51 KiB
% "DOCKER" "1" "JUNE 2014" "Docker Community" "Docker User Manuals"
NAME
docker-run - Create and run a new container from an image
SYNOPSIS
docker run [-a|--attach[=[]]] [--add-host[=[]]] [--annotation[=[]]] [--blkio-weight[=[BLKIO-WEIGHT]]] [--blkio-weight-device[=[]]] [-c|--cpu-shares[=0]] [--cap-add[=[]]] [--cap-drop[=[]]] [--cgroupns[=[]]] [--cgroup-parent[=CGROUP-PATH]] [--cidfile[=CIDFILE]] [--cpu-count[=0]] [--cpu-percent[=0]] [--cpu-period[=0]] [--cpu-quota[=0]] [--cpu-rt-period[=0]] [--cpu-rt-runtime[=0]] [--cpus[=0.0]] [--cpuset-cpus[=CPUSET-CPUS]] [--cpuset-mems[=CPUSET-MEMS]] [-d|--detach] [--detach-keys[=[]]] [--device[=[]]] [--device-cgroup-rule[=[]]] [--device-read-bps[=[]]] [--device-read-iops[=[]]] [--device-write-bps[=[]]] [--device-write-iops[=[]]] [--dns[=[]]] [--dns-option[=[]]] [--dns-search[=[]]] [--domainname[=DOMAINNAME]] [-e|--env[=[]]] [--entrypoint[=ENTRYPOINT]] [--env-file[=[]]] [--expose[=[]]] [--group-add[=[]]] [-h|--hostname[=HOSTNAME]] [--help] [--init] [-i|--interactive] [--ip[=IPv4-ADDRESS]] [--ip6[=IPv6-ADDRESS]] [--ipc[=IPC]] [--isolation[=default]] [--kernel-memory[=KERNEL-MEMORY]] [-l|--label[=[]]] [--label-file[=[]]] [--link[=[]]] [--link-local-ip[=[]]] [--log-driver[=[]]] [--log-opt[=[]]] [-m|--memory[=MEMORY]] [--mac-address[=MAC-ADDRESS]] [--memory-reservation[=MEMORY-RESERVATION]] [--memory-swap[=LIMIT]] [--memory-swappiness[=MEMORY-SWAPPINESS]] [--mount[=[MOUNT]]] [--name[=NAME]] [--network-alias[=[]]] [--network[="bridge"]] [--oom-kill-disable] [--oom-score-adj[=0]] [-P|--publish-all] [-p|--publish[=[]]] [--pid[=[PID]]] [--userns[=[]]] [--pids-limit[=PIDS_LIMIT]] [--privileged] [--read-only] [--restart[=RESTART]] [--rm] [--security-opt[=[]]] [--storage-opt[=[]]] [--stop-signal[=SIGNAL]] [--stop-timeout[=TIMEOUT]] [--shm-size[=[]]] [--sig-proxy[=true]] [--sysctl[=[]]] [-t|--tty] [--tmpfs[=[CONTAINER-DIR[:OPTIONS]]] [-u|--user[=USER]] [--ulimit[=[]]] [--uts[=[]]] [-v|--volume[=HOST-DIR:]CONTAINER-DIR[:OPTIONS]] [--volume-driver[=DRIVER]] [--volumes-from[=[]]] [-w|--workdir[=WORKDIR]] IMAGE [COMMAND] [ARG...]
DESCRIPTION
Run a process in a new container. docker run starts a process with its own filesystem, its own networking, and its own isolated process tree. The IMAGE which starts the process may define defaults related to the process that will be run in the container, the networking to expose, and more, but docker run gives final control to the operator or administrator who starts the container from the image. For that reason docker run has more options than any other Docker command.
If the IMAGE is not already loaded then docker run will pull the IMAGE, and all image dependencies, from the repository in the same way running docker pull IMAGE, before it starts the container from that image.
OPTIONS
-a, --attach [] Attach to STDIN, STDOUT or STDERR.
In foreground mode (the default when -d is not specified), docker run can start the process in the container and attach the console to the process's standard input, output, and standard error. It can even pretend to be a terminal (this is what most commandline executables expect) and pass along signals. The -a option can be set for each of stdin, stdout, and stderr.
--add-host [] Add a custom host-to-IP mapping (host=ip, or host:ip)
Add a line to /etc/hosts. The format is hostname=ip, or hostname:ip. The --add-host option can be set multiple times.
--annotation [] Add an annotation to the container (passed through to the OCI run time).
The annotations are provided to the OCI run time.
--blkio-weight 0 Block IO weight (relative weight) accepts a weight value between 10 and 1000.
--blkio-weight-device []
Block IO weight (relative device weight, format: DEVICE_NAME:WEIGHT).
-c, --cpu-shares 0 CPU shares (relative weight).
