NAME

podman-container-runlabel - Execute a command as described by a container-image label

SYNOPSIS

podman container runlabel [options] label image [arg…]

DESCRIPTION

podman container runlabel reads the specified label of the image and executes it as a command on the host. If the label does not exist, Podman exits with an error. Additional arguments are appended to the command.

Historically, container images describe the contents (e.g., layers) and how a container runtime (e.g., crun(1) or runc(1)) executes the container. For instance, an image may set the environment and the command in its configuration. However, a container image cannot directly specify how a container engine such as Podman executes it. For instance, an image configuration does not include information about log drivers, namespaces, or which capabilities it needs to run correctly.

podman container runlabel addresses the limitation of container images in a simple yet efficient way. Podman reads the contents of the label and interprets it as a command that is executed on the host. This way an image can describe exactly how it is executed by Podman. For instance, a label with the content /usr/bin/podman run -d --pid=host --privileged \${IMAGE} instructs the image to be executed in a detached, privileged container that is using the PID namespace of the host. This lifts the self-description of a container image from “what” to “how”.

Note that the runlabel command is intended to be run in trusted environments exclusively. Using the command on untrusted images is not recommended.
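
Because the label is executed on the host, its text can be checked before it is run. The following is an added example, not part of the Podman documentation: the function name audit_runlabel and its finding names are hypothetical, the label is passed in as a string, and the sample is the label quoted in the description above.

```shell
#!/bin/sh
# Added example: audit a runlabel command string before Podman executes it.
# The input is the label text itself (constructed sample at the bottom).

# audit_runlabel LABEL_TEXT
# Prints one finding per line; returns 0 if nothing was flagged, 1 otherwise.
audit_runlabel() {
    label=$1
    findings=0

    # Split the label into words without expanding globs in it.
    set -f
    set -- $label
    set +f

    # The label runs on the host, so its first word selects the host binary.
    # Anything other than podman needs a manual review.
    case "${1:-}" in
        podman|/usr/bin/podman) ;;
        *) echo "host-command: first word is '${1:-}' rather than podman"
           findings=1 ;;
    esac

    # Flag options that give the container access to the host.
    for word in "$@"; do
        case "$word" in
            --privileged|--privileged=true)
                echo "privileged: $word"; findings=1 ;;
            --pid=host|--network=host|--net=host|--ipc=host)
                echo "host-namespace: $word"; findings=1 ;;
            --cap-add|--cap-add=*)
                echo "capability: $word"; findings=1 ;;
            /:*|--volume=/:*)
                echo "host-root-mount: $word"; findings=1 ;;
        esac
    done
    return $findings
}

# Constructed sample: the label text from the DESCRIPTION section.
audit_runlabel '/usr/bin/podman run -d --pid=host --privileged ${IMAGE}' || true
```

A non-zero return means the label asks for host-level access or starts a host command other than podman, so it should be read by a person before runlabel is used on that image.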

VARIABLES

The contents of a label may refer to the following variables, which are substituted while processing the label.

IMAGE The name of the image. When executing podman container runlabel label fedora the IMAGE variable is replaced with fedora. Valid formats are IMAGE, $IMAGE, ${IMAGE} and =IMAGE.

NAME As specified by the --name option. The format is identical to the one of the IMAGE attribute.

PWD Will be replaced with the current working directory.

OPTIONS

--authfile=path

Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and $HOME/.config/containers/auth.json on Windows/macOS. The file is created by podman login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.

Note: There is also the option to override the default path of the authentication file by setting the REGISTRY_AUTH_FILE environment variable. This can be done with export REGISTRY_AUTH_FILE=path.

--cert-dir=path

Use certificates at path (*.crt, *.cert, *.key) to connect to the registry. (Default: /etc/containers/certs.d) For details, see containers-certs.d(5). (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)

--creds=[username[:password]]

The [username[:password]] to use to authenticate with the registry, if required. If one or both values are not supplied, a command line prompt appears and the value can be entered. The password is entered without echo.

Note that the specified credentials are only used to authenticate against target registries. They are not used for mirrors or when the registry gets rewritten (see containers-registries.conf(5)); to authenticate against those consider using a containers-auth.json(5) file.

--display

Display the label’s value of the image having populated its environment variables. The runlabel command is not executed if --display is specified.

--help, -h

Print usage statement

--name, -n=name

Use this name for creating content for the container. If not specified, name defaults to the name of the image.

--quiet, -q

Suppress output information when pulling images

--replace

If a container exists with the current name, it is stopped, deleted and a new container is created from this image.

--tls-verify

Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, TLS verification is used. If set to false, TLS verification is not used. If not specified, TLS verification is used unless the target registry is listed as an insecure registry in containers-registries.conf(5).

EXAMPLES

Execute the run label of an image called foobar.

$ podman container runlabel run foobar

Execute the install label of an image called foobar with additional arguments.

$ podman container runlabel install foobar apples oranges

Display the contents of the run label of image foobar.

$ podman container runlabel --display run foobar

SEE ALSO

podman(1), crun(1), runc(8), containers-certs.d(5), containers-auth.json(5), containers-registries.conf(5)

HISTORY

August 2021, Refinements by Valentin Rothberg (rothberg at redhat dot com)

September 2018, Originally compiled by Brent Baude (bbaude at redhat dot com)