Update registries.conf to use version 2 definitions
Update containers.conf to include latest changes Update seccomp.json to allow a few more syscalls for contaners within containers. Update storage.conf to match upstream
This commit is contained in:
parent
4ce99533d5
commit
bddf1e45dd
@ -47,6 +47,15 @@
|
||||
#
|
||||
# cgroupns = "private"
|
||||
|
||||
# Control container cgroup configuration
|
||||
# Determines whether the container will create CGroups.
|
||||
# Options are:
|
||||
# `enabled` Enable cgroup support within container
|
||||
# `disabled` Disable cgroup support, will inherit cgroups from parent
|
||||
# `no-conmon` Container engine runs run without conmon
|
||||
#
|
||||
# cgroups = "enabled"
|
||||
|
||||
# List of default capabilities for containers. If it is empty or commented out,
|
||||
# the default capabilities defined in the container engine will be added.
|
||||
#
|
||||
|
@ -9,20 +9,21 @@
|
||||
# Registries to search for images that are not fully-qualified.
|
||||
# i.e. foobar.com/my_image:latest vs my_image:latest
|
||||
#
|
||||
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES.
|
||||
# Pulling an image that is not fully qualified, i.e., one that includes the
|
||||
# image name but does not include the registry or tag, is not recommended.
|
||||
# There is a risk that the image being pulled could be spoofed. An example
|
||||
# of this would be if a user wanted to pull an image named `foobar` from a
|
||||
# registry and expect it to come from myregistry.com. If myregistry.com is
|
||||
# not first in the search list, an attacker could place a different `foobar`
|
||||
# image at a registry earlier in the search list. Now you would accidentally
|
||||
# run the attackers code rather than the intended content. Registries that
|
||||
# are added to this list should be completely controlled, i.e., not allow
|
||||
# unknown/arbitrary users being able to create accounts with arbitrary names
|
||||
# to prevent an image from being spoofed, squatted or otherwise made
|
||||
# insecure. If it is necessary to use one of these registries, it should be
|
||||
# added at the end of the list.
|
||||
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
|
||||
# We recommend always using fully qualified image names including the registry
|
||||
# server (full dns name), namespace, image name, and tag
|
||||
# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
|
||||
# always an inherent risk that the image being pulled could be spoofed. For
|
||||
# example, a user wants to pull an image named `foobar` from a registry and
|
||||
# expects it to come from myregistry.com. If myregistry.com is not first in the
|
||||
# search list, an attacker could place a different `foobar` image at a registry
|
||||
# earlier in the search list. The user would accidentally pull and run the
|
||||
# attacker's image and code rather than the intended content. We recommend only
|
||||
# adding registries which are completely trusted, i.e. registries which don't
|
||||
# allow unknown or anonymous users to create accounts with arbitrary names. This
|
||||
# will prevent an image from being spoofed, squatted or otherwise made insecure.
|
||||
# If it is necessary to use one of these registries, it should be added at the
|
||||
# end of the list.
|
||||
#
|
||||
# It is recommended to use fully-qualified images for pulling as the
|
||||
# destination registry is unambiguous. Pulling by digest
|
||||
@ -30,7 +31,7 @@
|
||||
# tags.
|
||||
|
||||
[registries.search]
|
||||
registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
|
||||
# registries = []
|
||||
|
||||
# Registries that do not use TLS when pulling images or uses self-signed
|
||||
# certificates.
|
||||
@ -52,7 +53,7 @@ registries = []
|
||||
#
|
||||
# NOTE: Please read the note about the risk of unqualified images identified above.
|
||||
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
||||
# unqualified-search-registries = ["example.com"]
|
||||
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
|
||||
#
|
||||
# [[registry]]
|
||||
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
||||
@ -100,5 +101,5 @@ registries = []
|
||||
# # Given the above, a pull of example.com/foo/image:latest will try:
|
||||
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
|
||||
# # 2. example-mirror-1.local/mirrors/foo/image:latest
|
||||
# # 3. internal-registry-for-example.net/bar/myimage:latest
|
||||
# # 3. internal-registry-for-example.net/bar/image:latest
|
||||
# # in order, and use the first one that exists.
|
||||
|
@ -69,6 +69,7 @@
|
||||
"clock_getres",
|
||||
"clock_gettime",
|
||||
"clock_nanosleep",
|
||||
"clone",
|
||||
"close",
|
||||
"connect",
|
||||
"copy_file_range",
|
||||
@ -168,6 +169,7 @@
|
||||
"io_setup",
|
||||
"io_submit",
|
||||
"ipc",
|
||||
"keyctl",
|
||||
"kill",
|
||||
"lchown",
|
||||
"lchown32",
|
||||
@ -219,6 +221,7 @@
|
||||
"pause",
|
||||
"pipe",
|
||||
"pipe2",
|
||||
"pivot_root",
|
||||
"poll",
|
||||
"ppoll",
|
||||
"prctl",
|
||||
|
@ -46,7 +46,7 @@ Epoch: 1
|
||||
Epoch: 2
|
||||
%endif
|
||||
Version: 0.2.0
|
||||
Release: 0.1.dev.git%{shortcommit0}%{?dist}
|
||||
Release: 0.2.dev.git%{shortcommit0}%{?dist}
|
||||
Summary: Inspect container images and repositories on registries
|
||||
License: ASL 2.0
|
||||
URL: %{git0}
|
||||
@ -436,6 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%{_datadir}/%{name}/test
|
||||
|
||||
%changelog
|
||||
* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
|
||||
- Update registries.conf to use version 2 definitions
|
||||
- Update containers.conf to include latest changes
|
||||
- Update seccomp.json to allow a few more syscalls for contaners within containers.
|
||||
- Update storage.conf to match upstream
|
||||
|
||||
* Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f
|
||||
- bump to 0.2.0
|
||||
- autobuilt 2415f3f
|
||||
|
24
storage.conf
24
storage.conf
@ -13,6 +13,10 @@ runroot = "/var/run/containers/storage"
|
||||
# Primary Read/Write location of container storage
|
||||
graphroot = "/var/lib/containers/storage"
|
||||
|
||||
# Storage path for rootless users
|
||||
#
|
||||
# rootless_storage_path = "$HOME/.local/share/containers/storage"
|
||||
|
||||
[storage.options]
|
||||
# Storage options to be passed to underlying storage drivers
|
||||
|
||||
@ -39,8 +43,22 @@ additionalimagestores = [
|
||||
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
|
||||
# until all of the entries have been used for maps.
|
||||
#
|
||||
# remap-user = "storage"
|
||||
# remap-group = "storage"
|
||||
# remap-user = "containers"
|
||||
# remap-group = "containers"
|
||||
|
||||
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
|
||||
# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned
|
||||
# to containers configured to create automatically a user namespace. Containers
|
||||
# configured to automatically create a user namespace can still overlap with containers
|
||||
# having an explicit mapping set.
|
||||
# This setting is ignored when running as rootless.
|
||||
# root-auto-userns-user = "storage"
|
||||
#
|
||||
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
|
||||
# auto-userns-min-size=1024
|
||||
#
|
||||
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
|
||||
# auto-userns-max-size=65536
|
||||
|
||||
[storage.options.overlay]
|
||||
# ignore_chown_errors can be set to allow a non privileged user running with
|
||||
@ -107,7 +125,7 @@ mountopt = "nodev,metacopy=on"
|
||||
# Value 0% disables
|
||||
# min_free_space = "10%"
|
||||
|
||||
# mkfsarg specifies extra mkfs arguments to be used when creating the base.
|
||||
# mkfsarg specifies extra mkfs arguments to be used when creating the base
|
||||
# device.
|
||||
# mkfsarg = ""
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user