diff --git a/.gitignore b/.gitignore index 7bbfa6c..12ca7cc 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/release-1.3-038f70e.tar.gz +SOURCES/release-1.4-a44da44.tar.gz diff --git a/.skopeo.metadata b/.skopeo.metadata index 2ae6682..4629f78 100644 --- a/.skopeo.metadata +++ b/.skopeo.metadata @@ -1 +1 @@ -574c9200f48f44e9df626f4bd50f710bf3b09ca9 SOURCES/release-1.3-038f70e.tar.gz +57fcf42eb601e54559ecfba64a692d3158faa0db SOURCES/release-1.4-a44da44.tar.gz diff --git a/SOURCES/RPM-GPG-KEY-redhat-release b/SOURCES/RPM-GPG-KEY-redhat-release new file mode 100644 index 0000000..0009a3e --- /dev/null +++ b/SOURCES/RPM-GPG-KEY-redhat-release 
@@ -0,0 +1,34 @@ +pub 4096R/FD431D51 2009-10-22 + Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 +uid Red Hat, Inc. (release key 2) <security@redhat.com> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.5 (GNU/Linux) + +mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF +0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF +0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c +u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh +XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H +5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW +9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj +/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1 +PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY +HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF +buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB +tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0 +LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK +CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC +2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf +C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5 +un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E +0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE +IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh +8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL +Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki +JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25 +OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq +dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw== +=zbHE +-----END PGP PUBLIC KEY BLOCK----- + diff --git a/SOURCES/containers-auth.json.5.md b/SOURCES/containers-auth.json.5.md index e85d79c..081a984 100644 
--- a/SOURCES/containers-auth.json.5.md +++ b/SOURCES/containers-auth.json.5.md @@ -21,9 +21,23 @@ Except the primary (read/write) file, other files are read-only, unless the user The auth.json file stores encrypted authentication information for the user to container image registries. The file can have zero to many entries and is created by a `login` command from a container tool such as `podman login`, -`buildah login` or `skopeo login`. Each entry includes the name of the registry and then an auth -token in the form of a base64 encoded string from the concatenation of the -username, a colon, and the password. +`buildah login` or `skopeo login`. Each entry either contains a single +hostname (e.g. `docker.io`) or a namespace (e.g. `quay.io/user/image`) as a key +and an auth token in the form of a base64 encoded string as value of `auth`. The +token is built from the concatenation of the username, a colon, and the +password. The registry name can additionally contain a repository name (an image +name without tag or digest) and namespaces. The path (or namespace) is matched +in its hierarchical order when checking for available authentications. For +example, an image pull for `my-registry.local/namespace/user/image:latest` will +result in a lookup in `auth.json` in the following order: + +- `my-registry.local/namespace/user/image` +- `my-registry.local/namespace/user` +- `my-registry.local/namespace` +- `my-registry.local` + +This way it is possible to setup multiple credentials for a single registry +which can be distinguished by their path. The following example shows the values found in auth.json after the user logged in to their accounts on quay.io and docker.io: 
@@ -41,6 +55,25 @@ their accounts on quay.io and docker.io: } ``` +This example demonstrates how to use multiple paths for a single registry, while +preserving a fallback for `my-registry.local`: + +``` +{ + "auths": { + "my-registry.local/foo/bar/image": { + "auth": "…" + }, + "my-registry.local/foo": { + "auth": "…" + }, + "my-registry.local": { + "auth": "…" + }, + } +} +``` + An entry can be removed by using a `logout` command from a container tool such as `podman logout` or `buildah logout`. diff --git a/SOURCES/containers-policy.json.5.md b/SOURCES/containers-policy.json.5.md index cb294f5..ced943a 100644 --- a/SOURCES/containers-policy.json.5.md +++ b/SOURCES/containers-policy.json.5.md @@ -68,7 +68,7 @@ i.e. either specifying a complete name of a tagged image, or prefix denoting a host/namespace/image stream or a wildcarded expression for matching all subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not. -*Note:* The _hostname_ and _port_ refer to the Docker registry host and port (the one used +*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used e.g. for `docker pull`), _not_ to the OpenShift API host and port. ### `dir:` diff --git a/SOURCES/containers-registries.conf.5.md b/SOURCES/containers-registries.conf.5.md index cb72deb..a10c819 100644 --- a/SOURCES/containers-registries.conf.5.md +++ b/SOURCES/containers-registries.conf.5.md 
@@ -36,28 +36,28 @@ Given an image name, a single `[[registry]]` TOML table is chosen based on its ` - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_) - [`*.`]_host_ - The user-specified image name must start with the specified `prefix` (and continue - with the appropriate separator) for a particular `[[registry]]` TOML table to be - considered; (only) the TOML table with the longest match is used. It can - also include wildcarded subdomains in the format `*.example.com` along as mentioned - above. The wildcard should only be present at the beginning as shown in the formats - above. Other cases will not work. For example, `*.example.com` is valid but - `example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not. +The user-specified image name must start with the specified `prefix` (and continue +with the appropriate separator) for a particular `[[registry]]` TOML table to be +considered; (only) the TOML table with the longest match is used. It can +also include wildcarded subdomains in the format `*.example.com`. +The wildcard should only be present at the beginning as shown in the formats +above. Other cases will not work. For example, `*.example.com` is valid but +`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not. - As a special case, the `prefix` field can be missing; if so, it defaults to the value - of the `location` field (described below). +As a special case, the `prefix` field can be missing; if so, it defaults to the value +of the `location` field (described below). #### Per-namespace settings `insecure` : `true` or `false`. - By default, container runtimes require TLS when retrieving images from a registry. - If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted - certificates are allowed. +By default, container runtimes require TLS when retrieving images from a registry. 
+If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted +certificates are allowed. `blocked` : `true` or `false`. - If `true`, pulling images with matching names is forbidden. +If `true`, pulling images with matching names is forbidden. #### Remapping and mirroring registries 
@@ -69,55 +69,55 @@ internet without having to change `Dockerfile`s, or to add redundancy). `location` : Accepts the same format as the `prefix` field, and specifies the physical location - of the `prefix`-rooted namespace. - - By default, this equal to `prefix` (in which case `prefix` can be omitted and the - `[[registry]]` TOML table can only specify `location`). - - Example: Given - ``` - prefix = "example.com/foo" - location = "internal-registry-for-example.net/bar" - ``` - requests for the image `example.com/foo/myimage:latest` will actually work with the - `internal-registry-for-example.net/bar/myimage:latest` image. - - With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching, - the location can be empty. In such a case, - prefix matching will occur, but no reference rewrite will occur. The - original requested image string will be used as-is. But other settings like - `insecure` / `blocked` / `mirrors` will be applied to matching images. - - Example: Given - ``` - prefix = "*.example.com" - ``` - requests for the image `blah.example.com/foo/myimage:latest` will be used - as-is. But other settings like insecure/blocked/mirrors will be applied to matching images +of the `prefix`-rooted namespace. + +By default, this equal to `prefix` (in which case `prefix` can be omitted and the +`[[registry]]` TOML table can only specify `location`). + +Example: Given +``` +prefix = "example.com/foo" +location = "internal-registry-for-example.net/bar" +``` +requests for the image `example.com/foo/myimage:latest` will actually work with the +`internal-registry-for-example.net/bar/myimage:latest` image. + +With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching, +the location can be empty. In such a case, +prefix matching will occur, but no reference rewrite will occur. The +original requested image string will be used as-is. 
But other settings like +`insecure` / `blocked` / `mirrors` will be applied to matching images. + +Example: Given +``` +prefix = "*.example.com" +``` +requests for the image `blah.example.com/foo/myimage:latest` will be used +as-is. But other settings like insecure/blocked/mirrors will be applied to matching images `mirror` : An array of TOML tables specifying (possibly-partial) mirrors for the - `prefix`-rooted namespace. +`prefix`-rooted namespace. - The mirrors are attempted in the specified order; the first one that can be - contacted and contains the image will be used (and if none of the mirrors contains the image, - the primary location specified by the `registry.location` field, or using the unmodified - user-specified reference, is tried last). +The mirrors are attempted in the specified order; the first one that can be +contacted and contains the image will be used (and if none of the mirrors contains the image, +the primary location specified by the `registry.location` field, or using the unmodified +user-specified reference, is tried last). - Each TOML table in the `mirror` array can contain the following fields, with the same semantics - as if specified in the `[[registry]]` TOML table directly: - - `location` - - `insecure` +Each TOML table in the `mirror` array can contain the following fields, with the same semantics +as if specified in the `[[registry]]` TOML table directly: +- `location` +- `insecure` `mirror-by-digest-only` : `true` or `false`. - If `true`, mirrors will only be used during pulling if the image reference includes a digest. - Referencing an image by digest ensures that the same is always used - (whereas referencing an image by a tag may cause different registries to return - different images if the tag mapping is out of sync). +If `true`, mirrors will only be used during pulling if the image reference includes a digest. 
+Referencing an image by digest ensures that the same is always used +(whereas referencing an image by a tag may cause different registries to return +different images if the tag mapping is out of sync). - Note that if this is `true`, images referenced by a tag will only use the primary - registry, failing if that registry is not accessible. +Note that if this is `true`, images referenced by a tag will only use the primary +registry, failing if that registry is not accessible. *Note*: Redirection and mirrors are currently processed only when reading images, not when pushing to a registry; that may change in the future. diff --git a/SOURCES/containers-storage.conf.5.md b/SOURCES/containers-storage.conf.5.md index dba3e7b..d06ca09 100644 --- a/SOURCES/containers-storage.conf.5.md +++ b/SOURCES/containers-storage.conf.5.md @@ -174,6 +174,9 @@ The `storage.options.overlay` table supports the following options: **ignore_chown_errors** = "false" ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false) +**inodes**="" + Maximum inodes in a read/write layer. This flag can be used to set a quota on the inodes allocated for a read/write layer of a container. + **force_mask** = "0000|shared|private" ForceMask specifies the permissions mask that is used for new files and directories. 
@@ -220,7 +223,7 @@ based file systems. Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page. **size**="" - Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) + Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) ### STORAGE OPTIONS FOR VFS TABLE 
@@ -260,13 +263,45 @@ The semanage command above tells SELinux to setup the default labeling of `NEWST Now all new content created in these directories will automatically be created with the correct label. -## SEE ALSO -`semanage(8)`, `restorecon(8)`, `mount(8)`, `fuse-overlayfs(1)` +## QUOTAS + +Container storage implements `XFS project quota controls` for overlay storage +containers and volumes. The directory used to store the containers must be an +`XFS` file system and be mounted with the `pquota` option. + +Example /etc/fstab entry: +``` +/dev/podman/podman-var /var xfs defaults,x-systemd.device-timeout=0,pquota 1 2 +``` + +Container storage generates project ids for each container and builtin volume, but these project ids need to be unique for the XFS file system. + +The xfs_quota tool can be used to assign a project id to the storage driver directory, e.g.: + +``` +echo 100000:/var/lib/containers/storage/overlay >> /etc/projects +echo 200000:/var/lib/containers/storage/volumes >> /etc/projects +echo storage:100000 >> /etc/projid +echo volumes:200000 >> /etc/projid +xfs_quota -x -c 'project -s storage volumes' /<xfs mount point> +``` + +In the example above, the storage directory project id will be used as a "start offset" +and all containers will be assigned larger project ids (e.g. >= 100000). +Then the volumes directory project id will be used as a "start offset" +and all volumes will be assigned larger project ids (e.g. >= 200000). +This is a way to prevent xfs_quota management from conflicting with containers/storage. ## FILES Distributions often provide a `/usr/share/containers/storage.conf` file to define default storage configuration. Administrators can override this file by creating `/etc/containers/storage.conf` to specify their own configuration. The storage.conf file for rootless users is stored in the `$XDG_CONFIG_HOME/containers/storage.conf` file. If `$XDG_CONFIG_HOME` is not set then the file `$HOME/.config/containers/storage.conf` is used. 
+/etc/projects - XFS persistent project root definition +/etc/projid - XFS project name mapping file + +## SEE ALSO +`semanage(8)`, `restorecon(8)`, `mount(8)`, `fuse-overlayfs(1)`, `xfs_quota(8)`, `projects(5)`, `projid(5)` + ## HISTORY May 2017, Originally compiled by Dan Walsh <dwalsh@redhat.com> Format copied from crio.conf man page created by Aleksa Sarai <asarai@suse.de> diff --git a/SOURCES/containers.conf b/SOURCES/containers.conf index 8424d70..2ba2b5d 100644 --- a/SOURCES/containers.conf +++ b/SOURCES/containers.conf @@ -16,30 +16,16 @@ [containers] -# List of devices. Specified as -# "<device-on-host>:<device-on-container>:<permissions>", for example: -# "/dev/sdc:/dev/xvdc:rwm". -# If it is empty or commented out, only the default devices will be used -# -# devices = [] - -# List of volumes. Specified as -# "<directory-on-host>:<directory-in-container>:<options>", for example: -# "/db:/var/lib/db:ro". -# If it is empty or commented out, no volumes will be added +# List of annotation. Specified as +# "key = value" +# If it is empty or commented out, no annotations will be added # -# volumes = [] +# annotations = [] # Used to change the name of the default AppArmor profile of container engine. # # apparmor_profile = "container-default" -# List of annotation. Specified as -# "key=value" -# If it is empty or commented out, no annotations will be added -# -# annotations = [] - # Default way to to create a cgroup namespace for the container # Options are: # `private` Create private Cgroup Namespace for the container. @@ -94,6 +80,13 @@ default_sysctls = [ # "nofile=1280:2560", # ] +# List of devices. Specified as +# "<device-on-host>:<device-on-container>:<permissions>", for example: +# "/dev/sdc:/dev/xvdc:rwm". +# If it is empty or commented out, only the default devices will be used +# +# devices = [] + # List of default DNS options to be added to /etc/resolv.conf inside of the container. # # dns_options = [] 
@@ -167,6 +160,12 @@ default_sysctls = [ # # log_size_max = -1 +# Specifies default format tag for container log messages. +# This is useful for creating a specific tag for container log messages. +# Containers logs default to truncated container ID as a tag. +# +# log_tag = "" + # Default way to to create a Network namespace for the container # Options are: # `private` Create private Network Namespace for the container. @@ -180,10 +179,6 @@ default_sysctls = [ # # no_hosts = false -# Maximum number of processes allowed in a container. -# -# pids_limit = 2048 - # Default way to to create a PID namespace for the container # Options are: # `private` Create private PID Namespace for the container. @@ -191,6 +186,20 @@ default_sysctls = [ # # pidns = "private" +# Maximum number of processes allowed in a container. +# +# pids_limit = 2048 + +# Copy the content from the underlying image into the newly created volume +# when the container is created instead of when it is started. If false, +# the container engine will not copy the content until the container is started. +# Setting it to true may have negative performance implications. +# +# prepare_volume_on_create = false + +# Indicates the networking to be used for rootless containers +# rootless_networking = "slirp4netns" + # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. # @@ -210,14 +219,7 @@ default_sysctls = [ # Set umask inside the container # -# umask="0022" - -# Default way to to create a UTS namespace for the container -# Options are: -# `private` Create private UTS Namespace for the container. -# `host` Share host UTS Namespace with the container. -# -# utsns = "private" +# umask = "0022" # Default way to to create a User namespace for the container # Options are: 
@@ -230,11 +232,31 @@ default_sysctls = [ # UIDs are allocated from the "container" UIDs listed in # /etc/subuid & /etc/subgid # -# userns_size=65536 +# userns_size = 65536 + +# Default way to to create a UTS namespace for the container +# Options are: +# `private` Create private UTS Namespace for the container. +# `host` Share host UTS Namespace with the container. +# +# utsns = "private" + +# List of volumes. Specified as +# "<directory-on-host>:<directory-in-container>:<options>", for example: +# "/db:/var/lib/db:ro". +# If it is empty or commented out, no volumes will be added +# +# volumes = [] # The network table contains settings pertaining to the management of # CNI plugins. +[secrets] +# driver = "file" + +[secrets.opts] +# root = "/example/directory" + [network] # Path to directory where CNI plugin binaries are located. @@ -255,14 +277,8 @@ default_sysctls = [ # network_config_dir = "/etc/cni/net.d/" [engine] -# Maximum number of image layers to be copied (pulled/pushed) simultaneously. -# Not setting this field, or setting it to zero, will fall back to containers/image defaults. -# image_parallel_copies=0 - -# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building -# container images. By default image pulled and pushed match the format of the -# source image. Building/committing defaults to OCI. -# image_default_format = "" +# Index to the active service +# active_service = production # Cgroup management implementation used for the runtime. # Valid options "systemd" or "cgroupfs" 
@@ -321,10 +337,19 @@ events_logger = "file" # "/usr/share/containers/oci/hooks.d", # ] +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/committing defaults to OCI. +# image_default_format = "" + # Default transport method for pulling and pushing for images # # image_default_transport = "docker://" +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# image_parallel_copies = 0 + # Default command to run the infra container # # infra_command = "/pause" @@ -348,7 +373,7 @@ infra_image = "registry.access.redhat.com/ubi8/pause" # Indicates if Podman is running inside a VM via Podman Machine. # Podman uses this value to do extra setup around networking from the # container inside the VM to to host. -# machine_enabled=false +# machine_enabled = false # MultiImageArchive - if true, the container engine allows for storing archives # (e.g., of the docker-archive transport) with multiple images. By default, @@ -367,12 +392,12 @@ infra_image = "registry.access.redhat.com/ubi8/pause" # Path to the slirp4netns binary # -# network_cmd_path="" +# network_cmd_path = "" # Default options to pass to the slirp4netns binary. # For example "allow_host_loopback=true" # -# network_cmd_options=[] +# network_cmd_options = [] # Whether to use chroot instead of pivot_root in the runtime # 
@@ -392,24 +417,6 @@ infra_image = "registry.access.redhat.com/ubi8/pause" # `podman --remote=true` for access to the remote Podman service. # remote = false -# Directory for persistent engine files (database, etc) -# By default, this will be configured relative to where the containers/storage -# stores containers -# Uncomment to change location from this default -# -# static_dir = "/var/lib/containers/storage/libpod" - -# Directory for temporary files. Must be tmpfs (wiped after reboot) -# -# tmp_dir = "/run/libpod" - -# Directory for libpod named volumes. -# By default, this will be configured relative to where containers/storage -# stores containers. -# Uncomment to change location from this default. -# -# volume_path = "/var/lib/containers/storage/volumes" - # Default OCI runtime # # runtime = "crun" @@ -420,20 +427,24 @@ runtime = "runc" # # runtime_supports_json = ["crun", "runc", "kata", "runsc"] +# List of the OCI runtimes that supports running containers with KVM Separation. +# +# runtime_supports_kvm = ["kata"] + # List of the OCI runtimes that supports running containers without cgroups. # # runtime_supports_nocgroups = ["crun"] -# List of the OCI runtimes that supports running containers with KVM Separation. +# Directory for persistent engine files (database, etc) +# By default, this will be configured relative to where the containers/storage +# stores containers +# Uncomment to change location from this default # -# runtime_supports_kvm = ["kata"] +# static_dir = "/var/lib/containers/storage/libpod" # Number of seconds to wait for container to exit before sending kill signal. # stop_timeout = 10 -# Index to the active service -# active_service = production - # map of service destinations # [service_destinations] # [service_destinations.production] 
@@ -443,10 +454,21 @@ runtime = "runc" # rootfull "unix://run/podman/podman.sock (Default) # remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock # remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock -# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock" # Path to file containing ssh identity key # identity = "~/.ssh/id_rsa" +# Directory for temporary files. Must be tmpfs (wiped after reboot) +# +# tmp_dir = "/run/libpod" + +# Directory for libpod named volumes. +# By default, this will be configured relative to where containers/storage +# stores containers. +# Uncomment to change location from this default. +# +# volume_path = "/var/lib/containers/storage/volumes" + # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, etc) [engine.runtimes] # crun = [ @@ -459,16 +481,6 @@ runtime = "runc" # "/run/current-system/sw/bin/crun", # ] -# runc = [ -# "/usr/bin/runc", -# "/usr/sbin/runc", -# "/usr/local/bin/runc", -# "/usr/local/sbin/runc", -# "/sbin/runc", -# "/bin/runc", -# "/usr/lib/cri-o-runc/sbin/runc", -# ] - # kata = [ # "/usr/bin/kata-runtime", # "/usr/sbin/kata-runtime", @@ -480,6 +492,16 @@ runtime = "runc" # "/usr/bin/kata-fc", # ] +# runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +# ] + # runsc = [ # "/usr/bin/runsc", # "/usr/sbin/runsc", diff --git a/SOURCES/containers.conf.5.md b/SOURCES/containers.conf.5.md index a42332e..14ac609 100644 --- a/SOURCES/containers.conf.5.md +++ b/SOURCES/containers.conf.5.md 
@@ -10,12 +10,16 @@ and modify the defaults for running containers on the host. containers.conf uses a TOML format that can be easily modified and versioned. Container engines read the /usr/share/containers/containers.conf and -/etc/containers/containers.conf files if they exists. When running in rootless -mode, they also read $HOME/.config/containers/containers.conf files. +/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files +if they exist. When running in rootless mode, they also read +$HOME/.config/containers/containers.conf and +$HOME/.config/containers/containers.conf.d/*.conf files. Fields specified in containers conf override the default options, as well as options in previously read containers.conf files. +Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`. + Not all options are supported in all container engines. Note container engines also use other configuration files for configuring the environment. @@ -186,6 +190,10 @@ that no size limit is imposed. If it is positive, it must be >= 8192 to match/exceed conmon's read buffer. The file is truncated and re-opened so the limit is never exceeded. +**log_tag**="" + +Default format tag for container log messages. This is useful for creating a specific tag for container log messages. Container log messages default to using the truncated container ID as a tag. + **netns**="private" Default way to to create a NET namespace for the container. 
@@ -211,6 +219,15 @@ Options are: Maximum number of processes allowed in a container. 0 indicates that no limit is imposed. +**prepare_volume_on_create**=false + +Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications. + +**rootless_networking**="slirp4netns" + +Set type of networking rootless containers should use. Valid options are `slirp4netns` +or `cni`. + **seccomp_profile**="/usr/share/containers/seccomp.json" Path to the seccomp.json profile which is used as the default seccomp profile @@ -293,10 +310,6 @@ The `engine` table contains configuration options used to set up container engin Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below. -**cgroup_check**=false - -CgroupCheck indicates the configuration has been rewritten after an upgrade to Fedora 31 to change the default OCI runtime for cgroupsv2. - **cgroup_manager**="systemd" The cgroup management implementation used for the runtime. Supports `cgroupfs` @@ -454,14 +467,14 @@ on the system using the priority: "crun", "runc", "kata". The list of the OCI runtimes that support `--format=json`. -**runtime_supports_nocgroups**=["crun"] - -The list of OCI runtimes that support running containers without CGroups. - **runtime_supports_kvm**=["kata"] The list of OCI runtimes that support running containers with KVM separation. +**runtime_supports_nocgroups**=["crun"] + +The list of OCI runtimes that support running containers without CGroups. + **static_dir**="/var/lib/containers/storage/libpod" Directory for persistent libpod files (database, etc). 
@@ -477,6 +490,19 @@ Number of seconds to wait for container to exit before sending kill signal. The path to a temporary directory to store per-boot container. Must be a tmpfs (wiped after reboot). +**volume_path**="/var/lib/containers/storage/volumes" + +Directory where named volumes will be created in using the default volume +driver. +By default this will be configured relative to where containers/storage store +containers. This convention is followed by the default volume driver, but may +not be by other drivers. + +**chown_copied_files**=true + +Determines whether file copied into a container will have changed ownership to +the primary uid/gid of the container. + ## SERVICE DESTINATION TABLE The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API. @@ -495,14 +521,6 @@ URI to access the Podman service Path to file containing ssh identity key -**volume_path**="/var/lib/containers/storage/volumes" - -Directory where named volumes will be created in using the default volume -driver. -By default this will be configured relative to where containers/storage store -containers. This convention is followed by the default volume driver, but may -not be by other drivers. - **[engine.volume_plugins]** A table of all the enabled volume plugins on the system. Volume plugins can be @@ -510,6 +528,21 @@ used as the backend for Podman named volumes. Individual plugins are specified below, as a map of the plugin name (what the plugin will be called) to its path (filepath of the plugin's unix socket). + +## SECRET TABLE +The `secret` table contains settings for the configuration of the secret subsystem. + +**driver**=file + +Name of the secret driver to be used. +Currently valid values are: + * file + * pass + +**[secrets.opts]** + +The driver specific options object. + # FILES **containers.conf** 
@@ -518,8 +551,7 @@ Distributions often provide a `/usr/share/containers/containers.conf` file to define default container configuration. Administrators can override fields in this file by creating `/etc/containers/containers.conf` to specify their own configuration. Rootless users can further override fields in the config by -creating a config file stored in the -`$HOME/.config/containers/containers.conf` file. +creating a config file stored in the `$HOME/.config/containers/containers.conf` file. If the `CONTAINERS_CONF` path environment variable is set, just this path will be used. This is primarily used for testing. diff --git a/SOURCES/default-policy.json b/SOURCES/default-policy.json new file mode 100644 index 0000000..7ed16d6 --- /dev/null +++ b/SOURCES/default-policy.json @@ -0,0 +1,32 @@ +{ + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": { + "docker": { + "registry.access.redhat.com": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "registry.redhat.io": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ] + }, + "docker-daemon": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + } + } +} diff --git a/SOURCES/default.yaml b/SOURCES/default.yaml new file mode 100644 index 0000000..943ea17 --- /dev/null +++ b/SOURCES/default.yaml 
@@ -0,0 +1,26 @@ +# This is a default registries.d configuration file. You may +# add to this file or create additional files in registries.d/. +# +# sigstore: indicates a location that is read and write +# sigstore-staging: indicates a location that is only for write +# +# sigstore and sigstore-staging take a value of the following: +# sigstore: {schema}://location +# +# For reading signatures, schema may be http, https, or file. +# For writing signatures, schema may only be file. + +# This is the default signature write location for docker registries. +default-docker: +# sigstore: file:///var/lib/containers/sigstore + sigstore-staging: file:///var/lib/containers/sigstore + +# The 'docker' indicator here is the start of the configuration +# for docker registries. +# +# docker: +# +# privateregistry.com: +# sigstore: http://privateregistry.com/sigstore/ +# sigstore-staging: /mnt/nfs/privateregistry/sigstore + diff --git a/SOURCES/registries.conf b/SOURCES/registries.conf index 771be23..ef74aeb 100644 --- a/SOURCES/registries.conf +++ b/SOURCES/registries.conf 
@@ -1,72 +1,33 @@ # For more information on this configuration file, see containers-registries.conf(5). # -# There are multiple versions of the configuration syntax available, where the -# second iteration is backwards compatible to the first one. Mixing up both -# formats will result in an runtime error. -# -# The initial configuration format looks like this: -# # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES -# Red Hat recommends always using fully qualified image names including the registry server (full dns name), -# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is -# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to. -# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com -# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier -# in the search list. The user would accidentally pull and run the attacker's image and code rather than the -# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries -# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent -# an image from being spoofed, squatted or otherwise made insecure. If it is necessary to use one of these -# registries, it should be added at the end of the list. +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. 
If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. # -# It is recommended to use fully-qualified images for pulling as the -# destination registry is unambiguous. Pulling by digest -# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of -# tags. - -# The following registries are a set of secure defaults provided by Red Hat. -# Each of these registries provides container images curated, patched -# and maintained by Red Hat and its partners -#[registries.search] -#registries = ['registry.access.redhat.com', 'registry.redhat.io'] +# # An array of host[:port] registries to try when pulling an unqualified image, in order. -# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat -# does not curate, patch or maintain container images from the docker.io registry. -[registries.search] -registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io'] unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"] -# The following registries entry can be used for convenience but includes -# container images built by the community. This set of content comes with all -# of the risks of any user generated content including security and performance -# issues. 
To use this list first comment out the default list, then uncomment -# the following list -#[registries.search] -#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io'] - -# Registries that do not use TLS when pulling images or uses self-signed -# certificates. -[registries.insecure] -registries = [] - -# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify -# "*", then the docker daemon will only be allowed to pull from registries listed above in the search -# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it. -# It is recommended that you use the trust policy file /etc/containers/policy.json to control which -# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and -# supports all container runtimes and tools including the docker daemon, cri-o, buildah ... -# The atomic CLI `atomic trust` can be used to easily configure the policy.json file. -[registries.block] -registries = [] - -# The second version of the configuration format allows to specify registry -# mirrors: -# -# # An array of host[:port] registries to try when pulling an unqualified image, in order. -# # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # (only) the TOML table with the longest match for the input image name # # (taking into account namespace/repo/tag/digest separators) is used. +# # +# # The prefix can also be of the form: *.example.com for wildcard subdomain +# # matching. # # # # If the prefix field is missing, it defaults to be the same as the "location" field. # prefix = "example.com/foo" 
@@ -80,7 +41,7 @@ registries = [] # # # The physical location of the "prefix"-rooted namespace. # # -# # By default, this equal to "prefix" (in which case "prefix" can be omitted +# # By default, this is equal to "prefix" (in which case "prefix" can be omitted # # and the [[registry]] TOML table can only specify "location"). # # # # Example: Given @@ -88,6 +49,10 @@ registries = [] # # location = "internal-registry-for-example.net/bar" # # requests for the image example.com/foo/myimage:latest will actually work with the # # internal-registry-for-example.net/bar/myimage:latest image. +# +# # The location can be empty iff prefix is in a +# # wildcarded format: "*.example.com". In this case, the input reference will +# # be used as-is without any rewrite. # location = internal-registry-for-example.com/bar" # # # (Possibly-partial) mirrors for the "prefix"-rooted namespace. @@ -109,5 +74,6 @@ registries = [] # # Given the above, a pull of example.com/foo/image:latest will try: # # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest -# # 3. internal-registry-for-example.net/bar/myimage:latest +# # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. +short-name-mode = "enforcing" diff --git a/SOURCES/registry.access.redhat.com.yaml b/SOURCES/registry.access.redhat.com.yaml new file mode 100644 index 0000000..b426a4b --- /dev/null +++ b/SOURCES/registry.access.redhat.com.yaml @@ -0,0 +1,3 @@ +docker: + registry.access.redhat.com: + sigstore: https://access.redhat.com/webassets/docker/content/sigstore diff --git a/SOURCES/registry.redhat.io.yaml b/SOURCES/registry.redhat.io.yaml new file mode 100644 index 0000000..35f2c61 --- /dev/null +++ b/SOURCES/registry.redhat.io.yaml @@ -0,0 +1,3 @@ +docker: + registry.redhat.io: + sigstore: https://registry.redhat.io/containers/sigstore diff --git a/SOURCES/seccomp.json b/SOURCES/seccomp.json index ce72dce..99d88e2 100644 
--- a/SOURCES/seccomp.json +++ b/SOURCES/seccomp.json @@ -1,5 +1,6 @@ { "defaultAction": "SCMP_ACT_ERRNO", + "defaultErrnoRet": 38, "archMap": [ { "architecture": "SCMP_ARCH_X86_64", @@ -52,6 +53,44 @@ "syscalls": [ { "names": [ + "bdflush", + "io_pgetevents", + "kexec_file_load", + "kexec_load", + "migrate_pages", + "move_pages", + "nfsservctl", + "nice", + "oldfstat", + "oldlstat", + "oldolduname", + "oldstat", + "olduname", + "pciconfig_iobase", + "pciconfig_read", + "pciconfig_write", + "sgetmask", + "ssetmask", + "swapcontext", + "swapoff", + "swapon", + "sysfs", + "uselib", + "userfaultfd", + "ustat", + "vm86", + "vm86old", + "vmsplice" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": {}, + "errnoRet": 1 + }, + { + "names": [ "_llseek", "_newselect", "accept", @@ -76,6 +115,7 @@ "clock_nanosleep", "clock_nanosleep_time64", "clone", + "clone3", "close", "close_range", "connect", @@ -132,6 +172,7 @@ "ftruncate", "ftruncate64", "futex", + "futex_time64", "futimesat", "get_robust_list", "get_thread_area", @@ -148,6 +189,7 @@ "getgroups", "getgroups32", "getitimer", + "get_mempolicy", "getpeername", "getpgid", "getpgrp", @@ -198,6 +240,7 @@ "lstat", "lstat64", "madvise", + "mbind", "memfd_create", "mincore", "mkdir", @@ -216,7 +259,9 @@ "mq_notify", "mq_open", "mq_timedreceive", + "mq_timedreceive_time64", "mq_timedsend", + "mq_timedsend_time64", "mq_unlink", "mremap", "msgctl", @@ -241,6 +286,9 @@ "pipe", "pipe2", "pivot_root", + "pkey_alloc", + "pkey_free", + "pkey_mprotect", "poll", "ppoll", "ppoll_time64", @@ -256,6 +304,7 @@ "pwritev2", "read", "readahead", + "readdir", "readlink", "readlinkat", "readv", @@ -263,6 +312,7 @@ "recv", "recvfrom", "recvmmsg", + "recvmmsg_time64", "recvmsg", "remap_file_pages", "removexattr", @@ -271,6 +321,7 @@ "renameat2", "restart_syscall", "rmdir", + "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", 
@@ -278,6 +329,7 @@ "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", + "rt_sigtimedwait_time64", "rt_tgsigqueueinfo", "sched_get_priority_max", "sched_get_priority_min", @@ -286,6 +338,7 @@ "sched_getparam", "sched_getscheduler", "sched_rr_get_interval", + "sched_rr_get_interval_time64", "sched_setaffinity", "sched_setattr", "sched_setparam", @@ -297,6 +350,7 @@ "semget", "semop", "semtimedop", + "semtimedop_time64", "send", "sendfile", "sendfile64", @@ -304,6 +358,7 @@ "sendmsg", "sendto", "setns", + "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", @@ -366,6 +421,7 @@ "timer_gettime", "timer_gettime64", "timer_settime", + "timer_settime64", "timerfd_create", "timerfd_gettime", "timerfd_gettime64", @@ -583,6 +639,21 @@ }, { "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "bpf", "fanotify_init", "lookup_dcookie", @@ -604,6 +675,28 @@ }, { "names": [ + "bpf", + "fanotify_init", + "lookup_dcookie", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "chroot" ], "action": "SCMP_ACT_ALLOW", @@ -618,6 +711,21 @@ }, { "names": [ + "chroot" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "delete_module", "init_module", "finit_module", 
@@ -635,19 +743,21 @@ }, { "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy" + "delete_module", + "init_module", + "finit_module", + "query_module" ], - "action": "SCMP_ACT_ALLOW", + "action": "SCMP_ACT_ERRNO", "args": [], "comment": "", - "includes": { + "includes": {}, + "excludes": { "caps": [ - "CAP_SYS_NICE" + "CAP_SYS_MODULE" ] }, - "excludes": {} + "errnoRet": 1 }, { "names": [ @@ -665,6 +775,21 @@ }, { "names": [ + "acct" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "kcmp", "process_madvise", "process_vm_readv", @@ -683,6 +808,25 @@ }, { "names": [ + "kcmp", + "process_madvise", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "iopl", "ioperm" ], @@ -698,6 +842,22 @@ }, { "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "settimeofday", "stime", "clock_settime", @@ -715,6 +875,24 @@ }, { "names": [ + "settimeofday", + "stime", + "clock_settime", + "clock_settime64" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "vhangup" ], "action": "SCMP_ACT_ALLOW", @@ -729,6 +907,21 @@ }, { "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ERRNO", + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "errnoRet": 1 + }, + { + "names": [ "socket" ], "action": "SCMP_ACT_ERRNO", diff --git a/SOURCES/storage.conf b/SOURCES/storage.conf index 7372e5a..9cc45a1 100644 --- a/SOURCES/storage.conf +++ b/SOURCES/storage.conf 
@@ -69,6 +69,9 @@ additionalimagestores = [ # and vfs drivers. #ignore_chown_errors = "false" +# Inodes is used to set a maximum inodes of the container image. +# inodes = "" + # Path to an helper program to use for mounting the file system instead of mounting it # directly. #mount_program = "/usr/bin/fuse-overlayfs" diff --git a/SOURCES/update-vendored.sh b/SOURCES/update-vendored.sh index af20165..dc0ae54 100755 --- a/SOURCES/update-vendored.sh +++ b/SOURCES/update-vendored.sh @@ -4,23 +4,27 @@ # For questions reach to Jindrich Novy <jnovy@redhat.com> set -xe rm -f /tmp/ver_image /tmp/ver_common /tmp/ver_storage -B=`rhpkg switch-branch | grep ^* | cut -d\ -f2` +B=`pkg switch-branch | grep ^* | cut -d\ -f2` +git branch | grep c9s > /dev/null +if [ $? == 0 ]; then + B=c9s +fi echo $B for P in podman skopeo buildah; do BRN=`pwd | sed 's,^.*/,,'` rm -rf $P - rhpkg clone $P + pkg clone $P cd $P - rhpkg switch-branch $B + [ $B != c9s ] && pkg switch-branch $B if [ $BRN != stream-container-tools-rhel8 ]; then - rhpkg prep + pkg prep else - rhpkg --release rhel-8 prep + pkg --release rhel-8 prep fi DIR=`ls -d -- */ | grep -v ^tests | head -n1` - grep github.com/containers/image $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_image - grep github.com/containers/common $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_common - grep github.com/containers/storage $DIR/go.mod | cut -d\ -f2 >> /tmp/ver_storage + grep github.com/containers/image $DIR/go.mod | grep -v - | cut -d\ -f2 >> /tmp/ver_image + grep github.com/containers/common $DIR/go.mod | grep -v - | cut -d\ -f2 >> /tmp/ver_common + grep github.com/containers/storage $DIR/go.mod | grep -v - | cut -d\ -f2 >> /tmp/ver_storage cd - done IMAGE_VER=`sort -n /tmp/ver_image | head -n1` diff --git a/SOURCES/update.sh b/SOURCES/update.sh index 7ef2054..de439ec 100755 --- a/SOURCES/update.sh +++ b/SOURCES/update.sh 
@@ -18,15 +18,23 @@ $2 = $3" $1 fi } -./pyxis.sh -./update-vendored.sh +#./pyxis.sh +#./update-vendored.sh spectool -f -g skopeo.spec ensure storage.conf driver \"overlay\" ensure storage.conf mountopt \"nodev,metacopy=on\" -ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"docker.io\"] ensure containers.conf events_logger \"file\" +if pwd | grep rhel-8 > /dev/null +then +ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"docker.io\"] ensure containers.conf infra_image \"registry.access.redhat.com/ubi8/pause\" ensure containers.conf runtime \"runc\" +else +ensure registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"registry.centos.org\",\ \"quay.io\",\ \"docker.io\"] +ensure registries.conf short-name-mode \"enforcing\" +ensure containers.conf infra_image \"registry.access.redhat.com/ubi9/pause\" +ensure containers.conf runtime \"crun\" +fi [ `grep "keyctl" seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \ "keyctl",' seccomp.json sed -i '/\"socketcall\",/i \ diff --git a/SPECS/skopeo.spec b/SPECS/skopeo.spec index cc8f14d..36c6e1e 100644 --- a/SPECS/skopeo.spec +++ b/SPECS/skopeo.spec 
@@ -13,24 +13,24 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl %endif %global import_path github.com/containers/skopeo -%global branch release-1.3 +%global branch release-1.4 # Bellow definitions are used to deliver config files from a particular branch # of c/image, c/common, c/storage vendored in all podman, skopeo, buildah. # These vendored components must have the same version. If it is not the case, # pick the oldest version on c/image, c/common, c/storage vendored in # podman/skopeo/podman. -%global podman_branch main -%global image_branch v5.12.0 -%global common_branch v0.38.12 -%global storage_branch v1.31.3 +%global podman_branch v3.3 +%global image_branch v5.15.0 +%global common_branch v0.42.0 +%global storage_branch v1.33.1 %global shortnames_branch main -%global commit0 038f70e6f52ca354534b2d38ce9611b8fc5537c4 +%global commit0 a44da449d35e4621e9993f406d5a4f98dd89965e %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Epoch: 1 Name: skopeo -Version: 1.3.1 -Release: 7%{?dist} +Version: 1.4.0 +Release: 4%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} 
@@ -48,7 +48,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs #Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf Source5: registries.conf Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md -Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json +Source7: https://raw.githubusercontent.com/containers/common/main/pkg/seccomp/seccomp.json Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md @@ -59,9 +59,14 @@ Source14: https://raw.githubusercontent.com/containers/common/%{common_branch}/d Source15: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-auth.json.5.md Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.d.5.md Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf -Source18: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-registries.conf.5.md Source19: 001-rhel-shortnames-pyxis.conf Source20: 002-rhel-shortnames-overrides.conf +Source21: RPM-GPG-KEY-redhat-release +Source22: registry.access.redhat.com.yaml +Source23: registry.redhat.io.yaml +#Source24: https://raw.githubusercontent.com/containers/skopeo/%%{branch}/default-policy.json +Source24: default-policy.json +Source25: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default.yaml # scripts used for synchronization with upstream and shortname generation Source100: update.sh Source101: update-vendored.sh 
@@ -75,6 +80,7 @@ BuildRequires: pkgconfig(devmapper) BuildRequires: glib2-devel BuildRequires: make Requires: containers-common = %{epoch}:%{version}-%{release} +Requires: system-release %description Command line utility to inspect images and repositories directly on Docker @@ -87,7 +93,11 @@ Conflicts: atomic-registries <= 1:1.22.1-1 Obsoletes: docker-rhsubscription <= 2:1.13.1-31 Provides: %{name}-containers = %{epoch}:%{version}-%{release} Obsoletes: %{name}-containers <= 1:0.1.31-3 +%if 0%{?rhel} >= 9 || 0%{?fedora} +Requires: crun >= 0.19 +%else Requires: runc +%endif Recommends: fuse-overlayfs Recommends: slirp4netns Suggests: subscription-manager @@ -141,10 +151,7 @@ mkdir -p bin %{__make} docs %install -make \ - DESTDIR=%{buildroot} \ - PREFIX=%{buildroot}%{_prefix} \ - install +make install DESTDIR=%{buildroot} PREFIX=%{_prefix} install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,registries.d,registries.conf.d} install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/storage.conf install -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/containers/registries.conf 
@@ -152,6 +159,18 @@ install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf +# for signature verification +%if !0%{?rhel} || 0%{?centos} +install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg +install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg +%endif +install -dp %{buildroot}%{_sysconfdir}/containers/registries.d +install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d +install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d +install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json +install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore +install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml + # for containers-common install -dp %{buildroot}%{_mandir}/man5 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5 @@ -162,7 +181,6 @@ go-md2man -in %{SOURCE9} -out %{buildroot}%{_mandir}/man5/containers-signature.5 go-md2man -in %{SOURCE10} -out %{buildroot}%{_mandir}/man5/containers-transports.5 go-md2man -in %{SOURCE11} -out %{buildroot}%{_mandir}/man5/containers-certs.d.5 go-md2man -in %{SOURCE12} -out %{buildroot}%{_mandir}/man5/containers-registries.d.5 -go-md2man -in %{SOURCE18} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5 go-md2man -in %{SOURCE14} -out %{buildroot}%{_mandir}/man5/containers.conf.5 go-md2man -in %{SOURCE15} -out %{buildroot}%{_mandir}/man5/containers-auth.json.5 go-md2man -in %{SOURCE16} -out %{buildroot}%{_mandir}/man5/containers-registries.conf.d.5 
@@ -210,9 +228,14 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %dir %{_sysconfdir}/containers %dir %{_sysconfdir}/containers/certs.d %dir %{_sysconfdir}/containers/registries.d +%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml +%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml %dir %{_sysconfdir}/containers/oci %dir %{_sysconfdir}/containers/oci/hooks.d %dir %{_sysconfdir}/containers/registries.conf.d +%if !0%{?rhel} || 0%{?centos} +%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +%endif %config(noreplace) %{_sysconfdir}/containers/policy.json %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/storage.conf @@ -229,6 +252,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %dir %{_datadir}/rhel/secrets %{_datadir}/rhel/secrets/* + %files %license LICENSE %doc README.md @@ -243,6 +267,24 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Wed Aug 04 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-4 +- don't define short-name-mode in RHEL8 +- Related: #1934415 + +* Tue Aug 03 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-3 +- re-add Requires: runc +- Related: #1934415 + +* Tue Aug 03 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-2 +- update to 1.4.0 release and switch to the release-1.4 maint branch +- Related: #1934415 + +* Mon Aug 02 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.4.0-1 +- update vendored components +- ship /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release only on non-RHEL and + CentOS distros +- Related: #1934415 + * Wed Jul 21 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-7 - switch to "main" branch of podman - Related: #1934415
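Review bot: the new `## SECRET TABLE` section in containers.conf.5.md names its table inconsistently: the prose says "the `secret` table" while the options sub-table is written `**[secrets.opts]**`, and unlike `**[engine.volume_plugins]**` just above there is no explicit `**[secrets]**` header showing what to put in containers.conf. Pick one spelling and add the header. Two wording fixes in the same hunks: `Determines whether file copied into a container will have changed ownership` should read `whether files copied into a container are chowned`, and the `volume_path` text says named volumes are created "in using the default volume driver" (drop "in"). Moving `volume_path` out of the SERVICE DESTINATION TABLE section, where it did not belong, is right.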
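Review bot: in default-policy.json, `"default": [{ "type": "insecureAcceptAnything" }]` together with the identical `docker-daemon` entry means every transport and every registry other than registry.access.redhat.com and registry.redhat.io is accepted with no signature check, so the `signedBy` entries protect pulls from those two hosts only; that is the usual default, but the changelog should say so, since the file lands as `%config(noreplace) /etc/containers/policy.json` and is not refreshed by later updates. Both `signedBy` entries hard-code `keyPath` `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, which this spec ships only under `%if !0%{?rhel} || 0%{?centos}`; on RHEL the key is expected from the release package behind the new `Requires: system-release`. If that file is absent the policy does not degrade, every pull from the two registries is rejected at policy evaluation, so note the dependency in the `# for signature verification` comment in %install and consider a `%check` that the path exists.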
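Review bot: in default.yaml the commented example `sigstore-staging: /mnt/nfs/privateregistry/sigstore` contradicts the header of the same file, which says values take the form `{schema}://location` and that writes may only use the `file` schema; write it as `file:///mnt/nfs/privateregistry/sigstore` so nobody copies a form the header itself calls invalid. The active `default-docker` block sets only `sigstore-staging` (write) and leaves `sigstore` (read) commented, so signatures written locally are never read back by default; a one-line comment saying this is intentional would stop the next reader from "fixing" it.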
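Review bot: the rewritten registries.conf header still recommends adding only registries "which don't allow unknown or anonymous users to create accounts with arbitrary names", yet the `unqualified-search-registries` line that replaces the old `[registries.search]` table keeps `docker.io` in the search order and deletes the old comment that explained why it was kept (docker compatibility) and that its content is not curated, patched or maintained by Red Hat. Keep a one-line justification next to the list (the old text is fine) or drop docker.io. The deleted v1 prose also warned that mixing the two syntaxes is a runtime error; now that `[registries.insecure]` and `[registries.block]` are gone and only v2 keys remain, keep one line saying the v1 tables must not be merged back in, since an admin who carries a local `[registries.search]` table will hit exactly that error after this update.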
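Review bot: `short-name-mode = "enforcing"` is appended as the last line of registries.conf, after the commented `[[registry]]` example; that parses only because every line above it is a comment, since in TOML a bare key placed after a real `[[registry]]` table header belongs to that table. Move it up beside `unqualified-search-registries` so the first admin who uncomments the example does not silently turn `short-name-mode` into a per-registry key. In the same example, the context line `location = internal-registry-for-example.com/bar"` lacks its opening quote and uses `.com` where the surrounding lines use `internal-registry-for-example.net`; the hunk already fixes `myimage:latest` to `image:latest` in that example, so fix this too. The new wildcard text says `location` may be empty iff the prefix is of the form `*.example.com`, but not whether `mirror` entries still apply to a wildcard prefix; one sentence would settle it.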
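Review bot: in seccomp.json, `defaultErrnoRet: 38` (ENOSYS) for anything not listed, while the new explicit deny block (`bdflush`, `kexec_load`, `kexec_file_load`, `userfaultfd`, `vm86`, `vmsplice`, `swapon`, ...) returns `errnoRet: 1` (EPERM), is the right split: unlisted calls look unimplemented so libc and runtimes fall back to older syscalls, and known-dangerous calls fail loudly. Record the reasoning in the `comment` field, which is `""`: in particular why calls such as `nice`, `ustat` and `sysfs` get an explicit EPERM rather than the ENOSYS default, because a program probing for them behaves differently in the two cases, and that `userfaultfd` and `vmsplice` were deliberately denied so a later "allow for compatibility" change has to argue against a recorded decision.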
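Review bot: `clone3` is added to the unconditional allow list in seccomp.json. Unlike `clone`, its flags live in a user-space `struct clone_args`, so a seccomp filter cannot inspect them; if this profile restricts `clone` by flag value anywhere (not visible in this diff), allowing `clone3` outright bypasses that restriction, and the point of `defaultErrnoRet: 38` added in the first hunk is precisely to let `clone3` return ENOSYS so glibc falls back to the filtered `clone`. Either confirm there is no flag filter on `clone` in this file, or drop `clone3` from the allow list and leave it to the ENOSYS default.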
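Review bot: the new `SCMP_ACT_ERRNO` rules with `excludes.caps` in seccomp.json (`open_by_handle_at` without CAP_DAC_READ_SEARCH, `bpf`/`fanotify_init`/`setns`/... without CAP_SYS_ADMIN, `chroot` without CAP_SYS_CHROOT, and the module, `acct`, ptrace, `iopl`/`ioperm`, time and `vhangup` blocks) each mirror an existing `SCMP_ACT_ALLOW` rule with `includes.caps`. They are needed because `defaultErrnoRet: 38` changes the implicit fallthrough from EPERM to ENOSYS, and these keep the old EPERM for privileged calls in unprivileged containers; say that once in a `comment` field instead of leaving every one of them `""`. The explicit EPERM on `open_by_handle_at` without CAP_DAC_READ_SEARCH is welcome, as that call is the usual host-filesystem escape route when the capability leaks.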
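Review bot: the `get_mempolicy`/`mbind`/`set_mempolicy` hunk weakens the profile: the removed rule allowed those three calls only with `CAP_SYS_NICE`, and earlier hunks add the same three names to the unconditional allow list, so every container can now set NUMA memory policy regardless of capabilities. That may match upstream, but the changelog entries (`update vendored components`, `update to 1.4.0`) do not mention it; state it explicitly, and note that the rule written in its place (`delete_module`/`init_module`/`finit_module`/`query_module` EPERM without CAP_SYS_MODULE) is unrelated to what was removed, which makes the diff read as a rename rather than a policy change.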
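Review bot: in storage.conf, `# Inodes is used to set a maximum inodes of the container image.` is ungrammatical and, unlike the neighbouring `ignore_chown_errors` comment that names the drivers it applies to, says nothing about which storage driver honours the setting, whether the limit is per container or per image, or what the empty default means. Suggest `# inodes sets the maximum number of inodes a container may use; empty means no limit`, plus the list of drivers that enforce it.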
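Review bot: in update-vendored.sh, `git branch | grep c9s > /dev/null` followed by `if [ $? == 0 ]` is broken under the script's `set -xe`: when no branch matches, `grep` (the last command of the pipeline) exits 1 and `set -e` aborts the script before the `if` runs, so the non-c9s path never executes. Write it as `if git branch | grep -qw c9s; then B=c9s; fi` (the `-w` also stops matching any branch that merely contains `c9s`). Two smaller points: `grep -v -` relies on a lone `-` being parsed as the pattern rather than an option, `grep -v -e -` or `grep -v -- -` says what is meant (dropping pseudo-versions containing a dash); and `[ $B != c9s ]` should quote `"$B"`, otherwise the test is a syntax error when `pkg switch-branch` prints nothing.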
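Review bot: the rhel-8 branch of the new `if pwd | grep rhel-8` block in update.sh omits `ensure registries.conf short-name-mode ...`, but as far as the visible `ensure` body shows (`$2 = $3" $1`) it only adds or rewrites a key and never deletes one, and `SOURCES/registries.conf` in this same commit already ends with `short-name-mode = "enforcing"`; so the changelog line `don't define short-name-mode in RHEL8` is not achieved by this script. The rhel-8 branch has to delete the line (`sed -i '/^short-name-mode/d' registries.conf`). The other branch also inserts `quay.io` into the search list while the shipped file and the rhel-8 branch do not; whichever is intended, keep the checked-in registries.conf in sync, otherwise the shipped file depends on whether someone ran update.sh. Lastly `./pyxis.sh` and `./update-vendored.sh` are commented out with no note; say why or delete the lines, since the spec comment still relies on update-vendored.sh to keep the three vendored versions aligned.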
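Review bot: pinning `podman_branch` from `main` to `v3.3` and bumping c/image, c/common and c/storage to tagged versions is good, but the comment above those globals still reads `Bellow definitions` and `pick the oldest version ... vendored in podman/skopeo/podman` (should be `Below` and `podman/skopeo/buildah`, matching the `for P in podman skopeo buildah` loop in update-vendored.sh). The comment also says the vendored components "must have the same version", which is what update-vendored.sh computes, yet update.sh now has that script commented out, so nothing enforces the rule when the spec is regenerated.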
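Review bot: `Source7` changes from `.../common/%{common_branch}/pkg/seccomp/seccomp.json` to `.../common/main/pkg/seccomp/seccomp.json`, an unpinned moving branch, so `spectool -f -g` on two different days fetches two different seccomp profiles and the reviewed `seccomp.json` in this diff cannot be reproduced from the spec; pin a tag or commit (the profile here needs `defaultErrnoRet`, so if `v0.42.0` lacks it, say so in a comment and pin the commit that has it). Dropping `Source18` is right because its `go-md2man` line wrote `containers-registries.conf.5.md` to `containers-registries.conf.d.5`, clobbering the `%{SOURCE16}` output of the same name, but check that `containers-registries.conf.5` itself is still generated from another source, since the registries.conf header sends users to `containers-registries.conf(5)`. `Source24` switches from the upstream URL (now commented) to a local `default-policy.json`; add a comment stating what differs locally so the two do not diverge unnoticed.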
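Review bot: `Requires: system-release` is added to the main `skopeo` package, but the file that needs it is `/etc/containers/policy.json`, which the `%files` list shows belongs to the containers-common subpackage next to `registries.d`; a host that installs containers-common for podman or buildah without skopeo gets a policy referencing `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` with nothing guaranteeing the key. Move the requirement into the containers-common subpackage under `%if 0%{?rhel} && !0%{?centos}`, the inverse of the condition under which the spec ships the key itself. `Requires: crun >= 0.19` on RHEL 9/Fedora with `runc` otherwise matches the `runtime` values update.sh writes into containers.conf, good.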
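Review bot: in %install, `install -dp %{buildroot}%{_sysconfdir}/containers/registries.d` repeats the directory already created by the `{certs.d,oci/hooks.d,registries.d,registries.conf.d}` line a few lines up; drop it. `install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore` creates the staging directory that default.yaml points at (`file:///var/lib/containers/sigstore`), but no `%dir %{_sharedstatedir}/containers/sigstore` appears in the `%files` hunks of this diff; if it is not listed elsewhere the unpackaged-files check fails the build, and if it is listed without `%dir` the package claims every signature later written under it.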
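Review bot: in the `%files` hunk, `registries.d/registry.redhat.io.yaml` and `registries.d/registry.access.redhat.com.yaml` are listed as plain files while `registries.d/default.yaml` right below is `%config(noreplace)`; an admin who edits the `sigstore:` URL (for an internal mirror of the signature store) loses the change on the next update with no `.rpmnew`. Mark them `%config(noreplace)`, or `%config` if the vendor-supplied URL is meant to always win, and say which. The key-file block `%if !0%{?rhel} || 0%{?centos}` must stay identical to the same condition in %install, which it is today; a single macro for the condition would keep them from drifting.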