rpms/containers-common
7
0
Fork 0
Code Issues Pull Requests Releases Activity

local build

Browse Source
This commit is contained in:
Daniel J Walsh 2022-03-23 10:48:56 -04:00
parent 0ae1cfd00e
commit b2a34f0c7f
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
4 changed files with 107 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
containers-common.spec
View File

@ -50,9 +50,10 @@ Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
Source20: RPM-GPG-KEY-redhat-release Source20: RPM-GPG-KEY-redhat-release
Source21: registry.access.redhat.com.yaml Source21: registry.access.redhat.com.yaml
Source22: registry.redhat.io.yaml Source22: registry.redhat.io.yaml
Source23: %{github_containers}/buildah/%{buildah_branch}/docs/Containerfile.5.md Source23: %{github_containers}/common/%{common_branch}/docs/Containerfile.5.md
Source24: %{github_containers}/buildah/%{buildah_branch}/docs/containerignore.5.md Source24: %{github_containers}/common/%{common_branch}/docs/containerignore.5.md
Source25: %{github_containers}/buildah/%{buildah_branch}/docs/links/.containerignore.5 Source25: %{github_containers}/common/%{common_branch}/docs/links/.containerignore.5
%description %description
This package contains common configuration files and documentation for container This package contains common configuration files and documentation for container

33
containers.conf
View File

@ -133,10 +133,12 @@ default_sysctls = [
# Default way to to create an IPC namespace (POSIX SysV IPC) for the container # Default way to to create an IPC namespace (POSIX SysV IPC) for the container
# Options are: # Options are:
# `private` Create private IPC Namespace for the container. # "host" Share host IPC Namespace with the container.
# `host` Share host IPC Namespace with the container. # "none" Create shareable IPC Namespace for the container without a private /dev/shm.
# "private" Create private IPC Namespace for the container, other containers are not allowed to share it.
# "shareable" Create shareable IPC Namespace for the container.
# #
#ipcns = "private" #ipcns = "shareable"
# keyring tells the container engine whether to create # keyring tells the container engine whether to create
# a kernel keyring for use within the container. # a kernel keyring for use within the container.
@ -284,6 +286,20 @@ log_driver = "journald"
# #
#default_subnet = "10.88.0.0/16" #default_subnet = "10.88.0.0/16"
# DefaultSubnetPools is a list of subnets and size which are used to
# allocate subnets automatically for podman network create.
# It will iterate through the list and will pick the first free subnet
# with the given size. This is only used for ipv4 subnets, ipv6 subnets
# are always assigned randomly.
#
#default_subnet_pools = [
# {"base" = "10.89.0.0/16", "size" = 24},
# {"base" = "10.90.0.0/15", "size" = 24},
# {"base" = "10.92.0.0/14", "size" = 24},
# {"base" = "10.96.0.0/11", "size" = 24},
# {"base" = "10.128.0.0/9", "size" = 24},
#]
# Path to the directory where network configuration files are located. # Path to the directory where network configuration files are located.
# For the CNI backend the default is "/etc/cni/net.d" as root # For the CNI backend the default is "/etc/cni/net.d" as root
# and "$HOME/.config/cni/net.d" as rootless. # and "$HOME/.config/cni/net.d" as rootless.
@ -357,6 +373,12 @@ log_driver = "journald"
# Define where event logs will be stored, when events_logger is "file". # Define where event logs will be stored, when events_logger is "file".
#events_logfile_path="" #events_logfile_path=""
# Sets the maximum size for events_logfile_path in bytes. When the limit is exceeded,
# the logfile will be rotated and the old one will be deleted.
# If the maximum size is set to 0, then no limit will be applied,
# and the logfile will not be rotated.
#events_logfile_max_size = 0
# Selects which logging mechanism to use for container engine events. # Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`. # Valid values are `journald`, `file` and `none`.
# #
@ -501,6 +523,11 @@ log_driver = "journald"
# #
#stop_timeout = 10 #stop_timeout = 10
# Number of seconds to wait before exit command in API process is given to.
# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
#
#exit_command_delay = 300
# map of service destinations # map of service destinations
# #
#[service_destinations] #[service_destinations]

51
containers.conf.5.md
View File

@ -162,12 +162,14 @@ Path to the container-init binary, which forwards signals and reaps processes
within containers. Note that the container-init binary will only be used when within containers. Note that the container-init binary will only be used when
the `--init` for podman-create and podman-run is set. the `--init` for podman-create and podman-run is set.
**ipcns**="private" **ipcns**="shareable"
Default way to to create a IPC namespace for the container. Default way to to create a IPC namespace for the container.
Options are: Options are:
`private` Create private IPC Namespace for the container. `host` Share host IPC Namespace with the container.
`host` Share host IPC Namespace with the container. `none` Create shareable IPC Namespace for the container without a private /dev/shm.
`private` Create private IPC Namespace for the container, other containers are not allowed to share it.
`shareable` Create shareable IPC Namespace for the container.
**keyring**=true **keyring**=true
@ -268,6 +270,12 @@ Options are:
`private` Create private UTS Namespace for the container. `private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container. `host` Share host UTS Namespace with the container.
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
## NETWORK TABLE ## NETWORK TABLE
The `network` table contains settings pertaining to the management of CNI The `network` table contains settings pertaining to the management of CNI
@ -307,6 +315,25 @@ The network name of the default network to attach pods to.
The subnet to use for the default network (named above in **default_network**). The subnet to use for the default network (named above in **default_network**).
If the default network does not exist, it will be automatically created the first time a tool is run using this subnet. If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
**default_subnet_pools**=[]
DefaultSubnetPools is a list of subnets and size which are used to
allocate subnets automatically for podman network create.
It will iterate through the list and will pick the first free subnet
with the given size. This is only used for ipv4 subnets, ipv6 subnets
are always assigned randomly.
The default list is (10.89.0.0-10.255.255.0/24):
```
default_subnet_pools = [
{"base" = "10.89.0.0/16", "size" = 24},
{"base" = "10.90.0.0/15", "size" = 24},
{"base" = "10.92.0.0/14", "size" = 24},
{"base" = "10.96.0.0/11", "size" = 24},
{"base" = "10.128.0.0/9", "size" = 24},
]
```
**network_config_dir**="/etc/cni/net.d/" **network_config_dir**="/etc/cni/net.d/"
Path to the directory where network configuration files are located. Path to the directory where network configuration files are located.
@ -315,13 +342,6 @@ and "$HOME/.config/cni/net.d" as rootless.
For the netavark backend "/etc/containers/networks" is used as root For the netavark backend "/etc/containers/networks" is used as root
and "$graphroot/networks" as rootless. and "$graphroot/networks" as rootless.
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
## ENGINE TABLE ## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
@ -385,6 +405,13 @@ if you want to set environment variables for the container.
Define where event logs will be stored, when events_logger is "file". Define where event logs will be stored, when events_logger is "file".
**events_logfile_max_size**=0
Sets the maximum size for events_logfile_path in bytes. When the limit is exceeded,
the logfile will be rotated and the old one will be deleted.
If the maximumn size is set to 0, then no limit will be applied,
and the logfile will not be rotated.
**events_logger**="journald" **events_logger**="journald"
Default method to use when logging events. Default method to use when logging events.
@ -561,6 +588,10 @@ stores containers.
Number of seconds to wait for container to exit before sending kill signal. Number of seconds to wait for container to exit before sending kill signal.
**exit_command_delay**=300
Number of seconds to wait for the API process for the exec call before sending exit command mimicing the Docker behavior of 5 minutes (in seconds).
**tmp_dir**="/run/libpod" **tmp_dir**="/run/libpod"
The path to a temporary directory to store per-boot container. The path to a temporary directory to store per-boot container.

