Skip to content

Latest commit

 

History

History
2284 lines (1734 loc) · 67.2 KB

File metadata and controls

2284 lines (1734 loc) · 67.2 KB
description keywords redirect_from title toc_max toc_min
Compose file reference
fig, composition, compose, docker
/compose/yml
/compose/compose-file-v3.md
Compose file version 3 reference
4
1

Reference and guidelines

These topics describe version 3 of the Compose file format. This is the newest version.

Compose and Docker compatibility matrix

There are several versions of the Compose file format – 1, 2, 2.x, and 3.x. The table below is a quick look. For full details on what each version includes and how to upgrade, see About versions and upgrading.

{% include content/compose-matrix.md %}

Compose file structure and examples

Example Compose file version 3

version: "3"
services:

redis: image: redis:alpine ports: - "6379" networks: - frontend deploy: replicas: 2 update_config: parallelism: 2 delay: 10s restart_policy: condition: on-failure

db: image: postgres:9.4 volumes: - db-data:/var/lib/postgresql/data networks: - backend deploy: placement: constraints: [node.role == manager]

vote: image: dockersamples/examplevotingapp_vote:before ports: - 5000:80 networks: - frontend depends_on: - redis deploy: replicas: 2 update_config: parallelism: 2 restart_policy: condition: on-failure

result: image: dockersamples/examplevotingapp_result:before ports: - 5001:80 networks: - backend depends_on: - db deploy: replicas: 1 update_config: parallelism: 2 delay: 10s restart_policy: condition: on-failure

worker: image: dockersamples/examplevotingapp_worker networks: - frontend - backend deploy: mode: replicated replicas: 1 labels: [APP=VOTING] restart_policy: condition: on-failure delay: 10s max_attempts: 3 window: 120s placement: constraints: [node.role == manager]

visualizer: image: dockersamples/visualizer:stable ports: - "8080:8080" stop_grace_period: 1m30s volumes: - "/var/run/docker.sock:/var/run/docker.sock" deploy: placement: constraints: [node.role == manager]

networks: frontend: backend:

volumes: db-data:

The topics on this reference page are organized alphabetically by top-level key to reflect the structure of the Compose file itself. Top-level keys that define a section in the configuration file such as build, deploy, depends_on, networks, and so on, are listed with the options that support them as sub-topics. This maps to the <key>: <option>: <value> indent structure of the Compose file.

A good place to start is the Getting Started tutorial which uses version 3 Compose stack files to implement multi-container apps, service definitions, and swarm mode. Here are some Compose files used in the tutorial.

Another good reference is the Compose file for the voting app sample used in the Docker for Beginners lab topic on Deploying an app to a Swarm. This is also shown on the accordion at the top of this section.

Service configuration reference

The Compose file is a YAML file defining services, networks and volumes. The default path for a Compose file is ./docker-compose.yml.

Tip: You can use either a .yml or .yaml extension for this file. They both work.

A service definition contains configuration which will be applied to each container started for that service, much like passing command-line parameters to docker run. Likewise, network and volume definitions are analogous to docker network create and docker volume create.

As with docker run, options specified in the Dockerfile (e.g., CMD, EXPOSE, VOLUME, ENV) are respected by default - you don't need to specify them again in docker-compose.yml.

You can use environment variables in configuration values with a Bash-like ${VARIABLE} syntax - see variable substitution for full details.

This section contains a list of all configuration options supported by a service definition in version 3.

build

Configuration options that are applied at build time.

build can be specified either as a string containing a path to the build context:

version: '2'
services:
  webapp:
    build: ./dir

Or, as an object with the path specified under context and optionally Dockerfile and args:

version: '2'
services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1

If you specify image as well as build, then Compose names the built image with the webapp and optional tag specified in image:

build: ./dir
image: webapp:tag

This will result in an image named webapp and tagged tag, built from ./dir.

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file. The docker stack command accepts only pre-built images.

context

Either a path to a directory containing a Dockerfile, or a url to a git repository.

When the value supplied is a relative path, it is interpreted as relative to the location of the Compose file. This directory is also the build context that is sent to the Docker daemon.

Compose will build and tag it with a generated name, and use that image thereafter.

build:
  context: ./dir

dockerfile

Alternate Dockerfile.

Compose will use an alternate file to build with. A build path must also be specified.

build:
  context: .
  dockerfile: Dockerfile-alternate

args

Add build arguments, which are environment variables accessible only during the build process.

First, specify the arguments in your Dockerfile:

ARG buildno
ARG password

RUN echo "Build number: $buildno"
RUN script-requiring-password.sh "$password"

Then specify the arguments under the build key. You can pass either a mapping or a list:

build:
  context: .
  args:
    buildno: 1
    password: secret

build:
  context: .
  args:
    - buildno=1
    - password=secret

You can omit the value when specifying a build argument, in which case its value at build time is the value in the environment where Compose is running.

args:
  - buildno
  - password

Note: YAML boolean values (true, false, yes, no, on, off) must be enclosed in quotes, so that the parser interprets them as strings.

cache_from

Note: This option is new in v3.2

A list of images that the engine will use for cache resolution.

build:
  context: .
  cache_from:
    - alpine:latest
    - corp/web_app:3.14

labels

Note: This option is new in v3.3

Add metadata to the resulting image using Docker labels. You can use either an array or a dictionary.

It's recommended that you use reverse-DNS notation to prevent your labels from conflicting with those used by other software.

build:
  context: .
  labels:
    com.example.description: "Accounting webapp"
    com.example.department: "Finance"
    com.example.label-with-empty-value: ""


build:
  context: .
  labels:
    - "com.example.description=Accounting webapp"
    - "com.example.department=Finance"
    - "com.example.label-with-empty-value"

shm_size

Added in version 3.5 file format

Set the size of the /dev/shm partition for this build's containers. Specify as an integer value representing the number of bytes or as a string expressing a byte value.

build:
  context: .
  shm_size: '2gb'


build:
  context: .
  shm_size: 10000000

cap_add, cap_drop

Add or drop container capabilities. See man 7 capabilities for a full list.

cap_add:
  - ALL

cap_drop:
  - NET_ADMIN
  - SYS_ADMIN

Note: These options are ignored when deploying a stack in swarm mode with a (version 3) Compose file.

command

Override the default command.

command: bundle exec thin -p 3000

The command can also be a list, in a manner similar to dockerfile:

command: ["bundle", "exec", "thin", "-p", "3000"]

configs

Grant access to configs on a per-service basis using the per-service configs configuration. Two different syntax variants are supported.

Note: The config must already exist or be defined in the top-level configs configuration of this stack file, or stack deployment will fail.

For more information on configs, see configs.

Short syntax

The short syntax variant only specifies the config name. This grants the container access to the config and mounts it at /<config_name> within the container. The source name and destination mountpoint are both set to the config name.

The following example uses the short syntax to grant the redis service access to the my_config and my_other_config configs. The value of my_config is set to the contents of the file ./my_config.txt, and my_other_config is defined as an external resource, which means that it has already been defined in Docker, either by running the docker config create command or by another stack deployment. If the external config does not exist, the stack deployment fails with a config not found error.

Note: config definitions are only supported in version 3.3 and higher of the compose file format.

version: "3.3"
services:
  redis:
    image: redis:latest
    deploy:
      replicas: 1
    configs:
      - my_config
      - my_other_config
configs:
  my_config:
    file: ./my_config.txt
  my_other_config:
    external: true

Long syntax

The long syntax provides more granularity in how the config is created within the service's task containers.

  • source: The name of the config as it exists in Docker.
  • target: The path and name of the file that will be mounted in the service's task containers. Defaults to /<source> if not specified.
  • uid and gid: The numeric UID or GID which will own the mounted config file within in the service's task containers. Both default to 0 on Linux if not specified. Not supported on Windows.
  • mode: The permissions for the file that will be mounted within the service's task containers, in octal notation. For instance, 0444 represents world-readable. The default is 0444. Configs cannot be writable because they are mounted in a temporary filesystem, so if you set the writable bit, it is ignored. The executable bit can be set. If you aren't familiar with UNIX file permission modes, you may find this permissions calculator{: target="blank" class="" } useful.

The following example sets the name of my_config to redis_config within the container, sets the mode to 0440 (group-readable) and sets the user and group to 103. The redis service does not have access to the my_other_config config.

version: "3.3"
services:
  redis:
    image: redis:latest
    deploy:
      replicas: 1
    configs:
      - source: my_config
        target: /redis_config
        uid: '103'
        gid: '103'
        mode: 0440
configs:
  my_config:
    file: ./my_config.txt
  my_other_config:
    external: true

You can grant a service access to multiple configs and you can mix long and short syntax. Defining a config does not imply granting a service access to it.

cgroup_parent

Specify an optional parent cgroup for the container.

cgroup_parent: m-executor-abcd

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

container_name

Specify a custom container name, rather than a generated default name.

container_name: my-web-container

Because Docker container names must be unique, you cannot scale a service beyond 1 container if you have specified a custom name. Attempting to do so results in an error.

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

credential_spec

Note: this option was added in v3.3

Configure the credential spec for managed service account. This option is only used for services using Windows containers. The credential_spec must be in the format file://<filename> or registry://<value-name>.

When using file:, the referenced file must be present in the CredentialSpecs subdirectory in the docker data directory, which defaults to C:\ProgramData\Docker\ on Windows. The following example loads the credential spec from a file named C:\ProgramData\Docker\CredentialSpecs\my-credential-spec.json:

credential_spec:
  file: my-credential-spec.json

When using registry:, the credential spec is read from the Windows registry on the daemon's host. A registry value with the given name must be located in:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs

The following example load the credential spec from a value named my-credential-spec in the registry:

credential_spec:
  registry: my-credential-spec

deploy

Version 3 only.

Specify configuration related to the deployment and running of services. This only takes effect when deploying to a swarm with docker stack deploy, and is ignored by docker-compose up and docker-compose run.

version: '3'
services:
  redis:
    image: redis:alpine
    deploy:
      replicas: 6
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure

Several sub-options are available:

endpoint_mode

Specify a service discovery method for external clients connecting to a swarm.

Version 3.3 only.

  • endpoint_mode: vip - Docker assigns the service a virtual IP (VIP), which acts as the “front end” for clients to reach the service on a network. Docker routes requests between the client and available worker nodes for the service, without client knowledge of how many nodes are participating in the service or their IP addresses or ports. (This is the default.)

  • endpoint_mode: dnsrr - DNS round-robin (DNSRR) service discovery does not use a single virtual IP. Docker sets up DNS entries for the service such that a DNS query for the service name returns a list of IP addresses, and the client connects directly to one of these. DNS round-robin is useful in cases where you want to use your own load balancer, or for Hybrid Windows and Linux applications.

version: "3.3"

services:
  wordpress:
    image: wordpress
    ports:
      - 8080:80
    networks:
      - overlay
    deploy:
      mode: replicated
      replicas: 2
      endpoint_mode: vip

  mysql:
    image: mysql
    volumes:
       - db-data:/var/lib/mysql/data
    networks:
       - overlay
    deploy:
      mode: replicated
      replicas: 2
      endpoint_mode: dnsrr

volumes:
  db-data:

networks:
  overlay:

The options for endpoint_mode also work as flags on the swarm mode CLI command docker service create. For a quick list of all swarm related docker commands, see Swarm mode CLI commands.

To learn more about service discovery and networking in swarm mode, see Configure service discovery in the swarm mode topics.

labels

Specify labels for the service. These labels will only be set on the service, and not on any containers for the service.

version: "3"
services:
  web:
    image: web
    deploy:
      labels:
        com.example.description: "This label will appear on the web service"

To set labels on containers instead, use the labels key outside of deploy:

version: "3"
services:
  web:
    image: web
    labels:
      com.example.description: "This label will appear on all containers for the web service"

mode

Either global (exactly one container per swarm node) or replicated (a specified number of containers). The default is replicated. (To learn more, see Replicated and global services in the swarm topics.)

version: '3'
services:
  worker:
    image: dockersamples/examplevotingapp_worker
    deploy:
      mode: global

placement

Specify placement of constraints and preferences. See the docker service create documentation for a full description of the syntax and available types of constraints and preferences.

version: '3'
services:
  db:
    image: postgres
    deploy:
      placement:
        constraints:
          - node.role == manager
          - engine.labels.operatingsystem == ubuntu 14.04
        preferences:
          - spread: node.labels.zone

replicas

If the service is replicated (which is the default), specify the number of containers that should be running at any given time.

version: '3'
services:
  worker:
    image: dockersamples/examplevotingapp_worker
    networks:
      - frontend
      - backend
    deploy:
      mode: replicated
      replicas: 6

resources

Configures resource constraints.

Note: This replaces the older resource constraint options for non swarm mode in Compose files prior to version 3 (cpu_shares, cpu_quota, cpuset, mem_limit, memswap_limit, mem_swappiness), as described in Upgrading version 2.x to 3.x.

Each of these is a single value, analogous to its docker service create counterpart.

In this general example, the redis service is constrained to use no more than 50M of memory and 0.50 (50%) of available processing time (CPU), and has 20M of memory and 0.25 CPU time reserved (as always available to it).

version: '3'
services:
  redis:
    image: redis:alpine
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 50M
        reservations:
          cpus: '0.25'
          memory: 20M

The topics below describe available options to set resource constraints on services or containers in a swarm.

Looking for options to set resources on non swarm mode containers?

The options described here are specific to the deploy key and swarm mode. If you want to set resource constraints on non swarm deployments, use Compose file format version 2 CPU, memory, and other resource options. If you have further questions, please refer to the discussion on the GitHub issue docker/compose/4513{: target="blank" class=""}. {: .important}

Out Of Memory Exceptions (OOME)

If your services or containers attempt to use more memory than the system has available, you may experience an Out Of Memory Exception (OOME) and a container, or the Docker daemon, might be killed by the kernel OOM killer. To prevent this from happening, ensure that your application runs on hosts with adequate memory and see Understand the risks of running out of memory.

restart_policy

Configures if and how to restart containers when they exit. Replaces restart.

  • condition: One of none, on-failure or any (default: any).
  • delay: How long to wait between restart attempts, specified as a duration (default: 0).
  • max_attempts: How many times to attempt to restart a container before giving up (default: never give up).
  • window: How long to wait before deciding if a restart has succeeded, specified as a duration (default: decide immediately).
version: "3"
services:
  redis:
    image: redis:alpine
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

update_config

Configures how the service should be updated. Useful for configuring rolling updates.

  • parallelism: The number of containers to update at a time.
  • delay: The time to wait between updating a group of containers.
  • failure_action: What to do if an update fails. One of continue, rollback, or pause (default: pause).
  • monitor: Duration after each task update to monitor for failure (ns|us|ms|s|m|h) (default 0s).
  • max_failure_ratio: Failure rate to tolerate during an update.
  • order: Order of operations during updates. One of stop-first (old task is stopped before starting new one), or start-first (new task is started first, and the running tasks will briefly overlap) (default stop-first) Note: Only supported for v3.4 and higher.

Note: order is only supported for v3.4 and higher of the compose file format.

version: '3.4'
services:
  vote:
    image: dockersamples/examplevotingapp_vote:before
    depends_on:
      - redis
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
        order: stop-first

Not supported for docker stack deploy

The following sub-options (supported for docker compose up and docker compose run) are not supported for docker stack deploy or the deploy key.

Tip: See also, the section on how to configure volumes for services, swarms, and docker-stack.yml files. Volumes are supported but in order to work with swarms and services, they must be configured properly, as named volumes or associated with services that are constrained to nodes with access to the requisite volumes.

devices

List of device mappings. Uses the same format as the --device docker client create option.

devices:
  - "/dev/ttyUSB0:/dev/ttyUSB0"

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

depends_on

Express dependency between services, which has two effects:

  • docker-compose up will start services in dependency order. In the following example, db and redis will be started before web.

  • docker-compose up SERVICE will automatically include SERVICE's dependencies. In the following example, docker-compose up web will also create and start db and redis.

Simple example:

version: '3'
services:
  web:
    build: .
    depends_on:
      - db
      - redis
  redis:
    image: redis
  db:
    image: postgres

There are several things to be aware of when using depends_on:

  • depends_on will not wait for db and redis to be "ready" before starting web - only until they have been started. If you need to wait for a service to be ready, see Controlling startup order for more on this problem and strategies for solving it.

  • Version 3 no longer supports the condition form of depends_on.

  • The depends_on option is ignored when deploying a stack in swarm mode with a version 3 Compose file.

dns

Custom DNS servers. Can be a single value or a list.

dns: 8.8.8.8
dns:
  - 8.8.8.8
  - 9.9.9.9

dns_search

Custom DNS search domains. Can be a single value or a list.

dns_search: example.com
dns_search:
  - dc1.example.com
  - dc2.example.com

tmpfs

Version 2 file format and up.

Mount a temporary file system inside the container. Can be a single value or a list.

tmpfs: /run
tmpfs:
  - /run
  - /tmp

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

entrypoint

Override the default entrypoint.

entrypoint: /code/entrypoint.sh

The entrypoint can also be a list, in a manner similar to dockerfile:

entrypoint:
    - php
    - -d
    - zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20100525/xdebug.so
    - -d
    - memory_limit=-1
    - vendor/bin/phpunit

Note: Setting entrypoint will both override any default entrypoint set on the service's image with the ENTRYPOINT Dockerfile instruction, and clear out any default command on the image - meaning that if there's a CMD instruction in the Dockerfile, it will be ignored.

env_file

Add environment variables from a file. Can be a single value or a list.

If you have specified a Compose file with docker-compose -f FILE, paths in env_file are relative to the directory that file is in.

Environment variables declared in the environment section override these values – this holds true even if those values are empty or undefined.

env_file: .env

env_file:
  - ./common.env
  - ./apps/web.env
  - /opt/secrets.env

Compose expects each line in an env file to be in VAR=VAL format. Lines beginning with # (i.e. comments) are ignored, as are blank lines.

# Set Rails/Rack environment
RACK_ENV=development

Note: If your service specifies a build option, variables defined in environment files will not be automatically visible during the build. Use the args sub-option of build to define build-time environment variables.

The value of VAL is used as is and not modified at all. For example if the value is surrounded by quotes (as is often the case of shell variables), the quotes will be included in the value passed to Compose.

Keep in mind that the order of files in the list is significant in determining the value assigned to a variable that shows up more than once. The files in the list are processed from the top down. For the same variable specified in file a.env and assigned a different value in file b.env, if b.env is listed below (after), then the value from b.env stands. For example, given the following declaration in docker_compose.yml:

services:
  some-service:
    env_file:
      - a.env
      - b.env

And the following files:

# a.env
VAR=1

and

# b.env
VAR=hello

$VAR will be hello.

environment

Add environment variables. You can use either an array or a dictionary. Any boolean values; true, false, yes no, need to be enclosed in quotes to ensure they are not converted to True or False by the YML parser.

Environment variables with only a key are resolved to their values on the machine Compose is running on, which can be helpful for secret or host-specific values.

environment:
  RACK_ENV: development
  SHOW: 'true'
  SESSION_SECRET:

environment:
  - RACK_ENV=development
  - SHOW=true
  - SESSION_SECRET

Note: If your service specifies a build option, variables defined in environment will not be automatically visible during the build. Use the args sub-option of build to define build-time environment variables.

expose

Expose ports without publishing them to the host machine - they'll only be accessible to linked services. Only the internal port can be specified.

expose:
 - "3000"
 - "8000"

external_links

Link to containers started outside this docker-compose.yml or even outside of Compose, especially for containers that provide shared or common services. external_links follow semantics similar to the legacy option links when specifying both the container name and the link alias (CONTAINER:ALIAS).

external_links:
 - redis_1
 - project_db_1:mysql
 - project_db_1:postgresql

Notes:

If you're using the version 2 or above file format, the externally-created containers must be connected to at least one of the same networks as the service which is linking to them. Links are a legacy option. We recommend using networks instead.

This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

extra_hosts

Add hostname mappings. Use the same values as the docker client --add-host parameter.

extra_hosts:
 - "somehost:162.242.195.82"
 - "otherhost:50.31.209.229"

An entry with the ip address and hostname will be created in /etc/hosts inside containers for this service, e.g:

162.242.195.82  somehost
50.31.209.229   otherhost

healthcheck

Version 2.1 file format and up.

Configure a check that's run to determine whether or not containers for this service are "healthy". See the docs for the HEALTHCHECK Dockerfile instruction for details on how healthchecks work.

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost"]
  interval: 1m30s
  timeout: 10s
  retries: 3

interval and timeout are specified as durations.

test must be either a string or a list. If it's a list, the first item must be either NONE, CMD or CMD-SHELL. If it's a string, it's equivalent to specifying CMD-SHELL followed by that string.

# Hit the local web app
test: ["CMD", "curl", "-f", "http://localhost"]

# As above, but wrapped in /bin/sh. Both forms below are equivalent.
test: ["CMD-SHELL", "curl -f http://localhost || exit 1"]
test: curl -f https://localhost || exit 1

To disable any default healthcheck set by the image, you can use disable: true. This is equivalent to specifying test: ["NONE"].

healthcheck:
  disable: true

image

Specify the image to start the container from. Can either be a repository/tag or a partial image ID.

image: redis
image: ubuntu:14.04
image: tutum/influxdb
image: example-registry.com:4000/postgresql
image: a4bc65fd

If the image does not exist, Compose attempts to pull it, unless you have also specified build, in which case it builds it using the specified options and tags it with the specified tag.

isolation

Specify a container’s isolation technology. On Linux, the only supported value is default. On Windows, acceptable values are default, process and hyperv. Refer to the Docker Engine docs for details.

labels

Add metadata to containers using Docker labels. You can use either an array or a dictionary.

It's recommended that you use reverse-DNS notation to prevent your labels from conflicting with those used by other software.

labels:
  com.example.description: "Accounting webapp"
  com.example.department: "Finance"
  com.example.label-with-empty-value: ""

labels:
  - "com.example.description=Accounting webapp"
  - "com.example.department=Finance"
  - "com.example.label-with-empty-value"

links

Warning: >The --link flag is a legacy feature of Docker. It may eventually be removed. Unless you absolutely need to continue using it, we recommend that you use user-defined networks to facilitate communication between two containers instead of using --link. One feature that user-defined networks do not support that you can do with --link is sharing environmental variables between containers. However, you can use other mechanisms such as volumes to share environment variables between containers in a more controlled way. {:.warning}

Link to containers in another service. Either specify both the service name and a link alias (SERVICE:ALIAS), or just the service name.

web:
  links:
   - db
   - db:database
   - redis

Containers for the linked service will be reachable at a hostname identical to the alias, or the service name if no alias was specified.

Links are not required to enable services to communicate - by default, any service can reach any other service at that service’s name. (See also, the Links topic in Networking in Compose.)

