NAME
podman-run - Run a command in a new container
SYNOPSIS
podman run [options] image [command [arg ...]]
DESCRIPTION
Run a process in a new container. podman run starts a process with its own file system, its own networking, and its own isolated process tree. The image which starts the process may define defaults related to the process that will be run in the container, the networking to expose, and more, but podman run gives final control to the operator or administrator who starts the container from the image. For that reason podman run has more options than any other Podman command.
IMAGE
The image is specified using transport:path format. If no transport is specified, the docker (container registry) transport will be used by default. For remote Podman, including Mac and Windows (excluding WSL2) machines, docker is the only allowed transport.
dir:path
An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
$ podman save --format docker-dir fedora -o /tmp/fedora
$ podman run dir:/tmp/fedora echo hello
docker://docker-reference
An image reference stored in a remote container image registry. Example: "quay.io/podman/stable:latest". The reference can include a path to a specific registry; if it does not, the registries listed in registries.conf will be queried to find a matching image. By default, credentials from podman login (stored at $XDG_RUNTIME_DIR/containers/auth.json by default) will be used to authenticate; otherwise it falls back to using credentials in $HOME/.docker/config.json.
$ podman run registry.fedoraproject.org/fedora:latest echo hello
docker-archive:path
An image stored in a docker-archive file, as produced by podman save --format docker-archive.
$ podman save --format docker-archive fedora -o /tmp/fedora
$ podman run docker-archive:/tmp/fedora echo hello
docker-daemon:docker-reference
An image in docker-reference format stored in the docker daemon internal storage. The docker-reference can also be an image ID (docker-daemon:algo:digest).
$ sudo docker pull fedora
$ sudo podman run docker-daemon:docker.io/library/fedora echo hello
oci-archive:path
An image in a directory compliant with the "Open Container Image Layout Specification" at the specified path and specified with a tag.
$ podman save --format oci-archive fedora -o /tmp/fedora
$ podman run oci-archive:/tmp/fedora echo hello
OPTIONS
--add-host=host:ip
Add a custom host-to-IP mapping (host:ip).
--annotation=key=value
Add an annotation to the container. This option can be set multiple times.
--arch=ARCH
Override the architecture of the image to be pulled (defaults to the host's architecture). For example, arm. Unless overridden, subsequent lookups of the same image in the local storage will match this architecture, regardless of the host.
--attach, -a=stdin | stdout | stderr
Attach to STDIN, STDOUT or STDERR.
--authfile=path
Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.
--blkio-weight=weight
Block IO relative weight. The weight is a value between 10 and 1000.
--blkio-weight-device=device:weight
Block IO relative device weight.
--cap-add=capability
Add Linux capabilities.
--cap-drop=capability
Drop Linux capabilities.
--cgroup-conf=KEY=VALUE
When running on cgroup v2, specify the cgroup file to write to and its value. For example --cgroup-conf=memory.high=1073741824 sets the memory.high limit to 1GB.
--cgroup-parent=path
Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.
--cgroupns=mode
Set the cgroup namespace mode for the container.
- host: use the host's cgroup namespace inside the container.
- container:id: join the namespace of the specified container.
- private: create a new cgroup namespace.
- ns:path: join the namespace at the specified path.
--cgroups=how
Determines whether the container will create CGroups.
--chrootdirs=path
Path to a directory inside the container that should be treated as a chroot directory. Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, /etc/hostname) that is mounted into the root directory will be mounted into that location as well. Multiple directories should be separated with a comma.
--cidfile=file
Write the container ID to file.
--conmon-pidfile=file
Write the pid of the conmon process to a file. As conmon runs in a separate process from Podman, this is necessary when using systemd to restart Podman containers. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)
--cpu-period=limit
Set the CPU period for the Completely Fair Scheduler (CFS), which is a duration in microseconds. Once the container's CPU quota is used up, it will not be scheduled to run until the current period ends. Defaults to 100000 microseconds.
--cpu-quota=limit
Limit the CPU Completely Fair Scheduler (CFS) quota.
--cpu-rt-period=microseconds
Limit the CPU real-time period in microseconds.
--cpu-rt-runtime=microseconds
Limit the CPU real-time runtime in microseconds.
--cpu-shares, -c=shares
CPU shares (relative weight).
PID | container | CPU | CPU share
100 | C0        | 0   | 100% of CPU0
101 | C1        | 1   | 100% of CPU1
102 | C1        | 2   | 100% of CPU2
--cpus=number
Number of CPUs. The default is 0.0 which means no limit. This is shorthand for --cpu-period and --cpu-quota, so you may only set either --cpus or --cpu-period and --cpu-quota.
--cpuset-cpus=number
CPUs in which to allow execution. Can be specified as a comma-separated list (e.g. 0,1), as a range (e.g. 0-3), or any combination thereof (e.g. 0-3,7,11-15).
--cpuset-mems=nodes
Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
--detach, -d
Detached mode: run the container in the background and print the new container ID. The default is false.
--detach-keys=sequence
Specify the key sequence for detaching a container. Format is a single character [a-Z] or one or more ctrl-<value> characters where <value> is one of: a-z, @, ^, [, \, or _. Specifying "" will disable this feature. The default is ctrl-p,ctrl-q.
--device=host-device[:container-device][:permissions]
Add a host device to the container. Optional permissions parameter can be used to specify device permissions by combining r for read, w for write, and m for mknod(2).
--device-cgroup-rule="type major:minor mode"
Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt):
- type: a (all), c (char), or b (block);
- major and minor: either a number, or * for all;
- mode: a composition of r (read), w (write), and m (mknod(2)).
--device-read-bps=path:rate
Limit read rate (in bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb).
--device-read-iops=path:rate
Limit read rate (in IO operations per second) from a device (e.g. --device-read-iops=/dev/sda:1000).
--device-write-bps=path:rate
Limit write rate (in bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb).
--device-write-iops=path:rate
Limit write rate (in IO operations per second) to a device (e.g. --device-write-iops=/dev/sda:1000).
--disable-content-trust
This is a Docker-specific option to disable image verification to a container registry and is not supported by Podman. This option is a NOOP and provided solely for scripting compatibility.
--dns=ipaddr
Set custom DNS servers.
--dns-option=option
Set custom DNS options. Invalid if using --dns-option with --network that is set to none or container:id.
--dns-search=domain
Set custom DNS search domains. Invalid if using --dns-search with --network that is set to none or container:id. Use --dns-search=. if you don't wish to set the search domain.
--entrypoint="command" | '["command", arg1 , ...]'
Overwrite the default ENTRYPOINT of the image.
--env, -e=env
Set environment variables.
--env-file=file
Read in a line-delimited file of environment variables.
--env-host
Use host environment inside of the container. See Environment note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)
--env-merge=env
Preprocess default environment variables for the container. For example, if the image contains the environment variable hello=world, the user can preprocess it using --env-merge hello=${hello}-some so that the new value will be hello=world-some.
--expose=port
Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection on the host system.
--gidmap=container_gid:host_gid:amount
Run the container in a new user namespace using the supplied GID mapping. This option conflicts with the --userns and --subgidname options. This option provides a way to map host GIDs to container GIDs in the same way as --uidmap maps host UIDs to container UIDs. For details see --uidmap.
--group-add=group | keep-groups
Assign additional groups to the primary user running within the container process.
- keep-groups is a special flag that tells Podman to keep the supplementary group access.
--health-cmd="command" | '["command", arg1 , ...]'
Set or alter a healthcheck command for a container. The command is a command to be executed inside your container that determines your container health. The command is required for other healthcheck options to be applied. A value of none disables existing healthchecks.
--health-interval=interval
Set an interval for the healthchecks. An interval of disable results in no automatic timer setup. The default is 30s.
--health-on-failure=action
Action to take once the container transitions to an unhealthy state. The default is none.
- none: Take no action.
- kill: Kill the container.
- restart: Restart the container. Do not combine the restart action with the --restart flag. When running inside of a systemd unit, consider using the kill or stop action instead to make use of systemd's restart policy.
- stop: Stop the container.
--health-retries=retries
The number of retries allowed before a healthcheck is considered to be unhealthy. The default value is 3.
--health-start-period=period
The initialization time needed for a container to bootstrap. The value can be expressed in time format like 2m3s. The default value is 0s.
--health-timeout=timeout
The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as 1m22s. The default value is 30s.
--help
Print usage statement.
--hostname, -h=name
Container host name.
--hostuser=name
Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system.
--http-proxy
By default proxy environment variables are passed into the container if set for the Podman process. This can be disabled by setting the value to false. The environment variables passed in include http_proxy, https_proxy, ftp_proxy, no_proxy, and also the upper case versions of those. This option is only needed when the host system must use a proxy but the container should not use any proxy. Proxy environment variables specified for the container in any other way will override the values that would have been passed through from the host. (Other ways to specify the proxy for the container include passing the values with the --env flag, or hard coding the proxy environment at container build time.) (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)
--image-volume=bind | tmpfs | ignore
Tells Podman how to handle the builtin image volumes. Default is bind.
- bind: An anonymous named volume will be created and mounted into the container.
- tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped.
- ignore: All volumes are just ignored and no action is taken.
--init
Run an init inside the container that forwards signals and reaps processes. The container-init binary is mounted at /run/podman-init. Mounting over /run will hence break container execution.
--init-path=path
Path to the container-init binary.
--interactive, -i
When set to true, keep stdin open even if not attached. The default is false.
--ip=ipv4
Specify a static IPv4 address for the container, for example 10.88.64.128. This option can only be used if the container is joined to only a single network, i.e., --network=network-name is used at most once, and if the container is not joining another container's network namespace via --network=container:id. The address must be within the network's IP address pool (default 10.88.0.0/16).
--ip6=ipv6
Specify a static IPv6 address for the container, for example fd46:db93:aa76:ac37::10. This option can only be used if the container is joined to only a single network, i.e., --network=network-name is used at most once, and if the container is not joining another container's network namespace via --network=container:id. The address must be within the network's IPv6 address pool.
--ipc=ipc
Set the IPC namespace mode for a container. The default is to create a private IPC namespace.
- "": Use Podman's default, defined in containers.conf.
- container:id: reuses another container's shared memory, semaphores, and message queues.
- host: use the host's shared memory, semaphores, and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.
- none: private IPC namespace, with /dev/shm not mounted.
- ns:path: path to an IPC namespace to join.
- private: private IPC namespace.
- shareable: private IPC namespace with a possibility to share it with other containers.
--label, -l=key=value
Add metadata to a container.
--label-file=file
Read in a line-delimited file of labels.
--link-local-ip=ip
Not implemented.
--log-driver=driver
Logging driver for the container. Currently available options are k8s-file, journald, none and passthrough, with json-file aliased to k8s-file for scripting compatibility. (Default journald.)
$ podman info --format '{{ .Host.LogDriver }}'
journald
--log-opt=name=value
Logging driver specific options, e.g.:
- --log-opt path=/var/log/container/mycontainer.json
- --log-opt max-size=10mb
- --log-opt tag="{{.ImageName}}". It supports the same keys as podman inspect --format. This option is currently supported only by the journald log driver.
--mac-address=address
Container network interface MAC address (e.g. 92:d0:c6:0a:29:33). This option can only be used if the container is joined to only a single network, i.e., --network=network-name is used at most once, and if the container is not joining another container's network namespace via --network=container:id.
--memory, -m=number[unit]
Memory limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes).
--memory-reservation=number[unit]
Memory soft limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes).
--memory-swap=number[unit]
A limit value equal to memory plus swap. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes). By default, it is set to double the value of -m (--memory).
--memory-swappiness=number
Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
--mount=type=TYPE,TYPE-SPECIFIC-OPTION[,...]
Attach a filesystem mount to the container, e.g.:
- type=bind,source=/path/on/host,destination=/path/in/container
- type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
- type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true
- type=volume,source=vol1,destination=/path/in/container,ro=true
- type=tmpfs,tmpfs-size=512M,destination=/path/in/container
- type=image,source=fedora,destination=/fedora-image,rw=true
- type=devpts,destination=/dev/pts
Common options:
- src, source: mount source spec for bind and volume. Mandatory for bind.
- dst, destination, target: mount destination spec.
Options specific to volume:
- ro, readonly: true or false (default).
- U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
- idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container.
Options specific to image:
- rw, readwrite: true or false (default).
Options specific to bind:
- ro, readonly: true or false (default).
- bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate (default). See also mount(2).
- bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive.
- relabel: shared, private.
- idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container.
- U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
Options specific to tmpfs:
- ro, readonly: true or false (default).
- tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
- tmpfs-mode: File mode of the tmpfs in octal (e.g. 700 or 0700). Defaults to 1777 in Linux.
- tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default.
- notmpcopyup: Disable copying files from the image to the tmpfs.
- U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
Options specific to devpts:
- uid: UID of the file owner (default 0).
- gid: GID of the file owner (default 0).
- mode: permission mask for the file (default 600).
- max: maximum number of PTYs (default 1048576).
--name=name
Assign a name to the container. A container can then be identified in three ways:
- UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”);
- UUID short identifier (“f78375b1c487”);
- Name (“jonah”).
--network=mode, --net
Set the network mode for the container.
- bridge[:OPTIONS,...]: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options:
  - alias=name: Add network-scoped alias for the container.
  - ip=IPv4: Specify a static ipv4 address for this container.
  - ip6=IPv6: Specify a static ipv6 address for this container.
  - mac=MAC: Specify a static mac address for this container.
  - interface_name: Specify a name for the created network interface inside the container.
- slirp4netns[:OPTIONS,...]: Use slirp4netns for the container's network stack. The following options apply to this mode:
  - allow_host_loopback=true|false: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false.
  - mtu=MTU: Specify the MTU to use for this network. (Default is 65520.)
  - cidr=CIDR: Specify ip range to use for this network. (Default is 10.0.2.0/24.)
  - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for outbound_addr6.)
  - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
  - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
  - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
  - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
  - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
    Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually 10.0.2.100. If your application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
  - port_handler=slirp4netns: Use the slirp4netns port forwarding. It is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
--network-alias=alias
Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the --network option. If the network has DNS enabled (podman network inspect -f {{.DNSEnabled}} <name>), these aliases can be used for name resolution on the given network. This option can be specified multiple times. NOTE: When using CNI a container will only have access to aliases on the first network that it joins. This limitation does not exist with netavark/aardvark-dns.
--no-healthcheck
Disable any defined healthchecks for container.
--no-hosts
Do not create /etc/hosts for the container. By default, Podman will manage /etc/hosts, adding the container's own IP address and any hosts from --add-host. --no-hosts disables this, and the image's /etc/hosts will be preserved unmodified.
--oom-kill-disable
Whether to disable OOM Killer for the container or not.
--oom-score-adj=num
Tune the host's OOM preferences for containers (accepts values from -1000 to 1000).
--os=OS
Override the OS of the image to be pulled (defaults to the host's OS). For example, windows. Unless overridden, subsequent lookups of the same image in the local storage will match this OS, regardless of the host.
--passwd
Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option. This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers.
--passwd-entry=ENTRY
Customize the entry that is written to the /etc/passwd file within the container when --passwd is used.
--personality=persona
Personality sets the execution domain via Linux personality(2).
--pid=mode
Set the PID namespace mode for the container. The default is to create a private PID namespace for the container.
- container:id: join another container's PID namespace;
- host: use the host's PID namespace for the container. Note the host mode gives the container full access to local PIDs and is therefore considered insecure;
- ns:path: join the specified PID namespace;
- private: create a new namespace for the container (default).
--pidfile=path
When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.) If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile.
$ podman inspect --format '{{ .PidFile }}' $CID
/run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile
--pids-limit=limit
Tune the container's pids limit. Set to -1 to have unlimited pids for the container. The default is 4096 on systems that support the "pids" cgroup controller.
--platform=OS/ARCH
Specify the platform for selecting the image. (Conflicts with --arch and --os.) The --platform option can be used to override the current architecture and operating system. Unless overridden, subsequent lookups of the same image in the local storage will match this platform, regardless of the host.
--pod=name
Run container in an existing pod. If you want Podman to make the pod for you, prefix the pod name with new:. To make a pod with more granular options, use the podman pod create command before creating a container. If a container is run with a pod, and the pod has an infra-container, the infra-container will be started before the container is.
--pod-id-file=file
Run container in an existing pod and read the pod's ID from the specified file. If a container is run within a pod, and the pod has an infra-container, the infra-container will be started before the container is.
--preserve-fds=N
Pass down to the process N additional file descriptors (in addition to 0, 1, 2). The total FDs will be 3+N. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)
--privileged
Give extended privileges to this container. The default is false.
--publish, -p=[[ip:][hostPort]:]containerPort[/protocol]
Publish a container's port, or range of ports, to the host.
--publish-all, -P
Publish all exposed ports to random ports on the host interfaces. The default is false.
--pull=policy
Pull image policy. The default is missing.
- always: Always pull the image and throw an error if the pull fails.
- missing: Pull the image only if it could not be found in the local containers storage. Throw an error if no image could be found and the pull fails.
- never: Never pull the image but use the one from the local containers storage. Throw an error if no image could be found.
- newer: Pull if the image on the registry is newer than the one in the local containers storage. An image is considered to be newer when the digests are different. Comparing the time stamps is prone to errors. Pull errors are suppressed if a local image was found.
--quiet, -q
Suppress output information when pulling images.
--read-only
Mount the container's root filesystem as read-only.
--read-only-tmpfs
If the container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is true.
--replace
If another container with the same name already exists, replace and remove it. The default is false.
--requires=container
Specify one or more requirements. A requirement is a dependency container that will be started before this container. Containers can be specified by name or ID, with multiple containers being separated by commas.
--restart=policy
Restart policy to follow when containers exit. Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands.
- no: Do not restart containers on exit.
- on-failure[:max_retries]: Restart containers when they exit with a non-zero exit code, retrying indefinitely or until the optional max_retries count is hit.
- always: Restart containers when they exit, regardless of status, retrying indefinitely.
- unless-stopped: Identical to always.
--rm
Automatically remove the container when it exits. The default is false.
--rmi
After exit of the container, remove the image unless another container is using it. The default is false.
--rootfs
If specified, the first argument refers to an exploded container on the file system.
--sdnotify=container | conmon | ignore
Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify.
--seccomp-policy=policy
Specify the policy to select the seccomp profile. If set to image, Podman will look for a "io.containers.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the default policy by applying the default profile unless specified otherwise via --security-opt seccomp as described below.
--secret=secret[,opt=opt ...]
Give the container access to a secret. Can be specified multiple times.
- type=mount|env: How the secret will be exposed to the container. Default mount.
- target=target: Target of secret. Defaults to secret name.
- uid=0: UID of secret. Defaults to 0. Mount secret type only.
- gid=0: GID of secret. Defaults to 0. Mount secret type only.
- mode=0: Mode of secret. Defaults to 0444. Mount secret type only.
--security-opt=option
Security options:
- apparmor=unconfined: Turn off apparmor confinement for the container.
- apparmor=your-profile: Set the apparmor confinement profile for the container.
- label=user:USER: Set the label user for the container processes.
- label=role:ROLE: Set the label role for the container processes.
- label=type:TYPE: Set the label process type for the container processes.
- label=level:LEVEL: Set the label level for the container processes.
- label=filetype:TYPE: Set the label file type for the container files.
- label=disable: Turn off label separation for the container.
- mask=/path/1:/path/2: The paths to mask separated by a colon. A masked path cannot be accessed inside the container.
- no-new-privileges: Disable container processes from gaining additional privileges.
- seccomp=unconfined: Turn off seccomp confinement for the container.
- seccomp=profile.json: JSON file to be used as a seccomp filter. Note that the io.podman.annotations.seccomp annotation is set with the specified value as shown in podman inspect.
- proc-opts=OPTIONS: Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the proc(5) man page.
- unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to ALL, it will unmask all the paths that are masked or made read-only by default. The default masked paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux. The default paths that are read-only are /proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, and /sys/fs/cgroup.
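As an added illustration (not code from the podman project), the following POSIX shell function scans a podman run argument list for the options this page documents as removing isolation: --privileged, --pid=host, --ipc=host, and the --security-opt values seccomp=unconfined, apparmor=unconfined, label=disable and unmask=ALL. It is meant for a wrapper script or CI gate; the function names and the argument lists used in the comments are the example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of podman: flag podman run options that this man
# page documents as weakening isolation, so a wrapper or CI check can refuse
# the invocation before the container starts.

# podman_run_lint OPTIONS...   (the options exactly as they would be typed,
#                               e.g. podman_run_lint --rm --pid host fedora)
# Prints one finding per line; returns 0 if none, 1 if at least one was found.
podman_run_lint() {
  findings=0
  while [ $# -gt 0 ]; do
    opt=$1
    val=""
    case $opt in
      --*=*)
        # "--opt=value" form: split at the first '='
        val=${opt#*=}
        opt=${opt%%=*}
        ;;
      --security-opt|--pid|--ipc)
        # "--opt value" form: the value is the next argument
        if [ $# -gt 1 ]; then
          val=$2
          shift
        fi
        ;;
    esac
    case "$opt=$val" in
      --privileged=|--privileged=true)
        echo "--privileged: container gets extended privileges"
        findings=$((findings + 1)) ;;
      --pid=host)
        echo "--pid=host: full access to host PIDs (documented as insecure)"
        findings=$((findings + 1)) ;;
      --ipc=host)
        echo "--ipc=host: full access to host shared memory (documented as insecure)"
        findings=$((findings + 1)) ;;
      --security-opt=seccomp=unconfined|--security-opt=apparmor=unconfined|--security-opt=label=disable)
        echo "--security-opt $val: confinement turned off"
        findings=$((findings + 1)) ;;
      --security-opt=unmask=ALL)
        echo "--security-opt unmask=ALL: default masked /proc and /sys paths exposed"
        findings=$((findings + 1)) ;;
    esac
    shift
  done
  [ "$findings" -eq 0 ]
}

# Number of findings for an argument list (convenience for scripting).
podman_run_lint_count() {
  podman_run_lint "$@" | wc -l | tr -d ' '
}
```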
--shm-size=number[unit]
Size of /dev/shm. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes). If the unit is omitted, the system uses bytes. If the size is omitted, the default is 64m. When size is 0, there is no limit on the amount of memory used for IPC by the container. This option conflicts with --ipc=host.
--sig-proxy
Proxy received signals to the container process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
--stop-signal=signal
Signal to stop a container. Default is SIGTERM.
--stop-timeout=seconds
Timeout to stop a container. Default is 10. Remote connections use local containers.conf for defaults.
--subgidname=name
Run the container in a new user namespace using the map with name in the /etc/subgid file. If running rootless, the user needs to have the right to use the mapping. See subgid(5). This flag conflicts with --userns and --gidmap.
--subuidname=name
Run the container in a new user namespace using the map with name in the /etc/subuid file. If running rootless, the user needs to have the right to use the mapping. See subuid(5). This flag conflicts with --userns and --uidmap.
--sysctl=name=value
Configure namespaced kernel parameters at runtime. The following sysctls can be set:
- kernel.msgmax
- kernel.msgmnb
- kernel.msgmni
- kernel.sem
- kernel.shmall
- kernel.shmmax
- kernel.shmmni
- kernel.shm_rmid_forced
- Sysctls beginning with fs.mqueue.*
--systemd=true | false | always
Run container in systemd mode. The default is true. In systemd mode:
- Podman mounts tmpfs file systems on the following directories:
  - /run
  - /run/lock
  - /tmp
  - /sys/fs/cgroup/systemd
  - /var/lib/journal
- Podman sets the default stop signal to SIGRTMIN+3.
- Podman sets the container_uuid environment variable in the container to the first 32 characters of the container id.
On SELinux systems, the container_manage_cgroup boolean must be enabled for systemd inside the container to be allowed to write to the cgroup file system:
setsebool -P container_manage_cgroup true
--timeout=seconds
Maximum time a container is allowed to run before conmon sends it the kill signal. By default containers will run until they exit or are stopped by podman stop.--tls-verify
Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, TLS verification will be used. If set to false, TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in containers-registries.conf(5)--tmpfs=fs
Create a tmpfs mount.$ podman run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
--tty, -t
Allocate a pseudo-TTY. The default is false.echo "asdf" | podman run --rm -i someimage /bin/cat
--tz=timezone
Set timezone in container. This flag takes area-based timezones, GMT time, as well as local, which sets the timezone in the container to match the host machine. See /usr/share/zoneinfo/ for valid timezones. Remote connections use local containers.conf for defaults.

--uidmap=container_uid:from_uid:amount
Run the container in a new user namespace using the supplied UID mapping. This option conflicts with the --userns and --subuidname options. This option provides a way to map host UIDs to container UIDs. It can be passed several times to map different ranges.

--ulimit=option
Ulimit options. You can use host to copy the current configuration from the host.

--umask=umask
Set the umask inside the container. Defaults to 0022. Remote connections use local containers.conf for defaults.

--unsetenv=env
Unset default environment variables for the container. Default environment variables include variables provided natively by Podman, environment variables configured by the image, and environment variables from containers.conf.

--unsetenv-all
Unset all default environment variables for the container. Default environment variables include variables provided natively by Podman, environment variables configured by the image, and environment variables from containers.conf.

--user, -u=user[:group]
Sets the username or UID used and, optionally, the groupname or GID for the specified command. Both user and group may be symbolic or numeric. Without this option, the command runs as the user specified in the container image; unless a USER instruction in the Containerfile says otherwise, that is root.

When a user namespace is not in use, the UID and GID used within the container and on the host match. When user namespaces are in use, the UID and GID in the container may correspond to other UIDs and GIDs on the host.

--userns=mode
Set the user namespace mode for the container. It defaults to the PODMAN_USERNS environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the --uidmap and --gidmap options.

Rootless user --userns=Key mappings:

Key     | Host User | Container User
--------+-----------+----------------------------------------------------------
""      | $UID      | 0 (Default User account mapped to root user in container.)
keep-id | $UID      | $UID (Map user account to same UID within container.)
auto    | $UID      | nil (Host User UID is not mapped into container.)
nomap   | $UID      | nil (Host User UID is not mapped into container.)

Valid mode values are:
• auto: automatically create a unique user namespace.
• container:id: join the user namespace of the specified container.
• host: run in the user namespace of the caller. The processes running in the container have the same privileges on the host as any other process launched by the calling user.
• keep-id: create a user namespace where the current rootless user's UID:GID are mapped to the same values in the container.
• nomap: create a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
• ns:namespace: run the container in the given existing user namespace.
• private: create a new namespace for the container. This option is incompatible with --gidmap, --uidmap, --subuidname and --subgidname.

Valid options for auto:
• gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping to be present in the user namespace.
• size=SIZE: to specify an explicit size for the automatic user namespace, e.g. --userns=auto:size=8192. If size is not specified, auto estimates a size for the user namespace.
• uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping to be present in the user namespace.

Valid options for keep-id:
• uid=UID: override the UID inside the container that the current rootless user is mapped to.
• gid=GID: override the GID inside the container that the current rootless user is mapped to.
--uts=mode
Set the UTS namespace mode for the container. The following values are supported:
• host: use the host's UTS namespace inside the container.
• private: create a new namespace for the container (default).
• ns:[path]: run the container in the given existing UTS namespace.
• container:[container]: join the UTS namespace of the specified container.
--variant=VARIANT
Use VARIANT instead of the default architecture variant of the container image. Some images can use multiple variants of the arm architectures, such as arm/v5 and arm/v7.

--volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]
Create a bind mount. If -v /HOST-DIR:/CONTAINER-DIR is specified, Podman bind mounts /HOST-DIR from the host into /CONTAINER-DIR in the Podman container. Similarly, -v SOURCE-VOLUME:/CONTAINER-DIR mounts the named volume from the host into the container. If no such named volume exists, Podman creates one. If no source is given, the volume is created as an anonymously named volume with a randomly generated name, and is removed when the container is removed via the --rm flag or the podman rm --volumes command.

The CONTAINER-DIR must be an absolute path such as /src/docs. The volume is mounted into the container at this directory.

The OPTIONS is a comma-separated list and can be one or more of:
• rw|ro
• z|Z
• [O]
• [U]
• [no]copy
• [no]dev
• [no]exec
• [no]suid
• [r]bind
• [r]shared|[r]slave|[r]private|[r]unbindable

The z option tells Podman that two containers share the volume content, so the content is relabeled with a shared content label that all containers can read and write. The Z option tells Podman to label the content with a private, unshared label that only the current container can use.

The O flag tells Podman to mount the directory from the host as temporary storage using the overlay file system. The container processes can modify content within the mount point, and those changes are stored in the container storage in a separate directory; the source directory is the lower layer and the container storage directory is the upper layer. Modifications to the mount point are discarded when the container finishes executing.

The U flag tells Podman to use the correct host UID and GID based on the UID and GID within the container, and to change the owner and group of the source volume recursively.

Notes:
• The O flag conflicts with the other options listed above.
• The source directory mounted into the container with an overlay mount should not be modified; doing so can cause unexpected failures. It is recommended not to modify the directory until the container finishes running.
• On SELinux systems, labels in the source directory must be readable by the container label. Usually containers can read/execute container_share_t and can read/write container_file_t. If unable to change the labels on a source volume, SELinux container separation must be disabled for the container to work:

$ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
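An added example, not code from podman, that validates --volume/-v specs against the grammar and option list above before they reach the command line: it splits the spec into source, container path and options, reports whether the mount is a bind mount, a named volume or an anonymous volume, and rejects an unknown option, a relative container path, rw together with ro, z together with Z, or O combined with anything else. The allowed option names are exactly the ones listed above; the conflict rules for rw/ro and z/Z are assumptions drawn from the option pairs as written.

```shell
#!/bin/sh
# Added example (not part of podman): lint a -v spec so mistakes such as
# "O,ro" or "/var/db:data1" fail in review rather than at run time.

VOL_REASON=""
VOL_KIND=""

# volume_spec_check SPEC
#   Returns 0 if SPEC is well formed and sets VOL_KIND to bind|named|anonymous.
#   Returns 1 otherwise, with the problem described in VOL_REASON.
volume_spec_check() {
    spec=$1; src=""; dst=""; opts=""
    VOL_REASON=""; VOL_KIND=""
    # Split [SOURCE:]CONTAINER-DIR[:OPTIONS] on the first two colons.
    case "$spec" in
        *:*:*) src=${spec%%:*}; rest=${spec#*:}; dst=${rest%%:*}; opts=${rest#*:} ;;
        *:*)   src=${spec%%:*}; dst=${spec#*:} ;;
        *)     dst=$spec ;;
    esac
    # A path-like source is a bind mount; anything else names a volume.
    case "$src" in
        "")                   VOL_KIND=anonymous ;;
        /*|'~/'*|./*|../*)    VOL_KIND=bind ;;
        *)                    VOL_KIND=named ;;
    esac
    case "$dst" in
        /*) ;;
        *)  VOL_REASON="container path '$dst' must be absolute"; return 1 ;;
    esac
    if [ -z "$opts" ]; then
        return 0
    fi
    n=0; rw=0; ro=0; lz=0; uz=0; ov=0
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        n=$((n + 1))
        case "$o" in
            rw) rw=1 ;;
            ro) ro=1 ;;
            z)  lz=1 ;;
            Z)  uz=1 ;;
            O)  ov=1 ;;
            U|copy|nocopy|dev|nodev|exec|noexec|suid|nosuid|bind|rbind) ;;
            shared|rshared|slave|rslave|private|rprivate|unbindable|runbindable) ;;
            *)  IFS=$old_ifs; VOL_REASON="unknown volume option '$o'"; return 1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$ov" -eq 1 ] && [ "$n" -gt 1 ]; then
        VOL_REASON="O (overlay) cannot be combined with other options"; return 1
    fi
    if [ "$rw" -eq 1 ] && [ "$ro" -eq 1 ]; then
        VOL_REASON="rw and ro are mutually exclusive"; return 1
    fi
    if [ "$lz" -eq 1 ] && [ "$uz" -eq 1 ]; then
        VOL_REASON="z and Z are mutually exclusive"; return 1
    fi
    return 0
}

# Demo over the specs used in this page's examples plus three constructed bad ones.
for v in /var/db:/data1 data:/data2 '/var/cache/dnf:/var/cache/dnf:O' \
         '~/data:/var/lib/mysql:z,U' '/var/db:/data1:O,ro' /var/db:data1 '/a:/b:ro,rw'; do
    if volume_spec_check "$v"; then
        echo "ok     $v ($VOL_KIND)"
    else
        echo "reject $v: $VOL_REASON"
    fi
done
```

The kind matters for cleanup: only bind mounts point at host paths, named volumes survive podman volume prune when they are referenced by name, and anonymous volumes go away with the container.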
--volumes-from=CONTAINER[:OPTIONS]
Mount volumes from the specified container(s). Used to share volumes between containers. The OPTIONS is a comma-separated list with the following available elements:
• rw|ro
• z

--workdir, -w=dir
Working directory inside the container. The default working directory for running binaries within a container is the root directory (/); the image developer can set a different default with the WORKDIR instruction, and this option overrides either.

EXIT STATUS
The exit code from podman run gives information about why the container failed to run or why it exited. When podman run exits with a non-zero code, the exit codes follow the chroot(1) standard, see below:

125 The error is with Podman itself

$ podman run --foo busybox; echo $?
Error: unknown flag: --foo
125

126 The contained command cannot be invoked

$ podman run busybox /etc; echo $?
Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error
126

127 The contained command cannot be found

$ podman run busybox foo; echo $?
Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error
127

Exit code The contained command's own exit code

$ podman run busybox /bin/sh -c 'exit 3'; echo $?
3
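An added example, not code from podman: a wrapper for scripts that run podman run under set -e. It keeps the exit status, separates podman's own failure codes (125/126/127, as documented above) from the status returned by the containerised command, and retries only the case where a retry can help (125, for instance a transient pull failure), never a misspelled entrypoint (127) or an application error. The demo uses sh -c 'exit N' and a constructed flaky_once function as stand-ins for podman run so that it runs without podman installed; exit_class and should_retry are names chosen here, not podman interfaces.

```shell
#!/bin/sh
# Added example (not part of podman): classify and act on podman run exit codes.

# exit_class STATUS -> prints podman-error | not-executable | not-found | app:N
exit_class() {
    case "$1" in
        125) echo podman-error ;;      # the error is with Podman itself
        126) echo not-executable ;;    # the contained command cannot be invoked
        127) echo not-found ;;         # the contained command cannot be found
        *)   echo "app:$1" ;;          # the contained command's own exit code
    esac
}

# should_retry STATUS -> 0 only for podman's own failure code
should_retry() {
    [ "$1" -eq 125 ]
}

# run_with_retry MAX_ATTEMPTS CMD [ARG...]
#   Runs CMD (normally "podman run ..."), retrying while the status is 125 and
#   attempts remain. Prints the final classification on stdout and returns the
#   final exit status unchanged, so the caller can still branch on it.
run_with_retry() {
    max=$1; shift
    attempt=1
    while :; do
        status=0
        "$@" || status=$?          # capture the status even under set -e
        cls=$(exit_class "$status")
        if should_retry "$status" && [ "$attempt" -lt "$max" ]; then
            echo "attempt $attempt: $cls (status $status), retrying" >&2
            attempt=$((attempt + 1))
            continue
        fi
        echo "$cls"
        return "$status"
    done
}

# Constructed stand-in for a command that fails like podman (125) once, then works.
FLAKY_CALLS=0
flaky_once() {
    FLAKY_CALLS=$((FLAKY_CALLS + 1))
    if [ "$FLAKY_CALLS" -lt 2 ]; then
        return 125
    fi
    return 0
}

# Demo: the first two mimic podman's own codes, the third an application exiting 3.
for code in 125 127 3 0; do
    rc=0
    result=$(run_with_retry 2 sh -c "exit $code" 2>/dev/null) || rc=$?
    echo "exit $code -> $result (returned $rc)"
done
rc=0
result=$(run_with_retry 3 flaky_once 2>/dev/null) || rc=$?
echo "flaky command -> $result (returned $rc)"
```

In a real deployment script the argument list after MAX_ATTEMPTS is the podman run invocation itself; the classification is what the job log should show, and the returned status is what the job should exit with.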
EXAMPLES

Running container in read-only mode

During container image development, containers often need to write to the image content, for example when installing packages into /usr. In production, applications seldom need to write to the image. Container applications write to volumes if they need to write to file systems at all. Applications can be made more secure by running them in read-only mode using the --read-only switch. This protects the container's image from modification. Read-only containers may still need to write temporary data. The best way to handle this is to mount tmpfs directories on /run and /tmp.

$ podman run --read-only -i -t fedora /bin/bash
$ podman run --read-only --read-only-tmpfs=false --tmpfs /run -i -t fedora /bin/bash

The first command relies on the default --read-only-tmpfs=true, which mounts a writable tmpfs on /run and /tmp for a read-only container; the second disables that default and mounts a tmpfs only on /run, so /tmp stays read-only.
Exposing log messages from the container to the host's log

If you want messages that are logged in your container to show up in the host's syslog/journal, bind mount the /dev/log socket as follows:

$ podman run -v /dev/log:/dev/log -i -t fedora /bin/bash
(bash)# logger "Hello from my container"
(bash)# exit
$ journalctl -b | grep Hello
Attaching to one or more of STDIN, STDOUT, STDERR

If you do not specify -a, Podman attaches everything (stdin, stdout, stderr). You can specify to which of the three standard streams (stdin, stdout, stderr) you'd like to connect instead, as in:

$ podman run -a stdin -a stdout -i -t fedora /bin/bash
Sharing IPC between containers

Using shm_server.c available here: https://www.cs.cf.ac.uk/Dave/C/node27.html

Testing --ipc=host mode:

The host shows a shared memory segment with 7 pids attached:

$ sudo ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x01128e25 0          root       600        1000       7

A regular container correctly does NOT see the shared memory segment from the host:

$ podman run -it shm ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

A container run with --ipc=host now sees the shared memory segment from the host:

$ podman run -it --ipc=host shm ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x01128e25 0          root       600        1000       7

Testing --ipc=container:CONTAINERID mode:

Start a container with a program that creates a shared memory segment:

$ podman run -it shm bash
$ sudo shm/shm_server &
$ sudo ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0000162e 0          root       666        27         1

A second container correctly shows no shared memory segment from the first container:

$ podman run shm ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

A third container created with the --ipc=container:CONTAINERID option shows the shared memory segment from the first:

$ podman run -it --ipc=container:ed735b2264ac shm ipcs -m
$ sudo ipcs -m
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0000162e 0          root       666        27         1
Mapping Ports for External Usage

The exposed port of an application can be mapped to a host port using the -p flag. For example, an httpd port 80 can be mapped to the host port 8080 using the following:

$ podman run -p 8080:80 -d -i -t fedora/httpd

Mounting External Volumes

To mount a host directory as a container volume, specify the absolute path to the directory and the absolute path for the container directory separated by a colon. If the source is a named volume maintained by Podman, it is recommended to use its name rather than the path to the volume. Otherwise the volume is considered an orphan and wiped if you execute podman volume prune:

$ podman run -v /var/db:/data1 -i -t fedora bash
$ podman run -v data:/data2 -i -t fedora bash
$ podman run -v /var/cache/dnf:/var/cache/dnf:O -ti fedora dnf -y update
$ podman run -d -e MYSQL_ROOT_PASSWORD=root --user mysql --userns=keep-id -v ~/data:/var/lib/mysql:z,U mariadb

Using --mount flags to mount a host directory as a container folder, specify the absolute path to the directory and the absolute path for the container directory:

$ podman run --mount type=bind,src=/var/db,target=/data1 busybox sh
$ podman run --mount type=bind,src=volume-name,target=/data1 busybox sh

When using SELinux, be aware that the host has no knowledge of container SELinux policy. Therefore, in the above example, if SELinux policy is enforced, the /var/db directory is not writable to the container. A "Permission Denied" message occurs and an avc: message appears in the host's syslog.

To work around this, the proper SELinux policy type label must be attached to the host directory (svirt_sandbox_file_t is the older alias of container_file_t):

$ chcon -Rt svirt_sandbox_file_t /var/db

Now writing to the /data1 volume in the container is allowed and the changes are also reflected on the host in /var/db.
Using alternative security labeling

You can override the default labeling scheme for each container by specifying the --security-opt flag. For example, you can specify the MCS/MLS level, a requirement for MLS systems. Specifying the level in the following command allows you to share the same content between containers:

$ podman run --security-opt label=level:s0:c100,c200 -i -t fedora bash

An MLS example might be:

$ podman run --security-opt label=level:TopSecret -i -t rhel7 bash

To disable the security labeling for this container versus running with the --permissive flag, use the following command:

$ podman run --security-opt label=disable -i -t fedora bash

If you want a tighter security policy on the processes within a container, you can specify an alternate type for the container. You could run a container that is only allowed to listen on Apache ports by executing the following command:

$ podman run --security-opt label=type:svirt_apache_t -i -t centos bash

Note you would have to write policy defining a svirt_apache_t type.

To mask additional specific paths in the container, specify the paths separated by a colon using the mask option with the --security-opt flag:

$ podman run --security-opt mask=/foo/bar:/second/path fedora bash

To unmask all the paths that are masked by default, set the unmask option to ALL. To unmask all the paths that start with /proc, set the unmask option to /proc/*. Specific paths can also be listed, separated by a colon:

$ podman run --security-opt unmask=ALL fedora bash
$ podman run --security-opt unmask=/proc/* fedora bash
$ podman run --security-opt unmask=/foo/bar:/sys/firmware fedora bash
Setting device weight

If you want to set /dev/sda device weight to 200, you can specify the device weight by the --blkio-weight-device flag. Use the following command:

$ podman run -it --blkio-weight-device "/dev/sda:200" ubuntu

Using a podman container with input from a pipe

$ echo "asdf" | podman run --rm -i --entrypoint /bin/cat someimage
asdf

Setting automatic user namespace separated containers

# podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
0 2147483647 65536
# podman run --userns=auto:size=65536 ubi8-micro cat /proc/self/uid_map
0 2147549183 65536

Each container gets its own disjoint range of host UIDs: the second range starts where the first one ends (2147483647 + 65536 = 2147549183), so processes in one container cannot own or access files of the other on the host.
Setting Namespaced Kernel Parameters (Sysctls)

The --sysctl option sets namespaced kernel parameters (sysctls) in the container. For example, to turn on IP forwarding in the container's network namespace, run this command:

$ podman run --sysctl net.ipv4.ip_forward=1 someimage

Set UID/GID mapping in a new user namespace

Running a container in a new user namespace requires a mapping of the UIDs and GIDs from the host:

$ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
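An added example, not code from podman, that translates UIDs across the user namespace boundary from uid_map lines of the form "container-start host-start length", the format shown by cat /proc/self/uid_map in the --userns=auto example above and produced by the --uidmap 0:30000:7000 mapping here. This is the calculation an incident responder needs when a file on the host is owned by an unfamiliar large UID, or when deciding which host UID range to search for a container's files. The three maps below are constructed from this page's examples (the two auto ranges and the explicit mapping); MULTI_MAP is a constructed multi-line map added only to show that several ranges are handled. The function names are chosen here and are not podman interfaces.

```shell
#!/bin/sh
# Added example (not part of podman): map UIDs through /proc/<pid>/uid_map lines.

# Constructed from the examples on this page.
AUTO_MAP_1="0 2147483647 65536"
AUTO_MAP_2="0 2147549183 65536"
EXPLICIT_MAP="0 30000 7000"
# Constructed multi-line map (illustrative shape only): container 0-999 -> host
# 100000-100999, container 1000 -> host 5000, container 1001- -> host 101001-.
MULTI_MAP=$(printf '0 100000 1000\n1000 5000 1\n1001 101001 64536')

# uid_to_host CONTAINER_UID MAP -> prints the host UID; returns 1 if unmapped
uid_to_host() {
    cuid=$1
    found=$(printf '%s\n' "$2" | while read -r cstart hstart len; do
        if [ -n "$cstart" ] && [ "$cuid" -ge "$cstart" ] && [ "$cuid" -lt $((cstart + len)) ]; then
            echo $((hstart + cuid - cstart))
            break
        fi
    done)
    if [ -z "$found" ]; then
        return 1            # no range covers it: the UID has no host identity
    fi
    echo "$found"
}

# uid_to_container HOST_UID MAP -> prints the container UID; returns 1 if unmapped
uid_to_container() {
    huid=$1
    found=$(printf '%s\n' "$2" | while read -r cstart hstart len; do
        if [ -n "$cstart" ] && [ "$huid" -ge "$hstart" ] && [ "$huid" -lt $((hstart + len)) ]; then
            echo $((cstart + huid - hstart))
            break
        fi
    done)
    if [ -z "$found" ]; then
        return 1            # host UID is not visible inside the container at all
    fi
    echo "$found"
}

# host_ranges MAP -> one "first-last" host UID range per map line, i.e. the
# set of host UIDs a process in that namespace can ever own files as
host_ranges() {
    printf '%s\n' "$1" | while read -r cstart hstart len; do
        if [ -n "$cstart" ]; then
            echo "$hstart-$((hstart + len - 1))"
        fi
    done
}

# Demo: where does container UID 1000 land on the host in each namespace?
for m in "$AUTO_MAP_1" "$AUTO_MAP_2" "$EXPLICIT_MAP"; do
    echo "container uid 1000 -> host uid $(uid_to_host 1000 "$m") (ranges: $(host_ranges "$m"))"
done
if ! uid_to_host 7000 "$EXPLICIT_MAP"; then
    echo "container uid 7000 is outside the 0:30000:7000 mapping and has no host UID"
fi
```

A host file owned by UID 2147484647 therefore belongs to UID 1000 inside the first auto namespace, and the --uidmap 0:30000:7000 container can only ever create host files owned by 30000 through 36999.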
Configuring Storage Options from the command line

Podman allows for the configuration of storage by changing the values in /etc/containers/storage.conf or by using global options. This shows how to set up and use fuse-overlayfs for a one-time run of busybox using global options:

podman --log-level=debug --storage-driver overlay --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" run busybox /bin/sh

Configure timezone in a container

$ podman run --tz=local alpine date
$ podman run --tz=Asia/Shanghai alpine date
$ podman run --tz=US/Eastern alpine date
Adding dependency containers

The first container, container1, is not started initially, but must be running before container2 will start. The podman run command starts the container automatically before starting container2:

$ podman create --name container1 -t -i fedora bash
$ podman run --name container2 --requires container1 -t -i fedora bash

Multiple containers can be required:

$ podman create --name container1 -t -i fedora bash
$ podman create --name container2 -t -i fedora bash
$ podman run --name container3 --requires container1,container2 -t -i fedora bash
Configure keep supplemental groups for access to volume

$ podman run -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8

Configure execution domain for containers using personality flag

$ podman run --name container1 --personality=LINUX32 fedora bash

Run a container with external rootfs mounted as an overlay

$ podman run --name container1 --rootfs /path/to/rootfs:O bash
Handling Timezones in java applications in a container.

In order to use a timezone other than UTC when running a Java application within a container, the TZ environment variable must be set within the container. Java applications ignore the value set with the --tz option.

# Example run
podman run -ti --rm -e TZ=EST mytzimage
lrwxrwxrwx. 1 root root 29 Nov  3 08:51 /etc/localtime -> ../usr/share/zoneinfo/Etc/UTC
Now with default timezone:
Fri Nov 19 18:10:55 EST 2021
Java default sees the following timezone:
2021-11-19T18:10:55.651130-05:00
Forcing UTC:
Fri Nov 19 23:10:55 UTC 2021
Run a container connected to two networks (called net1 and net2) with a static ip

$ podman run --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr

Rootless Containers

Podman runs as a non-root user on most systems. This feature requires that a new enough version of shadow-utils be installed. The shadow-utils package must include the newuidmap(1) and newgidmap(1) executables.

ENVIRONMENT
Environment variables within containers can be set using multiple different options, in the following order of precedence (later entries override earlier entries):
• Container image: Any environment variables specified in the container image.
• --http-proxy: By default, several environment variables are passed in from the host, such as http_proxy and no_proxy. See --http-proxy for details.
• --env-host: Host environment of the process executing Podman is added.
• --env-file: Any environment variables specified via env-files. If multiple files are specified, then they override each other in order of entry.
• --env: Any environment variables specified override previous settings.

A --env name that ends with * and carries no value is treated as a glob over the host environment, and every matching host variable is passed in; once an explicit value is given, the name is taken literally, as the second command below shows:

$ export ENV1=a
$ podman run --env 'ENV*' alpine env | grep ENV
ENV1=a
$ podman run --env 'ENV*=b' alpine env | grep ENV
ENV*=b