1podman-container-runlabel(1)()                  podman-container-runlabel(1)()
2
3
4

NAME

6       podman-container-runlabel  -  Executes a command as described by a con‐
7       tainer-image label
8
9

SYNOPSIS

11       podman container runlabel [options] label image [arg...]
12
13

DESCRIPTION

15       podman container runlabel reads the specified label of  the  image  and
16       executes  it as command on the host.  If the label does not exist, Pod‐
17       man will exit with an error.  Additional arguments will be appended  to
18       the command.
19
20
21       Historically, container images describe the contents (e.g., layers) and
22       how a container runtime (e.g., crun(1) or runc(1)) should  execute  the
23       container.  For instance, an image may set the environment and the com‐
24       mand in its configuration.  However, a container image cannot  directly
25       specify  how  a container engine such as Podman should execute it.  For
26       instance, an image configuration does not include information about log
27       drivers, namespaces or which capabilities it needs to run correctly.
28
29
30       podman  container runlabel addresses the limitation of container images
31       in a simple yet efficient way.  Podman will read the  contents  of  the
32       label  and interpret it as a command that will be executed on the host.
33       This way an image can describe exactly how it  should  be  executed  by
34       Podman.   For instance, a label with the content /usr/bin/podman run -d
35       --pid=host --privileged \${IMAGE} instructs the image to be executed in
36       a detached, privileged container that is using the PID namespace of the
37       host.  This lifts the self-description of a container image from "what"
38       to "how".
39
40
41       Please  note that the runlabel command is intended to be run in trusted
42       environments exclusively.  Using the command on untrusted images is not
43       recommended.
44
45

VARIABLES

47       The contents of a label may refer to the following variables which will
48       be substituted while processing the label.
49
50
51       IMAGE The name of the image.  When executing podman container  runlabel
52       label  fedora  the  IMAGE variable will be replaced with fedora.  Valid
53       formats are IMAGE, $IMAGE, ${IMAGE} and =IMAGE.
54
55
56       NAME As specified by the --name option.  The format is identical to the
57       one of the IMAGE attribute.
58
59
60       PWD Will be replaced with the current working directory.
61
62

OPTIONS

64   --authfile=path
65       Path   of  the  containers-auth.json(5)  file.  Default  is  ${XDG_RUN‐
66       TIME_DIR}/containers/auth.json, which is set using  podman  login.   If
67       the  authorization  state is not found there, $HOME/.docker/config.json
68       is checked, which is set using docker login.
69
70
71       Note: You can also override the default path of the authentication file
72       by  setting  the  REGISTRY_AUTH_FILE  environment variable. export REG‐
73       ISTRY_AUTH_FILE=path
74
75
76   --display
77       Display the label's value of the image having populated its environment
78       variables.  The runlabel command will not execute if --display is spec‐
79       ified.
80
81
82   --cert-dir=path
83       Use certificates at path (*.crt, *.cert, *.key) to connect to the  reg‐
84       istry.  Please refer to containers-certs.d(5) for details. (This option
85       is not available with the remote Podman client)
86
87
88   --creds=[username[:password]]
89       The [username[:password]] to use to authenticate with the  registry  if
90       required.   If  one  or  both  values  are not supplied, a command line
91       prompt will appear and the value can be entered.  The password  is  en‐
92       tered without echo.
93
94
95   --help, -h
96       Print usage statement
97
98
99   --name, -n=name
100       Use  this  name  for creating content for the container.  If not speci‐
101       fied, name defaults to the name of the image.
102
103
104   --quiet, -q
105       Suppress output information when pulling images
106
107
108   --replace
109       If a container exists of the default or given name, as needed  it  will
110       be  stopped,  deleted and a new container will be created from this im‐
111       age.
112
113
114   --tls-verify
115       Require HTTPS and verify certificates when contacting  registries  (de‐
116       fault:  true). If explicitly set to true, then TLS verification will be
117       used. If set to false, then TLS verification will not be used.  If  not
118       specified,  TLS verification will be used unless the target registry is
119       listed as an insecure registry in containers-registries.conf(5).
120
121

EXAMPLES

123       Execute the run label of an image called foobar.
124
125
126              $ podman container runlabel run foobar
127
128
129
130       Execute the install label of an image called foobar with additional ar‐
131       guments.
132
133
134              $ podman container runlabel install foobar apples oranges
135
136
137
138       Display the contents of the run label of image foobar.
139
140
141              $ podman container runlabel --display run foobar
142
143
144

SEE ALSO

146       podman(1),   crun(1),   runc(1),  containers-auth.json(5),  containers-
147       certs.d(5), containers-registries.conf(5)
148
149

HISTORY

151       August 2021, Refinements by Valentin Rothberg (rothberg at  redhat  dot
152       com)
153
154
155       September  2018,  Originally  compiled by Brent Baude (bbaude at redhat
156       dot com)
157
158
159
160                                                podman-container-runlabel(1)()
Impressum