diff --git a/containers-common.spec b/containers-common.spec index eeafa61..cf375f9 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -15,7 +15,7 @@ Epoch: 4 Name: containers-common Version: 1 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 BuildArch: noarch @@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret %{_datadir}/rhel/secrets/* %changelog +* Mon Feb 15 2021 Dan Walsh - 4:1-8 +- Update content + * Mon Feb 01 2021 Lokesh Mandvekar - 4:1-7 - use the correct policy.json file diff --git a/containers-registries.conf.5.md b/containers-registries.conf.5.md index 98b8a8d..f0a9995 100644 --- a/containers-registries.conf.5.md +++ b/containers-registries.conf.5.md @@ -26,12 +26,11 @@ as well as among different namespaces/repositories within a registry. Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field. -`prefix` -: A prefix of the user-specified image name, i.e. using one of the following formats: - - _host_[`:`_port_] - - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…] - - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_ - - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_) +`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats: + - _host_[`:`_port_] + - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…] + - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_ + - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_) The user-specified image name must start with the specified `prefix` (and continue with the appropriate separator) for a particular `[[registry]]` TOML table to be 
@@ -164,10 +163,10 @@ If `short-name-mode` is not specified at all or left empty, default to the `permissive` mode. If the user-specified short name was not aliased already, the `enforcing` and `permissive` mode if prompted, will record a new alias after a successful pull. Note that the recorded alias will be written to -`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear +`/var/cache/containers/short-name-aliases.conf` for root to have a clear separation between possibly human-edited registries.conf files and the -machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used -if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a +machine-generated `short-name-aliases-conf`. Note that `$HOME/.cache` is used +for rootless users. If an alias is specified in a `registries.conf` file and also the machine-generated `short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence. diff --git a/containers.conf b/containers.conf index 14d043d..0114f29 100644 --- a/containers.conf +++ b/containers.conf @@ -73,7 +73,6 @@ default_capabilities = [ "SYS_CHROOT" ] - # A list of sysctls to be set in containers by default, # specified as "name=value", # for example:"net.ipv4.ping_group_range = 0 0". @@ -158,7 +157,7 @@ default_sysctls = [ # Logging driver for the container. Available options: k8s-file and journald. # -# log_driver = "journald" +# log_driver = "k8s-file" # Maximum size allowed for the container log file. Negative numbers indicate # that no size limit is imposed. If positive, it must be >= 8192 to match or @@ -241,6 +240,9 @@ default_sysctls = [ # # cni_plugin_dirs = ["/usr/libexec/cni"] +# The network name of the default CNI network to attach pods to. +# default_network = "podman" + # Path to the directory where CNI configuration files are located. # # network_config_dir = "/etc/cni/net.d/" 
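Review bot: The `# log_driver = "k8s-file"` line in the -158 hunk changes the documented default without saying what the switch means operationally: with `journald` container stdout/stderr ends up in the system journal next to host logs, while with `k8s-file` it goes to the container log file whose only bound is the `log_size_max` described in the lines just below (a negative value meaning no limit). Anyone who collects container output through the journal for audit or detection will stop seeing it once this default applies, so the comment above the key should say so, e.g. `# Note: with "k8s-file" container output is not sent to the system journal; bound the file with log_size_max.` The matching `**log_driver**` text in containers.conf.5.md is updated in the same commit, so the two stay consistent.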
@@ -324,7 +326,7 @@ default_sysctls = [ # associated with the pod. This container does nothing other then sleep, # reserving the pods resources for the lifetime of the pod. # -# infra_image = "k8s.gcr.io/pause:3.2" +# infra_image = "k8s.gcr.io/pause:3.4.1" # Specify the locking mechanism to use; valid values are "shm" and "file". # Change the default only if you are sure of what you are doing, in general diff --git a/containers.conf.5.md b/containers.conf.5.md index ceeb329..1234df6 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md @@ -46,32 +46,16 @@ TOML can be simplified to: The containers table contains settings pertaining to the OCI runtime that can configure and manage the OCI runtime. -**devices**=[] +**annotations** = [] +List of annotations. Specified as "key=value" pairs to be added to all containers. -List of devices. -Specified as 'device-on-host:device-on-container:permissions'. - -Example: "/dev/sdc:/dev/xvdc:rwm". - -**volumes**=[] - -List of volumes. -Specified as "directory-on-host:directory-in-container:options". - -Example: "/db:/var/lib/db:ro". +Example: "run.oci.keep_original_groups=1" **apparmor_profile**="container-default" Used to change the name of the default AppArmor profile of container engines. The default profile name is "container-default". -**cgroupns**="private" - -Default way to to create a cgroup namespace for the container. -Options are: -`private` Create private Cgroup Namespace for the container. -`host` Share host Cgroup Namespace with the container. - **cgroups**="enabled" Determines whether the container will create CGroups. 
@@ -80,6 +64,13 @@ Options are: `disabled` Disable cgroup support, will inherit cgroups from parent `no-conmon` Do not create a cgroup dedicated to conmon. +**cgroupns**="private" + +Default way to to create a cgroup namespace for the container. +Options are: +`private` Create private Cgroup Namespace for the container. +`host` Share host Cgroup Namespace with the container. + **default_capabilities**=[] List of default capabilities for containers. @@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit". Example: "nofile=1024:2048". +**devices**=[] + +List of devices. +Specified as 'device-on-host:device-on-container:permissions'. + +Example: "/dev/sdc:/dev/xvdc:rwm". + **dns_options**=[] List of default DNS options to be added to /etc/resolv.conf inside of the @@ -177,7 +175,7 @@ the container. Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. -**log_driver**="journald" +**log_driver**="k8s-file" Logging driver for the container. Available options: `k8s-file` and `journald`. @@ -201,11 +199,6 @@ Options are: Create /etc/hosts for the container. By default, container engines manage /etc/hosts, automatically adding the container's own IP address. -**pids_limit**=1024 - -Maximum number of processes allowed in a container. 0 indicates that no limit -is imposed. - **pidns**="private" Default way to to create a PID namespace for the container. @@ -213,6 +206,11 @@ Options are: `private` Create private PID Namespace for the container. `host` Share host PID Namespace with the container. +**pids_limit**=1024 + +Maximum number of processes allowed in a container. 0 indicates that no limit +is imposed. + **seccomp_profile**="/usr/share/containers/seccomp.json" Path to the seccomp.json profile which is used as the default seccomp profile 
@@ -240,13 +238,6 @@ Examples: Sets umask inside the container. -**utsns**="private" - -Default way to to create a UTS namespace for the container. -Options are: - `private` Create private UTS Namespace for the container. - `host` Share host UTS Namespace with the container. - **userns**="host" Default way to to create a USER namespace for the container. @@ -259,6 +250,14 @@ Options are: Number of UIDs to allocate for the automatic container creation. UIDs are allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid. +**utsns**="private" + +Default way to to create a UTS namespace for the container. +Options are: + `private` Create private UTS Namespace for the container. + `host` Share host UTS Namespace with the container. + + ## NETWORK TABLE The `network` table contains settings pertaining to the management of CNI plugins. @@ -275,15 +274,19 @@ The network name of the default CNI network to attach pods to. Path to the directory where CNI configuration files are located. +**volumes**=[] + +List of volumes. +Specified as "directory-on-host:directory-in-container:options". + +Example: "/db:/var/lib/db:ro". + ## ENGINE TABLE The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. -**image_default_format**="oci"|"v2s2"|"v2s1" +**active_service**="" -Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building -container images. By default images pulled and pushed match the format of the -source image. Building/committing defaults to OCI. -Note: **image_build_format** is deprecated. +Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below. **cgroup_check**=false 
@@ -350,26 +353,33 @@ Valid values: `file`, `journald`, and `none`. Path to the OCI hooks directories for automatically executed hooks. +**image_default_format**="oci"|"v2s2"|"v2s1" + +Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +container images. By default images pulled and pushed match the format of the +source image. Building/committing defaults to OCI. +Note: **image_build_format** is deprecated. + **image_default_transport**="docker://" Default transport method for pulling and pushing images. -**infra_command**="/pause" - -Command to run the infra container. - -**infra_image**="k8s.gcr.io/pause:3.2" - -Infra (pause) container image name for pod infra containers. When running a -pod, we start a `pause` process in a container to hold open the namespaces -associated with the pod. This container does nothing other then sleep, -reserving the pods resources for the lifetime of the pod. - **image_parallel_copies**=0 Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults. (6) +**infra_command**="/pause" + +Command to run the infra container. + +**infra_image**="k8s.gcr.io/pause:3.4.1" + +Infra (pause) container image name for pod infra containers. When running a +pod, we start a `pause` process in a container to hold open the namespaces +associated with the pod. This container does nothing other then sleep, +reserving the pods resources for the lifetime of the pod. + **lock_type**="shm" Specify the locking mechanism to use; valid values are "shm" and "file". 
@@ -411,27 +421,6 @@ pod consumes one lock. The default number available is 2048. If this is changed, a lock renumbering must be performed, using the `podman system renumber` command. -**active_service**="" - -Name of destination for accessing the Podman service. - -**[service_destinations]** - -**[service_destinations.{name}]** - -**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"** - - Example URIs: - -- **rootless local** - unix://run/user/1000/podman/podman.sock -- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock -- **rootfull local** - unix://run/podman/podman.sock -- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock - -**identity="~/.ssh/id_rsa** - -Path to file containing ssh identity key - **pull_policy**="always"|"missing"|"never" Pull image before running or creating a container. The default is **missing**. @@ -477,6 +466,24 @@ Number of seconds to wait for container to exit before sending kill signal. The path to a temporary directory to store per-boot container. Must be a tmpfs (wiped after reboot). +## SERVICE DESTINATION TABLE +The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. + +**[service_destinations.{name}]** +URI to access the Podman service +**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"** + + Example URIs: + +- **rootless local** - unix://run/user/1000/podman/podman.sock +- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock +- **rootfull local** - unix://run/podman/podman.sock +- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock + +**identity="~/.ssh/id_rsa** + +Path to file containing ssh identity key + **volume_path**="/var/lib/containers/storage/volumes" Directory where named volumes will be created in using the default volume 
diff --git a/default-policy.json b/default-policy.json
new file mode 100644
index 0000000..dffc54a
--- /dev/null
+++ b/default-policy.json
@@ -0,0 +1,14 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+}
diff --git a/registries.conf b/registries.conf
index e63d4a3..d4d3351 100644
--- a/registries.conf
+++ b/registries.conf
@@ -18,7 +18,7 @@
 # of these registries, it should be added at the end of the list.
 #
 # # An array of host[:port] registries to try when pulling an unqualified image, in order.
-unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
+unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
 #
 # [[registry]]
 # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
diff --git a/shortnames.conf b/shortnames.conf
index 0a336e5..0222cec 100644
--- a/shortnames.conf
+++ b/shortnames.conf
@@ -1,6 +1,6 @@
 [aliases]
 # centos
- "centos" = "registry.centos.org/centos"
+ "centos" = "quay.io/centos/centos"
 # containers
  "skopeo" = "quay.io/skopeo/stable"
  "buildah" = "quay.io/buildah/stable"
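Review bot: The new `default-policy.json` sets `default` to `insecureAcceptAnything` and repeats it for the `docker-daemon` transport, so no image signature is verified for any transport or registry on a system that installs this file, including `registry.access.redhat.com`, which the same commit keeps in `unqualified-search-registries`. That may well be the intended permissive upstream default, but it is a security-relevant choice and nothing in the commit records it: the new 4:1-8 changelog entry says only `- Update content`, while the previous 4:1-7 entry said `use the correct policy.json file`, which leaves the intent ambiguous. JSON carries no comments, so the spec changelog or a README should state that this is the accept-everything policy and that requiring signatures for a given registry means a `signedBy` entry (`keyType` `GPGKeys` with a `keyPath`) under `transports.docker` instead. It is also worth confirming that the spec installs this file rather than a distribution-specific policy, since the spec hunks visible here do not reference it.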
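Review bot: With `registry.centos.org` removed, `docker.io` is the only entry left in `unqualified-search-registries` that is not a vendor-controlled registry, and it is still consulted last for every short name the first two registries do not have, so a short name that only exists on docker.io, or that a third party published there, resolves from it. The man-page hunk in this commit says `short-name-mode` defaults to `permissive` and that a successful pull records an alias in `short-name-aliases.conf`, which mitigates repeat pulls but not the first resolution. The comment above the array should make the fall-through explicit, e.g. `# Short names not found on the registries listed first fall through to docker.io; see short-name-mode.` The `centos` alias moved to `quay.io/centos/centos` in shortnames.conf is consistent with dropping the CentOS registry here.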