Docker Run Reference

This is a summary of the Docker run reference.

Docker runs processes in isolated containers. A container is a process which runs on a host. The host may be local or remote. When an operator executes docker run, the container process that runs is isolated in that it has its own file system, its own networking, and its own isolated process tree separate from the host.

docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]

The docker run command can override nearly all the defaults set by the Docker image.

Let’s first see the docker run command I encountered:

docker run --detach \
--name=${DB2_XMETA_HOST} \
--restart=always \
--privileged=false \
--cap-add=SYS_NICE \
--cap-add=IPC_OWNER \
--cap-add=SETFCAP \
--user 1000 \
-e MY_POD_NAMESPACE=${MY_POD_NAMESPACE} \
-e SHARED_VOL=${SHARED_REPOS_VOLPATH} \
--hostname=${DB2_XMETA_HOST} \
-p ${DB2_XMETA_PORT}:${DB2_XMETA_PORT} \
-v ${SHARED_VOL}:${SHARED_VOL} \
is-xmetadocker:11.7.1 \

Detached [-d]

To start a container in detached mode, use -d=true or just the -d option. By design, containers started in detached mode exit when the root process used to run the container exits, unless you also specify the --rm option. If you use -d with --rm, the container is removed when it exits or when the daemon exits, whichever happens first.

This is why we specify tail -f /dev/null at the end of the start script in the container: it keeps the root process running, so the detached container does not exit.

Foreground

In foreground mode (the default when -d is not specified), docker run can start the process in the container and attach the console to the process’s standard input, output, and standard error. It can even pretend to be a TTY (this is what most command line executables expect) and pass along signals.

For interactive processes (like a shell), you must use -it together in order to allocate a tty for the container process.

For example:

docker run -it --rm busybox /bin/sh

This opens a shell directly in the container; once you exit, the container is removed.

Name [--name]

Specify container name. If you do not assign a container name with the --name option, then the daemon generates a random string name for you. Defining a name can be a handy way to add meaning to a container.

IPC settings [--ipc]

--ipc="MODE"  : Set the IPC mode for the container

IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues.

Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack.

--ipc=<Value>

Value: Description

  • "": Use daemon's default.
  • "none": Own private IPC namespace, with /dev/shm not mounted.
  • "private": Own private IPC namespace.
  • "shareable": Own private IPC namespace, with a possibility to share it with other containers.
  • "container:<name-or-ID>": Join another ("shareable") container's IPC namespace.
  • "host": Use the host system's IPC namespace.

If not specified, daemon default is used, which can either be private or shareable, depending on the daemon version and configuration.

If applications that rely on shared memory are broken into multiple containers, you might need to share the IPC mechanisms of the containers, using "shareable" mode for the main container and container:<donor-name-or-ID> for the other containers.

Network settings

--dns=[]           : Set custom dns servers for the container
--network="bridge" : Connect a container to a network
                     'bridge': create a network stack on the default Docker bridge
                     'none': no networking
                     # set this to join other's network
                     'container:<name|id>': reuse another container's network stack
                     'host': use the Docker host network stack
                     '<network-name>|<network-id>': connect to a user-defined network
--network-alias=[] : Add network-scoped alias for the container
--add-host=""      : Add a line to /etc/hosts (host:IP)
--mac-address=""   : Sets the container's Ethernet device's MAC address
--ip=""            : Sets the container's Ethernet device's IPv4 address
--ip6=""           : Sets the container's Ethernet device's IPv6 address
--link-local-ip=[] : Sets one or more container's Ethernet device's link local IPv4/IPv6 addresses

I met the --add-host flag in service docker:

--add-host="${SERVICES_HOST} ${DB2_XMETA_HOST} ${ENGINE_HOST}":${SERVICES_HOST_IP} \

Restart policies (--restart)

Using the --restart flag on docker run, you can specify a restart policy for how a container should or should not be restarted on exit.

When a restart policy is active on a container, it will be shown as either Up or Restarting in docker ps.

Exit Status

The exit code from docker run gives information about why the container failed to run or why it exited. When docker run exits with a non-zero code, the exit codes follow the chroot standard.

Clean up [--rm]

By default a container’s file system persists even after the container exits. This makes debugging a lot easier (since you can inspect the final state) and you retain all your data by default. But if you are running short-term foreground processes, these container file systems can really pile up. If instead you’d like Docker to automatically clean up the container and remove the file system when the container exits, you can add the --rm flag.

HOSTNAME [--hostname]

--hostname="xxx" : Container host name

Set the hostname of the container.

Runtime privilege and Linux capabilities

I separated this section into its own blog post, <<Docker Capability>>, since it’s important to me.
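
As an added example (not from the original post or from Docker), the shell function below scans a docker run argument list for the isolation-related options covered on this page (--privileged, --cap-add, --ipc, --network, --user) and prints one finding per option worth reviewing. The function name audit_docker_run, the HIGH/REVIEW labels and the sample values are assumptions of this example; it goes slightly beyond the page by also treating --pid=host and --cap-add=SYS_ADMIN as high-risk.

```shell
#!/bin/sh
# Added example: flag docker run options that weaken container isolation.
# Severity labels (HIGH/REVIEW) are this example's own convention.
audit_docker_run() {
    user_set=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --cap-add|--ipc|--network|--net|--pid|--user|-u)
                # "--flag value" form: fold into "--flag=value"
                [ $# -gt 0 ] || break
                arg="$arg=$1"; shift ;;
            -e|-p|-v|--name|--hostname|--restart|--add-host|--dns)
                # takes a value that this example does not inspect
                [ $# -gt 0 ] && shift
                continue ;;
            -*) ;;
            *) break ;;   # first non-option word is the image; stop scanning
        esac
        case $arg in
            --privileged|--privileged=true)
                echo "HIGH privileged: all capabilities, host devices exposed" ;;
            --cap-add=ALL|--cap-add=SYS_ADMIN)
                echo "HIGH cap-add ${arg#*=}" ;;
            --cap-add=*)
                echo "REVIEW cap-add ${arg#*=}" ;;
            --ipc=host|--network=host|--net=host|--pid=host)
                echo "HIGH ${arg#--}: shares a host namespace" ;;
            --ipc=shareable|--ipc=container:*|--network=container:*|--net=container:*)
                echo "REVIEW ${arg#--}: namespace shared between containers" ;;
            --user=0|--user=root|--user=0:*|--user=root:*|-u=0|-u=root|-u=0:*|-u=root:*)
                user_set=1; echo "HIGH user root requested explicitly" ;;
            --user=*|-u=*)
                user_set=1 ;;
        esac
    done
    [ "$user_set" -eq 1 ] || echo "REVIEW no --user: the image's default user applies"
}

# The command from this page, with constructed values in place of its variables.
audit_docker_run --detach --name=xmeta-host --restart=always --privileged=false \
    --cap-add=SYS_NICE --cap-add=IPC_OWNER --cap-add=SETFCAP --user 1000 \
    -e MY_POD_NAMESPACE=demo --hostname=xmeta-host -p 50000:50000 \
    -v /shared:/shared is-xmetadocker:11.7.1
```

Only the space-separated options listed in the first case statement are recognised; any other option must be written as --flag=value for the image position to be detected correctly.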

Logging drivers [--log-driver]

The container can have a different logging driver than the Docker daemon. Use the --log-driver=VALUE with the docker run command to configure the container’s logging driver.

The default logging driver is json-file. The docker logs command is available only for the json-file and journald logging drivers.

Overriding Dockerfile image defaults

I separated this section into its own blog post, <<Docker Image Defaults>>, since it’s important to me.

-p

Remember, the first part of the -p value is the host port and the second part is the port within the container.

VOLUME (shared filesystems)

When the -v option bind-mounts a volume from the host machine into the container, any contents the container originally had inside the mount target folder are all removed at mount time and replaced by the contents of the source folder on the host machine.

Note that docker commit will not include any data contained in volumes mounted inside the container.
