1buildah-from(1) General Commands Manual buildah-from(1)
2
3
4
6 buildah-from - Creates a new working container, either from scratch or
7 using a specified image as a starting point.
8
9
11 buildah from [options] image
12
13
15 Creates a working container based upon the specified image name. If
16 the supplied image name is "scratch" a new empty container is created.
17 Image names use a "transport":"details" format.
18
19
20 Multiple transports are supported:
21
22
23 dir:path
24 An existing local directory path containing the manifest, layer tar‐
25 balls, and signatures in individual files. This is a non-standardized
26 format, primarily useful for debugging or noninvasive image inspection.
27
28
29 docker://docker-reference (Default)
30 An image in a registry implementing the "Docker Registry HTTP API
31 V2". By default, uses the authorization state in $XDG\_RUN‐
32 TIME\_DIR/containers/auth.json, which is set using (buildah login). If
33 the authorization state is not found there, $HOME/.docker/config.json
34 is checked, which is set using (docker login).
35 If docker-reference does not include a registry name, localhost will
36 be consulted first, followed by any registries named in the registries
37 configuration.
38
39
40 docker-archive:path
41 An image is retrieved as a docker load formatted file.
42
43
44 docker-daemon:docker-reference
45 An image docker-reference stored in the docker daemon's internal
46 storage. docker-reference must include either a tag or a digest.
47 Alternatively, when reading images, the format can also be docker-dae‐
48 mon:algo:digest (an image ID).
49
50
51 oci:path:tag**
52 An image tag in a directory compliant with "Open Container Image Lay‐
53 out Specification" at path.
54
55
56 oci-archive:path:tag
57 An image tag in a directory compliant with "Open Container Image Lay‐
58 out Specification" at path.
59
60
61 DEPENDENCIES
62 Buildah resolves the path to the registry to pull from by using the
63 /etc/containers/registries.conf file, registries.conf(5). If the buil‐
64 dah from command fails with an "image not known" error, first verify
65 that the registries.conf file is installed and configured appropri‐
66 ately.
67
68
70 The container ID of the container that was created. On error 1 is
71 returned.
72
73
75 --add-host=[]
76
77
78 Add a custom host-to-IP mapping (host:ip)
79
80
81 Add a line to /etc/hosts. The format is hostname:ip. The --add-host
82 option can be set multiple times.
83
84
85 --authfile path
86
87
88 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
89 ers/auth.json, which is set using buildah login. If the authorization
90 state is not found there, $HOME/.docker/config.json is checked, which
91 is set using docker login.
92
93
94 --cap-add=CAP_xxx
95
96
97 Add the specified capability to the default set of capabilities which
98 will be supplied for subsequent buildah run invocations which use this
99 container. Certain capabilities are granted by default; this option
100 can be used to add more.
101
102
103 --cap-drop=CAP_xxx
104
105
106 Remove the specified capability from the default set of capabilities
107 which will be supplied for subsequent buildah run invocations which use
108 this container. The CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE,
109 CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_MKNOD, CAP_NET_BIND_SERVICE,
110 CAP_SETFCAP, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, and CAP_SYS_CHROOT
111 capabilities are granted by default; this option can be used to remove
112 them.
113
114
115 If a capability is specified to both the --cap-add and --cap-drop
116 options, it will be dropped, regardless of the order in which the
117 options were given.
118
119
120 --cert-dir path
121
122
123 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
124 istry. The default certificates directory is /etc/containers/certs.d.
125
126
127 --cgroup-parent=""
128
129
130 Path to cgroups under which the cgroup for the container will be cre‐
131 ated. If the path is not absolute, the path is considered to be rela‐
132 tive to the cgroups path of the init process. Cgroups will be created
133 if they do not already exist.
134
135
136 --cidfile ContainerIDFile
137
138
139 Write the container ID to the file.
140
141
142 --cni-config-dir=directory
143
144
145 Location of CNI configuration files which will dictate which plugins
146 will be used to configure network interfaces and routing when the con‐
147 tainer is subsequently used for buildah run, if processes to be started
148 will be run in their own network namespaces, and networking is not dis‐
149 abled.
