% DOCKER(1) Docker User Manuals
% Docker Community
% JUNE 2014
# NAME
docker-create - Create a new container

# SYNOPSIS
**docker create**
[**-a**|**--attach**[=*[]*]]
[**--add-host**[=*[]*]]
[**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
[**--blkio-weight-device**[=*[]*]]
[**--cpu-shares**[=*0*]]
[**--cap-add**[=*[]*]]
[**--cap-drop**[=*[]*]]
[**--cgroup-parent**[=*CGROUP-PATH*]]
[**--cidfile**[=*CIDFILE*]]
[**--cpu-period**[=*0*]]
[**--cpu-quota**[=*0*]]
[**--cpuset-cpus**[=*CPUSET-CPUS*]]
[**--cpuset-mems**[=*CPUSET-MEMS*]]
[**--device**[=*[]*]]
[**--device-read-bps**[=*[]*]]
[**--device-read-iops**[=*[]*]]
[**--device-write-bps**[=*[]*]]
[**--device-write-iops**[=*[]*]]
[**--dns**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**-e**|**--env**[=*[]*]]
[**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]]
[**--expose**[=*[]*]]
[**--group-add**[=*[]*]]
[**-h**|**--hostname**[=*HOSTNAME*]]
[**--help**]
[**-i**|**--interactive**]
[**--ip**[=*IPv4-ADDRESS*]]
[**--ip6**[=*IPv6-ADDRESS*]]
[**--ipc**[=*IPC*]]
[**--isolation**[=*default*]]
[**--kernel-memory**[=*KERNEL-MEMORY*]]
[**-l**|**--label**[=*[]*]]
[**--label-file**[=*[]*]]
[**--link**[=*[]*]]
[**--log-driver**[=*[]*]]
[**--log-opt**[=*[]*]]
[**-m**|**--memory**[=*MEMORY*]]
[**--mac-address**[=*MAC-ADDRESS*]]
[**--memory-reservation**[=*MEMORY-RESERVATION*]]
[**--memory-swap**[=*LIMIT*]]
[**--memory-swappiness**[=*MEMORY-SWAPPINESS*]]
[**--name**[=*NAME*]]
[**--net**[=*"bridge"*]]
[**--net-alias**[=*[]*]]
[**--oom-kill-disable**]
[**--oom-score-adj**[=*0*]]
[**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**]
[**--read-only**]
[**--restart**[=*RESTART*]]
[**--security-opt**[=*[]*]]
[**--storage-opt**[=*[]*]]
[**--stop-signal**[=*SIGNAL*]]
[**--shm-size**[=*[]*]]
[**--sysctl**[=*[]*]]
[**-t**|**--tty**]
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
[**-u**|**--user**[=*USER*]]
[**--ulimit**[=*[]*]]
[**--uts**[=*[]*]]
[**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]
[**--volume-driver**[=*DRIVER*]]
[**--volumes-from**[=*[]*]]
[**-w**|**--workdir**[=*WORKDIR*]]
IMAGE [COMMAND] [ARG...]

# DESCRIPTION

Creates a writeable container layer over the specified image and prepares it for
running the specified command. The container ID is then printed to STDOUT. This
is similar to **docker run -d** except the container is never started. You can
then use the **docker start <container_id>** command to start the container at
any point.

The initial status of the container created with **docker create** is 'created'.

# OPTIONS
**-a**, **--attach**=[]
   Attach to STDIN, STDOUT or STDERR.

**--add-host**=[]
   Add a custom host-to-IP mapping (host:ip)

**--blkio-weight**=*0*
   Block IO weight (relative weight) accepts a weight value between 10 and 1000.

**--blkio-weight-device**=[]
   Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`).

**--cpu-shares**=*0*
   CPU shares (relative weight)

**--cap-add**=[]
   Add Linux capabilities

**--cap-drop**=[]
   Drop Linux capabilities

**--cgroup-parent**=""
   Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.

**--cidfile**=""
   Write the container ID to the file

**--cpu-period**=*0*
   Limit the CPU CFS (Completely Fair Scheduler) period

**--cpuset-cpus**=""
   CPUs in which to allow execution (0-3, 0,1)

**--cpuset-mems**=""
   Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.

   If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
then processes in your Docker container will only use memory from the first
two memory nodes.

**--cpu-quota**=*0*
   Limit the CPU CFS (Completely Fair Scheduler) quota

**--device**=[]
   Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)

**--device-read-bps**=[]
   Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)

**--device-read-iops**=[]
   Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)

**--device-write-bps**=[]
   Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb)

**--device-write-iops**=[]
   Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)

**--dns**=[]
   Set custom DNS servers

**--dns-opt**=[]
   Set custom DNS options

**--dns-search**=[]
   Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)

**-e**, **--env**=[]
   Set environment variables

**--entrypoint**=""
   Overwrite the default ENTRYPOINT of the image

**--env-file**=[]
   Read in a line-delimited file of environment variables

**--expose**=[]
   Expose a port or a range of ports (e.g.
   --expose=3300-3310) from the container without publishing it to your host

**--group-add**=[]
   Add additional groups to run as

**-h**, **--hostname**=""
   Container host name

**--help**
   Print usage statement

**-i**, **--interactive**=*true*|*false*
   Keep STDIN open even if not attached. The default is *false*.

**--ip**=""
   Sets the container's interface IPv4 address (e.g. 172.23.0.9)

   It can only be used in conjunction with **--net** for user-defined networks

**--ip6**=""
   Sets the container's interface IPv6 address (e.g. 2001:db8::1b99)

   It can only be used in conjunction with **--net** for user-defined networks

**--ipc**=""
   Default is to create a private IPC namespace (POSIX SysV IPC) for the container
   'container:<name|id>': reuses another container shared memory, semaphores and message queues
   'host': use the host shared memory, semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.

**--isolation**="*default*"
   Isolation specifies the type of isolation technology used by containers.

**--kernel-memory**=""
   Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)

   Constrains the kernel memory available to a container. If a limit of 0
is specified (not using `--kernel-memory`), the container's kernel memory
is not limited. If you specify a limit, it may be rounded up to a multiple
of the operating system's page size and the value can be very large,
millions of trillions.

**-l**, **--label**=[]
   Adds metadata to a container (e.g., --label=com.example.key=value)

**--label-file**=[]
   Read labels from a file. Delimit each label with an EOL.

**--link**=[]
   Add link to another container in the form of <name or id>:alias or just
   <name or id> in which case the alias will match the name.

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
   Logging driver for container. Default is defined by daemon `--log-driver` flag.
   **Warning**: the `docker logs` command works only for the `json-file` and
   `journald` logging drivers.

**--log-opt**=[]
   Logging driver specific options.

**-m**, **--memory**=""
   Memory limit (format: <number>[<unit>], where unit = b, k, m or g)

   Allows you to constrain the memory available to a container. If the host
supports swap memory, then the **-m** memory setting can be larger than physical
RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
not limited. The actual limit may be rounded up to a multiple of the operating
system's page size (the value would be very large, that's millions of trillions).

**--mac-address**=""
   Container MAC address (e.g. 92:d0:c6:0a:29:33)

**--memory-reservation**=""
   Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g)

   After setting memory reservation, when the system detects memory contention
or low memory, containers are forced to restrict their consumption to their
reservation. So you should always set the value below **--memory**, otherwise the
hard limit will take precedence. By default, memory reservation will be the same
as memory limit.

**--memory-swap**="LIMIT"
   A limit value equal to memory plus swap. Must be used with the **-m**
(**--memory**) flag. The swap `LIMIT` should always be larger than **-m**
(**--memory**) value.

   The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
`k` (kilobytes), `m` (megabytes), or `g` (gigabytes).
If you don't specify a
unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.

**--memory-swappiness**=""
   Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.

**--name**=""
   Assign a name to the container

**--net**="*bridge*"
   Set the Network mode for the container
   'bridge': create a network stack on the default Docker bridge
   'none': no networking
   'container:<name|id>': reuse another container's network stack
   'host': use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
   '<network-name>|<network-id>': connect to a user-defined network

**--net-alias**=[]
   Add network-scoped alias for the container

**--oom-kill-disable**=*true*|*false*
   Whether to disable OOM Killer for the container or not.

**--oom-score-adj**=""
   Tune the host's OOM preferences for containers (accepts -1000 to 1000)

**-P**, **--publish-all**=*true*|*false*
   Publish all exposed ports to random ports on the host interfaces. The default is *false*.

**-p**, **--publish**=[]
   Publish a container's port, or a range of ports, to the host
   format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
   Both hostPort and containerPort can be specified as a range of ports.
   When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`)
   (use 'docker port' to see the actual mapping)

**--pid**=*host*
   Set the PID mode for the container
   **host**: use the host's PID namespace inside the container.
   Note: the host mode gives the container full access to local PID and is therefore considered insecure.

**--userns**=""
   Set the user namespace mode for the container when the `userns-remap` option is enabled.
   **host**: use the host user namespace and enable all privileged options (e.g., `pid=host` or `--privileged`).

**--pids-limit**=""
   Tune the container's pids limit. Set `-1` to have unlimited pids for the container.

**--privileged**=*true*|*false*
   Give extended privileges to this container. The default is *false*.

**--read-only**=*true*|*false*
   Mount the container's root filesystem as read only.

**--restart**="*no*"
   Restart policy to apply when a container exits (no, on-failure[:max-retry], always, unless-stopped).

**--shm-size**=""
   Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
   Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes.
   If you omit the size entirely, the system uses `64m`.

**--security-opt**=[]
   Security Options

    "label:user:USER"      : Set the label user for the container
    "label:role:ROLE"      : Set the label role for the container
    "label:type:TYPE"      : Set the label type for the container
    "label:level:LEVEL"    : Set the label level for the container
    "label:disable"        : Turn off label confinement for the container
    "no-new-privileges"    : Disable container processes from gaining additional privileges
    "seccomp:unconfined"   : Turn off seccomp confinement for the container
    "seccomp:profile.json" : Whitelisted syscalls seccomp JSON file to be used as a seccomp filter

**--storage-opt**=[]
   Storage driver options per container

   $ docker create -it --storage-opt size=120G fedora /bin/bash

   This (size) sets the container rootfs size to 120G at creation time. You cannot pass a size less than the Default BaseFS Size.

**--stop-signal**=*SIGTERM*
   Signal to stop a container.
   Default is SIGTERM.

**--sysctl**=SYSCTL
   Configure namespaced kernel parameters at runtime

   IPC Namespace - current sysctls allowed:

   kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
   Sysctls beginning with fs.mqueue.*

   Note: if you use --ipc=host using these sysctls will not be allowed.

   Network Namespace - current sysctls allowed:
   Sysctls beginning with net.*

   Note: if you use --net=host using these sysctls will not be allowed.

**-t**, **--tty**=*true*|*false*
   Allocate a pseudo-TTY. The default is *false*.

**--tmpfs**=[] Create a tmpfs mount

   Mount a temporary filesystem (`tmpfs`) mount into a container, for example:

   $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image

   This command mounts a `tmpfs` at `/tmp` within the container. The supported mount
options are the same as the Linux default `mount` flags. If you do not specify
any options, the system uses the following options:
`rw,noexec,nosuid,nodev,size=65536k`.

**-u**, **--user**=""
   Username or UID

**--ulimit**=[]
   Ulimit options

**--uts**=*host*
   Set the UTS mode for the container
   **host**: use the host's UTS namespace inside the container.
   Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.

**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
   Create a bind mount. If you specify `-v /HOST-DIR:/CONTAINER-DIR`, Docker
   bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker
   container. If 'HOST-DIR' is omitted, Docker automatically creates the new
   volume on the host. The `OPTIONS` are a comma delimited list and can be:

   * [rw|ro]
   * [z|Z]
   * [`[r]shared`|`[r]slave`|`[r]private`]

The `CONTAINER-DIR` must be an absolute path such as `/src/docs`.
The `HOST-DIR`
can be an absolute path or a `name` value. A `name` value must start with an
alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or
`-` (hyphen). An absolute path starts with a `/` (forward slash).

If you supply a `HOST-DIR` that is an absolute path, Docker bind-mounts to the
path you specify. If you supply a `name`, Docker creates a named volume by that
`name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`
value. If you supply the `/foo` value, Docker creates a bind-mount. If you
supply the `foo` specification, Docker creates a named volume.

You can specify multiple **-v** options to mount one or more mounts to a
container. To use these same mounts in other containers, specify the
**--volumes-from** option also.

You can add `:ro` or `:rw` suffix to a volume to mount it read-only or
read-write mode, respectively. By default, the volumes are mounted read-write.
See examples.

Labeling systems like SELinux require that proper labels are placed on volume
content mounted into a container. Without a label, the security system might
prevent the processes running inside the container from using the content. By
default, Docker does not change the labels set by the OS.

To change a label in the container context, you can add either of two suffixes
`:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
objects on the shared volumes. The `z` option tells Docker that two containers
share the volume content. As a result, Docker labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Docker to label the content with a private unshared label.
Only the current container can use a private volume.

By default bind mounted volumes are `private`.
That means any mounts done
inside the container will not be visible on the host and vice versa. One can change
this behavior by specifying a volume mount propagation property. Making a
volume `shared` means mounts done under that volume inside the container will be
visible on the host and vice versa. Making a volume `slave` enables only one-way
mount propagation: mounts done on the host under that volume
will be visible inside the container but not the other way around.

To control the mount propagation property of a volume one can use the `:[r]shared`,
`:[r]slave` or `:[r]private` propagation flag. The propagation property can
be specified only for bind mounted volumes and not for internal volumes or
named volumes. For mount propagation to work, the source mount point (the mount point
where the source dir is mounted) has to have the right propagation properties. For
shared volumes, the source mount point has to be shared. And for slave volumes,
the source mount has to be either shared or slave.

Use `df <source-dir>` to figure out the source mount and then use
`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out the propagation
properties of the source mount. If the `findmnt` utility is not available, then one
can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look
at `optional fields` and see if any propagation properties are specified.
`shared:X` means the mount is `shared`, `master:X` means the mount is `slave` and if
nothing is there that means the mount is `private`.

To change the propagation properties of a mount point use the `mount` command. For
example, if one wants to bind mount source directory `/foo` one can do
`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
will convert /foo into a `shared` mount point. Alternatively one can directly
change the propagation properties of the source mount.
Say `/` is the source mount for
`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.

> **Note**:
> When using systemd to manage the Docker daemon's start and stop, in the systemd
> unit file there is an option to control mount propagation for the Docker daemon
> itself, called `MountFlags`. The value of this setting may cause Docker to not
> see mount propagation changes made on the mount point. For example, if this value
> is `slave`, you may not be able to use the `shared` or `rshared` propagation on
> a volume.


To disable automatic copying of data from the container path to the volume, use
the `nocopy` flag. The `nocopy` flag can be set on bind mounts and named volumes.

**--volume-driver**=""
   Container's volume driver. This driver creates volumes specified either from
   a Dockerfile's `VOLUME` instruction or from the `docker run -v` flag.
   See **docker-volume-create(1)** for full details.

**--volumes-from**=[]
   Mount volumes from the specified container(s)

**-w**, **--workdir**=""
   Working directory inside the container

# EXAMPLES

## Specify isolation technology for container (--isolation)

This option is useful in situations where you are running Docker containers on
Windows. The `--isolation=<value>` option sets a container's isolation
technology. On Linux, the only supported value is `default`, which uses
Linux namespaces. On Microsoft Windows, you can specify these values:

* `default`: Use the value specified by the Docker daemon's `--exec-opt`. If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
* `process`: Namespace isolation only.
* `hyperv`: Hyper-V hypervisor partition-based isolation.

Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
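
## Check a source mount's propagation before using `:shared` or `:slave`

The **-v** description above says how to read propagation from the `optional fields` of `/proc/self/mountinfo` and which source-mount states each propagation flag needs. The script below is an added example, not part of the original man page or the Docker project; the function names `mount_propagation` and `propagation_allows` and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (not from a real host).
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:17 / /foo rw,relatime - ext4 /dev/sdb1 rw
41 22 8:18 / /data rw,relatime master:1 - ext4 /dev/sdc1 rw
42 22 8:19 / /both rw,relatime shared:5 master:1 - ext4 /dev/sdd1 rw
EOF
}

# mount_propagation MOUNTPOINT  (mountinfo text on stdin)
# Prints shared, slave, "shared,slave" or private; exits 1 if not mounted.
mount_propagation() {
    awk -v target="$1" '
        $5 == target {
            # A later entry for the same mount point hides earlier ones.
            found = 1; shared = 0; slave = 0
            # Optional fields run from field 7 up to the "-" separator.
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                if ($i ~ /^master:/) slave = 1
            }
        }
        END {
            if (!found) exit 1
            if (shared && slave) print "shared,slave"
            else if (shared)     print "shared"
            else if (slave)      print "slave"
            else                 print "private"
        }'
}

# propagation_allows FLAG MOUNTPOINT  (mountinfo text on stdin)
# 0: the source mount satisfies the rule for FLAG, 1: it does not,
# 2: unknown flag or mount point.
propagation_allows() {
    flag=$1
    state=$(mount_propagation "$2") || return 2
    case $flag in
        shared|rshared)       # source mount has to be shared
            case $state in shared*) return 0 ;; esac
            return 1 ;;
        slave|rslave)         # source mount has to be shared or slave
            case $state in private) return 1 ;; esac
            return 0 ;;
        private|rprivate)
            return 0 ;;
        *)
            return 2 ;;
    esac
}

# Demonstration on the constructed table.
for m in / /foo /data /both; do
    printf '%-6s %s\n' "$m" "$(sample_mountinfo | mount_propagation "$m")"
done
```

On a real host, feed it `/proc/self/mountinfo` and pass the source mount reported by `df <source-dir>`, for example `propagation_allows rshared / < /proc/self/mountinfo`.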
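
## Review a command line for options that weaken isolation

Several options above are described as insecure or as turning confinement off: the `host` modes of **--ipc**, **--net**, **--pid** and **--uts**, **--userns**=host, **--privileged**, and the `seccomp:unconfined` and `label:disable` values of **--security-opt**. The function below is an added example, not part of the original man page or the Docker project, that reports those options in a **docker create** argument list; the name `audit_create_args` is hypothetical, and it scans every argument without locating IMAGE, so arguments of COMMAND are checked too.

```shell
#!/bin/sh
# audit_create_args ARG...
# Prints one finding per option that removes an isolation boundary and
# returns non-zero if any were found.
audit_create_args() {
    findings=0
    while [ $# -gt 0 ]; do
        opt=$1
        val=
        case $opt in
            --ipc|--net|--pid|--uts|--userns|--security-opt)
                # "--opt value" form: the value is the next argument.
                if [ $# -ge 2 ]; then val=$2; shift; fi ;;
            --*=*)
                # "--opt=value" form.
                val=${opt#*=}
                opt=${opt%%=*} ;;
        esac
        shift
        case "$opt=$val" in
            --ipc=host|--net=host|--pid=host|--uts=host|--userns=host)
                echo "host namespace shared with container: $opt=$val"
                findings=$((findings + 1)) ;;
            --privileged=|--privileged=true)
                echo "extended privileges: --privileged"
                findings=$((findings + 1)) ;;
            --security-opt=seccomp:unconfined|--security-opt=label:disable)
                echo "confinement turned off: $opt=$val"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed command line for demonstration.
audit_create_args --name web --net=host --pid host --privileged \
    --security-opt seccomp:unconfined fedora /bin/bash \
    || echo "review these options before creating the container"
```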

# HISTORY
August 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
September 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
November 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>