diff --git a/.containers-common.metadata b/.containers-common.metadata index e69de29..d153956 100644 --- a/.containers-common.metadata +++ b/.containers-common.metadata @@ -0,0 +1 @@ +a72daf8585b41529269cdffcca3a0b3d4e2f21cd SOURCES/RPM-GPG-KEY-redhat-beta diff --git a/.gitignore b/.gitignore index e69de29..8caeece 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/RPM-GPG-KEY-redhat-beta diff --git a/SOURCES/Containerfile.5.md b/SOURCES/Containerfile.5.md index 141e99d..90226bc 100644 --- a/SOURCES/Containerfile.5.md +++ b/SOURCES/Containerfile.5.md @@ -118,7 +118,7 @@ Current supported mount TYPES are bind, cache, secret and tmpfs. · dst, destination, target: mount destination spec. - · ro, read-only: true or false (default). + · ro, read-only: true (default) or false. Options specific to bind: @@ -128,6 +128,8 @@ Current supported mount TYPES are bind, cache, secret and tmpfs. · from: stage or image name for the root of the source. Defaults to the build context. + · rw, read-write: allows writes on the mount. + Options specific to tmpfs: · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. @@ -150,6 +152,8 @@ Current supported mount TYPES are bind, cache, secret and tmpfs. · from: stage name for the root of the source. Defaults to host cache directory. + · rw, read-write: allows writes on the mount. + **RUN Secrets** diff --git a/SOURCES/containers-storage.conf.5.md b/SOURCES/containers-storage.conf.5.md index e5cc7c0..877c6ea 100644 --- a/SOURCES/containers-storage.conf.5.md +++ b/SOURCES/containers-storage.conf.5.md @@ -27,45 +27,37 @@ No bare options are used. The format of TOML can be simplified to: The `storage` table supports the following options: **driver**="" - container storage driver - Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. - This field is required to guarantee proper operation. - Valid rootless drivers are "btrfs", "overlay", and "vfs". - Rootless users default to the driver defined in the system configuration when possible. - When the system configuration uses an unsupported rootless driver, rootless users default to "overlay" if available, otherwise "vfs". + Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. +This field is required to guarantee proper operation. +Valid rootless drivers are "btrfs", "overlay", and "vfs". +Rootless users default to the driver defined in the system configuration when possible. +When the system configuration uses an unsupported rootless driver, rootless users default to "overlay" if available, otherwise "vfs". **graphroot**="" container storage graph dir (default: "/var/lib/containers/storage") - Default directory to store all writable content created by container storage programs. - The rootless graphroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) - When changing the graphroot location on an SELINUX system, ensure - the labeling matches the default locations labels with the - following commands: +Default directory to store all writable content created by container storage programs. +The rootless graphroot path supports environment variable substitutions (ie. `$HOME/containers/storage`). +When changing the graphroot location on an SELINUX system, ensure the labeling matches the default locations labels with the following commands: ``` # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH ``` - In Rootless Mode you would set +In rootless mode you would set ``` # semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH $ restorecon -R -v /NEWSTORAGEPATH ``` **rootless_storage_path**="$HOME/.local/share/containers/storage" - Storage path for rootless users. By default the graphroot for rootless users - is set to `$XDG_DATA_HOME/containers/storage`, if XDG_DATA_HOME is set. - Otherwise `$HOME/.local/share/containers/storage` is used. This field can - be used if administrators need to change the storage location for all users. - The rootless storage path supports environment variable substitutions (ie. `$HOME/containers/storage`) + Storage path for rootless users. By default the graphroot for rootless users is set to `$XDG_DATA_HOME/containers/storage`, if XDG_DATA_HOME is set. Otherwise `$HOME/.local/share/containers/storage` is used. This field can be used if administrators need to change the storage location for all users. The rootless storage path supports environment variable substitutions (ie. `$HOME/containers/storage`) - A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). +A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). **runroot**="" container storage run dir (default: "/run/containers/storage") - Default directory to store all temporary writable content created by container