From d74b52d30cfeec2b960c2bbc271f7c452ae4e10baba260e68a17c97dc1d2c291 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 30 May 2025 17:07:32 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main libcontainers-common revision a5658c99a15baa231cb8dfbd851aa624 --- 0002-storage-conf-prio-list.patch | 13 ++ 0003-containers-conf-suse-defaults.patch | 22 +++ _service | 15 +- common-0.58.0.tar.xz | 3 - common-0.62.3.tar.xz | 3 + containers.conf | 98 +++++++++--- image-5.30.0.tar.xz | 3 - image-5.34.3.tar.xz | 3 + libcontainers-common.changes | 62 +++++++- libcontainers-common.spec | 46 +++--- shortnames.conf | 38 ++++- storage-1.53.0.tar.xz | 3 - storage-1.57.2.tar.xz | 3 + storage.conf | 184 ++++++++--------------- 14 files changed, 314 insertions(+), 182 deletions(-) create mode 100644 0002-storage-conf-prio-list.patch create mode 100644 0003-containers-conf-suse-defaults.patch delete mode 100644 common-0.58.0.tar.xz create mode 100644 common-0.62.3.tar.xz delete mode 100644 image-5.30.0.tar.xz create mode 100644 image-5.34.3.tar.xz delete mode 100644 storage-1.53.0.tar.xz create mode 100644 storage-1.57.2.tar.xz diff --git a/0002-storage-conf-prio-list.patch b/0002-storage-conf-prio-list.patch new file mode 100644 index 0000000..81c88f1 --- /dev/null +++ b/0002-storage-conf-prio-list.patch @@ -0,0 +1,13 @@ +Index: storage.conf +=================================================================== +--- storage.conf (revision 71490d8c0a9096277f3511c4adb298db) ++++ storage.conf (working copy) +@@ -21,7 +21,7 @@ + + # Priority list for the storage drivers that will be tested one + # after the other to pick the storage driver if it is not defined. +-# driver_priority = ["overlay", "btrfs"] ++# driver_priority = ["btrfs", "overlay"] + + # Primary Read/Write location of container storage + # When changing the graphroot location on an SELinux system, you must 
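Review bot: The swap in 0002-storage-conf-prio-list.patch only touches a commented-out `# driver_priority` line, and the synced storage.conf (see the storage.conf hunks later in this patch) sets `driver = "overlay"` unconditionally a few lines above it, so the priority list is never consulted and this patch has no runtime effect. If SUSE wants btrfs hosts to prefer the btrfs driver, the key has to be live, `driver_priority = ["btrfs", "overlay"]`, with `driver` left unset; if the intent is only to document the SUSE preference, say so above it, e.g. `# SUSE: preferred order when driver is unset; driver is set explicitly above`, so the next maintainer does not expect behaviour from it. The spec's own comment on Patch101 suggests the documentation-only reading is intended, but the .changes entry does not make that explicit.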
diff --git a/0003-containers-conf-suse-defaults.patch b/0003-containers-conf-suse-defaults.patch new file mode 100644 index 0000000..0e7a5d1 --- /dev/null +++ b/0003-containers-conf-suse-defaults.patch @@ -0,0 +1,22 @@ +Index: containers.conf +=================================================================== +--- containers.conf (revision 71490d8c0a9096277f3511c4adb298db) ++++ containers.conf (working copy) +@@ -378,7 +378,7 @@ + # drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is + # experimental at the moment and not recommend outside of testing). + # +-#firewall_driver = "" ++firewall_driver = "nftables" + + + # The network name of the default network to attach pods to. +@@ -715,7 +715,7 @@ + + # Default OCI runtime + # +-#runtime = "crun" ++runtime = "runc" + + # List of the OCI runtimes that support --format=json. When json is supported + # engine will use it for reporting nicer errors. diff --git a/_service b/_service index 78def79..1e44f3f 100644 --- a/_service +++ b/_service @@ -1,9 +1,10 @@ + - https://github.com/containers/storage.git + https://github.com/containers/common.git git - storage - v1.53.0 + common + v0.62.3 @PARENT_TAG@ v(.*) @@ -11,15 +12,15 @@ https://github.com/containers/image.git git image - v5.30.0 + v5.34.3 @PARENT_TAG@ v(.*) - https://github.com/containers/common.git + https://github.com/containers/storage.git git - common - v0.58.0 + storage + v1.57.2 @PARENT_TAG@ v(.*) diff --git a/common-0.58.0.tar.xz b/common-0.58.0.tar.xz deleted file mode 100644 index dc54ada..0000000 --- a/common-0.58.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7924351cdc3fddce22b5803457694901437bccd4b4e95b0b522e21cfed5be309 -size 8233332 diff --git a/common-0.62.3.tar.xz b/common-0.62.3.tar.xz new file mode 100644 index 0000000..a70618a --- /dev/null +++ b/common-0.62.3.tar.xz 
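Review bot: `firewall_driver = "nftables"` in 0003-containers-conf-suse-defaults.patch leaves the upstream comment directly above it ("The default is empty which means netavark will pick one accordingly") untouched, so the shipped file now documents a default it no longer has; the same applies to `runtime = "runc"` under "# Default OCI runtime", which says nothing about why crun was replaced (the .changes cites bsc#1239088). A one-line downstream comment on each, e.g. `# SUSE default: nftables pinned instead of netavark autodetection` and `# SUSE default: runc (bsc#1239088)`, keeps the file self-explanatory for admins who override it from /etc/containers without reading the spec. Pinning the driver presumably also removes netavark's fallback, so a host without nftables support fails network setup rather than falling back to iptables; that is worth stating in the comment as well. The `_service` and LFS pointer changes on the same line are routine.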
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:abc23c83b4c482375a9188978fe18bc2ca14bbb1903b427e68dcef27f0420927 +size 8364388 diff --git a/containers.conf b/containers.conf index c54e669..f323d77 100644 --- a/containers.conf +++ b/containers.conf @@ -27,16 +27,19 @@ # #apparmor_profile = "container-default" -# The hosts entries from the base hosts file are added to the containers hosts -# file. This must be either an absolute path or as special values "image" which -# uses the hosts file from the container image or "none" which means -# no base hosts file is used. The default is "" which will use /etc/hosts. +# Base file to create the `/etc/hosts` file inside the container. This must either +# be an absolute path to a file on the host system, or one of the following +# special flags: +# "" Use the host's `/etc/hosts` file (the default) +# `none` Do not use a base file (i.e. start with an empty file) +# `image` Use the container image's `/etc/hosts` file as base file # #base_hosts_file = "" # List of cgroup_conf entries specifying a list of cgroup files to write to and # their values. For example `memory.high=1073741824` sets the # memory.high limit to 1GB. +# # cgroup_conf = [] # Default way to to create a cgroup namespace for the container @@ -55,6 +58,14 @@ # #cgroups = "enabled" +# When no hostname is set for a container, use the container's name, with +# characters not valid for a hostname removed, as the hostname instead of +# the first 12 characters of the container's ID. Containers not running +# in a private UTS namespace will have their hostname set to the host's +# hostname regardless of this setting. +# +#container_name_as_hostname = false + # List of default capabilities for containers. If it is empty or commented out, # the default capabilities defined in the container engine will be added. # 
@@ -126,13 +137,25 @@ default_sysctls = [ # #env_host = false -# Set the ip for the host.containers.internal entry in the containers /etc/hosts -# file. This can be set to "none" to disable adding this entry. By default it -# will automatically choose the host ip. +# Set the IP address the container should expect to connect to the host. The IP +# address is used by Podman to automatically add the `host.containers.internal` +# and `host.docker.internal` hostnames to the container's `/etc/hosts` file. It +# is also used for the *host-gateway* flag of Podman's `--add-host` CLI option. +# If no IP address is configured (the default), Podman will try to determine it +# automatically, but might fail to do so depending on the container's network +# setup. Adding these internal hostnames to `/etc/hosts` is silently skipped then. +# Set this config to `none` to never add the internal hostnames to `/etc/hosts`. # -# NOTE: When using podman machine this entry will never be added to the containers -# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore -# it is not possible to disable the entry in this case. +# Note: If Podman is running in a virtual machine using `podman machine` (this +# includes Mac and Windows hosts), Podman will silently skip adding the internal +# hostnames to `/etc/hosts`, unless an IP address was configured manually. The +# internal hostnames are resolved by the gvproxy DNS resolver instead. This config +# has no effect on gvproxy. However, since `/etc/hosts` bypasses the DNS resolver, +# a manually configured IP address still takes precedence. +# +# Note: This config doesn't affect the actual network setup, it just tells Podman +# the IP address it should expect. Configuring an IP address here doesn't ensure +# that the container can actually reach the host using this IP address. # #host_containers_internal_ip = "" 
@@ -221,8 +244,10 @@ default_sysctls = [ # #netns = "private" -# Create /etc/hosts for the container. By default, container engine manage -# /etc/hosts, automatically adding the container's own IP address. +# Do not modify the `/etc/hosts` file in the container. Podman assumes control +# over the container's `/etc/hosts` file by default; refer to the `--add-host` +# CLI option for details. To disable this, either set this config to `true`, or +# use the functionally identical `--no-hosts` CLI option. # #no_hosts = false @@ -350,9 +375,9 @@ default_sysctls = [ # The firewall driver to be used by netavark. # The default is empty which means netavark will pick one accordingly. Current supported -# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is -# experimental at the moment and not recommend outside of testing). In the future we are -# planning to add support for a "nftables" driver. +# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is +# experimental at the moment and not recommend outside of testing). +# #firewall_driver = "" @@ -416,6 +441,8 @@ default_sysctls = [ #List of compression algorithms. If set makes sure that requested compression variant #for each platform is added to the manifest list keeping original instance intact in #the same manifest list on every `manifest push`. Supported values are (`gzip`, `zstd` and `zstd:chunked`). +#`zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +#in that case. # #add_compression = ["gzip", "zstd", "zstd:chunked"] @@ -438,6 +465,8 @@ default_sysctls = [ # This field is ignored when pushing images to the docker-daemon and # docker-archive formats. It is also ignored when the manifest format is set # to v2s2. +# `zstd:chunked` is incompatible with encrypting images, and will be treated as `zstd` with a warning +# in that case. # #compression_format = "gzip" 
@@ -529,6 +558,15 @@ default_sysctls = [ # with detailed information about the container. #events_container_create_inspect_data = false +# Whenever Podman should log healthcheck events. +# With many running healthcheck on short interval Podman will spam the event +# log a lot as it generates a event for each single healthcheck run. Because +# this event is optional and only useful to external consumers that may want +# to know when a healthcheck is run or failed allow users to turn it off by +# setting it to false. The default is true. +# +#healthcheck_events = true + # A is a list of directories which are used to search for helper binaries. # #helper_binaries_dir = [ @@ -544,6 +582,12 @@ default_sysctls = [ # "/usr/share/containers/oci/hooks.d", #] +# Directories to scan for CDI Spec files. +# +#cdi_spec_dirs = [ +# "/etc/cdi", +#] + # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building # container images. By default image pulled and pushed match the format of the # source image. Building/committing defaults to OCI. @@ -744,9 +788,6 @@ default_sysctls = [ # A value of 0 is treated as no timeout. #volume_plugin_timeout = 5 -# Default timeout in seconds for podmansh logins. -#podmansh_timeout = 30 - # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) [engine.runtimes] #crun = [ 
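Review bot: The new `#cdi_spec_dirs` entry in the `@@ -544,6 +582,12 @@` hunk is documented only as "Directories to scan for CDI Spec files", with no hint of the trust those files carry. As I understand CDI, spec files are what the engine uses to hand host devices (and their mounts and environment) to containers, so anyone able to write to `/etc/cdi` can grant device access to every container the engine starts; an operator reading this file should see that. I would extend the comment to `# Directories to scan for CDI Spec files. Spec files inject host devices and mounts into containers, so these directories must be writable only by trusted administrators.` The surrounding `[engine]` table continues outside the hunk.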
@@ -853,7 +894,15 @@ default_sysctls = [ # Virtualization provider used to run Podman machine. # If it is empty or commented out, the default provider will be used. -# +# Linux: +# qemu - Open source machine emulator and virtualizer. (Default) +# Windows: there are currently two options: +# wsl - Windows Subsystem for Linux (Default) +# hyperv - Windows Server Virtualization +# Mac: there are currently two options: +# applehv - Default Apple Hypervisor (Default) +# libkrun - Launch virtual machines using the libkrun platform, optimized +# for sharing GPU with the machine. #provider = "" # Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon. @@ -874,3 +923,14 @@ default_sysctls = [ # # map of existing farms #[farms.list] + +[podmansh] +# Shell to spawn in container. Default: /bin/sh. +#shell = "/bin/sh" +# +# Name of the container the podmansh user should join. +#container = "podmansh" +# +# Default timeout in seconds for podmansh logins. +# Favored over the deprecated "podmansh_timeout" field. +#timeout = 30 diff --git a/image-5.30.0.tar.xz b/image-5.30.0.tar.xz deleted file mode 100644 index 17753e2..0000000 --- a/image-5.30.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:89578b06e33bae568939478650572ee1d932b663d9b0eee47d96c74d6af8d77c -size 488856 diff --git a/image-5.34.3.tar.xz b/image-5.34.3.tar.xz new file mode 100644 index 0000000..23741df --- /dev/null +++ b/image-5.34.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d40131b1f0461f76fc3dfedbfad71e382b33b244bd65b7cee38585af02d8f8b +size 516712 diff --git a/libcontainers-common.changes b/libcontainers-common.changes index 6619623..93f2b9e 100644 --- a/libcontainers-common.changes +++ b/libcontainers-common.changes 
@@ -1,3 +1,59 @@ +------------------------------------------------------------------- +Thu May 29 16:30:56 UTC 2025 - Danish Prakash + +- Sync containers.conf & storage.conf with the current c/* versions +- Rename storage-conf-prio-list.patch to 0002-storage-conf-prio-list.patch +- Add patch to set SUSE defaults to containers.conf: + * 0003-containers-conf-suse-defaults.patch + +------------------------------------------------------------------- +Wed Apr 9 05:50:02 UTC 2025 - Danish Prakash + +- containers.conf default configuration modifications: + * set runc as the default OCI runtime (bsc#1239088) + * set nftables as the default firewall driver for netavark +- New release 20250409 + * bump bundled c/common to 0.59.1 + * bump bundled c/image to 5.31.0 + * bump bundled c/storage to 1.54.0 + +------------------------------------------------------------------- +Fri Feb 7 13:31:44 UTC 2025 - Dirk Müller + +- fix shortnames.config by updating them from upstream + +------------------------------------------------------------------- +Mon Jun 24 13:32:55 UTC 2024 - Danish Prakash + +- While migrating config files from /etc/containers/ to /usr/share/containers/, + preserve config files *if* modified by the user (fixes bsc#1226825). 
+ +------------------------------------------------------------------- +Mon Jun 24 07:46:23 UTC 2024 - Dan Čermák + +- update storage.conf & containers.conf to latest versions from upstream + + The only functional changes are in storage.conf: + * change storage.options.pull_options.enable_partial_images from false to true + * change storage.options.overlay.mount_options from `mountopt = + "nodev,metacopy=on"` to `mountopt = "nodev"` + +- add download_files service to fetch the latest config on `osc service mr` +- add storage-conf-prio-list.patch that modifies the upstream storage.conf to + add our storage driver priority list + +------------------------------------------------------------------- +Tue Jun 18 06:53:50 UTC 2024 - Danish Prakash + +- Move the following distro configs files to /usr/share/containers/: + * /etc/containers/mounts.json + * /etc/containers/storage.conf + * /etc/containers/seccomp.json +- New release 20240618 +- bump bundled c/common to 0.59.1 +- bump bundled c/image to 5.31.0 +- bump bundled c/storage to 1.54.0 + ------------------------------------------------------------------- Wed Apr 24 14:56:17 UTC 2024 - Danish Prakash @@ -24,7 +80,7 @@ Wed Mar 20 10:41:40 UTC 2024 - Marcus Meissner ------------------------------------------------------------------- Fri Mar 1 13:16:28 UTC 2024 - Marcus Meissner -- disable the SUSE registry key validation temporary to switch the key on +- disable the SUSE registry key validation temporary to switch the key on registry.suse.com. ------------------------------------------------------------------- @@ -349,7 +405,7 @@ Tue Aug 9 08:49:18 UTC 2022 - Fabian Vogt Wed Aug 3 13:19:58 UTC 2022 - Frederic Crozat - Resync containers.conf / storage.conf with Fedora -- Create /etc/containers/registries.conf.d and +- Create /etc/containers/registries.conf.d and add 000-shortnames.conf to it. ------------------------------------------------------------------- 
@@ -366,7 +422,7 @@ Tue Jun 14 13:53:43 UTC 2022 - Dan Čermák ------------------------------------------------------------------- Wed Jun 8 12:39:46 UTC 2022 - Richard Brown -- Add missing comma to previous change +- Add missing comma to previous change ------------------------------------------------------------------- Mon Jun 6 12:56:19 UTC 2022 - Lubos Kocman diff --git a/libcontainers-common.spec b/libcontainers-common.spec index 11ca3ee..6ee221d 100644 --- a/libcontainers-common.spec +++ b/libcontainers-common.spec @@ -17,17 +17,17 @@ # commonver - version from containers/common -%define commonver 0.58.0 +%define commonver 0.62.3 # storagever - version from containers/storage -%define storagever 1.53.0 +%define storagever 1.57.2 # imagever - version from containers/image -%define imagever 5.30.0 +%define imagever 5.34.3 # skopeover - version from containers/skopeo -%define skopeover 1.15.0 +%define skopeover 1.14.4 # https://github.com/containers/shortnames -%define shortnamesver 2023.02.20 +%define shortnamesver 8ce3e7d11ca3425a9899fc7291f4256ba5da225c Name: libcontainers-common -Version: 20240408 +Version: 20250409 Release: 0 Summary: Configuration files common to github.com/containers License: Apache-2.0 @@ -38,8 +38,7 @@ Source1: storage-%{storagever}.tar.xz Source2: LICENSE # https://raw.githubusercontent.com/containers/skopeo/main/default-policy.json Source3: https://raw.githubusercontent.com/containers/skopeo/v%{skopeover}/default-policy.json#./policy.json -# https://github.com/containers/storage/blob/main/storage.conf + custom changes -Source4: storage.conf +Source4: https://raw.githubusercontent.com/containers/storage/v%{storagever}/storage.conf # heavily modified version of https://github.com/containers/common/blob/main/pkg/subscriptions/mounts.conf Source5: mounts.conf # https://raw.githubusercontent.com/containers/image/main/registries.conf with our own registries inserted 
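Review bot: `%define skopeover` moves backwards from 1.15.0 to 1.14.4, so `Source3` now fetches `default-policy.json` from an older skopeo tag while every other bundled component moves forward; that file is installed as `policy.json.default`/`policy.json.openSUSE` and governs how image signatures are enforced, so a downgrade needs a stated reason in the spec or the .changes, or the define should track the newest release like the others. Pinning `shortnamesver` to a commit hash is better than a moving tag, but the `# https://github.com/containers/shortnames` comment could record the commit date so the pin is reviewable. Also, the .changes entries in this sync record bumps to c/common 0.59.1, c/image 5.31.0 and c/storage 1.54.0, whereas the defines here are 0.62.3, 5.34.3 and 1.57.2; the changelog should name the versions actually shipped.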
@@ -49,9 +48,12 @@ Source7: default.yaml Source8: common-%{commonver}.tar.xz Source9: https://raw.githubusercontent.com/containers/common/v%{commonver}/pkg/config/containers.conf Source10: %{name}.rpmlintrc -Source11: https://raw.githubusercontent.com/containers/shortnames/v%{shortnamesver}/shortnames.conf +Source11: https://raw.githubusercontent.com/containers/shortnames/%{shortnamesver}/shortnames.conf Source12: openSUSE-policy.json Patch100: 0001-containers.conf-SUSE-clear-cni-config-dir-for-ALP.patch +# Downstream patch to add the commented out storage driver priority list +Patch101: 0002-storage-conf-prio-list.patch +Patch102: 0003-containers-conf-suse-defaults.patch BuildRequires: go-go-md2man Requires(post): %{_bindir}/sed # add SLE-specific mounts for only SLES systems @@ -120,12 +122,14 @@ Ships the upstream registries.conf with registry.opensuse.org and registry.suse. %prep cp %{SOURCE9} . -# Apply CNI config on streams other than ALP (bsc#1213556) -# https://github.com/containers/podman/issues/19327 +# Apply CNI config to streams that support CNI networking backend for podman i.e SLE-15 +# bsc#1213556 (https://github.com/containers/podman/issues/19327) %if 0%{?suse_version} < 1600 && !0%{?is_opensuse} %patch -P100 -p3 sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %_builddir/containers.conf %endif +cp %{SOURCE4} . +%patch -P101 -P102 %setup -q -Tcq -b0 -b1 -b8 # copy the LICENSE file in the build root 
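Review bot: `Patch102` is added without the explanatory comment that `Patch101` gets, and since it changes shipped defaults (runtime and firewall driver) rather than documentation it is the one that most needs a pointer; `# Downstream patch: SUSE defaults for containers.conf (runc runtime, nftables firewall driver; bsc#1239088)` would match the existing style. In the `%prep` hunk, `cp %{SOURCE4} .` and `%patch -P101 -P102` run before `%setup -c` switches into the build subdirectory, so if I read the ordering right the patched `storage.conf` ends up beside `containers.conf` in `%_builddir`; later stages that refer to it need to use that location consistently.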
@@ -182,14 +186,12 @@ install -d -m 0755 %{buildroot}/%{_datadir}/containers/systemd install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.default install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.openSUSE -install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/containers/storage.conf install -D -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/containers/mounts.conf -install -D -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/containers/mounts.conf +install -D -m 0644 storage.conf %{buildroot}/%{_datadir}/containers/storage.conf install -D -m 0644 %{SOURCE11} %{buildroot}/%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf install -D -m 0644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/containers/registries.d/default.yaml install -D -m 0644 %_builddir/containers.conf %{buildroot}/%{_datadir}/containers/containers.conf install -D -m 0644 common-%{commonver}/pkg/seccomp/seccomp.json %{buildroot}/%{_datadir}/containers/seccomp.json -install -D -m 0644 common-%{commonver}/pkg/seccomp/seccomp.json %{buildroot}/%{_sysconfdir}/containers/seccomp.json install -d %{buildroot}/%{_mandir}/man1 install -d %{buildroot}/%{_mandir}/man5 
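Review bot: The new install line uses the bare relative path `storage.conf`, while the sibling line two below refers to the file prepared the same way in `%prep` as `%_builddir/containers.conf`. Both were copied into the directory `%prep` started in before `%setup -c` changed into the build subdirectory, so unless rpm resolves the relative name against `%_builddir` here (which I cannot confirm from the spec alone), `install` either fails or picks up a different, possibly unpatched, `storage.conf`. Making it explicit removes the doubt: `install -D -m 0644 %_builddir/storage.conf %{buildroot}/%{_datadir}/containers/storage.conf`.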
@@ -207,9 +209,19 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json install -D -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/containers/registries.conf.default install -D -m 0644 registries.conf.suse %{buildroot}/%{_sysconfdir}/containers/registries.conf.suse +%pre +for i in %{_sysconfdir}/containers/{mounts.conf,seccomp.json,storage.conf} ; do + test -f ${i}.rpmsave && mv -v ${i}.rpmsave ${i}.rpmsave.old ||: +done + %post # Comment out ostree_repo if it's blank [boo#1189893] -sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/storage.conf +if [ -f %{_sysconfdir}/containers/storage.conf ]; then sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/storage.conf; fi + +%posttrans +for i in %{_sysconfdir}/containers/{mounts.conf,seccomp.json,storage.conf} ; do + test -f ${i}.rpmsave && mv -v ${i}.rpmsave ${i} ||: +done %files %dir %{_sysconfdir}/containers @@ -223,11 +235,10 @@ sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/stora %dir %{_datadir}/containers/oci/hooks.d %dir %{_datadir}/containers/systemd -%config(noreplace) %{_sysconfdir}/containers/storage.conf -%config(noreplace) %{_sysconfdir}/containers/seccomp.json %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf %{_datadir}/containers/seccomp.json +%{_datadir}/containers/storage.conf %{_datadir}/containers/containers.conf %{_mandir}/man1/*.1%{?ext_man} @@ -235,7 +246,6 @@ sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/stora %license LICENSE %files -n libcontainers-sles-mounts -%config(noreplace) %{_sysconfdir}/containers/mounts.conf %{_datadir}/containers/mounts.conf %files -n libcontainers-openSUSE-policy diff --git a/shortnames.conf b/shortnames.conf index 60c45d7..27d8afa 100644 --- a/shortnames.conf +++ b/shortnames.conf 
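Review bot: The `%post` sed that comments out `ostree_repo = ""` runs before `%posttrans` moves a user's saved `/etc/containers/storage.conf.rpmsave` back into place, so a restored file is never touched by it; if boo#1189893 still matters for migrated configs the sed belongs in `%posttrans` after the `mv`, otherwise the scriptlet can be dropped. The restore also covers `/etc/containers/seccomp.json`, and an old user copy there presumably keeps overriding the refreshed profile now shipped in `%{_datadir}/containers/seccomp.json`; that is the intent of bsc#1226825, but the `mv -v` output is the only trace, so an `echo` or .changes line telling admins to diff restored files against the new defaults would help. A second upgrade through this path also silently clobbers an existing `.rpmsave.old` in `%pre`; `mv -n` or a timestamped suffix avoids that.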
@@ -2,6 +2,8 @@ # almalinux "almalinux" = "docker.io/library/almalinux" "almalinux-minimal" = "docker.io/library/almalinux-minimal" + # Amazon Linux + "amazonlinux" = "public.ecr.aws/amazonlinux/amazonlinux" # Arch Linux "archlinux" = "docker.io/library/archlinux" # centos @@ -18,8 +20,11 @@ "registry" = "docker.io/library/registry" "swarm" = "docker.io/library/swarm" # Fedora + "fedora-bootc" = "registry.fedoraproject.org/fedora-bootc" "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal" "fedora" = "registry.fedoraproject.org/fedora" + # Gentoo + "gentoo" = "docker.io/gentoo/stage3" # openSUSE "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed" "opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf" 
@@ -33,6 +38,21 @@ "leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf" "leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf" "tw-busybox" = "registry.opensuse.org/opensuse/busybox" + # OTel (Open Telemetry) - opentelemetry.io + "otel/autoinstrumentation-go" = "docker.io/otel/autoinstrumentation-go" + "otel/autoinstrumentation-nodejs" = "docker.io/otel/autoinstrumentation-nodejs" + "otel/autoinstrumentation-python" = "docker.io/otel/autoinstrumentation-python" + "otel/autoinstrumentation-java" = "docker.io/otel/autoinstrumentation-java" + "otel/autoinstrumentation-dotnet" = "docker.io/otel/autoinstrumentation-dotnet" + "otel/opentelemetry-collector" = "docker.io/otel/opentelemetry-collector" + "otel/opentelemetry-collector-contrib" = "docker.io/otel/opentelemetry-collector-contrib" + "otel/opentelemetry-collector-contrib-dev" = "docker.io/otel/opentelemetry-collector-contrib-dev" + "otel/opentelemetry-collector-k8s" = "docker.io/otel/opentelemetry-collector-k8s" + "otel/opentelemetry-operator" = "docker.io/otel/opentelemetry-operator" + "otel/opentelemetry-operator-bundle" = "docker.io/otel/opentelemetry-operator-bundle" + "otel/operator-opamp-bridge" = "docker.io/otel/operator-opamp-bridge" + "otel/semconvgen" = "docker.io/otel/semconvgen" + "otel/weaver" = "docker.io/otel/weaver" # SUSE "suse/sle15" = "registry.suse.com/suse/sle15" "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5" 
@@ -52,10 +72,11 @@ "rhel7" = "registry.access.redhat.com/rhel7" "rhel7.9" = "registry.access.redhat.com/rhel7.9" "rhel-atomic" = "registry.access.redhat.com/rhel-atomic" - "rhel-minimal" = "registry.access.redhat.com/rhel-minimum" + "rhel9-bootc" = "registry.redhat.io/rhel9/rhel-bootc" + "rhel-minimal" = "registry.access.redhat.com/rhel-minimal" "rhel-init" = "registry.access.redhat.com/rhel-init" "rhel7-atomic" = "registry.access.redhat.com/rhel7-atomic" - "rhel7-minimal" = "registry.access.redhat.com/rhel7-minimum" + "rhel7-minimal" = "registry.access.redhat.com/rhel7-minimal" "rhel7-init" = "registry.access.redhat.com/rhel7-init" "rhel7/rhel" = "registry.access.redhat.com/rhel7/rhel" "rhel7/rhel-atomic" = "registry.access.redhat.com/rhel7/rhel7/rhel-atomic" @@ -96,7 +117,7 @@ "ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah" "ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo" # Rocky Linux - "rockylinux" = "docker.io/library/rockylinux" + "rockylinux" = "quay.io/rockylinux/rockylinux" # Debian "debian" = "docker.io/library/debian" # Kali Linux @@ -111,6 +132,8 @@ "oraclelinux" = "container-registry.oracle.com/os/oraclelinux" # busybox "busybox" = "docker.io/library/busybox" + # golang + "golang" = "docker.io/library/golang" # php "php" = "docker.io/library/php" # python @@ -119,3 +142,12 @@ "rust" = "docker.io/library/rust" # node "node" = "docker.io/library/node" + # Grafana Labs + "grafana/agent" = "docker.io/grafana/agent" + "grafana/grafana" = "docker.io/grafana/grafana" + "grafana/k6" = "docker.io/grafana/k6" + "grafana/loki" = "docker.io/grafana/loki" + "grafana/mimir" = "docker.io/grafana/mimir" + "grafana/oncall" = "docker.io/grafana/oncall" + "grafana/pyroscope" = "docker.io/grafana/pyroscope" + "grafana/tempo" = "docker.io/grafana/tempo" diff --git a/storage-1.53.0.tar.xz b/storage-1.53.0.tar.xz deleted file mode 100644 index 2065954..0000000 --- a/storage-1.53.0.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f8675a6aaf1209232202cec84794a3b32eb38d4439b4deeec865675eeb995ffc -size 2295056 diff --git a/storage-1.57.2.tar.xz b/storage-1.57.2.tar.xz new file mode 100644 index 0000000..6f2a7f4 --- /dev/null +++ b/storage-1.57.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73df456d503ec1bfff4deeb431361a74535eced7012fbde1cdc6fe0618700412 +size 2245744 diff --git a/storage.conf b/storage.conf index 89014a6..9771a1e 100644 --- a/storage.conf +++ b/storage.conf @@ -8,12 +8,12 @@ # /usr/containers/storage.conf # /etc/containers/storage.conf # $HOME/.config/containers/storage.conf -# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) +# $XDG_CONFIG_HOME/containers/storage.conf (if XDG_CONFIG_HOME is set) # See man 5 containers-storage.conf for more information -# The "container storage" table contains all of the server options. +# The "storage" table contains all of the server options. [storage] -# Default Storage Driver, Must be set for proper operation. +# Default storage driver, must be set for proper operation. driver = "overlay" # Temporary storage location 
@@ -21,16 +21,20 @@ runroot = "/run/containers/storage" # Priority list for the storage drivers that will be tested one # after the other to pick the storage driver if it is not defined. -# driver_priority = ["btrfs", "overlay"] +# driver_priority = ["overlay", "btrfs"] # Primary Read/Write location of container storage -# When changing the graphroot location on an SELINUX system, you must -# ensure the labeling matches the default locations labels with the +# When changing the graphroot location on an SELinux system, you must +# ensure the labeling matches the default location's labels with the # following commands: # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH graphroot = "/var/lib/containers/storage" +# Optional alternate location of image store if a location separate from the +# container store is required. If set, it must be different than graphroot. +# imagestore = "" + # Storage path for rootless users # @@ -38,6 +42,8 @@ graphroot = "/var/lib/containers/storage" # Transient store mode makes all container metadata be saved in temporary storage # (i.e. runroot above). This is faster, but doesn't persist across reboots. +# Additional garbage collection must also be performed at boot-time, so this +# option should remain disabled in most configurations. # transient_store = true [storage.options] 
@@ -48,48 +54,50 @@ graphroot = "/var/lib/containers/storage" additionalimagestores = [ ] -# Allows specification of how storage is populated when pulling images. This -# option can speed the pulling process of images compressed with format -# zstd:chunked. Containers/storage looks for files within images that are being -# pulled from a container registry that were previously pulled to the host. It -# can copy or create a hard link to the existing file when it finds them, -# eliminating the need to pull them from the container registry. These options -# can deduplicate pulling of content, disk storage of content and can allow the -# kernel to use less memory when running containers. +# Options controlling how storage is populated when pulling images. +[storage.options.pull_options] +# Enable the "zstd:chunked" feature, which allows partial pulls, reusing +# content that already exists on the system. This is disabled by default, +# and must be explicitly enabled to be used. For more on zstd:chunked, see +# https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# enable_partial_images = "false" -# containers/storage supports four keys -# * enable_partial_images="true" | "false" -# Tells containers/storage to look for files previously pulled in storage -# rather then always pulling them from the container registry. -# * use_hard_links = "false" | "true" -# Tells containers/storage to use hard links rather then create new files in -# the image, if an identical file already existed in storage. 
-# * ostree_repos = "" -# Tells containers/storage where an ostree repository exists that might have -# previously pulled content which can be used when attempting to avoid -# pulling content from the container registry -pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# use_hard_links = "false" -# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of -# a container, to the UIDs/GIDs as they should appear outside of the container, -# and the length of the range of UIDs/GIDs. Additional mapped sets can be -# listed and will be heeded by libraries, but there are limits to the number of -# mappings which the kernel will allow when you later attempt to run a -# container. +# Path to an ostree repository that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry. +# ostree_repos="" + +# If set to "true", containers/storage will convert images that are +# not already in zstd:chunked format to that format before processing +# in order to take advantage of local deduplication and hard linking. +# It is an expensive operation so it is not enabled by default. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# convert_images = "false" + +# This should ALMOST NEVER be set. +# It allows partial pulls of images without guaranteeing that "partial +# pulls" and non-partial pulls both result in consistent image contents. +# This allows pulling estargz images and early versions of zstd:chunked images; +# otherwise, these layers always use the traditional non-partial pull path. 
# -# remap-uids = 0:1668442479:65536 -# remap-gids = 0:1668442479:65536 - -# Remap-User/Group is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting -# with an in-container ID of 0 and then a host-level ID taken from the lowest -# range that matches the specified name, and using the length of that range. -# Additional ranges are then assigned, using the ranges which specify the -# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, -# until all of the entries have been used for maps. +# This option should be enabled EXTREMELY rarely, only if ALL images that could +# EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy) +# to come from a build system trusted to never attack image integrity. # -# remap-user = "containers" -# remap-group = "containers" +# If this consistency enforcement were disabled, malicious images could be built +# in a way designed to evade other audit mechanisms, so presence of most other audit +# mechanisms is not a replacement for the above-mentioned need for all images to come +# from a trusted build system. +# +# As a side effect, enabling this option will also make image IDs unpredictable +# (usually not equal to the traditional value matching the config digest). +# insecure_allow_unpredictable_image_contents = "false" # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID # ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned 
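Review bot: The `[storage.options.pull_options]` table header introduced in this hunk is followed by the commented `root-auto-userns-user`/`auto-userns-*` examples, which are `[storage.options]` keys; a TOML table stays open until the next header, so uncommenting any of them where they now sit places them in `pull_options` instead of `storage.options`. If pull_options is decoded as a free-form key/value map, as the "string bool" entries suggest, the misplaced key would be accepted silently and the intended user-namespace limits would never apply. Either move the auto-userns block above the `[storage.options.pull_options]` header, or add a comment right under it: `# NOTE: keys below this header belong to pull_options; auto-userns settings must be placed under [storage.options] above.` This is upstream text, so the fix is worth sending upstream rather than carrying only as a SUSE patch.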
@@ -102,7 +110,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre # Auto-userns-min-size is the minimum size for a user namespace created automatically. # auto-userns-min-size=1024 # -# Auto-userns-max-size is the minimum size for a user namespace created automatically. +# Auto-userns-max-size is the maximum size for a user namespace created automatically. # auto-userns-max-size=65536 [storage.options.overlay] @@ -112,6 +120,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre # squashed down to the default uid in the container. These images will have no # separation between the users in the container. Only supported for the overlay # and vfs drivers. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) #ignore_chown_errors = "false" # Inodes is used to set a maximum inodes of the container image. @@ -122,11 +131,16 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre #mount_program = "/usr/bin/fuse-overlayfs" # mountopt specifies comma separated list of extra mount options -mountopt = "nodev,metacopy=on" +mountopt = "nodev" # Set to skip a PRIVATE bind mount on the storage home directory. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) # skip_mount_home = "false" +# Set to use composefs to mount data layers with overlay. +# This is a "string bool": "false" | "true" (cannot be native TOML boolean) +# use_composefs = "false" + # Size is used to set a maximum size of the container image. # size = "" 
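Review bot: The edit of `mountopt = "nodev,metacopy=on"` to `mountopt = "nodev"` changes runtime behaviour for every overlay user on the system, yet nothing in the hunk records why `metacopy=on` was dropped, while the surrounding additions are all documentation. Without `metacopy=on`, overlayfs copies up the whole file on a metadata-only change (chown/chmod) rather than just the inode metadata, so the trade-off being made here — more copy-up I/O in exchange for not relying on a feature the kernel's overlayfs documentation marks as unsafe with untrusted layers (crafted redirect/metacopy xattrs) — is worth stating next to the key. I would add above it `# metacopy=on is deliberately not set: overlayfs metacopy is documented as unsafe with untrusted layers; chown/chmod of a lower-layer file now copies up the full file.`; presumably this tracks an upstream default, which I cannot confirm from this hunk.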
@@ -158,83 +172,7 @@ mountopt = "nodev,metacopy=on" # future. When "force_mask" is set the original permission mask is stored in # the "user.containers.override_stat" xattr and the "mount_program" option must # be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the -# extended attribute permissions to processes within containers rather then the +# extended attribute permissions to processes within containers rather than the # "force_mask" permissions. # # force_mask = "" - -[storage.options.thinpool] -# Storage Options for thinpool - -# autoextend_percent determines the amount by which pool needs to be -# grown. This is specified in terms of % of pool size. So a value of 20 means -# that when threshold is hit, pool will be grown by 20% of existing -# pool size. -# autoextend_percent = "20" - -# autoextend_threshold determines the pool extension threshold in terms -# of percentage of pool size. For example, if threshold is 60, that means when -# pool is 60% full, threshold has been hit. -# autoextend_threshold = "80" - -# basesize specifies the size to use when creating the base device, which -# limits the size of images and containers. -# basesize = "10G" - -# blocksize specifies a custom blocksize to use for the thin pool. -# blocksize="64k" - -# directlvm_device specifies a custom block storage device to use for the -# thin pool. Required if you setup devicemapper. -# directlvm_device = "" - -# directlvm_device_force wipes device even if device already has a filesystem. -# directlvm_device_force = "True" - -# fs specifies the filesystem type to use for the base device. -# fs="xfs" - -# log_level sets the log level of devicemapper. -# 0: LogLevelSuppress 0 (Default) -# 2: LogLevelFatal -# 3: LogLevelErr -# 4: LogLevelWarn -# 5: LogLevelNotice -# 6: LogLevelInfo -# 7: LogLevelDebug -# log_level = "7" - -# min_free_space specifies the min free space percent in a thin pool require for -# new device creation to succeed. Valid values are from 0% - 99%. 
-# Value 0% disables -# min_free_space = "10%" - -# mkfsarg specifies extra mkfs arguments to be used when creating the base -# device. -# mkfsarg = "" - -# metadata_size is used to set the `pvcreate --metadatasize` options when -# creating thin devices. Default is 128k -# metadata_size = "" - -# Size is used to set a maximum size of the container image. -# size = "" - -# use_deferred_removal marks devicemapper block device for deferred removal. -# If the thinpool is in use when the driver attempts to remove it, the driver -# tells the kernel to remove it as soon as possible. Note this does not free -# up the disk space, use deferred deletion to fully remove the thinpool. -# use_deferred_removal = "True" - -# use_deferred_deletion marks thinpool device for deferred deletion. -# If the device is busy when the driver attempts to delete it, the driver -# will attempt to delete device every 30 seconds until successful. -# If the program using the driver exits, the driver will continue attempting -# to cleanup the next time the driver is used. Deferred deletion permanently -# deletes the device and all data stored in device will be lost. -# use_deferred_deletion = "True" - -# xfs_nospace_max_retries specifies the maximum number of retries XFS should -# attempt to complete IO when ENOSPC (no space) error is returned by -# underlying storage device. -# xfs_nospace_max_retries = "0"