Vendor in latest containers/common with default capabilities

Also update vendor of containers/storage and image Cleanup display of added/dropped capabilties as well Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-06 15:00:40 +08:00 · 2022-12-06 19:49:31 -05:00
parent 1cc22631f6
commit 3718ac8e96
141 changed files with 2344 additions and 1555 deletions
--- a/docs/source/markdown/podman-build.1.md.in
+++ b/docs/source/markdown/podman-build.1.md.in
@ -162,7 +162,7 @@ When executing RUN instructions, run the command specified in the instruction
 with the specified capability removed from its capability set.
 The CAP\_CHOWN, CAP\_DAC\_OVERRIDE, CAP\_FOWNER,
 CAP\_FSETID, CAP\_KILL, CAP\_NET\_BIND\_SERVICE, CAP\_SETFCAP,
-CAP\_SETGID, CAP\_SETPCAP, CAP\_SETUID, and CAP\_SYS\_CHROOT capabilities are
+CAP\_SETGID, CAP\_SETPCAP, and CAP\_SETUID capabilities are
 granted by default; this option can be used to remove them.

 If a capability is specified to both the **--cap-add** and **--cap-drop**
--- a/docs/source/markdown/podman-container-inspect.1.md.in
+++ b/docs/source/markdown/podman-container-inspect.1.md.in
@ -129,7 +129,6 @@ $ podman container inspect foobar
            "CAP_SETGID",
            "CAP_SETPCAP",
            "CAP_SETUID",
-            "CAP_SYS_CHROOT"
        ],
        "BoundingCaps": [
            "CAP_CHOWN",
@ -142,7 +141,6 @@ $ podman container inspect foobar
            "CAP_SETGID",
            "CAP_SETPCAP",
            "CAP_SETUID",
-            "CAP_SYS_CHROOT"
        ],
        "ExecIDs": [],
        "GraphDriver": {
@ -248,11 +246,7 @@ $ podman container inspect foobar
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": [],
-            "CapDrop": [
-                "CAP_AUDIT_WRITE",
-                "CAP_MKNOD",
-                "CAP_NET_RAW"
-            ],
+            "CapDrop": [],
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
@ -325,7 +319,7 @@ overlay

 ```
 $ podman container inspect --latest --format {{.EffectiveCaps}}
-[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_NET_BIND_SERVICE CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT]
+[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_NET_BIND_SERVICE CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID]
 ```

 ## SEE ALSO
--- a/docs/source/markdown/podman-info.1.md
+++ b/docs/source/markdown/podman-info.1.md
@ -91,7 +91,7 @@ host:
    path: /run/user/3267/podman/podman.sock
  security:
    apparmorEnabled: false
-    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
+    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
@ -224,7 +224,7 @@ $ podman info --format json
    "serviceIsRemote": false,
    "security": {
      "apparmorEnabled": false,
-      "capabilities": "CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT",
+      "capabilities": "CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID",
      "rootless": true,
      "seccompEnabled": true,
      "seccompProfilePath": "/usr/share/containers/seccomp.json",
--- a/docs/source/markdown/podman-inspect.1.md.in
+++ b/docs/source/markdown/podman-inspect.1.md.in
@ -138,7 +138,7 @@ size:   4405240

 ```
 podman container inspect --latest --format {{.EffectiveCaps}}
-[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE]
+[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_KILL]
 ```

 ```
--- a/docs/source/markdown/podman-kube-generate.1.md
+++ b/docs/source/markdown/podman-kube-generate.1.md
@ -78,12 +78,6 @@ spec:
    - containerPort: 3306
      hostPort: 36533
    resources: {}
-    securityContext:
-      capabilities:
-        drop:
-        - CAP_MKNOD
-        - CAP_NET_RAW
-        - CAP_AUDIT_WRITE
    tty: true
 status: {}
 ```
@ -109,12 +103,6 @@ spec:
    image: docker.io/library/alpine:latest
    name: test-bind-mount
    resources: {}
-    securityContext:
-      capabilities:
-        drop:
-        - CAP_MKNOD
-        - CAP_NET_RAW
-        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /volume
      name: home-user-my-data-host
@ -148,12 +136,6 @@ spec:
    image: docker.io/library/alpine:latest
    name: test-bind-mount
    resources: {}
-    securityContext:
-      capabilities:
-        drop:
-        - CAP_MKNOD
-        - CAP_NET_RAW
-        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /volume
      name: priceless-data-pvc