Management of Docker containers
New in version 2017.7.0.
docker Python module
Note
Older releases of the Python bindings for Docker were called docker-py in
PyPI. All releases of docker, and releases of docker-py >= 1.6.0 are
supported. These python bindings can easily be installed using
pip.install
:
salt myminion pip.install docker
To upgrade from docker-py to docker, you must first uninstall docker-py, and then install docker:
salt myminion pip.uninstall docker-py
salt myminion pip.install docker
These states were moved from the docker
state
module (formerly called dockerng) in the 2017.7.0 release. When running the
docker_container.running
state for the first time after upgrading to 2017.7.0, your container(s) may be
replaced. The changes may show diffs for certain parameters which say that the
old value was an empty string, and the new value is None
. This is due to
the fact that in prior releases Salt was passing empty strings for these values
when creating the container if they were undefined in the SLS file, where now
Salt simply does not pass any arguments not explicitly defined in the SLS file.
Subsequent runs of the state should not replace the container if the
configuration remains unchanged.
Note
To pull from a Docker registry, authentication must be configured. See here for more information on how to configure access to docker registries in Pillar data.
Ensure that a container is absent
Name of the container
Set to True
to remove the container even if it is running
Usage Examples:
mycontainer:
docker_container.absent
multiple_containers:
docker_container.absent:
- names:
- foo
- bar
- baz
The docker_container watcher, called to invoke the watch command.
Note
This state exists to support special handling of the watch
requisite. It should not be called directly.
Parameters for this function should be set by the state being triggered.
New in version 2018.3.0.
Note
If no tag is specified in the image name, and nothing matching the
specified image is pulled on the minion, the docker pull
that
retrieves the image will pull all tags for the image. A tag of
latest
is not implicit for the pull. For this reason, it is
recommended to specify the image in repo:tag
notation.
Like the cmd.run
state, only for Docker.
Does the equivalent of a docker run
and returns information about the
container that was created, as well as its output.
This state accepts the same arguments as docker_container.running
, with the exception of
watch_action
, start
, and shutdown_timeout
(though the force
argument has a different meaning in this state).
In addition, this state accepts the arguments from docker.logs
, with the exception of follow
, to
control how logs are returned.
Additionally, the following arguments are supported:
A path or list of paths. Only run if one or more of the specified paths do not exist on the minion.
If True
, run container in background and do not await or deliver
its results.
Note
This may not be useful in cases where other states depend on the
results of this state. Also, the logs will be inaccessible once the
container exits if auto_remove
is set to True
, so keep this
in mind.
If True
, the state will return a False
result if the exit code
of the container is non-zero. When this argument is set to False
,
the state will return a True
result regardless of the container's
exit code.
Note
This has no effect if bg
is set to True
.
If True
, and if the named container already exists, this will
remove the existing container. The default behavior is to return a
False
result when the container already exists.
If True
, and the named container already exists, and replace
is also set to True
, then the container will be forcibly removed.
Otherwise, the state will not proceed and will return a False
result.
CLI Examples:
salt myminion docker.run_container myuser/myimage command=/usr/local/bin/myscript.sh
USAGE EXAMPLE
{% set pkg_version = salt.pillar.get('pkg_version', '1.0-1') %}
build_package:
docker_container.run:
- image: myuser/builder:latest
- binds: /home/myuser/builds:/build_dir
- command: /scripts/build.sh {{ pkg_version }}
- creates: /home/myuser/builds/myapp-{{ pkg_version }}.noarch.rpm
- replace: True
- networks:
- mynet
- require:
- docker_network: mynet
Ensure that a container with a specific configuration is present and running
Name of the container
Image to use for the container
Note
This state will pull the image if it is not present. However, if
the image needs to be built from a Dockerfile or loaded from a
saved image, or if you would like to use requisites to trigger a
replacement of the container when the image is updated, then the
docker_image.present
state should be used to
manage the image.
Changed in version 2018.3.0: If no tag is specified in the image name, and nothing matching the
specified image is pulled on the minion, the docker pull
that
retrieves the image will pull all tags for the image. A tag of
latest
is no longer implicit for the pull. For this reason, it
is recommended to specify the image in repo:tag
notation.
