import containers-common-1-44.el9
This commit is contained in:
parent
07ebd918fe
commit
fbfab77772
@ -1,4 +0,0 @@
|
||||
efcbc896b7b92484f54268578b6847cf961557a1 SOURCES/aardvark-dns-v1.0.1-vendor.tar.gz
|
||||
3ed56a259e5a196706c2f27f83d9f46b4704675d SOURCES/netavark-v1.0.1-vendor.tar.gz
|
||||
8634b77bd1f0d5738a4e0e2b1ca0bf7c784afeb1 SOURCES/v1.0.1-rhel-0a8eabf.tar.gz
|
||||
d42da7797a651a93df43f8cfbaa42101660c1b62 SOURCES/v1.0.1-rhel-93af394.tar.gz
|
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,4 +0,0 @@
|
||||
SOURCES/aardvark-dns-v1.0.1-vendor.tar.gz
|
||||
SOURCES/netavark-v1.0.1-vendor.tar.gz
|
||||
SOURCES/v1.0.1-rhel-0a8eabf.tar.gz
|
||||
SOURCES/v1.0.1-rhel-93af394.tar.gz
|
File diff suppressed because it is too large
Load Diff
574
SOURCES/Containerfile.5.md
Normal file
574
SOURCES/Containerfile.5.md
Normal file
@ -0,0 +1,574 @@
|
||||
% "CONTAINERFILE" "5" "Aug 2021" "" "Container User Manuals"
|
||||
|
||||
# NAME
|
||||
|
||||
Containerfile(Dockerfile) - automate the steps of creating a container image
|
||||
|
||||
# INTRODUCTION
|
||||
|
||||
The **Containerfile** is a configuration file that automates the steps of creating a container image. It is similar to a Makefile. Container engines (Podman, Buildah, Docker) read instructions from the **Containerfile** to automate the steps otherwise performed manually to create an image. To build an image, create a file called **Containerfile**.
|
||||
|
||||
The **Containerfile** describes the steps taken to assemble the image. When the
|
||||
**Containerfile** has been created, call the `buildah bud`, `podman build`, `docker build` command,
|
||||
using the path of context directory that contains **Containerfile** as the argument. Podman and Buildah default to **Containerfile** and will fall back to **Dockerfile**. Docker only will search for **Dockerfile** in the context directory.
|
||||
|
||||
|
||||
**Dockerfile** is an alternate name for the same object. **Containerfile** and **Dockerfile** support the same syntax.
|
||||
|
||||
# SYNOPSIS
|
||||
|
||||
INSTRUCTION arguments
|
||||
|
||||
For example:
|
||||
|
||||
FROM image
|
||||
|
||||
# DESCRIPTION
|
||||
|
||||
A Containerfile is a file that automates the steps of creating a container image.
|
||||
A Containerfile is similar to a Makefile.
|
||||
|
||||
# USAGE
|
||||
|
||||
```
|
||||
buildah bud .
|
||||
podman build .
|
||||
```
|
||||
|
||||
-- Runs the steps and commits them, building a final image.
|
||||
The path to the source repository defines where to find the context of the
|
||||
build.
|
||||
|
||||
```
|
||||
buildah bud -t repository/tag .
|
||||
podman build -t repository/tag .
|
||||
```
|
||||
|
||||
-- specifies a repository and tag at which to save the new image if the build
|
||||
succeeds. The container engine runs the steps one-by-one, committing the result
|
||||
to a new image if necessary, before finally outputting the ID of the new
|
||||
image.
|
||||
|
||||
Container engines re-use intermediate images whenever possible. This significantly
|
||||
accelerates the *build* process.
|
||||
|
||||
# FORMAT
|
||||
|
||||
`FROM image`
|
||||
|
||||
`FROM image:tag`
|
||||
|
||||
`FROM image@digest`
|
||||
|
||||
-- The **FROM** instruction sets the base image for subsequent instructions. A
|
||||
valid Containerfile must have either **ARG** or *FROM** as its first instruction.
|
||||
If **FROM** is not the first instruction in the file, it may only be preceded by
|
||||
one or more ARG instructions, which declare arguments that are used in the next FROM line in the Containerfile.
|
||||
The image can be any valid image. It is easy to start by pulling an image from the public
|
||||
repositories.
|
||||
|
||||
-- **FROM** must appear at least once in the Containerfile.
|
||||
|
||||
-- **FROM** The first **FROM** command must come before all other instructions in
|
||||
the Containerfile except **ARG**
|
||||
|
||||
-- **FROM** may appear multiple times within a single Containerfile in order to create
|
||||
multiple images. Make a note of the last image ID output by the commit before
|
||||
each new **FROM** command.
|
||||
|
||||
-- If no tag is given to the **FROM** instruction, container engines apply the
|
||||
`latest` tag. If the used tag does not exist, an error is returned.
|
||||
|
||||
-- If no digest is given to the **FROM** instruction, container engines apply the
|
||||
`latest` tag. If the used tag does not exist, an error is returned.
|
||||
|
||||
**MAINTAINER**
|
||||
-- **MAINTAINER** sets the Author field for the generated images.
|
||||
Useful for providing users with an email or url for support.
|
||||
|
||||
**RUN**
|
||||
-- **RUN** has two forms:
|
||||
|
||||
```
|
||||
# the command is run in a shell - /bin/sh -c
|
||||
RUN <command>
|
||||
|
||||
# Executable form
|
||||
RUN ["executable", "param1", "param2"]
|
||||
```
|
||||
**RUN mounts**
|
||||
|
||||
**--mount**=*type=TYPE,TYPE-SPECIFIC-OPTION[,...]*
|
||||
|
||||
Attach a filesystem mount to the container
|
||||
|
||||
Current supported mount TYPES are bind, cache, secret and tmpfs.
|
||||
|
||||
e.g.
|
||||
|
||||
mount=type=bind,source=/path/on/host,destination=/path/in/container
|
||||
|
||||
mount=type=tmpfs,tmpfs-size=512M,destination=/path/in/container
|
||||
|
||||
mount=type=secret,id=mysecret cat /run/secrets/mysecret
|
||||
|
||||
Common Options:
|
||||
|
||||
· src, source: mount source spec for bind and volume. Mandatory for bind. If `from` is specified, `src` is the subpath in the `from` field.
|
||||
|
||||
· dst, destination, target: mount destination spec.
|
||||
|
||||
· ro, read-only: true or false (default).
|
||||
|
||||
Options specific to bind:
|
||||
|
||||
· bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
|
||||
|
||||
. bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
|
||||
|
||||
· from: stage or image name for the root of the source. Defaults to the build context.
|
||||
|
||||
Options specific to tmpfs:
|
||||
|
||||
· tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
|
||||
|
||||
· tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
|
||||
|
||||
· tmpcopyup: Path that is shadowed by the tmpfs mount is recursively copied up to the tmpfs itself.
|
||||
|
||||
Options specific to cache:
|
||||
|
||||
· id: Create a separate cache directory for a particular id.
|
||||
|
||||
· mode: File mode for new cache directory in octal. Default 0755.
|
||||
|
||||
· ro, readonly: read only cache if set.
|
||||
|
||||
· uid: uid for cache directory.
|
||||
|
||||
· gid: gid for cache directory.
|
||||
|
||||
· from: stage name for the root of the source. Defaults to host cache directory.
|
||||
|
||||
|
||||
**RUN Secrets**
|
||||
|
||||
The RUN command has a feature to allow the passing of secret information into the image build. These secrets files can be used during the RUN command but are not committed to the final image. The `RUN` command supports the `--mount` option to identify the secret file. A secret file from the host is mounted into the container while the image is being built.
|
||||
|
||||
Container engines pass secret the secret file into the build using the `--secret` flag.
|
||||
|
||||
**--mount**=*type=secret,TYPE-SPECIFIC-OPTION[,...]*
|
||||
|
||||
- `id` is the identifier for the secret passed into the `buildah bud --secret` or `podman build --secret`. This identifier is associated with the RUN --mount identifier to use in the Containerfile.
|
||||
|
||||
- `dst`|`target`|`destination` rename the secret file to a specific file in the Containerfile RUN command to use.
|
||||
|
||||
- `type=secret` tells the --mount command that it is mounting in a secret file
|
||||
|
||||
```
|
||||
# shows secret from default secret location:
|
||||
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
|
||||
```
|
||||
```
|
||||
# shows secret from custom secret location:
|
||||
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
|
||||
```
|
||||
The secret needs to be passed to the build using the --secret flag. The final image built does not container the secret file:
|
||||
|
||||
```
|
||||
buildah bud --no-cache --secret id=mysecret,src=mysecret.txt .
|
||||
```
|
||||
|
||||
-- The **RUN** instruction executes any commands in a new layer on top of the current
|
||||
image and commits the results. The committed image is used for the next step in
|
||||
Containerfile.
|
||||
|
||||
-- Layering **RUN** instructions and generating commits conforms to the core
|
||||
concepts of container engines where commits are cheap and containers can be created from
|
||||
any point in the history of an image. This is similar to source control. The
|
||||
exec form makes it possible to avoid shell string munging. The exec form makes
|
||||
it possible to **RUN** commands using a base image that does not contain `/bin/sh`.
|
||||
|
||||
Note that the exec form is parsed as a JSON array, which means that you must
|
||||
use double-quotes (") around words, not single-quotes (').
|
||||
|
||||
**CMD**
|
||||
-- **CMD** has three forms:
|
||||
|
||||
```
|
||||
# Executable form
|
||||
CMD ["executable", "param1", "param2"]`
|
||||
|
||||
# Provide default arguments to ENTRYPOINT
|
||||
CMD ["param1", "param2"]`
|
||||
|
||||
# the command is run in a shell - /bin/sh -c
|
||||
CMD command param1 param2
|
||||
```
|
||||
|
||||
-- There should be only one **CMD** in a Containerfile. If more than one **CMD** is listed, only
|
||||
the last **CMD** takes effect.
|
||||
The main purpose of a **CMD** is to provide defaults for an executing container.
|
||||
These defaults may include an executable, or they can omit the executable. If
|
||||
they omit the executable, an **ENTRYPOINT** must be specified.
|
||||
When used in the shell or exec formats, the **CMD** instruction sets the command to
|
||||
be executed when running the image.
|
||||
If you use the shell form of the **CMD**, the `<command>` executes in `/bin/sh -c`:
|
||||
|
||||
Note that the exec form is parsed as a JSON array, which means that you must
|
||||
use double-quotes (") around words, not single-quotes (').
|
||||
|
||||
```
|
||||
FROM ubuntu
|
||||
CMD echo "This is a test." | wc -
|
||||
```
|
||||
|
||||
-- If you run **command** without a shell, then you must express the command as a
|
||||
JSON array and give the full path to the executable. This array form is the
|
||||
preferred form of **CMD**. All additional parameters must be individually expressed
|
||||
as strings in the array:
|
||||
|
||||
```
|
||||
FROM ubuntu
|
||||
CMD ["/usr/bin/wc","--help"]
|
||||
```
|
||||
|
||||
-- To make the container run the same executable every time, use **ENTRYPOINT** in
|
||||
combination with **CMD**.
|
||||
If the user specifies arguments to `podman run` or `docker run`, the specified commands
|
||||
override the default in **CMD**.
|
||||
Do not confuse **RUN** with **CMD**. **RUN** runs a command and commits the result.
