Docker run 指令详解

Posted 2023-02-27

参考技术A 本文翻译自docker官网： https://github.com/docker/cli/blob/master/docs/reference/commandline/run.md

The docker run command first creates a writeable container layer over the
specified image, and then starts it using the specified command. That is,
docker run is equivalent to the API /containers/create then
/containers/(id)/start . A stopped container can be restarted with all its
previous changes intact using docker start . See docker ps -a to view a list
of all containers.

The docker run command can be used in combination with docker commit to
change the command that a container runs . There is additional detailed information about docker run in the Docker run reference .

For information on connecting a container to a network, see the " Docker network overview " .

This example runs a container named test using the debian:latest
image. The -it instructs Docker to allocate a pseudo-TTY connected to
the container's stdin; creating an interactive bash shell in the container.
In the example, the bash shell is quit by entering
exit 13 . This exit code is passed on to the caller of
docker run , and is recorded in the test container's metadata.

This will create a container and print test to the console. The cidfile
flag makes Docker attempt to create a new file and write the container ID to it.
If the file exists already, Docker will return an error. Docker will close this
file when docker run exits.

This will not work, because by default, most potentially dangerous kernel
capabilities are dropped; including cap_sys_admin (which is required to mount
filesystems). However, the --privileged flag will allow it to run:

The --privileged flag gives all capabilities to the container, and it also
lifts all the limitations enforced by the device cgroup controller. In other
words, the container can then do almost everything that the host can do. This
flag exists to allow special use-cases, like running Docker within Docker.

The -w lets the command being executed inside directory given, here
/path/to/dir/ . If the path does not exist it is created inside the container.

This (size) will allow to set the container rootfs size to 120G at creation time.
This option is only available for the devicemapper , btrfs , overlay2 ,
windowsfilter and zfs graph drivers.
For the devicemapper , btrfs , windowsfilter and zfs graph drivers,
user cannot pass a size less than the Default BaseFS Size.
For the overlay2 storage driver, the size option is only available if the
backing fs is xfs and mounted with the pquota mount option.
Under these conditions, user can pass any size less than the backing fs size.

The --tmpfs flag mounts an empty tmpfs into the container with the rw ,
noexec , nosuid , size=65536k options.

The -v flag mounts the current working directory into the container. The -w
lets the command being executed inside the current working directory, by
changing into the directory to the value returned by pwd . So this
combination executes the command using the container, but inside the
current working directory.

When the host directory of a bind-mounted volume doesn't exist, Docker
will automatically create this directory on the host for you. In the
example above, Docker will create the /doesnt/exist
folder before starting your container.

Volumes can be used in combination with --read-only to control where
a container writes files. The --read-only flag mounts the container's root
filesystem as read only prohibiting writes to locations other than the
specified volumes for the container.

By bind-mounting the docker unix socket and statically linked docker
binary (refer to get the linux binary ),
you give the container the full access to create and manipulate the host's
Docker daemon.

On Windows, the paths must be specified using Windows-style semantics.

The following examples will fail when using Windows-based containers, as the
destination of a volume or bind mount inside the container must be one of:
a non-existing or empty directory; or a drive other than C:. Further, the source
of a bind mount must be a local directory, not a file.

For in-depth information about volumes, refer to manage data in containers

The --mount flag allows you to mount volumes, host-directories and tmpfs
mounts in a container.

The --mount flag supports most options that are supported by the -v or the
--volume flag, but uses a different syntax. For in-depth information on the
--mount flag, and a comparison between --volume and --mount , refer to
the service create command reference .

Even though there is no plan to deprecate --volume , usage of --mount is recommended.

Examples:

This binds port 8080 of the container to TCP port 80 on 127.0.0.1 of the host
machine. You can also specify udp and sctp ports.
The Docker User Guide
explains in detail how to manipulate ports in Docker.

Note that ports which are not bound to the host (i.e., -p 80:80 instead of
-p 127.0.0.1:80:80 ) will be accessible from the outside. This also applies if
you configured UFW to block this specific port, as Docker manages his
own iptables rules. Read more

This exposes port 80 of the container without publishing the port to the host
system's interfaces.

Use the -e , --env , and --env-file flags to set simple (non-array)
environment variables in the container you're running, or overwrite variables
that are defined in the Dockerfile of the image you're running.

You can define the variable and its value when running the container:

You can also use variables that you've exported to your local environment:

When running the command, the Docker CLI client checks the value the variable
has in your local environment and passes it to the container.
If no = is provided and that variable is not exported in your local
environment, the variable won't be set in the container.

You can also load the environment variables from a file. This file should use
the syntax <variable>=value (which sets the variable to the given value) or
<variable> (which takes the value from the local environment), and # for comments.

A label is a key=value pair that applies metadata to a container. To label a container with two labels:

The my-label key doesn't specify a value so the label defaults to an empty
string ( "" ). To add multiple labels, repeat the label flag ( -l or --label ).

The key=value must be unique to avoid overwriting the label value. If you
specify labels with identical keys but different values, each subsequent value
overwrites the previous. Docker uses the last key=value you supply.

Use the --label-file flag to load multiple labels from a file. Delimit each
label in the file with an EOL mark. The example below loads labels from a
labels file in the current directory:

The label-file format is similar to the format for loading environment
variables. (Unlike environment variables, labels are not visible to processes
running inside a container.) The following example illustrates a label-file
format:

You can load multiple label-files by supplying multiple --label-file flags.

For additional information on working with labels, see Labels - custom
metadata in Docker in
the Docker User Guide.

When you start a container use the --network flag to connect it to a network.
This adds the busybox container to the my-net network.

You can also choose the IP addresses for the container with --ip and --ip6
flags when you start the container on a user-defined network.

If you want to add a running container to a network use the docker network connect subcommand.

You can connect multiple containers to the same network. Once connected, the
containers can communicate easily need only another container's IP address
or name. For overlay networks or custom plugins that support multi-host
connectivity, containers connected to the same multi-host network but launched
from different Engines can also communicate in this way.

You can disconnect a container from a network using the docker network disconnect command.

The --volumes-from flag mounts all the defined volumes from the referenced
containers. Containers can be specified by repetitions of the --volumes-from
argument. The container ID may be optionally suffixed with :ro or :rw to
mount the volumes in read-only or read-write mode, respectively. By default,
the volumes are mounted in the same mode (read write or read only) as
the reference container.

Labeling systems like SELinux require that proper labels are placed on volume
content mounted into a container. Without a label, the security system might
prevent the processes running inside the container from using the content. By
default, Docker does not change the labels set by the OS.

To change the label in the container context, you can add either of two suffixes
:z or :Z to the volume mount. These suffixes tell Docker to relabel file
objects on the shared volumes. The z option tells Docker that two containers
share the volume content. As a result, Docker labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The Z option tells Docker to label the content with a private unshared label.
Only the current container can use a private volume.

The -a flag tells docker run to bind to the container's STDIN , STDOUT
or STDERR . This makes it possible to manipulate the output and input as
needed.

This pipes data into a container and prints the container's ID by attaching
only to the container's STDIN .

This isn't going to print anything unless there's an error because we've
only attached to the STDERR of the container. The container's logs
still store what's been written to STDERR and STDOUT .

This is how piping a file into a container could be done for a build.
The container's ID will be printed after the build is done and the build
logs could be retrieved using docker logs . This is
useful if you need to pipe a file or something else into a container and
retrieve the container's ID once the container has finished running.

It is often necessary to directly expose devices to a container. The --device
option enables that. For example, a specific block storage device or loop
device or audio device can be added to an otherwise unprivileged container
(without the --privileged flag) and have the application directly access it.

By default, the container will be able to read , write and mknod these devices.
This can be overridden using a third :rwm set of options to each --device
flag. If the container is running in privileged mode, then the permissions specified
will be ignored.

For Windows, the format of the string passed to the --device option is in
the form of --device=<IdType>/<Id> . Beginning with Windows Server 2019
and Windows 10 October 2018 Update, Windows only supports an IdType of
class and the Id as a device interface class
GUID .
Refer to the table defined in the Windows container
docs
for a list of container-supported device interface class GUIDs.

If this option is specified for a process-isolated Windows container, all
devices that implement the requested device interface class GUID are made
available in the container. For example, the command below makes all COM
ports on the host visible in the container.

The --gpus flag allows you to access NVIDIA GPU resources. First you need to
install nvidia-container-runtime .
Visit Specify a container's resources
for more information.

To use --gpus , specify which GPUs (or all) to use. If no value is provied, all
available GPUs are used. The example below exposes all available GPUs.

Use the device option to specify GPUs. The example below exposes a specific
GPU.

The example below exposes the first and third GPUs.

Use Docker's --restart to specify a container's restart policy . A restart
policy controls whether the Docker daemon restarts a container after exit.
Docker supports the following restart policies: