path: root/docs/source/markdown/podman-create.1.md
Diffstat (limited to 'docs/source/markdown/podman-create.1.md')
-rw-r--r--  docs/source/markdown/podman-create.1.md  19
1 files changed, 18 insertions, 1 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 82d2e8f6a..fdc2edf39 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -204,6 +204,10 @@ Specify the key sequence for detaching a container. Format is a single character
Add a host device to the container. The format is `<device-on-host>[:<device-on-container>][:<permissions>]` (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
+Note: if the user only has access rights via a group then accessing the device
+from inside a rootless container will fail. The `crun` runtime offers a
+workaround for this by adding the option `--annotation io.crun.keep_original_groups=1`.
+
**--device-read-bps**=*path*
Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)
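Review bot: the annotation name in the new note should be checked against crun's own documentation before this merges: crun documents the knob as `run.oci.keep_original_groups=1`, not `io.crun.keep_original_groups=1`, and a wrong key is silently ignored, so a reader following this note would still get the access failure it claims to work around. The note should also spell out the trade-off: keeping the original groups means every supplementary group of the launching user stays visible to every process in the container, not just the one that owns the device, so it widens what the container can reach on the host. Suggested wording: "The `crun` runtime offers a workaround for this by adding the option `--annotation run.oci.keep_original_groups=1`; note that this retains all of the user's supplementary groups inside the container."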
@@ -415,6 +419,17 @@ Logging driver specific options. Used to set the path to the container log file
`--log-opt path=/var/log/container/mycontainer.json`
+**--log-opt**=*tag*
+
+Set custom logging configuration. Presently supports the `tag` option
+which specified a custom log tag for the container. For example:
+
+`--log-opt tag="{{.ImageName}}"`
+
+It supports the same keys as `podman inspect --format`.
+
+It is currently supported only by the journald log driver.
+
**--mac-address**=*address*
Container MAC address (e.g. 92:d0:c6:0a:29:33)
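Review bot: "which specified a custom log tag" should read "which specifies a custom log tag". Structurally, this introduces a second `**--log-opt**` heading directly below the existing one that documents `path=`, which will render as two entries for the same option; fold `tag=` into the existing `--log-opt` entry as a second supported key, keeping the `--log-opt tag="{{.ImageName}}"` example, and state the journald-only restriction next to the `tag` key rather than as a trailing sentence so it is not read as applying to `path=` as well.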
@@ -571,7 +586,7 @@ To make a pod with more granular options, use the `podman pod create` command be
Give extended privileges to this container. The default is *false*.
By default, Podman containers are
-“unprivileged” (=false) and cannot, for example, modify parts of the kernel.
+“unprivileged” (=false) and cannot, for example, modify parts of the operating system.
This is because by default a container is not allowed to access any devices.
A “privileged” container is given access to all devices.
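Review bot: the rewording from "kernel" to "operating system" is an improvement, but the sentence that follows it still explains the whole privileged/unprivileged distinction as "a container is not allowed to access any devices", while the next paragraph says `--privileged` also turns off graphdriver mount options and most of the security measures protecting the host. Consider rewriting the two lines as "This is because by default a container runs with a restricted set of capabilities, devices and security settings. A “privileged” container is given access to all devices and has most of those restrictions removed." so the rationale matches the scope described two paragraphs later.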
@@ -580,6 +595,8 @@ to all devices on the host, turns off graphdriver mount options, as well as
turning off most of the security measures protecting the host from the
container.
+Rootless containers cannot have more privileges than the account that launched them.
+
**--publish**, **-p**=*port*
Publish a container's port, or range of ports, to the host
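Review bot: the added sentence is correct but easy to misread as "--privileged does nothing in rootless mode", which is not what the preceding paragraph says: the flag still disables the container's own protections (the security measures and graphdriver mount options listed above), it just cannot escalate beyond the launching user. Suggest: "Rootless containers cannot have more privileges than the account that launched them, even with --privileged; the flag still removes the isolation between the container and that user's own files and devices."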