Docker runs processes in isolated containers. A container is a processwhich runs on a host. The host may be local or remote. When youexecutedocker run, the container process that runs is isolated inthat it has its own file system, its own networking, and its ownisolated process tree separate from the host.

This page details how to use thedocker run command to run containers.

General form

Adocker run command takes the following form:

$ docker run[OPTIONS] IMAGE[:TAG|@DIGEST][COMMAND][ARG...]

Thedocker run command must specify animage referenceto create the container from.

Image references

The image reference is the name and version of the image. You can use the imagereference to create or run a container based on an image.

• docker run IMAGE[:TAG][@DIGEST]
• docker create IMAGE[:TAG][@DIGEST]

An image tag is the image version, which defaults tolatest when omitted. Usethe tag to run a container from specific version of an image. For example, torun version24.04 of theubuntu image:docker run ubuntu:24.04.

Image digests

Images using the v2 or later image format have a content-addressable identifiercalled a digest. As long as the input used to generate the image is unchanged,the digest value is predictable.

The following example runs a container from thealpine image with thesha256:9cacb71397b640eca97488cf08582ae4e4068513101088e9f96c9814bfda95e0 digest:

$ docker run alpine@sha256:9cacb71397b640eca97488cf08582ae4e4068513101088e9f96c9814bfda95e0 date

Options

[OPTIONS] let you configure options for the container. For example, you cangive the container a name (--name), or run it as a background process (-d).You can also set options to control things like resource constraints andnetworking.

Commands and arguments

You can use the[COMMAND] and[ARG...] positional arguments to specifycommands and arguments for the container to run when it starts up. For example,you can specifysh as the[COMMAND], combined with the-i and-t flags,to start an interactive shell in the container (if the image you select has ansh executable onPATH).

$ docker run -it IMAGE sh

Note

Depending on your Docker system configuration, you may berequired to preface thedocker run command withsudo. To avoidhaving to usesudo with thedocker command, your systemadministrator can create a Unix group calleddocker and add users toit. For more information about this configuration, refer to the Dockerinstallation documentation for your operating system.

Foreground and background

When you start a container, the container runs in the foreground by default.If you want to run the container in the background instead, you can use the--detach (or-d) flag. This starts the container without occupying yourterminal window.

$ docker run -d <IMAGE>

While the container runs in the background, you can interact with the containerusing other CLI commands. For example,docker logs lets you view the logs forthe container, anddocker attach brings it to the foreground.

$ docker run -d nginx0246aa4d1448a401cabd2ce8f242192b6e7af721527e48a810463366c7ff54f1$ docker psCONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS        PORTS     NAMES0246aa4d1448   nginx     "/docker-entrypoint.…"   2 seconds ago   Up 1 second   80/tcp    pedantic_liskov$ docker logs -n5 0246aa4d14482023/11/06 15:58:23 [notice] 1#1: start worker process 332023/11/06 15:58:23 [notice] 1#1: start worker process 342023/11/06 15:58:23 [notice] 1#1: start worker process 352023/11/06 15:58:23 [notice] 1#1: start worker process 362023/11/06 15:58:23 [notice] 1#1: start worker process 37$ docker attach 0246aa4d1448^C2023/11/06 15:58:40 [notice] 1#1: signal 2 (SIGINT) received, exiting...

For more information aboutdocker run flags related to foreground andbackground modes, see:

• docker run --detach: run container in background
• docker run --attach: attach tostdin,stdout, andstderr
• docker run --tty: allocate a pseudo-tty
• docker run --interactive: keepstdin open even if not attached

For more information about re-attaching to a background container, seedocker attach.

Container identification

You can identify a container in three ways:

The UUID identifier is a random ID assigned to the container by the daemon.

The daemon generates a random string name for containers automatically. You canalso define a custom name usingthe--name flag.Defining aname can be a handy way to add meaning to a container. If youspecify aname, you can use it when referring to the container in auser-defined network. This works for both background and foreground Dockercontainers.

