podman
1package specgen2
3import (4"errors"5"net"6"strings"7"syscall"8
9nettypes "github.com/containers/common/libnetwork/types"10"github.com/containers/image/v5/manifest"11"github.com/containers/podman/v5/libpod/define"12"github.com/containers/storage/types"13spec "github.com/opencontainers/runtime-spec/specs-go"14)
15
16// LogConfig describes the logging characteristics for a container
17// swagger:model LogConfigLibpod
18type LogConfig struct {19// LogDriver is the container's log driver.20// Optional.21Driver string `json:"driver,omitempty"`22// LogPath is the path the container's logs will be stored at.23// Only available if LogDriver is set to "json-file" or "k8s-file".24// Optional.25Path string `json:"path,omitempty"`26// Size is the maximum size of the log file27// Optional.28Size int64 `json:"size,omitempty"`29// A set of options to accompany the log driver.30// Optional.31Options map[string]string `json:"options,omitempty"`32}
33
34// ContainerBasicConfig contains the basic parts of a container.
35type ContainerBasicConfig struct {36// Name is the name the container will be given.37// If no name is provided, one will be randomly generated.38// Optional.39Name string `json:"name,omitempty"`40// Pod is the ID of the pod the container will join.41// Optional.42Pod string `json:"pod,omitempty"`43// Entrypoint is the container's entrypoint.44// If not given and Image is specified, this will be populated by the45// image's configuration.46// Optional.47Entrypoint []string `json:"entrypoint,omitempty"`48// Command is the container's command.49// If not given and Image is specified, this will be populated by the50// image's configuration.51// Optional.52Command []string `json:"command,omitempty"`53// EnvHost indicates that the host environment should be added to container54// Optional.55EnvHost *bool `json:"env_host,omitempty"`56// EnvHTTPProxy indicates that the http host proxy environment variables57// should be added to container58// Optional.59HTTPProxy *bool `json:"httpproxy,omitempty"`60// Env is a set of environment variables that will be set in the61// container.62// Optional.63Env map[string]string `json:"env,omitempty"`64// Terminal is whether the container will create a PTY.65// Optional.66Terminal *bool `json:"terminal,omitempty"`67// Stdin is whether the container will keep its STDIN open.68// Optional.69Stdin *bool `json:"stdin,omitempty"`70// Labels are key-value pairs that are used to add metadata to71// containers.72// Optional.73Labels map[string]string `json:"labels,omitempty"`74// Annotations are key-value options passed into the container runtime75// that can be used to trigger special behavior.76// Optional.77Annotations map[string]string `json:"annotations,omitempty"`78// StopSignal is the signal that will be used to stop the container.79// Must be a non-zero integer below SIGRTMAX.80// If not provided, the default, SIGTERM, will be used.81// Will conflict with Systemd if Systemd is set to "true" or "always".82// Optional.83StopSignal *syscall.Signal `json:"stop_signal,omitempty"`84// StopTimeout is a timeout between the container's stop signal being85// sent and SIGKILL being sent.86// If not provided, the default will be used.87// If 0 is used, stop signal will not be sent, and SIGKILL will be sent88// instead.89// Optional.90StopTimeout *uint `json:"stop_timeout,omitempty"`91// Timeout is a maximum time in seconds the container will run before92// main process is sent SIGKILL.93// If 0 is used, signal will not be sent. Container can run indefinitely94// if they do not stop after the default termination signal.95// Optional.96Timeout uint `json:"timeout,omitempty"`97// LogConfiguration describes the logging for a container including98// driver, path, and options.99// Optional100LogConfiguration *LogConfig `json:"log_configuration,omitempty"`101// ConmonPidFile is a path at which a PID file for Conmon will be102// placed.103// If not given, a default location will be used.104// Optional.105ConmonPidFile string `json:"conmon_pid_file,omitempty"`106// RestartPolicy is the container's restart policy - an action which107// will be taken when the container exits.108// If not given, the default policy, which does nothing, will be used.109// Optional.110RestartPolicy string `json:"restart_policy,omitempty"`111// RestartRetries is the number of attempts that will be made to restart112// the container.113// Only available when RestartPolicy is set to "on-failure".114// Optional.115RestartRetries *uint `json:"restart_tries,omitempty"`116// OCIRuntime is the name of the OCI runtime that will be used to create117// the container.118// If not specified, the default will be used.119// Optional.120OCIRuntime string `json:"oci_runtime,omitempty"`121// Systemd is whether the container will be started in systemd mode.122// Valid options are "true", "false", and "always".123// "true" enables this mode only if the binary run in the container is124// /sbin/init or systemd. "always" unconditionally enables systemd mode.125// "false" unconditionally disables systemd mode.126// If enabled, mounts