# The containers configuration file specifies all of the available configuration
# options and command-line flags for container runtime tools like podman & buildah
# but in a TOML format that can be easily modified and versioned.
#
# Please refer to containers.conf(5) for details of all configuration options.
[containers]
# Cgroup settings applied to every container. memory.high=1073741824 is a
# 1 GiB cgroup-v2 throttle threshold, not a hard limit (that is memory.max).
cgroup_conf = [
"memory.high=1073741824",
]
# List of devices. Specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example:
# "/dev/sdc:/dev/xvdc:rwm" (the CLI equivalent is --device=/dev/sdc:/dev/xvdc:rwm).
# If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
# Anything listed here is exposed to *every* container; keep it empty unless a
# host device genuinely has to be shared fleet-wide.
devices = [
]
# Used to change the name of the default AppArmor profile of container engines. The default
# profile name is "container-default".
apparmor_profile = "container-default"
# File used as the base for each container's /etc/hosts. This is a non-default
# path; whatever it points at should exist and be root-owned, since its contents
# are copied into every container.
base_hosts_file = "/etc/hosts2"
# Use the container name as the container's hostname.
container_name_as_hostname = true
# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
# NOTE(review): this set is broader than a minimal one. AUDIT_WRITE, MKNOD and
# NET_RAW (raw sockets, i.e. ARP/ICMP spoofing on the container network) were
# dropped from newer Podman defaults — verify against the running version.
# DAC_OVERRIDE and SYS_CHROOT are further candidates for removal where
# workloads do not need them; prefer per-container --cap-add over widening the
# default for everything.
default_capabilities = [
"AUDIT_WRITE",
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"MKNOD",
"NET_BIND_SERVICE",
"NET_RAW",
"SETGID",
"SETFCAP",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
]
# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# See setrlimit(2) for a list of resource names.
# Any limit not specified here will be inherited from the process launching the container engine
# — so an unbounded nofile/nproc on the host is unbounded in the container too.
default_ulimits = [
]
# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
default_sysctls = [
]
# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
env = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
# Run an init inside the container that forwards signals and reaps processes.
init = false
# Set interface name inside container in legacy way, ethX.
interface_name = ""
# Address that host.containers.internal resolves to inside containers. Hard-coded
# here; it must be a real host address or containers will reach the wrong peer.
host_containers_internal_ip = "1.2.3.4"
# proxy environment variables are passed into the container
http_proxy = false
# whether the container tool will support container labeling.
# Keep true on SELinux hosts: turning it off removes the per-container MCS
# label separation.
label = true
# Maximum size allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
# -1 means unbounded logs: a chatty or malicious workload can fill the disk.
# Set a positive cap in production.
log_size_max = -1
# Directory for container log files; it should not be writable by
# unprivileged users.
log_path = "/var/log/containers"
# Mounts added to every container. A glob source under /tmp is
# attacker-influenceable on a multi-user host (anyone can create matching
# paths); the read-only bind of /etc/services is harmless. The /tmp entry looks
# like a fixture value — confirm it is not shipped in a deployed config.
mounts= [
"type=glob,source=/tmp/test2*,ro=true",
"type=bind,source=/etc/services,destination=/etc/services,ro",
]
# OOM-killer preference for container processes (higher = killed earlier).
oom_score_adj = 750
# Maximum number of processes allowed in a container.
# Bounds fork bombs; presumably 0 would disable the limit — verify in containers.conf(5).
pids_limit = 2048
# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime.
# Left commented out, so the engine's built-in default profile applies. Never
# point this at a world-writable location such as /tmp in a real deployment.
# seccomp_profile = "/tmp/seccomp.json"
# Size of /dev/shm. Specified as <number><unit>.
# Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If the unit is omitted, the system uses bytes.
shm_size = "65536k"
# Umask inside the container. 0002 makes newly created files group-writable;
# the conventional default is 0022.
umask="0002"
# default network mode
netns="bridge"
# The network table contains settings pertaining to the management of
# CNI plugins.
[network]
# Path to directory where CNI plugin binaries are located.
# NOTE(review): /tmp is world-writable. A plugin search path that includes it
# lets any local user plant a binary that the engine then executes with its
# own (typically root) privileges. This looks like a fixture value — confirm it
# never ships in a deployed config; plugin directories must be root-owned.
cni_plugin_dirs = [
"/usr/libexec/cni",
"/tmp",
]
# Path to the directory where CNI configuration files are located.
network_config_dir = "/etc/cni/net.d/"
# Subnet pools that new networks draw their ranges from (base CIDR, per-network prefix size).
default_subnet_pools = [{"base" = "10.89.0.0/16", "size" = 24}, {"base" = "10.90.0.0/15", "size" = 24}]
# Network stack used for rootless containers.
default_rootless_network_cmd = "slirp4netns"
# firewall driver to be used by default
# "none" disables netavark's firewall setup entirely; presumably no NAT or
# port-forwarding rules are installed, so published ports would not be
# reachable from outside the host — verify. Use the default driver outside of
# test environments.
firewall_driver = "none"
# dns port for netavark/aardvark
dns_bind_port = 1153
# Directories searched for netavark plugin binaries; same trust requirement as
# cni_plugin_dirs (root-owned, not user-writable).
netavark_plugin_dirs = [
"/usr/netavark"
]
# Extra command-line options passed to pasta for rootless networking.
pasta_options = ["-t", "auto"]
[engine]
# Additional compression formats to produce when pushing images.
add_compression = ["zstd", "zstd:chunked"]
# Cgroup management implementation used for the runtime.
cgroup_manager = "systemd"
# Backend for the libpod state database.
database_backend = "sqlite"
# Default transport method for pulling and pushing for images
image_default_transport = "docker://"
# Environment variables to pass into conmon
conmon_env_vars = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
]
# Scratch location for image copies. "storage" is a keyword selecting the
# container storage directory, not a literal relative path.
image_copy_tmp_dir="storage"
# How image volumes are materialised; tmpfs contents are not persisted.
image_volume_mode = "tmpfs"
# Paths to look for the Conmon container manager binary
conmon_path = [
"/usr/libexec/podman/conmon",
"/usr/local/libexec/podman/conmon",
"/usr/local/lib/podman/conmon",
"/usr/bin/conmon",
"/usr/sbin/conmon",
"/usr/local/bin/conmon",
"/usr/local/sbin/conmon"
]
# Enforces using docker.io for completing short names in Podman's compatibility
# REST API. Note that this will ignore unqualified-search-registries and
# short-name aliases defined in containers-registries.conf(5).
compat_api_enforce_docker_hub = false
# Specify one or more external providers for the compose command. The first
# found provider is used for execution. Can be an absolute and relative path or
# a (file) name.
# NOTE(review): these binaries are executed as the invoking user. A bare name
# or relative path is presumably resolved through PATH or the working
# directory, which lets a planted binary be run; prefer absolute, root-owned
# paths. The values below look like placeholders.
compose_providers=["/some/thing/else", "/than/before"]
# Emit logs on each invocation of the compose command indicating that an
# external compose provider is being executed.
# false suppresses the notice that a third-party binary is being run.
compose_warning_logs = false
# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
# For example "http_proxy=internal.proxy.company.com".
# Note these environment variables will not be used within the container.
# Set the env section under [containers] table, if you want to set environment variables for the container.
# The two entries below look like fixture values.
env = ["super=duper", "foo=bar"]
# Container init binary
#init_path = "/usr/libexec/podman/catatonit"
# Directory for persistent libpod files (database, etc)
# By default, this will be configured relative to where containers/storage
# stores containers
# Uncomment to change location from this default
#static_dir = "/var/lib/containers/storage/libpod"
# Directory for temporary files. Must be tmpfs (wiped after reboot)
tmp_dir = "/run/libpod"
# Whether to use chroot instead of pivot_root in the runtime
# Keep false: pivot_root detaches the old root filesystem, whereas chroot leaves
# it reachable and is only a fallback for hosts where pivot_root is unavailable.
no_pivot_root = false
# Default engine namespace
# If engine is joined to a namespace, it will see only containers and pods
# that were created in the same namespace, and will create new containers and
# pods in that namespace.
# The default namespace is "", which corresponds to no namespace. When no
# namespace is set, all containers and pods are visible.
#namespace = ""
# Whether health-check results are emitted as engine events.
healthcheck_events = false
# A list of directories which are used to search for helper binaries.
# Binaries found here run with the engine's privileges, so each directory must
# be root-owned and not writable by other users. "/somepath" looks like a
# placeholder.
helper_binaries_dir = [
"/somepath",
]
# Number of attempts, and delay between attempts, when an image pull/push fails.
retry=5
retry_delay="10s"
# Path to OCI hooks directories for automatically executed hooks.
# Empty: no hook directories are consulted. OCI hooks run outside the container
# sandbox with the engine's privileges, so every directory added here is a
# code-execution trust boundary — keep the list minimal and root-owned.
hooks_dir = [
]
# Directories to scan for CDI Spec files.
# cdi_spec_dirs = [ "/etc/cdi", "/var/run/cdi" ]
# Default infra (pause) image name for pod infra containers
# Referenced by tag only. For a reproducible, tamper-evident supply chain, pin
# by digest (registry.k8s.io/pause@sha256:<digest>) in deployed configs.
infra_image = "registry.k8s.io/pause:3.4.1"
# Default command to run the infra container
infra_command = "/pause"
# Default k8s kind/type to generate with `podman kube generate`
kube_generate_type = "pod"
# Number of seconds to wait without a connection
# before the `podman system service` times out and exits
#
service_timeout=300
# Determines whether engine will reserve ports on the host when they are
# forwarded to containers. When enabled, when ports are forwarded to containers,
# they are held open by conmon as long as the container is running, ensuring that
# they cannot be reused by other programs on the host. However, this can cause
# significant memory usage if a container has many ports forwarded to it.
# Disabling this can save memory.
#enable_port_reservation = true
# Default engine support for container labeling
# label=true
# Number of locks available for containers and pods.
# If this is changed, a lock renumber must be performed (e.g. with the
# 'podman system renumber' command).
num_locks = 2048
# Directory for engine named volumes.
# By default, this will be configured relative to where containers/storage
# stores containers.
# Uncomment to change location from this default.
#volume_path = "/var/lib/containers/storage/volumes"
# Selects which logging mechanism to use for Podman events. Valid values
# are `journald` or `file`.
# events_logger = "journald"
# Specify the keys sequence used to detach a container.
# Format is a single character [a-Z] or a comma separated sequence of
# `ctrl-<value>`, where `<value>` is one of:
# `a-z`, `@`, `^`, `[`, `\`, `]` or `_`
#
# detach_keys = "ctrl-p,ctrl-q"
# Default OCI runtime
runtime = "runc"
# List of the OCI runtimes that support --format=json. When json is supported
# engine will use it for reporting nicer errors.
runtime_supports_json = ["runc"]
# SSH config file path
# Looks like a placeholder. If a real file is used for remote connections it
# should be owned by the invoking user and not group/world-writable.
ssh_config = "/foo/bar/.ssh/config"
# Deprecated in favor of podmansh.Timeout, should not be used anymore.
podmansh_timeout = 300
# Paths to look for a valid OCI runtime (runc, runv, etc)
# Presumably searched in order, first existing path used — verify. The runtime
# binary is executed with the engine's privileges, so only package-managed,
# root-owned locations belong here; none of the entries below is user-writable.
[engine.runtimes]
runc = [
"/usr/bin/runc",
"/usr/sbin/runc",
"/usr/local/bin/runc",
"/usr/local/sbin/runc",
"/sbin/runc",
"/bin/runc",
"/usr/lib/cri-o-runc/sbin/runc",
]
crun = [
"/usr/bin/crun",
"/usr/local/bin/crun",
]
# Default flags for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
# Note: Do not pass the leading -- to the flag. To pass the runc flag --log-format json, the option given is log-format=json.
[engine.runtimes_flags]
# "debug" turns on verbose runtime logging for every crun invocation; keep it
# off in production, since runtime debug output can expose process and mount
# details in the logs.
crun = [
"debug"
]
# runsc is gVisor. "net-raw" presumably allows raw sockets inside the sandbox,
# widening its network attack surface relative to the default — confirm this is
# intended rather than a leftover from testing.
runsc = [
"net-raw"
]
[podmansh]
# Shell to start in container. Default: /bin/sh.
# The binary must exist inside the container named below, otherwise logins fail.
shell = "/bin/zsh"
# Name of the container the podmansh user should join.
container = "podmansh-1"
# Number of seconds to wait for podmansh logins.
timeout = 42
[machine]
# Number of CPU's a machine is created with.
cpus=1
# The size of the disk in GB created when init-ing a podman-machine VM
disk_size = 20
# The image used when creating a podman-machine VM.
# TOML performs no variable expansion: "$OS" and "$ARCH" reach the engine as
# literal text and are only useful if it substitutes them itself — verify.
# HTTPS protects the download in transit only; without a checksum or signature
# check the VM image is trusted on transport alone.
image = "https://example.com/$OS/$ARCH/foobar.ami"
# Memory in MB a machine is created with.
memory=1024
# Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon.
# The default value is `true`. Supported on AppleHV(arm64) machines only.
rosetta=false
# The [machine] table MUST be the last thing in this file.
# (Unless another table is added)
# TOML does not provide a way to end a table other than a further table being
# defined, so every key hereafter will be part of [machine] and not the main
# config.