github.com/thajeztah/cli@v0.0.0-20240223162942-dc6bfac81a8b/docs/reference/commandline/container_run.md (about)

     1  # run
     2  
     3  <!---MARKER_GEN_START-->
     4  Create and run a new container from an image
     5  
     6  ### Aliases
     7  
     8  `docker container run`, `docker run`
     9  
    10  ### Options
    11  
    12  | Name                                                  | Type          | Default   | Description                                                                                                                                                                                                                                                                                                      |
    13  |:------------------------------------------------------|:--------------|:----------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
    14  | [`--add-host`](#add-host)                             | `list`        |           | Add a custom host-to-IP mapping (host:ip)                                                                                                                                                                                                                                                                        |
    15  | `--annotation`                                        | `map`         | `map[]`   | Add an annotation to the container (passed through to the OCI runtime)                                                                                                                                                                                                                                           |
    16  | [`-a`](#attach), [`--attach`](#attach)                | `list`        |           | Attach to STDIN, STDOUT or STDERR                                                                                                                                                                                                                                                                                |
    17  | `--blkio-weight`                                      | `uint16`      | `0`       | Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)                                                                                                                                                                                                                                     |
    18  | `--blkio-weight-device`                               | `list`        |           | Block IO weight (relative device weight)                                                                                                                                                                                                                                                                         |
    19  | `--cap-add`                                           | `list`        |           | Add Linux capabilities                                                                                                                                                                                                                                                                                           |
    20  | `--cap-drop`                                          | `list`        |           | Drop Linux capabilities                                                                                                                                                                                                                                                                                          |
    21  | [`--cgroup-parent`](#cgroup-parent)                   | `string`      |           | Optional parent cgroup for the container                                                                                                                                                                                                                                                                         |
    22  | `--cgroupns`                                          | `string`      |           | Cgroup namespace to use (host\|private)<br>'host':    Run the container in the Docker host's cgroup namespace<br>'private': Run the container in its own private cgroup namespace<br>'':        Use the cgroup namespace as configured by the<br>           default-cgroupns-mode option on the daemon (default) |
    23  | [`--cidfile`](#cidfile)                               | `string`      |           | Write the container ID to the file                                                                                                                                                                                                                                                                               |
    24  | `--cpu-count`                                         | `int64`       | `0`       | CPU count (Windows only)                                                                                                                                                                                                                                                                                         |
    25  | `--cpu-percent`                                       | `int64`       | `0`       | CPU percent (Windows only)                                                                                                                                                                                                                                                                                       |
    26  | `--cpu-period`                                        | `int64`       | `0`       | Limit CPU CFS (Completely Fair Scheduler) period                                                                                                                                                                                                                                                                 |
    27  | `--cpu-quota`                                         | `int64`       | `0`       | Limit CPU CFS (Completely Fair Scheduler) quota                                                                                                                                                                                                                                                                  |
    28  | `--cpu-rt-period`                                     | `int64`       | `0`       | Limit CPU real-time period in microseconds                                                                                                                                                                                                                                                                       |
    29  | `--cpu-rt-runtime`                                    | `int64`       | `0`       | Limit CPU real-time runtime in microseconds                                                                                                                                                                                                                                                                      |
    30  | `-c`, `--cpu-shares`                                  | `int64`       | `0`       | CPU shares (relative weight)                                                                                                                                                                                                                                                                                     |
    31  | `--cpus`                                              | `decimal`     |           | Number of CPUs                                                                                                                                                                                                                                                                                                   |
    32  | `--cpuset-cpus`                                       | `string`      |           | CPUs in which to allow execution (0-3, 0,1)                                                                                                                                                                                                                                                                      |
    33  | `--cpuset-mems`                                       | `string`      |           | MEMs in which to allow execution (0-3, 0,1)                                                                                                                                                                                                                                                                      |
    34  | [`-d`](#detach), [`--detach`](#detach)                |               |           | Run container in background and print container ID                                                                                                                                                                                                                                                               |
    35  | [`--detach-keys`](#detach-keys)                       | `string`      |           | Override the key sequence for detaching a container                                                                                                                                                                                                                                                              |
    36  | [`--device`](#device)                                 | `list`        |           | Add a host device to the container                                                                                                                                                                                                                                                                               |
    37  | [`--device-cgroup-rule`](#device-cgroup-rule)         | `list`        |           | Add a rule to the cgroup allowed devices list                                                                                                                                                                                                                                                                    |
    38  | `--device-read-bps`                                   | `list`        |           | Limit read rate (bytes per second) from a device                                                                                                                                                                                                                                                                 |
    39  | `--device-read-iops`                                  | `list`        |           | Limit read rate (IO per second) from a device                                                                                                                                                                                                                                                                    |
    40  | `--device-write-bps`                                  | `list`        |           | Limit write rate (bytes per second) to a device                                                                                                                                                                                                                                                                  |
    41  | `--device-write-iops`                                 | `list`        |           | Limit write rate (IO per second) to a device                                                                                                                                                                                                                                                                     |
    42  | `--disable-content-trust`                             | `bool`        | `true`    | Skip image verification                                                                                                                                                                                                                                                                                          |
    43  | `--dns`                                               | `list`        |           | Set custom DNS servers                                                                                                                                                                                                                                                                                           |
    44  | `--dns-option`                                        | `list`        |           | Set DNS options                                                                                                                                                                                                                                                                                                  |
    45  | `--dns-search`                                        | `list`        |           | Set custom DNS search domains                                                                                                                                                                                                                                                                                    |
    46  | `--domainname`                                        | `string`      |           | Container NIS domain name                                                                                                                                                                                                                                                                                        |
    47  | `--entrypoint`                                        | `string`      |           | Overwrite the default ENTRYPOINT of the image                                                                                                                                                                                                                                                                    |
    48  | [`-e`](#env), [`--env`](#env)                         | `list`        |           | Set environment variables                                                                                                                                                                                                                                                                                        |
    49  | `--env-file`                                          | `list`        |           | Read in a file of environment variables                                                                                                                                                                                                                                                                          |
    50  | `--expose`                                            | `list`        |           | Expose a port or a range of ports                                                                                                                                                                                                                                                                                |
    51  | [`--gpus`](#gpus)                                     | `gpu-request` |           | GPU devices to add to the container ('all' to pass all GPUs)                                                                                                                                                                                                                                                     |
    52  | `--group-add`                                         | `list`        |           | Add additional groups to join                                                                                                                                                                                                                                                                                    |
    53  | `--health-cmd`                                        | `string`      |           | Command to run to check health                                                                                                                                                                                                                                                                                   |
    54  | `--health-interval`                                   | `duration`    | `0s`      | Time between running the check (ms\|s\|m\|h) (default 0s)                                                                                                                                                                                                                                                        |
    55  | `--health-retries`                                    | `int`         | `0`       | Consecutive failures needed to report unhealthy                                                                                                                                                                                                                                                                  |
    56  | `--health-start-interval`                             | `duration`    | `0s`      | Time between running the check during the start period (ms\|s\|m\|h) (default 0s)                                                                                                                                                                                                                                |
    57  | `--health-start-period`                               | `duration`    | `0s`      | Start period for the container to initialize before starting health-retries countdown (ms\|s\|m\|h) (default 0s)                                                                                                                                                                                                 |
    58  | `--health-timeout`                                    | `duration`    | `0s`      | Maximum time to allow one check to run (ms\|s\|m\|h) (default 0s)                                                                                                                                                                                                                                                |
    59  | `--help`                                              |               |           | Print usage                                                                                                                                                                                                                                                                                                      |
    60  | `-h`, `--hostname`                                    | `string`      |           | Container host name                                                                                                                                                                                                                                                                                              |
    61  | [`--init`](#init)                                     |               |           | Run an init inside the container that forwards signals and reaps processes                                                                                                                                                                                                                                       |
    62  | [`-i`](#interactive), [`--interactive`](#interactive) |               |           | Keep STDIN open even if not attached                                                                                                                                                                                                                                                                             |
    63  | `--io-maxbandwidth`                                   | `bytes`       | `0`       | Maximum IO bandwidth limit for the system drive (Windows only)                                                                                                                                                                                                                                                   |
    64  | `--io-maxiops`                                        | `uint64`      | `0`       | Maximum IOps limit for the system drive (Windows only)                                                                                                                                                                                                                                                           |
    65  | `--ip`                                                | `string`      |           | IPv4 address (e.g., 172.30.100.104)                                                                                                                                                                                                                                                                              |
    66  | `--ip6`                                               | `string`      |           | IPv6 address (e.g., 2001:db8::33)                                                                                                                                                                                                                                                                                |
    67  | [`--ipc`](#ipc)                                       | `string`      |           | IPC mode to use                                                                                                                                                                                                                                                                                                  |
    68  | [`--isolation`](#isolation)                           | `string`      |           | Container isolation technology                                                                                                                                                                                                                                                                                   |