and stop signal will be modified.127// If set to "always" or set to "true" and conditionally triggered,128// conflicts with StopSignal.129// If not specified, "false" will be assumed.130// Optional.131Systemd string `json:"systemd,omitempty"`132// Determine how to handle the NOTIFY_SOCKET - do we participate or pass it through133// "container" - let the OCI runtime deal with it, advertise conmon's MAINPID134// "conmon-only" - advertise conmon's MAINPID, send READY when started, don't pass to OCI135// "ignore" - unset NOTIFY_SOCKET136// Optional.137SdNotifyMode string `json:"sdnotifyMode,omitempty"`138// PidNS is the container's PID namespace.139// It defaults to private.140// Mandatory.141PidNS Namespace `json:"pidns,omitempty"`142// UtsNS is the container's UTS namespace.143// It defaults to private.144// Must be set to Private to set Hostname.145// Mandatory.146UtsNS Namespace `json:"utsns,omitempty"`147// Hostname is the container's hostname. If not set, the hostname will148// not be modified (if UtsNS is not private) or will be set to the149// container ID (if UtsNS is private).150// Conflicts with UtsNS if UtsNS is not set to private.151// Optional.152Hostname string `json:"hostname,omitempty"`153// HostUsers is a list of host usernames or UIDs to add to the container154// /etc/passwd file155HostUsers []string `json:"hostusers,omitempty"`156// Sysctl sets kernel parameters for the container157Sysctl map[string]string `json:"sysctl,omitempty"`158// Remove indicates if the container should be removed once it has been started159// and exits.160// Optional.161Remove *bool `json:"remove,omitempty"`162// ContainerCreateCommand is the command that was used to create this163// container.164// This will be shown in the output of Inspect() on the container, and165// may also be used by some tools that wish to recreate the container166// (e.g. `podman generate systemd --new`).167// Optional.168ContainerCreateCommand []string `json:"containerCreateCommand,omitempty"`169// PreserveFDs is a number of additional file descriptors (in addition170// to 0, 1, 2) that will be passed to the executed process. The total FDs171// passed will be 3 + PreserveFDs.172// set tags as `json:"-"` for not supported remote173// Optional.174PreserveFDs uint `json:"-"`175// PreserveFD is a list of additional file descriptors (in addition176// to 0, 1, 2) that will be passed to the executed process.177// set tags as `json:"-"` for not supported remote178// Optional.179PreserveFD []uint `json:"-"`180// Timezone is the timezone inside the container.181// Local means it has the same timezone as the host machine182// Optional.183Timezone string `json:"timezone,omitempty"`184// DependencyContainers is an array of containers this container185// depends on. Dependency containers must be started before this186// container. Dependencies can be specified by name or full/partial ID.187// Optional.188DependencyContainers []string `json:"dependencyContainers,omitempty"`189// PidFile is the file that saves container's PID.190// Not supported for remote clients, so not serialized in specgen JSON.191// Optional.192PidFile string `json:"-"`193// EnvSecrets are secrets that will be set as environment variables194// Optional.195EnvSecrets map[string]string `json:"secret_env,omitempty"`196// InitContainerType describes if this container is an init container197// and if so, what type: always or once.198// Optional.199InitContainerType string `json:"init_container_type"`200// Personality allows users to configure different execution domains.201// Execution domains tell Linux how to map signal numbers into signal actions.202// The execution domain system allows Linux to provide limited support203// for binaries compiled under other UNIX-like operating systems.204// Optional.205Personality *spec.LinuxPersonality `json:"personality,omitempty"`206// EnvMerge takes the specified environment variables from image and preprocess them before injecting them into the207// container.208// Optional.209EnvMerge []string `json:"envmerge,omitempty"`210// UnsetEnv unsets the specified default environment variables from the image or from buildin or containers.conf211// Optional.212UnsetEnv []string `json:"unsetenv,omitempty"`213// UnsetEnvAll unsetall default environment variables from the image or from buildin or containers.conf214// UnsetEnvAll unsets all default environment variables from the image or from buildin215// Optional.216UnsetEnvAll *bool `json:"unsetenvall,omitempty"`217// Passwd is a container run option that determines if we are validating users/groups before running the container218Passwd *bool `json:"manage_password,omitempty"`219// PasswdEntry specifies an arbitrary string to append to the container's /etc/passwd file.220// Optional.221PasswdEntry string `json:"passwd_entry,omitempty"`222// GroupEntry specifies an arbitrary string to append to the container's /etc/group file.223// Optional.224GroupEntry string `json:"group_entry,omitempty"`225}
226
227// ContainerStorageConfig contains information on the storage configuration of a
228// container.
