// RunOCIMountContextType tells the OCI runtime which context mount
// type to use: context, rootcontext, fscontext or defcontext.
RunOCIMountContextType = "run.oci.mount_context_type"
// RunOCIKeepOriginalGroups tells the OCI runtime to leak the user's
// current groups into the container, so any access those groups grant carries over.
RunOCIKeepOriginalGroups = "run.oci.keep_original_groups"
// InspectAnnotationCIDFile is used by Inspect to determine if a
// container ID file was created for the container.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationCIDFile = "io.podman.annotations.cid-file"
// InspectAnnotationAutoremove is used by Inspect to determine if a
// container will be automatically removed on exit.
// If an annotation with this key is found in the OCI spec and is one of
// the two supported boolean values (InspectResponseTrue and
// InspectResponseFalse) it will be used in the output of Inspect().
InspectAnnotationAutoremove = "io.podman.annotations.autoremove"
// InspectAnnotationPrivileged is used by Inspect to identify containers
// which are privileged (i.e., running with elevated privileges).
// It is expected to be a boolean, populated by one of
// InspectResponseTrue or InspectResponseFalse.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationPrivileged = "io.podman.annotations.privileged"
// InspectAnnotationPublishAll is used by Inspect to identify containers
// which have all the ports from their image published.
// It is expected to be a boolean, populated by one of
// InspectResponseTrue or InspectResponseFalse.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationPublishAll = "io.podman.annotations.publish-all"
// InspectAnnotationInit is used by Inspect to identify containers that
// mount an init binary in.
// It is expected to be a boolean, populated by one of
// InspectResponseTrue or InspectResponseFalse.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationInit = "io.podman.annotations.init"
// InspectAnnotationLabel is used by Inspect to identify containers with
// special SELinux-related settings. It is used to populate the output
// of the SecurityOpt setting.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationLabel = "io.podman.annotations.label"
// InspectAnnotationSeccomp is used by Inspect to identify containers
// with special Seccomp-related settings. It is used to populate the
// output of the SecurityOpt setting in Inspect.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationSeccomp = "io.podman.annotations.seccomp"
// InspectAnnotationApparmor is used by Inspect to identify containers
// with special Apparmor-related settings. It is used to populate the
// output of the SecurityOpt setting.
// If an annotation with this key is found in the OCI spec, it will be
// used in the output of Inspect().
InspectAnnotationApparmor = "io.podman.annotations.apparmor"
// InspectResponseTrue is a boolean True response for an inspect annotation.
InspectResponseTrue = "TRUE"
// InspectResponseFalse is a boolean False response for an inspect annotation.
InspectResponseFalse = "FALSE"
// CheckpointAnnotationName is used by Container Checkpoint when creating a
// checkpoint image to specify the original human-readable name for the container.
CheckpointAnnotationName = "io.podman.annotations.checkpoint.name"
// CheckpointAnnotationRawImageName is used by Container Checkpoint when
// creating a checkpoint image to specify the original unprocessed name of
// the image used to create the container (as specified by the user).
CheckpointAnnotationRawImageName = "io.podman.annotations.checkpoint.rawImageName"
// CheckpointAnnotationRootfsImageID is used by Container Checkpoint when
// creating a checkpoint image to specify the original ID of the image used
// to create the container.
CheckpointAnnotationRootfsImageID = "io.podman.annotations.checkpoint.rootfsImageID"
// CheckpointAnnotationRootfsImageName is used by Container Checkpoint when
// creating a checkpoint image to specify the original image name used to
// create the container.
CheckpointAnnotationRootfsImageName = "io.podman.annotations.checkpoint.rootfsImageName"
// CheckpointAnnotationPodmanVersion is used by Container Checkpoint when
// creating a checkpoint image to specify the version of Podman used on the
// host where the checkpoint was created.
CheckpointAnnotationPodmanVersion = "io.podman.annotations.checkpoint.podman.version"
// CheckpointAnnotationCriuVersion is used by Container Checkpoint when
// creating a checkpoint image to specify the version of CRIU used on the
// host where the checkpoint was created.
