File storage.conf of Package libcontainers-common
# This file is the configuration file for all tools # that use the containers/storage library. The storage.conf file # overrides all other storage.conf files. Container engines using the # container/storage library do not inherit fields from other storage.conf # files. # # Note: The storage.conf file overrides other storage.conf files based on this precedence: # /usr/containers/storage.conf # /etc/containers/storage.conf # $HOME/.config/containers/storage.conf # $XDG_CONFIG_HOME/containers/storage.conf (if XDG_CONFIG_HOME is set) # See man 5 containers-storage.conf for more information # The "storage" table contains all of the server options. [storage] # Default storage driver, must be set for proper operation. driver = "overlay" # Temporary storage location runroot = "/run/containers/storage" # Priority list for the storage drivers that will be tested one # after the other to pick the storage driver if it is not defined. # driver_priority = ["overlay", "btrfs"] # Primary Read/Write location of container storage # When changing the graphroot location on an SELinux system, you must # ensure the labeling matches the default location's labels with the # following commands: # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH graphroot = "/var/lib/containers/storage" # Optional alternate location of image store if a location separate from the # container store is required. If set, it must be different than graphroot. # imagestore = "" # Storage path for rootless users # # rootless_storage_path = "$HOME/.local/share/containers/storage" # Transient store mode makes all container metadata be saved in temporary storage # (i.e. runroot above). This is faster, but doesn't persist across reboots. # Additional garbage collection must also be performed at boot-time, so this # option should remain disabled in most configurations. # transient_store = true [storage.options] # Storage options to be passed to underlying storage drivers # AdditionalImageStores is used to pass paths to additional Read/Only image stores # Must be comma separated list. additionalimagestores = [ ] # Options controlling how storage is populated when pulling images. [storage.options.pull_options] # Enable the "zstd:chunked" feature, which allows partial pulls, reusing # content that already exists on the system. This is disabled by default, # and must be explicitly enabled to be used. For more on zstd:chunked, see # https://github.com/containers/storage/blob/main/docs/containers-storage-zstd-chunked.md # This is a "string bool": "false" | "true" (cannot be native TOML boolean) # enable_partial_images = "false" # Tells containers/storage to use hard links rather then create new files in # the image, if an identical file already existed in storage. # This is a "string bool": "false" | "true" (cannot be native TOML boolean) # use_hard_links = "false" # Path to an ostree repository that might have # previously pulled content which can be used when attempting to avoid # pulling content from the container registry. # ostree_repos="" # If set to "true", containers/storage will convert images that are # not already in zstd:chunked format to that format before processing # in order to take advantage of local deduplication and hard linking. # It is an expensive operation so it is not enabled by default. # This is a "string bool": "false" | "true" (cannot be native TOML boolean) # convert_images = "false" # This should ALMOST NEVER be set. # It allows partial pulls of images without guaranteeing that "partial # pulls" and non-partial pulls both result in consistent image contents. # This allows pulling estargz images and early versions of zstd:chunked images; # otherwise, these layers always use the traditional non-partial pull path. # # This option should be enabled EXTREMELY rarely, only if ALL images that could # EVER be conceivably pulled on this system are GUARANTEED (e.g. using a signature policy) # to come from a build system trusted to never attack image integrity. # # If this consistency enforcement were disabled, malicious images could be built # in a way designed to evade other audit mechanisms, so presence of most other audit # mechanisms is not a replacement for the above-mentioned need for all images to come # from a trusted build system. # # As a side effect, enabling this option will also make image IDs unpredictable # (usually not equal to the traditional value matching the config digest). # insecure_allow_unpredictable_image_contents = "false" # Root-auto-userns-user is a user name which can be used to look up one or more UID/GID # ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned # to containers configured to create automatically a user namespace. Containers # configured to automatically create a user namespace can still overlap with containers # having an explicit mapping set. # This setting is ignored when running as rootless. # root-auto-userns-user = "storage" # # Auto-userns-min-size is the minimum size for a user namespace created automatically. # auto-userns-min-size=1024 # # Auto-userns-max-size is the maximum size for a user namespace created automatically. # auto-userns-max-size=65536 [storage.options.overlay] # ignore_chown_errors can be set to allow a non privileged user running with # a single UID within a user namespace to run containers. The user can pull # and use any image even those with multiple uids. Note multiple UIDs will be # squashed down to the default uid in the container. These images will have no # separation between the users in the container. Only supported for the overlay # and vfs drivers. # This is a "string bool": "false" | "true" (cannot be native TOML boolean) #ignore_chown_errors = "false" # Inodes is used to set a maximum inodes of the container image. # inodes = "" # Path to an helper program to use for mounting the file system instead of mounting it # directly. #mount_program = "/usr/bin/fuse-overlayfs" # mountopt specifies comma separated list of extra mount options mountopt = "nodev" # Set to skip a PRIVATE bind mount on the storage home directory. # This is a "string bool": "false" | "true" (cannot be native TOML boolean) # skip_mount_home = "false" # Set to use composefs to mount data layers with overlay. # This is a "string bool": "false" | "true" (cannot be native TOML boolean) # use_composefs = "false" # Size is used to set a maximum size of the container image. # size = "" # ForceMask specifies the permissions mask that is used for new files and # directories. # # The values "shared" and "private" are accepted. # Octal permission masks are also accepted. # # "": No value specified. # All files/directories, get set with the permissions identified within the # image. # "private": it is equivalent to 0700. # All files/directories get set with 0700 permissions. The owner has rwx # access to the files. No other users on the system can access the files. # This setting could be used with networked based homedirs. # "shared": it is equivalent to 0755. # The owner has rwx access to the files and everyone else can read, access # and execute them. This setting is useful for sharing containers storage # with other users. For instance have a storage owned by root but shared # to rootless users as an additional store. # NOTE: All files within the image are made readable and executable by any # user on the system. Even /etc/shadow within your image is now readable by # any user. # # OCTAL: Users can experiment with other OCTAL Permissions. # # Note: The force_mask Flag is an experimental feature, it could change in the # future. When "force_mask" is set the original permission mask is stored in # the "user.containers.override_stat" xattr and the "mount_program" option must # be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the # extended attribute permissions to processes within containers rather than the # "force_mask" permissions. # # force_mask = ""
