
docker command analysis: the run command


Author: 耗子007


All commands are based on docker version 1.11.

The most commonly used, and most complex, container command is probably run. This article gives a brief analysis of docker run.

Help text

Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

Run a command in a new container

-a, --attach=[] Attach to STDIN, STDOUT or STDERR
--add-host=[] Add a custom host-to-IP mapping (host:ip)
--blkio-weight=0 Block IO weight (relative weight)
--blkio-weight-device=[] Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`)
--cpu-shares=0 CPU shares (relative weight)
--cap-add=[] Add Linux capabilities
--cap-drop=[] Drop Linux capabilities
--cgroup-parent="" Optional parent cgroup for the container
--cidfile="" Write the container ID to the file
--cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota
--cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
-d, --detach Run container in background and print container ID
--detach-keys Specify the escape key sequence used to detach a container
--device=[] Add a host device to the container
--device-read-bps=[] Limit read rate (bytes per second) from a device (e.g., --device-read-bps=/dev/sda:1mb)
--device-read-iops=[] Limit read rate (IO per second) from a device (e.g., --device-read-iops=/dev/sda:1000)
--device-write-bps=[] Limit write rate (bytes per second) to a device (e.g., --device-write-bps=/dev/sda:1mb)
--device-write-iops=[] Limit write rate (IO per second) to a device (e.g., --device-write-bps=/dev/sda:1000)
--disable-content-trust=true Skip image verification
--dns=[] Set custom DNS servers
--dns-opt=[] Set custom DNS options
--dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables
--entrypoint="" Overwrite the default ENTRYPOINT of the image
--env-file=[] Read in a file of environment variables
--expose=[] Expose a port or a range of ports
--group-add=[] Add additional groups to run as
-h, --hostname="" Container host name
--help Print usage
-i, --interactive Keep STDIN open even if not attached
--ip="" Container IPv4 address (e.g. 172.30.100.104)
--ip6="" Container IPv6 address (e.g. 2001:db8::33)
--ipc="" IPC namespace to use
--isolation="" Container isolation technology
--kernel-memory="" Kernel memory limit
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
--label-file=[] Read in a file of labels (EOL delimited)
--link=[] Add link to another container
--log-driver="" Logging driver for container
--log-opt=[] Log driver specific options
-m, --memory="" Memory limit
--mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33)
--memory-reservation="" Memory soft limit
--memory-swap="" A positive integer equal to memory plus swap. Specify -1 to enable unlimited swap.
--memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
--name="" Assign a name to the container
--net="bridge" Connect a container to a network
'bridge': create a network stack on the default Docker bridge
'none': no networking
'container:<name|id>': reuse another container's network stack
'host': use the Docker host network stack
'<network-name>|<network-id>': connect to a user-defined network
--net-alias=[] Add network-scoped alias for the container
--oom-kill-disable Whether to disable OOM Killer for the container or not
--oom-score-adj=0 Tune the host's OOM preferences for containers (accepts -1000 to 1000)
-P, --publish-all Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use
--pids-limit=-1 Tune container pids limit (set -1 for unlimited), kernel >= 4.3
--privileged Give extended privileges to this container
--read-only Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always, unless-stopped)
--rm Automatically remove the container when it exits
--shm-size=[] Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`.
--security-opt=[] Security Options
--sig-proxy=true Proxy received signals to the process
--stop-signal="SIGTERM" Signal to stop a container
-t, --tty Allocate a pseudo-TTY
-u, --user="" Username or UID (format: <name|uid>[:<group|gid>])
--userns="" Container user namespace
'host': Use the Docker host user namespace
'': Use the Docker daemon user namespace specified by `--userns-remap` option.
--ulimit=[] Ulimit options
--uts="" UTS namespace to use
-v, --volume=[host-src:]container-dest[:<options>]
Bind mount a volume. The comma-delimited
`options` are [rw|ro], [z|Z],
[[r]shared|[r]slave|[r]private], and
[nocopy]. The 'host-src' is an absolute path
or a name value.
--volume-driver="" Container's volume driver
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir="" Working directory inside the container

The help text above can be shown with "docker run --help" or found on the Docker website.
run executes a command in a new container: it first creates a new container and then runs a command in it, so it effectively combines the create, start and exec commands.
The basic form is: "docker run [OPTIONS] IMAGE [COMMAND] [ARG...]"
Note:

  • OPTIONS (optional): run has a rich set of options for setting container properties
  • IMAGE: the base image the container runs from
  • COMMAND (optional): the command executed when the container runs
  • ARG (optional): arguments to that command

Basic usage

Naming the container and allocating a pseudo-TTY

$ docker run --name hello -it ubuntu
root@a37b3b659c24:/#
root@a37b3b659c24:/#

This creates a container named hello and allocates a pseudo-TTY; -i connects to the container's STDIN.

Getting the container ID (--cidfile)

$ docker run --cidfile ./test.cid --name hello ubuntu
$ cat test.cid
b504823b5a2d281e0f8ee329e14a8052bbeb171f7e50720fe0dab98ebd75587fV2R1C00B003
$ docker run --cidfile ./test.cid --name hello ubuntu
docker: Container ID file found, make sure the other container isn't running or delete ./test.cid.
See 'docker run --help'.

--cidfile specifies the file the container ID is written to; if test.cid already exists, the command returns an error.

Privileged containers

$ docker run -t -i --rm ubuntu bash
root@bc338942ef20:/# mount -t tmpfs none /mnt
mount: permission denied

By default, most dangerous kernel capabilities are disabled for containers, which is why the command above fails. For a detailed analysis of the permissions involved, see the article on run's permission settings.

$ docker run -t -i --privileged ubuntu bash
root@50e3f57e16e6:/# mount -t tmpfs none /mnt
root@50e3f57e16e6:/# df -h
Filesystem Size Used Avail Use% Mounted on
none 1.9G 0 1.9G 0% /mnt

The --privileged option grants the container every capability, so the container has the same capabilities as the host. This is very dangerous and is not recommended.
For finer-grained permissions, see the article on run's permission settings.

Setting the working directory

$ docker run --rm --name hello -it ubuntu pwd
/
$ docker run -w /test --rm --name hello -it ubuntu pwd
/test

By default the container's working directory is the root directory; -w sets it, and if the directory does not exist docker creates it inside the container.

Mounting data volumes

--volume=[host-src:]container-dest[:<options>]
Bind mount a volume. The comma-delimited
`options` are [rw|ro], [z|Z],
[[r]shared|[r]slave|[r]private], and
[nocopy]. The 'host-src' is an absolute path
or a name value.

Files or directories on the host can be passed through to a given path inside the container, for example:

$ docker  run  -v `pwd`:`pwd` -w `pwd` -i -t  ubuntu pwd
$ docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/static-docker-binary:/usr/bin/docker busybox sh

The read/write permission of the data volume inside the container can also be set.

Data volumes can also be mounted from another container:

$ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd

Setting container metadata

$ docker run -l my-label --label com.example.foo=bar ubuntu bash
$ docker run --label-file ./labels ubuntu bash

There are three ways to set labels: -l, --label and --label-file.
A label has the form key=value, and the value may be omitted. If the same key is given with different values, the later value overrides the earlier one.

Passing devices through to the container

$ docker run --device=/dev/sdc:/dev/xvdc --device=/dev/sdd --device=/dev/zero:/dev/nulo -i -t ubuntu ls -l /dev/{xvdc,sdd,nulo}
brw-rw---- 1 root disk 8, 2 Feb 9 16:05 /dev/xvdc
brw-rw---- 1 root disk 8, 3 Feb 9 16:05 /dev/sdd
crw-rw-rw- 1 root root 1, 5 Feb 9 16:05 /dev/nulo

--device passes a host device through to the container.

Setting the container's ulimit

ulimit sets soft and hard limits, in the format <type>=<soft limit>[:<hard limit>].
For example:

$ docker run --ulimit nofile=1024:1024 --rm ubuntu sh -c "ulimit -n"
1024
$ docker run --rm ubuntu sh -c "ulimit -n"
1048576

Note:

  • If no hard limit is given, the soft limit value is also used as the hard limit
  • If no ulimit is set, the container inherits the daemon's default ulimit
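As an added example (not from the original post, and not Docker's own code), the following Python script parses a docker run command line written in the option forms shown on this page, expands a ulimit spec according to the rule above, and flags the settings this post calls dangerous in the privileged-container and volume sections (--privileged, a docker.sock bind mount, host namespaces). The command lines it checks are constructed inline, so no docker daemon is needed.

```python
import shlex
# docker 1.11 `run` options from this page that take a value, with their short aliases
VALUE_OPTS = {
    "--name": None, "--cidfile": None, "--volume": "-v", "--volumes-from": None,
    "--device": None, "--ulimit": None, "--cap-add": None, "--cap-drop": None,
    "--net": None, "--pid": None, "--ipc": None, "--user": "-u", "--security-opt": None,
    "--workdir": "-w", "--label": "-l", "--label-file": None, "--env": "-e",
    "--publish": "-p", "--entrypoint": None, "--restart": None, "--hostname": "-h",
}
SHORT_TO_LONG = {s: l for l, s in VALUE_OPTS.items() if s}

def expand_ulimit(spec):
    """Apply the page's rule for `<type>=<soft>[:<hard>]`: a missing hard limit equals soft."""
    name, _, limits = spec.partition("=")
    soft, _, hard = limits.partition(":")
    return f"{name}={soft}:{hard or soft}"

def parse_run(cmdline):
    """Split a `docker run` line into (options, image, command); options are (name, value)."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("not a docker run command")
    opts, i = [], 2
    while i < len(argv) and argv[i].startswith("-"):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:           # --net=host
            opts.append(tuple(tok.split("=", 1)))
        elif tok in VALUE_OPTS or tok in SHORT_TO_LONG:   # -v src:dst, --ulimit nofile=1024
            i += 1
            opts.append((SHORT_TO_LONG.get(tok, tok), argv[i]))
        elif tok.startswith("--"):                        # --privileged, --rm
            opts.append((tok, None))
        else:                                             # -it -> -i, -t
            opts.extend(("-" + c, None) for c in tok[1:])
        i += 1
    image = argv[i] if i < len(argv) else None
    return opts, image, argv[i + 1:]

def audit(cmdline):
    """Report the settings this page singles out as reducing isolation from the host."""
    findings = []
    for name, val in parse_run(cmdline)[0]:
        if name == "--privileged":
            findings.append("--privileged: container gets every capability of the host")
        elif name == "--volume" and val.startswith("/var/run/docker.sock:"):
            findings.append("docker.sock mount: container can drive the host daemon")
        elif name == "--cap-add" and val.upper() in ("ALL", "SYS_ADMIN"):
            findings.append(f"--cap-add={val}: nearly equivalent to --privileged")
        elif name in ("--net", "--pid", "--ipc") and val == "host":
            findings.append(f"{name}=host: that namespace is shared with the host")
    return findings
```

Running audit() on the page's own docker.sock example returns one finding, while the plain "docker run -t -i --rm ubuntu bash" returns none.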

Removing the container automatically on exit

By default a container's data is kept after it exits; exited containers that are no longer needed have to be removed manually with the rm command.
Sometimes a container is of no use once it has exited; setting --rm ensures it is cleaned up automatically after exit. For example:

docker run --rm ubuntu sh -c "ulimit -n"

Note: --rm cannot be used together with -d.