DOCKER(1)                         JUNE 2014                         DOCKER(1)

NAME
   docker-create - Create a new container

SYNOPSIS
   docker create [-a|--attach[=[]]] [--add-host[=[]]]
   [--blkio-weight[=[BLKIO-WEIGHT]]] [--blkio-weight-device[=[]]]
   [--cpu-shares[=0]] [--cap-add[=[]]] [--cap-drop[=[]]]
   [--cgroup-parent[=CGROUP-PATH]] [--cidfile[=CIDFILE]] [--cpu-count[=0]]
   [--cpu-percent[=0]] [--cpu-period[=0]] [--cpu-quota[=0]]
   [--cpu-rt-period[=0]] [--cpu-rt-runtime[=0]] [--cpus[=0.0]]
   [--cpuset-cpus[=CPUSET-CPUS]] [--cpuset-mems[=CPUSET-MEMS]]
   [--device[=[]]] [--device-read-bps[=[]]] [--device-read-iops[=[]]]
   [--device-write-bps[=[]]] [--device-write-iops[=[]]] [--dns[=[]]]
   [--dns-search[=[]]] [--dns-option[=[]]] [-e|--env[=[]]]
   [--entrypoint[=ENTRYPOINT]] [--env-file[=[]]] [--expose[=[]]]
   [--group-add[=[]]] [-h|--hostname[=HOSTNAME]] [--help]
   [-i|--interactive] [--ip[=IPv4-ADDRESS]] [--ip6[=IPv6-ADDRESS]]
   [--ipc[=IPC]] [--isolation[=default]] [--kernel-memory[=KERNEL-MEMORY]]
   [-l|--label[=[]]] [--label-file[=[]]] [--link[=[]]]
   [--link-local-ip[=[]]] [--log-driver[=[]]] [--log-opt[=[]]]
   [-m|--memory[=MEMORY]] [--mac-address[=MAC-ADDRESS]]
   [--memory-reservation[=MEMORY-RESERVATION]] [--memory-swap[=LIMIT]]
   [--memory-swappiness[=MEMORY-SWAPPINESS]] [--name[=NAME]]
   [--network-alias[=[]]] [--network[="bridge"]] [--oom-kill-disable]
   [--oom-score-adj[=0]] [-P|--publish-all] [-p|--publish[=[]]]
   [--pid[=[PID]]] [--userns[=[]]] [--pids-limit[=PIDS_LIMIT]]
   [--privileged] [--read-only] [--restart[=RESTART]] [--rm]
   [--security-opt[=[]]] [--storage-opt[=[]]] [--stop-signal[=SIGNAL]]
   [--stop-timeout[=TIMEOUT]] [--shm-size[=[]]] [--sysctl[=[]]] [-t|--tty]
   [--tmpfs[=[CONTAINER-DIR[:<OPTIONS>]]] [-u|--user[=USER]]
   [--ulimit[=[]]] [--uts[=[]]]
   [-v|--volume[=[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]]
   [--volume-driver[=DRIVER]] [--volumes-from[=[]]]
   [-w|--workdir[=WORKDIR]] IMAGE [COMMAND] [ARG...]

DESCRIPTION
   Creates a writeable container layer over the specified image and
   prepares it for running the specified command. The container ID is
   then printed to STDOUT. This is similar to docker run -d except that
   the container is never started. You can then use docker start
   <container_id> to start the container at any point.

   The initial status of a container created with docker create is
   'created'.

OPTIONS
   -a, --attach=[]
       Attach to STDIN, STDOUT or STDERR.

   --add-host=[]
       Add a custom host-to-IP mapping (host:ip).

   --blkio-weight=0
       Block IO weight (relative weight). Accepts a weight value between
       10 and 1000.

   --blkio-weight-device=[]
       Block IO weight (relative device weight, format:
       DEVICE_NAME:WEIGHT).

   --cpu-shares=0
       CPU shares (relative weight).

   --cap-add=[]
       Add Linux capabilities. Capabilities named here are added on top of
       the default set Docker grants; the least-privilege pattern is
       --cap-drop=ALL followed by --cap-add of only what the workload
       needs.

   --cap-drop=[]
       Drop Linux capabilities.

   --cgroup-parent=""
       Path to cgroups under which the cgroup for the container will be
       created. If the path is not absolute, it is taken relative to the
       cgroups path of the init process. Cgroups are created if they do
       not already exist.

   --cidfile=""
       Write the container ID to the file.

   --cpu-count=0
       Limit the number of CPUs available for execution by the container.

       On Windows Server containers, this is approximated as a percentage
       of total CPU usage.

       On Windows Server containers, the processor resource controls are
       mutually exclusive; the order of precedence is CPUCount first, then
       CPUShares, and CPUPercent last.

   --cpu-percent=0
       Limit the percentage of CPU available for execution by a container
       running on a Windows daemon.

       On Windows Server containers, the processor resource controls are
       mutually exclusive; the order of precedence is CPUCount first, then
       CPUShares, and CPUPercent last.

   --cpu-period=0
       Limit the CPU CFS (Completely Fair Scheduler) period.

       Limit the container's CPU usage. This flag tells the kernel to
       restrict the container's CPU usage to the period you specify.

   --cpuset-cpus=""
       CPUs in which to allow execution (0-3, 0,1).

   --cpuset-mems=""
       Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only
       effective on NUMA systems.

       If you have four memory nodes on your system (0-3) and use
       --cpuset-mems=0,1, processes in your Docker container will only use
       memory from the first two memory nodes.

   --cpu-quota=0
       Limit the CPU CFS (Completely Fair Scheduler) quota.

   --cpu-rt-period=0
       Limit the CPU real-time period in microseconds.

       Limit the container's real-time CPU usage. This flag tells the
       kernel to restrict the container's real-time CPU usage to the
       period you specify.

   --cpu-rt-runtime=0
       Limit the CPU real-time runtime in microseconds.

       Limit the container's real-time CPU usage. This flag tells the
       kernel to limit the amount of time in a given CPU period that
       real-time tasks may consume. For example, a period of 1,000,000us
       and a runtime of 950,000us means that this container could consume
       95% of the available CPU and leave the remaining 5% to normal
       priority tasks.

       The sum of all runtimes across containers cannot exceed the amount
       allotted to the parent cgroup.

   --cpus=0.0
       Number of CPUs. The default is 0.0, which means no limit.

   --device=[]
       Add a host device to the container (e.g.
       --device=/dev/sdc:/dev/xvdc:rwm). The trailing field is the set of
       cgroup permissions (r, w, m for read, write, mknod) granted on the
       device.

   --device-read-bps=[]
       Limit read rate (bytes per second) from a device (e.g.
       --device-read-bps=/dev/sda:1mb).

   --device-read-iops=[]
       Limit read rate (IO per second) from a device (e.g.
       --device-read-iops=/dev/sda:1000).

   --device-write-bps=[]
       Limit write rate (bytes per second) to a device (e.g.
       --device-write-bps=/dev/sda:1mb).

   --device-write-iops=[]
       Limit write rate (IO per second) to a device (e.g.
       --device-write-iops=/dev/sda:1000).

   --dns=[]
       Set custom DNS servers.

   --dns-option=[]
       Set custom DNS options.

   --dns-search=[]
       Set custom DNS search domains (use --dns-search=. if you do not
       wish to set the search domain).

   -e, --env=[]
       Set environment variables.

   --entrypoint=""
       Overwrite the default ENTRYPOINT of the image.

   --env-file=[]
       Read in a line-delimited file of environment variables.

   --expose=[]
       Expose a port or a range of ports (e.g. --expose=3300-3310) from
       the container without publishing it to your host.

   --group-add=[]
       Add additional groups to run as.

   -h, --hostname=""
       Container host name.

   --help
       Print usage statement.

   -i, --interactive=true|false
       Keep STDIN open even if not attached. The default is false.

   --ip=""
       Sets the container's interface IPv4 address (e.g. 172.23.0.9).

       It can only be used in conjunction with --network for user-defined
       networks.

   --ip6=""
       Sets the container's interface IPv6 address (e.g. 2001:db8::1b99).

       It can only be used in conjunction with --network for user-defined
       networks.

   --ipc=""
       Set the IPC mode for the container. The default is to create a
       private IPC namespace (POSIX/SysV IPC) for the container.
         'container:<name|id>': reuse another container's shared memory,
         semaphores and message queues
         'host': use the host's shared memory, semaphores and message
         queues inside the container. Note: the host mode gives the
         container full access to local shared memory and is therefore
         considered insecure.

   --isolation="default"
       Isolation specifies the type of isolation technology used by
       containers. Note that the default on Windows Server is process, and
       the default on Windows client is hyperv. Linux only supports
       default.

   --kernel-memory=""
       Kernel memory limit (format: <number>[<unit>], where unit = b, k, m
       or g).

       Constrains the kernel memory available to a container. If a limit
       of 0 is specified (not using --kernel-memory), the container's
       kernel memory is not limited. If you specify a limit, it may be
       rounded up to a multiple of the operating system's page size; the
       maximum accepted value is very large (on the order of 10^18 bytes).

   -l, --label=[]
       Adds metadata to a container (e.g., --label=com.example.key=value).

   --label-file=[]
       Read labels from a file. Delimit each label with an EOL.

   --link=[]
       Add a link to another container in the form <name or id>:alias, or
       just <name or id>, in which case the alias will match the name.

   --link-local-ip=[]
       Add one or more link-local IPv4/IPv6 addresses to the container's
       interface.

   --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
       Logging driver for the container. The default is defined by the
       daemon's --log-driver flag.
       Warning: the docker logs command works only for the json-file and
       journald logging drivers.

   --log-opt=[]
       Logging driver specific options.

   -m, --memory=""
       Memory limit (format: <number>[<unit>], where unit = b, k, m or g).

       Allows you to constrain the memory available to a container. If
       the host supports swap memory, then the -m memory setting can be
       larger than physical RAM. If a limit of 0 is specified (not using
       -m), the container's memory is not limited. The actual limit may
       be rounded up to a multiple of the operating system's page size;
       the maximum accepted value is very large (on the order of 10^18
       bytes).

   --mac-address=""
       Container MAC address (e.g. 92:d0:c6:0a:29:33).

   --memory-reservation=""
       Memory soft limit (format: <number>[<unit>], where unit = b, k, m
       or g).

       After setting a memory reservation, when the system detects memory
       contention or low memory, containers are forced to restrict their
       consumption to their reservation. You should therefore always set
       the value below --memory, otherwise the hard limit takes
       precedence. By default, the memory reservation is the same as the
       memory limit.

   --memory-swap="LIMIT"
       A limit value equal to memory plus swap. Must be used with the -m
       (--memory) flag. The swap LIMIT should always be larger than the
       -m (--memory) value.

       The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
       (kilobytes), m (megabytes), or g (gigabytes). If you don't specify
       a unit, b is used. Set LIMIT to -1 to enable unlimited swap.
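The size format and the constraints between -m/--memory, --memory-swap and --memory-reservation described above, as an added example that is not Docker's own code. The unit multipliers are binary (1k = 1024 bytes), which is how Docker interprets them; the function names and messages are this example's own.

```python
"""Size parsing and consistency checks for -m/--memory, --memory-swap and
--memory-reservation (the same <number>[<unit>] format is used by
--kernel-memory and --shm-size).

Added example, not Docker's own code. Rules implemented are the ones
stated above: units b, k, m, g are binary multiples (1k = 1024 bytes, as
Docker interprets them) and a bare number is bytes; --memory-swap needs
--memory and, being memory plus swap, must exceed it unless it is -1
(unlimited swap); --memory-reservation must stay below --memory or the
hard limit takes precedence. Function names and messages are this
example's own.
"""
import re
from typing import List, Optional

_UNIT_MULTIPLIER = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([bkmg]?)\s*$", re.IGNORECASE)


def parse_size(text: str) -> int:
    """'512m' -> 536870912, '1g' -> 1073741824, '4096' -> 4096 (bytes)."""
    match = _SIZE_RE.match(text)
    if not match:
        raise ValueError(f"invalid size {text!r}: expected <number>[b|k|m|g]")
    number, unit = match.groups()
    return int(float(number) * _UNIT_MULTIPLIER[unit.lower()])


def validate_memory_flags(memory: Optional[str] = None,
                          memory_swap: Optional[str] = None,
                          memory_reservation: Optional[str] = None) -> List[str]:
    """Return the problems with a flag combination; [] means consistent."""
    problems: List[str] = []
    hard_limit = parse_size(memory) if memory else 0   # 0: not limited

    if memory_swap is not None:
        if hard_limit == 0:
            problems.append("--memory-swap requires -m/--memory to be set")
        elif memory_swap.strip() != "-1":              # -1: unlimited swap
            total = parse_size(memory_swap)
            if total < hard_limit:
                problems.append("--memory-swap is memory plus swap and cannot be "
                                f"smaller than --memory ({total} < {hard_limit})")
            elif total == hard_limit:
                problems.append("--memory-swap equal to --memory leaves the "
                                "container no swap at all; raise it or use -1")

    if memory_reservation is not None:
        soft_limit = parse_size(memory_reservation)
        if hard_limit and soft_limit > hard_limit:
            problems.append("--memory-reservation must be below --memory or the "
                            f"hard limit takes precedence ({soft_limit} > {hard_limit})")
    return problems
```

Run validate_memory_flags("512m", "1g", "256m") before building the docker create command line; an empty list means the three values obey the rules above, and each message names the flag that needs changing.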

   --memory-swappiness=""
       Tune a container's memory swappiness behavior. Accepts an integer
       between 0 and 100.

   --name=""
       Assign a name to the container.

   --network="bridge"
       Set the network mode for the container.
         'bridge': create a network stack on the default Docker bridge
         'none': no networking
         'container:<name|id>': reuse another container's network stack
         'host': use the Docker host network stack. Note: the host mode
         gives the container full access to local system services such as
         D-Bus and is therefore considered insecure.
         '<network-name>|<network-id>': connect to a user-defined network

   --network-alias=[]
       Add a network-scoped alias for the container.

   --oom-kill-disable=true|false
       Whether to disable the OOM killer for the container or not.

   --oom-score-adj=""
       Tune the host's OOM preferences for containers (accepts -1000 to
       1000).

   -P, --publish-all=true|false
       Publish all exposed ports to random ports on the host interfaces.
       The default is false.

   -p, --publish=[]
       Publish a container's port, or a range of ports, to the host.
         format: ip:hostPort:containerPort | ip::containerPort |
                 hostPort:containerPort | containerPort
       Both hostPort and containerPort can be specified as a range of
       ports. When specifying ranges for both, the number of container
       ports in the range must match the number of host ports in the
       range (e.g., -p 1234-1236:1234-1236/tcp). Use 'docker port' to see
       the actual mapping.
       When no ip is given, the host port is bound on all host interfaces
       (0.0.0.0) by default; give 127.0.0.1 explicitly for a service that
       should only be reachable from the host itself.
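The -p formats and the range-length rule above, as an added example that is not Docker's own code. It expands a publish specification into concrete mappings, rejects mismatched ranges, accepts bracketed IPv6 host addresses such as [::1]:8443:443, and reports mappings that are bound on every host interface. The class and function names are this example's own.

```python
"""Expand and check -p/--publish specifications.

Added example, not Docker's own code. It implements the four forms
listed above (ip:hostPort:containerPort, ip::containerPort,
hostPort:containerPort, containerPort), port ranges on either side with
the rule that both ranges must have the same length, an optional /tcp
or /udp suffix, and bracketed IPv6 host addresses. It also reports what
a reviewer wants to know: a mapping with no ip is bound on every host
interface. Class and function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]      # None: all interfaces (Docker's default)
    host_port: Optional[int]    # None: Docker picks an ephemeral port
    container_port: int
    proto: str                  # "tcp" or "udp"

    @property
    def exposed_on_all_interfaces(self) -> bool:
        return self.host_ip in (None, "0.0.0.0", "::")


def _port_range(text: str) -> List[Optional[int]]:
    """'80' -> [80]; '80-82' -> [80, 81, 82]; '' -> [None] (ephemeral)."""
    if text == "":
        return [None]
    low, dash, high = text.partition("-")
    if not low.isdigit() or (dash and not high.isdigit()):
        raise ValueError(f"invalid port or port range {text!r}")
    low_n, high_n = int(low), (int(high) if dash else int(low))
    if not 0 < low_n <= high_n <= 65535:
        raise ValueError(f"port range {text!r} out of order or out of bounds")
    return list(range(low_n, high_n + 1))


def _split_host(ports: str):
    """Return (host_ip or None, hostPort text, containerPort text)."""
    if ports.startswith("["):                      # [ipv6]:hostPort:containerPort
        close = ports.find("]")
        if close < 0 or not ports[close + 1:].startswith(":"):
            raise ValueError(f"malformed IPv6 publish spec {ports!r}")
        host_ip, parts = ports[1:close], ports[close + 2:].split(":")
        if len(parts) != 2:
            raise ValueError(f"malformed publish spec {ports!r}")
        host_text, cont_text = parts
    else:
        parts = ports.split(":")
        if len(parts) == 1:                        # containerPort
            host_ip, host_text, cont_text = None, "", parts[0]
        elif len(parts) == 2:                      # hostPort:containerPort
            host_ip, host_text, cont_text = None, parts[0], parts[1]
        elif len(parts) == 3:                      # ip:hostPort:containerPort, ip::containerPort
            host_ip, host_text, cont_text = parts
        else:
            raise ValueError(f"malformed publish spec {ports!r}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)              # raises ValueError on junk
    return host_ip, host_text, cont_text


def parse_publish(spec: str) -> List[PortMapping]:
    """Expand one -p value into its concrete host -> container mappings."""
    ports, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    host_ip, host_text, cont_text = _split_host(ports)
    container_ports = _port_range(cont_text)
    if container_ports == [None]:
        raise ValueError(f"container port missing in {spec!r}")
    host_ports = _port_range(host_text)
    if host_ports == [None]:
        host_ports = [None] * len(container_ports)   # ip::containerPort form
    elif len(host_ports) != len(container_ports):
        raise ValueError(
            f"{spec!r}: host range has {len(host_ports)} ports but container "
            f"range has {len(container_ports)}; the counts must match")
    return [PortMapping(host_ip, h, c, proto)
            for h, c in zip(host_ports, container_ports)]


def publish_findings(specs: List[str]) -> List[str]:
    """One line per mapping that is reachable from every host interface."""
    findings = []
    for spec in specs:
        for m in parse_publish(spec):
            if m.exposed_on_all_interfaces:
                findings.append(f"{spec}: container port {m.container_port}/{m.proto} "
                                "is published on all host interfaces; use "
                                "127.0.0.1:hostPort:containerPort to keep it local")
    return findings
```

publish_findings(["8080:80", "127.0.0.1:9090:90"]) flags only the first specification; the second is bound to loopback and is silent.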

   --pid=""
       Set the PID mode for the container. The default is to create a
       private PID namespace for the container.
         'container:<name|id>': join another container's PID namespace
         'host': use the host's PID namespace for the container. Note: the
         host mode gives the container full access to local PIDs and is
         therefore considered insecure.

   --userns=""
       Set the user namespace mode for the container when the daemon's
       userns-remap option is enabled.
         host: use the host's user namespace. This is required for options
         that need host privileges (e.g., --pid=host or --privileged), but
         it also discards the UID/GID remapping for this container, so
         root inside the container is root on the host.

   --pids-limit=""
       Tune the container's pids limit. Set -1 to have unlimited pids for
       the container.

   --privileged=true|false
       Give extended privileges to this container. The default is false.
       A privileged container gets all capabilities and access to all
       host devices, and seccomp and AppArmor confinement are turned off;
       treat it as equivalent to root on the host.

   --read-only=true|false
       Mount the container's root filesystem as read only.

   --restart="no"
       Restart policy to apply when a container exits (no,
       on-failure[:max-retry], always, unless-stopped).

   --rm=true|false
       Automatically remove the container when it exits. The default is
       false.

   --shm-size=""
       Size of /dev/shm. The format is <number><unit>; number must be
       greater than 0. Unit is optional and can be b (bytes), k
       (kilobytes), m (megabytes), or g (gigabytes). If you omit the
       unit, the system uses bytes. If you omit the size entirely, the
       system uses 64m.

   --security-opt=[]
       Security options:

         "label:user:USER"      : Set the label user for the container
         "label:role:ROLE"      : Set the label role for the container
         "label:type:TYPE"      : Set the label type for the container
         "label:level:LEVEL"    : Set the label level for the container
         "label:disable"        : Turn off label confinement for the
                                  container
         "no-new-privileges"    : Prevent container processes from gaining
                                  additional privileges (for example
                                  through setuid binaries)
         "seccomp:unconfined"   : Turn off seccomp confinement for the
                                  container
         "seccomp:profile.json" : JSON file describing the seccomp filter
                                  (whitelisted syscalls) to apply to the
                                  container

   --storage-opt=[]
       Storage driver options per container.

         $ docker create -it --storage-opt size=120G fedora /bin/bash

       This (size) allows setting the container rootfs size to 120G at
       creation time. This option is only available for the devicemapper,
       btrfs, overlay2 and zfs graph drivers. For the devicemapper, btrfs
       and zfs storage drivers, the user cannot pass a size less than the
       default BaseFS size. For the overlay2 storage driver, the size
       option is only available if the backing filesystem is xfs and is
       mounted with the pquota mount option. Under these conditions, the
       user can pass any size less than the backing filesystem size.

   --stop-signal=SIGTERM
       Signal to stop a container. Default is SIGTERM.

   --stop-timeout=10
       Timeout (in seconds) to stop a container. Default is 10.

   --sysctl=SYSCTL
       Configure namespaced kernel parameters at runtime.

       IPC Namespace - current sysctls allowed:

         kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem,
         kernel.shmall, kernel.shmmax, kernel.shmmni,
         kernel.shm_rmid_forced
         Sysctls beginning with fs.mqueue.*

       Note: if you use --ipc=host, using these sysctls will not be
       allowed.

       Network Namespace - current sysctls allowed:
         Sysctls beginning with net.*

       Note: if you use --network=host, using these sysctls will not be
       allowed.

   -t, --tty=true|false
       Allocate a pseudo-TTY. The default is false.

   --tmpfs=[]
       Create a tmpfs mount.

       Mount a temporary filesystem (tmpfs) into a container, for
       example:

         $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image

       This command mounts a tmpfs at /tmp within the container. The
       supported mount options are the same as the Linux default mount
       flags. If you do not specify any options, the system uses the
       following options: rw,noexec,nosuid,nodev,size=65536k.

   -u, --user=""
       Sets the username or UID used and optionally the groupname or GID
       for the specified command.

       The following examples are all valid:
         --user [user | user:group | uid | uid:gid | user:gid | uid:group ]

       Without this option, the command runs as root inside the container
       by default.


   --ulimit=[]
       Ulimit options.

   --uts=host
       Set the UTS mode for the container.
         host: use the host's UTS namespace inside the container. Note:
         the host mode gives the container the ability to change the
         host's hostname and is therefore considered insecure.

   -v|--volume[=[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]
       Create a bind mount. If you specify -v /HOST-DIR:/CONTAINER-DIR,
       Docker bind mounts /HOST-DIR on the host to /CONTAINER-DIR in the
       container. If HOST-DIR is omitted, Docker automatically creates a
       new volume on the host. The OPTIONS are a comma-delimited list and
       can be:

         · [rw|ro]

         · [z|Z]

         · [[r]shared|[r]slave|[r]private]

       The CONTAINER-DIR must be an absolute path such as /src/docs. The
       HOST-DIR can be an absolute path or a name value. A name value
       must start with an alphanumeric character, followed by a-z0-9, _
       (underscore), . (period) or - (hyphen). An absolute path starts
       with a / (forward slash).

       If you supply a HOST-DIR that is an absolute path, Docker
       bind-mounts the path you specify. If you supply a name, Docker
       creates a named volume by that name. For example, you can specify
       either /foo or foo for a HOST-DIR value. If you supply the /foo
       value, Docker creates a bind mount. If you supply the foo
       specification, Docker creates a named volume.

       You can specify multiple -v options to mount one or more mounts
       into a container. To use these same mounts in other containers,
       specify the --volumes-from option also.

       You can add a :ro or :rw suffix to a volume to mount it read-only
       or read-write, respectively. By default, volumes are mounted
       read-write.

       Labeling systems like SELinux require that proper labels are
       placed on volume content mounted into a container. Without a
       label, the security system might prevent the processes running
       inside the container from using the content. By default, Docker
       does not change the labels set by the OS.

       To change a label in the container context, you can add either of
       two suffixes, :z or :Z, to the volume mount. These suffixes tell
       Docker to relabel file objects on the shared volumes. The z option
       tells Docker that two containers share the volume content. As a
       result, Docker labels the content with a shared content label.
       Shared volume labels allow all containers to read/write content.
       The Z option tells Docker to label the content with a private
       unshared label. Only the current container can use a private
       volume.

       By default, bind-mounted volumes are private. That means any
       mounts done inside the container will not be visible on the host
       and vice versa. You can change this behavior by specifying a
       volume mount propagation property. Making a volume shared means
       mounts done under that volume inside the container will be visible
       on the host and vice versa. Making a volume slave enables only
       one-way mount propagation: mounts done on the host under that
       volume will be visible inside the container, but not the other way
       around.

       To control the mount propagation property of a volume, use the
       :[r]shared, :[r]slave or :[r]private propagation flag. The
       propagation property can be specified only for bind-mounted
       volumes and not for internal volumes or named volumes. For mount
       propagation to work, the source mount point (the mount point where
       the source directory is mounted) has to have the right propagation
       properties. For shared volumes, the source mount point has to be
       shared. For slave volumes, the source mount has to be either
       shared or slave.

       Use df <source-dir> to find the source mount and then use findmnt
       -o TARGET,PROPAGATION <source-mount-dir> to find the propagation
       properties of the source mount. If the findmnt utility is not
       available, look at the mount entry for the source mount point in
       /proc/self/mountinfo. Look at the optional fields and see whether
       any propagation properties are specified: shared:X means the mount
       is shared, master:X means the mount is slave, and if nothing is
       there the mount is private.

       To change the propagation properties of a mount point, use the
       mount command. For example, if you want to bind mount the source
       directory /foo, you can do mount --bind /foo /foo and mount
       --make-private --make-shared /foo. This converts /foo into a
       shared mount point. Alternatively, you can directly change the
       propagation properties of the source mount. Say / is the source
       mount for /foo; then use mount --make-shared / to convert / into a
       shared mount.
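The df/findmnt/mountinfo check described above, done by hand, as an added example that is not Docker's own code. It parses /proc/self/mountinfo lines (format per proc(5)), finds the mount backing a source directory, reads the shared:N / master:N optional fields, and applies the rule that :shared needs a shared source mount while :slave needs a shared or slave one, which tells you whether the mount --make-shared step is needed. SAMPLE_MOUNTINFO is constructed for the example; pass the real file's contents to check a live host.

```python
"""Read mount propagation from /proc/self/mountinfo and decide whether a
-v ...:shared / :slave request can work for a given host directory.

Added example, not Docker's own code. Optional fields per proc(5):
shared:N means shared, master:N (without shared:N) means slave,
unbindable, and nothing means private. SAMPLE_MOUNTINFO is constructed.
"""
from typing import Dict, List, Optional

# Constructed sample in /proc/self/mountinfo format:
# id parent major:minor root mount-point options [optional...] - fstype source super-opts
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 8:2 / /srv rw,relatime - ext4 /dev/sda2 rw
61 22 0:35 / /mnt/nfs rw,relatime master:5 - nfs4 server:/export rw
77 22 8:3 / /mnt/data\\040old rw,relatime shared:7 master:2 - xfs /dev/sda3 rw
"""


def parse_mountinfo(text: str) -> List[Dict[str, object]]:
    """One dict per mount: mount_point, fstype, propagation, group ids."""
    mounts: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, sep, tail = line.partition(" - ")
        if not sep:
            raise ValueError(f"no ' - ' separator in mountinfo line: {line!r}")
        fields = head.split()
        if len(fields) < 6:
            raise ValueError(f"short mountinfo line: {line!r}")
        # mountinfo escapes space and tab in paths as octal \040 and \011
        mount_point = fields[4].replace("\\040", " ").replace("\\011", "\t")
        tags = {}
        for item in fields[6:]:                # the optional fields
            key, _, value = item.partition(":")
            tags[key] = value
        if "shared" in tags:
            propagation = "shared"             # may also carry master:N
        elif "master" in tags:
            propagation = "slave"
        elif "unbindable" in tags:
            propagation = "unbindable"
        else:
            propagation = "private"            # no optional fields at all
        mounts.append({"mount_point": mount_point, "fstype": tail.split()[0],
                       "propagation": propagation,
                       "peer_group": tags.get("shared"),
                       "master_group": tags.get("master")})
    return mounts


def source_mount_for(path: str, mounts: List[Dict[str, object]]) -> Dict[str, object]:
    """The deepest mount whose mount point contains path (what df reports)."""
    best: Optional[Dict[str, object]] = None
    for mount in mounts:
        point = str(mount["mount_point"])
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) > len(str(best["mount_point"])):
                best = mount
    if best is None:
        raise ValueError(f"no mount contains {path!r}")
    return best


def volume_propagation_allowed(path: str, requested: str,
                               mounts: List[Dict[str, object]]) -> bool:
    """Can `-v path:/dir:<requested>` work, given the source mount's propagation?"""
    mode = requested[1:] if requested.startswith("r") else requested   # rshared -> shared
    if mode not in ("shared", "slave", "private"):
        raise ValueError(f"unknown propagation flag {requested!r}")
    source = str(source_mount_for(path, mounts)["propagation"])
    if mode == "shared":
        return source == "shared"
    if mode == "slave":
        return source in ("shared", "slave")
    return True                                 # private always works
```

On a real host, read the file with open("/proc/self/mountinfo").read() and call volume_propagation_allowed(source_dir, "rshared", mounts); a False result means the source mount still needs the mount --make-shared treatment above (or the daemon's MountFlags is in the way, see the note below).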

       Note: When using systemd to manage the Docker daemon's start and
       stop, the systemd unit file has an option to control mount
       propagation for the Docker daemon itself, called MountFlags. The
       value of this setting may cause Docker not to see mount
       propagation changes made on the mount point. For example, if this
       value is slave, you may not be able to use the shared or rshared
       propagation on a volume.

       To disable automatic copying of data from the container path to
       the volume, use the nocopy flag. The nocopy flag can be set on
       bind mounts and named volumes.
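The settings this page marks as privilege-granting or insecure (--privileged, the host modes of --pid, --ipc, --network, --uts and --userns, --cap-add without --cap-drop, --security-opt values that relax confinement, the absence of -u, --read-only, --pids-limit and -m, and read-write bind mounts) checked on a created container before it is started, as an added example that is not part of Docker. It reads the JSON that docker inspect prints; the field names are docker inspect's, while the severity labels, the wording and the two sample records are this example's own. The Docker socket check goes slightly beyond the page: a bind mount of /var/run/docker.sock gives the container control of the daemon, which is why it is rated HIGH.

```python
"""Audit a created container's settings before `docker start`, from the
JSON that `docker inspect <container>` prints.

Added example, not part of Docker. Field names (HostConfig.Privileged,
HostConfig.PidMode, HostConfig.CapAdd, HostConfig.SecurityOpt,
HostConfig.Binds, Config.User, ...) are docker inspect's; severity
labels, wording and the two sample records are this example's own.
"""
import json
import sys
from typing import Any, Dict, List

# Capabilities that by themselves open a route to the host or to other
# processes (mounts, ptrace, module loading, raw networking, DAC bypass).
_DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                   "NET_ADMIN", "DAC_READ_SEARCH"}


def _norm_cap(name: str) -> str:
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def _is_root_user(user: str) -> bool:
    """Config.User is '', 'root', '0', 'user:group' or 'uid:gid'."""
    return user.split(":")[0] in ("", "0", "root")


def audit_container(record: Dict[str, Any]) -> List[str]:
    hc = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    found: List[str] = []
    if hc.get("Privileged"):
        found.append("HIGH: --privileged grants all capabilities and all host devices")
    for flag, key in (("--pid", "PidMode"), ("--ipc", "IpcMode"), ("--network", "NetworkMode"),
                      ("--uts", "UTSMode"), ("--userns", "UsernsMode")):
        if hc.get(key) == "host":
            found.append(f"HIGH: {flag}=host shares that host namespace with the container")
    for cap in sorted({_norm_cap(c) for c in (hc.get("CapAdd") or [])}):
        found.append(f"{'HIGH' if cap in _DANGEROUS_CAPS else 'INFO'}: --cap-add={cap}")
    if "ALL" not in {_norm_cap(c) for c in (hc.get("CapDrop") or [])}:
        found.append("MEDIUM: default capability set kept (no --cap-drop=ALL)")
    opts = {o.replace("=", ":") for o in (hc.get("SecurityOpt") or [])}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        found.append("MEDIUM: --security-opt no-new-privileges not set")
    if "seccomp:unconfined" in opts:
        found.append("HIGH: --security-opt seccomp:unconfined disables syscall filtering")
    if "label:disable" in opts:
        found.append("HIGH: --security-opt label:disable turns off label confinement")
    if _is_root_user(cfg.get("User") or ""):
        found.append("MEDIUM: runs as root inside the container (no -u/--user)")
    if not hc.get("ReadonlyRootfs"):
        found.append("LOW: root filesystem is writable (no --read-only)")
    for bind in hc.get("Binds") or []:
        parts = bind.split(":")
        src, mount_opts = parts[0], (parts[2].split(",") if len(parts) > 2 else [])
        if src in ("/var/run/docker.sock", "/run/docker.sock"):
            found.append(f"HIGH: bind mount of {src} hands the container control of the daemon")
        elif src.startswith("/") and "ro" not in mount_opts:
            found.append(f"MEDIUM: host path {src} mounted read-write (the default); add :ro if writes are not needed")
    if not hc.get("PidsLimit") or hc.get("PidsLimit") == -1:
        found.append("LOW: no --pids-limit (a fork bomb can exhaust host PIDs)")
    if not hc.get("Memory"):
        found.append("LOW: no -m/--memory limit")
    return found


def audit_inspect_output(text: str) -> Dict[str, List[str]]:
    """Container name -> findings, for the list docker inspect prints."""
    records = json.loads(text)
    records = [records] if isinstance(records, dict) else records
    return {str(r.get("Name") or r.get("Id") or "?").lstrip("/"): audit_container(r)
            for r in records}


# Constructed records in docker inspect's shape (only the fields used here).
RISKY = {"Name": "/risky", "Config": {"Image": "fedora", "User": ""}, "HostConfig": {
    "Privileged": True, "PidMode": "host", "IpcMode": "", "NetworkMode": "bridge",
    "UTSMode": "", "UsernsMode": "", "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
    "SecurityOpt": ["seccomp:unconfined"], "ReadonlyRootfs": False, "PidsLimit": None,
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/data:/data"], "Memory": 0}}
HARDENED = {"Name": "/hardened", "Config": {"Image": "fedora", "User": "1000:1000"}, "HostConfig": {
    "Privileged": False, "PidMode": "", "IpcMode": "private", "NetworkMode": "bridge",
    "UTSMode": "", "UsernsMode": "", "CapAdd": None, "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges"], "ReadonlyRootfs": True, "PidsLimit": 100,
    "Binds": ["/srv/data:/data:ro"], "Memory": 268435456}}
SAMPLE_INSPECT_JSON = json.dumps([RISKY, HARDENED])

if __name__ == "__main__":   # usage: docker inspect <container> | python3 audit.py
    for name, findings in audit_inspect_output(sys.stdin.read()).items():
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

The RISKY record corresponds to docker create --privileged --pid=host --cap-add=SYS_ADMIN --security-opt seccomp:unconfined -v /var/run/docker.sock:/var/run/docker.sock -v /srv/data:/data and yields twelve findings; HARDENED corresponds to --cap-drop=ALL --security-opt no-new-privileges -u 1000:1000 --read-only --pids-limit 100 -m 256m -v /srv/data:/data:ro and yields none.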

   --volume-driver=""
       Container's volume driver. This driver creates volumes specified
       either from a Dockerfile's VOLUME instruction or from the docker
       run -v flag. See docker-volume-create(1) for full details.

   --volumes-from=[]
       Mount volumes from the specified container(s).

   -w, --workdir=""
       Working directory inside the container.

SPECIFY ISOLATION TECHNOLOGY FOR CONTAINER (--isolation)
   This option is useful in situations where you are running Docker
   containers on Windows. The --isolation=<value> option sets a
   container's isolation technology. On Linux, the only supported value
   is default, which uses Linux namespaces. On Microsoft Windows, you can
   specify these values:

     · default: Use the value specified by the Docker daemon's
       --exec-opt. If the daemon does not specify an isolation
       technology, Microsoft Windows uses process as its default value.

     · process: Namespace isolation only.

     · hyperv: Hyper-V hypervisor partition-based isolation.

   Specifying the --isolation flag without a value is the same as setting
   --isolation="default".

HISTORY
   August 2014, updated by Sven Dowideit ⟨SvenDowideit@home.org.au⟩
   September 2014, updated by Sven Dowideit ⟨SvenDowideit@home.org.au⟩
   November 2014, updated by Sven Dowideit ⟨SvenDowideit@home.org.au⟩

Docker Community                 Docker User Manuals                 DOCKER(1)