blob: b71fcb6f090bbcf28f93736813ea30c8b868f6f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
package common
import (
"fmt"
"os"
"github.com/containers/buildah/pkg/parse"
"github.com/containers/libpod/pkg/apparmor"
"github.com/containers/libpod/pkg/cgroups"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/sysinfo"
"github.com/opencontainers/selinux/go-selinux"
)
// TODO these options are directly embedded into many of the CLI cobra values, as such
// this approach will not work in a remote client. so we will need to likely do something like a
// supported and unsupported approach here and backload these options into the specgen
// once we are "on" the host system.
func getDefaultSecurityOptions() []string {
securityOpts := []string{}
if defaultContainerConfig.Containers.SeccompProfile != "" && defaultContainerConfig.Containers.SeccompProfile != parse.SeccompDefaultPath {
securityOpts = append(securityOpts, fmt.Sprintf("seccomp=%s", defaultContainerConfig.Containers.SeccompProfile))
}
if apparmor.IsEnabled() && defaultContainerConfig.Containers.ApparmorProfile != "" {
securityOpts = append(securityOpts, fmt.Sprintf("apparmor=%s", defaultContainerConfig.Containers.ApparmorProfile))
}
if selinux.GetEnabled() && !defaultContainerConfig.Containers.EnableLabeling {
securityOpts = append(securityOpts, fmt.Sprintf("label=%s", selinux.DisableSecOpt()[0]))
}
return securityOpts
}
// getDefaultSysctls
func getDefaultSysctls() []string {
return defaultContainerConfig.Containers.DefaultSysctls
}
func getDefaultVolumes() []string {
return defaultContainerConfig.Containers.Volumes
}
func getDefaultDevices() []string {
return defaultContainerConfig.Containers.Devices
}
func getDefaultDNSServers() []string { //nolint
return defaultContainerConfig.Containers.DNSServers
}
func getDefaultDNSSearches() []string { //nolint
return defaultContainerConfig.Containers.DNSSearches
}
func getDefaultDNSOptions() []string { //nolint
return defaultContainerConfig.Containers.DNSOptions
}
func getDefaultEnv() []string {
return defaultContainerConfig.Containers.Env
}
func getDefaultInitPath() string {
return defaultContainerConfig.Containers.InitPath
}
func getDefaultIPCNS() string {
return defaultContainerConfig.Containers.IPCNS
}
func getDefaultPidNS() string {
return defaultContainerConfig.Containers.PidNS
}
func getDefaultNetNS() string { //nolint
if defaultContainerConfig.Containers.NetNS == "private" && rootless.IsRootless() {
return "slirp4netns"
}
return defaultContainerConfig.Containers.NetNS
}
func getDefaultCgroupNS() string {
return defaultContainerConfig.Containers.CgroupNS
}
func getDefaultUTSNS() string {
return defaultContainerConfig.Containers.UTSNS
}
func getDefaultShmSize() string {
return defaultContainerConfig.Containers.ShmSize
}
func getDefaultUlimits() []string {
return defaultContainerConfig.Containers.DefaultUlimits
}
func getDefaultUserNS() string {
userns := os.Getenv("PODMAN_USERNS")
if userns != "" {
return userns
}
return defaultContainerConfig.Containers.UserNS
}
func getDefaultPidsLimit() int64 {
if rootless.IsRootless() {
cgroup2, _ := cgroups.IsCgroup2UnifiedMode()
if cgroup2 {
return defaultContainerConfig.Containers.PidsLimit
}
}
return sysinfo.GetDefaultPidsLimit()
}
func getDefaultPidsDescription() string {
return "Tune container pids limit (set 0 for unlimited)"
}
func GetDefaultDetachKeys() string {
return defaultContainerConfig.Engine.DetachKeys
}
|
