Previous code and tests did not reflect actual users input and expected
output.
Add remaining compatibilty golang template funcs
- json
- pad
- truncate
https://bugzilla.redhat.com/show_bug.cgi?id=1922077Fixes#8702
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Currently when pulling/pushing images we default to the format
of the source image. When Building images we default to OCI.
Customers have asked us to allow them to force a specific image
type when pushing to a registry.
We already have a flag to building images.
This PR adds image_default_format to define the format to be used
by all tools create/building/pulling and pusing images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
check whether the user owns the specified XDG_RUNTIME_DIR. Hopefully
it will help catching errors when running in a "sudo -u" session that
uses the wrong value for XDG_RUNTIME_DIR.
Closes: https://github.com/containers/podman/issues/9114
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This mirrors the Docker and containerd changes, with the caveat that
because mount(2) is permitted under podman for all containers we
therefore add all of the v2 mount API syscalls as available to all
containers.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
The generate.go script used to fill the default seccomp profile file is
quite important as otherwise distributions will end up having outdated
seccomp filters even after a podman update.
This script comes from the Docker repo.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Several syscalls were enabled globally (SCMP_ACT_ALLOW without any
conditions for all containers), but also had conditional rules later in
the profile (likely inherited from Docker). The following syscalls do
not need special casing because they were globally enabled:
* clone, unshare, mount, umount, umount2 all had special CAP_SYS_ADMIN
restrictions but those don't make sense since they were also enabled
for all containers.
* reboot was permitted for CAP_SYS_BOOT and all containers.
* name_to_handle_at was permitted for CAP_SYS_ADMIN, CAP_SYS_NICE(?),
and all containers.
And certain syscalls had globally-enabled rules when they shouldn't
have:
* socket has special rules for CAP_AUDIT_WRITE but it also had a global
"allow unconditionally" rule. It turns out that libseccomp will
override unconditional rules with conditional ones but this is
somewhat of an implementation detail and it's much safer to remove
the rule and use the existing cases.
Now the only syscalls remaining with complicated rules (meaning they
appear more than once in the profile) are:
* sync_file_range2 which is architecture specific (though in principle
we could move it to enabled-without-rules because runc ignores
unknown syscalls).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This will allow users to configure the amount of parallel copies that
the container engines are allowed to do. This allows users to configure
their systems to match their available network settings.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Fix a bug where if the secret name was a prefix of an existing id, secrets would reject the new name
Now, you can use the secret name as expected
Example: if a secret with id "abcdefg" already exists:
Previously, it would error if you tried to create a secret with name "abc"
Now it allows you to do so
Signed-off-by: Ashley Cui <acui@redhat.com>
OpenShift Merge Robot
Jhon Honce
dependabot-preview[bot]
Daniel J Walsh
Eduardo Vega
Giuseppe Scrivano
Aleksa Sarai
Ashley Cui
baude
naveen