kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

docs: markdown and textual fixups in reference/run.md

Browse source 
This fixes markdown formatting, and formatting of tables;

 - Our markdown engine doesn't support spanning rows, so
   re-wrapped table contents.
 - Added a CSS-styles to prevent "code" blocks in tables
   from wrapping
 - The "logging drivers" table didn't have a header
 - Aligned table borders in source code for better readability.
 - Standardize on using `-it` in stead of -i -t or -ti
 - Some markup issues
 - Some minor textual fixups

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2015-12-04 13:09:46 +01:00
parent cb6a1a6042
commit c60c0c4e9b
1 changed files with 119 additions and 113 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

232
docs/reference/run.md
View file

@ -10,7 +10,10 @@ parent = "mn_reference"
<!-- TODO (@thaJeztah) define more flexible table/td classes --> <!-- TODO (@thaJeztah) define more flexible table/td classes -->
<style> <style>
.content-body table .no-wrap { table .no-wrap {
white-space: nowrap;
}
table code {
white-space: nowrap; white-space: nowrap;
} }
</style> </style>
@ -135,7 +138,8 @@ For interactive processes (like a shell), you must use `-i -t` together in
order to allocate a tty for the container process. `-i -t` is often written `-it` order to allocate a tty for the container process. `-i -t` is often written `-it`
as you'll see in later examples. Specifying `-t` is forbidden when the client as you'll see in later examples. Specifying `-t` is forbidden when the client
standard output is redirected or piped, such as in: standard output is redirected or piped, such as in:
`echo test | docker run -i busybox cat`.
$ echo test | docker run -i busybox cat
>**Note**: A process running as PID 1 inside a container is treated >**Note**: A process running as PID 1 inside a container is treated
>specially by Linux: it ignores any signal with the default action. >specially by Linux: it ignores any signal with the default action.
@ -148,10 +152,11 @@ standard output is redirected or piped, such as in:
The operator can identify a container in three ways: The operator can identify a container in three ways:
- UUID long identifier | Identifier type | Example value |
("f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778") | --------------------- | ------------------------------------------------------------------ |
- UUID short identifier ("f78375b1c487") | UUID long identifier | "f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778" |
- Name ("evil_ptolemy") | UUID short identifier | "f78375b1c487" |
| Name | "evil_ptolemy" |
The UUID identifiers come from the Docker daemon. If you do not assign a The UUID identifiers come from the Docker daemon. If you do not assign a
container name with the `--name` option, then the daemon generates a random container name with the `--name` option, then the daemon generates a random
@ -160,7 +165,8 @@ container. If you specify a `name`, you can use it when referencing the
container within a Docker network. This works for both background and foreground container within a Docker network. This works for both background and foreground
Docker containers. Docker containers.
**Note**: Containers on the default bridge network must be linked to communicate by name. > **Note**: Containers on the default bridge network must be linked to
> communicate by name.
### PID equivalent ### PID equivalent
@ -390,7 +396,7 @@ $ docker run --net=my-net -itd --name=container3 busybox
### Managing /etc/hosts ### Managing /etc/hosts
Your container will have lines in `/etc/hosts` which define the hostname of the Your container will have lines in `/etc/hosts` which define the hostname of the
container itself as well as `localhost` and a few other common things. The container itself as well as `localhost` and a few other common things. The
`--add-host` flag can be used to add additional lines to `/etc/hosts`. `--add-host` flag can be used to add additional lines to `/etc/hosts`.
$ docker run -it --add-host db-static:86.75.30.9 ubuntu cat /etc/hosts $ docker run -it --add-host db-static:86.75.30.9 ubuntu cat /etc/hosts
@ -579,23 +585,23 @@ the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
requirement for MLS systems. Specifying the level in the following command requirement for MLS systems. Specifying the level in the following command
allows you to share the same content between containers. allows you to share the same content between containers.
$ docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash $ docker run --security-opt label:level:s0:c100,c200 -it fedora bash
An MLS example might be: An MLS example might be:
$ docker run --security-opt label:level:TopSecret -i -t rhel7 bash $ docker run --security-opt label:level:TopSecret -it rhel7 bash
To disable the security labeling for this container versus running with the To disable the security labeling for this container versus running with the
`--permissive` flag, use the following command: `--permissive` flag, use the following command:
$ docker run --security-opt label:disable -i -t fedora bash $ docker run --security-opt label:disable -it fedora bash
If you want a tighter security policy on the processes within a container, If you want a tighter security policy on the processes within a container,
you can specify an alternate type for the container. You could run a container you can specify an alternate type for the container. You could run a container
that is only allowed to listen on Apache ports by executing the following that is only allowed to listen on Apache ports by executing the following
command: command:
$ docker run --security-opt label:type:svirt_apache_t -i -t centos bash $ docker run --security-opt label:type:svirt_apache_t -it centos bash
> **Note**: You would have to write policy defining a `svirt_apache_t` type. > **Note**: You would have to write policy defining a `svirt_apache_t` type.
@ -611,29 +617,24 @@ parent group.
The operator can also adjust the performance parameters of the The operator can also adjust the performance parameters of the
container: container:
| Option | Description | | Option | Description |
|----------------------------|---------------------------------------------------------------------------------------------| | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| `-m`, `--memory="" ` | Memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) | | `-m`, `--memory=""` | Memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. |
| `--memory-swap=""` | Total memory limit (memory + swap, format: `<number>[<unit>]`, where unit = b, k, m or g) | | `--memory-swap=""` | Total memory limit (memory + swap, format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. |
| `--memory-reservation=""` | Memory soft limit (format: `<number>[<unit>]`, where unit = b, k, m or g) | | `--memory-reservation=""` | Memory soft limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. |
| `--kernel-memory=""` | Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) | | `--kernel-memory=""` | Kernel memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. |
| `-c`, `--cpu-shares=0` | CPU shares (relative weight) | | `-c`, `--cpu-shares=0` | CPU shares (relative weight) |
| `--cpu-period=0` | Limit the CPU CFS (Completely Fair Scheduler) period | | `--cpu-period=0` | Limit the CPU CFS (Completely Fair Scheduler) period |
| `--cpuset-cpus="" ` | CPUs in which to allow execution (0-3, 0,1) | | `--cpuset-cpus=""` | CPUs in which to allow execution (0-3, 0,1) |
| `--cpuset-mems=""` | Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. | | `--cpuset-mems=""` | Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. |
| `--cpu-quota=0` | Limit the CPU CFS (Completely Fair Scheduler) quota | | `--cpu-quota=0` | Limit the CPU CFS (Completely Fair Scheduler) quota |
| `--blkio-weight=0` | Block IO weight (relative weight) accepts a weight value between 10 and 1000. | | `--blkio-weight=0` | Block IO weight (relative weight) accepts a weight value between 10 and 1000. |
| `--blkio-weight-device=""` | Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`) | | `--blkio-weight-device=""` | Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`) |
| `--device-read-bps="" ` | Limit read rate from a device (format: `<device-path>:<number>[<unit>]`. | | `--device-read-bps=""` | Limit read rate from a device (format: `<device-path>:<number>[<unit>]`). Number is a positive integer. Unit can be one of `kb`, `mb`, or `gb`. |
| | Number is a positive integer. Unit can be one of kb, mb, or gb. | | `--device-write-bps=""` | Limit write rate to a device (format: `<device-path>:<number>[<unit>]`). Number is a positive integer. Unit can be one of `kb`, `mb`, or `gb`. |
| `--device-write-bps="" ` | Limit write rate to a device (format: `<device-path>:<number>[<unit>]`. | | `--oom-kill-disable=false` | Whether to disable OOM Killer for the container or not. |
| | Number is a positive integer. Unit can be one of kb, mb, or gb. | | `--memory-swappiness=""` | Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. |
| `--oom-kill-disable=false` | Whether to disable OOM Killer for the container or not. | | `--shm-size=""` | Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. |
| `--memory-swappiness="" ` | Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. |
| `--shm-size="" ` | Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. |
| | Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or |
| | `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size |
| | entirely, the system uses `64m`. |
### User memory constraints ### User memory constraints
@ -687,25 +688,25 @@ We have four ways to set user memory usage:
Examples: Examples:
$ docker run -ti ubuntu:14.04 /bin/bash $ docker run -it ubuntu:14.04 /bin/bash
We set nothing about memory, this means the processes in the container can use We set nothing about memory, this means the processes in the container can use
as much memory and swap memory as they need. as much memory and swap memory as they need.
$ docker run -ti -m 300M --memory-swap -1 ubuntu:14.04 /bin/bash $ docker run -it -m 300M --memory-swap -1 ubuntu:14.04 /bin/bash
We set memory limit and disabled swap memory limit, this means the processes in We set memory limit and disabled swap memory limit, this means the processes in
the container can use 300M memory and as much swap memory as they need (if the the container can use 300M memory and as much swap memory as they need (if the
host supports swap memory). host supports swap memory).
$ docker run -ti -m 300M ubuntu:14.04 /bin/bash $ docker run -it -m 300M ubuntu:14.04 /bin/bash
We set memory limit only, this means the processes in the container can use We set memory limit only, this means the processes in the container can use
300M memory and 300M swap memory, by default, the total virtual memory size 300M memory and 300M swap memory, by default, the total virtual memory size
(--memory-swap) will be set as double of memory, in this case, memory + swap (--memory-swap) will be set as double of memory, in this case, memory + swap
would be 2*300M, so processes can use 300M swap memory as well. would be 2*300M, so processes can use 300M swap memory as well.
$ docker run -ti -m 300M --memory-swap 1G ubuntu:14.04 /bin/bash $ docker run -it -m 300M --memory-swap 1G ubuntu:14.04 /bin/bash
We set both memory and swap memory, so the processes in the container can use We set both memory and swap memory, so the processes in the container can use
300M memory and 700M swap memory. 300M memory and 700M swap memory.
@ -730,7 +731,7 @@ The following example limits the memory (`-m`) to 500M and sets the memory
reservation to 200M. reservation to 200M.
```bash ```bash
$ docker run -ti -m 500M --memory-reservation 200M ubuntu:14.04 /bin/bash $ docker run -it -m 500M --memory-reservation 200M ubuntu:14.04 /bin/bash
``` ```
Under this configuration, when the container consumes memory more than 200M and Under this configuration, when the container consumes memory more than 200M and
@ -740,7 +741,7 @@ memory below 200M.
The following example set memory reservation to 1G without a hard memory limit. The following example set memory reservation to 1G without a hard memory limit.
```bash ```bash
$ docker run -ti --memory-reservation 1G ubuntu:14.04 /bin/bash $ docker run -it --memory-reservation 1G ubuntu:14.04 /bin/bash
``` ```
The container can use as much memory as it needs. The memory reservation setting The container can use as much memory as it needs. The memory reservation setting
@ -757,11 +758,11 @@ memory.
The following example limits the memory to 100M and disables the OOM killer for The following example limits the memory to 100M and disables the OOM killer for
this container: this container:
$ docker run -ti -m 100M --oom-kill-disable ubuntu:14.04 /bin/bash $ docker run -it -m 100M --oom-kill-disable ubuntu:14.04 /bin/bash
The following example, illustrates a dangerous way to use the flag: The following example, illustrates a dangerous way to use the flag:
$ docker run -ti --oom-kill-disable ubuntu:14.04 /bin/bash $ docker run -it --oom-kill-disable ubuntu:14.04 /bin/bash
The container has unlimited memory which can cause the host to run out memory The container has unlimited memory which can cause the host to run out memory
and require killing system processes to free memory. and require killing system processes to free memory.
@ -826,12 +827,12 @@ limit and "K" the kernel limit. There are three possible ways to set limits:
Examples: Examples:
$ docker run -ti -m 500M --kernel-memory 50M ubuntu:14.04 /bin/bash $ docker run -it -m 500M --kernel-memory 50M ubuntu:14.04 /bin/bash
We set memory and kernel memory, so the processes in the container can use We set memory and kernel memory, so the processes in the container can use
500M memory in total, in this 500M memory, it can be 50M kernel memory tops. 500M memory in total, in this 500M memory, it can be 50M kernel memory tops.
$ docker run -ti --kernel-memory 50M ubuntu:14.04 /bin/bash $ docker run -it --kernel-memory 50M ubuntu:14.04 /bin/bash
We set kernel memory without **-m**, so the processes in the container can We set kernel memory without **-m**, so the processes in the container can
use as much memory as they want, but they can only use 50M kernel memory. use as much memory as they want, but they can only use 50M kernel memory.
