1podman-create(1)() podman-create(1)()
2
6 podman-create - Create a new container
7
10 podman create [options] image [command [arg ...]]
11 podman container create [options] image [command [arg ...]]
14
17 Creates a writable container layer over the specified image and pre‐
18 pares it for running the specified command. The container ID is then
19 printed to STDOUT. This is similar to podman run -d except the con‐
20 tainer is never started. You can then use the podman start container
21 command to start the container at any point.
22 The initial status of the container created with podman create is 'cre‐
25 ated'.
26
29 --add-host=host
30 Add a custom host-to-IP mapping (host:ip)
33 Add a line to /etc/hosts. The format is hostname:ip. The --add-host
36 option can be set multiple times.
37 --annotation=key=value
40 Add an annotation to the container. The format is key=value. The
43 --annotation option can be set multiple times.
44 --attach, -a=location
47 Attach to STDIN, STDOUT or STDERR.
50 In foreground mode (the default when -d is not specified), podman run
53 can start the process in the container and attach the console to the
54 process's standard input, output, and standard error. It can even pre‐
55 tend to be a TTY (this is what most commandline executables expect) and
56 pass along signals. The -a option can be set for each of stdin, stdout,
57 and stderr.
58 --authfile=path
61 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
64 ers/auth.json
65 Note: You can also override the default path of the authentication file
68 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
69 ISTRY_AUTH_FILE=path (Not available for remote commands)
70 --blkio-weight=weight
73 Block IO weight (relative weight) accepts a weight value between 10 and
76 1000.
77 --blkio-weight-device=weight
80 Block IO weight (relative device weight, format: DEVICE_NAME:WEIGHT).
83 --cap-add=capability
86 Add Linux capabilities
89 --cap-drop=capability
92 Drop Linux capabilities
95 --cgroupns=mode
98 Set the cgroup namespace mode for the container.
101 host: use the host's cgroup namespace inside the container.
102 container:: join the namespace of the specified container.
103 ns:: join the namespace at the specified path.
104 private: create a new cgroup namespace.
105 If the host uses cgroups v1, the default is set to host. On cgroups v2
108 the default is private.
109 --cgroups=mode
112 Determines whether the container will create CGroups. Valid values are
115 enabled, disabled, no-conmon, which the default being enabled. The
116 disabled option will force the container to not create CGroups, and
117 thus conflicts with CGroup options (--cgroupns and --cgroup-parent).
118 The no-conmon option disables a new CGroup only for the conmon process.
119 --cgroup-parent=path
122 Path to cgroups under which the cgroup for the container will be cre‐
125 ated. If the path is not absolute, the path is considered to be rela‐
126 tive to the cgroups path of the init process. Cgroups will be created
127 if they do not already exist.
128 --cidfile=id
131 Write the container ID to the file
134 --conmon-pidfile=path
137 Write the pid of the conmon process to a file. conmon runs in a sepa‐
140 rate process than Podman, so this is necessary when using systemd to
141 restart Podman containers.
142 --cpu-period=limit
145 Limit the CPU CFS (Completely Fair Scheduler) period
148 Limit the container's CPU usage. This flag tell the kernel to restrict
151 the container's CPU usage to the period you specify.
152 --cpu-quota=limit
155 Limit the CPU CFS (Completely Fair Scheduler) quota
158 Limit the container's CPU usage. By default, containers run with the
161 full CPU resource. This flag tell the kernel to restrict the con‐
162 tainer's CPU usage to the quota you specify.
163 --cpu-rt-period=microseconds
166 Limit the CPU real-time period in microseconds
169 Limit the container's Real Time CPU usage. This flag tell the kernel to
172 restrict the container's Real Time CPU usage to the period you specify.
173 --cpu-rt-runtime=microseconds
176 Limit the CPU real-time runtime in microseconds
179 Limit the containers Real Time CPU usage. This flag tells the kernel to
182 limit the amount of time in a given CPU period Real Time tasks may con‐
183 sume. Ex: Period of 1,000,000us and Runtime of 950,000us means that
184 this container could consume 95% of available CPU and leave the remain‐
185 ing 5% to normal priority tasks.
186 The sum of all runtimes across containers cannot exceed the amount
189 allotted to the parent cgroup.
190 --cpu-shares=shares
193 CPU shares (relative weight)
196 By default, all containers get the same proportion of CPU cycles. This
199 proportion can be modified by changing the container's CPU share
200 weighting relative to the weighting of all other running containers.
201 To modify the proportion from the default of 1024, use the --cpu-shares
204 flag to set the weighting to 2 or higher.
205 The proportion will only apply when CPU-intensive processes are run‐
208 ning. When tasks in one container are idle, other containers can use
209 the left-over CPU time. The actual amount of CPU time will vary depend‐
210 ing on the number of containers running on the system.
211 For example, consider three containers, one has a cpu-share of 1024 and
214 two others have a cpu-share setting of 512. When processes in all three
215 containers attempt to use 100% of CPU, the first container would
216 receive 50% of the total CPU time. If you add a fourth container with a
217 cpu-share of 1024, the first container only gets 33% of the CPU. The
218 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
219 On a multi-core system, the shares of CPU time are distributed over all
222 CPU cores. Even if a container is limited to less than 100% of CPU
223 time, it can use 100% of each individual CPU core.
