Update registries.conf to use version 2 definitions
Update containers.conf to include latest changes Update seccomp.json to allow a few more syscalls for contaners within containers. Update storage.conf to match upstream
This commit is contained in:
parent
4ce99533d5
commit
bddf1e45dd
@ -47,6 +47,15 @@
|
|||||||
#
|
#
|
||||||
# cgroupns = "private"
|
# cgroupns = "private"
|
||||||
|
|
||||||
|
# Control container cgroup configuration
|
||||||
|
# Determines whether the container will create CGroups.
|
||||||
|
# Options are:
|
||||||
|
# `enabled` Enable cgroup support within container
|
||||||
|
# `disabled` Disable cgroup support, will inherit cgroups from parent
|
||||||
|
# `no-conmon` Container engine runs run without conmon
|
||||||
|
#
|
||||||
|
# cgroups = "enabled"
|
||||||
|
|
||||||
# List of default capabilities for containers. If it is empty or commented out,
|
# List of default capabilities for containers. If it is empty or commented out,
|
||||||
# the default capabilities defined in the container engine will be added.
|
# the default capabilities defined in the container engine will be added.
|
||||||
#
|
#
|
||||||
|
@ -9,20 +9,21 @@
|
|||||||
# Registries to search for images that are not fully-qualified.
|
# Registries to search for images that are not fully-qualified.
|
||||||
# i.e. foobar.com/my_image:latest vs my_image:latest
|
# i.e. foobar.com/my_image:latest vs my_image:latest
|
||||||
#
|
#
|
||||||
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES.
|
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
|
||||||
# Pulling an image that is not fully qualified, i.e., one that includes the
|
# We recommend always using fully qualified image names including the registry
|
||||||
# image name but does not include the registry or tag, is not recommended.
|
# server (full dns name), namespace, image name, and tag
|
||||||
# There is a risk that the image being pulled could be spoofed. An example
|
# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
|
||||||
# of this would be if a user wanted to pull an image named `foobar` from a
|
# always an inherent risk that the image being pulled could be spoofed. For
|
||||||
# registry and expect it to come from myregistry.com. If myregistry.com is
|
# example, a user wants to pull an image named `foobar` from a registry and
|
||||||
# not first in the search list, an attacker could place a different `foobar`
|
# expects it to come from myregistry.com. If myregistry.com is not first in the
|
||||||
# image at a registry earlier in the search list. Now you would accidentally
|
# search list, an attacker could place a different `foobar` image at a registry
|
||||||
# run the attackers code rather than the intended content. Registries that
|
# earlier in the search list. The user would accidentally pull and run the
|
||||||
# are added to this list should be completely controlled, i.e., not allow
|
# attacker's image and code rather than the intended content. We recommend only
|
||||||
# unknown/arbitrary users being able to create accounts with arbitrary names
|
# adding registries which are completely trusted, i.e. registries which don't
|
||||||
# to prevent an image from being spoofed, squatted or otherwise made
|
# allow unknown or anonymous users to create accounts with arbitrary names. This
|
||||||
# insecure. If it is necessary to use one of these registries, it should be
|
# will prevent an image from being spoofed, squatted or otherwise made insecure.
|
||||||
# added at the end of the list.
|
# If it is necessary to use one of these registries, it should be added at the
|
||||||
|
# end of the list.
|
||||||
#
|
#
|
||||||
# It is recommended to use fully-qualified images for pulling as the
|
# It is recommended to use fully-qualified images for pulling as the
|
||||||
# destination registry is unambiguous. Pulling by digest
|
# destination registry is unambiguous. Pulling by digest
|
||||||
@ -30,7 +31,7 @@
|
|||||||
# tags.
|
# tags.
|
||||||
|
|
||||||
[registries.search]
|
[registries.search]
|
||||||
registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
|
# registries = []
|
||||||
|
|
||||||
# Registries that do not use TLS when pulling images or uses self-signed
|
# Registries that do not use TLS when pulling images or uses self-signed
|
||||||
# certificates.
|
# certificates.
|
||||||
@ -52,7 +53,7 @@ registries = []
|
|||||||
#
|
#
|
||||||
# NOTE: Please read the note about the risk of unqualified images identified above.
|
# NOTE: Please read the note about the risk of unqualified images identified above.
|
||||||
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
||||||
# unqualified-search-registries = ["example.com"]
|
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
|
||||||
#
|
#
|
||||||
# [[registry]]
|
# [[registry]]
|
||||||
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
||||||
@ -100,5 +101,5 @@ registries = []
