- Fix the type of the options.
- service_destinations should be engine.service_destinations
Related: https://github.com/containers/podman/issues/15615
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Add a new field to the network section to allow users to set the default
network program which is used when running rootless containers.
This should be used when you run something like --network private or
--network default as rootless user.
The current default is slirp4netns so we keep that for now. Once I
integrate pasta in the rootless netns then we can consider switching the
default to pasta.
This setting will also be useful then for distros who may not ship pasta
so that they could set it back to slirp if needed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users way wish to configure a set of default options that should be used
when running pasta. Options that are given on the cli will be appended,
however the implementation of this needs to happen in podman.
For slirp4netns we already support the network_cmd_options field.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Correct a sentence stating that Podman would not run with CHROOT.
It only did for a short period of time but CHROOT had to be added
back since many uses (e.g., in-container builds) depend on it.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather then maintain the collers user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2
Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.
This means if a user running as
container_user_u:container_user_r:container_user_t:s0
Ran a container they would get
container_user_u:container_user_r:container_t:s0:c1,c2
If they run a privileged container they would run it with:
container_user_u:container_user_r:container_user_t:s0
If they want to force the label they would get an error
podman run --security-opt label=type:spc_t ...
Should fail. Because the container_user_r can not run with the spc_t.
SELinux rules would also prevent the user from forcing system_u user and
the sytem_r role.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Document the `database_backend` option which has been added earlier but
intentionally left undocumented to avoid the impression sqlite would be
ready for prime-time.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The kube_generate_type field can be used to set what kind
of k8s object, i.e pod or deployment, that the podman kube
generate command should generate by default.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add yet another environment variable for loading containers.conf.
When CONTAINERS_CONF_OVERRIDE is set, the specified config file
will be loaded last - even when CONTAINERS_CONF is set.
This mechanism is needed to preserve system settings and other
environment variables. Setting CONTAINERS_CONF will load only
the specified config file and ignore all system and user paths.
That makes testing hard as many Podman tests use CONTAINERS_CONF
for testing.
The intended use of CONTAINERS_CONF_OVERRIDE is to set it during tests
and point it to a specific configuration of Podman (e.g., netavark with
sqlite backend).
Similar needs have popped up talking to users in the automotive and
high-performance computing space. In a way, such a setting allows for
specifying a specific "flavor" of Podman while preserving all existing
settings on the system.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We are getting a lot of issues on our removal of CAP_SYS_CHROOT
from the default list of capabilities used by Podman, so adding
it back until we do a major release.
This capabilty is also needed to successfully run the
quay.io/buildah/stable image with Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allows users to set all containers to automatically
set certain cgroup fields globally for all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
On MacOS, mount /Users, /private/, /var/folders by default for better docker compat. The homedir on MacOS is /Users/<username>, so that will be mounted automatically anyway with this change.
Docker also mounts /Volumes and /tmp, /Volumes fails with a Too many levels of symbolic links, as Volumes on Mac is just a symlink to / which seems like a bad idea to mount anyway.
/tmp fails because the Podman machine uses the tmp directory inside the machine and writes content to it on boot, causing the mount to fail. However, on Mac, /tmp is symlinked to /private/tmp anyway, so those files are accessible from there.
Signed-off-by: Ashley Cui <acui@redhat.com>
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit 962dbc3281.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI. While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.
Let's revert the commit to unblock ongoing work. For the next
iteration, Podman CI must be green before merging.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
For a couple of years now we have been shipping containers.conf settings
to use only 10 capabities. Docker uses 14, with the difference being
CAP_AUDIT_ALLOW, CAP_NET_RAW, CAP_MKNOD, CAP_CHROOT.
This allows us to run with a tighter security then Docker.
This PR makes the change to default config, so that if no
containers.conf overrides are present, we will run with the tighter
security. Currently most distros that ship the containers.conf already
run with this setting, but this makes it formal, and changes the man
page to match the defaults.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman and Buildah do not use this field, and I
know of no users of it, remove it from docs and
the default conf file, so users will not expect
it to do anything.
Leaving implementation in the slight chance someone
has used it in a non containers project.
Fixes: https://github.com/containers/podman/issues/16562
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Containers.conf now supports `platform_to_oci_runtime` which allows end
users to map variant of OCI runtime for a particular platform.
Most ideal use-case of this feature is switching to crun's variant when
platform string is `wasm32/wasi`.
Example
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```
Signed-off-by: Aditya R <arajan@redhat.com>
Allow distributions to specify the location of the podman image VM
images in the form of URIs with $ARCH and $OS specified. This would
allow a distribution to pull the image based on the current OS and Arch.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit allows using aardvark with an alternate port as per
implementation in containers/netavark#323
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
We have received two Bugzilla's about the upstream
documentation being incorrect about the default value of the
events_logger field in containers.conf. The are:
https://bugzilla.redhat.com/show_bug.cgi?id=2076664https://bugzilla.redhat.com/show_bug.cgi?id=2076665
From what I can see, we use `file` in RHEL and the podman machine,
in all other distributions were' using journald. I've
attempted to change the man page to reflect that.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Add a new `pod_exit_policy` field to the containers.conf's engine table.
