Update content

This commit is contained in:
Daniel J Walsh 2021-02-15 14:09:01 -05:00
parent 492c93c6c6
commit d27dde396f
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
7 changed files with 109 additions and 84 deletions


@ -15,7 +15,7 @@
Epoch: 4 Epoch: 4
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 7%{?dist} Release: 8%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
BuildArch: noarch BuildArch: noarch
@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Mon Feb 15 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-8
- Update content
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7 * Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
- use the correct policy.json file - use the correct policy.json file


@ -26,8 +26,7 @@ as well as among different namespaces/repositories within a registry.
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field. Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
`prefix` `prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
: A prefix of the user-specified image name, i.e. using one of the following formats:
- _host_[`:`_port_] - _host_[`:`_port_]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…] - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_ - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
@ -164,10 +163,10 @@ If `short-name-mode` is not specified at all or left empty, default to the
`permissive` mode. If the user-specified short name was not aliased already, `permissive` mode. If the user-specified short name was not aliased already,
the `enforcing` and `permissive` mode if prompted, will record a new alias the `enforcing` and `permissive` mode if prompted, will record a new alias
after a successful pull. Note that the recorded alias will be written to after a successful pull. Note that the recorded alias will be written to
`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear `/var/cache/containers/short-name-aliases.conf` for root to have a clear
separation between possibly human-edited registries.conf files and the separation between possibly human-edited registries.conf files and the
machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used machine-generated `short-name-aliases-conf`. Note that `$HOME/.cache` is used
if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a for rootless users. If an alias is specified in a
`registries.conf` file and also the machine-generated `registries.conf` file and also the machine-generated
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence. `short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.


@ -73,7 +73,6 @@ default_capabilities = [
"SYS_CHROOT" "SYS_CHROOT"
] ]
# A list of sysctls to be set in containers by default, # A list of sysctls to be set in containers by default,
# specified as "name=value", # specified as "name=value",
# for example:"net.ipv4.ping_group_range = 0 0". # for example:"net.ipv4.ping_group_range = 0 0".
@ -158,7 +157,7 @@ default_sysctls = [
# Logging driver for the container. Available options: k8s-file and journald. # Logging driver for the container. Available options: k8s-file and journald.
# #
# log_driver = "journald" # log_driver = "k8s-file"
# Maximum size allowed for the container log file. Negative numbers indicate # Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or # that no size limit is imposed. If positive, it must be >= 8192 to match or
@ -241,6 +240,9 @@ default_sysctls = [
# #
# cni_plugin_dirs = ["/usr/libexec/cni"] # cni_plugin_dirs = ["/usr/libexec/cni"]
# The network name of the default CNI network to attach pods to.
# default_network = "podman"
# Path to the directory where CNI configuration files are located. # Path to the directory where CNI configuration files are located.
# #
# network_config_dir = "/etc/cni/net.d/" # network_config_dir = "/etc/cni/net.d/"
@ -324,7 +326,7 @@ default_sysctls = [
# associated with the pod. This container does nothing other then sleep, # associated with the pod. This container does nothing other then sleep,
# reserving the pods resources for the lifetime of the pod. # reserving the pods resources for the lifetime of the pod.
# #
# infra_image = "k8s.gcr.io/pause:3.2" # infra_image = "k8s.gcr.io/pause:3.4.1"
# Specify the locking mechanism to use; valid values are "shm" and "file". # Specify the locking mechanism to use; valid values are "shm" and "file".
# Change the default only if you are sure of what you are doing, in general # Change the default only if you are sure of what you are doing, in general
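Review bot: The new commented default `# log_driver = "k8s-file"` switches the documented default to a file-backed driver, and the text immediately below it says a negative `log_size_max` imposes no size limit; the value of that key is outside this hunk, but if it is still negative the two documented defaults together mean unbounded per-container log files on disk, whereas journald is rotated by the journal's own limits. I would say so next to the new default, e.g. `# With k8s-file, logs are written to disk per container; set log_size_max below to bound them.` Separately, `# infra_image = "k8s.gcr.io/pause:3.4.1"` is referenced by a mutable tag; a one-line hint that sites can pin a digest (`@sha256:...`) in their own containers.conf would help operators who need a reproducible pause image, since the packaged default cannot be pinned for every host.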


@ -46,32 +46,16 @@ TOML can be simplified to:
The containers table contains settings pertaining to the OCI runtime that can The containers table contains settings pertaining to the OCI runtime that can
configure and manage the OCI runtime. configure and manage the OCI runtime.
**devices**=[] **annotations** = []
List of annotations. Specified as "key=value" pairs to be added to all containers.
List of devices. Example: "run.oci.keep_original_groups=1"
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
**apparmor_profile**="container-default" **apparmor_profile**="container-default"
Used to change the name of the default AppArmor profile of container engines. Used to change the name of the default AppArmor profile of container engines.
The default profile name is "container-default". The default profile name is "container-default".
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**cgroups**="enabled" **cgroups**="enabled"
Determines whether the container will create CGroups. Determines whether the container will create CGroups.
@ -80,6 +64,13 @@ Options are:
`disabled` Disable cgroup support, will inherit cgroups from parent `disabled` Disable cgroup support, will inherit cgroups from parent
`no-conmon` Do not create a cgroup dedicated to conmon. `no-conmon` Do not create a cgroup dedicated to conmon.
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**default_capabilities**=[] **default_capabilities**=[]
List of default capabilities for containers. List of default capabilities for containers.
@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit".
Example: "nofile=1024:2048". Example: "nofile=1024:2048".
**devices**=[]
List of devices.
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**dns_options**=[] **dns_options**=[]
List of default DNS options to be added to /etc/resolv.conf inside of the List of default DNS options to be added to /etc/resolv.conf inside of the
@ -177,7 +175,7 @@ the container.
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
**log_driver**="journald" **log_driver**="k8s-file"
Logging driver for the container. Available options: `k8s-file` and `journald`. Logging driver for the container. Available options: `k8s-file` and `journald`.
@ -201,11 +199,6 @@ Options are:
Create /etc/hosts for the container. By default, container engines manage Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address. /etc/hosts, automatically adding the container's own IP address.
**pids_limit**=1024
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.
**pidns**="private" **pidns**="private"
Default way to to create a PID namespace for the container. Default way to to create a PID namespace for the container.
@ -213,6 +206,11 @@ Options are:
`private` Create private PID Namespace for the container. `private` Create private PID Namespace for the container.
`host` Share host PID Namespace with the container. `host` Share host PID Namespace with the container.
**pids_limit**=1024
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.
**seccomp_profile**="/usr/share/containers/seccomp.json" **seccomp_profile**="/usr/share/containers/seccomp.json"
Path to the seccomp.json profile which is used as the default seccomp profile Path to the seccomp.json profile which is used as the default seccomp profile
@ -240,13 +238,6 @@ Examples:
Sets umask inside the container. Sets umask inside the container.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
**userns**="host" **userns**="host"
Default way to to create a USER namespace for the container. Default way to to create a USER namespace for the container.
@ -259,6 +250,14 @@ Options are:
Number of UIDs to allocate for the automatic container creation. UIDs are Number of UIDs to allocate for the automatic container creation. UIDs are
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid. allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
## NETWORK TABLE ## NETWORK TABLE
The `network` table contains settings pertaining to the management of CNI The `network` table contains settings pertaining to the management of CNI
plugins. plugins.
@ -275,15 +274,19 @@ The network name of the default CNI network to attach pods to.
Path to the directory where CNI configuration files are located. Path to the directory where CNI configuration files are located.
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
## ENGINE TABLE ## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
**image_default_format**="oci"|"v2s2"|"v2s1" **active_service**=""
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
container images. By default images pulled and pushed match the format of the
source image. Building/committing defaults to OCI.
Note: **image_build_format** is deprecated.
**cgroup_check**=false **cgroup_check**=false
@ -350,26 +353,33 @@ Valid values: `file`, `journald`, and `none`.
Path to the OCI hooks directories for automatically executed hooks. Path to the OCI hooks directories for automatically executed hooks.
**image_default_format**="oci"|"v2s2"|"v2s1"
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
container images. By default images pulled and pushed match the format of the
source image. Building/committing defaults to OCI.
Note: **image_build_format** is deprecated.
**image_default_transport**="docker://" **image_default_transport**="docker://"
Default transport method for pulling and pushing images. Default transport method for pulling and pushing images.
**infra_command**="/pause"
Command to run the infra container.
**infra_image**="k8s.gcr.io/pause:3.2"
Infra (pause) container image name for pod infra containers. When running a
pod, we start a `pause` process in a container to hold open the namespaces
associated with the pod. This container does nothing other then sleep,
reserving the pods resources for the lifetime of the pod.
**image_parallel_copies**=0 **image_parallel_copies**=0
Maximum number of image layers to be copied (pulled/pushed) simultaneously. Maximum number of image layers to be copied (pulled/pushed) simultaneously.
Not setting this field will fall back to containers/image defaults. (6) Not setting this field will fall back to containers/image defaults. (6)
**infra_command**="/pause"
Command to run the infra container.
**infra_image**="k8s.gcr.io/pause:3.4.1"
Infra (pause) container image name for pod infra containers. When running a
pod, we start a `pause` process in a container to hold open the namespaces
associated with the pod. This container does nothing other then sleep,
reserving the pods resources for the lifetime of the pod.
**lock_type**="shm" **lock_type**="shm"
Specify the locking mechanism to use; valid values are "shm" and "file". Specify the locking mechanism to use; valid values are "shm" and "file".
@ -411,27 +421,6 @@ pod consumes one lock. The default number available is 2048. If this is
changed, a lock renumbering must be performed, using the changed, a lock renumbering must be performed, using the
`podman system renumber` command. `podman system renumber` command.
**active_service**=""
Name of destination for accessing the Podman service.
**[service_destinations]**
**[service_destinations.{name}]**
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
- **rootless local** - unix://run/user/1000/podman/podman.sock
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
- **rootfull local** - unix://run/podman/podman.sock
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
**identity="~/.ssh/id_rsa**
Path to file containing ssh identity key
**pull_policy**="always"|"missing"|"never" **pull_policy**="always"|"missing"|"never"
Pull image before running or creating a container. The default is **missing**. Pull image before running or creating a container. The default is **missing**.
@ -477,6 +466,24 @@ Number of seconds to wait for container to exit before sending kill signal.
The path to a temporary directory to store per-boot container. The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot). Must be a tmpfs (wiped after reboot).
## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
**[service_destinations.{name}]**
URI to access the Podman service
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
- **rootless local** - unix://run/user/1000/podman/podman.sock
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
- **rootfull local** - unix://run/podman/podman.sock
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
**identity="~/.ssh/id_rsa**
Path to file containing ssh identity key
**volume_path**="/var/lib/containers/storage/volumes" **volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume Directory where named volumes will be created in using the default volume

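--- /dev/null
+++ b/default-policy.json
@@ -0,0 +1,14 @@
+{
+"default": [
+{
+"type": "insecureAcceptAnything"
+}
+],
+"transports":
+{
+"docker-daemon":
+{
+"": [{"type":"insecureAcceptAnything"}]
+}
+}
+}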
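Review bot: The new default policy uses `insecureAcceptAnything` both as the global `default` and for the `docker-daemon` transport, so with this package installed no pulled image is checked for a signature on any registry; that may be the intended permissive default, but a packaged policy.json is what most hosts will run unmodified, so the trade-off should be stated somewhere a user will read it. JSON has no comment syntax, so the caveat belongs in the spec's %description or in the policy documentation this package presumably ships: note that the shipped policy is permissive and that enforcing signatures means changing the global entry to `"default": [{"type": "reject"}]` and adding per-registry `signedBy` entries for the registries that are trusted. The prior changelog entry reads "use the correct policy.json file", which suggests this file replaces an earlier one; if that earlier policy enforced signatures for any registry, the relaxation deserves a line in this commit's changelog entry rather than the bare "Update content".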


@ -18,7 +18,7 @@
# of these registries, it should be added at the end of the list. # of these registries, it should be added at the end of the list.
# #
# # An array of host[:port] registries to try when pulling an unqualified image, in order. # # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"] unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
# #
# [[registry]] # [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
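Review bot: Removing `registry.centos.org` from `unqualified-search-registries` means an unqualified `centos` now resolves only through the `centos` alias in shortnames.conf that this same commit repoints to quay.io; any other short name without an alias is still tried against each remaining registry in order and ends at docker.io, which is the name-squatting exposure the search list has always carried. The man page in this commit documents that an unset `short-name-mode` defaults to permissive, so the fall-through is the default behaviour here unless this file sets it, and the file's leading comment does not say so. I would add, above the list: `# Short names without an alias are tried against each registry below in order, ending at docker.io; set short-name-mode = "enforcing" to require an explicit choice instead.` Whether to actually flip the mode in the packaged default is a separate decision, since it changes the non-interactive pull behaviour.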


@ -1,6 +1,6 @@
[aliases] [aliases]
# centos # centos
"centos" = "registry.centos.org/centos" "centos" = "quay.io/centos/centos"
# containers # containers
"skopeo" = "quay.io/skopeo/stable" "skopeo" = "quay.io/skopeo/stable"
"buildah" = "quay.io/buildah/stable" "buildah" = "quay.io/buildah/stable"