ここ3年くらいのPodmanの変化を確認

以前にざっくりまとめたのが2020年11月だったので、その時点と現在のPodmanの変化をさらっとまとめてみます。

今、改めてUbuntuでPodmanを使う(2020年11月)

UpstreamとUbuntuに収録されているPodmanのバージョン

• Ubuntu 20.10 Groovy Gorilla → 2.0.6
• Ubuntu 22.04 Jammy Jellyfish → 3.4.4
• Ubuntu 23.04 Lunar Lobster → 4.3.1
• 現在のUpstreamのPodmanのバージョン → 4.5.1

なので、Ubuntuで標準でインストールできるPodmanを使う場合はいくらか変更がある可能性はあります。今回はJoshua Riek氏のビルドしたUbuntu Server 22.04(Kernel 5.10)でPodman環境を構築します。

$ uname -a
Linux ubuntu 5.10.160-rockchip #6 SMP Thu Jul 13 03:49:20 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

Podmanのインストール

# apt-get install podman
(snip)
Selecting previously unselected package slirp4netns.
Preparing to unpack .../33-slirp4netns_1.0.1-2_arm64.deb ...
Unpacking slirp4netns (1.0.1-2) ...
Setting up session-migration (0.3.6) ...
Created symlink /etc/systemd/user/graphical-session-pre.target.wants/session-migration.service → /usr/lib/systemd/user/session-migration.service.
(snip)
Setting up podman (3.4.4+ds1-1ubuntu1.22.04.1) ...
Created symlink /etc/systemd/user/default.target.wants/podman.service → /usr/lib/systemd/user/podman.service.
Created symlink /etc/systemd/user/sockets.target.wants/podman.socket → /usr/lib/systemd/user/podman.socket.
Created symlink /etc/systemd/system/default.target.wants/podman.service → /lib/systemd/system/podman.service.
Created symlink /etc/systemd/system/sockets.target.wants/podman.socket → /lib/systemd/system/podman.socket.
Created symlink /etc/systemd/system/default.target.wants/podman-auto-update.service → /lib/systemd/system/podman-auto-update.service.
Created symlink /etc/systemd/system/timers.target.wants/podman-auto-update.timer → /lib/systemd/system/podman-auto-update.timer.
Created symlink /etc/systemd/system/default.target.wants/podman-restart.service → /lib/systemd/system/podman-restart.service.

一応バージョンを確認します。

$ podman -v
podman version 3.4.4
$ podman info
host:
  arch: arm64
  buildahVersion: 1.23.1
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 8
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: ubuntu
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 5.10.160-rockchip
  linkmode: dynamic
  logDriver: journald
  memFree: 15774879744
  memTotal: 16479313920
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 2h 11m 11.42s (Approximately 0.08 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/hogehoge/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /home/hogehoge/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1001/containers
  volumePath: /home/hogehoge/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Thu Jan  1 09:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  OsArch: linux/arm64
  Version: 3.4.4

ストレージドライバーについて

dockerで一度痛い目に遭っているストレージドライバーについて、途中で変更ができない¹ので少し念入りに確認します。

Dockerを23にアップグレードしたら-g(–graph)オプションが廃止されてdockerdが起動できなくなっていた

overlayについて

overlayという単語はコンテナ界隈では3つあるようなので、確認します。

• overlay(オリジナル) → Dockerがaufsの代わりに作った実装
• overlay2 → overlayの改良版
• fuse-overlayfs → FUSEを使ってoverlayを実現

Oracleの説明によれば

The storage driver is used to define how images and containers are stored. In Docker, there were options to use overlay or overlay2 drivers, but Podman treats these as interchangeable to mean overlay2. Oracle has tested the overlay2 driver with XFS, Ext4 and Btrfs where kernel support is available. Although you can change the storage driver to use another file system that is capable of layering, Oracle only supports the overlay2 driver in conjunction with the tested file systems.

この説明の中で

In Docker, there were options to use overlay or overlay2 drivers, but Podman treats these as interchangeable to mean overlay2.

Dockerではoverlayとoverlay2を使うオプションがあったが、Podmanではoverlay2を意味するものとして扱う

Oracle only supports the overlay2 driver in conjunction with the tested file systems.

Oracleでは、テストされたファイルシステムと組み合わせたoverlay2だけをサポートする(ファイルシステムとは前の文にあるXFS, Ext4,Btrfs)

Configuring Storage for Podman

とのことなので、Podmanにおいてoverlayと書いてある場合はoverlay2を指していると思って良さそうです。

Kernel 5.13以降であればrootlessでネイティブのOverlayが使える

Redhat曰く、元々5.11でサポートが入ったもののSELinuxのバグで使えなかったのが5.13で修正されたとのこと。

Podman is gaining rootless overlay support | Enable Sysadmin

なんですが、今回Podmanを使う環境はKernel5.10なので残念ながらネイティブのoverlayは使えず、fuse-overlayfsを使うことになります。

ちなみに、先に実行したpodman infoの実行結果でgraphDriverName: overlay と Native Overlay Diff: "true"が出力されていればネイティブのoverlayが使えるそうです。

  graphDriverName: overlay
    Native Overlay Diff: "false"

はい残念。

Podman - ArchWiki

設定変更

今回、ストレージドライバーとイメージ・コンテナ保存場所はデフォルトから変更したいので、その変更方法を見ます。

Ubuntu Manpage: storage.conf - Syntax of Container Storage configuration file

   driver=""
     container storage driver
     Default  Copy  On  Write  (COW)  container  storage driver. Valid drivers are "overlay",
   "vfs", "devmapper", "aufs", "btrfs", and "zfs". Some drivers (for example, "zfs", "btrfs",
   and "aufs") may not work if your kernel lacks support for the filesystem.
     This field is required to guarantee proper operation.
     Valid rootless drivers are "btrfs", "overlay", and "vfs".
     Rootless users default to the driver defined in the system configuration when possible.
     When  the  system  configuration  uses  an  unsupported  rootless driver, rootless users
   default to "overlay" if available, otherwise "vfs".

使えるドライバーはoverlay, vfs, devmapper, aufs, btrfs, zfsで、zfs, btrfs, aufs等はkernelがファイルシステムをサポートしていないと使えない。 rootlessはシステム設定に定義されているものが使える場合にデフォルトで使うことができる システム設定の定義がrootlessとしてサポートされていない場合、rootlessは可能であればデフォルトでoverlayを使い、そうでなければvfsを使う。

ちなみに、このmanpageはcontainers-storageパッケージに入っているので、入れました。入れたことで何かが変わるのかは未検証です。

# apt-get install containers-storage

設定ファイルについて(把握している分)

Podmanの設定ファイルについてわかっているのは以下の通りです。また、デフォルトで存在するファイルの内容は長いのでこの記事の末尾に記載します。

containers-policy.json

コンテナレジストリのポリシーを記載する

containers-registries.conf

コンテナレジストリの定義を記載する

containers-storage.conf

ストレージドライバーやイメージ格納場所などの設定を記載する

ローカルにダウンロードするイメージ・コンテナのパスを変更する

ダウンロード先のディレクトリ/var/containers/storage_hogehogeを作成し、Podman実行ユーザーhogehogeで書き込みができるようにオーナーとパーミッションを変更します。

# mkdir -p /var/containers/storage_hogehoge
# chmod -R a+rx /var/containers/storage_hogehoge
# chown hogehoge:hogehoge /var/containers/storage_hogehoge

Podman実行ユーザーごとのcontainers-storage.confである~/.config/containers/storage.confを以下の内容で作ります。なお、デフォルトだと~/.config/containers/ディレクトリは存在しないので先に作ります。

[storage]
  driver = "overlay"
  runroot = "/run/user/1001" # 1001はid -uの実行結果
  graphroot = "/var/containers/storage_hogehoge"
[storage.options]
  mount_program = "/usr/bin/fuse-overlayfs"

podman infoを実行します。

$ podman info
host:
  arch: arm64
  buildahVersion: 1.23.1
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 8
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: ubuntu
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 5.10.160-rockchip
  linkmode: dynamic
  logDriver: journald
  memFree: 15965040640
  memTotal: 16479313920
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 4m 6.71s
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/hogehoge/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /var/containers/storage_hogehoge
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1001
  volumePath: /var/containers/storage_hogehoge/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Thu Jan  1 09:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  OsArch: linux/arm64
  Version: 3.4.4

コンテナのダウンロードと実行

$ podman run quay.io/podman/hello
Trying to pull quay.io/podman/hello:latest...
Getting image source signatures
Copying blob a1f2913de360 done  
Copying config cc746af2ba done  
Writing manifest to image destination
Storing signatures
!... Hello Podman World ...!

         .--"--.           
       / -     - \         
      / (O)   (O) \        
   ~~~| -=(,Y,)=- |         
    .---. /`  \   |~~      
 ~/  o  o \~~~~.----. ~~   
  | =(X)= |~  / (O (O) \   
   ~~~~~~~  ~| =(Y_)=-  |   
  ~~~~    ~~~|   U      |~~ 

Project:   https://github.com/containers/podman
Website:   https://podman.io
Documents: https://docs.podman.io
Twitter:   @Podman_io

設定変更した場所が使われていることを確認します。

$ ls -l /var/containers/storage_hogehoge/
total 32
drwx------ 2 hogehoge hogehoge 4096 Jul 15 22:24 libpod
drwx------ 2 hogehoge hogehoge 4096 Jul 15 22:24 mounts
drwx------ 5 hogehoge hogehoge 4096 Jul 15 22:24 overlay
drwx------ 3 hogehoge hogehoge 4096 Jul 15 22:24 overlay-containers
drwx------ 3 hogehoge hogehoge 4096 Jul 15 22:24 overlay-images
drwx------ 2 hogehoge hogehoge 4096 Jul 15 22:24 overlay-layers
-rw-r--r-- 1 hogehoge hogehoge   64 Jul 15 22:24 storage.lock
drwx------ 2 hogehoge hogehoge 4096 Jul 15 22:24 tmp
-rw-r--r-- 1 hogehoge hogehoge    0 Jul 15 22:24 userns.lock

イメージとコンテナを確認します。

$ podman container ls -a
CONTAINER ID  IMAGE                        COMMAND               CREATED        STATUS                    PORTS       NAMES
37449d1c0a2a  quay.io/podman/hello:latest  /usr/local/bin/po...  3 minutes ago  Exited (0) 3 minutes ago              intelligent_tharp
$ podman image ls -a
REPOSITORY            TAG         IMAGE ID      CREATED       SIZE
quay.io/podman/hello  latest      cc746af2ba2b  19 hours ago  142 kB

また、runrootに指定した/run/user/1001/の下にもcontainers overlay overlay-locks overlay-containers overlay-layers libpodが作られるようです。²

その他

rootless podmanを使う場合は実行する一般ユーザーが/etc/subuidと/etc/subgidにいることが必要ですが、一般的な手順でセットアップした場合は追加されています。

$ cat /etc/subuid
ubuntu:100000:65536
hogehoge:165536:65536
$ cat /etc/subgid
ubuntu:100000:65536
hogehoge:165536:65536

また、設定ファイルを変更した後にpodman infoを実行して正常終了しなかった場合、原因となった設定値を書き換えても同じ箇所が原因で失敗し続けるという救いのない状態になりました。

$ podman info --log-level debug
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called info.PersistentPreRunE(podman info --log-level debug) 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf" 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
DEBU[0000] Initializing boltdb state at /var/containers/storage_hogehoge/libpod/bolt_state.db 
DEBU[0000] Overriding run root "/var/tmp/$(id -u)/containers" with "/run/user/$(id -u)" from database 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /var/containers/storage_hogehoge 
DEBU[0000] Using run root /run/user/$(id -u)            
DEBU[0000] Using static dir /var/containers/storage_hogehoge/libpod 
DEBU[0000] Using tmp dir /run/user/1001/libpod/tmp      
DEBU[0000] Using volume path /var/containers/storage_hogehoge/volumes 
DEBU[0000] Set libpod namespace to ""                   
Error: mkdir /run/user/$(id -u): permission denied

上の場合、最初に「/run/user/$(id -u)/」という値で実行して失敗して、「/var/tmp/$(id -u)/containers」という値に書き換えて実行しても前と同じエラーが発生しているように見えるログですが、「DEBU[0000] Overriding 〜〜 “〜〜” with “〜〜” from database」の場合は失敗した時の値をdbに格納していて値を変えても何故か再びdbに格納している値で実行するので永久にエラーになり続けます。

また、このdbはpodman system resetでも削除されることがないので、普通にやっていると永久に解決することができません³。

上の行に「Initializing boltdb state at /var/containers/storage_hogehoge/libpod/bolt_state.db」とある通り、boltdbのファイルがあるので、これを削除してから設定ファイルの値を変更してpodman infoを実行するとdbがないので設定ファイルの値を使うので、そこまでしてようやく設定ファイルの内容で実行しようとします。

設定ファイルのデフォルト値

containers-policy.json

/etc/containers/policy.json

{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ]
}

containers-registries.conf

/etc/containers/registries.conf.d/shortnames.conf

コメント行は削除しています。

[aliases]
  "almalinux" = "docker.io/library/almalinux"
  "almalinux-minimal" = "docker.io/library/almalinux-minimal"
  "centos" = "quay.io/centos/centos"
  "skopeo" = "quay.io/skopeo/stable"
  "buildah" = "quay.io/buildah/stable"
  "podman" = "quay.io/podman/stable"
  "alpine" = "docker.io/library/alpine"
  "docker" = "docker.io/library/docker"
  "registry" = "docker.io/library/registry"
  "hello-world" = "docker.io/library/hello-world"
  "swarm" = "docker.io/library/swarm"
  "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
  "fedora" = "registry.fedoraproject.org/fedora"
  "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
  "opensuse/tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
  "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
  "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
  "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
  "tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
  "leap" = "registry.opensuse.org/opensuse/leap"
  "leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf"
  "leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf"
  "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
  "suse/sle15" = "registry.suse.com/suse/sle15"
  "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
  "sle15" = "registry.suse.com/suse/sle15"
  "sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "sles12sp3" = "registry.suse.com/suse/sles12sp3"
  "rhel" = "registry.access.redhat.com/rhel"
  "rhel6" = "registry.access.redhat.com/rhel6"
  "rhel7" = "registry.access.redhat.com/rhel7"
  "ubi7" = "registry.access.redhat.com/ubi7"
  "ubi7-init" = "registry.access.redhat.com/ubi7-init"
  "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
  "ubi8" = "registry.access.redhat.com/ubi8"
  "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
  "ubi8-init" = "registry.access.redhat.com/ubi8-init"
  "ubi8-micro" = "registry.access.redhat.com/ubi8-micro"
  "ubi8/ubi" = "registry.access.redhat.com/ubi8/ubi"
  "ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
  "ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
  "ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
  "rockylinux" = "docker.io/library/rockylinux"
  "debian" = "docker.io/library/debian"
  "kali-bleeding-edge" = "docker.io/kalilinux/kali-bleeding-edge"
  "kali-dev" = "docker.io/kalilinux/kali-dev"
  "kali-experimental" = "docker.io/kalilinux/kali-experimental"
  "kali-last-release" = "docker.io/kalilinux/kali-last-release"
  "kali-rolling" = "docker.io/kalilinux/kali-rolling"
  "ubuntu" = "docker.io/library/ubuntu"
  "oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
  "busybox" = "docker.io/library/busybox"
  "php" = "docker.io/library/php"
  "python" = "docker.io/library/python"
  "node" = "docker.io/library/node"

containers-storage.conf

/usr/share/containers/storage.conf

# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Temporary storage location
runroot = "/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"

# Inodes is used to set a maximum inodes of the container image.
# inodes = ""

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"

# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.
# size = ""

# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
#  "": No value specified.
#     All files/directories, get set with the permissions identified within the
#     image.
#  "private": it is equivalent to 0700.
#     All files/directories get set with 0700 permissions.  The owner has rwx
#     access to the files. No other users on the system can access the files.
#     This setting could be used with networked based homedirs.
#  "shared": it is equivalent to 0755.
#     The owner has rwx access to the files and everyone else can read, access
#     and execute them. This setting is useful for sharing containers storage
#     with other users.  For instance have a storage owned by root but shared
#     to rootless users as an additional store.
#     NOTE:  All files within the image are made readable and executable by any
#     user on the system. Even /etc/shadow within your image is now readable by
#     any user.
#
#   OCTAL: Users can experiment with other OCTAL Permissions.
#
#  Note: The force_mask Flag is an experimental feature, it could change in the
#  future.  When "force_mask" is set the original permission mask is stored in
#  the "user.containers.override_stat" xattr and the "mount_program" option must
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
#  extended attribute permissions to processes within containers rather then the
#  "force_mask"  permissions.
#
# force_mask = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

スポンサーリンク

• ← Previous Post
• Next Post →