From bb15f9dd761b44a959f8c66cb2676107c8c7c25b Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Thu, 10 Nov 2022 10:27:54 +0100
Subject: [PATCH] containers-common-1-46.el9
- The NET_RAW capability was required in RHEL8 but no longer required in RHEL9
- Resolves: #2141531
Signed-off-by: Jindrich Novy
---
 containers-common.spec | 6 +++++-
 containers.conf | 1 -
 default.yaml | 14 ++++++++------
 update.sh | 10 +++++-----
 4 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/containers-common.spec b/containers-common.spec
index 76ed7f0..579fb46 100644
--- a/containers-common.spec
+++ b/containers-common.spec
@@ -12,7 +12,7 @@
 Epoch: 2
 Name: containers-common
 Version: 1
-Release: 45%{?dist}
+Release: 46%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 ExclusiveArch: %{go_arches}
@@ -170,6 +170,10 @@ EOF
 %{_datadir}/rhel/secrets/*
 %changelog
+* Thu Nov 10 2022 Jindrich Novy - 2:1-46
+- The NET_RAW capability was required in RHEL8 but no longer required in RHEL9
+- Resolves: #2141531
+
 * Fri Oct 21 2022 Jindrich Novy - 2:1-45
 - add beta GPG key
 - Related: #2124478
diff --git a/containers.conf b/containers.conf
index ffea089..2160137 100644
--- a/containers.conf
+++ b/containers.conf
@@ -53,7 +53,6 @@
 # the default capabilities defined in the container engine will be added.
 #
 default_capabilities = [
- "NET_RAW",
 "CHOWN",
 "DAC_OVERRIDE",
 "FOWNER",
diff --git a/default.yaml b/default.yaml
index fa2ea36..a7f3d28 100644
--- a/default.yaml
+++ b/default.yaml
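Review bot: Dropping `"NET_RAW",` from `default_capabilities` changes the capability set every container started from this file receives, and the shipped file gives no hint that the omission is deliberate, so a later maintainer may read it as an oversight and put the entry back. A one-line comment inside the list would record the decision where it is read: `# NET_RAW is deliberately absent on RHEL 9 (#2141531); grant it per container with --cap-add when a workload needs raw sockets`. The remaining entries after `"FOWNER",` and the closing bracket of the list are outside the hunk.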
@@ -1,8 +1,8 @@
 # This is a default registries.d configuration file. You may
 # add to this file or create additional files in registries.d/.
 #
-# lookaside: indicates a location that is read and write
-# lookaside-staging: indicates a location that is only for write
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
 #
 # lookaside and lookaside-staging take a value of the following:
 # lookaside: {schema}://location
@@ -10,10 +10,12 @@
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.
-# This is the default signature write location for docker registries.
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
 default-docker:
-# lookaside: file:///var/lib/containers/sigstore
- lookaside-staging: file:///var/lib/containers/sigstore
+# lookaside: https://…
+# lookaside-staging: file:///…
 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
@@ -21,6 +23,6 @@ default-docker:
 # docker:
 #
 # privateregistry.com:
-# lookaside: http://privateregistry.com/sigstore/
+# lookaside: https://privateregistry.com/sigstore/
 # lookaside-staging: /mnt/nfs/privateregistry/sigstore
diff --git a/update.sh b/update.sh
index 2e83bac..04b601a 100755
--- a/update.sh
+++ b/update.sh
@@ -31,6 +31,11 @@ ensure containers.conf runtime \"runc\"
 ensure containers.conf events_logger \"file\"
 ensure containers.conf log_driver \"k8s-file\"
 ensure containers.conf network_backend \"cni\"
+if ! grep \"NET_RAW\" containers.conf > /dev/null
+then
+ sed -i '/^default_capabilities/a \
+ "NET_RAW",' containers.conf
+fi
 else
 ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
 ensure registries.conf short-name-mode \"enforcing\"
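Review bot: With the explicit `lookaside-staging:` entry removed in the second hunk, `default-docker:` no longer sets any location and the new comment is the only statement of where simple-signing signatures are read and written, describing defaults that come from the containers/image library rather than from this file. That ties the documented root and non-root paths to the library version the package is built against, which this diff does not show; if that version does not provide the non-root default, the comment would describe behaviour the system does not have. Worth confirming against the packaged library version before the comment ships as the reference for this file.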
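Review bot: The added block re-inserts `"NET_RAW",` into containers.conf only in the branch that also forces `runc`, `cni` and the `file` event logger, while the `else` branch now yields a containers.conf without it; the `if` selecting the branch starts before the hunk, so whether this is the RHEL 8 path named in the commit message cannot be confirmed from here, and a comment on the block would settle it for the next reader, e.g. `# RHEL 8 keeps NET_RAW in default_capabilities (#2141531); RHEL 9 does not`. Two smaller points on the guard: `grep -q` is the idiomatic form of the `> /dev/null` redirect, and the current pattern also matches a commented-out entry, so `if ! grep -q '^ *"NET_RAW",' containers.conf` would avoid skipping the insert when the entry survives only as a comment. The `sed` appends directly after the `default_capabilities` line, which is the position the containers.conf hunk removes the entry from, so the two files stay consistent for that branch.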
@@ -40,8 +45,3 @@ fi
 "keyctl",' seccomp.json
 sed -i '/\"socketcall\",/i \
 "socket",' seccomp.json
-if ! grep \"NET_RAW\" containers.conf > /dev/null
-then
- sed -i '/^default_capabilities/a \
- "NET_RAW",' containers.conf
-fi