mirror of https://github.com/docker/docs.git
				
				
				
			
		
			
				
	
	
		
			1009 lines
		
	
	
		
			49 KiB
		
	
	
	
		
			YAML
		
	
	
	
			
		
		
	
	
			1009 lines
		
	
	
		
			49 KiB
		
	
	
	
		
			YAML
		
	
	
	
| command: docker service create
 | |
| short: Create a new service
 | |
| long: |-
 | |
|   Creates a service as described by the specified parameters. You must run this
 | |
|   command on a manager node.  
 | |
| usage: docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]
 | |
| pname: docker service
 | |
| plink: docker_service.yaml
 | |
| options:
 | |
| - option: config
 | |
|   value_type: config
 | |
|   description: Specify configurations to expose to the service
 | |
|   deprecated: false
 | |
|   min_api_version: "1.30"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: constraint
 | |
|   value_type: list
 | |
|   description: Placement constraints
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: container-label
 | |
|   value_type: list
 | |
|   description: Container labels
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: credential-spec
 | |
|   value_type: credential-spec
 | |
|   description: Credential spec for managed service account (Windows only)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.29"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: detach
 | |
|   shorthand: d
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: |
 | |
|     Exit immediately instead of waiting for the service to converge    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.29"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: dns
 | |
|   value_type: list
 | |
|   description: Set custom DNS servers
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: dns-option
 | |
|   value_type: list
 | |
|   description: Set DNS options
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: dns-search
 | |
|   value_type: list
 | |
|   description: Set custom DNS search domains
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: endpoint-mode
 | |
|   value_type: string
 | |
|   default_value: vip
 | |
|   description: Endpoint mode (vip or dnsrr)
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: entrypoint
 | |
|   value_type: command
 | |
|   description: Overwrite the default ENTRYPOINT of the image
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: env
 | |
|   shorthand: e
 | |
|   value_type: list
 | |
|   description: Set environment variables
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: env-file
 | |
|   value_type: list
 | |
|   description: Read in a file of environment variables
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: generic-resource
 | |
|   value_type: list
 | |
|   description: User defined resources
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: group
 | |
|   value_type: list
 | |
|   description: Set one or more supplementary user groups for the container
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: health-cmd
 | |
|   value_type: string
 | |
|   description: Command to run to check health
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: health-interval
 | |
|   value_type: duration
 | |
|   description: Time between running the check (ms|s|m|h)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: health-retries
 | |
|   value_type: int
 | |
|   default_value: "0"
 | |
|   description: Consecutive failures needed to report unhealthy
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: health-start-period
 | |
|   value_type: duration
 | |
|   description: |
 | |
|     Start period for the container to initialize before counting retries towards unstable (ms|s|m|h)    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.29"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: health-timeout
 | |
|   value_type: duration
 | |
|   description: Maximum time to allow one check to run (ms|s|m|h)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: host
 | |
|   value_type: list
 | |
|   description: Set one or more custom host-to-IP mappings (host:ip)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: hostname
 | |
|   value_type: string
 | |
|   description: Container hostname
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: init
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: |
 | |
|     Use an init inside each service container to forward signals and reap processes    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.37"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: isolation
 | |
|   value_type: string
 | |
|   description: Service container isolation mode
 | |
|   deprecated: false
 | |
|   min_api_version: "1.35"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: label
 | |
|   shorthand: l
 | |
|   value_type: list
 | |
|   description: Service labels
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: limit-cpu
 | |
|   value_type: decimal
 | |
|   description: Limit CPUs
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: limit-memory
 | |
|   value_type: bytes
 | |
|   default_value: "0"
 | |
|   description: Limit Memory
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: log-driver
 | |
|   value_type: string
 | |
|   description: Logging driver for service
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: log-opt
 | |
|   value_type: list
 | |
|   description: Logging driver options
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: mode
 | |
|   value_type: string
 | |
|   default_value: replicated
 | |
|   description: Service mode (replicated or global)
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: mount
 | |
|   value_type: mount
 | |
|   description: Attach a filesystem mount to the service
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: name
 | |
|   value_type: string
 | |
|   description: Service name
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: network
 | |
|   value_type: network
 | |
|   description: Network attachments
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: no-healthcheck
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: Disable any container-specified HEALTHCHECK
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: no-resolve-image
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: |
 | |
