1podman-run(1)               General Commands Manual              podman-run(1)
2
3
4

NAME

6       podman-run - Run a command in a new container
7
8

SYNOPSIS

10       podman run [options] image [command [arg ...]]
11
12
13       podman container run [options] image [command [arg ...]]
14
15

DESCRIPTION

17       Run  a process in a new container. podman run starts a process with its
18       own file system, its own networking, and its own isolated process tree.
19       The  image  which starts the process may define defaults related to the
20       process that will be run in the container, the  networking  to  expose,
21       and  more, but podman run gives final control to the operator or admin‐
22       istrator who starts the container from the image. For that reason  pod‐
23       man run has more options than any other Podman command.
24
25
26       If the image is not already loaded then podman run will pull the image,
27       and all image dependencies, from the repository in the same way running
28       podman pull image , before it starts the container from that image.
29
30
31       Several files will be automatically created within the container. These
32       include /etc/hosts, /etc/hostname, and /etc/resolv.conf to manage  net‐
33       working.   These  will  be  based  on  the host's version of the files,
34       though they can be customized with options  (for  example,  --dns  will
35       override  the host's DNS servers in the created resolv.conf). Addition‐
36       ally, a container environment file is created in each container to  in‐
37       dicate  to  programs  they are running in a container. This file is lo‐
38       cated at /run/.containerenv. When using the --privileged flag the .con‐
39       tainerenv  contains  name/value  pairs  indicating the container engine
40       version, whether the engine is running in rootless mode, the  container
41       name  and  id,  as  well as the image name and id that the container is
42       based on.
43
44
45       When   running   from   a   user   defined   network   namespace,   the
46       /etc/netns/NSNAME/resolv.conf  will  be  used  if  it exists, otherwise
47       /etc/resolv.conf will be used.
48
49
50       Default settings are defined in containers.conf. Most settings for  re‐
51       mote  connections  use  the  servers containers.conf, except when docu‐
52       mented in man pages.
53
54

IMAGE

56       The image is specified using transport:path format. If no transport  is
57       specified,  the  docker  (container registry) transport will be used by
58       default. For remote Podman, including Mac and Windows (excluding  WSL2)
59       machines, docker is the only allowed transport.
60
61
62       dir:path
63         An existing local directory path storing the manifest, layer tarballs
64       and signatures as individual files. This is a non-standardized  format,
65       primarily useful for debugging or noninvasive container inspection.
66
67
68              $ podman save --format docker-dir fedora -o /tmp/fedora
69              $ podman run dir:/tmp/fedora echo hello
70
71
72
73       docker://docker-reference (Default)
74         An image reference stored in a remote container image registry. Exam‐
75       ple: "quay.io/podman/stable:latest".  The reference can include a  path
76       to  a  specific registry; if it does not, the registries listed in reg‐
77       istries.conf will be queried to find a  matching  image.   By  default,
78       credentials  from  podman  login  (stored  at $XDG_RUNTIME_DIR/contain‐
79       ers/auth.json by default) will be used to  authenticate;  otherwise  it
80       falls back to using credentials in $HOME/.docker/config.json.
81
82
83              $ podman run registry.fedoraproject.org/fedora:latest echo hello
84
85
86
87       docker-archive:path[:docker-reference]  An  image  stored in the docker
88       save formatted file. docker-reference is only used when creating such a
89       file, and it must not contain a digest.
90
91
92              $ podman save --format docker-archive fedora -o /tmp/fedora
93              $ podman run docker-archive:/tmp/fedora echo hello
94
95
96
97       docker-daemon:docker-reference
98         An  image  in docker-reference format stored in the docker daemon in‐
99       ternal storage. The docker-reference can also be an image  ID  (docker-
100       daemon:algo:digest).
101
102
103              $ sudo docker pull fedora
104              $ sudo podman run docker-daemon:docker.io/library/fedora echo hello
105
106
107
108       oci-archive:path:tag
109         An image in a directory compliant with the "Open Container Image Lay‐
110       out Specification" at the specified path and specified with a tag.
111
112
113              $ podman save --format oci-archive fedora -o /tmp/fedora
114              $ podman run oci-archive:/tmp/fedora echo hello
115
116
117

