-rwxr-xr-x  API.md                                   2
-rw-r--r--  cmd/podman/README.md                     4
-rw-r--r--  cmd/podman/varlink/io.podman.varlink     2
-rw-r--r--  contrib/cirrus/README.md                 4
-rw-r--r--  contrib/podmanimage/README.md            2
-rw-r--r--  dependencies/analyses/README.md          2
-rw-r--r--  docs/podman-build.1.md                  14
-rw-r--r--  docs/podman-commit.1.md                  2
-rw-r--r--  docs/podman-create.1.md                 48
-rw-r--r--  docs/podman-events.1.md                 10
-rw-r--r--  docs/podman-exec.1.md                    2
-rw-r--r--  docs/podman-generate-kube.1.md           2
-rw-r--r--  docs/podman-image-sign.1.md              2
-rw-r--r--  docs/podman-image-tree.1.md              2
-rw-r--r--  docs/podman-run.1.md                    94
-rw-r--r--  docs/tutorials/rootless_tutorial.md      2
-rw-r--r--  troubleshooting.md                      14
17 files changed, 112 insertions, 96 deletions
@@ -1732,7 +1732,7 @@ uptime [string](https://godoc.org/builtin#string) eventlogger [string](https://godoc.org/builtin#string) ### <a name="InfoPodmanBinary"></a>type InfoPodmanBinary -InfoPodman provides details on the podman binary +InfoPodman provides details on the Podman binary compiler [string](https://godoc.org/builtin#string) diff --git a/cmd/podman/README.md b/cmd/podman/README.md index 0fee7eafa..937eef510 100644 --- a/cmd/podman/README.md +++ b/cmd/podman/README.md @@ -1,5 +1,5 @@ -# podman - Simple debugging tool for pods and images -podman is a daemonless container runtime for managing containers, pods, and container images. +# Podman - Simple debugging tool for pods and images +Podman is a daemonless container runtime for managing containers, pods, and container images. It is intended as a counterpart to CRI-O, to provide low-level debugging not available through the CRI interface used by Kubernetes. It can also act as a container runtime independent of CRI-O, creating and managing its own set of containers. diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink index 2e46b31ce..4692525e3 100644 --- a/cmd/podman/varlink/io.podman.varlink +++ b/cmd/podman/varlink/io.podman.varlink @@ -249,7 +249,7 @@ type InfoStore ( run_root: string ) -# InfoPodman provides details on the podman binary +# InfoPodman provides details on the Podman binary type InfoPodmanBinary ( compiler: string, go_version: string, diff --git a/contrib/cirrus/README.md b/contrib/cirrus/README.md index ada362d95..7aa8881d6 100644 --- a/contrib/cirrus/README.md +++ b/contrib/cirrus/README.md @@ -72,7 +72,7 @@ and `darwin` targets. ### ``special_testing_cgroupv2`` Task Use the latest Fedora release with the required kernel options pre-set for -exercising cgroups v2 with podman integration tests. Also depends on +exercising cgroups v2 with Podman integration tests. Also depends on having `SPECIALMODE` set to 'cgroupv2` 
@@ -272,7 +272,7 @@ values follows: * `rootless`: Causes a random, ordinary user account to be created and utilized for testing. * `in_podman`: Causes testing to occur within a container executed by - podman on the host. + Podman on the host. * `cgroupv2`: The kernel on this VM was prepared with options to enable v2 cgroups * `windows`: See **darwin** * `darwin`: Signals the ``special_testing_cross`` task to cross-compile the remote client. diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md index 3dc07ad63..ab55f3189 100644 --- a/contrib/podmanimage/README.md +++ b/contrib/podmanimage/README.md @@ -5,7 +5,7 @@ ## Overview This directory contains the Dockerfiles necessary to create the three podmanimage container -images that are housed on quay.io under the podman account. All three repositories where +images that are housed on quay.io under the Podman account. All three repositories where the images live are public and can be pulled without credentials. These container images are secured and the resulting containers can run safely with privileges within the container. The container images are built using the latest Fedora and then Podman is installed into them: diff --git a/dependencies/analyses/README.md b/dependencies/analyses/README.md index a440a0ebd..67dab6f75 100644 --- a/dependencies/analyses/README.md +++ b/dependencies/analyses/README.md @@ -13,7 +13,7 @@ The analysis script will then read and parse the build data and print a sorted t Running such an analysis on libpod may look as follows: ``` -# 1) Build the podman binary with `-work -a`. +# 1) Build the Podman binary with `-work -a`. [libpod]$ BUILDFLAGS="-work -a" make podman [...] WORK=/tmp/go-build794287815 diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md index 20f4d6aab..1a04f8224 100644 --- a/docs/podman-build.1.md +++ b/docs/podman-build.1.md 
@@ -521,8 +521,8 @@ process. **--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] - Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman - bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman + Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman + bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman container. The `OPTIONS` are a comma delimited list and can be: * [rw|ro] @@ -547,14 +547,14 @@ See examples. Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By -default, podman does not change the labels set by the OS. +default, Podman does not change the labels set by the OS. To change a label in the container context, you can add either of two suffixes -`:z` or `:Z` to the volume mount. These suffixes tell podman to relabel file -objects on the shared volumes. The `z` option tells podman that two containers -share the volume content. As a result, podman labels the content with a shared +`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file +objects on the shared volumes. The `z` option tells Podman that two containers +share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. -The `Z` option tells podman to label the content with a private unshared label. +The `Z` option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. `Overlay Volume Mounts` diff --git a/docs/podman-commit.1.md b/docs/podman-commit.1.md index 5b0ba48aa..07a885ae2 100644 --- a/docs/podman-commit.1.md +++ b/docs/podman-commit.1.md 
@@ -15,7 +15,7 @@ configured with the `--change` flag and a commit message can be set using the `--message` flag. The container and its processes are paused while the image is committed. This minimizes the likelihood of data corruption when creating the new image. If this is not desired, the `--pause` flag can be set to false. When the commit -is complete, podman will print out the ID of the new image. +is complete, Podman will print out the ID of the new image. If *image* does not begin with a registry name component, `localhost` will be added to the name. diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 9924e7dff..8a0334765 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -322,7 +322,7 @@ Print usage statement **--http-proxy**=*true|false* By default proxy environment variables are passed into the container if set -for the podman process. This can be disabled by setting the `--http-proxy` +for the Podman process. This can be disabled by setting the `--http-proxy` option to `false`. The environment variables passed in include `http_proxy`, `https_proxy`, `ftp_proxy`, `no_proxy`, and also the upper case versions of those. This option is only needed when the host system must use a proxy but @@ -341,7 +341,7 @@ Defaults to `true` **--image-volume**, **builtin-volume**=*bind|tmpfs|ignore* -Tells podman how to handle the builtin image volumes. The options are: 'bind', 'tmpfs', or 'ignore' (default 'bind'). +Tells Podman how to handle the builtin image volumes. The options are: 'bind', 'tmpfs', or 'ignore' (default 'bind'). bind: A directory is created inside the container state directory and bind mounted into the container for the volumes. tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create 
@@ -505,7 +505,7 @@ Set the Network mode for the container. Invalid if using **--dns**, **--dns-opti 'bridge': create a network stack on the default bridge 'none': no networking 'container:<name|id>': reuse another container's network stack - 'host': use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. + 'host': use the Podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. '<network-name>|<network-id>': connect to a user-defined network 'ns:<path>': path to a network namespace to join 'slirp4netns': use slirp4netns to create a user network stack. This is the default for rootless containers @@ -543,19 +543,19 @@ Tune the container's pids limit. Set `-1` to have unlimited pids for the contain **--pod**=*name* -Run container in an existing pod. If you want podman to make the pod for you, preference the pod name with `new:`. +Run container in an existing pod. If you want Podman to make the pod for you, preference the pod name with `new:`. To make a pod with more granular options, use the `podman pod create` command before creating a container. **--privileged**=*true|false* Give extended privileges to this container. The default is *false*. -By default, podman containers are +By default, Podman containers are “unprivileged” (=false) and cannot, for example, modify parts of the kernel. This is because by default a container is not allowed to access any devices. A “privileged” container is given access to all devices. -When the operator executes a privileged container, podman enables access +When the operator executes a privileged container, Podman enables access to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. 
@@ -577,9 +577,9 @@ Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPO Publish all exposed ports to random ports on the host interfaces. The default is *false*. When set to true publish all exposed ports to the host interfaces. The -default is false. If the operator uses -P (or -p) then podman will make the +default is false. If the operator uses -P (or -p) then Podman will make the exposed port accessible on the host and the ports will be available to any -client that can reach the host. When using -P, podman will bind any exposed +client that can reach the host. When using -P, Podman will bind any exposed port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. @@ -733,11 +733,11 @@ any options, the systems uses the following options: Allocate a pseudo-TTY. The default is *false*. -When set to true podman will allocate a pseudo-tty and attach to the standard +When set to true Podman will allocate a pseudo-tty and attach to the standard input of the container. This can be used, for example, to run a throwaway interactive shell. The default is false. -Note: The **-t** option is incompatible with a redirection of the podman client +Note: The **-t** option is incompatible with a redirection of the Podman client standard input. **--uidmap**=*container_uid:host_uid:amount* 
@@ -793,8 +793,8 @@ container. The `OPTIONS` are a comma delimited list and can be: * [`[r]shared`|`[r]slave`|`[r]private`] The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR` -must be an absolute path as well. podman bind-mounts the `HOST-DIR` to the -path you specify. For example, if you supply the `/foo` value, podman creates a bind-mount. +must be an absolute path as well. Podman bind-mounts the `HOST-DIR` to the +path you specify. For example, if you supply the `/foo` value, Podman creates a bind-mount. You can specify multiple **-v** options to mount one or more mounts to a container. @@ -806,14 +806,14 @@ See examples. Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By -default, podman does not change the labels set by the OS. +default, Podman does not change the labels set by the OS. To change a label in the container context, you can add either of two suffixes -`:z` or `:Z` to the volume mount. These suffixes tell podman to relabel file -objects on the shared volumes. The `z` option tells podman that two containers -share the volume content. As a result, podman labels the content with a shared +`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file +objects on the shared volumes. The `z` option tells Podman that two containers +share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. -The `Z` option tells podman to label the content with a private unshared label. +The `Z` option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. By default bind mounted volumes are `private`. That means any mounts done 
@@ -861,7 +861,7 @@ To share a volume, use the --volumes-from option when running the target container. You can share volumes even if the source container is not running. -By default, podman mounts the volumes in the same mode (read-write or +By default, Podman mounts the volumes in the same mode (read-write or read-only) as it is mounted in the source container. Optionally, you can change this by suffixing the container-id with either the `ro` or `rw` keyword. @@ -869,11 +869,11 @@ can change this by suffixing the container-id with either the `ro` or Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By -default, podman does not change the labels set by the OS. +default, Podman does not change the labels set by the OS. To change a label in the container context, you can add `z` to the volume mount. -This suffix tells podman to relabel file objects on the shared volumes. The `z` -option tells podman that two containers share the volume content. As a result, +This suffix tells Podman to relabel file objects on the shared volumes. The `z` +option tells Podman that two containers share the volume content. As a result, podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. 
@@ -927,7 +927,7 @@ Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is released. In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace. -Rootless podman works better if the fuse-overlayfs and slirp4netns packages are installed. +Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed. The fuse-overlay package provides a userspace overlay storage driver, otherwise users need to use the vfs storage driver, which is diskspace expensive and does not perform well. slirp4netns is required for VPN, without it containers need to be run with the --net=host flag. @@ -937,7 +937,7 @@ required for VPN, without it containers need to be run with the --net=host flag. Environment variables within containers can be set using multiple different options: This section describes the precedence. Precedence Order: - **--env-host** : Host environment of the process executing podman is added. + **--env-host** : Host environment of the process executing Podman is added. Container image : Any environment variables specified in the container image. @@ -967,7 +967,7 @@ b subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8), slirp4netns(1), fuse-overlayfs(1) ## HISTORY -October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> +October 2017, converted from Docker documentation to Podman by Dan Walsh for Podman <dwalsh@redhat.com> November 2014, updated by Sven Dowideit <SvenDowideit@home.org.au> diff --git a/docs/podman-events.1.md b/docs/podman-events.1.md index ed3faedfd..a5a715098 100644 --- a/docs/podman-events.1.md +++ b/docs/podman-events.1.md 
@@ -98,7 +98,7 @@ The *since* and *until* values can be RFC3339Nano time stamps or a Go duration s ## EXAMPLES -Showing podman events +Showing Podman events ``` $ podman events 2019-03-02 10:33:42.312377447 -0600 CST container create 34503c192940 (image=docker.io/library/alpine:latest, name=friendly_allen) @@ -108,7 +108,7 @@ $ podman events 2019-03-02 10:33:51.047104966 -0600 CST container cleanup 34503c192940 (image=docker.io/library/alpine:latest, name=friendly_allen) ``` -Show only podman create events +Show only Podman create events ``` $ podman events --filter event=create 2019-03-02 10:36:01.375685062 -0600 CST container create 20dc581f6fbf (image=docker.io/library/alpine:latest, name=sharp_morse) @@ -117,7 +117,7 @@ $ podman events --filter event=create 2019-03-02 10:36:29.978806894 -0600 CST container create d81e30f1310f (image=docker.io/library/busybox:latest, name=musing_newton) ``` -Show only podman pod create events +Show only Podman pod create events ``` $ podman events --filter event=create --filter type=pod 2019-03-02 10:44:29.601746633 -0600 CST pod create 1df5ebca7b44 (image=, name=confident_hawking) @@ -125,7 +125,7 @@ $ podman events --filter event=create --filter type=pod 2019-03-02 10:44:47.486759133 -0600 CST pod create 71e807fc3a8e (image=, name=reverent_swanson) ``` -Show only podman events created in the last five minutes: +Show only Podman events created in the last five minutes: ``` $ sudo podman events --since 5m 2019-03-02 10:44:29.598835409 -0600 CST container create b629d10d3831 (image=k8s.gcr.io/pause:3.1, name=1df5ebca7b44-infra) 
@@ -134,7 +134,7 @@ $ sudo podman events --since 5m 2019-03-02 10:44:42.374637304 -0600 CST pod create ca731231718e (image=, name=webapp) ``` -Show podman events in JSON Lines format +Show Podman events in JSON Lines format ``` events --format json {"ID":"683b0909d556a9c02fa8cd2b61c3531a965db42158627622d1a67b391964d519","Image":"localhost/myshdemo:latest","Name":"agitated_diffie","Status":"cleanup","Time":"2019-04-27T22:47:00.849932843-04:00","Type":"container"} diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md index f71b21126..4c17c056a 100644 --- a/docs/podman-exec.1.md +++ b/docs/podman-exec.1.md @@ -64,7 +64,7 @@ when creating the container. The exit code from `podman exec` gives information about why the command within the container failed to run or why it exited. When `podman exec` exits with a non-zero code, the exit codes follow the `chroot` standard, see below: -**_125_** if the error is with podman **_itself_** +**_125_** if the error is with Podman **_itself_** $ podman exec --foo ctrID /bin/sh; echo $? Error: unknown flag: --foo diff --git a/docs/podman-generate-kube.1.md b/docs/podman-generate-kube.1.md index 8f15e14ba..f4b4cd482 100644 --- a/docs/podman-generate-kube.1.md +++ b/docs/podman-generate-kube.1.md @@ -6,7 +6,7 @@ podman-generate-kube - Generate Kubernetes YAML based on a pod or container **podman generate kube** [*options*] *container* | *pod* ## DESCRIPTION -**podman generate kube** will generate Kubernetes Pod YAML (v1 specification) from a podman container or pod. Whether +**podman generate kube** will generate Kubernetes Pod YAML (v1 specification) from a Podman container or pod. Whether the input is for a container or pod, Podman will always generate the specification as a Pod. The input may be in the form of a pod or container name or ID. diff --git a/docs/podman-image-sign.1.md b/docs/podman-image-sign.1.md index ca438b438..62845e715 100644 --- a/docs/podman-image-sign.1.md +++ b/docs/podman-image-sign.1.md 
@@ -39,7 +39,7 @@ Sign the busybox image with the identify of foo@bar.com with a user's keyring an The write (and read) location for signatures is defined in YAML-based configuration files in /etc/containers/registries.d/. When you sign -an image, podman will use those configuration files to determine +an image, Podman will use those configuration files to determine where to write the signature based on the the name of the originating registry or a default storage value unless overriden with the --directory option. For example, consider the following configuration file. diff --git a/docs/podman-image-tree.1.md b/docs/podman-image-tree.1.md index 5ffd995f6..c4624e05c 100644 --- a/docs/podman-image-tree.1.md +++ b/docs/podman-image-tree.1.md @@ -9,7 +9,7 @@ podman\-image\-tree - Prints layer hierarchy of an image in a tree format ## DESCRIPTION Prints layer hierarchy of an image in a tree format. -If you do not provide a *tag*, podman will default to `latest` for the *image*. +If you do not provide a *tag*, Podman will default to `latest` for the *image*. Layers are indicated with image tags as `Top Layer of`, when the tag is known locally. ## OPTIONS diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index c642b50b6..8f46e8f22 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md 
@@ -282,7 +282,7 @@ on the host system. **--gidmap**=*container_gid:host_gid:amount* Run the container in a new user namespace using the supplied mapping. This option conflicts with the --userns and --subgidname flags. -This option can be passed several times to map different ranges. If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. +This option can be passed several times to map different ranges. If calling Podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. The example maps gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000` **--group-add**=*group* @@ -329,7 +329,7 @@ Sets the container host name that is available inside the container. **--http-proxy**=*true|false* By default proxy environment variables are passed into the container if set -for the podman process. This can be disabled by setting the `--http-proxy` +for the Podman process. This can be disabled by setting the `--http-proxy` option to `false`. The environment variables passed in include `http_proxy`, `https_proxy`, `ftp_proxy`, `no_proxy`, and also the upper case versions of those. This option is only needed when the host system must use a proxy but @@ -348,7 +348,7 @@ Defaults to `true` **--image-volume**, **builtin-volume**=*bind|tmpfs|ignore* -Tells podman how to handle the builtin image volumes. +Tells Podman how to handle the builtin image volumes. The options are: `bind`, `tmpfs`, or `ignore` (default `bind`) @@ -475,6 +475,8 @@ Current supported mount TYPES are bind, and tmpfs. type=bind,source=/path/on/host,destination=/path/in/container + type=bind,source=volume-name,destination=/path/in/container + type=tmpfs,tmpfs-size=512M,destination=/path/in/container Common Options: 
@@ -516,7 +518,7 @@ Set the Network mode for the container. Invalid if using **--dns**, **--dns-opti - `bridge`: create a network stack on the default bridge - `none`: no networking - `container:<name|id>`: reuse another container's network stack -- `host`: use the podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. +- `host`: use the Podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. - `<network-name>|<network-id>`: connect to a user-defined network - `ns:<path>`: path to a network namespace to join - `slirp4netns`: use slirp4netns to create a user network stack. This is the default for rootless containers @@ -556,7 +558,7 @@ Tune the container's pids limit. Set `-1` to have unlimited pids for the contain **--pod**=*name* -Run container in an existing pod. If you want podman to make the pod for you, preference the pod name with `new:`. +Run container in an existing pod. If you want Podman to make the pod for you, preference the pod name with `new:`. To make a pod with more granular options, use the `podman pod create` command before creating a container. If a container is run with a pod, and the pod has an infra-container, the infra-container will be started before the container is. 
@@ -564,12 +566,12 @@ If a container is run with a pod, and the pod has an infra-container, the infra- Give extended privileges to this container. The default is *false*. -By default, podman containers are “unprivileged” (=false) and cannot, +By default, Podman containers are “unprivileged” (=false) and cannot, for example, modify parts of the kernel. This is because by default a container is not allowed to access any devices. A “privileged” container is given access to all devices. -When the operator executes **podman run --privileged**, podman enables access +When the operator executes **podman run --privileged**, Podman enables access to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. @@ -595,11 +597,11 @@ Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPO Publish all exposed ports to random ports on the host interfaces. The default is *false*. When set to true publish all exposed ports to the host interfaces. The -default is false. If the operator uses -P (or -p) then podman will make the +default is false. If the operator uses -P (or -p) then Podman will make the exposed port accessible on the host and the ports will be available to any client that can reach the host. -When using -P, podman will bind any exposed port to a random port on the host +When using -P, Podman will bind any exposed port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. 
@@ -702,13 +704,13 @@ Timeout (in seconds) to stop a container. Default is 10. **--subgidname**=*name* Run the container in a new user namespace using the map with 'name' in the `/etc/subgid` file. -If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subgid(5)`. +If calling Podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subgid(5)`. This flag conflicts with `--userns` and `--gidmap`. **--subuidname**=*name* Run the container in a new user namespace using the map with 'name' in the `/etc/subuid` file. -If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. +If calling Podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. This flag conflicts with `--userns` and `--uidmap`. **--sysctl**=SYSCTL @@ -738,7 +740,7 @@ Note: if you use the `--network=host` option these sysctls will not be allowed. Run container in systemd mode. The default is *true*. -If the command you are running inside of the container is systemd or init, podman +If the command you are running inside of the container is systemd or init, Podman will setup tmpfs mount points in the following directories: /run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal 
@@ -770,17 +772,17 @@ any options, the systems uses the following options: Allocate a pseudo-TTY. The default is *false*. -When set to true podman will allocate a pseudo-tty and attach to the standard +When set to true Podman will allocate a pseudo-tty and attach to the standard input of the container. This can be used, for example, to run a throwaway interactive shell. The default is false. -**NOTE**: The **-t** option is incompatible with a redirection of the podman client +**NOTE**: The **-t** option is incompatible with a redirection of the Podman client standard input. **--uidmap**=*container_uid:host_uid:amount* Run the container in a new user namespace using the supplied mapping. This option conflicts with the --userns and --subuidname flags. -This option can be passed several times to map different ranges. If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. +This option can be passed several times to map different ranges. If calling Podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. The example maps uids 0-2000 in the container to the uids 30000-31999 on the host. `--uidmap=0:30000:2000` **--ulimit**=*option* 
@@ -821,19 +823,23 @@ Set the UTS mode for the container **NOTE**: the host mode gives the container access to changing the host's hostname and is therefore considered insecure. -**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] +**--volume**, **-v**[=*[HOST-DIR-OR-VOUME-NAME:CONTAINER-DIR[:OPTIONS]]*] + +Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman +bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman +container. Similarly, `-v VOLUME-NAME:/CONTAINER-DIR` will mount the volume +in the host to the container. If no such named volume exists, Podman will +create one. -Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman -bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman -container. The `OPTIONS` are a comma delimited list and can be: + The `OPTIONS` are a comma delimited list and can be: * [`rw`|`ro`] * [`z`|`Z`] * [`[r]shared`|`[r]slave`|`[r]private`] -The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR` -must be an absolute path as well. podman bind-mounts the `HOST-DIR` to the -path you specify. For example, if you supply the `/foo` value, podman creates a bind-mount. +The `/CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `/HOST-DIR` +must be an absolute path as well. Podman bind-mounts the `HOST-DIR` to the +path you specify. For example, if you supply the `/foo` value, Podman creates a bind-mount. You can specify multiple **-v** options to mount one or more mounts to a container. 
@@ -845,14 +851,14 @@ See examples. Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By -default, podman does not change the labels set by the OS. +default, Podman does not change the labels set by the OS. To change a label in the container context, you can add either of two suffixes -`:z` or `:Z` to the volume mount. These suffixes tell podman to relabel file -objects on the shared volumes. The `z` option tells podman that two containers -share the volume content. As a result, podman labels the content with a shared +`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file +objects on the shared volumes. The `z` option tells Podman that two containers +share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. -The `Z` option tells podman to label the content with a private unshared label. +The `Z` option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. By default bind mounted volumes are `private`. That means any mounts done @@ -900,7 +906,7 @@ To share a volume, use the --volumes-from option when running the target container. You can share volumes even if the source container is not running. -By default, podman mounts the volumes in the same mode (read-write or +By default, Podman mounts the volumes in the same mode (read-write or read-only) as it is mounted in the source container. Optionally, you can change this by suffixing the container-id with either the `ro` or `rw` keyword. 
@@ -908,11 +914,11 @@ can change this by suffixing the container-id with either the `ro` or Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By -default, podman does not change the labels set by the OS. +default, Podman does not change the labels set by the OS. To change a label in the container context, you can add `z` to the volume mount. -This suffix tells podman to relabel file objects on the shared volumes. The `z` -option tells podman that two containers share the volume content. As a result, +This suffix tells Podman to relabel file objects on the shared volumes. The `z` +option tells Podman that two containers share the volume content. As a result, podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. @@ -934,7 +940,7 @@ The exit code from `podman run` gives information about why the container failed to run or why it exited. When `podman run` exits with a non-zero code, the exit codes follow the `chroot` standard, see below: -**_125_** if the error is with podman **_itself_** +**_125_** if the error is with Podman **_itself_** $ podman run --foo busybox; echo $? Error: unknown flag: --foo @@ -1005,7 +1011,7 @@ This should list the message sent to logger. ### Attaching to one or more from STDIN, STDOUT, STDERR -If you do not specify -a then podman will attach everything (stdin,stdout,stderr). +If you do not specify -a then Podman will attach everything (stdin,stdout,stderr). You can specify to which of the three standard streams (stdin, stdout, stderr) you'd like to connect instead, as in: 
@@ -1092,18 +1098,26 @@ $ podman run -p 8080:80 -d -i -t fedora/httpd To mount a host directory as a container volume, specify the absolute path to the directory and the absolute path for the container directory separated by a -colon: +colon. If the source is a named volume maintained by Podman, it's recommended to +use it's name rather than the path to the volume. Otherwise the volume will be +considered as an orphan and wiped if you execute `podman volume prune`: ``` $ podman run -v /var/db:/data1 -i -t fedora bash + +$ podman run -v data:/data2 -i -t fedora bash ``` Using --mount flags, To mount a host directory as a container folder, specify -the absolute path to the directory and the absolute path for the container -directory: +the absolute path to the directory or the volume name, and the absolute path +within the container directory: +```` $ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh +$ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh +```` + When using SELinux, be aware that the host has no knowledge of container SELinux policy. Therefore, in the above example, if SELinux policy is enforced, the `/var/db` directory is not writable to the container. A "Permission Denied" @@ -1178,7 +1192,7 @@ $ podman run --sysctl net.ipv4.ip_forward=1 someimage Note: -Not all sysctls are namespaced. podman does not support changing sysctls +Not all sysctls are namespaced. Podman does not support changing sysctls inside of a container that also modify the host system. As the kernel evolves we expect to see more sysctls become namespaced. 
@@ -1212,7 +1226,7 @@ Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is released. In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace. -Rootless podman works better if the fuse-overlayfs and slirp4netns packages are installed. +Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed. The fuse-overlay package provides a userspace overlay storage driver, otherwise users need to use the vfs storage driver, which is diskspace expensive and does not perform well. slirp4netns is required for VPN, without it containers need to be run with the --net=host flag. @@ -1223,7 +1237,7 @@ Environment variables within containers can be set using multiple different opti Precedence Order: - **--env-host** : Host environment of the process executing podman is added. + **--env-host** : Host environment of the process executing Podman is added. Container image : Any environment variables specified in the container image. @@ -1253,7 +1267,7 @@ subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8), slirp4netns ## HISTORY September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> -October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> +October 2017, converted from Docker documentation to Podman by Dan Walsh for Podman <dwalsh@redhat.com> November 2015, updated by Sally O'Malley <somalley@redhat.com> diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md index 91962fead..c98e74c96 100644 --- a/docs/tutorials/rootless_tutorial.md +++ b/docs/tutorials/rootless_tutorial.md 
@@ -22,6 +22,8 @@ The [slirp4netns](https://github.com/rootless-containers/slirp4netns) package pr When using Podman in a rootless environment, it is recommended to use fuse-overlayfs rather than the VFS file system. Installing the fuse3-devel package gives Podman the dependencies it needs to install, build and use fuse-overlayfs in a rootless environment for you. The fuse-overlayfs project is also available from [GitHub](https://github.com/containers/fuse-overlayfs). This especially needs to be checked on Ubuntu distributions as fuse-overlayfs is not generally installed by default. +If podman is installed before fuse-overlayfs, it may be necessary to change the `driver` option under `[storage]` to `"overlay"`. + ### Enable user namespaces (on RHEL7 machines) The number of user namespaces that are allowed on the system is specified in the file `/proc/sys/user/max_user_namespaces`. On most Linux platforms this is preset by default and no adjustment is necessary. However on RHEL7 machines a user with root privileges may need to set that to a reasonable value by using this command: `sysctl user.max_user_namespaces=15000`. diff --git a/troubleshooting.md b/troubleshooting.md index 9a5b38e01..89c850356 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -146,11 +146,11 @@ If the entry in the Dockerfile looked like: RUN useradd -u 99999000 -g users new ### 7) Permission denied when running Podman commands -When rootless podman attempts to execute a container on a non exec home directory a permission error will be raised. +When rootless Podman attempts to execute a container on a non exec home directory a permission error will be raised. #### Symptom -If you are running podman or buildah on a home directory that is mounted noexec, +If you are running Podman or buildah on a home directory that is mounted noexec, then they will fail. With a message like: ``` 
@@ -194,11 +194,11 @@ processes to write to the cgroup file system. Turn on this boolean, on SELinux s ### 9) Newuidmap missing when running rootless Podman commands -Rootless podman requires the newuidmap and newgidmap programs to be installed. +Rootless Podman requires the newuidmap and newgidmap programs to be installed. #### Symptom -If you are running podman or buildah as a not root user, you get an error complaining about +If you are running Podman or buildah as a not root user, you get an error complaining about a missing newuidmap executable. ``` @@ -212,7 +212,7 @@ Install a version of shadow-utils that includes these executables. Note RHEL7 a ### 10) rootless setup user: invalid argument -Rootless podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid. +Rootless Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid. #### Symptom @@ -262,7 +262,7 @@ grep johndoe /etc/subuid /etc/subgid ### 11) Changing the location of the Graphroot leads to permission denied When I change the graphroot storage location in storage.conf, the next time I -run podman I get an error like: +run Podman I get an error like: ``` # podman run -p 5000:5000 -it centos bash @@ -360,7 +360,7 @@ Choose one of the following: * Setup containers/storage in a different directory, not on an NFS share. * Create a directory on a local file system. * Edit `~/.config/containers/libpod.conf` and point the `volume_path` option to that local directory. - * Otherwise just run podman as root, via `sudo podman` + * Otherwise just run Podman as root, via `sudo podman` ### 15) Rootless 'podman build' fails when using OverlayFS: |
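Review bot: `HOST-DIR-OR-VOUME-NAME` in the new **--volume** synopsis (docs/podman-run.1.md, hunk `@@ -821,19 +823,23 @@`) is misspelled and should read `HOST-DIR-OR-VOLUME-NAME`. The same hunk keeps "The `/HOST-DIR` must be an absolute path as well", which now contradicts the newly documented `-v VOLUME-NAME:/CONTAINER-DIR` form; say how Podman tells the two apart (for example that a source not beginning with `/` is treated as a volume name), because together with "If no such named volume exists, Podman will create one" a mistyped host path silently becomes a fresh, empty volume instead of an error, and that is exactly the case a user needs warned about. The stray leading space inside ` -v /HOST-DIR:/CONTAINER-DIR` and at the start of " The `OPTIONS` are a comma delimited list" should also go.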
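Review bot: in docs/podman-run.1.md hunk `@@ -908,11 +914,11 @@` the unchanged context line directly after the edited "option tells Podman that two containers share the volume content" still reads "podman labels the content with a shared content label"; since this commit exists to capitalise the name, that line should become "Podman labels the content ..." too, otherwise the paragraph mixes both spellings.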
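Review bot: `--mount type=bind,src=volume-name,target=/data1` in docs/podman-run.1.md hunk `@@ -1092,18 +1098,26 @@` is wrong: a named volume is mounted with `type=volume` (`--mount type=volume,src=volume-name,target=/data1`), while `type=bind` is the form the preceding sentence and the `src=/var/db` example reserve for an absolute host path. In the same hunk "use it's name" should be "use its name", the new four-backtick fence (````) breaks the three-backtick convention used for the `-v` example just above, and "the absolute path within the container directory" reads better as "the absolute path of the directory inside the container". The new warning that a named volume referenced by its path is treated as an orphan and wiped by `podman volume prune` is the important part of this change and should stay.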
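Review bot: the sentence added in docs/tutorials/rootless_tutorial.md hunk `@@ -22,6 +22,8 @@` writes `podman` in lower case although the rest of this commit capitalises it, and it never names the file that holds the `[storage]` section; point the reader at `storage.conf` (the file the troubleshooting section of this same commit refers to) and give the reason the change is needed (presumably that the driver selected when Podman first ran is persisted there, so an install that predates fuse-overlayfs stays on vfs), otherwise "it may be necessary" leaves the user guessing when it applies.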
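Review bot: in troubleshooting.md hunk `@@ -146,11 +146,11 @@` "on a non exec home directory" should be "on a home directory mounted noexec", matching the wording of the Symptom line below it, and `buildah` is left in lower case right next to the newly capitalised `Podman`; if the point of the commit is correct project-name spelling, `Buildah` deserves the same treatment in this and the following hunk.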
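Review bot: "as a not root user" in the changed line of troubleshooting.md hunk `@@ -194,11 +194,11 @@` should be "as a non-root user"; since the line is being rewritten anyway, this is the moment to fix it rather than touching only the capital letter.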