podman-pod-create

podman-pod-create(1) General Commands Manual podman-pod-create(1)

NAME

   podman-pod-create - Create a new pod

SYNOPSIS

   podman pod create [options] [name]

DESCRIPTION

   Creates an empty pod, or unit of multiple containers, and prepares it to have containers added to it. The pod can be created with a specific name. If a name is not given a random name
   is generated. The pod ID is printed to STDOUT. You can then use podman create --pod <pod_id|pod_name> ... to add containers to the pod, and podman pod start <pod_id|pod_name> to start
   the pod.

   The  operator  can  identify a pod in three ways: UUID long identifier (f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778) UUID short identifier (f78375b1c487) Name
   (jonah)

   podman generates a UUID for each pod, and if a name is not assigned to the container with --name then a random string name is generated for it. This name is useful to identify a pod.

   Note: resource limit related flags work by setting the limits explicitly in the pod's cgroup parent for all containers joining the pod. A container can override  the  resource  limits
   when  joining a pod.  For example, if a pod was created via podman pod create --cpus=5, specifying podman container create --pod=<pod_id|pod_name> --cpus=4 causes the container to use
   the smaller limit. Also, containers which specify their own cgroup, such as --cgroupns=host, do NOT get the assigned pod level cgroup resources.

OPTIONS --add-host=hostname[;hostname[;...]]:ip

   Add a custom host-to-IP mapping to the pod's /etc/hosts file.

   The option takes one or multiple semicolon-separated hostnames to be mapped to a single IPv4 or IPv6 address, separated by a colon. It can also be used to overwrite the  IP  addresses
   of  hostnames  Podman adds to /etc/hosts by default (also see the --name and --hostname options). This option can be specified multiple times to add additional mappings to /etc/hosts.
   It conflicts with the --no-hosts option and conflicts with no_hosts=true in containers.conf.

   Instead of an IP address, the special flag host-gateway can be given. This resolves to an IP address the container can use to connect to the host. The IP  address  chosen  depends  on
   your  network  setup,  thus  there's no guarantee that Podman can determine the host-gateway address automatically, which will then cause Podman to fail with an error message. You can
   overwrite this IP address using the host_containers_internal_ip option in containers.conf.

   The host-gateway address is also used by Podman to automatically add the host.containers.internal and host.docker.internal hostnames to /etc/hosts.  You can  prevent  that  by  either
   giving the --no-hosts option, or by setting host_containers_internal_ip="none" in containers.conf. If no host-gateway address was configured manually and Podman fails to determine the
   IP  address  automatically,  Podman will silently skip adding these internal hostnames to /etc/hosts. If Podman is running in a virtual machine using podman machine (this includes Mac
   and Windows hosts), Podman will silently skip adding the internal hostnames to /etc/hosts, unless an IP address was configured manually; the internal hostnames  are  resolved  by  the
   gvproxy DNS resolver instead.

   Podman  will use the /etc/hosts file of the host as a basis by default, i.e.  any hostname present in this file will also be present in the /etc/hosts file of the container. A differ
   ent base file can be configured using the base_hosts_file config in containers.conf.

   The /etc/hosts file is shared between all containers in the pod.

--blkio-weight=weight

   Block IO relative weight. The weight is a value between 10 and 1000.

   This option is not supported on cgroups V1 rootless systems.

--blkio-weight-device=device:weight

   Block IO relative device weight.

--cgroup-parent=path

   Path to cgroups under which the cgroup for the pod is created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups  are
   created if they do not already exist.

--cpu-shares, -c=shares

   CPU shares (relative weight).

   By  default,  all  containers get the same proportion of CPU cycles. This proportion can be modified by changing the container's CPU share weighting relative to the combined weight of
   all the running containers.  Default weight is 1024.

   The proportion only applies when CPU-intensive processes are running.  When tasks in one container are idle, other containers can use the left-over CPU time. The actual amount of  CPU
   time varies depending on the number of containers running on the system.

   For  example, consider three containers, one has a cpu-share of 1024 and two others have a cpu-share setting of 512. When processes in all three containers attempt to use 100% of CPU,
   the first container receives 50% of the total CPU time. If a fourth container is added with a cpu-share of 1024, the first container only gets 33% of the CPU. The remaining containers
   receive 16.5%, 16.5% and 33% of the CPU.

   On a multi-core system, the shares of CPU time are distributed over all CPU cores. Even if a container is limited to less than 100% of CPU time, it can use 100% of each individual CPU
   core.