OPTIONS

119   --add-host=host:ip
120       Add a custom host-to-IP mapping (host:ip)
121
122
123       Add a line to /etc/hosts. The format is hostname:ip. The --add-host op‐
124       tion can be set multiple times. Conflicts with the --no-hosts option.
125
126
127   --annotation=key=value
128       Add  an  annotation  to  the container. This option can be set multiple
129       times.
130
131
132   --arch=ARCH
133       Override the architecture, defaults  to  hosts,  of  the  image  to  be
134       pulled. For example, arm.  Unless overridden, subsequent lookups of the
135       same image in the local storage will match this  architecture,  regard‐
136       less of the host.
137
138
139   --attach, -a=stdin | stdout | stderr
140       Attach to STDIN, STDOUT or STDERR.
141
142
143       In  foreground  mode (the default when -d is not specified), podman run
144       can start the process in the container and attach the  console  to  the
145       process's  standard input, output, and error. It can even pretend to be
146       a TTY (this is what most  command-line  executables  expect)  and  pass
147       along  signals. The -a option can be set for each of stdin, stdout, and
148       stderr.
149
150
151   --authfile=path
152       Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
153       ers/auth.json,  which  is set using podman login.  If the authorization
154       state is not found there, $HOME/.docker/config.json is  checked,  which
155       is set using docker login.
156
157
158       Note:  There is also the option to override the default path of the au‐
159       thentication file by setting the REGISTRY_AUTH_FILE  environment  vari‐
160       able. This can be done with export REGISTRY_AUTH_FILE=path.
161
162
163   --blkio-weight=weight
164       Block IO relative weight. The weight is a value between 10 and 1000.
165
166
167       This option is not supported on cgroups V1 rootless systems.
168
169
170   --blkio-weight-device=device:weight
171       Block IO relative device weight.
172
173
174   --cap-add=capability
175       Add Linux capabilities.
176
177
178   --cap-drop=capability
179       Drop Linux capabilities.
180
181
182   --cgroup-conf=KEY=VALUE
183       When  running on cgroup v2, specify the cgroup file to write to and its
184       value. For example --cgroup-conf=memory.high=1073741824 sets  the  mem‐
185       ory.high limit to 1GB.
186
187
188   --cgroup-parent=path
189       Path  to  cgroups under which the cgroup for the container will be cre‐
190       ated. If the path is not absolute, the path is considered to  be  rela‐
191       tive  to  the cgroups path of the init process. Cgroups will be created
192       if they do not already exist.
193
194
195   --cgroupns=mode
196       Set the cgroup namespace mode for the container.
197
198
199host: use the host's cgroup namespace inside the container.
200
201container:id: join the namespace of the specified container.
202
203private: create a new cgroup namespace.
204
205ns:path: join the namespace at the specified path.
206
207
208
209       If the host uses cgroups v1, the default is set to host. On cgroups v2,
210       the default is private.
211
212
213   --cgroups=how
214       Determines whether the container will create CGroups.
215
216
217       Default is enabled.
218
219
220       The  enabled  option  will create a new cgroup under the cgroup-parent.
221       The disabled option will force the container to not create CGroups, and
222       thus  conflicts  with  CGroup options (--cgroupns and --cgroup-parent).
223       The no-conmon option disables a new CGroup only for the conmon process.
224       The  split option splits the current CGroup in two sub-cgroups: one for
225       conmon and one for the container payload. It is  not  possible  to  set
226       --cgroup-parent with split.
227
228
229   --chrootdirs=path
230       Path  to  a  directory inside the container that should be treated as a
231       chroot directory.  Any Podman  managed  file  (e.g.,  /etc/resolv.conf,
232       /etc/hosts,  etc/hostname) that is mounted into the root directory will
233       be mounted into that location as well.  Multiple directories should  be
234       separated with a comma.
235
236
237   --cidfile=file
238       Write the container ID to file.
239
240
241   --conmon-pidfile=file
242       Write the pid of the conmon process to a file. As conmon runs in a sep‐
243       arate process than Podman, this is  necessary  when  using  systemd  to
244       restart  Podman containers.  (This option is not available with the re‐
245       mote Podman client, including Mac  and  Windows  (excluding  WSL2)  ma‐
246       chines)
247
248
249   --cpu-period=limit
250       Set  the CPU period for the Completely Fair Scheduler (CFS), which is a
251       duration in microseconds. Once the container's CPU quota is used up, it
252       will not be scheduled to run until the current period ends. Defaults to
253       100000 microseconds.
254
255
256       On some systems, changing the resource limits may not  be  allowed  for
257       non-root  users.  For  more  details,  see  https://github.com/contain
258       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
259       source-limits-fails-with-a-permissions-error
260
261
262       This option is not supported on cgroups V1 rootless systems.
263
264
265   --cpu-quota=limit
266       Limit the CPU Completely Fair Scheduler (CFS) quota.
267
268
269       Limit  the  container's  CPU usage. By default, containers run with the
270       full CPU resource. The limit is a number in microseconds. If  a  number
271       is  provided,  the  container will be allowed to use that much CPU time
272       until the CPU period ends (controllable via --cpu-period).
273
274
275       On some systems, changing the resource limits may not  be  allowed  for
276       non-root  users.  For  more  details,  see  https://github.com/contain
277       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
278       source-limits-fails-with-a-permissions-error
279
280
281       This option is not supported on cgroups V1 rootless systems.
282
283
284   --cpu-rt-period=microseconds
285       Limit the CPU real-time period in microseconds.
286
287
288       Limit the container's Real Time CPU usage. This option tells the kernel
289       to restrict the container's Real Time CPU usage to  the  period  speci‐
290       fied.
291
292
293       This option is only supported on cgroups V1 rootful systems.
294
295
296   --cpu-rt-runtime=microseconds
297       Limit the CPU real-time runtime in microseconds.
298
299
300       Limit  the containers Real Time CPU usage. This option tells the kernel
301       to limit the amount of time in a given CPU period Real Time  tasks  may
302       consume.  Ex: Period of 1,000,000us and Runtime of 950,000us means that
303       this container could consume 95% of available CPU and leave the remain‐
304       ing 5% to normal priority tasks.
305
306
307       The  sum of all runtimes across containers cannot exceed the amount al‐
308       lotted to the parent cgroup.
309
310
311       This option is only supported on cgroups V1 rootful systems.
312
313
314   --cpu-shares, -c=shares
315       CPU shares (relative weight).
316
317
318       By default, all containers get the same proportion of CPU cycles.  This
319       proportion  can  be  modified  by  changing  the  container's CPU share
320       weighting relative to the combined weight of all the  running  contain‐
321       ers.  Default weight is 1024.
322
323
324       The  proportion  will  only apply when CPU-intensive processes are run‐
325       ning.  When tasks in one container are idle, other containers  can  use
326       the left-over CPU time. The actual amount of CPU time will vary depend‐
327       ing on the number of containers running on the system.
328
329
330       For example, consider three containers, one has a cpu-share of 1024 and
331       two others have a cpu-share setting of 512. When processes in all three
332       containers attempt to use 100% of CPU, the first  container  would  re‐
333       ceive  50% of the total CPU time. If a fourth container is added with a
334       cpu-share of 1024, the first container only gets 33% of  the  CPU.  The
335       remaining containers receive 16.5%, 16.5% and 33% of the CPU.
336
337
338       On a multi-core system, the shares of CPU time are distributed over all
339       CPU cores. Even if a container is limited to  less  than  100%  of  CPU
340       time, it can use 100% of each individual CPU core.
341
342
343       For example, consider a system with more than three cores.  If the con‐
344       tainer C0 is started with --cpu-shares=512 running one process, and an‐
345       other  container  C1 with --cpu-shares=1024 running two processes, this
346       can result in the following division of CPU shares:
347
348
349       ┌────┬───────────┬─────┬──────────────┐
350PID container CPU CPU share    
351       ├────┼───────────┼─────┼──────────────┤
352       │100 │ C0        │ 0   │ 100% of CPU0 │
353       ├────┼───────────┼─────┼──────────────┤
354       │101 │ C1        │ 1   │ 100% of CPU1 │
355       ├────┼───────────┼─────┼──────────────┤
356       │102 │ C1        │ 2   │ 100% of CPU2 │
357       └────┴───────────┴─────┴──────────────┘
358
359       On some systems, changing the resource limits may not  be  allowed  for
360       non-root  users.  For  more  details,  see  https://github.com/contain
361       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
362       source-limits-fails-with-a-permissions-error
363
364
365       This option is not supported on cgroups V1 rootless systems.
366
367
368   --cpus=number
369       Number of CPUs. The default is 0.0 which means no limit. This is short‐
370       hand for --cpu-period and --cpu-quota,  so  you  may  only  set  either
371       --cpus or --cpu-period and --cpu-quota.
372
373
374       On  some  systems,  changing the CPU limits may not be allowed for non-
375       root users. For more  details,  see  https://github.com/containers/pod
376       man/blob/main/troubleshooting.md#26-running-containers-with-resource-
377       limits-fails-with-a-permissions-error
378
379
380       This option is not supported on cgroups V1 rootless systems.
381
382
383   --cpuset-cpus=number
384       CPUs in which to allow execution. Can be specified as a comma-separated
385       list  (e.g.  0,1),  as  a  range (e.g. 0-3), or any combination thereof
386       (e.g. 0-3,7,11-15).
387
388
389       On some systems, changing the resource limits may not  be  allowed  for
390       non-root  users.  For  more  details,  see  https://github.com/contain
391       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
392       source-limits-fails-with-a-permissions-error
393
394
395       This option is not supported on cgroups V1 rootless systems.
396
397
398   --cpuset-mems=nodes
399       Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
400       tive on NUMA systems.
401
402
403       If there are four memory nodes  on  the  system  (0-3),  use  --cpuset-
404       mems=0,1  then processes in the container will only use memory from the
405       first two memory nodes.
406
407
408       On some systems, changing the resource limits may not  be  allowed  for
409       non-root  users.  For  more  details,  see  https://github.com/contain
410       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
411       source-limits-fails-with-a-permissions-error
412
413
414       This option is not supported on cgroups V1 rootless systems.
415
416
417   --detach, -d
418       Detached  mode:  run  the container in the background and print the new
419       container ID. The default is false.
420
421
422       At any time you can run podman ps in the other shell to view a list  of
423       the  running  containers. You can reattach to a detached container with
424       podman attach.
425
426
427       When attached in the tty mode, you can detach from the  container  (and
428       leave  it  running)  using a configurable key sequence. The default se‐
429       quence is ctrl-p,ctrl-q.  Specify the key sequence using the  --detach-
430       keys  option, or configure it in the containers.conf file: see contain‐
431       ers.conf(5) for more information.
432
433
434   --detach-keys=sequence
435       Specify the key sequence for detaching a container. Format is a  single
436       character [a-Z] or one or more ctrl-<value> characters where <value> is
437       one of: a-z, @, ^, [, , or _. Specifying "" will disable this  feature.
438       The default is ctrl-p,ctrl-q.
439
440
441       This option can also be set in containers.conf(5) file.
442
443
444   --device=host-device[:container-device][:permissions]
445       Add  a host device to the container. Optional permissions parameter can
446       be used to specify device permissions by combining r for  read,  w  for
447       write, and m for mknod(2).
448
449
450       Example: --device=/dev/sdc:/dev/xvdc:rwm.
451
452
453       Note: if host-device is a symbolic link then it will be resolved first.
454       The container will only store the major and minor numbers of  the  host
455       device.
456
457
458       Podman may load kernel modules required for using the specified device.
459       The devices that Podman will  load  modules  for  when  necessary  are:
460       /dev/fuse.
461
462
463       In  rootless mode, the new device is bind mounted in the container from
464       the host rather than Podman creating it within the container space. Be‐
465       cause  the bind mount retains its SELinux label on SELinux systems, the
466       container can get permission denied when accessing the mounted  device.
467       Modify  SELinux  settings  to allow containers to use all device labels
468       via the following command:
469
470
471       $ sudo setsebool -P  container_use_devices=true
472
473
474       Note: if the user only has access rights via a group, accessing the de‐
475       vice  from  inside  a rootless container will fail. Use the --group-add
476       keep-groups flag to pass the user's supplementary group access into the
477       container.
478
479
480   --device-cgroup-rule="type major:minor mode"
481       Add  a rule to the cgroup allowed devices list. The rule is expected to
482       be in the format specified in the Linux kernel documentation  (Documen‐
483       tation/cgroup-v1/devices.txt):
484              - type: a (all), c (char), or b (block);
485              - major and minor: either a number, or * for all;
486              - mode: a composition of r (read), w (write), and m (mknod(2)).
487
488
489   --device-read-bps=path:rate
490       Limit  read  rate  (in  bytes per second) from a device (e.g. --device-
491       read-bps=/dev/sda:1mb).
492
493
494       On some systems, changing the resource limits may not  be  allowed  for
495       non-root  users.  For  more  details,  see  https://github.com/contain
496       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
497       source-limits-fails-with-a-permissions-error
498
499
500       This option is not supported on cgroups V1 rootless systems.
501
502
503   --device-read-iops=path:rate
504       Limit read rate (in IO operations per second) from a device (e.g. --de‐
