aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/source/markdown/options/README.md3
-rw-r--r--docs/source/markdown/options/ip.md8
-rw-r--r--docs/source/markdown/options/rootfs.md19
-rw-r--r--docs/source/markdown/options/volume.md176
-rw-r--r--docs/source/markdown/options/volumes-from.md32
-rw-r--r--docs/source/markdown/podman-create.1.md.in229
-rw-r--r--docs/source/markdown/podman-generate-systemd.1.md4
-rw-r--r--docs/source/markdown/podman-pod-clone.1.md.in198
-rw-r--r--docs/source/markdown/podman-pod-create.1.md.in205
-rw-r--r--docs/source/markdown/podman-run.1.md.in236
-rw-r--r--docs/source/markdown/podman.1.md6
-rw-r--r--docs/tutorials/image_signing.md2
12 files changed, 265 insertions, 853 deletions
diff --git a/docs/source/markdown/options/README.md b/docs/source/markdown/options/README.md
index 92f3d374e..d8b608fb7 100644
--- a/docs/source/markdown/options/README.md
+++ b/docs/source/markdown/options/README.md
@@ -43,4 +43,5 @@ This allows the shared use of examples in the option file:
Example: podman <<subcommand>> --foo --bar
```
As a special case, `podman-pod-X` becomes just `X` (the "pod" is removed).
-This makes the `pod-id-file` man page more useful.
+This makes the `pod-id-file` man page more useful. To get the full
+subcommand including 'pod', use `<<fullsubcommand>>`.
diff --git a/docs/source/markdown/options/ip.md b/docs/source/markdown/options/ip.md
new file mode 100644
index 000000000..8f251ee2e
--- /dev/null
+++ b/docs/source/markdown/options/ip.md
@@ -0,0 +1,8 @@
+#### **--ip**=*ipv4*
+
+Specify a static IPv4 address for the <<container|pod>>, for example **10.88.64.128**.
+This option can only be used if the <<container|pod>> is joined to only a single network - i.e., **--network=network-name** is used at most once -
+and if the <<container|pod>> is not joining another container's network namespace via **--network=container:_id_**.
+The address must be within the network's IP address pool (default **10.88.0.0/16**).
+
+To specify multiple static IP addresses per <<container|pod>>, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option.
diff --git a/docs/source/markdown/options/rootfs.md b/docs/source/markdown/options/rootfs.md
new file mode 100644
index 000000000..a03c4eef1
--- /dev/null
+++ b/docs/source/markdown/options/rootfs.md
@@ -0,0 +1,19 @@
+#### **--rootfs**
+
+If specified, the first argument refers to an exploded container on the file system.
+
+This is useful to run a container without requiring any image management, the rootfs
+of the container is assumed to be managed externally.
+
+ `Overlay Rootfs Mounts`
+
+ The `:O` flag tells Podman to mount the directory from the rootfs path as
+storage using the `overlay file system`. The container processes
+can modify content within the mount point which is stored in the
+container storage in a separate directory. In overlay terms, the source
+directory will be the lower, and the container storage directory will be the
+upper. Modifications to the mount point are destroyed when the container
+finishes executing, similar to a tmpfs mount point being unmounted.
+
+Note: On **SELinux** systems, the rootfs needs the correct label, which is by default
+**unconfined_u:object_r:container_file_t:s0**.
diff --git a/docs/source/markdown/options/volume.md b/docs/source/markdown/options/volume.md
new file mode 100644
index 000000000..9c4a7f981
--- /dev/null
+++ b/docs/source/markdown/options/volume.md
@@ -0,0 +1,176 @@
+#### **--volume**, **-v**=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*
+
+Create a bind mount. If `-v /HOST-DIR:/CONTAINER-DIR` is specified, Podman
+bind mounts `/HOST-DIR` from the host into `/CONTAINER-DIR` in the Podman
+container. Similarly, `-v SOURCE-VOLUME:/CONTAINER-DIR` will mount the named
+volume from the host into the container. If no such named volume exists, Podman will
+create one. (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.)
+
+The _OPTIONS_ is a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup>
+
+* **rw**|**ro**
+* **z**|**Z**
+* [**O**]
+* [**U**]
+* [**no**]**copy**
+* [**no**]**dev**
+* [**no**]**exec**
+* [**no**]**suid**
+* [**r**]**bind**
+* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable**
+
+The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume
+will be mounted into the container at this directory.
+
+Volumes may specify a source as well, as either a directory on the host
+or the name of a named volume. If no source is given, the volume will be created as an
+anonymously named volume with a randomly generated name, and will be removed when
+the <<container|pod>> is removed via the `--rm` flag or the `podman rm --volumes` command.
+
+If a volume source is specified, it must be a path on the host or the name of a
+named volume. Host paths are allowed to be absolute or relative; relative paths
+are resolved relative to the directory Podman is run in. If the source does not
+exist, Podman will return an error. Users must pre-create the source files or
+directories.
+
+Any source that does not begin with a `.` or `/` will be treated as the name of
+a named volume. If a volume with that name does not exist, it will be created.
+Volumes created with names are not anonymous, and they are not removed by the `--rm`
+option and the `podman rm --volumes` command.
+
+Specify multiple **-v** options to mount one or more volumes into a
+<<container|pod>>.
+
+ `Write Protected Volume Mounts`
+
+Add **:ro** or **:rw** option to mount a volume in read-only or
+read-write mode, respectively. By default, the volumes are mounted read-write.
+See examples.
+
+ `Chowning Volume Mounts`
+
+By default, Podman does not change the owner and group of source volume
+directories mounted into containers. If a <<container|pod>> is created in a new user
+namespace, the UID and GID in the container may correspond to another UID and
+GID on the host.
+
+The `:U` suffix tells Podman to use the correct host UID and GID based on the
+UID and GID within the <<container|pod>>, to change recursively the owner and group of
+the source volume.
+
+**Warning** use with caution since this will modify the host filesystem.
+
+ `Labeling Volume Mounts`
+
+Labeling systems like SELinux require that proper labels are placed on volume
+content mounted into a <<container|pod>>. Without a label, the security system might
+prevent the processes running inside the <<container|pod>> from using the content. By
+default, Podman does not change the labels set by the OS.
+
+To change a label in the <<container|pod>> context, add either of two suffixes
+**:z** or **:Z** to the volume mount. These suffixes tell Podman to relabel file
+objects on the shared volumes. The **z** option tells Podman that two <<containers|pods>>
+share the volume content. As a result, Podman labels the content with a shared
+content label. Shared volume labels allow all containers to read/write content.
+The **Z** option tells Podman to label the content with a private unshared label.
+Only the current <<container|pod>> can use a private volume.
+
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers we recommend disabling SELinux separation. The option
+**--security-opt label=disable** disables SELinux separation for the <<container|pod>>.
+For example if a user wanted to volume mount their entire home directory into a
+<<container|pod>>, they need to disable SELinux separation.
+
+ $ podman <<fullsubcommand>> --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
+ `Overlay Volume Mounts`
+
+ The `:O` flag tells Podman to mount the directory from the host as a
+temporary storage using the `overlay file system`. The <<container|pod>> processes
+can modify content within the mountpoint which is stored in the
+container storage in a separate directory. In overlay terms, the source
+directory will be the lower, and the container storage directory will be the
+upper. Modifications to the mount point are destroyed when the <<container|pod>>
+finishes executing, similar to a tmpfs mount point being unmounted.
+
+For advanced users, the **overlay** option also supports custom non-volatile
+**upperdir** and **workdir** for the overlay mount. Custom **upperdir** and
+**workdir** can be fully managed by the users themselves, and Podman will not
+remove it on lifecycle completion.
+Example **:O,upperdir=/some/upper,workdir=/some/work**
+
+ Subsequent executions of the container will see the original source directory
+content, any changes from previous <<container|pod>> executions no longer exist.
+
+ One use case of the overlay mount is sharing the package cache from the
+host into the container to allow speeding up builds.
+
+ Note:
+
+ - The `O` flag conflicts with other options listed above.
+Content mounted into the container is labeled with the private label.
+ On SELinux systems, labels in the source directory must be readable
+by the <<|pod infra>> container label. Usually containers can read/execute `container_share_t`
+and can read/write `container_file_t`. If unable to change the labels on a
+source volume, SELinux container separation must be disabled for the <<|pod or infra>> container
+to work.
+ - The source directory mounted into the <<container|pod>> with an overlay mount
+should not be modified, it can cause unexpected failures. It is recommended
+to not modify the directory until the container finishes running.
+
+ `Mounts propagation`
+
+By default bind mounted volumes are `private`. That means any mounts done
+inside the <<container|pod>> will not be visible on host and vice versa. One can change
+this behavior by specifying a volume mount propagation property. Making a
+volume shared mounts done under that volume inside the <<container|pod>> will be
+visible on host and vice versa. Making a volume **slave** enables only one
+way mount propagation and that is mounts done on host under that volume
+will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
+
+To control mount propagation property of a volume one can use the [**r**]**shared**,
+[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag.
+Propagation property can be specified only for bind mounted volumes and not for
+internal volumes or named volumes. For mount propagation to work the source mount
+point (the mount point where source dir is mounted on) has to have the right propagation
+properties. For shared volumes, the source mount point has to be shared. And for
+slave volumes, the source mount point has to be either shared or slave.
+<sup>[[1]](#Footnote1)</sup>
+
+To recursively mount a volume and all of its submounts into a
+<<container|pod>>, use the **rbind** option. By default the bind option is
+used, and submounts of the source directory will not be mounted into the
+<<container|pod>>.
+
+Mounting the volume with the **nosuid** options means that SUID applications on
+the volume will not be able to change their privilege. By default volumes
+are mounted with **nosuid**.
+
+Mounting the volume with the **noexec** option means that no executables on the
+volume will be able to be executed within the <<container|pod>>.
+
+Mounting the volume with the **nodev** option means that no devices on the volume
+will be able to be used by processes within the <<container|pod>>. By default volumes
+are mounted with **nodev**.
+
+If the _HOST-DIR_ is a mount point, then **dev**, **suid**, and **exec** options are
+ignored by the kernel.
+
+Use **df HOST-DIR** to figure out the source mount, then use
+**findmnt -o TARGET,PROPAGATION _source-mount-dir_** to figure out propagation
+properties of source mount. If **findmnt**(1) utility is not available, then one
+can look at the mount entry for the source mount point in _/proc/self/mountinfo_. Look
+at the "optional fields" and see if any propagation properties are specified.
+In there, **shared:N** means the mount is shared, **master:N** means mount
+is slave, and if nothing is there, the mount is private. <sup>[[1]](#Footnote1)</sup>
+
+To change propagation properties of a mount point, use **mount**(8) command. For
+example, if one wants to bind mount source directory _/foo_, one can do
+**mount --bind /foo /foo** and **mount --make-private --make-shared /foo**. This
+will convert /foo into a shared mount point. Alternatively, one can directly
+change propagation properties of source mount. Say _/_ is source mount for
+_/foo_, then use **mount --make-shared /** to convert _/_ into a shared mount.
+
+Note: if the user only has access rights via a group, accessing the volume
+from inside a rootless <<container|pod>> will fail.
diff --git a/docs/source/markdown/options/volumes-from.md b/docs/source/markdown/options/volumes-from.md
new file mode 100644
index 000000000..ebef116e7
--- /dev/null
+++ b/docs/source/markdown/options/volumes-from.md
@@ -0,0 +1,32 @@
+#### **--volumes-from**=*CONTAINER[:OPTIONS]*
+
+Mount volumes from the specified container(s). Used to share volumes between
+containers<<| and pods>>. The *options* is a comma-separated list with the following available elements:
+
+* **rw**|**ro**
+* **z**
+
+Mounts already mounted volumes from a source container onto another
+<<container|pod>>. _CONTAINER_ may be a name or ID.
+To share a volume, use the --volumes-from option when running
+the target container. Volumes can be shared even if the source container
+is not running.
+
+By default, Podman mounts the volumes in the same mode (read-write or
+read-only) as it is mounted in the source container.
+This can be changed by adding a `ro` or `rw` _option_.
+
+Labeling systems like SELinux require that proper labels are placed on volume
+content mounted into a <<container|pod>>. Without a label, the security system might
+prevent the processes running inside the container from using the content. By
+default, Podman does not change the labels set by the OS.
+
+To change a label in the <<container|pod>> context, add `z` to the volume mount.
+This suffix tells Podman to relabel file objects on the shared volumes. The `z`
+option tells Podman that two entities share the volume content. As a result,
+Podman labels the content with a shared content label. Shared volume labels allow
+all containers to read/write content.
+
+If the location of the volume from the source container overlaps with
+data residing on a target <<container|pod>>, then the volume hides
+that data on the target.
diff --git a/docs/source/markdown/podman-create.1.md.in b/docs/source/markdown/podman-create.1.md.in
index f74429848..e2e7644f7 100644
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@@ -228,14 +228,7 @@ pod when that pod is not running.
Keep STDIN open even if not attached. The default is *false*.
-#### **--ip**=*ipv4*
-
-Specify a static IPv4 address for the container, for example **10.88.64.128**.
-This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once -
-and if the container is not joining another container's network namespace via **--network=container:_id_**.
-The address must be within the network's IP address pool (default **10.88.0.0/16**).
-
-To specify multiple static IP addresses per container, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option.
+@@option ip
#### **--ip6**=*ipv6*
@@ -418,22 +411,7 @@ Suppress output information when pulling images
Automatically remove the container when it exits. The default is *false*.
-#### **--rootfs**
-
-If specified, the first argument refers to an exploded container on the file system.
-
-This is useful to run a container without requiring any image management, the rootfs
-of the container is assumed to be managed externally.
-
- `Overlay Rootfs Mounts`
-
- The `:O` flag tells Podman to mount the directory from the rootfs path as
-storage using the `overlay file system`. The container processes
-can modify content within the mount point which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the container
-finishes executing, similar to a tmpfs mount point being unmounted.
+@@option rootfs
@@option sdnotify
@@ -539,208 +517,11 @@ Without this argument the command will be run as root in the container.
#### **--variant**=*VARIANT*
Use _VARIANT_ instead of the default architecture variant of the container image. Some images can use multiple variants of the arm architectures, such as arm/v5 and arm/v7.
-#### **--volume**, **-v**=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*
-
-Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman
-bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman
-container. Similarly, `-v SOURCE-VOLUME:/CONTAINER-DIR` will mount the volume
-in the host to the container. If no such named volume exists, Podman will
-create one. The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.)
-
-The _options_ is a comma-separated list and can be:
-
-* **rw**|**ro**
-* **z**|**Z**
-* [**O**]
-* [**U**]
-* [**no**]**copy**
-* [**no**]**dev**
-* [**no**]**exec**
-* [**no**]**suid**
-* [**r**]**bind**
-* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable**
-
-The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume
-will be mounted into the container at this directory.
-
-Volumes may specify a source as well, as either a directory on the host
-or the name of a named volume. If no source is given, the volume will be created as an
-anonymously named volume with a randomly generated name, and will be removed when
-the container is removed via the `--rm` flag or `podman rm --volumes`.
-
-If a volume source is specified, it must be a path on the host or the name of a
-named volume. Host paths are allowed to be absolute or relative; relative paths
-are resolved relative to the directory Podman is run in. If the source does not
-exist, Podman will return an error. Users must pre-create the source files or
-directories.
-
-Any source that does not begin with a `.` or `/` will be treated as the name of
-a named volume. If a volume with that name does not exist, it will be created.
-Volumes created with names are not anonymous, and they are not removed by the `--rm`
-option and the `podman rm --volumes` command.
-
-You can specify multiple **-v** options to mount one or more volumes into a
-container.
-
- `Write Protected Volume Mounts`
-
-You can add `:ro` or `:rw` suffix to a volume to mount it read-only or
-read-write mode, respectively. By default, the volumes are mounted read-write.
-See examples.
-
- `Chowning Volume Mounts`
-
-By default, Podman does not change the owner and group of source volume
-directories mounted into containers. If a container is created in a new user
-namespace, the UID and GID in the container may correspond to another UID and
-GID on the host.
-
-The `:U` suffix tells Podman to use the correct host UID and GID based on the
-UID and GID within the container, to change recursively the owner and group of
-the source volume.
-
-**Warning** use with caution since this will modify the host filesystem.
-
- `Labeling Volume Mounts`
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a container. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the container context, you can add either of two suffixes
-`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file
-objects on the shared volumes. The `z` option tells Podman that two containers
-share the volume content. As a result, Podman labels the content with a shared
-content label. Shared volume labels allow all containers to read/write content.
-The `Z` option tells Podman to label the content with a private unshared label.
-Only the current container can use a private volume.
-
-Note: Do not relabel system files and directories. Relabeling system content
-might cause other confined services on your machine to fail. For these types
-of containers we recommend disabling SELinux separation. The option
-`--security-opt label=disable` disables SELinux separation for containers used in the build.
-For example if a user wanted to volume mount their entire home directory into a
-container, they need to disable SELinux separation.
-
- $ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
-
- `Overlay Volume Mounts`
-
- The `:O` flag tells Podman to mount the directory from the host as a
-temporary storage using the `overlay file system`. The container processes
-can modify content within the mountpoint which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the container
-finishes executing, similar to a tmpfs mount point being unmounted.
-
- Subsequent executions of the container will see the original source directory
-content, any changes from previous container executions no longer exist.
-
- One use case of the overlay mount is sharing the package cache from the
-host into the container to allow speeding up builds.
-
- Note:
-
- - The `O` flag conflicts with other options listed above.
-Content mounted into the container is labeled with the private label.
- On SELinux systems, labels in the source directory must be readable
-by the container label. Usually containers can read/execute `container_share_t`
-and can read/write `container_file_t`. If you cannot change the labels on a
-source volume, SELinux container separation must be disabled for the container
-to work.
- - The source directory mounted into the container with an overlay mount
-should not be modified, it can cause unexpected failures. It is recommended
-that you do not modify the directory until the container finishes running.
-
- `Mounts propagation`
-
-By default bind mounted volumes are `private`. That means any mounts done
-inside container will not be visible on host and vice versa. One can change
-this behavior by specifying a volume mount propagation property. Making a
-volume `shared` mounts done under that volume inside container will be
-visible on host and vice versa. Making a volume `slave` enables only one
-way mount propagation and that is mounts done on host under that volume
-will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
-
-To control mount propagation property of a volume one can use the [**r**]**shared**,
-[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag.
-For mount propagation to work the source mount point (the mount point where source dir
-is mounted on) has to have the right propagation properties. For shared volumes, the
-source mount point has to be shared. And for slave volumes, the source mount point
-has to be either shared or slave. <sup>[[1]](#Footnote1)</sup>
-
-If you want to recursively mount a volume and all of its submounts into a
-container, then you can use the `rbind` option. By default the bind option is
-used, and submounts of the source directory will not be mounted into the
-container.
-
-Mounting the volume with the `nosuid` options means that SUID applications on
-the volume will not be able to change their privilege. By default volumes
-are mounted with `nosuid`.
