Diffstat (limited to 'docs')
-rw-r--r--  docs/libpod.conf.5.md        4
-rw-r--r--  docs/podman-create.1.md     26
-rw-r--r--  docs/podman-exec.1.md        8
-rw-r--r--  docs/podman-image-sign.1.md 52
-rw-r--r--  docs/podman-image.1.md       3
-rw-r--r--  docs/podman-run.1.md        26
-rw-r--r--  docs/podman.1.md             4
7 files changed, 95 insertions, 28 deletions
diff --git a/docs/libpod.conf.5.md b/docs/libpod.conf.5.md
index c02d247fb..98eb5bece 100644
--- a/docs/libpod.conf.5.md
+++ b/docs/libpod.conf.5.md
@@ -37,7 +37,9 @@ libpod to manage containers.
For the bind-mount conditions, only mounts explicitly requested by the caller via `--volume` are considered. Bind mounts that libpod inserts by default (e.g. `/dev/shm`) are not considered.
- If `hooks_dir` is unset for root callers, Podman and libpod will currently default to `/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d` in order of increasing precedence. Using these defaults is deprecated, and callers should migrate to explicitly setting `hooks_dir`.
+ Podman and libpod currently support an additional `precreate` state which is called before the runtime's `create` operation. Unlike the other stages, which receive the container state on their standard input, `precreate` hooks receive the proposed runtime configuration on their standard input. They may alter that configuration as they see fit, and write the altered form to their standard output.
+
+ **WARNING**: the `precreate` hook lets you do powerful things, such as adding additional mounts to the runtime configuration. That power also makes it easy to break things. Before reporting libpod errors, try running your container with `precreate` hooks disabled to see if the problem is due to one of your hooks.
**static_dir**=""
Directory for persistent libpod files (database, etc)
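Review bot: the WARNING tells readers to retry with `precreate` hooks disabled, but nothing in this hunk or in the `hooks_dir` text just above it says how to do that; add a sentence, e.g. that pointing `hooks_dir` at a directory that contains no precreate hook definitions disables them. The new paragraph also leaves the failure modes unspecified: since the hook's standard output replaces the runtime configuration the container is created with, it should say what libpod does when a `precreate` hook exits non-zero or writes output that is not a valid runtime configuration (refuse to create the container, or fall back to the original configuration). Given that such a hook can add mounts to the runtime configuration, it is also worth stating that the hook directories (`/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d` by default) must be writable by root only.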
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 3a75a4b00..178542f0d 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -29,7 +29,7 @@ option can be set multiple times.
Add an annotation to the container. The format is key=value.
The **--annotation** option can be set multiple times.
-**-a**, **--attach**=[]
+**--attach**, **-a**=[]
Attach to STDIN, STDOUT or STDERR.
@@ -158,7 +158,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
then processes in your container will only use memory from the first
two memory nodes.
-**-d**, **--detach**=*true*|*false*
+**--detach**, **-d**=*true*|*false*
Detached mode: run the container in the background and print the new container ID. The default is *false*.
@@ -230,7 +230,7 @@ ENTRYPOINT.
You need to specify multi option commands in the form of a json string.
-**-e**, **--env**=[]
+**--env**, **-e**=[]
Set environment variables
@@ -284,7 +284,7 @@ Run an init inside the container that forwards signals and reaps processes.
Path to the container-init binary.
-**-i**, **--interactive**=*true*|*false*
+**--interactive**, **-i**=*true*|*false*
Keep STDIN open even if not attached. The default is *false*.
@@ -315,7 +315,7 @@ is not limited. If you specify a limit, it may be rounded up to a multiple
of the operating system's page size and the value can be very large,
millions of trillions.
-**-l**, **--label**=[]
+**--label**, **-l**=[]
Add metadata to a container (e.g., --label com.example.key=value)
@@ -347,7 +347,7 @@ according to RFC4862.
Not currently supported
-**-m**, **--memory**=""
+**--memory**, **-m**=""
Memory limit (format: <number>[<unit>], where unit = b, k, m or g)
@@ -426,7 +426,7 @@ to the container with **--name** then it will generate a random
string name. The name is useful any place you need to identify a container.
This works for both background and foreground containers.
-**--net**, **--network**="*bridge*"
+**--network**, **--net**="*bridge*"
Set the Network mode for the container
'bridge': create a network stack on the default bridge
@@ -480,7 +480,7 @@ to all devices on the host, turns off graphdriver mount options, as well as
turning off most of the security measures protecting the host from the
container.
-**-p**, **--publish**=[]
+**--publish**, **-p**=[]
Publish a container's port, or range of ports, to the host
@@ -492,7 +492,7 @@ but not `podman run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanR
With ip: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage`
Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT`
-**-P**, **--publish-all**=*true*|*false*
+**--publish-all**, **-P**=*true*|*false*
Publish all exposed ports to random ports on the host interfaces. The default is *false*.
@@ -621,7 +621,7 @@ options are the same as the Linux default `mount` flags. If you do not specify
any options, the systems uses the following options:
`rw,noexec,nosuid,nodev,size=65536k`.
-**-t**, **--tty**=*true*|*false*
+**--tty**, **-t**=*true*|*false*
Allocate a pseudo-TTY. The default is *false*.
@@ -642,7 +642,7 @@ The following example maps uids 0-2000 in the container to the uids 30000-31999
Ulimit options
-**-u**, **--user**=""
+**--user**, **-u**=""
Sets the username or UID used and optionally the groupname or GID for the specified command.
@@ -665,7 +665,7 @@ Set the UTS mode for the container
**ns**: specify the usernamespace to use.
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
-**-v**|**--volume**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]
+**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]
Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman
bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman
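Review bot: the new line `**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]` is the only renamed entry in this file that keeps the bracketed `[=...]` form attached to the short flag only; every other hunk in this patch uses `**--long**, **-x**=value`, so for consistency write `**--volume**, **-v**=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*`.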
@@ -764,7 +764,7 @@ If the location of the volume from the source container overlaps with
data residing on a target container, then the volume hides
that data on the target.
-**-w**, **--workdir**=""
+**--workdir**, **-w**=""
Working directory inside the container
diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md
index 284fa5a4a..77317b0ca 100644
--- a/docs/podman-exec.1.md
+++ b/docs/podman-exec.1.md
@@ -38,6 +38,14 @@ Sets the username or UID used and optionally the groupname or GID for the specif
The following examples are all valid:
--user [user | user:group | uid | uid:gid | user:gid | uid:group ]
+**--workdir**, **-w**=""
+
+Working directory inside the container
+
+The default working directory for running binaries within a container is the root directory (/).
+The image developer can set a different default with the WORKDIR instruction, which can be overridden
+when creating the container.
+
## SEE ALSO
podman(1), podman-run(1)
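Review bot: the paragraph added for `--workdir` is copied from the create/run pages and does not fit `podman exec`: by the time `exec` runs, the working directory has already been fixed when the container was created (the hunk itself says the default "can be overridden when creating the container"), so the default for `exec` is the container's configured working directory, not `/` in general. Reword to say that `--workdir` overrides, for this exec session only, the working directory the container was created with, and drop the WORKDIR-instruction sentence or make it clear it describes the container's default rather than exec's.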
diff --git a/docs/podman-image-sign.1.md b/docs/podman-image-sign.1.md
new file mode 100644
index 000000000..c4f3c6676
--- /dev/null
+++ b/docs/podman-image-sign.1.md
@@ -0,0 +1,52 @@
+% podman-image-sign(1)
+
+# NAME
+podman-image-sign- Create a signature for an image
+
+# SYNOPSIS
+**podman image sign**
+[**-h**|**--help**]
+[**-d**, **--directory**]
+[**--sign-by**]
+[ IMAGE... ]
+
+# DESCRIPTION
+**podmain image sign** will create a local signature for one or more local images that have
+been pulled from a registry. The signature will be written to a directory
+derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
+
+# OPTIONS
+**-h** **--help**
+ Print usage statement.
+
+**-d** **--directory**
+ Store the signatures in the specified directory. Default: /var/lib/containers/sigstore
+
+**--sign-by**
+ Override the default identity of the signature.
+
+# EXAMPLES
+Sign the busybox image with the identify of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/.
+
+ sudo podman image sign --sign-by foo@bar.com -d /tmp/signatures transport://privateregistry.example.com/foobar
+
+# RELATED CONFIGURATION
+
+The write (and read) location for signatures is defined in YAML-based
+configuration files in /etc/containers/registries.d/. When you sign
+an image, podman will use those configuration files to determine
+where to write the signature based on the the name of the originating
+registry or a default storage value unless overriden with the -d
+option. For example, consider the following configuration file.
+
+docker:
+ privateregistry.example.com:
+ sigstore: file:///var/lib/containers/sigstore
+
+When signing an image preceeded with the registry name 'privateregistry.example.com',
+the signature will be written into subdirectories of
+/var/lib/containers/sigstore/privateregistry.example.com. The use of 'sigstore' also means
+the signature will be 'read' from that same location on a pull-related function.
+
+# HISTORY
+November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
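Review bot: the EXAMPLES block does not match its lead-in: the text says it signs "the busybox image" using "a user's keyring", but the command signs `transport://privateregistry.example.com/foobar`, and `transport://` is a placeholder rather than an image reference; use one concrete reference (reusing the `privateregistry.example.com` name from the RELATED CONFIGURATION section would tie the example and the registries.d snippet together). Typos in the new file: `podman-image-sign- Create` (missing space before the dash), `podmain image sign`, `identify of foo@bar.com`, `the the name`, `overriden`, `preceeded`. The SYNOPSIS and OPTIONS write `[**-d**, **--directory**]` and `**-d** **--directory**` while the rest of this patch standardizes on `**--directory**, **-d**`. The registries.d snippet should be indented or fenced like the command example so the YAML nesting survives rendering. Finally, the page has no SEE ALSO section, unlike the other pages touched here; podman-image-trust(1), which this patch links from the podman-image(1) table, is the natural cross-reference, since the sigstore read on pull that this page mentions is governed by that trust policy.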
diff --git a/docs/podman-image.1.md b/docs/podman-image.1.md
index 19893dfda..5a0c4e5f9 100644
--- a/docs/podman-image.1.md
+++ b/docs/podman-image.1.md
@@ -27,7 +27,8 @@ The image command allows you to manage images
| rm | [podman-rm(1)](podman-rmi.1.md) | Removes one or more locally stored images. |
| save | [podman-save(1)](podman-save.1.md) | Save an image to docker-archive or oci. |
| tag | [podman-tag(1)](podman-tag.1.md) | Add an additional name to a local image. |
-| trust | [podman-image-trust(1)](podman-image-trust.1.md) | Manage container image trust policy.
+| trust | [podman-image-trust(1)](podman-image-trust.1.md) | Manage container image trust policy. |
+| sign | [podman-image-sign(1)](podman-image-sign.1.md) | Sign an image. |
## SEE ALSO
podman
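Review bot: the table is in alphabetical order (rm, save, tag, trust) and the new `sign` row is appended after `trust`; move it between `save` and `tag`. The trailing `|` added to the `trust` row is a correct fix. Drive-by in the context lines: the `rm` row's link text reads `podman-rm(1)` but points at `podman-rmi.1.md`; it should read `podman-rmi(1)`.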
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 971b8829a..8b96ea6d9 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -41,7 +41,7 @@ option can be set multiple times.
Add an annotation to the container. The format is key=value.
The **--annotation** option can be set multiple times.
-**-a**, **--attach**=[]
+**--attach**, **-a**=[]
Attach to STDIN, STDOUT or STDERR.
@@ -162,7 +162,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
then processes in your container will only use memory from the first
two memory nodes.
-**-d**, **--detach**=*true*|*false*
+**--detach**, **-d**=*true*|*false*
Detached mode: run the container in the background and print the new container ID. The default is *false*.
@@ -235,7 +235,7 @@ ENTRYPOINT.
You need to specify multi option commands in the form of a json string.
-**-e**, **--env**=[]
+**--env**, **-e**=[]
Set environment variables
@@ -293,7 +293,7 @@ Run an init inside the container that forwards signals and reaps processes.
Path to the container-init binary.
-**-i**, **--interactive**=*true*|*false*
+**--interactive**, **-i**=*true*|*false*
Keep STDIN open even if not attached. The default is *false*.
@@ -327,7 +327,7 @@ is not limited. If you specify a limit, it may be rounded up to a multiple
of the operating system's page size and the value can be very large,
millions of trillions.
-**-l**, **--label**=[]
+**--label**, **-l**=[]
Add metadata to a container (e.g., --label com.example.key=value)
@@ -359,7 +359,7 @@ according to RFC4862.
Not currently supported
-**-m**, **--memory**=""
+**--memory**, **-m**=""
Memory limit (format: <number>[<unit>], where unit = b, k, m or g)
@@ -408,7 +408,7 @@ to the container with **--name** then it will generate a random
string name. The name is useful any place you need to identify a container.
This works for both background and foreground containers.
-**--net**, **--network**="*bridge*"
+**--network**, **--net**="*bridge*"
Set the Network mode for the container:
- `bridge`: create a network stack on the default bridge
@@ -464,7 +464,7 @@ to all devices on the host, turns off graphdriver mount options, as well as
turning off most of the security measures protecting the host from the
container.
-**-p**, **--publish**=[]
+**--publish**, **-p**=[]
Publish a container's port, or range of ports, to the host
@@ -480,7 +480,7 @@ With ip: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t s
Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT`
-**-P**, **--publish-all**=*true*|*false*
+**--publish-all**, **-P**=*true*|*false*
Publish all exposed ports to random ports on the host interfaces. The default is *false*.
@@ -623,7 +623,7 @@ options are the same as the Linux default `mount` flags. If you do not specify
any options, the systems uses the following options:
`rw,noexec,nosuid,nodev,size=65536k`.
-**-t**, **--tty**=*true*|*false*
+**--tty**, **-t**=*true*|*false*
Allocate a pseudo-TTY. The default is *false*.
@@ -645,7 +645,7 @@ The example maps uids 0-2000 in the container to the uids 30000-31999 on the hos
Ulimit options
-**-u**, **--user**=""
+**--user**, **-u**=""
Sets the username or UID used and optionally the groupname or GID for the specified command.
@@ -703,7 +703,7 @@ Current supported mount TYPES are bind, and tmpfs.
ยท tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
-**-v**|**--volume**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]
+**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]
Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman
bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman
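Review bot: same inconsistency as in docs/podman-create.1.md: `**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]` keeps the bracketed form on the short flag only, while the other entries renamed in this patch use `**--long**, **-x**=value`; write `**--volume**, **-v**=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*`. The context line above the hunk also shows a mis-encoded bullet (`ยท`) in the tmpfs-mode entry, worth fixing while this file is being touched.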
@@ -802,7 +802,7 @@ If the location of the volume from the source container overlaps with
data residing on a target container, then the volume hides
that data on the target.
-**-w**, **--workdir**=""
+**--workdir**, **-w**=""
Working directory inside the container
diff --git a/docs/podman.1.md b/docs/podman.1.md
index bde349e6f..a73ebb55e 100644
--- a/docs/podman.1.md
+++ b/docs/podman.1.md
@@ -43,6 +43,10 @@ For the bind-mount conditions, only mounts explicitly requested by the caller vi
If `--hooks-dir` is unset for root callers, Podman and libpod will currently default to `/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d` in order of increasing precedence. Using these defaults is deprecated, and callers should migrate to explicitly setting `--hooks-dir`.
+Podman and libpod currently support an additional `precreate` state which is called before the runtime's `create` operation. Unlike the other stages, which receive the container state on their standard input, `precreate` hooks receive the proposed runtime configuration on their standard input. They may alter that configuration as they see fit, and write the altered form to their standard output.
+
+**WARNING**: the `precreate` hook lets you do powerful things, such as adding additional mounts to the runtime configuration. That power also makes it easy to break things. Before reporting libpod errors, try running your container with `precreate` hooks disabled to see if the problem is due to one of your hooks.
+
**--log-level**
Log messages above specified level: debug, info, warn, error (default), fatal or panic
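Review bot: this paragraph is duplicated verbatim from docs/libpod.conf.5.md in the same patch, and the WARNING's "with `precreate` hooks disabled" again comes with no instruction; in this page the knob is `--hooks-dir`, so say that passing `--hooks-dir` pointing at a directory with no precreate hook definitions disables them. Keeping one authoritative description in libpod.conf(5) and referencing it from here would stop the two copies drifting apart.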