github.com/fcwu/docker@v1.4.2-0.20150115145920-2a69ca89f0df/docs/man/docker-run.1.md (about) 1 % DOCKER(1) Docker User Manuals 2 % Docker Community 3 % JUNE 2014 4 # NAME 5 docker-run - Run a command in a new container 6 7 # SYNOPSIS 8 **docker run** 9 [**-a**|**--attach**[=*[]*]] 10 [**--add-host**[=*[]*]] 11 [**-c**|**--cpu-shares**[=*0*]] 12 [**--cap-add**[=*[]*]] 13 [**--cap-drop**[=*[]*]] 14 [**--cidfile**[=*CIDFILE*]] 15 [**--cpuset**[=*CPUSET*]] 16 [**-d**|**--detach**[=*false*]] 17 [**--device**[=*[]*]] 18 [**--dns-search**[=*[]*]] 19 [**--dns**[=*[]*]] 20 [**-e**|**--env**[=*[]*]] 21 [**--entrypoint**[=*ENTRYPOINT*]] 22 [**--env-file**[=*[]*]] 23 [**--expose**[=*[]*]] 24 [**-h**|**--hostname**[=*HOSTNAME*]] 25 [**--help**] 26 [**-i**|**--interactive**[=*false*]] 27 [**--ipc**[=*IPC*]] 28 [**--link**[=*[]*]] 29 [**--lxc-conf**[=*[]*]] 30 [**-m**|**--memory**[=*MEMORY*]] 31 [**--mac-address**[=*MAC-ADDRESS*]] 32 [**--name**[=*NAME*]] 33 [**--net**[=*"bridge"*]] 34 [**-P**|**--publish-all**[=*false*]] 35 [**-p**|**--publish**[=*[]*]] 36 [**--privileged**[=*false*]] 37 [**--restart**[=*RESTART*]] 38 [**--rm**[=*false*]] 39 [**--security-opt**[=*[]*]] 40 [**--sig-proxy**[=*true*]] 41 [**-t**|**--tty**[=*false*]] 42 [**-u**|**--user**[=*USER*]] 43 [**-v**|**--volume**[=*[]*]] 44 [**--volumes-from**[=*[]*]] 45 [**-w**|**--workdir**[=*WORKDIR*]] 46 IMAGE [COMMAND] [ARG...] 47 48 # DESCRIPTION 49 50 Run a process in a new container. **docker run** starts a process with its own 51 file system, its own networking, and its own isolated process tree. The IMAGE 52 which starts the process may define defaults related to the process that will be 53 run in the container, the networking to expose, and more, but **docker run** 54 gives final control to the operator or administrator who starts the container 55 from the image. For that reason **docker run** has more options than any other 56 Docker command. 57 58 If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and 59 all image dependencies, from the repository in the same way running **docker 60 pull** IMAGE, before it starts the container from that image. 61 62 # OPTIONS 63 **-a**, **--attach**=[] 64 Attach to STDIN, STDOUT or STDERR. 65 66 In foreground mode (the default when **-d** 67 is not specified), **docker run** can start the process in the container 68 and attach the console to the process’s standard input, output, and standard 69 error. It can even pretend to be a TTY (this is what most commandline 70 executables expect) and pass along signals. The **-a** option can be set for 71 each of stdin, stdout, and stderr. 72 73 **--add-host**=[] 74 Add a custom host-to-IP mapping (host:ip) 75 76 Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** 77 option can be set multiple times. 78 79 **-c**, **--cpu-shares**=0 80 CPU shares (relative weight) 81 82 You can increase the priority of a container 83 with the -c option. By default, all containers run at the same priority and get 84 the same proportion of CPU cycles, but you can tell the kernel to give more 85 shares of CPU time to one or more containers when you start them via **docker 86 run**. 87 88 **--cap-add**=[] 89 Add Linux capabilities 90 91 **--cap-drop**=[] 92 Drop Linux capabilities 93 94 **--cidfile**="" 95 Write the container ID to the file 96 97 **--cpuset**="" 98 CPUs in which to allow execution (0-3, 0,1) 99 100 **-d**, **--detach**=*true*|*false* 101 Detached mode: run the container in the background and print the new container ID. The default is *false*. 102 103 At any time you can run **docker ps** in 104 the other shell to view a list of the running containers. You can reattach to a 105 detached container with **docker attach**. If you choose to run a container in 106 the detached mode, then you cannot use the **-rm** option. 107 108 When attached in the tty mode, you can detach from a running container without 109 stopping the process by pressing the keys CTRL-P CTRL-Q. 110 111 **--device**=[] 112 Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm) 113 114 **--dns-search**=[] 115 Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) 116 117 **--dns**=[] 118 Set custom DNS servers 119 120 This option can be used to override the DNS 121 configuration passed to the container. Typically this is necessary when the 122 host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this 123 is the case the **--dns** flags is necessary for every run. 124 125 **-e**, **--env**=[] 126 Set environment variables 127 128 This option allows you to specify arbitrary 129 environment variables that are available for the process that will be launched 130 inside of the container. 131 132 **--entrypoint**="" 133 Overwrite the default ENTRYPOINT of the image 134 135 This option allows you to overwrite the default entrypoint of the image that 136 is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND 137 because it specifies what executable to run when the container starts, but it is 138 (purposely) more difficult to override. The ENTRYPOINT gives a container its 139 default nature or behavior, so that when you set an ENTRYPOINT you can run the 140 container as if it were that binary, complete with default options, and you can 141 pass in more options via the COMMAND. But, sometimes an operator may want to run 142 something else inside the container, so you can override the default ENTRYPOINT 143 at runtime by using a **--entrypoint** and a string to specify the new 144 ENTRYPOINT. 145 146 **--env-file**=[] 147 Read in a line delimited file of environment variables 148 149 **--expose**=[] 150 Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host 151 152 **-h**, **--hostname**="" 153 Container host name 154 155 Sets the container host name that is available inside the container. 156 157 **--help** 158 Print usage statement 159 160 **-i**, **--interactive**=*true*|*false* 161 Keep STDIN open even if not attached. The default is *false*. 162 163 When set to true, keep stdin open even if not attached. The default is false. 164 165 **--ipc**="" 166 Default is to create a private IPC namespace (POSIX SysV IPC) for the container 167 'container:<name|id>': reuses another container shared memory, semaphores and message queues 168 'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. 169 170 **--link**=[] 171 Add link to another container in the form of name:alias 172 173 If the operator 174 uses **--link** when starting the new client container, then the client 175 container can access the exposed port via a private networking interface. Docker 176 will set some environment variables in the client container to help indicate 177 which interface and port to use. 178 179 **--lxc-conf**=[] 180 (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" 181 182 **-m**, **--memory**="" 183 Memory limit (format: <number><optional unit>, where unit = b, k, m or g) 184 185 Allows you to constrain the memory available to a container. If the host 186 supports swap memory, then the -m memory setting can be larger than physical 187 RAM. If a limit of 0 is specified, the container's memory is not limited. The 188 actual limit may be rounded up to a multiple of the operating system's page 189 size, if it is not already. The memory limit should be formatted as follows: 190 `<number><optional unit>`, where unit = b, k, m or g. 191 192 **--mac-address**="" 193 Container MAC address (e.g. 92:d0:c6:0a:29:33) 194 195 Remember that the MAC address in an Ethernet network must be unique. 196 The IPv6 link-local address will be based on the device's MAC address 197 according to RFC4862. 198 199 **--name**="" 200 Assign a name to the container 201 202 The operator can identify a container in three ways: 203 UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) 204 UUID short identifier (“f78375b1c487”) 205 Name (“jonah”) 206 207 The UUID identifiers come from the Docker daemon, and if a name is not assigned 208 to the container with **--name** then the daemon will also generate a random 209 string name. The name is useful when defining links (see **--link**) (or any 210 other place you need to identify a container). This works for both background 211 and foreground Docker containers. 212 213 **--net**="bridge" 214 Set the Network mode for the container 215 'bridge': creates a new network stack for the container on the docker bridge 216 'none': no networking for this container 217 'container:<name|id>': reuses another container network stack 218 'host': use the host network stack inside the container. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. 219 220 **-P**, **--publish-all**=*true*|*false* 221 Publish all exposed ports to random ports on the host interfaces. The default is *false*. 222 223 When set to true publish all exposed ports to the host interfaces. The 224 default is false. If the operator uses -P (or -p) then Docker will make the 225 exposed port accessible on the host and the ports will be available to any 226 client that can reach the host. When using -P, Docker will bind the exposed 227 ports to a random port on the host between 49153 and 65535. To find the 228 mapping between the host ports and the exposed ports, use **docker port**. 229 230 **-p**, **--publish**=[] 231 Publish a container's port, or range of ports, to the host. 232 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort 233 Both hostPort and containerPort can be specified as a range of ports. 234 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`) 235 (use 'docker port' to see the actual mapping) 236 237 **--privileged**=*true*|*false* 238 Give extended privileges to this container. The default is *false*. 239 240 By default, Docker containers are 241 “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the 242 Docker container. This is because by default a container is not allowed to 243 access any devices. A “privileged” container is given access to all devices. 244 245 When the operator executes **docker run --privileged**, Docker will enable access 246 to all devices on the host as well as set some configuration in AppArmor to 247 allow the container nearly all the same access to the host as processes running 248 outside of a container on the host. 249 250 **--restart**="" 251 Restart policy to apply when a container exits (no, on-failure[:max-retry], always) 252 253 **--rm**=*true*|*false* 254 Automatically remove the container when it exits (incompatible with -d). The default is *false*. 255 256 **--security-opt**=[] 257 Security Options 258 259 "label:user:USER" : Set the label user for the container 260 "label:role:ROLE" : Set the label role for the container 261 "label:type:TYPE" : Set the label type for the container 262 "label:level:LEVEL" : Set the label level for the container 263 "label:disable" : Turn off label confinement for the container 264 265 **--sig-proxy**=*true*|*false* 266 Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. 267 268 **-t**, **--tty**=*true*|*false* 269 Allocate a pseudo-TTY. The default is *false*. 270 271 When set to true Docker can allocate a pseudo-tty and attach to the standard 272 input of any container. This can be used, for example, to run a throwaway 273 interactive shell. The default is value is false. 274 275 The **-t** option is incompatible with a redirection of the docker client 276 standard input. 277 278 **-u**, **--user**="" 279 Username or UID 280 281 **-v**, **--volume**=[] 282 Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container) 283 284 The **-v** option can be used one or 285 more times to add one or more mounts to a container. These mounts can then be 286 used in other containers using the **--volumes-from** option. 287 288 The volume may be optionally suffixed with :ro or :rw to mount the volumes in 289 read-only or read-write mode, respectively. By default, the volumes are mounted 290 read-write. See examples. 291 292 **--volumes-from**=[] 293 Mount volumes from the specified container(s) 294 295 Will mount volumes from the specified container identified by container-id. 296 Once a volume is mounted in a one container it can be shared with other 297 containers using the **--volumes-from** option when running those other 298 containers. The volumes can be shared even if the original container with the 299 mount is not running. 300 301 The container ID may be optionally suffixed with :ro or 302 :rw to mount the volumes in read-only or read-write mode, respectively. By 303 default, the volumes are mounted in the same mode (read write or read only) as 304 the reference container. 305 306 **-w**, **--workdir**="" 307 Working directory inside the container 308 309 The default working directory for 310 running binaries within a container is the root directory (/). The developer can 311 set a different default with the Dockerfile WORKDIR instruction. The operator 312 can override the working directory by using the **-w** option. 313 314 # EXAMPLES 315 316 ## Exposing log messages from the container to the host's log 317 318 If you want messages that are logged in your container to show up in the host's 319 syslog/journal then you should bind mount the /dev/log directory as follows. 320 321 # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash 322 323 From inside the container you can test this by sending a message to the log. 324 325 (bash)# logger "Hello from my container" 326 327 Then exit and check the journal. 328 329 # exit 330 331 # journalctl -b | grep Hello 332 333 This should list the message sent to logger. 334 335 ## Attaching to one or more from STDIN, STDOUT, STDERR 336 337 If you do not specify -a then Docker will attach everything (stdin,stdout,stderr) 338 . You can specify to which of the three standard streams (stdin, stdout, stderr) 339 you’d like to connect instead, as in: 340 341 # docker run -a stdin -a stdout -i -t fedora /bin/bash 342 343 ## Sharing IPC between containers 344 345 Using shm_server.c available here: http://www.cs.cf.ac.uk/Dave/C/node27.html 346 347 Testing `--ipc=host` mode: 348 349 Host shows a shared memory segment with 7 pids attached, happens to be from httpd: 350 351 ``` 352 $ sudo ipcs -m 353 354 ------ Shared Memory Segments -------- 355 key shmid owner perms bytes nattch status 356 0x01128e25 0 root 600 1000 7 357 ``` 358 359 Now run a regular container, and it correctly does NOT see the shared memory segment from the host: 360 361 ``` 362 $ sudo docker run -it shm ipcs -m 363 364 ------ Shared Memory Segments -------- 365 key shmid owner perms bytes nattch status 366 ``` 367 368 Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd: 369 370 ``` 371 $ sudo docker run -it --ipc=host shm ipcs -m 372 373 ------ Shared Memory Segments -------- 374 key shmid owner perms bytes nattch status 375 0x01128e25 0 root 600 1000 7 376 ``` 377 Testing `--ipc=container:CONTAINERID` mode: 378 379 Start a container with a program to create a shared memory segment: 380 ``` 381 sudo docker run -it shm bash 382 $ sudo shm/shm_server & 383 $ sudo ipcs -m 384 385 ------ Shared Memory Segments -------- 386 key shmid owner perms bytes nattch status 387 0x0000162e 0 root 666 27 1 388 ``` 389 Create a 2nd container correctly shows no shared memory segment from 1st container: 390 ``` 391 $ sudo docker run shm ipcs -m 392 393 ------ Shared Memory Segments -------- 394 key shmid owner perms bytes nattch status 395 ``` 396 397 Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first: 398 399 ``` 400 $ sudo docker run -it --ipc=container:ed735b2264ac shm ipcs -m 401 $ sudo ipcs -m 402 403 ------ Shared Memory Segments -------- 404 key shmid owner perms bytes nattch status 405 0x0000162e 0 root 666 27 1 406 ``` 407 408 ## Linking Containers 409 410 The link feature allows multiple containers to communicate with each other. For 411 example, a container whose Dockerfile has exposed port 80 can be run and named 412 as follows: 413 414 # docker run --name=link-test -d -i -t fedora/httpd 415 416 A second container, in this case called linker, can communicate with the httpd 417 container, named link-test, by running with the **--link=<name>:<alias>** 418 419 # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash 420 421 Now the container linker is linked to container link-test with the alias lt. 422 Running the **env** command in the linker container shows environment variables 423 with the LT (alias) context (**LT_**) 424 425 # env 426 HOSTNAME=668231cb0978 427 TERM=xterm 428 LT_PORT_80_TCP=tcp://172.17.0.3:80 429 LT_PORT_80_TCP_PORT=80 430 LT_PORT_80_TCP_PROTO=tcp 431 LT_PORT=tcp://172.17.0.3:80 432 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 433 PWD=/ 434 LT_NAME=/linker/lt 435 SHLVL=1 436 HOME=/ 437 LT_PORT_80_TCP_ADDR=172.17.0.3 438 _=/usr/bin/env 439 440 When linking two containers Docker will use the exposed ports of the container 441 to create a secure tunnel for the parent to access. 442 443 444 ## Mapping Ports for External Usage 445 446 The exposed port of an application can be mapped to a host port using the **-p** 447 flag. For example, a httpd port 80 can be mapped to the host port 8080 using the 448 following: 449 450 # docker run -p 8080:80 -d -i -t fedora/httpd 451 452 ## Creating and Mounting a Data Volume Container 453 454 Many applications require the sharing of persistent data across several 455 containers. Docker allows you to create a Data Volume Container that other 456 containers can mount from. For example, create a named container that contains 457 directories /var/volume1 and /tmp/volume2. The image will need to contain these 458 directories so a couple of RUN mkdir instructions might be required for you 459 fedora-data image: 460 461 # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true 462 # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash 463 464 Multiple --volumes-from parameters will bring together multiple data volumes from 465 multiple containers. And it's possible to mount the volumes that came from the 466 DATA container in yet another container via the fedora-container1 intermediary 467 container, allowing to abstract the actual data source from users of that data: 468 469 # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash 470 471 ## Mounting External Volumes 472 473 To mount a host directory as a container volume, specify the absolute path to 474 the directory and the absolute path for the container directory separated by a 475 colon: 476 477 # docker run -v /var/db:/data1 -i -t fedora bash 478 479 When using SELinux, be aware that the host has no knowledge of container SELinux 480 policy. Therefore, in the above example, if SELinux policy is enforced, the 481 `/var/db` directory is not writable to the container. A "Permission Denied" 482 message will occur and an avc: message in the host's syslog. 483 484 485 To work around this, at time of writing this man page, the following command 486 needs to be run in order for the proper SELinux policy type label to be attached 487 to the host directory: 488 489 # chcon -Rt svirt_sandbox_file_t /var/db 490 491 492 Now, writing to the /data1 volume in the container will be allowed and the 493 changes will also be reflected on the host in /var/db. 494 495 ## Using alternative security labeling 496 497 You can override the default labeling scheme for each container by specifying 498 the `--security-opt` flag. For example, you can specify the MCS/MLS level, a 499 requirement for MLS systems. Specifying the level in the following command 500 allows you to share the same content between containers. 501 502 # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash 503 504 An MLS example might be: 505 506 # docker run --security-opt label:level:TopSecret -i -t rhel7 bash 507 508 To disable the security labeling for this container versus running with the 509 `--permissive` flag, use the following command: 510 511 # docker run --security-opt label:disable -i -t fedora bash 512 513 If you want a tighter security policy on the processes within a container, 514 you can specify an alternate type for the container. You could run a container 515 that is only allowed to listen on Apache ports by executing the following 516 command: 517 518 # docker run --security-opt label:type:svirt_apache_t -i -t centos bash 519 520 Note: 521 522 You would have to write policy defining a `svirt_apache_t` type. 523 524 # HISTORY 525 April 2014, Originally compiled by William Henry (whenry at redhat dot com) 526 based on docker.com source material and internal work. 527 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au> 528 July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>