1podman-build(1)() podman-build(1)()
2
3
4
6 podman-build - Build a container image using a Containerfile
7
8
10 podman build [options] [context]
11
12
13 podman image build [options] [context]
14
15
17 podman build Builds an image using instructions from one or more Con‐
18 tainerfiles or Dockerfiles and a specified build context directory. A
19 Containerfile uses the same syntax as a Dockerfile internally. For this
20 document, a file referred to as a Containerfile can be a file named
21 either 'Containerfile' or 'Dockerfile'.
22
23
24 The build context directory can be specified as the http(s) URL of an
25 archive, git repository or Containerfile.
26
27
28 If no context directory is specified, then Podman will assume the cur‐
29 rent working directory as the build context, which should contain the
30 Containerfile.
31
32
33 Containerfiles ending with a ".in" suffix will be preprocessed via
34 CPP(1). This can be useful to decompose Containerfiles into several
35 reusable parts that can be used via CPP's #include directive. Notice,
36 a Containerfile.in file can still be used by other tools when manually
37 preprocessing them via cpp -E.
38
39
40 When the URL is an archive, the contents of the URL is downloaded to a
41 temporary location and extracted before execution.
42
43
44 When the URL is an Containerfile, the Containerfile is downloaded to a
45 temporary location.
46
47
48 When a Git repository is set as the URL, the repository is cloned
49 locally and then set as the context.
50
51
53 --add-host=host
54
55
56 Add a custom host-to-IP mapping (host:ip)
57
58
59 Add a line to /etc/hosts. The format is hostname:ip. The --add-host
60 option can be set multiple times.
61
62
63 --annotation=annotation
64
65
66 Add an image annotation (e.g. annotation=value) to the image metadata.
67 Can be used multiple times.
68
69
70 Note: this information is not present in Docker image formats, so it is
71 discarded when writing images in Docker formats.
72
73
74 --authfile=path
75
76
77 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
78 ers/auth.json, which is set using podman login. If the authorization
79 state is not found there, $HOME/.docker/config.json is checked, which
80 is set using docker login. (Not available for remote commands)
81
82
83 Note: You can also override the default path of the authentication file
84 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
85 ISTRY_AUTH_FILE=path
86
87
88 --build-arg=arg=value
89
90
91 Specifies a build argument and its value, which will be interpolated in
92 instructions read from the Containerfiles in the same way that environ‐
93 ment variables are, but which will not be added to environment variable
94 list in the resulting image's configuration.
95
96
97 --cache-from
98
99
100 Images to utilize as potential cache sources. Podman does not currently
101 support caching so this is a NOOP.
102
103
104 --cap-add=CAP_xxx
105
106
107 When executing RUN instructions, run the command specified in the
108 instruction with the specified capability added to its capability set.
109 Certain capabilities are granted by default; this option can be used to
110 add more.
111
112
113 --cap-drop=CAP_xxx
114
115
116 When executing RUN instructions, run the command specified in the
117 instruction with the specified capability removed from its capability
118 set. The CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER,
119 CAP_FSETID, CAP_KILL, CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_SETFCAP,
120 CAP_SETGID, CAP_SETPCAP, CAP_SETUID, and CAP_SYS_CHROOT capabilities
121 are granted by default; this option can be used to remove them.
122
123
124 If a capability is specified to both the --cap-add and --cap-drop
125 options, it will be dropped, regardless of the order in which the
126 options were given.
127
128
129 --cert-dir=path
130
131
132 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
133 istry. Default certificates directory is /etc/containers/certs.d. (Not
134 available for remote commands)
135
136
137 --cgroup-parent=path
138
139
140 Path to cgroups under which the cgroup for the container will be cre‐
141 ated. If the path is not absolute, the path is considered to be rela‐
142 tive to the cgroups path of the init process. Cgroups will be created
143 if they do not already exist.
144
145
146 --compress
147
148
149 This option is added to be aligned with other containers CLIs. Podman
150 doesn't communicate with a daemon or a remote server. Thus, compress‐
151 ing the data before sending it is irrelevant to Podman.
152
153
154 --cni-config-dir=directory
155
156
157 Location of CNI configuration files which will dictate which plugins
158 will be used to configure network interfaces and routing for containers
159 created for handling RUN instructions, if those containers will be run
160 in their own network namespaces, and networking is not disabled.
161
162
163 --cni-plugin-path=directory[:directory[:directory[...]]]
164
165
166 List of directories in which the CNI plugins which will be used for
167 configuring network namespaces can be found.
168
169
170 --cpu-period=limit
171
172
173 Limit the CPU CFS (Completely Fair Scheduler) period
174
175
176 Limit the container's CPU usage. This flag tell the kernel to restrict
177 the container's CPU usage to the period you specify.
178
179
180 --cpu-quota=limit
181
182
183 Limit the CPU CFS (Completely Fair Scheduler) quota
184
185
186 Limit the container's CPU usage. By default, containers run with the
187 full CPU resource. This flag tell the kernel to restrict the con‐
188 tainer's CPU usage to the quota you specify.
189
190
191 --cpu-shares, -c=shares
192
193
194 CPU shares (relative weight)
195
196
197 By default, all containers get the same proportion of CPU cycles. This
198 proportion can be modified by changing the container's CPU share
199 weighting relative to the weighting of all other running containers.
200
201
202 To modify the proportion from the default of 1024, use the --cpu-shares
203 flag to set the weighting to 2 or higher.
204
205
206 The proportion will only apply when CPU-intensive processes are run‐
207 ning. When tasks in one container are idle, other containers can use
208 the left-over CPU time. The actual amount of CPU time will vary depend‐
209 ing on the number of containers running on the system.
210
211
212 For example, consider three containers, one has a cpu-share of 1024 and
213 two others have a cpu-share setting of 512. When processes in all three
214 containers attempt to use 100% of CPU, the first container would
215 receive 50% of the total CPU time. If you add a fourth container with a
216 cpu-share of 1024, the first container only gets 33% of the CPU. The
217 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
218
219
220 On a multi-core system, the shares of CPU time are distributed over all
221 CPU cores. Even if a container is limited to less than 100% of CPU
222 time, it can use 100% of each individual CPU core.
223
224
225 For example, consider a system with more than three cores. If you start
226 one container {C0} with -c=512 running one process, and another con‐
227 tainer {C1} with -c=1024 running two processes, this can result in the
228 following division of CPU shares:
229
230
231 PID container CPU CPU share
232 100 {C0} 0 100% of CPU0
233 101 {C1} 1 100% of CPU1
234 102 {C1} 2 100% of CPU2
235
236
237
238 --cpuset-cpus=num
239
240
241 CPUs in which to allow execution (0-3, 0,1)
242
243
244 --cpuset-mems=nodes
245
246
247 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
248 tive on NUMA systems.
249
250
251 If you have four memory nodes on your system (0-3), use
252 --cpuset-mems=0,1 then processes in your container will only use memory
253 from the first two memory nodes.
254
255
256 --creds=creds
257
258
259 The [username[:password]] to use to authenticate with the registry if
260 required. If one or both values are not supplied, a command line
261 prompt will appear and the value can be entered. The password is
262 entered without echo.
263
264
265 --device=device
266
267
268 Add a host device to the container. The format is
269 <device-on-host>[:<device-on-container>][:<permissions>] (e.g.
270 --device=/dev/sdc:/dev/xvdc:rwm)
271
272
273 --disable-compression, -D
274
275
276 Don't compress filesystem layers when building the image unless it is
277 required by the location where the image is being written. This is the
278 default setting, because image layers are compressed automatically when
279 they are pushed to registries, and images being written to local stor‐
280 age would only need to be decompressed again to be stored. Compression
281 can be forced in all cases by specifying --disable-compression=false.
282
283
284 --disable-content-trust
285
286
287 This is a Docker specific option to disable image verification to a
288 Docker registry and is not supported by Podman. This flag is a NOOP
289 and provided solely for scripting compatibility.
290
291
292 --dns=dns
293
294
295 Set custom DNS servers
296
297
298 This option can be used to override the DNS configuration passed to the
299 container. Typically this is necessary when the host DNS configuration
300 is invalid for the container (e.g., 127.0.0.1). When this is the case
301 the --dns flag is necessary for every run.
302
303
304 The special value none can be specified to disable creation of
305 /etc/resolv.conf in the container by Podman. The /etc/resolv.conf file
306 in the image will be used without changes.
307
308
309 --dns-option=option
310
311
312 Set custom DNS options
313
314
315 --dns-search=domain
316
317
318 Set custom DNS search domains
319
320
321 --file, -f=Containerfile
322
323
324 Specifies a Containerfile which contains instructions for building the
325 image, either a local file or an http or https URL. If more than one
326 Containerfile is specified, FROM instructions will only be accepted
327 from the first specified file.
328
329
330 If a build context is not specified, and at least one Containerfile is
331 a local file, the directory in which it resides will be used as the
332 build context.
333
334
335 If you specify -f -, the Containerfile contents will be read from
336 stdin.
337
338
339 --force-rm=true|false
340
341
342 Always remove intermediate containers after a build, even if the build
343 fails (default false).
344
345
346 --format
347
348
349 Control the format for the built image's manifest and configuration
350 data. Recognized formats include oci (OCI image-spec v1.0, the
351 default) and docker (version 2, using schema format 2 for the mani‐
352 fest).
353
354
355 Note: You can also override the default format by setting the BUIL‐
356 DAH_FORMAT environment variable. export BUILDAH_FORMAT=docker
357
358
359 -h, --help
360
361
362 Print usage statement
363
364
365 --iidfile=ImageIDfile
366
367
368 Write the image ID to the file.
369
370
371 --ipc=how
372
373
374 Sets the configuration for IPC namespaces when handling RUN instruc‐
375 tions. The configured value can be "" (the empty string) or "con‐
376 tainer" to indicate that a new IPC namespace should be created, or it
377 can be "host" to indicate that the IPC namespace in which podman itself
378 is being run should be reused, or it can be the path to an IPC names‐
379 pace which is already in use by another process.
380
381
382 --isolation=type
383
384
385 Controls what type of isolation is used for running processes as part
386 of RUN instructions. Recognized types include oci (OCI-compatible run‐
387 time, the default), rootless (OCI-compatible runtime invoked using a
388 modified configuration and its --rootless flag enabled, with
389 --no-new-keyring --no-pivot added to its create invocation, with net‐
390 work and UTS namespaces disabled, and IPC, PID, and user namespaces
391 enabled; the default for unprivileged users), and chroot (an internal
392 wrapper that leans more toward chroot(1) than container technology).
393
394
395 Note: You can also override the default isolation type by setting the
396 BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci
397
398
399 --label=label
400
401
402 Add an image label (e.g. label=value) to the image metadata. Can be
403 used multiple times.
404
405
406 --layers
407
408
409 Cache intermediate images during the build process (Default is true).
410
411
412 Note: You can also override the default value of layers by setting the
413 BUILDAH_LAYERS environment variable. export BUILDAH_LAYERS=true
414
415
416 --logfile=filename
417
418
419 Log output which would be sent to standard output and standard error to
420 the specified file instead of to standard output and standard error.
421
422
423 --loglevel number
424
425
426 Adjust the logging level up or down. Valid option values range from -2
427 to 3, with 3 being roughly equivalent to using the global --debug
428 option, and values below 0 omitting even error messages which accompany
429 fatal errors.
430
431
432 --memory, -m=LIMIT Memory limit (format: [], where unit = b (bytes), k
433 (kilobytes), m (megabytes), or g (gigabytes))
434
435
436 Allows you to constrain the memory available to a container. If the
437 host supports swap memory, then the -m memory setting can be larger
438 than physical RAM. If a limit of 0 is specified (not using -m), the
439 container's memory is not limited. The actual limit may be rounded up
440 to a multiple of the operating system's page size (the value would be
441 very large, that's millions of trillions).
442
443
444 --memory-swap=LIMIT
445
446
447 A limit value equal to memory plus swap. Must be used with the -m
448 (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
449 ory) value. By default, the swap LIMIT will be set to double the value
450 of --memory.
451
452
453 The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
454 (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a
455 unit, b is used. Set LIMIT to -1 to enable unlimited swap.
456
457
458 --net, --network=string
459
460
461 Sets the configuration for network namespaces when handling RUN
462 instructions. The configured value can be "" (the empty string) or
463 "container" to indicate that a new network namespace should be created,
464 or it can be "host" to indicate that the network namespace in which
465 podman itself is being run should be reused, or it can be the path to a
466 network namespace which is already in use by another process.
467
468
469 --no-cache
470
471
472 Do not use existing cached images for the container build. Build from
473 the start with a new set of cached layers.
474
475
476 --pid=pid
477
478
479 Sets the configuration for PID namespaces when handling RUN instruc‐
480 tions. The configured value can be "" (the empty string) or "con‐
481 tainer" to indicate that a new PID namespace should be created, or it
482 can be "host" to indicate that the PID namespace in which podman itself
483 is being run should be reused, or it can be the path to a PID namespace
484 which is already in use by another process.
485
486
487 --platform="Linux"
488
489
490 This option has no effect on the build. Other container engines use
491 this option to control the execution platform for the build (e.g., Win‐
492 dows, Linux) which is not required for Buildah as it supports only
493 Linux.
494
495
496 --pull
497
498
499 When the flag is enabled, attempt to pull the latest image from the
500 registries listed in registries.conf if a local image does not exist or
501 the image is newer than the one in storage. Raise an error if the image
502 is not in any listed registry and is not present locally.
503
504
505 If the flag is disabled (with --pull=false), do not pull the image from
506 the registry, use only the local version. Raise an error if the image
507 is not present locally.
508
509
510 Defaults to true.
511
512
513 --pull-always
514
515
516 Pull the image from the first registry it is found in as listed in reg‐
517 istries.conf. Raise an error if not found in the registries, even if
518 the image is present locally.
519
520
521 --quiet, -q
522
523
524 Suppress output messages which indicate which instruction is being pro‐
525 cessed, and of progress when pulling images from a registry, and when
526 writing the output image.
527
528
529 --rm=true|false
530
531
532 Remove intermediate containers after a successful build (default true).
533
534
535 --runtime=path
536
537
538 The path to an alternate OCI-compatible runtime, which will be used to
539 run commands specified by the RUN instruction.
540
541
542 Note: You can also override the default runtime by setting the BUIL‐
543 DAH_RUNTIME environment variable. export BUILDAH_RUN‐
544 TIME=/usr/local/bin/runc
545
546
547 --runtime-flag=flag
548
549
550 Adds global flags for the container runtime. To list the supported
551 flags, please consult the manpages of the selected container runtime
552 (runc is the default runtime, the manpage to consult is runc(8). When
553 the machine is configured for cgroup V2, the default runtime is crun,
554 the manpage to consult is crun(8).).
555
556
557 Note: Do not pass the leading -- to the flag. To pass the runc flag
558 --log-format json to podman build, the option given would be --run‐
559 time-flag log-format=json.
560
561
562 --security-opt=option
563
564
565 Security Options
566
567
568 · apparmor=unconfined : Turn off apparmor confinement for the
569 container
570
571 · apparmor=your-profile : Set the apparmor confinement profile
572 for the container
573
574 · label=user:USER : Set the label user for the container
575 processes
576
577 · label=role:ROLE : Set the label role for the container
578 processes
579
580 · label=type:TYPE : Set the label process type for the con‐
581 tainer processes
582
583 · label=level:LEVEL : Set the label level for the container
584 processes
585
586 · label=filetype:TYPE : Set the label file type for the con‐
587 tainer files
588
589 · label=disable : Turn off label separation for the con‐
590 tainer
591
592 · seccomp=unconfined : Turn off seccomp confinement for the con‐
593 tainer
594
595 · seccomp=profile.json : White listed syscalls seccomp Json
596 file to be used as a seccomp filter
597
598
599
600 --shm-size=size
601
602
603 Size of /dev/shm. The format is <number><unit>. number must be greater
604 than 0. Unit is optional and can be b (bytes), k (kilobytes),
605 m(megabytes), or g (gigabytes). If you omit the unit, the system uses
606 bytes. If you omit the size entirely, the system uses 64m.
607
608
609 --squash
610
611
612 Squash all of the image's new layers into a single new layer; any pre‐
613 existing layers are not squashed.
614
615
616 --squash-all
617
618
619 Squash all of the new image's layers (including those inherited from a
620 base image) into a single new layer.
621
622
623 --tag, -t=imageName
624
625
626 Specifies the name which will be assigned to the resulting image if the
627 build process completes successfully. If imageName does not include a
628 registry name, the registry name localhost will be prepended to the
629 image name.
630
631
632 --target=stageName
633
634
635 Set the target build stage to build. When building a Containerfile
636 with multiple build stages, --target can be used to specify an interme‐
637 diate build stage by name as the final stage for the resulting image.
638 Commands after the target stage will be skipped.
639
640
641 --tls-verify=true|false
642
643
644 Require HTTPS and verify certificates when talking to container reg‐
645 istries (defaults to true). (Not available for remote commands)
646
647
648 --ulimit=type=soft-limit[:hard-limit]
649
650
651 Specifies resource limits to apply to processes launched when process‐
652 ing RUN instructions. This option can be specified multiple times.
