We should be sourcing from the image CMD/ENTRYPOINT by default.
Having a default prevents us from doing that - we should only be
using this for user-configured values that do not come from the
image.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fix handling of storage.conf path, so that we can use it when testing podman.
Currently the Environment variable is not handled correctly.
There are matching patches in containers/storage and eventually
containers/podman to allow the use of alternative storage.conf files in testing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Some users want to stick to "docker" format especially since some older
container registries don't properly support OCI images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to make sure that the TERM environment variable is always
set. TERM defaulted to ansi might be better, but we want to match
Docker defaults, so we will stick at xterm.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently it is difficult to modify the path to the storage.conf
file for setting up testing. It is hard coded to use /etc/containers/storage.conf.
Adding this environment variable will allow us to write tests on storage.conf
that do not override the system defaults.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Use XDG_CONFIG_HOME if it is defined.
XDG_CONFIG_HOME is already respected for configuration files such as containers.conf, storage.conf, and registry.conf but here `~/.config` was hardcoded.
Signed-off-by: David Scherer <david.scherer@antithesis.com>
I am experimenting with supporting CNI in rootless Podman. There is
no harm in preparing common to support such a case and allow a custom
per-user configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Only return the Pids Limit for container engines running as root or
with cgroupv2 and Systemd as a cgroup manager.
Trying to do this with rootless containers on cgroup V1 is not allowed.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Modify validate functions to work on remote clients.
Any of the path checks will not work on remote machines or make
sense on remote clients. Therefore they should not be checked.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently if a rootless user runs podman in his homedir, and does
not have /etc/containers/policy.json on the system and does not
have ~/config/policy.json in his homedir, the command fails with
an error.
$ podman pull fedora
Error: error pulling image "fedora": unable to pull fedora: open /etc/containers/policy.json: no such file or directory
If the user has no root rights on the system, he can not create the file.
However the system would work fine if he created the file in his homedir.
With this change, we will force the default to be the file in his homedir if
BOTH files do not exist. Now the error message for a rootless container would
be:
$ podman pull fedora
Error: unable to pull fedora: open /home/dwalsh/.config/containers/policy.json: no such file or directory
And the user has an idea how to fix this situation.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
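The two lookups described above (respecting XDG_CONFIG_HOME for the per-user config directory, and falling back to the user's own policy.json when running rootless without a system one) as an added example. This is constructed illustration code, not containers/common's own implementation; the function names, the injected `exists` check and the constants are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Constructed example, not containers/common's own code. It models the
// lookup order described in the commit messages above: the system
// policy is used when it exists; a rootless user otherwise falls back
// to a per-user file under $XDG_CONFIG_HOME (or ~/.config when that is
// unset), so any "no such file" error names a file the user can create.
const systemPolicyPath = "/etc/containers/policy.json"

// userConfigDir returns the per-user config directory. xdgConfigHome
// and homeDir are passed in (rather than read from the environment)
// so the decision can be exercised offline.
func userConfigDir(xdgConfigHome, homeDir string) string {
	if xdgConfigHome != "" {
		return xdgConfigHome
	}
	return filepath.Join(homeDir, ".config")
}

// userPolicyPath is the rootless fallback location.
func userPolicyPath(xdgConfigHome, homeDir string) string {
	return filepath.Join(userConfigDir(xdgConfigHome, homeDir), "containers", "policy.json")
}

// resolvePolicyPath picks the file the engine should open. exists is
// injected so the logic can be tested without touching the real
// filesystem (a hypothetical parameter, not the project's API).
func resolvePolicyPath(rootless bool, xdgConfigHome, homeDir string, exists func(string) bool) string {
	if !rootless || exists(systemPolicyPath) {
		return systemPolicyPath
	}
	// Neither file may exist; still return the user path so the
	// resulting error points at a location the user can write to.
	return userPolicyPath(xdgConfigHome, homeDir)
}

func fileExists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

func main() {
	rootless := os.Geteuid() != 0
	home, _ := os.UserHomeDir()
	fmt.Println(resolvePolicyPath(rootless, os.Getenv("XDG_CONFIG_HOME"), home, fileExists))
}
```

Run as an unprivileged user on a host without /etc/containers/policy.json and the printed path is the one under the user's config directory, matching the second error message quoted above.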
cgroupns="private" should be used only on cgroup v2.
On cgroup v1 it would be a breaking change, and also we'd need to
check whether the kernel supports cgroup namespaces.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
By default do not create a user namespace. A user namespace also
requires mappings to be specified and that is not possible with a
static setting. We cannot default to "auto" as it requires additional
configuration for the root user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We need to identify the list of containers that support KVM separation, these
containers can run with a different SELinux label, and we might be able to
make different decisions in the container engines about how to launch these
containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Move pkg/sysinfo and pkg/apparmor out of libpod into containers/common.
This will allow other packages to use these libraries without requiring all of libpod.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The `pause:3.1` has wrong configs for non-amd64 images as they all claim
to be for amd64. The issue has now been fixed in the latest
`pause:3.2`.
[1] https://github.com/kubernetes/kubernetes/issues/87325
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
containers/common pkg/config is for more engines than just libpod.
We want to use the 'libpod' section to configure parts of buildah. Renaming this
section to engine makes it more obvious to users that these fields can affect other
container engines.
Certain fields are still libpod specific, so we do not change those fields.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Callers should use containers/storage directly.
Also remove MergeDBConfig, this is no longer used by any callers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
pull_policy is the same as podman run --pull option to determine whether to pull a new image when running a container.
Accepted "always", "missing", and "never". Default value is "missing".
Signed-off-by: Qi Wang <qiwan@redhat.com>
Allow users to modify the default amount of time to wait to send SIGKILL
after you tell a container to stop with a SIGINT.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In root running containers we want to approach the MAX Number of processes and
open files, so that services running Podman will work when they have lots of open
files or processes. In rootless containers this number can not be changed. This
patch will only increase the numbers if the process is allowed.
Docker set the limit to 2**20 (1048576); it looks like this was the max for RHEL5 OS.
So we fall back to attempt to set this limit if the MAC_PROC limit is not allowed.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The default alternative path for seccomp.json should be /etc/containers/seccomp.json
The DefaultNetwork in network config should be bridge
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
At the moment the cgroups package is used only by Podman and by CRI-O
(that is already vendoring libpod). So let's simplify and not have a
duplicate here.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fix handling of toml files
No longer need merge, since we can specify a default conf for each toml file.
The toml code will retain the previous defaults and only use the newly specified
values.
This greatly simplifies the code.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to hide Optional Bools from the default configuration. Callers should only have to deal with boolean
fields and not deal with optionals.
Add accessor functions for all optional bools, easier.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add configurations from libpod.conf to containers.conf. Use merge code from libpod to read and merge configurations from file.
Add unshare_linux for build linux: HomeDir should buildah not only for linux. So add unshare_linux for linux and unshare.go for other.
Convert bool to OptionalBool: Use OptionalBool for on-disk configurations so we can distinguish whether a field is undefined vs. user set to false.
Signed-off-by: Qi Wang <qiwan@redhat.com>
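The point made in the last two messages (keep optional bools out of the callers' view, but still tell "undefined" apart from "set to false" when merging a file over the defaults) as an added example. It is constructed illustration code, not containers/common's own types or merge code; it uses `*bool` and encoding/json because Go's standard library has no TOML decoder, and the field names are illustrative assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed example, not containers/common's own code. A plain bool
// cannot express "the user did not set this": a missing key decodes as
// false and would silently override a default of true. Using a
// tri-state (*bool here) for the on-disk form keeps "absent" distinct
// from "false"; callers only ever see the merged plain-bool Config.

// FileConfig mirrors what is decoded from the on-disk file. Every field
// is a pointer so an absent key stays nil. Keys are illustrative.
type FileConfig struct {
	NoPivotRoot    *bool `json:"no_pivot_root"`
	EnableLabeling *bool `json:"label"`
}

// Config is what callers see: plain bools with defaults already applied.
type Config struct {
	NoPivotRoot    bool
	EnableLabeling bool
}

// defaultConfig holds the built-in defaults (constructed values).
func defaultConfig() Config {
	return Config{NoPivotRoot: false, EnableLabeling: true}
}

// apply overrides dst only when the file actually set the field.
func apply(dst *bool, src *bool) {
	if src != nil {
		*dst = *src
	}
}

// loadConfig decodes data over the defaults: fields the file omits keep
// their default, fields set explicitly (true or false) win.
func loadConfig(data []byte) (Config, error) {
	var fc FileConfig
	if err := json.Unmarshal(data, &fc); err != nil {
		return Config{}, err
	}
	cfg := defaultConfig()
	apply(&cfg.NoPivotRoot, fc.NoPivotRoot)
	apply(&cfg.EnableLabeling, fc.EnableLabeling)
	return cfg, nil
}

func main() {
	// Constructed sample input: the user sets no_pivot_root and says nothing about label.
	cfg, err := loadConfig([]byte(`{"no_pivot_root": true}`))
	fmt.Println(cfg, err) // labeling default survives the merge
	// Constructed sample input: an explicit false must still be honoured.
	cfg, _ = loadConfig([]byte(`{"label": false}`))
	fmt.Println(cfg)
}
```

If FileConfig used plain bools instead, the first sample would come back with EnableLabeling false, which is exactly the silent default loss the OptionalBool change avoids.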