From a9e568061a512c4310faabb90bc196a2b0a7c5be Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sat, 12 Sep 2020 07:23:40 -0400 Subject: [PATCH] Update docs and seccomp files Signed-off-by: Daniel J Walsh --- containers-policy.json.5.md | 2 +- containers-registries.d.5.md | 2 +- containers-signature.5.md | 2 +- containers-storage.conf.5.md | 2 +- containers-transports.5.md | 8 ++++++-- seccomp.json | 5 ++++- skopeo.spec | 8 +++++++- storage.conf | 2 +- 8 files changed, 22 insertions(+), 9 deletions(-) diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md index 9c6b43e..4f6d4b6 100644 --- a/containers-policy.json.5.md +++ b/containers-policy.json.5.md @@ -177,7 +177,7 @@ One of the following alternatives are supported: ```json {"type":"matchRepoDigestOrExact"} ``` -- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifing an exact image version. +- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifying an exact image version. ```json {"type":"matchRepository"} diff --git a/containers-registries.d.5.md b/containers-registries.d.5.md index 263002b..892f617 100644 --- a/containers-registries.d.5.md +++ b/containers-registries.d.5.md 
@@ -12,7 +12,7 @@ The registries configuration directory contains configuration for various regist so that the configuration does not have to be provided in command-line options over and over for every command, and so that it can be shared by all users of containers/image. -By default (unless overridden at compile-time), the registries configuration directory is `/etc/containers/registries.d`; +By default, the registries configuration directory is `$HOME/.config/containers/registries.d` if it exists, otherwise `/etc/containers/registries.d` (unless overridden at compile-time); applications may allow using a different directory instead. ## Directory Structure diff --git a/containers-signature.5.md b/containers-signature.5.md index 9f2ba93..1b18ff0 100644 --- a/containers-signature.5.md +++ b/containers-signature.5.md @@ -224,7 +224,7 @@ The contents of this string is not defined in detail; however each implementatio Consumers of container signatures MAY recognize specific values or sets of values of `optional.creator` (perhaps augmented with `optional.timestamp`), and MAY change their processing of the signature based on these values -(usually to acommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively), +(usually to accommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively), as long as the semantics of the invalid document, as created by such an implementation, is clear. If consumers of signatures do change their behavior based on the `optional.creator` value, diff --git a/containers-storage.conf.5.md b/containers-storage.conf.5.md index b229583..c527936 100644 --- a/containers-storage.conf.5.md +++ b/containers-storage.conf.5.md 
@@ -75,7 +75,7 @@ The `storage.options` table supports the following options: remap-group = "containers" **root-auto-userns-user**="" - Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless. + Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless. **auto-userns-min-size**=1024 Auto-userns-min-size is the minimum size for a user namespace created automatically. diff --git a/containers-transports.5.md b/containers-transports.5.md index 6176324..c87283f 100644 --- a/containers-transports.5.md +++ b/containers-transports.5.md 
@@ -41,10 +41,14 @@ If `name` does not contain a slash, it is treated as `docker.io/library/name`. Otherwise, the component before the first slash is checked if it is recognized as a `hostname[:port]` (i.e., it contains either a . or a :, or the component is exactly localhost). If the first component of name is not recognized as a `hostname[:port]`, `name` is treated as `docker.io/name`. -### **docker-archive:**_path[:docker-reference]_ +### **docker-archive:**_path[:{docker-reference|@source-index}]_ An image is stored in the docker-save(1) formatted file. -_docker-reference_ is only used when creating such a file, and it must not contain a digest. +_docker-reference_ must not contain a digest. +Alternatively, for reading archives, @_source-index_ is a zero-based index in archive manifest +(to access untagged images). +If neither _docker-reference_ nor @_source_index is specified when reading an archive, the archive must contain exactly one image. + It is further possible to copy data to stdin by specifying `docker-archive:/dev/stdin` but note that the used file must be seekable. ### **docker-daemon:**_docker-reference|algo:digest_ diff --git a/seccomp.json b/seccomp.json index d2cedab..9b537db 100644 --- a/seccomp.json +++ b/seccomp.json @@ -71,7 +71,7 @@ "clock_getres", "clock_gettime", "clock_nanosleep", - "clone", + "clone", "close", "connect", "copy_file_range", @@ -93,6 +93,7 @@ "exit", "exit_group", "faccessat", + "faccessat2", "fadvise64", "fadvise64_64", "fallocate", @@ -100,6 +101,7 @@ "fchdir", "fchmod", "fchmodat", + "fchmodat2", "fchown", "fchown32", "fchownat", @@ -220,6 +222,7 @@ "newfstatat", "open", "openat", + "openat2", "pause", "pipe", "pipe2", diff --git a/skopeo.spec b/skopeo.spec index 51cb7fa..1848436 100644 --- a/skopeo.spec +++ b/skopeo.spec 
@@ -46,7 +46,7 @@ Epoch: 1 Epoch: 2 %endif Version: 1.1.1 -Release: 42.dev.git%{shortcommit0}%{?dist} +Release: 43.dev.git%{shortcommit0}%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -447,6 +447,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Sat Sep 12 2020 Dan Walsh - 1:1.1.1-43.dev.git5d5756c +- update man pages +- Update seccomp rules +- Update configuration files in containers-common +- Update configuration files in containers-storage + * Fri Sep 11 19:12:27 UTC 2020 RH Container Bot - 1:1.1.1-42.dev.git45a9efb - autobuilt 45a9efb diff --git a/storage.conf b/storage.conf index 77423d3..a341e25 100644 --- a/storage.conf +++ b/storage.conf @@ -47,7 +47,7 @@ additionalimagestores = [ # remap-group = "containers" # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned +# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned # to containers configured to create automatically a user namespace. Containers # configured to automatically create a user namespace can still overlap with containers # having an explicit mapping set.
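Review bot: In containers-registries.d.5.md (hunk @@ -12,7 +12,7 @@), the rewritten sentence leaves the scope of "(unless overridden at compile-time)" ambiguous: placed after both paths, it can be read as applying to the `/etc/containers/registries.d` fallback only or to the whole lookup, including `$HOME/.config/containers/registries.d`. The preceding context line also still says the configuration "can be shared by all users of containers/image", which no longer holds once a per-user directory takes precedence when it exists. Suggest splitting the sentence into two, one for the per-user directory and one for the system default and what the compile-time override changes, and adjusting the "shared by all users" wording to match.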
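Review bot: In containers-transports.5.md (hunk @@ -41,10 +41,14 @@), the last added sentence writes `@_source_index` with an underscore in the name and no closing `_`, while the heading and the previous sentence use `source-index`; the emphasis will not render and the option name is inconsistent. Suggest `@_source-index_` there. Two smaller points in the same hunk: "a zero-based index in archive manifest" is missing an article ("in the archive manifest"), and with "is only used when creating such a file" removed, the text no longer says what _docker-reference_ selects when reading an archive, which the new "If neither ... is specified when reading an archive" sentence relies on.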
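Review bot: In seccomp.json (hunk @@ -71,7 +71,7 @@), the `"clone",` line is removed and re-added with no visible difference, so this is a whitespace-only change mixed into a functional update of the profile. Anyone auditing the diff for changes to `clone` handling has to verify that nothing else changed on that line. Suggest dropping it from this patch or putting whitespace cleanup in a separate commit.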
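Review bot: In seccomp.json (hunks @@ -93,6 +93,7 @@, @@ -100,6 +101,7 @@ and @@ -220,6 +222,7 @@), `"faccessat2"`, `"fchmodat2"` and `"openat2"` are added to the syscall list with no rationale; the commit message says only "Update docs and seccomp files" and the spec changelog only "Update seccomp rules". Each entry changes what the seccomp profile matches, so the commit message should name the three syscalls and state why they are being added next to their existing counterparts (`faccessat`, `fchmodat`, `openat`), or reference the upstream change they were synced from.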
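Review bot: In skopeo.spec (hunk @@ -447,6 +447,12 @@), the new changelog entry mixes capitalisation: "- update man pages" is lower-case while the three following items start with "Update". Suggest "- Update man pages" for consistency. The entry would also be more useful for later audits if "Update seccomp rules" listed the syscalls added in seccomp.json by this same patch.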