1containers-storage.conf(5)(Container)Filecontainers-storage.conf(5)(Container)
2
3
4
5Dan Walsh May 2017
6
7

NAME

9       storage.conf - Syntax of Container Storage configuration file
10
11

DESCRIPTION

13       The STORAGE configuration file specifies all of the available container
14       storage options for tools using shared container storage, but in a TOML
15       format that can be more easily modified and versioned.
16
17

FORMAT

19       The  [TOML  format][toml]  is used as the encoding of the configuration
20       file.  Every option and subtable listed here is nested under  a  global
21       "storage"  table.   No bare options are used. The format of TOML can be
22       simplified to:
23
24
25              [table]
26              option = value
27
28              [table.subtable1]
29              option = value
30
31              [table.subtable2]
32              option = value
33
34
35

STORAGE TABLE

37       The storage table supports the following options:
38
39
40       driver=""
41         container storage driver
42         Default Copy On Write (COW) container storage driver.  Valid  drivers
43       are  "overlay",  "vfs",  "devmapper",  "aufs", "btrfs", and "zfs". Some
44       drivers (for example, "zfs", "btrfs", and "aufs") may not work if  your
45       kernel lacks support for the filesystem.
46         This field is required to guarantee proper operation.
47         Valid rootless drivers are "btrfs", "overlay", and "vfs".
48         Rootless users default to the driver defined in the system configura‐
49       tion when possible.
50         When the system configuration uses an  unsupported  rootless  driver,
51       rootless users default to "overlay" if available, otherwise "vfs".
52
53
54       graphroot=""
55         container storage graph dir (default: "/var/lib/containers/storage")
56         Default  directory to store all writable content created by container
57       storage programs.
58         The rootless graphroot path supports environment  variable  substitu‐
59       tions (ie. $HOME/containers/storage)
60
61
62       rootless_storage_path="$HOME/.local/share/containers/storage"
63         Storage  path  for rootless users. By default the graphroot for root‐
64       less users
65         is set to $XDG_DATA_HOME/containers/storage, if XDG_DATA_HOME is set.
66         Otherwise $HOME/.local/share/containers/storage is used.  This  field
67       can
68         be used if administrators need to change the storage location for all
69       users.
70         The rootless storage path supports environment variable substitutions
71       (ie. $HOME/containers/storage)
72
73
74       A  common  use case for this field is to provide a local storage direc‐
75       tory when user home directories are NFS-mounted (podman does  not  sup‐
76       port container storage over NFS).
77
78
79       runroot=""
80         container storage run dir (default: "/run/containers/storage")
81         Default  directory to store all temporary writable content created by
82       container storage programs.
83         The rootless runroot path supports environment variable substitutions
84       (ie. $HOME/containers/storage)
85
86
87   STORAGE OPTIONS TABLE
88       The storage.options table supports the following options:
89
90
91       additionalimagestores=[]
92         Paths  to  additional  container  image  stores.  Usually  these  are
93       read/only and stored on remote network shares.
94
95
96       remap-uids="" remap-gids=""
97         Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they  should  appear
98       inside  of  a container, to the UIDs/GIDs outside of the container, and
99       the length of the range of UIDs/GIDs.  Additional mapped  sets  can  be
100       listed  and  will  be  heeded by libraries, but there are limits to the
101       number of mappings which the kernel will allow when you  later  attempt
102       to run a container.
103
104
105       Example
106            remap-uids = 0:1668442479:65536
107            remap-gids = 0:1668442479:65536
108
109
110       These  mappings  tell  the container engines to map UID 0 inside of the
111       container  to  UID  1668442479  outside.   UID  1  will  be  mapped  to
112       1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533
113       UIDs in succession.
114
115
116       remap-user="" remap-group=""
117         Remap-User/Group is a user name which can be used to look up  one  or
118       more  UID/GID  ranges in the /etc/subuid or /etc/subgid file.  Mappings
119       are set up starting with an in-container ID of 0 and then a  host-level
120       ID taken from the lowest range that matches the specified name, and us‐
121       ing the length of that range. Additional ranges are then assigned,  us‐
122       ing  the  ranges  which specify the lowest host-level IDs first, to the
123       lowest not-yet-mapped in-container ID, until all of  the  entries  have
124       been used for maps.
125
126
127       Example
128            remap-user = "containers"
129            remap-group = "containers"
130
131
132       root-auto-userns-user=""
133         Root-auto-userns-user is a user name which can be used to look up one
134       or more UID/GID ranges in the /etc/subuid and /etc/subgid file.   These