CheckpointAnnotationCriuVersion = "io.podman.annotations.checkpoint.criu.version"
// CheckpointAnnotationRuntimeName is used by Container Checkpoint when
// creating a checkpoint image to specify the runtime used on the host where
// the checkpoint was created.
CheckpointAnnotationRuntimeName = "io.podman.annotations.checkpoint.runtime.name"
// CheckpointAnnotationRuntimeVersion is used by Container Checkpoint when
// creating a checkpoint image to specify the version of runtime used on the
// host where the checkpoint was created.
CheckpointAnnotationRuntimeVersion = "io.podman.annotations.checkpoint.runtime.version"
// CheckpointAnnotationConmonVersion is used by Container Checkpoint when
// creating a checkpoint image to specify the version of conmon used on
// the host where the checkpoint was created.
CheckpointAnnotationConmonVersion = "io.podman.annotations.checkpoint.conmon.version"
// CheckpointAnnotationHostArch is used by Container Checkpoint when
// creating a checkpoint image to specify the CPU architecture of the host
// on which the checkpoint was created.
CheckpointAnnotationHostArch = "io.podman.annotations.checkpoint.host.arch"
// CheckpointAnnotationHostKernel is used by Container Checkpoint when
// creating a checkpoint image to specify the kernel version used by the
// host where the checkpoint was created.
CheckpointAnnotationHostKernel = "io.podman.annotations.checkpoint.host.kernel"
// CheckpointAnnotationCgroupVersion is used by Container Checkpoint when
// creating a checkpoint image to specify the cgroup version used by the
// host where the checkpoint was created.
CheckpointAnnotationCgroupVersion = "io.podman.annotations.checkpoint.cgroups.version"
// CheckpointAnnotationDistributionVersion is used by Container Checkpoint
// when creating a checkpoint image to specify the version of host
// distribution on which the checkpoint was created.
CheckpointAnnotationDistributionVersion = "io.podman.annotations.checkpoint.distribution.version"
// CheckpointAnnotationDistributionName is used by Container Checkpoint when
// creating a checkpoint image to specify the name of host distribution on
// which the checkpoint was created.
CheckpointAnnotationDistributionName = "io.podman.annotations.checkpoint.distribution.name"
// InitContainerType is used by play kube when playing a kube yaml to specify the type
// of the init container.
InitContainerType = "io.podman.annotations.init.container.type"
// InfraNameAnnotation is used by generate and play kube when the infra container is set by the user during pod creation.
InfraNameAnnotation = "io.podman.annotations.infra.name"
// UserNsAnnotation is used by play kube when playing a kube yaml to specify userns
UserNsAnnotation = "io.podman.annotations.userns"
// UlimitAnnotation is used by kube play when playing a kube yaml to specify the ulimits
UlimitAnnotation = "io.podman.annotations.ulimit"
// VolumesFromAnnotation is used by play kube when playing a kube
// yaml to specify volumes-from of the container
// It is expected to be a semicolon-separated list of container names and/or
// IDs optionally with colon separated mount options.
VolumesFromAnnotation = "io.podman.annotations.volumes-from"
// KubeHealthCheckAnnotation is used by kube play to tell podman that any health checks should follow
// the k8s behavior of waiting for the initialDelaySeconds to be over before updating the status
KubeHealthCheckAnnotation = "io.podman.annotations.kube.health.check"
// TotalAnnotationSizeLimitB is the max total size, in bytes, of annotations allowed by Kubernetes.
TotalAnnotationSizeLimitB int = 256 * (1 << 10) // 256 kB
// IsReservedAnnotation returns true if the specified value corresponds to an
// already reserved annotation that Podman sets during container creation.
func IsReservedAnnotation(value string) bool {
case InspectAnnotationCIDFile, InspectAnnotationAutoremove, InspectAnnotationPrivileged, InspectAnnotationPublishAll, InspectAnnotationInit, InspectAnnotationLabel, InspectAnnotationSeccomp, InspectAnnotationApparmor, InspectResponseTrue, InspectResponseFalse, VolumesFromAnnotation: