1podman-run(1)()                                                podman-run(1)()
2
3
4

NAME

6       podman-run - Run a command in a new container
7
8

SYNOPSIS

10       podman run [options] image [command [arg ...]]
11
12
13       podman container run [options] image [command [arg ...]]
14
15

DESCRIPTION

17       Run  a process in a new container. podman run starts a process with its
18       own file system, its own networking, and its own isolated process tree.
19       The  image  which starts the process may define defaults related to the
20       process that will be run in the container, the  networking  to  expose,
21       and  more, but podman run gives final control to the operator or admin‐
22       istrator who starts the container from the image. For that reason  pod‐
23       man run has more options than any other Podman command.
24
25
26       If the image is not already loaded then podman run will pull the image,
27       and all image dependencies, from the repository in the same way running
28       podman pull image , before it starts the container from that image.
29
30
31       Several files will be automatically created within the container. These
32       include /etc/hosts, /etc/hostname, and /etc/resolv.conf to manage  net‐
33       working.   These  will  be  based  on  the host's version of the files,
34       though they can be customized with options  (for  example,  --dns  will
35       override  the host's DNS servers in the created resolv.conf). Addition‐
36       ally, a container environment file is created in each container to  in‐
37       dicate  to  programs  they are running in a container. This file is lo‐
38       cated at /run/.containerenv. When using the --privileged flag the .con‐
39       tainerenv  contains  name/value  pairs  indicating the container engine
40       version, whether the engine is running in rootless mode, the  container
41       name  and  id,  as  well as the image name and id that the container is
42       based on.
43
44
45       When   running   from   a   user   defined   network   namespace,   the
46       /etc/netns/NSNAME/resolv.conf  will  be  used  if  it exists, otherwise
47       /etc/resolv.conf will be used.
48
49
50       Default settings are defined in containers.conf. Most settings for  re‐
51       mote  connections  use  the  servers containers.conf, except when docu‐
52       mented in man pages.
53
54

IMAGE

56       The image is specified using transport:path format. If no transport  is
57       specified,  the  docker  (container registry) transport will be used by
58       default. For remote Podman, docker is the only allowed transport.
59
60
61       dir:path
62         An existing local directory path storing the manifest, layer tarballs
63       and  signatures as individual files. This is a non-standardized format,
64       primarily useful for debugging or noninvasive container inspection.
65
66
67              $ podman save --format docker-dir fedora -o /tmp/fedora
68              $ podman run dir:/tmp/fedora echo hello
69
70
71
72       docker://docker-reference (Default)
73         An image reference stored in a remote container image registry. Exam‐
74       ple:  "quay.io/podman/stable:latest".  The reference can include a path
75       to a specific registry; if it does not, the registries listed  in  reg‐
76       istries.conf  will  be  queried  to find a matching image.  By default,
77       credentials from  podman  login  (stored  at  $XDG_RUNTIME_DIR/contain‐
78       ers/auth.json  by  default)  will be used to authenticate; otherwise it
79       falls back to using credentials in $HOME/.docker/config.json.
80
81
82              $ podman run registry.fedoraproject.org/fedora:latest echo hello
83
84
85
86       docker-archive:path[:docker-reference] An image stored  in  the  docker
87       save formatted file. docker-reference is only used when creating such a
88       file, and it must not contain a digest.
89
90
91              $ podman save --format docker-archive fedora -o /tmp/fedora
92              $ podman run docker-archive:/tmp/fedora echo hello
93
94
95
96       docker-daemon:docker-reference
97         An image in docker-reference format stored in the docker  daemon  in‐
98       ternal   storage.   The  docker-reference  can  also  be  an  image  ID
99       (docker-daemon:algo:digest).
100
101
102              $ sudo docker pull fedora
103              $ sudo podman run docker-daemon:docker.io/library/fedora echo hello
104
105
106
107       oci-archive:path:tag
108         An image in a directory compliant with the "Open Container Image Lay‐
109       out Specification" at the specified path and specified with a tag.
110
111
112              $ podman save --format oci-archive fedora -o /tmp/fedora
113              $ podman run oci-archive:/tmp/fedora echo hello
114
115
116

OPTIONS

118   --add-host=host:ip
119       Add  a  line  to  container's /etc/hosts for custom host-to-IP mapping.
120       This option can be set multiple times.
121
122
123   --annotation=key=value
124       Add an annotation to the container.  This option can  be  set  multiple
125       times.
126
127
128   --arch=ARCH
129       Override  the  architecture,  defaults  to  hosts,  of  the image to be
130       pulled. For example, arm.
131
132
133   --attach, -a=stdin|stdout|stderr
134       Attach to STDIN, STDOUT or STDERR.
135
136
137       In foreground mode (the default when -d is not specified),  podman  run
138       can  start  the  process in the container and attach the console to the
139       process's standard input, output, and error. It can even pretend to  be
140       a TTY (this is what most commandline executables expect) and pass along
141       signals. The -a option can be  set  for  each  of  stdin,  stdout,  and
142       stderr.
143
144
145   --authfile[=path]
146       Path to the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
147       ers/auth.json.
148
149
150       Note: You can also override the default path of the authentication file
151       by setting the REGISTRY_AUTH_FILE environment variable.
152
153
154   --blkio-weight=weight
155       Block IO relative weight. The weight is a value between 10 and 1000.
156
157
158   --blkio-weight-device=device:weight
159       Block IO relative device weight.
160
161
162   --cap-add=capability
163       Add Linux capabilities.
164
165
166   --cap-drop=capability
167       Drop Linux capabilities.
168
169
170   --cgroupns=mode
171       Set the cgroup namespace mode for the container.
172
173
174host: use the host's cgroup namespace inside the container.
175
176container:id: join the namespace of the specified container.
177
178private: create a new cgroup namespace.
179
180ns:path: join the namespace at the specified path.
181
182
183
184       If the host uses cgroups v1, the default is set to host. On cgroups v2,
185       the default is private.
186
187
188   --cgroups=enabled|disabled|no-conmon|split
189       Determines whether the container will create CGroups.
190
191
192       Default is enabled.
193
194
195       The enabled option will create a new cgroup  under  the  cgroup-parent.
196       The disabled option will force the container to not create CGroups, and
197       thus conflicts with CGroup options  (--cgroupns  and  --cgroup-parent).
198       The no-conmon option disables a new CGroup only for the conmon process.
199       The split option splits the current CGroup in two sub-cgroups: one  for
200       conmon  and  one  for  the container payload. It is not possible to set
201       --cgroup-parent with split.
202
203
204   --cgroup-parent=path
205       Path to cgroups under which the cgroup for the container will  be  cre‐
206       ated.  If  the path is not absolute, the path is considered to be rela‐
207       tive to the cgroups path of the init process. Cgroups will  be  created
208       if they do not already exist.
209
210
211   --cgroup-conf=KEY=VALUE
212       When  running on cgroup v2, specify the cgroup file to write to and its
213       value. For example --cgroup-conf=memory.high=1073741824 sets  the  mem‐
214       ory.high limit to 1GB.
215
216
217   --cidfile=file
218       Write the container ID to file.
219
220
221   --conmon-pidfile=file
222       Write the pid of the conmon process to a file. As conmon runs in a sep‐
223       arate process than Podman, this is  necessary  when  using  systemd  to
224       restart  Podman containers.  (This option is not available with the re‐
225       mote Podman client)
226
227
228   --cpu-period=limit
229       Set the CPU period for the Completely Fair Scheduler (CFS), which is  a
230       duration in microseconds. Once the container's CPU quota is used up, it
231       will not be scheduled to run until the current period ends. Defaults to
232       100000 microseconds.
233
234
235       On  some  systems,  changing  the  CPU  limits  may  not be allowed for
236       non-root  users.  For  more  details,  see  https://github.com/contain
237       ers/podman/blob/master/troubleshooting.md#26-running-contain‐
238       ers-with-cpu-limits-fails-with-a-permissions-error
239
240
241   --cpu-quota=limit
242       Limit the CPU Completely Fair Scheduler (CFS) quota.
243
244
245       Limit the container's CPU usage. By default, containers  run  with  the
246       full  CPU  resource. The limit is a number in microseconds. If you pro‐
247       vide a number, the container will be allowed to use that much CPU  time
248       until the CPU period ends (controllable via --cpu-period).
249
250
251       On  some  systems,  changing  the  CPU  limits  may  not be allowed for
252       non-root  users.  For  more  details,  see  https://github.com/contain
253       ers/podman/blob/master/troubleshooting.md#26-running-contain‐
254       ers-with-cpu-limits-fails-with-a-permissions-error
255
256
257   --cpu-rt-period=microseconds
258       Limit the CPU real-time period in microseconds.
259
260
261       Limit the container's Real Time CPU usage. This flag tell the kernel to
262       restrict the container's Real Time CPU usage to the period you specify.
263
264
265   --cpu-rt-runtime=microseconds
266       Limit the CPU real-time runtime in microseconds.
267
268
269       Limit the containers Real Time CPU usage. This flag tells the kernel to
270       limit the amount of time in a given CPU period Real Time tasks may con‐
271       sume.  Ex:  Period  of  1,000,000us and Runtime of 950,000us means that
272       this container could consume 95% of available CPU and leave the remain‐
273       ing 5% to normal priority tasks.
274
275
276       The  sum of all runtimes across containers cannot exceed the amount al‐
277       lotted to the parent cgroup.
278
279
280   --cpu-shares=shares
281       CPU shares (relative weight).
282
283
284       By default, all containers get the same proportion of CPU cycles.  This
285       proportion  can  be  modified  by  changing  the  container's CPU share
286       weighting relative to the combined weight of all the  running  contain‐
287       ers. Default weight is 1024.
288
289
290       The  proportion  will  only apply when CPU-intensive processes are run‐
291       ning.  When tasks in one container are idle, other containers  can  use
292       the left-over CPU time. The actual amount of CPU time will vary depend‐
293       ing on the number of containers running on the system.
294
295
296       For example, consider three containers, one has a cpu-share of 1024 and
297       two others have a cpu-share setting of 512. When processes in all three
298       containers attempt to use 100% of CPU, the first  container  would  re‐
299       ceive  50%  of the total CPU time. If you add a fourth container with a
300       cpu-share of 1024, the first container only gets 33% of  the  CPU.  The
301       remaining containers receive 16.5%, 16.5% and 33% of the CPU.
302
303
304       On a multi-core system, the shares of CPU time are distributed over all
305       CPU cores. Even if a container is limited to  less  than  100%  of  CPU
306       time, it can use 100% of each individual CPU core.
307
308
309       For example, consider a system with more than three cores. If you start
310       one container {C0} with --cpu-shares=512 running one process,  and  an‐
311       other container {C1} with --cpu-shares=1024 running two processes, this
312       can result in the following division of CPU shares:
313
314
315       ┌────┬───────────┬─────┬──────────────┐
316PID container CPU CPU share    
317       ├────┼───────────┼─────┼──────────────┤
318       │100 │ {C0}      │ 0   │ 100% of CPU0 │
319       ├────┼───────────┼─────┼──────────────┤
320       │101 │ {C1}      │ 1   │ 100% of CPU1 │
321       ├────┼───────────┼─────┼──────────────┤
322       │102 │ {C1}      │ 2   │ 100% of CPU2 │
323       ├────┼───────────┼─────┼──────────────┤
324       │    │           │     │              │
325       └────┴───────────┴─────┴──────────────┘
326
327   --cpus=number
328       Number of CPUs. The default is 0.0 which means no limit. This is short‐
329       hand for --cpu-period and --cpu-quota, so you may only set either
330
331
332   --cpus or --cpu-period and --cpu-quota.
333       On  some  systems,  changing  the  CPU  limits  may  not be allowed for
334       non-root  users.  For  more  details,  see  https://github.com/contain
335       ers/podman/blob/master/troubleshooting.md#26-running-contain‐
336       ers-with-cpu-limits-fails-with-a-permissions-error
337
338
339   --cpuset-cpus=number
340       CPUs in which to allow execution. Can be specified as a comma-separated
341       list  (e.g.  0,1),  as  a  range (e.g. 0-3), or any combination thereof
342       (e.g. 0-3,7,11-15).
343
344
345   --cpuset-mems=nodes
346       Memory nodes (MEMs) in which to allow execution. Only effective on NUMA
347       systems.
348
349
350       For  example,  if  you have four memory nodes (0-3) on your system, use
351       --cpuset-mems=0,1 to only use memory from the first two memory nodes.
352
353
354   --detach, -d=true|false
355       Detached mode: run the container in the background and  print  the  new
356       container ID. The default is false.
357
358
359       At  any time you can run podman ps in the other shell to view a list of
360       the running containers. You can reattach to a detached  container  with
361       podman attach.
362
363
364       When  attached  in the tty mode, you can detach from the container (and
365       leave it running) using a configurable key sequence.  The  default  se‐
366       quence  is  ctrl-p,ctrl-q.  Configure the keys sequence using the --de‐
367       tach-keys option, or specifying it in  the  containers.conf  file:  see
368       containers.conf(5) for more information.
369
370
371   --detach-keys=sequence
372       Specify  the key sequence for detaching a container. Format is a single
373       character [a-Z] or one or more ctrl-<value> characters where <value> is
374       one  of: a-z, @, ^, [, , or _. Specifying "" will disable this feature.
375       The default is ctrl-p,ctrl-q.
376
377
378       This option can also be set in containers.conf(5) file.
379
380
381       Specifying "" will disable this feature. The default is ctrl-p,ctrl-q.
382
383
384   --device=host-device[:container-device][:permissions]
385       Add a host device to the container. Optional permissions parameter  can
386       be used to specify device permissions, it is combination of r for read,
387       w for write, and m for mknod(2).
388
389
390       Example: --device=/dev/sdc:/dev/xvdc:rwm.
391
392
393       Note: if _hostdevice is a symbolic link then it will be resolved first.
394       The  container  will only store the major and minor numbers of the host
395       device.
396
397
398       Note: if the user only has access rights via a group, accessing the de‐
399       vice  from  inside  a rootless container will fail. Use the --group-add
400       keep-groups flag to pass the user's supplementary group access into the
401       container.
402
403
404       Podman may load kernel modules required for using the specified device.
405       The  devices  that  Podman  will  load  modules  when  necessary   are:
406       /dev/fuse.
407
408
409   --device-cgroup-rule=rule
410       Add a rule to the cgroup allowed devices list
411
412
413   --device-read-bps=path:rate
414       Limit  read  rate  (in  bytes  per  second)  from  a device (e.g. --de‐
415       vice-read-bps=/dev/sda:1mb).
416
417
418   --device-read-iops=path:rate
419       Limit read rate (in IO operations per second) from a device (e.g. --de‐
420       vice-read-iops=/dev/sda:1000).
421
422
423   --device-write-bps=path:rate
424       Limit  write  rate  (in  bytes  per  second)  to  a  device (e.g. --de‐
425       vice-write-bps=/dev/sda:1mb).
426
427
428   --device-write-iops=path:rate
429       Limit write rate (in IO operations per second) to a device (e.g.  --de‐
430       vice-write-iops=/dev/sda:1000).
