From 56039cffd7923d682bd620e5a5a974aabc94dd1b Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Tue, 2 Aug 2022 06:02:04 -0600 Subject: [PATCH] Refactor common options in man pages podman-create and -run have many options in common. To date, these are copy-pasted and haphazardly maintained. Solution: add an include mechanism, '@@option foo', such that multiple md source files can fetch from one common file. This is a Phase One commit, a very small subset of what's possible. Purpose of this commit is ease of review. If this passes review, much more (trickier stuff) will be forthcoming. Signed-off-by: Ed Santiago --- Makefile | 32 ++- docs/Makefile | 3 +- docs/source/markdown/.gitignore | 2 + docs/source/markdown/options/cgroup-conf.md | 3 + docs/source/markdown/options/chrootdirs.md | 5 + docs/source/markdown/options/env-host.md | 3 + docs/source/markdown/options/group-add.md | 11 + docs/source/markdown/options/hostuser.md | 4 + docs/source/markdown/options/image-volume.md | 8 + docs/source/markdown/options/init-path.md | 3 + docs/source/markdown/options/init.md | 5 + docs/source/markdown/options/mount.md | 77 +++++++ .../source/markdown/options/no-healthcheck.md | 3 + .../markdown/options/oom-kill-disable.md | 5 + docs/source/markdown/options/passwd-entry.md | 5 + docs/source/markdown/options/personality.md | 3 + docs/source/markdown/options/pidfile.md | 9 + docs/source/markdown/options/sdnotify.md | 10 + .../source/markdown/options/seccomp-policy.md | 5 + docs/source/markdown/options/timeout.md | 5 + docs/source/markdown/options/tz.md | 4 + docs/source/markdown/options/umask.md | 4 + docs/source/markdown/options/unsetenv-all.md | 5 + ...dman-create.1.md => podman-create.1.md.in} | 197 ++---------------- .../{podman-run.1.md => podman-run.1.md.in} | 197 ++---------------- hack/markdown-preprocess | 68 ++++++ 26 files changed, 311 insertions(+), 365 deletions(-) create mode 100644 docs/source/markdown/.gitignore create mode 100644 docs/source/markdown/options/cgroup-conf.md create mode 100644 docs/source/markdown/options/chrootdirs.md create mode 100644 docs/source/markdown/options/env-host.md create mode 100644 docs/source/markdown/options/group-add.md create mode 100644 docs/source/markdown/options/hostuser.md create mode 100644 docs/source/markdown/options/image-volume.md create mode 100644 docs/source/markdown/options/init-path.md create mode 100644 docs/source/markdown/options/init.md create mode 100644 docs/source/markdown/options/mount.md create mode 100644 docs/source/markdown/options/no-healthcheck.md create mode 100644 docs/source/markdown/options/oom-kill-disable.md create mode 100644 docs/source/markdown/options/passwd-entry.md create mode 100644 docs/source/markdown/options/personality.md create mode 100644 docs/source/markdown/options/pidfile.md create mode 100644 docs/source/markdown/options/sdnotify.md create mode 100644 docs/source/markdown/options/seccomp-policy.md create mode 100644 docs/source/markdown/options/timeout.md create mode 100644 docs/source/markdown/options/tz.md create mode 100644 docs/source/markdown/options/umask.md create mode 100644 docs/source/markdown/options/unsetenv-all.md rename docs/source/markdown/{podman-create.1.md => podman-create.1.md.in} (89%) rename docs/source/markdown/{podman-run.1.md => podman-run.1.md.in} (91%) create mode 100755 hack/markdown-preprocess diff --git a/Makefile b/Makefile index ad4b0f5944..4f222d6d41 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,12 @@ BUILDTAGS_CROSS ?= containers_image_openpgp exclude_graphdriver_btrfs exclude_gr CONTAINER_RUNTIME := $(shell command -v podman 2> /dev/null || echo docker) OCI_RUNTIME ?= "" -MANPAGES_MD ?= $(wildcard docs/source/markdown/*.md) +# The 'sort' below is crucial: without it, 'make docs' behaves differently +# on the first run than on subsequent ones, because the generated .md +MANPAGES_SOURCE_DIR = docs/source/markdown +MANPAGES_MD_IN ?= $(wildcard $(MANPAGES_SOURCE_DIR)/*.md.in) +MANPAGES_MD_GENERATED ?= $(MANPAGES_MD_IN:%.md.in=%.md) +MANPAGES_MD ?= $(sort $(wildcard $(MANPAGES_SOURCE_DIR)/*.md) $(MANPAGES_MD_GENERATED)) MANPAGES ?= $(MANPAGES_MD:%.md=%) MANPAGES_DEST ?= $(subst markdown,man, $(subst source,build,$(MANPAGES))) @@ -416,17 +421,24 @@ completions: podman podman-remote pkg/api/swagger.yaml: make -C pkg/api -$(MANPAGES): %: %.md .install.md2man docdir +$(MANPAGES_MD_GENERATED): %.md: %.md.in $(MANPAGES_SOURCE_DIR)/options/*.md + hack/markdown-preprocess $< -### sed is used to filter http/s links as well as relative links -### replaces "\" at the end of a line with two spaces -### this ensures that manpages are renderd correctly +$(MANPAGES): %: %.md .install.md2man docdir - @$(SED) -e 's/\((podman[^)]*\.md\(#.*\)\?)\)//g' \ - -e 's/\[\(podman[^]]*\)\]/\1/g' \ - -e 's/\[\([^]]*\)](http[^)]\+)/\1/g' \ - -e 's;<\(/\)\?\(a\|a\s\+[^>]*\|sup\)>;;g' \ - -e 's/\\$$/ /g' $< | \ +# This does a bunch of filtering needed for man pages: +# 1. Strip markdown link targets like '[podman(1)](podman.1.md)' +# to just '[podman(1)]', because man pages have no link mechanism; +# 2. Then remove the brackets: '[podman(1)]' -> 'podman(1)'; +# 3. Then do the same for all other markdown links, +# like '[cgroups(7)](https://.....)' -> just 'cgroups(7)'; +# 4. Remove HTML-ish stuff like '..' and '..' +# 5. Replace "\" (backslash) at EOL with two spaces (no idea why) + @$(SED) -e 's/\((podman[^)]*\.md\(#.*\)\?)\)//g' \ + -e 's/\[\(podman[^]]*\)\]/\1/g' \ + -e 's/\[\([^]]*\)](http[^)]\+)/\1/g' \ + -e 's;<\(/\)\?\(a\|a\s\+[^>]*\|sup\)>;;g' \ + -e 's/\\$$/ /g' $< |\ $(GOMD2MAN) -in /dev/stdin -out $(subst source/markdown,build/man,$@) .PHONY: docdir diff --git a/docs/Makefile b/docs/Makefile index fb67e266cc..c9192f5e63 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -13,7 +13,8 @@ help: @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) clean: - rm -fr build/ + $(RM) -fr build + cd source/markdown && $(RM) -f $$(<.gitignore) .PHONY: help Makefile diff --git a/docs/source/markdown/.gitignore b/docs/source/markdown/.gitignore new file mode 100644 index 0000000000..c441d74c52 --- /dev/null +++ b/docs/source/markdown/.gitignore @@ -0,0 +1,2 @@ +podman-create.1.md +podman-run.1.md diff --git a/docs/source/markdown/options/cgroup-conf.md b/docs/source/markdown/options/cgroup-conf.md new file mode 100644 index 0000000000..91d724ab6c --- /dev/null +++ b/docs/source/markdown/options/cgroup-conf.md @@ -0,0 +1,3 @@ +#### **--cgroup-conf**=*KEY=VALUE* + +When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. diff --git a/docs/source/markdown/options/chrootdirs.md b/docs/source/markdown/options/chrootdirs.md new file mode 100644 index 0000000000..624a106243 --- /dev/null +++ b/docs/source/markdown/options/chrootdirs.md @@ -0,0 +1,5 @@ +#### **--chrootdirs**=*path* + +Path to a directory inside the container that should be treated as a `chroot` directory. +Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. +Multiple directories should be separated with a comma. diff --git a/docs/source/markdown/options/env-host.md b/docs/source/markdown/options/env-host.md new file mode 100644 index 0000000000..665fca016a --- /dev/null +++ b/docs/source/markdown/options/env-host.md @@ -0,0 +1,3 @@ +#### **--env-host** + +Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) diff --git a/docs/source/markdown/options/group-add.md b/docs/source/markdown/options/group-add.md new file mode 100644 index 0000000000..ac9ade3a78 --- /dev/null +++ b/docs/source/markdown/options/group-add.md @@ -0,0 +1,11 @@ +#### **--group-add**=*group* | *keep-groups* + +Assign additional groups to the primary user running within the container process. + +- `keep-groups` is a special flag that tells Podman to keep the supplementary group access. + +Allows container to use the user's supplementary group access. If file systems or +devices are only accessible by the rootless user's group, this flag tells the OCI +runtime to pass the group access into the container. Currently only available +with the `crun` OCI runtime. Note: `keep-groups` is exclusive, you cannot add any other groups +with this flag. (Not available for remote commands, including Mac and Windows (excluding WSL2) machines) diff --git a/docs/source/markdown/options/hostuser.md b/docs/source/markdown/options/hostuser.md new file mode 100644 index 0000000000..d1d12c88fb --- /dev/null +++ b/docs/source/markdown/options/hostuser.md @@ -0,0 +1,4 @@ +#### **--hostuser**=*name* + +Add a user account to /etc/passwd from the host to the container. The Username +or UID must exist on the host system. diff --git a/docs/source/markdown/options/image-volume.md b/docs/source/markdown/options/image-volume.md new file mode 100644 index 0000000000..2a549ef3c4 --- /dev/null +++ b/docs/source/markdown/options/image-volume.md @@ -0,0 +1,8 @@ +#### **--image-volume**=**bind** | *tmpfs* | *ignore* + +Tells Podman how to handle the builtin image volumes. Default is **bind**. + +- **bind**: An anonymous named volume will be created and mounted into the container. +- **tmpfs**: The volume is mounted onto the container as a tmpfs, which allows the users to create +content that disappears when the container is stopped. +- **ignore**: All volumes are just ignored and no action is taken. diff --git a/docs/source/markdown/options/init-path.md b/docs/source/markdown/options/init-path.md new file mode 100644 index 0000000000..c2be278749 --- /dev/null +++ b/docs/source/markdown/options/init-path.md @@ -0,0 +1,3 @@ +#### **--init-path**=*path* + +Path to the container-init binary. diff --git a/docs/source/markdown/options/init.md b/docs/source/markdown/options/init.md new file mode 100644 index 0000000000..caf300efe7 --- /dev/null +++ b/docs/source/markdown/options/init.md @@ -0,0 +1,5 @@ +#### **--init** + +Run an init inside the container that forwards signals and reaps processes. +The container-init binary is mounted at `/run/podman-init`. +Mounting over `/run` will hence break container execution. diff --git a/docs/source/markdown/options/mount.md b/docs/source/markdown/options/mount.md new file mode 100644 index 0000000000..e81af539de --- /dev/null +++ b/docs/source/markdown/options/mount.md @@ -0,0 +1,77 @@ +#### **--mount**=*type=TYPE,TYPE-SPECIFIC-OPTION[,...]