1podman-run(1) General Commands Manual podman-run(1)
2
3
4
6 podman-run - Run a command in a new container
7
8
10 podman run [options] image [command [arg ...]]
11
12
13 podman container run [options] image [command [arg ...]]
14
15
17 Run a process in a new container. podman run starts a process with its
18 own file system, its own networking, and its own isolated process tree.
19 The image which starts the process may define defaults related to the
20 process that will be run in the container, the networking to expose,
21 and more, but podman run gives final control to the operator or admin‐
22 istrator who starts the container from the image. For that reason pod‐
23 man run has more options than any other Podman command.
24
25
26 If the image is not already loaded then podman run will pull the image,
27 and all image dependencies, from the repository in the same way running
28 podman pull image , before it starts the container from that image.
29
30
31 Several files will be automatically created within the container. These
32 include /etc/hosts, /etc/hostname, and /etc/resolv.conf to manage net‐
33 working. These will be based on the host's version of the files,
34 though they can be customized with options (for example, --dns will
35 override the host's DNS servers in the created resolv.conf). Addition‐
36 ally, a container environment file is created in each container to in‐
37 dicate to programs they are running in a container. This file is lo‐
38 cated at /run/.containerenv. When using the --privileged flag the .con‐
39 tainerenv contains name/value pairs indicating the container engine
40 version, whether the engine is running in rootless mode, the container
41 name and id, as well as the image name and id that the container is
42 based on.
43
44
45 When running from a user defined network namespace, the
46 /etc/netns/NSNAME/resolv.conf will be used if it exists, otherwise
47 /etc/resolv.conf will be used.
48
49
50 Default settings are defined in containers.conf. Most settings for re‐
51 mote connections use the servers containers.conf, except when docu‐
52 mented in man pages.
53
54
56 The image is specified using transport:path format. If no transport is
57 specified, the docker (container registry) transport will be used by
58 default. For remote Podman, including Mac and Windows (excluding WSL2)
59 machines, docker is the only allowed transport.
60
61
62 dir:path
63 An existing local directory path storing the manifest, layer tarballs
64 and signatures as individual files. This is a non-standardized format,
65 primarily useful for debugging or noninvasive container inspection.
66
67
68 $ podman save --format docker-dir fedora -o /tmp/fedora
69 $ podman run dir:/tmp/fedora echo hello
70
71
72
73 docker://docker-reference (Default)
74 An image reference stored in a remote container image registry. Exam‐
75 ple: "quay.io/podman/stable:latest". The reference can include a path
76 to a specific registry; if it does not, the registries listed in reg‐
77 istries.conf will be queried to find a matching image. By default,
78 credentials from podman login (stored at $XDG_RUNTIME_DIR/contain‐
79 ers/auth.json by default) will be used to authenticate; otherwise it
80 falls back to using credentials in $HOME/.docker/config.json.
81
82
83 $ podman run registry.fedoraproject.org/fedora:latest echo hello
84
85
86
87 docker-archive:path[:docker-reference] An image stored in the docker
88 save formatted file. docker-reference is only used when creating such a
89 file, and it must not contain a digest.
90
91
92 $ podman save --format docker-archive fedora -o /tmp/fedora
93 $ podman run docker-archive:/tmp/fedora echo hello
94
95
96
97 docker-daemon:docker-reference
98 An image in docker-reference format stored in the docker daemon in‐
99 ternal storage. The docker-reference can also be an image ID (docker-
100 daemon:algo:digest).
101
102
103 $ sudo docker pull fedora
104 $ sudo podman run docker-daemon:docker.io/library/fedora echo hello
105
106
107
108 oci-archive:path:tag
109 An image in a directory compliant with the "Open Container Image Lay‐
110 out Specification" at the specified path and specified with a tag.
111
112
113 $ podman save --format oci-archive fedora -o /tmp/fedora
114 $ podman run oci-archive:/tmp/fedora echo hello
115
116
117
119 --add-host=host:ip
120 Add a custom host-to-IP mapping (host:ip)
121
122
123 Add a line to /etc/hosts. The format is hostname:ip. The --add-host op‐
124 tion can be set multiple times. Conflicts with the --no-hosts option.
125
126
127 --annotation=key=value
128 Add an annotation to the container. This option can be set multiple
129 times.
130
131
132 --arch=ARCH
133 Override the architecture, defaults to hosts, of the image to be
134 pulled. For example, arm. Unless overridden, subsequent lookups of the
135 same image in the local storage will match this architecture, regard‐
136 less of the host.
137
138
139 --attach, -a=stdin | stdout | stderr
140 Attach to STDIN, STDOUT or STDERR.
141
142
143 In foreground mode (the default when -d is not specified), podman run
144 can start the process in the container and attach the console to the
145 process's standard input, output, and error. It can even pretend to be
146 a TTY (this is what most command-line executables expect) and pass
147 along signals. The -a option can be set for each of stdin, stdout, and
148 stderr.
149
150
151 --authfile=path
152 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
153 ers/auth.json, which is set using podman login. If the authorization
154 state is not found there, $HOME/.docker/config.json is checked, which
155 is set using docker login.
156
157
158 Note: There is also the option to override the default path of the au‐
159 thentication file by setting the REGISTRY_AUTH_FILE environment vari‐
160 able. This can be done with export REGISTRY_AUTH_FILE=path.
161
162
163 --blkio-weight=weight
164 Block IO relative weight. The weight is a value between 10 and 1000.
165
166
167 This option is not supported on cgroups V1 rootless systems.
168
169
170 --blkio-weight-device=device:weight
171 Block IO relative device weight.
172
173
174 --cap-add=capability
175 Add Linux capabilities.
176
177
178 --cap-drop=capability
179 Drop Linux capabilities.
180
181
182 --cgroup-conf=KEY=VALUE
183 When running on cgroup v2, specify the cgroup file to write to and its
184 value. For example --cgroup-conf=memory.high=1073741824 sets the mem‐
185 ory.high limit to 1GB.
186
187
188 --cgroup-parent=path
189 Path to cgroups under which the cgroup for the container will be cre‐
190 ated. If the path is not absolute, the path is considered to be rela‐
191 tive to the cgroups path of the init process. Cgroups will be created
192 if they do not already exist.
193
194
195 --cgroupns=mode
196 Set the cgroup namespace mode for the container.
197
198
199 • host: use the host's cgroup namespace inside the container.
200
201 • container:id: join the namespace of the specified container.
202
203 • private: create a new cgroup namespace.
204
205 • ns:path: join the namespace at the specified path.
206
207
208
209 If the host uses cgroups v1, the default is set to host. On cgroups v2,
210 the default is private.
211
212
213 --cgroups=how
214 Determines whether the container will create CGroups.
215
216
217 Default is enabled.
218
219
220 The enabled option will create a new cgroup under the cgroup-parent.
221 The disabled option will force the container to not create CGroups, and
222 thus conflicts with CGroup options (--cgroupns and --cgroup-parent).
223 The no-conmon option disables a new CGroup only for the conmon process.
224 The split option splits the current CGroup in two sub-cgroups: one for
225 conmon and one for the container payload. It is not possible to set
226 --cgroup-parent with split.
227
228
229 --chrootdirs=path
230 Path to a directory inside the container that should be treated as a
231 chroot directory. Any Podman managed file (e.g., /etc/resolv.conf,
232 /etc/hosts, etc/hostname) that is mounted into the root directory will
233 be mounted into that location as well. Multiple directories should be
234 separated with a comma.
235
236
237 --cidfile=file
238 Write the container ID to file.
239
240
241 --conmon-pidfile=file
242 Write the pid of the conmon process to a file. As conmon runs in a sep‐
243 arate process than Podman, this is necessary when using systemd to
244 restart Podman containers. (This option is not available with the re‐
245 mote Podman client, including Mac and Windows (excluding WSL2) ma‐
246 chines)
247
248
249 --cpu-period=limit
250 Set the CPU period for the Completely Fair Scheduler (CFS), which is a
251 duration in microseconds. Once the container's CPU quota is used up, it
252 will not be scheduled to run until the current period ends. Defaults to
253 100000 microseconds.
254
255
256 On some systems, changing the resource limits may not be allowed for
257 non-root users. For more details, see https://github.com/contain‐
258 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
259 source-limits-fails-with-a-permissions-error
260
261
262 This option is not supported on cgroups V1 rootless systems.
263
264
265 --cpu-quota=limit
266 Limit the CPU Completely Fair Scheduler (CFS) quota.
267
268
269 Limit the container's CPU usage. By default, containers run with the
270 full CPU resource. The limit is a number in microseconds. If a number
271 is provided, the container will be allowed to use that much CPU time
272 until the CPU period ends (controllable via --cpu-period).
273
274
275 On some systems, changing the resource limits may not be allowed for
276 non-root users. For more details, see https://github.com/contain‐
277 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
278 source-limits-fails-with-a-permissions-error
279
280
281 This option is not supported on cgroups V1 rootless systems.
282
283
284 --cpu-rt-period=microseconds
285 Limit the CPU real-time period in microseconds.
286
287
288 Limit the container's Real Time CPU usage. This option tells the kernel
289 to restrict the container's Real Time CPU usage to the period speci‐
290 fied.
291
292
293 This option is only supported on cgroups V1 rootful systems.
294
295
296 --cpu-rt-runtime=microseconds
297 Limit the CPU real-time runtime in microseconds.
298
299
300 Limit the containers Real Time CPU usage. This option tells the kernel
301 to limit the amount of time in a given CPU period Real Time tasks may
302 consume. Ex: Period of 1,000,000us and Runtime of 950,000us means that
303 this container could consume 95% of available CPU and leave the remain‐
304 ing 5% to normal priority tasks.
305
306
307 The sum of all runtimes across containers cannot exceed the amount al‐
308 lotted to the parent cgroup.
309
310
311 This option is only supported on cgroups V1 rootful systems.
312
313
314 --cpu-shares, -c=shares
315 CPU shares (relative weight).
316
317
318 By default, all containers get the same proportion of CPU cycles. This
319 proportion can be modified by changing the container's CPU share
320 weighting relative to the combined weight of all the running contain‐
321 ers. Default weight is 1024.
322
323
324 The proportion will only apply when CPU-intensive processes are run‐
325 ning. When tasks in one container are idle, other containers can use
326 the left-over CPU time. The actual amount of CPU time will vary depend‐
327 ing on the number of containers running on the system.
328
329
330 For example, consider three containers, one has a cpu-share of 1024 and
331 two others have a cpu-share setting of 512. When processes in all three
332 containers attempt to use 100% of CPU, the first container would re‐
333 ceive 50% of the total CPU time. If a fourth container is added with a
334 cpu-share of 1024, the first container only gets 33% of the CPU. The
335 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
336
337
338 On a multi-core system, the shares of CPU time are distributed over all
339 CPU cores. Even if a container is limited to less than 100% of CPU
340 time, it can use 100% of each individual CPU core.
341
342
343 For example, consider a system with more than three cores. If the con‐
344 tainer C0 is started with --cpu-shares=512 running one process, and an‐
345 other container C1 with --cpu-shares=1024 running two processes, this
346 can result in the following division of CPU shares:
347
348
349 ┌────┬───────────┬─────┬──────────────┐
350 │PID │ container │ CPU │ CPU share │
351 ├────┼───────────┼─────┼──────────────┤
352 │100 │ C0 │ 0 │ 100% of CPU0 │
353 ├────┼───────────┼─────┼──────────────┤
354 │101 │ C1 │ 1 │ 100% of CPU1 │
355 ├────┼───────────┼─────┼──────────────┤
356 │102 │ C1 │ 2 │ 100% of CPU2 │
357 └────┴───────────┴─────┴──────────────┘
358
359 On some systems, changing the resource limits may not be allowed for
360 non-root users. For more details, see https://github.com/contain‐
361 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
362 source-limits-fails-with-a-permissions-error
363
364
365 This option is not supported on cgroups V1 rootless systems.
366
367
368 --cpus=number
369 Number of CPUs. The default is 0.0 which means no limit. This is short‐
370 hand for --cpu-period and --cpu-quota, so you may only set either
371 --cpus or --cpu-period and --cpu-quota.
