From c81977971cd986be75df0ba1760e2b14a09809d0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 14 2021 08:23:46 +0000 Subject: import skopeo-1.2.1-3.module+el8.4.0+9425+98db097b --- diff --git a/.gitignore b/.gitignore index d6abdc6..b04b3dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/release-1.2-2b4097b.tar.gz +SOURCES/skopeo-1.2.1-bdb117d.tar.gz diff --git a/.skopeo.metadata b/.skopeo.metadata index 9e4b852..7586433 100644 --- a/.skopeo.metadata +++ b/.skopeo.metadata @@ -1 +1 @@ -61fb0362a46065dd096e03a13b9cc81d1ba469f6 SOURCES/release-1.2-2b4097b.tar.gz +191b067e524955936681ffad54b08186ff4dac99 SOURCES/skopeo-1.2.1-bdb117d.tar.gz diff --git a/SOURCES/containers-auth.json.5.md b/SOURCES/containers-auth.json.5.md index 4921f01..e85d79c 100644 --- a/SOURCES/containers-auth.json.5.md +++ b/SOURCES/containers-auth.json.5.md @@ -6,8 +6,15 @@ containers-auth.json - syntax for the registry authentication file # DESCRIPTION A credentials file in JSON format used to authenticate against container image registries. -On Linux it is stored at `${XDG_RUNTIME_DIR}/containers/auth.json`; -on Windows and macOS, at `$HOME/.config/containers/auth.json` +The primary (read/write) file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux; +on Windows and macOS, at `$HOME/.config/containers/auth.json`. + +When searching for the credential for a registry, the following files will be read in sequence until the valid credential is found: +first reading the primary (read/write) file, or the explicit override using an option of the calling application. +If credentials are not present, search in `${XDG\_CONFIG\_HOME}/containers/auth.json`, `$HOME/.docker/config.json`, `$HOME/.dockercfg`. + +Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override. + ## FORMAT diff --git a/SOURCES/containers-policy.json.5.md b/SOURCES/containers-policy.json.5.md index 9c6b43e..f0d416e 100644 --- a/SOURCES/containers-policy.json.5.md +++ b/SOURCES/containers-policy.json.5.md @@ -177,7 +177,7 @@ One of the following alternatives are supported: ```json {"type":"matchRepoDigestOrExact"} ``` -- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifing an exact image version. +- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifying an exact image version. ```json {"type":"matchRepository"} @@ -200,6 +200,30 @@ One of the following alternatives are supported: "dockerRepository": docker_repository_value } ``` +- Prefix remapping: + + If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix” + (otherwise it is used as unchanged and no remapping takes place); + matching then follows the `matchRepoDigestOrExact` semantics documented above + (i.e. if the image identity carries a tag, the identity in the signature must exactly match, + if it uses a digest reference, the repository must match). + + The `prefix` and `signedPrefix` values can be either host[:port] values + (matching exactly the same host[:port], string), + repository namespaces, or repositories (i.e. they must not contain tags/digests), + and match as prefixes *of the fully expanded form*. + For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository, + or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`). + + The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement. + + ```js + { + "type": "remapIdentity", + "prefix": prefix, + "signedPrefix": prefix, + } + ``` If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`. @@ -260,6 +284,21 @@ selectively allow individual transports and scopes as desired. "keyType": "GPGKeys", "keyPath": "/path/to/reviewer-pubkey.gpg" } + ], + /* A way to mirror many repositories from a single vendor */ + "private-mirror:5000/vendor-mirror": [ + { /* Require the image to be signed by the original vendor, using the vendor's repository location. + For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as + vendor.example/productA/image1:latest . */ + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/path/to/vendor-pubkey.gpg", + "signedIdentity": { + "type": "remapIdentity", + "prefix": "private-mirror:5000/vendor-mirror", + "signedPrefix": "vendor.example.com", + } + } ] } } diff --git a/SOURCES/containers-registries.conf.5.md b/SOURCES/containers-registries.conf.5.md index 8cfa995..98b8a8d 100644 --- a/SOURCES/containers-registries.conf.5.md +++ b/SOURCES/containers-registries.conf.5.md @@ -102,6 +102,75 @@ internet without having to change `Dockerfile`s, or to add redundancy). *Note*: Redirection and mirrors are currently processed only when reading images, not when pushing to a registry; that may change in the