rpms/skopeo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

skopeo-1.2.1-1.el9

Browse Source 
- ship preconfigured /etc/containers/registries.d/ files with containers-common

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2021-01-14 09:26:12 +01:00
parent c056adfab1
commit a08e52fb3b
18 changed files with 417 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
containers-auth.json.5.md
View File

@ -6,8 +6,15 @@ containers-auth.json - syntax for the registry authentication file
# DESCRIPTION
A credentials file in JSON format used to authenticate against container image registries.
On Linux it is stored at `${XDG_RUNTIME_DIR}/containers/auth.json`;
on Windows and macOS, at `$HOME/.config/containers/auth.json`
The primary (read/write) file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux;
on Windows and macOS, at `$HOME/.config/containers/auth.json`.
When searching for the credential for a registry, the following files will be read in sequence until the valid credential is found:
first reading the primary (read/write) file, or the explicit override using an option of the calling application.
If credentials are not present, search in `${XDG\_CONFIG\_HOME}/containers/auth.json`, `$HOME/.docker/config.json`, `$HOME/.dockercfg`.
Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override.
## FORMAT

41
containers-policy.json.5.md
View File

@ -177,7 +177,7 @@ One of the following alternatives are supported:
```json
{"type":"matchRepoDigestOrExact"}
```
- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifing an exact image version.
- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifying an exact image version.
```json
{"type":"matchRepository"}
@ -200,6 +200,30 @@ One of the following alternatives are supported:
"dockerRepository": docker_repository_value
}
```
- Prefix remapping:
If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix”
(otherwise it is used as unchanged and no remapping takes place);
matching then follows the `matchRepoDigestOrExact` semantics documented above
(i.e. if the image identity carries a tag, the identity in the signature must exactly match,
if it uses a digest reference, the repository must match).
The `prefix` and `signedPrefix` values can be either host[:port] values
(matching exactly the same host[:port], string),
repository namespaces, or repositories (i.e. they must not contain tags/digests),
and match as prefixes *of the fully expanded form*.
For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository,
or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`).
The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement.
```js
{
"type": "remapIdentity",
"prefix": prefix,
"signedPrefix": prefix,
}
```
If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`.
@ -260,6 +284,21 @@ selectively allow individual transports and scopes as desired.
"keyType": "GPGKeys",
"keyPath": "/path/to/reviewer-pubkey.gpg"
}
],
/* A way to mirror many repositories from a single vendor */
"private-mirror:5000/vendor-mirror": [
{ /* Require the image to be signed by the original vendor, using the vendor's repository location.
For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as
vendor.example/productA/image1:latest . */
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/path/to/vendor-pubkey.gpg",
"signedIdentity": {
"type": "remapIdentity",
"prefix": "private-mirror:5000/vendor-mirror",
"signedPrefix": "vendor.example.com",
}
}
]
}
}

