diff --git a/common/pkg/config/containers.conf b/common/pkg/config/containers.conf
index d7a0afbf1b..b4222924a5 100644
--- a/common/pkg/config/containers.conf
+++ b/common/pkg/config/containers.conf
@@ -17,6 +17,11 @@
 # profile name is "container-default".
 # apparmor_profile = "container-default"
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host` Share host Cgroup Namespace with the container.
+# cgroupns="private"
 # Cgroup management implementation used for the runtime.
 # cgroup_manager = "systemd"
@@ -53,43 +58,106 @@
 # default_sysctls = [
 # ]
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the container. Typically this is necessary
+# when the host DNS configuration is invalid for the container (e.g., 127.0.0.1).
+# When this is the case the --dns flags is necessary for every run.
+# The special value none can be specified to disable creation of /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+# dns=
+
+# Set default DNS options.
+# dns-option=
+
+# Set default DNS search domains.
+# dns-search=
+
 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
 # env = [
 # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 # ]
+# Use host environment inside of the container. See Environment note below for precedence.
+# env-host=false
+
 # Path to OCI hooks directories for automatically executed hooks.
 # hooks_dir = [
+# “/usr/share/containers/oci/hooks.d”,
 # ]
 # Run an init inside the container that forwards signals and reaps processes.
 # init = false
+# Default proxy environment variables passed into the container. The environment variables passed in include
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and also the upper case versions of these. This option is
+# only needed when the host system must use a proxy but the container should not use any proxy. Proxy envi‐
+# ronment variables specified for the container in any other way will override the values that would have
+# been passed thru from the host. (Other ways to specify the proxy for the container include passing the
+# values with the --env flag, or hard coding the proxy environment at container build time.)
 # proxy environment variables are passed into the container
-# http_proxy = [
-# ]
+# http_proxy=true
-# whether the container tool will support container labeling.
+# container engines use container separation using MAC(SELinux) labeling.
 # label = true
+# Tells container engines how to handle the builtin image volumes.
+# The options are: bind, tmpfs, or ignore (default bind)
+# · bind: A directory is created inside the container state directory and bind mounted into the
+# container for the volumes.
+# · tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create
+# content that disappears when the container is stopped.
+# · ignore: All volumes are just ignored and no action is taken.
+# image-volume="bind"
+
+# Default way to to create a IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+# `private` Create private IPC Namespace for the container.
+# `host` Share host IPC Namespace with the container.
+# ipcns="private"
+
+# Logging driver for the container. Available options: k8s-file and journald
+# log-driver="k8s-file"
+
 # Maximum size allowed for the container log file. Negative numbers indicate
 # that no size limit is imposed. If it is positive, it must be >= 8192 to
 # match/exceed conmon's read buffer. The file is truncated and re-opened so the
 # limit is never exceeded.
 # log_size_max = -1
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host` Share host Network Namespace with the container.
+# `none` Containers do not use the netwoek
+# netns="private"
+
+# Create /etc/hosts for the container. By default, container engines manage /etc/hosts, adding the
+# container's own IP address.
+# no-host="false"
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host` Share host PID Namespace with the container.
+# pidns="private"
+
 # Maximum number of processes allowed in a container.
 # pids_limit = 2048
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime.
-# seccomp_profile = "/tmp/seccomp.json"
+# seccomp_profile = "/usr/share/containers/seccomp.json"
 # Size of /dev/shm. Specified as .
 # Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If the unit is omitted, the system uses bytes.
 # shm_size = "65536k"
+# Default way to to create a UTS namespace for the container
+# Options are:
 # `private` Create private UTS Namespace for the container.
+# `host` Share host UTS Namespace with the container.
+# utsns="private"
+
 # The network table containers settings pertaining to the management of
 # CNI plugins.
 [network]
@@ -172,7 +240,7 @@
 # Uncomment to change location from this default.
 # volume_path = "/var/lib/containers/storage/volumes"
-# Selects which logging mechanism to use for Podman events. Valid values
+# Selects which logging mechanism to use for container engine events. Valid values
 # are `journald` or `file`.
 # events_logger = "file"
@@ -193,7 +261,7 @@
 # Paths to look for a valid OCI runtime (runc, runv, etc)
 [libpod.runtimes]
 # runc = [
-# "/usr/bin/runc",
+# "/usr/bin/runc",
 # "/usr/sbin/runc",
 # "/usr/local/bin/runc",
 # "/usr/local/sbin/runc",
@@ -217,3 +285,13 @@
 # TOML does not provide a way to end a table other than a further table being
 # defined, so every key hereafter will be part of [runtimes] and not the main
 # config.
+
+# The network table containers settings pertaining to the management of
+# CNI plugins.
+[network]
+
+# Path to directory where CNI plugin binaries are located.
+# cni_plugin_dirs = ["/usr/libexec/cni"]
+
+# Path to the directory where CNI configuration files are located.
+# network_config_dir = "/etc/cni/net.d/"
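Review bot: The new `# cgroupns="private"` example is written without spaces around `=`, unlike the neighbouring `# cgroup_manager = "systemd"` and every other commented default in this file; since users uncomment these lines verbatim, keep one style, `# cgroupns = "private"`. The first added comment line repeats a word, "Default way to to create" — drop the extra `to` (the same slip appears in the ipcns, netns, pidns and utsns blocks of the next hunk). Because `host` makes the container share the host's cgroup namespace, which is a weaker boundary than `private`, it would help readers picking a default to say so on that line, e.g. `# \`host\` Share host Cgroup Namespace with the container (weaker isolation than private).`.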
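Review bot: The example added under `hooks_dir`, `# “/usr/share/containers/oci/hooks.d”,`, uses typographic quotes, which are not TOML string delimiters, so anyone who uncomments it gets a parse error; it should read `# "/usr/share/containers/oci/hooks.d",`. The new keys are kebab-case (`dns-option`, `env-host`, `image-volume`, `log-driver`, `no-host`) while the file's existing keys are snake_case (`cgroup_manager`, `log_size_max`, `seccomp_profile`, `pids_limit`), and a config key that does not match what the engine reads is silently ignored rather than rejected, so one convention should be settled on here. `no-host="false"` quotes a boolean where `env-host=false` and `init = false` do not, and the key name reads as the opposite of the comment "Create /etc/hosts for the container"; confirm the name and type against the option the engine actually parses. Replacing `http_proxy = [ ]` with `http_proxy=true` changes the key's type from array to boolean, so if any deployed containers.conf sets the old array form it will presumably stop parsing — worth a note in the comment if that is intended. Minor wording: "netwoek" in the `none` line of netns, "the --dns flags is necessary" should be "the --dns flag is necessary", and as collapsed here the UTS block's `# \`private\`` line carries a context marker between two added lines, so check that the patch applies cleanly.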
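Review bot: The `[network]` header added at the end of the file defines a table that already exists earlier in this same file (it is visible as context at the end of the previous large hunk, just before `@@ -172,7 +240,7 @@`), and TOML does not allow a table to be defined twice, so a strict parser will reject the whole file once this lands even though the keys beneath it are commented out. Keep a single `[network]` table: put `cni_plugin_dirs` and `network_config_dir` under the existing one and drop this block, or, if the earlier header was meant to go, remove it in the same commit. The comment three lines above the insertion point also states that every key after `[libpod.runtimes]` belongs to that table, so a reader will not expect a new top-level table here; update that comment to match whichever layout is kept.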