podman(1)                    General Commands Manual                    podman(1)

NAME
       podman - Simple management tool for pods, containers and images

SYNOPSIS
       podman [options] command

DESCRIPTION
       Podman (Pod Manager) is a fully featured container engine that is a
       simple daemonless tool. Podman provides a Docker-CLI comparable
       command line that eases the transition from other container engines
       and allows the management of pods, containers and images. Simply put:
       alias docker=podman. Most Podman commands can be run as a regular
       user, without requiring additional privileges.

       Podman uses Buildah(1) internally to create container images. Both
       tools share image (not container) storage, hence each can use or
       manipulate images (but not containers) created by the other.

       Default settings for flags are defined in containers.conf. Most
       settings for Remote connections use the server's containers.conf,
       except when documented in man pages.

       podman [GLOBAL OPTIONS]

GLOBAL OPTIONS
   --cgroup-manager=manager
       The CGroup manager to use for container cgroups. Supported values are
       cgroupfs or systemd. Default is systemd unless overridden in the
       containers.conf file.

       Note: Setting this flag can cause certain commands to break when
       called on containers previously created by the other CGroup manager
       type.
       Note: CGroup manager is not supported in rootless mode when using
       CGroups Version V1.

   --conmon
       Path of the conmon binary (Default path is configured in
       containers.conf)

   --connection, -c
       Connection to use for remote podman, including Mac and Windows
       (excluding WSL2) machines (Default connection is configured in
       containers.conf). Setting this option switches the --remote option to
       true. Remote connections use local containers.conf for default.

   --events-backend=type
       Backend to use for storing events. Allowed values are file, journald,
       and none. When file is specified, the events are stored under
       <tmpdir>/events/events.log (see --tmpdir below).

   --help, -h
       Print usage statement

   --hooks-dir=path
       Each *.json file in the path configures a hook for Podman containers.
       For more details on the syntax of the JSON files and the semantics of
       hook injection, see oci-hooks(5). Podman and libpod currently support
       both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is
       deprecated.

       This option may be set multiple times; paths from later options have
       higher precedence (oci-hooks(5) discusses directory precedence).

       For the annotation conditions, libpod uses any annotations set in the
       generated OCI configuration.

       For the bind-mount conditions, only mounts explicitly requested by the
       caller via --volume are considered. Bind mounts that libpod inserts
       by default (e.g. /dev/shm) are not considered.

       If --hooks-dir is unset for root callers, Podman and libpod currently
       default to /usr/share/containers/oci/hooks.d and
       /etc/containers/oci/hooks.d in order of increasing precedence. Using
       these defaults is deprecated. Migrate to explicitly setting
       --hooks-dir.

       Podman and libpod currently support an additional precreate state
       which is called before the runtime's create operation. Unlike the
       other stages, which receive the container state on their standard
       input, precreate hooks receive the proposed runtime configuration on
       their standard input. They may alter that configuration as they see
       fit, and write the altered form to their standard output.

       WARNING: the precreate hook allows powerful changes to occur, such as
       adding additional mounts to the runtime configuration. That power
       also makes it easy to break things. Before reporting libpod errors,
       try running a container with precreate hooks disabled to see if the
       problem is due to one of the hooks.
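       As an added illustration of the precreate contract just described
       (this is not code from podman or libpod): a hook that reads the
       proposed OCI runtime configuration from standard input, forces bind
       mounts whose host source lies under a few sensitive paths to
       read-only, records what it changed in an annotation, and writes the
       result to standard output. The sensitive-path list, the annotation
       key and the install path in the registration comment are this
       example's own assumptions; the mount and annotation field names are
       those of the OCI runtime configuration.

```python
#!/usr/bin/env python3
"""precreate hook: audit and constrain the proposed OCI runtime config.

Added example, not part of podman or libpod.  Contract from podman(1):
the proposed configuration arrives on stdin, the altered form goes to
stdout.  Registered through a *.json file in --hooks-dir, for example
(1.0.0 schema, see oci-hooks(5); the path is a placeholder):
  {"version": "1.0.0",
   "hook": {"path": "/usr/local/bin/precreate-audit.py"},
   "when": {"always": true},
   "stages": ["precreate"]}
"""
import json
import sys

# Host paths this policy never lets a container write to.  Constructed for
# the example; a real deployment chooses its own list.
SENSITIVE_PREFIXES = ("/etc", "/run/podman", "/var/lib/containers")
# Hypothetical annotation key used to record what the hook changed.
AUDIT_KEY = "org.example.precreate-audit"


def _is_under(path, prefix):
    """True if path is prefix itself or lies below it (no substring match,
    so /etcetera does not count as being under /etc)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def harden_config(cfg):
    """Force bind mounts sourced under a sensitive prefix to read-only and
    note the altered destinations in an annotation.

    cfg is the OCI config as a dict and is modified in place; the list of
    altered mount destinations is returned."""
    changed = []
    for mount in cfg.get("mounts", []):
        if mount.get("type") != "bind":
            continue
        src = mount.get("source", "")
        if not any(_is_under(src, p) for p in SENSITIVE_PREFIXES):
            continue
        opts = [o for o in mount.get("options", []) if o != "rw"]
        if "ro" not in opts:
            opts.append("ro")
        mount["options"] = opts
        changed.append(mount.get("destination", src))
    if changed:
        cfg.setdefault("annotations", {})[AUDIT_KEY] = ",".join(sorted(changed))
    return changed


def main():
    """Hook entry point: stdin -> policy -> stdout."""
    cfg = json.load(sys.stdin)
    harden_config(cfg)
    json.dump(cfg, sys.stdout)


if __name__ == "__main__":
    main()
```

       The hook runs with the power the WARNING above describes, so the
       policy is deliberately narrow (it only tightens mount options, never
       adds mounts) and leaves an annotation that podman inspect can show
       when a container behaves unexpectedly.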
110
111
112 --identity=path
113 Path to ssh identity file. If the identity file has been encrypted,
114 podman prompts the user for the passphrase. If no identity file is
115 provided and no user is given, podman defaults to the user running the
116 podman command. Podman prompts for the login password on the remote
117 server.
118
119
120 Identity value resolution precedence:
121 - command line value
122 - environment variable CONTAINER_SSHKEY, if CONTAINER_HOST is found
123 - containers.conf Remote connections use local containers.conf for de‐
124 fault.
125
126
127 --imagestore=path
128 Path of the imagestore where images are stored. By default, the stor‐
129 age library stores all the images in the graphroot but if an imagestore
130 is provided, then the storage library will store newly pulled images in
131 the provided imagestore and keep using the graphroot for everything
132 else. If the user is using the overlay driver, then the images which
133 were already part of the graphroot will still be accessible.
134
135
136 This will override imagestore option in containers-storage.conf(5), re‐
137 fer to containers-storage.conf(5) for more details.
138
139
140 --log-level=level
141 Log messages at and above specified level: debug, info, warn, error,
142 fatal or panic (default: warn)
143
144
145 --module=path
146 Load the specified containers.conf(5) module. Can be an absolute or
147 relative path. Please refer to containers.conf(5) for details.
148
149
150 This flag is not supported on the remote client, including Mac and Win‐
151 dows (excluding WSL2) machines. Further note that the flag is a root-
152 level flag and must be specified before any Podman sub-command.
153
154
155 --network-cmd-path=path
156 Path to the slirp4netns(1) command binary to use for setting up a
157 slirp4netns network. If "" is used, then the binary will first be
158 searched using the helper_binaries_dir option in containers.conf, and
159 second using the $PATH environment variable. Note: This option is dep‐
160 recated and will be removed with Podman 5.0. Use the helper_bina‐
161 ries_dir option in containers.conf instead.
162
163
164 --network-config-dir=directory
165 Path to the directory where network configuration files are located.
166 For the netavark backend "/etc/containers/networks" is used as root and
167 "$graphroot/networks" as rootless. For the CNI backend the default is
168 "/etc/cni/net.d" as root and "$HOME/.config/cni/net.d" as rootless.
169 CNI is deprecated and will be removed in the next major Podman version
170 5.0 in preference of Netavark.
171
172
173 --out=path
174 Redirect the output of podman to the specified path without affecting
175 the container output or its logs. This parameter can be used to capture
176 the output from any of podman's commands directly into a file and en‐
177 able suppression of podman's output by specifying /dev/null as the
178 path. To explicitly disable the container logging, the --log-driver op‐
179 tion should be used.
180
181
182 --remote, -r
183 When true, access to the Podman service is remote. Defaults to false.
184 Settings can be modified in the containers.conf file. If the CON‐
185 TAINER_HOST environment variable is set, the --remote option defaults
186 to true.
187
188
189 --root=value
190 Storage root dir in which data, including images, is stored (default:
191 "/var/lib/containers/storage" for UID 0, "$HOME/.local/share/contain‐
192 ers/storage" for other users). Default root dir configured in contain‐
193 ers-storage.conf(5).
194
195
196 Overriding this option causes the storage-opt settings in containers-
197 storage.conf(5) to be ignored. The user must specify additional op‐
198 tions via the --storage-opt flag.
199
200
201 --runroot=value
202 Storage state directory where all state information is stored (default:
203 "/run/containers/storage" for UID 0, "/run/user/$UID/run" for other
204 users). Default state dir configured in containers-storage.conf(5).
205
206
207 --runtime=value
208 Name of the OCI runtime as specified in containers.conf or absolute
209 path to the OCI compatible binary used to run containers.
210
211
212 --runtime-flag=flag
213 Adds global flags for the container runtime. To list the supported
214 flags, please consult the manpages of the selected container runtime
215 (runc is the default runtime, the manpage to consult is runc(8). When
216 the machine is configured for cgroup V2, the default runtime is crun,
217 the manpage to consult is crun(8).).
218
219
220 Note: Do not pass the leading -- to the flag. To pass the runc flag
221 --log-format json to podman build, the option given can be --runtime-
222 flag log-format=json.
223
224
225 --ssh=value
226 This option allows the user to change the ssh mode, meaning that rather
227 than using the default golang mode, one can instead use --ssh=native to
228 use the installed ssh binary and config file declared in contain‐
229 ers.conf.
230
231
232 --storage-driver=value
233 Storage driver. The default storage driver for UID 0 is configured in
234 containers-storage.conf(5) in rootless mode), and is vfs for non-root
235 users when fuse-overlayfs is not available. The STORAGE_DRIVER envi‐
236 ronment variable overrides the default. The --storage-driver specified
237 driver overrides all.
238
239
240 Overriding this option causes the storage-opt settings in containers-
241 storage.conf(5) to be ignored. The user must specify additional op‐
242 tions via the --storage-opt flag.
243
244
245 --storage-opt=value
246 Specify a storage driver option. Default storage driver options are
247 configured in containers-storage.conf(5). The STORAGE_OPTS environment
248 variable overrides the default. The --storage-opt specified options
249 override all. Specify --storage-opt="" so no storage options is used.
250
251
252 --syslog
253 Output logging information to syslog as well as the console (default
254 false).
255
256
257 On remote clients, including Mac and Windows (excluding WSL2) machines,
258 logging is directed to the file $HOME/.config/containers/podman.log.
259
260
261 --tmpdir=path
262 Path to the tmp directory, for libpod runtime content. Defaults to
263 $XDG_RUNTIME_DIR/libpod/tmp as rootless and /run/libpod/tmp as rootful.
264
265
266 NOTE --tmpdir is not used for the temporary storage of downloaded im‐
267 ages. Use the environment variable TMPDIR to change the temporary
268 storage location of downloaded container images. Podman defaults to use
269 /var/tmp.
270
271
272 --transient-store
273 Enables a global transient storage mode where all container metadata is
274 stored on non-persistent media (i.e. in the location specified by
275 --runroot). This mode allows starting containers faster, as well as
276 guaranteeing a fresh state on boot in case of unclean shutdowns or
277 other problems. However it is not compatible with a traditional model
278 where containers persist across reboots.
279
280
281 Default value for this is configured in containers-storage.conf(5).
282
283
284 --url=value
285 URL to access Podman service (default from containers.conf, rootless
286 unix:///run/user/$UID/podman/podman.sock or as root unix:///run/pod‐
287 man/podman.sock). Setting this option switches the --remote option to
288 true.
289
290
291 • CONTAINER_HOST is of the format <schema>://[<user[:<pass‐
292 word>]@]<host>[:<port>][<path>]
293
294
295
296 Details:
297 - schema is one of:
298 * ssh (default): a local unix(7) socket on the named host and port,
299 reachable via SSH
300 * tcp: an unencrypted, unauthenticated TCP connection to the named
301 host and port
302 * unix: a local unix(7) socket at the specified path, or the default
303 for the user
304 - user defaults to either root or the current running user (ssh only)
305 - password has no default (ssh only)
306 - host must be provided and is either the IP or name of the machine
307 hosting the Podman service (ssh and tcp)
308 - port defaults to 22 (ssh and tcp)
309 - path defaults to either /run/podman/podman.sock, or
310 /run/user/$UID/podman/podman.sock if running rootless (unix), or must
311 be explicitly specified (ssh)
312
313
314 URL value resolution precedence:
315 - command line value
316 - environment variable CONTAINER_HOST
317 - engine.service_destinations table in containers.conf, excluding the
318 /usr/share/containers directory
319 - unix:///run/podman/podman.sock
320
321
322 Remote connections use local containers.conf for default.
323
324
325 Some example URL values in valid formats:
326 - unix:///run/podman/podman.sock
327 - unix:///run/user/$UID/podman/podman.sock
328 - ssh://notroot@localhost:22/run/user/$UID/podman/podman.sock
329 - ssh://root@localhost:22/run/podman/podman.sock
330 - tcp://localhost:34451
331 - tcp://127.0.0.1:34451
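       The URL grammar, the per-schema defaults and the two resolution
       precedence lists (identity under --identity, URL under --url) as an
       added Python example; this is not podman's own code. The
       engine.service_destinations table from containers.conf is modelled
       as a plain dict argument, which is an assumption about its shape,
       and the user names, uid and key paths in the demo are constructed.
       The parser also marks tcp URLs explicitly, since the page notes that
       schema is unencrypted and unauthenticated.

```python
"""Resolve the Podman service URL and ssh identity as podman(1) describes.

Added example, not podman's own code.  containers.conf's
engine.service_destinations is modelled as {name: {"uri": ..,
"identity": ..}} plus the name of the active entry (an assumption).
"""
from urllib.parse import urlsplit

ROOT_SOCK = "/run/podman/podman.sock"


def default_socket(uid):
    """/run/podman/podman.sock for root, the per-user socket otherwise."""
    return ROOT_SOCK if uid == 0 else f"/run/user/{uid}/podman/podman.sock"


def resolve_container_host(url, current_user="root", uid=0):
    """Parse <schema>://[<user[:<password>]@]<host>[:<port>][<path>] and
    apply the per-schema defaults.  Raises ValueError when a required
    component is missing."""
    parts = urlsplit(url)
    schema = parts.scheme
    if schema not in ("ssh", "tcp", "unix"):
        raise ValueError(f"unsupported schema {schema!r}")

    if schema == "unix":
        # unix: the path defaults to the root or rootless socket.
        return {"schema": "unix", "path": parts.path or default_socket(uid),
                "transport_security": "local socket"}

    if not parts.hostname:
        raise ValueError("host must be provided for ssh and tcp")
    conn = {"schema": schema, "host": parts.hostname,
            "port": parts.port or 22}  # port defaults to 22 (ssh and tcp)

    if schema == "tcp":
        # tcp is unencrypted and unauthenticated: anyone who can reach the
        # port controls the Podman service, so flag it rather than hide it.
        conn["transport_security"] = "none"
        return conn

    # ssh: user defaults to the caller, password has no default, and the
    # remote socket path must be given explicitly.
    if not parts.path:
        raise ValueError("ssh URLs must specify the remote socket path")
    conn.update(user=parts.username or current_user, password=parts.password,
                path=parts.path, transport_security="ssh")
    return conn


def _active_destination(service_destinations, active_service):
    return (service_destinations or {}).get(active_service or "", {})


def resolve_url(cli_value=None, env=None, service_destinations=None,
                active_service=None):
    """URL precedence: command line, CONTAINER_HOST, the active
    service_destinations entry in containers.conf, then the root socket."""
    env = env or {}
    if cli_value:
        return cli_value
    if env.get("CONTAINER_HOST"):
        return env["CONTAINER_HOST"]
    uri = _active_destination(service_destinations, active_service).get("uri")
    return uri or "unix://" + ROOT_SOCK


def resolve_identity(cli_value=None, env=None, service_destinations=None,
                     active_service=None):
    """Identity precedence: command line, CONTAINER_SSHKEY (only when
    CONTAINER_HOST is also set), then containers.conf."""
    env = env or {}
    if cli_value:
        return cli_value
    if env.get("CONTAINER_HOST") and env.get("CONTAINER_SSHKEY"):
        return env["CONTAINER_SSHKEY"]
    return _active_destination(service_destinations, active_service).get("identity")


if __name__ == "__main__":
    # Constructed environment for the demo: a tcp URL wins over containers.conf.
    env = {"CONTAINER_HOST": "tcp://localhost:34451",
           "CONTAINER_SSHKEY": "/home/alice/.ssh/id_ed25519"}
    url = resolve_url(env=env)
    print(url, resolve_container_host(url, current_user="alice", uid=1000))
    print("identity:", resolve_identity(env=env))
```

       Note that CONTAINER_SSHKEY is only honoured when CONTAINER_HOST is
       also present, exactly as the --identity precedence list states; an
       identity set in the environment without a host falls through to
       containers.conf.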

   --version, -v
       Print the version

   --volumepath=value
       Volume directory where builtin volume information is stored (default:
       "/var/lib/containers/storage/volumes" for UID 0,
       "$HOME/.local/share/containers/storage/volumes" for other users).
       Default volume path can be overridden in containers.conf.

ENVIRONMENT VARIABLES
       Podman can set up environment variables from the env of the [engine]
       table in containers.conf. These variables can be overridden by
       passing environment variables before the podman commands.

   CONTAINERS_CONF
       Set default locations of containers.conf file

   CONTAINERS_REGISTRIES_CONF
       Set default location of the registries.conf file.

   CONTAINERS_STORAGE_CONF
       Set default location of the storage.conf file.

   CONTAINER_CONNECTION
       Override default --connection value to access Podman service. Also
       enables the --remote option.

   CONTAINER_HOST
       Set default --url value to access Podman service. Also enables the
       --remote option.

   CONTAINER_SSHKEY
       Set default --identity path to ssh key file value used to access
       Podman service.

   STORAGE_DRIVER
       Set default --storage-driver value.

   STORAGE_OPTS
       Set default --storage-opt value.

   TMPDIR
       Set the temporary storage location of downloaded container images.
       Podman defaults to use /var/tmp.

   XDG_CONFIG_HOME
       In Rootless mode configuration files are read from XDG_CONFIG_HOME
       when specified, otherwise in the home directory of the user under
       $HOME/.config/containers.

   XDG_DATA_HOME
       In Rootless mode images are pulled under XDG_DATA_HOME when
       specified, otherwise in the home directory of the user under
       $HOME/.local/share/containers/storage.

   XDG_RUNTIME_DIR
       In Rootless mode temporary configuration data is stored in
       ${XDG_RUNTIME_DIR}/containers.

REMOTE ACCESS
       The Podman command can be used with remote services using the
       --remote flag. Connections can be made using local unix domain
       sockets, ssh or directly to tcp sockets. When specifying the podman
       --remote flag, only the global options --url, --identity,
       --log-level, --connection are used.

       Connection information can also be managed using the containers.conf
       file.

EXIT CODES
       The exit code from podman gives information about why the container
       failed to run or why it exited. When podman commands exit with a
       non-zero code, the exit codes follow the chroot standard, see below:

       125 The error is with podman itself

              $ podman run --foo busybox; echo $?
              Error: unknown flag: --foo
              125

       126 Executing a container command and the command cannot be invoked

              $ podman run busybox /etc; echo $?
              Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
              126

       127 Executing a container command and the command cannot be found

              $ podman run busybox foo; echo $?
              Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
              127

       Otherwise, podman returns the exit code of the container command

              $ podman run busybox /bin/sh -c 'exit 3'; echo $?
              3

COMMANDS
       Command                 Description

       podman-attach(1)        Attach to a running container.
       podman-auto-update(1)   Auto update containers according to their
                               auto-update policy
       podman-build(1)         Build a container image using a Containerfile.
       podman-farm(1)          Farm out builds to machines running podman for
                               different architectures
       podman-commit(1)        Create new image based on the changed container.
       podman-completion(1)    Generate shell completion scripts
       podman-compose(1)       Run Compose workloads via an external compose
                               provider.
       podman-container(1)     Manage containers.
       podman-cp(1)            Copy files/folders between a container and the
                               local filesystem.
       podman-create(1)        Create a new container.
       podman-diff(1)          Inspect changes on a container or image's
                               filesystem.
       podman-events(1)        Monitor Podman events
       podman-exec(1)          Execute a command in a running container.
       podman-export(1)        Export a container's filesystem contents as a
                               tar archive.
       podman-generate(1)      Generate structured data based on containers,
                               pods or volumes.
       podman-healthcheck(1)   Manage healthchecks for containers
       podman-history(1)       Show the history of an image.
       podman-image(1)         Manage images.
       podman-images(1)        List images in local storage.
       podman-import(1)        Import a tarball and save it as a filesystem
                               image.
       podman-info(1)          Display Podman related system information.
       podman-init(1)          Initialize one or more containers
       podman-inspect(1)       Display a container, image, volume, network, or
                               pod's configuration.
       podman-kill(1)          Kill the main process in one or more containers.
       podman-load(1)          Load image(s) from a tar archive into container
                               storage.
       podman-login(1)         Log in to a container registry.
       podman-logout(1)        Log out of a container registry.
       podman-logs(1)          Display the logs of one or more containers.
       podman-machine(1)       Manage Podman's virtual machine
       podman-manifest(1)      Create and manipulate manifest lists and image
                               indexes.
       podman-mount(1)         Mount a working container's root filesystem.
       podman-network(1)       Manage Podman networks.
       podman-pause(1)         Pause one or more containers.
       podman-kube(1)          Play containers, pods or volumes based on a
                               structured input file.
       podman-pod(1)           Management tool for groups of containers, called
                               pods.
       podman-port(1)          List port mappings for a container.
       podman-ps(1)            Print out information about containers.
       podman-pull(1)          Pull an image from a registry.
       podman-push(1)          Push an image, manifest list or image index from
                               local storage to elsewhere.
       podman-rename(1)        Rename an existing container.
       podman-restart(1)       Restart one or more containers.
       podman-rm(1)            Remove one or more containers.
       podman-rmi(1)           Remove one or more locally stored images.
       podman-run(1)           Run a command in a new container.
       podman-save(1)          Save image(s) to an archive.
       podman-search(1)        Search a registry for an image.
       podman-secret(1)        Manage podman secrets.
       podman-start(1)         Start one or more containers.
       podman-stats(1)         Display a live stream of one or more container's
                               resource usage statistics.
       podman-stop(1)          Stop one or more running containers.
       podman-system(1)        Manage podman.
       podman-tag(1)           Add an additional name to a local image.
       podman-top(1)           Display the running processes of a container.
       podman-unmount(1)       Unmount a working container's root filesystem.
       podman-unpause(1)       Unpause one or more containers.
       podman-unshare(1)       Run a command inside of a modified user
                               namespace.
       podman-untag(1)         Remove one or more names from a locally-stored
                               image.
       podman-update(1)        Update the cgroup configuration of a given
                               container.
       podman-version(1)       Display the Podman version information.
       podman-volume(1)        Simple management tool for volumes.
       podman-wait(1)          Wait on one or more containers to stop and print
                               their exit codes.

FILES
   containers.conf (/usr/share/containers/containers.conf,
   /etc/containers/containers.conf, $HOME/.config/containers/containers.conf)

       Podman has builtin defaults for command line options. These defaults
       can be overridden using the containers.conf configuration files.

       Distributions ship the /usr/share/containers/containers.conf file
       with their default settings. Administrators can override fields in
       this file by creating the /etc/containers/containers.conf file. Users
       can further modify defaults by creating the
       $HOME/.config/containers/containers.conf file. Podman merges its
       builtin defaults with the specified fields from these files, if they
       exist. Fields specified in the user's file override the
       administrator's file, which overrides the distribution's file, which
       overrides the built-in defaults.

       Podman uses builtin defaults if no containers.conf file is found.

       If the CONTAINERS_CONF environment variable is set, then its value is
       used for the containers.conf file rather than the default.

   mounts.conf (/usr/share/containers/mounts.conf)

       The mounts.conf file specifies volume mount directories that are
       automatically mounted inside containers when executing the podman
       run or podman start commands. Administrators can override the
       defaults file by creating /etc/containers/mounts.conf.

       When Podman runs in rootless mode, the file
       $HOME/.config/containers/mounts.conf overrides the default if it
       exists. For details, see containers-mounts.conf(5).

   policy.json (/etc/containers/policy.json)

       Signature verification policy files are used to specify policy, e.g.
       trusted keys, applicable when deciding whether to accept an image, or
       individual signatures of that image, as valid.

   registries.conf (/etc/containers/registries.conf,
   $HOME/.config/containers/registries.conf)

       registries.conf is the configuration file which specifies which
       container registries are consulted when completing image names which
       do not include a registry or domain portion.

       Non root users of Podman can create the
       $HOME/.config/containers/registries.conf file to be used instead of
       the system defaults.

       If the CONTAINERS_REGISTRIES_CONF environment variable is set, then
       its value is used for the registries.conf file rather than the
       default.

   storage.conf (/etc/containers/storage.conf,
   $HOME/.config/containers/storage.conf)

       storage.conf is the storage configuration file for all tools using
       containers/storage.

       The storage configuration file specifies all of the available
       container storage options for tools using shared container storage.

       When Podman runs in rootless mode, the file
       $HOME/.config/containers/storage.conf is used instead of the system
       defaults.

       If the CONTAINERS_STORAGE_CONF environment variable is set, then its
       value is used for the storage.conf file rather than the default.

ROOTLESS MODE
       Podman can also be used as a non-root user. When podman runs in
       rootless mode, a user namespace is automatically created for the
       user, defined in /etc/subuid and /etc/subgid.

       Containers created by a non-root user are not visible to other users
       and are not seen or managed by Podman running as root.

       It is required to have multiple UIDs/GIDs set for a user. Be sure the
       user is present in the files /etc/subuid and /etc/subgid.

       Execute the following commands to add the ranges to the files

              $ sudo usermod --add-subuids 10000-75535 USERNAME
              $ sudo usermod --add-subgids 10000-75535 USERNAME

       Or just add the content manually.

              $ echo USERNAME:10000:65536 >> /etc/subuid
              $ echo USERNAME:10000:65536 >> /etc/subgid

       See the subuid(5) and subgid(5) man pages for more information.
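       An added check for the /etc/subuid and /etc/subgid entries just
       described; it is not a podman tool. It parses the name:start:count
       lines, converts the inclusive FIRST-LAST form taken by usermod into
       the file form (which is how 10000-75535 and USERNAME:10000:65536
       above describe the same 65536 ids), totals the ids allotted to a
       user, and flags ranges that overlap between different users, since
       users sharing subordinate ids can reach each other's container
       files. The sample file contents and the 65536-id threshold are this
       example's constructions; point parse_subid at the real files to
       audit a host.

```python
"""Audit /etc/subuid and /etc/subgid style entries for rootless Podman.

Added example, not podman's own tooling.  The 65536-id minimum is this
example's threshold (the ranges shown in podman(1) are 65536 ids wide),
not a value podman enforces.
"""

MIN_IDS = 65536


def parse_subid(text):
    """Parse 'name:start:count' lines into (name, start, count) tuples,
    skipping blank lines and comments.  Raises ValueError on bad lines."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = fields[0], int(fields[1]), int(fields[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: start must be >= 0, count > 0")
        ranges.append((name, start, count))
    return ranges


def usermod_range_to_entry(user, first_last):
    """Convert the inclusive FIRST-LAST argument of usermod --add-subuids
    into the name:start:count line that ends up in /etc/subuid."""
    first, last = (int(x) for x in first_last.split("-"))
    if last < first:
        raise ValueError("range end precedes start")
    return f"{user}:{first}:{last - first + 1}"


def ids_for_user(ranges, user):
    """Total subordinate ids allotted to user across all of their lines."""
    return sum(count for name, _start, count in ranges if name == user)


def overlapping_ranges(ranges):
    """Pairs of user names whose ranges intersect.  Overlap between
    different users means both can own the same host ids, so files one
    user's container writes are reachable from the other's."""
    overlaps = []
    for i, (a_name, a_start, a_count) in enumerate(ranges):
        a_end = a_start + a_count - 1
        for b_name, b_start, b_count in ranges[i + 1:]:
            if a_name == b_name:
                continue
            b_end = b_start + b_count - 1
            if a_start <= b_end and b_start <= a_end:
                overlaps.append((a_name, b_name))
    return overlaps


def check_user(text, user, minimum=MIN_IDS):
    """Report for one user: ids allotted, whether that meets the minimum,
    and any overlaps involving that user."""
    ranges = parse_subid(text)
    ids = ids_for_user(ranges, user)
    return {"user": user, "ids": ids, "sufficient": ids >= minimum,
            "overlaps": [p for p in overlapping_ranges(ranges) if user in p]}


if __name__ == "__main__":
    # Constructed /etc/subuid content; the real file lives at /etc/subuid.
    sample = "alice:10000:65536\nbob:75536:65536\n# comment\ncarol:200000:65536\n"
    print(usermod_range_to_entry("USERNAME", "10000-75535"))
    print(check_user(sample, "alice"))
```

       Run the same functions over /etc/subgid as well; the two files are
       independent and both must list the user, as the text above notes.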

       Images are pulled under XDG_DATA_HOME when specified, otherwise in
       the home directory of the user under .local/share/containers/storage.

       Currently slirp4netns or pasta is required to be installed to create
       a network device, otherwise rootless containers need to run in the
       network namespace of the host.

       In certain environments like HPC (High Performance Computing), users
       cannot take advantage of the additional UIDs and GIDs from the
       /etc/subuid and /etc/subgid systems. However, in this environment,
       rootless Podman can operate with a single UID. To make this work, set
       the ignore_chown_errors option in the containers-storage.conf(5)
       file. This option tells Podman when pulling an image to ignore chown
       errors when attempting to change a file in a container image to
       match the non-root UID in the image. This means all files get saved
       as the user's UID. Note this can cause issues when running the
       container.

       NOTE: Unsupported file systems in rootless mode
       The Overlay file system (OverlayFS) is not supported with kernels
       prior to 5.12.9 in rootless mode. The fuse-overlayfs package is a
       tool that provides the functionality of OverlayFS in a user namespace
       and allows mounting file systems in rootless environments. It is
       recommended to install the fuse-overlayfs package. In rootless mode,
       Podman automatically uses the fuse-overlayfs program as the
       mount_program if installed, as long as the
       $HOME/.config/containers/storage.conf file was not previously
       created. If storage.conf exists in the homedir, add
       mount_program = "/usr/bin/fuse-overlayfs" under
       [storage.options.overlay] to enable this feature.

       The Network File System (NFS) and other distributed file systems (for
       example: Lustre, Spectrum Scale, the General Parallel File System
       (GPFS)) are not supported when running in rootless mode as these file
       systems do not understand user namespaces. However, rootless Podman
       can make use of an NFS Homedir by modifying the
       $HOME/.config/containers/storage.conf to have the graphroot option
       point to a directory stored on local (Non NFS) storage.

       For more information, see the Podman Troubleshooting Page.

SEE ALSO
       containers-mounts.conf(5), containers.conf(5),
       containers-registries.conf(5), containers-storage.conf(5), buildah(1),
       oci-hooks(5), containers-policy.json(5), crun(1), runc(8), subuid(5),
       subgid(5), slirp4netns(1), pasta(1), conmon(8)

HISTORY
       Dec 2016, Originally compiled by Dan Walsh dwalsh@redhat.com