From e6af32344b1647f59543cbc659704bb9ef08be5f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 1 May 2022 18:43:47 +0200 Subject: container: T4353: fix Jinja2 linting errors --- data/templates/container/registries.conf.j2 | 27 +++++++++++++++++++++++++++ data/templates/container/storage.conf.j2 | 5 +++++ data/templates/containers/registries.conf.j2 | 27 --------------------------- data/templates/containers/storage.conf.j2 | 5 ----- 4 files changed, 32 insertions(+), 32 deletions(-) create mode 100644 data/templates/container/registries.conf.j2 create mode 100644 data/templates/container/storage.conf.j2 delete mode 100644 data/templates/containers/registries.conf.j2 delete mode 100644 data/templates/containers/storage.conf.j2 (limited to 'data/templates') diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2 new file mode 100644 index 000000000..4057bb452 --- /dev/null +++ b/data/templates/container/registries.conf.j2 @@ -0,0 +1,27 @@ +### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ### + +# For more information on this configuration file, see containers-registries.conf(5). +# +# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. +# +# An array of host[:port] registries to try when pulling an unqualified image, in order. +# unqualified-search-registries = ["example.com"] + +{% if registry is vyos_defined %} +unqualified-search-registries = {{ registry }} +{% endif %} diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2 new file mode 100644 index 000000000..3a69b7252 --- /dev/null +++ b/data/templates/container/storage.conf.j2 @@ -0,0 +1,5 @@ +### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ### + +[storage] + driver = "vfs" + graphroot = "/config/containers/storage" diff --git a/data/templates/containers/registries.conf.j2 b/data/templates/containers/registries.conf.j2 deleted file mode 100644 index 4057bb452..000000000 --- a/data/templates/containers/registries.conf.j2 +++ /dev/null @@ -1,27 +0,0 @@ -### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ### - -# For more information on this configuration file, see containers-registries.conf(5). -# -# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES -# We recommend always using fully qualified image names including the registry -# server (full dns name), namespace, image name, and tag -# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., -# quay.io/repository/name@digest) further eliminates the ambiguity of tags. -# When using short names, there is always an inherent risk that the image being -# pulled could be spoofed. For example, a user wants to pull an image named -# `foobar` from a registry and expects it to come from myregistry.com. If -# myregistry.com is not first in the search list, an attacker could place a -# different `foobar` image at a registry earlier in the search list. The user -# would accidentally pull and run the attacker's image and code rather than the -# intended content. We recommend only adding registries which are completely -# trusted (i.e., registries which don't allow unknown or anonymous users to -# create accounts with arbitrary names). This will prevent an image from being -# spoofed, squatted or otherwise made insecure. If it is necessary to use one -# of these registries, it should be added at the end of the list. -# -# An array of host[:port] registries to try when pulling an unqualified image, in order. -# unqualified-search-registries = ["example.com"] - -{% if registry is vyos_defined %} -unqualified-search-registries = {{ registry }} -{% endif %} diff --git a/data/templates/containers/storage.conf.j2 b/data/templates/containers/storage.conf.j2 deleted file mode 100644 index 3a69b7252..000000000 --- a/data/templates/containers/storage.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ### - -[storage] - driver = "vfs" - graphroot = "/config/containers/storage" -- cgit v1.2.3