1containers-storage.conf(5)(Container)Filecontainers-storage.conf(5)(Container)
2
3
4
5Dan Walsh May 2017
6
7
9 storage.conf - Syntax of Container Storage configuration file
10
11
13 The STORAGE configuration file specifies all of the available container
14 storage options for tools using shared container storage, but in a TOML
15 format that can be more easily modified and versioned.
16
17
19 The [TOML format][toml] is used as the encoding of the configuration
20 file. Every option and subtable listed here is nested under a global
21 "storage" table. No bare options are used. The format of TOML can be
22 simplified to:
23
24
25 [table]
26 option = value
27
28 [table.subtable1]
29 option = value
30
31 [table.subtable2]
32 option = value
33
34
35
37 The storage table supports the following options:
38
39
40 driver=""
41 container storage driver
42 Default Copy On Write (COW) container storage driver. Valid drivers
43 are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some
44 drivers (for example, "zfs", "btrfs", and "aufs") may not work if your
45 kernel lacks support for the filesystem.
46 This field is required to guarantee proper operation.
47 Valid rootless drivers are "btrfs", "overlay", and "vfs".
48 Rootless users default to the driver defined in the system configura‐
49 tion when possible.
50 When the system configuration uses an unsupported rootless driver,
51 rootless users default to "overlay" if available, otherwise "vfs".
52
53
54 graphroot=""
55 container storage graph dir (default: "/var/lib/containers/storage")
56 Default directory to store all writable content created by container
57 storage programs.
58 The rootless graphroot path supports environment variable substitu‐
59 tions (ie. $HOME/containers/storage)
60
61
62 rootless_storage_path="$HOME/.local/share/containers/storage"
63 Storage path for rootless users. By default the graphroot for root‐
64 less users
65 is set to $XDG_DATA_HOME/containers/storage, if XDG_DATA_HOME is set.
66 Otherwise $HOME/.local/share/containers/storage is used. This field
67 can
68 be used if administrators need to change the storage location for all
69 users.
70 The rootless storage path supports environment variable substitutions
71 (ie. $HOME/containers/storage)
72
73
74 A common use case for this field is to provide a local storage direc‐
75 tory when user home directories are NFS-mounted (podman does not sup‐
76 port container storage over NFS).
77
78
79 runroot=""
80 container storage run dir (default: "/run/containers/storage")
81 Default directory to store all temporary writable content created by
82 container storage programs.
83 The rootless runroot path supports environment variable substitutions
84 (ie. $HOME/containers/storage)
85
86
87 STORAGE OPTIONS TABLE
88 The storage.options table supports the following options:
89
90
91 additionalimagestores=[]
92 Paths to additional container image stores. Usually these are
93 read/only and stored on remote network shares.
94
95
96 remap-uids="" remap-gids=""
97 Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear
98 inside of a container, to the UIDs/GIDs outside of the container, and
99 the length of the range of UIDs/GIDs. Additional mapped sets can be
100 listed and will be heeded by libraries, but there are limits to the
101 number of mappings which the kernel will allow when you later attempt
102 to run a container.
103
104
105 Example
106 remap-uids = 0:1668442479:65536
107 remap-gids = 0:1668442479:65536
108
109
110 These mappings tell the container engines to map UID 0 inside of the
111 container to UID 1668442479 outside. UID 1 will be mapped to
112 1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533
113 UIDs in succession.
114
115
116 remap-user="" remap-group=""
117 Remap-User/Group is a user name which can be used to look up one or
118 more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings
119 are set up starting with an in-container ID of 0 and then a host-level
120 ID taken from the lowest range that matches the specified name, and us‐
121 ing the length of that range. Additional ranges are then assigned, us‐
122 ing the ranges which specify the lowest host-level IDs first, to the
123 lowest not-yet-mapped in-container ID, until all of the entries have
124 been used for maps.
