docker container run (original) (raw)

Description Create and run a new container from an image
Usage docker container run [OPTIONS] IMAGE [COMMAND] [ARG...]
AliasesAn alias is a short or memorable alternative for a longer command. docker run

The docker run command runs a command in a new container, pulling the image if needed and starting the container.

You can restart a stopped container with all its previous changes intact using docker start. Use docker ps -a to view a list of all containers, including those that are stopped.

Option Default Description
--add-host Add a custom host-to-IP mapping (host:ip)
--annotation API 1.43+Add an annotation to the container (passed through to the OCI runtime)
-a, --attach Attach to STDIN, STDOUT or STDERR
--blkio-weight Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
--blkio-weight-device Block IO weight (relative device weight)
--cap-add Add Linux capabilities
--cap-drop Drop Linux capabilities
--cgroup-parent Optional parent cgroup for the container
--cgroupns API 1.41+Cgroup namespace to use (host|private)'host': Run the container in the Docker host's cgroup namespace'private': Run the container in its own private cgroup namespace'': Use the cgroup namespace as configured by thedefault-cgroupns-mode option on the daemon (default)
--cidfile Write the container ID to the file
--cpu-count CPU count (Windows only)
--cpu-percent CPU percent (Windows only)
--cpu-period Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota Limit CPU CFS (Completely Fair Scheduler) quota
--cpu-rt-period API 1.25+Limit CPU real-time period in microseconds
--cpu-rt-runtime API 1.25+Limit CPU real-time runtime in microseconds
-c, --cpu-shares CPU shares (relative weight)
--cpus API 1.25+Number of CPUs
--cpuset-cpus CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems MEMs in which to allow execution (0-3, 0,1)
-d, --detach Run container in background and print container ID
--detach-keys Override the key sequence for detaching a container
--device Add a host device to the container
--device-cgroup-rule Add a rule to the cgroup allowed devices list
--device-read-bps Limit read rate (bytes per second) from a device
--device-read-iops Limit read rate (IO per second) from a device
--device-write-bps Limit write rate (bytes per second) to a device
--device-write-iops Limit write rate (IO per second) to a device
--disable-content-trust true Skip image verification
--dns Set custom DNS servers
--dns-option Set DNS options
--dns-search Set custom DNS search domains
--domainname Container NIS domain name
--entrypoint Overwrite the default ENTRYPOINT of the image
-e, --env Set environment variables
--env-file Read in a file of environment variables
--expose Expose a port or a range of ports
--gpus API 1.40+GPU devices to add to the container ('all' to pass all GPUs)
--group-add Add additional groups to join
--health-cmd Command to run to check health
--health-interval Time between running the check (ms|s m
--health-retries Consecutive failures needed to report unhealthy
--health-start-interval API 1.44+Time between running the check during the start period (ms|s m
--health-start-period API 1.29+Start period for the container to initialize before starting health-retries countdown (ms|s m
--health-timeout Maximum time to allow one check to run (ms|s m
--help Print usage
-h, --hostname Container host name
--init API 1.25+Run an init inside the container that forwards signals and reaps processes
-i, --interactive Keep STDIN open even if not attached
--io-maxbandwidth Maximum IO bandwidth limit for the system drive (Windows only)
--io-maxiops Maximum IOps limit for the system drive (Windows only)
--ip IPv4 address (e.g., 172.30.100.104)
--ip6 IPv6 address (e.g., 2001:db8::33)
--ipc IPC mode to use
--isolation Container isolation technology
--kernel-memory Kernel memory limit
-l, --label Set meta data on a container
--label-file Read in a line delimited file of labels
--link Add link to another container
--link-local-ip Container IPv4/IPv6 link-local addresses
--log-driver Logging driver for the container
--log-opt Log driver options
--mac-address Container MAC address (e.g., 92:d0:c6:0a:29:33)
-m, --memory Memory limit
--memory-reservation Memory soft limit
--memory-swap Swap limit equal to memory plus swap: '-1' to enable unlimited swap
--memory-swappiness -1 Tune container memory swappiness (0 to 100)
--mount Attach a filesystem mount to the container
--name Assign a name to the container
--network Connect a container to a network
--network-alias Add network-scoped alias for the container
--no-healthcheck Disable any container-specified HEALTHCHECK
--oom-kill-disable Disable OOM Killer
--oom-score-adj Tune host's OOM preferences (-1000 to 1000)
--pid PID namespace to use
--pids-limit Tune container pids limit (set -1 for unlimited)
--platform API 1.32+Set platform if server is multi-platform capable
--privileged Give extended privileges to this container
-p, --publish Publish a container's port(s) to the host
-P, --publish-all Publish all exposed ports to random ports
--pull missing Pull image before running (always, missing, never)
-q, --quiet Suppress the pull output
--read-only Mount the container's root filesystem as read only
--restart no Restart policy to apply when a container exits
--rm Automatically remove the container and its associated anonymous volumes when it exits
--runtime Runtime to use for this container
--security-opt Security Options
--shm-size Size of /dev/shm
--sig-proxy true Proxy received signals to the process
--stop-signal Signal to stop the container
--stop-timeout API 1.25+Timeout (in seconds) to stop a container
--storage-opt Storage driver options for the container
--sysctl Sysctl options
--tmpfs Mount a tmpfs directory
-t, --tty Allocate a pseudo-TTY
--ulimit Ulimit options
--use-api-socket Bind mount Docker API socket and required auth
-u, --user Username or UID (format: <name|uid>[:<group gid>])
--userns User namespace to use
--uts UTS namespace to use
-v, --volume Bind mount a volume
--volume-driver Optional volume driver for the container
--volumes-from Mount volumes from the specified container(s)
-w, --workdir Working directory inside the container

Assign name (--name)

The --name flag lets you specify a custom identifier for a container. The following example runs a container named test using the nginx:alpine image in detached mode.

You can reference the container by name with other commands. For example, the following commands stop and remove a container named test:

If you don't specify a custom name using the --name flag, the daemon assigns a randomly generated name, such as vibrant_cannon, to the container. Using a custom-defined name provides the benefit of having an easy-to-remember ID for a container.

Moreover, if you connect the container to a user-defined bridge network, other containers on the same network can refer to the container by name via DNS.

Capture container ID (--cidfile)

To help with automation, you can have Docker write the container ID out to a file of your choosing. This is similar to how some programs might write out their process ID to a file (you might've seen them as PID files):

This creates a container and prints test to the console. The cidfileflag makes Docker attempt to create a new file and write the container ID to it. If the file exists already, Docker returns an error. Docker closes this file when docker run exits.

PID settings (--pid)

By default, all containers have the PID namespace enabled.

PID namespace provides separation of processes. The PID Namespace removes the view of the system processes, and allows process ids to be reused including PID 1.

In certain cases you want your container to share the host's process namespace, allowing processes within the container to see all of the processes on the system. For example, you could build a container with debugging tools likestrace or gdb, but want to use these tools when debugging processes within the container.

Example: run htop inside a container

To run htop in a container that shares the process namespac of the host:

  1. Run an alpine container with the --pid=host option:
  2. Install htop in the container:
  3. Invoke the htop command.

Example, join another container's PID namespace

Joining another container's PID namespace can be useful for debugging that container.

  1. Start a container running a Redis server:
  2. Run an Alpine container that attaches the --pid namespace to themy-nginx container:
  3. Install strace in the Alpine container:
  4. Attach to process 1, the process ID of the my-nginx container:

Disable namespace remapping for a container (--userns)

If you enable user namespaces on the daemon, all containers are started with user namespaces enabled by default. To disable user namespace remapping for a specific container, you can set the --userns flag to host.

host is the only valid value for the --userns flag.

For more information, refer toIsolate containers with a user namespace.

UTS settings (--uts)

The UTS namespace is for setting the hostname and the domain that's visible to running processes in that namespace. By default, all containers, including those with --network=host, have their own UTS namespace. Setting --uts tohost results in the container using the same UTS namespace as the host.

Docker disallows combining the --hostname and --domainname flags with--uts=host. This is to prevent containers running in the host's UTS namespace from attempting to change the hosts' configuration.

You may wish to share the UTS namespace with the host if you would like the hostname of the container to change as the hostname of the host changes. A more advanced use case would be changing the host's hostname from a container.

IPC settings (--ipc)

The --ipc flag accepts the following values:

Value Description
"" Use daemon's default.
"none" Own private IPC namespace, with /dev/shm not mounted.
"private" Own private IPC namespace.
"shareable" Own private IPC namespace, with a possibility to share it with other containers.
"container:<_name-or-ID_>" Join another ("shareable") container's IPC namespace.
"host" Use the host system's IPC namespace.

If not specified, daemon default is used, which can either be "private"or "shareable", depending on the daemon version and configuration.

System V interprocess communication (IPC)namespaces provide separation of named shared memory segments, semaphores and message queues.

Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. Shared memory is commonly used by databases and custom-built (typically C/OpenMPI, C++/using boost libraries) high performance applications for scientific computing and financial services industries. If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers, using "shareable" mode for the main (i.e. "donor") container, and "container:<donor-name-or-ID>" for other containers.

Escalate container privileges (--privileged)

The --privileged flag gives the following capabilities to a container:

In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

Use the --privileged flag with caution. A container with --privileged is not a securely sandboxed process. Containers in this mode can get a root shell on the host and take control over the system.

For most use cases, this flag should not be the preferred solution. If your container requires escalated privileges, you should prefer to explicitly grant the necessary permissions, for example by adding individual kernel capabilities with --cap-add.

For more information, seeRuntime privilege and Linux capabilities

The following example doesn't work, because by default, Docker drops most potentially dangerous kernel capabilities, including CAP_SYS_ADMIN (which is required to mount filesystems).

It works when you add the --privileged flag:

Set working directory (-w, --workdir)

The -w option runs the command executed inside the directory specified, in this example,/path/to/dir/. If the path doesn't exist, Docker creates it inside the container.

Set storage driver options per container (--storage-opt)

This (size) constraints the container filesystem size to 120G at creation time. This option is only available for the btrfs, overlay2, windowsfilter, and zfs storage drivers.

For the overlay2 storage driver, the size option is only available if the backing filesystem is xfs and mounted with the pquota mount option. Under these conditions, you can pass any size less than the backing filesystem size.

For the windowsfilter, btrfs, and zfs storage drivers, you cannot pass a size less than the Default BaseFS Size.

Mount tmpfs (--tmpfs)

The --tmpfs flag lets you create a tmpfs mount.

The options that you can pass to --tmpfs are identical to the Linux mount -t tmpfs -o command. The following example mounts an empty tmpfs into the container with the rw, noexec, nosuid, size=65536k options.

For more information, seetmpfs mounts.

Mount volume (-v)

The example above mounts the current directory into the container at the same path using the -v flag, sets it as the working directory, and then runs the pwd command inside the container.

As of Docker Engine version 23, you can use relative paths on the host.

The example above mounts the content directory in the current directory into the container at the/content path using the -v flag, sets it as the working directory, and then runs the pwd command inside the container.

When the host directory of a bind-mounted volume doesn't exist, Docker automatically creates this directory on the host for you. In the example above, Docker creates the /doesnt/existfolder before starting your container.

Mount volume read-only (--read-only)

You can use volumes in combination with the --read-only flag to control where a container writes files. The --read-only flag mounts the container's root filesystem as read only prohibiting writes to locations other than the specified volumes for the container.

By bind-mounting the Docker Unix socket and statically linked Docker binary (refer toget the Linux binary), you give the container the full access to create and manipulate the host's Docker daemon.

On Windows, you must specify the paths using Windows-style path semantics.

The following examples fails when using Windows-based containers, as the destination of a volume or bind mount inside the container must be one of: a non-existing or empty directory; or a drive other than C:. Further, the source of a bind mount must be a local directory, not a file.

For in-depth information about volumes, refer tomanage data in containers

Add bind mounts or volumes using the --mount flag

The --mount flag allows you to mount volumes, host-directories, and tmpfsmounts in a container.

The --mount flag supports most options supported by the -v or the--volume flag, but uses a different syntax. For in-depth information on the--mount flag, and a comparison between --volume and --mount, refer toBind mounts.

Even though there is no plan to deprecate --volume, usage of --mount is recommended.

Examples:

Publish or expose port (-p, --expose)

This binds port 8080 of the container to TCP port 80 on 127.0.0.1 of the host. You can also specify udp and sctp ports. TheNetworking overview page explains in detail how to publish ports with Docker.

If you don't specify an IP address (i.e., -p 80:80 instead of -p 127.0.0.1:80:80) when publishing a container's ports, Docker publishes the port on all interfaces (address 0.0.0.0) by default. These ports are externally accessible. This also applies if you configured UFW to block this specific port, as Docker manages its own iptables rules.Read more

This exposes port 80 of the container without publishing the port to the host system's interfaces.

Publish all exposed ports (-P, --publish-all)

The -P, or --publish-all, flag publishes all the exposed ports to the host. Docker binds each exposed port to a random port on the host.

The -P flag only publishes port numbers that are explicitly flagged as exposed, either using the Dockerfile EXPOSE instruction or the --exposeflag for the docker run command.

The range of ports are within an ephemeral port range defined by/proc/sys/net/ipv4/ip_local_port_range. Use the -p flag to explicitly map a single port or range of ports.

Set the pull policy (--pull)

Use the --pull flag to set the image pull policy when creating (and running) the container.

The --pull flag can take one of these values:

Value Description
missing (default) Pull the image if it was not found in the image cache, or use the cached image otherwise.
never Do not pull the image, even if it's missing, and produce an error if the image does not exist in the image cache.
always Always perform a pull before creating the container.

When creating (and running) a container from an image, the daemon checks if the image exists in the local image cache. If the image is missing, an error is returned to the CLI, allowing it to initiate a pull.

The default (missing) is to only pull the image if it's not present in the daemon's image cache. This default allows you to run images that only exist locally (for example, images you built from a Dockerfile, but that have not been pushed to a registry), and reduces networking.

The always option always initiates a pull before creating the container. This option makes sure the image is up-to-date, and prevents you from using outdated images, but may not be suitable in situations where you want to test a locally built image before pushing (as pulling the image overwrites the existing image in the image cache).

The never option disables (implicit) pulling images when creating containers, and only uses images that are available in the image cache. If the specified image is not found, an error is produced, and the container is not created. This option is useful in situations where networking is not available, or to prevent images from being pulled implicitly when creating containers.

The following example shows docker run with the --pull=never option set, which produces en error as the image is missing in the image-cache:

Set environment variables (-e, --env, --env-file)

Use the -e, --env, and --env-file flags to set simple (non-array) environment variables in the container you're running, or overwrite variables defined in the Dockerfile of the image you're running.

You can define the variable and its value when running the container:

You can also use variables exported to your local environment:

When running the command, the Docker CLI client checks the value the variable has in your local environment and passes it to the container. If no = is provided and that variable isn't exported in your local environment, the variable is unset in the container.

You can also load the environment variables from a file. This file should use the syntax <variable>=value (which sets the variable to the given value) or<variable> (which takes the value from the local environment), and # for comments. Lines beginning with # are treated as line comments and are ignored, whereas a # appearing anywhere else in a line is treated as part of the variable value.

Set metadata on container (-l, --label, --label-file)

A label is a key=value pair that applies metadata to a container. To label a container with two labels:

The my-label key doesn't specify a value so the label defaults to an empty string (""). To add multiple labels, repeat the label flag (-l or --label).

The key=value must be unique to avoid overwriting the label value. If you specify labels with identical keys but different values, each subsequent value overwrites the previous. Docker uses the last key=value you supply.

Use the --label-file flag to load multiple labels from a file. Delimit each label in the file with an EOL mark. The example below loads labels from a labels file in the current directory:

The label-file format is similar to the format for loading environment variables. (Unlike environment variables, labels are not visible to processes running inside a container.) The following example shows a label-file format:

You can load multiple label-files by supplying multiple --label-file flags.

For additional information on working with labels, seeLabels.

Connect a container to a network (--network)

To start a container and connect it to a network, use the --network option.

If you want to add a running container to a network use the docker network connect subcommand.

You can connect multiple containers to the same network. Once connected, the containers can communicate using only another container's IP address or name. For overlay networks or custom plugins that support multi-host connectivity, containers connected to the same multi-host network but launched from different Engines can also communicate in this way.

The default bridge network only allows containers to communicate with each other using internal IP addresses. User-created bridge networks provide DNS resolution between containers using container names.

You can disconnect a container from a network using the docker network disconnect command.

The following commands create a network named my-net and add a busybox container to the my-net network.

You can also choose the IP addresses for the container with --ip and --ip6flags when you start the container on a user-defined network. To assign a static IP to containers, you must specify subnet block for the network.

To connect the container to more than one network, repeat the --network option.

To specify options when connecting to more than one network, use the extended syntax for the --network flag. Comma-separated options that can be specified in the extended--network syntax are:

Option Top-level Equivalent Description
name The name of the network (mandatory)
alias --network-alias Add network-scoped alias for the container
ip --ip IPv4 address (e.g., 172.30.100.104)
ip6 --ip6 IPv6 address (e.g., 2001:db8::33)
mac-address --mac-address Container MAC address (e.g., 92:d0:c6:0a:29:33)
link-local-ip --link-local-ip Container IPv4/IPv6 link-local addresses
driver-opt docker network connect --driver-opt Network driver options
gw-priority Highest gw-priority provides the default gateway. Accepts positive and negative values.

sysctl settings that start with net.ipv4., net.ipv6. or net.mpls. can be set per-interface using driver-opt label com.docker.network.endpoint.sysctls. The interface name must be the string IFNAME.

To set more than one sysctl for an interface, quote the whole driver-opt field, remembering to escape the quotes for the shell if necessary. For example, if the interface to my-net is given name eth0, the following example sets sysctlsnet.ipv4.conf.eth0.log_martians=1 and net.ipv4.conf.eth0.forwarding=0, and assigns the IPv4 address 192.0.2.42.

Network drivers may restrict the sysctl settings that can be modified and, to protect the operation of the network, new restrictions may be added in the future.

For more information on connecting a container to a network when using the run command, see theDocker network overview.

Mount volumes from container (--volumes-from)

The --volumes-from flag mounts all the defined volumes from the referenced containers. You can specify more than one container by repetitions of the --volumes-fromargument. The container ID may be optionally suffixed with :ro or :rw to mount the volumes in read-only or read-write mode, respectively. By default, Docker mounts the volumes in the same mode (read write or read only) as the reference container.

Labeling systems like SELinux require placing proper labels on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Docker does not change the labels set by the OS.

To change the label in the container context, you can add either of two suffixes:z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.

Detached mode (-d, --detach)

The --detach (or -d) flag starts a container as a background process that doesn't occupy your terminal window. By design, containers started in detached mode exit when the root process used to run the container exits, unless you also specify the --rm option. If you use -d with --rm, the container is removed when it exits or when the daemon exits, whichever happens first.

Don't pass a service x start command to a detached container. For example, this command attempts to start the nginx service.

This succeeds in starting the nginx service inside the container. However, it fails the detached container paradigm in that, the root process (service nginx start) returns and the detached container stops as designed. As a result, thenginx service starts but can't be used. Instead, to start a process such as the nginx web server do the following:

To do input/output with a detached container use network connections or shared volumes. These are required because the container is no longer listening to the command line where docker run was run.

Override the detach sequence (--detach-keys)

Use the --detach-keys option to override the Docker key sequence for detach. This is useful if the Docker default sequence conflicts with key sequence you use for other applications. There are two ways to define your own detach key sequence, as a per-container override or as a configuration property on your entire configuration.

To override the sequence for an individual container, use the--detach-keys="<sequence>" flag with the docker attach command. The format of the <sequence> is either a letter [a-Z], or the ctrl- combined with any of the following:

These a, ctrl-a, X, or ctrl-\\ values are all examples of valid key sequences. To configure a different configuration default key sequence for all containers, seeConfiguration file section.

Add host device to container (--device)

It's often necessary to directly expose devices to a container. The --deviceoption enables that. For example, adding a specific block storage device or loop device or audio device to an otherwise unprivileged container (without the --privileged flag) and have the application directly access it.

By default, the container is able to read, write and mknod these devices. This can be overridden using a third :rwm set of options to each --deviceflag. If the container is running in privileged mode, then Docker ignores the specified permissions.

The --device option cannot be safely used with ephemeral devices. You shouldn't add block devices that may be removed to untrusted containers with --device.

For Windows, the format of the string passed to the --device option is in the form of --device=<IdType>/<Id>. Beginning with Windows Server 2019 and Windows 10 October 2018 Update, Windows only supports an IdType ofclass and the Id as a device interface class GUID. Refer to the table defined in the Windows container docsfor a list of container-supported device interface class GUIDs.

If you specify this option for a process-isolated Windows container, Docker makes_all_ devices that implement the requested device interface class GUID available in the container. For example, the command below makes all COM ports on the host visible in the container.

The --device option is only supported on process-isolated Windows containers, and produces an error if the container isolation is hyperv.

CDI devices

The CDI feature is experimental, and potentially subject to change. CDI is currently only supported for Linux containers.

Container Device Interface (CDI)is a standardized mechanism for container runtimes to create containers which are able to interact with third party devices.

With CDI, device configurations are declaratively defined using a JSON or YAML file. In addition to enabling the container to interact with the device node, it also lets you specify additional configuration for the device, such as environment variables, host mounts (such as shared objects), and executable hooks.

You can reference a CDI device with the --device flag using the fully-qualified name of the device, as shown in the following example:

This starts an ubuntu container with access to the specified CDI device,vendor.com/class=device-name, assuming that:

Attach to STDIN/STDOUT/STDERR (-a, --attach)

The --attach (or -a) flag tells docker run to bind to the container'sSTDIN, STDOUT or STDERR. This makes it possible to manipulate the output and input as needed. You can specify to which of the three standard streams (STDIN, STDOUT, STDERR) you'd like to connect instead, as in:

The following example pipes data into a container and prints the container's ID by attaching only to the container's STDIN.

The following example doesn't print anything to the console unless there's an error because output is only attached to the STDERR of the container. The container's logs still store what's written to STDERR and STDOUT.

The following example shows a way of using --attach to pipe a file into a container. The command prints the container's ID after the build completes and you can retrieve the build logs using docker logs. This is useful if you need to pipe a file or something else into a container and retrieve the container's ID once the container has finished running.

A process running as PID 1 inside a container is treated specially by Linux: it ignores any signal with the default action. So, the process doesn't terminate on SIGINT or SIGTERM unless it's coded to do so.

See alsothe docker cp command.

Keep STDIN open (-i, --interactive)

The --interactive (or -i) flag keeps the container's STDIN open, and lets you send input to the container through standard input.

The -i flag is most often used together with the --tty flag to bind the I/O streams of the container to a pseudo terminal, creating an interactive terminal session for the container. See Allocate a pseudo-TTY for more examples.

Using the -i flag on its own allows for composition, such as piping input to containers:

Specify an init process

You can use the --init flag to indicate that an init process should be used as the PID 1 in the container. Specifying an init process ensures the usual responsibilities of an init system, such as reaping zombie processes, are performed inside the created container.

The default init process used is the first docker-init executable found in the system path of the Docker daemon process. This docker-init binary, included in the default installation, is backed by tini.

Allocate a pseudo-TTY (-t, --tty)

The --tty (or -t) flag attaches a pseudo-TTY to the container, connecting your terminal to the I/O streams of the container. Allocating a pseudo-TTY to the container means that you get access to input and output feature that TTY devices provide.

For example, the following command runs the passwd command in a debiancontainer, to set a new password for the root user.

If you run this command with only the -i flag (which lets you send text toSTDIN of the container), the passwd prompt displays the password in plain text. However, if you try the same thing but also adding the -t flag, the password is hidden:

This is because passwd can suppress the output of characters to the terminal using the echo-off TTY feature.

You can use the -t flag without -i flag. This still allocates a pseudo-TTY to the container, but with no way of writing to STDIN. The only time this might be useful is if the output of the container requires a TTY environment.

Specify custom cgroups

Using the --cgroup-parent flag, you can pass a specific cgroup to run a container in. This allows you to create and manage cgroups on their own. You can define custom resources for those cgroups and put containers under a common parent group.

Using dynamically created devices (--device-cgroup-rule)

Docker assigns devices available to a container at creation time. The assigned devices are added to the cgroup.allow file and created into the container when it runs. This poses a problem when you need to add a new device to running container.

One solution is to add a more permissive rule to a container allowing it access to a wider range of devices. For example, supposing the container needs access to a character device with major 42 and any number of minor numbers (added as new devices appear), add the following rule:

Then, a user could ask udev to execute a script that would docker exec my-container mknod newDevX c 42 <minor>the required device when it is added.

You still need to explicitly add initially present devices to thedocker run / docker create command.

Access an NVIDIA GPU

The --gpus flag allows you to access NVIDIA GPU resources. First you need to install the nvidia-container-runtime.

You can also specify a GPU as a CDI device with the --device flag, seeCDI devices.

ReadSpecify a container's resourcesfor more information.

To use --gpus, specify which GPUs (or all) to use. If you provide no value, Docker uses all available GPUs. The example below exposes all available GPUs.

Use the device option to specify GPUs. The example below exposes a specific GPU.

The example below exposes the first and third GPUs.

Restart policies (--restart)

Use the --restart flag to specify a container's restart policy. A restart policy controls whether the Docker daemon restarts a container after exit. Docker supports the following restart policies:

Flag Description
no Don't automatically restart the container. (Default)
on-failure[:max-retries] Restart the container if it exits due to an error, which manifests as a non-zero exit code. Optionally, limit the number of times the Docker daemon attempts to restart the container using the :max-retries option. The on-failure policy only prompts a restart if the container exits with a failure. It doesn't restart the container if the daemon restarts.
always Always restart the container if it stops. If it's manually stopped, it's restarted only when Docker daemon restarts or the container itself is manually restarted.
unless-stopped Similar to always, except that when the container is stopped (manually or otherwise), it isn't restarted even after Docker daemon restarts.

This runs the redis container with a restart policy of always. If the container exits, Docker restarts it.

When a restart policy is active on a container, it shows as either Up orRestarting indocker ps. It can also be useful to usedocker events to see the restart policy in effect.

An increasing delay (double the previous delay, starting at 100 milliseconds) is added before each restart to prevent flooding the server. This means the daemon waits for 100 ms, then 200 ms, 400, 800, 1600, and so on until either the on-failure limit, the maximum delay of 1 minute is hit, or when youdocker stop or docker rm -f the container.

If a container is successfully restarted (the container is started and runs for at least 10 seconds), the delay is reset to its default value of 100 ms.

Specify a limit for restart attempts

You can specify the maximum amount of times Docker attempts to restart the container when using the on-failure policy. By default, Docker never stops attempting to restart the container.

The following example runs the redis container with a restart policy ofon-failure and a maximum restart count of 10.

If the redis container exits with a non-zero exit status more than 10 times in a row, Docker stops trying to restart the container. Providing a maximum restart limit is only valid for the on-failure policy.

Inspect container restarts

The number of (attempted) restarts for a container can be obtained using thedocker inspect command. For example, to get the number of restarts for container "my-container";

Or, to get the last time the container was (re)started;

Combining --restart (restart policy) with the --rm (clean up) flag results in an error. On container restart, attached clients are disconnected.

Clean up (--rm)

By default, a container's file system persists even after the container exits. This makes debugging a lot easier, since you can inspect the container's final state and you retain all your data.

If you are running short-term foreground processes, these container file systems can start to pile up. If you'd like Docker to automatically clean up the container and remove the file system when the container exits, use the--rm flag:

If you set the --rm flag, Docker also removes the anonymous volumes associated with the container when the container is removed. This is similar to running docker rm -v my-container. Only volumes that are specified without a name are removed. For example, when running the following command, volume /foo is removed, but not /bar:

Volumes inherited via --volumes-from are removed with the same logic: if the original volume was specified with a name it isn't removed.

Add entries to container hosts file (--add-host)

You can add other hosts into a container's /etc/hosts file by using one or more --add-host flags. This example adds a static address for a host namedmy-hostname:

You can wrap an IPv6 address in square brackets:

The --add-host flag supports a special host-gateway value that resolves to the internal IP address of the host. This is useful when you want containers to connect to services running on the host machine.

It's conventional to use host.docker.internal as the hostname referring tohost-gateway. Docker Desktop automatically resolves this hostname, seeExplore networking features.

The following example shows how the special host-gateway value works. The example runs an HTTP server that serves a file from host to container over thehost.docker.internal hostname, which resolves to the host's internal IP.

The --add-host flag also accepts a : separator, for example:

Logging drivers (--log-driver)

The container can have a different logging driver than the Docker daemon. Use the --log-driver=<DRIVER> with the docker run command to configure the container's logging driver.

To learn about the supported logging drivers and how to use them, refer toConfigure logging drivers.

To disable logging for a container, set the --log-driver flag to none:

Set ulimits in container (--ulimit)

Since setting ulimit settings in a container requires extra privileges not available in the default container, you can set these using the --ulimit flag. Specify --ulimit with a soft and hard limit in the format<type>=<soft limit>[:<hard limit>]. For example:

If you don't provide a hard limit value, Docker uses the soft limit value for both values. If you don't provide any values, they are inherited from the default ulimits set on the daemon.

The as option is deprecated. In other words, the following script is not supported:

Supported options for --ulimit:

Option Description
core Maximum size of core files created (RLIMIT_CORE)
cpu CPU time limit in seconds (RLIMIT_CPU)
data Maximum data segment size (RLIMIT_DATA)
fsize Maximum file size (RLIMIT_FSIZE)
locks Maximum number of file locks (RLIMIT_LOCKS)
memlock Maximum locked-in-memory address space (RLIMIT_MEMLOCK)
msgqueue Maximum bytes in POSIX message queues (RLIMIT_MSGQUEUE)
nice Maximum nice priority adjustment (RLIMIT_NICE)
nofile Maximum number of open file descriptors (RLIMIT_NOFILE)
nproc Maximum number of processes available (RLIMIT_NPROC)
rss Maximum resident set size (RLIMIT_RSS)
rtprio Maximum real-time scheduling priority (RLIMIT_RTPRIO)
rttime Maximum real-time execution time (RLIMIT_RTTIME)
sigpending Maximum number of pending signals (RLIMIT_SIGPENDING)
stack Maximum stack size (RLIMIT_STACK)

Docker sends the values to the appropriate OS syscall and doesn't perform any byte conversion. Take this into account when setting the values.

