Update registries.conf to use version 2 definitions

Update containers.conf to include latest changes Update seccomp.json to allow a few more syscalls for contaners within containers. Update storage.conf to match upstream
2020-04-24 07:16:30 -04:00 · 2020-04-24 07:16:30 -04:00 · bddf1e45dd
commit bddf1e45dd
parent 4ce99533d5
5 changed files with 59 additions and 22 deletions
--- a/containers.conf
+++ b/containers.conf
@ -47,6 +47,15 @@
 #
 # cgroupns = "private"

+# Control container cgroup configuration
+# Determines  whether  the  container will create CGroups.
+# Options are:
+# `enabled`   Enable cgroup support within container
+# `disabled`  Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Container engine runs run without conmon
+#
+# cgroups = "enabled"
+
 # List of default capabilities for containers. If it is empty or commented out,
 # the default capabilities defined in the container engine will be added.
 #
--- a/registries.conf
+++ b/registries.conf
@ -9,20 +9,21 @@
 # Registries to search for images that are not fully-qualified.
 # i.e. foobar.com/my_image:latest vs my_image:latest
 #
-# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES.
-# Pulling an image that is not fully qualified, i.e., one that includes the
-# image name but does not include the registry or  tag, is not recommended.
-# There is a risk that the image being pulled could be spoofed. An example
-# of this would be if a user wanted to pull an image named `foobar` from a
-# registry and expect it to come from myregistry.com.  If myregistry.com is
-# not first in the search list, an attacker could place a different `foobar`
-# image at a registry earlier in the search list.  Now you would accidentally
-# run the attackers code rather than the intended content. Registries that
-# are added to this list should be completely controlled, i.e., not allow
-# unknown/arbitrary users being able to create accounts with arbitrary names
-# to prevent an image from being spoofed, squatted or otherwise made
-# insecure.  If it is necessary to use one of these registries, it should be
-# added at the end of the list.
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
+# always an inherent risk that the image being pulled could be spoofed. For
+# example, a user wants to pull an image named `foobar` from a registry and
+# expects it to come from myregistry.com. If myregistry.com is not first in the
+# search list, an attacker could place a different `foobar` image at a registry
+# earlier in the search list. The user would accidentally pull and run the
+# attacker's image and code rather than the intended content. We recommend only
+# adding registries which are completely trusted, i.e. registries which don't
+# allow unknown or anonymous users to create accounts with arbitrary names. This
+# will prevent an image from being spoofed, squatted or otherwise made insecure.
+# If it is necessary to use one of these registries, it should be added at the
+# end of the list.
 #
 # It is recommended to use fully-qualified images for pulling as the
 # destination registry is unambiguous. Pulling by digest
@ -30,7 +31,7 @@
 # tags.

 [registries.search]
-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
+# registries = []

 # Registries that do not use TLS when pulling images or uses self-signed
 # certificates.
@ -52,7 +53,7 @@ registries = []
 #
 # NOTE: Please read the note about the risk of unqualified images identified above.
 # # An array of host[:port] registries to try when pulling an unqualified image, in order.
-# unqualified-search-registries = ["example.com"]
+unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
 #
 # [[registry]]
 # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
@ -100,5 +101,5 @@ registries = []
 # # Given the above, a pull of example.com/foo/image:latest will try:
 # # 1. example-mirror-0.local/mirror-for-foo/image:latest
 # # 2. example-mirror-1.local/mirrors/foo/image:latest
-# # 3. internal-registry-for-example.net/bar/myimage:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
 # # in order, and use the first one that exists.
--- a/seccomp.json
+++ b/seccomp.json
@ -69,6 +69,7 @@
 				"clock_getres",
 				"clock_gettime",
 				"clock_nanosleep",
+			        "clone",
 				"close",
 				"connect",
 				"copy_file_range",
@ -168,6 +169,7 @@
 				"io_setup",
 				"io_submit",
 				"ipc",
+   			        "keyctl",
 				"kill",
 				"lchown",
 				"lchown32",
@ -219,6 +221,7 @@
 				"pause",
 				"pipe",
 				"pipe2",
+				"pivot_root",
 				"poll",
 				"ppoll",
 				"prctl",
--- a/skopeo.spec
+++ b/skopeo.spec
@ -46,7 +46,7 @@ Epoch: 1
 Epoch: 2
 %endif
 Version: 0.2.0
-Release: 0.1.dev.git%{shortcommit0}%{?dist}
+Release: 0.2.dev.git%{shortcommit0}%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@ -436,6 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test

 %changelog
+* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
+- Update registries.conf to use version 2 definitions
+- Update containers.conf to include latest changes
+- Update seccomp.json to allow a few more syscalls for contaners within containers.
+- Update storage.conf to match upstream
+
 * Thu Apr 09 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.1.dev.git2415f3f
 - bump to 0.2.0
 - autobuilt 2415f3f
--- a/storage.conf
+++ b/storage.conf
@ -13,6 +13,10 @@ runroot = "/var/run/containers/storage"
 # Primary Read/Write location of container storage
 graphroot = "/var/lib/containers/storage"

+# Storage path for rootless users
+#
+# rootless_storage_path = "$HOME/.local/share/containers/storage"
+
 [storage.options]
 # Storage options to be passed to underlying storage drivers

@ -39,8 +43,22 @@ additionalimagestores = [
 # lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
 # until all of the entries have been used for maps.
 #
-# remap-user = "storage"
-# remap-group = "storage"
+# remap-user = "containers"
+# remap-group = "containers"
+
+# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partioned
+# to containers configured to create automatically a user namespace.  Containers
+# configured to automatically create a user namespace can still overlap with containers
+# having an explicit mapping set.
+# This setting is ignored when running as rootless.
+# root-auto-userns-user = "storage"
+#
+# Auto-userns-min-size is the minimum size for a user namespace created automatically.
+# auto-userns-min-size=1024
+#
+# Auto-userns-max-size is the minimum size for a user namespace created automatically.
+# auto-userns-max-size=65536

 [storage.options.overlay]
 # ignore_chown_errors can be set to allow a non privileged user running with
@ -107,7 +125,7 @@ mountopt = "nodev,metacopy=on"
 # Value 0% disables
 # min_free_space = "10%"

-# mkfsarg specifies extra mkfs arguments to be used when creating the base.
+# mkfsarg specifies extra mkfs arguments to be used when creating the base
 # device.
 # mkfsarg = ""

@ -115,7 +133,7 @@ mountopt = "nodev,metacopy=on"
 # size = ""

 # use_deferred_removal marks devicemapper block device for deferred removal.
-# If the thinpool is in use when the driver attempts to remove it, the driver 
+# If the thinpool is in use when the driver attempts to remove it, the driver
 # tells the kernel to remove it as soon as possible. Note this does not free
 # up the disk space, use deferred deletion to fully remove the thinpool.
 # use_deferred_removal = "True"