This function translates Salt CLI or SLS input into the format which docker-py expects. However, in the event that Salt's translation logic fails (due to potential changes in the Docker Remote API, or to bugs in the translation code), this argument can be used to exert granular control over which arguments are translated and which are not.
Pass this argument as a comma-separated list (or Python list) of
arguments, and translation for each passed argument name will be
skipped. Alternatively, pass True
and all translation will be
skipped.
Skipping tranlsation allows for arguments to be formatted directly in the format which docker-py expects. This allows for API changes and other issues to be more easily worked around. An example of using this option to skip translation would be:
For example, imagine that there is an issue with processing the
port_bindings
argument, and the following configuration no longer
works as expected:
mycontainer:
docker_container.running:
- image: 7.3.1611
- port_bindings:
- 10.2.9.10:8080:80
By using skip_translate
, you can forego the input translation and
configure the port binding in the format docker-py needs:
mycontainer:
docker_container.running:
- image: 7.3.1611
- skip_translate: port_bindings
- port_bindings: {8080: [('10.2.9.10', 80)], '4193/udp': 9314}
See the following links for more information:
Since many of docker-py's arguments differ in name from their CLI
counterparts (with which most Docker users are more familiar), Salt
detects usage of these and aliases them to the docker-py version of
that argument so that both CLI and API versions of a given argument are
supported. However, if both the alias and the docker-py version of the
same argument (e.g. env
and environment
) are used, an error
will be raised. Set this argument to True
to suppress these errors
and keep the docker-py version of the argument.
For parameters which accept IP addresses as input, IP address
validation will be performed. To disable, set this to False
Set this parameter to True
to force Salt to re-create the container
irrespective of whether or not it is configured as desired.
Control what type of action is taken when this state watches another state that has changes. The default action
is force
, which runs the state with force
set to True
,
triggering a rebuild of the container.
If any other value is passed, it will be assumed to be a kill signal.
If the container matches the specified configuration, and is running,
then the action will be to send that signal to the container. Kill
signals can be either strings or numbers, and are defined in the
Standard Signals section of the signal(7)
manpage. Run man 7
signal
on a Linux host to browse this manpage. For example:
mycontainer:
docker_container.running:
- image: busybox
- watch_action: SIGHUP
- watch:
- file: some_file
Note
If the container differs from the specified configuration, or is not running, then instead of sending a signal to the container, the container will be re-created/started and no signal will be sent.
Set to False
to suppress starting of the container if it exists,
matches the desired configuration, but is not running. This is useful
for data-only containers, or for non-daemonized container processes,
such as the Django migrate
and collectstatic
commands. In
instances such as this, the container only needs to be started the
first time.
If the container needs to be replaced, the container will be stopped
using docker.stop
. If a
shutdown_timout
is not set, and the container was created using
stop_timeout
, that timeout will be used. If neither of these values
were set, then a timeout of 10 seconds will be used.
Changed in version 2017.7.0: This option was renamed from stop_timeout
to
shutdown_timeout
to accommodate the stop_timeout
container
configuration setting.
Timeout in seconds for the Docker client. This is not a timeout for this function, but for receiving a response from the API.
Note
This is only used if Salt needs to pull the requested image.
NETWORK MANAGEMENT
New in version 2018.3.0.
Changed in version 2019.2.0: If the networks
option is used, any networks (including the default
bridge
network) which are not specified will be disconnected.
The networks
argument can be used to ensure that a container is
attached to one or more networks. Optionally, arguments can be passed to
the networks. In the example below, net1
is being configured with
arguments, while net2
and bridge
are being configured without
arguments:
foo:
docker_container.running:
- image: myuser/myimage:foo
- networks:
- net1:
- aliases:
- bar
- baz
- ipv4_address: 10.0.20.50
- net2
- bridge
- require:
- docker_network: net1
- docker_network: net2
The supported arguments are the ones from the docker-py's
connect_container_to_network function (other than container
and
net_id
).
Important
Unlike with the arguments described in the CONTAINER CONFIGURATION PARAMETERS section below, these network configuration parameters are not translated at all. Consult the connect_container_to_network documentation for the correct type/format of data to pass.
To start a container with no network connectivity (only possible in 2019.2.0 and later) pass this option as an empty list. For example:
foo:
docker_container.running:
- image: myuser/myimage:foo
- networks: []
CONTAINER CONFIGURATION PARAMETERS
Enable auto-removal of the container on daemon side when the
container’s process exits (analogous to running a docker container with
--rm
on the CLI).
foo:
docker_container.running:
- image: bar/baz:latest
- auto_remove: True
Files/directories to bind mount. Each bind mount should be passed in one of the following formats:
<host_path>:<container_path>
- host_path
is mounted within
the container as container_path
with read-write access.
<host_path>:<container_path>:<selinux_context>
- host_path
is
mounted within the container as container_path
with read-write
access. Additionally, the specified selinux context will be set
within the container.
<host_path>:<container_path>:<read_only>
- host_path
is
mounted within the container as container_path
, with the
read-only or read-write setting explicitly defined.
<host_path>:<container_path>:<read_only>,<selinux_context>
-
host_path
is mounted within the container as container_path
,
with the read-only or read-write setting explicitly defined.
Additionally, the specified selinux context will be set within the
container.
<read_only>
can be either rw
for read-write access, or ro
for read-only access. When omitted, it is assumed to be read-write.
<selinux_context>
can be z
if the volume is shared between
multiple containers, or Z
if the volume should be private.
Note
When both <read_only>
and <selinux_context>
are specified,
there must be a comma before <selinux_context>
.
Binds can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- binds: /srv/www:/var/www:ro,/etc/foo.conf:/usr/local/etc/foo.conf:rw
foo:
docker_container.running:
- image: bar/baz:latest
- binds:
- /srv/www:/var/www:ro
- /home/myuser/conf/foo.conf:/etc/foo.conf:rw
However, in cases where both ro/rw and an selinux context are combined, the only option is to use a YAML list, like so:
foo:
docker_container.running:
- image: bar/baz:latest
- binds:
- /srv/www:/var/www:ro,Z
- /home/myuser/conf/foo.conf:/etc/foo.conf:rw,Z
Since the second bind in the previous example is mounted read-write,
the rw
and comma can be dropped. For example:
foo:
docker_container.running:
- image: bar/baz:latest
- binds:
- /srv/www:/var/www:ro,Z
- /home/myuser/conf/foo.conf:/etc/foo.conf:Z
Block IO weight (relative weight), accepts a weight value between 10 and 1000.
foo:
docker_container.running:
- image: bar/baz:latest
- blkio_weight: 100
Block IO weight (relative device weight), specified as a list of
expressions in the format PATH:RATE
foo:
docker_container.running:
- image: bar/baz:latest
- blkio_weight_device: /dev/sda:100
List of capabilities to add within the container. Can be expressed as a comma-separated list or a Python list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- cap_add: SYS_ADMIN,MKNOD
foo:
docker_container.running:
- image: bar/baz:latest
- cap_add:
- SYS_ADMIN
- MKNOD
Note
This option requires Docker 1.2.0 or newer.
List of capabilities to drop within the container. Can be expressed as a comma-separated list or a Python list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- cap_drop: SYS_ADMIN,MKNOD
foo:
docker_container.running:
- image: bar/baz:latest
- cap_drop:
- SYS_ADMIN
- MKNOD
Note
This option requires Docker 1.2.0 or newer.
Command to run in the container
foo:
docker_container.running:
- image: bar/baz:latest
- command: bash
CPUs on which which to allow execution, specified as a string
containing a range (e.g. 0-3
) or a comma-separated list of CPUs
(e.g. 0,1
).
foo:
docker_container.running:
- image: bar/baz:latest
- cpuset_cpus: "0,1"
Memory nodes on which which to allow execution, specified as a string
containing a range (e.g. 0-3
) or a comma-separated list of MEMs
(e.g. 0,1
). Only effective on NUMA systems.
foo:
docker_container.running:
- image: bar/baz:latest
- cpuset_mems: "0,1"
The length of a CPU period in microseconds
foo:
docker_container.running:
- image: bar/baz:latest
- cpu_group: 100000
Microseconds of CPU time that the container can get in a CPU period
foo:
docker_container.running:
- image: bar/baz:latest
- cpu_period: 50000
CPU shares (relative weight), specified as an integer between 2 and 1024.