|
|||||||
# # Given the above, a pull of example.com/foo/image:latest will try:
|
# # Given the above, a pull of example.com/foo/image:latest will try:
|
||||||
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
|
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
|
||||||
# # 2. example-mirror-1.local/mirrors/foo/image:latest
|
# # 2. example-mirror-1.local/mirrors/foo/image:latest
|
||||||
# # 3. internal-registry-for-example.net/bar/myimage:latest
|
# # 3. internal-registry-for-example.net/bar/image:latest
|
||||||
# # in order, and use the first one that exists.
|
# # in order, and use the first one that exists.
|
||||||
|
@ -69,6 +69,7 @@
|
|||||||
"clock_getres",
|
"clock_getres",
|
||||||
"clock_gettime",
|
"clock_gettime",
|
||||||
"clock_nanosleep",
|
"clock_nanosleep",
|
||||||
|
"clone",
|
||||||
"close",
|
"close",
|
||||||
"connect",
|
"connect",
|
||||||
"copy_file_range",
|
"copy_file_range",
|
||||||
@ -168,6 +169,7 @@
|
|||||||
"io_setup",
|
"io_setup",
|
||||||
"io_submit",
|
"io_submit",
|
||||||
"ipc",
|
"ipc",
|
||||||
|
"keyctl",
|
||||||
"kill",
|
"kill",
|
||||||
"lchown",
|
"lchown",
|
||||||
"lchown32",
|
"lchown32",
|
||||||
@ -219,6 +221,7 @@
|
|||||||
"pause",
|
"pause",
|
||||||
"pipe",
|
"pipe",
|
||||||
"pipe2",
|
"pipe2",
|
||||||
|
"pivot_root",
|
||||||
"poll",
|
"poll",
|
||||||
"ppoll",
|
"ppoll",
|
||||||
"prctl",
|
"prctl",
|
||||||
|
@ -46,7 +46,7 @@ Epoch: 1
|
|||||||
Epoch: 2
|
Epoch: 2
|
||||||
%endif
|
%endif
|
||||||
Version: 0.2.0
|
Version: 0.2.0
|
||||||
Release: 0.1.dev.git%{shortcommit0}%{?dist}
|
Release: 0.2.dev.git%{shortcommit0}%{?dist}
|
||||||
Summary: Inspect container images and repositories on registries
|
Summary: Inspect container images and repositories on registries
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: %{git0}
|
URL: %{git0}
|
||||||
@ -436,6 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
|||||||
%{_datadir}/%{name}/test
|
%{_datadir}/%{name}/test
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
|
||||||
|
- Update registries.conf to use version 2 definitions
|
||||||
|
- Update containers.conf to include latest changes
|
||||||
|
- Update seccomp.json to allow a few more syscalls for contaners within containers.
|
||||||
|
- Update storage.conf to match upstream
|
||||||
|
|
||||||
* Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f
|
* Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f
|
||||||
- bump to 0.2.0
|
- bump to 0.2.0
|
||||||
- autobuilt 2415f3f
|
- autobuilt 2415f3f
|
||||||
|
24
storage.conf
24
storage.conf
@ -13,6 +13,10 @@ runroot = "/var/run/containers/storage"
|
|||||||
# Primary Read/Write location of container storage
|
# Primary Read/Write location of container storage
|
||||||
graphroot = "/var/lib/containers/storage"
|
graphroot = "/var/lib/containers/storage"
|
||||||
|
|
||||||
|
# Storage path for rootless users
|
||||||
|
#
|
||||||
|
# rootless_storage_path = "$HOME/.local/share/containers/storage"
|
||||||
|
|
||||||
[storage.options]
|
[storage.options]
|
||||||
# Storage options to be passed to underlying storage drivers
|
# Storage options to be passed to underlying storage drivers
|
||||||
|
|
||||||
@ -39,8 +43,22 @@ additionalimagestores = [
|
|||||||
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
|
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
|
||||||
# until all of the entries have been used for maps.
|
# until all of the entries have been used for maps.
|
||||||
#
|
#
|
||||||
# remap-user = "storage"
|
# remap-user = "containers"
|
||||||
# remap-group = "storage"
|
# remap-group = "containers"
|
||||||
|
|
||||||
|
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
|
||||||
|
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned
|
||||||
|
# to containers configured to create automatically a user namespace. Containers
|
||||||
|
# configured to automatically create a user namespace can still overlap with containers
|
||||||
|
# having an explicit mapping set.
|
||||||
|
# This setting is ignored when running as rootless.
|
||||||
|
# root-auto-userns-user = "storage"
|
||||||
|
#
|
||||||
|
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
|
||||||
|
# auto-userns-min-size=1024
|
||||||
|
#
|
||||||
|
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
|
||||||
|
# auto-userns-max-size=65536
|
||||||
|
|
||||||
[storage.options.overlay]
|
[storage.options.overlay]
|
||||||
# ignore_chown_errors can be set to allow a non privileged user running with
|
# ignore_chown_errors can be set to allow a non privileged user running with
|
||||||
@ -107,7 +125,7 @@ mountopt = "nodev,metacopy=on"
|
|||||||
# Value 0% disables
|
# Value 0% disables
|
||||||
# min_free_space = "10%"
|
# min_free_space = "10%"
|
||||||
|
|
||||||
# mkfsarg specifies extra mkfs arguments to be used when creating the base.
|
# mkfsarg specifies extra mkfs arguments to be used when creating the base
|
||||||
# device.
|
# device.
|
||||||
# mkfsarg = ""
|
# mkfsarg = ""
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user