containers.conf(5)        configuration        containers.conf(5)

containers.conf - The container engine configuration file specifies default configuration options and command-line flags for container engines.

Container engines like Podman & Buildah read the containers.conf file, if it exists, and modify the defaults for running containers on the host. containers.conf uses a TOML format that can be easily modified and versioned.

Container engines read the /usr/share/containers/containers.conf, /etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files if they exist. When running in rootless mode, they also read $HOME/.config/containers/containers.conf and $HOME/.config/containers/containers.conf.d/*.conf files.

Fields specified in containers.conf override the default options, as well as options in previously read containers.conf files.

Config files in the .d directories are added in alphanumeric sorted order and must end in .conf.

Not all options are supported in all container engines.

Note, container engines also use other configuration files for configuring the environment.

• storage.conf for configuration of container and image storage.

• registries.conf for definition of container registries to search while pulling container images.

• policy.conf for controlling which images can be pulled to the system.

The TOML format ⟨https://github.com/toml-lang/toml⟩ is used as the encoding of the configuration file. Every option is nested under its table. No bare options are used. The format of TOML can be simplified to:

[table1]
option = value

[table2]
option = value

[table3]
option = value

[table3.subtable1]
option = value

The containers table contains settings to configure and manage the OCI runtime.

annotations = []

List of annotations. Specified as "key=value" pairs to be added to all containers.

Example: "run.oci.keep_original_groups=1"

apparmor_profile="container-default"

Used to change the name of the default AppArmor profile of container engines. The default profile name is "container-default".

base_hosts_file=""

The hosts entries from the base hosts file are added to the container's hosts file. This must be either an absolute path or one of the special values "image", which uses the hosts file from the container image, or "none", which means no base hosts file is used. The default is "", which will use /etc/hosts.

cgroup_conf=[]

List of cgroup_conf entries specifying a list of cgroup files to write to and their values. For example memory.high=1073741824 sets the memory.high limit to 1GB.

cgroups="enabled"

Determines whether the container will create CGroups. Options are:

enabled    Enable cgroup support within container.
disabled   Disable cgroup support, will inherit cgroups from parent.
no-conmon  Do not create a cgroup dedicated to conmon.

cgroupns="private"

Default way to create a cgroup namespace for the container. Options are:

private    Create private Cgroup Namespace for the container.
host       Share host Cgroup Namespace with the container.

default_capabilities=[]

List of default capabilities for containers.

The default list is:

default_capabilities = [
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
  "SYS_CHROOT",
]

Note, by default container engines using containers.conf run with fewer capabilities than Docker. Docker additionally runs with "AUDIT_WRITE", "MKNOD" and "NET_RAW". If you need to add one of these capabilities for a particular container, you can use the --cap-add option or edit your system's containers.conf.
default_sysctls=[]

A list of sysctls to be set in containers by default, specified as "name=value".

Example: "net.ipv4.ping_group_range=0 1000".

default_ulimits=[]

A list of ulimits to be set in containers by default, specified as "name=soft-limit:hard-limit".

Example: "nofile=1024:2048".

devices=[]

List of devices. Specified as 'device-on-host:device-on-container:permissions'.

Example: "/dev/sdc:/dev/xvdc:rwm".

dns_options=[]

List of default DNS options to be added to /etc/resolv.conf inside of the container.

dns_searches=[]

List of default DNS search domains to be added to /etc/resolv.conf inside of the container.

dns_servers=[]

A list of DNS servers to override the DNS configuration passed to the container. The special value "none" can be specified to disable creation of /etc/resolv.conf in the container.

env=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]

Environment variable list for the container process, used for passing environment variables to the container.

env_host=false

Pass all host environment variables into the container.

host_containers_internal_ip=""

Set the IP for the host.containers.internal entry in the container's /etc/hosts file. This can be set to "none" to disable adding this entry. By default it will automatically choose the host IP.

NOTE: When using podman machine this entry will never be added to the container's hosts file; instead the gvproxy DNS resolver will resolve this hostname. Therefore it is not possible to disable the entry in this case.

http_proxy=true

Default proxy environment variables will be passed into the container. The environment variables passed in include: http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of these. The no_proxy option is needed when the host system uses a proxy but the container should not use the proxy. Proxy environment variables specified for the container in any other way will override the values passed from the host.

init=false

Run an init inside the container that forwards signals and reaps processes.

init_path="/usr/libexec/podman/catatonit"

Path to the container-init binary, which forwards signals and reaps processes within containers. Note that the container-init binary will only be used when --init for podman-create and podman-run is set.

ipcns="shareable"

Default way to create an IPC namespace for the container. Options are:

host       Share host IPC Namespace with the container.
none       Create shareable IPC Namespace for the container without a private /dev/shm.
private    Create private IPC Namespace for the container; other containers are not allowed to share it.
shareable  Create shareable IPC Namespace for the container.

keyring=true

Indicates whether the container engines create a kernel keyring for use within the container.

label=true

Indicates whether the container engine uses MAC (SELinux) container separation via labeling. This option is ignored on disabled systems.

label_users=false

label_users indicates whether to enforce confined users in containers on SELinux systems. This option causes containers to maintain the current user and role field of the calling process. By default SELinux containers run with the user system_u, and the role system_r.

log_driver=""

Logging driver for the container. Currently available options are k8s-file, journald, none and passthrough, with json-file aliased to k8s-file for scripting compatibility. The journald driver is used by default if the systemd journal is readable and writable. Otherwise, the k8s-file driver is used.

log_size_max=-1

Maximum size allowed for the container's log file. Negative numbers indicate that no size limit is imposed. If it is positive, it must be >= 8192 to match/exceed conmon's read buffer. The file is truncated and re-opened so the limit is never exceeded.

log_tag=""

Default format tag for container log messages. This is useful for creating a specific tag for container log messages. Container log messages default to using the truncated container ID as a tag.

mounts=[]

List of mounts. Specified as "type=TYPE,source=,destination=,"

Example: [ "type=bind,source=/var/lib/foobar,destination=/var/lib/foobar,ro", ]

netns="private"

Default way to create a NET namespace for the container. Options are:

private    Create private NET Namespace for the container.
host       Share host NET Namespace with the container.
none       Containers do not use the network.

no_hosts=false

Create /etc/hosts for the container. By default, container engines manage /etc/hosts, automatically adding the container's own IP address.

oom_score_adj=0

Tune the host's OOM preferences for containers (accepts values from -1000 to 1000).

pidns="private"

Default way to create a PID namespace for the container. Options are:

private    Create private PID Namespace for the container.
host       Share host PID Namespace with the container.

pids_limit=1024

Maximum number of processes allowed in a container. 0 indicates that no limit is imposed.

prepare_volume_on_create=false

Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If false, the container engine will not copy the content until the container is started. Setting it to true may have negative performance implications.

read_only=true|false

Run all containers with the root file system mounted read-only. Set to false by default.

seccomp_profile="/usr/share/containers/seccomp.json"

Path to the seccomp.json profile which is used as the default seccomp profile for the runtime.

shm_size="65536k"

Size of /dev/shm. The format is <number><unit>. number must be greater than 0. Unit is optional and can be: b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 65536k.

tz=""

Set timezone in container. Takes IANA timezones as well as local, which sets the timezone in the container to match the host machine. If not set, then containers will run with the time zone specified in the image.

Examples:
tz="local"
tz="America/New_York"

umask="0022"

Sets umask inside the container.

userns="host"

Default way to create a USER namespace for the container. Options are:

private    Create private USER Namespace for the container.
host       Share host USER Namespace with the container.

utsns="private"

Default way to create a UTS namespace for the container. Options are:

private    Create private UTS Namespace for the container.
host       Share host UTS Namespace with the container.

volumes=[]

List of volumes. Specified as "directory-on-host:directory-in-container:options".

Example: "/db:/var/lib/db:ro".

The network table contains settings pertaining to the management of CNI plugins.

network_backend=""

Network backend determines what network driver will be used to set up and tear down container networks. Valid values are "cni" and "netavark". The default value is empty, which means that it will automatically choose CNI or netavark. If there are already containers/images or CNI networks present it will choose CNI.

Before changing this value all containers must be stopped, otherwise it is likely that iptables rules and network interfaces might leak on the host. A reboot will fix this.

cni_plugin_dirs=[]

List of paths to directories where CNI plugin binaries are located.

The default list is:

cni_plugin_dirs = [
  "/usr/local/libexec/cni",
  "/usr/libexec/cni",
  "/usr/local/lib/cni",
  "/usr/lib/cni",
  "/opt/cni/bin",
]

netavark_plugin_dirs=[]

List of directories that will be searched for netavark plugins.

The default list is:

netavark_plugin_dirs = [
  "/usr/local/libexec/netavark",
  "/usr/libexec/netavark",
  "/usr/local/lib/netavark",
  "/usr/lib/netavark",
]

default_network="podman"

The network name of the default network to attach pods to.

default_subnet="10.88.0.0/16"

The subnet to use for the default network (named above in default_network). If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.

default_subnet_pools=[]

DefaultSubnetPools is a list of subnets and size which are used to allocate subnets automatically for podman network create. It will iterate through the list and will pick the first free subnet with the given size. This is only used for IPv4 subnets; IPv6 subnets are always assigned randomly.

The default list is (10.89.0.0-10.255.255.0/24):

default_subnet_pools = [
  {"base" = "10.89.0.0/16", "size" = 24},
  {"base" = "10.90.0.0/15", "size" = 24},
  {"base" = "10.92.0.0/14", "size" = 24},
  {"base" = "10.96.0.0/11", "size" = 24},
  {"base" = "10.128.0.0/9", "size" = 24},
]
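The allocation the paragraph above describes, written out as an added example (this is an illustration, not netavark's or Podman's code): walk the pools in order and hand out the first subnet of the configured size that overlaps nothing already in use. `allocate_subnet` and `allocate_many` are this example's own names, and the in-use networks in the demo are constructed.

```python
import ipaddress

# Default pools from the man page: (base network, prefix length handed out).
DEFAULT_SUBNET_POOLS = [
    ("10.89.0.0/16", 24),
    ("10.90.0.0/15", 24),
    ("10.92.0.0/14", 24),
    ("10.96.0.0/11", 24),
    ("10.128.0.0/9", 24),
]


def allocate_subnet(pools, in_use):
    """Return the first subnet of the pool's size that overlaps nothing in
    `in_use` (existing container networks, the default_subnet, host routes),
    or None when every pool is exhausted."""
    used = [ipaddress.ip_network(n, strict=False) for n in in_use]
    for base, size in pools:
        pool = ipaddress.ip_network(base)
        # Pools are IPv4 only; a pool narrower than the requested size cannot
        # be split into subnets of that size.
        if pool.version != 4 or size < pool.prefixlen:
            continue
        for candidate in pool.subnets(new_prefix=size):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None


def allocate_many(count, pools=DEFAULT_SUBNET_POOLS, in_use=()):
    """Allocate `count` networks in sequence, treating each result as in use
    for the next one, the way repeated `podman network create` calls would."""
    taken = list(in_use)
    out = []
    for _ in range(count):
        net = allocate_subnet(pools, taken)
        if net is None:
            break
        taken.append(net)
        out.append(net)
    return out


if __name__ == "__main__":
    # Constructed example: the default network plus a host route that covers
    # the whole first pool, so allocation moves on to the second pool.
    print(allocate_many(3, in_use=["10.88.0.0/16", "10.89.0.0/16"]))
```

Feeding the host's existing routes into `in_use` is the check that prevents a new container network from shadowing a route the host already uses.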
554
555
556
557 default_rootless_network_cmd="slirp4netns"
558
559
560 Configure which rootless network program to use by default. Valid op‐
561 tions are slirp4netns (default) and pasta.
562
563
564 network_config_dir="/etc/cni/net.d/"
565
566
567 Path to the directory where network configuration files are located.
568 For the CNI backend the default is /etc/cni/net.d as root and
569 $HOME/.config/cni/net.d as rootless. For the netavark backend
570 "/etc/containers/networks" is used as root and "$graphroot/networks" as
571 rootless.
572
573
574 dns_bind_port=53
575
576
577 Port to use for dns forwarding daemon with netavark in rootful bridge
578 mode and dns enabled. Using an alternate port might be useful if other
579 dns services should run on the machine.
580
581
582 pasta_options = []
583
584
585 A list of default pasta options that should be used running pasta. It
586 accepts the pasta cli options, see pasta(1) for the full list of op‐
587 tions.
588
589
591 The engine table contains configuration options used to set up con‐
592 tainer engines such as Podman and Buildah.
593
594
595 active_service=""
596
597
598 Name of destination for accessing the Podman service. See SERVICE DES‐
599 TINATION TABLE below.
600
601
602 cgroup_manager="systemd"
603
604
605 The cgroup management implementation used for the runtime. Supports
606 cgroupfs and systemd.
607
608
609 compat_api_enforce_docker_hub=true
610
611
612 Enforce using docker.io for completing short names in Podman's compati‐
613 bility REST API. Note that this will ignore unqualified-search-reg‐
614 istries and short-name aliases defined in containers-reg‐
615 istries.conf(5).
616
617
618 compose_providers=[]
619
620
621 Specify one or more external providers for the compose command. The
622 first found provider is used for execution. Can be an absolute and
623 relative path or a (file) name.
624
625
626 compose_warning_logs=true
627
628
629 Emit logs on each invocation of the compose command indicating that an
630 external compose provider is being executed.
631
632
633 conmon_env_vars=[]
634
635
636 Environment variables to pass into Conmon.
637
638
639 conmon_path=[]
640
641
642 Paths to search for the conmon container manager binary. If the paths
643 are empty or no valid path was found, then the $PATH environment vari‐
644 able will be used as the fallback.
645
646
647 The default list is:
648
649
650 conmon_path=[
651 "/usr/libexec/podman/conmon",
652 "/usr/local/libexec/podman/conmon",
653 "/usr/local/lib/podman/conmon",
654 "/usr/bin/conmon",
655 "/usr/sbin/conmon",
656 "/usr/local/bin/conmon",
657 "/usr/local/sbin/conmon",
658 "/run/current-system/sw/bin/conmon",
659 ]
660
661
662
663 database_backend="boltdb"
664
665
666 The database backend of Podman. Supported values are "boltdb" (de‐
667 fault) and "sqlite". Please run podman-system-reset prior to changing
668 the database backend of an existing deployment, to make sure Podman can
669 operate correctly.
670
671
672 detach_keys="ctrl-p,ctrl-q"
673
674
675 Keys sequence used for detaching a container. Specify the keys se‐
676 quence used to detach a container. Format is a single character [a-Z]
677 or a comma separated sequence of ctrl-<value>, where <value> is one of:
678 a-z, @, ^, [, \, ], ^ or _ Specifying "" disables this feature.
679
680
681 enable_port_reservation=true
682
683
684 Determines whether the engine will reserve ports on the host when they
685 are forwarded to containers. When enabled, when ports are forwarded to
686 containers, they are held open by conmon as long as the container is
687 running, ensuring that they cannot be reused by other programs on the
688 host. However, this can cause significant memory usage if a container
689 has many ports forwarded to it. Disabling this can save memory.
690
691
692 env=[]
693
694
695 Environment variables to be used when running the container engine
696 (e.g., Podman, Buildah). For example "http_proxy=internal.proxy.com‐
697 pany.com". Note these environment variables will not be used within
698 the container. Set the env section under [containers] table, if you
699 want to set environment variables for the container.
700
701
702 events_logfile_path=""
703
704
705 Define where event logs will be stored, when events_logger is "file".
706
707
708 events_logfile_max_size="1m"
709
710
711 Sets the maximum size for events_logfile_path. The unit can be b
712 (bytes), k (kilobytes), m (megabytes) or g (gigabytes). The format for
713 the size is <number><unit>, e.g., 1b or 3g. If no unit is included
714 then the size will be in bytes. When the limit is exceeded, the log‐
715 file will be rotated and the old one will be deleted. If the maximumn
716 size is set to 0, then no limit will be applied, and the logfile will
717 not be rotated.
718
719
720 events_logger="journald"
721
722
723 The default method to use when logging events.
724
725
726 The default method is different based on the platform that Podman is
727 being run upon. To determine the current value, use this command:
728
729
730 podman info --format {{.Host.EventLogger}
731
732
733 Valid values are: file, journald, and none.
734
735
736 events_container_create_inspect_data=true|false
737
738
739 Creates a more verbose container-create event which includes a JSON
740 payload with detailed information about the container. Set to false by
741 default.
742
743
744 helper_binaries_dir=["/usr/libexec/podman", ...]
745
746
747 A is a list of directories which are used to search for helper bina‐
748 ries.
749
750
751 The default paths on Linux are:
752
753
754 • /usr/local/libexec/podman
755
756 • /usr/local/lib/podman
757
758 • /usr/libexec/podman
759
760 • /usr/lib/podman
761
762
763
764 The default paths on macOS are:
765
766
767 • /usr/local/opt/podman/libexec
768
769 • /opt/homebrew/bin
770
771 • /opt/homebrew/opt/podman/libexec
772
773 • /usr/local/bin
774
775 • /usr/local/libexec/podman
776
777 • /usr/local/lib/podman
778
779 • /usr/libexec/podman
780
781 • /usr/lib/podman
782
783
784
785 The default path on Windows is:
786
787
788 • C:\Program Files\RedHat\Podman
789
790
791
792 hooks_dir=["/etc/containers/oci/hooks.d", ...]
793
794
795 Path to the OCI hooks directories for automatically executed hooks.
796
797
798 image_default_format="oci"|"v2s2"|"v2s1"
799
800
801 Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, build‐
802 ing container images. By default images pulled and pushed match the
803 format of the source image. Building/committing defaults to OCI. Note:
804 image_build_format is deprecated.
805
806
807 image_default_transport="docker://"
808
809
810 Default transport method for pulling and pushing images.
811
812
813 image_parallel_copies=0
814
815
816 Maximum number of image layers to be copied (pulled/pushed) simultane‐
817 ously. Not setting this field will fall back to containers/image de‐
818 faults. (6)
819
820
821 image_volume_mode="bind"
822
823
824 Tells container engines how to handle the built-in image volumes.
825
826
827 • bind: An anonymous named volume will be created and mounted
828 into the container.
829
830 • tmpfs: The volume is mounted onto the container as a tmpfs,
831 which allows the users to create content that disappears when
832 the container is stopped.
833
834 • ignore: All volumes are just ignored and no action is taken.
835
836
837
838 infra_command="/pause"
839
840
841 Infra (pause) container image command for pod infra containers. When
842 running a pod, we start a /pause process in a container to hold open
843 the namespaces associated with the pod. This container does nothing
844 other than sleep, reserving the pod's resources for the lifetime of the
845 pod.
846
847
848 infra_image=""
849
850
851 Infra (pause) container image for pod infra containers. When running a
852 pod, we start a pause process in a container to hold open the name‐
853 spaces associated with the pod. This container does nothing other than
854 sleep, reserving the pod's resources for the lifetime of the pod. By
855 default container engines run a built-in container using the pause exe‐
856 cutable. If you want override specify an image to pull.
857
858
859 kube_generate_type="pod"
860
861
862 Default Kubernetes kind/specification of the kubernetes yaml generated
863 with the podman kube generate command. The possible options are pod and
864 deployment.
865
866
867 lock_type="shm"
868
869
870 Specify the locking mechanism to use; valid values are "shm" and
871 "file". Change the default only if you are sure of what you are doing,
872 in general "file" is useful only on platforms where cgo is not avail‐
873 able for using the faster "shm" lock type. You may need to run "podman
874 system renumber" after you change the lock type.
875
876
877 multi_image_archive=false
878
879
880 Allows for creating archives (e.g., tarballs) with more than one image.
881 Some container engines, such as Podman, interpret additional arguments
882 as tags for one image and hence do not store more than one image. The
883 default behavior can be altered with this option.
884
885
886 namespace=""
887
888
889 Default engine namespace. If the engine is joined to a namespace, it
890 will see only containers and pods that were created in the same name‐
891 space, and will create new containers and pods in that namespace. The
892 default namespace is "", which corresponds to no namespace. When no
893 namespace is set, all containers and pods are visible.
894
895
896 network_cmd_path=""
897
898
899 Path to the slirp4netns binary.
900
901
902 network_cmd_options=[]
903
904
905 Default options to pass to the slirp4netns binary.
906
907
908 Valid options values are:
909
910
911 • allow_host_loopback=true|false: Allow the slirp4netns to reach
912 the host loopback IP (10.0.2.2). Default is false.
913
914 • mtu=MTU: Specify the MTU to use for this network. (Default is
915 65520).
916
917 • cidr=CIDR: Specify ip range to use for this network. (Default
918 is 10.0.2.0/24).
919
920 • enable_ipv6=true|false: Enable IPv6. Default is true. (Re‐
921 quired for outbound_addr6).
922
923 • outbound_addr=INTERFACE: Specify the outbound interface slirp
924 should bind to (ipv4 traffic only).
925
926 • outbound_addr=IPv4: Specify the outbound ipv4 address slirp
927 should bind to.
928
929 • outbound_addr6=INTERFACE: Specify the outbound interface slirp
930 should bind to (ipv6 traffic only).
931
932 • outbound_addr6=IPv6: Specify the outbound ipv6 address slirp
933 should bind to.
934
935 • port_handler=rootlesskit: Use rootlesskit for port forwarding.
936 Default. Note: Rootlesskit changes the source IP address of
937 incoming packets to a IP address in the container network
938 namespace, usually 10.0.2.100. If your application requires
939 the real source IP address, e.g. web server logs, use the
940 slirp4netns port handler. The rootlesskit port handler is also
941 used for rootless containers when connected to user-defined
942 networks.
943
944 • port_handler=slirp4netns: Use the slirp4netns port forwarding,
945 it is slower than rootlesskit but preserves the correct source
946 IP address. This port handler cannot be used for user-defined
947 networks.
948
949
950
951 no_pivot_root=false
952
953
954 Whether to use chroot instead of pivot_root in the runtime.
955
956
957 num_locks=2048
958
959
960 Number of locks available for containers and pods. Each created con‐
961 tainer or pod consumes one lock. The default number available is 2048.
962 If this is changed, a lock renumbering must be performed, using the
963 podman system renumber command.
964
965
966 pod_exit_policy="continue"
967
968
969 Set the exit policy of the pod when the last container exits. Sup‐
970 ported policies are:
971
972
973 ┌────────────┬────────────────────────────┐
974 │Exit Policy │ Description │
975 ├────────────┼────────────────────────────┤
976 │continue │ The pod continues running │
977 │ │ when the last container │
978 │ │ exits. Used by default. │
979 ├────────────┼────────────────────────────┤
980 │stop │ The pod is stopped when │
981 │ │ the last container exits. │
982 │ │ Used in play kube. │
983 └────────────┴────────────────────────────┘
984
985 pull_policy="always"|"missing"|"never"
986
987
988 Pull image before running or creating a container. The default is miss‐
989 ing.
990
991
992 • missing: attempt to pull the latest image from the registries
993 listed in registries.conf if a local image does not exist.
994 Raise an error if the image is not in any listed registry and
995 is not present locally.
996
997 • always: pull the image from the first registry it is found in
998 as listed in registries.conf. Raise an error if not found in
999 the registries, even if the image is present locally.
1000
1001 • never: do not pull the image from the registry, use only the
1002 local version. Raise an error if the image is not present lo‐
1003 cally.
1004
1005
1006
1007 remote = false
1008
1009
1010 Indicates whether the application should be running in remote mode.
1011 This flag modifies the --remote option on container engines. Setting
1012 the flag to true will default podman --remote=true for access to the
1013 remote Podman service.
1014
1015
1016 runtime=""
1017
1018
1019 Default OCI specific runtime in runtimes that will be used by default.
1020 Must refer to a member of the runtimes table. Default runtime will be
1021 searched for on the system using the priority: "crun", "runc", "kata".
1022
1023
1024 runtime_supports_json=["crun", "runc", "kata", "runsc", "youki",
1025 "krun"]
1026
1027
1028 The list of the OCI runtimes that support --format=json.
1029
1030
1031 runtime_supports_kvm=["kata", "krun"]
1032
1033
1034 The list of OCI runtimes that support running containers with KVM sepa‐
1035 ration.
1036
1037
1038 runtime_supports_nocgroups=["crun", "krun"]
1039
1040
1041 The list of OCI runtimes that support running containers without
1042 CGroups.
1043
1044
1045 image_copy_tmp_dir="/var/tmp"
1046
1047
1048 Default location for storing temporary container image content. Can be
1049 overridden with the TMPDIR environment variable. If you specify "stor‐
1050 age", then the location of the container/storage tmp directory will be
1051 used. If set then it is the users responsibility to cleanup storage.
1052 Configure tmpfiles.d(5) to cleanup storage.
1053
1054
1055 service_timeout=5
1056
1057
1058 Number of seconds to wait without a connection before the podman sys‐
1059 tem service times out and exits
1060
1061
1062 static_dir="/var/lib/containers/storage/libpod"
1063
1064
1065 Directory for persistent libpod files (database, etc). By default this
1066 will be configured relative to where containers/storage stores contain‐
1067 ers.
1068
1069
1070 stop_timeout=10
1071
1072
1073 Number of seconds to wait for container to exit before sending kill
1074 signal.
1075
1076
1077 exit_command_delay=300
1078
1079
1080 Number of seconds to wait for the API process for the exec call before
1081 sending exit command mimicking the Docker behavior of 5 minutes (in
1082 seconds).
1083
1084
1085 tmp_dir="/run/libpod"
1086
1087
1088 The path to a temporary directory to store per-boot container. Must be
1089 a tmpfs (wiped after reboot).
1090
1091
1092 volume_path="/var/lib/containers/storage/volumes"
1093
1094
1095 Directory where named volumes will be created in using the default vol‐
1096 ume driver. By default this will be configured relative to where con‐
1097 tainers/storage store containers. This convention is followed by the
1098 default volume driver, but may not be by other drivers.
1099
1100
1101 chown_copied_files=true
1102
1103
1104 Determines whether file copied into a container will have changed own‐
1105 ership to the primary uid/gid of the container.
1106
1107
1108 compression_format="gzip"
1109
1110
1111 Specifies the compression format to use when pushing an image. Sup‐
1112 ported values are: gzip, zstd and zstd:chunked.
1113
1114
1115 compression_level="5"
1116
1117
1118 The compression level to use when pushing an image. Valid options de‐
1119 pend on the compression format used. For gzip, valid options are 1-9,
1120 with a default of 5. For zstd, valid options are 1-20, with a default
1121 of 3.
1122
1123
1124 podmansh_timeout=30
1125
1126
1127 Number of seconds to wait for podmansh logins.
1128
1129
1131 The engine.service_destinations table contains configuration options
1132 used to set up remote connections to the podman service for the podman
1133 API.
1134
1135
1136 [engine.service_destinations.{name}] URI to access the Podman service
1137 uri="ssh://user@production.example.com/run/user/1001/podman/pod‐
1138 man.sock"
1139
1140
1141 Example URIs:
1142
1143
1144 • rootless local - unix://run/user/1000/podman/podman.sock
1145
1146 • rootless remote - ssh://user@engineering.lab.com‐
1147 pany.com/run/user/1000/podman/podman.sock
1148
1149 • rootful local - unix://run/podman/podman.sock
1150
1151 • rootful remote - ssh://root@10.10.1.136:22/run/podman/pod‐
1152 man.sock
1153
1154
1155
1156 identity="~/.ssh/id_rsa
1157
1158
1159 Path to file containing ssh identity key
1160
1161
1162 [engine.volume_plugins]
1163
1164
1165 A table of all the enabled volume plugins on the system. Volume plugins
1166 can be used as the backend for Podman named volumes. Individual plugins
1167 are specified below, as a map of the plugin name (what the plugin will
1168 be called) to its path (filepath of the plugin's unix socket).
1169
1170
1171 [engine.platform_to_oci_runtime]
1172
1173
1174 Allows end users to switch the OCI runtime on the bases of container
1175 image's platform string. Following config field contains a map of
1176 platform/string = oci_runtime.
1177
1178
1180 The secret table contains settings for the configuration of the secret
1181 subsystem.
1182
1183
1184 driver=file
1185
1186
1187 Name of the secret driver to be used. Currently valid values are:
1188 • file
1189 • pass
1190
1191
1192 [secrets.opts]
1193
1194
1195 The driver-specific options table.
1196
1197
1199 The machine table contains configurations for podman machine VMs
1200
1201
1202 cpus=1 Number of CPUs a machine is created with.
1203
1204
1205 disk_size=10
1206
1207
1208 The size in GB of the disk created when initializing a podman machine VM.
1209
1210
1211 image=""
1212
1213
1214 Default image URI when creating a new VM using podman machine init.
1215 Options: on Linux/Mac, testing, stable or next; on Windows, the major
1216 version of the OS (e.g. 36 for Fedora 36). On all platforms you can
1217 alternatively specify a custom download URL to an image. Container
1218 engines expand $OS and $ARCH in the URI to the native OS and
1219 architecture, so "https://example.com/$OS/$ARCH/foobar.ami" becomes
1220 "https://example.com/linux/amd64/foobar.ami" on a Linux AMD64 machine.
1221 The default value is testing on Linux/Mac, and on Windows.
1222
1223
1224 memory=2048
1225
1226
1227 Memory in MB a machine is created with.
1228
1229
1230 user=""
1231
1232
1233 Username to use and create on the podman machine OS for rootless
1234 container access. The default value is user. On Linux/Mac the default
1235 is core.
1236
1237
1238 volumes=["$HOME:$HOME"]
1239
1240
1241 Host directories to be mounted as volumes into the VM by default.
1242 Environment variables like $HOME as well as complete paths are supported
1243 for the source and destination. An optional third field :ro can be used
1244 to tell the container engines to mount the volume read-only.
1245
1246
1247 On Mac, the default volumes are:
1248
1249
1250 [ "/Users:/Users", "/private:/private", "/var/folders:/var/folders" ]
1251
1252
1253 provider=""
1254
1255
1256 Virtualization provider to be used for running a podman-machine VM.
1257 Empty value is interpreted as the default provider for the current host
1258 OS. On Linux/Mac default is QEMU and on Windows it is WSL.
1259
1260
1262 The farms table contains configuration options used to group up remote
1263 connections into farms that will be used when sending out builds to
1264 different machines in a farm via podman buildfarm.
1265
1266
1267 default=""
1268
1269
1270 The default farm to use when farming out builds.
1271
1272
1273 [farms.list]
1274
1275
1276 Map of farms created where the key is the farm name and the value is
1277 the list of system connections.
1278
1279
1280
1282 containers.conf
1283
1284
1285 Distributions often provide a /usr/share/containers/containers.conf
1286 file to provide a default configuration. Administrators can override
1287 fields in this file by creating /etc/containers/containers.conf to
1288 specify their own configuration. They may also drop .conf files in
1289 /etc/containers/containers.conf.d which will be loaded in alphanumeric
1290 order. Rootless users can further override fields in the config by
1291 creating a config file stored in the $HOME/.config/containers/contain‐
1292 ers.conf file or .conf files in $HOME/.config/containers/contain‐
1293 ers.conf.d.
1294
1295
1296 If the CONTAINERS_CONF environment variable is set, all system and user
1297 config files are ignored and only the specified config file will be
1298 loaded.
1299
1300
1301 If the CONTAINERS_CONF_OVERRIDE path environment variable is set, the
1302 file at that path is loaded last, even when CONTAINERS_CONF is set.
1303
1304
1305 The values of both environment variables may be absolute or relative
1306 paths, for instance, CONTAINERS_CONF=/tmp/my_containers.conf.
1307
1308
1309 Fields specified in a containers.conf file override the default op‐
1310 tions, as well as options in previously loaded containers.conf files.
1311
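The load order above decides which file wins for every option, and every path on the list is a place where a writable file, or an environment variable the caller controls, picks the OCI runtime, cgroup manager and other settings for everything the engine launches. The script below is an added example and not Podman's own loader: it models only the rules stated in this section (the distribution file, /etc/containers/containers.conf, *.conf drop-ins in alphanumeric order, the rootless user's files, CONTAINERS_CONF replacing all of those, CONTAINERS_CONF_OVERRIDE loaded last) on a directory tree constructed in a temporary directory, and reports which file set each option last. The `root` prefix, the user name alice, the override file location and the runtime names in the sample files are the example's own.

```python
"""Which containers.conf files a container engine reads, in what order, and
which one wins.  Added example, not Podman's own loader: it models only the
rules the FILES section states, on a tree constructed in a temp directory."""
import os
import tempfile
try:
    import tomllib                  # Python 3.11+
except ModuleNotFoundError:         # older interpreters: pip install tomli
    import tomli as tomllib

SYSTEM_FILES = ("usr/share/containers/containers.conf", "etc/containers/containers.conf")
SYSTEM_DROPINS = "etc/containers/containers.conf.d"
USER_FILE = ".config/containers/containers.conf"

def dropins(directory):
    """*.conf entries of a .d directory in alphanumeric order; other names are skipped."""
    if not os.path.isdir(directory):
        return []
    return [os.path.join(directory, n) for n in sorted(os.listdir(directory)) if n.endswith(".conf")]

def config_paths(env, root="/", home=None):
    """Files in load order.  root prefixes the system paths (so the demo can use a
    scratch tree); home is the rootless user's $HOME, or None for rootful mode."""
    if "CONTAINERS_CONF" in env:
        paths = [env["CONTAINERS_CONF"]]            # all system and user files are ignored
    else:
        paths = [os.path.join(root, rel) for rel in SYSTEM_FILES]
        paths += dropins(os.path.join(root, SYSTEM_DROPINS))
        if home is not None:
            user_conf = os.path.join(home, USER_FILE)
            paths += [user_conf] + dropins(user_conf + ".d")
        paths = [p for p in paths if os.path.isfile(p)]
    if "CONTAINERS_CONF_OVERRIDE" in env:
        paths.append(env["CONTAINERS_CONF_OVERRIDE"])  # loaded last, even with CONTAINERS_CONF
    return paths

def deep_merge(base, extra):
    """A later file overrides earlier ones option by option, not table by table."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], value)
        else:
            base[key] = value
    return base

def load_config(env, root="/", home=None):
    """Return (merged config, {"table.option": path of the file that set it last})."""
    merged, source = {}, {}
    for path in config_paths(env, root, home):
        with open(path, "rb") as fh:
            data = tomllib.load(fh)
        deep_merge(merged, data)
        for table, options in data.items():
            if isinstance(options, dict):
                for option in options:
                    source[f"{table}.{option}"] = path
    return merged, source

# Constructed tree: distro default, admin file, two drop-ins, a drop-in without
# the .conf suffix (must be ignored), a rootless user's file and an override file.
SAMPLE_TREE = {
    "usr/share/containers/containers.conf": '[engine]\nruntime = "crun"\n[containers]\nlog_size_max = -1\n',
    "etc/containers/containers.conf": '[engine]\nruntime = "runc"\n',
    "etc/containers/containers.conf.d/10-cgroups.conf": '[engine]\ncgroup_manager = "systemd"\n',
    "etc/containers/containers.conf.d/20-logs.conf": '[containers]\nlog_size_max = 10485760\n',
    "etc/containers/containers.conf.d/README": '[engine]\nruntime = "must-be-ignored"\n',
    "home/alice/.config/containers/containers.conf": '[engine]\nruntime = "crun"\n',
    "tmp/override.conf": '[engine]\nruntime = "youki"\n',
}

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        home = os.path.join(root, "home/alice")
        etc_conf = os.path.join(root, "etc/containers/containers.conf")
        override = os.path.join(root, "tmp/override.conf")
        rootful, _ = load_config({}, root)
        rootless, src = load_config({}, root, home)
        pinned, _ = load_config({"CONTAINERS_CONF": etc_conf}, root, home)
        forced, _ = load_config({"CONTAINERS_CONF": etc_conf, "CONTAINERS_CONF_OVERRIDE": override}, root, home)
        return {
            "rootful_runtime": rootful["engine"]["runtime"],            # admin file beats distro file
            "rootless_runtime": rootless["engine"]["runtime"],          # user file beats both
            "rootless_runtime_source": os.path.relpath(src["engine.runtime"], root),
            "log_size_max": rootless["containers"]["log_size_max"],     # drop-in beats distro default
            "pinned_runtime": pinned["engine"]["runtime"],              # only CONTAINERS_CONF is read
            "pinned_sees_dropins": "cgroup_manager" in pinned["engine"],
            "forced_runtime": forced["engine"]["runtime"],              # override applied last
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:24} {value!r}")
```

The provenance map is the part worth keeping in a real audit: when a rootless user's engine.runtime turns out to come from a drop-in under $HOME/.config/containers/containers.conf.d, or from a CONTAINERS_CONF_OVERRIDE pointing into /tmp, that is the file to inspect.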
1312
1313 storage.conf
1314
1315
1316 The /etc/containers/storage.conf file is the default storage configura‐
1317 tion file. Rootless users can override fields in the storage config by
1318 creating $HOME/.config/containers/storage.conf.
1319
1320
1321 If the CONTAINERS_STORAGE_CONF path environment variable is set, this
1322 path is used for the storage.conf file rather than the default. This
1323 is primarily used for testing.
1324
1325
1326
1328 containers-storage.conf(5), containers-policy.json(5), containers-reg‐
1329 istries.conf(5), tmpfiles.d(5)
1330
1331
1332