@ -5,30 +5,33 @@ containers-auth.json - syntax for the registry authentication file
# DESCRIPTION
A credentials file in JSON format used to authenticate against container image registries.
A file in JSON format controlling authentication against container image registries.
The primary (read/write) file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux;
on Windows and macOS, at `$HOME/.config/containers/auth.json`.
When searching for the credential for a registry, the following files will be read in sequence until the valid credential is found:
first reading the primary (read/write) file, or the explicit override using an option of the calling application.
If credentials are not present, search in `${XDG_CONFIG_HOME}/containers/auth.json` (usually `~/.config/containers/auth.json`), `$HOME/.docker/config.json`, `$HOME/.dockercfg`.
If credentials are not present there,
the search continues in `${XDG_CONFIG_HOME}/containers/auth.json` (usually `~/.config/containers/auth.json`), `$HOME/.docker/config.json`, `$HOME/.dockercfg`.
Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override.
Except for the primary (read/write) file, other files are read-only unless the user, using an option of the calling application, explicitly points at it as an override.
## FORMAT
The auth.json file stores encrypted authentication information for the
user to container image registries. The file can have zero to many entries and
is created by a `login` command from a container tool such as `podman login`,
`buildah login` or `skopeo login`. Each entry either contains a single
hostname (e.g. `docker.io`) or a namespace (e.g. `quay.io/user/image`) as a key
and an auth token in the form of a base64 encoded string as value of `auth`. The
token is built from the concatenation of the username, a colon, and the
password. The registry name can additionally contain a repository name (an image
name without tag or digest) and namespaces. The path (or namespace) is matched
in its hierarchical order when checking for available authentications. For
example, an image pull for `my-registry.local/namespace/user/image:latest` will
The auth.json file stores, or references, credentials that allow the user to authenticate
to container image registries.
It is primarily managed by a `login` command from a container tool such as `podman login`,
`buildah login`, or `skopeo login`.
Each entry contains a single hostname (e.g., `docker.io`) or a namespace (e.g., `quay.io/user/image`) as a key,
and credentials in the form of a base64-encoded string as value of `auth`. The
base64-encoded string contains a concatenation of the username, a colon, and the
password.
When checking for available credentials, the relevant repository is matched
against available keys in its hierarchical order, going from most-specific to least-specific.
For example, an image pull for `my-registry.local/namespace/user/image:latest` will
result in a lookup in `auth.json` in the following order:
- `my-registry.local/namespace/user/image`
@ -77,10 +80,8 @@ preserving a fallback for `my-registry.local`:
An entry can be removed by using a `logout` command from a container
tool such as `podman logout` or `buildah logout`.
In addition, credential helpers can be configured for specific registries and the credentials-helper
software can be used to manage the credentials in a more secure way than depending on the base64 encoded authentication
provided by `login`. If the credential helpers are configured for specific registries, the base64 encoded authentication will not be used
for operations concerning credentials of the specified registries.
In addition, credential helpers can be configured for specific registries, and the credentials-helper
software can be used to manage the credentials more securely than storing only base64-encoded credentials in `auth.json`.
When the credential helper is in use on a Linux platform, the auth.json file would contain keys that specify the registry domain, and values that specify the suffix of the program to use (i.e. everything after docker-credential-). For example:
@ -282,7 +282,7 @@ signed by the provided public key.
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
To use this with images hosted on image registries, the `use-sigstore-attachments` option needs to be enabled for the relevant registry or repository in the client's containers-registries.d(5).
A common use case for this field is to provide a local storage directory when user home directories are NFS-mounted (podman does not support container storage over NFS).
**imagestore**=""
Path of imagestore different from `graphroot`, by default storage library stores all images in `graphroot` but if `imagestore` is provided it will store newly pulled images in provided `imagestore` but will keep using `graphroot` for everything else. If user is using `overlay` driver then images which were already part of `graphroot` will still be accessible ( Internally storage library will mount `graphroot` as an `additionalImageStore` to allow this behaviour ).
A common use case for this field is for the users who want to split the file-system in different parts i.e disk which stores images vs disk used by the container created by the image.
**runroot**=""
container storage run dir (default: "/run/containers/storage")
Default directory to store all temporary writable content created by container storage programs. The rootless runroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)
@ -64,6 +69,12 @@ Default directory to store all temporary writable content created by container s
By default, the storage driver is set via the `driver` option. If it is not defined, then the best driver will be picked according to the current platform. This option allows you to override this internal priority list with a custom one to prefer certain drivers.
Setting this option only has an effect if the local storage has not been initialized yet and the driver name is not set.
**transient_store** = "false" | "true"
Transient store mode makes all container metadata be saved in temporary storage
(i.e. runroot above). This is faster, but doesn't persist across reboots.
Additional garbage collection must also be performed at boot-time, so this option should remain disabled in most configurations. (default: false)
### STORAGE OPTIONS TABLE
The `storage.options` table supports the following options:
@ -82,7 +93,7 @@ container registry. These options can deduplicate pulling of content, disk
storage of content and can allow the kernel to use less memory when running
containers.
containers/storage supports four keys
containers/storage supports three keys
* enable_partial_images="true" | "false"
Tells containers/storage to look for files previously pulled in storage
rather then always pulling them from the container registry.
@ -99,14 +110,14 @@ containers/storage supports four keys
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
Example
remap-uids = 0:1668442479:65536
remap-gids = 0:1668442479:65536
remap-uids = "0:1668442479:65536"
remap-gids = "0:1668442479:65536"
These mappings tell the container engines to map UID 0 inside of the container to UID 1668442479 outside. UID 1 will be mapped to 1668442480. UID 2 will be mapped to 1668442481, etc, for the next 65533 UIDs in succession.
**remap-user**=""
**remap-group**=""
Remap-User/Group is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting with an in-container ID of 0 and then a host-level ID taken from the lowest range that matches the specified name, and using the length of that range. Additional ranges are then assigned, using the ranges which specify the lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, until all of the entries have been used for maps.
Remap-User/Group is a user name which can be used to look up one or more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting with an in-container ID of 0 and then a host-level ID taken from the lowest range that matches the specified name, and using the length of that range. Additional ranges are then assigned, using the ranges which specify the lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, until all of the entries have been used for maps. This setting overrides the Remap-UIDs/GIDs setting.
Fields specified in containers conf override the default options, as well as
options in previously read containers.conf files.
@ -22,10 +23,10 @@ Config files in the `.d` directories, are added in alpha numeric sorted order an
Not all options are supported in all container engines.
Note container engines also use other configuration files for configuring the environment.
Note, container engines also use other configuration files for configuring the environment.
* `storage.conf` for configuration of container and images storage.
* `registries.conf` for definition of container registires to search while pulling.
* `registries.conf` for definition of container registries to search while pulling.
container images.
* `policy.conf` for controlling which images can be pulled to the system.
@ -50,6 +51,7 @@ TOML can be simplified to:
The containers table contains settings to configure and manage the OCI runtime.
**annotations** = []
List of annotations. Specified as "key=value" pairs to be added to all containers.
Example: "run.oci.keep_original_groups=1"
@ -66,6 +68,12 @@ file. This must be either an absolute path or as special values "image" which
uses the hosts file from the container image or "none" which means
no base hosts file is used. The default is "" which will use /etc/hosts.
**cgroup_conf**=[]
List of cgroup_conf entries specifying a list of cgroup files to write to and
their values. For example `memory.high=1073741824` sets the
memory.high limit to 1GB.
**cgroups**="enabled"
Determines whether the container will create CGroups.
@ -98,12 +106,12 @@ default_capabilities = [
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
]
```
Note, by default container engines using containers.conf, run with less
capabilities than Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD",
"NET_RAW", "CHROOT". If you need to add one of these capabilities for a
capabilities than Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD" and "NET_RAW". If you need to add one of these capabilities for a
particular container, you can use the --cap-add option or edit your system's containers.conf.
**default_sysctls**=[]
@ -199,6 +207,13 @@ the container.
Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.
**label_users**=false
label_users indicates whether to enforce confined users in containers on
SELinux systems. This option causes containers to maintain the current user
and role field of the calling process. By default SELinux containers run with
the user system_u, and the role system_r.
**log_driver**=""
Logging driver for the container. Currently available options are k8s-file, journald, none and passthrough, with json-file aliased to k8s-file for scripting compatibility. The journald driver is used by default if the systemd journal is readable and writable. Otherwise, the k8s-file driver is used.
@ -227,6 +242,10 @@ Options are:
Create /etc/hosts for the container. By default, container engines manage
/etc/hosts, automatically adding the container's own IP address.
**oom_score_adj**=0
Tune the host's OOM preferences for containers (accepts values from -1000 to 1000).
**pidns**="private"
Default way to to create a PID namespace for the container.
@ -324,6 +343,20 @@ cni_plugin_dirs = [
]
```
**netavark_plugin_dirs**=[]
List of directories that will be searched for netavark plugins.
The default list is:
```
netavark_plugin_dirs = [
"/usr/local/libexec/netavark",
"/usr/libexec/netavark",
"/usr/local/lib/netavark",
"/usr/lib/netavark",
]
```
**default_network**="podman"
The network name of the default network to attach pods to.
@ -352,11 +385,16 @@ default_subnet_pools = [
]
```
**default_rootless_network_cmd**="slirp4netns"
Configure which rootless network program to use by default. Valid options are
`slirp4netns` (default) and `pasta`.
**network_config_dir**="/etc/cni/net.d/"
Path to the directory where network configuration files are located.
For the CNI backend the default is "/etc/cni/net.d" as root
and "$HOME/.config/cni/net.d" as rootless.
For the CNI backend the default is __/etc/cni/net.d__ as root
and __$HOME/.config/cni/net.d__ as rootless.
For the netavark backend "/etc/containers/networks" is used as root
and "$graphroot/networks" as rootless.
@ -367,6 +405,11 @@ mode and dns enabled.
Using an alternate port might be useful if other dns services should
run on the machine.
**pasta_options** = []
A list of default pasta options that should be used running pasta.
It accepts the pasta cli options, see pasta(1) for the full list of options.
## ENGINE TABLE
The `engine` table contains configuration options used to set up container engines such as Podman and Buildah.
@ -403,6 +446,12 @@ conmon_path=[
]
```
**database_backend**="boltdb"
The database backend of Podman. Supported values are "boltdb" (default) and
"sqlite". Please run `podman-system-reset` prior to changing the database
backend of an existing deployment, to make sure Podman can operate correctly.
**detach_keys**="ctrl-p,ctrl-q"
Keys sequence used for detaching a container.
@ -410,6 +459,7 @@ Specify the keys sequence used to detach a container.
Format is a single character `[a-Z]` or a comma separated sequence of
`ctrl-<value>`, where `<value>` is one of:
`a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
Specifying "" disables this feature.
**enable_port_reservation**=true
@ -462,12 +512,14 @@ with detailed information about the container. Set to false by default.
A is a list of directories which are used to search for helper binaries.
The default paths on Linux are:
- `/usr/local/libexec/podman`
- `/usr/local/lib/podman`
- `/usr/libexec/podman`
- `/usr/lib/podman`
The default paths on macOS are:
- `/usr/local/opt/podman/libexec`
- `/opt/homebrew/bin`
- `/opt/homebrew/opt/podman/libexec`
@ -478,6 +530,7 @@ The default paths on macOS are:
@ -502,7 +555,7 @@ Not setting this field will fall back to containers/image defaults. (6)
**image_volume_mode**="bind"
Tells container engines how to handle the builtin image volumes.
Tells container engines how to handle the built-in image volumes.
* bind: An anonymous named volume will be created and mounted into the container.
* tmpfs: The volume is mounted onto the container as a tmpfs, which allows the users to create content that disappears when the container is stopped.
@ -512,18 +565,22 @@ Tells container engines how to handle the builtin image volumes.
Infra (pause) container image command for pod infra containers. When running a
pod, we start a `/pause` process in a container to hold open the namespaces
associated with the pod. This container does nothing other then sleep,
reserving the pods resources for the lifetime of the pod.
associated with the pod. This container does nothing other than sleep,
reserving the pod's resources for the lifetime of the pod.
**infra_image**=""
Infra (pause) container image for pod infra containers. When running a
pod, we start a `pause` process in a container to hold open the namespaces
associated with the pod. This container does nothing other then sleep,
reserving the pods resources for the lifetime of the pod. By default container
engines run a builtin container using the pause executable. If you want override
associated with the pod. This container does nothing other than sleep,
reserving the pod's resources for the lifetime of the pod. By default container
engines run a built-in container using the pause executable. If you want override
specify an image to pull.
**kube_generate_type**="pod"
Default Kubernetes kind/specification of the kubernetes yaml generated with the `podman kube generate` command. The possible options are `pod` and `deployment`.
**lock_type**="shm"
Specify the locking mechanism to use; valid values are "shm" and "file".
@ -595,6 +652,7 @@ Pull image before running or creating a container. The default is **missing**.
- **never**: do not pull the image from the registry, use only the local version. Raise an error if the image is not present locally.
**remote** = false
Indicates whether the application should be running in remote mode. This flag modifies the
--remote option on container engines. Setting the flag to true will default `podman --remote=true` for access to the remote Podman service.
@ -661,14 +719,21 @@ not be by other drivers.
Determines whether file copied into a container will have changed ownership to
the primary uid/gid of the container.
**compression_format**=""
**compression_format**="gzip"
Specifies the compression format to use when pushing an image. Supported values are: `gzip` and `zstd`.
Specifies the compression format to use when pushing an image. Supported values are: `gzip`, `zstd` and `zstd:chunked`.
**compression_level**="5"
The compression level to use when pushing an image. Valid options
depend on the compression format used. For gzip, valid options are
1-9, with a default of 5. For zstd, valid options are 1-20, with a
default of 3.
## SERVICE DESTINATION TABLE
The `service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.
The `engine.service_destinations` table contains configuration options used to set up remote connections to the podman service for the podman API.