github.com/DaoCloud/dao@v0.0.0-20161212064103-c3dbfd13ee36/man/docker-create.1.md
% DOCKER(1) Docker User Manuals
% Docker Community
% JUNE 2014
# NAME
docker-create - Create a new container

# SYNOPSIS
**docker create**
[**-a**|**--attach**[=*[]*]]
[**--add-host**[=*[]*]]
[**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
[**--blkio-weight-device**[=*[]*]]
[**--cpu-shares**[=*0*]]
[**--cap-add**[=*[]*]]
[**--cap-drop**[=*[]*]]
[**--cgroup-parent**[=*CGROUP-PATH*]]
[**--cidfile**[=*CIDFILE*]]
[**--cpu-period**[=*0*]]
[**--cpu-quota**[=*0*]]
[**--cpuset-cpus**[=*CPUSET-CPUS*]]
[**--cpuset-mems**[=*CPUSET-MEMS*]]
[**--device**[=*[]*]]
[**--device-read-bps**[=*[]*]]
[**--device-read-iops**[=*[]*]]
[**--device-write-bps**[=*[]*]]
[**--device-write-iops**[=*[]*]]
[**--dns**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**-e**|**--env**[=*[]*]]
[**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]]
[**--expose**[=*[]*]]
[**--group-add**[=*[]*]]
[**-h**|**--hostname**[=*HOSTNAME*]]
[**--help**]
[**-i**|**--interactive**]
[**--ip**[=*IPv4-ADDRESS*]]
[**--ip6**[=*IPv6-ADDRESS*]]
[**--ipc**[=*IPC*]]
[**--isolation**[=*default*]]
[**--kernel-memory**[=*KERNEL-MEMORY*]]
[**-l**|**--label**[=*[]*]]
[**--label-file**[=*[]*]]
[**--link**[=*[]*]]
[**--link-local-ip**[=*[]*]]
[**--log-driver**[=*[]*]]
[**--log-opt**[=*[]*]]
[**-m**|**--memory**[=*MEMORY*]]
[**--mac-address**[=*MAC-ADDRESS*]]
[**--memory-reservation**[=*MEMORY-RESERVATION*]]
[**--memory-swap**[=*LIMIT*]]
[**--memory-swappiness**[=*MEMORY-SWAPPINESS*]]
[**--name**[=*NAME*]]
[**--network-alias**[=*[]*]]
[**--network**[=*"bridge"*]]
[**--oom-kill-disable**]
[**--oom-score-adj**[=*0*]]
[**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]]
[**--pid**[=*[PID]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**]
[**--read-only**]
[**--restart**[=*RESTART*]]
[**--security-opt**[=*[]*]]
[**--storage-opt**[=*[]*]]
[**--stop-signal**[=*SIGNAL*]]
[**--shm-size**[=*[]*]]
[**--sysctl**[=*[]*]]
[**-t**|**--tty**]
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
[**-u**|**--user**[=*USER*]]
[**--ulimit**[=*[]*]]
[**--uts**[=*[]*]]
[**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]
[**--volume-driver**[=*DRIVER*]]
[**--volumes-from**[=*[]*]]
[**-w**|**--workdir**[=*WORKDIR*]]
IMAGE [COMMAND] [ARG...]

# DESCRIPTION

Creates a writeable container layer over the specified image and prepares it for
running the specified command. The container ID is then printed to STDOUT. This
is similar to **docker run -d** except the container is never started. You can
then use the **docker start <container_id>** command to start the container at
any point.

The initial status of the container created with **docker create** is 'created'.

# OPTIONS
**-a**, **--attach**=[]
   Attach to STDIN, STDOUT or STDERR.

**--add-host**=[]
   Add a custom host-to-IP mapping (host:ip)

**--blkio-weight**=*0*
   Block IO weight (relative weight) accepts a weight value between 10 and 1000.

**--blkio-weight-device**=[]
   Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`).

**--cpu-shares**=*0*
   CPU shares (relative weight)

**--cap-add**=[]
   Add Linux capabilities. Add only the capabilities the workload actually needs;
   the value `ALL` adds every capability.

**--cap-drop**=[]
   Drop Linux capabilities. `--cap-drop=ALL` followed by explicit **--cap-add**
   entries is the usual way to run a container with a least-privilege capability set.

**--cgroup-parent**=""
   Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.
**--cidfile**=""
   Write the container ID to the file

**--cpu-period**=*0*
   Limit the CPU CFS (Completely Fair Scheduler) period

**--cpuset-cpus**=""
   CPUs in which to allow execution (0-3, 0,1)

**--cpuset-mems**=""
   Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.

   If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
   then processes in your Docker container will only use memory from the first
   two memory nodes.

**--cpu-quota**=*0*
   Limit the CPU CFS (Completely Fair Scheduler) quota

**--device**=[]
   Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm).
   The optional third field is the cgroup permission: `r` (read), `w` (write)
   and `m` (mknod). Grant only the permissions the container needs.

**--device-read-bps**=[]
   Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)

**--device-read-iops**=[]
   Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)

**--device-write-bps**=[]
   Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb)

**--device-write-iops**=[]
   Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)

**--dns**=[]
   Set custom DNS servers

**--dns-opt**=[]
   Set custom DNS options

**--dns-search**=[]
   Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)

**-e**, **--env**=[]
   Set environment variables

**--entrypoint**=""
   Overwrite the default ENTRYPOINT of the image

**--env-file**=[]
   Read in a line-delimited file of environment variables

**--expose**=[]
   Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host

**--group-add**=[]
   Add additional groups to run as

**-h**, **--hostname**=""
   Container host name

**--help**
   Print usage statement

**-i**, **--interactive**=*true*|*false*
   Keep STDIN open even if not attached. The default is *false*.

**--ip**=""
   Sets the container's interface IPv4 address (e.g. 172.23.0.9)

   It can only be used in conjunction with **--net** for user-defined networks

**--ip6**=""
   Sets the container's interface IPv6 address (e.g. 2001:db8::1b99)

   It can only be used in conjunction with **--net** for user-defined networks

**--ipc**=""
   Default is to create a private IPC namespace (POSIX/SysV IPC) for the container
   'container:<name|id>': reuse another container's shared memory, semaphores and message queues
   'host': use the host's shared memory, semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.

**--isolation**="*default*"
   Isolation specifies the type of isolation technology used by containers. Note
   that the default on Windows server is `process`, and the default on Windows client
   is `hyperv`. Linux only supports `default`.

**--kernel-memory**=""
   Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)

   Constrains the kernel memory available to a container. If a limit of 0
   is specified (not using `--kernel-memory`), the container's kernel memory
   is not limited. If you specify a limit, it may be rounded up to a multiple
   of the operating system's page size. When no limit is set, the value the
   kernel reports is very large (on the order of millions of trillions of bytes).

**-l**, **--label**=[]
   Adds metadata to a container (e.g., --label=com.example.key=value)

**--label-file**=[]
   Read labels from a file. Delimit each label with an EOL.
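The `<number>[<unit>]` format used by **--kernel-memory** above is shared by **-m**, **--memory-reservation**, **--memory-swap** and **--shm-size**, and those options carry rules that relate them to each other (described under each option). The following Python is an added example, not code from this man page or from the Docker project: it parses that format and checks those rules before a **docker create** is issued. One rule it encodes is not stated on this page and is taken as an assumption about daemon behaviour: with **-m** set and **--memory-swap** unset, the container may use swap equal to its memory limit.

```python
"""Parse the <number>[<unit>] sizes accepted by docker create and check the
cross-flag memory rules the man page states before the container is created.
Added example; not code from this man page or from the Docker project."""
import re

_UNIT = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_SIZE = re.compile(r"^(\d+)([bkmgBKMG]?)$")


def parse_size(text):
    """'<number>[<unit>]' -> bytes (unit b/k/m/g, case-insensitive, default bytes).
    None or '' (flag unset) -> None; the literal '-1' (unlimited swap) -> -1."""
    if text is None or text.strip() == "":
        return None
    text = text.strip()
    if text == "-1":
        return -1
    m = _SIZE.match(text)
    if not m:
        raise ValueError("bad size %r: expected <number>[b|k|m|g]" % text)
    return int(m.group(1)) * _UNIT[(m.group(2) or "b").lower()]


def check_memory_flags(memory=None, memory_swap=None, memory_reservation=None,
                       kernel_memory=None, shm_size=None):
    """Return {'problems': [...], 'limits': {...}} for one set of flags.

    Rules from the man page: a limit of 0 means unlimited; --memory-swap needs -m
    and must not be smaller than it (-1 = unlimited swap; equal to -m = no swap);
    --memory-reservation should stay below --memory (else the hard limit wins) and
    defaults to --memory; --shm-size must be > 0 and defaults to 64m.
    Assumption (daemon behaviour, not stated on the page): with -m set and
    --memory-swap unset the container may use swap equal to its memory limit."""
    mem = parse_size(memory) or None          # 0 -> unlimited
    kmem = parse_size(kernel_memory) or None  # 0 -> unlimited
    swap = parse_size(memory_swap)
    res = parse_size(memory_reservation)
    shm = parse_size(shm_size)
    problems = []
    if swap is not None and mem is None:
        problems.append("--memory-swap requires -m/--memory")
    elif swap is not None and swap != -1 and swap < mem:
        problems.append("--memory-swap must not be smaller than --memory")
    if res is not None and mem is not None and res > mem:
        problems.append("--memory-reservation exceeds --memory; the hard limit takes precedence")
    if shm is not None and shm <= 0:
        problems.append("--shm-size must be greater than 0")

    if mem is None or swap == -1:
        total = None                          # unlimited memory plus swap
    elif swap is None:
        total = 2 * mem                       # swap equal to the memory limit (assumption above)
    else:
        total = swap
    limits = {"memory": mem, "kernel_memory": kmem, "memory_plus_swap": total,
              "reservation": res if res is not None else mem,
              "shm": shm if shm is not None else 64 * 1024 ** 2}
    return {"problems": problems, "limits": limits}
```

Run `check_memory_flags(memory="512m", memory_swap="256m")` to see the daemon-side rejection reported before the container is created; the `limits` dictionary gives the effective byte values, with `None` meaning unlimited.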
**--link**=[]
   Add link to another container in the form of <name or id>:alias or just
   <name or id> in which case the alias will match the name.

**--link-local-ip**=[]
   Add one or more link-local IPv4/IPv6 addresses to the container's interface

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
   Logging driver for the container. Default is defined by daemon `--log-driver` flag.
   **Warning**: the `docker logs` command works only for the `json-file` and
   `journald` logging drivers.

**--log-opt**=[]
   Logging driver specific options.

**-m**, **--memory**=""
   Memory limit (format: <number>[<unit>], where unit = b, k, m or g)

   Allows you to constrain the memory available to a container. If the host
   supports swap memory, then the **-m** memory setting can be larger than physical
   RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
   not limited. The actual limit may be rounded up to a multiple of the operating
   system's page size. When no limit is set, the value the kernel reports is very
   large (on the order of millions of trillions of bytes).

**--mac-address**=""
   Container MAC address (e.g. 92:d0:c6:0a:29:33)

**--memory-reservation**=""
   Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g)

   After setting memory reservation, when the system detects memory contention
   or low memory, containers are forced to restrict their consumption to their
   reservation. So you should always set the value below **--memory**, otherwise the
   hard limit will take precedence. By default, memory reservation will be the same
   as memory limit.

**--memory-swap**="LIMIT"
   A limit value equal to memory plus swap. Must be used with the **-m**
   (**--memory**) flag. The swap `LIMIT` should always be larger than the **-m**
   (**--memory**) value; a `LIMIT` equal to the **-m** value leaves the container no swap.

   The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
   `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a
   unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.

**--memory-swappiness**=""
   Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.

**--name**=""
   Assign a name to the container

**--net**="*bridge*"
   Set the Network mode for the container (**--network** is accepted as an alias)
   'bridge': create a network stack on the default Docker bridge
   'none': no networking
   'container:<name|id>': reuse another container's network stack
   'host': use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
   '<network-name>|<network-id>': connect to a user-defined network

**--network-alias**=[]
   Add network-scoped alias for the container

**--oom-kill-disable**=*true*|*false*
   Whether to disable OOM Killer for the container or not.

**--oom-score-adj**=""
   Tune the host's OOM preferences for containers (accepts -1000 to 1000)

**-P**, **--publish-all**=*true*|*false*
   Publish all exposed ports to random ports on the host interfaces. The default is *false*.

**-p**, **--publish**=[]
   Publish a container's port, or a range of ports, to the host
   format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
   Both hostPort and containerPort can be specified as a range of ports.
   When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range.
   (e.g., `-p 1234-1236:1234-1236/tcp`)
   (use 'docker port' to see the actual mapping)
   If no ip is given, the port is bound on all host interfaces (the daemon's default
   `--ip` is 0.0.0.0); bind to 127.0.0.1 for services that should only be reachable locally.

**--pid**=""
   Set the PID mode for the container
   Default is to create a private PID namespace for the container
   'container:<name|id>': join another container's PID namespace
   'host': use the host's PID namespace for the container. Note: the host mode lets the container see, trace and signal every process on the host and is therefore considered insecure.

**--userns**=""
   Set the user namespace mode for the container when the daemon's `userns-remap` option is enabled.
   **host**: use the host's user namespace. This turns off user-namespace remapping for the container and is required for options that are incompatible with remapping (e.g., `--pid=host` or `--privileged`).

**--pids-limit**=""
   Tune the container's pids limit. Set `-1` to have unlimited pids for the container.

**--privileged**=*true*|*false*
   Give extended privileges to this container. The default is *false*.
   A privileged container receives all Linux capabilities, access to all host devices,
   and no seccomp or AppArmor/SELinux confinement; treat it as equivalent to root on the host.

**--read-only**=*true*|*false*
   Mount the container's root filesystem as read only.

**--restart**="*no*"
   Restart policy to apply when a container exits (no, on-failure[:max-retry], always, unless-stopped).

**--shm-size**=""
   Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
   Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes.
   If you omit the size entirely, the system uses `64m`.
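The four **-p** spellings above, the port ranges and the rule that both ranges must be the same length are easy to get wrong on the command line. The Python below is an added example (not code from this man page or from Docker's own port parser) that expands a publish spec into one mapping per container port, rejects the specs the page says are invalid, and reports which mappings bind on every host interface. It also accepts the host-range-to-single-port form (`8000-8010:80`), which the page does not mention and which is taken here as an assumption about what Docker accepts; IPv6 addresses are expected in brackets.

```python
"""Parse -p/--publish specs: ip:hostPort:containerPort | ip::containerPort |
hostPort:containerPort | containerPort, each port optionally a range, with an
optional /tcp or /udp suffix.  Added example, not code from the man page or
from Docker's nat package."""


def _port_range(text, what):
    """'80' -> (80, 80); '1234-1236' -> (1234, 1236).  Ports must be 1..65535."""
    lo, sep, hi = text.partition("-")
    try:
        start = int(lo)
        end = int(hi) if sep else start
    except ValueError:
        raise ValueError("invalid %s port %r" % (what, text))
    if not (1 <= start <= end <= 65535):
        raise ValueError("invalid %s port range %r" % (what, text))
    return start, end


def parse_publish(spec):
    """Return one mapping per container port:
    {'ip': str|None, 'host': (lo, hi)|None, 'container': int, 'proto': 'tcp'|'udp'}.
    ip None = daemon default interface binding (0.0.0.0 unless the daemon was
    started with --ip); host None = a random host port; a host (lo, hi) wider
    than one port with a single container port = Docker picks a free port in it
    (assumption about daemon behaviour, see the lead-in)."""
    body, _, proto = spec.partition("/")
    proto = (proto or "tcp").lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("unsupported protocol %r in %r" % (proto, spec))
    parts = body.rsplit(":", 2)               # rsplit keeps a bracketed IPv6 ip intact
    if len(parts) == 1:
        ip, host, container = None, "", parts[0]
    elif len(parts) == 2:
        ip, host, container = None, parts[0], parts[1]
    else:
        ip, host, container = parts[0].strip("[]") or None, parts[1], parts[2]
    c_lo, c_hi = _port_range(container, "container")
    h_range = _port_range(host, "host") if host else None
    if h_range and (h_range[1] - h_range[0]) != (c_hi - c_lo) and c_lo != c_hi:
        raise ValueError("host and container port ranges differ in length: %r" % spec)
    mappings = []
    for i, cport in enumerate(range(c_lo, c_hi + 1)):
        if h_range is None:
            hp = None                         # ephemeral host port
        elif c_lo == c_hi:
            hp = h_range                      # single container port: allocate within the range
        else:
            hp = (h_range[0] + i, h_range[0] + i)
        mappings.append({"ip": ip, "host": hp, "container": cport, "proto": proto})
    return mappings


def exposed_to_all_interfaces(mappings):
    """Mappings that will be reachable on every host interface."""
    return [m for m in mappings if m["ip"] in (None, "0.0.0.0", "::")]
```

Check a full command line by feeding every `-p` value through `parse_publish` and refusing to create the container when `exposed_to_all_interfaces` is non-empty for a service that was meant to be local only.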
**--security-opt**=[]
   Security Options

   "label:user:USER"   : Set the label user for the container
   "label:role:ROLE"   : Set the label role for the container
   "label:type:TYPE"   : Set the label type for the container
   "label:level:LEVEL" : Set the label level for the container
   "label:disable"     : Turn off label confinement for the container
   "no-new-privileges" : Prevent container processes from gaining additional privileges (for example through setuid binaries)
   "seccomp:unconfined" : Turn off seccomp confinement for the container
   "seccomp:profile.json" : Use the syscall allow-list in the given seccomp JSON file as the container's seccomp filter

**--storage-opt**=[]
   Storage driver options per container

       $ docker create -it --storage-opt size=120G fedora /bin/bash

   This (size) sets the container rootfs size to 120G at creation time. The size cannot be smaller than the default BaseFS size.
   This option is only available for the `devicemapper`, `btrfs`, and `zfs` graph drivers.

**--stop-signal**=*SIGTERM*
   Signal to stop a container. Default is SIGTERM.

**--sysctl**=SYSCTL
   Configure namespaced kernel parameters at runtime

   IPC Namespace - current sysctls allowed:

   kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
   Sysctls beginning with fs.mqueue.*

   Note: if you use --ipc=host, these sysctls are not allowed.

   Network Namespace - current sysctls allowed:
   Sysctls beginning with net.*

   Note: if you use --net=host, these sysctls are not allowed.

**-t**, **--tty**=*true*|*false*
   Allocate a pseudo-TTY. The default is *false*.
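Once a container has been created, the settings this page marks as insecure (**--privileged**, host namespaces, **--cap-add**, **--security-opt** choices, a writable root filesystem, unlimited pids, and **--sysctl** values that conflict with the chosen namespace mode) are all visible in the `HostConfig` section of `docker inspect`. The Python below is an added example, not code from this man page or from the Docker project: it audits such output for those settings. The JSON it reads is constructed to look like trimmed `docker inspect` output and is not from a real host; the `HostConfig` field names are those `docker inspect` prints, while the list of capabilities worth questioning and the list of sensitive host paths for bind mounts are this example's own judgement rather than statements from the page.

```python
"""Audit the HostConfig of created containers for the settings this man page marks
as insecure.  Added example: the JSON below is constructed to look like trimmed
`docker inspect` output, and the risky-capability and sensitive-path lists are the
author's judgement, not statements from the man page or the Docker project."""
import json

_HOST_NS = ("PidMode", "IpcMode", "NetworkMode", "UTSMode", "UsernsMode")
_RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Namespaced sysctls the page lists as allowed for the IPC namespace.
_IPC_SYSCTLS = {"kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
                "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced"}
_SENSITIVE_BINDS = ("/var/run/docker.sock", "/run/docker.sock", "/etc", "/proc", "/sys", "/dev", "/root")


def _sensitive(src):
    src = src.rstrip("/") or "/"
    return src == "/" or any(src == p or src.startswith(p + "/") for p in _SENSITIVE_BINDS)


def audit_host_config(hc):
    """Return a list of finding codes for one HostConfig dict (empty = nothing to flag)."""
    f = []
    if hc.get("Privileged"):
        f.append("privileged")
    for key in _HOST_NS:                      # host namespaces the page calls insecure
        if hc.get(key) == "host":
            f.append("%s:host" % key)
    for cap in hc.get("CapAdd") or []:
        cap = cap.upper().replace("CAP_", "", 1)
        if cap in _RISKY_CAPS:
            f.append("cap-add:%s" % cap)
    # --security-opt may be spelled key:value or key=value; normalise to the colon form.
    opts = [o.replace("=", ":", 1) for o in hc.get("SecurityOpt") or []]
    if "seccomp:unconfined" in opts:
        f.append("seccomp:unconfined")
    if "label:disable" in opts:
        f.append("label:disable")
    if "no-new-privileges" not in opts:
        f.append("no-new-privileges:missing")
    if not hc.get("ReadonlyRootfs"):
        f.append("rootfs:writable")
    if (hc.get("PidsLimit") or 0) <= 0:       # 0 = unset, -1 = explicitly unlimited
        f.append("pids-limit:unlimited")
    for name in hc.get("Sysctls") or {}:      # rules from the --sysctl section above
        ipc = name in _IPC_SYSCTLS or name.startswith("fs.mqueue.")
        net = name.startswith("net.")
        if (ipc and hc.get("IpcMode") == "host") or (net and hc.get("NetworkMode") == "host"):
            f.append("sysctl-conflict:%s" % name)
        elif not (ipc or net):
            f.append("sysctl-not-namespaced:%s" % name)
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src.startswith("/") and _sensitive(src):   # named volumes are not host paths
            f.append("bind:%s" % src)
    return f


def audit_inspect(text):
    """Map container name -> findings for a `docker inspect <id>...` JSON document."""
    return {c["Name"].lstrip("/"): audit_host_config(c["HostConfig"]) for c in json.loads(text)}


# Constructed sample (not real inspect output): one hardened and one sloppy container.
SAMPLE = json.dumps([
    {"Name": "/hardened", "HostConfig": {
        "Privileged": False, "PidMode": "", "IpcMode": "", "NetworkMode": "bridge",
        "UTSMode": "", "UsernsMode": "", "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges", "seccomp:/etc/docker/app.json"],
        "ReadonlyRootfs": True, "PidsLimit": 256,
        "Sysctls": {"net.core.somaxconn": "1024"}, "Binds": ["app-data:/data:ro"]}},
    {"Name": "/sloppy", "HostConfig": {
        "Privileged": True, "PidMode": "host", "IpcMode": "host", "NetworkMode": "host",
        "UTSMode": "", "UsernsMode": "host", "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
        "SecurityOpt": ["seccomp=unconfined", "label:disable"],
        "ReadonlyRootfs": False, "PidsLimit": 0,
        "Sysctls": {"net.ipv4.ip_forward": "1", "kernel.shmmax": "1048576", "kernel.panic": "10"},
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host"]}},
])

if __name__ == "__main__":
    for name, findings in audit_inspect(SAMPLE).items():
        print(name, "->", ", ".join(findings) or "clean")
```

On a real host, pipe `docker inspect $(docker ps -aq)` into `audit_inspect`; an empty list for a container means none of the settings this page warns about were found, not that the container is safe.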
**--tmpfs**=[]
   Create a tmpfs mount

   Mount a temporary filesystem (`tmpfs`) mount into a container, for example:

       $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image

   This command mounts a `tmpfs` at `/tmp` within the container. The supported mount
   options are the same as the Linux default `mount` flags. If you do not specify
   any options, the system uses the following options:
   `rw,noexec,nosuid,nodev,size=65536k`.

**-u**, **--user**=""
   Username or UID

**--ulimit**=[]
   Ulimit options

**--uts**=*host*
   Set the UTS mode for the container
   **host**: use the host's UTS namespace inside the container.
   Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.

**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
   Create a bind mount or a volume. If you specify ` -v /HOST-DIR:/CONTAINER-DIR`, Docker
   bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker
   container. If 'HOST-DIR' is omitted, Docker automatically creates the new
   volume on the host. The `OPTIONS` are a comma delimited list and can be:

   * [rw|ro]
   * [z|Z]
   * [`[r]shared`|`[r]slave`|`[r]private`]

   The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`
   can be an absolute path or a `name` value. A `name` value must start with an
   alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or
   `-` (hyphen). An absolute path starts with a `/` (forward slash).

   If you supply a `HOST-DIR` that is an absolute path, Docker bind-mounts to the
   path you specify. If you supply a `name`, Docker creates a named volume by that
   `name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`
   value. If you supply the `/foo` value, Docker creates a bind-mount. If you
   supply the `foo` specification, Docker creates a named volume. A bind mount
   gives the container direct access to that host path, so bind-mounting
   paths such as `/` or `/var/run/docker.sock` hands the container control of the host.
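The **-v** syntax above packs three decisions into one string: whether the first field is a host path, a volume name or absent; whether the container directory is absolute; and which of the option groups (access mode, SELinux label, propagation, `nocopy`) appear, each at most once. The Python below is an added example, not code from this man page or from Docker's volume package, that parses a spec exactly as the page describes it, rejects the forms Docker refuses, and warns about bind mounts of host paths that amount to handing over the host. The list of sensitive host paths is this example's own judgement; the name pattern allows upper-case letters, which the page's `a-z0-9` wording does not spell out.

```python
"""Parse the -v/--volume spec [[HOST-DIR:]CONTAINER-DIR[:OPTIONS]] as the man page
describes it, and warn about bind mounts that hand the container control of the
host.  Added example; not code from the man page or from Docker's volume package.
The sensitive-path list is the author's judgement."""
import re

_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")     # a `name` value, never a path
_GROUPS = {"rw": "access", "ro": "access", "z": "label", "Z": "label",
           "shared": "propagation", "rshared": "propagation", "slave": "propagation",
           "rslave": "propagation", "private": "propagation", "rprivate": "propagation",
           "nocopy": "copy"}
_SENSITIVE = ("/etc", "/proc", "/sys", "/dev", "/root", "/var/run/docker.sock", "/run/docker.sock")


def _parse_options(text, spec):
    """Comma-separated OPTIONS -> dict; at most one option from each group."""
    opts = {"rw": True, "label": None, "propagation": None, "nocopy": False}
    seen = set()
    for opt in text.split(",") if text else []:
        group = _GROUPS.get(opt)
        if group is None:
            raise ValueError("invalid option %r in %r" % (opt, spec))
        if group in seen:
            raise ValueError("conflicting %s options in %r" % (group, spec))
        seen.add(group)
        if group == "access":
            opts["rw"] = opt == "rw"
        elif group == "label":
            opts["label"] = opt
        elif group == "propagation":
            opts["propagation"] = opt
        else:
            opts["nocopy"] = True
    return opts


def _is_options(text):
    try:
        _parse_options(text, text)
        return bool(text)
    except ValueError:
        return False


def parse_volume(spec):
    """Return {'kind': anonymous|named|bind, 'source', 'destination', 'rw', 'label',
    'propagation', 'nocopy', 'warnings'} or raise ValueError for a spec Docker rejects."""
    parts = spec.split(":")
    if len(parts) == 1:
        source, dest, mode = None, parts[0], ""
    elif len(parts) == 2:
        if _is_options(parts[1]):            # "/foo:ro" carries options but no host dir
            raise ValueError("options without HOST-DIR in %r" % spec)
        source, dest, mode = parts[0], parts[1], ""
    elif len(parts) == 3:
        source, dest, mode = parts
    else:
        raise ValueError("too many fields in %r" % spec)
    if not dest.startswith("/"):
        raise ValueError("CONTAINER-DIR must be an absolute path: %r" % spec)
    opts = _parse_options(mode, spec)
    if source is None:
        kind = "anonymous"
    elif source.startswith("/"):
        kind = "bind"
    elif _NAME.match(source):
        kind = "named"
    else:
        raise ValueError("HOST-DIR %r is neither an absolute path nor a volume name" % source)
    if opts["propagation"] and kind != "bind":
        raise ValueError("propagation flags apply to bind mounts only: %r" % spec)
    warnings = []
    if kind == "bind":
        src = source.rstrip("/") or "/"
        if src == "/" or any(src == p or src.startswith(p + "/") for p in _SENSITIVE):
            warnings.append("%s bind mount of sensitive host path %s"
                            % ("writable" if opts["rw"] else "read-only", src))
        if opts["propagation"] in ("shared", "rshared"):
            warnings.append("mounts made inside the container will propagate to the host")
    return dict(kind=kind, source=source, destination=dest, warnings=warnings, **opts)
```

Use it as a pre-flight check on every `-v` argument: a `ValueError` is a spec the daemon would reject anyway, and a non-empty `warnings` list is the case that deserves a second look before the container is created.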
   You can specify multiple **-v** options to mount one or more mounts to a
   container. To use these same mounts in other containers, specify the
   **--volumes-from** option also.

   You can add a `:ro` or `:rw` suffix to a volume to mount it in read-only or
   read-write mode, respectively. By default, the volumes are mounted read-write.
   See examples.

   Labeling systems like SELinux require that proper labels are placed on volume
   content mounted into a container. Without a label, the security system might
   prevent the processes running inside the container from using the content. By
   default, Docker does not change the labels set by the OS.

   To change a label in the container context, you can add either of two suffixes
   `:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
   objects on the shared volumes. The `z` option tells Docker that two containers
   share the volume content. As a result, Docker labels the content with a shared
   content label. Shared volume labels allow all containers to read/write content.
   The `Z` option tells Docker to label the content with a private unshared label.
   Only the current container can use a private volume. Relabeling is recursive
   and changes the labels of the host files themselves, so do not use `z` or `Z`
   on system directories such as `/home` or `/etc`.

   By default bind mounted volumes are `private`. That means any mounts done
   inside the container will not be visible on the host and vice versa. One can change
   this behavior by specifying a volume mount propagation property. Making a
   volume `shared`, mounts done under that volume inside the container will be
   visible on the host and vice versa. Making a volume `slave` enables only one
   way mount propagation: mounts done on the host under that volume
   will be visible inside the container but not the other way around.

   To control the mount propagation property of a volume one can use the `:[r]shared`,
   `:[r]slave` or `:[r]private` propagation flag. The propagation property can
   be specified only for bind mounted volumes and not for internal volumes or
   named volumes. For mount propagation to work the source mount point (the mount point
   where the source dir is mounted) has to have the right propagation properties. For
   shared volumes, the source mount point has to be shared. And for slave volumes,
   the source mount has to be either shared or slave.

   Use `df <source-dir>` to figure out the source mount and then use
   `findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out the propagation
   properties of the source mount. If the `findmnt` utility is not available, then one
   can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look
   at the `optional fields` and see if any propagation properties are specified.
   `shared:X` means the mount is `shared`, `master:X` means the mount is `slave` and if
   nothing is there that means the mount is `private`.

   To change the propagation properties of a mount point use the `mount` command. For
   example, if one wants to bind mount source directory `/foo` one can do
   `mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
   will convert /foo into a `shared` mount point. Alternatively one can directly
   change the propagation properties of the source mount. Say `/` is the source mount for
   `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.

> **Note**:
> When using systemd to manage the Docker daemon's start and stop, in the systemd
> unit file there is an option to control mount propagation for the Docker daemon
> itself, called `MountFlags`. The value of this setting may cause Docker to not
> see mount propagation changes made on the mount point. For example, if this value
> is `slave`, you may not be able to use the `shared` or `rshared` propagation on
> a volume.

   To disable automatic copying of data from the container path to the volume, use
   the `nocopy` flag. The `nocopy` flag can be set on bind mounts and named volumes.

**--volume-driver**=""
   Container's volume driver. This driver creates volumes specified either from
   a Dockerfile's `VOLUME` instruction or from the `docker run -v` flag.
   See **docker-volume-create(1)** for full details.

**--volumes-from**=[]
   Mount volumes from the specified container(s)

**-w**, **--workdir**=""
   Working directory inside the container

# EXAMPLES

## Specify isolation technology for container (--isolation)

This option is useful in situations where you are running Docker containers on
Windows. The `--isolation=<value>` option sets a container's isolation
technology. On Linux, the only supported value is `default`, which uses
Linux namespaces. On Microsoft Windows, you can specify these values:

* `default`: Use the value specified by the Docker daemon's `--exec-opt`. If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
* `process`: Namespace isolation only.
* `hyperv`: Hyper-V hypervisor partition-based isolation.

Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.

# HISTORY
August 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
September 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
November 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>