storage programs. - The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) +Default directory to store all temporary writable content created by container storage programs. The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) ### STORAGE OPTIONS TABLE @@ -216,21 +208,20 @@ The `storage.options.overlay` table supports the following options: **force_mask** = "0000|shared|private" ForceMask specifies the permissions mask that is used for new files and -directories. -The values "shared" and "private" are accepted. (default: ""). Octal permission +directories. The values "shared" and "private" are accepted. (default: ""). Octal permission masks are also accepted. - ``: Not set - All files/directories, get set with the permissions identified within the +- ``: Not set + All files/directories, get set with the permissions identified within the image. - `private`: it is equivalent to 0700. - All files/directories get set with 0700 permissions. The owner has rwx +- `private`: it is equivalent to 0700. + All files/directories get set with 0700 permissions. The owner has rwx access to the files. No other users on the system can access the files. This setting could be used with networked based home directories. - `shared`: it is equivalent to 0755. - The owner has rwx access to the files and everyone else can read, access +- `shared`: it is equivalent to 0755. + The owner has rwx access to the files and everyone else can read, access and execute them. This setting is useful for sharing containers storage with other users. For instance, a storage owned by root could be shared to rootless users as an additional store. @@ -244,7 +235,7 @@ Note: The force_mask Flag is an experimental feature, it could change in the future. When "force_mask" is set the original permission mask is stored in the "user.containers.override_stat" xattr and the "mount_program" option must be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended -attribute permissions to processes within containers rather then the +attribute permissions to processes within containers rather than the "force_mask" permissions. **mount_program**="" diff --git a/SOURCES/containers-transports.5.md b/SOURCES/containers-transports.5.md index 6c94d0a..b79f1e5 100644 --- a/SOURCES/containers-transports.5.md +++ b/SOURCES/containers-transports.5.md @@ -11,6 +11,11 @@ containers-transports - description of supported transports for copying and stor Tools which use the containers/image library, including skopeo(1), buildah(1), podman(1), all share a common syntax for referring to container images in various locations. The general form of the syntax is _transport:details_, where details are dependent on the specified transport, which are documented below. +The semantics of the image names ultimately depend on the environment where +they are evaluated. For example: if evaluated on a remote server, image names +might refer to paths on that server; relative paths are relative to the current +directory of the image consumer. + ### **containers-storage**:[**[**storage-specifier**]**]{image-id|docker-reference[@image-id]} An image located in a local containers storage. diff --git a/SOURCES/containers.conf b/SOURCES/containers.conf index 6db7a94..89dcc55 100644 --- a/SOURCES/containers.conf +++ b/SOURCES/containers.conf @@ -53,7 +53,7 @@ # the default capabilities defined in the container engine will be added. # default_capabilities = [ - "NET_RAW", + "NET_RAW", "CHOWN", "DAC_OVERRIDE", "FOWNER", @@ -610,6 +610,12 @@ runtime = "runc" # #volume_path = "/var/lib/containers/storage/volumes" +# Default timeout (in seconds) for volume plugin operations. +# Plugins are external programs accessed via a REST API; this sets a timeout +# for requests to that API. +# A value of 0 is treated as no timeout. +#volume_plugin_timeout = 5 + # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) [engine.runtimes] #crun = [ @@ -670,9 +676,16 @@ runtime = "runc" # #disk_size=10 -# The image used when creating a podman-machine VM. +# Default image URI when creating a new VM using `podman machine init`. +# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major +# version of the OS (e.g `36`) for Fedora 36. For all platforms you can +# alternatively specify a custom download URL to an image. Container engines +# translate URIs $OS and $ARCH to the native OS and ARCH. URI +# "https://example.com/$OS/$ARCH/foobar.ami" becomes +# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. +# The default value is `testing`. # -#image = "testing" +# image = "testing" # Memory in MB a machine is created with. # diff --git a/SOURCES/containers.conf.5.md b/SOURCES/containers.conf.5.md index 1f2bd5e..b64e475 100644 --- a/SOURCES/containers.conf.5.md +++ b/SOURCES/containers.conf.5.md @@ -197,9 +197,9 @@ the container. Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. -**log_driver**="k8s-file" +**log_driver**="" -Logging driver for the container. Available options: `k8s-file` and `journald`. +Logging driver for the container. Currently available options are k8s-file, journald, none and passthrough, with json-file aliased to k8s-file for scripting compatibility. The journald driver is used by default if the systemd journal is readable and writable. Otherwise, the k8s-file driver is used. **log_size_max**=-1 @@ -441,7 +441,7 @@ and the logfile will not be rotated. **events_logger**="journald" -The default method to use when logging events. +The default method to use when logging events. The default method is different based on the platform that Podman is being run upon. To determine the current value, @@ -711,11 +711,13 @@ The size of the disk in GB created when init-ing a podman-machine VM **image**="" -Default image used when creating a new VM using `podman machine init`. +Default image URI when creating a new VM using `podman machine init`. Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major -version of the OS (e.g `35`). For all platforms you can alternatively specify -a custom path or download URL to an image. The default is `testing` on -Linux/Mac, and `35` on Windows. +version of the OS (e.g `36`) for Fedora 36. For all platforms you can +alternatively specify a custom download URL to an image. Container engines +translate URIs $OS and $ARCH to the native OS and ARCH. URI "https://example.com/$OS/$ARCH/foobar.ami" would become "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. +The default value +is `testing` on Linux/Mac, and on Windows. **memory**=2048 diff --git a/SOURCES/default.yaml b/SOURCES/default.yaml index fa2ea36..a7f3d28 100644 --- a/SOURCES/default.yaml +++ b/SOURCES/default.yaml @@ -1,8 +1,8 @@ # This is a default registries.d configuration file. You may # add to this file or create additional files in registries.d/. # -# lookaside: indicates a location that is read and write -# lookaside-staging: indicates a location that is only for write +# lookaside: for reading/writing simple signing signatures +# lookaside-staging: for writing simple signing signatures, preferred over lookaside # # lookaside and lookaside-staging take a value of the following: # lookaside: {schema}://location @@ -10,10 +10,12 @@ # For reading signatures, schema may be http, https, or file. # For writing signatures, schema may only be file. -# This is the default signature write location for docker registries. +# The default locations are built-in, for both reading and writing: +# /var/lib/containers/sigstore for root, or +# ~/.local/share/containers/sigstore for non-root users. default-docker: -# lookaside: file:///var/lib/containers/sigstore - lookaside-staging: file:///var/lib/containers/sigstore +# lookaside: https://… +# lookaside-staging: file:///… # The 'docker' indicator here is the start of the configuration # for docker registries. @@ -21,6 +23,6 @@ default-docker: # docker: # # privateregistry.com: -# lookaside: http://privateregistry.com/sigstore/ +# lookaside: https://privateregistry.com/sigstore/ # lookaside-staging: /mnt/nfs/privateregistry/sigstore diff --git a/SOURCES/shortnames.conf b/SOURCES/shortnames.conf index 4dfba37..2009c4c 100644 --- a/SOURCES/shortnames.conf +++ b/SOURCES/shortnames.conf @@ -3,7 +3,7 @@ "almalinux" = "docker.io/library/almalinux" "almalinux-minimal" = "docker.io/library/almalinux-minimal" # Arch Linux - "archlinux" = "docker.io/archlinux/archlinux" + "archlinux" = "docker.io/library/archlinux" # centos "centos" = "quay.io/centos/centos" # containers @@ -42,6 +42,10 @@ "sles12sp5" = "registry.suse.com/suse/sles12sp5" "sles12sp4" = "registry.suse.com/suse/sles12sp4" "sles12sp3" = "registry.suse.com/suse/sles12sp3" + "bci/bci-base" = "registry.suse.com/bci/bci-base" + "bci/bci-micro" = "registry.suse.com/bci/bci-micro" + "bci/bci-minimal" = "registry.suse.com/bci/bci-minimal" + "bci/bci-busybox" = "registry.suse.com/bci/bci-busybox" # Red Hat Enterprise Linux "rhel" = "registry.access.redhat.com/rhel" "rhel6" = "registry.access.redhat.com/rhel6" @@ -111,5 +115,7 @@ "php" = "docker.io/library/php" # python "python" = "docker.io/library/python" + # rust + "rust" = "docker.io/library/rust" # node "node" = "docker.io/library/node" diff --git a/SOURCES/storage.conf b/SOURCES/storage.conf index e26d02b..806af8f 100644 --- a/SOURCES/storage.conf +++ b/SOURCES/storage.conf @@ -1,4 +1,4 @@ -# This file is