1podman-build(1)() podman-build(1)()
2
6 podman-build - Build a container image using a Containerfile
7
10 podman build [options] [context]
11 podman image build [options] [context]
14
17 podman build Builds an image using instructions from one or more Con‐
18 tainerfiles or Dockerfiles and a specified build context directory. A
19 Containerfile uses the same syntax as a Dockerfile internally. For this
20 document, a file referred to as a Containerfile can be a file named
21 either 'Containerfile' or 'Dockerfile'.
22 The build context directory can be specified as the http(s) URL of an
25 archive, git repository or Containerfile.
26 If no context directory is specified, then Podman will assume the cur‐
29 rent working directory as the build context, which should contain the
30 Containerfile.
31 Containerfiles ending with a ".in" suffix will be preprocessed via
34 CPP(1). This can be useful to decompose Containerfiles into several
35 reusable parts that can be used via CPP's #include directive. Notice,
36 a Containerfile.in file can still be used by other tools when manually
37 preprocessing them via cpp -E.
38 When the URL is an archive, the contents of the URL is downloaded to a
41 temporary location and extracted before execution.
42 When the URL is an Containerfile, the Containerfile is downloaded to a
45 temporary location.
46 When a Git repository is set as the URL, the repository is cloned
49 locally and then set as the context.
50
53 --add-host=host
54 Add a custom host-to-IP mapping (host:ip)
57 Add a line to /etc/hosts. The format is hostname:ip. The --add-host
60 option can be set multiple times.
61 --annotation=annotation
64 Add an image annotation (e.g. annotation=value) to the image metadata.
67 Can be used multiple times.
68 Note: this information is not present in Docker image formats, so it is
71 discarded when writing images in Docker formats.
72 --authfile=path
75 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
78 ers/auth.json, which is set using podman login. If the authorization
79 state is not found there, $HOME/.docker/config.json is checked, which
80 is set using docker login. (Not available for remote commands)
81 Note: You can also override the default path of the authentication file
84 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
85 ISTRY_AUTH_FILE=path
86 --build-arg=arg=value
89 Specifies a build argument and its value, which will be interpolated in
92 instructions read from the Containerfiles in the same way that environ‐
93 ment variables are, but which will not be added to environment variable
94 list in the resulting image's configuration.
95 --cache-from
98 Images to utilize as potential cache sources. Podman does not currently
101 support caching so this is a NOOP.
102 --cap-add=CAP_xxx
105 When executing RUN instructions, run the command specified in the
108 instruction with the specified capability added to its capability set.
109 Certain capabilities are granted by default; this option can be used to
110 add more.
111 --cap-drop=CAP_xxx
114 When executing RUN instructions, run the command specified in the
117 instruction with the specified capability removed from its capability
118 set. The CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER,
119 CAP_FSETID, CAP_KILL, CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_SETFCAP,
120 CAP_SETGID, CAP_SETPCAP, CAP_SETUID, and CAP_SYS_CHROOT capabilities
121 are granted by default; this option can be used to remove them.
122 If a capability is specified to both the --cap-add and --cap-drop
125 options, it will be dropped, regardless of the order in which the
126 options were given.
127 --cert-dir=path
130 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
133 istry. Default certificates directory is /etc/containers/certs.d. (Not
134 available for remote commands)
135 --cgroup-parent=path
138 Path to cgroups under which the cgroup for the container will be cre‐
141 ated. If the path is not absolute, the path is considered to be rela‐
142 tive to the cgroups path of the init process. Cgroups will be created
143 if they do not already exist.
144 --compress
147 This option is added to be aligned with other containers CLIs. Podman
150 doesn't communicate with a daemon or a remote server. Thus, compress‐
151 ing the data before sending it is irrelevant to Podman.
152 --cni-config-dir=directory
155 Location of CNI configuration files which will dictate which plugins
158 will be used to configure network interfaces and routing for containers
159 created for handling RUN instructions, if those containers will be run
160 in their own network namespaces, and networking is not disabled.
161 --cni-plugin-path=directory[:directory[:directory[...]]]
164 List of directories in which the CNI plugins which will be used for
167 configuring network namespaces can be found.
168 --cpu-period=limit
171 Limit the CPU CFS (Completely Fair Scheduler) period
174 Limit the container's CPU usage. This flag tell the kernel to restrict
177 the container's CPU usage to the period you specify.
178 --cpu-quota=limit
181 Limit the CPU CFS (Completely Fair Scheduler) quota
184 Limit the container's CPU usage. By default, containers run with the
187 full CPU resource. This flag tell the kernel to restrict the con‐
188 tainer's CPU usage to the quota you specify.
189 --cpu-shares, -c=shares
192 CPU shares (relative weight)
195 By default, all containers get the same proportion of CPU cycles. This
198 proportion can be modified by changing the container's CPU share
199 weighting relative to the weighting of all other running containers.
200 To modify the proportion from the default of 1024, use the --cpu-shares
203 flag to set the weighting to 2 or higher.
204 The proportion will only apply when CPU-intensive processes are run‐
207 ning. When tasks in one container are idle, other containers can use
208 the left-over CPU time. The actual amount of CPU time will vary depend‐
209 ing on the number of containers running on the system.
210 For example, consider three containers, one has a cpu-share of 1024 and
213 two others have a cpu-share setting of 512. When processes in all three
214 containers attempt to use 100% of CPU, the first container would
215 receive 50% of the total CPU time. If you add a fourth container with a
216 cpu-share of 1024, the first container only gets 33% of the CPU. The
217 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
218 On a multi-core system, the shares of CPU time are distributed over all
221 CPU cores. Even if a container is limited to less than 100% of CPU
222 time, it can use 100% of each individual CPU core.
223 For example, consider a system with more than three cores. If you start
226 one container {C0} with -c=512 running one process, and another con‐
227 tainer {C1} with -c=1024 running two processes, this can result in the
228 following division of CPU shares:
229 PID container CPU CPU share
232 100 {C0} 0 100% of CPU0
233 101 {C1} 1 100% of CPU1
234 102 {C1} 2 100% of CPU2
235 --cpuset-cpus=num
239 CPUs in which to allow execution (0-3, 0,1)
242 --cpuset-mems=nodes
245 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
248 tive on NUMA systems.
249 If you have four memory nodes on your system (0-3), use
252 --cpuset-mems=0,1 then processes in your container will only use memory
253 from the first two memory nodes.
254 --creds=creds
257 The [username[:password]] to use to authenticate with the registry if
260 required. If one or both values are not supplied, a command line
261 prompt will appear and the value can be entered. The password is
262 entered without echo.
263 --device=device
266 Add a host device to the container. The format is
269 <device-on-host>[:<device-on-container>][:<permissions>] (e.g.
270 --device=/dev/sdc:/dev/xvdc:rwm)
271 --disable-compression, -D
274 Don't compress filesystem layers when building the image unless it is
277 required by the location where the image is being written. This is the
278 default setting, because image layers are compressed automatically when
279 they are pushed to registries, and images being written to local stor‐
280 age would only need to be decompressed again to be stored. Compression
281 can be forced in all cases by specifying --disable-compression=false.
282 --disable-content-trust
285 This is a Docker specific option to disable image verification to a
288 Docker registry and is not supported by Podman. This flag is a NOOP
289 and provided solely for scripting compatibility.
290 --dns=dns
293 Set custom DNS servers
296 This option can be used to override the DNS configuration passed to the
299 container. Typically this is necessary when the host DNS configuration
300 is invalid for the container (e.g., 127.0.0.1). When this is the case
301 the --dns flag is necessary for every run.
302 The special value none can be specified to disable creation of
305 /etc/resolv.conf in the container by Podman. The /etc/resolv.conf file
306 in the image will be used without changes.
307 --dns-option=option
310 Set custom DNS options
313 --dns-search=domain
316 Set custom DNS search domains
319 --file, -f=Containerfile
322 Specifies a Containerfile which contains instructions for building the
325 image, either a local file or an http or https URL. If more than one
326 Containerfile is specified, FROM instructions will only be accepted
327 from the first specified file.
328 If a build context is not specified, and at least one Containerfile is
331 a local file, the directory in which it resides will be used as the
332 build context.
333 If you specify -f -, the Containerfile contents will be read from
336 stdin.
337 --force-rm=true|false
340 Always remove intermediate containers after a build, even if the build
343 fails (default false).
344 --format
347 Control the format for the built image's manifest and configuration
350 data. Recognized formats include oci (OCI image-spec v1.0, the
351 default) and docker (version 2, using schema format 2 for the mani‐
352 fest).
353 Note: You can also override the default format by setting the BUIL‐
356 DAH_FORMAT environment variable. export BUILDAH_FORMAT=docker
357 -h, --help
360 Print usage statement
363 --iidfile=ImageIDfile
366 Write the image ID to the file.
369 --ipc=how
372 Sets the configuration for IPC namespaces when handling RUN instruc‐
375 tions. The configured value can be "" (the empty string) or "con‐
376 tainer" to indicate that a new IPC namespace should be created, or it
377 can be "host" to indicate that the IPC namespace in which podman itself
378 is being run should be reused, or it can be the path to an IPC names‐
379 pace which is already in use by another process.
380 --isolation=type
383 Controls what type of isolation is used for running processes as part
386 of RUN instructions. Recognized types include oci (OCI-compatible run‐
387 time, the default), rootless (OCI-compatible runtime invoked using a
388 modified configuration and its --rootless flag enabled, with
389 --no-new-keyring --no-pivot added to its create invocation, with net‐
390 work and UTS namespaces disabled, and IPC, PID, and user namespaces
391 enabled; the default for unprivileged users), and chroot (an internal
392 wrapper that leans more toward chroot(1) than container technology).
393 Note: You can also override the default isolation type by setting the
396 BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci
397 --label=label
400 Add an image label (e.g. label=value) to the image metadata. Can be
403 used multiple times.
404 --layers
407 Cache intermediate images during the build process (Default is true).
410 Note: You can also override the default value of layers by setting the
413 BUILDAH_LAYERS environment variable. export BUILDAH_LAYERS=true
414 --logfile=filename
417 Log output which would be sent to standard output and standard error to
420 the specified file instead of to standard output and standard error.
421 --loglevel number
424 Adjust the logging level up or down. Valid option values range from -2
427 to 3, with 3 being roughly equivalent to using the global --debug
428 option, and values below 0 omitting even error messages which accompany
429 fatal errors.
430 --memory, -m=LIMIT Memory limit (format: [], where unit = b (bytes), k
433 (kilobytes), m (megabytes), or g (gigabytes))
434 Allows you to constrain the memory available to a container. If the
437 host supports swap memory, then the -m memory setting can be larger
438 than physical RAM. If a limit of 0 is specified (not using -m), the
439 container's memory is not limited. The actual limit may be rounded up
440 to a multiple of the operating system's page size (the value would be
441 very large, that's millions of trillions).
442 --memory-swap=LIMIT
445 A limit value equal to memory plus swap. Must be used with the -m
448 (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
449 ory) value. By default, the swap LIMIT will be set to double the value
450 of --memory.
451 The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
454 (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a
455 unit, b is used. Set LIMIT to -1 to enable unlimited swap.
456 --net, --network=string
459 Sets the configuration for network namespaces when handling RUN
462 instructions. The configured value can be "" (the empty string) or
463 "container" to indicate that a new network namespace should be created,
464 or it can be "host" to indicate that the network namespace in which
465 podman itself is being run should be reused, or it can be the path to a
466 network namespace which is already in use by another process.
467 --no-cache
470 Do not use existing cached images for the container build. Build from
473 the start with a new set of cached layers.
474 --pid=pid
477 Sets the configuration for PID namespaces when handling RUN instruc‐
480 tions. The configured value can be "" (the empty string) or "con‐
481 tainer" to indicate that a new PID namespace should be created, or it
482 can be "host" to indicate that the PID namespace in which podman itself
483 is being run should be reused, or it can be the path to a PID namespace
484 which is already in use by another process.
485 --platform="Linux"
488 This option has no effect on the build. Other container engines use
491 this option to control the execution platform for the build (e.g., Win‐
492 dows, Linux) which is not required for Buildah as it supports only
493 Linux.
494 --pull
497 When the flag is enabled, attempt to pull the latest image from the
500 registries listed in registries.conf if a local image does not exist or
501 the image is newer than the one in storage. Raise an error if the image
502 is not in any listed registry and is not present locally.
503 If the flag is disabled (with --pull=false), do not pull the image from
506 the registry, use only the local version. Raise an error if the image
507 is not present locally.
508 Defaults to true.
511 --pull-always
514 Pull the image from the first registry it is found in as listed in reg‐
517 istries.conf. Raise an error if not found in the registries, even if
518 the image is present locally.
519 --quiet, -q
522 Suppress output messages which indicate which instruction is being pro‐
525 cessed, and of progress when pulling images from a registry, and when
526 writing the output image.
527 --rm=true|false
530 Remove intermediate containers after a successful build (default true).
533 --runtime=path
536 The path to an alternate OCI-compatible runtime, which will be used to
539 run commands specified by the RUN instruction.
540 Note: You can also override the default runtime by setting the BUIL‐
543 DAH_RUNTIME environment variable. export BUILDAH_RUN‐
544 TIME=/usr/local/bin/runc
545 --runtime-flag=flag
548 Adds global flags for the container runtime. To list the supported
551 flags, please consult the manpages of the selected container runtime
552 (runc is the default runtime, the manpage to consult is runc(8). When
553 the machine is configured for cgroup V2, the default runtime is crun,
554 the manpage to consult is crun(8).).
555 Note: Do not pass the leading -- to the flag. To pass the runc flag
558 --log-format json to podman build, the option given would be --run‐
559 time-flag log-format=json.
560 --security-opt=option
563 Security Options
566 · apparmor=unconfined : Turn off apparmor confinement for the
569 container
570 · apparmor=your-profile : Set the apparmor confinement profile
572 for the container
573 · label=user:USER : Set the label user for the container
575 processes
576 · label=role:ROLE : Set the label role for the container
578 processes
579 · label=type:TYPE : Set the label process type for the con‐
581 tainer processes
582 · label=level:LEVEL : Set the label level for the container
584 processes
585 · label=filetype:TYPE : Set the label file type for the con‐
587 tainer files
588 · label=disable : Turn off label separation for the con‐
590 tainer
591 · seccomp=unconfined : Turn off seccomp confinement for the con‐
593 tainer
594 · seccomp=profile.json : White listed syscalls seccomp Json
596 file to be used as a seccomp filter
597 --shm-size=size
601 Size of /dev/shm. The format is <number><unit>. number must be greater
604 than 0. Unit is optional and can be b (bytes), k (kilobytes),
605 m(megabytes), or g (gigabytes). If you omit the unit, the system uses
606 bytes. If you omit the size entirely, the system uses 64m.
607 --squash
610 Squash all of the image's new layers into a single new layer; any pre‐
613 existing layers are not squashed.
614 --squash-all
617 Squash all of the new image's layers (including those inherited from a
620 base image) into a single new layer.
621 --tag, -t=imageName
624 Specifies the name which will be assigned to the resulting image if the
627 build process completes successfully. If imageName does not include a
628 registry name, the registry name localhost will be prepended to the
629 image name.
630 --target=stageName
633 Set the target build stage to build. When building a Containerfile
636 with multiple build stages, --target can be used to specify an interme‐
637 diate build stage by name as the final stage for the resulting image.
638 Commands after the target stage will be skipped.
639 --tls-verify=true|false
642 Require HTTPS and verify certificates when talking to container reg‐
645 istries (defaults to true). (Not available for remote commands)
646 --ulimit=type=soft-limit[:hard-limit]
649 Specifies resource limits to apply to processes launched when process‐
652 ing RUN instructions. This option can be specified multiple times.
653 Recognized resource types include:
654 "core": maximum core dump size (ulimit -c)
655 "cpu": maximum CPU time (ulimit -t)
656 "data": maximum size of a process's data segment (ulimit -d)
657 "fsize": maximum size of new files (ulimit -f)
658 "locks": maximum number of file locks (ulimit -x)
659 "memlock": maximum amount of locked memory (ulimit -l)
660 "msgqueue": maximum amount of data in message queues (ulimit -q)
661 "nice": niceness adjustment (nice -n, ulimit -e)
662 "nofile": maximum number of open files (ulimit -n)
663 "nproc": maximum number of processes (ulimit -u)
664 "rss": maximum size of a process's (ulimit -m)
665 "rtprio": maximum real-time scheduling priority (ulimit -r)
666 "rttime": maximum amount of real-time execution between blocking
667 syscalls
668 "sigpending": maximum number of pending signals (ulimit -i)
669 "stack": maximum stack size (ulimit -s)
670 --userns=how
673 Sets the configuration for user namespaces when handling RUN instruc‐
676 tions. The configured value can be "" (the empty string) or "con‐
677 tainer" to indicate that a new user namespace should be created, it can
678 be "host" to indicate that the user namespace in which podman itself is
679 being run should be reused, or it can be the path to an user namespace
680 which is already in use by another process.
681 --userns-uid-map=mapping
684 Directly specifies a UID mapping which should be used to set ownership,
687 at the filesystem level, on the working container's contents. Commands
688 run when handling RUN instructions will default to being run in their
689 own user namespaces, configured using the UID and GID maps.
690 Entries in this map take the form of one or more triples of a starting
693 in-container UID, a corresponding starting host-level UID, and the num‐
694 ber of consecutive IDs which the map entry represents.
695 This option overrides the remap-uids setting in the options section of
698 /etc/containers/storage.conf.
699 If this option is not specified, but a global --userns-uid-map setting
702 is supplied, settings from the global option will be used.
703 If none of --userns-uid-map-user, --userns-gid-map-group, or
706 --userns-uid-map are specified, but --userns-gid-map is specified, the
707 UID map will be set to use the same numeric values as the GID map.
708 --userns-gid-map=mapping
711 Directly specifies a GID mapping which should be used to set ownership,
714 at the filesystem level, on the working container's contents. Commands
715 run when handling RUN instructions will default to being run in their
716 own user namespaces, configured using the UID and GID maps.
717 Entries in this map take the form of one or more triples of a starting
720 in-container GID, a corresponding starting host-level GID, and the num‐
721 ber of consecutive IDs which the map entry represents.
722 This option overrides the remap-gids setting in the options section of
725 /etc/containers/storage.conf.
726 If this option is not specified, but a global --userns-gid-map setting
729 is supplied, settings from the global option will be used.
730 If none of --userns-uid-map-user, --userns-gid-map-group, or
733 --userns-gid-map are specified, but --userns-uid-map is specified, the
734 GID map will be set to use the same numeric values as the UID map.
735 --userns-uid-map-user=user
738 Specifies that a UID mapping which should be used to set ownership, at
741 the filesystem level, on the working container's contents, can be found
742 in entries in the /etc/subuid file which correspond to the specified
743 user. Commands run when handling RUN instructions will default to
744 being run in their own user namespaces, configured using the UID and
745 GID maps. If --userns-gid-map-group is specified, but
746 --userns-uid-map-user is not specified, podman will assume that the
747 specified group name is also a suitable user name to use as the default
748 setting for this option.
749 --userns-gid-map-group=group
752 Specifies that a GID mapping which should be used to set ownership, at
755 the filesystem level, on the working container's contents, can be found
756 in entries in the /etc/subgid file which correspond to the specified
757 group. Commands run when handling RUN instructions will default to
758 being run in their own user namespaces, configured using the UID and
759 GID maps. If --userns-uid-map-user is specified, but
760 --userns-gid-map-group is not specified, podman will assume that the
761 specified user name is also a suitable group name to use as the default
762 setting for this option.
763 --uts=how
766 Sets the configuration for UTS namespaces when the handling RUN
769 instructions. The configured value can be "" (the empty string) or
770 "container" to indicate that a new UTS namespace should be created, or
771 it can be "host" to indicate that the UTS namespace in which podman
772 itself is being run should be reused, or it can be the path to a UTS
773 namespace which is already in use by another process.
774 --volume, -v[=[HOST-DIR:CONTAINER-DIR[:OPTIONS]]]
777 Create a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR, Pod‐
780 man
781 bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the Podman
782 container. The OPTIONS are a comma delimited list and can be:
783 · [rw|ro]
786 · [z|Z|O]
788 · [[r]shared|[r]slave|[r]private]
790 The CONTAINER-DIR must be an absolute path such as /src/docs. The
794 HOST-DIR must be an absolute path as well. Podman bind-mounts the
795 HOST-DIR to the path you specify. For example, if you supply /foo as
796 the host path, Podman copies the contents of /foo to the container
797 filesystem on the host and bind mounts that into the container.
798 You can specify multiple -v options to mount one or more mounts to a
801 container.
802 You can add the :ro or :rw suffix to a volume to mount it read-only or
805 read-write mode, respectively. By default, the volumes are mounted
806 read-write. See examples.
807 Labeling Volume Mounts
810 Labeling systems like SELinux require that proper labels are placed on
813 volume content mounted into a container. Without a label, the security
814 system might prevent the processes running inside the container from
815 using the content. By default, Podman does not change the labels set by
816 the OS.
817 To change a label in the container context, you can add either of two
820 suffixes :z or :Z to the volume mount. These suffixes tell Podman to
821 relabel file objects on the shared volumes. The z option tells Podman
822 that two containers share the volume content. As a result, Podman
823 labels the content with a shared content label. Shared volume labels
824 allow all containers to read/write content. The Z option tells Podman
825 to label the content with a private unshared label. Only the current
826 container can use a private volume.
827 Overlay Volume Mounts
830 The :O flag tells Podman to mount the directory from the host as a tem‐
833 porary storage using the Overlay file system. The RUN command contain‐
834 ers are allowed to modify contents within the mountpoint and are stored
835 in the container storage in a separate directory. In Overlay FS terms
836 the source directory will be the lower, and the container storage
837 directory will be the upper. Modifications to the mount point are
838 destroyed when the RUN command finishes executing, similar to a tmpfs
839 mount point.
840 Any subsequent execution of RUN commands sees the original source
843 directory content, any changes from previous RUN commands no longer
844 exists.
845 One use case of the overlay mount is sharing the package cache from the
848 host into the container to allow speeding up builds.
849 Note:
852 - Overlay mounts are not currently supported in rootless mode.
855 - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
856 On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work.
857 - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running.
858 By default bind mounted volumes are private. That means any mounts done
862 inside container will not be visible on the host and vice versa. This
863 behavior can be changed by specifying a volume mount propagation prop‐
864 erty.
865 When the mount propagation policy is set to shared, any mounts com‐
868 pleted inside the container on that volume will be visible to both the
869 host and container. When the mount propagation policy is set to slave,
870 one way mount propagation is enabled and any mounts completed on the
871 host for that volume will be visible only inside of the container. To
872 control the mount propagation property of volume use the :[r]shared,
873 :[r]slave or :[r]private propagation flag. The propagation property can
874 be specified only for bind mounted volumes and not for internal volumes
875 or named volumes. For mount propagation to work on the source mount
876 point (mount point where source dir is mounted on) has to have the
877 right propagation properties. For shared volumes, the source mount
878 point has to be shared. And for slave volumes, the source mount has to
879 be either shared or slave.
880 Use df <source-dir> to determine the source mount and then use findmnt
883 -o TARGET,PROPAGATION <source-mount-dir> to determine propagation prop‐
884 erties of source mount, if findmnt utility is not available, the source
885 mount point can be determined by looking at the mount entry in
886 /proc/self/mountinfo. Look at optional fields and see if any propaga‐
887 tion properties are specified. shared:X means the mount is shared,
888 master:X means the mount is slave and if nothing is there that means
889 the mount is private.
890 To change propagation properties of a mount point use the mount com‐
893 mand. For example, to bind mount the source directory /foo do mount
894 --bind /foo /foo and mount --make-private --make-shared /foo. This will
895 convert /foo into a shared mount point. The propagation properties of
896 the source mount can be changed directly. For instance if / is the
897 source mount for /foo, then use mount --make-shared / to convert / into
898 a shared mount.
