1 files changed, 25 insertions, 414 deletions
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index c7985d7e1..493a7494a 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -1,4 +1,4 @@
-% podman-run(1)
+% podman-run 1
 
 ## NAME
 podman\-run - Run a command in a new container
@@ -159,50 +159,21 @@ Specify the key sequence for detaching a container. Format is a single character
 
 This option can also be set in **containers.conf**(5) file.
 
-#### **--device**=*host-device[:container-device][:permissions]*
-
-Add a host device to the container. Optional *permissions* parameter
-can be used to specify device permissions by combining
-**r** for read, **w** for write, and **m** for **mknod**(2).
-
-Example: **--device=/dev/sdc:/dev/xvdc:rwm**.
-
-Note: if _host_device_ is a symbolic link then it will be resolved first.
-The container will only store the major and minor numbers of the host device.
+@@option device
 
 Note: if the user only has access rights via a group, accessing the device
 from inside a rootless container will fail. Use the `--group-add keep-groups`
 flag to pass the user's supplementary group access into the container.
 
-Podman may load kernel modules required for using the specified
-device. The devices that Podman will load modules when necessary are:
-/dev/fuse.
-
 @@option device-cgroup-rule
 
-#### **--device-read-bps**=*path:rate*
-
-Limit read rate (in bytes per second) from a device (e.g. **--device-read-bps=/dev/sda:1mb**).
-
-This option is not supported on cgroups V1 rootless systems.
-
-#### **--device-read-iops**=*path:rate*
+@@option device-read-bps
 
-Limit read rate (in IO operations per second) from a device (e.g. **--device-read-iops=/dev/sda:1000**).
+@@option device-read-iops
 
-This option is not supported on cgroups V1 rootless systems.
+@@option device-write-bps
 
-#### **--device-write-bps**=*path:rate*
-
-Limit write rate (in bytes per second) to a device (e.g. **--device-write-bps=/dev/sda:1mb**).
-
-This option is not supported on cgroups V1 rootless systems.
-
-#### **--device-write-iops**=*path:rate*
-
-Limit write rate (in IO operations per second) to a device (e.g. **--device-write-iops=/dev/sda:1000**).
-
-This option is not supported on cgroups V1 rootless systems.
+@@option device-write-iops
 
 @@option disable-content-trust
 
@@ -218,14 +189,9 @@ is the case the **--dns** flag is necessary for every run.
 The special value **none** can be specified to disable creation of _/etc/resolv.conf_ in the container by Podman.
 The _/etc/resolv.conf_ file in the image will be used without changes.
 
-#### **--dns-opt**=*option*
-
-Set custom DNS options. Invalid if using **--dns-opt** with **--network** that is set to **none** or **container:**_id_.
-
-#### **--dns-search**=*domain*
+@@option dns-opt.container
 
-Set custom DNS search domains. Invalid if using **--dns-search** and **--network** that is set to **none** or **container:**_id_.
-Use **--dns-search=.** if you don't wish to set the search domain.
+@@option dns-search.container
 
 @@option entrypoint
 
@@ -255,6 +221,8 @@ Read in a line delimited file of environment variables. See **Environment** note
 
 @@option health-interval
 
+@@option health-on-failure
+
 @@option health-retries
 
 @@option health-start-period
@@ -269,20 +237,7 @@ Print usage statement
 
 @@option hostuser
 
-#### **--http-proxy**
-
-By default proxy environment variables are passed into the container if set
-for the Podman process. This can be disabled by setting the value to **false**.
-The environment variables passed in include **http_proxy**,
-**https_proxy**, **ftp_proxy**, **no_proxy**, and also the upper case versions of
-those. This option is only needed when the host system must use a proxy but
-the container should not use any proxy. Proxy environment variables specified
-for the container in any other way will override the values that would have
-been passed through from the host. (Other ways to specify the proxy for the
-container include passing the values with the **--env** flag, or hard coding the
-proxy environment at container build time.) (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
-
-Defaults to **true**.
+@@option http-proxy
 
 @@option image-volume
 
@@ -314,9 +269,7 @@ To specify multiple static IPv6 addresses per container, set multiple networks u
 
 @@option ipc
 
-#### **--label**, **-l**=*key=value*
-
-Add metadata to a container.
+@@option label
 
 @@option label-file
 
@@ -343,62 +296,17 @@ This option is currently supported only by the **journald** log driver.
 
 @@option mac-address
 
-#### **--memory**, **-m**=*number[unit]*
-
-Memory limit. A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes).
-
-Allows you to constrain the memory available to a container. If the host
-supports swap memory, then the **-m** memory setting can be larger than physical
-RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
-not limited. The actual limit may be rounded up to a multiple of the operating
-system's page size (the value would be very large, that's millions of trillions).
-
-This option is not supported on cgroups V1 rootless systems.
-
-#### **--memory-reservation**=*number[unit]*
-
-Memory soft limit. A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes).
-
-After setting memory reservation, when the system detects memory contention
-or low memory, containers are forced to restrict their consumption to their
-reservation. So you should always set the value below **--memory**, otherwise the
-hard limit will take precedence. By default, memory reservation will be the same
-as memory limit.
-
-This option is not supported on cgroups V1 rootless systems.
-
-#### **--memory-swap**=*number[unit]*
-
-A limit value equal to memory plus swap.
-A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes).
+@@option memory
 
-Must be used with the **-m** (**--memory**) flag.
-The argument value should always be larger than that of
- **-m** (**--memory**) By default, it is set to double
-the value of **--memory**.
+@@option memory-reservation
 
-Set _number_ to **-1** to enable unlimited swap.
-
-This option is not supported on cgroups V1 rootless systems.
+@@option memory-swap
 
 @@option memory-swappiness
 
 @@option mount
 
-#### **--name**=*name*
-
-Assign a name to the container.
-
-The operator can identify a container in three ways:
-
-- UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
-- UUID short identifier (“f78375b1c487”);
-- Name (“jonah”).
-
-Podman generates a UUID for each container, and if a name is not assigned
-to the container with **--name** then it will generate a random
-string name. The name is useful any place you need to identify a container.
-This works for both background and foreground containers.
+@@option name.container
 
 #### **--network**=*mode*, **--net**
 
@@ -479,20 +387,7 @@ If a container is run with a pod, and the pod has an infra-container, the infra-
 Pass down to the process N additional file descriptors (in addition to 0, 1, 2).
 The total FDs will be 3+N. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
 
-#### **--privileged**
-
-Give extended privileges to this container. The default is **false**.
-
-By default, Podman containers are unprivileged (**=false**) and cannot, for
-example, modify parts of the operating system. This is because by default a
-container is only allowed limited access to devices. A "privileged" container
-is given the same access to devices as the user launching the container.
-
-A privileged container turns off the security features that isolate the
-container from the host. Dropped Capabilities, limited devices, read-only mount
-points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
-
-Rootless containers cannot have more privileges than the account that launched them.
+@@option privileged
 
 #### **--publish**, **-p**=*[[ip:][hostPort]:]containerPort[/protocol]*
 
@@ -549,21 +444,7 @@ Suppress output information when pulling images
 
 @@option requires
 
-#### **--restart**=*policy*
-
-Restart policy to follow when containers exit.
-Restart policy will not take effect if a container is stopped via the **podman kill** or **podman stop** commands.
-
-Valid _policy_ values are:
-
-- `no`                       : Do not restart containers on exit
-- `on-failure[:max_retries]` : Restart containers when they exit with a non-zero exit code, retrying indefinitely or until the optional *max_retries* count is hit
-- `always`                   : Restart containers when they exit, regardless of status, retrying indefinitely
-- `unless-stopped`           : Identical to **always**
-
-Please note that restart will not restart containers after a system reboot.
-If this functionality is required in your environment, you can invoke Podman from a **systemd.unit**(5) file, or create an init script for whichever init system is in use.
-To generate systemd unit files, please see **podman generate systemd**.
+@@option restart
 
 #### **--rm**
 
@@ -646,71 +527,13 @@ Sets whether the signals sent to the **podman run** command are proxied to the c
 
 @@option stop-timeout
 
-#### **--subgidname**=*name*
-
-Run the container in a new user namespace using the map with _name_ in the _/etc/subgid_ file.
-If calling **podman run** as an unprivileged user, the user needs to have the right to use the mapping. See **subgid**(5).
-This flag conflicts with **--userns** and **--gidmap**.
-
-#### **--subuidname**=*name*
-
-Run the container in a new user namespace using the map with _name_ in the _/etc/subuid_ file.
-If calling **podman run** as an unprivileged user, the user needs to have the right to use the mapping. See **subuid**(5).
-This flag conflicts with **--userns** and **--uidmap**.
-
-#### **--sysctl**=*name=value*
-
-Configure namespaced kernel parameters at runtime.
-
-For the IPC namespace, the following sysctls are allowed:
-
-- kernel.msgmax
-- kernel.msgmnb
-- kernel.msgmni
-- kernel.sem
-- kernel.shmall
-- kernel.shmmax
-- kernel.shmmni
-- kernel.shm_rmid_forced
-- Sysctls beginning with fs.mqueue.\*
-
-Note: if you use the **--ipc=host** option, the above sysctls will not be allowed.
-
-For the network namespace, the following sysctls are allowed:
-
-- Sysctls beginning with net.\*
-
-Note: if you use the **--network=host** option, these sysctls will not be allowed.
-
-#### **--systemd**=*true* | *false* | *always*
-
-Run container in systemd mode. The default is **true**.
-
-The value *always* enforces the systemd mode is enforced without
-looking at the executable name. Otherwise, if set to true and the
-command you are running inside the container is **systemd**, **/usr/sbin/init**,
-**/sbin/init** or **/usr/local/sbin/init**.
+@@option subgidname
 
-Running the container in systemd mode causes the following changes:
+@@option subuidname
 
-* Podman mounts tmpfs file systems on the following directories
-  * _/run_
-  * _/run/lock_
-  * _/tmp_
-  * _/sys/fs/cgroup/systemd_
-  * _/var/lib/journal_
-* Podman sets the default stop signal to **SIGRTMIN+3**.
-* Podman sets **container_uuid** environment variable in the container to the
-first 32 characters of the container id.
+@@option sysctl
 
-This allows systemd to run in a confined container without any modifications.
-
-Note that on **SELinux** systems, systemd attempts to write to the cgroup
-file system. Containers writing to the cgroup file system are denied by default.
-The **container_manage_cgroup** boolean must be enabled for this to be allowed on an SELinux separated system.
-```
-setsebool -P container_manage_cgroup true
-```
+@@option systemd
 
 @@option timeout
 
@@ -754,228 +577,16 @@ Without this argument, the command will run as the user specified in the contain
 
 When a user namespace is not in use, the UID and GID used within the container and on the host will match. When user namespaces are in use, however, the UID and GID in the container may correspond to another UID and GID on the host. In rootless containers, for example, a user namespace is always used, and root in the container will by default correspond to the UID and GID of the user invoking Podman.
 
-#### **--userns**=*mode*
-
-Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.
-
-Rootless user --userns=Key mappings:
-
-Key       | Host User |  Container User
-----------|---------------|---------------------
-""        |$UID           |0 (Default User account mapped to root user in container.)
-keep-id   |$UID           |$UID (Map user account to same UID within container.)
-auto      |$UID           | nil (Host User UID is not mapped into container.)
-nomap     |$UID           | nil (Host User UID is not mapped into container.)
-
-Valid _mode_ values are:
-
-**auto**[:_OPTIONS,..._]: automatically create a unique user namespace.
-
-The `--userns=auto` flag, requires that the user name `containers` and a range of subordinate user ids that the Podman container is allowed to use be specified in the /etc/subuid and /etc/subgid files.
-
-Example: `containers:2147483647:2147483648`.
-
-Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option.
-
-The rootless option `--userns=keep-id` uses all the subuids and subgids of the user. Using `--userns=auto` when starting new containers will not work as long as any containers exist that were started with `--userns=keep-id`.
-
-  Valid `auto` options:
-
-  - *gidmapping*=_CONTAINER_GID:HOST_GID:SIZE_: to force a GID mapping to be present in the user namespace.
-  - *size*=_SIZE_: to specify an explicit size for the automatic user namespace. e.g. `--userns=auto:size=8192`. If `size` is not specified, `auto` will estimate a size for the user namespace.
-  - *uidmapping*=_CONTAINER_UID:HOST_UID:SIZE_: to force a UID mapping to be present in the user namespace.
-
-**container:**_id_: join the user namespace of the specified container.
-
-**host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
-
-**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user.
-
-**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
-
-**ns:**_namespace_: run the container in the given existing user namespace.
-
-**private**: create a new namespace for the container.
-This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.
+@@option userns.container
 
 @@option uts.container
 
 #### **--variant**=*VARIANT*
 Use _VARIANT_ instead of the default architecture variant of the container image. Some images can use multiple variants of the arm architectures, such as arm/v5 and arm/v7.
 
-#### **--volume**, **-v**=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*
-
-Create a bind mount. If you specify _/HOST-DIR_:_/CONTAINER-DIR_, Podman
-bind mounts _host-dir_ in the host to _CONTAINER-DIR_ in the Podman
-container. Similarly, _SOURCE-VOLUME_:_/CONTAINER-DIR_ will mount the volume
-in the host to the container. If no such named volume exists, Podman will
-create one. (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.)
-
-The _options_ is a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup>
-
-* **rw**|**ro**
-* **z**|**Z**
-* [**O**]
-* [**U**]
-* [**no**]**copy**
-* [**no**]**dev**
-* [**no**]**exec**
-* [**no**]**suid**
-* [**r**]**bind**
-* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable**
-
-The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume
-will be mounted into the container at this directory.
-
-Volumes may specify a source as well, as either a directory on the host
-or the name of a named volume. If no source is given, the volume will be created as an
-anonymously named volume with a randomly generated name, and will be removed when
-the container is removed via the `--rm` flag or `podman rm --volumes`.
+@@option volume
 
-If a volume source is specified, it must be a path on the host or the name of a
-named volume. Host paths are allowed to be absolute or relative; relative paths
-are resolved relative to the directory Podman is run in. If the source does not
-exist, Podman will return an error. Users must pre-create the source files or
-directories.
-
-Any source that does not begin with a `.` or `/` will be treated as the name of
-a named volume. If a volume with that name does not exist, it will be created.
-Volumes created with names are not anonymous, and they are not removed by the `--rm`
-option and the `podman rm --volumes` command.
-
-You can specify multiple **-v** options to mount one or more volumes into a
-container.
-
-  `Write Protected Volume Mounts`
-
-You can add **:ro** or **:rw** option to mount a volume in read-only or
-read-write mode, respectively. By default, the volumes are mounted read-write.
-
-  `Chowning Volume Mounts`
-
-By default, Podman does not change the owner and group of source volume
-directories mounted into containers. If a container is created in a new user
-namespace, the UID and GID in the container may correspond to another UID and
-GID on the host.
-
-The `:U` suffix tells Podman to use the correct host UID and GID based on the
-UID and GID within the container, to change recursively the owner and group of
-the source volume.
-
-**Warning** use with caution since this will modify the host filesystem.
-
-  `Labeling Volume Mounts`
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a container. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the container context, you can add either of two suffixes
-**:z** or **:Z** to the volume mount. These suffixes tell Podman to relabel file
-objects on the shared volumes. The **z** option tells Podman that two containers
-share the volume content. As a result, Podman labels the content with a shared
-content label. Shared volume labels allow all containers to read/write content.
-The **Z** option tells Podman to label the content with a private unshared label.
-
-Note: Do not relabel system files and directories. Relabeling system content
-might cause other confined services on your machine to fail.  For these types
-of containers we recommend disabling SELinux separation.  The option
-`--security-opt label=disable` disables SELinux separation for the container.
-For example if a user wanted to volume mount their entire home directory into a
-container, they need to disable SELinux separation.
-
-	   $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
-
-  `Overlay Volume Mounts`
-
-   The `:O` flag tells Podman to mount the directory from the host as a
-temporary storage using the `overlay file system`. The container processes
-can modify content within the mountpoint which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the container
-finishes executing, similar to a tmpfs mount point being unmounted.
-
-  For advanced users overlay option also supports custom non-volatile `upperdir` and `workdir`
-for the overlay mount. Custom `upperdir` and `workdir` can be fully managed by the users themselves
-and `podman` will not remove it on lifecycle completion. Example `:O,upperdir=/some/upper,workdir=/some/work`
-
-  Subsequent executions of the container will see the original source directory
-content, any changes from previous container executions no longer exist.
-
-  One use case of the overlay mount is sharing the package cache from the
-host into the container to allow speeding up builds.
-
-  Note:
-
-     - The `O` flag conflicts with other options listed above.
-Content mounted into the container is labeled with the private label.
-       On SELinux systems, labels in the source directory must be readable
-by the container label. Usually containers can read/execute `container_share_t`
-and can read/write `container_file_t`. If you cannot change the labels on a
-source volume, SELinux container separation must be disabled for the container
-to work.
-     - The source directory mounted into the container with an overlay mount
-should not be modified, it can cause unexpected failures. It is recommended
-that you do not modify the directory until the container finishes running.
-
-Only the current container can use a private volume.
-
-  `Mounts propagation`
-
-By default bind mounted volumes are `private`. That means any mounts done
-inside container will not be visible on host and vice versa. One can change
-this behavior by specifying a volume mount propagation property. Making a
-volume shared mounts done under that volume inside container will be
-visible on host and vice versa. Making a volume **slave** enables only one
-way mount propagation and that is mounts done on host under that volume
-will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
-
-To control mount propagation property of a volume one can use the [**r**]**shared**,
-[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag.
-For mount propagation to work the source mount point (the mount point where source dir
-is mounted on) has to have the right propagation properties. For shared volumes, the
-source mount point has to be shared. And for slave volumes, the source mount point
-has to be either shared or slave. <sup>[[1]](#Footnote1)</sup>
-
-If you want to recursively mount a volume and all of its submounts into a
-container, then you can use the **rbind** option. By default the bind option is
-used, and submounts of the source directory will not be mounted into the
-container.
-
-Mounting the volume with the **nosuid** options means that SUID applications on
-the volume will not be able to change their privilege. By default volumes
-are mounted with **nosuid**.
-
-Mounting the volume with the **noexec** option means that no executables on the
-volume will be able to be executed within the container.
-
-Mounting the volume with the **nodev** option means that no devices on the volume
-will be able to be used by processes within the container. By default volumes
-are mounted with **nodev**.
-
-If the _host-dir_ is a mount point, then **dev**, **suid**, and **exec** options are
-ignored by the kernel.
-
-Use **df $hostdir** to figure out the source mount, and then use
-**findmnt -o TARGET,PROPAGATION _source-mount-dir_** to figure out propagation
-properties of source mount. If **findmnt**(1) utility is not available, then one
-can look at mount entry for source mount point in _/proc/self/mountinfo_. Look
-at the "optional fields" and see if any propagation properties are specified.
-In there, **shared:N** means the mount is shared, **master:N** means mount
-is slave, and if nothing is there, the mount is private. <sup>[[1]](#Footnote1)</sup>
-
-To change propagation properties of a mount point, use **mount**(8) command. For
-example, if one wants to bind mount source directory _/foo_, one can do
-**mount --bind /foo /foo** and **mount --make-private --make-shared /foo**. This
-will convert /foo into a shared mount point. Alternatively, one can directly
-change propagation properties of source mount. Say, if _/_ is source mount for
-_/foo_, then use **mount --make-shared /** to convert _/_ into a shared mount.
-
-Note: if the user only has access rights via a group, accessing the volume
-from inside a rootless container will fail. Use the `--group-add keep-groups`
-flag to pass the user's supplementary group access into the container.
+Use the **--group-add keep-groups** option to pass the user's supplementary group access into the container.
 
 #### **--volumes-from**=*CONTAINER[:OPTIONS]*