From 901b4b2f8d539b1a828fa9238c88d3a589065a94 Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Sun, 20 Oct 2019 09:19:54 -0400
Subject: system/podman: update to 1.6.2

Signed-off-by: Vincent Batts
---
 system/podman/README            |  6 +++
 system/podman/doinst.sh         | 18 +++++++++
 system/podman/mounts.conf       |  1 +
 system/podman/podman.SlackBuild | 19 ++++++++--
 system/podman/podman.info       |  8 ++--
 system/podman/policy.json       | 14 +++++++
 system/podman/registries.conf   | 82 +++++++++++++++++++++++++++++++++++++++++
 7 files changed, 141 insertions(+), 7 deletions(-)
 create mode 100644 system/podman/doinst.sh
 create mode 100644 system/podman/mounts.conf
 create mode 100644 system/podman/policy.json
 create mode 100644 system/podman/registries.conf
(limited to 'system')

diff --git a/system/podman/README b/system/podman/README
index 5295426059..f7d3cfec14 100644
--- a/system/podman/README
+++ b/system/podman/README
@@ -13,3 +13,9 @@ At a high level, the scope of libpod and podman is the following:
 * Resource isolation of containers and pods.
 
 These container runtimes can run as non-root, but require sub-uid/gid mappings
+
+To run podman as a user:
+
+  echo 'user.max_user_namespaces=30111' >> /etc/sysctl.conf
+  echo ':100000:65536' >> /etc/subuid
+  echo ':100000:65536' >> /etc/subgid
diff --git a/system/podman/doinst.sh b/system/podman/doinst.sh
new file mode 100644
index 0000000000..b93a3a48a2
--- /dev/null
+++ b/system/podman/doinst.sh
@@ -0,0 +1,18 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+config etc/containers/libpod.conf.new
+config etc/containers/registries.conf.new
+config etc/containers/mounts.conf.new
+config etc/containers/seccomp.json.new
+config etc/containers/policy.json.new
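Review bot: `config()` in the new doinst.sh expands `$OLD` and `$NEW` unquoted and reads each file through `cat … | md5sum`; the five paths passed below contain no whitespace, so this is a style point rather than a bug, but quoting and redirecting is both cheaper and safer: `elif [ "$(md5sum < "$OLD")" = "$(md5sum < "$NEW")" ]; then`, together with `mv "$NEW" "$OLD"` and `rm "$NEW"`. It is also worth a one-line comment above the `config` calls saying that seccomp.json and policy.json are security policy, so an admin who has edited either will find upstream's new version left beside theirs as `.new` rather than applied: `# seccomp.json/policy.json are security policy: a locally edited copy is kept and the new default lands as *.new`.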
diff --git a/system/podman/mounts.conf b/system/podman/mounts.conf
new file mode 100644
index 0000000000..270d316922
--- /dev/null
+++ b/system/podman/mounts.conf
@@ -0,0 +1 @@
+/etc/containers/secrets:/run/secrets
diff --git a/system/podman/podman.SlackBuild b/system/podman/podman.SlackBuild
index cd009b749e..0513860b8c 100644
--- a/system/podman/podman.SlackBuild
+++ b/system/podman/podman.SlackBuild
@@ -2,6 +2,7 @@
 
 # Slackware build script for podman
 
+# Copyright 2019 Gabriel Diaz, Madrid, Spain
 # Copyright 2019 Vincent Batts, Raleigh, NC, USA
 # All rights reserved.
 #
@@ -24,8 +25,8 @@
 
 PRGNAM=podman
 REPONAME=libpod
-VERSION=${VERSION:-1.0.1}
-GIT_COMMIT="2c74edd0ac6509d6e533cb4e012e3e3f9e03434d"
+VERSION=${VERSION:-1.6.2}
+GIT_COMMIT="f3ffda1e08f19e9a6a88484136b5eed76533f21a"
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
 
@@ -79,7 +80,7 @@ find -L . \
 
 export GOPATH="$TMP/$REPONAME-$VERSION"
 make GIT_COMMIT="$GIT_COMMIT"
-make install DESTDIR="$PKG" PREFIX="$PKG/usr" MANDIR="$PKG/usr/man" GIT_COMMIT="$GIT_COMMIT"
+make install DESTDIR="$PKG" PREFIX="/usr/" MANDIR="/usr/man/" GIT_COMMIT="$GIT_COMMIT"
 
 find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
   | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
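Review bot: The single entry `/etc/containers/secrets:/run/secrets` is a host-to-container mount spec, so whatever ends up in that host directory is intended to become visible inside the containers podman starts from this configuration, and nothing in the file says so; the directory itself is created by the build script in a later hunk. Whether this file accepts `#` comments is not shown here (check containers-mounts.conf(5)); if it does, add `# Host dir exposed inside containers at /run/secrets; anything placed here is readable by every container that gets the mount` above the entry, otherwise put that sentence in the README next to the rootless setup instructions. Either way an admin should be told not to drop host-wide credentials in there expecting per-container scoping.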
@@ -95,6 +96,18 @@ cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+mkdir -p $PKG/etc/containers/secrets
+
+# use upstream's default seccomp policy
+cp seccomp.json $PKG/etc/containers/seccomp.json.new
+# use upstream config, but default to cgroupfs
+cat libpod.conf | sed 's/^cgroup_manager = "systemd"/cgroup_manager = "cgroupfs"/g' > $PKG/etc/containers/libpod.conf.new
+
+cp $CWD/registries.conf $PKG/etc/containers/registries.conf.new
+cp $CWD/mounts.conf $PKG/etc/containers/mounts.conf.new
+cp $CWD/policy.json $PKG/etc/containers/policy.json.new
 
 cd $PKG
 /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/system/podman/podman.info b/system/podman/podman.info
index dc8a7903f9..725e924d15 100644
--- a/system/podman/podman.info
+++ b/system/podman/podman.info
@@ -1,10 +1,10 @@
 PRGNAM="podman"
-VERSION="1.0.1"
+VERSION="1.6.2"
 HOMEPAGE="https://github.com/containers/libpod"
-DOWNLOAD="https://github.com/containers/libpod/archive/v1.0.1/libpod-1.0.1.tar.gz"
-MD5SUM="d7ce87cad867fc7d1980a2b07566282f"
+DOWNLOAD="https://github.com/containers/libpod/archive/v1.6.2/libpod-1.6.2.tar.gz"
+MD5SUM="bf43121bc45b19404d8bcfaf87e5046d"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
-REQUIRES="runc go-md2man slirp4netns"
+REQUIRES="cni-plugins conmon runc go-md2man slirp4netns"
 MAINTAINER="Vincent Batts"
 EMAIL="vbatts@hashbangbash.com"
diff --git a/system/podman/policy.json b/system/podman/policy.json
new file mode 100644
index 0000000000..dffc54a626
--- /dev/null
+++ b/system/podman/policy.json
@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}
diff --git a/system/podman/registries.conf b/system/podman/registries.conf
new file mode 100644
index 0000000000..21ddef2871
--- /dev/null
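Review bot: The `sed 's/^cgroup_manager = "systemd"/cgroup_manager = "cgroupfs"/g'` rewrite of libpod.conf fails silently: if upstream ever changes the spelling of that line, the shipped libpod.conf.new still says systemd and the build succeeds, which presumably defeats the point of the override on a systemd-less host. Guard it so the build stops instead, `grep -q '^cgroup_manager = "systemd"' libpod.conf || exit 1` before the sed, and drop the useless `cat |`: `sed 's/^cgroup_manager = "systemd"/cgroup_manager = "cgroupfs"/' libpod.conf > $PKG/etc/containers/libpod.conf.new`. Separately, `mkdir -p $PKG/etc/containers/secrets` creates the directory that the new mounts.conf exposes inside containers with whatever mode the builder's umask happens to give; an explicit `chmod 0755 $PKG/etc/containers/secrets` (or tighter, if rootless users are not meant to read it — verify how podman treats an unreadable mount source first) keeps the package independent of the build environment.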
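Review bot: The shipped policy sets `"default": [{"type": "insecureAcceptAnything"}]`, so every image from every transport is accepted without any signature check, including short-name pulls resolved through the five public registries the new registries.conf searches; this matches what upstream distributes, but neither the README nor the commit message says the package installs a no-verification trust policy. JSON has no comments, so document it where the admin will read it, e.g. in the README: `The installed /etc/containers/policy.json accepts any image unverified (insecureAcceptAnything); see containers-policy.json(5) to require signatures per registry.` The `docker-daemon` transport entry merely repeats the default and could be dropped, or kept only if it is meant as a template for per-transport rules.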
+++ b/system/podman/registries.conf 
@@ -0,0 +1,82 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# There are multiple versions of the configuration syntax available, where the
+# second iteration is backwards compatible to the first one. Mixing up both
+# formats will result in an runtime error.
+#
+# The initial configuration format looks like this:
+#
+# Registries to search for images that are not fully-qualified.
+# i.e. foobar.com/my_image:latest vs my_image:latest
+[registries.search]
+registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org']
+
+# Registries that do not use TLS when pulling images or uses self-signed
+# certificates.
+[registries.insecure]
+registries = []
+
+# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
+# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
+# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
+# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
+# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
+# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
+# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
+[registries.block]
+registries = []
+
+# The second version of the configuration format allows to specify registry
+# mirrors:
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+# unqualified-search-registries = ["example.com"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# # prefix = "example.com/foo"
+# # location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/myimage:latest
+# # in order, and use the first one that exists.
-- 
cgit v1.2.3
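Review bot: `registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org']` under `[registries.search]` means an unqualified name such as `my_image:latest` is searched on each of these public registries in order, and anyone can publish under an arbitrary repository name on the first two, so a short name that does not exist on docker.io can be satisfied by a look-alike from a later registry (or by a squatted docker.io name), and the accompanying policy.json accepts whatever comes back unverified. Either ship `registries = []` so users must write fully qualified names, or keep the list but warn above it: `# Short names are tried on ALL of these public registries in order; prefer fully-qualified image names (registry/namespace/name) to avoid pulling a look-alike.` The commented example `location = internal-registry-for-example.com/bar"` is missing its opening quote and names a `.com` host where the surrounding text uses `.net`; that is upstream's text, but it will mislead anyone who uncomments it, so fix it while copying the file.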