5dd126
% containers.conf(5) Container engine configuration file
5dd126
5dd126
# NAME
5dd126
containers.conf - The container engine configuration file specifies default
5dd126
configuration options and command-line flags for container engines.
5dd126
5dd126
# DESCRIPTION
5dd126
Container engines like Podman & Buildah read containers.conf file, if it exists
5dd126
and modify the defaults for running containers on the host. containers.conf uses
5dd126
a TOML format that can be easily modified and versioned.
5dd126
5dd126
Container engines read the /usr/share/containers/containers.conf and
5dd126
/etc/containers/containers.conf, and /etc/containers/containers.conf.d/*.conf files
5dd126
if they exist.  When running in rootless mode, they also read
5dd126
$HOME/.config/containers/containers.conf and
5dd126
$HOME/.config/containers/containers.conf.d/*.conf files.
5dd126
5dd126
Fields specified in containers conf override the default options, as well as
5dd126
options in previously read containers.conf files.
5dd126
5dd126
Config files in the `.d` directories, are added in alpha numeric sorted order and must end in `.conf`.
5dd126
5dd126
Not all options are supported in all container engines.
5dd126
5dd126
Note container engines also use other configuration files for configuring the environment.
5dd126
5dd126
* `storage.conf` for configuration of container and images storage.
5dd126
* `registries.conf` for definition of container registires to search while pulling.
5dd126
container images.
5dd126
* `policy.conf` for controlling which images can be pulled to the system.
5dd126
5dd126
# FORMAT
5dd126
The [TOML format][toml] is used as the encoding of the configuration file.
5dd126
Every option is nested under its table. No bare options are used. The format of
5dd126
TOML can be simplified to:
5dd126
5dd126
    [table1]
5dd126
    option = value
5dd126
5dd126
    [table2]
5dd126
    option = value
5dd126
5dd126
    [table3]
5dd126
    option = value
5dd126
5dd126
    [table3.subtable1]
5dd126
    option = value
5dd126
5dd126
## CONTAINERS TABLE
5dd126
The containers table contains settings pertaining to the OCI runtime that can
5dd126
configure and manage the OCI runtime.
5dd126
5dd126
**annotations** = []
5dd126
List of annotations. Specified as "key=value" pairs to be added to all containers.
5dd126
5dd126
Example: "run.oci.keep_original_groups=1"
5dd126
5dd126
**apparmor_profile**="container-default"
5dd126
5dd126
Used to change the name of the default AppArmor profile of container engines.
5dd126
The default profile name is "container-default".
5dd126
5dd126
**cgroups**="enabled"
5dd126
5dd126
Determines  whether  the  container will create CGroups.
5dd126
Options are:
5dd126
  `enabled`   Enable cgroup support within container
5dd126
  `disabled`  Disable cgroup support, will inherit cgroups from parent
5dd126
  `no-conmon` Do not create a cgroup dedicated to conmon.
5dd126
5dd126
**cgroupns**="private"
5dd126
5dd126
Default way to to create a cgroup namespace for the container.
5dd126
Options are:
5dd126
`private` Create private Cgroup Namespace for the container.
5dd126
`host`    Share host Cgroup Namespace with the container.
5dd126
5dd126
**default_capabilities**=[]
5dd126
5dd126
List of default capabilities for containers.
5dd126
5dd126
The default list is:
5dd126
```
5dd126
default_capabilities = [
5dd126
"AUDIT_WRITE",
5dd126
      "CHOWN",
5dd126
      "DAC_OVERRIDE",
5dd126
      "FOWNER",
5dd126
      "FSETID",
5dd126
      "KILL",
5dd126
      "MKNOD",
5dd126
      "NET_BIND_SERVICE",
5dd126
      "NET_RAW",
5dd126
      "SETGID",
5dd126
      "SETPCAP",
5dd126
      "SETUID",
5dd126
      "SYS_CHROOT",
5dd126
]
5dd126
```
5dd126
5dd126
**default_sysctls**=[]
5dd126
5dd126
A list of sysctls to be set in containers by default,
5dd126
specified as "name=value".
5dd126
5dd126
Example:"net.ipv4.ping_group_range=0 1000".
5dd126
5dd126
**default_ulimits**=[]
5dd126
5dd126
A list of ulimits to be set in containers by default,
5dd126
specified as "name=soft-limit:hard-limit".
5dd126
5dd126
Example: "nofile=1024:2048".
5dd126
5dd126
**devices**=[]
5dd126
5dd126
List of devices.
5dd126
Specified as 'device-on-host:device-on-container:permissions'.
5dd126
5dd126
Example: "/dev/sdc:/dev/xvdc:rwm".
5dd126
5dd126
**dns_options**=[]
5dd126
5dd126
List of default DNS options to be added to /etc/resolv.conf inside of the
5dd126
container.
5dd126
5dd126
**dns_searches**=[]
5dd126
5dd126
List of default DNS search domains to be added to /etc/resolv.conf inside of
5dd126
the container.
5dd126
5dd126
**dns_servers**=[]
5dd126
5dd126
A list of dns servers to override the DNS configuration passed to the
5dd126
container. The special value “none” can be specified to disable creation of
5dd126
/etc/resolv.conf in the container.
5dd126
5dd126
**env**=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm"]
5dd126
5dd126
Environment variable list for the container process, used for passing
5dd126
environment variables to the container.
5dd126
5dd126
**env_host**=false
5dd126
5dd126
Pass all host environment variables into the container.
5dd126
5dd126
**http_proxy**=true
5dd126
5dd126
Default proxy environment variables will be passed into the container.
5dd126
The environment variables passed in include:
5dd126
`http_proxy`, `https_proxy`, `ftp_proxy`, `no_proxy`, and the upper case
5dd126
versions of these. The `no_proxy` option is needed when host system uses a proxy
5dd126
but container should not use proxy. Proxy environment variables specified for
5dd126
the container in any other way will override the values passed from the host.
5dd126
5dd126
**init**=false
5dd126
5dd126
Run an init inside the container that forwards signals and reaps processes.
5dd126
5dd126
**init_path**="/usr/libexec/podman/catatonit"
5dd126
5dd126
Path to the container-init binary, which forwards signals and reaps processes
5dd126
within containers.  Note that the container-init binary will only be used when
5dd126
the `--init` for podman-create and podman-run is set.
5dd126
5dd126
**ipcns**="private"
5dd126
5dd126
Default way to to create a IPC namespace for the container.
5dd126
Options are:
5dd126
  `private` Create private IPC Namespace for the container.
5dd126
  `host`    Share host IPC Namespace with the container.
5dd126
5dd126
**keyring**=true
5dd126
5dd126
Indicates whether the container engines create a kernel keyring for use within
5dd126
the container.
5dd126
5dd126
**label**=true
5dd126
5dd126
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
5dd126
5dd126
**log_driver**="k8s-file"
5dd126
5dd126
Logging driver for the container. Available options: `k8s-file` and `journald`.
5dd126
5dd126
**log_size_max**=-1
5dd126
5dd126
Maximum size allowed for the container's log file. Negative numbers indicate
5dd126
that no size limit is imposed. If it is positive, it must be >= 8192 to
5dd126
match/exceed conmon's read buffer. The file is truncated and re-opened so the
5dd126
limit is never exceeded.
5dd126
5dd126
**log_tag**=""
5dd126
5dd126
Default format tag for container log messages.  This is useful for creating a specific tag for container log messages. Container log messages default to using the truncated container ID as a tag.
5dd126
5dd126
**netns**="private"
5dd126
5dd126
Default way to to create a NET namespace for the container.
5dd126
Options are:
5dd126
  `private` Create private NET Namespace for the container.
5dd126
  `host`    Share host NET Namespace with the container.
5dd126
  `none`    Containers do not use the network.
5dd126
5dd126
**no_hosts**=false
5dd126
5dd126
Create /etc/hosts for the container.  By default, container engines manage
5dd126
/etc/hosts, automatically adding  the container's  own  IP  address.
5dd126
5dd126
**pidns**="private"
5dd126
5dd126
Default way to to create a PID namespace for the container.
5dd126
Options are:
5dd126
  `private` Create private PID Namespace for the container.
5dd126
  `host`    Share host PID Namespace with the container.
5dd126
5dd126
**pids_limit**=1024
5dd126
5dd126
Maximum number of processes allowed in a container. 0 indicates that no limit
5dd126
is imposed.
5dd126
5dd126
**prepare_volume_on_create**=false
5dd126
5dd126
Copy the content from the underlying image into the newly created volume when the container is created instead of when it is started. If `false`, the container engine will not copy the content until the container is started. Setting it to `true` may have negative performance implications.
5dd126
5dd126
**rootless_networking**="slirp4netns"
5dd126
5dd126
Set type of networking rootless containers should use.  Valid options are `slirp4netns`
5dd126
or `cni`.
5dd126
5dd126
**seccomp_profile**="/usr/share/containers/seccomp.json"
5dd126
5dd126
Path to the seccomp.json profile which is used as the default seccomp profile
5dd126
for the runtime.
5dd126
5dd126
**shm_size**="65536k"
5dd126
5dd126
Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater
5dd126
than `0`.
