Make sure we use the config field to know if we should use pasta or
slirp4netns as default.
While at it fix broken code which sets the default at two different
places, also do not set in Validate() as this should not modify the
specgen IMO, so set it directly before that.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This adds define.BindOptions to declare the mount options for bind-like
mounts (nullfs on FreeBSD). Note: this mirrors identical declarations in
buildah and it may be preferable to use buildah's copies throughout
podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
This is limited to images that don't depend on complex cgroup or capability
setups but does cover enough functionality to be useful.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
This fixes a lint issue, but I'm keeping it in its own commit so
it can be reverted independently if necessary; I don't know what
side effects this may have. I don't *think* there are any
issues, but I'm not sure why it wasn't a pointer in the first
place, so there may have been a reason.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This probably should have been in the API since the beginning,
but it's not too late to start now.
The extra information is returned (both via the REST API, and to
the CLI handler for `podman rm`) but is not yet printed - it
feels like adding it to the output could be a breaking change?
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Also reflect removed/deprecated fields in the compat API.
[NO NEW TESTS NEEDED]
Signed-off-by: Renovate Bot <bot@renovateapp.com>
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
These annotations can have security implications - crun, for
example, allows rootless containers to preserve the user's groups
through an annotation. We absolutely should not include
annotations from an untrusted image off the internet by default.
We may consider whitelisting some annotations (e.g. the legacy
WASM annotations), but given that there is now a more explicit
way of specifying an image uses the WASM runtime in the OCI image
spec, I'm just tearing this out entirely for now.
Signed-off-by: Matt Heon <mheon@redhat.com>
Restart policy of initContainers should not be overriden by pod and
the restart policy should always be "no".
See #16343
Signed-off-by: Tony Duan <tony.duan@gapp.nthu.edu.tw>
Add --restart flag to pod create to allow users to set the
restart policy for the pod, which applies to all the containers
in the pod. This reuses the restart policy already there for
containers and has the same restart policy options.
Add "never" to the restart policy options to match k8s syntax.
It is a synonym for "no" and does the exact same thing where the
containers are not restarted once exited.
Only the containers that have exited will be restarted based on the
restart policy, running containers will not be restarted when an exited
container is restarted in the same pod (same as is done in k8s).
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The problem right now is that --ns contianer: syntax causes use to add
the namespace path to the spec which means the runtime will try to call
setns on that. This works fine for private namespaces but when the host
namspace is used by the container a rootless user is not allowed to
join that namespace so the setns call will return with permission
denied.
The fix is to effectively switch the container to the `host` mode
instead of `container:` when the mention container used the host ns. I
tried to fix this deep into the libpod call when we assign these
namespaces but the problem is that this does not work correctly because
these namespace require much more setup. Mainly different kind of mount
points to work correctly.
We already have similar work-arounds in place for pods because they also
need this.
For some reason this does not work with the user namespace, I don't know
why and I don't think it is really needed so I left this out just to get
at least the rest working. The original issue only reported this for the
network namespace.
Fixes#18027
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If resource limits is not set, do not display the following warning message:
`Resource limits are not supported and ignored on cgroups V1 rootless systems`
Ref: #17582
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
At the time of making this commit, the package `github.com/ghodss/yaml`
is no longer actively maintained.
`sigs.k8s.io/yaml` is a permanent fork of `ghodss/yaml` and is actively
maintained by Kubernetes SIG.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
add a function to securely mount a subpath inside a volume. We cannot
trust that the subpath is safe since it is beneath a volume that could
be controlled by a separate container. To avoid TOCTOU races between
when we check the subpath and when the OCI runtime mounts it, we open
the subpath, validate it, bind mount to a temporary directory and use
it instead of the original path.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If the kube yaml volumes has secret.items set, then use
the values from that to set up the paths inside the container
similar to what we do for configMap.
Add tests for this as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested
When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext
This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.
With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* add tests
* add documentation for --shm-size-systemd
* add support for both pod and standalone run
Signed-off-by: danishprakash <danish.prakash@suse.com>
Add a podman ulimit annotation to kube generate and play.
If a container has a container with ulimits set, kube gen
will add those as an annotation to the generated yaml.
If kube play encounters the ulimit annotation, it will set
ulimits for the container being played.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
when using --userns=auto or --userns=pod, we should bind mount /sys
from the host instead of creating a new /sys in the container,
otherwise we rely on the fallback provided by crun, which might not be
available in other runtimes.
Also, in the last version of crun the fallback is stricter than it
used to be before and it uses a recursive bind mount through the new
mount API. That can be missing on old kernel.
Closes: https://github.com/containers/crun/issues/1131
[NO NEW TESTS NEEDED] to trigger the failure, we need a specific
combination of kernel, libc and OCI runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The function which generates and assigns a random
port number for the --publish-all functionality
was not properly marking some ports as "used".
In very rare occasions this can cause a randomly
"generated" port to be used twice creating an
impossible container configuration.
Signed-off-by: telday <ellis.wright@cyberark.com>
if /sys is bind mounted from the host then also add an explicit mount
for /sys/fs/cgroup so that 'ro' is honored.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