229type ContainerStorageConfig struct {230// Image is the image the container will be based on. The image will be231// used as the container's root filesystem, and its environment vars,232// volumes, and other configuration will be applied to the container.233// Conflicts with Rootfs.234// At least one of Image or Rootfs must be specified.235Image string `json:"image"`236// RawImageName is the user-specified and unprocessed input referring237// to a local or a remote image.238// Optional, but strongly encouraged to be set if Image is set.239RawImageName string `json:"raw_image_name,omitempty"`240// ImageOS is the user-specified OS of the image.241// Used to select a different variant from a manifest list.242// Optional.243ImageOS string `json:"image_os,omitempty"`244// ImageArch is the user-specified image architecture.245// Used to select a different variant from a manifest list.246// Optional.247ImageArch string `json:"image_arch,omitempty"`248// ImageVariant is the user-specified image variant.249// Used to select a different variant from a manifest list.250// Optional.251ImageVariant string `json:"image_variant,omitempty"`252// Rootfs is the path to a directory that will be used as the253// container's root filesystem. No modification will be made to the254// directory, it will be directly mounted into the container as root.255// Conflicts with Image.256// At least one of Image or Rootfs must be specified.257Rootfs string `json:"rootfs,omitempty"`258// RootfsOverlay tells if rootfs is actually an overlay on top of base path.259// Optional.260RootfsOverlay *bool `json:"rootfs_overlay,omitempty"`261// RootfsMapping specifies if there are UID/GID mappings to apply to the rootfs.262// Optional.263RootfsMapping *string `json:"rootfs_mapping,omitempty"`264// ImageVolumeMode indicates how image volumes will be created.265// Supported modes are "ignore" (do not create), "tmpfs" (create as266// tmpfs), and "anonymous" (create as anonymous volumes).267// The default if unset is anonymous.268// Optional.269ImageVolumeMode string `json:"image_volume_mode,omitempty"`270// VolumesFrom is a set of containers whose volumes will be added to271// this container. The name or ID of the container must be provided, and272// may optionally be followed by a : and then one or more273// comma-separated options. Valid options are 'ro', 'rw', and 'z'.274// Options will be used for all volumes sourced from the container.275// Optional.276VolumesFrom []string `json:"volumes_from,omitempty"`277// Init specifies that an init binary will be mounted into the278// container, and will be used as PID1.279// Optional.280Init *bool `json:"init,omitempty"`281// InitPath specifies the path to the init binary that will be added if282// Init is specified above. If not specified, the default set in the283// Libpod config will be used. Ignored if Init above is not set.284// Optional.285InitPath string `json:"init_path,omitempty"`286// Mounts are mounts that will be added to the container.287// These will supersede Image Volumes and VolumesFrom volumes where288// there are conflicts.289// Optional.290Mounts []spec.Mount `json:"mounts,omitempty"`291// Volumes are named volumes that will be added to the container.292// These will supersede Image Volumes and VolumesFrom volumes where293// there are conflicts.294// Optional.295Volumes []*NamedVolume `json:"volumes,omitempty"`296// Overlay volumes are named volumes that will be added to the container.297// Optional.298OverlayVolumes []*OverlayVolume `json:"overlay_volumes,omitempty"`299// Image volumes bind-mount a container-image mount into the container.300// Optional.301ImageVolumes []*ImageVolume `json:"image_volumes,omitempty"`302// Devices are devices that will be added to the container.303// Optional.304Devices []spec.LinuxDevice `json:"devices,omitempty"`305// DeviceCgroupRule are device cgroup rules that allow containers306// to use additional types of devices.307DeviceCgroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"`308// DevicesFrom specifies that this container will mount the device(s) from other container(s).309// Optional.310DevicesFrom []string `json:"devices_from,omitempty"`311// HostDeviceList is used to recreate the mounted device on inherited containers312HostDeviceList []spec.LinuxDevice `json:"host_device_list,omitempty"`313// IpcNS is the container's IPC namespace.314// Default is private.315// Conflicts with ShmSize if not set to private.316// Mandatory.317IpcNS Namespace `json:"ipcns,omitempty"`318// ShmSize is the size of the tmpfs to mount in at /dev/shm, in bytes.319// Conflicts with ShmSize if IpcNS is not private.320// Optional.321ShmSize *int64 `json:"shm_size,omitempty"`322// ShmSizeSystemd is the size of systemd-specific tmpfs mounts323// specifically /run, /run/lock, /var/log/journal and /tmp.324// Optional325ShmSizeSystemd *int64 `json:"shm_size_systemd,omitempty"`326// WorkDir is the container's working directory.327// If unset, the default, /, will be used.328// Optional.329WorkDir string `json:"work_dir,omitempty"`330// Create the working directory if it doesn't exist.331// If unset, it doesn't create it.332// Optional.333CreateWorkingDir *bool `json:"create_working_dir,omitempty"`334// StorageOpts is the container's storage options335// Optional.336StorageOpts map[string]string `json:"storage_opts,omitempty"`337// RootfsPropagation is the rootfs propagation mode for the container.338// If not set, the default of rslave will be used.339// Optional.340RootfsPropagation string `json:"rootfs_propagation,omitempty"`341// Secrets are the secrets that will be added to the container342// Optional.343Secrets []Secret `json:"secrets,omitempty"`344// Volatile specifies whether the container storage can be optimized345// at the cost of not syncing all the dirty files in memory.346// Optional.347Volatile *bool `json:"volatile,omitempty"`348// ChrootDirs is an additional set of directories that need to be349// treated as root directories. Standard bind mounts will be mounted350// into paths relative to these directories.351// Optional.352ChrootDirs []string `json:"chroot_directories,omitempty"`353}
354
355// ContainerSecurityConfig is a container's security features, including
356// SELinux, Apparmor, and Seccomp.
