1DOCKER(1)(Docker) DOCKER(1)(Docker)
2
3
4
5Docker Community JUNE 2014
6
7
9 docker-run - Run a command in a new container
10
11
12
14 docker run [-a|--attach[=[]]] [--add-host[=[]]]
15 [--blkio-weight[=[BLKIO-WEIGHT]]] [--blkio-weight-device[=[]]]
16 [--cpu-shares[=0]] [--cap-add[=[]]] [--cap-drop[=[]]] [--cgroup-par‐
17 ent[=CGROUP-PATH]] [--cidfile[=CIDFILE]] [--cpu-count[=0]] [--cpu-per‐
18 cent[=0]] [--cpu-period[=0]] [--cpu-quota[=0]] [--cpu-rt-period[=0]]
19 [--cpu-rt-runtime[=0]] [--cpus[=0.0]] [--cpuset-cpus[=CPUSET-CPUS]]
20 [--cpuset-mems[=CPUSET-MEMS]] [-d|--detach] [--detach-keys[=[]]]
21 [--device[=[]]] [--device-cgroup-rule[=[]]] [--device-read-bps[=[]]]
22 [--device-read-iops[=[]]] [--device-write-bps[=[]]]
23 [--device-write-iops[=[]]] [--dns[=[]]] [--dns-option[=[]]]
24 [--dns-search[=[]]] [--domainname[=DOMAINNAME]] [-e|--env[=[]]]
25 [--entrypoint[=ENTRYPOINT]] [--env-file[=[]]] [--expose[=[]]]
26 [--group-add[=[]]] [-h|--hostname[=HOSTNAME]] [--help] [--init]
27 [-i|--interactive] [--ip[=IPv4-ADDRESS]] [--ip6[=IPv6-ADDRESS]]
28 [--ipc[=IPC]] [--isolation[=default]] [--kernel-memory[=KERNEL-MEMORY]]
29 [-l|--label[=[]]] [--label-file[=[]]] [--link[=[]]]
30 [--link-local-ip[=[]]] [--log-driver[=[]]] [--log-opt[=[]]] [-m|--mem‐
31 ory[=MEMORY]] [--mac-address[=MAC-ADDRESS]] [--memory-reservation[=MEM‐
32 ORY-RESERVATION]] [--memory-swap[=LIMIT]] [--memory-swappiness[=MEM‐
33 ORY-SWAPPINESS]] [--mount[=[MOUNT]]] [--name[=NAME]] [--net‐
34 work-alias[=[]]] [--network[="bridge"]] [--oom-kill-disable]
35 [--oom-score-adj[=0]] [-P|--publish-all] [-p|--publish[=[]]]
36 [--pid[=[PID]]] [--userns[=[]]] [--pids-limit[=PIDS_LIMIT]] [--privi‐
37 leged] [--read-only] [--restart[=RESTART]] [--rm] [--security-opt[=[]]]
38 [--storage-opt[=[]]] [--stop-signal[=SIGNAL]] [--stop-timeout[=TIME‐
39 OUT]] [--shm-size[=[]]] [--sig-proxy[=true]] [--sysctl[=[]]] [-t|--tty]
40 [--tmpfs[=[CONTAINER-DIR[:OPTIONS]]] [-u|--user[=USER]] [--ulimit[=[]]]
41 [--uts[=[]]] [-v|--volume[=[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]]
42 [--volume-driver[=DRIVER]] [--volumes-from[=[]]]
43 [-w|--workdir[=WORKDIR]] IMAGE [COMMAND] [ARG...]
44
45
46
48 Run a process in a new container. docker run starts a process with its
49 own file system, its own networking, and its own isolated process tree.
50 The IMAGE which starts the process may define defaults related to the
51 process that will be run in the container, the networking to expose,
52 and more, but docker run gives final control to the operator or admin‐
53 istrator who starts the container from the image. For that reason
54 docker run has more options than any other Docker command.
55
56
57 If the IMAGE is not already loaded then docker run will pull the IMAGE,
58 and all image dependencies, from the repository in the same way running
59 docker pull IMAGE, before it starts the container from that image.
60
61
62
64 -a, --attach=[]
65 Attach to STDIN, STDOUT or STDERR.
66
67
68 In foreground mode (the default when -d is not specified), docker run
69 can start the process in the container and attach the console to the
70 process's standard input, output, and standard error. It can even pre‐
71 tend to be a TTY (this is what most commandline executables expect) and
72 pass along signals. The -a option can be set for each of stdin, stdout,
73 and stderr.
74
75
76 --add-host=[]
77 Add a custom host-to-IP mapping (host:ip)
78
79
80 Add a line to /etc/hosts. The format is hostname:ip. The --add-host
81 option can be set multiple times.
82
83
84 --blkio-weight=0
85 Block IO weight (relative weight) accepts a weight value between 10
86 and 1000.
87
88
89 --blkio-weight-device=[]
90 Block IO weight (relative device weight, format:
91 DEVICE_NAME:WEIGHT).
92
93
94 --cpu-shares=0
95 CPU shares (relative weight)
96
97
98 By default, all containers get the same proportion of CPU cycles. This
99 proportion can be modified by changing the container's CPU share
100 weighting relative to the weighting of all other running containers.
101
102
103 To modify the proportion from the default of 1024, use the --cpu-shares
104 flag to set the weighting to 2 or higher.
105
106
107 The proportion will only apply when CPU-intensive processes are run‐
108 ning. When tasks in one container are idle, other containers can use
109 the left-over CPU time. The actual amount of CPU time will vary depend‐
110 ing on the number of containers running on the system.
111
112
113 For example, consider three containers, one has a cpu-share of 1024 and
114 two others have a cpu-share setting of 512. When processes in all three
115 containers attempt to use 100% of CPU, the first container would
116 receive 50% of the total CPU time. If you add a fourth container with a
117 cpu-share of 1024, the first container only gets 33% of the CPU. The
118 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
119
120
121 On a multi-core system, the shares of CPU time are distributed over all
122 CPU cores. Even if a container is limited to less than 100% of CPU
123 time, it can use 100% of each individual CPU core.
124
125
126 For example, consider a system with more than three cores. If you start
127 one container {C0} with -c=512 running one process, and another con‐
128 tainer {C1} with -c=1024 running two processes, this can result in the
129 following division of CPU shares:
130
131
132 PID container CPU CPU share
133 100 {C0} 0 100% of CPU0
134 101 {C1} 1 100% of CPU1
135 102 {C1} 2 100% of CPU2
136
137
138
139 --cap-add=[]
140 Add Linux capabilities
141
142
143 --cap-drop=[]
144 Drop Linux capabilities
145
146
147 --cgroup-parent=""
148 Path to cgroups under which the cgroup for the container will be
149 created. If the path is not absolute, the path is considered to be rel‐
150 ative to the cgroups path of the init process. Cgroups will be created
151 if they do not already exist.
152
153
154 --cidfile=""
155 Write the container ID to the file
156
157
158 --cpu-count=0
159 Limit the number of CPUs available for execution by the container.
160
161
162 On Windows Server containers, this is approximated as a percentage of total CPU usage.
163
164 On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last.
165
166
167
168 --cpu-percent=0
169 Limit the percentage of CPU available for execution by a container
170 running on a Windows daemon.
171
172
173 On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last.
174
175
176
177 --cpu-period=0
178 Limit the CPU CFS (Completely Fair Scheduler) period
179
180
181 Limit the container's CPU usage. This flag tell the kernel to restrict
182 the container's CPU usage to the period you specify.
183
184
185 --cpuset-cpus=""
186 CPUs in which to allow execution (0-3, 0,1)
187
188
189 --cpuset-mems=""
190 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only
191 effective on NUMA systems.
192
193
194 If you have four memory nodes on your system (0-3), use
195 --cpuset-mems=0,1 then processes in your Docker container will only use
196 memory from the first two memory nodes.
197
198
199 --cpu-quota=0
200 Limit the CPU CFS (Completely Fair Scheduler) quota
201
202
203 Limit the container's CPU usage. By default, containers run with the
204 full CPU resource. This flag tell the kernel to restrict the con‐
205 tainer's CPU usage to the quota you specify.
206
207
208 --cpu-rt-period=0
209 Limit the CPU real-time period in microseconds
210
211
212 Limit the container's Real Time CPU usage. This flag tell the kernel to
213 restrict the container's Real Time CPU usage to the period you specify.
214
215
216 --cpu-rt-runtime=0
217 Limit the CPU real-time runtime in microseconds
218
219
220 Limit the containers Real Time CPU usage. This flag tells the kernel to
221 limit the amount of time in a given CPU period Real Time tasks may con‐
222 sume. Ex:
223 Period of 1,000,000us and Runtime of 950,000us means that this con‐
224 tainer could consume 95% of available CPU and leave the remaining 5% to
225 normal priority tasks.
226
227
228 The sum of all runtimes across containers cannot exceed the amount
229 allotted to the parent cgroup.
230
231
232 --cpus=0.0
233 Number of CPUs. The default is 0.0 which means no limit.
234
235
236 -d, --detach=true|false
237 Detached mode: run the container in the background and print the new
238 container ID. The default is false.
239
240
241 At any time you can run docker ps in the other shell to view a list of
242 the running containers. You can reattach to a detached container with
243 docker attach.
244
245
246 When attached in the tty mode, you can detach from the container (and
247 leave it running) using a configurable key sequence. The default
248 sequence is CTRL-p CTRL-q. You configure the key sequence using the
249 --detach-keys option or a configuration file. See config-json(5) for
250 documentation on using a configuration file.
251
252
253 --detach-keys=key
254 Override the key sequence for detaching a container; key is a single
255 character from the [a-Z] range, or ctrl-value, where value is one of:
256 a-z, @, ^, [, ,, or _.
257
258
259 --device=onhost:incontainer[:mode]
260 Add a host device onhost to the container under the incontainer
261 name. Optional mode parameter can be used to specify device permis‐
262 sions, it is a combination of r (for read), w (for write), and m (for
263 mknod(2)).
264
265
266 For example, --device=/dev/sdc:/dev/xvdc:rwm will give a container all
267 permissions for the host device /dev/sdc, seen as /dev/xvdc inside the
268 container.
269
270
271 --device-cgroup-rule="type major:minor mode"
272 Add a rule to the cgroup allowed devices list. The rule is expected
273 to be in the format specified in the Linux kernel documentation (Docu‐
274 mentation/cgroup-v1/devices.txt):
275 - type: a (all), c (char), or b (block);
276 - major and minor: either a number, or * for all;
277 - mode: a composition of r (read), w (write), and m (mknod(2)).
278
279
280 Example: --device-cgroup-rule "c 1:3 mr": allow for a character device
281 idendified by 1:3 to be created and read.
282
283
284 --device-read-bps=[]
285 Limit read rate from a device (e.g. --device-read-bps=/dev/sda:1mb)
286
287
288 --device-read-iops=[]
289 Limit read rate from a device (e.g.
290 --device-read-iops=/dev/sda:1000)
291
292
293 --device-write-bps=[]
294 Limit write rate to a device (e.g. --device-write-bps=/dev/sda:1mb)
295
296
297 --device-write-iops=[]
298 Limit write rate to a device (e.g.
299 --device-write-iops=/dev/sda:1000)
300
301
302 --dns-search=[]
303 Set custom DNS search domains (Use --dns-search=. if you don't wish
304 to set the search domain)
305
306
307 --dns-option=[]
308 Set custom DNS options
309
310
311 --dns=[]
312 Set custom DNS servers
313
314
315 This option can be used to override the DNS configuration passed to the
316 container. Typically this is necessary when the host DNS configuration
317 is invalid for the container (e.g., 127.0.0.1). When this is the case
318 the --dns flags is necessary for every run.
319
320
321 --domainname=""
322 Container NIS domain name
323
324
325 Sets the container's NIS domain name (see also setdomainname(2)) that
326 is
327 available inside the container.
328
329
330 -e, --env=[]
331 Set environment variables
332
333
334 This option allows you to specify arbitrary environment variables that
335 are available for the process that will be launched inside of the con‐
336 tainer.
337
338
339 --entrypoint=""
340 Overwrite the default ENTRYPOINT of the image
341
342
343 This option allows you to overwrite the default entrypoint of the image
344 that is set in the Dockerfile. The ENTRYPOINT of an image is similar to
345 a COMMAND because it specifies what executable to run when the con‐
346 tainer starts, but it is (purposely) more difficult to override. The
347 ENTRYPOINT gives a container its default nature or behavior, so that
348 when you set an ENTRYPOINT you can run the container as if it were that
349 binary, complete with default options, and you can pass in more options
350 via the COMMAND. But, sometimes an operator may want to run something
351 else inside the container, so you can override the default ENTRYPOINT
352 at runtime by using a --entrypoint and a string to specify the new
353 ENTRYPOINT.
354
355
356 --env-file=[]
357 Read in a line delimited file of environment variables
358
359
360 --expose=[]
361 Expose a port, or a range of ports (e.g. --expose=3300-3310) informs
362 Docker that the container listens on the specified network ports at
363 runtime. Docker uses this information to interconnect containers using
364 links and to set up port redirection on the host system.
