCI runtimes that support `--format=json`. The list of the OCI runtimes that support `--format=json`.
**runtime_supports_nocgroups**=["crun"]
The list of OCI runtimes that support running containers without CGroups.
**runtime_supports_kvm**=["kata"] **runtime_supports_kvm**=["kata"]
The list of OCI runtimes that support running containers with KVM separation. The list of OCI runtimes that support running containers with KVM separation.
**runtime_supports_nocgroups**=["crun"]
The list of OCI runtimes that support running containers without CGroups.
**static_dir**="/var/lib/containers/storage/libpod" **static_dir**="/var/lib/containers/storage/libpod"
Directory for persistent libpod files (database, etc). Directory for persistent libpod files (database, etc).
@ -486,6 +486,14 @@ Number of seconds to wait for container to exit before sending kill signal.
The path to a temporary directory to store per-boot container. The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot). Must be a tmpfs (wiped after reboot).
**volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume
driver.
By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.
## SERVICE DESTINATION TABLE ## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -504,14 +512,6 @@ URI to access the Podman service
Path to file containing ssh identity key Path to file containing ssh identity key
**volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume
driver.
By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.
**[engine.volume_plugins]** **[engine.volume_plugins]**
A table of all the enabled volume plugins on the system. Volume plugins can be A table of all the enabled volume plugins on the system. Volume plugins can be
@ -542,8 +542,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to
define default container configuration. Administrators can override fields in define default container configuration. Administrators can override fields in
this file by creating `/etc/containers/containers.conf` to specify their own this file by creating `/etc/containers/containers.conf` to specify their own
configuration. Rootless users can further override fields in the config by configuration. Rootless users can further override fields in the config by
creating a config file stored in the creating a config file stored in the `$HOME/.config/containers/containers.conf` file.
`$HOME/.config/containers/containers.conf` file.
If the `CONTAINERS_CONF` path environment variable is set, just If the `CONTAINERS_CONF` path environment variable is set, just
this path will be used. This is primarily used for testing. this path will be used. This is primarily used for testing.


@ -1,5 +1,6 @@
{ {
"defaultAction": "SCMP_ACT_ERRNO", "defaultAction": "SCMP_ACT_ERRNO",
"defaultErrnoRet": 38,
"archMap": [ "archMap": [
{ {
"architecture": "SCMP_ARCH_X86_64", "architecture": "SCMP_ARCH_X86_64",
@ -50,6 +51,44 @@
} }
], ],
"syscalls": [ "syscalls": [
{
"names": [
"bdflush",
"io_pgetevents",
"kexec_file_load",
"kexec_load",
"migrate_pages",
"move_pages",
"nfsservctl",
"nice",
"oldfstat",
"oldlstat",
"oldolduname",
"oldstat",
"olduname",
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
"sgetmask",
"ssetmask",
"swapcontext",
"swapoff",
"swapon",
"sysfs",
"uselib",
"userfaultfd",
"ustat",
"vm86",
"vm86old",
"vmsplice"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {},
"errnoRet": 1
},
{ {
"names": [ "names": [
"_llseek", "_llseek",
@ -76,6 +115,7 @@
"clock_nanosleep", "clock_nanosleep",
"clock_nanosleep_time64", "clock_nanosleep_time64",
"clone", "clone",
"clone3",
"close", "close",
"close_range", "close_range",
"connect", "connect",
@ -149,6 +189,7 @@
"getgroups", "getgroups",
"getgroups32", "getgroups32",
"getitimer", "getitimer",
"get_mempolicy",
"getpeername", "getpeername",
"getpgid", "getpgid",
"getpgrp", "getpgrp",
@ -199,6 +240,7 @@
"lstat", "lstat",
"lstat64", "lstat64",
"madvise", "madvise",
"mbind",
"memfd_create", "memfd_create",
"mincore", "mincore",
"mkdir", "mkdir",
@ -244,6 +286,9 @@
"pipe", "pipe",
"pipe2", "pipe2",
"pivot_root", "pivot_root",
"pkey_alloc",
"pkey_free",
"pkey_mprotect",
"poll", "poll",
"ppoll", "ppoll",
"ppoll_time64", "ppoll_time64",
@ -259,6 +304,7 @@
"pwritev2", "pwritev2",
"read", "read",
"readahead", "readahead",
"readdir",
"readlink", "readlink",
"readlinkat", "readlinkat",
"readv", "readv",
@ -275,6 +321,7 @@
"renameat2", "renameat2",
"restart_syscall", "restart_syscall",
"rmdir", "rmdir",
"rseq",
"rt_sigaction", "rt_sigaction",
"rt_sigpending", "rt_sigpending",
"rt_sigprocmask", "rt_sigprocmask",
@ -311,6 +358,7 @@
"sendmsg", "sendmsg",
"sendto", "sendto",
"setns", "setns",
"set_mempolicy",
"set_robust_list", "set_robust_list",
"set_thread_area", "set_thread_area",
"set_tid_address", "set_tid_address",
@ -373,6 +421,7 @@
"timer_gettime", "timer_gettime",
"timer_gettime64", "timer_gettime64",
"timer_settime", "timer_settime",
"timer_settime64",
"timerfd_create", "timerfd_create",
"timerfd_gettime", "timerfd_gettime",
"timerfd_gettime64", "timerfd_gettime64",
@ -588,6 +637,21 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"open_by_handle_at"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_DAC_READ_SEARCH"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"bpf", "bpf",
@ -609,6 +673,28 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"bpf",
"fanotify_init",
"lookup_dcookie",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
"setns"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"chroot" "chroot"
@ -623,6 +709,21 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"chroot"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_CHROOT"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"delete_module", "delete_module",
@ -642,19 +743,21 @@
}, },
{ {
"names": [ "names": [
"get_mempolicy", "delete_module",
"mbind", "init_module",
"set_mempolicy" "finit_module",
"query_module"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ERRNO",
"args": [], "args": [],
"comment": "", "comment": "",
"includes": { "includes": {},
"excludes": {
"caps": [ "caps": [
"CAP_SYS_NICE" "CAP_SYS_MODULE"
] ]
}, },
"excludes": {} "errnoRet": 1
}, },
{ {
"names": [ "names": [
@ -670,6 +773,21 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"acct"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_PACCT"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"kcmp", "kcmp",
@ -688,6 +806,25 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"kcmp",
"process_madvise",
"process_vm_readv",
"process_vm_writev",
"ptrace"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_PTRACE"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"iopl", "iopl",
@ -703,6 +840,22 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"iopl",
"ioperm"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_RAWIO"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"settimeofday", "settimeofday",
@ -720,6 +873,24 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"settimeofday",
"stime",
"clock_settime",
"clock_settime64"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_TIME"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"vhangup" "vhangup"
@ -734,6 +905,21 @@
}, },
"excludes": {} "excludes": {}
}, },
{
"names": [
"vhangup"
],
"action": "SCMP_ACT_ERRNO",
"args": [],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_TTY_CONFIG"
]
},
"errnoRet": 1
},
{ {
"names": [ "names": [
"socket" "socket"