skopeo-1.3.0-3.el9

- update to new versions of vendored components - fail is there is an issue in communication with Pyxis API - understand devel branch in update.sh script, use pkg wrapper - sync with Pyxis - use containers-mounts.conf.5.md from containers/common - Related: #1970747 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2021-06-14 10:46:08 +02:00 · 2021-06-14 10:46:08 +02:00 · f340c8ed1c
commit f340c8ed1c
parent 7a89be9c52
19 changed files with 1482 additions and 1227 deletions
--- a/001-rhel-shortnames-pyxis.conf
+++ b/001-rhel-shortnames-pyxis.conf
--- a/002-rhel-shortnames-overrides.conf
+++ b/002-rhel-shortnames-overrides.conf
@ -0,0 +1,8 @@
 [aliases]
 "skopeo"  = "registry.access.redhat.com/ubi8/skopeo"
 "ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
 "buildah" = "registry.access.redhat.com/ubi8/buildah"
 "ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
 "podman" = "registry.access.redhat.com/ubi8/podman"
 "ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
 "rhel8/podman" = "registry.redhat.io/rhel8/podman"
--- a/containers-certs.d.5.md
+++ b/containers-certs.d.5.md
@ -15,7 +15,7 @@ A certs directory can contain one or more files with the following extensions:
 * `*.key`  files with this extensions will be interpreted as client keys
 Note that the client certificate-key pair will be selected by the file name (e.g., `client.{cert,key}`).
-An examplary setup for a registry running at `my-registry.com:5000` may look as follows:
+An exemplary setup for a registry running at `my-registry.com:5000` may look as follows:
 ```
 /etc/containers/certs.d/    <- Certificate directory
 └── my-registry.com:5000    <- Hostname:port
--- a/containers-mounts.conf.5.md
+++ b/containers-mounts.conf.5.md
@ -1,16 +0,0 @@
 % containers-mounts.conf(5)
 ## NAME
 containers-mounts.conf - configuration file for default mounts in containers
 ## DESCRIPTION
 The mounts.conf file specifies volume mount directories that are automatically mounted inside containers. Container processes can then use this content. Usually these directories are used for passing secrets or credentials required by the package software to access remote package repositories. Note that for security reasons, tools adhering to the mounts.conf are expected to copy the contents instead of bind mounting the paths from the host.
 ## FORMAT
 The format of the mounts.conf is the volume format `/SRC:/DEST`, one mount per line. For example, a mounts.conf with the line `/usr/share/secrets:/run/secrets` would cause the contents of the `/usr/share/secrets` directory on the host to be mounted on the `/run/secrets` directory inside the container. Setting mountpoints allows containers to use the files of the host, for instance, to use the host's subscription to some enterprise Linux distribution.
 ## FILES
 Some distributions may provide a `/usr/share/containers/mounts.conf` file to provide default mounts, but users can create a `/etc/containers/mounts.conf`, to specify their own special volumes to mount in the container. When Podman runs in rootless mode, the file `$HOME/.config/containers/mounts.conf` will override the default if it exists.
 ## HISTORY
 Aug 2018, Originally compiled by Valentin Rothberg <vrothberg@suse.com>
--- a/containers-policy.json.5.md
+++ b/containers-policy.json.5.md
@ -114,7 +114,7 @@ Scopes are ignored.
 Using the mechanisms above, a set of policy requirements is looked up.  The policy requirements
 are represented as a JSON array of individual requirement objects.  For an image to be accepted,
-*all* of the requirements must be satisfied simulatenously.
+*all* of the requirements must be satisfied simultaneously.
 The policy requirements can also be used to decide whether an individual signature is accepted (= is signed by a recognized key of a known author);
 in that case some requirements may apply only to some signatures, but each signature must be accepted by *at least one* requirement object.
--- a/containers-registries.conf.5.md
+++ b/containers-registries.conf.5.md
@ -16,6 +16,9 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
 `unqualified-search-registries`
 : An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.
 `credential-helpers`
 : An array of default credential helpers used as external credential stores.  Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5).  The credential helpers are set to `["containers-auth.json"]` if none are specified.
 ### NAMESPACED `[[registry]]` SETTINGS
 The bulk of the configuration is represented as an array of `[[registry]]`
@ -26,16 +29,20 @@ as well as among different namespaces/repositories within a registry.
 Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
-`prefix`
+`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
-: A prefix of the user-specified image name, i.e. using one of the following formats:
+  - _host_[`:`_port_]
-    - _host_[`:`_port_]
+  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
-    - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
+  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
-    - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
+  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
-    - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
+  - [`*.`]_host_
    The user-specified image name must start with the specified `prefix` (and continue
    with the appropriate separator) for a particular `[[registry]]` TOML table to be
-    considered; (only) the TOML table with the longest match is used.
+    considered; (only) the TOML table with the longest match is used. It can
    also include wildcarded subdomains in the format `*.example.com` along as mentioned
    above. The wildcard should only be present at the beginning as shown in the formats
    above. Other cases will not work. For example, `*.example.com` is valid but
    `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
    As a special case, the `prefix` field can be missing; if so, it defaults to the value
    of the `location` field (described below).
@ -75,6 +82,19 @@ internet without having to change `Dockerfile`s, or to add redundancy).
    requests for the image `example.com/foo/myimage:latest` will actually work with the
    `internal-registry-for-example.net/bar/myimage:latest` image.
    With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
    the location can be empty. In such a case,
    prefix matching will occur, but no reference rewrite will occur. The
    original requested image string will be used as-is. But other settings like
    `insecure` / `blocked` / `mirrors` will be applied to matching images.
    Example: Given
    ```
    prefix = "*.example.com"
    ```
    requests for the image `blah.example.com/foo/myimage:latest` will be used
    as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
 `mirror`
 : An array of TOML tables specifying (possibly-partial) mirrors for the
    `prefix`-rooted namespace.
@ -271,7 +291,7 @@ the destination registry is unambiguous. Pulling by digest
 tags.
 # SEE ALSO
-  containers-certs.d(5)
+ containers-auth.json(5) containers-certs.d(5)
 # HISTORY
 Dec 2019, Warning added for unqualified image names by Tom Sweeney <tsweeney@redhat.com>
--- a/containers-registries.conf.d.5.md
+++ b/containers-registries.conf.d.5.md
@ -17,7 +17,7 @@ Once the main configuration at `/etc/containers/registries.conf` is loaded, the
 files in `/etc/containers/registries.conf.d` are loaded in alpha-numerical
 order. Then the conf files in `$HOME/.config/containers/registries.conf.d` are loaded in alpha-numerical order, if they exist. If the `$HOME/.config/containers/registries.conf` is loaded, only the conf files under `$HOME/.config/containers/registries.conf.d` are loaded in alpha-numerical order.
 Specified fields in a conf file will overwrite any previous setting.  Note
-that only files with the `.conf` prefix are loaded, other files and
+that only files with the `.conf` suffix are loaded, other files and
 sub-directories are ignored.
 For instance, setting the `unqualified-search-registries` in
--- a/containers-storage.conf.5.md
+++ b/containers-storage.conf.5.md
@ -29,7 +29,10 @@ The `storage` table supports the following options:
 **driver**=""
  container storage driver
  Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
-  This field is requiered to guarantee proper operation.
+  This field is required to guarantee proper operation.
  Valid rootless drivers are "btrfs", "overlay", and "vfs".
  Rootless users default to the driver defined in the system configuration when possible.
  When the system configuration uses an unsupported rootless driver, rootless users default to "overlay" if available, otherwise "vfs".
 **graphroot**=""
  container storage graph dir (default: "/var/lib/containers/storage")
@ -84,6 +87,9 @@ The `storage.options` table supports the following options:
 **auto-userns-max-size**=65536
  Auto-userns-max-size is the maximum size for a user namespace created automatically.
 **disable-volatile**=true
  If disable-volatile is set, then the "volatile" mount optimization is disabled for all the containers.
 ### STORAGE OPTIONS FOR AUFS TABLE
 The `storage.options.aufs` table supports the following options:
--- a/containers.conf
+++ b/containers.conf
@ -60,7 +60,6 @@
 # the default capabilities defined in the container engine will be added.
 #
 default_capabilities = [
    "NET_RAW",
    "CHOWN",
    "DAC_OVERRIDE",
    "FOWNER",
@ -74,7 +73,6 @@ default_capabilities = [
    "SYS_CHROOT"
 ]
 # A list of sysctls to be set in containers by default,
 # specified as "name=value",
 # for example:"net.ipv4.ping_group_range = 0 0".
@ -242,14 +240,28 @@ default_sysctls = [
 #
 # cni_plugin_dirs = ["/usr/libexec/cni"]
 # The network name of the default CNI network to attach pods to.
 # default_network = "podman"
 # The default subnet for the default CNI network given in default_network.
 # If a network with that name does not exist, a new network using that name and
 # this subnet will be created.
 # Must be a valid IPv4 CIDR prefix.
 #default_subnet = "10.88.0.0/16"
 # Path to the directory where CNI configuration files are located.
 #
 # network_config_dir = "/etc/cni/net.d/"
 [engine]
-# ImageBuildFormat indicates the default image format to building
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
-# container images. Valid values are "oci" (default) or "docker".