A container identifier is not the same thing as an image reference. The imagereference specifies which image to use when you run a container. You can't rundocker exec nginx:alpine sh to open a shell in a container based on thenginx:alpine image, becausedocker exec expects a container identifier(name or ID), not an image.

While the image used by a container is not an identifier for the container, youfind out the IDs of containers using an image by using the--filter flag. Forexample, the followingdocker ps command gets the IDs of all runningcontainers based on thenginx:alpine image:

$ docker ps -q --filterancestor=nginx:alpine

For more information about using filters, seeFiltering.

Container networking

Containers have networking enabled by default, and they can make outgoingconnections. If you're running multiple containers that need to communicatewith each other, you can create a custom network and attach the containers tothe network.

When multiple containers are attached to the same custom network, they cancommunicate with each other using the container names as a DNS hostname. Thefollowing example creates a custom network namedmy-net, and runs twocontainers that attach to the network.

$ docker network create my-net$ docker run -d --name web --network my-net nginx:alpine$ docker run --rm -it --network my-net busybox/ # ping webPING web (172.18.0.2): 56 data bytes64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.326 ms64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.257 ms64 bytes from 172.18.0.2: seq=2 ttl=64 time=0.281 ms^C--- web ping statistics ---3 packets transmitted, 3 packets received, 0% packet lossround-trip min/avg/max = 0.257/0.288/0.326 ms

For more information about container networking, seeNetworkingoverview

Filesystem mounts

By default, the data in a container is stored in an ephemeral, writablecontainer layer. Removing the container also removes its data. If you want touse persistent data with containers, you can use filesystem mounts to store thedata persistently on the host system. Filesystem mounts can also let you sharedata between containers and the host.

Docker supports two main categories of mounts:

• Volume mounts
• Bind mounts

Volume mounts are great for persistently storing data for containers, and forsharing data between containers. Bind mounts, on the other hand, are forsharing data between a container and the host.

You can add a filesystem mount to a container using the--mount flag for thedocker run command.

The following sections show basic examples of how to create volumes and bindmounts. For more in-depth examples and descriptions, refer to the section ofthestorage section in the documentation.

Volume mounts

To create a volume mount:

$ docker run --mountsource=<VOLUME_NAME>,target=[PATH][IMAGE][COMMAND...]

The--mount flag takes two parameters in this case:source andtarget.The value for thesource parameter is the name of the volume. The value oftarget is the mount location of the volume inside the container. Once you'vecreated the volume, any data you write to the volume is persisted, even if youstop or remove the container:

$ docker run --rm --mountsource=my_volume,target=/foo busybox\  echo "hello, volume!" > /foo/hello.txt$ docker run --mountsource=my_volume,target=/bar busybox  cat /bar/hello.txthello, volume!

Thetarget must always be an absolute path, such as/src/docs. An absolutepath starts with a/ (forward slash). Volume names must start with analphanumeric character, followed bya-z0-9,_ (underscore),. (period) or- (hyphen).

Bind mounts

To create a bind mount:

$ docker run -it --mounttype=bind,source=[PATH],target=[PATH] busybox

In this case, the--mount flag takes three parameters. A type (bind), andtwo paths. Thesource path is the location on the host that you want tobind mount into the container. Thetarget path is the mount destinationinside the container.

Bind mounts are read-write by default, meaning that you can both read and writefiles to and from the mounted location from the container. Changes that youmake, such as adding or editing files, are reflected on the host filesystem:

$ docker run -it --mounttype=bind,source=.,target=/foo busybox/ # echo "hello from container" > /foo/hello.txt/ # exit$ cat hello.txthello from container

Exit status

The exit code fromdocker run gives information about why the containerfailed to run or why it exited. The following sections describe the meanings ofdifferent container exit codes values.

125

Exit code125 indicates that the error is with Docker daemon itself.

$ docker run --foo busybox;echo$?flag provided but not defined: --fooSee 'docker run --help'.125

126

Exit code126 indicates that the specified contained command can't be invoked.The container command in the following example is:/etc.

$ docker run busybox /etc;echo$?docker: Error response from daemon: Container command '/etc' could not be invoked.126

127

Exit code127 indicates that the contained command can't be found.

$ docker run busybox foo;echo$?docker: Error response from daemon: Container command 'foo' not found or does not exist.127

Other exit codes

Any exit code other than125,126, and127 represent the exit code of theprovided container command.

$ docker run busybox /bin/sh -c'exit 3'$echo$?3

Runtime constraints on resources

The operator can also adjust the performance parameters of thecontainer:

User memory constraints

We have four ways to set user memory usage:

Examples:

$ docker run -it ubuntu:24.04 /bin/bash

We set nothing about memory, this means the processes in the container can useas much memory and swap memory as they need.

$ docker run -it -m 300M --memory-swap -1 ubuntu:24.04 /bin/bash

We set memory limit and disabled swap memory limit, this means the processes inthe container can use 300M memory and as much swap memory as they need (if thehost supports swap memory).

$ docker run -it -m 300M ubuntu:24.04 /bin/bash

We set memory limit only, this means the processes in the container can use300M memory and 300M swap memory, by default, the total virtual memory size(--memory-swap) will be set as double of memory, in this case, memory + swapwould be 2*300M, so processes can use 300M swap memory as well.

$ docker run -it -m 300M --memory-swap 1G ubuntu:24.04 /bin/bash

We set both memory and swap memory, so the processes in the container can use300M memory and 700M swap memory.

Memory reservation is a kind of memory soft limit that allows for greatersharing of memory. Under normal circumstances, containers can use as much ofthe memory as needed and are constrained only by the hard limits set with the-m/--memory option. When memory reservation is set, Docker detects memorycontention or low memory and forces containers to restrict their consumption toa reservation limit.

Always set the memory reservation value below the hard limit, otherwise the hardlimit takes precedence. A reservation of 0 is the same as setting noreservation. By default (without reservation set), memory reservation is thesame as the hard memory limit.

Memory reservation is a soft-limit feature and does not guarantee the limitwon't be exceeded. Instead, the feature attempts to ensure that, when memory isheavily contended for, memory is allocated based on the reservation hints/setup.

The following example limits the memory (-m) to 500M and sets the memoryreservation to 200M.

$ docker run -it -m 500M --memory-reservation 200M ubuntu:24.04 /bin/bash

Under this configuration, when the container consumes memory more than 200M andless than 500M, the next system memory reclaim attempts to shrink containermemory below 200M.

The following example set memory reservation to 1G without a hard memory limit.

$ docker run -it --memory-reservation 1G ubuntu:24.04 /bin/bash

The container can use as much memory as it needs. The memory reservation settingensures the container doesn't consume too much memory for long time, becauseevery memory reclaim shrinks the container's consumption to the reservation.

By default, kernel kills processes in a container if an out-of-memory (OOM)error occurs. To change this behaviour, use the--oom-kill-disable option.Only disable the OOM killer on containers where you have also set the-m/--memory option. If the-m flag is not set, this can result in the hostrunning out of memory and require killing the host's system processes to freememory.

The following example limits the memory to 100M and disables the OOM killer forthis container:

$ docker run -it -m 100M --oom-kill-disable ubuntu:24.04 /bin/bash

The following example, illustrates a dangerous way to use the flag:

$ docker run -it --oom-kill-disable ubuntu:24.04 /bin/bash

The container has unlimited memory which can cause the host to run out memoryand require killing system processes to free memory. The--oom-score-adjparameter can be changed to select the priority of which containers willbe killed when the system is out of memory, with negative scores making themless likely to be killed, and positive scores more likely.

Kernel memory constraints

Kernel memory is fundamentally different than user memory as kernel memory can'tbe swapped out. The inability to swap makes it possible for the container toblock system services by consuming too much kernel memory. Kernel memory includes：

• stack pages
• slab pages
• sockets memory pressure
• tcp memory pressure

You can setup kernel memory limit to constrain these kinds of memory. For example,every process consumes some stack pages. By limiting kernel memory, you canprevent new processes from being created when the kernel memory usage is too high.