|
||||
**CMD** executes nothing at build time, but specifies the intended command for
|
||||
the image.
|
||||
|
||||
**LABEL**
|
||||
-- `LABEL <key>=<value> [<key>=<value> ...]`or
|
||||
```
|
||||
LABEL <key>[ <value>]
|
||||
LABEL <key>[ <value>]
|
||||
...
|
||||
```
|
||||
The **LABEL** instruction adds metadata to an image. A **LABEL** is a
|
||||
key-value pair. To specify a **LABEL** without a value, simply use an empty
|
||||
string. To include spaces within a **LABEL** value, use quotes and
|
||||
backslashes as you would in command-line parsing.
|
||||
|
||||
```
|
||||
LABEL com.example.vendor="ACME Incorporated"
|
||||
LABEL com.example.vendor "ACME Incorporated"
|
||||
LABEL com.example.vendor.is-beta ""
|
||||
LABEL com.example.vendor.is-beta=
|
||||
LABEL com.example.vendor.is-beta=""
|
||||
```
|
||||
|
||||
An image can have more than one label. To specify multiple labels, separate
|
||||
each key-value pair by a space.
|
||||
|
||||
Labels are additive including `LABEL`s in `FROM` images. As the system
|
||||
encounters and then applies a new label, new `key`s override any previous
|
||||
labels with identical keys.
|
||||
|
||||
To display an image's labels, use the `buildah inspect` command.
|
||||
|
||||
**EXPOSE**
|
||||
-- `EXPOSE <port> [<port>...]`
|
||||
The **EXPOSE** instruction informs the container engine that the container listens on the
|
||||
specified network ports at runtime. The container engine uses this information to
|
||||
interconnect containers using links and to set up port redirection on the host
|
||||
system.
|
||||
|
||||
**ENV**
|
||||
-- `ENV <key> <value>`
|
||||
The **ENV** instruction sets the environment variable <key> to
|
||||
the value `<value>`. This value is passed to all future
|
||||
**RUN**, **ENTRYPOINT**, and **CMD** instructions. This is
|
||||
functionally equivalent to prefixing the command with `<key>=<value>`. The
|
||||
environment variables that are set with **ENV** persist when a container is run
|
||||
from the resulting image. Use `podman inspect` to inspect these values, and
|
||||
change them using `podman run --env <key>=<value>`.
|
||||
|
||||
Note that setting "`ENV DEBIAN_FRONTEND=noninteractive`" may cause
|
||||
unintended consequences, because it will persist when the container is run
|
||||
interactively, as with the following command: `podman run -t -i image bash`
|
||||
|
||||
**ADD**
|
||||
-- **ADD** has two forms:
|
||||
|
||||
```
|
||||
ADD <src> <dest>
|
||||
|
||||
# Required for paths with whitespace
|
||||
ADD ["<src>",... "<dest>"]
|
||||
```
|
||||
|
||||
The **ADD** instruction copies new files, directories
|
||||
or remote file URLs to the filesystem of the container at path `<dest>`.
|
||||
Multiple `<src>` resources may be specified but if they are files or directories
|
||||
then they must be relative to the source directory that is being built
|
||||
(the context of the build). The `<dest>` is the absolute path, or path relative
|
||||
to **WORKDIR**, into which the source is copied inside the target container.
|
||||
If the `<src>` argument is a local file in a recognized compression format
|
||||
(tar, gzip, bzip2, etc) then it is unpacked at the specified `<dest>` in the
|
||||
container's filesystem. Note that only local compressed files will be unpacked,
|
||||
i.e., the URL download and archive unpacking features cannot be used together.
|
||||
All new directories are created with mode 0755 and with the uid and gid of **0**.
|
||||
|
||||
**COPY**
|
||||
-- **COPY** has two forms:
|
||||
|
||||
```
|
||||
COPY <src> <dest>
|
||||
|
||||
# Required for paths with whitespace
|
||||
COPY ["<src>",... "<dest>"]
|
||||
```
|
||||
|
||||
The **COPY** instruction copies new files from `<src>` and
|
||||
adds them to the filesystem of the container at path <dest>. The `<src>` must be
|
||||
the path to a file or directory relative to the source directory that is
|
||||
being built (the context of the build) or a remote file URL. The `<dest>` is an
|
||||
absolute path, or a path relative to **WORKDIR**, into which the source will
|
||||
be copied inside the target container. If you **COPY** an archive file it will
|
||||
land in the container exactly as it appears in the build context without any
|
||||
attempt to unpack it. All new files and directories are created with mode **0755**
|
||||
and with the uid and gid of **0**.
|
||||
|
||||
**ENTRYPOINT**
|
||||
-- **ENTRYPOINT** has two forms:
|
||||
|
||||
```
|
||||
# executable form
|
||||
ENTRYPOINT ["executable", "param1", "param2"]`
|
||||
|
||||
# run command in a shell - /bin/sh -c
|
||||
ENTRYPOINT command param1 param2
|
||||
```
|
||||
|
||||
-- An **ENTRYPOINT** helps you configure a
|
||||
container that can be run as an executable. When you specify an **ENTRYPOINT**,
|
||||
the whole container runs as if it was only that executable. The **ENTRYPOINT**
|
||||
instruction adds an entry command that is not overwritten when arguments are
|
||||
passed to `podman run`. This is different from the behavior of **CMD**. This allows
|
||||
arguments to be passed to the entrypoint, for instance `podman run <image> -d`
|
||||
passes the -d argument to the **ENTRYPOINT**. Specify parameters either in the
|
||||
**ENTRYPOINT** JSON array (as in the preferred exec form above), or by using a **CMD**
|
||||
statement. Parameters in the **ENTRYPOINT** are not overwritten by the `podman run` arguments. Parameters specified via **CMD** are overwritten by `podman run` arguments. Specify a plain string for the **ENTRYPOINT**, and it will execute in
|
||||
`/bin/sh -c`, like a **CMD** instruction:
|
||||
|
||||
```
|
||||
FROM ubuntu
|
||||
ENTRYPOINT wc -l -
|
||||
```
|
||||
|
||||
This means that the Containerfile's image always takes stdin as input (that's
|
||||
what "-" means), and prints the number of lines (that's what "-l" means). To
|
||||
make this optional but default, use a **CMD**:
|
||||
|
||||
```
|
||||
FROM ubuntu
|
||||
CMD ["-l", "-"]
|
||||
ENTRYPOINT ["/usr/bin/wc"]
|
||||
```
|
||||
|
||||
**VOLUME**
|
||||
-- `VOLUME ["/data"]`
|
||||
The **VOLUME** instruction creates a mount point with the specified name and marks
|
||||
it as holding externally-mounted volumes from the native host or from other
|
||||
containers.
|
||||
|
||||
**USER**
|
||||
-- `USER daemon`
|
||||
Sets the username or UID used for running subsequent commands.
|
||||
|
||||
The **USER** instruction can optionally be used to set the group or GID. The
|
||||
following examples are all valid:
|
||||
USER [user | user:group | uid | uid:gid | user:gid | uid:group ]
|
||||
|
||||
Until the **USER** instruction is set, instructions will be run as root. The USER
|
||||
instruction can be used any number of times in a Containerfile, and will only affect
|
||||
subsequent commands.
|
||||
|
||||
**WORKDIR**
|
||||
-- `WORKDIR /path/to/workdir`
|
||||
The **WORKDIR** instruction sets the working directory for the **RUN**, **CMD**,
|
||||
**ENTRYPOINT**, **COPY** and **ADD** Containerfile commands that follow it. It can
|
||||
be used multiple times in a single Containerfile. Relative paths are defined
|
||||
relative to the path of the previous **WORKDIR** instruction. For example:
|
||||
|
||||
```
|
||||
WORKDIR /a
|
||||
WORKDIR b
|
||||
WORKDIR c
|
||||
RUN pwd
|
||||
```
|
||||
|
||||
In the above example, the output of the **pwd** command is **a/b/c**.
|
||||
|
||||
**ARG**
|
||||
-- ARG <name>[=<default value>]
|
||||
|
||||
The `ARG` instruction defines a variable that users can pass at build-time to
|
||||
the builder with the `podman build` and `buildah build` commands using the
|
||||
`--build-arg <varname>=<value>` flag. If a user specifies a build argument that
|
||||
was not defined in the Containerfile, the build outputs a warning.
|
||||
|
||||
Note that a second FROM in a Containerfile sets the values associated with an
|
||||
Arg variable to nil and they must be reset if they are to be used later in
|
||||
the Containerfile
|
||||
|
||||
```
|
||||
[Warning] One or more build-args [foo] were not consumed
|
||||
```
|
||||
|
||||
The Containerfile author can define a single variable by specifying `ARG` once or many
|
||||
variables by specifying `ARG` more than once. For example, a valid Containerfile:
|
||||
|
||||
```
|
||||
FROM busybox
|
||||
ARG user1
|
||||
ARG buildno
|
||||
...
|
||||
```
|
||||
|
||||
A Containerfile author may optionally specify a default value for an `ARG` instruction:
|
||||
|
||||
```
|
||||
FROM busybox
|
||||
ARG user1=someuser
|
||||
ARG buildno=1
|
||||
...
|
||||
```
|
||||
|
||||
If an `ARG` value has a default and if there is no value passed at build-time, the
|
||||
builder uses the default.
|
||||
|
||||
An `ARG` variable definition comes into effect from the line on which it is
|
||||
defined in the `Containerfile` not from the argument's use on the command-line or
|
||||
elsewhere. For example, consider this Containerfile:
|
||||
|
||||
```
|
||||
1 FROM busybox
|
||||
2 USER ${user:-some_user}
|
||||
3 ARG user
|
||||
4 USER $user
|
||||
...
|
||||
```
|
||||
A user builds this file by calling:
|
||||
|
||||
```
|
||||
$ podman build --build-arg user=what_user Containerfile
|
||||
```
|
||||
|
||||
The `USER` at line 2 evaluates to `some_user` as the `user` variable is defined on the
|
||||
subsequent line 3. The `USER` at line 4 evaluates to `what_user` as `user` is
|
||||
defined and the `what_user` value was passed on the command line. Prior to its definition by an
|
||||
`ARG` instruction, any use of a variable results in an empty string.
|
||||
|
||||
> **Warning:** It is not recommended to use build-time variables for
|
||||
> passing secrets like github keys, user credentials etc. Build-time variable
|
||||
> values are visible to any user of the image with the `podman history` command.
|
||||
|
||||
You can use an `ARG` or an `ENV` instruction to specify variables that are
|
||||
available to the `RUN` instruction. Environment variables defined using the
|
||||
`ENV` instruction always override an `ARG` instruction of the same name. Consider
|
||||
this Containerfile with an `ENV` and `ARG` instruction.
|
||||
|
||||
```
|
||||
1 FROM ubuntu
|
||||
2 ARG CONT_IMG_VER
|
||||
3 ENV CONT_IMG_VER=v1.0.0
|
||||
4 RUN echo $CONT_IMG_VER
|
||||
```
|
||||
Then, assume this image is built with this command:
|
||||
|
||||
```
|
||||
$ podman build --build-arg CONT_IMG_VER=v2.0.1 Containerfile
|
||||
```
|
||||
|
||||
In this case, the `RUN` instruction uses `v1.0.0` instead of the `ARG` setting
|
||||
passed by the user:`v2.0.1` This behavior is similar to a shell
|
||||
script where a locally scoped variable overrides the variables passed as
|
||||
arguments or inherited from environment, from its point of definition.