57
seccomp.json
View File

@ -176,6 +176,7 @@
"futex", "futex",
"futex_time64", "futex_time64",
"futimesat", "futimesat",
"get_mempolicy",
"get_robust_list", "get_robust_list",
"get_thread_area", "get_thread_area",
"getcpu", "getcpu",
@ -191,7 +192,6 @@
"getgroups", "getgroups",
"getgroups32", "getgroups32",
"getitimer", "getitimer",
"get_mempolicy",
"getpeername", "getpeername",
"getpgid", "getpgid",
"getpgrp", "getpgrp",
@ -243,6 +243,7 @@
"lstat64", "lstat64",
"madvise", "madvise",
"mbind", "mbind",
"membarrier",
"memfd_create", "memfd_create",
"memfd_secret", "memfd_secret",
"mincore", "mincore",
@ -256,6 +257,7 @@
"mmap", "mmap",
"mmap2", "mmap2",
"mount", "mount",
"mount_setattr",
"move_mount", "move_mount",
"mprotect", "mprotect",
"mq_getsetattr", "mq_getsetattr",
@ -279,9 +281,9 @@
"nanosleep", "nanosleep",
"newfstatat", "newfstatat",
"open", "open",
"open_tree",
"openat", "openat",
"openat2", "openat2",
"open_tree",
"pause", "pause",
"pidfd_getfd", "pidfd_getfd",
"pidfd_open", "pidfd_open",
@ -300,8 +302,12 @@
"preadv", "preadv",
"preadv2", "preadv2",
"prlimit64", "prlimit64",
"process_mrelease",
"process_vm_readv",
"process_vm_writev",
"pselect6", "pselect6",
"pselect6_time64", "pselect6_time64",
"ptrace",
"pwrite64", "pwrite64",
"pwritev", "pwritev",
"pwritev2", "pwritev2",
@ -360,7 +366,6 @@
"sendmmsg", "sendmmsg",
"sendmsg", "sendmsg",
"sendto", "sendto",
"setns",
"set_mempolicy", "set_mempolicy",
"set_robust_list", "set_robust_list",
"set_thread_area", "set_thread_area",
@ -374,6 +379,7 @@
"setgroups", "setgroups",
"setgroups32", "setgroups32",
"setitimer", "setitimer",
"setns",
"setpgid", "setpgid",
"setpriority", "setpriority",
"setregid", "setregid",
@ -395,10 +401,15 @@
"shmdt", "shmdt",
"shmget", "shmget",
"shutdown", "shutdown",
"sigaction",
"sigaltstack", "sigaltstack",
"signal",
"signalfd", "signalfd",
"signalfd4", "signalfd4",
"sigpending",
"sigprocmask",
"sigreturn", "sigreturn",
"sigsuspend",
"socket", "socket",
"socketcall", "socketcall",
"socketpair", "socketpair",
@ -413,6 +424,7 @@
"sync", "sync",
"sync_file_range", "sync_file_range",
"syncfs", "syncfs",
"syscall",
"sysinfo", "sysinfo",
"syslog", "syslog",
"tee", "tee",
@ -425,6 +437,7 @@
"timer_gettime64", "timer_gettime64",
"timer_settime", "timer_settime",
"timer_settime64", "timer_settime64",
"timerfd",
"timerfd_create", "timerfd_create",
"timerfd_gettime", "timerfd_gettime",
"timerfd_gettime64", "timerfd_gettime64",
@ -562,10 +575,10 @@
"names": [ "names": [
"arm_fadvise64_64", "arm_fadvise64_64",
"arm_sync_file_range", "arm_sync_file_range",
"sync_file_range2",
"breakpoint", "breakpoint",
"cacheflush", "cacheflush",
"set_tls" "set_tls",
"sync_file_range2"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [], "args": [],
@ -733,8 +746,8 @@
{ {
"names": [ "names": [
"delete_module", "delete_module",
"init_module",
"finit_module", "finit_module",
"init_module",
"query_module" "query_module"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
@ -750,8 +763,8 @@
{ {
"names": [ "names": [
"delete_module", "delete_module",
"init_module",
"finit_module", "finit_module",
"init_module",
"query_module" "query_module"
], ],
"action": "SCMP_ACT_ERRNO", "action": "SCMP_ACT_ERRNO",
@ -799,10 +812,7 @@
{ {
"names": [ "names": [
"kcmp", "kcmp",
"process_madvise", "process_madvise"
"process_vm_readv",
"process_vm_writev",
"ptrace"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [], "args": [],
@ -817,10 +827,7 @@
{ {
"names": [ "names": [
"kcmp", "kcmp",
"process_madvise", "process_madvise"
"process_vm_readv",
"process_vm_writev",
"ptrace"
], ],
"action": "SCMP_ACT_ERRNO", "action": "SCMP_ACT_ERRNO",
"args": [], "args": [],
@ -836,8 +843,8 @@
}, },
{ {
"names": [ "names": [
"iopl", "ioperm",
"ioperm" "iopl"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [], "args": [],
@ -851,8 +858,8 @@
}, },
{ {
"names": [ "names": [
"iopl", "ioperm",
"ioperm" "iopl"
], ],
"action": "SCMP_ACT_ERRNO", "action": "SCMP_ACT_ERRNO",
"args": [], "args": [],
@ -868,10 +875,10 @@
}, },
{ {
"names": [ "names": [
"settimeofday",
"stime",
"clock_settime", "clock_settime",
"clock_settime64" "clock_settime64",
"settimeofday",
"stime"
], ],
"action": "SCMP_ACT_ALLOW", "action": "SCMP_ACT_ALLOW",
"args": [], "args": [],
@ -885,10 +892,10 @@
}, },
{ {
"names": [ "names": [
"settimeofday",
"stime",
"clock_settime", "clock_settime",
"clock_settime64" "clock_settime64",
"settimeofday",
"stime"
], ],
"action": "SCMP_ACT_ERRNO", "action": "SCMP_ACT_ERRNO",
"args": [], "args": [],