diff --git a/containers-registries.conf.d.5.md b/containers-registries.conf.d.5.md index 1fb079f..2d85e8b 100644 --- a/containers-registries.conf.d.5.md +++ b/containers-registries.conf.d.5.md @@ -15,7 +15,8 @@ By default, the directory is located at `/etc/containers/registries.conf.d`. Once the main configuration at `/etc/containers/registries.conf` is loaded, the files in `/etc/containers/registries.conf.d` are loaded in alpha-numerical -order. Specified fields in a config will overwrite any previous setting. Note +order. Then the conf files in `$HOME/.config/containers/registries.conf.d` are loaded in alpha-numerical order, if they exist. If the `$HOME/.config/containers/registries.conf` is loaded, only the conf files under `$HOME/.config/containers/registries.conf.d` are loaded in alpha-numerical order. +Specified fields in a conf file will overwrite any previous setting. Note that only files with the `.conf` prefix are loaded, other files and sub-directories are ignored. diff --git a/containers.conf b/containers.conf index 389479f..2d36efd 100644 --- a/containers.conf +++ b/containers.conf @@ -329,6 +329,14 @@ # Whether to pull new image before running a container # pull_policy = "missing" +# Default Remote URI to access the Podman service. +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootfull "unix://run/podman/podman.sock.(Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock +# remote_uri= "" + # Directory for persistent engine files (database, etc) # By default, this will be configured relative to where the containers/storage # stores containers @@ -364,6 +372,9 @@ # # runtime_supports_kvm = ["kata"] +# Number of seconds to wait for container to exit before sending kill signal. +# stop_timeout = 10 + # Paths to look for a valid OCI runtime (runc, runv, kata, etc) [engine.runtimes] # runc = [ @@ -397,9 +408,6 @@ # "/usr/bin/kata-fc", # ] -# Number of seconds to wait for container to exit before sending kill signal. -#stop_timeout = 10 - # The [engine.runtimes] table MUST be the last entry in this file. # (Unless another table is added) # TOML does not provide a way to end a table other than a further table being diff --git a/seccomp.json b/seccomp.json index f060bea..d2cedab 100644 --- a/seccomp.json +++ b/seccomp.json @@ -52,6 +52,8 @@ "syscalls": [ { "names": [ + "_llseek", + "_newselect", "accept", "accept4", "access", @@ -120,6 +122,8 @@ "ftruncate64", "futex", "futimesat", + "get_robust_list", + "get_thread_area", "getcpu", "getcwd", "getdents", @@ -145,12 +149,10 @@ "getresuid", "getresuid32", "getrlimit", - "get_robust_list", "getrusage", "getsid", "getsockname", "getsockopt", - "get_thread_area", "gettid", "gettimeofday", "getuid", @@ -161,15 +163,15 @@ "inotify_init1", "inotify_rm_watch", "io_cancel", - "ioctl", "io_destroy", "io_getevents", - "ioprio_get", - "ioprio_set", "io_setup", "io_submit", + "ioctl", + "ioprio_get", + "ioprio_set", "ipc", - "keyctl", + "keyctl", "kill", "lchown", "lchown32", @@ -179,7 +181,6 @@ "listen", "listxattr", "llistxattr", - "_llseek", "lremovexattr", "lseek", "lsetxattr", @@ -197,6 +198,7 @@ "mlockall", "mmap", "mmap2", + "mount", "mprotect", "mq_getsetattr", "mq_notify", @@ -213,9 +215,9 @@ "munlock", "munlockall", "munmap", + "name_to_handle_at", "nanosleep", "newfstatat", - "_newselect", "open", "openat", "pause", @@ -238,6 +240,7 @@ "readlink", "readlinkat", "readv", + "reboot", "recv", "recvfrom", "recvmmsg", @@ -257,11 +260,11 @@ "rt_sigsuspend", "rt_sigtimedwait", "rt_tgsigqueueinfo", + "sched_get_priority_max", + "sched_get_priority_min", "sched_getaffinity", "sched_getattr", "sched_getparam", - "sched_get_priority_max", - "sched_get_priority_min", "sched_getscheduler", "sched_rr_get_interval", "sched_setaffinity", @@ -281,6 +284,9 @@ "sendmmsg", "sendmsg", "sendto", + "set_robust_list", + "set_thread_area", + "set_tid_address", "setfsgid", "setfsgid32", "setfsuid", @@ -301,11 +307,8 @@ "setreuid", "setreuid32", "setrlimit", - "set_robust_list", "setsid", "setsockopt", - "set_thread_area", - "set_tid_address", "setuid", "setuid32", "setxattr", @@ -339,21 +342,24 @@ "time", "timer_create", "timer_delete", - "timerfd_create", - "timerfd_gettime", - "timerfd_settime", "timer_getoverrun", "timer_gettime", "timer_settime", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", "times", "tkill", "truncate", "truncate64", "ugetrlimit", "umask", + "umount", + "umount2", "uname", "unlink", "unlinkat", + "unshare", "utime", "utimensat", "utimes", @@ -363,12 +369,7 @@ "waitid", "waitpid", "write", - "writev", - "mount", - "umount2", - "reboot", - "name_to_handle_at", - "unshare" + "writev" ], "action": "SCMP_ACT_ALLOW", "args": [], @@ -530,8 +531,7 @@ "names": [ "s390_pci_mmio_read", "s390_pci_mmio_write", - "s390_runtime_instr", - "clone" + "s390_runtime_instr" ], "action": "SCMP_ACT_ALLOW", "args": [], @@ -748,9 +748,7 @@ "names": [ "settimeofday", "stime", - "clock_settime", - "clock_adjtime", - "adjtimex" + "clock_settime" ], "action": "SCMP_ACT_ALLOW", "args": [], @@ -775,6 +773,111 @@ ] }, "excludes": {} + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ERRNO", + "args": [ + { + "index": 0, + "value": 16, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + }, + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + }, + "errnoRet": 22 + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 16, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 2, + "value": 9, + "valueTwo": 0, + "op": "SCMP_CMP_NE" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + } + }, + { + "names": [ + "socket" + ], + "action": "SCMP_ACT_ALLOW", + "args": null, + "comment": "", + "includes": { + "caps": [ + "CAP_AUDIT_WRITE" + ] + }, + "excludes": {} } ] } diff --git a/skopeo.spec b/skopeo.spec index 19a0f1f..b8d431e 100644 --- a/skopeo.spec +++ b/skopeo.spec @@ -46,7 +46,7 @@ Epoch: 1 Epoch: 2 %endif Version: 1.1.1 -Release: 5.dev.git%{shortcommit0}%{?dist} +Release: 6.dev.git%{shortcommit0}%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -438,6 +438,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Tue Jun 30 2020 Dan Walsh - 1:1.1.1-6.dev.gitba8cbf5 +- Update configuration files in containers-common + * Fri Jun 26 2020 RH Container Bot - 1:1.1.1-5.dev.gitba8cbf5 - autobuilt ba8cbf5 diff --git a/storage.conf b/storage.conf index 6dafb34..f6eeeb1 100644 --- a/storage.conf +++ b/storage.conf @@ -67,7 +67,7 @@ additionalimagestores = [ # squashed down to the default uid in the container. These images will have no # separation between the users in the container. Only supported for the overlay # and vfs drivers. -#ignore_chown_errors = false +#ignore_chown_errors = "false" # Path to an helper program to use for mounting the file system instead of mounting it # directly. @@ -76,6 +76,9 @@ additionalimagestores = [ # mountopt specifies comma separated list of extra mount options mountopt = "nodev,metacopy=on" +# Set to skip a PRIVATE bind mount on the storage home directory. +# skip_mount_home = "false" + # Size is used to set a maximum size of the container image. # size = ""