357type ContainerSecurityConfig struct {358// Privileged is whether the container is privileged.359// Privileged does the following:360// - Adds all devices on the system to the container.361// - Adds all capabilities to the container.362// - Disables Seccomp, SELinux, and Apparmor confinement.363// (Though SELinux can be manually re-enabled).364// TODO: this conflicts with things.365// TODO: this does more.366// Optional.367Privileged *bool `json:"privileged,omitempty"`368// User is the user the container will be run as.369// Can be given as a UID or a username; if a username, it will be370// resolved within the container, using the container's /etc/passwd.371// If unset, the container will be run as root.372// Optional.373User string `json:"user,omitempty"`374// Groups are a list of supplemental groups the container's user will375// be granted access to.376// Optional.377Groups []string `json:"groups,omitempty"`378// CapAdd are capabilities which will be added to the container.379// Conflicts with Privileged.380// Optional.381CapAdd []string `json:"cap_add,omitempty"`382// CapDrop are capabilities which will be removed from the container.383// Conflicts with Privileged.384// Optional.385CapDrop []string `json:"cap_drop,omitempty"`386// SelinuxProcessLabel is the process label the container will use.387// If SELinux is enabled and this is not specified, a label will be388// automatically generated if not specified.389// Optional.390SelinuxOpts []string `json:"selinux_opts,omitempty"`391// ApparmorProfile is the name of the Apparmor profile the container392// will use.393// Optional.394ApparmorProfile string `json:"apparmor_profile,omitempty"`395// SeccompPolicy determines which seccomp profile gets applied396// the container. valid values: empty,default,image397SeccompPolicy string `json:"seccomp_policy,omitempty"`398// SeccompProfilePath is the path to a JSON file containing the399// container's Seccomp profile.400// If not specified, no Seccomp profile will be used.401// Optional.402SeccompProfilePath string `json:"seccomp_profile_path,omitempty"`403// NoNewPrivileges is whether the container will set the no new404// privileges flag on create, which disables gaining additional405// privileges (e.g. via setuid) in the container.406// Optional.407NoNewPrivileges *bool `json:"no_new_privileges,omitempty"`408// UserNS is the container's user namespace.409// It defaults to host, indicating that no user namespace will be410// created.411// If set to private, IDMappings must be set.412// Mandatory.413UserNS Namespace `json:"userns,omitempty"`414// IDMappings are UID and GID mappings that will be used by user415// namespaces.416// Required if UserNS is private.417IDMappings *types.IDMappingOptions `json:"idmappings,omitempty"`418// ReadOnlyFilesystem indicates that everything will be mounted419// as read-only.420// Optional.421ReadOnlyFilesystem *bool `json:"read_only_filesystem,omitempty"`422// ReadWriteTmpfs indicates that when running with a ReadOnlyFilesystem423// mount temporary file systems.424// Optional.425ReadWriteTmpfs *bool `json:"read_write_tmpfs,omitempty"`426
427// LabelNested indicates whether or not the container is allowed to428// run fully nested containers including SELinux labelling.429// Optional.430LabelNested *bool `json:"label_nested,omitempty"`431
432// Umask is the umask the init process of the container will be run with.433Umask string `json:"umask,omitempty"`434// ProcOpts are the options used for the proc mount.435ProcOpts []string `json:"procfs_opts,omitempty"`436// Mask is the path we want to mask in the container. This masks the paths437// given in addition to the default list.438// Optional439Mask []string `json:"mask,omitempty"`440// Unmask a path in the container. Some paths are masked by default,441// preventing them from being accessed within the container; this undoes442// that masking. If ALL is passed, all paths will be unmasked.443// Optional.444Unmask []string `json:"unmask,omitempty"`445}
446
447// ContainerCgroupConfig contains configuration information about a container's
448// cgroups.
449type ContainerCgroupConfig struct {450// CgroupNS is the container's cgroup namespace.451// It defaults to private.452// Mandatory.453CgroupNS Namespace `json:"cgroupns,omitempty"`454// CgroupsMode sets a policy for how cgroups will be created for the455// container, including the ability to disable creation entirely.456// Optional.457CgroupsMode string `json:"cgroups_mode,omitempty"`458// CgroupParent is the container's Cgroup parent.459// If not set, the default for the current cgroup driver will be used.460// Optional.461CgroupParent string `json:"cgroup_parent,omitempty"`462}
463
464// ContainerNetworkConfig contains information on a container's network
465// configuration.