|     Do not query the registry to resolve image digest and supported platforms    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.30"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: placement-pref
 | |
|   value_type: pref
 | |
|   description: Add a placement preference
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: publish
 | |
|   shorthand: p
 | |
|   value_type: port
 | |
|   description: Publish a port as a node port
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: quiet
 | |
|   shorthand: q
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: Suppress progress output
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: read-only
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: Mount the container's root filesystem as read only
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: replicas
 | |
|   value_type: uint
 | |
|   description: Number of tasks
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: replicas-max-per-node
 | |
|   value_type: uint64
 | |
|   default_value: "0"
 | |
|   description: Maximum number of tasks per node (default 0 = unlimited)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.40"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: reserve-cpu
 | |
|   value_type: decimal
 | |
|   description: Reserve CPUs
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: reserve-memory
 | |
|   value_type: bytes
 | |
|   default_value: "0"
 | |
|   description: Reserve Memory
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: restart-condition
 | |
|   value_type: string
 | |
|   description: |
 | |
|     Restart when condition is met ("none"|"on-failure"|"any") (default "any")    
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: restart-delay
 | |
|   value_type: duration
 | |
|   description: Delay between restart attempts (ns|us|ms|s|m|h) (default 5s)
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: restart-max-attempts
 | |
|   value_type: uint
 | |
|   description: Maximum number of restarts before giving up
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: restart-window
 | |
|   value_type: duration
 | |
|   description: Window used to evaluate the restart policy (ns|us|ms|s|m|h)
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: rollback-delay
 | |
|   value_type: duration
 | |
|   default_value: 0s
 | |
|   description: Delay between task rollbacks (ns|us|ms|s|m|h) (default 0s)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: rollback-failure-action
 | |
|   value_type: string
 | |
|   description: |
 | |
|     Action on rollback failure ("pause"|"continue") (default "pause")    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: rollback-max-failure-ratio
 | |
|   value_type: float
 | |
|   default_value: "0"
 | |
|   description: Failure rate to tolerate during a rollback (default 0)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: rollback-monitor
 | |
|   value_type: duration
 | |
|   default_value: 0s
 | |
|   description: |
 | |
|     Duration after each task rollback to monitor for failure (ns|us|ms|s|m|h) (default 5s)    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: rollback-order
 | |
|   value_type: string
 | |
|   description: |
 | |
|     Rollback order ("start-first"|"stop-first") (default "stop-first")    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.29"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: rollback-parallelism
 | |
|   value_type: uint64
 | |
|   default_value: "1"
 | |
|   description: |
 | |
|     Maximum number of tasks rolled back simultaneously (0 to roll back all at once)    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: secret
 | |
|   value_type: secret
 | |
|   description: Specify secrets to expose to the service
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: stop-grace-period
 | |
|   value_type: duration
 | |
|   description: |
 | |
|     Time to wait before force killing a container (ns|us|ms|s|m|h) (default 10s)    
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: stop-signal
 | |
|   value_type: string
 | |
|   description: Signal to stop the container
 | |
|   deprecated: false
 | |
|   min_api_version: "1.28"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: sysctl
 | |
|   value_type: list
 | |
|   description: Sysctl options
 | |
|   deprecated: false
 | |
|   min_api_version: "1.40"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: tty
 | |
|   shorthand: t
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: Allocate a pseudo-TTY
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: update-delay
 | |
|   value_type: duration
 | |
|   default_value: 0s
 | |
|   description: Delay between updates (ns|us|ms|s|m|h) (default 0s)
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: update-failure-action
 | |
|   value_type: string
 | |
|   description: |
 | |
|     Action on update failure ("pause"|"continue"|"rollback") (default "pause")    
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: update-max-failure-ratio
 | |
|   value_type: float
 | |
|   default_value: "0"
 | |
|   description: Failure rate to tolerate during an update (default 0)
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: update-monitor
 | |
|   value_type: duration
 | |
|   default_value: 0s
 | |
|   description: |
 | |
|     Duration after each task update to monitor for failure (ns|us|ms|s|m|h) (default 5s)    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.25"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: update-order
 | |
|   value_type: string
 | |
|   description: |
 | |
|     Update order ("start-first"|"stop-first") (default "stop-first")    
 | |
|   deprecated: false
 | |
|   min_api_version: "1.29"
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: update-parallelism
 | |
|   value_type: uint64
 | |
|   default_value: "1"
 | |
|   description: |
 | |
|     Maximum number of tasks updated simultaneously (0 to update all at once)    
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: user
 | |
|   shorthand: u
 | |
|   value_type: string
 | |
|   description: 'Username or UID (format: <name|uid>[:<group|gid>])'
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: with-registry-auth
 | |
|   value_type: bool
 | |
|   default_value: "false"
 | |
