Struct podman_api::models::ContainerSecurityConfig
source · pub struct ContainerSecurityConfig {Show 17 fields
pub apparmor_profile: Option<String>,
pub cap_add: Option<Vec<String, Global>>,
pub cap_drop: Option<Vec<String, Global>>,
pub groups: Option<Vec<String, Global>>,
pub idmappings: Option<IdMappingOptions>,
pub mask: Option<Vec<String, Global>>,
pub no_new_privileges: Option<bool>,
pub privileged: Option<bool>,
pub procfs_opts: Option<Vec<String, Global>>,
pub read_only_filesystem: Option<bool>,
pub seccomp_policy: Option<String>,
pub seccomp_profile_path: Option<String>,
pub selinux_opts: Option<Vec<String, Global>>,
pub umask: Option<String>,
pub unmask: Option<Vec<String, Global>>,
pub user: Option<String>,
pub userns: Option<Namespace>,
}Expand description
ContainerSecurityConfig is a container’s security features, including SELinux, Apparmor, and Seccomp.
Fields§
§apparmor_profile: Option<String>ApparmorProfile is the name of the Apparmor profile the container will use. Optional.
cap_add: Option<Vec<String, Global>>CapAdd are capabilities which will be added to the container. Conflicts with Privileged. Optional.
cap_drop: Option<Vec<String, Global>>CapDrop are capabilities which will be removed from the container. Conflicts with Privileged. Optional.
groups: Option<Vec<String, Global>>Groups are a list of supplemental groups the container’s user will be granted access to. Optional.
idmappings: Option<IdMappingOptions>§mask: Option<Vec<String, Global>>Mask is the path we want to mask in the container. This masks the paths given in addition to the default list. Optional
no_new_privileges: Option<bool>NoNewPrivileges is whether the container will set the no new privileges flag on create, which disables gaining additional privileges (e.g. via setuid) in the container.
privileged: Option<bool>Privileged is whether the container is privileged. Privileged does the following: Adds all devices on the system to the container. Adds all capabilities to the container. Disables Seccomp, SELinux, and Apparmor confinement. (Though SELinux can be manually re-enabled). TODO: this conflicts with things. TODO: this does more.
procfs_opts: Option<Vec<String, Global>>ProcOpts are the options used for the proc mount.
read_only_filesystem: Option<bool>ReadOnlyFilesystem indicates that everything will be mounted as read-only
seccomp_policy: Option<String>SeccompPolicy determines which seccomp profile gets applied the container. valid values: empty,default,image
seccomp_profile_path: Option<String>SeccompProfilePath is the path to a JSON file containing the container’s Seccomp profile. If not specified, no Seccomp profile will be used. Optional.
selinux_opts: Option<Vec<String, Global>>SelinuxProcessLabel is the process label the container will use. If SELinux is enabled and this is not specified, a label will be automatically generated if not specified. Optional.
umask: Option<String>Umask is the umask the init process of the container will be run with.
unmask: Option<Vec<String, Global>>Unmask is the path we want to unmask in the container. To override all the default paths that are masked, set unmask=ALL.
user: Option<String>User is the user the container will be run as. Can be given as a UID or a username; if a username, it will be resolved within the container, using the container’s /etc/passwd. If unset, the container will be run as root. Optional.
userns: Option<Namespace>Trait Implementations§
source§impl Clone for ContainerSecurityConfig
impl Clone for ContainerSecurityConfig
source§fn clone(&self) -> ContainerSecurityConfig
fn clone(&self) -> ContainerSecurityConfig
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more