Diffstat (limited to 'docs/source/markdown/podman-build.1.md')
-rw-r--r--  docs/source/markdown/podman-build.1.md  174
1 files changed, 91 insertions, 83 deletions
diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 24093d414..1bb3c2c3a 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -45,14 +45,14 @@ command to see these containers. External containers can be removed with the ## OPTIONS -#### **--add-host**=*host* +#### **\-\-add-host**=*host* Add a custom host-to-IP mapping (host:ip) -Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** option +Add a line to /etc/hosts. The format is hostname:ip. The **\-\-add-host** option can be set multiple times. -#### **--annotation**=*annotation* +#### **\-\-annotation**=*annotation* Add an image *annotation* (e.g. annotation=*value*) to the image metadata. Can be used multiple times. @@ -60,12 +60,12 @@ be used multiple times. Note: this information is not present in Docker image formats, so it is discarded when writing images in Docker formats. -#### **--arch**=*arch* +#### **\-\-arch**=*arch* Set the ARCH of the image to the provided value instead of the architecture of the host. -#### **--authfile**=*path* +#### **\-\-authfile**=*path* Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. 
@@ -76,26 +76,26 @@ Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -#### **--build-arg**=*arg=value* +#### **\-\-build-arg**=*arg=value* Specifies a build argument and its value, which will be interpolated in instructions read from the Containerfiles in the same way that environment variables are, but which will not be added to environment variable list in the resulting image's configuration. -#### **--cache-from** +#### **\-\-cache-from** Images to utilize as potential cache sources. Podman does not currently support caching so this is a NOOP. (This option is not available with the remote Podman client) -#### **--cap-add**=*CAP\_xxx* +#### **\-\-cap-add**=*CAP\_xxx* When executing RUN instructions, run the command specified in the instruction with the specified capability added to its capability set. Certain capabilities are granted by default; this option can be used to add more. -#### **--cap-drop**=*CAP\_xxx* +#### **\-\-cap-drop**=*CAP\_xxx* When executing RUN instructions, run the command specified in the instruction with the specified capability removed from its capability set. 
@@ -104,40 +104,40 @@ CAP\_FSETID, CAP\_KILL, CAP\_MKNOD, CAP\_NET\_BIND\_SERVICE, CAP\_SETFCAP, CAP\_SETGID, CAP\_SETPCAP, CAP\_SETUID, and CAP\_SYS\_CHROOT capabilities are granted by default; this option can be used to remove them. -If a capability is specified to both the **--cap-add** and **--cap-drop** +If a capability is specified to both the **\-\-cap-add** and **\-\-cap-drop** options, it will be dropped, regardless of the order in which the options were given. -#### **--cert-dir**=*path* +#### **\-\-cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (This option is not available with the remote Podman client) -#### **--cgroup-parent**=*path* +#### **\-\-cgroup-parent**=*path* Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. -#### **--compress** +#### **\-\-compress** This option is added to be aligned with other containers CLIs. Podman doesn't communicate with a daemon or a remote server. Thus, compressing the data before sending it is irrelevant to Podman. (This option is not available with the remote Podman client) -#### **--cni-config-dir**=*directory* +#### **\-\-cni-config-dir**=*directory* Location of CNI configuration files which will dictate which plugins will be used to configure network interfaces and routing for containers created for handling `RUN` instructions, if those containers will be run in their own network namespaces, and networking is not disabled. -#### **--cni-plugin-path**=*directory[:directory[:directory[...]]]* +#### **\-\-cni-plugin-path**=*directory[:directory[:directory[...]]]* List of directories in which the CNI plugins which will be used for configuring network namespaces can be found. 
-#### **--cpu-period**=*limit* +#### **\-\-cpu-period**=*limit* Set the CPU period for the Completely Fair Scheduler (CFS), which is a duration in microseconds. Once the container's CPU quota is used up, it will @@ -148,20 +148,20 @@ On some systems, changing the CPU limits may not be allowed for non-root users. For more details, see https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error -#### **--cpu-quota**=*limit* +#### **\-\-cpu-quota**=*limit* Limit the CPU Completely Fair Scheduler (CFS) quota. Limit the container's CPU usage. By default, containers run with the full CPU resource. The limit is a number in microseconds. If you provide a number, the container will be allowed to use that much CPU time until the CPU period -ends (controllable via **--cpu-period**). +ends (controllable via **\-\-cpu-period**). On some systems, changing the CPU limits may not be allowed for non-root users. For more details, see https://github.com/containers/podman/blob/master/troubleshooting.md#26-running-containers-with-cpu-limits-fails-with-a-permissions-error -#### **--cpu-shares**, **-c**=*shares* +#### **\-\-cpu-shares**, **-c**=*shares* CPU shares (relative weight) @@ -169,7 +169,7 @@ By default, all containers get the same proportion of CPU cycles. This proportion can be modified by changing the container's CPU share weighting relative to the weighting of all other running containers. -To modify the proportion from the default of 1024, use the **--cpu-shares** +To modify the proportion from the default of 1024, use the **\-\-cpu-shares** flag to set the weighting to 2 or higher. The proportion will only apply when CPU-intensive processes are running. 
@@ -199,11 +199,11 @@ division of CPU shares: 101 {C1} 1 100% of CPU1 102 {C1} 2 100% of CPU2 -#### **--cpuset-cpus**=*num* +#### **\-\-cpuset-cpus**=*num* CPUs in which to allow execution (0-3, 0,1) -#### **--cpuset-mems**=*nodes* +#### **\-\-cpuset-mems**=*nodes* Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. @@ -212,26 +212,26 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` then processes in your container will only use memory from the first two memory nodes. -#### **--creds**=*creds* +#### **\-\-creds**=*creds* The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo. -#### **--decryption-key**=*key[:passphrase]* +#### **\-\-decryption-key**=*key[:passphrase]* The [key[:passphrase]] to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise. -#### **--device**=_host-device_[**:**_container-device_][**:**_permissions_] +#### **\-\-device**=_host-device_[**:**_container-device_][**:**_permissions_] Add a host device to the container. Optional *permissions* parameter can be used to specify device permissions, it is combination of **r** for read, **w** for write, and **m** for **mknod**(2). -Example: **--device=/dev/sdc:/dev/xvdc:rwm**. +Example: **\-\-device=/dev/sdc:/dev/xvdc:rwm**. Note: if _host_device_ is a symbolic link then it will be resolved first. The container will only store the major and minor numbers of the host device. 
@@ -239,24 +239,24 @@ The container will only store the major and minor numbers of the host device. Note: if the user only has access rights via a group, accessing the device from inside a rootless container will fail. The **crun**(1) runtime offers a workaround for this by adding the option -#### **--annotation run.oci.keep_original_groups=1**. +#### **\-\-annotation run.oci.keep_original_groups=1**. -#### **--disable-compression**, **-D** +#### **\-\-disable-compression**, **-D** Don't compress filesystem layers when building the image unless it is required by the location where the image is being written. This is the default setting, because image layers are compressed automatically when they are pushed to registries, and images being written to local storage would only need to be decompressed again to be stored. Compression can be forced in all cases by -specifying **--disable-compression=false**. +specifying **\-\-disable-compression=false**. -#### **--disable-content-trust** +#### **\-\-disable-content-trust** This is a Docker specific option to disable image verification to a Docker registry and is not supported by Podman. This flag is a NOOP and provided solely for scripting compatibility. (This option is not available with the remote Podman client) -#### **--dns**=*dns* +#### **\-\-dns**=*dns* Set custom DNS servers to be used during the build. 
@@ -269,15 +269,15 @@ The special value **none** can be specified to disable creation of /etc/resolv.conf in the container by Podman. The /etc/resolv.conf file in the image will be used without changes. -#### **--dns-option**=*option* +#### **\-\-dns-option**=*option* Set custom DNS options to be used during the build. -#### **--dns-search**=*domain* +#### **\-\-dns-search**=*domain* Set custom DNS search domains to be used during the build. -#### **--file**, **-f**=*Containerfile* +#### **\-\-file**, **-f**=*Containerfile* Specifies a Containerfile which contains instructions for building the image, either a local file or an **http** or **https** URL. If more than one @@ -290,12 +290,12 @@ context. If you specify `-f -`, the Containerfile contents will be read from stdin. -#### **--force-rm**=*true|false* +#### **\-\-force-rm**=*true|false* Always remove intermediate containers after a build, even if the build fails (default true). -#### **--format** +#### **\-\-format** Control the format for the built image's manifest and configuration data. Recognized formats include *oci* (OCI image-spec v1.0, the default) and 
@@ -304,28 +304,28 @@ Recognized formats include *oci* (OCI image-spec v1.0, the default) and Note: You can also override the default format by setting the BUILDAH\_FORMAT environment variable. `export BUILDAH_FORMAT=docker` -#### **--from** +#### **\-\-from** Overrides the first `FROM` instruction within the Containerfile. If there are multiple FROM instructions in a Containerfile, only the first is changed. -**-h**, **--help** +**-h**, **\-\-help** Print usage statement -#### **--http-proxy** +#### **\-\-http-proxy** Pass through HTTP Proxy environment variables. -#### **--iidfile**=*ImageIDfile* +#### **\-\-iidfile**=*ImageIDfile* Write the image ID to the file. -#### **--ignorefile** +#### **\-\-ignorefile** Path to an alternative .dockerignore file. -#### **--ipc**=*how* +#### **\-\-ipc**=*how* Sets the configuration for IPC namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -334,7 +334,7 @@ that the IPC namespace in which `podman` itself is being run should be reused, or it can be the path to an IPC namespace which is already in use by another process. -#### **--isolation**=*type* +#### **\-\-isolation**=*type* Controls what type of isolation is used for running processes as part of `RUN` instructions. Recognized types include *oci* (OCI-compatible runtime, the @@ -348,13 +348,13 @@ chroot(1) than container technology). Note: You can also override the default isolation type by setting the BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci` -#### **--jobs**=*number* +#### **\-\-jobs**=*number* Run up to N concurrent stages in parallel. If the number of jobs is greater than 1, stdin will be read from /dev/null. If 0 is specified, then there is no limit in the number of jobs that run in parallel. -#### **--label**=*label* +#### **\-\-label**=*label* Add an image *label* (e.g. label=*value*) to the image metadata. Can be used multiple times. 
@@ -369,30 +369,30 @@ capabilities is a subset of the default list. If the specified capabilities are not in the default set, Podman will print an error message and will run the container with the default capabilities. -#### **--layers** +#### **\-\-layers** Cache intermediate images during the build process (Default is `true`). Note: You can also override the default value of layers by setting the BUILDAH\_LAYERS environment variable. `export BUILDAH_LAYERS=true` -#### **--logfile**=*filename* +#### **\-\-logfile**=*filename* Log output which would be sent to standard output and standard error to the specified file instead of to standard output and standard error. -#### **--loglevel**=*number* +#### **\-\-loglevel**=*number* Adjust the logging level up or down. Valid option values range from -2 to 3, with 3 being roughly equivalent to using the global *--debug* option, and values below 0 omitting even error messages which accompany fatal errors. -#### **--manifest** "manifest" +#### **\-\-manifest** "manifest" Name of the manifest list to which the image will be added. Creates the manifest list if it does not exist. This option is useful for building multi architecture images. -#### **--memory**, **-m**=*LIMIT* +#### **\-\-memory**, **-m**=*LIMIT* Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) 
@@ -403,18 +403,18 @@ not limited. The actual limit may be rounded up to a multiple of the operating system's page size (the value would be very large, that's millions of trillions). -#### **--memory-swap**=*LIMIT* +#### **\-\-memory-swap**=*LIMIT* A limit value equal to memory plus swap. Must be used with the **-m** -(**--memory**) flag. The swap `LIMIT` should always be larger than **-m** -(**--memory**) value. By default, the swap `LIMIT` will be set to double +(**\-\-memory**) flag. The swap `LIMIT` should always be larger than **-m** +(**\-\-memory**) value. By default, the swap `LIMIT` will be set to double the value of --memory. The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. -#### **--network**=*mode*, **--net** +#### **\-\-network**=*mode*, **\-\-net** Sets the configuration for network namespaces when handling `RUN` instructions. @@ -427,17 +427,17 @@ considered insecure. - **ns:**_path_: path to a network namespace to join. - **private**: create a new namespace for the container (default). -#### **--no-cache** +#### **\-\-no-cache** Do not use existing cached images for the container build. Build from the start with a new set of cached layers. -#### **--os**=*string* +#### **\-\-os**=*string* Set the OS to the provided value instead of the current operating system of the host. -#### **--pid**=*pid* +#### **\-\-pid**=*pid* Sets the configuration for PID namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate 
@@ -446,13 +446,13 @@ that the PID namespace in which `podman` itself is being run should be reused, or it can be the path to a PID namespace which is already in use by another process. -#### **--platform**="Linux" +#### **\-\-platform**="Linux" This option has no effect on the build. Other container engines use this option to control the execution platform for the build (e.g., Windows, Linux) which is not required for Buildah as it supports only Linux. -#### **--pull** +#### **\-\-pull** When the option is specified or set to "true", pull the image. Raise an error if the image could not be pulled, even if the image is present locally. @@ -461,28 +461,28 @@ If the option is disabled (with *--pull=false*) or not specified, pull the image from the registry only if the image is not present locally. Raise an error if the image is not found in the registries and is not present locally. -#### **--pull-always** +#### **\-\-pull-always** Pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. -#### **--pull-never** +#### **\-\-pull-never** Do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally. -#### **--quiet**, **-q** +#### **\-\-quiet**, **-q** Suppress output messages which indicate which instruction is being processed, and of progress when pulling images from a registry, and when writing the output image. -#### **--rm**=*true|false* +#### **\-\-rm**=*true|false* Remove intermediate containers after a successful build (default true). -#### **--runtime**=*path* +#### **\-\-runtime**=*path* The *path* to an alternate OCI-compatible runtime, which will be used to run commands specified by the **RUN** instruction. 
@@ -490,7 +490,7 @@ commands specified by the **RUN** instruction. Note: You can also override the default runtime by setting the BUILDAH\_RUNTIME environment variable. `export BUILDAH_RUNTIME=/usr/local/bin/runc` -#### **--security-opt**=*option* +#### **\-\-security-opt**=*option* Security Options @@ -510,7 +510,7 @@ container - `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter -#### **--shm-size**=*size* +#### **\-\-shm-size**=*size* Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. 
@@ -518,40 +518,40 @@ Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. -#### **--sign-by**=*fingerprint* +#### **\-\-sign-by**=*fingerprint* Sign the image using a GPG key with the specified FINGERPRINT. (This option is not available with the remote Podman client) -#### **--squash** +#### **\-\-squash** Squash all of the image's new layers into a single new layer; any preexisting layers are not squashed. -#### **--squash-all** +#### **\-\-squash-all** Squash all of the new image's layers (including those inherited from a base image) into a single new layer. -#### **--stdin** +#### **\-\-stdin** Pass stdin into the RUN containers. Sometime commands being RUN within a Containerfile want to request information from the user. For example apt asking for a confirmation for install. Use --stdin to be able to interact from the terminal during the build. -#### **--tag**, **-t**=*imageName* +#### **\-\-tag**, **-t**=*imageName* Specifies the name which will be assigned to the resulting image if the build process completes successfully. If _imageName_ does not include a registry name, the registry name *localhost* will be prepended to the image name. -#### **--target**=*stageName* +#### **\-\-target**=*stageName* Set the target build stage to build. When building a Containerfile with multiple build stages, --target can be used to specify an intermediate build stage by name as the final stage for the resulting image. Commands after the target stage will be skipped. -#### **--timestamp** *seconds* +#### **\-\-timestamp** *seconds* Set the create timestamp to seconds since epoch to allow for deterministic builds (defaults to current time). By default, the created timestamp is changed 
@@ -562,12 +562,12 @@ specified and therefore not changed, allowing the image's sha256 hash to remain same. All files committed to the layers of the image will be created with the timestamp. -#### **--tls-verify**=*true|false* +#### **\-\-tls-verify**=*true|false* Require HTTPS and verify certificates when talking to container registries (defaults to true). (This option is not available with the remote Podman client) -#### **--ulimit**=*type*=*soft-limit*[:*hard-limit*] +#### **\-\-ulimit**=*type*=*soft-limit*[:*hard-limit*] Specifies resource limits to apply to processes launched when processing `RUN` instructions. This option can be specified multiple times. Recognized resource @@ -588,7 +588,7 @@ types include: "sigpending": maximum number of pending signals (ulimit -i) "stack": maximum stack size (ulimit -s) -#### **--userns**=*how* +#### **\-\-userns**=*how* Sets the configuration for user namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -597,7 +597,7 @@ the user namespace in which `podman` itself is being run should be reused, or it can be the path to an user namespace which is already in use by another process. -#### **--userns-uid-map**=*mapping* +#### **\-\-userns-uid-map**=*mapping* Directly specifies a UID mapping which should be used to set ownership, at the filesystem level, on the working container's contents. @@ -618,7 +618,7 @@ If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-uid-map are specified, but --userns-gid-map is specified, the UID map will be set to use the same numeric values as the GID map. -#### **--userns-gid-map**=*mapping* +#### **\-\-userns-gid-map**=*mapping* Directly specifies a GID mapping which should be used to set ownership, at the filesystem level, on the working container's contents. 
@@ -639,7 +639,7 @@ If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-gid-map are specified, but --userns-uid-map is specified, the GID map will be set to use the same numeric values as the UID map. -#### **--userns-uid-map-user**=*user* +#### **\-\-userns-uid-map-user**=*user* Specifies that a UID mapping which should be used to set ownership, at the filesystem level, on the working container's contents, can be found in entries @@ -650,7 +650,11 @@ If --userns-gid-map-group is specified, but --userns-uid-map-user is not specified, `podman` will assume that the specified group name is also a suitable user name to use as the default setting for this option. -#### **--userns-gid-map-group**=*group* +**NOTE:** When this option is specified by a rootless user, the specified +mappings are relative to the rootless usernamespace in the container, rather +than being relative to the host as it would be when run rootful. + +#### **\-\-userns-gid-map-group**=*group* Specifies that a GID mapping which should be used to set ownership, at the filesystem level, on the working container's contents, can be found in entries @@ -661,7 +665,11 @@ If --userns-uid-map-user is specified, but --userns-gid-map-group is not specified, `podman` will assume that the specified user name is also a suitable group name to use as the default setting for this option. -#### **--uts**=*how* +**NOTE:** When this option is specified by a rootless user, the specified +mappings are relative to the rootless usernamespace in the container, rather +than being relative to the host as it would be when run rootful. + +#### **\-\-uts**=*how* Sets the configuration for UTS namespaces when the handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate 
@@ -670,11 +678,11 @@ that the UTS namespace in which `podman` itself is being run should be reused, or it can be the path to a UTS namespace which is already in use by another process. -#### **--variant**="" +#### **\-\-variant**="" Set the architecture variant of the image to be pulled. -#### **--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] +#### **\-\-volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman |
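Review bot: the `\-\-` escaping is applied only to option names inside `####` headings and `**...**` bold spans, so the same option names written in plain prose within the very same hunks are left as bare `--`: `the value of --memory` (hunk @@ -403), `*--debug*` (@@ -369), `*--pull=false*` (@@ -446), `Use --stdin` and `--target can be used` (@@ -518), `--cpuset-mems=0,1` (@@ -199) and the `--userns-uid-map-user, --userns-gid-map-group` lists (@@ -618 and @@ -639). If the escape is needed so the man-page renderer does not collapse `--` into a dash, those occurrences need it for the same reason; otherwise the rendered page will show the same option two different ways. Either escape them in this change or say in the commit why only headings are affected.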
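Review bot: in hunk @@ -239 the line `#### **\-\-annotation run.oci.keep_original_groups=1**.` is the tail of the sentence "The **crun**(1) runtime offers a workaround for this by adding the option", not a new option, yet it keeps the `####` heading marker, so the rendered page shows a spurious option section titled with the annotation and the preceding sentence ends without its object. Since the line is being rewritten anyway, drop the `####` and fold it into the paragraph above as `**\-\-annotation run.oci.keep_original_groups=1**.`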
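Review bot: in hunk @@ -304 the line `**-h**, **\-\-help**` is the only entry in the OPTIONS section without a `####` heading marker, so `--help` renders as body text under `--from` instead of as its own option entry like its neighbours; while touching the line, make it `#### **-h**, **\-\-help**`.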
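Review bot: two heading-syntax inconsistencies sit on lines this change rewrites: `#### **\-\-manifest** "manifest"` (hunk @@ -369) and `#### **\-\-timestamp** *seconds*` (hunk @@ -518) separate the option from its argument with a space (and, in the first case, double quotes) while every other entry uses `=*argument*`; normalise them to `**\-\-manifest**=*manifest*` and `**\-\-timestamp**=*seconds*`. In the same @@ -518 hunk the context line `Sometime commands being RUN within a Containerfile want to request information` should read `Sometimes commands run by a RUN instruction want to request information`.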
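Review bot: in hunk @@ -510 the context line `seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter` has a spelling and casing problem (`White listed` and `Json`) and is awkward; since the neighbouring heading is being edited, consider rewording it to `seccomp=profile.json : JSON seccomp profile to apply as the syscall filter for RUN containers`, which says what the file is without the awkward doubled "seccomp".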
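Review bot: the new NOTE paragraphs in hunks @@ -650 and @@ -661 are the substantive part of this change and carry a security-relevant point, so their wording should be tightened: `usernamespace` should be `user namespace` (the rest of the page writes it as two words), and `rather than being relative to the host as it would be when run rootful` reads better as `rather than relative to the host, as they are when run as root`. Spelling out the consequence would help the reader: the numbers in the mapping are interpreted inside the rootless user namespace and do not refer to host IDs directly. Please also consider whether the same NOTE belongs under **\-\-userns-uid-map** and **\-\-userns-gid-map** (hunks @@ -597 and @@ -618); their text describes the same filesystem-ownership mapping, and the cross-references on lines `If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-uid-map are specified` tie the four options together, yet as written only the `-user`/`-group` variants warn about the rootless interpretation.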