Add a new containers.conf attribute to define how to set interface name inside containers.
Relates to: containers/podman#21313
Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
Forcing a single upstream default for the init path is bad as some
distros use different install locations for various reasons.
To fix this use the existing helper_binaries_dir field to lookup in all
directories. To keep backwards compatibility we keep using the old
default and both Containers.InitPath and Engine.InitPath. Yes, that is
right: somehow we ended up with the same config field under the
containers and engine section and they are both used in podman!
Thus we need to keep supporting both; only the field under the containers
section was documented, and it now recommends the use of helper_binaries_dir.
To make the docs clearer, also document what binaries are currently
looked up in helper_binaries_dir.
Note this needs further integration in podman.
Fixes #1110
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman should default to sqlite for new installs, however to not break
upgrades we should detect if a boltdb database exists and use that in
such case. Now in order to distinguish between an explicitly set
"sqlite" and "boltdb" and nothing set we use an empty default.
With that podman can know if we really should use the default or if it
was configured for a db explicitly. The actual detection logic must be
implemented in podman as we only know the file locations there.
This commit also drops the unused StateType as this was not used at all.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a new concept to containers.conf called "modules". A "module" is
a containers.conf file located at a specific directory. More than one
module can be loaded in the specified order, following existing
override semantics.
There are three directories to load modules from:
- $CONFIG_HOME/containers/containers.conf.modules
- /etc/containers/containers.conf.modules
- /usr/share/containers/containers.conf.modules
With CONFIG_HOME pointing to $HOME/.config or, if set, $XDG_CONFIG_HOME.
Absolute paths will be loaded as is, relative paths will be resolved
relative to the three directories above allowing for admin configs
(/etc/) to override system configs (/usr/share/) and user configs
($CONFIG_HOME) to override admin configs.
Also move some functions from config.go for locality.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add two new fields Farms and DefaultFarm to the Config
to be used by the new podman buildfarm command.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
We want to allow HPC customers and others to specify mounts
inside of containers.conf, so that they can have a default
list of mounts into all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Specify one or more external providers for the compose command. The
first found provider is used for execution. Can be an absolute path or a
(file) name. Relative names are invalid. File names are evaluated via
$PATH look ups.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Emit logs on each invocation of the compose command indicating that an
external compose provider is being executed.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
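The two compose commits above describe the provider lookup (absolute path used as is, bare name resolved via $PATH, relative name rejected, first hit wins) and the log line announcing which external binary runs. The following Go program is an added example of that lookup; it is not containers/common's or Podman's code. The function names, the ErrRelativeProvider error, the injected lookPath parameter and the wording of the notice are assumptions of this example, and the main() provider list is constructed input.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrRelativeProvider is returned for entries such as "bin/compose". The
// commit message says relative names are invalid, so this example rejects
// them up front instead of letting exec.LookPath resolve "./x" relative to
// the current directory. (Name and behaviour are this example's assumption.)
var ErrRelativeProvider = errors.New("relative compose provider path is not allowed")

// ResolveComposeProvider walks compose_providers in order and returns the
// first entry that resolves to an executable. Absolute paths are checked as
// is; bare names are looked up in $PATH. lookPath is injected (normally
// exec.LookPath) so the lookup can be exercised offline with a fake.
func ResolveComposeProvider(providers []string, lookPath func(string) (string, error)) (string, error) {
	var failures []string
	for _, p := range providers {
		if p == "" {
			continue
		}
		if strings.ContainsRune(p, filepath.Separator) && !filepath.IsAbs(p) {
			return "", fmt.Errorf("%q: %w", p, ErrRelativeProvider)
		}
		resolved, err := lookPath(p)
		if err == nil {
			return resolved, nil
		}
		failures = append(failures, fmt.Sprintf("%s: %v", p, err))
	}
	if len(failures) == 0 {
		return "", errors.New("no compose providers configured")
	}
	return "", fmt.Errorf("no usable compose provider: %s", strings.Join(failures, "; "))
}

// ProviderNotice is the log line emitted on every compose invocation so the
// user can see which external binary actually runs. The wording is this
// example's, not Podman's.
func ProviderNotice(resolved string) string {
	return fmt.Sprintf("executing external compose provider %q", resolved)
}

func main() {
	// Constructed provider list; exec.LookPath consults the real $PATH here.
	providers := []string{"docker-compose", "podman-compose", "/usr/local/bin/docker-compose"}
	resolved, err := ResolveComposeProvider(providers, exec.LookPath)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(ProviderNotice(resolved))
}
```

Because exec.LookPath verifies the execute bit, a configured absolute path that exists but is not executable is skipped like a missing one, and the collected failure list in the final error shows why each candidate was rejected.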
- Fix the type of the options.
- service_destinations should be engine.service_destinations
Related: https://github.com/containers/podman/issues/15615
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Add a new field to the network section to allow users to set the default
network program which is used when running rootless containers.
This should be used when you run something like --network private or
--network default as rootless user.
The current default is slirp4netns so we keep that for now. Once I
integrate pasta in the rootless netns then we can consider switching the
default to pasta.
This setting will also be useful then for distros who may not ship pasta
so that they could set it back to slirp if needed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users may wish to configure a set of default options that should be used
when running pasta. Options that are given on the cli will be appended,
however the implementation of this needs to happen in podman.
For slirp4netns we already support the network_cmd_options field.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Correct a sentence stating that Podman would not run with CHROOT.
It only did for a short period of time but CHROOT had to be added
back since many uses (e.g., in-container builds) depend on it.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather than maintain the caller's user and role.
For example:
unconfined_u:unconfined_r:container_t:s0:c1,c2
Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.
This means if a user running as
container_user_u:container_user_r:container_user_t:s0
ran a container they would get
container_user_u:container_user_r:container_t:s0:c1,c2
If they run a privileged container they would run it with:
container_user_u:container_user_r:container_user_t:s0
If they want to force the label they would get an error
podman run --security-opt label=type:spc_t ...
Should fail, because container_user_r cannot run with spc_t.
SELinux rules would also prevent the user from forcing the system_u user and
the system_r role.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Document the `database_backend` option which has been added earlier but
intentionally left undocumented to avoid the impression sqlite would be
ready for prime-time.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The kube_generate_type field can be used to set what kind
of k8s object, i.e., pod or deployment, that the podman kube
generate command should generate by default.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add yet another environment variable for loading containers.conf.
When CONTAINERS_CONF_OVERRIDE is set, the specified config file
will be loaded last - even when CONTAINERS_CONF is set.
This mechanism is needed to preserve system settings and other
environment variables. Setting CONTAINERS_CONF will load only
the specified config file and ignore all system and user paths.
That makes testing hard as many Podman tests use CONTAINERS_CONF
for testing.
The intended use of CONTAINERS_CONF_OVERRIDE is to set it during tests
and point it to a specific configuration of Podman (e.g., netavark with
sqlite backend).
Similar needs have popped up talking to users in the automotive and
high-performance computing space. In a way, such a setting allows for
specifying a specific "flavor" of Podman while preserving all existing
settings on the system.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
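The modules commit above and this CONTAINERS_CONF_OVERRIDE commit together define a load order: the system/admin/user files (or only CONTAINERS_CONF, when set), then each module in the order given, with absolute module paths used as is and relative names resolved so that user beats admin beats system, and CONTAINERS_CONF_OVERRIDE parsed last. The Go program below is an added example that models that order; it is not containers/common's loader. Its type and function names, the injected exists callback in place of a stat call, the simplified list of base paths (the real loader also has drop-in directories not covered here), and the rule that a relative module name takes the first match from the highest-precedence directory are assumptions of the example, and the file set in main() is constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Env holds the environment variables this example consults. It is an
// assumption of the example, not containers/common's real config type.
type Env struct {
	Home                   string // HOME
	XDGConfigHome          string // XDG_CONFIG_HOME, may be empty
	ContainersConf         string // CONTAINERS_CONF, may be empty
	ContainersConfOverride string // CONTAINERS_CONF_OVERRIDE, may be empty
}

// ConfigHome resolves CONFIG_HOME: $XDG_CONFIG_HOME if set, else $HOME/.config.
func (e Env) ConfigHome() string {
	if e.XDGConfigHome != "" {
		return e.XDGConfigHome
	}
	return filepath.Join(e.Home, ".config")
}

const modulesDir = "containers.conf.modules"

// ModuleDirs lists the module directories from highest to lowest precedence:
// user, then admin (/etc), then system (/usr/share).
func ModuleDirs(configHome string) []string {
	return []string{
		filepath.Join(configHome, "containers", modulesDir),
		filepath.Join("/etc/containers", modulesDir),
		filepath.Join("/usr/share/containers", modulesDir),
	}
}

// ResolveModule maps a module name to a file. Absolute paths are used as is;
// relative names are tried in ModuleDirs order and the first hit wins, so a
// user module shadows an admin module of the same name, which shadows a
// system one (first-match is this example's assumption). "exists" stands in
// for a stat call so the example runs offline.
func ResolveModule(name, configHome string, exists func(string) bool) (string, error) {
	if filepath.IsAbs(name) {
		if !exists(name) {
			return "", fmt.Errorf("module %q not found", name)
		}
		return name, nil
	}
	for _, dir := range ModuleDirs(configHome) {
		candidate := filepath.Join(dir, name)
		if exists(candidate) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("module %q not found in any module directory", name)
}

// LoadOrder returns the config files to parse, first to last; a later file
// overrides keys from an earlier one. CONTAINERS_CONF replaces the whole
// system/user search path, modules load next in the order given, and
// CONTAINERS_CONF_OVERRIDE is always last. The base path list is simplified.
func LoadOrder(env Env, modules []string, exists func(string) bool) ([]string, error) {
	var order []string
	if env.ContainersConf != "" {
		order = append(order, env.ContainersConf)
	} else {
		for _, p := range []string{
			"/usr/share/containers/containers.conf",
			"/etc/containers/containers.conf",
			filepath.Join(env.ConfigHome(), "containers", "containers.conf"),
		} {
			if exists(p) {
				order = append(order, p)
			}
		}
	}
	for _, m := range modules {
		p, err := ResolveModule(m, env.ConfigHome(), exists)
		if err != nil {
			return nil, err
		}
		order = append(order, p)
	}
	if env.ContainersConfOverride != "" {
		order = append(order, env.ContainersConfOverride)
	}
	return order, nil
}

func main() {
	// Constructed file set standing in for a real filesystem.
	files := map[string]bool{
		"/usr/share/containers/containers.conf":                           true,
		"/etc/containers/containers.conf":                                 true,
		"/usr/share/containers/containers.conf.modules/hpc.conf":          true,
		"/etc/containers/containers.conf.modules/hpc.conf":                true,
		"/home/alice/.config/containers/containers.conf.modules/dev.conf": true,
		"/tmp/test-sqlite.conf":                                           true,
	}
	exists := func(p string) bool { return files[p] }
	env := Env{Home: "/home/alice", ContainersConfOverride: "/tmp/test-sqlite.conf"}
	order, err := LoadOrder(env, []string{"hpc.conf", "dev.conf"}, exists)
	if err != nil {
		panic(err)
	}
	for _, f := range order {
		fmt.Println(f)
	}
}
```

In the constructed set, hpc.conf exists under both /usr/share and /etc, and the /etc copy wins; dev.conf comes from the user directory; the override file is appended last even when CONTAINERS_CONF is set, which is exactly the property that makes it usable for pinning a test "flavor" without discarding the rest of the system configuration.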
We are getting a lot of issues on our removal of CAP_SYS_CHROOT
from the default list of capabilities used by Podman, so adding
it back until we do a major release.
This capability is also needed to successfully run the
quay.io/buildah/stable image with Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allow users to set all containers to automatically
set certain cgroup fields globally for all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
On macOS, mount /Users, /private/, /var/folders by default for better docker compat. The homedir on macOS is /Users/<username>, so that will be mounted automatically anyway with this change.
Docker also mounts /Volumes and /tmp. /Volumes fails with a "Too many levels of symbolic links" error, as Volumes on Mac is just a symlink to /, which seems like a bad idea to mount anyway.
/tmp fails because the Podman machine uses the tmp directory inside the machine and writes content to it on boot, causing the mount to fail. However, on Mac, /tmp is symlinked to /private/tmp anyway, so those files are accessible from there.
Signed-off-by: Ashley Cui <acui@redhat.com>
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>