diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/podman-build.1.md | 24 | ||||
| -rw-r--r-- | docs/podman-create.1.md | 32 | ||||
| -rw-r--r-- | docs/podman-generate-systemd.1.md | 67 | ||||
| -rw-r--r-- | docs/podman-generate.1.md | 9 | ||||
| -rw-r--r-- | docs/podman-network-inspect.1.md | 50 | ||||
| -rw-r--r-- | docs/podman-network-ls.1.md | 43 | ||||
| -rw-r--r-- | docs/podman-network-rm.1.md | 25 | ||||
| -rw-r--r-- | docs/podman-network.1.md | 21 | ||||
| -rw-r--r-- | docs/podman-push.1.md | 18 | ||||
| -rw-r--r-- | docs/podman-run.1.md | 26 | ||||
| -rw-r--r-- | docs/podman-stats.1.md | 20 | ||||
| -rw-r--r-- | docs/podman.1.md | 1 | ||||
| -rw-r--r-- | docs/tutorials/rootless_tutorial.md | 2 |
13 files changed, 270 insertions, 68 deletions
diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md index 878b31080..8deb8811e 100644 --- a/docs/podman-build.1.md +++ b/docs/podman-build.1.md @@ -375,18 +375,18 @@ to podman build, the option given would be `--runtime-flag log-format=json`. Security Options - "label=user:USER" : Set the label user for the container - "label=role:ROLE" : Set the label role for the container - "label=type:TYPE" : Set the label type for the container - "label=level:LEVEL" : Set the label level for the container - "label=disable" : Turn off label confinement for the container - "no-new-privileges" : Not supported - - "seccomp=unconfined" : Turn off seccomp confinement for the container - "seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter - - "apparmor=unconfined" : Turn off apparmor confinement for the container - "apparmor=your-profile" : Set the apparmor confinement profile for the container +- `apparmor=unconfined` : Turn off apparmor confinement for the container +- `apparmor=your-profile` : Set the apparmor confinement profile for the container + +- `label=user:USER` : Set the label user for the container processes +- `label=role:ROLE` : Set the label role for the container processes +- `label=type:TYPE` : Set the label process type for the container processes +- `label=level:LEVEL` : Set the label level for the container processes +- `label=filetype:TYPE` : Set the label file type for the container files +- `label=disable` : Turn off label separation for the container + +- `seccomp=unconfined` : Turn off seccomp confinement for the container +- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter **--shm-size**=*size* diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 50fca3541..7634408f5 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -582,6 +582,15 @@ port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. +**--pull**=*missing* + +Pull image before creating ("always"|"missing"|"never") (default "missing"). + 'missing': default value, attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist.Raise an error if the image is not in any listed registry and is not present locally. + 'always': Pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. + 'never': do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally. + +Defaults to *missing*. + **--quiet**, **-q** Suppress output information when pulling images @@ -631,19 +640,20 @@ of the container is assumed to be managed externally. Security Options -"apparmor=unconfined" : Turn off apparmor confinement for the container -"apparmor=your-profile" : Set the apparmor confinement profile for the container +- `apparmor=unconfined` : Turn off apparmor confinement for the container +- `apparmor=your-profile` : Set the apparmor confinement profile for the container -"label=user:USER" : Set the label user for the container -"label=role:ROLE" : Set the label role for the container -"label=type:TYPE" : Set the label type for the container -"label=level:LEVEL" : Set the label level for the container -"label=disable" : Turn off label confinement for the container +- `label=user:USER` : Set the label user for the container processes +- `label=role:ROLE` : Set the label role for the container processes +- `label=type:TYPE` : Set the label process type for the container processes +- `label=level:LEVEL` : Set the label level for the container processes +- `label=filetype:TYPE` : Set the label file type for the container files +- `label=disable` : Turn off label separation for the container -"no-new-privileges" : Disable container processes from gaining additional privileges +- `no-new-privileges` : Disable container processes from gaining additional privileges -"seccomp=unconfined" : Turn off seccomp confinement for the container -"seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter +- `seccomp=unconfined` : Turn off seccomp confinement for the container +- `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter Note: Labeling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. @@ -715,7 +725,7 @@ $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image This command mounts a `tmpfs` at `/tmp` within the container. The supported mount options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: -`rw,noexec,nosuid,nodev,size=65536k`. +`rw,noexec,nosuid,nodev`. **--tty**, **-t**=*true|false* diff --git a/docs/podman-generate-systemd.1.md b/docs/podman-generate-systemd.1.md index ea72fdfae..b4962f28b 100644 --- a/docs/podman-generate-systemd.1.md +++ b/docs/podman-generate-systemd.1.md @@ -4,16 +4,20 @@ podman-generate-systemd- Generate Systemd Unit file ## SYNOPSIS -**podman generate systemd** [*options*] *container* +**podman generate systemd** [*options*] *container|pod* ## DESCRIPTION -**podman generate systemd** will create a Systemd unit file that can be used to control a container. The -command will dynamically create the unit file and output it to stdout where it can be piped by the user -to a file. The options can be used to influence the results of the output as well. +**podman generate systemd** will create a systemd unit file that can be used to control a container or pod. +By default, the command will print the content of the unit files to stdout. +Note that this command is not supported for the remote client. ## OPTIONS: +**--files**, **-f** + +Generate files instead of printing to stdout. The generated files are named {container,pod}-{ID,name}.service and will be placed in the current working directory. + **--name**, **-n** Use the name of the container for the start, stop, and description in the unit file @@ -27,41 +31,66 @@ Set the systemd restart policy. The restart-policy must be one of: "no", "on-su "on-watchdog", "on-abort", or "always". The default policy is *on-failure*. ## Examples -Create a systemd unit file for a container running nginx: +Create and print a systemd unit file for a container running nginx with an *always* restart policy and 1-second timeout to stdout. ``` -$ sudo podman generate systemd nginx +$ podman create --name nginx nginx:latest +$ podman generate systemd --restart-policy=always -t 1 nginx +# container-de1e3223b1b888bc02d0962dd6cb5855eb00734061013ffdd3479d225abacdc6.service +# autogenerated by Podman 1.5.2 +# Wed Aug 21 09:46:45 CEST 2019 + [Unit] -Description=c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc Podman Container +Description=Podman container-de1e3223b1b888bc02d0962dd6cb5855eb00734061013ffdd3479d225abacdc6.service +Documentation=man:podman-generate-systemd(1) + [Service] -Restart=on-failure -ExecStart=/usr/bin/podman start c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc -ExecStop=/usr/bin/podman stop -t 10 c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc +Restart=always +ExecStart=/usr/bin/podman start de1e3223b1b888bc02d0962dd6cb5855eb00734061013ffdd3479d225abacdc6 +ExecStop=/usr/bin/podman stop -t 1 de1e3223b1b888bc02d0962dd6cb5855eb00734061013ffdd3479d225abacdc6 KillMode=none Type=forking -PIDFile=/var/run/containers/storage/overlay-containers/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc/userdata/conmon.pid +PIDFile=/run/user/1000/overlay-containers/de1e3223b1b888bc02d0962dd6cb5855eb00734061013ffdd3479d225abacdc6/userdata/conmon.pid + [Install] WantedBy=multi-user.target ``` -Create a systemd unit file for a container running nginx with an *always* restart policy and 1-second timeout. +Create systemd unit files for a pod with two simple alpine containers. Note that these container services cannot be started or stopped individually via `systemctl`; they are managed by the pod service. You can still use `systemctl status` or journalctl to examine them. ``` -$ sudo podman generate systemd --restart-policy=always -t 1 nginx +$ podman pod create --name systemd-pod +$ podman create --pod systemd-pod alpine top +$ podman create --pod systemd-pod alpine top +$ podman generate systemd --files --name systemd-pod +/home/user/pod-systemd-pod.service +/home/user/container-amazing_chandrasekhar.service +/home/user/container-jolly_shtern.service +$ cat pod-systemd-pod.service +# pod-systemd-pod.service +# autogenerated by Podman 1.5.2 +# Wed Aug 21 09:52:37 CEST 2019 + [Unit] -Description=c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc Podman Container +Description=Podman pod-systemd-pod.service +Documentation=man:podman-generate-systemd(1) +Requires=container-amazing_chandrasekhar.service container-jolly_shtern.service +Before=container-amazing_chandrasekhar.service container-jolly_shtern.service + [Service] -Restart=always -ExecStart=/usr/bin/podman start c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc -ExecStop=/usr/bin/podman stop -t 1 c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc +Restart=on-failure +ExecStart=/usr/bin/podman start 77a818221650-infra +ExecStop=/usr/bin/podman stop -t 10 77a818221650-infra KillMode=none Type=forking -PIDFile=/var/run/containers/storage/overlay-containers/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc/userdata/conmon.pid +PIDFile=/run/user/1000/overlay-containers/ccfd5c71a088768774ca7bd05888d55cc287698dde06f475c8b02f696a25adcd/userdata/conmon.pid + [Install] WantedBy=multi-user.target ``` ## SEE ALSO -podman(1), podman-container(1) +podman(1), podman-container(1), systemctl(1), systemd.unit(5), systemd.service(5) ## HISTORY +August 2019, Updated with pod support by Valentin Rothberg (rothberg at redhat dot com) April 2019, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-generate.1.md b/docs/podman-generate.1.md index 5a2386778..50050f2c1 100644 --- a/docs/podman-generate.1.md +++ b/docs/podman-generate.1.md @@ -11,10 +11,11 @@ The generate command will create structured output (like YAML) based on a contai ## COMMANDS -| Command | Man Page | Description | -| ------- | --------------------------------------------------- | ---------------------------------------------------------------------------- | -| kube | [podman-generate-kube(1)](podman-generate-kube.1.md)| Generate Kubernetes YAML based on a pod or container. | -| systemd | [podman-generate-systemd(1)](podman-generate-systemd.1.md)| Generate a systemd unit file for a container. | +| Command | Man Page | Description | +|---------|------------------------------------------------------------|-------------------------------------------------------------------------------------| +| kube | [podman-generate-kube(1)](podman-generate-kube.1.md) | Generate Kubernetes YAML based on a pod or container. | +| systemd | [podman-generate-systemd(1)](podman-generate-systemd.1.md) | Generate systemd unit file(s) for a container. Not supported for the remote client. | + ## SEE ALSO podman, podman-pod, podman-container diff --git a/docs/podman-network-inspect.1.md b/docs/podman-network-inspect.1.md new file mode 100644 index 000000000..576e61c79 --- /dev/null +++ b/docs/podman-network-inspect.1.md @@ -0,0 +1,50 @@ +% podman-network-inspect(1) + +## NAME +podman\-network-inspect- Inspect one or more Podman networks + +## SYNOPSIS +**podman network inspect** [*network* ...] + +## DESCRIPTION +Display the raw (JSON format) network configuration. This command is not available for rootless users. + +## EXAMPLE + +Inspect the default podman network + +``` +# podman network inspect podman +[{ + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.1.0/24", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] +} +] +``` + +## SEE ALSO +podman(1), podman-network(1), podman-network-ls(1) + +## HISTORY +August 2019, Originally compiled by Brent Baude <bbaude@redhat.com> diff --git a/docs/podman-network-ls.1.md b/docs/podman-network-ls.1.md new file mode 100644 index 000000000..725e07dbb --- /dev/null +++ b/docs/podman-network-ls.1.md @@ -0,0 +1,43 @@ +% podman-network-ls(1) + +## NAME +podman\-network-ls- Display a summary of CNI networks + +## SYNOPSIS +**podman network ls** [*options*] + +## DESCRIPTION +Displays a list of existing podman networks. This command is not available for rootless users. + +## OPTIONS +**--quiet**, **-q** + +The `quiet` options will restrict the output to only the network names + +## EXAMPLE + +Display networks + +``` +# podman network ls +NAME VERSION PLUGINS +podman 0.3.0 bridge,portmap +podman2 0.3.0 bridge,portmap +outside 0.3.0 bridge +podman9 0.3.0 bridge,portmap +``` + +Display only network names +``` +# podman network ls -q +podman +podman2 +outside +podman9 +``` + +## SEE ALSO +podman(1), podman-network(1), podman-network-inspect(1) + +## HISTORY +August 2019, Originally compiled by Brent Baude <bbaude@redhat.com> diff --git a/docs/podman-network-rm.1.md b/docs/podman-network-rm.1.md new file mode 100644 index 000000000..f72d6a694 --- /dev/null +++ b/docs/podman-network-rm.1.md @@ -0,0 +1,25 @@ +% podman-network-rm(1) + +## NAME +podman\-network-rm- Delete a Podman CNI network + +## SYNOPSIS +**podman network rm** [*network...*] + +## DESCRIPTION +Delete one or more Podman networks. + +## EXAMPLE + +Delete the `podman9` network + +``` +# podman network rm podman +Deleted: podman9 +``` + +## SEE ALSO +podman(1), podman-network(1), podman-network-inspect(1) + +## HISTORY +August 2019, Originally compiled by Brent Baude <bbaude@redhat.com> diff --git a/docs/podman-network.1.md b/docs/podman-network.1.md new file mode 100644 index 000000000..c01adc23e --- /dev/null +++ b/docs/podman-network.1.md @@ -0,0 +1,21 @@ +% podman-network(1) + +## NAME +podman\-network- Manage podman CNI networks + +## SYNOPSIS +**podman network** *subcommand* + +## DESCRIPTION +The network command manages CNI networks for Podman. It is not supported for rootless users. + +## COMMANDS + +| Command | Man Page | Description | +| ------- | --------------------------------------------------- | ---------------------------------------------------------------------------- | +| inspect | [podman-network-inspect(1)](podman-network-inspect.1.md)| Displays the raw CNI network configuration for one or more networks| +| ls | [podman-network-ls(1)](podman-network-ls.1.md)| Display a summary of CNI networks | +| rm | [podman-network-rm(1)](podman-network-rm.1.md)| Remove one or more CNI networks | + +## SEE ALSO +podman(1) diff --git a/docs/podman-push.1.md b/docs/podman-push.1.md index 2058a432c..29e4044a3 100644 --- a/docs/podman-push.1.md +++ b/docs/podman-push.1.md @@ -61,13 +61,17 @@ value can be entered. The password is entered without echo. **--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. -Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) (Not available for remote commands) +Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) **--compress** Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type, compressed or uncompressed, as source) Note: This flag can only be set when using the **dir** transport +**--digestfile** *Digestfile* + +After copying the image, write the digest of the resulting image to the file. (Not available for remote commands) + **--format**, **-f**=*format* Manifest Type (oci, v2s1, or v2s2) to use when pushing an image to a directory using the 'dir:' transport (default is manifest type of source) @@ -93,19 +97,23 @@ TLS verification will be used unless the target registry is listed as an insecur ## EXAMPLE -This example extracts the imageID image to a local directory in docker format. +This example pushes the image specified by the imageID to a local directory in docker format. `# podman push imageID dir:/path/to/image` -This example extracts the imageID image to a local directory in oci format. +This example pushes the image specified by the imageID to a local directory in oci format. `# podman push imageID oci-archive:/path/to/layout:image:tag` -This example extracts the imageID image to a container registry named registry.example.com +This example pushes the image specified by the imageID to a container registry named registry.example.com `# podman push imageID docker://registry.example.com/repository:tag` -This example extracts the imageID image and puts into the local docker container store +This example pushes the image specified by the imageID to a container registry named registry.example.com and saves the digest in the specified digestfile. + + `# podman push --digestfile=/tmp/mydigest imageID docker://registry.example.com/repository:tag` + +This example pushes the image specified by the imageID and puts it into the local docker container store `# podman push imageID docker-daemon:image:tag` diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index e7c898b25..447d4f282 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -601,6 +601,15 @@ When using -P, podman will bind any exposed port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. +**--pull**=*missing* + +Pull image before running ("always"|"missing"|"never") (default "missing"). + 'missing': default value, attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist.Raise an error if the image is not in any listed registry and is not present locally. + 'always': Pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. + 'never': do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally. + +Defaults to *missing*. + **--quiet**, **-q** Suppress output information when pulling images @@ -656,11 +665,12 @@ Security Options - `apparmor=unconfined` : Turn off apparmor confinement for the container - `apparmor=your-profile` : Set the apparmor confinement profile for the container -- `label=user:USER` : Set the label user for the container -- `label=role:ROLE` : Set the label role for the container -- `label=type:TYPE` : Set the label type for the container -- `label=level:LEVEL` : Set the label level for the container -- `label=disable` : Turn off label confinement for the container +- `label=user:USER` : Set the label user for the container processes +- `label=role:ROLE` : Set the label role for the container processes +- `label=type:TYPE` : Set the label process type for the container processes +- `label=level:LEVEL` : Set the label level for the container processes +- `label=filetype:TYPE` : Set the label file type for the container files +- `label=disable` : Turn off label separation for the container - `no-new-privileges` : Disable container processes from gaining additional privileges @@ -726,14 +736,14 @@ Note: if you use the `--network=host` option these sysctls will not be allowed. Run container in systemd mode. The default is *true*. -If the command you running inside of the container is systemd or init, podman +If the command you are running inside of the container is systemd or init, podman will setup tmpfs mount points in the following directories: /run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal It will also set the default stop signal to SIGRTMIN+3. -This allow systemd to run in a confined container without any modifications. +This allows systemd to run in a confined container without any modifications. Note: On `SELinux` systems, systemd attempts to write to the cgroup file system. Containers writing to the cgroup file system are denied by default. @@ -752,7 +762,7 @@ $ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image This command mounts a `tmpfs` at `/tmp` within the container. The supported mount options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: -`rw,noexec,nosuid,nodev,size=65536k`. +`rw,noexec,nosuid,nodev`. **--tty**, **-t**=*true|false* diff --git a/docs/podman-stats.1.md b/docs/podman-stats.1.md index c1a87f210..2f604644f 100644 --- a/docs/podman-stats.1.md +++ b/docs/podman-stats.1.md @@ -9,6 +9,10 @@ podman\-stats - Display a live stream of 1 or more containers' resource usage st ## DESCRIPTION Display a live stream of one or more containers' resource usage statistics +Note: Podman stats will not work in rootless environments that use CGroups V1. +Podman stats relies on CGroup information for statistics, and CGroup v1 is not +supported for rootless use cases. + ## OPTIONS **--all**, **-a** @@ -69,14 +73,14 @@ a9f807ffaacd frosty_hodgkin -- 3.092MB / 16.7GB 0.02% -- / -- -- # podman stats --no-stream --format=json a9f80 [ { - "id": "a9f807ffaacd", - "name": "frosty_hodgkin", - "cpu_percent": "--", - "mem_usage": "3.092MB / 16.7GB", - "mem_percent": "0.02%", - "netio": "-- / --", - "blocki": "-- / --", - "pids": "2" + "id": "a9f807ffaacd", + "name": "frosty_hodgkin", + "cpu_percent": "--", + "mem_usage": "3.092MB / 16.7GB", + "mem_percent": "0.02%", + "netio": "-- / --", + "blocki": "-- / --", + "pids": "2" } ] ``` diff --git a/docs/podman.1.md b/docs/podman.1.md index 12b7866ca..33ea81ef6 100644 --- a/docs/podman.1.md +++ b/docs/podman.1.md @@ -161,6 +161,7 @@ the exit codes follow the `chroot` standard, see below: | [podman-logout(1)](podman-logout.1.md) | Logout of a container registry. | | [podman-logs(1)](podman-logs.1.md) | Display the logs of a container. | | [podman-mount(1)](podman-mount.1.md) | Mount a working container's root filesystem. | +| [podman-network(1)](podman-network.1.md) | Manage Podman CNI networks. | | [podman-pause(1)](podman-pause.1.md) | Pause one or more containers. | | [podman-play(1)](podman-play.1.md) | Play pods and containers based on a structured input file. | | [podman-pod(1)](podman-pod.1.md) | Management tool for groups of containers, called pods. | diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md index 9453e3855..92595dd02 100644 --- a/docs/tutorials/rootless_tutorial.md +++ b/docs/tutorials/rootless_tutorial.md @@ -46,7 +46,7 @@ The format of this file is USERNAME:UID:RANGE This means the user johndoe is allocated UIDS 100000-165535 as well as their standard UID in the /etc/passwd file. NOTE: this is not currently supported with network installs. These files must be available locally to the host machine. It is not possible to configure this with LDAP or Active Directory. -If you update either the /etc/subuid or the /etc/subgid file, you need to stop all the running containers owned by the user and kill the pause process that is running on the system for that user. This can be done automatically by using the `[podman system migrate](https://github.com/containers/libpod/blob/master/docs/podman-system-migrate.1.md)` command which will stop all the containers for the user and will kill the pause process. +If you update either the /etc/subuid or the /etc/subgid file, you need to stop all the running containers owned by the user and kill the pause process that is running on the system for that user. This can be done automatically by using the [`podman system migrate`](https://github.com/containers/libpod/blob/master/docs/podman-system-migrate.1.md) command which will stop all the containers for the user and will kill the pause process. Rather than updating the files directly, the usermod program can be used to assign UIDs and GIDs to a user. |