config

package
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 21, 2020 License: Apache-2.0 Imports: 18 Imported by: 172

Documentation

Index

Constants

View Source
const (
	// DefaultContainersConfig holds the default containers config path
	DefaultContainersConfig = "/usr/share/containers/containers.conf"
	// OverrideContainersConfig holds the default config paths overridden by the root user
	OverrideContainersConfig = "/etc/containers/containers.conf"
	// UserOverrideContainersConfig holds the containers config path overridden by the rootless user
	UserOverrideContainersConfig = ".config/containers/containers.conf"
)
View Source
const (

	// CgroupfsCgroupsManager represents cgroupfs native cgroup manager
	CgroupfsCgroupsManager = "cgroupfs"
	// DefaultApparmorProfile  specifies the default apparmor profile for the container.
	DefaultApparmorProfile = "container-default"
	// SystemdCgroupsManager represents systemd native cgroup manager
	SystemdCgroupsManager = "systemd"
	// DefaultLogDriver is the default type of log files
	DefaultLogDriver = "k8s-file"
	// DefaultLogSizeMax is the default value for the maximum log size
	// allowed for a container. Negative values mean that no limit is imposed.
	DefaultLogSizeMax = -1
	// DefaultPidsLimit is the default value for maximum number of processes
	// allowed inside a container
	DefaultPidsLimit = 2048
	// rootless policy.json file.
	DefaultRootlessSignaturePolicyPath = ".config/containers/policy.json"
	// DefaultShmSize default value
	DefaultShmSize = "65536k"
	// DefaultUserNSSize default value
	DefaultUserNSSize = 65536
	// OCIBufSize limits maximum LogSizeMax
	OCIBufSize = 8192
	// SeccompOverridePath if this exists it overrides the default seccomp path.
	SeccompOverridePath = _etcDir + "/crio/seccomp.json"
	// SeccompDefaultPath defines the default seccomp path.
	SeccompDefaultPath = _installPrefix + "/share/containers/seccomp.json"
)

Variables

View Source
var (
	// DefaultInitPath is the default path to the container-init binary
	DefaultInitPath = "/usr/libexec/podman/catatonit"
	// DefaultInfraImage to use for infra container
	DefaultInfraImage = "k8s.gcr.io/pause:3.1"
	// DefaultInfraCommand to be run in an infra container
	DefaultInfraCommand = "/pause"
	// DefaultRootlessSHMLockPath is the default path for rootless SHM locks
	DefaultRootlessSHMLockPath = "/libpod_rootless_lock"
	// DefaultDetachKeys is the default keys sequence for detaching a
	// container
	DefaultDetachKeys = "ctrl-p,ctrl-q"
)
View Source
var (
	// ErrConmonOutdated indicates the version of conmon found (whether via the configuration or $PATH)
	// is out of date for the current podman version
	ErrConmonOutdated = errors.New("outdated conmon version")
	// ErrInvalidArg indicates that an invalid argument was passed
	ErrInvalidArg = errors.New("invalid argument")
	// DefaultHooksDirs defines the default hooks directory
	DefaultHooksDirs = []string{"/usr/share/containers/oci/hooks.d"}
	// DefaultCapabilities for the default_capabilities option in the containers.conf file
	DefaultCapabilities = []string{
		"CAP_AUDIT_WRITE",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_KILL",
		"CAP_MKNOD",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYS_CHROOT",
	}
)

Functions

func Device

func Device(device string) (string, string, string, error)

Device parses device mapping string to a src, dest & permissions string Valid values for device looklike:

'/dev/sdc"
'/dev/sdc:/dev/xvdc"
'/dev/sdc:/dev/xvdc:rwm"
'/dev/sdc:rm"

func IsDirectory

func IsDirectory(path string) error

IsDirectory tests whether the given path exists and is a directory. It follows symlinks.

func IsValidDeviceMode

func IsValidDeviceMode(mode string) bool

IsValidDeviceMode checks if the mode for device is valid or not. IsValid mode is a composition of r (read), w (write), and m (mknod).

Types

type Config

type Config struct {
	// Containers specify settings that configure how containers will run ont the system
	Containers ContainersConfig `toml:"containers"`
	// Libpod specifies how the container engine based on Libpod will run
	Libpod LibpodConfig `toml:"libpod"`
	// Network section defines the configuration of CNI Plugins
	Network NetworkConfig `toml:"network"`
}

Config contains configuration options for container tools

func DefaultConfig

func DefaultConfig() (*Config, error)

DefaultConfig defines the default values from containers.conf

func NewConfig added in v0.0.4

func NewConfig(userConfigPath string) (*Config, error)

