Merge pull request #15675 from thaJeztah/carry-14625

[Carry #14625] run.md: --expose does NOT override Dockerfile EXPOSE
Sebastiaan van Stijn 2015-08-20 00:49:16 +02:00
Parent 286afb9a77 35cbcc2fc1
Commit 41ca7c0f13
1 changed file with 69 additions and 52 deletions

@ -16,15 +16,14 @@ parent = "mn_reference"
</style>
# Docker run reference
**Docker runs processes in isolated containers**. When an operator
executes `docker run`, she starts a process with its own file system,
its own networking, and its own isolated process tree. The
[*Image*](/reference/glossary/#image) which starts the process may define
defaults related to the binary to run, the networking to expose, and
more, but `docker run` gives final control to the operator who starts
the container from the image. That's the main reason
[*run*](/reference/commandline/run) has more options than any
other `docker` command.
Docker runs processes in isolated containers. A container is a process
which runs on a host. The host may be local or remote. When an operator
executes `docker run`, the container process that runs is isolated in
that it has its own file system, its own networking, and its own
isolated process tree separate from the host.
This page details how to use the `docker run` command to define the
container's resources at runtime.
## General form
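Review bot: In the rewritten opening paragraph, the sentence "the container process that runs is isolated in that it has its own file system, its own networking, and its own isolated process tree separate from the host" uses "isolated" twice and is hard to parse. Suggest "the container process has its own file system, its own networking, and its own process tree, separate from the host."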
@ -32,11 +31,9 @@ The basic `docker run` command takes this form:
$ docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
To learn how to interpret the types of `[OPTIONS]`,
see [*Option types*](/reference/commandline/cli/#option-types).
The `run` options control the image's runtime behavior in a container. These
settings affect:
The `docker run` command must specify an [*IMAGE*](/reference/glossary/#image)
to derive the container from. An image developer can define image
defaults related to:
* detached or foreground running
* container identification
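Review bot: The new lead-in "An image developer can define image defaults related to:" does not fit the list it introduces. Items such as "detached or foreground running" and "container identification" are choices made when the container is started, and the page goes straight on to a section titled "Operator exclusive options". The old wording ("These settings affect:") described what the `run` options control; suggest keeping that framing, or trimming the list to settings an image can actually carry.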
@ -44,16 +41,23 @@ settings affect:
* runtime constraints on CPU and memory
* privileges and LXC configuration
An image developer may set defaults for these same settings when they create the
image using the `docker build` command. Operators, however, can override all
defaults set by the developer using the `run` options. And, operators can also
override nearly all the defaults set by the Docker runtime itself.
With the `docker run [OPTIONS]` an operator can add to or override the
image defaults set by a developer. And, additionally, operators can
override nearly all the defaults set by the Docker runtime itself. The
operator's ability to override image and Docker runtime defaults is why
[*run*](/reference/commandline/cli/run/) has more options than any
other `docker` command.
To learn how to interpret the types of `[OPTIONS]`, see [*Option
types*](/reference/commandline/cli/#option-types).
> **Note**: Depending on your Docker system configuration, you may be
> required to preface the `docker run` command with `sudo`. To avoid
> having to use `sudo` with the `docker` command, your system
> administrator can create a Unix group called `docker` and add users to
> it. For more information about this configuration, refer to the Docker
> installation documentation for your operating system.
Finally, depending on your Docker system configuration, you may be required to
preface each `docker` command with `sudo`. To avoid having to use `sudo` with
the `docker` command, your system administrator can create a Unix group called
`docker` and add users to it. For more information about this configuration,
refer to the Docker installation documentation for your operating system.
## Operator exclusive options
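Review bot: The `run` link in the added paragraph points at `/reference/commandline/cli/run/`, while the sentence it replaces in the introduction used `/reference/commandline/run`; please confirm which path resolves and use it. Also, "With the `docker run [OPTIONS]` an operator can ..." is missing a noun (suggest "With `docker run [OPTIONS]`, an operator can ..."). The `sudo` paragraph changes scope from "the `docker run` command" to "each `docker` command" and still recommends adding users to the `docker` group without saying what access that membership grants; a sentence or a pointer on that would help administrators decide.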
@ -972,46 +976,59 @@ or two examples of how to pass more parameters to that ENTRYPOINT:
### EXPOSE (incoming ports)
The Dockerfile doesn't give much control over networking, only providing
the `EXPOSE` instruction to give a hint to the operator about what
incoming ports might provide services. The following options work with
or override the Dockerfile's exposed defaults:
The following `run` command options work with container networking:
--expose=[]: Expose a port or a range of ports from the container
without publishing it to your host
--expose=[]: Expose a port or a range of ports inside the container.
These are additional to those exposed by the `EXPOSE` instruction
-P=false : Publish all exposed ports to the host interfaces
-p=[] : Publish a container᾿s port or a range of ports to the host
format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
Both hostPort and containerPort can be specified as a range of ports.
When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`)
When specifying a range for hostPort only, the containerPort must not be a range. In this case the container port is published somewhere within the specified hostPort range. (e.g., `-p 1234-1236:1234/tcp`)
Both hostPort and containerPort can be specified as a
range of ports. When specifying ranges for both, the
number of container ports in the range must match the
number of host ports in the range, for example:
-p 1234-1236:1234-1236/tcp
When specifying a range for hostPort only, the
containerPort must not be a range. In this case the
container port is published somewhere within the
specified hostPort range. (e.g., `-p 1234-1236:1234/tcp`)
(use 'docker port' to see the actual mapping)
--link="" : Add link to another container (<name or id>:alias or <name or id>)
As mentioned previously, `EXPOSE` (and `--expose`) makes ports available
**in** a container for incoming connections. The port number on the
inside of the container (where the service listens) does not need to be
the same number as the port exposed on the outside of the container
(where clients connect), so inside the container you might have an HTTP
service listening on port 80 (and so you `EXPOSE 80` in the Dockerfile),
but outside the container the port might be 42800.
With the exception of the `EXPOSE` directive, an image developer hasn't
got much control over networking. The `EXPOSE` instruction defines the
initial incoming ports that provide services. These ports are available
to processes inside the container. An operator can use the `--expose`
option to add to the exposed ports.
To help a new client container reach the server container's internal
port operator `--expose`'d by the operator or `EXPOSE`'d by the
developer, the operator has three choices: start the server container
with `-P` or `-p,` or start the client container with `--link`.
To expose a container's internal port, an operator can start the
container with the `-P` or `-p` flag. The exposed port is accessible on
the host and the ports are available to any client that can reach the
host.
If the operator uses `-P` or `-p` then Docker will make the exposed port
accessible on the host and the ports will be available to any client that can
reach the host. When using `-P`, Docker will bind the exposed port to a random
port on the host within an *ephemeral port range* defined by
`/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host
ports and the exposed ports, use `docker port`.
The `-P` option publishes all the ports to the host interfaces. Docker
binds each exposed port to a random port on the host. The range of
ports are within an *ephemeral port range* defined by
`/proc/sys/net/ipv4/ip_local_port_range`. Use the `-p` flag to
explicitly map a single port or range of ports.
If the operator uses `--link` when starting the new client container,
The port number inside the container (where the service listens) does
not need to match the port number exposed on the outside of the
container (where clients connect). For example, inside the container an
HTTP service is listening on port 80 (and so the image developer
specifies `EXPOSE 80` in the Dockerfile). At runtime, the port might be
bound to 42800 on the host. To find the mapping between the host ports
and the exposed ports, use `docker port`.
If the operator uses `--link` when starting a new client container,
then the client container can access the exposed port via a private
networking interface. Docker will set some environment variables in the
client container to help indicate which interface and port to use.
networking interface. Docker will set some environment variables in the
client container to help indicate which interface and port to use. For
more information on linking, see [the guide on linking container
together](/userguide/dockerlinks/)
### ENV (environment variables)
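Review bot: The added paragraph beginning "To expose a container's internal port, an operator can start the container with the `-P` or `-p` flag" reintroduces the expose/publish confusion this change sets out to remove; the option help just above describes `-P` and `-p` as publishing. Suggest "To publish a container's exposed port to the host, ...". Likewise "The `-P` option publishes all the ports" should read "all exposed ports", matching the `-P=false` help line. Minor: the two range examples in the `-p` help are now formatted differently (one on its own line, one as "(e.g., ...)"), and the final sentence has "linking container together" and no closing period.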