14 KiB
obj | source | repo |
---|---|---|
application | https://docs.docker.com/compose | https://github.com/docker/compose |
Docker Compose
Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. Then, with a single command, you create and start all the services from your configuration.
#todo -> add docker-compose cli usage
Docker Compose file
The Compose file is a YAML file defining:
- Version (Optional)
- Services (Required)
- Networks
- Volumes
- Secrets
Service Configuration
build
Build specifies the image that should be build for the service instead of using an image directly.
build
can be specified either as a string containing a path to the build context:
version: "3.8"
services:
webapp:
build: ./dir
Or, as an object with the path specified under context and optionally Dockerfile and args:
version: "3.8"
services:
webapp:
build:
context: ./dir
dockerfile: Dockerfile-alternate
args:
buildno: 1
command
Override the default command.
command: bundle exec thin -p 3000
The command can also be a list, in a manner similar to dockerfile:
command: ["bundle", "exec", "thin", "-p", "3000"]
depends_on
depends_on
expresses startup and shutdown dependencies between services.
services:
web:
build: .
depends_on:
- db
- redis
redis:
image: redis
db:
image: postgres
devices
devices
defines a list of device mappings for created containers in the form of HOST_PATH:CONTAINER_PATH\[:CGROUP_PERMISSIONS]
.
devices:
- "/dev/ttyUSB0:/dev/ttyUSB0"
- "/dev/sda:/dev/xvda:rwm"
entrypoint
entrypoint
declares the default entrypoint for the service container. This overrides the ENTRYPOINT instruction from the service's Dockerfile.
If entrypoint is non-null, Compose ignores any default command from the image, for example the CMD instruction in the Dockerfile.
In its short form, the value can be defined as a string:
entrypoint: /code/entrypoint.sh
env_file
env_file
adds environment variables to the container based on the file content.
env_file: .env
env_file
can also be a list. The files in the list are processed from the top down. For the same variable specified in two env files, the value from the last file in the list stands.
env_file:
- ./a.env
- ./b.env
environment
environment
defines environment variables set in the container. environment can use either an array or a map. Any boolean values; true, false, yes, no, should be enclosed in quotes to ensure they are not converted to True or False by the YAML parser.
Environment variables can be declared by a single key (no value to equals sign). In this case Compose relies on you to resolve the value. If the value is not resolved, the variable is unset and is removed from the service container environment.
Map syntax:
environment:
RACK_ENV: development
SHOW: "true"
USER_INPUT:
Array syntax:
environment:
- RACK_ENV=development
- SHOW=true
- USER_INPUT
When both env_file and environment are set for a service, values set by environment have precedence.
healthcheck
healthcheck
declares a check that's run to determine whether or not the service containers are "healthy". It works in the same way, and has the same default values, as the HEALTHCHECK Dockerfile instruction
set by the service's Docker image. Your Compose file can override the values set in the Dockerfile.
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost"]
interval: 1m30s
timeout: 10s
retries: 3
start_period: 40s
start_interval: 5s
image
image
specifies the image to start the container from. image must follow the Open Container Specification addressable image format, as [<registry>/][<project>/]<image>[:<tag>|@<digest>
.
image: redis
image: redis:5
image: redis@sha256:0ed5d5928d4737458944eb604cc8509e245c3e19d02ad83935398bc4b991aac7
image: library/redis
image: docker.io/library/redis
image: my_private.registry:5000/redis
labels
labels
add metadata to containers. You can use either an array or a map.
It's recommended that you use reverse-DNS notation to prevent your labels from conflicting with those used by other software.
labels:
com.example.description: "Accounting webapp"
com.example.department: "Finance"
com.example.label-with-empty-value: ""
labels:
- "com.example.description=Accounting webapp"
- "com.example.department=Finance"
- "com.example.label-with-empty-value"
network_mode
network_mode
sets a service container's network mode. Available values are platform specific, but Compose defines specific values which must be implemented as described if supported:
none
: Turns off all container networking.host
: Gives the container raw access to the host's network interface.service:{name}
: Gives the containers access to the specified service only.
network_mode: "host"
network_mode: "none"
network_mode: "service:[service name]"
When set, the networks
attribute is not allowed and Compose rejects any Compose file containing both attributes.
networks
networks
defines the networks that service containers are attached to, referencing entries under the top-level networks key.
services:
some-service:
networks:
- some-network
- other-network
ports
Exposes container ports.
The short syntax is a colon-separated string to set the host IP, host port, and container port in the form:
[HOST:]CONTAINER[/PROTOCOL]
where:
HOST
is[IP:](port | range)
CONTAINER
isport | range
PROTOCOL
to restrict port to specified protocol. tcp and udp values are defined by the Specification.
If host IP is not set, it binds to all network interfaces. Ports can be either a single value or a range. Host and container must use equivalent ranges.
Either specify both ports (HOST:CONTAINER)
, or just the container port. In the latter case, Compose automatically allocates any unassigned port of the host.
