podman(1)                    General Commands Manual                   podman(1)

NAME
    podman - Simple management tool for pods, containers and images

SYNOPSIS
    podman [options] command

DESCRIPTION
    Podman (Pod Manager) is a fully featured container engine that is a
    simple daemonless tool. Podman provides a Docker-CLI comparable command
    line that eases the transition from other container engines and allows
    the management of pods, containers and images. Simply put: alias
    docker=podman. Most Podman commands can be run as a regular user,
    without requiring additional privileges.

    Podman uses Buildah(1) internally to create container images. Both
    tools share image (not container) storage, hence each can use or
    manipulate images (but not containers) created by the other.

    Default settings for flags are defined in containers.conf. Most
    settings for remote connections use the server's containers.conf,
    except where documented otherwise in the man pages.

    podman [GLOBAL OPTIONS]

GLOBAL OPTIONS
    --cgroup-manager=manager
        The cgroup manager to use for container cgroups. Supported values
        are cgroupfs or systemd. Default is systemd unless overridden in
        the containers.conf file.

        Note: Setting this flag can cause certain commands to break when
        called on containers previously created by the other cgroup
        manager type.
        Note: The cgroup manager is not supported in rootless mode when
        using cgroups version 1.

    --conmon
        Path of the conmon binary (the default path is configured in
        containers.conf).

    --connection, -c
        Connection to use for remote podman, including Mac and Windows
        (excluding WSL2) machines (the default connection is configured in
        containers.conf). Setting this option switches the --remote option
        to true. Remote connections use the local containers.conf for
        defaults.

    --events-backend=type
        Backend to use for storing events. Allowed values are file,
        journald, and none. When file is specified, the events are stored
        under <tmpdir>/events/events.log (see --tmpdir below).

    --help, -h
        Print usage statement.

    --hooks-dir=path
        Each *.json file in the path configures a hook for Podman
        containers. For more details on the syntax of the JSON files and
        the semantics of hook injection, see oci-hooks(5). Podman and
        libpod currently support both the 1.0.0 and 0.1.0 hook schemas,
        although the 0.1.0 schema is deprecated.

        This option may be set multiple times; paths from later options
        have higher precedence (oci-hooks(5) discusses directory
        precedence).

        For the annotation conditions, libpod uses any annotations set in
        the generated OCI configuration.

        For the bind-mount conditions, only mounts explicitly requested by
        the caller via --volume are considered. Bind mounts that libpod
        inserts by default (e.g. /dev/shm) are not considered.

        If --hooks-dir is unset for root callers, Podman and libpod
        currently default to /usr/share/containers/oci/hooks.d and
        /etc/containers/oci/hooks.d, in order of increasing precedence.
        Using these defaults is deprecated, and callers should migrate to
        explicitly setting --hooks-dir.

        Podman and libpod currently support an additional precreate state
        which is called before the runtime's create operation. Unlike the
        other stages, which receive the container state on their standard
        input, precreate hooks receive the proposed runtime configuration
        on their standard input. They may alter that configuration as they
        see fit, and write the altered form to their standard output.

        WARNING: the precreate hook lets you do powerful things, such as
        adding additional mounts to the runtime configuration. That power
        also makes it easy to break things. Before reporting libpod
        errors, try running your container with precreate hooks disabled
        to see if the problem is due to one of your hooks.
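
Because every hook in a hooks directory runs with the container runtime's privileges at each container start, the directory and its *.json files deserve the same care as anything in root's PATH. The following POSIX shell function is an added example, not part of this man page or of the podman project: it reports a hooks directory or hook file that is group- or world-writable, and a 1.0.0-schema hook whose "path" is not absolute (the assumed check; the page itself prescribes no audit). The directory name used in the usage comment is only an illustration.

```shell
#!/bin/sh
# Added example (not from the podman man page or project): audit a
# directory before passing it as --hooks-dir. Hooks execute with the
# privileges of the container runtime, so a hook file or hooks directory
# that other users can write to lets them run code at every container
# start. Prints one finding per line; returns 0 only when clean.
audit_hooks_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    # The directory itself must not be group- or world-writable, or anyone
    # with that access can drop a new *.json hook into it.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable-dir: $dir"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*.json; do
        [ -e "$f" ] || continue      # no hook files: the glob stayed literal
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable-hook: $f"
            findings=$((findings + 1))
        fi
        # A 1.0.0-schema hook names its executable under "path"; the OCI
        # hooks format requires an absolute path, so anything else is
        # suspect (assumed check, simple text match rather than a JSON parse).
        hook_path=$(sed -n 's/.*"path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
        case $hook_path in
            /*) ;;
            *)  echo "relative-or-missing-path: $f"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Typical use (illustration only):
#   audit_hooks_dir /etc/containers/oci/hooks.d
```

The function deliberately uses only find, sed and test so that it can run on a minimal host before Podman is even installed; a full JSON parse would need jq or python, which are not assumed here.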

    --identity=path
        Path to the ssh identity file. If the identity file has been
        encrypted, podman prompts the user for the passphrase. If no
        identity file is provided and no user is given, podman defaults to
        the user running the podman command. Podman prompts for the login
        password on the remote server.

        Identity value resolution precedence:
        - command line value
        - environment variable CONTAINER_SSHKEY, if CONTAINER_HOST is found
        - containers.conf (remote connections use the local containers.conf
          for defaults)

    --log-level=level
        Log messages at and above the specified level: debug, info, warn,
        error, fatal or panic (default: "warn").

    --namespace=namespace
        Set the libpod namespace. Namespaces are used to separate groups of
        containers and pods in libpod's state. When a namespace is set,
        created containers and pods join the given namespace, and only
        containers and pods in the given namespace are visible to Podman.

    --network-cmd-path=path
        Path to the command binary to use for setting up a network. It is
        currently only used for setting up a slirp4netns network. If "" is
        used, the binary is looked up using the $PATH environment variable.

    --network-config-dir=directory
        Path to the directory where network configuration files are
        located. For the CNI backend the default is "/etc/cni/net.d" as
        root and "$HOME/.config/cni/net.d" as rootless. For the netavark
        backend "/etc/containers/networks" is used as root and
        "$graphroot/networks" as rootless.

    --noout
        Redirect stdout to /dev/null. This option suppresses all stdout
        from the Podman command itself. The --noout option does not block
        stderr or stdout from containers.

    --remote, -r
        When true, access to the Podman service is remote. Defaults to
        false. Settings can be modified in the containers.conf file. If
        the CONTAINER_HOST environment variable is set, the --remote option
        defaults to true.

    --root=value
        Storage root directory in which data, including images, is stored
        (default: "/var/lib/containers/storage" for UID 0,
        "$HOME/.local/share/containers/storage" for other users). The
        default root directory is configured in
        /etc/containers/storage.conf.

        Overriding this option causes the storage-opt settings in
        /etc/containers/storage.conf to be ignored. The user must specify
        additional options via the --storage-opt flag.

    --runroot=value
        Storage state directory where all state information is stored
        (default: "/run/containers/storage" for UID 0,
        "/run/user/$UID/run" for other users). The default state directory
        is configured in /etc/containers/storage.conf.

    --runtime=value
        Name of the OCI runtime as specified in containers.conf, or the
        absolute path to the OCI-compatible binary used to run containers.

    --runtime-flag=flag
        Adds global flags for the container runtime. To list the supported
        flags, consult the man page of the selected container runtime
        (runc is the default runtime; the man page to consult is runc(8).
        When the machine is configured for cgroup v2, the default runtime
        is crun; the man page to consult is crun(8)).

        Note: Do not pass the leading -- to the flag. To pass the runc
        flag --log-format json to podman build, the option given would be
        --runtime-flag log-format=json.

    --ssh=value
        This option allows the user to change the ssh mode: rather than
        using the default golang mode, one can instead use --ssh=native to
        use the installed ssh binary and the config file declared in
        containers.conf.

    --storage-driver=value
        Storage driver. The default storage driver for UID 0 is configured
        in /etc/containers/storage.conf
        ($HOME/.config/containers/storage.conf in rootless mode), and is
        vfs for non-root users when fuse-overlayfs is not available. The
        STORAGE_DRIVER environment variable overrides the default. The
        driver specified with --storage-driver overrides all.

        Overriding this option causes the storage-opt settings in
        /etc/containers/storage.conf to be ignored. The user must specify
        additional options via the --storage-opt flag.

    --storage-opt=value
        Storage driver option. Default storage driver options are
        configured in /etc/containers/storage.conf
        ($HOME/.config/containers/storage.conf in rootless mode). The
        STORAGE_OPTS environment variable overrides the default. The
        options specified with --storage-opt override all. If you specify
        --storage-opt="", no storage options are used.

    --syslog
        Output logging information to syslog as well as the console
        (default false).

        On remote clients, including Mac and Windows (excluding WSL2)
        machines, logging is directed to the file
        $HOME/.config/containers/podman.log.

    --tmpdir
        Path to the tmp directory for libpod runtime content. Defaults to
        $XDG_RUNTIME_DIR/libpod/tmp as rootless and run/libpod/tmp as
        rootful.

        NOTE: --tmpdir is not used for the temporary storage of downloaded
        images. Use the environment variable TMPDIR to change the
        temporary storage location of downloaded container images. Podman
        defaults to /var/tmp.

    --url=value
        URL to access the Podman service (default from containers.conf:
        unix://run/user/$UID/podman/podman.sock as rootless, or
        unix://run/podman/podman.sock as root). Setting this option
        switches the --remote option to true.

        • CONTAINER_HOST is of the format
          <schema>://[<user[:<password>]@]<host>[:<port>][<path>]

        Details:
        - schema is one of:
          * ssh (default): a local unix(7) socket on the named host and
            port, reachable via SSH
          * tcp: an unencrypted, unauthenticated TCP connection to the
            named host and port
          * unix: a local unix(7) socket at the specified path, or the
            default for the user
        - user defaults to either root or the current running user (ssh
          only)
        - password has no default (ssh only)
        - host must be provided and is either the IP or name of the
          machine hosting the Podman service (ssh and tcp)
        - port defaults to 22 (ssh and tcp)
        - path defaults to either /run/podman/podman.sock, or
          /run/user/$UID/podman/podman.sock if running rootless (unix), or
          must be explicitly specified (ssh)

        URL value resolution precedence:
        - command line value
        - environment variable CONTAINER_HOST
        - containers.conf service_destinations table
        - unix://run/podman/podman.sock

        Remote connections use the local containers.conf for defaults.

        Some example URL values in valid formats:
        - unix://run/podman/podman.sock
        - unix://run/user/$UID/podman/podman.sock
        - ssh://notroot@localhost:22/run/user/$UID/podman/podman.sock
        - ssh://root@localhost:22/run/podman/podman.sock
        - tcp://localhost:34451
        - tcp://127.0.0.1:34451
301
302 --version, -v
303 Print the version
304
305
306 --volumepath=value
307 Volume directory where builtin volume information is stored (default:
308 "/var/lib/containers/storage/volumes" for UID 0, "$HOME/.lo‐
309 cal/share/containers/storage/volumes" for other users). Default volume
310 path can be overridden in containers.conf.
311
312
314 Podman can set up environment variables from env of [engine] table in
315 containers.conf. These variables can be overridden by passing environ‐
316 ment variables before the podman commands.
317
318
319 CONTAINERS_CONF
320 Set default locations of containers.conf file
321
322
323 CONTAINERS_REGISTRIES_CONF
324 Set default location of the registries.conf file.
325
326
327 CONTAINERS_STORAGE_CONF
328 Set default location of the storage.conf file.
329
330
331 CONTAINER_CONNECTION
332 Override default --connection value to access Podman service. Also en‐
333 abled --remote option.
334
335
336 CONTAINER_HOST
337 Set default --url value to access Podman service. Also enabled --remote
338 option.
339
340
341 CONTAINER_SSHKEY
342 Set default --identity path to ssh key file value used to access Podman
343 service.
344
345
346 STORAGE_DRIVER
347 Set default --storage-driver value.
348
349
350 STORAGE_OPTS
351 Set default --storage-opts value.
352
353
354 TMPDIR
355 Set the temporary storage location of downloaded container images. Pod‐
356 man defaults to use /var/tmp.
357
358
359 XDG_CONFIG_HOME
360 In Rootless mode configuration files are read from XDG_CONFIG_HOME when
361 specified, otherwise in the home directory of the user under
362 $HOME/.config/containers.
363
364
365 XDG_DATA_HOME
366 In Rootless mode images are pulled under XDG_DATA_HOME when specified,
367 otherwise in the home directory of the user under $HOME/.lo‐
368 cal/share/containers/storage.
369
370
371 XDG_RUNTIME_DIR
372 In Rootless mode temporary configuration data is stored in ${XDG_RUN‐
373 TIME_DIR}/containers.
374
375
377 The Podman command can be used with remote services using the --remote
378 flag. Connections can be made using local unix domain sockets, ssh or
379 directly to tcp sockets. When specifying the podman --remote flag, only
380 the global options --url, --identity, --log-level, --connection are
381 used.
382
383
384 Connection information can also be managed using the containers.conf
385 file.
386
387
389 The exit code from podman gives information about why the container
390 failed to run or why it exited. When podman commands exit with a non-
391 zero code, the exit codes follow the chroot standard, see below:
392
393
394 125 The error is with podman itself
395
396
397 $ podman run --foo busybox; echo $?
398 Error: unknown flag: --foo
399 125
400
401
402
403 126 Executing a contained command and the command cannot be invoked
404
405
406 $ podman run busybox /etc; echo $?
407 Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
408 126
409
410
411
412 127 Executing a contained command and the command cannot be found
413 $ podman run busybox foo; echo $?
414 Error: container_linux.go:346: starting container process caused
415 "exec: \"foo\": executable file not found in $PATH": OCI runtime error
416 127
417
418
419 Exit code contained command exit code
420
421
422 $ podman run busybox /bin/sh -c 'exit 3'; echo $?
423 3
424
425
426
428 ┌──────────────────────┬────────────────────────────────┐
429 │Command │ Description │
430 ├──────────────────────┼────────────────────────────────┤
431 │podman-attach(1) │ Attach to a running container. │
432 ├──────────────────────┼────────────────────────────────┤
433 │podman-auto-update(1) │ Auto update containers accord‐ │
434 │ │ ing to their auto-update pol‐ │
435 │ │ icy │
436 ├──────────────────────┼────────────────────────────────┤
437 │podman-build(1) │ Build a container image using │
438 │ │ a Containerfile. │
439 ├──────────────────────┼────────────────────────────────┤
440 │podman-commit(1) │ Create new image based on the │
441 │ │ changed container. │
442 ├──────────────────────┼────────────────────────────────┤
443 │podman-completion(1) │ Generate shell completion │
444 │ │ scripts │
445 ├──────────────────────┼────────────────────────────────┤
446 │podman-container(1) │ Manage containers. │
447 ├──────────────────────┼────────────────────────────────┤
448 │podman-cp(1) │ Copy files/folders between a │
449 │ │ container and the local │
450 │ │ filesystem. │
451 ├──────────────────────┼────────────────────────────────┤
452 │podman-create(1) │ Create a new container. │
453 ├──────────────────────┼────────────────────────────────┤
454 │podman-diff(1) │ Inspect changes on a container │
455 │ │ or image's filesystem. │
456 ├──────────────────────┼────────────────────────────────┤
457 │podman-events(1) │ Monitor Podman events │
458 ├──────────────────────┼────────────────────────────────┤
459 │podman-exec(1) │ Execute a command in a running │
460 │ │ container. │
461 ├──────────────────────┼────────────────────────────────┤
462 │podman-export(1) │ Export a container's filesys‐ │
463 │ │ tem contents as a tar archive. │
464 ├──────────────────────┼────────────────────────────────┤
465 │podman-generate(1) │ Generate structured data based │
466 │ │ on containers, pods or vol‐ │
467 │ │ umes. │
468 ├──────────────────────┼────────────────────────────────┤
469 │podman-healthcheck(1) │ Manage healthchecks for con‐ │
470 │ │ tainers │
471 ├──────────────────────┼────────────────────────────────┤
472 │podman-history(1) │ Show the history of an image. │
473 ├──────────────────────┼────────────────────────────────┤
474 │podman-image(1) │ Manage images. │
475 ├──────────────────────┼────────────────────────────────┤
476 │podman-images(1) │ List images in local storage. │
477 ├──────────────────────┼────────────────────────────────┤
478 │podman-import(1) │ Import a tarball and save it │
479 │ │ as a filesystem image. │
480 ├──────────────────────┼────────────────────────────────┤
481 │podman-info(1) │ Displays Podman related system │
482 │ │ information. │
483 ├──────────────────────┼────────────────────────────────┤
484 │podman-init(1) │ Initialize one or more con‐ │
485 │ │ tainers │
486 ├──────────────────────┼────────────────────────────────┤
487 │podman-inspect(1) │ Display a container, image, │
488 │ │ volume, network, or pod's con‐ │
489 │ │ figuration. │
490 ├──────────────────────┼────────────────────────────────┤
491 │podman-kill(1) │ Kill the main process in one │
492 │ │ or more containers. │
493 ├──────────────────────┼────────────────────────────────┤
494 │podman-load(1) │ Load image(s) from a tar ar‐ │
495 │ │ chive into container storage. │
496 ├──────────────────────┼────────────────────────────────┤
497 │podman-login(1) │ Login to a container registry. │
498 ├──────────────────────┼────────────────────────────────┤
499 │podman-logout(1) │ Logout of a container reg‐ │
500 │ │ istry. │
501 ├──────────────────────┼────────────────────────────────┤
502 │podman-logs(1) │ Display the logs of one or │
503 │ │ more containers. │
504 ├──────────────────────┼────────────────────────────────┤
505 │podman-machine(1) │ Manage Podman's virtual ma‐ │
506 │ │ chine │
507 ├──────────────────────┼────────────────────────────────┤
508 │podman-manifest(1) │ Create and manipulate manifest │
509 │ │ lists and image indexes. │
510 ├──────────────────────┼────────────────────────────────┤
511 │podman-mount(1) │ Mount a working container's │
512 │ │ root filesystem. │
513 ├──────────────────────┼────────────────────────────────┤
514 │podman-network(1) │ Manage Podman networks. │
515 ├──────────────────────┼────────────────────────────────┤
516 │podman-pause(1) │ Pause one or more containers. │
517 ├──────────────────────┼────────────────────────────────┤
518 │podman-kube(1) │ Play containers, pods or vol‐ │
519 │ │ umes based on a structured in‐ │
520 │ │ put file. │
521 ├──────────────────────┼────────────────────────────────┤
522 │podman-pod(1) │ Management tool for groups of │
523 │ │ containers, called pods. │
524 ├──────────────────────┼────────────────────────────────┤
525 │podman-port(1) │ List port mappings for a con‐ │
526 │ │ tainer. │
527 ├──────────────────────┼────────────────────────────────┤
528 │podman-ps(1) │ Prints out information about │
529 │ │ containers. │
530 ├──────────────────────┼────────────────────────────────┤
531 │podman-pull(1) │ Pull an image from a registry. │
532 ├──────────────────────┼────────────────────────────────┤
533 │podman-push(1) │ Push an image, manifest list │
534 │ │ or image index from local │
535 │ │ storage to elsewhere. │
536 ├──────────────────────┼────────────────────────────────┤
537 │podman-rename(1) │ Rename an existing container. │
538 ├──────────────────────┼────────────────────────────────┤
539 │podman-restart(1) │ Restart one or more contain‐ │
540 │ │ ers. │
541 ├──────────────────────┼────────────────────────────────┤
542 │podman-rm(1) │ Remove one or more containers. │
543 ├──────────────────────┼────────────────────────────────┤
544 │podman-rmi(1) │ Removes one or more locally │
545 │ │ stored images. │
546 ├──────────────────────┼────────────────────────────────┤
547 │podman-run(1) │ Run a command in a new con‐ │
548 │ │ tainer. │
549 ├──────────────────────┼────────────────────────────────┤
550 │podman-save(1) │ Save image(s) to an archive. │
551 ├──────────────────────┼────────────────────────────────┤
552 │podman-search(1) │ Search a registry for an im‐ │
553 │ │ age. │
554 ├──────────────────────┼────────────────────────────────┤
555 │podman-secret(1) │ Manage podman secrets. │
556 ├──────────────────────┼────────────────────────────────┤
557 │podman-start(1) │ Start one or more containers. │
558 ├──────────────────────┼────────────────────────────────┤
559 │podman-stats(1) │ Display a live stream of one │
560 │ │ or more container's resource │
561 │ │ usage statistics. │
562 ├──────────────────────┼────────────────────────────────┤
563 │podman-stop(1) │ Stop one or more running con‐ │
564 │ │ tainers. │
565 ├──────────────────────┼────────────────────────────────┤
566 │podman-system(1) │ Manage podman. │
567 ├──────────────────────┼────────────────────────────────┤
568 │podman-tag(1) │ Add an additional name to a │
569 │ │ local image. │
570 ├──────────────────────┼────────────────────────────────┤
571 │podman-top(1) │ Display the running processes │
572 │ │ of a container. │
573 ├──────────────────────┼────────────────────────────────┤
574 │podman-unmount(1) │ Unmount a working container's │
575 │ │ root filesystem. │
576 ├──────────────────────┼────────────────────────────────┤
577 │podman-unpause(1) │ Unpause one or more contain‐ │
578 │ │ ers. │
579 ├──────────────────────┼────────────────────────────────┤
580 │podman-unshare(1) │ Run a command inside of a mod‐ │
581 │ │ ified user namespace. │
582 ├──────────────────────┼────────────────────────────────┤
583 │podman-untag(1) │ Removes one or more names from │
584 │ │ a locally-stored image. │
585 ├──────────────────────┼────────────────────────────────┤
586 │podman-update(1) │ Updates the cgroup configura‐ │
587 │ │ tion of a given container. │
588 ├──────────────────────┼────────────────────────────────┤
589 │podman-version(1) │ Display the Podman version in‐ │
590 │ │ formation. │
591 ├──────────────────────┼────────────────────────────────┤
592 │podman-volume(1) │ Simple management tool for │
593 │ │ volumes. │
594 ├──────────────────────┼────────────────────────────────┤
595 │podman-wait(1) │ Wait on one or more containers │
596 │ │ to stop and print their exit │
597 │ │ codes. │
598 └──────────────────────┴────────────────────────────────┘
599
601 containers.conf (/usr/share/containers/containers.conf, /etc/contain‐
602 ers/containers.conf, $HOME/.config/containers/containers.conf)
603
604
605 Podman has builtin defaults for command line options. These defaults
606 can be overridden using the containers.conf configuration files.
607
608
609 Distributions ship the /usr/share/containers/containers.conf file with
610 their default settings. Administrators can override fields in this file
611 by creating the /etc/containers/containers.conf file. Users can fur‐
612 ther modify defaults by creating the $HOME/.config/containers/contain‐
613 ers.conf file. Podman merges its builtin defaults with the specified
614 fields from these files, if they exist. Fields specified in the users
615 file override the administrator's file, which overrides the distribu‐
616 tion's file, which override the built-in defaults.
617
618
619 Podman uses builtin defaults if no containers.conf file is found.
620
621
622 If the CONTAINERS_CONF environment variable is set, then its value is
623 used for the containers.conf file rather than the default.
624
625
626 mounts.conf (/usr/share/containers/mounts.conf)
627
628
629 The mounts.conf file specifies volume mount directories that are auto‐
630 matically mounted inside containers when executing the podman run or
631 podman start commands. Administrators can override the defaults file by
632 creating /etc/containers/mounts.conf.
633
634
635 When Podman runs in rootless mode, the file $HOME/.config/contain‐
636 ers/mounts.conf will override the default if it exists. Please refer to
637 containers-mounts.conf(5) for further details.
638
639
640 policy.json (/etc/containers/policy.json)
641
642
643 Signature verification policy files are used to specify policy, e.g.
644 trusted keys, applicable when deciding whether to accept an image, or
645 individual signatures of that image, as valid.
646
647
648 registries.conf (/etc/containers/registries.conf, $HOME/.config/con‐
649 tainers/registries.conf)
650
651
652 registries.conf is the configuration file which specifies which con‐
653 tainer registries should be consulted when completing image names which
654 do not include a registry or domain portion.
655
656
657 Non root users of Podman can create the $HOME/.config/containers/reg‐
658 istries.conf file to be used instead of the system defaults.
659
660
661 If the CONTAINERS_REGISTRIES_CONF environment variable is set, then its
662 value is used for the registries.conf file rather than the default.
663
664
665 storage.conf (/etc/containers/storage.conf, $HOME/.config/contain‐
666 ers/storage.conf)
667
668
669 storage.conf is the storage configuration file for all tools using con‐
670 tainers/storage
671
672
673 The storage configuration file specifies all of the available container
674 storage options for tools using shared container storage.
675
676
677 When Podman runs in rootless mode, the file $HOME/.config/contain‐
678 ers/storage.conf is used instead of the system defaults.
679
680
681 If the CONTAINERS_STORAGE_CONF environment variable is set, then its
682 value is used for the storage.conf file rather than the default.
683
684
686 Podman can also be used as non-root user. When podman runs in rootless
687 mode, a user namespace is automatically created for the user, defined
688 in /etc/subuid and /etc/subgid.
689
690
691 Containers created by a non-root user are not visible to other users
692 and are not seen or managed by Podman running as root.
693
694
695 It is required to have multiple uids/gids set for a user. Be sure the
696 user is present in the files /etc/subuid and /etc/subgid.
697
698
699 If you have a recent version of usermod, you can execute the following
700 commands to add the ranges to the files
701
702
703 $ sudo usermod --add-subuids 10000-75535 USERNAME
704 $ sudo usermod --add-subgids 10000-75535 USERNAME
705
706
707
708 Or just add the content manually.
709
710
711 $ echo USERNAME:10000:65536 >> /etc/subuid
712 $ echo USERNAME:10000:65536 >> /etc/subgid
713
714
715
716 See the subuid(5) and subgid(5) man pages for more information.
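
The per-user isolation described above only holds if each user's subordinate range is present and does not intersect anyone else's: two users whose /etc/subuid ranges overlap end up owning the same host UIDs from inside their containers. The following POSIX shell functions are an added example, not part of this man page or of the podman project: subid_overlaps reports intersecting ranges and malformed lines in a subuid(5)/subgid(5)-style file, and subid_check adds a "missing" finding when the named user has no entry. The finding labels are this example's own, and the usage comment's file names are the ones the page lists.

```shell
#!/bin/sh
# Added example (not from the podman man page or project): sanity-check
# /etc/subuid or /etc/subgid before relying on rootless Podman. Two users
# whose ranges overlap share host UIDs inside their containers, which
# undoes the per-user isolation described above; a user with no entry
# cannot create the user namespace at all.
subid_overlaps() {
    # Print "overlap A B" for every pair of different users whose
    # start:count ranges intersect, and "malformed line N" for bad lines.
    awk -F: '
        /^[[:space:]]*$/ { next }
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "malformed line " NR; next
        }
        { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (name[i] != name[j] && lo[i] <= hi[j] && lo[j] <= hi[i])
                        print "overlap " name[i] " " name[j]
        }' "$1"
}

# subid_check FILE USER: print every finding for FILE plus "missing USER"
# when USER has no range; return 0 only when there is nothing to report.
subid_check() {
    out=$(
        subid_overlaps "$1"
        grep -q "^$2:" "$1" || echo "missing $2"
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Typical use on a host (illustration only):
#   subid_check /etc/subuid "$(id -un)" && subid_check /etc/subgid "$(id -un)"
```

The range arithmetic follows the file format shown above (start:count, so USERNAME:10000:65536 covers 10000 through 75535, matching the usermod example). A multi-user host can run subid_check for every login account from a cron job or configuration-management hook and alert on any non-zero return.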

    Images are pulled under XDG_DATA_HOME when specified, otherwise into
    the home directory of the user under .local/share/containers/storage.

    Currently the slirp4netns package is required to be installed to
    create a network device; otherwise rootless containers need to run in
    the network namespace of the host.

    In certain environments like HPC (High Performance Computing), users
    cannot take advantage of the additional UIDs and GIDs from the
    /etc/subuid and /etc/subgid systems. However, in this environment,
    rootless Podman can operate with a single UID. To make this work, set
    the ignore_chown_errors option in the /etc/containers/storage.conf or
    in ~/.config/containers/storage.conf files. This option tells Podman,
    when pulling an image, to ignore chown errors when attempting to
    change a file in a container image to match the non-root UID in the
    image. This means all files get saved as the user's UID. Note this
    could cause issues when running the container.

    NOTE: Unsupported file systems in rootless mode
    The Overlay file system (OverlayFS) is not supported with kernels
    prior to 5.12.9 in rootless mode. The fuse-overlayfs package is a
    tool that provides the functionality of OverlayFS in a user namespace
    and allows mounting file systems in rootless environments. It is
    recommended to install the fuse-overlayfs package. In rootless mode,
    Podman automatically uses the fuse-overlayfs program as the
    mount_program if installed, as long as the
    $HOME/.config/containers/storage.conf file was not previously
    created. If storage.conf exists in the home directory, add
    mount_program = "/usr/bin/fuse-overlayfs" under
    [storage.options.overlay] to enable this feature.

    The Network File System (NFS) and other distributed file systems (for
    example: Lustre, Spectrum Scale, the General Parallel File System
    (GPFS)) are not supported when running in rootless mode, as these
    file systems do not understand user namespaces. However, rootless
    Podman can make use of an NFS home directory by modifying
    $HOME/.config/containers/storage.conf to have the graphroot option
    point to a directory stored on local (non-NFS) storage.

    For more information, please refer to the Podman Troubleshooting Page.

SEE ALSO
    containers-mounts.conf(5), containers.conf(5),
    containers-registries.conf(5), containers-storage.conf(5), buildah(1),
    oci-hooks(5), containers-policy.json(5), crun(1), runc(8), subuid(5),
    subgid(5), slirp4netns(1), conmon(8)

HISTORY
    Dec 2016, Originally compiled by Dan Walsh dwalsh@redhat.com

                                                                      podman(1)