github.com/vieux/docker@v0.6.3-0.20161004191708-e097c2a938c7/man/docker-create.1.md

% DOCKER(1) Docker User Manuals
% Docker Community
% JUNE 2014
# NAME
docker-create - Create a new container

# SYNOPSIS
**docker create**
[**-a**|**--attach**[=*[]*]]
[**--add-host**[=*[]*]]
[**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
[**--blkio-weight-device**[=*[]*]]
[**--cpu-shares**[=*0*]]
[**--cap-add**[=*[]*]]
[**--cap-drop**[=*[]*]]
[**--cgroup-parent**[=*CGROUP-PATH*]]
[**--cidfile**[=*CIDFILE*]]
[**--cpu-period**[=*0*]]
[**--cpu-quota**[=*0*]]
[**--cpuset-cpus**[=*CPUSET-CPUS*]]
[**--cpuset-mems**[=*CPUSET-MEMS*]]
[**--device**[=*[]*]]
[**--device-read-bps**[=*[]*]]
[**--device-read-iops**[=*[]*]]
[**--device-write-bps**[=*[]*]]
[**--device-write-iops**[=*[]*]]
[**--dns**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**-e**|**--env**[=*[]*]]
[**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]]
[**--expose**[=*[]*]]
[**--group-add**[=*[]*]]
[**-h**|**--hostname**[=*HOSTNAME*]]
[**--help**]
[**-i**|**--interactive**]
[**--ip**[=*IPv4-ADDRESS*]]
[**--ip6**[=*IPv6-ADDRESS*]]
[**--ipc**[=*IPC*]]
[**--isolation**[=*default*]]
[**--kernel-memory**[=*KERNEL-MEMORY*]]
[**-l**|**--label**[=*[]*]]
[**--label-file**[=*[]*]]
[**--link**[=*[]*]]
[**--link-local-ip**[=*[]*]]
[**--log-driver**[=*[]*]]
[**--log-opt**[=*[]*]]
[**-m**|**--memory**[=*MEMORY*]]
[**--mac-address**[=*MAC-ADDRESS*]]
[**--memory-reservation**[=*MEMORY-RESERVATION*]]
[**--memory-swap**[=*LIMIT*]]
[**--memory-swappiness**[=*MEMORY-SWAPPINESS*]]
[**--name**[=*NAME*]]
[**--network-alias**[=*[]*]]
[**--network**[=*"bridge"*]]
[**--oom-kill-disable**]
[**--oom-score-adj**[=*0*]]
[**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]]
[**--pid**[=*[PID]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**]
[**--read-only**]
[**--restart**[=*RESTART*]]
[**--rm**]
[**--security-opt**[=*[]*]]
[**--storage-opt**[=*[]*]]
[**--stop-signal**[=*SIGNAL*]]
[**--shm-size**[=*[]*]]
[**--sysctl**[=*[]*]]
[**-t**|**--tty**]
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
[**-u**|**--user**[=*USER*]]
[**--ulimit**[=*[]*]]
[**--uts**[=*[]*]]
[**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]
[**--volume-driver**[=*DRIVER*]]
[**--volumes-from**[=*[]*]]
[**-w**|**--workdir**[=*WORKDIR*]]
IMAGE [COMMAND] [ARG...]

# DESCRIPTION

Creates a writeable container layer over the specified image and prepares it for
running the specified command. The container ID is then printed to STDOUT. This
is similar to **docker run -d** except the container is never started. You can
then use the **docker start <container_id>** command to start the container at
any point.

The initial status of the container created with **docker create** is 'created'.

# OPTIONS
**-a**, **--attach**=[]
   Attach to STDIN, STDOUT or STDERR.

**--add-host**=[]
   Add a custom host-to-IP mapping (host:ip)

**--blkio-weight**=*0*
   Block IO weight (relative weight); accepts a weight value between 10 and 1000.

**--blkio-weight-device**=[]
   Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`).

**--cpu-shares**=*0*
   CPU shares (relative weight)

**--cap-add**=[]
   Add Linux capabilities

**--cap-drop**=[]
   Drop Linux capabilities

**--cgroup-parent**=""
   Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.

**--cidfile**=""
   Write the container ID to the file

**--cpu-period**=*0*
   Limit the CPU CFS (Completely Fair Scheduler) period

**--cpuset-cpus**=""
   CPUs in which to allow execution (0-3, 0,1)

**--cpuset-mems**=""
   Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.

   If you have four memory nodes on your system (0-3) and use `--cpuset-mems=0,1`,
processes in your Docker container will only use memory from the first
two memory nodes.

**--cpu-quota**=*0*
   Limit the CPU CFS (Completely Fair Scheduler) quota

**--device**=[]
   Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)

**--device-read-bps**=[]
   Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)

**--device-read-iops**=[]
   Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)

**--device-write-bps**=[]
   Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb)

**--device-write-iops**=[]
   Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)

**--dns**=[]
   Set custom DNS servers

**--dns-opt**=[]
   Set custom DNS options

**--dns-search**=[]
   Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)

**-e**, **--env**=[]
   Set environment variables

**--entrypoint**=""
   Overwrite the default ENTRYPOINT of the image

**--env-file**=[]
   Read in a line-delimited file of environment variables

**--expose**=[]
   Expose a port or a range of ports (e.g.
--expose=3300-3310) from the container without publishing it to your host

**--group-add**=[]
   Add additional groups to run as

**-h**, **--hostname**=""
   Container host name

**--help**
   Print usage statement

**-i**, **--interactive**=*true*|*false*
   Keep STDIN open even if not attached. The default is *false*.

**--ip**=""
   Sets the container's interface IPv4 address (e.g. 172.23.0.9)

   It can only be used in conjunction with **--net** for user-defined networks

**--ip6**=""
   Sets the container's interface IPv6 address (e.g. 2001:db8::1b99)

   It can only be used in conjunction with **--net** for user-defined networks

**--ipc**=""
   Default is to create a private IPC namespace (POSIX SysV IPC) for the container
   'container:<name|id>': reuses another container's shared memory, semaphores and message queues
   'host': use the host's shared memory, semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.

**--isolation**="*default*"
   Isolation specifies the type of isolation technology used by containers. Note
that the default on Windows server is `process`, and the default on Windows client
is `hyperv`. Linux only supports `default`.

**--kernel-memory**=""
   Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)

   Constrains the kernel memory available to a container. If a limit of 0
is specified (not using `--kernel-memory`), the container's kernel memory
is not limited. If you specify a limit, it may be rounded up to a multiple
of the operating system's page size, and the value can be very large
(millions of trillions of bytes).

**-l**, **--label**=[]
   Adds metadata to a container (e.g., --label=com.example.key=value)

**--label-file**=[]
   Read labels from a file. Delimit each label with an EOL.

**--link**=[]
   Add a link to another container in the form of <name or id>:alias or just
<name or id>, in which case the alias will match the name.

**--link-local-ip**=[]
   Add one or more link-local IPv4/IPv6 addresses to the container's interface

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
   Logging driver for the container. Default is defined by the daemon `--log-driver` flag.
**Warning**: the `docker logs` command works only for the `json-file` and
`journald` logging drivers.

**--log-opt**=[]
   Logging driver specific options.

**-m**, **--memory**=""
   Memory limit (format: <number>[<unit>], where unit = b, k, m or g)

   Allows you to constrain the memory available to a container. If the host
supports swap memory, then the **-m** memory setting can be larger than physical
RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
not limited. The actual limit may be rounded up to a multiple of the operating
system's page size (the value can be very large, millions of trillions of bytes).

**--mac-address**=""
   Container MAC address (e.g. 92:d0:c6:0a:29:33)

**--memory-reservation**=""
   Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g)

   After setting memory reservation, when the system detects memory contention
or low memory, containers are forced to restrict their consumption to their
reservation. So you should always set the value below **--memory**, otherwise the
hard limit will take precedence. By default, memory reservation will be the same
as the memory limit.

**--memory-swap**="LIMIT"
   A limit value equal to memory plus swap. Must be used with the **-m**
(**--memory**) flag. The swap `LIMIT` should always be larger than the **-m**
(**--memory**) value.

   The format of `LIMIT` is `<number>[<unit>]`.
Unit can be `b` (bytes),
`k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a
unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.

**--memory-swappiness**=""
   Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.

**--name**=""
   Assign a name to the container

**--net**="*bridge*"
   Set the Network mode for the container
   'bridge': create a network stack on the default Docker bridge
   'none': no networking
   'container:<name|id>': reuse another container's network stack
   'host': use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
   '<network-name>|<network-id>': connect to a user-defined network

**--network-alias**=[]
   Add a network-scoped alias for the container

**--oom-kill-disable**=*true*|*false*
   Whether to disable the OOM Killer for the container or not.

**--oom-score-adj**=""
   Tune the host's OOM preferences for containers (accepts -1000 to 1000)

**-P**, **--publish-all**=*true*|*false*
   Publish all exposed ports to random ports on the host interfaces. The default is *false*.

**-p**, **--publish**=[]
   Publish a container's port, or a range of ports, to the host
   format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
   Both hostPort and containerPort can be specified as a range of ports.
   When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range.
   (e.g., `-p 1234-1236:1234-1236/tcp`)
   (use 'docker port' to see the actual mapping)

**--pid**=""
   Set the PID mode for the container
   Default is to create a private PID namespace for the container
   'container:<name|id>': join another container's PID namespace
   'host': use the host's PID namespace for the container. Note: the host mode gives the container full access to the local PID namespace and is therefore considered insecure.

**--userns**=""
   Set the user namespace mode for the container when the `userns-remap` option is enabled.
   **host**: use the host user namespace and enable all privileged options (e.g., `pid=host` or `--privileged`).

**--pids-limit**=""
   Tune the container's pids limit. Set `-1` to have unlimited pids for the container.

**--privileged**=*true*|*false*
   Give extended privileges to this container. The default is *false*.

**--read-only**=*true*|*false*
   Mount the container's root filesystem as read only.

**--restart**="*no*"
   Restart policy to apply when a container exits (no, on-failure[:max-retry], always, unless-stopped).

**--rm**=*true*|*false*
   Automatically remove the container when it exits. The default is *false*.

**--shm-size**=""
   Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
   Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes.
   If you omit the size entirely, the system uses `64m`.
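The `<number>[<unit>]` size syntax and the cross-flag rules stated under **--memory**, **--memory-reservation**, **--memory-swap**, **--memory-swappiness**, **--oom-score-adj**, **--blkio-weight** and **--shm-size** above, encoded as a pre-flight validator. This is an added example, not code from the Docker project; it assumes binary units (1k = 1024 bytes) and takes a mapping of option names (without dashes) to their string values.

```python
import re

# Units as docker-create(1) lists them: b, k, m, g; bytes when the unit is omitted.
# Binary multiples are an assumption of this example (1k = 1024 bytes).
UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(value):
    """Parse <number>[<unit>] and return bytes; raise ValueError on bad input."""
    m = re.fullmatch(r"(\d+)([bkmgBKMG])?", value.strip())
    if not m:
        raise ValueError(f"invalid size {value!r}: expected <number>[b|k|m|g]")
    return int(m.group(1)) * UNITS[(m.group(2) or "b").lower()]


def check_resource_flags(flags):
    """Validate one invocation's memory-related flags against the man page rules.

    flags maps option name to value, e.g. {"memory": "512m", "memory-swap": "1g"}.
    Returns a list of problems; an empty list means the combination is consistent.
    """
    problems = []
    mem = parse_size(flags["memory"]) if "memory" in flags else 0  # 0 = unlimited
    if "memory-swap" in flags:
        if not mem:
            problems.append("--memory-swap must be used with --memory")
        elif flags["memory-swap"] != "-1" and parse_size(flags["memory-swap"]) <= mem:
            # LIMIT is memory plus swap, so it must exceed the memory limit itself.
            problems.append("--memory-swap must be larger than --memory")
    if "memory-reservation" in flags and mem:
        if parse_size(flags["memory-reservation"]) >= mem:
            problems.append("--memory-reservation should be below --memory, "
                            "otherwise the hard limit takes precedence")
    if "shm-size" in flags and parse_size(flags["shm-size"]) == 0:
        problems.append("--shm-size must be greater than 0")
    if "memory-swappiness" in flags and not 0 <= int(flags["memory-swappiness"]) <= 100:
        problems.append("--memory-swappiness accepts an integer between 0 and 100")
    if "oom-score-adj" in flags and not -1000 <= int(flags["oom-score-adj"]) <= 1000:
        problems.append("--oom-score-adj accepts -1000 to 1000")
    if "blkio-weight" in flags and not 10 <= int(flags["blkio-weight"]) <= 1000:
        problems.append("--blkio-weight accepts a value between 10 and 1000")
    return problems
```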

**--security-opt**=[]
   Security Options

   "label:user:USER"      : Set the label user for the container
   "label:role:ROLE"      : Set the label role for the container
   "label:type:TYPE"      : Set the label type for the container
   "label:level:LEVEL"    : Set the label level for the container
   "label:disable"        : Turn off label confinement for the container
   "no-new-privileges"    : Disable container processes from gaining additional privileges
   "seccomp:unconfined"   : Turn off seccomp confinement for the container
   "seccomp:profile.json" : Whitelisted syscalls seccomp JSON file to be used as a seccomp filter

**--storage-opt**=[]
   Storage driver options per container

   $ docker create -it --storage-opt size=120G fedora /bin/bash

   This (size) allows setting the container rootfs size to 120G at creation time. The user cannot pass a size less than the default BaseFS size.
   This option is only available for the `devicemapper`, `btrfs`, and `zfs` graph drivers.

**--stop-signal**=*SIGTERM*
   Signal to stop a container. Default is SIGTERM.

**--sysctl**=SYSCTL
   Configure namespaced kernel parameters at runtime

   IPC Namespace - current sysctls allowed:

   kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
   Sysctls beginning with fs.mqueue.*

   Note: if you use --ipc=host, these sysctls are not allowed.

   Network Namespace - current sysctls allowed:
   Sysctls beginning with net.*

   Note: if you use --net=host, these sysctls are not allowed.

**-t**, **--tty**=*true*|*false*
   Allocate a pseudo-TTY. The default is *false*.
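A reviewer's pre-flight check over a `docker create` argument vector, built only from what this page states: the host-namespace modes it calls insecure (**--ipc**, **--pid**, **--net**, **--uts**, **--userns**), **--privileged**, the two **--security-opt** values that turn confinement off, and the **--sysctl** allow-list with its `--ipc=host` / `--net=host` exclusions. This is an added example, not Docker's own code; `parse_args`, `lint_create_args` and the boolean-flag set are assumptions of this example, and combined short flags such as `-it` are treated as boolean.

```python
# Settings docker-create(1) itself describes as insecure or privilege-expanding.
HOST_NAMESPACE_FLAGS = {
    "--ipc": "gives full access to the host's shared memory, semaphores and message queues",
    "--pid": "gives full access to the host's PID namespace",
    "--net": "gives full access to the host network stack and local services such as D-Bus",
    "--network": "gives full access to the host network stack and local services such as D-Bus",
    "--uts": "lets the container change the host's hostname",
    "--userns": "uses the host user namespace and enables all privileged options",
}
# Sysctls the page lists as allowed inside the IPC namespace (plus fs.mqueue.*).
IPC_SYSCTLS = {"kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
               "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced"}
# Boolean flags take no separate value token, so the next argv entry is not theirs.
BOOL_FLAGS = {"--privileged", "--read-only", "--rm", "--oom-kill-disable", "--help",
              "-i", "--interactive", "-t", "--tty", "-P", "--publish-all"}


def parse_args(argv):
    """Collect --flag=value / --flag value pairs into {flag: [values]}; IMAGE and COMMAND are ignored."""
    flags, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            is_bool = tok in BOOL_FLAGS or set(tok[1:]) <= set("itP")  # e.g. -it
            if "=" in tok:
                name, val = tok.split("=", 1)
            elif not is_bool and i + 1 < len(argv):
                name, val, i = tok, argv[i + 1], i + 1
            else:
                name, val = tok, "true"
            flags.setdefault(name, []).append(val)
        i += 1
    return flags


def lint_create_args(argv):
    """Return findings (strings) for one docker create argument vector."""
    flags = parse_args(argv)
    findings = []
    if flags.get("--privileged", ["false"])[-1] == "true":
        findings.append("--privileged gives extended privileges to the container")
    for flag, why in HOST_NAMESPACE_FLAGS.items():
        if "host" in flags.get(flag, []):
            findings.append(f"{flag}=host {why}")
    for opt in flags.get("--security-opt", []):
        if opt in ("seccomp:unconfined", "label:disable"):
            findings.append(f"--security-opt {opt} turns off a confinement layer")
    # Sysctl rules: only the listed IPC keys, fs.mqueue.* and net.* are namespaced,
    # and a namespaced set is unavailable once that namespace is the host's.
    ipc_host = "host" in flags.get("--ipc", [])
    net_host = "host" in flags.get("--net", []) + flags.get("--network", [])
    for entry in flags.get("--sysctl", []):
        key = entry.split("=", 1)[0]
        if key in IPC_SYSCTLS or key.startswith("fs.mqueue."):
            if ipc_host:
                findings.append(f"--sysctl {key} is not allowed with --ipc=host")
        elif key.startswith("net."):
            if net_host:
                findings.append(f"--sysctl {key} is not allowed with --net=host")
        else:
            findings.append(f"--sysctl {key} is not a namespaced sysctl docker allows")
    return findings
```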

**--tmpfs**=[]
   Create a tmpfs mount

   Mount a temporary filesystem (`tmpfs`) mount into a container, for example:

   $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image

   This command mounts a `tmpfs` at `/tmp` within the container. The supported mount
options are the same as the Linux default `mount` flags. If you do not specify
any options, the system uses the following options:
`rw,noexec,nosuid,nodev,size=65536k`.

**-u**, **--user**=""
   Sets the username or UID used and optionally the groupname or GID for the specified command.

   The following examples are all valid:
   --user [user | user:group | uid | uid:gid | user:gid | uid:group ]

   Without this argument the root user will be used in the container by default.

**--ulimit**=[]
   Ulimit options

**--uts**=*host*
   Set the UTS mode for the container
   **host**: use the host's UTS namespace inside the container.
   Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.

**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
   Create a bind mount. If you specify `-v /HOST-DIR:/CONTAINER-DIR`, Docker
bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker
container. If 'HOST-DIR' is omitted, Docker automatically creates the new
volume on the host. The `OPTIONS` are a comma delimited list and can be:

   * [rw|ro]
   * [z|Z]
   * [`[r]shared`|`[r]slave`|`[r]private`]

The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`
can be an absolute path or a `name` value. A `name` value must start with an
alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or
`-` (hyphen). An absolute path starts with a `/` (forward slash).

If you supply a `HOST-DIR` that is an absolute path, Docker bind-mounts to the
path you specify.
If you supply a `name`, Docker creates a named volume by that
`name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`
value. If you supply the `/foo` value, Docker creates a bind-mount. If you
supply the `foo` specification, Docker creates a named volume.

You can specify multiple **-v** options to mount one or more volumes into a
container. To use these same mounts in other containers, specify the
**--volumes-from** option also.

You can add the `:ro` or `:rw` suffix to a volume to mount it in read-only or
read-write mode, respectively. By default, the volumes are mounted read-write.
See examples.

Labeling systems like SELinux require that proper labels are placed on volume
content mounted into a container. Without a label, the security system might
prevent the processes running inside the container from using the content. By
default, Docker does not change the labels set by the OS.

To change a label in the container context, you can add either of two suffixes
`:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
objects on the shared volumes. The `z` option tells Docker that two containers
share the volume content. As a result, Docker labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Docker to label the content with a private unshared label.
Only the current container can use a private volume.

By default bind mounted volumes are `private`. That means any mounts done
inside the container will not be visible on the host and vice versa. One can change
this behavior by specifying a volume mount propagation property. If a
volume is made `shared`, mounts done under that volume inside the container will be
visible on the host and vice versa.
Making a volume `slave` enables only one-way
mount propagation: mounts done on the host under that volume
will be visible inside the container but not the other way around.

To control the mount propagation property of a volume one can use the `:[r]shared`,
`:[r]slave` or `:[r]private` propagation flag. The propagation property can
be specified only for bind mounted volumes and not for internal volumes or
named volumes. For mount propagation to work, the source mount point (the mount point
where the source dir is mounted on) has to have the right propagation properties. For
shared volumes, the source mount point has to be shared. And for slave volumes,
the source mount has to be either shared or slave.

Use `df <source-dir>` to figure out the source mount and then use
`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out the propagation
properties of the source mount. If the `findmnt` utility is not available, then one
can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look
at the `optional fields` and see if any propagation properties are specified.
`shared:X` means the mount is `shared`, `master:X` means the mount is `slave` and if
nothing is there that means the mount is `private`.

To change the propagation properties of a mount point use the `mount` command. For
example, if one wants to bind mount the source directory `/foo` one can do
`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
will convert `/foo` into a `shared` mount point. Alternatively one can directly
change the propagation properties of the source mount. Say `/` is the source mount for
`/foo`; then use `mount --make-shared /` to convert `/` into a `shared` mount.

> **Note**:
> When using systemd to manage the Docker daemon's start and stop, in the systemd
> unit file there is an option to control mount propagation for the Docker daemon
> itself, called `MountFlags`.
> The value of this setting may prevent Docker from
> seeing mount propagation changes made on the mount point. For example, if this value
> is `slave`, you may not be able to use the `shared` or `rshared` propagation on
> a volume.

To disable automatic copying of data from the container path to the volume, use
the `nocopy` flag. The `nocopy` flag can be set on bind mounts and named volumes.

**--volume-driver**=""
   Container's volume driver. This driver creates volumes specified either from
a Dockerfile's `VOLUME` instruction or from the `docker run -v` flag.
See **docker-volume-create(1)** for full details.

**--volumes-from**=[]
   Mount volumes from the specified container(s)

**-w**, **--workdir**=""
   Working directory inside the container

# EXAMPLES

## Specify isolation technology for container (--isolation)

This option is useful in situations where you are running Docker containers on
Windows. The `--isolation=<value>` option sets a container's isolation
technology. On Linux, the only supported value is `default`, which uses
Linux namespaces. On Microsoft Windows, you can specify these values:

* `default`: Use the value specified by the Docker daemon's `--exec-opt`. If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
* `process`: Namespace isolation only.
* `hyperv`: Hyper-V hypervisor partition-based isolation.

Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.

# HISTORY
August 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
September 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
November 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
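The **-v**/**--volume** grammar (`[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]`, bind mount versus named volume, the option set) and the propagation rules described under that option (propagation flags only on bind mounts; a `shared` volume needs a `shared` source mount, a `slave` volume needs a `shared` or `slave` source; `shared:X` / `master:X` in the `/proc/self/mountinfo` optional fields), worked as one checker. This is an added example, not Docker's own code; the mountinfo excerpt is constructed, not captured from a host, and `parse_volume`, `source_propagation` and `propagation_problem` are names chosen here.

```python
import re
from collections import namedtuple

# Constructed /proc/self/mountinfo excerpt (not from a real host). The optional
# fields ("shared:N", "master:N") sit between the mount options and the "-".
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
60 25 8:2 / /mnt/data rw,relatime master:3 - ext4 /dev/sda2 rw
61 25 0:40 / /srv/private rw,relatime - tmpfs tmpfs rw
"""

NAME_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_.-]*$")  # a `name` HOST-DIR value
PROPAGATION = {"shared", "rshared", "slave", "rslave", "private", "rprivate"}
OPTIONS = {"rw", "ro", "z", "Z", "nocopy"} | PROPAGATION
# host: None = anonymous volume, "/..." = bind mount, anything else = named volume
Volume = namedtuple("Volume", "host container options")


def parse_volume(spec):
    """Parse -v [[HOST-DIR:]CONTAINER-DIR[:OPTIONS]] as docker-create(1) defines it."""
    parts = spec.split(":")
    if len(parts) == 1:
        host, container, opts = None, parts[0], []
    elif len(parts) in (2, 3):
        host, container = parts[0], parts[1]
        opts = parts[2].split(",") if len(parts) == 3 else []
    else:
        raise ValueError(f"malformed volume spec {spec!r}")
    if not container.startswith("/"):
        raise ValueError("CONTAINER-DIR must be an absolute path")
    if host is not None and not host.startswith("/") and not NAME_RE.match(host):
        raise ValueError(f"invalid HOST-DIR or volume name {host!r}")
    options = frozenset(opts)
    if options - OPTIONS:
        raise ValueError(f"unknown options {sorted(options - OPTIONS)}")
    # Propagation flags apply to bind mounts only, never to named or anonymous volumes.
    if options & PROPAGATION and not (host or "").startswith("/"):
        raise ValueError("propagation flags require an absolute HOST-DIR")
    return Volume(host, container, options)


def source_propagation(path, mountinfo):
    """Propagation of the mount holding path, read from the mountinfo optional fields."""
    best = None  # longest mount point that is a prefix of path ("/" always matches)
    for line in mountinfo.splitlines():
        fields = line.split()
        mnt = fields[4]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[4]):
                best = fields
    kinds = [f.split(":")[0] for f in best[6:best.index("-")]]
    return "shared" if "shared" in kinds else "slave" if "master" in kinds else "private"


def propagation_problem(vol, mountinfo):
    """Explain why the requested propagation cannot work on this host, else None."""
    wanted = next((o.lstrip("r") for o in vol.options if o in PROPAGATION), None)
    if wanted in (None, "private"):
        return None
    src = source_propagation(vol.host, mountinfo)
    if wanted == "shared" and src != "shared":
        return f"{vol.host}: source mount is {src}, but shared needs a shared source"
    if wanted == "slave" and src not in ("shared", "slave"):
        return f"{vol.host}: source mount is {src}, but slave needs shared or slave"
    return None
```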