|   description: Send registry authentication details to swarm agents
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| - option: workdir
 | |
|   shorthand: w
 | |
|   value_type: string
 | |
|   description: Working directory inside the container
 | |
|   deprecated: false
 | |
|   experimental: false
 | |
|   experimentalcli: false
 | |
|   kubernetes: false
 | |
|   swarm: false
 | |
| examples: "### Create a service\n\n```bash\n$ docker service create --name redis redis:3.0.6\n\ndmu1ept4cxcfe8k8lhtux3ro3\n\n$
 | |
|   docker service create --mode global --name redis2 redis:3.0.6\n\na8q9dasaafudfs8q8w32udass\n\n$
 | |
|   docker service ls\n\nID            NAME    MODE        REPLICAS  IMAGE\ndmu1ept4cxcf
 | |
|   \ redis   replicated  1/1       redis:3.0.6\na8q9dasaafud  redis2  global      1/1
 | |
|   \      redis:3.0.6\n```\n\n#### Create a service using an image on a private registry\n\nIf
 | |
|   your image is available on a private registry which requires login, use the\n`--with-registry-auth`
 | |
|   flag with `docker service create`, after logging in. If\nyour image is stored on
 | |
|   `registry.example.com`, which is a private registry, use\na command like the following:\n\n```bash\n$
 | |
|   docker login registry.example.com\n\n$ docker service  create \\\n  --with-registry-auth
 | |
|   \\\n  --name my_service \\\n  registry.example.com/acme/my_image:latest\n```\n\nThis
 | |
|   passes the login token from your local client to the swarm nodes where the\nservice
 | |
|   is deployed, using the encrypted WAL logs. With this information, the\nnodes are
 | |
|   able to log into the registry and pull the image.\n\n### Create a service with 5
 | |
|   replica tasks (--replicas)\n\nUse the `--replicas` flag to set the number of replica
 | |
|   tasks for a replicated\nservice. The following command creates a `redis` service
 | |
|   with `5` replica tasks:\n\n```bash\n$ docker service create --name redis --replicas=5
 | |
|   redis:3.0.6\n\n4cdgfyky7ozwh3htjfw0d12qv\n```\n\nThe above command sets the *desired*
 | |
|   number of tasks for the service. Even\nthough the command returns immediately, actual
 | |
|   scaling of the service may take\nsome time. The `REPLICAS` column shows both the
 | |
|   *actual* and *desired* number\nof replica tasks for the service.\n\nIn the following
 | |
|   example the desired state is  `5` replicas, but the current\nnumber of `RUNNING`
 | |
|   tasks is `3`:\n\n```bash\n$ docker service ls\n\nID            NAME   MODE        REPLICAS
 | |
|   \ IMAGE\n4cdgfyky7ozw  redis  replicated  3/5       redis:3.0.7\n```\n\nOnce all
 | |
|   the tasks are created and `RUNNING`, the actual number of tasks is\nequal to the
 | |
|   desired number:\n\n```bash\n$ docker service ls\n\nID            NAME   MODE        REPLICAS
 | |
|   \ IMAGE\n4cdgfyky7ozw  redis  replicated  5/5       redis:3.0.7\n```\n\n### Create
 | |
|   a service with secrets\n\nUse the `--secret` flag to give a container access to
 | |
|   a\n[secret](secret_create.md).\n\nCreate a service specifying a secret:\n\n```bash\n$
 | |
|   docker service create --name redis --secret secret.json redis:3.0.6\n\n4cdgfyky7ozwh3htjfw0d12qv\n```\n\nCreate
 | |
|   a service specifying the secret, target, user/group ID, and mode:\n\n```bash\n$
 | |
|   docker service create --name redis \\\n    --secret source=ssh-key,target=ssh \\\n
 | |
|   \   --secret source=app-key,target=app,uid=1000,gid=1001,mode=0400 \\\n    redis:3.0.6\n\n4cdgfyky7ozwh3htjfw0d12qv\n```\n\nTo
 | |
|   grant a service access to multiple secrets, use multiple `--secret` flags.\n\nSecrets
 | |
|   are located in `/run/secrets` in the container.  If no target is\nspecified, the
 | |
|   name of the secret will be used as the in memory file in the\ncontainer.  If a target
 | |
|   is specified, that will be the filename.  In the\nexample above, two files will
 | |
|   be created: `/run/secrets/ssh` and\n`/run/secrets/app` for each of the secret targets
 | |
|   specified.\n\n### Create a service with a rolling update policy\n\n```bash\n$ docker
 | |
|   service create \\\n  --replicas 10 \\\n  --name redis \\\n  --update-delay 10s \\\n
 | |
|   \ --update-parallelism 2 \\\n  redis:3.0.6\n```\n\nWhen you run a [service update](service_update.md),
 | |
|   the scheduler updates a\nmaximum of 2 tasks at a time, with `10s` between updates.
 | |
|   For more information,\nrefer to the [rolling updates\ntutorial](https://docs.docker.com/engine/swarm/swarm-tutorial/rolling-update/).\n\n###
 | |
|   Set environment variables (-e, --env)\n\nThis sets an environment variable for all
 | |
|   tasks in a service. For example:\n\n```bash\n$ docker service create \\\n  --name
 | |
|   redis_2 \\\n  --replicas 5 \\\n  --env MYVAR=foo \\\n  redis:3.0.6\n```\n\nTo specify
 | |
|   multiple environment variables, specify multiple `--env` flags, each\nwith a separate
 | |
|   key-value pair.\n\n```bash\n$ docker service create \\\n  --name redis_2 \\\n  --replicas
 | |
|   5 \\\n  --env MYVAR=foo \\\n  --env MYVAR2=bar \\\n  redis:3.0.6\n```\n\n### Create
 | |
|   a service with specific hostname (--hostname)\n\nThis option sets the docker service
 | |
|   containers hostname to a specific string.\nFor example:\n\n```bash\n$ docker service
 | |
|   create --name redis --hostname myredis redis:3.0.6\n```\n\n### Set metadata on a
 | |
|   service (-l, --label)\n\nA label is a `key=value` pair that applies metadata to
 | |
|   a service. To label a\nservice with two labels:\n\n```bash\n$ docker service create
 | |
|   \\\n  --name redis_2 \\\n  --label com.example.foo=\"bar\"\n  --label bar=baz \\\n
 | |
|   \ redis:3.0.6\n```\n\nFor more information about labels, refer to [apply custom\nmetadata](https://docs.docker.com/engine/userguide/labels-custom-metadata/).\n\n###
 | |
|   Add bind mounts, volumes or memory filesystems\n\nDocker supports three different
 | |
|   kinds of mounts, which allow containers to read\nfrom or write to files or directories,
 | |
|   either on the host operating system, or\non memory filesystems. These types are
 | |
|   _data volumes_ (often referred to simply\nas volumes), _bind mounts_, _tmpfs_, and
 | |
|   _named pipes_.\n\nA **bind mount** makes a file or directory on the host available
 | |