future. +#### Short-Name Aliasing +The use of unqualified-search registries entails an ambiguity as it is +unclear from which registry a given image, referenced by a short name, +may be pulled from. + +As mentioned in the note at the end of this man page, using short names is +subject to the risk of hitting squatted registry namespaces. If the +unqualified-search registries are set to `["registry1.com", "registry2.com"]` +an attacker may take over a namespace of registry1.com such that an image may +be pulled from registry1.com instead of the intended source registry2.com. + +While it is highly recommended to always use fully-qualified image references, +existing deployments using short names may not be easily changed. To +circumvent the aforementioned ambiguity, so called short-name aliases can be +configured that point to a fully-qualified image +reference. + +Short-name aliases can be configured in the `[aliases]` table in the form of +`"name"="value"` with the left-hand `name` being the short name (e.g., "image") +and the right-hand `value` being the fully-qualified image reference (e.g., +"registry.com/namespace/image"). Note that neither "name" nor "value" can +include a tag or digest. Moreover, "name" must be a short name and hence +cannot include a registry domain or refer to localhost. + +When pulling a short name, the configured aliases table will be used for +resolving the short name. If a matching alias is found, it will be used +without further consulting the unqualified-search registries list. If no +matching alias is found, the behavior can be controlled via the +`short-name-mode` option as described below. + +Note that tags and digests are stripped off a user-specified short name for +alias resolution. Hence, "image", "image:tag" and "image@digest" all resolve +to the same alias (i.e., "image"). Stripped off tags and digests are later +appended to the resolved alias. + +Further note that drop-in configuration files (see containers-registries.conf.d(5)) +can override aliases in the specific loading order of the files. If the "value" of +an alias is empty (i.e., ""), the alias will be erased. However, a given +"name" may only be specified once in a single config file. + + +#### Short-Name Aliasing: Modes + +The `short-name-mode` option supports three modes to control the behaviour of +short-name resolution. + +* `enforcing`: If only one unqualified-search registry is set, use it as there + is no ambiguity. If there is more than one registry and the user program is + running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to + select one of the specified search registries. If the program is not running + in a terminal, the ambiguity cannot be resolved which will lead to an error. + +* `permissive`: Behaves as enforcing but does not lead to an error if the + program is not running in a terminal. Instead, fallback to using all + unqualified-search registries. + +* `disabled`: Use all unqualified-search registries without prompting. + +If `short-name-mode` is not specified at all or left empty, default to the +`permissive` mode. If the user-specified short name was not aliased already, +the `enforcing` and `permissive` mode if prompted, will record a new alias +after a successful pull. Note that the recorded alias will be written to +`$XDG_CONFIG_HOME/containers/short-name-aliases.conf` to have a clear +separation between possibly human-edited registries.conf files and the +machine-generated `short-name-aliases-conf`. Note that `$HOME/.config` is used +if `$XDG_CONFIG_HOME` is not set. If an alias is specified in a +`registries.conf` file and also the machine-generated +`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence. + #### Normalization of docker.io references The Docker Hub `docker.io` is handled in a special way: every push and pull diff --git a/SOURCES/containers-registries.d.5.md b/SOURCES/containers-registries.d.5.md index 892f617..ad58087 100644 --- a/SOURCES/containers-registries.d.5.md +++ b/SOURCES/containers-registries.d.5.md @@ -61,6 +61,11 @@ more general scopes is ignored. For example, if _any_ configuration exists for `docker.io/library/busybox`, the configuration for `docker.io` is ignored (even if some element of the configuration is defined for `docker.io` and not for `docker.io/library/busybox`). +### Built-in Defaults + +If no `docker` section can be found for the container image, and no `default-docker` section is configured, +the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures. + ## Individual Configuration Sections A single configuration section is selected for a container image using the process @@ -77,6 +82,7 @@ described above. The configuration section is a YAML mapping, with the followin This key is optional; if it is missing, no signature storage is defined (no signatures are download along with images, adding new signatures is possible only if `sigstore-staging` is defined). + ## Examples ### Using Containers from Various Origins diff --git a/SOURCES/containers-signature.5.md b/SOURCES/containers-signature.5.md index 9f2ba93..1b18ff0 100644 --- a/SOURCES/containers-signature.5.md +++ b/SOURCES/containers-signature.5.md @@ -224,7 +224,7 @@ The contents of this string is not defined in detail; however each implementatio Consumers of container signatures MAY recognize specific values or sets of values of `optional.creator` (perhaps augmented with `optional.timestamp`), and MAY change their processing of the signature based on these values -(usually to acommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively), +(usually to accommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively), as long as the semantics of the invalid document, as created by such an implementation, is clear. If consumers of signatures do change their behavior based on the `optional.creator` value, diff --git a/SOURCES/containers-storage.conf.5.md b/SOURCES/containers-storage.conf.5.md index b229583..ba6fcaa 100644 --- a/SOURCES/containers-storage.conf.5.md +++ b/SOURCES/containers-storage.conf.5.md @@ -27,8 +27,9 @@ No bare options are used. The format of TOML can be simplified to: The `storage` table supports the following options: **driver**="" - container storage driver (default: "overlay") + container storage driver Default Copy On Write (COW) container storage driver. Valid drivers are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs", and "aufs") may not work if your kernel lacks support for the filesystem. + This field is requiered to guarantee proper operation. **graphroot**="" container storage graph dir (default: "/var/lib/containers/storage") @@ -45,7 +46,7 @@ The `storage` table supports the following options: A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS). **runroot**="" - container storage run dir (default: "/var/run/containers/storage") + container storage run dir (default: "/run/containers/storage") Default directory to store all temporary writable content created by container storage programs. The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`) @@ -75,7 +76,7 @@ The `storage.options` table supports the following options: remap-group = "containers" **root-auto-userns-user**="" - Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless. + Root-auto-userns-user is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned to containers configured to create automatically a user namespace. Containers configured to automatically create a user namespace can still overlap with containers having an explicit mapping set. This setting is ignored when running as rootless. **auto-userns-min-size**=1024 Auto-userns-min-size is the minimum size for a user namespace created automatically. @@ -149,7 +150,7 @@ The `storage.options.thinpool` table supports the following options for the `dev Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page. **size**="" - Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: [], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) + Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: [], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) **use_deferred_deletion**="" Marks thinpool device for deferred deletion. If the thinpool is in use when the driver attempts to delete it, the driver will attempt to delete device every 30 seconds until successful, or when it restarts. Deferred deletion permanently deletes the device and all data stored in the device will be lost. (default: true). @@ -167,6 +168,39 @@ The `storage.options.overlay` table supports the following options: **ignore_chown_errors** = "false" ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false) +**force_mask** = "0000|shared|private" + ForceMask specifies the permissions mask that is used for new files and +directories. +The values "shared" and "private" are accepted. (default: ""). Octal permission +masks are also accepted. + + ``: Not set + All files/directories, get set with the permissions identified within the +image. + + `private`: it is equivalent to 0700. + All files/directories get set with 0700 permissions. The owner has rwx +access to the files. No other users on the system can access the files. +This