1containers-storage.conf(5)(Container)Filecontainers-storage.conf(5)(Container)
2
3
4
5Dan Walsh May 2017
6
7
9 storage.conf - Syntax of Container Storage configuration file
10
11
13 The STORAGE configuration file specifies all of the available container
14 storage options for tools using shared container storage, but in a TOML
15 format that can be more easily modified and versioned.
16
17
19 The [TOML format][toml] is used as the encoding of the configuration
20 file. Every option and subtable listed here is nested under a global
21 "storage" table. No bare options are used. The format of TOML can be
22 simplified to:
23
24
25 [table]
26 option = value
27
28 [table.subtable1]
29 option = value
30
31 [table.subtable2]
32 option = value
33
34
35
37 The storage table supports the following options:
38
39
40 driver=""
41 Copy On Write (COW) container storage driver. Valid drivers are
42 "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers
43 (for example, "zfs", "btrfs", and "aufs") may not work if your kernel
44 lacks support for the filesystem. This field is required to guarantee
45 proper operation. Valid rootless drivers are "btrfs", "overlay", and
46 "vfs". Rootless users default to the driver defined in the system con‐
47 figuration when possible. When the system configuration uses an unsup‐
48 ported rootless driver, rootless users default to "overlay" if avail‐
49 able, otherwise "vfs".
50
51
52 graphroot=""
53 container storage graph dir (default: "/var/lib/containers/storage")
54 Default directory to store all writable content created by container
55 storage programs. The rootless graphroot path supports environment
56 variable substitutions (ie. $HOME/containers/storage). When changing
57 the graphroot location on an SELINUX system, ensure the labeling
58 matches the default locations labels with the following commands:
59
60
61 # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
62 # restorecon -R -v /NEWSTORAGEPATH
63
64
65
66 In rootless mode you would set
67
68
69 # semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH
70 $ restorecon -R -v /NEWSTORAGEPATH
71
72
73
74 rootless_storage_path="$HOME/.local/share/containers/storage"
75 Storage path for rootless users. By default the graphroot for root‐
76 less users is set to $XDG_DATA_HOME/containers/storage, if
77 XDG_DATA_HOME is set. Otherwise $HOME/.local/share/containers/storage
78 is used. This field can be used if administrators need to change the
79 storage location for all users. The rootless storage path supports en‐
80 vironment variable substitutions (ie. $HOME/containers/storage)
81
82
83 A common use case for this field is to provide a local storage direc‐
84 tory when user home directories are NFS-mounted (podman does not sup‐
85 port container storage over NFS).
86
87
88 imagestore=""
89 Path of imagestore different from graphroot, by default storage li‐
90 brary stores all images in graphroot but if imagestore is provided it
91 will store newly pulled images in provided imagestore but will keep us‐
92 ing graphroot for everything else. If user is using overlay driver then
93 images which were already part of graphroot will still be accessible (
94 Internally storage library will mount graphroot as an additionalImage‐
95 Store to allow this behaviour ).
96
97
98 A common use case for this field is for the users who want to split the
99 file-system in different parts i.e disk which stores images vs disk
100 used by the container created by the image.
101
102
103 runroot=""
104 container storage run dir (default: "/run/containers/storage") De‐
105 fault directory to store all temporary writable content created by con‐
106 tainer storage programs. The rootless runroot path supports environment
107 variable substitutions (ie. $HOME/containers/storage)
108
109
110 driver_priority=[]
111 Priority list for the storage drivers that will be tested one after
112 the other to pick the storage driver if it is not defined. The first
113 storage driver in this list that can be used, will be picked as the new
114 one and all subsequent ones will not be tried. If all drivers in this
115 list are not viable, then all known drivers will be tried and the first
116 working one will be picked. By default, the storage driver is set via
117 the driver option. If it is not defined, then the best driver will be
118 picked according to the current platform. This option allows you to
119 override this internal priority list with a custom one to prefer cer‐
120 tain drivers. Setting this option only has an effect if the local
121 storage has not been initialized yet and the driver name is not set.
122
123
124 transient_store = "false" | "true"
125
126
127 Transient store mode makes all container metadata be saved in temporary
128 storage (i.e. runroot above). This is faster, but doesn't persist
129 across reboots. Additional garbage collection must also be performed
130 at boot-time, so this option should remain disabled in most configura‐
131 tions. (default: false)
132
133
134 STORAGE OPTIONS TABLE
135 The storage.options table supports the following options:
136
137
138 additionalimagestores=[]
139 Paths to additional container image stores. Usually these are
140 read/only and stored on remote network shares.
141
142
143 pull_options = {enable_partial_images = "false", use_hard_links =
144 "false", ostree_repos=""}
145
146
147 Allows specification of how storage is populated when pulling images.
148 This option can speed the pulling process of images compressed with
149 format zstd:chunked. Containers/storage looks for files within images
150 that are being pulled from a container registry that were previously
151 pulled to the host. It can copy or create a hard link to the existing
152 file when it finds them, eliminating the need to pull them from the
153 container registry. These options can deduplicate pulling of content,
154 disk storage of content and can allow the kernel to use less memory
155 when running containers.
156
157
158 containers/storage supports three keys
159 * enable_partial_images="true" | "false"
160 Tells containers/storage to look for files previously pulled in
161 storage
162 rather then always pulling them from the container registry.
163 * use_hard_links = "false" | "true"
164 Tells containers/storage to use hard links rather then create new
165 files in
166 the image, if an identical file already existed in storage.
167 * ostree_repos = ""
168 Tells containers/storage where an ostree repository exists that
169 might have
170 previously pulled content which can be used when attempting to
171 avoid
172 pulling content from the container registry
173
174
175 remap-uids="" remap-gids=""
176 Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear
177 inside of a container, to the UIDs/GIDs outside of the container, and
178 the length of the range of UIDs/GIDs. Additional mapped sets can be
179 listed and will be heeded by libraries, but there are limits to the
180 number of mappings which the kernel will allow when you later attempt
181 to run a container.
182
183
184 Example
185 remap-uids = "0:1668442479:65536"
186 remap-gids = "0:1668442479:65536"
187
188
189 These mappings tell the container engines to map UID 0 inside of the
190 container to UID 1668442479 outside. UID 1 will be mapped to
191 1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533
192 UIDs in succession.
193
194
195 remap-user="" remap-group=""
196 Remap-User/Group is a user name which can be used to look up one or
197 more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings
198 are set up starting with an in-container ID of 0 and then a host-level
199 ID taken from the lowest range that matches the specified name, and us‐
200 ing the length of that range. Additional ranges are then assigned, us‐
201 ing the ranges which specify the lowest host-level IDs first, to the
202 lowest not-yet-mapped in-container ID, until all of the entries have
203 been used for maps. This setting overrides the Remap-UIDs/GIDs set‐
204 ting.
205
206
207 Example
208 remap-user = "containers"
209 remap-group = "containers"
210
211
212 root-auto-userns-user=""
213 Root-auto-userns-user is a user name which can be used to look up one
214 or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These
215 ranges will be partitioned to containers configured to create automati‐
216 cally a user namespace. Containers configured to automatically create
217 a user namespace can still overlap with containers having an explicit
218 mapping set. This setting is ignored when running as rootless.
219
220
221 auto-userns-min-size=1024
222 Auto-userns-min-size is the minimum size for a user namespace created
223 automatically.
224
225
226 auto-userns-max-size=65536
227 Auto-userns-max-size is the maximum size for a user namespace created
228 automatically.
229
230
231 disable-volatile=true
232 If disable-volatile is set, then the "volatile" mount optimization is
233 disabled for all the containers.
234
235
236 STORAGE OPTIONS FOR AUFS TABLE
237 The storage.options.aufs table supports the following options:
238
239
240 mountopt=""
241 Comma separated list of default options to be used to mount container
242 images. Suggested value "nodev". Mount options are documented in the
243 mount(8) man page.
244
245
246 STORAGE OPTIONS FOR BTRFS TABLE
247 The storage.options.btrfs table supports the following options:
248
249
250 min_space=""
251 Specifies the min space in a btrfs volume.
252
253
254 size=""
255 Maximum size of a container image. This flag can be used to set
256 quota on the size of container images. (format: [], where unit = b
257 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
258
259
260 STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
261 The storage.options.thinpool table supports the following options for
262 the devicemapper driver:
263
264
265 autoextend_percent=""
266 Tells the thinpool driver the amount by which the thinpool needs to
267 be grown. This is specified in terms of % of pool size. So a value of
268 20 means that when threshold is hit, pool will be grown by 20% of ex‐
269 isting pool size. (default: 20%)
270
271
272 autoextend_threshold=""
273 Tells the driver the thinpool extension threshold in terms of per‐
274 centage of pool size. For example, if threshold is 60, that means when
275 pool is 60% full, threshold has been hit. (default: 80%)
276
277
278 basesize=""
279 Specifies the size to use when creating the base device, which limits
280 the size of images and containers. (default: 10g)
281
282
283 blocksize=""
284 Specifies a custom blocksize to use for the thin pool. (default: 64k)
285
286
287 directlvm_device=""
288 Specifies a custom block storage device to use for the thin pool. Re‐
289 quired for using graphdriver devicemapper.
290
291
292 directlvm_device_force=""
293 Tells driver to wipe device (directlvm_device) even if device already
294 has a filesystem. (default: false)
295
296
297 fs="xfs"
298 Specifies the filesystem type to use for the base device. (default:
299 xfs)
300
301
302 log_level=""
303 Sets the log level of devicemapper.
304
305
306 0: LogLevelSuppress 0 (default)
307 2: LogLevelFatal
308 3: LogLevelErr
309 4: LogLevelWarn
310 5: LogLevelNotice
311 6: LogLevelInfo
312 7: LogLevelDebug
313
314
315
316 metadata_size=""
317 metadata_size is used to set the pvcreate --metadatasize options when
318 creating thin devices. (Default 128k)
319
320
321 min_free_space=""
322 Specifies the min free space percent in a thin pool required for new
323 device creation to succeed. Valid values are from 0% - 99%. Value 0%
324 disables. (default: 10%)
325
326
327 mkfsarg=""
328 Specifies extra mkfs arguments to be used when creating the base de‐
329 vice.
330
331
332 mountopt=""
333 Comma separated list of default options to be used to mount container
334 images. Suggested value "nodev". Mount options are documented in the
335 mount(8) man page.
336
337
338 size=""
339 Maximum size of a container image. This flag can be used to set
340 quota on the size of container images. (format: [], where unit = b
341 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
342
343
344 use_deferred_deletion=""
345 Marks thinpool device for deferred deletion. If the thinpool is in
346 use when the driver attempts to delete it, the driver will attempt to
347 delete device every 30 seconds until successful, or when it restarts.
348 Deferred deletion permanently deletes the device and all data stored in
349 the device will be lost. (default: true).
350
351
352 use_deferred_removal=""
353 Marks devicemapper block device for deferred removal. If the device
354 is in use when its driver attempts to remove it, the driver tells the
355 kernel to remove the device as soon as possible. Note this does not
356 free up the disk space, use deferred deletion to fully remove the thin‐
357 pool. (default: true).
358
359
360 xfs_nospace_max_retries=""
361 Specifies the maximum number of retries XFS should attempt to com‐
362 plete IO when ENOSPC (no space) error is returned by underlying storage
363 device. (default: 0, which means to try continuously.)
364
365
366 STORAGE OPTIONS FOR OVERLAY TABLE
367 The storage.options.overlay table supports the following options:
368
369
370 ignore_chown_errors = "false"
371 ignore_chown_errors can be set to allow a non privileged user running
372 with a single UID within a user namespace to run containers. The user
373 can pull and use any image even those with multiple uids. Note multi‐
374 ple UIDs will be squashed down to the default uid in the container.
375 These images will have no separation between the users in the con‐
376 tainer. (default: false)
377
378
379 inodes=""
380 Maximum inodes in a read/write layer. This flag can be used to set
381 a quota on the inodes allocated for a read/write layer of a container.
382
383
384 force_mask = "0000|shared|private"
385 ForceMask specifies the permissions mask that is used for new files
386 and directories. The values "shared" and "private" are accepted. (de‐
387 fault: ""). Octal permission masks are also accepted.
388
389
390 • ``: Not set All files/directories, get set with the permis‐
391 sions identified within the image.
392
393 • private: it is equivalent to 0700. All files/directories get
394 set with 0700 permissions. The owner has rwx access to the
395 files. No other users on the system can access the files.
396 This setting could be used with networked based home directo‐
397 ries.
398
399 • shared: it is equivalent to 0755. The owner has rwx access to
400 the files and everyone else can read, access and execute them.
401 This setting is useful for sharing containers storage with
402 other users. For instance, a storage owned by root could be
403 shared to rootless users as an additional store. NOTE: All
404 files within the image are made readable and executable by any
405 user on the system. Even /etc/shadow within your image is now
406 readable by any user.
407
408
409
410 OCTAL: Users can experiment with other OCTAL Permissions.
411
412
413 Note: The force_mask Flag is an experimental feature, it could change
414 in the future. When "force_mask" is set the original permission mask
415 is stored in the "user.containers.override_stat" xattr and the
416 "mount_program" option must be specified. Mount programs like
417 "/usr/bin/fuse-overlayfs" present the extended attribute permissions to
418 processes within containers rather than the "force_mask" permissions.
419
420
421 mount_program=""
422 Specifies the path to a custom program to use instead of using kernel
423 defaults for mounting the file system. In rootless mode, without the
424 CAP_SYS_ADMIN capability, many kernels prevent mounting of overlay file
425 systems, requiring you to specify a mount_program. The mount_program
426 option is also required on systems where the underlying storage is
427 btrfs, aufs, zfs, overlay, or ecryptfs based file systems.
428 mount_program = "/usr/bin/fuse-overlayfs"
429
430
431 mountopt=""
432 Comma separated list of default options to be used to mount container
433 images. Suggested value "nodev". Mount options are documented in the
434 mount(8) man page.
