containers-common-4:1-16

- use latest configs from upstream Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2021-04-12 08:59:58 -04:00 · 2021-04-12 08:59:58 -04:00 · c0dc80db85
commit c0dc80db85
parent 32e1915f4e
3 changed files with 69 additions and 22 deletions
--- a/containers-common.spec
+++ b/containers-common.spec
@ -15,7 +15,7 @@
 Epoch: 4
 Name: containers-common
 Version: 1
-Release: 15%{?dist}
+Release: 16%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 BuildArch: noarch
@ -52,6 +52,25 @@ which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
 separately.

 %prep
+cp %{SOURCE1} .
+cp %{SOURCE2} .
+cp %{SOURCE3} .
+cp %{SOURCE4} .
+cp %{SOURCE5} .
+cp %{SOURCE6} .
+cp %{SOURCE7} .
+cp %{SOURCE8} .
+cp %{SOURCE9} .
+cp %{SOURCE10} .
+cp %{SOURCE11} .
+cp %{SOURCE12} .
+cp %{SOURCE13} .
+cp %{SOURCE14} .
+cp %{SOURCE15} .
+cp %{SOURCE16} .
+cp %{SOURCE17} .
+cp %{SOURCE18} .
+cp %{SOURCE19} .

 %build

@ -59,31 +78,31 @@ separately.
 # install config and policy files for registries
 install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.conf.d,registries.d}
 install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
-install -m0644 %{_sourcedir}/default.yaml %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
-install -m0644 %{_sourcedir}/storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf
-install -m0644 %{_sourcedir}/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
-install -m0644 %{_sourcedir}/shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
-install -m0644 %{_sourcedir}/default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
+install -m0644 default.yaml %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
+install -m0644 storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf
+install -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
+install -m0644 shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
+install -m0644 default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json

 # install manpages
 install -dp %{buildroot}%{_mandir}/man5
-go-md2man -in %{_sourcedir}/containers-storage.conf.5.md -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
-go-md2man -in %{_sourcedir}/containers-registries.conf.5.md -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
-go-md2man -in %{_sourcedir}/containers-policy.json.5.md -out %{buildroot}%{_mandir}/man5/containers-policy.json.5
-go-md2man -in %{_sourcedir}/containers-mounts.conf.5.md -out %{buildroot}%{_mandir}/man5/containers-mounts.conf.5
-go-md2man -in %{_sourcedir}/containers-signature.5.md -out %{buildroot}%{_mandir}/man5/containers-signature.5
-go-md2man -in %{_sourcedir}/containers-transports.5.md -out %{buildroot}%{_mandir}/man5/containers-transports.5
-go-md2man -in %{_sourcedir}/containers-certs.d.5.md -out %{buildroot}%{_mandir}/man5/containers-certs.d.5
-go-md2man -in %{_sourcedir}/containers-registries.d.5.md -out %{buildroot}%{_mandir}/man5/containers-registries.d.5
-go-md2man -in %{_sourcedir}/containers.conf.5.md -out %{buildroot}%{_mandir}/man5/containers.conf.5
-go-md2man -in %{_sourcedir}/containers-auth.json.5.md -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
-go-md2man -in %{_sourcedir}/containers-registries.conf.d.5.md -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
+go-md2man -in containers-storage.conf.5.md -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
+go-md2man -in containers-registries.conf.5.md -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
+go-md2man -in containers-policy.json.5.md -out %{buildroot}%{_mandir}/man5/containers-policy.json.5
+go-md2man -in containers-mounts.conf.5.md -out %{buildroot}%{_mandir}/man5/containers-mounts.conf.5
+go-md2man -in containers-signature.5.md -out %{buildroot}%{_mandir}/man5/containers-signature.5
+go-md2man -in containers-transports.5.md -out %{buildroot}%{_mandir}/man5/containers-transports.5
+go-md2man -in containers-certs.d.5.md -out %{buildroot}%{_mandir}/man5/containers-certs.d.5
+go-md2man -in containers-registries.d.5.md -out %{buildroot}%{_mandir}/man5/containers-registries.d.5
+go-md2man -in containers.conf.5.md -out %{buildroot}%{_mandir}/man5/containers.conf.5
+go-md2man -in containers-auth.json.5.md -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
+go-md2man -in containers-registries.conf.d.5.md -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5

