[TOC]
### **Docker run命令**
docker run命令的用法如下,我们可以传入很多的options
```
$ docker run --help
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Run a command in a new container
Options:
--add-host list Add a custom host-to-IP mapping (host:ip)
-a, --attach list Attach to STDIN, STDOUT or STDERR
--blkio-weight uint16 Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
--blkio-weight-device list Block IO weight (relative device weight) (default [])
--cap-add list Add Linux capabilities
--cap-drop list Drop Linux capabilities
--cgroup-parent string Optional parent cgroup for the container
--cidfile string Write the container ID to the file
--cpu-period int Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota int Limit CPU CFS (Completely Fair Scheduler) quota
--cpu-rt-period int Limit CPU real-time period in microseconds
--cpu-rt-runtime int Limit CPU real-time runtime in microseconds
-c, --cpu-shares int CPU shares (relative weight)
--cpus decimal Number of CPUs
--cpuset-cpus string CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems string MEMs in which to allow execution (0-3, 0,1)
-d, --detach Run container in background and print container ID
--detach-keys string Override the key sequence for detaching a container
--device list Add a host device to the container
--device-cgroup-rule list Add a rule to the cgroup allowed devices list
--device-read-bps list Limit read rate (bytes per second) from a device (default [])
--device-read-iops list Limit read rate (IO per second) from a device (default [])
--device-write-bps list Limit write rate (bytes per second) to a device (default [])
--device-write-iops list Limit write rate (IO per second) to a device (default [])
--disable-content-trust Skip image verification (default true)
--dns list Set custom DNS servers
--dns-option list Set DNS options
--dns-search list Set custom DNS search domains
--entrypoint string Overwrite the default ENTRYPOINT of the image
-e, --env list Set environment variables
--env-file list Read in a file of environment variables
--expose list Expose a port or a range of ports
--group-add list Add additional groups to join
--health-cmd string Command to run to check health
--health-interval duration Time between running the check (ms|s|m|h) (default 0s)
--health-retries int Consecutive failures needed to report unhealthy
--health-start-period duration Start period for the container to initialize before starting health-retries countdown (ms|s|m|h) (default 0s)
--health-timeout duration Maximum time to allow one check to run (ms|s|m|h) (default 0s)
--help Print usage
-h, --hostname string Container host name
--init Run an init inside the container that forwards signals and reaps processes
-i, --interactive Keep STDIN open even if not attached
--ip string IPv4 address (e.g., 172.30.100.104)
--ip6 string IPv6 address (e.g., 2001:db8::33)
--ipc string IPC mode to use
--isolation string Container isolation technology
--kernel-memory bytes Kernel memory limit
-l, --label list Set meta data on a container
--label-file list Read in a line delimited file of labels
--link list Add link to another container
--link-local-ip list Container IPv4/IPv6 link-local addresses
--log-driver string Logging driver for the container
--log-opt list Log driver options
--mac-address string Container MAC address (e.g., 92:d0:c6:0a:29:33)
-m, --memory bytes Memory limit
--memory-reservation bytes Memory soft limit
--memory-swap bytes Swap limit equal to memory plus swap: '-1' to enable unlimited swap
--memory-swappiness int Tune container memory swappiness (0 to 100) (default -1)
--mount mount Attach a filesystem mount to the container
--name string Assign a name to the container
--network string Connect a container to a network (default "default")
--network-alias list Add network-scoped alias for the container
--no-healthcheck Disable any container-specified HEALTHCHECK
--oom-kill-disable Disable OOM Killer
--oom-score-adj int Tune host's OOM preferences (-1000 to 1000)
--pid string PID namespace to use
--pids-limit int Tune container pids limit (set -1 for unlimited)
--privileged Give extended privileges to this container
-p, --publish list Publish a container's port(s) to the host
-P, --publish-all Publish all exposed ports to random ports
--read-only Mount the container's root filesystem as read only
--restart string Restart policy to apply when a container exits (default "no")
--rm Automatically remove the container when it exits
--runtime string Runtime to use for this container
--security-opt list Security Options
--shm-size bytes Size of /dev/shm
--sig-proxy Proxy received signals to the process (default true)
--stop-signal string Signal to stop a container (default "SIGTERM")
--stop-timeout int Timeout (in seconds) to stop a container
--storage-opt list Storage driver options for the container
--sysctl map Sysctl options (default map[])
--tmpfs list Mount a tmpfs directory
-t, --tty Allocate a pseudo-TTY
--ulimit ulimit Ulimit options (default [])
-u, --user string Username or UID (format: <name|uid>[:<group|gid>])
--userns string User namespace to use
--uts string UTS namespace to use
-v, --volume list Bind mount a volume
--volume-driver string Optional volume driver for the container
--volumes-from list Mount volumes from the specified container(s)
-w, --workdir string Working directory inside the container
```
接下来,我们来了解一下这些OPTIONS以及它们与K8S的Yaml文件的对应关系。
### **--add-host list**
。。。
### **--cidfile string**
string是一个文件的路径,比如`/xxx/file`。把容器的ID写入到这个文件当中。注意这个文件不能存在。
比如:
```
$ docker run --cidfile /root/cidfile-centos7 centos:7
$ docker ps -a --no-trunc
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3ee6e672cce06df201bfe3d1792f0d98ed0e9ed7c2b947a0a3b38ea357dbf724 centos:7 "/bin/bash" 17 seconds ago Exited (0) 16 seconds ago flamboyant_vaughan
$cat /root/cidfile-centos7
3ee6e672cce06df201bfe3d1792f0d98ed0e9ed7c2b947a0a3b38ea357dbf724
```
### **--cap-add(--cap-drop) list**
参考 https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
向容器添加(或删除)linux权限,比如:
```
$ docker run --add-cap AUDIT_CONTROL,AUDIT_READ
```
在Pod中的设置如下:
```
apiVersion: v1
kind: Pod
metadata:
...
spec:
...
containers:
- name: container1
securityContext:
capacities:
add: [AUDIT_CONTROL,AUDIT_READ]
drop: []
```
### **--security-opt list**
示例如下:
```
--security-opt seccomp=unconfined,apparmor=unconfined
```
seccomp(securecomputing)在Pod的yaml文件中如下:
```
pod.spec:
containers:
- name: container1
securityContext:
seccompProfile:
type: unconfined
```
对于apparmor,需要在Pod的annotation中为Container设置(参考[文章](https://kubernetes.io/zh/docs/tutorials/clusters/apparmor/))。目前该我还处于测试阶段,所以需要在Pod的annotation中设置:
```
pod.metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>
```
`<container_name>`的名称是容器的简称,用以描述简介,并且简称为`<profile_ref>`。`<profile_ref>`可以作为其中之一:
* `runtime/default`应用运行时的默认配置
* Equivalent to not specifying a profile (without a PodSecurityPolicy default), except it still requires AppArmor to be enabled.
* For Docker, this resolves to the `docker-default` profile for non-privileged containers, and unconfined (no profile) for privileged containers
* `localhost/<profile_name>`应用在名为`<profile_name>`的主机上加载的配置文件
* `unconfined`表示不加载配置文件
对于docker来说,如果我们不为Pod设置annotation,那么特权容器默认配置为`unconfined`,非特权容器默认配置为`docker-default`
### **--device list**
示例:
```
docker run --device /dev/fuse:/dev/fuse:rwm --device /dev/dri/renderD128:/dev/dri/renderD128:rwm
```
Pod的yaml文件中不支持device的直接挂载,如果要做到,有两种方法,一是把Pod设置为特权模式,然后使用hostpath把设备挂载进去;二是自行开发device-plugin,比如GPU。
参考:https://cloud.tencent.com/developer/article/1506474
### **参考**
* https://docs.docker.com/engine/reference/commandline/run/
* https://docs.docker.com/engine/reference/run/
* https://cloud.tencent.com/developer/article/1506474
- 安装
- 在线安装
- 离线安装
- 下载镜像
- 下载DockerHub镜像
- 下载Google镜像
- 阿里云镜像中心
- 下载ARM镜像
- 容器命名空间
- Linux命名空间概述
- 根据PID快速定位到容器
- 进入到容器的命名空间
- Dockerfile
- 基本语法
- 前台运行
- 镜像存储
- 本地存储
- Registry中的存储
- 如何判断两个镜像是否是同一个
- Registry
- Notification
- Auth
- 基本原理
- Token认证的设计
- API
- Pull镜像
- Push镜像
- Docker设置代理
- 日志
- 磁盘占用与清理
- Docker选项与K8S的Yaml
- 运维总结
- 常用命令
- DockerCompose
- 构建ARM版本
- 跨架构
- x86架构下构建arm64镜像
- Containerd
- ctr-crictl-nerdctl
- ctr
- Insecure-Registry
- Kata
- 构建OS镜像
- 进入到kata虚机