69
containers-registries.conf.5.md
View File

@ -102,6 +102,75 @@ internet without having to change `Dockerfile`s, or to add redundancy).
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
to a registry; that may change in the future.
#### Short-Name Aliasing
The use of unqualified-search registries entails an ambiguity as it is
unclear from which registry a given image, referenced by a short name,
may be pulled from.
As mentioned in the note at the end of this man page, using short names is
subject to the risk of hitting squatted registry namespaces. If the
unqualified-search registries are set to `["registry1.com", "registry2.com"]`
an attacker may take over a namespace of registry1.com such that an image may
be pulled from registry1.com instead of the intended source registry2.com.
While it is highly recommended to always use fully-qualified image references,
existing deployments using short names may not be easily changed. To
circumvent the aforementioned ambiguity, so called short-name aliases can be
configured that point to a fully-qualified image
reference.
Short-name aliases can be configured in the `[aliases]` table in the form of
`"name"="value"` with the left-hand `name` being the short name (e.g., "image")
and the right-hand `value` being the fully-qualified image reference (e.g.,
"registry.com/namespace/image"). Note that neither "name" nor "value" can
include a tag or digest. Moreover, "name" must be a short name and hence
cannot include a registry domain or refer to localhost.
When pulling a short name, the configured aliases table will be used for
resolving the short name. If a matching alias is found, it will be used
without further consulting the unqualified-search registries list. If no
matching alias is found, the behavior can be controlled via the
`short-name-mode` option as described below.
Note that tags and digests are stripped off a user-specified short name for
alias resolution. Hence, "image", "image:tag" and "image@digest" all resolve
to the same alias (i.e., "image"). Stripped off tags and digests are later
appended to the resolved alias.
Further note that drop-in configuration files (see containers-registries.conf.d(5))
can override aliases in the specific loading order of the files. If the "value" of
an alias is empty (i.e., ""), the alias will be erased. However, a given
"name" may only be specified once in a single config file.
#### Short-Name Aliasing: Modes
The `short-name-mode` option supports three modes to control the behaviour of
short-name resolution.
* `enforcing`: If only one unqualified-search registry is set, use it as there
is no ambiguity. If there is more than one registry and the user program is
running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to
select one of the specified search registries. If the program is not running
in a terminal, the ambiguity cannot be resolved which will lead to an error.
* `permissive`: Behaves as enforcing but does not lead to an error if the
program is not running in a terminal. Instead, fallback to using all
unqualified-search registries.
* `disabled`: Use all unqualified-search registries without prompting.
If `short-name-mode` is not specified at all or left empty, default to the
`permissive` mode. If the user-specified short name was not aliased already,
the `enforcing` and `permissive` mode if prompted, will record a new alias
after a successful pull. Note that the recorded alias will be written to
`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear
separation between possibly human-edited registries.conf files and the
machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used
if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a
`registries.conf` file and also the machine-generated
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
#### Normalization of docker.io references
The Docker Hub `docker.io` is handled in a special way: every push and pull

6
containers-registries.d.5.md
View File

@ -61,6 +61,11 @@ more general scopes is ignored. For example, if _any_ configuration exists for
`docker.io/library/busybox`, the configuration for `docker.io` is ignored
(even if some element of the configuration is defined for `docker.io` and not for `docker.io/library/busybox`).
### Built-in Defaults
If no `docker` section can be found for the container image, and no `default-docker` section is configured,
the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures.
## Individual Configuration Sections
A single configuration section is selected for a container image using the process
@ -77,6 +82,7 @@ described above. The configuration section is a YAML mapping, with the followin
This key is optional; if it is missing, no signature storage is defined (no signatures
are download along with images, adding new signatures is possible only if `sigstore-staging` is defined).
## Examples
### Using Containers from Various Origins

2
containers-signature.5.md
View File

@ -224,7 +224,7 @@ The contents of this string is not defined in detail; however each implementatio
Consumers of container signatures MAY recognize specific values or sets of values of `optional.creator`
(perhaps augmented with `optional.timestamp`),
and MAY change their processing of the signature based on these values
(usually to acommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively),
(usually to accommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively),
as long as the semantics of the invalid document, as created by such an implementation, is clear.
If consumers of signatures do change their behavior based on the `optional.creator` value,

