Merge pull request #5206 from rhatdan/capabilities

Allow devs to set labels in container images for default capabilities.

2 files changed, 26 insertions, 4 deletions

diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md
index 12f099e65..3f0bfc57b 100644
--- a/docs/source/markdown/podman-build.1.md
+++ b/docs/source/markdown/podman-build.1.md
@@ -279,6 +279,16 @@ BUILDAH\_ISOLATION environment variable.  `export BUILDAH_ISOLATION=oci`
 
 Add an image *label* (e.g. label=*value*) to the image metadata. Can be used multiple times.
 
+Users can set a special LABEL **io.containers.capabilities=CAP1,CAP2,CAP3** in
+a Containerfile that specified the list of Linux capabilities required for the
+container to run properly. This label specified in a container image tells
+Podman to run the container with just these capabilties. Podman launches the
+container with just the specified capabilties, as long as this list of
+capabilities is a subset of the default list.
+
+If the specified capabilities are not in the default set, Podman will
+print an error message and will run the container with the default capabilities.
+
 **--layers**
 
 Cache intermediate images during the build process (Default is `true`).
diff --git a/docs/source/markdown/podman-commit.1.md b/docs/source/markdown/podman-commit.1.md
index 66d8811aa..13e46a899 100644
--- a/docs/source/markdown/podman-commit.1.md
+++ b/docs/source/markdown/podman-commit.1.md
@@ -60,8 +60,9 @@ Suppress output
 
 ## EXAMPLES
 
+### Create image from container with entrypoint and label
 ```
-$ podman commit --change CMD=/bin/bash --change ENTRYPOINT=/bin/sh --change LABEL=blue=image reverent_golick image-committed
+$ podman commit --change CMD=/bin/bash --change ENTRYPOINT=/bin/sh --change "LABEL blue=image" reverent_golick image-committed
 Getting image source signatures
 Copying blob sha256:b41deda5a2feb1f03a5c1bb38c598cbc12c9ccd675f438edc6acd815f7585b86
  25.80 MB / 25.80 MB [======================================================] 0s
@@ -72,26 +73,37 @@ Storing signatures
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Create image from container with commit message
 ```
-$ podman commit -q --message "committing container to image" reverent_golick image-committed
-e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
+$ podman commit -q --message "committing container to image"
+reverent_golick image-committed
+e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ```
 ```
 
+### Create image from container with author
 ```
 $ podman commit -q --author "firstName lastName" reverent_golick image-committed
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Pause a running container while creating the image
 ```
-$ podman commit -q --pause=false containerID image-committed
+$ podman commit -q --pause=true containerID image-committed
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Create an image from a container with a default image tag
 ```
 $ podman commit containerID
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Create an image from container with default required capabilities are SETUID and SETGID
+```
+$ podman commit -q --change LABEL=io.containers.capabilities=setuid,setgid epic_nobel privimage
+400d31a3f36dca751435e80a0e16da4859beb51ff84670ce6bdc5edb30b94066
+```
+
 ## SEE ALSO
 podman(1), podman-run(1), podman-create(1)