466type ContainerNetworkConfig struct {467// NetNS is the configuration to use for the container's network468// namespace.469// Mandatory.470NetNS Namespace `json:"netns,omitempty"`471// PortBindings is a set of ports to map into the container.472// Only available if NetNS is set to bridge, slirp, or pasta.473// Optional.474PortMappings []nettypes.PortMapping `json:"portmappings,omitempty"`475// PublishExposedPorts will publish ports specified in the image to476// random unused ports (guaranteed to be above 1024) on the host.477// This is based on ports set in Expose below, and any ports specified478// by the Image (if one is given).479// Only available if NetNS is set to Bridge or Slirp.480// Optional.481PublishExposedPorts *bool `json:"publish_image_ports,omitempty"`482// Expose is a number of ports that will be forwarded to the container483// if PublishExposedPorts is set.484// Expose is a map of uint16 (port number) to a string representing485// protocol i.e map[uint16]string. Allowed protocols are "tcp", "udp", and "sctp", or some486// combination of the three separated by commas.487// If protocol is set to "" we will assume TCP.488// Only available if NetNS is set to Bridge or Slirp, and489// PublishExposedPorts is set.490// Optional.491Expose map[uint16]string `json:"expose,omitempty"`492// Map of networks names or ids that the container should join.493// You can request additional settings for each network, you can494// set network aliases, static ips, static mac address and the495// network interface name for this container on the specific network.496// If the map is empty and the bridge network mode is set the container497// will be joined to the default network.498// Optional.499Networks map[string]nettypes.PerNetworkOptions500// CNINetworks is a list of CNI networks to join the container to.501// If this list is empty, the default CNI network will be joined502// instead. If at least one entry is present, we will not join the503// default network (unless it is part of this list).504// Only available if NetNS is set to bridge.505// Optional.506// Deprecated: as of podman 4.0 use "Networks" instead.507CNINetworks []string `json:"cni_networks,omitempty"`508// UseImageResolvConf indicates that resolv.conf should not be managed509// by Podman, but instead sourced from the image.510// Conflicts with DNSServer, DNSSearch, DNSOption.511// Optional.512UseImageResolvConf *bool `json:"use_image_resolve_conf,omitempty"`513// DNSServers is a set of DNS servers that will be used in the514// container's resolv.conf, replacing the host's DNS Servers which are515// used by default.516// Conflicts with UseImageResolvConf.517// Optional.518DNSServers []net.IP `json:"dns_server,omitempty"`519// DNSSearch is a set of DNS search domains that will be used in the520// container's resolv.conf, replacing the host's DNS search domains521// which are used by default.522// Conflicts with UseImageResolvConf.523// Optional.524DNSSearch []string `json:"dns_search,omitempty"`525// DNSOptions is a set of DNS options that will be used in the526// container's resolv.conf, replacing the host's DNS options which are527// used by default.528// Conflicts with UseImageResolvConf.529// Optional.530DNSOptions []string `json:"dns_option,omitempty"`531// UseImageHosts indicates that /etc/hosts should not be managed by532// Podman, and instead sourced from the image.533// Conflicts with HostAdd.534// Optional.535UseImageHosts *bool `json:"use_image_hosts,omitempty"`536// BaseHostsFile is the path to a hosts file, the entries from this file537// are added to the containers hosts file. As special value "image" is538// allowed which uses the /etc/hosts file from within the image and "none"539// which uses no base file at all. If it is empty we should default540// to the base_hosts_file configuration in containers.conf.541// Optional.542BaseHostsFile string `json:"base_hosts_file,omitempty"`543// HostAdd is a set of hosts which will be added to the container's544// /etc/hosts file.545// Conflicts with UseImageHosts.546// Optional.547HostAdd []string `json:"hostadd,omitempty"`548// NetworkOptions are additional options for each network549// Optional.550NetworkOptions map[string][]string `json:"network_options,omitempty"`551}
552
553// ContainerResourceConfig contains information on container resource limits.
554type ContainerResourceConfig struct {555// IntelRdt defines the Intel RDT CAT Class of Service (COS) that all processes556// of the container should run in.557// Optional.558IntelRdt *spec.LinuxIntelRdt `json:"intelRdt,omitempty"`559// ResourceLimits are resource limits to apply to the container.,560// Can only be set as root on cgroups v1 systems, but can be set as561// rootless as well for cgroups v2.562// Optional.563ResourceLimits *spec.LinuxResources `json:"resource_limits,omitempty"`564// Rlimits are POSIX rlimits to apply to the container.565// Optional.566Rlimits []spec.POSIXRlimit `json:"r_limits,omitempty"`567// OOMScoreAdj adjusts the score used by the OOM killer to determine568// processes to kill for the container's process.569// Optional.570OOMScoreAdj *int `json:"oom_score_adj,omitempty"`571// Weight per cgroup per device, can override BlkioWeight572WeightDevice map[string]spec.LinuxWeightDevice `json:"weightDevice,omitempty"`573// IO read rate limit per cgroup per device, bytes per second574ThrottleReadBpsDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadBpsDevice,omitempty"`575// IO write rate limit per cgroup per device, bytes per second576ThrottleWriteBpsDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteBpsDevice,omitempty"`577// IO read rate limit per cgroup per device, IO per second578ThrottleReadIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`579// IO write rate limit per cgroup per device, IO per second580ThrottleWriteIOPSDevice map[string]spec.LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`581// CgroupConf are key-value options passed into the container runtime582// that are used to configure cgroup v2.583// Optional.584CgroupConf map[string]string `json:"unified,omitempty"`585}
586
587// ContainerHealthCheckConfig describes a container healthcheck with attributes
588// like command, retries, interval, start period, and timeout.
