skopeo-1.2.1-1.el9
- ship preconfigured /etc/containers/registries.d/ files with containers-common

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
parent c056adfab1
commit a08e52fb3b
@ -6,8 +6,15 @@ containers-auth.json - syntax for the registry authentication file
# DESCRIPTION

A credentials file in JSON format used to authenticate against container image registries.
On Linux it is stored at `${XDG_RUNTIME_DIR}/containers/auth.json`;
on Windows and macOS, at `$HOME/.config/containers/auth.json`
The primary (read/write) file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux;
on Windows and macOS, at `$HOME/.config/containers/auth.json`.

When searching for the credential for a registry, the following files will be read in sequence until the valid credential is found:
first reading the primary (read/write) file, or the explicit override using an option of the calling application.
If credentials are not present, search in `${XDG\_CONFIG\_HOME}/containers/auth.json`, `$HOME/.docker/config.json`, `$HOME/.dockercfg`.

Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override.


## FORMAT

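Review bot: the sentence "unless the user use an option of the calling application explicitly points at it as an override" does not parse; suggest "unless the user explicitly points at one of them as an override, using an option of the calling application". The search-order paragraph also reads as a fragment ("the following files will be read in sequence ...: first reading the primary (read/write) file, or the explicit override ..."); a numbered list (1. the primary file, or the explicit override; 2. `${XDG_CONFIG_HOME}/containers/auth.json`; 3. `$HOME/.docker/config.json`; 4. `$HOME/.dockercfg`) would make the precedence unambiguous, which matters because a credential in a lower-precedence file is silently shadowed by one in the primary file.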
@ -177,7 +177,7 @@ One of the following alternatives are supported:
```json
{"type":"matchRepoDigestOrExact"}
```
- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifing an exact image version.
- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifying an exact image version.

```json
{"type":"matchRepository"}
@ -200,6 +200,30 @@ One of the following alternatives are supported:
"dockerRepository": docker_repository_value
}
```
- Prefix remapping:

If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix”
(otherwise it is used as unchanged and no remapping takes place);
matching then follows the `matchRepoDigestOrExact` semantics documented above
(i.e. if the image identity carries a tag, the identity in the signature must exactly match,
if it uses a digest reference, the repository must match).

The `prefix` and `signedPrefix` values can be either host[:port] values
(matching exactly the same host[:port], string),
repository namespaces, or repositories (i.e. they must not contain tags/digests),
and match as prefixes *of the fully expanded form*.
For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository,
or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`).

The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement.

```js
{
"type": "remapIdentity",
"prefix": prefix,
"signedPrefix": prefix,
}
```

If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`.

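Review bot: the example at `"signedPrefix": prefix,` reuses the `prefix` placeholder for both keys, so it reads as if `signedPrefix` must equal `prefix` (which would make the remap a no-op); use a distinct placeholder such as `signed_prefix`, matching the "signed prefix" wording in the prose. Also, the fence is ```js while every other example in this section uses ```json, the trailing comma after the last member is not valid JSON, and "the parent namespace of `docker.io/library/busybox`==`busybox`)." has an unmatched closing parenthesis.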
@ -260,6 +284,21 @@ selectively allow individual transports and scopes as desired.
"keyType": "GPGKeys",
"keyPath": "/path/to/reviewer-pubkey.gpg"
}
],
/* A way to mirror many repositories from a single vendor */
"private-mirror:5000/vendor-mirror": [
{ /* Require the image to be signed by the original vendor, using the vendor's repository location.
For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as
vendor.example/productA/image1:latest . */
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/path/to/vendor-pubkey.gpg",
"signedIdentity": {
"type": "remapIdentity",
"prefix": "private-mirror:5000/vendor-mirror",
"signedPrefix": "vendor.example.com",
}
}
]
}
}

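Review bot: the comment says `private-mirror:5000/vendor-mirror/productA/image1:latest` "needs to be signed as vendor.example/productA/image1:latest", but `signedPrefix` is `"vendor.example.com"`, so the comment and the configuration disagree on the hostname; align them. The trailing comma after the `"signedPrefix"` line also makes the block invalid JSON if copied into policy.json. Since this entry is what decides whether a mirrored image is accepted at all, the example should be internally consistent and copy-pasteable.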
@ -102,6 +102,75 @@ internet without having to change `Dockerfile`s, or to add redundancy).
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
to a registry; that may change in the future.

#### Short-Name Aliasing
The use of unqualified-search registries entails an ambiguity as it is
unclear from which registry a given image, referenced by a short name,
may be pulled from.

As mentioned in the note at the end of this man page, using short names is
subject to the risk of hitting squatted registry namespaces. If the
unqualified-search registries are set to `["registry1.com", "registry2.com"]`
an attacker may take over a namespace of registry1.com such that an image may
be pulled from registry1.com instead of the intended source registry2.com.

While it is highly recommended to always use fully-qualified image references,
existing deployments using short names may not be easily changed. To
circumvent the aforementioned ambiguity, so called short-name aliases can be
configured that point to a fully-qualified image
reference.

Short-name aliases can be configured in the `[aliases]` table in the form of
`"name"="value"` with the left-hand `name` being the short name (e.g., "image")
and the right-hand `value` being the fully-qualified image reference (e.g.,
"registry.com/namespace/image"). Note that neither "name" nor "value" can
include a tag or digest. Moreover, "name" must be a short name and hence
cannot include a registry domain or refer to localhost.

When pulling a short name, the configured aliases table will be used for
resolving the short name. If a matching alias is found, it will be used
without further consulting the unqualified-search registries list. If no
matching alias is found, the behavior can be controlled via the
`short-name-mode` option as described below.

Note that tags and digests are stripped off a user-specified short name for
alias resolution. Hence, "image", "image:tag" and "image@digest" all resolve
to the same alias (i.e., "image"). Stripped off tags and digests are later
appended to the resolved alias.

Further note that drop-in configuration files (see containers-registries.conf.d(5))
can override aliases in the specific loading order of the files. If the "value" of
an alias is empty (i.e., ""), the alias will be erased. However, a given
"name" may only be specified once in a single config file.


#### Short-Name Aliasing: Modes

The `short-name-mode` option supports three modes to control the behaviour of
short-name resolution.

* `enforcing`: If only one unqualified-search registry is set, use it as there
is no ambiguity. If there is more than one registry and the user program is
running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to
select one of the specified search registries. If the program is not running
in a terminal, the ambiguity cannot be resolved which will lead to an error.

* `permissive`: Behaves as enforcing but does not lead to an error if the
program is not running in a terminal. Instead, fallback to using all
unqualified-search registries.

* `disabled`: Use all unqualified-search registries without prompting.

If `short-name-mode` is not specified at all or left empty, default to the
`permissive` mode. If the user-specified short name was not aliased already,
the `enforcing` and `permissive` mode if prompted, will record a new alias
after a successful pull. Note that the recorded alias will be written to
`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear
separation between possibly human-edited registries.conf files and the
machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used
if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a
`registries.conf` file and also the machine-generated
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.

#### Normalization of docker.io references

The Docker Hub `docker.io` is handled in a special way: every push and pull

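Review bot: `short-name-aliases-conf` should read `short-name-aliases.conf` (the file is named correctly two lines later). Grammar: "from which registry ... may be pulled from" doubles "from"; "so called" should be "so-called"; "the `enforcing` and `permissive` mode if prompted, will record a new alias" reads better as "in `enforcing` and `permissive` mode, a registry selected at the prompt is recorded as a new alias". It would also help to state plainly what follows from the precedence rule: because `short-name-aliases.conf` wins over `registries.conf`, a registry chosen once at the prompt keeps winning on every later pull of that short name until the recorded alias is changed, so a single wrong selection persists.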
@ -61,6 +61,11 @@ more general scopes is ignored. For example, if _any_ configuration exists for
`docker.io/library/busybox`, the configuration for `docker.io` is ignored
(even if some element of the configuration is defined for `docker.io` and not for `docker.io/library/busybox`).

### Built-in Defaults

If no `docker` section can be found for the container image, and no `default-docker` section is configured,
the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.

## Individual Configuration Sections

A single configuration section is selected for a container image using the process
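Review bot: "for unprivileged user" should be "for unprivileged users". Since the paragraph says the default directory is used "for reading and writing signatures", it would also help to say whether the rootless default `$HOME/.local/share/containers/sigstore` is created on demand when a signature is first written.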
@ -77,6 +82,7 @@ described above. The configuration section is a YAML mapping, with the followin
This key is optional; if it is missing, no signature storage is defined (no signatures
are download along with images, adding new signatures is possible only if `sigstore-staging` is defined).


## Examples

### Using Containers from Various Origins

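Review bot: the context line "no signatures are download along with images" carries a pre-existing typo ("downloaded"); since this hunk already touches the lines immediately after it, fix it here.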
@ -224,7 +224,7 @@ The contents of this string is not defined in detail; however each implementatio
Consumers of container signatures MAY recognize specific values or sets of values of `optional.creator`
(perhaps augmented with `optional.timestamp`),
and MAY change their processing of the signature based on these values
(usually to acommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively),
(usually to accommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively),
as long as the semantics of the invalid document, as created by such an implementation, is clear.

If consumers of signatures do change their behavior based on the `optional.creator` value,

@ -27,8 +27,9 @@ No bare options are used. The format of TOML can be simplified to:
The `storage` table supports the following options:

**driver**=""
container storage driver (default: "overlay")
container storage driver
Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
This field is requiered to guarantee proper operation.

**graphroot**=""
container storage graph dir (default: "/var/lib/containers/storage")
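Review bot: "requiered" should be "required". Dropping `(default: "overlay")` from the summary line while the description still opens with "Default Copy On Write (COW) container storage driver" leaves it unclear whether any default remains; if the field is now mandatory, say so in that sentence as well and state what happens when it is left empty.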
@ -45,7 +46,7 @@ The `storage` table supports the following options:
A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS).

**runroot**=""
container storage run dir (default: "/var/run/containers/storage")
container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs.
The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)

@ -75,7 +76,7 @@ The `storage.options` table supports the following options:
remap-group = "containers"

**root-auto-userns-user**=""
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.

**auto-userns-min-size**=1024
Auto-userns-min-size is the minimum size for a user namespace created automatically.
@ -149,7 +150,7 @@ The `storage.options.thinpool` table supports the following options for the `dev
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.

**size**=""
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))

**use_deferred_deletion**=""
Marks thinpool device for deferred deletion. If the thinpool is in use when the driver attempts to delete it, the driver will attempt to delete device every 30 seconds until successful, or when it restarts. Deferred deletion permanently deletes the device and all data stored in the device will be lost. (default: true).
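Review bot: the before and after lines for **size** are identical as rendered, so the change is presumably whitespace or an escaping fix around `<number>[<unit>]`; a word in the commit message would save reviewers comparing the two character by character.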
@ -167,6 +168,39 @@ The `storage.options.overlay` table supports the following options:
**ignore_chown_errors** = "false"
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false)

**force_mask** = "0000|shared|private"
ForceMask specifies the permissions mask that is used for new files and
directories.
The values "shared" and "private" are accepted. (default: ""). Octal permission
masks are also accepted.

``: Not set
All files/directories, get set with the permissions identified within the
image.

`private`: it is equivalent to 0700.
All files/directories get set with 0700 permissions. The owner has rwx
access to the files. No other users on the system can access the files.
This setting could be used with networked based home directories.

`shared`: it is equivalent to 0755.
The owner has rwx access to the files and everyone else can read, access
and execute them. This setting is useful for sharing containers storage
with other users. For instance, a storage owned by root could be shared
to rootless users as an additional store.
NOTE: All files within the image are made readable and executable by any
user on the system. Even /etc/shadow within your image is now readable by
any user.

`OCTAL`: Users can experiment with other OCTAL Permissions.

Note: The force_mask Flag is an experimental feature, it could change in the
future. When "force_mask" is set the original permission mask is stored in the
"user.containers.override_stat" xattr and the "mount_program" option must be
specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended
attribute permissions to processes within containers rather then the
"force_mask" permissions.

**mount_program**=""
Specifies the path to a custom program to use instead of using kernel defaults
for mounting the file system. In rootless mode, without the CAP_SYS_ADMIN
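Review bot: "rather then the" should be "rather than the"; the empty code span in "``: Not set" renders as nothing, so write it as `""` (the quoted empty string the default clause above already uses). Also "All files/directories, get set" has a stray comma, "networked based" should be "network-based", and "a storage owned by root" should be "storage owned by root". The NOTE that `shared` makes every file in the image, /etc/shadow included, readable by any user on the host is the most important sentence in this block; placing it on the line that introduces `shared`, before the use case, keeps it from reading as an afterthought.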
@ -221,7 +255,7 @@ The semanage command above tells SELinux to setup the default labeling of `NEWST
Now all new content created in these directories will automatically be created with the correct label.

## SEE ALSO
`semanage(8)`, `restorecon(8)`, `mount(8)`
`semanage(8)`, `restorecon(8)`, `mount(8)`, `fuse-overlayfs(1)`

## FILES

@ -52,36 +52,35 @@
# Options are:
# `enabled` Enable cgroup support within container
# `disabled` Disable cgroup support, will inherit cgroups from parent
# `no-conmon` Container engine runs run without conmon
# `no-conmon` Do not create a cgroup dedicated to conmon.
#
# cgroups = "enabled"

# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#
# default_capabilities = [
# "AUDIT_WRITE",
# "CHOWN",
# "DAC_OVERRIDE",
# "FOWNER",
# "FSETID",
# "KILL",
# "MKNOD",
# "NET_BIND_SERVICE",
# "NET_RAW",
# "SETGID",
# "SETPCAP",
# "SETUID",
# "SYS_CHROOT",
# ]
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT"
]


# A list of sysctls to be set in containers by default,
# specified as "name=value",
# for example:"net.ipv4.ping_group_range = 0 1000".
# for example:"net.ipv4.ping_group_range = 0 0".
#
# default_sysctls = [
# "net.ipv4.ping_group_range=0 1000",
# ]
default_sysctls = [
"net.ipv4.ping_group_range=0 0",
]

# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
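Review bot: the commented example list above `default_capabilities` still shows AUDIT_WRITE, MKNOD and NET_RAW and lacks SETFCAP, while the now-active list drops those three and adds SETFCAP, so the file contradicts itself; update the commented example to match (and likewise the `ping_group_range` example, whose comment now says `0 0` while the commented list still says `0 1000`). Because the comment states that an empty or commented-out list falls back to the engine's built-in defaults, un-commenting the list is a behaviour change; the commit message ("ship preconfigured /etc/containers/registries.d/ files") does not mention it, and removing NET_RAW, MKNOD and AUDIT_WRITE from the default set is a hardening change that deserves an explicit line.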
@ -147,9 +146,13 @@
#
# ipcns = "private"

# Flag tells container engine to whether to use container separation using
# MAC(SELinux)labeling or not.
# Flag is ignored on label disabled systems.
# keyring tells the container engine whether to create
# a kernel keyring for use within the container.
# keyring = true

# label tells the container engine whether to use container separation using
# MAC(SELinux) labeling or not.
# The label flag is ignored on label disabled systems.
#
# label = true

@ -243,6 +246,9 @@
# network_config_dir = "/etc/cni/net.d/"

[engine]
# ImageBuildFormat indicates the default image format to building
# container images. Valid values are "oci" (default) or "docker".
# image_build_format = "oci"

# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
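Review bot: "the default image format to building container images" should be "for building container images"; the same sentence appears in the man-page hunk for **image_build_format** later in this commit and should be fixed there too.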
@ -292,7 +298,7 @@
# Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`.
#
# events_logger = "journald"
events_logger = "file"

# Path to OCI hooks directories for automatically executed hooks.
#
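Review bot: un-commenting `events_logger = "file"` moves engine events from journald to the file backend; these events are the primary audit trail for container lifecycle, so the commit message should give the reason and say where the file backend writes, for anyone who collects journald and would otherwise silently stop seeing them.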
@ -342,6 +348,11 @@
#
# network_cmd_path=""

# Default options to pass to the slirp4netns binary.
# For example "allow_host_loopback=true"
#
# network_cmd_options=[]

# Whether to use chroot instead of pivot_root in the runtime
#
# no_pivot_root = false
@ -355,6 +366,11 @@
# Whether to pull new image before running a container
# pull_policy = "missing"

# Indicates whether the application should be running in remote mode. This flag modifies the
# --remote option on container engines. Setting the flag to true will default
# `podman --remote=true` for access to the remote Podman service.
# remote = false

# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
@ -364,7 +380,7 @@

# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/var/run/libpod"
# tmp_dir = "/run/libpod"

# Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage
@ -375,7 +391,7 @@

# Default OCI runtime
#
# runtime = "runc"
# runtime = "crun"

# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
@ -409,18 +425,8 @@
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"

# Paths to look for a valid OCI runtime (runc, runv, kata, etc)
# Paths to look for a valid OCI runtime (crun, runc, kata, etc)
[engine.runtimes]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]

# crun = [
# "/usr/bin/crun",
# "/usr/sbin/crun",
@ -431,6 +437,16 @@
# "/run/current-system/sw/bin/crun",
# ]

# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]

# kata = [
# "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime",
@ -442,8 +458,11 @@
# "/usr/bin/kata-fc",
# ]

# The [engine.runtimes] table MUST be the last entry in this file.
[engine.volume_plugins]
# testplugin = "/run/podman/plugins/test.sock"

# The [engine.volume_plugins] table MUST be the last entry in this file.
# (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being
# defined, so every key hereafter will be part of [runtimes] and not the main
# config.
# defined, so every key hereafter will be part of [volume_plugins] and not the
# main config.

@ -50,12 +50,14 @@ configure and manage the OCI runtime.

List of devices.
Specified as 'device-on-host:device-on-container:permissions'.

Example: "/dev/sdc:/dev/xvdc:rwm".

**volumes**=[]

List of volumes.
Specified as "directory-on-host:directory-in-container:options".

Example: "/db:/var/lib/db:ro".

**apparmor_profile**="container-default"
@ -76,7 +78,7 @@ Determines whether the container will create CGroups.
Options are:
`enabled` Enable cgroup support within container
`disabled` Disable cgroup support, will inherit cgroups from parent
`no-conmon` Container engine runs run without conmon
`no-conmon` Do not create a cgroup dedicated to conmon.

**default_capabilities**=[]

@ -105,12 +107,14 @@ default_capabilities = [

A list of sysctls to be set in containers by default,
specified as "name=value".

Example:"net.ipv4.ping_group_range=0 1000".

**default_ulimits**=[]

A list of ulimits to be set in containers by default,
specified as "name=soft-limit:hard-limit".

Example: "nofile=1024:2048".

**dns_options**=[]
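Review bot: the man-page example `"net.ipv4.ping_group_range=0 1000"` no longer matches the shipped containers.conf in this same commit, which sets `"net.ipv4.ping_group_range=0 0"`; pick one value so the documentation and the default agree. Also "Example:" here lacks the space after the colon that the ulimits example below has.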
@ -138,7 +142,7 @@ environment variables to the container.

Pass all host environment variables into the container.

**http_proxy**=false
**http_proxy**=true

Default proxy environment variables will be passed into the container.
The environment variables passed in include:
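Review bot: flipping the documented **http_proxy** default from false to true means the host's proxy environment variables are passed into every container unless disabled; no matching `http_proxy` line appears in the containers.conf hunks of this commit, so either the man page or the shipped file is out of step, and a default change that exposes host environment to containers should be named in the commit message.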
@ -164,9 +168,14 @@ Options are:
`private` Create private IPC Namespace for the container.
`host` Share host IPC Namespace with the container.

**keyring**=true

Indicates whether the container engines create a kernel keyring for use within
the container.

**label**=true

Indicates whether the container engines use MAC(SELinux) container separation via via labeling. Flag is ignored on disabled systems.
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.

**log_driver**="k8s-file"

@ -222,6 +231,7 @@ the system uses `65536k`.

Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine.
If not set, then containers will run with the time zone specified in the image.

Examples:
`tz="local"`
`tz="America/New_York"`
@ -268,6 +278,9 @@ Path to the directory where CNI configuration files are located.
## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.

**image_build_format**="oci"
The default image format to building container images. Valid values are "oci" (default) or "docker".

**cgroup_check**=false

CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
@ -372,6 +385,12 @@ and pods are visible.

Path to the slirp4netns binary.

**network_cmd_options**=[]

Default options to pass to the slirp4netns binary.

Example "allow_host_loopback=true"

**no_pivot_root**=false

Whether to use chroot instead of pivot_root in the runtime.
@ -390,6 +409,7 @@ Name of destination for accessing the Podman service.
**[service_destinations]**

**[service_destinations.{name}]**

**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**

Example URIs:
@ -411,10 +431,15 @@ Pull image before running or creating a container. The default is **missing**.
- **always**: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally.
- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.

**runtime**="crun"
**remote** = false
Indicates whether the application should be running in remote mode. This flag modifies the
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.

**runtime**=""

Default OCI specific runtime in runtimes that will be used by default. Must
refer to a member of the runtimes table.
refer to a member of the runtimes table. Default runtime will be searched for
on the system using the priority: "crun", "runc", "kata".

**runtime_supports_json**=["crun", "runc", "kata"]

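Review bot: the new `**remote** = false` entry puts spaces around `=` while every other key in this table is written `**key**=value`; also "Default OCI specific runtime in runtimes that will be used by default" reads better as "Default OCI runtime, which must refer to a member of the runtimes table".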
@ -438,7 +463,7 @@ stores containers.

Number of seconds to wait for container to exit before sending kill signal.

**tmp_dir**="/var/run/libpod"
**tmp_dir**="/run/libpod"

The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot).
@ -451,6 +476,13 @@ By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.

**[engine.volume_plugins]**

A table of all the enabled volume plugins on the system. Volume plugins can be
used as the backend for Podman named volumes. Individual plugins are specified
below, as a map of the plugin name (what the plugin will be called) to its path
(filepath of the plugin's unix socket).

# FILES

**containers.conf**

gating.yaml (14)
@ -1,14 +0,0 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
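Review bot: deleting gating.yaml removes the Fedora CI gating rules that required `fedora-ci.koji-build.tier0.functional` to pass for both `bodhi_update_push_testing` and `bodhi_update_push_stable`; if this branch is el9-only and Fedora gating does not apply, say so in the commit message, because otherwise the change lets builds reach stable without that test.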
seccomp.json (19)
@ -68,11 +68,16 @@
"chown",
"chown32",
"clock_adjtime",
"clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
"clock_gettime64",
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"close",
"close_range",
"connect",
"copy_file_range",
"creat",
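Review bot: close_range is added to the allowlist here alongside the 64-bit time variants (clock_adjtime64, clock_getres_time64, clock_gettime64, clock_nanosleep_time64), but the commit message does not mention seccomp at all; the allowlist is a security boundary, so every entry that widens it should be named in the message with its reason (the clock_* additions are the 32-bit time64 ABI, close_range is a separate new syscall).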
@ -101,7 +106,6 @@
"fchdir",
"fchmod",
"fchmodat",
"fchmodat2",
"fchown",
"fchown32",
"fchownat",
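Review bot: fchmodat2 is removed from the allowlist while every other seccomp hunk in this commit adds syscalls; a removal narrows what containers may call, so a program that uses fchmodat2 will now hit the filter's default action, and the reason for dropping it belongs in the commit message.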
@ -224,17 +228,22 @@
"openat",
"openat2",
"pause",
"pidfd_getfd",
"pidfd_open",
"pidfd_send_signal",
"pipe",
"pipe2",
"pivot_root",
"poll",
"ppoll",
"ppoll_time64",
"prctl",
"pread64",
"preadv",
"preadv2",
"prlimit64",
"pselect6",
"pselect6_time64",
"pwrite64",
"pwritev",
"pwritev2",
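Review bot: pidfd_getfd is added to the unconditional allowlist next to pidfd_open and pidfd_send_signal; of the three it is the one that copies a file descriptor out of another process, so confirm that placing it here rather than in a capability-gated group (as this file does for clock_settime later on) is intended, and record that decision in the commit message.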
@ -347,10 +356,13 @@
"timer_delete",
"timer_getoverrun",
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
"timerfd_settime",
"timerfd_settime64",
"times",
"tkill",
"truncate",
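Review bot: timer_gettime64, timerfd_gettime64 and timerfd_settime64 are added, but timer_settime is left without a timer_settime64 counterpart; check whether that omission is intended, since the other get/set pairs in this hunk are added symmetrically.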
@ -365,9 +377,9 @@
"unshare",
"utime",
"utimensat",
"utimensat_time64",
"utimes",
"vfork",
"vmsplice",
"wait4",
"waitid",
"waitpid",
@ -751,7 +763,8 @@
"names": [
"settimeofday",
"stime",
"clock_settime"
"clock_settime",
"clock_settime64"
],
"action": "SCMP_ACT_ALLOW",
"args": [],

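Review bot: placing clock_settime64 in the same restricted group as settimeofday, stime and clock_settime is the right call; it keeps the 64-bit variant under the same conditions as the syscall it mirrors instead of in the general allowlist, and the other time64 additions in this commit should be checked against the same rule.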
shortnames.conf (55), new file
@ -0,0 +1,55 @@
[aliases]
# centos
"centos" = "registry.centos.org/centos"
# containers
"skopeo" = "quay.io/skopeo/stable"
"buildah" = "quay.io/buildah/stable"
"podman" = "quay.io/podman/stable"
# docker
"alpine" = "docker.io/library/alpine"
"docker" = "docker.io/library/docker"
"registry" = "docker.io/library/registry"
"hello-world" = "docker.io/library/hello-world"
"swarm" = "docker.io/library/swarm"
# Fedora
"fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
"fedora" = "registry.fedoraproject.org/fedora"
# openSUSE
"opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
"opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
"opensuse/tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
"opensuse/leap" = "registry.opensuse.org/opensuse/leap"
"opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
"tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
"tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
"tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
"leap" = "registry.opensuse.org/opensuse/leap"
"tw-busybox" = "registry.opensuse.org/opensuse/busybox"
# SUSE
"suse/sle15" = "registry.suse.com/suse/sle15"
"suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
"suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
"suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
"sle15" = "registry.suse.com/suse/sle15"
"sles12sp5" = "registry.suse.com/suse/sles12sp5"
"sles12sp4" = "registry.suse.com/suse/sles12sp4"
"sles12sp3" = "registry.suse.com/suse/sles12sp3"
# Red Hat Enterprise Linux
"rhel" = "registry.access.redhat.com/rhel"
"rhel6" = "registry.access.redhat.com/rhel6"
"rhel7" = "registry.access.redhat.com/rhel7"
"ubi7" = "registry.access.redhat.com/ubi7"
"ubi7-init" = "registry.access.redhat.com/ubi7-init"
"ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
|
||||
"ubi8" = "registry.access.redhat.com/ubi8"
|
||||
"ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
|
||||
"ubi8-init" = "registry.access.redhat.com/ubi8-init"
|
||||
"ubi8-micro" = "registry.access.redhat.com/ubi8-micro"
|
||||
"ubi8/ubi" = "registry.access.redhat.com/ubi8/ubi"
|
||||
"ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
|
||||
"ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
|
||||
"ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
|
||||
# Debian
|
||||
"debian" = "docker.io/library/debian"
|
||||
# Oracle Linux
|
||||
"oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
|
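Review bot: "ubi8/ubi-minimal", "ubi8/ubi-init" and "ubi8/ubi-micro" resolve to the flat registry.access.redhat.com/ubi8-minimal, ubi8-init and ubi8-micro repositories, whereas "ubi8/ubi" resolves to registry.access.redhat.com/ubi8/ubi; if the ubi8/ubi-* repositories exist the mapping should be consistent, and if the flat names are the canonical ones a one-line comment saying so prevents someone "fixing" it later. Every alias in this table decides which registry an unqualified name resolves to, so a wrong entry silently redirects pulls; worth a line-by-line check, especially since the spec fetches this file from the unpinned main branch.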
56
skopeo.spec
@ -1,18 +1,13 @@
|
||||
%global with_debug 1
|
||||
%global with_check 0
|
||||
|
||||
%if 0%{?with_debug}
|
||||
%global _find_debuginfo_dwz_opts %{nil}
|
||||
%global _dwz_low_mem_die_limit 0
|
||||
%else
|
||||
%global debug_package %{nil}
|
||||
%endif
|
||||
|
||||
%if 0%{?rhel} > 7 && ! 0%{?fedora}
|
||||
%define gobuild(o:) \
|
||||
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
|
||||
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v %{?**};
|
||||
%else
|
||||
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
|
||||
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v %{?**};
|
||||
%endif
|
||||
|
||||
%global import_path github.com/containers/skopeo
|
||||
@ -22,22 +17,26 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
|
||||
# These vendored components must have the same version. If it is not the case,
|
||||
# pick the oldest version on c/image, c/common, c/storage vendored in
|
||||
# podman/skopeo/podman.
|
||||
%global podman_branch v2.2
|
||||
%global image_branch v5.6.0
|
||||
%global common_branch v0.22.0
|
||||
%global storage_branch v1.23.5
|
||||
%global commit0 2b4097bc13e7ba1d16a5225e2292a5cf88072f63
|
||||
%global podman_branch master
|
||||
%global image_branch v5.9.0
|
||||
%global common_branch v0.33.0
|
||||
%global storage_branch v1.24.5
|
||||
%global shortnames_branch main
|
||||
%global commit0 bdb117ded6d37f0a6b0a2e28ba3213c20264ab43
|
||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||
|
||||
Epoch: 1
|
||||
Name: skopeo
|
||||
Version: 1.2.0
|
||||
Release: 6%{?dist}
|
||||
Version: 1.2.1
|
||||
Release: 1%{?dist}
|
||||
Summary: Inspect container images and repositories on registries
|
||||
License: ASL 2.0
|
||||
URL: %{git0}
|
||||
# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
|
||||
ExcludeArch: i686
|
||||
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
|
||||
#ExclusiveArch: %%{go_arches}
|
||||
# still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1905383
|
||||
ExcludeArch: %{ix86}
|
||||
%if 0%{?branch:1}
|
||||
Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
|
||||
%else
|
||||
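Review bot: `%global podman_branch master` and `%global shortnames_branch main` are moving refs while image, common and storage are pinned to tags; every Source fetched through them (shortnames.conf via Source17, and whatever podman_branch feeds) can change between two builds of the same NVR, which is exactly what the comment above about matching vendored versions warns against. Pin both to a tag or commit, or at least record the fetched commit in the changelog. The ExcludeArch switch to %{ix86} is well documented by the bugzilla reference.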
@ -60,6 +59,8 @@ Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/p
|
||||
Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md
|
||||
Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md
|
||||
Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
|
||||
Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
|
||||
Source18: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
|
||||
BuildRequires: git
|
||||
BuildRequires: golang >= 1.12.12-4
|
||||
BuildRequires: go-md2man
|
||||
@ -138,9 +139,10 @@ make \
|
||||
DESTDIR=%{buildroot} \
|
||||
SIGSTOREDIR=%{buildroot}%{_sharedstatedir}/containers/sigstore \
|
||||
install
|
||||
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d}
|
||||
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
|
||||
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
|
||||
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
|
||||
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
|
||||
install -dp %{buildroot}%{_mandir}/man5
|
||||
go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
|
||||
go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
|
||||
@ -150,6 +152,7 @@ go-md2man -in %{SOURCE9} -out %{buildroot}%{_mandir}/man5/containers-signature.5
|
||||
go-md2man -in %{SOURCE10} -out %{buildroot}%{_mandir}/man5/containers-transports.5
|
||||
go-md2man -in %{SOURCE11} -out %{buildroot}%{_mandir}/man5/containers-certs.d.5
|
||||
go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries.d.5
|
||||
go-md2man -in %{SOURCE18} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
|
||||
go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5
|
||||
go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
|
||||
go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
|
||||
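Review bot: the added line renders %{SOURCE18} (containers-registries.conf.5.md per the Source list) into containers-registries.conf.d.5, the same output path the existing %{SOURCE16} line below writes, so the later go-md2man call overwrites it and the new page is never shipped. The intended target is presumably containers-registries.conf.5, which the %{SOURCE4} line earlier in %install already produces; either fix the -out path and drop the SOURCE4 rendering, or drop this line.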
@ -166,6 +169,19 @@ ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pk
|
||||
ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
|
||||
ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo
|
||||
|
||||
# ship preconfigured /etc/containers/registries.d/ files with containers-common - #1903813
|
||||
cat <<EOF > %{buildroot}%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
|
||||
docker:
|
||||
registry.access.redhat.com:
|
||||
sigstore: https://access.redhat.com/webassets/docker/content/sigstore
|
||||
EOF
|
||||
|
||||
cat <<EOF > %{buildroot}%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
|
||||
docker:
|
||||
registry.redhat.io:
|
||||
sigstore: https://registry.redhat.io/containers/sigstore
|
||||
EOF
|
||||
|
||||
# system tests
|
||||
install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
|
||||
cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
|
||||
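Review bot: the two heredocs are safe as written (no `$` or backtick content, so the unquoted EOF is harmless, though `<<'EOF'` would guard future edits), but be clear about what they provide: a registries.d entry only tells the signature code where to fetch detached signatures for that registry; pulls are not rejected unless policy.json (listed in %files below) requires signedBy for those registries, and this commit does not change the shipped policy. Consider shipping the two YAML files as SourceN rather than generating them in %install so they are visible and diffable like the other configs.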
@ -186,10 +202,13 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%dir %{_sysconfdir}/containers/registries.d
|
||||
%dir %{_sysconfdir}/containers/oci
|
||||
%dir %{_sysconfdir}/containers/oci/hooks.d
|
||||
%dir %{_sysconfdir}/containers/registries.conf.d
|
||||
%config(noreplace) %{_sysconfdir}/containers/policy.json
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/storage.conf
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.conf
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/shortnames.conf
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml
|
||||
%ghost %{_sysconfdir}/containers/containers.conf
|
||||
%dir %{_sharedstatedir}/containers/sigstore
|
||||
%{_mandir}/man5/*
|
||||
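Review bot: replacing the explicit registries.d/default.yaml entry with registries.d/*.yaml makes the two generated files %config(noreplace), which is right for admin-editable files, but a glob in %files also silently picks up any stray YAML left in the buildroot; listing default.yaml and the two new files explicitly keeps the package contents reviewable.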
@ -214,6 +233,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%{_datadir}/%{name}/test
|
||||
|
||||
%changelog
|
||||
* Thu Jan 14 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.2.1-1
|
||||
- ship preconfigured /etc/containers/registries.d/ files with containers-common
|
||||
|
||||
* Tue Dec 01 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.2.0-6
|
||||
- unify vendored branches
|
||||
- add validation script
|
||||
|
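Review bot: the changelog entry covers only the registries.d files, but this commit also bumps Version to 1.2.1, moves the vendored branches (image v5.9.0, common v0.33.0, storage v1.24.5), adds shortnames.conf, updates seccomp.json and storage.conf, switches ExcludeArch to %{ix86}, and deletes the test playbooks; each of those deserves its own line.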
2
sources
@ -1 +1 @@
|
||||
a5ed58289138f56752f5d8ff5c9b836d skopeo-1.2.0-2b4097b.tar.gz
|
||||
SHA512 (skopeo-1.2.1-bdb117d.tar.gz) = 42f4c649fa3c0e343f1d396165f74b2c5e8703535ce6cdd633b82aaa7f8e7a6fb84a82c87e42b1f10a0a4ed5032092a07fa87fc0aafc99b106ccb16c883089b4
|
||||
|
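Review bot: moving from the bare MD5 line to the SHA512 format is the right direction (MD5 is not collision resistant, so the old line could not detect a substituted tarball); the filename skopeo-1.2.1-bdb117d.tar.gz matches %{shortcommit0} of the new commit0, so Source0 and sources agree.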
39
storage.conf
@ -4,11 +4,11 @@
|
||||
# The "container storage" table contains all of the server options.
|
||||
[storage]
|
||||
|
||||
# Default Storage Driver
|
||||
# Default Storage Driver, Must be set for proper operation.
|
||||
driver = "overlay"
|
||||
|
||||
# Temporary storage location
|
||||
runroot = "/var/run/containers/storage"
|
||||
runroot = "/run/containers/storage"
|
||||
|
||||
# Primary Read/Write location of container storage
|
||||
graphroot = "/var/lib/containers/storage"
|
||||
@ -47,7 +47,7 @@ additionalimagestores = [
|
||||
# remap-group = "containers"
|
||||
|
||||
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
|
||||
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned
|
||||
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
|
||||
# to containers configured to create automatically a user namespace. Containers
|
||||
# configured to automatically create a user namespace can still overlap with containers
|
||||
# having an explicit mapping set.
|
||||
@ -82,6 +82,39 @@ mountopt = "nodev,metacopy=on"
|
||||
# Size is used to set a maximum size of the container image.
|
||||
# size = ""
|
||||
|
||||
# ForceMask specifies the permissions mask that is used for new files and
|
||||
# directories.
|
||||
#
|
||||
# The values "shared" and "private" are accepted.
|
||||
# Octal permission masks are also accepted.
|
||||
#
|
||||
# "": No value specified.
|
||||
# All files/directories, get set with the permissions identified within the
|
||||
# image.
|
||||
# "private": it is equivalent to 0700.
|
||||
# All files/directories get set with 0700 permissions. The owner has rwx
|
||||
# access to the files. No other users on the system can access the files.
|
||||
# This setting could be used with networked based homedirs.
|
||||
# "shared": it is equivalent to 0755.
|
||||
# The owner has rwx access to the files and everyone else can read, access
|
||||
# and execute them. This setting is useful for sharing containers storage
|
||||
# with other users. For instance have a storage owned by root but shared
|
||||
# to rootless users as an additional store.
|
||||
# NOTE: All files within the image are made readable and executable by any
|
||||
# user on the system. Even /etc/shadow within your image is now readable by
|
||||
# any user.
|
||||
#
|
||||
# OCTAL: Users can experiment with other OCTAL Permissions.
|
||||
#
|
||||
# Note: The force_mask Flag is an experimental feature, it could change in the
|
||||
# future. When "force_mask" is set the original permission mask is stored in
|
||||
# the "user.containers.override_stat" xattr and the "mount_program" option must
|
||||
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
|
||||
# extended attribute permissions to processes within containers rather then the
|
||||
# "force_mask" permissions.
|
||||
#
|
||||
# force_mask = ""
|
||||
|
||||
[storage.options.thinpool]
|
||||
# Storage Options for thinpool
|
||||
|
||||
|
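Review bot: typo in the new comment block: "rather then the" should read "rather than the". The NOTE paragraph about "shared" making every file in the image, /etc/shadow included, readable by any user on the system is the important part of this block and should stay; since force_mask stays commented out, nothing changes for deployments unless an administrator opts in.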
@ -1,14 +0,0 @@
|
||||
#!/bin/bash -e
|
||||
|
||||
# Log program and kernel versions
|
||||
echo "Important package versions:"
|
||||
(
|
||||
uname -r
|
||||
rpm -qa | egrep 'skopeo|podman|conmon|crun|runc|iptable|slirp|systemd' | sort
|
||||
) | sed -e 's/^/ /'
|
||||
|
||||
# Log environment; or at least the useful bits
|
||||
echo "Environment:"
|
||||
env | grep -v LS_COLORS= | sort | sed -e 's/^/ /'
|
||||
|
||||
SKOPEO_BINARY=/usr/bin/skopeo bats /usr/share/skopeo/test/system
|
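Review bot: the test playbook files (this script, test_skopeo.yml and tests.yml) are deleted with no mention in the commit message or changelog, while %{_datadir}/%{name}/test/system is still installed by the spec; if the CI gating moved elsewhere, say where, otherwise this drops the only automated test hook in the package.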
@ -1,16 +0,0 @@
|
||||
---
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-basic
|
||||
tags:
|
||||
- classic
|
||||
- container
|
||||
required_packages:
|
||||
- bats
|
||||
- skopeo
|
||||
- skopeo-tests
|
||||
tests:
|
||||
- root-test:
|
||||
dir: ./
|
||||
run: ./test_skopeo.sh
|
||||
timeout: 15m
|
@ -1 +0,0 @@
|
||||
- import_playbook: test_skopeo.yml
|
9
update.sh
Executable file
@ -0,0 +1,9 @@
|
||||
#!/bin/bash
|
||||
spectool -f -g skopeo.spec
|
||||
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' storage.conf
|
||||
[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
|
||||
"keyctl",' seccomp.json
|
||||
sed -i '/\"socketcall\",/i \
|
||||
"socket",' seccomp.json
|
||||
sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]/g' registries.conf
|
||||
sed -i 's,#.*events_logger.*=.*"journald",events_logger = "file",' containers.conf
|
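Review bot: this script edits downloaded sources after spectool fetches them, and none of the edits are recorded in the spec: two sed calls insert "keyctl" and "socket" into seccomp.json's allowlist, and another enables an unqualified-search-registries list of four registries in registries.conf. Both are security-relevant defaults (extra allowed syscalls; an unqualified name being tried against each listed registry in order, which the shortnames.conf aliases exist to avoid), so each should carry a comment explaining why it is needed. Minor: the keyctl guard uses `[ `...` == 0 ]`, which is bash-only; `[ "$(grep -c keyctl seccomp.json)" -eq 0 ]` is the portable form, and the script should `set -e` so a failed spectool does not leave sed editing stale files.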