is the configuration file for all tools +# This file is the configuration file for all tools # that use the containers/storage library. The storage.conf file # overrides all other storage.conf files. Container engines using the # container/storage library do not inherit fields from other storage.conf @@ -150,7 +150,7 @@ mountopt = "nodev,metacopy=on" # future. When "force_mask" is set the original permission mask is stored in # the "user.containers.override_stat" xattr and the "mount_program" option must # be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the -# extended attribute permissions to processes within containers rather then the +# extended attribute permissions to processes within containers rather than the # "force_mask" permissions. # # force_mask = "" diff --git a/SOURCES/update.sh b/SOURCES/update.sh index 2e83bac..6a6e38d 100755 --- a/SOURCES/update.sh +++ b/SOURCES/update.sh @@ -31,6 +31,11 @@ ensure containers.conf runtime \"runc\" ensure containers.conf events_logger \"file\" ensure containers.conf log_driver \"k8s-file\" ensure containers.conf network_backend \"cni\" +if ! grep \"NET_RAW\" containers.conf > /dev/null +then + sed -i '/^default_capabilities/a \ + "NET_RAW",' containers.conf +fi else ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] ensure registries.conf short-name-mode \"enforcing\" @@ -40,8 +45,3 @@ fi "keyctl",' seccomp.json sed -i '/\"socketcall\",/i \ "socket",' seccomp.json -if ! grep \"NET_RAW\" containers.conf > /dev/null -then - sed -i '/^default_capabilities/a \ - "NET_RAW",' containers.conf -fi diff --git a/SPECS/containers-common.spec b/SPECS/containers-common.spec index ff213c1..8666dc3 100644 --- a/SPECS/containers-common.spec +++ b/SPECS/containers-common.spec @@ -4,15 +4,15 @@ # pick the oldest version on c/image, c/common, c/storage vendored in # podman/skopeo/podman. %global skopeo_branch main -%global image_branch v5.22.0 -%global common_branch v0.49.1 -%global storage_branch v1.42.0 +%global image_branch v5.23.0 +%global common_branch v0.50.1 +%global storage_branch v1.43.0 %global shortnames_branch main Epoch: 2 Name: containers-common Version: 1 -Release: 40%{?dist} +Release: 49%{?dist} Summary: Common configuration and documentation for containers License: ASL 2.0 # arch limitation because of go-md2man (missing on i686) @@ -62,6 +62,7 @@ Source25: https://raw.githubusercontent.com/containers/skopeo/%{skopeo_branch}/d # FIXME: fix the branch once these are available via regular c/common branch Source26: https://raw.githubusercontent.com/containers/common/main/docs/Containerfile.5.md Source27: https://raw.githubusercontent.com/containers/common/main/docs/containerignore.5.md +Source28: RPM-GPG-KEY-redhat-beta # scripts used for synchronization with upstream and shortname generation Source100: update.sh @@ -92,6 +93,7 @@ install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf %if !0%{?rhel} || 0%{?centos} install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg +install -m0644 %{SOURCE28} %{buildroot}%{_sysconfdir}/pki/rpm-gpg %endif install -dp %{buildroot}%{_sysconfdir}/containers/registries.d install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d @@ -150,6 +152,7 @@ EOF %dir %{_sysconfdir}/containers/registries.conf.d %if !0%{?rhel} || 0%{?centos} %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta %endif %config(noreplace) %{_sysconfdir}/containers/policy.json %config(noreplace) %{_sysconfdir}/containers/storage.conf @@ -169,6 +172,42 @@ EOF %{_datadir}/rhel/secrets/* %changelog +* Mon Jan 02 2023 Jindrich Novy - 2:1-49 +- update vendored components and configuration files +- Related: #2123641 + +* Fri Dec 02 2022 Jindrich Novy - 2:1-48 +- update vendored components and configuration files +- Related: #2123641 + +* Mon Nov 14 2022 Jindrich Novy - 2:1-47 +- enable NET_RAW capability for RHEL8 only +- Related: #2123641 + +* Tue Nov 08 2022 Jindrich Novy - 2:1-46 +- update vendored components and configuration files +- Related: #2123641 + +* Fri Oct 21 2022 Jindrich Novy - 2:1-45 +- update vendored components and configuration files +- Related: #2123641 + +* Mon Oct 17 2022 Jindrich Novy - 2:1-44 +- update vendored components and configuration files +- Related: #2123641 + +* Thu Oct 06 2022 Jindrich Novy - 2:1-43 +- update vendored components and configuration files +- Related: #2123641 + +* Wed Sep 21 2022 Jindrich Novy - 2:1-42 +- update vendored components and configuration files +- Related: #2123641 + +* Tue Sep 06 2022 Jindrich Novy - 2:1-41 +- add beta GPG key +- Related: #2123641 + * Tue Aug 23 2022 Jindrich Novy - 2:1-40 - add beta keys to default-policy.json - Related: #2061390