431
432
433   --disable-content-trust
434       This  is  a  Docker  specific option to disable image verification to a
435       Docker registry and is not supported by Podman. This flag is a NOOP and
436       provided solely for scripting compatibility.
437
438
439   --dns=ipaddr
440       Set  custom  DNS servers. Invalid if using --dns with --network that is
441       set to none or container:id.
442
443
444       This option can be used to override the DNS configuration passed to the
445       container.  Typically this is necessary when the host DNS configuration
446       is invalid for the container (e.g., 127.0.0.1). When this is  the  case
447       the --dns flags is necessary for every run.
448
449
450       The special value none can be specified to disable creation of /etc/re‐
451       solv.conf in the container by Podman.  The /etc/resolv.conf file in the
452       image will be used without changes.
453
454
455   --dns-opt=option
456       Set  custom DNS options. Invalid if using --dns-opt with --network that
457       is set to none or container:id.
458
459
460   --dns-search=domain
461       Set custom DNS search domains. Invalid if using --dns-search and --net‐
462       work  that  is  set to none or container:id.  Use --dns-search=. if you
463       don't wish to set the search domain.
464
465
466   --entrypoint="command" | '["command", arg1 , ...]'
467       Overwrite the default ENTRYPOINT of the image.
468
469
470       This option allows you to overwrite the default entrypoint of  the  im‐
471       age.
472
473
474       The ENTRYPOINT of an image is similar to a COMMAND because it specifies
475       what executable to run when the container starts, but it is (purposely)
476       more  difficult  to  override. The ENTRYPOINT gives a container its de‐
477       fault nature or behavior, so that when you set an  ENTRYPOINT  you  can
478       run  the container as if it were that binary, complete with default op‐
479       tions, and you can pass in more options via the COMMAND. But, sometimes
480       an operator may want to run something else inside the container, so you
481       can override the default ENTRYPOINT at runtime by using a  --entrypoint
482       and a string to specify the new ENTRYPOINT.
483
484
485       You need to specify multi option commands in the form of a json string.
486
487
488   --env, -e=env
489       Set environment variables.
490
491
492       This  option  allows arbitrary environment variables that are available
493       for the process to be launched inside of the container. If an  environ‐
494       ment  variable is specified without a value, Podman will check the host
495       environment for a value and set the variable only if it is set  on  the
496       host.  If an environment variable ending in * is specified, Podman will
497       search the host environment for variables starting with the prefix  and
498       will  add  those variables to the container. If an environment variable
499       with a trailing ***** is specified, then a value must be supplied.
500
501
502       See Environment ⟨#environment⟩ note below for precedence and examples.
503
504
505   --env-host=true|false
506       Use host environment inside of the container. See Environment note  be‐
507       low  for precedence. (This option is not available with the remote Pod‐
508       man client)
509
510
511   --env-file=file
512       Read in a line delimited file of environment variables. See Environment
513       note below for precedence.
514
515
516   --expose=port
517       Expose  a port, or a range of ports (e.g. --expose=3300-3310) to set up
518       port redirection on the host system.
519
520
521   --gidmap=container_gid:host_gid:amount
522       Run the container in a new user namespace using the  supplied  mapping.
523       This  option  conflicts with the --userns and --subgidname flags.  This
524       option can be passed several times to map different ranges. If  calling
525       podman run as an unprivileged user, the user needs to have the right to
526       use the mapping. See subuid(5).  The example maps gids  0-1999  in  the
527       container to the gids 30000-31999 on the host: --gidmap=0:30000:2000.
528
529
530       Important  note:  The  new  user namespace mapping based on --gidmap is
531       based on the initial mapping made in the  /etc/subgid  file.   Assuming
532       there is a  /etc/subgid  mapping groupname:100000:65536, then groupname
533       is initially mapped to a namespace starting with gid 100000  for  65536
534       ids.  From here the --gidmap mapping to the new namespace starts from 0
535       again, but is based on the initial mapping.  Meaning groupname is  ini‐
536       tially  mapped  to gid 100000 which is referenced as 0 in the following
537       --gidmap mapping. In terms of the example above: The group groupname is
538       mapped  to group 100000 of the initial namespace then the 30000st id of
539       this namespace (which is gid 130000 in this  namespace)  is  mapped  to
540       container namespace group id 0. (groupname -> 100000 / 30000 -> 0)
541
542
543   --group-add=group|keep-groups
544       Add additional groups to assign to primary user running within the con‐
545       tainer process.
546
547
548keep-groups is a special flag that tells Podman  to  keep  the
549                supplementary group access.
550
551
552
553       Allows  container to use the user's supplementary group access. If file
554       systems or devices are only accessible by the  rootless  user's  group,
555       this  flag tells the OCI runtime to pass the group access into the con‐
556       tainer. Currently only available  with  the  crun  OCI  runtime.  Note:
557       keep-groups  is  exclusive,  you  cannot add any other groups with this
558       flag. (Not available for remote commands)
559
560
561   --health-cmd="command" | '["command", arg1 , ...]'
562       Set or alter a healthcheck command for a container. The  command  is  a
563       command  to be executed inside your container that determines your con‐
564       tainer health. The command is required for other healthcheck options to
565       be applied. A value of none disables existing healthchecks.
566
567
568       Multiple  options can be passed in the form of a JSON array; otherwise,
569       the command will be interpreted as an argument to /bin/sh -c.
570
571
572   --health-interval=interval
573       Set an interval for the healthchecks. An interval of disable results in
574       no automatic timer setup. The default is 30s.
575
576
577   --health-retries=retries
578       The  number of retries allowed before a healthcheck is considered to be
579       unhealthy. The default value is 3.
580
581
582   --health-start-period=period
583       The initialization time needed for a container to bootstrap. The  value
584       can be expressed in time format like 2m3s. The default value is 0s.
585
586
587   --health-timeout=timeout
588       The maximum time allowed to complete the healthcheck before an interval
589       is considered failed. Like start-period, the value can be expressed  in
590       a time format such as 1m22s. The default value is 30s.
591
592
593   --help
594       Print usage statement
595
596
597   --hostname=name, -h
598       Container host name
599
600
601       Sets  the  container  host name that is available inside the container.
602       Can only be used with a private UTS namespace --uts=private  (default).
603       If  --pod  is  specified and the pod shares the UTS namespace (default)
604       the pod's hostname will be used.
605
606
607   --http-proxy=true|false
608       By default proxy environment variables are passed into the container if
609       set  for  the Podman process. This can be disabled by setting the value
610       to false.  The environment  variables  passed  in  include  http_proxy,
611       https_proxy,  ftp_proxy,  no_proxy, and also the upper case versions of
612       those. This option is only needed when the host system must use a proxy
613       but the container should not use any proxy. Proxy environment variables
614       specified for the container in any other way will override  the  values
615       that would have been passed through from the host. (Other ways to spec‐
616       ify the proxy for the container include passing  the  values  with  the
617       --env  flag,  or  hard  coding the proxy environment at container build
618       time.) (This option is not available with the remote Podman client)
619
620
621       Defaults to true.
622
623
624   --image-volume, builtin-volume=bind|tmpfs|ignore
625       Tells Podman how to handle the builtin image volumes. Default is bind.
626
627
628bind: An anonymous named volume will be  created  and  mounted
629                into the container.
630
631tmpfs:  The  volume  is mounted onto the container as a tmpfs,
632                which allows the users to create content that disappears  when
633                the container is stopped.
634
635ignore: All volumes are just ignored and no action is taken.
636
637
638
639   --init
640       Run  an  init inside the container that forwards signals and reaps pro‐
641       cesses.
642
643
644   --init-path=path
645       Path to the container-init binary.
646
647
648   --interactive, -i=true|false
649       When set to true, keep stdin open even if not attached. The default  is
650       false.
651
652
653   --ip6=ip
654       Not implemented.
655
656
657   --ip=ip
658       Specify   a   static   IP   address  for  the  container,  for  example
659       10.88.64.128.  This option can only be used if the container is  joined
660       to  only  a  single network - i.e., --network=_network-name_ is used at
661       most once and if the container is not joining another container's  net‐
662       work  namespace  via  --network=container:_id_.   The  address  must be
663       within the CNI network's IP address pool (default 10.88.0.0/16).
664
665
666   --ipc=mode
667       Set the IPC namespace mode for a container. The default is to create  a
668       private IPC namespace.
669
670
671container:id:  reuses  another  container shared memory, sema‐
672                phores and message queues
673
674host: use the host shared memory,semaphores and message queues
675                inside  the container. Note: the host mode gives the container
676                full access to local shared memory and is therefore considered
677                insecure.
678
679ns:path: path to an IPC namespace to join.
680
681
682
683   --kernel-memory=number[unit]
684       Kernel  memory  limit.  A  unit  can  be  b  (bytes),  k (kilobytes), m
685       (megabytes), or g (gigabytes).
686
687
688       Constrains the kernel memory available to a container. If a limit of  0
689       is specified (not using --kernel-memory), the container's kernel memory
690       is not limited. If you specify a limit, it may be rounded up to a  mul‐
691       tiple  of  the  operating  system's page size and the value can be very
692       large, millions of trillions.
693
694
695   --label, -l=key=value
696       Add metadata to a container.
697
698
699   --label-file=file
700       Read in a line-delimited file of labels.
701
702
703   --link-local-ip=ip
704       Not implemented.
705
706
707   --log-driver="driver"
708       Logging driver for  the  container.  Currently  available  options  are
709       k8s-file,  journald,  and  none, with json-file aliased to k8s-file for
710       scripting compatibility.
711
712
713   --log-opt=name=value
714       Logging driver specific options.
715
716
717       Set custom logging configuration. The following *name*s are supported:
718
719
720       path: specify a path to the log file
721           (e.g. --log-opt path=/var/log/container/mycontainer.json);
722
723
724       max-size: specify a max size of the log file
725           (e.g. --log-opt max-size=10mb);
726
727
728       tag: specify a custom log tag for the container
729          (e.g. --log-opt tag="{{.ImageName}}".
730
731
732       This option is currently supported only by the journald log driver.
