diff options
Diffstat (limited to 'docs/source/markdown/podman-run.1.md.in')
| -rw-r--r-- | docs/source/markdown/podman-run.1.md.in | 56 |
1 files changed, 4 insertions, 52 deletions
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in index 3ad338662..2bb3098e2 100644 --- a/docs/source/markdown/podman-run.1.md.in +++ b/docs/source/markdown/podman-run.1.md.in @@ -1,4 +1,4 @@ -% podman-run(1) +% podman-run 1 ## NAME podman\-run - Run a command in a new container @@ -159,25 +159,12 @@ Specify the key sequence for detaching a container. Format is a single character This option can also be set in **containers.conf**(5) file. -#### **--device**=*host-device[:container-device][:permissions]* - -Add a host device to the container. Optional *permissions* parameter -can be used to specify device permissions by combining -**r** for read, **w** for write, and **m** for **mknod**(2). - -Example: **--device=/dev/sdc:/dev/xvdc:rwm**. - -Note: if _host_device_ is a symbolic link then it will be resolved first. -The container will only store the major and minor numbers of the host device. +@@option device Note: if the user only has access rights via a group, accessing the device from inside a rootless container will fail. Use the `--group-add keep-groups` flag to pass the user's supplementary group access into the container. -Podman may load kernel modules required for using the specified -device. The devices that Podman will load modules when necessary are: -/dev/fuse. - @@option device-cgroup-rule @@option device-read-bps @@ -398,20 +385,7 @@ If a container is run with a pod, and the pod has an infra-container, the infra- Pass down to the process N additional file descriptors (in addition to 0, 1, 2). The total FDs will be 3+N. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -#### **--privileged** - -Give extended privileges to this container. The default is **false**. - -By default, Podman containers are unprivileged (**=false**) and cannot, for -example, modify parts of the operating system. This is because by default a -container is only allowed limited access to devices. A "privileged" container -is given the same access to devices as the user launching the container. - -A privileged container turns off the security features that isolate the -container from the host. Dropped Capabilities, limited devices, read-only mount -points, Apparmor/SELinux separation, and Seccomp filters are all disabled. - -Rootless containers cannot have more privileges than the account that launched them. +@@option privileged #### **--publish**, **-p**=*[[ip:][hostPort]:]containerPort[/protocol]* @@ -555,29 +529,7 @@ Sets whether the signals sent to the **podman run** command are proxied to the c @@option subuidname -#### **--sysctl**=*name=value* - -Configure namespaced kernel parameters at runtime. - -For the IPC namespace, the following sysctls are allowed: - -- kernel.msgmax -- kernel.msgmnb -- kernel.msgmni -- kernel.sem -- kernel.shmall -- kernel.shmmax -- kernel.shmmni -- kernel.shm_rmid_forced -- Sysctls beginning with fs.mqueue.\* - -Note: if you use the **--ipc=host** option, the above sysctls will not be allowed. - -For the network namespace, the following sysctls are allowed: - -- Sysctls beginning with net.\* - -Note: if you use the **--network=host** option, these sysctls will not be allowed. +@@option sysctl @@option systemd |