5dd126
Unit is optional and can be:
5dd126
`b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes).
5dd126
If you omit the unit, the system uses bytes. If you omit the size entirely,
5dd126
the system uses `65536k`.
5dd126
5dd126
**tz=**""
5dd126
5dd126
Set timezone in container. Takes IANA timezones as well as `local`, which sets the timezone in the container to match the host machine.
5dd126
If not set, then containers will run with the time zone specified in the image.
5dd126
5dd126
Examples:
5dd126
  `tz="local"`
5dd126
  `tz="America/New_York"`
5dd126
5dd126
**umask**="0022"
5dd126
5dd126
Sets umask inside the container.
5dd126
5dd126
**userns**="host"
5dd126
5dd126
Default way to to create a USER namespace for the container.
5dd126
Options are:
5dd126
  `private` Create private USER Namespace for the container.
5dd126
  `host`    Share host USER Namespace with the container.
5dd126
5dd126
**userns_size**=65536
5dd126
5dd126
Number of UIDs to allocate for the automatic container creation. UIDs are
5dd126
allocated from the “container” UIDs listed in /etc/subuid & /etc/subgid.
5dd126
5dd126
**utsns**="private"
5dd126
5dd126
Default way to to create a UTS namespace for the container.
5dd126
Options are:
5dd126
  `private` Create private UTS Namespace for the container.
5dd126
  `host`    Share host UTS Namespace with the container.
5dd126
5dd126
5dd126
## NETWORK TABLE
5dd126
The `network` table contains settings pertaining to the management of CNI
5dd126
plugins.
5dd126
5dd126
**cni_plugin_dirs**=["/opt/cni/bin/",]
5dd126
5dd126
List of paths to directories where CNI plugin binaries are located.
5dd126
5dd126
**default_network**="podman"
5dd126
5dd126
The network name of the default CNI network to attach pods to.
5dd126
5dd126
**default_subnet**="10.88.0.0/16"
5dd126
5dd126
The subnet to use for the default CNI network (named above in **default_network**).
5dd126
If the default network does not exist, it will be automatically created the first time a tool is run using this subnet.
5dd126
5dd126
**network_config_dir**="/etc/cni/net.d/"
5dd126
5dd126
Path to the directory where CNI configuration files are located.
5dd126
5dd126
**volumes**=[]
5dd126
5dd126
List of volumes.
5dd126
Specified as "directory-on-host:directory-in-container:options".
5dd126
5dd126
Example:  "/db:/var/lib/db:ro".
5dd126
5dd126
## ENGINE TABLE
5dd126
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
5dd126
5dd126
**active_service**=""
5dd126
5dd126
Name of destination for accessing the Podman service. See SERVICE DESTINATION TABLE below.
5dd126
5dd126
**cgroup_manager**="systemd"
5dd126
5dd126
The cgroup management implementation used for the runtime. Supports `cgroupfs`
5dd126
and `systemd`.
5dd126
5dd126
**conmon_env_vars**=[]
5dd126
5dd126
Environment variables to pass into Conmon.
5dd126
5dd126
**conmon_path**=[]
5dd126
5dd126
Paths to search for the conmon container manager binary. If the paths are
5dd126
empty or no valid path was found, then the `$PATH` environment variable will be
5dd126
used as the fallback.
5dd126
5dd126
The default list is:
5dd126
```
5dd126
conmon_path=[
5dd126
    "/usr/libexec/podman/conmon",
5dd126
    "/usr/local/libexec/podman/conmon",
5dd126
    "/usr/local/lib/podman/conmon",
5dd126
    "/usr/bin/conmon",
5dd126
    "/usr/sbin/conmon",
5dd126
    "/usr/local/bin/conmon",
5dd126
    "/usr/local/sbin/conmon",
5dd126
    "/run/current-system/sw/bin/conmon",
5dd126
]
5dd126
```
5dd126
5dd126
**detach_keys**="ctrl-p,ctrl-q"
5dd126
5dd126
Keys sequence used for detaching a container.
5dd126
Specify the keys sequence used to detach a container.
5dd126
Format is a single character `[a-Z]` or a comma separated sequence of
5dd126
`ctrl-<value>`, where `<value>` is one of:
5dd126
`a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
5dd126
5dd126
**enable_port_reservation**=true
5dd126
5dd126
Determines whether the engine will reserve ports on the host when they are
5dd126
forwarded to containers. When enabled, when ports are forwarded to containers,
5dd126
they are held open by conmon as long as the container is running, ensuring that
5dd126
they cannot be reused by other programs on the host. However, this can cause
5dd126
significant memory usage if a container has many ports forwarded to it.
5dd126
Disabling this can save memory.
5dd126
5dd126
**env**=[]
5dd126
5dd126
Environment variables to be used when running the container engine (e.g., Podman, Buildah).  For example "http_proxy=internal.proxy.company.com".
5dd126
Note these environment variables will not be used within the container. Set the env section under [containers] table,
5dd126
if you want to set environment variables for the container.
5dd126
5dd126
**events_logger**="journald"
5dd126
5dd126
Default method to use when logging events.
5dd126
Valid values: `file`, `journald`, and `none`.
5dd126
5dd126
**hooks_dir**=["/etc/containers/oci/hooks.d", ...]
5dd126
5dd126
Path to the OCI hooks directories for automatically executed hooks.
5dd126
5dd126
**image_default_format**="oci"|"v2s2"|"v2s1"
5dd126
5dd126
Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
5dd126
container images. By default images pulled and pushed match the format of the
5dd126
source image. Building/committing defaults to OCI.
5dd126
Note: **image_build_format** is deprecated.
5dd126
5dd126
**image_default_transport**="docker://"
5dd126
5dd126
Default transport method for pulling and pushing images.
5dd126
5dd126
**image_parallel_copies**=0
5dd126
5dd126
Maximum number of image layers to be copied (pulled/pushed) simultaneously.
5dd126
Not setting this field will fall back to containers/image defaults. (6)
5dd126
5dd126
**infra_command**="/pause"
5dd126
5dd126
Command to run the infra container.
5dd126
5dd126
**infra_image**="k8s.gcr.io/pause:3.4.1"
5dd126
5dd126
Infra (pause) container image name for pod infra containers.  When running a
5dd126
pod, we start a `pause` process in a container to hold open the namespaces
5dd126
associated with the  pod.  This container does nothing other then sleep,
5dd126
reserving the pods resources for the lifetime of the pod.
5dd126
5dd126
**lock_type**="shm"
5dd126
5dd126
Specify the locking mechanism to use; valid values are "shm" and "file".
5dd126
Change the default only if you are sure of what you are doing, in general
5dd126
"file" is useful only on platforms where cgo is not available for using the
5dd126
faster "shm" lock type.  You may need to run "podman system renumber" after you
5dd126
change the lock type.
5dd126
5dd126
**machine_enabled**=false
5dd126
5dd126
Indicates if Podman is running inside a VM via Podman Machine.
5dd126
Podman uses this value to do extra setup around networking from the
5dd126
container inside the VM to to host.
5dd126
5dd126
**multi_image_archive**=false
5dd126
5dd126
Allows for creating archives (e.g., tarballs) with more than one image.  Some container engines, such as Podman, interpret additional arguments as tags for one image and hence do not store more than one image.  The default behavior can be altered with this option.
5dd126
5dd126
**namespace**=""
5dd126
5dd126
Default engine namespace. If the engine is joined to a namespace, it will see
5dd126
only containers and pods that were created in the same namespace, and will
5dd126
create new containers and pods in that namespace.  The default namespace is "",
5dd126
which corresponds to no namespace. When no namespace is set, all containers
5dd126
and pods are visible.
5dd126
5dd126
**network_cmd_path**=""
5dd126
5dd126
Path to the slirp4netns binary.
5dd126
5dd126
**network_cmd_options**=[]
5dd126
5dd126
Default options to pass to the slirp4netns binary.
5dd126
5dd126
Example "allow_host_loopback=true"
5dd126
5dd126
**no_pivot_root**=false
5dd126
5dd126
Whether to use chroot instead of pivot_root in the runtime.
5dd126
5dd126
**num_locks**=2048
5dd126
5dd126
Number of locks available for containers and pods. Each created container or
5dd126
pod consumes one lock.  The default number available is 2048.  If this is
5dd126
changed, a lock renumbering must be performed, using the
5dd126
`podman system renumber` command.
5dd126
5dd126
**pull_policy**="always"|"missing"|"never"
5dd126
5dd126
Pull image before running or creating a container. The default is **missing**.
5dd126
5dd126
- **missing**: attempt to pull the latest image from the registries listed in registries.conf if a local image does not exist. Raise an error if the image is not in any listed registry and is not present locally.
5dd126
- **always**: pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally.
5dd126
- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.
5dd126
5dd126
**remote** = false
5dd126
Indicates whether the application should be running in remote mode. This flag modifies the
5dd126
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
5dd126
5dd126
**runtime**=""
5dd126
5dd126
Default OCI specific runtime in runtimes that will be used by default. Must
5dd126
refer to a member of the runtimes table. Default runtime will be searched for
5dd126
on the system using the priority: "crun", "runc", "kata".
5dd126
5dd126
**runtime_supports_json**=["crun", "runc", "kata", "runsc"]
5dd126
5dd126
The list of the OCI runtimes that support `--format=json`.
5dd126
5dd126
**runtime_supports_kvm**=["kata"]
5dd126
5dd126
The list of OCI runtimes that support running containers with KVM separation.
5dd126
5dd126
**runtime_supports_nocgroups**=["crun"]
5dd126
5dd126
The list of OCI runtimes that support running containers without CGroups.
5dd126
5dd126
**static_dir**="/var/lib/containers/storage/libpod"
5dd126
5dd126
Directory for persistent libpod files (database, etc).
5dd126
By default this will be configured relative to where containers/storage
5dd126
stores containers.
5dd126
5dd126
**stop_timeout**=10
5dd126
5dd126
Number of seconds to wait for container to exit before sending kill signal.
5dd126
5dd126
**tmp_dir**="/run/libpod"
5dd126
5dd126
The path to a temporary directory to store per-boot container.
5dd126
Must be a tmpfs (wiped after reboot).
5dd126
5dd126
**volume_path**="/var/lib/containers/storage/volumes"
5dd126
5dd126
Directory where named volumes will be created in using the default volume
5dd126
driver.
5dd126
By default this will be configured relative to where containers/storage store
5dd126
containers. This convention is followed by the default volume driver, but may
5dd126
not be by other drivers.
5dd126
5dd126
**chown_copied_files**=true
5dd126
5dd126
Determines whether file copied into a container will have changed ownership to
5dd126
the primary uid/gid of the container.
5dd126
5dd126
## SERVICE DESTINATION TABLE
5dd126
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
5dd126
5dd126
**[service_destinations.{name}]**
5dd126
URI to access the Podman service
5dd126
**uri="ssh://user@production.example.com/run/user/1001/podman/podman.sock"**
5dd126
5dd126
  Example URIs:
5dd126
5dd126
- **rootless local**  - unix://run/user/1000/podman/podman.sock
5dd126
- **rootless remote** - ssh://user@engineering.lab.company.com/run/user/1000/podman/podman.sock
5dd126
- **rootfull local**  - unix://run/podman/podman.sock
5dd126
- **rootfull remote** - ssh://root@10.10.1.136:22/run/podman/podman.sock
5dd126
5dd126
**identity="~/.ssh/id_rsa**
5dd126
5dd126
Path to file containing ssh identity key
5dd126
5dd126
**[engine.volume_plugins]**
5dd126
5dd126
A table of all the enabled volume plugins on the system. Volume plugins can be
5dd126
used as the backend for Podman named volumes. Individual plugins are specified
5dd126
below, as a map of the plugin name (what the plugin will be called) to its path
5dd126
(filepath of the plugin's unix socket).
5dd126
5dd126
5dd126
## SECRET TABLE
5dd126
The `secret` table contains settings for the configuration of the secret subsystem.
5dd126
5dd126
**driver**=file
5dd126
5dd126
Name of the secret driver to be used.
5dd126
Currently valid values are:
5dd126
  * file
5dd126
  * pass
5dd126
5dd126
**[secrets.opts]**
5dd126
5dd126
The driver specific options object.
5dd126
5dd126
# FILES
5dd126
5dd126
**containers.conf**
5dd126
5dd126
Distributions often provide a `/usr/share/containers/containers.conf` file to
5dd126
define default container configuration. Administrators can override fields in
5dd126
this file by creating `/etc/containers/containers.conf` to specify their own
5dd126
configuration. Rootless users can further override fields in the config by
5dd126
creating a config file stored in the `$HOME/.config/containers/containers.conf` file.
5dd126
5dd126
If the `CONTAINERS_CONF` path environment variable is set, just
5dd126
this path will be used.  This is primarily used for testing.
5dd126
5dd126
Fields specified in the containers.conf file override the default options, as
5dd126
well as options in previously read containers.conf files.
5dd126
5dd126
**storage.conf**
5dd126
5dd126
The `/etc/containers/storage.conf` file is the default storage configuration file.
5dd126
Rootless users can override fields in the storage config by creating
5dd126
`$HOME/.config/containers/storage.conf`.
5dd126
5dd126
If the `CONTAINERS_STORAGE_CONF` path environment variable is set, this path
5dd126
is used for the storage.conf file rather than the default.
5dd126
This is primarily used for testing.
5dd126
5dd126
# SEE ALSO
5dd126
containers-storage.conf(5), containers-policy.json(5), containers-registries.conf(5)
5dd126
5dd126
[toml]: https://github.com/toml-lang/toml