foo:
docker_container.running:
- image: bar/baz:latest
- cpu_shares: 512
If True
, run the container's command in the background (daemon
mode)
foo:
docker_container.running:
- image: bar/baz:latest
- detach: True
List of host devices to expose within the container. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- devices: /dev/net/tun,/dev/xvda1:/dev/xvda1,/dev/xvdb1:/dev/xvdb1:r
foo:
docker_container.running:
- image: bar/baz:latest
- devices:
- /dev/net/tun
- /dev/xvda1:/dev/xvda1
- /dev/xvdb1:/dev/xvdb1:r
Limit read rate (bytes per second) from a device, specified as a list
of expressions in the format PATH:RATE
, where RATE
is either an
integer number of bytes, or a string ending in kb
, mb
, or
gb
. Can be expressed as a comma-separated list or a YAML list. The
below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- devices_read_bps: /dev/sda:1mb,/dev/sdb:5mb
foo:
docker_container.running:
- image: bar/baz:latest
- devices_read_bps:
- /dev/sda:1mb
- /dev/sdb:5mb
Limit read rate (I/O per second) from a device, specified as a list
of expressions in the format PATH:RATE
, where RATE
is a number
of I/O operations. Can be expressed as a comma-separated list or a YAML
list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- devices_read_iops: /dev/sda:1000,/dev/sdb:500
foo:
docker_container.running:
- image: bar/baz:latest
- devices_read_iops:
- /dev/sda:1000
- /dev/sdb:500
Limit write rate (bytes per second) from a device, specified as a list
of expressions in the format PATH:RATE
, where RATE
is either an
integer number of bytes, or a string ending in kb
, mb
, or
gb
. Can be expressed as a comma-separated list or a YAML list. The
below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- devices_write_bps: /dev/sda:1mb,/dev/sdb:5mb
foo:
docker_container.running:
- image: bar/baz:latest
- devices_write_bps:
- /dev/sda:1mb
- /dev/sdb:5mb
Limit write rate (I/O per second) from a device, specified as a list
of expressions in the format PATH:RATE
, where RATE
is a number
of I/O operations. Can be expressed as a comma-separated list or a
YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- devices_write_iops: /dev/sda:1000,/dev/sdb:500
foo:
docker_container.running:
- image: bar/baz:latest
- devices_write_iops:
- /dev/sda:1000
- /dev/sdb:500
List of DNS nameservers. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- dns: 8.8.8.8,8.8.4.4
foo:
docker_container.running:
- image: bar/baz:latest
- dns:
- 8.8.8.8
- 8.8.4.4
Note
To skip IP address validation, use validate_ip_addrs=False
Additional options to be added to the container’s resolv.conf
file.
Can be expressed as a comma-separated list or a YAML list. The below
two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- dns_opt: ndots:9
foo:
docker_container.running:
- image: bar/baz:latest
- dns_opt:
- ndots:9
List of DNS search domains. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- dns_search: foo1.domain.tld,foo2.domain.tld
foo:
docker_container.running:
- image: bar/baz:latest
- dns_search:
- foo1.domain.tld
- foo2.domain.tld
The domain name to use for the container
foo:
docker_container.running:
- image: bar/baz:latest
- dommainname: domain.tld
Entrypoint for the container
foo:
docker_container.running:
- image: bar/baz:latest
- entrypoint: "mycmd --arg1 --arg2"
This argument can also be specified as a list:
foo:
docker_container.running:
- image: bar/baz:latest
- entrypoint:
- mycmd
- --arg1
- --arg2
Either a list of variable/value mappings, or a list of strings in the
format VARNAME=value
. The below three examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- environment:
- VAR1: value
- VAR2: value
foo:
docker_container.running:
- image: bar/baz:latest
- environment: 'VAR1=value,VAR2=value'
foo:
docker_container.running:
- image: bar/baz:latest
- environment:
- VAR1=value
- VAR2=value
Additional hosts to add to the container's /etc/hosts file. Can be expressed as a comma-separated list or a Python list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- extra_hosts: web1:10.9.8.7,web2:10.9.8.8
foo:
docker_container.running:
- image: bar/baz:latest
- extra_hosts:
- web1:10.9.8.7
- web2:10.9.8.8
Note
To skip IP address validation, use validate_ip_addrs=False
Note
This option requires Docker 1.3.0 or newer.
