mirror of https://github.com/docker/cli.git
commit
0ff5f52051
|
@ -83,7 +83,7 @@ docker-run - Run a command in a new container
|
||||||
[**--sig-proxy**[=*true*]]
|
[**--sig-proxy**[=*true*]]
|
||||||
[**--sysctl**[=*[]*]]
|
[**--sysctl**[=*[]*]]
|
||||||
[**-t**|**--tty**]
|
[**-t**|**--tty**]
|
||||||
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
|
[**--tmpfs**[=*[CONTAINER-DIR[:OPTIONS]*]]
|
||||||
[**-u**|**--user**[=*USER*]]
|
[**-u**|**--user**[=*USER*]]
|
||||||
[**--ulimit**[=*[]*]]
|
[**--ulimit**[=*[]*]]
|
||||||
[**--uts**[=*[]*]]
|
[**--uts**[=*[]*]]
|
||||||
|
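Review bot: the **--tmpfs** synopsis line still has unbalanced brackets after the angle brackets are dropped: `[**--tmpfs**[=*[CONTAINER-DIR[:OPTIONS]*]]` opens four `[` and closes three. Since the line is being touched anyway, drop the stray inner bracket, for example `[**--tmpfs**[=*CONTAINER-DIR[:OPTIONS]*]]`.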
@ -240,21 +240,24 @@ running) using a configurable key sequence. The default sequence is `CTRL-p CTRL
|
||||||
You configure the key sequence using the **--detach-keys** option or a configuration file.
|
You configure the key sequence using the **--detach-keys** option or a configuration file.
|
||||||
See **config-json(5)** for documentation on using a configuration file.
|
See **config-json(5)** for documentation on using a configuration file.
|
||||||
|
|
||||||
**--detach-keys**=""
|
**--detach-keys**=*key*
|
||||||
Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
|
Override the key sequence for detaching a container; *key* is a single character from the [a-Z] range, or **ctrl**-*value*, where *value* is one of: **a-z**, **@**, **^**, **[**, **,**, or **_**.
|
||||||
|
|
||||||
**--device**=[]
|
**--device**=*onhost*:*incontainer*[:*mode*]
|
||||||
Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
|
Add a host device *onhost* to the container under the *incontainer* name.
|
||||||
|
Optional *mode* parameter can be used to specify device permissions, it is
|
||||||
|
a combination of **r** (for read), **w** (for write), and **m** (for **mknod**(2)).
|
||||||
|
|
||||||
**--device-cgroup-rule**=[]
|
For example, **--device=/dev/sdc:/dev/xvdc:rwm** will give a container all
|
||||||
Add a rule to the cgroup allowed devices list.
|
permissions for the host device **/dev/sdc**, seen as **/dev/xvdc** inside the container.
|
||||||
|
|
||||||
The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt):
|
**--device-cgroup-rule**="*type* *major*:*minor* *mode*"
|
||||||
- type: `a` (all), `c` (char) or `b` (block)
|
Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt):
|
||||||
- major and minor: either a number or `*` for all
|
- *type*: **a** (all), **c** (char), or **b** (block);
|
||||||
- permission: a composition of `r` (read), `w` (write) and `m` (mknod)
|
- *major* and *minor*: either a number, or __*__ for all;
|
||||||
|
- *mode*: a composition of **r** (read), **w** (write), and **m** (**mknod**(2)).
|
||||||
|
|
||||||
Example: `c 1:3 mr`: allow for character device with major `1` and minor `3` to be created (`m`) and read (`r`)
|
Example: **--device-cgroup-rule "c 1:3 mr"**: allow for a character device idendified by **1:3** to be created and read.
|
||||||
|
|
||||||
**--device-read-bps**=[]
|
**--device-read-bps**=[]
|
||||||
Limit read rate from a device (e.g. --device-read-bps=/dev/sda:1mb)
|
Limit read rate from a device (e.g. --device-read-bps=/dev/sda:1mb)
|
||||||
|
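Review bot: typo in the new **--device-cgroup-rule** example line: "idendified" should be "identified". In the same hunk, the rewritten **--detach-keys** text keeps the `[a-Z]` range, which is not a well-formed character range (spell it as a-z, A-Z), and the new **--device** sentence "...device permissions, it is a combination..." is a comma splice that reads better with a semicolon or as two sentences.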
@ -329,7 +332,7 @@ redirection on the host system.
|
||||||
**-i**, **--interactive**=*true*|*false*
|
**-i**, **--interactive**=*true*|*false*
|
||||||
Keep STDIN open even if not attached. The default is *false*.
|
Keep STDIN open even if not attached. The default is *false*.
|
||||||
|
|
||||||
When set to true, keep stdin open even if not attached. The default is false.
|
When set to true, keep stdin open even if not attached.
|
||||||
|
|
||||||
**--ip**=""
|
**--ip**=""
|
||||||
Sets the container's interface IPv4 address (e.g., 172.23.0.9)
|
Sets the container's interface IPv4 address (e.g., 172.23.0.9)
|
||||||
|
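Review bot: after removing "The default is false." from the second **--interactive** paragraph, what remains ("When set to true, keep stdin open even if not attached.") only repeats the line directly above it. Delete the paragraph entirely rather than trimming it.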
@ -361,14 +364,14 @@ or **shareable**, depending on the daemon version and configuration.
|
||||||
that the default on Windows server is `process`, and the default on Windows client
|
that the default on Windows server is `process`, and the default on Windows client
|
||||||
is `hyperv`. Linux only supports `default`.
|
is `hyperv`. Linux only supports `default`.
|
||||||
|
|
||||||
**-l**, **--label**=[]
|
**-l**, **--label** *key*=*value*
|
||||||
Set metadata on the container (e.g., --label com.example.key=value)
|
Set metadata on the container (for example, **--label com.example.key=value**).
|
||||||
|
|
||||||
**--kernel-memory**=""
|
**--kernel-memory**=*number*[*S*]
|
||||||
Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)
|
Kernel memory limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
|
||||||
|
|
||||||
Constrains the kernel memory available to a container. If a limit of 0
|
Constrains the kernel memory available to a container. If a limit of 0
|
||||||
is specified (not using `--kernel-memory`), the container's kernel memory
|
is specified (not using **--kernel-memory**), the container's kernel memory
|
||||||
is not limited. If you specify a limit, it may be rounded up to a multiple
|
is not limited. If you specify a limit, it may be rounded up to a multiple
|
||||||
of the operating system's page size and the value can be very large,
|
of the operating system's page size and the value can be very large,
|
||||||
millions of trillions.
|
millions of trillions.
|
||||||
|
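Review bot: the new **--label** synopsis, `**--label** *key*=*value*`, drops the `[]` that marked the option as a list and switches to a space separator, while **--kernel-memory** a few lines below keeps `=`. Pick one separator style for value-taking options across the page, and keep some indication that **--label** is a list option.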
@ -376,9 +379,8 @@ millions of trillions.
|
||||||
**--label-file**=[]
|
**--label-file**=[]
|
||||||
Read in a line delimited file of labels
|
Read in a line delimited file of labels
|
||||||
|
|
||||||
**--link**=[]
|
**--link**=*name-or-id*[:*alias*]
|
||||||
Add link to another container in the form of <name or id>:alias or just <name or id>
|
Add link to another container.
|
||||||
in which case the alias will match the name
|
|
||||||
|
|
||||||
If the operator
|
If the operator
|
||||||
uses **--link** when starting the new client container, then the client
|
uses **--link** when starting the new client container, then the client
|
||||||
|
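Review bot: the shortened **--link** description loses information: the removed lines said that when only the name or id is given, the alias matches the name. The new synopsis shows `[:*alias*]` as optional but nothing says what the alias defaults to. Add a sentence such as "If *alias* is omitted, it matches the container name."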
@ -390,15 +392,15 @@ which interface and port to use.
|
||||||
Add one or more link-local IPv4/IPv6 addresses to the container's interface
|
Add one or more link-local IPv4/IPv6 addresses to the container's interface
|
||||||
|
|
||||||
**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
|
**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
|
||||||
Logging driver for the container. Default is defined by daemon `--log-driver` flag.
|
Logging driver for the container. Default is defined by daemon **--log-driver** flag.
|
||||||
**Warning**: the `docker logs` command works only for the `json-file` and
|
**Warning**: the `docker logs` command works only for the `json-file` and
|
||||||
`journald` logging drivers.
|
`journald` logging drivers.
|
||||||
|
|
||||||
**--log-opt**=[]
|
**--log-opt**=[]
|
||||||
Logging driver specific options.
|
Logging driver specific options.
|
||||||
|
|
||||||
**-m**, **--memory**=""
|
**-m**, **--memory**=*number*[*S]
|
||||||
Memory limit (format: <number>[<unit>], where unit = b, k, m or g)
|
Memory limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
|
||||||
|
|
||||||
Allows you to constrain the memory available to a container. If the host
|
Allows you to constrain the memory available to a container. If the host
|
||||||
supports swap memory, then the **-m** memory setting can be larger than physical
|
supports swap memory, then the **-m** memory setting can be larger than physical
|
||||||
|
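Review bot: the emphasis markup on the new **--memory** synopsis is unbalanced: `=*number*[*S]` is missing the closing `*` after S, so the suffix will not render in italics and the bracket may be swallowed. It should match the **--kernel-memory** line: `=*number*[*S*]`.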
@ -406,8 +408,8 @@ RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
|
||||||
not limited. The actual limit may be rounded up to a multiple of the operating
|
not limited. The actual limit may be rounded up to a multiple of the operating
|
||||||
system's page size (the value would be very large, that's millions of trillions).
|
system's page size (the value would be very large, that's millions of trillions).
|
||||||
|
|
||||||
**--memory-reservation**=""
|
**--memory-reservation**=*number*[*S]
|
||||||
Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g)
|
Memory soft limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
|
||||||
|
|
||||||
After setting memory reservation, when the system detects memory contention
|
After setting memory reservation, when the system detects memory contention
|
||||||
or low memory, containers are forced to restrict their consumption to their
|
or low memory, containers are forced to restrict their consumption to their
|
||||||
|
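Review bot: same unbalanced emphasis on the new **--memory-reservation** synopsis: `=*number*[*S]` should be `=*number*[*S*]`, as written for **--kernel-memory** and **--memory-swap**.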
@ -415,24 +417,19 @@ reservation. So you should always set the value below **--memory**, otherwise th
|
||||||
hard limit will take precedence. By default, memory reservation will be the same
|
hard limit will take precedence. By default, memory reservation will be the same
|
||||||
as memory limit.
|
as memory limit.
|
||||||
|
|
||||||
**--memory-swap**="LIMIT"
|
**--memory-swap**=*number*[*S*]
|
||||||
A limit value equal to memory plus swap. Must be used with the **-m**
|
Combined memory plus swap limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
|
||||||
(**--memory**) flag. The swap `LIMIT` should always be larger than **-m**
|
|
||||||
(**--memory**) value. By default, the swap `LIMIT` will be set to double
|
|
||||||
the value of --memory.
|
|
||||||
|
|
||||||
The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
|
This option can only be used together with **--memory**. The argument should always be larger than that of **--memory**. Default is double the value of **--memory**. Set to **-1** to enable unlimited swap.
|
||||||
`k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a
|
|
||||||
unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
|
|
||||||
|
|
||||||
**--mac-address**=""
|
**--mac-address**=""
|
||||||
Container MAC address (e.g., 92:d0:c6:0a:29:33)
|
Container MAC address (e.g., **92:d0:c6:0a:29:33**)
|
||||||
|
|
||||||
Remember that the MAC address in an Ethernet network must be unique.
|
Remember that the MAC address in an Ethernet network must be unique.
|
||||||
The IPv6 link-local address will be based on the device's MAC address
|
The IPv6 link-local address will be based on the device's MAC address
|
||||||
according to RFC4862.
|
according to RFC4862.
|
||||||
|
|
||||||
**--mount**=[*[type=TYPE[,TYPE-SPECIFIC-OPTIONS]]*]
|
**--mount** **type=**_TYPE_,*TYPE-SPECIFIC-OPTION*[,...]
|
||||||
Attach a filesystem mount to the container
|
Attach a filesystem mount to the container
|
||||||
|
|
||||||
Current supported mount `TYPES` are `bind`, `volume`, and `tmpfs`.
|
Current supported mount `TYPES` are `bind`, `volume`, and `tmpfs`.
|
||||||
|
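Review bot: the rewritten **--memory-swap** text drops "If you don't specify a unit, `b` is used" and the expansion of the suffixes (bytes, kilobytes, megabytes, gigabytes); neither appears in the replacement lines. Since *S* is described as optional, say what happens when it is omitted. Separately, the new **--mount** synopsis mixes `_TYPE_` and `*TYPE-SPECIFIC-OPTION*` emphasis styles on one line; use one.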
@ -485,7 +482,7 @@ string name. The name is useful when defining links (see **--link**) (or any
|
||||||
other place you need to identify a container). This works for both background
|
other place you need to identify a container). This works for both background
|
||||||
and foreground Docker containers.
|
and foreground Docker containers.
|
||||||
|
|
||||||
**--network**="*bridge*"
|
**--network**=*type*
|
||||||
Set the Network mode for the container. Supported values are:
|
Set the Network mode for the container. Supported values are:
|
||||||
|
|
||||||
| Value | Description |
|
| Value | Description |
|
||||||
|
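Review bot: replacing `="*bridge*"` with `=*type*` on the **--network** line removes the only place in this hunk where the default value is visible. If the table that follows does not already mark **bridge** as the default, add an explicit "Default is **bridge**." sentence after it.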
@ -516,18 +513,17 @@ exposed port accessible on the host and the ports will be available to any
|
||||||
client that can reach the host. When using -P, Docker will bind any exposed
|
client that can reach the host. When using -P, Docker will bind any exposed
|
||||||
port to a random port on the host within an *ephemeral port range* defined by
|
port to a random port on the host within an *ephemeral port range* defined by
|
||||||
`/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host
|
`/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host
|
||||||
ports and the exposed ports, use `docker port`.
|
ports and the exposed ports, use `docker port`(1).
|
||||||
|
|
||||||
**-p**, **--publish**=[]
|
**-p**, **--publish** *ip*:[*hostPort*]:*containerPort* | [*hostPort*:]*containerPort*
|
||||||
Publish a container's port, or range of ports, to the host.
|
Publish a container's port, or range of ports, to the host.
|
||||||
|
|
||||||
Format: `ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort`
|
Both *hostPort* and *containerPort* can be specified as a range.
|
||||||
Both hostPort and containerPort can be specified as a range of ports.
|
When specifying ranges for both, the number of ports in ranges should be equal.
|
||||||
When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range.
|
|
||||||
(e.g., `docker run -p 1234-1236:1222-1224 --name thisWorks -t busybox`
|
Examples: **-p 1234-1236:1222-1224**, **-p 127.0.0.1:$HOSTPORT:$CONTAINERPORT**.
|
||||||
but not `docker run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanRangeHostPorts -t busybox`)
|
|
||||||
With ip: `docker run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage`
|
Use `docker port`(1) to see the actual mapping, e.g. `docker port CONTAINER $CONTAINERPORT`.
|
||||||
Use `docker port` to see the actual mapping: `docker port CONTAINER $CONTAINERPORT`
|
|
||||||
|
|
||||||
**--pid**=""
|
**--pid**=""
|
||||||
Set the PID mode for the container
|
Set the PID mode for the container
|
||||||
|
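Review bot: in the new **--publish** text, "the number of ports in ranges should be equal" weakens the removed wording "must match", and the removed counter-example (`-p 1230-1236:1230-1240`) was the only illustration of a mapping that is rejected. Keep "must", and consider keeping one failing example. Also, `docker port`(1) mixes code formatting with a man-page reference; **docker-port(1)** would match the **config-json(5)** style used earlier on the page.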
@ -540,34 +536,29 @@ Use `docker port` to see the actual mapping: `docker port CONTAINER $CONTAINERPO
|
||||||
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
|
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
|
||||||
|
|
||||||
**--pids-limit**=""
|
**--pids-limit**=""
|
||||||
Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
|
Tune the container's pids (process IDs) limit. Set to `-1` to have unlimited pids for the container.
|
||||||
|
|
||||||
**--uts**=*host*
|
**--uts**=*type*
|
||||||
Set the UTS mode for the container
|
Set the UTS mode for the container. The only possible *type* is **host**, meaning to
|
||||||
**host**: use the host's UTS namespace inside the container.
|
use the host's UTS namespace inside the container.
|
||||||
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
|
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
|
||||||
|
|
||||||
**--privileged**=*true*|*false*
|
**--privileged** [**true**|**false**]
|
||||||
Give extended privileges to this container. The default is *false*.
|
Give extended privileges to this container. A "privileged" container is given access to all devices.
|
||||||
|
|
||||||
By default, Docker containers are
|
|
||||||
“unprivileged” (=false) and cannot, for example, run a Docker daemon inside the
|
|
||||||
Docker container. This is because by default a container is not allowed to
|
|
||||||
access any devices. A “privileged” container is given access to all devices.
|
|
||||||
|
|
||||||
When the operator executes **docker run --privileged**, Docker will enable access
|
When the operator executes **docker run --privileged**, Docker will enable access
|
||||||
to all devices on the host as well as set some configuration in AppArmor to
|
to all devices on the host as well as set some configuration in AppArmor to
|
||||||
allow the container nearly all the same access to the host as processes running
|
allow the container nearly all the same access to the host as processes running
|
||||||
outside of a container on the host.
|
outside of a container on the host.
|
||||||
|
|
||||||
**--read-only**=*true*|*false*
|
**--read-only**=**true**|**false**
|
||||||
Mount the container's root filesystem as read only.
|
Mount the container's root filesystem as read only.
|
||||||
|
|
||||||
By default a container will have its root filesystem writable allowing processes
|
By default a container will have its root filesystem writable allowing processes
|
||||||
to write files anywhere. By specifying the `--read-only` flag the container will have
|
to write files anywhere. By specifying the `--read-only` flag the container will have
|
||||||
its root filesystem mounted as read only prohibiting any writes.
|
its root filesystem mounted as read only prohibiting any writes.
|
||||||
|
|
||||||
**--restart**=""
|
**--restart** *policy*
|
||||||
Restart policy to apply when a container exits. Supported values are:
|
Restart policy to apply when a container exits. Supported values are:
|
||||||
|
|
||||||
| Policy | Result |
|
| Policy | Result |
|
||||||
|
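Review bot: the rewritten **--privileged** description drops "The default is *false*" along with the paragraph explaining that containers are unprivileged by default and are not allowed to access any devices. For an option that grants access to all host devices, the default should stay explicit; keep at least "The default is **false**." Also, this hunk writes **--privileged** [**true**|**false**] with a space but **--read-only**=**true**|**false** with `=`; a boolean flag takes an explicit value only in the `=` form, so keep `=` for both.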
@ -579,13 +570,13 @@ its root filesystem mounted as read only prohibiting any writes.
|
||||||
|
|
||||||
Default is **no**.
|
Default is **no**.
|
||||||
|
|
||||||
**--rm**=*true*|*false*
|
**--rm** **true**|**false**
|
||||||
Automatically remove the container when it exits. The default is *false*.
|
Automatically remove the container when it exits. The default is **false**.
|
||||||
`--rm` flag can work together with `-d`, and auto-removal will be done on daemon side. Note that it's
|
`--rm` flag can work together with `-d`, and auto-removal will be done on daemon side. Note that it's
|
||||||
incompatible with any restart policy other than `none`.
|
incompatible with any restart policy other than `none`.
|
||||||
|
|
||||||
**--security-opt**=[]
|
**--security-opt** *value*[,...]
|
||||||
Security Options
|
Security Options for the container. The following options can be given:
|
||||||
|
|
||||||
"label=user:USER" : Set the label user for the container
|
"label=user:USER" : Set the label user for the container
|
||||||
"label=role:ROLE" : Set the label role for the container
|
"label=role:ROLE" : Set the label role for the container
|
||||||
|
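Review bot: the new **--rm** **true**|**false** synopsis separates the value with a space; the old line used `=`, and for a boolean flag the space form makes the value read as the next argument. Keep `--rm=true|false`. On the **--security-opt** line, `*value*[,...]` suggests a comma-separated list inside one argument, where the old `=[]` denoted a list option; confirm which form the CLI accepts before changing the notation.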
@ -600,7 +591,7 @@ incompatible with any restart policy other than `none`.
|
||||||
"apparmor=unconfined" : Turn off apparmor confinement for the container
|
"apparmor=unconfined" : Turn off apparmor confinement for the container
|
||||||
"apparmor=your-profile" : Set the apparmor confinement profile for the container
|
"apparmor=your-profile" : Set the apparmor confinement profile for the container
|
||||||
|
|
||||||
**--storage-opt**=[]
|
**--storage-opt**
|
||||||
Storage driver options per container
|
Storage driver options per container
|
||||||
|
|
||||||
$ docker run -it --storage-opt size=120G fedora /bin/bash
|
$ docker run -it --storage-opt size=120G fedora /bin/bash
|
||||||
|
|
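Review bot: the new **--storage-opt** heading has no argument placeholder at all, although the example below it passes `size=120G`. Removing `=[]` without a replacement makes the option look like a bare switch; use something like **--storage-opt** *name*=*value*, in line with the other synopsis lines rewritten in this patch.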