From b163640c61dcb10953949a1ee28599d8a19fd046 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 27 Feb 2020 14:19:07 -0400 Subject: Allow devs to set labels in container images for default capabilities. This patch allows users to specify the list of capabilities required to run their container image. Setting a image/container label "io.containers.capabilities=setuid,setgid" tells podman that the contained image should work fine with just these two capabilties, instead of running with the default capabilities, podman will launch the container with just these capabilties. If the user or image specified capabilities that are not in the default set, the container will print an error message and will continue to run with the default capabilities. Signed-off-by: Daniel J Walsh --- docs/source/markdown/podman-build.1.md | 10 ++++++++++ docs/source/markdown/podman-commit.1.md | 20 ++++++++++++++++---- 2 files changed, 26 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 12f099e65..951d39e02 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -279,6 +279,16 @@ BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci` Add an image *label* (e.g. label=*value*) to the image metadata. Can be used multiple times. +Users can set a special LABEL **io.containers.capabilities=CAP1,CAP2,CAP3** in +a Containerfile that specified the list of Linux capabilities required for the +container to run properly. This label specified in a container image tells +Podman to run the container with just these capabilties. Podman launches the +container with just the specified capabilties, as long as this list of +capabilities is a subset of the default list. + +If the specified capabilities are not in the default set, the container will +print an error message and will run the container with the default capabilities. + **--layers** Cache intermediate images during the build process (Default is `true`). diff --git a/docs/source/markdown/podman-commit.1.md b/docs/source/markdown/podman-commit.1.md index 66d8811aa..13e46a899 100644 --- a/docs/source/markdown/podman-commit.1.md +++ b/docs/source/markdown/podman-commit.1.md @@ -60,8 +60,9 @@ Suppress output ## EXAMPLES +### Create image from container with entrypoint and label ``` -$ podman commit --change CMD=/bin/bash --change ENTRYPOINT=/bin/sh --change LABEL=blue=image reverent_golick image-committed +$ podman commit --change CMD=/bin/bash --change ENTRYPOINT=/bin/sh --change "LABEL blue=image" reverent_golick image-committed Getting image source signatures Copying blob sha256:b41deda5a2feb1f03a5c1bb38c598cbc12c9ccd675f438edc6acd815f7585b86 25.80 MB / 25.80 MB [======================================================] 0s @@ -72,26 +73,37 @@ Storing signatures e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ``` +### Create image from container with commit message ``` -$ podman commit -q --message "committing container to image" reverent_golick image-committed -e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 +$ podman commit -q --message "committing container to image" +reverent_golick image-committed +e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ``` ``` +### Create image from container with author ``` $ podman commit -q --author "firstName lastName" reverent_golick image-committed e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ``` +### Pause a running container while creating the image ``` -$ podman commit -q --pause=false containerID image-committed +$ podman commit -q --pause=true containerID image-committed e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ``` +### Create an image from a container with a default image tag ``` $ podman commit containerID e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ``` +### Create an image from container with default required capabilities are SETUID and SETGID +``` +$ podman commit -q --change LABEL=io.containers.capabilities=setuid,setgid epic_nobel privimage +400d31a3f36dca751435e80a0e16da4859beb51ff84670ce6bdc5edb30b94066 +``` + ## SEE ALSO podman(1), podman-run(1), podman-create(1) -- cgit v1.2.3-54-g00ecf From f678b3fcf13d78cf45ea4fdb7f9f0937773b8371 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 2 Mar 2020 12:28:28 -0500 Subject: Update docs/source/markdown/podman-build.1.md Signed-off-by: Valentin Rothberg Signed-off-by: Daniel J Walsh --- docs/source/markdown/podman-build.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 951d39e02..3f0bfc57b 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -286,7 +286,7 @@ Podman to run the container with just these capabilties. Podman launches the container with just the specified capabilties, as long as this list of capabilities is a subset of the default list. -If the specified capabilities are not in the default set, the container will +If the specified capabilities are not in the default set, Podman will print an error message and will run the container with the default capabilities. **--layers** -- cgit v1.2.3-54-g00ecf