List of additional group names and/or IDs that the container process will run as. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- group_add: web,network
foo:
docker_container.running:
- image: bar/baz:latest
- group_add:
- web
- network
Hostname of the container. If not provided, the value passed as the container's``name`` will be used for the hostname.
foo:
docker_container.running:
- image: bar/baz:latest
- hostname: web1
Warning
hostname
cannot be set if network_mode
is set to host
.
The below example will result in an error:
foo:
docker_container.running:
- image: bar/baz:latest
- hostname: web1
- network_mode: host
Leave stdin open, even if not attached
foo:
docker_container.running:
- image: bar/baz:latest
- interactive: True
Set the IPC mode for the container. The default behavior is to create a private IPC namespace for the container, but this option can be used to change that behavior:
container:<container_name_or_id>
reuses another container shared
memory, semaphores and message queues
host
: use the host's shared memory, semaphores and message queues
foo:
docker_container.running:
- image: bar/baz:latest
- ipc_mode: container:foo
foo:
docker_container.running:
- image: bar/baz:latest
- ipc_mode: host
Warning
Using host
gives the container full access to local shared
memory and is therefore considered insecure.
Specifies the type of isolation technology used by containers
foo:
docker_container.running:
- image: bar/baz:latest
- isolation: hyperv
Note
The default value on Windows server is process
, while the
default value on Windows client is hyperv
. On Linux, only
default
is supported.
Add metadata to the container. Labels can be set both with and without
values, and labels with values can be passed either as key=value
or
key: value
pairs. For example, while the below would be very
confusing to read, it is technically valid, and demonstrates the
different ways in which labels can be passed:
mynet:
docker_network.present:
- labels:
- foo
- bar=baz
- hello: world
The labels can also simply be passed as a YAML dictionary, though this can be error-prone due to some idiosyncrasies with how PyYAML loads nested data structures:
foo:
docker_network.present:
- labels:
foo: ''
bar: baz
hello: world
Changed in version 2018.3.0: Methods for specifying labels can now be mixed. Earlier releases required either labels with or without values.
Link this container to another. Links can be specified as a list of
mappings or a comma-separated or Python list of expressions in the
format <container_name_or_id>:<link_alias>
. The below three
examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- links:
- web1: link1
- web2: link2
foo:
docker_container.running:
- image: bar/baz:latest
- links: web1:link1,web2:link2
foo:
docker_container.running:
- image: bar/baz:latest
- links:
- web1:link1
- web2:link2
Set container's logging driver and options to configure that driver. Requires Docker 1.6 or newer.
foo:
docker_container.running:
- image: bar/baz:latest
- log_driver: syslog
- log_opt:
- syslog-address: tcp://192.168.0.42
- syslog-facility: daemon
The log_opt
can also be expressed as a comma-separated or YAML list
of key=value
pairs. The below two examples are equivalent to the
above one:
foo:
docker_container.running:
- image: bar/baz:latest
- log_driver: syslog
- log_opt: "syslog-address=tcp://192.168.0.42,syslog-facility=daemon"
foo:
docker_container.running:
- image: bar/baz:latest
- log_driver: syslog
- log_opt:
- syslog-address=tcp://192.168.0.42
- syslog-facility=daemon
Note
The logging driver feature was improved in Docker 1.13 introducing option name changes. Please see Docker's Configure logging drivers documentation for more information.
Additional LXC configuration parameters to set before starting the
container. Either a list of variable/value mappings, or a list of
strings in the format VARNAME=value
. The below three examples are
equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- lxc_conf:
- lxc.utsname: docker
- lxc.arch: x86_64
foo:
docker_container.running:
- image: bar/baz:latest
- lxc_conf: lxc.utsname=docker,lxc.arch=x86_64
foo:
docker_container.running:
- image: bar/baz:latest
- lxc_conf:
- lxc.utsname=docker
- lxc.arch=x86_64
Note
These LXC configuration parameters will only have the desired effect if the container is using the LXC execution driver, which has been deprecated for some time.
MAC address to use for the container. If not specified, a random MAC address will be used.
foo:
docker_container.running:
- image: bar/baz:latest
- mac_address: 01:23:45:67:89:0a
Memory limit. Can be specified in bytes or using single-letter units
(i.e. 512M
, 2G
, etc.). A value of 0
(the default) means no
memory limit.
foo:
docker_container.running:
- image: bar/baz:latest
- mem_limit: 512M
Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
foo:
docker_container.running:
- image: bar/baz:latest
- mem_swappiness: 60
Total memory limit (memory plus swap). Set to -1
to disable swap. A
value of 0
means no swap limit.
foo:
docker_container.running:
- image: bar/baz:latest
- memswap_limit: 1G
If True
, networking will be disabled within the container
foo:
docker_container.running:
- image: bar/baz:latest
- network_disabled: True
One of the following:
bridge
- Creates a new network stack for the container on the
docker bridge
none
- No networking (equivalent of the Docker CLI argument
--net=none
). Not to be confused with Python's None
.
container:<name_or_id>
- Reuses another container's network stack
host
- Use the host's network stack inside the container
Warning
Using host
mode gives the container full access to the
hosts system's services (such as D-bus), and is therefore
considered insecure.
foo:
docker_container.running:
- image: bar/baz:latest
- network_mode: "none"
foo:
docker_container.running:
- image: bar/baz:latest
- network_mode: container:web1
Whether to disable OOM killer
foo:
docker_container.running:
- image: bar/baz:latest
- oom_kill_disable: False
An integer value containing the score given to the container in order to tune OOM killer preferences
foo:
docker_container.running:
- image: bar/baz:latest
- oom_score_adj: 500
Set to host
to use the host container's PID namespace within the
container. Requires Docker 1.5.0 or newer.
foo:
docker_container.running:
- image: bar/baz:latest
- pid_mode: host
Note
This option requires Docker 1.5.0 or newer.
Set the container's PID limit. Set to -1
for unlimited.
foo:
docker_container.running:
- image: bar/baz:latest
- pids_limit: 2000
Bind exposed ports. Port bindings should be passed in the same way as
the --publish
argument to the docker run
CLI command:
ip:hostPort:containerPort
- Bind a specific IP and port on the
host to a specific port within the container.
ip::containerPort
- Bind a specific IP and an ephemeral port to a
specific port within the container.
hostPort:containerPort
- Bind a specific port on all of the
host's interfaces to a specific port within the container.
containerPort
- Bind an ephemeral port on all of the host's
interfaces to a specific port within the container.
Multiple bindings can be separated by commas, or expressed as a YAML list, and port ranges can be defined using dashes. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- port_bindings: "4505-4506:14505-14506,2123:2123/udp,8080"
foo:
docker_container.running:
- image: bar/baz:latest
- port_bindings:
- 4505-4506:14505-14506
- 2123:2123/udp
- 8080
Note
When specifying a protocol, it must be passed in the
containerPort
value, as seen in the examples above.
A list of ports to expose on the container. Can either be a comma-separated list or a YAML list. If the protocol is omitted, the port will be assumed to be a TCP port. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- ports: 1111,2222/udp
foo:
docker_container.running:
- image: bar/baz:latest
- ports:
- 1111
- 2222/udp
If True
, runs the exec process with extended privileges
foo:
docker_container.running:
- image: bar/baz:latest
- privileged: True
Publish all ports to the host
foo:
docker_container.running:
- image: bar/baz:latest
- ports: 8080
- publish_all_ports: True
If True
, mount the container’s root filesystem as read only
foo:
docker_container.running:
- image: bar/baz:latest
- read_only: True
Set a restart policy for the container. Must be passed as a string in
the format policy[:retry_count]
where policy
is one of
always
, unless-stopped
, or on-failure
, and retry_count
is an optional limit to the number of retries. The retry count is ignored
when using the always
or unless-stopped
restart policy.
foo:
docker_container.running:
- image: bar/baz:latest
- restart_policy: on-failure:5
bar:
docker_container.running:
- image: bar/baz:latest
- restart_policy: always
Security configuration for MLS systems such as SELinux and AppArmor. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- security_opt: apparmor:unconfined
foo:
docker_container.running:
- image: bar/baz:latest
- security_opt:
- apparmor:unconfined
Important
Some security options can contain commas. In these cases, this argument must be passed as a Python list, as splitting by comma will result in an invalid configuration.
Note
See the documentation for security_opt at https://docs.docker.com/engine/reference/run/#security-configuration
Size of /dev/shm
foo:
docker_container.running:
- image: bar/baz:latest
- shm_size: 128M
Specify the signal docker will send to the container when stopping. Useful when running systemd as PID 1 inside the container.
foo:
docker_container.running:
- image: bar/baz:latest
- stop_signal: SIGRTMIN+3
Note
This option requires Docker 1.9.0 or newer and docker-py 1.7.0 or newer.
New in version 2016.11.0.
Timeout to stop the container, in seconds
foo:
docker_container.running:
- image: bar/baz:latest
- stop_timeout: 5
Note
In releases prior to 2017.7.0, this option was not set in the
container configuration, but rather this timeout was enforced only
when shutting down an existing container to replace it. To remove
the ambiguity, and to allow for the container to have a stop
timeout set for it, the old stop_timeout
argument has been
renamed to shutdown_timeout
, while stop_timeout
now refer's
to the container's configured stop timeout.
Storage driver options for the container. Can be either a list of
strings in the format option=value
, or a list of mappings between
option and value. The below three examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- storage_opt:
- dm.basesize: 40G
foo:
docker_container.running:
- image: bar/baz:latest
- storage_opt: dm.basesize=40G
foo:
docker_container.running:
- image: bar/baz:latest
- storage_opt:
- dm.basesize=40G
Set sysctl options for the container. Can be either a list of strings
in the format option=value
, or a list of mappings between option
and value. The below three examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- sysctls:
- fs.nr_open: 1048576
- kernel.pid_max: 32768
foo:
docker_container.running:
- image: bar/baz:latest
- sysctls: fs.nr_open=1048576,kernel.pid_max=32768
foo:
docker_container.running:
- image: bar/baz:latest
- sysctls:
- fs.nr_open=1048576
- kernel.pid_max=32768
A map of container directories which should be replaced by tmpfs mounts and their corresponding mount options.
foo:
docker_container.running:
- image: bar/baz:latest
- tmpfs:
- /run: rw,noexec,nosuid,size=65536k
Attach TTYs
foo:
docker_container.running:
- image: bar/baz:latest
- tty: True
List of ulimits. These limits should be passed in the format
<ulimit_name>:<soft_limit>:<hard_limit>
, with the hard limit being
optional. Can be expressed as a comma-separated list or a YAML list.
The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- ulimits: nofile=1024:1024,nproc=60
foo:
docker_container.running:
- image: bar/baz:latest
- ulimits:
- nofile=1024:1024
- nproc=60
User under which to run exec process
foo:
docker_container.running:
- image: bar/baz:latest
- user: foo
Sets the user namsepace mode, when the user namespace remapping option is enabled
foo:
docker_container.running:
- image: bar/baz:latest
- userns_mode: host
List of directories to expose as volumes. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- volumes: /mnt/vol1,/mnt/vol2
foo:
docker_container.running:
- image: bar/baz:latest
- volumes:
- /mnt/vol1
- /mnt/vol2
Container names or IDs from which the container will get volumes. Can be expressed as a comma-separated list or a YAML list. The below two examples are equivalent:
foo:
docker_container.running:
- image: bar/baz:latest
- volumes_from: foo
foo:
docker_container.running:
- image: bar/baz:latest
- volumes_from:
- foo
sets the container's volume driver
foo:
docker_container.running:
- image: bar/baz:latest
- volume_driver: foobar
Working directory inside the container
foo:
docker_container.running:
- image: bar/baz:latest
- working_dir: /var/log/nginx
Ensure that a container (or containers) is stopped
Name or ID of the container
Run this state on more than one container at a time. The following two examples accomplish the same thing:
stopped_containers:
docker_container.stopped:
- names:
- foo
- bar
- baz
stopped_containers:
docker_container.stopped:
- containers:
- foo
- bar
- baz
However, the second example will be a bit quicker since Salt will stop all specified containers in a single run, rather than executing the state separately on each image (as it would in the first example).
Timeout for graceful shutdown of the container. If this timeout is
exceeded, the container will be killed. If this value is not passed,
then the container's configured stop_timeout
will be observed. If
stop_timeout
was also unset on the container, then a timeout of 10
seconds will be used.
Set to True
to unpause any paused containers before stopping. If
unset, then an error will be raised for any container that was paused.
By default, this state will return an error if any of the specified
containers are absent. Set this to False
to suppress that error.