diff --git a/containers.conf b/containers.conf index fbc691f..a029aed 100644 --- a/containers.conf +++ b/containers.conf @@ -47,6 +47,15 @@ # # cgroupns = "private" +# Control container cgroup configuration +# Determines whether the container will create CGroups. +# Options are: +# `enabled` Enable cgroup support within container +# `disabled` Disable cgroup support, will inherit cgroups from parent +# `no-conmon` Container engine runs run without conmon +# +# cgroups = "enabled" + # List of default capabilities for containers. If it is empty or commented out, # the default capabilities defined in the container engine will be added. # diff --git a/registries.conf b/registries.conf index e8e239c..e3da7db 100644 --- a/registries.conf +++ b/registries.conf 
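Review bot: The `disabled` line of the new `cgroups` option says the container inherits cgroups from the parent but not what that implies: a container placed in its caller's cgroup is presumably not accounted or limited separately, so per-container memory, pids or cpu limits would not take effect, and an administrator choosing between `enabled` and `disabled` needs that stated next to the option. Suggest appending to the `disabled` description: `(per-container resource limits then cannot be enforced)`. The `no-conmon` line has a duplicated word, `runs run`, and should say what is lost without conmon rather than only that it is not used; I cannot tell from this hunk what the engine does in that mode, so the wording should come from the maintainer.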
@@ -9,20 +9,21 @@ # Registries to search for images that are not fully-qualified. # i.e. foobar.com/my_image:latest vs my_image:latest # -# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES. -# Pulling an image that is not fully qualified, i.e., one that includes the -# image name but does not include the registry or tag, is not recommended. -# There is a risk that the image being pulled could be spoofed. An example -# of this would be if a user wanted to pull an image named `foobar` from a -# registry and expect it to come from myregistry.com. If myregistry.com is -# not first in the search list, an attacker could place a different `foobar` -# image at a registry earlier in the search list. Now you would accidentally -# run the attackers code rather than the intended content. Registries that -# are added to this list should be completely controlled, i.e., not allow -# unknown/arbitrary users being able to create accounts with arbitrary names -# to prevent an image from being spoofed, squatted or otherwise made -# insecure. If it is necessary to use one of these registries, it should be -# added at the end of the list. +# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is +# always an inherent risk that the image being pulled could be spoofed. For +# example, a user wants to pull an image named `foobar` from a registry and +# expects it to come from myregistry.com. If myregistry.com is not first in the +# search list, an attacker could place a different `foobar` image at a registry +# earlier in the search list. The user would accidentally pull and run the +# attacker's image and code rather than the intended content. We recommend only +# adding registries which are completely trusted, i.e. 
registries which don't +# allow unknown or anonymous users to create accounts with arbitrary names. This +# will prevent an image from being spoofed, squatted or otherwise made insecure. +# If it is necessary to use one of these registries, it should be added at the +# end of the list. # # It is recommended to use fully-qualified images for pulling as the # destination registry is unambiguous. Pulling by digest @@ -30,7 +31,7 @@ # tags. [registries.search] -registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io'] +# registries = [] # Registries that do not use TLS when pulling images or uses self-signed # certificates. @@ -52,7 +53,7 @@ registries = [] # # NOTE: Please read the note about the risk of unqualified images identified above. # # An array of host[:port] registries to try when pulling an unqualified image, in order. -# unqualified-search-registries = ["example.com"] +unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io'] # # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; @@ -100,5 +101,5 @@ registries = [] # # Given the above, a pull of example.com/foo/image:latest will try: # # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest -# # 3. internal-registry-for-example.net/bar/myimage:latest +# # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. diff --git a/seccomp.json b/seccomp.json index 664f46d..f060bea 100644 --- a/seccomp.json +++ b/seccomp.json @@ -69,6 +69,7 @@ "clock_getres", "clock_gettime", "clock_nanosleep", + "clone", "close", "connect", "copy_file_range", @@ -168,6 +169,7 @@ "io_setup", "io_submit", "ipc", + "keyctl", "kill", "lchown", "lchown32", @@ -219,6 +221,7 @@ "pause", "pipe", "pipe2", + "pivot_root", "poll", "ppoll", "prctl", 
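Review bot: The newly activated `unqualified-search-registries` default ends with `docker.io`, which is precisely the kind of registry the rewritten note at the top of this file warns about: names there are not centrally controlled, so a short name that misses on the three preceding registries falls through to whatever `docker.io` serves under that name. Placing it last follows the note's own advice, but a shipped default should say so at the setting instead of relying on a comment forty lines up; suggest `# docker.io is last on purpose: anyone can register names there. Remove it if only fully-qualified names are used.` directly above the line. Consider also whether the packaged default should contain `docker.io` at all, leaving that opt-in to the administrator.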
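Review bot: `clone` is added to the unconditional allowlist, which admits every flag combination, including the `CLONE_NEW*` namespace flags; `CLONE_NEWUSER` in particular needs no capability and is the usual entry point for unprivileged namespace-based kernel exploits, which is why widely used default profiles either filter the flags argument of `clone` or gate it on CAP_SYS_ADMIN. The changelog in this commit motivates the addition with nested containers, and those typically run with the capabilities a gated entry would require anyway. If this profile has a capability-conditioned section, `clone` belongs there (or behind an argument filter masking the namespace flags) rather than in the base list; the rest of the file is not visible here, so which sections exist needs confirming.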
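Review bot: `keyctl` is allowed unconditionally, giving every container access to the kernel keyring API regardless of capabilities; the keyring subsystem has historically been a recurring source of kernel privilege-escalation bugs, and most default container profiles leave `keyctl`, `add_key` and `request_key` denied for that reason. If nested containers genuinely need it, gate it on a capability the nested engine already requires rather than opening it to all workloads, and record the reason in the commit message since the JSON profile cannot carry a comment.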
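Review bot: `pivot_root` joins the base allowlist rather than a capability-gated entry; the kernel itself requires CAP_SYS_ADMIN for the call, so the change mainly affects containers run with that capability (`--privileged` or an explicit cap-add), but those are exactly the cases where seccomp is the remaining control on mount-namespace manipulation from inside the container. Default profiles from other engines keep `pivot_root` together with `mount`, `umount2`, `setns` and `unshare` under a CAP_SYS_ADMIN condition; the same should be done here if the profile supports capability-conditioned groups, which cannot be confirmed from this hunk alone.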
diff --git a/skopeo.spec b/skopeo.spec index 9e69bd1..41f0f47 100644 --- a/skopeo.spec +++ b/skopeo.spec @@ -50,7 +50,7 @@ ExcludeArch: ppc64 Name: %{repo} Epoch: %{conditional_epoch} Version: 0.2.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -440,6 +440,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Fri Apr 24 2020 Dan Walsh - 1:0.2.0-3 +- Update registries.conf to use version 2 definitions +- Update containers.conf to include latest changes +- Update seccomp.json to allow a few more syscalls for contaners within containers. +- Update storage.conf to match upstream + * Tue Apr 21 2020 Lokesh Mandvekar - 1:0.2.0-2 - update spec for autobuilder diff --git a/storage.conf b/storage.conf index b2002a7..6dafb34 100644 --- a/storage.conf +++ b/storage.conf @@ -13,6 +13,10 @@ runroot = "/var/run/containers/storage" # Primary Read/Write location of container storage graphroot = "/var/lib/containers/storage" +# Storage path for rootless users +# +# rootless_storage_path = "$HOME/.local/share/containers/storage" + [storage.options] # Storage options to be passed to underlying storage drivers 
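Review bot: The example `rootless_storage_path = "$HOME/.local/share/containers/storage"` depends on the engine expanding `$HOME`; TOML performs no variable substitution, so the comment should say which variables are expanded and by whom, and what happens when `$HOME` is unset or points at a directory shared with other users. Suggest `# $HOME is expanded by the container engine, not by the configuration parser; leave unset to use the default`, adjusted to whatever expansion the engine actually performs, which this hunk does not show.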
@@ -39,8 +43,22 @@ additionalimagestores = [ # lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, # until all of the entries have been used for maps. # -# remap-user = "storage" -# remap-group = "storage" +# remap-user = "containers" +# remap-group = "containers" + +# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partioned +# to containers configured to create automatically a user namespace. Containers +# configured to automatically create a user namespace can still overlap with containers +# having an explicit mapping set. +# This setting is ignored when running as rootless. +# root-auto-userns-user = "storage" +# +# Auto-userns-min-size is the minimum size for a user namespace created automatically. +# auto-userns-min-size=1024 +# +# Auto-userns-max-size is the minimum size for a user namespace created automatically. +# auto-userns-max-size=65536 [storage.options.overlay] # ignore_chown_errors can be set to allow a non privileged user running with @@ -107,7 +125,7 @@ mountopt = "nodev,metacopy=on" # Value 0% disables # min_free_space = "10%" -# mkfsarg specifies extra mkfs arguments to be used when creating the base. +# mkfsarg specifies extra mkfs arguments to be used when creating the base # device. # mkfsarg = "" @@ -115,7 +133,7 @@ mountopt = "nodev,metacopy=on" # size = "" # use_deferred_removal marks devicemapper block device for deferred removal. -# If the thinpool is in use when the driver attempts to remove it, the driver +# If the thinpool is in use when the driver attempts to remove it, the driver # tells the kernel to remove it as soon as possible. Note this does not free # up the disk space, use deferred deletion to fully remove the thinpool. # use_deferred_removal = "True"
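Review bot: The new `auto-userns-max-size` comment is a copy of the one above it and says `minimum`; it should read `# Auto-userns-max-size is the maximum size for a user namespace created automatically.` The `root-auto-userns-user` text notes that automatic namespaces `can still overlap with containers having an explicit mapping set` without saying why that matters: overlapping ranges mean processes in two containers run under the same host UIDs, so the isolation the user namespace is meant to provide is lost between them, and one sentence advising that the `root-auto-userns-user` subuid/subgid range be kept disjoint from any `remap-user`/`remap-group` range would make the caveat actionable. Minor: `partioned` should be `partitioned`, and the examples now show `containers` for `remap-user`/`remap-group` but `storage` for `root-auto-userns-user`; the two should agree unless the difference is deliberate.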