125
126
127 Example
128 remap-user = "containers"
129 remap-group = "containers"
130
131
132 root-auto-userns-user=""
133 Root-auto-userns-user is a user name which can be used to look up one
134 or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These
135 ranges will be partitioned to containers configured to create automati‐
136 cally a user namespace. Containers configured to automatically create
137 a user namespace can still overlap with containers having an explicit
138 mapping set. This setting is ignored when running as rootless.
139
140
141 auto-userns-min-size=1024
142 Auto-userns-min-size is the minimum size for a user namespace created
143 automatically.
144
145
146 auto-userns-max-size=65536
147 Auto-userns-max-size is the maximum size for a user namespace created
148 automatically.
149
150
151 disable-volatile=true
152 If disable-volatile is set, then the "volatile" mount optimization is
153 disabled for all the containers.
154
155
156 STORAGE OPTIONS FOR AUFS TABLE
157 The storage.options.aufs table supports the following options:
158
159
160 mountopt=""
161 Comma separated list of default options to be used to mount container
162 images. Suggested value "nodev". Mount options are documented in the
163 mount(8) man page.
164
165
166 STORAGE OPTIONS FOR BTRFS TABLE
167 The storage.options.btrfs table supports the following options:
168
169
170 min_space=""
171 Specifies the min space in a btrfs volume.
172
173
174 size=""
175 Maximum size of a container image. This flag can be used to set
176 quota on the size of container images. (format: [], where unit = b
177 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
178
179
180 STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
181 The storage.options.thinpool table supports the following options for
182 the devicemapper driver:
183
184
185 autoextend_percent=""
186 Tells the thinpool driver the amount by which the thinpool needs to
187 be grown. This is specified in terms of % of pool size. So a value of
188 20 means that when threshold is hit, pool will be grown by 20% of ex‐
189 isting pool size. (default: 20%)
190
191
192 autoextend_threshold=""
193 Tells the driver the thinpool extension threshold in terms of per‐
194 centage of pool size. For example, if threshold is 60, that means when
195 pool is 60% full, threshold has been hit. (default: 80%)
196
197
198 basesize=""
199 Specifies the size to use when creating the base device, which limits
200 the size of images and containers. (default: 10g)
201
202
203 blocksize=""
204 Specifies a custom blocksize to use for the thin pool. (default: 64k)
205
206
207 directlvm_device=""
208 Specifies a custom block storage device to use for the thin pool. Re‐
209 quired for using graphdriver devicemapper.
210
211
212 directlvm_device_force=""
213 Tells driver to wipe device (directlvm_device) even if device already
214 has a filesystem. (default: false)
215
216
217 fs="xfs"
218 Specifies the filesystem type to use for the base device. (default:
219 xfs)
220
221
222 log_level=""
223 Sets the log level of devicemapper.
224
225
226 0: LogLevelSuppress 0 (default)
227 2: LogLevelFatal
228 3: LogLevelErr
229 4: LogLevelWarn
230 5: LogLevelNotice
231 6: LogLevelInfo
232 7: LogLevelDebug
233
234
235
236 metadata_size=""
237 metadata_size is used to set the pvcreate --metadatasize options when
238 creating thin devices. (Default 128k)
239
240
241 min_free_space=""
242 Specifies the min free space percent in a thin pool required for new
243 device creation to succeed. Valid values are from 0% - 99%. Value 0%
244 disables. (default: 10%)
245
246
247 mkfsarg=""
248 Specifies extra mkfs arguments to be used when creating the base de‐
249 vice.
250
251
252 mountopt=""
253 Comma separated list of default options to be used to mount container
254 images. Suggested value "nodev". Mount options are documented in the
255 mount(8) man page.
256
257
258 size=""
259 Maximum size of a container image. This flag can be used to set
260 quota on the size of container images. (format: [], where unit = b
261 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
262
263
264 use_deferred_deletion=""
265 Marks thinpool device for deferred deletion. If the thinpool is in
266 use when the driver attempts to delete it, the driver will attempt to
267 delete device every 30 seconds until successful, or when it restarts.
268 Deferred deletion permanently deletes the device and all data stored in
269 the device will be lost. (default: true).
270
271
272 use_deferred_removal=""
273 Marks devicemapper block device for deferred removal. If the device
274 is in use when its driver attempts to remove it, the driver tells the
275 kernel to remove the device as soon as possible. Note this does not
276 free up the disk space, use deferred deletion to fully remove the thin‐
277 pool. (default: true).
278
279
280 xfs_nospace_max_retries=""
281 Specifies the maximum number of retries XFS should attempt to com‐
282 plete IO when ENOSPC (no space) error is returned by underlying storage
283 device. (default: 0, which means to try continuously.)
284
285
286 STORAGE OPTIONS FOR OVERLAY TABLE
287 The storage.options.overlay table supports the following options:
288
289
290 ignore_chown_errors = "false"
291 ignore_chown_errors can be set to allow a non privileged user running
292 with a single UID within a user namespace to run containers. The user
293 can pull and use any image even those with multiple uids. Note multi‐
294 ple UIDs will be squashed down to the default uid in the container.
295 These images will have no separation between the users in the con‐
296 tainer. (default: false)
297
298
299 inodes=""
300 Maximum inodes in a read/write layer. This flag can be used to set
301 a quota on the inodes allocated for a read/write layer of a container.
302
303
304 force_mask = "0000|shared|private"
305 ForceMask specifies the permissions mask that is used for new files
306 and directories. The values "shared" and "private" are accepted. (de‐
307 fault: ""). Octal permission masks are also accepted.
308
309
310 ``: Not set
311 All files/directories, get set with the permissions identified
312 within the image.
313
314
315 private: it is equivalent to 0700.
316 All files/directories get set with 0700 permissions. The owner
317 has rwx access to the files. No other users on the system can access
318 the files. This setting could be used with networked based home direc‐
319 tories.
320
321
322 shared: it is equivalent to 0755.
323 The owner has rwx access to the files and everyone else can read,
324 access and execute them. This setting is useful for sharing containers
325 storage with other users. For instance, a storage owned by root could
326 be shared to rootless users as an additional store. NOTE: All files
327 within the image are made readable and executable by any user on the
328 system. Even /etc/shadow within your image is now readable by any user.
329
330
331 OCTAL: Users can experiment with other OCTAL Permissions.
332
333
334 Note: The force_mask Flag is an experimental feature, it could change
335 in the future. When "force_mask" is set the original permission mask
336 is stored in the "user.containers.override_stat" xattr and the
337 "mount_program" option must be specified. Mount programs like
338 "/usr/bin/fuse-overlayfs" present the extended attribute permissions to
339 processes within containers rather then the "force_mask" permissions.
340
341
342 mount_program=""
343 Specifies the path to a custom program to use instead of using kernel
344 defaults for mounting the file system. In rootless mode, without the
345 CAP_SYS_ADMIN capability, many kernels prevent mounting of overlay file
346 systems, requiring you to specify a mount_program. The mount_program
347 option is also required on systems where the underlying storage is
348 btrfs, aufs, zfs, overlay, or ecryptfs based file systems.
349 mount_program = "/usr/bin/fuse-overlayfs"
350
351
352 mountopt=""
353 Comma separated list of default options to be used to mount container
354 images. Suggested value "nodev". Mount options are documented in the
355 mount(8) man page.
356
357
358 size=""
359 Maximum size of a read/write layer. This flag can be used to set
360 quota on the size of a read/write layer of a container. (format: [],
361 where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
362
363
364 STORAGE OPTIONS FOR VFS TABLE
365 The storage.options.vfs table supports the following options:
366
367
368 ignore_chown_errors = "false"
369 ignore_chown_errors can be set to allow a non privileged user running
370 with a single UID within a user namespace to run containers. The user
371 can pull and use any image even those with multiple uids. Note multi‐
372 ple UIDs will be squashed down to the default uid in the container.