 # install config files for mounts, containers and seccomp
 install -dp %{buildroot}%{_datadir}/containers
-install -m0644 %{_sourcedir}/mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
-install -m0644 %{_sourcedir}/seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
-install -m0644 %{_sourcedir}/containers.conf %{buildroot}%{_datadir}/containers/containers.conf
+install -m0644 mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
+install -m0644 seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
+install -m0644 containers.conf %{buildroot}%{_datadir}/containers/containers.conf

 # install secrets patch directory
 install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
@ -115,6 +134,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %{_datadir}/rhel/secrets/*

 %changelog
+* Mon Apr 12 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-16
+- use latest configs from upstream
+
 * Fri Apr 09 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-15
 - pull latest files from upstream

--- a/containers-registries.conf.5.md
+++ b/containers-registries.conf.5.md
@ -34,10 +34,15 @@ Given an image name, a single `[[registry]]` TOML table is chosen based on its `
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
+  - [`*.`]_host_

    The user-specified image name must start with the specified `prefix` (and continue
    with the appropriate separator) for a particular `[[registry]]` TOML table to be
-    considered; (only) the TOML table with the longest match is used.
+    considered; (only) the TOML table with the longest match is used. It can
+    also include wildcarded subdomains in the format `*.example.com` along as mentioned
+    above. The wildcard should only be present at the beginning as shown in the formats
+    above. Other cases will not work. For example, `*.example.com` is valid but
+    `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.

    As a special case, the `prefix` field can be missing; if so, it defaults to the value
    of the `location` field (described below).
@ -77,6 +82,19 @@ internet without having to change `Dockerfile`s, or to add redundancy).
    requests for the image `example.com/foo/myimage:latest` will actually work with the
    `internal-registry-for-example.net/bar/myimage:latest` image.

+    With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
+    the location can be empty. In such a case,
+    prefix matching will occur, but no reference rewrite will occur. The
+    original requested image string will be used as-is. But other settings like
+    `insecure` / `blocked` / `mirrors` will be applied to matching images.
+
+    Example: Given
+    ```
+    prefix = "*.example.com"
+    ```
+    requests for the image `blah.example.com/foo/myimage:latest` will be used
+    as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
+
 `mirror`
 : An array of TOML tables specifying (possibly-partial) mirrors for the
    `prefix`-rooted namespace.
--- a/registries.conf
+++ b/registries.conf
@ -24,6 +24,9 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
 # # (only) the TOML table with the longest match for the input image name
 # # (taking into account namespace/repo/tag/digest separators) is used.
+# # 
+# # The prefix can also be of the form: *.example.com for wildcard subdomain
+# # matching.
 # #
 # # If the prefix field is missing, it defaults to be the same as the "location" field.
 # prefix = "example.com/foo"
@ -37,7 +40,7 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 #
 # # The physical location of the "prefix"-rooted namespace.
 # #
-# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
 # # and the [[registry]] TOML table can only specify "location").
 # #
 # # Example: Given
@ -45,6 +48,10 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 # #   location = "internal-registry-for-example.net/bar"
 # # requests for the image example.com/foo/myimage:latest will actually work with the
 # # internal-registry-for-example.net/bar/myimage:latest image.
+#
+# # The location can be empty iff prefix is in a
+# # wildcarded format: "*.example.com". In this case, the input reference will
+# # be used as-is without any rewrite.
 # location = internal-registry-for-example.com/bar"
 #
 # # (Possibly-partial) mirrors for the "prefix"-rooted namespace.