From d8873f19257aed10771f3060b500bddc3cf2556d Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Mon, 27 Apr 2026 20:21:19 +0200
Subject: [PATCH 1/3] rpm: update config files for drop ins and move to /usr

Ship the fedora overwrites as proper drop ins. This allows us to remove the fragile script to patch the files but also makes it much clearer that we can ship the real upstream default as main file and then only have small drop in files for the distro customization. Also move remaining files from /etc to /usr as the code should now search there and this better to not conflict with admin level overwrites.

Signed-off-by: Paul Holzinger
---
 common/rpm/00-containers.conf | 5 ++
 common/rpm/00-fedora-registries.conf | 5 ++
 common/rpm/00-rhel-registries.conf | 5 ++
 common/rpm/00-storage-additional-store.conf | 2 +
 common/rpm/00-storage.conf | 6 ++
 common/rpm/containers-common.spec | 68 +++++++++++++++------
 common/rpm/update-config-files.sh | 49 ---------------
 7 files changed, 74 insertions(+), 66 deletions(-)
 create mode 100644 common/rpm/00-containers.conf
 create mode 100644 common/rpm/00-fedora-registries.conf
 create mode 100644 common/rpm/00-rhel-registries.conf
 create mode 100644 common/rpm/00-storage-additional-store.conf
 create mode 100644 common/rpm/00-storage.conf
 delete mode 100755 common/rpm/update-config-files.sh
diff --git a/common/rpm/00-containers.conf b/common/rpm/00-containers.conf
new file mode 100644
index 0000000000..012c200bce
--- /dev/null
+++ b/common/rpm/00-containers.conf
@@ -0,0 +1,5 @@
+[containers]
+log_driver = "journald"
+
+[engine]
+runtime = "crun"
diff --git a/common/rpm/00-fedora-registries.conf b/common/rpm/00-fedora-registries.conf
new file mode 100644
index 0000000000..9c7bb1a8ea
--- /dev/null
+++ b/common/rpm/00-fedora-registries.conf
@@ -0,0 +1,5 @@
+# Default search registries for fedora
+unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
+
+# Enforcing mode for short names is default for Fedora 34 and newer
+short-name-mode="enforcing"
diff --git a/common/rpm/00-rhel-registries.conf b/common/rpm/00-rhel-registries.conf
new file mode 100644
index 0000000000..2ed52cff1c
--- /dev/null
+++ b/common/rpm/00-rhel-registries.conf
@@ -0,0 +1,5 @@
+# Default search registries for RHEL
+unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
+
+# Enforcing mode for short names is default for Fedora 34 and newer
+short-name-mode="enforcing"
diff --git a/common/rpm/00-storage-additional-store.conf b/common/rpm/00-storage-additional-store.conf
new file mode 100644
index 0000000000..8bb671127b
--- /dev/null
+++ b/common/rpm/00-storage-additional-store.conf
@@ -0,0 +1,2 @@
+[storage.options]
+additionalimagestores = ["/usr/lib/containers/storage"]
diff --git a/common/rpm/00-storage.conf b/common/rpm/00-storage.conf
new file mode 100644
index 0000000000..2574bcd794
--- /dev/null
+++ b/common/rpm/00-storage.conf
@@ -0,0 +1,6 @@
+[storage]
+driver = "overlay"
+
+[storage.options.overlay]
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev,metacopy=on"
diff --git a/common/rpm/containers-common.spec b/common/rpm/containers-common.spec
index d478ab7dee..53a2d40697 100644
--- a/common/rpm/containers-common.spec
+++ b/common/rpm/containers-common.spec
@@ -84,10 +84,6 @@ not required by Skopeo.
 %prep
 %autosetup -Sgit -n %{repo}-common-v%{version}
-# Fine-grain distro- and release-specific tuning of config files,
-# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
-bash common/rpm/update-config-files.sh
-
 %build
 mkdir -p man5
 for i in common/docs/*.5.md image/docs/*.5.md storage/docs/*.5.md; do
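Review bot: The comment above `short-name-mode` in 00-rhel-registries.conf is copied from the Fedora drop-in and states that the mode is the default for Fedora 34 and newer, which is misleading in a file the spec installs only on the non-Fedora branch. Replace it with a comment that describes what the key controls rather than a Fedora default, e.g. `# Short-name resolution mode for unqualified image names`. The same line also drops the spaces around `=` that the `unqualified-search-registries` line above it uses; `short-name-mode = "enforcing"` keeps both drop-ins consistent.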
@@ -96,7 +92,7 @@ done
 %install
 # install config and policy files for registries
-install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,networks,systemd}
+install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,networks,systemd,registries.conf.d,registries.d}
 install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
 install -dp %{buildroot}%{_datadir}/containers/systemd
 install -dp %{buildroot}%{_prefix}/lib/containers/storage
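Review bot: The `install -dp` line now creates `registries.conf.d` and `registries.d` under `%{_sysconfdir}/containers` as empty admin drop-in directories, but nothing installs into them any more, so they reach the package only if %files owns them with `%dir`. The %files hunk further down shows `%dir %{_sysconfdir}/containers/certs.d` but neither of these two, and the rest of that list is outside the visible hunks. If they are not listed, add `%dir %{_sysconfdir}/containers/registries.conf.d` and `%dir %{_sysconfdir}/containers/registries.d` so the override directories exist with package ownership on a fresh install.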
@@ -105,20 +101,32 @@ touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
 install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
 touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
-install -Dp -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
-install -Dp -m0644 image/default.yaml %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
-install -Dp -m0644 image/default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
-install -Dp -m0644 image/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
+install -Dp -m0644 %{SOURCE1} %{buildroot}%{_datadir}/containers/registries.conf.d/000-shortnames.conf
+install -Dp -m0644 image/default.yaml %{buildroot}%{_datadir}/containers/registries.d/default.yaml
+install -Dp -m0644 image/default-policy.json %{buildroot}%{_datadir}/containers/policy.json
+install -Dp -m0644 image/registries.conf %{buildroot}%{_datadir}/containers/registries.conf
 install -Dp -m0644 storage/storage.conf %{buildroot}%{_datadir}/containers/storage.conf
+# install custom vendor overwrites
+install -Dp -m0644 common/rpm/00-containers.conf %{buildroot}%{_datadir}/containers/containers.conf.d/00-vendor.conf
+install -Dp -m0644 common/rpm/00-storage.conf %{buildroot}%{_datadir}/containers/storage.conf.d/00-vendor.conf
+install -Dp -m0644 common/rpm/00-storage-additional-store.conf %{buildroot}%{_datadir}/containers/storage.rootful.conf.d/00-vendor-additional-store.conf
+
+%if %{defined fedora}
+install -Dp -m0644 common/rpm/00-fedora-registries.conf %{buildroot}%{_datadir}/containers/registries.conf.d/00-vendor.conf
+%else
+install -Dp -m0644 common/rpm/00-rhel-registries.conf %{buildroot}%{_datadir}/containers/registries.conf.d/00-vendor.conf
+%endif
+
+
 # RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on
 # fedora and centos
 %if %{defined fedora} || %{defined centos}
 install -Dp -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %endif
-install -Dp -m0644 common/contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
-install -Dp -m0644 common/contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
+install -Dp -m0644 common/contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_datadir}/containers/registries.d
+install -Dp -m0644 common/contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_datadir}/containers/registries.d
 # install manpages
 for i in man5/*.5; do
@@ -141,6 +149,22 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 # Placeholder check to silence rpmlint warnings
 %check
+%posttrans
+ # Restore user-modified config files from .rpmsave
+ for file in \
+ policy.json \
+ registries.conf \
+ registries.conf.d/000-shortnames.conf \
+ registries.d/default.yaml \
+ registries.d/registry.redhat.io.yaml \
+ registries.d/registry.access.redhat.com.yaml
+ do
+ file="%{_sysconfdir}/containers/${file}"
+ if [ -f "${file}.rpmsave" ]; then
+ mv "${file}.rpmsave" "${file}"
+ fi
+ done
+
 %files
 %dir %{_sysconfdir}/containers
 %dir %{_sysconfdir}/containers/certs.d
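Review bot: The `00-storage-additional-store.conf` drop-in is installed unconditionally into `storage.rootful.conf.d`, whereas the script this series deletes only added `/usr/lib/containers/storage` to `additionalimagestores` on Fedora or RHEL 10 and newer (`if [[ -n "$FEDORA" ]] || [[ "$RHEL" -ge 10 ]]`). On older RHEL builds this therefore configures a read-only additional image store that previous packages did not, and the commit message does not mention the wider scope. If that is intentional it deserves a comment next to the install line; otherwise wrap it in `%if %{defined fedora} || 0%{?rhel} >= 10` and guard the matching `%files` entry for `storage.rootful.conf.d/00-vendor-additional-store.conf` the same way.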
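Review bot: The `%posttrans` loop moves every `.rpmsave` it finds back over `%{_sysconfdir}/containers/<file>` without checking whether something already exists at the destination, so on any later upgrade a leftover `.rpmsave` silently replaces a `policy.json` or `registries.conf` the admin has since written; since `policy.json` decides signature verification, that is a quiet policy change. Guard the move with `if [ -f "${file}.rpmsave" ] && [ ! -e "${file}" ]; then` so only a missing file is restored. A one-line comment above the loop noting that rpm only leaves an `.rpmsave` behind for locally modified `%config(noreplace)` files the new package no longer owns would also explain why the restore is appropriate here.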
@@ -157,15 +181,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %{_prefix}/lib/containers/storage/overlay-images/images.lock
 %{_prefix}/lib/containers/storage/overlay-layers/layers.lock
-%config(noreplace) %{_sysconfdir}/containers/policy.json
-%config(noreplace) %{_sysconfdir}/containers/registries.conf
-%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
+
 %if 0%{?fedora} || 0%{?centos}
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %endif
-%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
-%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
-%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
 %ghost %{_sysconfdir}/containers/storage.conf
 %ghost %{_sysconfdir}/containers/containers.conf
 %dir %{_sharedstatedir}/containers/sigstore
@@ -179,6 +198,21 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %{_datadir}/containers/containers.conf
 %{_datadir}/containers/mounts.conf
 %{_datadir}/containers/seccomp.json
+%{_datadir}/containers/policy.json
+%{_datadir}/containers/registries.conf
+%dir %{_datadir}/containers/registries.conf.d
+%{_datadir}/containers/registries.conf.d/000-shortnames.conf
+%{_datadir}/containers/registries.conf.d/00-vendor.conf
+%dir %{_datadir}/containers/registries.d
+%{_datadir}/containers/registries.d/default.yaml
+%{_datadir}/containers/registries.d/registry.redhat.io.yaml
+%{_datadir}/containers/registries.d/registry.access.redhat.com.yaml
+%dir %{_datadir}/containers/containers.conf.d
+%{_datadir}/containers/containers.conf.d/00-vendor.conf
+%dir %{_datadir}/containers/storage.conf.d
+%{_datadir}/containers/storage.conf.d/00-vendor.conf
+%dir %{_datadir}/containers/storage.rootful.conf.d
+%{_datadir}/containers/storage.rootful.conf.d/00-vendor-additional-store.conf
 %dir %{_datadir}/rhel
 %dir %{_datadir}/rhel/secrets
 %{_datadir}/rhel/secrets/*
diff --git a/common/rpm/update-config-files.sh b/common/rpm/update-config-files.sh
deleted file mode 100755
index f2dfd5794e..0000000000
--- a/common/rpm/update-config-files.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env bash
-# This script delivers current documentation/configs and assures it has the intended
-# settings for a particular branch/release.
-
-set -exo pipefail
-
-ensure() {
- if [[ ! -f "$1" ]]; then
- echo "File not found:" "$1"
- exit 1
- fi
- if grep "^$2[[:blank:]].*=" "$1" > /dev/null
- then
- sed -i "s;^$2[[:blank:]]=.*;$2 = $3;" "$1"
- else
- if grep "^\#.*$2[[:blank:]].*=" "$1" > /dev/null
- then
- sed -i "/^#.*$2[[:blank:]].*=/a \
-$2 = $3" "$1"
- else
- echo "$2 = $3" >> "$1"
- fi
- fi
-}
-
-# Common options enabled across all fedora, centos, rhel
-# TBD: Can these be enabled by default upstream?
-ensure image/registries.conf short-name-mode \"enforcing\"
-
-ensure storage/storage.conf driver \"overlay\"
-ensure storage/storage.conf mountopt \"nodev,metacopy=on\"
-
-ensure common/pkg/config/containers.conf runtime \"crun\"
-ensure common/pkg/config/containers.conf log_driver \"journald\"
-
-FEDORA=$(rpm --eval '%{?fedora}')
-RHEL=$(rpm --eval '%{?rhel}')
-
-# Set search registries
-if [[ -n "$FEDORA" ]]; then
- ensure image/registries.conf unqualified-search-registries [\"registry.fedoraproject.org\",\ \"registry.access.redhat.com\",\ \"docker.io\"]
-else
- ensure image/registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
-fi
-
-# Set these on all Fedora and RHEL 10+
-if [[ -n "$FEDORA" ]] || [[ "$RHEL" -ge 10 ]]; then
- sed -i -e '/^additionalimagestores\ =\ \[/a "\/usr\/lib\/containers\/storage",' storage/storage.conf
-fi
From 74aaa600a256f7604e204f45a55154051dc6cfe7 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Wed, 29 Apr 2026 16:21:51 +0200
Subject: [PATCH 2/3] rpm: add conflicts for old podman/buildah/skopeo

In order to avoid someone installing the new config files that the old tools cannot read.

Signed-off-by: Paul Holzinger
---
 common/rpm/containers-common.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/rpm/containers-common.spec b/common/rpm/containers-common.spec
index 53a2d40697..44dab8a7b1 100644
--- a/common/rpm/containers-common.spec
+++ b/common/rpm/containers-common.spec
@@ -42,6 +42,11 @@ Requires: (fuse-overlayfs if fedora-release-identity-server)
 %else
 Suggests: fuse-overlayfs
 %endif
+# Conflict versions using the old config file loading to avoid mismatch between code and configs.
+Conflicts: podman < 5:6
+Conflicts: buildah < 2:1.44
+Conflicts: skopeo < 1:1.23
+
 URL: https://github.com/%{project}/%{repo}
 Source0: %{url}/archive/refs/tags/common/v%{version}.tar.gz
 Source1: https://raw.githubusercontent.com/containers/shortnames/refs/heads/main/shortnames.conf
@@ -65,7 +70,6 @@ Requires: container-network-stack
 Requires: oci-runtime
 Requires: passt
 %if %{defined fedora}
-Conflicts: podman < 5:5.0.0~rc4-1
 Recommends: composefs
 Recommends: crun
 Requires: (crun if fedora-release-identity-server)
From ec2b76a1140f31894ffbe9ce5ce6e2c7eda9d528 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Wed, 29 Apr 2026 16:23:54 +0200
Subject: [PATCH 3/3] rpm: require netavark v2

The new network code uses a different json format that only netavark v2 can understand so ensure we require that.

Signed-off-by: Paul Holzinger
---
 common/rpm/containers-common.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/rpm/containers-common.spec b/common/rpm/containers-common.spec
index 44dab8a7b1..a3010484f1 100644
--- a/common/rpm/containers-common.spec
+++ b/common/rpm/containers-common.spec
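Review bot: The three new `Conflicts:` lines are placed outside any distro conditional, while the `Conflicts: podman < 5:5.0.0~rc4-1` line removed in the second hunk of this file lived inside the `%if %{defined fedora}` block. The epochs `5:`, `2:` and `1:` are a property of each distribution's package, and the page gives no evidence they match on RHEL or CentOS; on a build where the tool carries a lower epoch the comparison would conflict with every shipped version of it. Either verify the epochs on each target and record that in the comment, or keep the lines inside the Fedora conditional as the old one was.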
@@ -73,7 +73,7 @@ Requires: passt
 Recommends: composefs
 Recommends: crun
 Requires: (crun if fedora-release-identity-server)
-Requires: netavark >= %{netavark_epoch}:1.10.3-1
+Requires: netavark >= %{netavark_epoch}:2
 Suggests: slirp4netns
 Recommends: qemu-user-static
 Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
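Review bot: `Requires: netavark >= %{netavark_epoch}:2` sits in the same run of tags as `Recommends: composefs` and `Requires: (crun if fedora-release-identity-server)`, which the previous patch shows directly under `%if %{defined fedora}`, so the version floor appears to apply to Fedora builds only (the closing `%endif` is outside the hunk). The commit message says only netavark v2 understands the new network JSON format, yet non-Fedora builds keep just the generic `Requires: container-network-stack` and can still pair this package with an older netavark. If that is not intended, add the same floor outside the conditional with a comment such as `# the network config json format requires netavark v2`.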