1podman-run(1)               General Commands Manual              podman-run(1)
2
3
4

NAME

6       podman-run - Run a command in a new container
7
8

SYNOPSIS

10       podman run [options] image [command [arg ...]]
11
12
13       podman container run [options] image [command [arg ...]]
14
15

DESCRIPTION

17       Run  a process in a new container. podman run starts a process with its
18       own file system, its own networking, and its own isolated process tree.
19       The  image  which starts the process may define defaults related to the
20       process that will be run in the container, the  networking  to  expose,
21       and  more, but podman run gives final control to the operator or admin‐
22       istrator who starts the container from the image. For that reason  pod‐
23       man run has more options than any other Podman command.
24
25
26       If the image is not already loaded then podman run will pull the image,
27       and all image dependencies, from the repository in the same way running
28       podman pull image , before it starts the container from that image.
29
30
31       Several files will be automatically created within the container. These
32       include /etc/hosts, /etc/hostname, and /etc/resolv.conf to manage  net‐
33       working.   These  will  be  based  on  the host's version of the files,
34       though they can be customized with options  (for  example,  --dns  will
35       override  the host's DNS servers in the created resolv.conf). Addition‐
36       ally, a container environment file is created in each container to  in‐
37       dicate  to  programs  they are running in a container. This file is lo‐
38       cated at /run/.containerenv (or /var/run/.containerenv for FreeBSD con‐
39       tainers).  When  using the --privileged flag the .containerenv contains
40       name/value pairs indicating the container engine version,  whether  the
41       engine  is running in rootless mode, the container name and ID, as well
42       as the image name  and  ID  that  the  container  is  based  on.  Note:
43       /run/.containerenv  will  not  be  created  when a volume is mounted on
44       /run.
45
46
47       When   running   from   a   user   defined   network   namespace,   the
48       /etc/netns/NSNAME/resolv.conf  will  be  used  if  it exists, otherwise
49       /etc/resolv.conf will be used.
50
51
52       Default settings are defined in containers.conf. Most settings for  re‐
53       mote  connections  use  the  servers containers.conf, except when docu‐
54       mented in man pages.
55
56

IMAGE

58       The image is specified using transport:path format. If no transport  is
59       specified,  the  docker  (container  registry) transport is used by de‐
60       fault. For remote Podman, including Mac and  Windows  (excluding  WSL2)
61       machines, docker is the only allowed transport.
62
63
64       dir:path
65         An existing local directory path storing the manifest, layer tarballs
66       and signatures as individual files. This is a non-standardized  format,
67       primarily useful for debugging or noninvasive container inspection.
68
69       $ podman save --format docker-dir fedora -o /tmp/fedora
70       $ podman run dir:/tmp/fedora echo hello
71
72
73
74       docker://docker-reference (Default)
75         An image reference stored in a remote container image registry. Exam‐
76       ple: "quay.io/podman/stable:latest".  The reference can include a  path
77       to  a  specific registry; if it does not, the registries listed in reg‐
78       istries.conf are queried to find a matching image.  By default, creden‐
79       tials   from   podman   login   (stored   at  $XDG_RUNTIME_DIR/contain‐
80       ers/auth.json by default) are used to authenticate; otherwise it  falls
81       back to using credentials in $HOME/.docker/config.json.
82
83       $ podman run registry.fedoraproject.org/fedora:latest echo hello
84
85
86
87       docker-archive:path[:docker-reference]  An  image  stored in the docker
88       save formatted file. docker-reference is only used when creating such a
89       file, and it must not contain a digest.
90
91       $ podman save --format docker-archive fedora -o /tmp/fedora
92       $ podman run docker-archive:/tmp/fedora echo hello
93
94
95
96       docker-daemon:docker-reference
97         An  image  in docker-reference format stored in the docker daemon in‐
98       ternal storage. The docker-reference can also be an image  ID  (docker-
99       daemon:algo:digest).
100
101       $ sudo docker pull fedora
102       $ sudo podman run docker-daemon:docker.io/library/fedora echo hello
103
104
105
106       oci-archive:path:tag
107         An image in a directory compliant with the "Open Container Image Lay‐
108       out Specification" at the specified path and specified with a tag.
109
110       $ podman save --format oci-archive fedora -o /tmp/fedora
111       $ podman run oci-archive:/tmp/fedora echo hello
112
113
114