NewConfig creates a new Config. It starts with an empty config and, if specified, merges the config at `userConfigPath` path. Depending if we're running as root or rootless, we then merge the system configuration followed by merging the default config (hard-coded default in memory). Note that the OCI runtime is hard-set to `crun` if we're running on a system with cgroupsv2. Other OCI runtimes are not yet supporting cgroupsv2. This might change in the future.

func ReadConfigFromFile added in v0.0.4

func ReadConfigFromFile(path string, config *Config) (*Config, error)

ReadConfigFromFile reads the specified config file at `path` and attempts to unmarshal its content into a Config. The config param specifies the previous default config. If the path, only specifies a few fields in the Toml file the defaults from the config parameter will be used for all other fields.

func (*Config) Capabilities added in v0.1.0

func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) []string

Capabilities returns the capabilities parses the Add and Drop capability list from the default capabiltiies for the container

func (*Config) FindConmon added in v0.0.4

func (c *Config) FindConmon() (string, error)

FindConmon iterates over (*Config).ConmonPath and returns the path to first (version) matching conmon binary. If non is found, we try to do a path lookup of "conmon".

func (*Config) GetDefaultEnv added in v0.0.7

func (c *Config) GetDefaultEnv() []string

GetDefaultEnv returns the environment variables for the container. It will checn the HTTPProxy and HostEnv booleans and add the appropriate environment variables to the container.

func (*Config) MergeDBConfig added in v0.0.4

func (c *Config) MergeDBConfig(dbConfig *DBConfig) error

MergeDBConfig merges the configuration from the database.

func (*Config) Validate

func (c *Config) Validate(onExecution bool) error

Validate is the main entry point for library configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

type ContainersConfig

type ContainersConfig struct {

	// Devices to add to all containers
	AdditionalDevices []string `toml:"additional_devices"`

	// Volumes to add to all containers
	AdditionalVolumes []string `toml:"additional_volumes"`

	// ApparmorProfile is the apparmor profile name which is used as the
	// default for the runtime.
	ApparmorProfile string `toml:"apparmor_profile"`

	// CGroupManager is the CGroup Manager to use Valid values are "cgroupfs"
	// and "systemd".
	CgroupManager string `toml:"cgroup_manager"`

	// Default way to create a cgroup namespace for the container
	CgroupNS string `toml:"cgroupns"`

	// Capabilities to add to all containers.
	DefaultCapabilities []string `toml:"default_capabilities"`

	// Sysctls to add to all containers.
	DefaultSysctls []string `toml:"default_sysctls"`

	// DefaultUlimits specifies the default ulimits to apply to containers
	DefaultUlimits []string `toml:"default_ulimits"`

	// DefaultMountsFile is the path to the default mounts file for testing
	DefaultMountsFile string `toml:"-"`

	// DNSServers set default DNS servers.
	DNSServers []string `toml:"dns_servers"`

	// DNSOptions set default DNS options.
	DNSOptions []string `toml:"dns_options"`

	// DNSSearches set default DNS search domains.
	DNSSearches []string `toml:"dns_searches"`

	// EnableLabeling tells the container engines whether to use MAC
	// Labeling to separate containers (SELinux)
	EnableLabeling bool `toml:"label"`

	// Env is the environment variable list for container process.
	Env []string `toml:"env"`

	// EnvHost Pass all host environment variables into the container.
	EnvHost bool `toml:"env_host"`

	// HTTPProxy is the proxy environment variable list to apply to container process
	HTTPProxy bool `toml:"http_proxy"`

	// Init tells container runtimes whether to run init inside the
	// container that forwards signals and reaps processes.
	Init bool `toml:"init"`

	// InitPath is the path for init to run if the Init bool is enabled
	InitPath string `toml:"init_path"`

	// IPCNS way to to create a ipc namespace for the container
	IPCNS string `toml:"ipcns"`

	// LogDriver  for the container.  For example: k8s-file and journald
	LogDriver string `toml:"log_driver"`

	// LogSizeMax is the maximum number of bytes after which the log file
	// will be truncated. It can be expressed as a human-friendly string
	// that is parsed to bytes.
	// Negative values indicate that the log file won't be truncated.
	LogSizeMax int64 `toml:"log_size_max"`

	// NetNS indicates how to create a network namespace for the container
	NetNS string `toml:"netns"`

	// NoHosts tells container engine whether to create its own /etc/hosts
	NoHosts bool `toml:"no_hosts"`

	// PidsLimit is the number of processes each container is restricted to
	// by the cgroup process number controller.
	PidsLimit int64 `toml:"pids_limit"`

	// PidNS indicates how to create a pid namespace for the container
	PidNS string `toml:"pidns"`

	// SeccompProfile is the seccomp.json profile path which is used as the
	// default for the runtime.
	SeccompProfile string `toml:"seccomp_profile"`

	// ShmSize holds the size of /dev/shm.
	ShmSize string `toml:"shm_size"`

	// SignaturePolicyPath is the path to a signature policy to use for
	// validating images. If left empty, the containers/image default signature
	// policy will be used.
	SignaturePolicyPath string `toml:"_"`

	// UTSNS indicates how to create a UTS namespace for the container
	UTSNS string `toml:"utsns"`

	// UserNS indicates how to create a User namespace for the container
	UserNS string `toml:"userns"`

	// UserNSSize how many UIDs to allocate for automatically created UserNS
	UserNSSize int `toml:"userns_size"`
}

ContainersConfig represents the "containers" TOML config table containers global options for containers tools

func (*ContainersConfig) Validate

func (c *ContainersConfig) Validate() error

Validate is the main entry point for containers configuration validation It returns an `error` on validation failure, otherwise `nil`.

type DBConfig added in v0.0.4

type DBConfig struct {
	LibpodRoot  string
	LibpodTmp   string
	StorageRoot string
	StorageTmp  string
	GraphDriver string
	VolumePath  string
}

DBConfig is a set of Libpod runtime configuration settings that are saved in a State when it is first created, and can subsequently be retrieved.

type LibpodConfig added in v0.0.4

type LibpodConfig struct {

	// ConmonEnvVars are environment variables to pass to the Conmon binary
	// when it is launched.
	ConmonEnvVars []string `toml:"conmon_env_vars"`

	// ConmonPath is the path to the Conmon binary used for managing containers.
	// The first path pointing to a valid file will be used.
	ConmonPath []string `toml:"conmon_path"`

	//DetachKeys is the sequence of keys used to detach a container.
	DetachKeys string `toml:"detach_keys"`

	// EnablePortReservation determines whether libpod will reserve ports on the
	// host when they are forwarded to containers. When enabled, when ports are
	// forwarded to containers, they are held open by conmon as long as the
	// container is running, ensuring that they cannot be reused by other
	// programs on the host. However, this can cause significant memory usage if
	// a container has many ports forwarded to it. Disabling this can save
	// memory.
	EnablePortReservation bool `toml:"enable_port_reservation"`

	// EventsLogFilePath is where the events log is stored.
	EventsLogFilePath string `toml:"events_logfile_path"`

	// EventsLogger determines where events should be logged.
	EventsLogger string `toml:"events_logger"`

	// configuration files. When the same filename is present in in
	// multiple directories, the file in the directory listed last in
	// this slice takes precedence.
	HooksDir []string `toml:"hooks_dir"`

	// ImageDefaultTransport is the default transport method used to fetch
	// images.
	ImageDefaultTransport string `toml:"image_default_transport"`

	// InfraCommand is the command run to start up a pod infra container.
	InfraCommand string `toml:"infra_command"`

	// InfraImage is the image a pod infra container will use to manage
	// namespaces.
	InfraImage string `toml:"infra_image"`

	// InitPath is the path to the container-init binary.
	InitPath string `toml:"init_path"`

	// LockType is the type of locking to use.
	LockType string `toml:"lock_type,omitempty"`

	// Namespace is the libpod namespace to use. Namespaces are used to create
	// scopes to separate containers and pods in the state. When namespace is
	// set, libpod will only view containers and pods in the same namespace. All
	// containers and pods created will default to the namespace set here. A
	// namespace of "", the empty string, is equivalent to no namespace, and all
	// containers and pods will be visible. The default namespace is "".
	Namespace string `toml:"namespace,omitempty"`

	// NetworkCmdPath is the path to the slirp4netns binary.
	NetworkCmdPath string `toml:"network_cmd_path"`

	// NoPivotRoot sets whether to set no-pivot-root in the OCI runtime.
	NoPivotRoot bool `toml:"no_pivot_root"`

	// NumLocks is the number of locks to make available for containers and
	// pods.
	NumLocks uint32 `toml:"num_locks,omitempty"`

	// OCIRuntime is the OCI runtime to use.
	OCIRuntime string `toml:"runtime"`

	// OCIRuntimes are the set of configured OCI runtimes (default is runc).
	OCIRuntimes map[string][]string `toml:"runtimes"`

	// RuntimeSupportsJSON is the list of the OCI runtimes that support
	// --format=json.
	RuntimeSupportsJSON []string `toml:"runtime_supports_json"`

	// RuntimeSupportsNoCgroups is a list of OCI runtimes that support
	// running containers without CGroups.
	RuntimeSupportsNoCgroups []string `toml:"runtime_supports_nocgroups"`

	// SetOptions contains a subset of config options. It's used to indicate if
	// a given option has either been set by the user or by a parsed libpod
	// configuration file.  If not, the corresponding option might be
	// overwritten by values from the database.  This behavior guarantess
	// backwards compat with older version of libpod and Podman.
	SetOptions

