5f1c70
# This file is the configuration file for all tools
bafb64
# that use the containers/storage library. The storage.conf file
bafb64
# overrides all other storage.conf files. Container engines using the
bafb64
# container/storage library do not inherit fields from other storage.conf
bafb64
# files.
bafb64
#
bafb64
#  Note: The storage.conf file overrides other storage.conf files based on this precedence:
bafb64
#      /usr/containers/storage.conf
bafb64
#      /etc/containers/storage.conf
bafb64
#      $HOME/.config/containers/storage.conf
bafb64
#      $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
a415a1
# See man 5 containers-storage.conf for more information
a415a1
# The "container storage" table contains all of the server options.
a415a1
[storage]
a415a1
a415a1
# Default Storage Driver, Must be set for proper operation.
a415a1
driver = "overlay"
a415a1
a415a1
# Temporary storage location
a415a1
runroot = "/run/containers/storage"
a415a1
a415a1
# Primary Read/Write location of container storage
bafb64
# When changing the graphroot location on an SELINUX system, you must
bafb64
# ensure  the labeling matches the default locations labels with the
bafb64
# following commands:
bafb64
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
bafb64
# restorecon -R -v /NEWSTORAGEPATH
a415a1
graphroot = "/var/lib/containers/storage"
a415a1
bafb64
a415a1
# Storage path for rootless users
a415a1
#
a415a1
# rootless_storage_path = "$HOME/.local/share/containers/storage"
a415a1
5f1c70
# Transient store mode makes all container metadata be saved in temporary storage
5f1c70
# (i.e. runroot above). This is faster, but doesn't persist across reboots.
5f1c70
# transient_store = true
5f1c70
a415a1
[storage.options]
a415a1
# Storage options to be passed to underlying storage drivers
a415a1
a415a1
# AdditionalImageStores is used to pass paths to additional Read/Only image stores
a415a1
# Must be comma separated list.
a415a1
additionalimagestores = [
a415a1
]
a415a1
893b01
# Allows specification of how storage is populated when pulling images. This
893b01
# option can speed the pulling process of images compressed with format
893b01
# zstd:chunked. Containers/storage looks for files within images that are being
893b01
# pulled from a container registry that were previously pulled to the host.  It
893b01
# can copy or create a hard link to the existing file when it finds them,
893b01
# eliminating the need to pull them from the container registry. These options
893b01
# can deduplicate pulling of content, disk storage of content and can allow the
893b01
# kernel to use less memory when running containers.
893b01
893b01
# containers/storage supports four keys
893b01
#   * enable_partial_images="true" | "false"
893b01
#     Tells containers/storage to look for files previously pulled in storage
893b01
#     rather then always pulling them from the container registry.
893b01
#   * use_hard_links = "false" | "true"
893b01
#     Tells containers/storage to use hard links rather then create new files in
893b01
#     the image, if an identical file already existed in storage.
893b01
#   * ostree_repos = ""
893b01
#     Tells containers/storage where an ostree repository exists that might have
893b01
#     previously pulled content which can be used when attempting to avoid
893b01
#     pulling content from the container registry
893b01
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
893b01
a415a1
# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
a415a1
# a container, to the UIDs/GIDs as they should appear outside of the container,
a415a1
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
a415a1
# listed and will be heeded by libraries, but there are limits to the number of
a415a1
# mappings which the kernel will allow when you later attempt to run a
a415a1
# container.
a415a1
#
a415a1
# remap-uids = 0:1668442479:65536
a415a1
# remap-gids = 0:1668442479:65536
a415a1
a415a1
# Remap-User/Group is a user name which can be used to look up one or more UID/GID
a415a1
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
a415a1
# with an in-container ID of 0 and then a host-level ID taken from the lowest
a415a1
# range that matches the specified name, and using the length of that range.
a415a1
# Additional ranges are then assigned, using the ranges which specify the
a415a1
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
a415a1
# until all of the entries have been used for maps.
a415a1
#
a415a1
# remap-user = "containers"
a415a1
# remap-group = "containers"
a415a1
a415a1
# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
a415a1
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
a415a1
# to containers configured to create automatically a user namespace.  Containers
a415a1
# configured to automatically create a user namespace can still overlap with containers
a415a1
# having an explicit mapping set.
a415a1
# This setting is ignored when running as rootless.
a415a1
# root-auto-userns-user = "storage"
a415a1
#
a415a1
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
a415a1
# auto-userns-min-size=1024
a415a1
#
a415a1
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
a415a1
# auto-userns-max-size=65536
a415a1
a415a1
[storage.options.overlay]
a415a1
# ignore_chown_errors can be set to allow a non privileged user running with
a415a1
# a single UID within a user namespace to run containers. The user can pull
a415a1
# and use any image even those with multiple uids.  Note multiple UIDs will be
a415a1
# squashed down to the default uid in the container.  These images will have no
a415a1
# separation between the users in the container. Only supported for the overlay
a415a1
# and vfs drivers.
a415a1
#ignore_chown_errors = "false"
a415a1
a415a1
# Inodes is used to set a maximum inodes of the container image.
a415a1
# inodes = ""
a415a1
a415a1
# Path to an helper program to use for mounting the file system instead of mounting it
a415a1
# directly.
a415a1
#mount_program = "/usr/bin/fuse-overlayfs"
a415a1
a415a1
# mountopt specifies comma separated list of extra mount options
a415a1
mountopt = "nodev,metacopy=on"
a415a1
a415a1
# Set to skip a PRIVATE bind mount on the storage home directory.
a415a1
# skip_mount_home = "false"
a415a1
a415a1
# Size is used to set a maximum size of the container image.
a415a1
# size = ""
a415a1
a415a1
# ForceMask specifies the permissions mask that is used for new files and
a415a1
# directories.
a415a1
#
a415a1
# The values "shared" and "private" are accepted.
a415a1
# Octal permission masks are also accepted.
a415a1
#
a415a1
#  "": No value specified.
a415a1
#     All files/directories, get set with the permissions identified within the
a415a1
#     image.
a415a1
#  "private": it is equivalent to 0700.
a415a1
#     All files/directories get set with 0700 permissions.  The owner has rwx
a415a1
#     access to the files. No other users on the system can access the files.
a415a1
#     This setting could be used with networked based homedirs.
a415a1
#  "shared": it is equivalent to 0755.
a415a1
#     The owner has rwx access to the files and everyone else can read, access
a415a1
#     and execute them. This setting is useful for sharing containers storage
a415a1
#     with other users.  For instance have a storage owned by root but shared
a415a1
#     to rootless users as an additional store.
a415a1
#     NOTE:  All files within the image are made readable and executable by any
a415a1
#     user on the system. Even /etc/shadow within your image is now readable by
a415a1
#     any user.
a415a1
#
a415a1
#   OCTAL: Users can experiment with other OCTAL Permissions.
a415a1
#
a415a1
#  Note: The force_mask Flag is an experimental feature, it could change in the
a415a1
#  future.  When "force_mask" is set the original permission mask is stored in
a415a1
#  the "user.containers.override_stat" xattr and the "mount_program" option must
a415a1
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
5f1c70
#  extended attribute permissions to processes within containers rather than the
a415a1
#  "force_mask"  permissions.
a415a1
#
a415a1
# force_mask = ""
a415a1
a415a1
[storage.options.thinpool]
a415a1
# Storage Options for thinpool
a415a1
a415a1
# autoextend_percent determines the amount by which pool needs to be
a415a1
# grown. This is specified in terms of % of pool size. So a value of 20 means
a415a1
# that when threshold is hit, pool will be grown by 20% of existing
a415a1
# pool size.
a415a1
# autoextend_percent = "20"
a415a1
a415a1
# autoextend_threshold determines the pool extension threshold in terms
a415a1
# of percentage of pool size. For example, if threshold is 60, that means when
a415a1
# pool is 60% full, threshold has been hit.
a415a1
# autoextend_threshold = "80"
a415a1
a415a1
# basesize specifies the size to use when creating the base device, which
a415a1
# limits the size of images and containers.
a415a1
# basesize = "10G"
a415a1
a415a1
# blocksize specifies a custom blocksize to use for the thin pool.
a415a1
# blocksize="64k"
a415a1
a415a1
# directlvm_device specifies a custom block storage device to use for the
a415a1
# thin pool. Required if you setup devicemapper.
a415a1
# directlvm_device = ""
a415a1
a415a1
# directlvm_device_force wipes device even if device already has a filesystem.
a415a1
# directlvm_device_force = "True"
a415a1
a415a1
# fs specifies the filesystem type to use for the base device.
a415a1
# fs="xfs"
a415a1
a415a1
# log_level sets the log level of devicemapper.
a415a1
# 0: LogLevelSuppress 0 (Default)
a415a1
# 2: LogLevelFatal
a415a1
# 3: LogLevelErr
a415a1
# 4: LogLevelWarn
a415a1
# 5: LogLevelNotice
a415a1
# 6: LogLevelInfo
a415a1
# 7: LogLevelDebug
a415a1
# log_level = "7"
a415a1
a415a1
# min_free_space specifies the min free space percent in a thin pool require for
a415a1
# new device creation to succeed. Valid values are from 0% - 99%.
a415a1
# Value 0% disables
a415a1
# min_free_space = "10%"
a415a1
a415a1
# mkfsarg specifies extra mkfs arguments to be used when creating the base
a415a1
# device.
a415a1
# mkfsarg = ""
a415a1
a415a1
# metadata_size is used to set the `pvcreate --metadatasize` options when
a415a1
# creating thin devices. Default is 128k
a415a1
# metadata_size = ""
a415a1
a415a1
# Size is used to set a maximum size of the container image.
a415a1
# size = ""
a415a1
a415a1
# use_deferred_removal marks devicemapper block device for deferred removal.
a415a1
# If the thinpool is in use when the driver attempts to remove it, the driver
a415a1
# tells the kernel to remove it as soon as possible. Note this does not free
a415a1
# up the disk space, use deferred deletion to fully remove the thinpool.
a415a1
# use_deferred_removal = "True"
a415a1
a415a1
# use_deferred_deletion marks thinpool device for deferred deletion.
a415a1
# If the device is busy when the driver attempts to delete it, the driver
a415a1
# will attempt to delete device every 30 seconds until successful.
a415a1
# If the program using the driver exits, the driver will continue attempting
a415a1
# to cleanup the next time the driver is used. Deferred deletion permanently
a415a1
# deletes the device and all data stored in device will be lost.
a415a1
# use_deferred_deletion = "True"
a415a1
a415a1
# xfs_nospace_max_retries specifies the maximum number of retries XFS should
a415a1
# attempt to complete IO when ENOSPC (no space) error is returned by
a415a1
# underlying storage device.
a415a1
# xfs_nospace_max_retries = "0"