From fcf99dc5d1ba88c3f9696f7891099354a230276c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 15 Jul 2021 12:26:10 -0400 Subject: [PATCH] Update to grab latest man pages and configuration files, also switch to using some main rather then master branches --- containers-auth.json.5.md | 34 +++++++++++- containers-common.spec | 9 ++- containers-policy.json.5.md | 2 +- containers-registries.conf.5.md | 98 ++++++++++++++++----------------- containers.conf | 19 +++++-- containers.conf.5.md | 11 +++- 6 files changed, 112 insertions(+), 61 deletions(-) diff --git a/containers-auth.json.5.md b/containers-auth.json.5.md index e85d79c..7acc0dd 100644 --- a/containers-auth.json.5.md +++ b/containers-auth.json.5.md @@ -23,7 +23,20 @@ user to container image registries. The file can have zero to many entries and is created by a `login` command from a container tool such as `podman login`, `buildah login` or `skopeo login`. Each entry includes the name of the registry and then an auth token in the form of a base64 encoded string from the concatenation of the -username, a colon, and the password. +username, a colon, and the password. The registry name can additionally contain +a path or repository name (an image name without tag or digest). The path (or +namespace) is matched in its hierarchical order when checking for available +authentications. For example, an image pull for +`my-registry.local/namespace/user/image:latest` will result in a lookup in +`auth.json` in the following order: + +- `my-registry.local/namespace/user/image` +- `my-registry.local/namespace/user` +- `my-registry.local/namespace` +- `my-registry.local` + +This way it is possible to setup multiple credentials for a single registry +which can be distinguished by their path. The following example shows the values found in auth.json after the user logged in to their accounts on quay.io and docker.io: 
@@ -41,6 +54,25 @@ their accounts on quay.io and docker.io: } ``` +This example demonstrates how to use multiple paths for a single registry, while +preserving a fallback for `my-registry.local`: + +``` +{ + "auths": { + "my-registry.local/foo/bar/image": { + "auth": "…" + }, + "my-registry.local/foo": { + "auth": "…" + }, + "my-registry.local": { + "auth": "…" + }, + } +} +``` + An entry can be removed by using a `logout` command from a container tool such as `podman logout` or `buildah logout`. diff --git a/containers-common.spec b/containers-common.spec index f327b96..73d7de5 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -3,8 +3,8 @@ # These vendored components must have the same version. If it is not the case, # pick the oldest version on c/image, c/common, c/storage vendored in # Buildah/Podman/Skopeo. -%global skopeo_branch master -%global podman_branch master +%global skopeo_branch main +%global podman_branch main %global image_branch main %global common_branch main %global storage_branch main @@ -15,7 +15,7 @@ Epoch: 4 Name: containers-common Version: 1 -Release: 21%{?dist} +Release: 22%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 BuildArch: noarch @@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret %{_datadir}/rhel/secrets/* %changelog +* Thu Jul 15 2021 Dan Walsh - 4:1-22 +- Update to grab latest man pages and configuration files, also switch to using some main rather then master branches + * Tue Jun 29 2021 Lokesh Mandvekar - 4:1-21 - fetch latest upstream configs diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md index cb294f5..ced943a 100644 --- a/containers-policy.json.5.md +++ b/containers-policy.json.5.md 
@@ -68,7 +68,7 @@ i.e. either specifying a complete name of a tagged image, or prefix denoting a host/namespace/image stream or a wildcarded expression for matching all subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not. -*Note:* The _hostname_ and _port_ refer to the Docker registry host and port (the one used +*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used e.g. for `docker pull`), _not_ to the OpenShift API host and port. ### `dir:` diff --git a/containers-registries.conf.5.md b/containers-registries.conf.5.md index cb72deb..a10c819 100644 --- a/containers-registries.conf.5.md +++ b/containers-registries.conf.5.md 
@@ -36,28 +36,28 @@ Given an image name, a single `[[registry]]` TOML table is chosen based on its ` - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_) - [`*.`]_host_ - The user-specified image name must start with the specified `prefix` (and continue - with the appropriate separator) for a particular `[[registry]]` TOML table to be - considered; (only) the TOML table with the longest match is used. It can - also include wildcarded subdomains in the format `*.example.com` along as mentioned - above. The wildcard should only be present at the beginning as shown in the formats - above. Other cases will not work. For example, `*.example.com` is valid but - `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not. +The user-specified image name must start with the specified `prefix` (and continue +with the appropriate separator) for a particular `[[registry]]` TOML table to be +considered; (only) the TOML table with the longest match is used. It can +also include wildcarded subdomains in the format `*.example.com`. +The wildcard should only be present at the beginning as shown in the formats +above. Other cases will not work. For example, `*.example.com` is valid but +`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not. - As a special case, the `prefix` field can be missing; if so, it defaults to the value - of the `location` field (described below). +As a special case, the `prefix` field can be missing; if so, it defaults to the value +of the `location` field (described below). #### Per-namespace settings `insecure` : `true` or `false`. - By default, container runtimes require TLS when retrieving images from a registry. - If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted - certificates are allowed. +By default, container runtimes require TLS when retrieving images from a registry. 
+If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted +certificates are allowed. `blocked` : `true` or `false`. - If `true`, pulling images with matching names is forbidden. +If `true`, pulling images with matching names is forbidden. #### Remapping and mirroring registries 
@@ -69,55 +69,55 @@ internet without having to change `Dockerfile`s, or to add redundancy). `location` : Accepts the same format as the `prefix` field, and specifies the physical location - of the `prefix`-rooted namespace. +of the `prefix`-rooted namespace. - By default, this equal to `prefix` (in which case `prefix` can be omitted and the - `[[registry]]` TOML table can only specify `location`). +By default, this equal to `prefix` (in which case `prefix` can be omitted and the +`[[registry]]` TOML table can only specify `location`). - Example: Given - ``` - prefix = "example.com/foo" - location = "internal-registry-for-example.net/bar" - ``` - requests for the image `example.com/foo/myimage:latest` will actually work with the - `internal-registry-for-example.net/bar/myimage:latest` image. +Example: Given +``` +prefix = "example.com/foo" +location = "internal-registry-for-example.net/bar" +``` +requests for the image `example.com/foo/myimage:latest` will actually work with the +`internal-registry-for-example.net/bar/myimage:latest` image. - With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching, - the location can be empty. In such a case, - prefix matching will occur, but no reference rewrite will occur. The - original requested image string will be used as-is. But other settings like - `insecure` / `blocked` / `mirrors` will be applied to matching images. +With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching, +the location can be empty. In such a case, +prefix matching will occur, but no reference rewrite will occur. The +original requested image string will be used as-is. But other settings like +`insecure` / `blocked` / `mirrors` will be applied to matching images. - Example: Given - ``` - prefix = "*.example.com" - ``` - requests for the image `blah.example.com/foo/myimage:latest` will be used - as-is. 
But other settings like insecure/blocked/mirrors will be applied to matching images +Example: Given +``` +prefix = "*.example.com" +``` +requests for the image `blah.example.com/foo/myimage:latest` will be used +as-is. But other settings like insecure/blocked/mirrors will be applied to matching images `mirror` : An array of TOML tables specifying (possibly-partial) mirrors for the - `prefix`-rooted namespace. +`prefix`-rooted namespace. - The mirrors are attempted in the specified order; the first one that can be - contacted and contains the image will be used (and if none of the mirrors contains the image, - the primary location specified by the `registry.location` field, or using the unmodified - user-specified reference, is tried last). +The mirrors are attempted in the specified order; the first one that can be +contacted and contains the image will be used (and if none of the mirrors contains the image, +the primary location specified by the `registry.location` field, or using the unmodified +user-specified reference, is tried last). - Each TOML table in the `mirror` array can contain the following fields, with the same semantics - as if specified in the `[[registry]]` TOML table directly: - - `location` - - `insecure` +Each TOML table in the `mirror` array can contain the following fields, with the same semantics +as if specified in the `[[registry]]` TOML table directly: +- `location` +- `insecure` `mirror-by-digest-only` : `true` or `false`. - If `true`, mirrors will only be used during pulling if the image reference includes a digest. - Referencing an image by digest ensures that the same is always used - (whereas referencing an image by a tag may cause different registries to return - different images if the tag mapping is out of sync). +If `true`, mirrors will only be used during pulling if the image reference includes a digest. 
+Referencing an image by digest ensures that the same is always used +(whereas referencing an image by a tag may cause different registries to return +different images if the tag mapping is out of sync). - Note that if this is `true`, images referenced by a tag will only use the primary - registry, failing if that registry is not accessible. +Note that if this is `true`, images referenced by a tag will only use the primary +registry, failing if that registry is not accessible. *Note*: Redirection and mirrors are currently processed only when reading images, not when pushing to a registry; that may change in the future. diff --git a/containers.conf b/containers.conf index e24dee6..d1d7fba 100644 --- a/containers.conf +++ b/containers.conf @@ -189,6 +189,13 @@ log_driver = "journald" # # pids_limit = 2048 +# Copy the content from the underlying image into the newly created volume +# when the container is created instead of when it is started. If false, +# the container engine will not copy the content until the container is started. +# Setting it to true may have negative performance implications. +# +# prepare_volume_on_create = false + # Indicates the networking to be used for rootless containers # rootless_networking = "slirp4netns" @@ -243,6 +250,12 @@ log_driver = "journald" # The network table contains settings pertaining to the management of # CNI plugins. +[secrets] +# driver = "file" + +[secrets.opts] +# root = "/example/directory" + [network] # Path to directory where CNI plugin binaries are located. @@ -503,9 +516,3 @@ log_driver = "journald" # TOML does not provide a way to end a table other than a further table being # defined, so every key hereafter will be part of [volume_plugins] and not the # main config. - -[secret] -# driver = "file" - -[secret.opts] -# root = "/example/directory" diff --git a/containers.conf.5.md b/containers.conf.5.md index 64b5bf4..14ac609 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md 
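Review bot: In the `@@ -243,6 +250,12 @@` hunk the new `[secrets]` and `[secrets.opts]` tables are inserted between the two-line comment `# The network table contains settings pertaining to the management of` / `# CNI plugins.` and the `[network]` header, so that comment now sits directly above `[secrets]` and reads as if it described the secrets table. Move the six added lines above that comment so `[network]` keeps its lead comment, and give the new table its own, e.g. `# The secrets table contains settings pertaining to the secrets driver.` The example `# root = "/example/directory"` under `[secrets.opts]` also carries no explanation of what the option controls; assuming it is the directory the `file` driver stores secrets in, which the example value suggests but the hunk does not state, a one-line comment above it would match how the other commented-out defaults in this file are documented. The keys under both new headers are commented out, so this is a placement and documentation point rather than a behavioral one.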
@@ -219,6 +219,10 @@ Options are: Maximum number of processes allowed in a container. 0 indicates that no limit is imposed. +**prepare_volume_on_create**=false + +Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications. + **rootless_networking**="slirp4netns" Set type of networking rootless containers should use. Valid options are `slirp4netns` @@ -494,6 +498,11 @@ By default this will be configured relative to where containers/storage store containers. This convention is followed by the default volume driver, but may not be by other drivers. +**chown_copied_files**=true + +Determines whether file copied into a container will have changed ownership to +the primary uid/gid of the container. + ## SERVICE DESTINATION TABLE The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. @@ -530,7 +539,7 @@ Currently valid values are: * file * pass -**opts**={} +**[secrets.opts]** The driver specific options object.