|
||||
|
||||
Using the example above but a different `ENV` specification you can create more
|
||||
useful interactions between `ARG` and `ENV` instructions:
|
||||
|
||||
```
|
||||
1 FROM ubuntu
|
||||
2 ARG CONT_IMG_VER
|
||||
3 ENV CONT_IMG_VER=${CONT_IMG_VER:-v1.0.0}
|
||||
4 RUN echo $CONT_IMG_VER
|
||||
```
|
||||
|
||||
Unlike an `ARG` instruction, `ENV` values are always persisted in the built
|
||||
image. Consider a `podman build` without the --build-arg flag:
|
||||
|
||||
```
|
||||
$ podman build Containerfile
|
||||
```
|
||||
|
||||
Using this Containerfile example, `CONT_IMG_VER` is still persisted in the image but
|
||||
its value would be `v1.0.0` as it is the default set in line 3 by the `ENV` instruction.
|
||||
|
||||
The variable expansion technique in this example allows you to pass arguments
|
||||
from the command line and persist them in the final image by leveraging the
|
||||
`ENV` instruction. Variable expansion is only supported for [a limited set of
|
||||
Containerfile instructions.](#environment-replacement)
|
||||
|
||||
Container engines have a set of predefined `ARG` variables that you can use without a
|
||||
corresponding `ARG` instruction in the Containerfile.
|
||||
|
||||
* `HTTP_PROXY`
|
||||
* `http_proxy`
|
||||
* `HTTPS_PROXY`
|
||||
* `https_proxy`
|
||||
* `FTP_PROXY`
|
||||
* `ftp_proxy`
|
||||
* `NO_PROXY`
|
||||
* `no_proxy`
|
||||
* `ALL_PROXY`
|
||||
* `all_proxy`
|
||||
|
||||
To use these, pass them on the command line using `--build-arg` flag, for
|
||||
example:
|
||||
|
||||
```
|
||||
$ podman build --build-arg HTTPS_PROXY=https://my-proxy.example.com .
|
||||
```
|
||||
|
||||
**ONBUILD**
|
||||
-- `ONBUILD [INSTRUCTION]`
|
||||
The **ONBUILD** instruction adds a trigger instruction to an image. The
|
||||
trigger is executed at a later time, when the image is used as the base for
|
||||
another build. Container engines execute the trigger in the context of the downstream
|
||||
build, as if the trigger existed immediately after the **FROM** instruction in
|
||||
the downstream Containerfile.
|
||||
|
||||
You can register any build instruction as a trigger. A trigger is useful if
|
||||
you are defining an image to use as a base for building other images. For
|
||||
example, if you are defining an application build environment or a daemon that
|
||||
is customized with a user-specific configuration.
|
||||
|
||||
Consider an image intended as a reusable python application builder. It must
|
||||
add application source code to a particular directory, and might need a build
|
||||
script called after that. You can't just call **ADD** and **RUN** now, because
|
||||
you don't yet have access to the application source code, and it is different
|
||||
for each application build.
|
||||
|
||||
-- Providing application developers with a boilerplate Containerfile to copy-paste
|
||||
into their application is inefficient, error-prone, and
|
||||
difficult to update because it mixes with application-specific code.
|
||||
The solution is to use **ONBUILD** to register instructions in advance, to
|
||||
run later, during the next build stage.
|
||||
|
||||
## SEE ALSO
|
||||
buildah(1), podman(1), docker(1)
|
||||
|
||||
# HISTORY
|
||||
```
|
||||
May 2014, Compiled by Zac Dover (zdover at redhat dot com) based on docker.com Dockerfile documentation.
|
||||
Feb 2015, updated by Brian Goff (cpuguy83@gmail.com) for readability
|
||||
Sept 2015, updated by Sally O'Malley (somalley@redhat.com)
|
||||
Oct 2016, updated by Addam Hardy (addam.hardy@gmail.com)
|
||||
Aug 2021, converted Dockerfile man page to Containerfile by Dan Walsh (dwalsh@redhat.com)
|
||||
```
|
87
SOURCES/containerignore.5.md
Normal file
87
SOURCES/containerignore.5.md
Normal file
@ -0,0 +1,87 @@
|
||||
% ".containerignore" "28" "Sep 2021" "" "Container User Manuals"
|
||||
|
||||
# NAME
|
||||
|
||||
.containerignore(.dockerignore) - files to ignore buildah or podman build context directory
|
||||
|
||||
# INTRODUCTION
|
||||
|
||||
Before container engines build an image, they look for a file named .containerignore or .dockerignore in the root
|
||||
context directory. If one of these file exists, the CLI modifies the context to exclude files and
|
||||
directories that match patterns specified in the file. This avoids adding them to images using the ADD or COPY
|
||||
instruction.
|
||||
|
||||
The CLI interprets the .containerignore or .dockerignore file as a newline-separated list of patterns similar to
|
||||
the file globs of Unix shells. For the purposes of matching, the root of the context is considered to be both the
|
||||
working and the root directory. For example, the patterns /foo/bar and foo/bar both exclude a file or directory
|
||||
named bar in the foo subdirectory of PATH or in the root of the git repository located at URL. Neither excludes
|
||||
anything else.
|
||||
|
||||
If a line in .containerignore or .dockerignore file starts with # in column 1, then this line is considered as a
|
||||
comment and is ignored before interpreted by the CLI.
|
||||
|
||||
# EXAMPLES
|
||||
|
||||
Here is an example .containerignore file:
|
||||
|
||||
```
|
||||
# comment
|
||||
*/temp*
|
||||
*/*/temp*
|
||||
temp?
|
||||
```
|
||||
|
||||
This file causes the following build behavior:
|
||||
Rule Behavior
|
||||
```
|
||||
# comment Ignored.
|
||||
*/temp* Exclude files and directories whose names start with temp in any immediate subdirectory of the root.
|
||||
For example, the plain file /somedir/temporary.txt is excluded, as is the directory /somedir/temp.
|
||||
*/*/temp* Exclude files and directories starting with temp from any subdirectory that is two levels below the
|
||||
root. For example, /somedir/subdir/temporary.txt is excluded.
|
||||
temp? Exclude files and directories in the root directory whose names are a one-character extension of temp. For example, /tempa and /tempb are excluded.
|
||||
```
|
||||
Matching is done using Go’s filepath.Match rules. A preprocessing step removes leading and trailing whitespace and
|
||||
eliminates . and .. elements using Go’s filepath.Clean. Lines that are blank after preprocessing are ignored.
|
||||
|
||||
Beyond Go’s filepath.Match rules, Docker also supports a special wildcard string ** that matches any number of
|
||||
directories (including zero). For example, **/*.go will exclude all files that end with .go that are found in all
|
||||
directories, including the root of the build context.
|
||||
|
||||
Lines starting with ! (exclamation mark) can be used to make exceptions to exclusions. The following is an example .containerignore file that uses this mechanism:
|
||||
```
|
||||
*.md
|
||||
!README.md
|
||||
```
|
||||
All markdown files except README.md are excluded from the context.
|
||||
|
||||
The placement of ! exception rules influences the behavior: the last line of the .containerignore that matches a
|
||||
particular file determines whether it is included or excluded. Consider the following example:
|
||||
```
|
||||
*.md
|
||||
!README*.md
|
||||
README-secret.md
|
||||
```
|
||||
No markdown files are included in the context except README files other than README-secret.md.
|
||||
|
||||
Now consider this example:
|
||||
```
|
||||
*.md
|
||||
README-secret.md
|
||||
!README*.md
|
||||
```
|
||||
All of the README files are included. The middle line has no effect because !README*.md matches README-secret.md and
|
||||
comes last.
|
||||
|
||||
You can even use the .containerignore file to exclude the Containerfile or Dockerfile and .containerignore files.
|
||||
These files are still sent to the daemon because it needs them to do its job. But the ADD and COPY instructions do
|
||||
not copy them to the image.
|
||||
|
||||
Finally, you may want to specify which files to include in the context, rather than which to exclude. To achieve
|
||||
this, specify * as the first pattern, followed by one or more ! exception patterns.
|
||||
|
||||
## SEE ALSO
|
||||
buildah-build(1), podman-build(1), docker-build(1)
|
||||
|
||||
# HISTORY
|
||||
*Sep 2021, Compiled by Dan Walsh (dwalsh at redhat dot com) based on docker.com .dockerignore documentation.
|
@ -149,20 +149,21 @@ This requirement rejects every image, and every signature.
|
||||
|
||||
### `signedBy`
|
||||
|
||||
This requirement requires an image to be signed with an expected identity, or accepts a signature if it is using an expected identity and key.
|
||||
This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key.
|
||||
|
||||
```js
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys", /* The only currently supported value */
|
||||
"keyPath": "/path/to/local/keyring/file",
|
||||
"keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…],
|
||||
"keyData": "base64-encoded-keyring-data",
|
||||
"signedIdentity": identity_requirement
|
||||
}
|
||||
```
|
||||
<!-- Later: other keyType values -->
|
||||
|
||||
Exactly one of `keyPath` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
|
||||
Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
|
||||
|
||||
The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
|
||||
One of the following alternatives are supported:
|
||||
@ -236,6 +237,26 @@ used with `exactReference` or `exactRepository`.
|
||||
|
||||
<!-- ### `signedBaseLayer` -->
|
||||
|
||||
|
||||
### `sigstoreSigned`
|
||||
|
||||
This requirement requires an image to be signed using a sigstore signature with an expected identity and key.
|
||||
|
||||
```js
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "/path/to/local/keyring/file",
|
||||
"keyData": "base64-encoded-keyring-data",
|
||||
"signedIdentity": identity_requirement
|
||||
}
|
||||
```
|
||||
Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key. Only signatures made by this key is accepted.
|
||||
|
||||
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
|
||||
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
|
||||
|
||||
To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
|
||||
|
||||
## Examples
|
||||
|
||||
It is *strongly* recommended to set the `default` policy to `reject`, and then
|
||||
@ -255,9 +276,24 @@ selectively allow individual transports and scopes as desired.
|
||||
"docker.io/openshift": [{"type": "insecureAcceptAnything"}],
|
||||
/* Similarly, allow installing the “official” busybox images. Note how the fully expanded
|
||||
form, with the explicit /library/, must be used. */
|
||||
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}]
|
||||
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}],
|
||||
/* Allow installing images from all subdomains */
|
||||
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}]
|
||||
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}],
|
||||
/* A sigstore-signed repository */
|
||||
"hostname:5000/myns/sigstore-signed-with-full-references": [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "/path/to/sigstore-pubkey.pub"
|
||||
}
|
||||
],
|
||||
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
|
||||
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "/path/to/sigstore-pubkey.pub",
|
||||
"signedIdentity": {"type": "matchRepository"}
|
||||
}
|
||||
]
|
||||
/* Other docker: images use the global default policy and are rejected */
|
||||
},
|
||||
"dir": {
|
||||
@ -301,7 +337,7 @@ selectively allow individual transports and scopes as desired.
|
||||
"signedIdentity": {
|
||||
"type": "remapIdentity",
|
||||
"prefix": "private-mirror:5000/vendor-mirror",
|
||||
"signedPrefix": "vendor.example.com",
|
||||
"signedPrefix": "vendor.example.com"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -43,6 +43,8 @@ also include wildcarded subdomains in the format `*.example.com`.
