containers.conf(5) configuration containers.conf(5)

containers.conf - The container engine configuration file specifies default
configuration options and command-line flags for container engines.

Container engines like Podman & Buildah read the containers.conf file, if it
exists, and modify the defaults for running containers on the host.
containers.conf uses a TOML format that can be easily modified and versioned.

Container engines read the /usr/share/containers/containers.conf and
/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf
files if they exist. When running in rootless mode, they also read
$HOME/.config/containers/containers.conf and
$HOME/.config/containers/containers.conf.d/*.conf files.

Fields specified in containers.conf override the default options, as well as
options in previously read containers.conf files.

Config files in the .d directories are added in alphanumeric sorted order and
must end in .conf.

Not all options are supported in all container engines.

Note that container engines also use other configuration files for
configuring the environment.

       • storage.conf for configuration of container and image storage.

       • registries.conf for definition of container registries to search
         while pulling container images.

       • policy.conf for controlling which images can be pulled to the
         system.

The TOML format ⟨https://github.com/toml-lang/toml⟩ is used as the encoding
of the configuration file. Every option is nested under its table. No bare
options are used. The format of TOML can be simplified to:

       [table1]
       option = value

       [table2]
       option = value

       [table3]
       option = value

       [table3.subtable1]
       option = value

The containers table contains settings to configure and manage the OCI
runtime.

annotations = []

List of annotations. Specified as "key=value" pairs to be added to all
containers.

Example: "run.oci.keep_original_groups=1"

apparmor_profile="container-default"

Used to change the name of the default AppArmor profile of container
engines. The default profile name is "container-default".

base_hosts_file=""

The hosts entries from the base hosts file are added to the container's
hosts file. This must be either an absolute path or one of the special
values "image", which uses the hosts file from the container image, or
"none", which means no base hosts file is used. The default is "", which
will use /etc/hosts.

cgroups="enabled"

Determines whether the container will create CGroups. Options are:

       enabled    Enable cgroup support within the container.
       disabled   Disable cgroup support; the container will inherit cgroups
                  from the parent.
       no-conmon  Do not create a cgroup dedicated to conmon.

cgroupns="private"

Default way to create a cgroup namespace for the container. Options are:

       private  Create a private Cgroup Namespace for the container.
       host     Share the host Cgroup Namespace with the container.

default_capabilities=[]

List of default capabilities for containers.

The default list is:

       default_capabilities = [
         "CHOWN",
         "DAC_OVERRIDE",
         "FOWNER",
         "FSETID",
         "KILL",
         "NET_BIND_SERVICE",
         "SETFCAP",
         "SETGID",
         "SETPCAP",
         "SETUID",
       ]

Note: by default, container engines using containers.conf run with fewer
capabilities than Docker. Docker additionally runs with "AUDIT_WRITE",
"MKNOD", "NET_RAW", "CHROOT". If you need to add one of these capabilities
for a particular container, you can use the --cap-add option or edit your
system's containers.conf.

default_sysctls=[]

A list of sysctls to be set in containers by default, specified as
"name=value".

Example: "net.ipv4.ping_group_range=0 1000".

default_ulimits=[]

A list of ulimits to be set in containers by default, specified as
"name=soft-limit:hard-limit".

Example: "nofile=1024:2048".

devices=[]

List of devices. Specified as
"device-on-host:device-on-container:permissions".

Example: "/dev/sdc:/dev/xvdc:rwm".

dns_options=[]

List of default DNS options to be added to /etc/resolv.conf inside of the
container.

dns_searches=[]

List of default DNS search domains to be added to /etc/resolv.conf inside of
the container.

dns_servers=[]

A list of DNS servers to override the DNS configuration passed to the
container. The special value "none" can be specified to disable creation of
/etc/resolv.conf in the container.

env=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm"]

Environment variable list for the container process, used for passing
environment variables to the container.

env_host=false

Pass all host environment variables into the container.

host_containers_internal_ip=""

Set the IP for the host.containers.internal entry in the container's
/etc/hosts file. This can be set to "none" to disable adding this entry. By
default it will automatically choose the host IP.

NOTE: When using podman machine this entry will never be added to the
container's hosts file; instead the gvproxy DNS resolver will resolve this
hostname. Therefore it is not possible to disable the entry in this case.

http_proxy=true

Default proxy environment variables will be passed into the container. The
environment variables passed in include: http_proxy, https_proxy,
ftp_proxy, no_proxy, and the upper case versions of these. The no_proxy
option is needed when the host system uses a proxy but the container should
not use the proxy. Proxy environment variables specified for the container
in any other way will override the values passed from the host.

init=false

Run an init inside the container that forwards signals and reaps processes.

init_path="/usr/libexec/podman/catatonit"

Path to the container-init binary, which forwards signals and reaps
processes within containers. Note that the container-init binary will only
be used when --init is set for podman-create and podman-run.

ipcns="shareable"

Default way to create an IPC namespace for the container. Options are:

       host       Share the host IPC Namespace with the container.
       none       Create a shareable IPC Namespace for the container without
                  a private /dev/shm.
       private    Create a private IPC Namespace for the container; other
                  containers are not allowed to share it.
       shareable  Create a shareable IPC Namespace for the container.

keyring=true

Indicates whether the container engines create a kernel keyring for use
within the container.

label=true

Indicates whether the container engine uses MAC (SELinux) container
separation via labeling. This option is ignored on systems where SELinux is
disabled.

log_driver=""

Logging driver for the container. Currently available options are k8s-file,
journald, none and passthrough, with json-file aliased to k8s-file for
scripting compatibility. The journald driver is used by default if the
systemd journal is readable and writable. Otherwise, the k8s-file driver is
used.

log_size_max=-1

Maximum size allowed for the container's log file. Negative numbers indicate
that no size limit is imposed. If it is positive, it must be >= 8192 to
match/exceed conmon's read buffer. The file is truncated and re-opened so
the limit is never exceeded.

log_tag=""

Default format tag for container log messages. This is useful for creating a
specific tag for container log messages. Container log messages default to
using the truncated container ID as a tag.

netns="private"

Default way to create a NET namespace for the container. Options are:

       private  Create a private NET Namespace for the container.
       host     Share the host NET Namespace with the container.
       none     Containers do not use the network.

no_hosts=false

Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address.

pidns="private"

Default way to create a PID namespace for the container. Options are:

       private  Create a private PID Namespace for the container.
       host     Share the host PID Namespace with the container.

pids_limit=1024

Maximum number of processes allowed in a container. 0 indicates that no
limit is imposed.

prepare_volume_on_create=false

Copy the content from the underlying image into the newly created volume
when the container is created instead of when it is started. If false, the
container engine will not copy the content until the container is started.
Setting it to true may have negative performance implications.

read_only=true|false

Run all containers with the root file system mounted read-only. Set to false
by default.

seccomp_profile="/usr/share/containers/seccomp.json"

Path to the seccomp.json profile which is used as the default seccomp
profile for the runtime.

shm_size="65536k"

Size of /dev/shm. The format is <number><unit>. number must be greater than
0. Unit is optional and can be: b (bytes), k (kilobytes), m (megabytes), or
g (gigabytes). If you omit the unit, the system uses bytes. If you omit the
size entirely, the system uses 65536k.

tz=""

Set the timezone in the container. Takes IANA timezones as well as local,
which sets the timezone in the container to match the host machine. If not
set, then containers will run with the time zone specified in the image.

Examples:
       tz="local"
       tz="America/New_York"

umask="0022"

Sets the umask inside the container.

userns="host"

Default way to create a USER namespace for the container. Options are:

       private  Create a private USER Namespace for the container.
       host     Share the host USER Namespace with the container.

utsns="private"

Default way to create a UTS namespace for the container. Options are:

       private  Create a private UTS Namespace for the container.
       host     Share the host UTS Namespace with the container.

volumes=[]

List of volumes. Specified as
"directory-on-host:directory-in-container:options".

Example: "/db:/var/lib/db:ro".

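The script below audits one parsed [containers] table for the settings this
table documents as widening what every container on the host can reach
(capabilities beyond the documented default list, host namespaces, env_host,
label, pids_limit, a positive log_size_max below 8192, and the <number><unit>
syntax of shm_size). It is an added example, not code from containers.conf(5),
Podman or Buildah; the two input tables are constructed, and the function
names audit_containers_table and parse_size are chosen for this example only.

```python
"""Audit the effective [containers] table of a containers.conf.

Added example; not part of containers.conf(5), Podman or Buildah. The checks
only encode what the containers table section states: the documented default
capability list, the 8192-byte floor for a positive log_size_max, the
<number><unit> syntax of shm_size, and the meaning of host namespaces,
env_host and label. The two tables at the bottom are constructed inputs.
"""

# Capability list documented as the default for default_capabilities.
DOCUMENTED_DEFAULT_CAPS = frozenset([
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
])

# Units accepted by shm_size: b, k, m, g; a bare number means bytes.
SIZE_UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(value):
    """Parse "<number><unit>" (e.g. "65536k") into bytes; raise on bad input."""
    text = value.strip().lower()
    multiplier = 1
    if text and text[-1] in SIZE_UNITS:
        multiplier = SIZE_UNITS[text[-1]]
        text = text[:-1]
    if not text.isdigit() or int(text) <= 0:
        raise ValueError(f"invalid size {value!r}: need a positive number "
                         "with optional unit b/k/m/g")
    return int(text) * multiplier


def audit_containers_table(table):
    """Return a list of findings for one parsed [containers] table.

    `table` is a plain dict (the already-parsed TOML table). An empty list
    means nothing in it widens the defaults the page documents.
    """
    findings = []

    extra = set(table.get("default_capabilities", [])) - DOCUMENTED_DEFAULT_CAPS
    if extra:
        findings.append("default_capabilities grants capabilities beyond the "
                        "documented default: " + ", ".join(sorted(extra)))

    # "host" for any of these shares that host namespace with every container
    for option in ("cgroupns", "ipcns", "netns", "pidns", "userns", "utsns"):
        if table.get(option) == "host":
            findings.append(f"{option}=host shares the host namespace with all containers")

    if table.get("env_host") is True:
        findings.append("env_host=true passes every host environment variable into containers")
    if table.get("label") is False:
        findings.append("label=false turns off SELinux container separation")
    if table.get("pids_limit") == 0:
        findings.append("pids_limit=0 imposes no process limit")

    log_size_max = table.get("log_size_max", -1)
    if 0 < log_size_max < 8192:  # positive values must be >= 8192
        findings.append(f"log_size_max={log_size_max} is positive but below the 8192 minimum")

    if "shm_size" in table:
        try:
            parse_size(table["shm_size"])
        except ValueError as err:
            findings.append(str(err))

    return findings


# Constructed inputs: a permissive table and a tightened one.
PERMISSIVE_TABLE = {
    "default_capabilities": sorted(DOCUMENTED_DEFAULT_CAPS | {"NET_RAW", "MKNOD"}),
    "pidns": "host",
    "userns": "host",
    "env_host": True,
    "label": False,
    "pids_limit": 0,
    "log_size_max": 4096,
    "shm_size": "64m",
}
TIGHTENED_TABLE = {
    "default_capabilities": ["CHOWN", "NET_BIND_SERVICE", "SETGID", "SETUID"],
    "pidns": "private",
    "userns": "private",
    "read_only": True,
    "pids_limit": 512,
    "log_size_max": 10485760,
    "shm_size": "65536k",
}

if __name__ == "__main__":
    for name, table in (("permissive", PERMISSIVE_TABLE), ("tightened", TIGHTENED_TABLE)):
        findings = audit_containers_table(table)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The table passed in is the merged result of every containers.conf the engine
reads, so run the audit on the effective configuration rather than on a single
file; userns="host" is the documented default and is still reported, because
the point of the audit is to list what every container shares with the host.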
The network table contains settings pertaining to the management of CNI
plugins.

network_backend=""

Network backend determines what network driver will be used to set up and
tear down container networks. Valid values are "cni" and "netavark". The
default value is empty, which means that it will automatically choose CNI or
netavark. If there are already containers/images or CNI networks present,
it will choose CNI.

Before changing this value all containers must be stopped; otherwise it is
likely that iptables rules and network interfaces will leak on the host. A
reboot will fix this.

cni_plugin_dirs=[]

List of paths to directories where CNI plugin binaries are located.

The default list is:

       cni_plugin_dirs = [
         "/usr/local/libexec/cni",
         "/usr/libexec/cni",
         "/usr/local/lib/cni",
         "/usr/lib/cni",
         "/opt/cni/bin",
       ]

default_network="podman"

The network name of the default network to attach pods to.

default_subnet="10.88.0.0/16"

The subnet to use for the default network (named above in default_network).
If the default network does not exist, it will be automatically created the
first time a tool is run, using this subnet.

default_subnet_pools=[]

DefaultSubnetPools is a list of subnets and sizes which are used to allocate
subnets automatically for podman network create. It will iterate through
the list and pick the first free subnet with the given size. This is only
used for IPv4 subnets; IPv6 subnets are always assigned randomly.

The default list is (10.89.0.0-10.255.255.0/24):

       default_subnet_pools = [
         {"base" = "10.89.0.0/16", "size" = 24},
         {"base" = "10.90.0.0/15", "size" = 24},
         {"base" = "10.92.0.0/14", "size" = 24},
         {"base" = "10.96.0.0/11", "size" = 24},
         {"base" = "10.128.0.0/9", "size" = 24},
       ]

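The allocation rule above (walk the pools in order, hand out the first subnet
of the pool's size that is still free) is worked through below. This is an
added example and not code from containers.conf(5), netavark or CNI: it takes
"free" to mean "does not overlap any network already in use" (an assumption of
this example), uses the page's default pool list, and the in-use networks are
constructed. It also checks the claim that the defaults cover
10.89.0.0 to 10.255.255.0 without gaps.

```python
"""Allocate the next free IPv4 subnet from default_subnet_pools.

Added example, not code from containers.conf(5), netavark or CNI. It walks
the pools in order and returns the first subnet of the pool's size that does
not overlap an already used network. The pool list is the page's default; the
in-use networks in __main__ are constructed.
"""
import ipaddress

DEFAULT_SUBNET_POOLS = [
    {"base": "10.89.0.0/16", "size": 24},
    {"base": "10.90.0.0/15", "size": 24},
    {"base": "10.92.0.0/14", "size": 24},
    {"base": "10.96.0.0/11", "size": 24},
    {"base": "10.128.0.0/9", "size": 24},
]


def _ipv4_pools(pools):
    """Yield (base_network, size) for the usable pools.

    The page says pools apply to IPv4 only, so IPv6 bases are skipped; a
    size shorter than the base prefix cannot be carved out of it, so those
    pools are skipped too.
    """
    for pool in pools:
        base = ipaddress.ip_network(pool["base"])
        if base.version == 4 and pool["size"] >= base.prefixlen:
            yield base, pool["size"]


def next_free_subnet(pools, in_use):
    """Return the first free subnet as a string, or None when all pools are exhausted."""
    used = [ipaddress.ip_network(net) for net in in_use]
    for base, size in _ipv4_pools(pools):
        for candidate in base.subnets(new_prefix=size):
            if not any(candidate.overlaps(net) for net in used):
                return str(candidate)
    return None


def pool_capacity(pools):
    """Total number of subnets the pools can hand out (ignoring what is in use)."""
    return sum(2 ** (size - base.prefixlen) for base, size in _ipv4_pools(pools))


def pools_are_contiguous(pools):
    """True if each pool starts right after the previous one ends (no gaps, no overlap)."""
    bases = [base for base, _ in _ipv4_pools(pools)]
    return all(int(b.network_address) == int(a.broadcast_address) + 1
               for a, b in zip(bases, bases[1:]))


if __name__ == "__main__":
    # constructed: the default network plus two networks already created
    existing = ["10.88.0.0/16", "10.89.0.0/24", "10.89.1.0/24"]
    print("next subnet:", next_free_subnet(DEFAULT_SUBNET_POOLS, existing))
    print("capacity:", pool_capacity(DEFAULT_SUBNET_POOLS), "subnets")
    print("contiguous:", pools_are_contiguous(DEFAULT_SUBNET_POOLS))
```

Feeding the allocator the subnets of networks that exist on the host, plus
default_subnet itself, shows which range the next podman network create will
land in; running it with an in-use list that covers all of 10.0.0.0/8 returns
None, which is the case where an operator has to add pools.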
network_config_dir="/etc/cni/net.d/"

Path to the directory where network configuration files are located. For the
CNI backend the default is "/etc/cni/net.d" as root and
"$HOME/.config/cni/net.d" as rootless. For the netavark backend
"/etc/containers/networks" is used as root and "$graphroot/networks" as
rootless.

dns_bind_port=53

Port to use for the DNS forwarding daemon with netavark in rootful bridge
mode and DNS enabled. Using an alternate port might be useful if other DNS
services should run on the machine.

The engine table contains configuration options used to set up container
engines such as Podman and Buildah.

active_service=""

Name of the destination for accessing the Podman service. See SERVICE
DESTINATION TABLE below.

cgroup_manager="systemd"

The cgroup management implementation used for the runtime. Supports cgroupfs
and systemd.

conmon_env_vars=[]

Environment variables to pass into Conmon.

conmon_path=[]

Paths to search for the conmon container manager binary. If the paths are
empty or no valid path was found, then the $PATH environment variable will
be used as the fallback.

The default list is:

       conmon_path=[
         "/usr/libexec/podman/conmon",
         "/usr/local/libexec/podman/conmon",
         "/usr/local/lib/podman/conmon",
         "/usr/bin/conmon",
         "/usr/sbin/conmon",
         "/usr/local/bin/conmon",
         "/usr/local/sbin/conmon",
         "/run/current-system/sw/bin/conmon",
       ]

detach_keys="ctrl-p,ctrl-q"

Key sequence used for detaching a container. The format is a single
character [a-Z] or a comma separated sequence of ctrl-<value>, where <value>
is one of: a-z, @, ^, [, \, ], ^ or _

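A validator for the detach_keys format just described, as an added example
(not code from containers.conf(5) or Podman): it accepts a single letter or a
comma separated list of ctrl-<value> tokens with <value> in a-z or one of
@ ^ [ \ ] _. "[a-Z]" is read here as any ASCII letter, and the function names
parse_detach_keys and is_valid_detach_keys are chosen for this example.

```python
"""Validate a detach_keys value against the documented format.

Added example, not part of containers.conf(5) or Podman. Either a single
letter, or a comma separated sequence of ctrl-<value> where <value> is a-z or
one of @ ^ [ \\ ] _. "[a-Z]" is taken to mean any ASCII letter (an
assumption of this example).
"""
import string

# characters allowed after "ctrl-": a-z, @, ^, [, \, ], _
CTRL_VALUES = frozenset(string.ascii_lowercase + "@^[\\]_")


def parse_detach_keys(spec):
    """Return the sequence as a list of tokens, or raise ValueError."""
    if len(spec) == 1:
        if spec in string.ascii_letters:
            return [spec]
        raise ValueError(f"single detach key must be a letter, got {spec!r}")
    tokens = []
    for part in spec.split(","):
        prefix, _, value = part.partition("-")
        if prefix != "ctrl" or len(value) != 1 or value not in CTRL_VALUES:
            raise ValueError(f"invalid detach key {part!r} in {spec!r}")
        tokens.append(part)
    if not tokens:
        raise ValueError("detach_keys must not be empty")
    return tokens


def is_valid_detach_keys(spec):
    """True if `spec` is a well-formed detach_keys value."""
    try:
        parse_detach_keys(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("ctrl-p,ctrl-q", "q", "ctrl-1", "ctrl-p,q"):
        print(f"{spec!r}: {'ok' if is_valid_detach_keys(spec) else 'rejected'}")
```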
enable_port_reservation=true

Determines whether the engine will reserve ports on the host when they are
forwarded to containers. When enabled, ports forwarded to containers are
held open by conmon as long as the container is running, ensuring that they
cannot be reused by other programs on the host. However, this can cause
significant memory usage if a container has many ports forwarded to it.
Disabling this can save memory.

env=[]

Environment variables to be used when running the container engine (e.g.,
Podman, Buildah). For example "http_proxy=internal.proxy.company.com". Note
these environment variables will not be used within the container. Set the
env option under the [containers] table if you want to set environment
variables for the container.

events_logfile_path=""

Define where event logs will be stored when events_logger is "file".

events_logfile_max_size="1m"

Sets the maximum size for events_logfile_path. The unit can be b (bytes), k
(kilobytes), m (megabytes) or g (gigabytes). The format for the size is
<number><unit>, e.g., 1b or 3g. If no unit is included then the size will
be in bytes. When the limit is exceeded, the logfile will be rotated and the
old one will be deleted. If the maximum size is set to 0, then no limit will
be applied, and the logfile will not be rotated.

events_logger="journald"

The default method to use when logging events.

The default method is different based on the platform that Podman is being
run upon. To determine the current value, use this command:

       podman info --format {{.Host.EventLogger}}

Valid values are: file, journald, and none.

events_container_create_inspect_data=true|false

Creates a more verbose container-create event which includes a JSON payload
with detailed information about the container. Set to false by default.

helper_binaries_dir=["/usr/libexec/podman", ...]

A list of directories which are used to search for helper binaries.

The default paths on Linux are:
       - /usr/local/libexec/podman
       - /usr/local/lib/podman
       - /usr/libexec/podman
       - /usr/lib/podman

The default paths on macOS are:
       - /usr/local/opt/podman/libexec
       - /opt/homebrew/bin
       - /opt/homebrew/opt/podman/libexec
       - /usr/local/bin
       - /usr/local/libexec/podman
       - /usr/local/lib/podman
       - /usr/libexec/podman
       - /usr/lib/podman

The default path on Windows is:
       - C:\Program Files\RedHat\Podman

hooks_dir=["/etc/containers/oci/hooks.d", ...]

Path to the OCI hooks directories for automatically executed hooks.

image_default_format="oci"|"v2s2"|"v2s1"

Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, or building
container images. By default images pulled and pushed match the format of
the source image. Building/committing defaults to OCI. Note:
image_build_format is deprecated.

image_default_transport="docker://"

Default transport method for pulling and pushing images.

image_parallel_copies=0

Maximum number of image layers to be copied (pulled/pushed) simultaneously.
Not setting this field will fall back to the containers/image defaults (6).

image_volume_mode="bind"

Tells container engines how to handle the builtin image volumes.

       • bind: An anonymous named volume will be created and mounted into
         the container.

       • tmpfs: The volume is mounted onto the container as a tmpfs, which
         allows the users to create content that disappears when the
         container is stopped.

       • ignore: All volumes are just ignored and no action is taken.

infra_command="/pause"

Infra (pause) container image command for pod infra containers. When
running a pod, we start a /pause process in a container to hold open the
namespaces associated with the pod. This container does nothing other than
sleep, reserving the pod's resources for the lifetime of the pod.

infra_image=""

Infra (pause) container image for pod infra containers. When running a pod,
we start a pause process in a container to hold open the namespaces
associated with the pod. This container does nothing other than sleep,
reserving the pod's resources for the lifetime of the pod. By default
container engines run a builtin container using the pause executable. If you
want to override this, specify an image to pull.

lock_type="shm"

Specify the locking mechanism to use; valid values are "shm" and "file".
Change the default only if you are sure of what you are doing; in general
"file" is useful only on platforms where cgo is not available for using the
faster "shm" lock type. You may need to run "podman system renumber" after
you change the lock type.

multi_image_archive=false

Allows for creating archives (e.g., tarballs) with more than one image. Some
container engines, such as Podman, interpret additional arguments as tags
for one image and hence do not store more than one image. The default
behavior can be altered with this option.

namespace=""

Default engine namespace. If the engine is joined to a namespace, it will
see only containers and pods that were created in the same namespace, and
will create new containers and pods in that namespace. The default namespace
is "", which corresponds to no namespace. When no namespace is set, all
containers and pods are visible.

network_cmd_path=""

Path to the slirp4netns binary.

network_cmd_options=[]

Default options to pass to the slirp4netns binary.

Valid option values are:

       • allow_host_loopback=true|false: Allow slirp4netns to reach the host
         loopback IP (10.0.2.2). Default is false.

       • mtu=MTU: Specify the MTU to use for this network. (Default is
         65520).

       • cidr=CIDR: Specify the IP range to use for this network. (Default
         is 10.0.2.0/24).

       • enable_ipv6=true|false: Enable IPv6. Default is true. (Required for
         outbound_addr6).

       • outbound_addr=INTERFACE: Specify the outbound interface slirp
         should bind to (IPv4 traffic only).

       • outbound_addr=IPv4: Specify the outbound IPv4 address slirp should
         bind to.

       • outbound_addr6=INTERFACE: Specify the outbound interface slirp
         should bind to (IPv6 traffic only).

       • outbound_addr6=IPv6: Specify the outbound IPv6 address slirp should
         bind to.

       • port_handler=rootlesskit: Use rootlesskit for port forwarding.
         Default. Note: Rootlesskit changes the source IP address of
         incoming packets to an IP address in the container network
         namespace, usually 10.0.2.100. If your application requires the
         real source IP address, e.g. for web server logs, use the
         slirp4netns port handler. The rootlesskit port handler is also
         used for rootless containers when connected to user-defined
         networks.

       • port_handler=slirp4netns: Use the slirp4netns port forwarding; it
         is slower than rootlesskit but preserves the correct source IP
         address. This port handler cannot be used for user-defined
         networks.

no_pivot_root=false

Whether to use chroot instead of pivot_root in the runtime.

num_locks=2048

Number of locks available for containers and pods. Each created container or
pod consumes one lock. The default number available is 2048. If this is
changed, a lock renumbering must be performed, using the podman system
renumber command.

pod_exit_policy="continue"

Set the exit policy of the pod when the last container exits. Supported
policies are:

       ┌────────────┬────────────────────────────┐
       │Exit Policy │ Description                │
       ├────────────┼────────────────────────────┤
       │continue    │ The pod continues running  │
       │            │ when the last container    │
       │            │ exits. Used by default.    │
       ├────────────┼────────────────────────────┤
       │stop        │ The pod is stopped when    │
       │            │ the last container exits.  │
       │            │ Used in play kube.         │
       └────────────┴────────────────────────────┘

pull_policy="always"|"missing"|"never"

Pull the image before running or creating a container. The default is
missing.

       • missing: attempt to pull the latest image from the registries
         listed in registries.conf if a local image does not exist. Raise
         an error if the image is not in any listed registry and is not
         present locally.

       • always: pull the image from the first registry it is found in as
         listed in registries.conf. Raise an error if not found in the
         registries, even if the image is present locally.

       • never: do not pull the image from the registry, use only the local
         version. Raise an error if the image is not present locally.

remote = false

Indicates whether the application should be running in remote mode. This
flag modifies the --remote option on container engines. Setting the flag to
true will default podman --remote=true for access to the remote Podman
service.

runtime=""

Default OCI runtime. Must refer to a member of the runtimes table. The
default runtime will be searched for on the system using the priority:
"crun", "runc", "kata".

runtime_supports_json=["crun", "runc", "kata", "runsc", "youki", "krun"]

The list of the OCI runtimes that support --format=json.

runtime_supports_kvm=["kata", "krun"]

The list of OCI runtimes that support running containers with KVM
separation.

runtime_supports_nocgroups=["crun", "krun"]

The list of OCI runtimes that support running containers without CGroups.

image_copy_tmp_dir="/var/tmp"

Default location for storing temporary container image content. Can be
overridden with the TMPDIR environment variable. If you specify "storage",
then the location of the container/storage tmp directory will be used. If
set, then it is the user's responsibility to clean up storage. Configure
tmpfiles.d(5) to clean up storage.

service_timeout=5

Number of seconds to wait without a connection before the podman system
service times out and exits.

static_dir="/var/lib/containers/storage/libpod"

Directory for persistent libpod files (database, etc). By default this will
be configured relative to where containers/storage stores containers.

stop_timeout=10

Number of seconds to wait for a container to exit before sending the kill
signal.

exit_command_delay=300

Number of seconds to wait for the API process for the exec call before
sending the exit command, mimicking the Docker behavior of 5 minutes (in
seconds).

tmp_dir="/run/libpod"

The path to a temporary directory to store per-boot container files. Must be
a tmpfs (wiped after reboot).

volume_path="/var/lib/containers/storage/volumes"

Directory where named volumes will be created using the default volume
driver. By default this will be configured relative to where
containers/storage stores containers. This convention is followed by the
default volume driver, but may not be by other drivers.

chown_copied_files=true

Determines whether files copied into a container will have their ownership
changed to the primary uid/gid of the container.

compression_format=""

Specifies the compression format to use when pushing an image. Supported
values are: gzip, zstd and zstd:chunked.

The service_destinations table contains configuration options used to set
up remote connections to the podman service for the podman API.

[service_destinations.{name}]

uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"

URI to access the Podman service.

Example URIs:

       • rootless local - unix://run/user/1000/podman/podman.sock

       • rootless remote -
         ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock

       • rootful local - unix://run/podman/podman.sock

       • rootful remote - ssh://root@10.10.1.136:22/run/podman/podman.sock

identity="~/.ssh/id_rsa"

Path to the file containing the ssh identity key.

[engine.volume_plugins]

A table of all the enabled volume plugins on the system. Volume plugins can
be used as the backend for Podman named volumes. Individual plugins are
specified below, as a map of the plugin name (what the plugin will be
called) to its path (filepath of the plugin's unix socket).

[engine.platform_to_oci_runtime]

Allows end users to switch the OCI runtime on the basis of the container
image's platform string. The following config field contains a map of
platform/string = oci_runtime.

The secret table contains settings for the configuration of the secret
subsystem.

driver=file

Name of the secret driver to be used. Currently valid values are:

       * file
       * pass

[secrets.opts]

The driver specific options object.

The machine table contains configurations for podman machine VMs.

cpus=1

Number of CPUs a machine is created with.

disk_size=10

The size of the disk in GB created when init-ing a podman-machine VM.

image=""

Default image URI when creating a new VM using podman machine init. Options:
On Linux/Mac, testing, stable, next. On Windows, the major version of the
OS (e.g. 36) for Fedora 36. For all platforms you can alternatively specify
a custom download URL to an image. Container engines translate the URI
variables $OS and $ARCH to the native OS and ARCH. The URI
"https://example.com/$OS/$ARCH/foobar.ami" would become
"https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. The
default value is testing on Linux/Mac, and on Windows.

memory=2048

Memory in MB a machine is created with.

user=""

Username to use and create on the podman machine OS for rootless container
access. The default value is user. On Linux/Mac the default is core.

volumes=["$HOME:$HOME"]

Host directories to be mounted as volumes into the VM by default.
Environment variables like $HOME as well as complete paths are supported for
the source and destination. An optional third field :ro can be used to tell
the container engines to mount the volume readonly.

On Mac, the default volumes are: "/Users:/Users", "/private:/private",
"/var/folders:/var/folders"

provider=""

Virtualization provider to be used for running a podman-machine VM. An empty
value is interpreted as the default provider for the current host OS. On
Linux/Mac the default is QEMU and on Windows it is WSL.

containers.conf

Distributions often provide a /usr/share/containers/containers.conf file to
define default container configuration. Administrators can override fields
in this file by creating /etc/containers/containers.conf to specify their
own configuration. Rootless users can further override fields in the config
by creating a config file stored in the
$HOME/.config/containers/containers.conf file.

If the CONTAINERS_CONF path environment variable is set, just this path will
be used. This is primarily used for testing.

Fields specified in the containers.conf file override the default options,
as well as options in previously read containers.conf files.

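The load order described here and in the description at the top of this page
(system file, /etc file, the /etc .d drop-ins in alphanumeric order and only
when they end in .conf, then in rootless mode the $HOME file and its drop-ins,
with CONTAINERS_CONF replacing the whole search) is worked through below,
together with a merge in which a later file overrides an earlier one. This is
an added example, not code from containers.conf(5) or the containers project:
the parser handles only the simplified TOML shown in the FORMAT section, the
order in which the stages are read is this example's reading of the text, and
the "files" are a constructed in-memory dict so the script runs offline.

```python
"""Compute which containers.conf files a container engine reads, in which
order, and merge them so later files override earlier ones.

Added example, not part of containers.conf(5) or the containers project. The
stage order (system file, /etc file and its .d drop-ins, then the rootless
$HOME file and its .d drop-ins) is this example's reading of the page, and
CONTAINERS_CONF replaces the whole search when set. The parser covers only
the simplified TOML of the FORMAT section: one key = value per line with
strings, integers, booleans and single-line string arrays, plus '#' comments.
The files are a constructed in-memory dict of path -> text.
"""
import os
import re


def load_order(present, rootless, home="/home/user", env=None):
    """Return the paths read, lowest precedence first.

    `present` is the set of paths that exist on the host; `env` stands in for
    os.environ so the example stays independent of the real host.
    """
    env = env or {}
    if "CONTAINERS_CONF" in env:
        return [env["CONTAINERS_CONF"]]  # only this path is read
    stages = [("/usr/share/containers/containers.conf", None),
              ("/etc/containers/containers.conf",
               "/etc/containers/containers.conf.d")]
    if rootless:
        stages.append((os.path.join(home, ".config/containers/containers.conf"),
                       os.path.join(home, ".config/containers/containers.conf.d")))
    order = []
    for conf, dropin_dir in stages:
        if conf in present:
            order.append(conf)
        if dropin_dir:
            # drop-ins: only *.conf, in alphanumeric sorted order
            names = sorted(os.path.basename(p) for p in present
                           if os.path.dirname(p) == dropin_dir and p.endswith(".conf"))
            order.extend(os.path.join(dropin_dir, n) for n in names)
    return order


def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        return re.findall(r'"([^"]*)"', raw)
    return int(raw)


def parse_conf(text):
    """Parse the simplified TOML subset into {table: {option: value}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments (no '#' inside strings)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tables.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("bare option outside a table: " + line)
        key, _, raw = line.partition("=")
        tables[current][key.strip()] = _parse_value(raw)
    return tables


def effective_config(files, order):
    """Merge the files in `order`; an option set later overrides an earlier one."""
    merged = {}
    for path in order:
        for table, options in parse_conf(files[path]).items():
            merged.setdefault(table, {}).update(options)
    return merged


# Constructed host: note the drop-in that does not end in .conf.
FILES = {
    "/usr/share/containers/containers.conf":
        '[containers]\npids_limit = 2048\nread_only = false\n'
        '[engine]\ncgroup_manager = "systemd"\n',
    "/etc/containers/containers.conf":
        '[containers]\npids_limit = 1024  # admin override\n',
    "/etc/containers/containers.conf.d/05-site.conf":
        '[containers]\npids_limit = 512\n',
    "/etc/containers/containers.conf.d/10-hardening.conf":
        '[containers]\nread_only = true\n'
        'default_capabilities = ["CHOWN", "SETGID", "SETUID"]\n',
    "/etc/containers/containers.conf.d/notes.txt": "ignored, wrong suffix\n",
    "/home/user/.config/containers/containers.conf":
        '[containers]\npids_limit = 256\n',
}

if __name__ == "__main__":
    for rootless in (False, True):
        order = load_order(set(FILES), rootless)
        print(("rootless" if rootless else "rootful") + " load order:")
        for path in order:
            print("  " + path)
        print("  effective [containers]:", effective_config(FILES, order)["containers"])
```

The rootful run ends with pids_limit = 512 from 05-site.conf even though
10-hardening.conf is read later, because that file never sets pids_limit; the
rootless run ends with 256 because the user's file is read last. That is the
property to keep in mind when a drop-in is meant to enforce a limit: a file
read later, including one a rootless user controls, can override it.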
storage.conf

The /etc/containers/storage.conf file is the default storage configuration
file. Rootless users can override fields in the storage config by creating
$HOME/.config/containers/storage.conf.

If the CONTAINERS_STORAGE_CONF path environment variable is set, this path
is used for the storage.conf file rather than the default. This is primarily
used for testing.

containers-storage.conf(5), containers-policy.json(5),
containers-registries.conf(5), tmpfiles.d(5)