A pod's exit policy determines the behaviour when the last container of
a pod exits.
Required-in: containers/podman/pull/13859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
machine.IsPodmanMachine replaces MachineEnabled
machine.MachineHostType informs the type unknown, qemu, wsl, etc
machine.IsGvProxyBased used to make specific determinations re gvproxy
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Set the ip for the host.containers.internal entry in the containers /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.
Also add a function to get the correct host.containers.internal ip. This
should be used by podman and buildah and then passed to the New()
function.
Ref https://github.com/containers/podman/issues/13224
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
base_hosts_file can be used to overwrite the default base host file
/etc/hosts which is used to copy hosts entries from this file into the
containers /etc/hosts file. As special value "image" can be used to copy
the entries from the image hosts file or "none" to not use a base file
at all. IF the value is empty we should use /etc/hosts as default.
Ref https://github.com/containers/podman/issues/13277
Ref https://github.com/containers/podman/issues/13748
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Slirp4netns options were changed to always default to ipv6 so it does
not need the extra setting. Update the documentation to reflect this.
see https://github.com/containers/podman/pull/13929
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changing the value for events_logfile_max_size from 0 to 1048576. This allows
up to 10,000 events to be written to the events log file before rotation occurs.
Also adding new values to default.go
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
This will allow users to specify which volumes they want podman machine
to automatically mount into the machine. These volumes can later be used
to volume mount into containers.
Environment variables like $HOME can be used and are translated at the
time of machine start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Docker defined --ipc=private to mean that the container's IPC Namespace
can NOT be shared with another container. While --ipc=shareable can,
which is our current default. Docker also defines "none" which means
the container runs in a IPC namespace but does NOT mount a /dev/shm.
"Host" means the container runs in the host namespace, and
container:UUID means run new container in other containers namespace.
ns:PATH means run in the namepsace designated in PATH.2
This Patch, fixes containers/common to reflect the correct default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a new option to the `[engine]` table in containers.conf
for specifying the maximum size of `events_logfile_path`.
Once exceeded, Podman will rotate the logfile and delete
the old one.
Also add tests to make sure we're not regressing in the future.
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
Add a new field to set the default subnet pools. They can be used to
change the subnet which is automatically allocated by podman network
create.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
These where moved to buildah but because they are useful for podman and
the other tooling they are moved back into the common project.
Reverts 6b57bd6c7c
Signed-off-by: Morten Linderud <morten@linderud.pw>
This field was only needed for machine to force cni, however you can set
netns="bridge" in the config to have the same effect. This is already
done in the machine setup.
The field was more of a hack and just creates confusion for users so we
remove it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* change cni networks to just networks since they also refer to netavark
networks
* add documentation about the network_backend key and what the empty
value means
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since the network namespace is shared for all rootful libpod instances
we also need to make sure to use the same network config dir and run dir
to ensure that we do not use the same subnet or ip for more than one
container.
Also update the documentation about the network_config_dir field.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This field determines whether CNI or netavark will be used to
create container networks. Default presently set to "cni".
Signed-off-by: Matthew Heon <mheon@redhat.com>
Insisting on “DCO” imposes formalities, that serve self-purpose. One cannot
assume that the submitter has time or will to read texts about symbolism in
software contributions. If the system wants to see the text
nrEAUIEUAIe eanuitdnuae EAIUEAUIAIE »ℓ§444.3.72b)°»°ℓ§euaieauuae
in each commit, people will write this, or any other text, that the system wants to
see. All such text, which presence is mandated by the system, has the same value.
Signed-off-by: Дилян Палаузов <git-dpa@aegee.org>
Add machine teable to configure podman machine options. Move machine_image to the machine table, and add cups, disk size, and memory to the machine table.
Signed-off-by: Ashley Cui <acui@redhat.com>
Allow users to set the default location for the temporary files used
during image pulls and pushes.
Defaults to /var/tmp;
Overridden via "TMPDIR" environment variable.
Allow special flag "storage" to indicate the the storage should use
the tmp directory in containers/storage/tmp.
Needed to fix: https://github.com/containers/podman/issues/11107
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This field contains a list of directories which should be used to store
some helper binaries, e.g. gvproxy.
Also add a FindHelperBinary method to the config struct to get the full
path to a helper binary.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We had a bogus setting for secrets in our default containers.conf
[secret] should have been [secrets].
Also added a test to make sure this never happens again.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Commit ebfe786429 changed the default logging driver k8s-file to
journald. The only consumer of the log-driver is Podman which I think
still needs some more time to stabilize. Vendoring containers/common
into Podman has revealed quite some warts (see
containers/podman/pull/10222) which reduced my confidence level.
To resolve the chicken-egg-problem of maturing the journald driver, I
want to only partially revert commit ebfe786429. The built-in default
remains k8s-file while the containers.conf sets it to journald. The
intention behind is to make sure that running systems are not impacted
but we can change Fedora to journald to increase coverage.
Once the confidence level is back to normal, we can change the default
to journald. Latest before RHEL9.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This eliminates the concern of log files growing infinitely and also
records all containers for posterity rather then allowing the removal
of a container to destroy the record.
Partially fixes: https://github.com/containers/podman/issues/9158
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Toshiki Sonoda