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
-# image_build_format = "oci"
+# image_parallel_copies=0
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
 # source image. Building/committing defaults to OCI.
 # image_default_format = ""
 # Cgroup management implementation used for the runtime.
 # Valid options "systemd" or "cgroupfs"
@ -299,7 +311,7 @@ default_sysctls = [
 # Selects which logging mechanism to use for container engine events.
 # Valid values are `journald`, `file` and `none`.
 #
-events_logger = "file"
+# events_logger = "journald"
 # Path to OCI hooks directories for automatically executed hooks.
 #
@ -320,7 +332,7 @@ events_logger = "file"
 # associated with the  pod.  This container does nothing other then sleep,
 # reserving the pods resources for the lifetime of the pod.
 #
-# infra_image = "k8s.gcr.io/pause:3.2"
+# infra_image = "k8s.gcr.io/pause:3.4.1"
 # Specify the locking mechanism to use; valid values are "shm" and "file".
 # Change the default only if you are sure of what you are doing, in general
@ -330,6 +342,11 @@ events_logger = "file"
 #
 # lock_type** = "shm"
 # Indicates if Podman is running inside a VM via Podman Machine.
 # Podman uses this value to do extra setup around networking from the
 # container inside the VM to to host.
 # machine_enabled=false
 # MultiImageArchive - if true, the container engine allows for storing archives
 # (e.g., of the docker-archive transport) with multiple images.  By default,
 # Podman creates single-image archives.
@ -397,7 +414,7 @@ events_logger = "file"
 # List of the OCI runtimes that support --format=json.  When json is supported
 # engine will use it for reporting nicer errors.
 #
-# runtime_supports_json = ["crun", "runc", "kata"]
+# runtime_supports_json = ["crun", "runc", "kata", "runsc"]
 # List of the OCI runtimes that supports running containers without cgroups.
 #
@ -426,7 +443,7 @@ events_logger = "file"
 #     Path to file containing ssh identity key
 #     identity = "~/.ssh/id_rsa"
-# Paths to look for a valid OCI runtime (crun, runc, kata, etc)
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
 [engine.runtimes]
 # crun = [
 #            "/usr/bin/crun",
@ -459,6 +476,16 @@ events_logger = "file"
 #            "/usr/bin/kata-fc",
 # ]
 # runsc = [
 #            "/usr/bin/runsc",
 #            "/usr/sbin/runsc",
 #            "/usr/local/bin/runsc",
 #            "/usr/local/sbin/runsc",
 #            "/bin/runsc",
 #            "/sbin/runsc",
 #            "/run/current-system/sw/bin/runsc",
 # ]
 [engine.volume_plugins]
 # testplugin = "/run/podman/plugins/test.sock"
--- a/containers.conf.5.md
+++ b/containers.conf.5.md
@ -46,32 +46,16 @@ TOML can be simplified to:
 The containers table contains settings pertaining to the OCI runtime that can
 configure and manage the OCI runtime.
-**devices**=[]
+**annotations** = []
 List of annotations. Specified as "key=value" pairs to be added to all containers.
-List of devices.
+Example: "run.oci.keep_original_groups=1"
 Specified as 'device-on-host:device-on-container:permissions'.
 Example: "/dev/sdc:/dev/xvdc:rwm".
 **volumes**=[]
 List of volumes.
 Specified as "directory-on-host:directory-in-container:options".
 Example:  "/db:/var/lib/db:ro".
 **apparmor_profile**="container-default"
 Used to change the name of the default AppArmor profile of container engines.
 The default profile name is "container-default".
 **cgroupns**="private"
 Default way to to create a cgroup namespace for the container.
 Options are:
 `private` Create private Cgroup Namespace for the container.
 `host`    Share host Cgroup Namespace with the container.
 **cgroups**="enabled"
 Determines  whether  the  container will create CGroups.
@ -80,6 +64,13 @@ Options are:
  `disabled`  Disable cgroup support, will inherit cgroups from parent
  `no-conmon` Do not create a cgroup dedicated to conmon.
 **cgroupns**="private"
 Default way to to create a cgroup namespace for the container.
 Options are:
 `private` Create private Cgroup Namespace for the container.
 `host`    Share host Cgroup Namespace with the container.
 **default_capabilities**=[]
 List of default capabilities for containers.
@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit".
 Example: "nofile=1024:2048".
 **devices**=[]
 List of devices.
 Specified as 'device-on-host:device-on-container:permissions'.
 Example: "/dev/sdc:/dev/xvdc:rwm".
 **dns_options**=[]
 List of default DNS options to be added to /etc/resolv.conf inside of the
@ -201,11 +199,6 @@ Options are:
 Create /etc/hosts for the container.  By default, container engines manage
 /etc/hosts, automatically adding  the container's  own  IP  address.
 **pids_limit**=1024
 Maximum number of processes allowed in a container. 0 indicates that no limit
 is imposed.
 **pidns**="private"
 Default way to to create a PID namespace for the container.
@ -213,6 +206,11 @@ Options are:
  `private` Create private PID Namespace for the container.
  `host`    Share host PID Namespace with the container.
 **pids_limit**=1024
 Maximum number of processes allowed in a container. 0 indicates that no limit
 is imposed.
 **seccomp_profile**="/usr/share/containers/seccomp.json"
 Path to the seccomp.json profile which is used as the default seccomp profile
@ -240,13 +238,6 @@ Examples:
 Sets umask inside the container.
 **utsns**="private"
 Default way to to create a UTS namespace for the container.
 Options are:
  `private` Create private UTS Namespace for the container.
  `host`    Share host UTS Namespace with the container.
 **userns**="host"
 Default way to to create a USER namespace for the container.
@ -259,6 +250,14 @@ Options are:
 Number of UIDs to allocate for the automatic container creation. UIDs are
 allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
 **utsns**="private"
 Default way to to create a UTS namespace for the container.
 Options are:
  `private` Create private UTS Namespace for the container.
  `host`    Share host UTS Namespace with the container.
 ## NETWORK TABLE
 The `network` table contains settings pertaining to the management of CNI
 plugins.
@ -271,15 +270,28 @@ List of paths to directories where CNI plugin binaries are located.
 The network name of the default CNI network to attach pods to.
 **default_subnet**="10.88.0.0/16"
 The subnet to use for the default CNI network (named above in **default_network**).
 If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
 **network_config_dir**="/etc/cni/net.d/"
 Path to the directory where CNI configuration files are located.
 **volumes**=[]
 List of volumes.
 Specified as "directory-on-host:directory-in-container:options".
 Example:  "/db:/var/lib/db:ro".
 ## ENGINE TABLE
 The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
-**image_build_format**="oci"
+**active_service**=""
-The default image format to building container images. Valid values are "oci" (default) or "docker".
+
 Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
 **cgroup_check**=false
@ -346,15 +358,27 @@ Valid values: `file`, `journald`, and `none`.
 Path to the OCI hooks directories for automatically executed hooks.
 **image_default_format**="oci"|"v2s2"|"v2s1"
 Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 container images. By default images pulled and pushed match the format of the
 source image. Building/committing defaults to OCI.
 Note: **image_build_format** is deprecated.
 **image_default_transport**="docker://"
 Default transport method for pulling and pushing images.
 **image_parallel_copies**=0
 Maximum number of image layers to be copied (pulled/pushed) simultaneously.
 Not setting this field will fall back to containers/image defaults. (6)
 **infra_command**="/pause"
 Command to run the infra container.
-**infra_image**="k8s.gcr.io/pause:3.2"
+**infra_image**="k8s.gcr.io/pause:3.4.1"
 Infra (pause) container image name for pod infra containers.  When running a
 pod, we start a `pause` process in a container to hold open the namespaces
@ -369,6 +393,12 @@ Change the default only if you are sure of what you are doing, in general
 faster "shm" lock type.  You may need to run "podman system renumber" after you
 change the lock type.
 **machine_enabled**=false
 Indicates if Podman is running inside a VM via Podman Machine.
 Podman uses this value to do extra setup around networking from the
 container inside the VM to to host.
 **multi_image_archive**=false
 Allows for creating archives (e.g., tarballs) with more than one image.  Some container engines, such as Podman, interpret additional arguments as tags for one image and hence do not store more than one image.  The default behavior can be altered with this option.
@ -402,27 +432,6 @@ pod consumes one lock.  The default number available is 2048.  If this is
 changed, a lock renumbering must be performed, using the
 `podman system renumber` command.
 **active_service**=""
 Name of destination for accessing the Podman service.