150
151
152 --cni-plugin-path=directory[:directory[:directory[...]]]
153
154
155 List of directories in which the CNI plugins which will be used for
156 configuring network namespaces can be found.
157
158
159 --cpu-period=0
160
161
162 Limit the CPU CFS (Completely Fair Scheduler) period
163
164
165 Limit the container's CPU usage. This flag tell the kernel to restrict
166 the container's CPU usage to the period you specify.
167
168
169 --cpu-quota=0
170
171
172 Limit the CPU CFS (Completely Fair Scheduler) quota
173
174
175 Limit the container's CPU usage. By default, containers run with the
176 full CPU resource. This flag tell the kernel to restrict the con‐
177 tainer's CPU usage to the quota you specify.
178
179
180 --cpu-shares, -c=0
181
182
183 CPU shares (relative weight)
184
185
186 By default, all containers get the same proportion of CPU cycles. This
187 proportion can be modified by changing the container's CPU share
188 weighting relative to the weighting of all other running containers.
189
190
191 To modify the proportion from the default of 1024, use the --cpu-shares
192 flag to set the weighting to 2 or higher.
193
194
195 The proportion will only apply when CPU-intensive processes are run‐
196 ning. When tasks in one container are idle, other containers can use
197 the left-over CPU time. The actual amount of CPU time will vary depend‐
198 ing on the number of containers running on the system.
199
200
201 For example, consider three containers, one has a cpu-share of 1024 and
202 two others have a cpu-share setting of 512. When processes in all three
203 containers attempt to use 100% of CPU, the first container would
204 receive 50% of the total CPU time. If you add a fourth container with a
205 cpu-share of 1024, the first container only gets 33% of the CPU. The
206 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
207
208
209 On a multi-core system, the shares of CPU time are distributed over all
210 CPU cores. Even if a container is limited to less than 100% of CPU
211 time, it can use 100% of each individual CPU core.
212
213
214 For example, consider a system with more than three cores. If you start
215 one container {C0} with -c=512 running one process, and another con‐
216 tainer {C1} with -c=1024 running two processes, this can result in the
217 following division of CPU shares:
218
219
220 PID container CPU CPU share
221 100 {C0} 0 100% of CPU0
222 101 {C1} 1 100% of CPU1
223 102 {C1} 2 100% of CPU2
224
225
226
227 --cpuset-cpus=""
228
229
230 CPUs in which to allow execution (0-3, 0,1)
231
232
233 --cpuset-mems=""
234
235
236 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
237 tive on NUMA systems.
238
239
240 If you have four memory nodes on your system (0-3), use
241 --cpuset-mems=0,1 then processes in your container will only use memory
242 from the first two memory nodes.
243
244
245 --creds creds
246
247
248 The [username[:password]] to use to authenticate with the registry if
249 required. If one or both values are not supplied, a command line
250 prompt will appear and the value can be entered. The password is
251 entered without echo.
252
253
254 --device=device
255
256
257 Add a host device or devices under a directory to the container. The
258 format is <device-on-host>[:<device-on-container>][:<permissions>]
259 (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
260
261
262 --dns=[]
263
264
265 Set custom DNS servers
266
267
268 This option can be used to override the DNS configuration passed to the
269 container. Typically this is necessary when the host DNS configuration
270 is invalid for the container (e.g., 127.0.0.1). When this is the case
271 the --dns flag is necessary for every run.
272
273
274 The special value none can be specified to disable creation of
275 /etc/resolv.conf in the container by Buildah. The /etc/resolv.conf file
276 in the image will be used without changes.
277
278
279 --dns-option=[]
280
281
282 Set custom DNS options
283
284
285 --dns-search=[]
286
287
288 Set custom DNS search domains
289
290
291 --http-proxy
292
293
294 By default proxy environment variables are passed into the container if
295 set for the Buildah process. This can be disabled by setting the
296 --http-proxy option to false. The environment variables passed in
297 include http_proxy, https_proxy, ftp_proxy, no_proxy, and also the
298 upper case versions of those.
