1podman-pod-clone(1)         General Commands Manual        podman-pod-clone(1)
2
3
4

NAME

6       podman-pod-clone - Creates a copy of an existing pod
7
8

SYNOPSIS

10       podman pod clone [options] pod name
11
12

DESCRIPTION

14       podman pod clone creates a copy of a pod, recreating the identical con‐
15       fig for the pod and for all of its containers.  Users  can  modify  the
16       pods new name and select pod details within the infra container
17
18

OPTIONS

20   --blkio-weight=weight
21       Block IO relative weight. The weight is a value between 10 and 1000.
22
23
24       This option is not supported on cgroups V1 rootless systems.
25
26
27   --blkio-weight-device=device:weight
28       Block IO relative device weight.
29
30
31   --cgroup-parent=path
32       Path  to cgroups under which the cgroup for the pod will be created. If
33       the path is not absolute, the path is considered to be relative to  the
34       cgroups  path  of  the init process. Cgroups will be created if they do
35       not already exist.
36
37
38   --cpu-shares, -c=shares
39       CPU shares (relative weight).
40
41
42       By default, all containers get the same proportion of CPU cycles.  This
43       proportion  can  be  modified  by  changing  the  container's CPU share
44       weighting relative to the combined weight of all the  running  contain‐
45       ers.  Default weight is 1024.
46
47
48       The  proportion  will  only apply when CPU-intensive processes are run‐
49       ning.  When tasks in one container are idle, other containers  can  use
50       the left-over CPU time. The actual amount of CPU time will vary depend‐
51       ing on the number of containers running on the system.
52
53
54       For example, consider three containers, one has a cpu-share of 1024 and
55       two others have a cpu-share setting of 512. When processes in all three
56       containers attempt to use 100% of CPU, the first  container  would  re‐
57       ceive  50% of the total CPU time. If a fourth container is added with a
58       cpu-share of 1024, the first container only gets 33% of  the  CPU.  The
59       remaining containers receive 16.5%, 16.5% and 33% of the CPU.
60
61
62       On a multi-core system, the shares of CPU time are distributed over all
63       CPU cores. Even if a container is limited to  less  than  100%  of  CPU
64       time, it can use 100% of each individual CPU core.
65
66
67       For example, consider a system with more than three cores.  If the con‐
68       tainer C0 is started with --cpu-shares=512 running one process, and an‐
69       other  container  C1 with --cpu-shares=1024 running two processes, this
70       can result in the following division of CPU shares:
71
72
73       ┌────┬───────────┬─────┬──────────────┐
74PID container CPU CPU share    
75       ├────┼───────────┼─────┼──────────────┤
76       │100 │ C0        │ 0   │ 100% of CPU0 │
77       ├────┼───────────┼─────┼──────────────┤
78       │101 │ C1        │ 1   │ 100% of CPU1 │
79       ├────┼───────────┼─────┼──────────────┤
80       │102 │ C1        │ 2   │ 100% of CPU2 │
81       └────┴───────────┴─────┴──────────────┘
82
83       On some systems, changing the resource limits may not  be  allowed  for
84       non-root  users.  For  more  details,  see  https://github.com/contain
85       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
86       source-limits-fails-with-a-permissions-error
87
88
89       This option is not supported on cgroups V1 rootless systems.
90
91
92   --cpus
93       Set  a  number of CPUs for the pod that overrides the original pods CPU
94       limits. If none are specified, the original pod's Nano CPUs are used.
95
96
97   --cpuset-cpus=number
98       CPUs in which to allow execution. Can be specified as a comma-separated
99       list  (e.g.  0,1),  as  a  range (e.g. 0-3), or any combination thereof
100       (e.g. 0-3,7,11-15).
101
102
103       On some systems, changing the resource limits may not  be  allowed  for
104       non-root  users.  For  more  details,  see  https://github.com/contain
105       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
106       source-limits-fails-with-a-permissions-error
107
108
109       This option is not supported on cgroups V1 rootless systems.
110
111
112       If none are specified, the original pod's CPUset is used.
113
114
115   --cpuset-mems=nodes
116       Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
117       tive on NUMA systems.
118
119
120       If there are four memory nodes  on  the  system  (0-3),  use  --cpuset-
121       mems=0,1  then processes in the container will only use memory from the
122       first two memory nodes.
123
124
125       On some systems, changing the resource limits may not  be  allowed  for
126       non-root  users.  For  more  details,  see  https://github.com/contain
127       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
128       source-limits-fails-with-a-permissions-error
129
130
131       This option is not supported on cgroups V1 rootless systems.
132
133
134   --destroy
135       Remove the original pod that we are cloning once used to mimic the con‐
