You should be able to specify --cap-add=all --cap-drop=cap_perfmon
And end up with all capabilties except cap_perfmon.
You should not be allowed to specify --cap-add all --cap-drop all
The outcome would be undefined.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Commit ebfe786429 changed the default logging driver k8s-file to
journald. The only consumer of the log-driver is Podman which I think
still needs some more time to stabilize. Vendoring containers/common
into Podman has revealed quite some warts (see
containers/podman/pull/10222) which reduced my confidence level.
To resolve the chicken-egg-problem of maturing the journald driver, I
want to only partially revert commit ebfe786429. The built-in default
remains k8s-file while the containers.conf sets it to journald. The
intention behind is to make sure that running systems are not impacted
but we can change Fedora to journald to increase coverage.
Once the confidence level is back to normal, we can change the default
to journald. Latest before RHEL9.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We got some crashes in Fedora 34 testing.
Second part of this PR is to fix the config_test which is accitendtly
picking up a containers.conf settings from the host. This change forces
the default settings.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This eliminates the concern of log files growing infinitely and also
records all containers for posterity rather then allowing the removal
of a container to destroy the record.
Partially fixes: https://github.com/containers/podman/issues/9158
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
follow up to "capabilities: add new method BoundingSet()".
When ALL is used, limit it to the known capabilities in the bounding
set instead of ALL the known capabilities.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This reverts commit 451f5fb68b.
Journald is not yet passing Podman CI. We need to temporarily revert
the commit to unblock secrets work.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently when pulling/pushing images we default to the format
of the source image. When Building images we default to OCI.
Customers have asked us to allow them to force a specific image
type when pushing to a registry.
We already have a flag to building images.
This PR adds image_default_format to define the format to be used
by all tools create/building/pulling and pusing images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allow users to configure the amount of parallel copies that
the container engines are allowed to do. This allows users to configure
their systems to match their available network settings.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Need to be able to getdefault container environment
based on use provided functions on httpProxy and use
the environment from the host.
This way users can modify the environment from podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In the containers.conf we default to true, but in code and man page
it is defaulted to false. Since Podman wants it defaulted to true
we need to change default and man page to match.
Also fixed the testing for SELinux, which would never succeed on an SELinux box.
Helps fix: https://github.com/containers/podman/pull/8844
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Users on the MAC have pointed out that they could have multiple connections
to different servers, and they asked to be able to specify the connection
name via environmnet variable rather then to always have to specify the
connection on the command line if they did not want to use the default
setting.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Set pullpolicy case-insensitive for fixing https://github.com/containers/podman/issues/7246. And replce the duplicate code in podman with c/common code.
Signed-off-by: Qi Wang <qiwan@redhat.com>
We want to make sure that the TERM envionment variable is always
set. TERM defaulted to ansi might be better, but we want to match
Docker defaults, so we will stick at xterm.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The default AppArmor profile is now prefixed with
`container-default-$VERSION`, whereas the version is now part of a new
`version` package.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
We need to normalize the capadd and capdrop functions, and
we need to return errors if the caller gives us bad input.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to identify the list of containers that support KVM separation, these
containers can run with a different SELinux label, and we might be able to
make different decisions in the container engines about how to launch these
containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
containers/common pkg/config is for more engines then just libpod.
We want to use the 'libpod' section to configure parts of buildah. Renaming this
section to engine, makes it more obvious to users that these fields can effect other
container engines.
Certain fields are still libpod specific, so we do not change those fields.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In NewConfig(), settings in the file whose name we're passed should
matter more than the hardwired default files, or the file named in the
CONTAINERS_CONF environment variable.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
pull_policy is the same as podman run --pull option to determin whether to pull a new image when running a container.
Accepted "always", "missing", and "never". Default value is "missing".
Signed-off-by: Qi Wang <qiwan@redhat.com>
Replace pkg/caps with pkg/capabilities (from libpod). It's also a fork
from Docker but attributes its origing with copyright notes and has a
trimmed down (and faster) API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This is causing issues in rootless and remote mode. We should not be creating
directories on the fly.
Also stop exporting functions that are not used by Buildah and Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The Capability check handles merging of Default capabiltiies along
with user specified add and drop capabilities.
Fork docker/docker/oci/caps file to prevent a huge vendor
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Fix handling of toml files
No longer need merge, since we can specify a default conf for each toml file.
The toml code will retain the previous defaults and only use the newly specified
values.
This greatly simplifies the code.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add configurations from libpod.conf to containers.conf.Use merge code from libpod to read and merge configurations from file.
Add unshare_linux for build linux: HomeDir should buildah not only for linux. so add unshare_linux for linux and unshare.go for other
convert bool to optinalbool:Use OptionalBool for on-disk configurations so we can distinguish field is undefined vs. user set to false.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Daniel J Walsh
Valentin Rothberg
Giuseppe Scrivano
Qi Wang
Jhon Honce
Nalin Dahyabhai
Sascha Grunert
dependabot-preview[bot]
Carlos Eduardo Arango Gutierrez