diff options
Diffstat (limited to 'docs/source/markdown/podman-run.1.md')
| -rw-r--r-- | docs/source/markdown/podman-run.1.md | 75 |
1 files changed, 61 insertions, 14 deletions
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 0d9e6dbcd..b98e563ef 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -446,6 +446,11 @@ The initialization time needed for a container to bootstrap. The value can be ex The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as **1m22s**. The default value is **30s**. +#### **--hostuser**=*name* + +Add a user account to /etc/passwd from the host to the container. The Username +or UID must exist on the host system. + #### **--help** Print usage statement @@ -492,16 +497,23 @@ Path to the container-init binary. When set to **true**, keep stdin open even if not attached. The default is **false**. -#### **--ip6**=*ip* +#### **--ip**=*ipv4* -Not implemented. +Specify a static IPv4 address for the container, for example **10.88.64.128**. +This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. +The address must be within the network's IP address pool (default **10.88.0.0/16**). + +To specify multiple static IP addresses per container, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option. -#### **--ip**=*ip* +#### **--ip6**=*ipv6* -Specify a static IP address for the container, for example **10.88.64.128**. -This option can only be used if the container is joined to only a single network - i.e., `--network=_network-name_` is used at most once -and if the container is not joining another container's network namespace via `--network=container:_id_`. -The address must be within the CNI network's IP address pool (default **10.88.0.0/16**). +Specify a static IPv6 address for the container, for example **fd46:db93:aa76:ac37::10**. +This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. +The address must be within the network's IPv6 address pool. + +To specify multiple static IPv6 addresses per container, set multiple networks using the **--network** option with a static IPv6 address specified for each using the `ip6` mode for that option. #### **--ipc**=*mode* @@ -557,12 +569,16 @@ This option is currently supported only by the **journald** log driver. #### **--mac-address**=*address* -Container MAC address (e.g. **92:d0:c6:0a:29:33**). +Container network interface MAC address (e.g. 92:d0:c6:0a:29:33) +This option can only be used if the container is joined to only a single network - i.e., **--network=_network-name_** is used at most once - +and if the container is not joining another container's network namespace via **--network=container:_id_**. Remember that the MAC address in an Ethernet network must be unique. The IPv6 link-local address will be based on the device's MAC address according to RFC4862. +To specify multiple static MAC addresses per container, set multiple networks using the **--network** option with a static MAC address specified for each using the `mac` mode for that option. + #### **--memory**, **-m**=_number_[_unit_] Memory limit. A _unit_ can be **b** (bytes), **k** (kilobytes), **m** (megabytes), or **g** (gigabytes). @@ -696,15 +712,22 @@ This works for both background and foreground containers. #### **--network**=*mode*, **--net** -Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** that is set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pods network namespace. +Set the network mode for the container. Invalid if using **--dns**, **--dns-opt**, or **--dns-search** with **--network** set to **none** or **container:**_id_. If used together with **--pod**, the container will not join the pod's network namespace. Valid _mode_ values are: -- **bridge**: Create a network stack on the default bridge. This is the default for rootfull containers. +- **bridge[:OPTIONS,...]**: Create a network stack on the default bridge. This is the default for rootfull containers. It is possible to specify these additional options: + - **alias=name**: Add network-scoped alias for the container. + - **ip=IPv4**: Specify a static ipv4 address for this container. + - **ip=IPv6**: Specify a static ipv6 address for this container. + - **mac=MAC**: Specify a static mac address address for this container. + - **interface_name**: Specify a name for the created network interface inside the container. + + For example to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`. +- \<network name or ID\>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above. You can use the **--network** option multiple times to specify additional networks. - **none**: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity. - **container:**_id_: Reuse another container's network stack. - **host**: Do not create a network namespace, the container will use the host's network. Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. -- **network**: Connect to a user-defined network, multiple networks should be comma-separated. - **ns:**_path_: Path to a network namespace to join. - **private**: Create a new namespace for the container. This will use the **bridge** mode for rootfull containers and **slirp4netns** for rootless ones. - **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. This is the default for rootless containers. It is possible to specify these additional options: @@ -722,7 +745,9 @@ Valid _mode_ values are: #### **--network-alias**=*alias* -Add network-scoped alias for the container. NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. +Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. +Network aliases work only with the bridge networking mode. This option can be specified multiple times. +NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. #### **--no-healthcheck** @@ -747,6 +772,11 @@ Tune the host's OOM preferences for containers (accepts values from **-1000** to #### **--os**=*OS* Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`. +#### **--passwd** + +Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option. +This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers. + #### **--personality**=*persona* Personality sets the execution domain via Linux personality(2). @@ -977,8 +1007,8 @@ Note: Labeling can be disabled for all containers by setting label=false in the - **no-new-privileges**: Disable container processes from gaining additional privileges -- **seccomp=unconfined**: Turn off seccomp confinement for the container -- **seccomp**=_profile.json_: Allowed syscall list seccomp JSON file to be used as a seccomp filter +- **seccomp=unconfined**: Turn off seccomp confinement for the container. +- **seccomp=profile.json**: JSON file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`. - **proc-opts**=_OPTIONS_ : Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the **proc(5)** man page. @@ -1196,6 +1226,17 @@ If for example _amount_ is **5** the second mapping step would look like: | _from_uid_ + 3 | _container_uid_ + 3 | | _from_uid_ + 4 | _container_uid_ + 4 | +When running as rootless, Podman will use all the ranges configured in the _/etc/subuid_ file. + +The current user ID is mapped to UID=0 in the rootless user namespace. +Every additional range is added sequentially afterward: + +| host |rootless user namespace | length | +| - | - | - | +| $UID | 0 | 1 | +| 1 | $FIRST_RANGE_ID | $FIRST_RANGE_LENGTH | +| 1+$FIRST_RANGE_LENGTH | $SECOND_RANGE_ID | $SECOND_RANGE_LENGTH| + Even if a user does not have any subordinate UIDs in _/etc/subuid_, **--uidmap** could still be used to map the normal UID of the user to a container UID by running `podman run --uidmap $container_uid:0:1 --user $container_uid ...`. @@ -1867,6 +1908,12 @@ Forcing UTC: Fri Nov 19 23:10:55 UTC 2021 ``` +### Run a container connected to two networks (called net1 and net2) with a static ip + +``` +$ podman run --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr +``` + ### Rootless Containers Podman runs as a non root user on most systems. This feature requires that a new enough version of **shadow-utils** |