github.com/feiyang21687/docker@v1.5.0/docs/man/docker-run.1.md (about)

     1  % DOCKER(1) Docker User Manuals
     2  % Docker Community
     3  % JUNE 2014
     4  # NAME
     5  docker-run - Run a command in a new container
     6  
     7  # SYNOPSIS
     8  **docker run**
     9  [**-a**|**--attach**[=*[]*]]
    10  [**--add-host**[=*[]*]]
    11  [**-c**|**--cpu-shares**[=*0*]]
    12  [**--cap-add**[=*[]*]]
    13  [**--cap-drop**[=*[]*]]
    14  [**--cidfile**[=*CIDFILE*]]
    15  [**--cpuset**[=*CPUSET*]]
    16  [**-d**|**--detach**[=*false*]]
    17  [**--device**[=*[]*]]
    18  [**--dns-search**[=*[]*]]
    19  [**--dns**[=*[]*]]
    20  [**-e**|**--env**[=*[]*]]
    21  [**--entrypoint**[=*ENTRYPOINT*]]
    22  [**--env-file**[=*[]*]]
    23  [**--expose**[=*[]*]]
    24  [**-h**|**--hostname**[=*HOSTNAME*]]
    25  [**--help**]
    26  [**-i**|**--interactive**[=*false*]]
    27  [**--ipc**[=*IPC*]]
    28  [**--link**[=*[]*]]
    29  [**--lxc-conf**[=*[]*]]
    30  [**-m**|**--memory**[=*MEMORY*]]
    31  [**--memory-swap**[=*MEMORY-SWAP]]
    32  [**--mac-address**[=*MAC-ADDRESS*]]
    33  [**--name**[=*NAME*]]
    34  [**--net**[=*"bridge"*]]
    35  [**-P**|**--publish-all**[=*false*]]
    36  [**-p**|**--publish**[=*[]*]]
    37  [**--pid**[=*[]*]]
    38  [**--privileged**[=*false*]]
    39  [**--read-only**[=*false*]]
    40  [**--restart**[=*RESTART*]]
    41  [**--rm**[=*false*]]
    42  [**--security-opt**[=*[]*]]
    43  [**--sig-proxy**[=*true*]]
    44  [**-t**|**--tty**[=*false*]]
    45  [**-u**|**--user**[=*USER*]]
    46  [**-v**|**--volume**[=*[]*]]
    47  [**--volumes-from**[=*[]*]]
    48  [**-w**|**--workdir**[=*WORKDIR*]]
    49  IMAGE [COMMAND] [ARG...]
    50  
    51  # DESCRIPTION
    52  
    53  Run a process in a new container. **docker run** starts a process with its own
    54  file system, its own networking, and its own isolated process tree. The IMAGE
    55  which starts the process may define defaults related to the process that will be
    56  run in the container, the networking to expose, and more, but **docker run**
    57  gives final control to the operator or administrator who starts the container
    58  from the image. For that reason **docker run** has more options than any other
    59  Docker command.
    60  
    61  If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and
    62  all image dependencies, from the repository in the same way running **docker
    63  pull** IMAGE, before it starts the container from that image.
    64  
    65  # OPTIONS
    66  **-a**, **--attach**=[]
    67     Attach to STDIN, STDOUT or STDERR.
    68  
    69     In foreground mode (the default when **-d**
    70  is not specified), **docker run** can start the process in the container
    71  and attach the console to the process’s standard input, output, and standard
    72  error. It can even pretend to be a TTY (this is what most commandline
    73  executables expect) and pass along signals. The **-a** option can be set for
    74  each of stdin, stdout, and stderr.
    75  
    76  **--add-host**=[]
    77     Add a custom host-to-IP mapping (host:ip)
    78  
    79     Add a line to /etc/hosts. The format is hostname:ip.  The **--add-host**
    80  option can be set multiple times.
    81  
    82  **-c**, **--cpu-shares**=0
    83     CPU shares (relative weight)
    84  
    85     You can increase the priority of a container
    86  with the -c option. By default, all containers run at the same priority and get
    87  the same proportion of CPU cycles, but you can tell the kernel to give more
    88  shares of CPU time to one or more containers when you start them via **docker
    89  run**.
    90  
    91  **--cap-add**=[]
    92     Add Linux capabilities
    93  
    94  **--cap-drop**=[]
    95     Drop Linux capabilities
    96  
    97  **--cidfile**=""
    98     Write the container ID to the file
    99  
   100  **--cpuset**=""
   101     CPUs in which to allow execution (0-3, 0,1)
   102  
   103  **-d**, **--detach**=*true*|*false*
   104     Detached mode: run the container in the background and print the new container ID. The default is *false*.
   105  
   106     At any time you can run **docker ps** in
   107  the other shell to view a list of the running containers. You can reattach to a
   108  detached container with **docker attach**. If you choose to run a container in
   109  the detached mode, then you cannot use the **-rm** option.
   110  
   111     When attached in the tty mode, you can detach from a running container without
   112  stopping the process by pressing the keys CTRL-P CTRL-Q.
   113  
   114  **--device**=[]
   115     Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
   116  
   117  **--dns-search**=[]
   118     Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)
   119  
   120  **--dns**=[]
   121     Set custom DNS servers
   122  
   123     This option can be used to override the DNS
   124  configuration passed to the container. Typically this is necessary when the
   125  host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
   126  is the case the **--dns** flags is necessary for every run.
   127  
   128  **-e**, **--env**=[]
   129     Set environment variables
   130  
   131     This option allows you to specify arbitrary
   132  environment variables that are available for the process that will be launched
   133  inside of the container.
   134  
   135  **--entrypoint**=""
   136     Overwrite the default ENTRYPOINT of the image
   137  
   138     This option allows you to overwrite the default entrypoint of the image that
   139  is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND
   140  because it specifies what executable to run when the container starts, but it is
   141  (purposely) more difficult to override. The ENTRYPOINT gives a container its
   142  default nature or behavior, so that when you set an ENTRYPOINT you can run the
   143  container as if it were that binary, complete with default options, and you can
   144  pass in more options via the COMMAND. But, sometimes an operator may want to run
   145  something else inside the container, so you can override the default ENTRYPOINT
   146  at runtime by using a **--entrypoint** and a string to specify the new
   147  ENTRYPOINT.
   148  
   149  **--env-file**=[]
   150     Read in a line delimited file of environment variables
   151  
   152  **--expose**=[]
   153     Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host
   154  
   155  **-h**, **--hostname**=""
   156     Container host name
   157  
   158     Sets the container host name that is available inside the container.
   159  
   160  **--help**
   161    Print usage statement
   162  
   163  **-i**, **--interactive**=*true*|*false*
   164     Keep STDIN open even if not attached. The default is *false*.
   165  
   166     When set to true, keep stdin open even if not attached. The default is false.
   167  
   168  **--ipc**=""
   169     Default is to create a private IPC namespace (POSIX SysV IPC) for the container
   170                                 'container:<name|id>': reuses another container shared memory, semaphores and message queues
   171                                 'host': use the host shared memory,semaphores and message queues inside the container.  Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.
   172  
   173  **--link**=[]
   174     Add link to another container in the form of <name or id>:alias
   175  
   176     If the operator
   177  uses **--link** when starting the new client container, then the client
   178  container can access the exposed port via a private networking interface. Docker
   179  will set some environment variables in the client container to help indicate
   180  which interface and port to use.
   181  
   182  **--lxc-conf**=[]
   183     (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"
   184  
   185  **-m**, **--memory**=""
   186     Memory limit (format: <number><optional unit>, where unit = b, k, m or g)
   187  
   188     Allows you to constrain the memory available to a container. If the host
   189  supports swap memory, then the -m memory setting can be larger than physical
   190  RAM. If a limit of 0 is specified, the container's memory is not limited. The
   191  actual limit may be rounded up to a multiple of the operating system's page
   192  size, if it is not already. The memory limit should be formatted as follows:
   193  `<number><optional unit>`, where unit = b, k, m or g.
   194  
   195  **--memory-swap**=""
   196      Total memory usage (memory + swap)
   197  
   198      Set '-1' to disable swap (format: <number><optional unit>, where unit = b, k, m or g)
   199  
   200  **--mac-address**=""
   201     Container MAC address (e.g. 92:d0:c6:0a:29:33)
   202  
   203     Remember that the MAC address in an Ethernet network must be unique.
   204  The IPv6 link-local address will be based on the device's MAC address
   205  according to RFC4862.
   206  
   207  **--name**=""
   208     Assign a name to the container
   209  
   210     The operator can identify a container in three ways:
   211      UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”)
   212      UUID short identifier (“f78375b1c487”)
   213      Name (“jonah”)
   214  
   215     The UUID identifiers come from the Docker daemon, and if a name is not assigned
   216  to the container with **--name** then the daemon will also generate a random
   217  string name. The name is useful when defining links (see **--link**) (or any
   218  other place you need to identify a container). This works for both background
   219  and foreground Docker containers.
   220  
   221  **--net**="bridge"
   222     Set the Network mode for the container
   223                                 'bridge': creates a new network stack for the container on the docker bridge
   224                                 'none': no networking for this container
   225                                 'container:<name|id>': reuses another container network stack
   226                                 'host': use the host network stack inside the container.  Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
   227  
   228  **-P**, **--publish-all**=*true*|*false*
   229     Publish all exposed ports to random ports on the host interfaces. The default is *false*.
   230  
   231     When set to true publish all exposed ports to the host interfaces. The
   232  default is false. If the operator uses -P (or -p) then Docker will make the
   233  exposed port accessible on the host and the ports will be available to any
   234  client that can reach the host. When using -P, Docker will bind the exposed
   235  ports to a random port on the host between 49153 and 65535. To find the
   236  mapping between the host ports and the exposed ports, use **docker port**.
   237  
   238  **-p**, **--publish**=[]
   239     Publish a container's port, or range of ports, to the host.
   240                                 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
   241                                 Both hostPort and containerPort can be specified as a range of ports. 
   242                                 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`)
   243                                 (use 'docker port' to see the actual mapping)
   244  
   245  **--pid**=host
   246     Set the PID mode for the container
   247       **host**: use the host's PID namespace inside the container.
   248       Note: the host mode gives the container full access to local PID and is therefore considered insecure.
   249  
   250  **--privileged**=*true*|*false*
   251     Give extended privileges to this container. The default is *false*.
   252  
   253     By default, Docker containers are
   254  “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the
   255  Docker container. This is because by default a container is not allowed to
   256  access any devices. A “privileged” container is given access to all devices.
   257  
   258     When the operator executes **docker run --privileged**, Docker will enable access
   259  to all devices on the host as well as set some configuration in AppArmor to
   260  allow the container nearly all the same access to the host as processes running
   261  outside of a container on the host.
   262  
   263  **--read-only**=*true*|*false*
   264      Mount the container's root filesystem as read only.
   265  
   266      By default a container will have its root filesystem writable allowing processes
   267  to write files anywhere.  By specifying the `--read-only` flag the container will have
   268  its root filesystem mounted as read only prohibiting any writes.
   269  
   270  **--restart**=""
   271     Restart policy to apply when a container exits (no, on-failure[:max-retry], always)
   272  
   273  **--rm**=*true*|*false*
   274     Automatically remove the container when it exits (incompatible with -d). The default is *false*.
   275  
   276  **--security-opt**=[]
   277     Security Options
   278  
   279     "label:user:USER"   : Set the label user for the container
   280      "label:role:ROLE"   : Set the label role for the container
   281      "label:type:TYPE"   : Set the label type for the container
   282      "label:level:LEVEL" : Set the label level for the container
   283      "label:disable"     : Turn off label confinement for the container
   284  
   285  **--sig-proxy**=*true*|*false*
   286     Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*.
   287  
   288  **-t**, **--tty**=*true*|*false*
   289     Allocate a pseudo-TTY. The default is *false*.
   290  
   291     When set to true Docker can allocate a pseudo-tty and attach to the standard
   292  input of any container. This can be used, for example, to run a throwaway
   293  interactive shell. The default is value is false.
   294  
   295  The **-t** option is incompatible with a redirection of the docker client
   296  standard input.
   297  
   298  **-u**, **--user**=""
   299     Username or UID
   300  
   301  **-v**, **--volume**=[]
   302     Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)
   303  
   304     The **-v** option can be used one or
   305  more times to add one or more mounts to a container. These mounts can then be
   306  used in other containers using the **--volumes-from** option.
   307  
   308     The volume may be optionally suffixed with :ro or :rw to mount the volumes in
   309  read-only or read-write mode, respectively. By default, the volumes are mounted
   310  read-write. See examples.
   311  
   312  **--volumes-from**=[]
   313     Mount volumes from the specified container(s)
   314  
   315     Will mount volumes from the specified container identified by container-id.
   316  Once a volume is mounted in a one container it can be shared with other
   317  containers using the **--volumes-from** option when running those other
   318  containers. The volumes can be shared even if the original container with the
   319  mount is not running.
   320  
   321     The container ID may be optionally suffixed with :ro or
   322  :rw to mount the volumes in read-only or read-write mode, respectively. By
   323  default, the volumes are mounted in the same mode (read write or read only) as
   324  the reference container.
   325  
   326  **-w**, **--workdir**=""
   327     Working directory inside the container
   328  
   329     The default working directory for
   330  running binaries within a container is the root directory (/). The developer can
   331  set a different default with the Dockerfile WORKDIR instruction. The operator
   332  can override the working directory by using the **-w** option.
   333  
   334  # EXAMPLES
   335  
   336  ## Exposing log messages from the container to the host's log
   337  
   338  If you want messages that are logged in your container to show up in the host's
   339  syslog/journal then you should bind mount the /dev/log directory as follows.
   340  
   341      # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash
   342  
   343  From inside the container you can test this by sending a message to the log.
   344  
   345      (bash)# logger "Hello from my container"
   346  
   347  Then exit and check the journal.
   348  
   349      # exit
   350  
   351      # journalctl -b | grep Hello
   352  
   353  This should list the message sent to logger.
   354  
   355  ## Attaching to one or more from STDIN, STDOUT, STDERR
   356  
   357  If you do not specify -a then Docker will attach everything (stdin,stdout,stderr)
   358  . You can specify to which of the three standard streams (stdin, stdout, stderr)
   359  you’d like to connect instead, as in:
   360  
   361      # docker run -a stdin -a stdout -i -t fedora /bin/bash
   362  
   363  ## Sharing IPC between containers
   364  
   365  Using shm_server.c available here: http://www.cs.cf.ac.uk/Dave/C/node27.html
   366  
   367  Testing `--ipc=host` mode:
   368  
   369  Host shows a shared memory segment with 7 pids attached, happens to be from httpd:
   370  
   371  ```
   372   $ sudo ipcs -m
   373  
   374   ------ Shared Memory Segments --------
   375   key        shmid      owner      perms      bytes      nattch     status      
   376   0x01128e25 0          root       600        1000       7                       
   377  ```
   378  
   379  Now run a regular container, and it correctly does NOT see the shared memory segment from the host:
   380  
   381  ```
   382   $ sudo docker run -it shm ipcs -m
   383  
   384   ------ Shared Memory Segments --------	
   385   key        shmid      owner      perms      bytes      nattch     status      
   386  ```
   387  
   388  Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd:
   389  
   390   ```
   391   $ sudo docker run -it --ipc=host shm ipcs -m
   392  
   393   ------ Shared Memory Segments --------
   394   key        shmid      owner      perms      bytes      nattch     status      
   395   0x01128e25 0          root       600        1000       7                   
   396  ```
   397  Testing `--ipc=container:CONTAINERID` mode:
   398  
   399  Start a container with a program to create a shared memory segment:
   400  ```
   401   sudo docker run -it shm bash
   402   $ sudo shm/shm_server &
   403   $ sudo ipcs -m
   404  
   405   ------ Shared Memory Segments --------
   406   key        shmid      owner      perms      bytes      nattch     status      
   407   0x0000162e 0          root       666        27         1                       
   408  ```
   409  Create a 2nd container correctly shows no shared memory segment from 1st container:
   410  ```
   411   $ sudo docker run shm ipcs -m
   412  
   413   ------ Shared Memory Segments --------
   414   key        shmid      owner      perms      bytes      nattch     status      
   415  ```
   416  
   417  Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first:
   418  
   419  ```
   420   $ sudo docker run -it --ipc=container:ed735b2264ac shm ipcs -m
   421   $ sudo ipcs -m
   422  
   423   ------ Shared Memory Segments --------
   424   key        shmid      owner      perms      bytes      nattch     status      
   425   0x0000162e 0          root       666        27         1
   426  ```
   427  
   428  ## Linking Containers
   429  
   430  The link feature allows multiple containers to communicate with each other. For
   431  example, a container whose Dockerfile has exposed port 80 can be run and named
   432  as follows:
   433  
   434      # docker run --name=link-test -d -i -t fedora/httpd
   435  
   436  A second container, in this case called linker, can communicate with the httpd
   437  container, named link-test, by running with the **--link=<name>:<alias>**
   438  
   439      # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash
   440  
   441  Now the container linker is linked to container link-test with the alias lt.
   442  Running the **env** command in the linker container shows environment variables
   443   with the LT (alias) context (**LT_**)
   444  
   445      # env
   446      HOSTNAME=668231cb0978
   447      TERM=xterm
   448      LT_PORT_80_TCP=tcp://172.17.0.3:80
   449      LT_PORT_80_TCP_PORT=80
   450      LT_PORT_80_TCP_PROTO=tcp
   451      LT_PORT=tcp://172.17.0.3:80
   452      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   453      PWD=/
   454      LT_NAME=/linker/lt
   455      SHLVL=1
   456      HOME=/
   457      LT_PORT_80_TCP_ADDR=172.17.0.3
   458      _=/usr/bin/env
   459  
   460  When linking two containers Docker will use the exposed ports of the container
   461  to create a secure tunnel for the parent to access.
   462  
   463  
   464  ## Mapping Ports for External Usage
   465  
   466  The exposed port of an application can be mapped to a host port using the **-p**
   467  flag. For example, a httpd port 80 can be mapped to the host port 8080 using the
   468  following:
   469  
   470      # docker run -p 8080:80 -d -i -t fedora/httpd
   471  
   472  ## Creating and Mounting a Data Volume Container
   473  
   474  Many applications require the sharing of persistent data across several
   475  containers. Docker allows you to create a Data Volume Container that other
   476  containers can mount from. For example, create a named container that contains
   477  directories /var/volume1 and /tmp/volume2. The image will need to contain these
   478  directories so a couple of RUN mkdir instructions might be required for you
   479  fedora-data image:
   480  
   481      # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true
   482      # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash
   483  
   484  Multiple --volumes-from parameters will bring together multiple data volumes from
   485  multiple containers. And it's possible to mount the volumes that came from the
   486  DATA container in yet another container via the fedora-container1 intermediary
   487  container, allowing to abstract the actual data source from users of that data:
   488  
   489      # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash
   490  
   491  ## Mounting External Volumes
   492  
   493  To mount a host directory as a container volume, specify the absolute path to
   494  the directory and the absolute path for the container directory separated by a
   495  colon:
   496  
   497      # docker run -v /var/db:/data1 -i -t fedora bash
   498  
   499  When using SELinux, be aware that the host has no knowledge of container SELinux
   500  policy. Therefore, in the above example, if SELinux policy is enforced, the
   501  `/var/db` directory is not writable to the container. A "Permission Denied"
   502  message will occur and an avc: message in the host's syslog.
   503  
   504  
   505  To work around this, at time of writing this man page, the following command
   506  needs to be run in order for the proper SELinux policy type label to be attached
   507  to the host directory:
   508  
   509      # chcon -Rt svirt_sandbox_file_t /var/db
   510  
   511  
   512  Now, writing to the /data1 volume in the container will be allowed and the
   513  changes will also be reflected on the host in /var/db.
   514  
   515  ## Using alternative security labeling
   516  
   517  You can override the default labeling scheme for each container by specifying
   518  the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
   519  requirement for MLS systems. Specifying the level in the following command
   520  allows you to share the same content between containers.
   521  
   522      # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
   523  
   524  An MLS example might be:
   525  
   526      # docker run --security-opt label:level:TopSecret -i -t rhel7 bash
   527  
   528  To disable the security labeling for this container versus running with the
   529  `--permissive` flag, use the following command:
   530  
   531      # docker run --security-opt label:disable -i -t fedora bash
   532  
   533  If you want a tighter security policy on the processes within a container,
   534  you can specify an alternate type for the container. You could run a container
   535  that is only allowed to listen on Apache ports by executing the following
   536  command:
   537  
   538      # docker run --security-opt label:type:svirt_apache_t -i -t centos bash
   539  
   540  Note:
   541  
   542  You would have to write policy defining a `svirt_apache_t` type.
   543  
   544  # HISTORY
   545  April 2014, Originally compiled by William Henry (whenry at redhat dot com)
   546  based on docker.com source material and internal work.
   547  June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
   548  July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>