OPTIONS

116   --add-host=host:ip
117       Add a custom host-to-IP mapping (host:ip)
118
119
120       Add a line to /etc/hosts. The format is hostname:ip. The --add-host op‐
121       tion can be set multiple times. Conflicts with the --no-hosts option.
122
123
124   --annotation=key=value
125       Add  an  annotation  to  the container. This option can be set multiple
126       times.
127
128
129   --arch=ARCH
130       Override the architecture, defaults  to  hosts,  of  the  image  to  be
131       pulled. For example, arm.  Unless overridden, subsequent lookups of the
132       same image in the local storage matches this  architecture,  regardless
133       of the host.
134
135
136   --attach, -a=stdin | stdout | stderr
137       Attach to STDIN, STDOUT or STDERR.
138
139
140       In  foreground  mode (the default when -d is not specified), podman run
141       can start the process in the container and attach the  console  to  the
142       process's  standard input, output, and error. It can even pretend to be
143       a TTY (this is what most  command-line  executables  expect)  and  pass
144       along  signals. The -a option can be set for each of stdin, stdout, and
145       stderr.
146
147
148   --authfile=path
149       Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
150       ers/auth.json  on Linux, and $HOME/.config/containers/auth.json on Win‐
151       dows/macOS.  The file is created by podman login. If the  authorization
152       state  is  not found there, $HOME/.docker/config.json is checked, which
153       is set using docker login.
154
155
156       Note: There is also the option to override the default path of the  au‐
157       thentication  file  by setting the REGISTRY_AUTH_FILE environment vari‐
158       able. This can be done with export REGISTRY_AUTH_FILE=path.
159
160
161   --blkio-weight=weight
162       Block IO relative weight. The weight is a value between 10 and 1000.
163
164
165       This option is not supported on cgroups V1 rootless systems.
166
167
168   --blkio-weight-device=device:weight
169       Block IO relative device weight.
170
171
172   --cap-add=capability
173       Add Linux capabilities.
174
175
176   --cap-drop=capability
177       Drop Linux capabilities.
178
179
180   --cgroup-conf=KEY=VALUE
181       When running on cgroup v2, specify the cgroup file to write to and  its
182       value.  For  example --cgroup-conf=memory.high=1073741824 sets the mem‐
183       ory.high limit to 1GB.
184
185
186   --cgroup-parent=path
187       Path to cgroups under which the cgroup for the container is created. If
188       the  path is not absolute, the path is considered to be relative to the
189       cgroups path of the init process. Cgroups are created if  they  do  not
190       already exist.
191
192
193   --cgroupns=mode
194       Set the cgroup namespace mode for the container.
195
196
197host: use the host's cgroup namespace inside the container.
198
199container:id: join the namespace of the specified container.
200
201private: create a new cgroup namespace.
202
203ns:path: join the namespace at the specified path.
204
205
206
207       If the host uses cgroups v1, the default is set to host. On cgroups v2,
208       the default is private.
209
210
211   --cgroups=how
212       Determines whether the container creates CGroups.
213
214
215       Default is enabled.
216
217
218       The enabled option creates a new cgroup under the  cgroup-parent.   The
219       disabled  option  forces  the container to not create CGroups, and thus
220       conflicts with CGroup options (--cgroupns  and  --cgroup-parent).   The
221       no-conmon  option  disables  a  new CGroup only for the conmon process.
222       The split option splits the current CGroup in two sub-cgroups: one  for
223       conmon  and  one  for  the container payload. It is not possible to set
224       --cgroup-parent with split.
225
226
227   --chrootdirs=path
228       Path to a directory inside the container that is treated  as  a  chroot
229       directory.    Any   Podman   managed   file   (e.g.,  /etc/resolv.conf,
230       /etc/hosts, etc/hostname) that is mounted into the  root  directory  is
231       mounted into that location as well.  Multiple directories are separated
232       with a comma.
233
234
235   --cidfile=file
236       Write the container ID to file.  The file is  removed  along  with  the
237       container,  except  when used with podman --remote run on detached con‐
238       tainers.
239
240
241   --conmon-pidfile=file
242       Write the pid of the conmon process to a file. As conmon runs in a sep‐
243       arate  process  than  Podman,  this  is necessary when using systemd to
244       restart Podman containers.  (This option is not available with the  re‐
245       mote  Podman  client,  including  Mac  and Windows (excluding WSL2) ma‐
246       chines)
247
248
249   --cpu-period=limit
250       Set the CPU period for the Completely Fair Scheduler (CFS), which is  a
251       duration in microseconds. Once the container's CPU quota is used up, it
252       will not be scheduled to run until the current period ends. Defaults to
253       100000 microseconds.
254
255
256       On  some  systems,  changing the resource limits may not be allowed for
257       non-root  users.  For  more  details,  see  https://github.com/contain
258       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
259       source-limits-fails-with-a-permissions-error
260
261
262       This option is not supported on cgroups V1 rootless systems.
263
264
265   --cpu-quota=limit
266       Limit the CPU Completely Fair Scheduler (CFS) quota.
267
268
269       Limit the container's CPU usage. By default, containers  run  with  the
270       full  CPU  resource. The limit is a number in microseconds. If a number
271       is provided, the container is allowed to use that much CPU  time  until
272       the CPU period ends (controllable via --cpu-period).
273
274
275       On  some  systems,  changing the resource limits may not be allowed for
276       non-root  users.  For  more  details,  see  https://github.com/contain
277       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
278       source-limits-fails-with-a-permissions-error
279
280
281       This option is not supported on cgroups V1 rootless systems.
282
283
284   --cpu-rt-period=microseconds
285       Limit the CPU real-time period in microseconds.
286
287
288       Limit the container's Real Time CPU usage. This option tells the kernel
289       to  restrict  the  container's Real Time CPU usage to the period speci‐
290       fied.
291
292
293       This option is only supported on cgroups V1 rootful systems.
294
295
296   --cpu-rt-runtime=microseconds
297       Limit the CPU real-time runtime in microseconds.
298
299
300       Limit the containers Real Time CPU usage. This option tells the  kernel
301       to  limit  the amount of time in a given CPU period Real Time tasks may
302       consume. Ex: Period of 1,000,000us and Runtime of 950,000us means  that
303       this container can consume 95% of available CPU and leave the remaining
304       5% to normal priority tasks.
305
306
307       The sum of all runtimes across containers cannot exceed the amount  al‐
308       lotted to the parent cgroup.
309
310
311       This option is only supported on cgroups V1 rootful systems.
312
313
314   --cpu-shares, -c=shares
315       CPU shares (relative weight).
316
317
318       By  default, all containers get the same proportion of CPU cycles. This
319       proportion can be  modified  by  changing  the  container's  CPU  share
320       weighting  relative  to the combined weight of all the running contain‐
321       ers.  Default weight is 1024.
322
323
324       The proportion only applies when CPU-intensive processes  are  running.
325       When  tasks  in  one  container  are idle, other containers can use the
326       left-over CPU time. The actual amount of CPU time varies  depending  on
327       the number of containers running on the system.
328
329
330       For example, consider three containers, one has a cpu-share of 1024 and
331       two others have a cpu-share setting of 512. When processes in all three
332       containers attempt to use 100% of CPU, the first container receives 50%
333       of the total CPU time. If a fourth container is added with a  cpu-share
334       of  1024,  the  first container only gets 33% of the CPU. The remaining
335       containers receive 16.5%, 16.5% and 33% of the CPU.
336
337
338       On a multi-core system, the shares of CPU time are distributed over all
339       CPU  cores.  Even  if  a  container is limited to less than 100% of CPU
340       time, it can use 100% of each individual CPU core.
341
342
343       For example, consider a system with more than three cores.  If the con‐
344       tainer C0 is started with --cpu-shares=512 running one process, and an‐
345       other container C1 with --cpu-shares=1024 running two  processes,  this
346       can result in the following division of CPU shares:
347
348
349       ┌────┬───────────┬─────┬──────────────┐
350PID container CPU CPU share    
351       ├────┼───────────┼─────┼──────────────┤
352       │100 │ C0        │ 0   │ 100% of CPU0 │
353       ├────┼───────────┼─────┼──────────────┤
354       │101 │ C1        │ 1   │ 100% of CPU1 │
355       ├────┼───────────┼─────┼──────────────┤
356       │102 │ C1        │ 2   │ 100% of CPU2 │
357       └────┴───────────┴─────┴──────────────┘
358
359       On  some  systems,  changing the resource limits may not be allowed for
360       non-root  users.  For  more  details,  see  https://github.com/contain
361       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
362       source-limits-fails-with-a-permissions-error
363
364
365       This option is not supported on cgroups V1 rootless systems.
366
367
368   --cpus=number
369       Number of CPUs. The default is 0.0 which means no limit. This is short‐
370       hand  for  --cpu-period and --cpu-quota, therefore the option cannot be
371       specified with --cpu-period or --cpu-quota.
372
373
374       On some systems, changing the CPU limits may not be  allowed  for  non-
375       root  users.  For  more details, see https://github.com/containers/pod
376       man/blob/main/troubleshooting.md#26-running-containers-with-resource-
377       limits-fails-with-a-permissions-error
378
379
380       This option is not supported on cgroups V1 rootless systems.
381
382
383   --cpuset-cpus=number
384       CPUs in which to allow execution. Can be specified as a comma-separated
385       list (e.g. 0,1), as a range (e.g.  0-3),  or  any  combination  thereof
386       (e.g. 0-3,7,11-15).
387
388
389       On  some  systems,  changing the resource limits may not be allowed for
390       non-root  users.  For  more  details,  see  https://github.com/contain
391       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
392       source-limits-fails-with-a-permissions-error
393
394
395       This option is not supported on cgroups V1 rootless systems.
396
397
398   --cpuset-mems=nodes
399       Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
400       tive on NUMA systems.
401
402
403       If  there  are  four  memory  nodes  on the system (0-3), use --cpuset-
404       mems=0,1 then processes in the container  only  uses  memory  from  the
405       first two memory nodes.
406
407
408       On  some  systems,  changing the resource limits may not be allowed for
409       non-root  users.  For  more  details,  see  https://github.com/contain
410       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
411       source-limits-fails-with-a-permissions-error
412
413
414       This option is not supported on cgroups V1 rootless systems.
415
416
417   --decryption-key=key[:passphrase]
418       The [key[:passphrase]] to be used for decryption  of  images.  Key  can
419       point  to  keys and/or certificates. Decryption is tried with all keys.
420       If the key is protected by a passphrase, it is required to be passed in
421       the argument and omitted otherwise.
422
423
424   --detach, -d
425       Detached  mode:  run  the container in the background and print the new
426       container ID. The default is false.
427
428
429       At any time run podman ps in the other shell to view a list of the run‐
430       ning  containers.  Reattach  to a detached container with podman attach
431       command.
432
433
434       When attached via tty mode, detach from the  container  (and  leave  it
435       running)  using  a  configurable  key sequence. The default sequence is
436       ctrl-p,ctrl-q.  Specify the key sequence using  the  --detach-keys  op‐
437       tion,  or  configure  it  in  the  containers.conf  file:  see contain‐
438       ers.conf(5) for more information.
439
440
441   --detach-keys=sequence
442       Specify the key sequence for detaching a container. Format is a  single
443       character [a-Z] or one or more ctrl-<value> characters where <value> is
444       one of: a-z, @, ^, [, , or _. Specifying "" disables this feature.  The
445       default is ctrl-p,ctrl-q.
446
447
448       This option can also be set in containers.conf(5) file.
449
450
451   --device=host-device[:container-device][:permissions]
452       Add  a host device to the container. Optional permissions parameter can
453       be used to specify device permissions by combining r for  read,  w  for
454       write, and m for mknod(2).
455
456
457       Example: --device=/dev/sdc:/dev/xvdc:rwm.
458
459
460       Note: if host-device is a symbolic link then it is resolved first.  The
461       container only stores the major and minor numbers of the host device.
462
463
464       Podman may load kernel modules required for using the specified device.
465       The   devices  that  Podman  loads  modules  for  when  necessary  are:
466       /dev/fuse.
467
468
469       In rootless mode, the new device is bind mounted in the container  from
470       the host rather than Podman creating it within the container space. Be‐
471       cause the bind mount retains its SELinux label on SELinux systems,  the
472       container  can get permission denied when accessing the mounted device.
473       Modify SELinux settings to allow containers to use  all  device  labels
474       via the following command:
475
476
477       $ sudo setsebool -P  container_use_devices=true
478
479
480       Note: if the user only has access rights via a group, accessing the de‐
481       vice from inside a rootless container fails. Use the --group-add  keep-
482       groups flag to pass the user's supplementary group access into the con‐
483       tainer.
484
485
486   --device-cgroup-rule="type major:minor mode"
487       Add a rule to the cgroup allowed devices list. The rule is expected  to
488       be  in the format specified in the Linux kernel documentation (Documen‐
489       tation/cgroup-v1/devices.txt):
490              - type: a (all), c (char), or b (block);
491              - major and minor: either a number, or * for all;
492              - mode: a composition of r (read), w (write), and m (mknod(2)).
493
494
495   --device-read-bps=path:rate
496       Limit read rate (in bytes per second) from  a  device  (e.g.  --device-
497       read-bps=/dev/sda:1mb).
498
499
500       On  some  systems,  changing the resource limits may not be allowed for
501       non-root  users.  For  more  details,  see  https://github.com/contain
502       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
503       source-limits-fails-with-a-permissions-error
504
505
506       This option is not supported on cgroups V1 rootless systems.
507
508
509   --device-read-iops=path:rate
510       Limit read rate (in IO operations per second) from a device (e.g. --de‐
511       vice-read-iops=/dev/sda:1000).
512
513
514       On  some  systems,  changing the resource limits may not be allowed for
515       non-root  users.  For  more  details,  see  https://github.com/contain
516       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
517       source-limits-fails-with-a-permissions-error
518
519
520       This option is not supported on cgroups V1 rootless systems.
521
522
523   --device-write-bps=path:rate
524       Limit write rate (in bytes per second)  to  a  device  (e.g.  --device-
525       write-bps=/dev/sda:1mb).
526
527
528       On  some  systems,  changing the resource limits may not be allowed for
529       non-root  users.  For  more  details,  see  https://github.com/contain
530       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
531       source-limits-fails-with-a-permissions-error
532
533
534       This option is not supported on cgroups V1 rootless systems.
535
536
537   --device-write-iops=path:rate
538       Limit write rate (in IO operations per second) to a device (e.g.  --de‐
539       vice-write-iops=/dev/sda:1000).
540
541
542       On  some  systems,  changing the resource limits may not be allowed for
543       non-root  users.  For  more  details,  see  https://github.com/contain
544       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
545       source-limits-fails-with-a-permissions-error
546
547
548       This option is not supported on cgroups V1 rootless systems.
549
550
551   --disable-content-trust
552       This is a Docker-specific option to disable  image  verification  to  a
553       container  registry  and  is  not supported by Podman. This option is a
554       NOOP and provided solely for scripting compatibility.
555
556
557   --dns=ipaddr
558       Set custom DNS servers.
559
560
561       This option can be used to override the DNS configuration passed to the
562       container.  Typically this is necessary when the host DNS configuration
563       is invalid for the container (e.g., 127.0.0.1). When this is  the  case
564       the --dns flag is necessary for every run.
565
566
567       The special value none can be specified to disable creation of /etc/re‐
568       solv.conf in the container by Podman.  The /etc/resolv.conf file in the
569       image is used without changes.
570
571
572       This  option  cannot  be combined with --network that is set to none or
573       container:id.
574
575
576   --dns-option=option
577       Set custom DNS options. Invalid if using  --dns-option  with  --network
578       that is set to none or container:id.
579
580
581   --dns-search=domain
582       Set  custom  DNS  search  domains.  Invalid  if using --dns-search with
583       --network that is set to none or container:id.  Use  --dns-search=.  to
584       remove the search domain.
585
586
587   --entrypoint="command" | '["command", arg1 , ...]'
588       Override the default ENTRYPOINT from the image.
589
590
591       The ENTRYPOINT of an image is similar to a COMMAND because it specifies
592       what executable to run when the container starts, but it is (purposely)
593       more  difficult  to  override. The ENTRYPOINT gives a container its de‐
594       fault nature or behavior. When the ENTRYPOINT  is  set,  the  container
595       runs as if it were that binary, complete with default options. More op‐
596       tions can be passed in via the COMMAND. But, if a  user  wants  to  run
597       something  else  inside the container, the --entrypoint option allows a
598       new ENTRYPOINT to be specified.
599
600
601       Specify multi option commands in the form of a json string.
602
603
604   --env, -e=env
605       Set environment variables.
606
607
608       This option allows arbitrary environment variables that  are  available