365
366
367 --group-add=[]
368 Add additional groups to run as
369
370
371 -h, --hostname=""
372 Container host name
373
374
375 Sets the container host name that is available inside the container.
376
377
378 --help
379 Print usage statement
380
381
382 --init
383 Run an init inside the container that forwards signals and reaps
384 processes
385
386
387 -i, --interactive=true|false
388 Keep STDIN open even if not attached. The default is false.
389
390
391 When set to true, keep stdin open even if not attached.
392
393
394 --ip=""
395 Sets the container's interface IPv4 address (e.g., 172.23.0.9)
396
397
398 It can only be used in conjunction with --network for user-defined net‐
399 works
400
401
402 --ip6=""
403 Sets the container's interface IPv6 address (e.g., 2001:db8::1b99)
404
405
406 It can only be used in conjunction with --network for user-defined net‐
407 works
408
409
410 --ipc=""
411 Sets the IPC mode for the container. The following values are
412 accepted:
413
414
415 ┌─────────────────────┬────────────────────────────┐
416 │Value │ Description │
417 ├─────────────────────┼────────────────────────────┤
418 │(empty) │ Use daemon's default. │
419 ├─────────────────────┼────────────────────────────┤
420 │none │ Own private IPC namespace, │
421 │ │ with /dev/shm not mounted. │
422 ├─────────────────────┼────────────────────────────┤
423 │private │ Own private IPC namespace. │
424 ├─────────────────────┼────────────────────────────┤
425 │shareable │ Own private IPC namespace, │
426 │ │ with a possibility to │
427 │ │ share it with other con‐ │
428 │ │ tainers. │
429 ├─────────────────────┼────────────────────────────┤
430 │container:name-or-ID │ Join another ("shareable") │
431 │ │ container's IPC namespace. │
432 ├─────────────────────┼────────────────────────────┤
433 │host │ Use the host system's IPC │
434 │ │ namespace. │
435 └─────────────────────┴────────────────────────────┘
436
437 If not specified, daemon default is used, which can either be private
438 or shareable, depending on the daemon version and configuration.
439
440
441 --isolation="default"
442 Isolation specifies the type of isolation technology used by con‐
443 tainers. Note that the default on Windows server is process, and the
444 default on Windows client is hyperv. Linux only supports default.
445
446
447 -l, --label key=value
448 Set metadata on the container (for example, --label com.exam‐
449 ple.key=value).
450
451
452 --kernel-memory=number[S]
453 Kernel memory limit; S is an optional suffix which can be one of b,
454 k, m, or g.
455
456
457 Constrains the kernel memory available to a container. If a limit of 0
458 is specified (not using --kernel-memory), the container's kernel memory
459 is not limited. If you specify a limit, it may be rounded up to a mul‐
460 tiple of the operating system's page size and the value can be very
461 large, millions of trillions.
462
463
464 --label-file=[]
465 Read in a line delimited file of labels
466
467
468 --link=name-or-id[:alias]
469 Add link to another container.
470
471
472 If the operator uses --link when starting the new client container,
473 then the client container can access the exposed port via a private
474 networking interface. Docker will set some environment variables in the
475 client container to help indicate which interface and port to use.
476
477
478 --link-local-ip=[]
479 Add one or more link-local IPv4/IPv6 addresses to the container's
480 interface
481
482
483 --log-driver="json-file|syslog|journald|gelf|flu‐
484 entd|awslogs|splunk|etwlogs|gcplogs|none"
485 Logging driver for the container. Default is defined by daemon
486 --log-driver flag.
487 Warning: the docker logs command works only for the json-file and
488 journald logging drivers.
489
490
491 --log-opt=[]
492 Logging driver specific options.
493
494
495 -m, --memory=number[*S]
496 Memory limit; S is an optional suffix which can be one of b, k, m,
497 or g.
498
499
500 Allows you to constrain the memory available to a container. If the
501 host supports swap memory, then the -m memory setting can be larger
502 than physical RAM. If a limit of 0 is specified (not using -m), the
503 container's memory is not limited. The actual limit may be rounded up
504 to a multiple of the operating system's page size (the value would be
505 very large, that's millions of trillions).
506
507
508 --memory-reservation=number[*S]
509 Memory soft limit; S is an optional suffix which can be one of b, k,
510 m, or g.
511
512
513 After setting memory reservation, when the system detects memory con‐
514 tention or low memory, containers are forced to restrict their consump‐
515 tion to their reservation. So you should always set the value below
516 --memory, otherwise the hard limit will take precedence. By default,
517 memory reservation will be the same as memory limit.
518
519
520 --memory-swap=number[S]
521 Combined memory plus swap limit; S is an optional suffix which can
522 be one of b, k, m, or g.
523
524
525 This option can only be used together with --memory. The argument
526 should always be larger than that of --memory. Default is double the
527 value of --memory. Set to -1 to enable unlimited swap.
528
529
530 --mac-address=""
531 Container MAC address (e.g., 92:d0:c6:0a:29:33)
532
533
534 Remember that the MAC address in an Ethernet network must be unique.
535 The IPv6 link-local address will be based on the device's MAC address
536 according to RFC4862.
537
538
539 --mount type=TYPE,TYPE-SPECIFIC-OPTION[,...]
540 Attach a filesystem mount to the container
541
542
543 Current supported mount TYPES are bind, volume, and tmpfs.
544
545
546 e.g.
547
548
549 type=bind,source=/path/on/host,destination=/path/in/container
550
551
552 type=volume,source=my-volume,destination=/path/in/container,vol‐
553 ume-label="color=red",volume-label="shape=round"
554
555
556 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
557
558
559 Common Options:
560
561
562 · src, source: mount source spec for bind and volume. Mandatory
563 for bind.
564
565 · dst, destination, target: mount destination spec.
566
567 · ro, readonly: true or false (default).
568
569
570
571 Note: setting readonly for a bind mount does not make its submounts
572 read-only on the current Linux implementation. See also bind-nonre‐
573 cursive.
574
575
576 Options specific to bind:
577
578
579 · bind-propagation: shared, slave, private, rshared, rslave, or
580 rprivate(default). See also mount(2).
581
582 · consistency: consistent(default), cached, or delegated. Cur‐
583 rently, only effective for Docker for Mac.
584
585 · bind-nonrecursive: true or false (default). If set to true,
586 submounts are not recursively bind-mounted. This option is
587 useful for readonly bind mount.
588
589
590
591 Options specific to volume:
592
593
594 · volume-driver: Name of the volume-driver plugin.
595
596 · volume-label: Custom metadata.
597
598 · volume-nocopy: true(default) or false. If set to false, the
599 Engine copies existing files and directories under the
600 mount-path into the volume, allowing the host to access them.
601
602 · volume-opt: specific to a given volume driver.
603
604
605
606 Options specific to tmpfs:
607
608
609 · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by
610 default in Linux.
611
612 · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or
613 0700.) Defaults to 1777 in Linux.
614
615
616
617 --name=""
618 Assign a name to the container
619
620
621 The operator can identify a container in three ways:
622
623
624 ┌──────────────────────┬────────────────────────────────────────────────────────────────────┐
625 │Identifier type │ Example value │
626 ├──────────────────────┼────────────────────────────────────────────────────────────────────┤
627 │UUID long identifier │ "f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778" │
628 ├──────────────────────┼────────────────────────────────────────────────────────────────────┤
629 │UUID short identifier │ "f78375b1c487" │
630 ├──────────────────────┼────────────────────────────────────────────────────────────────────┤
631 │Name │ "evil_ptolemy" │
632 └──────────────────────┴────────────────────────────────────────────────────────────────────┘
633
634 The UUID identifiers come from the Docker daemon, and if a name is not
635 assigned to the container with --name then the daemon will also gener‐
636 ate a random string name. The name is useful when defining links (see
637 --link) (or any other place you need to identify a container). This
638 works for both background and foreground Docker containers.
639
640
641 --network=type
642 Set the Network mode for the container. Supported values are:
643
644
645 ┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────┐
646 │Value │ Description │
647 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
648 │none │ No networking in the con‐ │
649 │ │ tainer. │
650 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
651 │bridge │ Connect the container to │
652 │ │ the default Docker bridge │
653 │ │ via veth interfaces. │
654 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
655 │host │ Use the host's network │
656 │ │ stack inside the con‐ │
657 │ │ tainer. │
658 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
659 │container:name │ │
660 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
661 │idnetwork-name │ │
662 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
663 │network-id.TE │ │
664 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
665 │ │ │
666 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
667 │ │ │
668 │Default is bridge. │ │
669 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
670 │ │ │
671 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
672 │ │ │
673 │--network-alias=[] │ │
674 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
675 │ Add network-scoped alias for the container │ │
676 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
677 │ │ │
678 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
679 │ │ │
680 │--oom-kill-disable=true|false │ │
681 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
682 │ Whether to disable OOM Killer for the container or not. │ │
683 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
684 │ │ │
685 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
686 │ │ │
687 │--oom-score-adj="" │ │
688 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
689 │ Tune the host's OOM preferences for containers (accepts -1000 to 1000) │ │
690 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
691 │ │ │
692 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
693 │ │ │
694 │-P, --publish-all=true|false │ │
695 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
696 │ Publish all exposed ports to random ports on the host interfaces. The default is false. │ │
697 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
698 │ │ │
699 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
700 │ │ │
701 │When set to true publish all exposed ports to the host interfaces. The │ │
702 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
703 │default is false. If the operator uses -P (or -p) then Docker will make the │ │
704 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
705 │exposed port accessible on the host and the ports will be available to any │ │
706 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
707 │client that can reach the host. When using -P, Docker will bind any exposed │ │
708 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
709 │port to a random port on the host within an ephemeral port range defined by │ │
710 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
711 │/proc/sys/net/ipv4/ip_local_port_range. To find the mapping between the host │ │
712 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
713 │ports and the exposed ports, use docker port(1). │ │
714 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
715 │ │ │
716 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
717 │ │ │
718 │-p, --publish ip:[hostPort]:containerPort | [hostPort:]containerPort │ │
719 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
720 │ Publish a container's port, or range of ports, to the host. │ │
721 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
722 │ │ │
723 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
724 │ │ │
725 │Both hostPort and containerPort can be specified as a range. │ │
726 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
727 │When specifying ranges for both, the number of ports in ranges should be equal. │ │
728 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
729 │ │ │
730 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
731 │ │ │
732 │Examples: -p 1234-1236:1222-1224, -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT. │ │
733 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
734 │ │ │
735 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
736 │ │ │
737 │Use docker port(1) to see the actual mapping, e.g. docker port CONTAINER $CONTAINERPORT. │ │
738 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
739 │ │ │
740 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
741 │ │ │
742 │--pid="" │ │
743 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
744 │ Set the PID mode for the container │ │
745 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
746 │ Default is to create a private PID namespace for the container │ │
747 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
748 │ 'container:': join another container's PID namespace │ │
749 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
750 │ 'host': use the host's PID namespace for the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure. │ │
751 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
752 │ │ │
753 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
754 │ │ │
755 │--userns="" │ │
756 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
757 │ Set the usernamespace mode for the container when userns-remap option is enabled. │ │
758 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
759 │ host: use the host usernamespace and enable all privileged options (e.g., pid=host or --privileged). │ │
760 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
761 │ │ │
762 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
763 │ │ │
764 │--pids-limit="" │ │
765 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
766 │ Tune the container's pids (process IDs) limit. Set to -1 to have unlimited pids for the container. │ │
767 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
768 │ │ │
769 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
770 │ │ │
771 │--uts=type │ │
772 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
773 │ Set the UTS mode for the container. The only possible type is host, meaning to │ │
774 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
775 │use the host's UTS namespace inside the container. │ │
776 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
777 │ Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure. │ │
778 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
779 │ │ │
780 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
781 │ │ │
782 │--privileged [true|false] │ │
783 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
784 │ Give extended privileges to this container. A "privileged" container is given access to all devices. │ │
785 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
786 │ │ │
787 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
788 │ │ │
789 │When the operator executes docker run --privileged, Docker will enable access │ │
790 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
791 │to all devices on the host as well as set some configuration in AppArmor to │ │
792 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
793 │allow the container nearly all the same access to the host as processes running │ │
794 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
795 │outside of a container on the host. │ │
796 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
797 │ │ │
798 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
799 │ │ │
800 │--read-only=true|false │ │
801 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
802 │ Mount the container's root filesystem as read only. │ │
803 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
804 │ │ │
805 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
806 │ │ │
807 │By default a container will have its root filesystem writable allowing processes │ │
808 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
809 │to write files anywhere. By specifying the --read-only flag the container will have │ │
810 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
811 │its root filesystem mounted as read only prohibiting any writes. │ │
812 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
813 │ │ │
814 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
815 │ │ │
816 │--restart policy │ │
817 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
818 │ Restart policy to apply when a container exits. Supported values are: │ │
819 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
820 │ │ │
821 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
822 │ │ │
823 │allbox; │ │
824 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
825 │l l │ │
826 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
827 │l l . │ │
828 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
829 │Policy │ Result │
830 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
831 │no │ Do not automatically │
832 │ │ restart the container when │
833 │ │ it exits. │
834 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
835 │on-failure[:max-retries] │ Restart only if the con‐ │
836 │ │ tainer exits with a │
837 │ │ non-zero exit status. │
838 │ │ Optionally, limit the num‐ │
839 │ │ ber of restart retries the │
840 │ │ Docker daemon attempts. │
841 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
842 │always │ Always restart the con‐ │
843 │ │ tainer regardless of the │
844 │ │ exit status. When you │
845 │ │ specify always, the Docker │
846 │ │ daemon will try to restart │
847 │ │ the container indefi‐ │
848 │ │ nitely. The container will │
849 │ │ also always start on dae‐ │
850 │ │ mon startup, regardless of │
851 │ │ the current state of the │
852 │ │ container. │
853 ├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────┤
854 │unless-stopped │ Always restart the con‐ │
855 │ │ tainer regardless of the │
856 │ │ exit status, but do not │
857 │ │ start it on daemon startup │
858 │ │ if the container has been │
859 │ │ put to a stopped state │
860 │ │ before. │
861 └──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────┘
862
863 Default is no.
864
865
866 --rm true|false
867 Automatically remove the container when it exits. The default is
868 false.
869 --rm flag can work together with -d, and auto-removal will be done
870 on daemon side. Note that it's incompatible with any restart policy
871 other than none.
872
873
874 --security-opt value[,...]
875 Security Options for the container. The following options can be
876 given:
877
878
879 "label=user:USER" : Set the label user for the container
880 "label=role:ROLE" : Set the label role for the container
881 "label=type:TYPE" : Set the label type for the container
882 "label=level:LEVEL" : Set the label level for the container
883 "label=disable" : Turn off label confinement for the container
884 "no-new-privileges" : Disable container processes from gaining additional privileges
885
886 "seccomp=unconfined" : Turn off seccomp confinement for the container
887 "seccomp=profile.json : White listed syscalls seccomp Json file to be used as a seccomp filter
888
889 "apparmor=unconfined" : Turn off apparmor confinement for the container
890 "apparmor=your-profile" : Set the apparmor confinement profile for the container
891
892
893
894 --storage-opt
895 Storage driver options per container
896
897
898 $ docker run -it --storage-opt size=120G fedora /bin/bash
899
900
901 This (size) will allow to set the container rootfs size to 120G at cre‐
902 ation time.
903 This option is only available for the devicemapper, btrfs, overlay2
904 and zfs graph drivers.
905 For the devicemapper, btrfs and zfs storage drivers, user cannot
906 pass a size less than the Default BaseFS Size.
907 For the overlay2 storage driver, the size option is only available
908 if the backing fs is xfs and mounted with the pquota mount option.
909 Under these conditions, user can pass any size less than the backing
910 fs size.
911
912
913 --stop-signal=SIGTERM
914 Signal to stop a container. Default is SIGTERM.
915
916
917 --stop-timeout=10
918 Timeout (in seconds) to stop a container. Default is 10.
919
920
921 --shm-size=""
922 Size of /dev/shm. The format is <number><unit>.
923 number must be greater than 0. Unit is optional and can be b
924 (bytes), k (kilobytes), m(megabytes), or g (gigabytes).
925 If you omit the unit, the system uses bytes. If you omit the size
926 entirely, the system uses 64m.
927
928
929 --sysctl=SYSCTL
930 Configure namespaced kernel parameters at runtime
931
932
933 IPC Namespace - current sysctls allowed:
934
935
936 kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall,
937 kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
938 Sysctls beginning with fs.mqueue.*
939
940
941 If you use the --ipc=host option these sysctls will not be allowed.
942
943
944 Network Namespace - current sysctls allowed:
945 Sysctls beginning with net.*
946
947
948 If you use the --network=host option these sysctls will not be allowed.
949
950
951 --sig-proxy=true|false
952 Proxy received signals to the process (non-TTY mode only). SIGCHLD,
953 SIGSTOP, and SIGKILL are not proxied. The default is true.
954
955
956 --memory-swappiness=""
957 Tune a container's memory swappiness behavior. Accepts an integer
958 between 0 and 100.
959
960
961 -t, --tty=true|false
962 Allocate a pseudo-TTY. The default is false.
963
964
965 When set to true Docker can allocate a pseudo-tty and attach to the
966 standard input of any container. This can be used, for example, to run
967 a throwaway interactive shell. The default is false.
968
969
970 The -t option is incompatible with a redirection of the docker client
971 standard input.
972
973
974 --tmpfs=[] Create a tmpfs mount
975
976
977 Mount a temporary filesystem (tmpfs) mount into a container, for exam‐
978 ple:
979
980
981 $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
982
983
984 This command mounts a tmpfs at /tmp within the container. The sup‐
985 ported mount options are the same as the Linux default mount flags. If
986 you do not specify any options, the systems uses the following options:
987 rw,noexec,nosuid,nodev,size=65536k.
988
989
990 See also --mount, which is the successor of --tmpfs and --volume.
991 Even though there is no plan to deprecate --tmpfs, usage of --mount
992 is recommended.
993
994
995 -u, --user=""
996 Sets the username or UID used and optionally the groupname or GID
997 for the specified command.
998
999
1000 The followings examples are all valid:
1001 --user [user | user:group | uid | uid:gid | user:gid | uid:group ]
1002
1003
1004 Without this argument the command will be run as root in the container.
1005
1006
1007 --ulimit=[]
1008 Ulimit options
1009
1010
1011 -v|--volume[=[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]]
1012 Create a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR,
1013 Docker
1014 bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the Docker
1015 container. If 'HOST-DIR' is omitted, Docker automatically creates
1016 the new
1017 volume on the host. The OPTIONS are a comma delimited list and can
1018 be:
1019
1020
1021 · [rw|ro]
1022
1023 · [z|Z]
1024
1025 · [[r]shared|[r]slave|[r]private]
1026
1027 · [delegated|cached|consistent]
1028
1029 · [nocopy]
1030
1031
1032
1033 The CONTAINER-DIR must be an absolute path such as /src/docs. The
1034 HOST-DIR can be an absolute path or a name value. A name value must
1035 start with an alphanumeric character, followed by a-z0-9, _ (under‐
1036 score), . (period) or - (hyphen). An absolute path starts with a /
1037 (forward slash).
1038
1039
1040 If you supply a HOST-DIR that is an absolute path, Docker bind-mounts
1041 to the path you specify. If you supply a name, Docker creates a named
1042 volume by that name. For example, you can specify either /foo or foo
1043 for a HOST-DIR value. If you supply the /foo value, Docker creates a
1044 bind mount. If you supply the foo specification, Docker creates a named
1045 volume.
1046
1047
1048 You can specify multiple -v options to mount one or more mounts to a
1049 container. To use these same mounts in other containers, specify the
1050 --volumes-from option also.
1051
1052
1053 You can supply additional options for each bind mount following an
1054 additional colon. A :ro or :rw suffix mounts a volume in read-only or
1055 read-write mode, respectively. By default, volumes are mounted in
1056 read-write mode. You can also specify the consistency requirement for
1057 the mount, either :consistent (the default), :cached, or :delegated.
1058 Multiple options are separated by commas, e.g. :ro,cached.
1059
1060
1061 Labeling systems like SELinux require that proper labels are placed on
1062 volume content mounted into a container. Without a label, the security
1063 system might prevent the processes running inside the container from
1064 using the content. By default, Docker does not change the labels set by
1065 the OS.
1066
1067
1068 To change a label in the container context, you can add either of two
1069 suffixes :z or :Z to the volume mount. These suffixes tell Docker to
1070 relabel file objects on the shared volumes. The z option tells Docker
1071 that two containers share the volume content. As a result, Docker
1072 labels the content with a shared content label. Shared volume labels
1073 allow all containers to read/write content. The Z option tells Docker
1074 to label the content with a private unshared label. Only the current
1075 container can use a private volume.
1076
1077
1078 By default bind mounted volumes are private. That means any mounts done
1079 inside container will not be visible on host and vice-a-versa. One can
1080 change this behavior by specifying a volume mount propagation property.
1081 Making a volume shared mounts done under that volume inside container
1082 will be visible on host and vice-a-versa. Making a volume slave enables
1083 only one way mount propagation and that is mounts done on host under
1084 that volume will be visible inside container but not the other way
1085 around.
1086
1087
1088 To control mount propagation property of volume one can use :[r]shared,
1089 :[r]slave or :[r]private propagation flag. Propagation property can be
1090 specified only for bind mounted volumes and not for internal volumes or
1091 named volumes. For mount propagation to work source mount point (mount
1092 point where source dir is mounted on) has to have right propagation
1093 properties. For shared volumes, source mount point has to be shared.
1094 And for slave volumes, source mount has to be either shared or slave.
1095
1096
1097 Use df <source-dir> to figure out the source mount and then use findmnt
1098 -o TARGET,PROPAGATION <source-mount-dir> to figure out propagation
1099 properties of source mount. If findmnt utility is not available, then
1100 one can look at mount entry for source mount point in
1101 /proc/self/mountinfo. Look at optional fields and see if any propaga‐
1102 tion properties are specified. shared:X means mount is shared, mas‐
1103 ter:X means mount is slave and if nothing is there that means mount is
1104 private.
1105
1106
1107 To change propagation properties of a mount point use mount command.
1108 For example, if one wants to bind mount source directory /foo one can
1109 do mount --bind /foo /foo and mount --make-private --make-shared /foo.
1110 This will convert /foo into a shared mount point. Alternatively one can
1111 directly change propagation properties of source mount. Say / is source
1112 mount for /foo, then use mount --make-shared / to convert / into a
1113 shared mount.
1114
1115
1116 Note: When using systemd to manage the Docker daemon's start and
1117 stop, in the systemd unit file there is an option to control
1118 mount propagation for the Docker daemon itself, called Mount‐
1119 Flags. The value of this setting may cause Docker to not see
1120 mount propagation changes made on the mount point. For example,
1121 if this value is slave, you may not be able to use the shared or
1122 rshared propagation on a volume.
1123
1124
1125
1126 To disable automatic copying of data from the container path to the
1127 volume, use the nocopy flag. The nocopy flag can be set on bind mounts
1128 and named volumes.
1129
1130
1131 See also --mount, which is the successor of --tmpfs and --volume. Even
1132 though there is no plan to deprecate --volume, usage of --mount is rec‐
1133 ommended.
1134
1135
1136 --volume-driver=""
1137 Container's volume driver. This driver creates volumes specified
1138 either from
1139 a Dockerfile's VOLUME instruction or from the docker run -v flag.
1140 See docker-volume-create(1) for full details.
1141
1142
1143 --volumes-from=[]
1144 Mount volumes from the specified container(s)
1145
1146
1147 Mounts already mounted volumes from a source container onto another
1148 container. You must supply the source's container-id. To share
1149 a volume, use the --volumes-from option when running
1150 the target container. You can share volumes even if the source con‐
1151 tainer
1152 is not running.
1153
1154
1155 By default, Docker mounts the volumes in the same mode (read-write or
1156 read-only) as it is mounted in the source container. Optionally, you
1157 can change this by suffixing the container-id with either the :ro or
1158 :rw keyword.
1159
1160
1161 If the location of the volume from the source container overlaps with
1162 data residing on a target container, then the volume hides
1163 that data on the target.
1164
1165
1166 -w, --workdir=""
1167 Working directory inside the container
1168
1169
1170 The default working directory for running binaries within a container
1171 is the root directory (/). The developer can set a different default
1172 with the Dockerfile WORKDIR instruction. The operator can override the
1173 working directory by using the -w option.
1174
1175
1176
1178 The exit code from docker run gives information about why the container
1179 failed to run or why it exited. When docker run exits with a non-zero
1180 code, the exit codes follow the chroot standard, see below:
1181
1182
1183 125 if the error is with Docker daemon itself
1184
1185
1186 $ docker run --foo busybox; echo $?
1187 # flag provided but not defined: --foo
1188 See 'docker run --help'.
1189 125
1190
1191
1192
1193 126 if the contained command cannot be invoked
1194
1195
1196 $ docker run busybox /etc; echo $?
1197 # exec: "/etc": permission denied
1198 docker: Error response from daemon: Contained command could not be invoked
1199 126
1200
1201
1202
1203 127 if the contained command cannot be found
1204
1205
1206 $ docker run busybox foo; echo $?
1207 # exec: "foo": executable file not found in $PATH
1208 docker: Error response from daemon: Contained command not found or does not exist
1209 127
1210
1211
1212
1213 Exit code of contained command otherwise
1214
1215
1216 $ docker run busybox /bin/sh -c 'exit 3'
1217 # 3
1218
1219
1220
1221
1224 During container image development, containers often need to write to
1225 the image content. Installing packages into /usr, for example. In
1226 production, applications seldom need to write to the image. Container
1227 applications write to volumes if they need to write to file systems at
1228 all. Applications can be made more secure by running them in read-only
1229 mode using the --read-only switch. This protects the containers image
1230 from modification. Read only containers may still need to write tempo‐
1231 rary data. The best way to handle this is to mount tmpfs directories
1232 on /run and /tmp.
1233
1234
1235 # docker run --read-only --tmpfs /run --tmpfs /tmp -i -t fedora /bin/bash
1236
1237
1238
1240 If you want messages that are logged in your container to show up in
1241 the host's syslog/journal then you should bind mount the /dev/log
1242 directory as follows.
1243
1244
1245 # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash
1246
1247
1248
1249 From inside the container you can test this by sending a message to the
1250 log.
1251
1252
1253 (bash)# logger "Hello from my container"
1254
1255
1256
1257 Then exit and check the journal.
1258
1259
1260 # exit
1261
1262 # journalctl -b | grep Hello
1263
1264
1265
1266 This should list the message sent to logger.
1267
1268
1270 If you do not specify -a then Docker will attach everything (stdin,std‐
1271 out,stderr) you'd like to connect instead, as in:
1272
1273
1274 # docker run -a stdin -a stdout -i -t fedora /bin/bash
1275
1276
1277
1279 Using shm_server.c available here:
1280 https://www.cs.cf.ac.uk/Dave/C/node27.html
1281
1282
1283 Testing --ipc=host mode:
1284
1285
1286 Host shows a shared memory segment with 7 pids attached, happens to be
1287 from httpd:
1288
1289
1290 $ sudo ipcs -m
1291
1292 ------ Shared Memory Segments --------
1293 key shmid owner perms bytes nattch status
1294 0x01128e25 0 root 600 1000 7
1295
1296
1297
1298 Now run a regular container, and it correctly does NOT see the shared
1299 memory segment from the host:
1300
1301
1302 $ docker run -it shm ipcs -m
1303
1304 ------ Shared Memory Segments --------
1305 key shmid owner perms bytes nattch status
1306
1307
1308
1309 Run a container with the new --ipc=host option, and it now sees the
1310 shared memory segment from the host httpd:
1311
1312
1313 $ docker run -it --ipc=host shm ipcs -m
1314
1315 ------ Shared Memory Segments --------
1316 key shmid owner perms bytes nattch status
1317 0x01128e25 0 root 600 1000 7
1318
1319
1320
1321 Testing --ipc=container:CONTAINERID mode:
1322
1323
1324 Start a container with a program to create a shared memory segment:
1325
1326
1327 $ docker run -it shm bash
1328 $ sudo shm/shm_server
1329 $ sudo ipcs -m
1330
1331 ------ Shared Memory Segments --------
1332 key shmid owner perms bytes nattch status
1333 0x0000162e 0 root 666 27 1
1334
1335
1336
1337 Create a 2nd container correctly shows no shared memory segment from
1338 1st container:
1339
1340
1341 $ docker run shm ipcs -m
1342
1343 ------ Shared Memory Segments --------
1344 key shmid owner perms bytes nattch status
1345
1346
1347
1348 Create a 3rd container using the new --ipc=container:CONTAINERID
1349 option, now it shows the shared memory segment from the first:
1350
1351
1352 $ docker run -it --ipc=container:ed735b2264ac shm ipcs -m
1353 $ sudo ipcs -m
1354
1355 ------ Shared Memory Segments --------
1356 key shmid owner perms bytes nattch status
1357 0x0000162e 0 root 666 27 1
1358
1359
1360
1362 Note: This section describes linking between containers on the
1363 default (bridge) network, also known as "legacy links". Using
1364 --link on user-defined networks uses the DNS-based discovery,
1365 which does not add entries to /etc/hosts, and does not set envi‐
1366 ronment variables for discovery.
1367
1368
1369
1370 The link feature allows multiple containers to communicate with each
1371 other. For example, a container whose Dockerfile has exposed port 80
1372 can be run and named as follows:
1373
1374
1375 # docker run --name=link-test -d -i -t fedora/httpd
1376
1377
1378
1379 A second container, in this case called linker, can communicate with
1380 the httpd container, named link-test, by running with the --link=:
1381
1382
1383 # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash
1384
1385
1386
1387 Now the container linker is linked to container link-test with the
1388 alias lt. Running the env command in the linker container shows envi‐
1389 ronment variables
1390 with the LT (alias) context (LT_)
1391
1392
1393 # env
1394 HOSTNAME=668231cb0978
1395 TERM=xterm
1396 LT_PORT_80_TCP=tcp://172.17.0.3:80
1397 LT_PORT_80_TCP_PORT=80
1398 LT_PORT_80_TCP_PROTO=tcp
1399 LT_PORT=tcp://172.17.0.3:80
1400 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
1401 PWD=/
1402 LT_NAME=/linker/lt
1403 SHLVL=1
1404 HOME=/
1405 LT_PORT_80_TCP_ADDR=172.17.0.3
1406 _=/usr/bin/env
1407
1408
1409
1410 When linking two containers Docker will use the exposed ports of the
1411 container to create a secure tunnel for the parent to access.
1412
1413
1414 If a container is connected to the default bridge network and linked
1415 with other containers, then the container's /etc/hosts file is updated
1416 with the linked container's name.
1417
1418
1419 Note Since Docker may live update the container's /etc/hosts
1420 file, there may be situations when processes inside the con‐
1421 tainer can end up reading an empty or incomplete /etc/hosts
1422 file. In most cases, retrying the read again should fix the
1423 problem.
1424
1425
1426
1428 The exposed port of an application can be mapped to a host port using
1429 the -p flag. For example, an httpd port 80 can be mapped to the host
1430 port 8080 using the following:
1431
1432
1433 # docker run -p 8080:80 -d -i -t fedora/httpd
1434
1435
1436
1438 Many applications require the sharing of persistent data across several
1439 containers. Docker allows you to create a Data Volume Container that
1440 other containers can mount from. For example, create a named container
1441 that contains directories /var/volume1 and /tmp/volume2. The image will
1442 need to contain these directories so a couple of RUN mkdir instructions
1443 might be required for you fedora-data image:
1444
1445
1446 # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true
1447 # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash
1448
1449
1450
1451 Multiple --volumes-from parameters will bring together multiple data
1452 volumes from multiple containers. And it's possible to mount the vol‐
1453 umes that came from the DATA container in yet another container via the
1454 fedora-container1 intermediary container, allowing to abstract the
1455 actual data source from users of that data:
1456
1457
1458 # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash
1459
1460
1461
1463 To mount a host directory as a container volume, specify the absolute
1464 path to the directory and the absolute path for the container directory
1465 separated by a colon:
1466
1467
1468 # docker run -v /var/db:/data1 -i -t fedora bash
1469
1470
1471
1472 When using SELinux, be aware that the host has no knowledge of con‐
1473 tainer SELinux policy. Therefore, in the above example, if SELinux pol‐
1474 icy is enforced, the /var/db directory is not writable to the con‐
1475 tainer. A "Permission Denied" message will occur and an avc: message in
1476 the host's syslog.
1477
1478
1479 To work around this, at time of writing this man page, the following
1480 command needs to be run in order for the proper SELinux policy type
1481 label to be attached to the host directory:
1482
1483
1484 # chcon -Rt svirt_sandbox_file_t /var/db
1485
1486
1487
1488 Now, writing to the /data1 volume in the container will be allowed and
1489 the changes will also be reflected on the host in /var/db.
1490
1491
1493 You can override the default labeling scheme for each container by
1494 specifying the --security-opt flag. For example, you can specify the
1495 MCS/MLS level, a requirement for MLS systems. Specifying the level in
1496 the following command allows you to share the same content between con‐
1497 tainers.
1498
1499
1500 # docker run --security-opt label=level:s0:c100,c200 -i -t fedora bash
1501
1502
1503
1504 An MLS example might be:
1505
1506
1507 # docker run --security-opt label=level:TopSecret -i -t rhel7 bash
1508
1509
1510
1511 To disable the security labeling for this container versus running with
1512 the --permissive flag, use the following command:
1513
1514
1515 # docker run --security-opt label=disable -i -t fedora bash
1516
1517
1518
1519 If you want a tighter security policy on the processes within a con‐
1520 tainer, you can specify an alternate type for the container. You could
1521 run a container that is only allowed to listen on Apache ports by exe‐
1522 cuting the following command:
1523
1524
1525 # docker run --security-opt label=type:svirt_apache_t -i -t centos bash
1526
1527
1528
1529 Note:
1530
1531
1532 You would have to write policy defining a svirt_apache_t type.
1533
1534
1536 If you want to set /dev/sda device weight to 200, you can specify the
1537 device weight by --blkio-weight-device flag. Use the following command:
1538
1539
1540 # docker run -it --blkio-weight-device "/dev/sda:200" ubuntu
1541
1542
1543
1545 This option is useful in situations where you are running Docker con‐
1546 tainers on Microsoft Windows. The --isolation <value> option sets a
1547 container's isolation technology. On Linux, the only supported is the
1548 default option which uses Linux namespaces. These two commands are
1549 equivalent on Linux:
1550
1551
1552 $ docker run -d busybox top
1553 $ docker run -d --isolation default busybox top
1554
1555
1556
1557 On Microsoft Windows, can take any of these values:
1558
1559
1560 · default: Use the value specified by the Docker daemon's
1561 --exec-opt . If the daemon does not specify an isolation tech‐
1562 nology, Microsoft Windows uses process as its default value.
1563
1564 · process: Namespace isolation only.
1565
1566 · hyperv: Hyper-V hypervisor partition-based isolation.
1567
1568
1569
1570 In practice, when running on Microsoft Windows without a daemon option
1571 set, these two commands are equivalent:
1572
1573
1574 $ docker run -d --isolation default busybox top
1575 $ docker run -d --isolation process busybox top
1576
1577
1578
1579 If you have set the --exec-opt isolation=hyperv option on the Docker
1580 daemon, any of these commands also result in hyperv isolation:
1581
1582
1583 $ docker run -d --isolation default busybox top
1584 $ docker run -d --isolation hyperv busybox top
1585
1586
1587
1589 The --sysctl sets namespaced kernel parameters (sysctls) in the con‐
1590 tainer. For example, to turn on IP forwarding in the containers network
1591 namespace, run this command:
1592
1593
1594 $ docker run --sysctl net.ipv4.ip_forward=1 someimage
1595
1596
1597
1598 Note:
1599
1600
1601 Not all sysctls are namespaced. Docker does not support changing
1602 sysctls inside of a container that also modify the host system. As the
1603 kernel evolves we expect to see more sysctls become namespaced.
1604
1605
1606 See the definition of the --sysctl option above for the current list of
1607 supported sysctls.
1608
1609
1610
1612 April 2014, Originally compiled by William Henry (whenry at redhat dot
1613 com) based on docker.com source material and internal work. June 2014,
1614 updated by Sven Dowideit SvenDowideit@home.org.au ⟨mailto:Sven‐
1615 Dowideit@home.org.au⟩ July 2014, updated by Sven Dowideit Sven‐
1616 Dowideit@home.org.au ⟨mailto:SvenDowideit@home.org.au⟩ November 2015,
1617 updated by Sally O'Malley somalley@redhat.com ⟨mailto:somalley@red‐
1618 hat.com⟩
1619
1620
1621
1622Manuals User DOCKER(1)(Docker)