For nproc usage

Be careful setting nproc with the ulimit flag as Linux uses nproc to set the maximum number of processes available to a user, not to a container. For example, start four containers with daemon user:

The 4th container fails and reports a "[8] System error: resource temporarily unavailable" error. This fails because the caller set nproc=3 resulting in the first three containers using up the three processes quota set for the daemon user.

Stop container with signal (--stop-signal)

The --stop-signal flag sends the system call signal to the container to exit. This signal can be a signal name in the format SIG<NAME>, for instance SIGKILL, or an unsigned number that matches a position in the kernel's syscall table, for instance 9.

The default value is defined bySTOPSIGNALin the image, or SIGTERM if the image has no STOPSIGNAL defined.

Optional security options (--security-opt)

Option Description
--security-opt="label=user:USER" Set the label user for the container
--security-opt="label=role:ROLE" Set the label role for the container
--security-opt="label=type:TYPE" Set the label type for the container
--security-opt="label=level:LEVEL" Set the label level for the container
--security-opt="label=disable" Turn off label confinement for the container
--security-opt="apparmor=PROFILE" Set the apparmor profile to be applied to the container
--security-opt="no-new-privileges=true" Disable container processes from gaining new privileges
--security-opt="seccomp=unconfined" Turn off seccomp confinement for the container
--security-opt="seccomp=builtin" Use the default (built-in) seccomp profile for the container. This can be used to enable seccomp for a container running on a daemon with a custom default profile set, or with seccomp disabled ("unconfined").
--security-opt="seccomp=profile.json" White-listed syscalls seccomp Json file to be used as a seccomp filter
--security-opt="systempaths=unconfined" Turn off confinement for system paths (masked paths, read-only paths) for the container

The --security-opt flag lets you override the default labeling scheme for a container. Specifying the level in the following command allows you to share the same content between containers.

Automatic translation of MLS labels isn't supported.

To disable the security labeling for a container entirely, you can uselabel=disable:

If you want a tighter security policy on the processes within a container, you can specify a custom type label. The following example runs a container that's only allowed to listen on Apache ports:

You would have to write policy defining a svirt_apache_t type.

To prevent your container processes from gaining additional privileges, you can use the following command:

This means that commands that raise privileges such as su or sudo no longer work. It also causes any seccomp filters to be applied later, after privileges have been dropped which may mean you can have a more restrictive set of filters. For more details, see the kernel documentation.

On Windows, you can use the --security-opt flag to specify the credentialspec option. The credentialspec must be in the format file://spec.txt or registry://keyname.

Stop container with timeout (--stop-timeout)

The --stop-timeout flag sets the number of seconds to wait for the container to stop after sending the pre-defined (see --stop-signal) system call signal. If the container does not exit after the timeout elapses, it's forcibly killed with a SIGKILL signal.

If you set --stop-timeout to -1, no timeout is applied, and the daemon waits indefinitely for the container to exit.

The Daemon determines the default, and is 10 seconds for Linux containers, and 30 seconds for Windows containers.

Specify isolation technology for container (--isolation)

This option is useful in situations where you are running Docker containers on Windows. The --isolation=<value> option sets a container's isolation technology. On Linux, the only supported is the default option which uses Linux namespaces. These two commands are equivalent on Linux:

On Windows, --isolation can take one of these values:

Value Description
default Use the value specified by the Docker daemon's --exec-opt or system default (see below).
process Shared-kernel namespace isolation.
hyperv Hyper-V hypervisor partition-based isolation.

The default isolation on Windows server operating systems is process, and hypervon Windows client operating systems, such as Windows 10. Process isolation has better performance, but requires that the image and host use the same kernel version.

On Windows server, assuming the default configuration, these commands are equivalent and result in process isolation:

If you have set the --exec-opt isolation=hyperv option on the Docker daemon, or are running against a Windows client-based daemon, these commands are equivalent and result in hyperv isolation:

Specify hard limits on memory available to containers (-m, --memory)

These parameters always set an upper limit on the memory available to the container. Linux sets this on the cgroup and applications in a container can query it at /sys/fs/cgroup/memory/memory.limit_in_bytes.

On Windows, this affects containers differently depending on what type of isolation you use.

Configure namespaced kernel parameters (sysctls) at runtime (--sysctl)

The --sysctl sets namespaced kernel parameters (sysctls) in the container. For example, to turn on IP forwarding in the containers network namespace, run this command:

Not all sysctls are namespaced. Docker does not support changing sysctls inside of a container that also modify the host system. As the kernel evolves we expect to see more sysctls become namespaced.

Currently supported sysctls

IPC Namespace:

Network Namespace: