diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
index f2648f70..ced3724e 100644
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@@ -1394,6 +1394,7 @@ _docker_run() {
 --restart
 --security-opt
 --stop-signal
+ --tmpfs
 --ulimit
 --user -u
 --uts
@@ -1443,7 +1444,7 @@ _docker_run() {
 _filedir
 return
 ;;
- --device|--volume|-v)
+ --device|--tmpfs|--volume|-v)
 case "$cur" in
 *:*)
 # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
diff --git a/contrib/completion/fish/docker.fish b/contrib/completion/fish/docker.fish
index 04a18443..33abfd0d 100644
--- a/contrib/completion/fish/docker.fish
+++ b/contrib/completion/fish/docker.fish
@@ -339,6 +339,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l sig-proxy -d 'P
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l stop-signal -d 'Signal to kill a container'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s t -l tty -d 'Allocate a pseudo-TTY'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s u -l user -d 'Username or UID'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l tmpfs -d 'Mount tmpfs on a directory'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s v -l volume -d 'Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l volumes-from -d 'Mount volumes from the specified container(s)'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s w -l workdir -d 'Working directory inside the container'
diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker
index 91eb5635..cde026b7 100644
--- a/contrib/completion/zsh/_docker
+++ b/contrib/completion/zsh/_docker
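Review bot: Folding `--tmpfs` into the `--device|--volume|-v)` arm in the second `_docker_run` hunk gives it the host-path completion model of those options, but a `--tmpfs` value is `container-dir[:mount-options]` (per the man-page hunks in this same diff): there is no host-side component, and the part after the colon is a mount-option list such as `rw,noexec,nosuid,size=65536k`, not a path inside the image, so the `*:*)` TODO about completing image paths does not apply to it either. The arm's body runs past the hunk, so I cannot see what the non-`*:*` branches do; if, as the neighbouring `_filedir` call suggests, they complete host filenames for the prefix before the colon, that will offer host directories that need not exist in the image. Unless host completion is wanted as a convenience, I would give the option its own arm that declines to complete rather than reuse the volume/device one, e.g. `--tmpfs) return ;;` placed before `--device|--volume|-v)`, or at least leave a comment on the shared arm noting that `--tmpfs` has no host path and its suffix is mount options. `_docker_run` itself begins outside the hunk.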
@@ -491,6 +491,7 @@ __docker_subcommand() { "($help)*--security-opt=[Security options]:security option: " "($help -t --tty)"{-t,--tty}"[Allocate a pseudo-tty]" "($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users" + "($help)--tmpfs[mount tmpfs] " "($help)*-v[Bind mount a volume]:volume: " "($help)--volume-driver=[Optional volume driver for the container]:volume driver:(local)" "($help)*--volumes-from=[Mount volumes from the specified container]:volume: " diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md index 56f5bab2..87cef354 100644 --- a/docs/reference/commandline/run.md +++ b/docs/reference/commandline/run.md @@ -153,6 +153,14 @@ flag exists to allow special use-cases, like running Docker within Docker. The `-w` lets the command being executed inside directory given, here `/path/to/dir/`. If the path does not exists it is created inside the container. +### mount tmpfs (--tmpfs) + + $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image + + The --tmpfs flag mounts a tmpfs into the container with the rw,noexec,nosuid,size=65536k options. + + Underlying content from the /run in the my_image image is copied into tmpfs. + ### Mount volume (-v, --read-only) $ docker run -v `pwd`:`pwd` -w `pwd` -i -t ubuntu pwd diff --git a/docs/reference/run.md b/docs/reference/run.md index e9b3a85a..b40888bf 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -1298,6 +1298,14 @@ above, or already defined by the developer with a Dockerfile `ENV`: Similarly the operator can set the **hostname** with `-h`. +### TMPFS (mount tmpfs filesystems) + + --tmpfs=[]: Create a tmpfs mount with: container-dir[:], where the options are identical to the Linux `mount -t tmpfs -o` command. + + Underlying content from the "container-dir" is copied into tmpfs. + + $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image + ### VOLUME (shared filesystems) -v=[]: Create a bind mount with: [host-src:]container-dest[:], where 
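Review bot: The added zsh spec `"($help)--tmpfs[mount tmpfs] "` declares `--tmpfs` as an argument-less, single-use flag, while the man-page hunks in this same diff document it as `--tmpfs=[]` (a repeatable list of `CONTAINER-DIR[:options]` values) and the bash hunk routes it to a value-completing arm. The neighbouring specs for repeatable, value-taking options use a leading `*`, an `=` and a `:message:action` suffix, e.g. `"($help)*--volumes-from=[Mount volumes from the specified container]:volume: "`, so the consistent form would be `"($help)*--tmpfs=[Mount a tmpfs on a container directory]:tmpfs: "`. The trailing space inside the new string, after `]` and with no `:` field, also looks unintentional and may be parsed as part of the spec; I have not verified how `_arguments` treats it. `__docker_subcommand` starts and ends outside the hunk.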
diff --git a/man/docker-create.1.md b/man/docker-create.1.md index bd143639..dc6891da 100644 --- a/man/docker-create.1.md +++ b/man/docker-create.1.md @@ -57,6 +57,7 @@ docker-create - Create a new container [**--stop-signal**[=*SIGNAL*]] [**--shm-size**[=*[]*]] [**-t**|**--tty**[=*false*]] +[**--tmpfs**[=*[CONTAINER-DIR[:]*]] [**-u**|**--user**[=*USER*]] [**--ulimit**[=*[]*]] [**--uts**[=*[]*]] @@ -271,6 +272,20 @@ This value should always larger than **-m**, so you should always use this with **-t**, **--tty**=*true*|*false* Allocate a pseudo-TTY. The default is *false*. +**--tmpfs**=[] Create a tmpfs mount + + Mount a temporary filesystem (`tmpfs`) mount into a container, for example: + + $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image + + This command mounts a `tmpfs` at `/tmp` within the container. The mount copies +the underlying content of `my_image` into `/tmp`. For example if there was a +directory `/tmp/content` in the base image, docker will copy this directory and +all of its content on top of the tmpfs mounted on `/tmp`. The supported mount +options are the same as the Linux default `mount` flags. If you do not specify +any options, the systems uses the following options: +`rw,noexec,nosuid,nodev,size=65536k`. + **-u**, **--user**="" Username or UID diff --git a/man/docker-run.1.md b/man/docker-run.1.md index 03eb1b66..7c56790f 100644 --- a/man/docker-run.1.md +++ b/man/docker-run.1.md @@ -60,6 +60,7 @@ docker-run - Run a command in a new container [**--shm-size**[=*[]*]] [**--sig-proxy**[=*true*]] [**-t**|**--tty**[=*false*]] +[**--tmpfs**[=*[CONTAINER-DIR[:]*]] [**-u**|**--user**[=*USER*]] [**-v**|**--volume**[=*[]*]] [**--ulimit**[=*[]*]] 
@@ -436,6 +437,20 @@ interactive shell. The default is false. The **-t** option is incompatible with a redirection of the docker client standard input. +**--tmpfs**=[] Create a tmpfs mount + + Mount a temporary filesystem (`tmpfs`) mount into a container, for example: + + $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image + + This command mounts a `tmpfs` at `/tmp` within the container. The mount copies +the underlying content of `my_image` into `/tmp`. For example if there was a +directory `/tmp/content` in the base image, docker will copy this directory and +all of its content on top of the tmpfs mounted on `/tmp`. The supported mount +options are the same as the Linux default `mount` flags. If you do not specify +any options, the systems uses the following options: +`rw,noexec,nosuid,nodev,size=65536k`. + **-u**, **--user**="" Sets the username or UID used and optionally the groupname or GID for the specified command. @@ -552,6 +567,19 @@ the exit codes follow the `chroot` standard, see below: # EXAMPLES +## Running container in read-only mode + +During container image development, containers often need to write to the image +content. Installing packages into /usr, for example. In production, +applications seldom need to write to the image. Container applications write +to volumes if they need to write to file systems at all. Applications can be +made more secure by running them in read-only mode using the --read-only switch. +This protects the containers image from modification. Read only containers may +still need to write temporary data. The best way to handle this is to mount +tmpfs directories on /run and /tmp. + + # docker run --read-only --tmpfs /run --tmpfs /tmp -i -t fedora /bin/bash + ## Exposing log messages from the container to the host's log If you want messages that are logged in your container to show up in the host's