1podman-build(1)()                                            podman-build(1)()
2
3
4

NAME

6       podman-build - Build a container image using a Containerfile
7
8

SYNOPSIS

10       podman build [options] [context]
11
12
13       podman image build [options] [context]
14
15

DESCRIPTION

17       podman  build  Builds an image using instructions from one or more Con‐
18       tainerfiles or Dockerfiles and a specified build context  directory.  A
19       Containerfile uses the same syntax as a Dockerfile internally. For this
20       document, a file referred to as a Containerfile can  be  a  file  named
21       either 'Containerfile' or 'Dockerfile'.
22
23
24       The  build  context directory can be specified as the http(s) URL of an
25       archive, git repository or Containerfile.
26
27
28       If no context directory is specified, then Podman will assume the  cur‐
29       rent  working  directory as the build context, which should contain the
30       Containerfile.
31
32
33       Containerfiles ending with a ".in"  suffix  will  be  preprocessed  via
34       CPP(1).   This  can  be useful to decompose Containerfiles into several
35       reusable parts that can be used via CPP's #include directive.   Notice,
36       a  Containerfile.in file can still be used by other tools when manually
37       preprocessing them via cpp -E.
38
39
40       When the URL is an archive, the contents of the URL is downloaded to  a
41       temporary location and extracted before execution.
42
43
44       When  the URL is an Containerfile, the Containerfile is downloaded to a
45       temporary location.
46
47
48       When a Git repository is set as  the  URL,  the  repository  is  cloned
49       locally and then set as the context.
50
51

OPTIONS

53       --add-host=host
54
55
56       Add a custom host-to-IP mapping (host:ip)
57
58
59       Add  a  line  to  /etc/hosts. The format is hostname:ip. The --add-host
60       option can be set multiple times.
61
62
63       --annotation=annotation
64
65
66       Add an image annotation (e.g. annotation=value) to the image  metadata.
67       Can be used multiple times.
68
69
70       Note: this information is not present in Docker image formats, so it is
71       discarded when writing images in Docker formats.
72
73
74       --authfile=path
75
76
77       Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
78       ers/auth.json,  which  is set using podman login.  If the authorization
79       state is not found there, $HOME/.docker/config.json is  checked,  which
80       is set using docker login. (Not available for remote commands)
81
82
83       Note: You can also override the default path of the authentication file
84       by setting the REGISTRY_AUTH_FILE  environment  variable.  export  REG‐
85       ISTRY_AUTH_FILE=path
86
87
88       --build-arg=arg=value
89
90
91       Specifies a build argument and its value, which will be interpolated in
92       instructions read from the Containerfiles in the same way that environ‐
93       ment variables are, but which will not be added to environment variable
94       list in the resulting image's configuration.
95
96
97       --cache-from
98
99
100       Images to utilize as potential cache sources. Podman does not currently
101       support caching so this is a NOOP.
102
103
104       --cap-add=CAP_xxx
105
106
107       When  executing  RUN  instructions,  run  the  command specified in the
108       instruction with the specified capability added to its capability  set.
109       Certain capabilities are granted by default; this option can be used to
110       add more.
111
112
113       --cap-drop=CAP_xxx
114
115
116       When executing RUN instructions,  run  the  command  specified  in  the
117       instruction  with  the specified capability removed from its capability
118       set.  The  CAP_AUDIT_WRITE,  CAP_CHOWN,  CAP_DAC_OVERRIDE,  CAP_FOWNER,
119       CAP_FSETID,  CAP_KILL,  CAP_MKNOD,  CAP_NET_BIND_SERVICE,  CAP_SETFCAP,
120       CAP_SETGID, CAP_SETPCAP, CAP_SETUID,  and  CAP_SYS_CHROOT  capabilities
121       are granted by default; this option can be used to remove them.
122
123
124       If  a  capability  is  specified  to  both the --cap-add and --cap-drop
125       options, it will be dropped, regardless  of  the  order  in  which  the
126       options were given.
127
128
129       --cert-dir=path
130
131
132       Use  certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
133       istry.  Default certificates directory is /etc/containers/certs.d. (Not
134       available for remote commands)
135
136
137       --cgroup-parent=path
138
139
140       Path  to  cgroups under which the cgroup for the container will be cre‐
141       ated. If the path is not absolute, the path is considered to  be  rela‐
142       tive  to  the cgroups path of the init process. Cgroups will be created
143       if they do not already exist.
144
145
146       --compress
147
148
149       This option is added to be aligned with other containers CLIs.   Podman
150       doesn't  communicate with a daemon or a remote server.  Thus, compress‐
151       ing the data before sending it is irrelevant to Podman.
152
153
154       --cni-config-dir=directory
155
156
157       Location of CNI configuration files which will  dictate  which  plugins
158       will be used to configure network interfaces and routing for containers
159       created for handling RUN instructions, if those containers will be  run
160       in their own network namespaces, and networking is not disabled.
161
162
163       --cni-plugin-path=directory[:directory[:directory[...]]]
164
165
166       List  of  directories  in  which the CNI plugins which will be used for
167       configuring network namespaces can be found.
168
169
170       --cpu-period=limit
171
172
173       Limit the CPU CFS (Completely Fair Scheduler) period
174
175
176       Limit the container's CPU usage. This flag tell the kernel to  restrict
177       the container's CPU usage to the period you specify.
178
179
180       --cpu-quota=limit
181
182
183       Limit the CPU CFS (Completely Fair Scheduler) quota
184
185
186       Limit  the  container's  CPU usage. By default, containers run with the
187       full CPU resource. This flag tell  the  kernel  to  restrict  the  con‐
188       tainer's CPU usage to the quota you specify.
189
190
191       --cpu-shares, -c=shares
192
193
194       CPU shares (relative weight)
195
196
197       By  default, all containers get the same proportion of CPU cycles. This
198       proportion can be  modified  by  changing  the  container's  CPU  share
199       weighting relative to the weighting of all other running containers.
200
201
202       To modify the proportion from the default of 1024, use the --cpu-shares
203       flag to set the weighting to 2 or higher.
204
205
206       The proportion will only apply when CPU-intensive  processes  are  run‐
207       ning.   When  tasks in one container are idle, other containers can use
208       the left-over CPU time. The actual amount of CPU time will vary depend‐
209       ing on the number of containers running on the system.
210
211
212       For example, consider three containers, one has a cpu-share of 1024 and
213       two others have a cpu-share setting of 512. When processes in all three
214       containers  attempt  to  use  100%  of  CPU,  the first container would
215       receive 50% of the total CPU time. If you add a fourth container with a
216       cpu-share  of  1024,  the first container only gets 33% of the CPU. The
217       remaining containers receive 16.5%, 16.5% and 33% of the CPU.
218
219
220       On a multi-core system, the shares of CPU time are distributed over all
221       CPU  cores.  Even  if  a  container is limited to less than 100% of CPU
222       time, it can use 100% of each individual CPU core.
223
224
225       For example, consider a system with more than three cores. If you start
226       one  container  {C0}  with -c=512 running one process, and another con‐
227       tainer {C1} with -c=1024 running two processes, this can result in  the
228       following division of CPU shares:
229
230
231              PID    container    CPU  CPU share
232              100    {C0}         0    100% of CPU0
233              101    {C1}         1    100% of CPU1
234              102    {C1}         2    100% of CPU2
235
236
237
238       --cpuset-cpus=num
239
240
241       CPUs in which to allow execution (0-3, 0,1)
242
243
244       --cpuset-mems=nodes
245
246
247       Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
248       tive on NUMA systems.
249
250
251       If  you  have  four  memory   nodes   on   your   system   (0-3),   use
252       --cpuset-mems=0,1 then processes in your container will only use memory
253       from the first two memory nodes.
254
255
256       --creds=creds
257
258
259       The [username[:password]] to use to authenticate with the  registry  if
260       required.   If  one  or  both  values  are not supplied, a command line
261       prompt will appear and the value  can  be  entered.   The  password  is
262       entered without echo.
263
264
265       --device=device
266
267
268       Add    a    host    device    to   the   container.   The   format   is
269       <device-on-host>[:<device-on-container>][:<permissions>]          (e.g.
270       --device=/dev/sdc:/dev/xvdc:rwm)
271
272
273       --disable-compression, -D
274
275
276       Don't  compress  filesystem layers when building the image unless it is
277       required by the location where the image is being written.  This is the
278       default setting, because image layers are compressed automatically when
279       they are pushed to registries, and images being written to local  stor‐
280       age would only need to be decompressed again to be stored.  Compression
281       can be forced in all cases by specifying --disable-compression=false.
282
283
284       --disable-content-trust
285
286
287       This is a Docker specific option to disable  image  verification  to  a
288       Docker  registry  and  is not supported by Podman.  This flag is a NOOP
289       and provided solely for scripting compatibility.
290
291
292       --dns=dns
293
294
295       Set custom DNS servers
296
297
298       This option can be used to override the DNS configuration passed to the
299       container.  Typically this is necessary when the host DNS configuration
300       is invalid for the container (e.g., 127.0.0.1). When this is  the  case
301       the --dns flag is necessary for every run.
302
303
304       The  special  value  none  can  be  specified  to  disable  creation of
305       /etc/resolv.conf in the container by Podman. The /etc/resolv.conf  file
306       in the image will be used without changes.
307
308
309       --dns-option=option
310
311
312       Set custom DNS options
313
314
315       --dns-search=domain
316
317
318       Set custom DNS search domains
319
320
321       --file, -f=Containerfile
322
323
324       Specifies  a Containerfile which contains instructions for building the
325       image, either a local file or an http or https URL.  If more  than  one
326       Containerfile  is  specified,  FROM  instructions will only be accepted
327       from the first specified file.
328
329
330       If a build context is not specified, and at least one Containerfile  is
331       a  local  file,  the  directory in which it resides will be used as the
332       build context.
333
334
335       If you specify -f -, the  Containerfile  contents  will  be  read  from
336       stdin.
337
338
339       --force-rm=true|false
340
341
342       Always  remove intermediate containers after a build, even if the build
343       fails (default false).
344
345
346       --format
347
348
349       Control the format for the built  image's  manifest  and  configuration
350       data.   Recognized  formats  include  oci  (OCI  image-spec  v1.0,  the
351       default) and docker (version 2, using schema format  2  for  the  mani‐
352       fest).
353
354
355       Note:  You  can  also  override the default format by setting the BUIL‐
356       DAH_FORMAT environment variable.  export BUILDAH_FORMAT=docker
357
358
359       -h, --help
360
361
362       Print usage statement
363
364
365       --iidfile=ImageIDfile
366
367
368       Write the image ID to the file.
369
370
371       --ipc=how
372
373
374       Sets the configuration for IPC namespaces when  handling  RUN  instruc‐
375       tions.   The  configured  value  can  be "" (the empty string) or "con‐
376       tainer" to indicate that a new IPC namespace should be created,  or  it
377       can be "host" to indicate that the IPC namespace in which podman itself
378       is being run should be reused, or it can be the path to an  IPC  names‐
379       pace which is already in use by another process.
380
381
382       --isolation=type
383
384
385       Controls  what  type of isolation is used for running processes as part
386       of RUN instructions.  Recognized types include oci (OCI-compatible run‐
387       time,  the  default),  rootless (OCI-compatible runtime invoked using a
388       modified  configuration  and  its   --rootless   flag   enabled,   with
389       --no-new-keyring  --no-pivot  added to its create invocation, with net‐
390       work and UTS namespaces disabled, and IPC,  PID,  and  user  namespaces
391       enabled;  the  default for unprivileged users), and chroot (an internal
392       wrapper that leans more toward chroot(1) than container technology).
393
394
395       Note: You can also override the default isolation type by  setting  the
396       BUILDAH_ISOLATION environment variable.  export BUILDAH_ISOLATION=oci
397
398
399       --label=label
400
401
402       Add  an  image  label  (e.g. label=value) to the image metadata. Can be
403       used multiple times.
404
405
406       --layers
407
408
409       Cache intermediate images during the build process (Default is true).
410
411
412       Note: You can also override the default value of layers by setting  the
413       BUILDAH_LAYERS environment variable. export BUILDAH_LAYERS=true
414
415
416       --logfile=filename
417
418
419       Log output which would be sent to standard output and standard error to
420       the specified file instead of to standard output and standard error.
421
422
423       --loglevel number
424
425
426       Adjust the logging level up or down.  Valid option values range from -2
427       to  3,  with  3  being  roughly  equivalent to using the global --debug
428       option, and values below 0 omitting even error messages which accompany
429       fatal errors.
430
431
432       --memory,  -m=LIMIT Memory limit (format: [], where unit = b (bytes), k
433       (kilobytes), m (megabytes), or g (gigabytes))
434
435
436       Allows you to constrain the memory available to  a  container.  If  the
437       host  supports  swap  memory,  then the -m memory setting can be larger
438       than physical RAM. If a limit of 0 is specified  (not  using  -m),  the
439       container's  memory  is not limited. The actual limit may be rounded up
440       to a multiple of the operating system's page size (the value  would  be
441       very large, that's millions of trillions).
442
443
444       --memory-swap=LIMIT
445
446
447       A  limit  value  equal  to  memory plus swap. Must be used with the  -m
448       (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
449       ory) value.  By default, the swap LIMIT will be set to double the value
450       of --memory.
451
452
453       The format of LIMIT is <number>[<unit>].  Unit  can  be  b  (bytes),  k
454       (kilobytes),  m  (megabytes),  or g (gigabytes). If you don't specify a
455       unit, b is used. Set LIMIT to -1 to enable unlimited swap.
456
457
458       --net, --network=string
459
460
461       Sets  the  configuration  for  network  namespaces  when  handling  RUN
462       instructions.   The  configured  value  can be "" (the empty string) or
463       "container" to indicate that a new network namespace should be created,
464       or  it  can  be  "host" to indicate that the network namespace in which
465       podman itself is being run should be reused, or it can be the path to a
466       network namespace which is already in use by another process.
467
468
469       --no-cache
470
471
472       Do  not  use existing cached images for the container build. Build from
473       the start with a new set of cached layers.
474
475
476       --pid=pid
477
478
479       Sets the configuration for PID namespaces when  handling  RUN  instruc‐
480       tions.   The  configured  value  can  be "" (the empty string) or "con‐
481       tainer" to indicate that a new PID namespace should be created,  or  it
482       can be "host" to indicate that the PID namespace in which podman itself
483       is being run should be reused, or it can be the path to a PID namespace
484       which is already in use by another process.
485
486
487       --platform="Linux"
488
489
490       This  option  has  no  effect on the build. Other container engines use
491       this option to control the execution platform for the build (e.g., Win‐
492       dows,  Linux)  which  is  not  required for Buildah as it supports only
493       Linux.
494
495
496       --pull
497
498
499       When the flag is enabled, attempt to pull the  latest  image  from  the
500       registries listed in registries.conf if a local image does not exist or
501       the image is newer than the one in storage. Raise an error if the image
502       is not in any listed registry and is not present locally.
503
504
505       If the flag is disabled (with --pull=false), do not pull the image from
506       the registry, use only the local version. Raise an error if  the  image
507       is not present locally.
508
509
510       Defaults to true.
511
512
513       --pull-always
514
515
516       Pull the image from the first registry it is found in as listed in reg‐
517       istries.conf.  Raise an error if not found in the registries,  even  if
518       the image is present locally.
519
520
521       --quiet, -q
522
523
524       Suppress output messages which indicate which instruction is being pro‐
525       cessed, and of progress when pulling images from a registry,  and  when
526       writing the output image.
527
528
529       --rm=true|false
530
531
532       Remove intermediate containers after a successful build (default true).
533
534
535       --runtime=path
536
537
538       The  path to an alternate OCI-compatible runtime, which will be used to
539       run commands specified by the RUN instruction.
540
541
542       Note: You can also override the default runtime by  setting  the  BUIL‐
543       DAH_RUNTIME      environment     variable.      export     BUILDAH_RUN‐
544       TIME=/usr/local/bin/runc
545
546
547       --runtime-flag=flag
548
549
550       Adds global flags for the container  runtime.  To  list  the  supported
551       flags,  please  consult  the manpages of the selected container runtime
552       (runc is the default runtime, the manpage to consult is runc(8).   When
553       the  machine  is configured for cgroup V2, the default runtime is crun,
554       the manpage to consult is crun(8).).
555
556
557       Note: Do not pass the leading -- to the flag. To  pass  the  runc  flag
558       --log-format  json  to  podman  build, the option given would be --run‐
559       time-flag log-format=json.
560
561
562       --security-opt=option
563
564
565       Security Options
566
567
568              · apparmor=unconfined : Turn off apparmor  confinement  for  the
569                container
570
571              · apparmor=your-profile  :  Set the apparmor confinement profile
572                for the container
573
574              · label=user:USER     : Set the label  user  for  the  container
575                processes
576
577              · label=role:ROLE      :  Set  the  label role for the container
578                processes
579
580              · label=type:TYPE     : Set the label process type for the  con‐
581                tainer processes
582
583              · label=level:LEVEL    :  Set  the label level for the container
584                processes
585
586              · label=filetype:TYPE : Set the label file  type  for  the  con‐
587                tainer files
588
589              · label=disable        :  Turn off label separation for the con‐
590                tainer
591
592              · seccomp=unconfined : Turn off seccomp confinement for the con‐
593                tainer
594
595              · seccomp=profile.json  :   White  listed  syscalls seccomp Json
596                file to be used as a seccomp filter
597
598
599
600       --shm-size=size
601
602
603       Size of /dev/shm. The format is <number><unit>. number must be  greater
604       than  0.   Unit  is  optional  and  can  be  b  (bytes), k (kilobytes),
605       m(megabytes), or g (gigabytes).  If you omit the unit, the system  uses
606       bytes. If you omit the size entirely, the system uses 64m.
607
608
609       --squash
610
611
612       Squash  all of the image's new layers into a single new layer; any pre‐
613       existing layers are not squashed.
614
615
616       --squash-all
617
618
619       Squash all of the new image's layers (including those inherited from  a
620       base image) into a single new layer.
621
622
623       --tag, -t=imageName
624
625
626       Specifies the name which will be assigned to the resulting image if the
627       build process completes successfully.  If imageName does not include  a
628       registry  name,  the  registry  name localhost will be prepended to the
629       image name.
630
631
632       --target=stageName
633
634
635       Set the target build stage to build.   When  building  a  Containerfile
636       with multiple build stages, --target can be used to specify an interme‐
637       diate build stage by name as the final stage for the  resulting  image.
638       Commands after the target stage will be skipped.
639
640
641       --tls-verify=true|false
642
643
644       Require  HTTPS  and  verify certificates when talking to container reg‐
645       istries (defaults to true). (Not available for remote commands)
646
647
648       --ulimit=type=soft-limit[:hard-limit]
649
650
651       Specifies resource limits to apply to processes launched when  process‐
652       ing  RUN  instructions.   This  option can be specified multiple times.
653       Recognized resource types include:
654         "core": maximum core dump size (ulimit -c)
655         "cpu": maximum CPU time (ulimit -t)
656         "data": maximum size of a process's data segment (ulimit -d)
657         "fsize": maximum size of new files (ulimit -f)
658         "locks": maximum number of file locks (ulimit -x)
659         "memlock": maximum amount of locked memory (ulimit -l)
660         "msgqueue": maximum amount of data in message queues (ulimit -q)
661         "nice": niceness adjustment (nice -n, ulimit -e)
662         "nofile": maximum number of open files (ulimit -n)
663         "nproc": maximum number of processes (ulimit -u)
664         "rss": maximum size of a process's (ulimit -m)
665         "rtprio": maximum real-time scheduling priority (ulimit -r)
666         "rttime": maximum amount  of  real-time  execution  between  blocking
667       syscalls
668         "sigpending": maximum number of pending signals (ulimit -i)
