From a3a7402ad061faec42e6477d991041d6a40b331fec56e7ca53859999f2cdfa49 Mon Sep 17 00:00:00 2001
From: Danish Prakash
Date: Mon, 24 Jun 2024 13:13:13 +0000
Subject: [PATCH] Accepting request 1182968 from home:dancermak:branches:devel:microos
update storage.conf & containers.conf to latest versions from upstream
OBS-URL: https://build.opensuse.org/request/show/1182968
OBS-URL: https://build.opensuse.org/package/show/devel:microos/libcontainers-common?expand=0&rev=41
---
 _service | 1 +
 containers.conf | 35 +++++++++-
 libcontainers-common.changes | 14 +++++
 libcontainers-common.spec | 9 ++-
 storage-conf-prio-list.patch | 15 +++++
 storage.conf | 109 +++++++----------------------------
 6 files changed, 87 insertions(+), 96 deletions(-)
 create mode 100644 storage-conf-prio-list.patch
diff --git a/_service b/_service
index 0f24959..6f47977 100644
--- a/_service
+++ b/_service
@@ -1,4 +1,5 @@
+ https://github.com/containers/storage.git git
diff --git a/containers.conf b/containers.conf
index c54e669..c3f7cb6 100644
--- a/containers.conf
+++ b/containers.conf
@@ -350,9 +350,9 @@ default_sysctls = [
 # The firewall driver to be used by netavark.
 # The default is empty which means netavark will pick one accordingly. Current supported
-# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
-# experimental at the moment and not recommend outside of testing). In the future we are
-# planning to add support for a "nftables" driver.
+# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# experimental at the moment and not recommend outside of testing).
+#
 #firewall_driver = ""
@@ -529,6 +529,15 @@ default_sysctls = [
 # with detailed information about the container.
 #events_container_create_inspect_data = false
+# Whenever Podman should log healthcheck events.
+# With many running healthcheck on short interval Podman will spam the event
+# log a lot as it generates a event for each single healthcheck run. Because
+# this event is optional and only useful to external consumers that may want
+# to know when a healthcheck is run or failed allow users to turn it off by
+# setting it to false. The default is true.
+#
+#healthcheck_events = true
+
 # A is a list of directories which are used to search for helper binaries.
 #
 #helper_binaries_dir = [
@@ -544,6 +553,12 @@ default_sysctls = [
 # "/usr/share/containers/oci/hooks.d",
 #]
+# Directories to scan for CDI Spec files.
+ #
+#cdi_spec_dirs = [
+# "/etc/cdi",
+#]
+
 # Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
 # container images. By default image pulled and pushed match the format of the
 # source image. Building/committing defaults to OCI.
@@ -744,9 +759,6 @@ default_sysctls = [
 # A value of 0 is treated as no timeout.
 #volume_plugin_timeout = 5
-# Default timeout in seconds for podmansh logins.
-#podmansh_timeout = 30
-
 # Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
 [engine.runtimes]
 #crun = [
@@ -874,3 +886,14 @@ default_sysctls = [
 #
 # map of existing farms
 #[farms.list]
+
+[podmansh]
+# Shell to spawn in container. Default: /bin/sh.
+#shell = "/bin/sh"
+#
+# Name of the container the podmansh user should join.
+#container = "podmansh"
+#
+# Default timeout in seconds for podmansh logins.
+# Favored over the deprecated "podmansh_timeout" field.
+#timeout = 30
diff --git a/libcontainers-common.changes b/libcontainers-common.changes
index 07a39d6..20a86ed 100644
--- a/libcontainers-common.changes
+++ b/libcontainers-common.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Jun 24 07:46:23 UTC 2024 - Dan Čermák
+
+- update storage.conf & containers.conf to latest versions from upstream
+
+ The only functional changes are in storage.conf:
+ * change storage.options.pull_options.enable_partial_images from false to true
+ * change storage.options.overlay.mount_options from `mountopt =
+ "nodev,metacopy=on"` to `mountopt = "nodev"`
+
+- add download_files service to fetch the latest config on `osc service mr`
+- add storage-conf-prio-list.patch that modifies the upstream storage.conf to
+ add our storage driver priority list
+
 -------------------------------------------------------------------
 Tue Jun 18 06:53:50 UTC 2024 - Danish Prakash
diff --git a/libcontainers-common.spec b/libcontainers-common.spec
index 6434484..84ce10b 100644
--- a/libcontainers-common.spec
+++ b/libcontainers-common.spec
@@ -38,8 +38,7 @@ Source1: storage-%{storagever}.tar.xz
 Source2: LICENSE
 # https://raw.githubusercontent.com/containers/skopeo/main/default-policy.json
 Source3: https://raw.githubusercontent.com/containers/skopeo/v%{skopeover}/default-policy.json#./policy.json
-# https://github.com/containers/storage/blob/main/storage.conf + custom changes
-Source4: storage.conf
+Source4: https://raw.githubusercontent.com/containers/storage/main/storage.conf
 # heavily modified version of https://github.com/containers/common/blob/main/pkg/subscriptions/mounts.conf
 Source5: mounts.conf
 # https://raw.githubusercontent.com/containers/image/main/registries.conf with our own registries inserted
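Review bot: `Source4` now fetches storage.conf from the `main` branch of containers/storage, whereas `Source1` and `Source3` in this hunk (and `Source11` in the next) are pinned to a version macro, so the file the download_files service pulls is not tied to the `%{storagever}` being packaged and a later `osc service mr` can silently replace it with a config describing options that version does not know. If upstream tags follow the `v<version>` scheme the other sources already rely on, `Source4: https://raw.githubusercontent.com/containers/storage/v%{storagever}/storage.conf` keeps the shipped file reproducible and reviewable against the tarball. The removed comment was the only pointer saying the file is upstream plus downstream edits; a one-line comment above the new `Source4`, such as `# upstream storage.conf; downstream additions live in Patch101`, would preserve that.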
@@ -52,6 +51,8 @@ Source10: %{name}.rpmlintrc
 Source11: https://raw.githubusercontent.com/containers/shortnames/v%{shortnamesver}/shortnames.conf
 Source12: openSUSE-policy.json
 Patch100: 0001-containers.conf-SUSE-clear-cni-config-dir-for-ALP.patch
+# Downstream patch to add the commented out storage driver priority list
+Patch101: storage-conf-prio-list.patch
 BuildRequires: go-go-md2man
 Requires(post): %{_bindir}/sed
 # add SLE-specific mounts for only SLES systems
@@ -126,6 +127,8 @@ cp %{SOURCE9} .
 %patch -P100 -p3
 sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %_builddir/containers.conf
 %endif
+cp %{SOURCE4} .
+%patch -P101
 %setup -q -Tcq -b0 -b1 -b8
 # copy the LICENSE file in the build root
@@ -183,7 +186,7 @@ install -d -m 0755 %{buildroot}/%{_datadir}/containers/systemd
 install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.default
 install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json.openSUSE
 install -D -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/containers/mounts.conf
-install -D -m 0644 %{SOURCE4} %{buildroot}/%{_datadir}/containers/storage.conf
+install -D -m 0644 storage.conf %{buildroot}/%{_datadir}/containers/storage.conf
 install -D -m 0644 %{SOURCE11} %{buildroot}/%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
 install -D -m 0644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/containers/registries.d/default.yaml
 install -D -m 0644 %_builddir/containers.conf %{buildroot}/%{_datadir}/containers/containers.conf
diff --git a/storage-conf-prio-list.patch b/storage-conf-prio-list.patch
new file mode 100644
index 0000000..d3ebd15
--- /dev/null
+++ b/storage-conf-prio-list.patch
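Review bot: The new install line refers to `storage.conf` relative to the %install working directory, but the file it is meant to pick up was copied and patched in %prep before `%setup -q -Tcq …` creates and enters a fresh build directory, and the sibling file that goes through the same copy-and-patch flow is installed as `%_builddir/containers.conf`; unless %install changes directory somewhere outside this hunk, the two lines disagree about where the patched file lives. `install -D -m 0644 %_builddir/storage.conf %{buildroot}/%{_datadir}/containers/storage.conf` follows the existing pattern. In the %prep hunk, `%patch -P101` is given no strip level and so depends on patch's own default handling of the bare `storage.conf` name in the patch header; `%patch -P101 -p0` states the intent explicitly, as `-p3` already does for Patch100. The %prep and %install sections continue outside these hunks.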
@@ -0,0 +1,15 @@
+Index: storage.conf
+===================================================================
+--- storage.conf (revision 47301679d738dc753ca159ab9b151da5)
++++ storage.conf (working copy)
+@@ -19,6 +19,10 @@
+ # Temporary storage location
+ runroot = "/run/containers/storage"
+
++# Priority list for the storage drivers that will be tested one
++# after the other to pick the storage driver if it is not defined.
++# driver_priority = ["btrfs", "overlay"]
++
+ # Primary Read/Write location of container storage
+ # When changing the graphroot location on an SELINUX system, you must
+ # ensure the labeling matches the default locations labels with the
diff --git a/storage.conf b/storage.conf
index 89014a6..fc98f3b 100644
--- a/storage.conf
+++ b/storage.conf
@@ -19,10 +19,6 @@ driver = "overlay"
 # Temporary storage location
 runroot = "/run/containers/storage"
-# Priority list for the storage drivers that will be tested one
-# after the other to pick the storage driver if it is not defined.
-# driver_priority = ["btrfs", "overlay"]
-
 # Primary Read/Write location of container storage
 # When changing the graphroot location on an SELINUX system, you must
 # ensure the labeling matches the default locations labels with the
@@ -31,6 +27,10 @@ runroot = "/run/containers/storage"
 # restorecon -R -v /NEWSTORAGEPATH
 graphroot = "/var/lib/containers/storage"
+# Optional alternate location of image store if a location separate from the
+# container store is required. If set, it must be different than graphroot.
+# imagestore = ""
+
 # Storage path for rootless users
 #
@@ -38,6 +38,8 @@ graphroot = "/var/lib/containers/storage"
 # Transient store mode makes all container metadata be saved in temporary storage
 # (i.e. runroot above). This is faster, but doesn't persist across reboots.
+# Additional garbage collection must also be performed at boot-time, so this
+# option should remain disabled in most configurations.
 # transient_store = true
 [storage.options]
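Review bot: The block Patch101 re-adds is a commented-out `driver_priority` whose own text says it is consulted only when the driver is not defined, yet the file it patches sets `driver = "overlay"` a few lines above (visible as the context of the storage.conf hunk that follows), so uncommenting the list as shipped changes nothing until `driver` is also removed or blanked. A reader of the packaged file cannot see that from these three lines; adding `# Only consulted when "driver" above is left unset.` inside the patch would make the downstream addition self-explanatory. The patch header carries an `Index:`/`(revision …)` line from osc and refers to a bare file name, which is what lets `%patch -P101` apply it without a strip level; if the patch is ever regenerated with a directory prefix, that invocation will need a matching `-p`.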
@@ -68,7 +70,12 @@ additionalimagestores = [
 # Tells containers/storage where an ostree repository exists that might have
 # previously pulled content which can be used when attempting to avoid
 # pulling content from the container registry
-pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
+# * convert_images = "false" | "true"
+# If set to true, containers/storage will convert images to a
+# format compatible with partial pulls in order to take advantage
+# of local deduplication and hard linking. It is an expensive
+# operation so it is not enabled by default.
+pull_options = {enable_partial_images = "true", use_hard_links = "false", ostree_repos=""}
 # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
 # a container, to the UIDs/GIDs as they should appear outside of the container,
@@ -77,8 +84,8 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
 # mappings which the kernel will allow when you later attempt to run a
 # container.
 #
-# remap-uids = 0:1668442479:65536
-# remap-gids = 0:1668442479:65536
+# remap-uids = "0:1668442479:65536"
+# remap-gids = "0:1668442479:65536"
 # Remap-User/Group is a user name which can be used to look up one or more UID/GID
 # ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
@@ -86,7 +93,8 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
 # range that matches the specified name, and using the length of that range.
 # Additional ranges are then assigned, using the ranges which specify the
 # lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
-# until all of the entries have been used for maps.
+# until all of the entries have been used for maps. This setting overrides the
+# Remap-UIDs/GIDs setting.
 #
 # remap-user = "containers"
 # remap-group = "containers"
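Review bot: The new comment block describes `convert_images` in the style of a key of the table below, but the `pull_options` table on the next line does not carry that key, and the three keys it does carry (`enable_partial_images`, `use_hard_links`, `ostree_repos`) get no such description, so a reader cannot tell whether `convert_images` is a default, an example, or an omission. Since the file is now pulled in verbatim from upstream, the wording belongs upstream or in Patch101; one line such as `# convert_images is not set below; add it to the table to turn it on.` would close the gap. Flipping `enable_partial_images` to `"true"` is the one behavioural change in this hunk and is recorded only in the .changes entry, which is sufficient but worth remembering when pull-related reports arrive after this lands.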
@@ -102,7 +110,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
 # Auto-userns-min-size is the minimum size for a user namespace created automatically.
 # auto-userns-min-size=1024
 #
-# Auto-userns-max-size is the minimum size for a user namespace created automatically.
+# Auto-userns-max-size is the maximum size for a user namespace created automatically.
 # auto-userns-max-size=65536
 [storage.options.overlay]
@@ -122,11 +130,14 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
 #mount_program = "/usr/bin/fuse-overlayfs"
 # mountopt specifies comma separated list of extra mount options
-mountopt = "nodev,metacopy=on"
+mountopt = "nodev"
 # Set to skip a PRIVATE bind mount on the storage home directory.
 # skip_mount_home = "false"
+# Set to use composefs to mount data layers with overlay.
+# use_composefs = "false"
+
 # Size is used to set a maximum size of the container image.
 # size = ""
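Review bot: Dropping `metacopy=on` from `mountopt` changes the overlay mount options for every host that takes the packaged default, including hosts whose existing layers were written while metacopy was enabled; whether files that were metacopy'd under the old option are still served correctly once it is off is not something this hunk can show, and it deserves a test on an upgraded system before the default reaches users. If it turns out to matter, the .changes entry should tell admins how to keep `mountopt = "nodev,metacopy=on"` in /etc/containers/storage.conf for an existing store. From a hardening standpoint the new default is the safer one, since the overlayfs kernel documentation cautions against metacopy with untrusted upper/lower layers, so the point here is migration rather than the value itself.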
@@ -158,83 +169,7 @@ mountopt = "nodev,metacopy=on"
 # future. When "force_mask" is set the original permission mask is stored in
 # the "user.containers.override_stat" xattr and the "mount_program" option must
 # be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
-# extended attribute permissions to processes within containers rather then the
+# extended attribute permissions to processes within containers rather than the
 # "force_mask" permissions.
 #
 # force_mask = ""
-
-[storage.options.thinpool]
-# Storage Options for thinpool
-
-# autoextend_percent determines the amount by which pool needs to be
-# grown. This is specified in terms of % of pool size. So a value of 20 means
-# that when threshold is hit, pool will be grown by 20% of existing
-# pool size.
-# autoextend_percent = "20"
-
-# autoextend_threshold determines the pool extension threshold in terms
-# of percentage of pool size. For example, if threshold is 60, that means when
-# pool is 60% full, threshold has been hit.
-# autoextend_threshold = "80"
-
-# basesize specifies the size to use when creating the base device, which
-# limits the size of images and containers.
-# basesize = "10G"
-
-# blocksize specifies a custom blocksize to use for the thin pool.
-# blocksize="64k"
-
-# directlvm_device specifies a custom block storage device to use for the
-# thin pool. Required if you setup devicemapper.
-# directlvm_device = ""
-
-# directlvm_device_force wipes device even if device already has a filesystem.
-# directlvm_device_force = "True"
-
-# fs specifies the filesystem type to use for the base device.
-# fs="xfs"
-
-# log_level sets the log level of devicemapper.
-# 0: LogLevelSuppress 0 (Default)
-# 2: LogLevelFatal
-# 3: LogLevelErr
-# 4: LogLevelWarn
-# 5: LogLevelNotice
-# 6: LogLevelInfo
-# 7: LogLevelDebug
-# log_level = "7"
-
-# min_free_space specifies the min free space percent in a thin pool require for
-# new device creation to succeed. Valid values are from 0% - 99%.
-# Value 0% disables
-# min_free_space = "10%"
-
-# mkfsarg specifies extra mkfs arguments to be used when creating the base
-# device.
-# mkfsarg = ""
-
-# metadata_size is used to set the `pvcreate --metadatasize` options when
-# creating thin devices. Default is 128k
-# metadata_size = ""
-
-# Size is used to set a maximum size of the container image.
-# size = ""
-
-# use_deferred_removal marks devicemapper block device for deferred removal.
-# If the thinpool is in use when the driver attempts to remove it, the driver
-# tells the kernel to remove it as soon as possible. Note this does not free
-# up the disk space, use deferred deletion to fully remove the thinpool.
-# use_deferred_removal = "True"
-
-# use_deferred_deletion marks thinpool device for deferred deletion.
-# If the device is busy when the driver attempts to delete it, the driver
-# will attempt to delete device every 30 seconds until successful.
-# If the program using the driver exits, the driver will continue attempting
-# to cleanup the next time the driver is used. Deferred deletion permanently
-# deletes the device and all data stored in device will be lost.
-# use_deferred_deletion = "True"
-
-# xfs_nospace_max_retries specifies the maximum number of retries XFS should
-# attempt to complete IO when ENOSPC (no space) error is returned by
-# underlying storage device.
-# xfs_nospace_max_retries = "0"