buildah/util/types.go

package util

const (
	// DefaultRuntime is the default command to use to run the container.
	DefaultRuntime = "runc"
	// DefaultCNIPluginPath is the default location of CNI plugin helpers.
	DefaultCNIPluginPath = "/usr/libexec/cni:/opt/cni/bin"
	// DefaultCNIConfigDir is the default location of CNI configuration files.
	DefaultCNIConfigDir = "/etc/cni/net.d"
)

var (
	// DefaultCapabilities is the list of capabilities which we grant by
	// default to containers which are running under UID 0.
	DefaultCapabilities = []string{
		"CAP_AUDIT_WRITE",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_KILL",
		"CAP_MKNOD",
		"CAP_NET_BIND_SERVICE",
		"CAP_SETFCAP",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYS_CHROOT",
	}
	// DefaultNetworkSysctl is the list of Kernel parameters which we
	// grant by default to containers which are running under UID 0.
	DefaultNetworkSysctl = map[string]string{
		"net.ipv4.ping_group_range": "0 0",
	}
)
Use CNI to configure container networks Use CNI to configure networks for containers for which we create new network namespaces. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #700 Approved by: rhatdan 2018-04-14 06:20:25 +08:00			`package util`

			`const (`
			`// DefaultRuntime is the default command to use to run the container.`
			`DefaultRuntime = "runc"`
			`// DefaultCNIPluginPath is the default location of CNI plugin helpers.`
			`DefaultCNIPluginPath = "/usr/libexec/cni:/opt/cni/bin"`
			`// DefaultCNIConfigDir is the default location of CNI configuration files.`
			`DefaultCNIConfigDir = "/etc/cni/net.d"`
			`)`
Run(): add options for adding and removing capabilities Add RunOptions and BuildOptions flags for modifying the list of granted capabilities from the default. Default to granting the current (as of this writing) defaults from runtime-tools, with CAP_NET_RAW removed: * CAP_AUDIT_WRITE * CAP_CHOWN * CAP_DAC_OVERRIDE * CAP_FOWNER * CAP_FSETID * CAP_KILL * CAP_MKNOD * CAP_NET_BIND_SERVICE * CAP_SETFCAP * CAP_SETGID * CAP_SETPCAP * CAP_SETUID * CAP_SYS_CHROOT Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #799 Approved by: rhatdan 2018-06-05 05:36:26 +08:00
			`var (`
			`// DefaultCapabilities is the list of capabilities which we grant by`
			`// default to containers which are running under UID 0.`
			`DefaultCapabilities = []string{`
			`"CAP_AUDIT_WRITE",`
			`"CAP_CHOWN",`
			`"CAP_DAC_OVERRIDE",`
			`"CAP_FOWNER",`
			`"CAP_FSETID",`
			`"CAP_KILL",`
			`"CAP_MKNOD",`
			`"CAP_NET_BIND_SERVICE",`
			`"CAP_SETFCAP",`
			`"CAP_SETGID",`
			`"CAP_SETPCAP",`
			`"CAP_SETUID",`
			`"CAP_SYS_CHROOT",`
			`}`
Allow ping command without NET_RAW Capabilities Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #818 Approved by: nalind 2018-06-26 00:39:57 +08:00			`// DefaultNetworkSysctl is the list of Kernel parameters which we`
			`// grant by default to containers which are running under UID 0.`
			`DefaultNetworkSysctl = map[string]string{`
			`"net.ipv4.ping_group_range": "0 0",`
			`}`
Run(): add options for adding and removing capabilities Add RunOptions and BuildOptions flags for modifying the list of granted capabilities from the default. Default to granting the current (as of this writing) defaults from runtime-tools, with CAP_NET_RAW removed: * CAP_AUDIT_WRITE * CAP_CHOWN * CAP_DAC_OVERRIDE * CAP_FOWNER * CAP_FSETID * CAP_KILL * CAP_MKNOD * CAP_NET_BIND_SERVICE * CAP_SETFCAP * CAP_SETGID * CAP_SETPCAP * CAP_SETUID * CAP_SYS_CHROOT Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #799 Approved by: rhatdan 2018-06-05 05:36:26 +08:00			`)`