|   to the\ncontainer it is mounted within. A bind mount may be either read-only or\nread-write.
 | |
|   For example, a container might share its host's DNS information by\nmeans of a bind
 | |
|   mount of the host's `/etc/resolv.conf` or a container might\nwrite logs to its host's
 | |
|   `/var/log/myContainerLogs` directory. If you use\nbind mounts and your host and
 | |
|   containers have different notions of permissions,\naccess controls, or other such
 | |
|   details, you will run into portability issues.\n\nA **named volume** is a mechanism
 | |
|   for decoupling persistent data needed by your\ncontainer from the image used to
 | |
|   create the container and from the host machine.\nNamed volumes are created and managed
 | |
|   by Docker, and a named volume persists\neven when no container is currently using
 | |
|   it. Data in named volumes can be\nshared between a container and the host machine,
 | |
|   as well as between multiple\ncontainers. Docker uses a _volume driver_ to create,
 | |
|   manage, and mount volumes.\nYou can back up or restore volumes using Docker commands.\n\nA
 | |
|   **tmpfs** mounts a tmpfs inside a container for volatile data.\n\nA **npipe** mounts
 | |
|   a named pipe from the host into the container.\n\nConsider a situation where your
 | |
|   image starts a lightweight web server. You could\nuse that image as a base image,
 | |
|   copy in your website's HTML files, and package\nthat into another image. Each time
 | |
|   your website changed, you'd need to update\nthe new image and redeploy all of the
 | |
|   containers serving your website. A better\nsolution is to store the website in a
 | |
|   named volume which is attached to each of\nyour web server containers when they
 | |
|   start. To update the website, you just\nupdate the named volume.\n\nFor more information
 | |
|   about named volumes, see\n[Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/).\n\nThe
 | |
|   following table describes options which apply to both bind mounts and named\nvolumes
 | |
|   in a service:\n\n<table>\n  <tr>\n    <th>Option</th>\n    <th>Required</th>\n    <th>Description</th>\n
 | |
|   \ </tr>\n  <tr>\n    <td><b>type</b></td>\n    <td></td>\n    <td>\n      <p>The
 | |
|   type of mount, can be either <tt>volume</tt>, <tt>bind</tt>, <tt>tmpfs</tt>, or
 | |
|   <tt>npipe</tt>. Defaults to <tt>volume</tt> if no type is specified.\n      <ul>\n
 | |
|   \       <li><tt>volume</tt>: mounts a <a href=\"https://docs.docker.com/engine/reference/commandline/volume_create/\">managed
 | |
|   volume</a>\n        into the container.</li> <li><tt>bind</tt>:\n        bind-mounts
 | |
|   a directory or file from the host into the container.</li>\n        <li><tt>tmpfs</tt>:
 | |
|   mount a tmpfs in the container</li>\n        <li><tt>npipe</tt>: mounts named pipe
 | |
|   from the host into the container (Windows containers only).</li>\n      </ul></p>\n
 | |
|   \   </td>\n  </tr>\n  <tr>\n    <td><b>src</b> or <b>source</b></td>\n    <td>for
 | |
|   <tt>type=bind</tt> and <tt>type=npipe</tt></td>\n    <td>\n      <ul>\n        <li>\n
 | |
|   \        <tt>type=volume</tt>: <tt>src</tt> is an optional way to specify the name
 | |
|   of the volume (for example, <tt>src=my-volume</tt>).\n          If the named volume
 | |
|   does not exist, it is automatically created. If no <tt>src</tt> is specified, the
 | |
|   volume is\n          assigned a random name which is guaranteed to be unique on
 | |
|   the host, but may not be unique cluster-wide.\n          A randomly-named volume
 | |
|   has the same lifecycle as its container and is destroyed when the <i>container</i>\n
 | |
|   \         is destroyed (which is upon <tt>service update</tt>, or when scaling or
 | |
|   re-balancing the service)\n        </li>\n        <li>\n          <tt>type=bind</tt>:
 | |
|   <tt>src</tt> is required, and specifies an absolute path to the file or directory
 | |
|   to bind-mount\n          (for example, <tt>src=/path/on/host/</tt>). An error is
 | |
|   produced if the file or directory does not exist.\n        </li>\n        <li>\n
 | |
|   \         <tt>type=tmpfs</tt>: <tt>src</tt> is not supported.\n        </li>\n      </ul>\n
 | |
|   \   </td>\n  </tr>\n  <tr>\n    <td><p><b>dst</b> or <b>destination</b> or <b>target</b></p></td>\n
 | |
|   \   <td>yes</td>\n    <td>\n      <p>Mount path inside the container, for example
 | |
|   <tt>/some/path/in/container/</tt>.\n      If the path does not exist in the container's
 | |
|   filesystem, the Engine creates\n      a directory at the specified location before
 | |
|   mounting the volume or bind mount.</p>\n    </td>\n  </tr>\n  <tr>\n    <td><p><b>readonly</b>
 | |
|   or <b>ro</b></p></td>\n    <td></td>\n    <td>\n      <p>The Engine mounts binds
 | |
|   and volumes <tt>read-write</tt> unless <tt>readonly</tt> option\n      is given
 | |
|   when mounting the bind or volume. Note that setting <tt>readonly</tt> for a\n      bind-mount
 | |
|   does not make its submounts <tt>readonly</tt> on the current Linux implementation.
 | |
|   See also <tt>bind-nonrecursive</tt>.\n      <ul>\n        <li><tt>true</tt> or <tt>1</tt>
 | |
|   or no value: Mounts the bind or volume read-only.</li>\n        <li><tt>false</tt>
 | |
|   or <tt>0</tt>: Mounts the bind or volume read-write.</li>\n      </ul></p>\n    </td>\n
 | |
|   \ </tr>\n</table>\n\n#### Options for Bind Mounts\n\nThe following options can only
 | |
|   be used for bind mounts (`type=bind`):\n\n\n<table>\n  <tr>\n    <th>Option</th>\n
 | |
|   \   <th>Description</th>\n  </tr>\n  <tr>\n    <td><b>bind-propagation</b></td>\n
 | |
|   \   <td>\n      <p>See the <a href=\"#bind-propagation\">bind propagation section</a>.</p>\n
 | |
|   \   </td>\n  </tr>\n  <tr>\n    <td><b>consistency</b></td>\n    <td>\n      <p>The
 | |
|   consistency requirements for the mount; one of\n         <ul>\n           <li><tt>default</tt>:
 | |
|   Equivalent to <tt>consistent</tt>.</li>\n           <li><tt>consistent</tt>: Full
 | |
|   consistency.  The container runtime and the host maintain an identical view of the
 | |
|   mount at all times.</li>\n           <li><tt>cached</tt>: The host's view of the
 | |
|   mount is authoritative.  There may be delays before updates made on the host are