609       for  the process to be launched inside of the container. If an environ‐
610       ment variable is specified without a value, Podman checks the host  en‐
611       vironment  for  a  value  and set the variable only if it is set on the
612       host. As a special case, if an environment  variable  ending  in  *  is
613       specified  without  a  value,  Podman searches the host environment for
614       variables starting with the prefix and adds those variables to the con‐
615       tainer.
616
617
618       See ⟨#environment⟩ note below for precedence and examples.
619
620
621   --env-file=file
622       Read in a line-delimited file of environment variables.
623
624
625       See ⟨#environment⟩ note below for precedence and examples.
626
627
628   --env-host
629       Use  host environment inside of the container. See Environment note be‐
630       low for precedence. (This option is not available with the remote  Pod‐
631       man client, including Mac and Windows (excluding WSL2) machines)
632
633
634   --env-merge=env
635       Preprocess  default environment variables for the containers. For exam‐
636       ple if image contains environment variable hello=world user can prepro‐
637       cess   it   using  --env-merge  hello=${hello}-some  so  new  value  is
638       hello=world-some.
639
640
641       Please note that if the environment variable hello is  not  present  in
642       the  image,  then  it'll  be  replaced  by an empty string and so using
643       --env-merge hello=${hello}-some  would  result  in  the  new  value  of
644       hello=-some, notice the leading - delimiter.
645
646
647   --expose=port
648       Expose  a port, or a range of ports (e.g. --expose=3300-3310) to set up
649       port redirection on the host system.
650
651
652   --gidmap=[flags]container_uid:from_uid[:amount]
653       Run the container in a new user namespace using the supplied  GID  map‐
654       ping. This option conflicts with the --userns and --subgidname options.
655       This option provides a way to map host GIDs to container  GIDs  in  the
656       same  way as --uidmap maps host UIDs to container UIDs. For details see
657       --uidmap.
658
659
660       Note: the --gidmap option cannot be  called  in  conjunction  with  the
661       --pod option as a gidmap cannot be set on the container level when in a
662       pod.
663
664
665   --group-add=group | keep-groups
666       Assign additional groups to the primary user running  within  the  con‐
667       tainer process.
668
669
670keep-groups  is  a  special flag that tells Podman to keep the
671                supplementary group access.
672
673
674
675       Allows container to use the user's supplementary group access. If  file
676       systems  or  devices  are only accessible by the rootless user's group,
677       this flag tells the OCI runtime to pass the group access into the  con‐
678       tainer. Currently only available with the crun OCI runtime. Note: keep-
679       groups is exclusive, other groups cannot be specified with  this  flag.
680       (Not  available for remote commands, including Mac and Windows (exclud‐
681       ing WSL2) machines)
682
683
684   --group-entry=ENTRY
685       Customize the entry that is written to the /etc/group file  within  the
686       container when --user is used.
687
688
689       The  variables  $GROUPNAME,  $GID,  and $USERLIST are automatically re‐
690       placed with their value at runtime if present.
691
692
693   --health-cmd="command" | '["command", arg1 , ...]'
694       Set or alter a healthcheck command for a container. The  command  is  a
695       command  to  be  executed inside the container that determines the con‐
696       tainer health. The command is required for other healthcheck options to
697       be applied. A value of none disables existing healthchecks.
698
699
700       Multiple  options can be passed in the form of a JSON array; otherwise,
701       the command is interpreted as an argument to /bin/sh -c.
702
703
704   --health-interval=interval
705       Set an interval for the healthchecks. An interval of disable results in
706       no automatic timer setup. The default is 30s.
707
708
709   --health-on-failure=action
710       Action  to  take  once the container transitions to an unhealthy state.
711       The default is none.
712
713
714none: Take no action.
715
716kill: Kill the container.
717
718restart: Restart the container.  Do not  combine  the  restart
719                action with the --restart flag.  When running inside of a sys‐
720                temd unit, consider using the kill or stop action  instead  to
721                make use of systemd's restart policy.
722
723stop: Stop the container.
724
725
726
727   --health-retries=retries
728       The  number of retries allowed before a healthcheck is considered to be
729       unhealthy. The default value is 3.
730
731
732   --health-start-period=period
733       The initialization time needed for a container to bootstrap. The  value
734       can be expressed in time format like 2m3s. The default value is 0s.
735
736
737   --health-startup-cmd="command" | '["command", arg1 , ...]'
738       Set a startup healthcheck command for a container. This command is exe‐
739       cuted inside the container and is used to gate the regular healthcheck.
740       When  the  startup command succeeds, the regular healthcheck begins and
741       the startup healthcheck ceases. Optionally, if the command fails for  a
742       set   number  of  attempts,  the  container  is  restarted.  A  startup
743       healthcheck can be used to ensure  that  containers  with  an  extended
744       startup  period  are  not  marked  as  unhealthy  until  they are fully
745       started.  Startup  healthchecks  can  only  be  used  when  a   regular
746       healthcheck  (from the container's image or the --health-cmd option) is
747       also set.
748
749
750   --health-startup-interval=interval
751       Set an interval for the startup healthcheck. An interval of disable re‐
752       sults in no automatic timer setup. The default is 30s.
753
754
755   --health-startup-retries=retries
756       The  number of attempts allowed before the startup healthcheck restarts
757       the container. If set to 0, the container is never restarted.  The  de‐
758       fault is 0.
759
760
761   --health-startup-success=retries
762       The  number  of successful runs required before the startup healthcheck
763       succeeds and the regular healthcheck begins. A value of  0  means  that
764       any success begins the regular healthcheck. The default is 0.
765
766
767   --health-startup-timeout=timeout
768       The  maximum  time a startup healthcheck command has to complete before
769       it is marked as failed. The value can be expressed  in  a  time  format
770       like 2m3s. The default value is 30s.
771
772
773   --health-timeout=timeout
774       The maximum time allowed to complete the healthcheck before an interval
775       is considered failed. Like start-period, the value can be expressed  in
776       a time format such as 1m22s. The default value is 30s.
777
778
779   --help
780       Print usage statement
781
782
783   --hostname, -h=name
784       Container host name
785
786
787       Sets  the  container  host name that is available inside the container.
788       Can only be used with a private UTS namespace --uts=private  (default).
789       If  --pod  is  specified and the pod shares the UTS namespace (default)
790       the pod's hostname is used.
791
792
793   --hostuser=name
794       Add a user account to /etc/passwd from the host to the  container.  The
795       Username or UID must exist on the host system.
796
797
798   --http-proxy
799       By default proxy environment variables are passed into the container if
800       set for the Podman process. This can be disabled by setting  the  value
801       to  false.   The  environment  variables  passed in include http_proxy,
802       https_proxy, ftp_proxy, no_proxy, and also the upper case  versions  of
803       those. This option is only needed when the host system must use a proxy
804       but the container does not use any proxy. Proxy  environment  variables
805       specified  for the container in any other way overrides the values that
806       have been passed through from the host.  (Other  ways  to  specify  the
807       proxy for the container include passing the values with the --env flag,
808       or hard coding the proxy environment at container  build  time.)   When
809       used  with  the  remote  client it uses the proxy environment variables
810       that are set on the server process.
811
812
813       Defaults to true.
814
815
816   --image-volume=bind | tmpfs | ignore
817       Tells Podman how to handle the builtin image volumes. Default is bind.
818
819
820bind: An anonymous named volume is created  and  mounted  into
821                the container.
822
823tmpfs:  The  volume  is mounted onto the container as a tmpfs,
824                which allows the users to create content that disappears  when
825                the container is stopped.
826
827ignore: All volumes are just ignored and no action is taken.
828
829
830
831   --init
832       Run  an  init inside the container that forwards signals and reaps pro‐
833       cesses.  The container-init  binary  is  mounted  at  /run/podman-init.
834       Mounting over /run breaks container execution.
835
836
837   --init-path=path
838       Path to the container-init binary.
839
840
841   --interactive, -i
842       When  set to true, keep stdin open even if not attached. The default is
843       false.
844
845
846   --ip=ipv4
847       Specify  a  static  IPv4  address  for  the  container,   for   example
848       10.88.64.128.   This option can only be used if the container is joined
849       to only a single network - i.e., --network=network-name is used at most
850       once  - and if the container is not joining another container's network
851       namespace via --network=container:id.  The address must be  within  the
852       network's IP address pool (default 10.88.0.0/16).
853
854
855       To  specify  multiple  static  IP addresses per container, set multiple
856       networks using the --network option with a static IP address  specified
857       for each using the ip mode for that option.
858
859
860   --ip6=ipv6
861       Specify   a   static  IPv6  address  for  the  container,  for  example
862       fd46:db93:aa76:ac37::10.  This option can only be used if the container
863       is  joined  to  only a single network - i.e., --network=network-name is
864       used at most once - and if the container is not  joining  another  con‐
865       tainer's  network  namespace  via  --network=container:id.  The address
866       must be within the network's IPv6 address pool.
867
868
869       To specify multiple static IPv6 addresses per container,  set  multiple
870       networks  using  the --network option with a static IPv6 address speci‐
871       fied for each using the ip6 mode for that option.
872
873
874   --ipc=ipc
875       Set the IPC namespace mode for a container. The default is to create  a
876       private IPC namespace.
877
878
879              • "": Use Podman's default, defined in containers.conf.
880
881container:id:  reuses another container's shared memory, sema‐
882                phores, and message queues
883
884host: use the host's shared memory,  semaphores,  and  message
885                queues  inside  the  container.  Note: the host mode gives the
886                container full access to local shared memory and is  therefore
887                considered insecure.
888
889none:  private IPC namespace, with /dev/shm not mounted.
890
891ns:path: path to an IPC namespace to join.
892
893private: private IPC namespace.
894
895shareable:  private  IPC namespace with a possibility to share
896                it with other containers.
897
898
899
900   --label, -l=key=value
901       Add metadata to a container.
902
903
904   --label-file=file
905       Read in a line-delimited file of labels.
906
907
908   --link-local-ip=ip
909       Not implemented.
910
911
912   --log-driver=driver
913       Logging driver for the container. Currently available options are  k8s-
914       file,  journald,  none  and passthrough, with json-file aliased to k8s-
915       file for scripting compatibility. (Default journald).
916
917
918       The podman info command below displays the default log-driver  for  the
919       system.
920
921       $ podman info --format '{{ .Host.LogDriver }}'
922       journald
923
924
925
926       The passthrough driver passes down the standard streams (stdin, stdout,
927       stderr) to the container.  It is not allowed  with  the  remote  Podman
928       client,  including  Mac and Windows (excluding WSL2) machines, and on a
929       tty, since it is vulnerable to attacks via TIOCSTI.
930
931
932   --log-opt=name=value
933       Logging driver specific options.
934
935
936       Set custom logging configuration. The following *name*s are supported:
937
938
939       path: specify a path to the log file
940           (e.g. --log-opt path=/var/log/container/mycontainer.json);
941
942
943       max-size: specify a max size of the log file
944           (e.g. --log-opt max-size=10mb);
945
946
947       tag: specify a custom log tag for the container
948           (e.g. --log-opt tag="{{.ImageName}}".  It supports the same keys as
949       podman  inspect  --format.   This option is currently supported only by
950       the journald log driver.
951
952
953   --mac-address=address
954       Container network interface MAC address (e.g.  92:d0:c6:0a:29:33)  This
955       option  can  only  be  used if the container is joined to only a single
956       network - i.e., --network=network-name is used at most once  -  and  if
957       the  container is not joining another container's network namespace via
958       --network=container:id.
959
960
961       Remember that the MAC address in an Ethernet network  must  be  unique.
962       The  IPv6  link-local  address is based on the device's MAC address ac‐
963       cording to RFC4862.
964
965
966       To specify multiple static MAC addresses per  container,  set  multiple
967       networks using the --network option with a static MAC address specified
968       for each using the mac mode for that option.
969
970
971   --memory, -m=number[unit]
972       Memory limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or
973       g (gibibytes).
974
975
976       Allows  the  memory  available to a container to be constrained. If the
977       host supports swap memory, then the -m memory  setting  can  be  larger
978       than  physical  RAM.  If  a limit of 0 is specified (not using -m), the
979       container's memory is not limited. The actual limit may be  rounded  up
980       to  a  multiple  of the operating system's page size (the value is very
981       large, that's millions of trillions).
982
983
984       This option is not supported on cgroups V1 rootless systems.
985
986
987   --memory-reservation=number[unit]
988       Memory  soft  limit.  A  unit  can  be  b  (bytes),  k  (kibibytes),  m
989       (mebibytes), or g (gibibytes).
990
991
992       After  setting  memory reservation, when the system detects memory con‐
993       tention or low memory, containers are forced to restrict their consump‐
994       tion to their reservation. So always set the value below --memory, oth‐
995       erwise the hard limit takes precedence. By default, memory  reservation
996       is the same as memory limit.
997
998
999       This option is not supported on cgroups V1 rootless systems.
1000
1001
1002   --memory-swap=number[unit]
1003       A  limit  value  equal to memory plus swap.  A unit can be b (bytes), k
1004       (kibibytes), m (mebibytes), or g (gibibytes).
1005
1006
1007       Must be used with the -m (--memory) flag.  The argument value  must  be
1008       larger than that of
1009        -m (--memory) By default, it is set to double the value of --memory.
1010
1011
1012       Set number to -1 to enable unlimited swap.
1013
1014
1015       This option is not supported on cgroups V1 rootless systems.
1016
1017
1018   --memory-swappiness=number
1019       Tune  a  container's memory swappiness behavior. Accepts an integer be‐
1020       tween 0 and 100.
1021
1022
1023       This flag is only supported on cgroups V1 rootful systems.
1024
1025
1026   --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
1027       Attach a filesystem mount to the container
1028
1029
1030       Current supported mount TYPEs are bind,  devpts,  glob,  image,  ramfs,
1031       tmpfs and volume. [1] ⟨#Footnote1⟩
1032
1033          e.g.
1034          type=bind,source=/path/on/host,destination=/path/in/container
1035
1036          type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
1037
1038          type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true
1039
1040          type=devpts,destination=/dev/pts
1041
1042          type=glob,src=/usr/lib/libfoo*,destination=/usr/lib,ro=true
1043
1044          type=image,source=fedora,destination=/fedora-image,rw=true
1045
1046          type=ramfs,tmpfs-size=512M,destination=/path/in/container
1047
1048          type=tmpfs,tmpfs-size=512M,destination=/path/in/container
1049
1050          type=tmpfs,destination=/path/in/container,noswap
1051
1052          type=volume,source=vol1,destination=/path/in/container,ro=true
1053
1054          Common Options:
1055
1056             · src, source: mount source spec for bind, glob, and volume. Mandatory for bind and glob.
1057
1058             · dst, destination, target: mount destination spec.
1059
1060             When source globs are specified without the destination directory,
1061                 the files and directories are mounted with their complete path
1062             within the container. When the destination is specified, the
1063             files and directories matching the glob on the base file name
1064             on the destination directory are mounted. The option
1065             `type=glob,src=/foo*,destination=/tmp/bar` tells container engines
1066             to mount host files matching /foo* to the /tmp/bar/
1067             directory in the container.
1068
1069          Options specific to volume:
1070
1071             · ro, readonly: true or false (default).
1072
1073             . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1074
1075             · idmap: true or false (default).  If specified, create an idmapped mount to the target user namespace in the container.
1076             The idmap option supports a custom mapping that can be different than the user namespace used by the container.
1077             The mapping can be specified after the idmap option like: `idmap=uids=0-1-10#10-11-10;gids=0-100-10`.  For each triplet, the first value is the
1078             start of the backing file system IDs that are mapped to the second value on the host.  The length of this mapping is given in the third value.
1079             Multiple ranges are separated with #.  If the specified mapping is prepended with a '@' then the mapping is considered relative to the container
1080             user namespace. The host ID for the mapping is changed to account for the relative position of the container user in the container user namespace.
1081
1082          Options specific to image:
1083
1084             · rw, readwrite: true or false (default).
1085
1086          Options specific to bind and glob:
1087
1088             · ro, readonly: true or false (default).
1089
1090             · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2).
1091
1092             . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive.
1093
1094             . relabel: shared, private.
1095
1096             · idmap: true or false (default).  If specified, create an idmapped mount to the target user namespace in the container.
1097
1098             . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1099
1100          Options specific to tmpfs and ramfs:
1101
1102             · ro, readonly: true or false (default).
1103
1104             · tmpfs-size: Size of the tmpfs/ramfs mount in bytes. Unlimited by default in Linux.
1105
1106             · tmpfs-mode: File mode of the tmpfs/ramfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
1107
1108             · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs/ramfs. Used by default.
1109
1110             · notmpcopyup: Disable copying files from the image to the tmpfs/ramfs.
1111
1112             . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1113
1114          Options specific to devpts:
1115
1116             · uid: UID of the file owner (default 0).
1117
1118             · gid: GID of the file owner (default 0).
1119
1120             · mode: permission mask for the file (default 600).
1121
1122             · max: maximum number of PTYs (default 1048576).
1123
1124
1125
1126   --name=name
1127       Assign a name to the container.
1128
1129
1130       The operator can identify a container in three ways:
1131
1132
1133              • UUID                      long                      identifier
1134                (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
1135
1136              • UUID short identifier (“f78375b1c487”);
1137
1138              • Name (“jonah”).
1139
1140
1141
1142       Podman  generates  a  UUID for each container, and if a name is not as‐
1143       signed to the container with --name then it generates a  random  string
1144       name.  The  name can be useful as a more human-friendly way to identify
1145       containers.  This works for both background and foreground containers.
1146
1147
1148   --network=mode, --net
1149       Set the network mode for the container.
1150
1151
1152       Valid mode values are:
1153
1154
1155bridge[:OPTIONS,...]: Create a network stack  on  the  default
1156                bridge. This is the default for rootful containers. It is pos‐
1157                sible to specify these additional options:
1158
1159alias=name: Add network-scoped alias for the container.
1160
1161ip=IPv4: Specify a static ipv4 address for this container.
1162
1163ip=IPv6: Specify a static ipv6 address for this container.
1164
1165mac=MAC: Specify a static mac address for this container.
1166
1167interface_name: Specify a name for the created  network  in‐
1168                  terface inside the container.
1169
1170              For  example  to  set a static ipv4 address and a static mac ad‐
1171              dress, use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.
1172
1173              • <network name or ID>[:OPTIONS,...]: Connect to a  user-defined
1174                network; this is the network name or ID from a network created
1175                by podman network create. Using the network name  implies  the
1176                bridge  network  mode.  It is possible to specify the same op‐
1177                tions described under the bridge mode above. Use the --network
1178                option  multiple  times  to  specify additional networks.  For
1179                backwards compatibility it is also possible  to  specify  net‐
1180                works comma separated on the first --network argument, however
1181                this prevents you from using the options described  under  the
1182                bridge section above.
1183
1184none:  Create a network namespace for the container but do not
1185                configure network interfaces for it, thus the container has no
1186                network connectivity.
1187
1188container:id: Reuse another container's network stack.
1189
1190host:  Do  not  create a network namespace, the container uses
1191                the host's network. Note: The host mode  gives  the  container
1192                full  access  to  local  system  services such as D-bus and is
1193                therefore considered insecure.
1194
1195ns:path: Path to a network namespace to join.
1196
1197private: Create a new namespace for the container.  This  uses
1198                the  bridge  mode  for  rootful containers and slirp4netns for
1199                rootless ones.
1200
1201slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
1202                network stack. This is the default for rootless containers. It
1203                is possible to specify these additional options, they can also
1204                be set with network_cmd_options in containers.conf:
1205
1206allow_host_loopback=true|false:  Allow  slirp4netns to reach
1207                  the host loopback IP (default is 10.0.2.2 or the  second  IP
1208                  from  slirp4netns cidr subnet when changed, see the cidr op‐
1209                  tion below). The default is false.
1210
1211mtu=MTU: Specify the MTU to use for this  network.  (Default
1212                  is 65520).
1213
1214cidr=CIDR:  Specify  ip  range to use for this network. (De‐
1215                  fault is 10.0.2.0/24).
1216
1217enable_ipv6=true|false: Enable IPv6. Default is  true.  (Re‐
1218                  quired for outbound_addr6).
1219
1220outbound_addr=INTERFACE:   Specify  the  outbound  interface
1221                  slirp binds to (ipv4 traffic only).
1222
1223outbound_addr=IPv4: Specify the outbound ipv4 address  slirp
1224                  binds to.
1225
1226outbound_addr6=INTERFACE:  Specify  the  outbound  interface
1227                  slirp binds to (ipv6 traffic only).
1228
1229outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
1230                  binds to.
1231
1232port_handler=rootlesskit:  Use rootlesskit for port forward‐
1233                  ing. Default.  Note: Rootlesskit changes the source  IP  ad‐
1234                  dress  of incoming packets to an IP address in the container
1235                  network namespace, usually 10.0.2.100.  If  the  application
1236                  requires  the  real source IP address, e.g. web server logs,
1237                  use the slirp4netns port handler. The rootlesskit port  han‐
1238                  dler  is also used for rootless containers when connected to
1239                  user-defined networks.
1240
1241port_handler=slirp4netns: Use the slirp4netns port  forward‐
1242                  ing, it is slower than rootlesskit but preserves the correct
1243                  source IP address. This port  handler  cannot  be  used  for
1244                  user-defined networks.
1245
1246
1247
1248pasta[:OPTIONS,...]:  use  pasta(1) to create a user-mode net‐
1249                working stack.
1250                This is only supported in rootless mode.
1251                By default, IPv4 and IPv6 addresses and routes, as well as the
1252                pod interface name, are copied from the host. If port forward‐
1253                ing isn't configured, ports are forwarded dynamically as  ser‐
1254                vices  are  bound  on either side (init namespace or container
1255                namespace). Port forwarding preserves the original  source  IP
1256                address.  Options  described  in  pasta(1) can be specified as
1257                comma-separated arguments.
1258                In terms of pasta(1) options, --config-net  is  given  by  de‐
1259                fault,  in order to configure networking when the container is
1260                started, and --no-map-gw is also assumed by default, to  avoid
1261                direct  access  from  container  to host using the gateway ad‐
1262                dress. The latter can be overridden by passing --map-gw in the
1263                pasta-specific  options  (despite not being an actual pasta(1)
1264                option).
1265                Also, -t none and -u none are passed if, respectively, no  TCP
1266                or  UDP  port forwarding from host to container is configured,
1267                to disable automatic port forwarding  based  on  bound  ports.
1268                Similarly,  -T  none and -U none are given to disable the same
1269                functionality from container to host.
1270                Some examples:
1271
1272pasta:--map-gw: Allow the container to  directly  reach  the
1273                  host using the gateway address.
1274
1275pasta:--mtu,1500:  Specify  a 1500 bytes MTU for the tap in‐
1276                  terface in the container.
1277
1278pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-for‐
1279                  ward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp, equiv‐
1280                  alent to default slirp4netns(1) options: disable  IPv6,  as‐
1281                  sign  10.0.2.0/24  to  the  tap0 interface in the container,
1282                  with gateway 10.0.2.3, enable  DNS  forwarder  reachable  at
1283                  10.0.2.3,  set  MTU  to  1500 bytes, disable NDP, DHCPv6 and
1284                  DHCP support.
1285
1286pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-
1287                  forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp,  equivalent
1288                  to default slirp4netns(1)  options  with  Podman  overrides:
1289                  same as above, but leave the MTU to 65520 bytes
1290
1291pasta:-t,auto,-u,auto,-T,auto,-U,auto: enable automatic port
1292                  forwarding based on observed bound ports from both host  and
1293                  container sides
1294
1295pasta:-T,5201:  enable forwarding of TCP port 5201 from con‐
1296                  tainer to host, using the loopback interface instead of  the
1297                  tap interface for improved performance
1298
1299              NOTE:  For backward compatibility reasons, if there is an exist‐
1300              ing network named pasta, Podman uses it  instead  of  the  pasta
1301              mode."?
1302
1303
1304
1305       Invalid  if  using  --dns, --dns-option, or --dns-search with --network
1306       set to none or container:id.
1307
1308
1309       If used together with --pod, the  container  joins  the  pod's  network
1310       namespace.
1311
1312
1313   --network-alias=alias
1314       Add a network-scoped alias for the container, setting the alias for all
1315       networks that the container joins. To set a name only  for  a  specific
1316       network,  use the alias option as described under the --network option.
1317       If the network has DNS enabled (podman  network  inspect  -f  {{.DNSEn‐
1318       abled}}  <name>),  these aliases can be used for name resolution on the
1319       given network. This option can be specified multiple times.  NOTE: When
1320       using  CNI  a container only has access to aliases on the first network
1321       that it joins. This limitation does not exist  with  netavark/aardvark-
1322       dns.
1323
1324
1325   --no-healthcheck
1326       Disable any defined healthchecks for container.
1327
1328
1329   --no-hosts
1330       Do not create /etc/hosts for the container.  By default, Podman manages
1331       /etc/hosts, adding the container's own IP address and  any  hosts  from
1332       --add-host.   --no-hosts  disables  this, and the image's /etc/hosts is
1333       preserved unmodified.
1334
1335
1336       This option conflicts with --add-host.
1337
1338
1339   --oom-kill-disable
1340       Whether to disable OOM Killer for the container or not.
1341
1342
1343       This flag is not supported on cgroups V2 systems.
1344
1345
1346   --oom-score-adj=num
1347       Tune the host's OOM preferences for  containers  (accepts  values  from
1348       -1000 to 1000).
1349
1350
1351       When  running in rootless mode, the specified value can't be lower than
1352       the oom_score_adj for the current process. In this case, the oom-score-
1353       adj is clamped to the current process value.
1354
1355
1356   --os=OS
1357       Override  the OS, defaults to hosts, of the image to be pulled. For ex‐
1358       ample, windows.  Unless overridden, subsequent lookups of the same  im‐
1359       age in the local storage matches this OS, regardless of the host.
1360
1361
1362   --passwd
1363       Allow  Podman to add entries to /etc/passwd and /etc/group when used in
1364       conjunction with the --user option.  This is used to override the  Pod‐
1365       man  provided  user setup in favor of entrypoint configurations such as
1366       libnss-extrausers.
1367
1368
1369   --passwd-entry=ENTRY
1370       Customize the entry that is written to the /etc/passwd file within  the
1371       container when --passwd is used.
1372
1373
1374       The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically re‐
1375       placed with their value at runtime.
1376
1377
1378   --personality=persona
1379       Personality sets the execution domain via Linux personality(2).
1380
1381
1382   --pid=mode
1383       Set the PID namespace mode for the container.  The default is to create
1384       a private PID namespace for the container.
1385
1386
1387container:id: join another container's PID namespace;
1388
1389host: use the host's PID namespace for the container. Note the
1390                host mode gives the container full access to local PID and  is
1391                therefore considered insecure;
1392
1393ns:path: join the specified PID namespace;
1394
1395private: create a new namespace for the container (default).
1396
1397
1398
1399   --pidfile=path
1400       When  the  pidfile location is specified, the container process' PID is
1401       written to the pidfile. (This option is not available with  the  remote
1402       Podman  client, including Mac and Windows (excluding WSL2) machines) If
1403       the pidfile option is not specified,  the  container  process'  PID  is
1404       written      to      /run/containers/storage/${storage-driver}-contain‐
1405       ers/$CID/userdata/pidfile.
1406
1407
1408       After the container is started, the location for  the  pidfile  can  be
1409       discovered with the following podman inspect command:
1410
1411       $ podman inspect --format '{{ .PidFile }}' $CID
1412       /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile
1413
1414
1415
1416   --pids-limit=limit
1417       Tune  the  container's pids limit. Set to -1 to have unlimited pids for
1418       the container. The default is  2048  on  systems  that  support  "pids"
1419       cgroup controller.
1420
1421
1422   --platform=OS/ARCH
1423       Specify  the  platform for selecting the image.  (Conflicts with --arch
1424       and --os) The --platform option can be used to override the current ar‐
1425       chitecture and operating system.  Unless overridden, subsequent lookups
1426       of the same image in the local storage matches this  platform,  regard‐
1427       less of the host.
1428
1429
1430   --pod=name
1431       Run container in an existing pod. Podman makes the pod automatically if
1432       the pod name is prefixed with new:.  To make a pod with  more  granular
1433       options, use the podman pod create command before creating a container.
1434       When a container is run with a pod with an infra-container, the  infra-
1435       container is started first.
1436
1437
1438   --pod-id-file=file
1439       Run  container in an existing pod and read the pod's ID from the speci‐
1440       fied file.  When a container is run within a pod which  has  an  infra-
1441       container, the infra-container starts first.
1442
1443
1444   --preserve-fds=N
1445       Pass  down to the process N additional file descriptors (in addition to
1446       0, 1, 2).  The total FDs are 3+N.  (This option is not  available  with
1447       the  remote  Podman  client, including Mac and Windows (excluding WSL2)
1448       machines)
1449
1450
1451   --privileged
1452       Give extended privileges to this container. The default is false.
1453
1454
1455       By default, Podman containers are unprivileged (=false) and cannot, for
1456       example,  modify  parts of the operating system. This is because by de‐
1457       fault a container is only allowed limited access to devices. A  "privi‐
1458       leged"  container  is  given  the  same  access  to devices as the user
1459       launching  the  container,  with  the  exception  of  virtual  consoles
1460       (/dev/tty\d+) when running in systemd mode (--systemd=always).
1461
1462
1463       A privileged container turns off the security features that isolate the
1464       container from the host. Dropped Capabilities, limited  devices,  read-
1465       only mount points, Apparmor/SELinux separation, and Seccomp filters are
1466       all disabled.  Due to the disabled security  features,  the  privileged
1467       field  should almost never be set as containers can easily break out of
1468       confinement.
1469
1470
1471       Containers running in a user namespace (e.g., rootless containers) can‐
1472       not have more privileges than the user that launched them.
1473
1474
1475   --publish, -p=[[ip:][hostPort]:]containerPort[/protocol]
1476       Publish a container's port, or range of ports, to the host.
1477
1478
1479       Both  hostPort  and containerPort can be specified as a range of ports.
1480       When specifying ranges for both, the number of container ports  in  the
1481       range must match the number of host ports in the range.
1482
1483
1484       If  host  IP  is set to 0.0.0.0 or not set at all, the port is bound on
1485       all IPs on the host.
1486
1487
1488       By default, Podman publishes TCP ports. To publish a UDP port  instead,
1489       give  udp as protocol. To publish both TCP and UDP ports, set --publish
1490       twice, with tcp, and udp as protocols respectively. Rootful  containers
1491       can also publish ports using the sctp protocol.
1492
1493
1494       Host   port  does  not  have  to  be  specified  (e.g.  podman  run  -p
1495       127.0.0.1::80).  If it is not, the container port is randomly  assigned
1496       a port on the host.
1497
1498
1499       Use podman port to see the actual mapping: podman port $CONTAINER $CON‐
1500       TAINERPORT.
1501
1502
1503       Note that the network drivers macvlan and ipvlan do  not  support  port
1504       forwarding, it will have no effect on these networks.
1505
1506
1507       Note:  If a container runs within a pod, it is not necessary to publish
1508       the port for the containers in the pod. The port must only be published
1509       by the pod itself. Pod network stacks act like the network stack on the
1510       host - meaning a variety of containers in the pod and programs  in  the
1511       container  all  share  a  single  interface, IP address, and associated
1512       ports. If one container binds to a port, no  other  container  can  use
1513       that  port within the pod while it is in use. Containers in the pod can
1514       also communicate over localhost by having one container bind to  local‐
1515       host in the pod, and another connect to that port.
1516
1517
1518   --publish-all, -P
1519       Publish  all  exposed ports to random ports on the host interfaces. The
1520       default is false.
1521
1522
1523       When set to true, publish all exposed ports to the host interfaces.  If
1524       the  operator uses -P (or -p) then Podman makes the exposed port acces‐
1525       sible on the host and the ports are available to any  client  that  can
1526       reach the host.
1527
1528
1529       When  using this option, Podman binds any exposed port to a random port
1530       on   the   host   within   an   ephemeral   port   range   defined   by
1531       /proc/sys/net/ipv4/ip_local_port_range.   To  find  the mapping between
1532       the host ports and the exposed ports, use podman port.
1533
1534
1535   --pull=policy
1536       Pull image policy. The default is missing.
1537
1538
1539always: Always pull the image and throw an error if  the  pull
1540                fails.
1541
1542missing:  Pull the image only when the image is not in the lo‐
1543                cal containers storage.  Throw an error if no image  is  found
1544                and the pull fails.
1545
1546never:  Never  pull  the  image but use the one from the local
1547                containers storage.  Throw an error if no image is found.
1548
1549newer: Pull if the image on the registry is newer than the one
1550                in the local containers storage.  An image is considered to be
1551                newer when the digests  are  different.   Comparing  the  time
1552                stamps  is  prone  to errors.  Pull errors are suppressed if a
1553                local image was found.
1554
1555
1556
1557   --quiet, -q
1558       Suppress output information when pulling images
1559
1560
1561   --rdt-class=intel-rdt-class-of-service
1562       Rdt-class sets the class of service (CLOS or COS) for the container  to
1563       run  in. Based on the Cache Allocation Technology (CAT) feature that is
1564       part of Intel's Resource Director Technology  (RDT)  feature  set,  all
1565       container  processes will run within the pre-configured COS, represent‐
1566       ing a part of the cache. The COS has to be created and configured using
1567       a  pseudo  file  system  (usually  mounted at /sys/fs/resctrl) that the
1568       resctrl kernel driver provides. Assigning the container to  a  COS  re‐
1569       quires root privileges and thus doesn't work in a rootless environment.
1570       Currently, the feature is only supported using runc as a  runtime.  See
1571https://docs.kernel.org/arch/x86/resctrl.html⟩  for  more  details  on
1572       creating a COS before a container can be assigned to it.
1573
1574
1575   --read-only
1576       Mount the container's root filesystem as read-only.
1577
1578
1579       By default, container root filesystems are writable, allowing processes
1580       to  write  files anywhere. By specifying the --read-only flag, the con‐
1581       tainers root filesystem are mounted read-only prohibiting any writes.
1582
1583
1584   --read-only-tmpfs
1585       When running --read-only containers, mount a read-write tmpfs on  /dev,
1586       /dev/shm, /run, /tmp, and /var/tmp. The default is true.
1587
1588
1589       ┌────────────┬───────────────────┬─────┬──────────────────────┐
1590--read-only --read-only-tmpfs /   /run, /tmp, /var/tmp 
1591       ├────────────┼───────────────────┼─────┼──────────────────────┤
1592       │true        │ true              │ r/o │ r/w                  │
1593       ├────────────┼───────────────────┼─────┼──────────────────────┤
1594       │true        │ false             │ r/o │ r/o                  │
1595       ├────────────┼───────────────────┼─────┼──────────────────────┤
1596       │false       │ false             │ r/w │ r/w                  │
1597       ├────────────┼───────────────────┼─────┼──────────────────────┤
1598       │false       │ true              │ r/w │ r/w                  │
1599       └────────────┴───────────────────┴─────┴──────────────────────┘
1600
1601       When  --read-only=true  and --read-only-tmpfs=true additional tmpfs are
1602       mounted on the /tmp, /run, and /var/tmp directories.
1603
1604
1605       When --read-only=true and --read-only-tmpfs=false /dev and /dev/shm are
1606       marked  Read/Only  and no tmpfs are mounted on /tmp, /run and /var/tmp.
1607       The directories are exposed from the underlying image, meaning they are
1608       read-only  by  default.  This makes the container totally read-only. No
1609       writable directories exist within the container. In this mode  writable
1610       directories need to be added via external volumes or mounts.
1611
1612
1613       By   default,   when  --read-only=false,  the  /dev  and  /dev/shm  are
1614       read/write, and the /tmp, /run, and /var/tmp are read/write directories
1615       from the container image.
1616
1617
1618   --replace
1619       If another container with the same name already exists, replace and re‐
1620       move it. The default is false.
1621
1622
1623   --requires=container
1624       Specify one or more requirements.  A requirement is a  dependency  con‐
1625       tainer that is started before this container.  Containers can be speci‐
1626       fied by name or ID, with multiple containers being separated by commas.
1627
1628
1629   --restart=policy
1630       Restart policy to follow when containers exit.  Restart policy does not
1631       take  effect  if  a  container is stopped via the podman kill or podman
1632       stop commands.
1633
1634
1635       Valid policy values are:
1636
1637
1638no                       : Do not restart containers on exit
1639
1640never                    : Synonym for no; do not restart con‐
1641                tainers on exit
1642
1643on-failure[:max_retries]  :  Restart containers when they exit
1644                with a non-zero exit code, retrying indefinitely or until  the
1645                optional max_retries count is hit
1646
1647always                    : Restart containers when they exit,
1648                regardless of status, retrying indefinitely
1649
1650unless-stopped           : Identical to always
1651
1652
1653
1654       Podman provides a  systemd  unit  file,  podman-restart.service,  which
1655       restarts containers after a system reboot.
1656
1657
1658       When  running containers in systemd services, use the restart function‐
1659       ality provided by systemd.  In other words, do not use this option in a
1660       container unit, instead set the Restart= systemd directive in the [Ser‐
1661       vice] section.  See podman-systemd.unit(5) and systemd.service(5).
1662
1663
1664   --rm
1665       Automatically remove the container and any anonymous unnamed volume as‐
1666       sociated with the container when it exits. The default is false.
1667
1668
1669   --rmi
1670       After  exit of the container, remove the image unless another container
1671       is using it. Implies --rm on the new container. The default is false.
1672
1673
1674   --rootfs
1675       If specified, the first argument refers to an exploded container on the
1676       file system.
1677
1678
1679       This  is  useful to run a container without requiring any image manage‐
1680       ment, the rootfs of the container is assumed to be managed externally.
1681
1682
1683       Overlay Rootfs Mounts
1684
1685
1686       The :O flag tells Podman to mount the directory from the rootfs path as
1687       storage using the overlay file system. The container processes can mod‐
1688       ify content within the mount point which is  stored  in  the  container
1689       storage in a separate directory. In overlay terms, the source directory
1690       is the lower, and the container storage directory is the upper. Modifi‐
1691       cations  to  the  mount point are destroyed when the container finishes
1692       executing, similar to a tmpfs mount point being unmounted.
1693
1694
1695       Note: On SELinux systems, the rootfs needs the correct label, which  is
1696       by default unconfined_u:object_r:container_file_t:s0.
1697
1698
1699       idmap
1700
1701
1702       If  idmap  is  specified,  create  an idmapped mount to the target user
1703       namespace in the container.  The idmap option supports a custom mapping
1704       that  can  be  different than the user namespace used by the container.
1705       The  mapping  can  be  specified   after   the   idmap   option   like:
1706       idmap=uids=0-1-10#10-11-10;gids=0-100-10.   For each triplet, the first
1707       value is the start of the backing file system IDs that  are  mapped  to
1708       the  second  value on the host.  The length of this mapping is given in
1709       the third value.  Multiple ranges are separated with #.
1710
1711
1712   --sdnotify=container | conmon | healthy | ignore
1713       Determines how to use the NOTIFY_SOCKET, as  passed  with  systemd  and
1714       Type=notify.
1715
1716
1717       Default  is  container,  which means allow the OCI runtime to proxy the
1718       socket into the container to receive ready  notification.  Podman  sets
1719       the  MAINPID  to  conmon's pid.  The conmon option sets MAINPID to con‐
1720       mon's pid, and sends READY when the container has started.  The  socket
1721       is  never  passed  to the runtime or the container.  The healthy option
1722       sets MAINPID to conmon's pid, and sends READY when  the  container  has
1723       turned  healthy;  requires a healthcheck to be set. The socket is never
1724       passed to the runtime or the container.  The ignore option removes  NO‐
1725       TIFY_SOCKET  from  the  environment for itself and child processes, for
1726       the case where some other process above Podman uses  NOTIFY_SOCKET  and
1727       Podman does not use it.
1728
1729
1730   --seccomp-policy=policy
1731       Specify the policy to select the seccomp profile. If set to image, Pod‐
1732       man looks for a "io.containers.seccomp.profile" label in the container-
1733       image  config and use its value as a seccomp profile. Otherwise, Podman
1734       follows the default policy by applying the default profile unless spec‐
1735       ified otherwise via --security-opt seccomp as described below.
1736
1737
1738       Note that this feature is experimental and may change in the future.
1739
1740
1741   --secret=secret[,opt=opt ...]
1742       Give the container access to a secret. Can be specified multiple times.
1743
1744
1745       A secret is a blob of sensitive data which a container needs at runtime
1746       but is not stored in the image or in source control, such as  usernames
1747       and  passwords,  TLS certificates and keys, SSH keys or other important
1748       generic strings or binary content (up to 500 kb in size).
1749
1750
1751       When secrets are specified as type mount, the secrets  are  copied  and
1752       mounted  into  the container when a container is created.  When secrets
1753       are specified as type env, the secret is set as an environment variable
1754       within the container.  Secrets are written in the container at the time
1755       of container creation, and modifying the  secret  using  podman  secret
1756       commands  after  the container is created affects the secret inside the
1757       container.
1758
1759
1760       Secrets and its storage are managed using the podman secret command.
1761
1762
1763       Secret Options
1764
1765
1766type=mount|env    : How the secret  is  exposed  to  the  con‐
1767                tainer.
1768                                    mount mounts the secret into the container
1769                as a file.
1770                                    env exposes the secret as  an  environment
1771                variable.
1772                                    Defaults to mount.
1773
1774target=target     : Target of secret.
1775                                    For  mounted  secrets, this is the path to
1776                the secret inside the container.
1777                                    If a fully qualified path is provided, the
1778                secret is mounted at that location.
1779                                    Otherwise, the secret is mounted to
1780                                    /run/secrets/target  for  linux containers
1781                or
1782                                    /var/run/secrets/target for  freebsd  con‐
1783                tainers.
1784                                    If  the  target  is not set, the secret is
1785                mounted to /run/secrets/secretname by default.
1786                                    For env secrets, this is  the  environment
1787                variable key. Defaults to secretname.
1788
1789uid=0             : UID of secret. Defaults to 0. Mount secret
1790                type only.
1791
1792gid=0             : GID of secret. Defaults to 0. Mount secret
1793                type only.
1794
1795mode=0             :  Mode  of secret. Defaults to 0444. Mount
1796                secret type only.
1797
1798
1799
1800       Examples
1801
1802
1803       Mount at /my/location/mysecret with UID 1:
1804
1805       --secret mysecret,target=/my/location/mysecret,uid=1
1806
1807
1808
1809       Mount at /run/secrets/customtarget with mode 0777:
1810
1811       --secret mysecret,target=customtarget,mode=0777
1812
1813
1814
1815       Create a secret environment variable called ENVSEC:
1816
1817       --secret mysecret,type=env,target=ENVSEC
1818
1819
1820
1821   --security-opt=option
1822       Security Options
1823
1824
1825apparmor=unconfined : Turn off apparmor  confinement  for  the
1826                container
1827
1828apparmor=alternate-profile : Set the apparmor confinement pro‐
1829                file for the container
1830
1831label=user:USER: Set the label user  for  the  container  pro‐
1832                cesses
1833
1834label=role:ROLE:  Set  the  label  role for the container pro‐
1835                cesses
1836
1837label=type:TYPE: Set the label process type for the  container
1838                processes
1839
1840label=level:LEVEL:  Set the label level for the container pro‐
1841                cesses
1842
1843label=filetype:TYPE: Set the label file type for the container
1844                files
1845
1846label=disable: Turn off label separation for the container
1847
1848
1849
1850       Note:  Labeling  can  be  disabled  for  all  containers by setting la‐
1851       bel=false in the  containers.conf  (/etc/containers/containers.conf  or
1852       $HOME/.config/containers/containers.conf) file.
1853
1854
1855label=nested:  Allows  SELinux  modifications  within the con‐
1856                tainer. Containers are allowed to  modify  SELinux  labels  on
1857                files and processes, as long as SELinux policy allows. Without
1858                nested, containers view SELinux as disabled, even when  it  is
1859                enabled on the host. Containers are prevented from setting any
1860                labels.
1861
1862mask=/path/1:/path/2: The paths to mask separated by a  colon.
1863                A masked path cannot be accessed inside the container.
1864
1865no-new-privileges:  Disable  container  processes from gaining
1866                additional privileges.
1867
1868seccomp=unconfined: Turn off seccomp confinement for the  con‐
1869                tainer.
1870
1871seccomp=profile.json:  JSON  file to be used as a seccomp fil‐
1872                ter. Note that the io.podman.annotations.seccomp annotation is
1873                set with the specified value as shown in podman inspect.
1874
1875proc-opts=OPTIONS : Comma-separated list of options to use for
1876                the /proc mount. More details for the possible  mount  options
1877                are specified in the proc(5) man page.
1878
1879unmask=ALL   or   /path/1:/path/2,  or  shell  expanded  paths
1880                (/proc/*): Paths to unmask separated by a  colon.  If  set  to
1881                ALL,  it  unmasks  all the paths that are masked or made read-
1882                only by default.  The default  masked  paths  are  /proc/acpi,
1883                /proc/kcore,  /proc/keys, /proc/latency_stats, /proc/sched_de‐
1884                bug,    /proc/scsi,    /proc/timer_list,    /proc/timer_stats,
1885                /sys/firmware,  and /sys/fs/selinux, /sys/devices/virtual/pow‐
1886                ercap.  The default paths that are read-only are /proc/asound,
1887                /proc/bus,  /proc/fs,  /proc/irq, /proc/sys, /proc/sysrq-trig‐
1888                ger, /sys/fs/cgroup.
1889
1890
1891
1892       Note: Labeling can be  disabled  for  all  containers  by  setting  la‐
1893       bel=false in the containers.conf(5) file.
1894
1895
1896   --shm-size=number[unit]
1897       Size   of  /dev/shm.  A  unit  can  be  b  (bytes),  k  (kibibytes),  m
1898       (mebibytes), or g (gibibytes).  If the unit is omitted, the system uses
1899       bytes.  If  the  size  is omitted, the default is 64m.  When size is 0,
1900       there is no limit on the amount of memory used  for  IPC  by  the  con‐
1901       tainer.  This option conflicts with --ipc=host.
1902
1903
1904   --shm-size-systemd=number[unit]
1905       Size   of  systemd-specific  tmpfs  mounts  such  as  /run,  /run/lock,
1906       /var/log/journal and /tmp.  A unit can be b (bytes), k  (kibibytes),  m
1907       (mebibytes), or g (gibibytes).  If the unit is omitted, the system uses
1908       bytes. If the size is omitted, the default is 64m.  When size is 0, the
1909       usage is limited to 50% of the host's available memory.
1910
1911
1912   --sig-proxy
1913       Proxy  received  signals  to  the  container  process. SIGCHLD, SIGURG,
1914       SIGSTOP, and SIGKILL are not proxied.
1915
1916
1917       The default is true.
1918
1919
1920   --stop-signal=signal
1921       Signal to stop a container. Default is SIGTERM.
1922
1923
1924   --stop-timeout=seconds
1925       Timeout to stop a container. Default is 10.  Remote connections use lo‐
1926       cal containers.conf for defaults.
1927
1928
1929   --subgidname=name
1930       Run  the  container  in a new user namespace using the map with name in
1931       the /etc/subgid file.  If running rootless, the user needs to have  the
1932       right  to  use  the  mapping.  See subgid(5).  This flag conflicts with
1933       --userns and --gidmap.
1934
1935
1936   --subuidname=name
1937       Run the container in a new user namespace using the map  with  name  in
1938       the  /etc/subuid file.  If running rootless, the user needs to have the
1939       right to use the mapping. See  subuid(5).   This  flag  conflicts  with
1940       --userns and --uidmap.
1941
1942
1943   --sysctl=name=value
1944       Configure namespaced kernel parameters at runtime.
1945
1946
1947       For the IPC namespace, the following sysctls are allowed:
1948
1949
1950              • kernel.msgmax
1951
1952              • kernel.msgmnb
1953
1954              • kernel.msgmni
1955
1956              • kernel.sem
1957
1958              • kernel.shmall
1959
1960              • kernel.shmmax
1961
1962              • kernel.shmmni
1963
1964              • kernel.shm_rmid_forced
1965
1966              • Sysctls beginning with fs.mqueue.*
1967
1968
1969
1970       Note:  if  using  the  --ipc=host option, the above sysctls are not al‐
1971       lowed.
1972
1973
1974       For the network namespace, only sysctls beginning with  net.*  are  al‐
1975       lowed.
1976
1977
1978       Note: if using the --network=host option, the above sysctls are not al‐
1979       lowed.
1980
1981
1982   --systemd=true | false | always
1983       Run container in systemd mode. The default is true.
1984
1985
1986true enables systemd mode only when the command  executed  in‐
1987                side  the  container is systemd, /usr/sbin/init, /sbin/init or
1988                /usr/local/sbin/init.
1989
