containers.conf(5)               configuration              containers.conf(5)

NAME

       containers.conf - The container engine configuration file specifies
       default configuration options and command-line flags for container
       engines.

DESCRIPTION

       Container engines like Podman & Buildah read the containers.conf file,
       if it exists, and modify the defaults for running containers on the
       host. containers.conf uses a TOML format that can be easily modified
       and versioned.

       Container engines read the /usr/share/containers/containers.conf and
       /etc/containers/containers.conf files, and the
       /etc/containers/containers.conf.d/*.conf files, if they exist. When
       running in rootless mode, they also read
       $HOME/.config/containers/containers.conf and the
       $HOME/.config/containers/containers.conf.d/*.conf files.

       Fields specified in containers.conf override the default options, as
       well as options in previously read containers.conf files.

       Config files in the .d directories are added in alphanumeric sorted
       order and must end in .conf.

       Not all options are supported in all container engines.

       Note that container engines also use other configuration files for
       configuring the environment.

       • storage.conf for configuration of container and image storage.

       • registries.conf for definition of container registries to search
         while pulling container images.

       • policy.conf for controlling which images can be pulled to the
         system.

FORMAT

       The TOML format ⟨https://github.com/toml-lang/toml⟩ is used as the
       encoding of the configuration file. Every option is nested under its
       table. No bare options are used. The format of TOML can be simplified
       to:

              [table1]
              option = value

              [table2]
              option = value

              [table3]
              option = value

              [table3.subtable1]
              option = value

CONTAINERS TABLE

       The containers table contains settings to configure and manage the OCI
       runtime.

       annotations=[]

       List of annotations. Specified as "key=value" pairs to be added to all
       containers.

       Example: "run.oci.keep_original_groups=1"

       apparmor_profile="container-default"

       Used to change the name of the default AppArmor profile of container
       engines. The default profile name is "container-default".

       base_hosts_file=""

       The hosts entries from the base hosts file are added to the
       container's hosts file. This must be either an absolute path or one of
       the special values "image", which uses the hosts file from the
       container image, or "none", which means no base hosts file is used.
       The default is "", which uses /etc/hosts.

       cgroups="enabled"

       Determines whether the container will create cgroups. Options are:
         enabled   Enable cgroup support within the container.
         disabled  Disable cgroup support; the container inherits cgroups
                   from its parent.
         no-conmon Do not create a cgroup dedicated to conmon.

       cgroupns="private"

       Default way to create a cgroup namespace for the container. Options
       are:
         private Create a private cgroup namespace for the container.
         host    Share the host cgroup namespace with the container.

       default_capabilities=[]

       List of default capabilities for containers.

       The default list is:

              default_capabilities = [
                    "CHOWN",
                    "DAC_OVERRIDE",
                    "FOWNER",
                    "FSETID",
                    "KILL",
                    "NET_BIND_SERVICE",
                    "SETFCAP",
                    "SETGID",
                    "SETPCAP",
                    "SETUID",
              ]

       Note that, by default, container engines using containers.conf run
       with fewer capabilities than Docker. Docker additionally runs with
       "AUDIT_WRITE", "MKNOD", "NET_RAW", "CHROOT". If you need to add one of
       these capabilities for a particular container, you can use the
       --cap-add option or edit your system's containers.conf.

       default_sysctls=[]

       A list of sysctls to be set in containers by default, specified as
       "name=value".

       Example: "net.ipv4.ping_group_range=0 1000".

       default_ulimits=[]

       A list of ulimits to be set in containers by default, specified as
       "name=soft-limit:hard-limit".

       Example: "nofile=1024:2048".

       devices=[]

       List of devices. Specified as
       "device-on-host:device-on-container:permissions".

       Example: "/dev/sdc:/dev/xvdc:rwm".

       dns_options=[]

       List of default DNS options to be added to /etc/resolv.conf inside of
       the container.

       dns_searches=[]

       List of default DNS search domains to be added to /etc/resolv.conf
       inside of the container.

       dns_servers=[]

       A list of DNS servers to override the DNS configuration passed to the
       container. The special value "none" can be specified to disable
       creation of /etc/resolv.conf in the container.

       env=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm"]

       Environment variable list for the container process, used for passing
       environment variables to the container.

       env_host=false

       Pass all host environment variables into the container.

       host_containers_internal_ip=""

       Set the IP for the host.containers.internal entry in the container's
       /etc/hosts file. This can be set to "none" to disable adding this
       entry. By default it will automatically choose the host IP.

       NOTE: When using podman machine this entry will never be added to the
       container's hosts file; instead the gvproxy DNS resolver will resolve
       this hostname. Therefore it is not possible to disable the entry in
       this case.

       http_proxy=true

       Default proxy environment variables will be passed into the container.
       The environment variables passed in include: http_proxy, https_proxy,
       ftp_proxy, no_proxy, and the upper case versions of these. The
       no_proxy option is needed when the host system uses a proxy but the
       container should not use the proxy. Proxy environment variables
       specified for the container in any other way will override the values
       passed from the host.

       init=false

       Run an init inside the container that forwards signals and reaps
       processes.

       init_path="/usr/libexec/podman/catatonit"

       Path to the container-init binary, which forwards signals and reaps
       processes within containers. Note that the container-init binary will
       only be used when --init is set for podman-create and podman-run.

       ipcns="shareable"

       Default way to create an IPC namespace for the container. Options
       are:
         host      Share the host IPC namespace with the container.
         none      Create a shareable IPC namespace for the container
                   without a private /dev/shm.
         private   Create a private IPC namespace for the container; other
                   containers are not allowed to share it.
         shareable Create a shareable IPC namespace for the container.

       keyring=true

       Indicates whether the container engines create a kernel keyring for
       use within the container.

       label=true

       Indicates whether the container engine uses MAC (SELinux) container
       separation via labeling. This option is ignored on systems where
       SELinux is disabled.

       log_driver=""

       Logging driver for the container. Currently available options are
       k8s-file, journald, none and passthrough, with json-file aliased to
       k8s-file for scripting compatibility. The journald driver is used by
       default if the systemd journal is readable and writable. Otherwise,
       the k8s-file driver is used.

       log_size_max=-1

       Maximum size allowed for the container's log file. Negative numbers
       indicate that no size limit is imposed. If it is positive, it must be
       >= 8192 to match/exceed conmon's read buffer. The file is truncated
       and re-opened so the limit is never exceeded.

       log_tag=""

       Default format tag for container log messages. This is useful for
       creating a specific tag for container log messages. Container log
       messages default to using the truncated container ID as a tag.

       netns="private"

       Default way to create a NET namespace for the container. Options
       are:
         private Create a private NET namespace for the container.
         host    Share the host NET namespace with the container.
         none    Containers do not use the network.

       no_hosts=false

       Create /etc/hosts for the container. By default, container engines
       manage /etc/hosts, automatically adding the container's own IP
       address.

       pidns="private"

       Default way to create a PID namespace for the container. Options
       are:
         private Create a private PID namespace for the container.
         host    Share the host PID namespace with the container.

       pids_limit=1024

       Maximum number of processes allowed in a container. 0 indicates that
       no limit is imposed.

       prepare_volume_on_create=false

       Copy the content from the underlying image into the newly created
       volume when the container is created instead of when it is started.
       If false, the container engine will not copy the content until the
       container is started. Setting it to true may have negative
       performance implications.

       read_only=true|false

       Run all containers with the root file system mounted read-only. Set
       to false by default.

       seccomp_profile="/usr/share/containers/seccomp.json"

       Path to the seccomp.json profile which is used as the default seccomp
       profile for the runtime.

       shm_size="65536k"

       Size of /dev/shm. The format is <number><unit>. number must be
       greater than 0. Unit is optional and can be: b (bytes), k (kilobytes),
       m (megabytes), or g (gigabytes). If you omit the unit, the system uses
       bytes. If you omit the size entirely, the system uses 65536k.

       tz=""

       Set the timezone in the container. Takes IANA timezones as well as
       local, which sets the timezone in the container to match the host
       machine. If not set, then containers will run with the time zone
       specified in the image.

       Examples:
         tz="local"
         tz="America/New_York"

       umask="0022"

       Sets the umask inside the container.

       userns="host"

       Default way to create a USER namespace for the container. Options
       are:
         private Create a private USER namespace for the container.
         host    Share the host USER namespace with the container.

       utsns="private"

       Default way to create a UTS namespace for the container. Options
       are:
         private Create a private UTS namespace for the container.
         host    Share the host UTS namespace with the container.

       volumes=[]

       List of volumes. Specified as
       "directory-on-host:directory-in-container:options".

       Example: "/db:/var/lib/db:ro".

NETWORK TABLE

       The network table contains settings pertaining to the management of
       CNI plugins.

       network_backend=""

       Network backend determines what network driver will be used to set up
       and tear down container networks. Valid values are "cni" and
       "netavark". The default value is empty, which means that it will
       automatically choose CNI or netavark. If there are already
       containers/images or CNI networks present it will choose CNI.

       Before changing this value all containers must be stopped; otherwise
       it is likely that iptables rules and network interfaces might leak on
       the host. A reboot will fix this.

       cni_plugin_dirs=[]

       List of paths to directories where CNI plugin binaries are located.

       The default list is:

              cni_plugin_dirs = [
                "/usr/local/libexec/cni",
                "/usr/libexec/cni",
                "/usr/local/lib/cni",
                "/usr/lib/cni",
                "/opt/cni/bin",
              ]

       default_network="podman"

       The network name of the default network to attach pods to.

       default_subnet="10.88.0.0/16"

       The subnet to use for the default network (named above in
       default_network). If the default network does not exist, it will be
       automatically created the first time a tool is run using this subnet.

       default_subnet_pools=[]

       DefaultSubnetPools is a list of subnets and sizes which are used to
       allocate subnets automatically for podman network create. It will
       iterate through the list and will pick the first free subnet with the
       given size. This is only used for IPv4 subnets; IPv6 subnets are
       always assigned randomly.

       The default list is (10.89.0.0-10.255.255.0/24):

              default_subnet_pools = [
                {"base" = "10.89.0.0/16", "size" = 24},
                {"base" = "10.90.0.0/15", "size" = 24},
                {"base" = "10.92.0.0/14", "size" = 24},
                {"base" = "10.96.0.0/11", "size" = 24},
                {"base" = "10.128.0.0/9", "size" = 24},
              ]

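
       As an added example, not code from the project, the following Python
       reproduces the allocation rule just described: walk
       default_subnet_pools in order and take the first subnet of the pool's
       size that does not overlap a subnet already in use. The list of
       in-use subnets is constructed; a second helper checks that no pool
       overlaps default_subnet, which is a mistake worth catching before
       editing this table.

```python
"""First-free-subnet allocation over default_subnet_pools, as the man page
describes it. Added example, not code from the project; the set of subnets
already in use is constructed."""
import ipaddress

# The default pool list from this page (10.89.0.0-10.255.255.0, /24 each).
DEFAULT_SUBNET_POOLS = [
    {"base": "10.89.0.0/16", "size": 24},
    {"base": "10.90.0.0/15", "size": 24},
    {"base": "10.92.0.0/14", "size": 24},
    {"base": "10.96.0.0/11", "size": 24},
    {"base": "10.128.0.0/9", "size": 24},
]


def first_free_subnet(pools, in_use):
    """Walk the pools in order and return the first subnet of the pool's
    size that overlaps nothing already in use, or None if all are exhausted.
    Only IPv4 is considered, matching the man page (IPv6 is random)."""
    used = [n for n in map(ipaddress.ip_network, in_use) if n.version == 4]
    for pool in pools:
        base = ipaddress.ip_network(pool["base"])
        if pool["size"] < base.prefixlen:
            continue  # pool cannot hold even one subnet of the requested size
        for candidate in base.subnets(new_prefix=pool["size"]):
            # overlaps() is symmetric, so an in-use /16 blocks all its /24s
            if not any(candidate.overlaps(u) for u in used):
                return candidate
    return None


def pools_overlapping(pools, subnet):
    """Return the bases of pools that overlap `subnet` (e.g. default_subnet);
    such an overlap lets automatic allocation hand out addresses that the
    default network already uses."""
    target = ipaddress.ip_network(subnet)
    return [p["base"] for p in pools
            if ipaddress.ip_network(p["base"]).overlaps(target)]


if __name__ == "__main__":
    taken = ["10.88.0.0/16", "10.89.0.0/24", "10.89.1.0/24"]  # constructed
    print(first_free_subnet(DEFAULT_SUBNET_POOLS, taken))  # 10.89.2.0/24
    print(pools_overlapping(DEFAULT_SUBNET_POOLS, "10.88.0.0/16"))  # []
```
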
       network_config_dir="/etc/cni/net.d/"

       Path to the directory where network configuration files are located.
       For the CNI backend the default is "/etc/cni/net.d" as root and
       "$HOME/.config/cni/net.d" as rootless. For the netavark backend
       "/etc/containers/networks" is used as root and "$graphroot/networks"
       as rootless.

       dns_bind_port=53

       Port to use for the DNS forwarding daemon with netavark in rootful
       bridge mode and DNS enabled. Using an alternate port might be useful
       if other DNS services should run on the machine.

ENGINE TABLE

       The engine table contains configuration options used to set up
       container engines such as Podman and Buildah.

       active_service=""

       Name of destination for accessing the Podman service. See SERVICE
       DESTINATION TABLE below.

       cgroup_manager="systemd"

       The cgroup management implementation used for the runtime. Supports
       cgroupfs and systemd.

       conmon_env_vars=[]

       Environment variables to pass into conmon.

       conmon_path=[]

       Paths to search for the conmon container manager binary. If the paths
       are empty or no valid path was found, then the $PATH environment
       variable will be used as the fallback.

       The default list is:

              conmon_path=[
                  "/usr/libexec/podman/conmon",
                  "/usr/local/libexec/podman/conmon",
                  "/usr/local/lib/podman/conmon",
                  "/usr/bin/conmon",
                  "/usr/sbin/conmon",
                  "/usr/local/bin/conmon",
                  "/usr/local/sbin/conmon",
                  "/run/current-system/sw/bin/conmon",
              ]

       detach_keys="ctrl-p,ctrl-q"

       Key sequence used for detaching a container. Format is a single
       character [a-Z] or a comma separated sequence of ctrl-<value>, where
       <value> is one of: a-z, @, ^, [, \, ], ^ or _

       enable_port_reservation=true

       Determines whether the engine will reserve ports on the host when they
       are forwarded to containers. When enabled, ports forwarded to
       containers are held open by conmon as long as the container is
       running, ensuring that they cannot be reused by other programs on the
       host. However, this can cause significant memory usage if a container
       has many ports forwarded to it. Disabling this can save memory.

       env=[]

       Environment variables to be used when running the container engine
       (e.g., Podman, Buildah). For example
       "http_proxy=internal.proxy.company.com". Note these environment
       variables will not be used within the container. Set the env option
       under the [containers] table if you want to set environment variables
       for the container.

       events_logfile_path=""

       Define where event logs will be stored when events_logger is "file".

       events_logfile_max_size="1m"

       Sets the maximum size for events_logfile_path. The unit can be b
       (bytes), k (kilobytes), m (megabytes) or g (gigabytes). The format for
       the size is <number><unit>, e.g., 1b or 3g. If no unit is included
       then the size will be in bytes. When the limit is exceeded, the
       logfile will be rotated and the old one will be deleted. If the
       maximum size is set to 0, then no limit will be applied, and the
       logfile will not be rotated.

       events_logger="journald"

       The default method to use when logging events.

       The default method is different based on the platform that Podman is
       being run upon. To determine the current value, use this command:

              podman info --format {{.Host.EventLogger}}

       Valid values are: file, journald, and none.

       events_container_create_inspect_data=true|false

       Creates a more verbose container-create event which includes a JSON
       payload with detailed information about the container. Set to false
       by default.

       helper_binaries_dir=["/usr/libexec/podman", ...]

       A list of directories which are used to search for helper binaries.

       The default paths on Linux are:
         - /usr/local/libexec/podman
         - /usr/local/lib/podman
         - /usr/libexec/podman
         - /usr/lib/podman

       The default paths on macOS are:
         - /usr/local/opt/podman/libexec
         - /opt/homebrew/bin
         - /opt/homebrew/opt/podman/libexec
         - /usr/local/bin
         - /usr/local/libexec/podman
         - /usr/local/lib/podman
         - /usr/libexec/podman
         - /usr/lib/podman

       The default path on Windows is:
         - C:\Program Files\RedHat\Podman

       hooks_dir=["/etc/containers/oci/hooks.d", ...]

       Path to the OCI hooks directories for automatically executed hooks.

       image_default_format="oci"|"v2s2"|"v2s1"

       Manifest type (oci, v2s2, or v2s1) to use when pulling, pushing, or
       building container images. By default images pulled and pushed match
       the format of the source image. Building/committing defaults to OCI.
       Note: image_build_format is deprecated.

       image_default_transport="docker://"

       Default transport method for pulling and pushing images.

       image_parallel_copies=0

       Maximum number of image layers to be copied (pulled/pushed)
       simultaneously. Not setting this field will fall back to the
       containers/image default (6).

       image_volume_mode="bind"

       Tells container engines how to handle the builtin image volumes.

              • bind: An anonymous named volume will be created and mounted
                into the container.

              • tmpfs: The volume is mounted onto the container as a tmpfs,
                which allows the users to create content that disappears when
                the container is stopped.

              • ignore: All volumes are just ignored and no action is taken.

       infra_command="/pause"

       Infra (pause) container image command for pod infra containers. When
       running a pod, we start a /pause process in a container to hold open
       the namespaces associated with the pod. This container does nothing
       other than sleep, reserving the pod's resources for the lifetime of
       the pod.

       infra_image=""

       Infra (pause) container image for pod infra containers. When running
       a pod, we start a pause process in a container to hold open the
       namespaces associated with the pod. This container does nothing other
       than sleep, reserving the pod's resources for the lifetime of the pod.
       By default container engines run a builtin container using the pause
       executable. If you want to override this, specify an image to pull.

       lock_type="shm"

       Specify the locking mechanism to use; valid values are "shm" and
       "file". Change the default only if you are sure of what you are
       doing; in general "file" is useful only on platforms where cgo is not
       available for using the faster "shm" lock type. You may need to run
       "podman system renumber" after you change the lock type.

       multi_image_archive=false

       Allows for creating archives (e.g., tarballs) with more than one
       image. Some container engines, such as Podman, interpret additional
       arguments as tags for one image and hence do not store more than one
       image. The default behavior can be altered with this option.

       namespace=""

       Default engine namespace. If the engine is joined to a namespace, it
       will see only containers and pods that were created in the same
       namespace, and will create new containers and pods in that namespace.
       The default namespace is "", which corresponds to no namespace. When
       no namespace is set, all containers and pods are visible.

       network_cmd_path=""

       Path to the slirp4netns binary.

       network_cmd_options=[]

       Default options to pass to the slirp4netns binary.

       Valid option values are:

       • allow_host_loopback=true|false: Allow slirp4netns to reach the host
         loopback IP (10.0.2.2). Default is false.

       • mtu=MTU: Specify the MTU to use for this network. (Default is
         65520).

       • cidr=CIDR: Specify the IP range to use for this network. (Default
         is 10.0.2.0/24).

       • enable_ipv6=true|false: Enable IPv6. Default is true. (Required for
         outbound_addr6).

       • outbound_addr=INTERFACE: Specify the outbound interface slirp
         should bind to (IPv4 traffic only).

       • outbound_addr=IPv4: Specify the outbound IPv4 address slirp should
         bind to.

       • outbound_addr6=INTERFACE: Specify the outbound interface slirp
         should bind to (IPv6 traffic only).

       • outbound_addr6=IPv6: Specify the outbound IPv6 address slirp should
         bind to.

       • port_handler=rootlesskit: Use rootlesskit for port forwarding.
         Default. Note: rootlesskit changes the source IP address of
         incoming packets to an IP address in the container network
         namespace, usually 10.0.2.100. If your application requires the
         real source IP address, e.g. web server logs, use the slirp4netns
         port handler. The rootlesskit port handler is also used for
         rootless containers when connected to user-defined networks.

       • port_handler=slirp4netns: Use the slirp4netns port forwarding; it
         is slower than rootlesskit but preserves the correct source IP
         address. This port handler cannot be used for user-defined
         networks.

       no_pivot_root=false

       Whether to use chroot instead of pivot_root in the runtime.

       num_locks=2048

       Number of locks available for containers and pods. Each created
       container or pod consumes one lock. The default number available is
       2048. If this is changed, a lock renumbering must be performed, using
       the podman system renumber command.

       pod_exit_policy="continue"

       Set the exit policy of the pod when the last container exits.
       Supported policies are:

       ┌─────────────┬─────────────────────────────────────────────┐
       │ Exit Policy │ Description                                 │
       ├─────────────┼─────────────────────────────────────────────┤
       │ continue    │ The pod continues running when the last     │
       │             │ container exits. Used by default.           │
       ├─────────────┼─────────────────────────────────────────────┤
       │ stop        │ The pod is stopped when the last container  │
       │             │ exits. Used in play kube.                   │
       └─────────────┴─────────────────────────────────────────────┘

       pull_policy="always"|"missing"|"never"

       Pull image before running or creating a container. The default is
       missing.

       • missing: attempt to pull the latest image from the registries
         listed in registries.conf if a local image does not exist. Raise an
         error if the image is not in any listed registry and is not present
         locally.

       • always: pull the image from the first registry it is found in as
         listed in registries.conf. Raise an error if not found in the
         registries, even if the image is present locally.

       • never: do not pull the image from the registry; use only the local
         version. Raise an error if the image is not present locally.

       remote=false

       Indicates whether the application should be running in remote mode.
       This flag modifies the --remote option on container engines. Setting
       the flag to true will default podman --remote=true for access to the
       remote Podman service.

       runtime=""

       Default OCI runtime, from the runtimes table, that will be used by
       default. Must refer to a member of the runtimes table. The default
       runtime will be searched for on the system using the priority:
       "crun", "runc", "kata".

       runtime_supports_json=["crun", "runc", "kata", "runsc", "youki", "krun"]

       The list of the OCI runtimes that support --format=json.

       runtime_supports_kvm=["kata", "krun"]

       The list of OCI runtimes that support running containers with KVM
       separation.

       runtime_supports_nocgroups=["crun", "krun"]

       The list of OCI runtimes that support running containers without
       cgroups.

       image_copy_tmp_dir="/var/tmp"

       Default location for storing temporary container image content. Can
       be overridden with the TMPDIR environment variable. If you specify
       "storage", then the location of the containers/storage tmp directory
       will be used. If set, then it is the user's responsibility to clean
       up storage. Configure tmpfiles.d(5) to clean up storage.

       service_timeout=5

       Number of seconds to wait without a connection before the podman
       system service times out and exits.

       static_dir="/var/lib/containers/storage/libpod"

       Directory for persistent libpod files (database, etc). By default
       this will be configured relative to where containers/storage stores
       containers.

       stop_timeout=10

       Number of seconds to wait for a container to exit before sending the
       kill signal.

       exit_command_delay=300

       Number of seconds to wait for the API process for the exec call
       before sending the exit command, mimicking the Docker behavior of 5
       minutes (in seconds).

       tmp_dir="/run/libpod"

       The path to a temporary directory to store per-boot container files.
       Must be a tmpfs (wiped after reboot).

       volume_path="/var/lib/containers/storage/volumes"

       Directory where named volumes will be created using the default
       volume driver. By default this will be configured relative to where
       containers/storage stores containers. This convention is followed by
       the default volume driver, but may not be by other drivers.

       chown_copied_files=true

       Determines whether files copied into a container will have their
       ownership changed to the primary uid/gid of the container.

       compression_format=""

       Specifies the compression format to use when pushing an image.
       Supported values are: gzip, zstd and zstd:chunked.

SERVICE DESTINATION TABLE

       The service_destinations table contains configuration options used to
       set up remote connections to the podman service for the podman API.


       [service_destinations.{name}]


       uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"


       URI to access the Podman service.


       Example URIs:


              rootless local  - unix://run/user/1000/podman/podman.sock

              rootless remote - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock

              rootful local   - unix://run/podman/podman.sock

              rootful remote  - ssh://root@10.10.1.136:22/run/podman/podman.sock


       identity="~/.ssh/id_rsa"


       Path to the file containing the ssh identity key.
1001
1002
       [engine.volume_plugins]


       A table of all the enabled volume plugins on the system. Volume plugins
       can be used as the backend for Podman named volumes. Individual plugins
       are specified below, as a map of the plugin name (what the plugin will
       be called) to its path (filepath of the plugin's unix socket).


       [engine.platform_to_oci_runtime]


       Allows end users to switch the OCI runtime on the basis of the
       container image's platform string. The following config field contains
       a map of platform/string = oci_runtime.
1018
1019

SECRET TABLE

       The secret table contains settings for the configuration of the secret
       subsystem.


       driver=file


       Name of the secret driver to be used. Currently valid values are:
         * file
         * pass


       [secrets.opts]


       The driver specific options object.
1037
1038

MACHINE TABLE

       The machine table contains configurations for podman machine VMs.


       cpus=1


       Number of CPUs a machine is created with.


       disk_size=10


       The size of the disk in GB created when initializing a podman-machine
       VM.


       image=""


       Default image URI when creating a new VM using podman machine init.
       Options: on Linux/Mac, testing, stable, next. On Windows, the major
       version of the OS (e.g. 36) for Fedora 36. For all platforms you can
       alternatively specify a custom download URL to an image. Container
       engines translate $OS and $ARCH in the URI to the native OS and ARCH.
       The URI "https://example.com/$OS/$ARCH/foobar.ami" would become
       "https://example.com/linux/amd64/foobar.ami" on a Linux amd64 machine.
       The default value is testing on Linux/Mac, and on Windows.


       memory=2048


       Memory in MB a machine is created with.


       user=""


       Username to use and create on the podman machine OS for rootless
       container access. The default value is user. On Linux/Mac the default
       is core.


       volumes=["$HOME:$HOME"]


       Host directories to be mounted as volumes into the VM by default.
       Environment variables like $HOME as well as complete paths are
       supported for the source and destination. An optional third field :ro
       can be used to tell the container engines to mount the volume
       read-only.


       On Mac, the default volumes are: "/Users:/Users", "/private:/private",
       "/var/folders:/var/folders"
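       The following Python function is an added example, not Podman's own
       code, showing how a machine volumes entry decomposes into source,
       destination and the optional :ro flag, with $VARIABLES expanded from
       a caller-supplied environment rather than the real one. Rejecting
       entries with the wrong number of fields, an unknown third field, or a
       relative path after expansion is this example's own validation choice;
       the man page does not state how Podman treats such entries.

```python
"""Parse the machine `volumes` list: SOURCE:DESTINATION[:ro].

Added example, not Podman's own code. Expansion of $VAR in either path
uses the environment mapping passed in, so it runs offline and is
deterministic; the rejection rules are this example's assumptions.
"""
from string import Template


def parse_machine_volumes(volumes, env):
    """Return [(source, destination, read_only), ...] for the given specs."""
    parsed = []
    for spec in volumes:
        fields = spec.split(":")
        if len(fields) not in (2, 3):
            raise ValueError(f"volume {spec!r} must be SOURCE:DESTINATION[:ro]")
        # Template.substitute expands $HOME-style variables and raises
        # KeyError for a variable missing from env, instead of silently
        # mounting a wrong path.
        source, dest = (Template(f).substitute(env) for f in fields[:2])
        read_only = False
        if len(fields) == 3:
            if fields[2] != "ro":
                raise ValueError(f"volume {spec!r}: third field must be 'ro'")
            read_only = True
        if not (source.startswith("/") and dest.startswith("/")):
            raise ValueError(f"volume {spec!r}: paths must be absolute")
        parsed.append((source, dest, read_only))
    return parsed


if __name__ == "__main__":
    # Constructed input: the documented default plus the Mac defaults,
    # one of them marked read-only.
    sample = ["$HOME:$HOME", "/Users:/Users", "/private:/private:ro"]
    for entry in parse_machine_volumes(sample, {"HOME": "/home/alice"}):
        print(entry)
```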
1090
1091
       provider=""


       Virtualization provider to be used for running a podman-machine VM.
       An empty value is interpreted as the default provider for the current
       host OS. On Linux/Mac the default is QEMU and on Windows it is WSL.
1098
1099
1100

FILES

       containers.conf


       Distributions often provide a /usr/share/containers/containers.conf
       file to define default container configuration. Administrators can
       override fields in this file by creating /etc/containers/containers.conf
       to specify their own configuration. Rootless users can further
       override fields in the config by creating a config file stored in the
       $HOME/.config/containers/containers.conf file.


       If the CONTAINERS_CONF path environment variable is set, just this path
       will be used. This is primarily used for testing.


       Fields specified in the containers.conf file override the default
       options, as well as options in previously read containers.conf files.
1119
1120
       storage.conf


       The /etc/containers/storage.conf file is the default storage
       configuration file. Rootless users can override fields in the storage
       config by creating $HOME/.config/containers/storage.conf.


       If the CONTAINERS_STORAGE_CONF path environment variable is set, this
       path is used for the storage.conf file rather than the default. This
       is primarily used for testing.
1132
1133
1134

SEE ALSO

       containers-storage.conf(5), containers-policy.json(5),
       containers-registries.conf(5), tmpfiles.d(5)
1138
1139
1140
engine                             Container                containers.conf(5)