rpms/containers-common
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to grab latest man pages and configuration files, also switch to using some main rather then master branches

Browse Source
This commit is contained in:
Daniel J Walsh 2021-07-15 12:26:10 -04:00
parent abac6aa948
commit fcf99dc5d1
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
6 changed files with 112 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
containers-auth.json.5.md
View File

@ -23,7 +23,20 @@ user to container image registries. The file can have zero to many entries and
is created by a `login` command from a container tool such as `podman login`, is created by a `login` command from a container tool such as `podman login`,
`buildah login` or `skopeo login`. Each entry includes the name of the registry and then an auth `buildah login` or `skopeo login`. Each entry includes the name of the registry and then an auth
token in the form of a base64 encoded string from the concatenation of the token in the form of a base64 encoded string from the concatenation of the
username, a colon, and the password. username, a colon, and the password. The registry name can additionally contain
a path or repository name (an image name without tag or digest). The path (or
namespace) is matched in its hierarchical order when checking for available
authentications. For example, an image pull for
`my-registry.local/namespace/user/image:latest` will result in a lookup in
`auth.json` in the following order:
- `my-registry.local/namespace/user/image`
- `my-registry.local/namespace/user`
- `my-registry.local/namespace`
- `my-registry.local`
This way it is possible to setup multiple credentials for a single registry
which can be distinguished by their path.
The following example shows the values found in auth.json after the user logged in to The following example shows the values found in auth.json after the user logged in to
their accounts on quay.io and docker.io: their accounts on quay.io and docker.io:
@ -41,6 +54,25 @@ their accounts on quay.io and docker.io:
} }
``` ```
This example demonstrates how to use multiple paths for a single registry, while
preserving a fallback for `my-registry.local`:
```
{
"auths": {
"my-registry.local/foo/bar/image": {
"auth": "…"
},
"my-registry.local/foo": {
"auth": "…"
},
"my-registry.local": {
"auth": "…"
},
}
}
```
An entry can be removed by using a `logout` command from a container An entry can be removed by using a `logout` command from a container
tool such as `podman logout` or `buildah logout`. tool such as `podman logout` or `buildah logout`.

9
containers-common.spec
View File

@ -3,8 +3,8 @@
# These vendored components must have the same version. If it is not the case, # These vendored components must have the same version. If it is not the case,
# pick the oldest version on c/image, c/common, c/storage vendored in # pick the oldest version on c/image, c/common, c/storage vendored in
# Buildah/Podman/Skopeo. # Buildah/Podman/Skopeo.
%global skopeo_branch master %global skopeo_branch main
%global podman_branch master %global podman_branch main
%global image_branch main %global image_branch main
%global common_branch main %global common_branch main
%global storage_branch main %global storage_branch main
@ -15,7 +15,7 @@
Epoch: 4 Epoch: 4
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 21%{?dist} Release: 22%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
BuildArch: noarch BuildArch: noarch
@ -136,6 +136,9 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Thu Jul 15 2021 Dan Walsh <dwalsh@fedoraproject.org> - 4:1-22
- Update to grab latest man pages and configuration files, also switch to using some main rather then master branches
* Tue Jun 29 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-21 * Tue Jun 29 2021 Lokesh Mandvekar <lsm5@fedoraproject.org> - 4:1-21
- fetch latest upstream configs - fetch latest upstream configs

2
containers-policy.json.5.md
View File

@ -68,7 +68,7 @@ i.e. either specifying a complete name of a tagged image, or prefix denoting
a host/namespace/image stream or a wildcarded expression for matching all a host/namespace/image stream or a wildcarded expression for matching all
subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not. subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.
*Note:* The _hostname_ and _port_ refer to the Docker registry host and port (the one used *Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used
e.g. for `docker pull`), _not_ to the OpenShift API host and port. e.g. for `docker pull`), _not_ to the OpenShift API host and port.
### `dir:` ### `dir:`

98
containers-registries.conf.5.md
View File

@ -36,28 +36,28 @@ Given an image name, a single `[[registry]]` TOML table is chosen based on its `
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_) - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
- [`*.`]_host_ - [`*.`]_host_
The user-specified image name must start with the specified `prefix` (and continue The user-specified image name must start with the specified `prefix` (and continue
with the appropriate separator) for a particular `[[registry]]` TOML table to be with the appropriate separator) for a particular `[[registry]]` TOML table to be
considered; (only) the TOML table with the longest match is used. It can considered; (only) the TOML table with the longest match is used. It can
also include wildcarded subdomains in the format `*.example.com` along as mentioned also include wildcarded subdomains in the format `*.example.com`.
above. The wildcard should only be present at the beginning as shown in the formats The wildcard should only be present at the beginning as shown in the formats
above. Other cases will not work. For example, `*.example.com` is valid but above. Other cases will not work. For example, `*.example.com` is valid but
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not. `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
As a special case, the `prefix` field can be missing; if so, it defaults to the value As a special case, the `prefix` field can be missing; if so, it defaults to the value
of the `location` field (described below). of the `location` field (described below).
#### Per-namespace settings #### Per-namespace settings
`insecure` `insecure`
: `true` or `false`. : `true` or `false`.
By default, container runtimes require TLS when retrieving images from a registry. By default, container runtimes require TLS when retrieving images from a registry.
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
certificates are allowed. certificates are allowed.
`blocked` `blocked`
: `true` or `false`. : `true` or `false`.
If `true`, pulling images with matching names is forbidden. If `true`, pulling images with matching names is forbidden.
#### Remapping and mirroring registries #### Remapping and mirroring registries
@ -69,55 +69,55 @@ internet without having to change `Dockerfile`s, or to add redundancy).
`location` `location`
: Accepts the same format as the `prefix` field, and specifies the physical location : Accepts the same format as the `prefix` field, and specifies the physical location
of the `prefix`-rooted namespace. of the `prefix`-rooted namespace.
By default, this equal to `prefix` (in which case `prefix` can be omitted and the By default, this equal to `prefix` (in which case `prefix` can be omitted and the
`[[registry]]` TOML table can only specify `location`). `[[registry]]` TOML table can only specify `location`).
Example: Given Example: Given
``` ```
prefix = "example.com/foo" prefix = "example.com/foo"
location = "internal-registry-for-example.net/bar" location = "internal-registry-for-example.net/bar"
``` ```
requests for the image `example.com/foo/myimage:latest` will actually work with the requests for the image `example.com/foo/myimage:latest` will actually work with the
`internal-registry-for-example.net/bar/myimage:latest` image. `internal-registry-for-example.net/bar/myimage:latest` image.
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching, With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
the location can be empty. In such a case, the location can be empty. In such a case,
prefix matching will occur, but no reference rewrite will occur. The prefix matching will occur, but no reference rewrite will occur. The
original requested image string will be used as-is. But other settings like original requested image string will be used as-is. But other settings like
`insecure` / `blocked` / `mirrors` will be applied to matching images. `insecure` / `blocked` / `mirrors` will be applied to matching images.
Example: Given Example: Given
``` ```
prefix = "*.example.com" prefix = "*.example.com"
``` ```
requests for the image `blah.example.com/foo/myimage:latest` will be used requests for the image `blah.example.com/foo/myimage:latest` will be used
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
`mirror` `mirror`
: An array of TOML tables specifying (possibly-partial) mirrors for the : An array of TOML tables specifying (possibly-partial) mirrors for the
`prefix`-rooted namespace. `prefix`-rooted namespace.
The mirrors are attempted in the specified order; the first one that can be The mirrors are attempted in the specified order; the first one that can be
contacted and contains the image will be used (and if none of the mirrors contains the image, contacted and contains the image will be used (and if none of the mirrors contains the image,
the primary location specified by the `registry.location` field, or using the unmodified the primary location specified by the `registry.location` field, or using the unmodified
user-specified reference, is tried last). user-specified reference, is tried last).
Each TOML table in the `mirror` array can contain the following fields, with the same semantics Each TOML table in the `mirror` array can contain the following fields, with the same semantics
as if specified in the `[[registry]]` TOML table directly: as if specified in the `[[registry]]` TOML table directly:
- `location` - `location`
- `insecure` - `insecure`
`mirror-by-digest-only` `mirror-by-digest-only`
: `true` or `false`. : `true` or `false`.
If `true`, mirrors will only be used during pulling if the image reference includes a digest. If `true`, mirrors will only be used during pulling if the image reference includes a digest.
Referencing an image by digest ensures that the same is always used Referencing an image by digest ensures that the same is always used
(whereas referencing an image by a tag may cause different registries to return (whereas referencing an image by a tag may cause different registries to return
different images if the tag mapping is out of sync). different images if the tag mapping is out of sync).
Note that if this is `true`, images referenced by a tag will only use the primary Note that if this is `true`, images referenced by a tag will only use the primary
registry, failing if that registry is not accessible. registry, failing if that registry is not accessible.
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing *Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
to a registry; that may change in the future. to a registry; that may change in the future.

19
containers.conf
View File

@ -189,6 +189,13 @@ log_driver = "journald"
# #
# pids_limit = 2048 # pids_limit = 2048
# Copy the content from the underlying image into the newly created volume
# when the container is created instead of when it is started. If false,
# the container engine will not copy the content until the container is started.
# Setting it to true may have negative performance implications.
#
# prepare_volume_on_create = false
# Indicates the networking to be used for rootless containers # Indicates the networking to be used for rootless containers
# rootless_networking = "slirp4netns" # rootless_networking = "slirp4netns"
@ -243,6 +250,12 @@ log_driver = "journald"
# The network table contains settings pertaining to the management of # The network table contains settings pertaining to the management of
# CNI plugins. # CNI plugins.
[secrets]
# driver = "file"
[secrets.opts]
# root = "/example/directory"
[network] [network]
# Path to directory where CNI plugin binaries are located. # Path to directory where CNI plugin binaries are located.
@ -503,9 +516,3 @@ log_driver = "journald"
# TOML does not provide a way to end a table other than a further table being # TOML does not provide a way to end a table other than a further table being
# defined, so every key hereafter will be part of [volume_plugins] and not the # defined, so every key hereafter will be part of [volume_plugins] and not the
# main config. # main config.
[secret]
# driver = "file"
[secret.opts]
# root = "/example/directory"

11
containers.conf.5.md
View File

@ -219,6 +219,10 @@ Options are:
Maximum number of processes allowed in a container. 0 indicates that no limit Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed. is imposed.
**prepare_volume_on_create**=false
Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
**rootless_networking**="slirp4netns" **rootless_networking**="slirp4netns"
Set type of networking rootless containers should use. Valid options are `slirp4netns` Set type of networking rootless containers should use. Valid options are `slirp4netns`
@ -494,6 +498,11 @@ By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may containers. This convention is followed by the default volume driver, but may
not be by other drivers. not be by other drivers.
**chown_copied_files**=true
Determines whether file copied into a container will have changed ownership to
the primary uid/gid of the container.
## SERVICE DESTINATION TABLE ## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
@ -530,7 +539,7 @@ Currently valid values are:
* file * file
* pass * pass
**opts**={} **[secrets.opts]**
The driver specific options object. The driver specific options object.