373 These images will have no separation between the users in the con‐
374 tainer. (default: false)
375
376
377 STORAGE OPTIONS FOR ZFS TABLE
378 The storage.options.zfs table supports the following options:
379
380
381 fsname=""
382 File System name for the zfs driver
383
384
385 mountopt=""
386 Comma separated list of default options to be used to mount container
387 images. Suggested value "nodev". Mount options are documented in the
388 mount(8) man page.
389
390
391 skip_mount_home=""
392 Tell storage drivers to not create a PRIVATE bind mount on their home
393 directory.
394
395
396 size=""
397 Maximum size of a container image. This flag can be used to set
398 quota on the size of container images. (format: [], where unit = b
399 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
400
401
403 When running on an SELinux system, if you move the containers storage
404 graphroot directory, you must make sure the labeling is correct.
405
406
407 Tell SELinux about the new containers storage by setting up an equiva‐
408 lence record. This tells SELinux to label content under the new path,
409 as if it was stored under /var/lib/containers/storage.
410
411
412 semanage fcontext -a -e /var/lib/containers NEWSTORAGEPATH
413 restorecon -R -v NEWSTORAGEPATH
414
415
416
417 The semanage command above tells SELinux to setup the default labeling
418 of NEWSTORAGEPATH to match /var/lib/containers. The restorecon command
419 tells SELinux to apply the labels to the actual content.
420
421
422 Now all new content created in these directories will automatically be
423 created with the correct label.
424
425
427 Container storage implements XFS project quota controls for overlay
428 storage containers and volumes. The directory used to store the con‐
429 tainers must be an XFS file system and be mounted with the pquota op‐
430 tion.
431
432
433 Example /etc/fstab entry:
434
435
436 /dev/podman/podman-var /var xfs defaults,x-systemd.device-timeout=0,pquota 1 2
437
438
439
440 Container storage generates project ids for each container and builtin
441 volume, but these project ids need to be unique for the XFS file sys‐
442 tem.
443
444
445 The xfs_quota tool can be used to assign a project id to the storage
446 driver directory, e.g.:
447
448
449 echo 100000:/var/lib/containers/storage/overlay >> /etc/projects
450 echo 200000:/var/lib/containers/storage/volumes >> /etc/projects
451 echo storage:100000 >> /etc/projid
452 echo volumes:200000 >> /etc/projid
453 xfs_quota -x -c 'project -s storage volumes' /<xfs mount point>
454
455
456
457 In the example above, the storage directory project id will be used as
458 a "start offset" and all containers will be assigned larger project ids
459 (e.g. >= 100000). Then the volumes directory project id will be used
460 as a "start offset" and all volumes will be assigned larger project ids
461 (e.g. >= 200000). This is a way to prevent xfs_quota management from
462 conflicting with containers/storage.
463
464
466 Distributions often provide a /usr/share/containers/storage.conf file
467 to define default storage configuration. Administrators can override
468 this file by creating /etc/containers/storage.conf to specify their own
469 configuration. The storage.conf file for rootless users is stored in
470 the $XDG_CONFIG_HOME/containers/storage.conf file. If $XDG_CONFIG_HOME
471 is not set then the file $HOME/.config/containers/storage.conf is used.
472
473
474 /etc/projects - XFS persistent project root definition /etc/projid -
475 XFS project name mapping file
476
477
479 semanage(8), restorecon(8), mount(8), fuse-overlayfs(1), xfs_quota(8),
480 projects(5), projid(5)
481
482
484 May 2017, Originally compiled by Dan Walsh dwalsh@redhat.com
485 ⟨mailto:dwalsh@redhat.com⟩ Format copied from crio.conf man page cre‐
486 ated by Aleksa Sarai asarai@suse.de ⟨mailto:asarai@suse.de⟩
487
488
489
490Configuration Storagceontainers-storage.conf(5)(Container)