docker run命令-运行一个新的容器

run 运行一个新的容器

Usage: docker run [OPTIONS] IMAGE [COMMAND][ARG...]Run a command in a new container

-a,--attach=[]Attach to STDIN, STDOUT or STDERR.-c,--cpu-shares=0 CPU shares (relative weight)--cidfile=""Write the container ID to the file
--cpuset=""CPUsin which to allow execution (0-3,0,1)-d,--detach=falseDetached mode: run container in the background andprintnew container ID
--dns=[]Set custom DNS servers
--dns-search=[]Set custom DNS search domains
-e,--env=[]Set environment variables
--entrypoint=""Overwrite the default ENTRYPOINT of the image
--env-file=[]Readin a line delimited file of environment variables
--expose=[]Expose a port from the container without publishing it to your host
-h,--hostname=""Container host name
-i,--interactive=falseKeep STDIN open even ifnot attached
--link=[]Add link to another container in the form of name:alias--lxc-conf=[](lxc exec-driver only)Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"-m,--memory=""Memory limit (format:<number><optional unit>,where unit = b, k, m or g)--name=""Assign a name to the container
--net="bridge"Set the Network mode for the container
'bridge': creates a new network stack for the container on the docker bridge
'none':no networking forthis container
'container:<name|id>': reuses another container network stack
'host':use the host network stack inside the container.Note: the host mode gives the container full access to local system services such as D-bus andis therefore considered insecure.-P,--publish-all=falsePublish all exposed ports to the host interfaces
-p,--publish=[]Publish a container's port to the host
format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort
(use '
docker port' to see the actual mapping)
--privileged=false Give extended privileges to this container
--rm=false Automatically remove the container when it exits (incompatible with -d)
--sig-proxy=true Proxy received signals to the process (even in non-TTY mode). SIGCHLD, SIGSTOP, and SIGKILL are not proxied.
-t, --tty=false Allocate a pseudo-TTY
-u, --user="" Username or UID
-v, --volume=[] Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir="" Working directory inside the container

The docker run command first creates 创建一个新可写的image, 然后 starts 启动. That is, docker run 相当于执行了 API/containers/create then /containers/(id)/start. 一个已经存在容器 可以使用start来启动

The docker run command can be used in combination with docker commit to change the command that a container runs.

See the Docker User Guide for more detailed information about the --expose-p-P and --linkparameters, and linking containers.

Known Issues (run –volumes-from)已知的bug

  • Issue 2702: "lxc-start: Permission denied - failed to mount" could indicate a permissions problem with AppArmor. Please see the issue for a workaround.


$ sudo docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"

这个容器将输出 test 在console. The cidfile 创建一个新的文件并把容器id写入. 如果文件已经存在就返回错误.  docker run 退出时,将释放cid文件.

$ sudo docker run -t -i --rm ubuntu bash

:/# mount -t tmpfs none /mnt
: permission denied

cap_sys_admin  --privileged 需要显式的指定权限才能进行mount等高权限操作:

$ sudo docker run --privileged ubuntu bash

:/# mount -t tmpfs none /mnt
:/# df -h
Filesystem Size Used Avail Use% Mounted on
none 1.9G 0 1.9G 0% /

The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

$ sudo docker  run -w /path/to/dir/-i -t  ubuntu pwd

The -w lets the command being executed inside directory given, here /path/to/dir/. If the path does not exists it is created inside the container.

$ sudo docker  run  -v `pwd`:`pwd`-w `pwd`-i -t  ubuntu pwd

The -v flag mounts the current working directory into the container. The -w lets the command being executed inside the current working directory, by changing into the directory to the value returned by pwd. So this combination executes the command using the container, but inside the current working directory.

$ sudo docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash

When the host directory of a bind-mounted volume doesn't exist, Docker will automatically create this directory on the host for you. In the example above, Docker will create the /doesnt/exist folder before starting your container.

$ sudo docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v ./static-docker:/usr/bin/docker busybox sh

By bind-mounting the docker unix socket and statically linked docker binary (such as that provided by, you give the container the full access to create and manipulate the host's docker daemon.

$ sudo docker run -p ubuntu bash

This binds port 8080 of the container to port 80 on of the host machine. The Docker User Guide explains in detail how to manipulate ports in Docker.

$ sudo docker run --expose 80 ubuntu bash

This exposes port 80 of the container for use within a link without publishing the port to the host system's interfaces. The Docker User Guide explains in detail how to manipulate ports in Docker.

$ sudo docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash

This sets environmental variables in the container. For illustration all three flags are shown here. Where -e--env take an environment variable and value, or if no "=" is provided, then that variable's current value is passed through (i.e. $MYVAR1 from the host is set to $MYVAR1 in the container). All three flags, -e--env and --env-file can be repeated.

Regardless of the order of these three flags, the --env-file are processed first, and then -e--env flags. This way, the -e or --env will override variables as needed.

$ cat ./env.list

$ sudo docker run
--env TEST_FOO="This is a test"--env-file ./env.list busybox env | grep TEST_FOO
=Thisis a test

The --env-file flag takes a filename as an argument and expects each line to be in the VAR=VAL format, mimicking the argument passed to --env. Comment lines need only be prefixed with #

An example of a file passed with --env-file

$ cat ./env.list


# this is a comment
=8888# pass through this variable from the caller
=howdy docker run --env-file ./env.list busybox env

$ sudo docker run
--name console -t -i ubuntu bash

This will create and run a new container with the container name being console.

$ sudo docker run --link /redis:redis --name console ubuntu bash

The --link flag will link the container named /redis into the newly created container with the aliasredis. The new container can access the network and environment of the redis container via environment variables. The --name flag will assign the name console to the newly created container.

$ sudo docker run --volumes-from777f7dc92da7,ba8c0c54f0f2:ro -i -t ubuntu pwd

The --volumes-from flag mounts all the defined volumes from the referenced containers. Containers can be specified by a comma separated list or by repetitions of the --volumes-from argument. The container ID may be optionally suffixed with :ro or :rw to mount the volumes in read-only or read-write mode, respectively. By default, the volumes are mounted in the same mode (read write or read only) as the reference container.

The -a flag tells docker run to bind to the container's STDINSTDOUT or STDERR. This makes it possible to manipulate the output and input as needed.

$ echo "test"| sudo docker run -i -a stdin ubuntu cat -

This pipes data into a container and prints the container's ID by attaching only to the container's STDIN.

$ sudo docker run -a stderr ubuntu echo test

This isn't going to print anything unless there's an error because we've only attached to the STDERR of the container. The container's logs still store what's been written to STDERR and STDOUT.

$ cat somefile | sudo docker run -i -a stdin mybuilder dobuild

This is how piping a file into a container could be done for a build. The container's ID will be printed after the build is done and the build logs could be retrieved using docker logs. This is useful if you need to pipe a file or something else into a container and retrieve the container's ID once the container has finished running.

A complete example:

$ sudo docker run -d --name staticstatic-web-files sh

$ sudo docker run
-d --expose=8098--name riak riakserver
$ sudo docker run
-d -m 100m-e DEVELOPMENT=1-e BRANCH=example-code -v $(pwd):/app/bin:ro --name app appserver
$ sudo docker run
-d -p -v /var/log/httpd --volumes-fromstatic--link riak --link app -h --name web webserver
$ sudo docker run
-t -i --rm --volumes-from web -w /var/log/httpd busybox tail -f access.log

This example shows 5 containers that might be set up to test a web application change:

  1. Start a pre-prepared volume image static-web-files (in the background) that has CSS, image and static HTML in it, (with a VOLUME instruction in the Dockerfile to allow the web server to use those files);
  2. Start a pre-prepared riakserver image, give the container name riak and expose port 8098 to any containers that link to it;
  3. Start the appserver image, restricting its memory usage to 100MB, setting two environment variables DEVELOPMENT and BRANCH and bind-mounting the current directory ($(pwd)) in the container in read-only mode as /app/bin;
  4. Start the webserver, mapping port 443 in the container to port 1443 on the Docker server, setting the DNS server to and DNS search domain to, creating a volume to put the log files into (so we can access it from another container), then importing the files from the volume exposed by the static container, and linking to all exposed ports from riak and app. Lastly, we set the hostname to so its consistent with the pre-generated SSL certificate;
  5. Finally, we create a container that runs tail -f access.log using the logs volume from the webcontainer, setting the workdir to /var/log/httpd. The --rm option means that when the container exits, the container's layer is removed.