Documentation

Constants

const (
	// DefaultContainersConfig holds the default containers config path
	DefaultContainersConfig = "/usr/share/containers/containers.conf"
	// OverrideContainersConfig holds the default config path overridden by the root user
	OverrideContainersConfig = "/etc/containers/containers.conf"
	// UserOverrideContainersConfig holds the containers config path overridden by the rootless user
	UserOverrideContainersConfig = ".config/containers/containers.conf"
)
const (
	// CgroupfsCgroupsManager represents the cgroupfs native cgroup manager
	CgroupfsCgroupsManager = "cgroupfs"
	// DefaultApparmorProfile specifies the default apparmor profile for the container.
	DefaultApparmorProfile = "container-default"
	// SystemdCgroupsManager represents the systemd native cgroup manager
	SystemdCgroupsManager = "systemd"
	// DefaultLogDriver is the default type of log files
	DefaultLogDriver = "k8s-file"
	// DefaultLogSizeMax is the default value for the maximum log size
	// allowed for a container. Negative values mean that no limit is imposed.
	DefaultLogSizeMax = -1
	// DefaultPidsLimit is the default value for the maximum number of processes
	// allowed inside a container
	DefaultPidsLimit = 2048
	// DefaultRootlessSignaturePolicyPath is the default path of the
	// rootless policy.json file.
	DefaultRootlessSignaturePolicyPath = ".config/containers/policy.json"
	// DefaultShmSize default value
	DefaultShmSize = "65536k"
	// DefaultUserNSSize default value
	DefaultUserNSSize = 65536
	// OCIBufSize limits maximum LogSizeMax
	OCIBufSize = 8192
	// SeccompOverridePath if this exists it overrides the default seccomp path.
	SeccompOverridePath = _etcDir + "/crio/seccomp.json"
	// SeccompDefaultPath defines the default seccomp path.
	SeccompDefaultPath = _installPrefix + "/share/containers/seccomp.json"
)
Variables

var (
	// DefaultInitPath is the default path to the container-init binary
	DefaultInitPath = "/usr/libexec/podman/catatonit"
	// DefaultInfraImage to use for infra container
	DefaultInfraImage = "k8s.gcr.io/pause:3.1"
	// DefaultInfraCommand to be run in an infra container
	DefaultInfraCommand = "/pause"
	// DefaultRootlessSHMLockPath is the default path for rootless SHM locks
	DefaultRootlessSHMLockPath = "/libpod_rootless_lock"
	// DefaultDetachKeys is the default key sequence for detaching a
	// container
	DefaultDetachKeys = "ctrl-p,ctrl-q"
)
var (
	// ErrConmonOutdated indicates the version of conmon found (whether via the configuration or $PATH)
	// is out of date for the current podman version
	ErrConmonOutdated = errors.New("outdated conmon version")
	// ErrInvalidArg indicates that an invalid argument was passed
	ErrInvalidArg = errors.New("invalid argument")
	// DefaultHooksDirs defines the default hooks directory
	DefaultHooksDirs = []string{"/usr/share/containers/oci/hooks.d"}
	// DefaultCapabilities for the default_capabilities option in the containers.conf file
	DefaultCapabilities = []string{
		"CAP_AUDIT_WRITE",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_KILL",
		"CAP_MKNOD",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYS_CHROOT",
	}
)
Functions

func Device

Device parses a device mapping string into a src, dest and permissions string. Valid values for device look like:

"/dev/sdc"
"/dev/sdc:/dev/xvdc"
"/dev/sdc:/dev/xvdc:rwm"
"/dev/sdc:rm"
func IsDirectory

IsDirectory tests whether the given path exists and is a directory. It follows symlinks.
func IsValidDeviceMode

IsValidDeviceMode checks whether the mode for a device is valid. A valid mode is a composition of r (read), w (write), and m (mknod).
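The two functions above are documented only by their accepted input forms. The following is an added example, not the package's own code, that reimplements the parsing and mode check as parseDevice and isValidDeviceMode so the accepted forms can be tried against rejected ones. Three details are assumptions of this example and not stated by the page: a missing destination defaults to the source path, a missing mode defaults to "rwm", and both paths must be absolute (which is also how "src:mode" is told apart from "src:dst", since a mode never starts with "/").

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceMapping is the parsed form of a "src[:dst][:mode]" device string.
type DeviceMapping struct {
	Src  string // host device path
	Dst  string // path inside the container
	Mode string // any combination of r, w and m
}

// isValidDeviceMode reports whether mode is a non-empty combination of
// r (read), w (write) and m (mknod) with no character repeated.
func isValidDeviceMode(mode string) bool {
	if mode == "" {
		return false
	}
	used := map[rune]bool{'r': false, 'w': false, 'm': false}
	for _, c := range mode {
		seen, legal := used[c]
		if !legal || seen {
			return false // unknown flag, or the same flag twice
		}
		used[c] = true
	}
	return true
}

// parseDevice splits a device string into source, destination and
// permissions. Assumptions of this example: a missing destination means
// "same path as the source", a missing mode means "rwm", and both paths
// must be absolute.
func parseDevice(device string) (DeviceMapping, error) {
	parts := strings.Split(device, ":")
	m := DeviceMapping{Mode: "rwm"}
	switch len(parts) {
	case 3: // src:dst:mode
		m.Src, m.Dst, m.Mode = parts[0], parts[1], parts[2]
		if !isValidDeviceMode(m.Mode) {
			return DeviceMapping{}, fmt.Errorf("invalid device mode %q in %q", m.Mode, device)
		}
	case 2: // src:dst or src:mode; a bare mode never starts with "/"
		m.Src = parts[0]
		if isValidDeviceMode(parts[1]) {
			m.Mode = parts[1]
		} else {
			m.Dst = parts[1]
		}
	case 1: // src only
		m.Src = parts[0]
	default:
		return DeviceMapping{}, fmt.Errorf("invalid device specification %q", device)
	}
	if m.Dst == "" {
		m.Dst = m.Src
	}
	for _, p := range []string{m.Src, m.Dst} {
		if !strings.HasPrefix(p, "/") {
			return DeviceMapping{}, fmt.Errorf("device path %q in %q is not absolute", p, device)
		}
	}
	return m, nil
}

func main() {
	specs := []string{"/dev/sdc", "/dev/sdc:/dev/xvdc", "/dev/sdc:/dev/xvdc:rwm", "/dev/sdc:rm", "/dev/sdc:rr", "sdc"}
	for _, spec := range specs {
		m, err := parseDevice(spec)
		if err != nil {
			fmt.Printf("%-24s -> rejected: %v\n", spec, err)
			continue
		}
		fmt.Printf("%-24s -> src=%s dst=%s mode=%s\n", spec, m.Src, m.Dst, m.Mode)
	}
}
```

The rejected cases matter as much as the accepted ones: "/dev/sdc:rr" fails because a repeated flag is not a mode and "rr" is not an absolute path either, so a typo cannot silently widen permissions or be mounted at an unexpected relative path.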
Types

type Config

type Config struct {
	// Containers specify settings that configure how containers will run on the system
	Containers ContainersConfig `toml:"containers"`
	// Libpod specifies how the container engine based on Libpod will run
	Libpod LibpodConfig `toml:"libpod"`
	// Network section defines the configuration of CNI Plugins
	Network NetworkConfig `toml:"network"`
}

Config contains configuration options for container tools.
func DefaultConfig

DefaultConfig defines the default values from containers.conf.
func NewConfig (added in v0.0.4)

NewConfig creates a new Config. It starts with an empty config and, if specified, merges the config at `userConfigPath`. Depending on whether we're running as root or rootless, we then merge the system configuration, followed by the default config (the hard-coded default in memory). Note that the OCI runtime is hard-set to `crun` if we're running on a system with cgroups v2, because other OCI runtimes do not yet support cgroups v2. This might change in the future.
func ReadConfigFromFile (added in v0.0.4)

ReadConfigFromFile reads the specified config file at `path` and attempts to unmarshal its content into a Config. The config param specifies the previous default config. If the TOML file at `path` only specifies a few fields, the defaults from the config parameter will be used for all other fields.
func (*Config) Capabilities (added in v0.1.0)

Capabilities returns the capabilities for the container: the Add and Drop capability lists are parsed and applied to the default capabilities.
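The doc comment gives the shape of the computation (defaults, minus Drop, plus Add) but not its edge cases. The following is an added example, not the package's own Capabilities method, that performs that merge on a copy of the DefaultCapabilities list from this page. Two choices are the example's own and not stated by the page: a name listed in both Add and Drop is rejected as ambiguous rather than letting one side win silently, and "ALL" is honoured only in Drop, because the page lists no complete capability table from which an "ALL" in Add could be expanded.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// defaultCapabilities mirrors the package's DefaultCapabilities list.
var defaultCapabilities = []string{
	"CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE",
	"CAP_NET_RAW", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", "CAP_SYS_CHROOT",
}

// normalizeCap upper-cases a capability name and adds the CAP_ prefix
// when it is missing, so "net_admin" and "CAP_NET_ADMIN" compare equal.
func normalizeCap(name string) string {
	name = strings.ToUpper(strings.TrimSpace(name))
	if name == "ALL" || strings.HasPrefix(name, "CAP_") {
		return name
	}
	return "CAP_" + name
}

// mergeCapabilities computes the effective capability set: start from
// defaults, remove every entry in drop ("ALL" empties the set), then add
// every entry in add. Example-specific choices: a name in both add and drop
// is an error, and "ALL" in add is an error because no full table exists here.
func mergeCapabilities(defaults, add, drop []string) ([]string, error) {
	dropSet := map[string]bool{}
	dropAll := false
	for _, c := range drop {
		if c = normalizeCap(c); c == "ALL" {
			dropAll = true
		} else {
			dropSet[c] = true
		}
	}
	result := map[string]bool{}
	if !dropAll {
		for _, c := range defaults {
			if c = normalizeCap(c); !dropSet[c] {
				result[c] = true
			}
		}
	}
	for _, c := range add {
		c = normalizeCap(c)
		if c == "ALL" {
			return nil, fmt.Errorf("adding ALL is not supported by this example")
		}
		if dropSet[c] {
			return nil, fmt.Errorf("capability %s is both added and dropped", c)
		}
		result[c] = true
	}
	out := make([]string, 0, len(result))
	for c := range result {
		out = append(out, c)
	}
	sort.Strings(out) // deterministic order for comparison and logging
	return out, nil
}

func main() {
	// Typical least-privilege pattern: drop everything, add back only what is needed.
	caps, err := mergeCapabilities(defaultCapabilities, []string{"net_bind_service"}, []string{"ALL"})
	fmt.Println(caps, err)
	// Trim the defaults instead: remove raw sockets and mknod.
	caps, err = mergeCapabilities(defaultCapabilities, nil, []string{"CAP_NET_RAW", "mknod"})
	fmt.Println(caps, err)
	// Contradictory input is surfaced rather than resolved silently.
	_, err = mergeCapabilities(defaultCapabilities, []string{"chown"}, []string{"CAP_CHOWN"})
	fmt.Println(err)
}
```

Sorting the result before returning it makes the effective set easy to diff against a policy baseline, which is the check that catches a container quietly gaining CAP_NET_RAW or CAP_MKNOD through a config layer.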
func (*Config) FindConmon (added in v0.0.4)

FindConmon iterates over (*Config).ConmonPath and returns the path to the first (version-)matching conmon binary. If none is found, we try a $PATH lookup of "conmon".
func (*Config) GetDefaultEnv (added in v0.0.7)

GetDefaultEnv returns the environment variables for the container. It checks the HTTPProxy and EnvHost booleans and adds the appropriate environment variables to the container.
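The difference between the two booleans is easy to miss and has a direct exposure consequence: EnvHost copies the entire host environment into every container, while HTTPProxy copies only proxy settings. The following is an added example, not the package's own GetDefaultEnv, that models that selection over a constructed host environment instead of os.Environ() so the result can be inspected. Assumptions of this example, not stated on the page: EnvHost takes precedence when both are set, the proxy variables recognised are http_proxy, https_proxy, ftp_proxy and no_proxy in either case, and the config's own Env list is appended last.

```go
package main

import (
	"fmt"
	"strings"
)

// envConfig is the subset of ContainersConfig that the selection consults.
type envConfig struct {
	EnvHost   bool     // pass the whole host environment through (env_host)
	HTTPProxy bool     // pass only proxy variables through (http_proxy)
	Env       []string // extra KEY=VALUE entries from the config (env)
}

// proxyVars are the names treated as proxy settings (assumption of this example);
// they are matched case-insensitively, so HTTP_PROXY and http_proxy both count.
var proxyVars = []string{"http_proxy", "https_proxy", "ftp_proxy", "no_proxy"}

func isProxyVar(name string) bool {
	for _, p := range proxyVars {
		if strings.EqualFold(name, p) {
			return true
		}
	}
	return false
}

// defaultEnv builds the container environment from hostEnv (KEY=VALUE
// entries, normally os.Environ()) according to cfg: EnvHost copies every
// host variable, HTTPProxy copies only proxy variables, neither copies
// nothing, and cfg.Env is appended last in every case.
func defaultEnv(hostEnv []string, cfg envConfig) []string {
	var env []string
	switch {
	case cfg.EnvHost:
		env = append(env, hostEnv...)
	case cfg.HTTPProxy:
		for _, kv := range hostEnv {
			name, _, _ := strings.Cut(kv, "=")
			if isProxyVar(name) {
				env = append(env, kv)
			}
		}
	}
	return append(env, cfg.Env...)
}

// hasVar reports whether env contains an entry for the exact variable name.
func hasVar(env []string, name string) bool {
	for _, kv := range env {
		if n, _, _ := strings.Cut(kv, "="); n == name {
			return true
		}
	}
	return false
}

func main() {
	// Constructed host environment: the password value is not a real secret.
	host := []string{
		"PATH=/usr/bin",
		"HOME=/root",
		"HTTP_PROXY=http://proxy.example:3128",
		"no_proxy=localhost",
		"DB_PASSWORD=constructed-not-a-real-secret",
	}
	fmt.Println("http_proxy=true:", defaultEnv(host, envConfig{HTTPProxy: true, Env: []string{"TERM=xterm"}}))
	fmt.Println("env_host=true:  ", defaultEnv(host, envConfig{EnvHost: true}))
}
```

Running it shows why env_host deserves review in any containers.conf: the second line carries DB_PASSWORD into the container while the first carries only the proxy settings.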
func (*Config) MergeDBConfig (added in v0.0.4)

MergeDBConfig merges the configuration from the database.
type ContainersConfig

type ContainersConfig struct {
	// Devices to add to all containers
	AdditionalDevices []string `toml:"additional_devices"`
	// Volumes to add to all containers
	AdditionalVolumes []string `toml:"additional_volumes"`
	// ApparmorProfile is the apparmor profile name which is used as the
	// default for the runtime.
	ApparmorProfile string `toml:"apparmor_profile"`
	// CgroupManager is the cgroup manager to use. Valid values are "cgroupfs"
	// and "systemd".
	CgroupManager string `toml:"cgroup_manager"`
	// Default way to create a cgroup namespace for the container
	CgroupNS string `toml:"cgroupns"`
	// Capabilities to add to all containers.
	DefaultCapabilities []string `toml:"default_capabilities"`
	// Sysctls to add to all containers.
	DefaultSysctls []string `toml:"default_sysctls"`
	// DefaultUlimits specifies the default ulimits to apply to containers
	DefaultUlimits []string `toml:"default_ulimits"`
	// DefaultMountsFile is the path to the default mounts file for testing
	DefaultMountsFile string `toml:"-"`
	// DNSServers set default DNS servers.
	DNSServers []string `toml:"dns_servers"`
	// DNSOptions set default DNS options.
	DNSOptions []string `toml:"dns_options"`
	// DNSSearches set default DNS search domains.
	DNSSearches []string `toml:"dns_searches"`
	// EnableLabeling tells the container engines whether to use MAC
	// labeling to separate containers (SELinux)
	EnableLabeling bool `toml:"label"`
	// Env is the environment variable list for the container process.
	Env []string `toml:"env"`
	// EnvHost passes all host environment variables into the container.
	EnvHost bool `toml:"env_host"`
	// HTTPProxy is the proxy environment variable list to apply to the container process
	HTTPProxy bool `toml:"http_proxy"`
	// Init tells container runtimes whether to run init inside the
	// container that forwards signals and reaps processes.
	Init bool `toml:"init"`
	// InitPath is the path for init to run if the Init bool is enabled
	InitPath string `toml:"init_path"`
	// IPCNS is the way to create an ipc namespace for the container
	IPCNS string `toml:"ipcns"`
	// LogDriver for the container. For example: k8s-file and journald
	LogDriver string `toml:"log_driver"`
	// LogSizeMax is the maximum number of bytes after which the log file
	// will be truncated. It can be expressed as a human-friendly string
	// that is parsed to bytes.
	// Negative values indicate that the log file won't be truncated.
	LogSizeMax int64 `toml:"log_size_max"`
	// NetNS indicates how to create a network namespace for the container
	NetNS string `toml:"netns"`
	// NoHosts tells the container engine whether to create its own /etc/hosts
	NoHosts bool `toml:"no_hosts"`
	// PidsLimit is the number of processes each container is restricted to
	// by the cgroup process number controller.
	PidsLimit int64 `toml:"pids_limit"`
	// PidNS indicates how to create a pid namespace for the container
	PidNS string `toml:"pidns"`
	// SeccompProfile is the seccomp.json profile path which is used as the
	// default for the runtime.
	SeccompProfile string `toml:"seccomp_profile"`
	// ShmSize holds the size of /dev/shm.
	ShmSize string `toml:"shm_size"`
	// SignaturePolicyPath is the path to a signature policy to use for
	// validating images. If left empty, the containers/image default signature
	// policy will be used.
	SignaturePolicyPath string `toml:"_"`
	// UTSNS indicates how to create a UTS namespace for the container
	UTSNS string `toml:"utsns"`
	// UserNS indicates how to create a User namespace for the container
	UserNS string `toml:"userns"`
	// UserNSSize is how many UIDs to allocate for an automatically created UserNS
	UserNSSize int `toml:"userns_size"`
}

ContainersConfig represents the "containers" TOML config table, which holds the global options for container tools.
func (*ContainersConfig) Validate

func (c *ContainersConfig) Validate() error

Validate is the main entry point for containers configuration validation. It returns an `error` on validation failure, otherwise `nil`.
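The NewConfig and ReadConfigFromFile comments above describe a layered merge (each file overrides only the fields it sets, and whatever is still unset is filled from the in-memory defaults), and Validate then checks the merged result. The following is an added example, not the package's own code, that models both steps on a cut-down ContainersConfig. JSON stands in for TOML only because the Go standard library has no TOML decoder; the overlay behaviour shown (a field absent from a layer keeps its previous value) is the same. Assumptions of this example beyond the page: the default values chosen, and that a non-negative LogSizeMax must be at least OCIBufSize, the buffer size conmon writes logs with. The example also adds a second constructor, newConfigDefaultsFirst, to show the one difference between "fill defaults at the end" and "start from defaults" that matters for booleans.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ociBufSize mirrors the package constant OCIBufSize.
const ociBufSize = 8192

// containersConfig is a cut-down stand-in for ContainersConfig.
type containersConfig struct {
	CgroupManager  string `json:"cgroup_manager"`
	LogSizeMax     int64  `json:"log_size_max"`
	PidsLimit      int64  `json:"pids_limit"`
	EnableLabeling bool   `json:"label"`
}

// defaultConfig is the hard-coded in-memory default (values are this example's own).
func defaultConfig() containersConfig {
	return containersConfig{CgroupManager: "systemd", LogSizeMax: -1, PidsLimit: 2048, EnableLabeling: true}
}

// readConfigFromData overlays one layer onto base, as ReadConfigFromFile
// overlays a file onto the config it is given: only fields present in the
// layer change, every other field keeps the value it already had.
func readConfigFromData(data []byte, base containersConfig) (containersConfig, error) {
	c := base
	if err := json.Unmarshal(data, &c); err != nil {
		return containersConfig{}, err
	}
	return c, nil
}

// fillDefaults copies def into every field of c that is still at its zero value.
// It cannot tell "set to false/0 on purpose" from "never set".
func fillDefaults(c, def containersConfig) containersConfig {
	if c.CgroupManager == "" {
		c.CgroupManager = def.CgroupManager
	}
	if c.LogSizeMax == 0 {
		c.LogSizeMax = def.LogSizeMax
	}
	if c.PidsLimit == 0 {
		c.PidsLimit = def.PidsLimit
	}
	if !c.EnableLabeling {
		c.EnableLabeling = def.EnableLabeling
	}
	return c
}

// newConfigAsDocumented follows the order in the NewConfig doc comment:
// start empty, overlay each layer in turn, then fill what is still unset
// from the defaults.
func newConfigAsDocumented(layers ...[]byte) (containersConfig, error) {
	var c containersConfig
	for _, l := range layers {
		var err error
		if c, err = readConfigFromData(l, c); err != nil {
			return containersConfig{}, err
		}
	}
	return fillDefaults(c, defaultConfig()), nil
}

// newConfigDefaultsFirst starts from the defaults instead, so a layer that
// explicitly sets a zero value (label = false) is kept rather than reverted.
func newConfigDefaultsFirst(layers ...[]byte) (containersConfig, error) {
	c := defaultConfig()
	for _, l := range layers {
		var err error
		if c, err = readConfigFromData(l, c); err != nil {
			return containersConfig{}, err
		}
	}
	return c, nil
}

// validate plays the role of (*ContainersConfig).Validate for the fields
// modelled here, reporting every problem at once rather than the first.
func validate(c containersConfig) error {
	var problems []string
	if c.CgroupManager != "cgroupfs" && c.CgroupManager != "systemd" {
		problems = append(problems, fmt.Sprintf("cgroup_manager %q is not cgroupfs or systemd", c.CgroupManager))
	}
	if c.LogSizeMax >= 0 && c.LogSizeMax < ociBufSize {
		problems = append(problems, fmt.Sprintf("log_size_max %d must be negative or >= %d", c.LogSizeMax, ociBufSize))
	}
	if c.PidsLimit < 0 {
		problems = append(problems, fmt.Sprintf("pids_limit %d must not be negative", c.PidsLimit))
	}
	if len(problems) > 0 {
		return fmt.Errorf("invalid containers config: %s", strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	// Constructed layers: a system file and a user override.
	system := []byte(`{"cgroup_manager": "cgroupfs", "pids_limit": 1024}`)
	user := []byte(`{"label": false, "log_size_max": 4096}`)
	c, _ := newConfigAsDocumented(system, user)
	fmt.Printf("documented order: %+v validate=%v\n", c, validate(c))
	d, _ := newConfigDefaultsFirst(system, user)
	fmt.Printf("defaults first:   %+v validate=%v\n", d, validate(d))
}
```

The run shows the caveat behind SetOptions at the bottom of this page: with fill-at-the-end semantics, the user's `label = false` is indistinguishable from "unset" and is silently reverted to the default `true`, whereas starting from the defaults preserves it. Either way the 4096-byte log limit is rejected by validation, which is the check that keeps conmon's write buffer and the truncation limit consistent.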
type DBConfig (added in v0.0.4)

type DBConfig struct {
	LibpodRoot  string
	LibpodTmp   string
	StorageRoot string
	StorageTmp  string
	GraphDriver string
	VolumePath  string
}

DBConfig is a set of Libpod runtime configuration settings that are saved in a State when it is first created, and can subsequently be retrieved.
type LibpodConfig (added in v0.0.4)

type LibpodConfig struct {
	// ConmonEnvVars are environment variables to pass to the Conmon binary
	// when it is launched.
	ConmonEnvVars []string `toml:"conmon_env_vars"`
	// ConmonPath is the path to the Conmon binary used for managing containers.
	// The first path pointing to a valid file will be used.
	ConmonPath []string `toml:"conmon_path"`
	// DetachKeys is the sequence of keys used to detach a container.
	DetachKeys string `toml:"detach_keys"`
	// EnablePortReservation determines whether libpod will reserve ports on the
	// host when they are forwarded to containers. When enabled, when ports are
	// forwarded to containers, they are held open by conmon as long as the
	// container is running, ensuring that they cannot be reused by other
	// programs on the host. However, this can cause significant memory usage if
	// a container has many ports forwarded to it. Disabling this can save
	// memory.
	EnablePortReservation bool `toml:"enable_port_reservation"`
	// EventsLogFilePath is where the events log is stored.
	EventsLogFilePath string `toml:"events_logfile_path"`
	// EventsLogger determines where events should be logged.
	EventsLogger string `toml:"events_logger"`
	// HooksDir lists the directories searched for OCI hooks
	// configuration files. When the same filename is present in
	// multiple directories, the file in the directory listed last in
	// this slice takes precedence.
	HooksDir []string `toml:"hooks_dir"`
	// ImageDefaultTransport is the default transport method used to fetch
	// images.
	ImageDefaultTransport string `toml:"image_default_transport"`
	// InfraCommand is the command run to start up a pod infra container.
	InfraCommand string `toml:"infra_command"`
	// InfraImage is the image a pod infra container will use to manage
	// namespaces.
	InfraImage string `toml:"infra_image"`
	// InitPath is the path to the container-init binary.
	InitPath string `toml:"init_path"`
	// LockType is the type of locking to use.
	LockType string `toml:"lock_type,omitempty"`
	// Namespace is the libpod namespace to use. Namespaces are used to create
	// scopes to separate containers and pods in the state. When namespace is
	// set, libpod will only view containers and pods in the same namespace. All
	// containers and pods created will default to the namespace set here. A
	// namespace of "", the empty string, is equivalent to no namespace, and all
	// containers and pods will be visible. The default namespace is "".
	Namespace string `toml:"namespace,omitempty"`
	// NetworkCmdPath is the path to the slirp4netns binary.
	NetworkCmdPath string `toml:"network_cmd_path"`
	// NoPivotRoot sets whether to set no-pivot-root in the OCI runtime.
	NoPivotRoot bool `toml:"no_pivot_root"`
	// NumLocks is the number of locks to make available for containers and
	// pods.
	NumLocks uint32 `toml:"num_locks,omitempty"`
	// OCIRuntime is the OCI runtime to use.
	OCIRuntime string `toml:"runtime"`
	// OCIRuntimes are the set of configured OCI runtimes (default is runc).
	OCIRuntimes map[string][]string `toml:"runtimes"`
	// RuntimeSupportsJSON is the list of the OCI runtimes that support
	// --format=json.
	RuntimeSupportsJSON []string `toml:"runtime_supports_json"`
	// RuntimeSupportsNoCgroups is a list of OCI runtimes that support
	// running containers without CGroups.
	RuntimeSupportsNoCgroups []string `toml:"runtime_supports_nocgroups"`
	// SetOptions contains a subset of config options. It's used to indicate if
	// a given option has either been set by the user or by a parsed libpod
	// configuration file. If not, the corresponding option might be
	// overwritten by values from the database. This behavior guarantees
	// backwards compatibility with older versions of libpod and Podman.
	SetOptions
	// SDNotify tells the container engine to allow containers to notify the host systemd of
	// readiness using the SD_NOTIFY mechanism.
	SDNotify bool
	// StateType is the type of the backing state store. Avoid using multiple
	// values for this with the same containers/storage configuration on the
	// same system. Different state types do not interact, and each will see a
	// separate set of containers, which may cause conflicts in
	// containers/storage. As such this is not exposed via the config file.
	StateType RuntimeStateStore `toml:"-"`
	// StaticDir is the path to a persistent directory to store container
	// files.
	StaticDir string `toml:"static_dir"`
	// StorageConfig is the configuration used by containers/storage. Not
	// included in the on-disk config; use the dedicated containers/storage
	// configuration file instead.
	StorageConfig storage.StoreOptions `toml:"-"`
	// TmpDir is the path to a temporary directory to store per-boot container
	// files. Must be stored in a tmpfs.
	TmpDir string `toml:"tmp_dir"`
	// VolumePath is the default location that named volumes will be created
	// under. This convention is followed by the default volume driver, but
	// may not be by other drivers.
	VolumePath string `toml:"volume_path"`
}

LibpodConfig contains configuration options used to set up a libpod runtime.
func (*LibpodConfig) Validate (added in v0.0.4)

func (c *LibpodConfig) Validate() error

Validate is the main entry point for Libpod configuration validation. It returns an `error` on validation failure, otherwise `nil`.
type NetworkConfig

type NetworkConfig struct {
	// CNIPluginDirs is where CNI plugin binaries are stored.
	CNIPluginDirs []string `toml:"cni_plugin_dirs"`
	// DefaultNetwork is the network name of the default CNI network
	// to attach pods to.
	DefaultNetwork string `toml:"default_network,omitempty"`
	// NetworkConfigDir is where CNI network configuration files are stored.
	NetworkConfigDir string `toml:"network_config_dir"`
}

NetworkConfig represents the "network" TOML config table.
func (*NetworkConfig) Validate

func (c *NetworkConfig) Validate(onExecution bool) error

Validate is the main entry point for network configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
type RuntimeStateStore (added in v0.0.4)

type RuntimeStateStore int

RuntimeStateStore is a constant indicating which state store implementation should be used by libpod.

const (
	// InvalidStateStore is an invalid state store
	InvalidStateStore RuntimeStateStore = iota
	// InMemoryStateStore is an in-memory state that will not persist data
	// on containers and pods between libpod instances or after system
	// reboot
	InMemoryStateStore RuntimeStateStore = iota
	// SQLiteStateStore is a state backed by a SQLite database
	// It is presently disabled
	SQLiteStateStore RuntimeStateStore = iota
	// BoltDBStateStore is a state backed by a BoltDB database
	BoltDBStateStore RuntimeStateStore = iota
)
type SetOptions (added in v0.0.4)

type SetOptions struct {
	// StorageConfigRunRootSet indicates if the RunRoot has been explicitly set
	// by the config or by the user. It's required to guarantee backwards
	// compatibility with older versions of libpod for which we must query the
	// database configuration. Not included in the on-disk config.
	StorageConfigRunRootSet bool `toml:"-"`
	// StorageConfigGraphRootSet indicates if the GraphRoot has been explicitly
	// set by the config or by the user. It's required to guarantee backwards
	// compatibility with older versions of libpod for which we must query the
	// database configuration. Not included in the on-disk config.
	StorageConfigGraphRootSet bool `toml:"-"`
	// StorageConfigGraphDriverNameSet indicates if the GraphDriverName has been
	// explicitly set by the config or by the user. It's required to guarantee
	// backwards compatibility with older versions of libpod for which we must
	// query the database configuration. Not included in the on-disk config.
	StorageConfigGraphDriverNameSet bool `toml:"-"`
	// StaticDirSet indicates if the StaticDir has been explicitly set by the
	// config or by the user. It's required to guarantee backwards compatibility
	// with older versions of libpod for which we must query the database
	// configuration. Not included in the on-disk config.
	StaticDirSet bool `toml:"-"`
	// VolumePathSet indicates if the VolumePath has been explicitly set by the
	// config or by the user. It's required to guarantee backwards compatibility
	// with older versions of libpod for which we must query the database
	// configuration. Not included in the on-disk config.
	VolumePathSet bool `toml:"-"`
	// TmpDirSet indicates if the TmpDir has been explicitly set by the config
	// or by the user. It's required to guarantee backwards compatibility with
	// older versions of libpod for which we must query the database
	// configuration. Not included in the on-disk config.
	TmpDirSet bool `toml:"-"`
}

SetOptions contains a subset of options in a Config. It's used to indicate if a given option has either been set by the user or by a parsed libpod configuration file. If not, the corresponding option might be overwritten by values from the database. This behavior guarantees backwards compatibility with older versions of libpod and Podman.