299
300
301 Defaults to true
302
303
304 --ipc how
305
306
307 Sets the configuration for IPC namespaces when the container is subse‐
308 quently used for buildah run. The configured value can be "" (the
309 empty string) or "container" to indicate that a new IPC namespace
310 should be created, or it can be "host" to indicate that the IPC names‐
311 pace in which Buildah itself is being run should be reused, or it can
312 be the path to an IPC namespace which is already in use by another
313 process.
314
315
316 --isolation type
317
318
319 Controls what type of isolation is used for running processes under
320 buildah run. Recognized types include oci (OCI-compatible runtime, the
321 default), rootless (OCI-compatible runtime invoked using a modified
322 configuration, with --no-new-keyring added to its create invocation,
323 with network and UTS namespaces disabled, and IPC, PID, and user names‐
324 paces enabled; the default for unprivileged users), and chroot (an
325 internal wrapper that leans more toward chroot(1) than container tech‐
326 nology).
327
328
329 Note: You can also override the default isolation type by setting the
330 BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci
331
332
333 --memory, -m=""
334
335
336 Memory limit (format: [], where unit = b, k, m or g)
337
338
339 Allows you to constrain the memory available to a container. If the
340 host supports swap memory, then the -m memory setting can be larger
341 than physical RAM. If a limit of 0 is specified (not using -m), the
342 container's memory is not limited. The actual limit may be rounded up
343 to a multiple of the operating system's page size (the value would be
344 very large, that's millions of trillions).
345
346
347 --memory-swap="LIMIT"
348
349
350 A limit value equal to memory plus swap. Must be used with the -m
351 (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
352 ory) value. By default, the swap LIMIT will be set to double the value
353 of --memory.
354
355
356 The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
357 (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a
358 unit, b is used. Set LIMIT to -1 to enable unlimited swap.
359
360
361 --name name
362
363
364 A name for the working container
365
366
367 --net how --network how
368
369
370 Sets the configuration for network namespaces when the container is
371 subsequently used for buildah run. The configured value can be "" (the
372 empty string) or "container" to indicate that a new network namespace
373 should be created, or it can be "host" to indicate that the network
374 namespace in which Buildah itself is being run should be reused, or it
375 can be the path to a network namespace which is already in use by
376 another process.
377
378
379 --pid how
380
381
382 Sets the configuration for PID namespaces when the container is subse‐
383 quently used for buildah run. The configured value can be "" (the
384 empty string) or "container" to indicate that a new PID namespace
385 should be created, or it can be "host" to indicate that the PID names‐
386 pace in which Buildah itself is being run should be reused, or it can
387 be the path to a PID namespace which is already in use by another
388 process.
389
390
391 --pull
392
393
394 When the flag is enabled, attempt to pull the latest image from the
395 registries listed in registries.conf if a local image does not exist or
396 the image is newer than the one in storage. Raise an error if the image
397 is not in any listed registry and is not present locally.
398
399
400 If the flag is disabled (with --pull=false), do not pull the image from
401 the registry, use only the local version. Raise an error if the image
402 is not present locally.
403
404
405 Defaults to true.
406
407
408 --pull-always
409
410
411 Pull the image from the first registry it is found in as listed in reg‐
412 istries.conf. Raise an error if not found in the registries, even if
413 the image is present locally.
414
415
416 --pull-never
417
418
419 Do not pull the image from the registry, use only the local version.
420 Raise an error if the image is not present locally.
421
422
423 --quiet, -q
424
425
426 If an image needs to be pulled from the registry, suppress progress
427 output.
428
429
430 --security-opt=[]
431
432
433 Security Options
434
435
436 "label=user:USER" : Set the label user for the container
437 "label=role:ROLE" : Set the label role for the container
438 "label=type:TYPE" : Set the label type for the container
439 "label=level:LEVEL" : Set the label level for the container
440 "label=disable" : Turn off label confinement for the container
441 "no-new-privileges" : Not supported
442
443
444 "seccomp=unconfined" : Turn off seccomp confinement for the container
445 "seccomp=profile.json : White listed syscalls seccomp Json file to
446 be used as a seccomp filter
447
448
449 "apparmor=unconfined" : Turn off apparmor confinement for the container
450 "apparmor=your-profile" : Set the apparmor confinement profile for
451 the container
452
453
454 --shm-size=""
455
456
457 Size of /dev/shm. The format is <number><unit>. number must be greater
458 than 0. Unit is optional and can be b (bytes), k (kilobytes),
459 m(megabytes), or g (gigabytes). If you omit the unit, the system uses
460 bytes. If you omit the size entirely, the system uses 64m.
