1podman-container-runlabel(1)()                  podman-container-runlabel(1)()
2
3
4

NAME

6       podman-container-runlabel  -  Executes a command as described by a con‐
7       tainer-image label
8
9

SYNOPSIS

11       podman container runlabel [options] label image [arg...]
12
13

DESCRIPTION

15       podman container runlabel reads the specified label of  the  image  and
16       executes  it as command on the host.  If the label does not exist, Pod‐
17       man will exit with an error.  Additional arguments will be appended  to
18       the command.
19
20
21       Historically, container images describe the contents (e.g., layers) and
22       how a container runtime (e.g., crun(1) or runc(1)) should  execute  the
23       container.  For instance, an image may set the environment and the com‐
24       mand in its configuration.  However, a container image cannot  directly
25       specify  how  a container engine such as Podman should execute it.  For
26       instance, an image configuration does not include information about log
27       drivers, namespaces or which capabilities it needs to run correctly.
28
29
30       podman  container runlabel addresses the limitation of container images
31       in a simple yet efficient way.  Podman will read the  contents  of  the
32       label  and interpret it as a command that will be executed on the host.
33       This way an image can describe exactly how it  should  be  executed  by
34       Podman.   For instance, a label with the content /usr/bin/podman run -d
35       --pid=host --privileged \${IMAGE} instructs the image to be executed in
36       a detached, privileged container that is using the PID namespace of the
37       host.  This lifts the self-description of a container image from "what"
38       to "how".
39
40
41       Please  note that the runlabel command is intended to be run in trusted
42       environments exclusively.  Using the command on untrusted images is not
43       recommended.
44
45

VARIABLES

47       The contents of a label may refer to the following variables which will
48       be substituted while processing the label.
49
50
51       IMAGE The name of the image.  When executing podman container  runlabel
52       label  fedora  the  IMAGE variable will be replaced with fedora.  Valid
53       formats are IMAGE, $IMAGE, ${IMAGE} and =IMAGE.
54
55
56       NAME As specified by the --name option.  The format is identical to the
57       one of the IMAGE attribute.
58
59
60       PWD Will be replaced with the current working directory.
61
62

OPTIONS

64   --authfile=path
65       Path   of  the  containers-auth.json(5)  file.  Default  is  ${XDG_RUN‐
66       TIME_DIR}/containers/auth.json, which is set using  podman  login.   If
67       the  authorization  state is not found there, $HOME/.docker/config.json
68       is checked, which is set using docker login.
69
70
71       Note: You can also override the default path of the authentication file
72       by  setting  the  REGISTRY_AUTH_FILE  environment variable. export REG‐
73       ISTRY_AUTH_FILE=path
74
75
76   --cert-dir=path
77       Use certificates at path (*.crt, *.cert, *.key) to connect to the  reg‐
78       istry.  (Default:  /etc/containers/certs.d) Please refer to containers-
79       certs.d(5) for details. (This option is not available with  the  remote
80       Podman client, including Mac and Windows (excluding WSL2) machines)
81
82
83   --creds=[username[:password]]
84       The  [username[:password]]  to use to authenticate with the registry if
85       required.  If one or both values  are  not  supplied,  a  command  line
86       prompt  will  appear and the value can be entered.  The password is en‐
87       tered without echo.
88
89
90   --display
91       Display the label's value of the image having populated its environment
92       variables.  The runlabel command will not execute if --display is spec‐
93       ified.
94
95
96   --help, -h
97       Print usage statement
98
99
100   --name, -n=name
101       Use this name for creating content for the container.   If  not  speci‐
102       fied, name defaults to the name of the image.
103
104
105   --quiet, -q
106       Suppress output information when pulling images
107
108
109   --replace
110       If  a  container exists of the default or given name, as needed it will
111       be stopped, deleted and a new container will be created from  this  im‐
112       age.
113
114
115   --tls-verify
116       Require  HTTPS  and verify certificates when contacting registries (de‐
117       fault: true). If explicitly set to true, then TLS verification will  be
118       used.  If  set to false, then TLS verification will not be used. If not
119       specified, TLS verification will be used unless the target registry  is
120       listed as an insecure registry in containers-registries.conf(5).
121
122

EXAMPLES

124       Execute the run label of an image called foobar.
125
126
127              $ podman container runlabel run foobar
128
129
130
131       Execute the install label of an image called foobar with additional ar‐
132       guments.
133
134
135              $ podman container runlabel install foobar apples oranges
136
137
138
139       Display the contents of the run label of image foobar.
140
141
142              $ podman container runlabel --display run foobar
143
144
145

SEE ALSO

147       podman(1),   crun(1),   runc(8),   containers-certs.d(5),   containers-
148       auth.json(5), containers-registries.conf(5)
149
150

HISTORY

152       August  2021,  Refinements by Valentin Rothberg (rothberg at redhat dot
153       com)
154
155
156       September 2018, Originally compiled by Brent Baude  (bbaude  at  redhat
157       dot com)
158
159
160
161                                                podman-container-runlabel(1)()
Impressum