   For example, consider a system with more than three cores.  If the container C0 is started with --cpu-shares=512 running one process, and another container C1  with  --cpu-shares=1024
   running two processes, this can result in the following division of CPU shares:

   
    PID  container  CPU  CPU share    
   
    100  C0         0    100% of CPU0 
   
    101  C1         1    100% of CPU1 
   
    102  C1         2    100% of CPU2 
   

   On  some  systems,  changing the resource limits may not be allowed for non-root users. For more details, see https://github.com/containers/podman/blob/main/troubleshooting.md#26-run‐
   ning-containers-with-resource-limits-fails-with-a-permissions-error

   This option is not supported on cgroups V1 rootless systems.

--cpus=amount

   Set the total number of CPUs delegated to the pod. Default is 0.000 which indicates that there is no limit on computation power.

--cpuset-cpus=number

   CPUs in which to allow execution. Can be specified as a comma-separated list (e.g. 0,1), as a range (e.g. 0-3), or any combination thereof (e.g. 0-3,7,11-15).

   On some systems, changing the resource limits may not be allowed for non-root users. For more  details,  see  https://github.com/containers/podman/blob/main/troubleshooting.md#26-run‐
   ning-containers-with-resource-limits-fails-with-a-permissions-error

   This option is not supported on cgroups V1 rootless systems.

--cpuset-mems=nodes

   Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.

   If there are four memory nodes on the system (0-3), use --cpuset-mems=0,1 then processes in the container only uses memory from the first two memory nodes.

   On  some  systems,  changing the resource limits may not be allowed for non-root users. For more details, see https://github.com/containers/podman/blob/main/troubleshooting.md#26-run‐
   ning-containers-with-resource-limits-fails-with-a-permissions-error

   This option is not supported on cgroups V1 rootless systems.

--device=host-device[:container-device][:permissions]

   Add a host device to the pod. Optional permissions parameter can be used to specify device permissions by combining r for read, w for write, and m for mknod(2).

   Example: --device=/dev/sdc:/dev/xvdc:rwm.

   Note: if host-device is a symbolic link then it is resolved first.  The pod only stores the major and minor numbers of the host device.

   Podman may load kernel modules required for using the specified device. The devices that Podman loads modules for when necessary are: /dev/fuse.

   In rootless mode, the new device is bind mounted in the container from the host rather than Podman creating it within the container space. Because the bind mount retains  its  SELinux
   label  on SELinux systems, the container can get permission denied when accessing the mounted device. Modify SELinux settings to allow containers to use all device labels via the fol
   lowing command:

   $ sudo setsebool -P  container_use_devices=true

   Note: the pod implements devices by storing the initial configuration passed by the user and recreating the device on each container added to the pod.

--device-read-bps=path:rate

   Limit read rate (in bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb).

   On some systems, changing the resource limits may not be allowed for non-root users. For more  details,  see  https://github.com/containers/podman/blob/main/troubleshooting.md#26-run‐
   ning-containers-with-resource-limits-fails-with-a-permissions-error

   This option is not supported on cgroups V1 rootless systems.

--device-write-bps=path:rate

   Limit write rate (in bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb).

   On  some  systems,  changing the resource limits may not be allowed for non-root users. For more details, see https://github.com/containers/podman/blob/main/troubleshooting.md#26-run‐
   ning-containers-with-resource-limits-fails-with-a-permissions-error

   This option is not supported on cgroups V1 rootless systems.

--dns=ipaddr

   Set custom DNS servers in the /etc/resolv.conf file that is shared between all containers in the pod. A special option, "none" is allowed which disables creation  of  /etc/resolv.conf
   for the pod.

--dns-option=option

   Set custom DNS options in the /etc/resolv.conf file that is shared between all containers in the pod.

--dns-search=domain

   Set custom DNS search domains in the /etc/resolv.conf file that is shared between all containers in the pod.

--exit-policy=continue | stop

   Set the exit policy of the pod when the last container exits.  Supported policies are:

   
    Exit Policy  Description                                                     
   
    continue     The  pod  continues  running,  by  keeping  its infra container 
                 alive, when the last container exits. Used by default.          
   
    stop         The pod (including its infra container)  is  stopped  when  the 
                 last container exits. Used in kube play.                        
   

--gidmap=pod_gid:host_gid:amount

   GID map for the user namespace. Using this flag runs all containers in the pod with user namespace enabled.  It conflicts with the --userns and --subgidname flags.

--gpus=ENTRY

   GPU devices to add to the container ('all' to pass all GPUs) Currently only Nvidia devices are supported.

--help, -h

   Print usage statement.

--hostname=name

   Set the pod's hostname inside all containers.

   The given hostname is also added to the /etc/hosts file using the container's primary IP address (also see the --add-host option).

--hosts-file=path | none | image

   Base file to create the /etc/hosts file inside the container. This must either be an absolute path to a file on the host system, or one of the following special flags:
     ""      Follow the base_hosts_file configuration in containers.conf (the default)
     none  Do not use a base file (i.e. start with an empty file)
     image Use the container image's /etc/hosts file as base file

--infra

   Create an infra container and associate it with the pod. An infra container is a lightweight container used to coordinate the shared kernel namespace of a pod. Default: true.

--infra-command=command

   The command that is run to start the infra container. Default: "/pause".

--infra-conmon-pidfile=file

   Write the pid of the infra container's conmon process to a file. As conmon runs in a separate process than Podman, this is necessary when using systemd to manage Podman containers and
   pods.

--infra-image=image

   The custom image that is used for the infra container.  Unless specified, Podman builds a custom local image which does not require pulling down an image.

--infra-name=name

   The name that is used for the pod's infra container.

--ip=ipv4

   Specify a static IPv4 address for the pod, for example 10.88.64.128.  This option can only be used if the pod is joined to only a single network - i.e., --network=network-name is used
   at  most  once  -  and  if  the pod is not joining another container's network namespace via --network=container:id.  The address must be within the network's IP address pool (default
   10.88.0.0/16).

   To specify multiple static IP addresses per pod, set multiple networks using the --network option with a static IP address specified for each using the ip mode for that option.

--ip6=ipv6

   Specify a static IPv6 address for the pod, for example fd46:db93:aa76:ac37::10.  This option can only be used if the pod is joined to only a single network - i.e.,  --network=network-
   name  is  used  at  most  once - and if the pod is not joining another container's network namespace via --network=container:id.  The address must be within the network's IPv6 address
   pool.

   To specify multiple static IPv6 addresses per pod, set multiple networks using the --network option with a static IPv6 address specified for each using the ip6 mode for that option.

--label, -l=key=value

   Add metadata to a pod.

--label-file=file

   Read in a line-delimited file of labels.

--mac-address=address

   Pod network interface MAC address (e.g. 92:d0:c6:0a:29:33) This option can only be used if the pod is joined to only a single network - i.e., --network=network-name is  used  at  most
   once - and if the pod is not joining another container's network namespace via --network=container:id.

   Remember that the MAC address in an Ethernet network must be unique.  The IPv6 link-local address is based on the device's MAC address according to RFC4862.

   To specify multiple static MAC addresses per pod, set multiple networks using the --network option with a static MAC address specified for each using the mac mode for that option.

--memory, -m=number[unit]

   Memory limit. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes).

   Allows  the  memory available to a container to be constrained. If the host supports swap memory, then the -m memory setting can be larger than physical RAM. If a limit of 0 is speci
   fied (not using -m), the container's memory is not limited. The actual limit may be rounded up to a multiple of the operating system's page size (the value is very large, that's  mil
   lions of trillions).

   This option is not supported on cgroups V1 rootless systems.

--memory-swap=number[unit]

   A limit value equal to memory plus swap.  A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes).

   Must be used with the -m (--memory) flag.  The argument value must be larger than that of
    -m (--memory) By default, it is set to double the value of --memory.

   Set number to -1 to enable unlimited swap.

   This option is not supported on cgroups V1 rootless systems.

--name, -n=name

   Assign a name to the pod.

--network=mode, --net

   Set the network mode for the pod.

   Valid mode values are:

           bridge[:OPTIONS,...]: Create a network stack on the default bridge. This is the default for rootful containers. It is possible to specify these additional options:

             alias=name: Add network-scoped alias for the container.

             ip=IPv4: Specify a static IPv4 address for this container.

             ip6=IPv6: Specify a static IPv6 address for this container.

             mac=MAC: Specify a static MAC address for this container.

             interface_name=name: Specify a name for the created network interface inside the container.

             host_interface_name=name: Specify a name for the created network interface outside the container.

          Any  other options will be passed through to netavark without validation. This can be useful to pass arguments to netavark plugins.For example, to set a static ipv4 address and
          a static mac address, use --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99.

           <network name or ID>[:OPTIONS,...]: Connect to a user-defined network; this is the network name or ID from a network created by podman network create. It is possible to spec
            ify the same options described under the bridge mode above. Use the --network option multiple times to specify additional networks.
            For backwards compatibility it is also possible to specify comma-separated networks on the first --network argument, however this prevents you  from  using  the  options  de
            scribed under the bridge section above.

           none: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity.

           container:id: Reuse another container's network stack.

          • host: Do not create a network namespace, the container uses the host's network. Note: The host mode gives the container full access to local system services such as D-bus and
            is therefore considered insecure.

           ns:path: Path to a network namespace to join.

           private: Create a new namespace for the container. This uses the bridge mode for rootful containers and slirp4netns for rootless ones.

           slirp4netns[:OPTIONS,...]:  use  slirp4netns(1)  to create a user network stack. It is possible to specify these additional options, they can also be set with network_cmd_op
            tions in containers.conf:

             allow_host_loopback=true|false: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet  when  changed,  see  the
              cidr option below). The default is false.

             mtu=MTU: Specify the MTU to use for this network. (Default is 65520).

             cidr=CIDR: Specify ip range to use for this network. (Default is 10.0.2.0/24).

             enable_ipv6=true|false: Enable IPv6. Default is true. (Required for outbound_addr6).

             outbound_addr=INTERFACE: Specify the outbound interface slirp binds to (ipv4 traffic only).

             outbound_addr=IPv4: Specify the outbound ipv4 address slirp binds to.

             outbound_addr6=INTERFACE: Specify the outbound interface slirp binds to (ipv6 traffic only).

             outbound_addr6=IPv6: Specify the outbound ipv6 address slirp binds to.

             port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
              Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually 10.0.2.100. If the application requires the
              real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-de
              fined networks.

             port_handler=slirp4netns:  Use  the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used
              for user-defined networks.

           pasta[:OPTIONS,...]: use pasta(1) to create a user-mode networking stack.
            This is the default for rootless containers and only supported in rootless mode.
            By default, IPv4 and IPv6 addresses and routes, as well as the pod interface name, are copied from the host. If port forwarding isn't configured, ports are forwarded  dynami
            cally  as  services  are bound on either side (init namespace or container namespace). Port forwarding preserves the original source IP address. Options described in pasta(1)
            can be specified as comma-separated arguments.
            In terms of pasta(1) options, --config-net is given by default, in order to configure networking when the container is started, and --no-map-gw is also assumed by default, to
            avoid direct access from container to host using the gateway address. The latter can be overridden by passing --map-gw in the pasta-specific options (despite not being an ac
            tual pasta(1) option).
            Also, -t none and -u none are passed if, respectively, no TCP or UDP port forwarding from host to container is configured, to disable automatic port forwarding based on bound
            ports. Similarly, -T none and -U none are given to disable the same functionality from container to host.
            Some examples:

             pasta:--map-gw: Allow the container to directly reach the host using the gateway address.

             pasta:--mtu,1500: Specify a 1500 bytes MTU for the tap interface in the container.

             pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp, equivalent to default slirp4netns(1) options:  disable  IPv6,
              assign 10.0.2.0/24 to the tap0 interface in the container, with gateway 10.0.2.3, enable DNS forwarder reachable at 10.0.2.3, set MTU to 1500 bytes, disable NDP, DHCPv6 and
              DHCP support.

             pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp,  equivalent  to  default  slirp4netns(1)  options with Podman
              overrides: same as above, but leave the MTU to 65520 bytes

             pasta:-t,auto,-u,auto,-T,auto,-U,auto: enable automatic port forwarding based on observed bound ports from both host and container sides

             pasta:-T,5201: enable forwarding of TCP port 5201 from container to host, using the loopback interface instead of the tap interface for improved performance

   Invalid if using --dns, --dns-option, or --dns-search with --network set to none or container:id.

--network-alias=alias

   Add a network-scoped alias for the pod, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under
   the --network option.  If the network has DNS enabled (podman network inspect -f {{.DNSEnabled}} <name>), these aliases can be used for name resolution on the given network. This  op
   tion can be specified multiple times.  NOTE: When using CNI a pod only has access to aliases on the first network that it joins. This limitation does not exist with netavark/aardvark-
   dns.

--no-hostname

   Do not create the /etc/hostname file in the containers.

   By  default,  Podman manages the /etc/hostname file, adding the container's own hostname.  When the --no-hostname option is set, the image's /etc/hostname will be preserved unmodified
   if it exists.

--no-hosts

   Do not modify the /etc/hosts file in the pod.

   Podman assumes control over the pod's /etc/hosts file by default and adds entries for the container's name (see --name option) and  hostname  (see  --hostname  option),  the  internal
   host.containers.internal and host.docker.internal hosts, as well as any hostname added using the --add-host option. Refer to the --add-host option for details. Passing --no-hosts dis
   ables this, so that the image's /etc/hosts file is kept unmodified. The same can be achieved globally by setting no_hosts=true in containers.conf.

   This option conflicts with --add-host.

--pid=pid

   Set the PID mode for the pod. The default is to create a private PID namespace for the pod. Requires the PID namespace to be shared via --share.

   host: use the hosts PID namespace for the pod
   ns: join the specified PID namespace
   private: create a new namespace for the pod (default)

--pod-id-file=path

   Write the pod ID to the file.

--publish, -p=[[ip:][hostPort]:]containerPort[/protocol]

   Publish a container's port, or range of ports, within this pod to the host.

   Both  hostPort and containerPort can be specified as a range of ports.  When specifying ranges for both, the number of container ports in the range must match the number of host ports
   in the range.

   If host IP is set to 0.0.0.0 or not set at all, the port is bound on all IPs on the host.

   By default, Podman publishes TCP ports. To publish a UDP port instead, give udp as protocol. To publish both TCP and UDP ports, set --publish twice, with tcp, and udp as protocols re
   spectively. Rootful containers can also publish ports using the sctp protocol.

   Host port does not have to be specified (e.g. podman run -p 127.0.0.1::80).  If it is not, the container port is randomly assigned a port on the host.

   Use podman port to see the actual mapping: podman port $CONTAINER $CONTAINERPORT.

   Note that the network drivers macvlan and ipvlan do not support port forwarding, it will have no effect on these networks.

   Note: You must not publish ports of containers in the pod individually, but only by the pod itself.

   Note: This cannot be modified once the pod is created.

--replace

   If another pod with the same name already exists, replace and remove it. The default is false.

--restart=policy

   Restart policy to follow when containers exit.  Restart policy does not take effect if a container is stopped via the podman kill or podman stop commands.

   Valid policy values are:

           no                       : Do not restart containers on exit

           never                    : Synonym for no; do not restart containers on exit

           on-failure[:max_retries] : Restart containers when they exit with a non-zero exit code, retrying indefinitely or until the optional max_retries count is hit

           always                   : Restart containers when they exit, regardless of status, retrying indefinitely

           unless-stopped           : Identical to always

   Podman provides a systemd unit file, podman-restart.service, which restarts containers after a system reboot.

   When running containers in systemd services, use the restart functionality provided by systemd.  In other words, do not use this option in a container unit, instead set  the  Restart=
   systemd directive in the [Service] section.  See podman-systemd.unit(5) and systemd.service(5).

   Default restart policy for all the containers in a pod.

--security-opt=option

   Security Options

           apparmor=unconfined : Turn off apparmor confinement for the pod

           apparmor=alternate-profile : Set the apparmor confinement profile for the pod

           label=user:USER: Set the label user for the pod processes

           label=role:ROLE: Set the label role for the pod processes

           label=type:TYPE: Set the label process type for the pod processes

           label=level:LEVEL: Set the label level for the pod processes

           label=filetype:TYPE: Set the label file type for the pod files

           label=disable: Turn off label separation for the pod

   Note:  Labeling  can  be  disabled  for all pods/containers by setting label=false in the containers.conf (/etc/containers/containers.conf or $HOME/.config/containers/containers.conf)
   file.

           label=nested: Allows SELinux modifications within the container. Containers are allowed to modify SELinux labels on files and processes, as long  as  SELinux  policy  allows.
            Without nested, containers view SELinux as disabled, even when it is enabled on the host. Containers are prevented from setting any labels.

           mask=/path/1:/path/2: The paths to mask separated by a colon. A masked path cannot be accessed inside the containers within the pod.

           no-new-privileges: Disable container processes from gaining additional privileges.

           seccomp=unconfined: Turn off seccomp confinement for the pod.

           seccomp=profile.json:  JSON file to be used as a seccomp filter. Note that the io.podman.annotations.seccomp annotation is set with the specified value as shown in podman in
            spect.

           proc-opts=OPTIONS : Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the proc(5) man page.

           unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to ALL, it unmasks all the paths that are masked or made  read-
            only  by  default.  The default masked paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats,
            /sys/firmware, and /sys/fs/selinux, /sys/devices/virtual/powercap.  The default paths  that  are  read-only  are  /proc/asound,  /proc/bus,  /proc/fs,  /proc/irq,  /proc/sys,
            /proc/sysrq-trigger, /sys/fs/cgroup.

   Note: Labeling can be disabled for all containers by setting label=false in the containers.conf(5) file.

--share=namespace

   A  comma-separated  list  of  kernel  namespaces to share. If none or "" is specified, no namespaces are shared, and the infra container is not created unless explicitly specified via
   --infra=true. The namespaces to choose from are cgroup, ipc, net, pid, uts. If the option is prefixed with a "+", the namespace is appended to the default list. Otherwise, it replaces
   the default list. Defaults match Kubernetes default (ipc, net, uts)

--share-parent

   This boolean determines whether or not all containers entering the pod use the pod as their cgroup parent. The default value of this option is true. Use the --share  option  to  share
   the cgroup namespace rather than a cgroup parent in a pod.

   Note: This option conflicts with the --share=cgroup option since that option sets the pod as the cgroup parent but enters the container into the same cgroupNS as the infra container.

--shm-size=number[unit]

   Size  of /dev/shm. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes).  If the unit is omitted, the system uses bytes. If the size is omitted, the default is 64m.
   When size is 0, there is no limit on the amount of memory used for IPC by the pod.  This option conflicts with --ipc=host.

--shm-size-systemd=number[unit]

   Size of systemd-specific tmpfs mounts such as /run, /run/lock, /var/log/journal and /tmp.  A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes).   If  the  unit  is
   omitted, the system uses bytes. If the size is omitted, the default is 64m.  When size is 0, the usage is limited to 50% of the host's available memory.

--subgidname=name

   Run  the  container  in a new user namespace using the map with name in the /etc/subgid file.  If running rootless, the user needs to have the right to use the mapping. See subgid(5).
   This flag conflicts with --userns and --gidmap.

--subuidname=name

   Run the container in a new user namespace using the map with name in the /etc/subuid file.  If running rootless, the user needs to have the right to use the  mapping.  See  subuid(5).
   This flag conflicts with --userns and --uidmap.

--sysctl=name=value

   Configure namespaced kernel parameters for all containers in the pod.

   For the IPC namespace, the following sysctls are allowed:

           kernel.msgmax

           kernel.msgmnb

           kernel.msgmni

           kernel.sem

           kernel.shmall

           kernel.shmmax

           kernel.shmmni

           kernel.shm_rmid_forced

           Sysctls beginning with fs.mqueue.*

   Note: if the ipc namespace is not shared within the pod, the above sysctls are not allowed.

   For the network namespace, only sysctls beginning with net.* are allowed.

   Note: if the network namespace is not shared within the pod, the above sysctls are not allowed.

--uidmap=container_uid:from_uid:amount

   Run  all  containers in the pod in a new user namespace using the supplied mapping. This option conflicts with the --userns and --subuidname options. This option provides a way to map
   host UIDs to container UIDs. It can be passed several times to map different ranges.

--userns=mode

   Set the user namespace mode for all the containers in a pod. It defaults to the PODMAN_USERNS environment variable. An empty value ("") means user namespaces are disabled.

   Rootless user --userns=Key mappings:

   
    Key      Host User  Container User                                  
   
    ""       $UID       0 (Default User account mapped to root user  in 
                        container.)                                     
   
    host     $UID       0  (Default User account mapped to root user in 
                        container.)                                     
   
    keep-id  $UID       $UID (Map user account to same UID within  con 
                        tainer.)                                        
   
    auto     $UID       nil  (Host  User  UID  is  not mapped into con 
                        tainer.)                                        
   
    nomap    $UID       nil (Host User UID  is  not  mapped  into  con 
                        tainer.)                                        
   

   Valid mode values are:

           auto[:OPTIONS,...]: automatically create a namespace. It is possible to specify these options to auto:

             gidmapping=CONTAINER_GID:HOST_GID:SIZE to force a GID mapping to be present in the user namespace.

             size=SIZE:  to specify an explicit size for the automatic user namespace. e.g. --userns=auto:size=8192. If size is not specified, auto estimates the size for the user name
              space.

             uidmapping=CONTAINER_UID:HOST_UID:SIZE to force a UID mapping to be present in the user namespace.

           host: run in the user namespace of the caller. The processes running in the container have the same privileges on the host as any other process launched by the  calling  user
            (default).

           keep-id:  creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created
            by the root user.

          • nomap: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers  created  by  the  root
            user.

--uts=mode

   Set the UTS namespace mode for the pod. The following values are supported:

           host: use the host's UTS namespace inside the pod.

           private: create a new namespace for the pod (default).

           ns:[path]: run the pod in the given existing UTS namespace.

--volume, -v=[[SOURCE-VOLUME|HOST-DIR:]CONTAINER-DIR[:OPTIONS]]

   Create  a  bind  mount.  If -v /HOST-DIR:/CONTAINER-DIR is specified, Podman bind mounts /HOST-DIR from the host into /CONTAINER-DIR in the Podman container. Similarly, -v SOURCE-VOL
   UME:/CONTAINER-DIR mounts the named volume from the host into the container. If no such named volume exists, Podman creates one. If no source is given, the volume  is  created  as  an
   anonymously named volume with a randomly generated name, and is removed when the pod is removed via the --rm flag or the podman rm --volumes command.

   (Note when using the remote client, including Mac and Windows (excluding WSL2) machines, the volumes are mounted from the remote server, not necessarily the client machine.)

   The OPTIONS is a comma-separated list and can be one or more of:

           rw|ro

           z|Z

           [O]

           [U]

           [no]copy

           [no]dev

           [no]exec

           [no]suid

           [r]bind

           [r]shared|[r]slave|[r]private[r]unbindable [1] #Footnote1⟩

           idmap[=options]

   The CONTAINER-DIR must be an absolute path such as /src/docs. The volume is mounted into the container at this directory.

   If  a  volume source is specified, it must be a path on the host or the name of a named volume. Host paths are allowed to be absolute or relative; relative paths are resolved relative
   to the directory Podman is run in. If the source does not exist, Podman returns an error. Users must pre-create the source files or directories.

   Any source that does not begin with a . or / is treated as the name of a named volume. If a volume with that name does not exist, it is created.  Volumes created with  names  are  not
   anonymous, and they are not removed by the --rm option and the podman rm --volumes command.

   Specify multiple -v options to mount one or more volumes into a pod.

   Write Protected Volume Mounts

   Add :ro or :rw option to mount a volume in read-only or read-write mode, respectively. By default, the volumes are mounted read-write.  See examples.

   Chowning Volume Mounts

   By  default,  Podman does not change the owner and group of source volume directories mounted into containers. If a pod is created in a new user namespace, the UID and GID in the con
   tainer may correspond to another UID and GID on the host.

   The :U suffix tells Podman to use the correct host UID and GID based on the UID and GID within the pod, to change recursively the owner and group of the source volume. Chowning  walks
   the file system under the volume and changes the UID/GID on each file. If the volume has thousands of inodes, this process takes a long time, delaying the start of the pod.

   Warning use with caution since this modifies the host filesystem.

   Labeling Volume Mounts

   Labeling  systems like SELinux require that proper labels are placed on volume content mounted into a pod. Without a label, the security system might prevent the processes running in
   side the pod from using the content. By default, Podman does not change the labels set by the OS.

   To change a label in the pod context, add either of two suffixes :z or :Z to the volume mount. These suffixes tell Podman to relabel file objects on the shared volumes. The  z  option
   tells  Podman  that  two  or  more  pods  share  the  volume  content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to
   read/write content. The Z option tells Podman to label the content with a private unshared label Only the current pod can use a private volume. Note: all containers within a pod share
   the same SELinux label. This means all containers within said pod can read/write volumes shared into the container created with the :Z on any of one the containers.  Relabeling  walks
   the  file system under the volume and changes the label on each file, if the volume has thousands of inodes, this process takes a long time, delaying the start of the pod. If the vol
   ume was previously relabeled with the z option, Podman is optimized to not relabel a second time. If files are moved into the volume, then the labels can be manually change  with  the
   chcon -Rt container_file_t PATH command.

   Note:  Do  not  relabel system files and directories. Relabeling system content might cause other confined services on the machine to fail.  For these types of containers we recommend
   disabling SELinux separation.  The option --security-opt label=disable disables SELinux separation for the pod.  For example if a user wanted to volume mount their entire home  direc
   tory into a pod, they need to disable SELinux separation.

   $ podman pod create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file

   Overlay Volume Mounts

   The :O flag tells Podman to mount the directory from the host as a temporary storage using the overlay file system. The pod processes can modify content within the mountpoint which is
   stored  in  the  container storage in a separate directory. In overlay terms, the source directory is the lower, and the container storage directory is the upper. Modifications to the
   mount point are destroyed when the pod finishes executing, similar to a tmpfs mount point being unmounted.

   For advanced users, the overlay option also supports custom non-volatile upperdir and workdir for the overlay mount. Custom upperdir and workdir can be  fully  managed  by  the  users
   themselves, and Podman does not remove it on lifecycle completion.  Example :O,upperdir=/some/upper,workdir=/some/work

   Subsequent executions of the container sees the original source directory content, any changes from previous pod executions no longer exist.

   One use case of the overlay mount is sharing the package cache from the host into the container to allow speeding up builds.

   Note: The O flag conflicts with other options listed above.

   Content  mounted  into  the container is labeled with the private label.  On SELinux systems, labels in the source directory must be readable by the pod infra container label. Usually
   containers can read/execute container_share_t and can read/write container_file_t. If unable to change the labels on a source volume, SELinux container separation must be disabled for
   the pod or infra container to work.

   Do not modify the source directory mounted into the pod with an overlay mount, it can cause unexpected failures. Only modify the directory after the container finishes running.

   Mounts propagation

   By default, bind-mounted volumes are private. That means any mounts done inside the pod are not visible on the host and vice versa.  One can change this behavior by specifying a  vol
   ume  mount  propagation  property.  When a volume is shared, mounts done under that volume inside the pod are visible on host and vice versa. Making a volume slave[1] #Footnote1⟩ en‐
   ables only one-way mount propagation: mounts done on the host under that volume are visible inside the container but not the other way around.

   To control mount propagation property of a volume one can use the [r]shared, [r]slave, [r]private or the [r]unbindable propagation flag.  Propagation property can  be  specified  only
   for  bind  mounted  volumes and not for internal volumes or named volumes. For mount propagation to work the source mount point (the mount point where source dir is mounted on) has to
   have the right propagation properties. For shared volumes, the source mount point has to be shared. And for slave volumes, the source mount point has to be  either  shared  or  slave.
   [1] #Footnote1⟩

   To  recursively mount a volume and all of its submounts into a pod, use the rbind option. By default the bind option is used, and submounts of the source directory is not mounted into
   the pod.

   Mounting the volume with a copy option tells podman to copy content from the underlying destination directory onto newly created internal volumes. The copy only happens on the initial
   creation of the volume. Content is not copied up when the volume is subsequently used on different containers. The copy option is ignored on bind mounts and has no effect.

   Mounting volumes with the nosuid options means that SUID executables on the volume can not be used by applications to change their privilege. By default volumes are mounted  with  no
   suid.

   Mounting the volume with the noexec option means that no executables on the volume can be executed within the pod.

   Mounting the volume with the nodev option means that no devices on the volume can be used by processes within the pod. By default volumes are mounted with nodev.

   If the HOST-DIR is a mount point, then dev, suid, and exec options are ignored by the kernel.

   Use  df HOST-DIR to figure out the source mount, then use findmnt -o TARGET,PROPAGATION source-mount-dir to figure out propagation properties of source mount. If findmnt(1) utility is
   not available, then one can look at the mount entry for the source mount point in /proc/self/mountinfo. Look at the "optional fields" and see if any propagation properties are  speci
   fied.  In there, shared:N means the mount is shared, master:N means mount is slave, and if nothing is there, the mount is private. [1] #Footnote1⟩

   To  change  propagation  properties  of a mount point, use mount(8) command. For example, if one wants to bind mount source directory /foo, one can do mount --bind /foo /foo and mount
   --make-private --make-shared /foo. This converts /foo into a shared mount point. Alternatively, one can directly change propagation properties of source mount. Say / is  source  mount
   for /foo, then use mount --make-shared / to convert / into a shared mount.

   Note: if the user only has access rights via a group, accessing the volume from inside a rootless pod fails.

   Idmapped mount

   If idmap is specified, create an idmapped mount to the target user namespace in the container. The idmap option supports a custom mapping that can be different than the user namespace
   used by the container. The mapping can be specified after the idmap option like: idmap=uids=0-1-10#10-11-10;gids=0-100-10.  For each triplet, the first value is the start of the back‐
   ing file system IDs that are mapped to the second value on the host.  The length of this mapping is given in the third value.  Multiple ranges are separated with #.

--volumes-from=CONTAINER[:OPTIONS]

   Mount volumes from the specified container(s). Used to share volumes between containers and pods. The options is a comma-separated list with the following available elements:

           rw|ro

           z

   Mounts  already mounted volumes from a source container onto another pod. CONTAINER may be a name or ID.  To share a volume, use the --volumes-from option when running the target con
   tainer. Volumes can be shared even if the source container is not running.

   By default, Podman mounts the volumes in the same mode (read-write or read-only) as it is mounted in the source container.  This can be changed by adding a ro or rw option.

   Labeling systems like SELinux require that proper labels are placed on volume content mounted into a pod. Without a label, the security system might prevent the processes running  in
   side the container from using the content. By default, Podman does not change the labels set by the OS.

   To  change  a label in the pod context, add z to the volume mount.  This suffix tells Podman to relabel file objects on the shared volumes. The z option tells Podman that two entities
   share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content.

   If the location of the volume from the source container overlaps with data residing on a target pod, then the volume hides that data on the target.

EXAMPLES

   Create a named pod.

   $ podman pod create --name test

   Create a named pod.

   $ podman pod create mypod

   Create a pod without an infra container.

   $ podman pod create --infra=false

   Create a named pod with infra container command to run.

   $ podman pod create --infra-command /top toppod

   Create a pod with published ports on the host.

   $ podman pod create --publish 8443:443

   Create a pod with the specified network configuration.

   $ podman pod create --network slirp4netns:outbound_addr=127.0.0.1,allow_host_loopback=true

   Create a pod with the specified network.

   $ podman pod create --network pasta

   Create a pod on two networks.

   $ podman pod create --network net1:ip=10.89.1.5 --network net2:ip=10.89.10.10

SEE ALSO

   podman(1), podman-pod(1), podman-kube-play(1), containers.conf(1), cgroups(7)

Troubleshooting

   See podman-troubleshooting(7) for solutions to common issues.

HISTORY

   July 2018, Originally compiled by Peter Hunt pehunt@redhat.com mailto:pehunt@redhat.com

FOOTNOTES

   1: The Podman project is committed to inclusivity, a core value of open source. The master and slave mount propagation terminology used here is problematic and divisive, and needs  to
   be  changed.  However,  these  terms are currently used within the Linux kernel and must be used as-is at this time. When the kernel maintainers rectify this usage, Podman will follow
   suit immediately.

                                                                                                                                                                      podman-pod-create(1)