1podman-run(1)() podman-run(1)()
2
3
4
6 podman-run - Run a command in a new container
7
8
10 podman run [options] image [command [arg ...]]
11
12
13 podman container run [options] image [command [arg ...]]
14
15
17 Run a process in a new container. podman run starts a process with its
18 own file system, its own networking, and its own isolated process tree.
19 The image which starts the process may define defaults related to the
20 process that will be run in the container, the networking to expose,
21 and more, but podman run gives final control to the operator or admin‐
22 istrator who starts the container from the image. For that reason pod‐
23 man run has more options than any other Podman command.
24
25
26 If the image is not already loaded then podman run will pull the image,
27 and all image dependencies, from the repository in the same way running
28 podman pull image , before it starts the container from that image.
29
30
31 Several files will be automatically created within the container. These
32 include /etc/hosts, /etc/hostname, and /etc/resolv.conf to manage net‐
33 working. These will be based on the host's version of the files,
34 though they can be customized with options (for example, --dns will
35 override the host's DNS servers in the created resolv.conf). Addition‐
36 ally, a container environment file is created in each container to in‐
37 dicate to programs they are running in a container. This file is lo‐
38 cated at /run/.containerenv. When using the --privileged flag the .con‐
39 tainerenv contains name/value pairs indicating the container engine
40 version, whether the engine is running in rootless mode, the container
41 name and id, as well as the image name and id that the container is
42 based on.
43
44
45 When running from a user defined network namespace, the
46 /etc/netns/NSNAME/resolv.conf will be used if it exists, otherwise
47 /etc/resolv.conf will be used.
48
49
50 Default settings are defined in containers.conf. Most settings for re‐
51 mote connections use the servers containers.conf, except when docu‐
52 mented in man pages.
53
54
56 The image is specified using transport:path format. If no transport is
57 specified, the docker (container registry) transport will be used by
58 default. For remote Podman, docker is the only allowed transport.
59
60
61 dir:path
62 An existing local directory path storing the manifest, layer tarballs
63 and signatures as individual files. This is a non-standardized format,
64 primarily useful for debugging or noninvasive container inspection.
65
66
67 $ podman save --format docker-dir fedora -o /tmp/fedora
68 $ podman run dir:/tmp/fedora echo hello
69
70
71
72 docker://docker-reference (Default)
73 An image reference stored in a remote container image registry. Exam‐
74 ple: "quay.io/podman/stable:latest". The reference can include a path
75 to a specific registry; if it does not, the registries listed in reg‐
76 istries.conf will be queried to find a matching image. By default,
77 credentials from podman login (stored at $XDG_RUNTIME_DIR/contain‐
78 ers/auth.json by default) will be used to authenticate; otherwise it
79 falls back to using credentials in $HOME/.docker/config.json.
80
81
82 $ podman run registry.fedoraproject.org/fedora:latest echo hello
83
84
85
86 docker-archive:path[:docker-reference] An image stored in the docker
87 save formatted file. docker-reference is only used when creating such a
88 file, and it must not contain a digest.
89
90
91 $ podman save --format docker-archive fedora -o /tmp/fedora
92 $ podman run docker-archive:/tmp/fedora echo hello
93
94
95
96 docker-daemon:docker-reference
97 An image in docker-reference format stored in the docker daemon in‐
98 ternal storage. The docker-reference can also be an image ID
99 (docker-daemon:algo:digest).
100
101
102 $ sudo docker pull fedora
103 $ sudo podman run docker-daemon:docker.io/library/fedora echo hello
104
105
106
107 oci-archive:path:tag
108 An image in a directory compliant with the "Open Container Image Lay‐
109 out Specification" at the specified path and specified with a tag.
110
111
112 $ podman save --format oci-archive fedora -o /tmp/fedora
113 $ podman run oci-archive:/tmp/fedora echo hello
114
115
116
118 --add-host=host:ip
119 Add a line to container's /etc/hosts for custom host-to-IP mapping.
120 This option can be set multiple times.
121
122
123 --annotation=key=value
124 Add an annotation to the container. This option can be set multiple
125 times.
126
127
128 --arch=ARCH
129 Override the architecture, defaults to hosts, of the image to be
130 pulled. For example, arm.
131
132
133 --attach, -a=stdin|stdout|stderr
134 Attach to STDIN, STDOUT or STDERR.
135
136
137 In foreground mode (the default when -d is not specified), podman run
138 can start the process in the container and attach the console to the
139 process's standard input, output, and error. It can even pretend to be
140 a TTY (this is what most commandline executables expect) and pass along
141 signals. The -a option can be set for each of stdin, stdout, and
142 stderr.
143
144
145 --authfile[=path]
146 Path to the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
147 ers/auth.json.
148
149
150 Note: You can also override the default path of the authentication file
151 by setting the REGISTRY_AUTH_FILE environment variable.
152
153
154 --blkio-weight=weight
155 Block IO relative weight. The weight is a value between 10 and 1000.
156
157
158 --blkio-weight-device=device:weight
159 Block IO relative device weight.
160
161
162 --cap-add=capability
163 Add Linux capabilities.
164
165
166 --cap-drop=capability
167 Drop Linux capabilities.
168
169
170 --cgroupns=mode
171 Set the cgroup namespace mode for the container.
172
173
174 • host: use the host's cgroup namespace inside the container.
175
176 • container:id: join the namespace of the specified container.
177
178 • private: create a new cgroup namespace.
179
180 • ns:path: join the namespace at the specified path.
181
182
183
184 If the host uses cgroups v1, the default is set to host. On cgroups v2,
185 the default is private.
186
187
188 --cgroups=enabled|disabled|no-conmon|split
189 Determines whether the container will create CGroups.
190
191
192 Default is enabled.
193
194
195 The enabled option will create a new cgroup under the cgroup-parent.
196 The disabled option will force the container to not create CGroups, and
197 thus conflicts with CGroup options (--cgroupns and --cgroup-parent).
198 The no-conmon option disables a new CGroup only for the conmon process.
199 The split option splits the current CGroup in two sub-cgroups: one for
200 conmon and one for the container payload. It is not possible to set
201 --cgroup-parent with split.
202
203
204 --cgroup-parent=path
205 Path to cgroups under which the cgroup for the container will be cre‐
206 ated. If the path is not absolute, the path is considered to be rela‐
207 tive to the cgroups path of the init process. Cgroups will be created
208 if they do not already exist.
209
210
211 --cgroup-conf=KEY=VALUE
212 When running on cgroup v2, specify the cgroup file to write to and its
213 value. For example --cgroup-conf=memory.high=1073741824 sets the mem‐
214 ory.high limit to 1GB.
215
216
217 --cidfile=file
218 Write the container ID to file.
219
220
221 --conmon-pidfile=file
222 Write the pid of the conmon process to a file. As conmon runs in a sep‐
223 arate process than Podman, this is necessary when using systemd to
224 restart Podman containers. (This option is not available with the re‐
225 mote Podman client)
226
227
228 --cpu-period=limit
229 Set the CPU period for the Completely Fair Scheduler (CFS), which is a
230 duration in microseconds. Once the container's CPU quota is used up, it
231 will not be scheduled to run until the current period ends. Defaults to
232 100000 microseconds.
233
234
235 On some systems, changing the CPU limits may not be allowed for
236 non-root users. For more details, see https://github.com/contain‐
237 ers/podman/blob/master/troubleshooting.md#26-running-contain‐
238 ers-with-cpu-limits-fails-with-a-permissions-error
239
240
241 --cpu-quota=limit
242 Limit the CPU Completely Fair Scheduler (CFS) quota.
243
244
245 Limit the container's CPU usage. By default, containers run with the
246 full CPU resource. The limit is a number in microseconds. If you pro‐
247 vide a number, the container will be allowed to use that much CPU time
248 until the CPU period ends (controllable via --cpu-period).
249
250
251 On some systems, changing the CPU limits may not be allowed for
252 non-root users. For more details, see https://github.com/contain‐
253 ers/podman/blob/master/troubleshooting.md#26-running-contain‐
254 ers-with-cpu-limits-fails-with-a-permissions-error
255
256
257 --cpu-rt-period=microseconds
258 Limit the CPU real-time period in microseconds.
259
260
261 Limit the container's Real Time CPU usage. This flag tell the kernel to
262 restrict the container's Real Time CPU usage to the period you specify.
263
264
265 --cpu-rt-runtime=microseconds
266 Limit the CPU real-time runtime in microseconds.
267
268
269 Limit the containers Real Time CPU usage. This flag tells the kernel to
270 limit the amount of time in a given CPU period Real Time tasks may con‐
271 sume. Ex: Period of 1,000,000us and Runtime of 950,000us means that
272 this container could consume 95% of available CPU and leave the remain‐
273 ing 5% to normal priority tasks.
274
275
276 The sum of all runtimes across containers cannot exceed the amount al‐
277 lotted to the parent cgroup.
278
279
280 --cpu-shares=shares
281 CPU shares (relative weight).
282
283
284 By default, all containers get the same proportion of CPU cycles. This
285 proportion can be modified by changing the container's CPU share
286 weighting relative to the combined weight of all the running contain‐
287 ers. Default weight is 1024.
288
289
290 The proportion will only apply when CPU-intensive processes are run‐
291 ning. When tasks in one container are idle, other containers can use
292 the left-over CPU time. The actual amount of CPU time will vary depend‐
293 ing on the number of containers running on the system.
294
295
296 For example, consider three containers, one has a cpu-share of 1024 and
297 two others have a cpu-share setting of 512. When processes in all three
298 containers attempt to use 100% of CPU, the first container would re‐
299 ceive 50% of the total CPU time. If you add a fourth container with a
300 cpu-share of 1024, the first container only gets 33% of the CPU. The
301 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
302
303
304 On a multi-core system, the shares of CPU time are distributed over all
305 CPU cores. Even if a container is limited to less than 100% of CPU
306 time, it can use 100% of each individual CPU core.
307
308
309 For example, consider a system with more than three cores. If you start
310 one container {C0} with --cpu-shares=512 running one process, and an‐
311 other container {C1} with --cpu-shares=1024 running two processes, this
312 can result in the following division of CPU shares:
313
314
315 ┌────┬───────────┬─────┬──────────────┐
316 │PID │ container │ CPU │ CPU share │
317 ├────┼───────────┼─────┼──────────────┤
318 │100 │ {C0} │ 0 │ 100% of CPU0 │
319 ├────┼───────────┼─────┼──────────────┤
320 │101 │ {C1} │ 1 │ 100% of CPU1 │
321 ├────┼───────────┼─────┼──────────────┤
322 │102 │ {C1} │ 2 │ 100% of CPU2 │
323 ├────┼───────────┼─────┼──────────────┤
324 │ │ │ │ │
325 └────┴───────────┴─────┴──────────────┘
326
327 --cpus=number
328 Number of CPUs. The default is 0.0 which means no limit. This is short‐
329 hand for --cpu-period and --cpu-quota, so you may only set either
330
331
332 --cpus or --cpu-period and --cpu-quota.
333 On some systems, changing the CPU limits may not be allowed for
334 non-root users. For more details, see https://github.com/contain‐
335 ers/podman/blob/master/troubleshooting.md#26-running-contain‐
336 ers-with-cpu-limits-fails-with-a-permissions-error
337
338
339 --cpuset-cpus=number
340 CPUs in which to allow execution. Can be specified as a comma-separated
341 list (e.g. 0,1), as a range (e.g. 0-3), or any combination thereof
342 (e.g. 0-3,7,11-15).
343
344
345 --cpuset-mems=nodes
346 Memory nodes (MEMs) in which to allow execution. Only effective on NUMA
347 systems.
348
349
350 For example, if you have four memory nodes (0-3) on your system, use
351 --cpuset-mems=0,1 to only use memory from the first two memory nodes.
352
353
354 --detach, -d=true|false
355 Detached mode: run the container in the background and print the new
356 container ID. The default is false.
357
358
359 At any time you can run podman ps in the other shell to view a list of
360 the running containers. You can reattach to a detached container with
361 podman attach.
362
363
364 When attached in the tty mode, you can detach from the container (and
365 leave it running) using a configurable key sequence. The default se‐
366 quence is ctrl-p,ctrl-q. Configure the keys sequence using the --de‐
367 tach-keys option, or specifying it in the containers.conf file: see
368 containers.conf(5) for more information.
369
370
371 --detach-keys=sequence
372 Specify the key sequence for detaching a container. Format is a single
373 character [a-Z] or one or more ctrl-<value> characters where <value> is
374 one of: a-z, @, ^, [, , or _. Specifying "" will disable this feature.
375 The default is ctrl-p,ctrl-q.
376
377
378 This option can also be set in containers.conf(5) file.
379
380
381 Specifying "" will disable this feature. The default is ctrl-p,ctrl-q.
382
383
384 --device=host-device[:container-device][:permissions]
385 Add a host device to the container. Optional permissions parameter can
386 be used to specify device permissions, it is combination of r for read,
387 w for write, and m for mknod(2).
388
389
390 Example: --device=/dev/sdc:/dev/xvdc:rwm.
391
392
393 Note: if _hostdevice is a symbolic link then it will be resolved first.
394 The container will only store the major and minor numbers of the host
395 device.
396
397
398 Note: if the user only has access rights via a group, accessing the de‐
399 vice from inside a rootless container will fail. Use the --group-add
400 keep-groups flag to pass the user's supplementary group access into the
401 container.
402
403
404 Podman may load kernel modules required for using the specified device.
405 The devices that Podman will load modules when necessary are:
406 /dev/fuse.
407
408
409 --device-cgroup-rule=rule
410 Add a rule to the cgroup allowed devices list
411
412
413 --device-read-bps=path:rate
414 Limit read rate (in bytes per second) from a device (e.g. --de‐
415 vice-read-bps=/dev/sda:1mb).
416
417
418 --device-read-iops=path:rate
419 Limit read rate (in IO operations per second) from a device (e.g. --de‐
420 vice-read-iops=/dev/sda:1000).
421
422
423 --device-write-bps=path:rate
424 Limit write rate (in bytes per second) to a device (e.g. --de‐
425 vice-write-bps=/dev/sda:1mb).
426
427
428 --device-write-iops=path:rate
429 Limit write rate (in IO operations per second) to a device (e.g. --de‐
430 vice-write-iops=/dev/sda:1000).
431
432
433 --disable-content-trust
434 This is a Docker specific option to disable image verification to a
435 Docker registry and is not supported by Podman. This flag is a NOOP and
436 provided solely for scripting compatibility.
437
438
439 --dns=ipaddr
440 Set custom DNS servers. Invalid if using --dns with --network that is
441 set to none or container:id.
442
443
444 This option can be used to override the DNS configuration passed to the
445 container. Typically this is necessary when the host DNS configuration
446 is invalid for the container (e.g., 127.0.0.1). When this is the case
447 the --dns flags is necessary for every run.
448
449
450 The special value none can be specified to disable creation of /etc/re‐
451 solv.conf in the container by Podman. The /etc/resolv.conf file in the
452 image will be used without changes.
453
454
455 --dns-opt=option
456 Set custom DNS options. Invalid if using --dns-opt with --network that
457 is set to none or container:id.
458
459
460 --dns-search=domain
461 Set custom DNS search domains. Invalid if using --dns-search and --net‐
462 work that is set to none or container:id. Use --dns-search=. if you
463 don't wish to set the search domain.
464
465
466 --entrypoint="command" | '["command", arg1 , ...]'
467 Overwrite the default ENTRYPOINT of the image.
468
469
470 This option allows you to overwrite the default entrypoint of the im‐
471 age.
472
473
474 The ENTRYPOINT of an image is similar to a COMMAND because it specifies
475 what executable to run when the container starts, but it is (purposely)
476 more difficult to override. The ENTRYPOINT gives a container its de‐
477 fault nature or behavior, so that when you set an ENTRYPOINT you can
478 run the container as if it were that binary, complete with default op‐
479 tions, and you can pass in more options via the COMMAND. But, sometimes
480 an operator may want to run something else inside the container, so you
481 can override the default ENTRYPOINT at runtime by using a --entrypoint
482 and a string to specify the new ENTRYPOINT.
483
484
485 You need to specify multi option commands in the form of a json string.
486
487
488 --env, -e=env
489 Set environment variables.
490
491
492 This option allows arbitrary environment variables that are available
493 for the process to be launched inside of the container. If an environ‐
494 ment variable is specified without a value, Podman will check the host
495 environment for a value and set the variable only if it is set on the
496 host. If an environment variable ending in * is specified, Podman will
497 search the host environment for variables starting with the prefix and
498 will add those variables to the container. If an environment variable
499 with a trailing ***** is specified, then a value must be supplied.
500
501
502 See Environment ⟨#environment⟩ note below for precedence and examples.
503
504
505 --env-host=true|false
506 Use host environment inside of the container. See Environment note be‐
507 low for precedence. (This option is not available with the remote Pod‐
508 man client)
509
510
511 --env-file=file
512 Read in a line delimited file of environment variables. See Environment
513 note below for precedence.
514
515
516 --expose=port
517 Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up
518 port redirection on the host system.
519
520
521 --gidmap=container_gid:host_gid:amount
522 Run the container in a new user namespace using the supplied mapping.
523 This option conflicts with the --userns and --subgidname flags. This
524 option can be passed several times to map different ranges. If calling
525 podman run as an unprivileged user, the user needs to have the right to
526 use the mapping. See subuid(5). The example maps gids 0-1999 in the
527 container to the gids 30000-31999 on the host: --gidmap=0:30000:2000.
528
529
530 Important note: The new user namespace mapping based on --gidmap is
531 based on the initial mapping made in the /etc/subgid file. Assuming
532 there is a /etc/subgid mapping groupname:100000:65536, then groupname
533 is initially mapped to a namespace starting with gid 100000 for 65536
534 ids. From here the --gidmap mapping to the new namespace starts from 0
535 again, but is based on the initial mapping. Meaning groupname is ini‐
536 tially mapped to gid 100000 which is referenced as 0 in the following
537 --gidmap mapping. In terms of the example above: The group groupname is
538 mapped to group 100000 of the initial namespace then the 30000st id of
539 this namespace (which is gid 130000 in this namespace) is mapped to
540 container namespace group id 0. (groupname -> 100000 / 30000 -> 0)
541
542
543 --group-add=group|keep-groups
544 Add additional groups to assign to primary user running within the con‐
545 tainer process.
546
547
548 • keep-groups is a special flag that tells Podman to keep the
549 supplementary group access.
550
551
552
553 Allows container to use the user's supplementary group access. If file
554 systems or devices are only accessible by the rootless user's group,
555 this flag tells the OCI runtime to pass the group access into the con‐
556 tainer. Currently only available with the crun OCI runtime. Note:
557 keep-groups is exclusive, you cannot add any other groups with this
558 flag. (Not available for remote commands)
559
560
561 --health-cmd="command" | '["command", arg1 , ...]'
562 Set or alter a healthcheck command for a container. The command is a
563 command to be executed inside your container that determines your con‐
564 tainer health. The command is required for other healthcheck options to
565 be applied. A value of none disables existing healthchecks.
566
567
568 Multiple options can be passed in the form of a JSON array; otherwise,
569 the command will be interpreted as an argument to /bin/sh -c.
570
571
572 --health-interval=interval
573 Set an interval for the healthchecks. An interval of disable results in
574 no automatic timer setup. The default is 30s.
575
576
577 --health-retries=retries
578 The number of retries allowed before a healthcheck is considered to be
579 unhealthy. The default value is 3.
580
581
582 --health-start-period=period
583 The initialization time needed for a container to bootstrap. The value
584 can be expressed in time format like 2m3s. The default value is 0s.
585
586
587 --health-timeout=timeout
588 The maximum time allowed to complete the healthcheck before an interval
589 is considered failed. Like start-period, the value can be expressed in
590 a time format such as 1m22s. The default value is 30s.
591
592
593 --help
594 Print usage statement
595
596
597 --hostname=name, -h
598 Container host name
599
600
601 Sets the container host name that is available inside the container.
602 Can only be used with a private UTS namespace --uts=private (default).
603 If --pod is specified and the pod shares the UTS namespace (default)
604 the pod's hostname will be used.
605
606
607 --http-proxy=true|false
608 By default proxy environment variables are passed into the container if
609 set for the Podman process. This can be disabled by setting the value
610 to false. The environment variables passed in include http_proxy,
611 https_proxy, ftp_proxy, no_proxy, and also the upper case versions of
612 those. This option is only needed when the host system must use a proxy
613 but the container should not use any proxy. Proxy environment variables
614 specified for the container in any other way will override the values
615 that would have been passed through from the host. (Other ways to spec‐
616 ify the proxy for the container include passing the values with the
617 --env flag, or hard coding the proxy environment at container build
618 time.) (This option is not available with the remote Podman client)
619
620
621 Defaults to true.
622
623
624 --image-volume, builtin-volume=bind|tmpfs|ignore
625 Tells Podman how to handle the builtin image volumes. Default is bind.
626
627
628 • bind: An anonymous named volume will be created and mounted
629 into the container.
630
631 • tmpfs: The volume is mounted onto the container as a tmpfs,
632 which allows the users to create content that disappears when
633 the container is stopped.
634
635 • ignore: All volumes are just ignored and no action is taken.
636
637
638
639 --init
640 Run an init inside the container that forwards signals and reaps pro‐
641 cesses.
642
643
644 --init-path=path
645 Path to the container-init binary.
646
647
648 --interactive, -i=true|false
649 When set to true, keep stdin open even if not attached. The default is
650 false.
651
652
653 --ip6=ip
654 Not implemented.
655
656
657 --ip=ip
658 Specify a static IP address for the container, for example
659 10.88.64.128. This option can only be used if the container is joined
660 to only a single network - i.e., --network=_network-name_ is used at
661 most once and if the container is not joining another container's net‐
662 work namespace via --network=container:_id_. The address must be
663 within the CNI network's IP address pool (default 10.88.0.0/16).
664
665
666 --ipc=mode
667 Set the IPC namespace mode for a container. The default is to create a
668 private IPC namespace.
669
670
671 • container:id: reuses another container shared memory, sema‐
672 phores and message queues
673
674 • host: use the host shared memory,semaphores and message queues
675 inside the container. Note: the host mode gives the container
676 full access to local shared memory and is therefore considered
677 insecure.
678
679 • ns:path: path to an IPC namespace to join.
680
681
682
683 --kernel-memory=number[unit]
684 Kernel memory limit. A unit can be b (bytes), k (kilobytes), m
685 (megabytes), or g (gigabytes).
686
687
688 Constrains the kernel memory available to a container. If a limit of 0
689 is specified (not using --kernel-memory), the container's kernel memory
690 is not limited. If you specify a limit, it may be rounded up to a mul‐
691 tiple of the operating system's page size and the value can be very
692 large, millions of trillions.
693
694
695 --label, -l=key=value
696 Add metadata to a container.
697
698
699 --label-file=file
700 Read in a line-delimited file of labels.
701
702
703 --link-local-ip=ip
704 Not implemented.
705
706
707 --log-driver="driver"
708 Logging driver for the container. Currently available options are
709 k8s-file, journald, and none, with json-file aliased to k8s-file for
710 scripting compatibility.
711
712
713 --log-opt=name=value
714 Logging driver specific options.
715
716
717 Set custom logging configuration. The following *name*s are supported:
718
719
720 path: specify a path to the log file
721 (e.g. --log-opt path=/var/log/container/mycontainer.json);
722
723
724 max-size: specify a max size of the log file
725 (e.g. --log-opt max-size=10mb);
726
727
728 tag: specify a custom log tag for the container
729 (e.g. --log-opt tag="{{.ImageName}}".
730
731
732 This option is currently supported only by the journald log driver.
733
734
735 --mac-address=address
736 Container MAC address (e.g. 92:d0:c6:0a:29:33).
737
738
739 Remember that the MAC address in an Ethernet network must be unique.
740 The IPv6 link-local address will be based on the device's MAC address
741 according to RFC4862.
742
743
744 --memory, -m=number[unit]
745 Memory limit. A unit can be b (bytes), k (kilobytes), m (megabytes), or
746 g (gigabytes).
747
748
749 Allows you to constrain the memory available to a container. If the
750 host supports swap memory, then the -m memory setting can be larger
751 than physical RAM. If a limit of 0 is specified (not using -m), the
752 container's memory is not limited. The actual limit may be rounded up
753 to a multiple of the operating system's page size (the value would be
754 very large, that's millions of trillions).
755
756
757 --memory-reservation=number[unit]
758 Memory soft limit. A unit can be b (bytes), k (kilobytes), m
759 (megabytes), or g (gigabytes).
760
761
762 After setting memory reservation, when the system detects memory con‐
763 tention or low memory, containers are forced to restrict their consump‐
764 tion to their reservation. So you should always set the value below
765 --memory, otherwise the hard limit will take precedence. By default,
766 memory reservation will be the same as memory limit.
767
768
769 --memory-swap=number[unit]
770 A limit value equal to memory plus swap. A unit can be b (bytes), k
771 (kilobytes), m (megabytes), or g (gigabytes).
772
773
774 Must be used with the -m (--memory) flag. The argument value should
775 always be larger than that of
776 -m (--memory) By default, it is set to double the value of --memory.
777
778
779 Set number to -1 to enable unlimited swap.
780
781
782 --memory-swappiness=number
783 Tune a container's memory swappiness behavior. Accepts an integer be‐
784 tween 0 and 100.
785
786
787 --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
788 Attach a filesystem mount to the container
789
790
791 Current supported mount TYPEs are bind, volume, image, tmpfs and de‐
792 vpts. [1] ⟨#Footnote1⟩
793
794
795 e.g.
796
797 type=bind,source=/path/on/host,destination=/path/in/container
798
799 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
800
801 type=volume,source=vol1,destination=/path/in/container,ro=true
802
803 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
804
805 type=image,source=fedora,destination=/fedora-image,rw=true
806
807 type=devpts,destination=/dev/pts
808
809 Common Options:
810
811 · src, source: mount source spec for bind and volume. Mandatory for bind.
812
813 · dst, destination, target: mount destination spec.
814
815 Options specific to volume:
816
817 · ro, readonly: true or false (default).
818
819 Options specific to image:
820
821 · rw, readwrite: true or false (default).
822
823 Options specific to bind:
824
825 · ro, readonly: true or false (default).
826
827 · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2).
828
829 . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive.
830
831 . relabel: shared, private.
832
833 Options specific to tmpfs:
834
835 · ro, readonly: true or false (default).
836
837 · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
838
839 · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
840
841 · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
842
843 · notmpcopyup: Disable copying files from the image to the tmpfs.
844
845
846
847 --name=name
848 Assign a name to the container.
849
850
851 The operator can identify a container in three ways:
852
853
854 • UUID long identifier
855 (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
856
857 • UUID short identifier (“f78375b1c487”);
858
859 • Name (“jonah”).
860
861
862
863 Podman generates a UUID for each container, and if a name is not as‐
864 signed to the container with --name then it will generate a random
865 string name. The name is useful any place you need to identify a con‐
866 tainer. This works for both background and foreground containers.
867
868
869 --network=mode, --net
870 Set the network mode for the container. Invalid if using --dns,
871 --dns-opt, or --dns-search with --network that is set to none or con‐
872 tainer:id. If used together with --pod, the container will not join the
873 pods network namespace.
874
875
876 Valid mode values are:
877
878
879 • bridge: create a network stack on the default bridge;
880
881 • none: no networking;
882
883 • container:id: reuse another container's network stack;
884
885 • host: use the Podman host network stack. Note: the host mode
886 gives the container full access to local system services such
887 as D-bus and is therefore considered insecure;
888
889 • network-id: connect to a user-defined network, multiple net‐
890 works should be comma-separated;
891
892 • ns:path: path to a network namespace to join;
893
894 • private: create a new namespace for the container (default)
895
896 • slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user
897 network stack. This is the default for rootless containers. It
898 is possible to specify these additional options:
899
900 • allow_host_loopback=true|false: Allow the slirp4netns to
901 reach the host loopback IP (10.0.2.2). Default is false.
902
903 • mtu=MTU: Specify the MTU to use for this network. (Default
904 is 65520).
905
906 • cidr=CIDR: Specify ip range to use for this network. (De‐
907 fault is 10.0.2.0/24).
908
909 • enable_ipv6=true|false: Enable IPv6. Default is false. (Re‐
910 quired for outbound_addr6).
911
912 • outbound_addr=INTERFACE: Specify the outbound interface
913 slirp should bind to (ipv4 traffic only).
914
915 • outbound_addr=IPv4: Specify the outbound ipv4 address slirp
916 should bind to.
917
918 • outbound_addr6=INTERFACE: Specify the outbound interface
919 slirp should bind to (ipv6 traffic only).
920
921 • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
922 should bind to.
923
924 • port_handler=rootlesskit: Use rootlesskit for port forward‐
925 ing. Default.
926
927 • port_handler=slirp4netns: Use the slirp4netns port forward‐
928 ing.
929
930
931
932
933
934 --network-alias=alias
935 Add network-scoped alias for the container
936
937
938 --no-healthcheck=true|false
939 Disable any defined healthchecks for container.
940
941
942 --no-hosts=true|false
943 Do not create /etc/hosts for the container.
944
945
946 By default, Podman will manage /etc/hosts, adding the container's own
947 IP address and any hosts from --add-host.
948
949
950 --no-hosts disables this, and the image's /etc/hosts will be preserved un‐
951 modified.
952 This option conflicts with --add-host.
953
954
955 --oom-kill-disable=true|false
956 Whether to disable OOM Killer for the container or not.
957
958
959 --oom-score-adj=num
960 Tune the host's OOM preferences for containers (accepts values from
961 -1000 to 1000).
962
963
964 --os=OS
965 Override the OS, defaults to hosts, of the image to be pulled. For ex‐
966 ample, windows.
967
968
969 --pid=mode
970 Set the PID namespace mode for the container. The default is to create
971 a private PID namespace for the container.
972
973
974 • container:id: join another container's PID namespace;
975
976 • host: use the host's PID namespace for the container. Note the
977 host mode gives the container full access to local PID and is
978 therefore considered insecure;
979
980 • private: create a new namespace for the container (default)
981
982 • ns:path: join the specified PID namespace.
983
984
985
986 --pids-limit=limit
987 Tune the container's pids limit. Set to 0 to have unlimited pids for
988 the container. The default is 4096 on systems that support "pids"
989 cgroup controller.
990
991
992 --platform=OS/ARCH
993 Specify the platform for selecting the image. (Conflicts with --arch
994 and --os) The --platform option can be used to override the current ar‐
995 chitecture and operating system.
996
997
998 --pod=name
999 Run container in an existing pod. If you want Podman to make the pod
1000 for you, prefix the pod name with new:. To make a pod with more granu‐
1001 lar options, use the podman pod create command before creating a con‐
1002 tainer. If a container is run with a pod, and the pod has an in‐
1003 fra-container, the infra-container will be started before the container
1004 is.
1005
1006
1007 --pod-id-file=path
1008 Run container in an existing pod and read the pod's ID from the speci‐
1009 fied file. If a container is run within a pod, and the pod has an in‐
1010 fra-container, the infra-container will be started before the container
1011 is.
1012
1013
1014 --preserve-fds=N
1015 Pass down to the process N additional file descriptors (in addition to
1016 0, 1, 2). The total FDs will be 3+N. (This option is not available
1017 with the remote Podman client)
1018
1019
1020 --privileged=true|false
1021 Give extended privileges to this container. The default is false.
1022
1023
1024 By default, Podman containers are unprivileged (=false) and cannot, for
1025 example, modify parts of the operating system. This is because by de‐
1026 fault a container is only allowed limited access to devices. A "privi‐
1027 leged" container is given the same access to devices as the user
1028 launching the container.
1029
1030
1031 A privileged container turns off the security features that isolate the
1032 container from the host. Dropped Capabilities, limited devices,
1033 read-only mount points, Apparmor/SELinux separation, and Seccomp fil‐
1034 ters are all disabled.
1035
1036
1037 Rootless containers cannot have more privileges than the account that
1038 launched them.
1039
1040
1041 --publish, -p=ip:hostPort:containerPort | ip::containerPort | hostPort:con‐
1042 tainerPort | containerPort
1043 Publish a container's port, or range of ports, to the host.
1044
1045
1046 Both hostPort and containerPort can be specified as a range of ports.
1047
1048
1049 When specifying ranges for both, the number of container ports in the
1050 range must match the number of host ports in the range.
1051
1052
1053 If host IP is set to 0.0.0.0 or not set at all, the port will be bound
1054 on all IPs on the host.
1055
1056
1057 Host port does not have to be specified (e.g. podman run -p
1058 127.0.0.1::80). If it is not, the container port will be randomly as‐
1059 signed a port on the host.
1060
1061
1062 Use podman port to see the actual mapping: podman port $CONTAINER $CON‐
1063 TAINERPORT.
1064
1065
1066 Note: if a container will be run within a pod, it is not necessary to
1067 publish the port for the containers in the pod. The port must only be
1068 published by the pod itself. Pod network stacks act like the network
1069 stack on the host - you have a variety of containers in the pod, and
1070 programs in the container, all sharing a single interface and IP ad‐
1071 dress, and associated ports. If one container binds to a port, no other
1072 container can use that port within the pod while it is in use. Contain‐
1073 ers in the pod can also communicate over localhost by having one con‐
1074 tainer bind to localhost in the pod, and another connect to that port.
1075
1076
1077 --publish-all, -P=true|false
1078 Publish all exposed ports to random ports on the host interfaces. The
1079 default is false.
1080
1081
1082 When set to true, publish all exposed ports to the host interfaces. The
1083 default is false. If the operator uses -P (or -p) then Podman will make
1084 the exposed port accessible on the host and the ports will be available
1085 to any client that can reach the host.
1086
1087
1088 When using this option, Podman will bind any exposed port to a random
1089 port on the host within an ephemeral port range defined by
1090 /proc/sys/net/ipv4/ip_local_port_range. To find the mapping between
1091 the host ports and the exposed ports, use podman port.
1092
1093
1094 --pull=always|missing|never
1095 Pull image before running. The default is missing.
1096
1097
1098 • missing: attempt to pull the latest image from the registries
1099 listed in registries.conf if a local image does not ex‐
1100 ist.Raise an error if the image is not in any listed registry
1101 and is not present locally.
1102
1103 • always: Pull the image from the first registry it is found in
1104 as listed in registries.conf. Raise an error if not found in
1105 the registries, even if the image is present locally.
1106
1107 • never: do not pull the image from the registry, use only the
1108 local version. Raise an error if the image is not present lo‐
1109 cally.
1110
1111
1112
1113 --quiet, -q
1114 Suppress output information when pulling images
1115
1116
1117 --read-only=true|false
1118 Mount the container's root filesystem as read only.
1119
1120
1121 By default a container will have its root filesystem writable allowing
1122 processes to write files anywhere. By specifying the --read-only flag,
1123 the container will have its root filesystem mounted as read only pro‐
1124 hibiting any writes.
1125
1126
1127 --read-only-tmpfs=true|false
1128 If container is running in --read-only mode, then mount a read-write
1129 tmpfs on /run, /tmp, and /var/tmp. The default is true.
1130
1131
1132 --replace=true|false
1133 If another container with the same name already exists, replace and re‐
1134 move it. The default is false.
1135
1136
1137 --requires=container
1138 Specify one or more requirements. A requirement is a dependency con‐
1139 tainer that will be started before this container. Containers can be
1140 specified by name or ID, with multiple containers being separated by
1141 commas.
1142
1143
1144 --restart=policy
1145 Restart policy to follow when containers exit. Restart policy will not
1146 take effect if a container is stopped via the podman kill or podman
1147 stop commands.
1148
1149
1150 Valid policy values are:
1151
1152
1153 • no : Do not restart containers on exit
1154
1155 • on-failure[:max_retries] : Restart containers when they exit
1156 with a non-zero exit code, retrying indefinitely or until the
1157 optional max_retries count is hit
1158
1159 • always : Restart containers when they exit,
1160 regardless of status, retrying indefinitely
1161
1162 • unless-stopped : Identical to always
1163
1164
1165
1166 Please note that restart will not restart containers after a system re‐
1167 boot. If this functionality is required in your environment, you can
1168 invoke Podman from a systemd.unit(5) file, or create an init script for
1169 whichever init system is in use. To generate systemd unit files,
1170 please see podman generate systemd.
1171
1172
1173 --rm=true|false
1174 Automatically remove the container when it exits. The default is false.
1175
1176
1177 --rmi=true|false
1178 After exit of the container, remove the image unless another container
1179 is using it. The default is false.
1180
1181
1182 --rootfs
1183 If specified, the first argument refers to an exploded container on the
1184 file system.
1185
1186
1187 This is useful to run a container without requiring any image manage‐
1188 ment, the rootfs of the container is assumed to be managed externally.
1189
1190
1191 Note: On SELinux systems, the rootfs needs the correct label, which is
1192 by default unconfined_u:object_r:container_file_t.
1193
1194
1195 --sdnotify=container|conmon|ignore
1196 Determines how to use the NOTIFY_SOCKET, as passed with systemd and
1197 Type=notify.
1198
1199
1200 Default is container, which means allow the OCI runtime to proxy the
1201 socket into the container to receive ready notification. Podman will
1202 set the MAINPID to conmon's pid. The conmon option sets MAINPID to
1203 conmon's pid, and sends READY when the container has started. The
1204 socket is never passed to the runtime or the container. The ignore op‐
1205 tion removes NOTIFY_SOCKET from the environment for itself and child
1206 processes, for the case where some other process above Podman uses NO‐
1207 TIFY_SOCKET and Podman should not use it.
1208
1209
1210 --seccomp-policy=policy
1211 Specify the policy to select the seccomp profile. If set to image, Pod‐
1212 man will look for a "io.containers.seccomp.profile" label in the con‐
1213 tainer-image config and use its value as a seccomp profile. Otherwise,
1214 Podman will follow the default policy by applying the default profile
1215 unless specified otherwise via --security-opt seccomp as described be‐
1216 low.
1217
1218
1219 Note that this feature is experimental and may change in the future.
1220
1221
1222 --secret=secret[,opt=opt ...]
1223 Give the container access to a secret. Can be specified multiple times.
1224
1225
1226 A secret is a blob of sensitive data which a container needs at runtime
1227 but should not be stored in the image or in source control, such as
1228 usernames and passwords, TLS certificates and keys, SSH keys or other
1229 important generic strings or binary content (up to 500 kb in size).