135       ranges will be partitioned to containers configured to create automati‐
136       cally a user namespace.  Containers configured to automatically  create
137       a  user  namespace can still overlap with containers having an explicit
138       mapping set.  This setting is ignored when running as rootless.
139
140
141       auto-userns-min-size=1024
142         Auto-userns-min-size is the minimum size for a user namespace created
143       automatically.
144
145
146       auto-userns-max-size=65536
147         Auto-userns-max-size is the maximum size for a user namespace created
148       automatically.
149
150
151       disable-volatile=true
152         If disable-volatile is set, then the "volatile" mount optimization is
153       disabled for all the containers.
154
155
156   STORAGE OPTIONS FOR AUFS TABLE
157       The storage.options.aufs table supports the following options:
158
159
160       mountopt=""
161         Comma separated list of default options to be used to mount container
162       images.  Suggested value "nodev". Mount options are documented  in  the
163       mount(8) man page.
164
165
166   STORAGE OPTIONS FOR BTRFS TABLE
167       The storage.options.btrfs table supports the following options:
168
169
170       min_space=""
171         Specifies the min space in a btrfs volume.
172
173
174       size=""
175         Maximum  size  of  a  container image.   This flag can be used to set
176       quota on the size of container images. (format:  [],  where  unit  =  b
177       (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
178
179
180   STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
181       The  storage.options.thinpool  table supports the following options for
182       the devicemapper driver:
183
184
185       autoextend_percent=""
186         Tells the thinpool driver the amount by which the thinpool  needs  to
187       be  grown.  This is specified in terms of % of pool size. So a value of
188       20 means that when threshold is hit, pool will be grown by 20%  of  ex‐
189       isting pool size. (default: 20%)
190
191
192       autoextend_threshold=""
193         Tells  the  driver  the thinpool extension threshold in terms of per‐
194       centage of pool size. For example, if threshold is 60, that means  when
195       pool is 60% full, threshold has been hit. (default: 80%)
196
197
198       basesize=""
199         Specifies the size to use when creating the base device, which limits
200       the size of images and containers. (default: 10g)
201
202
203       blocksize=""
204         Specifies a custom blocksize to use for the thin pool. (default: 64k)
205
206
207       directlvm_device=""
208         Specifies a custom block storage device to use for the thin pool. Re‐
209       quired for using graphdriver devicemapper.
210
211
212       directlvm_device_force=""
213         Tells driver to wipe device (directlvm_device) even if device already
214       has a filesystem.  (default: false)
215
216
217       fs="xfs"
218         Specifies the filesystem type to use for the base  device.  (default:
219       xfs)
220
221
222       log_level=""
223         Sets the log level of devicemapper.
224
225
226              0: LogLevelSuppress 0 (default)
227              2: LogLevelFatal
228              3: LogLevelErr
229              4: LogLevelWarn
230              5: LogLevelNotice
231              6: LogLevelInfo
232              7: LogLevelDebug
233
234
235
236       metadata_size=""
237         metadata_size is used to set the pvcreate --metadatasize options when
238       creating thin devices. (Default 128k)
239
240
241       min_free_space=""
242         Specifies the min free space percent in a thin pool required for  new
243       device  creation  to  succeed. Valid values are from 0% - 99%. Value 0%
244       disables. (default: 10%)
245
246
247       mkfsarg=""
248         Specifies extra mkfs arguments to be used when creating the base  de‐
249       vice.
250
251
252       mountopt=""
253         Comma separated list of default options to be used to mount container
254       images.  Suggested value "nodev". Mount options are documented  in  the
255       mount(8) man page.
256
257
258       size=""
259         Maximum  size  of  a  container  image.  This flag can be used to set
260       quota on the size of container images. (format:  [],  where  unit  =  b
261       (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
262
263
264       use_deferred_deletion=""
265         Marks  thinpool  device  for deferred deletion. If the thinpool is in
266       use when the driver attempts to delete it, the driver will  attempt  to
267       delete  device  every 30 seconds until successful, or when it restarts.
268       Deferred deletion permanently deletes the device and all data stored in
269       the device will be lost. (default: true).
270
271
272       use_deferred_removal=""
273         Marks  devicemapper block device for deferred removal.  If the device
274       is in use when its driver attempts to remove it, the driver  tells  the
275       kernel  to  remove  the device as soon as possible.  Note this does not
276       free up the disk space, use deferred deletion to fully remove the thin‐
277       pool.  (default: true).
278
279
280       xfs_nospace_max_retries=""
281         Specifies  the  maximum  number of retries XFS should attempt to com‐
282       plete IO when ENOSPC (no space) error is returned by underlying storage
283       device. (default: 0, which means to try continuously.)
284
285
286   STORAGE OPTIONS FOR OVERLAY TABLE
287       The storage.options.overlay table supports the following options:
288
289
290       ignore_chown_errors = "false"
291         ignore_chown_errors can be set to allow a non privileged user running
292       with a  single UID within a user namespace to run containers. The  user
293       can  pull and use any image even those with multiple uids.  Note multi‐
294       ple UIDs will be squashed down to the default  uid  in  the  container.
295       These  images  will  have  no  separation between the users in the con‐
296       tainer. (default: false)
297
298
299       inodes=""
300         Maximum inodes in a read/write layer.   This flag can be used to  set
301       a quota on the inodes allocated for a read/write layer of a container.
302
303
304       force_mask = "0000|shared|private"
305         ForceMask  specifies  the permissions mask that is used for new files
306       and directories.  The values "shared" and "private" are accepted.  (de‐
307       fault: ""). Octal permission masks are also accepted.
308
309
310       ``: Not set
311            All  files/directories,  get  set  with the permissions identified
312       within the image.
313
314
315       private: it is equivalent to 0700.
316            All files/directories get set with 0700  permissions.   The  owner
317       has  rwx  access  to the files. No other users on the system can access
318       the files.  This setting could be used with networked based home direc‐
319       tories.
320
321
322       shared: it is equivalent to 0755.
323            The  owner has rwx access to the files and everyone else can read,
324       access and execute them. This setting is useful for sharing  containers
325       storage  with other users.  For instance, a storage owned by root could
326       be shared to rootless users as an additional store.  NOTE:   All  files
327       within  the  image  are made readable and executable by any user on the
328       system. Even /etc/shadow within your image is now readable by any user.
329
330
331       OCTAL: Users can experiment with other OCTAL Permissions.
332
333
334       Note: The force_mask Flag is an experimental feature, it  could  change
335       in  the  future.  When "force_mask" is set the original permission mask
336       is  stored  in  the  "user.containers.override_stat"  xattr   and   the
337       "mount_program"   option   must   be  specified.  Mount  programs  like
338       "/usr/bin/fuse-overlayfs" present the extended attribute permissions to
339       processes within containers rather then the "force_mask"  permissions.
340
341
342       mount_program=""
343         Specifies the path to a custom program to use instead of using kernel
344       defaults for mounting the file system. In rootless  mode,  without  the
345       CAP_SYS_ADMIN capability, many kernels prevent mounting of overlay file
346       systems, requiring you to specify a  mount_program.  The  mount_program
347       option  is  also  required  on  systems where the underlying storage is
348       btrfs, aufs, zfs, overlay, or ecryptfs based file systems.
349         mount_program = "/usr/bin/fuse-overlayfs"
350
351
352       mountopt=""
353         Comma separated list of default options to be used to mount container
354       images.   Suggested  value "nodev". Mount options are documented in the
355       mount(8) man page.
356
357
358       size=""
359         Maximum size of a read/write layer.   This flag can be  used  to  set
360       quota  on  the  size of a read/write layer of a container. (format: [],
361       where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
362
363
364   STORAGE OPTIONS FOR VFS TABLE
365       The storage.options.vfs table supports the following options:
366
367
368       ignore_chown_errors = "false"
369         ignore_chown_errors can be set to allow a non privileged user running
370       with  a  single UID within a user namespace to run containers. The user
371       can pull and use any image even those with multiple uids.  Note  multi‐
372       ple  UIDs  will  be  squashed down to the default uid in the container.
373       These images will have no separation between  the  users  in  the  con‐
374       tainer. (default: false)
375
376
377   STORAGE OPTIONS FOR ZFS TABLE
378       The storage.options.zfs table supports the following options:
379
380
381       fsname=""
382         File System name for the zfs driver
383
384
385       mountopt=""
386         Comma separated list of default options to be used to mount container
387       images.  Suggested value "nodev". Mount options are documented  in  the
388       mount(8) man page.
389
390
391       skip_mount_home=""
392         Tell storage drivers to not create a PRIVATE bind mount on their home
393       directory.
394
395
396       size=""
397         Maximum size of a container image.   This flag can  be  used  to  set
398       quota  on  the  size  of  container images. (format: [], where unit = b
399       (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
400
401

SELINUX LABELING

403       When running on an SELinux system, if you move the  containers  storage
404       graphroot directory, you must make sure the labeling is correct.
405
406
407       Tell  SELinux about the new containers storage by setting up an equiva‐
408       lence record. This tells SELinux to label content under the  new  path,
409       as if it was stored under /var/lib/containers/storage.
410
411
412              semanage fcontext -a -e /var/lib/containers NEWSTORAGEPATH
413              restorecon -R -v NEWSTORAGEPATH
414
415
416
417       The  semanage command above tells SELinux to setup the default labeling
418       of NEWSTORAGEPATH to match /var/lib/containers.  The restorecon command
419       tells SELinux to apply the labels to the actual content.
420
421
422       Now  all new content created in these directories will automatically be
423       created with the correct label.
424
425

QUOTAS

427       Container storage implements XFS project  quota  controls  for  overlay
428       storage  containers  and  volumes. The directory used to store the con‐
429       tainers must be an XFS file system and be mounted with the  pquota  op‐
430       tion.
431
432
433       Example /etc/fstab entry:
434
435
436              /dev/podman/podman-var /var xfs defaults,x-systemd.device-timeout=0,pquota 1 2
437
438
439
440       Container  storage generates project ids for each container and builtin
441       volume, but these project ids need to be unique for the XFS  file  sys‐
442       tem.
443
444
445       The  xfs_quota  tool  can be used to assign a project id to the storage
446       driver directory, e.g.:
447
448
449              echo 100000:/var/lib/containers/storage/overlay >> /etc/projects
450              echo 200000:/var/lib/containers/storage/volumes >> /etc/projects
451              echo storage:100000 >> /etc/projid
452              echo volumes:200000 >> /etc/projid
453              xfs_quota -x -c 'project -s storage volumes' /<xfs mount point>
454
455
456
457       In the example above, the storage directory project id will be used  as
458       a "start offset" and all containers will be assigned larger project ids
459       (e.g. >= 100000).  Then the volumes directory project id will  be  used
460       as a "start offset" and all volumes will be assigned larger project ids
461       (e.g. >= 200000).  This is a way to prevent xfs_quota  management  from
462       conflicting with containers/storage.
463
464

FILES

466       Distributions  often  provide a /usr/share/containers/storage.conf file
467       to define default storage configuration.  Administrators  can  override
468       this file by creating /etc/containers/storage.conf to specify their own
469       configuration. The storage.conf file for rootless users  is  stored  in
470       the $XDG_CONFIG_HOME/containers/storage.conf file.  If $XDG_CONFIG_HOME
471       is not set then the file $HOME/.config/containers/storage.conf is used.
472
473
474       /etc/projects - XFS persistent project root  definition  /etc/projid  -
475       XFS project name mapping file
476
477

SEE ALSO

479       semanage(8),  restorecon(8), mount(8), fuse-overlayfs(1), xfs_quota(8),
480       projects(5), projid(5)
481
482

HISTORY

484       May  2017,  Originally  compiled   by   Dan   Walsh   dwalsh@redhat.com
485       ⟨mailto:dwalsh@redhat.com⟩  Format  copied from crio.conf man page cre‐
486       ated by Aleksa Sarai asarai@suse.de ⟨mailto:asarai@suse.de⟩
487
488
489
490Configuration                       Storagceontainers-storage.conf(5)(Container)
Impressum