 | |
|   visible within a container.</li>\n           <li><tt>delegated</tt>: The container
 | |
|   runtime's view of the mount is authoritative.  There may be delays before updates
 | |
|   made in a container are visible on the host.</li>\n        </ul>\n     </p>\n    </td>\n
 | |
|   \ </tr>\n  <tr>\n    <td><b>bind-nonrecursive</b></td>\n    <td>\n      By default,
 | |
|   submounts are recursively bind-mounted as well. However, this behavior can be confusing
 | |
|   when a\n      bind mount is configured with <tt>readonly</tt> option, because submounts
 | |
|   are not mounted as read-only.\n      Set <tt>bind-nonrecursive</tt> to disable recursive
 | |
|   bind-mount.<br />\n      <br />\n      A value is optional:<br />\n      <br />\n
 | |
|   \     <ul>\n        <li><tt>true</tt> or <tt>1</tt>: Disables recursive bind-mount.</li>\n
 | |
|   \       <li><tt>false</tt> or <tt>0</tt>: Default if you do not provide a value.
 | |
|   Enables recursive bind-mount.</li>\n      </ul>\n    </td>\n  </tr>\n</table>\n\n#####
 | |
|   Bind propagation\n\nBind propagation refers to whether or not mounts created within
 | |
|   a given\nbind mount or named volume can be propagated to replicas of that mount.
 | |
|   Consider\na mount point `/mnt`, which is also mounted on `/tmp`. The propation settings\ncontrol
 | |
|   whether a mount on `/tmp/a` would also be available on `/mnt/a`. Each\npropagation
 | |
|   setting has a recursive counterpoint. In the case of recursion,\nconsider that `/tmp/a`
 | |
|   is also mounted as `/foo`. The propagation settings\ncontrol whether `/mnt/a` and/or
 | |
|   `/tmp/a` would exist.\n\nThe `bind-propagation` option defaults to `rprivate` for
 | |
|   both bind mounts and\nvolume mounts, and is only configurable for bind mounts. In
 | |
|   other words, named\nvolumes do not support bind propagation.\n\n- **`shared`**:
 | |
|   Sub-mounts of the original mount are exposed to replica mounts,\n                and
 | |
|   sub-mounts of replica mounts are also propagated to the\n                original
 | |
|   mount.\n- **`slave`**: similar to a shared mount, but only in one direction. If
 | |
|   the\n               original mount exposes a sub-mount, the replica mount can see
 | |
|   it.\n               However, if the replica mount exposes a sub-mount, the original\n
 | |
|   \              mount cannot see it.\n- **`private`**: The mount is private. Sub-mounts
 | |
|   within it are not exposed to\n                 replica mounts, and sub-mounts of
 | |
|   replica mounts are not\n                 exposed to the original mount.\n- **`rshared`**:
 | |
|   The same as shared, but the propagation also extends to and from\n                 mount
 | |
|   points nested within any of the original or replica mount\n                 points.\n-
 | |
|   **`rslave`**: The same as `slave`, but the propagation also extends to and from\n
 | |
|   \                mount points nested within any of the original or replica mount\n
 | |
|   \                points.\n- **`rprivate`**: The default. The same as `private`,
 | |
|   meaning that no mount points\n                  anywhere within the original or
 | |
|   replica mount points propagate\n                  in either direction.\n\nFor more
 | |
|   information about bind propagation, see the\n[Linux kernel documentation for shared
 | |
|   subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt).\n\n####
 | |
|   Options for named volumes\n\nThe following options can only be used for named volumes
 | |
|   (`type=volume`):\n\n\n<table>\n  <tr>\n    <th>Option</th>\n    <th>Description</th>\n
 | |
|   \ </tr>\n  <tr>\n    <td><b>volume-driver</b></td>\n    <td>\n      <p>Name of the
 | |
|   volume-driver plugin to use for the volume. Defaults to\n      <tt>\"local\"</tt>,
 | |
|   to use the local volume driver to create the volume if the\n      volume does not
 | |
|   exist.</p>\n    </td>\n  </tr>\n  <tr>\n    <td><b>volume-label</b></td>\n    <td>\n
 | |
|   \     One or more custom metadata (\"labels\") to apply to the volume upon\n      creation.
 | |
|   For example,\n      <tt>volume-label=mylabel=hello-world,my-other-label=hello-mars</tt>.
 | |
|   For more\n      information about labels, refer to\n      <a href=\"https://docs.docker.com/engine/userguide/labels-custom-metadata/\">apply
 | |
|   custom metadata</a>.\n    </td>\n  </tr>\n  <tr>\n    <td><b>volume-nocopy</b></td>\n
 | |
|   \   <td>\n      By default, if you attach an empty volume to a container, and files
 | |
|   or\n      directories already existed at the mount-path in the container (<tt>dst</tt>),\n
 | |
|   \     the Engine copies those files and directories into the volume, allowing\n
 | |
|   \     the host to access them. Set <tt>volume-nocopy</tt> to disable copying files\n
 | |
|   \     from the container's filesystem to the volume and mount the empty volume.<br
 | |
|   />\n      <br />\n      A value is optional:<br />\n      <br />\n      <ul>\n        <li><tt>true</tt>
 | |
|   or <tt>1</tt>: Default if you do not provide a value. Disables copying.</li>\n        <li><tt>false</tt>
 | |
|   or <tt>0</tt>: Enables copying.</li>\n      </ul>\n    </td>\n  </tr>\n  <tr>\n
 | |
|   \   <td><b>volume-opt</b></td>\n    <td>\n      Options specific to a given volume
 | |
|   driver, which will be passed to the\n      driver when creating the volume. Options
 | |
|   are provided as a comma-separated\n      list of key/value pairs, for example,\n
 | |
|   \     <tt>volume-opt=some-option=some-value,volume-opt=some-other-option=some-other-value</tt>.\n
 | |
|   \     For available options for a given driver, refer to that driver's\n      documentation.\n
 | |
|   \   </td>\n  </tr>\n</table>\n\n\n#### Options for tmpfs\n\nThe following options
 | |
|   can only be used for tmpfs mounts (`type=tmpfs`);\n\n\n<table>\n  <tr>\n    <th>Option</th>\n
 | |
|   \   <th>Description</th>\n  </tr>\n  <tr>\n    <td><b>tmpfs-size</b></td>\n    <td>Size
 | |
|   of the tmpfs mount in bytes. Unlimited by default in Linux.</td>\n  </tr>\n  <tr>\n
 | |
|   \   <td><b>tmpfs-mode</b></td>\n    <td>File mode of the tmpfs in octal. (e.g. <tt>\"700\"</tt>
 | |