1230
1231
1232 When secrets are specified as type mount, the secrets are copied and
1233 mounted into the container when a container is created. When secrets
1234 are specified as type env, the secret will be set as an environment
1235 variable within the container. Secrets are written in the container at
1236 the time of container creation, and modifying the secret using podman
1237 secret commands after the container is created will not affect the se‐
1238 cret inside the container.
1239
1240
1241 Secrets and its storage are managed using the podman secret command.
1242
1243
1244 Secret Options
1245
1246
1247 • type=mount|env : How the secret will be exposed to the con‐
1248 tainer. Default mount.
1249
1250 • target=target : Target of secret. Defauts to secret name.
1251
1252
1253
1254 --security-opt=option
1255 Security Options
1256
1257
1258 • apparmor=unconfined : Turn off apparmor confinement for the
1259 container
1260
1261 • apparmor=your-profile : Set the apparmor confinement profile
1262 for the container
1263
1264 • label=user:USER: Set the label user for the container pro‐
1265 cesses
1266
1267 • label=role:ROLE: Set the label role for the container pro‐
1268 cesses
1269
1270 • label=type:TYPE: Set the label process type for the container
1271 processes
1272
1273 • label=level:LEVEL: Set the label level for the container pro‐
1274 cesses
1275
1276 • label=filetype:TYPE_: Set the label file type for the con‐
1277 tainer files
1278
1279 • label=disable: Turn off label separation for the container
1280
1281
1282
1283 Note: Labeling can be disabled for all containers by setting la‐
1284 bel=false in the containers.conf (/etc/containers/containers.conf or
1285 $HOME/.config/containers/containers.conf) file.
1286
1287
1288 • mask=/path/1:/path/2: The paths to mask separated by a colon.
1289 A masked path cannot be accessed inside the container.
1290
1291 • no-new-privileges: Disable container processes from gaining
1292 additional privileges
1293
1294 • seccomp=unconfined: Turn off seccomp confinement for the con‐
1295 tainer
1296
1297 • seccomp=profile.json: Allowed syscall list seccomp JSON file
1298 to be used as a seccomp filter
1299
1300 • proc-opts=OPTIONS : Comma-separated list of options to use for
1301 the /proc mount. More details for the possible mount options
1302 are specified in the proc(5) man page.
1303
1304 • unmask=ALL or /path/1:/path/2, or shell expanded paths
1305 (/proc/*): Paths to unmask separated by a colon. If set to
1306 ALL, it will unmask all the paths that are masked or made read
1307 only by default. The default masked paths are /proc/acpi,
1308 /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_de‐
1309 bug, /proc/scsi, /proc/timer_list, /proc/timer_stats,
1310 /sys/firmware, and /sys/fs/selinux.. The default paths that
1311 are read only are /proc/asound, /proc/bus, /proc/fs,
1312 /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.
1313
1314
1315
1316 Note: Labeling can be disabled for all containers by setting la‐
1317 bel=false in the containers.conf(5) file.
1318
1319
1320 --shm-size=number[unit]
1321 Size of /dev/shm. A unit can be b (bytes), k (kilobytes), m
1322 (megabytes), or g (gigabytes). If you omit the unit, the system uses
1323 bytes. If you omit the size entirely, the default is 64m. When size is
1324 0, there is no limit on the amount of memory used for IPC by the con‐
1325 tainer.
1326
1327
1328 --sig-proxy=true|false
1329 Sets whether the signals sent to the podman run command are proxied to
1330 the container process. SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
1331 The default is true.
1332
1333
1334 --stop-signal=signal
1335 Signal to stop a container. Default is SIGTERM.
1336
1337
1338 --stop-timeout=seconds
1339 Timeout to stop a container. Default is 10. Remote connections use lo‐
1340 cal containers.conf for defaults
1341
1342
1343 --subgidname=name
1344 Run the container in a new user namespace using the map with name in
1345 the /etc/subgid file. If calling podman run as an unprivileged user,
1346 the user needs to have the right to use the mapping. See subgid(5).
1347 This flag conflicts with --userns and --gidmap.
1348
1349
1350 --subuidname=name
1351 Run the container in a new user namespace using the map with name in
1352 the /etc/subuid file. If calling podman run as an unprivileged user,
1353 the user needs to have the right to use the mapping. See subuid(5).
1354 This flag conflicts with --userns and --uidmap.
1355
1356
1357 --sysctl=name=value
1358 Configure namespaced kernel parameters at runtime.
1359
1360
1361 For the IPC namespace, the following sysctls are allowed:
1362
1363
1364 • kernel.msgmax
1365
1366 • kernel.msgmnb
1367
1368 • kernel.msgmni
1369
1370 • kernel.sem
1371
1372 • kernel.shmall
1373
1374 • kernel.shmmax
1375
1376 • kernel.shmmni
1377
1378 • kernel.shm_rmid_forced
1379
1380 • Sysctls beginning with fs.mqueue.*
1381
1382
1383
1384 Note: if you use the --ipc=host option, the above sysctls will not be
1385 allowed.
1386
1387
1388 For the network namespace, the following sysctls are allowed:
1389
1390
1391 • Sysctls beginning with net.*
1392
1393
1394
1395 Note: if you use the --network=host option, these sysctls will not be
1396 allowed.
1397
1398
1399 --systemd=true|false|always
1400 Run container in systemd mode. The default is true.
1401
1402
1403 The value always enforces the systemd mode is enforced without looking
1404 at the executable name. Otherwise, if set to true and the command you
1405 are running inside the container is systemd, /usr/sbin/init, /sbin/init
1406 or /usr/local/sbin/init.
1407
1408
1409 If the command you are running inside of the container is systemd Pod‐
1410 man will setup tmpfs mount points in the following directories:
1411
1412
1413 • /run
1414
1415 • /run/lock
1416
1417 • /tmp
1418
1419 • /sys/fs/cgroup/systemd
1420
1421 • /var/lib/journal
1422
1423
1424
1425 It will also set the default stop signal to SIGRTMIN+3.
1426
1427
1428 This allows systemd to run in a confined container without any modifi‐
1429 cations.
1430
1431
1432 Note that on SELinux systems, systemd attempts to write to the cgroup
1433 file system. Containers writing to the cgroup file system are denied by
1434 default. The container_manage_cgroup boolean must be enabled for this
1435 to be allowed on an SELinux separated system.
1436
1437
1438 setsebool -P container_manage_cgroup true
1439
1440
1441
1442 --timeout=seconds
1443 Maximum time a container is allowed to run before conmon sends it the
1444 kill signal. By default containers will run until they exit or are
1445 stopped by podman stop.
1446
1447
1448 --tmpfs=fs
1449 Create a tmpfs mount.
1450
1451
1452 Mount a temporary filesystem (tmpfs) mount into a container, for exam‐
1453 ple:
1454
1455
1456 $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
1457
1458
1459
1460 This command mounts a tmpfs at /tmp within the container. The supported
1461 mount options are the same as the Linux default mount flags. If you do
1462 not specify any options, the systems uses the following options:
1463 rw,noexec,nosuid,nodev.
1464
1465
1466 --tty, -t=true|false
1467 Allocate a pseudo-TTY. The default is false.
1468
1469
1470 When set to true, Podman will allocate a pseudo-tty and attach to the
1471 standard input of the container. This can be used, for example, to run
1472 a throwaway interactive shell. The default is false.
1473
1474
1475 NOTE: The --tty flag prevents redirection of standard output. It com‐
1476 bines STDOUT and STDERR, it can insert control characters, and it can
1477 hang pipes. This option should only be used when run interactively in a
1478 terminal. When feeding input to Podman, use -i only, not -it.
1479
1480
1481 echo "asdf" | podman run --rm -i someimage /bin/cat
1482
1483
1484
1485 --tz=timezone
1486 Set timezone in container. This flag takes area-based timezones, GMT
1487 time, as well as local, which sets the timezone in the container to
1488 match the host machine. See /usr/share/zoneinfo/ for valid timezones.
1489 Remote connections use local containers.conf for defaults
1490
1491
1492 --umask=umask
1493 Set the umask inside the container. Defaults to 0022. Remote connec‐
1494 tions use local containers.conf for defaults
1495
1496
1497 --uidmap=container_uid:from_uid:amount
1498 Run the container in a new user namespace using the supplied mapping.
1499 This option conflicts with the --userns and --subuidname options. This
1500 option provides a way to map host UIDs to container UIDs. It can be
1501 passed several times to map different ranges.
1502
1503
1504 The _fromuid value is based upon the user running the command, either
1505 rootfull or rootless users. * rootfull user: con‐
1506 tainer_uid:host_uid:amount * rootless user: container_uid:intermedi‐
1507 ate_uid:amount
1508
1509
1510 When podman run is called by a privileged user, the option --uidmap
1511 works as a direct mapping between host UIDs and container UIDs.
1512
1513
1514 host UID -> container UID
1515
1516
1517 The amount specifies the number of consecutive UIDs that will be
1518 mapped. If for example amount is 4 the mapping would look like:
1519
1520
1521 | host UID | container UID | | - | -
1522 | | _fromuid | _containeruid | | _fromuid + 1 | _containeruid +
1523 1 | | _fromuid + 2 | _containeruid + 2 | | _fromuid + 3 | _containeruid
1524 + 3 |
1525
1526
1527 When podman run is called by an unprivileged user (i.e. running root‐
1528 less), the value _fromuid is interpreted as an "intermediate UID". In
1529 the rootless case, host UIDs are not mapped directly to container UIDs.
1530 Instead the mapping happens over two mapping steps:
1531
1532
1533 host UID -> intermediate UID -> container UID
1534
1535
1536 The --uidmap option only influences the second mapping step.
1537
1538
1539 The first mapping step is derived by Podman from the contents of the
1540 file /etc/subuid and the UID of the user calling Podman.
