Sync with containers-common 0.60.0

Resolves: RHEL-45611

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2024-07-29 10:52:48 +02:00
parent 741a7129b3
commit c8fda2b083
15 changed files with 392 additions and 341 deletions

.gitignore vendored

@ -0,0 +1 @@
/*.tar.gz


@ -1,9 +1,13 @@
pub 4096R/FD431D51 2009-10-22 The following public key can be used to verify RPM packages built and
Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 signed by Red Hat, Inc. This key is used for packages in Red Hat
uid Red Hat, Inc. (release key 2) <security@redhat.com> products shipped after November 2009, and for all updates to those
products.
Questions about this key should be sent to security@redhat.com.
pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com>
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF 0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
@ -31,4 +35,32 @@ OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw== dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
=zbHE =zbHE
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----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=UZd/
-----END PGP PUBLIC KEY BLOCK-----


@ -1,56 +1,76 @@
# Below definitions are used to deliver config files from a particular branch # Below definitions are used to deliver config files from a particular branch
# of c/image, c/common, c/storage vendored in all of Buildah, Podman and Skopeo. # of c/image, c/storage and c/shortnames vendored in all of Buildah, Podman and Skopeo.
# These vendored components must have the same version. If it is not the case, # These vendored components must have the same version. If it is not the case,
# pick the oldest version on c/image, c/common, c/storage vendored in # pick the oldest version on c/image, c/storage and c/shortnames vendored in
# Buildah/Podman/Skopeo. # Buildah/Podman/Skopeo.
%global image_branch main
%global common_branch v%{version} # Packit will automatically update the image and storage versions on Fedora and
%global storage_branch main # CentOS Stream dist-git PRs.
%global image_branch v5.30.2
%global storage_branch v1.53.0
%global shortnames_branch main %global shortnames_branch main
%global github_containers https://raw.githubusercontent.com/containers %global project containers
%global repo common
%global raw_github_url https://raw.githubusercontent.com/%{project}
%if %{defined copr_username}
%define copr_build 1
%endif
# See https://github.com/containers/netavark/blob/main/rpm/netavark.spec
# for netavark epoch
%if %{defined copr_build}
%define netavark_epoch 102
%else
%define netavark_epoch 2
%endif
Epoch: 5
Name: containers-common Name: containers-common
Version: 0.57.3 %if %{defined copr_build}
Epoch: 102
%else
Epoch: 2
%endif
# DO NOT TOUCH the Version string!
# The TRUE source of this specfile is:
# https://github.com/containers/common/blob/main/rpm/containers-common.spec
# If that's what you're reading, Version must be 0, and will be updated by Packit for
# copr and koji builds.
# If you're reading this on dist-git, the version is automatically filled in by Packit.
Version: 0.60.0
Release: %autorelease Release: %autorelease
License: Apache-2.0 License: Apache-2.0
BuildArch: noarch BuildArch: noarch
# for BuildRequires: go-md2man # for BuildRequires: go-md2man
ExclusiveArch: %{golang_arches} noarch ExclusiveArch: %{golang_arches} noarch
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
BuildRequires: git-core
BuildRequires: go-md2man BuildRequires: go-md2man
Provides: skopeo-containers = %{epoch}:%{version}-%{release} Provides: skopeo-containers = %{epoch}:%{version}-%{release}
Recommends: (container-selinux >= 2:2.162.1 if selinux-policy) Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
Recommends: fuse-overlayfs Suggests: fuse-overlayfs
Requires: (fuse-overlayfs if fedora-release-identity-server) URL: https://github.com/%{project}/%{repo}
# SourceN files fetched from upstream Source0: %{url}/archive/v%{version_no_tilde}.tar.gz
# GPG key and registry configs taken from RH Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md
Source1: %{github_containers}/common/%{common_branch}/docs/containers.conf.5.md Source2: %{raw_github_url}/image/%{image_branch}/docs/containers-certs.d.5.md
Source2: %{github_containers}/common/%{common_branch}/pkg/config/containers.conf Source3: %{raw_github_url}/image/%{image_branch}/docs/containers-policy.json.5.md
Source3: %{github_containers}/common/%{common_branch}/pkg/seccomp/seccomp.json Source4: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.5.md
Source4: %{github_containers}/common/%{common_branch}/pkg/subscriptions/mounts.conf Source5: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source5: %{github_containers}/image/%{image_branch}/docs/containers-auth.json.5.md Source6: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.d.5.md
Source6: %{github_containers}/image/%{image_branch}/docs/containers-certs.d.5.md Source7: %{raw_github_url}/image/%{image_branch}/docs/containers-signature.5.md
Source7: %{github_containers}/image/%{image_branch}/docs/containers-policy.json.5.md Source8: %{raw_github_url}/image/%{image_branch}/docs/containers-transports.5.md
Source8: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.5.md Source9: %{raw_github_url}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source9: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.d.5.md Source10: %{raw_github_url}/shortnames/%{shortnames_branch}/shortnames.conf
Source10: %{github_containers}/image/%{image_branch}/docs/containers-registries.d.5.md Source11: %{raw_github_url}/image/%{image_branch}/default.yaml
Source11: %{github_containers}/image/%{image_branch}/docs/containers-signature.5.md Source12: default-policy.json
Source12: %{github_containers}/image/%{image_branch}/docs/containers-transports.5.md Source13: %{raw_github_url}/image/%{image_branch}/registries.conf
Source13: %{github_containers}/image/%{image_branch}/registries.conf Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
Source14: %{github_containers}/common/%{common_branch}/docs/containers-mounts.conf.5.md # Fetch RPM-GPG-KEY-redhat-release from the authoritative source instead of storing
Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf # a copy in repo or dist-git. Depending on distribution-gpg-keys rpm is also
Source16: %{github_containers}/image/%{image_branch}/default.yaml # not an option because that package doesn't exist on CentOS Stream.
Source17: %{github_containers}/image/%{image_branch}/default-policy.json Source15: https://access.redhat.com/security/data/fd431d51.txt
Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
Source20: RPM-GPG-KEY-redhat-release
Source21: registry.access.redhat.com.yaml
Source22: registry.redhat.io.yaml
Source23: %{github_containers}/common/%{common_branch}/docs/Containerfile.5.md
Source24: %{github_containers}/common/%{common_branch}/docs/containerignore.5.md
Source25: %{github_containers}/common/%{common_branch}/docs/links/.containerignore.5
%description %description
This package contains common configuration files and documentation for container This package contains common configuration files and documentation for container
@ -65,97 +85,94 @@ Summary: Extra dependencies for Podman and Buildah
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: container-network-stack Requires: container-network-stack
Requires: oci-runtime Requires: oci-runtime
Requires: nftables
Requires: passt
%if %{defined fedora}
Requires: iptables
Conflicts: podman < 5:5.0.0~rc4-1
Recommends: composefs
Recommends: crun Recommends: crun
Requires: (crun if fedora-release-identity-server) Requires: (crun if fedora-release-identity-server)
Recommends: netavark >= 1.10.2-1 Requires: netavark >= %{netavark_epoch}:1.10.3-1
Requires: (netavark >= 1.10.2-1 if fedora-release-identity-server) Suggests: slirp4netns
Recommends: slirp4netns
Requires: (slirp4netns if fedora-release-identity-server)
Recommends: passt
Requires: (passt if fedora-release-identity-server)
Requires: iptables
Requires: nftables
Recommends: qemu-user-static Recommends: qemu-user-static
Requires: (qemu-user-static-aarch64 if fedora-release-identity-server) Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
Requires: (qemu-user-static-arm if fedora-release-identity-server) Requires: (qemu-user-static-arm if fedora-release-identity-server)
Requires: (qemu-user-static-x86 if fedora-release-identity-server) Requires: (qemu-user-static-x86 if fedora-release-identity-server)
%endif
%description extra %description extra
This subpackage will handle dependencies common to Podman and Buildah which are This subpackage will handle dependencies common to Podman and Buildah which are
not required by Skopeo. not required by Skopeo.
%prep %prep
cp %{SOURCE1} . %autosetup -Sgit -n %{repo}-%{version_no_tilde}
cp %{SOURCE2} .
cp %{SOURCE3} .
cp %{SOURCE4} .
cp %{SOURCE5} .
cp %{SOURCE6} .
cp %{SOURCE7} .
cp %{SOURCE8} .
cp %{SOURCE9} .
cp %{SOURCE10} .
cp %{SOURCE11} .
cp %{SOURCE12} .
cp %{SOURCE13} .
cp %{SOURCE14} .
cp %{SOURCE15} 000-shortnames.conf
cp %{SOURCE16} .
cp %{SOURCE17} policy.json
cp %{SOURCE18} .
cp %{SOURCE19} .
cp %{SOURCE20} .
cp %{SOURCE21} .
cp %{SOURCE22} .
cp %{SOURCE23} .
cp %{SOURCE24} .
cp %{SOURCE25} .
%if 0%{?rhel} <= 8 # Copy manpages to docs subdir in builddir to build before installing.
sed -i 's/log_driver = "journald"/#log_driver = "journald"/' containers.conf cp %{SOURCE1} docs/.
%endif cp %{SOURCE2} docs/.
cp %{SOURCE3} docs/.
cp %{SOURCE4} docs/.
cp %{SOURCE5} docs/.
cp %{SOURCE6} docs/.
cp %{SOURCE7} docs/.
cp %{SOURCE8} docs/.
cp %{SOURCE9} docs/.
# Copy config files to builddir to patch them before installing.
# Currently, only registries.conf and storage.conf files are patched before
# installing.
cp %{SOURCE10} shortnames.conf
cp %{SOURCE13} registries.conf
cp %{SOURCE14} storage.conf
# Fine-grain distro- and release-specific tuning of config files,
# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
bash rpm/update-config-files.sh
%build %build
mkdir -p man5 mkdir -p man5
for FILE in $(ls *.5.md); do for i in docs/*.5.md; do
go-md2man -in $FILE -out man5/$(basename $FILE .md) go-md2man -in $i -out man5/$(basename $i .md)
done done
cp man5/containerignore.5 man5/.containerignore.5
%install %install
# install config and policy files for registries # install config and policy files for registries
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd} install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd}
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -dp %{buildroot}%{_datadir}/containers/systemd install -dp %{buildroot}%{_datadir}/containers/systemd
install -dp %{buildroot}%{_prefix}/lib/containers/storage
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
install -Dp -m0644 default.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d install -Dp -m0644 shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -Dp -m0644 storage.conf -t %{buildroot}%{_datadir}/containers install -Dp -m0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -Dp -m0644 registries.conf -t %{buildroot}%{_sysconfdir}/containers install -Dp -m0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/containers/policy.json
install -Dp -m0644 000-shortnames.conf -t %{buildroot}%{_sysconfdir}/containers/registries.conf.d install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
install -Dp -m0644 policy.json -t %{buildroot}%{_sysconfdir}/containers install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf
# RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on # RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on
# fedora and centos # fedora and centos
%if 0%{?fedora} || 0%{?centos} %if %{defined fedora} || %{defined centos}
install -Dp -m0644 RPM-GPG-KEY-redhat-release -t %{buildroot}%{_sysconfdir}/pki/rpm-gpg install -Dp -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
%endif %endif
install -Dp -m0644 registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
install -Dp -m0644 registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
install -Dp -m0644 contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
install -Dp -m0644 contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
# install manpages # install manpages
for FILE in $(ls -a man5 | grep 5); do install -dp %{buildroot}%{_mandir}/man5
install -Dp -m0644 man5/$FILE -t %{buildroot}%{_mandir}/man5 for i in man5/*.5; do
install -Dp -m0644 $i -t %{buildroot}%{_mandir}/man5
done done
ln -s containerignore.5 %{buildroot}%{_mandir}/man5/.containerignore.5
# install config files for mounts, containers and seccomp # install config files for mounts, containers and seccomp
install -m0644 mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf install -m0644 pkg/subscriptions/mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
install -m0644 seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json install -m0644 pkg/seccomp/seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
install -m0644 containers.conf %{buildroot}%{_datadir}/containers/containers.conf install -m0644 pkg/config/containers.conf %{buildroot}%{_datadir}/containers/containers.conf
# install secrets patch directory # install secrets patch directory
install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
@ -172,6 +189,7 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%dir %{_sysconfdir}/containers/registries.conf.d %dir %{_sysconfdir}/containers/registries.conf.d
%dir %{_sysconfdir}/containers/registries.d %dir %{_sysconfdir}/containers/registries.d
%dir %{_sysconfdir}/containers/systemd %dir %{_sysconfdir}/containers/systemd
%dir %{_prefix}/lib/containers
%dir %{_prefix}/lib/containers/storage %dir %{_prefix}/lib/containers/storage
%dir %{_prefix}/lib/containers/storage/overlay-images %dir %{_prefix}/lib/containers/storage/overlay-images
%dir %{_prefix}/lib/containers/storage/overlay-layers %dir %{_prefix}/lib/containers/storage/overlay-layers
@ -185,8 +203,8 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
%endif %endif
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml %config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml %config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
%ghost %{_sysconfdir}/containers/storage.conf %ghost %{_sysconfdir}/containers/storage.conf
%ghost %{_sysconfdir}/containers/containers.conf %ghost %{_sysconfdir}/containers/containers.conf
%dir %{_sharedstatedir}/containers/sigstore %dir %{_sharedstatedir}/containers/sigstore
@ -200,6 +218,7 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%{_datadir}/containers/containers.conf %{_datadir}/containers/containers.conf
%{_datadir}/containers/mounts.conf %{_datadir}/containers/mounts.conf
%{_datadir}/containers/seccomp.json %{_datadir}/containers/seccomp.json
%dir %{_datadir}/rhel
%dir %{_datadir}/rhel/secrets %dir %{_datadir}/rhel/secrets
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
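Review bot: `%{SOURCE15}` is installed verbatim as `%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` by the `install` under `%if %{defined fedora} || %{defined centos}`, but nothing in `%prep` confirms that the fetched fd431d51.txt actually carries the key with fingerprint `567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51` shown in the adjacent key file; if the download is ever refreshed with different content, that would presumably surface only as a changed lookaside checksum, which is easy to accept without inspection. Consider a check in `%prep` ahead of the copy steps, e.g. `gpg2 --show-keys --with-colons --with-fingerprint %{SOURCE15} | grep -q '^fpr:.*:567E347AD0044ADE55BA8A5F199E2F91FD431D51:$'` together with `BuildRequires: gnupg2` if that build dependency is acceptable, or at minimum a comment beside `Source15` recording the expected fingerprint so a re-fetched file can be verified by hand. As a point of style, the `%build` loop passes `$i` unquoted to `go-md2man` and `basename`; writing `"$i"` costs nothing and keeps the loop correct should the docs path ever contain whitespace.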


@ -19,6 +19,12 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
`credential-helpers` `credential-helpers`
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified. : An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.
`additional-layer-store-auth-helper`
: A string containing the helper binary name. This enables passing registry credentials to an
Additional Layer Store every time an image is read using the `docker://`
transport so that it can access private registries. See the 'Enabling Additional Layer Store to access to private registries' section below for
more details.
### NAMESPACED `[[registry]]` SETTINGS ### NAMESPACED `[[registry]]` SETTINGS
The bulk of the configuration is represented as an array of `[[registry]]` The bulk of the configuration is represented as an array of `[[registry]]`
@ -254,6 +260,30 @@ in order, and use the first one that exists.
Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered. Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.
### Enabling Additional Layer Store to access to private registries
The `additional-layer-store-auth-helper` option enables passing registry
credentials to an Additional Layer Store so that it can access private registries.
When accessing a private registry via an Additional Layer Store, a helper binary needs to be provided. This helper binary is
registered via the `additional-layer-store-auth-helper` option. Every time an image
is read using the `docker://` transport, the specified helper binary is executed
and receives registry credentials from stdin in the following format.
```json
{
"$image_reference": {
"username": "$username",
"password": "$password",
"identityToken": "$identityToken"
}
}
```
The format of `$image_reference` is `$repo{:$tag|@$digest}`.
Additional Layer Stores can use this helper binary to access the private registry.
## VERSION 1 FORMAT - DEPRECATED ## VERSION 1 FORMAT - DEPRECATED
VERSION 1 format is still supported but it does not support VERSION 1 format is still supported but it does not support
using registry mirrors, longest-prefix matches, or location rewriting. using registry mirrors, longest-prefix matches, or location rewriting.


@ -27,7 +27,7 @@ No bare options are used. The format of TOML can be simplified to:
The `storage` table supports the following options: The `storage` table supports the following options:
**driver**="" **driver**=""
Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
This field is required to guarantee proper operation. This field is required to guarantee proper operation.
Valid rootless drivers are "btrfs", "overlay", and "vfs". Valid rootless drivers are "btrfs", "overlay", and "vfs".
Rootless users default to the driver defined in the system configuration when possible. Rootless users default to the driver defined in the system configuration when possible.
@ -84,7 +84,7 @@ The `storage.options` table supports the following options:
**additionalimagestores**=[] **additionalimagestores**=[]
Paths to additional container image stores. Usually these are read/only and stored on remote network shares. Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} **pull_options** = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
Allows specification of how storage is populated when pulling images. This Allows specification of how storage is populated when pulling images. This
option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks
@ -95,7 +95,7 @@ container registry. These options can deduplicate pulling of content, disk
storage of content and can allow the kernel to use less memory when running storage of content and can allow the kernel to use less memory when running
containers. containers.
containers/storage supports three keys containers/storage supports four keys
* enable_partial_images="true" | "false" * enable_partial_images="true" | "false"
Tells containers/storage to look for files previously pulled in storage Tells containers/storage to look for files previously pulled in storage
rather then always pulling them from the container registry. rather then always pulling them from the container registry.
@ -107,28 +107,10 @@ containers/storage supports three keys
previously pulled content which can be used when attempting to avoid previously pulled content which can be used when attempting to avoid
pulling content from the container registry pulling content from the container registry
* convert_images = "false" | "true" * convert_images = "false" | "true"
If set to true, containers/storage will convert images to the a format compatible with If set to true, containers/storage will convert images to a format compatible with
partial pulls in order to take advantage of local deduplication and hardlinking. It is an partial pulls in order to take advantage of local deduplication and hardlinking. It is an
expensive operation so it is not enabled by default. expensive operation so it is not enabled by default.
**remap-uids=**""
**remap-gids=**""
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
Example
remap-uids = "0:1668442479:65536"
remap-gids = "0:1668442479:65536"
These mappings tell the container engines to map UID 0 inside of the container to UID 1668442479 outside. UID 1 will be mapped to 1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533 UIDs in succession.
**remap-user**=""
**remap-group**=""
Remap-User/Group is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting with an in-container ID of 0 and then a host-level ID taken from the lowest range that matches the specified name, and using the length of that range. Additional ranges are then assigned, using the ranges which specify the lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, until all of the entries have been used for maps. This setting overrides the Remap-UIDs/GIDs setting.
Example
remap-user = "containers"
remap-group = "containers"
**root-auto-userns-user**="" **root-auto-userns-user**=""
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless. Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.
@ -158,66 +140,6 @@ The `storage.options.btrfs` table supports the following options:
**size**="" **size**=""
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
### STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
The `storage.options.thinpool` table supports the following options for the `devicemapper` driver:
**autoextend_percent**=""
Tells the thinpool driver the amount by which the thinpool needs to be grown. This is specified in terms of % of pool size. So a value of 20 means that when threshold is hit, pool will be grown by 20% of existing pool size. (default: 20%)
**autoextend_threshold**=""
Tells the driver the thinpool extension threshold in terms of percentage of pool size. For example, if threshold is 60, that means when pool is 60% full, threshold has been hit. (default: 80%)
**basesize**=""
Specifies the size to use when creating the base device, which limits the size of images and containers. (default: 10g)
**blocksize**=""
Specifies a custom blocksize to use for the thin pool. (default: 64k)
**directlvm_device**=""
Specifies a custom block storage device to use for the thin pool. Required for using graphdriver `devicemapper`.
**directlvm_device_force**=""
Tells driver to wipe device (directlvm_device) even if device already has a filesystem. (default: false)
**fs**="xfs"
Specifies the filesystem type to use for the base device. (default: xfs)
**log_level**=""
Sets the log level of devicemapper.
0: LogLevelSuppress 0 (default)
2: LogLevelFatal
3: LogLevelErr
4: LogLevelWarn
5: LogLevelNotice
6: LogLevelInfo
7: LogLevelDebug
**metadata_size**=""
metadata_size is used to set the `pvcreate --metadatasize` options when creating thin devices. (Default 128k)
**min_free_space**=""
Specifies the min free space percent in a thin pool required for new device creation to succeed. Valid values are from 0% - 99%. Value 0% disables. (default: 10%)
**mkfsarg**=""
Specifies extra mkfs arguments to be used when creating the base device.
**mountopt**=""
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
**size**=""
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
**use_deferred_deletion**=""
Marks thinpool device for deferred deletion. If the thinpool is in use when the driver attempts to delete it, the driver will attempt to delete device every 30 seconds until successful, or when it restarts. Deferred deletion permanently deletes the device and all data stored in the device will be lost. (default: true).
**use_deferred_removal**=""
Marks devicemapper block device for deferred removal. If the device is in use when its driver attempts to remove it, the driver tells the kernel to remove the device as soon as possible. Note this does not free up the disk space, use deferred deletion to fully remove the thinpool. (default: true).
**xfs_nospace_max_retries**=""
Specifies the maximum number of retries XFS should attempt to complete IO when ENOSPC (no space) error is returned by underlying storage device. (default: 0, which means to try continuously.)
### STORAGE OPTIONS FOR OVERLAY TABLE ### STORAGE OPTIONS FOR OVERLAY TABLE
The `storage.options.overlay` table supports the following options: The `storage.options.overlay` table supports the following options:


@ -9,7 +9,7 @@ containers-transports - description of supported transports for copying and stor
## DESCRIPTION ## DESCRIPTION
Tools which use the containers/image library, including skopeo(1), buildah(1), podman(1), all share a common syntax for referring to container images in various locations. Tools which use the containers/image library, including skopeo(1), buildah(1), podman(1), all share a common syntax for referring to container images in various locations.
The general form of the syntax is _transport:details_, where details are dependent on the specified transport, which are documented below. The general form of the syntax is _transport_`:`_details_, where details are dependent on the specified transport, which are documented below.
The semantics of the image names ultimately depend on the environment where The semantics of the image names ultimately depend on the environment where
they are evaluated. For example: if evaluated on a remote server, image names they are evaluated. For example: if evaluated on a remote server, image names
@ -18,14 +18,14 @@ directory of the image consumer.
<!-- atomic: is deprecated and not documented here. --> <!-- atomic: is deprecated and not documented here. -->
### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]} ### **containers-storage:**[**[**_storage-specifier_**]**]{_image-id_|_docker-reference_[**@**_image-id_]}
An image located in a local containers storage. An image located in a local containers storage.
The format of _docker-reference_ is described in detail in the **docker** transport. The format of _docker-reference_ is described in detail in the **docker** transport.
The _storage-specifier_ allows for referencing storage locations on the file system and has the format `[[driver@]root[+run-root][:options]]` where the optional `driver` refers to the storage driver (e.g., overlay or btrfs) and where `root` is an absolute path to the storage's root directory. The _storage-specifier_ allows for referencing storage locations on the file system and has the format `[`[_driver_`@`]_root_[`+`_run-root_][`:`_options_]`]` where the optional _driver_ refers to the storage driver (e.g., `overlay` or `btrfs`) and where _root_ is an absolute path to the storage's root directory.
The optional `run-root` can be used to specify the run directory of the storage where all temporary writable content is stored. The optional _run-root_ can be used to specify the run directory of the storage where all temporary writable content is stored.
The optional `options` are a comma-separated list of driver-specific options. The optional _options_ are a comma-separated list of driver-specific options.
Please refer to containers-storage.conf(5) for further information on the drivers and supported options. Please refer to containers-storage.conf(5) for further information on the drivers and supported options.
### **dir:**_path_ ### **dir:**_path_
@ -40,34 +40,38 @@ By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.js
If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using docker-login(1). If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using docker-login(1).
The containers-registries.conf(5) further allows for configuring various settings of a registry. The containers-registries.conf(5) further allows for configuring various settings of a registry.
Note that a _docker-reference_ has the following format: _name_[**:**_tag_ | **@**_digest_]. Note that a _docker-reference_ has the following format: _name_[`:`_tag_ | `@`_digest_].
While the docker transport does not support both a tag and a digest at the same time some formats like containers-storage do. While the docker transport does not support both a tag and a digest at the same time some formats like containers-storage do.
Digests can also be used in an image destination as long as the manifest matches the provided digest. Digests can also be used in an image destination as long as the manifest matches the provided digest.
The docker transport supports pushing images without a tag or digest to a registry when the image name is suffixed with **@@unknown-digest@@**. The _name_**@@unknown-digest@@** reference format cannot be used with a reference that has a tag or digest. The docker transport supports pushing images without a tag or digest to a registry when the image name is suffixed with `@@unknown-digest@@`. The _name_`@@unknown-digest@@` reference format cannot be used with a reference that has a tag or digest.
The digest of images can be explored with skopeo-inspect(1). The digest of images can be explored with skopeo-inspect(1).
If `name` does not contain a slash, it is treated as `docker.io/library/name`. If _name_ does not contain a slash, it is treated as `docker.io/library/`_name_.
Otherwise, the component before the first slash is checked if it is recognized as a `hostname[:port]` (i.e., it contains either a . or a :, or the component is exactly localhost). Otherwise, the component before the first slash is checked if it is recognized as a _hostname_[`:`_port_] (i.e., it contains either a `.` or a `:`, or the component is exactly `localhost`).
If the first component of name is not recognized as a `hostname[:port]`, `name` is treated as `docker.io/name`. If the first component of name is not recognized as a _hostname_[`:`_port_], _name_ is treated as `docker.io/`_name_.
### **docker-archive:**_path[:{docker-reference|@source-index}]_ ### **docker-archive:**_path_[`:`{_docker-reference_|`@`_source-index_}]
An image is stored in the docker-save(1) formatted file. An image is stored in the docker-save(1) formatted file.
_docker-reference_ must not contain a digest.
Alternatively, for reading archives, @_source-index_ is a zero-based index in archive manifest Unless a tool explicitly documents otherwise,
(to access untagged images). a write to a **docker-archive:** destination completely overwrites _path_, replacing it with the single provided image.
If neither _docker-reference_ nor @_source_index is specified when reading an archive, the archive must contain exactly one image.
The _path_ can refer to a stream, e.g. `docker-archive:/dev/stdin`. The _path_ can refer to a stream, e.g. `docker-archive:/dev/stdin`.
### **docker-daemon:**_docker-reference|algo:digest_ _docker-reference_ must not contain a digest.
Alternatively, for reading archives, `@`_source-index_ is a zero-based index in archive manifest
(to access untagged images).
If neither _docker-reference_ nor `@`_source_index is specified when reading an archive, the archive must contain exactly one image.
### **docker-daemon:**_docker-reference_|_algo_`:`_digest_
An image stored in the docker daemon's internal storage. An image stored in the docker daemon's internal storage.
The image must be specified as a _docker-reference_ or in an alternative _algo:digest_ format when being used as an image source. The image must be specified as a _docker-reference_ or in an alternative _algo_`:`_digest_ format when being used as an image source.
The _algo:digest_ refers to the image ID reported by docker-inspect(1). The _algo_`:`_digest_ refers to the image ID reported by docker-inspect(1).
### **oci:**_path[:reference]_ ### **oci:**_path_[`:`_reference_]
An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_. An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_.
@ -75,18 +79,21 @@ The _path_ value terminates at the first `:` character; any further `:` characte
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an image, the directory must contain exactly one image. If _reference_ is not specified when reading an image, the directory must contain exactly one image.
### **oci-archive:**_path[:reference]_ ### **oci-archive:**_path_[`:`_reference_]
An image in a tar(1) archive with contents compliant with the "Open Container Image Layout Specification" at _path_. An image in a tar(1) archive with contents compliant with the "Open Container Image Layout Specification" at _path_.
Unless a tool explicitly documents otherwise,
a write to an **oci-archive:** destination completely overwrites _path_, replacing it with the single provided image.
The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_. The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
If _reference_ is not specified when reading an archive, the archive must contain exactly one image. If _reference_ is not specified when reading an archive, the archive must contain exactly one image.
### **ostree:**_docker-reference[@/absolute/repo/path]_ ### **ostree:**_docker-reference_[`@`_/absolute/repo/path_]
An image in the local ostree(1) repository. An image in the local ostree(1) repository.
_/absolute/repo/path_ defaults to _/ostree/repo_. _/absolute/repo/path_ defaults to `/ostree/repo`.
### **sif:**_path_ ### **sif:**_path_


@ -642,6 +642,7 @@ log_driver = "journald"
# Default OCI runtime # Default OCI runtime
# #
#runtime = "crun" #runtime = "crun"
runtime = "crun"
# List of the OCI runtimes that support --format=json. When json is supported # List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors. # engine will use it for reporting nicer errors.


@ -4,11 +4,29 @@
"type": "insecureAcceptAnything" "type": "insecureAcceptAnything"
} }
], ],
"transports": "transports": {
"docker": {
"registry.access.redhat.com": [
{ {
"docker-daemon": "type": "signedBy",
"keyType": "GPGKeys",
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
}
],
"registry.redhat.io": [
{ {
"": [{"type":"insecureAcceptAnything"}] "type": "signedBy",
"keyType": "GPGKeys",
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
} }
} }
} }
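Review bot: The two new `signedBy` requirements point at `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` and `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta`, which nothing in this section installs; c/image treats an unreadable `keyPaths` entry as a rejection, so on a host where either file is absent every pull from registry.access.redhat.com and registry.redhat.io fails closed instead of falling back to the top-level `insecureAcceptAnything` default. The package that owns this file should therefore declare a dependency on whatever provides those two paths, or ship the keys itself. Listing the beta key next to the release key in the production policy also means an image signed only with the beta key is accepted from both registries; if that is deliberate, it deserves a sentence in the spec or README, since JSON cannot carry a comment here.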

33
fd431d51.txt Normal file

@ -0,0 +1,33 @@
pub 4096R/FD431D51 2009-10-22
Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
uid Red Hat, Inc. (release key 2) <security@redhat.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)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==
=79bX
-----END PGP PUBLIC KEY BLOCK-----


@ -18,7 +18,8 @@
# of these registries, it should be added at the end of the list. # of these registries, it should be added at the end of the list.
# #
# # An array of host[:port] registries to try when pulling an unqualified image, in order. # # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"] # unqualified-search-registries = ["example.com"]
unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
# #
# [[registry]] # [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
@ -75,5 +76,4 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
# # 2. example-mirror-1.local/mirrors/foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.com/bar/image:latest # # 3. internal-registry-for-example.com/bar/image:latest
# # in order, and use the first one that exists. # # in order, and use the first one that exists.
short-name-mode = "enforcing" short-name-mode = "enforcing"


@ -20,6 +20,7 @@
"registry" = "docker.io/library/registry" "registry" = "docker.io/library/registry"
"swarm" = "docker.io/library/swarm" "swarm" = "docker.io/library/swarm"
# Fedora # Fedora
"fedora-bootc" = "registry.fedoraproject.org/fedora-bootc"
"fedora-minimal" = "registry.fedoraproject.org/fedora-minimal" "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
"fedora" = "registry.fedoraproject.org/fedora" "fedora" = "registry.fedoraproject.org/fedora"
# Gentoo # Gentoo
@ -56,6 +57,7 @@
"rhel7" = "registry.access.redhat.com/rhel7" "rhel7" = "registry.access.redhat.com/rhel7"
"rhel7.9" = "registry.access.redhat.com/rhel7.9" "rhel7.9" = "registry.access.redhat.com/rhel7.9"
"rhel-atomic" = "registry.access.redhat.com/rhel-atomic" "rhel-atomic" = "registry.access.redhat.com/rhel-atomic"
"rhel9-bootc" = "registry.redhat.io/rhel9/rhel-bootc"
"rhel-minimal" = "registry.access.redhat.com/rhel-minimal" "rhel-minimal" = "registry.access.redhat.com/rhel-minimal"
"rhel-init" = "registry.access.redhat.com/rhel-init" "rhel-init" = "registry.access.redhat.com/rhel-init"
"rhel7-atomic" = "registry.access.redhat.com/rhel7-atomic" "rhel7-atomic" = "registry.access.redhat.com/rhel7-atomic"
@ -100,7 +102,7 @@
"ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah" "ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
"ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo" "ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
# Rocky Linux # Rocky Linux
"rockylinux" = "docker.io/library/rockylinux" "rockylinux" = "quay.io/rockylinux/rockylinux"
# Debian # Debian
"debian" = "docker.io/library/debian" "debian" = "docker.io/library/debian"
# Kali Linux # Kali Linux


@ -0,0 +1 @@
SHA512 (v0.60.0.tar.gz) = 9eae809f6834472172fb997dedf828a11c7617b19374f46086394be3eeeb7f8fa9a1245a020af3a611142d6edda6670ee1d080229048fd0886313c7f698c21af


@ -19,6 +19,10 @@ driver = "overlay"
# Temporary storage location # Temporary storage location
runroot = "/run/containers/storage" runroot = "/run/containers/storage"
# Priority list for the storage drivers that will be tested one
# after the other to pick the storage driver if it is not defined.
# driver_priority = ["overlay", "btrfs"]
# Primary Read/Write location of container storage # Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must # When changing the graphroot location on an SELINUX system, you must
# ensure the labeling matches the default locations labels with the # ensure the labeling matches the default locations labels with the
@ -59,7 +63,7 @@ additionalimagestores = [
# can deduplicate pulling of content, disk storage of content and can allow the # can deduplicate pulling of content, disk storage of content and can allow the
# kernel to use less memory when running containers. # kernel to use less memory when running containers.
# containers/storage supports three keys # containers/storage supports four keys
# * enable_partial_images="true" | "false" # * enable_partial_images="true" | "false"
# Tells containers/storage to look for files previously pulled in storage # Tells containers/storage to look for files previously pulled in storage
# rather then always pulling them from the container registry. # rather then always pulling them from the container registry.
@ -70,30 +74,13 @@ additionalimagestores = [
# Tells containers/storage where an ostree repository exists that might have # Tells containers/storage where an ostree repository exists that might have
# previously pulled content which can be used when attempting to avoid # previously pulled content which can be used when attempting to avoid
# pulling content from the container registry # pulling content from the container registry
# * convert_images = "false" | "true"
# If set to true, containers/storage will convert images to a
# format compatible with partial pulls in order to take advantage
# of local deduplication and hard linking. It is an expensive
# operation so it is not enabled by default.
pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""} pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs. Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = "0:1668442479:65536"
# remap-gids = "0:1668442479:65536"
# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps. This setting overrides the
# Remap-UIDs/GIDs setting.
#
# remap-user = "containers"
# remap-group = "containers"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned # ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
# to containers configured to create automatically a user namespace. Containers # to containers configured to create automatically a user namespace. Containers
@ -168,79 +155,3 @@ mountopt = "nodev,metacopy=on"
# "force_mask" permissions. # "force_mask" permissions.
# #
# force_mask = "" # force_mask = ""
[storage.options.thinpool]
# Storage Options for thinpool
# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"
# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"
# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"
# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"
# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""
# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"
# fs specifies the filesystem type to use for the base device.
# fs="xfs"
# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"
# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"
# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""
# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""
# Size is used to set a maximum size of the container image.
# size = ""
# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"
# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"
# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

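--- /dev/null
+++ b/update-vendored.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# This script assures we always deliver the current documentation/configs
+# for the c/storage, c/image and c/common vendored in podman, skopeo, buildah
+# For questions reach to Jindrich Novy <jnovy@redhat.com>
+rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
+CENTOS=""
+pwd | grep /tmp/centos > /dev/null
+if [ $? == 0 ]; then
+CENTOS=1
+PKG=centpkg
+else
+PKG=rhpkg
+fi
+set -e
+for P in podman skopeo buildah; do
+BRN=`pwd | sed 's,^.*/,,'`
+rm -rf $P
+$PKG clone $P
+cd $P
+$PKG switch-branch $BRN
+if [ $BRN != stream-container-tools-rhel8 ]; then
+$PKG prep
+else
+$PKG --release rhel-8 prep
+fi
+rm -rf *SPECPARTS
+DIR=`ls -d -- */ | grep "$P"`
+grep github.com/containers/image $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,'>> /tmp/ver_image
+grep github.com/containers/common $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,' >> /tmp/ver_common
+grep github.com/containers/storage $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,' >> /tmp/ver_storage
+cd -
+done
+IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
+COMMON_VER=`sort -n /tmp/ver_common | head -n1`
+STORAGE_VER=`sort -n /tmp/ver_storage | head -n1`
+sed -i "s,^%global.*image_branch.*,%global image_branch $IMAGE_VER," containers-common.spec
+sed -i "s,^%global.*common_branch.*,%global common_branch $COMMON_VER," containers-common.spec
+sed -i "s,^%global.*storage_branch.*,%global storage_branch $STORAGE_VER," containers-common.spec
+rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
+rm -rf podman skopeo buildah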
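Review bot: `sort -n` does not order the collected `vX.Y.Z` strings: every line begins with a non-digit, so all compare as 0 and the tie is broken bytewise, which ranks `v5.31.0` below `v5.4.0`; the three `*_VER` lines should use `sort -V`, e.g. `IMAGE_VER=$(sort -V /tmp/ver_image | head -n1)`, otherwise the wrong branch can be written into containers-common.spec. The scratch files use fixed names under the shared `/tmp` and are appended to with `>>`, so a pre-existing file or symlink at those paths is silently folded into the result; `d=$(mktemp -d)` with `trap 'rm -rf -- "$d"' EXIT` avoids both the race and the leftover-file problem. `set -e` is only enabled after the branch check, and `$P`, `$DIR`, `$BRN` and the `$PKG` invocations are unquoted throughout, all of which ShellCheck would flag.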


@ -1,33 +1,67 @@
#!/usr/bin/env bash #!/bin/bash
# This script delivers current documentation/configs and assures it has the intended
# settings for a particular branch/release.
# For questions reach to Jindrich Novy <jnovy@redhat.com>
set -ox pipefail ensure() {
if grep ^$2[[:blank:]].*= $1 > /dev/null
spectool -fg containers-common.spec then
sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1
if [[ $(git rev-parse --abbrev-ref HEAD) == "rawhide" ]]; then
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' \
-e 's/^pull_options.*=.*/pull_options = {enable_partial_images = \"true\", use_hard_links = \"false\", ostree_repos=""}/' \
storage.conf
else else
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' \ if grep ^\#.*$2[[:blank:]].*= $1 > /dev/null
-e '/additionalimage.*/a "/usr/lib/containers/storage",' \ then
storage.conf sed -i "/^#.*$2[[:blank:]].*=/a \
$2 = $3" $1
else
echo "$2 = $3" >> $1
fi fi
fi
}
[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \ #./pyxis.sh
#./update-vendored.sh
spectool -f -g containers-common.spec
for FILE in *; do
[ -s "$FILE" ]
if [ $? == 1 ] && [ "$FILE" != "sources" ]; then
echo "empty file: $FILE"
exit 1
fi
done
ensure storage.conf driver \"overlay\"
ensure storage.conf mountopt \"nodev,metacopy=on\"
if pwd | grep rhel-8 > /dev/null
then
awk -i inplace '/#default_capabilities/,/#\]/{gsub("#","",$0)}1' containers.conf
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
ensure registries.conf short-name-mode \"permissive\"
ensure containers.conf runtime \"runc\"
ensure containers.conf events_logger \"file\"
ensure containers.conf log_driver \"k8s-file\"
ensure containers.conf network_backend \"cni\"
if ! grep \"NET_RAW\" containers.conf > /dev/null
then
sed -i '/^default_capabilities/a \
"NET_RAW",' containers.conf
fi
if ! grep \"SYS_CHROOT\" containers.conf > /dev/null
then
sed -i '/^default_capabilities/a \
"SYS_CHROOT",' containers.conf
fi
else
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
ensure registries.conf short-name-mode \"enforcing\"
ensure containers.conf runtime \"crun\"
fi
[ `grep \"keyctl\", seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
"keyctl",' seccomp.json "keyctl",' seccomp.json
sed -i '/\"socketcall\",/i \ [ `grep \"socket\", seccomp.json | wc -l` == 0 ] && sed -i '/\"socketcall\",/i \
"socket",' seccomp.json "socket",' seccomp.json
rhpkg clone redhat-release
sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]/g' \ cd redhat-release
registries.conf rhpkg switch-branch rhel-9.4.0
rhpkg prep
grep '^short-name-mode="enforcing"' registries.conf cp -f redhat-release-*/RPM-GPG* ../
if [[ $? == 1 ]]; then cd -
echo -e '\nshort-name-mode="enforcing"' >> registries.conf rm -rf redhat-release
fi
sed -i -e 's/^#.*log_driver.*=.*/log_driver = "journald"/' \
containers.conf
git checkout origin default-policy.json
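Review bot: `ensure` can silently do nothing: the detection on the line `if grep ^$2[[:blank:]].*= $1` accepts any whitespace before `=`, but the replacement `sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1` matches exactly one blank, so a key written as `driver  = ...` is treated as present yet never rewritten; `sed -i "s;^$2[[:blank:]]*=.*;$2 = $3;" "$1"` closes that gap, and `$1`/`$2` should be quoted in both grep calls as well. The new file also drops the old `set -ox pipefail` without adding `set -e`, so a failed `rhpkg clone`, `rhpkg switch-branch rhel-9.4.0` or `rhpkg prep` still reaches `cp -f redhat-release-*/RPM-GPG* ../` and the run completes with whatever key files were already checked in; `set -euo pipefail` at the top, or `|| exit 1` on those lines, would make that loud. The keys are taken from the hard-coded `rhel-9.4.0` branch whatever branch is being updated and are copied unchecked, although default-policy.json now makes every pull from registry.redhat.io and registry.access.redhat.com depend on them; comparing `gpg --show-keys --with-fingerprint` output against the expected fingerprints (this commit itself records `567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51` for release key 2) before the copy would catch a wrong or truncated file. On the rhel-8 branch `short-name-mode` is forced to `"permissive"` while `docker.io` stays in `unqualified-search-registries`, so an unqualified name no Red Hat registry serves resolves to docker.io without a prompt; presumably intended for compatibility, but worth a comment beside that `ensure` line.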