github.com/squaremo/docker@v1.3.2-0.20150516120342-42cfc9554972/docs/man/docker-run.1.md (about) 1 % DOCKER(1) Docker User Manuals 2 % Docker Community 3 % JUNE 2014 4 # NAME 5 docker-run - Run a command in a new container 6 7 # SYNOPSIS 8 **docker run** 9 [**-a**|**--attach**[=*[]*]] 10 [**--add-host**[=*[]*]] 11 [**--blkio-weight**[=*[BLKIO-WEIGHT]*]] 12 [**-c**|**--cpu-shares**[=*0*]] 13 [**--cap-add**[=*[]*]] 14 [**--cap-drop**[=*[]*]] 15 [**--cidfile**[=*CIDFILE*]] 16 [**--cpu-period**[=*0*]] 17 [**--cpuset-cpus**[=*CPUSET-CPUS*]] 18 [**--cpuset-mems**[=*CPUSET-MEMS*]] 19 [**-d**|**--detach**[=*false*]] 20 [**--cpu-quota**[=*0*]] 21 [**--device**[=*[]*]] 22 [**--dns-search**[=*[]*]] 23 [**--dns**[=*[]*]] 24 [**-e**|**--env**[=*[]*]] 25 [**--entrypoint**[=*ENTRYPOINT*]] 26 [**--env-file**[=*[]*]] 27 [**--expose**[=*[]*]] 28 [**-h**|**--hostname**[=*HOSTNAME*]] 29 [**--help**] 30 [**-i**|**--interactive**[=*false*]] 31 [**--ipc**[=*IPC*]] 32 [**-l**|**--label**[=*[]*]] 33 [**--label-file**[=*[]*]] 34 [**--link**[=*[]*]] 35 [**--lxc-conf**[=*[]*]] 36 [**--log-driver**[=*[]*]] 37 [**-m**|**--memory**[=*MEMORY*]] 38 [**--memory-swap**[=*MEMORY-SWAP*]] 39 [**--mac-address**[=*MAC-ADDRESS*]] 40 [**--name**[=*NAME*]] 41 [**--net**[=*"bridge"*]] 42 [**--oom-kill-disable**[=*false*]] 43 [**-P**|**--publish-all**[=*false*]] 44 [**-p**|**--publish**[=*[]*]] 45 [**--pid**[=*[]*]] 46 [**--uts**[=*[]*]] 47 [**--privileged**[=*false*]] 48 [**--read-only**[=*false*]] 49 [**--restart**[=*RESTART*]] 50 [**--rm**[=*false*]] 51 [**--security-opt**[=*[]*]] 52 [**--sig-proxy**[=*true*]] 53 [**-t**|**--tty**[=*false*]] 54 [**-u**|**--user**[=*USER*]] 55 [**-v**|**--volume**[=*[]*]] 56 [**--volumes-from**[=*[]*]] 57 [**-w**|**--workdir**[=*WORKDIR*]] 58 [**--cgroup-parent**[=*CGROUP-PATH*]] 59 IMAGE [COMMAND] [ARG...] 60 61 # DESCRIPTION 62 63 Run a process in a new container. **docker run** starts a process with its own 64 file system, its own networking, and its own isolated process tree. The IMAGE 65 which starts the process may define defaults related to the process that will be 66 run in the container, the networking to expose, and more, but **docker run** 67 gives final control to the operator or administrator who starts the container 68 from the image. For that reason **docker run** has more options than any other 69 Docker command. 70 71 If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and 72 all image dependencies, from the repository in the same way running **docker 73 pull** IMAGE, before it starts the container from that image. 74 75 # OPTIONS 76 **-a**, **--attach**=[] 77 Attach to STDIN, STDOUT or STDERR. 78 79 In foreground mode (the default when **-d** 80 is not specified), **docker run** can start the process in the container 81 and attach the console to the process’s standard input, output, and standard 82 error. It can even pretend to be a TTY (this is what most commandline 83 executables expect) and pass along signals. The **-a** option can be set for 84 each of stdin, stdout, and stderr. 85 86 **--add-host**=[] 87 Add a custom host-to-IP mapping (host:ip) 88 89 Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** 90 option can be set multiple times. 91 92 **--blkio-weight**=0 93 Block IO weight (relative weight) accepts a weight value between 10 and 1000. 94 95 **-c**, **--cpu-shares**=0 96 CPU shares (relative weight) 97 98 By default, all containers get the same proportion of CPU cycles. This proportion 99 can be modified by changing the container's CPU share weighting relative 100 to the weighting of all other running containers. 101 102 To modify the proportion from the default of 1024, use the **-c** or **--cpu-shares** 103 flag to set the weighting to 2 or higher. 104 105 The proportion will only apply when CPU-intensive processes are running. 106 When tasks in one container are idle, other containers can use the 107 left-over CPU time. The actual amount of CPU time will vary depending on 108 the number of containers running on the system. 109 110 For example, consider three containers, one has a cpu-share of 1024 and 111 two others have a cpu-share setting of 512. When processes in all three 112 containers attempt to use 100% of CPU, the first container would receive 113 50% of the total CPU time. If you add a fourth container with a cpu-share 114 of 1024, the first container only gets 33% of the CPU. The remaining containers 115 receive 16.5%, 16.5% and 33% of the CPU. 116 117 On a multi-core system, the shares of CPU time are distributed over all CPU 118 cores. Even if a container is limited to less than 100% of CPU time, it can 119 use 100% of each individual CPU core. 120 121 For example, consider a system with more than three cores. If you start one 122 container **{C0}** with **-c=512** running one process, and another container 123 **{C1}** with **-c=1024** running two processes, this can result in the following 124 division of CPU shares: 125 126 PID container CPU CPU share 127 100 {C0} 0 100% of CPU0 128 101 {C1} 1 100% of CPU1 129 102 {C1} 2 100% of CPU2 130 131 **--cap-add**=[] 132 Add Linux capabilities 133 134 **--cap-drop**=[] 135 Drop Linux capabilities 136 137 **--cgroup-parent**="" 138 Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. 139 140 **--cidfile**="" 141 Write the container ID to the file 142 143 **--cpu-period**=0 144 Limit the CPU CFS (Completely Fair Scheduler) period 145 146 Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify. 147 148 **--cpuset-cpus**="" 149 CPUs in which to allow execution (0-3, 0,1) 150 151 **--cpuset-mems**="" 152 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. 153 154 If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` 155 then processes in your Docker container will only use memory from the first 156 two memory nodes. 157 158 **--cpu-quota**=0 159 Limit the CPU CFS (Completely Fair Scheduler) quota 160 161 Limit the container's CPU usage. By default, containers run with the full 162 CPU resource. This flag tell the kernel to restrict the container's CPU usage 163 to the quota you specify. 164 165 **-d**, **--detach**=*true*|*false* 166 Detached mode: run the container in the background and print the new container ID. The default is *false*. 167 168 At any time you can run **docker ps** in 169 the other shell to view a list of the running containers. You can reattach to a 170 detached container with **docker attach**. If you choose to run a container in 171 the detached mode, then you cannot use the **-rm** option. 172 173 When attached in the tty mode, you can detach from a running container without 174 stopping the process by pressing the keys CTRL-P CTRL-Q. 175 176 **--device**=[] 177 Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm) 178 179 **--dns-search**=[] 180 Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) 181 182 **--dns**=[] 183 Set custom DNS servers 184 185 This option can be used to override the DNS 186 configuration passed to the container. Typically this is necessary when the 187 host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this 188 is the case the **--dns** flags is necessary for every run. 189 190 **-e**, **--env**=[] 191 Set environment variables 192 193 This option allows you to specify arbitrary 194 environment variables that are available for the process that will be launched 195 inside of the container. 196 197 **--entrypoint**="" 198 Overwrite the default ENTRYPOINT of the image 199 200 This option allows you to overwrite the default entrypoint of the image that 201 is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND 202 because it specifies what executable to run when the container starts, but it is 203 (purposely) more difficult to override. The ENTRYPOINT gives a container its 204 default nature or behavior, so that when you set an ENTRYPOINT you can run the 205 container as if it were that binary, complete with default options, and you can 206 pass in more options via the COMMAND. But, sometimes an operator may want to run 207 something else inside the container, so you can override the default ENTRYPOINT 208 at runtime by using a **--entrypoint** and a string to specify the new 209 ENTRYPOINT. 210 211 **--env-file**=[] 212 Read in a line delimited file of environment variables 213 214 **--expose**=[] 215 Expose a port, or a range of ports (e.g. --expose=3300-3310), from the container without publishing it to your host 216 217 **-h**, **--hostname**="" 218 Container host name 219 220 Sets the container host name that is available inside the container. 221 222 **--help** 223 Print usage statement 224 225 **-i**, **--interactive**=*true*|*false* 226 Keep STDIN open even if not attached. The default is *false*. 227 228 When set to true, keep stdin open even if not attached. The default is false. 229 230 **--ipc**="" 231 Default is to create a private IPC namespace (POSIX SysV IPC) for the container 232 'container:<name|id>': reuses another container shared memory, semaphores and message queues 233 'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. 234 235 **-l**, **--label**=[] 236 Set metadata on the container (e.g., --label com.example.key=value) 237 238 **--label-file**=[] 239 Read in a line delimited file of labels 240 241 **--link**=[] 242 Add link to another container in the form of <name or id>:alias or just <name or id> 243 in which case the alias will match the name 244 245 If the operator 246 uses **--link** when starting the new client container, then the client 247 container can access the exposed port via a private networking interface. Docker 248 will set some environment variables in the client container to help indicate 249 which interface and port to use. 250 251 **--lxc-conf**=[] 252 (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1" 253 254 **--log-driver**="|*json-file*|*syslog*|*journald*|*none*" 255 Logging driver for container. Default is defined by daemon `--log-driver` flag. 256 **Warning**: `docker logs` command works only for `json-file` logging driver. 257 258 **-m**, **--memory**="" 259 Memory limit (format: <number><optional unit>, where unit = b, k, m or g) 260 261 Allows you to constrain the memory available to a container. If the host 262 supports swap memory, then the **-m** memory setting can be larger than physical 263 RAM. If a limit of 0 is specified (not using **-m**), the container's memory is 264 not limited. The actual limit may be rounded up to a multiple of the operating 265 system's page size (the value would be very large, that's millions of trillions). 266 267 **--memory-swap**="" 268 Total memory limit (memory + swap) 269 270 Set `-1` to disable swap (format: <number><optional unit>, where unit = b, k, m or g). 271 This value should always larger than **-m**, so you should always use this with **-m**. 272 273 **--mac-address**="" 274 Container MAC address (e.g. 92:d0:c6:0a:29:33) 275 276 Remember that the MAC address in an Ethernet network must be unique. 277 The IPv6 link-local address will be based on the device's MAC address 278 according to RFC4862. 279 280 **--name**="" 281 Assign a name to the container 282 283 The operator can identify a container in three ways: 284 UUID long identifier (“f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778”) 285 UUID short identifier (“f78375b1c487”) 286 Name (“jonah”) 287 288 The UUID identifiers come from the Docker daemon, and if a name is not assigned 289 to the container with **--name** then the daemon will also generate a random 290 string name. The name is useful when defining links (see **--link**) (or any 291 other place you need to identify a container). This works for both background 292 and foreground Docker containers. 293 294 **--net**="bridge" 295 Set the Network mode for the container 296 'bridge': creates a new network stack for the container on the docker bridge 297 'none': no networking for this container 298 'container:<name|id>': reuses another container network stack 299 'host': use the host network stack inside the container. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure. 300 301 **--oom-kill-disable**=*true*|*false* 302 Whether to disable OOM Killer for the container or not. 303 304 **-P**, **--publish-all**=*true*|*false* 305 Publish all exposed ports to random ports on the host interfaces. The default is *false*. 306 307 When set to true publish all exposed ports to the host interfaces. The 308 default is false. If the operator uses -P (or -p) then Docker will make the 309 exposed port accessible on the host and the ports will be available to any 310 client that can reach the host. When using -P, Docker will bind any exposed 311 port to a random port on the host within an *ephemeral port range* defined by 312 `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host 313 ports and the exposed ports, use `docker port`. 314 315 **-p**, **--publish**=[] 316 Publish a container's port, or range of ports, to the host. 317 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort 318 Both hostPort and containerPort can be specified as a range of ports. 319 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`) 320 (use 'docker port' to see the actual mapping) 321 322 **--pid**=host 323 Set the PID mode for the container 324 **host**: use the host's PID namespace inside the container. 325 Note: the host mode gives the container full access to local PID and is therefore considered insecure. 326 327 **--uts**=host 328 Set the UTS mode for the container 329 **host**: use the host's UTS namespace inside the container. 330 Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure. 331 332 **--privileged**=*true*|*false* 333 Give extended privileges to this container. The default is *false*. 334 335 By default, Docker containers are 336 “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the 337 Docker container. This is because by default a container is not allowed to 338 access any devices. A “privileged” container is given access to all devices. 339 340 When the operator executes **docker run --privileged**, Docker will enable access 341 to all devices on the host as well as set some configuration in AppArmor to 342 allow the container nearly all the same access to the host as processes running 343 outside of a container on the host. 344 345 **--read-only**=*true*|*false* 346 Mount the container's root filesystem as read only. 347 348 By default a container will have its root filesystem writable allowing processes 349 to write files anywhere. By specifying the `--read-only` flag the container will have 350 its root filesystem mounted as read only prohibiting any writes. 351 352 **--restart**="no" 353 Restart policy to apply when a container exits (no, on-failure[:max-retry], always) 354 355 **--rm**=*true*|*false* 356 Automatically remove the container when it exits (incompatible with -d). The default is *false*. 357 358 **--security-opt**=[] 359 Security Options 360 361 "label:user:USER" : Set the label user for the container 362 "label:role:ROLE" : Set the label role for the container 363 "label:type:TYPE" : Set the label type for the container 364 "label:level:LEVEL" : Set the label level for the container 365 "label:disable" : Turn off label confinement for the container 366 367 **--sig-proxy**=*true*|*false* 368 Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. 369 370 **-t**, **--tty**=*true*|*false* 371 Allocate a pseudo-TTY. The default is *false*. 372 373 When set to true Docker can allocate a pseudo-tty and attach to the standard 374 input of any container. This can be used, for example, to run a throwaway 375 interactive shell. The default is value is false. 376 377 The **-t** option is incompatible with a redirection of the docker client 378 standard input. 379 380 **-u**, **--user**="" 381 Sets the username or UID used and optionally the groupname or GID for the specified command. 382 383 The followings examples are all valid: 384 --user [user | user:group | uid | uid:gid | user:gid | uid:group ] 385 386 Without this argument the command will be run as root in the container. 387 388 **-v**, **--volume**=[] 389 Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container) 390 391 The **-v** option can be used one or 392 more times to add one or more mounts to a container. These mounts can then be 393 used in other containers using the **--volumes-from** option. 394 395 The volume may be optionally suffixed with :ro or :rw to mount the volumes in 396 read-only or read-write mode, respectively. By default, the volumes are mounted 397 read-write. See examples. 398 399 **--volumes-from**=[] 400 Mount volumes from the specified container(s) 401 402 Mounts already mounted volumes from a source container onto another 403 container. You must supply the source's container-id. To share 404 a volume, use the **--volumes-from** option when running 405 the target container. You can share volumes even if the source container 406 is not running. 407 408 By default, Docker mounts the volumes in the same mode (read-write or 409 read-only) as it is mounted in the source container. Optionally, you 410 can change this by suffixing the container-id with either the `:ro` or 411 `:rw ` keyword. 412 413 If the location of the volume from the source container overlaps with 414 data residing on a target container, then the volume hides 415 that data on the target. 416 417 **-w**, **--workdir**="" 418 Working directory inside the container 419 420 The default working directory for 421 running binaries within a container is the root directory (/). The developer can 422 set a different default with the Dockerfile WORKDIR instruction. The operator 423 can override the working directory by using the **-w** option. 424 425 # EXAMPLES 426 427 ## Exposing log messages from the container to the host's log 428 429 If you want messages that are logged in your container to show up in the host's 430 syslog/journal then you should bind mount the /dev/log directory as follows. 431 432 # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash 433 434 From inside the container you can test this by sending a message to the log. 435 436 (bash)# logger "Hello from my container" 437 438 Then exit and check the journal. 439 440 # exit 441 442 # journalctl -b | grep Hello 443 444 This should list the message sent to logger. 445 446 ## Attaching to one or more from STDIN, STDOUT, STDERR 447 448 If you do not specify -a then Docker will attach everything (stdin,stdout,stderr) 449 . You can specify to which of the three standard streams (stdin, stdout, stderr) 450 you’d like to connect instead, as in: 451 452 # docker run -a stdin -a stdout -i -t fedora /bin/bash 453 454 ## Sharing IPC between containers 455 456 Using shm_server.c available here: https://www.cs.cf.ac.uk/Dave/C/node27.html 457 458 Testing `--ipc=host` mode: 459 460 Host shows a shared memory segment with 7 pids attached, happens to be from httpd: 461 462 ``` 463 $ sudo ipcs -m 464 465 ------ Shared Memory Segments -------- 466 key shmid owner perms bytes nattch status 467 0x01128e25 0 root 600 1000 7 468 ``` 469 470 Now run a regular container, and it correctly does NOT see the shared memory segment from the host: 471 472 ``` 473 $ docker run -it shm ipcs -m 474 475 ------ Shared Memory Segments -------- 476 key shmid owner perms bytes nattch status 477 ``` 478 479 Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd: 480 481 ``` 482 $ docker run -it --ipc=host shm ipcs -m 483 484 ------ Shared Memory Segments -------- 485 key shmid owner perms bytes nattch status 486 0x01128e25 0 root 600 1000 7 487 ``` 488 Testing `--ipc=container:CONTAINERID` mode: 489 490 Start a container with a program to create a shared memory segment: 491 ``` 492 $ docker run -it shm bash 493 $ sudo shm/shm_server & 494 $ sudo ipcs -m 495 496 ------ Shared Memory Segments -------- 497 key shmid owner perms bytes nattch status 498 0x0000162e 0 root 666 27 1 499 ``` 500 Create a 2nd container correctly shows no shared memory segment from 1st container: 501 ``` 502 $ docker run shm ipcs -m 503 504 ------ Shared Memory Segments -------- 505 key shmid owner perms bytes nattch status 506 ``` 507 508 Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first: 509 510 ``` 511 $ docker run -it --ipc=container:ed735b2264ac shm ipcs -m 512 $ sudo ipcs -m 513 514 ------ Shared Memory Segments -------- 515 key shmid owner perms bytes nattch status 516 0x0000162e 0 root 666 27 1 517 ``` 518 519 ## Linking Containers 520 521 The link feature allows multiple containers to communicate with each other. For 522 example, a container whose Dockerfile has exposed port 80 can be run and named 523 as follows: 524 525 # docker run --name=link-test -d -i -t fedora/httpd 526 527 A second container, in this case called linker, can communicate with the httpd 528 container, named link-test, by running with the **--link=<name>:<alias>** 529 530 # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash 531 532 Now the container linker is linked to container link-test with the alias lt. 533 Running the **env** command in the linker container shows environment variables 534 with the LT (alias) context (**LT_**) 535 536 # env 537 HOSTNAME=668231cb0978 538 TERM=xterm 539 LT_PORT_80_TCP=tcp://172.17.0.3:80 540 LT_PORT_80_TCP_PORT=80 541 LT_PORT_80_TCP_PROTO=tcp 542 LT_PORT=tcp://172.17.0.3:80 543 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 544 PWD=/ 545 LT_NAME=/linker/lt 546 SHLVL=1 547 HOME=/ 548 LT_PORT_80_TCP_ADDR=172.17.0.3 549 _=/usr/bin/env 550 551 When linking two containers Docker will use the exposed ports of the container 552 to create a secure tunnel for the parent to access. 553 554 555 ## Mapping Ports for External Usage 556 557 The exposed port of an application can be mapped to a host port using the **-p** 558 flag. For example, a httpd port 80 can be mapped to the host port 8080 using the 559 following: 560 561 # docker run -p 8080:80 -d -i -t fedora/httpd 562 563 ## Creating and Mounting a Data Volume Container 564 565 Many applications require the sharing of persistent data across several 566 containers. Docker allows you to create a Data Volume Container that other 567 containers can mount from. For example, create a named container that contains 568 directories /var/volume1 and /tmp/volume2. The image will need to contain these 569 directories so a couple of RUN mkdir instructions might be required for you 570 fedora-data image: 571 572 # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true 573 # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash 574 575 Multiple --volumes-from parameters will bring together multiple data volumes from 576 multiple containers. And it's possible to mount the volumes that came from the 577 DATA container in yet another container via the fedora-container1 intermediary 578 container, allowing to abstract the actual data source from users of that data: 579 580 # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash 581 582 ## Mounting External Volumes 583 584 To mount a host directory as a container volume, specify the absolute path to 585 the directory and the absolute path for the container directory separated by a 586 colon: 587 588 # docker run -v /var/db:/data1 -i -t fedora bash 589 590 When using SELinux, be aware that the host has no knowledge of container SELinux 591 policy. Therefore, in the above example, if SELinux policy is enforced, the 592 `/var/db` directory is not writable to the container. A "Permission Denied" 593 message will occur and an avc: message in the host's syslog. 594 595 596 To work around this, at time of writing this man page, the following command 597 needs to be run in order for the proper SELinux policy type label to be attached 598 to the host directory: 599 600 # chcon -Rt svirt_sandbox_file_t /var/db 601 602 603 Now, writing to the /data1 volume in the container will be allowed and the 604 changes will also be reflected on the host in /var/db. 605 606 ## Using alternative security labeling 607 608 You can override the default labeling scheme for each container by specifying 609 the `--security-opt` flag. For example, you can specify the MCS/MLS level, a 610 requirement for MLS systems. Specifying the level in the following command 611 allows you to share the same content between containers. 612 613 # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash 614 615 An MLS example might be: 616 617 # docker run --security-opt label:level:TopSecret -i -t rhel7 bash 618 619 To disable the security labeling for this container versus running with the 620 `--permissive` flag, use the following command: 621 622 # docker run --security-opt label:disable -i -t fedora bash 623 624 If you want a tighter security policy on the processes within a container, 625 you can specify an alternate type for the container. You could run a container 626 that is only allowed to listen on Apache ports by executing the following 627 command: 628 629 # docker run --security-opt label:type:svirt_apache_t -i -t centos bash 630 631 Note: 632 633 You would have to write policy defining a `svirt_apache_t` type. 634 635 # HISTORY 636 April 2014, Originally compiled by William Henry (whenry at redhat dot com) 637 based on docker.com source material and internal work. 638 June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au> 639 July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>