containers-common-1-46.el9

- The NET_RAW capability was required in RHEL8 but no longer required in RHEL9 - Resolves: #2141531 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2022-11-10 10:27:54 +01:00 · 2022-11-10 10:27:54 +01:00 · bb15f9dd76
commit bb15f9dd76
parent 1967e20216
4 changed files with 18 additions and 13 deletions
--- a/containers-common.spec
+++ b/containers-common.spec
@ -12,7 +12,7 @@
 Epoch: 2
 Name: containers-common
 Version: 1
-Release: 45%{?dist}
+Release: 46%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 ExclusiveArch: %{go_arches}
@ -170,6 +170,10 @@ EOF
 %{_datadir}/rhel/secrets/*

 %changelog
+* Thu Nov 10 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-46
+- The NET_RAW capability was required in RHEL8 but no longer required in RHEL9
+- Resolves: #2141531
+
 * Fri Oct 21 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-45
 - add beta GPG key
 - Related: #2124478
--- a/containers.conf
+++ b/containers.conf
@ -53,7 +53,6 @@
 # the default capabilities defined in the container engine will be added.
 #
 default_capabilities = [
-    "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
--- a/default.yaml
+++ b/default.yaml
@ -1,8 +1,8 @@
 # This is a default registries.d configuration file.  You may
 # add to this file or create additional files in registries.d/.
 #
-# lookaside: indicates a location that is read and write
-# lookaside-staging: indicates a location that is only for write
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
 #
 # lookaside and lookaside-staging take a value of the following:
 #   lookaside:  {schema}://location
@ -10,10 +10,12 @@
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.

-# This is the default signature write location for docker registries.
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
 default-docker:
-#  lookaside: file:///var/lib/containers/sigstore
-  lookaside-staging: file:///var/lib/containers/sigstore
+#  lookaside: https://…
+#  lookaside-staging: file:///…

 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
@ -21,6 +23,6 @@ default-docker:
 # docker:
 #
 #   privateregistry.com:
-#    lookaside: http://privateregistry.com/sigstore/
+#    lookaside: https://privateregistry.com/sigstore/
 #    lookaside-staging: /mnt/nfs/privateregistry/sigstore

--- a/update.sh
+++ b/update.sh
@ -31,6 +31,11 @@ ensure containers.conf runtime                       \"runc\"
 ensure containers.conf events_logger                 \"file\"
 ensure containers.conf log_driver                    \"k8s-file\"
 ensure containers.conf network_backend               \"cni\"
+if ! grep \"NET_RAW\" containers.conf > /dev/null
+then
+  sed -i '/^default_capabilities/a \
+    "NET_RAW",' containers.conf
+fi
 else
 ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
 ensure registries.conf short-name-mode               \"enforcing\"
@ -40,8 +45,3 @@ fi
 				"keyctl",' seccomp.json
 sed -i '/\"socketcall\",/i \
 				"socket",' seccomp.json
-if ! grep \"NET_RAW\" containers.conf > /dev/null
-then
-  sed -i '/^default_capabilities/a \
-    "NET_RAW",' containers.conf
-fi