1541
1542
1543 First mapping step:
1544
1545
1546 | host UID | intermediate UID |
1547 | - | - |
1548 | UID for the user starting Podman | 0 |
1549 | 1st subordinate UID for the user starting Podman | 1 |
1550 | 2nd subordinate UID for the user starting Podman | 2 |
1551 | 3rd subordinate UID for the user starting Podman | 3 |
1552 | nth subordinate UID for the user starting Podman | n |
1553
1554
1555 To be able to use intermediate UIDs greater than zero, the user needs
1556 to have subordinate UIDs configured in /etc/subuid. See subuid(5).
1557
1558
1559 The second mapping step is configured with --uidmap.
1560
1561
1562 If for example amount is 5 the second mapping step would look like:
1563
1564
1565 | intermediate UID | container UID | | - |
1566 - | | _fromuid | _containeruid | |
1567 _fromuid + 1 | _containeruid + 1 | | _fromuid + 2 | _con‐
1568 taineruid + 2 | | _fromuid + 3 | _containeruid + 3 | | _fromuid +
1569 4 | _containeruid + 4 |
1570
1571
1572 Even if a user does not have any subordinate UIDs in /etc/subuid,
1573 --uidmap could still be used to map the normal UID of the user to a
1574 container UID by running podman run --uidmap $container_uid:0:1 --user
1575 $container_uid ....
1576
1577
1578 --ulimit=option
1579 Ulimit options. You can use host to copy the current configuration from
1580 the host.
1581
1582
1583 --user, -u=[user | user:group | uid | uid:gid | user:gid | uid:group ]
1584 Sets the username or UID used and optionally the groupname or GID for
1585 the specified command.
1586
1587
1588 Without this argument, the command will run as the user specified in
1589 the container image. Unless overridden by a USER command in the Con‐
1590 tainerfile or by a value passed to this option, this user generally de‐
1591 faults to root.
1592
1593
1594 When a user namespace is not in use, the UID and GID used within the
1595 container and on the host will match. When user namespaces are in use,
1596 however, the UID and GID in the container may correspond to another UID
1597 and GID on the host. In rootless containers, for example, a user name‐
1598 space is always used, and root in the container will by default corre‐
1599 spond to the UID and GID of the user invoking Podman.
1600
1601
1602 --userns=mode
1603 Set the user namespace mode for the container. It defaults to the POD‐
1604 MAN_USERNS environment variable. An empty value ("") means user name‐
1605 spaces are disabled unless an explicit mapping is set with the --uidmap
1606 and --gidmap options.
1607
1608
1609 Valid mode values are:
1610
1611
1612 • auto[:OPTIONS,...]: automatically create a namespace. It is
1613 possible to specify these options to auto:
1614
1615 • gidmapping=_HOST_GID:CONTAINERGID:SIZE: to force a GID map‐
1616 ping to be present in the user namespace.
1617
1618 • size=SIZE: to specify an explicit size for the automatic
1619 user namespace. e.g. --userns=auto:size=8192. If size is not
1620 specified, auto will estimate a size for the user namespace.
1621
1622 • uidmapping=_HOST_UID:CONTAINERUID:SIZE: to force a UID map‐
1623 ping to be present in the user namespace.
1624
1625
1626
1627 • container:id: join the user namespace of the specified con‐
1628 tainer.
1629
1630 • host: run in the user namespace of the caller. The processes
1631 running in the container will have the same privileges on the
1632 host as any other process launched by the calling user (de‐
1633 fault).
1634
1635 • keep-id: creates a user namespace where the current rootless
1636 user's UID:GID are mapped to the same values in the container.
1637 This option is ignored for containers created by the root
1638 user.
1639
1640 • ns:namespace: run the container in the given existing user
1641 namespace.
1642
1643 • private: create a new namespace for the container.
1644
1645
1646
1647 This option is incompatible with --gidmap, --uidmap, --subuidname and
1648 --subgidname.
1649
1650
1651 --uts=mode
1652 Set the UTS namespace mode for the container. The following values are
1653 supported:
1654
1655
1656 • host: use the host's UTS namespace inside the container.
1657
1658 • private: create a new namespace for the container (default).
1659
1660 • ns:[path]: run the container in the given existing UTS name‐
1661 space.
1662
1663 • container:[container]: join the UTS namespace of the specified
1664 container.
1665
1666
1667
1668 --variant=VARIANT
1669 Use VARIANT instead of the default architecture variant of the con‐
1670 tainer image. Some images can use multiple variants of the arm archi‐
1671 tectures, such as arm/v5 and arm/v7.
1672
1673
1674 --volume, -v[=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]
1675 Create a bind mount. If you specify /HOST-DIR:/CONTAINER-DIR, Podman
1676 bind mounts host-dir in the host to CONTAINER-DIR in the Podman con‐
1677 tainer. Similarly, SOURCE-VOLUME:/CONTAINER-DIR will mount the volume
1678 in the host to the container. If no such named volume exists, Podman
1679 will create one. (Note when using the remote client, the volumes will
1680 be mounted from the remote server, not necessarily the client machine.)
1681
1682
1683 The options is a comma-separated list and can be: [1] ⟨#Footnote1⟩
1684
1685
1686 • rw|ro
1687
1688 • z|Z
1689
1690 • [r]shared|[r]slave|[r]private[r]unbindable
1691
1692 • [r]bind
1693
1694 • [no]exec
1695
1696 • [no]dev
1697
1698 • [no]suid
1699
1700 • [O]
1701
1702 • [U]
1703
1704
1705
1706 The CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
1707 ume will be mounted into the container at this directory.
1708
1709
1710 Volumes may specify a source as well, as either a directory on the host
1711 or the name of a named volume. If no source is given, the volume will
1712 be created as an anonymously named volume with a randomly generated
1713 name, and will be removed when the container is removed via the --rm
1714 flag or podman rm --volumes.
1715
1716
1717 If a volume source is specified, it must be a path on the host or the
1718 name of a named volume. Host paths are allowed to be absolute or rela‐
1719 tive; relative paths are resolved relative to the directory Podman is
1720 run in. If the source does not exist, Podman will return an error.
1721 Users must pre-create the source files or directories.
1722
1723
1724 Any source that does not begin with a . or / will be treated as the
1725 name of a named volume. If a volume with that name does not exist, it
1726 will be created. Volumes created with names are not anonymous, and
1727 they are not removed by the --rm option and the podman rm --volumes
1728 command.
1729
1730
1731 You can specify multiple -v options to mount one or more volumes into a
1732 container.
1733
1734
1735 Write Protected Volume Mounts
1736
1737
1738 You can add :ro or :rw option to mount a volume in read-only or
1739 read-write mode, respectively. By default, the volumes are mounted
1740 read-write.
1741
1742
1743 Chowning Volume Mounts
1744
1745
1746 By default, Podman does not change the owner and group of source volume
1747 directories mounted into containers. If a container is created in a new
1748 user namespace, the UID and GID in the container may correspond to an‐
1749 other UID and GID on the host.
1750
1751
1752 The :U suffix tells Podman to use the correct host UID and GID based on
1753 the UID and GID within the container, to change recursively the owner
1754 and group of the source volume.
1755
1756
1757 Warning use with caution since this will modify the host filesystem.
1758
1759
1760 Labeling Volume Mounts
1761
1762
1763 Labeling systems like SELinux require that proper labels are placed on
1764 volume content mounted into a container. Without a label, the security
1765 system might prevent the processes running inside the container from
1766 using the content. By default, Podman does not change the labels set by
1767 the OS.
1768
1769
1770 To change a label in the container context, you can add either of two
1771 suffixes :z or :Z to the volume mount. These suffixes tell Podman to
1772 relabel file objects on the shared volumes. The z option tells Podman
1773 that two containers share the volume content. As a result, Podman la‐
1774 bels the content with a shared content label. Shared volume labels al‐
1775 low all containers to read/write content. The Z option tells Podman to
1776 label the content with a private unshared label.
1777
1778
1779 Overlay Volume Mounts
1780
1781
1782 The :O flag tells Podman to mount the directory from the host as a tem‐
1783 porary storage using the overlay file system. The container processes
1784 can modify content within the mountpoint which is stored in the con‐
1785 tainer storage in a separate directory. In overlay terms, the source
1786 directory will be the lower, and the container storage directory will
1787 be the upper. Modifications to the mount point are destroyed when the
1788 container finishes executing, similar to a tmpfs mount point being un‐
1789 mounted.
1790
1791
1792 Subsequent executions of the container will see the original source di‐
1793 rectory content, any changes from previous container executions no
1794 longer exist.
1795
1796
1797 One use case of the overlay mount is sharing the package cache from the
1798 host into the container to allow speeding up builds.
1799
1800
1801 Note:
1802
1803
1804 - The `O` flag conflicts with other options listed above.
1805
1806
1807
1808 Content mounted into the container is labeled with the private label.
1809 On SELinux systems, labels in the source directory must be read‐
1810 able by the container label. Usually containers can read/execute con‐
1811 tainer_share_t and can read/write container_file_t. If you cannot
1812 change the labels on a source volume, SELinux container separation must
1813 be disabled for the container to work.
1814 - The source directory mounted into the container with an overlay
1815 mount should not be modified, it can cause unexpected failures. It is
1816 recommended that you do not modify the directory until the container
1817 finishes running.
1818
1819
1820 Only the current container can use a private volume.
1821
1822
1823 Mounts propagation
1824
1825
1826 By default bind mounted volumes are private. That means any mounts done
1827 inside container will not be visible on host and vice versa. One can
1828 change this behavior by specifying a volume mount propagation property.
1829 Making a volume shared mounts done under that volume inside container
1830 will be visible on host and vice versa. Making a volume slave enables
1831 only one way mount propagation and that is mounts done on host under
1832 that volume will be visible inside container but not the other way
1833 around. [1] ⟨#Footnote1⟩
1834
1835
1836 To control mount propagation property of volume one can use [r]shared,
1837 [r]slave, [r]private or [r]unbindable propagation flag. Propagation
1838 property can be specified only for bind mounted volumes and not for in‐
1839 ternal volumes or named volumes. For mount propagation to work source
1840 mount point (mount point where source dir is mounted on) has to have
1841 right propagation properties. For shared volumes, source mount point
1842 has to be shared. And for slave volumes, source mount has to be either
1843 shared or slave. [1] ⟨#Footnote1⟩
1844
1845
1846 If you want to recursively mount a volume and all of its submounts into
1847 a container, then you can use the rbind option. By default the bind op‐
1848 tion is used, and submounts of the source directory will not be mounted
1849 into the container.
1850
1851
1852 Mounting the volume with the nosuid options means that SUID applica‐
1853 tions on the volume will not be able to change their privilege. By de‐
1854 fault volumes are mounted with nosuid.
1855
1856
1857 Mounting the volume with the noexec option means that no executables on
1858 the volume will be able to executed within the container.
1859
1860
1861 Mounting the volume with the nodev option means that no devices on the
1862 volume will be able to be used by processes within the container. By
1863 default volumes are mounted with nodev.
1864
1865
1866 If the host-dir is a mount point, then dev, suid, and exec options are
1867 ignored by the kernel.
1868
1869
1870 Use df $hostdir to figure out the source mount, and then use findmnt -o
1871 TARGET,PROPAGATION source-mount-dir to figure out propagation proper‐
1872 ties of source mount. If findmnt[4m(1) utility is not available, then one
1873 can look at mount entry for source mount point in /proc/self/mountinfo.
1874 Look at the "optional fields" and see if any propagation properties are
1875 specified. In there, shared:N means the mount is shared, master:N
1876 means mount is slave, and if nothing is there, the mount is private.
1877 [1] ⟨#Footnote1⟩
1878
1879
1880 To change propagation properties of a mount point, use mount(8) com‐
1881 mand. For example, if one wants to bind mount source directory /foo,
1882 one can do mount --bind /foo /foo and mount --make-private
1883 --make-shared /foo. This will convert /foo into a shared mount point.
1884 Alternatively, one can directly change propagation properties of source
1885 mount. Say, if / is source mount for /foo, then use mount --make-shared
1886 / to convert / into a shared mount.
1887
1888
1889 Note: if the user only has access rights via a group, accessing the
1890 volume from inside a rootless container will fail. Use the --group-add
1891 keep-groups flag to pass the user's supplementary group access into the
1892 container.
1893
1894
1895 --volumes-from[=CONTAINER[:OPTIONS]]
1896 Mount volumes from the specified container(s). Used to share volumes
1897 between containers. The options is a comma-separated list with the fol‐
1898 lowing available elements:
1899
1900
1901 • rw|ro
1902
1903 • z
1904
1905
1906
1907 Mounts already mounted volumes from a source container onto another
1908 container. You must supply the source's container-id or container-name.
1909 To share a volume, use the --volumes-from option when running the tar‐
1910 get container. You can share volumes even if the source container is
1911 not running.
1912
1913
1914 By default, Podman mounts the volumes in the same mode (read-write or
1915 read-only) as it is mounted in the source container. You can change
1916 this by adding a ro or rw option.
1917
1918
1919 Labeling systems like SELinux require that proper labels are placed on
1920 volume content mounted into a container. Without a label, the security
1921 system might prevent the processes running inside the container from
1922 using the content. By default, Podman does not change the labels set by
1923 the OS.
1924
1925
1926 To change a label in the container context, you can add z to the volume
1927 mount. This suffix tells Podman to relabel file objects on the shared
1928 volumes. The z option tells Podman that two containers share the volume
1929 content. As a result, Podman labels the content with a shared content
1930 label. Shared volume labels allow all containers to read/write content.
1931
1932
1933 If the location of the volume from the source container overlaps with
1934 data residing on a target container, then the volume hides that data on
1935 the target.
1936
1937
1938 --workdir, -w=dir
1939 Working directory inside the container.
1940
1941
1942 The default working directory for running binaries within a container
1943 is the root directory (/). The image developer can set a different de‐
1944 fault with the WORKDIR instruction. The operator can override the work‐
1945 ing directory by using the -w option.
1946
1947
1948 --pidfile=path
1949 When the pidfile location is specified, the container process' PID will
1950 be written to the pidfile. (This option is not available with the re‐
1951 mote Podman client) If the pidfile option is not specified, the con‐
1952 tainer process' PID will be written to /run/containers/storage/${stor‐
1953 age-driver}-containers/$CID/userdata/pidfile.
1954
1955
1956 After the container is started, the location for the pidfile can be
1957 discovered with the following podman inspect command:
1958
1959
1960 $ podman inspect --format '{{ .PidFile }}' $CID
1961 /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile
1962
1963
1964
1966 The exit code from podman run gives information about why the container
1967 failed to run or why it exited. When podman run exits with a non-zero
1968 code, the exit codes follow the chroot(1) standard, see below:
1969
1970
1971 125 The error is with Podman itself
1972
1973
1974 $ podman run --foo busybox; echo $?
1975 Error: unknown flag: --foo
1976 125
1977
1978
1979
1980 126 The contained command cannot be invoked
1981
1982
1983 $ podman run busybox /etc; echo $?
1984 Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
1985 126
1986
1987
1988
1989 127 The contained command cannot be found
1990
1991
1992 $ podman run busybox foo; echo $?
1993 Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
1994 127
1995
1996
1997
1998 Exit code contained command exit code
1999
2000
2001 $ podman run busybox /bin/sh -c 'exit 3'; echo $?
2002 3
2003
2004
2005
2007 Running container in read-only mode
2008 During container image development, containers often need to write to
2009 the image content. Installing packages into /usr, for example. In pro‐
2010 duction, applications seldom need to write to the image. Container ap‐
2011 plications write to volumes if they need to write to file systems at
2012 all. Applications can be made more secure by running them in read-only
2013 mode using the --read-only switch. This protects the containers image
2014 from modification. Read only containers may still need to write tempo‐
2015 rary data. The best way to handle this is to mount tmpfs directories on
2016 /run and /tmp.
2017
2018
2019 $ podman run --read-only -i -t fedora /bin/bash
2020
2021 $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
2022
2023
2024
2025 Exposing log messages from the container to the host's log
2026 If you want messages that are logged in your container to show up in
2027 the host's syslog/journal then you should bind mount the /dev/log di‐
2028 rectory as follows.
2029
2030
2031 $ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
2032
2033
2034
2035 From inside the container you can test this by sending a message to the
2036 log.
2037
2038
2039 (bash)# logger "Hello from my container"
2040
2041
2042
2043 Then exit and check the journal.
2044
2045
2046 (bash)# exit
2047
2048 $ journalctl -b | grep Hello
2049
2050
2051
2052 This should list the message sent to logger.
2053
2054
2055 Attaching to one or more from STDIN, STDOUT, STDERR
2056 If you do not specify -a, Podman will attach everything (stdin, stdout,
2057 stderr). You can specify to which of the three standard streams
2058 (stdin, stdout, stderr) you'd like to connect instead, as in:
2059
2060
2061 $ podman run -a stdin -a stdout -i -t fedora /bin/bash
2062
2063
2064
2065 Sharing IPC between containers
2066 Using shm_server.c available here:
2067 https://www.cs.cf.ac.uk/Dave/C/node27.html
2068
2069
2070 Testing --ipc=host mode:
2071
2072
2073 Host shows a shared memory segment with 7 pids attached, happens to be
2074 from httpd:
2075
2076
2077 $ sudo ipcs -m
2078
2079 ------ Shared Memory Segments --------
2080 key shmid owner perms bytes nattch status
2081 0x01128e25 0 root 600 1000 7
2082
2083
2084
2085 Now run a regular container, and it correctly does NOT see the shared
2086 memory segment from the host:
2087
2088
2089 $ podman run -it shm ipcs -m
2090
2091 ------ Shared Memory Segments --------
2092 key shmid owner perms bytes nattch status
2093
2094
2095
2096 Run a container with the new --ipc=host option, and it now sees the
2097 shared memory segment from the host httpd:
2098
2099
2100 $ podman run -it --ipc=host shm ipcs -m
2101
2102 ------ Shared Memory Segments --------
2103 key shmid owner perms bytes nattch status
2104 0x01128e25 0 root 600 1000 7
2105
2106
2107
2108 Testing --ipc=container:id mode:
2109
2110
2111 Start a container with a program to create a shared memory segment:
2112
2113
2114 $ podman run -it shm bash
2115 $ sudo shm/shm_server
2116 $ sudo ipcs -m
2117
2118 ------ Shared Memory Segments --------
2119 key shmid owner perms bytes nattch status
2120 0x0000162e 0 root 666 27 1
2121
2122
2123
2124 Create a 2nd container correctly shows no shared memory segment from
2125 1st container:
2126
2127
2128 $ podman run shm ipcs -m
2129
2130 ------ Shared Memory Segments --------
2131 key shmid owner perms bytes nattch status
2132
2133
2134
2135 Create a 3rd container using the --ipc=container:id option, now it
2136 shows the shared memory segment from the first:
2137
2138
2139 $ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
2140 $ sudo ipcs -m
2141
2142 ------ Shared Memory Segments --------
2143 key shmid owner perms bytes nattch status
2144 0x0000162e 0 root 666 27 1
2145
2146
2147
2148 Mapping Ports for External Usage
2149 The exposed port of an application can be mapped to a host port using
2150 the -p flag. For example, an httpd port 80 can be mapped to the host
2151 port 8080 using the following:
2152
2153
2154 $ podman run -p 8080:80 -d -i -t fedora/httpd
2155
2156
2157
2158 Mounting External Volumes
2159 To mount a host directory as a container volume, specify the absolute
2160 path to the directory and the absolute path for the container directory
2161 separated by a colon. If the source is a named volume maintained by
2162 Podman, it is recommended to use its name rather than the path to the
2163 volume. Otherwise the volume will be considered as an orphan and wiped
2164 if you execute podman volume prune:
2165
2166
2167 $ podman run -v /var/db:/data1 -i -t fedora bash
2168
2169 $ podman run -v data:/data2 -i -t fedora bash
2170
2171 $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
2172
2173 $ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:z,U mariadb
2174
2175
2176
2177 Using --mount flags to mount a host directory as a container folder,
2178 specify the absolute path to the directory or the volume name, and the
2179 absolute path within the container directory:
2180
2181
2182 $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
2183
2184 $ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh
2185
2186
2187
2188 When using SELinux, be aware that the host has no knowledge of con‐
2189 tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
2190 icy is enforced, the /var/db directory is not writable to the con‐
2191 tainer. A "Permission Denied" message will occur and an avc: message in
2192 the host's syslog.
2193
2194
2195 To work around this, at time of writing this man page, the following
2196 command needs to be run in order for the proper SELinux policy type la‐
2197 bel to be attached to the host directory:
2198
2199
2200 $ chcon -Rt svirt_sandbox_file_t /var/db
2201
2202
2203
2204 Now, writing to the /data1 volume in the container will be allowed and
2205 the changes will also be reflected on the host in /var/db.
2206
2207
2208 Using alternative security labeling
2209 You can override the default labeling scheme for each container by
2210 specifying the --security-opt flag. For example, you can specify the
2211 MCS/MLS level, a requirement for MLS systems. Specifying the level in
2212 the following command allows you to share the same content between con‐
2213 tainers.
2214
2215
2216 podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash
2217
2218
2219
2220 An MLS example might be:
2221
2222
2223 $ podman run --security-opt label=level:TopSecret -i -t rhel7 bash
2224
2225
2226
2227 To disable the security labeling for this container versus running with
2228 the
2229
2230
2231 --permissive flag, use the following command:
2232 $ podman run --security-opt label=disable -i -t fedora bash
2233
2234
2235
2236 If you want a tighter security policy on the processes within a con‐
2237 tainer, you can specify an alternate type for the container. You could
2238 run a container that is only allowed to listen on Apache ports by exe‐
2239 cuting the following command:
2240
2241
2242 $ podman run --security-opt label=type:svirt_apache_t -i -t centos bash
2243
2244
2245
2246 Note you would have to write policy defining a svirt_apache_t type.
2247
2248
2249 To mask additional specific paths in the container, specify the paths
2250 separated by a colon using the mask option with the --security-opt
2251 flag.
2252
2253
2254 $ podman run --security-opt mask=/foo/bar:/second/path fedora bash
2255
2256
2257
2258 To unmask all the paths that are masked by default, set the unmask op‐
2259 tion to ALL. Or to only unmask specific paths, specify the paths as
2260 shown above with the mask option.
2261
2262
2263 $ podman run --security-opt unmask=ALL fedora bash
2264
2265
2266
2267 To unmask all the paths that start with /proc, set the unmask option to
2268 /proc/*.
2269
2270
2271 $ podman run --security-opt unmask=/proc/* fedora bash
2272
2273
2274
2275 $ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
2276
2277
2278
2279 Setting device weight
2280 If you want to set /dev/sda device weight to 200, you can specify the
2281 device weight by --blkio-weight-device flag. Use the following command:
2282
2283
2284 $ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu
2285
2286
2287
2288 Using a podman container with input from a pipe
2289 $ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
2290 asdf
2291
2292
2293
2294 Setting Namespaced Kernel Parameters (Sysctls)
2295 The --sysctl sets namespaced kernel parameters (sysctls) in the con‐
2296 tainer. For example, to turn on IP forwarding in the containers network
2297 namespace, run this command:
2298
2299
2300 $ podman run --sysctl net.ipv4.ip_forward=1 someimage
2301
2302
2303
2304 Note that not all sysctls are namespaced. Podman does not support
2305 changing sysctls inside of a container that also modify the host sys‐
2306 tem. As the kernel evolves we expect to see more sysctls become names‐
2307 paced.
2308
2309
2310 See the definition of the --sysctl option above for the current list of
2311 supported sysctls.
2312
2313
2314 Set UID/GID mapping in a new user namespace
2315 Running a container in a new user namespace requires a mapping of the
2316 uids and gids from the host.
2317
2318
2319 $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
2320
2321
2322
2323 Configuring Storage Options from the command line
2324 Podman allows for the configuration of storage by changing the values
2325 in the /etc/container/storage.conf or by using global options. This
2326 shows how to setup and use fuse-overlayfs for a one time run of busybox
2327 using global options.
2328
2329
2330 podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh
2331
2332
2333
2334 Configure timezone in a container
2335 $ podman run --tz=local alpine date
2336 $ podman run --tz=Asia/Shanghai alpine date
2337 $ podman run --tz=US/Eastern alpine date
2338
2339
2340
2341 Adding dependency containers
2342 The first container, container1, is not started initially, but must be
2343 running before container2 will start. The podman run command will
2344 start the container automatically before starting container2.
2345
2346
2347 $ podman create --name container1 -t -i fedora bash
2348 $ podman run --name container2 --requires container1 -t -i fedora bash
2349
2350
2351
2352 Multiple containers can be required.
2353
2354
2355 $ podman create --name container1 -t -i fedora bash
2356 $ podman create --name container2 -t -i fedora bash
2357 $ podman run --name container3 --requires container1,container2 -t -i fedora bash
2358
2359
2360
2361 Configure keep supplemental groups for access to volume
2362 $ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8
2363
2364
2365
2366 Rootless Containers
2367 Podman runs as a non root user on most systems. This feature requires
2368 that a new enough version of shadow-utils be installed. The
2369 shadow-utils package must include the newuidmap(1) and newgidmap(1) ex‐
2370 ecutables.
2371
2372
2373 Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is
2374 released.
2375
2376
2377 In order for users to run rootless, there must be an entry for their
2378 username in /etc/subuid and /etc/subgid which lists the UIDs for their
2379 user namespace.
2380
2381
2382 Rootless Podman works better if the fuse-overlayfs and slirp4netns
2383 packages are installed. The fuse-overlay package provides a userspace
2384 overlay storage driver, otherwise users need to use the vfs storage
2385 driver, which is diskspace expensive and does not perform well.
2386 slirp4netns is required for VPN, without it containers need to be run
2387 with the --network=host flag.
2388
2389
2391 Environment variables within containers can be set using multiple dif‐
2392 ferent options, in the following order of precedence (later entries
2393 override earlier entries):
2394
2395
2396 • Container image: Any environment variables specified in the
2397 container image.
2398
2399 • --http-proxy: By default, several environment variables will
2400 be passed in from the host, such as http_proxy and no_proxy.
2401 See --http-proxy for details.
2402
2403 • --env-host: Host environment of the process executing Podman
2404 is added.
2405
2406 • --env-file: Any environment variables specified via env-files.
2407 If multiple files specified, then they override each other in
2408 order of entry.
2409
2410 • --env: Any environment variables specified will override pre‐
2411 vious settings.
2412
2413
2414
2415 Run containers and set the environment ending with a * and a *****:
2416
2417
2418 $ export ENV1=a
2419 $ podman run --env ENV* alpine printenv ENV1
2420 a
2421
2422 $ podman run --env ENV*****=b alpine printenv ENV*****
2423 b
2424
2425
2426
2428 When Podman starts a container it actually executes the conmon program,
2429 which then executes the OCI Runtime. Conmon is the container monitor.
2430 It is a small program whose job is to watch the primary process of the
2431 container, and if the container dies, save the exit code. It also
2432 holds open the tty of the container, so that it can be attached to
2433 later. This is what allows Podman to run in detached mode (back‐
2434 grounded), so Podman can exit but conmon continues to run. Each con‐
2435 tainer has their own instance of conmon. Conmon waits for the container
2436 to exit, gathers and saves the exit code, and then launches a Podman
2437 process to complete the container cleanup, by shutting down the network
2438 and storage. For more information on conmon, please reference the
2439 conmon(8) man page.
2440
2441
2443 /etc/subuid
2444
2445
2446 /etc/subgid
2447
2448
2449 NOTE: Use the environment variable TMPDIR to change the temporary stor‐
2450 age location of downloaded container images. Podman defaults to use
2451 /var/tmp.
2452
2453
2455 podman(1), podman-save(1), podman-ps(1), podman-attach(1), pod‐
2456 man-pod-create(1), podman-port(1), podman-start(1), podman-kill(1),
2457 podman-stop(1), podman-generate-systemd(1) podman-rm(1), subgid(5),
2458 subuid(5), containers.conf(5), systemd.unit(5), setsebool(8),
2459 slirp4netns(1), fuse-overlayfs(1), proc(5), conmon(8).
2460
2461
2463 September 2018, updated by Kunal Kushwaha <kushwaha_ku‐
2464 nal_v7@lab.ntt.co.jp>
2465
2466
2467 October 2017, converted from Docker documentation to Podman by Dan
2468 Walsh for Podman <dwalsh@redhat.com>
2469
2470
2471 November 2015, updated by Sally O'Malley <somalley@redhat.com>
2472
2473
2474 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
2475
2476
2477 April 2014, Originally compiled by William Henry <whenry@redhat.com>
2478 based on docker.com source material and internal work.
2479
2480
2482 1: The Podman project is committed to inclusivity, a core value of open
2483 source. The master and slave mount propagation terminology used here is
2484 problematic and divisive, and should be changed. However, these terms
2485 are currently used within the Linux kernel and must be used as-is at
2486 this time. When the kernel maintainers rectify this usage, Podman will
2487 follow suit immediately.
2488
2489
2490
2491 podman-run(1)()