From ac4765a62fdb810ea49a86d0fbbe29176609bb39 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 24 Oct 2023 19:25:33 -0400
Subject: [PATCH] local build

---
 Containerfile.5.md | 2 +-
 containers.conf | 25 ++++++++++++++++++++++---
 containers.conf.5.md | 30 +++++++++++++++++++++++++++---
 shortnames.conf | 4 ++--
 4 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/Containerfile.5.md b/Containerfile.5.md
index 48374c7..49720c5 100644
--- a/Containerfile.5.md
+++ b/Containerfile.5.md
@@ -49,7 +49,7 @@ A Containerfile is similar to a Makefile.
 to a new image if necessary, before finally outputting the ID of the new image.
- Container engines re-use intermediate images whenever possible. This significantly
+ Container engines reuse intermediate images whenever possible. This significantly
 accelerates the *build* process.
 # FORMAT
diff --git a/containers.conf b/containers.conf
index cbf2616..a9b4ca3 100644
--- a/containers.conf
+++ b/containers.conf
@@ -149,6 +149,9 @@ default_sysctls = [
 #init = false
 # Container init binary, if init=true, this is the init binary to be used for containers.
+# If this option is not set catatonit is searched in the directories listed under
+# the helper_binaries_dir option. It is recommended to just install catatonit
+# there instead of configuring this option here.
 #
 #init_path = "/usr/libexec/podman/catatonit"
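Review bot: The new `init_path` comment is missing a comma after its conditional clause and the verb should be "searched for"; the same sentence is repeated verbatim in the containers.conf.5.md hunk for init_path and needs the same edit. Suggested wording: `# If this option is not set, catatonit is searched for in the directories listed under` / `# the helper_binaries_dir option. It is recommended to install catatonit there` / `# instead of configuring this option here.` It would also help a reader choosing between the two approaches to know what happens when no catatonit is found in any of those directories (presumably `--init` fails at container creation), but that cannot be confirmed from this hunk.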
@@ -237,6 +240,18 @@ log_driver = "journald"
 #
 #prepare_volume_on_create = false
+# Give extended privileges to all containers. A privileged container turns off
+# the security features that isolate the container from the host. Dropped
+# Capabilities, limited devices, read-only mount points, Apparmor/SELinux
+# separation, and Seccomp filters are all disabled. Due to the disabled
+# security features the privileged field should almost never be set as
+# containers can easily break out of confinment.
+#
+# Containers running in a user namespace (e.g., rootless containers) cannot
+# have more privileges than the user that launched them.
+#
+#privileged = false
+
 # Run all containers with root file system mounted read-only
 #
 # read_only = false
@@ -442,10 +457,14 @@ log_driver = "journald"
 # short-name aliases defined in containers-registries.conf(5).
 #compat_api_enforce_docker_hub = true
-# The database backend of Podman. Supported values are "boltdb" (default) and
-# "sqlite". Please run `podman-system-reset` prior to changing the database
+# The database backend of Podman. Supported values are "" (default), "boltdb"
+# and "sqlite". An empty value means it will check whenever a boltdb already
+# exists and use it when it does, otherwise it will use sqlite as default
+# (e.g. new installs). This allows for backwards compatibility with older versions.
+# Please run `podman-system-reset` prior to changing the database
 # backend of an existing deployment, to make sure Podman can operate correctly.
-#database_backend="boltdb"
+#
+#database_backend = ""
 # Specify the keys sequence used to detach a container.
 # Format is a single character [a-Z] or a comma separated sequence of
diff --git a/containers.conf.5.md b/containers.conf.5.md
index f3cb03f..dfbc27a 100644
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
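Review bot: The last paragraph of the new `privileged` comment can be read as saying the option is harmless for rootless containers, which it is not: the user namespace caps what the container can do at the invoking user's privileges, but a privileged container still loses the seccomp, SELinux/AppArmor, device and read-only mount restrictions the comment itself lists, so the container is unconfined with respect to everything that user can already reach. Suggest extending that paragraph with a line such as `# This bounds the damage to that user's own privileges; it does not restore the` / `# isolation between the container and the user's files and processes.` "confinment" in `# containers can easily break out of confinment.` should be "confinement"; the same typo is in the containers.conf.5.md hunk for **privileged**. Since this key is a default applied to every container created from this configuration, the comment could also state whether a per-container `--privileged=false` takes precedence, if that is how the implementation resolves it.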
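Review bot: "check whenever a boltdb already exists" in the rewritten `database_backend` comment should read "check whether a boltdb already exists"; as written it describes a repeated check rather than a one-time test at startup. The identical sentence appears in the containers.conf.5.md hunk for **database_backend** and needs the same correction. It would also be useful to say where Podman looks for the existing boltdb, since an operator with a relocated storage root will want to know which path decides the backend, but that location is not visible in this hunk.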
@@ -205,6 +205,10 @@ Run an init inside the container that forwards signals and reaps processes.
 **init_path**="/usr/libexec/podman/catatonit"
+If this option is not set catatonit is searched in the directories listed under
+the **helper_binaries_dir** option. It is recommended to just install catatonit
+there instead of configuring this option here.
+
 Path to the container-init binary, which forwards signals and reaps processes within containers. Note that the container-init binary will only be used when the `--init` for podman-create and podman-run is set.
@@ -289,6 +293,12 @@ is imposed.
 Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
+**privileged**=false
+
+Give extended privileges to all containers. A privileged container turns off the security features that isolate the container from the host. Dropped Capabilities, limited devices, read-only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled. Due to the disabled security features, the privileged field should almost never be set as containers can easily break out of confinment.
+
+Containers running in a user namespace (e.g., rootless containers) cannot have more privileges than the user that launched them.
+
 **read_only**=true|false
 Run all containers with root file system mounted read-only. Set to false by default.
@@ -501,10 +511,13 @@ conmon_path=[
 ]
 ```
-**database_backend**="boltdb"
+**database_backend**=""
-The database backend of Podman. Supported values are "boltdb" (default) and
-"sqlite". Please run `podman-system-reset` prior to changing the database
+The database backend of Podman. Supported values are "" (default), "boltdb"
+and "sqlite". An empty value means it will check whenever a boltdb already
+exists and use it when it does, otherwise it will use sqlite as default
+(e.g. new installs). This allows for backwards compatibility with older versions.
+Please run `podman-system-reset` prior to changing the database
 backend of an existing deployment, to make sure Podman can operate correctly.
 **detach_keys**="ctrl-p,ctrl-q"
@@ -565,6 +578,17 @@ with detailed information about the container. Set to false by default.
 **helper_binaries_dir**=["/usr/libexec/podman", ...]
 A is a list of directories which are used to search for helper binaries.
+The following binaries are searched in these directories:
+ - aardvark-dns
+ - catatonit
+ - netavark
+ - pasta
+ - slirp4netns
+
+Podman machine uses it for these binaries:
+ - gvproxy
+ - qemu
+ - vfkit
 The default paths on Linux are:
diff --git a/shortnames.conf b/shortnames.conf
index cded329..7b5906c 100644
--- a/shortnames.conf
+++ b/shortnames.conf
@@ -56,10 +56,10 @@
 "rhel7" = "registry.access.redhat.com/rhel7"
 "rhel7.9" = "registry.access.redhat.com/rhel7.9"
 "rhel-atomic" = "registry.access.redhat.com/rhel-atomic"
- "rhel-minimal" = "registry.access.redhat.com/rhel-minimum"
+ "rhel-minimal" = "registry.access.redhat.com/rhel-minimal"
 "rhel-init" = "registry.access.redhat.com/rhel-init"
 "rhel7-atomic" = "registry.access.redhat.com/rhel7-atomic"
- "rhel7-minimal" = "registry.access.redhat.com/rhel7-minimum"
+ "rhel7-minimal" = "registry.access.redhat.com/rhel7-minimal"
 "rhel7-init" = "registry.access.redhat.com/rhel7-init"
 "rhel7/rhel" = "registry.access.redhat.com/rhel7/rhel"
 "rhel7/rhel-atomic" = "registry.access.redhat.com/rhel7/rhel7/rhel-atomic"
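Review bot: The context line `"rhel7/rhel-atomic" = "registry.access.redhat.com/rhel7/rhel7/rhel-atomic"` at the bottom of this hunk repeats the `rhel7/` path segment and looks like the same class of alias-target typo this hunk corrects for `rhel-minimal` and `rhel7-minimal`; if the image actually lives at `registry.access.redhat.com/rhel7/rhel-atomic`, it should be fixed in the same commit. I cannot verify any of these registry paths from the patch, so both the corrected targets and that one should be confirmed against the registry before merging. Short-name aliases decide which repository a bare image name resolves to, so a wrong target either fails the pull or, worse, resolves to an unintended repository, which is why each entry deserves a check.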