By default, all containers get the same proportion of CPU cycles. This proportion can be modified by changing the container's CPU share weighting relative to the weighting of all other running containers.
To modify the proportion from the default of 1024, use the -c or --cpu-shares flag to set the weighting to 2 or higher.
The proportion will only apply when CPU-intensive processes are running. When tasks in one container are idle, other containers can use the left-over CPU time. The actual amount of CPU time will vary depending on the number of containers running on the system.
For example, consider three containers, one has a cpu-share of 1024 and two others have a cpu-share setting of 512. When processes in all three containers attempt to use 100% of CPU, the first container would receive 50% of the total CPU time. If you add a fourth container with a cpu-share of 1024, the first container only gets 33% of the CPU. The remaining containers receive 16.5%, 16.5% and 33% of the CPU.
On a multi-core system, the shares of CPU time are distributed over all CPU cores. Even if a container is limited to less than 100% of CPU time, it can use 100% of each individual CPU core.
For example, consider a system with more than three cores. If you start one container {C0} with -c=512 running one process, and another container {C1} with -c=1024 running two processes, this can result in the following division of CPU shares:
PID container CPU CPU share
100 {C0} 0 100% of CPU0
101 {C1} 1 100% of CPU1
102 {C1} 2 100% of CPU2
--cap-add [] Add Linux capabilities.
--cap-drop [] Drop Linux capabilities.
--cgroupns "" Set the cgroup namespace mode for the container. host: run the container in the host's cgroup namespace. private: run the container in its own private cgroup namespace. "": (unset) use the daemon's default configuration (host on cgroup v1, private on cgroup v2).
--cgroup-parent "" Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.
--cidfile "" Write the container ID to the file.
--cpu-count 0 Limit the number of CPUs available for execution by the container.
On Windows Server containers, this is approximated as a percentage of total CPU usage.
On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last.
--cpu-percent 0 Limit the percentage of CPU available for execution by a container running on a Windows daemon.
On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last.
--cpu-period 0 Limit the CPU CFS (Completely Fair Scheduler) period.
Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify.
--cpuset-cpus "" CPUs in which to allow execution (0-3, 0,1).
--cpuset-mems "" Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
If you have four memory nodes on your system (0-3), use --cpuset-mems=0,1
then processes in your Docker container will only use memory from the first
two memory nodes.
--cpu-quota 0 Limit the CPU CFS (Completely Fair Scheduler) quota.
Limit the container's CPU usage. By default, containers run with the full CPU resource. This flag tell the kernel to restrict the container's CPU usage to the quota you specify.
--cpu-rt-period 0 Limit the CPU real-time period in microseconds.
Limit the container's Real-Time CPU usage. This flag tell the kernel to restrict the container's Real-Time CPU usage to the period you specify.
--cpu-rt-runtime 0 Limit the CPU real-time run time in microseconds.
Limit the containers Real-Time CPU usage. This flag tells the kernel to limit the amount of time in a given CPU period Real-Time tasks may consume. Ex: Period of 1,000,000us and Run time of 950,000us means that this container could consume 95% of available CPU and leave the remaining 5% to normal priority tasks.
The sum of all run times across containers cannot exceed the amount allotted to the parent cgroup.
--cpus 0.0 Number of CPUs. The default is 0.0 which means no limit.
-d, --detach true|false Detached mode: run the container in the background and print the new container ID. The default is false.
At any time you can run docker ps in the other shell to view a list of the running containers. You can reattach to a detached container with docker attach.
When attached in the terminal mode, you can detach from the container (and leave it
running) using a configurable key sequence. The default sequence is CTRL-p CTRL-q.
You configure the key sequence using the --detach-keys option or a configuration file.
See config-json(5) for documentation on using a configuration file.
--detach-keys key Override the key sequence for detaching a container; key is a single character from the [a-Z] range, or ctrl-value, where value is one of: a-z, @, ^, [, ,, or _.
--device onhost:incontainer[:mode] Add a host device onhost to the container under the incontainer name. Optional mode parameter can be used to specify device permissions, it is a combination of r (for read), w (for write), and m (for mknod(2)).
For example, --device=/dev/sdc:/dev/xvdc:rwm will give a container all permissions for the host device /dev/sdc, seen as /dev/xvdc inside the container.
--device-cgroup-rule" type major:minor mode" Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt): - type: a (all), c (char), or b (block); - major and minor: either a number, or * for all; - mode: a composition of r (read), w (write), and m (mknod(2)).
Example: --device-cgroup-rule "c 1:3 mr": allow for a character device idendified by 1:3 to be created and read.
--device-read-bps [] Limit read rate from a device (e.g. --device-read-bps=/dev/sda:1mb).
--device-read-iops [] Limit read rate from a device (e.g. --device-read-iops=/dev/sda:1000).
--device-write-bps [] Limit write rate to a device (e.g. --device-write-bps=/dev/sda:1mb).
--device-write-iops [] Limit write rate to a device (e.g. --device-write-iops=/dev/sda:1000).
--dns-search [] Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain).
--dns-option [] Set custom DNS options.
--dns [] Set custom DNS servers.
This option can be used to override the DNS configuration passed to the container. Typically this is necessary when the host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this is the case the --dns flags is necessary for every run.
--domainname "" Container NIS domain name.
Sets the container's NIS domain name (see also setdomainname(2)) that is available inside the container.
-e, --env [] Set environment variables.
This option allows you to specify arbitrary environment variables that are available for the process that will be launched inside of the container.
--entrypoint "" Overwrite the default ENTRYPOINT of the image.
This option allows you to overwrite the default entrypoint of the image that is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND because it specifies what executable to run when the container starts, but it is (purposely) more difficult to override. The ENTRYPOINT gives a container its default nature or behavior, so that when you set an ENTRYPOINT you can run the container as if it were that binary, complete with default options, and you can pass in more options via the COMMAND. But, sometimes an operator may want to run something else inside the container, so you can override the default ENTRYPOINT at run time by using a --entrypoint and a string to specify the new ENTRYPOINT.
--env-file [] Read in a line delimited file of environment variables.
--expose [] Expose a port, or a range of ports (e.g. --expose=3300-3310) informs Docker that the container listens on the specified network ports at run time. Docker uses this information to interconnect containers using links and to set up port redirection on the host system.
--group-add [] Add additional groups to run as.
-h, --hostname "" Container hostname.
Sets the container hostname that is available inside the container.
--help Print usage statement.
--init Run an init inside the container that forwards signals and reaps processes.
-i, --interactive true|false Keep STDIN open even if not attached. The default is false.
When set to true, keep stdin open even if not attached.
--ip"" Sets the container's interface IPv4 address (e.g., 172.23.0.9).
It can only be used in conjunction with --network for user-defined networks.
--ip6"" Sets the container's interface IPv6 address (e.g., 2001:db8::1b99).
It can only be used in conjunction with --network for user-defined networks.
--ipc"" Sets the IPC mode for the container. The following values are accepted:
| Value | Description |
|---|---|
| (empty) | Use daemon's default. |
| none | Own private IPC namespace, with /dev/shm not mounted. |
| private | Own private IPC namespace. |
| shareable | Own private IPC namespace, with a possibility to share it with other containers. |
| container:name-or-ID | Join another ("shareable") container's IPC namespace. |
| host | Use the host system's IPC namespace. |
If not specified, daemon default is used, which can either be private or shareable, depending on the daemon version and configuration.
--isolation "default"
Isolation specifies the type of isolation technology used by containers. Note
that the default on Windows server is process, and the default on Windows client
is hyperv. Linux only supports default.
-l, --label key=value Set metadata on the container (for example, --label com.example.key=value).
--kernel-memory number[S] Kernel memory limit; S is an optional suffix which can be one of b, k, m, or g.
Constrains the kernel memory available to a container. If a limit of 0 is specified (not using --kernel-memory), the container's kernel memory is not limited. If you specify a limit, it may be rounded up to a multiple of the operating system's page size and the value can be very large, millions of trillions.
--label-file [] Read in a line delimited file of labels.
--linkname-or-id[:alias] Add link to another container.
If the operator uses --link when starting the new client container, then the client container can access the exposed port via a private networking interface. Docker will set some environment variables in the client container to help indicate which interface and port to use.
--link-local-ip [] Add one or more link-local IPv4/IPv6 addresses to the container's interface.
--log-driver "json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
Logging driver for the container. Default is defined by daemon --log-driver flag.
Warning: the docker logs command works only for the json-file and
journald logging drivers.
--log-opt [] Logging driver specific options.
-m, --memory number[S] Memory limit; S is an optional suffix which can be one of b, k, m, or g.
Allows you to constrain the memory available to a container. If the host supports swap memory, then the -m memory setting can be larger than physical RAM. If a limit of 0 is specified (not using -m), the container's memory is not limited. The actual limit may be rounded up to a multiple of the operating system's page size (the value would be very large, that's millions of trillions).
--memory-reservation number[S] Memory soft limit; S is an optional suffix which can be one of b, k, m, or g.
After setting memory reservation, when the system detects memory contention or low memory, containers are forced to restrict their consumption to their reservation. So you should always set the value below --memory, otherwise the hard limit will take precedence. By default, memory reservation will be the same as memory limit.
--memory-swap number[S] Combined memory plus swap limit; S is an optional suffix which can be one of b, k, m, or g.
This option can only be used together with --memory. The argument should always be larger than that of --memory. Default is double the value of --memory. Set to -1 to enable unlimited swap.
--mac-address "" Container MAC address (e.g., 92:d0:c6:0a:29:33).
Remember th