|
||||
The wildcard should only be present at the beginning as shown in the formats
|
||||
above. Other cases will not work. For example, `*.example.com` is valid but
|
||||
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
|
||||
Note that `*` matches an arbitrary number of subdomains. `*.example.com` will hence
|
||||
match `bar.example.com`, `foo.bar.example.com` and so on.
|
||||
|
||||
As a special case, the `prefix` field can be missing; if so, it defaults to the value
|
||||
of the `location` field (described below).
|
||||
@ -97,27 +99,33 @@ as-is. But other settings like insecure/blocked/mirrors will be applied to match
|
||||
|
||||
`mirror`
|
||||
: An array of TOML tables specifying (possibly-partial) mirrors for the
|
||||
`prefix`-rooted namespace.
|
||||
`prefix`-rooted namespace (i.e., the current `[[registry]]` TOML table).
|
||||
|
||||
The mirrors are attempted in the specified order; the first one that can be
|
||||
contacted and contains the image will be used (and if none of the mirrors contains the image,
|
||||
the primary location specified by the `registry.location` field, or using the unmodified
|
||||
user-specified reference, is tried last).
|
||||
|
||||
Each TOML table in the `mirror` array can contain the following fields, with the same semantics
|
||||
as if specified in the `[[registry]]` TOML table directly:
|
||||
- `location`
|
||||
- `insecure`
|
||||
Each TOML table in the `mirror` array can contain the following fields:
|
||||
- `location`: same semantics
|
||||
as specified in the `[[registry]]` TOML table
|
||||
- `insecure`: same semantics
|
||||
as specified in the `[[registry]]` TOML table
|
||||
- `pull-from-mirror`: `all`, `digest-only` or `tag-only`. If "digest-only", mirrors will only be used for digest pulls. Pulling images by tag can potentially yield different images, depending on which endpoint we pull from. Restricting mirrors to pulls by digest avoids that issue. If "tag-only", mirrors will only be used for tag pulls. For a more up-to-date and expensive mirror that it is less likely to be out of sync if tags move, it should not be unnecessarily used for digest references. Default is "all" (or left empty), mirrors will be used for both digest pulls and tag pulls unless the mirror-by-digest-only is set for the primary registry.
|
||||
Note that this per-mirror setting is allowed only when `mirror-by-digest-only` is not configured for the primary registry.
|
||||
|
||||
`mirror-by-digest-only`
|
||||
: `true` or `false`.
|
||||
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
|
||||
Note that if all mirrors are configured to be digest-only, images referenced by a tag will only use the primary
|
||||
registry.
|
||||
If all mirrors are configured to be tag-only, images referenced by a digest will only use the primary
|
||||
registry.
|
||||
|
||||
Referencing an image by digest ensures that the same is always used
|
||||
(whereas referencing an image by a tag may cause different registries to return
|
||||
different images if the tag mapping is out of sync).
|
||||
|
||||
Note that if this is `true`, images referenced by a tag will only use the primary
|
||||
registry, failing if that registry is not accessible.
|
||||
|
||||
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
|
||||
to a registry; that may change in the future.
|
||||
@ -228,14 +236,23 @@ location = "example-mirror-0.local/mirror-for-foo"
|
||||
[[registry.mirror]]
|
||||
location = "example-mirror-1.local/mirrors/foo"
|
||||
insecure = true
|
||||
|
||||
[[registry]]
|
||||
location = "registry.com"
|
||||
|
||||
[[registry.mirror]]
|
||||
location = "mirror.registry.com"
|
||||
```
|
||||
Given the above, a pull of `example.com/foo/image:latest` will try:
|
||||
1. `example-mirror-0.local/mirror-for-foo/image:latest`
|
||||
2. `example-mirror-1.local/mirrors/foo/image:latest`
|
||||
3. `internal-registry-for-example.net/bar/image:latest`
|
||||
|
||||
1. `example-mirror-0.local/mirror-for-foo/image:latest`
|
||||
2. `example-mirror-1.local/mirrors/foo/image:latest`
|
||||
3. `internal-registry-for-example.net/bar/image:latest`
|
||||
|
||||
in order, and use the first one that exists.
|
||||
|
||||
Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.
|
||||
|
||||
## VERSION 1 FORMAT - DEPRECATED
|
||||
VERSION 1 format is still supported but it does not support
|
||||
using registry mirrors, longest-prefix matches, or location rewriting.
|
||||
|
@ -63,25 +63,31 @@ more general scopes is ignored. For example, if _any_ configuration exists for
|
||||
|
||||
### Built-in Defaults
|
||||
|
||||
If no `docker` section can be found for the container image, and no `default-docker` section is configured,
|
||||
the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
|
||||
If no `docker` section can be found for the container image, and no `default-docker` section is configured:
|
||||
|
||||
- The default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
|
||||
- Sigstore attachments will not be read/written.
|
||||
|
||||
## Individual Configuration Sections
|
||||
|
||||
A single configuration section is selected for a container image using the process
|
||||
described above. The configuration section is a YAML mapping, with the following keys:
|
||||
|
||||
- `sigstore-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
|
||||
<!-- `sigstore` and `sigstore-staging` are deprecated and intentionally not documented here. -->
|
||||
|
||||
This key is optional; if it is missing, `sigstore` below is used.
|
||||
- `lookaside-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
|
||||
|
||||
- `sigstore` defines an URL of the signature storage.
|
||||
This key is optional; if it is missing, `lookaside` below is used.
|
||||
|
||||
- `lookaside` defines an URL of the signature storage.
|
||||
This URL is used for reading existing signatures,
|
||||
and if `sigstore-staging` does not exist, also for adding or removing them.
|
||||
and if `lookaside-staging` does not exist, also for adding or removing them.
|
||||
|
||||
This key is optional; if it is missing, no signature storage is defined (no signatures
|
||||
are download along with images, adding new signatures is possible only if `sigstore-staging` is defined).
|
||||
are download along with images, adding new signatures is possible only if `lookaside-staging` is defined).
|
||||
|
||||
- `use-sigstore-attachments` specifies whether sigstore image attachments (signatures, attestations and the like) are going to be read/written along with the image.
|
||||
If disabled, the images are treated as if no attachments exist; attempts to write attachments fail.
|
||||
|
||||
## Examples
|
||||
|
||||
@ -92,11 +98,11 @@ The following demonstrates how to to consume and run images from various registr
|
||||
```yaml
|
||||
docker:
|
||||
registry.database-supplier.com:
|
||||
sigstore: https://sigstore.database-supplier.com
|
||||
lookaside: https://lookaside.database-supplier.com
|
||||
distribution.great-middleware.org:
|
||||
sigstore: https://security-team.great-middleware.org/sigstore
|
||||
lookaside: https://security-team.great-middleware.org/lookaside
|
||||
docker.io/web-framework:
|
||||
sigstore: https://sigstore.web-framework.io:8080
|
||||
lookaside: https://lookaside.web-framework.io:8080
|
||||
```
|
||||
|
||||
### Developing and Signing Containers, Staging Signatures
|
||||
@ -110,13 +116,13 @@ For developers in `example.com`:
|
||||
```yaml
|
||||
docker:
|
||||
registry.example.com:
|
||||
sigstore: https://registry-sigstore.example.com
|
||||
lookaside: https://registry-lookaside.example.com
|
||||
registry.example.com/mydepartment:
|
||||
sigstore: https://sigstore.mydepartment.example.com
|
||||
sigstore-staging: file:///mnt/mydepartment/sigstore-staging
|
||||
lookaside: https://lookaside.mydepartment.example.com
|
||||
lookaside-staging: file:///mnt/mydepartment/lookaside-staging
|
||||
registry.example.com/mydepartment/myproject:mybranch:
|
||||
sigstore: http://localhost:4242/sigstore
|
||||
sigstore-staging: file:///home/useraccount/webroot/sigstore
|
||||
lookaside: http://localhost:4242/lookaside
|
||||
lookaside-staging: file:///home/useraccount/webroot/lookaside
|
||||
```
|
||||
|
||||
### A Global Default
|
||||
@ -126,7 +132,7 @@ without listing each domain individually. This is expected to rarely happen, usu
|
||||
|
||||
```yaml
|
||||
default-docker:
|
||||
sigstore-staging: file:///mnt/company/common-sigstore-staging
|
||||
lookaside-staging: file:///mnt/company/common-lookaside-staging
|
||||
```
|
||||
|
||||
# AUTHORS
|
||||
|
@ -74,6 +74,29 @@ The `storage.options` table supports the following options:
|
||||
**additionalimagestores**=[]
|
||||
Paths to additional container image stores. Usually these are read/only and stored on remote network shares.
|
||||
|
||||
**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
|
||||
|
||||
Allows specification of how storage is populated when pulling images. This
|
||||
option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks
|
||||
for files within images that are being pulled from a container registry that
|
||||
were previously pulled to the host. It can copy or create
|
||||
a hard link to the existing file when it finds them, eliminating the need to pull them from the
|
||||
container registry. These options can deduplicate pulling of content, disk
|
||||
storage of content and can allow the kernel to use less memory when running
|
||||
containers.
|
||||
|
||||
containers/storage supports four keys
|
||||
* enable_partial_images="true" | "false"
|
||||
Tells containers/storage to look for files previously pulled in storage
|
||||
rather then always pulling them from the container registry.
|
||||
* use_hard_links = "false" | "true"
|
||||
Tells containers/storage to use hard links rather then create new files in
|
||||
the image, if an identical file already existed in storage.
|
||||
* ostree_repos = ""
|
||||
Tells containers/storage where an ostree repository exists that might have
|
||||
previously pulled content which can be used when attempting to avoid
|
||||
pulling content from the container registry
|
||||
|
||||
**remap-uids=**""
|
||||
**remap-gids=**""
|
||||
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
|
||||
@ -236,6 +259,9 @@ based file systems.
|
||||
**mountopt**=""
|
||||
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
||||
|
||||
**skip_mount_home=""**
|
||||
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
|
||||
|
||||
**size**=""
|
||||
Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
||||
|
||||
@ -256,9 +282,6 @@ The `storage.options.zfs` table supports the following options:
|
||||
**mountopt**=""
|
||||
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
|
||||
|
||||
**skip_mount_home=""**
|
||||
Tell storage drivers to not create a PRIVATE bind mount on their home directory.