HOST:CONTAINER
should always be specified as a (quoted) string, to avoid conflicts with yaml base-60 float
ports:
- "3000"
- "3000-3005"
- "8000:8000"
- "9090-9091:8080-8081"
- "49100:22"
- "8000-9000:80"
- "127.0.0.1:8001:8001"
- "127.0.0.1:5000-5010:5000-5010"
- "6060:6060/udp"
privileged
privileged
configures the service container to run with elevated privileges.
restart
restart
defines the policy that the platform applies on container termination.
no
: The default restart policy. It does not restart the container under any circumstances.always
: The policy always restarts the container until its removal.on-failure
: The policy restarts the container if the exit code indicates an error.unless-stopped
: The policy restarts the container irrespective of the exit code but stops restarting when the service is stopped or removed.
restart: "no"
restart: always
restart: on-failure
restart: unless-stopped
secrets
secrets
grants access to sensitive data defined by secrets on a per-service basis. Two different syntax variants are supported; the short syntax and the long syntax.
Compose reports an error if the secret doesn't exist on the platform or isn't defined in the secrets section of the Compose file.
Services can be granted access to multiple secrets. Long and short syntax for secrets may be used in the same Compose file. Defining a secret in the top-level secrets must not imply granting any service access to it. Such grant must be explicit within service specification as secrets service element.
The short syntax variant only specifies the secret name. This grants the container access to the secret and mounts it as read-only to /run/secrets/<secret_name>
within the container. The source name and destination mountpoint are both set to the secret name.
The following example uses the short syntax to grant the frontend service access to the server-certificate secret. The value of server-certificate is set to the contents of the file ./server.cert
.
services:
frontend:
image: example/webapp
secrets:
- server-certificate
secrets:
server-certificate:
file: ./server.cert
The long syntax provides more granularity in how the secret is created within the service's containers.
source
: The name of the secret as it exists on the platform.target
: The name of the file to be mounted in/run/secrets/
in the service's task container, or absolute path of the file if an alternate location is required. Defaults to source if not specified.uid
andgid
: The numeric UID or GID that owns the file within/run/secrets/
in the service's task containers. Default value is USER running container.mode
: The permissions for the file to be mounted in/run/secrets/
in the service's task containers, in octal notation. The default value is world-readable permissions (mode0444
). The writable bit must be ignored if set. The executable bit may be set.
The following example sets the name of the server-certificate secret file to server.crt within the container, sets the mode to 0440 (group-readable), and sets the user and group to 103. The value of server-certificate secret is provided by the platform through a lookup and the secret's lifecycle is not directly managed by Compose.
services:
frontend:
image: example/webapp
secrets:
- source: server-certificate
target: server.cert
uid: "103"
gid: "103"
mode: 0440
secrets:
server-certificate:
external: true
volumes
volumes
define mount host paths or named volumes that are accessible by service containers. You can use volumes
to define multiple types of mounts; volume
, bind
, tmpfs
, or npipe
.
The short syntax uses a single string with colon-separated values to specify a volume mount (VOLUME:CONTAINER_PATH)
, or an access mode (VOLUME:CONTAINER_PATH:ACCESS_MODE)
.
VOLUME
: Can be either a host path on the platform hosting containers (bind mount) or a volume name.CONTAINER_PATH
: The path in the container where the volume is mounted.ACCESS_MODE
: A comma-separated , list of options:-
rw
: Read and write access. This is the default if none is specified.
-
ro
: Read-only access.
volumes:
- ./volume:/mnt
Secrets
The top-level secrets declaration defines or references sensitive data that is granted to the services in your Compose application. The source of the secret is either file or environment.
file
: The secret is created with the contents of the file at the specified path.environment
: The secret is created with the value of an environment variable.external
: If set to true, external specifies that this secret has already been created. Compose does not attempt to create it, and if it does not exist, an error occurs.
secrets:
server-certificate:
file: ./server.cert
Docker Compose Deploy
The Compose Deploy Specification lets you declare additional metadata on services so Compose gets relevant data to allocate adequate resources on the platform and configure them to match your needs.
mode
mode
defines the replication model used to run the service on the platform. Either global
, exactly one container per physical node, or replicated
, a specified number of containers. The default is replicated
.
services:
frontend:
image: example/webapp
deploy:
mode: global
replicas
If the service is replicated
(which is the default), replicas
specifies the number of containers that should be running at any given time.
services:
frontend:
image: example/webapp
deploy:
mode: replicated
replicas: 6
restart_policy
restart_policy
configures if and how to restart containers when they exit. If restart_policy
is not set, Compose considers the restart field set by the service configuration.
condition
. When set to:-
none
, containers are not automatically restarted regardless of the exit status.
-
on-failure
, the container is restarted if it exits due to an error, which manifests as a non-zero exit code.
-
any
(default), containers are restarted regardless of the exit status.
delay
: How long to wait between restart attempts, specified as a duration. The default is 0, meaning restart attempts can occur immediately.max_attempts
: How many times to attempt to restart a container before giving up (default: never give up). If the restart does not succeed within the configuredwindow
, this attempt doesn't count toward the configuredmax_attempts
value. For example, ifmax_attempts
is set to '2', and the restart fails on the first attempt, more than two restarts must be attempted.window
: How long to wait before deciding if a restart has succeeded, specified as a duration (default: decide immediately).
deploy:
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
placement
placement
specifies constraints and preferences for the platform to select a physical node to run service containers.
constraints
constraints
defines a required property the platform's node must fulfill to run the service container. It can be set either by a list or a map with string values.
deploy:
placement:
constraints:
- disktype=ssd
deploy:
placement:
constraints:
disktype: ssd
preferences
defines a property the platform's node should fulfill to run service container. It can be set either by a list or a map with string values.
deploy:
placement:
preferences:
- datacenter=us-east
deploy:
placement:
preferences:
datacenter: us-east