summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-12-31 07:35:39 +0100
committerGitHub <noreply@github.com>2022-12-31 07:35:39 +0100
commitede589d61889ecafc767a9aa52da5327012867e5 (patch)
tree05939302892e1310c1b0855601369132618cce3c /data/templates
parent1b5bb6cb9424c09e09bbeec8314ccf4e9c83bd98 (diff)
parent0c8b53e6f7a94e914a7815328bbd16c0b3943d40 (diff)
downloadvyos-1x-ede589d61889ecafc767a9aa52da5327012867e5.tar.gz
vyos-1x-ede589d61889ecafc767a9aa52da5327012867e5.zip
Merge pull request #1731 from c-po/t578-container-backport
container: T578: backport podman from 1.4 development branch (equuleus)
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/container/registries.conf.j227
-rw-r--r--data/templates/container/storage.conf.j24
-rw-r--r--data/templates/container/systemd-unit.j217
3 files changed, 48 insertions, 0 deletions
diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2
new file mode 100644
index 000000000..c583e0ad5
--- /dev/null
+++ b/data/templates/container/registries.conf.j2
@@ -0,0 +1,27 @@
+### Autogenerated by container.py ###
+
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# An array of host[:port] registries to try when pulling an unqualified image, in order.
+# unqualified-search-registries = ["example.com"]
+
+{% if registry is defined and registry is not none %}
+unqualified-search-registries = {{ registry }}
+{% endif %}
diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2
new file mode 100644
index 000000000..39a072c70
--- /dev/null
+++ b/data/templates/container/storage.conf.j2
@@ -0,0 +1,4 @@
+### Autogenerated by container.py ###
+[storage]
+ driver = "overlay2"
+ graphroot = "/usr/lib/live/mount/persistence/container/storage"
diff --git a/data/templates/container/systemd-unit.j2 b/data/templates/container/systemd-unit.j2
new file mode 100644
index 000000000..fa48384ab
--- /dev/null
+++ b/data/templates/container/systemd-unit.j2
@@ -0,0 +1,17 @@
+### Autogenerated by container.py ###
+[Unit]
+Description=VyOS Container {{ name }}
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
+ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.cid
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/%n.pid --cidfile %t/%n.cid --cgroups=no-conmon \
+ {{ run_args }}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid
+ExecStopPost=/bin/rm -f %t/%n.cid
+PIDFile=%t/%n.pid
+KillMode=none
+Type=forking