system/podman: update to 1.6.2

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

7 files changed, 141 insertions, 7 deletions

diff --git a/system/podman/README b/system/podman/README
index 5295426059..f7d3cfec14 100644
--- a/system/podman/README
+++ b/system/podman/README
@@ -13,3 +13,9 @@ At a high level, the scope of libpod and podman is the following:
 * Resource isolation of containers and pods.
 
 These container runtimes can run as non-root, but require sub-uid/gid mappings
+
+To run podman as a user:
+
+    echo 'user.max_user_namespaces=30111' >> /etc/sysctl.conf
+    echo '<YOUR_USER>:100000:65536' >> /etc/subuid
+    echo '<YOUR_USER>:100000:65536' >> /etc/subgid
diff --git a/system/podman/doinst.sh b/system/podman/doinst.sh
new file mode 100644
index 0000000000..b93a3a48a2
--- /dev/null
+++ b/system/podman/doinst.sh
@@ -0,0 +1,18 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+config etc/containers/libpod.conf.new
+config etc/containers/registries.conf.new
+config etc/containers/mounts.conf.new
+config etc/containers/seccomp.json.new
+config etc/containers/policy.json.new
diff --git a/system/podman/mounts.conf b/system/podman/mounts.conf
new file mode 100644
index 0000000000..270d316922
--- /dev/null
+++ b/system/podman/mounts.conf
@@ -0,0 +1 @@
+/etc/containers/secrets:/run/secrets
diff --git a/system/podman/podman.SlackBuild b/system/podman/podman.SlackBuild
index cd009b749e..0513860b8c 100644
--- a/system/podman/podman.SlackBuild
+++ b/system/podman/podman.SlackBuild
@@ -2,6 +2,7 @@
 
 # Slackware build script for podman
 
+# Copyright 2019 Gabriel Diaz, Madrid, Spain
 # Copyright 2019 Vincent Batts, Raleigh, NC, USA
 # All rights reserved.
 #
@@ -24,8 +25,8 @@
 
 PRGNAM=podman
 REPONAME=libpod
-VERSION=${VERSION:-1.0.1}
-GIT_COMMIT="2c74edd0ac6509d6e533cb4e012e3e3f9e03434d"
+VERSION=${VERSION:-1.6.2}
+GIT_COMMIT="f3ffda1e08f19e9a6a88484136b5eed76533f21a"
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
 
@@ -79,7 +80,7 @@ find -L . \
 export GOPATH="$TMP/$REPONAME-$VERSION"
 
 make GIT_COMMIT="$GIT_COMMIT"
-make install DESTDIR="$PKG" PREFIX="$PKG/usr" MANDIR="$PKG/usr/man" GIT_COMMIT="$GIT_COMMIT"
+make install DESTDIR="$PKG" PREFIX="/usr/" MANDIR="/usr/man/" GIT_COMMIT="$GIT_COMMIT"
 
 find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
   | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
@@ -95,6 +96,18 @@ cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+mkdir -p $PKG/etc/containers/secrets
+
+# use upstream's default seccomp policy
+cp seccomp.json $PKG/etc/containers/seccomp.json.new
+# use upstream config, but default to cgroupfs
+cat libpod.conf | sed 's/^cgroup_manager = "systemd"/cgroup_manager = "cgroupfs"/g' > $PKG/etc/containers/libpod.conf.new
+
+cp $CWD/registries.conf $PKG/etc/containers/registries.conf.new
+cp $CWD/mounts.conf $PKG/etc/containers/mounts.conf.new
+cp $CWD/policy.json $PKG/etc/containers/policy.json.new
 
 cd $PKG
 /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/system/podman/podman.info b/system/podman/podman.info
index dc8a7903f9..725e924d15 100644
--- a/system/podman/podman.info
+++ b/system/podman/podman.info
@@ -1,10 +1,10 @@
 PRGNAM="podman"
-VERSION="1.0.1"
+VERSION="1.6.2"
 HOMEPAGE="https://github.com/containers/libpod"
-DOWNLOAD="https://github.com/containers/libpod/archive/v1.0.1/libpod-1.0.1.tar.gz"
-MD5SUM="d7ce87cad867fc7d1980a2b07566282f"
+DOWNLOAD="https://github.com/containers/libpod/archive/v1.6.2/libpod-1.6.2.tar.gz"
+MD5SUM="bf43121bc45b19404d8bcfaf87e5046d"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
-REQUIRES="runc go-md2man slirp4netns"
+REQUIRES="cni-plugins conmon runc go-md2man slirp4netns"
 MAINTAINER="Vincent Batts"
 EMAIL="vbatts@hashbangbash.com"
diff --git a/system/podman/policy.json b/system/podman/policy.json
new file mode 100644
index 0000000000..dffc54a626
--- /dev/null
+++ b/system/podman/policy.json
@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}
diff --git a/system/podman/registries.conf b/system/podman/registries.conf
new file mode 100644
index 0000000000..21ddef2871
--- /dev/null
+++ b/system/podman/registries.conf
@@ -0,0 +1,82 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# There are multiple versions of the configuration syntax available, where the
+# second iteration is backwards compatible to the first one. Mixing up both
+# formats will result in an runtime error.
+#
+# The initial configuration format looks like this:
+#
+# Registries to search for images that are not fully-qualified.
+# i.e. foobar.com/my_image:latest vs my_image:latest
+[registries.search]
+registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org']
+
+# Registries that do not use TLS when pulling images or uses self-signed
+# certificates.
+[registries.insecure]
+registries = []
+
+# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry.  If you specify
+# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
+# registries.  Blocked Registries is deprecated because other container runtimes and tools will not use it.
+# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
+# registries you want to allow users to pull and push from.  policy.json gives greater flexibility, and
+# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
+# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
+[registries.block]
+registries = []
+
+# The second version of the configuration format allows to specify registry
+# mirrors:
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+# unqualified-search-registries = ["example.com"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# #   prefix = "example.com/foo"
+# #   location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/myimage:latest
+# # in order, and use the first one that exists.