Kernel memory is never completely independent of user memory. Instead, you limitkernel memory in the context of the user memory limit. Assume "U" is the user memorylimit and "K" the kernel limit. There are three possible ways to set limits:

Examples:

$ docker run -it -m 500M --kernel-memory 50M ubuntu:24.04 /bin/bash

We set memory and kernel memory, so the processes in the container can use500M memory in total, in this 500M memory, it can be 50M kernel memory tops.

$ docker run -it --kernel-memory 50M ubuntu:24.04 /bin/bash

We set kernel memory without-m, so the processes in the container canuse as much memory as they want, but they can only use 50M kernel memory.

Swappiness constraint

By default, a container's kernel can swap out a percentage of anonymous pages.To set this percentage for a container, specify a--memory-swappiness valuebetween 0 and 100. A value of 0 turns off anonymous page swapping. A value of100 sets all anonymous pages as swappable. By default, if you are not using--memory-swappiness, memory swappiness value will be inherited from the parent.

For example, you can set:

$ docker run -it --memory-swappiness=0 ubuntu:24.04 /bin/bash

Setting the--memory-swappiness option is helpful when you want to retain thecontainer's working set and to avoid swapping performance penalties.

CPU share constraint

By default, all containers get the same proportion of CPU cycles. This proportioncan be modified by changing the container's CPU share weighting relativeto the weighting of all other running containers.

To modify the proportion from the default of 1024, use the-c or--cpu-sharesflag to set the weighting to 2 or higher. If 0 is set, the system will ignore thevalue and use the default of 1024.

The proportion will only apply when CPU-intensive processes are running.When tasks in one container are idle, other containers can use theleft-over CPU time. The actual amount of CPU time will vary depending onthe number of containers running on the system.

For example, consider three containers, one has a cpu-share of 1024 andtwo others have a cpu-share setting of 512. When processes in all threecontainers attempt to use 100% of CPU, the first container would receive50% of the total CPU time. If you add a fourth container with a cpu-shareof 1024, the first container only gets 33% of the CPU. The remaining containersreceive 16.5%, 16.5% and 33% of the CPU.

On a multi-core system, the shares of CPU time are distributed over all CPUcores. Even if a container is limited to less than 100% of CPU time, it canuse 100% of each individual CPU core.

For example, consider a system with more than three cores. If you start onecontainer{C0} with-c=512 running one process, and another container{C1} with-c=1024 running two processes, this can result in the followingdivision of CPU shares:

PID    containerCPUCPU share100    {C0}0100% of CPU0101    {C1}1100% of CPU1102    {C1}2100% of CPU2

CPU period constraint

The default CPU CFS (Completely Fair Scheduler) period is 100ms. We can use--cpu-period to set the period of CPUs to limit the container's CPU usage.And usually--cpu-period should work with--cpu-quota.

Examples:

$ docker run -it --cpu-period=50000 --cpu-quota=25000 ubuntu:24.04 /bin/bash

If there is 1 CPU, this means the container can get 50% CPU worth of run-time every 50ms.

In addition to use--cpu-period and--cpu-quota for setting CPU period constraints,it is possible to specify--cpus with a float number to achieve the same purpose.For example, if there is 1 CPU, then--cpus=0.5 will achieve the same result assetting--cpu-period=50000 and--cpu-quota=25000 (50% CPU).

The default value for--cpus is0.000, which means there is no limit.

For more information, see theCFS documentation on bandwidth limiting.

Cpuset constraint

We can set cpus in which to allow execution for containers.

Examples:

$ docker run -it --cpuset-cpus="1,3" ubuntu:24.04 /bin/bash

This means processes in container can be executed on cpu 1 and cpu 3.

$ docker run -it --cpuset-cpus="0-2" ubuntu:24.04 /bin/bash

This means processes in container can be executed on cpu 0, cpu 1 and cpu 2.

We can set mems in which to allow execution for containers. Only effectiveon NUMA systems.