136       figuration.
137
138
139   --device=host-device[:container-device][:permissions]
140       Add a host device to the pod. Optional  permissions  parameter  can  be
141       used  to  specify  device  permissions  by  combining r for read, w for
142       write, and m for mknod(2).
143
144
145       Example: --device=/dev/sdc:/dev/xvdc:rwm.
146
147
148       Note: if host-device is a symbolic link then it will be resolved first.
149       The pod will only store the major and minor numbers of the host device.
150
151
152       Podman may load kernel modules required for using the specified device.
153       The devices that Podman will  load  modules  for  when  necessary  are:
154       /dev/fuse.
155
156
157       In  rootless mode, the new device is bind mounted in the container from
158       the host rather than Podman creating it within the container space. Be‐
159       cause  the bind mount retains its SELinux label on SELinux systems, the
160       container can get permission denied when accessing the mounted  device.
161       Modify  SELinux  settings  to allow containers to use all device labels
162       via the following command:
163
164
165       $ sudo setsebool -P  container_use_devices=true
166
167
168       Note: the pod implements devices by storing the  initial  configuration
169       passed by the user and recreating the device on each container added to
170       the pod.
171
172
173   --device-read-bps=path:rate
174       Limit read rate (in bytes per second) from  a  device  (e.g.  --device-
175       read-bps=/dev/sda:1mb).
176
177
178       On  some  systems,  changing the resource limits may not be allowed for
179       non-root  users.  For  more  details,  see  https://github.com/contain
180       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
181       source-limits-fails-with-a-permissions-error
182
183
184       This option is not supported on cgroups V1 rootless systems.
185
186
187   --device-write-bps=path:rate
188       Limit write rate (in bytes per second)  to  a  device  (e.g.  --device-
189       write-bps=/dev/sda:1mb).
190
191
192       On  some  systems,  changing the resource limits may not be allowed for
193       non-root  users.  For  more  details,  see  https://github.com/contain
194       ers/podman/blob/main/troubleshooting.md#26-running-containers-with-re‐
195       source-limits-fails-with-a-permissions-error
196
197
198       This option is not supported on cgroups V1 rootless systems.
199
200
201   --gidmap=pod_gid:host_gid:amount
202       GID map for the user namespace. Using this flag will run all containers
203       in the pod with user namespace enabled.  It conflicts with the --userns
204       and --subgidname flags.
205
206
207   --help, -h
208       Print usage statement.
209
210
211   --hostname=name
212       Set a hostname to the pod.
213
214
215   --infra-command=command
216       The command that will be run to start  the  infra  container.  Default:
217       "/pause".
218
219
220   --infra-conmon-pidfile=file
221       Write  the  pid  of  the infra container's conmon process to a file. As
222       conmon runs in a separate process than Podman, this is  necessary  when
223       using systemd to manage Podman containers and pods.
224
225
226   --infra-name=name
227       The name that will be used for the pod's infra container.
228
229
230   --label, -l=key=value
231       Add metadata to a pod.
232
233
234   --label-file=file
235       Read in a line-delimited file of labels.
236
237
238   --memory, -m=number[unit]
239       Memory limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or
240       g (gibibytes).
241
242
243       Allows the memory available to a container to be  constrained.  If  the
244       host  supports  swap  memory,  then the -m memory setting can be larger
245       than physical RAM. If a limit of 0 is specified  (not  using  -m),  the
246       container's  memory  is not limited. The actual limit may be rounded up
247       to a multiple of the operating system's page size (the value  would  be
248       very large, that's millions of trillions).
249
250
251       This option is not supported on cgroups V1 rootless systems.
252
253
254   --memory-swap=number[unit]
255       A  limit  value  equal to memory plus swap.  A unit can be b (bytes), k
256       (kibibytes), m (mebibytes), or g (gibibytes).
257
258
259       Must be used with the -m (--memory) flag.  The  argument  value  should
260       always be larger than that of
261        -m (--memory) By default, it is set to double the value of --memory.
262
263
264       Set number to -1 to enable unlimited swap.
265
266
267       This option is not supported on cgroups V1 rootless systems.
268
269
270   --name, -n
271       Set  a  custom name for the cloned pod. The default if not specified is
272       of the syntax: -clone
273
274
275   --pid=pid
276       Set the PID mode for the pod. The default is to create  a  private  PID
277       namespace  for  the  pod.  Requires  the PID namespace to be shared via
278       --share.
279
280
281              host: use the host’s PID namespace for the pod
282              ns: join the specified PID namespace
283              private: create a new namespace for the pod (default)
284
285
286
287   --security-opt=option
288       Security Options
289
290
291apparmor=unconfined : Turn off apparmor  confinement  for  the
292                pod
293
294apparmor=your-profile  :  Set the apparmor confinement profile
295                for the pod
296
297label=user:USER     : Set the label user for the pod processes
298
299label=role:ROLE     : Set the label role for the pod processes
300
301label=type:TYPE     : Set the label process type for  the  pod
302                processes
303
304label=level:LEVEL    :  Set  the  label level for the pod pro‐
305                cesses
306
307label=filetype:TYPE : Set the label  file  type  for  the  pod
308                files
309
310label=disable       : Turn off label separation for the pod
311
312
313
314       Note:  Labeling  can be disabled for all pods/containers by setting la‐
315       bel=false in the  containers.conf  (/etc/containers/containers.conf  or
316       $HOME/.config/containers/containers.conf) file.
317
318
319mask=/path/1:/path/2 : The paths to mask separated by a colon.
320                A masked path cannot be accessed inside the containers  within
321                the pod.
322
323no-new-privileges  :  Disable container processes from gaining
324                additional privileges.
325
326seccomp=unconfined : Turn off seccomp confinement for the pod
327
328seccomp=profile.json :  Whitelisted syscalls seccomp Json file
329                to be used as a seccomp filter
330
331proc-opts=OPTIONS : Comma-separated list of options to use for
332                the /proc mount. More details for the possible  mount  options
333                are specified in the proc(5) man page.
334
335unmask=ALL   or   /path/1:/path/2,  or  shell  expanded  paths
336                (/proc/*): Paths to unmask separated by a  colon.  If  set  to
337                ALL,  it  will  unmask  all  the paths that are masked or made
338                read-only  by  default.   The   default   masked   paths   are
339                /proc/acpi,   /proc/kcore,   /proc/keys,  /proc/latency_stats,
340                /proc/sched_debug,        /proc/scsi,        /proc/timer_list,
341                /proc/timer_stats,  /sys/firmware,  and  /sys/fs/selinux.  The
342                default paths that are read-only are /proc/asound,  /proc/bus,
343                /proc/fs,     /proc/irq,    /proc/sys,    /proc/sysrq-trigger,
344                /sys/fs/cgroup.
345
346
347
348       Note: Labeling can be  disabled  for  all  containers  by  setting  la‐
349       bel=false  in  the  containers.conf (/etc/containers/containers.conf or
350       $HOME/.config/containers/containers.conf) file.
351
352
353   --shm-size=number[unit]
354       Size  of  /dev/shm.  A  unit  can  be  b  (bytes),  k  (kibibytes),   m
355       (mebibytes), or g (gibibytes).  If the unit is omitted, the system uses
356       bytes. If the size is omitted, the default is 64m.   When  size  is  0,
357       there  is  no  limit  on  the amount of memory used for IPC by the pod.
358       This option conflicts with --ipc=host.
359
360
361   --start
362       When set to true, this flag starts the  newly  created  pod  after  the
363       clone process has completed. All containers within the pod are started.
364
365
366   --subgidname=name
367       Run  the  container  in a new user namespace using the map with name in
368       the /etc/subgid file.  If running rootless, the user needs to have  the
369       right  to  use  the  mapping.  See subgid(5).  This flag conflicts with
370       --userns and --gidmap.
371
372
373   --subuidname=name
374       Run the container in a new user namespace using the map  with  name  in
375       the  /etc/subuid file.  If running rootless, the user needs to have the
376       right to use the mapping. See  subuid(5).   This  flag  conflicts  with
377       --userns and --uidmap.
378
379
380   --sysctl=name=value
381       Configure namespaced kernel parameters for all containers in the pod.
382
383
384       For the IPC namespace, the following sysctls are allowed:
385
386
387              • kernel.msgmax
388
389              • kernel.msgmnb
390
391              • kernel.msgmni
392
393              • kernel.sem
394
395              • kernel.shmall
396
397              • kernel.shmmax
398
399              • kernel.shmmni
400
401              • kernel.shm_rmid_forced
402
403              • Sysctls beginning with fs.mqueue.*
404
405
406
407       Note:  if  the  ipc  namespace  is not shared within the pod, the above
408       sysctls are not allowed.
409
410
411       For the network namespace, only sysctls beginning with  net.*  are  al‐
412       lowed.
413
414
415       Note:  if the network namespace is not shared within the pod, the above
416       sysctls are not allowed.
417
418
419   --uidmap=container_uid:from_uid:amount
420       Run all containers in the pod in a new user namespace  using  the  sup‐
421       plied mapping. This option conflicts with the --userns and --subuidname
422       options. This option provides a way to map host UIDs to container UIDs.
423       It can be passed several times to map different ranges.
424
425
426   --userns=mode
427       Set  the  user  namespace  mode for all the containers in a pod. It de‐
428       faults to the PODMAN_USERNS environment variable. An empty  value  ("")
429       means user namespaces are disabled.
430
431
432       Rootless user --userns=Key mappings:
433
434
435       ┌────────┬───────────┬─────────────────────┐
436Key     Host User Container User      
437       ├────────┼───────────┼─────────────────────┤
438       │""      │ $UID      │ 0 (Default User ac‐ │
439       │        │           │ count   mapped   to │
440       │        │           │ root  user  in con‐ │
441       │        │           │ tainer.)            │
442       ├────────┼───────────┼─────────────────────┤
443       │keep-id │ $UID      │ $UID (Map user  ac‐ │
444       │        │           │ count  to  same UID │
445       │        │           │ within container.)  │
446       ├────────┼───────────┼─────────────────────┤
447       │auto    │ $UID      │ nil (Host User  UID │
448       │        │           │ is  not mapped into │
449       │        │           │ container.)         │
450       ├────────┼───────────┼─────────────────────┤
451       │nomap   │ $UID      │ nil (Host User  UID │
452       │        │           │ is  not mapped into │
453       │        │           │ container.)         │
454       └────────┴───────────┴─────────────────────┘
455
456       Valid mode values are:
457
458
459auto[:OPTIONS,...]: automatically create a  namespace.  It  is
460                possible to specify these options to auto:
461
462gidmapping=_CONTAINER_GID:HOSTGID:SIZE  to force a GID mapping
463                to be present in the user namespace.
464
465size=SIZE: to specify an explicit size for the automatic  user
466                namespace. e.g. --userns=auto:size=8192. If size is not speci‐
467                fied, auto will estimate a size for the user namespace.
468
469uidmapping=_CONTAINER_UID:HOSTUID:SIZE to force a UID  mapping
470                to be present in the user namespace.
471
472host:  run  in the user namespace of the caller. The processes
473                running in the container will have the same privileges on  the
474                host  as  any  other process launched by the calling user (de‐
475                fault).
476
477keep-id: creates a user namespace where the  current  rootless
478                user's UID:GID are mapped to the same values in the container.
479                This option is not allowed for containers created by the  root
480                user.
481
482nomap:  creates  a  user  namespace where the current rootless
483                user's UID:GID are not mapped into the container. This  option
484                is not allowed for containers created by the root user.
485
486
487
488   --uts=mode
489       Set  the  UTS namespace mode for the pod. The following values are sup‐
490       ported:
491
492
493host: use the host's UTS namespace inside the pod.
494
495private: create a new namespace for the pod (default).
496
497ns:[path]: run the pod in the given existing UTS namespace.
498
499
500
501   --volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]
502       Create a bind mount. If -v /HOST-DIR:/CONTAINER-DIR is specified,  Pod‐
503       man bind mounts /HOST-DIR from the host into /CONTAINER-DIR in the Pod‐
504       man container. Similarly, -v  SOURCE-VOLUME:/CONTAINER-DIR  will  mount
505       the  named  volume  from  the host into the container. If no such named
506       volume exists, Podman will create one. If no source is given, the  vol‐
507       ume will be created as an anonymously named volume with a randomly gen‐
508       erated name, and will be removed when the pod is removed via  the  --rm
509       flag or the podman rm --volumes command.
510
511
512       (Note  when using the remote client, including Mac and Windows (exclud‐
513       ing WSL2) machines, the volumes will be mounted from the remote server,
514       not necessarily the client machine.)
515
516
517       The OPTIONS is a comma-separated list and can be: [1] ⟨#Footnote1⟩
518
519
520rw|ro
521
522z|Z
523
524              • [O]
525
526              • [U]
527
528              • [no]copy
529
530              • [no]dev
531
532              • [no]exec
533
534              • [no]suid
535
536              • [r]bind
537
538              • [r]shared|[r]slave|[r]private[r]unbindable
539
540
541
542       The  CONTAINER-DIR must be an absolute path such as /src/docs. The vol‐
543       ume will be mounted into the container at this directory.
544
545
546       If a volume source is specified, it must be a path on the host  or  the
547       name  of a named volume. Host paths are allowed to be absolute or rela‐
548       tive; relative paths are resolved relative to the directory  Podman  is
549       run  in.  If  the  source  does not exist, Podman will return an error.
550       Users must pre-create the source files or directories.
551
552
553       Any source that does not begin with a . or / will  be  treated  as  the
554       name  of  a named volume. If a volume with that name does not exist, it
555       will be created.  Volumes created with names  are  not  anonymous,  and
556       they  are  not  removed  by the --rm option and the podman rm --volumes
557       command.
558
559
560       Specify multiple -v options to mount one or more volumes into a pod.
561
562
563       Write Protected Volume Mounts
564
565
566       Add :ro or :rw option to mount a  volume  in  read-only  or  read-write
567       mode,  respectively.  By  default,  the volumes are mounted read-write.
568       See examples.
569
570
571       Chowning Volume Mounts
572
573
574       By default, Podman does not change the owner and group of source volume
575       directories  mounted into containers. If a pod is created in a new user
576       namespace, the UID and GID in the container may correspond  to  another
577       UID and GID on the host.
578
579
580       The :U suffix tells Podman to use the correct host UID and GID based on
581       the UID and GID within the pod, to change  recursively  the  owner  and
582       group of the source volume.
583
584
585       Warning use with caution since this will modify the host filesystem.
586
587
588       Labeling Volume Mounts
589
590
591       Labeling  systems like SELinux require that proper labels are placed on
592       volume content mounted into a pod. Without a label, the security system
593       might  prevent the processes running inside the pod from using the con‐
594       tent. By default, Podman does not change the labels set by the OS.
595
596
597       To change a label in the pod context, add either of two suffixes :z  or
598       :Z  to the volume mount. These suffixes tell Podman to relabel file ob‐
599       jects on the shared volumes. The z option tells Podman  that  two  pods
600       share the volume content. As a result, Podman labels the content with a
601       shared content label. Shared volume  labels  allow  all  containers  to
602       read/write  content.   The  Z  option tells Podman to label the content
603       with a private unshared label.  Only the current pod can use a  private
604       volume.
605
606
607       Note:  Do  not  relabel system files and directories. Relabeling system
608       content might cause other confined services on your  machine  to  fail.
609       For  these  types  of containers we recommend disabling SELinux separa‐
610       tion.  The option --security-opt label=disable disables SELinux separa‐
611       tion  for  the pod.  For example if a user wanted to volume mount their
612       entire home directory into a pod, they need to disable SELinux  separa‐
613       tion.
614
615
616                 $ podman pod clone --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
617
618
619
620       Overlay Volume Mounts
621
622
623       The :O flag tells Podman to mount the directory from the host as a tem‐
624       porary storage using the overlay file system.  The  pod  processes  can
625       modify  content  within the mountpoint which is stored in the container
626       storage in a separate directory. In overlay terms, the source directory
627       will  be the lower, and the container storage directory will be the up‐
628       per. Modifications to the mount point are destroyed when the  pod  fin‐
629       ishes executing, similar to a tmpfs mount point being unmounted.
630
631
632       For  advanced  users,  the  overlay  option  also  supports custom non-
633       volatile upperdir and workdir for the overlay  mount.  Custom  upperdir
634       and  workdir  can  be fully managed by the users themselves, and Podman
635       will  not  remove  it  on   lifecycle   completion.    Example   :O,up‐
636       perdir=/some/upper,workdir=/some/work
637
638
639       Subsequent executions of the container will see the original source di‐
640       rectory content, any changes from previous pod executions no longer ex‐
641       ist.
642
643
644       One use case of the overlay mount is sharing the package cache from the
645       host into the container to allow speeding up builds.
646
647
648       Note:
649
650
651               - The `O` flag conflicts with other options listed above.
652
653
654
655       Content mounted into the container is labeled with the private label.
656              On SELinux systems, labels in the source directory must be read‐
657       able by the pod infra container label. Usually containers can read/exe‐
658       cute container_share_t and can read/write container_file_t.  If  unable
659       to  change  the labels on a source volume, SELinux container separation
660       must be disabled for the pod or infra container to work.
661            - The source directory mounted into the pod with an overlay  mount
662       should  not be modified, it can cause unexpected failures. It is recom‐
663       mended to not modify the directory until the  container  finishes  run‐
664       ning.
665
666
667       Mounts propagation
668
669
670       By default bind mounted volumes are private. That means any mounts done
671       inside the pod will not be visible on host  and  vice  versa.  One  can
672       change this behavior by specifying a volume mount propagation property.
673       Making a volume shared mounts done under that  volume  inside  the  pod
674       will  be  visible on host and vice versa. Making a volume slave enables
675       only one way mount propagation and that is mounts done  on  host  under
676       that  volume  will  be  visible  inside container but not the other way
677       around. [1] ⟨#Footnote1⟩
678
679
680       To control mount propagation property of  a  volume  one  can  use  the
681       [r]shared,  [r]slave, [r]private or the [r]unbindable propagation flag.
682       Propagation property can be specified only for bind mounted volumes and
683       not  for  internal  volumes  or named volumes. For mount propagation to
684       work the source mount point  (the  mount  point  where  source  dir  is
685       mounted  on)  has  to have the right propagation properties. For shared
686       volumes, the source mount point has to be shared. And  for  slave  vol‐
687       umes,  the  source  mount  point has to be either shared or slave.  [1]
688       ⟨#Footnote1⟩
689
690
691       To recursively mount a volume and all of its submounts into a pod,  use
692       the  rbind option. By default the bind option is used, and submounts of
693       the source directory will not be mounted into the pod.
694
695
696       Mounting the volume with the nosuid options means  that  SUID  applica‐
697       tions  on the volume will not be able to change their privilege. By de‐
698       fault volumes are mounted with nosuid.
699
700
701       Mounting the volume with the noexec option means that no executables on
702       the volume will be able to be executed within the pod.
703
704
705       Mounting  the volume with the nodev option means that no devices on the
706       volume will be able to be used by processes within the pod. By  default
707       volumes are mounted with nodev.
708
709
710       If  the HOST-DIR is a mount point, then dev, suid, and exec options are
711       ignored by the kernel.
712
713
714       Use df HOST-DIR to figure out the source mount,  then  use  findmnt  -o
715       TARGET,PROPAGATION  source-mount-dir  to figure out propagation proper‐
716       ties of source mount. If findmnt(1) utility is not available, then  one
717       can   look   at   the  mount  entry  for  the  source  mount  point  in
718       /proc/self/mountinfo. Look at the "optional  fields"  and  see  if  any
719       propagation  properties  are  specified.   In there, shared:N means the
720       mount is shared, master:N means mount  is  slave,  and  if  nothing  is
721       there, the mount is private. [1] ⟨#Footnote1⟩
722
723
724       To  change  propagation  properties of a mount point, use mount(8) com‐
725       mand. For example, if one wants to bind mount  source  directory  /foo,
726       one  can  do  mount  --bind  /foo /foo and mount --make-private --make-
727       shared /foo. This will convert /foo into a shared mount point. Alterna‐
728       tively, one can directly change propagation properties of source mount.
729       Say / is source mount for /foo, then use mount --make-shared / to  con‐
730       vert / into a shared mount.
731
732
733       Note:  if  the  user  only has access rights via a group, accessing the
734       volume from inside a rootless pod will fail.
735
736
737   --volumes-from=CONTAINER[:OPTIONS]
738       Mount volumes from the specified container(s). Used  to  share  volumes
739       between containers and pods. The options is a comma-separated list with
740       the following available elements:
741
742
743rw|ro
744
745z
746
747
748
749       Mounts already mounted volumes from a  source  container  onto  another
750       pod.  CONTAINER may be a name or ID.  To share a volume, use the --vol‐
751       umes-from option when running the  target  container.  Volumes  can  be
752       shared even if the source container is not running.
753
754
755       By  default,  Podman mounts the volumes in the same mode (read-write or
756       read-only) as it is mounted in  the  source  container.   This  can  be
757       changed by adding a ro or rw option.
758
759
760       Labeling  systems like SELinux require that proper labels are placed on
761       volume content mounted into a pod. Without a label, the security system
762       might prevent the processes running inside the container from using the
763       content. By default, Podman does not change the labels set by the OS.
764
765
766       To change a label in the pod context, add z to the volume mount.   This
767       suffix  tells Podman to relabel file objects on the shared volumes. The
768       z option tells Podman that two entities share the volume content. As  a
769       result,  Podman  labels the content with a shared content label. Shared
770       volume labels allow all containers to read/write content.
771
772
773       If the location of the volume from the source container  overlaps  with
774       data  residing  on a target pod, then the volume hides that data on the
775       target.
776
777