461
462
463 --tls-verify bool-value
464
465
466 Require HTTPS and verify certificates when talking to container reg‐
467 istries (defaults to true)
468
469
470 --ulimit type=soft-limit[:hard-limit]
471
472
473 Specifies resource limits to apply to processes launched during buildah
474 run. This option can be specified multiple times. Recognized resource
475 types include:
476 "core": maximum core dump size (ulimit -c)
477 "cpu": maximum CPU time (ulimit -t)
478 "data": maximum size of a process's data segment (ulimit -d)
479 "fsize": maximum size of new files (ulimit -f)
480 "locks": maximum number of file locks (ulimit -x)
481 "memlock": maximum amount of locked memory (ulimit -l)
482 "msgqueue": maximum amount of data in message queues (ulimit -q)
483 "nice": niceness adjustment (nice -n, ulimit -e)
484 "nofile": maximum number of open files (ulimit -n)
485 "nofile": maximum number of open files (1048576); when run by root
486 "nproc": maximum number of processes (ulimit -u)
487 "nproc": maximum number of processes (1048576); when run by root
488 "rss": maximum size of a process's (ulimit -m)
489 "rtprio": maximum real-time scheduling priority (ulimit -r)
490 "rttime": maximum amount of real-time execution between blocking
491 syscalls
492 "sigpending": maximum number of pending signals (ulimit -i)
493 "stack": maximum stack size (ulimit -s)
494
495
496 --userns how
497
498
499 Sets the configuration for user namespaces when the container is subse‐
500 quently used for buildah run. The configured value can be "" (the
501 empty string) or "container" to indicate that a new user namespace
502 should be created, it can be "host" to indicate that the user namespace
503 in which Buildah itself is being run should be reused, or it can be the
504 path to an user namespace which is already in use by another process.
505
506
507 --userns-uid-map mapping
508
509
510 Directly specifies a UID mapping which should be used to set ownership,
511 at the filesystem level, on the container's contents. Commands run
512 using buildah run will default to being run in their own user names‐
513 paces, configured using the UID and GID maps.
514
515
516 Entries in this map take the form of one or more triples of a starting
517 in-container UID, a corresponding starting host-level UID, and the num‐
518 ber of consecutive IDs which the map entry represents.
519
520
521 This option overrides the remap-uids setting in the options section of
522 /etc/containers/storage.conf.
523
524
525 If this option is not specified, but a global --userns-uid-map setting
526 is supplied, settings from the global option will be used.
527
528
529 If none of --userns-uid-map-user, --userns-gid-map-group, or
530 --userns-uid-map are specified, but --userns-gid-map is specified, the
531 UID map will be set to use the same numeric values as the GID map.
532
533
534 --userns-gid-map mapping
535
536
537 Directly specifies a GID mapping which should be used to set ownership,
538 at the filesystem level, on the container's contents. Commands run
539 using buildah run will default to being run in their own user names‐
540 paces, configured using the UID and GID maps.
541
542
543 Entries in this map take the form of one or more triples of a starting
544 in-container GID, a corresponding starting host-level GID, and the num‐
545 ber of consecutive IDs which the map entry represents.
546
547
548 This option overrides the remap-gids setting in the options section of
549 /etc/containers/storage.conf.
550
551
552 If this option is not specified, but a global --userns-gid-map setting
553 is supplied, settings from the global option will be used.
554
555
556 If none of --userns-uid-map-user, --userns-gid-map-group, or
557 --userns-gid-map are specified, but --userns-uid-map is specified, the
558 GID map will be set to use the same numeric values as the UID map.
559
560
561 --userns-uid-map-user user
562
563
564 Specifies that a UID mapping which should be used to set ownership, at
565 the filesystem level, on the container's contents, can be found in
566 entries in the /etc/subuid file which correspond to the specified user.
