3 files changed, 238 insertions, 0 deletions
diff --git a/recipes-containers/container-host-config/container-host-config.bb b/recipes-containers/container-host-config/container-host-config.bb
new file mode 100644
index 00000000..c762dea7
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config.bb
@@ -0,0 +1,18 @@
+HOMEPAGE = "https://git.yoctoproject.org/meta-virtualization"
+SUMMARY =  "Configuration Package for container hosts"
+DESCRIPTION = "Common / centralized configuration files for container hosts"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+SRC_URI = " \
+    file://storage.conf \
+    file://registries.conf \
+"
+do_install() {
+        install -d ${D}/${sysconfdir}/containers
+        install ${WORKDIR}/storage.conf ${D}/${sysconfdir}/containers/storage.conf
+        install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
+}
diff --git a/recipes-containers/container-host-config/container-host-config/registries.conf b/recipes-containers/container-host-config/container-host-config/registries.conf
new file mode 100644
index 00000000..ba6c3f6e
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config/registries.conf
@@ -0,0 +1,25 @@
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to TOML format and does not support recursive
+# lists of registries.
+# The default location for this configuration file is /etc/containers/registries.conf.
+# The only valid categories are: 'registries.search', 'registries.insecure', 
+# and 'registries.block'.
+[registries.search]
+registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[registries.insecure]
+registries = []
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#
+# Docker only
+[registries.block]
+registries = []
diff --git a/recipes-containers/container-host-config/container-host-config/storage.conf b/recipes-containers/container-host-config/container-host-config/storage.conf
new file mode 100644
index 00000000..722750c0
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config/storage.conf
@@ -0,0 +1,195 @@
+# This file is is the configuration file for all tools
+# that use the containers/storage library.
+# See man 5 containers-storage.conf for more information
+# The "container storage" table contains all of the server options.
+[storage]
+# Default Storage Driver, Must be set for proper operation.
+driver = "overlay"
+# Temporary storage location
+runroot = "/run/containers/storage"
+# Primary Read/Write location of container storage
+graphroot = "/var/lib/containers/storage"
+# Storage path for rootless users
+#
+# rootless_storage_path = "$HOME/.local/share/containers/storage"
+[storage.options]
+# Storage options to be passed to underlying storage drivers
+# AdditionalImageStores is used to pass paths to additional Read/Only image stores
+# Must be comma separated list.
+additionalimagestores = [
+]
+# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
+# a container, to the UIDs/GIDs as they should appear outside of the container,
+# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
+# listed and will be heeded by libraries, but there are limits to the number of
+# mappings which the kernel will allow when you later attempt to run a
+# container.
+#
+# remap-uids = 0:1668442479:65536
+# remap-gids = 0:1668442479:65536
+# Remap-User/Group is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
+# with an in-container ID of 0 and then a host-level ID taken from the lowest
+# range that matches the specified name, and using the length of that range.
+# Additional ranges are then assigned, using the ranges which specify the
+# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
+# until all of the entries have been used for maps.
+#
+# remap-user = "containers"
+# remap-group = "containers"
+# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
+# to containers configured to create automatically a user namespace.  Containers
+# configured to automatically create a user namespace can still overlap with containers
+# having an explicit mapping set.
+# This setting is ignored when running as rootless.
+# root-auto-userns-user = "storage"
+#
+# Auto-userns-min-size is the minimum size for a user namespace created automatically.
+# auto-userns-min-size=1024
+#
+# Auto-userns-max-size is the minimum size for a user namespace created automatically.
+# auto-userns-max-size=65536
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids.  Note multiple UIDs will be
+# squashed down to the default uid in the container.  These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+#ignore_chown_errors = "false"
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+#mount_program = "/usr/bin/fuse-overlayfs"
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev"
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# skip_mount_home = "false"
+# Size is used to set a maximum size of the container image.
+# size = ""
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+#  "": No value specified.
+#     All files/directories, get set with the permissions identified within the
+#     image.
+#  "private": it is equivalent to 0700.
+#     All files/directories get set with 0700 permissions.  The owner has rwx
+#     access to the files. No other users on the system can access the files.
+#     This setting could be used with networked based homedirs.
+#  "shared": it is equivalent to 0755.
+#     The owner has rwx access to the files and everyone else can read, access
+#     and execute them. This setting is useful for sharing containers storage
+#     with other users.  For instance have a storage owned by root but shared
+#     to rootless users as an additional store.
+#     NOTE:  All files within the image are made readable and executable by any
+#     user on the system. Even /etc/shadow within your image is now readable by
+#     any user.
+#
+#   OCTAL: Users can experiment with other OCTAL Permissions.
+#
+#  Note: The force_mask Flag is an experimental feature, it could change in the
+#  future.  When "force_mask" is set the original permission mask is stored in
+#  the "user.containers.override_stat" xattr and the "mount_program" option must
+#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
+#  extended attribute permissions to processes within containers rather then the
+#  "force_mask"  permissions.
+#
+# force_mask = ""
+[storage.options.thinpool]
+# Storage Options for thinpool
+# autoextend_percent determines the amount by which pool needs to be
+# grown. This is specified in terms of % of pool size. So a value of 20 means
+# that when threshold is hit, pool will be grown by 20% of existing
+# pool size.
+# autoextend_percent = "20"
+# autoextend_threshold determines the pool extension threshold in terms
+# of percentage of pool size. For example, if threshold is 60, that means when
+# pool is 60% full, threshold has been hit.
+# autoextend_threshold = "80"
+# basesize specifies the size to use when creating the base device, which
+# limits the size of images and containers.
+# basesize = "10G"
+# blocksize specifies a custom blocksize to use for the thin pool.
+# blocksize="64k"
+# directlvm_device specifies a custom block storage device to use for the
+# thin pool. Required if you setup devicemapper.
+# directlvm_device = ""
+# directlvm_device_force wipes device even if device already has a filesystem.
+# directlvm_device_force = "True"
+# fs specifies the filesystem type to use for the base device.
+# fs="xfs"
+# log_level sets the log level of devicemapper.
+# 0: LogLevelSuppress 0 (Default)
+# 2: LogLevelFatal
+# 3: LogLevelErr
+# 4: LogLevelWarn
+# 5: LogLevelNotice
+# 6: LogLevelInfo
+# 7: LogLevelDebug
+# log_level = "7"
+# min_free_space specifies the min free space percent in a thin pool require for
+# new device creation to succeed. Valid values are from 0% - 99%.
+# Value 0% disables
+# min_free_space = "10%"
+# mkfsarg specifies extra mkfs arguments to be used when creating the base
+# device.
+# mkfsarg = ""
+# metadata_size is used to set the `pvcreate --metadatasize` options when
+# creating thin devices. Default is 128k
+# metadata_size = ""
+# Size is used to set a maximum size of the container image.
+# size = ""
+# use_deferred_removal marks devicemapper block device for deferred removal.
+# If the thinpool is in use when the driver attempts to remove it, the driver
+# tells the kernel to remove it as soon as possible. Note this does not free
+# up the disk space, use deferred deletion to fully remove the thinpool.
+# use_deferred_removal = "True"
+# use_deferred_deletion marks thinpool device for deferred deletion.
+# If the device is busy when the driver attempts to delete it, the driver
+# will attempt to delete device every 30 seconds until successful.
+# If the program using the driver exits, the driver will continue attempting
+# to cleanup the next time the driver is used. Deferred deletion permanently
+# deletes the device and all data stored in device will be lost.
+# use_deferred_deletion = "True"
+# xfs_nospace_max_retries specifies the maximum number of retries XFS should
+# attempt to complete IO when ENOSPC (no space) error is returned by
+# underlying storage device.
+# xfs_nospace_max_retries = "0"

diff --git a/recipes-containers/container-host-config/container-host-config.bb b/recipes-containers/container-host-config/container-host-config.bb new file mode 100644 index 00000000..c762dea7 --- /dev/null +++ b/recipes-containers/container-host-config/container-host-config.bb
@@ -0,0 +1,18 @@
	1	HOMEPAGE = "https://git.yoctoproject.org/meta-virtualization"
	2	SUMMARY = "Configuration Package for container hosts"
	3	DESCRIPTION = "Common / centralized configuration files for container hosts"
	4
	5	LICENSE = "MIT"
	6	LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
	7
	8	SRC_URI = " \
	9	file://storage.conf \
	10	file://registries.conf \
	11	"
	12
	13	do_install() {
	14	install -d ${D}/${sysconfdir}/containers
	15
	16	install ${WORKDIR}/storage.conf ${D}/${sysconfdir}/containers/storage.conf
	17	install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
	18	}


diff --git a/recipes-containers/container-host-config/container-host-config/registries.conf b/recipes-containers/container-host-config/container-host-config/registries.conf new file mode 100644 index 00000000..ba6c3f6e --- /dev/null +++ b/recipes-containers/container-host-config/container-host-config/registries.conf
@@ -0,0 +1,25 @@
	1	# This is a system-wide configuration file used to
	2	# keep track of registries for various container backends.
