From ef305af98c86dbd641a6313dfa82eca27d9cc6fd Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 11 May 2021 12:18:59 -0400
Subject: [PATCH] Update containers.conf to latest, and change default log-driver to journald.
---
 containers-common.spec | 5 ++++-
 containers.conf | 29 +++++++++++++++++++++++++----
 containers.conf.5.md | 15 +++++++++++++--
 seccomp.json | 1 +
 shortnames.conf | 4 +++-
 update.sh | 3 +++
 6 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/containers-common.spec b/containers-common.spec
index 40083c0..8c2499e 100644
--- a/containers-common.spec
+++ b/containers-common.spec
@@ -15,7 +15,7 @@ Epoch: 4
 Name: containers-common
 Version: 1
-Release: 17%{?dist}
+Release: 18%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 BuildArch: noarch
@@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %{_datadir}/rhel/secrets/*
 %changelog
+* Tue May 11 2021 Dan Walsh - 4:1-18
+- Update containers.conf to latest, and change default log-driver to journald.
+
 * Thu Apr 15 2021 Lokesh Mandvekar - 4:1-17
 - add common dependencies like oci-runtime and container-selinux
 - will pull in crun by default, runc users should install runc separately first
diff --git a/containers.conf b/containers.conf
index 0114f29..3c57547 100644
--- a/containers.conf
+++ b/containers.conf
@@ -157,7 +157,7 @@ default_sysctls = [
 # Logging driver for the container. Available options: k8s-file and journald.
 #
-# log_driver = "k8s-file"
+log_driver = "journald"
 # Maximum size allowed for the container log file. Negative numbers indicate
 # that no size limit is imposed. If positive, it must be >= 8192 to match or
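Review bot: The uncommented `log_driver = "journald"` line departs from the convention of this section, where a commented `# key = value` line records the engine's own default, so a reader of the packaged file can no longer see that the engine default differs (the removed line suggests it is `k8s-file`). Keep that information as a comment directly above the override, e.g. `# Engine default is "k8s-file"; this package overrides it with journald.`. update.sh in this same patch applies the identical value with sed, presumably because containers.conf is refreshed from upstream; if so, the hand edit here and the script must be kept in step, or one of them dropped, so the packaged default does not silently diverge on the next refresh.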
@@ -243,6 +243,12 @@ default_sysctls = [
 # The network name of the default CNI network to attach pods to.
 # default_network = "podman"
+# The default subnet for the default CNI network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#default_subnet = "10.88.0.0/16"
+
 # Path to the directory where CNI configuration files are located.
 #
 # network_config_dir = "/etc/cni/net.d/"
@@ -254,7 +260,7 @@ default_sysctls = [
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
-# source image. Building/commiting defaults to OCI.
+# source image. Building/committing defaults to OCI.
 # image_default_format = ""
 # Cgroup management implementation used for the runtime.
@@ -336,6 +342,11 @@ default_sysctls = [
 #
 # lock_type** = "shm"
+# Indicates if Podman is running inside a VM via Podman Machine.
+# Podman uses this value to do extra setup around networking from the
+# container inside the VM to to host.
+# machine_enabled=false
+
 # MultiImageArchive - if true, the container engine allows for storing archives
 # (e.g., of the docker-archive transport) with multiple images. By default,
 # Podman creates single-image archives.
@@ -403,7 +414,7 @@ default_sysctls = [
 # List of the OCI runtimes that support --format=json. When json is supported
 # engine will use it for reporting nicer errors.
 #
-# runtime_supports_json = ["crun", "runc", "kata"]
+# runtime_supports_json = ["crun", "runc", "kata", "runsc"]
 # List of the OCI runtimes that supports running containers without cgroups.
 #
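Review bot: The two newly added commented keys do not follow the `# key = value` spacing the rest of the file uses (compare `# default_network = "podman"` and `# network_config_dir = "/etc/cni/net.d/"` in the same hunk): `#default_subnet = "10.88.0.0/16"` in the @@ -243 hunk lacks the space after `#`, and `# machine_enabled=false` in the @@ -336 hunk lacks the spaces around `=`. Write them as `# default_subnet = "10.88.0.0/16"` and `# machine_enabled = false` so that a user uncommenting them gets the same form as every other key. The machine_enabled comment also reads "from the container inside the VM to to host", which should be "to the host"; the identical sentence is repeated in the containers.conf.5.md hunk for **machine_enabled** and should be fixed there too.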
@@ -432,7 +443,7 @@ default_sysctls = [
 # Path to file containing ssh identity key
 # identity = "~/.ssh/id_rsa"
-# Paths to look for a valid OCI runtime (crun, runc, kata, etc)
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
 [engine.runtimes]
 # crun = [
 # "/usr/bin/crun",
@@ -465,6 +476,16 @@ default_sysctls = [
 # "/usr/bin/kata-fc",
 # ]
+# runsc = [
+# "/usr/bin/runsc",
+# "/usr/sbin/runsc",
+# "/usr/local/bin/runsc",
+# "/usr/local/sbin/runsc",
+# "/bin/runsc",
+# "/sbin/runsc",
+# "/run/current-system/sw/bin/runsc",
+# ]
+
 [engine.volume_plugins]
 # testplugin = "/run/podman/plugins/test.sock"
diff --git a/containers.conf.5.md b/containers.conf.5.md
index 1234df6..944dac7 100644
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
@@ -175,7 +175,7 @@ the container.
 Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
-**log_driver**="k8s-file"
+**log_driver**="journald"
 Logging driver for the container. Available options: `k8s-file` and `journald`.
@@ -270,6 +270,11 @@ List of paths to directories where CNI plugin binaries are located.
 The network name of the default CNI network to attach pods to.
+**default_subnet**="10.88.0.0/16"
+
+The subnet to use for the default CNI network (named above in **default_network**).
+If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
+
 **network_config_dir**="/etc/cni/net.d/"
 Path to the directory where CNI configuration files are located.
@@ -388,6 +393,12 @@ Change the default only if you are sure of what you are doing, in general faster
 "shm" lock type. You may need to run "podman system renumber" after you change the lock type.
+**machine_enabled**=false
+
+Indicates if Podman is running inside a VM via Podman Machine.
+Podman uses this value to do extra setup around networking from the
+container inside the VM to to host.
+
 **multi_image_archive**=false
 Allows for creating archives (e.g., tarballs) with more than one image. Some container engines, such as Podman, interpret additional arguments as tags for one image and hence do not store more than one image. The default behavior can be altered with this option.
@@ -439,7 +450,7 @@ Default OCI specific runtime in runtimes that will be used by default. Must refer
 to a member of the runtimes table. Default runtime will be searched for on the system using the priority: "crun", "runc", "kata".
-**runtime_supports_json**=["crun", "runc", "kata"]
+**runtime_supports_json**=["crun", "runc", "kata", "runsc"]
 The list of the OCI runtimes that support `--format=json`.
diff --git a/seccomp.json b/seccomp.json
index 8f2d3b2..37991d9 100644
--- a/seccomp.json
+++ b/seccomp.json
@@ -303,6 +303,7 @@
 "sendmmsg",
 "sendmsg",
 "sendto",
+ "setns",
 "set_robust_list",
 "set_thread_area",
 "set_tid_address",
diff --git a/shortnames.conf b/shortnames.conf
index d841281..1cb9856 100644
--- a/shortnames.conf
+++ b/shortnames.conf
@@ -24,6 +24,8 @@
 "tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
 "tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
 "leap" = "registry.opensuse.org/opensuse/leap"
+ "leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf"
+ "leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf"
 "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
 # SUSE
 "suse/sle15" = "registry.suse.com/suse/sle15"
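Review bot: Adding `"setns"` to the allowlist in seccomp.json widens the packaged seccomp profile for every container that uses it, yet neither the commit subject nor the new %changelog entry mentions seccomp.json at all, and the `names` array's action and any capability condition lie outside this hunk, so whether the call is allowed unconditionally or under a condition cannot be confirmed from here. Record the reason in the commit message and %changelog, e.g. `- seccomp.json: allow setns` plus the motivating use case, and confirm that the entry this line lands in carries whatever condition was intended. Being unrelated to the log-driver change, it would also be easier to audit and to revert as its own commit.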
@@ -54,7 +56,7 @@
 # Ubuntu
 "ubuntu" = "docker.io/library/ubuntu"
 # Oracle Linux
- "oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
+ "oraclelinux" = "docker.io/library/oraclelinux"
 # busybox
 "busybox" = "docker.io/library/busybox"
 # php
diff --git a/update.sh b/update.sh
index ba57c97..849b5bf 100755
--- a/update.sh
+++ b/update.sh
@@ -20,3 +20,6 @@ grep '\nshort-name-mode="enforcing"' registries.conf
 if [[ $? == 1 ]]; then
 echo -e '\nshort-name-mode="enforcing"' >> registries.conf
 fi
+
+echo "Changing containers.conf..."
+sed -i -e 's/^#.*log_driver.*=.*/log_driver = "journald"/' containers.conf
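Review bot: The `oraclelinux` alias now resolves to `docker.io/library/oraclelinux` instead of `container-registry.oracle.com/os/oraclelinux`, which redirects an existing short name to a different registry, but neither the commit subject nor the new %changelog entry records the change. Add a changelog line such as `- shortnames.conf: point oraclelinux alias at docker.io/library/oraclelinux` together with the reason, so the redirect is visible to anyone auditing the alias table, and confirm that the new target is the intended image; that cannot be verified from the patch. The `leap-dnf` and `leap-microdnf` additions in the earlier shortnames.conf hunk need no such note since they only add aliases.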
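Review bot: The added sed expression `s/^#.*log_driver.*=.*/log_driver = "journald"/` matches any commented line that contains `log_driver` followed later by `=`, not only the `# log_driver = "k8s-file"` line it is meant to uncomment, so a future upstream comment that merely mentions log_driver would be turned into a setting line; tighten it to the key itself, `sed -i -e 's/^# *log_driver *=.*/log_driver = "journald"/' containers.conf`. The command is also silent when nothing matches, so an upstream rename would leave the packaged default unchanged without any signal; a following `grep -q '^log_driver = "journald"' containers.conf || exit 1` would catch that. The rest of update.sh precedes this hunk.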