github.com/eikeon/docker@v1.5.0-rc4/docs/man/docker-run.1.md (about) 1 % DOCKER(1) Docker User Manuals 2 % Docker Community 3 % JUNE 2014 4 # NAME 5 docker-run - Run a command in a new container 6 7 # SYNOPSIS 8 **docker run** 9 [**-a**|**--attach**[=*[]*]] 10 [**--add-host**[=*[]*]] 11 [**-c**|**--cpu-shares**[=*0*]] 12 [**--cap-add**[=*[]*]] 13 [**--cap-drop**[=*[]*]] 14 [**--cidfile**[=*CIDFILE*]] 15 [**--cpuset**[=*CPUSET*]] 16 [**-d**|**--detach**[=*false*]] 17 [**--device**[=*[]*]] 18 [**--dns-search**[=*[]*]] 19 [**--dns**[=*[]*]] 20 [**-e**|**--env**[=*[]*]] 21 [**--entrypoint**[=*ENTRYPOINT*]] 22 [**--env-file**[=*[]*]] 23 [**--expose**[=*[]*]] 24 [**-h**|**--hostname**[=*HOSTNAME*]] 25 [**--help**] 26 [**-i**|**--interactive**[=*false*]] 27 [**--ipc**[=*IPC*]] 28 [**--link**[=*[]*]] 29 [**--lxc-conf**[=*[]*]] 30 [**-m**|**--memory**[=*MEMORY*]] 31 [**--memory-swap**[=*MEMORY-SWAP]] 32 [**--mac-address**[=*MAC-ADDRESS*]] 33 [**--name**[=*NAME*]] 34 [**--net**[=*"bridge"*]] 35 [**-P**|**--publish-all**[=*false*]] 36 [**-p**|**--publish**[=*[]*]] 37 [**--pid**[=*[]*]] 38 [**--privileged**[=*false*]] 39 [**--read-only**[=*false*]] 40 [**--restart**[=*RESTART*]] 41 [**--rm**[=*false*]] 42 [**--security-opt**[=*[]*]] 43 [**--sig-proxy**[=*true*]] 44 [**-t**|**--tty**[=*false*]] 45 [**-u**|**--user**[=*USER*]] 46 [**-v**|**--volume**[=*[]*]] 47 [**--volumes-from**[=*[]*]] 48 [**-w**|**--workdir**[=*WORKDIR*]] 49 IMAGE [COMMAND] [ARG...] 50 51 # DESCRIPTION 52 53 Run a process in a new container. **docker run** starts a process with its own 54 file system, its own networking, and its own isolated process tree. The IMAGE 55 which starts the process may define defaults related to the process that will be 56 run in the container, the networking to expose, and more, but **docker run** 57 gives final control to the operator or administrator who starts the container 58 from the image. For that reason **docker run** has more options than any other 59 Docker command. 60 61 If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and 62 all image dependencies, from the repository in the same way running **docker 63 pull** IMAGE, before it starts the container from that image. 64 65 # OPTIONS 66 **-a**, **--attach**=[] 67 Attach to STDIN, STDOUT or STDERR. 68 69 In foreground mode (the default when **-d** 70 is not specified), **docker run** can start the process in the container 71 and attach the console to the process’s standard input, output, and standard 72 error. It can even pretend to be a TTY (this is what most commandline 73 executables expect) and pass along signals. The **-a** option can be set for 74 each of stdin, stdout, and stderr. 75 76 **--add-host**=[] 77 Add a custom host-to-IP mapping (host:ip) 78 79 Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** 80 option can be set multiple times. 81 82 **-c**, **--cpu-shares**=0 83 CPU shares (relative weight) 84 85 You can increase the priority of a container 86 with the -c option. By default, all containers run at the same priority and get 87 the same proportion of CPU cycles, but you can tell the kernel to give more 88 shares of CPU time to one or more containers when you start them via **docker 89 run**. 90 91 **--cap-add**=[] 92 Add Linux capabilities 93 94 **--cap-drop**=[] 95 Drop Linux capabilities 96 97 **--cidfile**="" 98 Write the container ID to the file 99 100 **--cpuset**="" 101 CPUs in which to allow execution (0-3, 0,1) 102 103 **-d**, **--detach**=*true*|*false* 104 Detached mode: run the container in the background and print the new container ID. The default is *false*. 105 106 At any time you can run **docker ps** in 107 the other shell to view a list of the running containers. You can reattach to a 108 detached container with **docker attach**. If you choose to run a container in 109 the detached mode, then you cannot use the **-rm** option. 110 111 When attached in the tty mode, you can detach from a running container without 112 stopping the process by pressing the keys CTRL-P CTRL-Q. 113 114 **--device**=[] 115 Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm) 116 117 **--dns-search**=[] 118 Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) 119 120 **--dns**=[] 121 Set custom DNS servers 122 123 This option can be used to override the DNS 124 configuration passed to the container. Typically this is necessary when the 125 host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this 126 is the case the **--dns** flags is necessary for every run. 127 128 **-e**, **--env**=[] 129 Set environment variables 130 131 This option allows you to specify arbitrary 132 environment variables that are available for the process that will be launched 133 inside of the container. 134 135 **--entrypoint**="" 136 Overwrite the default ENTRYPOINT of the image 137 138 This option allows you to overwrite the default entrypoint of the image that 139 is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND 140 because it specifies what executable to run when the container starts, but it is 141 (purposely) more difficult to override. The ENTRYPOINT gives a container its 142 default nature or behavior, so that when you set an ENTRYPOINT you can run the 143 container as if it were that binary, complete with default options, and you can 144 pass in more options via the COMMAND. But, sometimes an operator may want to run 145 something else inside the container, so you can override the default ENTRYPOINT 146 at runtime by using a **--entrypoint** and a string to specify the new 147 ENTRYPOINT. 148 149 **--env-file**=[] 150 Read in a line delimited file of environment variables 151 152 **--expose**=[] 153 Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host 154 155 **-h**, **--hostname**="" 156 Container host name 157 158 Sets the container host name that is available inside the container. 159 160 **--help** 161 Print usage statement 162 163 **-i**, **--interactive**=*true*|*false* 164 Keep STDIN open even if not attached. The default is *false*. 165 166 When set to true, keep stdin open even if not attached. The default is false. 167 168 **--ipc**="" 169 Default is to create a private IPC namespace (POSIX SysV IPC) for the container 170 'container:<name|id>': reuses another container shared memory, semaphores and message queues 171 'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. 172 173 **--link**=[] 174 Add link to another container in the form of <name or id>:alias 175 176 If the operator 177 uses **--link** when starting the new client container, then the client 178 container can access the exposed port via a private networking interface. Docker 179 will set some environment variables in the client container to help indicate 180 which interface and port to use. 181 182 **--lxc-conf**=[] 183 (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" 184 185 **-m**, **--memory**="" 186 Memory limit (format: <number><optional unit>, where unit = b, k, m or g) 187 188 Allows you to constrain the memory available to a container. If the host 189 supports swap memory, then the -m memory setting can be larger than physical 190 RAM. If a limit of 0 is specified, the container's memory is not limited. The 191 actual limit may be rounded up to a multiple of the operating system's page 192 size, if it is not already. The memory limit should be formatted as follows: 193 `<number><optional unit>`, where unit = b, k, m or g. 194 195 **--memory-swap**="" 196 Total memory usage (memory + swap) 197 198 Set '-1' to disable swap (format: <number><optional unit>, where unit = b, k, m or g) 199 200 **--mac-address**="" 201 Container MAC address (e.g. 92:d0:c6:0a:29:33) 202 203 Remember that the MAC address in an Ethernet network must be unique. 204 The IPv6 link-local address will be based on the device's MAC address 205 according to RFC4862. 206 207 **--name**="" 208 Assign a name to the container 209 210 The operator can identify a container in three ways: 211 UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) 212 UUID short identifier (“f78375b1c487”) 213 Name (“jonah”) 214 215 The UUID identifiers come from the Docker daemon, and if a name is not assigned 216 to the container with **--name** then the daemon will also generate a random 217 string name. The name is useful when defining links (see **--link**) (or any 218 other place you need to identify a container). This works for both background 219 and foreground Docker containers. 