github.com/45cali/docker@v1.11.1/docs/reference/commandline/run.md (about) 1 <!--[metadata]> 2 +++ 3 title = "run" 4 description = "The run command description and usage" 5 keywords = ["run, command, container"] 6 [menu.main] 7 parent = "smn_cli" 8 +++ 9 <![end-metadata]--> 10 11 # run 12 13 Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...] 14 15 Run a command in a new container 16 17 -a, --attach=[] Attach to STDIN, STDOUT or STDERR 18 --add-host=[] Add a custom host-to-IP mapping (host:ip) 19 --blkio-weight=0 Block IO weight (relative weight) 20 --blkio-weight-device=[] Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`) 21 --cpu-shares=0 CPU shares (relative weight) 22 --cap-add=[] Add Linux capabilities 23 --cap-drop=[] Drop Linux capabilities 24 --cgroup-parent="" Optional parent cgroup for the container 25 --cidfile="" Write the container ID to the file 26 --cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period 27 --cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota 28 --cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1) 29 --cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1) 30 -d, --detach Run container in background and print container ID 31 --detach-keys Specify the escape key sequence used to detach a container 32 --device=[] Add a host device to the container 33 --device-read-bps=[] Limit read rate (bytes per second) from a device (e.g., --device-read-bps=/dev/sda:1mb) 34 --device-read-iops=[] Limit read rate (IO per second) from a device (e.g., --device-read-iops=/dev/sda:1000) 35 --device-write-bps=[] Limit write rate (bytes per second) to a device (e.g., --device-write-bps=/dev/sda:1mb) 36 --device-write-iops=[] Limit write rate (IO per second) to a device (e.g., --device-write-bps=/dev/sda:1000) 37 --disable-content-trust=true Skip image verification 38 --dns=[] Set custom DNS servers 39 --dns-opt=[] Set custom DNS options 40 --dns-search=[] Set custom DNS search domains 41 -e, --env=[] Set environment variables 42 --entrypoint="" Overwrite the default ENTRYPOINT of the image 43 --env-file=[] Read in a file of environment variables 44 --expose=[] Expose a port or a range of ports 45 --group-add=[] Add additional groups to run as 46 -h, --hostname="" Container host name 47 --help Print usage 48 -i, --interactive Keep STDIN open even if not attached 49 --ip="" Container IPv4 address (e.g. 172.30.100.104) 50 --ip6="" Container IPv6 address (e.g. 2001:db8::33) 51 --ipc="" IPC namespace to use 52 --isolation="" Container isolation technology 53 --kernel-memory="" Kernel memory limit 54 -l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value) 55 --label-file=[] Read in a file of labels (EOL delimited) 56 --link=[] Add link to another container 57 --log-driver="" Logging driver for container 58 --log-opt=[] Log driver specific options 59 -m, --memory="" Memory limit 60 --mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33) 61 --memory-reservation="" Memory soft limit 62 --memory-swap="" A positive integer equal to memory plus swap. Specify -1 to enable unlimited swap. 63 --memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. 64 --name="" Assign a name to the container 65 --net="bridge" Connect a container to a network 66 'bridge': create a network stack on the default Docker bridge 67 'none': no networking 68 'container:<name|id>': reuse another container's network stack 69 'host': use the Docker host network stack 70 '<network-name>|<network-id>': connect to a user-defined network 71 --net-alias=[] Add network-scoped alias for the container 72 --oom-kill-disable Whether to disable OOM Killer for the container or not 73 --oom-score-adj=0 Tune the host's OOM preferences for containers (accepts -1000 to 1000) 74 -P, --publish-all Publish all exposed ports to random ports 75 -p, --publish=[] Publish a container's port(s) to the host 76 --pid="" PID namespace to use 77 --pids-limit=-1 Tune container pids limit (set -1 for unlimited), kernel >= 4.3 78 --privileged Give extended privileges to this container 79 --read-only Mount the container's root filesystem as read only 80 --restart="no" Restart policy (no, on-failure[:max-retry], always, unless-stopped) 81 --rm Automatically remove the container when it exits 82 --shm-size=[] Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. 83 --security-opt=[] Security Options 84 --sig-proxy=true Proxy received signals to the process 85 --stop-signal="SIGTERM" Signal to stop a container 86 -t, --tty Allocate a pseudo-TTY 87 -u, --user="" Username or UID (format: <name|uid>[:<group|gid>]) 88 --userns="" Container user namespace 89 'host': Use the Docker host user namespace 90 '': Use the Docker daemon user namespace specified by `--userns-remap` option. 91 --ulimit=[] Ulimit options 92 --uts="" UTS namespace to use 93 -v, --volume=[host-src:]container-dest[:<options>] 94 Bind mount a volume. The comma-delimited 95 `options` are [rw|ro], [z|Z], 96 [[r]shared|[r]slave|[r]private], and 97 [nocopy]. The 'host-src' is an absolute path 98 or a name value. 99 --volume-driver="" Container's volume driver 100 --volumes-from=[] Mount volumes from the specified container(s) 101 -w, --workdir="" Working directory inside the container 102 103 The `docker run` command first `creates` a writeable container layer over the 104 specified image, and then `starts` it using the specified command. That is, 105 `docker run` is equivalent to the API `/containers/create` then 106 `/containers/(id)/start`. A stopped container can be restarted with all its 107 previous changes intact using `docker start`. See `docker ps -a` to view a list 108 of all containers. 109 110 The `docker run` command can be used in combination with `docker commit` to 111 [*change the command that a container runs*](commit.md). There is additional detailed information about `docker run` in the [Docker run reference](../run.md). 112 113 For information on connecting a container to a network, see the ["*Docker network overview*"](../../userguide/networking/index.md). 114 115 ## Examples 116 117 ### Assign name and allocate pseudo-TTY (--name, -it) 118 119 $ docker run --name test -it debian 120 root@d6c0fe130dba:/# exit 13 121 $ echo $? 122 13 123 $ docker ps -a | grep test 124 d6c0fe130dba debian:7 "/bin/bash" 26 seconds ago Exited (13) 17 seconds ago test 125 126 This example runs a container named `test` using the `debian:latest` 127 image. The `-it` instructs Docker to allocate a pseudo-TTY connected to 128 the container's stdin; creating an interactive `bash` shell in the container. 129 In the example, the `bash` shell is quit by entering 130 `exit 13`. This exit code is passed on to the caller of 131 `docker run`, and is recorded in the `test` container's metadata. 132 133 ### Capture container ID (--cidfile) 134 135 $ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test" 136 137 This will create a container and print `test` to the console. The `cidfile` 138 flag makes Docker attempt to create a new file and write the container ID to it. 139 If the file exists already, Docker will return an error. Docker will close this 140 file when `docker run` exits. 141 142 ### Full container capabilities (--privileged) 143 144 $ docker run -t -i --rm ubuntu bash 145 root@bc338942ef20:/# mount -t tmpfs none /mnt 146 mount: permission denied 147 148 This will *not* work, because by default, most potentially dangerous kernel 149 capabilities are dropped; including `cap_sys_admin` (which is required to mount 150 filesystems). However, the `--privileged` flag will allow it to run: 151 152 $ docker run -t -i --privileged ubuntu bash 153 root@50e3f57e16e6:/# mount -t tmpfs none /mnt 154 root@50e3f57e16e6:/# df -h 155 Filesystem Size Used Avail Use% Mounted on 156 none 1.9G 0 1.9G 0% /mnt 157 158 The `--privileged` flag gives *all* capabilities to the container, and it also 159 lifts all the limitations enforced by the `device` cgroup controller. In other 160 words, the container can then do almost everything that the host can do. This 161 flag exists to allow special use-cases, like running Docker within Docker. 162 163 ### Set working directory (-w) 164 165 $ docker run -w /path/to/dir/ -i -t ubuntu pwd 166 167 The `-w` lets the command being executed inside directory given, here 168 `/path/to/dir/`. If the path does not exists it is created inside the container. 169 170 ### Mount tmpfs (--tmpfs) 171 172 $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image 173 174 The `--tmpfs` flag mounts an empty tmpfs into the container with the `rw`, 175 `noexec`, `nosuid`, `size=65536k` options. 176 177 ### Mount volume (-v, --read-only) 178 179 $ docker run -v `pwd`:`pwd` -w `pwd` -i -t ubuntu pwd 180 181 The `-v` flag mounts the current working directory into the container. The `-w` 182 lets the command being executed inside the current working directory, by 183 changing into the directory to the value returned by `pwd`. So this 184 combination executes the command using the container, but inside the 185 current working directory. 186 187 $ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash 188 189 When the host directory of a bind-mounted volume doesn't exist, Docker 190 will automatically create this directory on the host for you. In the 191 example above, Docker will create the `/doesnt/exist` 192 folder before starting your container. 193 194 $ docker run --read-only -v /icanwrite busybox touch /icanwrite here 195 196 Volumes can be used in combination with `--read-only` to control where 197 a container writes files. The `--read-only` flag mounts the container's root 198 filesystem as read only prohibiting writes to locations other than the 199 specified volumes for the container. 200 201 $ docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/static-docker-binary:/usr/bin/docker busybox sh 202 203 By bind-mounting the docker unix socket and statically linked docker 204 binary (refer to [get the linux binary]( 205 ../../installation/binaries.md#get-the-linux-binary)), 206 you give the container the full access to create and manipulate the host's 207 Docker daemon. 208 209 ### Publish or expose port (-p, --expose) 210 211 $ docker run -p 127.0.0.1:80:8080 ubuntu bash 212 213 This binds port `8080` of the container to port `80` on `127.0.0.1` of the host 214 machine. The [Docker User 215 Guide](../../userguide/networking/default_network/dockerlinks.md) 216 explains in detail how to manipulate ports in Docker. 217 218 $ docker run --expose 80 ubuntu bash 219 220 This exposes port `80` of the container without publishing the port to the host 221 system's interfaces. 222 223 ### Set environment variables (-e, --env, --env-file) 224 225 $ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash 226 227 This sets simple (non-array) environmental variables in the container. For 228 illustration all three 229 flags are shown here. Where `-e`, `--env` take an environment variable and 230 value, or if no `=` is provided, then that variable's current value is passed 231 through (i.e. `$MYVAR1` from the host is set to `$MYVAR1` in the container). 232 When no `=` is provided and that variable is not defined in the client's 233 environment then that variable will be removed from the container's list of 234 environment variables. 235 All three flags, `-e`, `--env` and `--env-file` can be repeated. 236 237 Regardless of the order of these three flags, the `--env-file` are processed 238 first, and then `-e`, `--env` flags. This way, the `-e` or `--env` will 239 override variables as needed. 240 241 $ cat ./env.list 242 TEST_FOO=BAR 243 $ docker run --env TEST_FOO="This is a test" --env-file ./env.list busybox env | grep TEST_FOO 244 TEST_FOO=This is a test 245 246 The `--env-file` flag takes a filename as an argument and expects each line 247 to be in the `VAR=VAL` format, mimicking the argument passed to `--env`. Comment 248 lines need only be prefixed with `#` 249 250 An example of a file passed with `--env-file` 251 252 $ cat ./env.list 253 TEST_FOO=BAR 254 255 # this is a comment 256 TEST_APP_DEST_HOST=10.10.0.127 257 TEST_APP_DEST_PORT=8888 258 _TEST_BAR=FOO 259 TEST_APP_42=magic 260 helloWorld=true 261 123qwe=bar 262 org.spring.config=something 263 264 # pass through this variable from the caller 265 TEST_PASSTHROUGH 266 $ TEST_PASSTHROUGH=howdy docker run --env-file ./env.list busybox env 267 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 268 HOSTNAME=5198e0745561 269 TEST_FOO=BAR 270 TEST_APP_DEST_HOST=10.10.0.127 271 TEST_APP_DEST_PORT=8888 272 _TEST_BAR=FOO 273 TEST_APP_42=magic 274 helloWorld=true 275 TEST_PASSTHROUGH=howdy 276 HOME=/root 277 123qwe=bar 278 org.spring.config=something 279 280 $ docker run --env-file ./env.list busybox env 281 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 282 HOSTNAME=5198e0745561 283 TEST_FOO=BAR 284 TEST_APP_DEST_HOST=10.10.0.127 285 TEST_APP_DEST_PORT=8888 286 _TEST_BAR=FOO 287 TEST_APP_42=magic 288 helloWorld=true 289 TEST_PASSTHROUGH= 290 HOME=/root 291 123qwe=bar 292 org.spring.config=something 293 294 ### Set metadata on container (-l, --label, --label-file) 295 296 A label is a `key=value` pair that applies metadata to a container. To label a container with two labels: 297 298 $ docker run -l my-label --label com.example.foo=bar ubuntu bash 299 300 The `my-label` key doesn't specify a value so the label defaults to an empty 301 string(`""`). To add multiple labels, repeat the label flag (`-l` or `--label`). 302 303 The `key=value` must be unique to avoid overwriting the label value. If you 304 specify labels with identical keys but different values, each subsequent value 305 overwrites the previous. Docker uses the last `key=value` you supply. 306 307 Use the `--label-file` flag to load multiple labels from a file. Delimit each 308 label in the file with an EOL mark. The example below loads labels from a 309 labels file in the current directory: 310 311 $ docker run --label-file ./labels ubuntu bash 312 313 The label-file format is similar to the format for loading environment 314 variables. (Unlike environment variables, labels are not visible to processes 315 running inside a container.) The following example illustrates a label-file 316 format: 317 318 com.example.label1="a label" 319 320 # this is a comment 321 com.example.label2=another\ label 322 com.example.label3 323 324 You can load multiple label-files by supplying multiple `--label-file` flags. 325 326 For additional information on working with labels, see [*Labels - custom 327 metadata in Docker*](../../userguide/labels-custom-metadata.md) in the Docker User 328 Guide. 329 330 ### Connect a container to a network (--net) 331 332 When you start a container use the `--net` flag to connect it to a network. 333 This adds the `busybox` container to the `my-net` network. 334 335 ```bash 336 $ docker run -itd --net=my-net busybox 337 ``` 338 339 You can also choose the IP addresses for the container with `--ip` and `--ip6` 340 flags when you start the container on a user-defined network. 341 342 ```bash 343 $ docker run -itd --net=my-net --ip=10.10.9.75 busybox 344 ``` 345 346 If you want to add a running container to a network use the `docker network connect` subcommand. 347 348 You can connect multiple containers to the same network. Once connected, the 349 containers can communicate easily need only another container's IP address 350 or name. For `overlay` networks or custom plugins that support multi-host 351 connectivity, containers connected to the same multi-host network but launched 352 from different Engines can also communicate in this way. 353 354 **Note**: Service discovery is unavailable on the default bridge network. 355 Containers can communicate via their IP addresses by default. To communicate 356 by name, they must be linked. 357 358 You can disconnect a container from a network using the `docker network 359 disconnect` command. 360 361 ### Mount volumes from container (--volumes-from) 362 363 $ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd 364 365 The `--volumes-from` flag mounts all the defined volumes from the referenced 366 containers. Containers can be specified by repetitions of the `--volumes-from` 367 argument. The container ID may be optionally suffixed with `:ro` or `:rw` to 368 mount the volumes in read-only or read-write mode, respectively. By default, 369 the volumes are mounted in the same mode (read write or read only) as 370 the reference container. 371 372 Labeling systems like SELinux require that proper labels are placed on volume 373 content mounted into a container. Without a label, the security system might 374 prevent the processes running inside the container from using the content. By 375 default, Docker does not change the labels set by the OS. 376 377 To change the label in the container context, you can add either of two suffixes 378 `:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file 379 objects on the shared volumes. The `z` option tells Docker that two containers 380 share the volume content. As a result, Docker labels the content with a shared 381 content label. Shared volume labels allow all containers to read/write content. 382 The `Z` option tells Docker to label the content with a private unshared label. 383 Only the current container can use a private volume. 384 385 ### Attach to STDIN/STDOUT/STDERR (-a) 386 387 The `-a` flag tells `docker run` to bind to the container's `STDIN`, `STDOUT` 388 or `STDERR`. This makes it possible to manipulate the output and input as 389 needed. 390 391 $ echo "test" | docker run -i -a stdin ubuntu cat - 392 393 This pipes data into a container and prints the container's ID by attaching 394 only to the container's `STDIN`. 395 396 $ docker run -a stderr ubuntu echo test 397 398 This isn't going to print anything unless there's an error because we've 399 only attached to the `STDERR` of the container. The container's logs 400 still store what's been written to `STDERR` and `STDOUT`. 401 402 $ cat somefile | docker run -i -a stdin mybuilder dobuild 403 404 This is how piping a file into a container could be done for a build. 405 The container's ID will be printed after the build is done and the build 406 logs could be retrieved using `docker logs`. This is 407 useful if you need to pipe a file or something else into a container and 408 retrieve the container's ID once the container has finished running. 409 410 ### Add host device to container (--device) 411 412 $ docker run --device=/dev/sdc:/dev/xvdc --device=/dev/sdd --device=/dev/zero:/dev/nulo -i -t ubuntu ls -l /dev/{xvdc,sdd,nulo} 413 brw-rw---- 1 root disk 8, 2 Feb 9 16:05 /dev/xvdc 414 brw-rw---- 1 root disk 8, 3 Feb 9 16:05 /dev/sdd 415 crw-rw-rw- 1 root root 1, 5 Feb 9 16:05 /dev/nulo 416 417 It is often necessary to directly expose devices to a container. The `--device` 418 option enables that. For example, a specific block storage device or loop 419 device or audio device can be added to an otherwise unprivileged container 420 (without the `--privileged` flag) and have the application directly access it. 421 422 By default, the container will be able to `read`, `write` and `mknod` these devices. 423 This can be overridden using a third `:rwm` set of options to each `--device` 424 flag: 425 426 427 $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc 428 429 Command (m for help): q 430 $ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk /dev/xvdc 431 You will not be able to write the partition table. 432 433 Command (m for help): q 434 435 $ docker run --device=/dev/sda:/dev/xvdc:rw --rm -it ubuntu fdisk /dev/xvdc 436 437 Command (m for help): q 438 439 $ docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk /dev/xvdc 440 fdisk: unable to open /dev/xvdc: Operation not permitted 441 442 > **Note:** 443 > `--device` cannot be safely used with ephemeral devices. Block devices 444 > that may be removed should not be added to untrusted containers with 445 > `--device`. 446 447 ### Restart policies (--restart) 448 449 Use Docker's `--restart` to specify a container's *restart policy*. A restart 450 policy controls whether the Docker daemon restarts a container after exit. 451 Docker supports the following restart policies: 452 453 <table> 454 <thead> 455 <tr> 456 <th>Policy</th> 457 <th>Result</th> 458 </tr> 459 </thead> 460 <tbody> 461 <tr> 462 <td><strong>no</strong></td> 463 <td> 464 Do not automatically restart the container when it exits. This is the 465 default. 466 </td> 467 </tr> 468 <tr> 469 <td> 470 <span style="white-space: nowrap"> 471 <strong>on-failure</strong>[:max-retries] 472 </span> 473 </td> 474 <td> 475 Restart only if the container exits with a non-zero exit status. 476 Optionally, limit the number of restart retries the Docker 477 daemon attempts. 478 </td> 479 </tr> 480 <tr> 481 <td><strong>always</strong></td> 482 <td> 483 Always restart the container regardless of the exit status. 484 When you specify always, the Docker daemon will try to restart 485 the container indefinitely. The container will also always start 486 on daemon startup, regardless of the current state of the container. 487 </td> 488 </tr> 489 <tr> 490 <td><strong>unless-stopped</strong></td> 491 <td> 492 Always restart the container regardless of the exit status, but 493 do not start it on daemon startup if the container has been put 494 to a stopped state before. 495 </td> 496 </tr> 497 </tbody> 498 </table> 499 500 $ docker run --restart=always redis 501 502 This will run the `redis` container with a restart policy of **always** 503 so that if the container exits, Docker will restart it. 504 505 More detailed information on restart policies can be found in the 506 [Restart Policies (--restart)](../run.md#restart-policies-restart) 507 section of the Docker run reference page. 508 509 ### Add entries to container hosts file (--add-host) 510 511 You can add other hosts into a container's `/etc/hosts` file by using one or 512 more `--add-host` flags. This example adds a static address for a host named 513 `docker`: 514 515 $ docker run --add-host=docker:10.180.0.1 --rm -it debian 516 $$ ping docker 517 PING docker (10.180.0.1): 48 data bytes 518 56 bytes from 10.180.0.1: icmp_seq=0 ttl=254 time=7.600 ms 519 56 bytes from 10.180.0.1: icmp_seq=1 ttl=254 time=30.705 ms 520 ^C--- docker ping statistics --- 521 2 packets transmitted, 2 packets received, 0% packet loss 522 round-trip min/avg/max/stddev = 7.600/19.152/30.705/11.553 ms 523 524 Sometimes you need to connect to the Docker host from within your 525 container. To enable this, pass the Docker host's IP address to 526 the container using the `--add-host` flag. To find the host's address, 527 use the `ip addr show` command. 528 529 The flags you pass to `ip addr show` depend on whether you are 530 using IPv4 or IPv6 networking in your containers. Use the following 531 flags for IPv4 address retrieval for a network device named `eth0`: 532 533 $ HOSTIP=`ip -4 addr show scope global dev eth0 | grep inet | awk '{print \$2}' | cut -d / -f 1` 534 $ docker run --add-host=docker:${HOSTIP} --rm -it debian 535 536 For IPv6 use the `-6` flag instead of the `-4` flag. For other network 537 devices, replace `eth0` with the correct device name (for example `docker0` 538 for the bridge device). 539 540 ### Set ulimits in container (--ulimit) 541 542 Since setting `ulimit` settings in a container requires extra privileges not 543 available in the default container, you can set these using the `--ulimit` flag. 544 `--ulimit` is specified with a soft and hard limit as such: 545 `<type>=<soft limit>[:<hard limit>]`, for example: 546 547 $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n" 548 1024 549 550 > **Note:** 551 > If you do not provide a `hard limit`, the `soft limit` will be used 552 > for both values. If no `ulimits` are set, they will be inherited from 553 > the default `ulimits` set on the daemon. `as` option is disabled now. 554 > In other words, the following script is not supported: 555 > `$ docker run -it --ulimit as=1024 fedora /bin/bash` 556 557 The values are sent to the appropriate `syscall` as they are set. 558 Docker doesn't perform any byte conversion. Take this into account when setting the values. 559 560 #### For `nproc` usage 561 562 Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to set the 563 maximum number of processes available to a user, not to a container. For example, start four 564 containers with `daemon` user: 565 566 docker run -d -u daemon --ulimit nproc=3 busybox top 567 docker run -d -u daemon --ulimit nproc=3 busybox top 568 docker run -d -u daemon --ulimit nproc=3 busybox top 569 docker run -d -u daemon --ulimit nproc=3 busybox top 570 571 The 4th container fails and reports "[8] System error: resource temporarily unavailable" error. 572 This fails because the caller set `nproc=3` resulting in the first three containers using up 573 the three processes quota set for the `daemon` user. 574 575 ### Stop container with signal (--stop-signal) 576 577 The `--stop-signal` flag sets the system call signal that will be sent to the container to exit. 578 This signal can be a valid unsigned number that matches a position in the kernel's syscall table, for instance 9, 579 or a signal name in the format SIGNAME, for instance SIGKILL. 580 581 ### Specify isolation technology for container (--isolation) 582 583 This option is useful in situations where you are running Docker containers on 584 Microsoft Windows. The `--isolation <value>` option sets a container's isolation 585 technology. On Linux, the only supported is the `default` option which uses 586 Linux namespaces. These two commands are equivalent on Linux: 587 588 ``` 589 $ docker run -d busybox top 590 $ docker run -d --isolation default busybox top 591 ``` 592 593 On Microsoft Windows, can take any of these values: 594 595 596 | Value | Description | 597 |-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------| 598 | `default` | Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value. | 599 | `process` | Namespace isolation only. | 600 | `hyperv` | Hyper-V hypervisor partition-based isolation. | 601 602 In practice, when running on Microsoft Windows without a `daemon` option set, these two commands are equivalent: 603 604 ``` 605 $ docker run -d --isolation default busybox top 606 $ docker run -d --isolation process busybox top 607 ``` 608 609 If you have set the `--exec-opt isolation=hyperv` option on the Docker `daemon`, any of these commands also result in `hyperv` isolation: 610 611 ``` 612 $ docker run -d --isolation default busybox top 613 $ docker run -d --isolation hyperv busybox top 614 ```