733
734
735   --mac-address=address
736       Container MAC address (e.g. 92:d0:c6:0a:29:33).
737
738
739       Remember that the MAC address in an Ethernet network  must  be  unique.
740       The  IPv6  link-local address will be based on the device's MAC address
741       according to RFC4862.
742
743
744   --memory, -m=number[unit]
745       Memory limit. A unit can be b (bytes), k (kilobytes), m (megabytes), or
746       g (gigabytes).
747
748
749       Allows  you  to  constrain  the memory available to a container. If the
750       host supports swap memory, then the -m memory  setting  can  be  larger
751       than  physical  RAM.  If  a limit of 0 is specified (not using -m), the
752       container's memory is not limited. The actual limit may be  rounded  up
753       to  a  multiple of the operating system's page size (the value would be
754       very large, that's millions of trillions).
755
756
757   --memory-reservation=number[unit]
758       Memory  soft  limit.  A  unit  can  be  b  (bytes),  k  (kilobytes),  m
759       (megabytes), or g (gigabytes).
760
761
762       After  setting  memory reservation, when the system detects memory con‐
763       tention or low memory, containers are forced to restrict their consump‐
764       tion  to  their  reservation.  So you should always set the value below
765       --memory, otherwise the hard limit will take  precedence.  By  default,
766       memory reservation will be the same as memory limit.
767
768
769   --memory-swap=number[unit]
770       A  limit  value  equal to memory plus swap.  A unit can be b (bytes), k
771       (kilobytes), m (megabytes), or g (gigabytes).
772
773
774       Must be used with the -m (--memory) flag.  The  argument  value  should
775       always be larger than that of
776        -m (--memory) By default, it is set to double the value of --memory.
777
778
779       Set number to -1 to enable unlimited swap.
780
781
782   --memory-swappiness=number
783       Tune  a  container's memory swappiness behavior. Accepts an integer be‐
784       tween 0 and 100.
785
786
787   --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
788       Attach a filesystem mount to the container
789
790
791       Current supported mount TYPEs are bind, volume, image,  tmpfs  and  de‐
792       vpts. [1] ⟨#Footnote1⟩
793
794
795                 e.g.
796
797                 type=bind,source=/path/on/host,destination=/path/in/container
798
799                 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
800
801                 type=volume,source=vol1,destination=/path/in/container,ro=true
802
803                 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
804
805                 type=image,source=fedora,destination=/fedora-image,rw=true
806
807                 type=devpts,destination=/dev/pts
808
809                 Common Options:
810
811                    · src, source: mount source spec for bind and volume. Mandatory for bind.
812
813                    · dst, destination, target: mount destination spec.
814
815                 Options specific to volume:
816
817                    · ro, readonly: true or false (default).
818
819                 Options specific to image:
820
821                    · rw, readwrite: true or false (default).
822
823                 Options specific to bind:
824
825                    · ro, readonly: true or false (default).
826
827                    · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2).
828
829                    . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
830
831                    . relabel: shared, private.
832
833                 Options specific to tmpfs:
834
835                    · ro, readonly: true or false (default).
836
837                    · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
838
839                    · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
840
841                    · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
842
843                    · notmpcopyup: Disable copying files from the image to the tmpfs.
844
845
846
847   --name=name
848       Assign a name to the container.
849
850
851       The operator can identify a container in three ways:
852
853
854              • UUID                      long                      identifier
855                (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
856
857              • UUID short identifier (“f78375b1c487”);
858
859              • Name (“jonah”).
860
861
862
863       Podman  generates  a  UUID for each container, and if a name is not as‐
864       signed to the container with --name then  it  will  generate  a  random
865       string  name.  The name is useful any place you need to identify a con‐
866       tainer.  This works for both background and foreground containers.
867
868
869   --network=mode, --net
870       Set the network  mode  for  the  container.  Invalid  if  using  --dns,
871       --dns-opt,  or  --dns-search with --network that is set to none or con‐
872       tainer:id. If used together with --pod, the container will not join the
873       pods network namespace.
874
875
876       Valid mode values are:
877
878
879bridge: create a network stack on the default bridge;
880
881none: no networking;
882
883container:id: reuse another container's network stack;
884
885host:  use  the Podman host network stack. Note: the host mode
886                gives the container full access to local system services  such
887                as D-bus and is therefore considered insecure;
888
889network-id:  connect  to a user-defined network, multiple net‐
890                works should be comma-separated;
891
892ns:path: path to a network namespace to join;
893
894private: create a new namespace for the container (default)
895
896slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
897                network stack. This is the default for rootless containers. It
898                is possible to specify these additional options:
899
900allow_host_loopback=true|false:  Allow  the  slirp4netns  to
901                  reach the host loopback IP (10.0.2.2). Default is false.
902
903mtu=MTU:  Specify  the MTU to use for this network. (Default
904                  is 65520).
905
906cidr=CIDR: Specify ip range to use for  this  network.  (De‐
907                  fault is 10.0.2.0/24).
908
909enable_ipv6=true|false:  Enable IPv6. Default is false. (Re‐
910                  quired for outbound_addr6).
911
912outbound_addr=INTERFACE:  Specify  the  outbound   interface
913                  slirp should bind to (ipv4 traffic only).
914
915outbound_addr=IPv4:  Specify the outbound ipv4 address slirp
916                  should bind to.
917
918outbound_addr6=INTERFACE:  Specify  the  outbound  interface
919                  slirp should bind to (ipv6 traffic only).
920
921outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
922                  should bind to.
923
924port_handler=rootlesskit: Use rootlesskit for port  forward‐
925                  ing. Default.
926
927port_handler=slirp4netns:  Use the slirp4netns port forward‐
928                  ing.
929
930
931
932
933
934   --network-alias=alias
935       Add network-scoped alias for the container
936
937
938   --no-healthcheck=true|false
939       Disable any defined healthchecks for container.
940
941
942   --no-hosts=true|false
943       Do not create /etc/hosts for the container.
944
945
946       By default, Podman will manage /etc/hosts, adding the  container's  own
947       IP address and any hosts from --add-host.
948
949
950   --no-hosts  disables this, and the image's /etc/hosts will be preserved un‐
951       modified.
952       This option conflicts with --add-host.
953
954
955   --oom-kill-disable=true|false
956       Whether to disable OOM Killer for the container or not.
957
958
959   --oom-score-adj=num
960       Tune the host's OOM preferences for  containers  (accepts  values  from
961       -1000 to 1000).
962
963
964   --os=OS
965       Override  the OS, defaults to hosts, of the image to be pulled. For ex‐
966       ample, windows.
967
968
969   --pid=mode
970       Set the PID namespace mode for the container.  The default is to create
971       a private PID namespace for the container.
972
973
974container:id: join another container's PID namespace;
975
976host: use the host's PID namespace for the container. Note the
977                host mode gives the container full access to local PID and  is
978                therefore considered insecure;
979
980private: create a new namespace for the container (default)
981
982ns:path: join the specified PID namespace.
983
984
985
986   --pids-limit=limit
987       Tune  the  container's  pids limit. Set to 0 to have unlimited pids for
988       the container. The default is  4096  on  systems  that  support  "pids"
989       cgroup controller.
990
991
992   --platform=OS/ARCH
993       Specify  the  platform for selecting the image.  (Conflicts with --arch
994       and --os) The --platform option can be used to override the current ar‐
995       chitecture and operating system.
996
997
998   --pod=name
999       Run  container  in  an existing pod. If you want Podman to make the pod
1000       for you, prefix the pod name with new:.  To make a pod with more granu‐
1001       lar  options,  use the podman pod create command before creating a con‐
1002       tainer.  If a container is run with a pod,  and  the  pod  has  an  in‐
1003       fra-container, the infra-container will be started before the container
1004       is.
1005
1006
1007   --pod-id-file=path
1008       Run container in an existing pod and read the pod's ID from the  speci‐
1009       fied  file.  If a container is run within a pod, and the pod has an in‐
1010       fra-container, the infra-container will be started before the container
1011       is.
1012
1013
1014   --preserve-fds=N
1015       Pass  down to the process N additional file descriptors (in addition to
1016       0, 1, 2).  The total FDs will be 3+N. (This  option  is  not  available
1017       with the remote Podman client)
1018
1019
1020   --privileged=true|false
1021       Give extended privileges to this container. The default is false.
1022
1023
1024       By default, Podman containers are unprivileged (=false) and cannot, for
1025       example, modify parts of the operating system. This is because  by  de‐
1026       fault  a container is only allowed limited access to devices. A "privi‐
1027       leged" container is given the  same  access  to  devices  as  the  user
1028       launching the container.
1029
1030
1031       A privileged container turns off the security features that isolate the
1032       container  from  the  host.  Dropped  Capabilities,  limited   devices,
1033       read-only  mount  points, Apparmor/SELinux separation, and Seccomp fil‐
1034       ters are all disabled.
1035
1036
1037       Rootless containers cannot have more privileges than the  account  that
1038       launched them.
1039
1040
1041   --publish, -p=ip:hostPort:containerPort | ip::containerPort | hostPort:con‐
1042       tainerPort | containerPort
1043       Publish a container's port, or range of ports, to the host.
1044
1045
1046       Both hostPort and containerPort can be specified as a range of ports.
1047
1048
1049       When specifying ranges for both, the number of container ports  in  the
1050       range must match the number of host ports in the range.
1051
1052
1053       If  host IP is set to 0.0.0.0 or not set at all, the port will be bound
1054       on all IPs on the host.
1055
1056
1057       Host  port  does  not  have  to  be  specified  (e.g.  podman  run   -p
1058       127.0.0.1::80).   If it is not, the container port will be randomly as‐
1059       signed a port on the host.
1060
1061
1062       Use podman port to see the actual mapping: podman port $CONTAINER $CON‐
1063       TAINERPORT.
1064
1065
1066       Note:  if  a container will be run within a pod, it is not necessary to
1067       publish the port for the containers in the pod. The port must  only  be
1068       published  by  the  pod itself. Pod network stacks act like the network
1069       stack on the host - you have a variety of containers in  the  pod,  and
1070       programs  in  the  container, all sharing a single interface and IP ad‐
1071       dress, and associated ports. If one container binds to a port, no other
1072       container can use that port within the pod while it is in use. Contain‐
1073       ers in the pod can also communicate over localhost by having  one  con‐
1074       tainer bind to localhost in the pod, and another connect to that port.
1075
1076
1077   --publish-all, -P=true|false
1078       Publish  all  exposed ports to random ports on the host interfaces. The
1079       default is false.
1080
1081
1082       When set to true, publish all exposed ports to the host interfaces. The
1083       default is false. If the operator uses -P (or -p) then Podman will make
1084       the exposed port accessible on the host and the ports will be available
1085       to any client that can reach the host.
1086
1087
1088       When  using  this option, Podman will bind any exposed port to a random
1089       port  on  the  host  within  an  ephemeral  port   range   defined   by
1090       /proc/sys/net/ipv4/ip_local_port_range.   To  find  the mapping between
1091       the host ports and the exposed ports, use podman port.
1092
1093
1094   --pull=always|missing|never
1095       Pull image before running. The default is missing.
1096
1097
1098missing: attempt to pull the latest image from the  registries
1099                listed  in  registries.conf  if  a  local  image  does not ex‐
1100                ist.Raise an error if the image is not in any listed  registry
1101                and is not present locally.
1102
1103always:  Pull the image from the first registry it is found in
1104                as listed in registries.conf. Raise an error if not  found  in
1105                the registries, even if the image is present locally.
1106
1107never:  do  not pull the image from the registry, use only the
1108                local version. Raise an error if the image is not present  lo‐
1109                cally.
1110
1111
1112
1113   --quiet, -q
1114       Suppress output information when pulling images
1115
1116
1117   --read-only=true|false
1118       Mount the container's root filesystem as read only.
1119
1120
1121       By  default a container will have its root filesystem writable allowing
1122       processes to write files anywhere. By specifying the --read-only  flag,
1123       the  container  will have its root filesystem mounted as read only pro‐
1124       hibiting any writes.
1125
1126
1127   --read-only-tmpfs=true|false
1128       If container is running in --read-only mode, then  mount  a  read-write
1129       tmpfs on /run, /tmp, and /var/tmp. The default is true.
1130
1131
1132   --replace=true|false
1133       If another container with the same name already exists, replace and re‐
1134       move it. The default is false.
1135
1136
1137   --requires=container
1138       Specify one or more requirements.  A requirement is a  dependency  con‐
1139       tainer  that  will be started before this container.  Containers can be
1140       specified by name or ID, with multiple containers  being  separated  by
1141       commas.
1142
1143
1144   --restart=policy
1145       Restart policy to follow when containers exit.  Restart policy will not
1146       take effect if a container is stopped via the  podman  kill  or  podman
1147       stop commands.
1148
1149
1150       Valid policy values are:
1151
1152
1153no                       : Do not restart containers on exit
1154
1155on-failure[:max_retries]  :  Restart containers when they exit
1156                with a non-zero exit code, retrying indefinitely or until  the
1157                optional max_retries count is hit
1158
1159always                    : Restart containers when they exit,
1160                regardless of status, retrying indefinitely
1161
1162unless-stopped           : Identical to always
1163
1164
1165
1166       Please note that restart will not restart containers after a system re‐
1167       boot.   If  this functionality is required in your environment, you can
1168       invoke Podman from a systemd.unit(5) file, or create an init script for
1169       whichever  init  system  is  in  use.   To generate systemd unit files,
1170       please see podman generate systemd.
1171
1172
1173   --rm=true|false
1174       Automatically remove the container when it exits. The default is false.
1175
1176
1177   --rmi=true|false
1178       After exit of the container, remove the image unless another  container
1179       is using it. The default is false.
1180
1181
1182   --rootfs
1183       If specified, the first argument refers to an exploded container on the
1184       file system.
1185
1186
1187       This is useful to run a container without requiring any  image  manage‐
1188       ment, the rootfs of the container is assumed to be managed externally.
1189
1190
1191       Note:  On SELinux systems, the rootfs needs the correct label, which is
1192       by default unconfined_u:object_r:container_file_t.
1193
1194
1195   --sdnotify=container|conmon|ignore
1196       Determines how to use the NOTIFY_SOCKET, as  passed  with  systemd  and
1197       Type=notify.
1198
1199
1200       Default  is  container,  which means allow the OCI runtime to proxy the
1201       socket into the container to receive ready  notification.  Podman  will
1202       set  the  MAINPID  to  conmon's pid.  The conmon option sets MAINPID to
1203       conmon's pid, and sends READY  when  the  container  has  started.  The
1204       socket is never passed to the runtime or the container.  The ignore op‐
1205       tion removes NOTIFY_SOCKET from the environment for  itself  and  child
1206       processes,  for the case where some other process above Podman uses NO‐
1207       TIFY_SOCKET and Podman should not use it.
1208
1209
1210   --seccomp-policy=policy
1211       Specify the policy to select the seccomp profile. If set to image, Pod‐
1212       man  will  look for a "io.containers.seccomp.profile" label in the con‐
1213       tainer-image config and use its value as a seccomp profile.  Otherwise,
1214       Podman  will  follow the default policy by applying the default profile
1215       unless specified otherwise via --security-opt seccomp as described  be‐
1216       low.
1217
1218
1219       Note that this feature is experimental and may change in the future.
1220
1221
1222   --secret=secret[,opt=opt ...]
1223       Give the container access to a secret. Can be specified multiple times.
1224
1225
1226       A secret is a blob of sensitive data which a container needs at runtime
1227       but should not be stored in the image or in  source  control,  such  as
1228       usernames  and  passwords, TLS certificates and keys, SSH keys or other
1229       important generic strings or binary content (up to 500 kb in size).
1230
1231
1232       When secrets are specified as type mount, the secrets  are  copied  and
1233       mounted  into  the container when a container is created.  When secrets
1234       are specified as type env, the secret will be  set  as  an  environment
1235       variable within the container.  Secrets are written in the container at
1236       the time of container creation, and modifying the secret  using  podman
1237       secret  commands after the container is created will not affect the se‐
1238       cret inside the container.
1239
1240
1241       Secrets and its storage are managed using the podman secret command.
1242
1243
1244       Secret Options
1245
1246
1247type=mount|env    : How the secret will be exposed to the con‐
1248                tainer. Default mount.
1249
1250target=target     : Target of secret. Defauts to secret name.
1251
1252
1253
1254   --security-opt=option
1255       Security Options
1256
1257
1258apparmor=unconfined  :  Turn  off apparmor confinement for the
1259                container
1260
1261apparmor=your-profile : Set the apparmor  confinement  profile
1262                for the container
1263
1264label=user:USER:  Set  the  label  user for the container pro‐
1265                cesses
1266
1267label=role:ROLE: Set the label role  for  the  container  pro‐
1268                cesses
1269
1270label=type:TYPE:  Set the label process type for the container
1271                processes
1272
1273label=level:LEVEL: Set the label level for the container  pro‐
1274                cesses
1275
1276label=filetype:TYPE_:  Set  the  label  file type for the con‐
1277                tainer files
1278
1279label=disable: Turn off label separation for the container
1280
1281
1282
1283       Note: Labeling can be  disabled  for  all  containers  by  setting  la‐
1284       bel=false  in  the  containers.conf (/etc/containers/containers.conf or
1285       $HOME/.config/containers/containers.conf) file.
1286
1287
1288mask=/path/1:/path/2: The paths to mask separated by a  colon.
1289                A masked path cannot be accessed inside the container.
1290
1291no-new-privileges:  Disable  container  processes from gaining
1292                additional privileges
1293
1294seccomp=unconfined: Turn off seccomp confinement for the  con‐
1295                tainer
1296
1297seccomp=profile.json:  Allowed  syscall list seccomp JSON file
1298                to be used as a seccomp filter
1299
1300proc-opts=OPTIONS : Comma-separated list of options to use for
1301                the  /proc  mount. More details for the possible mount options
1302                are specified in the proc(5) man page.
1303
1304unmask=ALL  or  /path/1:/path/2,  or  shell   expanded   paths
1305                (/proc/*):  Paths  to  unmask  separated by a colon. If set to
1306                ALL, it will unmask all the paths that are masked or made read
1307                only  by  default.   The  default masked paths are /proc/acpi,
1308                /proc/kcore, /proc/keys, /proc/latency_stats,  /proc/sched_de‐
1309                bug,    /proc/scsi,    /proc/timer_list,    /proc/timer_stats,
1310                /sys/firmware, and /sys/fs/selinux..  The default  paths  that
1311                are   read   only   are   /proc/asound,  /proc/bus,  /proc/fs,
1312                /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.
1313
1314
1315
1316       Note: Labeling can be  disabled  for  all  containers  by  setting  la‐
1317       bel=false in the containers.conf(5) file.
1318
1319
1320   --shm-size=number[unit]
1321       Size   of  /dev/shm.  A  unit  can  be  b  (bytes),  k  (kilobytes),  m
1322       (megabytes), or g (gigabytes).  If you omit the unit, the  system  uses
1323       bytes. If you omit the size entirely, the default is 64m.  When size is
1324       0, there is no limit on the amount of memory used for IPC by  the  con‐
1325       tainer.
1326
1327
1328   --sig-proxy=true|false
1329       Sets  whether the signals sent to the podman run command are proxied to
1330       the container process. SIGCHLD, SIGSTOP, and SIGKILL are  not  proxied.
1331       The default is true.
1332
1333
1334   --stop-signal=signal
1335       Signal to stop a container. Default is SIGTERM.
1336
1337
1338   --stop-timeout=seconds
1339       Timeout to stop a container. Default is 10.  Remote connections use lo‐
1340       cal containers.conf for defaults
1341
1342
1343   --subgidname=name
1344       Run the container in a new user namespace using the map  with  name  in
1345       the  /etc/subgid  file.  If calling podman run as an unprivileged user,
1346       the user needs to have the right to use  the  mapping.  See  subgid(5).
1347       This flag conflicts with --userns and --gidmap.
1348
1349
1350   --subuidname=name
1351       Run  the  container  in a new user namespace using the map with name in
1352       the /etc/subuid file.  If calling podman run as an  unprivileged  user,
1353       the  user  needs  to  have the right to use the mapping. See subuid(5).
1354       This flag conflicts with --userns and --uidmap.
1355
1356
1357   --sysctl=name=value
1358       Configure namespaced kernel parameters at runtime.
1359
1360
1361       For the IPC namespace, the following sysctls are allowed:
1362
1363
1364              • kernel.msgmax
1365
1366              • kernel.msgmnb
1367
1368              • kernel.msgmni
1369
1370              • kernel.sem
1371
1372              • kernel.shmall
1373
1374              • kernel.shmmax
1375
1376              • kernel.shmmni
1377
1378              • kernel.shm_rmid_forced
1379
1380              • Sysctls beginning with fs.mqueue.*
1381
1382
1383
1384       Note: if you use the --ipc=host option, the above sysctls will  not  be
1385       allowed.
1386
1387
1388       For the network namespace, the following sysctls are allowed:
1389
1390
1391              • Sysctls beginning with net.*
1392
1393
1394
1395       Note:  if  you use the --network=host option, these sysctls will not be
1396       allowed.
1397
1398
1399   --systemd=true|false|always
1400       Run container in systemd mode. The default is true.
1401
1402
1403       The value always enforces the systemd mode is enforced without  looking
1404       at  the  executable name. Otherwise, if set to true and the command you
1405       are running inside the container is systemd, /usr/sbin/init, /sbin/init
1406       or /usr/local/sbin/init.
1407
1408
1409       If  the command you are running inside of the container is systemd Pod‐
1410       man will setup tmpfs mount points in the following directories:
1411
1412
1413/run
1414
1415/run/lock
1416
1417/tmp
1418
1419/sys/fs/cgroup/systemd
1420
1421/var/lib/journal
1422
1423
1424
1425       It will also set the default stop signal to SIGRTMIN+3.
1426
1427
1428       This allows systemd to run in a confined container without any  modifi‐
1429       cations.
1430
1431
1432       Note  that  on SELinux systems, systemd attempts to write to the cgroup
1433       file system. Containers writing to the cgroup file system are denied by
1434       default.   The container_manage_cgroup boolean must be enabled for this
1435       to be allowed on an SELinux separated system.
1436
1437
1438              setsebool -P container_manage_cgroup true
1439
1440
1441
1442   --timeout=seconds
1443       Maximum time a container is allowed to run before conmon sends  it  the
1444       kill  signal.   By  default  containers will run until they exit or are
1445       stopped by podman stop.
1446
1447
1448   --tmpfs=fs
1449       Create a tmpfs mount.
1450
1451
1452       Mount a temporary filesystem (tmpfs) mount into a container, for  exam‐
1453       ple:
1454
1455
1456              $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
1457
1458
1459
1460       This command mounts a tmpfs at /tmp within the container. The supported
1461       mount options are the same as the Linux default mount flags. If you  do
1462       not  specify  any  options,  the  systems  uses  the following options:
1463       rw,noexec,nosuid,nodev.
1464
1465
1466   --tty, -t=true|false
1467       Allocate a pseudo-TTY. The default is false.
1468
1469
1470       When set to true, Podman will allocate a pseudo-tty and attach  to  the
1471       standard  input of the container. This can be used, for example, to run
1472       a throwaway interactive shell. The default is false.
1473
1474
1475       NOTE: The --tty flag prevents redirection of standard output.  It  com‐
1476       bines  STDOUT  and STDERR, it can insert control characters, and it can
1477       hang pipes. This option should only be used when run interactively in a
1478       terminal. When feeding input to Podman, use -i only, not -it.
1479
1480
1481              echo "asdf" | podman run --rm -i someimage /bin/cat
1482
1483
1484
1485   --tz=timezone
1486       Set  timezone  in  container. This flag takes area-based timezones, GMT
1487       time, as well as local, which sets the timezone  in  the  container  to
1488       match  the  host machine. See /usr/share/zoneinfo/ for valid timezones.
1489       Remote connections use local containers.conf for defaults
1490
1491
1492   --umask=umask
1493       Set the umask inside the container. Defaults to 0022.   Remote  connec‐
1494       tions use local containers.conf for defaults
1495
1496
1497   --uidmap=container_uid:from_uid:amount
1498       Run  the  container in a new user namespace using the supplied mapping.
1499       This option conflicts with the --userns and --subuidname options.  This
1500       option  provides  a  way  to map host UIDs to container UIDs. It can be
1501       passed several times to map different ranges.
1502
1503
1504       The _fromuid value is based upon the user running the  command,  either
1505       rootfull    or    rootless    users.     *    rootfull    user:    con‐
1506       tainer_uid:host_uid:amount *  rootless  user:  container_uid:intermedi‐
1507       ate_uid:amount
1508
1509
1510       When  podman  run  is  called by a privileged user, the option --uidmap
1511       works as a direct mapping between host UIDs and container UIDs.
1512
1513
1514       host UID -> container UID
1515
1516
1517       The amount specifies the  number  of  consecutive  UIDs  that  will  be
1518       mapped.  If for example amount is 4 the mapping would look like:
1519
1520
1521       |    host  UID      |     container  UID     |  |  -               |  -
1522       | | _fromuid     | _containeruid     | | _fromuid + 1 | _containeruid +
1523       1 | | _fromuid + 2 | _containeruid + 2 | | _fromuid + 3 | _containeruid
1524       + 3 |
1525
1526
1527       When podman run is called by an unprivileged user (i.e.  running  root‐
1528       less),  the  value _fromuid is interpreted as an "intermediate UID". In
1529       the rootless case, host UIDs are not mapped directly to container UIDs.
1530       Instead the mapping happens over two mapping steps:
1531
1532
1533       host UID -> intermediate UID -> container UID
1534
1535
1536       The --uidmap option only influences the second mapping step.
1537
1538
1539       The  first  mapping  step is derived by Podman from the contents of the
1540       file /etc/subuid and the UID of the user calling Podman.
1541
1542
1543       First mapping step:
1544
1545
1546       | host UID                                         | intermediate UID |
1547       | -                                                |                - |
1548       | UID for the user starting Podman                 |                0 |
1549       | 1st subordinate UID for the user starting Podman |                1 |
1550       | 2nd subordinate UID for the user starting Podman |                2 |
1551       | 3rd subordinate UID for the user starting Podman |                3 |
1552       | nth subordinate UID for the user starting Podman |                n |
1553
1554
1555       To be able to use intermediate UIDs greater than zero, the  user  needs
1556       to have subordinate UIDs configured in /etc/subuid. See subuid(5).
1557
1558
1559       The second mapping step is configured with --uidmap.
1560
1561
1562       If for example amount is 5 the second mapping step would look like:
1563
1564
1565       |   intermediate UID   |    container UID    | | -                    |
1566       -                   | |  _fromuid            |  _containeruid      |  |
1567       _fromuid  +  1       | _containeruid + 1 | | _fromuid + 2       | _con‐
1568       taineruid + 2 | | _fromuid + 3       | _containeruid + 3 | | _fromuid +
1569       4       | _containeruid + 4 |
1570
1571
1572       Even  if  a  user  does  not have any subordinate UIDs in  /etc/subuid,
1573       --uidmap could still be used to map the normal UID of  the  user  to  a
1574       container  UID by running podman run --uidmap $container_uid:0:1 --user
1575       $container_uid ....
1576
1577
1578   --ulimit=option
1579       Ulimit options. You can use host to copy the current configuration from
1580       the host.
1581
1582
1583   --user, -u=[user | user:group | uid | uid:gid | user:gid | uid:group ]
1584       Sets  the  username or UID used and optionally the groupname or GID for
1585       the specified command.
1586
1587
1588       Without this argument, the command will run as the  user  specified  in
1589       the  container  image.  Unless overridden by a USER command in the Con‐
1590       tainerfile or by a value passed to this option, this user generally de‐
1591       faults to root.
1592
1593
1594       When  a  user  namespace is not in use, the UID and GID used within the
1595       container and on the host will match. When user namespaces are in  use,
1596       however, the UID and GID in the container may correspond to another UID
1597       and GID on the host. In rootless containers, for example, a user  name‐
1598       space  is always used, and root in the container will by default corre‐
1599       spond to the UID and GID of the user invoking Podman.
1600
1601
1602   --userns=mode
1603       Set the user namespace mode for the container. It defaults to the  POD‐
1604       MAN_USERNS  environment  variable. An empty value ("") means user name‐
1605       spaces are disabled unless an explicit mapping is set with the --uidmap
1606       and --gidmap options.
1607
1608
1609       Valid mode values are:
1610
1611
1612auto[:OPTIONS,...]:  automatically  create  a namespace. It is
1613                possible to specify these options to auto:
1614
1615gidmapping=_HOST_GID:CONTAINERGID:SIZE: to force a GID  map‐
1616                  ping to be present in the user namespace.
1617
1618size=SIZE:  to  specify  an  explicit size for the automatic
1619                  user namespace. e.g. --userns=auto:size=8192. If size is not
1620                  specified, auto will estimate a size for the user namespace.
1621
1622uidmapping=_HOST_UID:CONTAINERUID:SIZE:  to force a UID map‐
1623                  ping to be present in the user namespace.
1624
1625
1626
1627container:id: join the user namespace of  the  specified  con‐
1628                tainer.
1629
1630host:  run  in the user namespace of the caller. The processes
1631                running in the container will have the same privileges on  the
1632                host  as  any  other process launched by the calling user (de‐
1633                fault).
1634
1635keep-id: creates a user namespace where the  current  rootless
1636                user's UID:GID are mapped to the same values in the container.
1637                This option is ignored for  containers  created  by  the  root
1638                user.
1639
1640ns:namespace:  run  the  container  in the given existing user
1641                namespace.
1642
1643private: create a new namespace for the container.
1644
1645
1646
1647       This option is incompatible with --gidmap, --uidmap,  --subuidname  and
1648       --subgidname.
1649
1650
1651   --uts=mode
1652       Set  the UTS namespace mode for the container. The following values are
1653       supported:
1654
1655
1656host: use the host's UTS namespace inside the container.
1657
1658private: create a new namespace for the container (default).
1659
1660ns:[path]: run the container in the given existing  UTS  name‐
1661                space.
1662
1663container:[container]: join the UTS namespace of the specified
1664                container.
1665
1666
1667
1668   --variant=VARIANT
1669       Use VARIANT instead of the default architecture  variant  of  the  con‐
1670       tainer  image.  Some images can use multiple variants of the arm archi‐
1671       tectures, such as arm/v5 and arm/v7.
1672
1673
1674   --volume, -v[=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]
1675       Create a bind mount. If you  specify  /HOST-DIR:/CONTAINER-DIR,  Podman
1676       bind  mounts  host-dir  in the host to CONTAINER-DIR in the Podman con‐
1677       tainer. Similarly, SOURCE-VOLUME:/CONTAINER-DIR will mount  the  volume
1678       in  the  host  to the container. If no such named volume exists, Podman
1679       will create one. (Note when using the remote client, the  volumes  will
1680       be mounted from the remote server, not necessarily the client machine.)
1681
1682
1683       The options is a comma-separated list and can be: [1] ⟨#Footnote1⟩
1684
1685
1686rw|ro
1687
1688z|Z
1689
1690              • [r]shared|[r]slave|[r]private[r]unbindable
1691
1692              • [r]bind
1693
1694              • [no]exec
1695
1696              • [no]dev
1697
1698              • [no]suid
1699
1700              • [O]
1701
1702              • [U]
1703
1704
1705
1706       The  CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
1707       ume will be mounted into the container at this directory.
1708
1709
1710       Volumes may specify a source as well, as either a directory on the host
1711       or  the  name of a named volume. If no source is given, the volume will
1712       be created as an anonymously named volume  with  a  randomly  generated
1713       name,  and  will  be removed when the container is removed via the --rm
1714       flag or podman rm --volumes.
1715
1716
1717       If a volume source is specified, it must be a path on the host  or  the
1718       name  of a named volume. Host paths are allowed to be absolute or rela‐
1719       tive; relative paths are resolved relative to the directory  Podman  is
1720       run  in.  If  the  source  does not exist, Podman will return an error.
1721       Users must pre-create the source files or directories.
1722
1723
1724       Any source that does not begin with a . or / will  be  treated  as  the
1725       name  of  a named volume. If a volume with that name does not exist, it
1726       will be created.  Volumes created with names  are  not  anonymous,  and
1727       they  are  not  removed  by the --rm option and the podman rm --volumes
1728       command.
1729
1730
1731       You can specify multiple -v options to mount one or more volumes into a
1732       container.
1733
1734
1735       Write Protected Volume Mounts
1736
1737
1738       You  can  add  :ro  or  :rw  option  to  mount a volume in read-only or
1739       read-write mode, respectively. By  default,  the  volumes  are  mounted
1740       read-write.
1741
1742
1743       Chowning Volume Mounts
1744
1745
1746       By default, Podman does not change the owner and group of source volume
1747       directories mounted into containers. If a container is created in a new
1748       user  namespace, the UID and GID in the container may correspond to an‐
1749       other UID and GID on the host.
1750
1751
1752       The :U suffix tells Podman to use the correct host UID and GID based on
1753       the  UID  and GID within the container, to change recursively the owner
1754       and group of the source volume.
1755
1756
1757       Warning use with caution since this will modify the host filesystem.
1758
1759
1760       Labeling Volume Mounts
1761
1762
1763       Labeling systems like SELinux require that proper labels are placed  on
1764       volume  content mounted into a container. Without a label, the security
1765       system might prevent the processes running inside  the  container  from
1766       using the content. By default, Podman does not change the labels set by
1767       the OS.
1768
1769
1770       To change a label in the container context, you can add either  of  two
1771       suffixes  :z  or  :Z to the volume mount. These suffixes tell Podman to
1772       relabel file objects on the shared volumes. The z option  tells  Podman
1773       that  two  containers share the volume content. As a result, Podman la‐
1774       bels the content with a shared content label. Shared volume labels  al‐
1775       low all containers to read/write content.  The Z option tells Podman to
1776       label the content with a private unshared label.
1777
1778
1779       Overlay Volume Mounts
1780
1781
1782       The :O flag tells Podman to mount the directory from the host as a tem‐
1783       porary  storage  using the overlay file system. The container processes
1784       can modify content within the mountpoint which is stored  in  the  con‐
1785       tainer  storage  in  a separate directory. In overlay terms, the source
1786       directory will be the lower, and the container storage  directory  will
1787       be  the  upper. Modifications to the mount point are destroyed when the
1788       container finishes executing, similar to a tmpfs mount point being  un‐
1789       mounted.
1790
1791
1792       Subsequent executions of the container will see the original source di‐
1793       rectory content, any changes  from  previous  container  executions  no
1794       longer exist.
1795
1796
1797       One use case of the overlay mount is sharing the package cache from the
1798       host into the container to allow speeding up builds.
1799
1800
1801       Note:
1802
1803
1804               - The `O` flag conflicts with other options listed above.
1805
1806
1807
1808       Content mounted into the container is labeled with the private label.
1809              On SELinux systems, labels in the source directory must be read‐
1810       able  by  the container label. Usually containers can read/execute con‐
1811       tainer_share_t and  can  read/write  container_file_t.  If  you  cannot
1812       change the labels on a source volume, SELinux container separation must
1813       be disabled for the container to work.
1814            - The source directory mounted into the container with an  overlay
1815       mount  should  not be modified, it can cause unexpected failures. It is
1816       recommended that you do not modify the directory  until  the  container
1817       finishes running.
1818
1819
1820       Only the current container can use a private volume.
1821
1822
1823       Mounts propagation
1824
1825
1826       By default bind mounted volumes are private. That means any mounts done
1827       inside container will not be visible on host and vice  versa.  One  can
1828       change this behavior by specifying a volume mount propagation property.
1829       Making a volume shared mounts done under that volume  inside  container
1830       will  be  visible on host and vice versa. Making a volume slave enables
1831       only one way mount propagation and that is mounts done  on  host  under
1832       that  volume  will  be  visible  inside container but not the other way
1833       around. [1] ⟨#Footnote1⟩
1834
1835
1836       To control mount propagation property of volume one can use  [r]shared,
1837       [r]slave,  [r]private  or  [r]unbindable propagation flag.  Propagation
1838       property can be specified only for bind mounted volumes and not for in‐
1839       ternal  volumes  or named volumes. For mount propagation to work source
1840       mount point (mount point where source dir is mounted on)  has  to  have
1841       right  propagation  properties.  For shared volumes, source mount point
1842       has to be shared. And for slave volumes, source mount has to be  either
1843       shared or slave.  [1] ⟨#Footnote1⟩
1844
1845
1846       If you want to recursively mount a volume and all of its submounts into
1847       a container, then you can use the rbind option. By default the bind op‐
1848       tion is used, and submounts of the source directory will not be mounted
1849       into the container.
1850
1851
1852       Mounting the volume with the nosuid options means  that  SUID  applica‐
1853       tions  on the volume will not be able to change their privilege. By de‐
1854       fault volumes are mounted with nosuid.
1855
1856
1857       Mounting the volume with the noexec option means that no executables on
1858       the volume will be able to executed within the container.
1859
1860
1861       Mounting  the volume with the nodev option means that no devices on the
1862       volume will be able to be used by processes within  the  container.  By
1863       default volumes are mounted with nodev.
1864
1865
1866       If  the host-dir is a mount point, then dev, suid, and exec options are
1867       ignored by the kernel.
1868
1869
1870       Use df $hostdir to figure out the source mount, and then use findmnt -o
1871       TARGET,PROPAGATION  source-mount-dir  to figure out propagation proper‐
1872       ties of source mount. If findmnt(1) utility is not available, then  one
1873       can look at mount entry for source mount point in /proc/self/mountinfo.
1874       Look at the "optional fields" and see if any propagation properties are
1875       specified.   In  there,  shared:N  means  the mount is shared, master:N
1876       means mount is slave, and if nothing is there, the  mount  is  private.
1877       [1] ⟨#Footnote1⟩
1878
1879
1880       To  change  propagation  properties of a mount point, use mount(8) com‐
1881       mand. For example, if one wants to bind mount  source  directory  /foo,
1882       one   can   do   mount   --bind  /foo  /foo  and  mount  --make-private
1883       --make-shared /foo. This will convert /foo into a shared  mount  point.
1884       Alternatively, one can directly change propagation properties of source
1885       mount. Say, if / is source mount for /foo, then use mount --make-shared
1886       / to convert / into a shared mount.
1887
1888
1889       Note:  if  the  user  only has access rights via a group, accessing the
1890       volume from inside a rootless container will fail. Use the  --group-add
1891       keep-groups flag to pass the user's supplementary group access into the
1892       container.
1893
1894
1895   --volumes-from[=CONTAINER[:OPTIONS]]
1896       Mount volumes from the specified container(s). Used  to  share  volumes
1897       between containers. The options is a comma-separated list with the fol‐
1898       lowing available elements:
1899
1900
1901rw|ro
1902
1903z
1904
1905
1906
1907       Mounts already mounted volumes from a  source  container  onto  another
1908       container. You must supply the source's container-id or container-name.
1909       To share a volume, use the --volumes-from option when running the  tar‐
1910       get  container.  You  can share volumes even if the source container is
1911       not running.
1912
1913
1914       By default, Podman mounts the volumes in the same mode  (read-write  or
1915       read-only)  as  it  is mounted in the source container.  You can change
1916       this by adding a ro or rw option.
1917
1918
1919       Labeling systems like SELinux require that proper labels are placed  on
1920       volume  content mounted into a container. Without a label, the security
1921       system might prevent the processes running inside  the  container  from
1922       using the content. By default, Podman does not change the labels set by
1923       the OS.
1924
1925
1926       To change a label in the container context, you can add z to the volume
1927       mount.   This suffix tells Podman to relabel file objects on the shared
1928       volumes. The z option tells Podman that two containers share the volume
1929       content.  As  a result, Podman labels the content with a shared content
1930       label. Shared volume labels allow all containers to read/write content.
1931
1932
1933       If the location of the volume from the source container  overlaps  with
1934       data residing on a target container, then the volume hides that data on
1935       the target.
1936
1937
1938   --workdir, -w=dir
1939       Working directory inside the container.
1940
1941
1942       The default working directory for running binaries within  a  container
1943       is the root directory (/).  The image developer can set a different de‐
1944       fault with the WORKDIR instruction. The operator can override the work‐
1945       ing directory by using the -w option.
1946
1947
1948   --pidfile=path
1949       When the pidfile location is specified, the container process' PID will
1950       be written to the pidfile. (This option is not available with  the  re‐
1951       mote  Podman  client)  If the pidfile option is not specified, the con‐
1952       tainer process' PID will be written to  /run/containers/storage/${stor‐
1953       age-driver}-containers/$CID/userdata/pidfile.
1954
1955
1956       After  the  container  is  started, the location for the pidfile can be
1957       discovered with the following podman inspect command:
1958
1959
1960              $ podman inspect --format '{{ .PidFile }}' $CID
1961              /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile
1962
1963
1964