567 Commands run using buildah run will default to being run in their own
568 user namespaces, configured using the UID and GID maps. If
569 --userns-gid-map-group is specified, but --userns-uid-map-user is not
570 specified, Buildah will assume that the specified group name is also a
571 suitable user name to use as the default setting for this option.
572
573
574 --userns-gid-map-group group
575
576
577 Specifies that a GID mapping which should be used to set ownership, at
578 the filesystem level, on the container's contents, can be found in
579 entries in the /etc/subgid file which correspond to the specified
580 group. Commands run using buildah run will default to being run in
581 their own user namespaces, configured using the UID and GID maps. If
582 --userns-uid-map-user is specified, but --userns-gid-map-group is not
583 specified, Buildah will assume that the specified user name is also a
584 suitable group name to use as the default setting for this option.
585
586
587 --uts how
588
589
590 Sets the configuration for UTS namespaces when the container is subse‐
591 quently used for buildah run. The configured value can be "" (the
592 empty string) or "container" to indicate that a new UTS namespace
593 should be created, or it can be "host" to indicate that the UTS names‐
594 pace in which Buildah itself is being run should be reused, or it can
595 be the path to a UTS namespace which is already in use by another
596 process.
597
598
599 --volume, -v[=[HOST-DIR:CONTAINER-DIR[:OPTIONS]]]
600
601
602 Create a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR, Buil‐
603 dah
604 bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the Buildah
605 container. The OPTIONS are a comma delimited list and can be:
606
607
608 · [rw|ro]
609
610 · [z|Z|O]
611
612 · [[r]shared|[r]slave|[r]private|[r]unbindable]
613
614
615
616 The CONTAINER-DIR must be an absolute path such as /src/docs. The
617 HOST-DIR must be an absolute path as well. Buildah bind-mounts the
618 HOST-DIR to the path you specify. For example, if you supply /foo as
619 the host path, Buildah copies the contents of /foo to the container
620 filesystem on the host and bind mounts that into the container.
621
622
623 You can specify multiple -v options to mount one or more mounts to a
624 container.
625
626
627 You can add the :ro or :rw suffix to a volume to mount it read-only or
628 read-write mode, respectively. By default, the volumes are mounted
629 read-write. See examples.
630
631
632 Labeling Volume Mounts
633
634
635 Labeling systems like SELinux require that proper labels are placed on
636 volume content mounted into a container. Without a label, the security
637 system might prevent the processes running inside the container from
638 using the content. By default, Buildah does not change the labels set
639 by the OS.
640
641
642 To change a label in the container context, you can add either of two
643 suffixes :z or :Z to the volume mount. These suffixes tell Buildah to
644 relabel file objects on the shared volumes. The z option tells Buildah
645 that two containers share the volume content. As a result, Buildah
646 labels the content with a shared content label. Shared volume labels
647 allow all containers to read/write content. The Z option tells Buildah
648 to label the content with a private unshared label. Only the current
649 container can use a private volume.
650
651
652 Overlay Volume Mounts
653
654
655 The :O flag tells Buildah to mount the directory from the host as a
656 temporary storage using the Overlay file system. The RUN command con‐
657 tainers are allowed to modify contents within the mountpoint and are
658 stored in the container storage in a separate directory. In Ovelay FS
659 terms the source directory will be the lower, and the container storage
660 directory will be the upper. Modifications to the mount point are
661 destroyed when the RUN command finishes executing, similar to a tmpfs
662 mount point.
663
664
665 Any subsequent execution of RUN commands sees the original source
666 directory content, any changes from previous RUN commands no longer
667 exists.
668
669
670 One use case of the overlay mount is sharing the package cache from the
671 host into the container to allow speeding up builds.
672
673
674 Note:
675
676
677 - Overlay mounts are not currently supported in rootless mode.
678 - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
679 On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work.
680 - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running.
681
682
683
684 By default bind mounted volumes are private. That means any mounts done
685 inside container will not be visible on the host and vice versa. This
686 behavior can be changed by specifying a volume mount propagation prop‐
687 erty.
688
689
690 When the mount propagation policy is set to shared, any mounts com‐
691 pleted inside the container on that volume will be visible to both the
692 host and container. When the mount propagation policy is set to slave,
693 one way mount propagation is enabled and any mounts completed on the
694 host for that volume will be visible only inside of the container. To
695 control the mount propagation property of the volume use the
696 :[r]shared, :[r]slave, [r]private or [r]unbindablepropagation flag. The
697 propagation property can be specified only for bind mounted volumes and
698 not for internal volumes or named volumes. For mount propagation to
699 work on the source mount point (the mount point where source dir is
700 mounted on) it has to have the right propagation properties. For shared
701 volumes, the source mount point has to be shared. And for slave vol‐
702 umes, the source mount has to be either shared or slave.
703
704
705 Use df <source-dir> to determine the source mount and then use findmnt
706 -o TARGET,PROPAGATION <source-mount-dir> to determine propagation prop‐
707 erties of source mount, if findmnt utility is not available, the source
708 mount point can be determined by looking at the mount entry in
709 /proc/self/mountinfo. Look at optional fields and see if any propagaion
710 properties are specified. shared:X means the mount is shared, master:X
711 means the mount is slave and if nothing is there that means the mount
712 is private.
713
714
715 To change propagation properties of a mount point use the mount com‐
716 mand. For example, to bind mount the source directory /foo do mount
717 --bind /foo /foo and mount --make-private --make-shared /foo. This will
718 convert /foo into a shared mount point. The propagation properties of
719 the source mount can be changed directly. For instance if / is the
720 source mount for /foo, then use mount --make-shared / to convert / into
721 a shared mount.
722
723
725 buildah from --pull imagename
726
727
728 buildah from --pull docker://myregistry.example.com/imagename
729
730
731 buildah from docker-daemon:imagename:imagetag
732
733
734 buildah from --name mycontainer docker-archive:filename
735
736
737 buildah from oci-archive:filename
738
739
740 buildah from --name mycontainer dir:directoryname
741
742
743 buildah from --pull-always --name "mycontainer" docker://myreg‐
744 istry.example.com/imagename
745
746
747 buildah from --tls-verify=false myregistry/myrepository/image‐
748 name:imagetag
749
750
751 buildah from --creds=myusername:mypassword --cert-dir /auth myreg‐
752 istry/myrepository/imagename:imagetag
753
754
755 buildah from --authfile=/tmp/auths/myauths.json myregistry/myreposi‐
756 tory/imagename:imagetag
757
758
759 buildah from --memory 40m --cpu-shares 2 --cpuset-cpus 0,2 --secu‐
760 rity-opt label=level:s0:c100,c200 myregistry/myrepository/image‐
761 name:imagetag
762
763
764 buildah from --ulimit nofile=1024:1028 --cgroup-parent
765 /path/to/cgroup/parent myregistry/myrepository/imagename:imagetag
766
767
768 buildah from --volume /home/test:/myvol:ro,Z myregistry/myreposi‐
769 tory/imagename:imagetag
770
771
772 buildah from -v /var/lib/yum:/var/lib/yum:O myregistry/myreposi‐
773 tory/imagename:imagetag
774
775
777 BUILD_REGISTRY_SOURCES
778
779
780 BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which con‐
781 tains lists of registry names under the keys insecureRegistries,
782 blockedRegistries, and allowedRegistries.
783
784
785 When pulling an image from a registry, if the name of the registry
786 matches any of the items in the blockedRegistries list, the image pull
787 attempt is denied. If there are registries in the allowedRegistries
788 list, and the registry's name is not in the list, the pull attempt is
789 denied.
790
791
793 registries.conf (/etc/containers/registries.conf)
794
795
796 registries.conf is the configuration file which specifies which con‐
797 tainer registries should be consulted when completing image names which
798 do not include a registry or domain portion.
799
800
801 policy.json (/etc/containers/policy.json)
802
803
804 Signature policy file. This defines the trust policy for container
805 images. Controls which container registries can be used for image, and
806 whether or not the tool should trust the images.
807
808
810 buildah(1), buildah-pull(1), buildah-login(1), docker-login(1), names‐
811 paces(7), pid_namespaces(7), policy.json(5), registries.conf(5),
812 user_namespaces(7)
813
814
815
816buildah March 2017 buildah-from(1)