653 Recognized resource types include:
654 "core": maximum core dump size (ulimit -c)
655 "cpu": maximum CPU time (ulimit -t)
656 "data": maximum size of a process's data segment (ulimit -d)
657 "fsize": maximum size of new files (ulimit -f)
658 "locks": maximum number of file locks (ulimit -x)
659 "memlock": maximum amount of locked memory (ulimit -l)
660 "msgqueue": maximum amount of data in message queues (ulimit -q)
661 "nice": niceness adjustment (nice -n, ulimit -e)
662 "nofile": maximum number of open files (ulimit -n)
663 "nproc": maximum number of processes (ulimit -u)
664 "rss": maximum size of a process's (ulimit -m)
665 "rtprio": maximum real-time scheduling priority (ulimit -r)
666 "rttime": maximum amount of real-time execution between blocking
667 syscalls
668 "sigpending": maximum number of pending signals (ulimit -i)
669 "stack": maximum stack size (ulimit -s)
670
671
672 --userns=how
673
674
675 Sets the configuration for user namespaces when handling RUN instruc‐
676 tions. The configured value can be "" (the empty string) or "con‐
677 tainer" to indicate that a new user namespace should be created, it can
678 be "host" to indicate that the user namespace in which podman itself is
679 being run should be reused, or it can be the path to an user namespace
680 which is already in use by another process.
681
682
683 --userns-uid-map=mapping
684
685
686 Directly specifies a UID mapping which should be used to set ownership,
687 at the filesystem level, on the working container's contents. Commands
688 run when handling RUN instructions will default to being run in their
689 own user namespaces, configured using the UID and GID maps.
690
691
692 Entries in this map take the form of one or more triples of a starting
693 in-container UID, a corresponding starting host-level UID, and the num‐
694 ber of consecutive IDs which the map entry represents.
695
696
697 This option overrides the remap-uids setting in the options section of
698 /etc/containers/storage.conf.
699
700
701 If this option is not specified, but a global --userns-uid-map setting
702 is supplied, settings from the global option will be used.
703
704
705 If none of --userns-uid-map-user, --userns-gid-map-group, or
706 --userns-uid-map are specified, but --userns-gid-map is specified, the
707 UID map will be set to use the same numeric values as the GID map.
708
709
710 --userns-gid-map=mapping
711
712
713 Directly specifies a GID mapping which should be used to set ownership,
714 at the filesystem level, on the working container's contents. Commands
715 run when handling RUN instructions will default to being run in their
716 own user namespaces, configured using the UID and GID maps.
717
718
719 Entries in this map take the form of one or more triples of a starting
720 in-container GID, a corresponding starting host-level GID, and the num‐
721 ber of consecutive IDs which the map entry represents.
722
723
724 This option overrides the remap-gids setting in the options section of
725 /etc/containers/storage.conf.
726
727
728 If this option is not specified, but a global --userns-gid-map setting
729 is supplied, settings from the global option will be used.
730
731
732 If none of --userns-uid-map-user, --userns-gid-map-group, or
733 --userns-gid-map are specified, but --userns-uid-map is specified, the
734 GID map will be set to use the same numeric values as the UID map.
735
736
737 --userns-uid-map-user=user
738
739
740 Specifies that a UID mapping which should be used to set ownership, at
741 the filesystem level, on the working container's contents, can be found
742 in entries in the /etc/subuid file which correspond to the specified
743 user. Commands run when handling RUN instructions will default to
744 being run in their own user namespaces, configured using the UID and
745 GID maps. If --userns-gid-map-group is specified, but
746 --userns-uid-map-user is not specified, podman will assume that the
747 specified group name is also a suitable user name to use as the default
748 setting for this option.
749
750
751 --userns-gid-map-group=group
752
753
754 Specifies that a GID mapping which should be used to set ownership, at
755 the filesystem level, on the working container's contents, can be found
756 in entries in the /etc/subgid file which correspond to the specified
757 group. Commands run when handling RUN instructions will default to
758 being run in their own user namespaces, configured using the UID and
759 GID maps. If --userns-uid-map-user is specified, but
760 --userns-gid-map-group is not specified, podman will assume that the
761 specified user name is also a suitable group name to use as the default
762 setting for this option.
763
764
765 --uts=how
766
767
768 Sets the configuration for UTS namespaces when the handling RUN
769 instructions. The configured value can be "" (the empty string) or
770 "container" to indicate that a new UTS namespace should be created, or
771 it can be "host" to indicate that the UTS namespace in which podman
772 itself is being run should be reused, or it can be the path to a UTS
773 namespace which is already in use by another process.