Exit Status

1966       The exit code from podman run gives information about why the container
1967       failed  to  run or why it exited. When podman run exits with a non-zero
1968       code, the exit codes follow the chroot(1) standard, see below:
1969
1970
1971       125 The error is with Podman itself
1972
1973
1974              $ podman run --foo busybox; echo $?
1975              Error: unknown flag: --foo
1976              125
1977
1978
1979
1980       126 The contained command cannot be invoked
1981
1982
1983              $ podman run busybox /etc; echo $?
1984              Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
1985              126
1986
1987
1988
1989       127 The contained command cannot be found
1990
1991
1992              $ podman run busybox foo; echo $?
1993              Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
1994              127
1995
1996
1997
1998       Exit code contained command exit code
1999
2000
2001              $ podman run busybox /bin/sh -c 'exit 3'; echo $?
2002              3
2003
2004
2005

EXAMPLES

2007   Running container in read-only mode
2008       During container image development, containers often need to  write  to
2009       the  image content. Installing packages into /usr, for example. In pro‐
2010       duction, applications seldom need to write to the image.  Container ap‐
2011       plications  write  to  volumes if they need to write to file systems at
2012       all. Applications can be made more secure by running them in  read-only
2013       mode  using the --read-only switch.  This protects the containers image
2014       from modification. Read only containers may still need to write  tempo‐
2015       rary data. The best way to handle this is to mount tmpfs directories on
2016       /run and /tmp.
2017
2018
2019              $ podman run --read-only -i -t fedora /bin/bash
2020
2021              $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
2022
2023
2024
2025   Exposing log messages from the container to the host's log
2026       If you want messages that are logged in your container to  show  up  in
2027       the  host's  syslog/journal then you should bind mount the /dev/log di‐
2028       rectory as follows.
2029
2030
2031              $ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
2032
2033
2034
2035       From inside the container you can test this by sending a message to the
2036       log.
2037
2038
2039              (bash)# logger "Hello from my container"
2040
2041
2042
2043       Then exit and check the journal.
2044
2045
2046              (bash)# exit
2047
2048              $ journalctl -b | grep Hello
2049
2050
2051
2052       This should list the message sent to logger.
2053
2054
2055   Attaching to one or more from STDIN, STDOUT, STDERR
2056       If you do not specify -a, Podman will attach everything (stdin, stdout,
2057       stderr).  You can specify  to  which  of  the  three  standard  streams
2058       (stdin, stdout, stderr) you'd like to connect instead, as in:
2059
2060
2061              $ podman run -a stdin -a stdout -i -t fedora /bin/bash
2062
2063
2064
2065   Sharing IPC between containers
2066       Using              shm_server.c             available             here:
2067       https://www.cs.cf.ac.uk/Dave/C/node27.html
2068
2069
2070       Testing --ipc=host mode:
2071
2072
2073       Host shows a shared memory segment with 7 pids attached, happens to  be
2074       from httpd:
2075
2076
2077              $ sudo ipcs -m
2078
2079              ------ Shared Memory Segments --------
2080              key        shmid      owner      perms      bytes      nattch     status
2081              0x01128e25 0          root       600        1000       7
2082
2083
2084
2085       Now  run  a regular container, and it correctly does NOT see the shared
2086       memory segment from the host:
2087
2088
2089              $ podman run -it shm ipcs -m
2090
2091              ------ Shared Memory Segments --------
2092              key        shmid      owner      perms      bytes      nattch     status
2093
2094
2095
2096       Run a container with the new --ipc=host option, and  it  now  sees  the
2097       shared memory segment from the host httpd:
2098
2099
2100              $ podman run -it --ipc=host shm ipcs -m
2101
2102              ------ Shared Memory Segments --------
2103              key        shmid      owner      perms      bytes      nattch     status
2104              0x01128e25 0          root       600        1000       7
2105
2106
2107
2108       Testing --ipc=container:id mode:
2109
2110
2111       Start a container with a program to create a shared memory segment:
2112
2113
2114              $ podman run -it shm bash
2115              $ sudo shm/shm_server
2116              $ sudo ipcs -m
2117
2118              ------ Shared Memory Segments --------
2119              key        shmid      owner      perms      bytes      nattch     status
2120              0x0000162e 0          root       666        27         1
2121
2122
2123
2124       Create  a  2nd  container correctly shows no shared memory segment from
2125       1st container:
2126
2127
2128              $ podman run shm ipcs -m
2129
2130              ------ Shared Memory Segments --------
2131              key        shmid      owner      perms      bytes      nattch     status
2132
2133
2134
2135       Create a 3rd container using  the  --ipc=container:id  option,  now  it
2136       shows the shared memory segment from the first:
2137
2138
2139              $ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
2140              $ sudo ipcs -m
2141
2142              ------ Shared Memory Segments --------
2143              key        shmid      owner      perms      bytes      nattch     status
2144              0x0000162e 0          root       666        27         1
2145
2146
2147
2148   Mapping Ports for External Usage
2149       The  exposed  port of an application can be mapped to a host port using
2150       the -p flag. For example, an httpd port 80 can be mapped  to  the  host
2151       port 8080 using the following:
2152
2153
2154              $ podman run -p 8080:80 -d -i -t fedora/httpd
2155
2156
2157
2158   Mounting External Volumes
2159       To  mount  a host directory as a container volume, specify the absolute
2160       path to the directory and the absolute path for the container directory
2161       separated  by  a  colon.  If the source is a named volume maintained by
2162       Podman, it is recommended to use its name rather than the path  to  the
2163       volume.  Otherwise the volume will be considered as an orphan and wiped
2164       if you execute podman volume prune:
2165
2166
2167              $ podman run -v /var/db:/data1 -i -t fedora bash
2168
2169              $ podman run -v data:/data2 -i -t fedora bash
2170
2171              $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
2172
2173              $ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:z,U mariadb
2174
2175
2176
2177       Using --mount flags to mount a host directory as  a  container  folder,
2178       specify  the absolute path to the directory or the volume name, and the
2179       absolute path within the container directory:
2180
2181
2182              $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
2183
2184              $ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh
2185
2186
2187
2188       When using SELinux, be aware that the host has  no  knowledge  of  con‐
2189       tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
2190       icy is enforced, the /var/db directory is  not  writable  to  the  con‐
2191       tainer. A "Permission Denied" message will occur and an avc: message in
2192       the host's syslog.
2193
2194
2195       To work around this, at time of writing this man  page,  the  following
2196       command needs to be run in order for the proper SELinux policy type la‐
2197       bel to be attached to the host directory:
2198
2199
2200              $ chcon -Rt svirt_sandbox_file_t /var/db
2201
2202
2203
2204       Now, writing to the /data1 volume in the container will be allowed  and
2205       the changes will also be reflected on the host in /var/db.
2206
2207
2208   Using alternative security labeling
2209       You  can  override  the  default  labeling scheme for each container by
2210       specifying the --security-opt flag. For example, you  can  specify  the
2211       MCS/MLS  level,  a requirement for MLS systems. Specifying the level in
2212       the following command allows you to share the same content between con‐
2213       tainers.
2214
2215
2216              podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash
2217
2218
2219
2220       An MLS example might be:
2221
2222
2223              $ podman run --security-opt label=level:TopSecret -i -t rhel7 bash
2224
2225
2226
2227       To disable the security labeling for this container versus running with
2228       the
2229
2230
2231   --permissive flag, use the following command:
2232              $ podman run --security-opt label=disable -i -t fedora bash
2233
2234
2235
2236       If you want a tighter security policy on the processes  within  a  con‐
2237       tainer,  you can specify an alternate type for the container. You could
2238       run a container that is only allowed to listen on Apache ports by  exe‐
2239       cuting the following command:
2240
2241
2242              $ podman run --security-opt label=type:svirt_apache_t -i -t centos bash
2243
2244
2245
2246       Note you would have to write policy defining a svirt_apache_t type.
2247
2248
2249       To  mask  additional specific paths in the container, specify the paths
2250       separated by a colon using the  mask  option  with  the  --security-opt
2251       flag.
2252
2253
2254              $ podman run --security-opt mask=/foo/bar:/second/path fedora bash
2255
2256
2257
2258       To  unmask all the paths that are masked by default, set the unmask op‐
2259       tion to ALL. Or to only unmask specific paths,  specify  the  paths  as
2260       shown above with the mask option.
2261
2262
2263              $ podman run --security-opt unmask=ALL fedora bash
2264
2265
2266
2267       To unmask all the paths that start with /proc, set the unmask option to
2268       /proc/*.
2269
2270
2271              $ podman run --security-opt unmask=/proc/* fedora bash
2272
2273
2274
2275              $ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
2276
2277
2278
2279   Setting device weight
2280       If you want to set /dev/sda device weight to 200, you can  specify  the
2281       device weight by --blkio-weight-device flag. Use the following command:
2282
2283
2284              $ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu
2285
2286
2287
2288   Using a podman container with input from a pipe
2289              $ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
2290              asdf
2291
2292
2293
2294   Setting Namespaced Kernel Parameters (Sysctls)
2295       The  --sysctl  sets  namespaced kernel parameters (sysctls) in the con‐
2296       tainer. For example, to turn on IP forwarding in the containers network
2297       namespace, run this command:
2298
2299
2300              $ podman run --sysctl net.ipv4.ip_forward=1 someimage
2301
2302
2303
2304       Note  that  not  all  sysctls  are  namespaced. Podman does not support
2305       changing sysctls inside of a container that also modify the  host  sys‐
2306       tem.  As the kernel evolves we expect to see more sysctls become names‐
2307       paced.
2308
2309
2310       See the definition of the --sysctl option above for the current list of
2311       supported sysctls.
2312
2313
2314   Set UID/GID mapping in a new user namespace
2315       Running  a  container in a new user namespace requires a mapping of the
2316       uids and gids from the host.
2317
2318
2319              $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
2320
2321
2322
2323   Configuring Storage Options from the command line
2324       Podman allows for the configuration of storage by changing  the  values
2325       in  the  /etc/container/storage.conf  or  by using global options. This
2326       shows how to setup and use fuse-overlayfs for a one time run of busybox
2327       using global options.
2328
2329
2330              podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh
2331
2332
2333
2334   Configure timezone in a container
2335              $ podman run --tz=local alpine date
2336              $ podman run --tz=Asia/Shanghai alpine date
2337              $ podman run --tz=US/Eastern alpine date
2338
2339
2340
2341   Adding dependency containers
2342       The  first container, container1, is not started initially, but must be
2343       running before container2 will start.   The  podman  run  command  will
2344       start the container automatically before starting container2.
2345
2346
2347              $ podman create --name container1 -t -i fedora bash
2348              $ podman run --name container2 --requires container1 -t -i fedora bash
2349
2350
2351
2352       Multiple containers can be required.
2353
2354
2355              $ podman create --name container1 -t -i fedora bash
2356              $ podman create --name container2 -t -i fedora bash
2357              $ podman run --name container3 --requires container1,container2 -t -i fedora bash
2358
2359
2360
2361   Configure keep supplemental groups for access to volume
2362              $ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8
2363
2364
2365
2366   Rootless Containers
2367       Podman  runs  as a non root user on most systems. This feature requires
2368       that  a  new  enough  version  of  shadow-utils   be   installed.   The
2369       shadow-utils package must include the newuidmap(1) and newgidmap(1) ex‐
2370       ecutables.
2371
2372
2373       Note: RHEL7 and Centos 7 will not have this feature  until  RHEL7.7  is
2374       released.
2375
2376
2377       In  order  for  users to run rootless, there must be an entry for their
2378       username in /etc/subuid and /etc/subgid which lists the UIDs for  their
2379       user namespace.
2380
2381
2382       Rootless  Podman  works  better  if  the fuse-overlayfs and slirp4netns
2383       packages are installed.  The fuse-overlay package provides a  userspace
2384       overlay  storage  driver,  otherwise  users need to use the vfs storage
2385       driver, which  is  diskspace  expensive  and  does  not  perform  well.
2386       slirp4netns  is  required for VPN, without it containers need to be run
2387       with the --network=host flag.
2388
2389

ENVIRONMENT

2391       Environment variables within containers can be set using multiple  dif‐
2392       ferent  options,  in  the  following order of precedence (later entries
2393       override earlier entries):
2394
2395
2396              • Container image: Any environment variables  specified  in  the
2397                container image.
2398
2399--http-proxy:  By  default, several environment variables will
2400                be passed in from the host, such as http_proxy  and  no_proxy.
2401                See --http-proxy for details.
2402
2403--env-host:  Host  environment of the process executing Podman
2404                is added.
2405
2406--env-file: Any environment variables specified via env-files.
2407                If  multiple files specified, then they override each other in
2408                order of entry.
2409
2410--env: Any environment variables specified will override  pre‐
2411                vious settings.
2412
2413
2414
2415       Run containers and set the environment ending with a * and a *****:
2416
2417
2418              $ export ENV1=a
2419              $ podman run --env ENV* alpine printenv ENV1
2420              a
2421
2422              $ podman run --env ENV*****=b alpine printenv ENV*****
2423              b
2424
2425
2426

CONMON

2428       When Podman starts a container it actually executes the conmon program,
2429       which then executes the OCI Runtime.  Conmon is the container  monitor.
2430       It  is a small program whose job is to watch the primary process of the
2431       container, and if the container dies, save  the  exit  code.   It  also
2432       holds  open  the  tty  of  the container, so that it can be attached to
2433       later. This is what allows  Podman  to  run  in  detached  mode  (back‐
2434       grounded),  so  Podman can exit but conmon continues to run.  Each con‐
2435       tainer has their own instance of conmon. Conmon waits for the container
2436       to  exit,  gathers  and saves the exit code, and then launches a Podman
2437       process to complete the container cleanup, by shutting down the network
2438       and  storage.    For  more  information on conmon, please reference the
2439       conmon(8) man page.
2440
2441

FILES

2443       /etc/subuid
2444
2445
2446       /etc/subgid
2447
2448
2449       NOTE: Use the environment variable TMPDIR to change the temporary stor‐
2450       age  location  of  downloaded  container images. Podman defaults to use
2451       /var/tmp.
2452
2453

SEE ALSO

2455       podman(1),   podman-save(1),   podman-ps(1),   podman-attach(1),   pod‐
2456       man-pod-create(1),   podman-port(1),  podman-start(1),  podman-kill(1),
2457       podman-stop(1),  podman-generate-systemd(1)  podman-rm(1),   subgid(5),
2458       subuid(5),     containers.conf(5),    systemd.unit(5),    setsebool(8),
2459       slirp4netns(1), fuse-overlayfs(1), proc(5), conmon(8).
2460
2461

HISTORY

2463       September   2018,   updated    by    Kunal    Kushwaha    <kushwaha_ku‐
2464       nal_v7@lab.ntt.co.jp>
2465
2466
2467       October  2017,  converted  from  Docker  documentation to Podman by Dan
2468       Walsh for Podman <dwalsh@redhat.com>
2469
2470
2471       November 2015, updated by Sally O'Malley <somalley@redhat.com>
2472
2473
2474       June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
2475
2476
2477       April 2014, Originally compiled by  William  Henry  <whenry@redhat.com>
2478       based on docker.com source material and internal work.
2479
2480

FOOTNOTES

2482       1: The Podman project is committed to inclusivity, a core value of open
2483       source. The master and slave mount propagation terminology used here is
2484       problematic  and  divisive, and should be changed. However, these terms
2485       are currently used within the Linux kernel and must be  used  as-is  at
2486       this  time. When the kernel maintainers rectify this usage, Podman will
2487       follow suit immediately.
2488
2489
2490
2491                                                               podman-run(1)()
Impressum