diff options
Diffstat (limited to 'docs/source/markdown/podman-create.1.md')
| -rw-r--r-- | docs/source/markdown/podman-create.1.md | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index c8f1ec3a5..e3647b194 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -410,6 +410,11 @@ Container host name Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pod's hostname will be used. +#### **--hostuser**=*name* + +Add a user account to /etc/passwd from the host to the container. The Username +or UID must exist on the host system. + #### **--help** Print usage statement @@ -469,19 +474,24 @@ Path to the container-init binary. Keep STDIN open even if not attached. The default is *false*. -#### **--ip6**=*ip* - -Not implemented +#### **--ip**=*ipv4* -#### **--ip**=*ip* - -Specify a static IP address for the container, for example **10.88.64.128**. +Specify a static IPv4 address for the container, for example **10.88.64.128**. This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once - and if the container is not joining another container's network namespace via **--network=container:_id_**. The address must be within the network's IP address pool (default **10.88.0.0/16**). To specify multiple static IP addresses per container, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option. +#### **--ip6**=*ipv6* + +Specify a static IPv6 address for the container, for example **fd46:db93:aa76:ac37::10**. +This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. +The address must be within the network's IPv6 address pool. + +To specify multiple static IPv6 addresses per container, set multiple networks using the **--network** option with a static IPv6 address specified for each using the `ip6` mode for that option. + #### **--ipc**=*ipc* @@ -949,12 +959,13 @@ Note: Labeling can be disabled for all containers by setting label=false in the - `no-new-privileges` : Disable container processes from gaining additional privileges -- `seccomp=unconfined` : Turn off seccomp confinement for the container -- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter +- `seccomp=unconfined` : Turn off seccomp confinement for the container. +- `seccomp=profile.json` : JSON file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`. - `proc-opts=OPTIONS` : Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the **proc(5)** man page. + - **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read only by default. The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. @@ -1142,10 +1153,20 @@ If for example _amount_ is **5** the second mapping step would look like: | _from_uid_ + 3 | _container_uid_ + 3 | | _from_uid_ + 4 | _container_uid_ + 4 | +The current user ID is mapped to UID=0 in the rootless user namespace. +Every additional range is added sequentially afterward: + +| host |rootless user namespace | length | +| - | - | - | +| $UID | 0 | 1 | +| 1 | $FIRST_RANGE_ID | $FIRST_RANGE_LENGTH | +| 1+$FIRST_RANGE_LENGTH | $SECOND_RANGE_ID | $SECOND_RANGE_LENGTH| + Even if a user does not have any subordinate UIDs in _/etc/subuid_, **--uidmap** could still be used to map the normal UID of the user to a container UID by running `podman create --uidmap $container_uid:0:1 --user $container_uid ...`. + #### **--ulimit**=*option* Ulimit options |