    69  | `--kernel-memory`                                     | `bytes`       | `0`       | Kernel memory limit                                                                                                                                                                                                                                                                                              |
    70  | [`-l`](#label), [`--label`](#label)                   | `list`        |           | Set meta data on a container                                                                                                                                                                                                                                                                                     |
    71  | `--label-file`                                        | `list`        |           | Read in a line delimited file of labels                                                                                                                                                                                                                                                                          |
    72  | `--link`                                              | `list`        |           | Add link to another container                                                                                                                                                                                                                                                                                    |
    73  | `--link-local-ip`                                     | `list`        |           | Container IPv4/IPv6 link-local addresses                                                                                                                                                                                                                                                                         |
    74  | [`--log-driver`](#log-driver)                         | `string`      |           | Logging driver for the container                                                                                                                                                                                                                                                                                 |
    75  | `--log-opt`                                           | `list`        |           | Log driver options                                                                                                                                                                                                                                                                                               |
    76  | `--mac-address`                                       | `string`      |           | Container MAC address (e.g., 92:d0:c6:0a:29:33)                                                                                                                                                                                                                                                                  |
    77  | [`-m`](#memory), [`--memory`](#memory)                | `bytes`       | `0`       | Memory limit                                                                                                                                                                                                                                                                                                     |
    78  | `--memory-reservation`                                | `bytes`       | `0`       | Memory soft limit                                                                                                                                                                                                                                                                                                |
    79  | `--memory-swap`                                       | `bytes`       | `0`       | Swap limit equal to memory plus swap: '-1' to enable unlimited swap                                                                                                                                                                                                                                              |
    80  | `--memory-swappiness`                                 | `int64`       | `-1`      | Tune container memory swappiness (0 to 100)                                                                                                                                                                                                                                                                      |
    81  | [`--mount`](#mount)                                   | `mount`       |           | Attach a filesystem mount to the container                                                                                                                                                                                                                                                                       |
    82  | [`--name`](#name)                                     | `string`      |           | Assign a name to the container                                                                                                                                                                                                                                                                                   |
    83  | [`--network`](#network)                               | `network`     |           | Connect a container to a network                                                                                                                                                                                                                                                                                 |
    84  | `--network-alias`                                     | `list`        |           | Add network-scoped alias for the container                                                                                                                                                                                                                                                                       |
    85  | `--no-healthcheck`                                    |               |           | Disable any container-specified HEALTHCHECK                                                                                                                                                                                                                                                                      |
    86  | `--oom-kill-disable`                                  |               |           | Disable OOM Killer                                                                                                                                                                                                                                                                                               |
    87  | `--oom-score-adj`                                     | `int`         | `0`       | Tune host's OOM preferences (-1000 to 1000)                                                                                                                                                                                                                                                                      |
    88  | [`--pid`](#pid)                                       | `string`      |           | PID namespace to use                                                                                                                                                                                                                                                                                             |
    89  | `--pids-limit`                                        | `int64`       | `0`       | Tune container pids limit (set -1 for unlimited)                                                                                                                                                                                                                                                                 |
    90  | `--platform`                                          | `string`      |           | Set platform if server is multi-platform capable                                                                                                                                                                                                                                                                 |
    91  | [`--privileged`](#privileged)                         |               |           | Give extended privileges to this container                                                                                                                                                                                                                                                                       |
    92  | [`-p`](#publish), [`--publish`](#publish)             | `list`        |           | Publish a container's port(s) to the host                                                                                                                                                                                                                                                                        |
    93  | [`-P`](#publish-all), [`--publish-all`](#publish-all) |               |           | Publish all exposed ports to random ports                                                                                                                                                                                                                                                                        |
    94  | [`--pull`](#pull)                                     | `string`      | `missing` | Pull image before running (`always`, `missing`, `never`)                                                                                                                                                                                                                                                         |
    95  | `-q`, `--quiet`                                       |               |           | Suppress the pull output                                                                                                                                                                                                                                                                                         |
    96  | [`--read-only`](#read-only)                           |               |           | Mount the container's root filesystem as read only                                                                                                                                                                                                                                                               |
    97  | [`--restart`](#restart)                               | `string`      | `no`      | Restart policy to apply when a container exits                                                                                                                                                                                                                                                                   |
    98  | [`--rm`](#rm)                                         |               |           | Automatically remove the container when it exits                                                                                                                                                                                                                                                                 |
    99  | `--runtime`                                           | `string`      |           | Runtime to use for this container                                                                                                                                                                                                                                                                                |
   100  | [`--security-opt`](#security-opt)                     | `list`        |           | Security Options                                                                                                                                                                                                                                                                                                 |
   101  | `--shm-size`                                          | `bytes`       | `0`       | Size of /dev/shm                                                                                                                                                                                                                                                                                                 |
   102  | `--sig-proxy`                                         | `bool`        | `true`    | Proxy received signals to the process                                                                                                                                                                                                                                                                            |
   103  | [`--stop-signal`](#stop-signal)                       | `string`      |           | Signal to stop the container                                                                                                                                                                                                                                                                                     |
   104  | [`--stop-timeout`](#stop-timeout)                     | `int`         | `0`       | Timeout (in seconds) to stop a container                                                                                                                                                                                                                                                                         |
   105  | [`--storage-opt`](#storage-opt)                       | `list`        |           | Storage driver options for the container                                                                                                                                                                                                                                                                         |
   106  | [`--sysctl`](#sysctl)                                 | `map`         | `map[]`   | Sysctl options                                                                                                                                                                                                                                                                                                   |
   107  | [`--tmpfs`](#tmpfs)                                   | `list`        |           | Mount a tmpfs directory                                                                                                                                                                                                                                                                                          |
   108  | [`-t`](#tty), [`--tty`](#tty)                         |               |           | Allocate a pseudo-TTY                                                                                                                                                                                                                                                                                            |
   109  | [`--ulimit`](#ulimit)                                 | `ulimit`      |           | Ulimit options                                                                                                                                                                                                                                                                                                   |
   110  | `-u`, `--user`                                        | `string`      |           | Username or UID (format: <name\|uid>[:<group\|gid>])                                                                                                                                                                                                                                                             |
   111  | `--userns`                                            | `string`      |           | User namespace to use                                                                                                                                                                                                                                                                                            |
   112  | [`--uts`](#uts)                                       | `string`      |           | UTS namespace to use                                                                                                                                                                                                                                                                                             |
   113  | [`-v`](#volume), [`--volume`](#volume)                | `list`        |           | Bind mount a volume                                                                                                                                                                                                                                                                                              |
   114  | `--volume-driver`                                     | `string`      |           | Optional volume driver for the container                                                                                                                                                                                                                                                                         |
   115  | [`--volumes-from`](#volumes-from)                     | `list`        |           | Mount volumes from the specified container(s)                                                                                                                                                                                                                                                                    |
   116  | [`-w`](#workdir), [`--workdir`](#workdir)             | `string`      |           | Working directory inside the container                                                                                                                                                                                                                                                                           |
   117  
   118  
   119  <!---MARKER_GEN_END-->
   120  
   121  ## Description
   122  
   123  The `docker run` command runs a command in a new container, pulling the image if needed and starting the container.
   124  
   125  You can restart a stopped container with all its previous changes intact using `docker start`.
   126  Use `docker ps -a` to view a list of all containers, including those that are stopped.
   127  
   128  ## Examples
   129  
   130  ### <a name="name"></a> Assign name (--name)
   131  
   132  The `--name` flag lets you specify a custom identifier for a container. The
   133  following example runs a container named `test` using the `nginx:alpine` image
   134  in [detached mode](#detach).
   135  
   136  ```console
   137  $ docker run --name test -d nginx:alpine
   138  4bed76d3ad428b889c56c1ecc2bf2ed95cb08256db22dc5ef5863e1d03252a19
   139  $ docker ps
   140  CONTAINER ID   IMAGE          COMMAND                  CREATED        STATUS                  PORTS     NAMES
   141  4bed76d3ad42   nginx:alpine   "/docker-entrypoint.…"   1 second ago   Up Less than a second   80/tcp    test
   142  ```
   143  
   144  You can reference the container by name with other commands. For example, the
   145  following commands stop and remove a container named `test`:
   146  
   147  ```console
   148  $ docker stop test
   149  test
   150  $ docker rm test
   151  test
   152  ```
   153  
   154  If you don't specify a custom name using the `--name` flag, the daemon assigns
   155  a randomly generated name, such as `vibrant_cannon`, to the container. Using a
   156  custom-defined name provides the benefit of having an easy-to-remember ID for a
   157  container.
   158  
   159  Moreover, if you connect the container to a user-defined bridge network, other
   160  containers on the same network can refer to the container by name via DNS.
   161  
   162  ```console
   163  $ docker network create mynet
   164  cb79f45948d87e389e12013fa4d969689ed2c3316985dd832a43aaec9a0fe394
   165  $ docker run --name test --net mynet -d nginx:alpine
   166  58df6ecfbc2ad7c42d088ed028d367f9e22a5f834d7c74c66c0ab0485626c32a
   167  $ docker run --net mynet busybox:latest ping test
   168  PING test (172.18.0.2): 56 data bytes
   169  64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.073 ms
   170  64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.411 ms
   171  64 bytes from 172.18.0.2: seq=2 ttl=64 time=0.319 ms
   172  64 bytes from 172.18.0.2: seq=3 ttl=64 time=0.383 ms
   173  ...
   174  ```
   175  
   176  ### <a name="cidfile"></a> Capture container ID (--cidfile)
   177  
   178  To help with automation, you can have Docker write the container ID out to a
   179  file of your choosing. This is similar to how some programs might write out
   180  their process ID to a file (you might've seen them as PID files):
   181  
   182  ```console
   183  $ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"
   184  ```
   185  
   186  This creates a container and prints `test` to the console. The `cidfile`
   187  flag makes Docker attempt to create a new file and write the container ID to it.
   188  If the file exists already, Docker returns an error. Docker closes this
   189  file when `docker run` exits.
   190  
   191  ### <a name="pid"></a> PID settings (--pid)
   192  
   193  ```text
   194  --pid=""  : Set the PID (Process) Namespace mode for the container,
   195               'container:<name|id>': joins another container's PID namespace
   196               'host': use the host's PID namespace inside the container
   197  ```
   198  
   199  By default, all containers have the PID namespace enabled.
   200  
   201  PID namespace provides separation of processes. The PID Namespace removes the
   202  view of the system processes, and allows process ids to be reused including
   203  PID 1.
   204  
   205  In certain cases you want your container to share the host's process namespace,
   206  allowing processes within the container to see all of the processes on the
   207  system. For example, you could build a container with debugging tools like
   208  `strace` or `gdb`, but want to use these tools when debugging processes within
   209  the container.
   210  
   211  #### Example: run htop inside a container
   212  
   213  To run `htop` in a container that shares the process namespac of the host:
   214  
   215  1. Run an alpine container with the `--pid=host` option:
   216  
   217     ```console
   218     $ docker run --rm -it --pid=host alpine
   219     ```
   220  
   221  2. Install `htop` in the container:
   222  
   223     ```console
   224     / # apk add htop
   225     fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/aarch64/APKINDEX.tar.gz
   226     fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/aarch64/APKINDEX.tar.gz
   227     (1/3) Installing ncurses-terminfo-base (6.4_p20230506-r0)
   228     (2/3) Installing libncursesw (6.4_p20230506-r0)
   229     (3/3) Installing htop (3.2.2-r1)
   230     Executing busybox-1.36.1-r2.trigger
   231     OK: 9 MiB in 18 packages
   232     ```
   233  
   234  3. Invoke the `htop` command.
   235  
   236     ```console
   237     / # htop
   238     ```
   239  
   240  #### Example, join another container's PID namespace
   241  
   242  Joining another container's PID namespace can be useful for debugging that
   243  container.
   244  
   245  1. Start a container running a Redis server:
   246  
   247     ```console
   248     $ docker run --rm --name my-nginx -d nginx:alpine
   249     ```
   250  
   251  2. Run an Alpine container that attaches the `--pid` namespace to the
   252     `my-nginx` container:
   253  
   254     ```console
   255     $ docker run --rm -it --pid=container:my-nginx \
   256       --cap-add SYS_PTRACE \
   257       --security-opt seccomp=unconfined \
   258       alpine
   259     ```
   260  
   261  3. Install `strace` in the Alpine container:
   262  
   263     ```console
   264     / # apk add strace
   265     ```
   266  
   267  4. Attach to process 1, the process ID of the `my-nginx` container:
   268  
   269     ```console
   270     / # strace -p 1
   271     strace: Process 1 attached
   272     ```
   273  
   274  ### <a name="uts"></a> UTS settings (--uts)
   275  
   276  ```text
   277  --uts=""  : Set the UTS namespace mode for the container
   278              'host': use the host's UTS namespace inside the container
   279  ```
   280  
   281  The UTS namespace is for setting the hostname and the domain that's visible to
   282  running processes in that namespace. By default, all containers, including
   283  those with `--network=host`, have their own UTS namespace. Setting `--uts` to
   284  `host` results in the container using the same UTS namespace as the host.
   285  
   286  > **Note**
   287  >
   288  > Docker disallows combining the `--hostname` and `--domainname` flags with
   289  > `--uts=host`. This is to prevent containers running in the host's UTS
   290  > namespace from attempting to change the hosts' configuration.
   291  
   292  You may wish to share the UTS namespace with the host if you would like the
   293  hostname of the container to change as the hostname of the host changes. A more
   294  advanced use case would be changing the host's hostname from a container.
   295  
   296  ### <a name="ipc"></a> IPC settings (--ipc)
   297  
   298  ```text
   299  --ipc="MODE"  : Set the IPC mode for the container
   300  ```
   301  
   302  The `--ipc` flag accepts the following values:
   303  
   304  | Value                      | Description                                                                       |
   305  |:---------------------------|:----------------------------------------------------------------------------------|
   306  | ""                         | Use daemon's default.                                                             |
   307  | "none"                     | Own private IPC namespace, with /dev/shm not mounted.                             |
   308  | "private"                  | Own private IPC namespace.                                                        |
   309  | "shareable"                | Own private IPC namespace, with a possibility to share it with other containers.  |
   310  | "container:<_name-or-ID_>" | Join another ("shareable") container's IPC namespace.                             |
   311  | "host"                     | Use the host system's IPC namespace.                                              |
   312  
   313  If not specified, daemon default is used, which can either be `"private"`
   314  or `"shareable"`, depending on the daemon version and configuration.
   315  
   316  [System V interprocess communication (IPC)](https://linux.die.net/man/5/ipc)
   317  namespaces provide separation of named shared memory segments, semaphores and
   318  message queues.
   319  
   320  Shared memory segments are used to accelerate inter-process communication at
   321  memory speed, rather than through pipes or through the network stack. Shared
   322  memory is commonly used by databases and custom-built (typically C/OpenMPI,
   323  C++/using boost libraries) high performance applications for scientific
   324  computing and financial services industries. If these types of applications
   325  are broken into multiple containers, you might need to share the IPC mechanisms
   326  of the containers, using `"shareable"` mode for the main (i.e. "donor")
   327  container, and `"container:<donor-name-or-ID>"` for other containers.
   328  
   329  ### <a name="privileged"></a> Full container capabilities (--privileged)
   330  
   331  The following example doesn't work, because by default, Docker drops most
   332  potentially dangerous kernel capabilities, including `CAP_SYS_ADMIN ` (which is
   333  required to mount filesystems).
   334  
   335  ```console
   336  $ docker run -t -i --rm ubuntu bash
   337  root@bc338942ef20:/# mount -t tmpfs none /mnt
   338  mount: permission denied
   339  ```
   340  
   341  It works when you add the `--privileged` flag:
   342  
   343  ```console
   344  $ docker run -t -i --privileged ubuntu bash
   345  root@50e3f57e16e6:/# mount -t tmpfs none /mnt
   346  root@50e3f57e16e6:/# df -h
   347  Filesystem      Size  Used Avail Use% Mounted on
   348  none            1.9G     0  1.9G   0% /mnt
   349  ```
   350  
   351  The `--privileged` flag gives all capabilities to the container, and it also
   352  lifts all the limitations enforced by the `device` cgroup controller. In other
   353  words, the container can then do almost everything that the host can do. This
   354  flag exists to allow special use-cases, like running Docker within Docker.
   355  
   356  ### <a name="workdir"></a> Set working directory (-w, --workdir)
   357  
   358  ```console
   359  $ docker run -w /path/to/dir/ -i -t ubuntu pwd
   360  ```
   361  
   362  The `-w` option runs the command executed inside the directory specified, in this example,
   363  `/path/to/dir/`. If the path doesn't exist, Docker creates it inside the container.
   364  
   365  ### <a name="storage-opt"></a> Set storage driver options per container (--storage-opt)
   366  
   367  ```console
   368  $ docker run -it --storage-opt size=120G fedora /bin/bash
   369  ```
   370  
   371  This (size) constraints the container filesystem size to 120G at creation time.
   372  This option is only available for the `btrfs`, `overlay2`, `windowsfilter`,
   373  and `zfs` storage drivers.
   374  
   375  For the `overlay2` storage driver, the size option is only available if the
   376  backing filesystem is `xfs` and mounted with the `pquota` mount option.
   377  Under these conditions, you can pass any size less than the backing filesystem size.
   378  
   379  For the `windowsfilter`, `btrfs`, and `zfs` storage drivers, you cannot pass a
   380  size less than the Default BaseFS Size.
   381  
   382  ### <a name="tmpfs"></a> Mount tmpfs (--tmpfs)
   383  
   384  The `--tmpfs` flag lets you create a `tmpfs` mount.
   385  
   386  The options that you can pass to `--tmpfs` are identical to the Linux `mount -t
   387  tmpfs -o` command. The following example mounts an empty `tmpfs` into the
   388  container with the `rw`, `noexec`, `nosuid`, `size=65536k` options.
   389  
   390  ```console
   391  $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
   392  ```
   393  
   394  For more information, see [tmpfs mounts](https://docs.docker.com/storage/tmpfs/).
   395  
   396  ### <a name="volume"></a> Mount volume (-v)
   397  
   398  ```console
   399  $ docker  run  -v $(pwd):$(pwd) -w $(pwd) -i -t  ubuntu pwd
   400  ```
   401  
   402  The example above mounts the current directory into the container at the same path
   403  using the `-v` flag, sets it as the working directory, and then runs the `pwd` command inside the container.
   404  
   405  As of Docker Engine version 23, you can use relative paths on the host.
   406  
   407  ```console
   408  $ docker  run  -v ./content:/content -w /content -i -t  ubuntu pwd
   409  ```
   410  
   411  The example above mounts the `content` directory in the current directory into the container at the
   412  `/content` path using the `-v` flag, sets it as the working directory, and then
   413  runs the `pwd` command inside the container.
   414  
   415  ```console
   416  $ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash
   417  ```
   418  
   419  When the host directory of a bind-mounted volume doesn't exist, Docker
   420  automatically creates this directory on the host for you. In the
   421  example above, Docker creates the `/doesnt/exist`
   422  folder before starting your container.
   423  
   424  ### <a name="read-only"></a> Mount volume read-only (--read-only)
   425  
   426  ```console
   427  $ docker run --read-only -v /icanwrite busybox touch /icanwrite/here
   428  ```
   429  
   430  You can use volumes in combination with the `--read-only` flag to control where
   431  a container writes files. The `--read-only` flag mounts the container's root
   432  filesystem as read only prohibiting writes to locations other than the
   433  specified volumes for the container.
   434  
   435  ```console
   436  $ docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/static-docker-binary:/usr/bin/docker busybox sh
   437  ```
   438  
   439  By bind-mounting the Docker Unix socket and statically linked Docker
   440  binary (refer to [get the Linux binary](https://docs.docker.com/engine/install/binaries/#install-static-binaries)),
   441  you give the container the full access to create and manipulate the host's
   442  Docker daemon.
   443  
   444  On Windows, you must specify the paths using Windows-style path semantics.
   445  
   446  ```powershell
   447  PS C:\> docker run -v c:\foo:c:\dest microsoft/nanoserver cmd /s /c type c:\dest\somefile.txt
   448  Contents of file
   449  
   450  PS C:\> docker run -v c:\foo:d: microsoft/nanoserver cmd /s /c type d:\somefile.txt
   451  Contents of file
   452  ```
   453  
   454  The following examples fails when using Windows-based containers, as the
   455  destination of a volume or bind mount inside the container must be one of:
   456  a non-existing or empty directory; or a drive other than `C:`. Further, the source
   457  of a bind mount must be a local directory, not a file.
   458  
   459  ```powershell
   460  net use z: \\remotemachine\share
   461  docker run -v z:\foo:c:\dest ...
   462  docker run -v \\uncpath\to\directory:c:\dest ...
   463  docker run -v c:\foo\somefile.txt:c:\dest ...
   464  docker run -v c:\foo:c: ...
   465  docker run -v c:\foo:c:\existing-directory-with-contents ...
   466  ```
   467  
   468  For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/storage/volumes/)
   469  
   470  ### <a name="mount"></a> Add bind mounts or volumes using the --mount flag
   471  
   472  The `--mount` flag allows you to mount volumes, host-directories, and `tmpfs`
   473  mounts in a container.
   474  
   475  The `--mount` flag supports most options supported by the `-v` or the
   476  `--volume` flag, but uses a different syntax. For in-depth information on the
   477  `--mount` flag, and a comparison between `--volume` and `--mount`, refer to
   478  [Bind mounts](https://docs.docker.com/storage/bind-mounts/).
   479  
   480  Even though there is no plan to deprecate `--volume`, usage of `--mount` is recommended.
   481  
   482  Examples:
   483  
   484  ```console
   485  $ docker run --read-only --mount type=volume,target=/icanwrite busybox touch /icanwrite/here
   486  ```
   487  
   488  ```console
   489  $ docker run -t -i --mount type=bind,src=/data,dst=/data busybox sh
   490  ```
   491  
   492  ### <a name="publish"></a> Publish or expose port (-p, --expose)
   493  
   494  ```console
   495  $ docker run -p 127.0.0.1:80:8080/tcp nginx:alpine
   496  ```
   497  
   498  This binds port `8080` of the container to TCP port `80` on `127.0.0.1` of the
   499  host. You can also specify `udp` and `sctp` ports. The [Networking overview
   500  page](https://docs.docker.com/network/) explains in detail how to publish ports
   501  with Docker.
   502  
   503  > **Note**
   504  >
   505  > If you don't specify an IP address (i.e., `-p 80:80` instead of `-p
   506  > 127.0.0.1:80:80`) when publishing a container's ports, Docker publishes the
   507  > port on all interfaces (address `0.0.0.0`) by default. These ports are
   508  > externally accessible. This also applies if you configured UFW to block this
   509  > specific port, as Docker manages its own iptables rules. [Read
   510  > more](https://docs.docker.com/network/packet-filtering-firewalls/)
   511  
   512  ```console
   513  $ docker run --expose 80 nginx:alpine
   514  ```
   515  
   516  This exposes port `80` of the container without publishing the port to the host
   517  system's interfaces.
   518  
   519  ### <a name="publish-all"></a> Publish all exposed ports (-P, --publish-all)
   520  
   521  ```console
   522  $ docker run -P nginx:alpine
   523  ```
   524  
   525  The `-P`, or `--publish-all`, flag publishes all the exposed ports to the host.
   526  Docker binds each exposed port to a random port on the host.
   527  
   528  The `-P` flag only publishes port numbers that are explicitly flagged as
   529  exposed, either using the Dockerfile `EXPOSE` instruction or the `--expose`
   530  flag for the `docker run` command.
   531  
   532  The range of ports are within an *ephemeral port range* defined by
   533  `/proc/sys/net/ipv4/ip_local_port_range`. Use the `-p` flag to explicitly map a
   534  single port or range of ports.
   535  
   536  ### <a name="pull"></a> Set the pull policy (--pull)
   537  
   538  Use the `--pull` flag to set the image pull policy when creating (and running)
   539  the container.
   540  
   541  The `--pull` flag can take one of these values:
   542  
   543  | Value               | Description                                                                                                       |
   544  |:--------------------|:------------------------------------------------------------------------------------------------------------------|
   545  | `missing` (default) | Pull the image if it was not found in the image cache, or use the cached image otherwise.                         |
   546  | `never`             | Do not pull the image, even if it's missing, and produce an error if the image does not exist in the image cache. |
   547  | `always`            | Always perform a pull before creating the container.                                                              |
   548  
   549  When creating (and running) a container from an image, the daemon checks if the
   550  image exists in the local image cache. If the image is missing, an error is
   551  returned to the CLI, allowing it to initiate a pull.
   552  
   553  The default (`missing`) is to only pull the image if it's not present in the
   554  daemon's image cache. This default allows you to run images that only exist
   555  locally (for example, images you built from a Dockerfile, but that have not
   556  been pushed to a registry), and reduces networking.
   557  
   558  The `always` option always initiates a pull before creating the container. This
   559  option makes sure the image is up-to-date, and prevents you from using outdated
   560  images, but may not be suitable in situations where you want to test a locally
   561  built image before pushing (as pulling the image overwrites the existing image
   562  in the image cache).
   563  
   564  The `never` option disables (implicit) pulling images when creating containers,
   565  and only uses images that are available in the image cache. If the specified
   566  image is not found, an error is produced, and the container is not created.
   567  This option is useful in situations where networking is not available, or to
   568  prevent images from being pulled implicitly when creating containers.
   569  
   570  The following example shows `docker run` with the `--pull=never` option set,
   571  which produces en error as the image is missing in the image-cache:
   572  
   573  ```console
   574  $ docker run --pull=never hello-world
   575  docker: Error response from daemon: No such image: hello-world:latest.
   576  ```
   577  
   578  ### <a name="env"></a> Set environment variables (-e, --env, --env-file)
   579  
   580  ```console
   581  $ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash
   582  ```
   583  
   584  Use the `-e`, `--env`, and `--env-file` flags to set simple (non-array)
   585  environment variables in the container you're running, or overwrite variables
   586  defined in the Dockerfile of the image you're running.
   587  
   588  You can define the variable and its value when running the container:
   589  
   590  ```console
   591  $ docker run --env VAR1=value1 --env VAR2=value2 ubuntu env | grep VAR
   592  VAR1=value1
   593  VAR2=value2
   594  ```
   595  
   596  You can also use variables exported to your local environment:
   597  
   598  ```console
   599  export VAR1=value1
   600  export VAR2=value2
   601  
   602  $ docker run --env VAR1 --env VAR2 ubuntu env | grep VAR
   603  VAR1=value1
   604  VAR2=value2
   605  ```
   606  
   607  When running the command, the Docker CLI client checks the value the variable
   608  has in your local environment and passes it to the container.
   609  If no `=` is provided and that variable isn't exported in your local
   610  environment, the variable is unset in the container.
   611  
   612  You can also load the environment variables from a file. This file should use
   613  the syntax `<variable>=value` (which sets the variable to the given value) or
   614  `<variable>` (which takes the value from the local environment), and `#` for
   615  comments. Lines beginning with `#` are treated as line comments and are
   616  ignored, whereas a `#` appearing anywhere else in a line is treated as part of
   617  the variable value.
   618  
   619  ```console
   620  $ cat env.list
   621  # This is a comment
   622  VAR1=value1
   623  VAR2=value2
   624  USER
   625  
   626  $ docker run --env-file env.list ubuntu env | grep -E 'VAR|USER'
   627  VAR1=value1
   628  VAR2=value2
   629  USER=jonzeolla
   630  ```
   631  
   632  ### <a name="label"></a> Set metadata on container (-l, --label, --label-file)
   633  
   634  A label is a `key=value` pair that applies metadata to a container. To label a container with two labels:
   635  
   636  ```console
   637  $ docker run -l my-label --label com.example.foo=bar ubuntu bash
   638  ```
   639  
   640  The `my-label` key doesn't specify a value so the label defaults to an empty
   641  string (`""`). To add multiple labels, repeat the label flag (`-l` or `--label`).
   642  
   643  The `key=value` must be unique to avoid overwriting the label value. If you
   644  specify labels with identical keys but different values, each subsequent value
   645  overwrites the previous. Docker uses the last `key=value` you supply.
   646  
   647  Use the `--label-file` flag to load multiple labels from a file. Delimit each
   648  label in the file with an EOL mark. The example below loads labels from a
   649  labels file in the current directory:
   650  
   651  ```console
   652  $ docker run --label-file ./labels ubuntu bash
   653  ```
   654  
   655  The label-file format is similar to the format for loading environment
   656  variables. (Unlike environment variables, labels are not visible to processes
   657  running inside a container.) The following example shows a label-file
   658  format:
   659  
   660  ```console
   661  com.example.label1="a label"
   662  
   663  # this is a comment
   664  com.example.label2=another\ label
   665  com.example.label3
   666  ```
   667  
   668  You can load multiple label-files by supplying multiple  `--label-file` flags.
   669  
   670  For additional information on working with labels, see
   671  [Labels](https://docs.docker.com/config/labels-custom-metadata/).
   672  
   673  ### <a name="network"></a> Connect a container to a network (--network)
   674  
   675  To start a container and connect it to a network, use the `--network` option.
   676  
   677  The following commands create a network named `my-net` and adds a `busybox` container
   678  to the `my-net` network.
   679  
   680  ```console
   681  $ docker network create my-net
   682  $ docker run -itd --network=my-net busybox
   683  ```
   684  
   685  You can also choose the IP addresses for the container with `--ip` and `--ip6`
   686  flags when you start the container on a user-defined network. To assign a
   687  static IP to containers, you must specify subnet block for the network.
   688  
   689  ```console
   690  $ docker network create --subnet 192.0.2.0/24 my-net
   691  $ docker run -itd --network=my-net --ip=192.0.2.69 busybox
   692  ```
   693  
   694  If you want to add a running container to a network use the `docker network connect` subcommand.
   695  
   696  You can connect multiple containers to the same network. Once connected, the
   697  containers can communicate using only another container's IP address
   698  or name. For `overlay` networks or custom plugins that support multi-host
   699  connectivity, containers connected to the same multi-host network but launched
   700  from different Engines can also communicate in this way.
   701  
   702  > **Note**
   703  >
   704  > The default bridge network only allow containers to communicate with each other using
   705  > internal IP addresses. User-created bridge networks provide DNS resolution between
   706  > containers using container names.
   707  
   708  You can disconnect a container from a network using the `docker network
   709  disconnect` command.
   710  
   711  For more information on connecting a container to a network when using the `run` command, see the ["*Docker network overview*"](https://docs.docker.com/network/).
   712  
   713  ### <a name="volumes-from"></a> Mount volumes from container (--volumes-from)
   714  
   715  ```console
   716  $ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd
   717  ```
   718  
   719  The `--volumes-from` flag mounts all the defined volumes from the referenced
   720  containers. You can specify more than one container by repetitions of the `--volumes-from`
   721  argument. The container ID may be optionally suffixed with `:ro` or `:rw` to
   722  mount the volumes in read-only or read-write mode, respectively. By default,
   723  Docker mounts the volumes in the same mode (read write or read only) as
   724  the reference container.
   725  
   726  Labeling systems like SELinux require placing proper labels on volume
   727  content mounted into a container. Without a label, the security system might
   728  prevent the processes running inside the container from using the content. By
   729  default, Docker does not change the labels set by the OS.
   730  
   731  To change the label in the container context, you can add either of two suffixes
   732  `:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
   733  objects on the shared volumes. The `z` option tells Docker that two containers
   734  share the volume content. As a result, Docker labels the content with a shared
   735  content label. Shared volume labels allow all containers to read/write content.
   736  The `Z` option tells Docker to label the content with a private unshared label.
   737  Only the current container can use a private volume.
   738  
   739  ### <a name="detach"></a> Detached mode (-d, --detach)
   740  
   741  The `--detach` (or `-d`) flag starts a container as a background process that
   742  doesn't occupy your terminal window. By design, containers started in detached
   743  mode exit when the root process used to run the container exits, unless you
   744  also specify the `--rm` option. If you use `-d` with `--rm`, the container is
   745  removed when it exits or when the daemon exits, whichever happens first.
   746  
   747  Don't pass a `service x start` command to a detached container. For example,
   748  this command attempts to start the `nginx` service.
   749  
   750  ```console
   751  $ docker run -d -p 80:80 my_image service nginx start
   752  ```
   753  
   754  This succeeds in starting the `nginx` service inside the container. However, it
   755  fails the detached container paradigm in that, the root process (`service nginx
   756  start`) returns and the detached container stops as designed. As a result, the
   757  `nginx` service starts but can't be used. Instead, to start a process such as
   758  the `nginx` web server do the following:
   759  
   760  ```console
   761  $ docker run -d -p 80:80 my_image nginx -g 'daemon off;'
   762  ```
   763  
   764  To do input/output with a detached container use network connections or shared
   765  volumes. These are required because the container is no longer listening to the
   766  command line where `docker run` was run.
   767  
   768  ### <a name="detach-keys"></a> Override the detach sequence (--detach-keys)
   769  
   770  Use the `--detach-keys` option to override the Docker key sequence for detach.
   771  This is useful if the Docker default sequence conflicts with key sequence you
   772  use for other applications. There are two ways to define your own detach key
   773  sequence, as a per-container override or as a configuration property on  your
   774  entire configuration.
   775  
   776  To override the sequence for an individual container, use the
   777  `--detach-keys="<sequence>"` flag with the `docker attach` command. The format of
   778  the `<sequence>` is either a letter [a-Z], or the `ctrl-` combined with any of
   779  the following:
   780  
   781  * `a-z` (a single lowercase alpha character )
   782  * `@` (at sign)
   783  * `[` (left bracket)
   784  * `\\` (two backward slashes)
   785  *  `_` (underscore)
   786  * `^` (caret)
   787  
   788  These `a`, `ctrl-a`, `X`, or `ctrl-\\` values are all examples of valid key
   789  sequences. To configure a different configuration default key sequence for all
   790  containers, see [**Configuration file** section](https://docs.docker.com/engine/reference/commandline/cli/#configuration-files).
   791  
   792  ### <a name="device"></a> Add host device to container (--device)
   793  
   794  ```console
   795  $ docker run -it --rm \
   796      --device=/dev/sdc:/dev/xvdc \
   797      --device=/dev/sdd \
   798      --device=/dev/zero:/dev/foobar \
   799      ubuntu ls -l /dev/{xvdc,sdd,foobar}
   800  
   801  brw-rw---- 1 root disk 8, 2 Feb  9 16:05 /dev/xvdc
   802  brw-rw---- 1 root disk 8, 3 Feb  9 16:05 /dev/sdd
   803  crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/foobar
   804  ```
   805  
   806  It's often necessary to directly expose devices to a container. The `--device`
   807  option enables that. For example, adding a specific block storage device or loop
   808  device or audio device to an otherwise unprivileged container
   809  (without the `--privileged` flag) and have the application directly access it.
   810  
   811  By default, the container is able to `read`, `write` and `mknod` these devices.
   812  This can be overridden using a third `:rwm` set of options to each `--device`
   813  flag. If the container is running in privileged mode, then Docker ignores the
   814  specified permissions.
   815  
   816  ```console
   817  $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk  /dev/xvdc
   818  
   819  Command (m for help): q
   820  $ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk  /dev/xvdc
   821  You will not be able to write the partition table.
   822  
   823  Command (m for help): q
   824  
   825  $ docker run --device=/dev/sda:/dev/xvdc:rw --rm -it ubuntu fdisk  /dev/xvdc
   826  
   827  Command (m for help): q
   828  
   829  $ docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk  /dev/xvdc
   830  fdisk: unable to open /dev/xvdc: Operation not permitted
   831  ```
   832  
   833  > **Note**
   834  >
   835  > The `--device` option cannot be safely used with ephemeral devices. You shouldn't 
   836  > add block devices that may be removed to untrusted containers with `--device`.
   837  
   838  For Windows, the format of the string passed to the `--device` option is in
   839  the form of `--device=<IdType>/<Id>`. Beginning with Windows Server 2019
   840  and Windows 10 October 2018 Update, Windows only supports an IdType of
   841  `class` and the Id as a [device interface class
   842  GUID](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-device-interface-classes).
   843  Refer to the table defined in the [Windows container
   844  docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/hardware-devices-in-containers)
   845  for a list of container-supported device interface class GUIDs.
   846  
   847  If you specify this option for a process-isolated Windows container, Docker makes
   848  _all_ devices that implement the requested device interface class GUID
   849  available in the container. For example, the command below makes all COM
   850  ports on the host visible in the container.
   851  
   852  ```powershell
   853  PS C:\> docker run --device=class/86E0D1E0-8089-11D0-9CE4-08003E301F73 mcr.microsoft.com/windows/servercore:ltsc2019
   854  ```
   855  
   856  > **Note**
   857  >
   858  > The `--device` option is only supported on process-isolated Windows containers,
   859  > and produces an error if the container isolation is `hyperv`.
   860  
   861  #### CDI devices
   862  
   863  > **Note**
   864  >
   865  > This is experimental feature and as such doesn't represent a stable API.
   866  
   867  Container Device Interface (CDI) is a
   868  [standardized](https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md)
   869  mechanism for container runtimes to create containers which are able to
   870  interact with third party devices.
   871  
   872  With CDI, device configurations are defined using a JSON file. In addition to
   873  enabling the container to interact with the device node, it also lets you
   874  specify additional configuration for the device, such as kernel modules, host
   875  libraries, and environment variables.
   876  
   877  You can reference a CDI device with the `--device` flag using the
   878  fully-qualified name of the device, as shown in the following example:
   879  
   880  ```console
   881  $ docker run --device=vendor.com/class=device-name --rm -it ubuntu
   882  ```
   883  
   884  This starts an `ubuntu` container with access to the specified CDI device,
   885  `vendor.com/class=device-name`, assuming that:
   886  
   887  - A valid CDI specification (JSON file) for the requested device is available
   888    on the system running the daemon, in one of the configured CDI specification
   889    directories.
   890  - The CDI feature has been enabled on the daemon side, see [Enable CDI
   891    devices](https://docs.docker.com/reference/cli/dockerd/#enable-cdi-devices).
   892  
   893  ### <a name="attach"></a> Attach to STDIN/STDOUT/STDERR (-a, --attach)
   894  
   895  The `--attach` (or `-a`) flag tells `docker run` to bind to the container's
   896  `STDIN`, `STDOUT` or `STDERR`. This makes it possible to manipulate the output
   897  and input as needed. You can specify to which of the three standard streams
   898  (`STDIN`, `STDOUT`, `STDERR`) you'd like to connect instead, as in:
   899  
   900  ```console
   901  $ docker run -a stdin -a stdout -i -t ubuntu /bin/bash
   902  ```
   903  
   904  The following example pipes data into a container and prints the container's ID
   905  by attaching only to the container's `STDIN`.
   906  
   907  ```console
   908  $ echo "test" | docker run -i -a stdin ubuntu cat -
   909  ```
   910  
   911  The following example doesn't print anything to the console unless there's an
   912  error because output is only attached to the `STDERR` of the container. The
   913  container's logs still store what's written to `STDERR` and `STDOUT`.
   914  
   915  ```console
   916  $ docker run -a stderr ubuntu echo test
   917  ```
   918  
   919  The following example shows a way of using `--attach` to pipe a file into a
   920  container. The command prints the container's ID after the build completes and
   921  you can retrieve the build logs using `docker logs`. This is useful if you need
   922  to pipe a file or something else into a container and retrieve the container's
   923  ID once the container has finished running.
   924  
   925  ```console
   926  $ cat somefile | docker run -i -a stdin mybuilder dobuild
   927  ```
   928  
   929  > **Note**
   930  >
   931  > A process running as PID 1 inside a container is treated specially by
   932  > Linux: it ignores any signal with the default action. So, the process
   933  > doesn't terminate on `SIGINT` or `SIGTERM` unless it's coded to do so.
   934  
   935  See also [the `docker cp` command](container_cp.md).
   936  
   937  ### <a name="interactive"></a> Keep STDIN open (-i, --interactive)
   938  
   939  The `--interactive` (or `-i`) flag keeps the container's `STDIN` open, and lets
   940  you send input to the container through standard input.
   941  
   942  ```console
   943  $ echo hello | docker run --rm -i busybox cat
   944  hello
   945  ```
   946  
   947  The `-i` flag is most often used together with the `--tty` flag to bind the I/O
   948  streams of the container to a pseudo terminal, creating an interactive terminal
   949  session for the container. See [Allocate a pseudo-TTY](#tty) for more examples.
   950  
   951  ```console
   952  $ docker run -it debian
   953  root@10a3e71492b0:/# factor 90
   954  90: 2 3 3 5
   955  root@10a3e71492b0:/# exit
   956  exit
   957  ```
   958  
   959  Using the `-i` flag on its own allows for composition, such as piping input to
   960  containers:
   961  
   962  ```console
   963  $ docker run --rm -i busybox echo "foo bar baz" \
   964    | docker run --rm -i busybox awk '{ print $2 }' \
   965    | docker run --rm -i busybox rev
   966  rab
   967  ```
   968  
   969  ### <a name="init"></a> Specify an init process
   970  
   971  You can use the `--init` flag to indicate that an init process should be used as
   972  the PID 1 in the container. Specifying an init process ensures the usual
   973  responsibilities of an init system, such as reaping zombie processes, are
   974  performed inside the created container.
   975  
   976  The default init process used is the first `docker-init` executable found in the
   977  system path of the Docker daemon process. This `docker-init` binary, included in
   978  the default installation, is backed by [tini](https://github.com/krallin/tini).
   979  
   980  ### <a name="tty"></a> Allocate a pseudo-TTY (-t, --tty)
   981  
   982  The `--tty` (or `-t`) flag attaches a pseudo-TTY to the container, connecting
   983  your terminal to the I/O streams of the container. Allocating a pseudo-TTY to
   984  the container means that you get access to input and output feature that TTY
   985  devices provide.
   986  
   987  For example, the following command runs the `passwd` command in a `debian`
   988  container, to set a new password for the `root` user.
   989  
   990  ```console
   991  $ docker run -i debian passwd root
   992  New password: karjalanpiirakka9
   993  Retype new password: karjalanpiirakka9
   994  passwd: password updated successfully
   995  ```
   996  
   997  If you run this command with only the `-i` flag (which lets you send text to
   998  `STDIN` of the container), the `passwd` prompt displays the password in plain
   999  text. However, if you try the same thing but also adding the `-t` flag, the
  1000  password is hidden:
  1001  
  1002  ```console
  1003  $ docker run -i debian passwd root
  1004  New password:
  1005  Retype new password:
  1006  passwd: password updated successfully
  1007  ```
  1008  
  1009  This is because `passwd` can suppress the output of characters to the terminal
  1010  using the echo-off TTY feature.
  1011  
  1012  You can use the `-t` flag without `-i` flag. This still allocates a pseudo-TTY
  1013  to the container, but with no way of writing to `STDIN`. The only time this
  1014  might be useful is if the output of the container requires a TTY environment.
  1015  
  1016  ### <a name="cgroup-parent"></a> Specify custom cgroups
  1017  
  1018  Using the `--cgroup-parent` flag, you can pass a specific cgroup to run a
  1019  container in. This allows you to create and manage cgroups on their own. You can
  1020  define custom resources for those cgroups and put containers under a common
  1021  parent group.
  1022  
  1023  ### <a name="device-cgroup-rule"></a> Using dynamically created devices (--device-cgroup-rule)
  1024  
  1025  Docker assigns devices available to a container at creation time. The
  1026  assigned devices are added to the cgroup.allow file and
  1027  created into the container when it runs. This poses a problem when
  1028  you need to add a new device to running container.
  1029  
  1030  One solution is to add a more permissive rule to a container
  1031  allowing it access to a wider range of devices. For example, supposing
  1032  the container needs access to a character device with major `42` and
  1033  any number of minor numbers (added as new devices appear), add the
  1034  following rule:
  1035  
  1036  ```console
  1037  $ docker run -d --device-cgroup-rule='c 42:* rmw' --name my-container my-image
  1038  ```
  1039  
  1040  Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>`
  1041  the required device when it is added.
  1042  
  1043  > **Note**: You still need to explicitly add initially present devices to the
  1044  > `docker run` / `docker create` command.
  1045  
  1046  ### <a name="gpus"></a> Access an NVIDIA GPU
  1047  
  1048  The `--gpus` flag allows you to access NVIDIA GPU resources. First you need to
  1049  install the [nvidia-container-runtime](https://nvidia.github.io/nvidia-container-runtime/).
  1050  
  1051  > **Note**
  1052  >
  1053  > You can also specify a GPU as a CDI device with the `--device` flag, see
  1054  > [CDI devices](#cdi-devices).
  1055  
  1056  Read [Specify a container's resources](https://docs.docker.com/config/containers/resource_constraints/)
  1057  for more information.
  1058  
  1059  To use `--gpus`, specify which GPUs (or all) to use. If you provide no value, Docker uses all
  1060  available GPUs. The example below exposes all available GPUs.
  1061  
  1062  ```console
  1063  $ docker run -it --rm --gpus all ubuntu nvidia-smi
  1064  ```
  1065  
  1066  Use the `device` option to specify GPUs. The example below exposes a specific
  1067  GPU.
  1068  
  1069  ```console
  1070  $ docker run -it --rm --gpus device=GPU-3a23c669-1f69-c64e-cf85-44e9b07e7a2a ubuntu nvidia-smi
  1071  ```
  1072  
  1073  The example below exposes the first and third GPUs.
  1074  
  1075  ```console
  1076  $ docker run -it --rm --gpus '"device=0,2"' ubuntu nvidia-smi
  1077  ```
  1078  
  1079  ### <a name="restart"></a> Restart policies (--restart)
  1080  
  1081  Use the `--restart` flag to specify a container's *restart policy*. A restart
  1082  policy controls whether the Docker daemon restarts a container after exit.
  1083  Docker supports the following restart policies:
  1084  
  1085  | Policy                     | Result                                                                                                                                                                                                                                                           |
  1086  |:---------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  1087  | `no`                       | Do not automatically restart the container when it exits. This is the default.                                                                                                                                                                                   |
  1088  | `on-failure[:max-retries]` | Restart only if the container exits with a non-zero exit status. Optionally, limit the number of restart retries the Docker daemon attempts.                                                                                                                     |
  1089  | `unless-stopped`           | Restart the container unless it's explicitly stopped or Docker itself is stopped or restarted.                                                                                                                                                                  |
  1090  | `always`                   | Always restart the container regardless of the exit status. When you specify always, the Docker daemon tries to restart the container indefinitely. The container always starts on daemon startup, regardless of the current state of the container. |
  1091  
  1092  ```console
  1093  $ docker run --restart=always redis
  1094  ```
  1095  
  1096  This runs the `redis` container with a restart policy of **always**.
  1097  If the container exits, Docker restarts it.
  1098  
  1099  When a restart policy is active on a container, it shows as either `Up` or
  1100  `Restarting` in [`docker ps`](container_ls.md). It can also be useful to use
  1101  [`docker events`](system_events.md) to see the restart policy in effect.
  1102  
  1103  An increasing delay (double the previous delay, starting at 100 milliseconds)
  1104  is added before each restart to prevent flooding the server. This means the
  1105  daemon waits for 100 ms, then 200 ms, 400, 800, 1600, and so on until either
  1106  the `on-failure` limit, the maximum delay of 1 minute is hit, or when you
  1107  `docker stop` or `docker rm -f` the container.
  1108  
  1109  If a container is successfully restarted (the container is started and runs
  1110  for at least 10 seconds), the delay is reset to its default value of 100 ms.
  1111  
  1112  #### Specify a limit for restart attempts
  1113  
  1114  You can specify the maximum amount of times Docker attempts to restart the
  1115  container when using the **on-failure** policy. By default, Docker never stops
  1116  attempting to restart the container.
  1117  
  1118  The following example runs the `redis` container with a restart policy of
  1119  **on-failure** and a maximum restart count of 10.
  1120  
  1121  ```console
  1122  $ docker run --restart=on-failure:10 redis
  1123  ```
  1124  
  1125  If the `redis` container exits with a non-zero exit status more than 10 times
  1126  in a row, Docker stops trying to restart the container. Providing a maximum
  1127  restart limit is only valid for the **on-failure** policy.
  1128  
  1129  #### Inspect container restarts
  1130  
  1131  The number of (attempted) restarts for a container can be obtained using the
  1132  [`docker inspect`](inspect.md) command. For example, to get the number of
  1133  restarts for container "my-container";
  1134  
  1135  ```console
  1136  $ docker inspect -f "{{ .RestartCount }}" my-container
  1137  2
  1138  ```
  1139  
  1140  Or, to get the last time the container was (re)started;
  1141  
  1142  ```console
  1143  $ docker inspect -f "{{ .State.StartedAt }}" my-container
  1144  2015-03-04T23:47:07.691840179Z
  1145  ```
  1146  
  1147  Combining `--restart` (restart policy) with the `--rm` (clean up) flag results
  1148  in an error. On container restart, attached clients are disconnected.
  1149  
  1150  ### <a name="rm"></a> Clean up (--rm)
  1151  
  1152  By default, a container's file system persists even after the container exits.
  1153  This makes debugging a lot easier, since you can inspect the container's final
  1154  state and you retain all your data.
  1155  
  1156  If you are running short-term **foreground** processes, these container file
  1157  systems can start to pile up. If you'd like Docker to automatically clean up
  1158  the container and remove the file system when the container exits, use the
  1159  `--rm` flag:
  1160  
  1161  ```text
  1162  --rm=false: Automatically remove the container when it exits
  1163  ```
  1164  
  1165  > **Note**
  1166  >
  1167  > If you set the `--rm` flag, Docker also removes the anonymous volumes
  1168  > associated with the container when the container is removed. This is similar
  1169  > to running `docker rm -v my-container`. Only volumes that are specified
  1170  > without a name are removed. For example, when running the following command,
  1171  > volume `/foo` is removed, but not `/bar`:
  1172  >
  1173  > ```console
  1174  > $ docker run --rm -v /foo -v awesome:/bar busybox top
  1175  > ```
  1176  >
  1177  > Volumes inherited via `--volumes-from` are removed with the same logic:
  1178  > if the original volume was specified with a name it isn't removed.
  1179  
  1180  ### <a name="add-host"></a> Add entries to container hosts file (--add-host)
  1181  
  1182  You can add other hosts into a container's `/etc/hosts` file by using one or
  1183  more `--add-host` flags. This example adds a static address for a host named
  1184  `my-hostname`:
  1185  
  1186  ```console
  1187  $ docker run --add-host=my-hostname=8.8.8.8 --rm -it alpine
  1188  
  1189  / # ping my-hostname
  1190  PING my-hostname (8.8.8.8): 56 data bytes
  1191  64 bytes from 8.8.8.8: seq=0 ttl=37 time=93.052 ms
  1192  64 bytes from 8.8.8.8: seq=1 ttl=37 time=92.467 ms
  1193  64 bytes from 8.8.8.8: seq=2 ttl=37 time=92.252 ms
  1194  ^C
  1195  --- my-hostname ping statistics ---
  1196  4 packets transmitted, 4 packets received, 0% packet loss
  1197  round-trip min/avg/max = 92.209/92.495/93.052 ms
  1198  ```
  1199  
  1200  You can wrap an IPv6 address in square brackets:
  1201  
  1202  ```console
  1203  $ docker run --add-host my-hostname=[2001:db8::33] --rm -it alpine
  1204  ```
  1205  
  1206  The `--add-host` flag supports a special `host-gateway` value that resolves to
  1207  the internal IP address of the host. This is useful when you want containers to
  1208  connect to services running on the host machine.
  1209  
  1210  It's conventional to use `host.docker.internal` as the hostname referring to
  1211  `host-gateway`. Docker Desktop automatically resolves this hostname, see
  1212  [Explore networking features](https://docs.docker.com/desktop/networking/#i-want-to-connect-from-a-container-to-a-service-on-the-host).
  1213  
  1214  The following example shows how the special `host-gateway` value works. The
  1215  example runs an HTTP server that serves a file from host to container over the
  1216  `host.docker.internal` hostname, which resolves to the host's internal IP.
  1217  
  1218  ```console
  1219  $ echo "hello from host!" > ./hello
  1220  $ python3 -m http.server 8000
  1221  Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
  1222  $ docker run \
  1223    --add-host host.docker.internal=host-gateway \
  1224    curlimages/curl -s host.docker.internal:8000/hello
  1225  hello from host!
  1226  ```
  1227  
  1228  The `--add-host` flag also accepts a `:` separator, for example:
  1229  
  1230  ```console
  1231  $ docker run --add-host=my-hostname:8.8.8.8 --rm -it alpine
  1232  ```
  1233  
  1234  ### <a name="log-driver"></a> Logging drivers (--log-driver)
  1235  
  1236  The container can have a different logging driver than the Docker daemon. Use
  1237  the `--log-driver=<DRIVER>` with the `docker run` command to configure the
  1238  container's logging driver.
  1239  
  1240  To learn about the supported logging drivers and how to use them, refer to
  1241  [Configure logging drivers](https://docs.docker.com/config/containers/logging/configure/).
  1242  
  1243  To disable logging for a container, set the `--log-driver` flag to `none`:
  1244  
  1245  ```console
  1246  $ docker run --log-driver=none -d nginx:alpine
  1247  5101d3b7fe931c27c2ba0e65fd989654d297393ad65ae238f20b97a020e7295b
  1248  $ docker logs 5101d3b
  1249  Error response from daemon: configured logging driver does not support reading
  1250  ```
  1251  
  1252  ### <a name="ulimit"></a> Set ulimits in container (--ulimit)
  1253  
  1254  Since setting `ulimit` settings in a container requires extra privileges not
  1255  available in the default container, you can set these using the `--ulimit` flag.
  1256  Specify `--ulimit` with a soft and hard limit in the format
  1257  `<type>=<soft limit>[:<hard limit>]`. For example:
  1258  
  1259  ```console
  1260  $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n"
  1261  1024
  1262  ```
  1263  
  1264  > **Note**
  1265  >
  1266  > If you don't provide a hard limit value, Docker uses the soft limit value
  1267  > for both values. If you don't provide any values, they are inherited from
  1268  > the default `ulimits` set on the daemon.
  1269  
  1270  > **Note**
  1271  >
  1272  > The `as` option is deprecated.
  1273  > In other words, the following script is not supported:
  1274  >
  1275  > ```console
  1276  > $ docker run -it --ulimit as=1024 fedora /bin/bash
  1277  > ```
  1278  
  1279  Docker sends the values to the appropriate OS `syscall` and doesn't perform any byte conversion.
  1280  Take this into account when setting the values.
  1281  
  1282  #### For `nproc` usage
  1283  
  1284  Be careful setting `nproc` with the `ulimit` flag as Linux uses `nproc` to set the
  1285  maximum number of processes available to a user, not to a container. For example, start four
  1286  containers with `daemon` user:
  1287  
  1288  ```console
  1289  $ docker run -d -u daemon --ulimit nproc=3 busybox top
  1290  
  1291  $ docker run -d -u daemon --ulimit nproc=3 busybox top
  1292  
  1293  $ docker run -d -u daemon --ulimit nproc=3 busybox top
  1294  
  1295  $ docker run -d -u daemon --ulimit nproc=3 busybox top
  1296  ```
  1297  
  1298  The 4th container fails and reports a "[8] System error: resource temporarily unavailable" error.
  1299  This fails because the caller set `nproc=3` resulting in the first three containers using up
  1300  the three processes quota set for the `daemon` user.
  1301  
  1302  ### <a name="stop-signal"></a> Stop container with signal (--stop-signal)
  1303  
  1304  The `--stop-signal` flag sends the system call signal to the
  1305  container to exit. This signal can be a signal name in the format `SIG<NAME>`,
  1306  for instance `SIGKILL`, or an unsigned number that matches a position in the
  1307  kernel's syscall table, for instance `9`.
  1308  
  1309  The default value is defined by [`STOPSIGNAL`](https://docs.docker.com/reference/dockerfile/#stopsignal)
  1310  in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.
  1311  
  1312  ### <a name="security-opt"></a> Optional security options (--security-opt)
  1313  
  1314  | Option                                    | Description                                                                                                                                                                                                      |
  1315  |:------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
  1316  | `--security-opt="label=user:USER"`        | Set the label user for the container                                                                                                                                                                             |
  1317  | `--security-opt="label=role:ROLE"`        | Set the label role for the container                                                                                                                                                                             |
  1318  | `--security-opt="label=type:TYPE"`        | Set the label type for the container                                                                                                                                                                             |
  1319  | `--security-opt="label=level:LEVEL"`      | Set the label level for the container                                                                                                                                                                            |
  1320  | `--security-opt="label=disable"`          | Turn off label confinement for the container                                                                                                                                                                     |
  1321  | `--security-opt="apparmor=PROFILE"`       | Set the apparmor profile to be applied to the container                                                                                                                                                          |
  1322  | `--security-opt="no-new-privileges=true"` | Disable container processes from gaining new privileges                                                                                                                                                          |
  1323  | `--security-opt="seccomp=unconfined"`     | Turn off seccomp confinement for the container                                                                                                                                                                   |
  1324  | `--security-opt="seccomp=builtin"`        | Use the default (built-in) seccomp profile for the container. This can be used to enable seccomp for a container running on a daemon with a custom default profile set, or with seccomp disabled ("unconfined"). |
  1325  | `--security-opt="seccomp=profile.json"`   | White-listed syscalls seccomp Json file to be used as a seccomp filter                                                                                                                                           |
  1326  
  1327  The `--security-opt` flag lets you override the default labeling scheme for a
  1328  container. Specifying the level in the following command allows you to share
  1329  the same content between containers.
  1330  
  1331  ```console
  1332  $ docker run --security-opt label=level:s0:c100,c200 -it fedora bash
  1333  ```
  1334  
  1335  > **Note**
  1336  >
  1337  > Automatic translation of MLS labels isn't supported.
  1338  
  1339  To disable the security labeling for a container entirely, you can use
  1340  `label=disable`:
  1341  
  1342  ```console
  1343  $ docker run --security-opt label=disable -it ubuntu bash
  1344  ```
  1345  
  1346  If you want a tighter security policy on the processes within a container, you
  1347  can specify a custom `type` label. The following example runs a container
  1348  that's only allowed to listen on Apache ports:
  1349  
  1350  ```console
  1351  $ docker run --security-opt label=type:svirt_apache_t -it ubuntu bash
  1352  ```
  1353  
  1354  > **Note**
  1355  >
  1356  > You would have to write policy defining a `svirt_apache_t` type.
  1357  
  1358  To prevent your container processes from gaining additional privileges, you can
  1359  use the following command:
  1360  
  1361  ```console
  1362  $ docker run --security-opt no-new-privileges -it ubuntu bash
  1363  ```
  1364  
  1365  This means that commands that raise privileges such as `su` or `sudo` no longer work.
  1366  It also causes any seccomp filters to be applied later, after privileges have been dropped
  1367  which may mean you can have a more restrictive set of filters.
  1368  For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).
  1369  
  1370  On Windows, you can use the `--security-opt` flag to specify the `credentialspec` option.
  1371  The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`.
  1372  
  1373  ### <a name="stop-timeout"></a> Stop container with timeout (--stop-timeout)
  1374  
  1375  The `--stop-timeout` flag sets the number of seconds to wait for the container
  1376  to stop after sending the pre-defined (see `--stop-signal`) system call signal.
  1377  If the container does not exit after the timeout elapses, it's forcibly killed
  1378  with a `SIGKILL` signal.
  1379  
  1380  If you set `--stop-timeout` to `-1`, no timeout is applied, and the daemon
  1381  waits indefinitely for the container to exit.
  1382  
  1383  The Daemon determines the default, and is 10 seconds for Linux containers,
  1384  and 30 seconds for Windows containers.
  1385  
  1386  ### <a name="isolation"></a> Specify isolation technology for container (--isolation)
  1387  
  1388  This option is useful in situations where you are running Docker containers on
  1389  Windows. The `--isolation=<value>` option sets a container's isolation technology.
  1390  On Linux, the only supported is the `default` option which uses Linux namespaces.
  1391  These two commands are equivalent on Linux:
  1392  
  1393  ```console
  1394  $ docker run -d busybox top
  1395  $ docker run -d --isolation default busybox top
  1396  ```
  1397  
  1398  On Windows, `--isolation` can take one of these values:
  1399  
  1400  | Value     | Description                                                                                |
  1401  |:----------|:-------------------------------------------------------------------------------------------|
  1402  | `default` | Use the value specified by the Docker daemon's `--exec-opt` or system default (see below). |
  1403  | `process` | Shared-kernel namespace isolation.                                                         |
  1404  | `hyperv`  | Hyper-V hypervisor partition-based isolation.                                              |
  1405  
  1406  The default isolation on Windows server operating systems is `process`, and `hyperv`
  1407  on Windows client operating systems, such as Windows 10. Process isolation has better
  1408  performance, but requires that the image and host use the same kernel version.
  1409  
  1410  On Windows server, assuming the default configuration, these commands are equivalent
  1411  and result in `process` isolation:
  1412  
  1413  ```powershell
  1414  PS C:\> docker run -d microsoft/nanoserver powershell echo process
  1415  PS C:\> docker run -d --isolation default microsoft/nanoserver powershell echo process
  1416  PS C:\> docker run -d --isolation process microsoft/nanoserver powershell echo process
  1417  ```
  1418  
  1419  If you have set the `--exec-opt isolation=hyperv` option on the Docker `daemon`, or
  1420  are running against a Windows client-based daemon, these commands are equivalent and
  1421  result in `hyperv` isolation:
  1422  
  1423  ```powershell
  1424  PS C:\> docker run -d microsoft/nanoserver powershell echo hyperv
  1425  PS C:\> docker run -d --isolation default microsoft/nanoserver powershell echo hyperv
  1426  PS C:\> docker run -d --isolation hyperv microsoft/nanoserver powershell echo hyperv
  1427  ```
  1428  
  1429  ### <a name="memory"></a> Specify hard limits on memory available to containers (-m, --memory)
  1430  
  1431  These parameters always set an upper limit on the memory available to the container. Linux sets this
  1432  on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
  1433  
  1434  On Windows, this affects containers differently depending on what type of isolation you use.
  1435  
  1436  - With `process` isolation, Windows reports the full memory of the host system, not the limit to applications running inside the container
  1437  
  1438      ```powershell
  1439      PS C:\> docker run -it -m 2GB --isolation=process microsoft/nanoserver powershell Get-ComputerInfo *memory*
  1440  
  1441      CsTotalPhysicalMemory      : 17064509440
  1442      CsPhyicallyInstalledMemory : 16777216
  1443      OsTotalVisibleMemorySize   : 16664560
  1444      OsFreePhysicalMemory       : 14646720
  1445      OsTotalVirtualMemorySize   : 19154928
  1446      OsFreeVirtualMemory        : 17197440
  1447      OsInUseVirtualMemory       : 1957488
  1448      OsMaxProcessMemorySize     : 137438953344
  1449      ```
  1450  
  1451  - With `hyperv` isolation, Windows creates a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
  1452  
  1453      ```powershell
  1454      PS C:\> docker run -it -m 2GB --isolation=hyperv microsoft/nanoserver powershell Get-ComputerInfo *memory*
  1455  
  1456      CsTotalPhysicalMemory      : 2683355136
  1457      CsPhyicallyInstalledMemory :
  1458      OsTotalVisibleMemorySize   : 2620464
  1459      OsFreePhysicalMemory       : 2306552
  1460      OsTotalVirtualMemorySize   : 2620464
  1461      OsFreeVirtualMemory        : 2356692
  1462      OsInUseVirtualMemory       : 263772
  1463      OsMaxProcessMemorySize     : 137438953344
  1464      ```
  1465  
  1466  ### <a name="sysctl"></a> Configure namespaced kernel parameters (sysctls) at runtime (--sysctl)
  1467  
  1468  The `--sysctl` sets namespaced kernel parameters (sysctls) in the
  1469  container. For example, to turn on IP forwarding in the containers
  1470  network namespace, run this command:
  1471  
  1472  ```console
  1473  $ docker run --sysctl net.ipv4.ip_forward=1 someimage
  1474  ```
  1475  
  1476  > **Note**
  1477  >
  1478  > Not all sysctls are namespaced. Docker does not support changing sysctls
  1479  > inside of a container that also modify the host system. As the kernel
  1480  > evolves we expect to see more sysctls become namespaced.
  1481  
  1482  
  1483  #### Currently supported sysctls
  1484  
  1485  IPC Namespace:
  1486  
  1487  - `kernel.msgmax`, `kernel.msgmnb`, `kernel.msgmni`, `kernel.sem`,
  1488    `kernel.shmall`, `kernel.shmmax`, `kernel.shmmni`, `kernel.shm_rmid_forced`.
  1489  - Sysctls beginning with `fs.mqueue.*`
  1490  - If you use the `--ipc=host` option these sysctls are not allowed.
  1491  
  1492  Network Namespace:
  1493  
  1494  - Sysctls beginning with `net.*`
  1495  - If you use the `--network=host` option using these sysctls are not allowed.
  1496  
  1497  ## Command internals
  1498  
  1499  The `docker run` command is equivalent to the following API calls:
  1500  
  1501  - `/<API version>/containers/create`
  1502    - If that call returns a 404 (image not found), and depending on the `--pull` option ("always", "missing", "never") the call can trigger a `docker pull <image>`.
  1503  - `/containers/create` again after pulling the image.
  1504  - `/containers/(id)/start` to start the container.
  1505  - `/containers/(id)/attach` to attach to the container when starting with the `-it` flags for interactive containers.