setting could be used with networked based home directories. + + `shared`: it is equivalent to 0755. + The owner has rwx access to the files and everyone else can read, access +and execute them. This setting is useful for sharing containers storage +with other users. For instance, a storage owned by root could be shared +to rootless users as an additional store. +NOTE: All files within the image are made readable and executable by any +user on the system. Even /etc/shadow within your image is now readable by +any user. + + `OCTAL`: Users can experiment with other OCTAL Permissions. + +Note: The force_mask Flag is an experimental feature, it could change in the +future. When "force_mask" is set the original permission mask is stored in the +"user.containers.override_stat" xattr and the "mount_program" option must be +specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended +attribute permissions to processes within containers rather then the +"force_mask" permissions. + **mount_program**="" Specifies the path to a custom program to use instead of using kernel defaults for mounting the file system. In rootless mode, without the CAP_SYS_ADMIN @@ -221,7 +255,7 @@ The semanage command above tells SELinux to setup the default labeling of `NEWST Now all new content created in these directories will automatically be created with the correct label. ## SEE ALSO -`semanage(8)`, `restorecon(8)`, `mount(8)` +`semanage(8)`, `restorecon(8)`, `mount(8)`, `fuse-overlayfs(1)` ## FILES diff --git a/SOURCES/containers.conf b/SOURCES/containers.conf index e657b58..2fc46ee 100644 --- a/SOURCES/containers.conf +++ b/SOURCES/containers.conf @@ -52,36 +52,35 @@ # Options are: # `enabled` Enable cgroup support within container # `disabled` Disable cgroup support, will inherit cgroups from parent -# `no-conmon` Container engine runs run without conmon +# `no-conmon` Do not create a cgroup dedicated to conmon. # # cgroups = "enabled" # List of default capabilities for containers. If it is empty or commented out, # the default capabilities defined in the container engine will be added. # -# default_capabilities = [ -# "AUDIT_WRITE", -# "CHOWN", -# "DAC_OVERRIDE", -# "FOWNER", -# "FSETID", -# "KILL", -# "MKNOD", -# "NET_BIND_SERVICE", -# "NET_RAW", -# "SETGID", -# "SETPCAP", -# "SETUID", -# "SYS_CHROOT", -# ] +default_capabilities = [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "FSETID", + "KILL", + "NET_BIND_SERVICE", + "SETFCAP", + "SETGID", + "SETPCAP", + "SETUID", + "SYS_CHROOT" +] + # A list of sysctls to be set in containers by default, # specified as "name=value", -# for example:"net.ipv4.ping_group_range = 0 1000". +# for example:"net.ipv4.ping_group_range = 0 0". # -# default_sysctls = [ -# "net.ipv4.ping_group_range=0 1000", -# ] +default_sysctls = [ + "net.ipv4.ping_group_range=0 0", +] # A list of ulimits to be set in containers by default, specified as # "=:", for example: @@ -147,9 +146,13 @@ # # ipcns = "private" -# Flag tells container engine to whether to use container separation using -# MAC(SELinux)labeling or not. -# Flag is ignored on label disabled systems. +# keyring tells the container engine whether to create +# a kernel keyring for use within the container. +# keyring = true + +# label tells the container engine whether to use container separation using +# MAC(SELinux) labeling or not. +# The label flag is ignored on label disabled systems. # # label = true @@ -243,6 +246,9 @@ # network_config_dir = "/etc/cni/net.d/" [engine] +# ImageBuildFormat indicates the default image format to building +# container images. Valid values are "oci" (default) or "docker". +# image_build_format = "oci" # Cgroup management implementation used for the runtime. # Valid options "systemd" or "cgroupfs" @@ -342,6 +348,11 @@ events_logger = "file" # # network_cmd_path="" +# Default options to pass to the slirp4netns binary. +# For example "allow_host_loopback=true" +# +# network_cmd_options=[] + # Whether to use chroot instead of pivot_root in the runtime # # no_pivot_root = false @@ -355,6 +366,11 @@ events_logger = "file" # Whether to pull new image before running a container # pull_policy = "missing" +# Indicates whether the application should be running in remote mode. This flag modifies the +# --remote option on container engines. Setting the flag to true will default +# `podman --remote=true` for access to the remote Podman service. +# remote = false + # Directory for persistent engine files (database, etc) # By default, this will be configured relative to where the containers/storage # stores containers @@ -364,7 +380,7 @@ events_logger = "file" # Directory for temporary files. Must be tmpfs (wiped after reboot) # -# tmp_dir = "/var/run/libpod" +# tmp_dir = "/run/libpod" # Directory for libpod named volumes. # By default, this will be configured relative to where containers/storage @@ -375,7 +391,7 @@ events_logger = "file" # Default OCI runtime # -# runtime = "runc" +# runtime = "crun" # List of the OCI runtimes that support --format=json. When json is supported # engine will use it for reporting nicer errors. @@ -409,18 +425,8 @@ events_logger = "file" # Path to file containing ssh identity key # identity = "~/.ssh/id_rsa" -# Paths to look for a valid OCI runtime (runc, runv, kata, etc) +# Paths to look for a valid OCI runtime (crun, runc, kata, etc) [engine.runtimes] -# runc = [ -# "/usr/bin/runc", -# "/usr/sbin/runc", -# "/usr/local/bin/runc", -# "/usr/local/sbin/runc", -# "/sbin/runc", -# "/bin/runc", -# "/usr/lib/cri-o-runc/sbin/runc", -# ] - # crun = [ # "/usr/bin/crun", # "/usr/sbin/crun", @@ -431,6 +437,16 @@ events_logger = "file" # "/run/current-system/sw/bin/crun", # ] +# runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +# ] + # kata = [ # "/usr/bin/kata-runtime", # "/usr/sbin/kata-runtime", @@ -442,8 +458,11 @@ events_logger = "file" # "/usr/bin/kata-fc", # ] -# The [engine.runtimes] table MUST be the last entry in this file. +[engine.volume_plugins] +# testplugin = "/run/podman/plugins/test.sock" + +# The [engine.volume_plugins] table MUST be the last entry in this file. # (Unless another table is added) # TOML does not provide a way to end a table other than a further table being -# defined, so every key hereafter will be part of [runtimes] and not the main -# config. +# defined, so every key hereafter will be part of [volume_plugins] and not the +# main config. diff --git a/SOURCES/containers.conf.5.md b/SOURCES/containers.conf.5.md index 7352649..678eafb 100644 --- a/SOURCES/containers.conf.5.md +++ b/SOURCES/containers.conf.5.md @@ -50,12 +50,14 @@ configure and manage the OCI runtime. List of devices. Specified as 'device-on-host:device-on-container:permissions'. + Example: "/dev/sdc:/dev/xvdc:rwm". **volumes**=[] List of volumes. Specified as "directory-on-host:directory-in-container:options". + Example: "/db:/var/lib/db:ro". **apparmor_profile**="container-default" @@ -76,7 +78,7 @@ Determines whether the container will create CGroups. Options are: `enabled` Enable cgroup support within container `disabled` Disable cgroup support, will inherit cgroups from parent - `no-conmon` Container engine runs run without conmon + `no-conmon` Do not create a cgroup dedicated to conmon. **default_capabilities**=[] @@ -105,12 +107,14 @@ default_capabilities = [ A list of sysctls to be set in containers by default, specified as "name=value". + Example:"net.ipv4.ping_group_range=0 1000". **default_ulimits**=[] A list of ulimits to be set in containers by default, specified as "name=soft-limit:hard-limit". + Example: "nofile=1024:2048". **dns_options**=[] @@ -138,7 +142,7 @@ environment variables to the container. Pass all host environment variables into the container. -**http_proxy**=false +**http_proxy**=true Default proxy environment variables will be passed into the container. The environment variables passed in include: @@ -164,9 +168,14 @@ Options are: `private` Create private IPC Namespace for the container. `host` Share host IPC Namespace with the container. +**keyring**=true + +Indicates whether the container engines create a kernel keyring for use within +the container. + **label**=true -Indicates whether the container engines use MAC(SELinux) container separation via via labeling. Flag is ignored on disabled systems. +Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems. **log_driver**="k8s-file" @@ -222,6 +231,7 @@ the system uses `65536k`. Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine. If not set, then containers will run with the time zone specified in the image. + Examples: `tz="local"` `tz="America/New_York"` @@ -268,6 +278,9 @@ Path to the directory where CNI configuration files are located. ## ENGINE TABLE The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. +**image_build_format**="oci" +The default image format to building container images. Valid values are "oci" (default) or "docker". + **cgroup_check**=false CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2. @@ -372,6 +385,12 @@ and pods are visible. Path to the slirp4netns binary. +**network_cmd_options**=[] + +Default options to pass to the slirp4netns binary. + +Example "allow_host_loopback=true" + **no_pivot_root**=false Whether to use chroot instead of pivot_root in the runtime. @@ -390,6 +409,7 @@ Name of destination for accessing the Podman service. **[service_destinations]** **[service_destinations.{name}]** + **uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"** Example URIs: @@ -411,10 +431,15 @@ Pull image before running or creating a container. The default is **missing**. - **always**: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. - **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally. -**runtime**="crun" +**remote** = false +Indicates whether the application should be running in remote mode. This flag modifies the +--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service. + +**runtime**="" Default OCI specific runtime in runtimes that will be used by default. Must -refer to a member of the runtimes table. +refer to a member of the runtimes table. Default runtime will be searched for +on the system using the priority: "crun", "runc", "kata". **runtime_supports_json**=["crun", "runc", "kata"] @@ -438,7 +463,7 @@ stores containers. Number of seconds to wait for container to exit before sending kill signal. -**tmp_dir**="/var/run/libpod" +**tmp_dir**="/run/libpod" The path to a temporary directory to store per-boot container. Must be a tmpfs (wiped after reboot). @@ -451,6 +476,13 @@ By default this will be configured relative to where containers/storage store containers. This convention is followed by the default volume driver, but may not be by other drivers. +**[engine.volume_plugins]** + +A table of all the enabled volume plugins on the system. Volume plugins can be +used as the backend for Podman named volumes. Individual plugins are specified +below, as a map of the plugin name (what the plugin will be called) to its path +(filepath of the plugin's unix socket). + # FILES **containers.conf** diff --git a/SOURCES/seccomp.json b/SOURCES/seccomp.json index ebac9b9..15876ac 100644 --- a/SOURCES/seccomp.json +++ b/SOURCES/seccomp.json @@ -77,6 +77,7 @@ "clock_nanosleep_time64", "clone", "close", + "close_range", "connect", "copy_file_range", "creat", @@ -228,6 +229,8 @@ "openat2", "pause", "pidfd_getfd", + "pidfd_open", + "pidfd_send_signal", "pipe", "pipe2", "pivot_root", @@ -331,7 +334,6 @@ "signalfd4", "sigreturn", "socket", - "socket", "socketcall", "socketpair", "splice", @@ -378,7 +380,6 @@ "utimensat_time64", "utimes", "vfork", - "vmsplice", "wait4", "waitid", "waitpid", diff --git a/SOURCES/shortnames.conf b/SOURCES/shortnames.conf new file mode 100644 index 0000000..0a336e5 --- /dev/null +++ b/SOURCES/shortnames.conf @@ -0,0 +1,55 @@ +[aliases] + # centos + "centos" = "registry.centos.org/centos" + # containers + "skopeo" = "quay.io/skopeo/stable" + "buildah" = "quay.io/buildah/stable" + "podman" = "quay.io/podman/stable" + # docker + "alpine" = "docker.io/library/alpine" + "docker" = "docker.io/library/docker" + "registry" = "docker.io/library/registry" + "hello-world" = "docker.io/library/hello-world" + "swarm" = "docker.io/library/swarm" + # Fedora + "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal" + "fedora" = "registry.fedoraproject.org/fedora" + # openSUSE + "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed" + "opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf" + "opensuse/tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf" + "opensuse/leap" = "registry.opensuse.org/opensuse/leap" + "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox" + "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed" + "tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf" + "tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf" + "leap" = "registry.opensuse.org/opensuse/leap" + "tw-busybox" = "registry.opensuse.org/opensuse/busybox" + # SUSE + "suse/sle15" = "registry.suse.com/suse/sle15" + "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5" + "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4" + "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3" + "sle15" = "registry.suse.com/suse/sle15" + "sles12sp5" = "registry.suse.com/suse/sles12sp5" + "sles12sp4" = "registry.suse.com/suse/sles12sp4" + "sles12sp3" = "registry.suse.com/suse/sles12sp3" + # Red Hat Enterprise Linux + "rhel" = "registry.access.redhat.com/rhel" + "rhel6" = "registry.access.redhat.com/rhel6" + "rhel7" = "registry.access.redhat.com/rhel7" + "ubi7" = "registry.access.redhat.com/ubi7" + "ubi7-init" = "registry.access.redhat.com/ubi7-init" + "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal" + "ubi8" = "registry.access.redhat.com/ubi8" + "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal" + "ubi8-init" = "registry.access.redhat.com/ubi8-init" + "ubi8-micro" = "registry.access.redhat.com/ubi8-micro" + "ubi8/ubi" = "registry.access.redhat.com/ubi8/ubi" + "ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal" + "ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init" + "ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro" + # Debian + "debian" = "docker.io/library/debian" + # Oracle Linux + "oraclelinux" = "container-registry.oracle.com/os/oraclelinux" diff --git a/SOURCES/storage.conf b/SOURCES/storage.conf index 9477b56..7372e5a 100644 --- a/SOURCES/storage.conf +++ b/SOURCES/storage.conf @@ -4,11 +4,11 @@ # The "container storage" table contains all of the server options. [storage] -# Default Storage Driver +# Default Storage Driver, Must be set for proper operation. driver = "overlay" # Temporary storage location -runroot = "/var/run/containers/storage" +runroot = "/run/containers/storage" # Primary Read/Write location of container storage graphroot = "/var/lib/containers/storage" diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec index c2f24ce..762afa2 100644 --- a/SPECS/skopeo.spec +++ b/SPECS/skopeo.spec @@ -11,43 +11,45 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl %endif %global import_path github.com/containers/skopeo -%global branch release-1.2 +#%%global branch release-1.2 # Bellow definitions are used to deliver config files from a particular branch # of c/image, c/common, c/storage vendored in all podman, skopeo, buildah. # These vendored components must have the same version. If it is not the case, # pick the oldest version on c/image, c/common, c/storage vendored in # podman/skopeo/podman. -%global podman_branch v2.2.1-rhel -%global image_branch v5.6.0 -%global common_branch v0.22.0 -%global storage_branch v1.23.5 -%global fedora_branch f32 -%global commit0 2b4097bc13e7ba1d16a5225e2292a5cf88072f63 +%global podman_branch master +%global image_branch v5.9.0 +%global common_branch v0.33.0 +%global storage_branch v1.24.5 +%global shortnames_branch main +%global commit0 bdb117ded6d37f0a6b0a2e28ba3213c20264ab43 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Epoch: 1 Name: skopeo -Version: 1.2.0 -Release: 9%{?dist} +Version: 1.2.1 +Release: 3%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} -# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686 -ExcludeArch: i686 +# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures +#ExclusiveArch: %%{go_arches} +# still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4: +# https://bugzilla.redhat.com/show_bug.cgi?id=1905383 +ExcludeArch: %{ix86} %if 0%{?branch:1} Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz %else Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz %endif -#Source1: https://raw.githubusercontent.com/containers/storage/%%{storage_branch}/storage.conf -Source1: https://src.fedoraproject.org/rpms/skopeo/raw/%{fedora_branch}/f/storage.conf +Source1: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/storage.conf Source2: https://raw.githubusercontent.com/containers/storage/%{storage_branch}/docs/containers-storage.conf.5.md Source3: mounts.conf Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md +#Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf Source5: registries.conf Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md -#Source7: https://raw.githubusercontent.com/containers/podman/%%{podman_branch}/seccomp.json -Source7: https://src.fedoraproject.org/rpms/skopeo/raw/%{fedora_branch}/f/seccomp.json +Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json Source8: https://raw.githubusercontent.com/containers/podman/%{podman_branch}/docs/source/markdown/containers-mounts.conf.5.md Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md @@ -57,6 +59,8 @@ Source13: https://raw.githubusercontent.com/containers/common/%{common_branch}/p Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers.conf.5.md Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md +Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf +Source18: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md BuildRequires: git BuildRequires: golang >= 1.12.12-4 BuildRequires: go-md2man @@ -135,9 +139,10 @@ make \ DESTDIR=%{buildroot} \ SIGSTOREDIR=%{buildroot}%{_sharedstatedir}/containers/sigstore \ install -install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d} +install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d} install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf +install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/shortnames.conf install -dp %{buildroot}%{_mandir}/man5 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5 go-md2man -in %{SOURCE4} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.5 @@ -147,6 +152,7 @@ go-md2man -in %{SOURCE9} -out %{buildroot}%{_mandir}/man5/containers-signature.5 go-md2man -in %{SOURCE10} -out %{buildroot}%{_mandir}/man5/containers-transports.5 go-md2man -in %{SOURCE11} -out %{buildroot}%{_mandir}/man5/containers-certs.d.5 go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries.d.5 +go-md2man -in %{SOURCE18} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5 go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5 go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5 go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5 @@ -163,6 +169,19 @@ ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pk ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo +# ship preconfigured /etc/containers/registries.d/ files with containers-common - #1903813 +cat < %{buildroot}%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml +docker: + registry.access.redhat.com: + sigstore: https://access.redhat.com/webassets/docker/content/sigstore +EOF + +cat < %{buildroot}%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml +docker: + registry.redhat.io: + sigstore: https://registry.redhat.io/containers/sigstore +EOF + # system tests install -d -p %{buildroot}/%{_datadir}/%{name}/test/system cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/ @@ -183,10 +202,13 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %dir %{_sysconfdir}/containers/registries.d %dir %{_sysconfdir}/containers/oci %dir %{_sysconfdir}/containers/oci/hooks.d +%dir %{_sysconfdir}/containers/registries.conf.d %config(noreplace) %{_sysconfdir}/containers/policy.json %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/storage.conf %config(noreplace) %{_sysconfdir}/containers/registries.conf +%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/shortnames.conf +%config(noreplace) %{_sysconfdir}/containers/registries.d/*.yaml %ghost %{_sysconfdir}/containers/containers.conf %dir %{_sharedstatedir}/containers/sigstore %{_mandir}/man5/* @@ -211,49 +233,45 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog -* Mon Jan 11 2021 Jindrich Novy - 1:1.2.0-9 -- upload proper source tarball -- Related: #1888571 +* Tue Jan 12 2021 Jindrich Novy - 1:1.2.1-3 +- ship preconfigured /etc/containers/registries.d/ files with containers-common +- Related: #1883490 -* Mon Jan 11 2021 Jindrich Novy - 1:1.2.0-8 -- revert back to version aimed at 8.3.1 - skopeo-1.2.0 -- also downgrade versions of vendored libraries -- Related: #1888571 +* Tue Jan 12 2021 Jindrich Novy - 1:1.2.1-2 +- add shortnames from https://github.com/containers/shortnames +- Related: #1883490 * Mon Jan 11 2021 Jindrich Novy - 1:1.2.1-1 - update vendored component versions - update to the latest content of https://github.com/containers/skopeo/tree/release-1.2 (https://github.com/containers/skopeo/commit/2e90a8a) -- Related: #1888571 +- Related: #1883490 * Fri Jan 08 2021 Jindrich Novy - 1:1.2.0-6 -- always build with debuginfo -- use less verbose output when compiling -- Related: #1888571 +- gating tests fixes and bump podman branch +- Related: #1883490 -* Thu Jan 07 2021 Jindrich Novy - 1:1.2.0-5 -- re-sync config files -- assure events_logger = "file" -- Related: #1888571 +* Tue Dec 08 2020 Jindrich Novy - 1:1.2.0-5 +- still use arch exclude as the go_arches macro is broken for 8.4 +- Related: #1883490 -* Thu Nov 05 2020 Jindrich Novy - 1:1.2.0-4 -- change default logging mechanism to use for container engine events - in containers.conf to be events_logger = "file" - it should fix - RHEL gating tests for podman nonroot (thanks to Dan Walsh) -- Related: #1888571 +* Wed Dec 02 2020 Jindrich Novy - 1:1.2.0-4 +- unify vendored branches +- add validation script +- Related: #1883490 * Thu Nov 05 2020 Jindrich Novy - 1:1.2.0-3 - simplify spec file - use short commit ID in tarball name -- Related: #1888571 +- Related: #1883490 * Fri Oct 23 2020 Jindrich Novy - 1:1.2.0-2 -- use shortcommit ID in branch tarball name -- Related: #1888571 +- synchronize with stream-container-tools-rhel8 +- Related: #1883490 * Thu Oct 22 2020 Jindrich Novy - 1:1.2.0-1 -- synchronize with stream-container-tools-rhel8-rhel-8.4.0 -- Related: #1888571 +- synchronize with stream-container-tools-rhel8 +- Related: #1883490 * Tue Aug 11 2020 Jindrich Novy - 1:1.1.1-3 - propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization