Update registries.conf to use version 2 definitions

Update containers.conf to include latest changes
Update seccomp.json to allow a few more syscalls for contaners within containers.
Update storage.conf to match upstream
This commit is contained in:
Daniel J Walsh 2020-04-24 07:16:30 -04:00
parent 4ce99533d5
commit bddf1e45dd
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
5 changed files with 59 additions and 22 deletions

View File

@ -47,6 +47,15 @@
# #
# cgroupns = "private" # cgroupns = "private"
# Control container cgroup configuration
# Determines whether the container will create CGroups.
# Options are:
# `enabled` Enable cgroup support within container
# `disabled` Disable cgroup support, will inherit cgroups from parent
# `no-conmon` Container engine runs run without conmon
#
# cgroups = "enabled"
# List of default capabilities for containers. If it is empty or commented out, # List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added. # the default capabilities defined in the container engine will be added.
# #

View File

@ -9,20 +9,21 @@
# Registries to search for images that are not fully-qualified. # Registries to search for images that are not fully-qualified.
# i.e. foobar.com/my_image:latest vs my_image:latest # i.e. foobar.com/my_image:latest vs my_image:latest
# #
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES. # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# Pulling an image that is not fully qualified, i.e., one that includes the # We recommend always using fully qualified image names including the registry
# image name but does not include the registry or tag, is not recommended. # server (full dns name), namespace, image name, and tag
# There is a risk that the image being pulled could be spoofed. An example # (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
# of this would be if a user wanted to pull an image named `foobar` from a # always an inherent risk that the image being pulled could be spoofed. For
# registry and expect it to come from myregistry.com. If myregistry.com is # example, a user wants to pull an image named `foobar` from a registry and
# not first in the search list, an attacker could place a different `foobar` # expects it to come from myregistry.com. If myregistry.com is not first in the
# image at a registry earlier in the search list. Now you would accidentally # search list, an attacker could place a different `foobar` image at a registry
# run the attackers code rather than the intended content. Registries that # earlier in the search list. The user would accidentally pull and run the
# are added to this list should be completely controlled, i.e., not allow # attacker's image and code rather than the intended content. We recommend only
# unknown/arbitrary users being able to create accounts with arbitrary names # adding registries which are completely trusted, i.e. registries which don't
# to prevent an image from being spoofed, squatted or otherwise made # allow unknown or anonymous users to create accounts with arbitrary names. This
# insecure. If it is necessary to use one of these registries, it should be # will prevent an image from being spoofed, squatted or otherwise made insecure.
# added at the end of the list. # If it is necessary to use one of these registries, it should be added at the
# end of the list.
# #
# It is recommended to use fully-qualified images for pulling as the # It is recommended to use fully-qualified images for pulling as the
# destination registry is unambiguous. Pulling by digest # destination registry is unambiguous. Pulling by digest
@ -30,7 +31,7 @@
# tags. # tags.
[registries.search] [registries.search]
registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io'] # registries = []
# Registries that do not use TLS when pulling images or uses self-signed # Registries that do not use TLS when pulling images or uses self-signed
# certificates. # certificates.
@ -52,7 +53,7 @@ registries = []
# #
# NOTE: Please read the note about the risk of unqualified images identified above. # NOTE: Please read the note about the risk of unqualified images identified above.
# # An array of host[:port] registries to try when pulling an unqualified image, in order. # # An array of host[:port] registries to try when pulling an unqualified image, in order.
# unqualified-search-registries = ["example.com"] unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
# #
# [[registry]] # [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
@ -100,5 +101,5 @@ registries = []
# # Given the above, a pull of example.com/foo/image:latest will try: # # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/myimage:latest # # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists. # # in order, and use the first one that exists.

View File

@ -69,6 +69,7 @@
"clock_getres", "clock_getres",
"clock_gettime", "clock_gettime",
"clock_nanosleep", "clock_nanosleep",
"clone",
"close", "close",
"connect", "connect",
"copy_file_range", "copy_file_range",
@ -168,6 +169,7 @@
"io_setup", "io_setup",
"io_submit", "io_submit",
"ipc", "ipc",
"keyctl",
"kill", "kill",
"lchown", "lchown",
"lchown32", "lchown32",
@ -219,6 +221,7 @@
"pause", "pause",
"pipe", "pipe",
"pipe2", "pipe2",
"pivot_root",
"poll", "poll",
"ppoll", "ppoll",
"prctl", "prctl",

View File

@ -46,7 +46,7 @@ Epoch: 1
Epoch: 2 Epoch: 2
%endif %endif
Version: 0.2.0 Version: 0.2.0
Release: 0.1.dev.git%{shortcommit0}%{?dist} Release: 0.2.dev.git%{shortcommit0}%{?dist}
Summary: Inspect container images and repositories on registries Summary: Inspect container images and repositories on registries
License: ASL 2.0 License: ASL 2.0
URL: %{git0} URL: %{git0}
@ -436,6 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test %{_datadir}/%{name}/test
%changelog %changelog
* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
- Update registries.conf to use version 2 definitions
- Update containers.conf to include latest changes
- Update seccomp.json to allow a few more syscalls for contaners within containers.
- Update storage.conf to match upstream
* Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f * Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f
- bump to 0.2.0 - bump to 0.2.0
- autobuilt 2415f3f - autobuilt 2415f3f

View File

@ -13,6 +13,10 @@ runroot = "/var/run/containers/storage"
# Primary Read/Write location of container storage # Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage" graphroot = "/var/lib/containers/storage"
# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"
[storage.options] [storage.options]
# Storage options to be passed to underlying storage drivers # Storage options to be passed to underlying storage drivers
@ -39,8 +43,22 @@ additionalimagestores = [
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, # lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps. # until all of the entries have been used for maps.
# #
# remap-user = "storage" # remap-user = "containers"
# remap-group = "storage" # remap-group = "containers"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned
# to containers configured to create automatically a user namespace. Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536
[storage.options.overlay] [storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with # ignore_chown_errors can be set to allow a non privileged user running with
@ -107,7 +125,7 @@ mountopt = "nodev,metacopy=on"
# Value 0% disables # Value 0% disables
# min_free_space = "10%" # min_free_space = "10%"
# mkfsarg specifies extra mkfs arguments to be used when creating the base. # mkfsarg specifies extra mkfs arguments to be used when creating the base
# device. # device.
# mkfsarg = "" # mkfsarg = ""