

RPM: Update config file patching
This commit switches to real patch files applied during the rpmbuild process, so that the build fails if a patch does not apply.

Signed-off-by: Lokesh Mandvekar <[email protected]>
lsm5 committed Sep 4, 2024
1 parent 46d7cf9 commit e2b08d4
Showing 9 changed files with 122 additions and 6 deletions.
2 changes: 1 addition & 1 deletion pkg/config/containers.conf
Expand Up @@ -439,7 +439,7 @@ default_sysctls = [
# docker-archive formats. It is also ignored when the manifest format is set
# to v2s2.
#
#compression_format = "gzip"
compression_format = "zstd:chunked"

# The compression level to use when pushing an image.
# Valid options depend on the compression format used.
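Review bot: The in-tree `compression_format = "zstd:chunked"` on the new line looks like an accidental commit of the working copy used to generate `rpm/containers-conf-zstd-chunked.patch`, which carries this identical hunk against the same base (`index c00efecb..`). With the change already present in `pkg/config/containers.conf`, Patch1 has nothing left to apply on Fedora 41+/RHEL 10+ and `%autopatch` should reject it as already applied, which is exactly the failure the commit sets out to surface. It also silently flips the upstream default for every non-RPM consumer of this file, while the comment block above still describes a commented-out default. Presumably the intended line is the original `#compression_format = "gzip"`, leaving the zstd:chunked opt-in to the conditional patch.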
27 changes: 26 additions & 1 deletion rpm/containers-common.spec
Expand Up @@ -27,6 +27,14 @@
%define netavark_epoch 2
%endif

%if (%{defined fedora} && 0%{?fedora} >= 41) || (%{defined rhel} && 0%{?rhel} >= 10)
%define zstd_chunked 1
%endif

%if %{defined fedora} || (%{defined rhel} && 0%{?rhel} >= 10)
%define additionalimagestores 1
%endif

Name: containers-common
%if %{defined copr_build}
Epoch: 102
Expand Down Expand Up @@ -71,6 +79,21 @@ Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
# a copy in repo or dist-git. Depending on distribution-gpg-keys rpm is also
# not an option because that package doesn't exist on CentOS Stream.
Source15: https://access.redhat.com/security/data/fd431d51.txt
Patch0: containers-conf-all.patch
%if %{defined zstd_chunked}
Patch1: containers-conf-zstd-chunked.patch
%endif
%if %{defined fedora}
Patch2: registries-conf-fedora.patch
%endif
%if %{defined rhel}
Patch3: registries-conf-rhel.patch
%endif
Patch4: seccomp-json.patch
Patch5: storage-conf-all.patch
%if %{defined additionalimagestores}
Patch6: storage-conf-additionalimagestores.patch
%endif

%description
This package contains common configuration files and documentation for container
Expand Down Expand Up @@ -126,9 +149,11 @@ cp %{SOURCE10} shortnames.conf
cp %{SOURCE13} registries.conf
cp %{SOURCE14} storage.conf

%autopatch

# Fine-grain distro- and release-specific tuning of config files,
# e.g., seccomp, composefs, registries on different RHEL/Fedora versions
bash rpm/update-config-files.sh
#bash rpm/update-config-files.sh

%build
mkdir -p man5
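Review bot: `%autopatch` on the new line is given no `-p` level, so the strip depth depends on how GNU patch treats the `diff --git a/… b/…` headers in the rpm/*.patch files instead of being pinned by the spec; since the whole point of the change is that a non-applying patch fails the build, spell it out as `%autopatch -p1`, the usual form in Fedora specs. The disabled `#bash rpm/update-config-files.sh` is left as archaeology under a comment that still presents it as the tuning step, while the same commit keeps editing that script; either drop both lines or replace them with `# Distro/release tuning is carried by the Patch0-6 files above; rpm/update-config-files.sh is no longer run.` The conditional `Patch1`/`Patch2`/`Patch3`/`Patch6` tags leave gaps in the numbering, which `%autopatch` tolerates, but a one-line comment above `Patch0` saying the numbering is intentionally sparse would save the next reader a check.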
13 changes: 13 additions & 0 deletions rpm/containers-conf-all.patch
@@ -0,0 +1,13 @@
diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
index c00efecb..a8183ee6 100644
--- a/pkg/config/containers.conf
+++ b/pkg/config/containers.conf
@@ -191,7 +191,7 @@ default_sysctls = [

# Logging driver for the container. Available options: k8s-file and journald.
#
-#log_driver = "k8s-file"
+log_driver = "journald"

# Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If positive, it must be >= 8192 to match or
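Review bot: The new patch file has no description header, so the reason distro builds force `log_driver = "journald"` over the upstream commented default of `k8s-file` is recorded nowhere once the commented script in rpm/update-config-files.sh stops running. git-format patches accept free text above the first `diff --git` line and `%autopatch` ignores it, so each rpm/*.patch can carry its own rationale; a header such as `Default to journald on Fedora/RHEL so container logs land in the system journal and follow its rotation and retention.` would do, adjusted to the real motivation, which the commit does not state. The same applies to the other six patch files added here.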
13 changes: 13 additions & 0 deletions rpm/containers-conf-zstd-chunked.patch
@@ -0,0 +1,13 @@
diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
index c00efecb..cc583281 100644
--- a/pkg/config/containers.conf
+++ b/pkg/config/containers.conf
@@ -439,7 +439,7 @@ default_sysctls = [
# docker-archive formats. It is also ignored when the manifest format is set
# to v2s2.
#
-#compression_format = "gzip"
+compression_format = "zstd:chunked"

# The compression level to use when pushing an image.
# Valid options depend on the compression format used.
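Review bot: This patch's `-` line expects `#compression_format = "gzip"` in `pkg/config/containers.conf`, but the first file in this same commit rewrites that in-tree line to `compression_format = "zstd:chunked"`, so on Fedora 41+/RHEL 10+ Patch1 would be detected as already applied and fail `%autopatch`. Keep the in-tree default commented out and let this patch be the only place zstd:chunked is enabled. A header line such as `Enable zstd:chunked for pushes on Fedora 41+ and RHEL 10+ only (gated by zstd_chunked in containers-common.spec).` would also document why this one is conditional where containers-conf-all.patch is not.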
15 changes: 15 additions & 0 deletions rpm/registries-conf-fedora.patch
@@ -0,0 +1,15 @@
diff --git a/registries.conf b/registries.conf
index d424dc59..3470df34 100644
--- a/registries.conf
+++ b/registries.conf
@@ -18,7 +18,9 @@
# of these registries, it should be added at the end of the list.
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
-# unqualified-search-registries = ["example.com"]
+unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
+
+short-name-mode="enforcing"
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
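Review bot: `short-name-mode="enforcing"` is written without spaces around `=`, unlike the `key = value` form of the line above and the rest of registries.conf, and both live lines are dropped into the middle of a commented example block, so the `#` lines that follow now read as if they documented the active settings. Write it as `short-name-mode = "enforcing"` with its own comment, e.g. `# Short names resolve only through the list above; ambiguous short names are resolved interactively and rejected in non-interactive use (see containers-registries.conf(5)).` — confirm the exact semantics against the man page before quoting them. That comment is also the place to say this mode is what keeps `docker.io` at the end of the unqualified search list from being a silent typosquatting path for a mistyped short name.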
15 changes: 15 additions & 0 deletions rpm/registries-conf-rhel.patch
@@ -0,0 +1,15 @@
diff --git a/registries.conf b/registries.conf
index d424dc59..88327606 100644
--- a/registries.conf
+++ b/registries.conf
@@ -18,7 +18,9 @@
# of these registries, it should be added at the end of the list.
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
-# unqualified-search-registries = ["example.com"]
+unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]
+
+short-name-mode="enforcing"
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
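Review bot: The RHEL variant has the same formatting slip as the Fedora one: `short-name-mode="enforcing"` lacks the file's `key = value` spacing and, together with the registry list, is inserted inside a commented example so the trailing `#` lines appear to describe live settings; write `short-name-mode = "enforcing"` and give it a comment of its own. Since the two distro patches differ only in the `unqualified-search-registries` value, the shared `short-name-mode` line could live in one common patch so that a future change to the mode cannot drift between Fedora and RHEL. The mixed `registry.access.redhat.com` / `registry.redhat.io` / `docker.io` list is existing policy and not questioned here.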
19 changes: 19 additions & 0 deletions rpm/seccomp-json.patch
@@ -0,0 +1,19 @@
diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
index 7a82be5d..ffc2ba63 100644
--- a/pkg/seccomp/seccomp.json
+++ b/pkg/seccomp/seccomp.json
@@ -417,6 +417,7 @@
"signalfd4",
"sigprocmask",
"sigreturn",
+ "socket",
"socketcall",
"socketpair",
"splice",
@@ -1127,4 +1128,4 @@
"excludes": {}
}
]
-}
\ No newline at end of file
+}
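Review bot: The added `"socket"` goes into the profile's unconditional allow list with nothing recording why; if the upstream profile constrains `socket` elsewhere by argument (the hunk does not show the rest of seccomp.json), a bare entry in the base list widens the default policy for every container on Fedora/RHEL, and a reviewer cannot tell from this patch whether that is intended. JSON has no comment syntax, so put the rationale in the patch header above `diff --git` — which workload or libseccomp/kernel behaviour needs the unconditional entry — and, if the intent is narrower, use an argument-filtered rule rather than the base list. The second hunk only adds the missing trailing newline and is fine.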
13 changes: 13 additions & 0 deletions rpm/storage-conf-all.patch
@@ -0,0 +1,13 @@
diff --git a/storage.conf b/storage.conf
index 7ac8fdf8f..71a614b98 100644
--- a/storage.conf
+++ b/storage.conf
@@ -112,7 +112,7 @@ additionalimagestores = [
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
-mountopt = "nodev"
+mountopt = "nodev,metacopy=on"

# Set to skip a PRIVATE bind mount on the storage home directory.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
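Review bot: `mountopt = "nodev,metacopy=on"` is applied for every distro by an unconditional patch with no recorded rationale. `metacopy=on` makes overlayfs honour REDIRECT/METACOPY xattrs found in lower layers, and the kernel's overlayfs documentation warns against enabling it over layers an attacker could have crafted; that is presumably acceptable here because the layer store is populated only by containers/storage, but both the assumption and the benefit (metadata-only copy-up on chmod/chown) deserve a line in the patch header. I believe the kernel also disables metacopy when `userxattr` is in use, so the option is likely a no-op for rootless native overlay — worth confirming and noting so nobody expects it there.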
11 changes: 7 additions & 4 deletions rpm/update-config-files.sh
Expand Up @@ -54,11 +54,14 @@ if [[ -n "$FEDORA" ]] || [[ "$RHEL" -ge 10 ]]; then
sed -i -e '/^additionalimagestores\ =\ \[/a "\/usr\/lib\/containers\/storage",' storage.conf
fi

# Set these on Fedora Rawhide (41+) and RHEL 10+
# Set these on Fedora 41+ and RHEL 10+
# regardless of distro
if [[ "$FEDORA" -gt 40 ]] || [[ "$RHEL" -ge 10 ]]; then
ensure pkg/config/containers.conf compression_format \"zstd:chunked\"
ensure storage.conf pull_options \{enable_partial_images\ =\ \"true\",\ use_hard_links\ =\ \"false\",\ ostree_repos=\"\",\ convert_images\ =\ \"false\"\}
ensure pkg/config/containers.conf compression_format \"zstd:chunked\"
ensure storage.conf enable_partial_images \"true\"
ensure storage.conf ostree_repos \"\"
ensure storage.conf use_hard_links \"false\"
ensure storage.conf convert_images \"false\"
# Leave composefs disabled
ensure storage.conf use_composefs \"false\"
ensure storage.conf use_composefs \"false\"
fi
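Review bot: This script is still being edited here while the same commit stops invoking it from containers-common.spec (`#bash rpm/update-config-files.sh`), so the new `ensure` calls are dead for RPM builds. If the file stays as a reference, add a header comment stating that it is no longer run by the spec and that the rpm/*.patch files are authoritative; otherwise delete it rather than maintain two diverging sources of the distro tuning. Separately, the original `pull_options = {…}` inline table is split into standalone `enable_partial_images`/`use_hard_links`/`ostree_repos`/`convert_images` calls; whether `ensure` emits those as top-level keys (which storage.conf would not recognise) or into the `pull_options` table depends on the `ensure` definition, which is above this hunk — verify the resulting storage.conf parses as intended. The hunk starts inside an earlier `if` block whose opening is outside the view.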
