mirror of
				https://github.com/containers/podman.git
				synced 2025-10-27 03:06:22 +08:00 
			
		
		
		
	 8c76738571
			
		
	
	8c76738571
	
	
	
		
			
			Accumulated cleanup from the man-page deduplication effort.
Various minor things that slipped.
 --publish-all : remove duplicate "default is false" (toth @dilyanpalauzov)
 --shm-size    : rephrase 'you' and 'y'all'
 --tls-verify  : make narrower, add asterisks to true/false,
                 and linkify containers-registries.conf
  --volume     : incorporate feedback from @mheon
  rename pid.md to pid.container.md, because there's a pid.pod.md
  for the --pid option used in pod-related man pages.
  ...and some whitespace, comma, other minor edits
Fixes: #15356
Signed-off-by: Ed Santiago <santiago@redhat.com>
		
	
		
			
				
	
	
		
			557 lines
		
	
	
		
			17 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			557 lines
		
	
	
		
			17 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| % podman-create 1
 | |
| 
 | |
| ## NAME
 | |
| podman\-create - Create a new container
 | |
| 
 | |
| ## SYNOPSIS
 | |
| **podman create** [*options*] *image* [*command* [*arg* ...]]
 | |
| 
 | |
| **podman container create** [*options*] *image* [*command* [*arg* ...]]
 | |
| 
 | |
| ## DESCRIPTION
 | |
| 
 | |
| Creates a writable container layer over the specified image and prepares it for
 | |
| running the specified command. The container ID is then printed to STDOUT. This
 | |
| is similar to **podman run -d** except the container is never started. You can
 | |
| then use the **podman start** *container* command to start the container at
 | |
| any point.
 | |
| 
 | |
| The initial status of the container created with **podman create** is 'created'.
 | |
| 
 | |
| Default settings for flags are defined in `containers.conf`. Most settings for
 | |
| remote connections use the server's containers.conf, except when documented in
 | |
| man pages.
 | |
| 
 | |
| ## IMAGE
 | |
| 
 | |
|   The image is specified using transport:path format. If no transport is specified, the `docker` (container registry)
 | |
| transport will be used by default. For remote Podman, including Mac and Windows (excluding WSL2) machines, `docker` is the only allowed transport.
 | |
| 
 | |
|   **dir:**_path_
 | |
|   An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This
 | |
| is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
 | |
| 
 | |
|     $ podman save --format docker-dir fedora -o /tmp/fedora
 | |
|     $ podman create dir:/tmp/fedora echo hello
 | |
| 
 | |
|   **docker://**_docker-reference_ (Default)
 | |
|   An image reference stored in  a remote container image registry. Example: "quay.io/podman/stable:latest".
 | |
| The reference can include a path to a specific registry; if it does not, the
 | |
| registries listed in registries.conf will be queried to find a matching image.
 | |
| By default, credentials from `podman login` (stored at
 | |
| $XDG_RUNTIME_DIR/containers/auth.json by default) will be used to authenticate;
 | |
| otherwise it falls back to using credentials in $HOME/.docker/config.json.
 | |
| 
 | |
|     $ podman create registry.fedoraproject.org/fedora:latest echo hello
 | |
| 
 | |
|   **docker-archive:**_path_[**:**_docker-reference_]
 | |
| An image stored in the `docker save` formatted file. _docker-reference_ is only used when creating such a
 | |
| file, and it must not contain a digest.
 | |
| 
 | |
|     $ podman save --format docker-archive fedora -o /tmp/fedora
 | |
|     $ podman create docker-archive:/tmp/fedora echo hello
 | |
| 
 | |
|   **docker-daemon:**_docker-reference_
 | |
|   An image in _docker-reference_ format stored in the docker daemon internal storage. The _docker-reference_ can also be an image ID (docker-daemon:algo:digest).
 | |
| 
 | |
|     $ sudo docker pull fedora
 | |
|     $ sudo podman create docker-daemon:docker.io/library/fedora echo hello
 | |
| 
 | |
|   **oci-archive:**_path_**:**_tag_
 | |
|   An image in a directory compliant with the "Open Container Image Layout Specification" at the specified _path_
 | |
| and specified with a _tag_.
 | |
| 
 | |
|     $ podman save --format oci-archive fedora -o /tmp/fedora
 | |
|     $ podman create oci-archive:/tmp/fedora echo hello
 | |
| 
 | |
| ## OPTIONS
 | |
| 
 | |
| @@option add-host
 | |
| 
 | |
| @@option annotation.container
 | |
| 
 | |
| @@option arch
 | |
| 
 | |
| @@option attach
 | |
| 
 | |
| @@option authfile
 | |
| 
 | |
| @@option blkio-weight
 | |
| 
 | |
| @@option blkio-weight-device
 | |
| 
 | |
| @@option cap-add
 | |
| 
 | |
| @@option cap-drop
 | |
| 
 | |
| @@option cgroup-conf
 | |
| 
 | |
| @@option cgroup-parent
 | |
| 
 | |
| @@option cgroupns
 | |
| 
 | |
| @@option cgroups
 | |
| 
 | |
| @@option chrootdirs
 | |
| 
 | |
| @@option cidfile.write
 | |
| 
 | |
| @@option conmon-pidfile
 | |
| 
 | |
| @@option cpu-period
 | |
| 
 | |
| @@option cpu-quota
 | |
| 
 | |
| @@option cpu-rt-period
 | |
| 
 | |
| @@option cpu-rt-runtime
 | |
| 
 | |
| @@option cpu-shares
 | |
| 
 | |
| @@option cpus.container
 | |
| 
 | |
| @@option cpuset-cpus
 | |
| 
 | |
| @@option cpuset-mems
 | |
| 
 | |
| @@option device
 | |
| 
 | |
| Note: if the user only has access rights via a group, accessing the device
 | |
| from inside a rootless container will fail. Use the `--group-add keep-groups`
 | |
| flag to pass the user's supplementary group access into the container.
 | |
| 
 | |
| @@option device-cgroup-rule
 | |
| 
 | |
| @@option device-read-bps
 | |
| 
 | |
| @@option device-read-iops
 | |
| 
 | |
| @@option device-write-bps
 | |
| 
 | |
| @@option device-write-iops
 | |
| 
 | |
| @@option disable-content-trust
 | |
| 
 | |
| @@option dns
 | |
| 
 | |
| This option cannot be combined with **--network** that is set to **none** or **container:**_id_.
 | |
| 
 | |
| @@option dns-option.container
 | |
| 
 | |
| @@option dns-search.container
 | |
| 
 | |
| @@option entrypoint
 | |
| 
 | |
| @@option env
 | |
| 
 | |
| See [**Environment**](#environment) note below for precedence and examples.
 | |
| 
 | |
| @@option env-file
 | |
| 
 | |
| See [**Environment**](#environment) note below for precedence and examples.
 | |
| 
 | |
| @@option env-host
 | |
| 
 | |
| @@option env-merge
 | |
| 
 | |
| @@option expose
 | |
| 
 | |
| @@option gidmap.container
 | |
| 
 | |
| @@option group-add
 | |
| 
 | |
| @@option health-cmd
 | |
| 
 | |
| @@option health-interval
 | |
| 
 | |
| @@option health-on-failure
 | |
| 
 | |
| @@option health-retries
 | |
| 
 | |
| @@option health-start-period
 | |
| 
 | |
| @@option health-timeout
 | |
| 
 | |
| #### **--help**
 | |
| 
 | |
| Print usage statement
 | |
| 
 | |
| @@option hostname.container
 | |
| 
 | |
| @@option hostuser
 | |
| 
 | |
| @@option http-proxy
 | |
| 
 | |
| @@option image-volume
 | |
| 
 | |
| @@option init
 | |
| 
 | |
| #### **--init-ctr**=*type*
 | |
| 
 | |
| (Pods only).
 | |
| When using pods, create an init style container, which is run after the infra container is started
 | |
| but before regular pod containers are started.  Init containers are useful for running
 | |
| setup operations for the pod's applications.
 | |
| 
 | |
| Valid values for `init-ctr` type are *always* or *once*.  The *always* value
 | |
| means the container will run with each and every `pod start`, whereas the *once*
 | |
| value means the container will only run once when the pod is started and then the container is removed.
 | |
| 
 | |
| Init containers are only run on pod `start`.  Restarting a pod will not execute any init
 | |
| containers should they be present.  Furthermore, init containers can only be created in a
 | |
| pod when that pod is not running.
 | |
| 
 | |
| @@option init-path
 | |
| 
 | |
| @@option interactive
 | |
| 
 | |
| @@option ip
 | |
| 
 | |
| @@option ip6
 | |
| 
 | |
| @@option ipc
 | |
| 
 | |
| @@option label
 | |
| 
 | |
| @@option label-file
 | |
| 
 | |
| @@option link-local-ip
 | |
| 
 | |
| @@option log-driver
 | |
| 
 | |
| @@option log-opt
 | |
| 
 | |
| @@option mac-address
 | |
| 
 | |
| @@option memory
 | |
| 
 | |
| @@option memory-reservation
 | |
| 
 | |
| @@option memory-swap
 | |
| 
 | |
| @@option memory-swappiness
 | |
| 
 | |
| @@option mount
 | |
| 
 | |
| @@option name.container
 | |
| 
 | |
| @@option network
 | |
| 
 | |
| Invalid if using **--dns**, **--dns-option**, or **--dns-search** with **--network** set to **none** or **container:**_id_.
 | |
| 
 | |
| If used together with **--pod**, the container will not join the pod's network namespace.
 | |
| 
 | |
| @@option network-alias
 | |
| 
 | |
| @@option no-healthcheck
 | |
| 
 | |
| @@option no-hosts
 | |
| 
 | |
| This option conflicts with **--add-host**.
 | |
| 
 | |
| @@option oom-kill-disable
 | |
| 
 | |
| @@option oom-score-adj
 | |
| 
 | |
| @@option os.pull
 | |
| 
 | |
| @@option passwd-entry
 | |
| 
 | |
| @@option personality
 | |
| 
 | |
| @@option pid.container
 | |
| 
 | |
| @@option pidfile
 | |
| 
 | |
| @@option pids-limit
 | |
| 
 | |
| @@option platform
 | |
| 
 | |
| @@option pod.run
 | |
| 
 | |
| @@option pod-id-file.container
 | |
| 
 | |
| @@option privileged
 | |
| 
 | |
| @@option publish
 | |
| 
 | |
| **Note:** If a container will be run within a pod, it is not necessary to publish the port for
 | |
| the containers in the pod. The port must only be published by the pod itself. Pod network
 | |
| stacks act like the network stack on the host - you have a variety of containers in the pod,
 | |
| and programs in the container, all sharing a single interface and IP address, and
 | |
| associated ports. If one container binds to a port, no other container can use that port
 | |
| within the pod while it is in use. Containers in the pod can also communicate over localhost
 | |
| by having one container bind to localhost in the pod, and another connect to that port.
 | |
| 
 | |
| @@option publish-all
 | |
| 
 | |
| @@option pull
 | |
| 
 | |
| #### **--quiet**, **-q**
 | |
| 
 | |
| Suppress output information when pulling images
 | |
| 
 | |
| @@option read-only
 | |
| 
 | |
| @@option read-only-tmpfs
 | |
| 
 | |
| @@option replace
 | |
| 
 | |
| @@option requires
 | |
| 
 | |
| @@option restart
 | |
| 
 | |
| #### **--rm**
 | |
| 
 | |
| Automatically remove the container when it exits. The default is *false*.
 | |
| 
 | |
| @@option rootfs
 | |
| 
 | |
| @@option sdnotify
 | |
| 
 | |
| @@option seccomp-policy
 | |
| 
 | |
| @@option secret
 | |
| 
 | |
| #### **--security-opt**=*option*
 | |
| 
 | |
| Security Options
 | |
| 
 | |
| - `apparmor=unconfined` : Turn off apparmor confinement for the container
 | |
| - `apparmor=your-profile` : Set the apparmor confinement profile for the container
 | |
| 
 | |
| - `label=user:USER`     : Set the label user for the container processes
 | |
| - `label=role:ROLE`     : Set the label role for the container processes
 | |
| - `label=type:TYPE`     : Set the label process type for the container processes
 | |
| - `label=level:LEVEL`   : Set the label level for the container processes
 | |
| - `label=filetype:TYPE` : Set the label file type for the container files
 | |
| - `label=disable`       : Turn off label separation for the container
 | |
| 
 | |
| Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file.
 | |
| 
 | |
| - `mask=/path/1:/path/2` : The paths to mask separated by a colon. A masked path
 | |
|   cannot be accessed inside the container.
 | |
| 
 | |
| - `no-new-privileges` : Disable container processes from gaining additional privileges
 | |
| 
 | |
| - `seccomp=unconfined` : Turn off seccomp confinement for the container.
 | |
| - `seccomp=profile.json` : JSON file to be used as a seccomp filter. Note that the `io.podman.annotations.seccomp` annotation is set with the specified value as shown in `podman inspect`.
 | |
| 
 | |
| - `proc-opts=OPTIONS` : Comma-separated list of options to use for the /proc mount. More details for the
 | |
|   possible mount options are specified in the **proc(5)** man page.
 | |
| 
 | |
| 
 | |
| - **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it will unmask all the paths that are masked or made read-only by default.
 | |
|   The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux.**  The default paths that are read-only are **/proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup**.
 | |
| 
 | |
| Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file.
 | |
| 
 | |
| @@option shm-size
 | |
| 
 | |
| @@option stop-signal
 | |
| 
 | |
| @@option stop-timeout
 | |
| 
 | |
| @@option subgidname
 | |
| 
 | |
| @@option subuidname
 | |
| 
 | |
| @@option sysctl
 | |
| 
 | |
| @@option systemd
 | |
| 
 | |
| @@option timeout
 | |
| 
 | |
| @@option tls-verify
 | |
| 
 | |
| @@option tmpfs
 | |
| 
 | |
| @@option tty
 | |
| 
 | |
| @@option tz
 | |
| 
 | |
| @@option uidmap.container
 | |
| 
 | |
| @@option ulimit
 | |
| 
 | |
| @@option umask
 | |
| 
 | |
| @@option unsetenv
 | |
| 
 | |
| @@option unsetenv-all
 | |
| 
 | |
| @@option user
 | |
| 
 | |
| @@option userns.container
 | |
| 
 | |
| @@option uts.container
 | |
| 
 | |
| @@option variant.container
 | |
| 
 | |
| @@option volume
 | |
| 
 | |
| Use the **--group-add keep-groups** option to pass the user's supplementary group access into the container.
 | |
| 
 | |
| @@option volumes-from
 | |
| 
 | |
| @@option workdir
 | |
| 
 | |
| ## EXAMPLES
 | |
| 
 | |
| ### Create a container using a local image
 | |
| 
 | |
| ```
 | |
| $ podman create alpine ls
 | |
| ```
 | |
| 
 | |
| ### Create a container using a local image and annotate it
 | |
| 
 | |
| ```
 | |
| $ podman create --annotation HELLO=WORLD alpine ls
 | |
| ```
 | |
| 
 | |
| ### Create a container using a local image, allocating a pseudo-TTY, keeping stdin open and name it myctr
 | |
| 
 | |
| ```
 | |
|   podman create -t -i --name myctr alpine ls
 | |
| ```
 | |
| 
 | |
| ### Set UID/GID mapping in a new user namespace
 | |
| 
 | |
| Running a container in a new user namespace requires a mapping of
 | |
| the uids and gids from the host.
 | |
| 
 | |
| ```
 | |
| $ podman create --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
 | |
| ```
 | |
| 
 | |
| ### Setting automatic user namespace separated containers
 | |
| 
 | |
| ```
 | |
| # podman create --userns=auto:size=65536 ubi8-init
 | |
| ```
 | |
| 
 | |
| ### Configure timezone in a container
 | |
| 
 | |
| ```
 | |
| $ podman create --tz=local alpine date
 | |
| $ podman create --tz=Asia/Shanghai alpine date
 | |
| $ podman create --tz=US/Eastern alpine date
 | |
| ```
 | |
| 
 | |
| ### Adding dependency containers
 | |
| 
 | |
| Podman will make sure the first container, container1, is running before the second container (container2) is started.
 | |
| 
 | |
| ```
 | |
| $ podman create --name container1 -t -i fedora bash
 | |
| $ podman create --name container2 --requires container1 -t -i fedora bash
 | |
| $ podman start --attach container2
 | |
| ```
 | |
| 
 | |
| Multiple containers can be required.
 | |
| 
 | |
| ```
 | |
| $ podman create --name container1 -t -i fedora bash
 | |
| $ podman create --name container2 -t -i fedora bash
 | |
| $ podman create --name container3 --requires container1,container2 -t -i fedora bash
 | |
| $ podman start --attach container3
 | |
| ```
 | |
| 
 | |
| ### Configure keep supplemental groups for access to volume
 | |
| 
 | |
| ```
 | |
| $ podman create -v /var/lib/design:/var/lib/design --group-add keep-groups ubi8
 | |
| ```
 | |
| 
 | |
| ### Configure execution domain for containers using personality flag
 | |
| 
 | |
| ```
 | |
| $ podman create --name container1 --personality=LINUX32 fedora bash
 | |
| ```
 | |
| 
 | |
| ### Create a container with external rootfs mounted as an overlay
 | |
| 
 | |
| ```
 | |
| $ podman create --name container1 --rootfs /path/to/rootfs:O bash
 | |
| ```
 | |
| 
 | |
| ### Create a container connected to two networks (called net1 and net2) with a static ip
 | |
| 
 | |
| ```
 | |
| $ podman create --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10 alpine ip addr
 | |
| ```
 | |
| 
 | |
| ### Rootless Containers
 | |
| 
 | |
| Podman runs as a non-root user on most systems. This feature requires that a new enough version of shadow-utils
 | |
| be installed. The shadow-utils package must include the newuidmap and newgidmap executables.
 | |
| 
 | |
| In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace.
 | |
| 
 | |
| Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed.
 | |
| The fuse-overlayfs package provides a userspace overlay storage driver, otherwise users need to use
 | |
| the vfs storage driver, which is diskspace expensive and does not perform well. slirp4netns is
 | |
| required for VPN, without it containers need to be run with the --network=host flag.
 | |
| 
 | |
| ## ENVIRONMENT
 | |
| 
 | |
| Environment variables within containers can be set using multiple different options:  This section describes the precedence.
 | |
| 
 | |
| Precedence order (later entries override earlier entries):
 | |
| 
 | |
| - **--env-host** : Host environment of the process executing Podman is added.
 | |
| - **--http-proxy**: By default, several environment variables will be passed in from the host, such as **http_proxy** and **no_proxy**. See **--http-proxy** for details.
 | |
| - Container image : Any environment variables specified in the container image.
 | |
| - **--env-file** : Any environment variables specified via env-files. If multiple files specified, then they override each other in order of entry.
 | |
| - **--env** : Any environment variables specified will override previous settings.
 | |
| 
 | |
| Create containers and set the environment ending with a __*__.
 | |
| The trailing __*__ glob functionality is only active when no value is specified:
 | |
| 
 | |
| ```
 | |
| $ export ENV1=a
 | |
| $ podman create --name ctr1 --env 'ENV*' alpine env
 | |
| $ podman start --attach ctr1 | grep ENV
 | |
| ENV1=a
 | |
| $ podman create --name ctr2 --env 'ENV*=b' alpine env
 | |
| $ podman start --attach ctr2 | grep ENV
 | |
| ENV*=b
 | |
| ```
 | |
| 
 | |
| ## CONMON
 | |
| 
 | |
| When Podman starts a container it actually executes the conmon program, which
 | |
| then executes the OCI Runtime.  Conmon is the container monitor.  It is a small
 | |
| program whose job is to watch the primary process of the container, and if the
 | |
| container dies, save the exit code.  It also holds open the tty of the
 | |
| container, so that it can be attached to later. This is what allows Podman to
 | |
| run in detached mode (backgrounded), so Podman can exit but conmon continues to
 | |
| run.  Each container has their own instance of conmon. Conmon waits for the
 | |
| container to exit, gathers and saves the exit code, and then launches a Podman
 | |
| process to complete the container cleanup, by shutting down the network and
 | |
| storage.   For more information on conmon, please reference the conmon(8) man
 | |
| page.
 | |
| 
 | |
| ## FILES
 | |
| 
 | |
| **/etc/subuid**
 | |
| **/etc/subgid**
 | |
| 
 | |
| NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`.
 | |
| 
 | |
| ## SEE ALSO
 | |
| **[podman(1)](podman.1.md)**, **[podman-save(1)](podman-save.1.md)**, **[podman-ps(1)](podman-ps.1.md)**, **[podman-attach(1)](podman-attach.1.md)**, **[podman-pod-create(1)](podman-pod-create.1.md)**, **[podman-port(1)](podman-port.1.md)**, **[podman-start(1)](podman-start.1.md)**, **[podman-kill(1)](podman-kill.1.md)**, **[podman-stop(1)](podman-stop.1.md)**, **[podman-generate-systemd(1)](podman-generate-systemd.1.md)**, **[podman-rm(1)](podman-rm.1.md)**, **[subgid(5)](https://www.unix.com/man-page/linux/5/subgid)**, **[subuid(5)](https://www.unix.com/man-page/linux/5/subuid)**, **[containers.conf(5)](https://github.com/containers/common/blob/main/docs/containers.conf.5.md)**, **[systemd.unit(5)](https://www.freedesktop.org/software/systemd/man/systemd.unit.html)**, **[setsebool(8)](https://man7.org/linux/man-pages/man8/setsebool.8.html)**, **[slirp4netns(1)](https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1.md)**, **[fuse-overlayfs(1)](https://github.com/containers/fuse-overlayfs/blob/main/fuse-overlayfs.1.md)**, **proc(5)**, **[conmon(8)](https://github.com/containers/conmon/blob/main/docs/conmon.8.md)**, **personality(2)**
 | |
| 
 | |
| ## HISTORY
 | |
| October 2017, converted from Docker documentation to Podman by Dan Walsh for Podman `<dwalsh@redhat.com>`
 | |
| 
 | |
| November 2014, updated by Sven Dowideit `<SvenDowideit@home.org.au>`
 | |
| 
 | |
| September 2014, updated by Sven Dowideit `<SvenDowideit@home.org.au>`
 | |
| 
 | |
| August 2014, updated by Sven Dowideit `<SvenDowideit@home.org.au>`
 | |
| 
 | |
| ## FOOTNOTES
 | |
| <a name="Footnote1">1</a>: The Podman project is committed to inclusivity, a core value of open source. The `master` and `slave` mount propagation terminology used here is problematic and divisive, and should be changed. However, these terms are currently used within the Linux kernel and must be used as-is at this time. When the kernel maintainers rectify this usage, Podman will follow suit immediately.
 |