Examples:

$ docker run -it --cpuset-mems="1,3" ubuntu:24.04 /bin/bash

This example restricts the processes in the container to only use memory frommemory nodes 1 and 3.

$ docker run -it --cpuset-mems="0-2" ubuntu:24.04 /bin/bash

This example restricts the processes in the container to only use memory frommemory nodes 0, 1 and 2.

CPU quota constraint

The--cpu-quota flag limits the container's CPU usage. The default 0 valueallows the container to take 100% of a CPU resource (1 CPU). The CFS (Completely FairScheduler) handles resource allocation for executing processes and is defaultLinux Scheduler used by the kernel. Set this value to 50000 to limit the containerto 50% of a CPU resource. For multiple CPUs, adjust the--cpu-quota as necessary.For more information, see theCFS documentation on bandwidth limiting.

Block IO bandwidth (Blkio) constraint

By default, all containers get the same proportion of block IO bandwidth(blkio). This proportion is 500. To modify this proportion, change thecontainer's blkio weight relative to the weighting of all other runningcontainers using the--blkio-weight flag.

Note

The blkio weight setting is only available for direct IO. Buffered IO is notcurrently supported.

The--blkio-weight flag can set the weighting to a value between 10 to 1000.For example, the commands below create two containers with different blkioweight:

$ docker run -it --name c1 --blkio-weight300 ubuntu:24.04 /bin/bash$ docker run -it --name c2 --blkio-weight600 ubuntu:24.04 /bin/bash

If you do block IO in the two containers at the same time, by, for example:

$time ddif=/mnt/zerofileof=test.outbs=1Mcount=1024oflag=direct

You'll find that the proportion of time is the same as the proportion of blkioweights of the two containers.

The--blkio-weight-device="DEVICE_NAME:WEIGHT" flag sets a specific device weight.TheDEVICE_NAME:WEIGHT is a string containing a colon-separated device name and weight.For example, to set/dev/sda device weight to200:

$ docker run -it\    --blkio-weight-device "/dev/sda:200" \    ubuntu

If you specify both the--blkio-weight and--blkio-weight-device, Dockeruses the--blkio-weight as the default weight and uses--blkio-weight-deviceto override this default with a new value on a specific device.The following example uses a default weight of300 and overrides this defaulton/dev/sda setting that weight to200:

$ docker run -it\    --blkio-weight 300 \    --blkio-weight-device "/dev/sda:200" \    ubuntu

The--device-read-bps flag limits the read rate (bytes per second) from a device.For example, this command creates a container and limits the read rate to1mbper second from/dev/sda:

$ docker run -it --device-read-bps /dev/sda:1mb ubuntu

The--device-write-bps flag limits the write rate (bytes per second) to a device.For example, this command creates a container and limits the write rate to1mbper second for/dev/sda:

$ docker run -it --device-write-bps /dev/sda:1mb ubuntu

Both flags take limits in the<device-path>:<limit>[unit] format. Both readand write rates must be a positive integer. You can specify the rate inkb(kilobytes),mb (megabytes), orgb (gigabytes).

The--device-read-iops flag limits read rate (IO per second) from a device.For example, this command creates a container and limits the read rate to1000 IO per second from/dev/sda:

$ docker run -it --device-read-iops /dev/sda:1000 ubuntu

The--device-write-iops flag limits write rate (IO per second) to a device.For example, this command creates a container and limits the write rate to1000 IO per second to/dev/sda:

$ docker run -it --device-write-iops /dev/sda:1000 ubuntu

Both flags take limits in the<device-path>:<limit> format. Both read andwrite rates must be a positive integer.

Additional groups

--group-add: Add additional groups to run as

By default, the docker container process runs with the supplementary groups lookedup for the specified user. If one wants to add more to that list of groups, thenone can use this flag:

$ docker run --rm --group-add audio --group-add nogroup --group-add777 busybox iduid=0(root) gid=0(root) groups=10(wheel),29(audio),99(nogroup),777

Runtime privilege and Linux capabilities

By default, Docker containers are "unprivileged" and cannot, forexample, run a Docker daemon inside a Docker container. This is becauseby default a container is not allowed to access any devices, but a"privileged" container is given access to all devices (seethe documentation oncgroups devices).

The--privileged flag gives all capabilities to the container. When the operatorexecutesdocker run --privileged, Docker enables access to all devices onthe host, and reconfigures AppArmor or SELinux to allow the containernearly all the same access to the host as processes running outsidecontainers on the host. Use this flag with caution.For more information about the--privileged flag, see thedocker run reference.

If you want to limit access to a specific device or devices you can usethe--device flag. It allows you to specify one or more devices thatwill be accessible within the container.

$ docker run --device=/dev/snd:/dev/snd ...

By default, the container will be able toread,write, andmknod these devices.This can be overridden using a third:rwm set of options to each--device flag:

$ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk  /dev/xvdcCommand (m for help): q$ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk  /dev/xvdcYou will not be able to write the partition table.Command (m for help): q$ docker run --device=/dev/sda:/dev/xvdc:w --rm -it ubuntu fdisk  /dev/xvdc    crash....$ docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk  /dev/xvdcfdisk: unable to open /dev/xvdc: Operation not permitted

In addition to--privileged, the operator can have fine grain control over thecapabilities using--cap-add and--cap-drop. By default, Docker has a defaultlist of capabilities that are kept. The following table lists the Linux capabilityoptions which are allowed by default and can be dropped.

The next table shows the capabilities which are not granted by default and may be added.

Further reference information is available on thecapabilities(7) - Linux man page,and in theLinux kernel source code.

Both flags support the valueALL, so to allow a container to use all capabilitiesexcept forMKNOD:

$ docker run --cap-add=ALL --cap-drop=MKNOD ...

The--cap-add and--cap-drop flags accept capabilities to be specified withaCAP_ prefix. The following examples are therefore equivalent:

$ docker run --cap-add=SYS_ADMIN ...$ docker run --cap-add=CAP_SYS_ADMIN ...

For interacting with the network stack, instead of using--privileged theyshould use--cap-add=NET_ADMIN to modify the network interfaces.

$ docker run -it --rm  ubuntu:24.04 ip link add dummy0type dummyRTNETLINK answers: Operation not permitted$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:24.04 ip link add dummy0type dummy

To mount a FUSE based filesystem, you need to combine both--cap-add and--device:

$ docker run --rm -it --cap-add SYS_ADMIN sshfs sshfs sven@10.10.10.20:/home/sven /mntfuse: failed to open /dev/fuse: Operation not permitted$ docker run --rm -it --device /dev/fuse sshfs sshfs sven@10.10.10.20:/home/sven /mntfusermount: mount failed: Operation not permitted$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse sshfs# sshfs sven@10.10.10.20:/home/sven /mntThe authenticity of host '10.10.10.20 (10.10.10.20)' can't be established.ECDSA key fingerprint is 25:34:85:75:25:b0:17:46:05:19:04:93:b5:dd:5f:c6.Are you sure you want to continue connecting (yes/no)? yessven@10.10.10.20's password:root@30aa0cfaf1b5:/# ls -la /mnt/src/dockertotal 1516drwxrwxr-x 1 1000 1000   4096 Dec  4 06:08 .drwxrwxr-x 1 1000 1000   4096 Dec  4 11:46 ..-rw-rw-r-- 1 1000 1000     16 Oct  8 00:09 .dockerignore-rwxrwxr-x 1 1000 1000    464 Oct  8 00:09 .drone.ymldrwxrwxr-x 1 1000 1000   4096 Dec  4 06:11 .git-rw-rw-r-- 1 1000 1000    461 Dec  4 06:08 .gitignore....

The default seccomp profile will adjust to the selected capabilities, in order to allowuse of facilities allowed by the capabilities, so you should not have to adjust this.

Overriding image defaults

When you build an image from aDockerfile,or when committing it, you can set a number of default parameters that takeeffect when the image starts up as a container. When you run an image, you canoverride those defaults using flags for thedocker run command.

