podman-systemd.unit(5)          File Formats Manual          podman-systemd.unit(5)

NAME
podman-systemd.unit - systemd units using Podman Quadlet

SYNOPSIS
name.container, name.volume, name.network, name.kube, name.image

Podman unit search path
• /etc/containers/systemd/

• /usr/share/containers/systemd/

Podman user unit search path
• $XDG_CONFIG_HOME/containers/systemd/ or ~/.config/containers/systemd/

• /etc/containers/systemd/users/$(UID)

• /etc/containers/systemd/users/

Using symbolic links
Quadlet supports using symbolic links for the base of the search paths.
Symbolic links below the search paths are not supported.

DESCRIPTION
Podman supports starting containers (and creating volumes) via systemd
by using a systemd generator. These files are read during boot (and
when systemctl daemon-reload is run) and generate corresponding regular
systemd service unit files. Both system and user systemd units are
supported. All options and tables available in standard systemd unit
files are supported. For example, options defined in the [Service] and
[Install] tables pass directly to systemd and are handled by it. See
the systemd.unit(5) man page for more information.

The Podman generator reads the search paths above and reads files with
the extensions .container, .volume and .kube, and for each file
generates a similarly named .service file. Be aware that existing
vendor services (i.e., in /usr/) are replaced if they have the same
name. The generated unit files can be started and managed with
systemctl like any other systemd service. systemctl {--user}
list-unit-files lists existing unit files on the system.

Files with the .network extension are only read if they are mentioned
in a .container file. See the Network= key.

The Podman files use the same format as regular systemd unit files.
Each file type has a custom section (for example, [Container]) that is
handled by Podman, and all other sections are passed on untouched,
allowing the use of any normal systemd configuration options like
dependencies or cgroup limits.

For rootless containers, when administrators place Quadlet files in the
/etc/containers/systemd/users directory, all users' sessions execute
the Quadlet when the login session begins. If the administrator places
a Quadlet file in the /etc/containers/systemd/users/${UID}/ directory,
then only the user with the matching UID executes the Quadlet when the
login session starts. For unit files placed in subdirectories within
/etc/containers/systemd/users/${UID}/ and the other user unit search
paths, Quadlet recursively searches for and runs the unit files present
in these subdirectories.

Note: When a Quadlet is starting, Podman often pulls one or more
container images, which may take a considerable amount of time. By
default systemd gives a service 90 seconds to start and fails it
otherwise. Pre-pulling the image or extending the systemd timeout for
the service with the TimeoutStartSec [Service] option can fix the
problem.

Adding the following snippet to a Quadlet file extends the systemd
timeout to 15 minutes:

[Service]
TimeoutStartSec=900

Quadlet requires cgroup v2; use podman info --format
{{.Host.CgroupsVersion}} to check which version the system uses.

Service Type
By default, the Type field of the Service section of the Quadlet file
does not need to be set. Quadlet will set it to notify for .container
and .kube files and to oneshot for .volume, .network and .image files.

However, Type may be explicitly set to oneshot for .container and .kube
files when no containers are expected to run once podman exits.

When setting Type=oneshot, it is recommended to also set
RemainAfterExit=yes to prevent the service state from becoming inactive
(dead).

Examples for such cases:

• a .container file with an image that exits after its entrypoint has
  finished

• a .kube file pointing to a Kubernetes YAML file that does not define
  any containers, e.g. PVCs only

Enabling unit files
The services created by Podman are considered transient by systemd,
which means they don't have the same persistence rules as regular
units. In particular, it is not possible to "systemctl enable" them in
order for them to become automatically enabled on the next boot.

To compensate for this, the generator manually applies the [Install]
section of the container definition unit files during generation, in
the same way systemctl enable does when run later.

For example, to start a container on boot, add something like this to
the file:

[Install]
WantedBy=default.target

Currently, only the Alias, WantedBy and RequiredBy keys are supported.

NOTE: To express dependencies between containers, use the generated
names of the service. In other words WantedBy=other.service, not
WantedBy=other.container. The same is true for other kinds of
dependencies, too, like After=other.service.

Debugging unit files
After placing the unit file in one of the unit search paths (mentioned
above), you can start it with systemctl {--user} start. If it fails
with "Failed to start example.service: Unit example.service not
found.", then it is possible that you used incorrect syntax or you used
an option from a newer version of Podman Quadlet and the generator
failed to create a service file.

View the generated files and/or error messages with:

/usr/lib/systemd/system-generators/podman-system-generator {--user} --dryrun

Debugging a limited set of unit files
If you would like to debug a limited set of unit files, you can copy
them to a separate directory and set the QUADLET_UNIT_DIRS environment
variable to this directory when running the command below:

QUADLET_UNIT_DIRS=<Directory> /usr/lib/systemd/system-generators/podman-system-generator {--user} --dryrun

This instructs Quadlet to look for units in this directory instead of
the common ones and thereby limits the output to only the units you
are debugging.

Container units [Container]
Container units are named with a .container extension and contain a
[Container] section describing the container that is run as a service.
The resulting service file contains a line like ExecStart=podman run …
image-name, and most of the keys in this section control the
command-line options passed to Podman. However, some options also
affect the details of how systemd is set up to run and interact with
the container.

By default, the Podman container has the same name as the unit, but
with a systemd- prefix, i.e. a $name.container file creates a
$name.service unit and a systemd-$name Podman container. The
ContainerName option allows for overriding this default name with a
user-provided one.

There is only one required key, Image, which defines the container
image the service runs.

Valid options for [Container] are listed below:

┌───────────────────────────────────┬──────────────────────────────────────────────────────┐
│[Container] options                │ podman run equivalent                                │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│AddCapability=CAP                  │ --cap-add CAP                                        │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│AddDevice=/dev/foo                 │ --device /dev/foo                                    │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Annotation="XYZ"                   │ --annotation "XYZ"                                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│AutoUpdate=registry                │ --label "io.containers.autoupdate=registry"         │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│ContainerName=name                 │ --name name                                          │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│ContainersConfModule=/etc/nvd.conf │ --module=/etc/nvd.conf                               │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│DNS=192.168.55.1                   │ --dns=192.168.55.1                                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│DNSSearch=foo.com                  │ --dns-search=foo.com                                 │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│DNSOption=ndots:1                  │ --dns-option=ndots:1                                 │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│DropCapability=CAP                 │ --cap-drop=CAP                                       │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Environment=foo=bar                │ --env foo=bar                                        │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│EnvironmentFile=/tmp/env           │ --env-file /tmp/env                                  │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│EnvironmentHost=true               │ --env-host                                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Exec=/usr/bin/command              │ Command after image specification - /usr/bin/command │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│ExposeHostPort=50-59               │ --expose 50-59                                       │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│GIDMap=0:10000:10                  │ --gidmap=0:10000:10                                  │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Group=1234                         │ --user UID:1234                                      │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│GlobalArgs=--log-level=debug       │ --log-level=debug                                    │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthCmd="/usr/bin/command"       │ --health-cmd="/usr/bin/command"                      │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthInterval=2m                  │ --health-interval=2m                                 │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthOnFailure=kill               │ --health-on-failure=kill                             │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthRetries=5                    │ --health-retries=5                                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthStartPeriod=1m               │ --health-start-period=1m                             │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthStartupCmd="command"         │ --health-startup-cmd="command"                       │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthStartupInterval=1m           │ --health-startup-interval=1m                         │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthStartupRetries=8             │ --health-startup-retries=8                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthStartupSuccess=2             │ --health-startup-success=2                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthStartupTimeout=1m33s         │ --health-startup-timeout=1m33s                       │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HealthTimeout=20s                  │ --health-timeout=20s                                 │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│HostName=new-host-name             │ --hostname="new-host-name"                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Image=ubi8                         │ Image specification - ubi8                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│IP=192.5.0.1                       │ --ip 192.5.0.1                                       │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│IP6=2001:db8::1                    │ --ip6 2001:db8::1                                    │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Label="XYZ"                        │ --label "XYZ"                                        │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│LogDriver=journald                 │ --log-driver journald                                │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Mount=type=...                     │ --mount type=...                                     │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Network=host                       │ --net host                                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│NoNewPrivileges=true               │ --security-opt no-new-privileges                     │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Rootfs=/var/lib/rootfs             │ --rootfs /var/lib/rootfs                             │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Notify=true                        │ --sdnotify container                                 │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│PidsLimit=10000                    │ --pids-limit 10000                                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│PodmanArgs=--add-host foobar       │ --add-host foobar                                    │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│PublishPort=50-59                  │ --publish 50-59                                      │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Pull=never                         │ --pull=never                                         │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│ReadOnly=true                      │ --read-only                                          │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│ReadOnlyTmpfs=true                 │ --read-only-tmpfs                                    │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│RunInit=true                       │ --init                                               │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SeccompProfile=/tmp/s.json         │ --security-opt seccomp=/tmp/s.json                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SecurityLabelDisable=true          │ --security-opt label=disable                         │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SecurityLabelFileType=usr_t        │ --security-opt label=filetype:usr_t                  │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SecurityLabelLevel=s0:c1,c2        │ --security-opt label=level:s0:c1,c2                  │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SecurityLabelNested=true           │ --security-opt label=nested                          │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SecurityLabelType=spc_t            │ --security-opt label=type:spc_t                      │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│ShmSize=100m                       │ --shm-size=100m                                      │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SubGIDMap=gtest                    │ --subgidname=gtest                                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│SubUIDMap=utest                    │ --subuidname=utest                                   │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Sysctl=name=value                  │ --sysctl=name=value                                  │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Timezone=local                     │ --tz local                                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Tmpfs=/work                        │ --tmpfs /work                                        │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│UIDMap=0:10000:10                  │ --uidmap=0:10000:10                                  │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Ulimit=nofile:1000:10000           │ --ulimit nofile:1000:10000                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│User=bin                           │ --user bin                                           │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│UserNS=keep-id:uid=200,gid=210     │ --userns keep-id:uid=200,gid=210                     │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│Volume=/source:/dest               │ --volume /source:/dest                               │
├───────────────────────────────────┼──────────────────────────────────────────────────────┤
│WorkingDir=$HOME                   │ --workdir $HOME                                      │
└───────────────────────────────────┴──────────────────────────────────────────────────────┘

The keys of the [Container] section are described below.

AddCapability=
Add these capabilities, in addition to the default Podman capability
set, to the container.

This is a space separated list of capabilities. This key can be listed
multiple times.

For example:

AddCapability=CAP_DAC_OVERRIDE CAP_IPC_OWNER

AddDevice=
Adds a device node from the host into the container. The format of this
is HOST-DEVICE[:CONTAINER-DEVICE][:PERMISSIONS], where HOST-DEVICE is
the path of the device node on the host, CONTAINER-DEVICE is the path
of the device node in the container, and PERMISSIONS is a list of
permissions combining 'r' for read, 'w' for write and 'm' for mknod(2).
Prefixing HOST-DEVICE with - adds the device only if it exists on the
host.

This key can be listed multiple times.

Annotation=
Set one or more OCI annotations on the container. The format is a list
of key=value items, similar to Environment.

This key can be listed multiple times.

AutoUpdate=
Indicates whether the container will be auto-updated
(podman-auto-update(1)). The following values are supported:

• registry: Requires a fully-qualified image reference (e.g.,
  quay.io/podman/stable:latest) to be used to create the container.
  This enforcement is necessary to know which image to actually check
  and pull. If an image ID was used, Podman does not know which image
  to check/pull anymore.

• local: Tells Podman to compare the image a container is using to the
  image with its raw name in local storage. If an image is updated
  locally, Podman simply restarts the systemd unit executing the
  container.

ContainerName=
The (optional) name of the Podman container. If this is not specified,
the default value of systemd-%N is used, which is the same as the
service name but with a systemd- prefix to avoid conflicts with
user-managed containers.

ContainersConfModule=
Load the specified containers.conf(5) module. Equivalent to the Podman
--module option.

This key can be listed multiple times.

DNS=
Set network-scoped DNS resolver/nameserver for containers in this
network.

This key can be listed multiple times.

DNSOption=
Set custom DNS options.

This key can be listed multiple times.

DNSSearch=
Set custom DNS search domains. Use DNSSearch=. to remove the search
domain.

This key can be listed multiple times.

DropCapability=
Drop these capabilities from the default podman capability set, or all
to drop all capabilities.

This is a space separated list of capabilities. This key can be listed
multiple times.

For example:

DropCapability=CAP_DAC_OVERRIDE CAP_IPC_OWNER

Environment=
Set an environment variable in the container. This uses the same format
as services in systemd and can be listed multiple times.

EnvironmentFile=
Use a line-delimited file to set environment variables in the
container. The path may be absolute or relative to the location of the
unit file. This key may be used multiple times, and the order persists
when passed to podman run.

EnvironmentHost=
Use the host environment inside of the container.

Exec=
If this is set then it defines what command line to run in the
container. If it is not set the default entry point of the container
image is used. The format is the same as for systemd command lines.

ExposeHostPort=
Exposes a port, or a range of ports (e.g. 50-59), from the host to the
container. Equivalent to the Podman --expose option.

This key can be listed multiple times.

GIDMap=
Run the container in a new user namespace using the supplied GID
mapping. Equivalent to the Podman --gidmap option.

This key can be listed multiple times.

GlobalArgs=
This key contains a list of arguments passed directly between podman
and run in the generated file (right after the podman command in the
command line). It can be used to access Podman features otherwise
unsupported by the generator. Since the generator is unaware of what
unexpected interactions can be caused by these arguments, it is not
recommended to use this option.

The format of this is a space separated list of arguments, which can
optionally be individually escaped to allow inclusion of whitespace and
other control characters.

This key can be listed multiple times.

Group=
The (numeric) GID to run as inside the container. This does not need to
match the GID on the host, which can be modified with UserNS, but if
that is not specified, this GID is also used on the host.

HealthCmd=
Set or alter a healthcheck command for a container. A value of none
disables existing healthchecks. Equivalent to the Podman --health-cmd
option.

HealthInterval=
Set an interval for the healthchecks. An interval of disable results in
no automatic timer setup. Equivalent to the Podman --health-interval
option.

HealthOnFailure=
Action to take once the container transitions to an unhealthy state.
The kill action integrates best with systemd: once the container turns
unhealthy, it gets killed, and systemd restarts the service. Equivalent
to the Podman --health-on-failure option.

HealthRetries=
The number of retries allowed before a healthcheck is considered to be
unhealthy. Equivalent to the Podman --health-retries option.

HealthStartPeriod=
The initialization time needed for a container to bootstrap.
Equivalent to the Podman --health-start-period option.

HealthStartupCmd=
Set a startup healthcheck command for a container. Equivalent to the
Podman --health-startup-cmd option.

HealthStartupInterval=
Set an interval for the startup healthcheck. An interval of disable
results in no automatic timer setup. Equivalent to the Podman
--health-startup-interval option.

HealthStartupRetries=
The number of attempts allowed before the startup healthcheck restarts
the container. Equivalent to the Podman --health-startup-retries
option.

HealthStartupSuccess=
The number of successful runs required before the startup healthcheck
succeeds and the regular healthcheck begins. Equivalent to the Podman
--health-startup-success option.

HealthStartupTimeout=
The maximum time a startup healthcheck command has to complete before
it is marked as failed. Equivalent to the Podman
--health-startup-timeout option.

HealthTimeout=
The maximum time allowed to complete the healthcheck before an interval
is considered failed. Equivalent to the Podman --health-timeout
option.

HostName=
Sets the host name that is available inside the container. Equivalent
to the Podman --hostname option.

Image=
The image to run in the container. It is recommended to use a fully
qualified image name rather than a short name, both for performance and
robustness reasons.

The format of the name is the same as when passed to podman pull. So,
it supports using :tag or digests to guarantee the specific image
version.

As a special case, if the name of the image ends with .image, Quadlet
will use the image pulled by the corresponding .image file, and the
generated systemd service contains a dependency on the
$name-image.service. Note that the corresponding .image file must
exist.

IP=
Specify a static IPv4 address for the container, for example
10.88.64.128. Equivalent to the Podman --ip option.

IP6=
Specify a static IPv6 address for the container, for example
fd46:db93:aa76:ac37::10. Equivalent to the Podman --ip6 option.

Label=
Set one or more OCI labels on the container. The format is a list of
key=value items, similar to Environment.

This key can be listed multiple times.

LogDriver=
Set the log-driver used by Podman when running the container.
Equivalent to the Podman --log-driver option.

Mount=
Attach a filesystem mount to the container. This is equivalent to the
Podman --mount option, and generally has the form
type=TYPE,TYPE-SPECIFIC-OPTION[,...].

As a special case, for type=volume if source ends with .volume, a
Podman named volume called systemd-$name is used as the source, and the
generated systemd service contains a dependency on the
$name-volume.service. Such a volume can automatically be lazily created
by using a $name.volume Quadlet file.

This key can be listed multiple times.

Network=
Specify a custom network for the container. This has the same format as
the --network option to podman run. For example, use host to use the
host network in the container, or none to not set up networking in the
container.

As a special case, if the name of the network ends with .network, a
Podman network called systemd-$name is used, and the generated systemd
service contains a dependency on the $name-network.service. Such a
network can be automatically created by using a $name.network Quadlet
file.

This key can be listed multiple times.

NoNewPrivileges= (defaults to no)
If enabled, this disables the container processes from gaining
additional privileges via things like setuid and file capabilities.

Rootfs=
The rootfs to use for the container. Rootfs points to a directory on
the system that contains the content to be run within the container.
This option conflicts with the Image option.

The format of the rootfs is the same as when passed to podman run
--rootfs, so it supports overlay mounts as well.

Note: On SELinux systems, the rootfs needs the correct label, which is
by default unconfined_u:object_r:container_file_t:s0.

Notify= (defaults to no)
By default, Podman is run in such a way that the systemd startup notify
command is handled by the container runtime. In other words, the
service is deemed started when the container runtime starts the child
in the container. However, if the container application supports
sd_notify, then setting Notify to true passes the notification details
to the container allowing it to notify of startup on its own.

PidsLimit=
Tune the container's pids limit. This is equivalent to the Podman
--pids-limit option.

PodmanArgs=
This key contains a list of arguments passed directly to the end of the
podman run command in the generated file (right before the image name
in the command line). It can be used to access Podman features
otherwise unsupported by the generator. Since the generator is unaware
of what unexpected interactions can be caused by these arguments, it is
not recommended to use this option.

The format of this is a space separated list of arguments, which can
optionally be individually escaped to allow inclusion of whitespace and
other control characters.

This key can be listed multiple times.

PublishPort=
Exposes a port, or a range of ports (e.g. 50-59), from the container to
the host. Equivalent to the Podman --publish option. The format is
similar to the Podman options, which is of the form
ip:hostPort:containerPort, ip::containerPort, hostPort:containerPort or
containerPort, where the number of host and container ports must be the
same (in the case of a range).

If the IP is set to 0.0.0.0 or not set at all, the port is bound on all
IPv4 addresses on the host; use [::] for IPv6.

Note that not listing a host port means that Podman automatically
selects one, and it may be different for each invocation of the
service. This makes it a less useful option. The allocated port can be
found with the podman port command.

This key can be listed multiple times.

Pull=
Set the image pull policy. This is equivalent to the Podman --pull
option.

ReadOnly= (defaults to no)
If enabled, makes the image read-only.

ReadOnlyTmpfs= (defaults to yes)
If ReadOnly is set to yes, mount a read-write tmpfs on /dev, /dev/shm,
/run, /tmp, and /var/tmp.

RunInit= (defaults to no)
If enabled, the container has a minimal init process inside the
container that forwards signals and reaps processes.

SeccompProfile=
Set the seccomp profile to use in the container. If unset, the default
podman profile is used. Set to either the pathname of a json file, or
unconfined to disable the seccomp filters.

SecurityLabelDisable=
Turn off label separation for the container.

SecurityLabelFileType=
Set the label file type for the container files.

SecurityLabelLevel=
Set the label process level for the container processes.

SecurityLabelNested=
Allow SecurityLabels to function within the container. This allows
separation of containers created within the container.

SecurityLabelType=
Set the label process type for the container processes.

Secret=
Use a Podman secret in the container either as a file or an environment
variable. This is equivalent to the Podman --secret option and
generally has the form secret[,opt=opt ...].

ShmSize=
Size of /dev/shm.

This is equivalent to the Podman --shm-size option and generally has
the form number[unit].

SubGIDMap=
Run the container in a new user namespace using the map with name in
the /etc/subgid file. Equivalent to the Podman --subgidname option.

SubUIDMap=
Run the container in a new user namespace using the map with name in
the /etc/subuid file. Equivalent to the Podman --subuidname option.

Sysctl=
Configures namespaced kernel parameters for the container. The format
is Sysctl=name=value.

This is a space separated list of kernel parameters. This key can be
listed multiple times.

For example:

Sysctl=net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.all.use_tempaddr=1

810 Tmpfs=
811 Mount a tmpfs in the container. This is equivalent to the Podman
812 --tmpfs option, and generally has the form CONTAINER-DIR[:OPTIONS].
813
814
815 This key can be listed multiple times.
816
817
818 Timezone= (if unset uses system-configured default)
819 The timezone to run the container in.
820
821
822 UIDMap=
823 Run the container in a new user namespace using the supplied UID map‐
824 ping. Equivalent to the Podman --uidmap option.
825
826
827 This key can be listed multiple times.
828
829
830 Ulimit=
831 Ulimit options. Sets the ulimits values inside of the container.
832
833
834 User=
835 The (numeric) UID to run as inside the container. This does not need to
836 match the UID on the host, which can be modified with UserNS, but if
837 that is not specified, this UID is also used on the host.
838
839
840 UserNS=
841 Set the user namespace mode for the container. This is equivalent to
842 the Podman --userns option and generally has the form MODE[:OP‐
843 TIONS,...].
844
845
846 Volume=
847 Mount a volume in the container. This is equivalent to the Podman
848 --volume option, and generally has the form [[SOURCE-VOLUME|HOST-
849 DIR:]CONTAINER-DIR[:OPTIONS]].
850
851
852 If SOURCE-VOLUME starts with ., Quadlet resolves the path relative to
853 the location of the unit file.
854
855
856 As a special case, if SOURCE-VOLUME ends with .volume, a Podman named
857 volume called systemd-$name is used as the source, and the generated
858 systemd service contains a dependency on the $name-volume.service. Such
859 a volume can be created automatically and lazily by using a $name.volume
860 Quadlet file.
861
862
863 This key can be listed multiple times.
864
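The following Python example, added here and not part of Podman or Quadlet, resolves a Volume= value by the rules above: a SOURCE-VOLUME ending in .volume becomes the named volume systemd-$name plus a dependency on $name-volume.service, a source starting with . is resolved against the directory holding the unit file, and anything else is passed through as a host directory or named volume. It follows the default naming only and does not read a VolumeName= override from the .volume file; the unit directory used in the usage is an assumption.

```python
"""Resolve a Quadlet Volume= value into the podman --volume argument it yields.

Added example, not Quadlet's own code. Implements the rules from the text:
SOURCE ending in .volume -> named volume systemd-$name with a dependency on
$name-volume.service; SOURCE starting with '.' -> path relative to the unit
file's directory; anything else is passed through unchanged.
"""
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VolumeMount:
    source: Optional[str]    # host dir or named volume; None for an anonymous volume
    target: str              # CONTAINER-DIR, must be absolute
    options: Optional[str]   # raw OPTIONS, e.g. "ro,Z"
    requires: Optional[str]  # systemd unit the generated service depends on, if any

    def podman_arg(self) -> str:
        """Render as the value the generated ExecStart passes to --volume."""
        parts = [p for p in (self.source, self.target, self.options) if p]
        return ":".join(parts)


def resolve_volume(value: str, unit_dir: str) -> VolumeMount:
    """Interpret one Volume= line of a .container file located in unit_dir.

    The value has the form [[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]].
    """
    parts = value.split(":")
    if len(parts) > 3:
        raise ValueError(f"too many ':' fields in Volume={value!r}")
    if len(parts) == 1:
        # Bare CONTAINER-DIR: Podman creates an anonymous volume for it.
        source, target, options = None, parts[0], None
    else:
        source, target = parts[0], parts[1]
        options = parts[2] if len(parts) == 3 else None
    if not target.startswith("/"):
        raise ValueError(f"CONTAINER-DIR must be absolute in Volume={value!r}")

    requires = None
    if source is not None and source.endswith(".volume"):
        # $name.volume -> volume systemd-$name, created by $name-volume.service
        name = source[: -len(".volume")]
        source, requires = f"systemd-{name}", f"{name}-volume.service"
    elif source is not None and source.startswith("."):
        # Relative host path, resolved against the directory of the unit file
        source = posixpath.normpath(posixpath.join(unit_dir, source))
    return VolumeMount(source, target, options, requires)


if __name__ == "__main__":
    # Assumed unit location; the three values are constructed examples.
    for spec in ("test.volume:/data", "./conf:/etc/app:ro,Z", "/var/lib/app:/data"):
        mount = resolve_volume(spec, "/etc/containers/systemd")
        print(f"{spec:25} -> --volume {mount.podman_arg():40} requires={mount.requires}")
```

Running it shows which generated service the .container unit will wait for and what path a relative source actually mounts, which is worth checking before a unit lands in /etc/containers/systemd.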
865
866 WorkingDir=
867 Working directory inside the container.
868
869
870 The default working directory for running binaries within a container
871 is the root directory (/). The image developer can set a different de‐
872 fault with the WORKDIR instruction. This option overrides the working
873 directory by using the -w option.
874
875
877 Kube units are named with a .kube extension and contain a [Kube] sec‐
878 tion describing how podman kube play runs as a service. The resulting
879 service file contains a line like ExecStart=podman kube play …
880 file.yml, and most of the keys in this section control the command-line
881 options passed to Podman. However, some options also affect the details
882 of how systemd is set up to run and interact with the container.
883
884
885 There is only one required key, Yaml, which defines the path to the Ku‐
886 bernetes YAML file.
887
888
889 Valid options for [Kube] are listed below:
890
891
892 ┌───────────────────────────────────┬────────────────────────────────────────────────────────────────┐
893 │[Kube] options │ podman kube play equivalent │
894 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
895 │AutoUpdate=registry │ --annotation "io.containers.autoupdate=registry" │
896 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
897 │ConfigMap=/tmp/config.map │ --config-map /tmp/config.map │
898 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
899 │ContainersConfModule=/etc/nvd.conf │ --module=/etc/nvd.conf │
900 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
901 │GlobalArgs=--log-level=debug │ --log-level=debug │
902 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
903 │KubeDownForce=true │ --force (for podman kube down) │
904 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
905 │LogDriver=journald │ --log-driver journald │
906 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
907 │Network=host │ --net host │
908 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
909 │PodmanArgs=--annotation=key=value │ --annotation=key=value │
910 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
911 │PublishPort=59-60 │ --publish=59-60 │
912 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
913 │SetWorkingDirectory=yaml │ Set WorkingDirectory of unit file to location of the YAML file │
914 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
915 │UserNS=keep-id:uid=200,gid=210 │ --userns keep-id:uid=200,gid=210 │
916 ├───────────────────────────────────┼────────────────────────────────────────────────────────────────┤
917 │Yaml=/tmp/kube.yaml │ podman kube play /tmp/kube.yaml │
918 └───────────────────────────────────┴────────────────────────────────────────────────────────────────┘
919
920 Supported keys in the [Kube] section are:
921
922
923 AutoUpdate=
924 Indicates whether containers will be auto-updated (podman-auto-up‐
925 date(1)). AutoUpdate can be specified multiple times. The following
926 values are supported:
927
928
929 • registry: Requires a fully-qualified image reference (e.g.,
930 quay.io/podman/stable:latest) to be used to create the con‐
931 tainer. This enforcement is necessary to know which images to
932 actually check and pull. If an image ID was used, Podman does
933 not know which image to check/pull anymore.
934
935 • local: Tells Podman to compare the image a container is using
936 to the image with its raw name in local storage. If an image
937 is updated locally, Podman simply restarts the systemd unit
938 executing the Kubernetes Quadlet.
939
940 • name/(local|registry): Tells Podman to perform the local or
941 registry autoupdate on the specified container name.
942
943
944
945 ConfigMap=
946 Pass the Kubernetes ConfigMap YAML path to podman kube play via the
947 --configmap argument. Unlike the --configmap argument, the value may
948 contain only one path, but it may be absolute or relative to the loca‐
949 tion of the unit file.
950
951
952 This key can be listed multiple times.
953
954
955 ContainersConfModule=
956 Load the specified containers.conf(5) module. Equivalent to the Podman
957 --module option.
958
959
960 This key can be listed multiple times.
961
962
963 ExitCodePropagation=
964 Control how the main PID of the systemd service should exit. Supported values:
965 • all: exit non-zero if all containers have failed (i.e., exited non-zero)
966 • any: exit non-zero if any container has failed
967 • none: exit zero and ignore failed containers
968
969
970 The current default value is none.
971
972
973 GlobalArgs=
974 This key contains a list of arguments passed directly between podman
975 and kube in the generated file (that is, as global Podman options be‐
976 fore the subcommand). It can be used to access Podman features other‐
977 wise unsupported by the generator. Since the generator is unaware of
978 what unexpected interactions can be caused by these arguments, it is
979 not recommended to use this option.
980
981
982 The format of this is a space separated list of arguments, which can
983 optionally be individually escaped to allow inclusion of whitespace and
984 other control characters.
985
986
987 This key can be listed multiple times.
988
989
990 KubeDownForce=
991 Remove all resources, including volumes, when calling podman kube down.
992 Equivalent to the Podman --force option.
993
994
995 LogDriver=
996 Set the log-driver Podman uses when running the container. Equivalent
997 to the Podman --log-driver option.
998
999
1000 Mask=
1001 Specify the paths to mask separated by a colon. Mask=/path/1:/path/2. A
1002 masked path cannot be accessed inside the container.
1003
1004
1005 Network=
1006 Specify a custom network for the container. This has the same format as
1007 the --network option to podman kube play. For example, use host to run
1008 the containers in the host's network namespace (giving up network iso‐
1009 lation), or none to not set up networking in the container.
1010
1011
1012 As a special case, if the name of the network ends with .network, a
1013 Podman network called systemd-$name is used, and the generated systemd
1014 service contains a dependency on the $name-network.service. Such a net‐
1015 work can be automatically created by using a $name.network Quadlet
1016 file.
1017
1018
1019 This key can be listed multiple times.
1020
1021
1022 PodmanArgs=
1023 This key contains a list of arguments passed directly to the end of the
1024 podman kube play command in the generated file (right before the path
1025 to the yaml file in the command line). It can be used to access Podman
1026 features otherwise unsupported by the generator. Since the generator is
1027 unaware of what unexpected interactions can be caused by these argu‐
1028 ments, it is not recommended to use this option.
1029
1030
1031 The format of this is a space separated list of arguments, which can
1032 optionally be individually escaped to allow inclusion of whitespace and
1033 other control characters.
1034
1035
1036 This key can be listed multiple times.
1037
1038
1039 PublishPort=
1040 Exposes a port, or a range of ports (e.g. 50-59), from the container to
1041 the host. Equivalent to podman kube play's --publish option. The for‐
1042 mat is similar to the Podman options, which is of the form ip:host‐
1043 Port:containerPort, ip::containerPort, hostPort:containerPort or con‐
1044 tainerPort, where the number of host and container ports must be the
1045 same (in the case of a range).
1046
1047
1048 If the IP is set to 0.0.0.0 or not set at all, the port is bound on all
1049 IPv4 addresses on the host; use [::] for IPv6.
1050
1051
1052 The list of published ports specified in the unit file is merged with
1053 the list of ports specified in the Kubernetes YAML file. If the same
1054 container port and protocol is specified in both, the entry from the
1055 unit file takes precedence.
1056
1057
1058 This key can be listed multiple times.
1059
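The following Python example, added here and not part of Podman or Quadlet, parses PublishPort= values in the four forms above (including ranges and a bracketed IPv6 address such as [::]) and applies the merge rule with the Kubernetes YAML ports: a unit-file entry replaces a YAML entry with the same container port and protocol, everything else is kept. The /tcp and /udp suffix follows Podman's --publish syntax; an absent or 0.0.0.0 address is flagged as binding all interfaces, which is the detail a reviewer usually wants to see. The YAML port list in the usage is constructed.

```python
"""Parse Quadlet PublishPort= values and merge them with Kubernetes YAML ports.

Added example, not Quadlet's own code. Handles the four forms from the text
(ip:hostPort:containerPort, ip::containerPort, hostPort:containerPort and
containerPort), port ranges, a bracketed IPv6 address such as [::], and the
merge rule under which a unit-file entry replaces a YAML entry with the same
container port and protocol. The /tcp, /udp suffix follows Podman's --publish
syntax; an absent or 0.0.0.0 address is reported as binding all interfaces.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive first and last port


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]        # None: not given, Podman binds all IPv4 addresses
    host_ports: Optional[Range]   # None: Podman assigns an ephemeral host port
    container_ports: Range
    protocol: str = "tcp"

    def binds_all_interfaces(self) -> bool:
        """True unless the host side is pinned to a specific address."""
        return self.host_ip in (None, "0.0.0.0", "::")


def _parse_range(text: str) -> Range:
    lo, _, hi = text.partition("-")
    first, last = int(lo), int(hi or lo)
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"invalid port range {text!r}")
    return first, last


def parse_publish_port(value: str) -> PortMapping:
    """Parse one PublishPort= value; raises ValueError on malformed input."""
    spec, _, proto = value.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {value!r}")

    host_ip: Optional[str] = None
    if spec.startswith("["):
        # [ipv6]:hostPort:containerPort, the address itself contains colons
        close = spec.index("]")
        host_ip, rest = spec[1:close], spec[close + 1:]
        if not rest.startswith(":"):
            raise ValueError(f"malformed IPv6 publish spec {value!r}")
        fields = rest[1:].split(":")
    else:
        fields = spec.split(":")
        if len(fields) == 3:
            host_ip, fields = fields[0], fields[1:]
        elif len(fields) == 1:
            fields = ["", fields[0]]
    if len(fields) != 2:
        raise ValueError(f"malformed publish spec {value!r}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)  # ValueError for anything that is not an address

    host_field, container_field = fields
    container = _parse_range(container_field)
    host = _parse_range(host_field) if host_field else None
    if host and host[1] - host[0] != container[1] - container[0]:
        raise ValueError(f"host and container ranges differ in length: {value!r}")
    return PortMapping(host_ip, host, container, proto)


def expand(mapping: PortMapping) -> List[PortMapping]:
    """Split a range mapping into one single-port mapping per container port."""
    first, last = mapping.container_ports
    out = []
    for i in range(last - first + 1):
        host = None
        if mapping.host_ports is not None:
            host = (mapping.host_ports[0] + i,) * 2
        out.append(replace(mapping, host_ports=host, container_ports=(first + i,) * 2))
    return out


def merge_ports(unit_values: List[str], yaml_ports: List[PortMapping]) -> List[PortMapping]:
    """Unit-file entries win over YAML entries with the same (container port, protocol)."""
    merged: Dict[Tuple[int, str], PortMapping] = {}
    for mapping in yaml_ports:
        for single in expand(mapping):
            merged[(single.container_ports[0], single.protocol)] = single
    for value in unit_values:
        for single in expand(parse_publish_port(value)):
            merged[(single.container_ports[0], single.protocol)] = single
    return [merged[key] for key in sorted(merged)]


if __name__ == "__main__":
    # Constructed inputs: two hostPort entries as a pod YAML would declare them,
    # and one PublishPort= line that pins port 80 to loopback instead.
    yaml_ports = [parse_publish_port("0.0.0.0:80:80"), parse_publish_port("0.0.0.0:53:53/udp")]
    for m in merge_ports(["127.0.0.1:8080:80"], yaml_ports):
        flag = "ALL INTERFACES" if m.binds_all_interfaces() else "pinned"
        print(m.host_ip, m.host_ports, m.container_ports, m.protocol, flag)
```

In the usage, the YAML's 0.0.0.0:80 entry is replaced by the loopback binding from the unit file while the UDP 53 entry survives unchanged, which is exactly the precedence rule described above.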
1060
1061 SetWorkingDirectory=
1062 Set the WorkingDirectory field of the Service group of the Systemd ser‐
1063 vice unit file. Used to allow podman kube play to correctly resolve
1064 relative paths. Supported values are yaml and unit to set the working
1065 directory to that of the YAML or Quadlet Unit file respectively.
1066
1067
1068 Alternatively, users can explicitly set the WorkingDirectory field of
1069 the Service group in the .kube file. Please note that if the Work‐
1070 ingDirectory field of the Service group is set, Quadlet will not set it
1071 even if SetWorkingDirectory is set.
1072
1073
1074 Unmask=
1075 Specify the paths to unmask separated by a colon: Unmask=ALL, Un‐
1076 mask=/path/1:/path/2, or shell-expanded paths such as /proc/*.
1077
1078
1079 If set to ALL, Podman will unmask all the paths that are masked or made
1080 read-only by default.
1081
1082
1083 The default masked paths are /proc/acpi, /proc/kcore, /proc/keys,
1084 /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list,
1085 /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.
1086
1087
1088 The default paths that are read-only are /proc/asound, /proc/bus,
1089 /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.
1090
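The following Python example, added here and not Podman or Quadlet code, computes which of the default protections listed above survive a given combination of Mask= and Unmask= values, including Unmask=ALL and the glob form. Podman expands Unmask= globs against the real host filesystem at run time; this example matches a glob against the two default lists only, which is enough to see what a unit file gives up when reviewing it offline but does not reproduce Podman's runtime behaviour. The unit values in the usage are constructed.

```python
"""Compute the paths left masked or read-only after Mask= and Unmask=.

Added example, not Quadlet or Podman code. The default lists are the ones
quoted in the text above. Podman expands Unmask= globs against the host
filesystem at run time; here a glob is matched against the two default
lists only, which is enough to review a unit file offline but is not a
reproduction of Podman's behaviour.
"""
import fnmatch
from typing import Iterable, List, Tuple

DEFAULT_MASKED = (
    "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats",
    "/proc/sched_debug", "/proc/scsi", "/proc/timer_list",
    "/proc/timer_stats", "/sys/firmware", "/sys/fs/selinux",
)
DEFAULT_READONLY = (
    "/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys",
    "/proc/sysrq-trigger", "/sys/fs/cgroup",
)


def _split(values: Iterable[str]) -> List[str]:
    """Mask= and Unmask= take colon separated lists and may be repeated."""
    out: List[str] = []
    for value in values:
        out.extend(p for p in value.split(":") if p)
    return out


def effective_paths(mask: Iterable[str] = (), unmask: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (masked, read_only) after applying all Mask= and Unmask= values."""
    masked = set(DEFAULT_MASKED) | set(_split(mask))
    read_only = set(DEFAULT_READONLY)
    patterns = _split(unmask)
    if "ALL" in patterns:
        # ALL drops every default protection; explicit Mask= paths stay in place
        masked, read_only = set(_split(mask)), set()
        patterns = [p for p in patterns if p != "ALL"]
    for pattern in patterns:
        masked = {p for p in masked if not fnmatch.fnmatchcase(p, pattern)}
        read_only = {p for p in read_only if not fnmatch.fnmatchcase(p, pattern)}
    return sorted(masked), sorted(read_only)


def exposed_by_unmask(unmask: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Default protections a given Unmask= removes: what a reviewer should look at."""
    masked, read_only = effective_paths((), unmask)
    return (sorted(set(DEFAULT_MASKED) - set(masked)),
            sorted(set(DEFAULT_READONLY) - set(read_only)))


if __name__ == "__main__":
    # Constructed unit value: the glob form mentioned in the text above
    lost_masked, lost_ro = exposed_by_unmask(["/proc/*"])
    print("Unmask=/proc/* exposes:", lost_masked)
    print("and makes writable:", lost_ro)
```

Unmask=/proc/* is a useful case to run: it exposes /proc/kcore and /proc/keys and makes /proc/sys and /proc/sysrq-trigger writable, which is considerably more than most units need.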
1091
1092 UserNS=
1093 Set the user namespace mode for the container. This is equivalent to
1094 the Podman --userns option and generally has the form MODE[:OP‐
1095 TIONS,...].
1096
1097
1098 Yaml=
1099 The path, absolute or relative to the location of the unit file, to the
1100 Kubernetes YAML file to use.
1101
1102
1104 Network files are named with a .network extension and contain a section
1105 [Network] describing the named Podman network. The generated service is
1106 a one-time command that ensures that the network exists on the host,
1107 creating it if needed.
1108
1109
1110 By default, the Podman network has the same name as the unit, but with
1111 a systemd- prefix, i.e. for a network file named $NAME.network, the
1112 generated Podman network is called systemd-$NAME, and the generated
1113 service file is $NAME-network.service. The NetworkName option allows
1114 for overriding this default name with a user-provided one.
1115
1116
1117 Please note that stopping the corresponding service will not remove the
1118 podman network. In addition, updating an existing network is not sup‐
1119 ported. In order to update the network parameters you will first need
1120 to manually remove the podman network and then restart the service.
1121
1122
1123 Using network units allows containers to depend on networks being auto‐
1124 matically pre-created. This is particularly interesting when using spe‐
1125 cial options to control network creation, as Podman otherwise creates
1126 networks with the default options.
1127
1128
1129 Valid options for [Network] are listed below:
1130
1131
1132 ┌───────────────────────────────────┬──────────────────────────────────┐
1133 │[Network] options │ podman network create equivalent │
1134 ├───────────────────────────────────┼──────────────────────────────────┤
1135 │ContainersConfModule=/etc/nvd.conf │ --module=/etc/nvd.conf │
1136 ├───────────────────────────────────┼──────────────────────────────────┤
1137 │DisableDNS=true │ --disable-dns │
1138 ├───────────────────────────────────┼──────────────────────────────────┤
1139 │DNS=192.168.55.1 │ --dns=192.168.55.1 │
1140 ├───────────────────────────────────┼──────────────────────────────────┤
1141 │Driver=bridge │ --driver bridge │
1142 ├───────────────────────────────────┼──────────────────────────────────┤
1143 │Gateway=192.168.55.3 │ --gateway 192.168.55.3 │
1144 ├───────────────────────────────────┼──────────────────────────────────┤
1145 │GlobalArgs=--log-level=debug │ --log-level=debug │
1146 ├───────────────────────────────────┼──────────────────────────────────┤
1147 │Internal=true │ --internal │
1148 ├───────────────────────────────────┼──────────────────────────────────┤
1149 │IPAMDriver=dhcp │ --ipam-driver dhcp │
1150 ├───────────────────────────────────┼──────────────────────────────────┤
1151 │IPRange=192.168.55.128/25 │ --ip-range 192.168.55.128/25 │
1152 ├───────────────────────────────────┼──────────────────────────────────┤
1153 │IPv6=true │ --ipv6 │
1154 ├───────────────────────────────────┼──────────────────────────────────┤
1155 │Label="XYZ" │ --label "XYZ" │
1156 ├───────────────────────────────────┼──────────────────────────────────┤
1157 │NetworkName=foo │ podman network create foo │
1158 ├───────────────────────────────────┼──────────────────────────────────┤
1159 │Options=isolate │ --opt isolate │
1160 ├───────────────────────────────────┼──────────────────────────────────┤
1161 │PodmanArgs=--dns=192.168.55.1 │ --dns=192.168.55.1 │
1162 ├───────────────────────────────────┼──────────────────────────────────┤
1163 │Subnet=192.5.0.0/16 │ --subnet 192.5.0.0/16 │
1164 └───────────────────────────────────┴──────────────────────────────────┘
1165
1166 Supported keys in [Network] section are:
1167
1168
1169 ContainersConfModule=
1170 Load the specified containers.conf(5) module. Equivalent to the Podman
1171 --module option.
1172
1173
1174 This key can be listed multiple times.
1175
1176
1177 DisableDNS= (defaults to no)
1178 If enabled, disables the DNS plugin for this network.
1179
1180
1181 This is equivalent to the Podman --disable-dns option.
1182
1183
1184 DNS=
1185 Set network-scoped DNS resolver/nameserver for containers in this net‐
1186 work.
1187
1188
1189 This key can be listed multiple times.
1190
1191
1192 Driver= (defaults to bridge)
1193 Driver to manage the network. Currently bridge, macvlan and ipvlan are
1194 supported.
1195
1196
1197 This is equivalent to the Podman --driver option.
1198
1199
1200 Gateway=
1201 Define a gateway for the subnet. If you want to provide a gateway ad‐
1202 dress, you must also provide a subnet option.
1203
1204
1205 This is equivalent to the Podman --gateway option.
1206
1207
1208 This key can be listed multiple times.
1209
1210
1211 GlobalArgs=
1212 This key contains a list of arguments passed directly between podman
1213 and network in the generated file (that is, as global Podman options
1214 before the subcommand). It can be used to access Podman features other‐
1215 wise unsupported by the generator. Since the generator is unaware of
1216 what unexpected interactions can be caused by these arguments, it is
1217 not recommended to use this option.
1218
1219
1220 The format of this is a space separated list of arguments, which can
1221 optionally be individually escaped to allow inclusion of whitespace and
1222 other control characters.
1223
1224
1225 This key can be listed multiple times.
1226
1227
1228 Internal= (defaults to no)
1229 Restrict external access of this network.
1230
1231
1232 This is equivalent to the Podman --internal option.
1233
1234
1235 IPAMDriver=
1236 Set the ipam driver (IP Address Management Driver) for the network.
1237 Currently host-local, dhcp and none are supported.
1238
1239
1240 This is equivalent to the Podman --ipam-driver option.
1241
1242
1243 IPRange=
1244 Allocate container IPs from a range. The range must be either a com‐
1245 plete subnet in CIDR notation or be in the <startIP>-<endIP> syntax,
1246 which allows for a more flexible range compared to the CIDR subnet.
1247 The IPRange option must be used together with a Subnet option.
1248
1249
1250 This is equivalent to the Podman --ip-range option.
1251
1252
1253 This key can be listed multiple times.
1254
1255
1256 IPv6=
1257 Enable IPv6 (Dual Stack) networking.
1258
1259
1260 This is equivalent to the Podman --ipv6 option.
1261
1262
1263 Label=
1264 Set one or more OCI labels on the network. The format is a list of
1265 key=value items, similar to Environment.
1266
1267
1268 This key can be listed multiple times.
1269
1270
1271 NetworkName=
1272 The (optional) name of the Podman network. If this is not specified,
1273 the default value of systemd-%N is used, which is the same as the unit
1274 name but with a systemd- prefix to avoid conflicts with user-managed
1275 networks.
1276
1277
1278 Options=
1279 Set driver specific options.
1280
1281
1282 This is equivalent to the Podman --opt option.
1283
1284
1285 PodmanArgs=
1286 This key contains a list of arguments passed directly to the end of the
1287 podman network create command in the generated file (right before the
1288 name of the network in the command line). It can be used to access Pod‐
1289 man features otherwise unsupported by the generator. Since the genera‐
1290 tor is unaware of what unexpected interactions can be caused by these
1291 arguments, it is not recommended to use this option.
1292
1293
1294 The format of this is a space separated list of arguments, which can
1295 optionally be individually escaped to allow inclusion of whitespace and
1296 other control characters.
1297
1298
1299 This key can be listed multiple times.
1300
1301
1302 Subnet=
1303 The subnet in CIDR notation.
1304
1305
1306 This is equivalent to the Podman --subnet option.
1307
1308
1309 This key can be listed multiple times.
1310
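The following Python example, added here and not part of Podman or Quadlet, checks the address keys of a [Network] unit against the constraints stated above (Gateway= and IPRange= require Subnet=; IPRange= is a CIDR block or a <startIP>-<endIP> range) and, going a step further than the text, verifies that each gateway and range actually falls inside one of the declared subnets, which is the kind of inconsistency podman network create rejects at start time. Because the network service is a one-time command and an existing network is not updated, catching this before daemon-reload saves a remove-and-restart cycle. Keys are passed as lists of values since each may be listed multiple times; the inputs in the usage are constructed.

```python
"""Validate the address keys of a Quadlet [Network] unit before it is loaded.

Added example, not part of Quadlet. Checks that Gateway= and IPRange= come
with a Subnet=, that Subnet= is a valid CIDR block, that IPRange= is either
a CIDR block or a <startIP>-<endIP> range, and that gateway and range lie
inside one of the declared subnets.
"""
import ipaddress
from typing import Dict, List

NetworkKeys = Dict[str, List[str]]  # e.g. {"Subnet": ["172.16.0.0/24"], "Gateway": ["172.16.0.1"]}


def _parse_ip_range(text: str):
    """Return (first, last) addresses for a CIDR block or a start-end range."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid address range {text!r}")
        return start, end
    net = ipaddress.ip_network(text, strict=True)
    return net[0], net[-1]


def validate_network(keys: NetworkKeys) -> List[str]:
    """Return problems found; an empty list means the address keys are consistent."""
    problems: List[str] = []
    declared = keys.get("Subnet", [])
    subnets = []
    for text in declared:
        try:
            subnets.append(ipaddress.ip_network(text, strict=True))
        except ValueError as err:
            problems.append(f"Subnet={text}: {err}")

    def inside(addr) -> bool:
        return any(addr.version == net.version and addr in net for net in subnets)

    for text in keys.get("Gateway", []):
        if not declared:
            problems.append(f"Gateway={text} requires a Subnet=")
            continue
        try:
            gateway = ipaddress.ip_address(text)
        except ValueError as err:
            problems.append(f"Gateway={text}: {err}")
            continue
        if not inside(gateway):
            problems.append(f"Gateway={text} is outside every declared Subnet=")

    for text in keys.get("IPRange", []):
        if not declared:
            problems.append(f"IPRange={text} requires a Subnet=")
            continue
        try:
            first, last = _parse_ip_range(text)
        except ValueError as err:
            problems.append(f"IPRange={text}: {err}")
            continue
        if not (inside(first) and inside(last)):
            problems.append(f"IPRange={text} is not contained in a declared Subnet=")
    return problems


if __name__ == "__main__":
    # Constructed [Network] keys shaped like the test.network example further down
    print(validate_network({"Subnet": ["172.16.0.0/24"], "Gateway": ["172.16.0.1"],
                            "IPRange": ["172.16.0.0/28"]}))
    print(validate_network({"Subnet": ["192.5.0.0/16"], "Gateway": ["192.168.55.3"]}))
```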
1311
1313 Volume files are named with a .volume extension and contain a section
1314 [Volume] describing the named Podman volume. The generated service is a
1315 one-time command that ensures that the volume exists on the host, cre‐
1316 ating it if needed.
1317
1318
1319 By default, the Podman volume has the same name as the unit, but with a
1320 systemd- prefix, i.e. for a volume file named $NAME.volume, the gener‐
1321 ated Podman volume is called systemd-$NAME, and the generated service
1322 file is $NAME-volume.service. The VolumeName option allows for overrid‐
1323 ing this default name with a user-provided one.
1324
1325
1326 Using volume units allows containers to depend on volumes being auto‐
1327 matically pre-created. This is particularly interesting when using spe‐
1328 cial options to control volume creation, as Podman otherwise creates
1329 volumes with the default options.
1330
1331
1332 Valid options for [Volume] are listed below:
1333
1334
1335 ┌───────────────────────────────────┬─────────────────────────────────┐
1336 │[Volume] options │ podman volume create equivalent │
1337 ├───────────────────────────────────┼─────────────────────────────────┤
1338 │ContainersConfModule=/etc/nvd.conf │ --module=/etc/nvd.conf │
1339 ├───────────────────────────────────┼─────────────────────────────────┤
1340 │Copy=true │ --opt copy │
1341 ├───────────────────────────────────┼─────────────────────────────────┤
1342 │Device=tmpfs │ --opt device=tmpfs │
1343 ├───────────────────────────────────┼─────────────────────────────────┤
1344 │Driver=image │ --driver=image │
1345 ├───────────────────────────────────┼─────────────────────────────────┤
1346 │GlobalArgs=--log-level=debug │ --log-level=debug │
1347 ├───────────────────────────────────┼─────────────────────────────────┤
1348 │Group=192 │ --opt group=192 │
1349 ├───────────────────────────────────┼─────────────────────────────────┤
1350 │Image=quay.io/centos/centos:latest │ --opt image=quay.io/centos/cen‐ │
1351 │ │ tos:latest │
1352 ├───────────────────────────────────┼─────────────────────────────────┤
1353 │Label="foo=bar" │ --label "foo=bar" │
1354 ├───────────────────────────────────┼─────────────────────────────────┤
1355 │Options=XYZ │ --opt XYZ │
1356 ├───────────────────────────────────┼─────────────────────────────────┤
1357 │PodmanArgs=--driver=image │ --driver=image │
1358 ├───────────────────────────────────┼─────────────────────────────────┤
1359 │VolumeName=foo │ podman volume create foo │
1360 └───────────────────────────────────┴─────────────────────────────────┘
1361
1362 Supported keys in [Volume] section are:
1363
1364
1365 ContainersConfModule=
1366 Load the specified containers.conf(5) module. Equivalent to the Podman
1367 --module option.
1368
1369
1370 This key can be listed multiple times.
1371
1372
1373 Copy= (defaults to yes)
1374 If enabled, the content of the image located at the mountpoint of the
1375 volume is copied into the volume on the first run.
1376
1377
1378 Device=
1379 The path of a device which is mounted for the volume.
1380
1381
1382 Driver=
1383 Specify the volume driver name. When set to image, the Image key must
1384 also be set.
1385
1386
1387 This is equivalent to the Podman --driver option.
1388
1389
1390 GlobalArgs=
1391 This key contains a list of arguments passed directly between podman
1392 and volume in the generated file (that is, as global Podman options
1393 before the subcommand). It can be used to access Podman features other‐
1394 wise unsupported by the generator. Since the generator is unaware of
1395 what unexpected interactions can be caused by these arguments, it is
1396 not recommended to use this option.
1397
1398
1399 The format of this is a space separated list of arguments, which can
1400 optionally be individually escaped to allow inclusion of whitespace and
1401 other control characters.
1402
1403
1404 This key can be listed multiple times.
1405
1406
1407 Group=
1408 The host (numeric) GID, or group name, to use as the group for the vol‐
1409 ume.
1410
1411
1412 Image=
1413 Specifies the image the volume is based on when Driver is set to image.
1414 It is recommended to use a fully qualified image name rather than a
1415 short name, both for performance and robustness reasons.
1416
1417
1418 The format of the name is the same as when passed to podman pull. So,
1419 it supports using :tag or digests to guarantee the specific image ver‐
1420 sion.
1421
1422
1423 As a special case, if the name of the image ends with .image, Quadlet
1424 will use the image pulled by the corresponding .image file, and the
1425 generated systemd service contains a dependency on the $name-image.ser‐
1426 vice. Note that the corresponding .image file must exist.
1427
1428
1429 Label=
1430 Set one or more OCI labels on the volume. The format is a list of
1431 key=value items, similar to Environment.
1432
1433
1434 This key can be listed multiple times.
1435
1436
1437 Options=
1438 The mount options to use for a filesystem, as used by the mount(8) com‐
1439 mand's -o option.
1440
1441
1442 PodmanArgs=
1443 This key contains a list of arguments passed directly to the end of the
1444 podman volume create command in the generated file (right before the
1445 name of the volume in the command line). It can be used to access Pod‐
1446 man features otherwise unsupported by the generator. Since the genera‐
1447 tor is unaware of what unexpected interactions can be caused by these
1448 arguments, it is not recommended to use this option.
1449
1450
1451 The format of this is a space separated list of arguments, which can
1452 optionally be individually escaped to allow inclusion of whitespace and
1453 other control characters.
1454
1455
1456 This key can be listed multiple times.
1457
1458
1459 Type=
1460 The filesystem type of Device, as used by the mount(8) command's -t op‐
1461 tion.
1462
1463
1464 User=
1465 The host (numeric) UID, or user name, to use as the owner for the volume.
1466
1467
1468 VolumeName=
1469 The (optional) name of the Podman volume. If this is not specified, the
1470 default value of systemd-%N is used, which is the same as the unit name
1471 but with a systemd- prefix to avoid conflicts with user-managed vol‐
1472 umes.
1473
1474
1476 Image files are named with a .image extension and contain a section
1477 [Image] describing the container image pull command. The generated ser‐
1478 vice is a one-time command that ensures that the image exists on the
1479 host, pulling it if needed.
1480
1481
1482 Using image units allows containers and volumes to depend on images be‐
1483 ing automatically pulled. This is particularly interesting when using
1484 special options to control image pulls.
1485
1486
1487 Valid options for [Image] are listed below:
1488
1489
1490 ┌──────────────────────────────────────┬────────────────────────────────────────────────┐
1491 │[Image] options │ podman image pull equivalent │
1492 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1493 │AllTags=true │ --all-tags │
1494 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1495 │Arch=aarch64 │ --arch=aarch64 │
1496 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1497 │AuthFile=/etc/registry/auth.json │ --authfile=/etc/registry/auth.json │
1498 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1499 │CertDir=/etc/registry/certs │ --cert-dir=/etc/registry/certs │
1500 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1501 │ContainersConfModule=/etc/nvd.conf │ --module=/etc/nvd.conf │
1502 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1503 │Creds=myname:mypassword │ --creds=myname:mypassword │
1504 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1505 │DecryptionKey=/etc/registry.key │ --decryption-key=/etc/registry.key │
1506 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1507 │GlobalArgs=--log-level=debug │ --log-level=debug │
1508 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1509 │Image=quay.io/centos/centos:latest │ podman image pull quay.io/centos/centos:latest │
1510 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1511 │ImageTag=quay.io/centos/centos:latest │ Use this name when resolving .image references │
1512 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1513 │OS=windows │ --os=windows │
1514 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1515 │PodmanArgs=--os=linux │ --os=linux │
1516 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1517 │TLSVerify=false │ --tls-verify=false │
1518 ├──────────────────────────────────────┼────────────────────────────────────────────────┤
1519 │Variant=arm/v7 │ --variant=arm/v7 │
1520 └──────────────────────────────────────┴────────────────────────────────────────────────┘
1521
1522 AllTags=
1523 All tagged images in the repository are pulled.
1524
1525
1526 This is equivalent to the Podman --all-tags option.
1527
1528
1529 Arch=
1530 Override the architecture of the image to be pulled (defaults to the
1531 host's architecture).
1532
1533
1534 This is equivalent to the Podman --arch option.
1535
1536
1537 AuthFile=
1538 Path of the authentication file.
1539
1540
1541 This is equivalent to the Podman --authfile option.
1542
1543
1544 CertDir=
1545 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
1546 istry.
1547
1548
1549 This is equivalent to the Podman --cert-dir option.
1550
1551
1552 ContainersConfModule=
1553 Load the specified containers.conf(5) module. Equivalent to the Podman
1554 --module option.
1555
1556
1557 This key can be listed multiple times.
1558
1559
1560 Creds=
1561 The [username[:password]] to use to authenticate with the registry, if
1562 required. The value ends up on the generated ExecStart= line, where it
1563 is readable via systemctl cat and in the process list; prefer AuthFile=.
1564
1565 This is equivalent to the Podman --creds option.
1566
1567
1568 DecryptionKey=
1569 The [key[:passphrase]] to be used for decryption of images.
1570
1571
1572 This is equivalent to the Podman --decryption-key option.
1573
1574
1575 GlobalArgs=
1576 This key contains a list of arguments passed directly between podman
1577 and image in the generated file (that is, as global Podman options
1578 before the subcommand). It can be used to access Podman features other‐
1579 wise unsupported by the generator. Since the generator is unaware of
1580 what unexpected interactions can be caused by these arguments, it is
1581 not recommended to use this option.
1582
1583
1584 The format of this is a space separated list of arguments, which can
1585 optionally be individually escaped to allow inclusion of whitespace and
1586 other control characters.
1587
1588
1589 This key can be listed multiple times.
1590
1591
1592 Image=
1593 The image to pull. It is recommended to use a fully qualified image
1594 name rather than a short name, both for performance and robustness rea‐
1595 sons.
1596
1597
1598 The format of the name is the same as when passed to podman pull. So,
1599 it supports using :tag or digests to guarantee the specific image ver‐
1600 sion.
1601
1602
1603 ImageTag=
1604 Actual FQIN of the referenced Image. Only meaningful when the source is
1605 a file or directory archive.
1606
1607
1608 For example, an image saved into a docker-archive with the following
1609 Podman command:
1610
1611
1612 podman image save --format docker-archive --output /tmp/archive-
1613 file.tar quay.io/podman/stable:latest
1614
1615
1616 requires setting Image=docker-archive:/tmp/archive-file.tar and
1617 ImageTag=quay.io/podman/stable:latest.
1618
1619
1620 OS=
1621 Override the OS of the image to be pulled (defaults to the host's OS).
1622
1623
1624 This is equivalent to the Podman --os option.
1625
1626
1627 PodmanArgs=
1628 This key contains a list of arguments passed directly to the end of the
1629 podman image pull command in the generated file (right before the image
1630 name in the command line). It can be used to access Podman features
1631 otherwise unsupported by the generator. Since the generator is unaware
1632 of what unexpected interactions can be caused by these arguments, it is
1633 not recommended to use this option.
1634
1635
1636 The format of this is a space separated list of arguments, which can
1637 optionally be individually escaped to allow inclusion of whitespace and
1638 other control characters.
1639
1640
1641 This key can be listed multiple times.
1642
1643
1644 TLSVerify=
1645 Require HTTPS and verification of certificates when contacting reg‐
1646 istries. Setting it to false accepts plain HTTP and unverified cer‐
1647 tificates, so use it only for trusted, isolated registries.
1648
1649 This is equivalent to the Podman --tls-verify option.
1650
1651
1652 Variant=
1653 Override the default architecture variant of the container image.
1654
1655
1656 This is equivalent to the Podman --variant option.
1657
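The following Python example, added here and not part of Podman or Quadlet, reviews an .image file against the keys above: TLSVerify=false, inline Creds=, an Image= that is a short name or is not pinned by digest, and an archive source (docker-archive:, dir:, ...) without the ImageTag= it needs. The small INI reader keeps repeated keys as lists, since systemd syntax allows a key more than once. The sample unit is constructed from the table rows above and is not a real deployment.

```python
"""Review an .image Quadlet unit for pull-hardening problems.

Added example, not Quadlet's own code. The INI reader keeps repeated keys
because systemd syntax allows a key more than once. Findings follow the
keys documented above: TLSVerify=false accepts plain HTTP and unverified
certificates; Creds= lands on the generated ExecStart line; a short name or
a tag without a digest does not pin the image; an archive source (for
example docker-archive:) needs ImageTag= for .image references to resolve.
"""
import re
from typing import Dict, List

Unit = Dict[str, Dict[str, List[str]]]

# First path component carries a dot or a port, i.e. it names a registry host
_REGISTRY_HOST = re.compile(r"^[^/]+[.:][^/]*/")
_ARCHIVE_TRANSPORTS = ("docker-archive:", "oci-archive:", "dir:", "oci:")


def parse_unit(text: str) -> Unit:
    """Minimal systemd-style INI reader: section -> key -> list of values."""
    unit: Unit = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"cannot parse line {raw!r}")
        key, _, value = line.partition("=")
        unit[section].setdefault(key.strip(), []).append(value.strip())
    return unit


def lint_image_unit(text: str) -> List[str]:
    """Return review findings for the [Image] section; empty means nothing to report."""
    image = parse_unit(text).get("Image", {})
    findings: List[str] = []

    for value in image.get("TLSVerify", []):
        if value.lower() in ("false", "no", "0", "off"):
            findings.append("TLSVerify=false: plain HTTP and unverified certificates are accepted")
    if "Creds" in image:
        findings.append("Creds= embeds registry credentials in the generated ExecStart line; prefer AuthFile=")

    refs = image.get("Image", [])
    if not refs:
        findings.append("Image= is required")
    for ref in refs:
        if ref.startswith(_ARCHIVE_TRANSPORTS):
            if "ImageTag" not in image:
                findings.append(f"Image={ref} needs ImageTag= so .image references resolve")
            continue
        if not _REGISTRY_HOST.match(ref) and ref.split("/")[0] != "localhost":
            findings.append(f"Image={ref} is a short name; use a fully qualified name")
        if "@sha256:" not in ref:
            findings.append(f"Image={ref} is not pinned by digest; the tag can move")
    if "ImageTag" in image and not any(r.startswith(_ARCHIVE_TRANSPORTS) for r in refs):
        findings.append("ImageTag= only applies when Image= is a file or directory archive")
    return findings


# Constructed .image unit mirroring the table rows above; not a real deployment.
SAMPLE_IMAGE_UNIT = """\
[Image]
Image=quay.io/centos/centos:latest
Creds=myname:mypassword
TLSVerify=false
"""

if __name__ == "__main__":
    for finding in lint_image_unit(SAMPLE_IMAGE_UNIT):
        print("-", finding)
```

The digest finding is informational rather than an error: the text above recommends a fully qualified name and notes that digests guarantee a specific version, which is what a reviewer wants when the unit is also subject to AutoUpdate= or a shared tag.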
1658
1660 Example test.container:
1661
1662 [Unit]
1663 Description=A minimal container
1664
1665 [Container]
1666 # Use the centos image
1667 Image=quay.io/centos/centos:latest
1668
1669 # Use volume and network defined below
1670 Volume=test.volume:/data
1671 Network=test.network
1672
1673 # In the container we just run sleep
1674 Exec=sleep 60
1675
1676 [Service]
1677 # Restart service when sleep finishes
1678 Restart=always
1679 # Extend Timeout to allow time to pull the image
1680 TimeoutStartSec=900
1681 # ExecStartPre flag and other systemd commands can go here, see systemd.unit(5) man page.
1682 ExecStartPre=/usr/share/mincontainer/setup.sh
1683
1684 [Install]
1685 # Start by default on boot
1686 WantedBy=multi-user.target default.target
1687
1688
1689
1690 Example test.kube:
1691
1692 [Unit]
1693 Description=A kubernetes yaml based service
1694 Before=local-fs.target
1695
1696 [Kube]
1697 Yaml=/opt/k8s/deployment.yml
1698
1699 [Install]
1700 # Start by default on boot
1701 WantedBy=multi-user.target default.target
1702
1703
1704
1705 Example test.volume:
1706
1707 [Volume]
1708 User=root
1709 Group=root
1710 Label=org.test.Key=value
1711
1712
1713
1714 Example test.network:
1715
1716 [Network]
1717 Subnet=172.16.0.0/24
1718 Gateway=172.16.0.1
1719 IPRange=172.16.0.0/28
1720 Label=org.test.Key=value
1721
1722
1723
1725 systemd.unit(5), systemd.service(5), podman-run(1), podman-network-cre‐
1726 ate(1), podman-auto-update(1)
1727
1728
1729