podman(1) General Commands Manual podman(1)

NAME
podman - Simple management tool for pods, containers and images

SYNOPSIS
podman [options] command

DESCRIPTION
Podman (Pod Manager) is a fully featured container engine that is a
simple daemonless tool. Podman provides a Docker-CLI comparable command
line that eases the transition from other container engines and allows
the management of pods, containers and images. Simply put: alias
docker=podman. Most Podman commands can be run as a regular user,
without requiring additional privileges.

Podman uses Buildah(1) internally to create container images. Both
tools share image (not container) storage, hence each can use or
manipulate images (but not containers) created by the other.

Default settings for flags are defined in containers.conf. Most
settings for remote connections use the server's containers.conf,
except where a man page documents otherwise.

podman [GLOBAL OPTIONS]

GLOBAL OPTIONS
--cgroup-manager=manager
The cgroup manager to use for container cgroups. Supported values are
cgroupfs or systemd. Default is systemd unless overridden in the
containers.conf file.

Note: Setting this flag can cause certain commands to break when called
on containers previously created by the other cgroup manager type.
Note: The cgroup manager setting is not supported in rootless mode when
using cgroups v1.

--conmon
Path of the conmon binary (the default path is configured in
containers.conf).

--connection, -c
Connection to use for remote podman, including Mac and Windows
(excluding WSL2) machines. The default connection is configured in
containers.conf. Setting this option switches the --remote option to
true. Remote connections use the local containers.conf for defaults.

--events-backend=type
Backend to use for storing events. Allowed values are file, journald,
and none. When file is specified, the events are stored under
<tmpdir>/events/events.log (see --tmpdir below).

--help, -h
Print usage statement

--hooks-dir=path
Each *.json file in the path configures a hook for Podman containers.
For more details on the syntax of the JSON files and the semantics of
hook injection, see oci-hooks(5). Podman and libpod currently support
both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is
deprecated.

This option may be set multiple times; paths from later options have
higher precedence (oci-hooks(5) discusses directory precedence).

For the annotation conditions, libpod uses any annotations set in the
generated OCI configuration.

For the bind-mount conditions, only mounts explicitly requested by the
caller via --volume are considered. Bind mounts that libpod inserts by
default (e.g. /dev/shm) are not considered.

If --hooks-dir is unset for root callers, Podman and libpod currently
default to /usr/share/containers/oci/hooks.d and
/etc/containers/oci/hooks.d in order of increasing precedence. Using
these defaults is deprecated. Migrate to explicitly setting --hooks-dir.

Podman and libpod currently support an additional precreate state which
is called before the runtime's create operation. Unlike the other
stages, which receive the container state on their standard input,
precreate hooks receive the proposed runtime configuration on their
standard input. They may alter that configuration as they see fit, and
write the altered form to their standard output.

WARNING: the precreate hook allows powerful changes to occur, such as
adding additional mounts to the runtime configuration. That power also
makes it easy to break things. Hook programs are executed with the
privileges of the user running Podman (root for rootful containers), so
a hooks directory must only be writable by trusted users. Before
reporting libpod errors, try running a container with precreate hooks
disabled to see if the problem is due to one of the hooks.

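The following is an added example, not code from the podman man page or the podman project: a precreate hook of the kind described above. It reads the proposed OCI runtime configuration on standard input and writes the altered configuration to standard output, adding a read-only bind mount when the container carries an annotation. The hook path, the annotation key io.example.ro-bind and the allowed source tree /srv/shared/ are assumptions chosen for illustration.

```python
# Added example, not code from the podman man page or project: a precreate
# hook of the kind oci-hooks(5) describes.  It reads the proposed OCI runtime
# configuration on stdin and writes the altered configuration to stdout,
# adding a read-only bind mount when the container carries an annotation.
# The hook path, annotation name and allowed source tree are assumptions.
import json
import sys

# Hypothetical hooks.d/*.json entry (1.0.0 schema) that wires this script in.
HOOK_JSON = r"""{
  "version": "1.0.0",
  "hook": {"path": "/usr/local/libexec/oci-hooks/ro-bind-hook",
           "args": ["ro-bind-hook"]},
  "when": {"annotations": {"^io\\.example\\.ro-bind$": "^/.+$"}},
  "stages": ["precreate"]
}"""

ANNOTATION = "io.example.ro-bind"   # assumed annotation key
ALLOWED_PREFIX = "/srv/shared/"      # assumed: the only host tree we will expose


def hook_definition() -> dict:
    """Parsed form of HOOK_JSON (what podman would load from --hooks-dir)."""
    return json.loads(HOOK_JSON)


def precreate(config: dict) -> dict:
    """Return a copy of the runtime config with an extra read-only bind mount
    when the annotation is present; otherwise return the config unchanged."""
    new = json.loads(json.dumps(config))  # deep copy: never mutate the input
    src = new.get("annotations", {}).get(ANNOTATION)
    if src is None:
        return new
    # The hook runs with Podman's own privileges, so an annotation must not be
    # able to mount arbitrary host paths: constrain the source to one tree and
    # reject path traversal.
    if not src.startswith(ALLOWED_PREFIX) or ".." in src.split("/"):
        raise ValueError(f"refusing bind source outside {ALLOWED_PREFIX}: {src}")
    mount = {
        "destination": src,                 # same path inside the container
        "type": "bind",
        "source": src,
        "options": ["bind", "ro", "nosuid", "nodev"],
    }
    new.setdefault("mounts", []).append(mount)
    return new


def main() -> int:
    # Stage contract from the man page: config on stdin, altered form on stdout.
    json.dump(precreate(json.load(sys.stdin)), sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it, place HOOK_JSON as a *.json file in a directory passed with --hooks-dir, install the script at the path it names, and start a container with --annotation io.example.ro-bind=/srv/shared/data. Without the annotation the when clause keeps the hook from being invoked at all, and an annotation pointing outside the allowed tree makes the hook fail rather than mount the path.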
--identity=path
Path to the ssh identity file. If the identity file has been encrypted,
podman prompts the user for the passphrase. If no identity file is
provided and no user is given, podman defaults to the user running the
podman command. Podman prompts for the login password on the remote
server.

Identity value resolution precedence:
- command line value
- environment variable CONTAINER_SSHKEY, if CONTAINER_HOST is found
- containers.conf (remote connections use the local containers.conf
  for the default)

--imagestore=path
Path of the imagestore where images are stored. By default, the storage
library stores all the images in the graphroot, but if an imagestore is
provided, then the storage library stores newly pulled images in the
provided imagestore and keeps using the graphroot for everything else.
If the user is using the overlay driver, then the images which were
already part of the graphroot are still accessible.

This overrides the imagestore option in containers-storage.conf(5);
refer to containers-storage.conf(5) for more details.

--log-level=level
Log messages at and above the specified level: debug, info, warn,
error, fatal or panic (default: warn)

--module=path
Load the specified containers.conf(5) module. Can be an absolute or
relative path. Please refer to containers.conf(5) for details.

This feature is not supported on the remote client, including Mac and
Windows (excluding WSL2) machines.

--network-cmd-path=path
Path to the slirp4netns(1) command binary to use for setting up a
slirp4netns network. If "" is used, then the binary is first searched
for using the helper_binaries_dir option in containers.conf, and second
using the $PATH environment variable. Note: This option is deprecated
and will be removed with Podman 5.0. Use the helper_binaries_dir option
in containers.conf instead.

--network-config-dir=directory
Path to the directory where network configuration files are located.
For the netavark backend "/etc/containers/networks" is used as root and
"$graphroot/networks" as rootless. For the CNI backend the default is
"/etc/cni/net.d" as root and "$HOME/.config/cni/net.d" as rootless. CNI
is deprecated and will be removed from Podman in a future release; use
netavark.

--out=path
Redirect the output of podman to the specified path without affecting
the container output or its logs. This parameter can be used to capture
the output from any of podman's commands directly into a file and to
suppress podman's output by specifying /dev/null as the path. To
explicitly disable the container logging, use the --log-driver option.

--remote, -r
When true, access to the Podman service is remote. Defaults to false.
Settings can be modified in the containers.conf file. If the
CONTAINER_HOST environment variable is set, the --remote option defaults
to true.

--root=value
Storage root dir in which data, including images, is stored (default:
"/var/lib/containers/storage" for UID 0,
"$HOME/.local/share/containers/storage" for other users). The default
root dir is configured in containers-storage.conf(5).

Overriding this option causes the storage-opt settings in
containers-storage.conf(5) to be ignored. The user must specify
additional options via the --storage-opt flag.

--runroot=value
Storage state directory where all state information is stored (default:
"/run/containers/storage" for UID 0, "/run/user/$UID/run" for other
users). The default state dir is configured in
containers-storage.conf(5).

--runtime=value
Name of the OCI runtime as specified in containers.conf or absolute
path to the OCI compatible binary used to run containers.

--runtime-flag=flag
Adds global flags for the container runtime. To list the supported
flags, please consult the manpage of the selected container runtime:
runc is the default runtime, documented in runc(8); when the machine is
configured for cgroup v2, the default runtime is crun, documented in
crun(1).

Note: Do not pass the leading -- to the flag. To pass the runc flag
--log-format json to podman build, the option given can be
--runtime-flag log-format=json.

--ssh=value
This option allows the user to change the ssh mode, meaning that rather
than using the default golang mode, one can instead use --ssh=native to
use the installed ssh binary and the config file declared in
containers.conf.

--storage-driver=value
Storage driver. The default storage driver for UID 0 is configured in
containers-storage.conf(5); for non-root users it is vfs when
fuse-overlayfs is not available. The STORAGE_DRIVER environment
variable overrides the default. The --storage-driver specified driver
overrides all.

Overriding this option causes the storage-opt settings in
containers-storage.conf(5) to be ignored. The user must specify
additional options via the --storage-opt flag.

--storage-opt=value
Specify a storage driver option. Default storage driver options are
configured in containers-storage.conf(5). The STORAGE_OPTS environment
variable overrides the default. The --storage-opt specified options
override all. Specify --storage-opt="" so that no storage options are
used.

--syslog
Output logging information to syslog as well as the console (default
false).

On remote clients, including Mac and Windows (excluding WSL2) machines,
logging is directed to the file $HOME/.config/containers/podman.log.

--tmpdir=path
Path to the tmp directory, for libpod runtime content. Defaults to
$XDG_RUNTIME_DIR/libpod/tmp as rootless and /run/libpod/tmp as rootful.

NOTE: --tmpdir is not used for the temporary storage of downloaded
images. Use the environment variable TMPDIR to change the temporary
storage location of downloaded container images. Podman defaults to
/var/tmp.

--transient-store
Enables a global transient storage mode where all container metadata is
stored on non-persistent media (i.e. in the location specified by
--runroot). This mode allows starting containers faster, as well as
guaranteeing a fresh state on boot in case of unclean shutdowns or
other problems. However it is not compatible with a traditional model
where containers persist across reboots.

The default value for this is configured in containers-storage.conf(5).

--url=value
URL to access the Podman service (default from containers.conf:
unix://run/user/$UID/podman/podman.sock when rootless, or
unix://run/podman/podman.sock as root). Setting this option switches
the --remote option to true.

• CONTAINER_HOST is of the format
  <schema>://[<user>[:<password>]@]<host>[:<port>][<path>]

Details:
- schema is one of:
  * ssh (default): a local unix(7) socket on the named host and port,
    reachable via SSH
  * tcp: an unencrypted, unauthenticated TCP connection to the named
    host and port; anyone who can reach the port has full control of
    the Podman service, so use it only on a trusted or otherwise
    protected network
  * unix: a local unix(7) socket at the specified path, or the default
    for the user
- user defaults to either root or the current running user (ssh only)
- password has no default (ssh only); a password placed in the URL is
  visible to anything that can read the environment or the process
  list, so prefer --identity
- host must be provided and is either the IP or name of the machine
  hosting the Podman service (ssh and tcp)
- port defaults to 22 (ssh and tcp)
- path defaults to either /run/podman/podman.sock, or
  /run/user/$UID/podman/podman.sock if running rootless (unix), or must
  be explicitly specified (ssh)

URL value resolution precedence:
- command line value
- environment variable CONTAINER_HOST
- engine.service_destinations table in containers.conf, excluding the
  /usr/share/containers directory
- unix://run/podman/podman.sock

Remote connections use the local containers.conf for defaults.

Some example URL values in valid formats:
- unix://run/podman/podman.sock
- unix://run/user/$UID/podman/podman.sock
- ssh://notroot@localhost:22/run/user/$UID/podman/podman.sock
- ssh://root@localhost:22/run/podman/podman.sock
- tcp://localhost:34451
- tcp://127.0.0.1:34451

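As an added example (not code from the podman man page or project), the following parses a --url / CONTAINER_HOST value using the format and defaults listed above, and applies the resolution precedence the page gives (command line, then CONTAINER_HOST, then the containers.conf service destination, then the unix default). It is illustrative and does not reproduce podman's own parser; the uid and user name passed in stand for the calling user, and the warnings it collects are the two security points noted above (password in the URL, plaintext tcp).

```python
# Added example, not code from the podman man page or project: parse a
# --url / CONTAINER_HOST value with the format and defaults listed above, and
# apply the URL resolution precedence the page gives.  It is illustrative
# only and does not reproduce podman's own parser; the uid and user name
# passed in stand for the calling user.
from typing import Optional
from urllib.parse import urlsplit, unquote


def default_unix_sock(uid: int) -> str:
    """Default socket path (unix schema): per-user under /run/user when rootless."""
    return "/run/podman/podman.sock" if uid == 0 else f"/run/user/{uid}/podman/podman.sock"


def parse_container_host(value: str, uid: int = 1000, user: str = "notroot") -> dict:
    """Split a CONTAINER_HOST value into its parts, filling in the defaults the
    man page lists and collecting security warnings for the caller to show."""
    if "://" not in value:
        value = "ssh://" + value            # ssh is the default schema
    parts = urlsplit(value)
    schema = parts.scheme
    if schema not in ("ssh", "tcp", "unix"):
        raise ValueError(f"unsupported schema {schema!r}")
    warnings = []
    if schema == "unix":
        # urlsplit would treat "run" in unix://run/... as a host name, so take
        # everything after the schema literally and anchor it at /.
        raw = value[len("unix://"):]
        path = "/" + raw.lstrip("/") if raw.strip("/") else default_unix_sock(uid)
        return {"schema": schema, "user": None, "password": None, "host": None,
                "port": None, "path": path, "warnings": warnings}
    if not parts.hostname:
        raise ValueError("host is required for ssh and tcp")
    port = parts.port or 22                 # page: port defaults to 22 (ssh and tcp)
    path = parts.path or None
    if schema == "ssh":
        if path is None:
            raise ValueError("ssh URLs must name the remote socket path explicitly")
        user_ = parts.username or ("root" if uid == 0 else user)
        password = unquote(parts.password) if parts.password else None
        if password:
            warnings.append("password embedded in URL: readable from the "
                            "environment and process listings; prefer --identity")
    else:
        user_, password = None, None
        warnings.append("tcp is unencrypted and unauthenticated: anyone who can "
                        "reach the port controls the Podman service")
    return {"schema": schema, "user": user_, "password": password,
            "host": parts.hostname, "port": port, "path": path, "warnings": warnings}


def resolve_url(cli: Optional[str], env: dict, conf_destination: Optional[str],
                uid: int = 1000) -> str:
    """Precedence from the page: --url, then CONTAINER_HOST, then the
    engine.service_destinations entry from containers.conf, then the unix
    default for the calling user."""
    for candidate in (cli, env.get("CONTAINER_HOST"), conf_destination):
        if candidate:
            return candidate
    return "unix://" + default_unix_sock(uid).lstrip("/")
```

A wrapper script around podman can call resolve_url with its own --url argument, os.environ and the configured destination, then parse_container_host on the result and refuse to proceed (or at least print the warnings) before handing a plaintext tcp endpoint or an embedded password to the real client.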
--version, -v
Print the version

--volumepath=value
Volume directory where builtin volume information is stored (default:
"/var/lib/containers/storage/volumes" for UID 0,
"$HOME/.local/share/containers/storage/volumes" for other users). The
default volume path can be overridden in containers.conf.

ENVIRONMENT VARIABLES
Podman can set up environment variables from the env entry of the
[engine] table in containers.conf. These variables can be overridden by
passing environment variables before the podman command.

CONTAINERS_CONF
Set default location of the containers.conf file.

CONTAINERS_REGISTRIES_CONF
Set default location of the registries.conf file.

CONTAINERS_STORAGE_CONF
Set default location of the storage.conf file.

CONTAINER_CONNECTION
Override the default --connection value to access the Podman service.
Also enables the --remote option.

CONTAINER_HOST
Set the default --url value to access the Podman service. Also enables
the --remote option.

CONTAINER_SSHKEY
Set the default --identity path to the ssh key file used to access the
Podman service.

STORAGE_DRIVER
Set the default --storage-driver value.

STORAGE_OPTS
Set the default --storage-opt value.

TMPDIR
Set the temporary storage location of downloaded container images.
Podman defaults to /var/tmp.

XDG_CONFIG_HOME
In rootless mode configuration files are read from XDG_CONFIG_HOME when
specified, otherwise in the home directory of the user under
$HOME/.config/containers.

XDG_DATA_HOME
In rootless mode images are pulled under XDG_DATA_HOME when specified,
otherwise in the home directory of the user under
$HOME/.local/share/containers/storage.

XDG_RUNTIME_DIR
In rootless mode temporary configuration data is stored in
${XDG_RUNTIME_DIR}/containers.

REMOTING
The Podman command can be used with remote services using the --remote
flag. Connections can be made using local unix domain sockets, ssh or
directly to tcp sockets. When specifying the podman --remote flag, only
the global options --url, --identity, --log-level, --connection are
used.

Connection information can also be managed using the containers.conf
file.

EXIT CODES
The exit code from podman gives information about why the container
failed to run or why it exited. When podman commands exit with a
non-zero code, the exit codes follow the chroot standard, see below:

125 The error is with podman itself

  $ podman run --foo busybox; echo $?
  Error: unknown flag: --foo
  125

126 Executing a container command and the command cannot be invoked

  $ podman run busybox /etc; echo $?
  Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
  126

127 Executing a container command and the command cannot be found

  $ podman run busybox foo; echo $?
  Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
  127

Otherwise, podman returns the exit code of the container command

  $ podman run busybox /bin/sh -c 'exit 3'; echo $?
  3

Note that a container command which itself exits with 125, 126 or 127
cannot be told apart from the podman errors above by exit code alone;
scripts that need the distinction must also inspect stderr.

COMMANDS
Command                 Description
podman-attach(1)        Attach to a running container.
podman-auto-update(1)   Auto update containers according to their auto-update policy.
podman-build(1)         Build a container image using a Containerfile.
podman-farm(1)          Farm out builds to machines running podman for different architectures.
podman-commit(1)        Create new image based on the changed container.
podman-completion(1)    Generate shell completion scripts.
podman-compose(1)       Run Compose workloads via an external compose provider.
podman-container(1)     Manage containers.
podman-cp(1)            Copy files/folders between a container and the local filesystem.
podman-create(1)        Create a new container.
podman-diff(1)          Inspect changes on a container or image's filesystem.
podman-events(1)        Monitor Podman events.
podman-exec(1)          Execute a command in a running container.
podman-export(1)        Export a container's filesystem contents as a tar archive.
podman-generate(1)      Generate structured data based on containers, pods or volumes.
podman-healthcheck(1)   Manage healthchecks for containers.
podman-history(1)       Show the history of an image.
podman-image(1)         Manage images.
podman-images(1)        List images in local storage.
podman-import(1)        Import a tarball and save it as a filesystem image.
podman-info(1)          Display Podman related system information.
podman-init(1)          Initialize one or more containers.
podman-inspect(1)       Display a container, image, volume, network, or pod's configuration.
podman-kill(1)          Kill the main process in one or more containers.
podman-load(1)          Load image(s) from a tar archive into container storage.
podman-login(1)         Log in to a container registry.
podman-logout(1)        Log out of a container registry.
podman-logs(1)          Display the logs of one or more containers.
podman-machine(1)       Manage Podman's virtual machine.
podman-manifest(1)      Create and manipulate manifest lists and image indexes.
podman-mount(1)         Mount a working container's root filesystem.
podman-network(1)       Manage Podman networks.
podman-pause(1)         Pause one or more containers.
podman-kube(1)          Play containers, pods or volumes based on a structured input file.
podman-pod(1)           Management tool for groups of containers, called pods.
podman-port(1)          List port mappings for a container.
podman-ps(1)            Print out information about containers.
podman-pull(1)          Pull an image from a registry.
podman-push(1)          Push an image, manifest list or image index from local storage to elsewhere.
podman-rename(1)        Rename an existing container.
podman-restart(1)       Restart one or more containers.
podman-rm(1)            Remove one or more containers.
podman-rmi(1)           Remove one or more locally stored images.
podman-run(1)           Run a command in a new container.
podman-save(1)          Save image(s) to an archive.
podman-search(1)        Search a registry for an image.
podman-secret(1)        Manage podman secrets.
podman-start(1)         Start one or more containers.
podman-stats(1)         Display a live stream of one or more container's resource usage statistics.
podman-stop(1)          Stop one or more running containers.
podman-system(1)        Manage podman.
podman-tag(1)           Add an additional name to a local image.
podman-top(1)           Display the running processes of a container.
podman-unmount(1)       Unmount a working container's root filesystem.
podman-unpause(1)       Unpause one or more containers.
podman-unshare(1)       Run a command inside of a modified user namespace.
podman-untag(1)         Remove one or more names from a locally-stored image.
podman-update(1)        Update the cgroup configuration of a given container.
podman-version(1)       Display the Podman version information.
podman-volume(1)        Simple management tool for volumes.
podman-wait(1)          Wait on one or more containers to stop and print their exit codes.

FILES
containers.conf (/usr/share/containers/containers.conf,
/etc/containers/containers.conf, $HOME/.config/containers/containers.conf)

Podman has builtin defaults for command line options. These defaults
can be overridden using the containers.conf configuration files.

Distributions ship the /usr/share/containers/containers.conf file with
their default settings. Administrators can override fields in this file
by creating the /etc/containers/containers.conf file. Users can further
modify defaults by creating the $HOME/.config/containers/containers.conf
file. Podman merges its builtin defaults with the specified fields from
these files, if they exist. Fields specified in the user's file override
the administrator's file, which overrides the distribution's file, which
overrides the built-in defaults.

Podman uses builtin defaults if no containers.conf file is found.

If the CONTAINERS_CONF environment variable is set, then its value is
used for the containers.conf file rather than the default.

mounts.conf (/usr/share/containers/mounts.conf)

The mounts.conf file specifies volume mount directories that are
automatically mounted inside containers when executing the podman run
or podman start commands. Administrators can override the defaults file
by creating /etc/containers/mounts.conf.

When Podman runs in rootless mode, the file
$HOME/.config/containers/mounts.conf overrides the default if it exists.
For details, see containers-mounts.conf(5).

policy.json (/etc/containers/policy.json)

Signature verification policy files are used to specify policy, e.g.
trusted keys, applicable when deciding whether to accept an image, or
individual signatures of that image, as valid. A policy whose default
entry is insecureAcceptAnything accepts unsigned images from every
registry; see containers-policy.json(5) for the requirement types.

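As an added example (not code from the podman man page or the containers project), the following linter reads a policy.json of the form containers-policy.json(5) describes and reports the weak settings a reviewer looks for: a default of insecureAcceptAnything, remote registries that accept unsigned images, and signedBy or sigstoreSigned requirements that name no key. The two policies embedded in it are constructed samples; the registry names and key paths are assumptions.

```python
# Added example, not code from the podman man page or project: a linter for
# the signature verification policy described above (containers-policy.json(5)).
# It reports the settings a reviewer looks for: a default of
# insecureAcceptAnything, remote registries that accept unsigned images, and
# signedBy/sigstoreSigned requirements with no key to verify against.  The
# two policies below are constructed samples; registry names and key paths
# are assumptions.
import json

WEAK_POLICY = """{
  "default": [{"type": "insecureAcceptAnything"}]
}"""

HARDENED_POLICY = """{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.example.com/prod": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/prod-release.gpg"}
      ],
      "registry.example.com/cosign": [
        {"type": "sigstoreSigned", "keyPath": "/etc/pki/containers/cosign.pub"}
      ]
    },
    "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}"""

# Transports that only read from the local host; accepting anything there is
# the common choice and is not reported.
LOCAL_TRANSPORTS = {"containers-storage", "docker-daemon", "dir", "oci",
                    "oci-archive", "docker-archive"}
SIGNED_TYPES = ("signedBy", "sigstoreSigned")
KEY_FIELDS = ("keyPath", "keyPaths", "keyData", "fulcio")


def lint_policy(text: str) -> list:
    """Return a list of findings; an empty list means nothing weak was found."""
    policy = json.loads(text)
    findings = []
    default = policy.get("default")
    if not default:
        findings.append("no default entry: the policy is invalid")
    elif any(req.get("type") == "insecureAcceptAnything" for req in default):
        findings.append("default accepts unsigned images from any registry")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, requirements in scopes.items():
            label = f"{transport}:{scope or '(any)'}"
            for req in requirements:
                kind = req.get("type")
                if kind == "insecureAcceptAnything" and transport not in LOCAL_TRANSPORTS:
                    findings.append(f"{label}: accepts unsigned images")
                elif kind in SIGNED_TYPES and not any(req.get(f) for f in KEY_FIELDS):
                    findings.append(f"{label}: {kind} names no key, so nothing can be verified")
                elif kind == "signedBy" and req.get("keyType") != "GPGKeys":
                    findings.append(f"{label}: signedBy requires keyType GPGKeys")
    return findings


if __name__ == "__main__":
    with open("/etc/containers/policy.json") as fh:
        for finding in lint_policy(fh.read()):
            print(finding)
```

Run stand-alone it lints the system policy at /etc/containers/policy.json. The hardened sample shows the usual shape: reject by default, a signature requirement per registry scope, and insecureAcceptAnything confined to local-only transports.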
registries.conf (/etc/containers/registries.conf,
$HOME/.config/containers/registries.conf)

registries.conf is the configuration file which specifies which
container registries are consulted when completing image names which do
not include a registry or domain portion.

Non-root users of Podman can create the
$HOME/.config/containers/registries.conf file to be used instead of the
system defaults.

If the CONTAINERS_REGISTRIES_CONF environment variable is set, then its
value is used for the registries.conf file rather than the default.

storage.conf (/etc/containers/storage.conf,
$HOME/.config/containers/storage.conf)

storage.conf is the storage configuration file for all tools using
containers/storage.

The storage configuration file specifies all of the available container
storage options for tools using shared container storage.

When Podman runs in rootless mode, the file
$HOME/.config/containers/storage.conf is used instead of the system
defaults.

If the CONTAINERS_STORAGE_CONF environment variable is set, then its
value is used for the storage.conf file rather than the default.

Rootless mode
Podman can also be used as a non-root user. When podman runs in rootless
mode, a user namespace is automatically created for the user, defined
in /etc/subuid and /etc/subgid.

Containers created by a non-root user are not visible to other users
and are not seen or managed by Podman running as root.

It is required to have multiple UIDs/GIDs set for a user. Be sure the
user is present in the files /etc/subuid and /etc/subgid.

Execute the following commands to add the ranges to the files

  $ sudo usermod --add-subuids 10000-75535 USERNAME
  $ sudo usermod --add-subgids 10000-75535 USERNAME

Or just add the content manually.

  $ echo USERNAME:10000:65536 >> /etc/subuid
  $ echo USERNAME:10000:65536 >> /etc/subgid

Ranges must not overlap between users: a subordinate ID shared by two
users lets each of them own the other's container files. See the
subuid(5) and subgid(5) man pages for more information.

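The following is an added example, not code from the podman man page or project: a checker for the /etc/subuid and /etc/subgid allocations that rootless Podman depends on. It verifies that the user has an entry of at least 65536 IDs (the size the commands above allocate) and that no two users share subordinate IDs. The threshold of 1000 for reserved system IDs and the file contents embedded at the bottom are assumptions and constructed samples, respectively.

```python
# Added example, not code from the podman man page or project: a checker for
# the /etc/subuid and /etc/subgid allocations rootless Podman depends on.  It
# verifies that the user has an entry of at least 65536 IDs (the size the
# commands above allocate) and that no two users share subordinate IDs, since
# overlapping ranges let one user's containers own another user's files.
# The file contents at the bottom are constructed samples.
import sys

MIN_IDS = 65536          # size allocated by the usermod example above
RESERVED_BELOW = 1000    # assumption: never delegate system UID/GID space


def parse_subid(text: str) -> list:
    """Parse subuid(5)/subgid(5) lines 'name:start:count' into tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {line!r}")
        name, start, count = fields[0], int(fields[1]), int(fields[2])
        if start <= 0 or count <= 0:
            raise ValueError(f"line {lineno}: start and count must be positive")
        entries.append((name, start, count))
    return entries


def check_subid(text: str, user: str) -> list:
    """Return the problems found (an empty list means the allocation is usable)."""
    entries = parse_subid(text)
    problems = []
    mine = sum(count for name, _, count in entries if name == user)
    if mine == 0:
        problems.append(f"{user} has no entry")
    elif mine < MIN_IDS:
        problems.append(f"{user} has only {mine} IDs, fewer than {MIN_IDS}")
    # Overlap check: after sorting by start, a range overlaps the previous one
    # exactly when it starts before the previous one ends.
    ordered = sorted(entries, key=lambda e: e[1])
    for (n1, s1, c1), (n2, s2, c2) in zip(ordered, ordered[1:]):
        if s2 < s1 + c1:
            problems.append(f"overlap: {n1} {s1}-{s1 + c1 - 1} and {n2} {s2}-{s2 + c2 - 1}")
    for name, start, _ in entries:
        if start < RESERVED_BELOW:
            problems.append(f"{name} delegates system IDs below {RESERVED_BELOW} ({start})")
    return problems


# Constructed samples, not real files.
SAMPLE_OK = """# /etc/subuid
alice:100000:65536
bob:165536:65536
"""
SAMPLE_BAD = """# /etc/subuid
alice:100000:65536
bob:120000:65536
carol:200000:1000
"""

if __name__ == "__main__":
    # Usage: python3 check_subid.py USERNAME
    for path in ("/etc/subuid", "/etc/subgid"):
        with open(path) as fh:
            for problem in check_subid(fh.read(), sys.argv[1]):
                print(f"{path}: {problem}")
```

Both files need the same checks because the user namespace maps GIDs from /etc/subgid independently of UIDs from /etc/subuid; an overlap in either one is enough to cross user boundaries.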
Images are pulled under XDG_DATA_HOME when specified, otherwise in the
home directory of the user under .local/share/containers/storage.

Currently slirp4netns or pasta is required to be installed to create a
network device, otherwise rootless containers need to run in the
network namespace of the host.

In certain environments like HPC (High Performance Computing), users
cannot take advantage of the additional UIDs and GIDs from the
/etc/subuid and /etc/subgid systems. However, in this environment,
rootless Podman can operate with a single UID. To make this work, set
the ignore_chown_errors option in the containers-storage.conf(5) file.
This option tells Podman, when pulling an image, to ignore chown errors
when attempting to change a file in a container image to match the
non-root UID in the image. This means all files get saved as the user's
UID. Note this can cause issues when running the container.

NOTE: Unsupported file systems in rootless mode
The Overlay file system (OverlayFS) is not supported with kernels prior
to 5.12.9 in rootless mode. The fuse-overlayfs package is a tool that
provides the functionality of OverlayFS in a user namespace, which
allows mounting file systems in rootless environments. It is
recommended to install the fuse-overlayfs package. In rootless mode,
Podman automatically uses the fuse-overlayfs program as the
mount_program if installed, as long as the
$HOME/.config/containers/storage.conf file was not previously created.
If storage.conf exists in the homedir, add
mount_program = "/usr/bin/fuse-overlayfs" under
[storage.options.overlay] to enable this feature.

The Network File System (NFS) and other distributed file systems (for
example: Lustre, Spectrum Scale, the General Parallel File System
(GPFS)) are not supported when running in rootless mode as these file
systems do not understand user namespaces. However, rootless Podman can
make use of an NFS home directory by modifying
$HOME/.config/containers/storage.conf to have the graphroot option
point to a directory stored on local (non-NFS) storage.

For more information, see the Podman Troubleshooting Page.

SEE ALSO
containers-mounts.conf(5), containers.conf(5),
containers-registries.conf(5), containers-storage.conf(5), buildah(1),
oci-hooks(5), containers-policy.json(5), crun(1), runc(8), subuid(5),
subgid(5), slirp4netns(1), pasta(1), conmon(8)

HISTORY
Dec 2016, Originally compiled by Dan Walsh dwalsh@redhat.com