• Default entrypoint
• Default command and options
• Expose ports
• Environment variables
• Healthcheck
• User
• Working directory

Default command and options

The command syntax fordocker run supports optionally specifying commands andarguments to the container's entrypoint, represented as[COMMAND] and[ARG...] in the following synopsis example:

$ docker run[OPTIONS] IMAGE[:TAG|@DIGEST][COMMAND][ARG...]

This command is optional because whoever created theIMAGE may have alreadyprovided a defaultCOMMAND, using the DockerfileCMD instruction. When yourun a container, you can override thatCMD instruction just by specifying anewCOMMAND.

If the image also specifies anENTRYPOINT then theCMD orCOMMANDget appended as arguments to theENTRYPOINT.

Default entrypoint

--entrypoint="": Overwrite the default entrypoint set by the image

The entrypoint refers to the default executable that's invoked when you run acontainer. A container's entrypoint is defined using the DockerfileENTRYPOINT instruction. It's similar to specifying a default command becauseit specifies, but the difference is that you need to pass an explicit flag tooverride the entrypoint, whereas you can override default commands withpositional arguments. The defines a container's default behavior, with the ideathat when you set an entrypoint you can run the containeras if it were thatbinary, complete with default options, and you can pass in more options ascommands. But there are cases where you may want to run something else insidethe container. This is when overriding the default entrypoint at runtime comesin handy, using the--entrypoint flag for thedocker run command.

The--entrypoint flag expects a string value, representing the name or pathof the binary that you want to invoke when the container starts. The followingexample shows you how to run a Bash shell in a container that has been set upto automatically run some other binary (like/usr/bin/redis-server):

$ docker run -it --entrypoint /bin/bash example/redis

The following examples show how to pass additional parameters to the customentrypoint, using the positional command arguments:

$ docker run -it --entrypoint /bin/bash example/redis -c ls -l$ docker run -it --entrypoint /usr/bin/redis-cli example/redis --help

You can reset a containers entrypoint by passing an empty string, for example:

$ docker run -it --entrypoint="" mysql bash

Note

Passing--entrypoint clears out any default command set on the image. Thatis, anyCMD instruction in the Dockerfile used to build it.

Exposed ports

By default, when you run a container, none of the container's ports are exposedto the host. This means you won't be able to access any ports that thecontainer might be listening on. To make a container's ports accessible fromthe host, you need to publish the ports.

You can start the container with the-P or-p flags to expose its ports:

• The-P (or--publish-all) flag publishes all the exposed ports to thehost. Docker binds each exposed port to a random port on the host.

  The-P flag only publishes port numbers that are explicitly flagged asexposed, either using the DockerfileEXPOSE instruction or the--exposeflag for thedocker run command.

• The-p (or--publish) flag lets you explicitly map a single port or rangeof ports in the container to the host.

The port number inside the container (where the service listens) doesn't needto match the port number published on the outside of the container (whereclients connect). For example, inside the container an HTTP service might belistening on port 80. At runtime, the port might be bound to 42800 on the host.To find the mapping between the host ports and the exposed ports, use thedocker port command.

Environment variables

Docker automatically sets some environment variables when creating a Linuxcontainer. Docker doesn't set any environment variables when creating a Windowscontainer.

The following environment variables are set for Linux containers:

Additionally, you can set any environment variable in the container by usingone or more-e flags. You can even override the variables mentioned above, orvariables defined using a DockerfileENV instruction when building the image.

