containers-common-4:1-21

- fetch latest upstream configs Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2021-06-29 11:12:36 -04:00 · 2021-06-29 11:12:36 -04:00 · abac6aa948
commit abac6aa948
parent 1a7468a695
4 changed files with 306 additions and 118 deletions
--- a/containers-common.spec
+++ b/containers-common.spec
@ -15,7 +15,7 @@
 Epoch: 4
 Name: containers-common
 Version: 1
-Release: 20%{?dist}
+Release: 21%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 BuildArch: noarch
@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %{_datadir}/rhel/secrets/*
 %changelog
 * Tue Jun 29 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-21
 - fetch latest upstream configs
 * Thu Jun 10 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-20
 - Update to grab latest man pages and configuration files, also switch to using some main rather then master branches
--- a/containers.conf
+++ b/containers.conf
@ -16,30 +16,16 @@
 [containers]
-# List of devices. Specified as
+# List of annotation. Specified as
-# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "key = value"
-# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, no annotations will be added
 # If it is empty or commented out, only the default devices will be used
 #
-# devices = []
+# annotations = []
 # List of volumes. Specified as
 # "<directory-on-host>:<directory-in-container>:<options>", for example:
 # "/db:/var/lib/db:ro".
 # If it is empty or commented out, no volumes will be added
 #
 # volumes = []
 # Used to change the name of the default AppArmor profile of container engine.
 #
 # apparmor_profile = "container-default"
 # List of annotation. Specified as
 # "key=value"
 # If it is empty or commented out, no annotations will be added
 #
 # annotations = []
 # Default way to to create a cgroup namespace for the container
 # Options are:
 # `private` Create private Cgroup Namespace for the container.
@ -93,6 +79,13 @@ default_sysctls = [
 #  "nofile=1280:2560",
 # ]
 # List of devices. Specified as
 # "<device-on-host>:<device-on-container>:<permissions>", for example:
 # "/dev/sdc:/dev/xvdc:rwm".
 # If it is empty or commented out, only the default devices will be used
 #
 # devices = []
 # List of default DNS options to be added to /etc/resolv.conf inside of the container.
 #
 # dns_options = []
@ -185,10 +178,6 @@ log_driver = "journald"
 #
 # no_hosts = false
 # Maximum number of processes allowed in a container.
 #
 # pids_limit = 2048
 # Default way to to create a PID namespace for the container
 # Options are:
 # `private` Create private PID Namespace for the container.
@ -196,8 +185,12 @@ log_driver = "journald"
 #
 # pidns = "private"
 # Maximum number of processes allowed in a container.
 #
 # pids_limit = 2048
 # Indicates the networking to be used for rootless containers
-# rootless_networking="slirp4netns"
+# rootless_networking = "slirp4netns"
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
@ -218,14 +211,7 @@ log_driver = "journald"
 # Set umask inside the container
 #
-# umask="0022"
+# umask = "0022"
 # Default way to to create a UTS namespace for the container
 # Options are:
 # `private`        Create private UTS Namespace for the container.
 # `host`    Share host UTS Namespace with the container.
 #
 # utsns = "private"
 # Default way to to create a User namespace for the container
 # Options are:
@ -238,7 +224,21 @@ log_driver = "journald"
 # UIDs are allocated from the "container" UIDs listed in
 # /etc/subuid & /etc/subgid
 #
-# userns_size=65536
+# userns_size = 65536
 # Default way to to create a UTS namespace for the container
 # Options are:
 # `private`        Create private UTS Namespace for the container.
 # `host`    Share host UTS Namespace with the container.
 #
 # utsns = "private"
 # List of volumes. Specified as
 # "<directory-on-host>:<directory-in-container>:<options>", for example:
 # "/db:/var/lib/db:ro".
 # If it is empty or commented out, no volumes will be added
 #
 # volumes = []
 # The network table contains settings pertaining to the management of
 # CNI plugins.
@ -263,14 +263,8 @@ log_driver = "journald"
 # network_config_dir = "/etc/cni/net.d/"
 [engine]
-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Index to the active service
-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+# active_service = production
 # image_parallel_copies=0
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
 # source image. Building/committing defaults to OCI.
 # image_default_format = ""
 # Cgroup management implementation used for the runtime.
 # Valid options "systemd" or "cgroupfs"
@ -328,10 +322,19 @@ log_driver = "journald"
 #     "/usr/share/containers/oci/hooks.d",
 # ]
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
 # source image. Building/committing defaults to OCI.
 # image_default_format = ""
 # Default transport method for pulling and pushing for images
 #
 # image_default_transport = "docker://"
 # Maximum number of image layers to be copied (pulled/pushed) simultaneously.
 # Not setting this field, or setting it to zero, will fall back to containers/image defaults.
 # image_parallel_copies = 0
 # Default command to run the infra container
 #
 # infra_command = "/pause"
@ -354,7 +357,7 @@ log_driver = "journald"
 # Indicates if Podman is running inside a VM via Podman Machine.
 # Podman uses this value to do extra setup around networking from the
 # container inside the VM to to host.
-# machine_enabled=false
+# machine_enabled = false
 # MultiImageArchive - if true, the container engine allows for storing archives
 # (e.g., of the docker-archive transport) with multiple images.  By default,
@ -373,12 +376,12 @@ log_driver = "journald"
 # Path to the slirp4netns binary
 #
-# network_cmd_path=""
+# network_cmd_path = ""
 # Default options to pass to the slirp4netns binary.
 # For example "allow_host_loopback=true"
 #
-# network_cmd_options=[]
+# network_cmd_options = []
 # Whether to use chroot instead of pivot_root in the runtime
 #
@ -398,6 +401,23 @@ log_driver = "journald"
 # `podman --remote=true` for access to the remote Podman service.
 # remote = false
 # Default OCI runtime
 #
 # runtime = "crun"
 # List of the OCI runtimes that support --format=json.  When json is supported
 # engine will use it for reporting nicer errors.
 #
 # runtime_supports_json = ["crun", "runc", "kata", "runsc"]
 # List of the OCI runtimes that supports running containers with KVM Separation.
 #
 # runtime_supports_kvm = ["kata"]
 # List of the OCI runtimes that supports running containers without cgroups.
 #
 # runtime_supports_nocgroups = ["crun"]
 # Directory for persistent engine files (database, etc)
 # By default, this will be configured relative to where the containers/storage
 # stores containers
@ -405,6 +425,22 @@ log_driver = "journald"
 #
 # static_dir = "/var/lib/containers/storage/libpod"
 # Number of seconds to wait for container to exit before sending kill signal.
 # stop_timeout = 10
 # map of service destinations
 # [service_destinations]
 #   [service_destinations.production]
 #     URI to access the Podman service
 #     Examples:
 #       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
 #       rootfull "unix://run/podman/podman.sock (Default)
 #       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
 #       remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
 #     uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
 #     Path to file containing ssh identity key
 #     identity = "~/.ssh/id_rsa"
 # Directory for temporary files. Must be tmpfs (wiped after reboot)
 #
 # tmp_dir = "/run/libpod"
@ -416,42 +452,6 @@ log_driver = "journald"
 #
 # volume_path = "/var/lib/containers/storage/volumes"
 # Default OCI runtime
 #
 # runtime = "crun"
 # List of the OCI runtimes that support --format=json.  When json is supported
 # engine will use it for reporting nicer errors.
 #
 # runtime_supports_json = ["crun", "runc", "kata", "runsc"]
 # List of the OCI runtimes that supports running containers without cgroups.
 #
 # runtime_supports_nocgroups = ["crun"]
 # List of the OCI runtimes that supports running containers with KVM Separation.
 #
 # runtime_supports_kvm = ["kata"]
 # Number of seconds to wait for container to exit before sending kill signal.
 # stop_timeout = 10
 # Index to the active service
 # active_service = production
 # map of service destinations
 # [service_destinations]
 #   [service_destinations.production]
 #     URI to access the Podman service
 #     Examples:
 #       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
 #       rootfull "unix://run/podman/podman.sock (Default)
 #       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
 #       remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
 #     uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"
 #     Path to file containing ssh identity key
 #     identity = "~/.ssh/id_rsa"
 # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
 [engine.runtimes]
 # crun = [
@ -464,16 +464,6 @@ log_driver = "journald"
 #            "/run/current-system/sw/bin/crun",
 # ]
 # runc = [
 #        "/usr/bin/runc",
 #        "/usr/sbin/runc",
 #        "/usr/local/bin/runc",
 #        "/usr/local/sbin/runc",
 #        "/sbin/runc",
 #        "/bin/runc",
 #        "/usr/lib/cri-o-runc/sbin/runc",
 # ]
 # kata = [
 #            "/usr/bin/kata-runtime",
 #            "/usr/sbin/kata-runtime",
@ -485,6 +475,16 @@ log_driver = "journald"
 #            "/usr/bin/kata-fc",
 # ]
 # runc = [
 #        "/usr/bin/runc",
 #        "/usr/sbin/runc",
 #        "/usr/local/bin/runc",
 #        "/usr/local/sbin/runc",
 #        "/sbin/runc",
 #        "/bin/runc",
 #        "/usr/lib/cri-o-runc/sbin/runc",
 # ]
 # runsc = [
 #            "/usr/bin/runsc",
 #            "/usr/sbin/runsc",
@ -505,7 +505,7 @@ log_driver = "journald"
 # main config.
 [secret]
-# driver="file"
+# driver = "file"
 [secret.opts]
 # root = "/example/directory"
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses
 a TOML format that can be easily modified and versioned.
 Container engines read the /usr/share/containers/containers.conf and
-/etc/containers/containers.conf files if they exists.  When running in rootless
+/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files
-mode, they also read $HOME/.config/containers/containers.conf files.
+if they exist.  When running in rootless mode, they also read
 $HOME/.config/containers/containers.conf and
 $HOME/.config/containers/containers.conf.d/*.conf files.
 Fields specified in containers conf override the default options, as well as
 options in previously read containers.conf files.
 Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`.
 Not all options are supported in all container engines.
 Note container engines also use other configuration files for configuring the environment.
@ -302,10 +306,6 @@ The `engine` table contains configuration options used to set up container engin
 Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
 **cgroup_check**=false
 CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
 **cgroup_manager**="systemd"
 The cgroup management implementation used for the runtime. Supports `cgroupfs`
@ -463,14 +463,14 @@ on the system using the priority: "crun", "runc", "kata".
 The list of the OCI runtimes that support `--format=json`.
 **runtime_supports_nocgroups**=["crun"]
 The list of OCI runtimes that support running containers without CGroups.
 **runtime_supports_kvm**=["kata"]
 The list of OCI runtimes that support running containers with KVM separation.
 **runtime_supports_nocgroups**=["crun"]
 The list of OCI runtimes that support running containers without CGroups.
 **static_dir**="/var/lib/containers/storage/libpod"
 Directory for persistent libpod files (database, etc).
@ -486,6 +486,14 @@ Number of seconds to wait for container to exit before sending kill signal.
 The path to a temporary directory to store per-boot container.
 Must be a tmpfs (wiped after reboot).
 **volume_path**="/var/lib/containers/storage/volumes"
 Directory where named volumes will be created in using the default volume
 driver.
 By default this will be configured relative to where containers/storage store
 containers. This convention is followed by the default volume driver, but may
 not be by other drivers.
 ## SERVICE DESTINATION TABLE
 The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -504,14 +512,6 @@ URI to access the Podman service
 Path to file containing ssh identity key
 **volume_path**="/var/lib/containers/storage/volumes"
 Directory where named volumes will be created in using the default volume
 driver.
 By default this will be configured relative to where containers/storage store
 containers. This convention is followed by the default volume driver, but may
 not be by other drivers.
 **[engine.volume_plugins]**
 A table of all the enabled volume plugins on the system. Volume plugins can be
@ -542,8 +542,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to
 define default container configuration. Administrators can override fields in
 this file by creating `/etc/containers/containers.conf` to specify their own
 configuration. Rootless users can further override fields in the config by
-creating a config file stored in the
+creating a config file stored in the `$HOME/.config/containers/containers.conf` file.
 `$HOME/.config/containers/containers.conf` file.
 If the `CONTAINERS_CONF` path environment variable is set, just
 this path will be used.  This is primarily used for testing.
--- a/seccomp.json
+++ b/seccomp.json
@ -1,5 +1,6 @@
 {
 	"defaultAction": "SCMP_ACT_ERRNO",
 	"defaultErrnoRet": 38,
 	"archMap": [
 		{
 			"architecture": "SCMP_ARCH_X86_64",
@ -50,6 +51,44 @@
 		}
 	],
 	"syscalls": [
 		{
 			"names": [
 				"bdflush",
 				"io_pgetevents",
 				"kexec_file_load",
 				"kexec_load",
 				"migrate_pages",
 				"move_pages",
 				"nfsservctl",
 				"nice",
 				"oldfstat",
 				"oldlstat",
 				"oldolduname",
 				"oldstat",
 				"olduname",
 				"pciconfig_iobase",
 				"pciconfig_read",
 				"pciconfig_write",
 				"sgetmask",
 				"ssetmask",
 				"swapcontext",
 				"swapoff",
 				"swapon",
 				"sysfs",
 				"uselib",
 				"userfaultfd",
 				"ustat",
 				"vm86",
 				"vm86old",
 				"vmsplice"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"_llseek",
@ -76,6 +115,7 @@
 				"clock_nanosleep",
 				"clock_nanosleep_time64",
 				"clone",
 				"clone3",
 				"close",
 				"close_range",
 				"connect",
@ -149,6 +189,7 @@
 				"getgroups",
 				"getgroups32",
 				"getitimer",
 				"get_mempolicy",
 				"getpeername",
 				"getpgid",
 				"getpgrp",
@ -199,6 +240,7 @@
 				"lstat",
 				"lstat64",
 				"madvise",
 				"mbind",
 				"memfd_create",
 				"mincore",
 				"mkdir",
@ -244,6 +286,9 @@
 				"pipe",
 				"pipe2",
 				"pivot_root",
 				"pkey_alloc",
 				"pkey_free",
 				"pkey_mprotect",
 				"poll",
 				"ppoll",
 				"ppoll_time64",
@ -259,6 +304,7 @@
 				"pwritev2",
 				"read",
 				"readahead",
 				"readdir",
 				"readlink",
 				"readlinkat",
 				"readv",
@ -275,6 +321,7 @@
 				"renameat2",
 				"restart_syscall",
 				"rmdir",
 				"rseq",
 				"rt_sigaction",
 				"rt_sigpending",
 				"rt_sigprocmask",
@ -311,6 +358,7 @@
 				"sendmsg",
 				"sendto",
 				"setns",
 				"set_mempolicy",
 				"set_robust_list",
 				"set_thread_area",
 				"set_tid_address",
@ -373,6 +421,7 @@
 				"timer_gettime",
 				"timer_gettime64",
 				"timer_settime",
 				"timer_settime64",
 				"timerfd_create",
 				"timerfd_gettime",
 				"timerfd_gettime64",
@ -588,6 +637,21 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"open_by_handle_at"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_DAC_READ_SEARCH"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"bpf",
@ -609,6 +673,28 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"bpf",
 				"fanotify_init",
 				"lookup_dcookie",
 				"perf_event_open",
 				"quotactl",
 				"setdomainname",
 				"sethostname",
 				"setns"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"chroot"
@ -623,6 +709,21 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"chroot"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_CHROOT"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"delete_module",
@ -642,19 +743,21 @@
 		},
 		{
 			"names": [
-				"get_mempolicy",
+				"delete_module",
-				"mbind",
+				"init_module",
-				"set_mempolicy"
+				"finit_module",
 				"query_module"
 			],
-			"action": "SCMP_ACT_ALLOW",
+			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
-			"includes": {
+			"includes": {},
 			"excludes": {
 				"caps": [
-					"CAP_SYS_NICE"
+					"CAP_SYS_MODULE"
 				]
 			},
-			"excludes": {}
+			"errnoRet": 1
 		},
 		{
 			"names": [
@ -670,6 +773,21 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"acct"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_PACCT"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"kcmp",
@ -688,6 +806,25 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"kcmp",
 				"process_madvise",
 				"process_vm_readv",
 				"process_vm_writev",
 				"ptrace"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_PTRACE"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"iopl",
@ -703,6 +840,22 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"iopl",
 				"ioperm"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_RAWIO"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"settimeofday",
@ -720,6 +873,24 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"settimeofday",
 				"stime",
 				"clock_settime",
 				"clock_settime64"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_TIME"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"vhangup"
@ -734,6 +905,21 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"vhangup"
 			],
 			"action": "SCMP_ACT_ERRNO",
 			"args": [],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_TTY_CONFIG"
 				]
 			},
 			"errnoRet": 1
 		},
 		{
 			"names": [
 				"socket"