Update content
This commit is contained in:
parent
492c93c6c6
commit
d27dde396f
@ -15,7 +15,7 @@
|
|||||||
Epoch: 4
|
Epoch: 4
|
||||||
Name: containers-common
|
Name: containers-common
|
||||||
Version: 1
|
Version: 1
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
Summary: Common configuration and documentation for containers
|
Summary: Common configuration and documentation for containers
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
@ -114,6 +114,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
|
|||||||
%{_datadir}/rhel/secrets/*
|
%{_datadir}/rhel/secrets/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 15 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-8
|
||||||
|
- Update content
|
||||||
|
|
||||||
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
|
* Mon Feb 01 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-7
|
||||||
- use the correct policy.json file
|
- use the correct policy.json file
|
||||||
|
|
||||||
|
@ -26,12 +26,11 @@ as well as among different namespaces/repositories within a registry.
|
|||||||
|
|
||||||
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
|
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
|
||||||
|
|
||||||
`prefix`
|
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
|
||||||
: A prefix of the user-specified image name, i.e. using one of the following formats:
|
- _host_[`:`_port_]
|
||||||
- _host_[`:`_port_]
|
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
|
||||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
|
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
|
||||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
|
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
|
||||||
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
|
|
||||||
|
|
||||||
The user-specified image name must start with the specified `prefix` (and continue
|
The user-specified image name must start with the specified `prefix` (and continue
|
||||||
with the appropriate separator) for a particular `[[registry]]` TOML table to be
|
with the appropriate separator) for a particular `[[registry]]` TOML table to be
|
||||||
@ -164,10 +163,10 @@ If `short-name-mode` is not specified at all or left empty, default to the
|
|||||||
`permissive` mode. If the user-specified short name was not aliased already,
|
`permissive` mode. If the user-specified short name was not aliased already,
|
||||||
the `enforcing` and `permissive` mode if prompted, will record a new alias
|
the `enforcing` and `permissive` mode if prompted, will record a new alias
|
||||||
after a successful pull. Note that the recorded alias will be written to
|
after a successful pull. Note that the recorded alias will be written to
|
||||||
`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear
|
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
|
||||||
separation between possibly human-edited registries.conf files and the
|
separation between possibly human-edited registries.conf files and the
|
||||||
machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used
|
machine-generated `short-name-aliases-conf`. Note that `$HOME/.cache` is used
|
||||||
if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a
|
for rootless users. If an alias is specified in a
|
||||||
`registries.conf` file and also the machine-generated
|
`registries.conf` file and also the machine-generated
|
||||||
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
|
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
|
||||||
|
|
||||||
|
@ -73,7 +73,6 @@ default_capabilities = [
|
|||||||
"SYS_CHROOT"
|
"SYS_CHROOT"
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
# A list of sysctls to be set in containers by default,
|
# A list of sysctls to be set in containers by default,
|
||||||
# specified as "name=value",
|
# specified as "name=value",
|
||||||
# for example:"net.ipv4.ping_group_range = 0 0".
|
# for example:"net.ipv4.ping_group_range = 0 0".
|
||||||
@ -158,7 +157,7 @@ default_sysctls = [
|
|||||||
|
|
||||||
# Logging driver for the container. Available options: k8s-file and journald.
|
# Logging driver for the container. Available options: k8s-file and journald.
|
||||||
#
|
#
|
||||||
# log_driver = "journald"
|
# log_driver = "k8s-file"
|
||||||
|
|
||||||
# Maximum size allowed for the container log file. Negative numbers indicate
|
# Maximum size allowed for the container log file. Negative numbers indicate
|
||||||
# that no size limit is imposed. If positive, it must be >= 8192 to match or
|
# that no size limit is imposed. If positive, it must be >= 8192 to match or
|
||||||
@ -241,6 +240,9 @@ default_sysctls = [
|
|||||||
#
|
#
|
||||||
# cni_plugin_dirs = ["/usr/libexec/cni"]
|
# cni_plugin_dirs = ["/usr/libexec/cni"]
|
||||||
|
|
||||||
|
# The network name of the default CNI network to attach pods to.
|
||||||
|
# default_network = "podman"
|
||||||
|
|
||||||
# Path to the directory where CNI configuration files are located.
|
# Path to the directory where CNI configuration files are located.
|
||||||
#
|
#
|
||||||
# network_config_dir = "/etc/cni/net.d/"
|
# network_config_dir = "/etc/cni/net.d/"
|
||||||
@ -324,7 +326,7 @@ default_sysctls = [
|
|||||||
# associated with the pod. This container does nothing other then sleep,
|
# associated with the pod. This container does nothing other then sleep,
|
||||||
# reserving the pods resources for the lifetime of the pod.
|
# reserving the pods resources for the lifetime of the pod.
|
||||||
#
|
#
|
||||||
# infra_image = "k8s.gcr.io/pause:3.2"
|
# infra_image = "k8s.gcr.io/pause:3.4.1"
|
||||||
|
|
||||||
# Specify the locking mechanism to use; valid values are "shm" and "file".
|
# Specify the locking mechanism to use; valid values are "shm" and "file".
|
||||||
# Change the default only if you are sure of what you are doing, in general
|
# Change the default only if you are sure of what you are doing, in general
|
||||||
|
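Review bot: The updated default at `# infra_image = "k8s.gcr.io/pause:3.4.1"` is still a mutable tag reference, so the image actually pulled for every pod's infra container can change underneath a deployment without any edit to this file. Extending the comment above it with a line such as `# A digest reference (image@sha256:...) may be used instead of a tag to pin the infra image` would make the pinning option visible where operators set this value — assuming the engine accepts digest references in this field, which this page does not show. The same tag reference is documented under **infra_image** in the containers.conf.5.md hunk of this commit, which should carry matching wording.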
@ -46,32 +46,16 @@ TOML can be simplified to:
|
|||||||
The containers table contains settings pertaining to the OCI runtime that can
|
The containers table contains settings pertaining to the OCI runtime that can
|
||||||
configure and manage the OCI runtime.
|
configure and manage the OCI runtime.
|
||||||
|
|
||||||
**devices**=[]
|
**annotations** = []
|
||||||
|
List of annotations. Specified as "key=value" pairs to be added to all containers.
|
||||||
|
|
||||||
List of devices.
|
Example: "run.oci.keep_original_groups=1"
|
||||||
Specified as 'device-on-host:device-on-container:permissions'.
|
|
||||||
|
|
||||||
Example: "/dev/sdc:/dev/xvdc:rwm".
|
|
||||||
|
|
||||||
**volumes**=[]
|
|
||||||
|
|
||||||
List of volumes.
|
|
||||||
Specified as "directory-on-host:directory-in-container:options".
|
|
||||||
|
|
||||||
Example: "/db:/var/lib/db:ro".
|
|
||||||
|
|
||||||
**apparmor_profile**="container-default"
|
**apparmor_profile**="container-default"
|
||||||
|
|
||||||
Used to change the name of the default AppArmor profile of container engines.
|
Used to change the name of the default AppArmor profile of container engines.
|
||||||
The default profile name is "container-default".
|
The default profile name is "container-default".
|
||||||
|
|
||||||
**cgroupns**="private"
|
|
||||||
|
|
||||||
Default way to to create a cgroup namespace for the container.
|
|
||||||
Options are:
|
|
||||||
`private` Create private Cgroup Namespace for the container.
|
|
||||||
`host` Share host Cgroup Namespace with the container.
|
|
||||||
|
|
||||||
**cgroups**="enabled"
|
**cgroups**="enabled"
|
||||||
|
|
||||||
Determines whether the container will create CGroups.
|
Determines whether the container will create CGroups.
|
||||||
@ -80,6 +64,13 @@ Options are:
|
|||||||
`disabled` Disable cgroup support, will inherit cgroups from parent
|
`disabled` Disable cgroup support, will inherit cgroups from parent
|
||||||
`no-conmon` Do not create a cgroup dedicated to conmon.
|
`no-conmon` Do not create a cgroup dedicated to conmon.
|
||||||
|
|
||||||
|
**cgroupns**="private"
|
||||||
|
|
||||||
|
Default way to to create a cgroup namespace for the container.
|
||||||
|
Options are:
|
||||||
|
`private` Create private Cgroup Namespace for the container.
|
||||||
|
`host` Share host Cgroup Namespace with the container.
|
||||||
|
|
||||||
**default_capabilities**=[]
|
**default_capabilities**=[]
|
||||||
|
|
||||||
List of default capabilities for containers.
|
List of default capabilities for containers.
|
||||||
@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit".
|
|||||||
|
|
||||||
Example: "nofile=1024:2048".
|
Example: "nofile=1024:2048".
|
||||||
|
|
||||||
|
**devices**=[]
|
||||||
|
|
||||||
|
List of devices.
|
||||||
|
Specified as 'device-on-host:device-on-container:permissions'.
|
||||||
|
|
||||||
|
Example: "/dev/sdc:/dev/xvdc:rwm".
|
||||||
|
|
||||||
**dns_options**=[]
|
**dns_options**=[]
|
||||||
|
|
||||||
List of default DNS options to be added to /etc/resolv.conf inside of the
|
List of default DNS options to be added to /etc/resolv.conf inside of the
|
||||||
@ -177,7 +175,7 @@ the container.
|
|||||||
|
|
||||||
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
|
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
|
||||||
|
|
||||||
**log_driver**="journald"
|
**log_driver**="k8s-file"
|
||||||
|
|
||||||
Logging driver for the container. Available options: `k8s-file` and `journald`.
|
Logging driver for the container. Available options: `k8s-file` and `journald`.
|
||||||
|
|
||||||
@ -201,11 +199,6 @@ Options are:
|
|||||||
Create /etc/hosts for the container. By default, container engines manage
|
Create /etc/hosts for the container. By default, container engines manage
|
||||||
/etc/hosts, automatically adding the container's own IP address.
|
/etc/hosts, automatically adding the container's own IP address.
|
||||||
|
|
||||||
**pids_limit**=1024
|
|
||||||
|
|
||||||
Maximum number of processes allowed in a container. 0 indicates that no limit
|
|
||||||
is imposed.
|
|
||||||
|
|
||||||
**pidns**="private"
|
**pidns**="private"
|
||||||
|
|
||||||
Default way to to create a PID namespace for the container.
|
Default way to to create a PID namespace for the container.
|
||||||
@ -213,6 +206,11 @@ Options are:
|
|||||||
`private` Create private PID Namespace for the container.
|
`private` Create private PID Namespace for the container.
|
||||||
`host` Share host PID Namespace with the container.
|
`host` Share host PID Namespace with the container.
|
||||||
|
|
||||||
|
**pids_limit**=1024
|
||||||
|
|
||||||
|
Maximum number of processes allowed in a container. 0 indicates that no limit
|
||||||
|
is imposed.
|
||||||
|
|
||||||
**seccomp_profile**="/usr/share/containers/seccomp.json"
|
**seccomp_profile**="/usr/share/containers/seccomp.json"
|
||||||
|
|
||||||
Path to the seccomp.json profile which is used as the default seccomp profile
|
Path to the seccomp.json profile which is used as the default seccomp profile
|
||||||
@ -240,13 +238,6 @@ Examples:
|
|||||||
|
|
||||||
Sets umask inside the container.
|
Sets umask inside the container.
|
||||||
|
|
||||||
**utsns**="private"
|
|
||||||
|
|
||||||
Default way to to create a UTS namespace for the container.
|
|
||||||
Options are:
|
|
||||||
`private` Create private UTS Namespace for the container.
|
|
||||||
`host` Share host UTS Namespace with the container.
|
|
||||||
|
|
||||||
**userns**="host"
|
**userns**="host"
|
||||||
|
|
||||||
Default way to to create a USER namespace for the container.
|
Default way to to create a USER namespace for the container.
|
||||||
@ -259,6 +250,14 @@ Options are:
|
|||||||
Number of UIDs to allocate for the automatic container creation. UIDs are
|
Number of UIDs to allocate for the automatic container creation. UIDs are
|
||||||
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
|
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
|
||||||
|
|
||||||
|
**utsns**="private"
|
||||||
|
|
||||||
|
Default way to to create a UTS namespace for the container.
|
||||||
|
Options are:
|
||||||
|
`private` Create private UTS Namespace for the container.
|
||||||
|
`host` Share host UTS Namespace with the container.
|
||||||
|
|
||||||
|
|
||||||
## NETWORK TABLE
|
## NETWORK TABLE
|
||||||
The `network` table contains settings pertaining to the management of CNI
|
The `network` table contains settings pertaining to the management of CNI
|
||||||
plugins.
|
plugins.
|
||||||
@ -275,15 +274,19 @@ The network name of the default CNI network to attach pods to.
|
|||||||
|
|
||||||
Path to the directory where CNI configuration files are located.
|
Path to the directory where CNI configuration files are located.
|
||||||
|
|
||||||
|
**volumes**=[]
|
||||||
|
|
||||||
|
List of volumes.
|
||||||
|
Specified as "directory-on-host:directory-in-container:options".
|
||||||
|
|
||||||
|
Example: "/db:/var/lib/db:ro".
|
||||||
|
|
||||||
## ENGINE TABLE
|
## ENGINE TABLE
|
||||||
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
||||||
|
|
||||||
**image_default_format**="oci"|"v2s2"|"v2s1"
|
**active_service**=""
|
||||||
|
|
||||||
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
|
||||||
container images. By default images pulled and pushed match the format of the
|
|
||||||
source image. Building/committing defaults to OCI.
|
|
||||||
Note: **image_build_format** is deprecated.
|
|
||||||
|
|
||||||
**cgroup_check**=false
|
**cgroup_check**=false
|
||||||
|
|
||||||
@ -350,26 +353,33 @@ Valid values: `file`, `journald`, and `none`.
|
|||||||
|
|
||||||
Path to the OCI hooks directories for automatically executed hooks.
|
Path to the OCI hooks directories for automatically executed hooks.
|
||||||
|
|
||||||
|
**image_default_format**="oci"|"v2s2"|"v2s1"
|
||||||
|
|
||||||
|
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
||||||
|
container images. By default images pulled and pushed match the format of the
|
||||||
|
source image. Building/committing defaults to OCI.
|
||||||
|
Note: **image_build_format** is deprecated.
|
||||||
|
|
||||||
**image_default_transport**="docker://"
|
**image_default_transport**="docker://"
|
||||||
|
|
||||||
Default transport method for pulling and pushing images.
|
Default transport method for pulling and pushing images.
|
||||||
|
|
||||||
**infra_command**="/pause"
|
|
||||||
|
|
||||||
Command to run the infra container.
|
|
||||||
|
|
||||||
**infra_image**="k8s.gcr.io/pause:3.2"
|
|
||||||
|
|
||||||
Infra (pause) container image name for pod infra containers. When running a
|
|
||||||
pod, we start a `pause` process in a container to hold open the namespaces
|
|
||||||
associated with the pod. This container does nothing other then sleep,
|
|
||||||
reserving the pods resources for the lifetime of the pod.
|
|
||||||
|
|
||||||
**image_parallel_copies**=0
|
**image_parallel_copies**=0
|
||||||
|
|
||||||
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
||||||
Not setting this field will fall back to containers/image defaults. (6)
|
Not setting this field will fall back to containers/image defaults. (6)
|
||||||
|
|
||||||
|
**infra_command**="/pause"
|
||||||
|
|
||||||
|
Command to run the infra container.
|
||||||
|
|
||||||
|
**infra_image**="k8s.gcr.io/pause:3.4.1"
|
||||||
|
|
||||||
|
Infra (pause) container image name for pod infra containers. When running a
|
||||||
|
pod, we start a `pause` process in a container to hold open the namespaces
|
||||||
|
associated with the pod. This container does nothing other then sleep,
|
||||||
|
reserving the pods resources for the lifetime of the pod.
|
||||||
|
|
||||||
**lock_type**="shm"
|
**lock_type**="shm"
|
||||||
|
|
||||||
Specify the locking mechanism to use; valid values are "shm" and "file".
|
Specify the locking mechanism to use; valid values are "shm" and "file".
|
||||||
@ -411,27 +421,6 @@ pod consumes one lock. The default number available is 2048. If this is
|
|||||||
changed, a lock renumbering must be performed, using the
|
changed, a lock renumbering must be performed, using the
|
||||||
`podman system renumber` command.
|
`podman system renumber` command.
|
||||||
|
|
||||||
**active_service**=""
|
|
||||||
|
|
||||||
Name of destination for accessing the Podman service.
|
|
||||||
|
|
||||||
**[service_destinations]**
|
|
||||||
|
|
||||||
**[service_destinations.{name}]**
|
|
||||||
|
|
||||||
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
|
|
||||||
|
|
||||||
Example URIs:
|
|
||||||
|
|
||||||
- **rootless local** - unix://run/user/1000/podman/podman.sock
|
|
||||||
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
|
|
||||||
- **rootfull local** - unix://run/podman/podman.sock
|
|
||||||
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
|
|
||||||
|
|
||||||
**identity="~/.ssh/id_rsa**
|
|
||||||
|
|
||||||
Path to file containing ssh identity key
|
|
||||||
|
|
||||||
**pull_policy**="always"|"missing"|"never"
|
**pull_policy**="always"|"missing"|"never"
|
||||||
|
|
||||||
Pull image before running or creating a container. The default is **missing**.
|
Pull image before running or creating a container. The default is **missing**.
|
||||||
@ -477,6 +466,24 @@ Number of seconds to wait for container to exit before sending kill signal.
|
|||||||
The path to a temporary directory to store per-boot container.
|
The path to a temporary directory to store per-boot container.
|
||||||
Must be a tmpfs (wiped after reboot).
|
Must be a tmpfs (wiped after reboot).
|
||||||
|
|
||||||
|
## SERVICE DESTINATION TABLE
|
||||||
|
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
|
||||||
|
|
||||||
|
**[service_destinations.{name}]**
|
||||||
|
URI to access the Podman service
|
||||||
|
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
|
||||||
|
|
||||||
|
Example URIs:
|
||||||
|
|
||||||
|
- **rootless local** - unix://run/user/1000/podman/podman.sock
|
||||||
|
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
|
||||||
|
- **rootfull local** - unix://run/podman/podman.sock
|
||||||
|
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||||
|
|
||||||
|
**identity="~/.ssh/id_rsa**
|
||||||
|
|
||||||
|
Path to file containing ssh identity key
|
||||||
|
|
||||||
**volume_path**="/var/lib/containers/storage/volumes"
|
**volume_path**="/var/lib/containers/storage/volumes"
|
||||||
|
|
||||||
Directory where named volumes will be created in using the default volume
|
Directory where named volumes will be created in using the default volume
|
||||||
|
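--- /dev/null
+++ b/default-policy.json
@@ -0,0 +1,14 @@
+{
+"default": [
+{
+"type": "insecureAcceptAnything"
+}
+],
+"transports":
+{
+"docker-daemon":
+{
+"": [{"type":"insecureAcceptAnything"}]
+}
+}
+}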
@ -18,7 +18,7 @@
|
|||||||
# of these registries, it should be added at the end of the list.
|
# of these registries, it should be added at the end of the list.
|
||||||
#
|
#
|
||||||
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
||||||
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
|
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
|
||||||
#
|
#
|
||||||
# [[registry]]
|
# [[registry]]
|
||||||
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
||||||
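Review bot: Removing `"registry.centos.org"` from `unqualified-search-registries` changes where any CentOS short name that is not covered by an alias resolves: such names now fall through the remaining entries and end at `docker.io`, which is the namespace most exposed to look-alike images. The shortnames.conf hunk in this commit repoints only the `centos` alias to `quay.io/centos/centos`; any other aliases or documentation that still reference registry.centos.org are outside this page and should be checked together with this change. A one-line comment above the list recording why the registry was dropped, e.g. `# registry.centos.org removed; the centos short name is served by the alias in shortnames.conf`, would save the next maintainer from re-adding it.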
|
@ -1,6 +1,6 @@
|
|||||||
[aliases]
|
[aliases]
|
||||||
# centos
|
# centos
|
||||||
"centos" = "registry.centos.org/centos"
|
"centos" = "quay.io/centos/centos"
|
||||||
# containers
|
# containers
|
||||||
"skopeo" = "quay.io/skopeo/stable"
|
"skopeo" = "quay.io/skopeo/stable"
|
||||||
"buildah" = "quay.io/buildah/stable"
|
"buildah" = "quay.io/buildah/stable"
|
||||||
|