	3	# It adheres to TOML format and does not support recursive
	4	# lists of registries.
	5
	6	# The default location for this configuration file is /etc/containers/registries.conf.
	7
	8	# The only valid categories are: 'registries.search', 'registries.insecure',
	9	# and 'registries.block'.
	10
	11	[registries.search]
	12	registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
	13
	14	# If you need to access insecure registries, add the registry's fully-qualified name.
	15	# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
	16	[registries.insecure]
	17	registries = []
	18
	19
	20	# If you need to block pull access from a registry, uncomment the section below
	21	# and add the registries fully-qualified name.
	22	#
	23	# Docker only
	24	[registries.block]
	25	registries = []


diff --git a/recipes-containers/container-host-config/container-host-config/storage.conf b/recipes-containers/container-host-config/container-host-config/storage.conf new file mode 100644 index 00000000..722750c0 --- /dev/null +++ b/recipes-containers/container-host-config/container-host-config/storage.conf
@@ -0,0 +1,195 @@
	1	# This file is is the configuration file for all tools
	2	# that use the containers/storage library.
	3	# See man 5 containers-storage.conf for more information
	4	# The "container storage" table contains all of the server options.
	5	[storage]
	6
	7	# Default Storage Driver, Must be set for proper operation.
	8	driver = "overlay"
	9
	10	# Temporary storage location
	11	runroot = "/run/containers/storage"
	12
	13	# Primary Read/Write location of container storage
	14	graphroot = "/var/lib/containers/storage"
	15
	16	# Storage path for rootless users
	17	#
	18	# rootless_storage_path = "$HOME/.local/share/containers/storage"
	19
	20	[storage.options]
	21	# Storage options to be passed to underlying storage drivers
	22
	23	# AdditionalImageStores is used to pass paths to additional Read/Only image stores
	24	# Must be comma separated list.
	25	additionalimagestores = [
	26	]
	27
	28	# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
	29	# a container, to the UIDs/GIDs as they should appear outside of the container,
	30	# and the length of the range of UIDs/GIDs. Additional mapped sets can be
	31	# listed and will be heeded by libraries, but there are limits to the number of
	32	# mappings which the kernel will allow when you later attempt to run a
	33	# container.
	34	#
	35	# remap-uids = 0:1668442479:65536
	36	# remap-gids = 0:1668442479:65536
	37
	38	# Remap-User/Group is a user name which can be used to look up one or more UID/GID
	39	# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
	40	# with an in-container ID of 0 and then a host-level ID taken from the lowest
	41	# range that matches the specified name, and using the length of that range.
	42	# Additional ranges are then assigned, using the ranges which specify the
	43	# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
	44	# until all of the entries have been used for maps.
	45	#
	46	# remap-user = "containers"
	47	# remap-group = "containers"
	48
	49	# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
	50	# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
	51	# to containers configured to create automatically a user namespace. Containers
	52	# configured to automatically create a user namespace can still overlap with containers
	53	# having an explicit mapping set.
	54	# This setting is ignored when running as rootless.
	55	# root-auto-userns-user = "storage"
	56	#
	57	# Auto-userns-min-size is the minimum size for a user namespace created automatically.
	58	# auto-userns-min-size=1024
	59	#
	60	# Auto-userns-max-size is the minimum size for a user namespace created automatically.
	61	# auto-userns-max-size=65536
	62
	63	[storage.options.overlay]
	64	# ignore_chown_errors can be set to allow a non privileged user running with
	65	# a single UID within a user namespace to run containers. The user can pull
	66	# and use any image even those with multiple uids. Note multiple UIDs will be
	67	# squashed down to the default uid in the container. These images will have no
	68	# separation between the users in the container. Only supported for the overlay
	69	# and vfs drivers.
	70	#ignore_chown_errors = "false"
	71
	72	# Inodes is used to set a maximum inodes of the container image.
	73	# inodes = ""
	74
	75	# Path to an helper program to use for mounting the file system instead of mounting it
	76	# directly.
	77	#mount_program = "/usr/bin/fuse-overlayfs"
	78
	79	# mountopt specifies comma separated list of extra mount options
	80	mountopt = "nodev"
	81
	82	# Set to skip a PRIVATE bind mount on the storage home directory.
	83	# skip_mount_home = "false"
	84
	85	# Size is used to set a maximum size of the container image.
	86	# size = ""
	87
	88	# ForceMask specifies the permissions mask that is used for new files and
	89	# directories.
	90	#
	91	# The values "shared" and "private" are accepted.
	92	# Octal permission masks are also accepted.
	93	#
	94	# "": No value specified.
	95	# All files/directories, get set with the permissions identified within the
	96	# image.
	97	# "private": it is equivalent to 0700.
	98	# All files/directories get set with 0700 permissions. The owner has rwx
	99	# access to the files. No other users on the system can access the files.
	100	# This setting could be used with networked based homedirs.
	101	# "shared": it is equivalent to 0755.
	102	# The owner has rwx access to the files and everyone else can read, access
	103	# and execute them. This setting is useful for sharing containers storage
	104	# with other users. For instance have a storage owned by root but shared
	105	# to rootless users as an additional store.
	106	# NOTE: All files within the image are made readable and executable by any
	107	# user on the system. Even /etc/shadow within your image is now readable by
	108	# any user.
	109	#
	110	# OCTAL: Users can experiment with other OCTAL Permissions.
	111	#
	112	# Note: The force_mask Flag is an experimental feature, it could change in the
	113	# future. When "force_mask" is set the original permission mask is stored in
	114	# the "user.containers.override_stat" xattr and the "mount_program" option must
	115	# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
	116	# extended attribute permissions to processes within containers rather then the
	117	# "force_mask" permissions.
	118	#
	119	# force_mask = ""
	120
	121	[storage.options.thinpool]
	122	# Storage Options for thinpool
	123
	124	# autoextend_percent determines the amount by which pool needs to be
	125	# grown. This is specified in terms of % of pool size. So a value of 20 means
	126	# that when threshold is hit, pool will be grown by 20% of existing
	127	# pool size.
	128	# autoextend_percent = "20"
	129
	130	# autoextend_threshold determines the pool extension threshold in terms
	131	# of percentage of pool size. For example, if threshold is 60, that means when
	132	# pool is 60% full, threshold has been hit.
	133	# autoextend_threshold = "80"
	134
	135	# basesize specifies the size to use when creating the base device, which
	136	# limits the size of images and containers.
	137	# basesize = "10G"
	138
	139	# blocksize specifies a custom blocksize to use for the thin pool.
	140	# blocksize="64k"
	141
	142	# directlvm_device specifies a custom block storage device to use for the
	143	# thin pool. Required if you setup devicemapper.
	144	# directlvm_device = ""
	145
	146	# directlvm_device_force wipes device even if device already has a filesystem.
	147	# directlvm_device_force = "True"
	148
	149	# fs specifies the filesystem type to use for the base device.
	150	# fs="xfs"
	151
	152	# log_level sets the log level of devicemapper.
	153	# 0: LogLevelSuppress 0 (Default)
	154	# 2: LogLevelFatal
	155	# 3: LogLevelErr
	156	# 4: LogLevelWarn
	157	# 5: LogLevelNotice
	158	# 6: LogLevelInfo
	159	# 7: LogLevelDebug
	160	# log_level = "7"
	161
	162	# min_free_space specifies the min free space percent in a thin pool require for
	163	# new device creation to succeed. Valid values are from 0% - 99%.
	164	# Value 0% disables
	165	# min_free_space = "10%"
	166
	167	# mkfsarg specifies extra mkfs arguments to be used when creating the base
	168	# device.
	169	# mkfsarg = ""
	170
	171	# metadata_size is used to set the `pvcreate --metadatasize` options when
	172	# creating thin devices. Default is 128k
	173	# metadata_size = ""
	174
	175	# Size is used to set a maximum size of the container image.
	176	# size = ""
	177
	178	# use_deferred_removal marks devicemapper block device for deferred removal.
	179	# If the thinpool is in use when the driver attempts to remove it, the driver
	180	# tells the kernel to remove it as soon as possible. Note this does not free
	181	# up the disk space, use deferred deletion to fully remove the thinpool.
	182	# use_deferred_removal = "True"
	183
	184	# use_deferred_deletion marks thinpool device for deferred deletion.
	185	# If the device is busy when the driver attempts to delete it, the driver
	186	# will attempt to delete device every 30 seconds until successful.
	187	# If the program using the driver exits, the driver will continue attempting
	188	# to cleanup the next time the driver is used. Deferred deletion permanently
	189	# deletes the device and all data stored in device will be lost.
	190	# use_deferred_deletion = "True"
	191
	192	# xfs_nospace_max_retries specifies the maximum number of retries XFS should
	193	# attempt to complete IO when ENOSPC (no space) error is returned by
	194	# underlying storage device.
	195	# xfs_nospace_max_retries = "0"