669         "stack": maximum stack size (ulimit -s)
670
671
672       --userns=how
673
674
675       Sets  the  configuration for user namespaces when handling RUN instruc‐
676       tions.  The configured value can be ""  (the  empty  string)  or  "con‐
677       tainer" to indicate that a new user namespace should be created, it can
678       be "host" to indicate that the user namespace in which podman itself is
679       being  run should be reused, or it can be the path to an user namespace
680       which is already in use by another process.
681
682
683       --userns-uid-map=mapping
684
685
686       Directly specifies a UID mapping which should be used to set ownership,
687       at the filesystem level, on the working container's contents.  Commands
688       run when handling RUN instructions will default to being run  in  their
689       own user namespaces, configured using the UID and GID maps.
690
691
692       Entries  in this map take the form of one or more triples of a starting
693       in-container UID, a corresponding starting host-level UID, and the num‐
694       ber of consecutive IDs which the map entry represents.
695
696
697       This  option overrides the remap-uids setting in the options section of
698       /etc/containers/storage.conf.
699
700
701       If this option is not specified, but a global --userns-uid-map  setting
702       is supplied, settings from the global option will be used.
703
704
705       If    none   of   --userns-uid-map-user,   --userns-gid-map-group,   or
706       --userns-uid-map are specified, but --userns-gid-map is specified,  the
707       UID map will be set to use the same numeric values as the GID map.
708
709
710       --userns-gid-map=mapping
711
712
713       Directly specifies a GID mapping which should be used to set ownership,
714       at the filesystem level, on the working container's contents.  Commands
715       run  when  handling RUN instructions will default to being run in their
716       own user namespaces, configured using the UID and GID maps.
717
718
719       Entries in this map take the form of one or more triples of a  starting
720       in-container GID, a corresponding starting host-level GID, and the num‐
721       ber of consecutive IDs which the map entry represents.
722
723
724       This option overrides the remap-gids setting in the options section  of
725       /etc/containers/storage.conf.
726
727
728       If  this option is not specified, but a global --userns-gid-map setting
729       is supplied, settings from the global option will be used.
730
731
732       If   none   of   --userns-uid-map-user,   --userns-gid-map-group,    or
733       --userns-gid-map  are specified, but --userns-uid-map is specified, the
734       GID map will be set to use the same numeric values as the UID map.
735
736
737       --userns-uid-map-user=user
738
739
740       Specifies that a UID mapping which should be used to set ownership,  at
741       the filesystem level, on the working container's contents, can be found
742       in entries in the /etc/subuid file which correspond  to  the  specified
743       user.   Commands  run  when  handling  RUN instructions will default to
744       being run in their own user namespaces, configured using  the  UID  and
745       GID    maps.     If    --userns-gid-map-group    is    specified,   but
746       --userns-uid-map-user is not specified, podman  will  assume  that  the
747       specified group name is also a suitable user name to use as the default
748       setting for this option.
749
750
751       --userns-gid-map-group=group
752
753
754       Specifies that a GID mapping which should be used to set ownership,  at
755       the filesystem level, on the working container's contents, can be found
756       in entries in the /etc/subgid file which correspond  to  the  specified
757       group.   Commands  run  when  handling RUN instructions will default to
758       being run in their own user namespaces, configured using  the  UID  and
759       GID    maps.     If    --userns-uid-map-user    is    specified,    but
760       --userns-gid-map-group is not specified, podman will  assume  that  the
761       specified user name is also a suitable group name to use as the default
762       setting for this option.
763
764
765       --uts=how
766
767
768       Sets the  configuration  for  UTS  namespaces  when  the  handling  RUN
769       instructions.   The  configured  value  can be "" (the empty string) or
770       "container" to indicate that a new UTS namespace should be created,  or
771       it  can  be  "host"  to indicate that the UTS namespace in which podman
772       itself is being run should be reused, or it can be the path  to  a  UTS
773       namespace which is already in use by another process.
774
775
776       --volume, -v[=[HOST-DIR:CONTAINER-DIR[:OPTIONS]]]
777
778
779       Create  a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR, Pod‐
780       man
781          bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the Podman
782          container. The OPTIONS are a comma delimited list and can be:
783
784
785              · [rw|ro]
786
787              · [z|Z|O]
788
789              · [[r]shared|[r]slave|[r]private]
790
791
792
793       The CONTAINER-DIR must be an  absolute  path  such  as  /src/docs.  The
794       HOST-DIR  must  be  an  absolute  path  as well. Podman bind-mounts the
