Add a new field to the network section to allow users to set the default
network program which is used when running rootless containers.
This should be used when you run something like --network private or
--network default as rootless user.
The current default is slirp4netns so we keep that for now. Once I
integrate pasta in the rootless netns then we can consider switching the
default to pasta.
This setting will also be useful then for distros who may not ship pasta
so that they could set it back to slirp if needed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users way wish to configure a set of default options that should be used
when running pasta. Options that are given on the cli will be appended,
however the implementation of this needs to happen in podman.
For slirp4netns we already support the network_cmd_options field.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Correct a sentence stating that Podman would not run with CHROOT.
It only did for a short period of time but CHROOT had to be added
back since many uses (e.g., in-container builds) depend on it.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather then maintain the collers user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2
Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.
This means if a user running as
container_user_u:container_user_r:container_user_t:s0
Ran a container they would get
container_user_u:container_user_r:container_t:s0:c1,c2
If they run a privileged container they would run it with:
container_user_u:container_user_r:container_user_t:s0
If they want to force the label they would get an error
podman run --security-opt label=type:spc_t ...
Should fail. Because the container_user_r can not run with the spc_t.
SELinux rules would also prevent the user from forcing system_u user and
the sytem_r role.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Document the `database_backend` option which has been added earlier but
intentionally left undocumented to avoid the impression sqlite would be
ready for prime-time.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The kube_generate_type field can be used to set what kind
of k8s object, i.e pod or deployment, that the podman kube
generate command should generate by default.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add yet another environment variable for loading containers.conf.
When CONTAINERS_CONF_OVERRIDE is set, the specified config file
will be loaded last - even when CONTAINERS_CONF is set.
This mechanism is needed to preserve system settings and other
environment variables. Setting CONTAINERS_CONF will load only
the specified config file and ignore all system and user paths.
That makes testing hard as many Podman tests use CONTAINERS_CONF
for testing.
The intended use of CONTAINERS_CONF_OVERRIDE is to set it during tests
and point it to a specific configuration of Podman (e.g., netavark with
sqlite backend).
Similar needs have popped up talking to users in the automotive and
high-performance computing space. In a way, such a setting allows for
specifying a specific "flavor" of Podman while preserving all existing
settings on the system.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We are getting a lot of issues on our removal of CAP_SYS_CHROOT
from the default list of capabilities used by Podman, so adding
it back until we do a major release.
This capabilty is also needed to successfully run the
quay.io/buildah/stable image with Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allows users to set all containers to automatically
set certain cgroup fields globally for all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
On MacOS, mount /Users, /private/, /var/folders by default for better docker compat. The homedir on MacOS is /Users/<username>, so that will be mounted automatically anyway with this change.
Docker also mounts /Volumes and /tmp, /Volumes fails with a Too many levels of symbolic links, as Volumes on Mac is just a symlink to / which seems like a bad idea to mount anyway.
/tmp fails because the Podman machine uses the tmp directory inside the machine and writes content to it on boot, causing the mount to fail. However, on Mac, /tmp is symlinked to /private/tmp anyway, so those files are accessible from there.
Signed-off-by: Ashley Cui <acui@redhat.com>
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit 962dbc3281.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI. While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.
Let's revert the commit to unblock ongoing work. For the next
iteration, Podman CI must be green before merging.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
For a couple of years now we have been shipping containers.conf settings
to use only 10 capabities. Docker uses 14, with the difference being
CAP_AUDIT_ALLOW, CAP_NET_RAW, CAP_MKNOD, CAP_CHROOT.
This allows us to run with a tighter security then Docker.
This PR makes the change to default config, so that if no
containers.conf overrides are present, we will run with the tighter
security. Currently most distros that ship the containers.conf already
run with this setting, but this makes it formal, and changes the man
page to match the defaults.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman and Buildah do not use this field, and I
know of no users of it, remove it from docs and
the default conf file, so users will not expect
it to do anything.
Leaving implementation in the slight chance someone
has used it in a non containers project.
Fixes: https://github.com/containers/podman/issues/16562
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Containers.conf now supports `platform_to_oci_runtime` which allows end
users to map variant of OCI runtime for a particular platform.
Most ideal use-case of this feature is switching to crun's variant when
platform string is `wasm32/wasi`.
Example
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```
Signed-off-by: Aditya R <arajan@redhat.com>
Allow distributions to specify the location of the podman image VM
images in the form of URIs with $ARCH and $OS specified. This would
allow a distribution to pull the image based on the current OS and Arch.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit allows using aardvark with an alternate port as per
implementation in containers/netavark#323
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
We have received two Bugzilla's about the upstream
documentation being incorrect about the default value of the
events_logger field in containers.conf. The are:
https://bugzilla.redhat.com/show_bug.cgi?id=2076664https://bugzilla.redhat.com/show_bug.cgi?id=2076665
From what I can see, we use `file` in RHEL and the podman machine,
in all other distributions were' using journald. I've
attempted to change the man page to reflect that.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Add a new `pod_exit_policy` field to the containers.conf's engine table.
A pod's exit policy determines the behaviour when the last container of
a pod exits.
Required-in: containers/podman/pull/13859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
machine.IsPodmanMachine replaces MachineEnabled
machine.MachineHostType informs the type unknown, qemu, wsl, etc
machine.IsGvProxyBased used to make specific determinations re gvproxy
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Set the ip for the host.containers.internal entry in the containers /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.
Also add a function to get the correct host.containers.internal ip. This
should be used by podman and buildah and then passed to the New()
function.
Ref https://github.com/containers/podman/issues/13224
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
base_hosts_file can be used to overwrite the default base host file
/etc/hosts which is used to copy hosts entries from this file into the
containers /etc/hosts file. As special value "image" can be used to copy
the entries from the image hosts file or "none" to not use a base file
at all. IF the value is empty we should use /etc/hosts as default.
Ref https://github.com/containers/podman/issues/13277
Ref https://github.com/containers/podman/issues/13748
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Slirp4netns options were changed to always default to ipv6 so it does
not need the extra setting. Update the documentation to reflect this.
see https://github.com/containers/podman/pull/13929
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changing the value for events_logfile_max_size from 0 to 1048576. This allows
up to 10,000 events to be written to the events log file before rotation occurs.
Also adding new values to default.go
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
This will allow users to specify which volumes they want podman machine
to automatically mount into the machine. These volumes can later be used
to volume mount into containers.
Environment variables like $HOME can be used and are translated at the
time of machine start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Docker defined --ipc=private to mean that the container's IPC Namespace
can NOT be shared with another container. While --ipc=shareable can,
which is our current default. Docker also defines "none" which means
the container runs in a IPC namespace but does NOT mount a /dev/shm.
"Host" means the container runs in the host namespace, and
container:UUID means run new container in other containers namespace.
ns:PATH means run in the namepsace designated in PATH.2
This Patch, fixes containers/common to reflect the correct default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh
Paul Holzinger
Valentin Rothberg
Urvashi Mohnani
OpenShift Merge Robot
Erik Sjölund
Aditya R
Arthur Sengileyev
Ashley Cui
unknowndevQwQ
Dominique Martinet
tomsweeneyredhat
Jason T. Greene
Niall Crowe
Kir Kolyshkin