@ -846,7 +847,7 @@ between 0 and 100. A value of 0 turns off anonymous page swapping. A value of
For example, you can set: For example, you can set:
$ docker run -ti --memory-swappiness=0 ubuntu:14.04 /bin/bash $ docker run -it --memory-swappiness=0 ubuntu:14.04 /bin/bash
Setting the `--memory-swappiness` option is helpful when you want to retain the Setting the `--memory-swappiness` option is helpful when you want to retain the
container's working set and to avoid swapping performance penalties. container's working set and to avoid swapping performance penalties.
@ -895,7 +896,7 @@ And usually `--cpu-period` should work with `--cpu-quota`.
Examples: Examples:
$ docker run -ti --cpu-period=50000 --cpu-quota=25000 ubuntu:14.04 /bin/bash $ docker run -it --cpu-period=50000 --cpu-quota=25000 ubuntu:14.04 /bin/bash
If there is 1 CPU, this means the container can get 50% CPU worth of run-time every 50ms. If there is 1 CPU, this means the container can get 50% CPU worth of run-time every 50ms.
@ -907,11 +908,11 @@ We can set cpus in which to allow execution for containers.
Examples: Examples:
$ docker run -ti --cpuset-cpus="1,3" ubuntu:14.04 /bin/bash $ docker run -it --cpuset-cpus="1,3" ubuntu:14.04 /bin/bash
This means processes in container can be executed on cpu 1 and cpu 3. This means processes in container can be executed on cpu 1 and cpu 3.
$ docker run -ti --cpuset-cpus="0-2" ubuntu:14.04 /bin/bash $ docker run -it --cpuset-cpus="0-2" ubuntu:14.04 /bin/bash
This means processes in container can be executed on cpu 0, cpu 1 and cpu 2. This means processes in container can be executed on cpu 0, cpu 1 and cpu 2.
@ -920,12 +921,12 @@ on NUMA systems.
Examples: Examples:
$ docker run -ti --cpuset-mems="1,3" ubuntu:14.04 /bin/bash $ docker run -it --cpuset-mems="1,3" ubuntu:14.04 /bin/bash
This example restricts the processes in the container to only use memory from This example restricts the processes in the container to only use memory from
memory nodes 1 and 3. memory nodes 1 and 3.
$ docker run -ti --cpuset-mems="0-2" ubuntu:14.04 /bin/bash $ docker run -it --cpuset-mems="0-2" ubuntu:14.04 /bin/bash
This example restricts the processes in the container to only use memory from This example restricts the processes in the container to only use memory from
memory nodes 0, 1 and 2. memory nodes 0, 1 and 2.
@ -953,8 +954,8 @@ The `--blkio-weight` flag can set the weighting to a value between 10 to 1000.
For example, the commands below create two containers with different blkio For example, the commands below create two containers with different blkio
weight: weight:
$ docker run -ti --name c1 --blkio-weight 300 ubuntu:14.04 /bin/bash $ docker run -it --name c1 --blkio-weight 300 ubuntu:14.04 /bin/bash
$ docker run -ti --name c2 --blkio-weight 600 ubuntu:14.04 /bin/bash $ docker run -it --name c2 --blkio-weight 600 ubuntu:14.04 /bin/bash
If you do block IO in the two containers at the same time, by, for example: If you do block IO in the two containers at the same time, by, for example:
@ -967,9 +968,9 @@ The `--blkio-weight-device="DEVICE_NAME:WEIGHT"` flag sets a specific device wei
The `DEVICE_NAME:WEIGHT` is a string containing a colon-separated device name and weight. The `DEVICE_NAME:WEIGHT` is a string containing a colon-separated device name and weight.
For example, to set `/dev/sda` device weight to `200`: For example, to set `/dev/sda` device weight to `200`:
$ docker run -it \ $ docker run -it \
--blkio-weight-device "/dev/sda:200" \ --blkio-weight-device "/dev/sda:200" \
ubuntu ubuntu
If you specify both the `--blkio-weight` and `--blkio-weight-device`, Docker If you specify both the `--blkio-weight` and `--blkio-weight-device`, Docker
uses the `--blkio-weight` as the default weight and uses `--blkio-weight-device` uses the `--blkio-weight` as the default weight and uses `--blkio-weight-device`
@ -977,22 +978,26 @@ to override this default with a new value on a specific device.
The following example uses a default weight of `300` and overrides this default The following example uses a default weight of `300` and overrides this default
on `/dev/sda` setting that weight to `200`: on `/dev/sda` setting that weight to `200`:
$ docker run -it \ $ docker run -it \
--blkio-weight 300 \ --blkio-weight 300 \
--blkio-weight-device "/dev/sda:200" \ --blkio-weight-device "/dev/sda:200" \
ubuntu ubuntu
The `--device-read-bps` flag can limit read rate from a device. The `--device-read-bps` flag limits the read rate from a device. For example,
For example, the command creates a container and limits theread rate to `1mb` per second from `/dev/sda`: this command creates a container and limits the read rate to `1mb` per second
from `/dev/sda`:
$ docker run -ti --device-read-bps /dev/sda:1mb ubuntu $ docker run -it --device-read-bps /dev/sda:1mb ubuntu
The `--device-write-bps` flag can limit write rate to a device. The `--device-write-bps` flag limits the write rate to a device. For example,
For example, the command creates a container and limits write rate to `1mb` per second to `/dev/sda`: this command creates a container and limits the write rate to `1mb` per second
for `/dev/sda`:
$ docker run -ti --device-write-bps /dev/sda:1mb ubuntu $ docker run -it --device-write-bps /dev/sda:1mb ubuntu
Both flags take limits in the `<device-path>:<limit>[unit]` format. Both read and write rates must be a positive integer. You can specify the rate in `kb` (kilobytes), `mb` (megabytes), or `gb` (gigabytes). Both flags take limits in the `<device-path>:<limit>[unit]` format. Both read
and write rates must be a positive integer. You can specify the rate in `kb`
(kilobytes), `mb` (megabytes), or `gb` (gigabytes).
## Additional groups ## Additional groups
--group-add: Add Linux capabilities --group-add: Add Linux capabilities
@ -1001,7 +1006,7 @@ By default, the docker container process runs with the supplementary groups look
up for the specified user. If one wants to add more to that list of groups, then up for the specified user. If one wants to add more to that list of groups, then
one can use this flag: one can use this flag:
$ docker run -ti --rm --group-add audio --group-add dbus --group-add 777 busybox id $ docker run -it --rm --group-add audio --group-add dbus --group-add 777 busybox id
uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777 uid=0(root) gid=0(root) groups=10(wheel),29(audio),81(dbus),777
## Runtime privilege and Linux capabilities ## Runtime privilege and Linux capabilities
@ -1051,45 +1056,45 @@ In addition to `--privileged`, the operator can have fine grain control over the
capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default
list of capabilities that are kept. The following table lists the Linux capability options which can be added or dropped. list of capabilities that are kept. The following table lists the Linux capability options which can be added or dropped.
| Capability Key | Capability Description | | Capability Key | Capability Description |
| -------------- | ---------------------- | | ---------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| SETPCAP | Modify process capabilities. | | SETPCAP | Modify process capabilities. |
| SYS_MODULE| Load and unload kernel modules. | | SYS_MODULE | Load and unload kernel modules. |
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). | | SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
| SYS_PACCT | Use acct(2), switch process accounting on or off. | | SYS_PACCT | Use acct(2), switch process accounting on or off. |
| SYS_ADMIN | Perform a range of system administration operations. | | SYS_ADMIN | Perform a range of system administration operations. |
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. | | SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
| SYS_RESOURCE | Override resource Limits. | | SYS_RESOURCE | Override resource Limits. |
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. | | SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. | | SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
| MKNOD | Create special files using mknod(2). | | MKNOD | Create special files using mknod(2). |
| AUDIT_WRITE | Write records to kernel auditing log. | | AUDIT_WRITE | Write records to kernel auditing log. |
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. | | AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| MAC_OVERRIDE | Allow MAC configuration or state changes. Implemented for the Smack LSM. | | MAC_OVERRIDE | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
| MAC_ADMIN | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). | | MAC_ADMIN | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
| NET_ADMIN | Perform various network-related operations. | | NET_ADMIN | Perform various network-related operations. |
| SYSLOG | Perform privileged syslog(2) operations. | | SYSLOG | Perform privileged syslog(2) operations. |
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). | | CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
| NET_RAW | Use RAW and PACKET sockets. | | NET_RAW | Use RAW and PACKET sockets. |
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. | | DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. | | FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. | | DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. | | FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. |
| KILL | Bypass permission checks for sending signals. | | KILL | Bypass permission checks for sending signals. |
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. | | SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
| SETUID | Make arbitrary manipulations of process UIDs. | | SETUID | Make arbitrary manipulations of process UIDs. |
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. | | LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). | | NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. | | NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). | | IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. | | IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
| SYS_CHROOT | Use chroot(2), change root directory. | | SYS_CHROOT | Use chroot(2), change root directory. |
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). | | SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. | | SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
| LEASE | Establish leases on arbitrary files (see fcntl(2)). | | LEASE | Establish leases on arbitrary files (see fcntl(2)). |
| SETFCAP | Set file capabilities.| | SETFCAP | Set file capabilities. |
| WAKE_ALARM | Trigger something that will wake up the system. | | WAKE_ALARM | Trigger something that will wake up the system. |
| BLOCK_SUSPEND | Employ features that can block system suspend. | | BLOCK_SUSPEND | Employ features that can block system suspend.
