diff --git a/common/rpm/00-containers.conf b/common/rpm/00-containers.conf new file mode 100644 index 0000000000..012c200bce --- /dev/null +++ b/common/rpm/00-containers.conf @@ -0,0 +1,5 @@ +[containers] +log_driver = "journald" + +[engine] +runtime = "crun" diff --git a/common/rpm/00-fedora-registries.conf b/common/rpm/00-fedora-registries.conf new file mode 100644 index 0000000000..9c7bb1a8ea --- /dev/null +++ b/common/rpm/00-fedora-registries.conf @@ -0,0 +1,5 @@ +# Default search registries for fedora +unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"] + +# Enforcing mode for short names is default for Fedora 34 and newer +short-name-mode="enforcing" diff --git a/common/rpm/00-rhel-registries.conf b/common/rpm/00-rhel-registries.conf new file mode 100644 index 0000000000..2ed52cff1c --- /dev/null +++ b/common/rpm/00-rhel-registries.conf @@ -0,0 +1,5 @@ +# Default search registries for RHEL +unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"] + +# Enforcing mode for short names is default for Fedora 34 and newer +short-name-mode="enforcing" diff --git a/common/rpm/00-storage-additional-store.conf b/common/rpm/00-storage-additional-store.conf new file mode 100644 index 0000000000..8bb671127b --- /dev/null +++ b/common/rpm/00-storage-additional-store.conf @@ -0,0 +1,2 @@ +[storage.options] +additionalimagestores = ["/usr/lib/containers/storage"] diff --git a/common/rpm/00-storage.conf b/common/rpm/00-storage.conf new file mode 100644 index 0000000000..2574bcd794 --- /dev/null +++ b/common/rpm/00-storage.conf @@ -0,0 +1,6 @@ +[storage] +driver = "overlay" + +[storage.options.overlay] +# mountopt specifies comma separated list of extra mount options +mountopt = "nodev,metacopy=on" diff --git a/common/rpm/containers-common.spec b/common/rpm/containers-common.spec index d478ab7dee..a3010484f1 100644 --- a/common/rpm/containers-common.spec +++ b/common/rpm/containers-common.spec @@ -42,6 +42,11 @@ Requires: (fuse-overlayfs if fedora-release-identity-server) %else Suggests: fuse-overlayfs %endif +# Conflict versions using the old config file loading to avoid mismatch between code and configs. +Conflicts: podman < 5:6 +Conflicts: buildah < 2:1.44 +Conflicts: skopeo < 1:1.23 + URL: https://github.com/%{project}/%{repo} Source0: %{url}/archive/refs/tags/common/v%{version}.tar.gz Source1: https://raw.githubusercontent.com/containers/shortnames/refs/heads/main/shortnames.conf @@ -65,11 +70,10 @@ Requires: container-network-stack Requires: oci-runtime Requires: passt %if %{defined fedora} -Conflicts: podman < 5:5.0.0~rc4-1 Recommends: composefs Recommends: crun Requires: (crun if fedora-release-identity-server) -Requires: netavark >= %{netavark_epoch}:1.10.3-1 +Requires: netavark >= %{netavark_epoch}:2 Suggests: slirp4netns Recommends: qemu-user-static Requires: (qemu-user-static-aarch64 if fedora-release-identity-server) @@ -84,10 +88,6 @@ not required by Skopeo. %prep %autosetup -Sgit -n %{repo}-common-v%{version} -# Fine-grain distro- and release-specific tuning of config files, -# e.g., seccomp, composefs, registries on different RHEL/Fedora versions -bash common/rpm/update-config-files.sh - %build mkdir -p man5 for i in common/docs/*.5.md image/docs/*.5.md storage/docs/*.5.md; do @@ -96,7 +96,7 @@ done %install # install config and policy files for registries -install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,networks,systemd} +install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,networks,systemd,registries.conf.d,registries.d} install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore install -dp %{buildroot}%{_datadir}/containers/systemd install -dp %{buildroot}%{_prefix}/lib/containers/storage @@ -105,20 +105,32 @@ touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock -install -Dp -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf -install -Dp -m0644 image/default.yaml %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml -install -Dp -m0644 image/default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json -install -Dp -m0644 image/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf +install -Dp -m0644 %{SOURCE1} %{buildroot}%{_datadir}/containers/registries.conf.d/000-shortnames.conf +install -Dp -m0644 image/default.yaml %{buildroot}%{_datadir}/containers/registries.d/default.yaml +install -Dp -m0644 image/default-policy.json %{buildroot}%{_datadir}/containers/policy.json +install -Dp -m0644 image/registries.conf %{buildroot}%{_datadir}/containers/registries.conf install -Dp -m0644 storage/storage.conf %{buildroot}%{_datadir}/containers/storage.conf +# install custom vendor overwrites +install -Dp -m0644 common/rpm/00-containers.conf %{buildroot}%{_datadir}/containers/containers.conf.d/00-vendor.conf +install -Dp -m0644 common/rpm/00-storage.conf %{buildroot}%{_datadir}/containers/storage.conf.d/00-vendor.conf +install -Dp -m0644 common/rpm/00-storage-additional-store.conf %{buildroot}%{_datadir}/containers/storage.rootful.conf.d/00-vendor-additional-store.conf + +%if %{defined fedora} +install -Dp -m0644 common/rpm/00-fedora-registries.conf %{buildroot}%{_datadir}/containers/registries.conf.d/00-vendor.conf +%else +install -Dp -m0644 common/rpm/00-rhel-registries.conf %{buildroot}%{_datadir}/containers/registries.conf.d/00-vendor.conf +%endif + + # RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on # fedora and centos %if %{defined fedora} || %{defined centos} install -Dp -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release %endif -install -Dp -m0644 common/contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d -install -Dp -m0644 common/contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d +install -Dp -m0644 common/contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_datadir}/containers/registries.d +install -Dp -m0644 common/contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_datadir}/containers/registries.d # install manpages for i in man5/*.5; do @@ -141,6 +153,22 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/ # Placeholder check to silence rpmlint warnings %check +%posttrans + # Restore user-modified config files from .rpmsave + for file in \ + policy.json \ + registries.conf \ + registries.conf.d/000-shortnames.conf \ + registries.d/default.yaml \ + registries.d/registry.redhat.io.yaml \ + registries.d/registry.access.redhat.com.yaml + do + file="%{_sysconfdir}/containers/${file}" + if [ -f "${file}.rpmsave" ]; then + mv "${file}.rpmsave" "${file}" + fi + done + %files %dir %{_sysconfdir}/containers %dir %{_sysconfdir}/containers/certs.d @@ -157,15 +185,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/ %{_prefix}/lib/containers/storage/overlay-images/images.lock %{_prefix}/lib/containers/storage/overlay-layers/layers.lock -%config(noreplace) %{_sysconfdir}/containers/policy.json -%config(noreplace) %{_sysconfdir}/containers/registries.conf -%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf + %if 0%{?fedora} || 0%{?centos} %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release %endif -%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml -%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml -%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml %ghost %{_sysconfdir}/containers/storage.conf %ghost %{_sysconfdir}/containers/containers.conf %dir %{_sharedstatedir}/containers/sigstore @@ -179,6 +202,21 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/ %{_datadir}/containers/containers.conf %{_datadir}/containers/mounts.conf %{_datadir}/containers/seccomp.json +%{_datadir}/containers/policy.json +%{_datadir}/containers/registries.conf +%dir %{_datadir}/containers/registries.conf.d +%{_datadir}/containers/registries.conf.d/000-shortnames.conf +%{_datadir}/containers/registries.conf.d/00-vendor.conf +%dir %{_datadir}/containers/registries.d +%{_datadir}/containers/registries.d/default.yaml +%{_datadir}/containers/registries.d/registry.redhat.io.yaml +%{_datadir}/containers/registries.d/registry.access.redhat.com.yaml +%dir %{_datadir}/containers/containers.conf.d +%{_datadir}/containers/containers.conf.d/00-vendor.conf +%dir %{_datadir}/containers/storage.conf.d +%{_datadir}/containers/storage.conf.d/00-vendor.conf +%dir %{_datadir}/containers/storage.rootful.conf.d +%{_datadir}/containers/storage.rootful.conf.d/00-vendor-additional-store.conf %dir %{_datadir}/rhel %dir %{_datadir}/rhel/secrets %{_datadir}/rhel/secrets/* diff --git a/common/rpm/update-config-files.sh b/common/rpm/update-config-files.sh deleted file mode 100755 index f2dfd5794e..0000000000 --- a/common/rpm/update-config-files.sh +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env bash -# This script delivers current documentation/configs and assures it has the intended -# settings for a particular branch/release. - -set -exo pipefail - -ensure() { - if [[ ! -f "$1" ]]; then - echo "File not found:" "$1" - exit 1 - fi - if grep "^$2[[:blank:]].*=" "$1" > /dev/null - then - sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" "$1" - else - if grep "^\#.*$2[[:blank:]].*=" "$1" > /dev/null - then - sed -i "/^#.*$2[[:blank:]].*=/a \ -$2 = $3" "$1" - else - echo "$2 = $3" >> "$1" - fi - fi -} - -# Common options enabled across all fedora, centos, rhel -# TBD: Can these be enabled by default upstream? -ensure image/registries.conf short-name-mode \"enforcing\" - -ensure storage/storage.conf driver \"overlay\" -ensure storage/storage.conf mountopt \"nodev,metacopy=on\" - -ensure common/pkg/config/containers.conf runtime \"crun\" -ensure common/pkg/config/containers.conf log_driver \"journald\" - -FEDORA=$(rpm --eval '%{?fedora}') -RHEL=$(rpm --eval '%{?rhel}') - -# Set search registries -if [[ -n "$FEDORA" ]]; then - ensure image/registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"docker.io\"] -else - ensure image/registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"] -fi - -# Set these on all Fedora and RHEL 10+ -if [[ -n "$FEDORA" ]] || [[ "$RHEL" -ge 10 ]]; then - sed -i -e '/^additionalimagestores\ =\ \[/a "\/usr\/lib\/containers\/storage",' storage/storage.conf -fi