774
775
776 --volume, -v[=[HOST-DIR:CONTAINER-DIR[:OPTIONS]]]
777
778
779 Create a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR, Pod‐
780 man
781 bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the Podman
782 container. The OPTIONS are a comma delimited list and can be:
783
784
785 · [rw|ro]
786
787 · [z|Z|O]
788
789 · [[r]shared|[r]slave|[r]private]
790
791
792
793 The CONTAINER-DIR must be an absolute path such as /src/docs. The
794 HOST-DIR must be an absolute path as well. Podman bind-mounts the
795 HOST-DIR to the path you specify. For example, if you supply /foo as
796 the host path, Podman copies the contents of /foo to the container
797 filesystem on the host and bind mounts that into the container.
798
799
800 You can specify multiple -v options to mount one or more mounts to a
801 container.
802
803
804 You can add the :ro or :rw suffix to a volume to mount it read-only or
805 read-write mode, respectively. By default, the volumes are mounted
806 read-write. See examples.
807
808
809 Labeling Volume Mounts
810
811
812 Labeling systems like SELinux require that proper labels are placed on
813 volume content mounted into a container. Without a label, the security
814 system might prevent the processes running inside the container from
815 using the content. By default, Podman does not change the labels set by
816 the OS.
817
818
819 To change a label in the container context, you can add either of two
820 suffixes :z or :Z to the volume mount. These suffixes tell Podman to
821 relabel file objects on the shared volumes. The z option tells Podman
822 that two containers share the volume content. As a result, Podman
823 labels the content with a shared content label. Shared volume labels
824 allow all containers to read/write content. The Z option tells Podman
825 to label the content with a private unshared label. Only the current
826 container can use a private volume.
827
828
829 Overlay Volume Mounts
830
831
832 The :O flag tells Podman to mount the directory from the host as a tem‐
833 porary storage using the Overlay file system. The RUN command contain‐
834 ers are allowed to modify contents within the mountpoint and are stored
835 in the container storage in a separate directory. In Overlay FS terms
836 the source directory will be the lower, and the container storage
837 directory will be the upper. Modifications to the mount point are
838 destroyed when the RUN command finishes executing, similar to a tmpfs
839 mount point.
840
841
842 Any subsequent execution of RUN commands sees the original source
843 directory content, any changes from previous RUN commands no longer
844 exists.
845
846
847 One use case of the overlay mount is sharing the package cache from the
848 host into the container to allow speeding up builds.
849
850
851 Note:
852
853
854 - Overlay mounts are not currently supported in rootless mode.
855 - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
856 On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work.
857 - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running.
858
859
860
861 By default bind mounted volumes are private. That means any mounts done
862 inside container will not be visible on the host and vice versa. This
863 behavior can be changed by specifying a volume mount propagation prop‐
864 erty.
865
866
867 When the mount propagation policy is set to shared, any mounts com‐
868 pleted inside the container on that volume will be visible to both the
869 host and container. When the mount propagation policy is set to slave,
870 one way mount propagation is enabled and any mounts completed on the
871 host for that volume will be visible only inside of the container. To
872 control the mount propagation property of volume use the :[r]shared,
873 :[r]slave or :[r]private propagation flag. The propagation property can
874 be specified only for bind mounted volumes and not for internal volumes
875 or named volumes. For mount propagation to work on the source mount
876 point (mount point where source dir is mounted on) has to have the
877 right propagation properties. For shared volumes, the source mount
878 point has to be shared. And for slave volumes, the source mount has to
879 be either shared or slave.
880
881
882 Use df <source-dir> to determine the source mount and then use findmnt
883 -o TARGET,PROPAGATION <source-mount-dir> to determine propagation prop‐
884 erties of source mount, if findmnt utility is not available, the source
885 mount point can be determined by looking at the mount entry in
886 /proc/self/mountinfo. Look at optional fields and see if any propaga‐
887 tion properties are specified. shared:X means the mount is shared,
888 master:X means the mount is slave and if nothing is there that means
889 the mount is private.
890
891
892 To change propagation properties of a mount point use the mount com‐
893 mand. For example, to bind mount the source directory /foo do mount
894 --bind /foo /foo and mount --make-private --make-shared /foo. This will
895 convert /foo into a shared mount point. The propagation properties of
896 the source mount can be changed directly. For instance if / is the
897 source mount for /foo, then use mount --make-shared / to convert / into
898 a shared mount.
899
900
902 Build an image using local Containerfiles
903 $ podman build .
904
905 $ podman build -f Containerfile.simple .
906
907 $ cat /Dockerfile | podman build -f - .
908
909 $ podman build -f Dockerfile.simple -f Containerfile.notsosimple .
910
911 $ podman build -f Dockerfile.in
912
913 $ podman build -t imageName .
914
915 $ podman build --tls-verify=true -t imageName -f Dockerfile.simple .
916
917 $ podman build --tls-verify=false -t imageName .
918
919 $ podman build --runtime-flag log-format=json .
920
921 $ podman build --runtime-flag debug .
922
923 $ podman build --authfile /tmp/auths/myauths.json --cert-dir /auth --tls-verify=true --creds=username:password -t imageName -f Dockerfile.simple .
924
925 $ podman build --memory 40m --cpu-period 10000 --cpu-quota 50000 --ulimit nofile=1024:1028 -t imageName .
926
927 $ podman build --security-opt label=level:s0:c100,c200 --cgroup-parent /path/to/cgroup/parent -t imageName .
928
929 $ podman build --volume /home/test:/myvol:ro,Z -t imageName .
930
931 $ podman build -v /var/lib/yum:/var/lib/yum:O -t imageName .
932
933 $ podman build --layers -t imageName .
934
935 $ podman build --no-cache -t imageName .
936
937 $ podman build --layers --force-rm -t imageName .
938
939 $ podman build --no-cache --rm=false -t imageName .
940
941
942
943 Building an image using a URL, Git repo, or archive
944 The build context directory can be specified as a URL to a Container‐
945 file, a Git repository, or URL to an archive. If the URL is a Contain‐
946 erfile, it is downloaded to a temporary location and used as the con‐
947 text. When a Git repository is set as the URL, the repository is cloned
948 locally to a temporary location and then used as the context. Lastly,
949 if the URL is an archive, it is downloaded to a temporary location and
950 extracted before being used as the context.
951
952
953 Building an image using a URL to a Containerfile
954 Podman will download the Containerfile to a temporary location and then
955 use it as the build context.
956
957
958 $ podman build https://10.10.10.1/podman/Containerfile
959
960
961
962 Building an image using a Git repository
963 Podman will clone the specified GitHub repository to a temporary loca‐
964 tion and use it as the context. The Containerfile at the root of the
965 repository will be used and it only works if the GitHub repository is a
966 dedicated repository.
967
968
969 $ podman build git://github.com/scollier/purpletest
970
971
972
973 Building an image using a URL to an archive
974 Podman will fetch the archive file, decompress it, and use its contents
975 as the build context. The Containerfile at the root of the archive and
976 the rest of the archive will get used as the context of the build. If
977 you pass -f PATH/Containerfile option as well, the system will look for
978 that file inside the contents of the archive.
979
980
981 $ podman build -f dev/Containerfile https://10.10.10.1/podman/context.tar.gz
982
983
984
985 Note: supported compression formats are 'xz', 'bzip2', 'gzip' and
986 'identity' (no compression).
987
988
990 registries.conf (/etc/containers/registries.conf)
991
992
993 registries.conf is the configuration file which specifies which con‐
994 tainer registries should be consulted when completing image names which
995 do not include a registry or domain portion.
996
997
999 If you are using a useradd command within a Containerfile with a large
1000 UID/GID, it will create a large sparse file /var/log/lastlog. This can
1001 cause the build to hang forever. Go language does not support sparse
1002 files correctly, which can lead to some huge files being created in
1003 your container image.
1004
1005
1006 Solution
1007 If you are using useradd within your build script, you should pass the
1008 --no-log-init or -l option to the useradd command. This option tells
1009 useradd to stop creating the lastlog file.
1010
1011
1013 podman(1), buildah(1), containers-registries.conf(5), crun(8), runc(8),
1014 useradd(8)
1015
1016
1018 May 2018, Minor revisions added by Joe Doss joe@solidadmin.com
1019 ⟨mailto:joe@solidadmin.com⟩
1020
1021
1022 December 2017, Originally compiled by Tom Sweeney tsweeney@redhat.com
1023 ⟨mailto:tsweeney@redhat.com⟩
1024
1025
1026
1027 podman-build(1)()