Further reference information is available on the [capabilities(7) - Linux man page](http://linux.die.net/man/7/capabilities) Further reference information is available on the [capabilities(7) - Linux man page](http://linux.die.net/man/7/capabilities)
@ -1101,9 +1106,9 @@ operator wants to have all capabilities but `MKNOD` they could use:
For interacting with the network stack, instead of using `--privileged` they For interacting with the network stack, instead of using `--privileged` they
should use `--cap-add=NET_ADMIN` to modify the network interfaces. should use `--cap-add=NET_ADMIN` to modify the network interfaces.
$ docker run -t -i --rm ubuntu:14.04 ip link add dummy0 type dummy $ docker run -it --rm ubuntu:14.04 ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted RTNETLINK answers: Operation not permitted
$ docker run -t -i --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy $ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy
To mount a FUSE based filesystem, you need to combine both `--cap-add` and To mount a FUSE based filesystem, you need to combine both `--cap-add` and
`--device`: `--device`:
@ -1135,8 +1140,9 @@ The container can have a different logging driver than the Docker daemon. Use
the `--log-driver=VALUE` with the `docker run` command to configure the the `--log-driver=VALUE` with the `docker run` command to configure the
container's logging driver. The following options are supported: container's logging driver. The following options are supported:
| Driver | Description |
| ----------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `none` | Disables any logging for the container. `docker logs` won't be available with this driver. | | `none` | Disables any logging for the container. `docker logs` won't be available with this driver. |
|-------------|-------------------------------------------------------------------------------------------------------------------------------|
| `json-file` | Default logging driver for Docker. Writes JSON messages to file. No logging options are supported for this driver. | | `json-file` | Default logging driver for Docker. Writes JSON messages to file. No logging options are supported for this driver. |
| `syslog` | Syslog logging driver for Docker. Writes log messages to syslog. | | `syslog` | Syslog logging driver for Docker. Writes log messages to syslog. |
| `journald` | Journald logging driver for Docker. Writes log messages to `journald`. | | `journald` | Journald logging driver for Docker. Writes log messages to `journald`. |
@ -1202,12 +1208,12 @@ runtime by using a string to specify the new `ENTRYPOINT`. Here is an
example of how to run a shell in a container that has been set up to example of how to run a shell in a container that has been set up to
automatically run something else (like `/usr/bin/redis-server`): automatically run something else (like `/usr/bin/redis-server`):
$ docker run -i -t --entrypoint /bin/bash example/redis $ docker run -it --entrypoint /bin/bash example/redis
or two examples of how to pass more parameters to that ENTRYPOINT: or two examples of how to pass more parameters to that ENTRYPOINT:
$ docker run -i -t --entrypoint /bin/bash example/redis -c ls -l $ docker run -it --entrypoint /bin/bash example/redis -c ls -l
$ docker run -i -t --entrypoint /usr/bin/redis-cli example/redis --help $ docker run -it --entrypoint /usr/bin/redis-cli example/redis --help
### EXPOSE (incoming ports) ### EXPOSE (incoming ports)