clarify io.podman.annotations.seccomp
#12679
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@containers/podman-maintainers PTAL |
vrothberg
changed the title
io.podman.annotations.seccompio.podman.annotations.seccomp
|
@containers/podman-maintainers PTAL @rhatdan please note the 2nd commit. |
|
Quay.io is down -> CI is red. |
|
/retest |
|
LGTM |
| @@ -156,7 +156,9 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat | |||
|
|
|||
| // Add annotations from the image | |||
| for k, v := range inspectData.Annotations { | |||
| annotations[k] = v | |||
| if !define.IsReservedAnnotation(k) { | |||
There was a problem hiding this comment.
Seems like it would be at least worth warning about completely ignoring a user-defined annotation?
There was a problem hiding this comment.
A warning seems too aggressive IMO since it's not defined by the user but by the image. Note that Docker does not apply image annotations to the containers.
Cool with a debug message?
docs/source/markdown/podman-run.1.md
Outdated
| - **seccomp=unconfined**: Turn off seccomp confinement for the container | ||
| - **seccomp**=_profile.json_: Allowed syscall list seccomp JSON file to be used as a seccomp filter | ||
| - **seccomp=unconfined**: Turn off seccomp confinement for the container. | ||
| - **seccomp=profile.json**: White listed syscalls seccomp Json file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`. |
There was a problem hiding this comment.
| - **seccomp=profile.json**: White listed syscalls seccomp Json file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`. | |
| - **seccomp=profile.json**: Whitelisted syscalls seccomp JSON file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`. |
There was a problem hiding this comment.
since we are at it, should we s|white|allow|?
There was a problem hiding this comment.
I think it should be JSON file to be used as a seccomp filter since it could be any kind of filter.
Clarify the semantics of the `io.podman.annotations.seccomp` annotation which is set when a container has been created with a custom seccomp profile. Fixes: containers#12671 Signed-off-by: Valentin Rothberg <[email protected]>
Do not apply reserved annotations from the image to the container. Reserved annotations are applied during container creation to retrieve certain information (e.g., custom seccomp profile or autoremoval) once a container has been created. Context: containers#12671 Signed-off-by: Valentin Rothberg <[email protected]>
|
/lgtm |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
Clarify the semantics of the
io.podman.annotations.seccompannotationwhich is set when a container has been created with a custom seccomp
profile.
Fixes: #12671
Signed-off-by: Valentin Rothberg [email protected]