pool/libcontainers-common
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1090901 from home:danishprakash:branches:devel:microos

Browse Source 
Enforce BCI verification via Podman on openSUSE distributions
using the already shipped container signing keys.
(bsc#1197030)

OBS-URL: https://build.opensuse.org/request/show/1090901
OBS-URL: https://build.opensuse.org/package/show/devel:microos/libcontainers-common?expand=0&rev=21
This commit is contained in:
Dan Čermák 2023-06-05 14:24:44 +00:00 committed by Git OBS Bridge
parent 6062540fd8
commit 1523b23770
3 changed files with 60 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libcontainers-common.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jun 5 12:04:33 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
- Enforce BCI verification via Podman on openSUSE distributions
using the already shipped container signing keys.
(bsc#1197030)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 16 12:51:34 UTC 2023 - Danish Prakash <danish.prakash@suse.com> Tue May 16 12:51:34 UTC 2023 - Danish Prakash <danish.prakash@suse.com>

34
libcontainers-common.spec
View File

@ -51,11 +51,14 @@ Source8: common-%{commonver}.tar.xz
Source9: containers.conf Source9: containers.conf
Source10: %{name}.rpmlintrc Source10: %{name}.rpmlintrc
Source11: https://raw.githubusercontent.com/containers/shortnames/v%{shortnamesver}/shortnames.conf Source11: https://raw.githubusercontent.com/containers/shortnames/v%{shortnamesver}/shortnames.conf
Source12: openSUSE-policy.json
BuildRequires: go-go-md2man BuildRequires: go-go-md2man
Requires(post): %{_bindir}/grep Requires(post): %{_bindir}/grep
Requires(post): %{_bindir}/sed Requires(post): %{_bindir}/sed
# add SLE-specific mounts for only SLES systems # add SLE-specific mounts for only SLES systems
Requires: (libcontainers-sles-mounts if sles-release) Requires: (libcontainers-sles-mounts if sles-release)
Requires: (libcontainers-openSUSE-policy if openSUSE-release)
Requires: (libcontainers-default-policy if sles-release)
Provides: libcontainers-image = %{version} Provides: libcontainers-image = %{version}
Provides: libcontainers-storage = %{version} Provides: libcontainers-storage = %{version}
Obsoletes: libcontainers-image < %{version} Obsoletes: libcontainers-image < %{version}
@ -72,6 +75,24 @@ Summary: Default mounts for SLE distributions
%description -n libcontainers-sles-mounts %description -n libcontainers-sles-mounts
Updates /etc/containers/mounts.conf with default mounts for SLE distributions Updates /etc/containers/mounts.conf with default mounts for SLE distributions
%package -n libcontainers-openSUSE-policy
Summary: Enforce image verification for BCI
RemovePathPostfixes: .openSUSE
Conflicts: libcontainers-default-policy
%description -n libcontainers-openSUSE-policy
Updates /etc/containers/policy.json with configuration that enforces image verification for SLE BCI
%package -n libcontainers-default-policy
Summary: Disable image verification for BCI
RemovePathPostfixes: .default
Conflicts: libcontainers-openSUSE-policy
%description -n libcontainers-default-policy
Disables image verification for BCI
%prep %prep
%setup -q -Tcq -b0 -b1 -b8 %setup -q -Tcq -b0 -b1 -b8
# copy the LICENSE file in the build root # copy the LICENSE file in the build root
@ -124,7 +145,8 @@ install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/registries.conf.d
install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/systemd install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/systemd
install -d -m 0755 %{buildroot}/%{_datadir}/containers/systemd install -d -m 0755 %{buildroot}/%{_datadir}/containers/systemd
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.default
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.openSUSE
install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/containers/storage.conf install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/containers/storage.conf
install -D -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/containers/mounts.conf install -D -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/containers/mounts.conf
install -D -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/containers/mounts.conf install -D -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/containers/mounts.conf
@ -146,6 +168,9 @@ install -D -m 0644 common-%{commonver}/pkg/hooks/docs/oci-hooks.5 %{buildroot}/%
install -D -m 0644 common-%{commonver}/docs/containers-mounts.conf.5 %{buildroot}/%{_mandir}/man5/ install -D -m 0644 common-%{commonver}/docs/containers-mounts.conf.5 %{buildroot}/%{_mandir}/man5/
install -D -m 0644 common-%{commonver}/docs/containers.conf.5 %{buildroot}/%{_mandir}/man5/ install -D -m 0644 common-%{commonver}/docs/containers.conf.5 %{buildroot}/%{_mandir}/man5/
install -D -m 0644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/containers/policy.json.openSUSE
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.default
%post %post
# Comment out ostree_repo if it's blank [boo#1189893] # Comment out ostree_repo if it's blank [boo#1189893]
sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/storage.conf sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/storage.conf
@ -162,7 +187,6 @@ sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/stora
%dir %{_datadir}/containers/oci/hooks.d %dir %{_datadir}/containers/oci/hooks.d
%dir %{_datadir}/containers/systemd %dir %{_datadir}/containers/systemd
%config(noreplace) %{_sysconfdir}/containers/policy.json
%config(noreplace) %{_sysconfdir}/containers/storage.conf %config(noreplace) %{_sysconfdir}/containers/storage.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf %config(noreplace) %{_sysconfdir}/containers/registries.conf
%config(noreplace) %{_sysconfdir}/containers/seccomp.json %config(noreplace) %{_sysconfdir}/containers/seccomp.json
@ -179,4 +203,10 @@ sed -i 's/ostree_repo = ""/\#ostree_repo = ""/g' %{_sysconfdir}/containers/stora
%config(noreplace) %{_sysconfdir}/containers/mounts.conf %config(noreplace) %{_sysconfdir}/containers/mounts.conf
%{_datadir}/containers/mounts.conf %{_datadir}/containers/mounts.conf
%files -n libcontainers-openSUSE-policy
%config(noreplace) %{_sysconfdir}/containers/policy.json.openSUSE
%files -n libcontainers-default-policy
%config(noreplace) %{_sysconfdir}/containers/policy.json.default
%changelog %changelog

21
openSUSE-policy.json Normal file
View File

@ -0,0 +1,21 @@
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker-daemon": {
"": [{"type":"insecureAcceptAnything"}]
},
"docker": {
"registry.suse.com/bci": [{
"type": "sigstoreSigned",
"keyPath": "/usr/share/pki/containers/suse-container-key.pem",
"signedIdentity": {
"type": "matchRepository"
}
}]
}
}
}