795       HOST-DIR to the path you specify. For example, if you  supply  /foo  as
796       the  host  path,  Podman  copies  the contents of /foo to the container
797       filesystem on the host and bind mounts that into the container.
798
799
800       You can specify multiple  -v options to mount one or more mounts  to  a
801       container.
802
803
804       You  can add the :ro or :rw suffix to a volume to mount it read-only or
805       read-write mode, respectively. By  default,  the  volumes  are  mounted
806       read-write.  See examples.
807
808
809       Labeling Volume Mounts
810
811
812       Labeling  systems like SELinux require that proper labels are placed on
813       volume content mounted into a container. Without a label, the  security
814       system  might  prevent  the processes running inside the container from
815       using the content. By default, Podman does not change the labels set by
816       the OS.
817
818
819       To  change  a label in the container context, you can add either of two
820       suffixes :z or :Z to the volume mount. These suffixes  tell  Podman  to
821       relabel  file  objects on the shared volumes. The z option tells Podman
822       that two containers share the  volume  content.  As  a  result,  Podman
823       labels  the  content  with a shared content label. Shared volume labels
824       allow all containers to read/write content.  The Z option tells  Podman
825       to  label  the content with a private unshared label.  Only the current
826       container can use a private volume.
827
828
829       Overlay Volume Mounts
830
831
832       The :O flag tells Podman to mount the directory from the host as a tem‐
833       porary  storage using the Overlay file system. The RUN command contain‐
834       ers are allowed to modify contents within the mountpoint and are stored
835       in  the container storage in a separate directory.  In Overlay FS terms
836       the source directory will be  the  lower,  and  the  container  storage
837       directory  will  be  the  upper.  Modifications  to the mount point are
838       destroyed when the RUN command finishes executing, similar to  a  tmpfs
839       mount point.
840
841
842       Any  subsequent  execution  of  RUN  commands  sees the original source
843       directory content, any changes from previous  RUN  commands  no  longer
844       exists.
845
846
847       One use case of the overlay mount is sharing the package cache from the
848       host into the container to allow speeding up builds.
849
850
851       Note:
852
853
854               - Overlay mounts are not currently supported in rootless mode.
855               - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
856                 On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work.
857               - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures.  It is recommended that you do not modify the directory until the container finishes running.
858
859
860
861       By default bind mounted volumes are private. That means any mounts done
862       inside  container  will not be visible on the host and vice versa. This
863       behavior can be changed by specifying a volume mount propagation  prop‐
864       erty.
865
866
867       When  the  mount  propagation  policy is set to shared, any mounts com‐
868       pleted inside the container on that volume will be visible to both  the
869       host  and container. When the mount propagation policy is set to slave,
870       one way mount propagation is enabled and any mounts  completed  on  the
871       host  for that volume will be visible only inside of the container.  To
872       control the mount propagation property of volume  use  the  :[r]shared,
873       :[r]slave or :[r]private propagation flag. The propagation property can
874       be specified only for bind mounted volumes and not for internal volumes
875       or  named  volumes.  For  mount propagation to work on the source mount
876       point (mount point where source dir is mounted  on)  has  to  have  the
877       right  propagation  properties.  For  shared  volumes, the source mount
878       point has to be shared. And for slave volumes, the source mount has  to
879       be either shared or slave.
880
881
882       Use  df <source-dir> to determine the source mount and then use findmnt
883       -o TARGET,PROPAGATION <source-mount-dir> to determine propagation prop‐
884       erties of source mount, if findmnt utility is not available, the source
885       mount point can  be  determined  by  looking  at  the  mount  entry  in
886       /proc/self/mountinfo.  Look  at optional fields and see if any propaga‐
887       tion properties are specified.  shared:X means  the  mount  is  shared,
888       master:X  means  the  mount is slave and if nothing is there that means
889       the mount is private.
890
891
892       To change propagation properties of a mount point use  the  mount  com‐
893       mand.  For  example,  to  bind mount the source directory /foo do mount
894       --bind /foo /foo and mount --make-private --make-shared /foo. This will
895       convert  /foo into a shared mount point.  The propagation properties of
896       the source mount can be changed directly. For  instance  if  /  is  the
897       source mount for /foo, then use mount --make-shared / to convert / into
898       a shared mount.
899
900

EXAMPLES

902   Build an image using local Containerfiles
903              $ podman build .
904
905              $ podman build -f Containerfile.simple .
906
907              $ cat  /Dockerfile | podman build -f - .
908
909              $ podman build -f Dockerfile.simple -f Containerfile.notsosimple .
910
911              $ podman build -f Dockerfile.in
912
913              $ podman build -t imageName .
914
915              $ podman build --tls-verify=true -t imageName -f Dockerfile.simple .
916
917              $ podman build --tls-verify=false -t imageName .
918
919              $ podman build --runtime-flag log-format=json .
920
921              $ podman build --runtime-flag debug .
922
923              $ podman build --authfile /tmp/auths/myauths.json --cert-dir  /auth --tls-verify=true --creds=username:password -t imageName -f Dockerfile.simple .
924
925              $ podman build --memory 40m --cpu-period 10000 --cpu-quota 50000 --ulimit nofile=1024:1028 -t imageName .
926
927              $ podman build --security-opt label=level:s0:c100,c200 --cgroup-parent /path/to/cgroup/parent -t imageName .
928
929              $ podman build --volume /home/test:/myvol:ro,Z -t imageName .
930
931              $ podman build -v /var/lib/yum:/var/lib/yum:O -t imageName .
932
933              $ podman build --layers -t imageName .
934
935              $ podman build --no-cache -t imageName .
936
937              $ podman build --layers --force-rm -t imageName .
938
939              $ podman build --no-cache --rm=false -t imageName .
940
941
942
943   Building an image using a URL, Git repo, or archive
944       The build context directory can be specified as a URL to  a  Container‐
945       file,  a Git repository, or URL to an archive. If the URL is a Contain‐
946       erfile, it is downloaded to a temporary location and used as  the  con‐
947       text. When a Git repository is set as the URL, the repository is cloned
948       locally to a temporary location and then used as the  context.  Lastly,
949       if  the URL is an archive, it is downloaded to a temporary location and
950       extracted before being used as the context.
951
952
953   Building an image using a URL to a Containerfile
954       Podman will download the Containerfile to a temporary location and then
955       use it as the build context.
956
957
958              $ podman build https://10.10.10.1/podman/Containerfile
959
960
961
962   Building an image using a Git repository
963       Podman  will clone the specified GitHub repository to a temporary loca‐
964       tion and use it as the context. The Containerfile at the  root  of  the
965       repository will be used and it only works if the GitHub repository is a
966       dedicated repository.
967
968
969              $ podman build git://github.com/scollier/purpletest
970
971
972
973   Building an image using a URL to an archive
974       Podman will fetch the archive file, decompress it, and use its contents
975       as  the build context. The Containerfile at the root of the archive and
976       the rest of the archive will get used as the context of the  build.  If
977       you pass -f PATH/Containerfile option as well, the system will look for
978       that file inside the contents of the archive.
979
980
981              $ podman build -f dev/Containerfile https://10.10.10.1/podman/context.tar.gz
982
983
984
985       Note: supported compression  formats  are  'xz',  'bzip2',  'gzip'  and
986       'identity' (no compression).
987
988

Files

990       registries.conf (/etc/containers/registries.conf)
991
992
993       registries.conf  is  the  configuration file which specifies which con‐
994       tainer registries should be consulted when completing image names which
995       do not include a registry or domain portion.
996
997

Troubleshooting

999       If  you are using a useradd command within a Containerfile with a large
1000       UID/GID, it will create a large sparse file /var/log/lastlog.  This can
1001       cause  the  build to hang forever.  Go language does not support sparse
1002       files correctly, which can lead to some huge  files  being  created  in
1003       your container image.
1004
1005
1006   Solution
1007       If  you are using useradd within your build script, you should pass the
1008       --no-log-init or -l option to the useradd command.  This  option  tells
1009       useradd to stop creating the lastlog file.
1010
1011

SEE ALSO

1013       podman(1), buildah(1), containers-registries.conf(5), crun(8), runc(8),
1014       useradd(8)
1015
1016

HISTORY

1018       May  2018,  Minor  revisions  added  by  Joe  Doss   joe@solidadmin.com
1019       ⟨mailto:joe@solidadmin.com⟩
1020
1021
1022       December  2017,  Originally compiled by Tom Sweeney tsweeney@redhat.com
1023       ⟨mailto:tsweeney@redhat.com⟩
1024
1025
1026
1027                                                             podman-build(1)()
Impressum