Quadlet .volume: recommended way to set noexec,nosuid,nodev and nocopy

[flomickl]

Hi,

I’m trying to define a rootless Quadlet volume unit (.volume) to pre-create a named volume. The core of my question is specifically about the recommended / Quadlet-native way to set these two podman volume create options:

• --opt o=noexec,nosuid,nodev
• --opt nocopy

The goal is to reproduce the following CLI behavior, which works as expected:

podman volume create \
  --driver local \
  --ignore \
  --opt o=noexec,nosuid,nodev \
  --opt nocopy \
  --label environment=production \
  --label purpose=database \
  --label application=demo-example \
  pgdata

This behaves exactly as intended.

My Quadlet attempt (~/.config/containers/systemd/pgdata.volume) looks like this:

[Unit]
Description=Named Volume pgdata (policy)

[Volume]
Driver=local

User=1000
Group=1000

PodmanArgs=--opt o=noexec,nosuid,nodev
PodmanArgs=--opt nocopy

Label=environment=production
Label=purpose=database
Label=application=demo-example

After starting the generated unit via:

systemctl --user start pgdata-volume.service

the resulting volume looks like this:

[
     {
          "Name": "pgdata",
          "Driver": "local",
          "Mountpoint": "/home/pody/.local/share/containers/storage/volumes/pgdata/_data",
          "CreatedAt": "2026-02-21T22:42:14.540821061+01:00",
          "Labels": {
               "application": "demo-example",
               "environment": "production",
               "purpose": "database"
          },
          "Scope": "local",
          "Options": {
               "nocopy": "",
               "o": "noexec,nosuid,nodev"
          },
          "MountCount": 0,
          "NeedsCopyUp": true,
          "NeedsChown": true,
          "LockNumber": 2
     }
]

This suggests that the desired driver options (o=noexec,nosuid,nodev and nocopy) have been applied successfully.

However, if I try to use:

Options=noexec,nosuid,nodev

instead of PodmanArgs, the generator fails with:

quadlet-generator: converting "pgdata.volume": key Options can't be used without Device

According to the documentation, PodmanArgs= should be used for unsupported features, but it is also marked as “not recommended” because the generator cannot reason about unexpected interactions.

Docs reference:
https://docs.podman.io/en/v5.6.0/markdown/podman-systemd.unit.5.html#volume-units-volume

My questions:

1. For Driver=local volumes without Device=, what is the recommended / supported Quadlet-native way to set --opt o=noexec,nosuid,nodev?
2. For Driver=local volumes without Device=, what is the recommended / supported Quadlet-native way to set --opt nocopy?
3. If there is no Quadlet-native way for one or both of these, is using PodmanArgs the intended/accepted approach for this scenario despite the “not recommended” note?

Environment:

• Rootless Quadlet (~/.config/containers/systemd)
• Podman version: 5.6.0

Thanks in advance.

[ygalblum]

Quick answers.

1. Currently, Quadlet supports mount options only when using a device. IIRC, this has been the case since the first implementation. But, I can't say for sure why. The question is whether it should. @Luap99 @mheon WDYT?
2. To set --opt nocopy use Copy=false. The key is documented here: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#copy-default-to-true. But, I guess it is not clear that setting it to false will result in nocopy.
3. PodmanArgs was added exactly for these cases in which Quadlet does not directly support a key. When the right key exists, it's always recommended to use it. But, when it isn't, that's why PodmanArgs is there.

[Luap99]

I think the typical judgement applies, if the cli allows something quadlet should too unless there is clear reason why that would not work under quadlet.

I don't see a reason for that so we should just allow it

[mheon]

Concur, I don't see a real reason not to support it? It's a valid Podman feature with real uses

[ygalblum]

See #28161

[ygalblum]

@flomickl The PR addressing this was merged: #28161.
Can we mark this as answered?

[flomickl]

@ygalblum

Thanks for the clarification and the discussion around this.

I noticed that PR #28161 was opened to address this.

A few quick follow-up questions to make sure I understand the intended result correctly:

1. In which Podman version is this expected to land?

   I am currently working on RHEL 10 with Podman 5.6. +
   I am not very familiar with the internal release / backport process, so I am trying to understand whether this is something that might still land in the 5.x series or only in a later major version.

2. Will this mean that driver options like --opt o=noexec,nosuid,nodev can then be expressed directly via Options= in a .volume unit even when no Device= is used?

   For example something like:

   Options=o=noexec,nosuid,nodev
   

   or

   Options=noexec,nosuid,nodev
   

   I am not fully sure which form would be the intended one.

3. If this changes the current behavior of Options=, should the documentation for .volume units be updated as well?

   I mean this section specifically: +
   https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#volume-units-volume

   At the moment it states that Options cannot be used without Device.

[Luap99]

Release wise things land in the next minor or major version. The next version in May will be Podman 6 and that will find its way into RHEL 10 eventually

[ygalblum]

Yes, this is exactly what this change allows - passing mount options even without a device. Do not prepend the options with o=, Quadlet will do that. So Options=noexec,nosuid,nodev is the way to go

At the moment it states that Options cannot be used without Device

I'm sorry, but I can't seem to find this comment. Can you please copy paste it so I can see it?