github.com/vincentwoo/docker@v0.7.3-0.20160116130405-82401a4b13c0/man/docker-create.1.md

     1  % DOCKER(1) Docker User Manuals
     2  % Docker Community
     3  % JUNE 2014
     4  # NAME
     5  docker-create - Create a new container
     6  
     7  # SYNOPSIS
     8  **docker create**
     9  [**-a**|**--attach**[=*[]*]]
    10  [**--add-host**[=*[]*]]
    11  [**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
    12  [**--blkio-weight-device**[=*[]*]]
    13  [**--cpu-shares**[=*0*]]
    14  [**--cap-add**[=*[]*]]
    15  [**--cap-drop**[=*[]*]]
    16  [**--cgroup-parent**[=*CGROUP-PATH*]]
    17  [**--cidfile**[=*CIDFILE*]]
    18  [**--cpu-period**[=*0*]]
    19  [**--cpu-quota**[=*0*]]
    20  [**--cpuset-cpus**[=*CPUSET-CPUS*]]
    21  [**--cpuset-mems**[=*CPUSET-MEMS*]]
    22  [**--device**[=*[]*]]
    23  [**--device-read-bps**[=*[]*]]
    24  [**--device-read-iops**[=*[]*]]
    25  [**--device-write-bps**[=*[]*]]
    26  [**--device-write-iops**[=*[]*]]
    27  [**--dns**[=*[]*]]
    28  [**--dns-search**[=*[]*]]
    29  [**--dns-opt**[=*[]*]]
    30  [**-e**|**--env**[=*[]*]]
    31  [**--entrypoint**[=*ENTRYPOINT*]]
    32  [**--env-file**[=*[]*]]
    33  [**--expose**[=*[]*]]
    34  [**--group-add**[=*[]*]]
    35  [**-h**|**--hostname**[=*HOSTNAME*]]
    36  [**--help**]
    37  [**-i**|**--interactive**]
    38  [**--ip**[=*IPv4-ADDRESS*]]
    39  [**--ip6**[=*IPv6-ADDRESS*]]
    40  [**--ipc**[=*IPC*]]
    41  [**--isolation**[=*default*]]
    42  [**--kernel-memory**[=*KERNEL-MEMORY*]]
    43  [**-l**|**--label**[=*[]*]]
    44  [**--label-file**[=*[]*]]
    45  [**--link**[=*[]*]]
    46  [**--log-driver**[=*[]*]]
    47  [**--log-opt**[=*[]*]]
    48  [**-m**|**--memory**[=*MEMORY*]]
    49  [**--mac-address**[=*MAC-ADDRESS*]]
    50  [**--memory-reservation**[=*MEMORY-RESERVATION*]]
    51  [**--memory-swap**[=*LIMIT*]]
    52  [**--memory-swappiness**[=*MEMORY-SWAPPINESS*]]
    53  [**--name**[=*NAME*]]
    54  [**--net**[=*"bridge"*]]
    55  [**--net-alias**[=*[]*]]
    56  [**--oom-kill-disable**]
    57  [**--oom-score-adj**[=*0*]]
    58  [**-P**|**--publish-all**]
    59  [**-p**|**--publish**[=*[]*]]
    60  [**--pid**[=*[]*]]
    61  [**--privileged**]
    62  [**--read-only**]
    63  [**--restart**[=*RESTART*]]
    64  [**--security-opt**[=*[]*]]
    65  [**--stop-signal**[=*SIGNAL*]]
    66  [**--shm-size**[=*[]*]]
    67  [**-t**|**--tty**]
    68  [**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
    69  [**-u**|**--user**[=*USER*]]
    70  [**--ulimit**[=*[]*]]
    71  [**--uts**[=*[]*]]
    72  [**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]
    73  [**--volume-driver**[=*DRIVER*]]
    74  [**--volumes-from**[=*[]*]]
    75  [**-w**|**--workdir**[=*WORKDIR*]]
    76  IMAGE [COMMAND] [ARG...]
    77  
    78  # DESCRIPTION
    79  
    80  Creates a writeable container layer over the specified image and prepares it for
    81  running the specified command. The container ID is then printed to STDOUT. This
    82  is similar to **docker run -d** except the container is never started. You can 
    83  then use the **docker start <container_id>** command to start the container at
    84  any point.
    85  
    86  The initial status of the container created with **docker create** is 'created'.
    87  
    88  # OPTIONS
    89  **-a**, **--attach**=[]
    90     Attach to STDIN, STDOUT or STDERR.
    91  
    92  **--add-host**=[]
    93     Add a custom host-to-IP mapping (host:ip)
    94  
    95  **--blkio-weight**=*0*
    96     Block IO weight (relative weight) accepts a weight value between 10 and 1000.
    97  
    98  **--blkio-weight-device**=[]
    99     Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`).
   100  
   101  **--cpu-shares**=*0*
   102     CPU shares (relative weight)
   103  
   104  **--cap-add**=[]
   105     Add Linux capabilities
   106  
   107  **--cap-drop**=[]
   108     Drop Linux capabilities
   109  
   110  **--cgroup-parent**=""
   111     Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.
   112  
   113  **--cidfile**=""
   114     Write the container ID to the file
   115  
   116  **--cpu-period**=*0*
   117      Limit the CPU CFS (Completely Fair Scheduler) period
   118  
   119  **--cpuset-cpus**=""
   120     CPUs in which to allow execution (0-3, 0,1)
   121  
   122  **--cpuset-mems**=""
   123     Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
   124  
   125     If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
   126  then processes in your Docker container will only use memory from the first
   127  two memory nodes.
   128  
   129  **--cpu-quota**=*0*
   130     Limit the CPU CFS (Completely Fair Scheduler) quota
   131  
   132  **--device**=[]
   133     Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
   134  
   135  **--device-read-bps**=[]
   136      Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb)
   137  
   138  **--device-read-iops**=[]
   139      Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000)
   140  
   141  **--device-write-bps**=[]
   142      Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb)
   143  
   144  **--device-write-iops**=[]
   145      Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000)
   146  
   147  **--dns**=[]
   148     Set custom DNS servers
   149  
   150  **--dns-opt**=[]
   151     Set custom DNS options
   152  
   153  **--dns-search**=[]
   154     Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)
   155  
   156  **-e**, **--env**=[]
   157     Set environment variables
   158  
   159  **--entrypoint**=""
   160     Overwrite the default ENTRYPOINT of the image
   161  
   162  **--env-file**=[]
   163     Read in a line-delimited file of environment variables
   164  
   165  **--expose**=[]
   166     Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host
   167  
   168  **--group-add**=[]
   169     Add additional groups to run as
   170  
   171  **-h**, **--hostname**=""
   172     Container host name
   173  
   174  **--help**
   175    Print usage statement
   176  
   177  **-i**, **--interactive**=*true*|*false*
   178     Keep STDIN open even if not attached. The default is *false*.
   179  
   180  **--ip**=""
   181     Sets the container's interface IPv4 address (e.g. 172.23.0.9)
   182  
   183     It can only be used in conjunction with **--net** for user-defined networks
   184  
   185  **--ip6**=""
   186     Sets the container's interface IPv6 address (e.g. 2001:db8::1b99)
   187  
   188     It can only be used in conjunction with **--net** for user-defined networks
   189  
   190  **--ipc**=""
   191     Default is to create a private IPC namespace (POSIX SysV IPC) for the container
   192                                 'container:<name|id>': reuses another container's shared memory, semaphores and message queues
   193                                 'host': use the host's shared memory, semaphores and message queues inside the container.  Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.
   194  
   195  **--isolation**="*default*"
   196     Isolation specifies the type of isolation technology used by containers. 
   197  
   198  **--kernel-memory**=""
   199     Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)
   200  
   201     Constrains the kernel memory available to a container. If a limit of 0
   202  is specified (not using `--kernel-memory`), the container's kernel memory
   203  is not limited. If you specify a limit, it may be rounded up to a multiple
   204  of the operating system's page size and the value can be very large,
   205  millions of trillions.
   206  
   207  **-l**, **--label**=[]
   208     Adds metadata to a container (e.g., --label=com.example.key=value)
   209  
   210  **--label-file**=[]
   211     Read labels from a file. Delimit each label with an EOL.
   212  
   213  **--link**=[]
   214     Add link to another container in the form of <name or id>:alias or just
   215     <name or id> in which case the alias will match the name.
   216  
   217  **--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*none*"
   218    Logging driver for container. Default is defined by daemon `--log-driver` flag.
   219    **Warning**: the `docker logs` command works only for the `json-file` and
   220    `journald` logging drivers.
   221  
   222  **--log-opt**=[]
   223    Logging driver specific options.
   224  
   225  **-m**, **--memory**=""
   226     Memory limit (format: <number>[<unit>], where unit = b, k, m or g)
   227  
   228     Allows you to constrain the memory available to a container. If the host
   229  supports swap memory, then the **-m** memory setting can be larger than physical
   230  RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
   231  not limited. The actual limit may be rounded up to a multiple of the operating
   232  system's page size (the value would be very large, that's millions of trillions).
   233  
   234  **--mac-address**=""
   235     Container MAC address (e.g. 92:d0:c6:0a:29:33)
   236  
   237  **--memory-reservation**=""
   238     Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g)
   239  
   240     After setting memory reservation, when the system detects memory contention
   241  or low memory, containers are forced to restrict their consumption to their
   242  reservation. So you should always set the value below **--memory**, otherwise the
   243  hard limit will take precedence. By default, memory reservation will be the same
   244  as memory limit.
   245  
   246  **--memory-swap**="LIMIT"
   247     A limit value equal to memory plus swap. Must be used with the  **-m**
   248  (**--memory**) flag. The swap `LIMIT` should always be larger than **-m**
   249  (**--memory**) value.
   250  
   251     The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
   252  `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a
   253  unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
   254  
   255  **--memory-swappiness**=""
   256     Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
   257  
   258  **--name**=""
   259     Assign a name to the container
   260  
   261  **--net**="*bridge*"
   262     Set the Network mode for the container
   263                                 'bridge': create a network stack on the default Docker bridge
   264                                 'none': no networking
   265                                 'container:<name|id>': reuse another container's network stack
   266                                 'host': use the Docker host network stack.  Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
   267                                 '<network-name>|<network-id>': connect to a user-defined network
   268  
   269  **--net-alias**=[]
   270     Add network-scoped alias for the container
   271  
   272  **--oom-kill-disable**=*true*|*false*
   273  	Whether to disable OOM Killer for the container or not.
   274  
   275  **--oom-score-adj**=""
   276      Tune the host's OOM preferences for containers (accepts -1000 to 1000)
   277  
   278  **-P**, **--publish-all**=*true*|*false*
   279     Publish all exposed ports to random ports on the host interfaces. The default is *false*.
   280  
   281  **-p**, **--publish**=[]
   282     Publish a container's port, or a range of ports, to the host
   283                                 format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
   284                                 Both hostPort and containerPort can be specified as a range of ports. 
   285                                 When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`)
   286                                 (use 'docker port' to see the actual mapping)
   287  
   288  **--pid**=*host*
   289     Set the PID mode for the container
   290       **host**: use the host's PID namespace inside the container.
   291       Note: the host mode gives the container full access to local PID and is therefore considered insecure.
   292  
   293  **--privileged**=*true*|*false*
   294     Give extended privileges to this container. The default is *false*.
   295  
   296  **--read-only**=*true*|*false*
   297     Mount the container's root filesystem as read only.
   298  
   299  **--restart**="*no*"
   300     Restart policy to apply when a container exits (no, on-failure[:max-retry], always, unless-stopped).
   301  
   302  **--shm-size**=""
   303     Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
   304     Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes.
   305     If you omit the size entirely, the system uses `64m`.
   306  
   307  **--security-opt**=[]
   308     Security Options
   309  
   310  **--stop-signal**=*SIGTERM*
   311    Signal to stop a container. Default is SIGTERM.
   312  
   313  **-t**, **--tty**=*true*|*false*
   314     Allocate a pseudo-TTY. The default is *false*.
   315  
   316  **--tmpfs**=[] Create a tmpfs mount
   317  
   318     Mount a temporary filesystem (`tmpfs`) into a container, for example:
   319  
   320     $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
   321  
   322     This command mounts a `tmpfs` at `/tmp` within the container. The mount copies
   323  the underlying content of `my_image` into `/tmp`. For example if there was a
   324  directory `/tmp/content` in the base image, docker will copy this directory and
   325  all of its content on top of the tmpfs mounted on `/tmp`.  The supported mount
   326  options are the same as the Linux default `mount` flags. If you do not specify
   327  any options, the system uses the following options:
   328  `rw,noexec,nosuid,nodev,size=65536k`.
   329  
   330  **-u**, **--user**=""
   331     Username or UID
   332  
   333  **--ulimit**=[]
   334     Ulimit options
   335  
   336  **--uts**=*host*
   337     Set the UTS mode for the container
   338       **host**: use the host's UTS namespace inside the container.
   339       Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
   340  
   341  **-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
   342     Create a bind mount. If you specify `-v /HOST-DIR:/CONTAINER-DIR`, Docker
   343     bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker
   344     container. If 'HOST-DIR' is omitted,  Docker automatically creates the new
   345     volume on the host.  The `OPTIONS` are a comma delimited list and can be:
   346  
   347     * [rw|ro]
   348     * [z|Z]
   349     * [`[r]shared`|`[r]slave`|`[r]private`]
   350  
   351  The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`
   352  can be an absolute path or a `name` value. A `name` value must start with an
   353  alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or
   354  `-` (hyphen). An absolute path starts with a `/` (forward slash).
   355  
   356  If you supply a `HOST-DIR` that is an absolute path,  Docker bind-mounts to the
   357  path you specify. If you supply a `name`, Docker creates a named volume by that
   358  `name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`
   359  value. If you supply the `/foo` value, Docker creates a bind-mount. If you
   360  supply the `foo` specification, Docker creates a named volume.
   361  
   362  You can specify multiple  **-v** options to mount one or more mounts to a
   363  container. To use these same mounts in other containers, specify the
   364  **--volumes-from** option also.
   365  
   366  You can add a `:ro` or `:rw` suffix to a volume to mount it in read-only or
   367  read-write mode, respectively. By default, the volumes are mounted read-write.
   368  See examples.
   369  
   370  Labeling systems like SELinux require that proper labels are placed on volume
   371  content mounted into a container. Without a label, the security system might
   372  prevent the processes running inside the container from using the content. By
   373  default, Docker does not change the labels set by the OS.
   374  
   375  To change a label in the container context, you can add either of two suffixes
   376  `:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
   377  objects on the shared volumes. The `z` option tells Docker that two containers
   378  share the volume content. As a result, Docker labels the content with a shared
   379  content label. Shared volume labels allow all containers to read/write content.
   380  The `Z` option tells Docker to label the content with a private unshared label.
   381  Only the current container can use a private volume.
   382  
   383  By default bind mounted volumes are `private`. That means any mounts done
   384  inside the container will not be visible on the host and vice versa. One can change
   385  this behavior by specifying a volume mount propagation property. When a
   386  volume is made `shared`, mounts done under that volume inside the container will be
   387  visible on the host and vice versa. Making a volume `slave` enables only one-way
   388  mount propagation: mounts done on the host under that volume
   389  will be visible inside the container but not the other way around.
   390  
   391  To control the mount propagation property of a volume, use the `:[r]shared`,
   392  `:[r]slave` or `:[r]private` propagation flag. The propagation property can
   393  be specified only for bind mounted volumes and not for internal volumes or
   394  named volumes. For mount propagation to work, the source mount point (the mount point
   395  where the source dir is mounted on) has to have the right propagation properties. For
   396  shared volumes, the source mount point has to be shared. For slave volumes, the
   397  source mount has to be either shared or slave.
   398  
   399  Use `df <source-dir>` to figure out the source mount and then use
   400  `findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out the propagation
   401  properties of the source mount. If the `findmnt` utility is not available, then one
   402  can look at the mount entry for the source mount point in `/proc/self/mountinfo`. Look
   403  at the `optional fields` and see if any propagation properties are specified.
   404  `shared:X` means the mount is `shared`, `master:X` means the mount is `slave`, and if
   405  nothing is there the mount is `private`.
   406  
   407  To change the propagation properties of a mount point, use the `mount` command. For
   408  example, if one wants to bind mount source directory `/foo`, one can do
   409  `mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
   410  will convert `/foo` into a `shared` mount point. Alternatively, one can directly
   411  change the propagation properties of the source mount. Say `/` is the source mount for
   412  `/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
   413  
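The `/proc/self/mountinfo` check described above, as an added example (not part of the Docker man page): it finds the source mount for a directory, reads the optional fields, and applies the shared/slave rule for the `-v` propagation flags. The function names and the sample mount table are constructed for illustration; the script also reports the kernel's `unbindable` marker and a mount that is both shared and slave, which the text above does not list.

```bash
#!/usr/bin/env bash
# Added example (not part of the Docker man page).

# Constructed /proc/self/mountinfo sample; IDs and devices are made up.
write_sample_mountinfo() {
    cat > "$1" <<'EOF'
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
34 21 8:17 / /srv/data rw,relatime - ext4 /dev/sdb1 rw
35 21 8:18 / /srv/replica rw,relatime master:1 - ext4 /dev/sdc1 rw
EOF
}

# mount_propagation MOUNTINFO DIR
# Prints "<source-mount> <propagation>" for the mount that contains DIR.
# Field 5 is the mount point; optional fields start at field 7 and end at "-".
mount_propagation() {
    awk -v dir="$2" '
    {
        mp = $5
        # Skip mounts that are not a path prefix of dir ("/srv/data" must not
        # match "/srv/database").
        if (mp != "/" && dir != mp && index(dir, mp "/") != 1) next
        if (length(mp) < best_len) next      # keep the longest (innermost) match
        best_len = length(mp); best_mp = mp
        shared = 0; slave = 0; unbindable = 0
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/) shared = 1
            if ($i ~ /^master:/) slave = 1
            if ($i == "unbindable") unbindable = 1
        }
        if (unbindable)   prop = "unbindable"
        else if (shared)  prop = slave ? "shared,slave" : "shared"
        else if (slave)   prop = "slave"
        else              prop = "private"
    }
    END { if (best_mp == "") exit 1; print best_mp, prop }
    ' "$1"
}

# propagation_allows MOUNTINFO DIR MODE
# MODE is a -v propagation flag: [r]shared, [r]slave or [r]private.
# Returns 0 if the source mount satisfies the rule, 1 if not, 2 on error.
propagation_allows() {
    local mode=${3#r} result prop
    result=$(mount_propagation "$1" "$2") || return 2
    prop=${result##* }
    case "$mode" in
        shared)  case "$prop" in shared*) return 0 ;; esac ;;
        slave)   case "$prop" in shared*|slave) return 0 ;; esac ;;
        private) return 0 ;;
        *)       return 2 ;;
    esac
    return 1
}

# Demo on the constructed sample; use /proc/self/mountinfo on a real host.
sample=$(mktemp)
write_sample_mountinfo "$sample"
for dir in /home/user /srv/data/app /srv/replica; do
    printf '%-14s -> %s\n' "$dir" "$(mount_propagation "$sample" "$dir")"
done
rm -f "$sample"
```

Mount points containing spaces appear octal-escaped in `mountinfo`, so a directory argument with spaces will not match without the same escaping.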
   414  **--volume-driver**=""
   415     Container's volume driver. This driver creates volumes specified either from
   416     a Dockerfile's `VOLUME` instruction or from the `docker run -v` flag.
   417     See **docker-volume-create(1)** for full details.
   418  
   419  **--volumes-from**=[]
   420     Mount volumes from the specified container(s)
   421  
   422  **-w**, **--workdir**=""
   423     Working directory inside the container
   424  
   425  # EXAMPLES
   426  
   427  ## Specify isolation technology for container (--isolation)
   428  
   429  This option is useful in situations where you are running Docker containers on
   430  Windows. The `--isolation=<value>` option sets a container's isolation
   431  technology. On Linux, the only supported value is `default`, which uses
   432  Linux namespaces. On Microsoft Windows, you can specify these values:
   433  
   434  * `default`: Use the value specified by the Docker daemon's `--exec-opt`. If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
   435  * `process`: Namespace isolation only.
   436  * `hyperv`: Hyper-V hypervisor partition-based isolation.
   437  
   438  Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
   439  
   440  # HISTORY
   441  August 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
   442  September 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
   443  November 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>