Update content

This commit is contained in:
Daniel J Walsh 2021-02-15 14:09:01 -05:00
parent 492c93c6c6
commit d27dde396f
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
7 changed files with 109 additions and 84 deletions


@ -15,7 +15,7 @@
Epoch: 4
Name: containers-common
Version: 1
Release: 7%{?dist}
Release: 8%{?dist}
Summary: Common configuration and documentation for containers
License: ASL 2.0
BuildArch: noarch
@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/*
%changelog
* Mon Feb 15 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-8
- Update content
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
- use the correct policy.json file


@ -26,12 +26,11 @@ as well as among different namespaces/repositories within a registry.
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
`prefix`
: A prefix of the user-specified image name, i.e. using one of the following formats:
- _host_[`:`_port_]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
- _host_[`:`_port_]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
The user-specified image name must start with the specified `prefix` (and continue
with the appropriate separator) for a particular `[[registry]]` TOML table to be
@ -164,10 +163,10 @@ If `short-name-mode` is not specified at all or left empty, default to the
`permissive` mode. If the user-specified short name was not aliased already,
the `enforcing` and `permissive` mode if prompted, will record a new alias
after a successful pull. Note that the recorded alias will be written to
`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
separation between possibly human-edited registries.conf files and the
machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used
if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a
machine-generated `short-name-aliases-conf`. Note that `$HOME/.cache` is used
for rootless users. If an alias is specified in a
`registries.conf` file and also the machine-generated
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.


@ -73,7 +73,6 @@ default_capabilities = [
"SYS_CHROOT"
]
# A list of sysctls to be set in containers by default,
# specified as "name=value",
# for example:"net.ipv4.ping_group_range = 0 0".
@ -158,7 +157,7 @@ default_sysctls = [
# Logging driver for the container. Available options: k8s-file and journald.
#
# log_driver = "journald"
# log_driver = "k8s-file"
# Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or
@ -241,6 +240,9 @@ default_sysctls = [
#
# cni_plugin_dirs = ["/usr/libexec/cni"]
# The network name of the default CNI network to attach pods to.
# default_network = "podman"
# Path to the directory where CNI configuration files are located.
#
# network_config_dir = "/etc/cni/net.d/"
@ -324,7 +326,7 @@ default_sysctls = [
# associated with the pod. This container does nothing other then sleep,
# reserving the pods resources for the lifetime of the pod.
#
# infra_image = "k8s.gcr.io/pause:3.2"
# infra_image = "k8s.gcr.io/pause:3.4.1"
# Specify the locking mechanism to use; valid values are "shm" and "file".
# Change the default only if you are sure of what you are doing, in general
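Review bot: The updated commented default `# infra_image = "k8s.gcr.io/pause:3.4.1"` (assuming 3.4.1 is the new side, as the matching containers.conf.5.md hunk suggests) names the pause image by a mutable tag only, so what actually runs in every pod is whatever the registry serves for that tag at pull time, and nothing in the file records the expected content. Since this comment is what operators copy when they set the key, it should say so and show the digest form as the way to get a fixed image, e.g. `# Tags are resolved at pull time; pin a digest for a fixed image:` followed by `# infra_image = "k8s.gcr.io/pause@sha256:<DIGEST_PLACEHOLDER>"`. The same tag-only example appears in the containers.conf.5.md section of this commit and would want the same remark. The `# log_driver = "k8s-file"` change earlier in this section also deserves a one-line comment on why the shown default moved away from journald, since log collection setups depend on it.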


@ -46,32 +46,16 @@ TOML can be simplified to:
The containers table contains settings pertaining to the OCI runtime that can
configure and manage the OCI runtime.
**devices**=[]
**annotations** = []
List of annotations. Specified as "key=value" pairs to be added to all containers.
List of devices.
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
Example: "run.oci.keep_original_groups=1"
**apparmor_profile**="container-default"
Used to change the name of the default AppArmor profile of container engines.
The default profile name is "container-default".
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**cgroups**="enabled"
Determines whether the container will create CGroups.
@ -80,6 +64,13 @@ Options are:
`disabled` Disable cgroup support, will inherit cgroups from parent
`no-conmon` Do not create a cgroup dedicated to conmon.
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**default_capabilities**=[]
List of default capabilities for containers.
@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit".
Example: "nofile=1024:2048".
**devices**=[]
List of devices.
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**dns_options**=[]
List of default DNS options to be added to /etc/resolv.conf inside of the
@ -177,7 +175,7 @@ the container.
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
**log_driver**="journald"
**log_driver**="k8s-file"
Logging driver for the container. Available options: `k8s-file` and `journald`.
@ -201,11 +199,6 @@ Options are:
Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address.
**pids_limit**=1024
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.
**pidns**="private"
Default way to to create a PID namespace for the container.
@ -213,6 +206,11 @@ Options are:
`private` Create private PID Namespace for the container.
`host` Share host PID Namespace with the container.
**pids_limit**=1024
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.
**seccomp_profile**="/usr/share/containers/seccomp.json"
Path to the seccomp.json profile which is used as the default seccomp profile
@ -240,13 +238,6 @@ Examples:
Sets umask inside the container.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
**userns**="host"
Default way to to create a USER namespace for the container.
@ -259,6 +250,14 @@ Options are:
Number of UIDs to allocate for the automatic container creation. UIDs are
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
## NETWORK TABLE
The `network` table contains settings pertaining to the management of CNI
plugins.
@ -275,15 +274,19 @@ The network name of the default CNI network to attach pods to.
Path to the directory where CNI configuration files are located.
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
**image_default_format**="oci"|"v2s2"|"v2s1"
**active_service**=""
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
container images. By default images pulled and pushed match the format of the
source image. Building/committing defaults to OCI.
Note: **image_build_format** is deprecated.
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
**cgroup_check**=false
@ -350,26 +353,33 @@ Valid values: `file`, `journald`, and `none`.
Path to the OCI hooks directories for automatically executed hooks.
**image_default_format**="oci"|"v2s2"|"v2s1"
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
container images. By default images pulled and pushed match the format of the
source image. Building/committing defaults to OCI.
Note: **image_build_format** is deprecated.
**image_default_transport**="docker://"
Default transport method for pulling and pushing images.
**infra_command**="/pause"
Command to run the infra container.
**infra_image**="k8s.gcr.io/pause:3.2"
Infra (pause) container image name for pod infra containers. When running a
pod, we start a `pause` process in a container to hold open the namespaces
associated with the pod. This container does nothing other then sleep,
reserving the pods resources for the lifetime of the pod.
**image_parallel_copies**=0
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
Not setting this field will fall back to containers/image defaults. (6)
**infra_command**="/pause"
Command to run the infra container.
**infra_image**="k8s.gcr.io/pause:3.4.1"
Infra (pause) container image name for pod infra containers. When running a
pod, we start a `pause` process in a container to hold open the namespaces
associated with the pod. This container does nothing other then sleep,
reserving the pods resources for the lifetime of the pod.
**lock_type**="shm"
Specify the locking mechanism to use; valid values are "shm" and "file".
@ -411,27 +421,6 @@ pod consumes one lock. The default number available is 2048. If this is
changed, a lock renumbering must be performed, using the
`podman system renumber` command.
**active_service**=""
Name of destination for accessing the Podman service.
**[service_destinations]**
**[service_destinations.{name}]**
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
- **rootless local** - unix://run/user/1000/podman/podman.sock
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
- **rootfull local** - unix://run/podman/podman.sock
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
**identity="~/.ssh/id_rsa**
Path to file containing ssh identity key
**pull_policy**="always"|"missing"|"never"
Pull image before running or creating a container. The default is **missing**.
@ -477,6 +466,24 @@ Number of seconds to wait for container to exit before sending kill signal.
The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot).
## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
**[service_destinations.{name}]**
URI to access the Podman service
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
- **rootless local** - unix://run/user/1000/podman/podman.sock
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
- **rootfull local** - unix://run/podman/podman.sock
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
**identity="~/.ssh/id_rsa**
Path to file containing ssh identity key
**volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume

default-policy.json Normal file

@ -0,0 +1,14 @@
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
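Review bot: The new `default-policy.json` makes `insecureAcceptAnything` the `default` for every transport and repeats it for `docker-daemon`, so image signature verification is switched off for all pulls wherever this file is installed as the effective policy.json (the 4:1-7 changelog entry "use the correct policy.json file" suggests it is the packaged one — confirm). If a permissive default is intended, that should be stated next to the file rather than left implicit, since JSON cannot carry a comment: a line in the spec or a README saying that images are not verified by default and that sites wanting enforcement replace the `default` entry with `reject` and add per-scope `signedBy` requirements. The explicit `docker-daemon` entry adds nothing beyond the `default` entry; either drop it or document why that transport is listed separately. Formatting is also inconsistent between the outer objects (one key per line) and the inner `{"type":"insecureAcceptAnything"}`; run the file through a JSON formatter.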


@ -18,7 +18,7 @@
# of these registries, it should be added at the end of the list.
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;


@ -1,6 +1,6 @@
[aliases]
# centos
"centos" = "registry.centos.org/centos"
"centos" = "quay.io/centos/centos"
# containers
"skopeo" = "quay.io/skopeo/stable"
"buildah" = "quay.io/buildah/stable"