Update registries.conf to use version 2 definitions

Update containers.conf to include latest changes
Update seccomp.json to allow a few more syscalls for contaners within containers.
Update storage.conf to match upstream
This commit is contained in:
Daniel J Walsh 2020-04-24 07:16:30 -04:00
parent 4ce99533d5
commit bddf1e45dd
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
5 changed files with 59 additions and 22 deletions

View File

@ -47,6 +47,15 @@
#
# cgroupns = "private"
# Control container cgroup configuration
# Determines whether the container will create CGroups.
# Options are:
# `enabled` Enable cgroup support within container
# `disabled` Disable cgroup support, will inherit cgroups from parent
# `no-conmon` Container engine runs run without conmon
#
# cgroups = "enabled"
# List of default capabilities for containers. If it is empty or commented out,
# the default capabilities defined in the container engine will be added.
#

View File

@ -9,20 +9,21 @@
# Registries to search for images that are not fully-qualified.
# i.e. foobar.com/my_image:latest vs my_image:latest
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES.
# Pulling an image that is not fully qualified, i.e., one that includes the
# image name but does not include the registry or tag, is not recommended.
# There is a risk that the image being pulled could be spoofed. An example
# of this would be if a user wanted to pull an image named `foobar` from a
# registry and expect it to come from myregistry.com. If myregistry.com is
# not first in the search list, an attacker could place a different `foobar`
# image at a registry earlier in the search list. Now you would accidentally
# run the attackers code rather than the intended content. Registries that
# are added to this list should be completely controlled, i.e., not allow
# unknown/arbitrary users being able to create accounts with arbitrary names
# to prevent an image from being spoofed, squatted or otherwise made
# insecure. If it is necessary to use one of these registries, it should be
# added at the end of the list.
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# We recommend always using fully qualified image names including the registry
# server (full dns name), namespace, image name, and tag
# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
# always an inherent risk that the image being pulled could be spoofed. For
# example, a user wants to pull an image named `foobar` from a registry and
# expects it to come from myregistry.com. If myregistry.com is not first in the
# search list, an attacker could place a different `foobar` image at a registry
# earlier in the search list. The user would accidentally pull and run the
# attacker's image and code rather than the intended content. We recommend only
# adding registries which are completely trusted, i.e. registries which don't
# allow unknown or anonymous users to create accounts with arbitrary names. This
# will prevent an image from being spoofed, squatted or otherwise made insecure.
# If it is necessary to use one of these registries, it should be added at the
# end of the list.
#
# It is recommended to use fully-qualified images for pulling as the
# destination registry is unambiguous. Pulling by digest
@ -30,7 +31,7 @@
# tags.
[registries.search]
registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
# registries = []
# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
@ -52,7 +53,7 @@ registries = []
#
# NOTE: Please read the note about the risk of unqualified images identified above.
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
# unqualified-search-registries = ["example.com"]
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
@ -100,5 +101,5 @@ registries = []
# # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/myimage:latest
# # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists.

View File

@ -69,6 +69,7 @@
"clock_getres",
"clock_gettime",
"clock_nanosleep",
"clone",
"close",
"connect",
"copy_file_range",
@ -168,6 +169,7 @@
"io_setup",
"io_submit",
"ipc",
"keyctl",
"kill",
"lchown",
"lchown32",
@ -219,6 +221,7 @@
"pause",
"pipe",
"pipe2",
"pivot_root",
"poll",
"ppoll",
"prctl",

View File

@ -46,7 +46,7 @@ Epoch: 1
Epoch: 2
%endif
Version: 0.2.0
Release: 0.1.dev.git%{shortcommit0}%{?dist}
Release: 0.2.dev.git%{shortcommit0}%{?dist}
Summary: Inspect container images and repositories on registries
License: ASL 2.0
URL: %{git0}
@ -436,6 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test
%changelog
* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
- Update registries.conf to use version 2 definitions
- Update containers.conf to include latest changes
- Update seccomp.json to allow a few more syscalls for contaners within containers.
- Update storage.conf to match upstream
* Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f
- bump to 0.2.0
- autobuilt 2415f3f

View File

@ -13,6 +13,10 @@ runroot = "/var/run/containers/storage"
# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"
# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"
[storage.options]
# Storage options to be passed to underlying storage drivers
@ -39,8 +43,22 @@ additionalimagestores = [
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "storage"
# remap-group = "storage"
# remap-user = "containers"
# remap-group = "containers"
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned
# to containers configured to create automatically a user namespace. Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536
[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
@ -107,7 +125,7 @@ mountopt = "nodev,metacopy=on"
# Value 0% disables
# min_free_space = "10%"
# mkfsarg specifies extra mkfs arguments to be used when creating the base.
# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""