buildah-run(1)              General Commands Manual             buildah-run(1)


NAME

       buildah-run - Run a command inside of the container.


SYNOPSIS

       buildah run [options] [--] container command


DESCRIPTION

       Launches a container and runs the specified command in that container
       using the container's root filesystem as a root filesystem, using
       configuration settings inherited from the container's image or as
       specified using previous calls to the buildah config command. To
       execute buildah run within an interactive shell, specify the --tty
       option.


OPTIONS

       --add-history

       Add an entry to the history which will note what command is being
       invoked. Defaults to false.

       Note: You can also override the default value of --add-history by
       setting the BUILDAH_HISTORY environment variable:
       export BUILDAH_HISTORY=true

       --cap-add=CAP_xxx

       Add the specified capability to the set of capabilities which will be
       granted to the specified command. Certain capabilities are granted by
       default; this option can be used to add more beyond the defaults, which
       may have been modified by --cap-add and --cap-drop options used with
       the buildah from invocation which created the container.

       --cap-drop=CAP_xxx

       Remove the specified capability from the set of capabilities which
       will be granted to the specified command. The CAP_AUDIT_WRITE,
       CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL,
       CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_SETFCAP, CAP_SETGID, CAP_SETPCAP,
       CAP_SETUID, and CAP_SYS_CHROOT capabilities are granted by default;
       this option can be used to remove them from the defaults, which may
       have been modified by --cap-add and --cap-drop options used with the
       buildah from invocation which created the container.

       If a capability is specified to both the --cap-add and --cap-drop
       options, it will be dropped, regardless of the order in which the
       options were given.

       --cni-config-dir=directory

       Location of CNI configuration files which will dictate which plugins
       will be used to configure network interfaces and routing inside the
       running container, if the container will be run in its own network
       namespace, and networking is not disabled.

       --cni-plugin-path=directory[:directory[:directory[...]]]

       List of directories in which the CNI plugins which will be used for
       configuring network namespaces can be found.

       --hostname

       Set the hostname inside of the running container.

       --ipc how

       Sets the configuration for the IPC namespace for the container. The
       configured value can be "" (the empty string) or "container" to
       indicate that a new IPC namespace should be created, or it can be
       "host" to indicate that the IPC namespace in which buildah itself is
       being run should be reused, or it can be the path to an IPC namespace
       which is already in use by another process.

       --isolation type

       Controls what type of isolation is used for running the process.
       Recognized types include oci (OCI-compatible runtime, the default),
       rootless (OCI-compatible runtime invoked using a modified
       configuration, with --no-new-keyring added to its create invocation,
       with network and UTS namespaces disabled, and IPC, PID, and user
       namespaces enabled; the default for unprivileged users), and chroot
       (an internal wrapper that leans more toward chroot(1) than container
       technology).

       Note: You can also override the default isolation type by setting the
       BUILDAH_ISOLATION environment variable:
       export BUILDAH_ISOLATION=oci

       --net how, --network how

       Sets the configuration for the network namespace for the container.
       The configured value can be "" (the empty string) or "container" to
       indicate that a new network namespace should be created, or it can be
       "host" to indicate that the network namespace in which buildah itself
       is being run should be reused, or it can be the path to a network
       namespace which is already in use by another process.

       --pid how

       Sets the configuration for the PID namespace for the container. The
       configured value can be "" (the empty string) or "container" to
       indicate that a new PID namespace should be created, or it can be
       "host" to indicate that the PID namespace in which buildah itself is
       being run should be reused, or it can be the path to a PID namespace
       which is already in use by another process.

       --runtime path

       The path to an alternate OCI-compatible runtime. Default is runc.

       Note: You can also override the default runtime by setting the
       BUILDAH_RUNTIME environment variable:
       export BUILDAH_RUNTIME=/usr/local/bin/runc

       --runtime-flag flag

       Adds global flags for the container runtime. To list the supported
       flags, please consult the manpages of the selected container runtime
       (runc is the default runtime, the manpage to consult is runc(8)).
       Note: Do not pass the leading -- to the flag. To pass the runc flag
       --log-format json to buildah run, the option given would be
       --runtime-flag log-format=json.

       --no-pivot

       Do not use pivot root to jail the process inside the rootfs. This
       should be used whenever the rootfs is on top of a ramdisk.

       Note: You can make this option the default by setting the
       BUILDAH_NOPIVOT environment variable:
       export BUILDAH_NOPIVOT=true

       -t, --tty, --terminal

       By default a pseudo-TTY is allocated only when buildah's standard input
       is attached to a pseudo-TTY. Setting the --tty option to true will
       cause a pseudo-TTY to be allocated inside the container connecting the
       user's "terminal" with the stdin and stdout stream of the container.
       Setting the --tty option to false will prevent the pseudo-TTY from
       being allocated.

       --user user[:group]

       Set the user to be used for running the command in the container. The
       user can be specified as a user name or UID, optionally followed by a
       group name or GID, separated by a colon (':'). If names are used, the
       container should include entries for those names in its /etc/passwd and
       /etc/group files.

       --uts how

       Sets the configuration for the UTS namespace for the container. The
       configured value can be "" (the empty string) or "container" to
       indicate that a new UTS namespace should be created, or it can be
       "host" to indicate that the UTS namespace in which buildah itself is
       being run should be reused, or it can be the path to a UTS namespace
       which is already in use by another process.

       --volume, -v source:destination:options

       Create a bind mount. If you specify -v /HOST-DIR:/CONTAINER-DIR,
       Buildah bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the
       Buildah container. The OPTIONS are a comma delimited list and can be:

              · [rw|ro]

              · [z|Z]

              · [[r]shared|[r]slave|[r]private]

       The CONTAINER-DIR must be an absolute path such as /src/docs. The
       HOST-DIR must be an absolute path as well. Buildah bind-mounts the
       HOST-DIR to the path you specify. For example, if you supply /foo as
       the host path, Buildah copies the contents of /foo to the container
       filesystem on the host and bind mounts that into the container.

       You can specify multiple -v options to mount one or more mounts to a
       container.

       You can add the :ro or :rw suffix to a volume to mount it in read-only
       or read-write mode, respectively. By default, the volumes are mounted
       read-write. See examples.

       Labeling systems like SELinux require that proper labels are placed on
       volume content mounted into a container. Without a label, the security
       system might prevent the processes running inside the container from
       using the content. By default, Buildah does not change the labels set
       by the OS.

       To change a label in the container context, you can add either of two
       suffixes :z or :Z to the volume mount. These suffixes tell Buildah to
       relabel file objects on the shared volumes. The z option tells Buildah
       that two containers share the volume content. As a result, Buildah
       labels the content with a shared content label. Shared volume labels
       allow all containers to read/write content. The Z option tells Buildah
       to label the content with a private unshared label. Only the current
       container can use a private volume.

       By default bind mounted volumes are private. That means any mounts done
       inside the container will not be visible on the host and vice versa.
       This behavior can be changed by specifying a volume mount propagation
       property.

       When the mount propagation policy is set to shared, any mounts
       completed inside the container on that volume will be visible to both
       the host and container. When the mount propagation policy is set to
       slave, one way mount propagation is enabled and any mounts completed
       on the host for that volume will be visible only inside of the
       container. To control the mount propagation property of the volume use
       the :[r]shared, :[r]slave or :[r]private propagation flag. The
       propagation property can be specified only for bind mounted volumes
       and not for internal volumes or named volumes. For mount propagation
       to work on the source mount point (the mount point where the source
       dir is mounted on) it has to have the right propagation properties.
       For shared volumes, the source mount point has to be shared. And for
       slave volumes, the source mount has to be either shared or slave.

       Use df <source-dir> to determine the source mount and then use findmnt
       -o TARGET,PROPAGATION <source-mount-dir> to determine the propagation
       properties of the source mount. If the findmnt utility is not
       available, the source mount point can be determined by looking at the
       mount entry in /proc/self/mountinfo. Look at the optional fields and
       see if any propagation properties are specified. shared:X means the
       mount is shared, master:X means the mount is slave, and if nothing is
       there that means the mount is private.

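       The mountinfo check described above, as an added shell example that is
       not part of the buildah man page: it resolves a directory to its source
       mount (what df would report) and reads the propagation state from the
       optional fields of /proc/self/mountinfo. It uses a constructed
       mountinfo sample so it runs offline; on a real host feed it the
       contents of /proc/self/mountinfo instead.

```shell
# Constructed sample of /proc/self/mountinfo (not captured from a real host).
# Fields: id parent major:minor root mountpoint opts [optional...] - fstype src superopts
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:1 /foo /foo rw,relatime master:1 - ext4 /dev/sda1 rw
41 22 8:2 / /data rw,relatime - ext4 /dev/sda2 rw
42 22 8:1 /src /src rw,relatime shared:5 master:1 - ext4 /dev/sda1 rw'

# source_mount_of MOUNTINFO DIR: print the mount point that holds DIR, i.e. the
# longest mount point that is DIR itself or a parent of it (what df reports).
source_mount_of() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        { mp = $5
          if (mp == "/" || mp == dir || index(dir, mp "/") == 1) {
              if (length(mp) > length(best)) best = mp
          } }
        END { print best }'
}

# propagation_of MOUNTINFO MOUNTPOINT: print the propagation state of the
# mount at MOUNTPOINT. Optional fields sit between field 6 and the "-"
# separator: shared:X means shared, master:X means slave, neither means
# private. A mount carrying both tags is a slave that also has its own peer
# group; it is reported as "shared,slave". Exits non-zero if MOUNTPOINT is
# not a mount point at all.
propagation_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                if ($i ~ /^master:/) slave = 1
            }
            if (shared && slave)  print "shared,slave"
            else if (shared)      print "shared"
            else if (slave)       print "slave"
            else                  print "private"
            found = 1; exit
        }
        END { if (!found) { print "not a mount point: " mp; exit 1 } }'
}

# Usage: a -v /foo/bar:/dst:shared mount would not get shared propagation
# here, because the source mount /foo is only a slave.
src=$(source_mount_of "$SAMPLE_MOUNTINFO" /foo/bar)
echo "/foo/bar is on $src, propagation: $(propagation_of "$SAMPLE_MOUNTINFO" "$src")"
```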
       To change the propagation properties of a mount point use the mount
       command. For example, to bind mount the source directory /foo do mount
       --bind /foo /foo and mount --make-private --make-shared /foo. This will
       convert /foo into a shared mount point. The propagation properties of
       the source mount can be changed directly. For instance if / is the
       source mount for /foo, then use mount --make-shared / to convert / into
       a shared mount.

       NOTE: End parsing of options with the -- option, so that other options
       can be passed to the command inside of the container.


EXAMPLE

       buildah run containerID -- ps -auxw

       buildah run --hostname myhost containerID -- ps -auxw

       buildah run containerID -- sh -c 'echo $PATH'

       buildah run --runtime-flag log-format=json containerID /bin/bash

       buildah run --runtime-flag debug containerID /bin/bash

       buildah run --tty containerID /bin/bash

       buildah run --tty=false containerID ls /

       buildah run --volume /path/on/host:/path/in/container:ro,z containerID
       sh


SEE ALSO

       buildah(1), namespaces(7), pid_namespaces(7)

buildah                           March 2017                    buildah-run(1)