 **[service_destinations]**
 **[service_destinations.{name}]**
 **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
  Example URIs:
 - **rootless local**  - unix://run/user/1000/podman/podman.sock
 - **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
 - **rootfull local**  - unix://run/podman/podman.sock
 - **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
 **identity="~/.ssh/id_rsa**
 Path to file containing ssh identity key
 **pull_policy**="always"|"missing"|"never"
 Pull image before running or creating a container. The default is **missing**.
@ -441,7 +450,7 @@ Default OCI specific runtime in runtimes that will be used by default. Must
 refer to a member of the runtimes table. Default runtime will be searched for
 on the system using the priority: "crun", "runc", "kata".
-**runtime_supports_json**=["crun", "runc", "kata"]
+**runtime_supports_json**=["crun", "runc", "kata", "runsc"]
 The list of the OCI runtimes that support `--format=json`.
@ -468,6 +477,24 @@ Number of seconds to wait for container to exit before sending kill signal.
 The path to a temporary directory to store per-boot container.
 Must be a tmpfs (wiped after reboot).
 ## SERVICE DESTINATION TABLE
 The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
 **[service_destinations.{name}]**
 URI to access the Podman service
 **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
  Example URIs:
 - **rootless local**  - unix://run/user/1000/podman/podman.sock
 - **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
 - **rootfull local**  - unix://run/podman/podman.sock
 - **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
 **identity="~/.ssh/id_rsa**
 Path to file containing ssh identity key
 **volume_path**="/var/lib/containers/storage/volumes"
 Directory where named volumes will be created in using the default volume
--- a/pyxis.sh
+++ b/pyxis.sh
@ -0,0 +1,76 @@
 #!/bin/bash
 #set -e
 rm -f /tmp/pyxis*.json
 TOTAL=`curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=1" | jq .total`
 if [ "$TOTAL" == "null" ]; then
  echo "Error comunicating with Pyxis API."
  exit 1
 fi
 PAGES=$(($TOTAL/500))
 for P in `seq 0 $PAGES`; do
  curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=500&page=$P" > /tmp/pyxis$P.json
 done
 cat /tmp/pyxis*.json > /tmp/pyx.json
 rm -f /tmp/rhel-shortnames.conf
 while read -r LINE; do
  if [[ "$LINE" == *\"_id\":* ]] || [[ "$LINE" == *\"total\":* ]]; then
    if [ -z $REGISTRY ] ||
       [ -z $PUBLISHED ] ||
       [ -z $REPOSITORY ] ||
       [  $REPOSITORY == \"\" ] ||
       [ "$AVAILABLE" != "Generally Available" ] ||
       [[ $REPOSITORY == *[@:]* ]] ||
       [[ "$REGISTRY" == *non_registry* ]] ||
       [[ $REGISTRY != *.* ]]
     then
      continue
    fi
    if [[ $REGISTRY == *quay.io* ]] ||
       [[ $REGISTRY == *redhat.com* ]]; then
      if [ "$REQUIRES_TERMS" == "1" ]; then
        REGISTRY=registry.redhat.io
      fi
      echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\""
      echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" >> /tmp/rhel-shortnames.conf
    fi
    REGISTRY=""
    PUBLISHED=""
    AVAILABLE=""
    REPOSITORY=""
    REQUIRES_TERMS=""
    continue
  fi
  if [[ "$LINE" == *\"published\":\ true,* ]]; then
    PUBLISHED=1
  fi
  if [[ "$LINE" == *\"requires_terms\":\ true,* ]]; then
    REQUIRES_TERMS=1
  fi
  if [[ "$LINE" == *\"repository\":\ * ]]; then
    REPOSITORY=`echo $LINE | sed 's,^.* ",,' | sed 's;",$;;'`
  fi
  if [[ "$LINE" == *\"registry\":\ * ]]; then
    REGISTRY=`echo $LINE | sed -e 's,^.*:\ ",,' -e 's,".*,,'`
  fi
  if [[ "$LINE" == *\"release_categories\":\ * ]]; then
    read -r LINE
    AVAILABLE=`echo $LINE | sed 's,",,g'`
  fi
 done < /tmp/pyx.json
 cp /tmp/rhel-shortnames.conf /tmp/r.conf
 for D in `cut -d\  -f1 /tmp/r.conf | sort | uniq -d`; do
  echo $D
  M=`grep ^$D /tmp/r.conf | grep 'redhat.com' | tail -n1`
  [ -z "$M" ] && M=`grep ^$D /tmp/r.conf | tail -n1`
  echo $M
  if [ ! -z "$M" ]; then
    echo "replacing $D with $M"
    grep -v "^$D.*" /tmp/r.conf > /tmp/r2.conf
    echo "$M" >> /tmp/r2.conf
    mv /tmp/r2.conf /tmp/r.conf
  fi
 done
 echo "[aliases]" > 001-rhel-shortnames-pyxis.conf
 sort /tmp/r.conf >> 001-rhel-shortnames-pyxis.conf
--- a/registries.conf
+++ b/registries.conf
@ -61,7 +61,7 @@ registries = []
