containers-storage.conf(5)

1containers-storage.conf(5)(Container)Filecontainers-storage.conf(5)(Container)
2
3
4
5Dan Walsh May 2017
6
7

NAME

9       storage.conf - Syntax of Container Storage configuration file
10
11

DESCRIPTION

13       The STORAGE configuration file specifies all of the available container
14       storage options for tools using shared container storage, but in a TOML
15       format that can be more easily modified and versioned.
16
17

FORMAT

19       The  [TOML  format][toml]  is used as the encoding of the configuration
20       file.  Every option and subtable listed here is nested under  a  global
21       "storage"  table.   No bare options are used. The format of TOML can be
22       simplified to:
23
24
25              [table]
26              option = value
27
28              [table.subtable1]
29              option = value
30
31              [table.subtable2]
32              option = value
33
34
35

STORAGE TABLE

37       The storage table supports the following options:
38
39
40       driver=""
41         Copy On Write (COW)  container  storage  driver.  Valid  drivers  are
42       "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers
43       (for example, "zfs", "btrfs", and "aufs") may not work if  your  kernel
44       lacks  support for the filesystem.  This field is required to guarantee
45       proper operation.  Valid rootless drivers are "btrfs",  "overlay",  and
46       "vfs".  Rootless users default to the driver defined in the system con‐
47       figuration when possible.  When the system configuration uses an unsup‐
48       ported  rootless  driver, rootless users default to "overlay" if avail‐
49       able, otherwise "vfs".
50
51
52       graphroot=""
53         container storage graph dir (default:  "/var/lib/containers/storage")
54       Default  directory  to  store all writable content created by container
55       storage programs.  The rootless  graphroot  path  supports  environment
56       variable  substitutions  (ie. $HOME/containers/storage).  When changing
57       the graphroot location  on  an  SELINUX  system,  ensure  the  labeling
58       matches the default locations labels with the following commands:
59
60
61              # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
62              # restorecon -R -v /NEWSTORAGEPATH
63
64
65
66       In rootless mode you would set
67
68
69              # semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH
70              $ restorecon -R -v /NEWSTORAGEPATH
71
72
73
74       rootless_storage_path="$HOME/.local/share/containers/storage"
75         Storage  path  for rootless users. By default the graphroot for root‐
76       less   users   is   set   to   $XDG_DATA_HOME/containers/storage,    if
77       XDG_DATA_HOME  is  set. Otherwise $HOME/.local/share/containers/storage
78       is used. This field can be used if administrators need  to  change  the
79       storage  location for all users. The rootless storage path supports en‐
80       vironment variable substitutions (ie. $HOME/containers/storage)
81
82
83       A common use case for this field is to provide a local  storage  direc‐
84       tory  when  user home directories are NFS-mounted (podman does not sup‐
85       port container storage over NFS).
86
87
88       imagestore=""
89         Path of imagestore different from graphroot, by default  storage  li‐
90       brary  stores  all images in graphroot but if imagestore is provided it
91       will store newly pulled images in provided imagestore but will keep us‐
92       ing graphroot for everything else. If user is using overlay driver then
93       images which were already part of graphroot will still be accessible  (
94       Internally  storage library will mount graphroot as an additionalImage‐
95       Store to allow this behaviour ).
96
97
98       A common use case for this field is for the users who want to split the
99       file-system  in  different  parts  i.e disk which stores images vs disk
100       used by the container created by the image.
101
102
103       runroot=""
104         container storage run dir  (default:  "/run/containers/storage")  De‐
105       fault directory to store all temporary writable content created by con‐
106       tainer storage programs. The rootless runroot path supports environment
107       variable substitutions (ie. $HOME/containers/storage)
108
109
110       driver_priority=[]
111         Priority  list  for the storage drivers that will be tested one after
112       the other to pick the storage driver if it is not  defined.  The  first
113       storage driver in this list that can be used, will be picked as the new
114       one and all subsequent ones will not be tried. If all drivers  in  this
115       list are not viable, then all known drivers will be tried and the first
116       working one will be picked.  By default, the storage driver is set  via
117       the  driver  option. If it is not defined, then the best driver will be
118       picked according to the current platform. This  option  allows  you  to
119       override  this  internal priority list with a custom one to prefer cer‐
120       tain drivers.  Setting this option only has  an  effect  if  the  local
121       storage has not been initialized yet and the driver name is not set.
122
123
124       transient_store = "false" | "true"
125
126
127       Transient store mode makes all container metadata be saved in temporary
128       storage (i.e. runroot above).  This  is  faster,  but  doesn't  persist
129       across  reboots.   Additional garbage collection must also be performed
130       at boot-time, so this option should remain disabled in most  configura‐
131       tions. (default: false)
132
133
134   STORAGE OPTIONS TABLE
135       The storage.options table supports the following options:
136
137
138       additionalimagestores=[]
139         Paths  to  additional  container  image  stores.  Usually  these  are
140       read/only and stored on remote network shares.
141
142
143       pull_options  =  {enable_partial_images  =  "false",  use_hard_links  =
144       "false", ostree_repos=""}
145
146
147       Allows  specification  of how storage is populated when pulling images.
148       This option can speed the pulling process  of  images  compressed  with
149       format  zstd:chunked.  Containers/storage looks for files within images
150       that are being pulled from a container registry  that  were  previously
151       pulled  to the host.  It can copy or create a hard link to the existing
152       file when it finds them, eliminating the need to  pull  them  from  the
153       container  registry.  These options can deduplicate pulling of content,
154       disk storage of content and can allow the kernel  to  use  less  memory
155       when running containers.
156
157
158       containers/storage supports three keys
159         * enable_partial_images="true" | "false"
160           Tells  containers/storage  to  look  for files previously pulled in
161       storage
162           rather then always pulling them from the container registry.
163         * use_hard_links = "false" | "true"
164           Tells containers/storage to use hard links rather then  create  new
165       files in
166           the image, if an identical file already existed in storage.
167         * ostree_repos = ""
168           Tells  containers/storage  where  an  ostree repository exists that
169       might have
170           previously pulled content which can  be  used  when  attempting  to
171       avoid
172           pulling content from the container registry
173
174
175       remap-uids="" remap-gids=""
176         Remap-UIDs/GIDs  is  the mapping from UIDs/GIDs as they should appear
177       inside of a container, to the UIDs/GIDs outside of the  container,  and
178       the  length  of  the range of UIDs/GIDs.  Additional mapped sets can be
179       listed and will be heeded by libraries, but there  are  limits  to  the
180       number  of  mappings which the kernel will allow when you later attempt
181       to run a container.
182
183
184       Example
185            remap-uids = "0:1668442479:65536"
186            remap-gids = "0:1668442479:65536"
187
188
189       These mappings tell the container engines to map UID 0  inside  of  the
190       container  to  UID  1668442479  outside.   UID  1  will  be  mapped  to
191       1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533
192       UIDs in succession.
193
194
195       remap-user="" remap-group=""
196         Remap-User/Group  is  a user name which can be used to look up one or
197       more UID/GID ranges in the /etc/subuid or /etc/subgid  file.   Mappings
198       are  set up starting with an in-container ID of 0 and then a host-level
199       ID taken from the lowest range that matches the specified name, and us‐
200       ing  the length of that range. Additional ranges are then assigned, us‐
201       ing the ranges which specify the lowest host-level IDs  first,  to  the
202       lowest  not-yet-mapped  in-container  ID, until all of the entries have
203       been used for maps.  This setting overrides  the  Remap-UIDs/GIDs  set‐
204       ting.
205
206
207       Example
208            remap-user = "containers"
209            remap-group = "containers"
210
211
212       root-auto-userns-user=""
213         Root-auto-userns-user is a user name which can be used to look up one
214       or more UID/GID ranges in the /etc/subuid and /etc/subgid file.   These
215       ranges will be partitioned to containers configured to create automati‐
216       cally a user namespace.  Containers configured to automatically  create
217       a  user  namespace can still overlap with containers having an explicit
218       mapping set.  This setting is ignored when running as rootless.
219
220
221       auto-userns-min-size=1024
222         Auto-userns-min-size is the minimum size for a user namespace created
223       automatically.
224
225
226       auto-userns-max-size=65536
227         Auto-userns-max-size is the maximum size for a user namespace created
228       automatically.
229
230
231       disable-volatile=true
232         If disable-volatile is set, then the "volatile" mount optimization is
233       disabled for all the containers.
234
235
236   STORAGE OPTIONS FOR AUFS TABLE
237       The storage.options.aufs table supports the following options:
238
239
240       mountopt=""
241         Comma separated list of default options to be used to mount container
242       images.  Suggested value "nodev". Mount options are documented  in  the
243       mount(8) man page.
244
245
246   STORAGE OPTIONS FOR BTRFS TABLE
247       The storage.options.btrfs table supports the following options:
248
249
250       min_space=""
251         Specifies the min space in a btrfs volume.
252
253
254       size=""
255         Maximum  size  of  a  container image.   This flag can be used to set
256       quota on the size of container images. (format:  [],  where  unit  =  b
257       (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
258
259
260   STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
261       The  storage.options.thinpool  table supports the following options for
262       the devicemapper driver:
263
264
265       autoextend_percent=""
266         Tells the thinpool driver the amount by which the thinpool  needs  to
267       be  grown.  This is specified in terms of % of pool size. So a value of
268       20 means that when threshold is hit, pool will be grown by 20%  of  ex‐
269       isting pool size. (default: 20%)
270
271
272       autoextend_threshold=""
273         Tells  the  driver  the thinpool extension threshold in terms of per‐
274       centage of pool size. For example, if threshold is 60, that means  when
275       pool is 60% full, threshold has been hit. (default: 80%)
276
277
278       basesize=""
279         Specifies the size to use when creating the base device, which limits
280       the size of images and containers. (default: 10g)
281
282
283       blocksize=""
284         Specifies a custom blocksize to use for the thin pool. (default: 64k)
285
286
287       directlvm_device=""
288         Specifies a custom block storage device to use for the thin pool. Re‐
289       quired for using graphdriver devicemapper.
290
291
292       directlvm_device_force=""
293         Tells driver to wipe device (directlvm_device) even if device already
294       has a filesystem.  (default: false)
295
296
297       fs="xfs"
298         Specifies the filesystem type to use for the base  device.  (default:
299       xfs)
300
301
302       log_level=""
303         Sets the log level of devicemapper.
304
305
306              0: LogLevelSuppress 0 (default)
307              2: LogLevelFatal
308              3: LogLevelErr
309              4: LogLevelWarn
310              5: LogLevelNotice
311              6: LogLevelInfo
312              7: LogLevelDebug
313
314
315
316       metadata_size=""
317         metadata_size is used to set the pvcreate --metadatasize options when
318       creating thin devices. (Default 128k)
319
320
321       min_free_space=""
322         Specifies the min free space percent in a thin pool required for  new
323       device  creation  to  succeed. Valid values are from 0% - 99%. Value 0%
324       disables. (default: 10%)
325
326
327       mkfsarg=""
328         Specifies extra mkfs arguments to be used when creating the base  de‐
329       vice.
330
331
332       mountopt=""
333         Comma separated list of default options to be used to mount container
334       images.  Suggested value "nodev". Mount options are documented  in  the
335       mount(8) man page.
336
337
338       size=""
339         Maximum  size  of  a  container  image.  This flag can be used to set
340       quota on the size of container images. (format:  [],  where  unit  =  b
341       (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
342
343
344       use_deferred_deletion=""
345         Marks  thinpool  device  for deferred deletion. If the thinpool is in
346       use when the driver attempts to delete it, the driver will  attempt  to
347       delete  device  every 30 seconds until successful, or when it restarts.
348       Deferred deletion permanently deletes the device and all data stored in
349       the device will be lost. (default: true).
350
351
352       use_deferred_removal=""
353         Marks  devicemapper block device for deferred removal.  If the device
354       is in use when its driver attempts to remove it, the driver  tells  the
355       kernel  to  remove  the device as soon as possible.  Note this does not
356       free up the disk space, use deferred deletion to fully remove the thin‐
357       pool.  (default: true).
358
359
360       xfs_nospace_max_retries=""
361         Specifies  the  maximum  number of retries XFS should attempt to com‐
362       plete IO when ENOSPC (no space) error is returned by underlying storage
363       device. (default: 0, which means to try continuously.)
364
365
366   STORAGE OPTIONS FOR OVERLAY TABLE
367       The storage.options.overlay table supports the following options:
368
369
370       ignore_chown_errors = "false"
371         ignore_chown_errors can be set to allow a non privileged user running
372       with a  single UID within a user namespace to run containers. The  user
373       can  pull and use any image even those with multiple uids.  Note multi‐
374       ple UIDs will be squashed down to the default  uid  in  the  container.
375       These  images  will  have  no  separation between the users in the con‐
376       tainer. (default: false)
377
378
379       inodes=""
380         Maximum inodes in a read/write layer.   This flag can be used to  set
381       a quota on the inodes allocated for a read/write layer of a container.
382
383
384       force_mask = "0000|shared|private"
385         ForceMask  specifies  the permissions mask that is used for new files
386       and directories. The values "shared" and "private" are accepted.   (de‐
387       fault: ""). Octal permission masks are also accepted.
388
389
390              • ``:  Not  set  All files/directories, get set with the permis‐
391                sions identified within the image.
392
393              • private: it is equivalent to 0700.  All files/directories  get
394                set  with  0700  permissions.  The owner has rwx access to the
395                files. No other users on the  system  can  access  the  files.
396                This  setting could be used with networked based home directo‐
397                ries.
398
399              • shared: it is equivalent to 0755.  The owner has rwx access to
400                the files and everyone else can read, access and execute them.
401                This setting is useful for  sharing  containers  storage  with
402                other  users.   For instance, a storage owned by root could be
403                shared to rootless users as an additional store.   NOTE:   All
404                files within the image are made readable and executable by any
405                user on the system. Even /etc/shadow within your image is  now
406                readable by any user.
407
408
409
410       OCTAL: Users can experiment with other OCTAL Permissions.
411
412
413       Note:  The  force_mask Flag is an experimental feature, it could change
414       in the future.  When "force_mask" is set the original  permission  mask
415       is   stored   in  the  "user.containers.override_stat"  xattr  and  the
416       "mount_program"  option  must  be  specified.   Mount   programs   like
417       "/usr/bin/fuse-overlayfs" present the extended attribute permissions to
418       processes within containers rather than the "force_mask"  permissions.
419
420
421       mount_program=""
422         Specifies the path to a custom program to use instead of using kernel
423       defaults  for  mounting  the file system. In rootless mode, without the
424       CAP_SYS_ADMIN capability, many kernels prevent mounting of overlay file
425       systems,  requiring  you  to specify a mount_program. The mount_program
426       option is also required on systems  where  the  underlying  storage  is
427       btrfs, aufs, zfs, overlay, or ecryptfs based file systems.
428         mount_program = "/usr/bin/fuse-overlayfs"
429
430
431       mountopt=""
432         Comma separated list of default options to be used to mount container
433       images.  Suggested value "nodev". Mount options are documented  in  the
434       mount(8) man page.
435
436
437       skip_mount_home=""
438         Tell storage drivers to not create a PRIVATE bind mount on their home
439       directory.
440
441
442       size=""
443         Maximum size of a read/write layer.   This flag can be  used  to  set
444       quota  on  the  size of a read/write layer of a container. (format: [],
445       where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
446
447
448   STORAGE OPTIONS FOR VFS TABLE
449       The storage.options.vfs table supports the following options:
450
451
452       ignore_chown_errors = "false"
453         ignore_chown_errors can be set to allow a non privileged user running
454       with  a  single UID within a user namespace to run containers. The user
455       can pull and use any image even those with multiple uids.  Note  multi‐
456       ple  UIDs  will  be  squashed down to the default uid in the container.
457       These images will have no separation between  the  users  in  the  con‐
458       tainer. (default: false)
459
460
461   STORAGE OPTIONS FOR ZFS TABLE
462       The storage.options.zfs table supports the following options:
463
464
465       fsname=""
466         File System name for the zfs driver
467
468
469       mountopt=""
470         Comma separated list of default options to be used to mount container
471       images.  Suggested value "nodev". Mount options are documented  in  the
472       mount(8) man page.
473
474
475       size=""
476         Maximum  size  of  a  container image.   This flag can be used to set
477       quota on the size of container images. (format:  [],  where  unit  =  b
478       (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
479
480

SELINUX LABELING

482       When  running  on an SELinux system, if you move the containers storage
483       graphroot directory, you must make sure the labeling is correct.
484
485
486       Tell SELinux about the new containers storage by setting up an  equiva‐
487       lence  record.  This tells SELinux to label content under the new path,
488       as if it was stored under /var/lib/containers/storage.
489
490
491              semanage fcontext -a -e /var/lib/containers NEWSTORAGEPATH
492              restorecon -R -v NEWSTORAGEPATH
493
494
495
496       In rootless mode, you would set
497
498
499              semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH
500              restorecon -R -v NEWSTORAGEPATH
501
502
503
504       The semanage command above tells SELinux to setup the default  labeling
505       of NEWSTORAGEPATH to match /var/lib/containers.  The restorecon command
506       tells SELinux to apply the labels to the actual content.
507
508
509       Now all new content created in these directories will automatically  be
510       created with the correct label.
511
512

QUOTAS

514       Container  storage  implements  XFS  project quota controls for overlay
515       storage containers and volumes. The directory used to  store  the  con‐
516       tainers  must  be an XFS file system and be mounted with the pquota op‐
517       tion.
518
519
520       Example /etc/fstab entry:
521
522
523              /dev/podman/podman-var /var xfs defaults,x-systemd.device-timeout=0,pquota 1 2
524
525
526
527       Container storage generates project ids for each container and  builtin
528       volume,  but  these project ids need to be unique for the XFS file sys‐
529       tem.
530
531
532       The xfs_quota tool can be used to assign a project id  to  the  storage
533       driver directory, e.g.:
534
535
536              echo 100000:/var/lib/containers/storage/overlay >> /etc/projects
537              echo 200000:/var/lib/containers/storage/volumes >> /etc/projects
538              echo storage:100000 >> /etc/projid
539              echo volumes:200000 >> /etc/projid
540              xfs_quota -x -c 'project -s storage volumes' /<xfs mount point>
541
542
543
544       In  the example above, the storage directory project id will be used as
545       a "start offset" and all containers will be assigned larger project ids
546       (e.g.  >=  100000).  Then the volumes directory project id will be used
547       as a "start offset" and all volumes will be assigned larger project ids
548       (e.g.  >=  200000).  This is a way to prevent xfs_quota management from
549       conflicting with containers/storage.
550
551

FILES

553       Distributions often provide a  /usr/share/containers/storage.conf  file
554       to  define  default  storage configuration. Administrators can override
555       this file by creating /etc/containers/storage.conf to specify their own
556       configuration.  Likewise  rootless users can create a storage.conf file
557       to override the system storage.conf files. Files should  be  stored  in
558       the $XDG_CONFIG_HOME/containers/storage.conf file.  If $XDG_CONFIG_HOME
559       is not set then the file $HOME/.config/containers/storage.conf is used.
560
561
562       Note: The storage.conf file overrides  all  other  storage.conf  files.
563       Container  engines  run by users with a storage.conf file in their home
564       directory do not use options in the system storage.conf files.
565
566
567       /etc/projects - XFS persistent project root  definition  /etc/projid  -
568       XFS project name mapping file
569
570

HISTORY

577       May  2017,  Originally  compiled   by   Dan   Walsh   dwalsh@redhat.com
578       ⟨mailto:dwalsh@redhat.com⟩  Format  copied from crio.conf man page cre‐
579       ated by Aleksa Sarai asarai@suse.de ⟨mailto:asarai@suse.de⟩
580
581
582
583Configuration                       Storagceontainers-storage.conf(5)(Container)