oracular (1) docker-container-runlabel.1.gz

Provided by: podman_5.0.3+ds1-5ubuntu1_amd64

NAME

       podman-container-runlabel - Execute a command as described by a container-image label

SYNOPSIS

       podman container runlabel [options] label image [arg...]

DESCRIPTION

       podman container runlabel reads the specified label of the image and executes it as a command on the
       host.  If the label does not exist, Podman exits with an error.  Additional arguments are appended to
       the command.

       Historically,  container  images  describe the contents (e.g., layers) and how a container runtime (e.g.,
       crun(1) or runc(1)) executes the container.  For instance, an image  may  set  the  environment  and  the
       command  in its configuration.  However, a container image cannot directly specify how a container engine
       such as Podman executes it.  For instance, an image configuration does not include information about  log
       drivers, namespaces, or which capabilities it needs to run correctly.

       podman container runlabel addresses the limitation of container images in a simple yet efficient way.
       Podman reads the contents of the label and interprets it as a command that is executed on the host.
       This way an image can describe exactly how it is executed by Podman.  For instance, a label with the
       content /usr/bin/podman run -d --pid=host --privileged \${IMAGE} instructs the image to be executed in
       a detached, privileged container that is using the PID namespace of the host.  This lifts the
       self-description of a container image from "what" to "how".

       Note that the runlabel command is intended to be run in  trusted  environments  exclusively.   Using  the
       command on untrusted images is not recommended.

VARIABLES

       The contents of a label may refer to the following variables, which are substituted while processing
       the label.

       IMAGE The name of the image.  When executing podman container runlabel label fedora the IMAGE variable is
       replaced with fedora.  Valid formats are IMAGE, $IMAGE, ${IMAGE} and =IMAGE.

       NAME As specified by the --name option.  The format is identical to the one of the IMAGE attribute.

       PWD Will be replaced with the current working directory.

OPTIONS

   --authfile=path
       Path  of  the  authentication  file.  Default  is  ${XDG_RUNTIME_DIR}/containers/auth.json  on Linux, and
       $HOME/.config/containers/auth.json on Windows/macOS.  The  file  is  created  by  podman  login.  If  the
       authorization  state  is not found there, $HOME/.docker/config.json is checked, which is set using docker
       login.

       Note: There is also the option to override the default path of the authentication  file  by  setting  the
       REGISTRY_AUTH_FILE environment variable. This can be done with export REGISTRY_AUTH_FILE=path.

   --cert-dir=path
       Use   certificates   at   path   (*.crt,   *.cert,   *.key)   to   connect  to  the  registry.  (Default:
       /etc/containers/certs.d) For details, see containers-certs.d(5).  (This option is not available with  the
       remote Podman client, including Mac and Windows (excluding WSL2) machines)

   --creds=[username[:password]]
       The  [username[:password]]  to use to authenticate with the registry, if required.  If one or both values
       are not supplied, a command line prompt appears and the value can be entered.  The  password  is  entered
       without echo.

       Note  that  the  specified credentials are only used to authenticate against target registries.  They are
       not used for mirrors  or  when  the  registry  gets  rewritten  (see  containers-registries.conf(5));  to
       authenticate against those consider using a containers-auth.json(5) file.

   --display
       Display the value of the image's label with its environment variables populated.  The runlabel command
       is not executed if --display is specified.

   --help, -h
       Print usage statement

   --name, -n=name
       Use this name for creating content for the container.  If not specified, name defaults to the name of the
       image.

   --quiet, -q
       Suppress output information when pulling images

   --replace
       If  a  container exists with the current name, it is stopped, deleted and a new container is created from
       this image.

   --tls-verify
       Require HTTPS and verify certificates when contacting registries (default: true).  If explicitly set to
       true, TLS verification is used.  If set to false, TLS verification is not used.  If not specified, TLS
       verification is used unless the target registry is listed as an insecure registry in
       containers-registries.conf(5).

EXAMPLES

       Execute the run label of an image called foobar.

       $ podman container runlabel run foobar

       Execute the install label of an image called foobar with additional arguments.

       $ podman container runlabel install foobar apples oranges

       Display the contents of the run label of image foobar.

       $ podman container runlabel --display run foobar
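
       Added example (not part of the Podman documentation): a pre-flight check for the trusted-environment
       note in DESCRIPTION.  The hypothetical audit_runlabel function scans a label's command line, such as
       the text shown by --display, for options that give the container host-level access; the list of
       flagged options is this example's own policy.

```shell
#!/bin/sh
# Added example: the flagged options are this example's own policy, not a Podman check.

# audit_runlabel CMD: print one finding per line; succeed only if there are none.
# The body runs in a subshell so "set -f" and the variables stay local.
audit_runlabel() (
    cmd=$1
    findings=0
    flag() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    # The label is executed on the host, so check which binary it starts.
    first=${cmd%% *}
    case "$first" in
        podman|/usr/bin/podman) ;;
        *) flag "host-binary: $first" ;;
    esac

    set -f          # no globbing while splitting the label into words
    prev=
    for word in $cmd; do
        # Option and value given as two separate words, e.g. "--pid host".
        case "$prev $word" in
            "--pid host"|"--network host"|"--net host"|"--ipc host"|"--userns host")
                flag "host-namespace: $prev $word" ;;
        esac
        case "$word" in
            --privileged|--privileged=true) flag "privileged: $word" ;;
            --pid=host|--network=host|--net=host|--ipc=host|--userns=host)
                flag "host-namespace: $word" ;;
            --cap-add|--cap-add=*) flag "capability: $word" ;;
            --security-opt|--security-opt=*) flag "security-opt: $word" ;;
            -v|--volume|--volume=*|--mount|--mount=*) flag "host-mount: $word" ;;
        esac
        prev=$word
    done

    [ "$findings" -eq 0 ]
)

# Constructed sample: the label content quoted in DESCRIPTION above.
sample='/usr/bin/podman run -d --pid=host --privileged ${IMAGE}'
audit_runlabel "$sample" || echo "review this label before executing it"
```

       A label that passes this scan is not thereby safe; the scan only surfaces the options a reviewer
       would want to look at first.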

SEE ALSO

       podman(1), crun(1), runc(8), containers-certs.d(5), containers-auth.json(5),
       containers-registries.conf(5)

HISTORY

       August 2021, Refinements by Valentin Rothberg (rothberg at redhat dot com)

       September 2018, Originally compiled by Brent Baude (bbaude at redhat dot com)

                                                                                    podman-container-runlabel(1)