diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md
index 4f6d4b6..f0d416e 100644
--- a/containers-policy.json.5.md
+++ b/containers-policy.json.5.md
@@ -200,6 +200,30 @@ One of the following alternatives are supported:
 "dockerRepository": docker_repository_value
 }
 ```
+- Prefix remapping:
+
+ If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix”
+ (otherwise it is used as unchanged and no remapping takes place);
+ matching then follows the `matchRepoDigestOrExact` semantics documented above
+ (i.e. if the image identity carries a tag, the identity in the signature must exactly match,
+ if it uses a digest reference, the repository must match).
+
+ The `prefix` and `signedPrefix` values can be either host[:port] values
+ (matching exactly the same host[:port], string),
+ repository namespaces, or repositories (i.e. they must not contain tags/digests),
+ and match as prefixes *of the fully expanded form*.
+ For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository,
+ or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`).
+
+ The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement.
+
+ ```js
+ {
+ "type": "remapIdentity",
+ "prefix": prefix,
+ "signedPrefix": prefix,
+ }
+ ```
 
 If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`.
 
@@ -260,6 +284,21 @@ selectively allow individual transports and scopes as desired.
 "keyType": "GPGKeys",
 "keyPath": "/path/to/reviewer-pubkey.gpg"
 }
+ ],
+ /* A way to mirror many repositories from a single vendor */
+ "private-mirror:5000/vendor-mirror": [
+ { /* Require the image to be signed by the original vendor, using the vendor's repository location.
+ For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as
+ vendor.example/productA/image1:latest . */
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/path/to/vendor-pubkey.gpg",
+ "signedIdentity": {
+ "type": "remapIdentity",
+ "prefix": "private-mirror:5000/vendor-mirror",
+ "signedPrefix": "vendor.example.com",
+ }
+ }
 ]
 }
 }
diff --git a/containers-storage.conf.5.md b/containers-storage.conf.5.md
index 356be89..14c92e1 100644
--- a/containers-storage.conf.5.md
+++ b/containers-storage.conf.5.md
@@ -27,8 +27,9 @@ No bare options are used. The format of TOML can be simplified to:
 The `storage` table supports the following options:
 
 **driver**=""
- container storage driver (default: "overlay")
+ container storage driver
 Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
+ This field is requiered to guarantee proper operation.
 
 **graphroot**=""
 container storage graph dir (default: "/var/lib/containers/storage")
diff --git a/containers.conf b/containers.conf
index e8519b2..12fbecc 100644
--- a/containers.conf
+++ b/containers.conf
@@ -146,9 +146,13 @@ default_sysctls = [
 #
 # ipcns = "private"
 
-# Flag tells container engine to whether to use container separation using
-# MAC(SELinux)labeling or not.
-# Flag is ignored on label disabled systems.
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+# keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
 #
 # label = true
 
@@ -344,6 +348,11 @@ default_sysctls = [
 #
 # network_cmd_path=""
 
+# Default options to pass to the slirp4netns binary.
+# For example "allow_host_loopback=true"
+#
+# network_cmd_options=[]
+
 # Whether to use chroot instead of pivot_root in the runtime
 #
 # no_pivot_root = false
@@ -382,7 +391,7 @@ default_sysctls = [
 
 # Default OCI runtime
 #
-# runtime = "runc"
+# runtime = "crun"
 
 # List of the OCI runtimes that support --format=json. When json is supported
 # engine will use it for reporting nicer errors.
@@ -449,8 +458,11 @@ default_sysctls = [
 # "/usr/bin/kata-fc",
 # ]
 
-# The [engine.runtimes] table MUST be the last entry in this file.
+[engine.volume_plugins]
+# testplugin = "/run/podman/plugins/test.sock"
+
+# The [engine.volume_plugins] table MUST be the last entry in this file.
 # (Unless another table is added)
 # TOML does not provide a way to end a table other than a further table being
-# defined, so every key hereafter will be part of [runtimes] and not the main
-# config.
+# defined, so every key hereafter will be part of [volume_plugins] and not the
+# main config.
diff --git a/containers.conf.5.md b/containers.conf.5.md
index bb9f14b..5836ee7 100644
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
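Review bot: The example `allow_host_loopback=true` in the new `network_cmd_options` comment is a security-relevant choice rather than a neutral illustration: with slirp4netns that option lets a rootless container reach services bound to the host's loopback interface, which is presumably why it is not on by default. I would say so in the comment so an administrator does not copy it in without noticing the trade-off, e.g. `# For example "allow_host_loopback=true" (lets containers reach services bound` / `# to the host's loopback interface; off by default)`. If these options only take effect when slirp4netns is the rootless network backend, the comment should state that as well.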
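Review bot: Turning `[engine.volume_plugins]` into a live (uncommented) table header at the end of the shipped file means any key an admin or a provisioning tool appends after it is silently parsed as a plugin name mapped to a socket path instead of as an engine option; the trailing note describes this but a stray `runtime = "..."` pasted at the end would presumably still become a volume-plugin entry with no warning. Since, per the man-page text in this same change, the engine hands named-volume handling to whatever answers on that socket, the example line should also say who may own it, e.g. `# testplugin = "/run/podman/plugins/test.sock"  # socket should be root-owned and not writable by others`. Keeping the "MUST be the last entry" warning is right; I would only move the `[engine.volume_plugins]` header below the warning so the caveat is read before keys are added.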
@@ -50,12 +50,14 @@ configure and manage the OCI runtime. List of devices. Specified as 'device-on-host:device-on-container:permissions'. + Example: "/dev/sdc:/dev/xvdc:rwm". **volumes**=[] List of volumes. Specified as "directory-on-host:directory-in-container:options". + Example: "/db:/var/lib/db:ro". **apparmor_profile**="container-default" @@ -105,12 +107,14 @@ default_capabilities = [ A list of sysctls to be set in containers by default, specified as "name=value". + Example:"net.ipv4.ping_group_range=0 1000". **default_ulimits**=[] A list of ulimits to be set in containers by default, specified as "name=soft-limit:hard-limit". + Example: "nofile=1024:2048". **dns_options**=[] @@ -164,9 +168,14 @@ Options are: `private` Create private IPC Namespace for the container. `host` Share host IPC Namespace with the container. +**keyring**=true + +Indicates whether the container engines create a kernel keyring for use within +the container. + **label**=true -Indicates whether the container engines use MAC(SELinux) container separation via via labeling. Flag is ignored on disabled systems. +Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. **log_driver**="k8s-file" @@ -222,6 +231,7 @@ the system uses `65536k`. Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine. If not set, then containers will run with the time zone specified in the image. + Examples: `tz="local"` `tz="America/New_York"` @@ -375,6 +385,12 @@ and pods are visible. Path to the slirp4netns binary. +**network_cmd_options**=[] + +Default options to pass to the slirp4netns binary. + +Example "allow_host_loopback=true" + **no_pivot_root**=false Whether to use chroot instead of pivot_root in the runtime. 
@@ -393,6 +409,7 @@ Name of destination for accessing the Podman service. **[service_destinations]** **[service_destinations.{name}]** + **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"** Example URIs: @@ -458,6 +475,13 @@ By default this will be configured relative to where containers/storage store containers. This convention is followed by the default volume driver, but may not be by other drivers. +**[engine.volume_plugins]** + +A table of all the enabled volume plugins on the system. Volume plugins can be +used as the backend for Podman named volumes. Individual plugins are specified +below, as a map of the plugin name (what the plugin will be called) to its path +(filepath of the plugin's unix socket). + # FILES **containers.conf** diff --git a/skopeo.spec b/skopeo.spec index f9f0003..d2ee776 100644 --- a/skopeo.spec +++ b/skopeo.spec @@ -43,7 +43,7 @@ Name: %{repo} Epoch: %{conditional_epoch} Version: 1.2.1 -Release: 32.dev.git%{shortcommit0}%{?dist} +Release: 33.dev.git%{shortcommit0}%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -460,6 +460,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Tue Dec 8 2020 Dan Walsh - 1:1.2.1-33.dev.git4aaa9b4 +- Update man pages and conf files for containers-common + * Tue Dec 8 2020 RH Container Bot - 1:1.2.1-32.dev.git4aaa9b4 - autobuilt 4aaa9b4 diff --git a/storage.conf b/storage.conf index 9477b56..72735b6 100644 --- a/storage.conf +++ b/storage.conf @@ -4,7 +4,7 @@ # The "container storage" table contains all of the server options. [storage] -# Default Storage Driver +# Default Storage Driver, Must be set for proper operation. driver = "overlay" # Temporary storage location
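Review bot: The new storage.conf comment `# Default Storage Driver, Must be set for proper operation.` joins two clauses with a comma and a capitalized `Must`, and the word "Default" now contradicts the point of the change, which is that there is no usable default and the value is required. The containers-storage.conf.5.md hunk in this same change lists the valid values, and the config file should agree with it: `# Storage driver. Must be set for proper operation; valid values are` / `# "overlay", "vfs", "devmapper", "aufs", "btrfs" and "zfs".` If switching the driver after images have been pulled makes the existing contents of graphroot unreachable, as I would expect, a one-line warning to that effect here would save people from an unreadable store.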