-
-Mounting the volume with the noexec option means that no executables on the
-volume will be able to be executed within the container.
-
-Mounting the volume with the nodev option means that no devices on the volume
-will be able to be used by processes within the container. By default volumes
-are mounted with `nodev`.
-
-If the `<source-dir>` is a mount point, then "dev", "suid", and "exec" options are
-ignored by the kernel.
-
-Use `df <source-dir>` to figure out the source mount and then use
-`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation
-properties of source mount. If `findmnt` utility is not available, then one
-can look at mount entry for source mount point in `/proc/self/mountinfo`. Look
-at `optional fields` and see if any propagation properties are specified.
-`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if
-nothing is there that means mount is `private`. <sup>[[1]](#Footnote1)</sup>
-
-To change propagation properties of a mount point use `mount` command. For
-example, if one wants to bind mount source directory `/foo` one can do
-`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
-will convert /foo into a `shared` mount point. Alternatively one can directly
-change propagation properties of source mount. Say `/` is source mount for
-`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
-
-Note: if the user only has access rights via a group, accessing the volume
-from inside a rootless container will fail. Use the `--group-add keep-groups`
-flag to pass the user's supplementary group access into the container.
-
-#### **--volumes-from**=*CONTAINER[:OPTIONS]]*
-
-Mount volumes from the specified container(s). Used to share volumes between
-containers. The *options* is a comma-separated list with the following available elements:
-
-* **rw**|**ro**
-* **z**
-
-Mounts already mounted volumes from a source container onto another
-container. You must supply the source's container-id or container-name.
-To share a volume, use the --volumes-from option when running
-the target container. You can share volumes even if the source container
-is not running.
-
-By default, Podman mounts the volumes in the same mode (read-write or
-read-only) as it is mounted in the source container.
-You can change this by adding a `ro` or `rw` _option_.
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a container. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
+@@option volume
-To change a label in the container context, you can add `z` to the volume mount.
-This suffix tells Podman to relabel file objects on the shared volumes. The `z`
-option tells Podman that two containers share the volume content. As a result,
-Podman labels the content with a shared content label. Shared volume labels allow
-all containers to read/write content.
+Use the **--group-add keep-groups** option to pass the user's supplementary group access into the container.
-If the location of the volume from the source container overlaps with
-data residing on a target container, then the volume hides
-that data on the target.
+@@option volumes-from
@@option workdir
diff --git a/docs/source/markdown/podman-generate-systemd.1.md b/docs/source/markdown/podman-generate-systemd.1.md
index ee649c95b..b733cff8d 100644
--- a/docs/source/markdown/podman-generate-systemd.1.md
+++ b/docs/source/markdown/podman-generate-systemd.1.md
@@ -85,7 +85,9 @@ Set the systemd unit requires (`Requires=`) option. Similar to wants, but declar
#### **--restart-policy**=*policy*
Set the systemd restart policy. The restart-policy must be one of: "no", "on-success", "on-failure", "on-abnormal",
-"on-watchdog", "on-abort", or "always". The default policy is *on-failure*.
+"on-watchdog", "on-abort", or "always". The default policy is *on-failure* unless the container was created with a custom restart policy.
+
+Note that generating a unit without `--new` on a container with a custom restart policy can lead to issues on shutdown; systemd will attempt to stop the unit while Podman tries to restart it. It is recommended to to create the container without `--restart` and use the `--restart-policy` option instead when generating the unit file.
#### **--restart-sec**=*time*
diff --git a/docs/source/markdown/podman-pod-clone.1.md.in b/docs/source/markdown/podman-pod-clone.1.md.in
index 011efc5b7..15f7ec208 100644
--- a/docs/source/markdown/podman-pod-clone.1.md.in
+++ b/docs/source/markdown/podman-pod-clone.1.md.in
@@ -122,200 +122,9 @@ clone process has completed. All containers within the pod are started.
@@option uts.pod
-#### **--volume**, **-v**=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*
-
-Create a bind mount. If ` -v /HOST-DIR:/CONTAINER-DIR` is specified, Podman
-bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman
-container. Similarly, `-v SOURCE-VOLUME:/CONTAINER-DIR` will mount the volume
-in the host to the container. If no such named volume exists, Podman will
-create one. The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.)
-
-The _options_ is a comma-separated list and can be:
-
-* **rw**|**ro**
-* **z**|**Z**
-* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable**
-* [**r**]**bind**
-* [**no**]**exec**
-* [**no**]**dev**
-* [**no**]**suid**
-* [**O**]
-* [**U**]
-
-The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume
-will be mounted into the container at this directory.
-
-Volumes may specify a source as well, as either a directory on the host
-or the name of a named volume. If no source is given, the volume will be created as an
-anonymously named volume with a randomly generated name, and will be removed when
-the pod is removed via the `--rm` flag or `podman rm --volumes` commands.
-
-If a volume source is specified, it must be a path on the host or the name of a
-named volume. Host paths are allowed to be absolute or relative; relative paths
-are resolved relative to the directory Podman is run in. If the source does not
-exist, Podman will return an error. Users must pre-create the source files or
-directories.
-
-Any source that does not begin with a `.` or `/` will be treated as the name of
-a named volume. If a volume with that name does not exist, it will be created.
-Volumes created with names are not anonymous, and they are not removed by the `--rm`
-option and the `podman rm --volumes` command.
-
-Specify multiple **-v** options to mount one or more volumes into a
-pod.
-
- `Write Protected Volume Mounts`
-
-Add `:ro` or `:rw` suffix to a volume to mount it read-only or
-read-write mode, respectively. By default, the volumes are mounted read-write.
-See examples.
-
- `Chowning Volume Mounts`
-
-By default, Podman does not change the owner and group of source volume
-directories mounted into containers. If a pod is created in a new user
-namespace, the UID and GID in the container may correspond to another UID and
-GID on the host.
-
-The `:U` suffix tells Podman to use the correct host UID and GID based on the
-UID and GID within the pod, to change recursively the owner and group of
-the source volume.
-
-**Warning** use with caution since this will modify the host filesystem.
-
- `Labeling Volume Mounts`
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a pod. Without a label, the security system might
-prevent the processes running inside the pod from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the pod context, add either of two suffixes
-`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file
-objects on the shared volumes. The `z` option tells Podman that two pods
-share the volume content. As a result, Podman labels the content with a shared
-content label. Shared volume labels allow all containers to read/write content.
-The `Z` option tells Podman to label the content with a private unshared label.
-Only the current pod can use a private volume.
-
- `Overlay Volume Mounts`
-
- The `:O` flag tells Podman to mount the directory from the host as a
-temporary storage using the `overlay file system`. The pod processes
-can modify content within the mountpoint which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the pod
-finishes executing, similar to a tmpfs mount point being unmounted.
-
- Subsequent executions of the container will see the original source directory
-content, any changes from previous pod executions no longer exist.
-
- One use case of the overlay mount is sharing the package cache from the
-host into the container to allow speeding up builds.
-
- Note:
-
- - The `O` flag conflicts with other options listed above.
-Content mounted into the container is labeled with the private label.
- On SELinux systems, labels in the source directory must be readable
-by the infra container label. Usually containers can read/execute `container_share_t`
-and can read/write `container_file_t`. If unable to change the labels on a
-source volume, SELinux container separation must be disabled for the infra container/pod
-to work.
- - The source directory mounted into the pod with an overlay mount
-should not be modified, it can cause unexpected failures. It is recommended
-to not modify the directory until the container finishes running.
-
- `Mounts propagation`
-
-By default bind mounted volumes are `private`. That means any mounts done
-inside pod will not be visible on host and vice versa. One can change
-this behavior by specifying a volume mount propagation property. Making a
-volume `shared` mounts done under that volume inside pod will be
-visible on host and vice versa. Making a volume `slave` enables only one
-way mount propagation and that is mounts done on host under that volume
-will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
-
-To control mount propagation property of a volume one can use the [**r**]**shared**,
-[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag.
-Propagation property can be specified only for bind mounted volumes and not for
-internal volumes or named volumes. For mount propagation to work the source mount
-point (the mount point where source dir is mounted on) has to have the right propagation
-properties. For shared volumes, the source mount point has to be shared. And for
-slave volumes, the source mount point has to be either shared or slave.
-<sup>[[1]](#Footnote1)</sup>
-
-To recursively mount a volume and all of its submounts into a
-pod, use the `rbind` option. By default the bind option is
-used, and submounts of the source directory will not be mounted into the
-pod.
-
-Mounting the volume with the `nosuid` options means that SUID applications on
-the volume will not be able to change their privilege. By default volumes
-are mounted with `nosuid`.
-
-Mounting the volume with the noexec option means that no executables on the
-volume will be able to executed within the pod.
-
-Mounting the volume with the nodev option means that no devices on the volume
-will be able to be used by processes within the pod. By default volumes
-are mounted with `nodev`.
-
-If the `<source-dir>` is a mount point, then "dev", "suid", and "exec" options are
-ignored by the kernel.
-
-Use `df <source-dir>` to figure out the source mount and then use
-`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation
-properties of source mount. If `findmnt` utility is not available, then one
-can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look
-at `optional fields` and see if any propagation properties are specified.
-`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if
-nothing is there that means mount is `private`. <sup>[[1]](#Footnote1)</sup>
-
-To change propagation properties of a mount point use `mount` command. For
-example, if one wants to bind mount source directory `/foo` one can do
-`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
-will convert /foo into a `shared` mount point. Alternatively one can directly
-change propagation properties of source mount. Say `/` is source mount for
-`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
-
-Note: if the user only has access rights via a group, accessing the volume
-from inside a rootless pod will fail.
-
-#### **--volumes-from**=*container[:options]]*
-
-Mount volumes from the specified container(s). Used to share volumes between
-containers and pods. The *options* is a comma-separated list with the following available elements:
-
-* **rw**|**ro**
-* **z**
-
-Mounts already mounted volumes from a source container into another
-pod. Must supply the source's container-id or container-name.
-To share a volume, use the --volumes-from option when running
-the target container. Volumes can be shared even if the source container
-is not running.
-
-By default, Podman mounts the volumes in the same mode (read-write or
-read-only) as it is mounted in the source container.
-This can be changed by adding a `ro` or `rw` _option_.
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a pod. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the pod context, add `z` to the volume mount.
-This suffix tells Podman to relabel file objects on the shared volumes. The `z`
-option tells Podman that two entities share the volume content. As a result,
-Podman labels the content with a shared content label. Shared volume labels allow
-all containers to read/write content.
-
-If the location of the volume from the source container overlaps with
-data residing on a target pod, then the volume hides
-that data on the target.
+@@option volume
+@@option volumes-from
## EXAMPLES
```
@@ -343,3 +152,6 @@ d0cf1f782e2ed67e8c0050ff92df865a039186237a4df24d7acba5b1fa8cc6e7
## HISTORY
May 2022, Originally written by Charlie Doern <cdoern@redhat.com>
+
+## FOOTNOTES
+<a name="Footnote1">1</a>: The Podman project is committed to inclusivity, a core value of open source. The `master` and `slave` mount propagation terminology used here is problematic and divisive, and should be changed. However, these terms are currently used within the Linux kernel and must be used as-is at this time. When the kernel maintainers rectify this usage, Podman will follow suit immediately.
diff --git a/docs/source/markdown/podman-pod-create.1.md.in b/docs/source/markdown/podman-pod-create.1.md.in
index 24edbb918..e519518c1 100644
--- a/docs/source/markdown/podman-pod-create.1.md.in
+++ b/docs/source/markdown/podman-pod-create.1.md.in
@@ -99,14 +99,7 @@ The custom image that will be used for the infra container. Unless specified, P
@@option infra-name
-#### **--ip**=*ip*
-
-Specify a static IP address for the pod, for example **10.88.64.128**.
-This option can only be used if the pod is joined to only a single network - i.e., **--network=network-name** is used at most once -
-and if the pod is not joining another container's network namespace via **--network=container:_id_**.
-The address must be within the network's IP address pool (default **10.88.0.0/16**).
-
-To specify multiple static IP addresses per pod, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option.
+@@option ip
#### **--ip6**=*ipv6*
@@ -263,198 +256,9 @@ When size is `0`, there is no limit on the amount of memory used for IPC by the
@@option uts.pod
-#### **--volume**, **-v**=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*
-
-Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Podman
-bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Podman
-container. Similarly, `-v SOURCE-VOLUME:/CONTAINER-DIR` will mount the volume
-in the host to the container. If no such named volume exists, Podman will
-create one. The `OPTIONS` are a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup> (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.)
-
-The _options_ is a comma-separated list and can be:
-
-* **rw**|**ro**
-* **z**|**Z**
-* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable**
-* [**r**]**bind**
-* [**no**]**exec**
-* [**no**]**dev**
-* [**no**]**suid**
-* [**O**]
-* [**U**]
-
-The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume
-will be mounted into the container at this directory.
-
-Volumes may specify a source as well, as either a directory on the host
-or the name of a named volume. If no source is given, the volume will be created as an
-anonymously named volume with a randomly generated name, and will be removed when
-the pod is removed via the `--rm` flag or `podman rm --volumes` commands.
-
-If a volume source is specified, it must be a path on the host or the name of a
-named volume. Host paths are allowed to be absolute or relative; relative paths
-are resolved relative to the directory Podman is run in. If the source does not
-exist, Podman will return an error. Users must pre-create the source files or
-directories.
-
-Any source that does not begin with a `.` or `/` will be treated as the name of
-a named volume. If a volume with that name does not exist, it will be created.
-Volumes created with names are not anonymous, and they are not removed by the `--rm`
-option and the `podman rm --volumes` command.
-
-You can specify multiple **-v** options to mount one or more volumes into a
-pod.
-
- `Write Protected Volume Mounts`
-
-You can add `:ro` or `:rw` suffix to a volume to mount it read-only or
-read-write mode, respectively. By default, the volumes are mounted read-write.
-See examples.
-
- `Chowning Volume Mounts`
-
-By default, Podman does not change the owner and group of source volume
-directories mounted into containers. If a pod is created in a new user
-namespace, the UID and GID in the container may correspond to another UID and
-GID on the host.
-
-The `:U` suffix tells Podman to use the correct host UID and GID based on the
-UID and GID within the pod, to change recursively the owner and group of
-the source volume.
-
-**Warning** use with caution since this will modify the host filesystem.
-
- `Labeling Volume Mounts`
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a pod. Without a label, the security system might
-prevent the processes running inside the pod from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the pod context, you can add either of two suffixes
-`:z` or `:Z` to the volume mount. These suffixes tell Podman to relabel file
-objects on the shared volumes. The `z` option tells Podman that two pods
-share the volume content. As a result, Podman labels the content with a shared
-content label. Shared volume labels allow all containers to read/write content.
-The `Z` option tells Podman to label the content with a private unshared label.
-Only the current pod can use a private volume.
-
- `Overlay Volume Mounts`
-
- The `:O` flag tells Podman to mount the directory from the host as a
-temporary storage using the `overlay file system`. The pod processes
-can modify content within the mountpoint which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the pod
-finishes executing, similar to a tmpfs mount point being unmounted.
-
- Subsequent executions of the container will see the original source directory
-content, any changes from previous pod executions no longer exist.
-
- One use case of the overlay mount is sharing the package cache from the
-host into the container to allow speeding up builds.
-
- Note:
-
- - The `O` flag conflicts with other options listed above.
-Content mounted into the container is labeled with the private label.
- On SELinux systems, labels in the source directory must be readable
-by the infra container label. Usually containers can read/execute `container_share_t`
-and can read/write `container_file_t`. If you cannot change the labels on a
-source volume, SELinux container separation must be disabled for the infra container/pod
-to work.
- - The source directory mounted into the pod with an overlay mount
-should not be modified, it can cause unexpected failures. It is recommended
-that you do not modify the directory until the container finishes running.
-
- `Mounts propagation`
-
-By default bind mounted volumes are `private`. That means any mounts done
-inside pod will not be visible on host and vice versa. One can change
-this behavior by specifying a volume mount propagation property. Making a
-volume `shared` mounts done under that volume inside pod will be
-visible on host and vice versa. Making a volume `slave` enables only one
-way mount propagation and that is mounts done on host under that volume
-will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
-
-To control mount propagation property of a volume one can use the [**r**]**shared**,
-[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag.
-For mount propagation to work the source mount point (the mount point where source dir
-is mounted on) has to have the right propagation properties. For shared volumes, the
-source mount point has to be shared. And for slave volumes, the source mount point
-has to be either shared or slave. <sup>[[1]](#Footnote1)</sup>
-
-If you want to recursively mount a volume and all of its submounts into a
-pod, then you can use the `rbind` option. By default the bind option is
-used, and submounts of the source directory will not be mounted into the
-pod.
-
-Mounting the volume with the `nosuid` options means that SUID applications on
-the volume will not be able to change their privilege. By default volumes
-are mounted with `nosuid`.
-
-Mounting the volume with the noexec option means that no executables on the
-volume will be able to executed within the pod.
-
-Mounting the volume with the nodev option means that no devices on the volume
-will be able to be used by processes within the pod. By default volumes
-are mounted with `nodev`.
-
-If the `<source-dir>` is a mount point, then "dev", "suid", and "exec" options are
-ignored by the kernel.
-
-Use `df <source-dir>` to figure out the source mount and then use
-`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation
-properties of source mount. If `findmnt` utility is not available, then one
-can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look
-at `optional fields` and see if any propagation properties are specified.
-`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if
-nothing is there that means mount is `private`. <sup>[[1]](#Footnote1)</sup>
-
-To change propagation properties of a mount point use `mount` command. For
-example, if one wants to bind mount source directory `/foo` one can do
-`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
-will convert /foo into a `shared` mount point. Alternatively one can directly
-change propagation properties of source mount. Say `/` is source mount for
-`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
-
-Note: if the user only has access rights via a group, accessing the volume
-from inside a rootless pod will fail.
-
-#### **--volumes-from**=*container[:options]]*
-
-Mount volumes from the specified container(s). Used to share volumes between
-containers and pods. The *options* is a comma-separated list with the following available elements:
-
-* **rw**|**ro**
-* **z**
-
-Mounts already mounted volumes from a source container into another
-pod. You must supply the source's container-id or container-name.
-To share a volume, use the --volumes-from option when running
-the target container. You can share volumes even if the source container
-is not running.
-
-By default, Podman mounts the volumes in the same mode (read-write or
-read-only) as it is mounted in the source container.
-You can change this by adding a `ro` or `rw` _option_.
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a pod. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the pod context, you can add `z` to the volume mount.
-This suffix tells Podman to relabel file objects on the shared volumes. The `z`
-option tells Podman that two entities share the volume content. As a result,
-Podman labels the content with a shared content label. Shared volume labels allow
-all containers to read/write content.
-
-If the location of the volume from the source container overlaps with
-data residing on a target pod, then the volume hides
-that data on the target.
+@@option volume
+@@option volumes-from
## EXAMPLES
@@ -482,3 +286,6 @@ $ podman pod create --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10
## HISTORY
July 2018, Originally compiled by Peter Hunt <pehunt@redhat.com>
+
+## FOOTNOTES
+<a name="Footnote1">1</a>: The Podman project is committed to inclusivity, a core value of open source. The `master` and `slave` mount propagation terminology used here is problematic and divisive, and should be changed. However, these terms are currently used within the Linux kernel and must be used as-is at this time. When the kernel maintainers rectify this usage, Podman will follow suit immediately.
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index 86066ad9c..c360c2e5d 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -249,14 +249,7 @@ Print usage statement
When set to **true**, keep stdin open even if not attached. The default is **false**.
-#### **--ip**=*ipv4*
-
-Specify a static IPv4 address for the container, for example **10.88.64.128**.
-This option can only be used if the container is joined to only a single network - i.e., **--network=network-name** is used at most once -
-and if the container is not joining another container's network namespace via **--network=container:_id_**.
-The address must be within the network's IP address pool (default **10.88.0.0/16**).
-
-To specify multiple static IP addresses per container, set multiple networks using the **--network** option with a static IP address specified for each using the `ip` mode for that option.
+@@option ip
#### **--ip6**=*ipv6*
@@ -455,25 +448,7 @@ Automatically remove the container when it exits. The default is **false**.
After exit of the container, remove the image unless another
container is using it. The default is *false*.
-#### **--rootfs**
-
-If specified, the first argument refers to an exploded container on the file system.
-
-This is useful to run a container without requiring any image management, the rootfs
-of the container is assumed to be managed externally.
-
- `Overlay Rootfs Mounts`
-
- The `:O` flag tells Podman to mount the directory from the rootfs path as
-storage using the `overlay file system`. The container processes
-can modify content within the mount point which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the container
-finishes executing, similar to a tmpfs mount point being unmounted.
-
-Note: On **SELinux** systems, the rootfs needs the correct label, which is by default
-**unconfined_u:object_r:container_file_t**.
+@@option rootfs
@@option sdnotify
@@ -584,212 +559,11 @@ When a user namespace is not in use, the UID and GID used within the container a
#### **--variant**=*VARIANT*
Use _VARIANT_ instead of the default architecture variant of the container image. Some images can use multiple variants of the arm architectures, such as arm/v5 and arm/v7.
-#### **--volume**, **-v**=*[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*
-
-Create a bind mount. If you specify _/HOST-DIR_:_/CONTAINER-DIR_, Podman
-bind mounts _host-dir_ in the host to _CONTAINER-DIR_ in the Podman
-container. Similarly, _SOURCE-VOLUME_:_/CONTAINER-DIR_ will mount the volume
-in the host to the container. If no such named volume exists, Podman will
-create one. (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes will be mounted from the remote server, not necessarily the client machine.)
-
-The _options_ is a comma-separated list and can be: <sup>[[1]](#Footnote1)</sup>
-
-* **rw**|**ro**
-* **z**|**Z**
-* [**O**]
-* [**U**]
-* [**no**]**copy**
-* [**no**]**dev**
-* [**no**]**exec**
-* [**no**]**suid**
-* [**r**]**bind**
-* [**r**]**shared**|[**r**]**slave**|[**r**]**private**[**r**]**unbindable**
-
-The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume
-will be mounted into the container at this directory.
-
-Volumes may specify a source as well, as either a directory on the host
-or the name of a named volume. If no source is given, the volume will be created as an
-anonymously named volume with a randomly generated name, and will be removed when
-the container is removed via the `--rm` flag or `podman rm --volumes`.
-
-If a volume source is specified, it must be a path on the host or the name of a
-named volume. Host paths are allowed to be absolute or relative; relative paths
-are resolved relative to the directory Podman is run in. If the source does not
-exist, Podman will return an error. Users must pre-create the source files or
-directories.
-
-Any source that does not begin with a `.` or `/` will be treated as the name of
-a named volume. If a volume with that name does not exist, it will be created.
-Volumes created with names are not anonymous, and they are not removed by the `--rm`
-option and the `podman rm --volumes` command.
-
-You can specify multiple **-v** options to mount one or more volumes into a
-container.
-
- `Write Protected Volume Mounts`
-
-You can add **:ro** or **:rw** option to mount a volume in read-only or
-read-write mode, respectively. By default, the volumes are mounted read-write.
-
- `Chowning Volume Mounts`
-
-By default, Podman does not change the owner and group of source volume
-directories mounted into containers. If a container is created in a new user
-namespace, the UID and GID in the container may correspond to another UID and
-GID on the host.
-
-The `:U` suffix tells Podman to use the correct host UID and GID based on the
-UID and GID within the container, to change recursively the owner and group of
-the source volume.
-
-**Warning** use with caution since this will modify the host filesystem.
-
- `Labeling Volume Mounts`
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a container. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
-
-To change a label in the container context, you can add either of two suffixes
-**:z** or **:Z** to the volume mount. These suffixes tell Podman to relabel file
-objects on the shared volumes. The **z** option tells Podman that two containers
-share the volume content. As a result, Podman labels the content with a shared
-content label. Shared volume labels allow all containers to read/write content.
-The **Z** option tells Podman to label the content with a private unshared label.
-
-Note: Do not relabel system files and directories. Relabeling system content
-might cause other confined services on your machine to fail. For these types
-of containers we recommend disabling SELinux separation. The option
-`--security-opt label=disable` disables SELinux separation for the container.
-For example if a user wanted to volume mount their entire home directory into a
-container, they need to disable SELinux separation.
-
- $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
-
- `Overlay Volume Mounts`
-
- The `:O` flag tells Podman to mount the directory from the host as a
-temporary storage using the `overlay file system`. The container processes
-can modify content within the mountpoint which is stored in the
-container storage in a separate directory. In overlay terms, the source
-directory will be the lower, and the container storage directory will be the
-upper. Modifications to the mount point are destroyed when the container
-finishes executing, similar to a tmpfs mount point being unmounted.
-
- For advanced users overlay option also supports custom non-volatile `upperdir` and `workdir`
-for the overlay mount. Custom `upperdir` and `workdir` can be fully managed by the users themselves
-and `podman` will not remove it on lifecycle completion. Example `:O,upperdir=/some/upper,workdir=/some/work`
-
- Subsequent executions of the container will see the original source directory
-content, any changes from previous container executions no longer exist.
-
- One use case of the overlay mount is sharing the package cache from the
-host into the container to allow speeding up builds.
-
- Note:
-
- - The `O` flag conflicts with other options listed above.
-Content mounted into the container is labeled with the private label.
- On SELinux systems, labels in the source directory must be readable
-by the container label. Usually containers can read/execute `container_share_t`
-and can read/write `container_file_t`. If you cannot change the labels on a
-source volume, SELinux container separation must be disabled for the container
-to work.
- - The source directory mounted into the container with an overlay mount
-should not be modified, it can cause unexpected failures. It is recommended
-that you do not modify the directory until the container finishes running.
-
-Only the current container can use a private volume.
-
- `Mounts propagation`
-
-By default bind mounted volumes are `private`. That means any mounts done
-inside container will not be visible on host and vice versa. One can change
-this behavior by specifying a volume mount propagation property. Making a
-volume shared mounts done under that volume inside container will be
-visible on host and vice versa. Making a volume **slave** enables only one
-way mount propagation and that is mounts done on host under that volume
-will be visible inside container but not the other way around. <sup>[[1]](#Footnote1)</sup>
-
-To control mount propagation property of a volume one can use the [**r**]**shared**,
-[**r**]**slave**, [**r**]**private** or the [**r**]**unbindable** propagation flag.
-For mount propagation to work the source mount point (the mount point where source dir
-is mounted on) has to have the right propagation properties. For shared volumes, the
-source mount point has to be shared. And for slave volumes, the source mount point
-has to be either shared or slave. <sup>[[1]](#Footnote1)</sup>
-
-If you want to recursively mount a volume and all of its submounts into a
-container, then you can use the **rbind** option. By default the bind option is
-used, and submounts of the source directory will not be mounted into the
-container.
-
-Mounting the volume with the **nosuid** options means that SUID applications on
-the volume will not be able to change their privilege. By default volumes
-are mounted with **nosuid**.
-
-Mounting the volume with the **noexec** option means that no executables on the
-volume will be able to be executed within the container.
-
-Mounting the volume with the **nodev** option means that no devices on the volume
-will be able to be used by processes within the container. By default volumes
-are mounted with **nodev**.
-
-If the _host-dir_ is a mount point, then **dev**, **suid**, and **exec** options are
-ignored by the kernel.
-
-Use **df $hostdir** to figure out the source mount, and then use
-**findmnt -o TARGET,PROPAGATION _source-mount-dir_** to figure out propagation
-properties of source mount. If **findmnt**(1) utility is not available, then one
-can look at mount entry for source mount point in _/proc/self/mountinfo_. Look
-at the "optional fields" and see if any propagation properties are specified.
-In there, **shared:N** means the mount is shared, **master:N** means mount
-is slave, and if nothing is there, the mount is private. <sup>[[1]](#Footnote1)</sup>
-
-To change propagation properties of a mount point, use **mount**(8) command. For
-example, if one wants to bind mount source directory _/foo_, one can do
-**mount --bind /foo /foo** and **mount --make-private --make-shared /foo**. This
-will convert /foo into a shared mount point. Alternatively, one can directly
-change propagation properties of source mount. Say, if _/_ is source mount for
-_/foo_, then use **mount --make-shared /** to convert _/_ into a shared mount.
-
-Note: if the user only has access rights via a group, accessing the volume
-from inside a rootless container will fail. Use the `--group-add keep-groups`
-flag to pass the user's supplementary group access into the container.
-
-#### **--volumes-from**=*CONTAINER[:OPTIONS]*
-
-Mount volumes from the specified container(s). Used to share volumes between
-containers. The *options* is a comma-separated list with the following available elements:
-
-* **rw**|**ro**
-* **z**
-
-Mounts already mounted volumes from a source container onto another
-container. You must supply the source's container-id or container-name.
-To share a volume, use the --volumes-from option when running
-the target container. You can share volumes even if the source container
-is not running.
-
-By default, Podman mounts the volumes in the same mode (read-write or
-read-only) as it is mounted in the source container.
-You can change this by adding a `ro` or `rw` _option_.
-
-Labeling systems like SELinux require that proper labels are placed on volume
-content mounted into a container. Without a label, the security system might
-prevent the processes running inside the container from using the content. By
-default, Podman does not change the labels set by the OS.
+@@option volume
-To change a label in the container context, you can add `z` to the volume mount.
-This suffix tells Podman to relabel file objects on the shared volumes. The `z`
-option tells Podman that two containers share the volume content. As a result,
-Podman labels the content with a shared content label. Shared volume labels allow
-all containers to read/write content.
+Use the **--group-add keep-groups** option to pass the user's supplementary group access into the container.
-If the location of the volume from the source container overlaps with
-data residing on a target container, then the volume hides
-that data on the target.
+@@option volumes-from
@@option workdir
diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md
index 3b3974dcc..7a8dd7043 100644
--- a/docs/source/markdown/podman.1.md
+++ b/docs/source/markdown/podman.1.md
@@ -43,8 +43,8 @@ Remote connections use local containers.conf for default.
#### **--events-backend**=*type*
Backend to use for storing events. Allowed values are **file**, **journald**, and
-**none**. When *file* is specified, the events are stored under a subdirectory
-of the *tmpdir* location (see **--tmpdir** below).
+**none**. When *file* is specified, the events are stored under
+`<tmpdir>/events/events.log` (see **--tmpdir** below).
#### **--help**, **-h**
@@ -158,7 +158,7 @@ On remote clients, including Mac and Windows (excluding WSL2) machines, logging
#### **--tmpdir**
-Path to the tmp directory, for libpod runtime content.
+Path to the tmp directory, for libpod runtime content. Defaults to `$XDG\_RUNTIME\_DIR/libpod/tmp` as rootless and `run/libpod/tmp` as rootful.
NOTE --tmpdir is not used for the temporary storage of downloaded images. Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`.
diff --git a/docs/tutorials/image_signing.md b/docs/tutorials/image_signing.md
index 0d1d63de2..f17aa0620 100644
--- a/docs/tutorials/image_signing.md
+++ b/docs/tutorials/image_signing.md
@@ -173,7 +173,7 @@ Then a pull is not possible any more:
```bash
sudo podman pull --tls-verify=false localhost:5000/alpine
Trying to pull localhost:5000/alpine...
-Error: error pulling image "localhost:5000/alpine": unable to pull localhost:5000/alpine: unable to pull image: Source image rejected: Invalid GPG signature: …
+Error: pulling image "localhost:5000/alpine": unable to pull localhost:5000/alpine: unable to pull image: Source image rejected: Invalid GPG signature: …
```
So in general there are four main things to be taken into consideration when