EXAMPLES

779              # podman pod clone pod-name
780              6b2c73ff8a1982828c9ae2092954bcd59836a131960f7e05221af9df5939c584
781
782
783
784              # podman pod clone --name=cloned-pod
785              d0cf1f782e2ed67e8c0050ff92df865a039186237a4df24d7acba5b1fa8cc6e7
786              6b2c73ff8a1982828c9ae2092954bcd59836a131960f7e05221af9df5939c584
787
788
789
790              # podman pod clone --destroy --cpus=5 d0cf1f782e2ed67e8c0050ff92df865a039186237a4df24d7acba5b1fa8cc6e7
791              6b2c73ff8a1982828c9ae2092954bcd59836a131960f7e05221af9df5939c584
792
793
794
795              # podman pod clone 2d4d4fca7219b4437e0d74fcdc272c4f031426a6eacd207372691207079551de new_name
796              5a9b7851013d326aa4ac4565726765901b3ecc01fcbc0f237bc7fd95588a24f9
797
798
799

SEE ALSO

801       podman-pod-create(1)
802
803

HISTORY

805       May  2022,  Originally  written  by  Charlie  Doern   cdoern@redhat.com
806       ⟨mailto:cdoern@redhat.com⟩
807
808

FOOTNOTES

810       1: The Podman project is committed to inclusivity, a core value of open
811       source. The master and slave mount propagation terminology used here is
812       problematic  and  divisive, and should be changed. However, these terms
813       are currently used within the Linux kernel and must be  used  as-is  at
814       this  time. When the kernel maintainers rectify this usage, Podman will
815       follow suit immediately.
816
817
818
819                                                           podman-pod-clone(1)
Impressum