Links also express dependency between services in the same way as depends_on, so they determine the order of service startup.

Notes

  • If you define both links and networks, services with links between them must share at least one network in common in order to communicate.

  • This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

logging

Logging configuration for the service.

logging:
  driver: syslog
  options:
    syslog-address: "tcp://192.168.0.42:123"

The driver name specifies a logging driver for the service's containers, as with the --log-driver option for docker run (documented here).

The default value is json-file.

driver: "json-file"
driver: "syslog"
driver: "none"

Note: Only the json-file and journald drivers make the logs available directly from docker-compose up and docker-compose logs. Using any other driver will not print any logs.

Specify logging options for the logging driver with the options key, as with the --log-opt option for docker run.

Logging options are key-value pairs. An example of syslog options:

driver: "syslog"
options:
  syslog-address: "tcp://192.168.0.42:123"

The default driver json-file, has options to limit the amount of logs stored. To do this, use a key-value pair for maximum storage size and maximum number of files:

options:
  max-size: "200k"
  max-file: "10"

The example shown above would store log files until they reach a max-size of 200kB, and then rotate them. The amount of individual log files stored is specified by the max-file value. As logs grow beyond the max limits, older log files are removed to allow storage of new logs.

Here is an example docker-compose.yml file that limits logging storage:

services:
  some-service:
    image: some-service
    logging:
      driver: "json-file"
      options:
        max-size: "200k"
        max-file: "10"

Logging options available depend on which logging driver you use

The above example for controlling log files and sizes uses options specific to the json-file driver. These particular options are not available on other logging drivers. For a full list of supported logging drivers and their options, see logging drivers.

network_mode

Network mode. Use the same values as the docker client --net parameter, plus the special form service:[service name].

network_mode: "bridge"
network_mode: "host"
network_mode: "none"
network_mode: "service:[service name]"
network_mode: "container:[container name/id]"

Notes

networks

Networks to join, referencing entries under the top-level networks key.

services:
  some-service:
    networks:
     - some-network
     - other-network

aliases

Aliases (alternative hostnames) for this service on the network. Other containers on the same network can use either the service name or this alias to connect to one of the service's containers.

Since aliases is network-scoped, the same service can have different aliases on different networks.

Note: A network-wide alias can be shared by multiple containers, and even by multiple services. If it is, then exactly which container the name will resolve to is not guaranteed.

The general format is shown here.

services:
  some-service:
    networks:
      some-network:
        aliases:
         - alias1
         - alias3
      other-network:
        aliases:
         - alias2

In the example below, three services are provided (web, worker, and db), along with two networks (new and legacy). The db service is reachable at the hostname db or database on the new network, and at db or mysql on the legacy network.

version: '2'

services:
  web:
    build: ./web
    networks:
      - new

  worker:
    build: ./worker
    networks:
      - legacy

  db:
    image: mysql
    networks:
      new:
        aliases:
          - database
      legacy:
        aliases:
          - mysql

networks:
  new:
  legacy:

ipv4_address, ipv6_address

Specify a static IP address for containers for this service when joining the network.

The corresponding network configuration in the top-level networks section must have an ipam block with subnet configurations covering each static address. If IPv6 addressing is desired, the enable_ipv6 option must be set, and you must use a version 2.x Compose file, such as the one below.

An example:

version: '2.1'

services:
  app:
    image: busybox
    command: ifconfig
    networks:
      app_net:
        ipv4_address: 172.16.238.10
        ipv6_address: 2001:3984:3989::10

networks:
  app_net:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
      -
        subnet: 172.16.238.0/24
      -
        subnet: 2001:3984:3989::/64

pid

pid: "host"

Sets the PID mode to the host PID mode. This turns on sharing between container and the host operating system the PID address space. Containers launched with this flag will be able to access and manipulate other containers in the bare-metal machine's namespace and vise-versa.

ports

Expose ports.

Short syntax

Either specify both ports (HOST:CONTAINER), or just the container port (a random host port will be chosen).

Note: When mapping ports in the HOST:CONTAINER format, you may experience erroneous results when using a container port lower than 60, because YAML will parse numbers in the format xx:yy as sexagesimal (base 60). For this reason, we recommend always explicitly specifying your port mappings as strings.

ports:
 - "3000"
 - "3000-3005"
 - "8000:8000"
 - "9090-9091:8080-8081"
 - "49100:22"
 - "127.0.0.1:8001:8001"
 - "127.0.0.1:5000-5010:5000-5010"
 - "6060:6060/udp"

Long syntax

The long form syntax allows the configuration of additional fields that can't be expressed in the short form.

  • target: the port inside the container
  • published: the publicly exposed port
  • protocol: the port protocol (tcp or udp)
  • mode: host for publishing a host port on each node, or ingress for a swarm mode port which will be load balanced.
ports:
  - target: 80
    published: 8080
    protocol: tcp
    mode: host

Note: The long syntax is new in v3.2

secrets

Grant access to secrets on a per-service basis using the per-service secrets configuration. Two different syntax variants are supported.

Note: The secret must already exist or be defined in the top-level secrets configuration of this stack file, or stack deployment will fail.

For more information on secrets, see secrets.

Short syntax

The short syntax variant only specifies the secret name. This grants the container access to the secret and mounts it at /run/secrets/<secret_name> within the container. The source name and destination mountpoint are both set to the secret name.

The following example uses the short syntax to grant the redis service access to the my_secret and my_other_secret secrets. The value of my_secret is set to the contents of the file ./my_secret.txt, and my_other_secret is defined as an external resource, which means that it has already been defined in Docker, either by running the docker secret create command or by another stack deployment. If the external secret does not exist, the stack deployment fails with a secret not found error.

version: "3.1"
services:
  redis:
    image: redis:latest
    deploy:
      replicas: 1
    secrets:
      - my_secret
      - my_other_secret
secrets:
  my_secret:
    file: ./my_secret.txt
  my_other_secret:
    external: true

Long syntax

The long syntax provides more granularity in how the secret is created within the service's task containers.

  • source: The name of the secret as it exists in Docker.
  • target: The name of the file that will be mounted in /run/secrets/ in the service's task containers. Defaults to source if not specified.
  • uid and gid: The numeric UID or GID which will own the file within /run/secrets/ in the service's task containers. Both default to 0 if not specified.
  • mode: The permissions for the file that will be mounted in /run/secrets/ in the service's task containers, in octal notation. For instance, 0444 represents world-readable. The default in Docker 1.13.1 is 0000, but will be 0444 in the future. Secrets cannot be writable because they are mounted in a temporary filesystem, so if you set the writable bit, it is ignored. The executable bit can be set. If you aren't familiar with UNIX file permission modes, you may find this permissions calculator{: target="blank" class="" } useful.

The following example sets name of the my_secret to redis_secret within the container, sets the mode to 0440 (group-readable) and sets the user and group to 103. The redis service does not have access to the my_other_secret secret.

version: "3.1"
services:
  redis:
    image: redis:latest
    deploy:
      replicas: 1
    secrets:
      - source: my_secret
        target: redis_secret
        uid: '103'
        gid: '103'
        mode: 0440
secrets:
  my_secret:
    file: ./my_secret.txt
  my_other_secret:
    external: true

You can grant a service access to multiple secrets and you can mix long and short syntax. Defining a secret does not imply granting a service access to it.

security_opt

Override the default labeling scheme for each container.

security_opt:
  - label:user:USER
  - label:role:ROLE

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

stop_grace_period

Specify how long to wait when attempting to stop a container if it doesn't handle SIGTERM (or whatever stop signal has been specified with stop_signal), before sending SIGKILL. Specified as a duration.

stop_grace_period: 1s
stop_grace_period: 1m30s

By default, stop waits 10 seconds for the container to exit before sending SIGKILL.

stop_signal

Sets an alternative signal to stop the container. By default stop uses SIGTERM. Setting an alternative signal using stop_signal will cause stop to send that signal instead.

stop_signal: SIGUSR1

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

sysctls

Kernel parameters to set in the container. You can use either an array or a dictionary.

sysctls:
  net.core.somaxconn: 1024
  net.ipv4.tcp_syncookies: 0

sysctls:
  - net.core.somaxconn=1024
  - net.ipv4.tcp_syncookies=0

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

ulimits

Override the default ulimits for a container. You can either specify a single limit as an integer or soft/hard limits as a mapping.

ulimits:
  nproc: 65535
  nofile:
    soft: 20000
    hard: 40000

userns_mode

userns_mode: "host"

Disables the user namespace for this service, if Docker daemon is configured with user namespaces. See dockerd for more information.

Note: This option is ignored when deploying a stack in swarm mode with a (version 3) Compose file.

volumes

Mount host paths or named volumes, specified as sub-options to a service.

You can mount a host path as part of a definition for a single service, and there is no need to define it in the top level volumes key.

But, if you want to reuse a volume across multiple services, then define a named volume in the top-level volumes key. Use named volumes with services, swarms, and stack files.

Note: The top-level volumes key defines a named volume and references it from each service's volumes list. This replaces volumes_from in earlier versions of the Compose file format. See Use volumes and Volume Plugins for general information on volumes.

This example shows a named volume (mydata) being used by the web service, and a bind mount defined for a single service (first path under db service volumes). The db service also uses a named volume called dbdata (second path under db service volumes), but defines it using the old string format for mounting a named volume. Named volumes must be listed under the top-level volumes key, as shown.

version: "3.2"
services:
  web:
    image: nginx:alpine
    volumes:
      - type: volume
        source: mydata
        target: /data
        volume:
          nocopy: true
      - type: bind
        source: ./static
        target: /opt/app/static

  db:
    image: postgres:latest
    volumes:
      - "/var/run/postgres/postgres.sock:/var/run/postgres/postgres.sock"
      - "dbdata:/var/lib/postgresql/data"

volumes:
  mydata:
  dbdata:

Note: See Use volumes and Volume Plugins for general information on volumes.

Short syntax

Optionally specify a path on the host machine (HOST:CONTAINER), or an access mode (HOST:CONTAINER:ro).

You can mount a relative path on the host, which will expand relative to the directory of the Compose configuration file being used. Relative paths should always begin with . or ...

volumes:
  # Just specify a path and let the Engine create a volume
  - /var/lib/mysql

  # Specify an absolute path mapping
  - /opt/data:/var/lib/mysql

  # Path on the host, relative to the Compose file
  - ./cache:/tmp/cache

  # User-relative path
  - ~/configs:/etc/configs/:ro

  # Named volume
  - datavolume:/var/lib/mysql

Long syntax

The long form syntax allows the configuration of additional fields that can't be expressed in the short form.

  • type: the mount type volume, bind or tmpfs
  • source: the source of the mount, a path on the host for a bind mount, or the name of a volume defined in the top-level volumes key. Not applicable for a tmpfs mount.
  • target: the path in the container where the volume will be mounted
  • read_only: flag to set the volume as read-only
  • bind: configure additional bind options
    • propagation: the propagation mode used for the bind
  • volume: configure additional volume options
    • nocopy: flag to disable copying of data from a container when a volume is created
version: "3.2"
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - type: volume
        source: mydata
        target: /data
        volume:
          nocopy: true
      - type: bind
        source: ./static
        target: /opt/app/static

networks:
  webnet:

volumes:
  mydata:

Note: The long syntax is new in v3.2

Volumes for services, swarms, and stack files

When working with services, swarms, and docker-stack.yml files, keep in mind that the tasks (containers) backing a service can be deployed on any node in a swarm, which may be a different node each time the service is updated.

In the absence of having named volumes with specified sources, Docker creates an anonymous volume for each task backing a service. Anonymous volumes do not persist after the associated containers are removed.

If you want your data to persist, use a named volume and a volume driver that is multi-host aware, so that the data is accessible from any node. Or, set constraints on the service so that its tasks are deployed on a node that has the volume present.

As an example, the docker-stack.yml file for the votingapp sample in Docker Labs defines a service called db that runs a postgres database. It is configured as a named volume in order to persist the data on the swarm, and is constrained to run only on manager nodes. Here is the relevant snip-it from that file:

version: "3"
services:
  db:
    image: postgres:9.4
    volumes:
      - db-data:/var/lib/postgresql/data
    networks:
      - backend
    deploy:
      placement:
        constraints: [node.role == manager]

Caching options for volume mounts (Docker for Mac)

On Docker 17.04 CE Edge and up, including 17.06 CE Edge and Stable, you can configure container-and-host consistency requirements for bind-mounted directories in Compose files to allow for better performance on read/write of volume mounts. These options address issues specific to osxfs file sharing, and therefore are only applicable on Docker for Mac.

The flags are:

  • consistent: Full consistency. The container runtime and the host maintain an identical view of the mount at all times. This is the default.

  • cached: The host's view of the mount is authoritative. There may be delays before updates made on the host are visible within a container.

  • delegated: The container runtime's view of the mount is authoritative. There may be delays before updates made in a container are visible on the host.

Here is an example of configuring a volume as cached:

version: '3'
services:
  php:
    image: php:7.1-fpm
    ports:
      - 9000
    volumes:
      - .:/var/www/project:cached

Full detail on these flags, the problems they solve, and their docker run counterparts is in the Docker for Mac topic Performance tuning for volume mounts (shared filesystems).

restart

no is the default restart policy, and it will not restart a container under any circumstance. When always is specified, the container always restarts. The on-failure policy restarts a container if the exit code indicates an on-failure error.

restart: "no"
restart: always
restart: on-failure
restart: unless-stopped

domainname, hostname, ipc, mac_address, privileged, read_only, shm_size, stdin_open, tty, user, working_dir

Each of these is a single value, analogous to its docker run counterpart.

user: postgresql
working_dir: /code

domainname: foo.com
hostname: foo
ipc: host
mac_address: 02:42:ac:11:65:43

privileged: true


read_only: true
shm_size: 64M
stdin_open: true
tty: true

Specifying durations

Some configuration options, such as the interval and timeout sub-options for check, accept a duration as a string in a format that looks like this:

2.5s
10s
1m30s
2h32m
5h34m56s

The supported units are us, ms, s, m and h.

Specifying byte values

Some configuration options, such as the shm_size sub-option for build, accept a byte value as a string in a format that looks like this:

2b
1024kb
2048k
300m
1gb

The supported units are b, k, m and g, and their alternative notation kb, mb and gb. Please note that decimal values are not supported at this time.

Volume configuration reference

While it is possible to declare volumes on the file as part of the service declaration, this section allows you to create named volumes (without relying on volumes_from) that can be reused across multiple services, and are easily retrieved and inspected using the docker command line or API. See the docker volume subcommand documentation for more information.

See Use volumes and Volume Plugins for general information on volumes.

Here's an example of a two-service setup where a database's data directory is shared with another service as a volume so that it can be periodically backed up:

version: "3"

services:
  db:
    image: db
    volumes:
      - data-volume:/var/lib/db
  backup:
    image: backup-service
    volumes:
      - data-volume:/var/lib/backup/data

volumes:
  data-volume:

An entry under the top-level volumes key can be empty, in which case it will use the default driver configured by the Engine (in most cases, this is the local driver). Optionally, you can configure it with the following keys:

driver

Specify which volume driver should be used for this volume. Defaults to whatever driver the Docker Engine has been configured to use, which in most cases is local. If the driver is not available, the Engine will return an error when docker-compose up tries to create the volume.

 driver: foobar

driver_opts

Specify a list of options as key-value pairs to pass to the driver for this volume. Those options are driver-dependent - consult the driver's documentation for more information. Optional.

 driver_opts:
   foo: "bar"
   baz: 1

external

If set to true, specifies that this volume has been created outside of Compose. docker-compose up will not attempt to create it, and will raise an error if it doesn't exist.

external cannot be used in conjunction with other volume configuration keys (driver, driver_opts).

In the example below, instead of attempting to create a volume called [projectname]_data, Compose will look for an existing volume simply called data and mount it into the db service's containers.

version: '2'

services:
  db:
    image: postgres
    volumes:
      - data:/var/lib/postgresql/data

volumes:
  data:
    external: true

You can also specify the name of the volume separately from the name used to refer to it within the Compose file:

volumes:
  data:
    external:
      name: actual-name-of-volume

External volumes are always created with docker stack deploy

External volumes that do not exist will be created if you use docker stack deploy to launch the app in swarm mode (instead of docker compose up). In swarm mode, a volume is automatically created when it is defined by a service. As service tasks are scheduled on new nodes, swarmkit creates the volume on the local node. To learn more, see moby/moby#29976.

labels

Add metadata to containers using Docker labels. You can use either an array or a dictionary.

It's recommended that you use reverse-DNS notation to prevent your labels from conflicting with those used by other software.

labels:
  com.example.description: "Database volume"
  com.example.department: "IT/Ops"
  com.example.label-with-empty-value: ""

labels:
  - "com.example.description=Database volume"
  - "com.example.department=IT/Ops"
  - "com.example.label-with-empty-value"

name

Added in version 3.4 file format

Set a custom name for this volume.

version: '3.4'
volumes:
  data:
    name: my-app-data

It can also be used in conjuction with the external property:

version: '3.4'
volumes:
  data:
    external: true
    name: my-app-data

Network configuration reference

The top-level networks key lets you specify networks to be created.

driver

Specify which driver should be used for this network.

The default driver depends on how the Docker Engine you're using is configured, but in most instances it will be bridge on a single host and overlay on a Swarm.

The Docker Engine will return an error if the driver is not available.

driver: overlay

bridge

Docker defaults to using a bridge network on a single host. For examples of how to work with bridge networks, see the Docker Labs tutorial on Bridge networking.

overlay

The overlay driver creates a named network across multiple nodes in a swarm.

host or none

Use the host's networking stack, or no networking. Equivalent to docker run --net=host or docker run --net=none. Only used if you use docker stack commands. If you use the docker-compose command, use network_mode instead.

The syntax for using built-in networks like host and none is a little different. Define an external network with the name host or none (which Docker has already created automatically) and an alias that Compose can use (hostnet or nonet in these examples), then grant the service access to that network, using the alias.

services:
  web:
    ...
    networks:
      hostnet: {}

networks:
  hostnet:
    external:
      name: host
services:
  web:
    ...
    networks:
      nonet: {}

networks:
  nonet:
    external:
      name: none

driver_opts

Specify a list of options as key-value pairs to pass to the driver for this network. Those options are driver-dependent - consult the driver's documentation for more information. Optional.

  driver_opts:
    foo: "bar"
    baz: 1

attachable

Note: Only supported for v3.2 and higher.

Only used when the driver is set to overlay. If set to true, then standalone containers can attach to this network, in addition to services. If a standalone container attaches to an overlay network, it can communicate with services and standalone containers which are also attached to the overlay network from other Docker daemons.

networks:
  mynet1:
    driver: overlay
    attachable: true

enable_ipv6

Enable IPv6 networking on this network.

Not supported in Compose File version 3

enable_ipv6 requires you to use a version 2 Compose file, as this directive is not yet supported in Swarm mode. {: .warning }

ipam

Specify custom IPAM config. This is an object with several properties, each of which is optional:

  • driver: Custom IPAM driver, instead of the default.
  • config: A list with zero or more config blocks, each containing any of the following keys:
    • subnet: Subnet in CIDR format that represents a network segment

A full example:

ipam:
  driver: default
  config:
    - subnet: 172.28.0.0/16

Note: Additional IPAM configurations, such as gateway, are only honored for version 2 at the moment.

internal

By default, Docker also connects a bridge network to it to provide external connectivity. If you want to create an externally isolated overlay network, you can set this option to true.

labels

Add metadata to containers using Docker labels. You can use either an array or a dictionary.

It's recommended that you use reverse-DNS notation to prevent your labels from conflicting with those used by other software.

labels:
  com.example.description: "Financial transaction network"
  com.example.department: "Finance"
  com.example.label-with-empty-value: ""

labels:
  - "com.example.description=Financial transaction network"
  - "com.example.department=Finance"
  - "com.example.label-with-empty-value"

external

If set to true, specifies that this network has been created outside of Compose. docker-compose up will not attempt to create it, and will raise an error if it doesn't exist.

external cannot be used in conjunction with other network configuration keys (driver, driver_opts, ipam, internal).

In the example below, proxy is the gateway to the outside world. Instead of attempting to create a network called [projectname]_outside, Compose will look for an existing network simply called outside and connect the proxy service's containers to it.

version: '2'

services:
  proxy:
    build: ./proxy
    networks:
      - outside
      - default
  app:
    build: ./app
    networks:
      - default

networks:
  outside:
    external: true

You can also specify the name of the network separately from the name used to refer to it within the Compose file:

networks:
  outside:
    external:
      name: actual-name-of-network

name

Added in version 3.5 file format

Set a custom name for this network.

version: '3.5'
networks:
  network1:
    name: my-app-net

It can also be used in conjuction with the external property:

version: '3.5'
networks:
  network1:
    external: true
    name: my-app-net

configs configuration reference

The top-level configs declaration defines or references configs which can be granted to the services in this stack. The source of the config is either file or external.

  • file: The config is created with the contents of the file at the specified path.
  • external: If set to true, specifies that this config has already been created. Docker will not attempt to create it, and if it does not exist, a config not found error occurs.
  • name: The actual name of the config object in Docker. Introduced with the 3.5 file format.

In this example, my_first_config will be created (as <stack_name>_my_first_config)when the stack is deployed, and my_second_config already exists in Docker.

configs:
  my_first_config:
    file: ./config_data
  my_second_config:
    external: true

Another variant for external configs is when the name of the config in Docker is different from the name that will exist within the service. The following example modifies the previous one to use the external config called redis_config.

configs:
  my_first_config:
    file: ./config_data
  my_second_config:
    external:
      name: redis_config

You still need to grant access to the config to each service in the stack.

secrets configuration reference

The top-level secrets declaration defines or references secrets which can be granted to the services in this stack. The source of the secret is either file or external.

  • file: The secret is created with the contents of the file at the specified path.
  • external: If set to true, specifies that this secret has already been created. Docker will not attempt to create it, and if it does not exist, a secret not found error occurs.
  • name: The actual name of the config object in Docker. Introduced with the 3.5 file format.

In this example, my_first_secret will be created (as <stack_name>_my_first_secret)when the stack is deployed, and my_second_secret already exists in Docker.

secrets:
  my_first_secret:
    file: ./secret_data
  my_second_secret:
    external: true

Another variant for external secrets is when the name of the secret in Docker is different from the name that will exist within the service. The following example modifies the previous one to use the external secret called redis_secret.

secrets:
  my_first_secret:
    file: ./secret_data
  my_second_secret:
    external:
      name: redis_secret

You still need to grant access to the secrets to each service in the stack.

Variable substitution

{% include content/compose-var-sub.md %}

Extension fields

Added in version 3.4 file format.

{% include content/compose-extfields-sub.md %}

Compose documentation