local build

This commit is contained in:
Daniel J Walsh 2023-07-22 08:22:44 -04:00
parent 3b7f3c2477
commit b52142f2b4
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
4 changed files with 110 additions and 19 deletions


@ -61,18 +61,41 @@ The global `default` set of policy requirements is mandatory; all of the other f
<!-- NOTE: Keep this in sync with transports/transports.go! --> <!-- NOTE: Keep this in sync with transports/transports.go! -->
## Supported transports and their scopes ## Supported transports and their scopes
See containers-transports(5) for general documentation about the transports and their reference syntax.
### `atomic:` ### `atomic:`
The `atomic:` transport refers to images in an Atomic Registry. The deprecated `atomic:` transport refers to images in an Atomic Registry.
Supported scopes use the form _hostname_[`:`_port_][`/`_namespace_[`/`_imagestream_ [`:`_tag_]]], Supported scopes use the form _hostname_[`:`_port_][`/`_namespace_[`/`_imagestream_ [`:`_tag_]]],
i.e. either specifying a complete name of a tagged image, or prefix denoting i.e. either specifying a complete name of a tagged image, or prefix denoting
a host/namespace/image stream or a wildcarded expression for matching all a host/namespace/image stream, or a wildcarded expression starting with `*.` for matching all
subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not. subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.
*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used *Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used
e.g. for `docker pull`), _not_ to the OpenShift API host and port. e.g. for `docker pull`), _not_ to the OpenShift API host and port.
### `containers-storage:`
Supported scopes have the form `[`_storage-specifier_`]`_image-scope_.
`[`_storage-specifier_`]` is usually `[`_graph-driver-name_`@`_graph-root_`]`, e.g. `[overlay@/var/lib/containers/storage]`.
_image-scope_ matching the individual image is
- a named Docker reference *in the fully expanded form*, either using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`)
- and/or (depending on which one the users input provides) `@`_image-id_
More general scopes are prefixes of individual-image scopes, and specify a less-precisely-specified image, or a repository
(by omitting first the image ID, if any; then the digest, if any; and finally a tag, if any),
a repository namespace, or a registry host (by only specifying the host name and possibly a port number).
Finally, two full-store specifiers matching all images in the store are valid scopes:
- `[`_graph-driver-name_`@`_graph-root_`]` and
- `[`_graph-root_`]`
Note that some tools like Podman and Buildah hard-code overrides of the signature verification policy for “push” operations,
allowing these oprations regardless of configuration in `policy.json`.
### `dir:` ### `dir:`
The `dir:` transport refers to images stored in local directories. The `dir:` transport refers to images stored in local directories.
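Review bot: two typos in the new `containers-storage:` text: "allowing these oprations regardless" should read "operations", and "depending on which one the users input provides" should read "the user's input". The sentence that Podman and Buildah hard-code overrides of the signature verification policy for "push" operations is the most security-relevant line in this section; consider saying explicitly which operations are still governed by `policy.json`, so a reader does not take it to mean the policy is bypassed more broadly than the line states.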
@ -80,9 +103,9 @@ The `dir:` transport refers to images stored in local directories.
Supported scopes are paths of directories (either containing a single image or Supported scopes are paths of directories (either containing a single image or
subdirectories possibly containing images). subdirectories possibly containing images).
*Note:* The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored. *Note:*
- The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
The top-level scope `"/"` is forbidden; use the transport default scope `""`, - The top-level scope `"/"` is forbidden; use the transport default scope `""`,
for consistency with other transports. for consistency with other transports.
### `docker:` ### `docker:`
@ -93,24 +116,73 @@ Scopes matching individual images are named Docker references *in the fully expa
using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`). using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
a repository namespace, or a registry host (by only specifying the host name) a repository namespace, or a registry host (by only specifying the host name and possibly a port number)
or a wildcarded expression for matching all subdomains. For wildcarded subdomain or a wildcarded expression starting with `*.`, for matching all subdomains (not including a port number). For wildcarded subdomain
matching, `*.example.com` is a valid case, but `example*.*.com` is not.
### `docker-archive:`
Only the default `""` scope is supported.
### `docker-daemon:`
For references using the _algo:digest_ format (referring to an image ID), only the default `""` scope is used.
For images using a named reference, scopes matching individual images are *in the fully expanded form*, either
using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
More general named scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
a repository namespace, or a registry host (by only specifying the host name and possibly a port number)
or a wildcarded expression starting with `*.`, for matching all subdomains (not including a port number). For wildcarded subdomain
matching, `*.example.com` is a valid case, but `example*.*.com` is not. matching, `*.example.com` is a valid case, but `example*.*.com` is not.
### `oci:` ### `oci:`
The `oci:` transport refers to images in directories compliant with "Open Container Image Layout Specification". The `oci:` transport refers to images in directories compliant with "Open Container Image Layout Specification".
Supported scopes use the form _directory_`:`_tag_, and _directory_ referring to Supported scopes are paths to directories
a directory containing one or more tags, or any of the parent directories. (either containing an OCI layout, or subdirectories possibly containing OCI layout directories).
The _reference_ annotation value, if any, is not used.
*Note:* See `dir:` above for semantics and restrictions on the directory paths, they apply to `oci:` equivalently. *Note:*
- The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
- The top-level scope `"/"` is forbidden; use the transport default scope `""`,
for consistency with other transports.
### `oci-archive:`
Supported scopes are paths to OCI archives, and their parent directories
(either containing a single archive, or subdirectories possibly containing archives).
The _reference_ annotation value, if any, is not used.
*Note:*
- The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
- The top-level scope `"/"` is forbidden; use the transport default scope `""`,
for consistency with other transports.
### `ostree`:
Supported scopes have the form _repo-path_`:`_image-scope_; _repo_path_ is the path to the OSTree repository.
_image-scope_ is the _docker_reference_ part of the reference, with with a `:latest` tag implied if no tag is present,
and parent namespaces of the _docker_reference_ value (by omitting the tag, or a prefix speciyfing a higher-level namespace).
*Note:*
- The _repo_path_ must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
### `sif:`
Supported scopes are paths to Singularity images, and their parent directories
(either containing images, or subdirectories possibly containing images).
*Note:*
- The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
- The top-level scope `"/"` is forbidden; use the transport default scope `""`,
for consistency with other transports.
### `tarball:` ### `tarball:`
The `tarball:` transport refers to tarred up container root filesystems. The `tarball:` transport is an implementation detail of some import workflows. Only the default `""` scope is supported.
Scopes are ignored.
## Policy Requirements ## Policy Requirements
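Review bot: the new `ostree` heading is formatted differently from its neighbours: `### `ostree`:` puts the colon outside the backticks, whereas `### `oci:``, `### `sif:`` and the others keep it inside; use `### `ostree:``. In the same section, the repository path is spelled both _repo-path_ and _repo_path_ (three occurrences; pick one), "with with a `:latest` tag implied" doubles "with", and "a prefix speciyfing a higher-level namespace" should be "specifying".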


@ -16,6 +16,8 @@ they are evaluated. For example: if evaluated on a remote server, image names
might refer to paths on that server; relative paths are relative to the current might refer to paths on that server; relative paths are relative to the current
directory of the image consumer. directory of the image consumer.
<!-- atomic: is deprecated and not documented here. -->
### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]} ### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]}
An image located in a local containers storage. An image located in a local containers storage.
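Review bot: the deprecation of `atomic:` is recorded only in an HTML comment, which does not reach the rendered man page; a user who still has `atomic:` entries in `policy.json` or in a transport reference gets no hint from this document that the transport is deprecated. Consider a one-line visible note, e.g. "The `atomic:` transport is deprecated and no longer documented here."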
@ -54,7 +56,7 @@ Alternatively, for reading archives, @_source-index_ is a zero-based index in ar
(to access untagged images). (to access untagged images).
If neither _docker-reference_ nor @_source_index is specified when reading an archive, the archive must contain exactly one image. If neither _docker-reference_ nor @_source_index is specified when reading an archive, the archive must contain exactly one image.
It is further possible to copy data to stdin by specifying `docker-archive:/dev/stdin` but note that the used file must be seekable. The _path_ can refer to a stream, e.g. `docker-archive:/dev/stdin`.
### **docker-daemon:**_docker-reference|algo:digest_ ### **docker-daemon:**_docker-reference|algo:digest_
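Review bot: the replaced sentence stated a constraint ("the used file must be seekable") that the new wording "The _path_ can refer to a stream, e.g. `docker-archive:/dev/stdin`" drops without saying whether it still applies. If the seekability requirement was lifted, say so; if it still holds, keep the caveat, since a non-seekable stdin failing at read time is exactly the case a reader of this line needs to know about. Unrelated to this change, but adjacent context spells the index both as @_source-index_ and @_source_index; worth aligning while touching the section.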
@ -66,21 +68,31 @@ The _algo:digest_ refers to the image ID reported by docker-inspect(1).
An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_. An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_.
_Path_ terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_. The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
Specify a _reference_ to allow storing multiple images within the same _path_. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an image, the directory must contain exactly one image.
### **oci-archive:**_path[:reference]_ ### **oci-archive:**_path[:reference]_
An image in a tar(1) archive with contents compliant with the "Open Container Image Layout Specification" at _path_. An image in a tar(1) archive with contents compliant with the "Open Container Image Layout Specification" at _path_.
_Path_ terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_. The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
Specify a _reference_ to allow storing multiple images within the same _path_. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an archive, the archive must contain exactly one image.
### **ostree:**_docker-reference[@/absolute/repo/path]_ ### **ostree:**_docker-reference[@/absolute/repo/path]_
An image in the local ostree(1) repository. An image in the local ostree(1) repository.
_/absolute/repo/path_ defaults to _/ostree/repo_. _/absolute/repo/path_ defaults to _/ostree/repo_.
### **sif:**_path_
An image using the Singularity image format at _path_.
Only reading images is supported, and not all scripts can be represented in the OCI format.
<!-- tarball: can only usefully be used from Go callers who call tarballReference.ConfigUpdate, and is not documented here. -->
## Examples ## Examples
The following examples demonstrate how some of the containers transports can be used. The following examples demonstrate how some of the containers transports can be used.
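Review bot: the new `sif:` entry says "Only reading images is supported, and not all scripts can be represented in the OCI format", which leaves unclear what "scripts" refers to (the Singularity definition-file sections? runscripts?) and what happens to the parts that cannot be represented (dropped silently, or an error). One sentence naming what is carried over and what is discarded would make the entry usable.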


@ -669,6 +669,9 @@ log_driver = "journald"
# A value of 0 is treated as no timeout. # A value of 0 is treated as no timeout.
#volume_plugin_timeout = 5 #volume_plugin_timeout = 5
# Default timeout in seconds for podmansh logins.
#podmansh_timeout = 30
# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
[engine.runtimes] [engine.runtimes]
#crun = [ #crun = [
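Review bot: the new `#podmansh_timeout = 30` comment gives the default but not the meaning of `0`, while the option directly above documents "A value of 0 is treated as no timeout." State the same for `podmansh_timeout` (or that `0` is invalid), so the two adjacent timeouts are not assumed to behave alike without confirmation.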


@ -730,6 +730,10 @@ depend on the compression format used. For gzip, valid options are
1-9, with a default of 5. For zstd, valid options are 1-20, with a 1-9, with a default of 5. For zstd, valid options are 1-20, with a
default of 3. default of 3.
**podmansh_timeout**=30
Number of seconds to wait for podmansh logins.
## SERVICE DESTINATION TABLE ## SERVICE DESTINATION TABLE
The `engine.service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. The `engine.service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
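Review bot: the man-page entry `**podmansh_timeout**=30` / "Number of seconds to wait for podmansh logins." does not say what happens when the timeout expires (login refused, session terminated) or what value means no timeout; add one sentence so the documented behaviour matches what the `containers.conf` comment for the same key will be expected to describe.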