diff options
Diffstat (limited to 'docs/source')
37 files changed, 918 insertions, 212 deletions
diff --git a/docs/source/Tutorials.rst b/docs/source/Tutorials.rst index c2cbcb8a9..024e6847c 100644 --- a/docs/source/Tutorials.rst +++ b/docs/source/Tutorials.rst @@ -4,11 +4,11 @@ Tutorials ========= Here are a number of useful tutorials to get you up and running with Podman. If you are familiar with the Docker `Container Engine`_ the command in Podman_ should be quite familiar. If you are brand new to containers, take a look at our `Introduction`. -* `Basic Setup and Use of Podman <https://github.com/containers/podman/blob/main/docs/tutorials/podman_tutorial.md>`_: Learn how to setup Podman and perform some basic commands with the utility. -* `Basic Setup and Use of Podman in a Rootless environment <https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md>`_: The steps required to setup rootless Podman are enumerated. +* `Basic Setup and Use of Podman <https://github.com/containers/podman/blob/main/docs/tutorials/podman_tutorial.md>`_: Learn how to set up Podman and perform some basic commands with the utility. +* `Basic Setup and Use of Podman in a Rootless environment <https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md>`_: The steps required to set up rootless Podman are enumerated. * `Podman for Windows <https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md>`_: A guide to installing and using Podman on Windows. * `Podman Remote Clients on Mac/Windows <https://github.com/containers/podman/blob/main/docs/tutorials/mac_win_client.md>`_: Advanced setup for connecting to a remote Linux system using the Podman remote client on Mac and Windows. -* `How to sign and distribute container images using Podman <https://github.com/containers/podman/blob/main/docs/tutorials/image_signing.md>`_: Learn how to setup and use image signing with Podman. +* `How to sign and distribute container images using Podman <https://github.com/containers/podman/blob/main/docs/tutorials/image_signing.md>`_: Learn how to set up and use image signing with Podman. * `Podman remote-client tutorial <https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md>`_: A brief how-to on using the Podman remote-client. * `How to use libpod for custom/derivative projects <https://github.com/containers/podman/blob/main/docs/tutorials/podman-derivative-api.md>`_: How the libpod API can be used within your own project. * `How to use Podman's Go RESTful bindings <https://github.com/containers/podman/tree/main/pkg/bindings>`_: An introduction to using our RESTful Golang bindings in an external application. diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index b372bfce6..bf710022e 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -91,6 +91,33 @@ instructions read from the Containerfiles in the same way that environment variables are, but which will not be added to environment variable list in the resulting image's configuration. +#### **--build-context**=*name=value* + +Specify an additional build context using its short name and its location. +Additional build contexts can be referenced in the same manner as we access +different stages in COPY instruction. + +Valid values could be: + +* Local directory – e.g. --build-context project2=../path/to/project2/src (This option is not available with the remote Podman client. On Podman machine setup (i.e macOS and Winows) path must exists on the machine VM) +* HTTP URL to a tarball – e.g. --build-context src=https://example.org/releases/src.tar +* Container image – specified with a container-image:// prefix, e.g. --build-context alpine=container-image://alpine:3.15, (also accepts docker://, docker-image://) + +On the Containerfile side, you can reference the build context on all +commands that accept the “from” parameter. Here’s how that might look: + +```dockerfile +FROM [name] +COPY --from=[name] ... +RUN --mount=from=[name] … +``` + +The value of [name] is matched with the following priority order: + +* Named build context defined with --build-context [name]=.. +* Stage defined with AS [name] inside Containerfile +* Image [name], either local or in a remote registry + #### **--cache-from** Images to utilize as potential cache sources. Podman does not currently support @@ -140,6 +167,10 @@ This option is added to be aligned with other containers CLIs. Podman doesn't communicate with a daemon or a remote server. Thus, compressing the data before sending it is irrelevant to Podman. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +#### **--cpp-flag**=*flags* + +Set additional flags to pass to the C Preprocessor cpp(1). Containerfiles ending with a ".in" suffix will be preprocessed via cpp(1). This option can be used to pass additional flags to cpp.Note: You can also set default CPPFLAGS by setting the BUILDAH_CPPFLAGS environment variable (e.g., export BUILDAH_CPPFLAGS="-DDEBUG"). + #### **--cpu-period**=*limit* Set the CPU period for the Completely Fair Scheduler (CFS), which is a @@ -396,6 +427,16 @@ BUILDAH\_LAYERS environment variable. `export BUILDAH_LAYERS=true` Log output which would be sent to standard output and standard error to the specified file instead of to standard output and standard error. +This option is not supported on the remote client, including Mac and Windows +(excluding WSL2) machines. + +#### **--logsplit** *bool-value* + +If `--logfile` and `--platform` are specified, the `--logsplit` option allows +end-users to split the log file for each platform into different files in the +following format: `${logfile}_${platform-os}_${platform-arch}`. +This option is not supported on the remote client, including Mac and Windows +(excluding WSL2) machines. #### **--manifest** "manifest" @@ -404,8 +445,8 @@ if it does not exist. This option is useful for building multi architecture imag #### **--memory**, **-m**=*LIMIT* -Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), -m (megabytes), or g (gigabytes)) +Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), +m (mebibytes), or g (gibibytes)) Allows you to constrain the memory available to a container. If the host supports swap memory, then the **-m** memory setting can be larger than physical @@ -422,7 +463,7 @@ A limit value equal to memory plus swap. Must be used with the **-m** the value of --memory. The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), -`k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a +`k` (kibibytes), `m` (mebibytes), or `g` (gibibytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. #### **--network**=*mode*, **--net** @@ -451,6 +492,15 @@ By default, Podman will manage _/etc/hosts_, adding the container's own IP addre **--no-hosts** disables this, and the image's _/etc/hosts_ will be preserved unmodified. This option conflicts with **--add-host**. +#### **--omit-history** + +Omit build history information in the built image. (default false). + +This option is useful for the cases where end users explicitly +want to set `--omit-history` to omit the optional `History` from +built images or when working with images built using build tools that +do not include `History` information in their images. + #### **--os**=*string* Set the OS of the image to be built, and that of the base image to be pulled, @@ -526,27 +576,14 @@ While `podman build` is happy to use base images and build images for any platform that exists, `RUN` instructions will not be able to succeed without the help of emulation provided by packages like `qemu-user-static`. -#### **--pull** - -When the option is enabled or set explicitly to `true` (with *--pull=true*) -pull the image from the first registry it is found in as listed in registries.conf. -Raise an error if the image could not be pulled, even if the image is present locally. - -If the option is disabled (with *--pull=false*), pull the image from the -registry only if the image is not present locally. Raise an error if the image is not -in the registries and not present locally. - -If the pull option is set to `always` (with *--pull=always*), -pull the image from the first registry it is found in as listed in registries.conf. -Raise an error if not found in the registries, even if the image is present locally. +#### **--pull**=**always**|**missing**|**never**|**newer** -If the pull option is set to `missing` (with *--pull=missing*), -Pull the image only if it is not present in the local storage. Raise an error if it -could neither be found in the local storage or on a registry. +Pull image policy. The default is **always**. -If the pull option is set to `never` (with *--pull=never*), -Do not pull the image from the registry, use only the local version. Raise an error -if the image is not present locally. +- **always**, **true**: Always pull the image and throw an error if the pull fails. +- **missing**: Pull the image only if it could not be found in the local containers storage. Throw an error if no image could be found and the pull fails. +- **never**, **false**: Never pull the image but use the one from the local containers storage. Throw an error if no image could be found. +- **newer**: Pull if the image on the registry is newer than the one in the local containers storage. An image is considered to be newer when the digests are different. Comparing the time stamps is prone to errors. Pull errors are suppressed if a local image was found. #### **--quiet**, **-q** @@ -600,8 +637,8 @@ as a seccomp filter Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. -Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or -`g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the +Unit is optional and can be `b` (bytes), `k` (kibibytes), `m`(mebibytes), or +`g` (gibibytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. #### **--sign-by**=*fingerprint* @@ -882,12 +919,10 @@ container. When the mount propagation policy is set to `slave`, one way mount propagation is enabled and any mounts completed on the host for that volume will be visible only inside of the container. To control the mount propagation property of volume use the `:[r]shared`, `:[r]slave` or `:[r]private` -propagation flag. The propagation property can be specified only for bind mounted -volumes and not for internal volumes or named volumes. For mount propagation to -work on the source mount point (mount point where source dir is mounted on) has -to have the right propagation properties. For shared volumes, the source mount -point has to be shared. And for slave volumes, the source mount has to be either -shared or slave. <sup>[[1]](#Footnote1)</sup> +propagation flag. For mount propagation to work on the source mount point (mount +point where source dir is mounted on) has to have the right propagation properties. +For shared volumes, the source mount point has to be shared. And for slave volumes, +the source mount has to be either shared or slave. <sup>[[1]](#Footnote1)</sup> Use `df <source-dir>` to determine the source mount and then use `findmnt -o TARGET,PROPAGATION <source-mount-dir>` to determine propagation diff --git a/docs/source/markdown/podman-container-cleanup.1.md b/docs/source/markdown/podman-container-cleanup.1.md index 0f182eded..0ad09efd3 100644 --- a/docs/source/markdown/podman-container-cleanup.1.md +++ b/docs/source/markdown/podman-container-cleanup.1.md @@ -1,7 +1,7 @@ % podman-container-cleanup(1) ## NAME -podman\-container\-cleanup - Cleanup the container's network and mountpoints +podman\-container\-cleanup - Clean up the container's network and mountpoints ## SYNOPSIS **podman container cleanup** [*options*] *container* [*container* ...] @@ -13,7 +13,7 @@ Sometimes container mount points and network stacks can remain if the podman com ## OPTIONS #### **--all**, **-a** -Cleanup all *containers*.\ +Clean up all *containers*.\ The default is **false**.\ *IMPORTANT: This OPTION does not need a container name or ID as input argument.* @@ -40,12 +40,12 @@ After cleanup, remove the image entirely.\ The default is **false**. ## EXAMPLES -Cleanup the container "mywebserver". +Clean up the container "mywebserver". ``` $ podman container cleanup mywebserver ``` -Cleanup the containers with the names "mywebserver", "myflaskserver", "860a4b23". +Clean up the containers with the names "mywebserver", "myflaskserver", "860a4b23". ``` $ podman container cleanup mywebserver myflaskserver 860a4b23 ``` diff --git a/docs/source/markdown/podman-container-clone.1.md b/docs/source/markdown/podman-container-clone.1.md index 69423113d..6d552db75 100644 --- a/docs/source/markdown/podman-container-clone.1.md +++ b/docs/source/markdown/podman-container-clone.1.md @@ -131,7 +131,7 @@ Force removal of the original container that we are cloning. Can only be used in #### **--memory**, **-m**=*limit* -Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) +Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) Allows the memory available to a container to be constrained. If the host supports swap memory, then the **-m** memory setting can be larger than physical @@ -143,7 +143,7 @@ If no memory limits are specified, the original container's will be used. #### **--memory-reservation**=*limit* -Memory soft limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) +Memory soft limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) After setting memory reservation, when the system detects memory contention or low memory, containers are forced to restrict their consumption to their @@ -159,7 +159,7 @@ A limit value equal to memory plus swap. Must be used with the **-m** the value of --memory if specified. Otherwise, the container being cloned will be used to derive the swap value. The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), -`k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a +`k` (kibibytes), `m` (mebibytes), or `g` (gibibytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. #### **--memory-swappiness**=*number* diff --git a/docs/source/markdown/podman-container.1.md b/docs/source/markdown/podman-container.1.md index 36623c718..a66e2789d 100644 --- a/docs/source/markdown/podman-container.1.md +++ b/docs/source/markdown/podman-container.1.md @@ -15,7 +15,7 @@ The container command allows you to manage containers | --------- | --------------------------------------------------- | ---------------------------------------------------------------------------- | | attach | [podman-attach(1)](podman-attach.1.md) | Attach to a running container. | | checkpoint | [podman-container-checkpoint(1)](podman-container-checkpoint.1.md) | Checkpoints one or more running containers. | -| cleanup | [podman-container-cleanup(1)](podman-container-cleanup.1.md) | Cleanup the container's network and mountpoints. | +| cleanup | [podman-container-cleanup(1)](podman-container-cleanup.1.md) | Clean up the container's network and mountpoints. | | clone | [podman-container-clone(1)](podman-container-clone.1.md) | Creates a copy of an existing container. | | commit | [podman-commit(1)](podman-commit.1.md) | Create new image based on the changed container. | | cp | [podman-cp(1)](podman-cp.1.md) | Copy files/folders between a container and the local filesystem. | diff --git a/docs/source/markdown/podman-cp.1.md b/docs/source/markdown/podman-cp.1.md index 0c375675d..bb86e3f13 100644 --- a/docs/source/markdown/podman-cp.1.md +++ b/docs/source/markdown/podman-cp.1.md @@ -63,6 +63,10 @@ When set to true, files copied to a container will have changed ownership to the When set to false, maintain uid/gid from archive sources instead of changing them to the primary uid/gid of the destination container. The default is **true**. +#### **--overwrite** + +Allow directories to be overwritten with non-directories and vice versa. By default, `podman cp` errors out when attempting to overwrite, for instance, a regular file with a directory. Use this option, if you want to allow this behavior. + ## ALTERNATIVES Podman has much stronger capabilities than just `podman cp` to achieve copying files between the host and containers. diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 009209343..de73071c9 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -349,7 +349,7 @@ You need to specify multi option commands in the form of a json string. Set environment variables -This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. If an environment variable ending in __*__ is specified, Podman will search the host environment for variables starting with the prefix and will add those variables to the container. If an environment variable with a trailing ***** is specified, then a value must be supplied. +This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container. See [**Environment**](#environment) note below for precedence and examples. @@ -573,7 +573,7 @@ To specify multiple static MAC addresses per container, set multiple networks us #### **--memory**, **-m**=*limit* -Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) +Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) Allows you to constrain the memory available to a container. If the host supports swap memory, then the **-m** memory setting can be larger than physical @@ -583,7 +583,7 @@ system's page size (the value would be very large, that's millions of trillions) #### **--memory-reservation**=*limit* -Memory soft limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) +Memory soft limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) After setting memory reservation, when the system detects memory contention or low memory, containers are forced to restrict their consumption to their @@ -599,7 +599,7 @@ A limit value equal to memory plus swap. Must be used with the **-m** the value of --memory. The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), -`k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a +`k` (kibibytes), `m` (mebibytes), or `g` (gibibytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. #### **--memory-swappiness**=*number* @@ -654,7 +654,7 @@ Current supported mount TYPEs are **bind**, **volume**, **image**, **tmpfs** and · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2). - . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive. + . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive. . relabel: shared, private. @@ -826,22 +826,27 @@ container. Rootless containers cannot have more privileges than the account that launched them. -#### **--publish**, **-p**=*port* +#### **--publish**, **-p**=[[_ip_:][_hostPort_]:]_containerPort_[/_protocol_] -Publish a container's port, or range of ports, to the host +Publish a container's port, or range of ports, to the host. -Format: `ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort` Both hostPort and containerPort can be specified as a range of ports. -When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. -(e.g., `podman run -p 1234-1236:1222-1224 --name thisWorks -t busybox` -but not `podman run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanRangeHostPorts -t busybox`) -With host IP: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage` +When specifying ranges for both, the number of container ports in the +range must match the number of host ports in the range. + If host IP is set to 0.0.0.0 or not set at all, the port will be bound on all IPs on the host. + +By default, Podman will publish TCP ports. To publish a UDP port instead, give +`udp` as protocol. To publish both TCP and UDP ports, set `--publish` twice, +with `tcp`, and `udp` as protocols respectively. Rootful containers can also +publish ports using the `sctp` protocol. + Host port does not have to be specified (e.g. `podman run -p 127.0.0.1::80`). If it is not, the container port will be randomly assigned a port on the host. -Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT` -**Note:** if a container will be run within a pod, it is not necessary to publish the port for +Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINERPORT`. + +**Note:** If a container will be run within a pod, it is not necessary to publish the port for the containers in the pod. The port must only be published by the pod itself. Pod network stacks act like the network stack on the host - you have a variety of containers in the pod, and programs in the container, all sharing a single interface and IP address, and @@ -861,14 +866,14 @@ port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. -#### **--pull**=*missing* +#### **--pull**=**always**|**missing**|**never**|**newer** -Pull image before creating ("always"|"missing"|"never") (default "missing"). - 'missing': default value, attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist.Raise an error if the image is not in any listed registry and is not present locally. - 'always': Pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. - 'never': do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally. +Pull image policy. The default is **missing**. -Defaults to *missing*. +- **always**: Always pull the image and throw an error if the pull fails. +- **missing**: Pull the image only if it could not be found in the local containers storage. Throw an error if no image could be found and the pull fails. +- **never**: Never pull the image but use the one from the local containers storage. Throw an error if no image could be found. +- **newer**: Pull if the image on the registry is newer than the one in the local containers storage. An image is considered to be newer when the digests are different. Comparing the time stamps is prone to errors. Pull errors are suppressed if a local image was found. #### **--quiet**, **-q** @@ -876,11 +881,11 @@ Suppress output information when pulling images #### **--read-only** -Mount the container's root filesystem as read only. +Mount the container's root filesystem as read-only. By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--read-only` flag the container will have -its root filesystem mounted as read only prohibiting any writes. +its root filesystem mounted as read-only prohibiting any writes. #### **--read-only-tmpfs** @@ -1001,14 +1006,14 @@ Note: Labeling can be disabled for all containers by setting label=false in the possible mount options are specified in the **proc(5)** man page. -- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read only by default. - The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. +- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read-only by default. + The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read-only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. #### **--shm-size**=*size* -Size of `/dev/shm` (format: `<number>[<unit>]`, where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) +Size of `/dev/shm` (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. When size is `0`, there is no limit on the amount of memory used for IPC by the container. @@ -1256,9 +1261,9 @@ Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinat **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default). -**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user. +**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user. -**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user. +**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user. **ns:**_namespace_: run the container in the given existing user namespace. @@ -1290,13 +1295,14 @@ The _options_ is a comma-separated list and can be: * **rw**|**ro** * **z**|**Z** -* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable** -* [**r**]**bind** -* [**no**]**exec** -* [**no**]**dev** -* [**no**]**suid** * [**O**] * [**U**] +* [**no**]**copy** +* [**no**]**dev** +* [**no**]**exec** +* [**no**]**suid** +* [**r**]**bind** +* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable** The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume will be mounted into the container at this directory. @@ -1404,12 +1410,10 @@ will be visible inside container but not the other way around. <sup>[[1]](#Footn To control mount propagation property of a volume one can use the [**r**]**shared**, [**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag. -Propagation property can be specified only for bind mounted volumes and not for -internal volumes or named volumes. For mount propagation to work the source mount -point (the mount point where source dir is mounted on) has to have the right propagation -properties. For shared volumes, the source mount point has to be shared. And for -slave volumes, the source mount point has to be either shared or slave. -<sup>[[1]](#Footnote1)</sup> +For mount propagation to work the source mount point (the mount point where source dir +is mounted on) has to have the right propagation properties. For shared volumes, the +source mount point has to be shared. And for slave volumes, the source mount point +has to be either shared or slave. <sup>[[1]](#Footnote1)</sup> If you want to recursively mount a volume and all of its submounts into a container, then you can use the `rbind` option. By default the bind option is @@ -1600,17 +1604,17 @@ Precedence order (later entries override earlier entries): - **--env-file** : Any environment variables specified via env-files. If multiple files specified, then they override each other in order of entry. - **--env** : Any environment variables specified will override previous settings. -Create containers and set the environment ending with a __*__ and a ***** +Create containers and set the environment ending with a __*__. +The trailing __*__ glob functionality is only active when no value is specified: ``` $ export ENV1=a -$ podman create --name ctr --env ENV* alpine printenv ENV1 -$ podman start --attach ctr -a - -$ podman create --name ctr --env ENV*****=b alpine printenv ENV***** -$ podman start --attach ctr -b +$ podman create --name ctr1 --env 'ENV*' alpine env +$ podman start --attach ctr1 | grep ENV +ENV1=a +$ podman create --name ctr2 --env 'ENV*=b' alpine env +$ podman start --attach ctr2 | grep ENV +ENV*=b ``` ## CONMON diff --git a/docs/source/markdown/podman-exec.1.md b/docs/source/markdown/podman-exec.1.md index 5fb4ceace..da61f3456 100644 --- a/docs/source/markdown/podman-exec.1.md +++ b/docs/source/markdown/podman-exec.1.md @@ -21,10 +21,11 @@ Start the exec session, but do not attach to it. The command will run in the bac Specify the key sequence for detaching a container. Format is a single character `[a-Z]` or one or more `ctrl-<value>` characters where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`. Specifying "" will disable this feature. The default is *ctrl-p,ctrl-q*. -#### **--env**, **-e** +#### **--env**, **-e**=*env* -You may specify arbitrary environment variables that are available for the -command to be executed. +Set environment variables. + +This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container. #### **--env-file**=*file* diff --git a/docs/source/markdown/podman-generate-systemd.1.md b/docs/source/markdown/podman-generate-systemd.1.md index 8c3c32d04..56ad4e446 100644 --- a/docs/source/markdown/podman-generate-systemd.1.md +++ b/docs/source/markdown/podman-generate-systemd.1.md @@ -14,6 +14,17 @@ Generating unit files for a pod requires the pod to be created with an infra con _Note: If you use this command with the remote client, including Mac and Windows (excluding WSL2) machines, you would still have to place the generated units on the remote system. Moreover, please make sure that the XDG_RUNTIME_DIR environment variable is set. If unset, you may set it via `export XDG_RUNTIME_DIR=/run/user/$(id -u)`._ +### Kubernetes Integration + +A Kubernetes YAML can be executed in systemd via the `podman-kube@.service` systemd template. The template's argument is the path to the YAML file. Given a `workload.yaml` file in the home directory, it can be executed as follows: + +``` +$ escaped=$(systemd-escape ~/sysadmin.yaml) +$ systemctl --user start podman-kube@$escaped.service +$ systemctl --user is-active podman-kube@$escaped.service +active +``` + ## OPTIONS #### **--after**=*dependency_name* diff --git a/docs/source/markdown/podman-image-scp.1.md b/docs/source/markdown/podman-image-scp.1.md index 1d902da91..b6b610a7d 100644 --- a/docs/source/markdown/podman-image-scp.1.md +++ b/docs/source/markdown/podman-image-scp.1.md @@ -33,7 +33,7 @@ Suppress the output ``` $ podman image scp alpine -Loaded image(s): docker.io/library/alpine:latest +Loaded image: docker.io/library/alpine:latest ``` ``` @@ -43,12 +43,12 @@ Copying blob 72e830a4dff5 done Copying config 85f9dc67c7 done Writing manifest to image destination Storing signatures -Loaded image(s): docker.io/library/alpine:latest +Loaded image: docker.io/library/alpine:latest ``` ``` $ podman image scp Fedora::alpine RHEL:: -Loaded image(s): docker.io/library/alpine:latest +Loaded image: docker.io/library/alpine:latest ``` ``` @@ -59,7 +59,7 @@ Copying blob 9450ef9feb15 [--------------------------------------] 0.0b / 0.0b Copying config 1f97f0559c done Writing manifest to image destination Storing signatures -Loaded image(s): docker.io/library/alpine:latest +Loaded image: docker.io/library/alpine:latest ``` ``` @@ -73,7 +73,7 @@ Copying blob 5eb901baf107 skipped: already exists Copying config 696d33ca15 done Writing manifest to image destination Storing signatures -Loaded image(s): docker.io/library/alpine:latest +Loaded image: docker.io/library/alpine:latest ``` ``` @@ -87,7 +87,7 @@ Copying blob 5eb901baf107 Copying config 696d33ca15 done Writing manifest to image destination Storing signatures -Loaded image(s): docker.io/library/alpine:latest +Loaded image: docker.io/library/alpine:latest ``` ## SEE ALSO diff --git a/docs/source/markdown/podman-kill.1.md b/docs/source/markdown/podman-kill.1.md index 35ca9f74f..a4f80ac81 100644 --- a/docs/source/markdown/podman-kill.1.md +++ b/docs/source/markdown/podman-kill.1.md @@ -14,7 +14,7 @@ The main process inside each container specified will be sent SIGKILL, or any si ## OPTIONS #### **--all**, **-a** -Signal all running containers. This does not include paused containers. +Signal all running and paused containers. #### **--cidfile** diff --git a/docs/source/markdown/podman-machine-info.1.md b/docs/source/markdown/podman-machine-info.1.md new file mode 100644 index 000000000..33c207d32 --- /dev/null +++ b/docs/source/markdown/podman-machine-info.1.md @@ -0,0 +1,36 @@ +% podman-machine-info(1) + +## NAME +podman\-machine\-info - Display machine host info + +## SYNOPSIS +**podman machine info** + +## DESCRIPTION + +Display information pertaining to the machine host. +Rootless only, as all `podman machine` commands can be only be used with rootless Podman. + +## OPTIONS + +#### **--format**=*format*, **-f** + +Change output format to "json" or a Go template. + +#### **--help** + +Print usage statement. + +## EXAMPLES + +``` +$ podman machine info +$ podman machine info --format json +$ podman machine info --format {{.Host.Arch}} +``` + +## SEE ALSO +**[podman(1)](podman.1.md)**, **[podman-machine(1)](podman-machine.1.md)** + +## HISTORY +June 2022, Originally compiled by Ashley Cui <acui@redhat.com> diff --git a/docs/source/markdown/podman-machine-init.1.md b/docs/source/markdown/podman-machine-init.1.md index 33947bbba..21c98b2c7 100644 --- a/docs/source/markdown/podman-machine-init.1.md +++ b/docs/source/markdown/podman-machine-init.1.md @@ -10,9 +10,12 @@ podman\-machine\-init - Initialize a new virtual machine Initialize a new virtual machine for Podman. -Podman on macOS requires a virtual machine. This is because containers are Linux - +Rootless only. + +Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux - containers do not run on any other OS because containers' core functionality are -tied to the Linux kernel. +tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines, +but can be optionally used on Linux. **podman machine init** initializes a new Linux virtual machine where containers are run. SSH keys are automatically generated to access the VM, and system connections to the root account @@ -73,15 +76,33 @@ Set the timezone for the machine and containers. Valid values are `local` or a `timezone` such as `America/Chicago`. A value of `local`, which is the default, means to use the timezone of the machine host. -#### **--volume**, **-v**=*source:target* +#### **--volume**, **-v**=*source:target[:options]* Mounts a volume from source to target. Create a mount. If /host-dir:/machine-dir is specified as the `*source:target*`, Podman mounts _host-dir_ in the host to _machine-dir_ in the Podman machine. -The root filesystem is mounted read-only in the default operating system, -so mounts must be created under the /mnt directory. +Additional options may be specified as a comma-separated string. Recognized +options are: +* **ro**: mount volume read-only +* **rw**: mount volume read/write (default) +* **security_model=[model]**: specify 9p security model (see below) + +The 9p security model [determines] https://wiki.qemu.org/Documentation/9psetup#Starting_the_Guest_directly +if and how the 9p filesystem translates some filesystem operations before +actual storage on the host. The +default value of *mapped-xattr* specifies that 9p store symlinks and some file +attributes as extended attributes on the host. This is suitable when the host +and the guest do not need to interoperate on the shared filesystem, but has +caveats for actual shared access; notably, symlinks on the host are not usable +on the guest and vice versa. If interoperability is required, then choose +*none* instead, but keep in mind that the guest will not be able to do things +that the user running the virtual machine cannot do, e.g. create files owned by +another user. Using *none* is almost certainly the best choice for read-only +volumes. + +Example: `-v "$HOME/git:$HOME/git:ro,security_model=none"` Default volume mounts are defined in *containers.conf*. Unless changed, the default values is `$HOME:$HOME`. diff --git a/docs/source/markdown/podman-machine-inspect.1.md b/docs/source/markdown/podman-machine-inspect.1.md index 38eb66b0d..29cd775c2 100644 --- a/docs/source/markdown/podman-machine-inspect.1.md +++ b/docs/source/markdown/podman-machine-inspect.1.md @@ -13,6 +13,8 @@ Inspect one or more virtual machines Obtain greater detail about Podman virtual machines. More than one virtual machine can be inspected at once. +Rootless only. + ## OPTIONS #### **--format** diff --git a/docs/source/markdown/podman-machine-list.1.md b/docs/source/markdown/podman-machine-list.1.md index 0c5310463..a25aae090 100644 --- a/docs/source/markdown/podman-machine-list.1.md +++ b/docs/source/markdown/podman-machine-list.1.md @@ -12,9 +12,12 @@ podman\-machine\-list - List virtual machines List Podman managed virtual machines. -Podman on macOS requires a virtual machine. This is because containers are Linux - -containers do not run on any other OS because containers' core functionality is -tied to the Linux kernel. +Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux - +containers do not run on any other OS because containers' core functionality are +tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines, +but can be optionally used on Linux. + +Rootless only. ## OPTIONS diff --git a/docs/source/markdown/podman-machine-rm.1.md b/docs/source/markdown/podman-machine-rm.1.md index 4a2c59173..d90b615ce 100644 --- a/docs/source/markdown/podman-machine-rm.1.md +++ b/docs/source/markdown/podman-machine-rm.1.md @@ -16,6 +16,7 @@ generated for that VM are also removed as is its image file on the filesystem. Users get a display of what will be deleted and are required to confirm unless the option `--force` is used. +Rootless only. ## OPTIONS diff --git a/docs/source/markdown/podman-machine-set.1.md b/docs/source/markdown/podman-machine-set.1.md index de90ee4b0..1daf97a61 100644 --- a/docs/source/markdown/podman-machine-set.1.md +++ b/docs/source/markdown/podman-machine-set.1.md @@ -10,6 +10,8 @@ podman\-machine\-set - Sets a virtual machine setting Change a machine setting. +Rootless only. + ## OPTIONS #### **--cpus**=*number* diff --git a/docs/source/markdown/podman-machine-ssh.1.md b/docs/source/markdown/podman-machine-ssh.1.md index db0350961..5432f0e9f 100644 --- a/docs/source/markdown/podman-machine-ssh.1.md +++ b/docs/source/markdown/podman-machine-ssh.1.md @@ -14,6 +14,9 @@ first argument must be the virtual machine name. The optional command to execute can then follow. If no command is provided, an interactive session with the virtual machine is established. +The exit code from ssh command will be forwarded to the podman machine ssh caller, see [Exit Codes](#Exit-Codes). + +Rootless only. ## OPTIONS @@ -25,6 +28,35 @@ Print usage statement. Username to use when SSH-ing into the VM. +## Exit Codes + +The exit code from `podman machine ssh` gives information about why the command failed. +When `podman machine ssh` commands exit with a non-zero code, +the exit codes follow the `chroot` standard, see below: + + **125** The error is with podman **_itself_** + + $ podman machine ssh --foo; echo $? + Error: unknown flag: --foo + 125 + + **126** Executing a _contained command_ and the _command_ cannot be invoked + + $ podman machine ssh /etc; echo $? + Error: fork/exec /etc: permission denied + 126 + + **127** Executing a _contained command_ and the _command_ cannot be found + + $ podman machine ssh foo; echo $? + Error: fork/exec /usr/bin/bogus: no such file or directory + 127 + + **Exit code** _contained command_ exit code + + $ podman machine ssh /bin/sh -c 'exit 3'; echo $? + 3 + ## EXAMPLES To get an interactive session with the default virtual machine: diff --git a/docs/source/markdown/podman-machine-start.1.md b/docs/source/markdown/podman-machine-start.1.md index e55dcab13..b92494dda 100644 --- a/docs/source/markdown/podman-machine-start.1.md +++ b/docs/source/markdown/podman-machine-start.1.md @@ -10,9 +10,12 @@ podman\-machine\-start - Start a virtual machine Starts a virtual machine for Podman. -Podman on macOS requires a virtual machine. This is because containers are Linux - +Rootless only. + +Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux - containers do not run on any other OS because containers' core functionality are -tied to the Linux kernel. +tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines, +but can be optionally used on Linux. Only one Podman managed VM can be active at a time. If a VM is already running, `podman machine start` will return an error. diff --git a/docs/source/markdown/podman-machine-stop.1.md b/docs/source/markdown/podman-machine-stop.1.md index 9aa781561..29f3e81f4 100644 --- a/docs/source/markdown/podman-machine-stop.1.md +++ b/docs/source/markdown/podman-machine-stop.1.md @@ -10,9 +10,12 @@ podman\-machine\-stop - Stop a virtual machine Stops a virtual machine. -Podman on macOS requires a virtual machine. This is because containers are Linux - +Rootless only. + +Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux - containers do not run on any other OS because containers' core functionality are -tied to the Linux kernel. +tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines, +but can be optionally used on Linux. **podman machine stop** stops a Linux virtual machine where containers are run. diff --git a/docs/source/markdown/podman-machine.1.md b/docs/source/markdown/podman-machine.1.md index e9f6c7d20..6197b8d4e 100644 --- a/docs/source/markdown/podman-machine.1.md +++ b/docs/source/markdown/podman-machine.1.md @@ -7,12 +7,20 @@ podman\-machine - Manage Podman's virtual machine **podman machine** *subcommand* ## DESCRIPTION -`podman machine` is a set of subcommands that manage Podman's virtual machine on macOS. +`podman machine` is a set of subcommands that manage Podman's virtual machine. + +Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux - +containers do not run on any other OS because containers' core functionality are +tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines, +but can be optionally used on Linux. + +All `podman machine` commands are rootless only. ## SUBCOMMANDS | Command | Man Page | Description | |---------|------------------------------------------------------|-----------------------------------| +| info | [podman-machine-info(1)](podman-machine-info.1.md) | Display machine host info | | init | [podman-machine-init(1)](podman-machine-init.1.md) | Initialize a new virtual machine | | inspect | [podman-machine-inspect(1)](podman-machine-inspect.1.md) | Inspect one or more virtual machines | | list | [podman-machine-list(1)](podman-machine-list.1.md) | List virtual machines | @@ -23,7 +31,7 @@ podman\-machine - Manage Podman's virtual machine | stop | [podman-machine-stop(1)](podman-machine-stop.1.md) | Stop a virtual machine | ## SEE ALSO -**[podman(1)](podman.1.md)**, **[podman-machine-init(1)](podman-machine-init.1.md)**, **[podman-machine-list(1)](podman-machine-list.1.md)**, **[podman-machine-rm(1)](podman-machine-rm.1.md)**, **[podman-machine-ssh(1)](podman-machine-ssh.1.md)**, **[podman-machine-start(1)](podman-machine-start.1.md)**, **[podman-machine-stop(1)](podman-machine-stop.1.md)**, **[podman-machine-inspect(1)](podman-machine-inspect.1.md)** +**[podman(1)](podman.1.md)**, **[podman-machine-info(1)](podman-machine-info.1.md)**, **[podman-machine-init(1)](podman-machine-init.1.md)**, **[podman-machine-list(1)](podman-machine-list.1.md)**, **[podman-machine-rm(1)](podman-machine-rm.1.md)**, **[podman-machine-ssh(1)](podman-machine-ssh.1.md)**, **[podman-machine-start(1)](podman-machine-start.1.md)**, **[podman-machine-stop(1)](podman-machine-stop.1.md)**, **[podman-machine-inspect(1)](podman-machine-inspect.1.md)** ## HISTORY March 2021, Originally compiled by Ashley Cui <acui@redhat.com> diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md index 0cdb6fe88..1d89b12e3 100644 --- a/docs/source/markdown/podman-network-create.1.md +++ b/docs/source/markdown/podman-network-create.1.md @@ -4,7 +4,7 @@ podman\-network-create - Create a Podman network ## SYNOPSIS -**podman network create** [*options*] name +**podman network create** [*options*] [*name*] ## DESCRIPTION Create a CNI-network configuration for use with Podman. By default, Podman creates a bridge connection. diff --git a/docs/source/markdown/podman-network-ls.1.md b/docs/source/markdown/podman-network-ls.1.md index b341083f9..3c696d404 100644 --- a/docs/source/markdown/podman-network-ls.1.md +++ b/docs/source/markdown/podman-network-ls.1.md @@ -25,6 +25,7 @@ Supported filters: | label | Filter by network with (or without, in the case of label!=[...] is used) the specified labels. | | name | Filter by network name (accepts `regex`). | | until | Filter by networks created before given timestamp. | +| dangling | Filter by networks with no containers attached. | The `driver` filter accepts values: `bridge`, `macvlan`, `ipvlan`. @@ -33,6 +34,8 @@ The `label` *filter* accepts two formats. One is the `label`=*key* or `label`=*k The `until` *filter* can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the machine’s time. +The `dangling` *filter* accepts values `true` or `false`. + #### **--format**=*format* Change the default output format. This can be of a supported type like 'json' diff --git a/docs/source/markdown/podman-play-kube.1.md b/docs/source/markdown/podman-play-kube.1.md index 5c4bdc8c4..92cb694b0 100644 --- a/docs/source/markdown/podman-play-kube.1.md +++ b/docs/source/markdown/podman-play-kube.1.md @@ -20,7 +20,7 @@ Currently, the supported Kubernetes kinds are: `Kubernetes Pods or Deployments` -Only two volume types are supported by play kube, the *hostPath* and *persistentVolumeClaim* volume types. For the *hostPath* volume type, only the *default (empty)*, *DirectoryOrCreate*, *Directory*, *FileOrCreate*, *File*, and *Socket* subtypes are supported. The *CharDevice* and *BlockDevice* subtypes are not supported. Podman interprets the value of *hostPath* *path* as a file path when it contains at least one forward slash, otherwise Podman treats the value as the name of a named volume. When using a *persistentVolumeClaim*, the value for *claimName* is the name for the Podman named volume. +Only two volume types are supported by play kube, the *hostPath* and *persistentVolumeClaim* volume types. For the *hostPath* volume type, only the *default (empty)*, *DirectoryOrCreate*, *Directory*, *FileOrCreate*, *File*, *Socket*, *CharDevice* and *BlockDevice* subtypes are supported. Podman interprets the value of *hostPath* *path* as a file path when it contains at least one forward slash, otherwise Podman treats the value as the name of a named volume. When using a *persistentVolumeClaim*, the value for *claimName* is the name for the Podman named volume. Note: When playing a kube YAML with init containers, the init container will be created with init type value `always`. @@ -103,6 +103,19 @@ spec: and as a result environment variable `FOO` will be set to `bar` for container `container-1`. +### Systemd Integration + +A Kubernetes YAML can be executed in systemd via the `podman-kube@.service` systemd template. The template's argument is the path to the YAML file. Given a `workload.yaml` file in the home directory, it can be executed as follows: + +``` +$ escaped=$(systemd-escape ~/sysadmin.yaml) +$ systemctl --user start podman-kube@$escaped.service +$ systemctl --user is-active podman-kube@$escaped.service +active +``` + +Note that the path to the YAML file must be escaped via `systemd-escape`. + ## OPTIONS #### **--annotation**=*key=value* @@ -276,9 +289,9 @@ Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinat **host**: create a new namespace for the container. -**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user. +**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user. -**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user. +**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user. **ns:**_namespace_: run the pod in the given existing user namespace. diff --git a/docs/source/markdown/podman-pod-clone.1.md b/docs/source/markdown/podman-pod-clone.1.md new file mode 100644 index 000000000..d90d1efb9 --- /dev/null +++ b/docs/source/markdown/podman-pod-clone.1.md @@ -0,0 +1,443 @@ +% podman-pod-clone(1) + +## NAME +podman\-pod\-clone - Creates a copy of an existing pod + +## SYNOPSIS +**podman pod clone** [*options*] *pod* *name* + +## DESCRIPTION +**podman pod clone** creates a copy of a pod, recreating the identical config for the pod and for all of its containers. Users can modify the pods new name and select pod details within the infra container + +## OPTIONS + +#### **--cgroup-parent**=*path* + +Path to cgroups under which the cgroup for the pod will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. + +#### **--cpus** + +Set a number of CPUs for the pod that overrides the original pods CPU limits. If none are specified, the original pod's Nano CPUs are used. + +#### **--cpuset-cpus** + +CPUs in which to allow execution (0-3, 0,1). If none are specified, the original pod's CPUset is used. + +#### **--destroy** + +Remove the original pod that we are cloning once used to mimic the configuration. + +#### **--device**=_host-device_[**:**_container-device_][**:**_permissions_] + +Add a host device to the pod. Optional *permissions* parameter +can be used to specify device permissions. It is a combination of +**r** for read, **w** for write, and **m** for **mknod**(2). + +Example: **--device=/dev/sdc:/dev/xvdc:rwm**. + +Note: if _host_device_ is a symbolic link then it will be resolved first. +The pod will only store the major and minor numbers of the host device. + +Note: the pod implements devices by storing the initial configuration passed by the user and recreating the device on each container added to the pod. + +Podman may load kernel modules required for using the specified +device. The devices that Podman will load modules for when necessary are: +/dev/fuse. + +#### **--device-read-bps**=*path* + +Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb). + +#### **--gidmap**=*pod_gid:host_gid:amount* + +GID map for the user namespace. Using this flag will run all containers in the pod with user namespace enabled. It conflicts with the `--userns` and `--subgidname` flags. + +#### **--help**, **-h** + +Print usage statement. + +#### **--hostname**=name + +Set a hostname to the pod. + +#### **--infra-command**=*command* + +The command that will be run to start the infra container. Default: "/pause". + +#### **--infra-conmon-pidfile**=*file* + +Write the pid of the infra container's **conmon** process to a file. As **conmon** runs in a separate process than Podman, this is necessary when using systemd to manage Podman containers and pods. + +#### **--infra-name**=*name* + +The name that will be used for the pod's infra container. + +#### **--label**=*label*, **-l** + +Add metadata to a pod (e.g., --label com.example.key=value). + +#### **--label-file**=*label* + +Read in a line delimited file of labels. + +#### **--memory**, **-m**=*limit* + +Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) + +Constrains the memory available to a container. If the host +supports swap memory, then the **-m** memory setting can be larger than physical +RAM. If a limit of 0 is specified (not using **-m**), the container's memory is +not limited. The actual limit may be rounded up to a multiple of the operating +system's page size (the value would be very large, that's millions of trillions). + +#### **--name**, **-n** + +Set a custom name for the cloned pod. The default if not specified is of the syntax: **<ORIGINAL_NAME>-clone** + +#### **--pid**=*pid* + +Set the PID mode for the pod. The default is to create a private PID namespace for the pod. Requires the PID namespace to be shared via --share. + + host: use the host’s PID namespace for the pod + ns: join the specified PID namespace + private: create a new namespace for the pod (default) + +#### **--security-opt**=*option* + +Security Options + +- `apparmor=unconfined` : Turn off apparmor confinement for the pod +- `apparmor=your-profile` : Set the apparmor confinement profile for the pod + +- `label=user:USER` : Set the label user for the pod processes +- `label=role:ROLE` : Set the label role for the pod processes +- `label=type:TYPE` : Set the label process type for the pod processes +- `label=level:LEVEL` : Set the label level for the pod processes +- `label=filetype:TYPE` : Set the label file type for the pod files +- `label=disable` : Turn off label separation for the pod + +Note: Labeling can be disabled for all pods/containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. + +- `mask=/path/1:/path/2` : The paths to mask separated by a colon. A masked path + cannot be accessed inside the containers within the pod. + +- `no-new-privileges` : Disable container processes from gaining additional privileges. + +- `seccomp=unconfined` : Turn off seccomp confinement for the pod +- `seccomp=profile.json` : Whitelisted syscalls seccomp Json file to be used as a seccomp filter + +- `proc-opts=OPTIONS` : Comma-separated list of options to use for the /proc mount. More details for the + possible mount options are specified in the **proc(5)** man page. + +- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read-only by default. + The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read-only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. + +Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. + +#### **--shm-size**=*size* + +Size of `/dev/shm` (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) +If the unit is omitted, the system uses bytes. If the size is omitted, the system uses `64m`. +When size is `0`, there is no limit on the amount of memory used for IPC by the pod. This option conflicts with **--ipc=host** when running containers. + +#### **--start** + +When set to true, this flag starts the newly created pod after the +clone process has completed. All containers within the pod are started. + +#### **--subgidname**=*name* + +Name for GID map from the `/etc/subgid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--gidmap`. + +#### **--subuidname**=*name* + +Name for UID map from the `/etc/subuid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--uidmap`. + +#### **--sysctl**=_name_=_value_ + +Configure namespace kernel parameters for all containers in the new pod. + +For the IPC namespace, the following sysctls are allowed: + +- kernel.msgmax +- kernel.msgmnb +- kernel.msgmni +- kernel.sem +- kernel.shmall +- kernel.shmmax +- kernel.shmmni +- kernel.shm_rmid_forced +- Sysctls beginning with fs.mqueue.\* + +Note: if the ipc namespace is not shared within the pod, these sysctls are not allowed. + +For the network namespace, only sysctls beginning with net.\* are allowed. + +Note: if the network namespace is not shared within the pod, these sysctls are not allowed. + +#### **--uidmap**=*container_uid*:*from_uid*:*amount* + +Run all containers in the pod in a new user namespace using the supplied mapping. This +option conflicts with the **--userns** and **--subuidname** options. This +option provides a way to map host UIDs to container UIDs. It can be passed +several times to map different ranges. + +#### **--userns**=*mode* + +Set the user namespace mode for all the containers in a pod. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled. + +Rootless user --userns=Key mappings: + +Key | Host User | Container User +----------|---------------|--------------------- +"" |$UID |0 (Default User account mapped to root user in container.) +keep-id |$UID |$UID (Map user account to same UID within container.) +auto |$UID | nil (Host User UID is not mapped into container.) +nomap |$UID | nil (Host User UID is not mapped into container.) + +Valid _mode_ values are: + + - *auto[:*_OPTIONS,..._*]*: automatically create a namespace. It is possible to specify these options to `auto`: + + - *gidmapping=*_CONTAINER_GID:HOST_GID:SIZE_ to force a GID mapping to be present in the user namespace. + + - *size=*_SIZE_: to specify an explicit size for the automatic user namespace. e.g. `--userns=auto:size=8192`. If `size` is not specified, `auto` will estimate a size for the user namespace. + + - *uidmapping=*_CONTAINER_UID:HOST_UID:SIZE_ to force a UID mapping to be present in the user namespace. + + - *host*: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default). + + - *keep-id*: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user. + + - *nomap*: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user. + +#### **--uts**=*mode* + +Set the UTS namespace mode for the pod. The following values are supported: + +- **host**: use the host's UTS namespace inside the pod. +- **private**: create a new namespace for the pod (default). +- **ns:[path]**: run the pod in the given existing UTS namespace. + + +#### **--volume**, **-v**[=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*] + +Create a bind mount. If ` -v /HOST-DIR:/CONTAINER-DIR` is specified, Podman +bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman +container. Similarly, `-v SOURCE-VOLUME:/CONTAINER-DIR` will mount the volume +in the host to the container. If no such named volume exists, Podman will +create one. The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.) + +The _options_ is a comma-separated list and can be: + +* **rw**|**ro** +* **z**|**Z** +* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable** +* [**r**]**bind** +* [**no**]**exec** +* [**no**]**dev** +* [**no**]**suid** +* [**O**] +* [**U**] + +The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume +will be mounted into the container at this directory. + +Volumes may specify a source as well, as either a directory on the host +or the name of a named volume. If no source is given, the volume will be created as an +anonymously named volume with a randomly generated name, and will be removed when +the pod is removed via the `--rm` flag or `podman rm --volumes` commands. + +If a volume source is specified, it must be a path on the host or the name of a +named volume. Host paths are allowed to be absolute or relative; relative paths +are resolved relative to the directory Podman is run in. If the source does not +exist, Podman will return an error. Users must pre-create the source files or +directories. + +Any source that does not begin with a `.` or `/` will be treated as the name of +a named volume. If a volume with that name does not exist, it will be created. +Volumes created with names are not anonymous, and they are not removed by the `--rm` +option and the `podman rm --volumes` command. + +Specify multiple **-v** options to mount one or more volumes into a +pod. + + `Write Protected Volume Mounts` + +Add `:ro` or `:rw` suffix to a volume to mount it read-only or +read-write mode, respectively. By default, the volumes are mounted read-write. +See examples. + + `Chowning Volume Mounts` + +By default, Podman does not change the owner and group of source volume +directories mounted into containers. If a pod is created in a new user +namespace, the UID and GID in the container may correspond to another UID and +GID on the host. + +The `:U` suffix tells Podman to use the correct host UID and GID based on the +UID and GID within the pod, to change recursively the owner and group of +the source volume. + +**Warning** use with caution since this will modify the host filesystem. + + `Labeling Volume Mounts` + +Labeling systems like SELinux require that proper labels are placed on volume +content mounted into a pod. Without a label, the security system might +prevent the processes running inside the pod from using the content. By +default, Podman does not change the labels set by the OS. + +To change a label in the pod context, add either of two suffixes +`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file +objects on the shared volumes. The `z` option tells Podman that two pods +share the volume content. As a result, Podman labels the content with a shared +content label. Shared volume labels allow all containers to read/write content. +The `Z` option tells Podman to label the content with a private unshared label. +Only the current pod can use a private volume. + + `Overlay Volume Mounts` + + The `:O` flag tells Podman to mount the directory from the host as a +temporary storage using the `overlay file system`. The pod processes +can modify content within the mountpoint which is stored in the +container storage in a separate directory. In overlay terms, the source +directory will be the lower, and the container storage directory will be the +upper. Modifications to the mount point are destroyed when the pod +finishes executing, similar to a tmpfs mount point being unmounted. + + Subsequent executions of the container will see the original source directory +content, any changes from previous pod executions no longer exist. + + One use case of the overlay mount is sharing the package cache from the +host into the container to allow speeding up builds. + + Note: + + - The `O` flag conflicts with other options listed above. +Content mounted into the container is labeled with the private label. + On SELinux systems, labels in the source directory must be readable +by the infra container label. Usually containers can read/execute `container_share_t` +and can read/write `container_file_t`. If unable to change the labels on a +source volume, SELinux container separation must be disabled for the infra container/pod +to work. + - The source directory mounted into the pod with an overlay mount +should not be modified, it can cause unexpected failures. It is recommended +to not modify the directory until the container finishes running. + + `Mounts propagation` + +By default bind mounted volumes are `private`. That means any mounts done +inside pod will not be visible on host and vice versa. One can change +this behavior by specifying a volume mount propagation property. Making a +volume `shared` mounts done under that volume inside pod will be +visible on host and vice versa. Making a volume `slave` enables only one +way mount propagation and that is mounts done on host under that volume +will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup> + +To control mount propagation property of a volume one can use the [**r**]**shared**, +[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag. +Propagation property can be specified only for bind mounted volumes and not for +internal volumes or named volumes. For mount propagation to work the source mount +point (the mount point where source dir is mounted on) has to have the right propagation +properties. For shared volumes, the source mount point has to be shared. And for +slave volumes, the source mount point has to be either shared or slave. +<sup>[[1]](#Footnote1)</sup> + +To recursively mount a volume and all of its submounts into a +pod, use the `rbind` option. By default the bind option is +used, and submounts of the source directory will not be mounted into the +pod. + +Mounting the volume with the `nosuid` options means that SUID applications on +the volume will not be able to change their privilege. By default volumes +are mounted with `nosuid`. + +Mounting the volume with the noexec option means that no executables on the +volume will be able to executed within the pod. + +Mounting the volume with the nodev option means that no devices on the volume +will be able to be used by processes within the pod. By default volumes +are mounted with `nodev`. + +If the `<source-dir>` is a mount point, then "dev", "suid", and "exec" options are +ignored by the kernel. + +Use `df <source-dir>` to figure out the source mount and then use +`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation +properties of source mount. If `findmnt` utility is not available, then one +can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look +at `optional fields` and see if any propagation properties are specified. +`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if +nothing is there that means mount is `private`. <sup>[[1]](#Footnote1)</sup> + +To change propagation properties of a mount point use `mount` command. For +example, if one wants to bind mount source directory `/foo` one can do +`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This +will convert /foo into a `shared` mount point. Alternatively one can directly +change propagation properties of source mount. Say `/` is source mount for +`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount. + +Note: if the user only has access rights via a group, accessing the volume +from inside a rootless pod will fail. + +#### **--volumes-from**[=*CONTAINER*[:*OPTIONS*]] + +Mount volumes from the specified container(s). Used to share volumes between +containers and pods. The *options* is a comma-separated list with the following available elements: + +* **rw**|**ro** +* **z** + +Mounts already mounted volumes from a source container into another +pod. Must supply the source's container-id or container-name. +To share a volume, use the --volumes-from option when running +the target container. Volumes can be shared even if the source container +is not running. + +By default, Podman mounts the volumes in the same mode (read-write or +read-only) as it is mounted in the source container. +This can be changed by adding a `ro` or `rw` _option_. + +Labeling systems like SELinux require that proper labels are placed on volume +content mounted into a pod. Without a label, the security system might +prevent the processes running inside the container from using the content. By +default, Podman does not change the labels set by the OS. + +To change a label in the pod context, add `z` to the volume mount. +This suffix tells Podman to relabel file objects on the shared volumes. The `z` +option tells Podman that two entities share the volume content. As a result, +Podman labels the content with a shared content label. Shared volume labels allow +all containers to read/write content. + +If the location of the volume from the source container overlaps with +data residing on a target pod, then the volume hides +that data on the target. + + +## EXAMPLES +``` +# podman pod clone pod-name +6b2c73ff8a1982828c9ae2092954bcd59836a131960f7e05221af9df5939c584 +``` + +``` +# podman pod clone --name=cloned-pod +d0cf1f782e2ed67e8c0050ff92df865a039186237a4df24d7acba5b1fa8cc6e7 +6b2c73ff8a1982828c9ae2092954bcd59836a131960f7e05221af9df5939c584 +``` + +``` +# podman pod clone --destroy --cpus=5 d0cf1f782e2ed67e8c0050ff92df865a039186237a4df24d7acba5b1fa8cc6e7 +6b2c73ff8a1982828c9ae2092954bcd59836a131960f7e05221af9df5939c584 +``` + +``` +# podman pod clone 2d4d4fca7219b4437e0d74fcdc272c4f031426a6eacd207372691207079551de new_name +5a9b7851013d326aa4ac4565726765901b3ecc01fcbc0f237bc7fd95588a24f9 +``` +## SEE ALSO +**[podman-pod-create(1)](podman-pod-create.1.md)** + +## HISTORY +May 2022, Originally written by Charlie Doern <cdoern@redhat.com> diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index fa431b611..53d1e3327 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -4,14 +4,24 @@ podman\-pod\-create - Create a new pod ## SYNOPSIS -**podman pod create** [*options*] +**podman pod create** [*options*] [*name*] ## DESCRIPTION Creates an empty pod, or unit of multiple containers, and prepares it to have -containers added to it. The pod id is printed to STDOUT. You can then use -**podman create --pod `<pod_id|pod_name>` ...** to add containers to the pod, and -**podman pod start `<pod_id|pod_name>`** to start the pod. +containers added to it. The pod can be created with a specific name. If a name +is not given a random name is generated. The pod id is printed to STDOUT. You +can then use **podman create --pod `<pod_id|pod_name>` ...** to add containers +to the pod, and **podman pod start `<pod_id|pod_name>`** to start the pod. + +The operator can identify a pod in three ways: +UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) +UUID short identifier (“f78375b1c487”) +Name (“jonah”) + +podman generates a UUID for each pod, and if a name is not assigned +to the container with **--name** then a random string name will be generated +for it. The name is useful any place you need to identify a pod. ## OPTIONS @@ -154,6 +164,16 @@ according to RFC4862. To specify multiple static MAC addresses per pod, set multiple networks using the **--network** option with a static MAC address specified for each using the `mac` mode for that option. +#### **--memory**, **-m**=*limit* + +Memory limit (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) + +Constrains the memory available to a container. If the host +supports swap memory, then the **-m** memory setting can be larger than physical +RAM. If a limit of 0 is specified (not using **-m**), the container's memory is +not limited. The actual limit may be rounded up to a multiple of the operating +system's page size (the value would be very large, that's millions of trillions). + #### **--name**=*name*, **-n** @@ -217,16 +237,30 @@ Set the PID mode for the pod. The default is to create a private PID namespace f Write the pod ID to the file. -#### **--publish**=*port*, **-p** +#### **--publish**, **-p**=[[_ip_:][_hostPort_]:]_containerPort_[/_protocol_] -Publish a port or range of ports from the pod to the host. +Publish a container's port, or range of ports, within this pod to the host. -Format: `ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort` Both hostPort and containerPort can be specified as a range of ports. -When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. -Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT`. +When specifying ranges for both, the number of container ports in the +range must match the number of host ports in the range. + +If host IP is set to 0.0.0.0 or not set at all, the port will be bound on all IPs on the host. + +By default, Podman will publish TCP ports. To publish a UDP port instead, give +`udp` as protocol. To publish both TCP and UDP ports, set `--publish` twice, +with `tcp`, and `udp` as protocols respectively. Rootful containers can also +publish ports using the `sctp` protocol. + +Host port does not have to be specified (e.g. `podman run -p 127.0.0.1::80`). +If it is not, the container port will be randomly assigned a port on the host. + +Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINERPORT`. + +**Note:** You must not publish ports of containers in the pod individually, +but only by the pod itself. -NOTE: This cannot be modified once the pod is created. +**Note:** This cannot be modified once the pod is created. #### **--replace** @@ -259,23 +293,14 @@ Note: Labeling can be disabled for all pods/containers by setting label=false in - `proc-opts=OPTIONS` : Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the **proc(5)** man page. -- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read only by default. - The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. +- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read-only by default. + The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.** The default paths that are read-only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**. Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. #### **--share**=*namespace* -A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are cgroup, ipc, net, pid, uts. - -The operator can identify a pod in three ways: -UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) -UUID short identifier (“f78375b1c487”) -Name (“jonah”) - -podman generates a UUID for each pod, and if a name is not assigned -to the container with **--name** then a random string name will be generated -for it. The name is useful any place you need to identify a pod. +A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are cgroup, ipc, net, pid, uts. If the option is prefixed with a "+" then the namespace is appended to the default list, otherwise it replaces the default list. Defaults matches Kubernetes default (ipc, net, uts) #### **--share-parent** @@ -283,6 +308,12 @@ This boolean determines whether or not all containers entering the pod will use Note: This options conflict with **--share=cgroup** since that would set the pod as the cgroup parent but enter the container into the same cgroupNS as the infra container. +#### **--shm-size**=*size* + +Size of `/dev/shm` (format: `<number>[<unit>]`, where unit = b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes)) +If the unit is omitted, the system uses bytes. If the size is omitted, the system uses `64m`. +When size is `0`, there is no limit on the amount of memory used for IPC by the pod. This option conflicts with **--ipc=host** when running containers. + #### **--subgidname**=*name* Name for GID map from the `/etc/subgid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--gidmap`. @@ -291,6 +322,7 @@ Name for GID map from the `/etc/subgid` file. Using this flag will run the conta Name for UID map from the `/etc/subuid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--uidmap`. + #### **--sysctl**=_name_=_value_ Configure namespace kernel parameters for all containers in the pod. @@ -345,9 +377,17 @@ Valid _mode_ values are: - *host*: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default). - - *keep-id*: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user. + - *keep-id*: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user. - - *nomap*: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user. + - *nomap*: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user. + +#### **--uts**=*mode* + +Set the UTS namespace mode for the pod. The following values are supported: + +- **host**: use the host's UTS namespace inside the pod. +- **private**: create a new namespace for the pod (default). +- **ns:[path]**: run the pod in the given existing UTS namespace. #### **--volume**, **-v**[=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*] @@ -466,12 +506,10 @@ will be visible inside container but not the other way around. <sup>[[1]](#Footn To control mount propagation property of a volume one can use the [**r**]**shared**, [**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag. -Propagation property can be specified only for bind mounted volumes and not for -internal volumes or named volumes. For mount propagation to work the source mount -point (the mount point where source dir is mounted on) has to have the right propagation -properties. For shared volumes, the source mount point has to be shared. And for -slave volumes, the source mount point has to be either shared or slave. -<sup>[[1]](#Footnote1)</sup> +For mount propagation to work the source mount point (the mount point where source dir +is mounted on) has to have the right propagation properties. For shared volumes, the +source mount point has to be shared. And for slave volumes, the source mount point +has to be either shared or slave. <sup>[[1]](#Footnote1)</sup> If you want to recursively mount a volume and all of its submounts into a pod, then you can use the `rbind` option. By default the bind option is @@ -549,9 +587,11 @@ that data on the target. ``` $ podman pod create --name test +$ podman pod create mypod + $ podman pod create --infra=false -$ podman pod create --infra-command /top +$ podman pod create --infra-command /top toppod $ podman pod create --publish 8443:443 diff --git a/docs/source/markdown/podman-pod.1.md b/docs/source/markdown/podman-pod.1.md index 71e4dcb59..c38235e89 100644 --- a/docs/source/markdown/podman-pod.1.md +++ b/docs/source/markdown/podman-pod.1.md @@ -13,6 +13,7 @@ podman pod is a set of subcommands that manage pods, or groups of containers. | Command | Man Page | Description | | ------- | ------------------------------------------------- | --------------------------------------------------------------------------------- | +| clone | [podman-pod-clone(1)](podman-pod-clone.1.md) | Creates a copy of an existing pod. | | create | [podman-pod-create(1)](podman-pod-create.1.md) | Create a new pod. | | exists | [podman-pod-exists(1)](podman-pod-exists.1.md) | Check if a pod exists in local storage. | | inspect | [podman-pod-inspect(1)](podman-pod-inspect.1.md) | Displays information describing a pod. | diff --git a/docs/source/markdown/podman-port.1.md b/docs/source/markdown/podman-port.1.md index a72fc12bf..ebfeeccd7 100644 --- a/docs/source/markdown/podman-port.1.md +++ b/docs/source/markdown/podman-port.1.md @@ -9,7 +9,7 @@ podman\-port - List port mappings for a container **podman container port** [*options*] *container* [*private-port*[/*proto*]] ## DESCRIPTION -List port mappings for the *container* or lookup the public-facing port that is NAT-ed to the *private-port*. +List port mappings for the *container* or look up the public-facing port that is NAT-ed to the *private-port*. ## OPTIONS diff --git a/docs/source/markdown/podman-push.1.md b/docs/source/markdown/podman-push.1.md index 74555c11b..25c1e024a 100644 --- a/docs/source/markdown/podman-push.1.md +++ b/docs/source/markdown/podman-push.1.md @@ -95,7 +95,7 @@ When writing the output image, suppress progress output #### **--remove-signatures** -Discard any pre-existing signatures in the image. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +Discard any pre-existing signatures in the image. #### **--sign-by**=*key* diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index a16ee9394..84e93efbe 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -385,7 +385,7 @@ You need to specify multi option commands in the form of a json string. Set environment variables. -This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. If an environment variable ending in __*__ is specified, Podman will search the host environment for variables starting with the prefix and will add those variables to the container. If an environment variable with a trailing __*__ is specified, then a value must be supplied. +This option allows arbitrary environment variables that are available for the process to be launched inside of the container. If an environment variable is specified without a value, Podman will check the host environment for a value and set the variable only if it is set on the host. As a special case, if an environment variable ending in __*__ is specified without a value, Podman will search the host environment for variables starting with the prefix and will add those variables to the container. See [**Environment**](#environment) note below for precedence and examples. @@ -597,7 +597,7 @@ To specify multiple static MAC addresses per container, set multiple networks us #### **--memory**, **-m**=_number_[_unit_] -Memory limit. A _unit_ can be **b** (bytes), **k** (kilobytes), **m** (megabytes), or **g** (gigabytes). +Memory limit. A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes). Allows you to constrain the memory available to a container. If the host supports swap memory, then the **-m** memory setting can be larger than physical @@ -607,7 +607,7 @@ system's page size (the value would be very large, that's millions of trillions) #### **--memory-reservation**=_number_[_unit_] -Memory soft limit. A _unit_ can be **b** (bytes), **k** (kilobytes), **m** (megabytes), or **g** (gigabytes). +Memory soft limit. A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes). After setting memory reservation, when the system detects memory contention or low memory, containers are forced to restrict their consumption to their @@ -618,7 +618,7 @@ as memory limit. #### **--memory-swap**=_number_[_unit_] A limit value equal to memory plus swap. -A _unit_ can be **b** (bytes), **k** (kilobytes), **m** (megabytes), or **g** (gigabytes). +A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes). Must be used with the **-m** (**--memory**) flag. The argument value should always be larger than that of @@ -679,7 +679,7 @@ Current supported mount TYPEs are **bind**, **volume**, **image**, **tmpfs** and · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2). - . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive. + . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive. . relabel: shared, private. @@ -864,22 +864,27 @@ points, Apparmor/SELinux separation, and Seccomp filters are all disabled. Rootless containers cannot have more privileges than the account that launched them. -#### **--publish**, **-p**=_ip_:_hostPort_:_containerPort_ | _ip_::_containerPort_ | _hostPort_:_containerPort_ | _containerPort_ +#### **--publish**, **-p**=[[_ip_:][_hostPort_]:]_containerPort_[/_protocol_] Publish a container's port, or range of ports, to the host. Both hostPort and containerPort can be specified as a range of ports. - -When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. +When specifying ranges for both, the number of container ports in the +range must match the number of host ports in the range. If host IP is set to 0.0.0.0 or not set at all, the port will be bound on all IPs on the host. +By default, Podman will publish TCP ports. To publish a UDP port instead, give +`udp` as protocol. To publish both TCP and UDP ports, set `--publish` twice, +with `tcp`, and `udp` as protocols respectively. Rootful containers can also +publish ports using the `sctp` protocol. + Host port does not have to be specified (e.g. `podman run -p 127.0.0.1::80`). If it is not, the container port will be randomly assigned a port on the host. -Use **podman port** to see the actual mapping: **podman port $CONTAINER $CONTAINERPORT**. +Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINERPORT`. -**Note:** if a container will be run within a pod, it is not necessary to publish the port for +**Note:** If a container will be run within a pod, it is not necessary to publish the port for the containers in the pod. The port must only be published by the pod itself. Pod network stacks act like the network stack on the host - you have a variety of containers in the pod, and programs in the container, all sharing a single interface and IP address, and @@ -900,13 +905,14 @@ When using this option, Podman will bind any exposed port to a random port on th within an ephemeral port range defined by */proc/sys/net/ipv4/ip_local_port_range*. To find the mapping between the host ports and the exposed ports, use **podman port**. -#### **--pull**=**always**|**missing**|**never** +#### **--pull**=**always**|**missing**|**never**|**newer** -Pull image before running. The default is **missing**. +Pull image policy. The default is **missing**. -- **missing**: attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist.Raise an error if the image is not in any listed registry and is not present locally. -- **always**: Pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. -- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally. +- **always**: Always pull the image and throw an error if the pull fails. +- **missing**: Pull the image only if it could not be found in the local containers storage. Throw an error if no image could be found and the pull fails. +- **never**: Never pull the image but use the one from the local containers storage. Throw an error if no image could be found. +- **newer**: Pull if the image on the registry is newer than the one in the local containers storage. An image is considered to be newer when the digests are different. Comparing the time stamps is prone to errors. Pull errors are suppressed if a local image was found. #### **--quiet**, **-q** @@ -914,11 +920,11 @@ Suppress output information when pulling images #### **--read-only** -Mount the container's root filesystem as read only. +Mount the container's root filesystem as read-only. By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the **--read-only** flag, the container will have -its root filesystem mounted as read only prohibiting any writes. +its root filesystem mounted as read-only prohibiting any writes. #### **--read-only-tmpfs** @@ -1046,14 +1052,14 @@ Note: Labeling can be disabled for all containers by setting label=false in the - **proc-opts**=_OPTIONS_ : Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the **proc(5)** man page. -- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read only by default. - The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.**. The default paths that are read only are **/proc/asound**, **/proc/bus**, **/proc/fs**, **/proc/irq**, **/proc/sys**, **/proc/sysrq-trigger**, **/sys/fs/cgroup**. +- **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read-only by default. + The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.**. The default paths that are read-only are **/proc/asound**, **/proc/bus**, **/proc/fs**, **/proc/irq**, **/proc/sys**, **/proc/sysrq-trigger**, **/sys/fs/cgroup**. Note: Labeling can be disabled for all containers by setting **label=false** in the **containers.conf**(5) file. #### **--shm-size**=_number_[_unit_] -Size of _/dev/shm_. A _unit_ can be **b** (bytes), **k** (kilobytes), **m** (megabytes), or **g** (gigabytes). +Size of _/dev/shm_. A _unit_ can be **b** (bytes), **k** (kibibytes), **m** (mebibytes), or **g** (gibibytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the default is **64m**. When _size_ is **0**, there is no limit on the amount of memory used for IPC by the container. @@ -1324,9 +1330,9 @@ The rootless option `--userns=keep-id` uses all the subuids and subgids of the u **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default). -**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user. +**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user. -**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is ignored for containers created by the root user. +**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user. **ns:**_namespace_: run the container in the given existing user namespace. @@ -1357,13 +1363,14 @@ The _options_ is a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> * **rw**|**ro** * **z**|**Z** -* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable** -* [**r**]**bind** -* [**no**]**exec** -* [**no**]**dev** -* [**no**]**suid** * [**O**] * [**U**] +* [**no**]**copy** +* [**no**]**dev** +* [**no**]**exec** +* [**no**]**suid** +* [**r**]**bind** +* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable** The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume will be mounted into the container at this directory. @@ -1473,14 +1480,12 @@ visible on host and vice versa. Making a volume **slave** enables only one way mount propagation and that is mounts done on host under that volume will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup> -To control mount propagation property of volume one can use [**r**]**shared**, -[**r**]**slave**, [**r**]**private** or [**r**]**unbindable** propagation flag. -Propagation property can be specified only for bind mounted volumes and not for -internal volumes or named volumes. For mount propagation to work source mount -point (mount point where source dir is mounted on) has to have right propagation -properties. For shared volumes, source mount point has to be shared. And for -slave volumes, source mount has to be either shared or slave. -<sup>[[1]](#Footnote1)</sup> +To control mount propagation property of a volume one can use the [**r**]**shared**, +[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag. +For mount propagation to work the source mount point (the mount point where source dir +is mounted on) has to have the right propagation properties. For shared volumes, the +source mount point has to be shared. And for slave volumes, the source mount point +has to be either shared or slave. <sup>[[1]](#Footnote1)</sup> If you want to recursively mount a volume and all of its submounts into a container, then you can use the **rbind** option. By default the bind option is @@ -1599,7 +1604,7 @@ content. Installing packages into _/usr_, for example. In production, applications seldom need to write to the image. Container applications write to volumes if they need to write to file systems at all. Applications can be made more secure by running them in read-only mode using the **--read-only** switch. -This protects the containers image from modification. Read only containers may +This protects the containers image from modification. Read-only containers may still need to write temporary data. The best way to handle this is to mount tmpfs directories on _/run_ and _/tmp_. @@ -1880,7 +1885,7 @@ $ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello Podman allows for the configuration of storage by changing the values in the _/etc/container/storage.conf_ or by using global options. This -shows how to setup and use fuse-overlayfs for a one time run of busybox +shows how to set up and use fuse-overlayfs for a one time run of busybox using global options. ``` @@ -1979,15 +1984,15 @@ in the following order of precedence (later entries override earlier entries): - **--env-file**: Any environment variables specified via env-files. If multiple files specified, then they override each other in order of entry. - **--env**: Any environment variables specified will override previous settings. -Run containers and set the environment ending with a __*__ and a __*****__: +Run containers and set the environment ending with a __*__. +The trailing __*__ glob functionality is only active when no value is specified: ``` $ export ENV1=a -$ podman run --env ENV* alpine printenv ENV1 -a - -$ podman run --env ENV*****=b alpine printenv ENV***** -b +$ podman run --env 'ENV*' alpine env | grep ENV +ENV1=a +$ podman run --env 'ENV*=b' alpine env | grep ENV +ENV*=b ``` ## CONMON diff --git a/docs/source/markdown/podman-system-prune.1.md b/docs/source/markdown/podman-system-prune.1.md index fb9ed44d6..c4c17fbe5 100644 --- a/docs/source/markdown/podman-system-prune.1.md +++ b/docs/source/markdown/podman-system-prune.1.md @@ -1,13 +1,13 @@ % podman-system-prune(1) ## NAME -podman\-system\-prune - Remove all unused pod, container, image and volume data +podman\-system\-prune - Remove all unused pods, containers, images, networks, and volume data ## SYNOPSIS **podman system prune** [*options*] ## DESCRIPTION -**podman system prune** removes all unused containers (both dangling and unreferenced), pods and optionally, volumes from local storage. +**podman system prune** removes all unused containers (both dangling and unreferenced), pods, networks, and optionally, volumes from local storage. With the **--all** option, you can delete all unused images. Unused images are dangling images as well as any image that does not have any containers based on it. @@ -16,7 +16,7 @@ By default, volumes are not removed to prevent important data from being deleted ## OPTIONS #### **--all**, **-a** -Recursively remove all unused pod, container, image and volume data (Maximum 50 iterations.) +Recursively remove all unused pods, containers, images, networks, and volume data. (Maximum 50 iterations.) #### **--filter**=*filters* diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md index 176d73eda..99fde8ce4 100644 --- a/docs/source/markdown/podman-system-service.1.md +++ b/docs/source/markdown/podman-system-service.1.md @@ -21,6 +21,10 @@ The REST API provided by **podman system service** is split into two parts: a co Documentation for the latter is available at *https://docs.podman.io/en/latest/_static/api.html*. Both APIs are versioned, but the server will not reject requests with an unsupported version set. +Please note that the API grants full access to Podman's capabilities, and as such should be treated as allowing arbitrary code execution as the user running the API. +As such, we strongly recommend against making the API socket available via the network. +The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API. + Note: The default systemd unit files (system and user) change the log-level option to *info* from *error*. This change provides additional information on each API call. ## OPTIONS diff --git a/docs/source/markdown/podman-system.1.md b/docs/source/markdown/podman-system.1.md index ae18aca88..7469eb79d 100644 --- a/docs/source/markdown/podman-system.1.md +++ b/docs/source/markdown/podman-system.1.md @@ -11,16 +11,16 @@ The system command allows you to manage the podman systems ## COMMANDS -| Command | Man Page | Description | -| ------- | ------------------------------------------------------------ | -------------------------------------------------------------------- | -| connection | [podman-system-connection(1)](podman-system-connection.1.md) | Manage the destination(s) for Podman service(s) | -| df | [podman-system-df(1)](podman-system-df.1.md) | Show podman disk usage. | -| info | [podman-system-info(1)](podman-info.1.md) | Displays Podman related system information. | -| migrate | [podman-system-migrate(1)](podman-system-migrate.1.md) | Migrate existing containers to a new podman version. | -| prune | [podman-system-prune(1)](podman-system-prune.1.md) | Remove all unused pod, container, image and volume data. | -| renumber | [podman-system-renumber(1)](podman-system-renumber.1.md) | Migrate lock numbers to handle a change in maximum number of locks. | -| reset | [podman-system-reset(1)](podman-system-reset.1.md) | Reset storage back to initial state. | -| service | [podman-system-service(1)](podman-system-service.1.md) | Run an API service | +| Command | Man Page | Description | +| ------- | ------------------------------------------------------------ | ------------------------------------------------------------------------ | +| connection | [podman-system-connection(1)](podman-system-connection.1.md) | Manage the destination(s) for Podman service(s) | +| df | [podman-system-df(1)](podman-system-df.1.md) | Show podman disk usage. | +| info | [podman-system-info(1)](podman-info.1.md) | Displays Podman related system information. | +| migrate | [podman-system-migrate(1)](podman-system-migrate.1.md) | Migrate existing containers to a new podman version. | +| prune | [podman-system-prune(1)](podman-system-prune.1.md) | Remove all unused pods, containers, images, networks, and volume data. | +| renumber | [podman-system-renumber(1)](podman-system-renumber.1.md) | Migrate lock numbers to handle a change in maximum number of locks. | +| reset | [podman-system-reset(1)](podman-system-reset.1.md) | Reset storage back to initial state. | +| service | [podman-system-service(1)](podman-system-service.1.md) | Run an API service | ## SEE ALSO **[podman(1)](podman.1.md)** diff --git a/docs/source/markdown/podman-volume-create.1.md b/docs/source/markdown/podman-volume-create.1.md index 06fadcaa1..f43e647bf 100644 --- a/docs/source/markdown/podman-volume-create.1.md +++ b/docs/source/markdown/podman-volume-create.1.md @@ -4,7 +4,7 @@ podman\-volume\-create - Create a new volume ## SYNOPSIS -**podman volume create** [*options*] +**podman volume create** [*options*] [*name*] ## DESCRIPTION @@ -31,16 +31,17 @@ Set metadata for a volume (e.g., --label mykey=value). Set driver specific options. For the default driver, **local**, this allows a volume to be configured to mount a filesystem on the host. -For the `local` driver the following options are supported: `type`, `device`, and `o`. +For the `local` driver the following options are supported: `type`, `device`, `o`, and `[no]copy`. The `type` option sets the type of the filesystem to be mounted, and is equivalent to the `-t` flag to **mount(8)**. The `device` option sets the device to be mounted, and is equivalent to the `device` argument to **mount(8)**. +The `copy` option enables copying files from the container image path where the mount is created to the newly created volume on the first run. `copy` is the default. The `o` option sets options for the mount, and is equivalent to the `-o` flag to **mount(8)** with these exceptions: - The `o` option supports `uid` and `gid` options to set the UID and GID of the created volume that are not normally supported by **mount(8)**. - The `o` option supports the `size` option to set the maximum size of the created volume, the `inodes` option to set the maximum number of inodes for the volume and `noquota` to completely disable quota support even for tracking of disk usage. Currently these flags are only supported on "xfs" file system mounted with the `prjquota` flag described in the **xfs_quota(8)** man page. - - The `o` option supports . - - Using volume options other then the UID/GID options with the **local** driver requires root privileges. + - The `o` option supports using volume options other than the UID/GID options with the **local** driver and requires root privileges. + - The `o` options supports the `timeout` option which allows users to set a driver specific timeout in seconds before volume creation fails. For example, **--opts=o=timeout=10** sets a driver timeout of 10 seconds. When not using the **local** driver, the given options are passed directly to the volume plugin. In this case, supported options are dictated by the plugin in question, not Podman. diff --git a/docs/source/markdown/podman-volume-import.1.md b/docs/source/markdown/podman-volume-import.1.md index 71956f43a..4ae9ae1e2 100644 --- a/docs/source/markdown/podman-volume-import.1.md +++ b/docs/source/markdown/podman-volume-import.1.md @@ -1,7 +1,7 @@ % podman-volume-import(1) ## NAME -podman\-volume\-import - Import tarball contents into a podman volume +podman\-volume\-import - Import tarball contents into an existing podman volume ## SYNOPSIS **podman volume import** *volume* [*source*] @@ -11,9 +11,9 @@ podman\-volume\-import - Import tarball contents into a podman volume **podman volume import** imports the contents of a tarball into the podman volume's mount point. **podman volume import** can consume piped input when using `-` as source path. -Note: Following command is not supported by podman-remote. +The given volume must already exist and will not be created by podman volume import. -**podman volume import VOLUME [SOURCE]** +Note: Following command is not supported by podman-remote. #### **--help** diff --git a/docs/source/markdown/podman-volume-reload.1.md b/docs/source/markdown/podman-volume-reload.1.md new file mode 100644 index 000000000..5b9e9b9ac --- /dev/null +++ b/docs/source/markdown/podman-volume-reload.1.md @@ -0,0 +1,29 @@ +% podman-volume-reload(1) + +## NAME +podman\-volume\-reload - Reload all volumes from volumes plugins + +## SYNOPSIS +**podman volume reload** + +## DESCRIPTION + +**podman volume reload** checks all configured volume plugins and updates the libpod database with all available volumes. +Existing volumes are also removed from the database when they are no longer present in the plugin. + +This command it is best effort and cannot guarantee a perfect state because plugins can be modified from the outside at any time. + +Note: This command is not supported with podman-remote. + +## EXAMPLES + +``` +$ podman volume reload +Added: +vol6 +Removed: +t3 +``` + +## SEE ALSO +**[podman(1)](podman.1.md)**, **[podman-volume(1)](podman-volume.1.md)** diff --git a/docs/source/markdown/podman-volume.1.md b/docs/source/markdown/podman-volume.1.md index d05f007c8..a437590b3 100644 --- a/docs/source/markdown/podman-volume.1.md +++ b/docs/source/markdown/podman-volume.1.md @@ -16,11 +16,12 @@ podman volume is a set of subcommands that manage volumes. | create | [podman-volume-create(1)](podman-volume-create.1.md) | Create a new volume. | | exists | [podman-volume-exists(1)](podman-volume-exists.1.md) | Check if the given volume exists. | | export | [podman-volume-export(1)](podman-volume-export.1.md) | Exports volume to external tar. | -| import | [podman-volume-import(1)](podman-volume-import.1.md) | Import tarball contents into a podman volume. | +| import | [podman-volume-import(1)](podman-volume-import.1.md) | Import tarball contents into an existing podman volume. | | inspect | [podman-volume-inspect(1)](podman-volume-inspect.1.md) | Get detailed information on one or more volumes. | | ls | [podman-volume-ls(1)](podman-volume-ls.1.md) | List all the available volumes. | | mount | [podman-volume-mount(1)](podman-volume-mount.1.md) | Mount a volume filesystem. | | prune | [podman-volume-prune(1)](podman-volume-prune.1.md) | Remove all unused volumes. | +| reload | [podman-volume-reload(1)](podman-volume-reload.1.md) | Reload all volumes from volumes plugins. | | rm | [podman-volume-rm(1)](podman-volume-rm.1.md) | Remove one or more volumes. | | unmount | [podman-volume-unmount(1)](podman-volume-unmount.1.md) | Unmount a volume. | |