From a4983b05fbd95a6c351e92dea5d00a792837d7e8 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 18 Nov 2019 09:36:00 -0800 Subject: Document other bind options on --volumes flag Signed-off-by: Daniel J Walsh --- docs/source/markdown/podman-create.1.md | 23 +++++++++++++++++++++++ docs/source/markdown/podman-run.1.md | 23 +++++++++++++++++++++++ 2 files changed, 46 insertions(+) (limited to 'docs/source') diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 0ddcc7ed8..82d2e8f6a 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -817,6 +817,10 @@ container. The `OPTIONS` are a comma delimited list and can be: * [rw|ro] * [z|Z] * [`[r]shared`|`[r]slave`|`[r]private`] +* [`[r]bind`] +* [`noexec`|`exec`] +* [`nodev`|`dev`] +* [`nosuid`|`suid`] The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume will be mounted into the container at this directory. 
@@ -870,6 +874,25 @@ where source dir is mounted on) has to have right propagation properties. For shared volumes, source mount point has to be shared. And for slave volumes, source mount has to be either shared or slave. +If you want to recursively mount a volume and all of it's submounts into a +container, then you can use the `rbind` option. By default the bind option is +used, and submounts of the source directory will not be mounted into the +container. + +Mounting the volume with the `nosuid` options means that SUID applications on +the volume will not be able to change their privilege. By default volumes +are mounted with `nosuid`. + +Mounting the volume with the noexec option means that no executables on the +volume will be able to executed within the container. + +Mounting the volume with the nodev option means that no devices on the volume +will be able to be used by processes within the container. By default volumes +are mounted with `nodev`. + +If the is a mount point, then "dev", "suid", and "exec" options are +ignored by the kernel. + Use `df ` to figure out the source mount and then use `findmnt -o TARGET,PROPAGATION ` to figure out propagation properties of source mount. If `findmnt` utility is not available, then one diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index d487af235..e1177cb34 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -860,6 +860,10 @@ create one. * [`rw`|`ro`] * [`z`|`Z`] * [`[r]shared`|`[r]slave`|`[r]private`] +* [`[r]bind`] +* [`noexec`|`exec`] +* [`nodev`|`dev`] +* [`nosuid`|`suid`] The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The volume will be mounted into the container at this directory. 
@@ -913,6 +917,25 @@ where source dir is mounted on) has to have right propagation properties. For shared volumes, source mount point has to be shared. And for slave volumes, source mount has to be either shared or slave. +If you want to recursively mount a volume and all of it's submounts into a +container, then you can use the `rbind` option. By default the bind option is +used, and submounts of the source directory will not be mounted into the +container. + +Mounting the volume with the `nosuid` options means that SUID applications on +the volume will not be able to change their privilege. By default volumes +are mounted with `nosuid`. + +Mounting the volume with the noexec option means that no executables on the +volume will be able to executed within the container. + +Mounting the volume with the nodev option means that no devices on the volume +will be able to be used by processes within the container. By default volumes +are mounted with `nodev`. + +If the is a mount point, then "dev", "suid", and "exec" options are +ignored by the kernel. + Use `df ` to figure out the source mount and then use `findmnt -o TARGET,PROPAGATION ` to figure out propagation properties of source mount. If `findmnt` utility is not available, then one -- cgit v1.2.3-54-g00ecf
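Review bot: in the podman-create.1.md `@@ -817,6 +817,10 @@` hunk the four new bullets are backticked (`* [`[r]bind`]`, `* [`noexec`|`exec`]`, ...) while the existing `* [rw|ro]` and `* [z|Z]` entries in the same OPTIONS list are not, so the rendered list will be half code-styled; either backtick the two existing entries, as the podman-run.1.md copy of this list already does, or drop the backticks on the new ones so both man pages render the list identically.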
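Review bot: in the podman-create.1.md `@@ -870,6 +874,25 @@` hunk the sentence `If the is a mount point, then "dev", "suid", and "exec" options are` is missing its subject, so a reader cannot tell which path's mount flags are being described; name it explicitly, as the surrounding propagation paragraphs do for the source directory. The same hunk needs grammar fixes: "all of it's submounts" should be "all of its submounts", "the `nosuid` options means" should be "the `nosuid` option means", and "will be able to executed within the container" should be "will be able to be executed within the container". Formatting is inconsistent too: `nosuid` is backticked but noexec and nodev are not, and the last sentence uses double quotes for "dev", "suid", and "exec"; backtick every option name to match the OPTIONS list above. Finally, the hunk documents the default for `nosuid` and `nodev` but says nothing about whether `noexec` or `exec` is the default; since these flags decide what a process in the container can execute from the volume, the default is the one fact a reader will look for, so please state it alongside the other two.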
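Review bot: the podman-run.1.md `@@ -913,6 +917,25 @@` hunk carries the same text as the podman-create.1.md change and so has the same defects: `If the is a mount point, then "dev", "suid", and "exec" options are` lacks its subject and should say which path is meant; "it's submounts" should be "its submounts"; "the `nosuid` options means" should be "the `nosuid` option means"; "will be able to executed" should be "will be able to be executed"; noexec, nodev, "dev", "suid" and "exec" should be backticked like `nosuid` and the OPTIONS list; and the default for `noexec`/`exec` is not stated although the defaults for `nosuid` and `nodev` are. Whatever wording is settled on for podman-create.1.md should be applied verbatim here so the two man pages do not drift.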