github.com/rsampaio/docker@v0.7.2-0.20150827203920-fdc73cc3fc31/man/docker-run.1.md (about) 1 % DOCKER(1) Docker User Manuals 2 % Docker Community 3 % JUNE 2014 4 # NAME 5 docker-run - Run a command in a new container 6 7 # SYNOPSIS 8 **docker run** 9 [**-a**|**--attach**[=*[]*]] 10 [**--add-host**[=*[]*]] 11 [**--blkio-weight**[=*[BLKIO-WEIGHT]*]] 12 [**-c**|**--cpu-shares**[=*0*]] 13 [**--cap-add**[=*[]*]] 14 [**--cap-drop**[=*[]*]] 15 [**--cgroup-parent**[=*CGROUP-PATH*]] 16 [**--cidfile**[=*CIDFILE*]] 17 [**--cpu-period**[=*0*]] 18 [**--cpu-quota**[=*0*]] 19 [**--cpuset-cpus**[=*CPUSET-CPUS*]] 20 [**--cpuset-mems**[=*CPUSET-MEMS*]] 21 [**-d**|**--detach**[=*false*]] 22 [**--device**[=*[]*]] 23 [**--dns**[=*[]*]] 24 [**--dns-search**[=*[]*]] 25 [**-e**|**--env**[=*[]*]] 26 [**--entrypoint**[=*ENTRYPOINT*]] 27 [**--env-file**[=*[]*]] 28 [**--expose**[=*[]*]] 29 [**--group-add**[=*[]*]] 30 [**-h**|**--hostname**[=*HOSTNAME*]] 31 [**--help**] 32 [**-i**|**--interactive**[=*false*]] 33 [**--ipc**[=*IPC*]] 34 [**--kernel-memory**[=*KERNEL-MEMORY*]] 35 [**-l**|**--label**[=*[]*]] 36 [**--label-file**[=*[]*]] 37 [**--link**[=*[]*]] 38 [**--log-driver**[=*[]*]] 39 [**--log-opt**[=*[]*]] 40 [**--lxc-conf**[=*[]*]] 41 [**-m**|**--memory**[=*MEMORY*]] 42 [**--mac-address**[=*MAC-ADDRESS*]] 43 [**--memory-swap**[=*MEMORY-SWAP*]] 44 [**--memory-swappiness**[=*MEMORY-SWAPPINESS*]] 45 [**--name**[=*NAME*]] 46 [**--net**[=*"bridge"*]] 47 [**--oom-kill-disable**[=*false*]] 48 [**-P**|**--publish-all**[=*false*]] 49 [**-p**|**--publish**[=*[]*]] 50 [**--pid**[=*[]*]] 51 [**--privileged**[=*false*]] 52 [**--read-only**[=*false*]] 53 [**--restart**[=*RESTART*]] 54 [**--rm**[=*false*]] 55 [**--security-opt**[=*[]*]] 56 [**--sig-proxy**[=*true*]] 57 [**-t**|**--tty**[=*false*]] 58 [**-u**|**--user**[=*USER*]] 59 [**-v**|**--volume**[=*[]*]] 60 [**--ulimit**[=*[]*]] 61 [**--uts**[=*[]*]] 62 [**--volumes-from**[=*[]*]] 63 [**-w**|**--workdir**[=*WORKDIR*]] 64 IMAGE [COMMAND] [ARG...] 65 66 # DESCRIPTION 67 68 Run a process in a new container. **docker run** starts a process with its own 69 file system, its own networking, and its own isolated process tree. The IMAGE 70 which starts the process may define defaults related to the process that will be 71 run in the container, the networking to expose, and more, but **docker run** 72 gives final control to the operator or administrator who starts the container 73 from the image. For that reason **docker run** has more options than any other 74 Docker command. 75 76 If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and 77 all image dependencies, from the repository in the same way running **docker 78 pull** IMAGE, before it starts the container from that image. 79 80 # OPTIONS 81 **-a**, **--attach**=[] 82 Attach to STDIN, STDOUT or STDERR. 83 84 In foreground mode (the default when **-d** 85 is not specified), **docker run** can start the process in the container 86 and attach the console to the process’s standard input, output, and standard 87 error. It can even pretend to be a TTY (this is what most commandline 88 executables expect) and pass along signals. The **-a** option can be set for 89 each of stdin, stdout, and stderr. 90 91 **--add-host**=[] 92 Add a custom host-to-IP mapping (host:ip) 93 94 Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** 95 option can be set multiple times. 96 97 **--blkio-weight**=0 98 Block IO weight (relative weight) accepts a weight value between 10 and 1000. 99 100 **-c**, **--cpu-shares**=0 101 CPU shares (relative weight) 102 103 By default, all containers get the same proportion of CPU cycles. This proportion 104 can be modified by changing the container's CPU share weighting relative 105 to the weighting of all other running containers. 106 107 To modify the proportion from the default of 1024, use the **-c** or **--cpu-shares** 108 flag to set the weighting to 2 or higher. 109 110 The proportion will only apply when CPU-intensive processes are running. 111 When tasks in one container are idle, other containers can use the 112 left-over CPU time. The actual amount of CPU time will vary depending on 113 the number of containers running on the system. 