github.com/pritambaral/docker@v1.4.2-0.20150120174542-b2fe1b3dd952/docs/man/docker-run.1.md (about) 1 % DOCKER(1) Docker User Manuals 2 % Docker Community 3 % JUNE 2014 4 # NAME 5 docker-run - Run a command in a new container 6 7 # SYNOPSIS 8 **docker run** 9 [**-a**|**--attach**[=*[]*]] 10 [**--add-host**[=*[]*]] 11 [**-c**|**--cpu-shares**[=*0*]] 12 [**--cap-add**[=*[]*]] 13 [**--cap-drop**[=*[]*]] 14 [**--cidfile**[=*CIDFILE*]] 15 [**--cpuset**[=*CPUSET*]] 16 [**-d**|**--detach**[=*false*]] 17 [**--device**[=*[]*]] 18 [**--dns-search**[=*[]*]] 19 [**--dns**[=*[]*]] 20 [**-e**|**--env**[=*[]*]] 21 [**--entrypoint**[=*ENTRYPOINT*]] 22 [**--env-file**[=*[]*]] 23 [**--expose**[=*[]*]] 24 [**-h**|**--hostname**[=*HOSTNAME*]] 25 [**--help**] 26 [**-i**|**--interactive**[=*false*]] 27 [**--ipc**[=*IPC*]] 28 [**--link**[=*[]*]] 29 [**--lxc-conf**[=*[]*]] 30 [**-m**|**--memory**[=*MEMORY*]] 31 [**--mac-address**[=*MAC-ADDRESS*]] 32 [**--name**[=*NAME*]] 33 [**--net**[=*"bridge"*]] 34 [**-P**|**--publish-all**[=*false*]] 35 [**-p**|**--publish**[=*[]*]] 36 [**--pid**[=*[]*]] 37 [**--privileged**[=*false*]] 38 [**--read-only**[=*false*]] 39 [**--restart**[=*RESTART*]] 40 [**--rm**[=*false*]] 41 [**--security-opt**[=*[]*]] 42 [**--sig-proxy**[=*true*]] 43 [**-t**|**--tty**[=*false*]] 44 [**-u**|**--user**[=*USER*]] 45 [**-v**|**--volume**[=*[]*]] 46 [**--volumes-from**[=*[]*]] 47 [**-w**|**--workdir**[=*WORKDIR*]] 48 IMAGE [COMMAND] [ARG...] 49 50 # DESCRIPTION 51 52 Run a process in a new container. **docker run** starts a process with its own 53 file system, its own networking, and its own isolated process tree. The IMAGE 54 which starts the process may define defaults related to the process that will be 55 run in the container, the networking to expose, and more, but **docker run** 56 gives final control to the operator or administrator who starts the container 57 from the image. For that reason **docker run** has more options than any other 58 Docker command. 59 60 If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and 61 all image dependencies, from the repository in the same way running **docker 62 pull** IMAGE, before it starts the container from that image. 63 64 # OPTIONS 65 **-a**, **--attach**=[] 66 Attach to STDIN, STDOUT or STDERR. 67 68 In foreground mode (the default when **-d** 69 is not specified), **docker run** can start the process in the container 70 and attach the console to the process’s standard input, output, and standard 71 error. It can even pretend to be a TTY (this is what most commandline 72 executables expect) and pass along signals. The **-a** option can be set for 73 each of stdin, stdout, and stderr. 74 75 **--add-host**=[] 76 Add a custom host-to-IP mapping (host:ip) 77 78 Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** 79 option can be set multiple times. 80 81 **-c**, **--cpu-shares**=0 82 CPU shares (relative weight) 83 84 You can increase the priority of a container 85 with the -c option. By default, all containers run at the same priority and get 86 the same proportion of CPU cycles, but you can tell the kernel to give more 87 shares of CPU time to one or more containers when you start them via **docker 88 run**. 89 90 **--cap-add**=[] 91 Add Linux capabilities 92 93 **--cap-drop**=[] 94 Drop Linux capabilities 95 96 **--cidfile**="" 97 Write the container ID to the file 98 99 **--cpuset**="" 100 CPUs in which to allow execution (0-3, 0,1) 101 102 **-d**, **--detach**=*true*|*false* 103 Detached mode: run the container in the background and print the new container ID. The default is *false*. 104 105 At any time you can run **docker ps** in 106 the other shell to view a list of the running containers. You can reattach to a 107 detached container with **docker attach**. If you choose to run a container in 108 the detached mode, then you cannot use the **-rm** option. 109 110 When attached in the tty mode, you can detach from a running container without 111 stopping the process by pressing the keys CTRL-P CTRL-Q. 112 113 **--device**=[] 114 Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm) 115 116 **--dns-search**=[] 117 Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) 118 119 **--dns**=[] 120 Set custom DNS servers 121 122 This option can be used to override the DNS 123 configuration passed to the container. Typically this is necessary when the 124 host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this 125 is the case the **--dns** flags is necessary for every run. 126 127 **-e**, **--env**=[] 128 Set environment variables 129 130 This option allows you to specify arbitrary 131 environment variables that are available for the process that will be launched 132 inside of the container. 133 134 **--entrypoint**="" 135 Overwrite the default ENTRYPOINT of the image 136 137 This option allows you to overwrite the default entrypoint of the image that 138 is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND 139 because it specifies what executable to run when the container starts, but it is 140 (purposely) more difficult to override. The ENTRYPOINT gives a container its 141 default nature or behavior, so that when you set an ENTRYPOINT you can run the 142 container as if it were that binary, complete with default options, and you can 143 pass in more options via the COMMAND. But, sometimes an operator may want to run 144 something else inside the container, so you can override the default ENTRYPOINT 145 at runtime by using a **--entrypoint** and a string to specify the new 146 ENTRYPOINT. 147 148 **--env-file**=[] 149 Read in a line delimited file of environment variables 150 151 **--expose**=[] 152 Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host 153 154 **-h**, **--hostname**="" 155 Container host name 156 157 Sets the container host name that is available inside the container. 158 159 **--help** 160 Print usage statement 161 162 **-i**, **--interactive**=*true*|*false* 163 Keep STDIN open even if not attached. The default is *false*. 164 165 When set to true, keep stdin open even if not attached. The default is false. 166 167 **--ipc**="" 168 Default is to create a private IPC namespace (POSIX SysV IPC) for the container 169 'container:<name|id>': reuses another container shared memory, semaphores and message queues 170 'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. 171 172 **--link**=[] 173 Add link to another container in the form of <name or id>:alias 174 175 If the operator 176 uses **--link** when starting the new client container, then the client 177 container can access the exposed port via a private networking interface. Docker 178 will set some environment variables in the client container to help indicate 179 which interface and port to use. 180 181 **--lxc-conf**=[] 182 (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" 183 184 **-m**, **--memory**="" 185 Memory limit (format: <number><optional unit>, where unit = b, k, m or g) 186 187 Allows you to constrain the memory available to a container. If the host 188 supports swap memory, then the -m memory setting can be larger than physical 189 RAM. If a limit of 0 is specified, the container's memory is not limited. The 190 actual limit may be rounded up to a multiple of the operating system's page 191 size, if it is not already. The memory limit should be formatted as follows: 192 `<number><optional unit>`, where unit = b, k, m or g. 193 194 **--mac-address**="" 195 Container MAC address (e.g. 92:d0:c6:0a:29:33) 196 197 Remember that the MAC address in an Ethernet network must be unique. 198 The IPv6 link-local address will be based on the device's MAC address 199 according to RFC4862. 200 201 **--name**="" 202 Assign a name to the container 203 204 The operator can identify a container in three ways: 205 UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) 206 UUID short identifier (“f78375b1c487”) 207 Name (“jonah”) 208 209 The UUID identifiers come from the Docker daemon, and if a name is not assigned 210 to the container with **--name** then the daemon will also generate a random 211 string name. The name is useful when defining links (see **--link**) (or any 212 other place you need to identify a container). This works for both background 213 and foreground Docker containers. 214 215 **--net**="bridge" 216 Set the Network mode for the container 217 'bridge': creates a new network stack for the container on the docker bridge 218 'none': no networking for this container 219 'container:<name|id>': reuses another container network stack 220 'host': use the host network stack inside the container. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. 221 222 **-P**, **--publish-all**=*true*|*false* 223 Publish all exposed ports to random ports on the host interfaces. The default is *false*. 224 225 When set to true publish all exposed ports to the host interfaces. The 226 default is false. If the operator uses -P (or -p) then Docker will make the 227 exposed port accessible on the host and the ports will be available to any 228 client that can reach the host. When using -P, Docker will bind the exposed 229 ports to a random port on the host between 49153 and 65535. To find the 230 mapping between the host ports and the exposed ports, use **docker port**. 231 232 **-p**, **--publish**=[] 233 Publish a container's port, or range of ports, to the host. 234 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort 235 Both hostPort and containerPort can be specified as a range of ports. 236 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`) 237 (use 'docker port' to see the actual mapping) 238 239 **--pid**=host 240 Set the PID mode for the container 241 **host**: use the host's PID namespace inside the container. 242 Note: the host mode gives the container full access to local PID and is therefore considered insecure. 243 244 **--privileged**=*true*|*false* 245 Give extended privileges to this container. The default is *false*. 246 247 By default, Docker containers are 248 “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the 249 Docker container. This is because by default a container is not allowed to 250 access any devices. A “privileged” container is given access to all devices. 251 252 When the operator executes **docker run --privileged**, Docker will enable access 253 to all devices on the host as well as set some configuration in AppArmor to 254 allow the container nearly all the same access to the host as processes running 255 outside of a container on the host. 256 257 **--read-only**=*true*|*false* 258 Mount the container's root filesystem as read only. 259 260 By default a container will have its root filesystem writable allowing processes 261 to write files anywhere. By specifying the `--read-only` flag the container will have 262 its root filesystem mounted as read only prohibiting any writes. 263 264 **--restart**="" 265 Restart policy to apply when a container exits (no, on-failure[:max-retry], always) 266 267 **--rm**=*true*|*false* 268 Automatically remove the container when it exits (incompatible with -d). The default is *false*. 269 270 **--security-opt**=[] 271 Security Options 272 273 "label:user:USER" : Set the label user for the container 274 "label:role:ROLE" : Set the label role for the container 275 "label:type:TYPE" : Set the label type for the container 276 "label:level:LEVEL" : Set the label level for the container 277 "label:disable" : Turn off label confinement for the container 278 279 **--sig-proxy**=*true*|*false* 280 Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. 281 282 **-t**, **--tty**=*true*|*false* 283 Allocate a pseudo-TTY. The default is *false*. 284 285 When set to true Docker can allocate a pseudo-tty and attach to the standard 286 input of any container. This can be used, for example, to run a throwaway 287 interactive shell. The default is value is false. 288 289 The **-t** option is incompatible with a redirection of the docker client 290 standard input. 291 292 **-u**, **--user**="" 293 Username or UID 294 295 **-v**, **--volume**=[] 296 Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container) 297 298 The **-v** option can be used one or 299 more times to add one or more mounts to a container. These mounts can then be 300 used in other containers using the **--volumes-from** option. 301 302 The volume may be optionally suffixed with :ro or :rw to mount the volumes in 303 read-only or read-write mode, respectively. By default, the volumes are mounted 304 read-write. See examples. 305 306 **--volumes-from**=[] 307 Mount volumes from the specified container(s) 308 309 Will mount volumes from the specified container identified by container-id. 310 Once a volume is mounted in a one container it can be shared with other 311 containers using the **--volumes-from** option when running those other 312 containers. The volumes can be shared even if the original container with the 313 mount is not running. 314 315 The container ID may be optionally suffixed with :ro or 316 :rw to mount the volumes in read-only or read-write mode, respectively. By 317 default, the volumes are mounted in the same mode (read write or read only) as 318 the reference container. 319 320 **-w**, **--workdir**="" 321 Working directory inside the container 322 323 The default working directory for 324 running binaries within a container is the root directory (/). The developer can 325 set a different default with the Dockerfile WORKDIR instruction. The operator 326 can override the working directory by using the **-w** option. 327 328 # EXAMPLES 329 330 ## Exposing log messages from the container to the host's log 331 332 If you want messages that are logged in your container to show up in the host's 333 syslog/journal then you should bind mount the /dev/log directory as follows. 334 335 # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash 336 337 From inside the container you can test this by sending a message to the log. 338 339 (bash)# logger "Hello from my container" 340 341 Then exit and check the journal. 342 343 # exit 344 345 # journalctl -b | grep Hello 346 347 This should list the message sent to logger. 348 349 ## Attaching to one or more from STDIN, STDOUT, STDERR 350 351 If you do not specify -a then Docker will attach everything (stdin,stdout,stderr) 352 . You can specify to which of the three standard streams (stdin, stdout, stderr) 353 you’d like to connect instead, as in: 354 355 # docker run -a stdin -a stdout -i -t fedora /bin/bash 356 357 ## Sharing IPC between containers 358 359 Using shm_server.c available here: http://www.cs.cf.ac.uk/Dave/C/node27.html 360 361 Testing `--ipc=host` mode: 362 363 Host shows a shared memory segment with 7 pids attached, happens to be from httpd: 364 365 ``` 366 $ sudo ipcs -m 367 368 ------ Shared Memory Segments -------- 369 key shmid owner perms bytes nattch status 370 0x01128e25 0 root 600 1000 7 371 ``` 372 373 Now run a regular container, and it correctly does NOT see the shared memory segment from the host: 374 375 ``` 376 $ sudo docker run -it shm ipcs -m 377 378 ------ Shared Memory Segments -------- 379 key shmid owner perms bytes nattch status 380 ``` 381 382 Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd: 383 384 ``` 385 $ sudo docker run -it --ipc=host shm ipcs -m 386 387 ------ Shared Memory Segments -------- 388 key shmid owner perms bytes nattch status 389 0x01128e25 0 root 600 1000 7 390 ``` 391 Testing `--ipc=container:CONTAINERID` mode: 392 393 Start a container with a program to create a shared memory segment: 394 ``` 395 sudo docker run -it shm bash 396 $ sudo shm/shm_server & 397 $ sudo ipcs -m 398 399 ------ Shared Memory Segments -------- 400 key shmid owner perms bytes nattch status 401 0x0000162e 0 root 666 27 1 402 ``` 403 Create a 2nd container correctly shows no shared memory segment from 1st container: 404 ``` 405 $ sudo docker run shm ipcs -m 406 407 ------ Shared Memory Segments -------- 408 key shmid owner perms bytes nattch status 409 ``` 410 411 Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first: 412 413 ``` 414 $ sudo docker run -it --ipc=container:ed735b2264ac shm ipcs -m 415 $ sudo ipcs -m 416 417 ------ Shared Memory Segments -------- 418 key shmid owner perms bytes nattch status 419 0x0000162e 0 root 666 27 1 420 ``` 421 422 ## Linking Containers 423 424 The link feature allows multiple containers to communicate with each other. For 425 example, a container whose Dockerfile has exposed port 80 can be run and named 426 as follows: 427 428 # docker run --name=link-test -d -i -t fedora/httpd 429 430 A second container, in this case called linker, can communicate with the httpd 431 container, named link-test, by running with the **--link=<name>:<alias>** 432 433 # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash 434 435 Now the container linker is linked to container link-test with the alias lt. 436 Running the **env** command in the linker container shows environment variables 437 with the LT (alias) context (**LT_**) 438 439 # env 440 HOSTNAME=668231cb0978 441 TERM=xterm 442 LT_PORT_80_TCP=tcp://172.17.0.3:80 443 LT_PORT_80_TCP_PORT=80 444 LT_PORT_80_TCP_PROTO=tcp 445 LT_PORT=tcp://172.17.0.3:80 446 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 447 PWD=/ 448 LT_NAME=/linker/lt 449 SHLVL=1 450 HOME=/ 451 LT_PORT_80_TCP_ADDR=172.17.0.3 452 _=/usr/bin/env 453 454 When linking two containers Docker will use the exposed ports of the container 455 to create a secure tunnel for the parent to access. 456 457 458 ## Mapping Ports for External Usage 459 460 The exposed port of an application can be mapped to a host port using the **-p** 461 flag. For example, a httpd port 80 can be mapped to the host port 8080 using the 462 following: 463 464 # docker run -p 8080:80 -d -i -t fedora/httpd 465 466 ## Creating and Mounting a Data Volume Container 467 468 Many applications require the sharing of persistent data across several 469 containers. Docker allows you to create a Data Volume Container that other 470 containers can mount from. For example, create a named container that contains 471 directories /var/volume1 and /tmp/volume2. The image will need to contain these 472 directories so a couple of RUN mkdir instructions might be required for you 473 fedora-data image: 474 475 # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true 476 # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash 477 478 Multiple --volumes-from parameters will bring together multiple data volumes from 479 multiple containers. And it's possible to mount the volumes that came from the 480 DATA container in yet another container via the fedora-container1 intermediary 481 container, allowing to abstract the actual data source from users of that data: 482 483 # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash 484 485 ## Mounting External Volumes 486 487 To mount a host directory as a container volume, specify the absolute path to 488 the directory and the absolute path for the container directory separated by a 489 colon: 490 491 # docker run -v /var/db:/data1 -i -t fedora bash 492 493 When using SELinux, be aware that the host has no knowledge of container SELinux 494 policy. Therefore, in the above example, if SELinux policy is enforced, the 495 `/var/db` directory is not writable to the container. A "Permission Denied" 496 message will occur and an avc: message in the host's syslog. 497 498 499 To work around this, at time of writing this man page, the following command 500 needs to be run in order for the proper SELinux policy type label to be attached 501 to the host directory: 502 503 # chcon -Rt svirt_sandbox_file_t /var/db 504 505 506 Now, writing to the /data1 volume in the container will be allowed and the 507 changes will also be reflected on the host in /var/db. 508 509 ## Using alternative security labeling 510 511 You can override the default labeling scheme for each container by specifying 512 the `--security-opt` flag. For example, you can specify the MCS/MLS level, a 513 requirement for MLS systems. Specifying the level in the following command 514 allows you to share the same content between containers. 515 516 # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash 517 518 An MLS example might be: 519 520 # docker run --security-opt label:level:TopSecret -i -t rhel7 bash 521 522 To disable the security labeling for this container versus running with the 523 `--permissive` flag, use the following command: 524 525 # docker run --security-opt label:disable -i -t fedora bash 526 527 If you want a tighter security policy on the processes within a container, 528 you can specify an alternate type for the container. You could run a container 529 that is only allowed to listen on Apache ports by executing the following 530 command: 531 532 # docker run --security-opt label:type:svirt_apache_t -i -t centos bash 533 534 Note: 535 536 You would have to write policy defining a `svirt_apache_t` type. 537 538 # HISTORY 539 April 2014, Originally compiled by William Henry (whenry at redhat dot com) 540 based on docker.com source material and internal work. 541 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au> 542 July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>