435
436
437 skip_mount_home=""
438 Tell storage drivers to not create a PRIVATE bind mount on their home
439 directory.
440
441
442 size=""
443 Maximum size of a read/write layer. This flag can be used to set
444 quota on the size of a read/write layer of a container. (format: [],
445 where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
446
447
448 STORAGE OPTIONS FOR VFS TABLE
449 The storage.options.vfs table supports the following options:
450
451
452 ignore_chown_errors = "false"
453 ignore_chown_errors can be set to allow a non privileged user running
454 with a single UID within a user namespace to run containers. The user
455 can pull and use any image even those with multiple uids. Note multi‐
456 ple UIDs will be squashed down to the default uid in the container.
457 These images will have no separation between the users in the con‐
458 tainer. (default: false)
459
460
461 STORAGE OPTIONS FOR ZFS TABLE
462 The storage.options.zfs table supports the following options:
463
464
465 fsname=""
466 File System name for the zfs driver
467
468
469 mountopt=""
470 Comma separated list of default options to be used to mount container
471 images. Suggested value "nodev". Mount options are documented in the
472 mount(8) man page.
473
474
475 size=""
476 Maximum size of a container image. This flag can be used to set
477 quota on the size of container images. (format: [], where unit = b
478 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
479
480
482 When running on an SELinux system, if you move the containers storage
483 graphroot directory, you must make sure the labeling is correct.
484
485
486 Tell SELinux about the new containers storage by setting up an equiva‐
487 lence record. This tells SELinux to label content under the new path,
488 as if it was stored under /var/lib/containers/storage.
489
490
491 semanage fcontext -a -e /var/lib/containers NEWSTORAGEPATH
492 restorecon -R -v NEWSTORAGEPATH
493
494
495
496 In rootless mode, you would set
497
498
499 semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH
500 restorecon -R -v NEWSTORAGEPATH
501
502
503
504 The semanage command above tells SELinux to setup the default labeling
505 of NEWSTORAGEPATH to match /var/lib/containers. The restorecon command
506 tells SELinux to apply the labels to the actual content.
507
508
509 Now all new content created in these directories will automatically be
510 created with the correct label.
511
512
514 Container storage implements XFS project quota controls for overlay
515 storage containers and volumes. The directory used to store the con‐
516 tainers must be an XFS file system and be mounted with the pquota op‐
517 tion.
518
519
520 Example /etc/fstab entry:
521
522
523 /dev/podman/podman-var /var xfs defaults,x-systemd.device-timeout=0,pquota 1 2
524
525
526
527 Container storage generates project ids for each container and builtin
528 volume, but these project ids need to be unique for the XFS file sys‐
529 tem.
530
531
532 The xfs_quota tool can be used to assign a project id to the storage
533 driver directory, e.g.:
534
535
536 echo 100000:/var/lib/containers/storage/overlay >> /etc/projects
537 echo 200000:/var/lib/containers/storage/volumes >> /etc/projects
538 echo storage:100000 >> /etc/projid
539 echo volumes:200000 >> /etc/projid
540 xfs_quota -x -c 'project -s storage volumes' /<xfs mount point>
541
542
543
544 In the example above, the storage directory project id will be used as
545 a "start offset" and all containers will be assigned larger project ids
546 (e.g. >= 100000). Then the volumes directory project id will be used
547 as a "start offset" and all volumes will be assigned larger project ids
548 (e.g. >= 200000). This is a way to prevent xfs_quota management from
549 conflicting with containers/storage.
550
551
553 Distributions often provide a /usr/share/containers/storage.conf file
554 to define default storage configuration. Administrators can override
555 this file by creating /etc/containers/storage.conf to specify their own
556 configuration. Likewise rootless users can create a storage.conf file
557 to override the system storage.conf files. Files should be stored in
558 the $XDG_CONFIG_HOME/containers/storage.conf file. If $XDG_CONFIG_HOME
559 is not set then the file $HOME/.config/containers/storage.conf is used.
560
561
562 Note: The storage.conf file overrides all other storage.conf files.
563 Container engines run by users with a storage.conf file in their home
564 directory do not use options in the system storage.conf files.
565
566
567 /etc/projects - XFS persistent project root definition /etc/projid -
568 XFS project name mapping file
569
570
572 semanage(8), restorecon(8), mount(8), fuse-overlayfs(1), xfs_quota(8),
573 projects(5), projid(5)
574
575
577 May 2017, Originally compiled by Dan Walsh dwalsh@redhat.com
578 ⟨mailto:dwalsh@redhat.com⟩ Format copied from crio.conf man page cre‐
579 ated by Aleksa Sarai asarai@suse.de ⟨mailto:asarai@suse.de⟩
580
581
582
583Configuration Storagceontainers-storage.conf(5)(Container)