44
containers-storage.conf.5.md
View File

@ -27,8 +27,9 @@ No bare options are used. The format of TOML can be simplified to:
The `storage` table supports the following options:
**driver**=""
container storage driver (default: "overlay")
container storage driver
Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
This field is requiered to guarantee proper operation.
**graphroot**=""
container storage graph dir (default: "/var/lib/containers/storage")
@ -45,7 +46,7 @@ The `storage` table supports the following options:
A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS).
**runroot**=""
container storage run dir (default: "/var/run/containers/storage")
container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs.
The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)
@ -75,7 +76,7 @@ The `storage.options` table supports the following options:
remap-group = "containers"
**root-auto-userns-user**=""
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.
Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless.
**auto-userns-min-size**=1024
Auto-userns-min-size is the minimum size for a user namespace created automatically.
@ -149,7 +150,7 @@ The `storage.options.thinpool` table supports the following options for the `dev
Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page.
**size**=""
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
**use_deferred_deletion**=""
Marks thinpool device for deferred deletion. If the thinpool is in use when the driver attempts to delete it, the driver will attempt to delete device every 30 seconds until successful, or when it restarts. Deferred deletion permanently deletes the device and all data stored in the device will be lost. (default: true).
@ -167,6 +168,39 @@ The `storage.options.overlay` table supports the following options:
**ignore_chown_errors** = "false"
ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false)
**force_mask** = "0000|shared|private"
ForceMask specifies the permissions mask that is used for new files and
directories.
The values "shared" and "private" are accepted. (default: ""). Octal permission
masks are also accepted.
``: Not set
All files/directories, get set with the permissions identified within the
image.
`private`: it is equivalent to 0700.
All files/directories get set with 0700 permissions. The owner has rwx
access to the files. No other users on the system can access the files.
This setting could be used with networked based home directories.
`shared`: it is equivalent to 0755.
The owner has rwx access to the files and everyone else can read, access
and execute them. This setting is useful for sharing containers storage
with other users. For instance, a storage owned by root could be shared
to rootless users as an additional store.
NOTE: All files within the image are made readable and executable by any
user on the system. Even /etc/shadow within your image is now readable by
any user.
`OCTAL`: Users can experiment with other OCTAL Permissions.
Note: The force_mask Flag is an experimental feature, it could change in the
future. When "force_mask" is set the original permission mask is stored in the
"user.containers.override_stat" xattr and the "mount_program" option must be
specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended
attribute permissions to processes within containers rather then the
"force_mask" permissions.
**mount_program**=""
Specifies the path to a custom program to use instead of using kernel defaults
for mounting the file system. In rootless mode, without the CAP_SYS_ADMIN
@ -221,7 +255,7 @@ The semanage command above tells SELinux to setup the default labeling of `NEWST
Now all new content created in these directories will automatically be created with the correct label.
## SEE ALSO
`semanage(8)`, `restorecon(8)`, `mount(8)`
`semanage(8)`, `restorecon(8)`, `mount(8)`, `fuse-overlayfs(1)`
## FILES

99
containers.conf
View File

@ -52,36 +52,35 @@
# Options are:
# `enabled` Enable cgroup support within container
# `disabled` Disable cgroup support, will inherit cgroups from parent
# `no-conmon` Container engine runs run without conmon
# `no-conmon` Do not create a cgroup dedicated to conmon.
#
# cgroups = "enabled"
# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#
# default_capabilities = [
# "AUDIT_WRITE",
# "CHOWN",
# "DAC_OVERRIDE",
# "FOWNER",
# "FSETID",
# "KILL",
# "MKNOD",
# "NET_BIND_SERVICE",
# "NET_RAW",
# "SETGID",
# "SETPCAP",
# "SETUID",
# "SYS_CHROOT",
# ]
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT"
]
# A list of sysctls to be set in containers by default,
# specified as "name=value",
# for example:"net.ipv4.ping_group_range = 0 1000".
# for example:"net.ipv4.ping_group_range = 0 0".
#
# default_sysctls = [
# "net.ipv4.ping_group_range=0 1000",
# ]
default_sysctls = [
"net.ipv4.ping_group_range=0 0",
]
# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
@ -147,9 +146,13 @@
#
# ipcns = "private"
# Flag tells container engine to whether to use container separation using
# MAC(SELinux)labeling or not.
# Flag is ignored on label disabled systems.
# keyring tells the container engine whether to create
# a kernel keyring for use within the container.
# keyring = true
# label tells the container engine whether to use container separation using
# MAC(SELinux) labeling or not.
# The label flag is ignored on label disabled systems.
#
# label = true
@ -243,6 +246,9 @@
# network_config_dir = "/etc/cni/net.d/"
[engine]
# ImageBuildFormat indicates the default image format to building
# container images. Valid values are "oci" (default) or "docker".
# image_build_format = "oci"
# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
@ -292,7 +298,7 @@
# Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`.
#
# events_logger = "journald"
events_logger = "file"
# Path to OCI hooks directories for automatically executed hooks.
#
@ -342,6 +348,11 @@
#
# network_cmd_path=""
# Default options to pass to the slirp4netns binary.
# For example "allow_host_loopback=true"
#
# network_cmd_options=[]
# Whether to use chroot instead of pivot_root in the runtime
#
# no_pivot_root = false
@ -355,6 +366,11 @@
# Whether to pull new image before running a container
# pull_policy = "missing"
# Indicates whether the application should be running in remote mode. This flag modifies the
# --remote option on container engines. Setting the flag to true will default
# `podman --remote=true` for access to the remote Podman service.
# remote = false
# Directory for persistent engine files (database, etc)
# By default, this will be configured relative to where the containers/storage
# stores containers
@ -364,7 +380,7 @@
# Directory for temporary files. Must be tmpfs (wiped after reboot)
#
# tmp_dir = "/var/run/libpod"
# tmp_dir = "/run/libpod"
# Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage
@ -375,7 +391,7 @@
# Default OCI runtime
#
# runtime = "runc"
# runtime = "crun"
# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
@ -409,18 +425,8 @@
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"
# Paths to look for a valid OCI runtime (runc, runv, kata, etc)
# Paths to look for a valid OCI runtime (crun, runc, kata, etc)
[engine.runtimes]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# crun = [
# "/usr/bin/crun",
# "/usr/sbin/crun",
@ -431,6 +437,16 @@
# "/run/current-system/sw/bin/crun",
# ]
# runc = [
# "/usr/bin/runc",
# "/usr/sbin/runc",
# "/usr/local/bin/runc",
# "/usr/local/sbin/runc",
# "/sbin/runc",
# "/bin/runc",
# "/usr/lib/cri-o-runc/sbin/runc",
# ]
# kata = [
# "/usr/bin/kata-runtime",
# "/usr/sbin/kata-runtime",
@ -442,8 +458,11 @@
# "/usr/bin/kata-fc",
# ]
# The [engine.runtimes] table MUST be the last entry in this file.
[engine.volume_plugins]
# testplugin = "/run/podman/plugins/test.sock"
# The [engine.volume_plugins] table MUST be the last entry in this file.
# (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being
# defined, so every key hereafter will be part of [runtimes] and not the main
# config.
# defined, so every key hereafter will be part of [volume_plugins] and not the
# main config.

