5 changes: 5 additions & 0 deletions common/rpm/00-containers.conf
@@ -0,0 +1,5 @@
[containers]
log_driver = "journald"

[engine]
runtime = "crun"
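Review bot: `runtime = "crun"` under `[engine]` pins the runtime by name, but the spec in this PR only has `Requires: oci-runtime` unconditionally and brings crun in through `Recommends: crun` (a hard `Requires` only with fedora-release-identity-server). Where another package satisfies `oci-runtime`, the pinned name and the installed runtime can disagree. Either tighten the dependency or add a comment here stating that crun is expected to be present.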
5 changes: 5 additions & 0 deletions common/rpm/00-fedora-registries.conf
@@ -0,0 +1,5 @@
# Default search registries for fedora
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]

# Enforcing mode for short names is default for Fedora 34 and newer
short-name-mode="enforcing"
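Review bot: style point on the last line, `short-name-mode="enforcing"` has no spaces around `=` while `unqualified-search-registries = [...]` two lines up does; pick one form for the vendor drop-ins. Since the list includes three registries, a short comment on why `docker.io` is kept as a search registry would also help whoever audits this file later.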
5 changes: 5 additions & 0 deletions common/rpm/00-rhel-registries.conf
@@ -0,0 +1,5 @@
# Default search registries for RHEL
unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]

# Enforcing mode for short names is default for Fedora 34 and newer
Contributor

Is this still relevant as this is RHEL registries?

Member Author

I think I should just drop the comment I guess

short-name-mode="enforcing"
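Review bot: the comment above `short-name-mode="enforcing"` names Fedora 34 in the RHEL file, as already raised in the thread, and the header has a related scope problem. The spec installs this file from the `%else` branch of `%if %{defined fedora}`, so it lands on every non-Fedora build, while the header reads "Default search registries for RHEL". Drop or reword the Fedora comment and make the header match where the file is actually shipped.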
2 changes: 2 additions & 0 deletions common/rpm/00-storage-additional-store.conf
@@ -0,0 +1,2 @@
[storage.options]
additionalimagestores = ["/usr/lib/containers/storage"]
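Review bot: `additionalimagestores` hard-codes `/usr/lib/containers/storage`, while the spec creates that directory as `%{_prefix}/lib/containers/storage`; the two agree only as long as `%{_prefix}` is `/usr`. The file also carries no comment, although the spec installs it under `storage.rootful.conf.d`. Add a line stating that the store is rootful-only and is the directory the package itself creates.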
6 changes: 6 additions & 0 deletions common/rpm/00-storage.conf
@@ -0,0 +1,6 @@
[storage]
driver = "overlay"

[storage.options.overlay]
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"
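Review bot: the comment above `mountopt` explains the key's syntax but not why `nodev,metacopy=on` is the vendor default. The spec installs this file as `storage.conf.d/00-vendor.conf`, next to a separate `storage.rootful.conf.d`, so it is worth stating whether these overlay options are meant to apply outside the rootful case as well, and moving them to the rootful drop-in if not.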
76 changes: 57 additions & 19 deletions common/rpm/containers-common.spec
Expand Up @@ -42,6 +42,11 @@ Requires: (fuse-overlayfs if fedora-release-identity-server)
%else
Suggests: fuse-overlayfs
%endif
# Conflict versions using the old config file loading to avoid mismatch between code and configs.
Conflicts: podman < 5:6
Conflicts: buildah < 2:1.44
Conflicts: skopeo < 1:1.23
Comment on lines +46 to +48
Member

This works.

PTAL as well @inknos @jankaluza @jnovy .


URL: https://github.com/%{project}/%{repo}
Source0: %{url}/archive/refs/tags/common/v%{version}.tar.gz
Source1: https://raw.githubusercontent.com/containers/shortnames/refs/heads/main/shortnames.conf
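Review bot: the three new `Conflicts:` lines hard-code their epochs (`5:`, `2:`, `1:`), while the netavark dependency in the same spec uses `%{netavark_epoch}`. If an epoch changes in one of those packages the comparison silently stops meaning what the comment says. Consider epoch macros here too, or extend the comment to say the epochs are the current ones for podman, buildah and skopeo.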
Expand All @@ -65,11 +70,10 @@ Requires: container-network-stack
Requires: oci-runtime
Requires: passt
%if %{defined fedora}
Conflicts: podman < 5:5.0.0~rc4-1
Recommends: composefs
Recommends: crun
Requires: (crun if fedora-release-identity-server)
Requires: netavark >= %{netavark_epoch}:1.10.3-1
Requires: netavark >= %{netavark_epoch}:2
Suggests: slirp4netns
Recommends: qemu-user-static
Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
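Review bot: the netavark floor moves from `1.10.3-1` to `2` with no explanation, unlike the `Conflicts:` block earlier, which has a comment. The old `Conflicts: podman < 5:5.0.0~rc4-1` is covered by the new `podman < 5:6`, so dropping it is fine. For netavark, add a one-line comment saying what the new minimum is tied to, and note that the line sits inside `%if %{defined fedora}`, so confirm other targets do not need the same floor.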
Expand All @@ -84,10 +88,6 @@ not required by Skopeo.
%prep
%autosetup -Sgit -n %{repo}-common-v%{version}

# Fine-grain distro- and release-specific tuning of config files,
# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
bash common/rpm/update-config-files.sh

%build
mkdir -p man5
for i in common/docs/*.5.md image/docs/*.5.md storage/docs/*.5.md; do
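Review bot: the removed comment in `%prep` says `update-config-files.sh` handled "seccomp, composefs, registries" tuning, but the drop-ins added in this PR only cover containers.conf, registries and storage settings. Confirm that the seccomp and composefs adjustments are either no longer needed or handled elsewhere, and say so in the commit message so the removal can be audited.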
Expand All @@ -96,7 +96,7 @@ done

%install
# install config and policy files for registries
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,networks,systemd}
install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,networks,systemd,registries.conf.d,registries.d}
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
install -dp %{buildroot}%{_datadir}/containers/systemd
install -dp %{buildroot}%{_prefix}/lib/containers/storage
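Review bot: `registries.conf.d` and `registries.d` are added to the `%{_sysconfdir}/containers` directory list, but every file this PR installs for them goes to `%{_datadir}`, so both are created empty. Check that they have `%dir` entries in `%files`; the `%files` lines visible in this diff add `%dir` only for the `%{_datadir}` counterparts.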
Expand All @@ -105,20 +105,32 @@ touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock

install -Dp -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
install -Dp -m0644 image/default.yaml %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
install -Dp -m0644 image/default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
install -Dp -m0644 image/registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
install -Dp -m0644 %{SOURCE1} %{buildroot}%{_datadir}/containers/registries.conf.d/000-shortnames.conf
install -Dp -m0644 image/default.yaml %{buildroot}%{_datadir}/containers/registries.d/default.yaml
install -Dp -m0644 image/default-policy.json %{buildroot}%{_datadir}/containers/policy.json
install -Dp -m0644 image/registries.conf %{buildroot}%{_datadir}/containers/registries.conf
install -Dp -m0644 storage/storage.conf %{buildroot}%{_datadir}/containers/storage.conf

# install custom vendor overwrites
install -Dp -m0644 common/rpm/00-containers.conf %{buildroot}%{_datadir}/containers/containers.conf.d/00-vendor.conf
install -Dp -m0644 common/rpm/00-storage.conf %{buildroot}%{_datadir}/containers/storage.conf.d/00-vendor.conf
install -Dp -m0644 common/rpm/00-storage-additional-store.conf %{buildroot}%{_datadir}/containers/storage.rootful.conf.d/00-vendor-additional-store.conf
Comment thread
mtrmac marked this conversation as resolved.

%if %{defined fedora}
install -Dp -m0644 common/rpm/00-fedora-registries.conf %{buildroot}%{_datadir}/containers/registries.conf.d/00-vendor.conf
%else
install -Dp -m0644 common/rpm/00-rhel-registries.conf %{buildroot}%{_datadir}/containers/registries.conf.d/00-vendor.conf
%endif


# RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on
# fedora and centos
%if %{defined fedora} || %{defined centos}
install -Dp -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
%endif

install -Dp -m0644 common/contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
install -Dp -m0644 common/contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
install -Dp -m0644 common/contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_datadir}/containers/registries.d
install -Dp -m0644 common/contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_datadir}/containers/registries.d

# install manpages
for i in man5/*.5; do
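Review bot: in the new comment `# install custom vendor overwrites`, "overwrites" should be "overrides"; these drop-ins layer on top of the defaults rather than replace files. In the same block, the `%else` branch installs `00-rhel-registries.conf` for every non-Fedora build, so a short comment naming the targets that branch is meant to cover would help, given that `%{defined centos}` is tested separately a few lines later.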
Expand All @@ -141,6 +153,22 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
# Placeholder check to silence rpmlint warnings
%check

%posttrans
# Restore user-modified config files from .rpmsave
for file in \
policy.json \
registries.conf \
registries.conf.d/000-shortnames.conf \
registries.d/default.yaml \
registries.d/registry.redhat.io.yaml \
registries.d/registry.access.redhat.com.yaml
do
file="%{_sysconfdir}/containers/${file}"
if [ -f "${file}.rpmsave" ]; then
mv "${file}.rpmsave" "${file}"
fi
done

%files
%dir %{_sysconfdir}/containers
%dir %{_sysconfdir}/containers/certs.d
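Review bot: the `%posttrans` loop moves any `${file}.rpmsave` back into place without checking whether `${file}` already exists, and it runs on every transaction of this package, not only the upgrade that performs the migration. A stale `policy.json.rpmsave` left from an earlier upgrade would silently become the active signature policy and overwrite whatever the admin has in `/etc/containers/policy.json`. Guard the move with a check that the target is absent, for example `[ -f "${file}.rpmsave" ] && [ ! -e "${file}" ]`, and consider limiting it to upgrades from versions that still shipped these files in `%{_sysconfdir}`.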
Expand All @@ -157,15 +185,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%{_prefix}/lib/containers/storage/overlay-images/images.lock
%{_prefix}/lib/containers/storage/overlay-layers/layers.lock

%config(noreplace) %{_sysconfdir}/containers/policy.json
%config(noreplace) %{_sysconfdir}/containers/registries.conf
%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf

%if 0%{?fedora} || 0%{?centos}
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
%endif
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
%ghost %{_sysconfdir}/containers/storage.conf
%ghost %{_sysconfdir}/containers/containers.conf
%dir %{_sharedstatedir}/containers/sigstore
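Review bot: with the six `%config(noreplace)` entries removed, the `/etc/containers` files that `%posttrans` restores from `.rpmsave` are no longer owned by any package. The two lines kept here, `%ghost %{_sysconfdir}/containers/storage.conf` and `%ghost %{_sysconfdir}/containers/containers.conf`, show the pattern already used for optional admin files. Consider `%ghost` entries for policy.json, registries.conf and the registries.d files as well, so `rpm -qf` and verification still account for them.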
Expand All @@ -179,6 +202,21 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
%{_datadir}/containers/containers.conf
%{_datadir}/containers/mounts.conf
Member

@danishprakash danishprakash Apr 29, 2026

off-topic: would it be helpful to add drop-in support for mounts? base mounts.conf currently has /usr/share/rhel/secrets:/run/secrets, which, even though it's a no-op for non-rhel distributions (iiuc), fits better as a drop-in, much in line with what this PR implements.

Member Author

That was not in scope for our config file rewrite. I have not seen user complaints about it, so I never considered it.
If you want to file an issue for it, sure, but it won't be in time for 6.0. Adding drop-ins later for this should be safe enough, I guess, as it would not be a breaking change for mounts.conf.

%{_datadir}/containers/seccomp.json
%{_datadir}/containers/policy.json
%{_datadir}/containers/registries.conf
%dir %{_datadir}/containers/registries.conf.d
%{_datadir}/containers/registries.conf.d/000-shortnames.conf
%{_datadir}/containers/registries.conf.d/00-vendor.conf
%dir %{_datadir}/containers/registries.d
%{_datadir}/containers/registries.d/default.yaml
%{_datadir}/containers/registries.d/registry.redhat.io.yaml
%{_datadir}/containers/registries.d/registry.access.redhat.com.yaml
%dir %{_datadir}/containers/containers.conf.d
%{_datadir}/containers/containers.conf.d/00-vendor.conf
%dir %{_datadir}/containers/storage.conf.d
%{_datadir}/containers/storage.conf.d/00-vendor.conf
%dir %{_datadir}/containers/storage.rootful.conf.d
%{_datadir}/containers/storage.rootful.conf.d/00-vendor-additional-store.conf
Comment thread
mtrmac marked this conversation as resolved.
%dir %{_datadir}/rhel
%dir %{_datadir}/rhel/secrets
%{_datadir}/rhel/secrets/*
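Review bot: the added `%files` entries list policy.json, registries.conf and the new drop-in directories under `%{_datadir}/containers`, but not `%{_datadir}/containers/storage.conf`, which `%install` in this PR also installs. If that entry is not already present in the collapsed part of `%files`, the build will stop on an unpackaged file; please confirm it is covered.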
49 changes: 0 additions & 49 deletions common/rpm/update-config-files.sh

This file was deleted.