899
902 Build an image using local Containerfiles
903 $ podman build .
904 $ podman build -f Containerfile.simple .
906 $ cat /Dockerfile | podman build -f - .
908 $ podman build -f Dockerfile.simple -f Containerfile.notsosimple .
910 $ podman build -f Dockerfile.in
912 $ podman build -t imageName .
914 $ podman build --tls-verify=true -t imageName -f Dockerfile.simple .
916 $ podman build --tls-verify=false -t imageName .
918 $ podman build --runtime-flag log-format=json .
920 $ podman build --runtime-flag debug .
922 $ podman build --authfile /tmp/auths/myauths.json --cert-dir /auth --tls-verify=true --creds=username:password -t imageName -f Dockerfile.simple .
924 $ podman build --memory 40m --cpu-period 10000 --cpu-quota 50000 --ulimit nofile=1024:1028 -t imageName .
926 $ podman build --security-opt label=level:s0:c100,c200 --cgroup-parent /path/to/cgroup/parent -t imageName .
928 $ podman build --volume /home/test:/myvol:ro,Z -t imageName .
930 $ podman build -v /var/lib/yum:/var/lib/yum:O -t imageName .
932 $ podman build --layers -t imageName .
934 $ podman build --no-cache -t imageName .
936 $ podman build --layers --force-rm -t imageName .
938 $ podman build --no-cache --rm=false -t imageName .
940 Building an image using a URL, Git repo, or archive
944 The build context directory can be specified as a URL to a Container‐
945 file, a Git repository, or URL to an archive. If the URL is a Contain‐
946 erfile, it is downloaded to a temporary location and used as the con‐
947 text. When a Git repository is set as the URL, the repository is cloned
948 locally to a temporary location and then used as the context. Lastly,
949 if the URL is an archive, it is downloaded to a temporary location and
950 extracted before being used as the context.
951 Building an image using a URL to a Containerfile
954 Podman will download the Containerfile to a temporary location and then
955 use it as the build context.
956 $ podman build https://10.10.10.1/podman/Containerfile
959 Building an image using a Git repository
963 Podman will clone the specified GitHub repository to a temporary loca‐
964 tion and use it as the context. The Containerfile at the root of the
965 repository will be used and it only works if the GitHub repository is a
966 dedicated repository.
967 $ podman build git://github.com/scollier/purpletest
970 Building an image using a URL to an archive
974 Podman will fetch the archive file, decompress it, and use its contents
975 as the build context. The Containerfile at the root of the archive and
976 the rest of the archive will get used as the context of the build. If
977 you pass -f PATH/Containerfile option as well, the system will look for
978 that file inside the contents of the archive.
979 $ podman build -f dev/Containerfile https://10.10.10.1/podman/context.tar.gz
982 Note: supported compression formats are 'xz', 'bzip2', 'gzip' and
986 'identity' (no compression).
987
990 registries.conf (/etc/containers/registries.conf)
991 registries.conf is the configuration file which specifies which con‐
994 tainer registries should be consulted when completing image names which
995 do not include a registry or domain portion.
996
999 If you are using a useradd command within a Containerfile with a large
1000 UID/GID, it will create a large sparse file /var/log/lastlog. This can
1001 cause the build to hang forever. Go language does not support sparse
1002 files correctly, which can lead to some huge files being created in
1003 your container image.
1004 Solution
1007 If you are using useradd within your build script, you should pass the
1008 --no-log-init or -l option to the useradd command. This option tells
1009 useradd to stop creating the lastlog file.
1010
1013 podman(1), buildah(1), containers-registries.conf(5), crun(8), runc(8),
1014 useradd(8)
1015
1018 May 2018, Minor revisions added by Joe Doss joe@solidadmin.com
1019 ⟨mailto:joe@solidadmin.com⟩
1020 December 2017, Originally compiled by Tom Sweeney tsweeney@redhat.com
1023 ⟨mailto:tsweeney@redhat.com⟩
1024 podman-build(1)()