	// SDNotify tells container engine to allow containers to notify the host systemd of
	// readiness using the SD_NOTIFY mechanism.
	SDNotify bool

	// StateType is the type of the backing state store. Avoid using multiple
	// values for this with the same containers/storage configuration on the
	// same system. Different state types do not interact, and each will see a
	// separate set of containers, which may cause conflicts in
	// containers/storage. As such this is not exposed via the config file.
	StateType RuntimeStateStore `toml:"-"`

	// StaticDir is the path to a persistent directory to store container
	// files.
	StaticDir string `toml:"static_dir"`

	// StorageConfig is the configuration used by containers/storage Not
	// included in the on-disk config, use the dedicated containers/storage
	// configuration file instead.
	StorageConfig storage.StoreOptions `toml:"-"`

	// TmpDir is the path to a temporary directory to store per-boot container
	// files. Must be stored in a tmpfs.
	TmpDir string `toml:"tmp_dir"`

	// VolumePath is the default location that named volumes will be created
	// under. This convention is followed by the default volume driver, but
	// may not be by other drivers.
	VolumePath string `toml:"volume_path"`
}

LibpodConfig contains configuration options used to set up a libpod runtime

func (*LibpodConfig) Validate added in v0.0.4

func (c *LibpodConfig) Validate() error

Validate is the main entry point for Libpod configuration validation It returns an `error` on validation failure, otherwise `nil`.

type NetworkConfig

type NetworkConfig struct {
	// CNIPluginDirs is where CNI plugin binaries are stored.
	CNIPluginDirs []string `toml:"cni_plugin_dirs"`

	// DefaultNetwork is the network name of the default CNI network
	// to attach pods to.
	DefaultNetwork string `toml:"default_network,omitempty"`

	// NetworkConfigDir is where CNI network configuration files are stored.
	NetworkConfigDir string `toml:"network_config_dir"`
}

NetworkConfig represents the "network" TOML config table

func (*NetworkConfig) Validate

func (c *NetworkConfig) Validate(onExecution bool) error

Validate is the main entry point for network configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

type RuntimeStateStore added in v0.0.4

type RuntimeStateStore int

RuntimeStateStore is a constant indicating which state store implementation should be used by libpod

const (
	// InvalidStateStore is an invalid state store
	InvalidStateStore RuntimeStateStore = iota
	// InMemoryStateStore is an in-memory state that will not persist data
	// on containers and pods between libpod instances or after system
	// reboot
	InMemoryStateStore RuntimeStateStore = iota
	// SQLiteStateStore is a state backed by a SQLite database
	// It is presently disabled
	SQLiteStateStore RuntimeStateStore = iota
	// BoltDBStateStore is a state backed by a BoltDB database
	BoltDBStateStore RuntimeStateStore = iota
)

type SetOptions added in v0.0.4

type SetOptions struct {
	// StorageConfigRunRootSet indicates if the RunRoot has been explicitly set
	// by the config or by the user. It's required to guarantee backwards
	// compatibility with older versions of libpod for which we must query the
	// database configuration. Not included in the on-disk config.
	StorageConfigRunRootSet bool `toml:"-"`

	// StorageConfigGraphRootSet indicates if the RunRoot has been explicitly
	// set by the config or by the user. It's required to guarantee backwards
	// compatibility with older versions of libpod for which we must query the
	// database configuration. Not included in the on-disk config.
	StorageConfigGraphRootSet bool `toml:"-"`

	// StorageConfigGraphDriverNameSet indicates if the GraphDriverName has been
	// explicitly set by the config or by the user. It's required to guarantee
	// backwards compatibility with older versions of libpod for which we must
	// query the database configuration. Not included in the on-disk config.
	StorageConfigGraphDriverNameSet bool `toml:"-"`

	// StaticDirSet indicates if the StaticDir has been explicitly set by the
	// config or by the user. It's required to guarantee backwards compatibility
	// with older versions of libpod for which we must query the database
	// configuration. Not included in the on-disk config.
	StaticDirSet bool `toml:"-"`

	// VolumePathSet indicates if the VolumePath has been explicitly set by the
	// config or by the user. It's required to guarantee backwards compatibility
	// with older versions of libpod for which we must query the database
	// configuration. Not included in the on-disk config.
	VolumePathSet bool `toml:"-"`

	// TmpDirSet indicates if the TmpDir has been explicitly set by the config
	// or by the user. It's required to guarantee backwards compatibility with
	// older versions of libpod for which we must query the database
	// configuration. Not included in the on-disk config.
	TmpDirSet bool `toml:"-"`
}

SetOptions contains a subset of options in a Config. It's used to indicate if a given option has either been set by the user or by a parsed libpod configuration file. If not, the corresponding option might be overwritten by values from the database. This behavior guarantess backwards compat with older version of libpod and Podman.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL