Sync with containers-common 0.60.0
Resolves: RHEL-45611 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
parent
741a7129b3
commit
c8fda2b083
1
.gitignore
vendored
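--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/*.tar.gz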
@ -1,9 +1,13 @@
|
||||
pub 4096R/FD431D51 2009-10-22
|
||||
Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
|
||||
uid Red Hat, Inc. (release key 2) <security@redhat.com>
|
||||
The following public key can be used to verify RPM packages built and
|
||||
signed by Red Hat, Inc. This key is used for packages in Red Hat
|
||||
products shipped after November 2009, and for all updates to those
|
||||
products.
|
||||
|
||||
Questions about this key should be sent to security@redhat.com.
|
||||
|
||||
pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com>
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1.4.5 (GNU/Linux)
|
||||
|
||||
mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
|
||||
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
|
||||
@ -31,4 +35,32 @@ OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
|
||||
dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
|
||||
=zbHE
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBGIpIp4BEAC/o5e1WzLIsS6/JOQCs4XYATYTcf6B6ALzcP05G0W3uRpUQSrL
|
||||
FRKNrU8ZCelm/B+XSh2ljJNeklp2WLxYENDOsftDXGoyLr2hEkI5OyK267IHhFNJ
|
||||
g+BN+T5Cjh4ZiiWij6o9F7x2ZpxISE9M4iI80rwSv1KOnGSw5j2zD2EwoMjTVyVE
|
||||
/t3s5XJxnDclB7ZqL+cgjv0mWUY/4+b/OoRTkhq7b8QILuZp75Y64pkrndgakm1T
|
||||
8mAGXV02mEzpNj9DyAJdUqa11PIhMJMxxHOGHJ8CcHZ2NJL2e7yJf4orTj+cMhP5
|
||||
LzJcVlaXnQYu8Zkqa0V6J1Qdj8ZXL72QsmyicRYXAtK9Jm5pvBHuYU2m6Ja7dBEB
|
||||
Vkhe7lTKhAjkZC5ErPmANNS9kPdtXCOpwN1lOnmD2m04hks3kpH9OTX7RkTFUSws
|
||||
eARAfRID6RLfi59B9lmAbekecnsMIFMx7qR7ZKyQb3GOuZwNYOaYFevuxusSwCHv
|
||||
4FtLDIhk+Fge+EbPdEva+VLJeMOb02gC4V/cX/oFoPkxM1A5LHjkuAM+aFLAiIRd
|
||||
Np/tAPWk1k6yc+FqkcDqOttbP4ciiXb9JPtmzTCbJD8lgH0rGp8ufyMXC9x7/dqX
|
||||
TjsiGzyvlMnrkKB4GL4DqRFl8LAR02A3846DD8CAcaxoXggL2bJCU2rgUQARAQAB
|
||||
tDVSZWQgSGF0LCBJbmMuIChhdXhpbGlhcnkga2V5IDMpIDxzZWN1cml0eUByZWRo
|
||||
YXQuY29tPokCUgQTAQgAPBYhBH5GJCWMQGU11W1vE1BU5KRaY0CzBQJiKSKeAhsD
|
||||
BQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBQVOSkWmNAsyBfEACuTN/X
|
||||
YR+QyzeRw0pXcTvMqzNE4DKKr97hSQEwZH1/v1PEPs5O3psuVUm2iam7bqYwG+ry
|
||||
EskAgMHi8AJmY0lioQD5/LTSLTrM8UyQnU3g17DHau1NHIFTGyaW4a7xviU4C2+k
|
||||
c6X0u1CPHI1U4Q8prpNcfLsldaNYlsVZtUtYSHKPAUcswXWliW7QYjZ5tMSbu8jR
|
||||
OMOc3mZuf0fcVFNu8+XSpN7qLhRNcPv+FCNmk/wkaQfH4Pv+jVsOgHqkV3aLqJeN
|
||||
kNUnpyEKYkNqo7mNfNVWOcl+Z1KKKwSkIi3vg8maC7rODsy6IX+Y96M93sqYDQom
|
||||
aaWue2gvw6thEoH4SaCrCL78mj2YFpeg1Oew4QwVcBnt68KOPfL9YyoOicNs4Vuu
|
||||
fb/vjU2ONPZAeepIKA8QxCETiryCcP43daqThvIgdbUIiWne3gae6eSj0EuUPoYe
|
||||
H5g2Lw0qdwbHIOxqp2kvN96Ii7s1DK3VyhMt/GSPCxRnDRJ8oQKJ2W/I1IT5VtiU
|
||||
zMjjq5JcYzRPzHDxfVzT9CLeU/0XQ+2OOUAiZKZ0dzSyyVn8xbpviT7iadvjlQX3
|
||||
CINaPB+d2Kxa6uFWh+ZYOLLAgZ9B8NKutUHpXN66YSfe79xFBSFWKkJ8cSIMk13/
|
||||
Ifs7ApKlKCCRDpwoDqx/sjIaj1cpOfLHYjnefg==
|
||||
=UZd/
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
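Review bot: The new text of this key file appears to carry two armored blocks — the `FD431D51` release key and a second block whose `-----BEGIN PGP PUBLIC KEY BLOCK-----` follows the `=zbHE` checksum — but the preamble only states the fingerprint of the first (`Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51`), so a reader of this diff cannot verify the second key. Which lines are added is not recoverable from the rendered page; this is inferred from the `+13`/`+32` hunk sizes and the two armor headers. Since `rpm --import` takes every block in the file, the preamble should state the second key's `pub`/`uid`/fingerprint lines in the same form as the first, or the commit message should name the Red Hat key page it was copied from, so the addition can be checked against a published fingerprint.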
@ -1,56 +1,76 @@
|
||||
# Below definitions are used to deliver config files from a particular branch
|
||||
# of c/image, c/common, c/storage vendored in all of Buildah, Podman and Skopeo.
|
||||
# of c/image, c/storage and c/shortnames vendored in all of Buildah, Podman and Skopeo.
|
||||
# These vendored components must have the same version. If it is not the case,
|
||||
# pick the oldest version on c/image, c/common, c/storage vendored in
|
||||
# pick the oldest version on c/image, c/storage and c/shortnames vendored in
|
||||
# Buildah/Podman/Skopeo.
|
||||
%global image_branch main
|
||||
%global common_branch v%{version}
|
||||
%global storage_branch main
|
||||
|
||||
# Packit will automatically update the image and storage versions on Fedora and
|
||||
# CentOS Stream dist-git PRs.
|
||||
%global image_branch v5.30.2
|
||||
%global storage_branch v1.53.0
|
||||
%global shortnames_branch main
|
||||
|
||||
%global github_containers https://raw.githubusercontent.com/containers
|
||||
%global project containers
|
||||
%global repo common
|
||||
|
||||
%global raw_github_url https://raw.githubusercontent.com/%{project}
|
||||
|
||||
%if %{defined copr_username}
|
||||
%define copr_build 1
|
||||
%endif
|
||||
|
||||
# See https://github.com/containers/netavark/blob/main/rpm/netavark.spec
|
||||
# for netavark epoch
|
||||
%if %{defined copr_build}
|
||||
%define netavark_epoch 102
|
||||
%else
|
||||
%define netavark_epoch 2
|
||||
%endif
|
||||
|
||||
Epoch: 5
|
||||
Name: containers-common
|
||||
Version: 0.57.3
|
||||
%if %{defined copr_build}
|
||||
Epoch: 102
|
||||
%else
|
||||
Epoch: 2
|
||||
%endif
|
||||
# DO NOT TOUCH the Version string!
|
||||
# The TRUE source of this specfile is:
|
||||
# https://github.com/containers/common/blob/main/rpm/containers-common.spec
|
||||
# If that's what you're reading, Version must be 0, and will be updated by Packit for
|
||||
# copr and koji builds.
|
||||
# If you're reading this on dist-git, the version is automatically filled in by Packit.
|
||||
Version: 0.60.0
|
||||
Release: %autorelease
|
||||
License: Apache-2.0
|
||||
BuildArch: noarch
|
||||
# for BuildRequires: go-md2man
|
||||
ExclusiveArch: %{golang_arches} noarch
|
||||
Summary: Common configuration and documentation for containers
|
||||
BuildRequires: git-core
|
||||
BuildRequires: go-md2man
|
||||
Provides: skopeo-containers = %{epoch}:%{version}-%{release}
|
||||
Recommends: (container-selinux >= 2:2.162.1 if selinux-policy)
|
||||
Recommends: fuse-overlayfs
|
||||
Requires: (fuse-overlayfs if fedora-release-identity-server)
|
||||
# SourceN files fetched from upstream
|
||||
# GPG key and registry configs taken from RH
|
||||
Source1: %{github_containers}/common/%{common_branch}/docs/containers.conf.5.md
|
||||
Source2: %{github_containers}/common/%{common_branch}/pkg/config/containers.conf
|
||||
Source3: %{github_containers}/common/%{common_branch}/pkg/seccomp/seccomp.json
|
||||
Source4: %{github_containers}/common/%{common_branch}/pkg/subscriptions/mounts.conf
|
||||
Source5: %{github_containers}/image/%{image_branch}/docs/containers-auth.json.5.md
|
||||
Source6: %{github_containers}/image/%{image_branch}/docs/containers-certs.d.5.md
|
||||
Source7: %{github_containers}/image/%{image_branch}/docs/containers-policy.json.5.md
|
||||
Source8: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.5.md
|
||||
Source9: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
|
||||
Source10: %{github_containers}/image/%{image_branch}/docs/containers-registries.d.5.md
|
||||
Source11: %{github_containers}/image/%{image_branch}/docs/containers-signature.5.md
|
||||
Source12: %{github_containers}/image/%{image_branch}/docs/containers-transports.5.md
|
||||
Source13: %{github_containers}/image/%{image_branch}/registries.conf
|
||||
Source14: %{github_containers}/common/%{common_branch}/docs/containers-mounts.conf.5.md
|
||||
Source15: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
|
||||
Source16: %{github_containers}/image/%{image_branch}/default.yaml
|
||||
Source17: %{github_containers}/image/%{image_branch}/default-policy.json
|
||||
Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
|
||||
Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
|
||||
Source20: RPM-GPG-KEY-redhat-release
|
||||
Source21: registry.access.redhat.com.yaml
|
||||
Source22: registry.redhat.io.yaml
|
||||
Source23: %{github_containers}/common/%{common_branch}/docs/Containerfile.5.md
|
||||
Source24: %{github_containers}/common/%{common_branch}/docs/containerignore.5.md
|
||||
Source25: %{github_containers}/common/%{common_branch}/docs/links/.containerignore.5
|
||||
Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
|
||||
Suggests: fuse-overlayfs
|
||||
URL: https://github.com/%{project}/%{repo}
|
||||
Source0: %{url}/archive/v%{version_no_tilde}.tar.gz
|
||||
Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md
|
||||
Source2: %{raw_github_url}/image/%{image_branch}/docs/containers-certs.d.5.md
|
||||
Source3: %{raw_github_url}/image/%{image_branch}/docs/containers-policy.json.5.md
|
||||
Source4: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.5.md
|
||||
Source5: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
|
||||
Source6: %{raw_github_url}/image/%{image_branch}/docs/containers-registries.d.5.md
|
||||
Source7: %{raw_github_url}/image/%{image_branch}/docs/containers-signature.5.md
|
||||
Source8: %{raw_github_url}/image/%{image_branch}/docs/containers-transports.5.md
|
||||
Source9: %{raw_github_url}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
|
||||
Source10: %{raw_github_url}/shortnames/%{shortnames_branch}/shortnames.conf
|
||||
Source11: %{raw_github_url}/image/%{image_branch}/default.yaml
|
||||
Source12: default-policy.json
|
||||
Source13: %{raw_github_url}/image/%{image_branch}/registries.conf
|
||||
Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
|
||||
# Fetch RPM-GPG-KEY-redhat-release from the authoritative source instead of storing
|
||||
# a copy in repo or dist-git. Depending on distribution-gpg-keys rpm is also
|
||||
# not an option because that package doesn't exist on CentOS Stream.
|
||||
Source15: https://access.redhat.com/security/data/fd431d51.txt
|
||||
|
||||
%description
|
||||
This package contains common configuration files and documentation for container
|
||||
@ -65,97 +85,94 @@ Summary: Extra dependencies for Podman and Buildah
|
||||
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||
Requires: container-network-stack
|
||||
Requires: oci-runtime
|
||||
Requires: nftables
|
||||
Requires: passt
|
||||
%if %{defined fedora}
|
||||
Requires: iptables
|
||||
Conflicts: podman < 5:5.0.0~rc4-1
|
||||
Recommends: composefs
|
||||
Recommends: crun
|
||||
Requires: (crun if fedora-release-identity-server)
|
||||
Recommends: netavark >= 1.10.2-1
|
||||
Requires: (netavark >= 1.10.2-1 if fedora-release-identity-server)
|
||||
Recommends: slirp4netns
|
||||
Requires: (slirp4netns if fedora-release-identity-server)
|
||||
Recommends: passt
|
||||
Requires: (passt if fedora-release-identity-server)
|
||||
Requires: iptables
|
||||
Requires: nftables
|
||||
Requires: netavark >= %{netavark_epoch}:1.10.3-1
|
||||
Suggests: slirp4netns
|
||||
Recommends: qemu-user-static
|
||||
Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
|
||||
Requires: (qemu-user-static-arm if fedora-release-identity-server)
|
||||
Requires: (qemu-user-static-x86 if fedora-release-identity-server)
|
||||
%endif
|
||||
|
||||
%description extra
|
||||
This subpackage will handle dependencies common to Podman and Buildah which are
|
||||
not required by Skopeo.
|
||||
|
||||
%prep
|
||||
cp %{SOURCE1} .
|
||||
cp %{SOURCE2} .
|
||||
cp %{SOURCE3} .
|
||||
cp %{SOURCE4} .
|
||||
cp %{SOURCE5} .
|
||||
cp %{SOURCE6} .
|
||||
cp %{SOURCE7} .
|
||||
cp %{SOURCE8} .
|
||||
cp %{SOURCE9} .
|
||||
cp %{SOURCE10} .
|
||||
cp %{SOURCE11} .
|
||||
cp %{SOURCE12} .
|
||||
cp %{SOURCE13} .
|
||||
cp %{SOURCE14} .
|
||||
cp %{SOURCE15} 000-shortnames.conf
|
||||
cp %{SOURCE16} .
|
||||
cp %{SOURCE17} policy.json
|
||||
cp %{SOURCE18} .
|
||||
cp %{SOURCE19} .
|
||||
cp %{SOURCE20} .
|
||||
cp %{SOURCE21} .
|
||||
cp %{SOURCE22} .
|
||||
cp %{SOURCE23} .
|
||||
cp %{SOURCE24} .
|
||||
cp %{SOURCE25} .
|
||||
%autosetup -Sgit -n %{repo}-%{version_no_tilde}
|
||||
|
||||
%if 0%{?rhel} <= 8
|
||||
sed -i 's/log_driver = "journald"/#log_driver = "journald"/' containers.conf
|
||||
%endif
|
||||
# Copy manpages to docs subdir in builddir to build before installing.
|
||||
cp %{SOURCE1} docs/.
|
||||
cp %{SOURCE2} docs/.
|
||||
cp %{SOURCE3} docs/.
|
||||
cp %{SOURCE4} docs/.
|
||||
cp %{SOURCE5} docs/.
|
||||
cp %{SOURCE6} docs/.
|
||||
cp %{SOURCE7} docs/.
|
||||
cp %{SOURCE8} docs/.
|
||||
cp %{SOURCE9} docs/.
|
||||
|
||||
# Copy config files to builddir to patch them before installing.
|
||||
# Currently, only registries.conf and storage.conf files are patched before
|
||||
# installing.
|
||||
cp %{SOURCE10} shortnames.conf
|
||||
cp %{SOURCE13} registries.conf
|
||||
cp %{SOURCE14} storage.conf
|
||||
|
||||
# Fine-grain distro- and release-specific tuning of config files,
|
||||
# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
|
||||
bash rpm/update-config-files.sh
|
||||
|
||||
%build
|
||||
mkdir -p man5
|
||||
for FILE in $(ls *.5.md); do
|
||||
go-md2man -in $FILE -out man5/$(basename $FILE .md)
|
||||
for i in docs/*.5.md; do
|
||||
go-md2man -in $i -out man5/$(basename $i .md)
|
||||
done
|
||||
|
||||
cp man5/containerignore.5 man5/.containerignore.5
|
||||
|
||||
%install
|
||||
# install config and policy files for registries
|
||||
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd}
|
||||
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
|
||||
install -dp %{buildroot}%{_datadir}/containers/systemd
|
||||
install -dp %{buildroot}%{_prefix}/lib/containers/storage
|
||||
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images
|
||||
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
|
||||
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
|
||||
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
|
||||
|
||||
install -Dp -m0644 default.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
install -Dp -m0644 storage.conf -t %{buildroot}%{_datadir}/containers
|
||||
install -Dp -m0644 registries.conf -t %{buildroot}%{_sysconfdir}/containers
|
||||
install -Dp -m0644 000-shortnames.conf -t %{buildroot}%{_sysconfdir}/containers/registries.conf.d
|
||||
install -Dp -m0644 policy.json -t %{buildroot}%{_sysconfdir}/containers
|
||||
install -Dp -m0644 shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
|
||||
install -Dp -m0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
|
||||
install -Dp -m0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/containers/policy.json
|
||||
install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
|
||||
install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf
|
||||
|
||||
# RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on
|
||||
# fedora and centos
|
||||
%if 0%{?fedora} || 0%{?centos}
|
||||
install -Dp -m0644 RPM-GPG-KEY-redhat-release -t %{buildroot}%{_sysconfdir}/pki/rpm-gpg
|
||||
%if %{defined fedora} || %{defined centos}
|
||||
install -Dp -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
|
||||
%endif
|
||||
install -Dp -m0644 registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
install -Dp -m0644 registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
|
||||
install -Dp -m0644 contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
install -Dp -m0644 contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
|
||||
# install manpages
|
||||
for FILE in $(ls -a man5 | grep 5); do
|
||||
install -Dp -m0644 man5/$FILE -t %{buildroot}%{_mandir}/man5
|
||||
install -dp %{buildroot}%{_mandir}/man5
|
||||
for i in man5/*.5; do
|
||||
install -Dp -m0644 $i -t %{buildroot}%{_mandir}/man5
|
||||
done
|
||||
ln -s containerignore.5 %{buildroot}%{_mandir}/man5/.containerignore.5
|
||||
|
||||
# install config files for mounts, containers and seccomp
|
||||
install -m0644 mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
|
||||
install -m0644 seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
|
||||
install -m0644 containers.conf %{buildroot}%{_datadir}/containers/containers.conf
|
||||
install -m0644 pkg/subscriptions/mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
|
||||
install -m0644 pkg/seccomp/seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
|
||||
install -m0644 pkg/config/containers.conf %{buildroot}%{_datadir}/containers/containers.conf
|
||||
|
||||
# install secrets patch directory
|
||||
install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
|
||||
@ -172,6 +189,7 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
|
||||
%dir %{_sysconfdir}/containers/registries.conf.d
|
||||
%dir %{_sysconfdir}/containers/registries.d
|
||||
%dir %{_sysconfdir}/containers/systemd
|
||||
%dir %{_prefix}/lib/containers
|
||||
%dir %{_prefix}/lib/containers/storage
|
||||
%dir %{_prefix}/lib/containers/storage/overlay-images
|
||||
%dir %{_prefix}/lib/containers/storage/overlay-layers
|
||||
@ -185,8 +203,8 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
|
||||
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
|
||||
%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
|
||||
%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
|
||||
%ghost %{_sysconfdir}/containers/storage.conf
|
||||
%ghost %{_sysconfdir}/containers/containers.conf
|
||||
%dir %{_sharedstatedir}/containers/sigstore
|
||||
@ -200,6 +218,7 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
|
||||
%{_datadir}/containers/containers.conf
|
||||
%{_datadir}/containers/mounts.conf
|
||||
%{_datadir}/containers/seccomp.json
|
||||
%dir %{_datadir}/rhel
|
||||
%dir %{_datadir}/rhel/secrets
|
||||
%{_datadir}/rhel/secrets/*
|
||||
|
||||
|
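Review bot: The new `Source15: https://access.redhat.com/security/data/fd431d51.txt` is installed verbatim as `%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` on Fedora/CentOS (the `%if %{defined fedora} || %{defined centos}` block in %install, second hunk), so whatever is fetched at source-download time becomes an rpm trust anchor, yet neither %prep nor %install checks that the file carries the expected key. The sha512 in the dist-git `sources` file presumably pins the blob once uploaded, but the fetch itself is unverified and the spec nowhere states which fingerprint it expects. A cheap guard in %prep would fail the build if the key ever changes underneath, e.g. `gpg --show-keys --with-fingerprint %{SOURCE15} | grep -q '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51'` (the fingerprint stated in the key file's own preamble earlier in this commit), paired with `BuildRequires: gnupg2`. The same review applies to `Source12: default-policy.json` in the first hunk, which now comes from the packaging repo instead of c/image and lands as `/etc/containers/policy.json`: a one-line comment above it saying where that file is maintained and why it diverges from upstream would help the next maintainer.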
@ -19,6 +19,12 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
|
||||
`credential-helpers`
|
||||
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.
|
||||
|
||||
`additional-layer-store-auth-helper`
|
||||
: A string containing the helper binary name. This enables passing registry credentials to an
|
||||
Additional Layer Store every time an image is read using the `docker://`
|
||||
transport so that it can access private registries. See the 'Enabling Additional Layer Store to access to private registries' section below for
|
||||
more details.
|
||||
|
||||
### NAMESPACED `[[registry]]` SETTINGS
|
||||
|
||||
The bulk of the configuration is represented as an array of `[[registry]]`
|
||||
@ -254,6 +260,30 @@ in order, and use the first one that exists.
|
||||
|
||||
Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.
|
||||
|
||||
### Enabling Additional Layer Store to access to private registries
|
||||
|
||||
The `additional-layer-store-auth-helper` option enables passing registry
|
||||
credentials to an Additional Layer Store so that it can access private registries.
|
||||
|
||||
When accessing a private registry via an Additional Layer Store, a helper binary needs to be provided. This helper binary is
|
||||
registered via the `additional-layer-store-auth-helper` option. Every time an image
|
||||
is read using the `docker://` transport, the specified helper binary is executed
|
||||
and receives registry credentials from stdin in the following format.
|
||||
|
||||
```json
|
||||
{
|
||||
"$image_reference": {
|
||||
"username": "$username",
|
||||
"password": "$password",
|
||||
"identityToken": "$identityToken"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
The format of `$image_reference` is `$repo{:$tag|@$digest}`.
|
||||
|
||||
Additional Layer Stores can use this helper binary to access the private registry.
|
||||
|
||||
## VERSION 1 FORMAT - DEPRECATED
|
||||
VERSION 1 format is still supported but it does not support
|
||||
using registry mirrors, longest-prefix matches, or location rewriting.
|
||||
|
@ -27,7 +27,7 @@ No bare options are used. The format of TOML can be simplified to:
|
||||
The `storage` table supports the following options:
|
||||
|
||||
**driver**=""
|
||||
Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
|
||||
Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
|
||||
This field is required to guarantee proper operation.
|
||||
Valid rootless drivers are "btrfs", "overlay", and "vfs".
|
||||
Rootless users default to the driver defined in the system configuration when possible.
|
||||
@ -84,7 +84,7 @@ The `storage.options` table supports the following options:
|
||||
**additionalimagestores**=[]
|
||||
Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
|
||||
|
||||
**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
|
||||
**pull_options** = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
|
||||
|
||||
Allows specification of how storage is populated when pulling images. This
|
||||
option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks
|
||||
@ -95,7 +95,7 @@ container registry. These options can deduplicate pulling of content, disk
|
||||
storage of content and can allow the kernel to use less memory when running
|
||||
containers.
|
||||
|
||||
containers/storage supports three keys
|
||||
containers/storage supports four keys
|
||||
* enable_partial_images="true" | "false"
|
||||
Tells containers/storage to look for files previously pulled in storage
|
||||
rather then always pulling them from the container registry.
|
||||
@ -107,28 +107,10 @@ containers/storage supports three keys
|
||||
previously pulled content which can be used when attempting to avoid
|
||||
pulling content from the container registry
|
||||
* convert_images = "false" | "true"
|
||||
If set to true, containers/storage will convert images to the a format compatible with
|
||||
If set to true, containers/storage will convert images to a format compatible with
|
||||
partial pulls in order to take advantage of local deduplication and hardlinking. It is an
|
||||
expensive operation so it is not enabled by default.
|
||||
|
||||
**remap-uids=**""
|
||||
**remap-gids=**""
|
||||
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
|
||||
|
||||
Example
|
||||
remap-uids = "0:1668442479:65536"
|
||||
remap-gids = "0:1668442479:65536"
|
||||
|
||||
These mappings tell the container engines to map UID 0 inside of the container to UID 1668442479 outside. UID 1 will be mapped to 1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533 UIDs in succession.
|
||||
|
||||
**remap-user**=""
|
||||
**remap-group**=""
|
||||
Remap-User/Group is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting with an in-container ID of 0 and then a host-level ID taken from the lowest range that matches the specified name, and using the length of that range. Additional ranges are then assigned, using the ranges which specify the lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, until all of the entries have been used for maps. This setting overrides the Remap-UIDs/GIDs setting.
|
||||
|
||||
Example
|
||||
remap-user = "containers"
|
||||
remap-group = "containers"
|
||||
|
||||
**root-auto-userns-user**=""
|
||||
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.
|
||||
|
||||
@ -158,66 +140,6 @@ The `storage.options.btrfs` table supports the following options:
|
||||
**size**=""
|
||||
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
||||
|
||||
### STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
|
||||
|
||||
The `storage.options.thinpool` table supports the following options for the `devicemapper` driver:
|
||||
|
||||
**autoextend_percent**=""
|
||||
Tells the thinpool driver the amount by which the thinpool needs to be grown. This is specified in terms of % of pool size. So a value of 20 means that when threshold is hit, pool will be grown by 20% of existing pool size. (default: 20%)
|
||||
|
||||
**autoextend_threshold**=""
|
||||
Tells the driver the thinpool extension threshold in terms of percentage of pool size. For example, if threshold is 60, that means when pool is 60% full, threshold has been hit. (default: 80%)
|
||||
|
||||
**basesize**=""
|
||||
Specifies the size to use when creating the base device, which limits the size of images and containers. (default: 10g)
|
||||
|
||||
**blocksize**=""
|
||||
Specifies a custom blocksize to use for the thin pool. (default: 64k)
|
||||
|
||||
**directlvm_device**=""
|
||||
Specifies a custom block storage device to use for the thin pool. Required for using graphdriver `devicemapper`.
|
||||
|
||||
**directlvm_device_force**=""
|
||||
Tells driver to wipe device (directlvm_device) even if device already has a filesystem. (default: false)
|
||||
|
||||
**fs**="xfs"
|
||||
Specifies the filesystem type to use for the base device. (default: xfs)
|
||||
|
||||
**log_level**=""
|
||||
Sets the log level of devicemapper.
|
||||
|
||||
0: LogLevelSuppress 0 (default)
|
||||
2: LogLevelFatal
|
||||
3: LogLevelErr
|
||||
4: LogLevelWarn
|
||||
5: LogLevelNotice
|
||||
6: LogLevelInfo
|
||||
7: LogLevelDebug
|
||||
|
||||
**metadata_size**=""
|
||||
metadata_size is used to set the `pvcreate --metadatasize` options when creating thin devices. (Default 128k)
|
||||
|
||||
**min_free_space**=""
|
||||
Specifies the min free space percent in a thin pool required for new device creation to succeed. Valid values are from 0% - 99%. Value 0% disables. (default: 10%)
|
||||
|
||||
**mkfsarg**=""
|
||||
Specifies extra mkfs arguments to be used when creating the base device.
|
||||
|
||||
**mountopt**=""
|
||||
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
||||
|
||||
**size**=""
|
||||
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
||||
|
||||
**use_deferred_deletion**=""
|
||||
Marks thinpool device for deferred deletion. If the thinpool is in use when the driver attempts to delete it, the driver will attempt to delete device every 30 seconds until successful, or when it restarts. Deferred deletion permanently deletes the device and all data stored in the device will be lost. (default: true).
|
||||
|
||||
**use_deferred_removal**=""
|
||||
Marks devicemapper block device for deferred removal. If the device is in use when its driver attempts to remove it, the driver tells the kernel to remove the device as soon as possible. Note this does not free up the disk space, use deferred deletion to fully remove the thinpool. (default: true).
|
||||
|
||||
**xfs_nospace_max_retries**=""
|
||||
Specifies the maximum number of retries XFS should attempt to complete IO when ENOSPC (no space) error is returned by underlying storage device. (default: 0, which means to try continuously.)
|
||||
|
||||
### STORAGE OPTIONS FOR OVERLAY TABLE
|
||||
|
||||
The `storage.options.overlay` table supports the following options:
|
||||
|
@ -9,7 +9,7 @@ containers-transports - description of supported transports for copying and stor
|
||||
## DESCRIPTION
|
||||
|
||||
Tools which use the containers/image library, including skopeo(1), buildah(1), podman(1), all share a common syntax for referring to container images in various locations.
|
||||
The general form of the syntax is _transport:details_, where details are dependent on the specified transport, which are documented below.
|
||||
The general form of the syntax is _transport_`:`_details_, where details are dependent on the specified transport, which are documented below.
|
||||
|
||||
The semantics of the image names ultimately depend on the environment where
|
||||
they are evaluated. For example: if evaluated on a remote server, image names
|
||||
@ -18,14 +18,14 @@ directory of the image consumer.
|
||||
|
||||
<!-- atomic: is deprecated and not documented here. -->
|
||||
|
||||
### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]}
|
||||
### **containers-storage:**[**[**_storage-specifier_**]**]{_image-id_|_docker-reference_[**@**_image-id_]}
|
||||
|
||||
An image located in a local containers storage.
|
||||
The format of _docker-reference_ is described in detail in the **docker** transport.
|
||||
|
||||
The _storage-specifier_ allows for referencing storage locations on the file system and has the format `[[driver@]root[+run-root][:options]]` where the optional `driver` refers to the storage driver (e.g., overlay or btrfs) and where `root` is an absolute path to the storage's root directory.
|
||||
The optional `run-root` can be used to specify the run directory of the storage where all temporary writable content is stored.
|
||||
The optional `options` are a comma-separated list of driver-specific options.
|
||||
The _storage-specifier_ allows for referencing storage locations on the file system and has the format `[`[_driver_`@`]_root_[`+`_run-root_][`:`_options_]`]` where the optional _driver_ refers to the storage driver (e.g., `overlay` or `btrfs`) and where _root_ is an absolute path to the storage's root directory.
|
||||
The optional _run-root_ can be used to specify the run directory of the storage where all temporary writable content is stored.
|
||||
The optional _options_ are a comma-separated list of driver-specific options.
|
||||
Please refer to containers-storage.conf(5) for further information on the drivers and supported options.
|
||||
|
||||
### **dir:**_path_
|
||||
@ -40,34 +40,38 @@ By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.js
|
||||
If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using docker-login(1).
|
||||
The containers-registries.conf(5) further allows for configuring various settings of a registry.
|
||||
|
||||
Note that a _docker-reference_ has the following format: _name_[**:**_tag_ | **@**_digest_].
|
||||
Note that a _docker-reference_ has the following format: _name_[`:`_tag_ | `@`_digest_].
|
||||
While the docker transport does not support both a tag and a digest at the same time some formats like containers-storage do.
|
||||
Digests can also be used in an image destination as long as the manifest matches the provided digest.
|
||||
|
||||
The docker transport supports pushing images without a tag or digest to a registry when the image name is suffixed with **@@unknown-digest@@**. The _name_**@@unknown-digest@@** reference format cannot be used with a reference that has a tag or digest.
|
||||
The docker transport supports pushing images without a tag or digest to a registry when the image name is suffixed with `@@unknown-digest@@`. The _name_`@@unknown-digest@@` reference format cannot be used with a reference that has a tag or digest.
|
||||
The digest of images can be explored with skopeo-inspect(1).
|
||||
|
||||
If `name` does not contain a slash, it is treated as `docker.io/library/name`.
|
||||
Otherwise, the component before the first slash is checked if it is recognized as a `hostname[:port]` (i.e., it contains either a . or a :, or the component is exactly localhost).
|
||||
If the first component of name is not recognized as a `hostname[:port]`, `name` is treated as `docker.io/name`.
|
||||
If _name_ does not contain a slash, it is treated as `docker.io/library/`_name_.
|
||||
Otherwise, the component before the first slash is checked if it is recognized as a _hostname_[`:`_port_] (i.e., it contains either a `.` or a `:`, or the component is exactly `localhost`).
|
||||
If the first component of name is not recognized as a _hostname_[`:`_port_], _name_ is treated as `docker.io/`_name_.
|
||||
|
||||
### **docker-archive:**_path[:{docker-reference|@source-index}]_
|
||||
### **docker-archive:**_path_[`:`{_docker-reference_|`@`_source-index_}]
|
||||
|
||||
An image is stored in the docker-save(1) formatted file.
|
||||
_docker-reference_ must not contain a digest.
|
||||
Alternatively, for reading archives, @_source-index_ is a zero-based index in archive manifest
|
||||
(to access untagged images).
|
||||
If neither _docker-reference_ nor @_source_index is specified when reading an archive, the archive must contain exactly one image.
|
||||
|
||||
Unless a tool explicitly documents otherwise,
|
||||
a write to a **docker-archive:** destination completely overwrites _path_, replacing it with the single provided image.
|
||||
|
||||
The _path_ can refer to a stream, e.g. `docker-archive:/dev/stdin`.
|
||||
|
||||
### **docker-daemon:**_docker-reference|algo:digest_
|
||||
_docker-reference_ must not contain a digest.
|
||||
Alternatively, for reading archives, `@`_source-index_ is a zero-based index in archive manifest
|
||||
(to access untagged images).
|
||||
If neither _docker-reference_ nor `@`_source_index is specified when reading an archive, the archive must contain exactly one image.
|
||||
|
||||
### **docker-daemon:**_docker-reference_|_algo_`:`_digest_
|
||||
|
||||
An image stored in the docker daemon's internal storage.
|
||||
The image must be specified as a _docker-reference_ or in an alternative _algo:digest_ format when being used as an image source.
|
||||
The _algo:digest_ refers to the image ID reported by docker-inspect(1).
|
||||
The image must be specified as a _docker-reference_ or in an alternative _algo_`:`_digest_ format when being used as an image source.
|
||||
The _algo_`:`_digest_ refers to the image ID reported by docker-inspect(1).
|
||||
|
||||
### **oci:**_path[:reference]_
|
||||
### **oci:**_path_[`:`_reference_]
|
||||
|
||||
An image in a directory structure compliant with the "Open Container Image Layout Specification" at _path_.
|
||||
|
||||
@ -75,18 +79,21 @@ The _path_ value terminates at the first `:` character; any further `:` characte
|
||||
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
|
||||
If _reference_ is not specified when reading an image, the directory must contain exactly one image.
|
||||
|
||||
### **oci-archive:**_path[:reference]_
|
||||
### **oci-archive:**_path_[`:`_reference_]
|
||||
|
||||
An image in a tar(1) archive with contents compliant with the "Open Container Image Layout Specification" at _path_.
|
||||
|
||||
Unless a tool explicitly documents otherwise,
|
||||
a write to an **oci-archive:** destination completely overwrites _path_, replacing it with the single provided image.
|
||||
|
||||
The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_.
|
||||
The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index.
|
||||
If _reference_ is not specified when reading an archive, the archive must contain exactly one image.
|
||||
|
||||
### **ostree:**_docker-reference[@/absolute/repo/path]_
|
||||
### **ostree:**_docker-reference_[`@`_/absolute/repo/path_]
|
||||
|
||||
An image in the local ostree(1) repository.
|
||||
_/absolute/repo/path_ defaults to _/ostree/repo_.
|
||||
_/absolute/repo/path_ defaults to `/ostree/repo`.
|
||||
|
||||
### **sif:**_path_
|
||||
|
||||
|
@ -642,6 +642,7 @@ log_driver = "journald"
|
||||
# Default OCI runtime
|
||||
#
|
||||
#runtime = "crun"
|
||||
runtime = "crun"
|
||||
|
||||
# List of the OCI runtimes that support --format=json. When json is supported
|
||||
# engine will use it for reporting nicer errors.
|
||||
|
@ -4,11 +4,29 @@
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
],
|
||||
"transports":
|
||||
"transports": {
|
||||
"docker": {
|
||||
"registry.access.redhat.com": [
|
||||
{
|
||||
"docker-daemon":
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
|
||||
}
|
||||
],
|
||||
"registry.redhat.io": [
|
||||
{
|
||||
"": [{"type":"insecureAcceptAnything"}]
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
|
||||
}
|
||||
]
|
||||
},
|
||||
"docker-daemon": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
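Review bot: Both `signedBy` entries list `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` and `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta` in `keyPaths`, which has two consequences the commit message does not record: content signed with the beta key is accepted from the production registries, and, unless I misremember the `keyPaths` handling in containers/image, a host where either file is absent fails verification for every pull from `registry.access.redhat.com` and `registry.redhat.io` instead of falling back to the other key. If the beta key is only needed on some streams, a per-branch policy file, or making both key files a hard install-time dependency of this package, would make that deterministic. The `default` entry above this hunk appears to remain `insecureAcceptAnything`, so every other registry (including `docker.io`, which the registries.conf change in this commit puts back into `unqualified-search-registries`) is still pulled without any signature check; stating that trust boundary explicitly in the commit message would help the next person who edits this file.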
33
fd431d51.txt
Normal file
33
fd431d51.txt
Normal file
@ -0,0 +1,33 @@
|
||||
pub 4096R/FD431D51 2009-10-22
|
||||
Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
|
||||
uid Red Hat, Inc. (release key 2) <security@redhat.com>
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v2.0.22 (GNU/Linux)
|
||||
|
||||
mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
|
||||
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
|
||||
0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
|
||||
u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
|
||||
XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
|
||||
5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
|
||||
9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
|
||||
/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
|
||||
PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
|
||||
HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
|
||||
buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
|
||||
tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
|
||||
LmNvbT6JAjYEEwEIACACGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCSuBJPAAK
|
||||
CRAZni+R/UMdUfIkD/9m3HWv07uJG26R3KBexTo2FFu3rmZs+m2nfW8R3dBX+k0o
|
||||
AOFpgJCsNgKwU81LOPrkMN19G0+Yn/ZTCDD7cIQ7dhYuDyEX97xh4une/EhnnRuh
|
||||
ASzR+1xYbj/HcYZIL9kbslgpebMn+AhxbUTQF/mziug3hLidR9Bzvygq0Q09E11c
|
||||
OZL4BU6J2HqxL+9m2F+tnLdfhL7MsAq9nbmWAOpkbGefc5SXBSq0sWfwoes3X3yD
|
||||
Q8B5Xqr9AxABU7oUB+wRqvY69ZCxi/BhuuJCUxY89ZmwXfkVxeHl1tYfROUwOnJO
|
||||
GYSbI/o41KBK4DkIiDcT7QqvqvCyudnxZdBjL2QU6OrIJvWmKs319qSF9m3mXRSt
|
||||
ZzWtB89Pj5LZ6cdtuHvW9GO4qSoBLmAfB313pGkbgi1DE6tqCLHlA0yQ8zv99OWV
|
||||
cMDGmS7tVTZqfX1xQJ0N3bNORQNtikJC3G+zBCJzIeZleeDlMDQcww00yWU1oE7/
|
||||
To2UmykMGc7o9iggFWR2g0PIcKsA/SXdRKWPqCHG2uKHBvdRTQGupdXQ1sbV+AHw
|
||||
ycyA/9H/mp/NUSNM2cqnBDcZ6GhlHt59zWtEveiuU5fpTbp4GVcFXbW8jStj8j8z
|
||||
1HI3cywZO8+YNPzqyx0JWsidXGkfzkPHyS4jTG84lfu2JG8m/nqLnRSeKpl20Q==
|
||||
=79bX
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
@ -18,7 +18,8 @@
|
||||
# of these registries, it should be added at the end of the list.
|
||||
#
|
||||
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
||||
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]
|
||||
# unqualified-search-registries = ["example.com"]
|
||||
unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
|
||||
#
|
||||
# [[registry]]
|
||||
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
||||
@ -75,5 +76,4 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
|
||||
# # 2. example-mirror-1.local/mirrors/foo/image:latest
|
||||
# # 3. internal-registry-for-example.com/bar/image:latest
|
||||
# # in order, and use the first one that exists.
|
||||
|
||||
short-name-mode="enforcing"
|
||||
short-name-mode = "enforcing"
|
||||
|
@ -20,6 +20,7 @@
|
||||
"registry" = "docker.io/library/registry"
|
||||
"swarm" = "docker.io/library/swarm"
|
||||
# Fedora
|
||||
"fedora-bootc" = "registry.fedoraproject.org/fedora-bootc"
|
||||
"fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
|
||||
"fedora" = "registry.fedoraproject.org/fedora"
|
||||
# Gentoo
|
||||
@ -56,6 +57,7 @@
|
||||
"rhel7" = "registry.access.redhat.com/rhel7"
|
||||
"rhel7.9" = "registry.access.redhat.com/rhel7.9"
|
||||
"rhel-atomic" = "registry.access.redhat.com/rhel-atomic"
|
||||
"rhel9-bootc" = "registry.redhat.io/rhel9/rhel-bootc"
|
||||
"rhel-minimal" = "registry.access.redhat.com/rhel-minimal"
|
||||
"rhel-init" = "registry.access.redhat.com/rhel-init"
|
||||
"rhel7-atomic" = "registry.access.redhat.com/rhel7-atomic"
|
||||
@ -100,7 +102,7 @@
|
||||
"ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
|
||||
"ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
|
||||
# Rocky Linux
|
||||
"rockylinux" = "docker.io/library/rockylinux"
|
||||
"rockylinux" = "quay.io/rockylinux/rockylinux"
|
||||
# Debian
|
||||
"debian" = "docker.io/library/debian"
|
||||
# Kali Linux
|
||||
|
1
sources
1
sources
@ -0,0 +1 @@
|
||||
SHA512 (v0.60.0.tar.gz) = 9eae809f6834472172fb997dedf828a11c7617b19374f46086394be3eeeb7f8fa9a1245a020af3a611142d6edda6670ee1d080229048fd0886313c7f698c21af
|
109
storage.conf
109
storage.conf
@ -19,6 +19,10 @@ driver = "overlay"
|
||||
# Temporary storage location
|
||||
runroot = "/run/containers/storage"
|
||||
|
||||
# Priority list for the storage drivers that will be tested one
|
||||
# after the other to pick the storage driver if it is not defined.
|
||||
# driver_priority = ["overlay", "btrfs"]
|
||||
|
||||
# Primary Read/Write location of container storage
|
||||
# When changing the graphroot location on an SELINUX system, you must
|
||||
# ensure the labeling matches the default locations labels with the
|
||||
@ -59,7 +63,7 @@ additionalimagestores = [
|
||||
# can deduplicate pulling of content, disk storage of content and can allow the
|
||||
# kernel to use less memory when running containers.
|
||||
|
||||
# containers/storage supports three keys
|
||||
# containers/storage supports four keys
|
||||
# * enable_partial_images="true" | "false"
|
||||
# Tells containers/storage to look for files previously pulled in storage
|
||||
# rather then always pulling them from the container registry.
|
||||
@ -70,30 +74,13 @@ additionalimagestores = [
|
||||
# Tells containers/storage where an ostree repository exists that might have
|
||||
# previously pulled content which can be used when attempting to avoid
|
||||
# pulling content from the container registry
|
||||
# * convert_images = "false" | "true"
|
||||
# If set to true, containers/storage will convert images to a
|
||||
# format compatible with partial pulls in order to take advantage
|
||||
# of local deduplication and hard linking. It is an expensive
|
||||
# operation so it is not enabled by default.
|
||||
pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
|
||||
|
||||
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
|
||||
# a container, to the UIDs/GIDs as they should appear outside of the container,
|
||||
# and the length of the range of UIDs/GIDs. Additional mapped sets can be
|
||||
# listed and will be heeded by libraries, but there are limits to the number of
|
||||
# mappings which the kernel will allow when you later attempt to run a
|
||||
# container.
|
||||
#
|
||||
# remap-uids = "0:1668442479:65536"
|
||||
# remap-gids = "0:1668442479:65536"
|
||||
|
||||
# Remap-User/Group is a user name which can be used to look up one or more UID/GID
|
||||
# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
|
||||
# with an in-container ID of 0 and then a host-level ID taken from the lowest
|
||||
# range that matches the specified name, and using the length of that range.
|
||||
# Additional ranges are then assigned, using the ranges which specify the
|
||||
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
|
||||
# until all of the entries have been used for maps. This setting overrides the
|
||||
# Remap-UIDs/GIDs setting.
|
||||
#
|
||||
# remap-user = "containers"
|
||||
# remap-group = "containers"
|
||||
|
||||
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
|
||||
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
|
||||
# to containers configured to create automatically a user namespace. Containers
|
||||
@ -168,79 +155,3 @@ mountopt = "nodev,metacopy=on"
|
||||
# "force_mask" permissions.
|
||||
#
|
||||
# force_mask = ""
|
||||
|
||||
[storage.options.thinpool]
|
||||
# Storage Options for thinpool
|
||||
|
||||
# autoextend_percent determines the amount by which pool needs to be
|
||||
# grown. This is specified in terms of % of pool size. So a value of 20 means
|
||||
# that when threshold is hit, pool will be grown by 20% of existing
|
||||
# pool size.
|
||||
# autoextend_percent = "20"
|
||||
|
||||
# autoextend_threshold determines the pool extension threshold in terms
|
||||
# of percentage of pool size. For example, if threshold is 60, that means when
|
||||
# pool is 60% full, threshold has been hit.
|
||||
# autoextend_threshold = "80"
|
||||
|
||||
# basesize specifies the size to use when creating the base device, which
|
||||
# limits the size of images and containers.
|
||||
# basesize = "10G"
|
||||
|
||||
# blocksize specifies a custom blocksize to use for the thin pool.
|
||||
# blocksize="64k"
|
||||
|
||||
# directlvm_device specifies a custom block storage device to use for the
|
||||
# thin pool. Required if you setup devicemapper.
|
||||
# directlvm_device = ""
|
||||
|
||||
# directlvm_device_force wipes device even if device already has a filesystem.
|
||||
# directlvm_device_force = "True"
|
||||
|
||||
# fs specifies the filesystem type to use for the base device.
|
||||
# fs="xfs"
|
||||
|
||||
# log_level sets the log level of devicemapper.
|
||||
# 0: LogLevelSuppress 0 (Default)
|
||||
# 2: LogLevelFatal
|
||||
# 3: LogLevelErr
|
||||
# 4: LogLevelWarn
|
||||
# 5: LogLevelNotice
|
||||
# 6: LogLevelInfo
|
||||
# 7: LogLevelDebug
|
||||
# log_level = "7"
|
||||
|
||||
# min_free_space specifies the min free space percent in a thin pool require for
|
||||
# new device creation to succeed. Valid values are from 0% - 99%.
|
||||
# Value 0% disables
|
||||
# min_free_space = "10%"
|
||||
|
||||
# mkfsarg specifies extra mkfs arguments to be used when creating the base
|
||||
# device.
|
||||
# mkfsarg = ""
|
||||
|
||||
# metadata_size is used to set the `pvcreate --metadatasize` options when
|
||||
# creating thin devices. Default is 128k
|
||||
# metadata_size = ""
|
||||
|
||||
# Size is used to set a maximum size of the container image.
|
||||
# size = ""
|
||||
|
||||
# use_deferred_removal marks devicemapper block device for deferred removal.
|
||||
# If the thinpool is in use when the driver attempts to remove it, the driver
|
||||
# tells the kernel to remove it as soon as possible. Note this does not free
|
||||
# up the disk space, use deferred deletion to fully remove the thinpool.
|
||||
# use_deferred_removal = "True"
|
||||
|
||||
# use_deferred_deletion marks thinpool device for deferred deletion.
|
||||
# If the device is busy when the driver attempts to delete it, the driver
|
||||
# will attempt to delete device every 30 seconds until successful.
|
||||
# If the program using the driver exits, the driver will continue attempting
|
||||
# to cleanup the next time the driver is used. Deferred deletion permanently
|
||||
# deletes the device and all data stored in device will be lost.
|
||||
# use_deferred_deletion = "True"
|
||||
|
||||
# xfs_nospace_max_retries specifies the maximum number of retries XFS should
|
||||
# attempt to complete IO when ENOSPC (no space) error is returned by
|
||||
# underlying storage device.
|
||||
# xfs_nospace_max_retries = "0"
|
||||
|
40
update-vendored.sh
Executable file
40
update-vendored.sh
Executable file
@ -0,0 +1,40 @@
|
||||
#!/bin/bash
|
||||
# This script assures we always deliver the current documentation/configs
|
||||
# for the c/storage, c/image and c/common vendored in podman, skopeo, buildah
|
||||
# For questions reach to Jindrich Novy <jnovy@redhat.com>
|
||||
rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
|
||||
CENTOS=""
|
||||
pwd | grep /tmp/centos > /dev/null
|
||||
if [ $? == 0 ]; then
|
||||
CENTOS=1
|
||||
PKG=centpkg
|
||||
else
|
||||
PKG=rhpkg
|
||||
fi
|
||||
set -e
|
||||
for P in podman skopeo buildah; do
|
||||
BRN=`pwd | sed 's,^.*/,,'`
|
||||
rm -rf $P
|
||||
$PKG clone $P
|
||||
cd $P
|
||||
$PKG switch-branch $BRN
|
||||
if [ $BRN != stream-container-tools-rhel8 ]; then
|
||||
$PKG prep
|
||||
else
|
||||
$PKG --release rhel-8 prep
|
||||
fi
|
||||
rm -rf *SPECPARTS
|
||||
DIR=`ls -d -- */ | grep "$P"`
|
||||
grep github.com/containers/image $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,'>> /tmp/ver_image
|
||||
grep github.com/containers/common $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,' >> /tmp/ver_common
|
||||
grep github.com/containers/storage $DIR/go.mod | cut -d\ -f2 | sed 's,-.*,,' >> /tmp/ver_storage
|
||||
cd -
|
||||
done
|
||||
IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
|
||||
COMMON_VER=`sort -n /tmp/ver_common | head -n1`
|
||||
STORAGE_VER=`sort -n /tmp/ver_storage | head -n1`
|
||||
sed -i "s,^%global.*image_branch.*,%global image_branch $IMAGE_VER," containers-common.spec
|
||||
sed -i "s,^%global.*common_branch.*,%global common_branch $COMMON_VER," containers-common.spec
|
||||
sed -i "s,^%global.*storage_branch.*,%global storage_branch $STORAGE_VER," containers-common.spec
|
||||
rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
|
||||
rm -rf podman skopeo buildah
|
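Review bot: The version selection on `IMAGE_VER=\`sort -n /tmp/ver_image | head -n1\`` (and the two lines after it) does not order versions: the values are Go module versions such as `v0.60.0` with no leading digit, so `sort -n` treats every line as equal and falls back to a bytewise comparison in which `v0.60.0` sorts before `v0.9.0`; `sort -V` is the comparison the "lowest vendored version" logic needs. The intermediate files also use fixed names under `/tmp`, shared by every user on the host and not removed when `set -e` aborts the clone/prep loop, so a leftover or pre-created file at that path feeds stale values straight into the `sed -i` edits of containers-common.spec; a private `mktemp -d` directory with an `EXIT` trap removes both the predictable path and the cleanup lines at the top and bottom of the script. The sketch below shows the changed lines; the loop body only changes its three `>>` targets.
```shell
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
# … unchanged: CENTOS / PKG detection, set -e, clone/prep loop
#     (its three `>> /tmp/ver_*` redirects become `>> "$WORK/ver_*"`) …
IMAGE_VER=$(sort -V "$WORK/ver_image" | head -n1)
COMMON_VER=$(sort -V "$WORK/ver_common" | head -n1)
STORAGE_VER=$(sort -V "$WORK/ver_storage" | head -n1)
# … unchanged: sed -i edits of containers-common.spec, rm -rf podman skopeo buildah …
```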
88
update.sh
88
update.sh
@ -1,33 +1,67 @@
|
||||
#!/usr/bin/env bash
|
||||
#!/bin/bash
|
||||
# This script delivers current documentation/configs and assures it has the intended
|
||||
# settings for a particular branch/release.
|
||||
# For questions reach to Jindrich Novy <jnovy@redhat.com>
|
||||
|
||||
set -ox pipefail
|
||||
ensure() {
|
||||
if grep ^$2[[:blank:]].*= $1 > /dev/null
|
||||
then
|
||||
sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1
|
||||
else
|
||||
if grep ^\#.*$2[[:blank:]].*= $1 > /dev/null
|
||||
then
|
||||
sed -i "/^#.*$2[[:blank:]].*=/a \
|
||||
$2 = $3" $1
|
||||
else
|
||||
echo "$2 = $3" >> $1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
spectool -fg containers-common.spec
|
||||
|
||||
if [[ $(git rev-parse --abbrev-ref HEAD) == "rawhide" ]]; then
|
||||
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' \
|
||||
-e 's/^pull_options.*=.*/pull_options = {enable_partial_images = \"true\", use_hard_links = \"false\", ostree_repos=""}/' \
|
||||
storage.conf
|
||||
#./pyxis.sh
|
||||
#./update-vendored.sh
|
||||
spectool -f -g containers-common.spec
|
||||
for FILE in *; do
|
||||
[ -s "$FILE" ]
|
||||
if [ $? == 1 ] && [ "$FILE" != "sources" ]; then
|
||||
echo "empty file: $FILE"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
ensure storage.conf driver \"overlay\"
|
||||
ensure storage.conf mountopt \"nodev,metacopy=on\"
|
||||
if pwd | grep rhel-8 > /dev/null
|
||||
then
|
||||
awk -i inplace '/#default_capabilities/,/#\]/{gsub("#","",$0)}1' containers.conf
|
||||
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
|
||||
ensure registries.conf short-name-mode \"permissive\"
|
||||
ensure containers.conf runtime \"runc\"
|
||||
ensure containers.conf events_logger \"file\"
|
||||
ensure containers.conf log_driver \"k8s-file\"
|
||||
ensure containers.conf network_backend \"cni\"
|
||||
if ! grep \"NET_RAW\" containers.conf > /dev/null
|
||||
then
|
||||
sed -i '/^default_capabilities/a \
|
||||
"NET_RAW",' containers.conf
|
||||
fi
|
||||
if ! grep \"SYS_CHROOT\" containers.conf > /dev/null
|
||||
then
|
||||
sed -i '/^default_capabilities/a \
|
||||
"SYS_CHROOT",' containers.conf
|
||||
fi
|
||||
else
|
||||
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' \
|
||||
-e '/additionalimage.*/a "/usr/lib/containers/storage",' \
|
||||
storage.conf
|
||||
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
|
||||
ensure registries.conf short-name-mode \"enforcing\"
|
||||
ensure containers.conf runtime \"crun\"
|
||||
fi
|
||||
|
||||
[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
|
||||
[ `grep \"keyctl\", seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
|
||||
"keyctl",' seccomp.json
|
||||
sed -i '/\"socketcall\",/i \
|
||||
[ `grep \"socket\", seccomp.json | wc -l` == 0 ] && sed -i '/\"socketcall\",/i \
|
||||
"socket",' seccomp.json
|
||||
|
||||
sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]/g' \
|
||||
registries.conf
|
||||
|
||||
grep '^short-name-mode="enforcing"' registries.conf
|
||||
if [[ $? == 1 ]]; then
|
||||
echo -e '\nshort-name-mode="enforcing"' >> registries.conf
|
||||
fi
|
||||
|
||||
sed -i -e 's/^#.*log_driver.*=.*/log_driver = "journald"/' \
|
||||
containers.conf
|
||||
|
||||
git checkout origin default-policy.json
|
||||
rhpkg clone redhat-release
|
||||
cd redhat-release
|
||||
rhpkg switch-branch rhel-9.4.0
|
||||
rhpkg prep
|
||||
cp -f redhat-release-*/RPM-GPG* ../
|
||||
cd -
|
||||
rm -rf redhat-release
|
||||
|
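Review bot: `ensure` can silently leave the old value in place: the test `grep ^$2[[:blank:]].*= $1` accepts any text between the key and `=`, but the rewrite `sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1` only matches a single blank before `=`, so a line such as `driver  = "vfs"` passes the test, is never rewritten, and nothing checks the outcome. Making the two patterns agree, `sed -i "s;^$2[[:blank:]]*=.*;$2 = $3;" "$1"`, and ending the function with `grep -qF -- "$2 = $3" "$1" || { echo "ensure: $2 not set in $1" >&2; exit 1; }` turns it into a real guarantee for settings like `short-name-mode` and `runtime` that the shipped defaults rely on. The redhat-release block at the end has the same unchecked-failure shape: `cd redhat-release` is not guarded (and even if `set -ox pipefail` survives on the new side it does not include `-e`), so a failed clone leaves `cp -f redhat-release-*/RPM-GPG* ../` and `rm -rf redhat-release` running in the dist-git root; `cd redhat-release || exit 1` prevents that. Since those RPM-GPG-KEY files are the trust roots default-policy.json's `keyPaths` point at, comparing their fingerprints (`gpg --show-keys --with-fingerprint`) against the value recorded in fd431d51.txt before copying would catch a wrong `switch-branch` target or a tampered checkout.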