224 For example, consider a system with more than three cores. If you start
227 one container {C0} with -c=512 running one process, and another con‐
228 tainer {C1} with -c=1024 running two processes, this can result in the
229 following division of CPU shares:
230 PID container CPU CPU share 100 {C0} 0 100% of
233 CPU0 101 {C1} 1 100% of CPU1 102
234 {C1} 2 100% of CPU2
235 --cpus=number
238 Number of CPUs. The default is 0.0 which means no limit.
241 --cpuset-cpus=cpus
244 CPUs in which to allow execution (0-3, 0,1)
247 --cpuset-mems=nodes
250 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
253 tive on NUMA systems.
254 If you have four memory nodes on your system (0-3), use
257 --cpuset-mems=0,1 then processes in your container will only use memory
258 from the first two memory nodes.
259 --detach, -d=true|false
262 Detached mode: run the container in the background and print the new
265 container ID. The default is false.
266 At any time you can run podman ps in the other shell to view a list of
269 the running containers. You can reattach to a detached container with
270 podman attach.
271 When attached in the tty mode, you can detach from the container (and
274 leave it running) using a configurable key sequence. The default
275 sequence is ctrl-p,ctrl-q. Configure the keys sequence using the
276 --detach-keys option, or specifying it in the libpod.conf file: see
277 libpod.conf(5) for more information.
278 --detach-keys=sequence
281 Specify the key sequence for detaching a container. Format is a single
284 character [a-Z] or one or more ctrl-<value> characters where <value> is
285 one of: a-z, @, ^, [, , or _. Specifying "" will disable this feature.
286 The default is ctrl-p,ctrl-q.
287 --device=host-device[:container-device][:permissions]
290 Add a host device to the container. Optional permissions parameter can
293 be used to specify device permissions, it is combination of r for read,
294 w for write, and m for mknod(2).
295 Example: --device=/dev/sdc:/dev/xvdc:rwm.
298 Note: if _hostdevice is a symbolic link then it will be resolved first.
301 The container will only store the major and minor numbers of the host
302 device.
303 Note: if the user only has access rights via a group, accessing the
306 device from inside a rootless container will fail. The crun(1) runtime
307 offers a workaround for this by adding the option --annotation
308 run.oci.keep_original_groups=1.
309 --device-cgroup-rule="type major:minor mode"
312 Add a rule to the cgroup allowed devices list. The rule is expected to
315 be in the format specified in the Linux kernel documentation (Documen‐
316 tation/cgroup-v1/devices.txt):
317 - type: a (all), c (char), or b (block);
318 - major and minor: either a number, or * for all;
319 - mode: a composition of r (read), w (write), and m (mknod(2)).
320 --device-read-bps=path
323 Limit read rate (bytes per second) from a device (e.g.
326 --device-read-bps=/dev/sda:1mb)
327 --device-read-iops=path
330 Limit read rate (IO per second) from a device (e.g.
333 --device-read-iops=/dev/sda:1000)
334 --device-write-bps=path
337 Limit write rate (bytes per second) to a device (e.g.
340 --device-write-bps=/dev/sda:1mb)
341 --device-write-iops=path
344 Limit write rate (IO per second) to a device (e.g.
347 --device-write-iops=/dev/sda:1000)
348 --dns=dns
351 Set custom DNS servers. Invalid if using --dns and --network that is
354 set to 'none' or 'container:'.
355 This option can be used to override the DNS configuration passed to the
358 container. Typically this is necessary when the host DNS configuration
359 is invalid for the container (e.g., 127.0.0.1). When this is the case
360 the --dns flags is necessary for every run.
361 The special value none can be specified to disable creation of
364 /etc/resolv.conf in the container by Podman. The /etc/resolv.conf file
365 in the image will be used without changes.
366 --dns-opt=option
369 Set custom DNS options. Invalid if using --dns-opt and --network that
372 is set to 'none' or 'container:'.
373 --dns-search=domain
376 Set custom DNS search domains. Invalid if using --dns-search and --net‐
379 work that is set to 'none' or 'container:'. (Use --dns-search=. if you
380 don't wish to set the search domain)
381 --entrypoint="command" | '["command", "arg1", ...]'
384 Overwrite the default ENTRYPOINT of the image
387 This option allows you to overwrite the default entrypoint of the
390 image. The ENTRYPOINT of an image is similar to a COMMAND because it
391 specifies what executable to run when the container starts, but it is
392 (purposely) more difficult to override. The ENTRYPOINT gives a con‐
393 tainer its default nature or behavior, so that when you set an ENTRY‐
394 POINT you can run the container as if it were that binary, complete
395 with default options, and you can pass in more options via the COMMAND.
396 But, sometimes an operator may want to run something else inside the
397 container, so you can override the default ENTRYPOINT at runtime by
398 using a --entrypoint and a string to specify the new ENTRYPOINT.
399 You need to specify multi option commands in the form of a json string.
402 --env, -e=env
405 Set environment variables
408 This option allows arbitrary environment variables that are available
411 for the process to be launched inside of the container. If an environ‐
412 ment variable is specified without a value, Podman will check the host
413 environment for a value and set the variable only if it is set on the
414 host. If an environment variable ending in * is specified, Podman will
415 search the host environment for variables starting with the prefix and
416 will add those variables to the container. If an environment variable
417 with a trailing ***** is specified, then a value must be supplied.
418 See Environment ⟨#environment⟩ note below for precedence and examples.
421 --env-host=true|false
424 Use host environment inside of the container. See Environment note
427 below for precedence.
428 --env-file=file
431 Read in a line delimited file of environment variables. See Environment
434 note below for precedence.
435 --expose=port
438 Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up
441 port redirection on the host system.
442 --gidmap=container_gid:host_gid:amount
445 GID map for the user namespace. Using this flag will run the container
448 with user namespace enabled. It conflicts with the --userns and --sub‐
449 gidname flags.
450 The following example maps uids 0-2000 in the container to the uids
453 30000-31999 on the host and gids 0-2000 in the container to the gids
454 30000-31999 on the host. --gidmap=0:30000:2000
455 --group-add=group
458 Add additional groups to run as
461 --health-cmd="command" | '["command", "arg1", ...]'
464 Set or alter a healthcheck command for a container. The command is a
467 command to be executed inside your container that determines your con‐
468 tainer health. The command is required for other healthcheck options
469 to be applied. A value of none disables existing healthchecks.
470 Multiple options can be passed in the form of a JSON array; otherwise,
473 the command will be interpreted as an argument to /bin/sh -c.
474 --health-interval=interval
477 Set an interval for the healthchecks (a value of disable results in no
480 automatic timer setup) (default "30s")
481 --health-retries=retries
484 The number of retries allowed before a healthcheck is considered to be
487 unhealthy. The default value is 3.
488 --health-start-period=period
491 The initialization time needed for a container to bootstrap. The value
494 can be expressed in time format like 2m3s. The default value is 0s
495 --health-timeout=timeout
498 The maximum time allowed to complete the healthcheck before an interval
501 is considered failed. Like start-period, the value can be expressed in
502 a time format such as 1m22s. The default value is 30s.
503 -h, --hostname=name
506 Container host name
509 Sets the container host name that is available inside the container.
512 --help
515 Print usage statement
518 --http-proxy=true|false
521 By default proxy environment variables are passed into the container if
524 set for the Podman process. This can be disabled by setting the
525 --http-proxy option to false. The environment variables passed in
526 include http_proxy, https_proxy, ftp_proxy, no_proxy, and also the
527 upper case versions of those. This option is only needed when the host
528 system must use a proxy but the container should not use any proxy.
529 Proxy environment variables specified for the container in any other
530 way will override the values that would have been passed through from
531 the host. (Other ways to specify the proxy for the container include
532 passing the values with the --env flag, or hard coding the proxy envi‐
533 ronment at container build time.)
534 For example, to disable passing these environment variables from host
537 to container:
538 --http-proxy=false
541 Defaults to true
544 --image-volume, builtin-volume=bind|tmpfs|ignore
547 Tells Podman how to handle the builtin image volumes. The options are:
550 'bind', 'tmpfs', or 'ignore' (default 'bind'). bind: A directory is
551 created inside the container state directory and bind mounted into the
552 container for the volumes. tmpfs: The volume is mounted onto the con‐
553 tainer as a tmpfs, which allows the users to create content that disap‐
554 pears when the container is stopped. ignore: All volumes are just
555 ignored and no action is taken.
556 --init
559 Run an init inside the container that forwards signals and reaps pro‐
562 cesses.
563 --init-path=path
566 Path to the container-init binary.
569 --interactive, -i=true|false
572 Keep STDIN open even if not attached. The default is false.
575 --ip6=ip
578 Not implemented
581 --ip=ip
584 Specify a static IP address for the container, for example
587 '10.88.64.128'. Can only be used if no additional CNI networks to join
588 were specified via '--network=', and if the container is not joining
589 another container's network namespace via '--network=container:'. The
590 address must be within the default CNI network's pool (default
591 10.88.0.0/16).
592 --ipc=ipc
595 Default is to create a private IPC namespace (POSIX SysV IPC) for the
598 container
599 'container:': reuses another container shared memory,
600 semaphores and message queues
601 'host': use the host shared memory,semaphores and mes‐
602 sage queues inside the container. Note: the host mode gives the con‐
603 tainer full access to local shared memory and is therefore considered
604 insecure.
605 'ns:' path to an IPC namespace to join.
606 --kernel-memory=number[unit]
609 Kernel memory limit (format: <number>[<unit>], where unit = b (bytes),
612 k (kilobytes), m (megabytes), or g (gigabytes))
613 Constrains the kernel memory available to a container. If a limit of 0
616 is specified (not using --kernel-memory), the container's kernel memory
617 is not limited. If you specify a limit, it may be rounded up to a mul‐
618 tiple of the operating system's page size and the value can be very
619 large, millions of trillions.
620 --label, -l=label
623 Add metadata to a container (e.g., --label com.example.key=value)
626 --label-file=file
629 Read in a line delimited file of labels
632 --link-local-ip=ip
635 Not implemented
638 --log-driver="k8s-file"
641 Logging driver for the container. Currently available options are
644 k8s-file and journald, with json-file aliased to k8s-file for scripting
645 compatibility.
646 --log-opt=path
649 Logging driver specific options. Used to set the path to the container
652 log file. For example:
653 --log-opt path=/var/log/container/mycontainer.json
656 --log-opt=tag
659 Set custom logging configuration. Presently supports the tag option
662 which specified a custom log tag for the container. For example:
663 --log-opt tag="{{.ImageName}}"
666 It supports the same keys as podman inspect --format.
669 It is currently supported only by the journald log driver.
672 --mac-address=address
675 Container MAC address (e.g. 92:d0:c6:0a:29:33)
678 Remember that the MAC address in an Ethernet network must be unique.
681 The IPv6 link-local address will be based on the device's MAC address
682 according to RFC4862.
683 Not currently supported
686 --memory, -m=limit
689 Memory limit (format: [], where unit = b (bytes), k (kilobytes), m
692 (megabytes), or g (gigabytes))
693 Allows you to constrain the memory available to a container. If the
696 host supports swap memory, then the -m memory setting can be larger
697 than physical RAM. If a limit of 0 is specified (not using -m), the
698 container's memory is not limited. The actual limit may be rounded up
699 to a multiple of the operating system's page size (the value would be
700 very large, that's millions of trillions).
701 --memory-reservation=limit
704 Memory soft limit (format: [], where unit = b (bytes), k (kilobytes), m
707 (megabytes), or g (gigabytes))
708 After setting memory reservation, when the system detects memory con‐
711 tention or low memory, containers are forced to restrict their consump‐
712 tion to their reservation. So you should always set the value below
713 --memory, otherwise the hard limit will take precedence. By default,
714 memory reservation will be the same as memory limit.
715 --memory-swap=limit
718 A limit value equal to memory plus swap. Must be used with the -m
721 (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
722 ory) value. By default, the swap LIMIT will be set to double the value
723 of --memory.
724 The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
727 (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a
728 unit, b is used. Set LIMIT to -1 to enable unlimited swap.
729 --memory-swappiness=number
732 Tune a container's memory swappiness behavior. Accepts an integer
735 between 0 and 100.
736 --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
739 Attach a filesystem mount to the container
742 Current supported mount TYPES are bind, volume, and tmpfs.
745 e.g.
748 type=bind,source=/path/on/host,destination=/path/in/container
750 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
752 type=volume,source=vol1,destination=/path/in/container,ro=true
754 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
756 Common Options:
758 · src, source: mount source spec for bind and volume. Mandatory for bind.
760 · dst, destination, target: mount destination spec.
762 · ro, read-only: true or false (default).
764 Options specific to bind:
766 · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
768 . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
770 . relabel: shared, private.
772 Options specific to tmpfs:
774 · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
776 · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
778 · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
780 · notmpcopyup: Disable copying files from the image to the tmpfs.
782 --name=name
786 Assign a name to the container
789 The operator can identify a container in three ways: UUID long identi‐
792 fier
793 (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”)
794 UUID short identifier (“f78375b1c487”) Name (“jonah”)
795 podman generates a UUID for each container, and if a name is not
798 assigned to the container with --name then it will generate a random
799 string name. The name is useful any place you need to identify a con‐
800 tainer. This works for both background and foreground containers.
801 --network, --net="bridge"
804 Set the Network mode for the container. Invalid if using --dns,
807 --dns-opt, or --dns-search with --network that is set to 'none' or
808 'container:'.
809 Valid values are:
812 · bridge: create a network stack on the default bridge
815 · none: no networking
817 · container:<name|id>: reuse another container's network stack
819 · host: use the Podman host network stack. Note: the host mode
821 gives the container full access to local system services such
822 as D-bus and is therefore considered insecure.
823 · <network-name>|<network-id>: connect to a user-defined net‐
825 work, multiple networks should be comma separated
826 · ns:<path>: path to a network namespace to join
828 · private: create a new namespace for the container (default)
830 · slirp4netns: use slirp4netns to create a user network stack.
832 This is the default for rootless containers
833 --network-alias=alias
837 Not implemented
840 --no-healthcheck=true|false
843 Disable any defined healthchecks for container.
846 --no-hosts=true|false
849 Do not create /etc/hosts for the container. By default, Podman will
852 manage /etc/hosts, adding the container's own IP address and any hosts
853 from --add-host. --no-hosts disables this, and the image's /etc/host
854 will be preserved unmodified. This option conflicts with --add-host.
855 --oom-kill-disable=true|false
858 Whether to disable OOM Killer for the container or not.
861 --oom-score-adj=num
864 Tune the host's OOM preferences for containers (accepts -1000 to 1000)
867 --pid=pid
870 Set the PID mode for the container Default is to create a private PID
873 namespace for the container - container:<name|id>: join another con‐
874 tainer's PID namespace - host: use the host's PID namespace for the
875 container. Note: the host mode gives the container full access to local
876 PID and is therefore considered insecure. - ns: join the specified PID
877 namespace - private: create a new namespace for the container (default)
878 --pids-limit=limit
881 Tune the container's pids limit. Set 0 to have unlimited pids for the
884 container. (default "4096" on systems that support PIDS cgroups).
885 --pod=name
888 Run container in an existing pod. If you want Podman to make the pod
891 for you, preference the pod name with new:. To make a pod with more
892 granular options, use the podman pod create command before creating a
893 container.
894 --privileged=true|false
897 Give extended privileges to this container. The default is false.
900 By default, Podman containers are “unprivileged” (=false) and cannot,
903 for example, modify parts of the operating system. This is because by
904 default a container is not allowed to access any devices. A “privi‐
905 leged” container is given access to all devices.
906 When the operator executes a privileged container, Podman enables
909 access to all devices on the host, turns off graphdriver mount options,
910 as well as turning off most of the security measures protecting the
911 host from the container.
912 Rootless containers cannot have more privileges than the account that
915 launched them.
916 --publish, -p=port
919 Publish a container's port, or range of ports, to the host
922 Format: ip:hostPort:containerPort | ip::containerPort | hostPort:con‐
925 tainerPort | containerPort Both hostPort and containerPort can be spec‐
926 ified as a range of ports. When specifying ranges for both, the number
927 of container ports in the range must match the number of host ports in
928 the range. (e.g., podman run -p 1234-1236:1222-1224 --name thisWorks
929 -t busybox but not podman run -p 1230-1236:1230-1240 --name RangeCon‐
930 tainerPortsBiggerThanRangeHostPorts -t busybox) With ip: podman run -p
931 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage Use
932 podman port to see the actual mapping: podman port CONTAINER $CONTAIN‐
933 ERPORT
934 --publish-all, -P=true|false
937 Publish all exposed ports to random ports on the host interfaces. The
940 default is false.
941 When set to true publish all exposed ports to the host interfaces. The
944 default is false. If the operator uses -P (or -p) then Podman will make
945 the exposed port accessible on the host and the ports will be available
946 to any client that can reach the host. When using -P, Podman will bind
947 any exposed port to a random port on the host within an ephemeral port
948 range defined by /proc/sys/net/ipv4/ip_local_port_range. To find the
949 mapping between the host ports and the exposed ports, use podman port.
950 --pull=missing
953 Pull image before creating ("always"|"missing"|"never") (default "miss‐
956 ing").
957 'missing': default value, attempt to pull the latest image from
958 the registries listed in registries.conf if a local image does not
959 exist.Raise an error if the image is not in any listed registry and is
960 not present locally.
961 'always': Pull the image from the first registry it is found in
962 as listed in registries.conf. Raise an error if not found in the reg‐
963 istries, even if the image is present locally.
964 'never': do not pull the image from the registry, use only the
965 local version. Raise an error if the image is not present locally.
966 Defaults to missing.
969 --quiet, -q
972 Suppress output information when pulling images
975 --read-only=true|false
978 Mount the container's root filesystem as read only.
981 By default a container will have its root filesystem writable allowing
984 processes to write files anywhere. By specifying the --read-only flag
985 the container will have its root filesystem mounted as read only pro‐
986 hibiting any writes.
987 --read-only-tmpfs=true|false
990 If container is running in --read-only mode, then mount a read-write
993 tmpfs on /run, /tmp, and /var/tmp. The default is true
994 --restart=policy
997 Restart policy to follow when containers exit. Restart policy will not
1000 take effect if a container is stopped via the podman kill or podman
1001 stop commands.
1002 Valid values are:
1005 · no : Do not restart containers on exit
1008 · on-failure[:max_retries] : Restart containers when they exit
1010 with a non-0 exit code, retrying indefinitely or until the
1011 optional max_retries count is hit
1012 · always : Restart containers when they exit,
1014 regardless of status, retrying indefinitely
1015 Please note that restart will not restart containers after a system
1019 reboot. If this functionality is required in your environment, you can
1020 invoke Podman from a systemd unit file, or create an init script for
1021 whichever init system is in use. To generate systemd unit files,
1022 please see podman generate systemd
1023 --rm=true|false
1026 Automatically remove the container when it exits. The default is false.
1029 Note that the container will not be removed when it could not be cre‐
1032 ated or started successfully. This allows the user to inspect the con‐
1033 tainer after failure.
1034 --rootfs
1037 If specified, the first argument refers to an exploded container on the
1040 file system.
1041 This is useful to run a container without requiring any image manage‐
1044 ment, the rootfs of the container is assumed to be managed externally.
1045 --seccomp-policy=policy
1048 Specify the policy to select the seccomp profile. If set to image, Pod‐
1051 man will look for a "io.podman.seccomp.profile" label in the con‐
1052 tainer-image config and use its value as a seccomp profile. Otherwise,
1053 Podman will follow the default policy by applying the default profile
1054 unless specified otherwise via --security-opt seccomp as described
1055 below.
1056 Note that this feature is experimental and may change in the future.
1059 --security-opt=option
1062 Security Options
1065 · apparmor=unconfined : Turn off apparmor confinement for the
1068 container
1069 · apparmor=your-profile : Set the apparmor confinement profile
1071 for the container
1072 · label=user:USER : Set the label user for the container
1074 processes
1075 · label=role:ROLE : Set the label role for the container
1077 processes
1078 · label=type:TYPE : Set the label process type for the con‐
1080 tainer processes
1081 · label=level:LEVEL : Set the label level for the container
1083 processes
1084 · label=filetype:TYPE : Set the label file type for the con‐
1086 tainer files
1087 · label=disable : Turn off label separation for the con‐
1089 tainer
1090 · no-new-privileges : Disable container processes from gaining
1092 additional privileges
1093 · seccomp=unconfined : Turn off seccomp confinement for the con‐
1095 tainer
1096 · seccomp=profile.json : White listed syscalls seccomp Json
1098 file to be used as a seccomp filter
1099 Note: Labeling can be disabled for all containers by setting
1103 label=false in the libpod.conf (/etc/containers/libpod.conf) file.
1104 --shm-size=size
1107 Size of /dev/shm (format: [], where unit = b (bytes), k (kilobytes), m
1110 (megabytes), or g (gigabytes)) If you omit the unit, the system uses
1111 bytes. If you omit the size entirely, the system uses 64m. When size
1112 is 0, there is no limit on the amount of memory used for IPC by the
1113 container.
1114 --stop-signal=SIGTERM
1117 Signal to stop a container. Default is SIGTERM.
1120 --stop-timeout=seconds
1123 Timeout (in seconds) to stop a container. Default is 10.
1126 --subgidname=name
1129 Name for GID map from the /etc/subgid file. Using this flag will run
1132 the container with user namespace enabled. This flag conflicts with
1133 --userns and --gidmap.
1134 --subuidname=name
1137 Name for UID map from the /etc/subuid file. Using this flag will run
1140 the container with user namespace enabled. This flag conflicts with
1141 --userns and --uidmap.
1142 --sysctl=SYSCTL
1145 Configure namespaced kernel parameters at runtime
1148 IPC Namespace - current sysctls allowed:
1151 kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall,
1154 kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced Sysctls beginning
1155 with fs.mqueue.*
1156 Note: if you use the --ipc=host option these sysctls will not be
1159 allowed.
1160 Network Namespace - current sysctls allowed:
1163 Sysctls beginning with net.*
1164 Note: if you use the --network=host option these sysctls will not be
1167 allowed.
1168 --systemd=true|false|always
1171 Run container in systemd mode. The default is true.
1174 The value always enforces the systemd mode is enforced without looking
1177 at the executable name. Otherwise, if set to true and the command you
1178 are running inside the container is systemd, /usr/sbin/init or
1179 /sbin/init.
1180 If the command you are running inside of the container is systemd, Pod‐
1183 man will setup tmpfs mount points in the following directories:
1184 /run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
1187 It will also set the default stop signal to SIGRTMIN+3.
1190 This allow systemd to run in a confined container without any modifica‐
1193 tions.
1194 Note: On SELinux systems, systemd attempts to write to the cgroup file
1197 system. Containers writing to the cgroup file system are denied by
1198 default. The container_manage_cgroup boolean must be enabled for this
1199 to be allowed on an SELinux separated system.
1200 setsebool -P container_manage_cgroup true
1203 --tmpfs=fs
1206 Create a tmpfs mount
1209 Mount a temporary filesystem (tmpfs) mount into a container, for exam‐
1212 ple:
1213 $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
1216 This command mounts a tmpfs at /tmp within the container. The sup‐
1219 ported mount options are the same as the Linux default mount flags. If
1220 you do not specify any options, the systems uses the following options:
1221 rw,noexec,nosuid,nodev.
1222 --tty, -t=true|false
1225 Allocate a pseudo-TTY. The default is false.
1228 When set to true Podman will allocate a pseudo-tty and attach to the
1231 standard input of the container. This can be used, for example, to run
1232 a throwaway interactive shell. The default is false.
1233 Note: The -t option is incompatible with a redirection of the Podman
1236 client standard input.
1237 --uidmap=container_uid:host_uid:amount
1240 UID map for the user namespace. Using this flag will run the container
1243 with user namespace enabled. It conflicts with the --userns and --sub‐
1244 uidname flags.
1245 The following example maps uids 0-2000 in the container to the uids
1248 30000-31999 on the host and gids 0-2000 in the container to the gids
1249 30000-31999 on the host. --uidmap=0:30000:2000
1250 --ulimit=option
1253 Ulimit options
1256 You can pass host to copy the current configuration from the host.
1259 --user, -u=user
1262 Sets the username or UID used and optionally the groupname or GID for
1265 the specified command.
1266 The following examples are all valid: --user [user | user:group | uid |
1269 uid:gid | user:gid | uid:group ]
1270 Without this argument the command will be run as root in the container.
1273 --userns=auto[:OPTIONS] --userns=host --userns=keep-id --userns=con‐
1276 tainer:container --userns=private --userns=ns:my_namespace
1277 Set the user namespace mode for the container. It defaults to the POD‐
1280 MAN_USERNS environment variable. An empty value means user namespaces
1281 are disabled.
1282 · auto: automatically create a namespace. It is possible to
1285 specify other options to auto. The supported options are
1286 size=SIZE to specify an explicit size for the automatic user
1287 namespace. e.g. --userns=auto:size=8192. If size is not
1288 specified, auto will guess a size for the user namespace.
1289 uidmapping=HOST_UID:CONTAINER_UID:SIZE to force a UID mapping
1290 to be present in the user namespace. gidmapping=HOST_UID:CON‐
1291 TAINER_UID:SIZE to force a GID mapping to be present in the
1292 user namespace.
1293 · container: join the user namespace of the specified container.
1295 · host: run in the user namespace of the caller. This is the
1297 default if no user namespace options are set. The processes
1298 running in the container will have the same privileges on the
1299 host as any other process launched by the calling user.
1300 · keep-id: creates a user namespace where the current rootless
1302 user's UID:GID are mapped to the same values in the container.
1303 This option is ignored for containers created by the root
1304 user.
1305 · ns: run the container in the given existing user namespace.
1307 · private: create a new namespace for the container (default)
1309 This option is incompatible with --gidmap, --uidmap, --subuid and
1313 --subgid
1314 --uts=host
1317 Set the UTS mode for the container
1320 host: use the host's UTS namespace inside the container.
1321 ns: specify the user namespace to use.
1322 Note: the host mode gives the container access to changing the
1323 host's hostname and is therefore considered insecure.
1324 --volume, -v[=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]
1327 Create a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR, pod‐
1330 man bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the podman
1331 container. The OPTIONS are a comma delimited list and can be:
1332 · [rw|ro]
1335 · [z|Z]
1337 · [[r]shared|[r]slave|[r]private]
1339 · [[r]bind]
1341 · [noexec|exec]
1343 · [nodev|dev]
1345 · [nosuid|suid]
1347 The CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
1351 ume will be mounted into the container at this directory.
1352 Volumes may specify a source as well, as either a directory on the host
1355 or the name of a named volume. If no source is given, the volume will
1356 be created as an anonymous named volume with a randomly generated name,
1357 and will be removed when the container is removed via the --rm flag or
1358 podman rm --volumes.
1359 If a volume source is specified, it must be a path on the host or the
1362 name of a named volume. Host paths are allowed to be absolute or rela‐
1363 tive; relative paths are resolved relative to the directory Podman is
1364 run in. Any source that does not begin with a . or / it will be treated
1365 as the name of a named volume. If a volume with that name does not
1366 exist, it will be created. Volumes created with names are not anonymous
1367 and are not removed by --rm and podman rm --volumes.
1368 You can specify multiple -v options to mount one or more volumes into
1371 a container.
1372 You can add :ro or :rw suffix to a volume to mount it read-only or
1375 read-write mode, respectively. By default, the volumes are mounted
1376 read-write. See examples.
1377 Labeling systems like SELinux require that proper labels are placed on
1380 volume content mounted into a container. Without a label, the security
1381 system might prevent the processes running inside the container from
1382 using the content. By default, Podman does not change the labels set by
1383 the OS.
1384 To change a label in the container context, you can add either of two
1387 suffixes :z or :Z to the volume mount. These suffixes tell Podman to
1388 relabel file objects on the shared volumes. The z option tells Podman
1389 that two containers share the volume content. As a result, Podman
1390 labels the content with a shared content label. Shared volume labels
1391 allow all containers to read/write content. The Z option tells Podman
1392 to label the content with a private unshared label. Only the current
1393 container can use a private volume.
1394 By default bind mounted volumes are private. That means any mounts done
1397 inside container will not be visible on host and vice versa. One can
1398 change this behavior by specifying a volume mount propagation property.
1399 Making a volume shared mounts done under that volume inside container
1400 will be visible on host and vice versa. Making a volume slave enables
1401 only one way mount propagation and that is mounts done on host under
1402 that volume will be visible inside container but not the other way
1403 around.
1404 To control mount propagation property of volume one can use :[r]shared,
1407 :[r]slave or :[r]private propagation flag. Propagation property can be
1408 specified only for bind mounted volumes and not for internal volumes or
1409 named volumes. For mount propagation to work source mount point (mount
1410 point where source dir is mounted on) has to have right propagation
1411 properties. For shared volumes, source mount point has to be shared.
1412 And for slave volumes, source mount has to be either shared or slave.
1413 If you want to recursively mount a volume and all of it's submounts
1416 into a container, then you can use the rbind option. By default the
1417 bind option is used, and submounts of the source directory will not be
1418 mounted into the container.
1419 Mounting the volume with the nosuid options means that SUID applica‐
1422 tions on the volume will not be able to change their privilege. By
1423 default volumes are mounted with nosuid.
1424 Mounting the volume with the noexec option means that no executables on
1427 the volume will be able to executed within the container.
1428 Mounting the volume with the nodev option means that no devices on the
1431 volume will be able to be used by processes within the container. By
1432 default volumes are mounted with nodev.
1433 If the is a mount point, then "dev", "suid", and "exec" options are
1436 ignored by the kernel.
1437 Use df <source-dir> to figure out the source mount and then use findmnt
1440 -o TARGET,PROPAGATION <source-mount-dir> to figure out propagation
1441 properties of source mount. If findmnt utility is not available, then
1442 one can look at mount entry for source mount point in
1443 /proc/self/mountinfo. Look at optional fields and see if any propaga‐
1444 tion properties are specified. shared:X means mount is shared, mas‐
1445 ter:X means mount is slave and if nothing is there that means mount is
1446 private.
