github.com/jandre/docker@v1.7.0/man/docker-run.1.md

% DOCKER(1) Docker User Manuals
% Docker Community
% JUNE 2014
# NAME
docker-run - Run a command in a new container

# SYNOPSIS
**docker run**
[**-a**|**--attach**[=*[]*]]
[**--add-host**[=*[]*]]
[**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
[**-c**|**--cpu-shares**[=*0*]]
[**--cap-add**[=*[]*]]
[**--cap-drop**[=*[]*]]
[**--cidfile**[=*CIDFILE*]]
[**--cpu-period**[=*0*]]
[**--cpuset-cpus**[=*CPUSET-CPUS*]]
[**--cpuset-mems**[=*CPUSET-MEMS*]]
[**-d**|**--detach**[=*false*]]
[**--cpu-quota**[=*0*]]
[**--device**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--dns**[=*[]*]]
[**-e**|**--env**[=*[]*]]
[**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]]
[**--expose**[=*[]*]]
[**-h**|**--hostname**[=*HOSTNAME*]]
[**--help**]
[**-i**|**--interactive**[=*false*]]
[**--ipc**[=*IPC*]]
[**-l**|**--label**[=*[]*]]
[**--label-file**[=*[]*]]
[**--link**[=*[]*]]
[**--lxc-conf**[=*[]*]]
[**--log-driver**[=*[]*]]
[**--log-opt**[=*[]*]]
[**-m**|**--memory**[=*MEMORY*]]
[**--memory-swap**[=*MEMORY-SWAP*]]
[**--mac-address**[=*MAC-ADDRESS*]]
[**--name**[=*NAME*]]
[**--net**[=*"bridge"*]]
[**--oom-kill-disable**[=*false*]]
[**-P**|**--publish-all**[=*false*]]
[**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]]
[**--uts**[=*[]*]]
[**--privileged**[=*false*]]
[**--read-only**[=*false*]]
[**--restart**[=*RESTART*]]
[**--rm**[=*false*]]
[**--security-opt**[=*[]*]]
[**--sig-proxy**[=*true*]]
[**-t**|**--tty**[=*false*]]
[**-u**|**--user**[=*USER*]]
[**-v**|**--volume**[=*[]*]]
[**--volumes-from**[=*[]*]]
[**-w**|**--workdir**[=*WORKDIR*]]
[**--cgroup-parent**[=*CGROUP-PATH*]]
IMAGE [COMMAND] [ARG...]

# DESCRIPTION

Run a process in a new container. **docker run** starts a process with its own
file system, its own networking, and its own isolated process tree.
The IMAGE
which starts the process may define defaults related to the process that will be
run in the container, the networking to expose, and more, but **docker run**
gives final control to the operator or administrator who starts the container
from the image. For that reason **docker run** has more options than any other
Docker command.

If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and
all image dependencies, from the repository in the same way running **docker
pull** IMAGE would, before it starts the container from that image. This implicit
pull resolves the tag against the registry at that moment, so if you need to know
exactly which image you are running, pull it first and check its ID with
**docker images** or **docker inspect**.

# OPTIONS
**-a**, **--attach**=[]
   Attach to STDIN, STDOUT or STDERR.

   In foreground mode (the default when **-d**
is not specified), **docker run** can start the process in the container
and attach the console to the process's standard input, output, and standard
error. It can even pretend to be a TTY (this is what most command-line
executables expect) and pass along signals. The **-a** option can be set for
each of stdin, stdout, and stderr.

**--add-host**=[]
   Add a custom host-to-IP mapping (host:ip)

   Add a line to /etc/hosts. The format is hostname:ip. The **--add-host**
option can be set multiple times.

**--blkio-weight**=0
   Block IO weight (relative weight). Accepts a weight value between 10 and 1000;
0 (the default) leaves the block IO weight unset.

**-c**, **--cpu-shares**=0
   CPU shares (relative weight)

   By default, all containers get the same proportion of CPU cycles. This proportion
can be modified by changing the container's CPU share weighting relative
to the weighting of all other running containers.

   To modify the proportion from the default of 1024, use the **-c** or **--cpu-shares**
flag to set the weighting to 2 or higher.

   The proportion will only apply when CPU-intensive processes are running.
When tasks in one container are idle, other containers can use the
left-over CPU time.
The actual amount of CPU time will vary depending on
the number of containers running on the system.

   For example, consider three containers, one has a cpu-share of 1024 and
two others have a cpu-share setting of 512. When processes in all three
containers attempt to use 100% of CPU, the first container would receive
50% of the total CPU time. If you add a fourth container with a cpu-share
of 1024, the first container only gets 33% of the CPU. The remaining containers
receive about 16.7%, 16.7% and 33% of the CPU.

   On a multi-core system, the shares of CPU time are distributed over all CPU
cores. Even if a container is limited to less than 100% of CPU time, it can
use 100% of each individual CPU core.

   For example, consider a system with more than three cores. If you start one
container **{C0}** with **-c=512** running one process, and another container
**{C1}** with **-c=1024** running two processes, this can result in the following
division of CPU shares:

    PID    container    CPU    CPU share
    100    {C0}         0      100% of CPU0
    101    {C1}         1      100% of CPU1
    102    {C1}         2      100% of CPU2

**--cap-add**=[]
   Add Linux capabilities

**--cap-drop**=[]
   Drop Linux capabilities

   Capabilities are the pieces of root privilege the container's processes keep.
The least-privilege pattern is to drop everything and add back only what the
workload needs, for example **--cap-drop**=ALL **--cap-add**=NET_BIND_SERVICE
for a service that only has to bind a port below 1024.

**--cgroup-parent**=""
   Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.

**--cidfile**=""
   Write the container ID to the file

**--cpu-period**=0
   Limit the CPU CFS (Completely Fair Scheduler) period

   Sets the length, in microseconds, of the CFS scheduling period that
**--cpu-quota** is measured against; the kernel default is 100000 (100 ms). The
quota is the CPU time the container may use within each period, so
**--cpu-period**=100000 **--cpu-quota**=50000 caps the container at half of one CPU.

**--cpuset-cpus**=""
   CPUs in which to allow execution (0-3, 0,1)

**--cpuset-mems**=""
   Memory nodes (MEMs) in which to allow execution (0-3, 0,1).
Only effective on NUMA systems.

   If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
then processes in your Docker container will only use memory from the first
two memory nodes.

**--cpu-quota**=0
   Limit the CPU CFS (Completely Fair Scheduler) quota

   Limit the container's CPU usage. By default, containers run with the full
CPU resource. This flag tells the kernel to restrict the container's CPU usage
to the quota you specify: the number of microseconds of CPU time allowed in
each **--cpu-period**.

**-d**, **--detach**=*true*|*false*
   Detached mode: run the container in the background and print the new container ID. The default is *false*.

   At any time you can run **docker ps** in
the other shell to view a list of the running containers. You can reattach to a
detached container with **docker attach**. If you choose to run a container in
the detached mode, then you cannot use the **--rm** option.

   When attached in the tty mode, you can detach from a running container without
stopping the process by pressing the keys CTRL-P CTRL-Q.

**--device**=[]
   Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)

   The trailing rwm part is the set of cgroup device permissions (read, write,
mknod) granted on that device; leave out the ones the workload does not need.

**--dns-search**=[]
   Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)

**--dns**=[]
   Set custom DNS servers

   This option can be used to override the DNS
configuration passed to the container. Typically this is necessary when the
host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
is the case the **--dns** flag is necessary for every run.

**-e**, **--env**=[]
   Set environment variables

   This option allows you to specify arbitrary
environment variables that are available for the process that will be launched
inside of the container. Anything passed this way is stored in the container's
configuration and shown by **docker inspect**, so it is not a safe channel for
secrets.
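The share arithmetic in the **--cpu-shares** description and the period/quota
relationship above can be checked with the following model. It is an example
added to this page, not Docker or kernel code: a weighted water-filling
allocation that treats each container's runnable thread count, the machine's
core count and its CFS quota (quota_us/period_us, with the kernel's 100000 µs
default period assumed) as hard ceilings and divides the rest by share weight.
The `Container` class and the `allocate` and `percent_of_host` functions are
this example's own names, and the model is an approximation of CFS, not the
scheduler itself.

```python
# Added example (not Docker or kernel code): a simplified model of how
# --cpu-shares, --cpu-period/--cpu-quota and the number of runnable threads
# combine into the CPU each container can actually get. Reproduces the figures
# from the --cpu-shares description. Weighted "water-filling" is this example's
# approximation of CFS behaviour.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Container:
    name: str
    shares: int = 1024        # -c / --cpu-shares (relative weight, default 1024)
    procs: int = 1            # runnable threads; each can saturate at most one core
    quota_us: int = 0         # --cpu-quota in microseconds, 0 = unlimited
    period_us: int = 100_000  # --cpu-period; 100 ms is the CFS default (assumption)

    def ceiling(self, ncpus: int) -> float:
        """Most CPU (in cores) this container can consume when nothing else
        competes: bounded by its threads, the machine and its CFS quota."""
        cap = float(min(self.procs, ncpus))
        if self.quota_us > 0:
            cap = min(cap, self.quota_us / self.period_us)
        return cap


def allocate(containers: List[Container], ncpus: int) -> Dict[str, float]:
    """Distribute ncpus cores by share weight. A container whose weighted slice
    exceeds what it can use is capped at its ceiling and the surplus is
    re-divided among the others by weight (shares only bite under contention).
    Returns cores per container; divide by ncpus for a fraction of the host."""
    alloc = {c.name: 0.0 for c in containers}
    remaining = float(ncpus)
    active = list(containers)
    while active and remaining > 1e-9:
        total_weight = sum(c.shares for c in active)
        capped = [c for c in active
                  if remaining * c.shares / total_weight
                  >= c.ceiling(ncpus) - alloc[c.name] - 1e-12]
        if not capped:
            # Everyone can absorb its slice: hand out the rest proportionally.
            for c in active:
                alloc[c.name] += remaining * c.shares / total_weight
            break
        for c in capped:
            give = c.ceiling(ncpus) - alloc[c.name]
            alloc[c.name] += give
            remaining -= give
            active.remove(c)
    return alloc


def percent_of_host(containers: List[Container], ncpus: int) -> Dict[str, float]:
    """Same allocation expressed as a percentage of total host CPU time."""
    return {name: round(100.0 * cores / ncpus, 1)
            for name, cores in allocate(containers, ncpus).items()}


if __name__ == "__main__":
    # The single-CPU example above: 1024 vs 512 vs 512, all CPU-bound.
    busy = [Container("A", 1024, procs=4), Container("B", 512, procs=4),
            Container("C", 512, procs=4)]
    print(percent_of_host(busy, 1))        # {'A': 50.0, 'B': 25.0, 'C': 25.0}
    print(percent_of_host(busy + [Container("D", 1024, procs=4)], 1))  # A 33.3, B 16.7, C 16.7, D 33.3
    # The multi-core example: C0 (-c=512, one thread) and C1 (-c=1024, two
    # threads) on four cores each get whole cores; nobody is really contending.
    print(allocate([Container("C0", 512, procs=1), Container("C1", 1024, procs=2)], 4))
    # A quota of 50000 us per 100000 us period caps a container at half a core
    # no matter how many shares or threads it has.
    print(allocate([Container("Q", 2048, procs=8, quota_us=50_000)], 4))  # {'Q': 0.5}
```

The last case is the practical point: shares are a relative weight that only
matters under contention, so a noisy container can only be bounded absolutely
with a quota.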

**--entrypoint**=""
   Override the default ENTRYPOINT of the image

   This option allows you to override the default entrypoint of the image that
is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND
because it specifies what executable to run when the container starts, but it is
(purposely) more difficult to override. The ENTRYPOINT gives a container its
default nature or behavior, so that when you set an ENTRYPOINT you can run the
container as if it were that binary, complete with default options, and you can
pass in more options via the COMMAND. But, sometimes an operator may want to run
something else inside the container, so you can override the default ENTRYPOINT
at runtime by using a **--entrypoint** and a string to specify the new
ENTRYPOINT.

**--env-file**=[]
   Read in a line delimited file of environment variables

**--expose**=[]
   Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host

**-h**, **--hostname**=""
   Container host name

   Sets the container host name that is available inside the container.

**--help**
   Print usage statement

**-i**, **--interactive**=*true*|*false*
   Keep STDIN open even if not attached. The default is *false*.

**--ipc**=""
   Default is to create a private IPC namespace (POSIX/SysV IPC) for the container
   'container:<name|id>': reuses another container's shared memory, semaphores and message queues
   'host': use the host shared memory, semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.

**-l**, **--label**=[]
   Set metadata on the container (e.g., --label com.example.key=value)

**--label-file**=[]
   Read in a line delimited file of labels

**--link**=[]
   Add link to another container in the form of <name or id>:alias or just <name or id>
in which case the alias will match the name

   If the operator
uses **--link** when starting the new client container, then the client
container can access the exposed port via a private networking interface. Docker
will set some environment variables in the client container to help indicate
which interface and port to use. Environment variables defined on the source
container (ENV in its Dockerfile, **-e** or **--env-file**) are also copied into
the client as <ALIAS>_ENV_<NAME>, so do not keep secrets in the environment of
a container that other containers will link to.

**--lxc-conf**=[]
   (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"

**--log-driver**="|*json-file*|*syslog*|*journald*|*none*"
   Logging driver for container. Default is defined by daemon `--log-driver` flag.
   **Warning**: `docker logs` command works only for `json-file` logging driver.

**--log-opt**=[]
   Logging driver specific options.

**-m**, **--memory**=""
   Memory limit (format: <number><optional unit>, where unit = b, k, m or g)

   Allows you to constrain the memory available to a container. If the host
supports swap memory, then the **-m** memory setting can be larger than physical
RAM. If no limit is set (the default, equivalent to 0), the container's memory is
not limited, and the value the kernel then reports as the limit is simply its
maximum, rounded to a multiple of the page size, rather than a real ceiling. A
limit you do set may likewise be rounded up to a multiple of the operating
system's page size.

**--memory-swap**=""
   Total memory limit (memory + swap)

   Format: <number><optional unit>, where unit = b, k, m or g. Set `-1` to leave
swap unlimited. This value must be larger than **-m**, so always use it together
with **-m**; when **-m** is given without **--memory-swap**, the container may
additionally use swap up to the size of its memory limit (twice **-m** in total).

**--mac-address**=""
   Container MAC address (e.g. 92:d0:c6:0a:29:33)

   Remember that the MAC address in an Ethernet network must be unique.
The IPv6 link-local address will be based on the device's MAC address
according to RFC4862.

**--name**=""
   Assign a name to the container

   The operator can identify a container in three ways:
   UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”)
   UUID short identifier (“f78375b1c487”)
   Name (“jonah”)

   The UUID identifiers come from the Docker daemon, and if a name is not assigned
to the container with **--name** then the daemon will also generate a random
string name. The name is useful when defining links (see **--link**) (or any
other place you need to identify a container). This works for both background
and foreground Docker containers.

**--net**="bridge"
   Set the Network mode for the container
   'bridge': creates a new network stack for the container on the docker bridge
   'none': no networking for this container
   'container:<name|id>': reuses another container network stack
   'host': use the host network stack inside the container. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.

**--oom-kill-disable**=*true*|*false*
   Whether to disable OOM Killer for the container or not.

   Only disable the OOM killer on a container that also has a **-m** limit;
without one, a runaway process in the container can consume all of the host's
memory and the kernel will not kill it.

**-P**, **--publish-all**=*true*|*false*
   Publish all exposed ports to random ports on the host interfaces. The default is *false*.

   If the operator uses -P (or -p) then Docker will make the
exposed port accessible on the host and the ports will be available to any
client that can reach the host, because the port is bound on all host interfaces
(0.0.0.0) unless **-p** names a specific address or the daemon was started with
an **--ip** default. When using -P, Docker will bind any exposed
port to a random port on the host within an *ephemeral port range* defined by
`/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host
ports and the exposed ports, use `docker port`.

**-p**, **--publish**=[]
   Publish a container's port, or range of ports, to the host.
   format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
   Both hostPort and containerPort can be specified as a range of ports.
   When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`)
   (use 'docker port' to see the actual mapping)

   Give an ip (for example `-p 127.0.0.1:8080:80`) when the service should only be
reachable from the host itself; without one the port is bound on all interfaces.

**--pid**=host
   Set the PID mode for the container
   **host**: use the host's PID namespace inside the container.
   Note: the host mode lets the container see every process on the host and, given
the right privileges, signal or trace them, and is therefore considered insecure.

**--uts**=host
   Set the UTS mode for the container
   **host**: use the host's UTS namespace inside the container.
   Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.

**--privileged**=*true*|*false*
   Give extended privileges to this container. The default is *false*.

   By default, Docker containers are
“unprivileged” (=false) and cannot, for example, run a Docker daemon inside the
Docker container. This is because by default a container is not allowed to
access any devices. A “privileged” container is given access to all devices.

   When the operator executes **docker run --privileged**, Docker will enable access
to all devices on the host, grant the container every Linux capability, and relax
the AppArmor or SELinux confinement, allowing the container nearly all the same
access to the host as processes running outside of a container on the host.

**--read-only**=*true*|*false*
   Mount the container's root filesystem as read only.

   By default a container will have its root filesystem writable allowing processes
to write files anywhere.
By specifying the `--read-only` flag the container will have
its root filesystem mounted as read only prohibiting any writes. Volumes
mounted with **-v** or **--volumes-from** are separate mounts and remain
writable unless they are themselves mounted `:ro`, so give a read-only
container an explicit volume for anything it legitimately needs to write.

**--restart**="no"
   Restart policy to apply when a container exits (no, on-failure[:max-retry], always)

**--rm**=*true*|*false*
   Automatically remove the container when it exits (incompatible with -d). The default is *false*.

**--security-opt**=[]
   Security Options

   "label:user:USER"   : Set the label user for the container
   "label:role:ROLE"   : Set the label role for the container
   "label:type:TYPE"   : Set the label type for the container
   "label:level:LEVEL" : Set the label level for the container
   "label:disable"     : Turn off label confinement for the container

**--sig-proxy**=*true*|*false*
   Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*.

**-t**, **--tty**=*true*|*false*
   Allocate a pseudo-TTY. The default is *false*.

   When set to true Docker can allocate a pseudo-tty and attach to the standard
input of any container. This can be used, for example, to run a throwaway
interactive shell.

   The **-t** option is incompatible with a redirection of the docker client
standard input.

**-u**, **--user**=""
   Sets the username or UID used and optionally the groupname or GID for the specified command.

   The following examples are all valid:
   --user [user | user:group | uid | uid:gid | user:gid | uid:group ]

   Without this argument the command will be run as root in the container, unless
the image's Dockerfile sets a USER. A numeric uid does not have to exist in the
container's /etc/passwd, which makes **-u** a reliable way to run an image that
defines no non-root user.

**-v**, **--volume**=[]
   Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)

   The **-v** option can be used one or
more times to add one or more mounts to a container. These mounts can then be
used in other containers using the **--volumes-from** option.

   The volume may be optionally suffixed with :ro or :rw to mount the volumes in
read-only or read-write mode, respectively. By default, the volumes are mounted
read-write. See examples.

   Labeling systems like SELinux require proper labels be placed on volume content
mounted into a container, otherwise the security system might prevent the
processes running inside the container from using the content. By default,
volumes are not relabeled.

   Two suffixes :z or :Z can be added to the volume mount. These suffixes tell
Docker to relabel file objects on the shared volumes. The 'z' option tells
Docker that the volume content will be shared between containers. Docker will
label the content with a shared content label. Shared volumes labels allow all
containers to read/write content. The 'Z' option tells Docker to label the
content with a private unshared label. Private volumes can only be used by the
current container.

   Relabeling rewrites the SELinux context of everything under the host path, so
never apply :z or :Z to a system directory such as /etc or /usr; use it only on
directories that exist to hold the container's data.

   Note: multiple mount options can be combined by separating them with a ","
(e.g. -v /host:/container:ro,Z).

**--volumes-from**=[]
   Mount volumes from the specified container(s)

   Mounts already mounted volumes from a source container onto another
container. You must supply the source's container-id. To share
a volume, use the **--volumes-from** option when running
the target container. You can share volumes even if the source container
is not running.

   By default, Docker mounts the volumes in the same mode (read-write or
read-only) as it is mounted in the source container. Optionally, you
can change this by suffixing the container-id with either the `:ro` or
`:rw` keyword.

   If the location of the volume from the source container overlaps with
data residing on a target container, then the volume hides
that data on the target.
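A reviewer checking `docker run` invocations for the exposures this page warns
about (the host namespaces of **--net**, **--pid**, **--ipc** and **--uts**,
**--privileged**, **--cap-add**, `label:disable`, **-p** without a bind address,
**-v** of sensitive host paths, **--oom-kill-disable** without **-m**, and a
missing **-u**) can automate that check. The following is an added example, not
Docker's code: `parse_publish` implements the four **-p** forms, including port
ranges and the matching-length rule, and `audit_docker_run` walks the flags of
one command line and returns findings. The finding text, the
`SENSITIVE_HOST_PATHS` list and the assumption that bind addresses are IPv4 are
this example's own choices.

```python
# Added example (not Docker's code): static audit of one `docker run` command
# line for the exposures this man page warns about. The finding wording, the
# SENSITIVE_HOST_PATHS policy and the IPv4-only -p parsing are assumptions.
import shlex
from typing import List, Optional, Tuple

# Flags that take a value ("--flag value" or "--flag=value"); others are switches.
VALUE_FLAGS = {"-p", "--publish", "-v", "--volume", "--volumes-from", "--net", "--pid",
               "--ipc", "--uts", "--cap-add", "--cap-drop", "--security-opt", "-u", "--user",
               "-m", "--memory", "--memory-swap", "--device", "-e", "--env", "--env-file",
               "--name", "--dns", "--dns-search", "--add-host", "-w", "--workdir", "--link",
               "--entrypoint", "--restart", "-h", "--hostname", "-c", "--cpu-shares",
               "--cpu-quota", "--cpu-period", "--cpuset-cpus", "--cpuset-mems", "-l", "--label"}
# Host paths whose bind mount hands the container control of the host (example policy).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/dev", "/proc", "/sys", "/var/run/docker.sock")


def _ports(text: str) -> List[int]:
    """'80' -> [80]; '1234-1236' -> [1234, 1235, 1236]; rejects bad values."""
    lo, _, hi = text.partition("-")
    start, end = int(lo), int(hi or lo)
    if not 0 < start <= end <= 65535:
        raise ValueError(f"bad port or range {text!r}")
    return list(range(start, end + 1))


def parse_publish(spec: str) -> Tuple[Optional[str], List[int], List[int], str]:
    """Parse one -p value in the four forms the option accepts:
    ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
    plus an optional /proto. Returns (bind_ip or None, host_ports, container_ports,
    proto); an empty host list means a random ephemeral port, as with -P."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 1:
        ip, host, cont = None, "", parts[0]
    elif len(parts) == 2:
        ip, host, cont = None, parts[0], parts[1]
    elif len(parts) == 3:
        ip, host, cont = parts[0], parts[1], parts[2]
    else:
        raise ValueError(f"bad publish spec {spec!r}")
    cports = _ports(cont)
    hports = _ports(host) if host else []
    if hports and len(hports) != len(cports):   # ranges on both sides must match
        raise ValueError(f"host/container range lengths differ in {spec!r}")
    return ip, hports, cports, proto or "tcp"


def _flags(argv: List[str]) -> List[Tuple[str, Optional[str]]]:
    """(flag, value) pairs for everything before IMAGE."""
    pairs, i = [], 0
    while i < len(argv) and argv[i].startswith("-"):
        flag, eq, val = argv[i].partition("=")
        if not eq and flag in VALUE_FLAGS:
            i += 1
            val = argv[i]
        pairs.append((flag, val if eq or flag in VALUE_FLAGS else None))
        i += 1
    return pairs


def audit_docker_run(cmdline: str) -> List[str]:
    """Return findings for one command line; an empty list means nothing flagged."""
    argv = shlex.split(cmdline)
    if argv[:2] == ["docker", "run"]:
        argv = argv[2:]
    findings: List[str] = []
    has_memory = has_user = oom_disabled = False
    for flag, val in _flags(argv):
        if flag == "--privileged" and val != "false":
            findings.append("--privileged: all host devices and capabilities, MAC confinement relaxed")
        elif flag in ("--net", "--pid", "--ipc", "--uts") and val == "host":
            findings.append(f"{flag}=host: shares the host {flag[2:].upper()} namespace")
        elif flag == "--security-opt" and val == "label:disable":
            findings.append("--security-opt label:disable: SELinux confinement turned off")
        elif flag == "--cap-add":
            findings.append(f"--cap-add={val}: extra capability; justify it or drop it")
        elif flag in ("-p", "--publish"):
            ip, hports, _, proto = parse_publish(val)
            if ip is None:                       # no bind address means 0.0.0.0
                where = ("a random ephemeral port" if not hports else
                         str(hports[0]) if len(hports) == 1 else f"{hports[0]}-{hports[-1]}")
                findings.append(f"-p {val}: {where}/{proto} bound on all host interfaces (0.0.0.0)")
        elif flag in ("-v", "--volume") and ":" in val:
            host_path, _, rest = val.partition(":")
            mode = rest.partition(":")[2] or "rw"
            if host_path in SENSITIVE_HOST_PATHS or any(
                    host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/"):
                findings.append(f"-v {val}: sensitive host path mounted {mode}")
        elif flag in ("-m", "--memory"):
            has_memory = True
        elif flag == "--oom-kill-disable" and val != "false":
            oom_disabled = True
        elif flag in ("-u", "--user"):
            has_user = True
    if oom_disabled and not has_memory:
        findings.append("--oom-kill-disable without -m: container can exhaust host memory")
    if not has_user:
        findings.append("no -u/--user: runs as root unless the image sets USER")
    return findings
```

Run `audit_docker_run("docker run --privileged --net=host -p 8080:80 -v /:/host:ro -d fedora/httpd")`
and every flag in it produces a finding; the same command with `-u 1000`,
`-p 127.0.0.1:8080:80` and a data directory instead of `/` produces none.
The parser stops at the first token that does not start with `-`, which is
how **docker run** itself finds IMAGE, so flags placed after the image name are
treated as the container's COMMAND, exactly as Docker treats them.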

**-w**, **--workdir**=""
   Working directory inside the container

   The default working directory for
running binaries within a container is the root directory (/). The developer can
set a different default with the Dockerfile WORKDIR instruction. The operator
can override the working directory by using the **-w** option.

# EXAMPLES

## Exposing log messages from the container to the host's log

If you want messages that are logged in your container to show up in the host's
syslog/journal then you should bind mount the /dev/log socket as follows.

    # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash

From inside the container you can test this by sending a message to the log.

    (bash)# logger "Hello from my container"

Then exit and check the journal.

    # exit

    # journalctl -b | grep Hello

This should list the message sent to logger. Note that the container can now
write anything it likes into the host's journal, so treat the origin of such
lines with care when reviewing host logs.

## Attaching to one or more from STDIN, STDOUT, STDERR

If you do not specify -a then Docker attaches stdout and stderr, and stdin as
well when -i is given.
You can specify to which of the three standard streams (stdin, stdout, stderr)
you'd like to connect instead, as in:

    # docker run -a stdin -a stdout -i -t fedora /bin/bash

## Sharing IPC between containers

Using shm_server.c available here: https://www.cs.cf.ac.uk/Dave/C/node27.html

Testing `--ipc=host` mode:

Host shows a shared memory segment with 7 pids attached, happens to be from httpd:

```
$ sudo ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x01128e25 0          root       600        1000       7
```

Now run a regular container, and it correctly does NOT see the shared memory segment from the host:

```
$ docker run -it shm ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
```

Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd:

```
$ docker run -it --ipc=host shm ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x01128e25 0          root       600        1000       7
```

Testing `--ipc=container:CONTAINERID` mode:

Start a container with a program to create a shared memory segment:

```
$ docker run -it shm bash
$ sudo shm/shm_server &
$ sudo ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0000162e 0          root       666        27         1
```

Creating a 2nd container shows, correctly, no shared memory segment from the 1st container:

```
$ docker run shm ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
```

Create a 3rd container using the new --ipc=container:CONTAINERID option (ed735b2264ac is the ID of the first container); it now shows the shared memory segment from the first:

```
$ docker run -it --ipc=container:ed735b2264ac shm ipcs -m

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0000162e 0          root       666        27         1
```

## Linking Containers

The link feature allows multiple containers to communicate with each other. For
example, a container whose Dockerfile has exposed port 80 can be run and named
as follows:

    # docker run --name=link-test -d -i -t fedora/httpd

A second container, in this case called linker, can communicate with the httpd
container, named link-test, by running with the **--link=<name>:<alias>**

    # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash

Now the container linker is linked to container link-test with the alias lt.
Running the **env** command in the linker container shows environment variables
with the LT (alias) context (**LT_**)

    # env
    HOSTNAME=668231cb0978
    TERM=xterm
    LT_PORT_80_TCP=tcp://172.17.0.3:80
    LT_PORT_80_TCP_PORT=80
    LT_PORT_80_TCP_PROTO=tcp
    LT_PORT=tcp://172.17.0.3:80
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    PWD=/
    LT_NAME=/linker/lt
    SHLVL=1
    HOME=/
    LT_PORT_80_TCP_ADDR=172.17.0.3
    _=/usr/bin/env

A link does not encrypt or tunnel anything: the two containers talk directly over
the docker bridge. What Docker adds is the environment variables above, an
/etc/hosts entry for the alias, and, when the daemon runs with inter-container
communication disabled (**--icc=false**), firewall rules that allow the linker
to reach the exposed ports of link-test.

## Mapping Ports for External Usage

The exposed port of an application can be mapped to a host port using the **-p**
flag. For example, a httpd port 80 can be mapped to the host port 8080 using the
following:

    # docker run -p 8080:80 -d -i -t fedora/httpd

## Creating and Mounting a Data Volume Container

Many applications require the sharing of persistent data across several
containers. Docker allows you to create a Data Volume Container that other
containers can mount from. For example, create a named container that contains
directories /var/volume1 and /tmp/volume2.
The image will need to contain these
directories so a couple of RUN mkdir instructions might be required for your
fedora-data image:

    # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true
    # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash

Multiple --volumes-from parameters will bring together multiple data volumes from
multiple containers. And it's possible to mount the volumes that came from the
DATA container in yet another container via the fedora-container1 intermediary
container, allowing to abstract the actual data source from users of that data:

    # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash

## Mounting External Volumes

To mount a host directory as a container volume, specify the absolute path to
the directory and the absolute path for the container directory separated by a
colon:

    # docker run -v /var/db:/data1 -i -t fedora bash

When using SELinux, be aware that the host has no knowledge of container SELinux
policy. Therefore, in the above example, if SELinux policy is enforced, the
`/var/db` directory is not writable to the container. A "Permission Denied"
message will occur and an avc: message in the host's syslog.

To work around this, at time of writing this man page, the following command
needs to be run in order for the proper SELinux policy type label to be attached
to the host directory:

    # chcon -Rt svirt_sandbox_file_t /var/db

Now, writing to the /data1 volume in the container will be allowed and the
changes will also be reflected on the host in /var/db. The `:z` and `:Z` volume
suffixes described under **-v** make Docker apply the equivalent relabeling
itself; `-v /var/db:/data1:Z` keeps the directory private to this one container.

## Using alternative security labeling

You can override the default labeling scheme for each container by specifying
the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
requirement for MLS systems.
Specifying the level in the following command
allows you to share the same content between containers.

    # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash

An MLS example might be:

    # docker run --security-opt label:level:TopSecret -i -t rhel7 bash

To disable the security labeling for this one container, rather than switching
the whole host's SELinux to permissive mode, use the following command:

    # docker run --security-opt label:disable -i -t fedora bash

If you want a tighter security policy on the processes within a container,
you can specify an alternate type for the container. You could run a container
that is only allowed to listen on Apache ports by executing the following
command:

    # docker run --security-opt label:type:svirt_apache_t -i -t centos bash

Note:

You would have to write policy defining a `svirt_apache_t` type.

# HISTORY
April 2014, Originally compiled by William Henry (whenry at redhat dot com)
based on docker.com source material and internal work.
June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>