|
||||
|
||||
**size**=""
|
||||
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
|
||||
|
||||
|
@ -26,6 +26,13 @@
|
||||
#
|
||||
#apparmor_profile = "container-default"
|
||||
|
||||
# The hosts entries from the base hosts file are added to the containers hosts
|
||||
# file. This must be either an absolute path or as special values "image" which
|
||||
# uses the hosts file from the container image or "none" which means
|
||||
# no base hosts file is used. The default is "" which will use /etc/hosts.
|
||||
#
|
||||
#base_hosts_file = ""
|
||||
|
||||
# Default way to to create a cgroup namespace for the container
|
||||
# Options are:
|
||||
# `private` Create private Cgroup Namespace for the container.
|
||||
@ -115,6 +122,16 @@ default_sysctls = [
|
||||
#
|
||||
#env_host = false
|
||||
|
||||
# Set the ip for the host.containers.internal entry in the containers /etc/hosts
|
||||
# file. This can be set to "none" to disable adding this entry. By default it
|
||||
# will automatically choose the host ip.
|
||||
#
|
||||
# NOTE: When using podman machine this entry will never be added to the containers
|
||||
# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
|
||||
# it is not possible to disable the entry in this case.
|
||||
#
|
||||
#host_containers_internal_ip = ""
|
||||
|
||||
# Default proxy environment variables passed into the container.
|
||||
# The environment variables passed in include:
|
||||
# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
|
||||
@ -134,10 +151,12 @@ default_sysctls = [
|
||||
|
||||
# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
|
||||
# Options are:
|
||||
# `private` Create private IPC Namespace for the container.
|
||||
# `host` Share host IPC Namespace with the container.
|
||||
# "host" Share host IPC Namespace with the container.
|
||||
# "none" Create shareable IPC Namespace for the container without a private /dev/shm.
|
||||
# "private" Create private IPC Namespace for the container, other containers are not allowed to share it.
|
||||
# "shareable" Create shareable IPC Namespace for the container.
|
||||
#
|
||||
#ipcns = "private"
|
||||
#ipcns = "shareable"
|
||||
|
||||
# keyring tells the container engine whether to create
|
||||
# a kernel keyring for use within the container.
|
||||
@ -285,6 +304,20 @@ default_sysctls = [
|
||||
#
|
||||
#default_subnet = "10.88.0.0/16"
|
||||
|
||||
# DefaultSubnetPools is a list of subnets and size which are used to
|
||||
# allocate subnets automatically for podman network create.
|
||||
# It will iterate through the list and will pick the first free subnet
|
||||
# with the given size. This is only used for ipv4 subnets, ipv6 subnets
|
||||
# are always assigned randomly.
|
||||
#
|
||||
#default_subnet_pools = [
|
||||
# {"base" = "10.89.0.0/16", "size" = 24},
|
||||
# {"base" = "10.90.0.0/15", "size" = 24},
|
||||
# {"base" = "10.92.0.0/14", "size" = 24},
|
||||
# {"base" = "10.96.0.0/11", "size" = 24},
|
||||
# {"base" = "10.128.0.0/9", "size" = 24},
|
||||
#]
|
||||
|
||||
# Path to the directory where network configuration files are located.
|
||||
# For the CNI backend the default is "/etc/cni/net.d" as root
|
||||
# and "$HOME/.config/cni/net.d" as rootless.
|
||||
@ -293,6 +326,13 @@ default_sysctls = [
|
||||
#
|
||||
#network_config_dir = "/etc/cni/net.d/"
|
||||
|
||||
# Port to use for dns forwarding daemon with netavark in rootful bridge
|
||||
# mode and dns enabled.
|
||||
# Using an alternate port might be useful if other dns services should
|
||||
# run on the machine.
|
||||
#
|
||||
#dns_bind_port = 53
|
||||
|
||||
[engine]
|
||||
# Index to the active service
|
||||
#
|
||||
@ -358,6 +398,15 @@ default_sysctls = [
|
||||
# Define where event logs will be stored, when events_logger is "file".
|
||||
#events_logfile_path=""
|
||||
|
||||
# Sets the maximum size for events_logfile_path.
|
||||
# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
|
||||
# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
|
||||
# If no unit is included then the size will be read in bytes.
|
||||
# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
|
||||
# If the maximum size is set to 0, then no limit will be applied,
|
||||
# and the logfile will not be rotated.
|
||||
#events_logfile_max_size = "1m"
|
||||
|
||||
# Selects which logging mechanism to use for container engine events.
|
||||
# Valid values are `journald`, `file` and `none`.
|
||||
#
|
||||
@ -393,6 +442,16 @@ default_sysctls = [
|
||||
#
|
||||
#image_parallel_copies = 0
|
||||
|
||||
# Tells container engines how to handle the builtin image volumes.
|
||||
# * bind: An anonymous named volume will be created and mounted
|
||||
# into the container.
|
||||
# * tmpfs: The volume is mounted onto the container as a tmpfs,
|
||||
# which allows users to create content that disappears when
|
||||
# the container is stopped.
|
||||
# * ignore: All volumes are just ignored and no action is taken.
|
||||
#
|
||||
#image_volume_mode = ""
|
||||
|
||||
# Default command to run the infra container
|
||||
#
|
||||
#infra_command = "/pause"
|
||||
@ -414,12 +473,6 @@ default_sysctls = [
|
||||
#
|
||||
#lock_type** = "shm"
|
||||
|
||||
# Indicates if Podman is running inside a VM via Podman Machine.
|
||||
# Podman uses this value to do extra setup around networking from the
|
||||
# container inside the VM to to host.
|
||||
#
|
||||
#machine_enabled = false
|
||||
|
||||
# MultiImageArchive - if true, the container engine allows for storing archives
|
||||
# (e.g., of the docker-archive transport) with multiple images. By default,
|
||||
# Podman creates single-image archives.
|
||||
@ -440,9 +493,26 @@ default_sysctls = [
|
||||
#network_cmd_path = ""
|
||||
|
||||
# Default options to pass to the slirp4netns binary.
|
||||
# For example "allow_host_loopback=true"
|
||||
# Valid options values are:
|
||||
#
|
||||
#network_cmd_options = ["enable_ipv6=true",]
|
||||
# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
|
||||
# Default is false.
|
||||
# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
|
||||
# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
|
||||
# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
|
||||
# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
|
||||
# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
|
||||
# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
|
||||
# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
|
||||
# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
|
||||
# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
|
||||
# network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
|
||||
# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
|
||||
# rootless containers when connected to user-defined networks.
|
||||
# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
|
||||
# preserves the correct source IP address. This port handler cannot be used for user-defined networks.
|
||||
#
|
||||
#network_cmd_options = []
|
||||
|
||||
# Whether to use chroot instead of pivot_root in the runtime
|
||||
#
|
||||
@ -454,6 +524,9 @@ default_sysctls = [
|
||||
#
|
||||
#num_locks = 2048
|
||||
|
||||
# Set the exit policy of the pod when the last container exits.
|
||||
#pod_exit_policy = "continue"
|
||||
|
||||
# Whether to pull new image before running a container
|
||||
#
|
||||
#pull_policy = "missing"
|
||||
@ -503,6 +576,11 @@ runtime = "crun"
|
||||
#
|
||||
#stop_timeout = 10
|
||||
|
||||
# Number of seconds to wait before exit command in API process is given to.
|
||||
# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
|
||||
#
|
||||
#exit_command_delay = 300
|
||||
|
||||
# map of service destinations
|
||||
#
|
||||
#[service_destinations]
|
||||
@ -510,9 +588,9 @@ runtime = "crun"
|
||||
# URI to access the Podman service
|
||||
# Examples:
|
||||
# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
|
||||
# rootfull "unix://run/podman/podman.sock (Default)
|
||||
# rootful "unix://run/podman/podman.sock (Default)
|
||||
# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
|
||||
# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||
# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||
#
|
||||
# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
|
||||
# Path to file containing ssh identity key
|
||||
@ -602,6 +680,15 @@ runtime = "crun"
|
||||
#
|
||||
#user = "core"
|
||||
|
||||
# Host directories to be mounted as volumes into the VM by default.
|
||||
# Environment variables like $HOME as well as complete paths are supported for
|
||||
# the source and destination. An optional third field `:ro` can be used to
|
||||
# tell the container engines to mount the volume readonly.
|
||||
#
|
||||
# volumes = [
|
||||
# "$HOME:$HOME",
|
||||
#]
|
||||
|
||||
# The [machine] table MUST be the last entry in this file.
|
||||
# (Unless another table is added)
|
||||
# TOML does not provide a way to end a table other than a further table being
|
||||
|
@ -59,6 +59,13 @@ Example: "run.oci.keep_original_groups=1"
|
||||
Used to change the name of the default AppArmor profile of container engines.
|
||||
The default profile name is "container-default".
|
||||
|
||||
**base_hosts_file**=""
|
||||
|
||||
The hosts entries from the base hosts file are added to the containers hosts
|
||||
file. This must be either an absolute path or as special values "image" which
|
||||
uses the hosts file from the container image or "none" which means
|
||||
no base hosts file is used. The default is "" which will use /etc/hosts.
|
||||
|
||||
**cgroups**="enabled"
|
||||
|
||||
Determines whether the container will create CGroups.
|
||||
@ -143,6 +150,16 @@ environment variables to the container.
|
||||
|
||||
Pass all host environment variables into the container.
|
||||
|
||||
**host_containers_internal_ip**=""
|
||||
|
||||
Set the ip for the host.containers.internal entry in the containers /etc/hosts
|
||||
file. This can be set to "none" to disable adding this entry. By default it
|
||||
will automatically choose the host ip.
|
||||
|
||||
NOTE: When using podman machine this entry will never be added to the containers
|
||||
hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
|
||||
it is not possible to disable the entry in this case.
|
||||
|
||||
**http_proxy**=true
|
||||
|
||||
Default proxy environment variables will be passed into the container.
|
||||
@ -162,12 +179,14 @@ Path to the container-init binary, which forwards signals and reaps processes
|
||||
within containers. Note that the container-init binary will only be used when
|
||||
the `--init` for podman-create and podman-run is set.
|
||||
|
||||
**ipcns**="private"
|
||||
**ipcns**="shareable"
|
||||
|
||||
Default way to to create a IPC namespace for the container.
|
||||
Options are:
|
||||
`private` Create private IPC Namespace for the container.
|
||||
`host` Share host IPC Namespace with the container.
|
||||
`none` Create shareable IPC Namespace for the container without a private /dev/shm.
|
||||
`private` Create private IPC Namespace for the container, other containers are not allowed to share it.
|
||||
`shareable` Create shareable IPC Namespace for the container.
|
||||
|
||||
**keyring**=true
|
||||
|
||||
@ -268,6 +287,12 @@ Options are:
|
||||
`private` Create private UTS Namespace for the container.
|
||||
`host` Share host UTS Namespace with the container.
|
||||
|
||||
**volumes**=[]
|
||||
|
||||
List of volumes.
|
||||
Specified as "directory-on-host:directory-in-container:options".
|
||||
|
||||
Example: "/db:/var/lib/db:ro".
|
||||
|
||||
## NETWORK TABLE
|
||||
The `network` table contains settings pertaining to the management of CNI
|
||||
@ -307,6 +332,25 @@ The network name of the default network to attach pods to.
|
||||
The subnet to use for the default network (named above in **default_network**).
|
||||
If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
|
||||
|
||||
**default_subnet_pools**=[]
|
||||
|
||||
DefaultSubnetPools is a list of subnets and size which are used to
|
||||
allocate subnets automatically for podman network create.
|
||||
It will iterate through the list and will pick the first free subnet
|
||||
with the given size. This is only used for ipv4 subnets, ipv6 subnets
|
||||
are always assigned randomly.
|
||||
|
||||
The default list is (10.89.0.0-10.255.255.0/24):
|
||||
```
|
||||
default_subnet_pools = [
|
||||
{"base" = "10.89.0.0/16", "size" = 24},
|
||||
{"base" = "10.90.0.0/15", "size" = 24},
|
||||
{"base" = "10.92.0.0/14", "size" = 24},
|
||||
{"base" = "10.96.0.0/11", "size" = 24},
|
||||
{"base" = "10.128.0.0/9", "size" = 24},
|
||||
]
|
||||
```
|
||||
|
||||
**network_config_dir**="/etc/cni/net.d/"
|
||||
|
||||
Path to the directory where network configuration files are located.