 # mirrors:
 #
 # # An array of host[:port] registries to try when pulling an unqualified image, in order.
-unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
+unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
 #
 # [[registry]]
 # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
@ -111,5 +111,3 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 # # 2. example-mirror-1.local/mirrors/foo/image:latest
 # # 3. internal-registry-for-example.net/bar/myimage:latest
 # # in order, and use the first one that exists.
 # Enforcing mode for short names is default for RHEL9.
 short-name-mode = "enforcing"
--- a/seccomp.json
+++ b/seccomp.json
@ -303,6 +303,7 @@
 				"sendmmsg",
 				"sendmsg",
 				"sendto",
 				"setns",
 				"set_robust_list",
 				"set_thread_area",
 				"set_tid_address",
@ -340,7 +341,6 @@
 				"signalfd",
 				"signalfd4",
 				"sigreturn",
 				"socket",
 				"socketcall",
 				"socketpair",
 				"splice",
@ -583,19 +583,13 @@
 		{
 			"names": [
 				"bpf",
 				"clone",
 				"fanotify_init",
 				"lookup_dcookie",
 				"mount",
 				"name_to_handle_at",
 				"perf_event_open",
 				"quotactl",
 				"setdomainname",
 				"sethostname",
-				"setns",
+				"setns"
 				"umount",
 				"umount2",
 				"unshare"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
@ -607,71 +601,6 @@
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"clone"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [
 				{
 					"index": 0,
 					"value": 2080505856,
 					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],
 			"comment": "",
 			"includes": {},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
 				],
 				"arches": [
 					"s390",
 					"s390x"
 				]
 			}
 		},
 		{
 			"names": [
 				"clone"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [
 				{
 					"index": 1,
 					"value": 2080505856,
 					"valueTwo": 0,
 					"op": "SCMP_CMP_MASKED_EQ"
 				}
 			],
 			"comment": "s390 parameter ordering for clone is different",
 			"includes": {
 				"arches": [
 					"s390",
 					"s390x"
 				]
 			},
 			"excludes": {
 				"caps": [
 					"CAP_SYS_ADMIN"
 				]
 			}
 		},
 		{
 			"names": [
 				"reboot"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"args": [],
 			"comment": "",
 			"includes": {
 				"caps": [
 					"CAP_SYS_BOOT"
 				]
 			},
 			"excludes": {}
 		},
 		{
 			"names": [
 				"chroot"
@ -707,7 +636,6 @@
 			"names": [
 				"get_mempolicy",
 				"mbind",
 				"name_to_handle_at",
 				"set_mempolicy"
 			],
 			"action": "SCMP_ACT_ALLOW",
@ -904,4 +832,4 @@
 			"excludes": {}
 		}
 	]
-}
+}
--- a/shortnames.conf
+++ b/shortnames.conf
@ -24,6 +24,8 @@
  "tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
  "tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
  "leap" = "registry.opensuse.org/opensuse/leap"
  "leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf"
  "leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf"
  "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
  # SUSE
  "suse/sle15" = "registry.suse.com/suse/sle15"
@ -51,5 +53,13 @@
  "ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
  # Debian
  "debian" = "docker.io/library/debian"
  # Ubuntu
  "ubuntu" = "docker.io/library/ubuntu"
  # Oracle Linux
-  "oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
+  "oraclelinux" = "docker.io/library/oraclelinux"
  # busybox
  "busybox" = "docker.io/library/busybox"
  # php
  "php" = "docker.io/library/php"
  #python
  "python" = "docker.io/library/python"
--- a/skopeo.spec
+++ b/skopeo.spec
@ -1,4 +1,5 @@
 %global _lto_cflags %{nil}
 %global with_check 0
 %global _find_debuginfo_dwz_opts %{nil}
@ -19,17 +20,17 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 # pick the oldest version on c/image, c/common, c/storage vendored in
 # podman/skopeo/podman.
 %global podman_branch master
-%global image_branch  v5.10.2
+%global image_branch v5.12.0
-%global common_branch v0.33.4
+%global common_branch v0.38.4
-%global storage_branch v1.24.6
+%global storage_branch v1.31.1
 %global shortnames_branch main
-%global commit0 e72dd9c5c834f3cd7fb8b1aab4021d9d4412f305
+%global commit0 c35944bec010fe9b534881aca153ef5964f5a010
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Epoch: 1
 Name: skopeo
-Version: 1.2.2
+Version: 1.3.0
-Release: 4%{?dist}
+Release: 3%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@ -48,7 +49,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs
 Source5: registries.conf
 Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
 Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
-Source8: https://raw.githubusercontent.com/containers/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
+Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
 Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
 Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
 Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md
@ -59,14 +60,18 @@ Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/doc
 Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
 Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
 Source18: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
-Source19: rhel-shortnames.conf
+Source19: 001-rhel-shortnames-pyxis.conf
-BuildRequires: git
+Source20: 002-rhel-shortnames-overrides.conf
 # scripts used for synchronization with upstream and shortname generation
 Source100: update.sh
 Source101: update-vendored.sh
 Source102: pyxis.sh
 BuildRequires: git-core
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: go-md2man
 BuildRequires: gpgme-devel
 BuildRequires: libassuan-devel
 BuildRequires: pkgconfig(devmapper)
 BuildRequires: ostree-devel
 BuildRequires: glib2-devel
 BuildRequires: make
 Requires: containers-common = %{epoch}:%{version}-%{release}
@ -82,6 +87,7 @@ Conflicts: atomic-registries <= 1:1.22.1-1
 Obsoletes: docker-rhsubscription <= 2:1.13.1-31
 Provides: %{name}-containers = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-containers <= 1:0.1.31-3
 Requires: crun >= 0.19
 Recommends: fuse-overlayfs
 Recommends: slirp4netns
 Suggests: subscription-manager
@ -98,6 +104,7 @@ Requires: gnupg
 Requires: jq
 Requires: podman
 Requires: httpd-tools
 Requires: openssl
 %description tests
 %{summary}
@ -128,7 +135,7 @@ done
 export GOPATH=$(pwd):$(pwd)/vendor:%{gopath}
 export GO111MODULE=off
 export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
-export BUILDTAGS="exclude_graphdriver_btrfs btrfs_noversion $(hack/libdm_tag.sh) $(hack/ostree_tag.sh)"
+export BUILDTAGS="exclude_graphdriver_btrfs btrfs_noversion $(hack/libdm_tag.sh)"
 mkdir -p bin
 %gobuild -o bin/%{name} ./cmd/%{name}
 %{__make} docs
@ -136,13 +143,16 @@ mkdir -p bin
 %install
 make \
   DESTDIR=%{buildroot} \
-   SIGSTOREDIR=%{buildroot}%{_sharedstatedir}/containers/sigstore \
+   PREFIX=%{buildroot}%{_prefix} \
   install
 install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
 install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
 install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
 install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
-install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/rhel-shortnames.conf
+install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
 install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
 # for containers-common
 install -dp %{buildroot}%{_mandir}/man5
 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
 go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
@ -207,8 +217,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
-%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
+%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/*.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/rhel-shortnames.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml
 %ghost %{_sysconfdir}/containers/containers.conf
 %dir %{_sharedstatedir}/containers/sigstore
@ -234,6 +243,14 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 %changelog
 * Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.0-3
 - update to new versions of vendored components
 - fail is there is an issue in communication with Pyxis API
 - understand devel branch in update.sh script, use pkg wrapper
 - sync with Pyxis
 - use containers-mounts.conf.5.md from containers/common
 - Related: #1970747
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.2.2-4
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (skopeo-1.2.2-e72dd9c.tar.gz) = a9d2b0ef07f5be8a2873285d8c4078d6a5334df69207248ff8a725a5744a99f1c577c5a7c2da3bd8c4b394f445c6c14b25464626148ad7a205a55c636b39d068
+SHA512 (skopeo-1.3.0-c35944b.tar.gz) = c948c96cb6b9394a5159ec7c7c762bc93c3cfd8d8363ac1454c9b04e70865a3bc544433d90898b810256f39b42edb2940821c0ae70b84ad559dc26a5b0e21096
--- a/storage.conf
+++ b/storage.conf
@ -74,7 +74,7 @@ additionalimagestores = [
 #mount_program = "/usr/bin/fuse-overlayfs"
 # mountopt specifies comma separated list of extra mount options
-mountopt = "nodev,metacopy=on"
+mountopt = "nodev"
 # Set to skip a PRIVATE bind mount on the storage home directory.
 # skip_mount_home = "false"
--- a/update-vendored.sh
+++ b/update-vendored.sh
@ -0,0 +1,33 @@
 #!/bin/bash
 # This script assures we always deliver the current documentation/configs
 # for the c/storage, c/image and c/common vendored in podman, skopeo, buildah
 # For questions reach to Jindrich Novy <jnovy@redhat.com>
 set -xe
 rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
 B=`pkg switch-branch | grep ^* | cut -d\  -f2`
 echo $B
 for P in podman skopeo buildah; do
  BRN=`pwd | sed 's,^.*/,,'`
  rm -rf $P
  pkg clone $P
  cd $P
  pkg switch-branch $B
  if [ $BRN != stream-container-tools-rhel8 ]; then
    pkg prep
  else
    pkg --release rhel-8 prep
  fi
  DIR=`ls -d -- */ | grep -v ^tests | head -n1`
  grep github.com/containers/image $DIR/go.mod | cut -d\  -f2 >> /tmp/ver_image
  grep github.com/containers/common $DIR/go.mod | cut -d\  -f2 >> /tmp/ver_common
  grep github.com/containers/storage $DIR/go.mod | cut -d\  -f2 >> /tmp/ver_storage
  cd -
 done
 IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
 COMMON_VER=`sort -n /tmp/ver_common | head -n1`
 STORAGE_VER=`sort -n /tmp/ver_storage | head -n1`
 sed -i "s,^%global.*image_branch.*,%global image_branch $IMAGE_VER," skopeo.spec
 sed -i "s,^%global.*common_branch.*,%global common_branch $COMMON_VER," skopeo.spec
 sed -i "s,^%global.*storage_branch.*,%global storage_branch $STORAGE_VER," skopeo.spec
 rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
 rm -rf podman skopeo buildah
--- a/update.sh
+++ b/update.sh
@ -1,21 +1,39 @@
 #!/bin/bash
 # This script delivers current documentation/configs and assures it has the intended
 # settings for a particular branch/release.
 # For questions reach to Jindrich Novy <jnovy@redhat.com>
 ensure() {
  if grep ^$2[[:blank:]].*= $1 > /dev/null
  then
    sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1
  else
    if grep ^\#.*$2[[:blank:]].*= $1 > /dev/null
    then
      sed -i "/^#.*$2[[:blank:]].*=/a \
 $2 = $3" $1
    else
      echo "$2 = \"$3\"" >> $1
    fi
  fi
 }
 ./pyxis.sh
 ./update-vendored.sh
 spectool -f -g skopeo.spec
-sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' storage.conf
+ensure storage.conf    driver                        \"overlay\"
 ensure storage.conf    mountopt                      \"nodev,metacopy=on\"
 ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"quay.io\",\ \"docker.io\"]
 ensure containers.conf events_logger                 \"file\"
 ensure containers.conf infra_image                   \"registry.access.redhat.com/ubi9/pause\"
 ensure containers.conf runtime                       \"crun\"
 ensure containers.conf short-names-mode              \"enforcing\"
 [ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
 				"keyctl",' seccomp.json
 sed -i '/\"socketcall\",/i \
 				"socket",' seccomp.json
-sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]/g' registries.conf
+if ! grep \"NET_RAW\" containers.conf > /dev/null
 sed -i 's,#.*events_logger.*=.*"journald",events_logger = "file",' containers.conf
 if ! grep \"NET_RAW\" containers.conf
 then
  sed -i '/^default_capabilities/a \
    "NET_RAW",' containers.conf
 fi
 if ! grep ^short-name-mode.*= registries.conf
 then
  echo "# Enforcing mode for short names is default for RHEL9." >> registries.conf
  echo 'short-name-mode = "enforcing"' >> registries.conf
 else
  sed -i 's/^short-name-mode.*=.*/short-name-mode = "enforcing"/' registries.conf
 fi
`@ -1 +1 @@`
	`SHA512 (skopeo-1.2.2-e72dd9c.tar.gz) = a9d2b0ef07f5be8a2873285d8c4078d6a5334df69207248ff8a725a5744a99f1c577c5a7c2da3bd8c4b394f445c6c14b25464626148ad7a205a55c636b39d068`	`SHA512 (skopeo-1.3.0-c35944b.tar.gz) = c948c96cb6b9394a5159ec7c7c762bc93c3cfd8d8363ac1454c9b04e70865a3bc544433d90898b810256f39b42edb2940821c0ae70b84ad559dc26a5b0e21096`