Can services in a Docker (OCI) container read the container's annotations added by the LABEL command?

Question

I have a dockerfile that creates a container that houses an API service. The dockerfile tags the image with a few annotations like so:

LABEL org.opencontainers.image.vendor="MyCompany"
LABEL org.opencontainers.image.created="2021-02-12T12:10:15Z"
LABEL org.opencontainers.image.version="2.0.5"
LABEL org.opencontainers.image.revision="<gitcommithash>"

I want to expose an endpoint on that API service, /api/version, that returns version information. The version information is already stamped on the container in the LABEL statements above. I was wondering if our API service inside the container would somehow be able to retrieve these annotations.

Can a container read its own LABEL annotations?

Answer 1

First a quick clarification that labels and annotations are two different things. The annotation would go on the OCI manifest, and these labels go in the image config. Unfortunately I don't think we have much in the way of tooling to set and read annotations, so everyone just uses labels instead.

From inside of a container, I'm not aware of any way to inspect the labels on the container. You would need to either make the runtime engine accessible from inside the container, or have that engine inject something like an environment variable or file that includes these values. The former is a security hole, and I haven't heard of any runtimes doing the latter. A quick search shows this old issue looking for a standard way to provide container introspection, not unlike how AWS has a metadata service for EC2 instances.