|
||||
@ -315,12 +359,12 @@ and "$HOME/.config/cni/net.d" as rootless.
|
||||
For the netavark backend "/etc/containers/networks" is used as root
|
||||
and "$graphroot/networks" as rootless.
|
||||
|
||||
**volumes**=[]
|
||||
**dns_bind_port**=53
|
||||
|
||||
List of volumes.
|
||||
Specified as "directory-on-host:directory-in-container:options".
|
||||
|
||||
Example: "/db:/var/lib/db:ro".
|
||||
Port to use for dns forwarding daemon with netavark in rootful bridge
|
||||
mode and dns enabled.
|
||||
Using an alternate port might be useful if other dns services should
|
||||
run on the machine.
|
||||
|
||||
## ENGINE TABLE
|
||||
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
||||
@ -385,10 +429,27 @@ if you want to set environment variables for the container.
|
||||
|
||||
Define where event logs will be stored, when events_logger is "file".
|
||||
|
||||
**events_logfile_max_size**="1m"
|
||||
|
||||
Sets the maximum size for events_logfile_path.
|
||||
The unit can be b (bytes), k (kilobytes), m (megabytes) or g (gigabytes).
|
||||
The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
|
||||
If no unit is included then the size will be in bytes.
|
||||
When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
|
||||
If the maximumn size is set to 0, then no limit will be applied,
|
||||
and the logfile will not be rotated.
|
||||
|
||||
**events_logger**="journald"
|
||||
|
||||
Default method to use when logging events.
|
||||
Valid values: `file`, `journald`, and `none`.
|
||||
The default method to use when logging events.
|
||||
|
||||
The default method is different based on the platform that
|
||||
Podman is being run upon. To determine the current value,
|
||||
use this command:
|
||||
|
||||
`podman info --format {{.Host.EventLogger}`
|
||||
|
||||
Valid values are: `file`, `journald`, and `none`.
|
||||
|
||||
**helper_binaries_dir**=["/usr/libexec/podman", ...]
|
||||
|
||||
@ -433,6 +494,14 @@ Default transport method for pulling and pushing images.
|
||||
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
||||
Not setting this field will fall back to containers/image defaults. (6)
|
||||
|
||||
**image_volume_mode**="bind"
|
||||
|
||||
Tells container engines how to handle the builtin image volumes.
|
||||
|
||||
* bind: An anonymous named volume will be created and mounted into the container.
|
||||
* tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped.
|
||||
* ignore: All volumes are just ignored and no action is taken.
|
||||
|
||||
**infra_command**="/pause"
|
||||
|
||||
Infra (pause) container image command for pod infra containers. When running a
|
||||
@ -457,12 +526,6 @@ Change the default only if you are sure of what you are doing, in general
|
||||
faster "shm" lock type. You may need to run "podman system renumber" after you
|
||||
change the lock type.
|
||||
|
||||
**machine_enabled**=false
|
||||
|
||||
Indicates if Podman is running inside a VM via Podman Machine.
|
||||
Podman uses this value to do extra setup around networking from the
|
||||
container inside the VM to to host.
|
||||
|
||||
**multi_image_archive**=false
|
||||
|
||||
Allows for creating archives (e.g., tarballs) with more than one image. Some container engines, such as Podman, interpret additional arguments as tags for one image and hence do not store more than one image. The default behavior can be altered with this option.
|
||||
@ -479,16 +542,16 @@ and pods are visible.
|
||||
|
||||
Path to the slirp4netns binary.
|
||||
|
||||
**network_cmd_options**=["enable_ipv6=true",]
|
||||
**network_cmd_options**=[]
|
||||
|
||||
Default options to pass to the slirp4netns binary.
|
||||
|
||||
Valid options values are:
|
||||
|
||||
- **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`, which is added to `/etc/hosts` as `host.containers.internal` for your convenience). Default is false.
|
||||
- **allow_host_loopback=true|false**: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). Default is false.
|
||||
- **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`).
|
||||
- **cidr=CIDR**: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
|
||||
- **enable_ipv6=true|false**: Enable IPv6. Default is false. (Required for `outbound_addr6`).
|
||||
- **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`).
|
||||
- **outbound_addr=INTERFACE**: Specify the outbound interface slirp should bind to (ipv4 traffic only).
|
||||
- **outbound_addr=IPv4**: Specify the outbound ipv4 address slirp should bind to.
|
||||
- **outbound_addr6=INTERFACE**: Specify the outbound interface slirp should bind to (ipv6 traffic only).
|
||||
@ -508,6 +571,15 @@ pod consumes one lock. The default number available is 2048. If this is
|
||||
changed, a lock renumbering must be performed, using the
|
||||
`podman system renumber` command.
|
||||
|
||||
**pod_exit_policy**="continue"
|
||||
|
||||
Set the exit policy of the pod when the last container exits. Supported policies are:
|
||||
|
||||
| Exit Policy | Description |
|
||||
| ------------------ | --------------------------------------------------------------------------- |
|
||||
| *continue* | The pod continues running when the last container exits. Used by default. |
|
||||
| *stop* | The pod is stopped when the last container exits. Used in `play kube`. |
|
||||
|
||||
**pull_policy**="always"|"missing"|"never"
|
||||
|
||||
Pull image before running or creating a container. The default is **missing**.
|
||||
@ -561,6 +633,10 @@ stores containers.
|
||||
|
||||
Number of seconds to wait for container to exit before sending kill signal.
|
||||
|
||||
**exit_command_delay**=300
|
||||
|
||||
Number of seconds to wait for the API process for the exec call before sending exit command mimicking the Docker behavior of 5 minutes (in seconds).
|
||||
|
||||
**tmp_dir**="/run/libpod"
|
||||
|
||||
The path to a temporary directory to store per-boot container.
|
||||
@ -594,8 +670,8 @@ URI to access the Podman service
|
||||
|
||||
- **rootless local** - unix://run/user/1000/podman/podman.sock
|
||||
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
|
||||
- **rootfull local** - unix://run/podman/podman.sock
|
||||
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||
- **rootful local** - unix://run/podman/podman.sock
|
||||
- **rootful remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
|
||||
|
||||
**identity="~/.ssh/id_rsa**
|
||||
|
||||
@ -650,6 +726,13 @@ Memory in MB a machine is created with.
|
||||
Username to use and create on the podman machine OS for rootless container
|
||||
access. The default value is `user`. On Linux/Mac the default is`core`.
|
||||
|
||||
**volumes**=["$HOME:$HOME"]
|
||||
|
||||
Host directories to be mounted as volumes into the VM by default.
|
||||
Environment variables like $HOME as well as complete paths are supported for
|
||||
the source and destination. An optional third field `:ro` can be used to
|
||||
tell the container engines to mount the volume readonly.
|
||||
|
||||
# FILES
|
||||
|
||||
**containers.conf**
|
||||
|
@ -10,14 +10,14 @@
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
||||
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
|
||||
}
|
||||
],
|
||||
"registry.redhat.io": [
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
||||
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -1,19 +1,19 @@
|
||||
# This is a default registries.d configuration file. You may
|
||||
# add to this file or create additional files in registries.d/.
|
||||
#
|
||||
# sigstore: indicates a location that is read and write
|
||||
# sigstore-staging: indicates a location that is only for write
|
||||
# lookaside: indicates a location that is read and write
|
||||
# lookaside-staging: indicates a location that is only for write
|
||||
#
|
||||
# sigstore and sigstore-staging take a value of the following:
|
||||
# sigstore: {schema}://location
|
||||
# lookaside and lookaside-staging take a value of the following:
|
||||
# lookaside: {schema}://location
|
||||
#
|
||||
# For reading signatures, schema may be http, https, or file.
|
||||
# For writing signatures, schema may only be file.
|
||||
|
||||
# This is the default signature write location for docker registries.
|
||||
default-docker:
|
||||
# sigstore: file:///var/lib/containers/sigstore
|
||||
sigstore-staging: file:///var/lib/containers/sigstore
|
||||
# lookaside: file:///var/lib/containers/sigstore
|
||||
lookaside-staging: file:///var/lib/containers/sigstore
|
||||
|
||||
# The 'docker' indicator here is the start of the configuration
|
||||
# for docker registries.
|
||||
@ -21,6 +21,6 @@ default-docker:
|
||||
# docker:
|
||||
#
|
||||
# privateregistry.com:
|
||||
# sigstore: http://privateregistry.com/sigstore/
|
||||
# sigstore-staging: /mnt/nfs/privateregistry/sigstore
|
||||
# lookaside: http://privateregistry.com/sigstore/
|
||||
# lookaside-staging: /mnt/nfs/privateregistry/sigstore
|
||||
|
||||
|
@ -73,5 +73,6 @@ for D in `cut -d\ -f1 /tmp/r.conf | sort | uniq -d`; do
|
||||
fi
|
||||
done
|
||||
|
||||
sed -i '/.*rhel.*-els\/.*$/d' /tmp/r.conf
|
||||
echo "[aliases]" > 001-rhel-shortnames-pyxis.conf
|
||||
sort /tmp/r.conf >> 001-rhel-shortnames-pyxis.conf
|
||||
|
@ -19,7 +19,7 @@
|
||||
#
|
||||
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
||||
|
||||
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
|
||||
unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
|
||||
|
||||
# [[registry]]
|
||||
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
||||
|
@ -176,6 +176,7 @@
|
||||
"futex",
|
||||
"futex_time64",
|
||||
"futimesat",
|
||||
"get_mempolicy",
|
||||
"get_robust_list",
|
||||
"get_thread_area",
|
||||
"getcpu",
|
||||
@ -191,7 +192,6 @@
|
||||
"getgroups",
|
||||
"getgroups32",
|
||||
"getitimer",
|
||||
"get_mempolicy",
|
||||
"getpeername",
|
||||
"getpgid",
|
||||
"getpgrp",
|
||||
@ -228,6 +228,9 @@
|
||||
"ipc",
|
||||
"keyctl",
|
||||
"kill",
|
||||
"landlock_add_rule",
|
||||
"landlock_create_ruleset",
|
||||
"landlock_restrict_self",
|
||||
"lchown",
|
||||
"lchown32",
|
||||
"lgetxattr",
|
||||
@ -243,6 +246,7 @@
|
||||
"lstat64",
|
||||
"madvise",
|
||||
"mbind",
|
||||
"membarrier",
|
||||
"memfd_create",
|
||||
"memfd_secret",
|
||||
"mincore",
|
||||
@ -256,6 +260,7 @@
|
||||
"mmap",
|
||||
"mmap2",
|
||||
"mount",
|
||||
"mount_setattr",
|
||||
"move_mount",
|
||||
"mprotect",
|
||||
"mq_getsetattr",
|
||||
@ -279,9 +284,9 @@
|
||||
"nanosleep",
|
||||
"newfstatat",
|
||||
"open",
|
||||
"open_tree",
|
||||
"openat",
|
||||
"openat2",
|
||||
"open_tree",
|
||||
"pause",
|
||||
"pidfd_getfd",
|
||||
"pidfd_open",
|
||||
@ -300,8 +305,12 @@
|
||||
"preadv",
|
||||
"preadv2",
|
||||
"prlimit64",
|
||||
"process_mrelease",
|
||||
"process_vm_readv",
|
||||
"process_vm_writev",
|
||||
"pselect6",
|
||||
"pselect6_time64",
|
||||
"ptrace",
|
||||
"pwrite64",
|
||||
"pwritev",
|
||||
"pwritev2",
|
||||
@ -360,7 +369,6 @@
|
||||
"sendmmsg",
|
||||
"sendmsg",
|
||||
"sendto",
|
||||
"setns",
|
||||
"set_mempolicy",
|
||||
"set_robust_list",
|
||||
"set_thread_area",
|
||||
@ -374,6 +382,7 @@
|
||||
"setgroups",
|
||||
"setgroups32",
|
||||
"setitimer",
|
||||
"setns",
|
||||
"setpgid",
|
||||
"setpriority",
|
||||
"setregid",
|
||||
@ -395,10 +404,15 @@
|
||||
"shmdt",
|
||||
"shmget",
|
||||
"shutdown",
|
||||
"sigaction",
|
||||
"sigaltstack",
|
||||
"signal",
|
||||
"signalfd",
|
||||
"signalfd4",
|
||||
"sigpending",
|
||||
"sigprocmask",
|
||||
"sigreturn",
|
||||
"sigsuspend",
|
||||
"socket",
|
||||
"socketcall",
|
||||
"socketpair",
|
||||
@ -413,6 +427,7 @@
|
||||
"sync",
|
||||
"sync_file_range",
|
||||
"syncfs",
|
||||
"syscall",
|
||||
"sysinfo",
|
||||
"syslog",
|
||||
"tee",
|
||||
@ -425,6 +440,7 @@
|
||||
"timer_gettime64",
|
||||
"timer_settime",
|
||||
"timer_settime64",
|
||||
"timerfd",
|
||||
"timerfd_create",
|
||||
"timerfd_gettime",
|
||||
"timerfd_gettime64",
|
||||
@ -562,10 +578,10 @@
|
||||
"names": [
|
||||
"arm_fadvise64_64",
|
||||
"arm_sync_file_range",
|
||||
"sync_file_range2",
|
||||
"breakpoint",
|
||||
"cacheflush",
|
||||
"set_tls"
|
||||
"set_tls",
|
||||
"sync_file_range2"
|
||||
],
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": [],
|
||||
@ -733,8 +749,8 @@
|
||||
{
|
||||
"names": [
|
||||
"delete_module",
|
||||
"init_module",
|
||||
"finit_module",
|
||||
"init_module",
|
||||
"query_module"
|
||||
],
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
@ -750,8 +766,8 @@
|
||||
{
|
||||
"names": [
|
||||
"delete_module",
|
||||
"init_module",
|
||||
"finit_module",
|
||||
"init_module",
|
||||
"query_module"
|
||||
],
|
||||
"action": "SCMP_ACT_ERRNO",
|
||||
@ -799,10 +815,7 @@
|
||||
{
|
||||
"names": [
|
||||
"kcmp",
|
||||
"process_madvise",
|
||||
"process_vm_readv",
|
||||
"process_vm_writev",
|
||||
"ptrace"
|
||||
"process_madvise"
|
||||
],
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": [],
|
||||
@ -817,10 +830,7 @@
|
||||
{
|
||||
"names": [
|
||||
"kcmp",
|
||||
"process_madvise",
|
||||
"process_vm_readv",
|
||||
"process_vm_writev",
|
||||
"ptrace"
|
||||
"process_madvise"
|
||||
],
|
||||
"action": "SCMP_ACT_ERRNO",
|
||||
"args": [],
|
||||
@ -836,8 +846,8 @@
|
||||
},
|
||||
{
|
||||
"names": [
|
||||
"iopl",
|
||||
"ioperm"
|
||||
"ioperm",
|
||||
"iopl"
|
||||
],
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": [],
|
||||
@ -851,8 +861,8 @@
|
||||
},
|
||||
{
|
||||
"names": [
|
||||
"iopl",
|
||||
"ioperm"
|
||||
"ioperm",
|
||||
"iopl"
|
||||
],
|
||||
"action": "SCMP_ACT_ERRNO",
|
||||
"args": [],
|
||||
@ -868,10 +878,10 @@
|
||||
},
|
||||
{
|
||||
"names": [
|
||||
"settimeofday",
|
||||
"stime",
|
||||
"clock_settime",
|
||||
"clock_settime64"
|
||||
"clock_settime64",
|
||||
"settimeofday",
|
||||
"stime"
|
||||
],
|
||||
"action": "SCMP_ACT_ALLOW",
|
||||
"args": [],
|
||||
@ -885,10 +895,10 @@
|
||||
},
|
||||
{
|
||||
"names": [
|
||||
"settimeofday",
|
||||
"stime",
|
||||
"clock_settime",
|
||||
"clock_settime64"
|
||||
"clock_settime64",
|
||||
"settimeofday",
|
||||
"stime"
|
||||
],
|
||||
"action": "SCMP_ACT_ERRNO",
|
||||
"args": [],
|
||||
|
@ -10,11 +10,12 @@
|
||||
"skopeo" = "quay.io/skopeo/stable"
|
||||
"buildah" = "quay.io/buildah/stable"
|
||||
"podman" = "quay.io/podman/stable"
|
||||
"hello" = "quay.io/podman/hello"
|
||||
"hello-world" = "quay.io/podman/hello"
|
||||
# docker
|
||||
"alpine" = "docker.io/library/alpine"
|
||||
"docker" = "docker.io/library/docker"
|
||||
"registry" = "docker.io/library/registry"
|
||||
"hello-world" = "docker.io/library/hello-world"
|
||||
"swarm" = "docker.io/library/swarm"
|
||||
# Fedora
|
||||
"fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
|
||||
@ -72,6 +73,9 @@
|
||||
"ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
|
||||
"ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
|
||||
"ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
|
||||
"ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
|
||||
"ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
|
||||
"ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
|
||||
"rhel9" = "registry.access.redhat.com/ubi9"
|
||||
"rhel9-init" = "registry.access.redhat.com/ubi9-init"
|
||||
"rhel9-minimal" = "registry.access.redhat.com/ubi9-minimal"
|
||||
@ -84,6 +88,9 @@
|
||||
"ubi9/ubi-minimal" = "registry.access.redhat.com/ubi9-minimal"
|
||||
"ubi9/ubi-init" = "registry.access.redhat.com/ubi9-init"
|
||||
"ubi9/ubi-micro" = "registry.access.redhat.com/ubi9-micro"
|
||||
"ubi9/podman" = "registry.access.redhat.com/ubi9/podman"
|
||||
"ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
|
||||
"ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
|
||||
# Rocky Linux
|
||||
"rockylinux" = "docker.io/library/rockylinux"
|
||||
# Debian
|
||||
|
@ -40,6 +40,28 @@ graphroot = "/var/lib/containers/storage"
|
||||
additionalimagestores = [
|
||||
]
|
||||
|
||||
# Allows specification of how storage is populated when pulling images. This
|
||||
# option can speed the pulling process of images compressed with format
|
||||
# zstd:chunked. Containers/storage looks for files within images that are being
|
||||
# pulled from a container registry that were previously pulled to the host. It
|
||||
# can copy or create a hard link to the existing file when it finds them,
|
||||
# eliminating the need to pull them from the container registry. These options
|
||||
# can deduplicate pulling of content, disk storage of content and can allow the
|
||||
# kernel to use less memory when running containers.
|
||||
|
||||
# containers/storage supports four keys
|
||||
# * enable_partial_images="true" | "false"
|
||||
# Tells containers/storage to look for files previously pulled in storage
|
||||
# rather then always pulling them from the container registry.
|
||||
# * use_hard_links = "false" | "true"
|
||||
# Tells containers/storage to use hard links rather then create new files in
|
||||
# the image, if an identical file already existed in storage.
|
||||
# * ostree_repos = ""
|
||||
# Tells containers/storage where an ostree repository exists that might have
|
||||
# previously pulled content which can be used when attempting to avoid
|
||||
# pulling content from the container registry
|
||||
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
|
||||
|
||||
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
|
||||
# a container, to the UIDs/GIDs as they should appear outside of the container,
|
||||
# and the length of the range of UIDs/GIDs. Additional mapped sets can be
|
||||
|
@ -25,14 +25,14 @@ ensure storage.conf driver \"overlay\"
|
||||
ensure storage.conf mountopt \"nodev,metacopy=on\"
|
||||
if pwd | grep rhel-8 > /dev/null
|
||||
then
|
||||
ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"docker.io\"]
|
||||
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
|
||||
ensure registries.conf short-name-mode \"permissive\"
|
||||
ensure containers.conf runtime \"runc\"
|
||||
ensure containers.conf events_logger \"file\"
|
||||
ensure containers.conf log_driver \"k8s-file\"
|
||||
ensure containers.conf network_backend \"cni\"
|
||||
else
|
||||
ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"quay.io\",\ \"docker.io\"]
|
||||
ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
|
||||
ensure registries.conf short-name-mode \"enforcing\"
|
||||
ensure containers.conf runtime \"crun\"
|
||||
fi
|
||||
|
@ -4,17 +4,18 @@
|
||||
# pick the oldest version on c/image, c/common, c/storage vendored in
|
||||
# podman/skopeo/podman.
|
||||
%global skopeo_branch main
|
||||
%global image_branch v5.19.1
|
||||
%global common_branch v0.47.4
|
||||
%global storage_branch v1.38.2
|
||||
%global image_branch v5.22.0
|
||||
%global common_branch v0.49.1
|
||||
%global storage_branch v1.42.0
|
||||
%global shortnames_branch main
|
||||
|
||||
Epoch: 2
|
||||
Name: containers-common
|
||||
Version: 1
|
||||
Release: 33%{?dist}
|
||||
Release: 44%{?dist}
|
||||
Summary: Common configuration and documentation for containers
|
||||
License: ASL 2.0
|
||||
ExclusiveArch: %{go_arches}
|
||||
BuildRequires: /usr/bin/go-md2man
|
||||
Provides: skopeo-containers = %{epoch}:%{version}-%{release}
|
||||
Conflicts: %{name} <= 2:1-22
|
||||
@ -56,33 +57,15 @@ Source23: registry.redhat.io.yaml
|
||||
#Source24: https://raw.githubusercontent.com/containers/skopeo/%%{skopeo_branch}/default-policy.json
|
||||
Source24: default-policy.json
|
||||
Source25: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/default.yaml
|
||||
# FIXME: fix the branch once these are available via regular c/common branch
|
||||
Source26: https://raw.githubusercontent.com/containers/common/main/docs/Containerfile.5.md
|
||||
Source27: https://raw.githubusercontent.com/containers/common/main/docs/containerignore.5.md
|
||||
|
||||
# scripts used for synchronization with upstream and shortname generation
|
||||
Source100: update.sh
|
||||
Source101: update-vendored.sh
|
||||
Source102: pyxis.sh
|
||||
|
||||
%global aardvark_dns_version v1.0.1
|
||||
%global aardvark_dns_branch v1.0.1-rhel
|
||||
%global aardvark_dns_commit0 0a8eabf6f696f4f1ab14e5722578829362304e0b
|
||||
%global aardvark_dns_shortcommit0 %(c=%{aardvark_dns_commit0}; echo ${c:0:7})
|
||||
%if 0%{?aardvark_dns_branch:1}
|
||||
Source200: https://github.com/containers/aardvark-dns/tarball/%{aardvark_dns_commit0}/%{aardvark_dns_branch}-%{aardvark_dns_shortcommit0}.tar.gz
|
||||
%else
|
||||
Source200: https://github.com/containers/aardvark-dns/archive/%{aardvark_dns_commit0}/aardvark-dns-%{aardvark_dns_version}-%{aardvark_dns_shortcommit0}.tar.gz
|
||||
%endif
|
||||
Source201: https://github.com/containers/aardvark-dns/releases/download/%{aardvark_dns_version}/aardvark-dns-%{aardvark_dns_version}-vendor.tar.gz
|
||||
|
||||
%global netavark_version v1.0.1
|
||||
%global netavark_branch v1.0.1-rhel
|
||||
%global netavark_commit0 93af39418a38c9cc901816240c3e7ccb715108c0
|
||||
%global netavark_shortcommit0 %(c=%{netavark_commit0}; echo ${c:0:7})
|
||||
%if 0%{?netavark_branch:1}
|
||||
Source300: https://github.com/containers/netavark/tarball/%{netavark_commit0}/%{netavark_branch}-%{netavark_shortcommit0}.tar.gz
|
||||
%else
|
||||
Source300: https://github.com/containers/netavark/archive/%{netavark_commit0}/netavark-%{netavark_version}-%{netavark_shortcommit0}.tar.gz
|
||||
%endif
|
||||
Source301: https://github.com/containers/netavark/releases/download/%{netavark_version}/netavark-%{netavark_version}-vendor.tar.gz
|
||||
|
||||
%description
|
||||
This package contains common configuration files and documentation for container
|
||||
tools ecosystem, such as Podman, Buildah and Skopeo.