44
containers.conf.5.md
View File

@ -50,12 +50,14 @@ configure and manage the OCI runtime.
List of devices.
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
**apparmor_profile**="container-default"
@ -76,7 +78,7 @@ Determines whether the container will create CGroups.
Options are:
`enabled` Enable cgroup support within container
`disabled` Disable cgroup support, will inherit cgroups from parent
`no-conmon` Container engine runs run without conmon
`no-conmon` Do not create a cgroup dedicated to conmon.
**default_capabilities**=[]
@ -105,12 +107,14 @@ default_capabilities = [
A list of sysctls to be set in containers by default,
specified as "name=value".
Example:"net.ipv4.ping_group_range=0 1000".
**default_ulimits**=[]
A list of ulimits to be set in containers by default,
specified as "name=soft-limit:hard-limit".
Example: "nofile=1024:2048".
**dns_options**=[]
@ -138,7 +142,7 @@ environment variables to the container.
Pass all host environment variables into the container.
**http_proxy**=false
**http_proxy**=true
Default proxy environment variables will be passed into the container.
The environment variables passed in include:
@ -164,9 +168,14 @@ Options are:
`private` Create private IPC Namespace for the container.
`host` Share host IPC Namespace with the container.
**keyring**=true
Indicates whether the container engines create a kernel keyring for use within
the container.
**label**=true
Indicates whether the container engines use MAC(SELinux) container separation via via labeling. Flag is ignored on disabled systems.
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
**log_driver**="k8s-file"
@ -222,6 +231,7 @@ the system uses `65536k`.
Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine.
If not set, then containers will run with the time zone specified in the image.
Examples:
`tz="local"`
`tz="America/New_York"`
@ -268,6 +278,9 @@ Path to the directory where CNI configuration files are located.
## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
**image_build_format**="oci"
The default image format to building container images. Valid values are "oci" (default) or "docker".
**cgroup_check**=false
CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2.
@ -372,6 +385,12 @@ and pods are visible.
Path to the slirp4netns binary.
**network_cmd_options**=[]
Default options to pass to the slirp4netns binary.
Example "allow_host_loopback=true"
**no_pivot_root**=false
Whether to use chroot instead of pivot_root in the runtime.
@ -390,6 +409,7 @@ Name of destination for accessing the Podman service.
**[service_destinations]**
**[service_destinations.{name}]**
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
@ -411,10 +431,15 @@ Pull image before running or creating a container. The default is **missing**.
- **always**: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally.
- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.
**runtime**="crun"
**remote** = false
Indicates whether the application should be running in remote mode. This flag modifies the
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
**runtime**=""
Default OCI specific runtime in runtimes that will be used by default. Must
refer to a member of the runtimes table.
refer to a member of the runtimes table. Default runtime will be searched for
on the system using the priority: "crun", "runc", "kata".
**runtime_supports_json**=["crun", "runc", "kata"]
@ -438,7 +463,7 @@ stores containers.
Number of seconds to wait for container to exit before sending kill signal.
**tmp_dir**="/var/run/libpod"
**tmp_dir**="/run/libpod"
The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot).
@ -451,6 +476,13 @@ By default this will be configured relative to where containers/storage store
containers. This convention is followed by the default volume driver, but may
not be by other drivers.
**[engine.volume_plugins]**
A table of all the enabled volume plugins on the system. Volume plugins can be
used as the backend for Podman named volumes. Individual plugins are specified
below, as a map of the plugin name (what the plugin will be called) to its path
(filepath of the plugin's unix socket).
# FILES
**containers.conf**

14
gating.yaml
View File

@ -1,14 +0,0 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

19
seccomp.json
View File

@ -68,11 +68,16 @@
"chown",
"chown32",
"clock_adjtime",
"clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
"clock_gettime64",
"clock_nanosleep",
"clock_nanosleep_time64",
"clone",
"close",
"close_range",
"connect",
"copy_file_range",
"creat",
@ -101,7 +106,6 @@
"fchdir",
"fchmod",
"fchmodat",
"fchmodat2",
"fchown",
"fchown32",
"fchownat",
@ -224,17 +228,22 @@
"openat",
"openat2",
"pause",
"pidfd_getfd",
"pidfd_open",
"pidfd_send_signal",
"pipe",
"pipe2",
"pivot_root",
"poll",
"ppoll",
"ppoll_time64",
"prctl",
"pread64",
"preadv",
"preadv2",
"prlimit64",
"pselect6",
"pselect6_time64",
"pwrite64",
"pwritev",
"pwritev2",
@ -347,10 +356,13 @@
"timer_delete",
"timer_getoverrun",
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
"timerfd_settime",
"timerfd_settime64",
"times",
"tkill",
"truncate",
@ -365,9 +377,9 @@
"unshare",
"utime",
"utimensat",
"utimensat_time64",
"utimes",
"vfork",
"vmsplice",
"wait4",
"waitid",
"waitpid",
@ -751,7 +763,8 @@
"names": [
"settimeofday",
"stime",
"clock_settime"
"clock_settime",
"clock_settime64"
],
"action": "SCMP_ACT_ALLOW",
"args": [],

