skopeo-1.3.0-3.el9

- update to new versions of vendored components
- fail if there is an issue in communication with Pyxis API
- understand devel branch in update.sh script, use pkg wrapper
- sync with Pyxis
- use containers-mounts.conf.5.md from containers/common
- Related: #1970747

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Jindrich Novy 2021-06-14 10:46:08 +02:00
parent 7a89be9c52
commit f340c8ed1c
19 changed files with 1482 additions and 1227 deletions


@ -0,0 +1,8 @@
[aliases]
"skopeo" = "registry.access.redhat.com/ubi8/skopeo"
"ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
"buildah" = "registry.access.redhat.com/ubi8/buildah"
"ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
"podman" = "registry.access.redhat.com/ubi8/podman"
"ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
"rhel8/podman" = "registry.redhat.io/rhel8/podman"
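Review bot: this alias file has no header comment saying what it is for, so a later maintainer cannot tell that it is hand-maintained and is meant to win over the generated 001 file loaded before it. Add a one-line comment at the top (e.g. `# Hand-maintained overrides, loaded after 001-rhel-shortnames.conf`) and state why "podman"/"buildah"/"skopeo" resolve to registry.access.redhat.com/ubi8 while "rhel8/podman" goes to registry.redhat.io; a short name that silently resolves to a different registry than its sibling is exactly what a reader will question, since these aliases decide which registry a bare image name is trusted from.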

@ -15,7 +15,7 @@ A certs directory can contain one or more files with the following extensions:
* `*.key` files with this extensions will be interpreted as client keys
Note that the client certificate-key pair will be selected by the file name (e.g., `client.{cert,key}`).
An examplary setup for a registry running at `my-registry.com:5000` may look as follows:
An exemplary setup for a registry running at `my-registry.com:5000` may look as follows:
```
/etc/containers/certs.d/ <- Certificate directory
└── my-registry.com:5000 <- Hostname:port

@ -1,16 +0,0 @@
% containers-mounts.conf(5)
## NAME
containers-mounts.conf - configuration file for default mounts in containers
## DESCRIPTION
The mounts.conf file specifies volume mount directories that are automatically mounted inside containers. Container processes can then use this content. Usually these directories are used for passing secrets or credentials required by the package software to access remote package repositories. Note that for security reasons, tools adhering to the mounts.conf are expected to copy the contents instead of bind mounting the paths from the host.
## FORMAT
The format of the mounts.conf is the volume format `/SRC:/DEST`, one mount per line. For example, a mounts.conf with the line `/usr/share/secrets:/run/secrets` would cause the contents of the `/usr/share/secrets` directory on the host to be mounted on the `/run/secrets` directory inside the container. Setting mountpoints allows containers to use the files of the host, for instance, to use the host's subscription to some enterprise Linux distribution.
## FILES
Some distributions may provide a `/usr/share/containers/mounts.conf` file to provide default mounts, but users can create a `/etc/containers/mounts.conf`, to specify their own special volumes to mount in the container. When Podman runs in rootless mode, the file `$HOME/.config/containers/mounts.conf` will override the default if it exists.
## HISTORY
Aug 2018, Originally compiled by Valentin Rothberg <vrothberg@suse.com>
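Review bot: deleting the local copy of this man page is fine only if the new Source8 URL (containers/common at %{common_branch}) really carries it; please check that the fetched page keeps the DESCRIPTION sentence that tools honouring mounts.conf are expected to copy the contents rather than bind-mount host paths, as that is the one line here that sets a security expectation for implementers.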

@ -114,7 +114,7 @@ Scopes are ignored.
Using the mechanisms above, a set of policy requirements is looked up. The policy requirements
are represented as a JSON array of individual requirement objects. For an image to be accepted,
*all* of the requirements must be satisfied simulatenously.
*all* of the requirements must be satisfied simultaneously.
The policy requirements can also be used to decide whether an individual signature is accepted (= is signed by a recognized key of a known author);
in that case some requirements may apply only to some signatures, but each signature must be accepted by *at least one* requirement object.

@ -16,6 +16,9 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
`unqualified-search-registries`
: An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.
`credential-helpers`
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.
### NAMESPACED `[[registry]]` SETTINGS
The bulk of the configuration is represented as an array of `[[registry]]`
@ -26,16 +29,20 @@ as well as among different namespaces/repositories within a registry.
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
`prefix`
: A prefix of the user-specified image name, i.e. using one of the following formats:
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
- _host_[`:`_port_]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
- [`*.`]_host_
The user-specified image name must start with the specified `prefix` (and continue
with the appropriate separator) for a particular `[[registry]]` TOML table to be
considered; (only) the TOML table with the longest match is used.
considered; (only) the TOML table with the longest match is used. It can
also include wildcarded subdomains in the format `*.example.com` along as mentioned
above. The wildcard should only be present at the beginning as shown in the formats
above. Other cases will not work. For example, `*.example.com` is valid but
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
As a special case, the `prefix` field can be missing; if so, it defaults to the value
of the `location` field (described below).
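Review bot: "Other cases will not work" in the wildcard paragraph is too vague for a man page: say whether a prefix such as `*.example.com/foo` is rejected when registries.conf is loaded or is accepted and simply never matches, because a silently dead `[[registry]]` table means the `insecure`/`blocked`/`mirrors` settings attached to it never apply. Also "along as mentioned above" should read "as mentioned above".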
@ -75,6 +82,19 @@ internet without having to change `Dockerfile`s, or to add redundancy).
requests for the image `example.com/foo/myimage:latest` will actually work with the
`internal-registry-for-example.net/bar/myimage:latest` image.
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
the location can be empty. In such a case,
prefix matching will occur, but no reference rewrite will occur. The
original requested image string will be used as-is. But other settings like
`insecure` / `blocked` / `mirrors` will be applied to matching images.
Example: Given
```
prefix = "*.example.com"
```
requests for the image `blah.example.com/foo/myimage:latest` will be used
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
`mirror`
: An array of TOML tables specifying (possibly-partial) mirrors for the
`prefix`-rooted namespace.
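Review bot: the last line of the example, "But other settings like insecure/blocked/mirrors will be applied to matching images", repeats the sentence three lines above and lacks a full stop; drop it or fold it into the paragraph. The TOML snippet would also make the point better if it showed the `location` line being omitted (or empty), since that is what the paragraph is about.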
@ -271,7 +291,7 @@ the destination registry is unambiguous. Pulling by digest
tags.
# SEE ALSO
containers-certs.d(5)
containers-auth.json(5) containers-certs.d(5)
# HISTORY
Dec 2019, Warning added for unqualified image names by Tom Sweeney <tsweeney@redhat.com>

@ -17,7 +17,7 @@ Once the main configuration at `/etc/containers/registries.conf` is loaded, the
files in `/etc/containers/registries.conf.d` are loaded in alpha-numerical
order. Then the conf files in `$HOME/.config/containers/registries.conf.d` are loaded in alpha-numerical order, if they exist. If the `$HOME/.config/containers/registries.conf` is loaded, only the conf files under `$HOME/.config/containers/registries.conf.d` are loaded in alpha-numerical order.
Specified fields in a conf file will overwrite any previous setting. Note
that only files with the `.conf` prefix are loaded, other files and
that only files with the `.conf` suffix are loaded, other files and
sub-directories are ignored.
For instance, setting the `unqualified-search-registries` in

@ -29,7 +29,10 @@ The `storage` table supports the following options:
**driver**=""
container storage driver
Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem.
This field is requiered to guarantee proper operation.
This field is required to guarantee proper operation.
Valid rootless drivers are "btrfs", "overlay", and "vfs".
Rootless users default to the driver defined in the system configuration when possible.
When the system configuration uses an unsupported rootless driver, rootless users default to "overlay" if available, otherwise "vfs".
**graphroot**=""
container storage graph dir (default: "/var/lib/containers/storage")
@ -84,6 +87,9 @@ The `storage.options` table supports the following options:
**auto-userns-max-size**=65536
Auto-userns-max-size is the maximum size for a user namespace created automatically.
**disable-volatile**=true
If disable-volatile is set, then the "volatile" mount optimization is disabled for all the containers.
### STORAGE OPTIONS FOR AUFS TABLE
The `storage.options.aufs` table supports the following options:
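Review bot: the new `disable-volatile` entry says what the knob switches off but not what the "volatile" optimization trades away or when an operator should set it, so a reader cannot judge the risk either way; add a sentence on the consequence of leaving volatile enabled and of disabling it, and state the actual default, since `=true` in the heading reads as the default but the text does not say so.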

@ -60,7 +60,6 @@
# the default capabilities defined in the container engine will be added.
#
default_capabilities = [
"NET_RAW",
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
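Review bot: dropping NET_RAW from `default_capabilities` is a user-visible behaviour change (containers lose raw and packet sockets by default, so tools such as ping only work through the `net.ipv4.ping_group_range` sysctl this same file mentions a few lines below), yet neither the commit message nor the changelog records it. The tighter default is welcome; please note it in the changelog and in the comment above the list so users who need CAP_NET_RAW know to add it explicitly.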
@ -74,7 +73,6 @@ default_capabilities = [
"SYS_CHROOT"
]
# A list of sysctls to be set in containers by default,
# specified as "name=value",
# for example:"net.ipv4.ping_group_range = 0 0".
@ -242,14 +240,28 @@ default_sysctls = [
#
# cni_plugin_dirs = ["/usr/libexec/cni"]
# The network name of the default CNI network to attach pods to.
# default_network = "podman"
# The default subnet for the default CNI network given in default_network.
# If a network with that name does not exist, a new network using that name and
# this subnet will be created.
# Must be a valid IPv4 CIDR prefix.
#default_subnet = "10.88.0.0/16"
# Path to the directory where CNI configuration files are located.
#
# network_config_dir = "/etc/cni/net.d/"
[engine]
# ImageBuildFormat indicates the default image format to building
# container images. Valid values are "oci" (default) or "docker".
# image_build_format = "oci"
# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
# image_parallel_copies=0
# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
# container images. By default image pulled and pushed match the format of the
# source image. Building/committing defaults to OCI.
# image_default_format = ""
# Cgroup management implementation used for the runtime.
# Valid options "systemd" or "cgroupfs"
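Review bot: `image_build_format` is still advertised here with its old comment while the man page hunk in this same commit says "**image_build_format** is deprecated" in favour of `image_default_format`; either drop the example or add a deprecation line above it so the two files agree. Minor: `#default_subnet` lacks the space after `#` that every other commented key in this file uses.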
@ -299,7 +311,7 @@ default_sysctls = [
# Selects which logging mechanism to use for container engine events.
# Valid values are `journald`, `file` and `none`.
#
events_logger = "file"
# events_logger = "journald"
# Path to OCI hooks directories for automatically executed hooks.
#
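Review bot: `events_logger = "file"` was an active setting and becomes a commented `# events_logger = "journald"`, so the engine default takes over instead of the value RHEL previously pinned. If that is intended, say so in the changelog; if the "file" backend was chosen deliberately (e.g. for hosts without journald), this silently changes where container events are written, which matters to anyone collecting them for audit.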
@ -320,7 +332,7 @@ events_logger = "file"
# associated with the pod. This container does nothing other then sleep,
# reserving the pods resources for the lifetime of the pod.
#
# infra_image = "k8s.gcr.io/pause:3.2"
# infra_image = "k8s.gcr.io/pause:3.4.1"
# Specify the locking mechanism to use; valid values are "shm" and "file".
# Change the default only if you are sure of what you are doing, in general
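Review bot: the infra image moves from `k8s.gcr.io/pause:3.2` to `:3.4.1` by mutable tag only; consider recording the image digest next to the tag in the comment so operators who copy this line get an immutable reference, and mention the bump in the changelog.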
@ -330,6 +342,11 @@ events_logger = "file"
#
# lock_type** = "shm"
# Indicates if Podman is running inside a VM via Podman Machine.
# Podman uses this value to do extra setup around networking from the
# container inside the VM to to host.
# machine_enabled=false
# MultiImageArchive - if true, the container engine allows for storing archives
# (e.g., of the docker-archive transport) with multiple images. By default,
# Podman creates single-image archives.
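Review bot: typo in the new `machine_enabled` comment: "from the container inside the VM to to host" should be "to the host" (the man page hunk further down repeats the sentence with the same typo).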
@ -397,7 +414,7 @@ events_logger = "file"
# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
#
# runtime_supports_json = ["crun", "runc", "kata"]
# runtime_supports_json = ["crun", "runc", "kata", "runsc"]
# List of the OCI runtimes that supports running containers without cgroups.
#
@ -426,7 +443,7 @@ events_logger = "file"
# Path to file containing ssh identity key
# identity = "~/.ssh/id_rsa"
# Paths to look for a valid OCI runtime (crun, runc, kata, etc)
# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc)
[engine.runtimes]
# crun = [
# "/usr/bin/crun",
@ -459,6 +476,16 @@ events_logger = "file"
# "/usr/bin/kata-fc",
# ]
# runsc = [
# "/usr/bin/runsc",
# "/usr/sbin/runsc",
# "/usr/local/bin/runsc",
# "/usr/local/sbin/runsc",
# "/bin/runsc",
# "/sbin/runsc",
# "/run/current-system/sw/bin/runsc",
# ]
[engine.volume_plugins]
# testplugin = "/run/podman/plugins/test.sock"

@ -46,32 +46,16 @@ TOML can be simplified to:
The containers table contains settings pertaining to the OCI runtime that can
configure and manage the OCI runtime.
**devices**=[]
**annotations** = []
List of annotations. Specified as "key=value" pairs to be added to all containers.
List of devices.
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
Example: "run.oci.keep_original_groups=1"
**apparmor_profile**="container-default"
Used to change the name of the default AppArmor profile of container engines.
The default profile name is "container-default".
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**cgroups**="enabled"
Determines whether the container will create CGroups.
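Review bot: the entries being moved in this file carry the typo "Default way to to create" (cgroupns here, and the same wording for pidns, userns and utsns in the later hunks); since these lines are rewritten anyway, fix them to "Default way to create" in the same change.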
@ -80,6 +64,13 @@ Options are:
`disabled` Disable cgroup support, will inherit cgroups from parent
`no-conmon` Do not create a cgroup dedicated to conmon.
**cgroupns**="private"
Default way to to create a cgroup namespace for the container.
Options are:
`private` Create private Cgroup Namespace for the container.
`host` Share host Cgroup Namespace with the container.
**default_capabilities**=[]
List of default capabilities for containers.
@ -117,6 +108,13 @@ specified as "name=soft-limit:hard-limit".
Example: "nofile=1024:2048".
**devices**=[]
List of devices.
Specified as 'device-on-host:device-on-container:permissions'.
Example: "/dev/sdc:/dev/xvdc:rwm".
**dns_options**=[]
List of default DNS options to be added to /etc/resolv.conf inside of the
@ -201,11 +199,6 @@ Options are:
Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address.
**pids_limit**=1024
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.
**pidns**="private"
Default way to to create a PID namespace for the container.
@ -213,6 +206,11 @@ Options are:
`private` Create private PID Namespace for the container.
`host` Share host PID Namespace with the container.
**pids_limit**=1024
Maximum number of processes allowed in a container. 0 indicates that no limit
is imposed.
**seccomp_profile**="/usr/share/containers/seccomp.json"
Path to the seccomp.json profile which is used as the default seccomp profile
@ -240,13 +238,6 @@ Examples:
Sets umask inside the container.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
**userns**="host"
Default way to to create a USER namespace for the container.
@ -259,6 +250,14 @@ Options are:
Number of UIDs to allocate for the automatic container creation. UIDs are
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
**utsns**="private"
Default way to to create a UTS namespace for the container.
Options are:
`private` Create private UTS Namespace for the container.
`host` Share host UTS Namespace with the container.
## NETWORK TABLE
The `network` table contains settings pertaining to the management of CNI
plugins.
@ -271,15 +270,28 @@ List of paths to directories where CNI plugin binaries are located.
The network name of the default CNI network to attach pods to.
**default_subnet**="10.88.0.0/16"
The subnet to use for the default CNI network (named above in **default_network**).
If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
**network_config_dir**="/etc/cni/net.d/"
Path to the directory where CNI configuration files are located.
**volumes**=[]
List of volumes.
Specified as "directory-on-host:directory-in-container:options".
Example: "/db:/var/lib/db:ro".
## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
**image_build_format**="oci"
The default image format to building container images. Valid values are "oci" (default) or "docker".
**active_service**=""
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
**cgroup_check**=false
@ -346,15 +358,27 @@ Valid values: `file`, `journald`, and `none`.
Path to the OCI hooks directories for automatically executed hooks.
**image_default_format**="oci"|"v2s2"|"v2s1"
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
container images. By default images pulled and pushed match the format of the
source image. Building/committing defaults to OCI.
Note: **image_build_format** is deprecated.
**image_default_transport**="docker://"
Default transport method for pulling and pushing images.
**image_parallel_copies**=0
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
Not setting this field will fall back to containers/image defaults. (6)
**infra_command**="/pause"
Command to run the infra container.
**infra_image**="k8s.gcr.io/pause:3.2"
**infra_image**="k8s.gcr.io/pause:3.4.1"
Infra (pause) container image name for pod infra containers. When running a
pod, we start a `pause` process in a container to hold open the namespaces
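Review bot: `image_parallel_copies`: the stray "(6)" at the end of "Not setting this field will fall back to containers/image defaults. (6)" looks like a leftover footnote marker and should go; the config comment for the same key also says "or setting it to zero" falls back to the default, so the man page should say the same. The "Note: **image_build_format** is deprecated." line would read better placed under the `image_build_format` entry it refers to.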
@ -369,6 +393,12 @@ Change the default only if you are sure of what you are doing, in general
faster "shm" lock type. You may need to run "podman system renumber" after you
change the lock type.
**machine_enabled**=false
Indicates if Podman is running inside a VM via Podman Machine.
Podman uses this value to do extra setup around networking from the
container inside the VM to to host.
**multi_image_archive**=false
Allows for creating archives (e.g., tarballs) with more than one image. Some container engines, such as Podman, interpret additional arguments as tags for one image and hence do not store more than one image. The default behavior can be altered with this option.
@ -402,27 +432,6 @@ pod consumes one lock. The default number available is 2048. If this is
changed, a lock renumbering must be performed, using the
`podman system renumber` command.
**active_service**=""
Name of destination for accessing the Podman service.
**[service_destinations]**
**[service_destinations.{name}]**
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
- **rootless local** - unix://run/user/1000/podman/podman.sock
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
- **rootfull local** - unix://run/podman/podman.sock
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
**identity="~/.ssh/id_rsa**
Path to file containing ssh identity key
**pull_policy**="always"|"missing"|"never"
Pull image before running or creating a container. The default is **missing**.
@ -441,7 +450,7 @@ Default OCI specific runtime in runtimes that will be used by default. Must
refer to a member of the runtimes table. Default runtime will be searched for
on the system using the priority: "crun", "runc", "kata".
**runtime_supports_json**=["crun", "runc", "kata"]
**runtime_supports_json**=["crun", "runc", "kata", "runsc"]
The list of the OCI runtimes that support `--format=json`.
@ -468,6 +477,24 @@ Number of seconds to wait for container to exit before sending kill signal.
The path to a temporary directory to store per-boot container.
Must be a tmpfs (wiped after reboot).
## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
**[service_destinations.{name}]**
URI to access the Podman service
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
Example URIs:
- **rootless local** - unix://run/user/1000/podman/podman.sock
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
- **rootfull local** - unix://run/podman/podman.sock
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
**identity="~/.ssh/id_rsa**
Path to file containing ssh identity key
**volume_path**="/var/lib/containers/storage/volumes"
Directory where named volumes will be created in using the default volume
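Review bot: markdown in the moved SERVICE DESTINATION block: `**identity="~/.ssh/id_rsa**` is missing the closing quote before the `**`, and "URI to access the Podman service" sits above the `**uri=...**` heading it describes instead of below it.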

pyxis.sh Executable file
@ -0,0 +1,76 @@
#!/bin/bash
#set -e
rm -f /tmp/pyxis*.json
TOTAL=`curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=1" | jq .total`
if [ "$TOTAL" == "null" ]; then
echo "Error comunicating with Pyxis API."
exit 1
fi
PAGES=$(($TOTAL/500))
for P in `seq 0 $PAGES`; do
curl -s --negotiate -u: -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET "https://pyxis.engineering.redhat.com/v1/repositories?page_size=500&page=$P" > /tmp/pyxis$P.json
done
cat /tmp/pyxis*.json > /tmp/pyx.json
rm -f /tmp/rhel-shortnames.conf
while read -r LINE; do
if [[ "$LINE" == *\"_id\":* ]] || [[ "$LINE" == *\"total\":* ]]; then
if [ -z $REGISTRY ] ||
[ -z $PUBLISHED ] ||
[ -z $REPOSITORY ] ||
[ $REPOSITORY == \"\" ] ||
[ "$AVAILABLE" != "Generally Available" ] ||
[[ $REPOSITORY == *[@:]* ]] ||
[[ "$REGISTRY" == *non_registry* ]] ||
[[ $REGISTRY != *.* ]]
then
continue
fi
if [[ $REGISTRY == *quay.io* ]] ||
[[ $REGISTRY == *redhat.com* ]]; then
if [ "$REQUIRES_TERMS" == "1" ]; then
REGISTRY=registry.redhat.io
fi
echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\""
echo "\"$REPOSITORY\" = \"$REGISTRY/$REPOSITORY\"" >> /tmp/rhel-shortnames.conf
fi
REGISTRY=""
PUBLISHED=""
AVAILABLE=""
REPOSITORY=""
REQUIRES_TERMS=""
continue
fi
if [[ "$LINE" == *\"published\":\ true,* ]]; then
PUBLISHED=1
fi
if [[ "$LINE" == *\"requires_terms\":\ true,* ]]; then
REQUIRES_TERMS=1
fi
if [[ "$LINE" == *\"repository\":\ * ]]; then
REPOSITORY=`echo $LINE | sed 's,^.* ",,' | sed 's;",$;;'`
fi
if [[ "$LINE" == *\"registry\":\ * ]]; then
REGISTRY=`echo $LINE | sed -e 's,^.*:\ ",,' -e 's,".*,,'`
fi
if [[ "$LINE" == *\"release_categories\":\ * ]]; then
read -r LINE
AVAILABLE=`echo $LINE | sed 's,",,g'`
fi
done < /tmp/pyx.json
cp /tmp/rhel-shortnames.conf /tmp/r.conf
for D in `cut -d\ -f1 /tmp/r.conf | sort | uniq -d`; do
echo $D
M=`grep ^$D /tmp/r.conf | grep 'redhat.com' | tail -n1`
[ -z "$M" ] && M=`grep ^$D /tmp/r.conf | tail -n1`
echo $M
if [ ! -z "$M" ]; then
echo "replacing $D with $M"
grep -v "^$D.*" /tmp/r.conf > /tmp/r2.conf
echo "$M" >> /tmp/r2.conf
mv /tmp/r2.conf /tmp/r.conf
fi
done
echo "[aliases]" > 001-rhel-shortnames-pyxis.conf
sort /tmp/r.conf >> 001-rhel-shortnames-pyxis.conf
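Review bot: the script writes and re-reads fixed names under /tmp (`/tmp/pyxis*.json`, `/tmp/pyx.json`, `/tmp/r.conf`, `/tmp/r2.conf`) that end up in a packaged config file; on a shared build host another user can pre-create or symlink those paths, so create a directory with `mktemp -d` and work inside it. The JSON is then parsed line by line with string matches and `sed` even though `jq` is already used for `.total`; a single `jq -r` query selecting the same fields (`published`, `requires_terms`, `repository`, `registry`, `release_categories`) would remove the unquoted `[ -z $REGISTRY ]` / `[ $REPOSITORY == \"\" ]` tests and the `read -r LINE` lookahead that assumes a fixed field order. Smaller: with `#set -e` commented out a failing `curl` in the page loop yields an empty page file instead of an error, and "Error comunicating" should be "communicating".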

@ -61,7 +61,7 @@ registries = []
# mirrors:
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
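Review bot: adding `quay.io` to `unqualified-search-registries` widens the set of registries an unqualified name can resolve to, in the order listed; every extra entry is one more place a look-alike repository can be picked up from, so the addition and its reason belong in the changelog.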
@ -111,5 +111,3 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
# # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/myimage:latest
# # in order, and use the first one that exists.
# Enforcing mode for short names is default for RHEL9.
short-name-mode = "enforcing"
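Review bot: `short-name-mode = "enforcing"` is the right default to ship alongside a longer search list, but the comment above it should say what enforcing changes for the user (when a pull of an unqualified name fails instead of searching) so that people who hit it know to use a fully qualified name or an alias from the shortnames files. "is default for RHEL9" reads better as "is the default for RHEL 9".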

@ -303,6 +303,7 @@
"sendmmsg",
"sendmsg",
"sendto",
"setns",
"set_robust_list",
"set_thread_area",
"set_tid_address",
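Review bot: `setns` is added to the unconditionally allowed list here while it is still listed in the CAP_SYS_ADMIN-gated group later in this diff, which makes the gated entry dead; keep one of the two and say in the commit message why setns no longer needs the capability gate in the profile (the kernel still requires CAP_SYS_ADMIN over the target namespace, so this mostly changes the error a container sees).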
@ -340,7 +341,6 @@
"signalfd",
"signalfd4",
"sigreturn",
"socket",
"socketcall",
"socketpair",
"splice",
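Review bot: `socket` is removed from the general allowlist and no replacement rule for it appears anywhere in this diff. Since almost every container workload needs socket(2), please confirm the full profile still allows it (for example through a rule that filters on the address-family argument) rather than falling through to the default action; the hunk as shown cannot tell the reviewer either way.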
@ -583,19 +583,13 @@
{
"names": [
"bpf",
"clone",
"fanotify_init",
"lookup_dcookie",
"mount",
"name_to_handle_at",
"perf_event_open",
"quotactl",
"setdomainname",
"sethostname",
"setns",
"umount",
"umount2",
"unshare"
"setns"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
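Review bot: the CAP_SYS_ADMIN group loses clone, mount, name_to_handle_at, umount, umount2 and unshare while keeping setns, but the diff does not show where those six go. Removing them from a gated allow-rule means either that they are now allowed for every container (widening the surface) or that they are denied outright (breaking rootless and `--userns` setups that need clone/unshare with CLONE_NEW* flags); the commit message should state which, as it is not visible from this hunk.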
@ -607,71 +601,6 @@
},
"excludes": {}
},
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 2080505856,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "",
"includes": {},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
],
"arches": [
"s390",
"s390x"
]
}
},
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 1,
"value": 2080505856,
"valueTwo": 0,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "s390 parameter ordering for clone is different",
"includes": {
"arches": [
"s390",
"s390x"
]
},
"excludes": {
"caps": [
"CAP_SYS_ADMIN"
]
}
},
{
"names": [
"reboot"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_BOOT"
]
},
"excludes": {}
},
{
"names": [
"chroot"
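Review bot: the two `clone` rules that allowed the call only when the flags argument (index 0, and index 1 on s390/s390x) has none of the CLONE_NEW* bits in the 2080505856 mask set, for containers without CAP_SYS_ADMIN, are deleted, and so is the CAP_SYS_BOOT-gated `reboot` rule, with no replacement visible. If clone is now allowed unconditionally, that `SCMP_CMP_MASKED_EQ` check was the only seccomp control on namespace creation from inside an unprivileged container; document the intended new behaviour for both rules in the commit message.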
@ -707,7 +636,6 @@
"names": [
"get_mempolicy",
"mbind",
"name_to_handle_at",
"set_mempolicy"
],
"action": "SCMP_ACT_ALLOW",
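Review bot: `name_to_handle_at` is dropped from this group as well as from the CAP_SYS_ADMIN group above, with no visible destination; as with the other moved syscalls, state whether it is now allowed unconditionally or denied, since it was deliberately capability-gated (file handles obtained this way can be opened across mounts).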

@ -24,6 +24,8 @@
"tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
"tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
"leap" = "registry.opensuse.org/opensuse/leap"
"leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf"
"leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf"
"tw-busybox" = "registry.opensuse.org/opensuse/busybox"
# SUSE
"suse/sle15" = "registry.suse.com/suse/sle15"
@ -51,5 +53,13 @@
"ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
# Debian
"debian" = "docker.io/library/debian"
# Ubuntu
"ubuntu" = "docker.io/library/ubuntu"
# Oracle Linux
"oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
"oraclelinux" = "docker.io/library/oraclelinux"
# busybox
"busybox" = "docker.io/library/busybox"
# php
"php" = "docker.io/library/php"
#python
"python" = "docker.io/library/python"
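Review bot: "oraclelinux" now resolves to `docker.io/library/oraclelinux` instead of the vendor's `container-registry.oracle.com/os/oraclelinux`; that changes which registry, with its own publishing controls and rate limits, the short name trusts, so it deserves a line in the changelog, which currently does not mention the shortnames file at all. Style: `#python` is missing the space the other section comments use.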

@ -1,4 +1,5 @@
%global _lto_cflags %{nil}
%global with_check 0
%global _find_debuginfo_dwz_opts %{nil}
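Review bot: both `%global _lto_cflags %{nil}` (disables LTO for the whole build) and `%global with_check 0` (skips the %check stage) are unexplained; add a short comment with the reason for each, as a package that ships with its test stage disabled should say why.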
@ -19,17 +20,17 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
# pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman.
%global podman_branch master
%global image_branch v5.10.2
%global common_branch v0.33.4
%global storage_branch v1.24.6
%global image_branch v5.12.0
%global common_branch v0.38.4
%global storage_branch v1.31.1
%global shortnames_branch main
%global commit0 e72dd9c5c834f3cd7fb8b1aab4021d9d4412f305
%global commit0 c35944bec010fe9b534881aca153ef5964f5a010
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
Epoch: 1
Name: skopeo
Version: 1.2.2
Release: 4%{?dist}
Version: 1.3.0
Release: 3%{?dist}
Summary: Inspect container images and repositories on registries
License: ASL 2.0
URL: %{git0}
@ -48,7 +49,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs
Source5: registries.conf
Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
Source8: https://raw.githubusercontent.com/containers/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md
Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
Source11: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-certs.d.5.md
@ -59,14 +60,18 @@ Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/doc
Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md
Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
Source18: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md
Source19: rhel-shortnames.conf
BuildRequires: git
Source19: 001-rhel-shortnames-pyxis.conf
Source20: 002-rhel-shortnames-overrides.conf
# scripts used for synchronization with upstream and shortname generation
Source100: update.sh
Source101: update-vendored.sh
Source102: pyxis.sh
BuildRequires: git-core
BuildRequires: golang >= 1.12.12-4
BuildRequires: go-md2man
BuildRequires: gpgme-devel
BuildRequires: libassuan-devel
BuildRequires: pkgconfig(devmapper)
BuildRequires: ostree-devel
BuildRequires: glib2-devel
BuildRequires: make
Requires: containers-common = %{epoch}:%{version}-%{release}
@ -82,6 +87,7 @@ Conflicts: atomic-registries <= 1:1.22.1-1
Obsoletes: docker-rhsubscription <= 2:1.13.1-31
Provides: %{name}-containers = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-containers <= 1:0.1.31-3
Requires: crun >= 0.19
Recommends: fuse-overlayfs
Recommends: slirp4netns
Suggests: subscription-manager
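Review bot: `Requires: crun >= 0.19` lands among the Provides/Obsoletes lines of the containers-common subpackage, which skopeo itself hard-requires (`Requires: containers-common = %{epoch}:%{version}-%{release}` above), so every skopeo install now pulls in an OCI runtime skopeo never executes. If the dependency is for podman/buildah users, `Recommends:` (as used for fuse-overlayfs and slirp4netns right below) or a requirement in those packages keeps skopeo's footprint minimal; if it must be a hard Requires, add a comment saying why.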
@ -98,6 +104,7 @@ Requires: gnupg
Requires: jq
Requires: podman
Requires: httpd-tools
Requires: openssl
%description tests
%{summary}
@ -128,7 +135,7 @@ done
export GOPATH=$(pwd):$(pwd)/vendor:%{gopath}
export GO111MODULE=off
export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
export BUILDTAGS="exclude_graphdriver_btrfs btrfs_noversion $(hack/libdm_tag.sh) $(hack/ostree_tag.sh)"
export BUILDTAGS="exclude_graphdriver_btrfs btrfs_noversion $(hack/libdm_tag.sh)"
mkdir -p bin
%gobuild -o bin/%{name} ./cmd/%{name}
%{__make} docs
@ -136,13 +143,16 @@ mkdir -p bin
%install
make \
DESTDIR=%{buildroot} \
SIGSTOREDIR=%{buildroot}%{_sharedstatedir}/containers/sigstore \
PREFIX=%{buildroot}%{_prefix} \
install
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d}
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf
install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf
install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/rhel-shortnames.conf
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
# for containers-common
install -dp %{buildroot}%{_mandir}/man5
go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5
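Review bot: Source19 is named `001-rhel-shortnames-pyxis.conf`, which is what pyxis.sh writes, but it is installed as `001-rhel-shortnames.conf` while Source20 keeps its full name; keep the installed name equal to the source name so an installed file can be traced back to its generator without reading the spec.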
@ -207,8 +217,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/storage.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/rhel-shortnames.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/*.conf
%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml
%ghost %{_sysconfdir}/containers/containers.conf
%dir %{_sharedstatedir}/containers/sigstore
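Review bot: replacing the two explicit `%config(noreplace)` entries with `registries.conf.d/*.conf` means any stray .conf that lands in the buildroot is silently packaged as configuration; the explicit list was a useful audit point for files that rewrite image names. If the glob stays, a comment listing the three files it is expected to match (000, 001, 002) keeps that review value.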
@ -234,6 +243,14 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test
%changelog
* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.0-3
- update to new versions of vendored components
- fail is there is an issue in communication with Pyxis API
- understand devel branch in update.sh script, use pkg wrapper
- sync with Pyxis
- use containers-mounts.conf.5.md from containers/common
- Related: #1970747
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.2.2-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
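Review bot: typo in the new changelog entry: `- fail is there is an issue in communication with Pyxis API` should read `fail if there is an issue`. The bug reference `Related: #1970747` also differs in form from the `rhbz#1947937` style used by the entry below it; one consistent prefix keeps the references greppable.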

@ -1 +1 @@
SHA512 (skopeo-1.2.2-e72dd9c.tar.gz) = a9d2b0ef07f5be8a2873285d8c4078d6a5334df69207248ff8a725a5744a99f1c577c5a7c2da3bd8c4b394f445c6c14b25464626148ad7a205a55c636b39d068
SHA512 (skopeo-1.3.0-c35944b.tar.gz) = c948c96cb6b9394a5159ec7c7c762bc93c3cfd8d8363ac1454c9b04e70865a3bc544433d90898b810256f39b42edb2940821c0ae70b84ad559dc26a5b0e21096

@ -74,7 +74,7 @@ additionalimagestores = [
#mount_program = "/usr/bin/fuse-overlayfs"
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"
mountopt = "nodev"
# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"
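Review bot: this hunk drops `metacopy=on` (`mountopt = "nodev"`), but update.sh in the same commit still enforces the old value with `ensure storage.conf mountopt \"nodev,metacopy=on\"`, so the next run of update.sh reverts this file. Decide which setting is intended for this branch and change both places together; if `nodev` alone is the goal, the `ensure` call is what needs editing.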

update-vendored.sh Executable file
@ -0,0 +1,33 @@
#!/bin/bash
# This script assures we always deliver the current documentation/configs
# for the c/storage, c/image and c/common vendored in podman, skopeo, buildah
# For questions reach to Jindrich Novy <jnovy@redhat.com>
set -xe
rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
B=`pkg switch-branch | grep ^* | cut -d\ -f2`
echo $B
for P in podman skopeo buildah; do
BRN=`pwd | sed 's,^.*/,,'`
rm -rf $P
pkg clone $P
cd $P
pkg switch-branch $B
if [ $BRN != stream-container-tools-rhel8 ]; then
pkg prep
else
pkg --release rhel-8 prep
fi
DIR=`ls -d -- */ | grep -v ^tests | head -n1`
grep github.com/containers/image $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_image
grep github.com/containers/common $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_common
grep github.com/containers/storage $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_storage
cd -
done
IMAGE_VER=`sort -n /tmp/ver_image | head -n1`
COMMON_VER=`sort -n /tmp/ver_common | head -n1`
STORAGE_VER=`sort -n /tmp/ver_storage | head -n1`
sed -i "s,^%global.*image_branch.*,%global image_branch $IMAGE_VER," skopeo.spec
sed -i "s,^%global.*common_branch.*,%global common_branch $COMMON_VER," skopeo.spec
sed -i "s,^%global.*storage_branch.*,%global storage_branch $STORAGE_VER," skopeo.spec
rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage
rm -rf podman skopeo buildah
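Review bot: `sort -n` in `IMAGE_VER=\`sort -n /tmp/ver_image | head -n1\`` and the two lines after it does not yield the lowest version: the leading `v` of a tag stops numeric parsing, so every line ties and the comparison falls back to byte order, where `v5.10.x` sorts before `v5.9.x`; use `sort -V`. The fixed names `/tmp/ver_image`, `/tmp/ver_common` and `/tmp/ver_storage`, written with `>>` in a world-writable directory, are the classic predictable temp-file race; create a private directory with `mktemp -d` and remove it from an `EXIT` trap, which also covers the early-exit path that `set -xe` introduces (the `rm -f` at the end never runs when an earlier command fails).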

@ -1,21 +1,39 @@
#!/bin/bash
# This script delivers current documentation/configs and assures it has the intended
# settings for a particular branch/release.
# For questions reach to Jindrich Novy <jnovy@redhat.com>
ensure() {
if grep ^$2[[:blank:]].*= $1 > /dev/null
then
sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" $1
else
if grep ^\#.*$2[[:blank:]].*= $1 > /dev/null
then
sed -i "/^#.*$2[[:blank:]].*=/a \
$2 = $3" $1
else
echo "$2 = \"$3\"" >> $1
fi
fi
}
./pyxis.sh
./update-vendored.sh
spectool -f -g skopeo.spec
sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' storage.conf
ensure storage.conf driver \"overlay\"
ensure storage.conf mountopt \"nodev,metacopy=on\"
ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"quay.io\",\ \"docker.io\"]
ensure containers.conf events_logger \"file\"
ensure containers.conf infra_image \"registry.access.redhat.com/ubi9/pause\"
ensure containers.conf runtime \"crun\"
ensure containers.conf short-names-mode \"enforcing\"
[ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
"keyctl",' seccomp.json
sed -i '/\"socketcall\",/i \
"socket",' seccomp.json
sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]/g' registries.conf
sed -i 's,#.*events_logger.*=.*"journald",events_logger = "file",' containers.conf
if ! grep \"NET_RAW\" containers.conf
if ! grep \"NET_RAW\" containers.conf > /dev/null
then
sed -i '/^default_capabilities/a \
"NET_RAW",' containers.conf
fi
if ! grep ^short-name-mode.*= registries.conf
then
echo "# Enforcing mode for short names is default for RHEL9." >> registries.conf
echo 'short-name-mode = "enforcing"' >> registries.conf
else
sed -i 's/^short-name-mode.*=.*/short-name-mode = "enforcing"/' registries.conf
fi
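Review bot: `ensure containers.conf short-names-mode \"enforcing\"` does not replace the block it displaces (`echo 'short-name-mode = "enforcing"' >> registries.conf` and the matching `sed` on registries.conf): the setting belongs to registries.conf and its key is `short-name-mode`, so after this change the enforcing short-name mode is no longer written anywhere and an unknown key is appended to containers.conf instead. Three more points in this hunk: the old `sed` rewrites for `unqualified-search-registries` and `events_logger` are kept after the new `ensure` calls for the same keys with different values, so when the key is present only as a comment, `ensure` appends an uncommented line and the `sed` then uncomments the original, leaving two assignments of one key, which TOML parsers reject; the append branch of `ensure` (`echo "$2 = \"$3\"" >> $1`) adds a second pair of quotes although every caller already passes the value quoted, producing `driver = ""overlay""` for a key absent from the file; and the `grep` in `ensure` accepts any run of blanks before `=` (`[[:blank:]].*=`) while the `sed` matches exactly one (`[[:blank:]]=`), so a key written as `key  = value` is detected but never rewritten.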