Struct podman_api::models::ContainerSecurityConfig

pub struct ContainerSecurityConfig {
    pub apparmor_profile: Option<String>,
    pub cap_add: Option<Vec<String, Global>>,
    pub cap_drop: Option<Vec<String, Global>>,
    pub groups: Option<Vec<String, Global>>,
    pub idmappings: Option<IdMappingOptions>,
    pub mask: Option<Vec<String, Global>>,
    pub no_new_privileges: Option<bool>,
    pub privileged: Option<bool>,
    pub procfs_opts: Option<Vec<String, Global>>,
    pub read_only_filesystem: Option<bool>,
    pub seccomp_policy: Option<String>,
    pub seccomp_profile_path: Option<String>,
    pub selinux_opts: Option<Vec<String, Global>>,
    pub umask: Option<String>,
    pub unmask: Option<Vec<String, Global>>,
    pub user: Option<String>,
    pub userns: Option<Namespace>,
}

ContainerSecurityConfig describes a container's security features, including SELinux, AppArmor, and Seccomp.

Fields

apparmor_profile: Option<String>

ApparmorProfile is the name of the AppArmor profile the container will use. Optional.

cap_add: Option<Vec<String, Global>>

CapAdd are capabilities which will be added to the container. Conflicts with Privileged. Optional.

cap_drop: Option<Vec<String, Global>>

CapDrop are capabilities which will be removed from the container. Conflicts with Privileged. Optional.

groups: Option<Vec<String, Global>>

Groups are a list of supplemental groups the container’s user will be granted access to. Optional.

idmappings: Option<IdMappingOptions>

mask: Option<Vec<String, Global>>

Mask is the list of paths to mask in the container. These paths are masked in addition to the default list. Optional.

no_new_privileges: Option<bool>

NoNewPrivileges is whether the container will set the no-new-privileges flag on create, which prevents processes in the container from gaining additional privileges (e.g. via setuid binaries).

privileged: Option<bool>

Privileged is whether the container is privileged. Privileged does the following: adds all devices on the system to the container; adds all capabilities to the container; disables Seccomp, SELinux, and AppArmor confinement (though SELinux can be manually re-enabled). TODO: this conflicts with things. TODO: this does more.

procfs_opts: Option<Vec<String, Global>>

ProcOpts are the options used for the proc mount.

read_only_filesystem: Option<bool>

ReadOnlyFilesystem indicates that everything will be mounted read-only.

seccomp_policy: Option<String>

SeccompPolicy determines which seccomp profile gets applied to the container. Valid values: empty, default, image.

seccomp_profile_path: Option<String>

SeccompProfilePath is the path to a JSON file containing the container’s Seccomp profile. If not specified, no Seccomp profile will be used. Optional.

selinux_opts: Option<Vec<String, Global>>

SelinuxProcessLabel is the process label the container will use. If SELinux is enabled and this is not specified, a label will be generated automatically. Optional.

umask: Option<String>

Umask is the umask the container's init process will run with.

unmask: Option<Vec<String, Global>>

Unmask is the list of paths to unmask in the container. To override all the default paths that are masked, set unmask=ALL.

user: Option<String>

User is the user the container will be run as. Can be given as a UID or a username; if a username, it will be resolved within the container, using the container’s /etc/passwd. If unset, the container will be run as root. Optional.

userns: Option<Namespace>
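Added example, not code from the podman-api crate: a lint that checks a config against the constraints stated in the field docs above (CapAdd/CapDrop conflict with Privileged, the allowed SeccompPolicy values, an unset User meaning root, NoNewPrivileges) next to a hardened baseline built from the same fields. The struct is a local stand-in carrying the documented field names so the block compiles without the crate; `lint_security_config`, `hardened_baseline` and the Podman `ALL` capability value are assumptions, not part of this page.

```rust
// Local stand-in for podman_api::models::ContainerSecurityConfig (assumption):
// same field names as the docs, reduced to the fields the lint inspects.
#[derive(Debug, Default, Clone)]
pub struct ContainerSecurityConfig {
    pub cap_add: Option<Vec<String>>,
    pub cap_drop: Option<Vec<String>>,
    pub no_new_privileges: Option<bool>,
    pub privileged: Option<bool>,
    pub read_only_filesystem: Option<bool>,
    pub seccomp_policy: Option<String>,
    pub user: Option<String>,
}
/// Check a config against the constraints stated in the field docs and return
/// one finding per problem; an empty vector means nothing was flagged.
pub fn lint_security_config(cfg: &ContainerSecurityConfig) -> Vec<String> {
    let mut findings = Vec::new();
    if cfg.privileged == Some(true) {
        findings.push("privileged: all devices and capabilities, Seccomp/SELinux/AppArmor off".into());
        // The docs say CapAdd and CapDrop conflict with Privileged.
        if cfg.cap_add.is_some() || cfg.cap_drop.is_some() {
            findings.push("cap_add/cap_drop set together with privileged".into());
        }
    }
    // SeccompPolicy accepts only empty, "default" or "image".
    if let Some(p) = cfg.seccomp_policy.as_deref() {
        if !matches!(p, "" | "default" | "image") {
            findings.push(format!("seccomp_policy {p:?} is not empty/default/image"));
        }
    }
    // An unset User means root; "root" and "0" name root explicitly.
    if matches!(cfg.user.as_deref(), None | Some("") | Some("root") | Some("0")) {
        findings.push("container process runs as root".into());
    }
    if cfg.no_new_privileges != Some(true) {
        findings.push("no_new_privileges not set; setuid can gain privileges".into());
    }
    findings
}
/// Baseline from the same fields: drop every capability ("ALL" is Podman's value
/// for this), forbid new privileges, read-only root, default seccomp, non-root UID.
pub fn hardened_baseline() -> ContainerSecurityConfig {
    ContainerSecurityConfig {
        cap_drop: Some(vec!["ALL".to_string()]),
        no_new_privileges: Some(true),
        read_only_filesystem: Some(true),
        seccomp_policy: Some("default".to_string()),
        user: Some("65534".to_string()),
        ..Default::default()
    }
}
```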

Trait Implementations

Clone, Debug, Deserialize, PartialEq, Serialize