114 115 For example, consider three containers, one has a cpu-share of 1024 and 116 two others have a cpu-share setting of 512. When processes in all three 117 containers attempt to use 100% of CPU, the first container would receive 118 50% of the total CPU time. If you add a fourth container with a cpu-share 119 of 1024, the first container only gets 33% of the CPU. The remaining containers 120 receive 16.5%, 16.5% and 33% of the CPU. 121 122 On a multi-core system, the shares of CPU time are distributed over all CPU 123 cores. Even if a container is limited to less than 100% of CPU time, it can 124 use 100% of each individual CPU core. 125 126 For example, consider a system with more than three cores. If you start one 127 container **{C0}** with **-c=512** running one process, and another container 128 **{C1}** with **-c=1024** running two processes, this can result in the following 129 division of CPU shares: 130 131 PID container CPU CPU share 132 100 {C0} 0 100% of CPU0 133 101 {C1} 1 100% of CPU1 134 102 {C1} 2 100% of CPU2 135 136 **--cap-add**=[] 137 Add Linux capabilities 138 139 **--cap-drop**=[] 140 Drop Linux capabilities 141 142 **--cgroup-parent**="" 143 Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. 144 145 **--cidfile**="" 146 Write the container ID to the file 147 148 **--cpu-period**=0 149 Limit the CPU CFS (Completely Fair Scheduler) period 150 151 Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify. 152 153 **--cpuset-cpus**="" 154 CPUs in which to allow execution (0-3, 0,1) 155 156 **--cpuset-mems**="" 157 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. 158 159 If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` 160 then processes in your Docker container will only use memory from the first 161 two memory nodes. 162 163 **--cpu-quota**=0 164 Limit the CPU CFS (Completely Fair Scheduler) quota 165 166 Limit the container's CPU usage. By default, containers run with the full 167 CPU resource. This flag tell the kernel to restrict the container's CPU usage 168 to the quota you specify. 169 170 **-d**, **--detach**=*true*|*false* 171 Detached mode: run the container in the background and print the new container ID. The default is *false*. 172 173 At any time you can run **docker ps** in 174 the other shell to view a list of the running containers. You can reattach to a 175 detached container with **docker attach**. If you choose to run a container in 176 the detached mode, then you cannot use the **-rm** option. 177 178 When attached in the tty mode, you can detach from a running container without 179 stopping the process by pressing the keys CTRL-P CTRL-Q. 180 181 **--device**=[] 182 Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm) 183 184 **--dns-search**=[] 185 Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) 186 187 **--dns**=[] 188 Set custom DNS servers 189 190 This option can be used to override the DNS 191 configuration passed to the container. Typically this is necessary when the 192 host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this 193 is the case the **--dns** flags is necessary for every run. 194 195 **-e**, **--env**=[] 196 Set environment variables 197 198 This option allows you to specify arbitrary 199 environment variables that are available for the process that will be launched 200 inside of the container. 201 202 **--entrypoint**="" 203 Overwrite the default ENTRYPOINT of the image 204 205 This option allows you to overwrite the default entrypoint of the image that 206 is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND 207 because it specifies what executable to run when the container starts, but it is 208 (purposely) more difficult to override. The ENTRYPOINT gives a container its 209 default nature or behavior, so that when you set an ENTRYPOINT you can run the 210 container as if it were that binary, complete with default options, and you can 211 pass in more options via the COMMAND. But, sometimes an operator may want to run 212 something else inside the container, so you can override the default ENTRYPOINT 213 at runtime by using a **--entrypoint** and a string to specify the new 214 ENTRYPOINT. 215 216 **--env-file**=[] 217 Read in a line delimited file of environment variables 218 219 **--expose**=[] 220 Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host 221 222 **--group-add**=[] 223 Add additional groups to run as 224 225 **-h**, **--hostname**="" 226 Container host name 227 228 Sets the container host name that is available inside the container. 229 230 **--help** 231 Print usage statement 232 233 **-i**, **--interactive**=*true*|*false* 234 Keep STDIN open even if not attached. The default is *false*. 235 236 When set to true, keep stdin open even if not attached. The default is false. 237 238 **--ipc**="" 239 Default is to create a private IPC namespace (POSIX SysV IPC) for the container 240 'container:<name|id>': reuses another container shared memory, semaphores and message queues 241 'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. 242 243 **-l**, **--label**=[] 244 Set metadata on the container (e.g., --label com.example.key=value) 245 246 **--kernel-memory**="" 247 Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) 248 249 Constrains the kernel memory available to a container. If a limit of 0 250 is specified (not using `--kernel-memory`), the container's kernel memory 251 is not limited. If you specify a limit, it may be rounded up to a multiple 252 of the operating system's page size and the value can be very large, 253 millions of trillions. 254 255 **--label-file**=[] 256 Read in a line delimited file of labels 257 258 **--link**=[] 259 Add link to another container in the form of <name or id>:alias or just <name or id> 260 in which case the alias will match the name 261 262 If the operator 263 uses **--link** when starting the new client container, then the client 264 container can access the exposed port via a private networking interface. Docker 265 will set some environment variables in the client container to help indicate 266 which interface and port to use. 267 268 **--lxc-conf**=[] 269 (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" 270 271 **--log-driver**="|*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*none*" 272 Logging driver for container. Default is defined by daemon `--log-driver` flag. 273 **Warning**: `docker logs` command works only for `json-file` logging driver. 274 275 **--log-opt**=[] 276 Logging driver specific options. 277 278 **-m**, **--memory**="" 279 Memory limit (format: <number>[<unit>], where unit = b, k, m or g) 280 281 Allows you to constrain the memory available to a container. If the host 282 supports swap memory, then the **-m** memory setting can be larger than physical 283 RAM. If a limit of 0 is specified (not using **-m**), the container's memory is 284 not limited. The actual limit may be rounded up to a multiple of the operating 285 system's page size (the value would be very large, that's millions of trillions). 286 287 **--memory-swap**="" 288 Total memory limit (memory + swap) 289 290 Set `-1` to disable swap (format: <number>[<unit>], where unit = b, k, m or g). 291 This value should always larger than **-m**, so you should always use this with **-m**. 292 293 **--mac-address**="" 294 Container MAC address (e.g. 92:d0:c6:0a:29:33) 295 296 Remember that the MAC address in an Ethernet network must be unique. 297 The IPv6 link-local address will be based on the device's MAC address 298 according to RFC4862. 299 300 **--name**="" 301 Assign a name to the container 302 303 The operator can identify a container in three ways: 304 UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) 305 UUID short identifier (“f78375b1c487”) 306 Name (“jonah”) 307 308 The UUID identifiers come from the Docker daemon, and if a name is not assigned 309 to the container with **--name** then the daemon will also generate a random 310 string name. The name is useful when defining links (see **--link**) (or any 311 other place you need to identify a container). This works for both background 312 and foreground Docker containers. 313 314 **--net**="bridge" 315 Set the Network mode for the container 316 'bridge': creates a new network stack for the container on the docker bridge 317 'none': no networking for this container 318 'container:<name|id>': reuses another container network stack 319 'host': use the host network stack inside the container. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. 320 321 **--oom-kill-disable**=*true*|*false* 322 Whether to disable OOM Killer for the container or not. 323 324 **-P**, **--publish-all**=*true*|*false* 325 Publish all exposed ports to random ports on the host interfaces. The default is *false*. 326 327 When set to true publish all exposed ports to the host interfaces. The 328 default is false. If the operator uses -P (or -p) then Docker will make the 329 exposed port accessible on the host and the ports will be available to any 330 client that can reach the host. When using -P, Docker will bind any exposed 331 port to a random port on the host within an *ephemeral port range* defined by 332 `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host 333 ports and the exposed ports, use `docker port`. 334 335 **-p**, **--publish**=[] 336 Publish a container's port, or range of ports, to the host. 337 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort 338 Both hostPort and containerPort can be specified as a range of ports. 339 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`) 340 (use 'docker port' to see the actual mapping) 341 342 **--pid**=host 343 Set the PID mode for the container 344 **host**: use the host's PID namespace inside the container. 345 Note: the host mode gives the container full access to local PID and is therefore considered insecure. 346 347 **--uts**=host 348 Set the UTS mode for the container 349 **host**: use the host's UTS namespace inside the container. 350 Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure. 351 352 **--privileged**=*true*|*false* 353 Give extended privileges to this container. The default is *false*. 354 355 By default, Docker containers are 356 “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the 357 Docker container. This is because by default a container is not allowed to 358 access any devices. A “privileged” container is given access to all devices. 359 360 When the operator executes **docker run --privileged**, Docker will enable access 361 to all devices on the host as well as set some configuration in AppArmor to 362 allow the container nearly all the same access to the host as processes running 363 outside of a container on the host. 364 365 **--read-only**=*true*|*false* 366 Mount the container's root filesystem as read only. 367 368 By default a container will have its root filesystem writable allowing processes 369 to write files anywhere. By specifying the `--read-only` flag the container will have 370 its root filesystem mounted as read only prohibiting any writes. 371 372 **--restart**="no" 373 Restart policy to apply when a container exits (no, on-failure[:max-retry], always, unless-stopped). 374 375 **--rm**=*true*|*false* 376 Automatically remove the container when it exits (incompatible with -d). The default is *false*. 377 378 **--security-opt**=[] 379 Security Options 380 381 "label:user:USER" : Set the label user for the container 382 "label:role:ROLE" : Set the label role for the container 383 "label:type:TYPE" : Set the label type for the container 384 "label:level:LEVEL" : Set the label level for the container 385 "label:disable" : Turn off label confinement for the container 386 387 **--sig-proxy**=*true*|*false* 388 Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. 389 390 **--memory-swappiness**="" 391 Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. 392 393 **-t**, **--tty**=*true*|*false* 394 Allocate a pseudo-TTY. The default is *false*. 395 396 When set to true Docker can allocate a pseudo-tty and attach to the standard 397 input of any container. This can be used, for example, to run a throwaway 398 interactive shell. The default is value is false. 399 400 The **-t** option is incompatible with a redirection of the docker client 401 standard input. 402 403 **-u**, **--user**="" 404 Sets the username or UID used and optionally the groupname or GID for the specified command. 405 406 The followings examples are all valid: 407 --user [user | user:group | uid | uid:gid | user:gid | uid:group ] 408 409 Without this argument the command will be run as root in the container. 410 411 ""--ulimit""=[] 412 Ulimit options 413 414 **-v**, **--volume**=[] 415 Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container) 416 417 The **-v** option can be used one or 418 more times to add one or more mounts to a container. These mounts can then be 419 used in other containers using the **--volumes-from** option. 420 421 The volume may be optionally suffixed with :ro or :rw to mount the volumes in 422 read-only or read-write mode, respectively. By default, the volumes are mounted 423 read-write. See examples. 424 425 Labeling systems like SELinux require that proper labels are placed on volume 426 content mounted into a container. Without a label, the security system might 427 prevent the processes running inside the container from using the content. By 428 default, Docker does not change the labels set by the OS. 429 430 To change a label in the container context, you can add either of two suffixes 431 `:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file 432 objects on the shared volumes. The `z` option tells Docker that two containers 433 share the volume content. As a result, Docker labels the content with a shared 434 content label. Shared volume labels allow all containers to read/write content. 435 The `Z` option tells Docker to label the content with a private unshared label. 436 Only the current container can use a private volume. 437 438 Note: Multiple Volume options can be added separated by a "," 439 440 **--volumes-from**=[] 441 Mount volumes from the specified container(s) 442 443 Mounts already mounted volumes from a source container onto another 444 container. You must supply the source's container-id. To share 445 a volume, use the **--volumes-from** option when running 446 the target container. You can share volumes even if the source container 447 is not running. 448 449 By default, Docker mounts the volumes in the same mode (read-write or 450 read-only) as it is mounted in the source container. Optionally, you 451 can change this by suffixing the container-id with either the `:ro` or 452 `:rw ` keyword. 453 454 If the location of the volume from the source container overlaps with 455 data residing on a target container, then the volume hides 456 that data on the target. 457 458 **-w**, **--workdir**="" 459 Working directory inside the container 460 461 The default working directory for 462 running binaries within a container is the root directory (/). The developer can 463 set a different default with the Dockerfile WORKDIR instruction. The operator 464 can override the working directory by using the **-w** option. 465 466 # EXAMPLES 467 468 ## Exposing log messages from the container to the host's log 469 470 If you want messages that are logged in your container to show up in the host's 471 syslog/journal then you should bind mount the /dev/log directory as follows. 472 473 # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash 474 475 From inside the container you can test this by sending a message to the log. 476 477 (bash)# logger "Hello from my container" 478 479 Then exit and check the journal. 480 481 # exit 482 483 # journalctl -b | grep Hello 484 485 This should list the message sent to logger. 486 487 ## Attaching to one or more from STDIN, STDOUT, STDERR 488 489 If you do not specify -a then Docker will attach everything (stdin,stdout,stderr) 490 . You can specify to which of the three standard streams (stdin, stdout, stderr) 491 you’d like to connect instead, as in: 492 493 # docker run -a stdin -a stdout -i -t fedora /bin/bash 494 495 ## Sharing IPC between containers 496 497 Using shm_server.c available here: https://www.cs.cf.ac.uk/Dave/C/node27.html 498 499 Testing `--ipc=host` mode: 500 501 Host shows a shared memory segment with 7 pids attached, happens to be from httpd: 502 503 ``` 504 $ sudo ipcs -m 505 506 ------ Shared Memory Segments -------- 507 key shmid owner perms bytes nattch status 508 0x01128e25 0 root 600 1000 7 509 ``` 510 511 Now run a regular container, and it correctly does NOT see the shared memory segment from the host: 512 513 ``` 514 $ docker run -it shm ipcs -m 515 516 ------ Shared Memory Segments -------- 517 key shmid owner perms bytes nattch status 518 ``` 519 520 Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd: 521 522 ``` 523 $ docker run -it --ipc=host shm ipcs -m 524 525 ------ Shared Memory Segments -------- 526 key shmid owner perms bytes nattch status 527 0x01128e25 0 root 600 1000 7 528 ``` 529 Testing `--ipc=container:CONTAINERID` mode: 530 531 Start a container with a program to create a shared memory segment: 532 ``` 533 $ docker run -it shm bash 534 $ sudo shm/shm_server & 535 $ sudo ipcs -m 536 537 ------ Shared Memory Segments -------- 538 key shmid owner perms bytes nattch status 539 0x0000162e 0 root 666 27 1 540 ``` 541 Create a 2nd container correctly shows no shared memory segment from 1st container: 542 ``` 543 $ docker run shm ipcs -m 544 545 ------ Shared Memory Segments -------- 546 key shmid owner perms bytes nattch status 547 ``` 548 549 Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first: 550 551 ``` 552 $ docker run -it --ipc=container:ed735b2264ac shm ipcs -m 553 $ sudo ipcs -m 554 555 ------ Shared Memory Segments -------- 556 key shmid owner perms bytes nattch status 557 0x0000162e 0 root 666 27 1 558 ``` 559 560 ## Linking Containers 561 562 The link feature allows multiple containers to communicate with each other. For 563 example, a container whose Dockerfile has exposed port 80 can be run and named 564 as follows: 565 566 # docker run --name=link-test -d -i -t fedora/httpd 567 568 A second container, in this case called linker, can communicate with the httpd 569 container, named link-test, by running with the **--link=<name>:<alias>** 570 571 # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash 572 573 Now the container linker is linked to container link-test with the alias lt. 574 Running the **env** command in the linker container shows environment variables 575 with the LT (alias) context (**LT_**) 576 577 # env 578 HOSTNAME=668231cb0978 579 TERM=xterm 580 LT_PORT_80_TCP=tcp://172.17.0.3:80 581 LT_PORT_80_TCP_PORT=80 582 LT_PORT_80_TCP_PROTO=tcp 583 LT_PORT=tcp://172.17.0.3:80 584 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 585 PWD=/ 586 LT_NAME=/linker/lt 587 SHLVL=1 588 HOME=/ 589 LT_PORT_80_TCP_ADDR=172.17.0.3 590 _=/usr/bin/env 591 592 When linking two containers Docker will use the exposed ports of the container 593 to create a secure tunnel for the parent to access. 594 595 596 ## Mapping Ports for External Usage 597 598 The exposed port of an application can be mapped to a host port using the **-p** 599 flag. For example, a httpd port 80 can be mapped to the host port 8080 using the 600 following: 601 602 # docker run -p 8080:80 -d -i -t fedora/httpd 603 604 ## Creating and Mounting a Data Volume Container 605 606 Many applications require the sharing of persistent data across several 607 containers. Docker allows you to create a Data Volume Container that other 608 containers can mount from. For example, create a named container that contains 609 directories /var/volume1 and /tmp/volume2. The image will need to contain these 610 directories so a couple of RUN mkdir instructions might be required for you 611 fedora-data image: 612 613 # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true 614 # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash 615 616 Multiple --volumes-from parameters will bring together multiple data volumes from 617 multiple containers. And it's possible to mount the volumes that came from the 618 DATA container in yet another container via the fedora-container1 intermediary 619 container, allowing to abstract the actual data source from users of that data: 620 621 # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash 622 623 ## Mounting External Volumes 624 625 To mount a host directory as a container volume, specify the absolute path to 626 the directory and the absolute path for the container directory separated by a 627 colon: 628 629 # docker run -v /var/db:/data1 -i -t fedora bash 630 631 When using SELinux, be aware that the host has no knowledge of container SELinux 632 policy. Therefore, in the above example, if SELinux policy is enforced, the 633 `/var/db` directory is not writable to the container. A "Permission Denied" 634 message will occur and an avc: message in the host's syslog. 635 636 637 To work around this, at time of writing this man page, the following command 638 needs to be run in order for the proper SELinux policy type label to be attached 639 to the host directory: 640 641 # chcon -Rt svirt_sandbox_file_t /var/db 642 643 644 Now, writing to the /data1 volume in the container will be allowed and the 645 changes will also be reflected on the host in /var/db. 646 647 ## Using alternative security labeling 648 649 You can override the default labeling scheme for each container by specifying 650 the `--security-opt` flag. For example, you can specify the MCS/MLS level, a 651 requirement for MLS systems. Specifying the level in the following command 652 allows you to share the same content between containers. 653 654 # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash 655 656 An MLS example might be: 657 658 # docker run --security-opt label:level:TopSecret -i -t rhel7 bash 659 660 To disable the security labeling for this container versus running with the 661 `--permissive` flag, use the following command: 662 663 # docker run --security-opt label:disable -i -t fedora bash 664 665 If you want a tighter security policy on the processes within a container, 666 you can specify an alternate type for the container. You could run a container 667 that is only allowed to listen on Apache ports by executing the following 668 command: 669 670 # docker run --security-opt label:type:svirt_apache_t -i -t centos bash 671 672 Note: 673 674 You would have to write policy defining a `svirt_apache_t` type. 675 676 # HISTORY 677 April 2014, Originally compiled by William Henry (whenry at redhat dot com) 678 based on docker.com source material and internal work. 679 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au> 680 July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>