55
shortnames.conf Normal file
View File

@ -0,0 +1,55 @@
[aliases]
# centos
"centos" = "registry.centos.org/centos"
# containers
"skopeo" = "quay.io/skopeo/stable"
"buildah" = "quay.io/buildah/stable"
"podman" = "quay.io/podman/stable"
# docker
"alpine" = "docker.io/library/alpine"
"docker" = "docker.io/library/docker"
"registry" = "docker.io/library/registry"
"hello-world" = "docker.io/library/hello-world"
"swarm" = "docker.io/library/swarm"
# Fedora
"fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
"fedora" = "registry.fedoraproject.org/fedora"
# openSUSE
"opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
"opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
"opensuse/tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
"opensuse/leap" = "registry.opensuse.org/opensuse/leap"
"opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
"tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
"tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
"tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
"leap" = "registry.opensuse.org/opensuse/leap"
"tw-busybox" = "registry.opensuse.org/opensuse/busybox"
# SUSE
"suse/sle15" = "registry.suse.com/suse/sle15"
"suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
"suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
"suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
"sle15" = "registry.suse.com/suse/sle15"
"sles12sp5" = "registry.suse.com/suse/sles12sp5"
"sles12sp4" = "registry.suse.com/suse/sles12sp4"
"sles12sp3" = "registry.suse.com/suse/sles12sp3"
# Red Hat Enterprise Linux
"rhel" = "registry.access.redhat.com/rhel"
"rhel6" = "registry.access.redhat.com/rhel6"
"rhel7" = "registry.access.redhat.com/rhel7"
"ubi7" = "registry.access.redhat.com/ubi7"
"ubi7-init" = "registry.access.redhat.com/ubi7-init"
"ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
"ubi8" = "registry.access.redhat.com/ubi8"
"ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
"ubi8-init" = "registry.access.redhat.com/ubi8-init"
"ubi8-micro" = "registry.access.redhat.com/ubi8-micro"
"ubi8/ubi" = "registry.access.redhat.com/ubi8/ubi"
"ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
"ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
"ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
# Debian
"debian" = "docker.io/library/debian"
# Oracle Linux
"oraclelinux" = "container-registry.oracle.com/os/oraclelinux"

56
skopeo.spec
View File

@ -1,18 +1,13 @@
%global with_debug 1
%global with_check 0
%if 0%{?with_debug}
%global _find_debuginfo_dwz_opts %{nil}
%global _dwz_low_mem_die_limit 0
%else
%global debug_package %{nil}
%endif
%if 0%{?rhel} > 7 && ! 0%{?fedora}
%define gobuild(o:) \
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v %{?**};
%else
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v %{?**};
%endif
%global import_path github.com/containers/skopeo
@ -22,22 +17,26 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
# These vendored components must have the same version. If it is not the case,
# pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman.
%global podman_branch v2.2
%global image_branch v5.6.0
%global common_branch v0.22.0
%global storage_branch v1.23.5
%global commit0 2b4097bc13e7ba1d16a5225e2292a5cf88072f63
%global podman_branch master
%global image_branch v5.9.0
%global common_branch v0.33.0
%global storage_branch v1.24.5
%global shortnames_branch main
%global commit0 bdb117ded6d37f0a6b0a2e28ba3213c20264ab43
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
Epoch: 1
Name: skopeo
Version: 1.2.0
Release: 6%{?dist}
Version: 1.2.1
Release: 1%{?dist}
Summary: Inspect container images and repositories on registries
License: ASL 2.0
URL: %{git0}
# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
ExcludeArch: i686
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
#ExclusiveArch: %%{go_arches}
# still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4:
# https://bugzilla.redhat.com/show_bug.cgi?id=1905383
ExcludeArch: %{ix86}
%if 0%{?branch:1}
Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
%else
@ -60,6 +59,8 @@ Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/p
Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md
Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md
Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
Source18: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
BuildRequires: git
BuildRequires: golang >= 1.12.12-4
BuildRequires: go-md2man
@ -138,9 +139,10 @@ make \
DESTDIR=%{buildroot} \
SIGSTOREDIR=%{buildroot}%{_sharedstatedir}/containers/sigstore \
install
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d}
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf
install -dp %{buildroot}%{_mandir}/man5
go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
@ -150,6 +152,7 @@ go-md2man -in %{SOURCE9} -out %{buildroot}%{_mandir}/man5/containers-signature.5
go-md2man -in %{SOURCE10} -out %{buildroot}%{_mandir}/man5/containers-transports.5
go-md2man -in %{SOURCE11} -out %{buildroot}%{_mandir}/man5/containers-certs.d.5
go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries.d.5
go-md2man -in %{SOURCE18} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5
go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5
go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5
@ -166,6 +169,19 @@ ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pk
ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo
# ship preconfigured /etc/containers/registries.d/ files with containers-common - #1903813
cat <<EOF > %{buildroot}%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
docker:
registry.access.redhat.com:
sigstore: https://access.redhat.com/webassets/docker/content/sigstore
EOF
cat <<EOF > %{buildroot}%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
docker:
registry.redhat.io:
sigstore: https://registry.redhat.io/containers/sigstore
EOF
# system tests
install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
@ -186,10 +202,13 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%dir %{_sysconfdir}/containers/registries.d
%dir %{_sysconfdir}/containers/oci
%dir %{_sysconfdir}/containers/oci/hooks.d
%dir %{_sysconfdir}/containers/registries.conf.d
%config(noreplace) %{_sysconfdir}/containers/policy.json
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/storage.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/shortnames.conf
%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml
%ghost %{_sysconfdir}/containers/containers.conf
%dir %{_sharedstatedir}/containers/sigstore
%{_mandir}/man5/*
@ -214,6 +233,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test
%changelog
* Thu Jan 14 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.2.1-1
- ship preconfigured /etc/containers/registries.d/ files with containers-common
* Tue Dec 01 2020 Jindrich Novy <jnovy@redhat.com> - 1:1.2.0-6
- unify vendored branches
- add validation script

2
sources
View File

@ -1 +1 @@
a5ed58289138f56752f5d8ff5c9b836d skopeo-1.2.0-2b4097b.tar.gz
SHA512 (skopeo-1.2.1-bdb117d.tar.gz) = 42f4c649fa3c0e343f1d396165f74b2c5e8703535ce6cdd633b82aaa7f8e7a6fb84a82c87e42b1f10a0a4ed5032092a07fa87fc0aafc99b106ccb16c883089b4

39
storage.conf
View File

@ -4,11 +4,11 @@
# The "container storage" table contains all of the server options.
[storage]
# Default Storage Driver
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"
# Temporary storage location
runroot = "/var/run/containers/storage"
runroot = "/run/containers/storage"
# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"
@ -47,7 +47,7 @@ additionalimagestores = [
# remap-group = "containers"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
# to containers configured to create automatically a user namespace. Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
@ -82,6 +82,39 @@ mountopt = "nodev,metacopy=on"
# Size is used to set a maximum size of the container image.
# size = ""
# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
# "": No value specified.
# All files/directories, get set with the permissions identified within the
# image.
# "private": it is equivalent to 0700.
# All files/directories get set with 0700 permissions. The owner has rwx
# access to the files. No other users on the system can access the files.
# This setting could be used with networked based homedirs.
# "shared": it is equivalent to 0755.
# The owner has rwx access to the files and everyone else can read, access
# and execute them. This setting is useful for sharing containers storage
# with other users. For instance have a storage owned by root but shared
# to rootless users as an additional store.
# NOTE: All files within the image are made readable and executable by any
# user on the system. Even /etc/shadow within your image is now readable by
# any user.
#
# OCTAL: Users can experiment with other OCTAL Permissions.
#
# Note: The force_mask Flag is an experimental feature, it could change in the
# future. When "force_mask" is set the original permission mask is stored in
# the "user.containers.override_stat" xattr and the "mount_program" option must
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
# extended attribute permissions to processes within containers rather then the
# "force_mask" permissions.
#
# force_mask = ""
[storage.options.thinpool]
# Storage Options for thinpool

14
tests/test_skopeo.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash -e
# Log program and kernel versions
echo "Important package versions:"
(
uname -r
rpm -qa | egrep 'skopeo|podman|conmon|crun|runc|iptable|slirp|systemd' | sort
) | sed -e 's/^/ /'
# Log environment; or at least the useful bits
echo "Environment:"
env | grep -v LS_COLORS= | sort | sed -e 's/^/ /'
SKOPEO_BINARY=/usr/bin/skopeo bats /usr/share/skopeo/test/system

16
tests/test_skopeo.yml
View File

@ -1,16 +0,0 @@
---
- hosts: localhost
roles:
- role: standard-test-basic
tags:
- classic
- container
required_packages:
- bats
- skopeo
- skopeo-tests
tests:
- root-test:
dir: ./
run: ./test_skopeo.sh
timeout: 15m

1
tests/tests.yml
View File

@ -1 +0,0 @@
- import_playbook: test_skopeo.yml

9
update.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
spectool -f -g skopeo.spec
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' storage.conf
[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
"keyctl",' seccomp.json
sed -i '/\"socketcall\",/i \
"socket",' seccomp.json
sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]/g' registries.conf
sed -i 's,#.*events_logger.*=.*"journald",events_logger = "file",' containers.conf