Diffstat (limited to 'docs/source/markdown/podman-run.1.md')
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index e1177cb34..d9fdd9650 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -210,6 +210,10 @@ Specify the key sequence for detaching a container. Format is a single character Add a host device to the container. The format is `<device-on-host>[:<device-on-container>][:<permissions>]` (e.g. --device=/dev/sdc:/dev/xvdc:rwm) +Note: if the user only has access rights via a group then accessing the device +from inside a rootless container will fail. The `crun` runtime offers a +workaround for this by adding the option `--annotation io.crun.keep_original_groups=1`. + **--device-read-bps**=*path* Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb) @@ -422,10 +426,21 @@ Logging driver for the container. Currently available options are *k8s-file* an **--log-opt**=*path* -Logging driver specific options. Used to set the path to the container log file. For example: +Set custom logging configuration. Presently supports the `tag` option +which specified a custom log tag for the container. For example: `--log-opt path=/var/log/container/mycontainer.json` +**--log-opt**=*tag* + +Specify a custom log tag for the container. For example: + +`--log-opt tag="{{.ImageName}}"` + +It supports the same keys as `podman inspect --format`. + +It is currently supported only by the journald log driver. + **--mac-address**=*address* Container MAC address (e.g. `92:d0:c6:0a:29:33`) 
@@ -584,15 +599,16 @@ If a container is run with a pod, and the pod has an infra-container, the infra- Give extended privileges to this container. The default is *false*. -By default, Podman containers are “unprivileged” (=false) and cannot, -for example, modify parts of the kernel. This is because by default a -container is not allowed to access any devices. A “privileged” container -is given access to all devices. +By default, Podman containers are “unprivileged” (=false) and cannot, for +example, modify parts of the operating system. This is because by default a +container is only allowed limited access to devices. A "privileged" container +is given the same access to devices as the user launching the container. -When the operator executes **podman run --privileged**, Podman enables access -to all devices on the host, turns off graphdriver mount options, as well as -turning off most of the security measures protecting the host from the -container. +A privileged container turns off the security features that isolate the +container from the host. Dropped Capabilities, limited devices, read/only mount +points, Apparmor/SELinux separation, and Seccomp filters are all disabled. + +Rootless containers cannot have more privileges than the account that launched them. **--publish**, **-p**=*port* |
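Review bot: In the `--device` hunk (@@ -210,6 +210,10 @@), the added note names `--annotation io.crun.keep_original_groups=1` without saying what the annotation changes or what it costs. Judging by its name, the container process keeps the launching user's groups, which widens what the container can reach beyond the one device. Suggest adding a sentence that states this effect, and saying explicitly that the option has no effect with runtimes other than `crun`, so readers do not apply it expecting it to work elsewhere.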
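Review bot: In the `--log-opt` hunk (@@ -422,10 +426,21 @@), the rewritten description under `**--log-opt**=*path*` now talks about the `tag` option while the example directly below it is still `--log-opt path=/var/log/container/mycontainer.json`, so the path entry no longer documents the path. "Presently supports the `tag` option" also reads as if `tag` were the only supported key, which the retained path example contradicts. Suggest keeping the original sentence ("Used to set the path to the container log file") for the path entry and leaving the tag description only in the new `**--log-opt**=*tag*` entry. Minor: "which specified" should be "which specifies".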
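Review bot: In the `--privileged` hunk (@@ -584,15 +599,16 @@), the sentence "Dropped Capabilities, limited devices, read/only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled" is ambiguous for the first three items: it can be read as capabilities being disabled rather than the dropping of capabilities being turned off. Since this is the paragraph users rely on to judge the risk of the flag, suggest stating each effect directly, for example that capabilities are no longer dropped, device restrictions are lifted, and read-only mount points become writable. The removed text mentioned that graphdriver mount options are turned off and the new text does not; confirm the omission is intended. Style: use "read-only" and "AppArmor", and make the quote marks around "privileged" match the curly quotes around “unprivileged” in the same paragraph.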