skopeo-1.4.0-0.2.el9
- update vendored components
- ship /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release only on non-RHEL and CentOS distros
- Related: #1970747

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
parent c701a7c529
commit 0549f5d4f9
@ -21,9 +21,23 @@ Except the primary (read/write) file, other files are read-only, unless the user
The auth.json file stores encrypted authentication information for the
user to container image registries. The file can have zero to many entries and
is created by a `login` command from a container tool such as `podman login`,
`buildah login` or `skopeo login`. Each entry includes the name of the registry and then an auth
token in the form of a base64 encoded string from the concatenation of the
username, a colon, and the password.
`buildah login` or `skopeo login`. Each entry either contains a single
hostname (e.g. `docker.io`) or a namespace (e.g. `quay.io/user/image`) as a key
and an auth token in the form of a base64 encoded string as value of `auth`. The
token is built from the concatenation of the username, a colon, and the
password. The registry name can additionally contain a repository name (an image
name without tag or digest) and namespaces. The path (or namespace) is matched
in its hierarchical order when checking for available authentications. For
example, an image pull for `my-registry.local/namespace/user/image:latest` will
result in a lookup in `auth.json` in the following order:

- `my-registry.local/namespace/user/image`
- `my-registry.local/namespace/user`
- `my-registry.local/namespace`
- `my-registry.local`

This way it is possible to setup multiple credentials for a single registry
which can be distinguished by their path.

The following example shows the values found in auth.json after the user logged in to
their accounts on quay.io and docker.io:
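Review bot: the unchanged first line of this hunk still says auth.json "stores encrypted authentication information", but the text added right below it describes the `auth` value as a base64 encoding of `username:password`, which is a reversible encoding, not encryption; since the paragraph is being rewritten anyway, change "encrypted" to "base64-encoded" and add that the file must be protected by file permissions, because anyone who can read it can recover the password. The new lookup-order list also leaves the tie-break implicit: when both `quay.io` and `quay.io/user/image` exist as keys, the order shown means the longest matching path wins, and the text should say so in one sentence rather than leaving the reader to infer it from the example.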
@ -41,6 +55,25 @@ their accounts on quay.io and docker.io:
}
```

This example demonstrates how to use multiple paths for a single registry, while
preserving a fallback for `my-registry.local`:

```
{
"auths": {
"my-registry.local/foo/bar/image": {
"auth": "…"
},
"my-registry.local/foo": {
"auth": "…"
},
"my-registry.local": {
"auth": "…"
},
}
}
```

An entry can be removed by using a `logout` command from a container
tool such as `podman logout` or `buildah logout`.

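Review bot: the JSON example added in this hunk is not valid JSON: the last `"my-registry.local"` object is followed by `},` and then the closing `}` of `auths`, and a trailing comma before a closing brace is rejected by strict parsers (Go's encoding/json included, so a file pasted from this example would not load). Drop the comma so the last entry ends with a bare `}`. The closing sentence lists `podman logout` and `buildah logout` but omits `skopeo logout`, although the login sentence in the previous hunk names all three tools.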
@ -68,7 +68,7 @@ i.e. either specifying a complete name of a tagged image, or prefix denoting
a host/namespace/image stream or a wildcarded expression for matching all
subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.

*Note:* The _hostname_ and _port_ refer to the Docker registry host and port (the one used
*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used
e.g. for `docker pull`), _not_ to the OpenShift API host and port.

### `dir:`
@ -36,28 +36,28 @@ Given an image name, a single `[[registry]]` TOML table is chosen based on its `
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
- [`*.`]_host_

The user-specified image name must start with the specified `prefix` (and continue
with the appropriate separator) for a particular `[[registry]]` TOML table to be
considered; (only) the TOML table with the longest match is used. It can
also include wildcarded subdomains in the format `*.example.com` along as mentioned
above. The wildcard should only be present at the beginning as shown in the formats
above. Other cases will not work. For example, `*.example.com` is valid but
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
The user-specified image name must start with the specified `prefix` (and continue
with the appropriate separator) for a particular `[[registry]]` TOML table to be
considered; (only) the TOML table with the longest match is used. It can
also include wildcarded subdomains in the format `*.example.com`.
The wildcard should only be present at the beginning as shown in the formats
above. Other cases will not work. For example, `*.example.com` is valid but
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.

As a special case, the `prefix` field can be missing; if so, it defaults to the value
of the `location` field (described below).
As a special case, the `prefix` field can be missing; if so, it defaults to the value
of the `location` field (described below).

#### Per-namespace settings

`insecure`
: `true` or `false`.
By default, container runtimes require TLS when retrieving images from a registry.
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
certificates are allowed.
By default, container runtimes require TLS when retrieving images from a registry.
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
certificates are allowed.

`blocked`
: `true` or `false`.
If `true`, pulling images with matching names is forbidden.
If `true`, pulling images with matching names is forbidden.

#### Remapping and mirroring registries

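Review bot: the `insecure` description in this hunk ("unencrypted HTTP as well as TLS connections with untrusted certificates are allowed") should spell out the consequence: with `insecure = true` the registry's identity is not verified at all, so an on-path attacker can serve arbitrary layers and manifests, and signature verification through policy.json becomes the only remaining integrity check; a one-line warning belongs here while the paragraph is being touched. The rewritten wildcard paragraph also still does not say whether `*.example.com` matches only a single label (`a.example.com`), nested subdomains (`a.b.example.com`) as well, or the bare `example.com`; without that, the "longest match" rule cannot be applied by a reader configuring `blocked` or `insecure` for a domain.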
@ -69,55 +69,55 @@ internet without having to change `Dockerfile`s, or to add redundancy).

`location`
: Accepts the same format as the `prefix` field, and specifies the physical location
of the `prefix`-rooted namespace.
of the `prefix`-rooted namespace.

By default, this equal to `prefix` (in which case `prefix` can be omitted and the
`[[registry]]` TOML table can only specify `location`).
By default, this equal to `prefix` (in which case `prefix` can be omitted and the
`[[registry]]` TOML table can only specify `location`).

Example: Given
```
prefix = "example.com/foo"
location = "internal-registry-for-example.net/bar"
```
requests for the image `example.com/foo/myimage:latest` will actually work with the
`internal-registry-for-example.net/bar/myimage:latest` image.
Example: Given
```
prefix = "example.com/foo"
location = "internal-registry-for-example.net/bar"
```
requests for the image `example.com/foo/myimage:latest` will actually work with the
`internal-registry-for-example.net/bar/myimage:latest` image.

With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
the location can be empty. In such a case,
prefix matching will occur, but no reference rewrite will occur. The
original requested image string will be used as-is. But other settings like
`insecure` / `blocked` / `mirrors` will be applied to matching images.
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
the location can be empty. In such a case,
prefix matching will occur, but no reference rewrite will occur. The
original requested image string will be used as-is. But other settings like
`insecure` / `blocked` / `mirrors` will be applied to matching images.

Example: Given
```
prefix = "*.example.com"
```
requests for the image `blah.example.com/foo/myimage:latest` will be used
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
Example: Given
```
prefix = "*.example.com"
```
requests for the image `blah.example.com/foo/myimage:latest` will be used
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images

`mirror`
: An array of TOML tables specifying (possibly-partial) mirrors for the
`prefix`-rooted namespace.
`prefix`-rooted namespace.

The mirrors are attempted in the specified order; the first one that can be
contacted and contains the image will be used (and if none of the mirrors contains the image,
the primary location specified by the `registry.location` field, or using the unmodified
user-specified reference, is tried last).
The mirrors are attempted in the specified order; the first one that can be
contacted and contains the image will be used (and if none of the mirrors contains the image,
the primary location specified by the `registry.location` field, or using the unmodified
user-specified reference, is tried last).

Each TOML table in the `mirror` array can contain the following fields, with the same semantics
as if specified in the `[[registry]]` TOML table directly:
- `location`
- `insecure`
Each TOML table in the `mirror` array can contain the following fields, with the same semantics
as if specified in the `[[registry]]` TOML table directly:
- `location`
- `insecure`

`mirror-by-digest-only`
: `true` or `false`.
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
Referencing an image by digest ensures that the same is always used
(whereas referencing an image by a tag may cause different registries to return
different images if the tag mapping is out of sync).
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
Referencing an image by digest ensures that the same is always used
(whereas referencing an image by a tag may cause different registries to return
different images if the tag mapping is out of sync).

Note that if this is `true`, images referenced by a tag will only use the primary
registry, failing if that registry is not accessible.
Note that if this is `true`, images referenced by a tag will only use the primary
registry, failing if that registry is not accessible.

*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
to a registry; that may change in the future.

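Review bot: the text in this hunk lets each `mirror` table carry its own `insecure` flag while `mirror-by-digest-only` is documented as an opt-in, so by default a tagged pull can be satisfied by a mirror reached over plain HTTP or with an unverified certificate whose tag points at different content than the primary; the `mirror-by-digest-only` paragraph already describes that failure mode ("different registries to return different images if the tag mapping is out of sync") and should recommend setting it to `true` whenever a mirror is marked `insecure`. Both the old and the new copy of the `location` paragraph keep the typo "By default, this equal to `prefix`" (missing "is"); fix it while these lines are being rewritten.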
@ -174,6 +174,9 @@ The `storage.options.overlay` table supports the following options:
**ignore_chown_errors** = "false"
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false)

**inodes**=""
Maximum inodes in a read/write layer. This flag can be used to set a quota on the inodes allocated for a read/write layer of a container.

**force_mask** = "0000|shared|private"
ForceMask specifies the permissions mask that is used for new files and
directories.
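Review bot: the new `**inodes**=""` entry gives no value format, while the neighbouring `**size**` entry spells out `<number>[<unit>]`; say whether `inodes` is a plain integer and whether it is a hard limit that makes writes in the container fail with ENOSPC once reached. It also needs a note on which drivers and filesystems honour it, in the same way `ignore_chown_errors` is documented as an overlay and vfs option in storage.conf, because an inode quota is typically implemented with filesystem project quotas and is silently not enforced where those are unavailable.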
@ -220,7 +223,7 @@ based file systems.
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.

**size**=""
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))

### STORAGE OPTIONS FOR VFS TABLE

193 containers.conf
@ -16,30 +16,16 @@

[containers]

# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
# List of annotation. Specified as
# "key = value"
# If it is empty or commented out, no annotations will be added
#
# devices = []

# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []
# annotations = []

# Used to change the name of the default AppArmor profile of container engine.
#
# apparmor_profile = "container-default"

# List of annotation. Specified as
# "key=value"
# If it is empty or commented out, no annotations will be added
#
# annotations = []

# Default way to to create a cgroup namespace for the container
# Options are:
# `private` Create private Cgroup Namespace for the container.
@ -94,6 +80,13 @@ default_sysctls = [
# "nofile=1280:2560",
# ]

# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm".
# If it is empty or commented out, only the default devices will be used
#
# devices = []

# List of default DNS options to be added to /etc/resolv.conf inside of the container.
#
# dns_options = []
@ -167,6 +160,12 @@ default_sysctls = [
#
# log_size_max = -1

# Specifies default format tag for container log messages.
# This is useful for creating a specific tag for container log messages.
# Containers logs default to truncated container ID as a tag.
#
# log_tag = ""

# Default way to to create a Network namespace for the container
# Options are:
# `private` Create private Network Namespace for the container.
@ -180,10 +179,6 @@ default_sysctls = [
#
# no_hosts = false

# Maximum number of processes allowed in a container.
#
# pids_limit = 2048

# Default way to to create a PID namespace for the container
# Options are:
# `private` Create private PID Namespace for the container.
@ -191,6 +186,13 @@ default_sysctls = [
#
# pidns = "private"

# Maximum number of processes allowed in a container.
#
# pids_limit = 2048

# Indicates the networking to be used for rootless containers
# rootless_networking = "slirp4netns"

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime.
#
@ -210,14 +212,7 @@ default_sysctls = [

# Set umask inside the container
#
# umask="0022"

# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
# `host` Share host UTS Namespace with the container.
#
# utsns = "private"
# umask = "0022"

# Default way to to create a User namespace for the container
# Options are:
@ -230,11 +225,31 @@ default_sysctls = [
# UIDs are allocated from the "container" UIDs listed in
# /etc/subuid & /etc/subgid
#
# userns_size=65536
# userns_size = 65536

# Default way to to create a UTS namespace for the container
# Options are:
# `private` Create private UTS Namespace for the container.
# `host` Share host UTS Namespace with the container.
#
# utsns = "private"

# List of volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
#
# volumes = []

# The network table contains settings pertaining to the management of
# CNI plugins.

[secrets]
# driver = "file"

[secrets.opts]
# root = "/example/directory"

[network]

# Path to directory where CNI plugin binaries are located.
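Review bot: the new `[secrets]` and `[secrets.opts]` tables are inserted between the comment `# The network table contains settings pertaining to the management of` / `# CNI plugins.` and the `[network]` header that comment describes, so the comment now reads as a description of the secrets table; move the two new tables above that comment (or below the `[network]` block). While adding `# root = "/example/directory"`, say what the directory is for (the location the `file` driver keeps its secrets in, by the name) and that it must not be world-readable, since an example path with no note invites a permissive default.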
@ -255,14 +270,8 @@ default_sysctls = [
# network_config_dir = "/etc/cni/net.d/"

[engine]
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies=0

# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""
# Index to the active service
# active_service = production

# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
@ -321,10 +330,19 @@ events_logger = "file"
# "/usr/share/containers/oci/hooks.d",
# ]

# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""

# Default transport method for pulling and pushing for images
#
# image_default_transport = "docker://"

# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies = 0

# Default command to run the infra container
#
# infra_command = "/pause"
@ -348,7 +366,7 @@ infra_image = "registry.access.redhat.com/ubi9/pause"
# Indicates if Podman is running inside a VM via Podman Machine.
# Podman uses this value to do extra setup around networking from the
# container inside the VM to to host.
# machine_enabled=false
# machine_enabled = false

# MultiImageArchive - if true, the container engine allows for storing archives
# (e.g., of the docker-archive transport) with multiple images. By default,
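Review bot: the context line `# container inside the VM to to host.` keeps a doubled "to" (and should read "to the host"); since this change is already a whitespace-and-wording pass over the file, fix it, and do the same for the repeated `# Default way to to create a ... namespace` lines in the cgroup, Network, PID, User and UTS namespace comments of this file and the matching `Default way to to create a NET namespace` line in the man page hunk.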
@ -367,12 +385,12 @@ infra_image = "registry.access.redhat.com/ubi9/pause"

# Path to the slirp4netns binary
#
# network_cmd_path=""
# network_cmd_path = ""

# Default options to pass to the slirp4netns binary.
# For example "allow_host_loopback=true"
#
# network_cmd_options=[]
# network_cmd_options = []

# Whether to use chroot instead of pivot_root in the runtime
#
@ -392,6 +410,24 @@ infra_image = "registry.access.redhat.com/ubi9/pause"
# `podman --remote=true` for access to the remote Podman service.
# remote = false

# Default OCI runtime
#
# runtime = "crun"
runtime = "crun"

# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata", "runsc"]

# List of the OCI runtimes that supports running containers with KVM Separation.
#
# runtime_supports_kvm = ["kata"]

# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]

# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
@ -399,6 +435,22 @@ infra_image = "registry.access.redhat.com/ubi9/pause"
#
# static_dir = "/var/lib/containers/storage/libpod"

# Number of seconds to wait for container to exit before sending kill signal.
# stop_timeout = 10

# map of service destinations
# [service_destinations]
# [service_destinations.production]
# URI to access the Podman service
# Examples:
# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
# rootfull "unix://run/podman/podman.sock (Default)
# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"

# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/run/libpod"
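Review bot: the example line `# rootfull "unix://run/podman/podman.sock (Default)` in the moved `[service_destinations]` block is missing its closing quote (the rootless line directly above it is quoted correctly), and the block is copied from the section removed further down without fixing it; "rootfull" should also be "rootful" in both example lines. Since the block ends with `# identity = "~/.ssh/id_rsa"`, add that this is the SSH private key used to reach the remote socket and that ssh refuses a key file readable by others, so it must stay at mode 0600.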
@ -410,43 +462,6 @@ infra_image = "registry.access.redhat.com/ubi9/pause"
#
# volume_path = "/var/lib/containers/storage/volumes"

# Default OCI runtime
#
# runtime = "crun"
runtime = "crun"

# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata", "runsc"]

# List of the OCI runtimes that supports running containers without cgroups.
#
# runtime_supports_nocgroups = ["crun"]

# List of the OCI runtimes that supports running containers with KVM Separation.
#
# runtime_supports_kvm = ["kata"]

# Number of seconds to wait for container to exit before sending kill signal.
# stop_timeout = 10

# Index to the active service
# active_service = production

# map of service destinations
# [service_destinations]
# [service_destinations.production]
# URI to access the Podman service
# Examples:
# rootless "unix://run/user/$UID/podman/podman.sock" (Default)
# rootfull "unix://run/podman/podman.sock (Default)
# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock
# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"

# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
[engine.runtimes]
# crun = [
@ -459,16 +474,6 @@ runtime = "crun"
# "/run/current-system/sw/bin/crun",
# ]

# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]

# kata = [
# "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime",
@ -480,6 +485,16 @@ runtime = "crun"
# "/usr/bin/kata-fc",
# ]

# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]

# runsc = [
# "/usr/bin/runsc",
# "/usr/sbin/runsc",
@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses
a TOML format that can be easily modified and versioned.

Container engines read the /usr/share/containers/containers.conf and
/etc/containers/containers.conf files if they exists. When running in rootless
mode, they also read $HOME/.config/containers/containers.conf files.
/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files
if they exist. When running in rootless mode, they also read
$HOME/.config/containers/containers.conf and
$HOME/.config/containers/containers.conf.d/*.conf files.

Fields specified in containers conf override the default options, as well as
options in previously read containers.conf files.

Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`.

Not all options are supported in all container engines.

Note container engines also use other configuration files for configuring the environment.
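Review bot: the rewritten paragraph now names five locations (`/usr/share/containers/containers.conf`, `/etc/containers/containers.conf`, `/etc/containers/containers.conf.d/*.conf` and the two `$HOME/.config/containers` equivalents) but never states the order in which they are read, and the very next paragraph makes order decisive ("override ... options in previously read containers.conf files"); spell the order out, in particular whether a user's `containers.conf` is read before or after that user's `containers.conf.d/*.conf` drop-ins, since that decides which one wins. In `Config files in the `.d` directories, are added in alpha numeric sorted order` drop the stray comma and write "alphanumerically sorted".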
@ -186,6 +190,10 @@ that no size limit is imposed. If it is positive, it must be >= 8192 to
match/exceed conmon's read buffer. The file is truncated and re-opened so the
limit is never exceeded.

**log_tag**=""

Default format tag for container log messages. This is useful for creating a specific tag for container log messages. Container log messages default to using the truncated container ID as a tag.

**netns**="private"

Default way to to create a NET namespace for the container.
@ -211,6 +219,11 @@ Options are:
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.

**rootless_networking**="slirp4netns"

Set type of networking rootless containers should use. Valid options are `slirp4netns`
or `cni`.

**seccomp_profile**="/usr/share/containers/seccomp.json"

Path to the seccomp.json profile which is used as the default seccomp profile
@ -293,10 +306,6 @@ The `engine` table contains configuration options used to set up container engin

Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.

**cgroup_check**=false

CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.

**cgroup_manager**="systemd"

The cgroup management implementation used for the runtime. Supports `cgroupfs`
@ -454,14 +463,14 @@ on the system using the priority: "crun", "runc", "kata".

The list of the OCI runtimes that support `--format=json`.

**runtime_supports_nocgroups**=["crun"]

The list of OCI runtimes that support running containers without CGroups.

**runtime_supports_kvm**=["kata"]

The list of OCI runtimes that support running containers with KVM separation.

**runtime_supports_nocgroups**=["crun"]

The list of OCI runtimes that support running containers without CGroups.

**static_dir**="/var/lib/containers/storage/libpod"

Directory for persistent libpod files (database, etc).
@ -477,6 +486,14 @@ Number of seconds to wait for container to exit before sending kill signal.
The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot).

**volume_path**="/var/lib/containers/storage/volumes"

Directory where named volumes will be created in using the default volume
driver.
By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.

## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.

@ -495,14 +512,6 @@ URI to access the Podman service

Path to file containing ssh identity key

**volume_path**="/var/lib/containers/storage/volumes"

Directory where named volumes will be created in using the default volume
driver.
By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.

**[engine.volume_plugins]**

A table of all the enabled volume plugins on the system. Volume plugins can be
@ -510,6 +519,21 @@ used as the backend for Podman named volumes. Individual plugins are specified
below, as a map of the plugin name (what the plugin will be called) to its path
(filepath of the plugin's unix socket).


## SECRET TABLE
The `secret` table contains settings for the configuration of the secret subsystem.

**driver**=file

Name of the secret driver to be used.
Currently valid values are:
* file
* pass

**[secrets.opts]**

The driver specific options object.

# FILES

**containers.conf**
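Review bot: the new heading and first sentence say `## SECRET TABLE` / "The `secret` table", but the table being documented is spelled `[secrets]` in the containers.conf hunk of this same change and the options table three lines below is written `**[secrets.opts]**`; use `secrets` throughout so a reader does not write a `[secret]` table that is silently ignored. `**driver**=file` also departs from the man page's convention of quoting string defaults (compare `**seccomp_profile**="/usr/share/containers/seccomp.json"` in the previous hunk), and the `pass` value is listed without a word on what it refers to or where the `file` driver keeps its secrets, which an option that handles secret material should say.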
@ -518,8 +542,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to
define default container configuration. Administrators can override fields in
this file by creating `/etc/containers/containers.conf` to specify their own
configuration. Rootless users can further override fields in the config by
creating a config file stored in the
`$HOME/.config/containers/containers.conf` file.
creating a config file stored in the `$HOME/.config/containers/containers.conf` file.

If the `CONTAINERS_CONF` path environment variable is set, just
this path will be used. This is primarily used for testing.
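Review bot: this FILES paragraph still describes only `/usr/share/containers/containers.conf`, `/etc/containers/containers.conf` and `$HOME/.config/containers/containers.conf`, while the DESCRIPTION hunk earlier in the same file adds the `containers.conf.d/*.conf` drop-in directories for both the system and the rootless user; list them here too, with the `.conf` suffix requirement, so the two sections of the man page do not disagree about where settings can come from.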
21 skopeo.spec
@ -20,17 +20,17 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
# pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman.
%global podman_branch master
%global image_branch v5.12.0
%global common_branch v0.38.12
%global storage_branch v1.31.3
%global image_branch v5.14.0
%global common_branch v0.41.0
%global storage_branch v1.33.0
%global shortnames_branch main
%global commit0 64dc748e5e871da30e50edc496911094e3fe0114
%global commit0 caf1469b1d6d1a7a23716a8fc797563d75e81902
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

Epoch: 1
Name: skopeo
Version: 1.4.0
Release: 0.1%{?dist}
Release: 0.2%{?dist}
Summary: Inspect container images and repositories on registries
License: ASL 2.0
URL: %{git0}
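Review bot: the unchanged comment above the bumped `%global` lines says the versions are the oldest of c/image, c/common and c/storage vendored in "podman/skopeo/podman"; the third name should be buildah, which is what the `for P in podman skopeo buildah` loop in the update script at the end of this change iterates over. Since the tarball is now `main-caf1469.tar.gz` and `shortnames_branch` is `main`, also check that `%global podman_branch master` is still a branch the script can fetch rather than a stale default.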
@ -80,6 +80,7 @@ BuildRequires: pkgconfig(devmapper)
BuildRequires: glib2-devel
BuildRequires: make
Requires: containers-common = %{epoch}:%{version}-%{release}
Requires: system-release

%description
Command line utility to inspect images and repositories directly on Docker
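Review bot: the new `Requires: system-release` carries no comment explaining why it is needed; read together with the `%if !0%{?rhel} || 0%{?centos}` guards added around `RPM-GPG-KEY-redhat-release` in %install and %files, the intent is that on RHEL the key used for signature verification comes from the distribution's release package instead of this one, and that dependency on a specific file path is worth writing down next to the Requires line (for example `# provides /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release on RHEL`) so a later cleanup does not drop it.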
@ -155,8 +156,10 @@ install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf

# for signature verification
%if !0%{?rhel} || 0%{?centos}
install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
%endif
install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
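Review bot: the condition `%if !0%{?rhel} || 0%{?centos}` is now written twice, here in %install and again in %files; evaluate it once into a single `%global` (or a `%bcond`) and test that in both places, because if the two copies drift the build either fails on an unpackaged file or lists a file in %files that was never installed. The `# for signature verification` comment now sits above a conditional block, so on RHEL it reads as if signature verification were being skipped; reword it to say the key is shipped here only where the distribution does not already provide it.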
@ -226,7 +229,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%dir %{_sysconfdir}/containers/oci
%dir %{_sysconfdir}/containers/oci/hooks.d
%dir %{_sysconfdir}/containers/registries.conf.d
%if !0%{?rhel} || 0%{?centos}
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
%endif
%config(noreplace) %{_sysconfdir}/containers/policy.json
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/storage.conf
@ -258,6 +263,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test

%changelog
* Mon Aug 02 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-0.2
- update vendored components
- ship /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release only on non-RHEL and
CentOS distros
- Related: #1970747

* Thu Jul 29 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-0.1
- switch to the main branch of skopeo
- Related: #1970747
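Review bot: the changelog line `ship /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release only on non-RHEL and CentOS distros` can be read as "on distributions that are neither RHEL nor CentOS", which is the opposite of the `%if !0%{?rhel} || 0%{?centos}` condition the spec actually uses; reword it as "on CentOS and on non-RHEL distributions (RHEL gets the key from system-release)" so the changelog and the spec agree.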
2 sources
@ -1 +1 @@
SHA512 (main-64dc748.tar.gz) = 3d46051530d01415a9d56971018fc641d67143b3f5348881d52550651df8c0d39f1f293d3c1fa2404eeb106d32a87576f871f362424cdefa2dc32f91735086ee
SHA512 (main-caf1469.tar.gz) = be3db2ff0373b9fc330fa308920f60b68a150ab171cffe51dc940154163439e9ef86066bcfa357a522b982d2d8715339dfe24ce3f01eb4b1cf23244eeb6bb9c8
@ -69,6 +69,9 @@ additionalimagestores = [
# and vfs drivers.
#ignore_chown_errors = "false"

# Inodes is used to set a maximum inodes of the container image.
# inodes = ""

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"
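Review bot: the new comment `# Inodes is used to set a maximum inodes of the container image.` describes the option as a limit on the image, but the man page text added in this same change says it is a quota on a container's read/write layer, and the `size` description was corrected from "container image" to "read/write layer" in the same change for exactly that reason; align the comment, e.g. `# Maximum number of inodes in a container's read/write layer.`.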
@ -22,9 +22,9 @@ for P in podman skopeo buildah; do
pkg --release rhel-8 prep
fi
DIR=`ls -d -- */ | grep -v ^tests | head -n1`
grep github.com/containers/image $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_image
grep github.com/containers/common $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_common
grep github.com/containers/storage $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_storage
grep github.com/containers/image $DIR/go.mod | grep -v - | cut -d\ -f2 >> /tmp/ver_image
grep github.com/containers/common $DIR/go.mod | grep -v - | cut -d\ -f2 >> /tmp/ver_common
grep github.com/containers/storage $DIR/go.mod | grep -v - | cut -d\ -f2 >> /tmp/ver_storage
cd -
done
IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
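Review bot: the per-project versions are appended with `>>` to the fixed, predictable paths `/tmp/ver_image`, `/tmp/ver_common` and `/tmp/ver_storage`, which nothing in the visible lines creates or truncates first; a file left over from an earlier run silently feeds old versions into the "oldest version" pick, and a symlink planted at one of those names by another local user redirects the writes, so use a `mktemp -d` directory removed by a `trap` instead. Two smaller points in the same lines: the new `grep -v -` drops pseudo-versions (any `vX.Y.Z-0.<date>-<hash>` line), so if every project vendors one of those the file is empty and `IMAGE_VER` comes out blank without an error, and `sort -n` does not order strings like `v5.14.0` numerically (it would place `v5.14.0` before `v5.9.0`), so `sort -V` is needed for `head -n1` to really return the oldest version.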