589type ContainerHealthCheckConfig struct {590HealthConfig *manifest.Schema2HealthConfig `json:"healthconfig,omitempty"`591HealthCheckOnFailureAction define.HealthCheckOnFailureAction `json:"health_check_on_failure_action,omitempty"`592// Startup healthcheck for a container.593// Requires that HealthConfig be set.594// Optional.595StartupHealthConfig *define.StartupHealthCheck `json:"startupHealthConfig,omitempty"`596}
597
598// SpecGenerator creates an OCI spec and Libpod configuration options to create
599// a container based on the given configuration.
600// swagger:model SpecGenerator
601type SpecGenerator struct {602ContainerBasicConfig
603ContainerStorageConfig
604ContainerSecurityConfig
605ContainerCgroupConfig
606ContainerNetworkConfig
607ContainerResourceConfig
608ContainerHealthCheckConfig
609
610//nolint:unused // this is needed for the local client but golangci-lint611// does not seems to happy when we test the remote stub612cacheLibImage
613}
614
615func (s *SpecGenerator) IsPrivileged() bool {616if s.Privileged != nil {617return *s.Privileged618}619return false620}
621
622func (s *SpecGenerator) IsInitContainer() bool {623return len(s.InitContainerType) != 0624}
625
626type Secret struct {627Source string628Target string629UID uint32630GID uint32631Mode uint32632}
633
634var (635// ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address636// to a pod or container637ErrNoStaticIPRootless = errors.New("rootless containers and pods cannot be assigned static IP addresses")638// ErrNoStaticMACRootless is used when a rootless user requests to assign a static MAC address639// to a pod or container640ErrNoStaticMACRootless = errors.New("rootless containers and pods cannot be assigned static MAC addresses")641// Multiple volume mounts to the same destination is not allowed642ErrDuplicateDest = errors.New("duplicate mount destination")643)
644
645// NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs
646func NewSpecGenerator(arg string, rootfs bool) *SpecGenerator {647csc := ContainerStorageConfig{}648if rootfs {649csc.Rootfs = arg650// check if rootfs should use overlay651lastColonIndex := strings.LastIndex(csc.Rootfs, ":")652if lastColonIndex != -1 {653lastPart := csc.Rootfs[lastColonIndex+1:]654if lastPart == "O" {655localTrue := true656csc.RootfsOverlay = &localTrue657csc.Rootfs = csc.Rootfs[:lastColonIndex]658} else if lastPart == "idmap" || strings.HasPrefix(lastPart, "idmap=") {659csc.RootfsMapping = &lastPart660csc.Rootfs = csc.Rootfs[:lastColonIndex]661}662}663} else {664csc.Image = arg665}666return &SpecGenerator{667ContainerStorageConfig: csc,668}669}
670
671// NewSpecGenerator returns a SpecGenerator struct given one of two mandatory inputs
672func NewSpecGeneratorWithRootfs(rootfs string) *SpecGenerator {673csc := ContainerStorageConfig{Rootfs: rootfs}674return &SpecGenerator{ContainerStorageConfig: csc}675}
676
677func StringSlicesEqual(a, b []string) bool {678if len(a) != len(b) {679return false680}681for i, v := range a {682if v != b[i] {683return false684}685}686return true687}
688