1990false disables systemd mode.
1991
1992always enforces the systemd mode to be enabled.
1993
1994
1995
1996       Running the container in systemd mode causes the following changes:
1997
1998
1999              • Podman mounts tmpfs file systems on the following directories
2000
2001/run
2002
2003/run/lock
2004
2005/tmp
2006
2007/sys/fs/cgroup/systemd (on a cgroup v1 system)
2008
2009/var/lib/journal
2010
2011
2012
2013              • Podman sets the default stop signal to SIGRTMIN+3.
2014
2015              • Podman sets container_uuid environment variable  in  the  con‐
2016                tainer to the first 32 characters of the container ID.
2017
2018              • Podman does not mount virtual consoles (/dev/tty\d+) when run‐
2019                ning with --privileged.
2020
2021              • On cgroup v2, /sys/fs/cgroup is mounted writeable.
2022
2023
2024
2025       This allows systemd to run in a confined container without any  modifi‐
2026       cations.
2027
2028
2029       Note  that  on SELinux systems, systemd attempts to write to the cgroup
2030       file system. Containers writing to the cgroup file system are denied by
2031       default.   The container_manage_cgroup boolean must be enabled for this
2032       to be allowed on an SELinux separated system.
2033
2034       setsebool -P container_manage_cgroup true
2035
2036
2037
2038   --timeout=seconds
2039       Maximum time a container is allowed to run before conmon sends  it  the
2040       kill  signal.  By default containers run until they exit or are stopped
2041       by podman stop.
2042
2043
2044   --tls-verify
2045       Require HTTPS and verify certificates when contacting  registries  (de‐
2046       fault: true).  If explicitly set to true, TLS verification is used.  If
2047       set to false, TLS verification is not used.  If not specified, TLS ver‐
2048       ification  is  used unless the target registry is listed as an insecure
2049       registry in containers-registries.conf(5)
2050
2051
2052   --tmpfs=fs
2053       Create a tmpfs mount.
2054
2055
2056       Mount a temporary filesystem (tmpfs) mount into a container, for  exam‐
2057       ple:
2058
2059       $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
2060
2061
2062
2063       This command mounts a tmpfs at /tmp within the container. The supported
2064       mount options are the same as the Linux default mount flags. If no  op‐
2065       tions   are   specified,   the   system  uses  the  following  options:
2066       rw,noexec,nosuid,nodev.
2067
2068
2069   --tty, -t
2070       Allocate a pseudo-TTY. The default is false.
2071
2072
2073       When set to true, Podman allocates a pseudo-tty and attach to the stan‐
2074       dard  input  of  the container. This can be used, for example, to run a
2075       throwaway interactive shell.
2076
2077
2078       NOTE: The --tty flag prevents redirection of standard output.  It  com‐
2079       bines  STDOUT  and STDERR, it can insert control characters, and it can
2080       hang pipes. This option is only used when run interactively in a termi‐
2081       nal. When feeding input to Podman, use -i only, not -it.
2082
2083       echo "asdf" | podman run --rm -i someimage /bin/cat
2084
2085
2086
2087   --tz=timezone
2088       Set  timezone  in  container. This flag takes area-based timezones, GMT
2089       time, as well as local, which sets the timezone  in  the  container  to
2090       match  the  host machine. See /usr/share/zoneinfo/ for valid timezones.
2091       Remote connections use local containers.conf for defaults
2092
2093
2094   --uidmap=[flags]container_uid:from_uid[:amount]
2095       Run the container in a new user namespace using the supplied  UID  map‐
2096       ping. This option conflicts with the --userns and --subuidname options.
2097       This option provides a way to map host UIDs to container UIDs.  It  can
2098       be passed several times to map different ranges.
2099
2100
2101       The possible values of the optional flags are discussed further down on
2102       this page.  The amount value is optional and assumed to  be  1  if  not
2103       given.
2104
2105
2106       The  from_uid  value is based upon the user running the command, either
2107       rootful or rootless users.
2108
2109
2110              • rootful user:  [flags]container_uid:host_uid[:amount]
2111
2112              • rootless user: [flags]container_uid:intermediate_uid[:amount]
2113
2114
2115
2116       Rootful mappings
2117
2118
2119       When podman run is called by a privileged  user,  the  option  --uidmap
2120       works as a direct mapping between host UIDs and container UIDs.
2121
2122
2123       host UID -> container UID
2124
2125
2126       The amount specifies the number of consecutive UIDs that is mapped.  If
2127       for example amount is 4 the mapping looks like:
2128
2129
2130       ┌─────────────┬───────────────────┐
2131host UID     container UID     
2132       ├─────────────┼───────────────────┤
2133from_uidcontainer_uid
2134       ├─────────────┼───────────────────┤
2135from_uid + 1 │ container_uid + 1 │
2136       ├─────────────┼───────────────────┤
2137from_uid + 2 │ container_uid + 2 │
2138       ├─────────────┼───────────────────┤
2139from_uid + 3 │ container_uid + 3 │
2140       └─────────────┴───────────────────┘
2141
2142       Rootless mappings
2143
2144
2145       When podman run is called by an unprivileged user (i.e.  running  root‐
2146       less),  the  value from_uid is interpreted as an "intermediate UID". In
2147       the rootless case, host UIDs are not mapped directly to container UIDs.
2148       Instead the mapping happens over two mapping steps:
2149
2150
2151       host UID -> intermediate UID -> container UID
2152
2153
2154       The --uidmap option only influences the second mapping step.
2155
2156
2157       The  first  mapping  step is derived by Podman from the contents of the
2158       file /etc/subuid and the UID of the user calling Podman.
2159
2160
2161       First mapping step:
2162
2163
2164       ┌────────────────────┬──────────────────┐
2165host UID            intermediate UID 
2166       ├────────────────────┼──────────────────┤
2167       │UID for Podman user │ 0                │
2168       ├────────────────────┼──────────────────┤
2169       │1st subordinate UID │ 1                │
2170       ├────────────────────┼──────────────────┤
2171       │2nd subordinate UID │ 2                │
2172       ├────────────────────┼──────────────────┤
2173       │3rd subordinate UID │ 3                │
2174       ├────────────────────┼──────────────────┤
2175       │nth subordinate UID │ n                │
2176       └────────────────────┴──────────────────┘
2177
2178       To be able to use intermediate UIDs greater than zero, the  user  needs
2179       to have subordinate UIDs configured in /etc/subuid. See subuid(5).
2180
2181
2182       The second mapping step is configured with --uidmap.
2183
2184
2185       If for example amount is 5 the second mapping step looks like:
2186
2187
2188       ┌─────────────────┬───────────────────┐
2189intermediate UID container UID     
2190       ├─────────────────┼───────────────────┤
2191from_uidcontainer_uid
2192       ├─────────────────┼───────────────────┤
2193from_uid + 1     │ container_uid + 1 │
2194       ├─────────────────┼───────────────────┤
2195from_uid + 2     │ container_uid + 2 │
2196       ├─────────────────┼───────────────────┤
2197from_uid + 3     │ container_uid + 3 │
2198       ├─────────────────┼───────────────────┤
2199from_uid + 4     │ container_uid + 4 │
2200       └─────────────────┴───────────────────┘
2201
2202       When  running as rootless, Podman uses all the ranges configured in the
2203       /etc/subuid file.
2204
2205
2206       The current user ID is mapped to UID=0 in the rootless user  namespace.
2207       Every additional range is added sequentially afterward:
2208
2209
2210       ┌──────────────────────┬─────────────────────────┬──────────────────────┐
2211host                  rootless user namespace length               
2212       ├──────────────────────┼─────────────────────────┼──────────────────────┤
2213       │$UID                  │ 0                       │ 1                    │
2214       ├──────────────────────┼─────────────────────────┼──────────────────────┤
2215       │1                     │ $FIRST_RANGE_ID         │ $FIRST_RANGE_LENGTH  │
2216       ├──────────────────────┼─────────────────────────┼──────────────────────┤
2217       │1+$FIRST_RANGE_LENGTH │ $SECOND_RANGE_ID        │ $SECOND_RANGE_LENGTH │
2218       └──────────────────────┴─────────────────────────┴──────────────────────┘
2219
2220       Referencing a host ID from the parent namespace
2221
2222
2223       As a rootless user, the given host ID in --uidmap or --gidmap is mapped
2224       from the intermediate namespace generated by Podman.  Sometimes  it  is
2225       desirable  to  refer  directly at the host namespace. It is possible to
2226       manually do so, by running podman unshare cat /proc/self/gid_map, find‐
2227       ing the desired host id at the second column of the output, and getting
2228       the corresponding intermediate id from the first column.
2229
2230
2231       Podman can perform all that by preceding the host  id  in  the  mapping
2232       with the @ symbol. For instance, by specifying --gidmap 100000:@2000:1,
2233       podman will look up the intermediate id corresponding to host  id  2000
2234       and  it  will map the found intermediate id to the container id 100000.
2235       The given host id must have been subordinated (otherwise it  would  not
2236       be mapped into the intermediate space in the first place).
2237
2238
2239       If  the  length  is  greater  than  one,  for  instance  with  --gidmap
2240       100000:@2000:2, Podman will map host ids 2000 and 2001  to  100000  and
2241       100001, respectively, regardless of how the intermediate mapping is de‐
2242       fined.
2243
2244
2245       Extending previous mappings
2246
2247
2248       Some mapping modifications may be  cumbersome.  For  instance,  a  user
2249       starts  with  a  mapping such as --gidmap="0:0:65000", that needs to be
2250       changed such as the parent id 1000 is mapped to container id 100000 in‐
2251       stead,  leaving  container  id 1 unassigned. The corresponding --gidmap
2252       becomes --gidmap="0:0:1" --gidmap="2:2:65534" --gidmap="100000:1:1".
2253
2254
2255       This notation can be simplified using the + flag, that  takes  care  of
2256       breaking previous mappings removing any conflicting assignment with the
2257       given mapping. The flag is given before the container  id  as  follows:
2258       --gidmap="0:0:65000" --gidmap="+100000:1:1"
2259
2260
2261       ┌─────┬─────────────┬─────────────────────────────┐
2262Flag Example     Description                 
2263       ├─────┼─────────────┼─────────────────────────────┤
2264+    +100000:1:1 │ Extend the previous mapping │
2265       └─────┴─────────────┴─────────────────────────────┘
2266
2267       This  notation leads to gaps in the assignment, so it may be convenient
2268       to     fill     those     gaps     afterwards:     --gidmap="0:0:65000"
2269       --gidmap="+100000:1:1" --gidmap="1:65001:1"
2270
2271
2272       One  specific  use  case  for  this  flag is in the context of rootless
2273       users. A rootless user may specify mappings  with  the  +  flag  as  in
2274       --gidmap="+100000:1:1".  Podman will then "fill the gaps" starting from
2275       zero with all the remaining intermediate ids. This is convenient when a
2276       user wants to map a specific intermediate id to a container id, leaving
2277       the rest of subordinate ids to be mapped by Podman at will.
2278
2279
2280       Passing only one of --uidmap or --gidmap
2281
2282
2283       Usually, subordinated user and group ids are  assigned  simultaneously,
2284       and for any user the subordinated user ids match the subordinated group
2285       ids.  For convenience, if only one of --uidmap or  --gidmap  is  given,
2286       podman assumes the mapping refers to both UIDs and GIDs and applies the
2287       given mapping to both. If only  one  value  of  the  two  needs  to  be
2288       changed,  the  mappings  should include the u or the g flags to specify
2289       that they only apply to UIDs or GIDs and should not be copied over.
2290
2291
2292       ┌─────┬───────────────┬─────────────────────┐
2293flag Example       Description         
2294       ├─────┼───────────────┼─────────────────────┤
2295u    u20000:2000:1 │ The  mapping   only │
2296       │     │               │ applies to UIDs     │
2297       ├─────┼───────────────┼─────────────────────┤
2298g    g10000:1000:1 │ The   mapping  only │
2299       │     │               │ applies to GIDs     │
2300       └─────┴───────────────┴─────────────────────┘
2301
2302       For instance given the command
2303
2304       podman run --gidmap "0:0:1000" --gidmap "g2000:2000:1"
2305
2306
2307
2308       Since no --uidmap is given, the --gidmap is copied to --uidmap,  giving
2309       a command equivalent to
2310
2311       podman run --gidmap "0:0:1000" --gidmap "2000:2000:1" --uidmap "0:0:1000"
2312
2313
2314
2315       The  --gidmap  "g2000:2000:1"  used the g flag and therefore it was not
2316       copied to --uidmap.
2317
2318
2319       Rootless mapping of additional host GIDs
2320
2321
2322       A rootless user may desire to map a specific host group  that  has  al‐
2323       ready  been subordinated within /etc/subgid without specifying the rest
2324       of the mapping.
2325
2326
2327       This can be done with --gidmap "+gcontainer_gid:@host_gid"
2328
2329
2330       Where:
2331
2332
2333              • The host GID is given through the @ symbol
2334
2335              • The mapping of this GID is not copied over to --usermap thanks
2336                to the g flag.
2337
2338              • The  rest  of the container IDs will be mapped starting from 0
2339                to n, with all the remaining subordinated GIDs, thanks to  the
2340                + flag.
2341
2342
2343
2344       For  instance,  if  a  user belongs to the group 2000 and that group is
2345       subordinated to that user (with usermod --add-subgids 2000-2000 $USER),
2346       the    user    can   map   the   group   into   the   container   with:
2347       --gidmap=+g100000:@2000.
2348
2349
2350       If this mapping is combined with the  option,  --group-add=keep-groups,
2351       the process in the container will belong to group 100000, and files be‐
2352       longing to group 2000 in the host will appear as being owned  by  group
2353       100000 inside the container.
2354
2355       podman run --group-add=keep-groups --gidmap="+g100000:@2000" ...
2356
2357
2358
2359       No subordinate UIDs
2360
2361
2362       Even  if  a  user  does  not have any subordinate UIDs in  /etc/subuid,
2363       --uidmap can be used to map the normal UID of the user to  a  container
2364       UID  by  running  podman  run  --uidmap $container_uid:0:1 --user $con‐
2365       tainer_uid ....
2366
2367
2368       Pods
2369
2370
2371       The --uidmap option cannot be called in conjunction with the --pod  op‐
2372       tion as a uidmap cannot be set on the container level when in a pod.
2373
2374
2375   --ulimit=option
2376       Ulimit options. Sets the ulimits values inside of the container.
2377
2378
2379       --ulimit with a soft and hard limit in the format =[:]. For example:
2380
2381
2382       $ podman run --ulimit nofile=1024:1024 --rm ubi9 ulimit -n 1024
2383
2384
2385       Set -1 for the soft or hard limit to set the limit to the maximum limit
2386       of the current process. In rootful mode this is often unlimited.
2387
2388
2389       Use host to copy the current configuration from the host.
2390
2391
2392       Don't use nproc with the ulimit flag as Linux uses  nproc  to  set  the
2393       maximum number of processes available to a user, not to a container.
2394
2395
2396       Use  the  --pids-limit option to modify the cgroup control to limit the
2397       number of processes within a container.
2398
2399
2400   --umask=umask
2401       Set the umask inside the container. Defaults to 0022.   Remote  connec‐
2402       tions use local containers.conf for defaults
2403
2404
2405   --unsetenv=env
2406       Unset default environment variables for the container. Default environ‐
2407       ment variables include variables provided natively by Podman,  environ‐
2408       ment  variables configured by the image, and environment variables from
2409       containers.conf.
2410
2411
2412   --unsetenv-all
2413       Unset all default environment variables for the container. Default  en‐
2414       vironment  variables include variables provided natively by Podman, en‐
2415       vironment variables configured by the image, and environment  variables
2416       from containers.conf.
2417
2418
2419   --user, -u=user[:group]
2420       Sets the username or UID used and, optionally, the groupname or GID for
2421       the specified command. Both user and group may be symbolic or numeric.
2422
2423
2424       Without this argument, the command runs as the user  specified  in  the
2425       container  image. Unless overridden by a USER command in the Container‐
2426       file or by a value passed to this option, this user generally  defaults
2427       to root.
2428
2429
2430       When  a  user  namespace is not in use, the UID and GID used within the
2431       container and on the host match. When user namespaces are in use,  how‐
2432       ever,  the  UID  and GID in the container may correspond to another UID
2433       and GID on the host. In rootless containers, for example, a user  name‐
2434       space  is always used, and root in the container by default corresponds
2435       to the UID and GID of the user invoking Podman.
2436
2437
2438   --userns=mode
2439       Set the user namespace mode for the container.
2440
2441
2442       If --userns is not set, the default value is determined as follows.   -
2443       If  --pod is set, --userns is ignored and the user namespace of the pod
2444       is used.  - If the environment variable PODMAN_USERNS is set its  value
2445       is  used.   -  If  userns is specified in containers.conf this value is
2446       used.  - Otherwise, --userns=host is assumed.
2447
2448
2449       --userns="" (i.e., an empty string) is an alias for --userns=host.
2450
2451
2452       This option is incompatible with --gidmap, --uidmap,  --subuidname  and
2453       --subgidname.
2454
2455
2456       Rootless user --userns=Key mappings:
2457
2458
2459       ┌────────────────────────┬───────────┬─────────────────────┐
2460Key                     Host User Container User      
2461       ├────────────────────────┼───────────┼─────────────────────┤
2462       │auto                    │ $UID      │ nil  (Host User UID │
2463       │                        │           │ is not mapped  into │
2464       │                        │           │ container.)         │
2465       ├────────────────────────┼───────────┼─────────────────────┤
2466       │host                    │ $UID      │ 0 (Default User ac‐ │
2467       │                        │           │ count   mapped   to │
2468       │                        │           │ root  user  in con‐ │
2469       │                        │           │ tainer.)            │
2470       ├────────────────────────┼───────────┼─────────────────────┤
2471       │keep-id                 │ $UID      │ $UID (Map user  ac‐ │
2472       │                        │           │ count  to  same UID │
