diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-12-30 22:23:05 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-12-30 22:28:25 +0100 |
commit | 0c8b53e6f7a94e914a7815328bbd16c0b3943d40 (patch) | |
tree | eba692b6f044b54db55fa079f3460b4ed920a38b /data/templates/container | |
parent | 4bab998b4e7fe6eca57a3fe9ffba2d2be8f123b2 (diff) | |
download | vyos-1x-0c8b53e6f7a94e914a7815328bbd16c0b3943d40.tar.gz vyos-1x-0c8b53e6f7a94e914a7815328bbd16c0b3943d40.zip |
container: T578: backport podman from 1.4 development branch
Diffstat (limited to 'data/templates/container')
-rw-r--r-- | data/templates/container/registries.conf.j2 | 27 | ||||
-rw-r--r-- | data/templates/container/storage.conf.j2 | 4 | ||||
-rw-r--r-- | data/templates/container/systemd-unit.j2 | 17 |
3 files changed, 48 insertions, 0 deletions
diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2 new file mode 100644 index 000000000..c583e0ad5 --- /dev/null +++ b/data/templates/container/registries.conf.j2 @@ -0,0 +1,27 @@ +### Autogenerated by container.py ### + +# For more information on this configuration file, see containers-registries.conf(5). +# +# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. +# +# An array of host[:port] registries to try when pulling an unqualified image, in order. +# unqualified-search-registries = ["example.com"] + +{% if registry is defined and registry is not none %} +unqualified-search-registries = {{ registry }} +{% endif %} diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2 new file mode 100644 index 000000000..39a072c70 --- /dev/null +++ b/data/templates/container/storage.conf.j2 @@ -0,0 +1,4 @@ +### Autogenerated by container.py ### +[storage] + driver = "overlay2" + graphroot = "/usr/lib/live/mount/persistence/container/storage" diff --git a/data/templates/container/systemd-unit.j2 b/data/templates/container/systemd-unit.j2 new file mode 100644 index 000000000..fa48384ab --- /dev/null +++ b/data/templates/container/systemd-unit.j2 @@ -0,0 +1,17 @@ +### Autogenerated by container.py ### +[Unit] +Description=VyOS Container {{ name }} + +[Service] +Environment=PODMAN_SYSTEMD_UNIT=%n +Restart=on-failure +ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.cid +ExecStart=/usr/bin/podman run \ + --conmon-pidfile %t/%n.pid --cidfile %t/%n.cid --cgroups=no-conmon \ + {{ run_args }} +ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5 +ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid +ExecStopPost=/bin/rm -f %t/%n.cid +PIDFile=%t/%n.pid +KillMode=none +Type=forking |