1447 To change propagation properties of a mount point use mount command.
1450 For example, if one wants to bind mount source directory /foo one can
1451 do mount --bind /foo /foo and mount --make-private --make-shared /foo.
1452 This will convert /foo into a shared mount point. Alternatively one can
1453 directly change propagation properties of source mount. Say / is source
1454 mount for /foo, then use mount --make-shared / to convert / into a
1455 shared mount.
1456 --volumes-from[=CONTAINER[:OPTIONS]]
1459 Mount volumes from the specified container(s). OPTIONS is a comma
1462 delimited list with the following available elements:
1463 · [rw|ro]
1466 · z
1468 Mounts already mounted volumes from a source container onto another
1472 container. You must supply the source's container-id or container-name.
1473 To share a volume, use the --volumes-from option when running the tar‐
1474 get container. You can share volumes even if the source container is
1475 not running.
1476 By default, Podman mounts the volumes in the same mode (read-write or
1479 read-only) as it is mounted in the source container. Optionally, you
1480 can change this by suffixing the container-id with either the ro or rw
1481 keyword.
1482 Labeling systems like SELinux require that proper labels are placed on
1485 volume content mounted into a container. Without a label, the security
1486 system might prevent the processes running inside the container from
1487 using the content. By default, Podman does not change the labels set by
1488 the OS.
1489 To change a label in the container context, you can add z to the volume
1492 mount. This suffix tells Podman to relabel file objects on the shared
1493 volumes. The z option tells Podman that two containers share the volume
1494 content. As a result, podman labels the content with a shared content
1495 label. Shared volume labels allow all containers to read/write content.
1496 If the location of the volume from the source container overlaps with
1499 data residing on a target container, then the volume hides that data on
1500 the target.
1501 --workdir, -w=dir
1504 Working directory inside the container
1507 The default working directory for running binaries within a container
1510 is the root directory (/). The image developer can set a different
1511 default with the WORKDIR instruction. The operator can override the
1512 working directory by using the -w option.
1513
1516 Create a container using a local image
1517 $ podman create alpine ls
1518 Create a container using a local image and annotate it
1522 $ podman create --annotation HELLO=WORLD alpine ls
1523 Create a container using a local image, allocating a pseudo-TTY, keeping
1527 stdin open and name it myctr
1528 podman create -t -i --name myctr alpine ls
1529 Set UID/GID mapping in a new user namespace
1533 Running a container in a new user namespace requires a mapping of the
1534 uids and gids from the host.
1535 $ podman create --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
1538 Rootless Containers
1542 Podman runs as a non root user on most systems. This feature requires
1543 that a new enough version of shadow-utils be installed. The
1544 shadow-utils package must include the newuidmap and newgidmap executa‐
1545 bles.
1546 Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is
1549 released.
1550 In order for users to run rootless, there must be an entry for their
1553 username in /etc/subuid and /etc/subgid which lists the UIDs for their
1554 user namespace.
1555 Rootless Podman works better if the fuse-overlayfs and slirp4netns
1558 packages are installed. The fuse-overlay package provides a userspace
1559 overlay storage driver, otherwise users need to use the vfs storage
1560 driver, which is diskspace expensive and does not perform well.
1561 slirp4netns is required for VPN, without it containers need to be run
1562 with the --network=host flag.
1563
1566 Environment variables within containers can be set using multiple dif‐
1567 ferent options: This section describes the precedence.
1568 Precedence Order: --env-host : Host environment of the process
1571 executing Podman is added.
1572 Container image : Any environment variables specified in the container image.
1575 **--env-file** : Any environment variables specified via env-files. If multiple files specified, then they override each other in order of entry.
1577 **--env** : Any environment variables specified will override previous settings.
1579 Create containers and set the environment ending with a * and a *****
1583 $ export ENV1=a
1586 $ podman create --name ctr --env ENV* alpine printenv ENV1
1587 $ podman start --attach ctr
1588 a
1589 $ podman create --name ctr --env ENV*****=b alpine printenv ENV*****
1591 $ podman start --attach ctr
1592 b
1593
1597 /etc/subuid /etc/subgid
1598 NOTE: Use the environment variable TMPDIR to change the temporary stor‐
1601 age location of downloaded container images. Podman defaults to use
1602 /var/tmp.
1603
1606 subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8),
1607 slirp4netns(1), fuse-overlayfs(1)
1608
1611 October 2017, converted from Docker documentation to Podman by Dan
1612 Walsh for Podman dwalsh@redhat.com ⟨mailto:dwalsh@redhat.com⟩
1613 November 2014, updated by Sven Dowideit SvenDowideit@home.org.au
1616 ⟨mailto:SvenDowideit@home.org.au⟩
1617 September 2014, updated by Sven Dowideit SvenDowideit@home.org.au
1620 ⟨mailto:SvenDowideit@home.org.au⟩
1621 August 2014, updated by Sven Dowideit SvenDowideit@home.org.au
1624 ⟨mailto:SvenDowideit@home.org.au⟩
1625 podman-create(1)()