Update man pages and conf files for containers-common

This commit is contained in:
Daniel J Walsh 2020-12-08 15:23:21 -05:00
parent 7f2b6832e8
commit 903ccf91ed
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
6 changed files with 90 additions and 11 deletions

View File

@ -200,6 +200,30 @@ One of the following alternatives are supported:
"dockerRepository": docker_repository_value "dockerRepository": docker_repository_value
} }
``` ```
- Prefix remapping:
If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix”
(otherwise it is used as unchanged and no remapping takes place);
matching then follows the `matchRepoDigestOrExact` semantics documented above
(i.e. if the image identity carries a tag, the identity in the signature must exactly match,
if it uses a digest reference, the repository must match).
The `prefix` and `signedPrefix` values can be either host[:port] values
(matching exactly the same host[:port], string),
repository namespaces, or repositories (i.e. they must not contain tags/digests),
and match as prefixes *of the fully expanded form*.
For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository,
or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`).
The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement.
```js
{
"type": "remapIdentity",
"prefix": prefix,
"signedPrefix": prefix,
}
```
If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`. If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`.
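Review bot: In the `remapIdentity` schema block, `"signedPrefix": prefix` reuses the same placeholder as `"prefix"`, which reads as if the two values must be identical; use a distinct placeholder (e.g. `signed_prefix_value`, in the style of `docker_repository_value` in the context above) so readers see that the signed identity is the remapped one. In the prose, the sentence ending "`docker.io/library/busybox`==`busybox`)." has an unbalanced closing parenthesis. Consider also stating explicitly that the remainder of the identity after the prefix is kept as-is, since that is what makes the requirement tight (a signature for one repository cannot satisfy a mirror path for another).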
@ -260,6 +284,21 @@ selectively allow individual transports and scopes as desired.
"keyType": "GPGKeys", "keyType": "GPGKeys",
"keyPath": "/path/to/reviewer-pubkey.gpg" "keyPath": "/path/to/reviewer-pubkey.gpg"
} }
],
/* A way to mirror many repositories from a single vendor */
"private-mirror:5000/vendor-mirror": [
{ /* Require the image to be signed by the original vendor, using the vendor's repository location.
For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as
vendor.example/productA/image1:latest . */
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/path/to/vendor-pubkey.gpg",
"signedIdentity": {
"type": "remapIdentity",
"prefix": "private-mirror:5000/vendor-mirror",
"signedPrefix": "vendor.example.com",
}
}
] ]
} }
} }
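Review bot: The inline comment says the mirrored image must be signed as `vendor.example/productA/image1:latest`, but the `signedPrefix` below it is `"vendor.example.com"`; make the two agree, because the expected signed identity is the one thing a reader copying this example needs to get exactly right. Also drop the trailing comma after `"signedPrefix": "vendor.example.com",` since policy.json is parsed as JSON and the comma is easy to carry into a real file even though the `/* */` comments mark the block as illustrative.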

View File

@ -27,8 +27,9 @@ No bare options are used. The format of TOML can be simplified to:
The `storage` table supports the following options: The `storage` table supports the following options:
**driver**="" **driver**=""
container storage driver (default: "overlay") container storage driver
Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
This field is requiered to guarantee proper operation.
**graphroot**="" **graphroot**=""
container storage graph dir (default: "/var/lib/containers/storage") container storage graph dir (default: "/var/lib/containers/storage")
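Review bot: Typo in the added line: "requiered" should be "required". "to guarantee proper operation" is also vague; say what happens when `driver` is unset (the same wording should then be used in the storage.conf comment changed in this commit), so that the reader knows whether it is a hard failure or a silently chosen fallback.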

View File

@ -146,9 +146,13 @@ default_sysctls = [
# #
# ipcns = "private" # ipcns = "private"
# Flag tells container engine to whether to use container separation using # keyring tells the container engine whether to create
# MAC(SELinux)labeling or not. # a kernel keyring for use within the container.
# Flag is ignored on label disabled systems. # keyring = true
# label tells the container engine whether to use container separation using
# MAC(SELinux) labeling or not.
# The label flag is ignored on label disabled systems.
# #
# label = true # label = true
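Review bot: The new `keyring` comment documents only the `true` case. Add a sentence on what `keyring = false` means for the container (what it shares instead of a fresh keyring), since a user switching it off for compatibility should understand which isolation boundary they are giving up; the adjacent `label` comment does state its disabled-system behaviour, so the two entries would read consistently.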
@ -344,6 +348,11 @@ default_sysctls = [
# #
# network_cmd_path="" # network_cmd_path=""
# Default options to pass to the slirp4netns binary.
# For example "allow_host_loopback=true"
#
# network_cmd_options=[]
# Whether to use chroot instead of pivot_root in the runtime # Whether to use chroot instead of pivot_root in the runtime
# #
# no_pivot_root = false # no_pivot_root = false
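Review bot: The only example given for `network_cmd_options`, `allow_host_loopback=true`, is the slirp4netns option that makes the host's loopback interface reachable from rootless containers; since users tend to copy the example, either say that in the comment or use a neutral option as the example so the default file does not nudge people into widening the container's network reach without knowing it.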
@ -382,7 +391,7 @@ default_sysctls = [
# Default OCI runtime # Default OCI runtime
# #
# runtime = "runc" # runtime = "crun"
# List of the OCI runtimes that support --format=json. When json is supported # List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors. # engine will use it for reporting nicer errors.
@ -449,8 +458,11 @@ default_sysctls = [
# "/usr/bin/kata-fc", # "/usr/bin/kata-fc",
# ] # ]
# The [engine.runtimes] table MUST be the last entry in this file. [engine.volume_plugins]
# testplugin = "/run/podman/plugins/test.sock"
# The [engine.volume_plugins] table MUST be the last entry in this file.
# (Unless another table is added) # (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being # TOML does not provide a way to end a table other than a further table being
# defined, so every key hereafter will be part of [runtimes] and not the main # defined, so every key hereafter will be part of [volume_plugins] and not the
# config. # main config.
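Review bot: On the new side, the `[engine.volume_plugins]` header line is not commented out while the `testplugin` example beneath it is. The closing comment explains why the table must be last, but not that the header is meant to be active; confirm that shipping an empty active `[engine.volume_plugins]` table is intended and, if so, say so in the comment, otherwise readers will assume a `#` was dropped by mistake.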

View File

@ -50,12 +50,14 @@ configure and manage the OCI runtime.
List of devices. List of devices.
Specified as 'device-on-host:device-on-container:permissions'. Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm". Example: "/dev/sdc:/dev/xvdc:rwm".
**volumes**=[] **volumes**=[]
List of volumes. List of volumes.
Specified as "directory-on-host:directory-in-container:options". Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro". Example: "/db:/var/lib/db:ro".
**apparmor_profile**="container-default" **apparmor_profile**="container-default"
@ -105,12 +107,14 @@ default_capabilities = [
A list of sysctls to be set in containers by default, A list of sysctls to be set in containers by default,
specified as "name=value". specified as "name=value".
Example:"net.ipv4.ping_group_range=0 1000". Example:"net.ipv4.ping_group_range=0 1000".
**default_ulimits**=[] **default_ulimits**=[]
A list of ulimits to be set in containers by default, A list of ulimits to be set in containers by default,
specified as "name=soft-limit:hard-limit". specified as "name=soft-limit:hard-limit".
Example: "nofile=1024:2048". Example: "nofile=1024:2048".
**dns_options**=[] **dns_options**=[]
@ -164,9 +168,14 @@ Options are:
`private` Create private IPC Namespace for the container. `private` Create private IPC Namespace for the container.
`host` Share host IPC Namespace with the container. `host` Share host IPC Namespace with the container.
**keyring**=true
Indicates whether the container engines create a kernel keyring for use within
the container.
**label**=true **label**=true
Indicates whether the container engines use MAC(SELinux) container separation via via labeling. Flag is ignored on disabled systems. Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
**log_driver**="k8s-file" **log_driver**="k8s-file"
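Review bot: Wording in the new `keyring` paragraph ("the container engines create") is plural while the `label` paragraph corrected in this same hunk uses the singular "the container engine uses"; use the singular in both. As with the conf file comment, the paragraph should also say what the container gets when `keyring` is `false`.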
@ -222,6 +231,7 @@ the system uses `65536k`.
Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine. Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine.
If not set, then containers will run with the time zone specified in the image. If not set, then containers will run with the time zone specified in the image.
Examples: Examples:
`tz="local"` `tz="local"`
`tz="America/New_York"` `tz="America/New_York"`
@ -375,6 +385,12 @@ and pods are visible.
Path to the slirp4netns binary. Path to the slirp4netns binary.
**network_cmd_options**=[]
Default options to pass to the slirp4netns binary.
Example "allow_host_loopback=true"
**no_pivot_root**=false **no_pivot_root**=false
Whether to use chroot instead of pivot_root in the runtime. Whether to use chroot instead of pivot_root in the runtime.
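Review bot: `Example "allow_host_loopback=true"` is missing the colon that every other entry in this page uses (`Example: ...`). Since it is the sole example, add a clause stating what the option does (host loopback becomes reachable from the container) so that the man page does not present a reach-widening setting as a neutral sample value.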
@ -393,6 +409,7 @@ Name of destination for accessing the Podman service.
**[service_destinations]** **[service_destinations]**
**[service_destinations.{name}]** **[service_destinations.{name}]**
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"** **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs: Example URIs:
@ -458,6 +475,13 @@ By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may containers. This convention is followed by the default volume driver, but may
not be by other drivers. not be by other drivers.
**[engine.volume_plugins]**
A table of all the enabled volume plugins on the system. Volume plugins can be
used as the backend for Podman named volumes. Individual plugins are specified
below, as a map of the plugin name (what the plugin will be called) to its path
(filepath of the plugin's unix socket).
# FILES # FILES
**containers.conf** **containers.conf**
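Review bot: The new `[engine.volume_plugins]` section does not mention that the table must be the last entry in the file, which the containers.conf comment changed in this commit does state; man page readers will not see that comment, so repeat it here. Minor: "unix socket" is conventionally written "UNIX socket".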

View File

@ -43,7 +43,7 @@
Name: %{repo} Name: %{repo}
Epoch: %{conditional_epoch} Epoch: %{conditional_epoch}
Version: 1.2.1 Version: 1.2.1
Release: 32.dev.git%{shortcommit0}%{?dist} Release: 33.dev.git%{shortcommit0}%{?dist}
Summary: Inspect container images and repositories on registries Summary: Inspect container images and repositories on registries
License: ASL 2.0 License: ASL 2.0
URL: %{git0} URL: %{git0}
@ -460,6 +460,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test %{_datadir}/%{name}/test
%changelog %changelog
* Tue Dec 8 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:1.2.1-33.dev.git4aaa9b4
- Update man pages and conf files for containers-common
* Tue Dec 8 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:1.2.1-32.dev.git4aaa9b4 * Tue Dec 8 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:1.2.1-32.dev.git4aaa9b4
- autobuilt 4aaa9b4 - autobuilt 4aaa9b4

View File

@ -4,7 +4,7 @@
# The "container storage" table contains all of the server options. # The "container storage" table contains all of the server options.
[storage] [storage]
# Default Storage Driver # Default Storage Driver, Must be set for proper operation.
driver = "overlay" driver = "overlay"
# Temporary storage location # Temporary storage location
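Review bot: "Default Storage Driver, Must be set for proper operation." has a capitalised "Must" after a comma; write it as two sentences ("Default storage driver. Must be set for proper operation.") and keep the wording identical to the storage.conf(5) sentence added in this commit (which also needs its "requiered" typo fixed).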