
Docker note




warning: cannot increase max open fds from 1024 to 4140 ...

I found this issue on an ECS-optimized AMI while running an unbound container.

[1555120344] unbound[1:0] warning: setrlimit: Operation not permitted
[1555120344] unbound[1:0] warning: cannot increase max open fds from 1024 to 4140
[1555120344] unbound[1:0] warning: continuing with less udp ports: 984
[1555120344] unbound[1:0] warning: increase ulimit or decrease threads, ports in config to remove this warning

I compared the dockerd process on my desktop with the one on an ECS instance.

# my desktop
/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

# ECS instance
/usr/bin/dockerd --default-ulimit nofile=1024:4096

The ECS-optimized AMI limits nofile through /etc/sysconfig/docker; that is where the --default-ulimit option above comes from.

Fix: docker run with the --cap-add SYS_RESOURCE option, so that unbound is allowed to raise the limit itself.
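As an added example (not code from the original note), the Python helper below reads the numbers out of unbound's warning and out of the dockerd OPTIONS line and suggests a per-container fix. The reasoning it encodes: unbound calls setrlimit to raise both the soft and the hard nofile limit, and raising the hard limit past the one the container started with needs CAP_SYS_RESOURCE; `docker run --ulimit nofile=N:N` sets the container's limits up front instead, which is narrower than handing the container --cap-add SYS_RESOURCE. The log lines are copied from the warning above and the `OPTIONS="..."` layout of /etc/sysconfig/docker is an assumption.

```python
import re

# unbound's warning carries the limit it found and the one it wanted.
WARN_RE = re.compile(r"cannot increase max open fds from (\d+) to (\d+)")
# dockerd option as set through /etc/sysconfig/docker on the ECS-optimized AMI.
ULIMIT_RE = re.compile(r"--default-ulimit\s+nofile=(\d+):(\d+)")

# Constructed sample input, using the values from the note above.
SAMPLE_LOG = [
    "[1555120344] unbound[1:0] warning: setrlimit: Operation not permitted",
    "[1555120344] unbound[1:0] warning: cannot increase max open fds from 1024 to 4140",
    "[1555120344] unbound[1:0] warning: continuing with less udp ports: 984",
]
SAMPLE_OPTIONS = 'OPTIONS="--default-ulimit nofile=1024:4096"'  # assumed file layout


def requested_fds(log_lines):
    """Largest fd count unbound asked for, or None if there was no warning."""
    wanted = [int(m.group(2)) for m in map(WARN_RE.search, log_lines) if m]
    return max(wanted) if wanted else None


def daemon_default_nofile(options_line):
    """(soft, hard) from a --default-ulimit nofile=S:H option, or None."""
    m = ULIMIT_RE.search(options_line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def recommend_nofile(log_lines, options_line):
    """Explain why setrlimit failed and give the least-privilege fix.

    A process without CAP_SYS_RESOURCE may raise its soft limit up to the
    hard limit but may never raise the hard limit.  unbound sets both to the
    requested value, so the call fails whenever requested > hard.
    """
    need = requested_fds(log_lines)
    if need is None:
        return None
    limits = daemon_default_nofile(options_line)
    hard = limits[1] if limits else None
    return {
        "requested": need,
        "daemon_default": limits,
        "blocked_by_hard_limit": hard is not None and need > hard,
        # Per-container fix: no extra capability needed.
        "docker_run_flag": f"--ulimit nofile={need}:{need}",
        # Daemon-wide alternative for the OPTIONS line in /etc/sysconfig/docker.
        "daemon_option": f"--default-ulimit nofile={need}:{need}",
    }


if __name__ == "__main__":
    for key, value in recommend_nofile(SAMPLE_LOG, SAMPLE_OPTIONS).items():
        print(f"{key}: {value}")
```

Run it against the container's log (`docker logs <name>`) and the OPTIONS line from the host; if `blocked_by_hard_limit` is true, the `docker_run_flag` value is enough and SYS_RESOURCE can stay off.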

iptables in Docker

docker run --cap-add=NET_ADMIN --rm -ti debian:stretch-slim
# inside the container: a fresh image has no package lists, so update first
apt update && apt install -y iptables iputils-ping

iptables -A INPUT -p tcp --dport 80 -j DROP   # sample: drop inbound HTTP
iptables -A INPUT -j DROP                     # drops everything else inbound, replies included
ping google.com
# times out!
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # -I inserts it before the DROPs
ping google.com
# OK!
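Why the second ping works comes down to rule order: `-A` appends, `-I` inserts at position 1, and the first matching rule decides. As an added example (not from the original note), the Python below simulates just that subset of iptables, builds the INPUT chain from the commands above, and shows the verdict for the echo reply to our ping (conntrack state ESTABLISHED) with the ACCEPT rule inserted versus appended. The packets are constructed; only `-A`, `-I [pos]`, `-p`, `--dport`, `-m state --state` and `-j` are modelled.

```python
import shlex


def parse_rule(cmd):
    """Parse one iptables command into (action, chain, position, rule)."""
    t = shlex.split(cmd)
    if t and t[0] == "iptables":
        t = t[1:]
    action = chain = None
    pos = 1
    rule = {"match": {}, "target": None}
    i = 0
    while i < len(t):
        tok = t[i]
        if tok in ("-A", "-I"):
            action, chain = tok, t[i + 1]
            i += 2
            if tok == "-I" and i < len(t) and t[i].isdigit():   # optional position
                pos = int(t[i])
                i += 1
        elif tok == "-p":
            rule["match"]["proto"] = t[i + 1]
            i += 2
        elif tok == "--dport":
            rule["match"]["dport"] = int(t[i + 1])
            i += 2
        elif tok == "-m":
            i += 2          # match extension name; only 'state' is modelled
        elif tok == "--state":
            rule["match"]["state"] = set(t[i + 1].split(","))
            i += 2
        elif tok == "-j":
            rule["target"] = t[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token: {tok}")
    if not (action and chain and rule["target"]):
        raise ValueError(f"incomplete rule: {cmd}")
    return action, chain, pos, rule


def apply_rules(commands):
    """Build {chain: [rules...]}, honouring -A (append) and -I (insert at pos)."""
    chains = {}
    for cmd in commands:
        action, chain, pos, rule = parse_rule(cmd)
        rules = chains.setdefault(chain, [])
        if action == "-A":
            rules.append(rule)
        else:
            rules.insert(pos - 1, rule)
    return chains


def _matches(rule, pkt):
    m = rule["match"]
    return (("proto" not in m or pkt.get("proto") == m["proto"])
            and ("dport" not in m or pkt.get("dport") == m["dport"])
            and ("state" not in m or pkt.get("state") in m["state"]))


def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First matching rule wins; the chain policy applies when none matches."""
    for rule in chains.get(chain, []):
        if _matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed packets: the echo reply to our own ping, and a fresh inbound HTTP SYN.
PING_REPLY = {"proto": "icmp", "state": "ESTABLISHED"}
NEW_HTTP = {"proto": "tcp", "dport": 80, "state": "NEW"}

BASE = ["iptables -A INPUT -p tcp --dport 80 -j DROP", "iptables -A INPUT -j DROP"]
ACCEPT_REPLIES = "-m state --state ESTABLISHED,RELATED -j ACCEPT"

if __name__ == "__main__":
    for label, cmds in [("no fix", BASE),
                        ("appended", BASE + [f"iptables -A INPUT {ACCEPT_REPLIES}"]),
                        ("inserted", BASE + [f"iptables -I INPUT {ACCEPT_REPLIES}"])]:
        print(f"{label:9s} ping reply -> {verdict(apply_rules(cmds), 'INPUT', PING_REPLY)}")
```

The "appended" case is the common mistake: the ACCEPT rule is correct but sits below the catch-all DROP and never gets a chance to match.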

(Mac and Linux only?) How to use the docker command from inside a container without DinD

When running docker run, pass -v /var/run/docker.sock:/var/run/docker.sock.

docker run -it -v /var/run/docker.sock:/var/run/docker.sock alpine
# in the alpine container
apk add docker
docker ps
# this container shows up too, and of course we can run `docker run` as well!

Waiting for a service port to be ready (docker-compose)

depends_on only waits for the dependency container to be started, not for its service to be ready. For example, container A runs a web server and container B talks to A's web port during its own init/startup process. Unfortunately, B exits non-zero because A's web service is not ready yet.

There are a few approaches.
1. In container B's startup process, wait for container A's service to become ready, e.g. with dockerize:

dockerize -wait tcp://db:5432 -wait http://web:80 -wait file:///tmp/generated-file

2. With docker-compose, add a wait-for-dependencies container: B depends on wait-for-dependencies, which depends on A and waits until A's service is ready.
Sample: wait-for-container and partial docker-compose up

version: '3.3'
services:
  localdynamo:
    image: dwmkerr/dynamodb
    ports:
      - "8000:8000"
  wait-dynamo:
    image: dadarek/wait-for-dependencies
    depends_on:
      - localdynamo
    command: localdynamo:8000
  app:   # the name of this service is missing from the original note
    depends_on:
      - wait-dynamo
    image: docker-ho:1.0
    ports:
      - "5000"
    environment:
      FLASK_APP_DYNAMO_HOST: "http://localdynamo:8000"
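The wait loop that dockerize and wait-for-dependencies perform, written out as an added Python example (not code from the original note or from either project): it polls a TCP port with exponential backoff until it answers or a deadline passes, and returns a clear yes/no instead of letting the dependent process crash. `self_check()` exercises it offline against a local listener constructed to start accepting only after half a second, then against the same port once it is closed again. Command-line targets are assumed to be `host:port` strings like the `localdynamo:8000` in the compose sample.

```python
import socket
import sys
import threading
import time


def wait_for_tcp(host, port, timeout=30.0, first_delay=0.1, max_delay=2.0):
    """Poll until a TCP connect to host:port succeeds.  True on success, False
    once `timeout` seconds have passed.  The retry delay doubles up to max_delay."""
    deadline = time.monotonic() + timeout
    delay = first_delay
    while True:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            pass  # refused, unreachable or timed out: not ready yet
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay)


def wait_for_all(targets, timeout=30.0):
    """targets are 'host:port' strings; True only if every one accepts a connection
    before the shared deadline."""
    deadline = time.monotonic() + timeout
    for target in targets:
        host, port = target.rsplit(":", 1)
        left = max(0.0, deadline - time.monotonic())
        if not wait_for_tcp(host, int(port), timeout=left):
            return False
    return True


def self_check():
    """Offline demo on 127.0.0.1 (constructed): a listener that starts accepting
    after 0.5 s, then the same port after the listener is closed again."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # bound but not yet listening: connects are refused
    port = srv.getsockname()[1]

    def listen_later():
        time.sleep(0.5)
        srv.listen(1)

    threading.Thread(target=listen_later, daemon=True).start()
    came_up = wait_for_tcp("127.0.0.1", port, timeout=5.0)
    srv.close()
    gone = wait_for_tcp("127.0.0.1", port, timeout=0.5)
    return came_up, gone


if __name__ == "__main__":
    # As a startup wrapper:  python wait_for.py localdynamo:8000 && exec ./app
    targets = sys.argv[1:]
    if targets:
        sys.exit(0 if wait_for_all(targets) else 1)
    print(self_check())
```

Used as the first step of container B's entrypoint, a non-zero exit here means "dependency never came up", which is much easier to read in `docker-compose logs` than a stack trace from the application.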

-v with a relative path

brew install coreutils
docker run -v $(realpath ../../hoge):/work ...

Alternatively, volumes in docker-compose support relative paths.

Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Add the user to the docker group (note that docker group membership grants full control of the daemon, which is effectively root on the host).


Detach : Ctrl-p + Ctrl-q
Attach : docker attach [container]

Why can't I detach?

Detaching with Ctrl-p Ctrl-q only works when the container was started with the -i and -t options (docker run -it).


Actually, you can SIGKILL the client, and reattach later.
However, this will disrupt stdin (the container will see EOF on stdin, and if it cares about stdin, e.g. if it's a shell, it will exit).

To recap:
docker run -t -i → can be detached with ^P^Q and reattached with docker attach
docker run -i → cannot be detached with ^P^Q; will disrupt stdin
docker run → cannot be detached with ^P^Q; can SIGKILL client; can reattach with docker attach

Attached to a container that was started without -it, so Ctrl-C cannot be used

Just close the terminal; nothing bad happens.

To detach safely...

If the container was started without -i and -t and you still want to detach: hitting Ctrl-C while attached forwards the signal to the container's primary process, so the container process gets killed.
To avoid that, attach with --sig-proxy=false.

I want to log in to a container...

docker exec -it [cont-name] bash

Alpine: use /bin/sh instead of /bin/bash.

Port forwarding with automatically assigned host ports

Run with -p options and leave the host port empty:

$ docker run --name cont01 -i -t -p :80 -p :443  [image_name] /bin/bash

$ docker port cont01
443/tcp ->
80/tcp ->

Or run with --expose options plus -P:

$ docker run --name cont02 -i -t --expose 80 --expose 443 -P [image_name] /bin/bash

strace in a container

Run the container with these options:
--cap-add SYS_PTRACE
--security-opt seccomp:unconfined
(Recent Docker versions allow ptrace in the default seccomp profile on kernels 4.8 and later, so try --cap-add SYS_PTRACE alone before turning seccomp off.)

Start on OS boot

  • docker run: add --restart=always
  • docker-compose: add restart: always in docker-compose.yaml

Run a single container via systemd on a container instance

sample from

ExecStartPre=-/usr/bin/docker kill sysdig-agent
ExecStartPre=-/usr/bin/docker rm sysdig-agent
ExecStartPre=/usr/bin/docker pull sysdig/agent
ExecStart=/usr/bin/docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=[ACCESS_KEY] -e COLLECTOR=[COLLECTOR_ADDRESS] -e SECURE=false [-e TAGS=[TAGS]] -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro --shm-size=512m sysdig/agent
ExecStop=/usr/bin/docker stop sysdig-agent
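Several commands in this note (the NET_ADMIN and SYS_PTRACE containers, the docker.sock mount, the seccomp:unconfined strace setup, and the sysdig unit with --privileged, --net host and --pid host) hand the container more than the default sandbox gives it. As an added example, not code from the original note or from sysdig, the Python below scans `docker run` lines for exactly those options and says why each one matters; a bind-mounted /var/run/docker.sock is flagged as root-equivalent because anything that can talk to the daemon can start a privileged container on the host. The sample command lines are constructed from the ones above, with the unit's placeholders kept as they are.

```python
import shlex

# Why each extra capability matters (the ones used in this note, plus ALL).
CAP_NOTES = {
    "SYS_RESOURCE": "override resource limits, e.g. raise RLIMIT_NOFILE past the hard limit",
    "NET_ADMIN": "reconfigure interfaces and iptables in its network namespace (the host's with --net host)",
    "SYS_PTRACE": "ptrace other processes (host processes too when combined with --pid host)",
    "SYS_ADMIN": "mount, namespace and many other admin operations; close to full root",
    "ALL": "every capability",
}

# Options whose value is the next token when not written as --opt=value.
VALUE_OPTS = {"--net", "--network", "--pid", "--cap-add", "--security-opt",
              "-v", "--volume", "--mount"}
DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample lines, taken from the commands in this note.
SAMPLE_COMMANDS = [
    "docker run --cap-add=NET_ADMIN --rm -ti debian:stretch-slim",
    "docker run -it -v /var/run/docker.sock:/var/run/docker.sock alpine",
    "docker run --cap-add SYS_PTRACE --security-opt seccomp:unconfined alpine",
    "docker run --name sysdig-agent --privileged --net host --pid host "
    "-e ACCESS_KEY=[ACCESS_KEY] -v /var/run/docker.sock:/host/var/run/docker.sock "
    "-v /proc:/host/proc:ro --shm-size=512m sysdig/agent",
]


def _option_at(tokens, i):
    """Return (name, value, tokens_consumed) for the token at position i."""
    tok = tokens[i]
    if tok.startswith("--") and "=" in tok:
        name, value = tok.split("=", 1)
        return name, value, 1
    if tok in VALUE_OPTS and i + 1 < len(tokens):
        return tok, tokens[i + 1], 2
    return tok, None, 1


def audit_docker_run(cmd):
    """Return [(option, value, why_it_matters), ...] for one docker run line."""
    tokens = shlex.split(cmd)
    findings = []
    i = 0
    while i < len(tokens):
        name, value, used = _option_at(tokens, i)
        i += used
        if name == "--privileged":
            findings.append((name, "", "all capabilities and host devices; seccomp/AppArmor off"))
        elif name in ("--net", "--network") and value == "host":
            findings.append((name, value, "shares the host network namespace"))
        elif name == "--pid" and value == "host":
            findings.append((name, value, "sees and can signal every host process"))
        elif name == "--cap-add" and value:
            cap = value.upper()
            cap = cap[4:] if cap.startswith("CAP_") else cap
            findings.append((name, cap, CAP_NOTES.get(cap, "capability beyond the default set")))
        elif name == "--security-opt" and value and value.replace("=", ":") == "seccomp:unconfined":
            findings.append((name, value, "syscall filtering disabled"))
        elif name in ("-v", "--volume", "--mount") and value and DOCKER_SOCK in value:
            findings.append((name, value, "full control of the Docker daemon, i.e. root on the host"))
    return findings


def report(commands):
    """One line per finding, or a clean line for a command without any."""
    lines = []
    for cmd in commands:
        found = audit_docker_run(cmd)
        lines.append(f"$ {cmd}")
        lines += [f"  {opt} {val}: {why}" for opt, val, why in found] or ["  (no privilege-widening options)"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_COMMANDS))
```

Pointing it at the ExecStart lines of your systemd units or at a shell history is a quick way to inventory which containers on a host need the strong options and which ones were given them out of habit.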