372
373
374 On some systems, changing the CPU limits may not be allowed for non-
375 root users. For more details, see https://github.com/containers/pod‐
376 man/blob/main/troubleshooting.md#26-running-containers-with-resource-
377 limits-fails-with-a-permissions-error
378
379
380 This option is not supported on cgroups V1 rootless systems.
381
382
383 --cpuset-cpus=number
384 CPUs in which to allow execution. Can be specified as a comma-separated
385 list (e.g. 0,1), as a range (e.g. 0-3), or any combination thereof
386 (e.g. 0-3,7,11-15).
387
388
389 On some systems, changing the resource limits may not be allowed for
390 non-root users. For more details, see https://github.com/contain‐
391 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
392 source-limits-fails-with-a-permissions-error
393
394
395 This option is not supported on cgroups V1 rootless systems.
396
397
398 --cpuset-mems=nodes
399 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
400 tive on NUMA systems.
401
402
403 If there are four memory nodes on the system (0-3), use --cpuset-
404 mems=0,1 then processes in the container will only use memory from the
405 first two memory nodes.
406
407
408 On some systems, changing the resource limits may not be allowed for
409 non-root users. For more details, see https://github.com/contain‐
410 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
411 source-limits-fails-with-a-permissions-error
412
413
414 This option is not supported on cgroups V1 rootless systems.
415
416
417 --detach, -d
418 Detached mode: run the container in the background and print the new
419 container ID. The default is false.
420
421
422 At any time you can run podman ps in the other shell to view a list of
423 the running containers. You can reattach to a detached container with
424 podman attach.
425
426
427 When attached in the tty mode, you can detach from the container (and
428 leave it running) using a configurable key sequence. The default se‐
429 quence is ctrl-p,ctrl-q. Specify the key sequence using the --detach-
430 keys option, or configure it in the containers.conf file: see contain‐
431 ers.conf(5) for more information.
432
433
434 --detach-keys=sequence
435 Specify the key sequence for detaching a container. Format is a single
436 character [a-Z] or one or more ctrl-<value> characters where <value> is
437 one of: a-z, @, ^, [, , or _. Specifying "" will disable this feature.
438 The default is ctrl-p,ctrl-q.
439
440
441 This option can also be set in containers.conf(5) file.
442
443
444 --device=host-device[:container-device][:permissions]
445 Add a host device to the container. Optional permissions parameter can
446 be used to specify device permissions by combining r for read, w for
447 write, and m for mknod(2).
448
449
450 Example: --device=/dev/sdc:/dev/xvdc:rwm.
451
452
453 Note: if host-device is a symbolic link then it will be resolved first.
454 The container will only store the major and minor numbers of the host
455 device.
456
457
458 Podman may load kernel modules required for using the specified device.
459 The devices that Podman will load modules for when necessary are:
460 /dev/fuse.
461
462
463 In rootless mode, the new device is bind mounted in the container from
464 the host rather than Podman creating it within the container space. Be‐
465 cause the bind mount retains its SELinux label on SELinux systems, the
466 container can get permission denied when accessing the mounted device.
467 Modify SELinux settings to allow containers to use all device labels
468 via the following command:
469
470
471 $ sudo setsebool -P container_use_devices=true
472
473
474 Note: if the user only has access rights via a group, accessing the de‐
475 vice from inside a rootless container will fail. Use the --group-add
476 keep-groups flag to pass the user's supplementary group access into the
477 container.
478
479
480 --device-cgroup-rule="type major:minor mode"
481 Add a rule to the cgroup allowed devices list. The rule is expected to
482 be in the format specified in the Linux kernel documentation (Documen‐
483 tation/cgroup-v1/devices.txt):
484 - type: a (all), c (char), or b (block);
485 - major and minor: either a number, or * for all;
486 - mode: a composition of r (read), w (write), and m (mknod(2)).
487
488
489 --device-read-bps=path:rate
490 Limit read rate (in bytes per second) from a device (e.g. --device-
491 read-bps=/dev/sda:1mb).
492
493
494 On some systems, changing the resource limits may not be allowed for
495 non-root users. For more details, see https://github.com/contain‐
496 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
497 source-limits-fails-with-a-permissions-error
498
499
500 This option is not supported on cgroups V1 rootless systems.
501
502
503 --device-read-iops=path:rate
504 Limit read rate (in IO operations per second) from a device (e.g. --de‐
505 vice-read-iops=/dev/sda:1000).
506
507
508 On some systems, changing the resource limits may not be allowed for
509 non-root users. For more details, see https://github.com/contain‐
510 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
511 source-limits-fails-with-a-permissions-error
512
513
514 This option is not supported on cgroups V1 rootless systems.
515
516
517 --device-write-bps=path:rate
518 Limit write rate (in bytes per second) to a device (e.g. --device-
519 write-bps=/dev/sda:1mb).
520
521
522 On some systems, changing the resource limits may not be allowed for
523 non-root users. For more details, see https://github.com/contain‐
524 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
525 source-limits-fails-with-a-permissions-error
526
527
528 This option is not supported on cgroups V1 rootless systems.
529
530
531 --device-write-iops=path:rate
532 Limit write rate (in IO operations per second) to a device (e.g. --de‐
533 vice-write-iops=/dev/sda:1000).
534
535
536 On some systems, changing the resource limits may not be allowed for
537 non-root users. For more details, see https://github.com/contain‐
538 ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
539 source-limits-fails-with-a-permissions-error
540
541
542 This option is not supported on cgroups V1 rootless systems.
543
544
545 --disable-content-trust
546 This is a Docker-specific option to disable image verification to a
547 container registry and is not supported by Podman. This option is a
548 NOOP and provided solely for scripting compatibility.
549
550
551 --dns=ipaddr
552 Set custom DNS servers.
553
554
555 This option can be used to override the DNS configuration passed to the
556 container. Typically this is necessary when the host DNS configuration
557 is invalid for the container (e.g., 127.0.0.1). When this is the case
558 the --dns flag is necessary for every run.
559
560
561 The special value none can be specified to disable creation of /etc/re‐
562 solv.conf in the container by Podman. The /etc/resolv.conf file in the
563 image will be used without changes.
564
565
566 This option cannot be combined with --network that is set to none or
567 container:id.
568
569
570 --dns-option=option
571 Set custom DNS options. Invalid if using --dns-option with --network
572 that is set to none or container:id.
573
574
575 --dns-search=domain
576 Set custom DNS search domains. Invalid if using --dns-search with
577 --network that is set to none or container:id. Use --dns-search=. if
578 you don't wish to set the search domain.
579
580
581 --entrypoint="command" | '["command", arg1 , ...]'
582 Overwrite the default ENTRYPOINT of the image.
583
584
585 This option allows you to overwrite the default entrypoint of the im‐
586 age.
587
588
589 The ENTRYPOINT of an image is similar to a COMMAND because it specifies
590 what executable to run when the container starts, but it is (purposely)
591 more difficult to override. The ENTRYPOINT gives a container its de‐
592 fault nature or behavior, so that when you set an ENTRYPOINT you can
593 run the container as if it were that binary, complete with default op‐
594 tions, and you can pass in more options via the COMMAND. But, sometimes
595 an operator may want to run something else inside the container, so you
596 can override the default ENTRYPOINT at runtime by using a --entrypoint
597 and a string to specify the new ENTRYPOINT.
598
599
600 You need to specify multi option commands in the form of a json string.
601
602
603 --env, -e=env
604 Set environment variables.
605
606
607 This option allows arbitrary environment variables that are available
608 for the process to be launched inside of the container. If an environ‐
609 ment variable is specified without a value, Podman will check the host
610 environment for a value and set the variable only if it is set on the
611 host. As a special case, if an environment variable ending in * is
612 specified without a value, Podman will search the host environment for
613 variables starting with the prefix and will add those variables to the
614 container.
615
616
617 See Environment ⟨#environment⟩ note below for precedence and examples.
618
619
620 --env-file=file
621 Read in a line-delimited file of environment variables.
622
623
624 See Environment ⟨#environment⟩ note below for precedence and examples.
625
626
627 --env-host
628 Use host environment inside of the container. See Environment note be‐
629 low for precedence. (This option is not available with the remote Pod‐
630 man client, including Mac and Windows (excluding WSL2) machines)
631
632
633 --env-merge=env
634 Preprocess default environment variables for the containers. For exam‐
635 ple if image contains environment variable hello=world user can prepro‐
636 cess it using --env-merge hello=${hello}-some so new value will be
637 hello=world-some.
638
639
640 --expose=port
641 Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up
642 port redirection on the host system.
643
644
645 --gidmap=container_gid:host_gid:amount
646 Run the container in a new user namespace using the supplied GID map‐
647 ping. This option conflicts with the --userns and --subgidname options.
648 This option provides a way to map host GIDs to container GIDs in the
649 same way as --uidmap maps host UIDs to container UIDs. For details see
650 --uidmap.
651
652
653 Note: the --gidmap flag cannot be called in conjunction with the --pod
654 flag as a gidmap cannot be set on the container level when in a pod.
655
656
657 --group-add=group | keep-groups
658 Assign additional groups to the primary user running within the con‐
659 tainer process.
660
661
662 • keep-groups is a special flag that tells Podman to keep the
663 supplementary group access.
664
665
666
667 Allows container to use the user's supplementary group access. If file
668 systems or devices are only accessible by the rootless user's group,
669 this flag tells the OCI runtime to pass the group access into the con‐
670 tainer. Currently only available with the crun OCI runtime. Note: keep-
671 groups is exclusive, you cannot add any other groups with this flag.
672 (Not available for remote commands, including Mac and Windows (exclud‐
673 ing WSL2) machines)
674
675
676 --health-cmd="command" | '["command", arg1 , ...]'
677 Set or alter a healthcheck command for a container. The command is a
678 command to be executed inside your container that determines your con‐
679 tainer health. The command is required for other healthcheck options to
680 be applied. A value of none disables existing healthchecks.
681
682
683 Multiple options can be passed in the form of a JSON array; otherwise,
684 the command will be interpreted as an argument to /bin/sh -c.
685
686
687 --health-interval=interval
688 Set an interval for the healthchecks. An interval of disable results in
689 no automatic timer setup. The default is 30s.
690
691
692 --health-on-failure=action
693 Action to take once the container transitions to an unhealthy state.
694 The default is none.
695
696
697 • none: Take no action.
698
699 • kill: Kill the container.
700
701 • restart: Restart the container. Do not combine the restart
702 action with the --restart flag. When running inside of a sys‐
703 temd unit, consider using the kill or stop action instead to
704 make use of systemd's restart policy.
705
706 • stop: Stop the container.
707
708
709
710 --health-retries=retries
711 The number of retries allowed before a healthcheck is considered to be
712 unhealthy. The default value is 3.
713
714
715 --health-start-period=period
716 The initialization time needed for a container to bootstrap. The value
717 can be expressed in time format like 2m3s. The default value is 0s.
718
719
720 --health-timeout=timeout
721 The maximum time allowed to complete the healthcheck before an interval
722 is considered failed. Like start-period, the value can be expressed in
723 a time format such as 1m22s. The default value is 30s.
724
725
726 --help
727 Print usage statement
728
729
730 --hostname, -h=name
731 Container host name
732
733
734 Sets the container host name that is available inside the container.
735 Can only be used with a private UTS namespace --uts=private (default).
736 If --pod is specified and the pod shares the UTS namespace (default)
737 the pod's hostname will be used.
738
739
740 --hostuser=name
741 Add a user account to /etc/passwd from the host to the container. The
742 Username or UID must exist on the host system.
743
744
745 --http-proxy
746 By default proxy environment variables are passed into the container if
747 set for the Podman process. This can be disabled by setting the value
748 to false. The environment variables passed in include http_proxy,
749 https_proxy, ftp_proxy, no_proxy, and also the upper case versions of
750 those. This option is only needed when the host system must use a proxy
751 but the container should not use any proxy. Proxy environment variables
752 specified for the container in any other way will override the values
753 that would have been passed through from the host. (Other ways to spec‐
754 ify the proxy for the container include passing the values with the
755 --env flag, or hard coding the proxy environment at container build
756 time.) (This option is not available with the remote Podman client,
757 including Mac and Windows (excluding WSL2) machines)
758
759
760 Defaults to true.
761
762
763 --image-volume=bind | tmpfs | ignore
764 Tells Podman how to handle the builtin image volumes. Default is bind.
765
766
767 • bind: An anonymous named volume will be created and mounted
768 into the container.
769
770 • tmpfs: The volume is mounted onto the container as a tmpfs,
771 which allows the users to create content that disappears when
772 the container is stopped.
773
774 • ignore: All volumes are just ignored and no action is taken.
775
776
777
778 --init
779 Run an init inside the container that forwards signals and reaps pro‐
780 cesses. The container-init binary is mounted at /run/podman-init.
781 Mounting over /run will hence break container execution.
782
783
784 --init-path=path
785 Path to the container-init binary.
786
787
788 --interactive, -i
789 When set to true, keep stdin open even if not attached. The default is
790 false.
791
792
793 --ip=ipv4
794 Specify a static IPv4 address for the container, for example
795 10.88.64.128. This option can only be used if the container is joined
796 to only a single network - i.e., --network=network-name is used at most
797 once - and if the container is not joining another container's network
798 namespace via --network=container:id. The address must be within the
799 network's IP address pool (default 10.88.0.0/16).
800
801
802 To specify multiple static IP addresses per container, set multiple
803 networks using the --network option with a static IP address specified
804 for each using the ip mode for that option.
805
806
807 --ip6=ipv6
808 Specify a static IPv6 address for the container, for example
809 fd46:db93:aa76:ac37::10. This option can only be used if the container
810 is joined to only a single network - i.e., --network=network-name is
811 used at most once - and if the container is not joining another con‐
812 tainer's network namespace via --network=container:id. The address
813 must be within the network's IPv6 address pool.
814
815
816 To specify multiple static IPv6 addresses per container, set multiple
817 networks using the --network option with a static IPv6 address speci‐
818 fied for each using the ip6 mode for that option.
819
820
821 --ipc=ipc
822 Set the IPC namespace mode for a container. The default is to create a
823 private IPC namespace.
824
825
826 • "": Use Podman's default, defined in containers.conf.
827
828 • container:id: reuses another container's shared memory, sema‐
829 phores, and message queues
830
831 • host: use the host's shared memory, semaphores, and message
832 queues inside the container. Note: the host mode gives the
833 container full access to local shared memory and is therefore
834 considered insecure.
835
836 • none: private IPC namespace, with /dev/shm not mounted.
837
838 • ns:path: path to an IPC namespace to join.
839
840 • private: private IPC namespace. = shareable: private IPC
841 namespace with a possibility to share it with other contain‐
842 ers.
843
844
845
846 --label, -l=key=value
847 Add metadata to a container.
848
849
850 --label-file=file
851 Read in a line-delimited file of labels.
852
853
854 --link-local-ip=ip
855 Not implemented.
856
857
858 --log-driver=driver
859 Logging driver for the container. Currently available options are k8s-
860 file, journald, none and passthrough, with json-file aliased to k8s-
861 file for scripting compatibility. (Default journald).
862
863
864 The podman info command below will display the default log-driver for
865 the system.
866
867
868 $ podman info --format '{{ .Host.LogDriver }}'
869 journald
870
871
872
873 The passthrough driver passes down the standard streams (stdin, stdout,
874 stderr) to the container. It is not allowed with the remote Podman
875 client, including Mac and Windows (excluding WSL2) machines, and on a
876 tty, since it is vulnerable to attacks via TIOCSTI.
877
878
879 --log-opt=name=value
880 Logging driver specific options.
881
882
883 Set custom logging configuration. The following *name*s are supported:
884
885
886 path: specify a path to the log file
887 (e.g. --log-opt path=/var/log/container/mycontainer.json);
888
889
890 max-size: specify a max size of the log file
891 (e.g. --log-opt max-size=10mb);
892
893
894 tag: specify a custom log tag for the container
895 (e.g. --log-opt tag="{{.ImageName}}". It supports the same keys as
896 podman inspect --format. This option is currently supported only by
897 the journald log driver.
898
899
900 --mac-address=address
901 Container network interface MAC address (e.g. 92:d0:c6:0a:29:33) This
902 option can only be used if the container is joined to only a single
903 network - i.e., --network=network-name is used at most once - and if
904 the container is not joining another container's network namespace via
905 --network=container:id.
906
907
908 Remember that the MAC address in an Ethernet network must be unique.
909 The IPv6 link-local address will be based on the device's MAC address
910 according to RFC4862.
911
912
913 To specify multiple static MAC addresses per container, set multiple
914 networks using the --network option with a static MAC address specified
915 for each using the mac mode for that option.
916
917
918 --memory, -m=number[unit]
919 Memory limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or
920 g (gibibytes).
921
922
923 Allows the memory available to a container to be constrained. If the
924 host supports swap memory, then the -m memory setting can be larger
925 than physical RAM. If a limit of 0 is specified (not using -m), the
926 container's memory is not limited. The actual limit may be rounded up
927 to a multiple of the operating system's page size (the value would be
928 very large, that's millions of trillions).
929
930
931 This option is not supported on cgroups V1 rootless systems.
932
933
934 --memory-reservation=number[unit]
935 Memory soft limit. A unit can be b (bytes), k (kibibytes), m
936 (mebibytes), or g (gibibytes).
937
938
939 After setting memory reservation, when the system detects memory con‐
940 tention or low memory, containers are forced to restrict their consump‐
941 tion to their reservation. So you should always set the value below
942 --memory, otherwise the hard limit will take precedence. By default,
943 memory reservation will be the same as memory limit.
944
945
946 This option is not supported on cgroups V1 rootless systems.
947
948
949 --memory-swap=number[unit]
950 A limit value equal to memory plus swap. A unit can be b (bytes), k
951 (kibibytes), m (mebibytes), or g (gibibytes).
952
953
954 Must be used with the -m (--memory) flag. The argument value should
955 always be larger than that of
956 -m (--memory) By default, it is set to double the value of --memory.
957
958
959 Set number to -1 to enable unlimited swap.
960
961
962 This option is not supported on cgroups V1 rootless systems.
963
964
965 --memory-swappiness=number
966 Tune a container's memory swappiness behavior. Accepts an integer be‐
967 tween 0 and 100.
968
969
970 This flag is only supported on cgroups V1 rootful systems.
971
972
973 --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
974 Attach a filesystem mount to the container
975
976
977 Current supported mount TYPEs are bind, volume, image, tmpfs and de‐
978 vpts. [1] ⟨#Footnote1⟩
979
980
981 e.g.
982
983 type=bind,source=/path/on/host,destination=/path/in/container
984
985 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
986
987 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true
988
989 type=volume,source=vol1,destination=/path/in/container,ro=true
990
991 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
992
993 type=image,source=fedora,destination=/fedora-image,rw=true
994
995 type=devpts,destination=/dev/pts
996
997 Common Options:
998
999 · src, source: mount source spec for bind and volume. Mandatory for bind.
1000
1001 · dst, destination, target: mount destination spec.
1002
1003 Options specific to volume:
1004
1005 · ro, readonly: true or false (default).
1006
1007 . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1008
1009 · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container.
1010
1011 Options specific to image:
1012
1013 · rw, readwrite: true or false (default).
1014
1015 Options specific to bind:
1016
1017 · ro, readonly: true or false (default).
1018
1019 · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2).
1020
1021 . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive.
1022
1023 . relabel: shared, private.
1024
1025 · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container.
1026
1027 . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1028
1029 Options specific to tmpfs:
1030
1031 · ro, readonly: true or false (default).
1032
1033 · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
1034
1035 · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
1036
1037 · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
1038
1039 · notmpcopyup: Disable copying files from the image to the tmpfs.
1040
1041 . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1042
1043 Options specific to devpts:
1044
1045 · uid: UID of the file owner (default 0).
1046
1047 · gid: GID of the file owner (default 0).
1048
1049 · mode: permission mask for the file (default 600).
1050
1051 · max: maximum number of PTYs (default 1048576).
1052
1053
1054
1055 --name=name
1056 Assign a name to the container.
1057
1058
1059 The operator can identify a container in three ways:
1060
1061
1062 • UUID long identifier
1063 (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
1064
1065 • UUID short identifier (“f78375b1c487”);
1066
1067 • Name (“jonah”).
1068
1069
1070
1071 Podman generates a UUID for each container, and if a name is not as‐
1072 signed to the container with --name then it will generate a random
1073 string name. The name is useful any place you need to identify a con‐
1074 tainer. This works for both background and foreground containers.
1075
1076
1077 --network=mode, --net
1078 Set the network mode for the container.
1079
1080
1081 Valid mode values are:
1082
1083
1084 • bridge[:OPTIONS,...]: Create a network stack on the default
1085 bridge. This is the default for rootful containers. It is pos‐
1086 sible to specify these additional options:
1087
1088 • alias=name: Add network-scoped alias for the container.
1089
1090 • ip=IPv4: Specify a static ipv4 address for this container.
1091
1092 • ip=IPv6: Specify a static ipv6 address for this container.
1093
1094 • mac=MAC: Specify a static mac address for this container.
1095
1096 • interface_name: Specify a name for the created network in‐
1097 terface inside the container.
1098
1099
1100
1101
1102
1103 For example to set a static ipv4 address and a static mac address, use
1104 --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99. - <network name
1105 or ID>[:OPTIONS,...]: Connect to a user-defined network; this is the
1106 network name or ID from a network created by podman network create. Us‐
1107 ing the network name implies the bridge network mode. It is possible to
1108 specify the same options described under the bridge mode above. You can
1109 use the --network option multiple times to specify additional networks.
1110 - none: Create a network namespace for the container but do not config‐
1111 ure network interfaces for it, thus the container has no network con‐
1112 nectivity. - container:id: Reuse another container's network stack. -
1113 host: Do not create a network namespace, the container will use the
1114 host's network. Note: The host mode gives the container full access to
1115 local system services such as D-bus and is therefore considered inse‐
1116 cure. - ns:path: Path to a network namespace to join. - private: Cre‐
1117 ate a new namespace for the container. This will use the bridge mode
1118 for rootful containers and slirp4netns for rootless ones. -
1119 slirp4netns[:OPTIONS,...]: use slirp4netns(1) to create a user network
1120 stack. This is the default for rootless containers. It is possible to
1121 specify these additional options, they can also be set with net‐
1122 work_cmd_options in containers.conf:
1123 - allow_host_loopback=true|false: Allow slirp4netns to reach the host
1124 loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr
1125 subnet when changed, see the cidr option below). The default is false.
1126 - mtu=MTU: Specify the MTU to use for this network. (Default is
1127 65520).
1128 - cidr=CIDR: Specify ip range to use for this network. (Default is
1129 10.0.2.0/24).
1130 - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for
1131 outbound_addr6).
1132 - outbound_addr=INTERFACE: Specify the outbound interface slirp
1133 should bind to (ipv4 traffic only).
1134 - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should
1135 bind to.
1136 - outbound_addr6=INTERFACE: Specify the outbound interface slirp
1137 should bind to (ipv6 traffic only).
1138 - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should
1139 bind to.
1140 - port_handler=rootlesskit: Use rootlesskit for port forwarding. De‐
1141 fault.
1142 Note: Rootlesskit changes the source IP address of incoming packets
1143 to an IP address in the container network namespace, usually
1144 10.0.2.100. If your application requires the real source IP address,
1145 e.g. web server logs, use the slirp4netns port handler. The rootlesskit
1146 port handler is also used for rootless containers when connected to
1147 user-defined networks.
1148 - port_handler=slirp4netns: Use the slirp4netns port forwarding, it
1149 is slower than rootlesskit but preserves the correct source IP address.
1150 This port handler cannot be used for user-defined networks.
1151
1152
1153 Invalid if using --dns, --dns-option, or --dns-search with --network
1154 set to none or container:id.
1155
1156
1157 If used together with --pod, the container will not join the pod's net‐
1158 work namespace.
1159
1160
1161 --network-alias=alias
1162 Add a network-scoped alias for the container, setting the alias for all
1163 networks that the container joins. To set a name only for a specific
1164 network, use the alias option as described under the --network option.
1165 If the network has DNS enabled (podman network inspect -f {{.DNSEn‐
1166 abled}} <name>), these aliases can be used for name resolution on the
1167 given network. This option can be specified multiple times. NOTE: When
1168 using CNI a container will only have access to aliases on the first
1169 network that it joins. This limitation does not exist with ne‐
1170 tavark/aardvark-dns.
1171
1172
1173 --no-healthcheck
1174 Disable any defined healthchecks for container.
1175
1176
1177 --no-hosts
1178 Do not create /etc/hosts for the container. By default, Podman will
1179 manage /etc/hosts, adding the container's own IP address and any hosts
1180 from --add-host. --no-hosts disables this, and the image's /etc/hosts
1181 will be preserved unmodified.
1182
1183
1184 This option conflicts with --add-host.
1185
1186
1187 --oom-kill-disable
1188 Whether to disable OOM Killer for the container or not.
1189
1190
1191 This flag is not supported on cgroups V2 systems.
1192
1193
1194 --oom-score-adj=num
1195 Tune the host's OOM preferences for containers (accepts values from
1196 -1000 to 1000).
1197
1198
1199 --os=OS
1200 Override the OS, defaults to hosts, of the image to be pulled. For ex‐
1201 ample, windows. Unless overridden, subsequent lookups of the same im‐
1202 age in the local storage will match this OS, regardless of the host.
1203
1204
1205 --passwd
1206 Allow Podman to add entries to /etc/passwd and /etc/group when used in
1207 conjunction with the --user option. This is used to override the Pod‐
1208 man provided user setup in favor of entrypoint configurations such as
1209 libnss-extrausers.
1210
1211
1212 --passwd-entry=ENTRY
1213 Customize the entry that is written to the /etc/passwd file within the
1214 container when --passwd is used.
1215
1216
1217 The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically re‐
1218 placed with their value at runtime.
1219
1220
1221 --personality=persona
1222 Personality sets the execution domain via Linux personality(2).
1223
1224
1225 --pid=mode
1226 Set the PID namespace mode for the container. The default is to create
1227 a private PID namespace for the container.
1228
1229
1230 • container:id: join another container's PID namespace;
1231
1232 • host: use the host's PID namespace for the container. Note the
1233 host mode gives the container full access to local PID and is
1234 therefore considered insecure;
1235
1236 • ns:path: join the specified PID namespace;
1237
1238 • private: create a new namespace for the container (default).
1239
1240
1241
1242 --pidfile=path
1243 When the pidfile location is specified, the container process' PID will
1244 be written to the pidfile. (This option is not available with the re‐
1245 mote Podman client, including Mac and Windows (excluding WSL2) ma‐
1246 chines) If the pidfile option is not specified, the container process'
1247 PID will be written to /run/containers/storage/${storage-driver}-con‐
1248 tainers/$CID/userdata/pidfile.
1249
1250
1251 After the container is started, the location for the pidfile can be
1252 discovered with the following podman inspect command:
1253
1254
1255 $ podman inspect --format '{{ .PidFile }}' $CID
1256 /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile
1257
1258
1259
1260 --pids-limit=limit
1261 Tune the container's pids limit. Set to -1 to have unlimited pids for
1262 the container. The default is 4096 on systems that support "pids"
1263 cgroup controller.
1264
1265
1266 --platform=OS/ARCH
1267 Specify the platform for selecting the image. (Conflicts with --arch
1268 and --os) The --platform option can be used to override the current ar‐
1269 chitecture and operating system. Unless overridden, subsequent lookups
1270 of the same image in the local storage will match this platform, re‐
1271 gardless of the host.
1272
1273
1274 --pod=name
1275 Run container in an existing pod. If you want Podman to make the pod
1276 for you, prefix the pod name with new:. To make a pod with more granu‐
1277 lar options, use the podman pod create command before creating a con‐
1278 tainer. If a container is run with a pod, and the pod has an infra-
1279 container, the infra-container will be started before the container is.
1280
1281
1282 --pod-id-file=file
1283 Run container in an existing pod and read the pod's ID from the speci‐
1284 fied file. If a container is run within a pod, and the pod has an in‐
1285 fra-container, the infra-container will be started before the container
1286 is.
1287
1288
1289 --preserve-fds=N
1290 Pass down to the process N additional file descriptors (in addition to
1291 0, 1, 2). The total FDs will be 3+N. (This option is not available
1292 with the remote Podman client, including Mac and Windows (excluding
1293 WSL2) machines)
1294
1295
1296 --privileged
1297 Give extended privileges to this container. The default is false.
1298
1299
1300 By default, Podman containers are unprivileged (=false) and cannot, for
1301 example, modify parts of the operating system. This is because by de‐
1302 fault a container is only allowed limited access to devices. A "privi‐
1303 leged" container is given the same access to devices as the user
1304 launching the container.
1305
1306
1307 A privileged container turns off the security features that isolate the
1308 container from the host. Dropped Capabilities, limited devices, read-
1309 only mount points, Apparmor/SELinux separation, and Seccomp filters are
1310 all disabled.
1311
1312
1313 Rootless containers cannot have more privileges than the account that
1314 launched them.
1315
1316
1317 --publish, -p=[[ip:][hostPort]:]containerPort[/protocol]
1318 Publish a container's port, or range of ports, to the host.
1319
1320
1321 Both hostPort and containerPort can be specified as a range of ports.
1322 When specifying ranges for both, the number of container ports in the
1323 range must match the number of host ports in the range.
1324
1325
1326 If host IP is set to 0.0.0.0 or not set at all, the port will be bound
1327 on all IPs on the host.
1328
1329
1330 By default, Podman will publish TCP ports. To publish a UDP port in‐
1331 stead, give udp as protocol. To publish both TCP and UDP ports, set
1332 --publish twice, with tcp, and udp as protocols respectively. Rootful
1333 containers can also publish ports using the sctp protocol.
1334
1335
1336 Host port does not have to be specified (e.g. podman run -p
1337 127.0.0.1::80). If it is not, the container port will be randomly as‐
1338 signed a port on the host.
1339
1340
1341 Use podman port to see the actual mapping: podman port $CONTAINER $CON‐
1342 TAINERPORT.
1343
1344
1345 Note: If a container will be run within a pod, it is not necessary to
1346 publish the port for the containers in the pod. The port must only be
1347 published by the pod itself. Pod network stacks act like the network
1348 stack on the host - you have a variety of containers in the pod, and
1349 programs in the container, all sharing a single interface and IP ad‐
1350 dress, and associated ports. If one container binds to a port, no other
1351 container can use that port within the pod while it is in use. Contain‐
1352 ers in the pod can also communicate over localhost by having one con‐
1353 tainer bind to localhost in the pod, and another connect to that port.
1354
1355
1356 --publish-all, -P
1357 Publish all exposed ports to random ports on the host interfaces. The
1358 default is false.
1359
1360
1361 When set to true, publish all exposed ports to the host interfaces. If
1362 the operator uses -P (or -p) then Podman will make the exposed port ac‐
1363 cessible on the host and the ports will be available to any client that
1364 can reach the host.
1365
1366
1367 When using this option, Podman will bind any exposed port to a random
1368 port on the host within an ephemeral port range defined by
1369 /proc/sys/net/ipv4/ip_local_port_range. To find the mapping between
1370 the host ports and the exposed ports, use podman port.
1371
1372
1373 --pull=policy
1374 Pull image policy. The default is missing.
1375
1376
1377 • always: Always pull the image and throw an error if the pull
1378 fails.
1379
1380 • missing: Pull the image only if it could not be found in the
1381 local containers storage. Throw an error if no image could be
1382 found and the pull fails.
1383
1384 • never: Never pull the image but use the one from the local
1385 containers storage. Throw an error if no image could be
1386 found.
1387
1388 • newer: Pull if the image on the registry is newer than the one
1389 in the local containers storage. An image is considered to be
1390 newer when the digests are different. Comparing the time
1391 stamps is prone to errors. Pull errors are suppressed if a
1392 local image was found.
1393
1394
1395
1396 --quiet, -q
1397 Suppress output information when pulling images
1398
1399
1400 --read-only
1401 Mount the container's root filesystem as read-only.
1402
1403
1404 By default a container will have its root filesystem writable allowing
1405 processes to write files anywhere. By specifying the --read-only flag,
1406 the container will have its root filesystem mounted as read-only pro‐
1407 hibiting any writes.
1408
1409
1410 --read-only-tmpfs
1411 If container is running in --read-only mode, then mount a read-write
1412 tmpfs on /run, /tmp, and /var/tmp. The default is true.
1413
1414
1415 --replace
1416 If another container with the same name already exists, replace and re‐
1417 move it. The default is false.
1418
1419
1420 --requires=container
1421 Specify one or more requirements. A requirement is a dependency con‐
1422 tainer that will be started before this container. Containers can be
1423 specified by name or ID, with multiple containers being separated by
1424 commas.
1425
1426
1427 --restart=policy
1428 Restart policy to follow when containers exit. Restart policy will not
1429 take effect if a container is stopped via the podman kill or podman
1430 stop commands.
1431
1432
1433 Valid policy values are:
1434
1435
1436 • no : Do not restart containers on exit
1437
1438 • on-failure[:max_retries] : Restart containers when they exit
1439 with a non-zero exit code, retrying indefinitely or until the
1440 optional max_retries count is hit
1441
1442 • always : Restart containers when they exit,
1443 regardless of status, retrying indefinitely
1444
1445 • unless-stopped : Identical to always
1446
1447
1448
1449 Please note that restart will not restart containers after a system re‐
1450 boot. If this functionality is required in your environment, you can
1451 invoke Podman from a systemd.unit(5) file, or create an init script for
1452 whichever init system is in use. To generate systemd unit files,
1453 please see podman generate systemd.
1454
1455
1456 --rm
1457 Automatically remove the container when it exits. The default is false.
1458
1459
1460 --rmi
1461 After exit of the container, remove the image unless another container
1462 is using it. The default is false.
1463
1464
1465 --rootfs
1466 If specified, the first argument refers to an exploded container on the
1467 file system.
1468
1469
1470 This is useful to run a container without requiring any image manage‐
1471 ment, the rootfs of the container is assumed to be managed externally.
1472
1473
1474 Overlay Rootfs Mounts
1475
1476
1477 The :O flag tells Podman to mount the directory from the rootfs path as
1478 storage using the overlay file system. The container processes can mod‐
1479 ify content within the mount point which is stored in the container
1480 storage in a separate directory. In overlay terms, the source directory
1481 will be the lower, and the container storage directory will be the up‐
1482 per. Modifications to the mount point are destroyed when the container
1483 finishes executing, similar to a tmpfs mount point being unmounted.
1484
1485
1486 Note: On SELinux systems, the rootfs needs the correct label, which is
1487 by default unconfined_u:object_r:container_file_t:s0.
1488
1489
1490 --sdnotify=container | conmon | ignore
1491 Determines how to use the NOTIFY_SOCKET, as passed with systemd and
1492 Type=notify.
1493
1494
1495 Default is container, which means allow the OCI runtime to proxy the
1496 socket into the container to receive ready notification. Podman will
1497 set the MAINPID to conmon's pid. The conmon option sets MAINPID to
1498 conmon's pid, and sends READY when the container has started. The
1499 socket is never passed to the runtime or the container. The ignore op‐
1500 tion removes NOTIFY_SOCKET from the environment for itself and child
1501 processes, for the case where some other process above Podman uses NO‐
1502 TIFY_SOCKET and Podman should not use it.
1503
1504
1505 --seccomp-policy=policy
1506 Specify the policy to select the seccomp profile. If set to image, Pod‐
1507 man will look for a "io.containers.seccomp.profile" label in the con‐
1508 tainer-image config and use its value as a seccomp profile. Otherwise,
1509 Podman will follow the default policy by applying the default profile
1510 unless specified otherwise via --security-opt seccomp as described be‐
1511 low.
1512
1513
1514 Note that this feature is experimental and may change in the future.
1515
1516
1517 --secret=secret[,opt=opt ...]
1518 Give the container access to a secret. Can be specified multiple times.
1519
1520
1521 A secret is a blob of sensitive data which a container needs at runtime
1522 but should not be stored in the image or in source control, such as
1523 usernames and passwords, TLS certificates and keys, SSH keys or other
1524 important generic strings or binary content (up to 500 kb in size).
1525
1526
1527 When secrets are specified as type mount, the secrets are copied and
1528 mounted into the container when a container is created. When secrets
1529 are specified as type env, the secret will be set as an environment
1530 variable within the container. Secrets are written in the container at
1531 the time of container creation, and modifying the secret using podman
1532 secret commands after the container is created will not affect the se‐
1533 cret inside the container.
1534
1535
1536 Secrets and its storage are managed using the podman secret command.
1537
1538
1539 Secret Options
1540
1541
1542 • type=mount|env : How the secret will be exposed to the con‐
1543 tainer. Default mount.
1544
1545 • target=target : Target of secret. Defaults to secret name.
1546
1547 • uid=0 : UID of secret. Defaults to 0. Mount secret
1548 type only.
1549
1550 • gid=0 : GID of secret. Defaults to 0. Mount secret
1551 type only.
1552
1553 • mode=0 : Mode of secret. Defaults to 0444. Mount
1554 secret type only.
1555
1556
1557
1558 --security-opt=option
1559 Security Options
1560
1561
1562 • apparmor=unconfined : Turn off apparmor confinement for the
1563 container
1564
1565 • apparmor=your-profile : Set the apparmor confinement profile
1566 for the container
1567
1568 • label=user:USER: Set the label user for the container pro‐
1569 cesses
1570
1571 • label=role:ROLE: Set the label role for the container pro‐
1572 cesses
1573
1574 • label=type:TYPE: Set the label process type for the container
1575 processes
1576
1577 • label=level:LEVEL: Set the label level for the container pro‐
1578 cesses
1579
1580 • label=filetype:TYPE_: Set the label file type for the con‐
1581 tainer files
1582
1583 • label=disable: Turn off label separation for the container
1584
1585
1586
1587 Note: Labeling can be disabled for all containers by setting la‐
1588 bel=false in the containers.conf (/etc/containers/containers.conf or
1589 $HOME/.config/containers/containers.conf) file.
1590
1591
1592 • mask=/path/1:/path/2: The paths to mask separated by a colon.
1593 A masked path cannot be accessed inside the container.
1594
1595 • no-new-privileges: Disable container processes from gaining
1596 additional privileges
1597
1598 • seccomp=unconfined: Turn off seccomp confinement for the con‐
1599 tainer.
1600
1601 • seccomp=profile.json: JSON file to be used as a seccomp fil‐
1602 ter. Note that the io.podman.annotations.seccomp annotation is
1603 set with the specified value as shown in podman inspect.
1604
1605 • proc-opts=OPTIONS : Comma-separated list of options to use for
1606 the /proc mount. More details for the possible mount options
1607 are specified in the proc(5) man page.
1608
1609 • unmask=ALL or /path/1:/path/2, or shell expanded paths
1610 (/proc/*): Paths to unmask separated by a colon. If set to
1611 ALL, it will unmask all the paths that are masked or made
1612 read-only by default. The default masked paths are
1613 /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats,
1614 /proc/sched_debug, /proc/scsi, /proc/timer_list,
1615 /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.. The
1616 default paths that are read-only are /proc/asound, /proc/bus,
1617 /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger,
1618 /sys/fs/cgroup.
1619
1620
1621
1622 Note: Labeling can be disabled for all containers by setting la‐
1623 bel=false in the containers.conf(5) file.
1624
1625
1626 --shm-size=number[unit]
1627 Size of /dev/shm. A unit can be b (bytes), k (kibibytes), m
1628 (mebibytes), or g (gibibytes). If the unit is omitted, the system uses
1629 bytes. If the size is omitted, the default is 64m. When size is 0,
1630 there is no limit on the amount of memory used for IPC by the con‐
1631 tainer. This option conflicts with --ipc=host.
1632
1633
1634 --sig-proxy
1635 Proxy received signals to the container process (non-TTY mode only).
1636 SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
1637
1638
1639 The default is true.
1640
1641
1642 --stop-signal=signal
1643 Signal to stop a container. Default is SIGTERM.
1644
1645
1646 --stop-timeout=seconds
1647 Timeout to stop a container. Default is 10. Remote connections use lo‐
1648 cal containers.conf for defaults
1649
1650
1651 --subgidname=name
1652 Run the container in a new user namespace using the map with name in
1653 the /etc/subgid file. If running rootless, the user needs to have the
1654 right to use the mapping. See subgid(5). This flag conflicts with
1655 --userns and --gidmap.
1656
1657
1658 --subuidname=name
1659 Run the container in a new user namespace using the map with name in
1660 the /etc/subuid file. If running rootless, the user needs to have the
1661 right to use the mapping. See subuid(5). This flag conflicts with
1662 --userns and --uidmap.
1663
1664
1665 --sysctl=name=value
1666 Configure namespaced kernel parameters at runtime.
1667
1668
1669 For the IPC namespace, the following sysctls are allowed:
1670
1671
1672 • kernel.msgmax
1673
1674 • kernel.msgmnb
1675
1676 • kernel.msgmni
1677
1678 • kernel.sem
1679
1680 • kernel.shmall
1681
1682 • kernel.shmmax
1683
1684 • kernel.shmmni
1685
1686 • kernel.shm_rmid_forced
1687
1688 • Sysctls beginning with fs.mqueue.*
1689
1690
1691
1692 Note: if you use the --ipc=host option, the above sysctls are not al‐
1693 lowed.
1694
1695
1696 For the network namespace, only sysctls beginning with net.* are al‐
1697 lowed.
1698
1699
1700 Note: if you use the --network=host option, the above sysctls are not
1701 allowed.
1702
1703
1704 --systemd=true | false | always
1705 Run container in systemd mode. The default is true.
1706
1707
1708 The value always enforces the systemd mode is enforced without looking
1709 at the executable name. Otherwise, if set to true and the command you
1710 are running inside the container is systemd, /usr/sbin/init, /sbin/init
1711 or /usr/local/sbin/init.
1712
1713
1714 Running the container in systemd mode causes the following changes:
1715
1716
1717 • Podman mounts tmpfs file systems on the following directories
1718
1719 • /run
1720
1721 • /run/lock
1722
1723 • /tmp
1724
1725 • /sys/fs/cgroup/systemd
1726
1727 • /var/lib/journal
1728
1729
1730
1731 • Podman sets the default stop signal to SIGRTMIN+3.
1732
1733 • Podman sets container_uuid environment variable in the con‐
1734 tainer to the first 32 characters of the container id.
1735
1736
1737
1738 This allows systemd to run in a confined container without any modifi‐
1739 cations.
1740
1741
1742 Note that on SELinux systems, systemd attempts to write to the cgroup
1743 file system. Containers writing to the cgroup file system are denied by
1744 default. The container_manage_cgroup boolean must be enabled for this
1745 to be allowed on an SELinux separated system.
1746
1747
1748 setsebool -P container_manage_cgroup true
1749
1750
1751
1752 --timeout=seconds
1753 Maximum time a container is allowed to run before conmon sends it the
1754 kill signal. By default containers will run until they exit or are
1755 stopped by podman stop.
1756
1757
1758 --tls-verify
1759 Require HTTPS and verify certificates when contacting registries (de‐
1760 fault: true). If explicitly set to true, TLS verification will be
1761 used. If set to false, TLS verification will not be used. If not
1762 specified, TLS verification will be used unless the target registry is
1763 listed as an insecure registry in containers-registries.conf(5)
1764
1765
1766 --tmpfs=fs
1767 Create a tmpfs mount.
1768
1769
1770 Mount a temporary filesystem (tmpfs) mount into a container, for exam‐
1771 ple:
1772
1773
1774 $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
1775
1776
1777
1778 This command mounts a tmpfs at /tmp within the container. The supported
1779 mount options are the same as the Linux default mount flags. If you do
1780 not specify any options, the system uses the following options:
1781 rw,noexec,nosuid,nodev.
1782
1783
1784 --tty, -t
1785 Allocate a pseudo-TTY. The default is false.
1786
1787
1788 When set to true, Podman will allocate a pseudo-tty and attach to the
1789 standard input of the container. This can be used, for example, to run
1790 a throwaway interactive shell.
1791
1792
1793 NOTE: The --tty flag prevents redirection of standard output. It com‐
1794 bines STDOUT and STDERR, it can insert control characters, and it can
1795 hang pipes. This option should only be used when run interactively in a
1796 terminal. When feeding input to Podman, use -i only, not -it.
1797
1798
1799 echo "asdf" | podman run --rm -i someimage /bin/cat
1800
1801
1802
1803 --tz=timezone
1804 Set timezone in container. This flag takes area-based timezones, GMT
1805 time, as well as local, which sets the timezone in the container to
1806 match the host machine. See /usr/share/zoneinfo/ for valid timezones.
1807 Remote connections use local containers.conf for defaults
1808
1809
1810 --uidmap=container_uid:from_uid:amount
1811 Run the container in a new user namespace using the supplied UID map‐
1812 ping. This option conflicts with the --userns and --subuidname options.
1813 This option provides a way to map host UIDs to container UIDs. It can
1814 be passed several times to map different ranges.
1815
1816
1817 The _fromuid value is based upon the user running the command, either
1818 rootful or rootless users. * rootful user: con‐
1819 tainer_uid:host_uid:amount * rootless user: container_uid:intermedi‐
1820 ate_uid:amount
1821
1822
1823 When podman run is called by a privileged user, the option --uidmap
1824 works as a direct mapping between host UIDs and container UIDs.
1825
1826
1827 host UID -> container UID
1828
1829
1830 The amount specifies the number of consecutive UIDs that will be
1831 mapped. If for example amount is 4 the mapping would look like:
1832
1833
1834 | host UID | container UID | | - | -
1835 | | _fromuid | _containeruid | | _fromuid + 1 | _containeruid +
1836 1 | | _fromuid + 2 | _containeruid + 2 | | _fromuid + 3 | _containeruid
1837 + 3 |
1838
1839
1840 When podman run is called by an unprivileged user (i.e. running root‐
1841 less), the value _fromuid is interpreted as an "intermediate UID". In
1842 the rootless case, host UIDs are not mapped directly to container UIDs.
1843 Instead the mapping happens over two mapping steps:
1844
1845
1846 host UID -> intermediate UID -> container UID
1847
1848
1849 The --uidmap option only influences the second mapping step.
1850
1851
1852 The first mapping step is derived by Podman from the contents of the
1853 file /etc/subuid and the UID of the user calling Podman.
1854
1855
1856 First mapping step:
1857
1858
1859 | host UID | intermediate UID |
1860 | - | - |
1861 | UID for the user starting Podman | 0 |
1862 | 1st subordinate UID for the user starting Podman | 1 |
1863 | 2nd subordinate UID for the user starting Podman | 2 |
1864 | 3rd subordinate UID for the user starting Podman | 3 |
1865 | nth subordinate UID for the user starting Podman | n |
1866
1867
1868 To be able to use intermediate UIDs greater than zero, the user needs
1869 to have subordinate UIDs configured in /etc/subuid. See subuid(5).
1870
1871
1872 The second mapping step is configured with --uidmap.
1873
1874
1875 If for example amount is 5 the second mapping step would look like:
1876
1877
1878 | intermediate UID | container UID | | - |
1879 - | | _fromuid | _containeruid | |
1880 _fromuid + 1 | _containeruid + 1 | | _fromuid + 2 | _con‐
1881 taineruid + 2 | | _fromuid + 3 | _containeruid + 3 | | _fromuid +
1882 4 | _containeruid + 4 |
1883
1884
1885 When running as rootless, Podman will use all the ranges configured in
1886 the /etc/subuid file.
1887
1888
1889 The current user ID is mapped to UID=0 in the rootless user namespace.
1890 Every additional range is added sequentially afterward:
1891
1892
1893 | host |rootless user namespace | length
1894 | | - | - | -
1895 | | $UID | 0 | 1
1896 | | 1 | $FIRST_RANGE_ID |
1897 $FIRST_RANGE_LENGTH | | 1+$FIRST_RANGE_LENGTH | $SECOND_RANGE_ID
1898 | $SECOND_RANGE_LENGTH|
1899
1900
1901 Even if a user does not have any subordinate UIDs in /etc/subuid,
1902 --uidmap could still be used to map the normal UID of the user to a
1903 container UID by running podman run --uidmap $container_uid:0:1 --user
1904 $container_uid ....
1905
1906
1907 Note: the --uidmap flag cannot be called in conjunction with the --pod
1908 flag as a uidmap cannot be set on the container level when in a pod.
1909
1910
1911 --ulimit=option
1912 Ulimit options. You can use host to copy the current configuration from
1913 the host.
1914
1915
1916 --umask=umask
1917 Set the umask inside the container. Defaults to 0022. Remote connec‐
1918 tions use local containers.conf for defaults
1919
1920
1921 --unsetenv=env
1922 Unset default environment variables for the container. Default environ‐
1923 ment variables include variables provided natively by Podman, environ‐
1924 ment variables configured by the image, and environment variables from
1925 containers.conf.
1926
1927
1928 --unsetenv-all
1929 Unset all default environment variables for the container. Default en‐
1930 vironment variables include variables provided natively by Podman, en‐
1931 vironment variables configured by the image, and environment variables
1932 from containers.conf.
1933
1934
1935 --user, -u=user[:group]
1936 Sets the username or UID used and, optionally, the groupname or GID for
1937 the specified command. Both user and group may be symbolic or numeric.
1938
1939
1940 Without this argument, the command will run as the user specified in
1941 the container image. Unless overridden by a USER command in the Con‐
1942 tainerfile or by a value passed to this option, this user generally de‐
1943 faults to root.
1944
1945
1946 When a user namespace is not in use, the UID and GID used within the
1947 container and on the host will match. When user namespaces are in use,
1948 however, the UID and GID in the container may correspond to another UID
1949 and GID on the host. In rootless containers, for example, a user name‐
1950 space is always used, and root in the container will by default corre‐
1951 spond to the UID and GID of the user invoking Podman.
1952
1953
1954 --userns=mode
1955 Set the user namespace mode for the container. It defaults to the POD‐
1956 MAN_USERNS environment variable. An empty value ("") means user name‐
1957 spaces are disabled unless an explicit mapping is set with the --uidmap
1958 and --gidmap options.
1959
1960
1961 This option is incompatible with --gidmap, --uidmap, --subuidname and
1962 --subgidname.
1963
1964
1965 Rootless user --userns=Key mappings:
1966
1967
1968 ┌────────┬───────────┬─────────────────────┐
1969 │Key │ Host User │ Container User │
1970 ├────────┼───────────┼─────────────────────┤
1971 │"" │ $UID │ 0 (Default User ac‐ │
1972 │ │ │ count mapped to │
1973 │ │ │ root user in con‐ │
1974 │ │ │ tainer.) │
1975 ├────────┼───────────┼─────────────────────┤
1976 │keep-id │ $UID │ $UID (Map user ac‐ │
1977 │ │ │ count to same UID │
1978 │ │ │ within container.) │
1979 ├────────┼───────────┼─────────────────────┤
1980 │auto │ $UID │ nil (Host User UID │
1981 │ │ │ is not mapped into │
1982 │ │ │ container.) │
1983 ├────────┼───────────┼─────────────────────┤
1984 │nomap │ $UID │ nil (Host User UID │
1985 │ │ │ is not mapped into │
1986 │ │ │ container.) │
1987 └────────┴───────────┴─────────────────────┘
1988
1989 Valid mode values are:
1990
1991
1992 auto[:OPTIONS,...]: automatically create a unique user namespace.
1993
1994
1995 The --userns=auto flag, requires that the user name containers and a
1996 range of subordinate user ids that the Podman container is allowed to
1997 use be specified in the /etc/subuid and /etc/subgid files.
1998
1999
2000 Example: containers:2147483647:2147483648.
2001
2002
2003 Podman allocates unique ranges of UIDs and GIDs from the containers
2004 subordinate user ids. The size of the ranges is based on the number of
2005 UIDs required in the image. The number of UIDs and GIDs can be overrid‐
2006 den with the size option.
2007
2008
2009 The rootless option --userns=keep-id uses all the subuids and subgids
2010 of the user. Using --userns=auto when starting new containers will not
2011 work as long as any containers exist that were started with
2012 --userns=keep-id.
2013
2014
2015 Valid auto options:
2016
2017
2018 • gidmapping=_CONTAINER_GID:HOSTGID:SIZE: to force a GID mapping
2019 to be present in the user namespace.
2020
2021 • size=SIZE: to specify an explicit size for the automatic user
2022 namespace. e.g. --userns=auto:size=8192. If size is not speci‐
2023 fied, auto will estimate a size for the user namespace.
2024
2025 • uidmapping=_CONTAINER_UID:HOSTUID:SIZE: to force a UID mapping
2026 to be present in the user namespace.
2027
2028
2029
2030 container:id: join the user namespace of the specified container.
2031
2032
2033 host: run in the user namespace of the caller. The processes running in
2034 the container will have the same privileges on the host as any other
2035 process launched by the calling user (default).
2036
2037
2038 keep-id: creates a user namespace where the current rootless user's
2039 UID:GID are mapped to the same values in the container. This option is
2040 not allowed for containers created by the root user.
2041
2042
2043 Valid keep-id options:
2044
2045
2046 • uid=UID: override the UID inside the container that will be
2047 used to map the current rootless user to.
2048
2049 • gid=GID: override the GID inside the container that will be
2050 used to map the current rootless user to.
2051
2052
2053
2054 nomap: creates a user namespace where the current rootless user's
2055 UID:GID are not mapped into the container. This option is not allowed
2056 for containers created by the root user.
2057
2058
2059 ns:namespace: run the container in the given existing user namespace.
2060
2061
2062 --uts=mode
2063 Set the UTS namespace mode for the container. The following values are
2064 supported:
2065
2066
2067 • host: use the host's UTS namespace inside the container.
2068
2069 • private: create a new namespace for the container (default).
2070
2071 • ns:[path]: run the container in the given existing UTS name‐
2072 space.
2073
2074 • container:[container]: join the UTS namespace of the specified
2075 container.
2076
2077
2078
2079 --variant=VARIANT
2080 Use VARIANT instead of the default architecture variant of the con‐
2081 tainer image. Some images can use multiple variants of the arm archi‐
2082 tectures, such as arm/v5 and arm/v7.
2083
2084
2085 --volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]
2086 Create a bind mount. If -v /HOST-DIR:/CONTAINER-DIR is specified, Pod‐
2087 man bind mounts /HOST-DIR from the host into /CONTAINER-DIR in the Pod‐
2088 man container. Similarly, -v SOURCE-VOLUME:/CONTAINER-DIR will mount
2089 the named volume from the host into the container. If no such named
2090 volume exists, Podman will create one. If no source is given, the vol‐
2091 ume will be created as an anonymously named volume with a randomly gen‐
2092 erated name, and will be removed when the container is removed via the
2093 --rm flag or the podman rm --volumes command.
2094
2095
2096 (Note when using the remote client, including Mac and Windows (exclud‐
2097 ing WSL2) machines, the volumes will be mounted from the remote server,
2098 not necessarily the client machine.)
2099
2100
2101 The OPTIONS is a comma-separated list and can be: [1] ⟨#Footnote1⟩
2102
2103
2104 • rw|ro
2105
2106 • z|Z
2107
2108 • [O]
2109
2110 • [U]
2111
2112 • [no]copy
2113
2114 • [no]dev
2115
2116 • [no]exec
2117
2118 • [no]suid
2119
2120 • [r]bind
2121
2122 • [r]shared|[r]slave|[r]private[r]unbindable
2123
2124
2125
2126 The CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
2127 ume will be mounted into the container at this directory.
2128
2129
2130 If a volume source is specified, it must be a path on the host or the
2131 name of a named volume. Host paths are allowed to be absolute or rela‐
2132 tive; relative paths are resolved relative to the directory Podman is
2133 run in. If the source does not exist, Podman will return an error.
2134 Users must pre-create the source files or directories.
2135
2136
2137 Any source that does not begin with a . or / will be treated as the
2138 name of a named volume. If a volume with that name does not exist, it
2139 will be created. Volumes created with names are not anonymous, and
2140 they are not removed by the --rm option and the podman rm --volumes
2141 command.
2142
2143
2144 Specify multiple -v options to mount one or more volumes into a con‐
2145 tainer.
2146
2147
2148 Write Protected Volume Mounts
2149
2150
2151 Add :ro or :rw option to mount a volume in read-only or read-write
2152 mode, respectively. By default, the volumes are mounted read-write.
2153 See examples.
2154
2155
2156 Chowning Volume Mounts
2157
2158
2159 By default, Podman does not change the owner and group of source volume
2160 directories mounted into containers. If a container is created in a new
2161 user namespace, the UID and GID in the container may correspond to an‐
2162 other UID and GID on the host.
2163
2164
2165 The :U suffix tells Podman to use the correct host UID and GID based on
2166 the UID and GID within the container, to change recursively the owner
2167 and group of the source volume.
2168
2169
2170 Warning use with caution since this will modify the host filesystem.
2171
2172
2173 Labeling Volume Mounts
2174
2175
2176 Labeling systems like SELinux require that proper labels are placed on
2177 volume content mounted into a container. Without a label, the security
2178 system might prevent the processes running inside the container from
2179 using the content. By default, Podman does not change the labels set by
2180 the OS.
2181
2182
2183 To change a label in the container context, add either of two suffixes
2184 :z or :Z to the volume mount. These suffixes tell Podman to relabel
2185 file objects on the shared volumes. The z option tells Podman that two
2186 containers share the volume content. As a result, Podman labels the
2187 content with a shared content label. Shared volume labels allow all
2188 containers to read/write content. The Z option tells Podman to label
2189 the content with a private unshared label. Only the current container
2190 can use a private volume.
2191
2192
2193 Note: Do not relabel system files and directories. Relabeling system
2194 content might cause other confined services on your machine to fail.
2195 For these types of containers we recommend disabling SELinux separa‐
2196 tion. The option --security-opt label=disable disables SELinux separa‐
2197 tion for the container. For example if a user wanted to volume mount
2198 their entire home directory into a container, they need to disable
2199 SELinux separation.
2200
2201
2202 $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
2203
2204
2205
2206 Overlay Volume Mounts
2207
2208
2209 The :O flag tells Podman to mount the directory from the host as a tem‐
2210 porary storage using the overlay file system. The container processes
2211 can modify content within the mountpoint which is stored in the con‐
2212 tainer storage in a separate directory. In overlay terms, the source
2213 directory will be the lower, and the container storage directory will
2214 be the upper. Modifications to the mount point are destroyed when the
2215 container finishes executing, similar to a tmpfs mount point being un‐
2216 mounted.
2217
2218
2219 For advanced users, the overlay option also supports custom non-
2220 volatile upperdir and workdir for the overlay mount. Custom upperdir
2221 and workdir can be fully managed by the users themselves, and Podman
2222 will not remove it on lifecycle completion. Example :O,up‐
2223 perdir=/some/upper,workdir=/some/work
2224
2225
2226 Subsequent executions of the container will see the original source di‐
2227 rectory content, any changes from previous container executions no
2228 longer exist.
2229
2230
2231 One use case of the overlay mount is sharing the package cache from the
2232 host into the container to allow speeding up builds.
2233
2234
2235 Note:
2236
2237
2238 - The `O` flag conflicts with other options listed above.
2239
2240
2241
2242 Content mounted into the container is labeled with the private label.
2243 On SELinux systems, labels in the source directory must be read‐
2244 able by the container label. Usually containers can read/execute con‐
2245 tainer_share_t and can read/write container_file_t. If unable to change
2246 the labels on a source volume, SELinux container separation must be
2247 disabled for the container to work.
2248 - The source directory mounted into the container with an overlay
2249 mount should not be modified, it can cause unexpected failures. It is
2250 recommended to not modify the directory until the container finishes
2251 running.
2252
2253
2254 Mounts propagation
2255
2256
2257 By default bind mounted volumes are private. That means any mounts done
2258 inside the container will not be visible on host and vice versa. One
2259 can change this behavior by specifying a volume mount propagation prop‐
2260 erty. Making a volume shared mounts done under that volume inside the
2261 container will be visible on host and vice versa. Making a volume slave
2262 enables only one way mount propagation and that is mounts done on host
2263 under that volume will be visible inside container but not the other
2264 way around. [1] ⟨#Footnote1⟩
2265
2266
2267 To control mount propagation property of a volume one can use the
2268 [r]shared, [r]slave, [r]private or the [r]unbindable propagation flag.
2269 Propagation property can be specified only for bind mounted volumes and
2270 not for internal volumes or named volumes. For mount propagation to
2271 work the source mount point (the mount point where source dir is
2272 mounted on) has to have the right propagation properties. For shared
2273 volumes, the source mount point has to be shared. And for slave vol‐
2274 umes, the source mount point has to be either shared or slave. [1]
2275 ⟨#Footnote1⟩
2276
2277
2278 To recursively mount a volume and all of its submounts into a con‐
2279 tainer, use the rbind option. By default the bind option is used, and
2280 submounts of the source directory will not be mounted into the con‐
2281 tainer.
2282
2283
2284 Mounting the volume with the nosuid options means that SUID applica‐
2285 tions on the volume will not be able to change their privilege. By de‐
2286 fault volumes are mounted with nosuid.
2287
2288
2289 Mounting the volume with the noexec option means that no executables on
2290 the volume will be able to be executed within the container.
2291
2292
2293 Mounting the volume with the nodev option means that no devices on the
2294 volume will be able to be used by processes within the container. By
2295 default volumes are mounted with nodev.
2296
2297
2298 If the HOST-DIR is a mount point, then dev, suid, and exec options are
2299 ignored by the kernel.
2300
2301
2302 Use df HOST-DIR to figure out the source mount, then use findmnt -o
2303 TARGET,PROPAGATION source-mount-dir to figure out propagation proper‐
2304 ties of source mount. If findmnt[4m(1) utility is not available, then one
2305 can look at the mount entry for the source mount point in
2306 /proc/self/mountinfo. Look at the "optional fields" and see if any
2307 propagation properties are specified. In there, shared:N means the
2308 mount is shared, master:N means mount is slave, and if nothing is
2309 there, the mount is private. [1] ⟨#Footnote1⟩
2310
2311
2312 To change propagation properties of a mount point, use mount(8) com‐
2313 mand. For example, if one wants to bind mount source directory /foo,
2314 one can do mount --bind /foo /foo and mount --make-private --make-
2315 shared /foo. This will convert /foo into a shared mount point. Alterna‐
2316 tively, one can directly change propagation properties of source mount.
2317 Say / is source mount for /foo, then use mount --make-shared / to con‐
2318 vert / into a shared mount.
2319
2320
2321 Note: if the user only has access rights via a group, accessing the
2322 volume from inside a rootless container will fail.
2323
2324
2325 Use the --group-add keep-groups option to pass the user's supplementary
2326 group access into the container.
2327
2328
2329 --volumes-from=CONTAINER[:OPTIONS]
2330 Mount volumes from the specified container(s). Used to share volumes
2331 between containers. The options is a comma-separated list with the fol‐
2332 lowing available elements:
2333
2334
2335 • rw|ro
2336
2337 • z
2338
2339
2340
2341 Mounts already mounted volumes from a source container onto another
2342 container. CONTAINER may be a name or ID. To share a volume, use the
2343 --volumes-from option when running the target container. Volumes can be
2344 shared even if the source container is not running.
2345
2346
2347 By default, Podman mounts the volumes in the same mode (read-write or
2348 read-only) as it is mounted in the source container. This can be
2349 changed by adding a ro or rw option.
2350
2351
2352 Labeling systems like SELinux require that proper labels are placed on
2353 volume content mounted into a container. Without a label, the security
2354 system might prevent the processes running inside the container from
2355 using the content. By default, Podman does not change the labels set by
2356 the OS.
2357
2358
2359 To change a label in the container context, add z to the volume mount.
2360 This suffix tells Podman to relabel file objects on the shared volumes.
2361 The z option tells Podman that two entities share the volume content.
2362 As a result, Podman labels the content with a shared content label.
2363 Shared volume labels allow all containers to read/write content.
2364
2365
2366 If the location of the volume from the source container overlaps with
2367 data residing on a target container, then the volume hides that data on
2368 the target.
2369
2370
2371 --workdir, -w=dir
2372 Working directory inside the container.
2373
2374
2375 The default working directory for running binaries within a container
2376 is the root directory (/). The image developer can set a different de‐
2377 fault with the WORKDIR instruction. The operator can override the work‐
2378 ing directory by using the -w option.
2379
2380
2382 The exit code from podman run gives information about why the container
2383 failed to run or why it exited. When podman run exits with a non-zero
2384 code, the exit codes follow the chroot(1) standard, see below:
2385
2386
2387 125 The error is with Podman itself
2388
2389
2390 $ podman run --foo busybox; echo $?
2391 Error: unknown flag: --foo
2392 125
2393
2394
2395
2396 126 The contained command cannot be invoked
2397
2398
2399 $ podman run busybox /etc; echo $?
2400 Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
2401 126
2402
2403
2404
2405 127 The contained command cannot be found
2406
2407
2408 $ podman run busybox foo; echo $?
2409 Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
2410 127
2411
2412
2413
2414 Exit code contained command exit code
2415
2416
2417 $ podman run busybox /bin/sh -c 'exit 3'; echo $?
2418 3
2419
2420
2421
2423 Running container in read-only mode
2424 During container image development, containers often need to write to
2425 the image content. Installing packages into /usr, for example. In pro‐
2426 duction, applications seldom need to write to the image. Container ap‐
2427 plications write to volumes if they need to write to file systems at
2428 all. Applications can be made more secure by running them in read-only
2429 mode using the --read-only switch. This protects the container's image
2430 from modification. Read-only containers may still need to write tempo‐
2431 rary data. The best way to handle this is to mount tmpfs directories on
2432 /run and /tmp.
2433
2434
2435 $ podman run --read-only -i -t fedora /bin/bash
2436
2437 $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
2438
2439
2440
2441 Exposing log messages from the container to the host's log
2442 If you want messages that are logged in your container to show up in
2443 the host's syslog/journal then you should bind mount the /dev/log di‐
2444 rectory as follows.
2445
2446
2447 $ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
2448
2449
2450
2451 From inside the container you can test this by sending a message to the
2452 log.
2453
2454
2455 (bash)# logger "Hello from my container"
2456
2457
2458
2459 Then exit and check the journal.
2460
2461
2462 (bash)# exit
2463
2464 $ journalctl -b | grep Hello
2465
2466
2467
2468 This should list the message sent to logger.
2469
2470
2471 Attaching to one or more from STDIN, STDOUT, STDERR
2472 If you do not specify -a, Podman will attach everything (stdin, stdout,
2473 stderr). You can specify to which of the three standard streams
2474 (stdin, stdout, stderr) you'd like to connect instead, as in:
2475
2476
2477 $ podman run -a stdin -a stdout -i -t fedora /bin/bash
2478
2479
2480
2481 Sharing IPC between containers
2482 Using shm_server.c available here:
2483 https://www.cs.cf.ac.uk/Dave/C/node27.html
2484
2485
2486 Testing --ipc=host mode:
2487
2488
2489 Host shows a shared memory segment with 7 pids attached, happens to be
2490 from httpd:
2491
2492
2493 $ sudo ipcs -m
2494
2495 ------ Shared Memory Segments --------
2496 key shmid owner perms bytes nattch status
2497 0x01128e25 0 root 600 1000 7
2498
2499
2500
2501 Now run a regular container, and it correctly does NOT see the shared
2502 memory segment from the host:
2503
2504
2505 $ podman run -it shm ipcs -m
2506
2507 ------ Shared Memory Segments --------
2508 key shmid owner perms bytes nattch status
2509
2510
2511
2512 Run a container with the new --ipc=host option, and it now sees the
2513 shared memory segment from the host httpd:
2514
2515
2516 $ podman run -it --ipc=host shm ipcs -m
2517
2518 ------ Shared Memory Segments --------
2519 key shmid owner perms bytes nattch status
2520 0x01128e25 0 root 600 1000 7
2521
2522
2523
2524 Testing --ipc=container:id mode:
2525
2526
2527 Start a container with a program to create a shared memory segment:
2528
2529
2530 $ podman run -it shm bash
2531 $ sudo shm/shm_server &
2532 $ sudo ipcs -m
2533
2534 ------ Shared Memory Segments --------
2535 key shmid owner perms bytes nattch status
2536 0x0000162e 0 root 666 27 1
2537
2538
2539
2540 Create a 2nd container correctly shows no shared memory segment from
2541 1st container:
2542
2543
2544 $ podman run shm ipcs -m
2545
2546 ------ Shared Memory Segments --------
2547 key shmid owner perms bytes nattch status
2548
2549
2550
2551 Create a 3rd container using the --ipc=container:id option, now it
2552 shows the shared memory segment from the first:
2553
2554
2555 $ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
2556 $ sudo ipcs -m
2557
2558 ------ Shared Memory Segments --------
2559 key shmid owner perms bytes nattch status
2560 0x0000162e 0 root 666 27 1
2561
2562
2563
2564 Mapping Ports for External Usage
2565 The exposed port of an application can be mapped to a host port using
2566 the -p flag. For example, an httpd port 80 can be mapped to the host
2567 port 8080 using the following:
2568
2569
2570 $ podman run -p 8080:80 -d -i -t fedora/httpd
2571
2572
2573
2574 Mounting External Volumes
2575 To mount a host directory as a container volume, specify the absolute
2576 path to the directory and the absolute path for the container directory
2577 separated by a colon. If the source is a named volume maintained by
2578 Podman, it is recommended to use its name rather than the path to the
2579 volume. Otherwise the volume will be considered as an orphan and wiped
2580 if you execute podman volume prune:
2581
2582
2583 $ podman run -v /var/db:/data1 -i -t fedora bash
2584
2585 $ podman run -v data:/data2 -i -t fedora bash
2586
2587 $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
2588
2589 $ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:z,U mariadb
2590
2591
2592
2593 Using --mount flags to mount a host directory as a container folder,
2594 specify the absolute path to the directory or the volume name, and the
2595 absolute path within the container directory:
2596
2597
2598 $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
2599
2600 $ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh
2601
2602
2603
2604 When using SELinux, be aware that the host has no knowledge of con‐
2605 tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
2606 icy is enforced, the /var/db directory is not writable to the con‐
2607 tainer. A "Permission Denied" message will occur and an avc: message in
2608 the host's syslog.
2609
2610
2611 To work around this, at time of writing this man page, the following
2612 command needs to be run in order for the proper SELinux policy type la‐
2613 bel to be attached to the host directory:
2614
2615
2616 $ chcon -Rt svirt_sandbox_file_t /var/db
2617
2618
2619
2620 Now, writing to the /data1 volume in the container will be allowed and
2621 the changes will also be reflected on the host in /var/db.
2622
2623
2624 Using alternative security labeling
2625 You can override the default labeling scheme for each container by
2626 specifying the --security-opt flag. For example, you can specify the
2627 MCS/MLS level, a requirement for MLS systems. Specifying the level in
2628 the following command allows you to share the same content between con‐
2629 tainers.
2630
2631
2632 podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash
2633
2634
2635
2636 An MLS example might be:
2637
2638
2639 $ podman run --security-opt label=level:TopSecret -i -t rhel7 bash
2640
2641
2642
2643 To disable the security labeling for this container versus running with
2644 the
2645
2646
2647 --permissive flag, use the following command:
2648 $ podman run --security-opt label=disable -i -t fedora bash
2649
2650
2651
2652 If you want a tighter security policy on the processes within a con‐
2653 tainer, you can specify an alternate type for the container. You could
2654 run a container that is only allowed to listen on Apache ports by exe‐
2655 cuting the following command:
2656
2657
2658 $ podman run --security-opt label=type:svirt_apache_t -i -t centos bash
2659
2660
2661
2662 Note you would have to write policy defining a svirt_apache_t type.
2663
2664
2665 To mask additional specific paths in the container, specify the paths
2666 separated by a colon using the mask option with the --security-opt
2667 flag.
2668
2669
2670 $ podman run --security-opt mask=/foo/bar:/second/path fedora bash
2671
2672
2673
2674 To unmask all the paths that are masked by default, set the unmask op‐
2675 tion to ALL. Or to only unmask specific paths, specify the paths as
2676 shown above with the mask option.
2677
2678
2679 $ podman run --security-opt unmask=ALL fedora bash
2680
2681
2682
2683 To unmask all the paths that start with /proc, set the unmask option to
2684 /proc/*.
2685
2686
2687 $ podman run --security-opt unmask=/proc/* fedora bash
2688
2689
2690
2691 $ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
2692
2693
2694
2695 Setting device weight
2696 If you want to set /dev/sda device weight to 200, you can specify the
2697 device weight by --blkio-weight-device flag. Use the following command:
2698
2699
2700 $ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu
2701
2702
2703
2704 Using a podman container with input from a pipe
2705 $ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
2706 asdf
2707
2708
2709
2710 Setting automatic user namespace separated containers
2711 # podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
2712 0 2147483647 65536
2713 # podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
2714 0 2147549183 65536
2715
2716
2717
2718 Setting Namespaced Kernel Parameters (Sysctls)
2719 The --sysctl sets namespaced kernel parameters (sysctls) in the con‐
2720 tainer. For example, to turn on IP forwarding in the containers network
2721 namespace, run this command:
2722
2723
2724 $ podman run --sysctl net.ipv4.ip_forward=1 someimage
2725
2726
2727
2728 Note that not all sysctls are namespaced. Podman does not support
2729 changing sysctls inside of a container that also modify the host sys‐
2730 tem. As the kernel evolves we expect to see more sysctls become names‐
2731 paced.
2732
2733
2734 See the definition of the --sysctl option above for the current list of
2735 supported sysctls.
2736
2737
2738 Set UID/GID mapping in a new user namespace
2739 Running a container in a new user namespace requires a mapping of the
2740 uids and gids from the host.
2741
2742
2743 $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
2744
2745
2746
2747 Configuring Storage Options from the command line
2748 Podman allows for the configuration of storage by changing the values
2749 in the /etc/container/storage.conf or by using global options. This
2750 shows how to set up and use fuse-overlayfs for a one-time run of busy‐
2751 box using global options.
2752
2753
2754 podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh
2755
2756
2757
2758 Configure timezone in a container
2759 $ podman run --tz=local alpine date
2760 $ podman run --tz=Asia/Shanghai alpine date
2761 $ podman run --tz=US/Eastern alpine date
2762
2763
2764
2765 Adding dependency containers
2766 The first container, container1, is not started initially, but must be
2767 running before container2 will start. The podman run command will
2768 start the container automatically before starting container2.
2769
2770
2771 $ podman create --name container1 -t -i fedora bash
2772 $ podman run --name container2 --requires container1 -t -i fedora bash
2773
2774
2775
2776 Multiple containers can be required.
2777
2778
2779 $ podman create --name container1 -t -i fedora bash
2780 $ podman create --name container2 -t -i fedora bash
2781 $ podman run --name container3 --requires container1,container2 -t -i fedora bash
2782
2783
2784
2785 Configure keep supplemental groups for access to volume
2786 $ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8
2787
2788
2789
2790 Configure execution domain for containers using personality flag
2791 $ podman run --name container1 --personality=LINUX32 fedora bash
2792
2793
2794
2795 Run a container with external rootfs mounted as an overlay
2796 $ podman run --name container1 --rootfs /path/to/rootfs:O bash
2797
2798
2799
2800 Handling Timezones in java applications in a container.
2801 In order to use a timezone other than UTC when running a Java applica‐
2802 tion within a container, the TZ environment variable must be set within
2803 the container. Java applications will ignore the value set with the
2804 --tz option.
2805
2806
2807 # Example run
2808 podman run -ti --rm -e TZ=EST mytzimage
2809 lrwxrwxrwx. 1 root root 29 Nov 3 08:51 /etc/localtime -> ../usr/share/zoneinfo/Etc/UTC
2810 Now with default timezone:
2811 Fri Nov 19 18:10:55 EST 2021
2812 Java default sees the following timezone:
2813 2021-11-19T18:10:55.651130-05:00
2814 Forcing UTC:
2815 Fri Nov 19 23:10:55 UTC 2021
2816
2817
2818
2819 Run a container connected to two networks (called net1 and net2) with a
2820 static ip
2821 $ podman run --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr
2822
2823
2824
2825 Rootless Containers
2826 Podman runs as a non-root user on most systems. This feature requires
2827 that a new enough version of shadow-utils be installed. The shadow-
2828 utils package must include the newuidmap(1) and newgidmap(1) executa‐
2829 bles.
2830
2831
2832 In order for users to run rootless, there must be an entry for their
2833 username in /etc/subuid and /etc/subgid which lists the UIDs for their
2834 user namespace.
2835
2836
2837 Rootless Podman works better if the fuse-overlayfs and slirp4netns
2838 packages are installed. The fuse-overlayfs package provides a
2839 userspace overlay storage driver, otherwise users need to use the vfs
2840 storage driver, which is diskspace expensive and does not perform well.
2841 slirp4netns is required for VPN, without it containers need to be run
2842 with the --network=host flag.
2843
2844
2846 Environment variables within containers can be set using multiple dif‐
2847 ferent options, in the following order of precedence (later entries
2848 override earlier entries):
2849
2850
2851 • Container image: Any environment variables specified in the
2852 container image.
2853
2854 • --http-proxy: By default, several environment variables will
2855 be passed in from the host, such as http_proxy and no_proxy.
2856 See --http-proxy for details.
2857
2858 • --env-host: Host environment of the process executing Podman
2859 is added.
2860
2861 • --env-file: Any environment variables specified via env-files.
2862 If multiple files are specified, then they override each other
2863 in order of entry.
2864
2865 • --env: Any environment variables specified will override pre‐
2866 vious settings.
2867
2868
2869
2870 Run containers and set the environment ending with a *. The trailing *
2871 glob functionality is only active when no value is specified:
2872
2873
2874 $ export ENV1=a
2875 $ podman run --env 'ENV*' alpine env | grep ENV
2876 ENV1=a
2877 $ podman run --env 'ENV*=b' alpine env | grep ENV
2878 ENV*=b
2879
2880
2881
2883 When Podman starts a container it actually executes the conmon program,
2884 which then executes the OCI Runtime. Conmon is the container monitor.
2885 It is a small program whose job is to watch the primary process of the
2886 container, and if the container dies, save the exit code. It also
2887 holds open the tty of the container, so that it can be attached to
2888 later. This is what allows Podman to run in detached mode (back‐
2889 grounded), so Podman can exit but conmon continues to run. Each con‐
2890 tainer has their own instance of conmon. Conmon waits for the container
2891 to exit, gathers and saves the exit code, and then launches a Podman
2892 process to complete the container cleanup, by shutting down the network
2893 and storage. For more information on conmon, please reference the
2894 conmon(8) man page.
2895
2896
2898 /etc/subuid
2899
2900
2901 /etc/subgid
2902
2903
2904 NOTE: Use the environment variable TMPDIR to change the temporary stor‐
2905 age location of downloaded container images. Podman defaults to use
2906 /var/tmp.
2907
2908
2910 podman(1), podman-save(1), podman-ps(1), podman-attach(1), podman-pod-
2911 create(1), podman-port(1), podman-start(1), podman-kill(1), podman-
2912 stop(1), podman-generate-systemd(1), podman-rm(1), subgid(5), sub‐
2913 uid(5), containers.conf(5), systemd.unit(5), setsebool(8),
2914 slirp4netns(1), fuse-overlayfs(1), proc(5), conmon(8), personality(2)
2915
2916
2918 September 2018, updated by Kunal Kushwaha <kushwaha_ku‐
2919 nal_v7@lab.ntt.co.jp>
2920
2921
2922 October 2017, converted from Docker documentation to Podman by Dan
2923 Walsh for Podman <dwalsh@redhat.com>
2924
2925
2926 November 2015, updated by Sally O'Malley <somalley@redhat.com>
2927
2928
2929 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
2930
2931
2932 April 2014, Originally compiled by William Henry <whenry@redhat.com>
2933 based on docker.com source material and internal work.
2934
2935
2937 1: The Podman project is committed to inclusivity, a core value of open
2938 source. The master and slave mount propagation terminology used here is
2939 problematic and divisive, and should be changed. However, these terms
2940 are currently used within the Linux kernel and must be used as-is at
2941 this time. When the kernel maintainers rectify this usage, Podman will
2942 follow suit immediately.
2943
2944
2945
2946 podman-run(1)