From 4a7af72ea95bd6ebba19db8d052527c5beb9c0eb Mon Sep 17 00:00:00 2001 From: Urvashi Mohnani Date: Mon, 15 Nov 2021 10:05:42 -0500 Subject: Add note about volume with unprivileged container Add a note to the generated kube yaml if we detect a volume is being mounted. The note lets the user know what needs to be done to avoid permission denied error when trying to access the volume for an unprivileged container. Add the same note to the man pages. NO NEW TESTS NEEDED Signed-off-by: Urvashi Mohnani --- docs/source/markdown/podman-generate-kube.1.md | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/source') diff --git a/docs/source/markdown/podman-generate-kube.1.md b/docs/source/markdown/podman-generate-kube.1.md index a583afcf9..0add97144 100644 --- a/docs/source/markdown/podman-generate-kube.1.md +++ b/docs/source/markdown/podman-generate-kube.1.md 
@@ -19,6 +19,12 @@ Potential name conflicts between volumes are avoided by using a standard naming Note that if an init container is created with type `once` and the pod has been started, the init container will not show up in the generated kube YAML as `once` type init containers are deleted after they are run. If the pod has only been created and not started, it will be in the generated kube YAML. Init containers created with type `always` will always be generated in the kube YAML as they are never deleted, even after running to completion. +*Note*: When using volumes and generating a Kubernetes YAML for an unprivileged and rootless podman container on an **SELinux enabled system**, one of the following options must be completed: + * Add the "privileged: true" option to the pod spec + * Add `type: spc_t` under the `securityContext` `seLinuxOptions` in the pod spec + * Relabel the volume via the CLI command `chcon -t container_file_t context -R ` +Once completed, the correct permissions will be in place to access the volume when the pod/container is created in a Kubernetes cluster. + Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1). ## OPTIONS -- cgit v1.2.3-54-g00ecf From e2d6948157123922e9be0f451074256b1a26222a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 25 Nov 2021 05:48:25 -0500 Subject: List /etc/containers/certs.d as default for --cert-path Helps Document https://github.com/containers/podman/issues/10116 
Signed-off-by: Daniel J Walsh --- docs/source/markdown/podman-build.1.md | 2 +- docs/source/markdown/podman-container-runlabel.1.md | 3 ++- docs/source/markdown/podman-image-sign.1.md | 2 +- docs/source/markdown/podman-login.1.md | 2 +- docs/source/markdown/podman-manifest-add.1.md | 2 +- docs/source/markdown/podman-manifest-push.1.md | 2 +- docs/source/markdown/podman-play-kube.1.md | 2 +- docs/source/markdown/podman-pull.1.md | 2 +- docs/source/markdown/podman-push.1.md | 2 +- 9 files changed, 10 insertions(+), 9 deletions(-) (limited to 'docs/source') diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 965f5319f..44232513a 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -114,7 +114,7 @@ given. #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--cgroup-parent**=*path* diff --git a/docs/source/markdown/podman-container-runlabel.1.md b/docs/source/markdown/podman-container-runlabel.1.md index ec67a2687..7818ab7c3 100644 --- a/docs/source/markdown/podman-container-runlabel.1.md +++ b/docs/source/markdown/podman-container-runlabel.1.md 
@@ -41,7 +41,8 @@ Display the label's value of the image having populated its environment variable #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) +Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--creds**=*[username[:password]]* diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md index 616aab8ff..f92d25519 100644 --- a/docs/source/markdown/podman-image-sign.1.md +++ b/docs/source/markdown/podman-image-sign.1.md @@ -25,7 +25,7 @@ Sign all the manifests of the multi-architecture image (default false). #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--directory**, **-d**=*dir* diff --git a/docs/source/markdown/podman-login.1.md b/docs/source/markdown/podman-login.1.md index 3e23600fa..35eeb7056 100644 --- a/docs/source/markdown/podman-login.1.md +++ b/docs/source/markdown/podman-login.1.md @@ -37,7 +37,7 @@ environment variable. `export REGISTRY_AUTH_FILE=path` #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--get-login** 
diff --git a/docs/source/markdown/podman-manifest-add.1.md b/docs/source/markdown/podman-manifest-add.1.md index 376301589..ad478232e 100644 --- a/docs/source/markdown/podman-manifest-add.1.md +++ b/docs/source/markdown/podman-manifest-add.1.md @@ -43,7 +43,7 @@ environment variable. `export REGISTRY_AUTH_FILE=path` #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--creds**=*creds* diff --git a/docs/source/markdown/podman-manifest-push.1.md b/docs/source/markdown/podman-manifest-push.1.md index 2cf1cc375..9342cf8a0 100644 --- a/docs/source/markdown/podman-manifest-push.1.md +++ b/docs/source/markdown/podman-manifest-push.1.md @@ -29,7 +29,7 @@ environment variable. `export REGISTRY_AUTH_FILE=path` #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--creds**=*creds* diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md index 629f16e24..0ba7831c9 100644 --- a/docs/source/markdown/podman-play-kube.1.md +++ b/docs/source/markdown/podman-play-kube.1.md 
@@ -118,7 +118,7 @@ Build images even if they are found in the local storage. #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--configmap**=*path* diff --git a/docs/source/markdown/podman-pull.1.md b/docs/source/markdown/podman-pull.1.md index d440e8476..863d5809f 100644 --- a/docs/source/markdown/podman-pull.1.md +++ b/docs/source/markdown/podman-pull.1.md @@ -62,7 +62,7 @@ Default is `${XDG\_RUNTIME\_DIR}/containers/auth.json`, which is set using `podm #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)** for details. (This option is not available with the remote Podman client) #### **--creds**=*[username[:password]]* diff --git a/docs/source/markdown/podman-push.1.md b/docs/source/markdown/podman-push.1.md index 68478accd..70fc680cb 100644 --- a/docs/source/markdown/podman-push.1.md +++ b/docs/source/markdown/podman-push.1.md @@ -63,7 +63,7 @@ value can be entered. The password is entered without echo. #### **--cert-dir**=*path* -Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. +Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client) #### **--compress** -- cgit v1.2.3-54-g00ecf From 06572041619db7a9e59403c352ea64cab2617f91 Mon Sep 17 00:00:00 2001 
From: Miloslav Trmač Date: Thu, 2 Dec 2021 22:28:30 +0100 Subject: Improve documentation of (podman image save --format) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Don't pointlessly repeat the names - Improve documentation of the formats - Use a table, per MANPAGE_SYNTAX.md Signed-off-by: Miloslav Trmač --- docs/source/markdown/podman-save.1.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'docs/source') diff --git a/docs/source/markdown/podman-save.1.md b/docs/source/markdown/podman-save.1.md index 1f1f60b22..f5c35747e 100644 --- a/docs/source/markdown/podman-save.1.md +++ b/docs/source/markdown/podman-save.1.md @@ -9,8 +9,8 @@ podman\-save - Save image(s) to an archive **podman image save** [*options*] *name*[:*tag*] ## DESCRIPTION -**podman save** saves an image to either **docker-archive**, **oci-archive**, **oci-dir** (directory with oci manifest type), or **docker-dir** (directory with v2s2 manifest type) on the local machine, -default is **docker-archive**. **podman save** writes to STDOUT by default and can be redirected to a +**podman save** saves an image to a local file or directory. +**podman save** writes to STDOUT by default and can be redirected to a file using the **output** flag. The **quiet** flag suppresses the output when set. **podman save** will save parent layers of the image(s) and the image(s) can be loaded using **podman load**. To export the containers, use the **podman export**. 
@@ -35,17 +35,18 @@ Write to a file, default is STDOUT #### **--format**=*format* -Save image to **docker-archive**, **oci-archive** (see `containers-transports(5)`), **oci-dir** (`oci` transport), or **docker-dir** (`dir` transport with v2s2 manifest type). -``` ---format docker-archive ---format oci-archive ---format oci-dir ---format docker-dir -``` +An image format to produce, one of: + +| Format | Description | +| ------------------ | ---------------------------------------------------------------------------- | +| **docker-archive** | A tar archive interoperable with **docker load(1)** (the default) | +| **oci-archive** | A tar archive using the OCI Image Format | +| **oci-dir** | A directory using the OCI Image Format | +| **docker-dir** | **dir** transport (see **containers-transports(5)**) with v2s2 manifest type | #### **--multi-image-archive**, **-m** -Allow for creating archives with more than one image. Additional names will be interpreted as images instead of tags. Only supported for **docker-archive**. +Allow for creating archives with more than one image. Additional names will be interpreted as images instead of tags. Only supported for **--format=docker-archive**. The default for this option can be modified via the `multi_image_archive="true"|"false"` flag in containers.conf. #### **--quiet**, **-q** -- cgit v1.2.3-54-g00ecf
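Review bot: In the podman-generate-kube.1.md hunk, the three bullets are offered as interchangeable, but they differ a lot in what they give up. `privileged: true` and `type: spc_t` both take confinement away from the container itself, while the `chcon -t container_file_t` relabel only changes the label on the volume's files. Suggest listing the relabel option first and adding one clause to the other two saying that they remove SELinux separation for that container. Two smaller points in the same bullets: `privileged` is a field of a container's `securityContext`, so "to the pod spec" should say where it goes, as the second bullet already does for `seLinuxOptions`; and the command as shown, `chcon -t container_file_t context -R `, has no path after `-R`, while the word `context` would be taken by chcon as a file operand. A placeholder for the volume's host directory in place of `context` would make it copyable.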
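Review bot: In the podman-build.1.md hunk, and in the identical sentence added to the other eight man pages, "(Default: /etc/containers/certs.d)" directly after "Use certificates at *path* (\*.crt, \*.cert, \*.key)" reads as if the certificate and key files are picked up from the top level of that directory. containers-certs.d(5) describes one subdirectory per registry under it, so suggest saying that in the parenthesis or moving the default after the "Please refer to containers-certs.d(5)" sentence so the reader meets the layout first. The commit subject also names the option `--cert-path`, while every hunk documents `--cert-dir`.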
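Review bot: In the first podman-save.1.md hunk (DESCRIPTION), the new opening sentence says the image is saved "to a local file or directory", and the next sentence still says it "writes to STDOUT by default and can be redirected to a file". Read together, they leave it unclear how the directory formats are written, since a directory cannot be streamed to STDOUT. Suggest one clause saying that the directory formats need an output path, and naming the flag as **--output** rather than "the **output** flag" to match the OPTIONS headings.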
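Review bot: In the second podman-save.1.md hunk (the **--format** table), the **docker-dir** row is the only one described by transport name instead of by what ends up on disk, and the `oci` transport reference that the removed line gave for **oci-dir** is gone. Suggest wording the row like the others, for example "A directory using the **dir** transport (see **containers-transports(5)**) with v2s2 manifest type", and either restoring the `oci` transport mention for **oci-dir** or dropping transport names from the table altogether so the four rows are parallel.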