Update content
This commit is contained in:
parent
492c93c6c6
commit
d27dde396f
@ -15,7 +15,7 @@
|
||||
Epoch: 4
|
||||
Name: containers-common
|
||||
Version: 1
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
Summary: Common configuration and documentation for containers
|
||||
License: ASL 2.0
|
||||
BuildArch: noarch
|
||||
@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
|
||||
%{_datadir}/rhel/secrets/*
|
||||
|
||||
%changelog
|
||||
* Mon Feb 15 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-8
|
||||
- Update content
|
||||
|
||||
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
|
||||
- use the correct policy.json file
|
||||
|
||||
|
@ -26,12 +26,11 @@ as well as among different namespaces/repositories within a registry.
|
||||
|
||||
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
|
||||
|
||||
`prefix`
|
||||
: A prefix of the user-specified image name, i.e. using one of the following formats:
|
||||
- _host_[`:`_port_]
|
||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
|
||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
|
||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
|
||||
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
|
||||
- _host_[`:`_port_]
|
||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
|
||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
|
||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
|
||||
|
||||
The user-specified image name must start with the specified `prefix` (and continue
|
||||
with the appropriate separator) for a particular `[[registry]]` TOML table to be
|
||||
@ -164,10 +163,10 @@ If `short-name-mode` is not specified at all or left empty, default to the
|
||||
`permissive` mode. If the user-specified short name was not aliased already,
|
||||
the `enforcing` and `permissive` mode if prompted, will record a new alias
|
||||
after a successful pull. Note that the recorded alias will be written to
|
||||
`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear
|
||||
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
|
||||
separation between possibly human-edited registries.conf files and the
|
||||
machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used
|
||||
if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a
|
||||
machine-generated `short-name-aliases-conf`. Note that `$HOME/.cache` is used
|
||||
for rootless users. If an alias is specified in a
|
||||
`registries.conf` file and also the machine-generated
|
||||
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
|
||||
|
||||
|
@ -73,7 +73,6 @@ default_capabilities = [
|
||||
"SYS_CHROOT"
|
||||
]
|
||||
|
||||
|
||||
# A list of sysctls to be set in containers by default,
|
||||
# specified as "name=value",
|
||||
# for example:"net.ipv4.ping_group_range = 0 0".
|
||||
@ -158,7 +157,7 @@ default_sysctls = [
|
||||
|
||||
# Logging driver for the container. Available options: k8s-file and journald.
|
||||
#
|
||||
# log_driver = "journald"
|
||||
# log_driver = "k8s-file"
|
||||
|
||||
# Maximum size allowed for the container log file. Negative numbers indicate
|
||||
# that no size limit is imposed. If positive, it must be >= 8192 to match or
|
||||
@ -241,6 +240,9 @@ default_sysctls = [
|
||||
#
|
||||
# cni_plugin_dirs = ["/usr/libexec/cni"]
|
||||
|
||||
# The network name of the default CNI network to attach pods to.
|
||||
# default_network = "podman"
|
||||
|
||||
# Path to the directory where CNI configuration files are located.
|
||||
#
|
||||
# network_config_dir = "/etc/cni/net.d/"
|
||||
@ -324,7 +326,7 @@ default_sysctls = [
|
||||
# associated with the pod. This container does nothing other then sleep,
|
||||
# reserving the pods resources for the lifetime of the pod.
|
||||
#
|
||||
# infra_image = "k8s.gcr.io/pause:3.2"
|
||||
# infra_image = "k8s.gcr.io/pause:3.4.1"
|
||||
|
||||
# Specify the locking mechanism to use; valid values are "shm" and "file".
|
||||
# Change the default only if you are sure of what you are doing, in general
|
||||
|
@ -46,32 +46,16 @@ TOML can be simplified to:
|
||||
The containers table contains settings pertaining to the OCI runtime that can
|
||||
configure and manage the OCI runtime.
|
||||
|
||||
**devices**=[]
|
||||
**annotations** = []
|
||||
List of annotations. Specified as "key=value" pairs to be added to all containers.
|
||||
|
||||
List of devices.
|
||||
Specified as 'device-on-host:device-on-container:permissions'.
|
||||
|
||||
Example: "/dev/sdc:/dev/xvdc:rwm".
|
||||
|
||||
**volumes**=[]
|
||||
|
||||
List of volumes.
|
||||
Specified as "directory-on-host:directory-in-container:options".
|
||||
|
||||
Example: "/db:/var/lib/db:ro".
|
||||
Example: "run.oci.keep_original_groups=1"
|
||||
|
||||
**apparmor_profile**="container-default"
|
||||
|
||||
Used to change the name of the default AppArmor profile of container engines.
|
||||
The default profile name is "container-default".
|
||||
|
||||
**cgroupns**="private"
|
||||
|
||||
Default way to to create a cgroup namespace for the container.
|
||||
Options are:
|
||||
`private` Create private Cgroup Namespace for the container.
|
||||
`host` Share host Cgroup Namespace with the container.
|
||||
|
||||
**cgroups**="enabled"
|
||||
|
||||
Determines whether the container will create CGroups.
|
||||
@ -80,6 +64,13 @@ Options are:
|
||||
`disabled` Disable cgroup support, will inherit cgroups from parent
|
||||
`no-conmon` Do not create a cgroup dedicated to conmon.
|
||||
|
||||
**cgroupns**="private"
|
||||
|
||||
Default way to to create a cgroup namespace for the container.
|
||||
Options are:
|
||||
`private` Create private Cgroup Namespace for the container.
|
||||
`host` Share host Cgroup Namespace with the container.
|
||||
|
||||
**default_capabilities**=[]
|
||||
|
||||
List of default capabilities for containers.
|
||||
@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit".
|
||||
|
||||
Example: "nofile=1024:2048".
|
||||
|
||||
**devices**=[]
|
||||
|
||||
List of devices.
|
||||
Specified as 'device-on-host:device-on-container:permissions'.
|
||||
|
||||
Example: "/dev/sdc:/dev/xvdc:rwm".
|
||||
|
||||
**dns_options**=[]
|
||||
|
||||
List of default DNS options to be added to /etc/resolv.conf inside of the
|
||||
@ -177,7 +175,7 @@ the container.
|
||||
|
||||
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
|
||||
|
||||
**log_driver**="journald"
|
||||
**log_driver**="k8s-file"
|
||||
|
||||
Logging driver for the container. Available options: `k8s-file` and `journald`.
|
||||
|
||||
@ -201,11 +199,6 @@ Options are:
|
||||
Create /etc/hosts for the container. By default, container engines manage
|
||||
/etc/hosts, automatically adding the container's own IP address.
|
||||
|
||||
**pids_limit**=1024
|
||||
|
||||
Maximum number of processes allowed in a container. 0 indicates that no limit
|
||||
is imposed.
|
||||
|
||||
**pidns**="private"
|
||||
|
||||
Default way to to create a PID namespace for the container.
|
||||
@ -213,6 +206,11 @@ Options are:
|
||||
`private` Create private PID Namespace for the container.
|
||||
`host` Share host PID Namespace with the container.
|
||||
|
||||
**pids_limit**=1024
|
||||
|
||||
Maximum number of processes allowed in a container. 0 indicates that no limit
|
||||
is imposed.
|
||||
|
||||
**seccomp_profile**="/usr/share/containers/seccomp.json"
|
||||
|
||||
Path to the seccomp.json profile which is used as the default seccomp profile
|
||||
@ -240,13 +238,6 @@ Examples:
|
||||
|
||||
Sets umask inside the container.
|
||||
|
||||
**utsns**="private"
|
||||
|
||||
Default way to to create a UTS namespace for the container.
|
||||
Options are:
|
||||
`private` Create private UTS Namespace for the container.
|
||||
`host` Share host UTS Namespace with the container.
|
||||
|
||||
**userns**="host"
|
||||
|
||||
Default way to to create a USER namespace for the container.
|
||||
@ -259,6 +250,14 @@ Options are:
|
||||
Number of UIDs to allocate for the automatic container creation. UIDs are
|
||||
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
|
||||
|
||||
**utsns**="private"
|
||||
|
||||
Default way to to create a UTS namespace for the container.
|
||||
Options are:
|
||||
`private` Create private UTS Namespace for the container.
|
||||
`host` Share host UTS Namespace with the container.
|
||||
|
||||
|
||||
## NETWORK TABLE
|
||||
The `network` table contains settings pertaining to the management of CNI
|
||||
plugins.
|
||||
@ -275,15 +274,19 @@ The network name of the default CNI network to attach pods to.
|
||||
|
||||
Path to the directory where CNI configuration files are located.
|
||||
|
||||
**volumes**=[]
|
||||
|
||||
List of volumes.
|
||||
Specified as "directory-on-host:directory-in-container:options".
|
||||
|
||||
Example: "/db:/var/lib/db:ro".
|
||||
|
||||
## ENGINE TABLE
|
||||
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
||||
|
||||
**image_default_format**="oci"|"v2s2"|"v2s1"
|
||||
**active_service**=""
|
||||
|
||||
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
||||
container images. By default images pulled and pushed match the format of the
|
||||
source image. Building/committing defaults to OCI.
|
||||
Note: **image_build_format** is deprecated.
|
||||
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
|
||||
|
||||
**cgroup_check**=false
|
||||
|
||||
@ -350,26 +353,33 @@ Valid values: `file`, `journald`, and `none`.
|
||||
|
||||
Path to the OCI hooks directories for automatically executed hooks.
|
||||
|
||||
**image_default_format**="oci"|"v2s2"|"v2s1"
|
||||
|
||||
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
||||
container images. By default images pulled and pushed match the format of the
|
||||
source image. Building/committing defaults to OCI.
|
||||
Note: **image_build_format** is deprecated.
|
||||
|
||||
**image_default_transport**="docker://"
|
||||
|
||||
Default transport method for pulling and pushing images.
|
||||
|
||||
**infra_command**="/pause"
|
||||
|
||||
Command to run the infra container.
|
||||
|
||||
**infra_image**="k8s.gcr.io/pause:3.2"
|
||||
|
||||
Infra (pause) container image name for pod infra containers. When running a
|
||||
pod, we start a `pause` process in a container to hold open the namespaces
|
||||
associated with the pod. This container does nothing other then sleep,
|
||||
reserving the pods resources for the lifetime of the pod.
|
||||
|
||||
**image_parallel_copies**=0
|
||||
|
||||
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
||||
Not setting this field will fall back to containers/image defaults. (6)
|
||||
|
||||
**infra_command**="/pause"
|
||||
|
||||
Command to run the infra container.
|
||||
|
||||
**infra_image**="k8s.gcr.io/pause:3.4.1"
|
||||
|
||||
Infra (pause) container image name for pod infra containers. When running a
|
||||
pod, we start a `pause` process in a container to hold open the namespaces
|
||||
associated with the pod. This container does nothing other then sleep,
|
||||
reserving the pods resources for the lifetime of the pod.
|
||||
|
||||
**lock_type**="shm"
|
||||
|
||||
Specify the locking mechanism to use; valid values are "shm" and "file".
|
||||
@ -411,27 +421,6 @@ pod consumes one lock. The default number available is 2048. If this is
|
||||
changed, a lock renumbering must be performed, using the
|
||||
`podman system renumber` command.
|
||||
|
||||
**active_service**=""
|
||||
|
||||
Name of destination for accessing the Podman service.
|
||||
|
||||
**[service_destinations]**
|
||||
|
||||
**[service_destinations.{name}]**
|
||||
|
||||
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
|
||||
|
||||
Example URIs:
|
||||
|
||||
- **rootless local** - unix://run/user/1000/podman/podman.sock
|
||||
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
|
||||
- **rootfull local** - unix://run/podman/podman.sock
|
||||
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||
|
||||
**identity="~/.ssh/id_rsa**
|
||||
|
||||
Path to file containing ssh identity key
|
||||
|
||||
**pull_policy**="always"|"missing"|"never"
|
||||
|
||||
Pull image before running or creating a container. The default is **missing**.
|
||||
@ -477,6 +466,24 @@ Number of seconds to wait for container to exit before sending kill signal.
|
||||
The path to a temporary directory to store per-boot container.
|
||||
Must be a tmpfs (wiped after reboot).
|
||||
|
||||
## SERVICE DESTINATION TABLE
|
||||
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
|
||||
|
||||
**[service_destinations.{name}]**
|
||||
URI to access the Podman service
|
||||
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
|
||||
|
||||
Example URIs:
|
||||
|
||||
- **rootless local** - unix://run/user/1000/podman/podman.sock
|
||||
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
|
||||
- **rootfull local** - unix://run/podman/podman.sock
|
||||
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||
|
||||
**identity="~/.ssh/id_rsa**
|
||||
|
||||
Path to file containing ssh identity key
|
||||
|
||||
**volume_path**="/var/lib/containers/storage/volumes"
|
||||
|
||||
Directory where named volumes will be created in using the default volume
|
||||
|
14
default-policy.json
Normal file
14
default-policy.json
Normal file
@ -0,0 +1,14 @@
|
||||
{
|
||||
"default": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
],
|
||||
"transports":
|
||||
{
|
||||
"docker-daemon":
|
||||
{
|
||||
"": [{"type":"insecureAcceptAnything"}]
|
||||
}
|
||||
}
|
||||
}
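Review bot: The new file makes `insecureAcceptAnything` the `default` requirement and repeats it for the `docker-daemon` transport, so every image from every registry is accepted with no signature verification at all; that may be the intended upstream-compatible default, but nothing on this page says so. Since JSON carries no comments, the caveat has to live next to the file rather than in it. I would state in the package documentation (or the spec description) that this policy performs no signature checks and that deployments needing enforcement must replace it with per-registry `signedBy` requirements; the earlier changelog entry `use the correct policy.json file` suggests this is the file now installed as /etc/containers/policy.json, which makes the default worth spelling out.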
|
@ -18,7 +18,7 @@
|
||||
# of these registries, it should be added at the end of the list.
|
||||
#
|
||||
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
||||
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
|
||||
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
|
||||
#
|
||||
# [[registry]]
|
||||
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
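Review bot: The new `unqualified-search-registries` list keeps `docker.io` as the trailing fallback, so an unqualified name that is not found on registry.fedoraproject.org or registry.access.redhat.com is resolved on Docker Hub, where anyone can register a repository with that name. Dropping registry.centos.org shortens the search but does not change that exposure, and the comment above only says new entries belong at the end of the list. I would add two comment lines above the setting: `# Names not found on the first two registries fall through to docker.io, where the` / `# matching repository may be owned by anyone; prefer fully-qualified names or aliases.`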
|
||||
|
@ -1,6 +1,6 @@
|
||||
[aliases]
|
||||
# centos
|
||||
"centos" = "registry.centos.org/centos"
|
||||
"centos" = "quay.io/centos/centos"
|
||||
# containers
|
||||
"skopeo" = "quay.io/skopeo/stable"
|
||||
"buildah" = "quay.io/buildah/stable"
|
||||
|