summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/source/markdown/podman-build.1.md8
-rw-r--r--docs/source/markdown/podman-create.1.md9
-rw-r--r--docs/source/markdown/podman-run.1.md9
-rw-r--r--docs/source/markdown/podman-unshare.1.md8
4 files changed, 30 insertions, 4 deletions
diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md
index 5a867c574..835df7693 100644
--- a/docs/source/markdown/podman-build.1.md
+++ b/docs/source/markdown/podman-build.1.md
@@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers, disabling SELinux separation is recommended. The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation.
+
+ $ podman build --security-opt label=disable -v $HOME:/home/user .
+
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 3ff736adb..9a37a1dd0 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -1249,6 +1249,15 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers we recommend that disable SELinux separation. The option
+`--security-opt label=disable` disables SELinux separation for containers used in the build.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+ $ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index a1170253f..ce1e86afe 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1314,6 +1314,15 @@ share the volume content. As a result, Podman labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The **Z** option tells Podman to label the content with a private unshared label.
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers we recommend that disable SELinux separation. The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+ $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
diff --git a/docs/source/markdown/podman-unshare.1.md b/docs/source/markdown/podman-unshare.1.md
index 72821b6e5..fa5259ae1 100644
--- a/docs/source/markdown/podman-unshare.1.md
+++ b/docs/source/markdown/podman-unshare.1.md
@@ -30,10 +30,10 @@ The unshare session defines two environment variables:
Print usage statement
-#### **--rootless-cni**
+#### **--rootless-netns**
-Join the rootless network namespace used for CNI networking. It can be used to
-connect to a rootless container via IP address (CNI networking). This is otherwise
+Join the rootless network namespace used for CNI and netavark networking. It can be used to
+connect to a rootless container via IP address (bridge networking). This is otherwise
not possible from the host network namespace.
_Note: Using this option with more than one unshare session can have unexpected results._
@@ -78,7 +78,7 @@ $ podman unshare cat /proc/self/uid_map /proc/self/gid_map
0 1000 1
1 10000 65536
-$ podman unshare --rootless-cni ip addr
+$ podman unshare --rootless-netns ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo