podman-run(1)

1podman-run(1)()                                                podman-run(1)()
2
3
4

NAME

6       podman-run - Run a command in a new container
7
8

SYNOPSIS

10       podman run [options] image [command [arg ...]]
11
12
13       podman container run [options] image [command [arg ...]]
14
15

DESCRIPTION

17       Run  a process in a new container. podman run starts a process with its
18       own file system, its own networking, and its own isolated process tree.
19       The  image  which starts the process may define defaults related to the
20       process that will be run in the container, the  networking  to  expose,
21       and  more, but podman run gives final control to the operator or admin‐
22       istrator who starts the container from the image. For that reason  pod‐
23       man run has more options than any other Podman command.
24
25
26       If the image is not already loaded then podman run will pull the image,
27       and all image dependencies, from the repository in the same way running
28       podman pull image , before it starts the container from that image.
29
30
31       Several files will be automatically created within the container. These
32       include /etc/hosts, /etc/hostname, and /etc/resolv.conf to manage  net‐
33       working.   These  will  be  based  on  the host's version of the files,
34       though they can be customized with options  (for  example,  --dns  will
35       override  the host's DNS servers in the created resolv.conf). Addition‐
36       ally, a container environment file is  created  in  each  container  to
37       indicate  to  programs  they  are  running in a container. This file is
38       located at /run/.containerenv. When using  the  --privileged  flag  the
39       .containerenv contains name/value pairs indicating the container engine
40       version, whether the engine is running in rootless mode, the  container
41       name  and  id,  as  well as the image name and id that the container is
42       based on.
43
44
45       When   running   from   a   user   defined   network   namespace,   the
46       /etc/netns/NSNAME/resolv.conf  will  be  used  if  it exists, otherwise
47       /etc/resolv.conf will be used.
48
49
50       Default settings are defined  in  containers.conf.  Most  settings  for
51       remote  connections  use the servers containers.conf, except when docu‐
52       mented in man pages.
53
54

IMAGE

56       The image is specified using transport:path format. If no transport  is
57       specified,  the  docker  (container registry) transport will be used by
58       default. For remote Podman, docker is the only allowed transport.
59
60
61       dir:path
62         An existing local directory path storing the manifest, layer tarballs
63       and  signatures as individual files. This is a non-standardized format,
64       primarily useful for debugging or noninvasive container inspection.
65
66
67              $ podman save --format docker-dir fedora -o /tmp/fedora
68              $ podman run dir:/tmp/fedora echo hello
69
70
71
72       docker://docker-reference (Default)
73         An image reference stored in a remote container image registry. Exam‐
74       ple:  "quay.io/podman/stable:latest".  The reference can include a path
75       to a specific registry; if it does not, the registries listed  in  reg‐
76       istries.conf  will  be  queried  to find a matching image.  By default,
77       credentials from  podman  login  (stored  at  $XDG_RUNTIME_DIR/contain‐
78       ers/auth.json  by  default)  will be used to authenticate; otherwise it
79       falls back to using credentials in $HOME/.docker/config.json.
80
81
82              $ podman run registry.fedoraproject.org/fedora:latest echo hello
83
84
85
86       docker-archive:path[:docker-reference] An image stored  in  the  docker
87       save formatted file. docker-reference is only used when creating such a
88       file, and it must not contain a digest.
89
90
91              $ podman save --format docker-archive fedora -o /tmp/fedora
92              $ podman run docker-archive:/tmp/fedora echo hello
93
94
95
96       docker-daemon:docker-reference
97         An image in docker-reference  format  stored  in  the  docker  daemon
98       internal  storage.  The  docker-reference  can  also  be  an  image  ID
99       (docker-daemon:algo:digest).
100
101
102              $ sudo docker pull fedora
103              $ sudo podman run docker-daemon:docker.io/library/fedora echo hello
104
105
106
107       oci-archive:path:tag
108         An image in a directory compliant with the "Open Container Image Lay‐
109       out Specification" at the specified path and specified with a tag.
110
111
112              $ podman save --format oci-archive fedora -o /tmp/fedora
113              $ podman run oci-archive:/tmp/fedora echo hello
114
115
116

OPTIONS

118   --add-host=host:ip
119       Add  a  line  to  container's /etc/hosts for custom host-to-IP mapping.
120       This option can be set multiple times.
121
122
123   --annotation=key=value
124       Add an annotation to the container.  This option can  be  set  multiple
125       times.
126
127
128   --arch=ARCH
129       Override  the  architecture,  defaults  to  hosts,  of  the image to be
130       pulled. For example, arm.
131
132
133   --attach, -a=stdin|stdout|stderr
134       Attach to STDIN, STDOUT or STDERR.
135
136
137       In foreground mode (the default when -d is not specified),  podman  run
138       can  start  the  process in the container and attach the console to the
139       process's standard input, output, and error. It can even pretend to  be
140       a TTY (this is what most commandline executables expect) and pass along
141       signals. The -a option can be  set  for  each  of  stdin,  stdout,  and
142       stderr.
143
144
145   --authfile[=path]
146       Path to the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
147       ers/auth.json.
148
149
150       Note: You can also override the default path of the authentication file
151       by setting the REGISTRY_AUTH_FILE environment variable.
152
153
154   --blkio-weight=weight
155       Block IO relative weight. The weight is a value between 10 and 1000.
156
157
158   --blkio-weight-device=device:weight
159       Block IO relative device weight.
160
161
162   --cap-add=capability
163       Add Linux capabilities.
164
165
166   --cap-drop=capability
167       Drop Linux capabilities.
168
169
170   --cgroupns=mode
171       Set the cgroup namespace mode for the container.
172
173
174              · host: use the host's cgroup namespace inside the container.
175
176              · container:id: join the namespace of the specified container.
177
178              · private: create a new cgroup namespace.
179
180              · ns:path: join the namespace at the specified path.
181
182
183
184       If the host uses cgroups v1, the default is set to host. On cgroups v2,
185       the default is private.
186
187
188   --cgroups=enabled|disabled|no-conmon|split
189       Determines whether the container will create CGroups.
190
191
192       Default is enabled.
193
194
195       The enabled option will create a new cgroup  under  the  cgroup-parent.
196       The disabled option will force the container to not create CGroups, and
197       thus conflicts with CGroup options  (--cgroupns  and  --cgroup-parent).
198       The no-conmon option disables a new CGroup only for the conmon process.
199       The split option splits the current cgroup in two sub-cgroups: one  for
200       conmon  and  one  for  the container payload. It is not possible to set
201       --cgroup-parent with split.
202
203
204   --cgroup-parent=path
205       Path to cgroups under which the cgroup for the container will  be  cre‐
206       ated.  If  the path is not absolute, the path is considered to be rela‐
207       tive to the cgroups path of the init process. Cgroups will  be  created
208       if they do not already exist.
209
210
211   --cgroup-conf=KEY=VALUE
212       When  running on cgroup v2, specify the cgroup file to write to and its
213       value. For example --cgroup-conf=memory.high=1073741824 sets  the  mem‐
214       ory.high limit to 1GB.
215
216
217   --cidfile=file
218       Write the container ID to file.
219
220
221   --conmon-pidfile=file
222       Write the pid of the conmon process to a file. As conmon runs in a sep‐
223       arate process than Podman, this is  necessary  when  using  systemd  to
224       restart Podman containers.
225
226
227   --cpu-period=limit
228       Set  the CPU period for the Completely Fair Scheduler (CFS), which is a
229       duration in microseconds. Once the container's CPU quota is used up, it
230       will not be scheduled to run until the current period ends. Defaults to
231       100000 microseconds.
232
233
234       On some systems, changing  the  CPU  limits  may  not  be  allowed  for
235       non-root  users.  For  more  details,  see  https://github.com/contain‐
236       ers/podman/blob/master/troubleshooting.md#26-running-contain‐
237       ers-with-cpu-limits-fails-with-a-permissions-error
238
239
240   --cpu-quota=limit
241       Limit the CPU Completely Fair Scheduler (CFS) quota.
242
243
244       Limit  the  container's  CPU usage. By default, containers run with the
245       full CPU resource. The limit is a number in microseconds. If  you  pro‐
246       vide  a number, the container will be allowed to use that much CPU time
247       until the CPU period ends (controllable via --cpu-period).
248
249
250       On some systems, changing  the  CPU  limits  may  not  be  allowed  for
251       non-root  users.  For  more  details,  see  https://github.com/contain‐
252       ers/podman/blob/master/troubleshooting.md#26-running-contain‐
253       ers-with-cpu-limits-fails-with-a-permissions-error
254
255
256   --cpu-rt-period=microseconds
257       Limit the CPU real-time period in microseconds.
258
259
260       Limit the container's Real Time CPU usage. This flag tell the kernel to
261       restrict the container's Real Time CPU usage to the period you specify.
262
263
264   --cpu-rt-runtime=microseconds
265       Limit the CPU real-time runtime in microseconds.
266
267
268       Limit the containers Real Time CPU usage. This flag tells the kernel to
269       limit the amount of time in a given CPU period Real Time tasks may con‐
270       sume. Ex: Period of 1,000,000us and Runtime  of  950,000us  means  that
271       this container could consume 95% of available CPU and leave the remain‐
272       ing 5% to normal priority tasks.
273
274
275       The sum of all runtimes across  containers  cannot  exceed  the  amount
276       allotted to the parent cgroup.
277
278
279   --cpu-shares=shares
280       CPU shares (relative weight).
281
282
283       By  default, all containers get the same proportion of CPU cycles. This
284       proportion can be  modified  by  changing  the  container's  CPU  share
285       weighting  relative  to the combined weight of all the running contain‐
286       ers. Default weight is 1024.
287
288
289       The proportion will only apply when CPU-intensive  processes  are  run‐
290       ning.   When  tasks in one container are idle, other containers can use
291       the left-over CPU time. The actual amount of CPU time will vary depend‐
292       ing on the number of containers running on the system.
293
294
295       For example, consider three containers, one has a cpu-share of 1024 and
296       two others have a cpu-share setting of 512. When processes in all three
297       containers  attempt  to  use  100%  of  CPU,  the first container would
298       receive 50% of the total CPU time. If you add a fourth container with a
299       cpu-share  of  1024,  the first container only gets 33% of the CPU. The
300       remaining containers receive 16.5%, 16.5% and 33% of the CPU.
301
302
303       On a multi-core system, the shares of CPU time are distributed over all
304       CPU  cores.  Even  if  a  container is limited to less than 100% of CPU
305       time, it can use 100% of each individual CPU core.
306
307
308       For example, consider a system with more than three cores. If you start
309       one  container  {C0}  with  --cpu-shares=512  running  one process, and
310       another container {C1} with --cpu-shares=1024  running  two  processes,
311       this can result in the following division of CPU shares:
312
313
314       ┌────┬───────────┬─────┬──────────────┐
315       │PID │ container │ CPU │ CPU share    │
316       ├────┼───────────┼─────┼──────────────┤
317       │100 │ {C0}      │ 0   │ 100% of CPU0 │
318       ├────┼───────────┼─────┼──────────────┤
319       │101 │ {C1}      │ 1   │ 100% of CPU1 │
320       ├────┼───────────┼─────┼──────────────┤
321       │102 │ {C1}      │ 2   │ 100% of CPU2 │
322       ├────┼───────────┼─────┼──────────────┤
323       │    │           │     │              │
324       └────┴───────────┴─────┴──────────────┘
325
326   --cpus=number
327       Number of CPUs. The default is 0.0 which means no limit. This is short‐
328       hand for --cpu-period and --cpu-quota, so you may only set either
329
330
331   --cpus or --cpu-period and --cpu-quota.
332       On some systems, changing  the  CPU  limits  may  not  be  allowed  for
333       non-root  users.  For  more  details,  see  https://github.com/contain‐
334       ers/podman/blob/master/troubleshooting.md#26-running-contain‐
335       ers-with-cpu-limits-fails-with-a-permissions-error
336
337
338   --cpuset-cpus=number
339       CPUs in which to allow execution. Can be specified as a comma-separated
340       list (e.g. 0,1), as a range (e.g.  0-3),  or  any  combination  thereof
341       (e.g. 0-3,7,11-15).
342
343
344   --cpuset-mems=nodes
345       Memory nodes (MEMs) in which to allow execution. Only effective on NUMA
346       systems.
347
348
349       For example, if you have four memory nodes (0-3) on  your  system,  use
350       --cpuset-mems=0,1 to only use memory from the first two memory nodes.
351
352
353   --detach, -d=true|false
354       Detached  mode:  run  the container in the background and print the new
355       container ID. The default is false.
356
357
358       At any time you can run podman ps in the other shell to view a list  of
359       the  running  containers. You can reattach to a detached container with
360       podman attach.
361
362
363       When attached in the tty mode, you can detach from the  container  (and
364       leave  it  running)  using  a  configurable  key  sequence. The default
365       sequence is ctrl-p,ctrl-q.   Configure  the  keys  sequence  using  the
366       --detach-keys option, or specifying it in the containers.conf file: see
367       containers.conf(5) for more information.
368
369
370   --detach-keys=sequence
371       Specify the key sequence for detaching a container. Format is a  single
372       character [a-Z] or one or more ctrl-<value> characters where <value> is
373       one of: a-z, @, ^, [, , or _. Specifying "" will disable this  feature.
374       The default is ctrl-p,ctrl-q.
375
376
377       This option can also be set in containers.conf(5) file.
378
379
380       Specifying "" will disable this feature. The default is ctrl-p,ctrl-q.
381
382
383   --device=host-device[:container-device][:permissions]
384       Add  a host device to the container. Optional permissions parameter can
385       be used to specify device permissions, it is combination of r for read,
386       w for write, and m for mknod(2).
387
388
389       Example: --device=/dev/sdc:/dev/xvdc:rwm.
390
391
392       Note: if _hostdevice is a symbolic link then it will be resolved first.
393       The container will only store the major and minor numbers of  the  host
394       device.
395
396
397       Note:  if  the  user  only has access rights via a group, accessing the
398       device from inside a rootless container will fail. The crun(1)  runtime
399       offers  a  workaround  for  this  by  adding  the  option  --annotation
400       run.oci.keep_original_groups=1.
401
402
403       Podman may load kernel modules required for using the specified device.
404       The   devices  that  Podman  will  load  modules  when  necessary  are:
405       /dev/fuse.
406
407
408   --device-cgroup-rule=rule
409       Add a rule to the cgroup allowed devices list
410
411
412   --device-read-bps=path:rate
413       Limit  read  rate  (in  bytes  per  second)   from   a   device   (e.g.
414       --device-read-bps=/dev/sda:1mb).
415
416
417   --device-read-iops=path:rate
418       Limit  read  rate  (in  IO  operations  per second) from a device (e.g.
419       --device-read-iops=/dev/sda:1000).
420
421
422   --device-write-bps=path:rate
423       Limit  write  rate  (in  bytes  per   second)   to   a   device   (e.g.
424       --device-write-bps=/dev/sda:1mb).
425
426
427   --device-write-iops=path:rate
428       Limit  write  rate  (in  IO  operations  per  second) to a device (e.g.
429       --device-write-iops=/dev/sda:1000).
430
431
432   --disable-content-trust
433       This is a Docker specific option to disable  image  verification  to  a
434       Docker registry and is not supported by Podman. This flag is a NOOP and
435       provided solely for scripting compatibility.
436
437
438   --dns=ipaddr
439       Set custom DNS servers. Invalid if using --dns with --network  that  is
440       set to none or container:id.
441
442
443       This option can be used to override the DNS configuration passed to the
444       container. Typically this is necessary when the host DNS  configuration
445       is  invalid  for the container (e.g., 127.0.0.1). When this is the case
446       the --dns flags is necessary for every run.
447
448
449       The special  value  none  can  be  specified  to  disable  creation  of
450       /etc/resolv.conf in the container by Podman.  The /etc/resolv.conf file
451       in the image will be used without changes.
452
453
454   --dns-opt=option
455       Set custom DNS options. Invalid if using --dns-opt with --network  that
456       is set to none or container:id.
457
458
459   --dns-search=domain
460       Set custom DNS search domains. Invalid if using --dns-search and --net‐
461       work that is set to none or container:id.  Use  --dns-search=.  if  you
462       don't wish to set the search domain.
463
464
465   --entrypoint="command" | '["command", arg1 , ...]'
466       Overwrite the default ENTRYPOINT of the image.
467
468
469       This  option  allows  you  to  overwrite  the default entrypoint of the
470       image.
471
472
473       The ENTRYPOINT of an image is similar to a COMMAND because it specifies
474       what executable to run when the container starts, but it is (purposely)
475       more difficult to  override.  The  ENTRYPOINT  gives  a  container  its
476       default  nature or behavior, so that when you set an ENTRYPOINT you can
477       run the container as if it were  that  binary,  complete  with  default
478       options,  and  you can pass in more options via the COMMAND. But, some‐
479       times an operator may want to run something else inside the  container,
480       so  you  can  override  the  default  ENTRYPOINT  at runtime by using a
481       --entrypoint and a string to specify the new ENTRYPOINT.
482
483
484       You need to specify multi option commands in the form of a json string.
485
486
487   --env, -e=env
488       Set environment variables.
489
490
491       This option allows arbitrary environment variables that  are  available
492       for  the process to be launched inside of the container. If an environ‐
493       ment variable is specified without a value, Podman will check the  host
494       environment  for  a value and set the variable only if it is set on the
495       host. If an environment variable ending in * is specified, Podman  will
496       search  the host environment for variables starting with the prefix and
497       will add those variables to the container. If an  environment  variable
498       with a trailing ***** is specified, then a value must be supplied.
499
500
501       See Environment ⟨#environment⟩ note below for precedence and examples.
502
503
504   --env-host=true|false
505       Use  host  environment  inside  of  the container. See Environment note
506       below for precedence. (Not available for remote commands)
507
508
509   --env-file=file
510       Read in a line delimited file of environment variables. See Environment
511       note below for precedence.
512
513
514   --expose=port
515       Expose  a port, or a range of ports (e.g. --expose=3300-3310) to set up
516       port redirection on the host system.
517
518
519   --gidmap=container_gid:host_gid:amount
520       Run the container in a new user namespace using the  supplied  mapping.
521       This  option  conflicts with the --userns and --subgidname flags.  This
522       option can be passed several times to map different ranges. If  calling
523       podman run as an unprivileged user, the user needs to have the right to
524       use the mapping. See subuid(5).  The example maps gids  0-1999  in  the
525       container to the gids 30000-31999 on the host: --gidmap=0:30000:2000.
526
527
528       Important  note:  The  new  user namespace mapping based on --gidmap is
529       based on the initial mapping made in the  /etc/subgid  file.   Assuming
530       there is a  /etc/subgid  mapping groupname:100000:65536, then groupname
531       is initially mapped to a namespace starting with gid 100000  for  65536
532       ids.  From here the --gidmap mapping to the new namespace starts from 0
533       again, but is based on the initial mapping.  Meaning groupname is  ini‐
534       tially  mapped  to gid 100000 which is referenced as 0 in the following
535       --gidmap mapping. In terms of the example above: The group groupname is
536       mapped  to group 100000 of the initial namespace then the 30000st id of
537       this namespace (which is gid 130000 in this  namespace)  is  mapped  to
538       container namespace group id 0. (groupname -> 100000 / 30000 -> 0)
539
540
541   --group-add=group
542       Add additional groups to run as
543
544
545   --health-cmd="command" | '["command", arg1 , ...]'
546       Set  or  alter  a healthcheck command for a container. The command is a
547       command to be executed inside your container that determines your  con‐
548       tainer health. The command is required for other healthcheck options to
549       be applied. A value of none disables existing healthchecks.
550
551
552       Multiple options can be passed in the form of a JSON array;  otherwise,
553       the command will be interpreted as an argument to /bin/sh -c.
554
555
556   --health-interval=interval
557       Set an interval for the healthchecks. An interval of disable results in
558       no automatic timer setup. The default is 30s.
559
560
561   --health-retries=retries
562       The number of retries allowed before a healthcheck is considered to  be
563       unhealthy. The default value is 3.
564
565
566   --health-start-period=period
567       The  initialization time needed for a container to bootstrap. The value
568       can be expressed in time format like 2m3s. The default value is 0s.
569
570
571   --health-timeout=timeout
572       The maximum time allowed to complete the healthcheck before an interval
573       is  considered failed. Like start-period, the value can be expressed in
574       a time format such as 1m22s. The default value is 30s.
575
576
577   --help
578       Print usage statement
579
580
581   --hostname=name, -h
582       Container host name
583
584
585       Sets the container host name that is available  inside  the  container.
586       Can  only be used with a private UTS namespace --uts=private (default).
587       If --pod is specified and the pod shares the  UTS  namespace  (default)
588       the pod's hostname will be used.
589
590
591   --http-proxy=true|false
592       By default proxy environment variables are passed into the container if
593       set for the Podman process. This can be disabled by setting  the  value
594       to  false.   The  environment  variables  passed in include http_proxy,
595       https_proxy, ftp_proxy, no_proxy, and also the upper case  versions  of
596       those. This option is only needed when the host system must use a proxy
597       but the container should not use any proxy. Proxy environment variables
598       specified  for  the container in any other way will override the values
599       that would have been passed through from the host. (Other ways to spec‐
600       ify  the  proxy  for  the container include passing the values with the
601       --env flag, or hard coding the proxy  environment  at  container  build
602       time.) (Not available for remote commands)
603
604
605       Defaults to true.
606
607
608   --image-volume, builtin-volume=bind|tmpfs|ignore
609       Tells Podman how to handle the builtin image volumes. Default is bind.
610
611
612              · bind:  An  anonymous  named volume will be created and mounted
613                into the container.
614
615              · tmpfs: The volume is mounted onto the container  as  a  tmpfs,
616                which  allows the users to create content that disappears when
617                the container is stopped.
618
619              · ignore: All volumes are just ignored and no action is taken.
620
621
622
623   --init
624       Run an init inside the container that forwards signals and  reaps  pro‐
625       cesses.
626
627
628   --init-path=path
629       Path to the container-init binary.
630
631
632   --interactive, -i=true|false
633       When  set to true, keep stdin open even if not attached. The default is
634       false.
635
636
637   --ip6=ip
638       Not implemented.
639
640
641   --ip=ip
642       Specify  a  static  IP  address  for   the   container,   for   example
643       10.88.64.128.   This option can only be used if the container is joined
644       to only a single network - i.e., --network=_network-name_  is  used  at
645       most  once and if the container is not joining another container's net‐
646       work namespace  via  --network=container:_id_.   The  address  must  be
647       within the CNI network's IP address pool (default 10.88.0.0/16).
648
649
650   --ipc=mode
651       Set  the IPC namespace mode for a container. The default is to create a
652       private IPC namespace.
653
654
655              · container:id: reuses another container  shared  memory,  sema‐
656                phores and message queues
657
658              · host: use the host shared memory,semaphores and message queues
659                inside the container. Note: the host mode gives the  container
660                full access to local shared memory and is therefore considered
661                insecure.
662
663              · ns:path: path to an IPC namespace to join.
664
665
666
667   --kernel-memory=number[unit]
668       Kernel memory limit.  A  unit  can  be  b  (bytes),  k  (kilobytes),  m
669       (megabytes), or g (gigabytes).
670
671
672       Constrains  the kernel memory available to a container. If a limit of 0
673       is specified (not using --kernel-memory), the container's kernel memory
674       is  not limited. If you specify a limit, it may be rounded up to a mul‐
675       tiple of the operating system's page size and the  value  can  be  very
676       large, millions of trillions.
677
678
679   --label, -l=key=value
680       Add metadata to a container.
681
682
683   --label-file=file
684       Read in a line-delimited file of labels.
685
686
687   --link-local-ip=ip
688       Not implemented.
689
690
691   --log-driver="driver"
692       Logging  driver  for  the  container.  Currently  available options are
693       k8s-file, journald, and none, with json-file aliased  to  k8s-file  for
694       scripting compatibility.
695
696
697   --log-opt=name=value
698       Logging driver specific options.
699
700
701       Set custom logging configuration. The following *name*s are supported:
702
703
704       path: specify a path to the log file
705           (e.g. --log-opt path=/var/log/container/mycontainer.json);
706
707
708       max-size: specify a max size of the log file
709           (e.g. --log-opt max-size=10mb);
710
711
712       tag: specify a custom log tag for the container
713          (e.g. --log-opt tag="{{.ImageName}}".
714
715
716       This option is currently supported only by the journald log driver.
717
718
719   --mac-address=address
720       Container MAC address (e.g. 92:d0:c6:0a:29:33).
721
722
723       Remember  that  the  MAC address in an Ethernet network must be unique.
724       The IPv6 link-local address will be based on the device's  MAC  address
725       according to RFC4862.
726
727
728   --memory, -m=number[unit]
729       Memory limit. A unit can be b (bytes), k (kilobytes), m (megabytes), or
730       g (gigabytes).
731
732
733       Allows you to constrain the memory available to  a  container.  If  the
734       host  supports  swap  memory,  then the -m memory setting can be larger
735       than physical RAM. If a limit of 0 is specified  (not  using  -m),  the
736       container's  memory  is not limited. The actual limit may be rounded up
737       to a multiple of the operating system's page size (the value  would  be
738       very large, that's millions of trillions).
739
740
741   --memory-reservation=number[unit]
742       Memory  soft  limit.  A  unit  can  be  b  (bytes),  k  (kilobytes),  m
743       (megabytes), or g (gigabytes).
744
745
746       After setting memory reservation, when the system detects  memory  con‐
747       tention or low memory, containers are forced to restrict their consump‐
748       tion to their reservation. So you should always  set  the  value  below
749       --memory,  otherwise  the  hard limit will take precedence. By default,
750       memory reservation will be the same as memory limit.
751
752
753   --memory-swap=number[unit]
754       A limit value equal to memory plus swap.  A unit can be  b  (bytes),  k
755       (kilobytes), m (megabytes), or g (gigabytes).
756
757
758       Must  be  used  with the -m (--memory) flag.  The argument value should
759       always be larger than that of
760        -m (--memory) By default, it is set to double the value of --memory.
761
762
763       Set number to -1 to enable unlimited swap.
764
765
766   --memory-swappiness=number
767       Tune a container's  memory  swappiness  behavior.  Accepts  an  integer
768       between 0 and 100.
769
770
771   --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
772       Attach a filesystem mount to the container
773
774
775       Current  supported  mount  TYPEs  are  bind,  volume,  image, tmpfs and
776       devpts. [1] ⟨#Footnote1⟩
777
778
779                 e.g.
780
781                 type=bind,source=/path/on/host,destination=/path/in/container
782
783                 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
784
785                 type=volume,source=vol1,destination=/path/in/container,ro=true
786
787                 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
788
789                 type=image,source=fedora,destination=/fedora-image,rw=true
790
791                 type=devpts,destination=/dev/pts
792
793                 Common Options:
794
795                    · src, source: mount source spec for bind and volume. Mandatory for bind.
796
797                    · dst, destination, target: mount destination spec.
798
799                 Options specific to volume:
800
801                    · ro, readonly: true or false (default).
802
803                 Options specific to image:
804
805                    · rw, readwrite: true or false (default).
806
807                 Options specific to bind:
808
809                    · ro, readonly: true or false (default).
810
811                    · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2).
812
813                    . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
814
815                    . relabel: shared, private.
816
817                 Options specific to tmpfs:
818
819                    · ro, readonly: true or false (default).
820
821                    · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
822
823                    · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
824
825                    · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
826
827                    · notmpcopyup: Disable copying files from the image to the tmpfs.
828
829
830
831   --name=name
832       Assign a name to the container.
833
834
835       The operator can identify a container in three ways:
836
837
838              · UUID                      long                      identifier
839                (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
840
841              · UUID short identifier (“f78375b1c487”);
842
843              · Name (“jonah”).
844
845
846
847       Podman generates a UUID for each  container,  and  if  a  name  is  not
848       assigned  to  the  container with --name then it will generate a random
849       string name. The name is useful any place you need to identify  a  con‐
850       tainer.  This works for both background and foreground containers.
851
852
853   --network=mode, --net
854       Set  the  network  mode  for  the  container.  Invalid  if using --dns,
855       --dns-opt, or --dns-search with --network that is set to none  or  con‐
856       tainer:id. If used together with --pod, the container will not join the
857       pods network namespace.
858
859
860       Valid mode values are:
861
862
863              · bridge: create a network stack on the default bridge;
864
865              · none: no networking;
866
867              · container:id: reuse another container's network stack;
868
869              · host: use the Podman host network stack. Note: the  host  mode
870                gives  the container full access to local system services such
871                as D-bus and is therefore considered insecure;
872
873              · network-id: connect to a user-defined network,  multiple  net‐
874                works should be comma separated;
875
876              · ns:path: path to a network namespace to join;
877
878              · private: create a new namespace for the container (default)
879
880              · slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
881                network stack. This is the default for rootless containers. It
882                is possible to specify these additional options:
883
884                · allow_host_loopback=true|false:  Allow  the  slirp4netns  to
885                  reach the host loopback IP (10.0.2.2). Default is false.
886
887                · mtu=MTU: Specify the MTU to use for this  network.  (Default
888                  is 65520).
889
890                · cidr=CIDR:  Specify  ip  range  to  use  for  this  network.
891                  (Default is 10.0.2.0/24).
892
893                · enable_ipv6=true|false:  Enable  IPv6.  Default  is   false.
894                  (Required for outbound_addr6).
895
896                · outbound_addr=INTERFACE:   Specify  the  outbound  interface
897                  slirp should bind to (ipv4 traffic only).
898
899                · outbound_addr=IPv4: Specify the outbound ipv4 address  slirp
900                  should bind to.
901
902                · outbound_addr6=INTERFACE:  Specify  the  outbound  interface
903                  slirp should bind to (ipv6 traffic only).
904
905                · outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
906                  should bind to.
907
908                · port_handler=rootlesskit:  Use rootlesskit for port forward‐
909                  ing. Default.
910
911                · port_handler=slirp4netns: Use the slirp4netns port  forward‐
912                  ing.
913
914
915
916
917
918   --network-alias=alias
919       Add network-scoped alias for the container
920
921
922   --no-healthcheck=true|false
923       Disable any defined healthchecks for container.
924
925
926   --no-hosts=true|false
927       Do not create /etc/hosts for the container.
928
929
930       By  default,  Podman will manage /etc/hosts, adding the container's own
931       IP address and any hosts from --add-host.
932
933
934   --no-hosts disables this, and the  image's  /etc/hosts  will  be  preserved
935       unmodified.
936       This option conflicts with --add-host.
937
938
939   --oom-kill-disable=true|false
940       Whether to disable OOM Killer for the container or not.
941
942
943   --oom-score-adj=num
944       Tune  the  host's  OOM  preferences for containers (accepts values from
945       -1000 to 1000).
946
947
948   --os=OS
949       Override the OS, defaults to hosts, of the  image  to  be  pulled.  For
950       example, windows.
951
952
953   --pid=mode
954       Set  the PID namespace mode for the container.  The efault is to create
955       a private PID namespace for the container.
956
957
958              · container:id: join another container's PID namespace;
959
960              · host: use the host's PID namespace for the container. Note the
961                host  mode gives the container full access to local PID and is
962                therefore considered insecure;
963
964              · private: create a new namespace for the container (default)
965
966              · ns:path: join the specified PID namespace.
967
968
969
970   --pids-limit=limit
971       Tune the container's pids limit. Set to 0 to have  unlimited  pids  for
972       the  container.  The  default  is  4096  on systems that support "pids"
973       cgroup controller.
974
975
976   --platform=OS/ARCH
977       Specify the platform for selecting the image.  (Conflicts  with  --arch
978       and  --os)  The  --platform  option can be used to override the current
979       architecture and operating system.
980
981
982   --pod=name
983       Run container in an existing pod. If you want Podman to  make  the  pod
984       for you, prefix the pod name with new:.  To make a pod with more granu‐
985       lar options, use the podman pod create command before creating  a  con‐
986       tainer.   If  a  container  is  run  with  a  pod,  and  the pod has an
987       infra-container, the infra-container will be started  before  the  con‐
988       tainer is.
989
990
991   --pod-id-file=path
992       Run  container in an existing pod and read the pod's ID from the speci‐
993       fied file.  If a container is run within a pod,  and  the  pod  has  an
994       infra-container,  the  infra-container  will be started before the con‐
995       tainer is.
996
997
998   --preserve-fds=N
999       Pass down to the process N additional file descriptors (in addition  to
1000       0, 1, 2).  The total FDs will be 3+N.
1001
1002
1003   --privileged=true|false
1004       Give extended privileges to this container. The default is false.
1005
1006
1007       By default, Podman containers are unprivileged (=false) and cannot, for
1008       example, modify parts of the  operating  system.  This  is  because  by
1009       default a container is only allowed limited access to devices. A "priv‐
1010       ileged" container is given the same  access  to  devices  as  the  user
1011       launching the container.
1012
1013
1014       A privileged container turns off the security features that isolate the
1015       container  from  the  host.  Dropped  Capabilities,  limited   devices,
1016       read-only  mount  points, Apparmor/SELinux separation, and Seccomp fil‐
1017       ters are all disabled.
1018
1019
1020       Rootless containers cannot have more privileges than the  account  that
1021       launched them.
1022
1023
1024   --publish, -p=ip:hostPort:containerPort | ip::containerPort | hostPort:con‐
1025       tainerPort | containerPort
1026       Publish a container's port, or range of ports, to the host.
1027
1028
1029       Both hostPort and containerPort can be specified as a range of ports.
1030
1031
1032       When specifying ranges for both, the number of container ports  in  the
1033       range must match the number of host ports in the range.
1034
1035
1036       If  host IP is set to 0.0.0.0 or not set at all, the port will be bound
1037       on all IPs on the host.
1038
1039
1040       Host  port  does  not  have  to  be  specified  (e.g.  podman  run   -p
1041       127.0.0.1::80).   If  it  is  not,  the container port will be randomly
1042       assigned a port on the host.
1043
1044
1045       Use podman port to see the actual mapping: podman port $CONTAINER $CON‐
1046       TAINERPORT.
1047
1048
1049       Note:  if  a container will be run within a pod, it is not necessary to
1050       publish the port for the containers in the pod. The port must  only  be
1051       published  by  the  pod itself. Pod network stacks act like the network
1052       stack on the host - you have a variety of containers in  the  pod,  and
1053       programs  in  the  container,  all  sharing  a  single interface and IP
1054       address, and associated ports. If one container binds  to  a  port,  no
1055       other  container  can  use that port within the pod while it is in use.
1056       Containers in the pod can also communicate over localhost by having one
1057       container  bind  to  localhost  in the pod, and another connect to that
1058       port.
1059
1060
1061   --publish-all, -P=true|false
1062       Publish all exposed ports to random ports on the host  interfaces.  The
1063       default is false.
1064
1065
1066       When set to true, publish all exposed ports to the host interfaces. The
1067       default is false. If the operator uses -P (or -p) then Podman will make
1068       the exposed port accessible on the host and the ports will be available
1069       to any client that can reach the host.
1070
1071
1072       When using this option, Podman will bind any exposed port to  a  random
1073       port   on   the   host  within  an  ephemeral  port  range  defined  by
1074       /proc/sys/net/ipv4/ip_local_port_range.  To find  the  mapping  between
1075       the host ports and the exposed ports, use podman port.
1076
1077
1078   --pull=always|missing|never
1079       Pull image before running. The default is missing.
1080
1081
1082              · missing:  attempt to pull the latest image from the registries
1083                listed  in  registries.conf  if  a  local   image   does   not
1084                exist.Raise  an  error  if the image is not in any listed reg‐
1085                istry and is not present locally.
1086
1087              · always: Pull the image from the first registry it is found  in
1088                as  listed  in registries.conf. Raise an error if not found in
1089                the registries, even if the image is present locally.
1090
1091              · never: do not pull the image from the registry, use  only  the
1092                local  version.  Raise  an  error  if the image is not present
1093                locally.
1094
1095
1096
1097   --quiet, -q
1098       Suppress output information when pulling images
1099
1100
1101   --read-only=true|false
1102       Mount the container's root filesystem as read only.
1103
1104
1105       By default a container will have its root filesystem writable  allowing
1106       processes  to write files anywhere. By specifying the --read-only flag,
1107       the container will have its root filesystem mounted as read  only  pro‐
1108       hibiting any writes.
1109
1110
1111   --read-only-tmpfs=true|false
1112       If  container  is  running in --read-only mode, then mount a read-write
1113       tmpfs on /run, /tmp, and /var/tmp. The default is true.
1114
1115
1116   --replace=true|false
1117       If another container with the same name  already  exists,  replace  and
1118       remove it. The default is false.
1119
1120
1121   --restart=policy
1122       Restart policy to follow when containers exit.  Restart policy will not
1123       take effect if a container is stopped via the  podman  kill  or  podman
1124       stop commands.
1125
1126
1127       Valid policy values are:
1128
1129
1130              · no                       : Do not restart containers on exit
1131
1132              · on-failure[:max_retries]  :  Restart containers when they exit
1133                with a non-zero exit code, retrying indefinitely or until  the
1134                optional max_retries count is hit
1135
1136              · always                    : Restart containers when they exit,
1137                regardless of status, retrying indefinitely
1138
1139              · unless-stopped           : Identical to always
1140
1141
1142
1143       Please note that restart will not restart  containers  after  a  system
1144       reboot.  If this functionality is required in your environment, you can
1145       invoke Podman from a systemd.unit(5) file, or create an init script for
1146       whichever  init  system  is  in  use.   To generate systemd unit files,
1147       please see podman generate systemd.
1148
1149
1150   --rm=true|false
1151       Automatically remove the container when it exits. The default is false.
1152
1153
1154   --rmi=true|false
1155       After exit of the container, remove the image unless another  container
1156       is using it. The default is false.
1157
1158
1159   --rootfs
1160       If specified, the first argument refers to an exploded container on the
1161       file system.
1162
1163
1164       This is useful to run a container without requiring any  image  manage‐
1165       ment, the rootfs of the container is assumed to be managed externally.
1166
1167
1168       Note:  On SELinux systems, the rootfs needs the correct label, which is
1169       by default unconfined_u:object_r:container_file_t.
1170
1171
1172   --sdnotify=container|conmon|ignore
1173       Determines how to use the NOTIFY_SOCKET, as  passed  with  systemd  and
1174       Type=notify.
1175
1176
1177       Default  is  container,  which means allow the OCI runtime to proxy the
1178       socket into the container to receive ready  notification.  Podman  will
1179       set  the  MAINPID  to  conmon's pid.  The conmon option sets MAINPID to
1180       conmon's pid, and sends READY  when  the  container  has  started.  The
1181       socket  is  never  passed  to the runtime or the container.  The ignore
1182       option removes NOTIFY_SOCKET from the environment for itself and  child
1183       processes,  for  the  case  where  some other process above Podman uses
1184       NOTIFY_SOCKET and Podman should not use it.
1185
1186
1187   --seccomp-policy=policy
1188       Specify the policy to select the seccomp profile. If set to image, Pod‐
1189       man  will  look  for  a  "io.podman.seccomp.profile"  label in the con‐
1190       tainer-image config and use its value as a seccomp profile.  Otherwise,
1191       Podman  will  follow the default policy by applying the default profile
1192       unless specified otherwise  via  --security-opt  seccomp  as  described
1193       below.
1194
1195
1196       Note that this feature is experimental and may change in the future.
1197
1198
1199   --security-opt=option
1200       Security Options
1201
1202
1203              · apparmor=unconfined  :  Turn  off apparmor confinement for the
1204                container
1205
1206              · apparmor=your-profile : Set the apparmor  confinement  profile
1207                for the container
1208
1209              · label=user:USER:  Set  the  label  user for the container pro‐
1210                cesses
1211
1212              · label=role:ROLE: Set the label role  for  the  container  pro‐
1213                cesses
1214
1215              · label=type:TYPE:  Set the label process type for the container
1216                processes
1217
1218              · label=level:LEVEL: Set the label level for the container  pro‐
1219                cesses
1220
1221              · label=filetype:TYPE_:  Set  the  label  file type for the con‐
1222                tainer files
1223
1224              · label=disable: Turn off label separation for the container
1225
1226              · mask=/path/1:/path/2: The paths to mask separated by a  colon.
1227                A masked path cannot be accessed inside the container.
1228
1229              · no-new-privileges:  Disable  container  processes from gaining
1230                additional privileges
1231
1232              · seccomp=unconfined: Turn off seccomp confinement for the  con‐
1233                tainer
1234
1235              · seccomp=profile.json:  Allowed  syscall list seccomp JSON file
1236                to be used as a seccomp filter
1237
1238              · proc-opts=OPTIONS : Comma separated list of options to use for
1239                the  /proc  mount. More details for the possible mount options
1240                are specified at proc(5) man page.
1241
1242              · unmask=ALL or /path/1:/path/2: Paths to unmask separated by  a
1243                colon.  If  set  to ALL, it will unmask all the paths that are
1244                masked or made read only by default.  The default masked paths
1245                are  /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats,
1246                /proc/sched_debug,        /proc/scsi,        /proc/timer_list,
1247                /proc/timer_stats,  /sys/firmware,  and /sys/fs/selinux..  The
1248                default paths that are read only are /proc/asound,  /proc/bus,
1249                /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger.
1250
1251
1252
1253       Note:   Labeling   can  be  disabled  for  all  containers  by  setting
1254       label=false in the containers.conf(5) file.
1255
1256
1257   --shm-size=number[unit]
1258       Size  of  /dev/shm.  A  unit  can  be  b  (bytes),  k  (kilobytes),   m
1259       (megabytes),  or  g (gigabytes).  If you omit the unit, the system uses
1260       bytes. If you omit the size entirely, the default is 64m.  When size is
1261       0,  there  is no limit on the amount of memory used for IPC by the con‐
1262       tainer.
1263
1264
1265   --sig-proxy=true|false
1266       Sets whether the signals sent to the podman run command are proxied  to
1267       the  container  process. SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
1268       The default is true.
1269
1270
1271   --stop-signal=signal
1272       Signal to stop a container. Default is SIGTERM.
1273
1274
1275   --stop-timeout=seconds
1276       Timeout to stop a container. Default is  10.   Remote  connections  use
1277       local containers.conf for defaults
1278
1279
1280   --subgidname=name
1281       Run  the  container  in a new user namespace using the map with name in
1282       the /etc/subgid file.  If calling podman run as an  unprivileged  user,
1283       the  user  needs  to  have the right to use the mapping. See subgid(5).
1284       This flag conflicts with --userns and --gidmap.
1285
1286
1287   --subuidname=name
1288       Run the container in a new user namespace using the map  with  name  in
1289       the  /etc/subuid  file.  If calling podman run as an unprivileged user,
1290       the user needs to have the right to use  the  mapping.  See  subuid(5).
1291       This flag conflicts with --userns and --uidmap.
1292
1293
1294   --sysctl=name=value
1295       Configure namespaced kernel parameters at runtime.
1296
1297
1298       For the IPC namespace, the following sysctls are allowed:
1299
1300
1301              · kernel.msgmax
1302
1303              · kernel.msgmnb
1304
1305              · kernel.msgmni
1306
1307              · kernel.sem
1308
1309              · kernel.shmall
1310
1311              · kernel.shmmax
1312
1313              · kernel.shmmni
1314
1315              · kernel.shm_rmid_forced
1316
1317              · Sysctls beginning with fs.mqueue.*
1318
1319
1320
1321       Note:  if  you use the --ipc=host option, the above sysctls will not be
1322       allowed.
1323
1324
1325       For the network namespace, the following sysctls are allowed:
1326
1327
1328              · Sysctls beginning with net.*
1329
1330
1331
1332       Note: if you use the --network=host option, these sysctls will  not  be
1333       allowed.
1334
1335
1336   --systemd=true|false|always
1337       Run container in systemd mode. The default is true.
1338
1339
1340       The  value always enforces the systemd mode is enforced without looking
1341       at the executable name. Otherwise, if set to true and the  command  you
1342       are running inside the container is systemd, /usr/sbin/init, /sbin/init
1343       or /usr/local/sbin/init.
1344
1345
1346       If the command you are running inside of the container is systemd  Pod‐
1347       man will setup tmpfs mount points in the following directories:
1348
1349
1350              · /run
1351
1352              · /run/lock
1353
1354              · /tmp
1355
1356              · /sys/fs/cgroup/systemd
1357
1358              · /var/lib/journal
1359
1360
1361
1362       It will also set the default stop signal to SIGRTMIN+3.
1363
1364
1365       This  allows systemd to run in a confined container without any modifi‐
1366       cations.
1367
1368
1369       Note that on SELinux systems, systemd attempts to write to  the  cgroup
1370       file system. Containers writing to the cgroup file system are denied by
1371       default.  The container_manage_cgroup boolean must be enabled for  this
1372       to be allowed on an SELinux separated system.
1373
1374
1375              setsebool -P container_manage_cgroup true
1376
1377
1378
1379   --tmpfs=fs
1380       Create a tmpfs mount.
1381
1382
1383       Mount  a temporary filesystem (tmpfs) mount into a container, for exam‐
1384       ple:
1385
1386
1387              $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
1388
1389
1390
1391       This command mounts a tmpfs at /tmp within the container. The supported
1392       mount  options are the same as the Linux default mount flags. If you do
1393       not specify any  options,  the  systems  uses  the  following  options:
1394       rw,noexec,nosuid,nodev.
1395
1396
1397   --tty, -t=true|false
1398       Allocate a pseudo-TTY. The default is false.
1399
1400
1401       When  set  to true, Podman will allocate a pseudo-tty and attach to the
1402       standard input of the container. This can be used, for example, to  run
1403       a throwaway interactive shell. The default is false.
1404
1405
1406       NOTE:  The --tty flag prevents redirection of standard output.  It com‐
1407       bines STDOUT and STDERR, it can insert control characters, and  it  can
1408       hang pipes. This option should only be used when run interactively in a
1409       terminal. When feeding input to Podman, use -i only, not -it.
1410
1411
1412              echo "asdf" | podman run --rm -i someimage /bin/cat
1413
1414
1415
1416   --tz=timezone
1417       Set timezone in container. This flag takes  area-based  timezones,  GMT
1418       time,  as  well  as  local, which sets the timezone in the container to
1419       match the host machine. See /usr/share/zoneinfo/ for  valid  timezones.
1420       Remote connections use local containers.conf for defaults
1421
1422
1423   --umask=umask
1424       Set  the  umask inside the container. Defaults to 0022.  Remote connec‐
1425       tions use local containers.conf for defaults
1426
1427
1428   --uidmap=container_uid:host_uid:amount
1429       Run the container in a new user namespace using the  supplied  mapping.
1430       This  option  conflicts with the --userns and --subuidname flags.  This
1431       option can be passed several times to map different ranges. If  calling
1432       podman run as an unprivileged user, the user needs to have the right to
1433       use the mapping. See subuid(5).
1434
1435
1436       The following example maps uids 0-1999 in the  container  to  the  uids
1437       30000-31999 on the host: --uidmap=0:30000:2000.
1438
1439
1440       Important  note:  The  new  user namespace mapping based on --uidmap is
1441       based on the initial mapping made in the  /etc/subuid  file.   Assuming
1442       there  is  a  /etc/subuid  mapping username:100000:65536, then username
1443       is initially mapped to a namespace starting with uid 100000  for  65536
1444       ids.  From here the --uidmap mapping to the new namespace starts from 0
1445       again, but is based on the initial mapping.  Meaning username  is  ini‐
1446       tially  mapped  to uid 100000 which is referenced as 0 in the following
1447       --uidmap mapping. In terms of the example above: The user  username  is
1448       mapped  to  user 100000 of the initial namespace then the 30000st id of
1449       this namespace (which is uid 130000 in this  namespace)  is  mapped  to
1450       container namespace user id 0. (username -> 100000 / 30000 -> 0)
1451
1452
1453       Note:  A minimal mapping has to have at least container uid 0 mapped to
1454       the parent user namespace.
1455
1456
1457   --ulimit=option
1458       Ulimit options. You can use host to copy the current configuration from
1459       the host.
1460
1461
1462   --user, -u=[user | user:group | uid | uid:gid | user:gid | uid:group ]
1463       Sets  the  username or UID used and optionally the groupname or GID for
1464       the specified command.
1465
1466
1467       Without this argument, the command will run as the  user  specified  in
1468       the  container  image.  Unless overridden by a USER command in the Con‐
1469       tainerfile or by a value passed to this  option,  this  user  generally
1470       defaults to root.
1471
1472
1473       When  a  user  namespace is not in use, the UID and GID used within the
1474       container and on the host will match. When user namespaces are in  use,
1475       however, the UID and GID in the container may correspond to another UID
1476       and GID on the host. In rootless containers, for example, a user names‐
1477       pace  is  always used, and root in the container will by default corre‐
1478       spond to the UID and GID of the user invoking Podman.
1479
1480
1481   --userns=auto|host|keep-id|container:id|ns:namespace
1482       Set the user namespace mode for the container. It defaults to the  POD‐
1483       MAN_USERNS  environment variable. An empty value ("") means user names‐
1484       paces are  disabled  unless  an  explicit  mapping  is  set  with  they
1485       --uidmapping and --gidmapping options.
1486
1487
1488              · auto:  automatically  create  a  namespace.  It is possible to
1489                specify other options  to  auto.  The  supported  options  are
1490                size=SIZE  to  specify an explicit size for the automatic user
1491                namespace. e.g. --userns=auto:size=8192. If size is not speci‐
1492                fied,  auto will guess a size for the user namespace.  uidmap‐
1493                ping=HOST_UID:CONTAINER_UID:SIZE to force a UID mapping to  be
1494                present   in  the  user  namespace.   gidmapping=HOST_UID:CON‐
1495                TAINER_UID:SIZE to force a GID mapping to be  present  in  the
1496                user namespace.
1497
1498              · host:  run  in the user namespace of the caller. The processes
1499                running in the container will have the same privileges on  the
1500                host  as  any  other  process  launched  by  the  calling user
1501                (default).
1502
1503              · keep-id: creates a user namespace where the  current  rootless
1504                user's UID:GID are mapped to the same values in the container.
1505                This option is ignored for  containers  created  by  the  root
1506                user.
1507
1508              · ns: run the container in the given existing user namespace.
1509
1510              · private: create a new namespace for the container.
1511
1512              · container: join the user namespace of the specified container.
1513
1514
1515
1516       This  option  is incompatible with --gidmap, --uidmap, --subuidname and
1517       --subgidname.
1518
1519
1520   --uts=mode
1521       Set the UTS namespace mode for the container. The following values  are
1522       supported:
1523
1524
1525              · host: use the host's UTS namespace inside the container.
1526
1527              · private: create a new namespace for the container (default).
1528
1529              · ns:[path]:  run the container in the given existing UTS names‐
1530                pace.
1531
1532              · container:[container]: join the UTS namespace of the specified
1533                container.
1534
1535
1536
1537   --variant=VARIANT
1538       Use  VARIANT  instead  of  the default architecture variant of the con‐
1539       tainer image. Some images can use multiple variants of the  arm  archi‐
1540       tectures, such as arm/v5 and arm/v7.
1541
1542
1543   --volume, -v[=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]
1544       Create  a  bind  mount. If you specify /HOST-DIR:/CONTAINER-DIR, Podman
1545       bind mounts host-dir in the host to CONTAINER-DIR in  the  Podman  con‐
1546       tainer.  Similarly,  SOURCE-VOLUME:/CONTAINER-DIR will mount the volume
1547       in the host to the container. If no such named  volume  exists,  Podman
1548       will create one.
1549
1550
1551       The options is a comma delimited list and can be: [1] ⟨#Footnote1⟩
1552
1553
1554              · rw|ro
1555
1556              · z|Z
1557
1558              · [r]shared|[r]slave|[r]private[r]unbindable
1559
1560              · [r]bind
1561
1562              · [no]exec
1563
1564              · [no]dev
1565
1566              · [no]suid
1567
1568              · [O]
1569
1570
1571
1572       The  CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
1573       ume will be mounted into the container at this directory.
1574
1575
1576       Volumes may specify a source as well, as either a directory on the host
1577       or  the  name of a named volume. If no source is given, the volume will
1578       be created as an anonymously named volume  with  a  randomly  generated
1579       name,  and  will  be removed when the container is removed via the --rm
1580       flag or podman rm --volumes.
1581
1582
1583       If a volume source is specified, it must be a path on the host  or  the
1584       name  of a named volume. Host paths are allowed to be absolute or rela‐
1585       tive; relative paths are resolved relative to the directory  Podman  is
1586       run  in.  If  the  source  does not exist, Podman will return an error.
1587       Users must pre-create the source files or directories.
1588
1589
1590       Any source that does not begin with a . or / will  be  treated  as  the
1591       name  of  a named volume. If a volume with that name does not exist, it
1592       will be created.  Volumes created with names  are  not  anonymous,  and
1593       they  are  not  removed  by the --rm option and the podman rm --volumes
1594       command.
1595
1596
1597       You can specify multiple -v options to mount one or more volumes into a
1598       container.
1599
1600
1601       Write Protected Volume Mounts
1602
1603
1604       You  can  add  :ro  or  :rw  option  to  mount a volume in read-only or
1605       read-write mode, respectively. By  default,  the  volumes  are  mounted
1606       read-write.
1607
1608
1609       Labeling Volume Mounts
1610
1611
1612       Labeling  systems like SELinux require that proper labels are placed on
1613       volume content mounted into a container. Without a label, the  security
1614       system  might  prevent  the processes running inside the container from
1615       using the content. By default, Podman does not change the labels set by
1616       the OS.
1617
1618
1619       To  change  a label in the container context, you can add either of two
1620       suffixes :z or :Z to the volume mount. These suffixes  tell  Podman  to
1621       relabel  file  objects on the shared volumes. The z option tells Podman
1622       that two containers share the  volume  content.  As  a  result,  Podman
1623       labels  the  content  with a shared content label. Shared volume labels
1624       allow all containers to read/write content.  The Z option tells  Podman
1625       to label the content with a private unshared label.
1626
1627
1628       Overlay Volume Mounts
1629
1630
1631       The :O flag tells Podman to mount the directory from the host as a tem‐
1632       porary storage using the overlay file system. The  container  processes
1633       can  modify  content  within the mountpoint which is stored in the con‐
1634       tainer storage in a separate directory. In overlay  terms,  the  source
1635       directory  will  be the lower, and the container storage directory will
1636       be the upper. Modifications to the mount point are destroyed  when  the
1637       container  finishes  executing,  similar  to  a tmpfs mount point being
1638       unmounted.
1639
1640
1641       Subsequent executions of the container will  see  the  original  source
1642       directory  content,  any  changes from previous container executions no
1643       longer exist.
1644
1645
1646       One use case of the overlay mount is sharing the package cache from the
1647       host into the container to allow speeding up builds.
1648
1649
1650       Note:
1651
1652
1653               - The `O` flag conflicts with other options listed above.
1654
1655
1656
1657       Content mounted into the container is labeled with the private label.
1658              On SELinux systems, labels in the source directory must be read‐
1659       able by the container label. Usually containers can  read/execute  con‐
1660       tainer_share_t  and  can  read/write  container_file_t.  If you can not
1661       change the labels on a source volume, SELinux container separation must
1662       be disabled for the container to work.
1663            -  The source directory mounted into the container with an overlay
1664       mount should not be modified, it can cause unexpected failures.  It  is
1665       recommended  that  you  do not modify the directory until the container
1666       finishes running.
1667
1668
1669       Only the current container can use a private volume.
1670
1671
1672       Mounts propagation
1673
1674
1675       By default bind mounted volumes are private. That means any mounts done
1676       inside  container  will  not be visible on host and vice versa. One can
1677       change this behavior by specifying a volume mount propagation property.
1678       Making  a  volume shared mounts done under that volume inside container
1679       will be visible on host and vice versa. Making a volume  slave  enables
1680       only  one  way  mount propagation and that is mounts done on host under
1681       that volume will be visible inside container  but  not  the  other  way
1682       around. [1] ⟨#Footnote1⟩
1683
1684
1685       To  control mount propagation property of volume one can use [r]shared,
1686       [r]slave, [r]private or [r]unbindable  propagation  flag.   Propagation
1687       property  can  be  specified  only for bind mounted volumes and not for
1688       internal volumes or named volumes. For mount propagation to work source
1689       mount  point  (mount  point where source dir is mounted on) has to have
1690       right propagation properties. For shared volumes,  source  mount  point
1691       has  to be shared. And for slave volumes, source mount has to be either
1692       shared or slave.  [1] ⟨#Footnote1⟩
1693
1694
1695       If you want to recursively mount a volume and all of its submounts into
1696       a  container,  then  you  can use the rbind option. By default the bind
1697       option is used, and submounts of  the  source  directory  will  not  be
1698       mounted into the container.
1699
1700
1701       Mounting  the  volume  with the nosuid options means that SUID applica‐
1702       tions on the volume will not be able  to  change  their  privilege.  By
1703       default volumes are mounted with nosuid.
1704
1705
1706       Mounting the volume with the noexec option means that no executables on
1707       the volume will be able to executed within the container.
1708
1709
1710       Mounting the volume with the nodev option means that no devices on  the
1711       volume  will  be  able to be used by processes within the container. By
1712       default volumes are mounted with nodev.
1713
1714
1715       If the host-dir is a mount point, then dev, suid, and exec options  are
1716       ignored by the kernel.
1717
1718
1719       Use df $hostdir to figure out the source mount, and then use findmnt -o
1720       TARGET,PROPAGATION source-mount-dir to figure out  propagation  proper‐
1721       ties  of source mount. If findmnt[4m(1) utility is not available, then one
1722       can look at mount entry for source mount point in /proc/self/mountinfo.
1723       Look at the "optional fields" and see if any propagation properties are
1724       specified.  In there, shared:N means  the  mount  is  shared,  master:N
1725       means  mount  is  slave, and if nothing is there, the mount is private.
1726       [1] ⟨#Footnote1⟩
1727
1728
1729       To change propagation properties of a mount point,  use  mount(8)  com‐
1730       mand.  For  example,  if one wants to bind mount source directory /foo,
1731       one  can  do  mount  --bind  /foo   /foo   and   mount   --make-private
1732       --make-shared  /foo.  This will convert /foo into a shared mount point.
1733       Alternatively, one can directly change propagation properties of source
1734       mount. Say, if / is source mount for /foo, then use mount --make-shared
1735       / to convert / into a shared mount.
1736
1737
1738   --volumes-from[=CONTAINER[:OPTIONS]]
1739       Mount volumes from the specified container(s). Used  to  share  volumes
1740       between containers. The options is a comma delimited list with the fol‐
1741       lowing available elements:
1742
1743
1744              · rw|ro
1745
1746              · z
1747
1748
1749
1750       Mounts already mounted volumes from a  source  container  onto  another
1751       container. You must supply the source's container-id or container-name.
1752       To share a volume, use the --volumes-from option when running the  tar‐
1753       get  container.  You  can share volumes even if the source container is
1754       not running.
1755
1756
1757       By default, Podman mounts the volumes in the same mode  (read-write  or
1758       read-only)  as  it  is mounted in the source container.  You can change
1759       this by adding a ro or rw option.
1760
1761
1762       Labeling systems like SELinux require that proper labels are placed  on
1763       volume  content mounted into a container. Without a label, the security
1764       system might prevent the processes running inside  the  container  from
1765       using the content. By default, Podman does not change the labels set by
1766       the OS.
1767
1768
1769       To change a label in the container context, you can add z to the volume
1770       mount.   This suffix tells Podman to relabel file objects on the shared
1771       volumes. The z option tells Podman that two containers share the volume
1772       content.  As  a result, Podman labels the content with a shared content
1773       label. Shared volume labels allow all containers to read/write content.
1774
1775
1776       If the location of the volume from the source container  overlaps  with
1777       data residing on a target container, then the volume hides that data on
1778       the target.
1779
1780
1781   --workdir, -w=dir
1782       Working directory inside the container.
1783
1784
1785       The default working directory for running binaries within  a  container
1786       is  the  root  directory  (/).  The image developer can set a different
1787       default with the WORKDIR instruction. The  operator  can  override  the
1788       working directory by using the -w option.
1789
1790

Exit Status

1792       The exit code from podman run gives information about why the container
1793       failed to run or why it exited. When podman run exits with  a  non-zero
1794       code, the exit codes follow the chroot(1) standard, see below:
1795
1796
1797       125 The error is with Podman itself
1798
1799
1800              $ podman run --foo busybox; echo $?
1801              Error: unknown flag: --foo
1802              125
1803
1804
1805
1806       126 The contained command cannot be invoked
1807
1808
1809              $ podman run busybox /etc; echo $?
1810              Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
1811              126
1812
1813
1814
1815       127 The contained command cannot be found
1816
1817
1818              $ podman run busybox foo; echo $?
1819              Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
1820              127
1821
1822
1823
1824       Exit code contained command exit code
1825
1826
1827              $ podman run busybox /bin/sh -c 'exit 3'; echo $?
1828              3
1829
1830
1831

EXAMPLES

1833   Running container in read-only mode
1834       During  container  image development, containers often need to write to
1835       the image content. Installing packages into /usr, for example. In  pro‐
1836       duction,  applications  seldom  need  to write to the image.  Container
1837       applications write to volumes if they need to write to file systems  at
1838       all.  Applications can be made more secure by running them in read-only
1839       mode using the --read-only switch.  This protects the containers  image
1840       from  modification. Read only containers may still need to write tempo‐
1841       rary data. The best way to handle this is to mount tmpfs directories on
1842       /run and /tmp.
1843
1844
1845              $ podman run --read-only -i -t fedora /bin/bash
1846
1847              $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
1848
1849
1850
1851   Exposing log messages from the container to the host's log
1852       If  you  want  messages that are logged in your container to show up in
1853       the host's syslog/journal then  you  should  bind  mount  the  /dev/log
1854       directory as follows.
1855
1856
1857              $ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
1858
1859
1860
1861       From inside the container you can test this by sending a message to the
1862       log.
1863
1864
1865              (bash)# logger "Hello from my container"
1866
1867
1868
1869       Then exit and check the journal.
1870
1871
1872              (bash)# exit
1873
1874              $ journalctl -b | grep Hello
1875
1876
1877
1878       This should list the message sent to logger.
1879
1880
1881   Attaching to one or more from STDIN, STDOUT, STDERR
1882       If you do not specify -a, Podman will attach everything (stdin, stdout,
1883       stderr).   You  can  specify  to  which  of  the three standard streams
1884       (stdin, stdout, stderr) you'd like to connect instead, as in:
1885
1886
1887              $ podman run -a stdin -a stdout -i -t fedora /bin/bash
1888
1889
1890
1891   Sharing IPC between containers
1892       Using             shm_server.c             available              here:
1893       https://www.cs.cf.ac.uk/Dave/C/node27.html
1894
1895
1896       Testing --ipc=host mode:
1897
1898
1899       Host  shows a shared memory segment with 7 pids attached, happens to be
1900       from httpd:
1901
1902
1903              $ sudo ipcs -m
1904
1905              ------ Shared Memory Segments --------
1906              key        shmid      owner      perms      bytes      nattch     status
1907              0x01128e25 0          root       600        1000       7
1908
1909
1910
1911       Now run a regular container, and it correctly does NOT see  the  shared
1912       memory segment from the host:
1913
1914
1915              $ podman run -it shm ipcs -m
1916
1917              ------ Shared Memory Segments --------
1918              key        shmid      owner      perms      bytes      nattch     status
1919
1920
1921
1922       Run  a  container  with  the new --ipc=host option, and it now sees the
1923       shared memory segment from the host httpd:
1924
1925
1926              $ podman run -it --ipc=host shm ipcs -m
1927
1928              ------ Shared Memory Segments --------
1929              key        shmid      owner      perms      bytes      nattch     status
1930              0x01128e25 0          root       600        1000       7
1931
1932
1933
1934       Testing --ipc=container:id mode:
1935
1936
1937       Start a container with a program to create a shared memory segment:
1938
1939
1940              $ podman run -it shm bash
1941              $ sudo shm/shm_server
1942              $ sudo ipcs -m
1943
1944              ------ Shared Memory Segments --------
1945              key        shmid      owner      perms      bytes      nattch     status
1946              0x0000162e 0          root       666        27         1
1947
1948
1949
1950       Create a 2nd container correctly shows no shared  memory  segment  from
1951       1st container:
1952
1953
1954              $ podman run shm ipcs -m
1955
1956              ------ Shared Memory Segments --------
1957              key        shmid      owner      perms      bytes      nattch     status
1958
1959
1960
1961       Create  a  3rd  container  using  the --ipc=container:id option, now it
1962       shows the shared memory segment from the first:
1963
1964
1965              $ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
1966              $ sudo ipcs -m
1967
1968              ------ Shared Memory Segments --------
1969              key        shmid      owner      perms      bytes      nattch     status
1970              0x0000162e 0          root       666        27         1
1971
1972
1973
1974   Mapping Ports for External Usage
1975       The exposed port of an application can be mapped to a host  port  using
1976       the  -p  flag.  For example, an httpd port 80 can be mapped to the host
1977       port 8080 using the following:
1978
1979
1980              $ podman run -p 8080:80 -d -i -t fedora/httpd
1981
1982
1983
1984   Mounting External Volumes
1985       To mount a host directory as a container volume, specify  the  absolute
1986       path to the directory and the absolute path for the container directory
1987       separated by a colon. If the source is a  named  volume  maintained  by
1988       Podman,  it  is recommended to use its name rather than the path to the
1989       volume. Otherwise the volume will be considered as an orphan and  wiped
1990       if you execute podman volume prune:
1991
1992
1993              $ podman run -v /var/db:/data1 -i -t fedora bash
1994
1995              $ podman run -v data:/data2 -i -t fedora bash
1996
1997              $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
1998
1999
2000
2001       Using  --mount  flags  to mount a host directory as a container folder,
2002       specify the absolute path to the directory or the volume name, and  the
2003       absolute path within the container directory:
2004
2005
2006              $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
2007
2008              $ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh
2009
2010
2011
2012       When  using  SELinux,  be  aware that the host has no knowledge of con‐
2013       tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
2014       icy  is  enforced,  the  /var/db  directory is not writable to the con‐
2015       tainer. A "Permission Denied" message will occur and an avc: message in
2016       the host's syslog.
2017
2018
2019       To  work  around  this, at time of writing this man page, the following
2020       command needs to be run in order for the  proper  SELinux  policy  type
2021       label to be attached to the host directory:
2022
2023
2024              $ chcon -Rt svirt_sandbox_file_t /var/db
2025
2026
2027
2028       Now,  writing to the /data1 volume in the container will be allowed and
2029       the changes will also be reflected on the host in /var/db.
2030
2031
2032   Using alternative security labeling
2033       You can override the default labeling  scheme  for  each  container  by
2034       specifying  the  --security-opt  flag. For example, you can specify the
2035       MCS/MLS level, a requirement for MLS systems. Specifying the  level  in
2036       the following command allows you to share the same content between con‐
2037       tainers.
2038
2039
2040              podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash
2041
2042
2043
2044       An MLS example might be:
2045
2046
2047              $ podman run --security-opt label=level:TopSecret -i -t rhel7 bash
2048
2049
2050
2051       To disable the security labeling for this container versus running with
2052       the
2053
2054
2055   --permissive flag, use the following command:
2056              $ podman run --security-opt label=disable -i -t fedora bash
2057
2058
2059
2060       If  you  want  a tighter security policy on the processes within a con‐
2061       tainer, you can specify an alternate type for the container. You  could
2062       run  a container that is only allowed to listen on Apache ports by exe‐
2063       cuting the following command:
2064
2065
2066              $ podman run --security-opt label=type:svirt_apache_t -i -t centos bash
2067
2068
2069
2070       Note you would have to write policy defining a svirt_apache_t type.
2071
2072
2073       To mask additional specific paths in the container, specify  the  paths
2074       separated  by  a  colon  using  the mask option with the --security-opt
2075       flag.
2076
2077
2078              $ podman run --security-opt mask=/foo/bar:/second/path fedora bash
2079
2080
2081
2082       To unmask all the paths that are masked  by  default,  set  the  unmask
2083       option  to  ALL. Or to only unmask specific paths, specify the paths as
2084       shown above with the mask option.
2085
2086
2087              $ podman run --security-opt unmask=ALL fedora bash
2088
2089
2090
2091              $ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
2092
2093
2094
2095   Setting device weight
2096       If you want to set /dev/sda device weight to 200, you can  specify  the
2097       device weight by --blkio-weight-device flag. Use the following command:
2098
2099
2100              $ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu
2101
2102
2103
2104   Using a podman container with input from a pipe
2105              $ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
2106              asdf
2107
2108
2109
2110   Setting Namespaced Kernel Parameters (Sysctls)
2111       The  --sysctl  sets  namespaced kernel parameters (sysctls) in the con‐
2112       tainer. For example, to turn on IP forwarding in the containers network
2113       namespace, run this command:
2114
2115
2116              $ podman run --sysctl net.ipv4.ip_forward=1 someimage
2117
2118
2119
2120       Note  that  not  all  sysctls  are  namespaced. Podman does not support
2121       changing sysctls inside of a container that also modify the  host  sys‐
2122       tem.  As the kernel evolves we expect to see more sysctls become names‐
2123       paced.
2124
2125
2126       See the definition of the --sysctl option above for the current list of
2127       supported sysctls.
2128
2129
2130   Set UID/GID mapping in a new user namespace
2131       Running  a  container in a new user namespace requires a mapping of the
2132       uids and gids from the host.
2133
2134
2135              $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
2136
2137
2138
2139   Configuring Storage Options from the command line
2140       Podman allows for the configuration of storage by changing  the  values
2141       in  the  /etc/container/storage.conf  or  by using global options. This
2142       shows how to setup and use fuse-overlayfs for a one time run of busybox
2143       using global options.
2144
2145
2146              podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh
2147
2148
2149
2150   Configure timezone in a container
2151              $ podman run --tz=local alpine date
2152              $ podman run --tz=Asia/Shanghai alpine date
2153              $ podman run --tz=US/Eastern alpine date
2154
2155
2156
2157   Rootless Containers
2158       Podman  runs  as a non root user on most systems. This feature requires
2159       that  a  new  enough  version  of  shadow-utils   be   installed.   The
2160       shadow-utils  package  must  include  the newuidmap(1) and newgidmap(1)
2161       executables.
2162
2163
2164       Note: RHEL7 and Centos 7 will not have this feature  until  RHEL7.7  is
2165       released.
2166
2167
2168       In  order  for  users to run rootless, there must be an entry for their
2169       username in /etc/subuid and /etc/subgid which lists the UIDs for  their
2170       user namespace.
2171
2172
2173       Rootless  Podman  works  better  if  the fuse-overlayfs and slirp4netns
2174       packages are installed.  The fuse-overlay package provides a  userspace
2175       overlay  storage  driver,  otherwise  users need to use the vfs storage
2176       driver, which  is  diskspace  expensive  and  does  not  perform  well.
2177       slirp4netns  is  required for VPN, without it containers need to be run
2178       with the --network=host flag.
2179
2180

ENVIRONMENT

2182       Environment variables within containers can be set using multiple  dif‐
2183       ferent  options,  in  the  following order of precedence (later entries
2184       override earlier entries):
2185
2186
2187              · Container image: Any environment variables  specified  in  the
2188                container image.
2189
2190              · --http-proxy:  By  default, several environment variables will
2191                be passed in from the host, such as http_proxy  and  no_proxy.
2192                See --http-proxy for details.
2193
2194              · --env-host:  Host  environment of the process executing Podman
2195                is added.
2196
2197              · --env-file: Any environment variables specified via env-files.
2198                If  multiple files specified, then they override each other in
2199                order of entry.
2200
2201              · --env: Any environment variables specified will override  pre‐
2202                vious settings.
2203
2204
2205
2206       Run containers and set the environment ending with a * and a *****:
2207
2208
2209              $ export ENV1=a
2210              $ podman run --env ENV* alpine printenv ENV1
2211              a
2212
2213              $ podman run --env ENV*****=b alpine printenv ENV*****
2214              b
2215
2216
2217

FILES

2219       /etc/subuid
2220
2221
2222       /etc/subgid
2223
2224
2225       NOTE: Use the environment variable TMPDIR to change the temporary stor‐
2226       age location of downloaded container images.  Podman  defaults  to  use
2227       /var/tmp.
2228
2229

HISTORY

2239       September 2018, updated by Kunal Kushwaha
2240
2241
2242       October  2017,  converted  from  Docker  documentation to Podman by Dan
2243       Walsh for Podman dwalsh@redhat.com ⟨mailto:dwalsh@redhat.com⟩
2244
2245
2246       November  2015,   updated   by   Sally   O'Malley   somalley@redhat.com
2247       ⟨mailto:somalley@redhat.com⟩
2248
2249
2250       June   2014,   updated   by   Sven   Dowideit  SvenDowideit@home.org.au
2251       ⟨mailto:SvenDowideit@home.org.au⟩
2252
2253
2254       April 2014, Originally  compiled  by  William  Henry  whenry@redhat.com
2255       ⟨mailto:whenry@redhat.com⟩  based  on  docker.com  source  material and
2256       internal work.
2257
2258

FOOTNOTES

2260       1: The Podman project is committed to inclusivity, a core value of open
2261       source. The master and slave mount propagation terminology used here is
2262       problematic and divisive, and should be changed. However,  these  terms
2263       are  currently  used  within the Linux kernel and must be used as-is at
2264       this time. When the kernel maintainers rectify this usage, Podman  will
2265       follow suit immediately.
2266
2267
2268
2269                                                               podman-run(1)()