The current description is wrong; it says that no-conmon does
not use cgroups, when it should say there is no cgroup
created for the conmon process.
Fixes: https://github.com/containers/common/issues/321
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

We want to use pkg/formats within skopeo, but
do not want to pull buildah code in. Moving this
to common would make the vendoring easier.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

In Fedora Rawhide, I have eliminated some CAPABILITIES from the
default list to make containers more secure. The containers.conf
should be listed here as well. The default list in code is still
the Docker defaults, but I have eliminated three from the default
list:
AUDIT_WRITE, MKNOD, NET_RAW
In Fedora 33 we have eliminated just MKNOD and NET_RAW.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Both podman and buildah can use these completion functions.
In order to prevent duplication let's define them here.
The new autocomplete functions are:
- AutocompleteSubuidName
- AutocompleteSubgidName
- AutocompleteCapabilities
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

Some users want to stick to "docker" format, especially since some older
container registries don't properly support OCI images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

The PR containers/podman#6442 enables a new way to create
shell completion scripts. The shell completion is handled
by cobra and since the login/logout flags are defined here
the completion functions for this should be defined here
as well. For reference see:
https://github.com/spf13/cobra/blob/master/shell_completions.md
I added a unit test to ensure that the flags have a
completion function set.
This could also be used by skopeo and buildah if
someone wants to implement such completions for them.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

This syscall is proposed for the kernel but does not exist yet. Having it in
the default syscall table is causing crun to print warning messages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Users on the MAC have pointed out that they could have multiple connections
to different servers, and they asked to be able to specify the connection
name via environment variable rather than to always have to specify the
connection on the command line if they did not want to use the default
setting.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

faccessat2, openat2, fchmodat2 are all new syscalls to help eliminate
race conditions; current containers get the older versions of these syscalls,
so adding them by default makes sense.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Set pullpolicy case-insensitive for fixing https://github.com/containers/podman/issues/7246. And replace the duplicate code in podman with c/common code.
Signed-off-by: Qi Wang <qiwan@redhat.com>

Add the following default syscalls:
"clock_adjtime" -- Already allow adjtimex
"clone" -- Needed so we can use a usernamespace within a container.
Since this is allowed for non root users, it should be safe
to use, and can allow us to support containers/user namespaces
within locked down containers.
"pivot_root" -- Can be used by containers within containers
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>