* + +Attach a filesystem mount to the container + +Current supported mount TYPEs are **bind**, **volume**, **image**, **tmpfs** and **devpts**. [[1]](#Footnote1) + + e.g. + + type=bind,source=/path/on/host,destination=/path/in/container + + type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared + + type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true + + type=volume,source=vol1,destination=/path/in/container,ro=true + + type=tmpfs,tmpfs-size=512M,destination=/path/in/container + + type=image,source=fedora,destination=/fedora-image,rw=true + + type=devpts,destination=/dev/pts + + Common Options: + + · src, source: mount source spec for bind and volume. Mandatory for bind. + + · dst, destination, target: mount destination spec. + + Options specific to volume: + + · ro, readonly: true or false (default). + + . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. + + · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. + + Options specific to image: + + · rw, readwrite: true or false (default). + + Options specific to bind: + + · ro, readonly: true or false (default). + + · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2). + + . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive. + + . relabel: shared, private. + + · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. + + . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. + + Options specific to tmpfs: + + · ro, readonly: true or false (default). + + · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. + + · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. + + · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default. + + · notmpcopyup: Disable copying files from the image to the tmpfs. + + . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. + + Options specific to devpts: + + · uid: UID of the file owner (default 0). + + · gid: GID of the file owner (default 0). + + · mode: permission mask for the file (default 600). + + · max: maximum number of PTYs (default 1048576). diff --git a/docs/source/markdown/options/no-healthcheck.md b/docs/source/markdown/options/no-healthcheck.md new file mode 100644 index 0000000000..a722ac5b5f --- /dev/null +++ b/docs/source/markdown/options/no-healthcheck.md @@ -0,0 +1,3 @@ +#### **--no-healthcheck** + +Disable any defined healthchecks for container. diff --git a/docs/source/markdown/options/oom-kill-disable.md b/docs/source/markdown/options/oom-kill-disable.md new file mode 100644 index 0000000000..24ed9a8892 --- /dev/null +++ b/docs/source/markdown/options/oom-kill-disable.md @@ -0,0 +1,5 @@ +#### **--oom-kill-disable** + +Whether to disable OOM Killer for the container or not. + +This flag is not supported on cgroups V2 systems. diff --git a/docs/source/markdown/options/passwd-entry.md b/docs/source/markdown/options/passwd-entry.md new file mode 100644 index 0000000000..33c179d121 --- /dev/null +++ b/docs/source/markdown/options/passwd-entry.md @@ -0,0 +1,5 @@ +#### **--passwd-entry**=*ENTRY* + +Customize the entry that is written to the `/etc/passwd` file within the container when `--passwd` is used. + +The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically replaced with their value at runtime. diff --git a/docs/source/markdown/options/personality.md b/docs/source/markdown/options/personality.md new file mode 100644 index 0000000000..663f14782e --- /dev/null +++ b/docs/source/markdown/options/personality.md @@ -0,0 +1,3 @@ +#### **--personality**=*persona* + +Personality sets the execution domain via Linux personality(2). diff --git a/docs/source/markdown/options/pidfile.md b/docs/source/markdown/options/pidfile.md new file mode 100644 index 0000000000..a494b522e4 --- /dev/null +++ b/docs/source/markdown/options/pidfile.md @@ -0,0 +1,9 @@ +#### **--pidfile**=*path* + +When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. + +After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: + + $ podman inspect --format '{{ .PidFile }}' $CID + /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile diff --git a/docs/source/markdown/options/sdnotify.md b/docs/source/markdown/options/sdnotify.md new file mode 100644 index 0000000000..d090cbf7c7 --- /dev/null +++ b/docs/source/markdown/options/sdnotify.md @@ -0,0 +1,10 @@ +#### **--sdnotify**=**container** | *conmon* | *ignore* + +Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify. + +Default is **container**, which means allow the OCI runtime to proxy the socket into the +container to receive ready notification. Podman will set the MAINPID to conmon's pid. +The **conmon** option sets MAINPID to conmon's pid, and sends READY when the container +has started. The socket is never passed to the runtime or the container. +The **ignore** option removes NOTIFY_SOCKET from the environment for itself and child processes, +for the case where some other process above Podman uses NOTIFY_SOCKET and Podman should not use it. diff --git a/docs/source/markdown/options/seccomp-policy.md b/docs/source/markdown/options/seccomp-policy.md new file mode 100644 index 0000000000..3b2eb75530 --- /dev/null +++ b/docs/source/markdown/options/seccomp-policy.md @@ -0,0 +1,5 @@ +#### **--seccomp-policy**=*policy* + +Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.containers.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. + +Note that this feature is experimental and may change in the future. diff --git a/docs/source/markdown/options/timeout.md b/docs/source/markdown/options/timeout.md new file mode 100644 index 0000000000..731feb973f --- /dev/null +++ b/docs/source/markdown/options/timeout.md @@ -0,0 +1,5 @@ +#### **--timeout**=*seconds* + +Maximum time a container is allowed to run before conmon sends it the kill +signal. By default containers will run until they exit or are stopped by +`podman stop`. diff --git a/docs/source/markdown/options/tz.md b/docs/source/markdown/options/tz.md new file mode 100644 index 0000000000..0442e8a763 --- /dev/null +++ b/docs/source/markdown/options/tz.md @@ -0,0 +1,4 @@ +#### **--tz**=*timezone* + +Set timezone in container. This flag takes area-based timezones, GMT time, as well as `local`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones. +Remote connections use local containers.conf for defaults diff --git a/docs/source/markdown/options/umask.md b/docs/source/markdown/options/umask.md new file mode 100644 index 0000000000..55668b6da0 --- /dev/null +++ b/docs/source/markdown/options/umask.md @@ -0,0 +1,4 @@ +#### **--umask**=*umask* + +Set the umask inside the container. Defaults to `0022`. +Remote connections use local containers.conf for defaults diff --git a/docs/source/markdown/options/unsetenv-all.md b/docs/source/markdown/options/unsetenv-all.md new file mode 100644 index 0000000000..3aad2e805e --- /dev/null +++ b/docs/source/markdown/options/unsetenv-all.md @@ -0,0 +1,5 @@ +#### **--unsetenv-all** + +Unset all default environment variables for the container. Default environment +variables include variables provided natively by Podman, environment variables +configured by the image, and environment variables from containers.conf. diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md.in similarity index 89% rename from docs/source/markdown/podman-create.1.md rename to docs/source/markdown/podman-create.1.md.in index b3e707e45f..008c3c18f7 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md.in @@ -115,9 +115,7 @@ Add Linux capabilities Drop Linux capabilities -#### **--cgroup-conf**=*KEY=VALUE* - -When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. +@@option cgroup-conf #### **--cgroup-parent**=*path* @@ -143,11 +141,7 @@ The *disabled* option will force the container to not create CGroups, and thus c The *no-conmon* option disables a new CGroup only for the conmon process. The *split* option splits the current cgroup in two sub-cgroups: one for conmon and one for the container payload. It is not possible to set *--cgroup-parent* with *split*. -#### **--chrootdirs**=*path* - -Path to a directory inside the container that should be treated as a `chroot` directory. -Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. -Multiple directories should be separated with a comma. +@@option chrootdirs #### **--cidfile**=*id* @@ -358,9 +352,7 @@ See [**Environment**](#environment) note below for precedence and examples. Read in a line delimited file of environment variables. See **Environment** note below for precedence. -#### **--env-host** - -Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +@@option env-host #### **--expose**=*port* @@ -376,17 +368,7 @@ __--uidmap__ maps host UIDs to container UIDs. For details see __--uidmap__. Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod. -#### **--group-add**=*group* | *keep-groups* - -Assign additional groups to the primary user running within the container process. - -- `keep-groups` is a special flag that tells Podman to keep the supplementary group access. - -Allows container to use the user's supplementary group access. If file systems or -devices are only accessible by the rootless user's group, this flag tells the OCI -runtime to pass the group access into the container. Currently only available -with the `crun` OCI runtime. Note: `keep-groups` is exclusive, you cannot add any other groups -with this flag. (Not available for remote commands, including Mac and Windows (excluding WSL2) machines) +@@option group-add #### **--health-cmd**=*"command"* | *'["command", "arg1", ...]'* @@ -425,10 +407,7 @@ Container host name Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pod's hostname will be used. -#### **--hostuser**=*name* - -Add a user account to /etc/passwd from the host to the container. The Username -or UID must exist on the host system. +@@option hostuser #### **--http-proxy** @@ -450,20 +429,9 @@ container: Defaults to `true` -#### **--image-volume**=**bind** | *tmpfs* | *ignore* - -Tells Podman how to handle the builtin image volumes. Default is **bind**. - -- **bind**: An anonymous named volume will be created and mounted into the container. -- **tmpfs**: The volume is mounted onto the container as a tmpfs, which allows the users to create -content that disappears when the container is stopped. -- **ignore**: All volumes are just ignored and no action is taken. +@@option image-volume -#### **--init** - -Run an init inside the container that forwards signals and reaps processes. -The container-init binary is mounted at `/run/podman-init`. -Mounting over `/run` will hence break container execution. +@@option init #### **--init-ctr**=*type* @@ -480,9 +448,7 @@ Init containers are only run on pod `start`. Restarting a pod will not execute containers should they be present. Furthermore, init containers can only be created in a pod when that pod is not running. -#### **--init-path**=*path* - -Path to the container-init binary. +@@option init-path #### **--interactive**, **-i** @@ -611,83 +577,7 @@ Tune a container's memory swappiness behavior. Accepts an integer between 0 and This flag is not supported on cgroups V2 systems. -#### **--mount**=*type=TYPE,TYPE-SPECIFIC-OPTION[,...]* - -Attach a filesystem mount to the container - -Current supported mount TYPEs are **bind**, **volume**, **image**, **tmpfs** and **devpts**. [[1]](#Footnote1) - - e.g. - - type=bind,source=/path/on/host,destination=/path/in/container - - type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared - - type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true - - type=volume,source=vol1,destination=/path/in/container,ro=true - - type=tmpfs,tmpfs-size=512M,destination=/path/in/container - - type=image,source=fedora,destination=/fedora-image,rw=true - - type=devpts,destination=/dev/pts - - Common Options: - - · src, source: mount source spec for bind and volume. Mandatory for bind. - - · dst, destination, target: mount destination spec. - - Options specific to volume: - - · ro, readonly: true or false (default). - - . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. - - · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. - - Options specific to image: - - · rw, readwrite: true or false (default). - - Options specific to bind: - - · ro, readonly: true or false (default). - - · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2). - - . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive. - - . relabel: shared, private. - - · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. - - . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. - - Options specific to tmpfs: - - · ro, readonly: true or false (default). - - · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. - - · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. - - · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default. - - · notmpcopyup: Disable copying files from the image to the tmpfs. - - . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. - - Options specific to devpts: - - · uid: UID of the file owner (default 0). - - · gid: GID of the file owner (default 0). - - · mode: permission mask for the file (default 600). - - · max: maximum number of PTYs (default 1048576). +@@option mount #### **--name**=*name* @@ -745,9 +635,7 @@ these aliases can be used for name resolution on the given network. This option NOTE: When using CNI a container will only have access to aliases on the first network that it joins. This limitation does not exist with netavark/aardvark-dns. -#### **--no-healthcheck** - -Disable any defined healthchecks for container. +@@option no-healthcheck #### **--no-hosts** @@ -756,11 +644,7 @@ By default, Podman will manage _/etc/hosts_, adding the container's own IP addre **--no-hosts** disables this, and the image's _/etc/hosts_ will be preserved unmodified. This option conflicts with **--add-host**. -#### **--oom-kill-disable** - -Whether to disable OOM Killer for the container or not. - -This flag is not supported on cgroups V2 systems. +@@option oom-kill-disable #### **--oom-score-adj**=*num* @@ -769,15 +653,9 @@ Tune the host's OOM preferences for containers (accepts -1000 to 1000) #### **--os**=*OS* Override the OS, defaults to hosts, of the image to be pulled. For example, `windows`. -#### **--passwd-entry**=*ENTRY* - -Customize the entry that is written to the `/etc/passwd` file within the container when `--passwd` is used. +@@option passwd-entry -The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically replaced with their value at runtime. - -#### **--personality**=*persona* - -Personality sets the execution domain via Linux personality(2). +@@option personality #### **--pid**=*pid* @@ -788,15 +666,7 @@ Default is to create a private PID namespace for the container - `ns`: join the specified PID namespace - `private`: create a new namespace for the container (default) -#### **--pidfile**=*path* - -When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. - -After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: - - $ podman inspect --format '{{ .PidFile }}' $CID - /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile +@@option pidfile #### **--pids-limit**=*limit* @@ -944,22 +814,9 @@ directory will be the lower, and the container storage directory will be the upper. Modifications to the mount point are destroyed when the container finishes executing, similar to a tmpfs mount point being unmounted. -#### **--sdnotify**=**container** | *conmon* | *ignore* - -Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify. - -Default is **container**, which means allow the OCI runtime to proxy the socket into the -container to receive ready notification. Podman will set the MAINPID to conmon's pid. -The **conmon** option sets MAINPID to conmon's pid, and sends READY when the container -has started. The socket is never passed to the runtime or the container. -The **ignore** option removes NOTIFY_SOCKET from the environment for itself and child processes, -for the case where some other process above Podman uses NOTIFY_SOCKET and Podman should not use it. - -#### **--seccomp-policy**=*policy* - -Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.containers.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. +@@option sdnotify -Note that this feature is experimental and may change in the future. +@@option seccomp-policy #### **--secret**=*secret[,opt=opt ...]* @@ -1085,11 +942,7 @@ The `container_manage_cgroup` boolean must be enabled for this to be allowed on `setsebool -P container_manage_cgroup true` -#### **--timeout**=*seconds* - -Maximum time a container is allowed to run before conmon sends it the kill -signal. By default containers will run until they exit or are stopped by -`podman stop`. +@@option timeout #### **--tls-verify** @@ -1119,10 +972,7 @@ interactive shell. The default is false. Note: The **-t** option is incompatible with a redirection of the Podman client standard input. -#### **--tz**=*timezone* - -Set timezone in container. This flag takes area-based timezones, GMT time, as well as `local`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones. -Remote connections use local containers.conf for defaults +@@option tz #### **--uidmap**=*container_uid:from_uid:amount* @@ -1208,10 +1058,7 @@ Ulimit options You can pass `host` to copy the current configuration from the host. -#### **--umask**=*umask* - -Set the umask inside the container. Defaults to `0022`. -Remote connections use local containers.conf for defaults +@@option umask #### **--unsetenv**=*env* @@ -1219,11 +1066,7 @@ Unset default environment variables for the container. Default environment variables include variables provided natively by Podman, environment variables configured by the image, and environment variables from containers.conf. -#### **--unsetenv-all** - -Unset all default environment variables for the container. Default environment -variables include variables provided natively by Podman, environment variables -configured by the image, and environment variables from containers.conf. +@@option unsetenv-all #### **--user**, **-u**=*user* diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md.in similarity index 91% rename from docs/source/markdown/podman-run.1.md rename to docs/source/markdown/podman-run.1.md.in index 8c889f0a50..df4c43c414 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md.in @@ -132,9 +132,7 @@ Add Linux capabilities. Drop Linux capabilities. -#### **--cgroup-conf**=*KEY=VALUE* - -When running on cgroup v2, specify the cgroup file to write to and its value. For example **--cgroup-conf=memory.high=1073741824** sets the memory.high limit to 1GB. +@@option cgroup-conf #### **--cgroup-parent**=*path* @@ -162,11 +160,7 @@ The **disabled** option will force the container to not create CGroups, and thus The **no-conmon** option disables a new CGroup only for the **conmon** process. The **split** option splits the current CGroup in two sub-cgroups: one for conmon and one for the container payload. It is not possible to set **--cgroup-parent** with **split**. -#### **--chrootdirs**=*path* - -Path to a directory inside the container that should be treated as a `chroot` directory. -Any Podman managed file (e.g., /etc/resolv.conf, /etc/hosts, etc/hostname) that is mounted into the root directory will be mounted into that location as well. -Multiple directories should be separated with a comma. +@@option chrootdirs #### **--cidfile**=*file* @@ -393,9 +387,7 @@ See [**Environment**](#environment) note below for precedence and examples. Read in a line delimited file of environment variables. See **Environment** note below for precedence. -#### **--env-host** - -Use host environment inside of the container. See **Environment** note below for precedence. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +@@option env-host #### **--expose**=*port* @@ -411,17 +403,7 @@ __--uidmap__ maps host UIDs to container UIDs. For details see __--uidmap__. Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod. -#### **--group-add**=*group* | *keep-groups* - -Assign additional groups to the primary user running within the container process. - -- `keep-groups` is a special flag that tells Podman to keep the supplementary group access. - -Allows container to use the user's supplementary group access. If file systems or -devices are only accessible by the rootless user's group, this flag tells the OCI -runtime to pass the group access into the container. Currently only available -with the `crun` OCI runtime. Note: `keep-groups` is exclusive, you cannot add any other groups -with this flag. (Not available for remote commands, including Mac and Windows (excluding WSL2) machines) +@@option group-add #### **--health-cmd**=*"command"* | *'["command", "arg1", ...]'* @@ -460,10 +442,7 @@ Container host name Sets the container host name that is available inside the container. Can only be used with a private UTS namespace `--uts=private` (default). If `--pod` is specified and the pod shares the UTS namespace (default) the pod's hostname will be used. -#### **--hostuser**=*name* - -Add a user account to /etc/passwd from the host to the container. The Username -or UID must exist on the host system. +@@option hostuser #### **--http-proxy** @@ -480,24 +459,11 @@ proxy environment at container build time.) (This option is not available with t Defaults to **true**. -#### **--image-volume**=**bind** | *tmpfs* | *ignore* - -Tells Podman how to handle the builtin image volumes. Default is **bind**. - -- **bind**: An anonymous named volume will be created and mounted into the container. -- **tmpfs**: The volume is mounted onto the container as a tmpfs, which allows the users to create -content that disappears when the container is stopped. -- **ignore**: All volumes are just ignored and no action is taken. +@@option image-volume -#### **--init** +@@option init -Run an init inside the container that forwards signals and reaps processes. -The container-init binary is mounted at `/run/podman-init`. -Mounting over `/run` will hence break container execution. - -#### **--init-path**=*path* - -Path to the container-init binary. +@@option init-path #### **--interactive**, **-i** @@ -627,83 +593,7 @@ Tune a container's memory swappiness behavior. Accepts an integer between *0* an This flag is not supported on cgroups V2 systems. -#### **--mount**=*type=TYPE,TYPE-SPECIFIC-OPTION[,...]* - -Attach a filesystem mount to the container - -Current supported mount TYPEs are **bind**, **volume**, **image**, **tmpfs** and **devpts**. [[1]](#Footnote1) - - e.g. - - type=bind,source=/path/on/host,destination=/path/in/container - - type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared - - type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared,U=true - - type=volume,source=vol1,destination=/path/in/container,ro=true - - type=tmpfs,tmpfs-size=512M,destination=/path/in/container - - type=image,source=fedora,destination=/fedora-image,rw=true - - type=devpts,destination=/dev/pts - - Common Options: - - · src, source: mount source spec for bind and volume. Mandatory for bind. - - · dst, destination, target: mount destination spec. - - Options specific to volume: - - · ro, readonly: true or false (default). - - . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. - - · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. - - Options specific to image: - - · rw, readwrite: true or false (default). - - Options specific to bind: - - · ro, readonly: true or false (default). - - · bind-propagation: shared, slave, private, unbindable, rshared, rslave, runbindable, or rprivate(default). See also mount(2). - - . bind-nonrecursive: do not set up a recursive bind mount. By default it is recursive. - - . relabel: shared, private. - - · idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. - - . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. - - Options specific to tmpfs: - - · ro, readonly: true or false (default). - - · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux. - - · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. - - · tmpcopyup: Enable copyup from the image directory at the same location to the tmpfs. Used by default. - - · notmpcopyup: Disable copying files from the image to the tmpfs. - - . U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container. - - Options specific to devpts: - - · uid: UID of the file owner (default 0). - - · gid: GID of the file owner (default 0). - - · mode: permission mask for the file (default 600). - - · max: maximum number of PTYs (default 1048576). +@@option mount #### **--name**=*name* @@ -762,9 +652,7 @@ these aliases can be used for name resolution on the given network. This option NOTE: When using CNI a container will only have access to aliases on the first network that it joins. This limitation does not exist with netavark/aardvark-dns. -#### **--no-healthcheck** - -Disable any defined healthchecks for container. +@@option no-healthcheck #### **--no-hosts** @@ -773,11 +661,7 @@ By default, Podman will manage _/etc/hosts_, adding the container's own IP addre **--no-hosts** disables this, and the image's _/etc/hosts_ will be preserved unmodified. This option conflicts with **--add-host**. -#### **--oom-kill-disable** - -Whether to disable OOM Killer for the container or not. - -This flag is not supported on cgroups V2 systems. +@@option oom-kill-disable #### **--oom-score-adj**=*num* @@ -791,15 +675,9 @@ Override the OS, defaults to hosts, of the image to be pulled. For example, `win Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option. This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers. -#### **--passwd-entry**=*ENTRY* - -Customize the entry that is written to the `/etc/passwd` file within the container when `--passwd` is used. +@@option passwd-entry -The variables $USERNAME, $UID, $GID, $NAME, $HOME are automatically replaced with their value at runtime. - -#### **--personality**=*persona* - -Personality sets the execution domain via Linux personality(2). +@@option personality #### **--pid**=*mode* @@ -811,15 +689,7 @@ The default is to create a private PID namespace for the container. - **private**: create a new namespace for the container (default) - **ns:**_path_: join the specified PID namespace. -#### **--pidfile**=*path* - -When the pidfile location is specified, the container process' PID will be written to the pidfile. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) -If the pidfile option is not specified, the container process' PID will be written to /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile. - -After the container is started, the location for the pidfile can be discovered with the following `podman inspect` command: - - $ podman inspect --format '{{ .PidFile }}' $CID - /run/containers/storage/${storage-driver}-containers/$CID/userdata/pidfile +@@option pidfile #### **--pids-limit**=*limit* @@ -982,22 +852,9 @@ finishes executing, similar to a tmpfs mount point being unmounted. Note: On **SELinux** systems, the rootfs needs the correct label, which is by default **unconfined_u:object_r:container_file_t**. -#### **--sdnotify**=**container** | *conmon* | *ignore* - -Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify. - -Default is **container**, which means allow the OCI runtime to proxy the socket into the -container to receive ready notification. Podman will set the MAINPID to conmon's pid. -The **conmon** option sets MAINPID to conmon's pid, and sends READY when the container -has started. The socket is never passed to the runtime or the container. -The **ignore** option removes NOTIFY_SOCKET from the environment for itself and child processes, -for the case where some other process above Podman uses NOTIFY_SOCKET and Podman should not use it. - -#### **--seccomp-policy**=*policy* - -Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.containers.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. +@@option sdnotify -Note that this feature is experimental and may change in the future. +@@option seccomp-policy #### **--secret**=*secret[,opt=opt ...]* @@ -1139,11 +996,7 @@ The **container_manage_cgroup** boolean must be enabled for this to be allowed o setsebool -P container_manage_cgroup true ``` -#### **--timeout**=*seconds* - -Maximum time a container is allowed to run before conmon sends it the kill -signal. By default containers will run until they exit or are stopped by -`podman stop`. +@@option timeout #### **--tls-verify** @@ -1178,10 +1031,7 @@ interactive shell. The default is **false**. echo "asdf" | podman run --rm -i someimage /bin/cat ``` -#### **--tz**=*timezone* - -Set timezone in container. This flag takes area-based timezones, GMT time, as well as `local`, which sets the timezone in the container to match the host machine. See `/usr/share/zoneinfo/` for valid timezones. -Remote connections use local containers.conf for defaults +@@option tz #### **--uidmap**=*container_uid:from_uid:amount* @@ -1267,10 +1117,7 @@ Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** f Ulimit options. You can use **host** to copy the current configuration from the host. -#### **--umask**=*umask* - -Set the umask inside the container. Defaults to `0022`. -Remote connections use local containers.conf for defaults +@@option umask #### **--unsetenv**=*env* @@ -1278,11 +1125,7 @@ Unset default environment variables for the container. Default environment variables include variables provided natively by Podman, environment variables configured by the image, and environment variables from containers.conf. -#### **--unsetenv-all** - -Unset all default environment variables for the container. Default environment -variables include variables provided natively by Podman, environment variables -configured by the image, and environment variables from containers.conf. +@@option unsetenv-all #### **--user**, **-u**=*user[:group]* diff --git a/hack/markdown-preprocess b/hack/markdown-preprocess new file mode 100755 index 0000000000..ec641b6b86 --- /dev/null +++ b/hack/markdown-preprocess @@ -0,0 +1,68 @@ +#!/usr/bin/env python3 +# +# markdown-preprocess - filter *.md.in files, convert to .md +# + +import glob +import os +import sys + +def main(): + try: + os.chdir("docs/source/markdown") + except FileNotFoundError: + raise Exception("Please invoke me from the base repo dir") + + # If called with args, process only those files + infiles = [ os.path.basename(x) for x in sys.argv[1:] ] + if len(infiles) == 0: + # Called without args: process all *.md.in files + infiles = glob.glob('*.md.in') + for infile in infiles: + process(infile) + +def process(infile): + # Some options are the same between containers and pods; determine + # which description to use from the name of the source man page. + pod_or_container = 'container' + if '-pod-' in infile: + pod_or_container = 'pod' + + # Sometimes a man page includes the subcommand. + subcommand = infile.removeprefix("podman-").removesuffix(".1.md.in").replace("-", " ") + + # foo.md.in -> foo.md -- but always write to a tmpfile + outfile = os.path.splitext(infile)[0] + outfile_tmp = outfile + '.tmp.' + str(os.getpid()) + +# print("got here: ",infile, " -> ", outfile) + + with open(infile, 'r') as fh_in, open(outfile_tmp, 'w') as fh_out: + for line in fh_in: + # '@@option foo' -> include file options/foo.md + if line.startswith('@@option '): + _, optionname = line.strip().split(" ") + optionfile = os.path.join("options", optionname + '.md') + fh_out.write("[//]: # (BEGIN included file " + optionfile + ")\n") + with open(optionfile, 'r') as fh_optfile: + for opt_line in fh_optfile: + opt_line = opt_line.replace('', pod_or_container) + opt_line = opt_line.replace('', subcommand) + fh_out.write(opt_line) + + # Weird special case: options/image-volume.md ends in a + # list, and in markdown lists are continued across lines, + # so without an intervening blank line the '[//]' comment + # becomes part of the final list entry. + if opt_line.startswith('-'): + fh_out.write("\n") + + fh_out.write("[//]: # (END included file " + optionfile + ")\n") + else: + fh_out.write(line) + + os.chmod(outfile_tmp, 0o444) + os.rename(outfile_tmp, outfile) + +if __name__ == "__main__": + main()