If you name an environment variable without specifying a value, the currentvalue of the named variable on the host is propagated into the container'senvironment:

$exporttoday=Wednesday$ docker run -e"deep=purple" -e today --rm alpine envPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=d2219b854598deep=purpletoday=WednesdayHOME=/root

PSC:\>dockerrun--rm-e"foo=bar"microsoft/nanoservercmd/s/csetALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\ContainerAdministrator\AppData\RoamingCommonProgramFiles=C:\ProgramFiles\CommonFilesCommonProgramFiles(x86)=C:\ProgramFiles(x86)\CommonFilesCommonProgramW6432=C:\ProgramFiles\CommonFilesCOMPUTERNAME=C2FAEFCC8253ComSpec=C:\Windows\system32\cmd.exefoo=barLOCALAPPDATA=C:\Users\ContainerAdministrator\AppData\LocalNUMBER_OF_PROCESSORS=8OS=Windows_NTPath=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\ContainerAdministrator\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMDPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64Family6Model62Stepping4,GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3e04ProgramData=C:\ProgramDataProgramFiles=C:\ProgramFilesProgramFiles(x86)=C:\ProgramFiles(x86)ProgramW6432=C:\ProgramFilesPROMPT=$P$GPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\ContainerAdministrator\AppData\Local\TempTMP=C:\Users\ContainerAdministrator\AppData\Local\TempUSERDOMAIN=UserManagerUSERNAME=ContainerAdministratorUSERPROFILE=C:\Users\ContainerAdministratorwindir=C:\Windows

Healthchecks

The following flags for thedocker run command let you control the parametersfor container healthchecks:

Example:

$ docker run --name=test -d\    --health-cmd='stat /etc/passwd || exit 1' \    --health-interval=2s \    busybox sleep 1d$ sleep 2; docker inspect --format='{{.State.Health.Status}}'testhealthy$ dockerexectest rm /etc/passwd$ sleep 2; docker inspect --format='{{json .State.Health}}'test{  "Status": "unhealthy",  "FailingStreak": 3,  "Log": [    {      "Start": "2016-05-25T17:22:04.635478668Z",      "End": "2016-05-25T17:22:04.7272552Z",      "ExitCode": 0,      "Output": "  File: /etc/passwd\n  Size: 334       \tBlocks: 8          IO Block: 4096   regular file\nDevice: 32h/50d\tInode: 12          Links: 1\nAccess: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (    0/    root)\nAccess: 2015-12-05 22:05:32.000000000\nModify: 2015..."    },    {      "Start": "2016-05-25T17:22:06.732900633Z",      "End": "2016-05-25T17:22:06.822168935Z",      "ExitCode": 0,      "Output": "  File: /etc/passwd\n  Size: 334       \tBlocks: 8          IO Block: 4096   regular file\nDevice: 32h/50d\tInode: 12          Links: 1\nAccess: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (    0/    root)\nAccess: 2015-12-05 22:05:32.000000000\nModify: 2015..."    },    {      "Start": "2016-05-25T17:22:08.823956535Z",      "End": "2016-05-25T17:22:08.897359124Z",      "ExitCode": 1,      "Output": "stat: can't stat '/etc/passwd': No such file or directory\n"    },    {      "Start": "2016-05-25T17:22:10.898802931Z",      "End": "2016-05-25T17:22:10.969631866Z",      "ExitCode": 1,      "Output": "stat: can't stat '/etc/passwd': No such file or directory\n"    },    {      "Start": "2016-05-25T17:22:12.971033523Z",      "End": "2016-05-25T17:22:13.082015516Z",      "ExitCode": 1,      "Output": "stat: can't stat '/etc/passwd': No such file or directory\n"    }  ]}

The health status is also displayed in thedocker ps output.

User

The default user within a container isroot (uid = 0). You can set a defaultuser to run the first process with the DockerfileUSER instruction. Whenstarting a container, you can override theUSER instruction by passing the-u option.

-u="", --user="": Sets the username or UID used and optionally the groupname or GID for the specified command.

The followings examples are all valid:

--user=[ user | user:group | uid | uid:gid | user:gid | uid:group ]

Note

If you pass a numeric user ID, it must be in the range of 0-2147483647. Ifyou pass a username, the user must exist in the container.

Working directory

The default working directory for running binaries within a container is theroot directory (/). The default working directory of an image is set usingthe DockerfileWORKDIR command. You can override the default workingdirectory for an image using the-w (or--workdir) flag for thedocker run command:

$ docker run --rm -w /my/workdir alpine pwd/my/workdir

If the directory doesn't already exist in the container, it's created.