220 221 **--net**="bridge" 222 Set the Network mode for the container 223 'bridge': creates a new network stack for the container on the docker bridge 224 'none': no networking for this container 225 'container:<name|id>': reuses another container network stack 226 'host': use the host network stack inside the container. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. 227 228 **-P**, **--publish-all**=*true*|*false* 229 Publish all exposed ports to random ports on the host interfaces. The default is *false*. 230 231 When set to true publish all exposed ports to the host interfaces. The 232 default is false. If the operator uses -P (or -p) then Docker will make the 233 exposed port accessible on the host and the ports will be available to any 234 client that can reach the host. When using -P, Docker will bind the exposed 235 ports to a random port on the host between 49153 and 65535. To find the 236 mapping between the host ports and the exposed ports, use **docker port**. 237 238 **-p**, **--publish**=[] 239 Publish a container's port, or range of ports, to the host. 240 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort 241 Both hostPort and containerPort can be specified as a range of ports. 242 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`) 243 (use 'docker port' to see the actual mapping) 244 245 **--pid**=host 246 Set the PID mode for the container 247 **host**: use the host's PID namespace inside the container. 248 Note: the host mode gives the container full access to local PID and is therefore considered insecure. 249 250 **--privileged**=*true*|*false* 251 Give extended privileges to this container. The default is *false*. 252 253 By default, Docker containers are 254 “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the 255 Docker container. This is because by default a container is not allowed to 256 access any devices. A “privileged” container is given access to all devices. 257 258 When the operator executes **docker run --privileged**, Docker will enable access 259 to all devices on the host as well as set some configuration in AppArmor to 260 allow the container nearly all the same access to the host as processes running 261 outside of a container on the host. 262 263 **--read-only**=*true*|*false* 264 Mount the container's root filesystem as read only. 265 266 By default a container will have its root filesystem writable allowing processes 267 to write files anywhere. By specifying the `--read-only` flag the container will have 268 its root filesystem mounted as read only prohibiting any writes. 269 270 **--restart**="" 271 Restart policy to apply when a container exits (no, on-failure[:max-retry], always) 272 273 **--rm**=*true*|*false* 274 Automatically remove the container when it exits (incompatible with -d). The default is *false*. 275 276 **--security-opt**=[] 277 Security Options 278 279 "label:user:USER" : Set the label user for the container 280 "label:role:ROLE" : Set the label role for the container 281 "label:type:TYPE" : Set the label type for the container 282 "label:level:LEVEL" : Set the label level for the container 283 "label:disable" : Turn off label confinement for the container 284 285 **--sig-proxy**=*true*|*false* 286 Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. 287 288 **-t**, **--tty**=*true*|*false* 289 Allocate a pseudo-TTY. The default is *false*. 290 291 When set to true Docker can allocate a pseudo-tty and attach to the standard 292 input of any container. This can be used, for example, to run a throwaway 293 interactive shell. The default is value is false. 294 295 The **-t** option is incompatible with a redirection of the docker client 296 standard input. 297 298 **-u**, **--user**="" 299 Username or UID 300 301 **-v**, **--volume**=[] 302 Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container) 303 304 The **-v** option can be used one or 305 more times to add one or more mounts to a container. These mounts can then be 306 used in other containers using the **--volumes-from** option. 307 308 The volume may be optionally suffixed with :ro or :rw to mount the volumes in 309 read-only or read-write mode, respectively. By default, the volumes are mounted 310 read-write. See examples. 311 312 **--volumes-from**=[] 313 Mount volumes from the specified container(s) 314 315 Will mount volumes from the specified container identified by container-id. 316 Once a volume is mounted in a one container it can be shared with other 317 containers using the **--volumes-from** option when running those other 318 containers. The volumes can be shared even if the original container with the 319 mount is not running. 320 321 The container ID may be optionally suffixed with :ro or 322 :rw to mount the volumes in read-only or read-write mode, respectively. By 323 default, the volumes are mounted in the same mode (read write or read only) as 324 the reference container. 325 326 **-w**, **--workdir**="" 327 Working directory inside the container 328 329 The default working directory for 330 running binaries within a container is the root directory (/). The developer can 331 set a different default with the Dockerfile WORKDIR instruction. The operator 332 can override the working directory by using the **-w** option. 333 334 # EXAMPLES 335 336 ## Exposing log messages from the container to the host's log 337 338 If you want messages that are logged in your container to show up in the host's 339 syslog/journal then you should bind mount the /dev/log directory as follows. 340 341 # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash 342 343 From inside the container you can test this by sending a message to the log. 344 345 (bash)# logger "Hello from my container" 346 347 Then exit and check the journal. 348 349 # exit 350 351 # journalctl -b | grep Hello 352 353 This should list the message sent to logger. 354 355 ## Attaching to one or more from STDIN, STDOUT, STDERR 356 357 If you do not specify -a then Docker will attach everything (stdin,stdout,stderr) 358 . You can specify to which of the three standard streams (stdin, stdout, stderr) 359 you’d like to connect instead, as in: 360 361 # docker run -a stdin -a stdout -i -t fedora /bin/bash 362 363 ## Sharing IPC between containers 364 365 Using shm_server.c available here: http://www.cs.cf.ac.uk/Dave/C/node27.html 366 367 Testing `--ipc=host` mode: 368 369 Host shows a shared memory segment with 7 pids attached, happens to be from httpd: 370 371 ``` 372 $ sudo ipcs -m 373 374 ------ Shared Memory Segments -------- 375 key shmid owner perms bytes nattch status 376 0x01128e25 0 root 600 1000 7 377 ``` 378 379 Now run a regular container, and it correctly does NOT see the shared memory segment from the host: 380 381 ``` 382 $ sudo docker run -it shm ipcs -m 383 384 ------ Shared Memory Segments -------- 385 key shmid owner perms bytes nattch status 386 ``` 387 388 Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd: 389 390 ``` 391 $ sudo docker run -it --ipc=host shm ipcs -m 392 393 ------ Shared Memory Segments -------- 394 key shmid owner perms bytes nattch status 395 0x01128e25 0 root 600 1000 7 396 ``` 397 Testing `--ipc=container:CONTAINERID` mode: 398 399 Start a container with a program to create a shared memory segment: 400 ``` 401 sudo docker run -it shm bash 402 $ sudo shm/shm_server & 403 $ sudo ipcs -m 404 405 ------ Shared Memory Segments -------- 406 key shmid owner perms bytes nattch status 407 0x0000162e 0 root 666 27 1 408 ``` 409 Create a 2nd container correctly shows no shared memory segment from 1st container: 410 ``` 411 $ sudo docker run shm ipcs -m 412 413 ------ Shared Memory Segments -------- 414 key shmid owner perms bytes nattch status 415 ``` 416 417 Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first: 418 419 ``` 420 $ sudo docker run -it --ipc=container:ed735b2264ac shm ipcs -m 421 $ sudo ipcs -m 422 423 ------ Shared Memory Segments -------- 424 key shmid owner perms bytes nattch status 425 0x0000162e 0 root 666 27 1 426 ``` 427 428 ## Linking Containers 429 430 The link feature allows multiple containers to communicate with each other. For 431 example, a container whose Dockerfile has exposed port 80 can be run and named 432 as follows: 433 434 # docker run --name=link-test -d -i -t fedora/httpd 435 436 A second container, in this case called linker, can communicate with the httpd 437 container, named link-test, by running with the **--link=<name>:<alias>** 438 439 # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash 440 441 Now the container linker is linked to container link-test with the alias lt. 442 Running the **env** command in the linker container shows environment variables 443 with the LT (alias) context (**LT_**) 444 445 # env 446 HOSTNAME=668231cb0978 447 TERM=xterm 448 LT_PORT_80_TCP=tcp://172.17.0.3:80 449 LT_PORT_80_TCP_PORT=80 450 LT_PORT_80_TCP_PROTO=tcp 451 LT_PORT=tcp://172.17.0.3:80 452 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 453 PWD=/ 454 LT_NAME=/linker/lt 455 SHLVL=1 456 HOME=/ 457 LT_PORT_80_TCP_ADDR=172.17.0.3 458 _=/usr/bin/env 459 460 When linking two containers Docker will use the exposed ports of the container 461 to create a secure tunnel for the parent to access. 462 463 464 ## Mapping Ports for External Usage 465 466 The exposed port of an application can be mapped to a host port using the **-p** 467 flag. For example, a httpd port 80 can be mapped to the host port 8080 using the 468 following: 469 470 # docker run -p 8080:80 -d -i -t fedora/httpd 471 472 ## Creating and Mounting a Data Volume Container 473 474 Many applications require the sharing of persistent data across several 475 containers. Docker allows you to create a Data Volume Container that other 476 containers can mount from. For example, create a named container that contains 477 directories /var/volume1 and /tmp/volume2. The image will need to contain these 478 directories so a couple of RUN mkdir instructions might be required for you 479 fedora-data image: 480 481 # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true 482 # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash 483 484 Multiple --volumes-from parameters will bring together multiple data volumes from 485 multiple containers. And it's possible to mount the volumes that came from the 486 DATA container in yet another container via the fedora-container1 intermediary 487 container, allowing to abstract the actual data source from users of that data: 488 489 # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash 490 491 ## Mounting External Volumes 492 493 To mount a host directory as a container volume, specify the absolute path to 494 the directory and the absolute path for the container directory separated by a 495 colon: 496 497 # docker run -v /var/db:/data1 -i -t fedora bash 498 499 When using SELinux, be aware that the host has no knowledge of container SELinux 500 policy. Therefore, in the above example, if SELinux policy is enforced, the 501 `/var/db` directory is not writable to the container. A "Permission Denied" 502 message will occur and an avc: message in the host's syslog. 503 504 505 To work around this, at time of writing this man page, the following command 506 needs to be run in order for the proper SELinux policy type label to be attached 507 to the host directory: 508 509 # chcon -Rt svirt_sandbox_file_t /var/db 510 511 512 Now, writing to the /data1 volume in the container will be allowed and the 513 changes will also be reflected on the host in /var/db. 514 515 ## Using alternative security labeling 516 517 You can override the default labeling scheme for each container by specifying 518 the `--security-opt` flag. For example, you can specify the MCS/MLS level, a 519 requirement for MLS systems. Specifying the level in the following command 520 allows you to share the same content between containers. 521 522 # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash 523 524 An MLS example might be: 525 526 # docker run --security-opt label:level:TopSecret -i -t rhel7 bash 527 528 To disable the security labeling for this container versus running with the 529 `--permissive` flag, use the following command: 530 531 # docker run --security-opt label:disable -i -t fedora bash 532 533 If you want a tighter security policy on the processes within a container, 534 you can specify an alternate type for the container. You could run a container 535 that is only allowed to listen on Apache ports by executing the following 536 command: 537 538 # docker run --security-opt label:type:svirt_apache_t -i -t centos bash 539 540 Note: 541 542 You would have to write policy defining a `svirt_apache_t` type. 543 544 # HISTORY 545 April 2014, Originally compiled by William Henry (whenry at redhat dot com) 546 based on docker.com source material and internal work. 547 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au> 548 July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>