1containers-storage.conf(5)(Container)Filecontainers-storage.conf(5)(Container)
2
3
4
5Dan Walsh May 2017
6
7
9 storage.conf - Syntax of Container Storage configuration file
10
11
13 The STORAGE configuration file specifies all of the available container
14 storage options for tools using shared container storage, but in a TOML
15 format that can be more easily modified and versioned.
16
17
19 The [TOML format][toml] is used as the encoding of the configuration
20 file. Every option and subtable listed here is nested under a global
21 "storage" table. No bare options are used. The format of TOML can be
22 simplified to:
23
24
25 [table]
26 option = value
27
28 [table.subtable1]
29 option = value
30
31 [table.subtable2]
32 option = value
33
34
35
37 The storage table supports the following options:
38
39
40 driver=""
41 container storage driver
42 Default Copy On Write (COW) container storage driver. Valid drivers
43 are "overlay", "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some
44 drivers (for example, "zfs", "btrfs", and "aufs") may not work if your
45 kernel lacks support for the filesystem.
46 This field is required to guarantee proper operation.
47 Valid rootless drivers are "btrfs", "overlay", and "vfs".
48 Rootless users default to the driver defined in the system configura‐
49 tion when possible.
50 When the system configuration uses an unsupported rootless driver,
51 rootless users default to "overlay" if available, otherwise "vfs".
52
53
54 graphroot=""
55 container storage graph dir (default: "/var/lib/containers/storage")
56 Default directory to store all writable content created by container
57 storage programs.
58 The rootless graphroot path supports environment variable substitu‐
59 tions (ie. $HOME/containers/storage)
60 When changing the graphroot location on an SELINUX system, ensure
61 the labeling matches the default locations labels with the
62 following commands:
63
64
65 # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
66 # restorecon -R -v /NEWSTORAGEPATH
67
68
69
70 In Rootless Mode you would set
71
72
73 # semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH
74 $ restorecon -R -v /NEWSTORAGEPATH
75
76
77
78 rootless_storage_path="$HOME/.local/share/containers/storage"
79 Storage path for rootless users. By default the graphroot for root‐
80 less users
81 is set to $XDG_DATA_HOME/containers/storage, if XDG_DATA_HOME is set.
82 Otherwise $HOME/.local/share/containers/storage is used. This field
83 can
84 be used if administrators need to change the storage location for all
85 users.
86 The rootless storage path supports environment variable substitutions
87 (ie. $HOME/containers/storage)
88
89
90 A common use case for this field is to provide a local storage direc‐
91 tory when user home directories are NFS-mounted (podman does not sup‐
92 port container storage over NFS).
93
94
95 runroot=""
96 container storage run dir (default: "/run/containers/storage")
97 Default directory to store all temporary writable content created by
98 container storage programs.
99 The rootless runroot path supports environment variable substitutions
100 (ie. $HOME/containers/storage)
101
102
103 STORAGE OPTIONS TABLE
104 The storage.options table supports the following options:
105
106
107 additionalimagestores=[]
108 Paths to additional container image stores. Usually these are
109 read/only and stored on remote network shares.
110
111
112 remap-uids="" remap-gids=""
113 Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear
114 inside of a container, to the UIDs/GIDs outside of the container, and
115 the length of the range of UIDs/GIDs. Additional mapped sets can be
116 listed and will be heeded by libraries, but there are limits to the
117 number of mappings which the kernel will allow when you later attempt
118 to run a container.
119
120
121 Example
122 remap-uids = 0:1668442479:65536
123 remap-gids = 0:1668442479:65536
124
125
126 These mappings tell the container engines to map UID 0 inside of the
127 container to UID 1668442479 outside. UID 1 will be mapped to
128 1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533
129 UIDs in succession.
130
131
132 remap-user="" remap-group=""
133 Remap-User/Group is a user name which can be used to look up one or
134 more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings
135 are set up starting with an in-container ID of 0 and then a host-level
136 ID taken from the lowest range that matches the specified name, and us‐
137 ing the length of that range. Additional ranges are then assigned, us‐
138 ing the ranges which specify the lowest host-level IDs first, to the
139 lowest not-yet-mapped in-container ID, until all of the entries have
140 been used for maps.
141
142
143 Example
144 remap-user = "containers"
145 remap-group = "containers"
146
147
148 root-auto-userns-user=""
149 Root-auto-userns-user is a user name which can be used to look up one
150 or more UID/GID ranges in the /etc/subuid and /etc/subgid file. These
151 ranges will be partitioned to containers configured to create automati‐
152 cally a user namespace. Containers configured to automatically create
153 a user namespace can still overlap with containers having an explicit
154 mapping set. This setting is ignored when running as rootless.
155
156
157 auto-userns-min-size=1024
158 Auto-userns-min-size is the minimum size for a user namespace created
159 automatically.
160
161
162 auto-userns-max-size=65536
163 Auto-userns-max-size is the maximum size for a user namespace created
164 automatically.
165
166
167 disable-volatile=true
168 If disable-volatile is set, then the "volatile" mount optimization is
169 disabled for all the containers.
170
171
172 STORAGE OPTIONS FOR AUFS TABLE
173 The storage.options.aufs table supports the following options:
174
175
176 mountopt=""
177 Comma separated list of default options to be used to mount container
178 images. Suggested value "nodev". Mount options are documented in the
179 mount(8) man page.
180
181
182 STORAGE OPTIONS FOR BTRFS TABLE
183 The storage.options.btrfs table supports the following options:
184
185
186 min_space=""
187 Specifies the min space in a btrfs volume.
188
189
190 size=""
191 Maximum size of a container image. This flag can be used to set
192 quota on the size of container images. (format: [], where unit = b
193 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
194
195
196 STORAGE OPTIONS FOR THINPOOL (devicemapper) TABLE
197 The storage.options.thinpool table supports the following options for
198 the devicemapper driver:
199
200
201 autoextend_percent=""
202 Tells the thinpool driver the amount by which the thinpool needs to
203 be grown. This is specified in terms of % of pool size. So a value of
204 20 means that when threshold is hit, pool will be grown by 20% of ex‐
205 isting pool size. (default: 20%)
206
207
208 autoextend_threshold=""
209 Tells the driver the thinpool extension threshold in terms of per‐
210 centage of pool size. For example, if threshold is 60, that means when
211 pool is 60% full, threshold has been hit. (default: 80%)
212
213
214 basesize=""
215 Specifies the size to use when creating the base device, which limits
216 the size of images and containers. (default: 10g)
217
218
219 blocksize=""
220 Specifies a custom blocksize to use for the thin pool. (default: 64k)
221
222
223 directlvm_device=""
224 Specifies a custom block storage device to use for the thin pool. Re‐
225 quired for using graphdriver devicemapper.
226
227
228 directlvm_device_force=""
229 Tells driver to wipe device (directlvm_device) even if device already
230 has a filesystem. (default: false)
231
232
233 fs="xfs"
234 Specifies the filesystem type to use for the base device. (default:
235 xfs)
236
237
238 log_level=""
239 Sets the log level of devicemapper.
240
241
242 0: LogLevelSuppress 0 (default)
243 2: LogLevelFatal
244 3: LogLevelErr
245 4: LogLevelWarn
246 5: LogLevelNotice
247 6: LogLevelInfo
248 7: LogLevelDebug
249
250
251
252 metadata_size=""
253 metadata_size is used to set the pvcreate --metadatasize options when
254 creating thin devices. (Default 128k)
255
256
257 min_free_space=""
258 Specifies the min free space percent in a thin pool required for new
259 device creation to succeed. Valid values are from 0% - 99%. Value 0%
260 disables. (default: 10%)
261
262
263 mkfsarg=""
264 Specifies extra mkfs arguments to be used when creating the base de‐
265 vice.
266
267
268 mountopt=""
269 Comma separated list of default options to be used to mount container
270 images. Suggested value "nodev". Mount options are documented in the
271 mount(8) man page.
272
273
274 size=""
275 Maximum size of a container image. This flag can be used to set
276 quota on the size of container images. (format: [], where unit = b
277 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
278
279
280 use_deferred_deletion=""
281 Marks thinpool device for deferred deletion. If the thinpool is in
282 use when the driver attempts to delete it, the driver will attempt to
283 delete device every 30 seconds until successful, or when it restarts.
284 Deferred deletion permanently deletes the device and all data stored in
285 the device will be lost. (default: true).
286
287
288 use_deferred_removal=""
289 Marks devicemapper block device for deferred removal. If the device
290 is in use when its driver attempts to remove it, the driver tells the
291 kernel to remove the device as soon as possible. Note this does not
292 free up the disk space, use deferred deletion to fully remove the thin‐
293 pool. (default: true).
294
295
296 xfs_nospace_max_retries=""
297 Specifies the maximum number of retries XFS should attempt to com‐
298 plete IO when ENOSPC (no space) error is returned by underlying storage
299 device. (default: 0, which means to try continuously.)
300
301
302 STORAGE OPTIONS FOR OVERLAY TABLE
303 The storage.options.overlay table supports the following options:
304
305
306 ignore_chown_errors = "false"
307 ignore_chown_errors can be set to allow a non privileged user running
308 with a single UID within a user namespace to run containers. The user
309 can pull and use any image even those with multiple uids. Note multi‐
310 ple UIDs will be squashed down to the default uid in the container.
311 These images will have no separation between the users in the con‐
312 tainer. (default: false)
313
314
315 inodes=""
316 Maximum inodes in a read/write layer. This flag can be used to set
317 a quota on the inodes allocated for a read/write layer of a container.
318
319
320 force_mask = "0000|shared|private"
321 ForceMask specifies the permissions mask that is used for new files
322 and directories. The values "shared" and "private" are accepted. (de‐
323 fault: ""). Octal permission masks are also accepted.
324
325
326 ``: Not set
327 All files/directories, get set with the permissions identified
328 within the image.
329
330
331 private: it is equivalent to 0700.
332 All files/directories get set with 0700 permissions. The owner
333 has rwx access to the files. No other users on the system can access
334 the files. This setting could be used with networked based home direc‐
335 tories.
336
337
338 shared: it is equivalent to 0755.
339 The owner has rwx access to the files and everyone else can read,
340 access and execute them. This setting is useful for sharing containers
341 storage with other users. For instance, a storage owned by root could
342 be shared to rootless users as an additional store. NOTE: All files
343 within the image are made readable and executable by any user on the
344 system. Even /etc/shadow within your image is now readable by any user.
345
346
347 OCTAL: Users can experiment with other OCTAL Permissions.
348
349
350 Note: The force_mask Flag is an experimental feature, it could change
351 in the future. When "force_mask" is set the original permission mask
352 is stored in the "user.containers.override_stat" xattr and the
353 "mount_program" option must be specified. Mount programs like
354 "/usr/bin/fuse-overlayfs" present the extended attribute permissions to
355 processes within containers rather then the "force_mask" permissions.
356
357
358 mount_program=""
359 Specifies the path to a custom program to use instead of using kernel
360 defaults for mounting the file system. In rootless mode, without the
361 CAP_SYS_ADMIN capability, many kernels prevent mounting of overlay file
362 systems, requiring you to specify a mount_program. The mount_program
363 option is also required on systems where the underlying storage is
364 btrfs, aufs, zfs, overlay, or ecryptfs based file systems.
365 mount_program = "/usr/bin/fuse-overlayfs"
366
367
368 mountopt=""
369 Comma separated list of default options to be used to mount container
370 images. Suggested value "nodev". Mount options are documented in the
371 mount(8) man page.
372
373
374 size=""
375 Maximum size of a read/write layer. This flag can be used to set
376 quota on the size of a read/write layer of a container. (format: [],
377 where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
378
379
380 STORAGE OPTIONS FOR VFS TABLE
381 The storage.options.vfs table supports the following options:
382
383
384 ignore_chown_errors = "false"
385 ignore_chown_errors can be set to allow a non privileged user running
386 with a single UID within a user namespace to run containers. The user
387 can pull and use any image even those with multiple uids. Note multi‐
388 ple UIDs will be squashed down to the default uid in the container.
389 These images will have no separation between the users in the con‐
390 tainer. (default: false)
391
392
393 STORAGE OPTIONS FOR ZFS TABLE
394 The storage.options.zfs table supports the following options:
395
396
397 fsname=""
398 File System name for the zfs driver
399
400
401 mountopt=""
402 Comma separated list of default options to be used to mount container
403 images. Suggested value "nodev". Mount options are documented in the
404 mount(8) man page.
405
406
407 skip_mount_home=""
408 Tell storage drivers to not create a PRIVATE bind mount on their home
409 directory.
410
411
412 size=""
413 Maximum size of a container image. This flag can be used to set
414 quota on the size of container images. (format: [], where unit = b
415 (bytes), k (kilobytes), m (megabytes), or g (gigabytes))
416
417
419 When running on an SELinux system, if you move the containers storage
420 graphroot directory, you must make sure the labeling is correct.
421
422
423 Tell SELinux about the new containers storage by setting up an equiva‐
424 lence record. This tells SELinux to label content under the new path,
425 as if it was stored under /var/lib/containers/storage.
426
427
428 semanage fcontext -a -e /var/lib/containers NEWSTORAGEPATH
429 restorecon -R -v NEWSTORAGEPATH
430
431
432
433 In rootless mode, you would set
434
435
436 semanage fcontext -a -e $HOME/.local/share/containers NEWSTORAGEPATH
437 restorecon -R -v NEWSTORAGEPATH
438
439
440
441 The semanage command above tells SELinux to setup the default labeling
442 of NEWSTORAGEPATH to match /var/lib/containers. The restorecon command
443 tells SELinux to apply the labels to the actual content.
444
445
446 Now all new content created in these directories will automatically be
447 created with the correct label.
448
449
451 Container storage implements XFS project quota controls for overlay
452 storage containers and volumes. The directory used to store the con‐
453 tainers must be an XFS file system and be mounted with the pquota op‐
454 tion.
455
456
457 Example /etc/fstab entry:
458
459
460 /dev/podman/podman-var /var xfs defaults,x-systemd.device-timeout=0,pquota 1 2
461
462
463
464 Container storage generates project ids for each container and builtin
465 volume, but these project ids need to be unique for the XFS file sys‐
466 tem.
467
468
469 The xfs_quota tool can be used to assign a project id to the storage
470 driver directory, e.g.:
471
472
473 echo 100000:/var/lib/containers/storage/overlay >> /etc/projects
474 echo 200000:/var/lib/containers/storage/volumes >> /etc/projects
475 echo storage:100000 >> /etc/projid
476 echo volumes:200000 >> /etc/projid
477 xfs_quota -x -c 'project -s storage volumes' /<xfs mount point>
478
479
480
481 In the example above, the storage directory project id will be used as
482 a "start offset" and all containers will be assigned larger project ids
483 (e.g. >= 100000). Then the volumes directory project id will be used
484 as a "start offset" and all volumes will be assigned larger project ids
485 (e.g. >= 200000). This is a way to prevent xfs_quota management from
486 conflicting with containers/storage.
487
488
490 Distributions often provide a /usr/share/containers/storage.conf file
491 to define default storage configuration. Administrators can override
492 this file by creating /etc/containers/storage.conf to specify their own
493 configuration. Likewise rootless users can create a storage.conf file
494 to override the system storage.conf files. Files should be stored in
495 the $XDG_CONFIG_HOME/containers/storage.conf file. If $XDG_CONFIG_HOME
496 is not set then the file $HOME/.config/containers/storage.conf is used.
497
498
499 Note: The storage.conf file overrides all other strorage.conf files.
500 Container engines run by users with a storage.conf file in their home
501 directory do not use options in the system storage.conf files.
502
503
504 /etc/projects - XFS persistent project root definition /etc/projid -
505 XFS project name mapping file
506
507
509 semanage(8), restorecon(8), mount(8), fuse-overlayfs(1), xfs_quota(8),
510 projects(5), projid(5)
511
512
514 May 2017, Originally compiled by Dan Walsh dwalsh@redhat.com
515 ⟨mailto:dwalsh@redhat.com⟩ Format copied from crio.conf man page cre‐
516 ated by Aleksa Sarai asarai@suse.de ⟨mailto:asarai@suse.de⟩
517
518
519
520Configuration Storagceontainers-storage.conf(5)(Container)