In root running containers we want to approach the MAX Number of processes and
open files, so that services running Podman will work when they have lots of open
files or processes. In rootless containers this number cannot be changed. This
patch will only increase the numbers if the process is allowed.
Docker set the limit to 2**20 (1048576); it looks like this was the max for RHEL5 OS.
So we fall back to attempt to set this limit if the MAC_PROC limit is not allowed.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

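
The staged raise described in that commit message, as an added Go example that is not code from containers/common or Podman: it tries unlimited first, then Docker's 2**20, then the current hard limit (which any process may raise its soft limit to), and it adds one guard of its own, never lowering a hard limit the process already has. The `infinity` and `rlimitNproc` constants are assumptions spelled out locally because the `syscall` package does not export usable values for them.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// infinity equals the kernel's RLIM_INFINITY on 64-bit Linux (assumed here;
// defined locally because syscall's untyped constant does not fit uint64).
const infinity = ^uint64(0)

// dockerLimit is the 2**20 value the commit message says Docker used.
const dockerLimit = 1048576

// rlimitNproc is RLIMIT_NPROC on Linux (assumed value; the syscall package
// only exports RLIMIT_NOFILE, so the number is spelled out here).
const rlimitNproc = 6

// RaiseLimit pushes one resource limit as high as this process is allowed to:
//  1. unlimited, which needs CAP_SYS_RESOURCE (and never works for NOFILE,
//     which the kernel caps at fs.nr_open),
//  2. Docker's 2**20,
//  3. the current hard limit, which any process may raise its soft limit to.
// Candidates below the hard limit already in place are skipped, so an
// unprivileged caller never silently lowers a limit. The limit left in
// effect is returned.
func RaiseLimit(resource int) (syscall.Rlimit, error) {
	var current syscall.Rlimit
	if err := syscall.Getrlimit(resource, &current); err != nil {
		return current, fmt.Errorf("getrlimit: %w", err)
	}
	candidates := []syscall.Rlimit{
		{Cur: infinity, Max: infinity},
		{Cur: dockerLimit, Max: dockerLimit},
		{Cur: current.Max, Max: current.Max},
	}
	for _, want := range candidates {
		if want.Max < current.Max {
			continue // would lower the hard limit; raising is the goal
		}
		err := syscall.Setrlimit(resource, &want)
		if err == nil {
			return want, nil
		}
		// EPERM: not allowed to raise this high; EINVAL: above what the kernel
		// accepts. Anything else is unexpected and reported to the caller.
		if !errors.Is(err, syscall.EPERM) && !errors.Is(err, syscall.EINVAL) {
			return current, fmt.Errorf("setrlimit: %w", err)
		}
	}
	return current, errors.New("no candidate limit was accepted")
}

func main() {
	for _, r := range []struct {
		name     string
		resource int
	}{{"RLIMIT_NOFILE", syscall.RLIMIT_NOFILE}, {"RLIMIT_NPROC", rlimitNproc}} {
		lim, err := RaiseLimit(r.resource)
		if err != nil {
			fmt.Printf("%s: %v\n", r.name, err)
			continue
		}
		fmt.Printf("%s: soft=%d hard=%d\n", r.name, lim.Cur, lim.Max)
	}
}
```

Run as an unprivileged user the first candidate fails with EPERM and the function settles on 2**20 or on the existing hard limit; run with CAP_SYS_RESOURCE the NPROC limit becomes unlimited while NOFILE still stops at whatever fs.nr_open permits, which is the distinction the commit message is working around.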
This is the initial Code of Conduct document for use across
all of the projects under the github.com/containers repository.
The projects will each link to this document from each of their
repos.
This document was pulled from libpod which had pulled it from
Kubernetes who had pulled it from the CNCF.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

This is causing issues in rootless and remote mode. We should not be creating
directories on the fly.
Also stop exporting functions that are not used by Buildah and Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

The default alternative path for seccomp.json should be /etc/containers/seccomp.json
The DefaultNetwork in network config should be bridge
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

if CGO is enabled, make sure to use C.getenv instead of os.Getenv to
read environment variables. It is required since rootless libpod
joins the user namespace through Cgo.
The variables set via C.setenv are not visible through os.Getenv, as
the latter uses sync.Once to read the variables once.
Requires: https://github.com/containers/libpod/pull/4911
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

at the moment the cgroups package is used only by Podman and by CRI-O
(that is already vendoring libpod). So let's simplify and not have a
duplicate here.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

The Capability check handles merging of Default capabilities along
with user specified add and drop capabilities.
Fork docker/docker/oci/caps file to prevent a huge vendor
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

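
An added Go illustration of that merge, not the project's own capability code nor the forked docker caps file: the default set and the full capability list below are constructed, shortened stand-ins for the values the real package reads from its configuration and from the kernel, and the `ALL` handling and the rejection of unknown names are this example's own rules. Unknown names are rejected rather than ignored so that a typo in an add or drop list fails loudly instead of silently changing the effective set.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DefaultCapabilities is a constructed default set for this illustration; the
// names are real kernel capabilities but the list is shorter than any real
// distribution default.
var DefaultCapabilities = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
	"CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
	"CAP_SETUID", "CAP_SYS_CHROOT",
}

// AllCapabilities stands in for the full list the kernel knows about; a real
// implementation would enumerate it rather than hard-code it.
var AllCapabilities = append([]string{
	"CAP_AUDIT_WRITE", "CAP_MKNOD", "CAP_NET_ADMIN", "CAP_NET_RAW",
	"CAP_SYS_ADMIN", "CAP_SYS_PTRACE",
}, DefaultCapabilities...)

// normalize accepts "net_admin", "NET_ADMIN" or "CAP_NET_ADMIN" and returns
// the canonical CAP_ form; "all" is returned as the keyword ALL.
func normalize(name string) string {
	n := strings.ToUpper(strings.TrimSpace(name))
	if n == "ALL" || strings.HasPrefix(n, "CAP_") {
		return n
	}
	return "CAP_" + n
}

// validate normalizes a user list and rejects names not in AllCapabilities.
func validate(names []string) ([]string, error) {
	known := make(map[string]bool, len(AllCapabilities))
	for _, c := range AllCapabilities {
		known[c] = true
	}
	out := make([]string, 0, len(names))
	for _, raw := range names {
		c := normalize(raw)
		if c != "ALL" && !known[c] {
			return nil, fmt.Errorf("unknown capability %q", raw)
		}
		out = append(out, c)
	}
	return out, nil
}

func contains(list []string, want string) bool {
	for _, c := range list {
		if c == want {
			return true
		}
	}
	return false
}

// MergeCapabilities computes the effective set: start from base, add the
// user's add list, then remove the drop list. ALL in drops clears the base so
// only explicit adds survive; ALL in adds grants everything minus the drops;
// ALL on both sides is a contradictory request and is refused.
func MergeCapabilities(base, adds, drops []string) ([]string, error) {
	adds, err := validate(adds)
	if err != nil {
		return nil, err
	}
	drops, err = validate(drops)
	if err != nil {
		return nil, err
	}
	addAll, dropAll := contains(adds, "ALL"), contains(drops, "ALL")
	if addAll && dropAll {
		return nil, fmt.Errorf("adding all capabilities and dropping all capabilities is contradictory")
	}
	set := make(map[string]bool)
	switch {
	case dropAll:
		for _, c := range adds {
			set[c] = true
		}
	case addAll:
		for _, c := range AllCapabilities {
			set[c] = true
		}
		for _, c := range drops {
			delete(set, c)
		}
	default:
		for _, c := range base {
			set[normalize(c)] = true
		}
		for _, c := range adds {
			set[c] = true
		}
		for _, c := range drops {
			delete(set, c)
		}
	}
	result := make([]string, 0, len(set))
	for c := range set {
		result = append(result, c)
	}
	sort.Strings(result)
	return result, nil
}

func main() {
	caps, err := MergeCapabilities(DefaultCapabilities, []string{"net_admin"}, []string{"sys_chroot"})
	fmt.Println(caps, err)
}
```

Drops are applied after adds in every branch, so a drop always wins over an add of the same name, which is the conservative choice when a user supplies both.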
We also want to be able to default namespaces to host, so that HPC
machines can default to not using most of the namespaces by default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>