2473       │                        │           │ within container.)  │
2474       ├────────────────────────┼───────────┼─────────────────────┤
2475       │keep-id:uid=200,gid=210 │ $UID      │ 200:210  (Map  user │
2476       │                        │           │ account  to  speci‐ │
2477       │                        │           │ fied UID, GID value │
2478       │                        │           │ within container.)  │
2479       ├────────────────────────┼───────────┼─────────────────────┤
2480       │nomap                   │ $UID      │ nil  (Host User UID │
2481       │                        │           │ is not mapped  into │
2482       │                        │           │ container.)         │
2483       └────────────────────────┴───────────┴─────────────────────┘
2484
2485       Valid mode values are:
2486
2487
2488       auto[:OPTIONS,...]: automatically create a unique user namespace.
2489
2490
2491rootful  mode:  The  --userns=auto flag requires that the user
2492                name containers be specified in the /etc/subuid and  /etc/sub‐
2493                gid  files,  with an unused range of subordinate user IDs that
2494                Podman containers are allowed to allocate.
2495
2496
2497
2498                                  Example: containers:2147483647:2147483648.
2499
2500
2501rootless mode:  The  users  range  from  the  /etc/subuid  and
2502                /etc/subgid  files  will  be  used. Note running a single con‐
2503                tainer without using --userns=auto will use the  entire  range
2504                of UIDs and not allow further subdividing. See subuid(5).
2505
2506
2507
2508       Podman  allocates  unique  ranges  of UIDs and GIDs from the containers
2509       subordinate user IDs. The size of the ranges is based on the number  of
2510       UIDs required in the image. The number of UIDs and GIDs can be overrid‐
2511       den with the size option.
2512
2513
2514       The option --userns=keep-id uses all the subuids  and  subgids  of  the
2515       user.   The  option  --userns=nomap uses all the subuids and subgids of
2516       the user except the user's own ID.  Using --userns=auto  when  starting
2517       new  containers does not work as long as any containers exist that were
2518       started with --userns=keep-id or --userns=nomap.
2519
2520
2521       Valid auto options:
2522
2523
2524gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping
2525                to be present in the user namespace.
2526
2527size=SIZE:  to specify an explicit size for the automatic user
2528                namespace. e.g. --userns=auto:size=8192. If size is not speci‐
2529                fied, auto estimates a size for the user namespace.
2530
2531uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping
2532                to be present in the user namespace.
2533
2534
2535
2536       container:id: join the user namespace of the specified container.
2537
2538
2539       host or "" (empty string): run in the user namespace of the caller. The
2540       processes running in the container have the same privileges on the host
2541       as any other process launched by the calling user.
2542
2543
2544       keep-id: creates a user namespace where the current user's UID:GID  are
2545       mapped  to  the same values in the container. For containers created by
2546       root, the current mapping is created into a new user namespace.
2547
2548
2549       Valid keep-id options:
2550
2551
2552uid=UID: override the UID inside the container that is used to
2553                map the current user to.
2554
2555gid=GID: override the GID inside the container that is used to
2556                map the current user to.
2557
2558
2559
2560       nomap: creates a user  namespace  where  the  current  rootless  user's
2561       UID:GID  are  not mapped into the container. This option is not allowed
2562       for containers created by the root user.
2563
2564
2565       ns:namespace: run the container in the given existing user namespace.
2566
2567
2568   --uts=mode
2569       Set the UTS namespace mode for the container. The following values  are
2570       supported:
2571
2572
2573host: use the host's UTS namespace inside the container.
2574
2575private: create a new namespace for the container (default).
2576
2577ns:[path]:  run  the container in the given existing UTS name‐
2578                space.
2579
2580container:[container]: join the UTS namespace of the specified
2581                container.
2582
2583
2584
2585   --variant=VARIANT
2586       Use  VARIANT  instead  of  the default architecture variant of the con‐
2587       tainer image. Some images can use multiple variants of the  arm  archi‐
2588       tectures, such as arm/v5 and arm/v7.
2589
2590
2591   --volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]
2592       Create  a bind mount. If -v /HOST-DIR:/CONTAINER-DIR is specified, Pod‐
2593       man bind mounts /HOST-DIR from the host into /CONTAINER-DIR in the Pod‐
2594       man  container.  Similarly,  -v SOURCE-VOLUME:/CONTAINER-DIR mounts the
2595       named volume from the host into the container. If no such named  volume
2596       exists,  Podman  creates one. If no source is given, the volume is cre‐
2597       ated as an anonymously named volume with a randomly generated name, and
2598       is  removed when the container is removed via the --rm flag or the pod‐
2599       man rm --volumes command.
2600
2601
2602       (Note when using the remote client, including Mac and Windows  (exclud‐
2603       ing WSL2) machines, the volumes are mounted from the remote server, not
2604       necessarily the client machine.)
2605
2606
2607       The OPTIONS is a comma-separated list and can be: [1] ⟨#Footnote1⟩
2608
2609
2610rw|ro
2611
2612z|Z
2613
2614              • [O]
2615
2616              • [U]
2617
2618              • [no]copy
2619
2620              • [no]dev
2621
2622              • [no]exec
2623
2624              • [no]suid
2625
2626              • [r]bind
2627
2628              • [r]shared|[r]slave|[r]private[r]unbindable
2629
2630idmap[=options]
2631
2632
2633
2634       The CONTAINER-DIR must be an absolute path such as /src/docs. The  vol‐
2635       ume is mounted into the container at this directory.
2636
2637
2638       If  a  volume source is specified, it must be a path on the host or the
2639       name of a named volume. Host paths are allowed to be absolute or  rela‐
2640       tive;  relative  paths are resolved relative to the directory Podman is
2641       run in. If the source does not exist, Podman returns  an  error.  Users
2642       must pre-create the source files or directories.
2643
2644
2645       Any  source that does not begin with a . or / is treated as the name of
2646       a named volume. If a volume with that name does not exist, it  is  cre‐
2647       ated.   Volumes  created with names are not anonymous, and they are not
2648       removed by the --rm option and the podman rm --volumes command.
2649
2650
2651       Specify multiple -v options to mount one or more volumes  into  a  con‐
2652       tainer.
2653
2654
2655       Write Protected Volume Mounts
2656
2657
2658       Add  :ro  or  :rw  option  to mount a volume in read-only or read-write
2659       mode, respectively. By default, the  volumes  are  mounted  read-write.
2660       See examples.
2661
2662
2663       Chowning Volume Mounts
2664
2665
2666       By default, Podman does not change the owner and group of source volume
2667       directories mounted into containers. If a container is created in a new
2668       user  namespace, the UID and GID in the container may correspond to an‐
2669       other UID and GID on the host.
2670
2671
2672       The :U suffix tells Podman to use the correct host UID and GID based on
2673       the  UID  and GID within the container, to change recursively the owner
2674       and group of the source volume. Chowning walks the  file  system  under
2675       the  volume  and  changes  the  UID/GID on each file. If the volume has
2676       thousands of inodes, this process takes a long time, delaying the start
2677       of the container.
2678
2679
2680       Warning use with caution since this modifies the host filesystem.
2681
2682
2683       Labeling Volume Mounts
2684
2685
2686       Labeling  systems like SELinux require that proper labels are placed on
2687       volume content mounted into a container. Without a label, the  security
2688       system  might  prevent  the processes running inside the container from
2689       using the content. By default, Podman does not change the labels set by
2690       the OS.
2691
2692
2693       To  change a label in the container context, add either of two suffixes
2694       :z or :Z to the volume mount. These suffixes  tell  Podman  to  relabel
2695       file  objects on the shared volumes. The z option tells Podman that two
2696       or more containers share the volume content. As a result, Podman labels
2697       the content with a shared content label. Shared volume labels allow all
2698       containers to read/write content. The Z option tells  Podman  to  label
2699       the  content  with  a private unshared label Only the current container
2700       can use a private volume. Relabeling walks the file  system  under  the
2701       volume  and changes the label on each file, if the volume has thousands
2702       of inodes, this process takes a long time, delaying the  start  of  the
2703       container.  If  the  volume was previously relabeled with the z option,
2704       Podman is optimized to not relabel a second time. If  files  are  moved
2705       into  the volume, then the labels can be manually change with the chcon
2706       -Rt container_file_t PATH command.
2707
2708
2709       Note: Do not relabel system files and  directories.  Relabeling  system
2710       content  might  cause  other  confined services on the machine to fail.
2711       For these types of containers we recommend  disabling  SELinux  separa‐
2712       tion.  The option --security-opt label=disable disables SELinux separa‐
2713       tion for the container.  For example if a user wanted to  volume  mount
2714       their  entire  home  directory  into  a container, they need to disable
2715       SELinux separation.
2716
2717          $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
2718
2719
2720
2721       Overlay Volume Mounts
2722
2723
2724       The :O flag tells Podman to mount the directory from the host as a tem‐
2725       porary  storage  using the overlay file system. The container processes
2726       can modify content within the mountpoint which is stored  in  the  con‐
2727       tainer  storage  in  a separate directory. In overlay terms, the source
2728       directory is the lower, and the container storage directory is the  up‐
2729       per.  Modifications to the mount point are destroyed when the container
2730       finishes executing, similar to a tmpfs mount point being unmounted.
2731
2732
2733       For advanced users,  the  overlay  option  also  supports  custom  non-
2734       volatile  upperdir  and  workdir for the overlay mount. Custom upperdir
2735       and workdir can be fully managed by the users  themselves,  and  Podman
2736       does   not   remove   it   on  lifecycle  completion.   Example  :O,up‐
2737       perdir=/some/upper,workdir=/some/work
2738
2739
2740       Subsequent executions of the container sees the original source  direc‐
2741       tory  content, any changes from previous container executions no longer
2742       exist.
2743
2744
2745       One use case of the overlay mount is sharing the package cache from the
2746       host into the container to allow speeding up builds.
2747
2748
2749       Note: The O flag conflicts with other options listed above.
2750
2751
2752       Content mounted into the container is labeled with the private label.
2753              On SELinux systems, labels in the source directory must be read‐
2754       able by the  container label. Usually containers can read/execute  con‐
2755       tainer_share_t and can read/write container_file_t. If unable to change
2756       the labels on a source volume, SELinux  container  separation  must  be
2757       disabled for the  container to work.
2758            -  Do  not  modify the source directory mounted into the container
2759       with an overlay mount, it can cause unexpected  failures.  Only  modify
2760       the directory after the container finishes running.
2761
2762
2763       Mounts propagation
2764
2765
2766       By default bind mounted volumes are private. That means any mounts done
2767       inside the container is not visible on host and  vice  versa.  One  can
2768       change this behavior by specifying a volume mount propagation property.
2769       Making a volume shared mounts done under that volume  inside  the  con‐
2770       tainer is visible on host and vice versa. Making a volume slave enables
2771       only one way mount propagation and that is mounts done  on  host  under
2772       that  volume  is visible inside container but not the other way around.
2773       [1] ⟨#Footnote1⟩
2774
2775
2776       To control mount propagation property of  a  volume  one  can  use  the
2777       [r]shared,  [r]slave, [r]private or the [r]unbindable propagation flag.
2778       Propagation property can be specified only for bind mounted volumes and
2779       not  for  internal  volumes  or named volumes. For mount propagation to
2780       work the source mount point  (the  mount  point  where  source  dir  is
2781       mounted  on)  has  to have the right propagation properties. For shared
2782       volumes, the source mount point has to be shared. And  for  slave  vol‐
2783       umes,  the  source  mount  point has to be either shared or slave.  [1]
2784       ⟨#Footnote1⟩
2785
2786
2787       To recursively mount a volume and all of  its  submounts  into  a  con‐
2788       tainer,  use  the rbind option. By default the bind option is used, and
2789       submounts of the source directory is not mounted into the container.
2790
2791
2792       Mounting the volume with a copy option tells  podman  to  copy  content
2793       from  the  underlying destination directory onto newly created internal
2794       volumes. The copy only happens on the initial creation of  the  volume.
2795       Content  is  not copied up when the volume is subsequently used on dif‐
2796       ferent containers. The copy option is ignored on bind mounts and has no
2797       effect.
2798
2799
2800       Mounting volumes with the nosuid options means that SUID executables on
2801       the volume can not be used by applications to change  their  privilege.
2802       By default volumes are mounted with nosuid.
2803
2804
2805       Mounting the volume with the noexec option means that no executables on
2806       the volume can be executed within the container.
2807
2808
2809       Mounting the volume with the nodev option means that no devices on  the
2810       volume  can  be used by processes within the container. By default vol‐
2811       umes are mounted with nodev.
2812
2813
2814       If the HOST-DIR is a mount point, then dev, suid, and exec options  are
2815       ignored by the kernel.
2816
2817
2818       Use  df  HOST-DIR  to  figure out the source mount, then use findmnt -o
2819       TARGET,PROPAGATION source-mount-dir to figure out  propagation  proper‐
2820       ties  of source mount. If findmnt(1) utility is not available, then one
2821       can  look  at  the  mount  entry  for  the  source   mount   point   in
2822       /proc/self/mountinfo.  Look  at  the  "optional  fields" and see if any
2823       propagation properties are specified.  In  there,  shared:N  means  the
2824       mount  is  shared,  master:N  means  mount  is slave, and if nothing is
2825       there, the mount is private. [1] ⟨#Footnote1⟩
2826
2827
2828       To change propagation properties of a mount point,  use  mount(8)  com‐
2829       mand.  For  example,  if one wants to bind mount source directory /foo,
2830       one can do mount --bind /foo  /foo  and  mount  --make-private  --make-
2831       shared  /foo.  This  converts  /foo into a shared mount point. Alterna‐
2832       tively, one can directly change propagation properties of source mount.
2833       Say  / is source mount for /foo, then use mount --make-shared / to con‐
2834       vert / into a shared mount.
2835
2836
2837       Note: if the user only has access rights via  a  group,  accessing  the
2838       volume from inside a rootless container fails.
2839
2840
2841       Idmapped mount
2842
2843
2844       If  idmap  is  specified,  create  an idmapped mount to the target user
2845       namespace in the container. The idmap option supports a custom  mapping
2846       that  can  be  different than the user namespace used by the container.
2847       The  mapping  can  be  specified   after   the   idmap   option   like:
2848       idmap=uids=0-1-10#10-11-10;gids=0-100-10.   For each triplet, the first
2849       value is the start of the backing file system IDs that  are  mapped  to
2850       the  second  value on the host.  The length of this mapping is given in
2851       the third value.  Multiple ranges are separated with #.
2852
2853
2854       Use the --group-add keep-groups option to pass the user's supplementary
2855       group access into the container.
2856
2857
2858   --volumes-from=CONTAINER[:OPTIONS]
2859       Mount  volumes  from  the specified container(s). Used to share volumes
2860       between containers. The options is a comma-separated list with the fol‐
2861       lowing available elements:
2862
2863
2864rw|ro
2865
2866z
2867
2868
2869
2870       Mounts  already  mounted  volumes  from a source container onto another
2871       container. CONTAINER may be a name or ID.  To share a volume,  use  the
2872       --volumes-from option when running the target container. Volumes can be
2873       shared even if the source container is not running.
2874
2875
2876       By default, Podman mounts the volumes in the same mode  (read-write  or
2877       read-only)  as  it  is  mounted  in  the source container.  This can be
2878       changed by adding a ro or rw option.
2879
2880
2881       Labeling systems like SELinux require that proper labels are placed  on
2882       volume  content mounted into a container. Without a label, the security
2883       system might prevent the processes running inside  the  container  from
2884       using the content. By default, Podman does not change the labels set by
2885       the OS.
2886
2887
2888       To change a label in the container context, add z to the volume  mount.
2889       This suffix tells Podman to relabel file objects on the shared volumes.
2890       The z option tells Podman that two entities share the  volume  content.
2891       As  a  result,  Podman  labels the content with a shared content label.
2892       Shared volume labels allow all containers to read/write content.
2893
2894
2895       If the location of the volume from the source container  overlaps  with
2896       data residing on a target container, then the volume hides that data on
2897       the target.
2898
2899
2900   --workdir, -w=dir
2901       Working directory inside the container.
2902
2903
2904       The default working directory for running binaries within  a  container
2905       is the root directory (/).  The image developer can set a different de‐
2906       fault with the WORKDIR instruction. The operator can override the work‐
2907       ing directory by using the -w option.
2908
2909

Exit Status

2911       The exit code from podman run gives information about why the container
2912       failed to run or why it exited. When podman run exits with  a  non-zero
2913       code, the exit codes follow the chroot(1) standard, see below:
2914
2915
2916       125 The error is with Podman itself
2917
2918       $ podman run --foo busybox; echo $?
2919       Error: unknown flag: --foo
2920       125
2921
2922
2923
2924       126 The contained command cannot be invoked
2925
2926       $ podman run busybox /etc; echo $?
2927       Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
2928       126
2929
2930
2931
2932       127 The contained command cannot be found
2933
2934       $ podman run busybox foo; echo $?
2935       Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
2936       127
2937
2938
2939
2940       Exit code contained command exit code
2941
2942       $ podman run busybox /bin/sh -c 'exit 3'; echo $?
2943       3
2944
2945
2946

EXAMPLES

2948   Running container in read-only mode
2949       During  container  image development, containers often need to write to
2950       the image content. Installing packages into /usr, for example. In  pro‐
2951       duction, applications seldom need to write to the image.  Container ap‐
2952       plications write to volumes if they need to write to  file  systems  at
2953       all.  Applications can be made more secure by running them in read-only
2954       mode using the --read-only switch.  This protects the container's image
2955       from  modification. By default read-only containers can write to tempo‐
2956       rary data. Podman mounts a tmpfs on /run and /tmp within the container.
2957       If  the  container  does  not  write to any file system within the con‐
2958       tainer, including tmpfs, set --read-only-tmpfs=false.
2959
2960       $ podman run --read-only -i -t fedora /bin/bash
2961
2962       $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
2963
2964
2965
2966   Exposing shared libraries inside of container as read-only using a glob
2967       $ podman run --mount type=glob,src=/usr/lib64/libnvidia\*,ro=true -i -t fedora /bin/bash
2968
2969
2970
2971   Exposing log messages from the container to the host's log
2972       Bind mount the /dev/log directory to have messages that are  logged  in
2973       the container  show up in the host's syslog/journal.
2974
2975       $ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
2976
2977
2978
2979       From inside the container test this by sending a message to the log.
2980
2981       (bash)# logger "Hello from my container"
2982
2983
2984
2985       Then exit and check the journal.
2986
2987       (bash)# exit
2988
2989       $ journalctl -b | grep Hello
2990
2991
2992
2993       This lists the message sent to the logger.
2994
2995
2996   Attaching to one or more from STDIN, STDOUT, STDERR
2997       Without  specifying  the  -a option, Podman attaches everything (stdin,
2998       stdout, stderr).  Override the default by specifying -a (stdin, stdout,
2999       stderr), as in:
3000
3001       $ podman run -a stdin -a stdout -i -t fedora /bin/bash
3002
3003
3004
3005   Sharing IPC between containers
3006       Using              shm_server.c             available             here:
3007       https://www.cs.cf.ac.uk/Dave/C/node27.html
3008
3009
3010       Testing --ipc=host mode:
3011
3012
3013       Host shows a shared memory segment with 7 pids attached, happens to  be
3014       from httpd:
3015
3016       $ sudo ipcs -m
3017
3018       ------ Shared Memory Segments --------
3019       key        shmid      owner      perms      bytes      nattch     status
3020       0x01128e25 0          root       600        1000       7
3021
3022
3023
3024       Now  run  a regular container, and it correctly does NOT see the shared
3025       memory segment from the host:
3026
3027       $ podman run -it shm ipcs -m
3028
3029       ------ Shared Memory Segments --------
3030       key        shmid      owner      perms      bytes      nattch     status
3031
3032
3033
3034       Run a container with the new --ipc=host option, and  it  now  sees  the
3035       shared memory segment from the host httpd:
3036
3037       $ podman run -it --ipc=host shm ipcs -m
3038
3039       ------ Shared Memory Segments --------
3040       key        shmid      owner      perms      bytes      nattch     status
3041       0x01128e25 0          root       600        1000       7
3042
3043
3044
3045       Testing --ipc=container:id mode:
3046
3047
3048       Start a container with a program to create a shared memory segment:
3049
3050       $ podman run -it shm bash
3051       $ sudo shm/shm_server &
3052       $ sudo ipcs -m
3053
3054       ------ Shared Memory Segments --------
3055       key        shmid      owner      perms      bytes      nattch     status
3056       0x0000162e 0          root       666        27         1
3057
3058
3059
3060       Create  a  2nd  container correctly shows no shared memory segment from
3061       1st container:
3062
3063       $ podman run shm ipcs -m
3064
3065       ------ Shared Memory Segments --------
3066       key        shmid      owner      perms      bytes      nattch     status
3067
3068
3069
3070       Create a 3rd container using  the  --ipc=container:id  option,  now  it
3071       shows the shared memory segment from the first:
3072
3073       $ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
3074       $ sudo ipcs -m
3075
3076       ------ Shared Memory Segments --------
3077       key        shmid      owner      perms      bytes      nattch     status
3078       0x0000162e 0          root       666        27         1
3079
3080
3081
3082   Mapping Ports for External Usage
3083       The  exposed  port of an application can be mapped to a host port using
3084       the -p flag. For example, an httpd port 80 can be mapped  to  the  host
3085       port 8080 using the following:
3086
3087       $ podman run -p 8080:80 -d -i -t fedora/httpd
3088
3089
3090
3091   Mounting External Volumes
3092       To  mount  a host directory as a container volume, specify the absolute
3093       path to the directory and the absolute path for the container directory
3094       separated  by  a  colon.  If the source is a named volume maintained by
3095       Podman, it is recommended to use its name rather than the path  to  the
3096       volume.  Otherwise  the volume is considered an orphan and wiped by the
3097       podman volume prune command:
3098
3099       $ podman run -v /var/db:/data1 -i -t fedora bash
3100
3101       $ podman run -v data:/data2 -i -t fedora bash
3102
3103       $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
3104
3105
3106
3107       If the container needs a writeable mounted volume by a  non  root  user
3108       inside  the  container,  use  the U option. This option tells Podman to
3109       chown the source volume to match the default UID and  GID  used  within
3110       the container.
3111
3112       $ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:Z,U mariadb
3113
3114
3115
3116       Alternatively  if  the  container needs a writable volume by a non root
3117       user inside of the container, the --userns=keep-id option allows  users
3118       to  specify  the  UID  and GID of the user executing Podman to specific
3119       UIDs and GIDs within the container. Since the processes running in  the
3120       container run as the user's UID, they can read/write files owned by the
3121       user.
3122
3123       $ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id:uid=999,gid=999 -v ~/data:/var/lib/mysql:Z mariadb
3124
3125
3126
3127       Using --mount flags to mount a host directory as  a  container  folder,
3128       specify  the absolute path to the directory or the volume name, and the
3129       absolute path within the container directory:
3130
3131       $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
3132
3133       $ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh
3134
3135
3136
3137       When using SELinux, be aware that the host has  no  knowledge  of  con‐
3138       tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
3139       icy is enforced, the /var/db directory is  not  writable  to  the  con‐
3140       tainer.  A  "Permission  Denied" message occurs, and an avc: message is
3141       added to the host's syslog.
3142
3143
3144       To work around this, at time of writing this man  page,  the  following
3145       command needs to be run in order for the proper SELinux policy type la‐
3146       bel to be attached to the host directory:
3147
3148       $ chcon -Rt svirt_sandbox_file_t /var/db
3149
3150
3151
3152       Now, writing to the /data1 volume in the container is allowed  and  the
3153       changes are reflected on the host in /var/db.
3154
3155
3156   Using alternative security labeling
3157       Override  the  default labeling scheme for each container by specifying
3158       the --security-opt flag. For example, specify the MCS/MLS level, a  re‐
3159       quirement  for  MLS systems. Specifying the level in the following com‐
3160       mand allows the same content to be shared between containers.
3161
3162       podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash
3163
3164
3165
3166       An MLS example might be:
3167
3168       $ podman run --security-opt label=level:TopSecret -i -t rhel7 bash
3169
3170
3171
3172       To disable the security labeling for this container versus running with
3173       the
3174
3175
3176   --permissive flag, use the following command:
3177       $ podman run --security-opt label=disable -i -t fedora bash
3178
3179
3180
3181       Tighten  the  security  policy  on  the processes within a container by
3182       specifying an alternate type for the container. For example, run a con‐
3183       tainer  that is only allowed to listen on Apache ports by executing the
3184       following command:
3185
3186       $ podman run --security-opt label=type:svirt_apache_t -i -t centos bash
3187
3188
3189
3190       Note that an SELinux policy defining  a  svirt_apache_t  type  must  be
3191       written.
3192
3193
3194       To  mask  additional specific paths in the container, specify the paths
3195       separated by a colon using the  mask  option  with  the  --security-opt
3196       flag.
3197
3198       $ podman run --security-opt mask=/foo/bar:/second/path fedora bash
3199
3200
3201
3202       To  unmask all the paths that are masked by default, set the unmask op‐
3203       tion to ALL. Or to only unmask specific paths,  specify  the  paths  as
3204       shown above with the mask option.
3205
3206       $ podman run --security-opt unmask=ALL fedora bash
3207
3208
3209
3210       To unmask all the paths that start with /proc, set the unmask option to
3211       /proc/*.
3212
3213       $ podman run --security-opt unmask=/proc/* fedora bash
3214
3215
3216       $ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
3217
3218
3219
3220   Setting device weight via --blkio-weight-device flag.
3221       $ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu
3222
3223
3224
3225   Using a podman container with input from a pipe
3226       $ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
3227       asdf
3228
3229
3230
3231   Setting automatic user namespace separated containers
3232       # podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
3233       0 2147483647      65536
3234       # podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
3235       0 2147549183      65536
3236
3237
3238
3239   Setting Namespaced Kernel Parameters (Sysctls)
3240       The --sysctl sets namespaced kernel parameters (sysctls)  in  the  con‐
3241       tainer. For example, to turn on IP forwarding in the containers network
3242       namespace, run this command:
3243
3244       $ podman run --sysctl net.ipv4.ip_forward=1 someimage
3245
3246
3247
3248       Note that not all sysctls  are  namespaced.  Podman  does  not  support
3249       changing  sysctls  inside of a container that also modify the host sys‐
3250       tem. As the kernel evolves we expect to see more sysctls become  names‐
3251       paced.
3252
3253
3254       See the definition of the --sysctl option above for the current list of
3255       supported sysctls.
3256
3257
3258   Set UID/GID mapping in a new user namespace
3259       Running a container in a new user namespace requires a mapping  of  the
3260       UIDs and GIDs from the host.
3261
3262       $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
3263
3264
3265
3266   Configuring Storage Options from the command line
3267       Podman  allows  for the configuration of storage by changing the values
3268       in the /etc/container/storage.conf or by  using  global  options.  This
3269       shows  how to set up and use fuse-overlayfs for a one-time run of busy‐
3270       box using global options.
3271
3272       podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh
3273
3274
3275
3276   Configure timezone in a container
3277       $ podman run --tz=local alpine date
3278       $ podman run --tz=Asia/Shanghai alpine date
3279       $ podman run --tz=US/Eastern alpine date
3280
3281
3282
3283   Adding dependency containers
3284       The first container, container1, is not started initially, but must  be
3285       running  before  container2  starts.  The podman run command starts the
3286       container automatically before starting container2.
3287
3288       $ podman create --name container1 -t -i fedora bash
3289       $ podman run --name container2 --requires container1 -t -i fedora bash
3290
3291
3292
3293       Multiple containers can be required.
3294
3295       $ podman create --name container1 -t -i fedora bash
3296       $ podman create --name container2 -t -i fedora bash
3297       $ podman run --name container3 --requires container1,container2 -t -i fedora bash
3298
3299
3300
3301   Configure keep supplemental groups for access to volume
3302       $ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8
3303
3304
3305
3306   Configure execution domain for containers using personality flag
3307       $ podman run --name container1 --personality=LINUX32 fedora bash
3308
3309
3310
3311   Run a container with external rootfs mounted as an overlay
3312       $ podman run --name container1 --rootfs /path/to/rootfs:O bash
3313
3314
3315
3316   Handling Timezones in java applications in a container.
3317       In order to use a timezone other than UTC when running a Java  applica‐
3318       tion within a container, the TZ environment variable must be set within
3319       the container. Java applications ignores the value set  with  the  --tz
3320       option.
3321
3322       # Example run
3323       podman run -ti --rm  -e TZ=EST mytzimage
3324       lrwxrwxrwx. 1 root root 29 Nov  3 08:51 /etc/localtime -> ../usr/share/zoneinfo/Etc/UTC
3325       Now with default timezone:
3326       Fri Nov 19 18:10:55 EST 2021
3327       Java default sees the following timezone:
3328       2021-11-19T18:10:55.651130-05:00
3329       Forcing UTC:
3330       Fri Nov 19 23:10:55 UTC 2021
3331
3332
3333
3334   Run  a  container  connected  to two networks (called net1 and net2) with a
3335       static ip
3336       $ podman run --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr
3337
3338
3339
3340   Rootless Containers
3341       Podman runs as a non-root user on most systems. This  feature  requires
3342       that  a  new  enough  version of shadow-utils be installed. The shadow-
3343       utils package must include the newuidmap(1) and  newgidmap(1)  executa‐
3344       bles.
3345
3346
3347       In  order  for  users to run rootless, there must be an entry for their
3348       username in /etc/subuid and /etc/subgid which lists the UIDs for  their
3349       user namespace.
3350
3351
3352       Rootless  Podman  works  better  if  the fuse-overlayfs and slirp4netns
3353       packages  are  installed.   The  fuse-overlayfs  package   provides   a
3354       userspace  overlay  storage driver, otherwise users need to use the vfs
3355       storage driver, which can be disk space expensive and  less  performant
3356       than other drivers.
3357
3358
3359       To enable VPN on the container, slirp4netns or pasta needs to be speci‐
3360       fied; without either, containers need to be run with the --network=host
3361       flag.
3362
3363

ENVIRONMENT

3365       Environment  variables within containers can be set using multiple dif‐
3366       ferent options, in the following order  of  precedence  (later  entries
3367       override earlier entries):
3368
3369
3370              • Container  image:  Any  environment variables specified in the
3371                container image.
3372
3373--http-proxy: By default, several  environment  variables  are
3374                passed  in from the host, such as http_proxy and no_proxy. See
3375                --http-proxy for details.
3376
3377--env-host: Host environment of the process  executing  Podman
3378                is added.
3379
3380--env-file: Any environment variables specified via env-files.
3381                If multiple files are specified, then they override each other
3382                in order of entry.
3383
3384--env:  Any environment variables specified overrides previous
3385                settings.
3386
3387
3388
3389       Run containers and set the environment ending with a *.  The trailing *
3390       glob functionality is only active when no value is specified:
3391
3392       $ export ENV1=a
3393       $ podman run --env 'ENV*' alpine env | grep ENV
3394       ENV1=a
3395       $ podman run --env 'ENV*=b' alpine env | grep ENV
3396       ENV*=b
3397
3398
3399

CONMON

3401       When Podman starts a container it actually executes the conmon program,
3402       which then executes the OCI Runtime.  Conmon is the container  monitor.
3403       It  is a small program whose job is to watch the primary process of the
3404       container, and if the container dies, save  the  exit  code.   It  also
3405       holds  open  the  tty  of  the container, so that it can be attached to
3406       later. This is what allows  Podman  to  run  in  detached  mode  (back‐
3407       grounded),  so  Podman can exit but conmon continues to run.  Each con‐
3408       tainer has their own instance of conmon. Conmon waits for the container
3409       to  exit,  gathers  and saves the exit code, and then launches a Podman
3410       process to complete the container cleanup, by shutting down the network
3411       and storage.   For more information about conmon, see the conmon(8) man
3412       page.
3413
3414

FILES

3416       /etc/subuid
3417
3418
3419       /etc/subgid
3420
3421
3422       NOTE: Use the environment variable TMPDIR to change the temporary stor‐
3423       age  location  of  downloaded  container images. Podman defaults to use
3424       /var/tmp.
3425
3426

SEE ALSO

3428       podman(1), podman-save(1), podman-ps(1), podman-attach(1),  podman-pod-
3429       create(1),  podman-port(1),  podman-start(1),  podman-kill(1),  podman-
3430       stop(1),  podman-generate-systemd(1),  podman-rm(1),  subgid(5),   sub‐
3431       uid(5),      containers.conf(5),     systemd.unit(5),     setsebool(8),
3432       slirp4netns(1), pasta(1), fuse-overlayfs(1), proc(5),  conmon(8),  per‐
3433       sonality(2)
3434
3435

HISTORY

3437       September    2018,    updated    by    Kunal   Kushwaha   <kushwaha_ku‐
3438       nal_v7@lab.ntt.co.jp>
3439
3440
3441       October 2017, converted from Docker  documentation  to  Podman  by  Dan
3442       Walsh for Podman <dwalsh@redhat.com>
3443
3444
3445       November 2015, updated by Sally O'Malley <somalley@redhat.com>
3446
3447
3448       June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
3449
3450
3451       April  2014,  Originally  compiled by William Henry <whenry@redhat.com>
3452       based on docker.com source material and internal work.
3453
3454

FOOTNOTES

3456       1: The Podman project is committed to inclusivity, a core value of open
3457       source. The master and slave mount propagation terminology used here is
3458       problematic and divisive, and needs to be changed. However, these terms
3459       are  currently  used  within the Linux kernel and must be used as-is at
3460       this time. When the kernel maintainers rectify this usage, Podman  will
3461       follow suit immediately.
3462
3463
3464
3465                                                                 podman-run(1)
Impressum