|   or <tt>\"0700\"</tt>.) Defaults to <tt>\"1777\"</tt> in Linux.</td>\n  </tr>\n</table>\n\n\n####
 | |
|   Differences between \"--mount\" and \"--volume\"\n\nThe `--mount` flag supports
 | |
|   most options that are supported by the `-v`\nor `--volume` flag for `docker run`,
 | |
|   with some important exceptions:\n\n- The `--mount` flag allows you to specify a
 | |
|   volume driver and volume driver\n  options *per volume*, without creating the volumes
 | |
|   in advance. In contrast,\n  `docker run` allows you to specify a single volume driver
 | |
|   which is shared\n  by all volumes, using the `--volume-driver` flag.\n\n- The `--mount`
 | |
|   flag allows you to specify custom metadata (\"labels\") for a volume,\n  before
 | |
|   the volume is created.\n\n- When you use `--mount` with `type=bind`, the host-path
 | |
|   must refer to an *existing*\n  path on the host. The path will not be created for
 | |
|   you and the service will fail\n  with an error if the path does not exist.\n\n-
 | |
|   The `--mount` flag does not allow you to relabel a volume with `Z` or `z` flags,\n
 | |
|   \ which are used for `selinux` labeling.\n\n#### Create a service using a named
 | |
|   volume\n\nThe following example creates a service that uses a named volume:\n\n```bash\n$
 | |
|   docker service create \\\n  --name my-service \\\n  --replicas 3 \\\n  --mount type=volume,source=my-volume,destination=/path/in/container,volume-label=\"color=red\",volume-label=\"shape=round\"
 | |
|   \\\n  nginx:alpine\n```\n\nFor each replica of the service, the engine requests
 | |
|   a volume named \"my-volume\"\nfrom the default (\"local\") volume driver where the
 | |
|   task is deployed. If the\nvolume does not exist, the engine creates a new volume
 | |
|   and applies the \"color\"\nand \"shape\" labels.\n\nWhen the task is started, the
 | |
|   volume is mounted on `/path/in/container/` inside\nthe container.\n\nBe aware that
 | |
|   the default (\"local\") volume is a locally scoped volume driver.\nThis means that
 | |
|   depending on where a task is deployed, either that task gets a\n*new* volume named
 | |
|   \"my-volume\", or shares the same \"my-volume\" with other tasks\nof the same service.
 | |
|   Multiple containers writing to a single shared volume can\ncause data corruption
 | |
|   if the software running inside the container is not\ndesigned to handle concurrent
 | |
|   processes writing to the same location. Also take\ninto account that containers
 | |
|   can be re-scheduled by the Swarm orchestrator and\nbe deployed on a different node.\n\n####
 | |
|   Create a service that uses an anonymous volume\n\nThe following command creates
 | |
|   a service with three replicas with an anonymous\nvolume on `/path/in/container`:\n\n```bash\n$
 | |
|   docker service create \\\n  --name my-service \\\n  --replicas 3 \\\n  --mount type=volume,destination=/path/in/container
 | |
|   \\\n  nginx:alpine\n```\n\nIn this example, no name (`source`) is specified for
 | |
|   the volume, so a new volume\nis created for each task. This guarantees that each
 | |
|   task gets its own volume,\nand volumes are not shared between tasks. Anonymous volumes
 | |
|   are removed after\nthe task using them is complete.\n\n#### Create a service that
 | |
|   uses a bind-mounted host directory\n\nThe following example bind-mounts a host directory
 | |
|   at `/path/in/container` in\nthe containers backing the service:\n\n```bash\n$ docker
 | |
|   service create \\\n  --name my-service \\\n  --mount type=bind,source=/path/on/host,destination=/path/in/container
 | |
|   \\\n  nginx:alpine\n```\n\n### Set service mode (--mode)\n\nThe service mode determines
 | |
|   whether this is a _replicated_ service or a _global_\nservice. A replicated service
 | |
|   runs as many tasks as specified, while a global\nservice runs on each active node
 | |
|   in the swarm.\n\nThe following command creates a global service:\n\n```bash\n$ docker
 | |
|   service create \\\n --name redis_2 \\\n --mode global \\\n redis:3.0.6\n```\n\n###
 | |
|   Specify service constraints (--constraint)\n\nYou can limit the set of nodes where
 | |
|   a task can be scheduled by defining\nconstraint expressions. Multiple constraints
 | |
|   find nodes that satisfy every\nexpression (AND match). Constraints can match node
 | |
|   or Docker Engine labels as\nfollows:\n\n\n<table>\n  <tr>\n    <th>node attribute</th>\n
 | |
|   \   <th>matches</th>\n    <th>example</th>\n  </tr>\n  <tr>\n    <td><tt>node.id</tt></td>\n
 | |
|   \   <td>Node ID</td>\n    <td><tt>node.id==2ivku8v2gvtg4</tt></td>\n  </tr>\n  <tr>\n
 | |
|   \   <td><tt>node.hostname</tt></td>\n    <td>Node hostname</td>\n    <td><tt>node.hostname!=node-2</tt></td>\n
 | |
|   \ </tr>\n  <tr>\n    <td><tt>node.role</tt></td>\n    <td>Node role</td>\n    <td><tt>node.role==manager</tt></td>\n
 | |
|   \ </tr>\n  <tr>\n    <td><tt>node.labels</tt></td>\n    <td>user defined node labels</td>\n
 | |
|   \   <td><tt>node.labels.security==high</tt></td>\n  </tr>\n  <tr>\n    <td><tt>engine.labels</tt></td>\n
 | |
|   \   <td>Docker Engine's labels</td>\n    <td><tt>engine.labels.operatingsystem==ubuntu
 | |
|   14.04</tt></td>\n  </tr>\n</table>\n\n\n`engine.labels` apply to Docker Engine labels
 | |
|   like operating system,\ndrivers, etc. Swarm administrators add `node.labels` for
 | |
|   operational purposes by\nusing the [`docker node update`](node_update.md) command.\n\nFor
 | |
|   example, the following limits tasks for the redis service to nodes where the\nnode
 | |
|   type label equals queue:\n\n```bash\n$ docker service create \\\n  --name redis_2
 | |
|   \\\n  --constraint 'node.labels.type == queue' \\\n  redis:3.0.6\n```\n\n### Specify
 | |
|   service placement preferences (--placement-pref)\n\nYou can set up the service to
 | |
|   divide tasks evenly over different categories of\nnodes. One example of where this
 | |
|   can be useful is to balance tasks over a set\nof datacenters or availability zones.
 | |
|   The example below illustrates this:\n\n```bash\n$ docker service create \\\n  --replicas
 | |
|   9 \\\n  --name redis_2 \\\n  --placement-pref 'spread=node.labels.datacenter' \\\n
 | |
|   \ redis:3.0.6\n```\n\nThis uses `--placement-pref` with a `spread` strategy (currently
 | |
|   the only\nsupported strategy) to spread tasks evenly over the values of the `datacenter`\nnode
 | |
|   label. In this example, we assume that every node has a `datacenter` node\nlabel
 | |
|   attached to it. If there are three different values of this label among\nnodes in
 | |
|   the swarm, one third of the tasks will be placed on the nodes\nassociated with each
 | |
|   value. This is true even if there are more nodes with one\nvalue than another. For
 | |
|   example, consider the following set of nodes:\n\n- Three nodes with `node.labels.datacenter=east`\n-
 | |
|   Two nodes with `node.labels.datacenter=south`\n- One node with `node.labels.datacenter=west`\n\nSince
 | |
|   we are spreading over the values of the `datacenter` label and the\nservice has
 | |
|   9 replicas, 3 replicas will end up in each datacenter. There are\nthree nodes associated
 | |
|   with the value `east`, so each one will get one of the\nthree replicas reserved
 | |
|   for this value. There are two nodes with the value\n`south`, and the three replicas
 | |
|   for this value will be divided between them,\nwith one receiving two replicas and
 | |
|   another receiving just one. Finally, `west`\nhas a single node that will get all
 | |
|   three replicas reserved for `west`.\n\nIf the nodes in one category (for example,
 | |
|   those with\n`node.labels.datacenter=south`) can't handle their fair share of tasks
 | |
|   due to\nconstraints or resource limitations, the extra tasks will be assigned to
 | |
|   other\nnodes instead, if possible.\n\nBoth engine labels and node labels are supported
 | |
|   by placement preferences. The\nexample above uses a node label, because the label
 | |
|   is referenced with\n`node.labels.datacenter`. To spread over the values of an engine
 | |
|   label, use\n`--placement-pref spread=engine.labels.<labelname>`.\n\nIt is possible
 | |
|   to add multiple placement preferences to a service. This\nestablishes a hierarchy
 | |
|   of preferences, so that tasks are first divided over\none category, and then further
 | |
|   divided over additional categories. One example\nof where this may be useful is
 | |
|   dividing tasks fairly between datacenters, and\nthen splitting the tasks within
 | |
|   each datacenter over a choice of racks. To add\nmultiple placement preferences,
 | |
|   specify the `--placement-pref` flag multiple\ntimes. The order is significant, and
 | |
|   the placement preferences will be applied\nin the order given when making scheduling
 | |
|   decisions.\n\nThe following example sets up a service with multiple placement preferences.\nTasks
 | |
|   are spread first over the various datacenters, and then over racks\n(as indicated
 | |
|   by the respective labels):\n\n```bash\n$ docker service create \\\n  --replicas
 | |
|   9 \\\n  --name redis_2 \\\n  --placement-pref 'spread=node.labels.datacenter' \\\n
 | |
|   \ --placement-pref 'spread=node.labels.rack' \\\n  redis:3.0.6\n```\n\nWhen updating
 | |
|   a service with `docker service update`, `--placement-pref-add`\nappends a new placement
 | |
|   preference after all existing placement preferences.\n`--placement-pref-rm` removes
 | |
|   an existing placement preference that matches the\nargument.\n\n### Specify maximum
 | |
|   replicas per node (--replicas-max-per-node)\n\nUse the `--replicas-max-per-node`
 | |
|   flag to set the maximum number of replica tasks that can run on a node.\nThe following
 | |
|   command creates a nginx service with 2 replica tasks but only one replica task per
 | |
|   node.\n\nOne example where this can be useful is to balance tasks over a set of
 | |
|   data centers together with `--placement-pref`\nand let `--replicas-max-per-node`
 | |
|   setting make sure that replicas are not migrated to another datacenter during\nmaintenance
 | |
|   or datacenter failure.\n\nThe example below illustrates this:\n\n```bash\n$ docker
 | |
|   service create \\\n  --name nginx \\\n  --replicas 2 \\\n  --replicas-max-per-node
 | |
|   1 \\\n  --placement-pref 'spread=node.labels.datacenter' \\\n  nginx\n```\n\n###
 | |
|   Attach a service to an existing network (--network)\n\nYou can use overlay networks
 | |
|   to connect one or more services within the swarm.\n\nFirst, create an overlay network
 | |
|   on a manager node the docker network create\ncommand:\n\n```bash\n$ docker network
 | |
|   create --driver overlay my-network\n\netjpu59cykrptrgw0z0hk5snf\n```\n\nAfter you
 | |
|   create an overlay network in swarm mode, all manager nodes have\naccess to the network.\n\nWhen
 | |
|   you create a service and pass the `--network` flag to attach the service to\nthe
 | |
|   overlay network:\n\n```bash\n$ docker service create \\\n  --replicas 3 \\\n  --network
 | |
|   my-network \\\n  --name my-web \\\n  nginx\n\n716thylsndqma81j6kkkb5aus\n```\n\nThe
 | |
|   swarm extends my-network to each node running the service.\n\nContainers on the
 | |
|   same network can access each other using\n[service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery).\n\nLong
 | |
|   form syntax of `--network` allows to specify list of aliases and driver options:
 | |
|   \ \n`--network name=my-network,alias=web1,driver-opt=field1=value1`\n\n### Publish
 | |
|   service ports externally to the swarm (-p, --publish)\n\nYou can publish service
 | |
|   ports to make them available externally to the swarm\nusing the `--publish` flag.
 | |
|   The `--publish` flag can take two different styles\nof arguments. The short version
 | |
|   is positional, and allows you to specify the\npublished port and target port separated
 | |
|   by a colon.\n\n```bash\n$ docker service create --name my_web --replicas 3 --publish
 | |
|   8080:80 nginx\n```\n\nThere is also a long format, which is easier to read and allows
 | |
|   you to specify\nmore options. The long format is preferred. You cannot specify the
 | |
|   service's\nmode when using the short format. Here is an example of using the long
 | |
|   format\nfor the same service as above:\n\n```bash\n$ docker service create --name
 | |
|   my_web --replicas 3 --publish published=8080,target=80 nginx\n```\n\nThe options
 | |
|   you can specify are:\n\n<table>\n<thead>\n<tr>\n  <th>Option</th>\n  <th>Short syntax</th>\n
 | |
|   \ <th>Long syntax</th>\n  <th>Description</th>\n</tr>\n</thead>\n<tr>\n  <td>published
 | |
|   and target port</td>\n  <td><tt>--publish 8080:80</tt></td>\n  <td><tt>--publish
 | |
|   published=8080,target=80</tt></td>\n  <td><p>\n    The target port within the container
 | |
|   and the port to map it to on the\n    nodes, using the routing mesh (<tt>ingress</tt>)
 | |
|   or host-level networking.\n    More options are available, later in this table.
 | |
|   The key-value syntax is\n    preferred, because it is somewhat self-documenting.\n
 | |
|   \ </p></td>\n</tr>\n<tr>\n  <td>mode</td>\n  <td>Not possible to set using short
 | |
|   syntax.</td>\n  <td><tt>--publish published=8080,target=80,mode=host</tt></td>\n
 | |
|   \ <td><p>\n    The mode to use for binding the port, either <tt>ingress</tt> or
 | |
|   <tt>host</tt>.\n    Defaults to <tt>ingress</tt> to use the routing mesh.\n  </p></td>\n</tr>\n<tr>\n
 | |
|   \ <td>protocol</td>\n  <td><tt>--publish 8080:80/tcp</tt></td>\n  <td><tt>--publish
 | |
|   published=8080,target=80,protocol=tcp</tt></td>\n  <td><p>\n    The protocol to
 | |
|   use, <tt>tcp</tt> , <tt>udp</tt>, or <tt>sctp</tt>. Defaults to\n    <tt>tcp</tt>.
 | |
|   To bind a port for both protocols, specify the <tt>-p</tt> or\n    <tt>--publish</tt>
 | |
|   flag twice.\n  </p></td>\n</tr>\n</table>\n\nWhen you publish a service port using
 | |
|   `ingress` mode, the swarm routing mesh\nmakes the service accessible at the published
 | |
|   port on every node regardless if\nthere is a task for the service running on the
 | |
|   node. If you use `host` mode,\nthe port is only bound on nodes where the service
 | |
|   is running, and a given port\non a node can only be bound once. You can only set
 | |
|   the publication mode using\nthe long syntax. For more information refer to\n[Use
 | |
|   swarm mode routing mesh](https://docs.docker.com/engine/swarm/ingress/).\n\n###
 | |
|   Provide credential specs for managed service accounts (Windows only)\n\nThis option
 | |
|   is only used for services using Windows containers. The\n`--credential-spec` must
 | |
|   be in the format `file://<filename>` or\n`registry://<value-name>`.\n\nWhen using
 | |
|   the `file://<filename>` format, the referenced file must be\npresent in the `CredentialSpecs`
 | |
|   subdirectory in the docker data directory,\nwhich defaults to `C:\\ProgramData\\Docker\\`
 | |
|   on Windows. For example,\nspecifying `file://spec.json` loads `C:\\ProgramData\\Docker\\CredentialSpecs\\spec.json`.\n\nWhen
 | |
|   using the `registry://<value-name>` format, the credential spec is\nread from the
 | |
|   Windows registry on the daemon's host. The specified\nregistry value must be located
 | |
|   in:\n\n    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization\\Containers\\CredentialSpecs\n\n\n###
 | |
|   Create services using templates\n\nYou can use templates for some flags of `service
 | |
|   create`, using the syntax\nprovided by the Go's [text/template](http://golang.org/pkg/text/template/)
 | |
|   package.\n\nThe supported flags are the following :\n\n- `--hostname`\n- `--mount`\n-
 | |
|   `--env`\n\nValid placeholders for the Go template are listed below:\n\n\n<table>\n
 | |
|   \ <tr>\n    <th>Placeholder</th>\n    <th>Description</th>\n  </tr>\n  <tr>\n    <td><tt>.Service.ID</tt></td>\n
 | |
|   \   <td>Service ID</td>\n  </tr>\n  <tr>\n    <td><tt>.Service.Name</tt></td>\n
 | |
|   \   <td>Service name</td>\n  </tr>\n  <tr>\n    <td><tt>.Service.Labels</tt></td>\n
 | |
|   \   <td>Service labels</td>\n  </tr>\n  <tr>\n    <td><tt>.Node.ID</tt></td>\n    <td>Node
 | |
|   ID</td>\n  </tr>\n  <tr>\n    <td><tt>.Node.Hostname</tt></td>\n    <td>Node Hostname</td>\n
 | |
|   \ </tr>\n  <tr>\n    <td><tt>.Task.ID</tt></td>\n    <td>Task ID</td>\n  </tr>\n
 | |
|   \ <tr>\n    <td><tt>.Task.Name</tt></td>\n    <td>Task name</td>\n  </tr>\n  <tr>\n
 | |
|   \   <td><tt>.Task.Slot</tt></td>\n    <td>Task slot</td>\n  </tr>\n</table>\n\n\n####
 | |
|   Template example\n\nIn this example, we are going to set the template of the created
 | |
|   containers based on the\nservice's name, the node's ID and hostname where it sits.\n\n```bash\n$
 | |
|   docker service create --name hosttempl \\\n                        --hostname=\"{{.Node.Hostname}}-{{.Node.ID}}-{{.Service.Name}}\"\\\n
 | |
|   \                        busybox top\n\nva8ew30grofhjoychbr6iot8c\n\n$ docker service
 | |
|   ps va8ew30grofhjoychbr6iot8c\n\nID            NAME         IMAGE                                                                                   NODE
 | |
|   \         DESIRED STATE  CURRENT STATE               ERROR  PORTS\nwo41w8hg8qan
 | |
|   \ hosttempl.1  busybox:latest@sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912
 | |
|   \ 2e7a8a9c4da2  Running        Running about a minute ago\n\n$ docker inspect --format=\"{{.Config.Hostname}}\"
 | |
|   2e7a8a9c4da2-wo41w8hg8qanxwjwsg4kxpprj-hosttempl\n\nx3ti0erg11rjpg64m75kej2mz-hosttempl\n```\n\n###
 | |
|   Specify isolation mode (Windows)\n\nBy default, tasks scheduled on Windows nodes
 | |
|   are run using the default isolation mode\nconfigured for this particular node. To
 | |
|   force a specific isolation mode, you can use\nthe `--isolation` flag:\n\n```bash\n$
 | |
|   docker service create --name myservice --isolation=process microsoft/nanoserver\n```\n\nSupported
 | |
|   isolation modes on Windows are:\n- `default`: use default settings specified on
 | |
|   the node running the task\n- `process`: use process isolation (Windows server only)\n-
 | |
|   `hyperv`: use Hyper-V isolation\n\n### Create services requesting Generic Resources\n\nYou
 | |
|   can narrow the kind of nodes your task can land on through the using the\n`--generic-resource`
 | |
|   flag (if the nodes advertise these resources):\n\n```bash\n$ docker service create
 | |
|   --name cuda \\\n                        --generic-resource \"NVIDIA-GPU=2\" \\\n
 | |
|   \                       --generic-resource \"SSD=1\" \\\n                        nvidia/cuda\n```"
 | |
| deprecated: false
 | |
| min_api_version: "1.24"
 | |
| experimental: false
 | |
| experimentalcli: false
 | |
| kubernetes: false
 | |
| swarm: true
 | |
| 
 |