containers.conf(5)                configuration                containers.conf(5)

containers.conf - The container engine configuration file specifies default configuration options and command-line flags for container engines.

Container engines like Podman & Buildah read the containers.conf file, if it exists, and modify the defaults for running containers on the host. containers.conf uses a TOML format that can be easily modified and versioned.

Container engines read the /usr/share/containers/containers.conf, /etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files if they exist. When running in rootless mode, they also read $HOME/.config/containers/containers.conf and $HOME/.config/containers/containers.conf.d/*.conf files.

Fields specified in containers.conf override the default options, as well as options in previously read containers.conf files.

Config files in the .d directories are added in alphanumeric sorted order and must end in .conf.

Not all options are supported in all container engines.

Note, container engines also use other configuration files for configuring the environment.

• storage.conf for configuration of container and image storage.

• registries.conf for definition of container registries to search while pulling container images.

• policy.conf for controlling which images can be pulled to the system.

The TOML format ⟨https://github.com/toml-lang/toml⟩ is used as the encoding of the configuration file. Every option is nested under its table. No bare options are used. The format of TOML can be simplified to:

[table1]
option = value

[table2]
option = value

[table3]
option = value

[table3.subtable1]
option = value

The containers table contains settings to configure and manage the OCI runtime.

annotations = []

List of annotations. Specified as "key=value" pairs to be added to all containers.

Example: "run.oci.keep_original_groups=1"

apparmor_profile="container-default"

Used to change the name of the default AppArmor profile of container engines. The default profile name is "container-default".

base_hosts_file=""

The hosts entries from the base hosts file are added to the container's hosts file. This must be either an absolute path or one of the special values "image", which uses the hosts file from the container image, or "none", which means no base hosts file is used. The default is "", which will use /etc/hosts.

cgroup_conf=[]

List of cgroup_conf entries specifying a list of cgroup files to write to and their values. For example memory.high=1073741824 sets the memory.high limit to 1GB.

cgroups="enabled"

Determines whether the container will create CGroups. Options are:
enabled    Enable cgroup support within container
disabled   Disable cgroup support, will inherit cgroups from parent
no-conmon  Do not create a cgroup dedicated to conmon.

cgroupns="private"

Default way to create a cgroup namespace for the container. Options are:
private    Create private Cgroup Namespace for the container.
host       Share host Cgroup Namespace with the container.

default_capabilities=[]

List of default capabilities for containers.

The default list is:

default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
]

Note, by default container engines using containers.conf run with fewer capabilities than Docker. Docker additionally runs with "AUDIT_WRITE", "MKNOD", "NET_RAW", "CHROOT". If you need to add one of these capabilities for a particular container, you can use the --cap-add option or edit your system's containers.conf.
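The default list above is easiest to check against what actually runs: the effective capability set of a containerised process is the CapEff field of its /proc/<pid>/status. The Python below is an added audit example, not code from the man page or from the Podman project. The capability bit numbers are taken from the kernel's capability.h, and the two status excerpts are constructed sample data whose masks were derived from the capability lists rather than captured from a host.

```python
import re

# Capability bit numbers as defined in the Linux kernel's capability.h
# (an assumption of this example; the man page only names the capabilities).
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "LINUX_IMMUTABLE": 9, "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11,
    "NET_ADMIN": 12, "NET_RAW": 13, "IPC_LOCK": 14, "IPC_OWNER": 15,
    "SYS_MODULE": 16, "SYS_RAWIO": 17, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_PACCT": 20, "SYS_ADMIN": 21, "SYS_BOOT": 22, "SYS_NICE": 23,
    "SYS_RESOURCE": 24, "SYS_TIME": 25, "SYS_TTY_CONFIG": 26, "MKNOD": 27,
    "LEASE": 28, "AUDIT_WRITE": 29, "AUDIT_CONTROL": 30, "SETFCAP": 31,
    "MAC_OVERRIDE": 32, "MAC_ADMIN": 33, "SYSLOG": 34, "WAKE_ALARM": 35,
    "BLOCK_SUSPEND": 36, "AUDIT_READ": 37, "PERFMON": 38, "BPF": 39,
    "CHECKPOINT_RESTORE": 40,
}

# The default_capabilities list exactly as containers.conf documents it.
DEFAULT_CAPABILITIES = [
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "NET_BIND_SERVICE",
    "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
]


def mask_from_names(names):
    """Build the kernel bitmask corresponding to a list of capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name.upper().removeprefix("CAP_")]
    return mask


def names_from_mask(mask_hex):
    """Decode a CapEff/CapBnd hex field from /proc/<pid>/status into names."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def capeff_from_status(status_text):
    """Extract the effective capability mask from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return match.group(1)


def audit_capabilities(status_text, baseline=DEFAULT_CAPABILITIES):
    """Report capabilities held beyond the baseline and baseline ones that are missing."""
    effective = names_from_mask(capeff_from_status(status_text))
    return {
        "extra": sorted(effective - set(baseline)),
        "missing": sorted(set(baseline) - effective),
    }


# Constructed /proc/<pid>/status excerpts (sample data, not captured from a host).
# The first mask is mask_from_names(DEFAULT_CAPABILITIES); the second adds the
# AUDIT_WRITE, MKNOD and NET_RAW capabilities mentioned in the note above.
STATUS_CONTAINERS_CONF_DEFAULT = (
    "Name:\tsleep\nPid:\t4242\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000800405fb\n"
    "CapEff:\t00000000800405fb\nCapBnd:\t00000000800405fb\n"
)
STATUS_DOCKER_LIKE = (
    "Name:\tsleep\nPid:\t4243\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)

if __name__ == "__main__":
    print(hex(mask_from_names(DEFAULT_CAPABILITIES)))
    print(audit_capabilities(STATUS_CONTAINERS_CONF_DEFAULT))
    print(audit_capabilities(STATUS_DOCKER_LIKE))
```

On a real host, read the status file of the container's PID 1 (for Podman, `podman inspect --format '{{.State.Pid}}'` gives it) and pass its text to audit_capabilities; anything listed under "extra" was granted beyond the containers.conf baseline, whether by --cap-add, a drop-in file, or a non-default default_capabilities list.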

default_sysctls=[]

A list of sysctls to be set in containers by default, specified as "name=value".

Example: "net.ipv4.ping_group_range=0 1000".

default_ulimits=[]

A list of ulimits to be set in containers by default, specified as "name=soft-limit:hard-limit".

Example: "nofile=1024:2048".

devices=[]

List of devices. Specified as 'device-on-host:device-on-container:permissions'.

Example: "/dev/sdc:/dev/xvdc:rwm".

dns_options=[]

List of default DNS options to be added to /etc/resolv.conf inside of the container.

dns_searches=[]

List of default DNS search domains to be added to /etc/resolv.conf inside of the container.

dns_servers=[]

A list of DNS servers to override the DNS configuration passed to the container. The special value "none" can be specified to disable creation of /etc/resolv.conf in the container.

env=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm"]

Environment variable list for the container process, used for passing environment variables to the container.

env_host=false

Pass all host environment variables into the container.

host_containers_internal_ip=""

Set the IP for the host.containers.internal entry in the container's /etc/hosts file. This can be set to "none" to disable adding this entry. By default it will automatically choose the host IP.

NOTE: When using podman machine this entry will never be added to the container's hosts file; instead the gvproxy DNS resolver will resolve this hostname. Therefore it is not possible to disable the entry in this case.

http_proxy=true

Default proxy environment variables will be passed into the container. The environment variables passed in include: http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of these. The no_proxy option is needed when the host system uses a proxy but the container should not use it. Proxy environment variables specified for the container in any other way will override the values passed from the host.

init=false

Run an init inside the container that forwards signals and reaps processes.

init_path="/usr/libexec/podman/catatonit"

Path to the container-init binary, which forwards signals and reaps processes within containers. Note that the container-init binary will only be used when the --init option for podman-create and podman-run is set.

ipcns="shareable"

Default way to create an IPC namespace for the container. Options are:
host       Share host IPC Namespace with the container.
none       Create shareable IPC Namespace for the container without a private /dev/shm.
private    Create private IPC Namespace for the container; other containers are not allowed to share it.
shareable  Create shareable IPC Namespace for the container.

keyring=true

Indicates whether the container engines create a kernel keyring for use within the container.

label=true

Indicates whether the container engine uses MAC (SELinux) container separation via labeling. This option is ignored on disabled systems.

log_driver=""

Logging driver for the container. Currently available options are k8s-file, journald, none and passthrough, with json-file aliased to k8s-file for scripting compatibility. The journald driver is used by default if the systemd journal is readable and writable. Otherwise, the k8s-file driver is used.

log_size_max=-1

Maximum size allowed for the container's log file. Negative numbers indicate that no size limit is imposed. If it is positive, it must be >= 8192 to match/exceed conmon's read buffer. The file is truncated and re-opened so the limit is never exceeded.

log_tag=""

Default format tag for container log messages. This is useful for creating a specific tag for container log messages. Container log messages default to using the truncated container ID as a tag.

netns="private"

Default way to create a NET namespace for the container. Options are:
private    Create private NET Namespace for the container.
host       Share host NET Namespace with the container.
none       Containers do not use the network.

no_hosts=false

Create /etc/hosts for the container. By default, container engines manage /etc/hosts, automatically adding the container's own IP address.

oom_score_adj=0

Tune the host's OOM preferences for containers (accepts values from -1000 to 1000).

pidns="private"

Default way to create a PID namespace for the container. Options are:
private    Create private PID Namespace for the container.
host       Share host PID Namespace with the container.

pids_limit=1024

Maximum number of processes allowed in a container. 0 indicates that no limit is imposed.

prepare_volume_on_create=false

Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If false, the container engine will not copy the content until the container is started. Setting it to true may have negative performance implications.

read_only=true|false

Run all containers with the root file system mounted read-only. Set to false by default.

seccomp_profile="/usr/share/containers/seccomp.json"

Path to the seccomp.json profile which is used as the default seccomp profile for the runtime.

shm_size="65536k"

Size of /dev/shm. The format is <number><unit>. number must be greater than 0. Unit is optional and can be: b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 65536k.
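Several [containers] options above carry value constraints that are easy to get wrong in a drop-in file: log_size_max must be >= 8192 when positive, oom_score_adj must lie in -1000..1000, cgroups takes one of three fixed words, and shm_size uses the <number><unit> form with a number greater than 0. The Python below is an added example, not code from the man page or the project: parse_size decodes the size form (treating k, m and g as powers of 1024, an assumption of this example) and check_containers_table lints a [containers] table that has already been decoded into a dict.

```python
import re

# Unit multipliers for the <number><unit> form; 1024-based is an assumption of this example.
SIZE_UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
LOG_SIZE_MIN = 8192  # conmon's read buffer, per the log_size_max description


def parse_size(text, default="65536k"):
    """Parse a <number><unit> size such as shm_size; an empty value means the default."""
    value = (text or "").strip() or default
    match = re.fullmatch(r"(\d+)\s*([bkmgBKMG]?)", value)
    if match is None:
        raise ValueError(
            f"malformed size {text!r}: expected <number><unit> with unit b, k, m or g"
        )
    number, unit = int(match.group(1)), (match.group(2) or "b").lower()
    if number <= 0:
        raise ValueError("size must be greater than 0")
    return number * SIZE_UNITS[unit]


def check_containers_table(containers):
    """Return findings for the documented value constraints of a [containers] table.

    `containers` is the decoded table (a dict); keys that are absent keep the
    documented defaults and therefore produce no finding.
    """
    findings = []

    log_size_max = containers.get("log_size_max", -1)
    if 0 < log_size_max < LOG_SIZE_MIN:
        findings.append(
            f"log_size_max={log_size_max}: positive values must be >= {LOG_SIZE_MIN}"
        )

    oom = containers.get("oom_score_adj", 0)
    if not -1000 <= oom <= 1000:
        findings.append(f"oom_score_adj={oom}: must be between -1000 and 1000")

    cgroups = containers.get("cgroups", "enabled")
    if cgroups not in ("enabled", "disabled", "no-conmon"):
        findings.append(f"cgroups={cgroups!r}: expected enabled, disabled or no-conmon")

    try:
        parse_size(containers.get("shm_size", "65536k"))
    except ValueError as err:
        findings.append(f"shm_size: {err}")

    return findings


if __name__ == "__main__":
    # Constructed sample table with every check tripped once.
    sample = {"log_size_max": 4096, "oom_score_adj": 2000, "cgroups": "on", "shm_size": "0"}
    for finding in check_containers_table(sample):
        print(finding)
    print(parse_size("65536k"), parse_size(""), parse_size("1g"))
```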

tz=""

Set timezone in container. Takes IANA timezones as well as local, which sets the timezone in the container to match the host machine. If not set, then containers will run with the time zone specified in the image.

Examples:
tz="local"
tz="America/New_York"

umask="0022"

Sets umask inside the container.

userns="host"

Default way to create a USER namespace for the container. Options are:
private    Create private USER Namespace for the container.
host       Share host USER Namespace with the container.

utsns="private"

Default way to create a UTS namespace for the container. Options are:
private    Create private UTS Namespace for the container.
host       Share host UTS Namespace with the container.

volumes=[]

List of volumes. Specified as "directory-on-host:directory-in-container:options".

Example: "/db:/var/lib/db:ro".

The network table contains settings pertaining to the management of CNI plugins.

network_backend=""

Network backend determines what network driver will be used to set up and tear down container networks. Valid values are "cni" and "netavark". The default value is empty, which means that it will automatically choose CNI or netavark. If there are already containers/images or CNI networks present it will choose CNI.

Before changing this value all containers must be stopped, otherwise it is likely that iptables rules and network interfaces might leak on the host. A reboot will fix this.

cni_plugin_dirs=[]

List of paths to directories where CNI plugin binaries are located.

The default list is:

cni_plugin_dirs = [
"/usr/local/libexec/cni",
"/usr/libexec/cni",
"/usr/local/lib/cni",
"/usr/lib/cni",
"/opt/cni/bin",
]

netavark_plugin_dirs=[]

List of directories that will be searched for netavark plugins.

The default list is:

netavark_plugin_dirs = [
"/usr/local/libexec/netavark",
"/usr/libexec/netavark",
"/usr/local/lib/netavark",
"/usr/lib/netavark",
]

default_network="podman"

The network name of the default network to attach pods to.

default_subnet="10.88.0.0/16"

The subnet to use for the default network (named above in default_network). If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.

default_subnet_pools=[]

DefaultSubnetPools is a list of subnets and size which are used to allocate subnets automatically for podman network create. It will iterate through the list and will pick the first free subnet with the given size. This is only used for ipv4 subnets; ipv6 subnets are always assigned randomly.

The default list is (10.89.0.0-10.255.255.0/24):

default_subnet_pools = [
{"base" = "10.89.0.0/16", "size" = 24},
{"base" = "10.90.0.0/15", "size" = 24},
{"base" = "10.92.0.0/14", "size" = 24},
{"base" = "10.96.0.0/11", "size" = 24},
{"base" = "10.128.0.0/9", "size" = 24},
]
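To make the allocation order concrete, the Python below is an added example (not the netavark or Podman implementation) that walks the default_subnet_pools list as the text describes: pools in order, first subnet of the pool's size that does not overlap anything already taken. The existing networks and host routes it checks against are constructed sample data; the man page does not say that the engine itself avoids host routes, so treat the in_use argument as the operator's own exclusion list when planning a site-specific pool.

```python
import ipaddress

# The default_subnet_pools list from containers.conf, as (base, size) pairs.
DEFAULT_SUBNET_POOLS = [
    ("10.89.0.0/16", 24),
    ("10.90.0.0/15", 24),
    ("10.92.0.0/14", 24),
    ("10.96.0.0/11", 24),
    ("10.128.0.0/9", 24),
]


def allocate_subnet(pools, in_use):
    """Pick the first subnet of each pool's size that does not overlap anything in in_use.

    Mirrors the described behaviour (iterate the pools in order, take the first
    free subnet of the given size); it is not the engine's own code.
    """
    used = [ipaddress.ip_network(net, strict=False) for net in in_use]
    for base, size in pools:
        pool = ipaddress.ip_network(base)
        if pool.version != 4:
            continue  # the pools only govern IPv4 allocation
        for candidate in pool.subnets(new_prefix=size):
            if not any(candidate.overlaps(taken) for taken in used):
                return str(candidate)
    raise RuntimeError("all subnet pools are exhausted")


def allocate_many(pools, in_use, count):
    """Allocate `count` subnets in sequence, treating each result as taken for the next."""
    taken = list(in_use)
    for _ in range(count):
        taken.append(allocate_subnet(pools, taken))
    return taken[len(in_use):]


# Constructed sample: two existing podman networks plus host routes the operator
# wants to keep clear (for example a VPN route and a corporate range).
EXISTING_NETWORKS = ["10.89.0.0/24", "10.89.1.0/24"]
HOST_ROUTES = ["10.89.2.0/23", "10.90.0.0/15"]

if __name__ == "__main__":
    print(allocate_many(DEFAULT_SUBNET_POOLS, EXISTING_NETWORKS + HOST_ROUTES, 3))
    # A fully consumed first pool falls through to the next base.
    print(allocate_subnet(DEFAULT_SUBNET_POOLS, ["10.89.0.0/16"]))
```

The second call shows the fall-through the text promises: once 10.89.0.0/16 is fully taken, the next /24 comes from 10.90.0.0/15. Running the same function against an organisation's routed prefixes before settling on a custom default_subnet_pools list is a cheap way to catch an overlap that would otherwise surface as unreachable hosts.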

network_config_dir="/etc/cni/net.d/"

Path to the directory where network configuration files are located. For the CNI backend the default is /etc/cni/net.d as root and $HOME/.config/cni/net.d as rootless. For the netavark backend "/etc/containers/networks" is used as root and "$graphroot/networks" as rootless.

dns_bind_port=53

Port to use for the DNS forwarding daemon with netavark in rootful bridge mode and DNS enabled. Using an alternate port might be useful if other DNS services should run on the machine.

The engine table contains configuration options used to set up container engines such as Podman and Buildah.

active_service=""

Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.

cgroup_manager="systemd"

The cgroup management implementation used for the runtime. Supports cgroupfs and systemd.

conmon_env_vars=[]

Environment variables to pass into Conmon.

conmon_path=[]

Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback.

The default list is:

conmon_path=[
"/usr/libexec/podman/conmon",
"/usr/local/libexec/podman/conmon",
"/usr/local/lib/podman/conmon",
"/usr/bin/conmon",
"/usr/sbin/conmon",
"/usr/local/bin/conmon",
"/usr/local/sbin/conmon",
"/run/current-system/sw/bin/conmon",
]

detach_keys="ctrl-p,ctrl-q"

Key sequence used for detaching a container. Format is a single character [a-Z] or a comma separated sequence of ctrl-<value>, where <value> is one of: a-z, @, ^, [, \, ], ^ or _

enable_port_reservation=true

Determines whether the engine will reserve ports on the host when they are forwarded to containers. When enabled, forwarded ports are held open by conmon as long as the container is running, ensuring that they cannot be reused by other programs on the host. However, this can cause significant memory usage if a container has many ports forwarded to it. Disabling this can save memory.

env=[]

Environment variables to be used when running the container engine (e.g., Podman, Buildah). For example "http_proxy=internal.proxy.company.com". Note these environment variables will not be used within the container. Set the env section under the [containers] table if you want to set environment variables for the container.

events_logfile_path=""

Define where event logs will be stored, when events_logger is "file".

events_logfile_max_size="1m"

Sets the maximum size for events_logfile_path. The unit can be b (bytes), k (kilobytes), m (megabytes) or g (gigabytes). The format for the size is <number><unit>, e.g., 1b or 3g. If no unit is included then the size will be in bytes. When the limit is exceeded, the logfile will be rotated and the old one will be deleted. If the maximum size is set to 0, then no limit will be applied, and the logfile will not be rotated.

events_logger="journald"

The default method to use when logging events.

The default method is different based on the platform that Podman is being run upon. To determine the current value, use this command:

podman info --format {{.Host.EventLogger}}

Valid values are: file, journald, and none.

events_container_create_inspect_data=true|false

Creates a more verbose container-create event which includes a JSON payload with detailed information about the container. Set to false by default.

helper_binaries_dir=["/usr/libexec/podman", ...]

A list of directories which are used to search for helper binaries.

The default paths on Linux are:

• /usr/local/libexec/podman

• /usr/local/lib/podman

• /usr/libexec/podman

• /usr/lib/podman

The default paths on macOS are:

• /usr/local/opt/podman/libexec

• /opt/homebrew/bin

• /opt/homebrew/opt/podman/libexec

• /usr/local/bin

• /usr/local/libexec/podman

• /usr/local/lib/podman

• /usr/libexec/podman

• /usr/lib/podman

The default path on Windows is:

• C:\Program Files\RedHat\Podman

hooks_dir=["/etc/containers/oci/hooks.d", ...]

Path to the OCI hooks directories for automatically executed hooks.

image_default_format="oci"|"v2s2"|"v2s1"

Manifest type (oci, v2s2, or v2s1) to use when pulling, pushing, or building container images. By default images pulled and pushed match the format of the source image. Building/committing defaults to OCI. Note: image_build_format is deprecated.

image_default_transport="docker://"

Default transport method for pulling and pushing images.

image_parallel_copies=0

Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults. (6)

image_volume_mode="bind"

Tells container engines how to handle the built-in image volumes.

• bind: An anonymous named volume will be created and mounted into the container.

• tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped.

• ignore: All volumes are just ignored and no action is taken.

infra_command="/pause"

Infra (pause) container image command for pod infra containers. When running a pod, we start a /pause process in a container to hold open the namespaces associated with the pod. This container does nothing other than sleep, reserving the pod's resources for the lifetime of the pod.

infra_image=""

Infra (pause) container image for pod infra containers. When running a pod, we start a pause process in a container to hold open the namespaces associated with the pod. This container does nothing other than sleep, reserving the pod's resources for the lifetime of the pod. By default container engines run a built-in container using the pause executable. If you want to override it, specify an image to pull.

kube_generate_type="pod"

Default Kubernetes kind/specification of the kubernetes yaml generated with the podman kube generate command. The possible options are pod and deployment.

lock_type="shm"

Specify the locking mechanism to use; valid values are "shm" and "file". Change the default only if you are sure of what you are doing; in general "file" is useful only on platforms where cgo is not available for using the faster "shm" lock type. You may need to run "podman system renumber" after you change the lock type.

multi_image_archive=false

Allows for creating archives (e.g., tarballs) with more than one image. Some container engines, such as Podman, interpret additional arguments as tags for one image and hence do not store more than one image. The default behavior can be altered with this option.

namespace=""

Default engine namespace. If the engine is joined to a namespace, it will see only containers and pods that were created in the same namespace, and will create new containers and pods in that namespace. The default namespace is "", which corresponds to no namespace. When no namespace is set, all containers and pods are visible.

network_cmd_path=""

Path to the slirp4netns binary.

network_cmd_options=[]

Default options to pass to the slirp4netns binary.

Valid option values are:

• allow_host_loopback=true|false: Allow slirp4netns to reach the host loopback IP (10.0.2.2). Default is false.

• mtu=MTU: Specify the MTU to use for this network. (Default is 65520).

• cidr=CIDR: Specify the IP range to use for this network. (Default is 10.0.2.0/24).

• enable_ipv6=true|false: Enable IPv6. Default is true. (Required for outbound_addr6).

• outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).

• outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.

• outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).

• outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.

• port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually 10.0.2.100. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.

• port_handler=slirp4netns: Use the slirp4netns port forwarding; it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.

no_pivot_root=false

Whether to use chroot instead of pivot_root in the runtime.

num_locks=2048

Number of locks available for containers and pods. Each created container or pod consumes one lock. The default number available is 2048. If this is changed, a lock renumbering must be performed, using the podman system renumber command.

pod_exit_policy="continue"

Set the exit policy of the pod when the last container exits. Supported policies are:

┌────────────┬────────────────────────────┐
│Exit Policy │ Description                │
├────────────┼────────────────────────────┤
│continue    │ The pod continues running  │
│            │ when the last container    │
│            │ exits. Used by default.    │
├────────────┼────────────────────────────┤
│stop        │ The pod is stopped when    │
│            │ the last container exits.  │
│            │ Used in play kube.         │
└────────────┴────────────────────────────┘

pull_policy="always"|"missing"|"never"

Pull image before running or creating a container. The default is missing.

• missing: attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist. Raise an error if the image is not in any listed registry and is not present locally.

• always: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally.

• never: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.

remote = false

Indicates whether the application should be running in remote mode. This flag modifies the --remote option on container engines. Setting the flag to true will default podman --remote=true for access to the remote Podman service.

runtime=""

Default OCI specific runtime in runtimes that will be used by default. Must refer to a member of the runtimes table. The default runtime will be searched for on the system using the priority: "crun", "runc", "kata".

runtime_supports_json=["crun", "runc", "kata", "runsc", "youki", "krun"]

The list of the OCI runtimes that support --format=json.

runtime_supports_kvm=["kata", "krun"]

The list of OCI runtimes that support running containers with KVM separation.

runtime_supports_nocgroups=["crun", "krun"]

The list of OCI runtimes that support running containers without CGroups.

image_copy_tmp_dir="/var/tmp"

Default location for storing temporary container image content. Can be overridden with the TMPDIR environment variable. If you specify "storage", then the location of the container/storage tmp directory will be used. If set, then it is the user's responsibility to clean up storage. Configure tmpfiles.d(5) to clean up storage.

service_timeout=5

Number of seconds to wait without a connection before the podman system service times out and exits.

static_dir="/var/lib/containers/storage/libpod"

Directory for persistent libpod files (database, etc). By default this will be configured relative to where containers/storage stores containers.

stop_timeout=10

Number of seconds to wait for a container to exit before sending the kill signal.

exit_command_delay=300

Number of seconds to wait for the API process for the exec call before sending the exit command, mimicking the Docker behavior of 5 minutes (in seconds).

tmp_dir="/run/libpod"

The path to a temporary directory to store per-boot container. Must be a tmpfs (wiped after reboot).

volume_path="/var/lib/containers/storage/volumes"

Directory where named volumes will be created using the default volume driver. By default this will be configured relative to where containers/storage stores containers. This convention is followed by the default volume driver, but may not be by other drivers.

chown_copied_files=true

Determines whether files copied into a container will have their ownership changed to the primary uid/gid of the container.

compression_format=""

Specifies the compression format to use when pushing an image. Supported values are: gzip, zstd and zstd:chunked.

The service_destinations table contains configuration options used to set up remote connections to the podman service for the podman API.

[service_destinations.{name}]

uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"

URI to access the Podman service.

Example URIs:

• rootless local - unix://run/user/1000/podman/podman.sock

• rootless remote - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock

• rootful local - unix://run/podman/podman.sock

• rootful remote - ssh://root@10.10.1.136:22/run/podman/podman.sock

identity="~/.ssh/id_rsa"

Path to file containing the ssh identity key.

[engine.volume_plugins]

A table of all the enabled volume plugins on the system. Volume plugins can be used as the backend for Podman named volumes. Individual plugins are specified below, as a map of the plugin name (what the plugin will be called) to its path (filepath of the plugin's unix socket).

[engine.platform_to_oci_runtime]

Allows end users to switch the OCI runtime on the basis of the container image's platform string. The following config field contains a map of platform/string = oci_runtime.

The secret table contains settings for the configuration of the secret subsystem.

driver=file

Name of the secret driver to be used. Currently valid values are:
* file
* pass

[secrets.opts]

The driver specific options object.

The machine table contains configurations for podman machine VMs.

cpus=1

Number of CPUs a machine is created with.

disk_size=10

The size of the disk in GB created when init-ing a podman-machine VM.

image=""

Default image URI when creating a new VM using podman machine init. Options: On Linux/Mac, testing, stable, next. On Windows, the major version of the OS (e.g. 36) for Fedora 36. For all platforms you can alternatively specify a custom download URL to an image. Container engines translate the URI variables $OS and $ARCH to the native OS and ARCH. URI "https://example.com/$OS/$ARCH/foobar.ami" would become "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. The default value is testing on Linux/Mac, and on Windows.

memory=2048

Memory in MB a machine is created with.

user=""

Username to use and create on the podman machine OS for rootless container access. The default value is user. On Linux/Mac the default is core.

volumes=["$HOME:$HOME"]

Host directories to be mounted as volumes into the VM by default. Environment variables like $HOME as well as complete paths are supported for the source and destination. An optional third field :ro can be used to tell the container engines to mount the volume read-only.

On Mac, the default volumes are:

[ "/Users:/Users", "/private:/private", "/var/folders:/var/folders" ]

provider=""

Virtualization provider to be used for running a podman-machine VM. An empty value is interpreted as the default provider for the current host OS. On Linux/Mac the default is QEMU and on Windows it is WSL.

containers.conf

Distributions often provide a /usr/share/containers/containers.conf file to provide a default configuration. Administrators can override fields in this file by creating /etc/containers/containers.conf to specify their own configuration. They may also drop .conf files in /etc/containers/containers.conf.d which will be loaded in alphanumeric order. Rootless users can further override fields in the config by creating a config file stored in the $HOME/.config/containers/containers.conf file or .conf files in $HOME/.config/containers/containers.conf.d.

If the CONTAINERS_CONF environment variable is set, all system and user config files are ignored and only the specified config file will be loaded.

If the CONTAINERS_CONF_OVERRIDE path environment variable is set, the config file will be loaded last even when CONTAINERS_CONF is set.

The values of both environment variables may be absolute or relative paths, for instance, CONTAINERS_CONF=/tmp/my_containers.conf.

Fields specified in a containers.conf file override the default options, as well as options in previously loaded containers.conf files.
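Because the last file to set a key wins, the security-relevant question for any host is "which files are read, in what order" before it is "what does each file say". The Python below is an added example, not Podman's own loader: it models the search order described above and in the DESCRIPTION section (system files, drop-ins in sorted order, the rootless user files, CONTAINERS_CONF replacing all of them, CONTAINERS_CONF_OVERRIDE loaded last) and merges the files with a deliberately minimal TOML subset parser. The demo builds a constructed file tree under a temporary directory; its file names and option values are sample data, and the `root` argument is only there so the demo does not touch the real system paths.

```python
import glob
import os
import tempfile

SYSTEM_CONF_FILES = (
    "usr/share/containers/containers.conf",
    "etc/containers/containers.conf",
)


def dropins(directory):
    """*.conf files of a .d directory in alphanumeric order, as the man page describes."""
    return sorted(glob.glob(os.path.join(directory, "*.conf")))


def config_search_order(root, home, rootless, env):
    """Files an engine would read, in the order they apply.

    `root` prefixes the system paths ("/" on a real host); `env` stands in
    for the process environment.
    """
    if "CONTAINERS_CONF" in env:
        files = [env["CONTAINERS_CONF"]]  # all system and user files are ignored
    else:
        files = [os.path.join(root, rel) for rel in SYSTEM_CONF_FILES]
        files += dropins(os.path.join(root, "etc/containers/containers.conf.d"))
        if rootless:
            user_dir = os.path.join(home, ".config/containers")
            files.append(os.path.join(user_dir, "containers.conf"))
            files += dropins(os.path.join(user_dir, "containers.conf.d"))
    if "CONTAINERS_CONF_OVERRIDE" in env:
        files.append(env["CONTAINERS_CONF_OVERRIDE"])  # always loaded last
    return [f for f in files if os.path.isfile(f)]


def parse_value(text):
    """Decode a TOML scalar or single-line array (strings, integers, booleans only)."""
    if text in ("true", "false"):
        return text == "true"
    if text.startswith("[") and text.endswith("]"):
        return [parse_value(item.strip()) for item in text[1:-1].split(",") if item.strip()]
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return int(text)


def parse_toml_subset(text):
    """Parse the [table] / key = value subset used by containers.conf.

    Minimal on purpose: no inline tables, multi-line arrays or '#' inside strings.
    """
    config, table = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            table = line[1:-1].strip()
            config.setdefault(table, {})
            continue
        key, _, value = line.partition("=")
        config.setdefault(table, {})[key.strip()] = parse_value(value.strip())
    return config


def load_effective_config(files):
    """Merge files in order; a key set in a later file overrides the earlier one."""
    effective = {}
    for path in files:
        with open(path, encoding="utf-8") as fh:
            for table, options in parse_toml_subset(fh.read()).items():
                effective.setdefault(table, {}).update(options)
    return effective


def write_file(root, rel_path, content):
    path = os.path.join(root, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Constructed tree showing how drop-ins, user files and the env vars combine."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "usr/share/containers/containers.conf",
                   '[containers]\ndefault_capabilities = ["CHOWN", "SETUID"]\n'
                   'read_only = false\n[engine]\nruntime = "crun"\n')
        write_file(root, "etc/containers/containers.conf.d/10-hardening.conf",
                   '[containers]\nread_only = true\n')
        write_file(root, "etc/containers/containers.conf.d/20-site.conf",
                   '[containers]\ndefault_capabilities = ["CHOWN"]\n')
        write_file(root, "home/alice/.config/containers/containers.conf",
                   '[engine]\nruntime = "runc"\n')
        write_file(root, "override.conf", '[containers]\nread_only = false\n')
        home = os.path.join(root, "home/alice")
        order = config_search_order(root, home, rootless=True, env={})
        pinned_env = {
            "CONTAINERS_CONF": os.path.join(root, "usr/share/containers/containers.conf"),
            "CONTAINERS_CONF_OVERRIDE": os.path.join(root, "override.conf"),
        }
        return {
            "order": [os.path.relpath(p, root) for p in order],
            "rootless": load_effective_config(order),
            "pinned": load_effective_config(config_search_order(root, home, True, pinned_env)),
        }


if __name__ == "__main__":
    print(demo())
```

The rootless result shows the hardening drop-in's read_only = true surviving, the later 20-site.conf narrowing default_capabilities, and the user's own file switching the runtime, while the pinned run shows CONTAINERS_CONF discarding every drop-in and user file and CONTAINERS_CONF_OVERRIDE still winning on top of it. For a real audit, point config_search_order at "/" and the user's home and feed the resulting list to load_effective_config (or to a full TOML parser once the file uses inline tables such as default_subnet_pools).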

storage.conf

The /etc/containers/storage.conf file is the default storage configuration file. Rootless users can override fields in the storage config by creating $HOME/.config/containers/storage.conf.

If the CONTAINERS_STORAGE_CONF path environment variable is set, this path is used for the storage.conf file rather than the default. This is primarily used for testing.

containers-storage.conf(5), containers-policy.json(5), containers-registries.conf(5), tmpfiles.d(5)