|
||||
@ -91,141 +74,11 @@ It is required because the most of configuration files and docs come from projec
|
||||
which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
|
||||
separately.
|
||||
|
||||
%package -n aardvark-dns
|
||||
Version: 1.0.1
|
||||
Release: 33%{?dist}
|
||||
URL: https://github.com/containers/aardvark-dns
|
||||
Summary: Authoritative DNS server for A/AAAA container records
|
||||
License: ASL 2.0 and BSD and MIT
|
||||
BuildRequires: cargo
|
||||
BuildRequires: git-core
|
||||
BuildRequires: make
|
||||
BuildRequires: rust-srpm-macros
|
||||
BuildRequires: rust-toolset
|
||||
#ExclusiveArch: %%{rust_arches}
|
||||
ExclusiveArch: aarch64 ppc64le s390x x86_64
|
||||
|
||||
%description -n aardvark-dns
|
||||
%{summary}
|
||||
|
||||
Forwards other request to configured resolvers.
|
||||
Read more about configuration in `src/backend/mod.rs`.
|
||||
|
||||
%package -n netavark
|
||||
Version: 1.0.1
|
||||
Release: 33%{?dist}
|
||||
URL: https://github.com/containers/netavark
|
||||
Summary: OCI network stack
|
||||
License: ASL 2.0 and BSD and MIT
|
||||
BuildRequires: cargo
|
||||
BuildRequires: make
|
||||
BuildRequires: rust-srpm-macros
|
||||
BuildRequires: git-core
|
||||
BuildRequires: /usr/bin/go-md2man
|
||||
Recommends: aardvark-dns
|
||||
Provides: container-network-stack = 2
|
||||
BuildRequires: rust-toolset
|
||||
#ExclusiveArch: #%%{rust_arches}
|
||||
ExclusiveArch: aarch64 ppc64le s390x x86_64
|
||||
|
||||
%description -n netavark
|
||||
%{summary}
|
||||
|
||||
Netavark is a rust based network stack for containers. It is being
|
||||
designed to work with Podman but is also applicable for other OCI
|
||||
container management applications.
|
||||
|
||||
Netavark is a tool for configuring networking for Linux containers.
|
||||
Its features include:
|
||||
* Configuration of container networks via JSON configuration file
|
||||
* Creation and management of required network interfaces,
|
||||
including MACVLAN networks
|
||||
* All required firewall configuration to perform NAT and port
|
||||
forwarding as required for containers
|
||||
* Support for iptables and firewalld at present, with support
|
||||
for nftables planned in a future release
|
||||
* Support for rootless containers
|
||||
* Support for IPv4 and IPv6
|
||||
* Support for container DNS resolution via aardvark-dns.
|
||||
|
||||
%prep
|
||||
tar fx %{SOURCE200}
|
||||
%if 0%{?aardvark_dns_branch:1}
|
||||
pushd containers-aardvark-dns-%{aardvark_dns_shortcommit0}
|
||||
%else
|
||||
pushd aardvark-dns-%{aardvark_dns_commit0}
|
||||
%endif
|
||||
tar fx %{SOURCE201}
|
||||
mkdir -p .cargo
|
||||
cat >.cargo/config << EOF
|
||||
[source.crates-io]
|
||||
replace-with = "vendored-sources"
|
||||
|
||||
[source.vendored-sources]
|
||||
directory = "vendor"
|
||||
EOF
|
||||
popd
|
||||
tar fx %{SOURCE300}
|
||||
%if 0%{?netavark_branch:1}
|
||||
pushd containers-netavark-%{netavark_shortcommit0}
|
||||
%else
|
||||
pushd netavark-%{netavark_commit0}
|
||||
%endif
|
||||
tar fx %{SOURCE301}
|
||||
mkdir -p .cargo
|
||||
cat >.cargo/config << EOF
|
||||
[source.crates-io]
|
||||
replace-with = "vendored-sources"
|
||||
|
||||
[source.vendored-sources]
|
||||
directory = "vendor"
|
||||
EOF
|
||||
popd
|
||||
|
||||
%build
|
||||
%if 0%{?build_rustflags:1}
|
||||
export RUSTFLAGS="%{build_rustflags}"
|
||||
%endif
|
||||
|
||||
%if 0%{?aardvark_dns_branch:1}
|
||||
pushd containers-aardvark-dns-%{aardvark_dns_shortcommit0}
|
||||
%else
|
||||
pushd aardvark-dns-%{aardvark_dns_commit0}
|
||||
%endif
|
||||
%__scm_setup_git -q
|
||||
%make_build build
|
||||
popd
|
||||
|
||||
%if 0%{?netavark_branch:1}
|
||||
pushd containers-netavark-%{netavark_shortcommit0}
|
||||
%else
|
||||
pushd netavark-%{netavark_commit0}
|
||||
%endif
|
||||
%__scm_setup_git -q
|
||||
%make_build build
|
||||
pushd docs
|
||||
go-md2man -in netavark.1.md -out netavark.1
|
||||
popd
|
||||
%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install
|
||||
popd
|
||||
|
||||
%install
|
||||
%if 0%{?aardvark_dns_branch:1}
|
||||
pushd containers-aardvark-dns-%{aardvark_dns_shortcommit0}
|
||||
%else
|
||||
pushd aardvark-dns-%{aardvark_dns_commit0}
|
||||
%endif
|
||||
%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install
|
||||
popd
|
||||
|
||||
%if 0%{?netavark_branch:1}
|
||||
pushd containers-netavark-%{netavark_shortcommit0}
|
||||
%else
|
||||
pushd netavark-%{netavark_commit0}
|
||||
%endif
|
||||
%{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} install
|
||||
popd
|
||||
|
||||
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
|
||||
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
|
||||
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
|
||||
@ -258,6 +111,8 @@ go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries
|
||||
go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5
|
||||
go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
|
||||
go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
|
||||
go-md2man -in %{SOURCE26} -out %{buildroot}%{_mandir}/man5/Containerfile.5
|
||||
go-md2man -in %{SOURCE27} -out %{buildroot}%{_mandir}/man5/containerignore.5
|
||||
|
||||
install -dp %{buildroot}%{_datadir}/containers
|
||||
install -m0644 %{SOURCE3} %{buildroot}%{_datadir}/containers/mounts.conf
|
||||
@ -288,8 +143,6 @@ EOF
|
||||
%dir %{_sysconfdir}/containers
|
||||
%dir %{_sysconfdir}/containers/certs.d
|
||||
%dir %{_sysconfdir}/containers/registries.d
|
||||
%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
|
||||
%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
|
||||
%dir %{_sysconfdir}/containers/oci
|
||||
%dir %{_sysconfdir}/containers/oci/hooks.d
|
||||
%dir %{_sysconfdir}/containers/registries.conf.d
|
||||
@ -297,11 +150,12 @@ EOF
|
||||
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/containers/policy.json
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/storage.conf
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.conf
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/*.conf
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
|
||||
%ghost %{_sysconfdir}/containers/containers.conf
|
||||
%dir %{_sharedstatedir}/containers/sigstore
|
||||
%{_mandir}/man5/*
|
||||
@ -312,19 +166,57 @@ EOF
|
||||
%dir %{_datadir}/rhel/secrets
|
||||
%{_datadir}/rhel/secrets/*
|
||||
|
||||
%files -n aardvark-dns
|
||||
%dir %{_libexecdir}/podman
|
||||
%{_libexecdir}/podman/aardvark-dns
|
||||
|
||||
%files -n netavark
|
||||
%dir %{_libexecdir}/podman
|
||||
%{_libexecdir}/podman/netavark
|
||||
%{_mandir}/man1/netavark.1*
|
||||
|
||||
%changelog
|
||||
* Mon Mar 28 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-33
|
||||
- Removal of invalid vendored project with unwanted license in aardvark-dns/netavark
|
||||
- Resolves: #2065706
|
||||
* Tue Aug 23 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-44
|
||||
- exclude non-go arches because of go-md2man
|
||||
- Related: #2061316
|
||||
|
||||
* Tue Aug 23 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-43
|
||||
- add beta keys to default-policy.json
|
||||
- Related: #2061316
|
||||
|
||||
* Mon Aug 08 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-42
|
||||
- update shortnames
|
||||
- Related: #2061316
|
||||
|
||||
* Wed Aug 03 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-41
|
||||
- drop aardvark-dns and netavark - packaged separately
|
||||
- update vendored components
|
||||
- Related: #2061316
|
||||
|
||||
* Mon Jun 27 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-40
|
||||
- remove rhel-els and update shortnames
|
||||
- Related: #2061316
|
||||
|
||||
* Tue Jun 14 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-39
|
||||
- update shortnames
|
||||
- Related: #2061316
|
||||
|
||||
* Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-38
|
||||
- fix unqualified registries in registries.conf generation code
|
||||
- Related: #2088139
|
||||
|
||||
* Mon May 23 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-37
|
||||
- update unqualified registries list
|
||||
- Related: #2088139
|
||||
|
||||
* Mon May 09 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-36
|
||||
- update aardvark-dns and netavark to 1.0.3
|
||||
- update vendored components
|
||||
- Related: #2061316
|
||||
|
||||
* Wed Apr 20 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-35
|
||||
- add missing man pages from Fedora
|
||||
- Related: #2061316
|
||||
|
||||
* Wed Apr 06 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-34
|
||||
- update to netavark and aardvark-dns 1.0.2
|
||||
- update vendored components
|
||||
- Related: #2061316
|
||||
|
||||
* Mon Mar 21 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-33
|
||||
- allow consuming aardvark-dns and netavark from upstream branches
|
||||
- Related: #2061316
|
||||
|
||||
* Mon Feb 28 2022 Jindrich Novy <jnovy@redhat.com> - 2:1-32
|
||||
- build rust packages with RUSTFLAGS set to make ExecShield happy (Lokesh Mandvekar)
|
||||
|
Loading…
Reference in New Issue
Block a user