505       vice-read-iops=/dev/sda:1000).
506
507
508       On some systems, changing the resource limits may not  be  allowed  for
509       non-root  users.  For  more  details,  see  https://github.com/contain
510       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
511       source-limits-fails-with-a-permissions-error
512
513
514       This option is not supported on cgroups V1 rootless systems.
515
516
517   --device-write-bps=path:rate
518       Limit  write  rate  (in  bytes  per second) to a device (e.g. --device-
519       write-bps=/dev/sda:1mb).
520
521
522       On some systems, changing the resource limits may not  be  allowed  for
523       non-root  users.  For  more  details,  see  https://github.com/contain
524       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
525       source-limits-fails-with-a-permissions-error
526
527
528       This option is not supported on cgroups V1 rootless systems.
529
530
531   --device-write-iops=path:rate
532       Limit  write rate (in IO operations per second) to a device (e.g. --de‐
533       vice-write-iops=/dev/sda:1000).
534
535
536       On some systems, changing the resource limits may not  be  allowed  for
537       non-root  users.  For  more  details,  see  https://github.com/contain
538       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
539       source-limits-fails-with-a-permissions-error
540
541
542       This option is not supported on cgroups V1 rootless systems.
543
544
545   --disable-content-trust
546       This  is  a  Docker-specific  option to disable image verification to a
547       container registry and is not supported by Podman.  This  option  is  a
548       NOOP and provided solely for scripting compatibility.
549
550
551   --dns=ipaddr
552       Set custom DNS servers.
553
554
555       This option can be used to override the DNS configuration passed to the
556       container. Typically this is necessary when the host DNS  configuration
557       is  invalid  for the container (e.g., 127.0.0.1). When this is the case
558       the --dns flag is necessary for every run.
559
560
561       The special value none can be specified to disable creation of /etc/re‐
562       solv.conf in the container by Podman.  The /etc/resolv.conf file in the
563       image will be used without changes.
564
565
566       This option cannot be combined with --network that is set  to  none  or
567       container:id.
568
569
570   --dns-option=option
571       Set  custom  DNS  options. Invalid if using --dns-option with --network
572       that is set to none or container:id.
573
574
575   --dns-search=domain
576       Set custom DNS search  domains.  Invalid  if  using  --dns-search  with
577       --network  that  is set to none or container:id.  Use --dns-search=. if
578       you don't wish to set the search domain.
579
580
581   --entrypoint="command" | '["command", arg1 , ...]'
582       Overwrite the default ENTRYPOINT of the image.
583
584
585       This option allows you to overwrite the default entrypoint of  the  im‐
586       age.
587
588
589       The ENTRYPOINT of an image is similar to a COMMAND because it specifies
590       what executable to run when the container starts, but it is (purposely)
591       more  difficult  to  override. The ENTRYPOINT gives a container its de‐
592       fault nature or behavior, so that when you set an  ENTRYPOINT  you  can
593       run  the container as if it were that binary, complete with default op‐
594       tions, and you can pass in more options via the COMMAND. But, sometimes
595       an operator may want to run something else inside the container, so you
596       can override the default ENTRYPOINT at runtime by using a  --entrypoint
597       and a string to specify the new ENTRYPOINT.
598
599
600       You need to specify multi option commands in the form of a json string.
601
602
603   --env, -e=env
604       Set environment variables.
605
606
607       This  option  allows arbitrary environment variables that are available
608       for the process to be launched inside of the container. If an  environ‐
609       ment  variable is specified without a value, Podman will check the host
610       environment for a value and set the variable only if it is set  on  the
611       host.  As  a  special  case,  if an environment variable ending in * is
612       specified without a value, Podman will search the host environment  for
613       variables  starting with the prefix and will add those variables to the
614       container.
615
616
617       See Environment ⟨#environment⟩ note below for precedence and examples.
618
619
620   --env-file=file
621       Read in a line-delimited file of environment variables.
622
623
624       See Environment ⟨#environment⟩ note below for precedence and examples.
625
626
627   --env-host
628       Use host environment inside of the container. See Environment note  be‐
629       low  for precedence. (This option is not available with the remote Pod‐
630       man client, including Mac and Windows (excluding WSL2) machines)
631
632
633   --env-merge=env
634       Preprocess default environment variables for the containers. For  exam‐
635       ple if image contains environment variable hello=world user can prepro‐
636       cess it using --env-merge hello=${hello}-some  so  new  value  will  be
637       hello=world-some.
638
639
640   --expose=port
641       Expose  a port, or a range of ports (e.g. --expose=3300-3310) to set up
642       port redirection on the host system.
643
644
645   --gidmap=container_gid:host_gid:amount
646       Run the container in a new user namespace using the supplied  GID  map‐
647       ping. This option conflicts with the --userns and --subgidname options.
648       This option provides a way to map host GIDs to container  GIDs  in  the
649       same  way as --uidmap maps host UIDs to container UIDs. For details see
650       --uidmap.
651
652
653       Note: the --gidmap flag cannot be called in conjunction with the  --pod
654       flag as a gidmap cannot be set on the container level when in a pod.
655
656
657   --group-add=group | keep-groups
658       Assign  additional  groups  to the primary user running within the con‐
659       tainer process.
660
661
662keep-groups is a special flag that tells Podman  to  keep  the
663                supplementary group access.
664
665
666
667       Allows  container to use the user's supplementary group access. If file
668       systems or devices are only accessible by the  rootless  user's  group,
669       this  flag tells the OCI runtime to pass the group access into the con‐
670       tainer. Currently only available with the crun OCI runtime. Note: keep-
671       groups  is  exclusive,  you cannot add any other groups with this flag.
672       (Not available for remote commands, including Mac and Windows  (exclud‐
673       ing WSL2) machines)
674
675
676   --health-cmd="command" | '["command", arg1 , ...]'
677       Set  or  alter  a healthcheck command for a container. The command is a
678       command to be executed inside your container that determines your  con‐
679       tainer health. The command is required for other healthcheck options to
680       be applied. A value of none disables existing healthchecks.
681
682
683       Multiple options can be passed in the form of a JSON array;  otherwise,
684       the command will be interpreted as an argument to /bin/sh -c.
685
686
687   --health-interval=interval
688       Set an interval for the healthchecks. An interval of disable results in
689       no automatic timer setup. The default is 30s.
690
691
692   --health-on-failure=action
693       Action to take once the container transitions to  an  unhealthy  state.
694       The default is none.
695
696
697none: Take no action.
698
699kill: Kill the container.
700
701restart:  Restart  the  container.  Do not combine the restart
702                action with the --restart flag.  When running inside of a sys‐
703                temd  unit,  consider using the kill or stop action instead to
704                make use of systemd's restart policy.
705
706stop: Stop the container.
707
708
709
710   --health-retries=retries
711       The number of retries allowed before a healthcheck is considered to  be
712       unhealthy. The default value is 3.
713
714
715   --health-start-period=period
716       The  initialization time needed for a container to bootstrap. The value
717       can be expressed in time format like 2m3s. The default value is 0s.
718
719
720   --health-timeout=timeout
721       The maximum time allowed to complete the healthcheck before an interval
722       is  considered failed. Like start-period, the value can be expressed in
723       a time format such as 1m22s. The default value is 30s.
724
725
726   --help
727       Print usage statement
728
729
730   --hostname, -h=name
731       Container host name
732
733
734       Sets the container host name that is available  inside  the  container.
735       Can  only be used with a private UTS namespace --uts=private (default).
736       If --pod is specified and the pod shares the  UTS  namespace  (default)
737       the pod's hostname will be used.
738
739
740   --hostuser=name
741       Add  a  user account to /etc/passwd from the host to the container. The
742       Username or UID must exist on the host system.
743
744
745   --http-proxy
746       By default proxy environment variables are passed into the container if
747       set  for  the Podman process. This can be disabled by setting the value
748       to false.  The environment  variables  passed  in  include  http_proxy,
749       https_proxy,  ftp_proxy,  no_proxy, and also the upper case versions of
750       those. This option is only needed when the host system must use a proxy
751       but the container should not use any proxy. Proxy environment variables
752       specified for the container in any other way will override  the  values
753       that would have been passed through from the host. (Other ways to spec‐
754       ify the proxy for the container include passing  the  values  with  the
755       --env  flag,  or  hard  coding the proxy environment at container build
756       time.)  (This option is not available with the  remote  Podman  client,
757       including Mac and Windows (excluding WSL2) machines)
758
759
760       Defaults to true.
761
762
763   --image-volume=bind | tmpfs | ignore
764       Tells Podman how to handle the builtin image volumes. Default is bind.
765
766
767bind:  An  anonymous  named volume will be created and mounted
768                into the container.
769
770tmpfs: The volume is mounted onto the container  as  a  tmpfs,
771                which  allows the users to create content that disappears when
772                the container is stopped.
773
774ignore: All volumes are just ignored and no action is taken.
775
776
777
778   --init
779       Run an init inside the container that forwards signals and  reaps  pro‐
780       cesses.   The  container-init  binary  is  mounted at /run/podman-init.
781       Mounting over /run will hence break container execution.
782
783
784   --init-path=path
785       Path to the container-init binary.
786
787
788   --interactive, -i
789       When set to true, keep stdin open even if not attached. The default  is
790       false.
791
792
793   --ip=ipv4
794       Specify   a   static  IPv4  address  for  the  container,  for  example
795       10.88.64.128.  This option can only be used if the container is  joined
796       to only a single network - i.e., --network=network-name is used at most
797       once - and if the container is not joining another container's  network
798       namespace  via  --network=container:id.  The address must be within the
799       network's IP address pool (default 10.88.0.0/16).
800
801
802       To specify multiple static IP addresses  per  container,  set  multiple
803       networks  using the --network option with a static IP address specified
804       for each using the ip mode for that option.
805
806
807   --ip6=ipv6
808       Specify  a  static  IPv6  address  for  the  container,   for   example
809       fd46:db93:aa76:ac37::10.  This option can only be used if the container
810       is joined to only a single network -  i.e.,  --network=network-name  is
811       used  at  most  once - and if the container is not joining another con‐
812       tainer's network namespace  via  --network=container:id.   The  address
813       must be within the network's IPv6 address pool.
814
815
816       To  specify  multiple static IPv6 addresses per container, set multiple
817       networks using the --network option with a static IPv6  address  speci‐
818       fied for each using the ip6 mode for that option.
819
820
821   --ipc=ipc
822       Set  the IPC namespace mode for a container. The default is to create a
823       private IPC namespace.
824
825
826              • "": Use Podman's default, defined in containers.conf.
827
828container:id: reuses another container's shared memory,  sema‐
829                phores, and message queues
830
831host:  use  the  host's shared memory, semaphores, and message
832                queues inside the container. Note: the  host  mode  gives  the
833                container  full access to local shared memory and is therefore
834                considered insecure.
835
836none:  private IPC namespace, with /dev/shm not mounted.
837
838ns:path: path to an IPC namespace to join.
839
840private: private IPC  namespace.   =  shareable:  private  IPC
841                namespace  with  a possibility to share it with other contain‐
842                ers.
843
844
845
846   --label, -l=key=value
847       Add metadata to a container.
848
849
850   --label-file=file
851       Read in a line-delimited file of labels.
852
853
854   --link-local-ip=ip
855       Not implemented.
856
857
858   --log-driver=driver
859       Logging driver for the container. Currently available options are  k8s-
860       file,  journald,  none  and passthrough, with json-file aliased to k8s-
861       file for scripting compatibility. (Default journald).
862
863
864       The podman info command below will display the default  log-driver  for
865       the system.
866
867
868              $ podman info --format '{{ .Host.LogDriver }}'
869              journald
870
871
872
873       The passthrough driver passes down the standard streams (stdin, stdout,
874       stderr) to the container.  It is not allowed  with  the  remote  Podman
875       client,  including  Mac and Windows (excluding WSL2) machines, and on a
876       tty, since it is vulnerable to attacks via TIOCSTI.
877
878
879   --log-opt=name=value
880       Logging driver specific options.
881
882
883       Set custom logging configuration. The following *name*s are supported:
884
885
886       path: specify a path to the log file
887           (e.g. --log-opt path=/var/log/container/mycontainer.json);
888
889
890       max-size: specify a max size of the log file
891           (e.g. --log-opt max-size=10mb);
892
893
894       tag: specify a custom log tag for the container
895           (e.g. --log-opt tag="{{.ImageName}}".  It supports the same keys as
896       podman  inspect  --format.   This option is currently supported only by
897       the journald log driver.
898
899
900   --mac-address=address
901       Container network interface MAC address (e.g.  92:d0:c6:0a:29:33)  This
902       option  can  only  be  used if the container is joined to only a single
903       network - i.e., --network=network-name is used at most once  -  and  if
904       the  container is not joining another container's network namespace via
905       --network=container:id.
906
907
908       Remember that the MAC address in an Ethernet network  must  be  unique.
909       The  IPv6  link-local address will be based on the device's MAC address
910       according to RFC4862.
911
912
913       To specify multiple static MAC addresses per  container,  set  multiple
914       networks using the --network option with a static MAC address specified
915       for each using the mac mode for that option.
916
917
918   --memory, -m=number[unit]
919       Memory limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or
920       g (gibibytes).
921
922
923       Allows  the  memory  available to a container to be constrained. If the
924       host supports swap memory, then the -m memory  setting  can  be  larger
925       than  physical  RAM.  If  a limit of 0 is specified (not using -m), the
926       container's memory is not limited. The actual limit may be  rounded  up
927       to  a  multiple of the operating system's page size (the value would be
928       very large, that's millions of trillions).
929
930
931       This option is not supported on cgroups V1 rootless systems.
932
933
934   --memory-reservation=number[unit]
935       Memory  soft  limit.  A  unit  can  be  b  (bytes),  k  (kibibytes),  m
936       (mebibytes), or g (gibibytes).
937
938
939       After  setting  memory reservation, when the system detects memory con‐
940       tention or low memory, containers are forced to restrict their consump‐
941       tion  to  their  reservation.  So you should always set the value below
942       --memory, otherwise the hard limit will take  precedence.  By  default,
943       memory reservation will be the same as memory limit.
944
945
946       This option is not supported on cgroups V1 rootless systems.
947
948
949   --memory-swap=number[unit]
950       A  limit  value  equal to memory plus swap.  A unit can be b (bytes), k
951       (kibibytes), m (mebibytes), or g (gibibytes).
952
953
954       Must be used with the -m (--memory) flag.  The  argument  value  should
955       always be larger than that of
956        -m (--memory) By default, it is set to double the value of --memory.
957
958
959       Set number to -1 to enable unlimited swap.
960
961
962       This option is not supported on cgroups V1 rootless systems.
963
964
965   --memory-swappiness=number
966       Tune  a  container's memory swappiness behavior. Accepts an integer be‐
967       tween 0 and 100.
968
969
970       This flag is only supported on cgroups V1 rootful systems.
971
972
973   --mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
974       Attach a filesystem mount to the container
975
976
977       Current supported mount TYPEs are bind, volume, image,  tmpfs  and  de‐
978       vpts. [1] ⟨#Footnote1⟩
979
980
981                 e.g.
982
983                 type=bind,source=/path/on/host,destination=/path/in/container
984
985                 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
986
987                 type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true
988
989                 type=volume,source=vol1,destination=/path/in/container,ro=true
990
991                 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
992
993                 type=image,source=fedora,destination=/fedora-image,rw=true
994
995                 type=devpts,destination=/dev/pts
996
997                 Common Options:
998
999                    · src, source: mount source spec for bind and volume. Mandatory for bind.
1000
1001                    · dst, destination, target: mount destination spec.
1002
1003                 Options specific to volume:
1004
1005                    · ro, readonly: true or false (default).
1006
1007                    . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1008
1009                    · idmap: true or false (default).  If specified, create an idmapped mount to the target user namespace in the container.
1010
1011                 Options specific to image:
1012
1013                    · rw, readwrite: true or false (default).
1014
1015                 Options specific to bind:
1016
1017                    · ro, readonly: true or false (default).
1018
1019                    · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2).
1020
1021                    . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive.
1022
1023                    . relabel: shared, private.
1024
1025                    · idmap: true or false (default).  If specified, create an idmapped mount to the target user namespace in the container.
1026
1027                    . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1028
1029                 Options specific to tmpfs:
1030
1031                    · ro, readonly: true or false (default).
1032
1033                    · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
1034
1035                    · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
1036
1037                    · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
1038
1039                    · notmpcopyup: Disable copying files from the image to the tmpfs.
1040
1041                    . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
1042
1043                 Options specific to devpts:
1044
1045                    · uid: UID of the file owner (default 0).
1046
1047                    · gid: GID of the file owner (default 0).
1048
1049                    · mode: permission mask for the file (default 600).
1050
1051                    · max: maximum number of PTYs (default 1048576).
1052
1053
1054
1055   --name=name
1056       Assign a name to the container.
1057
1058
1059       The operator can identify a container in three ways:
1060
1061
1062              • UUID                      long                      identifier
1063                (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
1064
1065              • UUID short identifier (“f78375b1c487”);
1066
1067              • Name (“jonah”).
1068
1069
1070
1071       Podman  generates  a  UUID for each container, and if a name is not as‐
1072       signed to the container with --name then  it  will  generate  a  random
1073       string  name.  The name is useful any place you need to identify a con‐
1074       tainer.  This works for both background and foreground containers.
1075
1076
1077   --network=mode, --net
1078       Set the network mode for the container.
1079
1080
1081       Valid mode values are:
1082
1083
1084bridge[:OPTIONS,...]: Create a network stack  on  the  default
1085                bridge. This is the default for rootful containers. It is pos‐
1086                sible to specify these additional options:
1087
1088alias=name: Add network-scoped alias for the container.
1089
1090ip=IPv4: Specify a static ipv4 address for this container.
1091
1092ip=IPv6: Specify a static ipv6 address for this container.
1093
1094mac=MAC: Specify a static mac address for this container.
1095
1096interface_name: Specify a name for the created  network  in‐
1097                  terface inside the container.
1098
1099
1100
1101
1102
1103       For  example to set a static ipv4 address and a static mac address, use
1104       --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.  - <network  name
1105       or  ID>[:OPTIONS,...]:  Connect  to a user-defined network; this is the
1106       network name or ID from a network created by podman network create. Us‐
1107       ing the network name implies the bridge network mode. It is possible to
1108       specify the same options described under the bridge mode above. You can
1109       use the --network option multiple times to specify additional networks.
1110       - none: Create a network namespace for the container but do not config‐
1111       ure  network  interfaces for it, thus the container has no network con‐
1112       nectivity.  - container:id: Reuse another container's network stack.  -
1113       host:  Do  not  create  a network namespace, the container will use the
1114       host's network. Note: The host mode gives the container full access  to
1115       local  system  services such as D-bus and is therefore considered inse‐
1116       cure.  - ns:path: Path to a network namespace to join.  - private: Cre‐
1117       ate  a  new  namespace for the container. This will use the bridge mode
1118       for  rootful  containers  and  slirp4netns  for   rootless   ones.    -
1119       slirp4netns[:OPTIONS,...]:  use slirp4netns(1) to create a user network
1120       stack. This is the default for rootless containers. It is  possible  to
1121       specify  these  additional  options,  they  can  also  be set with net‐
1122       work_cmd_options in containers.conf:
1123         - allow_host_loopback=true|false: Allow slirp4netns to reach the host
1124       loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr
1125       subnet when changed, see the cidr option below). The default is false.
1126         - mtu=MTU: Specify the MTU to  use  for  this  network.  (Default  is
1127       65520).
1128         -  cidr=CIDR:  Specify  ip range to use for this network. (Default is
1129       10.0.2.0/24).
1130         - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for
1131       outbound_addr6).
1132         -  outbound_addr=INTERFACE:  Specify  the  outbound  interface  slirp
1133       should bind to (ipv4 traffic only).
1134         - outbound_addr=IPv4: Specify the outbound ipv4 address slirp  should
1135       bind to.
1136         -  outbound_addr6=INTERFACE:  Specify  the  outbound  interface slirp
1137       should bind to (ipv6 traffic only).
1138         - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should
1139       bind to.
1140         -  port_handler=rootlesskit: Use rootlesskit for port forwarding. De‐
1141       fault.
1142         Note: Rootlesskit changes the source IP address of  incoming  packets
1143       to   an   IP  address  in  the  container  network  namespace,  usually
1144       10.0.2.100. If your application requires the real  source  IP  address,
1145       e.g. web server logs, use the slirp4netns port handler. The rootlesskit
1146       port handler is also used for rootless  containers  when  connected  to
1147       user-defined networks.
1148         -  port_handler=slirp4netns:  Use the slirp4netns port forwarding, it
1149       is slower than rootlesskit but preserves the correct source IP address.
1150       This port handler cannot be used for user-defined networks.
1151
1152
1153       Invalid  if  using  --dns, --dns-option, or --dns-search with --network
1154       set to none or container:id.
1155
1156
1157       If used together with --pod, the container will not join the pod's net‐
1158       work namespace.
1159
1160
1161   --network-alias=alias
1162       Add a network-scoped alias for the container, setting the alias for all
1163       networks that the container joins. To set a name only  for  a  specific
1164       network,  use the alias option as described under the --network option.
1165       If the network has DNS enabled (podman  network  inspect  -f  {{.DNSEn‐
1166       abled}}  <name>),  these aliases can be used for name resolution on the
1167       given network. This option can be specified multiple times.  NOTE: When
1168       using  CNI  a  container  will only have access to aliases on the first
1169       network that  it  joins.  This  limitation  does  not  exist  with  ne‐
1170       tavark/aardvark-dns.
1171
1172
1173   --no-healthcheck
1174       Disable any defined healthchecks for container.
1175
1176
1177   --no-hosts
1178       Do  not  create  /etc/hosts for the container.  By default, Podman will
1179       manage /etc/hosts, adding the container's own IP address and any  hosts
1180       from  --add-host.  --no-hosts disables this, and the image's /etc/hosts
1181       will be preserved unmodified.
1182
1183
1184       This option conflicts with --add-host.
1185
1186
1187   --oom-kill-disable
1188       Whether to disable OOM Killer for the container or not.
1189
1190
1191       This flag is not supported on cgroups V2 systems.
1192
1193
1194   --oom-score-adj=num
1195       Tune the host's OOM preferences for  containers  (accepts  values  from
1196       -1000 to 1000).
1197
1198
1199   --os=OS
1200       Override  the OS, defaults to hosts, of the image to be pulled. For ex‐
1201       ample, windows.  Unless overridden, subsequent lookups of the same  im‐
1202       age in the local storage will match this OS, regardless of the host.
1203
1204
1205   --passwd
1206       Allow  Podman to add entries to /etc/passwd and /etc/group when used in
1207       conjunction with the --user option.  This is used to override the  Pod‐
1208       man  provided  user setup in favor of entrypoint configurations such as
1209       libnss-extrausers.
1210
1211
1212   --passwd-entry=ENTRY
1213       Customize the entry that is written to the /etc/passwd file within  the
1214       container when --passwd is used.
1215
1216
1217       The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically re‐
1218       placed with their value at runtime.
1219
1220
1221   --personality=persona
1222       Personality sets the execution domain via Linux personality(2).
1223
1224
1225   --pid=mode
1226       Set the PID namespace mode for the container.  The default is to create
1227       a private PID namespace for the container.
1228
1229
1230container:id: join another container's PID namespace;
1231
1232host: use the host's PID namespace for the container. Note the
1233                host mode gives the container full access to local PID and  is
1234                therefore considered insecure;
1235
1236ns:path: join the specified PID namespace;
1237
1238private: create a new namespace for the container (default).
1239
1240
1241
1242   --pidfile=path
1243       When the pidfile location is specified, the container process' PID will
1244       be written to the pidfile. (This option is not available with  the  re‐
1245       mote  Podman  client,  including  Mac  and Windows (excluding WSL2) ma‐
1246       chines) If the pidfile option is not specified, the container  process'
1247       PID  will  be written to /run/containers/storage/${storage-driver}-con‐
1248       tainers/$CID/userdata/pidfile.
1249
1250
1251       After the container is started, the location for  the  pidfile  can  be
1252       discovered with the following podman inspect command:
1253
1254
1255              $ podman inspect --format '{{ .PidFile }}' $CID
1256              /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile
1257
1258
1259
1260   --pids-limit=limit
1261       Tune  the  container's pids limit. Set to -1 to have unlimited pids for
1262       the container. The default is  4096  on  systems  that  support  "pids"
1263       cgroup controller.
1264
1265
1266   --platform=OS/ARCH
1267       Specify  the  platform for selecting the image.  (Conflicts with --arch
1268       and --os) The --platform option can be used to override the current ar‐
1269       chitecture and operating system.  Unless overridden, subsequent lookups
1270       of the same image in the local storage will match  this  platform,  re‐
1271       gardless of the host.
1272
1273
1274   --pod=name
1275       Run  container  in  an existing pod. If you want Podman to make the pod
1276       for you, prefix the pod name with new:.  To make a pod with more granu‐
1277       lar  options,  use the podman pod create command before creating a con‐
1278       tainer.  If a container is run with a pod, and the pod  has  an  infra-
1279       container, the infra-container will be started before the container is.
1280
1281
1282   --pod-id-file=file
1283       Run  container in an existing pod and read the pod's ID from the speci‐
1284       fied file.  If a container is run within a pod, and the pod has an  in‐
1285       fra-container, the infra-container will be started before the container
1286       is.
1287
1288
1289   --preserve-fds=N
1290       Pass down to the process N additional file descriptors (in addition  to
1291       0,  1,  2).   The total FDs will be 3+N.  (This option is not available
1292       with the remote Podman client, including  Mac  and  Windows  (excluding
1293       WSL2) machines)
1294
1295
1296   --privileged
1297       Give extended privileges to this container. The default is false.
1298
1299
1300       By default, Podman containers are unprivileged (=false) and cannot, for
1301       example, modify parts of the operating system. This is because  by  de‐
1302       fault  a container is only allowed limited access to devices. A "privi‐
1303       leged" container is given the  same  access  to  devices  as  the  user
1304       launching the container.
1305
1306
1307       A privileged container turns off the security features that isolate the
1308       container from the host. Dropped Capabilities, limited  devices,  read-
1309       only mount points, Apparmor/SELinux separation, and Seccomp filters are
1310       all disabled.
1311
1312
1313       Rootless containers cannot have more privileges than the  account  that
1314       launched them.
1315
1316
1317   --publish, -p=[[ip:][hostPort]:]containerPort[/protocol]
1318       Publish a container's port, or range of ports, to the host.
1319
1320
1321       Both  hostPort  and containerPort can be specified as a range of ports.
1322       When specifying ranges for both, the number of container ports  in  the
1323       range must match the number of host ports in the range.
1324
1325
1326       If  host IP is set to 0.0.0.0 or not set at all, the port will be bound
1327       on all IPs on the host.
1328
1329
1330       By default, Podman will publish TCP ports. To publish a  UDP  port  in‐
1331       stead,  give  udp  as  protocol. To publish both TCP and UDP ports, set
1332       --publish twice, with tcp, and udp as protocols  respectively.  Rootful
1333       containers can also publish ports using the sctp protocol.
1334
1335
1336       Host   port  does  not  have  to  be  specified  (e.g.  podman  run  -p
1337       127.0.0.1::80).  If it is not, the container port will be randomly  as‐
1338       signed a port on the host.
1339
1340
1341       Use podman port to see the actual mapping: podman port $CONTAINER $CON‐
1342       TAINERPORT.
1343
1344
1345       Note: If a container will be run within a pod, it is not  necessary  to
1346       publish  the  port for the containers in the pod. The port must only be
1347       published by the pod itself. Pod network stacks act  like  the  network
1348       stack  on  the  host - you have a variety of containers in the pod, and
1349       programs in the container, all sharing a single interface  and  IP  ad‐
1350       dress, and associated ports. If one container binds to a port, no other
1351       container can use that port within the pod while it is in use. Contain‐
1352       ers  in  the pod can also communicate over localhost by having one con‐
1353       tainer bind to localhost in the pod, and another connect to that port.
1354
1355
1356   --publish-all, -P
1357       Publish all exposed ports to random ports on the host  interfaces.  The
1358       default is false.
1359
1360
1361       When set to true, publish all exposed ports to the host interfaces.  If
1362       the operator uses -P (or -p) then Podman will make the exposed port ac‐
1363       cessible on the host and the ports will be available to any client that
1364       can reach the host.
1365
1366
1367       When using this option, Podman will bind any exposed port to  a  random
1368       port   on   the   host  within  an  ephemeral  port  range  defined  by
1369       /proc/sys/net/ipv4/ip_local_port_range.  To find  the  mapping  between
1370       the host ports and the exposed ports, use podman port.
1371
1372
1373   --pull=policy
1374       Pull image policy. The default is missing.
1375
1376
1377always:  Always  pull the image and throw an error if the pull
1378                fails.
1379
1380missing: Pull the image only if it could not be found  in  the
1381                local containers storage.  Throw an error if no image could be
1382                found and the pull fails.
1383
1384never: Never pull the image but use the  one  from  the  local
1385                containers  storage.   Throw  an  error  if  no image could be
1386                found.
1387
1388newer: Pull if the image on the registry is newer than the one
1389                in the local containers storage.  An image is considered to be
1390                newer when the digests  are  different.   Comparing  the  time
1391                stamps  is  prone  to errors.  Pull errors are suppressed if a
1392                local image was found.
1393
1394
1395
1396   --quiet, -q
1397       Suppress output information when pulling images
1398
1399
1400   --read-only
1401       Mount the container's root filesystem as read-only.
1402
1403
1404       By default a container will have its root filesystem writable  allowing
1405       processes  to write files anywhere. By specifying the --read-only flag,
1406       the container will have its root filesystem mounted as  read-only  pro‐
1407       hibiting any writes.
1408
1409
1410   --read-only-tmpfs
1411       If  container  is  running in --read-only mode, then mount a read-write
1412       tmpfs on /run, /tmp, and /var/tmp. The default is true.
1413
1414
1415   --replace
1416       If another container with the same name already exists, replace and re‐
1417       move it. The default is false.
1418
1419
1420   --requires=container
1421       Specify  one  or more requirements.  A requirement is a dependency con‐
1422       tainer that will be started before this container.  Containers  can  be
1423       specified  by  name  or ID, with multiple containers being separated by
1424       commas.
1425
1426
1427   --restart=policy
1428       Restart policy to follow when containers exit.  Restart policy will not
1429       take  effect  if  a  container is stopped via the podman kill or podman
1430       stop commands.
1431
1432
1433       Valid policy values are:
1434
1435
1436no                       : Do not restart containers on exit
1437
1438on-failure[:max_retries] : Restart containers when  they  exit
1439                with  a non-zero exit code, retrying indefinitely or until the
1440                optional max_retries count is hit
1441
1442always                   : Restart containers when they  exit,
1443                regardless of status, retrying indefinitely
1444
1445unless-stopped           : Identical to always
1446
1447
1448
1449       Please note that restart will not restart containers after a system re‐
1450       boot.  If this functionality is required in your environment,  you  can
1451       invoke Podman from a systemd.unit(5) file, or create an init script for
1452       whichever init system is in  use.   To  generate  systemd  unit  files,
1453       please see podman generate systemd.
1454
1455
1456   --rm
1457       Automatically remove the container when it exits. The default is false.
1458
1459
1460   --rmi
1461       After  exit of the container, remove the image unless another container
1462       is using it. The default is false.
1463
1464
1465   --rootfs
1466       If specified, the first argument refers to an exploded container on the
1467       file system.
1468
1469
1470       This  is  useful to run a container without requiring any image manage‐
1471       ment, the rootfs of the container is assumed to be managed externally.
1472
1473
1474       Overlay Rootfs Mounts
1475
1476
1477       The :O flag tells Podman to mount the directory from the rootfs path as
1478       storage using the overlay file system. The container processes can mod‐
1479       ify content within the mount point which is  stored  in  the  container
1480       storage in a separate directory. In overlay terms, the source directory
1481       will be the lower, and the container storage directory will be the  up‐
1482       per.  Modifications to the mount point are destroyed when the container
1483       finishes executing, similar to a tmpfs mount point being unmounted.
1484
1485
1486       Note: On SELinux systems, the rootfs needs the correct label, which  is
1487       by default unconfined_u:object_r:container_file_t:s0.
1488
1489
1490   --sdnotify=container | conmon | ignore
1491       Determines  how  to  use  the NOTIFY_SOCKET, as passed with systemd and
1492       Type=notify.
1493
1494
1495       Default is container, which means allow the OCI runtime  to  proxy  the
1496       socket  into  the  container to receive ready notification. Podman will
1497       set the MAINPID to conmon's pid.  The conmon  option  sets  MAINPID  to
1498       conmon's  pid,  and  sends  READY  when  the container has started. The
1499       socket is never passed to the runtime or the container.  The ignore op‐
1500       tion  removes  NOTIFY_SOCKET  from the environment for itself and child
1501       processes, for the case where some other process above Podman uses  NO‐
1502       TIFY_SOCKET and Podman should not use it.
1503
1504
1505   --seccomp-policy=policy
1506       Specify the policy to select the seccomp profile. If set to image, Pod‐
1507       man will look for a "io.containers.seccomp.profile" label in  the  con‐
1508       tainer-image  config and use its value as a seccomp profile. Otherwise,
1509       Podman will follow the default policy by applying the  default  profile
1510       unless  specified otherwise via --security-opt seccomp as described be‐
1511       low.
1512
1513
1514       Note that this feature is experimental and may change in the future.
1515
1516
1517   --secret=secret[,opt=opt ...]
1518       Give the container access to a secret. Can be specified multiple times.
1519
1520
1521       A secret is a blob of sensitive data which a container needs at runtime
1522       but  should  not  be  stored in the image or in source control, such as
1523       usernames and passwords, TLS certificates and keys, SSH keys  or  other
1524       important generic strings or binary content (up to 500 kb in size).
1525
1526
1527       When  secrets  are  specified as type mount, the secrets are copied and
1528       mounted into the container when a container is created.   When  secrets
1529       are  specified  as  type  env, the secret will be set as an environment
1530       variable within the container.  Secrets are written in the container at
1531       the  time  of container creation, and modifying the secret using podman
1532       secret commands after the container is created will not affect the  se‐
1533       cret inside the container.
1534
1535
1536       Secrets and its storage are managed using the podman secret command.
1537
1538
1539       Secret Options
1540
1541
1542type=mount|env    : How the secret will be exposed to the con‐
1543                tainer. Default mount.
1544
1545target=target     : Target of secret. Defaults to secret name.
1546
1547uid=0             : UID of secret. Defaults to 0. Mount secret
1548                type only.
1549
1550gid=0             : GID of secret. Defaults to 0. Mount secret
1551                type only.
1552
1553mode=0            : Mode of secret. Defaults  to  0444.  Mount
1554                secret type only.
1555
1556
1557
1558   --security-opt=option
1559       Security Options
1560
1561
1562apparmor=unconfined  :  Turn  off apparmor confinement for the
1563                container
1564
1565apparmor=your-profile : Set the apparmor  confinement  profile
1566                for the container
1567
1568label=user:USER:  Set  the  label  user for the container pro‐
1569                cesses
1570
1571label=role:ROLE: Set the label role  for  the  container  pro‐
1572                cesses
1573
1574label=type:TYPE:  Set the label process type for the container
1575                processes
1576
1577label=level:LEVEL: Set the label level for the container  pro‐
1578                cesses
1579
1580label=filetype:TYPE_:  Set  the  label  file type for the con‐
1581                tainer files
1582
1583label=disable: Turn off label separation for the container
1584
1585
1586
1587       Note: Labeling can be  disabled  for  all  containers  by  setting  la‐
1588       bel=false  in  the  containers.conf (/etc/containers/containers.conf or
1589       $HOME/.config/containers/containers.conf) file.
1590
1591
1592mask=/path/1:/path/2: The paths to mask separated by a  colon.
1593                A masked path cannot be accessed inside the container.
1594
1595no-new-privileges:  Disable  container  processes from gaining
1596                additional privileges
1597
1598seccomp=unconfined: Turn off seccomp confinement for the  con‐
1599                tainer.
1600
1601seccomp=profile.json:  JSON  file to be used as a seccomp fil‐
1602                ter. Note that the io.podman.annotations.seccomp annotation is
1603                set with the specified value as shown in podman inspect.
1604
1605proc-opts=OPTIONS : Comma-separated list of options to use for
1606                the /proc mount. More details for the possible  mount  options
1607                are specified in the proc(5) man page.
1608
1609unmask=ALL   or   /path/1:/path/2,  or  shell  expanded  paths
1610                (/proc/*): Paths to unmask separated by a  colon.  If  set  to
1611                ALL,  it  will  unmask  all  the paths that are masked or made
1612                read-only  by  default.   The   default   masked   paths   are
1613                /proc/acpi,   /proc/kcore,   /proc/keys,  /proc/latency_stats,
1614                /proc/sched_debug,        /proc/scsi,        /proc/timer_list,
1615                /proc/timer_stats,  /sys/firmware,  and /sys/fs/selinux..  The
1616                default paths that are read-only are /proc/asound,  /proc/bus,
1617                /proc/fs,     /proc/irq,    /proc/sys,    /proc/sysrq-trigger,
1618                /sys/fs/cgroup.
1619
1620
1621
1622       Note: Labeling can be  disabled  for  all  containers  by  setting  la‐
1623       bel=false in the containers.conf(5) file.
1624
1625
1626   --shm-size=number[unit]
1627       Size   of  /dev/shm.  A  unit  can  be  b  (bytes),  k  (kibibytes),  m
1628       (mebibytes), or g (gibibytes).  If the unit is omitted, the system uses
1629       bytes.  If  the  size  is omitted, the default is 64m.  When size is 0,
1630       there is no limit on the amount of memory used  for  IPC  by  the  con‐
1631       tainer.  This option conflicts with --ipc=host.
1632
1633
1634   --sig-proxy
1635       Proxy  received  signals  to the container process (non-TTY mode only).
1636       SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
1637
1638
1639       The default is true.
1640
1641
1642   --stop-signal=signal
1643       Signal to stop a container. Default is SIGTERM.
1644
1645
1646   --stop-timeout=seconds
1647       Timeout to stop a container. Default is 10.  Remote connections use lo‐
1648       cal containers.conf for defaults
1649
1650
1651   --subgidname=name
1652       Run  the  container  in a new user namespace using the map with name in
1653       the /etc/subgid file.  If running rootless, the user needs to have  the
1654       right  to  use  the  mapping.  See subgid(5).  This flag conflicts with
1655       --userns and --gidmap.
1656
1657
1658   --subuidname=name
1659       Run the container in a new user namespace using the map  with  name  in
1660       the  /etc/subuid file.  If running rootless, the user needs to have the
1661       right to use the mapping. See  subuid(5).   This  flag  conflicts  with
1662       --userns and --uidmap.
1663
1664
1665   --sysctl=name=value
1666       Configure namespaced kernel parameters at runtime.
1667
1668
1669       For the IPC namespace, the following sysctls are allowed:
1670
1671
1672              • kernel.msgmax
1673
1674              • kernel.msgmnb
1675
1676              • kernel.msgmni
1677
1678              • kernel.sem
1679
1680              • kernel.shmall
1681
1682              • kernel.shmmax
1683
1684              • kernel.shmmni
1685
1686              • kernel.shm_rmid_forced
1687
1688              • Sysctls beginning with fs.mqueue.*
1689
1690
1691
1692       Note:  if  you use the --ipc=host option, the above sysctls are not al‐
1693       lowed.
1694
1695
1696       For the network namespace, only sysctls beginning with  net.*  are  al‐
1697       lowed.
1698
1699
1700       Note:  if  you use the --network=host option, the above sysctls are not
1701       allowed.
1702
1703
1704   --systemd=true | false | always
1705       Run container in systemd mode. The default is true.
1706
1707
1708       The value always enforces the systemd mode is enforced without  looking
1709       at  the  executable name. Otherwise, if set to true and the command you
1710       are running inside the container is systemd, /usr/sbin/init, /sbin/init
1711       or /usr/local/sbin/init.
1712
1713
1714       Running the container in systemd mode causes the following changes:
1715
1716
1717              • Podman mounts tmpfs file systems on the following directories
1718
1719/run
1720
1721/run/lock
1722
1723/tmp
1724
1725/sys/fs/cgroup/systemd
1726
1727/var/lib/journal
1728
1729
1730
1731              • Podman sets the default stop signal to SIGRTMIN+3.
1732
1733              • Podman  sets  container_uuid  environment variable in the con‐
1734                tainer to the first 32 characters of the container id.
1735
1736
1737
1738       This allows systemd to run in a confined container without any  modifi‐
1739       cations.
1740
1741
1742       Note  that  on SELinux systems, systemd attempts to write to the cgroup
1743       file system. Containers writing to the cgroup file system are denied by
1744       default.   The container_manage_cgroup boolean must be enabled for this
1745       to be allowed on an SELinux separated system.
1746
1747
1748              setsebool -P container_manage_cgroup true
1749
1750
1751
1752   --timeout=seconds
1753       Maximum time a container is allowed to run before conmon sends  it  the
1754       kill  signal.   By  default  containers will run until they exit or are
1755       stopped by podman stop.
1756
1757
1758   --tls-verify
1759       Require HTTPS and verify certificates when contacting  registries  (de‐
1760       fault:  true).   If  explicitly  set  to true, TLS verification will be
1761       used.  If set to false, TLS verification will  not  be  used.   If  not
1762       specified,  TLS verification will be used unless the target registry is
1763       listed as an insecure registry in containers-registries.conf(5)
1764
1765
1766   --tmpfs=fs
1767       Create a tmpfs mount.
1768
1769
1770       Mount a temporary filesystem (tmpfs) mount into a container, for  exam‐
1771       ple:
1772
1773
1774              $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
1775
1776
1777
1778       This command mounts a tmpfs at /tmp within the container. The supported
1779       mount options are the same as the Linux default mount flags. If you  do
1780       not  specify  any  options,  the  system  uses  the  following options:
1781       rw,noexec,nosuid,nodev.
1782
1783
1784   --tty, -t
1785       Allocate a pseudo-TTY. The default is false.
1786
1787
1788       When set to true, Podman will allocate a pseudo-tty and attach  to  the
1789       standard  input of the container. This can be used, for example, to run
1790       a throwaway interactive shell.
1791
1792
1793       NOTE: The --tty flag prevents redirection of standard output.  It  com‐
1794       bines  STDOUT  and STDERR, it can insert control characters, and it can
1795       hang pipes. This option should only be used when run interactively in a
1796       terminal. When feeding input to Podman, use -i only, not -it.
1797
1798
1799              echo "asdf" | podman run --rm -i someimage /bin/cat
1800
1801
1802
1803   --tz=timezone
1804       Set  timezone  in  container. This flag takes area-based timezones, GMT
1805       time, as well as local, which sets the timezone  in  the  container  to
1806       match  the  host machine. See /usr/share/zoneinfo/ for valid timezones.
1807       Remote connections use local containers.conf for defaults
1808
1809
1810   --uidmap=container_uid:from_uid:amount
1811       Run the container in a new user namespace using the supplied  UID  map‐
1812       ping. This option conflicts with the --userns and --subuidname options.
1813       This option provides a way to map host UIDs to container UIDs.  It  can
1814       be passed several times to map different ranges.
1815
1816
1817       The  _fromuid  value is based upon the user running the command, either
1818       rootful    or    rootless    users.     *    rootful    user:      con‐
1819       tainer_uid:host_uid:amount  *  rootless  user: container_uid:intermedi‐
1820       ate_uid:amount
1821
1822
1823       When podman run is called by a privileged  user,  the  option  --uidmap
1824       works as a direct mapping between host UIDs and container UIDs.
1825
1826
1827       host UID -> container UID
1828
1829
1830       The  amount  specifies  the  number  of  consecutive  UIDs that will be
1831       mapped.  If for example amount is 4 the mapping would look like:
1832
1833
1834       |    host  UID      |     container  UID     |  |  -               |  -
1835       | | _fromuid     | _containeruid     | | _fromuid + 1 | _containeruid +
1836       1 | | _fromuid + 2 | _containeruid + 2 | | _fromuid + 3 | _containeruid
1837       + 3 |
1838
1839
1840       When  podman  run is called by an unprivileged user (i.e. running root‐
1841       less), the value _fromuid is interpreted as an "intermediate  UID".  In
1842       the rootless case, host UIDs are not mapped directly to container UIDs.
1843       Instead the mapping happens over two mapping steps:
1844
1845
1846       host UID -> intermediate UID -> container UID
1847
1848
1849       The --uidmap option only influences the second mapping step.
1850
1851
1852       The first mapping step is derived by Podman from the  contents  of  the
1853       file /etc/subuid and the UID of the user calling Podman.
1854
1855
1856       First mapping step:
1857
1858
1859       | host UID                                         | intermediate UID |
1860       | -                                                |                - |
1861       | UID for the user starting Podman                 |                0 |
1862       | 1st subordinate UID for the user starting Podman |                1 |
1863       | 2nd subordinate UID for the user starting Podman |                2 |
1864       | 3rd subordinate UID for the user starting Podman |                3 |
1865       | nth subordinate UID for the user starting Podman |                n |
1866
1867
1868       To  be  able to use intermediate UIDs greater than zero, the user needs
1869       to have subordinate UIDs configured in /etc/subuid. See subuid(5).
1870
1871
1872       The second mapping step is configured with --uidmap.
1873
1874
1875       If for example amount is 5 the second mapping step would look like:
1876
1877
1878       |   intermediate UID   |    container UID    | | -                    |
1879       -                    |  |  _fromuid            |  _containeruid     | |
1880       _fromuid + 1       | _containeruid + 1 | | _fromuid + 2        |  _con‐
1881       taineruid + 2 | | _fromuid + 3       | _containeruid + 3 | | _fromuid +
1882       4       | _containeruid + 4 |
1883
1884
1885       When running as rootless, Podman will use all the ranges configured  in
1886       the /etc/subuid file.
1887
1888
1889       The  current user ID is mapped to UID=0 in the rootless user namespace.
1890       Every additional range is added sequentially afterward:
1891
1892
1893       |     host                  |rootless   user   namespace    |    length
1894       |    |    -                        |    -                         |   -
1895       |   |    $UID                     |    0                         |    1
1896       |     |     1                         |     $FIRST_RANGE_ID           |
1897       $FIRST_RANGE_LENGTH  |  |  1+$FIRST_RANGE_LENGTH   |   $SECOND_RANGE_ID
1898       | $SECOND_RANGE_LENGTH|
1899
1900
1901       Even  if  a  user  does  not have any subordinate UIDs in  /etc/subuid,
1902       --uidmap could still be used to map the normal UID of  the  user  to  a
1903       container  UID by running podman run --uidmap $container_uid:0:1 --user
1904       $container_uid ....
1905
1906
1907       Note: the --uidmap flag cannot be called in conjunction with the  --pod
1908       flag as a uidmap cannot be set on the container level when in a pod.
1909
1910
1911   --ulimit=option
1912       Ulimit options. You can use host to copy the current configuration from
1913       the host.
1914
1915
1916   --umask=umask
1917       Set the umask inside the container. Defaults to 0022.   Remote  connec‐
1918       tions use local containers.conf for defaults
1919
1920
1921   --unsetenv=env
1922       Unset default environment variables for the container. Default environ‐
1923       ment variables include variables provided natively by Podman,  environ‐
1924       ment  variables configured by the image, and environment variables from
1925       containers.conf.
1926
1927
1928   --unsetenv-all
1929       Unset all default environment variables for the container. Default  en‐
1930       vironment  variables include variables provided natively by Podman, en‐
1931       vironment variables configured by the image, and environment  variables
1932       from containers.conf.
1933
1934
1935   --user, -u=user[:group]
1936       Sets the username or UID used and, optionally, the groupname or GID for
1937       the specified command. Both user and group may be symbolic or numeric.
1938
1939
1940       Without this argument, the command will run as the  user  specified  in
1941       the  container  image.  Unless overridden by a USER command in the Con‐
1942       tainerfile or by a value passed to this option, this user generally de‐
1943       faults to root.
1944
1945
1946       When  a  user  namespace is not in use, the UID and GID used within the
1947       container and on the host will match. When user namespaces are in  use,
1948       however, the UID and GID in the container may correspond to another UID
1949       and GID on the host. In rootless containers, for example, a user  name‐
1950       space  is always used, and root in the container will by default corre‐
1951       spond to the UID and GID of the user invoking Podman.
1952
1953
1954   --userns=mode
1955       Set the user namespace mode for the container. It defaults to the  POD‐
1956       MAN_USERNS  environment  variable. An empty value ("") means user name‐
1957       spaces are disabled unless an explicit mapping is set with the --uidmap
1958       and --gidmap options.
1959
1960
1961       This  option  is incompatible with --gidmap, --uidmap, --subuidname and
1962       --subgidname.
1963
1964
1965       Rootless user --userns=Key mappings:
1966
1967
1968       ┌────────┬───────────┬─────────────────────┐
1969Key     Host User Container User      
1970       ├────────┼───────────┼─────────────────────┤
1971       │""      │ $UID      │ 0 (Default User ac‐ │
1972       │        │           │ count   mapped   to │
1973       │        │           │ root user  in  con‐ │
1974       │        │           │ tainer.)            │
1975       ├────────┼───────────┼─────────────────────┤
1976       │keep-id │ $UID      │ $UID  (Map user ac‐ │
1977       │        │           │ count to  same  UID │
1978       │        │           │ within container.)  │
1979       ├────────┼───────────┼─────────────────────┤
1980       │auto    │ $UID      │ nil  (Host User UID │
1981       │        │           │ is not mapped  into │
1982       │        │           │ container.)         │
1983       ├────────┼───────────┼─────────────────────┤
1984       │nomap   │ $UID      │ nil  (Host User UID │
1985       │        │           │ is not mapped  into │
1986       │        │           │ container.)         │
1987       └────────┴───────────┴─────────────────────┘
1988
1989       Valid mode values are:
1990
1991
1992       auto[:OPTIONS,...]: automatically create a unique user namespace.
1993
1994
1995       The  --userns=auto  flag,  requires that the user name containers and a
1996       range of subordinate user ids that the Podman container is  allowed  to
1997       use be specified in the /etc/subuid and /etc/subgid files.
1998
1999
2000       Example: containers:2147483647:2147483648.
2001
2002
2003       Podman  allocates  unique  ranges  of UIDs and GIDs from the containers
2004       subordinate user ids. The size of the ranges is based on the number  of
2005       UIDs required in the image. The number of UIDs and GIDs can be overrid‐
2006       den with the size option.
2007
2008
2009       The rootless option --userns=keep-id uses all the subuids  and  subgids
2010       of  the user. Using --userns=auto when starting new containers will not
2011       work  as  long  as  any  containers  exist  that  were   started   with
2012       --userns=keep-id.
2013
2014
2015       Valid auto options:
2016
2017
2018gidmapping=_CONTAINER_GID:HOSTGID:SIZE: to force a GID mapping
2019                to be present in the user namespace.
2020
2021size=SIZE: to specify an explicit size for the automatic  user
2022                namespace. e.g. --userns=auto:size=8192. If size is not speci‐
2023                fied, auto will estimate a size for the user namespace.
2024
2025uidmapping=_CONTAINER_UID:HOSTUID:SIZE: to force a UID mapping
2026                to be present in the user namespace.
2027
2028
2029
2030       container:id: join the user namespace of the specified container.
2031
2032
2033       host: run in the user namespace of the caller. The processes running in
2034       the container will have the same privileges on the host  as  any  other
2035       process launched by the calling user (default).
2036
2037
2038       keep-id:  creates  a  user  namespace where the current rootless user's
2039       UID:GID are mapped to the same values in the container. This option  is
2040       not allowed for containers created by the root user.
2041
2042
2043       Valid keep-id options:
2044
2045
2046uid=UID:  override  the  UID inside the container that will be
2047                used to map the current rootless user to.
2048
2049gid=GID: override the GID inside the container  that  will  be
2050                used to map the current rootless user to.
2051
2052
2053
2054       nomap:  creates  a  user  namespace  where  the current rootless user's
2055       UID:GID are not mapped into the container. This option is  not  allowed
2056       for containers created by the root user.
2057
2058
2059       ns:namespace: run the container in the given existing user namespace.
2060
2061
2062   --uts=mode
2063       Set  the UTS namespace mode for the container. The following values are
2064       supported:
2065
2066
2067host: use the host's UTS namespace inside the container.
2068
2069private: create a new namespace for the container (default).
2070
2071ns:[path]: run the container in the given existing  UTS  name‐
2072                space.
2073
2074container:[container]: join the UTS namespace of the specified
2075                container.
2076
2077
2078
2079   --variant=VARIANT
2080       Use VARIANT instead of the default architecture  variant  of  the  con‐
2081       tainer  image.  Some images can use multiple variants of the arm archi‐
2082       tectures, such as arm/v5 and arm/v7.
2083
2084
2085   --volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]
2086       Create a bind mount. If -v /HOST-DIR:/CONTAINER-DIR is specified,  Pod‐
2087       man bind mounts /HOST-DIR from the host into /CONTAINER-DIR in the Pod‐
2088       man container. Similarly, -v  SOURCE-VOLUME:/CONTAINER-DIR  will  mount
2089       the  named  volume  from  the host into the container. If no such named
2090       volume exists, Podman will create one. If no source is given, the  vol‐
2091       ume will be created as an anonymously named volume with a randomly gen‐
2092       erated name, and will be removed when the container is removed via  the
2093       --rm flag or the podman rm --volumes command.
2094
2095
2096       (Note  when using the remote client, including Mac and Windows (exclud‐
2097       ing WSL2) machines, the volumes will be mounted from the remote server,
2098       not necessarily the client machine.)
2099
2100
2101       The OPTIONS is a comma-separated list and can be: [1] ⟨#Footnote1⟩
2102
2103
2104rw|ro
2105
2106z|Z
2107
2108              • [O]
2109
2110              • [U]
2111
2112              • [no]copy
2113
2114              • [no]dev
2115
2116              • [no]exec
2117
2118              • [no]suid
2119
2120              • [r]bind
2121
2122              • [r]shared|[r]slave|[r]private[r]unbindable
2123
2124
2125
2126       The  CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
2127       ume will be mounted into the container at this directory.
2128
2129
2130       If a volume source is specified, it must be a path on the host  or  the
2131       name  of a named volume. Host paths are allowed to be absolute or rela‐
2132       tive; relative paths are resolved relative to the directory  Podman  is
2133       run  in.  If  the  source  does not exist, Podman will return an error.
2134       Users must pre-create the source files or directories.
2135
2136
2137       Any source that does not begin with a . or / will  be  treated  as  the
2138       name  of  a named volume. If a volume with that name does not exist, it
2139       will be created.  Volumes created with names  are  not  anonymous,  and
2140       they  are  not  removed  by the --rm option and the podman rm --volumes
2141       command.
2142
2143
2144       Specify multiple -v options to mount one or more volumes  into  a  con‐
2145       tainer.
2146
2147
2148       Write Protected Volume Mounts
2149
2150
2151       Add  :ro  or  :rw  option  to mount a volume in read-only or read-write
2152       mode, respectively. By default, the  volumes  are  mounted  read-write.
2153       See examples.
2154
2155
2156       Chowning Volume Mounts
2157
2158
2159       By default, Podman does not change the owner and group of source volume
2160       directories mounted into containers. If a container is created in a new
2161       user  namespace, the UID and GID in the container may correspond to an‐
2162       other UID and GID on the host.
2163
2164
2165       The :U suffix tells Podman to use the correct host UID and GID based on
2166       the  UID  and GID within the container, to change recursively the owner
2167       and group of the source volume.
2168
2169
2170       Warning use with caution since this will modify the host filesystem.
2171
2172
2173       Labeling Volume Mounts
2174
2175
2176       Labeling systems like SELinux require that proper labels are placed  on
2177       volume  content mounted into a container. Without a label, the security
2178       system might prevent the processes running inside  the  container  from
2179       using the content. By default, Podman does not change the labels set by
2180       the OS.
2181
2182
2183       To change a label in the container context, add either of two  suffixes
2184       :z  or  :Z  to  the volume mount. These suffixes tell Podman to relabel
2185       file objects on the shared volumes. The z option tells Podman that  two
2186       containers  share  the  volume  content. As a result, Podman labels the
2187       content with a shared content label. Shared  volume  labels  allow  all
2188       containers  to  read/write content.  The Z option tells Podman to label
2189       the content with a private unshared label.  Only the current  container
2190       can use a private volume.
2191
2192
2193       Note:  Do  not  relabel system files and directories. Relabeling system
2194       content might cause other confined services on your  machine  to  fail.
2195       For  these  types  of containers we recommend disabling SELinux separa‐
2196       tion.  The option --security-opt label=disable disables SELinux separa‐
2197       tion  for  the container.  For example if a user wanted to volume mount
2198       their entire home directory into a  container,  they  need  to  disable
2199       SELinux separation.
2200
2201
2202                 $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
2203
2204
2205
2206       Overlay Volume Mounts
2207
2208
2209       The :O flag tells Podman to mount the directory from the host as a tem‐
2210       porary storage using the overlay file system. The  container  processes
2211       can  modify  content  within the mountpoint which is stored in the con‐
2212       tainer storage in a separate directory. In overlay  terms,  the  source
2213       directory  will  be the lower, and the container storage directory will
2214       be the upper. Modifications to the mount point are destroyed  when  the
2215       container  finishes executing, similar to a tmpfs mount point being un‐
2216       mounted.
2217
2218
2219       For advanced users,  the  overlay  option  also  supports  custom  non-
2220       volatile  upperdir  and  workdir for the overlay mount. Custom upperdir
2221       and workdir can be fully managed by the users  themselves,  and  Podman
2222       will   not   remove   it   on  lifecycle  completion.   Example  :O,up‐
2223       perdir=/some/upper,workdir=/some/work
2224
2225
2226       Subsequent executions of the container will see the original source di‐
2227       rectory  content,  any  changes  from  previous container executions no
2228       longer exist.
2229
2230
2231       One use case of the overlay mount is sharing the package cache from the
2232       host into the container to allow speeding up builds.
2233
2234
2235       Note:
2236
2237
2238               - The `O` flag conflicts with other options listed above.
2239
2240
2241
2242       Content mounted into the container is labeled with the private label.
2243              On SELinux systems, labels in the source directory must be read‐
2244       able by the  container label. Usually containers can read/execute  con‐
2245       tainer_share_t and can read/write container_file_t. If unable to change
2246       the labels on a source volume, SELinux  container  separation  must  be
2247       disabled for the  container to work.
2248            -  The source directory mounted into the container with an overlay
2249       mount should not be modified, it can cause unexpected failures.  It  is
2250       recommended  to  not  modify the directory until the container finishes
2251       running.
2252
2253
2254       Mounts propagation
2255
2256
2257       By default bind mounted volumes are private. That means any mounts done
2258       inside  the  container  will not be visible on host and vice versa. One
2259       can change this behavior by specifying a volume mount propagation prop‐
2260       erty.  Making  a volume shared mounts done under that volume inside the
2261       container will be visible on host and vice versa. Making a volume slave
2262       enables  only one way mount propagation and that is mounts done on host
2263       under that volume will be visible inside container but  not  the  other
2264       way around. [1] ⟨#Footnote1⟩
2265
2266
2267       To  control  mount  propagation  property  of  a volume one can use the
2268       [r]shared, [r]slave, [r]private or the [r]unbindable propagation  flag.
2269       Propagation property can be specified only for bind mounted volumes and
2270       not for internal volumes or named volumes.  For  mount  propagation  to
2271       work  the  source  mount  point  (the  mount  point where source dir is
2272       mounted on) has to have the right propagation  properties.  For  shared
2273       volumes,  the  source  mount point has to be shared. And for slave vol‐
2274       umes, the source mount point has to be either  shared  or  slave.   [1]
2275       ⟨#Footnote1⟩
2276
2277
2278       To  recursively  mount  a  volume  and all of its submounts into a con‐
2279       tainer, use the rbind option. By default the bind option is  used,  and
2280       submounts  of  the  source  directory will not be mounted into the con‐
2281       tainer.
2282
2283
2284       Mounting the volume with the nosuid options means  that  SUID  applica‐
2285       tions  on the volume will not be able to change their privilege. By de‐
2286       fault volumes are mounted with nosuid.
2287
2288
2289       Mounting the volume with the noexec option means that no executables on
2290       the volume will be able to be executed within the container.
2291
2292
2293       Mounting  the volume with the nodev option means that no devices on the
2294       volume will be able to be used by processes within  the  container.  By
2295       default volumes are mounted with nodev.
2296
2297
2298       If  the HOST-DIR is a mount point, then dev, suid, and exec options are
2299       ignored by the kernel.
2300
2301
2302       Use df HOST-DIR to figure out the source mount,  then  use  findmnt  -o
2303       TARGET,PROPAGATION  source-mount-dir  to figure out propagation proper‐
2304       ties of source mount. If findmnt(1) utility is not available, then  one
2305       can   look   at   the  mount  entry  for  the  source  mount  point  in
2306       /proc/self/mountinfo. Look at the "optional  fields"  and  see  if  any
2307       propagation  properties  are  specified.   In there, shared:N means the
2308       mount is shared, master:N means mount  is  slave,  and  if  nothing  is
2309       there, the mount is private. [1] ⟨#Footnote1⟩
2310
2311
2312       To  change  propagation  properties of a mount point, use mount(8) com‐
2313       mand. For example, if one wants to bind mount  source  directory  /foo,
2314       one  can  do  mount  --bind  /foo /foo and mount --make-private --make-
2315       shared /foo. This will convert /foo into a shared mount point. Alterna‐
2316       tively, one can directly change propagation properties of source mount.
2317       Say / is source mount for /foo, then use mount --make-shared / to  con‐
2318       vert / into a shared mount.
2319
2320
2321       Note:  if  the  user  only has access rights via a group, accessing the
2322       volume from inside a rootless container will fail.
2323
2324
2325       Use the --group-add keep-groups option to pass the user's supplementary
2326       group access into the container.
2327
2328
2329   --volumes-from=CONTAINER[:OPTIONS]
2330       Mount  volumes  from  the specified container(s). Used to share volumes
2331       between containers. The options is a comma-separated list with the fol‐
2332       lowing available elements:
2333
2334
2335rw|ro
2336
2337z
2338
2339
2340
2341       Mounts  already  mounted  volumes  from a source container onto another
2342       container. CONTAINER may be a name or ID.  To share a volume,  use  the
2343       --volumes-from option when running the target container. Volumes can be
2344       shared even if the source container is not running.
2345
2346
2347       By default, Podman mounts the volumes in the same mode  (read-write  or
2348       read-only)  as  it  is  mounted  in  the source container.  This can be
2349       changed by adding a ro or rw option.
2350
2351
2352       Labeling systems like SELinux require that proper labels are placed  on
2353       volume  content mounted into a container. Without a label, the security
2354       system might prevent the processes running inside  the  container  from
2355       using the content. By default, Podman does not change the labels set by
2356       the OS.
2357
2358
2359       To change a label in the container context, add z to the volume  mount.
2360       This suffix tells Podman to relabel file objects on the shared volumes.
2361       The z option tells Podman that two entities share the  volume  content.
2362       As  a  result,  Podman  labels the content with a shared content label.
2363       Shared volume labels allow all containers to read/write content.
2364
2365
2366       If the location of the volume from the source container  overlaps  with
2367       data residing on a target container, then the volume hides that data on
2368       the target.
2369
2370
2371   --workdir, -w=dir
2372       Working directory inside the container.
2373
2374
2375       The default working directory for running binaries within  a  container
2376       is the root directory (/).  The image developer can set a different de‐
2377       fault with the WORKDIR instruction. The operator can override the work‐
2378       ing directory by using the -w option.
2379
2380

Exit Status

2382       The exit code from podman run gives information about why the container
2383       failed to run or why it exited. When podman run exits with  a  non-zero
2384       code, the exit codes follow the chroot(1) standard, see below:
2385
2386
2387       125 The error is with Podman itself
2388
2389
2390              $ podman run --foo busybox; echo $?
2391              Error: unknown flag: --foo
2392              125
2393
2394
2395
2396       126 The contained command cannot be invoked
2397
2398
2399              $ podman run busybox /etc; echo $?
2400              Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
2401              126
2402
2403
2404
2405       127 The contained command cannot be found
2406
2407
2408              $ podman run busybox foo; echo $?
2409              Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
2410              127
2411
2412
2413
2414       Exit code contained command exit code
2415
2416
2417              $ podman run busybox /bin/sh -c 'exit 3'; echo $?
2418              3
2419
2420
2421

EXAMPLES

2423   Running container in read-only mode
2424       During  container  image development, containers often need to write to
2425       the image content. Installing packages into /usr, for example. In  pro‐
2426       duction, applications seldom need to write to the image.  Container ap‐
2427       plications write to volumes if they need to write to  file  systems  at
2428       all.  Applications can be made more secure by running them in read-only
2429       mode using the --read-only switch.  This protects the container's image
2430       from  modification. Read-only containers may still need to write tempo‐
2431       rary data. The best way to handle this is to mount tmpfs directories on
2432       /run and /tmp.
2433
2434
2435              $ podman run --read-only -i -t fedora /bin/bash
2436
2437              $ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash
2438
2439
2440
2441   Exposing log messages from the container to the host's log
2442       If  you  want  messages that are logged in your container to show up in
2443       the host's syslog/journal then you should bind mount the  /dev/log  di‐
2444       rectory as follows.
2445
2446
2447              $ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
2448
2449
2450
2451       From inside the container you can test this by sending a message to the
2452       log.
2453
2454
2455              (bash)# logger "Hello from my container"
2456
2457
2458
2459       Then exit and check the journal.
2460
2461
2462              (bash)# exit
2463
2464              $ journalctl -b | grep Hello
2465
2466
2467
2468       This should list the message sent to logger.
2469
2470
2471   Attaching to one or more from STDIN, STDOUT, STDERR
2472       If you do not specify -a, Podman will attach everything (stdin, stdout,
2473       stderr).   You  can  specify  to  which  of  the three standard streams
2474       (stdin, stdout, stderr) you'd like to connect instead, as in:
2475
2476
2477              $ podman run -a stdin -a stdout -i -t fedora /bin/bash
2478
2479
2480
2481   Sharing IPC between containers
2482       Using             shm_server.c             available              here:
2483       https://www.cs.cf.ac.uk/Dave/C/node27.html
2484
2485
2486       Testing --ipc=host mode:
2487
2488
2489       Host  shows a shared memory segment with 7 pids attached, happens to be
2490       from httpd:
2491
2492
2493              $ sudo ipcs -m
2494
2495              ------ Shared Memory Segments --------
2496              key        shmid      owner      perms      bytes      nattch     status
2497              0x01128e25 0          root       600        1000       7
2498
2499
2500
2501       Now run a regular container, and it correctly does NOT see  the  shared
2502       memory segment from the host:
2503
2504
2505              $ podman run -it shm ipcs -m
2506
2507              ------ Shared Memory Segments --------
2508              key        shmid      owner      perms      bytes      nattch     status
2509
2510
2511
2512       Run  a  container  with  the new --ipc=host option, and it now sees the
2513       shared memory segment from the host httpd:
2514
2515
2516              $ podman run -it --ipc=host shm ipcs -m
2517
2518              ------ Shared Memory Segments --------
2519              key        shmid      owner      perms      bytes      nattch     status
2520              0x01128e25 0          root       600        1000       7
2521
2522
2523
2524       Testing --ipc=container:id mode:
2525
2526
2527       Start a container with a program to create a shared memory segment:
2528
2529
2530              $ podman run -it shm bash
2531              $ sudo shm/shm_server &
2532              $ sudo ipcs -m
2533
2534              ------ Shared Memory Segments --------
2535              key        shmid      owner      perms      bytes      nattch     status
2536              0x0000162e 0          root       666        27         1
2537
2538
2539
2540       Create a 2nd container correctly shows no shared  memory  segment  from
2541       1st container:
2542
2543
2544              $ podman run shm ipcs -m
2545
2546              ------ Shared Memory Segments --------
2547              key        shmid      owner      perms      bytes      nattch     status
2548
2549
2550
2551       Create  a  3rd  container  using  the --ipc=container:id option, now it
2552       shows the shared memory segment from the first:
2553
2554
2555              $ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
2556              $ sudo ipcs -m
2557
2558              ------ Shared Memory Segments --------
2559              key        shmid      owner      perms      bytes      nattch     status
2560              0x0000162e 0          root       666        27         1
2561
2562
2563
2564   Mapping Ports for External Usage
2565       The exposed port of an application can be mapped to a host  port  using
2566       the  -p  flag.  For example, an httpd port 80 can be mapped to the host
2567       port 8080 using the following:
2568
2569
2570              $ podman run -p 8080:80 -d -i -t fedora/httpd
2571
2572
2573
2574   Mounting External Volumes
2575       To mount a host directory as a container volume, specify  the  absolute
2576       path to the directory and the absolute path for the container directory
2577       separated by a colon. If the source is a  named  volume  maintained  by
2578       Podman,  it  is recommended to use its name rather than the path to the
2579       volume. Otherwise the volume will be considered as an orphan and  wiped
2580       if you execute podman volume prune:
2581
2582
2583              $ podman run -v /var/db:/data1 -i -t fedora bash
2584
2585              $ podman run -v data:/data2 -i -t fedora bash
2586
2587              $ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
2588
2589              $ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:z,U mariadb
2590
2591
2592
2593       Using  --mount  flags  to mount a host directory as a container folder,
2594       specify the absolute path to the directory or the volume name, and  the
2595       absolute path within the container directory:
2596
2597
2598              $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
2599
2600              $ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh
2601
2602
2603
2604       When  using  SELinux,  be  aware that the host has no knowledge of con‐
2605       tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
2606       icy  is  enforced,  the  /var/db  directory is not writable to the con‐
2607       tainer. A "Permission Denied" message will occur and an avc: message in
2608       the host's syslog.
2609
2610
2611       To  work  around  this, at time of writing this man page, the following
2612       command needs to be run in order for the proper SELinux policy type la‐
2613       bel to be attached to the host directory:
2614
2615
2616              $ chcon -Rt svirt_sandbox_file_t /var/db
2617
2618
2619
2620       Now,  writing to the /data1 volume in the container will be allowed and
2621       the changes will also be reflected on the host in /var/db.
2622
2623
2624   Using alternative security labeling
2625       You can override the default labeling  scheme  for  each  container  by
2626       specifying  the  --security-opt  flag. For example, you can specify the
2627       MCS/MLS level, a requirement for MLS systems. Specifying the  level  in
2628       the following command allows you to share the same content between con‐
2629       tainers.
2630
2631
2632              podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash
2633
2634
2635
2636       An MLS example might be:
2637
2638
2639              $ podman run --security-opt label=level:TopSecret -i -t rhel7 bash
2640
2641
2642
2643       To disable the security labeling for this container versus running with
2644       the
2645
2646
2647   --permissive flag, use the following command:
2648              $ podman run --security-opt label=disable -i -t fedora bash
2649
2650
2651
2652       If  you  want  a tighter security policy on the processes within a con‐
2653       tainer, you can specify an alternate type for the container. You  could
2654       run  a container that is only allowed to listen on Apache ports by exe‐
2655       cuting the following command:
2656
2657
2658              $ podman run --security-opt label=type:svirt_apache_t -i -t centos bash
2659
2660
2661
2662       Note you would have to write policy defining a svirt_apache_t type.
2663
2664
2665       To mask additional specific paths in the container, specify  the  paths
2666       separated  by  a  colon  using  the mask option with the --security-opt
2667       flag.
2668
2669
2670              $ podman run --security-opt mask=/foo/bar:/second/path fedora bash
2671
2672
2673
2674       To unmask all the paths that are masked by default, set the unmask  op‐
2675       tion  to  ALL.  Or  to only unmask specific paths, specify the paths as
2676       shown above with the mask option.
2677
2678
2679              $ podman run --security-opt unmask=ALL fedora bash
2680
2681
2682
2683       To unmask all the paths that start with /proc, set the unmask option to
2684       /proc/*.
2685
2686
2687              $ podman run --security-opt unmask=/proc/* fedora bash
2688
2689
2690
2691              $ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
2692
2693
2694
2695   Setting device weight
2696       If  you  want to set /dev/sda device weight to 200, you can specify the
2697       device weight by --blkio-weight-device flag. Use the following command:
2698
2699
2700              $ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu
2701
2702
2703
2704   Using a podman container with input from a pipe
2705              $ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
2706              asdf
2707
2708
2709
2710   Setting automatic user namespace separated containers
2711              # podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
2712              0 2147483647      65536
2713              # podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
2714              0 2147549183      65536
2715
2716
2717
2718   Setting Namespaced Kernel Parameters (Sysctls)
2719       The --sysctl sets namespaced kernel parameters (sysctls)  in  the  con‐
2720       tainer. For example, to turn on IP forwarding in the containers network
2721       namespace, run this command:
2722
2723
2724              $ podman run --sysctl net.ipv4.ip_forward=1 someimage
2725
2726
2727
2728       Note that not all sysctls  are  namespaced.  Podman  does  not  support
2729       changing  sysctls  inside of a container that also modify the host sys‐
2730       tem. As the kernel evolves we expect to see more sysctls become  names‐
2731       paced.
2732
2733
2734       See the definition of the --sysctl option above for the current list of
2735       supported sysctls.
2736
2737
2738   Set UID/GID mapping in a new user namespace
2739       Running a container in a new user namespace requires a mapping  of  the
2740       uids and gids from the host.
2741
2742
2743              $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
2744
2745
2746
2747   Configuring Storage Options from the command line
2748       Podman  allows  for the configuration of storage by changing the values
2749       in the /etc/container/storage.conf or by  using  global  options.  This
2750       shows  how to set up and use fuse-overlayfs for a one-time run of busy‐
2751       box using global options.
2752
2753
2754              podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh
2755
2756
2757
2758   Configure timezone in a container
2759              $ podman run --tz=local alpine date
2760              $ podman run --tz=Asia/Shanghai alpine date
2761              $ podman run --tz=US/Eastern alpine date
2762
2763
2764
2765   Adding dependency containers
2766       The first container, container1, is not started initially, but must  be
2767       running  before  container2  will  start.   The podman run command will
2768       start the container automatically before starting container2.
2769
2770
2771              $ podman create --name container1 -t -i fedora bash
2772              $ podman run --name container2 --requires container1 -t -i fedora bash
2773
2774
2775
2776       Multiple containers can be required.
2777
2778
2779              $ podman create --name container1 -t -i fedora bash
2780              $ podman create --name container2 -t -i fedora bash
2781              $ podman run --name container3 --requires container1,container2 -t -i fedora bash
2782
2783
2784
2785   Configure keep supplemental groups for access to volume
2786              $ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8
2787
2788
2789
2790   Configure execution domain for containers using personality flag
2791              $ podman run --name container1 --personality=LINUX32 fedora bash
2792
2793
2794
2795   Run a container with external rootfs mounted as an overlay
2796              $ podman run --name container1 --rootfs /path/to/rootfs:O bash
2797
2798
2799
2800   Handling Timezones in java applications in a container.
2801       In order to use a timezone other than UTC when running a Java  applica‐
2802       tion within a container, the TZ environment variable must be set within
2803       the container. Java applications will ignore the  value  set  with  the
2804       --tz option.
2805
2806
2807              # Example run
2808              podman run -ti --rm  -e TZ=EST mytzimage
2809              lrwxrwxrwx. 1 root root 29 Nov  3 08:51 /etc/localtime -> ../usr/share/zoneinfo/Etc/UTC
2810              Now with default timezone:
2811              Fri Nov 19 18:10:55 EST 2021
2812              Java default sees the following timezone:
2813              2021-11-19T18:10:55.651130-05:00
2814              Forcing UTC:
2815              Fri Nov 19 23:10:55 UTC 2021
2816
2817
2818
2819   Run  a  container  connected  to two networks (called net1 and net2) with a
2820       static ip
2821              $ podman run --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr
2822
2823
2824
2825   Rootless Containers
2826       Podman runs as a non-root user on most systems. This  feature  requires
2827       that  a  new  enough  version of shadow-utils be installed. The shadow-
2828       utils package must include the newuidmap(1) and  newgidmap(1)  executa‐
2829       bles.
2830
2831
2832       In  order  for  users to run rootless, there must be an entry for their
2833       username in /etc/subuid and /etc/subgid which lists the UIDs for  their
2834       user namespace.
2835
2836
2837       Rootless  Podman  works  better  if  the fuse-overlayfs and slirp4netns
2838       packages  are  installed.   The  fuse-overlayfs  package   provides   a
2839       userspace  overlay  storage driver, otherwise users need to use the vfs
2840       storage driver, which is diskspace expensive and does not perform well.
2841       slirp4netns  is  required for VPN, without it containers need to be run
2842       with the --network=host flag.
2843
2844

ENVIRONMENT

2846       Environment variables within containers can be set using multiple  dif‐
2847       ferent  options,  in  the  following order of precedence (later entries
2848       override earlier entries):
2849
2850
2851              • Container image: Any environment variables  specified  in  the
2852                container image.
2853
2854--http-proxy:  By  default, several environment variables will
2855                be passed in from the host, such as http_proxy  and  no_proxy.
2856                See --http-proxy for details.
2857
2858--env-host:  Host  environment of the process executing Podman
2859                is added.
2860
2861--env-file: Any environment variables specified via env-files.
2862                If multiple files are specified, then they override each other
2863                in order of entry.
2864
2865--env: Any environment variables specified will override  pre‐
2866                vious settings.
2867
2868
2869
2870       Run containers and set the environment ending with a *.  The trailing *
2871       glob functionality is only active when no value is specified:
2872
2873
2874              $ export ENV1=a
2875              $ podman run --env 'ENV*' alpine env | grep ENV
2876              ENV1=a
2877              $ podman run --env 'ENV*=b' alpine env | grep ENV
2878              ENV*=b
2879
2880
2881

CONMON

2883       When Podman starts a container it actually executes the conmon program,
2884       which  then executes the OCI Runtime.  Conmon is the container monitor.
2885       It is a small program whose job is to watch the primary process of  the
2886       container,  and  if  the  container  dies, save the exit code.  It also
2887       holds open the tty of the container, so that  it  can  be  attached  to
2888       later.  This  is  what  allows  Podman  to  run in detached mode (back‐
2889       grounded), so Podman can exit but conmon continues to run.   Each  con‐
2890       tainer has their own instance of conmon. Conmon waits for the container
2891       to exit, gathers and saves the exit code, and then  launches  a  Podman
2892       process to complete the container cleanup, by shutting down the network
2893       and storage.   For more information on  conmon,  please  reference  the
2894       conmon(8) man page.
2895
2896

FILES

2898       /etc/subuid
2899
2900
2901       /etc/subgid
2902
2903
2904       NOTE: Use the environment variable TMPDIR to change the temporary stor‐
2905       age location of downloaded container images.  Podman  defaults  to  use
2906       /var/tmp.
2907
2908

SEE ALSO

2910       podman(1),  podman-save(1), podman-ps(1), podman-attach(1), podman-pod-
2911       create(1),  podman-port(1),  podman-start(1),  podman-kill(1),  podman-
2912       stop(1),   podman-generate-systemd(1),  podman-rm(1),  subgid(5),  sub‐
2913       uid(5),     containers.conf(5),     systemd.unit(5),      setsebool(8),
2914       slirp4netns(1), fuse-overlayfs(1), proc(5), conmon(8), personality(2)
2915
2916

HISTORY

2918       September    2018,    updated    by    Kunal   Kushwaha   <kushwaha_ku‐
2919       nal_v7@lab.ntt.co.jp>
2920
2921
2922       October 2017, converted from Docker  documentation  to  Podman  by  Dan
2923       Walsh for Podman <dwalsh@redhat.com>
2924
2925
2926       November 2015, updated by Sally O'Malley <somalley@redhat.com>
2927
2928
2929       June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
2930
2931
2932       April  2014,  Originally  compiled by William Henry <whenry@redhat.com>
2933       based on docker.com source material and internal work.
2934
2935

FOOTNOTES

2937       1: The Podman project is committed to inclusivity, a core value of open
2938       source. The master and slave mount propagation terminology used here is
2939       problematic and divisive, and should be changed. However,  these  terms
2940       are  currently  used  within the Linux kernel and must be used as-is at
2941       this time. When the kernel maintainers rectify this usage, Podman  will
2942       follow suit immediately.
2943
2944
2945
2946                                                                 podman-run(1)
Impressum