# This file is the configuration file for all tools

# that use the containers/storage library. The storage.conf file

# overrides all other storage.conf files. Container engines using the

# container/storage library do not inherit fields from other storage.conf

# files.

#

#  Note: The storage.conf file overrides other storage.conf files based on this precedence:

#      /usr/containers/storage.conf

#      /etc/containers/storage.conf

#      $HOME/.config/containers/storage.conf

#      $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)

# See man 5 containers-storage.conf for more information

# The "container storage" table contains all of the server options.

[storage]

# Default Storage Driver, Must be set for proper operation.

driver = "overlay"

# Temporary storage location

runroot = "/run/containers/storage"

# Primary Read/Write location of container storage

# When changing the graphroot location on an SELINUX system, you must

# ensure  the labeling matches the default locations labels with the

# following commands:

# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH

# restorecon -R -v /NEWSTORAGEPATH

graphroot = "/var/lib/containers/storage"

# Storage path for rootless users

#

# rootless_storage_path = "$HOME/.local/share/containers/storage"

# Transient store mode makes all container metadata be saved in temporary storage

# (i.e. runroot above). This is faster, but doesn't persist across reboots.

# transient_store = true

[storage.options]

# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores

# Must be comma separated list.

additionalimagestores = [

]

# Allows specification of how storage is populated when pulling images. This

# option can speed the pulling process of images compressed with format

# zstd:chunked. Containers/storage looks for files within images that are being

# pulled from a container registry that were previously pulled to the host.  It

# can copy or create a hard link to the existing file when it finds them,

# eliminating the need to pull them from the container registry. These options

# can deduplicate pulling of content, disk storage of content and can allow the

# kernel to use less memory when running containers.

# containers/storage supports four keys

#   * enable_partial_images="true" | "false"

#     Tells containers/storage to look for files previously pulled in storage

#     rather then always pulling them from the container registry.

#   * use_hard_links = "false" | "true"

#     Tells containers/storage to use hard links rather then create new files in

#     the image, if an identical file already existed in storage.

#   * ostree_repos = ""

#     Tells containers/storage where an ostree repository exists that might have

#     previously pulled content which can be used when attempting to avoid

#     pulling content from the container registry

pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of

# a container, to the UIDs/GIDs as they should appear outside of the container,

# and the length of the range of UIDs/GIDs.  Additional mapped sets can be

# listed and will be heeded by libraries, but there are limits to the number of

# mappings which the kernel will allow when you later attempt to run a

# container.

#

# remap-uids = 0:1668442479:65536

# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID

# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting

# with an in-container ID of 0 and then a host-level ID taken from the lowest

# range that matches the specified name, and using the length of that range.

# Additional ranges are then assigned, using the ranges which specify the

# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,

# until all of the entries have been used for maps.

#

# remap-user = "containers"

# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID

# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned

# to containers configured to create automatically a user namespace.  Containers

# configured to automatically create a user namespace can still overlap with containers

# having an explicit mapping set.

# This setting is ignored when running as rootless.

# root-auto-userns-user = "storage"

#

# Auto-userns-min-size is the minimum size for a user namespace created automatically.

# auto-userns-min-size=1024

#

# Auto-userns-max-size is the minimum size for a user namespace created automatically.

# auto-userns-max-size=65536

[storage.options.overlay]

# ignore_chown_errors can be set to allow a non privileged user running with

# a single UID within a user namespace to run containers. The user can pull

# and use any image even those with multiple uids.  Note multiple UIDs will be

# squashed down to the default uid in the container.  These images will have no

# separation between the users in the container. Only supported for the overlay

# and vfs drivers.

#ignore_chown_errors = "false"

# Inodes is used to set a maximum inodes of the container image.

# inodes = ""

# Path to an helper program to use for mounting the file system instead of mounting it

# directly.

#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options

mountopt = "nodev,metacopy=on"

# Set to skip a PRIVATE bind mount on the storage home directory.

# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.

# size = ""

# ForceMask specifies the permissions mask that is used for new files and

# directories.

#

# The values "shared" and "private" are accepted.

# Octal permission masks are also accepted.

#

#  "": No value specified.

#     All files/directories, get set with the permissions identified within the

#     image.

#  "private": it is equivalent to 0700.

#     All files/directories get set with 0700 permissions.  The owner has rwx

#     access to the files. No other users on the system can access the files.

#     This setting could be used with networked based homedirs.

#  "shared": it is equivalent to 0755.

#     The owner has rwx access to the files and everyone else can read, access

#     and execute them. This setting is useful for sharing containers storage

#     with other users.  For instance have a storage owned by root but shared

#     to rootless users as an additional store.

#     NOTE:  All files within the image are made readable and executable by any

#     user on the system. Even /etc/shadow within your image is now readable by

#     any user.

#

#   OCTAL: Users can experiment with other OCTAL Permissions.

#

#  Note: The force_mask Flag is an experimental feature, it could change in the

#  future.  When "force_mask" is set the original permission mask is stored in

#  the "user.containers.override_stat" xattr and the "mount_program" option must

#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the

#  extended attribute permissions to processes within containers rather than the

#  "force_mask"  permissions.

#

# force_mask = ""

[storage.options.thinpool]

# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be

# grown. This is specified in terms of % of pool size. So a value of 20 means

# that when threshold is hit, pool will be grown by 20% of existing

# pool size.

# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms

# of percentage of pool size. For example, if threshold is 60, that means when

# pool is 60% full, threshold has been hit.

# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which

# limits the size of images and containers.

# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.

# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the

# thin pool. Required if you setup devicemapper.

# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.

# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.

# fs="xfs"

# log_level sets the log level of devicemapper.

# 0: LogLevelSuppress 0 (Default)

# 2: LogLevelFatal

# 3: LogLevelErr

# 4: LogLevelWarn

# 5: LogLevelNotice

# 6: LogLevelInfo

# 7: LogLevelDebug

# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for

# new device creation to succeed. Valid values are from 0% - 99%.

# Value 0% disables

# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base

# device.

# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when

# creating thin devices. Default is 128k

# metadata_size = ""

# Size is used to set a maximum size of the container image.

# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.

# If the thinpool is in use when the driver attempts to remove it, the driver

# tells the kernel to remove it as soon as possible. Note this does not free

# up the disk space, use deferred deletion to fully remove the thinpool.

# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.

# If the device is busy when the driver attempts to delete it, the driver

# will attempt to delete device every 30 seconds until successful.

# If the program using the driver exits, the driver will continue attempting

# to cleanup the next time the driver is used. Deferred deletion permanently

# deletes the device and all data stored in device will be lost.

# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should

# attempt to complete IO when ENOSPC (no space) error is returned by

# underlying storage device.

# xfs_nospace_max_retries = "0"