
1/*
2 * supports a RESTful API for the Libpod library
3 *
4 * This documentation describes the Podman v2.x+ RESTful API. It consists of a Docker-compatible API and a Libpod API providing support for Podman’s unique features such as pods.  To start the service and keep it running for 5,000 seconds (-t 0 runs forever):  podman system service -t 5000 &  You can then use cURL on the socket using requests documented below.  NOTE: if you install the package podman-docker, it will create a symbolic link for /run/docker.sock to /run/podman/podman.sock  NOTE: Some fields in the API response JSON are encoded as omitempty, which means that if said field has a zero value, they will not be encoded in the API response. This is a feature to help reduce the size of the JSON responses returned via the API.  NOTE: Due to the limitations of [go-swagger](https://github.com/go-swagger/go-swagger), some field values that have a complex type show up as null in the docs as well as in the API responses. This is because the zero value for the field type is null. The field description in the docs will state what type the field is expected to be for such cases.  See podman-system-service(1) for more information.  Quick Examples:  'podman info'  curl --unix-socket /run/podman/podman.sock http://d/v5.0.0/libpod/info  'podman pull quay.io/containers/podman'  curl -XPOST --unix-socket /run/podman/podman.sock -v 'http://d/v5.0.0/images/create?fromImage=quay.io%2Fcontainers%2Fpodman'  'podman list images'  curl --unix-socket /run/podman/podman.sock -v 'http://d/v5.0.0/libpod/images/json' | jq
5 *
6 * The version of the OpenAPI document: 5.0.0
7 * Contact: podman@lists.podman.io
8 * Generated by: https://openapi-generator.tech
9 */
10
11use crate::models;
12use serde::{Deserialize, Serialize};
13
/// ContainerSecurityConfig : ContainerSecurityConfig is a container's security features, including SELinux, Apparmor, and Seccomp.
///
/// Wire format: every field is optional. A `None` field is omitted from the
/// serialized request body, and a field missing from a response deserializes
/// to `None`. Field names on the wire are the snake_case field names below.
///
/// NOTE(review): `None` means "let the server apply its default", not
/// "disabled". A caller that wants a hardened container must set the relevant
/// fields explicitly (e.g. `user`, `no_new_privileges`, `cap_drop`) rather
/// than rely on `Default`/`new()`, which leave everything unset.
#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub struct ContainerSecurityConfig {
    /// ApparmorProfile is the name of the Apparmor profile the container will use. Optional.
    /// The name is passed through as given; presumably it must already be loaded on the host — not validated client-side.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub apparmor_profile: Option<String>,
    /// CapAdd are capabilities which will be added to the container. Conflicts with Privileged. Optional.
    /// NOTE(review): each entry is a privilege grant that widens the container's kernel attack surface;
    /// prefer dropping unneeded capabilities via `cap_drop` over adding them here.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cap_add: Option<Vec<String>>,
    /// CapDrop are capabilities which will be removed from the container. Conflicts with Privileged. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cap_drop: Option<Vec<String>>,
    /// Groups are a list of supplemental groups the container's user will be granted access to. Optional.
    /// Entries are plain strings; whether names or numeric GIDs are accepted is decided server-side — TODO confirm.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<String>>,
    /// ID mapping options for the container's user namespace; see `models::IdMappingOptions`
    /// (defined elsewhere in this crate) for the fields. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub idmappings: Option<Box<models::IdMappingOptions>>,
    /// LabelNested indicates whether or not the container is allowed to run fully nested containers including SELinux labelling. Optional.
    /// NOTE(review): this relaxes SELinux confinement for the container's own children; confirm the exact effect against the server docs before enabling.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub label_nested: Option<bool>,
    /// Mask is the path we want to mask in the container. This masks the paths given in addition to the default list. Optional
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mask: Option<Vec<String>>,
    /// NoNewPrivileges is whether the container will set the no new privileges flag on create, which disables gaining additional privileges (e.g. via setuid) in the container. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub no_new_privileges: Option<bool>,
    /// Privileged is whether the container is privileged. Privileged does the following: adds all devices on the
    /// system to the container; adds all capabilities to the container; disables Seccomp, SELinux, and Apparmor
    /// confinement (though SELinux can be manually re-enabled). Conflicts with `cap_add` and `cap_drop`.
    /// The upstream doc carries TODOs noting it conflicts with further fields and does more than listed —
    /// treat `Some(true)` as a near-host-level trust grant. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub privileged: Option<bool>,
    /// ProcOpts are the options used for the proc mount.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub procfs_opts: Option<Vec<String>>,
    /// ReadOnlyFilesystem indicates that everything will be mounted as read-only. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub read_only_filesystem: Option<bool>,
    /// ReadWriteTmpfs indicates that when running with a ReadOnlyFilesystem mount temporary file systems. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub read_write_tmpfs: Option<bool>,
    /// SeccompPolicy determines which seccomp profile gets applied the container. valid values: empty,default,image
    /// The value is not validated client-side; an unrecognised string is sent as-is.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub seccomp_policy: Option<String>,
    /// SeccompProfilePath is the path to a JSON file containing the container's Seccomp profile. If not specified, no Seccomp profile will be used. Optional.
    /// NOTE(review): the "no Seccomp profile" sentence comes from the upstream doc and appears to conflict with
    /// `seccomp_policy = "default"`; confirm against the server which setting wins when both are present.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub seccomp_profile_path: Option<String>,
    /// SELinux options for the container. The upstream doc describes this as "SelinuxProcessLabel is the process
    /// label the container will use. If SELinux is enabled and this is not specified, a label will be automatically
    /// generated", but the wire field is a list of option strings, not a single label — TODO confirm the expected
    /// entry format against the server. Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub selinux_opts: Option<Vec<String>>,
    /// Umask is the umask the init process of the container will be run with.
    /// Carried as a string; presumably an octal value such as "0022" — not validated here.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub umask: Option<String>,
    /// Unmask a path in the container. Some paths are masked by default, preventing them from being accessed within the container; this undoes that masking. If ALL is passed, all paths will be unmasked. Optional.
    /// NOTE(review): unmasking — and `ALL` in particular — exposes paths the default list hides from the
    /// container; treat any entry here as a privilege grant that needs justification.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmask: Option<Vec<String>>,
    /// User is the user the container will be run as. Can be given as a UID or a username; if a username, it will be resolved within the container, using the container's /etc/passwd. If unset, the container will be run as root. Optional.
    /// NOTE(review): leaving this `None` yields a root-in-container process; set it explicitly for least privilege.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<String>,
    /// User namespace configuration; see `models::Namespace` (defined elsewhere in this crate). Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userns: Option<Box<models::Namespace>>,
}
79
impl ContainerSecurityConfig {
    /// Builds a `ContainerSecurityConfig` with every field set to `None`.
    ///
    /// This is identical to `ContainerSecurityConfig::default()`: the struct
    /// derives `Default`, and the default of each `Option` field is `None`.
    ///
    /// An all-`None` config serializes to an empty object and asks the server
    /// for its defaults on every setting — it is not a hardened baseline (for
    /// example, the container runs as root unless `user` is set). Callers
    /// should populate the fields they care about after construction.
    pub fn new() -> ContainerSecurityConfig {
        Self::default()
    }
}
105}