diff --git a/containers.conf b/containers.conf index 710288b..16b57fe 100644 --- a/containers.conf +++ b/containers.conf @@ -16,36 +16,29 @@ [containers] -# List of devices. Specified as -# "::", for example: -# "/dev/sdc:/dev/xvdc:rwm". -# If it is empty or commented out, only the default devices will be used +# List of annotation. Specified as +# "key = value" +# If it is empty or commented out, no annotations will be added # -# devices = [] - -# List of volumes. Specified as -# "::", for example: -# "/db:/var/lib/db:ro". -# If it is empty or commented out, no volumes will be added -# -# volumes = [] +#annotations = [] # Used to change the name of the default AppArmor profile of container engine. # -# apparmor_profile = "container-default" +#apparmor_profile = "container-default" -# List of annotation. Specified as -# "key=value" -# If it is empty or commented out, no annotations will be added +# The hosts entries from the base hosts file are added to the containers hosts +# file. This must be either an absolute path or as special values "image" which +# uses the hosts file from the container image or "none" which means +# no base hosts file is used. The default is "" which will use /etc/hosts. # -# annotations = [] +#base_hosts_file = "" # Default way to to create a cgroup namespace for the container # Options are: # `private` Create private Cgroup Namespace for the container. # `host` Share host Cgroup Namespace with the container. # -# cgroupns = "private" +#cgroupns = "private" # Control container cgroup configuration # Determines whether the container will create CGroups. 
@@ -54,34 +47,32 @@ # `disabled` Disable cgroup support, will inherit cgroups from parent # `no-conmon` Do not create a cgroup dedicated to conmon. # -# cgroups = "enabled" +#cgroups = "enabled" # List of default capabilities for containers. If it is empty or commented out, # the default capabilities defined in the container engine will be added. # -# default_capabilities = [ -# "AUDIT_WRITE", -# "CHOWN", -# "DAC_OVERRIDE", -# "FOWNER", -# "FSETID", -# "KILL", -# "MKNOD", -# "NET_BIND_SERVICE", -# "NET_RAW", -# "SETGID", -# "SETPCAP", -# "SETUID", -# "SYS_CHROOT", -# ] +default_capabilities = [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "FSETID", + "KILL", + "NET_BIND_SERVICE", + "SETFCAP", + "SETGID", + "SETPCAP", + "SETUID", + "SYS_CHROOT" +] # A list of sysctls to be set in containers by default, # specified as "name=value", -# for example:"net.ipv4.ping_group_range = 0 0". +# for example:"net.ipv4.ping_group_range=0 0". # -#default_sysctls = [ -# "net.ipv4.ping_group_range=0 0", -#] +default_sysctls = [ + "net.ipv4.ping_group_range=0 0", +] # A list of ulimits to be set in containers by default, specified as # "=:", for example: @@ -91,17 +82,24 @@ # container engine. # Ulimits has limits for non privileged container engines. # -# default_ulimits = [ +#default_ulimits = [ # "nofile=1280:2560", -# ] +#] + +# List of devices. Specified as +# "::", for example: +# "/dev/sdc:/dev/xvdc:rwm". +# If it is empty or commented out, only the default devices will be used +# +#devices = [] # List of default DNS options to be added to /etc/resolv.conf inside of the container. # -# dns_options = [] +#dns_options = [] # List of default DNS search domains to be added to /etc/resolv.conf inside of the container. # -# dns_searches = [] +#dns_searches = [] # Set default DNS servers. # This option can be used to override the DNS configuration passed to the 
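Review bot: `default_capabilities = [` and `default_sysctls = [` are now active keys while every neighbouring setting stays a commented example, so this file overrides the engine's builtin capability set, yet the comment above the array still reads as a description of the engine default rather than of a list this package enforces. Compared with the old example the pinned set drops AUDIT_WRITE, MKNOD and NET_RAW and adds SETFCAP; that is a hardening change and worth stating explicitly, since a later engine default change will no longer reach installed systems. I would add `# Set explicitly by this package; NET_RAW, MKNOD and AUDIT_WRITE are intentionally not granted by default.` above the array, or keep the key commented if the intent was only to refresh the example. The `[containers]` table continues beyond the hunk on both sides.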
@@ -109,19 +107,29 @@ # /etc/resolv.conf in the container. # The /etc/resolv.conf file in the image will be used without changes. # -# dns_servers = [] +#dns_servers = [] # Environment variable list for the conmon process; used for passing necessary # environment variables to conmon or the runtime. # -# env = [ -# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", -# "TERM=xterm", -# ] +#env = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +# "TERM=xterm", +#] # Pass all host environment variables into the container. # -# env_host = false +#env_host = false + +# Set the ip for the host.containers.internal entry in the containers /etc/hosts +# file. This can be set to "none" to disable adding this entry. By default it +# will automatically choose the host ip. +# +# NOTE: When using podman machine this entry will never be added to the containers +# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore +# it is not possible to disable the entry in this case. +# +#host_containers_internal_ip = "" # Default proxy environment variables passed into the container. # The environment variables passed in include: 
@@ -130,43 +138,52 @@ # should not use proxy. Proxy environment variables specified for the container # in any other way will override the values passed from the host. # -# http_proxy = true +#http_proxy = true # Run an init inside the container that forwards signals and reaps processes. # -# init = false +#init = false -# Container init binary, if init=true, this is the init binary to be used for containers. +# Container init binary, if init=true, this is the init binary to be used for containers. # init_path = "/usr/bin/catatonit" # Default way to to create an IPC namespace (POSIX SysV IPC) for the container # Options are: -# `private` Create private IPC Namespace for the container. -# `host` Share host IPC Namespace with the container. +# "host" Share host IPC Namespace with the container. +# "none" Create shareable IPC Namespace for the container without a private /dev/shm. +# "private" Create private IPC Namespace for the container, other containers are not allowed to share it. +# "shareable" Create shareable IPC Namespace for the container. # -# ipcns = "private" +#ipcns = "shareable" # keyring tells the container engine whether to create # a kernel keyring for use within the container. -# keyring = true +# +#keyring = true # label tells the container engine whether to use container separation using # MAC(SELinux) labeling or not. # The label flag is ignored on label disabled systems. # -# label = true +#label = true # Logging driver for the container. Available options: k8s-file and journald. # -# log_driver = "k8s-file" +log_driver = "journald" # Maximum size allowed for the container log file. Negative numbers indicate # that no size limit is imposed. If positive, it must be >= 8192 to match or # exceed conmon's read buffer. The file is truncated and re-opened so the # limit is never exceeded. # -# log_size_max = -1 +#log_size_max = -1 + +# Specifies default format tag for container log messages. 
+# This is useful for creating a specific tag for container log messages. +# Containers logs default to truncated container ID as a tag. +# +#log_tag = "" # Default way to to create a Network namespace for the container # Options are: 
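Review bot: `log_driver = "journald"` becomes an active setting in this hunk while the comment above it is still the generic option list, so a reader cannot tell that the distribution deliberately pins journald instead of the engine's k8s-file default shown on the removed line. I would put `# Set explicitly: this distribution uses journald rather than the engine default k8s-file.` above it. The same hunk changes the documented `ipcns` default from "private" to "shareable", which lets another container join this container's IPC namespace; presumably this tracks upstream, but it widens default namespace sharing and deserves a mention in the changelog. The `[containers]` table continues outside the hunk.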
@@ -174,112 +191,186 @@ init_path = "/usr/bin/catatonit" # `host` Share host Network Namespace with the container. # `none` Containers do not use the network # -# netns = "private" +#netns = "private" # Create /etc/hosts for the container. By default, container engine manage # /etc/hosts, automatically adding the container's own IP address. # -# no_hosts = false - -# Maximum number of processes allowed in a container. -# -# pids_limit = 2048 +#no_hosts = false # Default way to to create a PID namespace for the container # Options are: # `private` Create private PID Namespace for the container. # `host` Share host PID Namespace with the container. # -# pidns = "private" +#pidns = "private" + +# Maximum number of processes allowed in a container. +# +#pids_limit = 2048 + +# Copy the content from the underlying image into the newly created volume +# when the container is created instead of when it is started. If false, +# the container engine will not copy the content until the container is started. +# Setting it to true may have negative performance implications. +# +#prepare_volume_on_create = false # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. # -# seccomp_profile = "/usr/share/containers/seccomp.json" +#seccomp_profile = "/usr/share/containers/seccomp.json" # Size of /dev/shm. Specified as . # Unit is optional, values: # b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). # If the unit is omitted, the system uses bytes. # -# shm_size = "65536k" +#shm_size = "65536k" # Set timezone in container. Takes IANA timezones as well as "local", # which sets the timezone in the container to match the host machine. # -# tz = "" +#tz = "" # Set umask inside the container # -# umask="0022" - -# Default way to to create a UTS namespace for the container -# Options are: -# `private` Create private UTS Namespace for the container. -# `host` Share host UTS Namespace with the container. 
-# -# utsns = "private" +#umask = "0022" # Default way to to create a User namespace for the container # Options are: # `auto` Create unique User Namespace for the container. # `host` Share host User Namespace with the container. # -# userns = "host" +#userns = "host" # Number of UIDs to allocate for the automatic container creation. # UIDs are allocated from the "container" UIDs listed in # /etc/subuid & /etc/subgid # -# userns_size=65536 +#userns_size = 65536 -# The network table contains settings pertaining to the management of -# CNI plugins. +# Default way to to create a UTS namespace for the container +# Options are: +# `private` Create private UTS Namespace for the container. +# `host` Share host UTS Namespace with the container. +# +#utsns = "private" + +# List of volumes. Specified as +# "::", for example: +# "/db:/var/lib/db:ro". +# If it is empty or commented out, no volumes will be added +# +#volumes = [] + +[secrets] +#driver = "file" + +[secrets.opts] +#root = "/example/directory" [network] +# Network backend determines what network driver will be used to set up and tear down container networks. +# Valid values are "cni" and "netavark". +# The default value is empty which means that it will automatically choose CNI or netavark. If there are +# already containers/images or CNI networks preset it will choose CNI. +# +# Before changing this value all containers must be stopped otherwise it is likely that +# iptables rules and network interfaces might leak on the host. A reboot will fix this. +# +#network_backend = "" + # Path to directory where CNI plugin binaries are located. # -cni_plugin_dirs = ["@LIBEXECDIR@/cni"] +cni_plugin_dirs = ["@LIBEXECDIR]/cni"] -# Path to the directory where CNI configuration files are located. +# The network name of the default network to attach pods to. # -# network_config_dir = "/etc/cni/net.d/" +#default_network = "podman" + +# The default subnet for the default network given in default_network. 
+# If a network with that name does not exist, a new network using that name and +# this subnet will be created. +# Must be a valid IPv4 CIDR prefix. +# +#default_subnet = "10.88.0.0/16" + +# DefaultSubnetPools is a list of subnets and size which are used to +# allocate subnets automatically for podman network create. +# It will iterate through the list and will pick the first free subnet +# with the given size. This is only used for ipv4 subnets, ipv6 subnets +# are always assigned randomly. +# +#default_subnet_pools = [ +# {"base" = "10.89.0.0/16", "size" = 24}, +# {"base" = "10.90.0.0/15", "size" = 24}, +# {"base" = "10.92.0.0/14", "size" = 24}, +# {"base" = "10.96.0.0/11", "size" = 24}, +# {"base" = "10.128.0.0/9", "size" = 24}, +#] + +# Path to the directory where network configuration files are located. +# For the CNI backend the default is "/etc/cni/net.d" as root +# and "$HOME/.config/cni/net.d" as rootless. +# For the netavark backend "/etc/containers/networks" is used as root +# and "$graphroot/networks" as rootless. +# +#network_config_dir = "/etc/cni/net.d/" + +# Port to use for dns forwarding daemon with netavark in rootful bridge +# mode and dns enabled. +# Using an alternate port might be useful if other dns services should +# run on the machine. +# +#dns_bind_port = 53 [engine] -# ImageBuildFormat indicates the default image format to building -# container images. Valid values are "oci" (default) or "docker". -# image_build_format = "oci" +# Index to the active service +# +#active_service = production + +# The compression format to use when pushing an image. +# Valid options are: `gzip`, `zstd` and `zstd:chunked`. +# +#compression_format = "gzip" + # Cgroup management implementation used for the runtime. 
# Valid options "systemd" or "cgroupfs" # -# cgroup_manager = "systemd" +#cgroup_manager = "systemd" # Environment variables to pass into conmon # -# conmon_env_vars = [ -# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -# ] +#conmon_env_vars = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +#] # Paths to look for the conmon container manager binary # -# conmon_path = [ -# "/usr/libexec/podman/conmon", -# "/usr/local/libexec/podman/conmon", -# "/usr/local/lib/podman/conmon", -# "/usr/bin/conmon", -# "/usr/sbin/conmon", -# "/usr/local/bin/conmon", -# "/usr/local/sbin/conmon" -# ] +#conmon_path = [ +# "/usr/libexec/podman/conmon", +# "/usr/local/libexec/podman/conmon", +# "/usr/local/lib/podman/conmon", +# "/usr/bin/conmon", +# "/usr/sbin/conmon", +# "/usr/local/bin/conmon", +# "/usr/local/sbin/conmon" +#] + +# Enforces using docker.io for completing short names in Podman's compatibility +# REST API. Note that this will ignore unqualified-search-registries and +# short-name aliases defined in containers-registries.conf(5). +#compat_api_enforce_docker_hub = true # Specify the keys sequence used to detach a container. # Format is a single character [a-Z] or a comma separated sequence of # `ctrl-`, where `` is one of: # `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_` # -# detach_keys = "ctrl-p,ctrl-q" +#detach_keys = "ctrl-p,ctrl-q" # Determines whether engine will reserve ports on the host when they are # forwarded to containers. When enabled, when ports are forwarded to containers, 
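Review bot: `cni_plugin_dirs = ["@LIBEXECDIR]/cni"]` corrupts the build-time placeholder: the spec substitutes it with `sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g'`, which no longer matches, so the installed file will carry the literal directory `@LIBEXECDIR]/cni` and CNI plugin lookup in that directory will fail. This is also the only active key in `[network]`, so nothing masks the breakage. Restore the line as `cni_plugin_dirs = ["@LIBEXECDIR@/cni"]`. The `[network]` and `[engine]` tables continue past the hunk.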
@@ -288,53 +379,98 @@ cni_plugin_dirs = ["@LIBEXECDIR@/cni"] # significant memory usage if a container has many ports forwarded to it. # Disabling this can save memory. # -# enable_port_reservation = true +#enable_port_reservation = true # Environment variables to be used when running the container engine (e.g., Podman, Buildah). # For example "http_proxy=internal.proxy.company.com". # Note these environment variables will not be used within the container. # Set the env section under [containers] table, if you want to set environment variables for the container. -# env = [] +# +#env = [] + +# Define where event logs will be stored, when events_logger is "file". +#events_logfile_path="" + +# Sets the maximum size for events_logfile_path. +# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# The format for the size is ``, e.g., `1b` or `3g`. +# If no unit is included then the size will be read in bytes. +# When the limit is exceeded, the logfile will be rotated and the old one will be deleted. +# If the maximum size is set to 0, then no limit will be applied, +# and the logfile will not be rotated. +#events_logfile_max_size = "1m" # Selects which logging mechanism to use for container engine events. # Valid values are `journald`, `file` and `none`. # -# events_logger = "journald" +#events_logger = "journald" + +# A is a list of directories which are used to search for helper binaries. +# +#helper_binaries_dir = [ +# "/usr/local/libexec/podman", +# "/usr/local/lib/podman", +# "/usr/libexec/podman", +# "/usr/lib/podman", +#] # Path to OCI hooks directories for automatically executed hooks. # -# hooks_dir = [ -# "/usr/share/containers/oci/hooks.d", -# ] +#hooks_dir = [ +# "/usr/share/containers/oci/hooks.d", +#] + +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/committing defaults to OCI. 
+# +#image_default_format = "" # Default transport method for pulling and pushing for images # -# image_default_transport = "docker://" +#image_default_transport = "docker://" + +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# +#image_parallel_copies = 0 + +# Tells container engines how to handle the builtin image volumes. +# * bind: An anonymous named volume will be created and mounted +# into the container. +# * tmpfs: The volume is mounted onto the container as a tmpfs, +# which allows users to create content that disappears when +# the container is stopped. +# * ignore: All volumes are just ignored and no action is taken. +# +#image_volume_mode = "" # Default command to run the infra container # -# infra_command = "/pause" +#infra_command = "/pause" # Infra (pause) container image name for pod infra containers. When running a # pod, we start a `pause` process in a container to hold open the namespaces # associated with the pod. This container does nothing other then sleep, -# reserving the pods resources for the lifetime of the pod. +# reserving the pods resources for the lifetime of the pod. By default container +# engines run a builtin container using the pause executable. If you want override +# specify an image to pull. # -# infra_image = "k8s.gcr.io/pause:3.2" +#infra_image = "" # Specify the locking mechanism to use; valid values are "shm" and "file". # Change the default only if you are sure of what you are doing, in general # "file" is useful only on platforms where cgo is not available for using the -# faster "shm" lock type. You may need to run "podman system renumber" after +# faster "shm" lock type. You may need to run "podman system renumber" after # you change the lock type. 
# -# lock_type** = "shm" +#lock_type** = "shm" # MultiImageArchive - if true, the container engine allows for storing archives # (e.g., of the docker-archive transport) with multiple images. By default, # Podman creates single-image archives. # -# multi_image_archive = "false" +#multi_image_archive = "false" # Default engine namespace # If engine is joined to a namespace, it will see only containers and pods 
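Review bot: `+#lock_type** = "shm"` carries the stray `**` into the new file; the example key becomes `lock_type**`, which is not the option name and would not parse as a bare TOML key if a user uncommented it. Change it to `#lock_type = "shm"`. Two style points in the same hunk: `#events_logfile_path=""` omits the spaces around `=` that the rest of the file now uses, and `#compat_api_enforce_docker_hub = true` lacks the blank `#` line that separates every other description from its key. The `[engine]` table continues past the hunk on both sides.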
@@ -343,127 +479,210 @@ cni_plugin_dirs = ["@LIBEXECDIR@/cni"] # The default namespace is "", which corresponds to no namespace. When no # namespace is set, all containers and pods are visible. # -# namespace = "" +#namespace = "" # Path to the slirp4netns binary # -# network_cmd_path="" +#network_cmd_path = "" # Default options to pass to the slirp4netns binary. -# For example "allow_host_loopback=true" +# Valid options values are: # -# network_cmd_options=[] +# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). +# Default is false. +# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`). +# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`). +# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`). +# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only). +# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to. +# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only). +# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to. +# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. +# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container +# network namespace, usually `10.0.2.100`. If your application requires the real source IP address, +# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for +# rootless containers when connected to user-defined networks. +# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but +# preserves the correct source IP address. This port handler cannot be used for user-defined networks. 
+# +#network_cmd_options = [] # Whether to use chroot instead of pivot_root in the runtime # -# no_pivot_root = false +#no_pivot_root = false # Number of locks available for containers and pods. # If this is changed, a lock renumber must be performed (e.g. with the # 'podman system renumber' command). # -# num_locks = 2048 +#num_locks = 2048 + +# Set the exit policy of the pod when the last container exits. +#pod_exit_policy = "continue" # Whether to pull new image before running a container -# pull_policy = "missing" +# +#pull_policy = "missing" # Indicates whether the application should be running in remote mode. This flag modifies the # --remote option on container engines. Setting the flag to true will default # `podman --remote=true` for access to the remote Podman service. -# remote = false +# +#remote = false + +# Default OCI runtime +# +#runtime = "crun" + +# List of the OCI runtimes that support --format=json. When json is supported +# engine will use it for reporting nicer errors. +# +#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"] + +# List of the OCI runtimes that supports running containers with KVM Separation. +# +#runtime_supports_kvm = ["kata", "krun"] + +# List of the OCI runtimes that supports running containers without cgroups. +# +#runtime_supports_nocgroups = ["crun", "krun"] + +# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment +# variable. If you specify "storage", then the location of the +# container/storage tmp directory will be used. 
+# image_copy_tmp_dir="/var/tmp" + +# Number of seconds to wait without a connection +# before the `podman system service` times out and exits +# +#service_timeout = 5 # Directory for persistent engine files (database, etc) # By default, this will be configured relative to where the containers/storage # stores containers # Uncomment to change location from this default # -# static_dir = "/var/lib/containers/storage/libpod" +#static_dir = "/var/lib/containers/storage/libpod" + +# Number of seconds to wait for container to exit before sending kill signal. +# +#stop_timeout = 10 + +# Number of seconds to wait before exit command in API process is given to. +# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds). +# +#exit_command_delay = 300 + +# map of service destinations +# +#[service_destinations] +# [service_destinations.production] +# URI to access the Podman service +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootful "unix://run/podman/podman.sock (Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock +# +# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# Path to file containing ssh identity key +# identity = "~/.ssh/id_rsa" # Directory for temporary files. Must be tmpfs (wiped after reboot) # -# tmp_dir = "/var/run/libpod" +#tmp_dir = "/run/libpod" # Directory for libpod named volumes. # By default, this will be configured relative to where containers/storage # stores containers. # Uncomment to change location from this default. # -# volume_path = "/var/lib/containers/storage/volumes" +#volume_path = "/var/lib/containers/storage/volumes" -# Default OCI runtime -# -# runtime = "runc" - -# List of the OCI runtimes that support --format=json. When json is supported -# engine will use it for reporting nicer errors. 
-# -# runtime_supports_json = ["crun", "runc", "kata"] - -# List of the OCI runtimes that supports running containers without cgroups. -# -# runtime_supports_nocgroups = ["crun"] - -# List of the OCI runtimes that supports running containers with KVM Separation. -# -# runtime_supports_kvm = ["kata"] - -# Number of seconds to wait for container to exit before sending kill signal. -# stop_timeout = 10 - -# Index to the active service -# active_service = production - -# map of service destinations -# [service_destinations] -# [service_destinations.production] -# URI to access the Podman service -# Examples: -# rootless "unix://run/user/$UID/podman/podman.sock" (Default) -# rootfull "unix://run/podman/podman.sock (Default) -# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock -# remote rootfull ssh://root@10.10.1.136:22/run/podman/podman.sock -# uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock" -# Path to file containing ssh identity key -# identity = "~/.ssh/id_rsa" - -# Paths to look for a valid OCI runtime (crun, runc, kata, etc) +# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) [engine.runtimes] -# runc = [ -# "/usr/bin/runc", -# "/usr/sbin/runc", -# "/usr/local/bin/runc", -# "/usr/local/sbin/runc", -# "/sbin/runc", -# "/bin/runc", -# "/usr/lib/cri-o-runc/sbin/runc", -# ] +#crun = [ +# "/usr/bin/crun", +# "/usr/sbin/crun", +# "/usr/local/bin/crun", +# "/usr/local/sbin/crun", +# "/sbin/crun", +# "/bin/crun", +# "/run/current-system/sw/bin/crun", +#] -# crun = [ -# "/usr/bin/crun", -# "/usr/sbin/crun", -# "/usr/local/bin/crun", -# "/usr/local/sbin/crun", -# "/sbin/crun", -# "/bin/crun", -# "/run/current-system/sw/bin/crun", -# ] +#kata = [ +# "/usr/bin/kata-runtime", +# "/usr/sbin/kata-runtime", +# "/usr/local/bin/kata-runtime", +# "/usr/local/sbin/kata-runtime", +# "/sbin/kata-runtime", +# "/bin/kata-runtime", +# "/usr/bin/kata-qemu", +# "/usr/bin/kata-fc", +#] -# kata = [ -# 
"/usr/bin/kata-runtime", -# "/usr/sbin/kata-runtime", -# "/usr/local/bin/kata-runtime", -# "/usr/local/sbin/kata-runtime", -# "/sbin/kata-runtime", -# "/bin/kata-runtime", -# "/usr/bin/kata-qemu", -# "/usr/bin/kata-fc", -# ] +#runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +#] + +#runsc = [ +# "/usr/bin/runsc", +# "/usr/sbin/runsc", +# "/usr/local/bin/runsc", +# "/usr/local/sbin/runsc", +# "/bin/runsc", +# "/sbin/runsc", +# "/run/current-system/sw/bin/runsc", +#] + +#krun = [ +# "/usr/bin/krun", +# "/usr/local/bin/krun", +#] [engine.volume_plugins] -# testplugin = "/run/podman/plugins/test.sock" +#testplugin = "/run/podman/plugins/test.sock" -# The [engine.volume_plugins] table MUST be the last entry in this file. +[machine] +# Number of CPU's a machine is created with. +# +#cpus=1 + +# The size of the disk in GB created when init-ing a podman-machine VM. +# +#disk_size=10 + +# The image used when creating a podman-machine VM. +# +#image = "testing" + +# Memory in MB a machine is created with. +# +#memory=2048 + +# The username to use and create on the podman machine OS for rootless +# container access. +# +#user = "core" + +# Host directories to be mounted as volumes into the VM by default. +# Environment variables like $HOME as well as complete paths are supported for +# the source and destination. An optional third field `:ro` can be used to +# tell the container engines to mount the volume readonly. +# +# volumes = [ +# "$HOME:$HOME", +#] + +# The [machine] table MUST be the last entry in this file. # (Unless another table is added) # TOML does not provide a way to end a table other than a further table being -# defined, so every key hereafter will be part of [volume_plugins] and not the +# defined, so every key hereafter will be part of [machine] and not the # main config. 
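Review bot: `# rootful "unix://run/podman/podman.sock (Default)` in the `[service_destinations]` example is missing its closing quote, and since this commit already rewrites the line (`rootfull` became `rootful`) it is the place to fix it: `# rootful "unix://run/podman/podman.sock" (Default)`. The new `[machine]` table and `# image_copy_tmp_dir="/var/tmp"` are also inconsistent with the `#key = value` form used everywhere else: `#cpus=1`, `#disk_size=10` and `#memory=2048` drop the spaces around `=`, and `image_copy_tmp_dir` uses `# key=` while its sibling `# volumes = [` uses yet another spacing. The hunk moves the "MUST be the last entry in this file" warning onto `[machine]`, so any table added later has to go before it rather than be appended; this hunk is the end of the containers.conf diff.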
diff --git a/libcontainers-common.changes b/libcontainers-common.changes index 155db66..63cae2a 100644 --- a/libcontainers-common.changes +++ b/libcontainers-common.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Aug 3 13:19:58 UTC 2022 - Frederic Crozat + +- Resync containers.conf / storage.conf with Fedora +- Create /etc/containers/registries.conf.d and + add 000-shortnames.conf to it. + ------------------------------------------------------------------- Wed Jun 15 10:20:16 UTC 2022 - Fabian Vogt diff --git a/libcontainers-common.spec b/libcontainers-common.spec index f712d36..f6a2de4 100644 --- a/libcontainers-common.spec +++ b/libcontainers-common.spec @@ -47,6 +47,7 @@ Source8: default.yaml Source9: common-%{commonver}.tar.xz Source10: containers.conf Source11: %{name}.rpmlintrc +Source12: shortnames.conf BuildRequires: go-go-md2man Provides: libcontainers-image = %{version} Provides: libcontainers-storage = %{version} 
@@ -111,12 +112,14 @@ install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/oci/hooks.d install -d -m 0755 %{buildroot}/%{_datadir}/containers/oci/hooks.d install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/registries.d +install -d -m 0755 %{buildroot}/%{_sysconfdir}/containers/registries.conf.d install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/containers/policy.json install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/containers/storage.conf install -D -m 0644 %{SOURCE5} %{buildroot}/%{_datadir}/containers/mounts.conf install -D -m 0644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/containers/mounts.conf install -D -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/containers/registries.conf +install -D -m 0644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf install -D -m 0644 %{SOURCE8} %{buildroot}/%{_sysconfdir}/containers/registries.d/default.yaml sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE10} install -D -m 0644 %{SOURCE10} %{buildroot}/%{_datadir}/containers/containers.conf @@ -151,6 +154,7 @@ fi %dir %{_sysconfdir}/containers/oci %dir %{_sysconfdir}/containers/oci/hooks.d %dir %{_sysconfdir}/containers/registries.d +%dir %{_sysconfdir}/containers/registries.conf.d %dir %{_datadir}/containers %dir %{_datadir}/containers/oci %dir %{_datadir}/containers/oci/hooks.d @@ -162,6 +166,7 @@ fi %config(noreplace) %{_sysconfdir}/containers/registries.conf %config(noreplace) %{_sysconfdir}/containers/seccomp.json %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml +%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf %{_datadir}/containers/seccomp.json %{_datadir}/containers/containers.conf diff --git a/shortnames.conf b/shortnames.conf new file mode 100644 index 0000000..4d36a0c --- /dev/null +++ b/shortnames.conf 
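Review bot: `%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf` means that once a user edits the file, every later alias update shipped by the package is written as `000-shortnames.conf.rpmnew` and never applied; this file maps unqualified image names to registries, so a stale copy is a supply-chain concern rather than a cosmetic one. If following upstream's packaging is the intent, a short comment next to the `%files` entry or in the changelog would make that deliberate; otherwise plain `%config` keeps the packaged list authoritative while preserving user edits as `.rpmsave`. The `%install` and `%files` sections both continue outside these hunks.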
@@ -0,0 +1,115 @@
+[aliases]
+ # almalinux
+ "almalinux" = "docker.io/library/almalinux"
+ "almalinux-minimal" = "docker.io/library/almalinux-minimal"
+ # Arch Linux
+ "archlinux" = "docker.io/archlinux/archlinux"
+ # centos
+ "centos" = "quay.io/centos/centos"
+ # containers
+ "skopeo" = "quay.io/skopeo/stable"
+ "buildah" = "quay.io/buildah/stable"
+ "podman" = "quay.io/podman/stable"
+ "hello" = "quay.io/podman/hello"
+ "hello-world" = "quay.io/podman/hello"
+ # docker
+ "alpine" = "docker.io/library/alpine"
+ "docker" = "docker.io/library/docker"
+ "registry" = "docker.io/library/registry"
+ "swarm" = "docker.io/library/swarm"
+ # Fedora
+ "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
+ "fedora" = "registry.fedoraproject.org/fedora"
+ # openSUSE
+ "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
+ "opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
+ "opensuse/tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
+ "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
+ "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
+ "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
+ "tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
+ "tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
+ "leap" = "registry.opensuse.org/opensuse/leap"
+ "leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf"
+ "leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf"
+ "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
+ # SUSE
+ "suse/sle15" = "registry.suse.com/suse/sle15"
+ "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
+ "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
+ "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
+ "sle15" = "registry.suse.com/suse/sle15"
+ "sles12sp5" = "registry.suse.com/suse/sles12sp5"
+ "sles12sp4" = "registry.suse.com/suse/sles12sp4"
+ "sles12sp3" = "registry.suse.com/suse/sles12sp3"
+ # Red Hat Enterprise Linux
+ "rhel" = "registry.access.redhat.com/rhel"
+ "rhel6" = "registry.access.redhat.com/rhel6"
+ "rhel7" = "registry.access.redhat.com/rhel7"
+ "rhel7.9" = "registry.access.redhat.com/rhel7.9"
+ "rhel-atomic" = "registry.access.redhat.com/rhel-atomic"
+ "rhel-minimal" = "registry.access.redhat.com/rhel-minimum"
+ "rhel-init" = "registry.access.redhat.com/rhel-init"
+ "rhel7-atomic" = "registry.access.redhat.com/rhel7-atomic"
+ "rhel7-minimal" = "registry.access.redhat.com/rhel7-minimum"
+ "rhel7-init" = "registry.access.redhat.com/rhel7-init"
+ "rhel7/rhel" = "registry.access.redhat.com/rhel7/rhel"
+ "rhel7/rhel-atomic" = "registry.access.redhat.com/rhel7/rhel7/rhel-atomic"
+ "ubi7/ubi" = "registry.access.redhat.com/ubi7/ubi"
+ "ubi7/ubi-minimal" = "registry.access.redhat.com/ubi7-minimal"
+ "ubi7/ubi-init" = "registry.access.redhat.com/ubi7-init"
+ "ubi7" = "registry.access.redhat.com/ubi7"
+ "ubi7-init" = "registry.access.redhat.com/ubi7-init"
+ "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
+ "rhel8" = "registry.access.redhat.com/ubi8"
+ "rhel8-init" = "registry.access.redhat.com/ubi8-init"
+ "rhel8-minimal" = "registry.access.redhat.com/ubi8-minimal"
+ "rhel8-micro" = "registry.access.redhat.com/ubi8-micro"
+ "ubi8" = "registry.access.redhat.com/ubi8"
+ "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
+ "ubi8-init" = "registry.access.redhat.com/ubi8-init"
+ "ubi8-micro" = "registry.access.redhat.com/ubi8-micro"
+ "ubi8/ubi" = "registry.access.redhat.com/ubi8/ubi"
+ "ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
+ "ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
+ "ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
+ "ubi8/podman" = "registry.access.redhat.com/ubi8/podman"
+ "ubi8/buildah" = "registry.access.redhat.com/ubi8/buildah"
+ "ubi8/skopeo" = "registry.access.redhat.com/ubi8/skopeo"
+ "rhel9" = "registry.access.redhat.com/ubi9"
+ "rhel9-init" = "registry.access.redhat.com/ubi9-init"
+ "rhel9-minimal" = "registry.access.redhat.com/ubi9-minimal"
+ "rhel9-micro" = "registry.access.redhat.com/ubi9-micro"
+ "ubi9" = "registry.access.redhat.com/ubi9"
+ "ubi9-minimal" = "registry.access.redhat.com/ubi9-minimal"
+ "ubi9-init" = "registry.access.redhat.com/ubi9-init"
+ "ubi9-micro" = "registry.access.redhat.com/ubi9-micro"
+ "ubi9/ubi" = "registry.access.redhat.com/ubi9/ubi"
+ "ubi9/ubi-minimal" = "registry.access.redhat.com/ubi9-minimal"
+ "ubi9/ubi-init" = "registry.access.redhat.com/ubi9-init"
+ "ubi9/ubi-micro" = "registry.access.redhat.com/ubi9-micro"
+ "ubi9/podman" = "registry.access.redhat.com/ubi9/podman"
+ "ubi9/buildah" = "registry.access.redhat.com/ubi9/buildah"
+ "ubi9/skopeo" = "registry.access.redhat.com/ubi9/skopeo"
+ # Rocky Linux
+ "rockylinux" = "docker.io/library/rockylinux"
+ # Debian
+ "debian" = "docker.io/library/debian"
+ # Kali Linux
+ "kali-bleeding-edge" = "docker.io/kalilinux/kali-bleeding-edge"
+ "kali-dev" = "docker.io/kalilinux/kali-dev"
+ "kali-experimental" = "docker.io/kalilinux/kali-experimental"
+ "kali-last-release" = "docker.io/kalilinux/kali-last-release"
+ "kali-rolling" = "docker.io/kalilinux/kali-rolling"
+ # Ubuntu
+ "ubuntu" = "docker.io/library/ubuntu"
+ # Oracle Linux
+ "oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
+ # busybox
+ "busybox" = "docker.io/library/busybox"
+ # php
+ "php" = "docker.io/library/php"
+ # python
+ "python" = "docker.io/library/python"
+ # node
+ "node" = "docker.io/library/node"
diff --git a/storage.conf b/storage.conf
index 2e00e39..1c51771 100644
--- a/storage.conf
+++ b/storage.conf
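Review bot: The `"rhel7/rhel-atomic"` alias points at `registry.access.redhat.com/rhel7/rhel7/rhel-atomic`; the doubled `rhel7/` segment appears in no other entry and looks like a typo, so this short name would presumably resolve to a repository that does not exist — worth checking against the Fedora file this was resynced from (the neighbouring entries suggest `registry.access.redhat.com/rhel7/rhel-atomic`). A header comment is also missing: these aliases decide which registry an unqualified image name resolves to, take precedence over unqualified-search-registries, and can be overridden by any registries.conf.d drop-in that sorts after `000-`, so a few lines at the top stating that would help whoever audits the file. Several entries deliberately redirect to a differently named repository (`rhel-minimal` → `rhel-minimum`, `ubi7/ubi-minimal` → `ubi7-minimal`, `rhel8` → `ubi8`); a short comment above each such group saying the target is intentional would stop them being "corrected" later.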
@@ -1,18 +1,37 @@
 # This file is is the configuration file for all tools
-# that use the containers/storage library.
+# that use the containers/storage library. The storage.conf file
+# overrides all other storage.conf files. Container engines using the
+# container/storage library do not inherit fields from other storage.conf
+# files.
+#
+# Note: The storage.conf file overrides other storage.conf files based on this precedence:
+# /usr/containers/storage.conf
+# /etc/containers/storage.conf
+# $HOME/.config/containers/storage.conf
+# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
 # See man 5 containers-storage.conf for more information
 # The "container storage" table contains all of the server options.
 [storage]
-# Default Storage Driver
+# Default Storage Driver, Must be set for proper operation.
 driver = "overlay"
 # Temporary storage location
-runroot = "/var/run/containers/storage"
+runroot = "/run/containers/storage"
 # Primary Read/Write location of container storage
+# When changing the graphroot location on an SELINUX system, you must
+# ensure the labeling matches the default locations labels with the
+# following commands:
+# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
+# restorecon -R -v /NEWSTORAGEPATH
 graphroot = "/var/lib/containers/storage"
+
+# Storage path for rootless users
+#
+# rootless_storage_path = "$HOME/.local/share/containers/storage"
+
 [storage.options]
 # Storage options to be passed to underlying storage drivers
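Review bot: The precedence list in the new header starts with `/usr/containers/storage.conf`, which as far as I know is not a path the containers/storage library consults (its vendor default is read from /usr/share/containers/storage.conf, and the spec in this same change only installs `%{_sysconfdir}/containers/storage.conf`); a user following the comment would edit a file nothing reads, so the path should be verified and corrected. The list is also ordered lowest to highest priority while the sentence above says the file "overrides ... based on this precedence", which reads the other way round; `# (each file listed later overrides the ones above it)` would make it unambiguous. The kept context line `# This file is is the configuration file` has a doubled word that could be fixed while the header is being rewritten.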
@@ -21,48 +40,121 @@ graphroot = "/var/lib/containers/storage"
 additionalimagestores = [
 ]
-# Size is used to set a maximum size of the container image. Only supported by
-# certain container storage drivers.
-size = ""
+# Allows specification of how storage is populated when pulling images. This
+# option can speed the pulling process of images compressed with format
+# zstd:chunked. Containers/storage looks for files within images that are being
+# pulled from a container registry that were previously pulled to the host. It
+# can copy or create a hard link to the existing file when it finds them,
+# eliminating the need to pull them from the container registry. These options
+# can deduplicate pulling of content, disk storage of content and can allow the
+# kernel to use less memory when running containers.
-# Path to an helper program to use for mounting the file system instead of mounting it
-# directly.
-#mount_program = "/usr/bin/fuse-overlayfs"
-
-# OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
-# override_kernel_check = "false"
-
-# mountopt specifies comma separated list of extra mount options
-# mountopt = "nodev"
+# containers/storage supports four keys
+# * enable_partial_images="true" | "false"
+# Tells containers/storage to look for files previously pulled in storage
+# rather then always pulling them from the container registry.
+# * use_hard_links = "false" | "true"
+# Tells containers/storage to use hard links rather then create new files in
+# the image, if an identical file already existed in storage.
+# * ostree_repos = ""
+# Tells containers/storage where an ostree repository exists that might have
+# previously pulled content which can be used when attempting to avoid
+# pulling content from the container registry
+pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
 # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
-# a container, to UIDs/GIDs as they should appear outside of the container, and
-# the length of the range of UIDs/GIDs. Additional mapped sets can be listed
-# and will be heeded by libraries, but there are limits to the number of
+# a container, to the UIDs/GIDs as they should appear outside of the container,
+# and the length of the range of UIDs/GIDs. Additional mapped sets can be
+# listed and will be heeded by libraries, but there are limits to the number of
 # mappings which the kernel will allow when you later attempt to run a
 # container.
 #
 # remap-uids = 0:1668442479:65536
 # remap-gids = 0:1668442479:65536
-# Remap-User/Group is a name which can be used to look up one or more UID/GID
+# Remap-User/Group is a user name which can be used to look up one or more UID/GID
 # ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
-# with an in-container ID of 0 and the a host-level ID taken from the lowest
+# with an in-container ID of 0 and then a host-level ID taken from the lowest
 # range that matches the specified name, and using the length of that range.
 # Additional ranges are then assigned, using the ranges which specify the
-# lowest host-level IDs first, to the lowest not-yet-mapped container-level ID,
+# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
 # until all of the entries have been used for maps.
 #
-# remap-user = "storage"
-# remap-group = "storage"
+# remap-user = "containers"
+# remap-group = "containers"
-# If specified, use OSTree to deduplicate files with the overlay backend
-# ostree_repo = ""
+# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
+# to containers configured to create automatically a user namespace. Containers
+# configured to automatically create a user namespace can still overlap with containers
+# having an explicit mapping set.
+# This setting is ignored when running as rootless.
+# root-auto-userns-user = "storage"
+#
+# Auto-userns-min-size is the minimum size for a user namespace created automatically.
+# auto-userns-min-size=1024
+#
+# Auto-userns-max-size is the minimum size for a user namespace created automatically.
+# auto-userns-max-size=65536
-# Set to skip a PRIVATE bind mount on the storage home directory. Only supported by
-# certain container storage drivers
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids. Note multiple UIDs will be
+# squashed down to the default uid in the container. These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+#ignore_chown_errors = "false"
+
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+#mount_program = "/usr/bin/fuse-overlayfs"
+
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev,metacopy=on"
+
+# Set to skip a PRIVATE bind mount on the storage home directory.
 # skip_mount_home = "false"
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+# "": No value specified.
+# All files/directories, get set with the permissions identified within the
+# image.
+# "private": it is equivalent to 0700.
+# All files/directories get set with 0700 permissions. The owner has rwx
+# access to the files. No other users on the system can access the files.
+# This setting could be used with networked based homedirs.
+# "shared": it is equivalent to 0755.
+# The owner has rwx access to the files and everyone else can read, access
+# and execute them. This setting is useful for sharing containers storage
+# with other users. For instance have a storage owned by root but shared
+# to rootless users as an additional store.
+# NOTE: All files within the image are made readable and executable by any
+# user on the system. Even /etc/shadow within your image is now readable by
+# any user.
+#
+# OCTAL: Users can experiment with other OCTAL Permissions.
+#
+# Note: The force_mask Flag is an experimental feature, it could change in the
+# future. When "force_mask" is set the original permission mask is stored in
+# the "user.containers.override_stat" xattr and the "mount_program" option must
+# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
+# extended attribute permissions to processes within containers rather then the
+# "force_mask" permissions.
+#
+# force_mask = ""
+
 [storage.options.thinpool]
 # Storage Options for thinpool
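Review bot: The new `pull_options` comment says "containers/storage supports four keys" but only three are documented beneath it (`enable_partial_images`, `use_hard_links`, `ostree_repos`) and the inline table sets exactly those three, so either the count should read `three keys` or the missing key needs its own bullet; the `pull_options` line itself also writes `ostree_repos=""` without the spaces around `=` that the other two keys use. Further down, `Auto-userns-max-size is the minimum size for a user namespace created automatically.` duplicates the min-size sentence and should say `maximum size`. `mountopt = "nodev,metacopy=on"` is now active where the removed line was the commented-out `# mountopt = "nodev"`, so every install that picks up the new file gets metacopy enabled; a one-line comment saying this is intentional and relies on kernel overlayfs support would make the change auditable. Three occurrences of "rather then" in this hunk should read "rather than". The hunk spans several sections of the file, so some of these lines sit in `[storage.options]` and others in the new `[storage.options.overlay]`.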
@@ -109,10 +201,17 @@ size = ""
 # Value 0% disables
 # min_free_space = "10%"
-# mkfsarg specifies extra mkfs arguments to be used when creating the base.
+# mkfsarg specifies extra mkfs arguments to be used when creating the base
 # device.
 # mkfsarg = ""
+# metadata_size is used to set the `pvcreate --metadatasize` options when
+# creating thin devices. Default is 128k
+# metadata_size = ""
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
 # use_deferred_removal marks devicemapper block device for deferred removal.
 # If the thinpool is in use when the driver attempts to remove it, the driver
 # tells the kernel to remove it as soon as possible. Note this does not free