45 | 45 |
The containers table contains settings pertaining to the OCI runtime that can
|
46 | 46 |
configure and manage the OCI runtime.
|
47 | 47 |
|
48 | |
**devices**=[]
|
49 | |
|
50 | |
List of devices.
|
51 | |
Specified as 'device-on-host:device-on-container:permissions'.
|
52 | |
|
53 | |
Example: "/dev/sdc:/dev/xvdc:rwm".
|
54 | |
|
55 | |
**volumes**=[]
|
56 | |
|
57 | |
List of volumes.
|
58 | |
Specified as "directory-on-host:directory-in-container:options".
|
59 | |
|
60 | |
Example: "/db:/var/lib/db:ro".
|
|
48 |
**annotations** = []
|
|
49 |
List of annotations. Specified as "key=value" pairs to be added to all containers.
|
|
50 |
|
|
51 |
Example: "run.oci.keep_original_groups=1"
|
61 | 52 |
|
62 | 53 |
**apparmor_profile**="container-default"
|
63 | 54 |
|
64 | 55 |
Used to change the name of the default AppArmor profile of container engines.
|
65 | 56 |
The default profile name is "container-default".
|
66 | |
|
67 | |
**cgroupns**="private"
|
68 | |
|
69 | |
Default way to to create a cgroup namespace for the container.
|
70 | |
Options are:
|
71 | |
`private` Create private Cgroup Namespace for the container.
|
72 | |
`host` Share host Cgroup Namespace with the container.
|
73 | 57 |
|
74 | 58 |
**cgroups**="enabled"
|
75 | 59 |
|
|
78 | 62 |
`enabled` Enable cgroup support within container
|
79 | 63 |
`disabled` Disable cgroup support, will inherit cgroups from parent
|
80 | 64 |
`no-conmon` Do not create a cgroup dedicated to conmon.
|
|
65 |
|
|
66 |
**cgroupns**="private"
|
|
67 |
|
|
68 |
Default way to to create a cgroup namespace for the container.
|
|
69 |
Options are:
|
|
70 |
`private` Create private Cgroup Namespace for the container.
|
|
71 |
`host` Share host Cgroup Namespace with the container.
|
81 | 72 |
|
82 | 73 |
**default_capabilities**=[]
|
83 | 74 |
|
|
116 | 107 |
|
117 | 108 |
Example: "nofile=1024:2048".
|
118 | 109 |
|
|
110 |
**devices**=[]
|
|
111 |
|
|
112 |
List of devices.
|
|
113 |
Specified as 'device-on-host:device-on-container:permissions'.
|
|
114 |
|
|
115 |
Example: "/dev/sdc:/dev/xvdc:rwm".
|
|
116 |
|
119 | 117 |
**dns_options**=[]
|
120 | 118 |
|
121 | 119 |
List of default DNS options to be added to /etc/resolv.conf inside of the
|
|
200 | 198 |
Create /etc/hosts for the container. By default, container engines manage
|
201 | 199 |
/etc/hosts, automatically adding the container's own IP address.
|
202 | 200 |
|
|
201 |
**pidns**="private"
|
|
202 |
|
|
203 |
Default way to to create a PID namespace for the container.
|
|
204 |
Options are:
|
|
205 |
`private` Create private PID Namespace for the container.
|
|
206 |
`host` Share host PID Namespace with the container.
|
|
207 |
|
203 | 208 |
**pids_limit**=1024
|
204 | 209 |
|
205 | 210 |
Maximum number of processes allowed in a container. 0 indicates that no limit
|
206 | 211 |
is imposed.
|
207 | |
|
208 | |
**pidns**="private"
|
209 | |
|
210 | |
Default way to to create a PID namespace for the container.
|
211 | |
Options are:
|
212 | |
`private` Create private PID Namespace for the container.
|
213 | |
`host` Share host PID Namespace with the container.
|
214 | 212 |
|
215 | 213 |
**seccomp_profile**="/usr/share/containers/seccomp.json"
|
216 | 214 |
|
|
239 | 237 |
|
240 | 238 |
Sets umask inside the container.
|
241 | 239 |
|
|
240 |
**userns**="host"
|
|
241 |
|
|
242 |
Default way to to create a USER namespace for the container.
|
|
243 |
Options are:
|
|
244 |
`private` Create private USER Namespace for the container.
|
|
245 |
`host` Share host USER Namespace with the container.
|
|
246 |
|
|
247 |
**userns_size**=65536
|
|
248 |
|
|
249 |
Number of UIDs to allocate for the automatic container creation. UIDs are
|
|
250 |
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
|
|
251 |
|
242 | 252 |
**utsns**="private"
|
243 | 253 |
|
244 | 254 |
Default way to to create a UTS namespace for the container.
|
|
246 | 256 |
`private` Create private UTS Namespace for the container.
|
247 | 257 |
`host` Share host UTS Namespace with the container.
|
248 | 258 |
|
249 | |
**userns**="host"
|
250 | |
|
251 | |
Default way to to create a USER namespace for the container.
|
252 | |
Options are:
|
253 | |
`private` Create private USER Namespace for the container.
|
254 | |
`host` Share host USER Namespace with the container.
|
255 | |
|
256 | |
**userns_size**=65536
|
257 | |
|
258 | |
Number of UIDs to allocate for the automatic container creation. UIDs are
|
259 | |
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
|
260 | 259 |
|
261 | 260 |
## NETWORK TABLE
|
262 | 261 |
The `network` table contains settings pertaining to the management of CNI
|
|
274 | 273 |
|
275 | 274 |
Path to the directory where CNI configuration files are located.
|
276 | 275 |
|
|
276 |
**volumes**=[]
|
|
277 |
|
|
278 |
List of volumes.
|
|
279 |
Specified as "directory-on-host:directory-in-container:options".
|
|
280 |
|
|
281 |
Example: "/db:/var/lib/db:ro".
|
|
282 |
|
277 | 283 |
## ENGINE TABLE
|
278 | 284 |
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
|
279 | 285 |
|
280 | |
**image_default_format**="oci"|"v2s2"|"v2s1"
|
281 | |
|
282 | |
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
283 | |
container images. By default images pulled and pushed match the format of the
|
284 | |
source image. Building/committing defaults to OCI.
|
285 | |
Note: **image_build_format** is deprecated.
|
|
286 |
**active_service**=""
|
|
287 |
|
|
288 |
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
|
286 | 289 |
|
287 | 290 |
**cgroup_check**=false
|
288 | 291 |
|
|
349 | 352 |
|
350 | 353 |
Path to the OCI hooks directories for automatically executed hooks.
|
351 | 354 |
|
|
355 |
**image_default_format**="oci"|"v2s2"|"v2s1"
|
|
356 |
|
|
357 |
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
|
|
358 |
container images. By default images pulled and pushed match the format of the
|
|
359 |
source image. Building/committing defaults to OCI.
|
|
360 |
Note: **image_build_format** is deprecated.
|
|
361 |
|
352 | 362 |
**image_default_transport**="docker://"
|
353 | 363 |
|
354 | 364 |
Default transport method for pulling and pushing images.
|
|
365 |
|
|
366 |
**image_parallel_copies**=0
|
|
367 |
|
|
368 |
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
|
369 |
Not setting this field will fall back to containers/image defaults. (6)
|
355 | 370 |
|
356 | 371 |
**infra_command**="/pause"
|
357 | 372 |
|
|
363 | 378 |
pod, we start a `pause` process in a container to hold open the namespaces
|
364 | 379 |
associated with the pod. This container does nothing other then sleep,
|
365 | 380 |
reserving the pods resources for the lifetime of the pod.
|
366 | |
|
367 | |
**image_parallel_copies**=0
|
368 | |
|
369 | |
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
|
370 | |
Not setting this field will fall back to containers/image defaults. (6)
|
371 | 381 |
|
372 | 382 |
**lock_type**="shm"
|
373 | 383 |
|
|
410 | 420 |
changed, a lock renumbering must be performed, using the
|
411 | 421 |
`podman system renumber` command.
|
412 | 422 |
|
413 | |
**active_service**=""
|
414 | |
|
415 | |
Name of destination for accessing the Podman service.
|
416 | |
|
417 | |
**[service_destinations]**
|
|
423 |
**pull_policy**="always"|"missing"|"never"
|
|
424 |
|
|
425 |
Pull image before running or creating a container. The default is **missing**.
|
|
426 |
|
|
427 |
- **missing**: attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist. Raise an error if the image is not in any listed registry and is not present locally.
|
|
428 |
- **always**: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally.
|
|
429 |
- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.
|
|
430 |
|
|
431 |
**remote** = false
|
|
432 |
Indicates whether the application should be running in remote mode. This flag modifies the
|
|
433 |
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
|
|
434 |
|
|
435 |
**runtime**=""
|
|
436 |
|
|
437 |
Default OCI specific runtime in runtimes that will be used by default. Must
|
|
438 |
refer to a member of the runtimes table. Default runtime will be searched for
|
|
439 |
on the system using the priority: "crun", "runc", "kata".
|
|
440 |
|
|
441 |
**runtime_supports_json**=["crun", "runc", "kata"]
|
|
442 |
|
|
443 |
The list of the OCI runtimes that support `--format=json`.
|
|
444 |
|
|
445 |
**runtime_supports_nocgroups**=["crun"]
|
|
446 |
|
|
447 |
The list of OCI runtimes that support running containers without CGroups.
|
|
448 |
|
|
449 |
**runtime_supports_kvm**=["kata"]
|
|
450 |
|
|
451 |
The list of OCI runtimes that support running containers with KVM separation.
|
|
452 |
|
|
453 |
**static_dir**="/var/lib/containers/storage/libpod"
|
|
454 |
|
|
455 |
Directory for persistent libpod files (database, etc).
|
|
456 |
By default this will be configured relative to where containers/storage
|
|
457 |
stores containers.
|
|
458 |
|
|
459 |
**stop_timeout**=10
|
|
460 |
|
|
461 |
Number of seconds to wait for container to exit before sending kill signal.
|
|
462 |
|
|
463 |
**tmp_dir**="/run/libpod"
|
|
464 |
|
|
465 |
The path to a temporary directory to store per-boot container.
|
|
466 |
Must be a tmpfs (wiped after reboot).
|
|
467 |
|
|
468 |
## SERVICE DESTINATION TABLE
|
|
469 |
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
|
418 | 470 |
|
419 | 471 |
**[service_destinations.{name}]**
|
420 | |
|
|
472 |
URI to access the Podman service
|
421 | 473 |
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
|
422 | 474 |
|
423 | 475 |
Example URIs:
|
|
430 | 482 |
**identity="~/.ssh/id_rsa**
|
431 | 483 |
|
432 | 484 |
Path to file containing ssh identity key
|
433 | |
|
434 | |
**pull_policy**="always"|"missing"|"never"
|
435 | |
|
436 | |
Pull image before running or creating a container. The default is **missing**.
|
437 | |
|
438 | |
- **missing**: attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist. Raise an error if the image is not in any listed registry and is not present locally.
|
439 | |
- **always**: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally.
|
440 | |
- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.
|
441 | |
|
442 | |
**remote** = false
|
443 | |
Indicates whether the application should be running in remote mode. This flag modifies the
|
444 | |
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
|
445 | |
|
446 | |
**runtime**=""
|
447 | |
|
448 | |
Default OCI specific runtime in runtimes that will be used by default. Must
|
449 | |
refer to a member of the runtimes table. Default runtime will be searched for
|
450 | |
on the system using the priority: "crun", "runc", "kata".
|
451 | |
|
452 | |
**runtime_supports_json**=["crun", "runc", "kata"]
|
453 | |
|
454 | |
The list of the OCI runtimes that support `--format=json`.
|
455 | |
|
456 | |
**runtime_supports_nocgroups**=["crun"]
|
457 | |
|
458 | |
The list of OCI runtimes that support running containers without CGroups.
|
459 | |
|
460 | |
**runtime_supports_kvm**=["kata"]
|
461 | |
|
462 | |
The list of OCI runtimes that support running containers with KVM separation.
|
463 | |
|
464 | |
**static_dir**="/var/lib/containers/storage/libpod"
|
465 | |
|
466 | |
Directory for persistent libpod files (database, etc).
|
467 | |
By default this will be configured relative to where containers/storage
|
468 | |
stores containers.
|
469 | |
|
470 | |
**stop_timeout**=10
|
471 | |
|
472 | |
Number of seconds to wait for container to exit before sending kill signal.
|
473 | |
|
474 | |
**tmp_dir**="/run/libpod"
|
475 | |
|
476 | |
The path to a temporary directory to store per-boot container.
|
477 | |
Must be a tmpfs (wiped after reboot).
|
478 | 485 |
|
479 | 486 |
**volume_path**="/var/lib/containers/storage/volumes"
|
480 | 487 |
|