diff --git a/cli/command/service/create.go b/cli/command/service/create.go
index 6e49558609a1..569d94d90559 100644
--- a/cli/command/service/create.go
+++ b/cli/command/service/create.go
@@ -68,6 +68,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 flags.SetAnnotation(flagSysCtl, "version", []string{"1.40"})
 flags.Var(&opts.ulimits, flagUlimit, "Ulimit options")
 flags.SetAnnotation(flagUlimit, "version", []string{"1.41"})
+ flags.Int64Var(&opts.oomScoreAdj, flagOomScoreAdj, 0, "(-1000 to 1000) Increases/Decreases the probability of the process being killed during an OOM event ")
 flags.Var(cliopts.NewListOptsRef(&opts.resources.resGenericResources, ValidateSingleGenericResource), "generic-resource", "User defined resources")
 flags.SetAnnotation(flagHostAdd, "version", []string{"1.32"})
diff --git a/cli/command/service/opts.go b/cli/command/service/opts.go
index c0a30674ec9e..79f545445a03 100644
--- a/cli/command/service/opts.go
+++ b/cli/command/service/opts.go
@@ -529,6 +529,7 @@ type serviceOptions struct {
 capAdd opts.ListOpts
 capDrop opts.ListOpts
 ulimits opts.UlimitOpt
+ oomScoreAdj int64
 resources resourceOptions
 stopGrace opts.DurationOpt
@@ -747,6 +748,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 CapabilityAdd: capAdd,
 CapabilityDrop: capDrop,
 Ulimits: options.ulimits.GetList(),
+ OomScoreAdj: options.oomScoreAdj,
 },
 Networks: networks,
 Resources: resources,
@@ -1043,6 +1045,7 @@ const (
 flagUlimit = "ulimit"
 flagUlimitAdd = "ulimit-add"
 flagUlimitRemove = "ulimit-rm"
+ flagOomScoreAdj = "oom-score-adj"
 )
 func validateAPIVersion(c swarm.ServiceSpec, serverAPIVersion string) error {
diff --git a/cli/command/service/update.go b/cli/command/service/update.go
index e02e19ccc842..441ce99cc86a 100644
--- a/cli/command/service/update.go
+++ b/cli/command/service/update.go
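Review bot: The new `--oom-score-adj` flag in newCreateCommand (create.go) is registered without the `version` annotation that the neighbouring `sysctl` and `ulimit` flags carry, so nothing in this hunk gates it on the daemon API version; add `flags.SetAnnotation(flagOomScoreAdj, "version", []string{"<API_VERSION>"})` with the version that introduced the field. The help text advertises -1000 to 1000, but `Int64Var` accepts any int64 and ToService in opts.go forwards `options.oomScoreAdj` unchanged, so an out-of-range value is rejected, if at all, only by the daemon; a bounds check before the spec is built would fail earlier. Both points apply equally to the same flag in newUpdateCommand in update.go, and the help string ends in a stray space before the closing quote. Since a negative value shields the task from the OOM killer at the expense of other workloads on the node, the description should also say which sign does which.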
@@ -108,6 +108,7 @@ func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
 flags.SetAnnotation(flagUlimitAdd, "version", []string{"1.41"})
 flags.Var(newListOptsVar(), flagUlimitRemove, "Remove a ulimit option")
 flags.SetAnnotation(flagUlimitRemove, "version", []string{"1.41"})
+ flags.Int64Var(&options.oomScoreAdj, flagOomScoreAdj, 0, "(-1000 to 1000) Increases/Decreases the probability of the process being killed during an OOM event ")
 // Add needs parsing, Remove only needs the key
 flags.Var(newListOptsVar(), flagGenericResourcesRemove, "Remove a Generic resource")
@@ -367,6 +368,10 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 updateInt64Value(flagReserveMemory, &task.Resources.Reservations.MemoryBytes)
 }
+ if anyChanged(flags, flagOomScoreAdj) {
+ updateInt64(flagOomScoreAdj, &task.ContainerSpec.OomScoreAdj)
+ }
+
 if err := addGenericResources(flags, task); err != nil {
 return err
 }
diff --git a/cli/compose/convert/service.go b/cli/compose/convert/service.go
index 62cadf57e7e9..44b6de1415c6 100644
--- a/cli/compose/convert/service.go
+++ b/cli/compose/convert/service.go
@@ -148,6 +148,7 @@ func Service(
 CapabilityAdd: capAdd,
 CapabilityDrop: capDrop,
 Ulimits: convertUlimits(service.Ulimits),
+ OomScoreAdj: service.OomScoreAdj,
 },
 LogDriver: logDriver,
 Resources: resources,
diff --git a/cli/compose/loader/interpolate.go b/cli/compose/loader/interpolate.go
index 445cdeb54786..68d3b8c32945 100644
--- a/cli/compose/loader/interpolate.go
+++ b/cli/compose/loader/interpolate.go
@@ -29,6 +29,7 @@ var interpolateTypeCastMapping = map[interp.Path]interp.Cast{
 servicePath("ulimits", interp.PathMatchAll, "hard"): toInt,
 servicePath("ulimits", interp.PathMatchAll, "soft"): toInt,
 servicePath("privileged"): toBoolean,
+ servicePath("oom_score_adj"): toInt,
 servicePath("read_only"): toBoolean,
 servicePath("stdin_open"): toBoolean,
 servicePath("tty"): toBoolean,
diff --git a/cli/compose/schema/data/config_schema_v3.13.json b/cli/compose/schema/data/config_schema_v3.13.json
index 0a85b3e6c508..8daa8892d625 100644
--- a/cli/compose/schema/data/config_schema_v3.13.json
+++ b/cli/compose/schema/data/config_schema_v3.13.json
@@ -287,6 +287,7 @@
 }
 }
 },
+ "oom_score_adj": {"type": "integer"},
 "user": {"type": "string"},
 "userns_mode": {"type": "string"},
 "volumes": {
diff --git a/cli/compose/types/types.go b/cli/compose/types/types.go
index 16417f328aaa..2b929f4d7f36 100644
--- a/cli/compose/types/types.go
+++ b/cli/compose/types/types.go
@@ -207,6 +207,7 @@ type ServiceConfig struct {
 Tty bool `mapstructure:"tty" yaml:"tty,omitempty" json:"tty,omitempty"`
 Ulimits map[string]*UlimitsConfig `yaml:",omitempty" json:"ulimits,omitempty"`
 User string `yaml:",omitempty" json:"user,omitempty"`
+ OomScoreAdj int64 `yaml:",omitempty" json:"oom_score_adj,omitempty"`
 UserNSMode string `mapstructure:"userns_mode" yaml:"userns_mode,omitempty" json:"userns_mode,omitempty"`
 Volumes []ServiceVolumeConfig `yaml:",omitempty" json:"volumes,omitempty"`
 WorkingDir string `mapstructure:"working_dir" yaml:"working_dir,omitempty" json:"working_dir,omitempty"`
diff --git a/docs/reference/commandline/service_create.md b/docs/reference/commandline/service_create.md
index db821e2afe41..ffd413ce61a0 100644
--- a/docs/reference/commandline/service_create.md
+++ b/docs/reference/commandline/service_create.md
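Review bot: The schema entry `"oom_score_adj": {"type": "integer"}` in config_schema_v3.13.json accepts any integer, while the CLI help added in the same commit documents a range of -1000 to 1000. Declaring the bounds here, `"oom_score_adj": {"type": "integer", "minimum": -1000, "maximum": 1000}`, would make a stack file with an out-of-range value fail schema validation instead of reaching convert.Service, which copies `service.OomScoreAdj` into the container spec without a check. The enclosing service definition object starts and ends outside the hunk.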
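Review bot: The new `OomScoreAdj` field in ServiceConfig (types.go) has an unnamed `yaml:",omitempty"` tag and no `mapstructure` tag, whereas the other snake_case keys visible in this hunk, `userns_mode` and `working_dir`, name the key in all three tags. If the loader resolves keys through those tags, as the neighbouring fields suggest, `oom_score_adj` from a compose file may never populate this field and would be written back to YAML under a different key; consider `mapstructure:"oom_score_adj" yaml:"oom_score_adj,omitempty" json:"oom_score_adj,omitempty"`. A loader test that round-trips the key would settle it either way. The struct continues outside the hunk.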
@@ -5,80 +5,81 @@ Create a new service ### Options -| Name | Type | Default | Description | -|:----------------------------------------------------|:------------------|:-------------|:----------------------------------------------------------------------------------------------------| -| `--cap-add` | `list` | | Add Linux capabilities | -| `--cap-drop` | `list` | | Drop Linux capabilities | -| [`--config`](#config) | `config` | | Specify configurations to expose to the service | -| [`--constraint`](#constraint) | `list` | | Placement constraints | -| `--container-label` | `list` | | Container labels | -| `--credential-spec` | `credential-spec` | | Credential spec for managed service account (Windows only) | -| `-d`, `--detach` | `bool` | | Exit immediately instead of waiting for the service to converge | -| `--dns` | `list` | | Set custom DNS servers | -| `--dns-option` | `list` | | Set DNS options | -| `--dns-search` | `list` | | Set custom DNS search domains | -| `--endpoint-mode` | `string` | `vip` | Endpoint mode (vip or dnsrr) | -| `--entrypoint` | `command` | | Overwrite the default ENTRYPOINT of the image | -| [`-e`](#env), [`--env`](#env) | `list` | | Set environment variables | -| `--env-file` | `list` | | Read in a file of environment variables | -| `--generic-resource` | `list` | | User defined resources | -| `--group` | `list` | | Set one or more supplementary user groups for the container | -| `--health-cmd` | `string` | | Command to run to check health | -| `--health-interval` | `duration` | | Time between running the check (ms\|s\|m\|h) | -| `--health-retries` | `int` | `0` | Consecutive failures needed to report unhealthy | -| `--health-start-interval` | `duration` | | Time between running the check during the start period (ms\|s\|m\|h) | -| `--health-start-period` | `duration` | | Start period for the container to initialize before counting retries towards unstable (ms\|s\|m\|h) | -| `--health-timeout` | `duration` | | Maximum time to allow one 
check to run (ms\|s\|m\|h) | -| `--host` | `list` | | Set one or more custom host-to-IP mappings (host:ip) | -| [`--hostname`](#hostname) | `string` | | Container hostname | -| `--init` | `bool` | | Use an init inside each service container to forward signals and reap processes | -| [`--isolation`](#isolation) | `string` | | Service container isolation mode | -| [`-l`](#label), [`--label`](#label) | `list` | | Service labels | -| `--limit-cpu` | `decimal` | | Limit CPUs | -| `--limit-memory` | `bytes` | `0` | Limit Memory | -| `--limit-pids` | `int64` | `0` | Limit maximum number of processes (default 0 = unlimited) | -| `--log-driver` | `string` | | Logging driver for service | -| `--log-opt` | `list` | | Logging driver options | -| `--max-concurrent` | `uint` | | Number of job tasks to run concurrently (default equal to --replicas) | -| `--mode` | `string` | `replicated` | Service mode (`replicated`, `global`, `replicated-job`, `global-job`) | -| [`--mount`](#mount) | `mount` | | Attach a filesystem mount to the service | -| `--name` | `string` | | Service name | -| [`--network`](#network) | `network` | | Network attachments | -| `--no-healthcheck` | `bool` | | Disable any container-specified HEALTHCHECK | -| `--no-resolve-image` | `bool` | | Do not query the registry to resolve image digest and supported platforms | -| [`--placement-pref`](#placement-pref) | `pref` | | Add a placement preference | -| [`-p`](#publish), [`--publish`](#publish) | `port` | | Publish a port as a node port | -| `-q`, `--quiet` | `bool` | | Suppress progress output | -| `--read-only` | `bool` | | Mount the container's root filesystem as read only | -| [`--replicas`](#replicas) | `uint` | | Number of tasks | -| [`--replicas-max-per-node`](#replicas-max-per-node) | `uint64` | `0` | Maximum number of tasks per node (default 0 = unlimited) | -| `--reserve-cpu` | `decimal` | | Reserve CPUs | -| [`--reserve-memory`](#reserve-memory) | `bytes` | `0` | Reserve Memory | -| `--restart-condition` 
| `string` | | Restart when condition is met (`none`, `on-failure`, `any`) (default `any`) | -| `--restart-delay` | `duration` | | Delay between restart attempts (ns\|us\|ms\|s\|m\|h) (default 5s) | -| `--restart-max-attempts` | `uint` | | Maximum number of restarts before giving up | -| `--restart-window` | `duration` | | Window used to evaluate the restart policy (ns\|us\|ms\|s\|m\|h) | -| `--rollback-delay` | `duration` | `0s` | Delay between task rollbacks (ns\|us\|ms\|s\|m\|h) (default 0s) | -| `--rollback-failure-action` | `string` | | Action on rollback failure (`pause`, `continue`) (default `pause`) | -| `--rollback-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during a rollback (default 0) | -| `--rollback-monitor` | `duration` | `0s` | Duration after each task rollback to monitor for failure (ns\|us\|ms\|s\|m\|h) (default 5s) | -| `--rollback-order` | `string` | | Rollback order (`start-first`, `stop-first`) (default `stop-first`) | -| `--rollback-parallelism` | `uint64` | `1` | Maximum number of tasks rolled back simultaneously (0 to roll back all at once) | -| [`--secret`](#secret) | `secret` | | Specify secrets to expose to the service | -| `--stop-grace-period` | `duration` | | Time to wait before force killing a container (ns\|us\|ms\|s\|m\|h) (default 10s) | -| `--stop-signal` | `string` | | Signal to stop the container | -| `--sysctl` | `list` | | Sysctl options | -| `-t`, `--tty` | `bool` | | Allocate a pseudo-TTY | -| `--ulimit` | `ulimit` | | Ulimit options | -| [`--update-delay`](#update-delay) | `duration` | `0s` | Delay between updates (ns\|us\|ms\|s\|m\|h) (default 0s) | -| `--update-failure-action` | `string` | | Action on update failure (`pause`, `continue`, `rollback`) (default `pause`) | -| `--update-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during an update (default 0) | -| `--update-monitor` | `duration` | `0s` | Duration after each task update to monitor for failure (ns\|us\|ms\|s\|m\|h) (default 
5s) | -| `--update-order` | `string` | | Update order (`start-first`, `stop-first`) (default `stop-first`) | -| `--update-parallelism` | `uint64` | `1` | Maximum number of tasks updated simultaneously (0 to update all at once) | -| `-u`, `--user` | `string` | | Username or UID (format: [:]) | -| [`--with-registry-auth`](#with-registry-auth) | `bool` | | Send registry authentication details to swarm agents | -| `-w`, `--workdir` | `string` | | Working directory inside the container | +| Name | Type | Default | Description | +|:----------------------------------------------------|:------------------|:-------------|:-----------------------------------------------------------------------------------------------------| +| `--cap-add` | `list` | | Add Linux capabilities | +| `--cap-drop` | `list` | | Drop Linux capabilities | +| [`--config`](#config) | `config` | | Specify configurations to expose to the service | +| [`--constraint`](#constraint) | `list` | | Placement constraints | +| `--container-label` | `list` | | Container labels | +| `--credential-spec` | `credential-spec` | | Credential spec for managed service account (Windows only) | +| `-d`, `--detach` | `bool` | | Exit immediately instead of waiting for the service to converge | +| `--dns` | `list` | | Set custom DNS servers | +| `--dns-option` | `list` | | Set DNS options | +| `--dns-search` | `list` | | Set custom DNS search domains | +| `--endpoint-mode` | `string` | `vip` | Endpoint mode (vip or dnsrr) | +| `--entrypoint` | `command` | | Overwrite the default ENTRYPOINT of the image | +| [`-e`](#env), [`--env`](#env) | `list` | | Set environment variables | +| `--env-file` | `list` | | Read in a file of environment variables | +| `--generic-resource` | `list` | | User defined resources | +| `--group` | `list` | | Set one or more supplementary user groups for the container | +| `--health-cmd` | `string` | | Command to run to check health | +| `--health-interval` | `duration` | | Time between running the 
check (ms\|s\|m\|h) | +| `--health-retries` | `int` | `0` | Consecutive failures needed to report unhealthy | +| `--health-start-interval` | `duration` | | Time between running the check during the start period (ms\|s\|m\|h) | +| `--health-start-period` | `duration` | | Start period for the container to initialize before counting retries towards unstable (ms\|s\|m\|h) | +| `--health-timeout` | `duration` | | Maximum time to allow one check to run (ms\|s\|m\|h) | +| `--host` | `list` | | Set one or more custom host-to-IP mappings (host:ip) | +| [`--hostname`](#hostname) | `string` | | Container hostname | +| `--init` | `bool` | | Use an init inside each service container to forward signals and reap processes | +| [`--isolation`](#isolation) | `string` | | Service container isolation mode | +| [`-l`](#label), [`--label`](#label) | `list` | | Service labels | +| `--limit-cpu` | `decimal` | | Limit CPUs | +| `--limit-memory` | `bytes` | `0` | Limit Memory | +| `--limit-pids` | `int64` | `0` | Limit maximum number of processes (default 0 = unlimited) | +| `--log-driver` | `string` | | Logging driver for service | +| `--log-opt` | `list` | | Logging driver options | +| `--max-concurrent` | `uint` | | Number of job tasks to run concurrently (default equal to --replicas) | +| `--mode` | `string` | `replicated` | Service mode (`replicated`, `global`, `replicated-job`, `global-job`) | +| [`--mount`](#mount) | `mount` | | Attach a filesystem mount to the service | +| `--name` | `string` | | Service name | +| [`--network`](#network) | `network` | | Network attachments | +| `--no-healthcheck` | `bool` | | Disable any container-specified HEALTHCHECK | +| `--no-resolve-image` | `bool` | | Do not query the registry to resolve image digest and supported platforms | +| `--oom-score-adj` | `int64` | `0` | (-1000 to 1000) Increases/Decreases the probability of the process being killed during an OOM event | +| [`--placement-pref`](#placement-pref) | `pref` | | Add a placement 
preference | +| [`-p`](#publish), [`--publish`](#publish) | `port` | | Publish a port as a node port | +| `-q`, `--quiet` | `bool` | | Suppress progress output | +| `--read-only` | `bool` | | Mount the container's root filesystem as read only | +| [`--replicas`](#replicas) | `uint` | | Number of tasks | +| [`--replicas-max-per-node`](#replicas-max-per-node) | `uint64` | `0` | Maximum number of tasks per node (default 0 = unlimited) | +| `--reserve-cpu` | `decimal` | | Reserve CPUs | +| [`--reserve-memory`](#reserve-memory) | `bytes` | `0` | Reserve Memory | +| `--restart-condition` | `string` | | Restart when condition is met (`none`, `on-failure`, `any`) (default `any`) | +| `--restart-delay` | `duration` | | Delay between restart attempts (ns\|us\|ms\|s\|m\|h) (default 5s) | +| `--restart-max-attempts` | `uint` | | Maximum number of restarts before giving up | +| `--restart-window` | `duration` | | Window used to evaluate the restart policy (ns\|us\|ms\|s\|m\|h) | +| `--rollback-delay` | `duration` | `0s` | Delay between task rollbacks (ns\|us\|ms\|s\|m\|h) (default 0s) | +| `--rollback-failure-action` | `string` | | Action on rollback failure (`pause`, `continue`) (default `pause`) | +| `--rollback-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during a rollback (default 0) | +| `--rollback-monitor` | `duration` | `0s` | Duration after each task rollback to monitor for failure (ns\|us\|ms\|s\|m\|h) (default 5s) | +| `--rollback-order` | `string` | | Rollback order (`start-first`, `stop-first`) (default `stop-first`) | +| `--rollback-parallelism` | `uint64` | `1` | Maximum number of tasks rolled back simultaneously (0 to roll back all at once) | +| [`--secret`](#secret) | `secret` | | Specify secrets to expose to the service | +| `--stop-grace-period` | `duration` | | Time to wait before force killing a container (ns\|us\|ms\|s\|m\|h) (default 10s) | +| `--stop-signal` | `string` | | Signal to stop the container | +| `--sysctl` | `list` | | Sysctl 
options | +| `-t`, `--tty` | `bool` | | Allocate a pseudo-TTY | +| `--ulimit` | `ulimit` | | Ulimit options | +| [`--update-delay`](#update-delay) | `duration` | `0s` | Delay between updates (ns\|us\|ms\|s\|m\|h) (default 0s) | +| `--update-failure-action` | `string` | | Action on update failure (`pause`, `continue`, `rollback`) (default `pause`) | +| `--update-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during an update (default 0) | +| `--update-monitor` | `duration` | `0s` | Duration after each task update to monitor for failure (ns\|us\|ms\|s\|m\|h) (default 5s) | +| `--update-order` | `string` | | Update order (`start-first`, `stop-first`) (default `stop-first`) | +| `--update-parallelism` | `uint64` | `1` | Maximum number of tasks updated simultaneously (0 to update all at once) | +| `-u`, `--user` | `string` | | Username or UID (format: [:]) | +| [`--with-registry-auth`](#with-registry-auth) | `bool` | | Send registry authentication details to swarm agents | +| `-w`, `--workdir` | `string` | | Working directory inside the container | diff --git a/docs/reference/commandline/service_update.md b/docs/reference/commandline/service_update.md index 634b95dac367..468f93ff9a23 100644 --- a/docs/reference/commandline/service_update.md +++ b/docs/reference/commandline/service_update.md 
@@ -5,99 +5,100 @@ Update a service ### Options -| Name | Type | Default | Description | -|:----------------------------------------------|:------------------|:--------|:----------------------------------------------------------------------------------------------------| -| `--args` | `command` | | Service command args | -| `--cap-add` | `list` | | Add Linux capabilities | -| `--cap-drop` | `list` | | Drop Linux capabilities | -| `--config-add` | `config` | | Add or update a config file on a service | -| `--config-rm` | `list` | | Remove a configuration file | -| `--constraint-add` | `list` | | Add or update a placement constraint | -| `--constraint-rm` | `list` | | Remove a constraint | -| `--container-label-add` | `list` | | Add or update a container label | -| `--container-label-rm` | `list` | | Remove a container label by its key | -| `--credential-spec` | `credential-spec` | | Credential spec for managed service account (Windows only) | -| `-d`, `--detach` | `bool` | | Exit immediately instead of waiting for the service to converge | -| `--dns-add` | `list` | | Add or update a custom DNS server | -| `--dns-option-add` | `list` | | Add or update a DNS option | -| `--dns-option-rm` | `list` | | Remove a DNS option | -| `--dns-rm` | `list` | | Remove a custom DNS server | -| `--dns-search-add` | `list` | | Add or update a custom DNS search domain | -| `--dns-search-rm` | `list` | | Remove a DNS search domain | -| `--endpoint-mode` | `string` | | Endpoint mode (vip or dnsrr) | -| `--entrypoint` | `command` | | Overwrite the default ENTRYPOINT of the image | -| `--env-add` | `list` | | Add or update an environment variable | -| `--env-rm` | `list` | | Remove an environment variable | -| `--force` | `bool` | | Force update even if no changes require it | -| `--generic-resource-add` | `list` | | Add a Generic resource | -| `--generic-resource-rm` | `list` | | Remove a Generic resource | -| `--group-add` | `list` | | Add an additional supplementary user group to the 
container | -| `--group-rm` | `list` | | Remove a previously added supplementary user group from the container | -| `--health-cmd` | `string` | | Command to run to check health | -| `--health-interval` | `duration` | | Time between running the check (ms\|s\|m\|h) | -| `--health-retries` | `int` | `0` | Consecutive failures needed to report unhealthy | -| `--health-start-interval` | `duration` | | Time between running the check during the start period (ms\|s\|m\|h) | -| `--health-start-period` | `duration` | | Start period for the container to initialize before counting retries towards unstable (ms\|s\|m\|h) | -| `--health-timeout` | `duration` | | Maximum time to allow one check to run (ms\|s\|m\|h) | -| `--host-add` | `list` | | Add a custom host-to-IP mapping (`host:ip`) | -| `--host-rm` | `list` | | Remove a custom host-to-IP mapping (`host:ip`) | -| `--hostname` | `string` | | Container hostname | -| `--image` | `string` | | Service image tag | -| `--init` | `bool` | | Use an init inside each service container to forward signals and reap processes | -| [`--isolation`](#isolation) | `string` | | Service container isolation mode | -| `--label-add` | `list` | | Add or update a service label | -| `--label-rm` | `list` | | Remove a label by its key | -| `--limit-cpu` | `decimal` | | Limit CPUs | -| `--limit-memory` | `bytes` | `0` | Limit Memory | -| `--limit-pids` | `int64` | `0` | Limit maximum number of processes (default 0 = unlimited) | -| `--log-driver` | `string` | | Logging driver for service | -| `--log-opt` | `list` | | Logging driver options | -| `--max-concurrent` | `uint` | | Number of job tasks to run concurrently (default equal to --replicas) | -| [`--mount-add`](#mount-add) | `mount` | | Add or update a mount on a service | -| `--mount-rm` | `list` | | Remove a mount by its target path | -| [`--network-add`](#network-add) | `network` | | Add a network | -| `--network-rm` | `list` | | Remove a network | -| `--no-healthcheck` | `bool` | | Disable any 
container-specified HEALTHCHECK | -| `--no-resolve-image` | `bool` | | Do not query the registry to resolve image digest and supported platforms | -| `--placement-pref-add` | `pref` | | Add a placement preference | -| `--placement-pref-rm` | `pref` | | Remove a placement preference | -| [`--publish-add`](#publish-add) | `port` | | Add or update a published port | -| `--publish-rm` | `port` | | Remove a published port by its target port | -| `-q`, `--quiet` | `bool` | | Suppress progress output | -| `--read-only` | `bool` | | Mount the container's root filesystem as read only | -| `--replicas` | `uint` | | Number of tasks | -| `--replicas-max-per-node` | `uint64` | `0` | Maximum number of tasks per node (default 0 = unlimited) | -| `--reserve-cpu` | `decimal` | | Reserve CPUs | -| `--reserve-memory` | `bytes` | `0` | Reserve Memory | -| `--restart-condition` | `string` | | Restart when condition is met (`none`, `on-failure`, `any`) | -| `--restart-delay` | `duration` | | Delay between restart attempts (ns\|us\|ms\|s\|m\|h) | -| `--restart-max-attempts` | `uint` | | Maximum number of restarts before giving up | -| `--restart-window` | `duration` | | Window used to evaluate the restart policy (ns\|us\|ms\|s\|m\|h) | -| [`--rollback`](#rollback) | `bool` | | Rollback to previous specification | -| `--rollback-delay` | `duration` | `0s` | Delay between task rollbacks (ns\|us\|ms\|s\|m\|h) | -| `--rollback-failure-action` | `string` | | Action on rollback failure (`pause`, `continue`) | -| `--rollback-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during a rollback | -| `--rollback-monitor` | `duration` | `0s` | Duration after each task rollback to monitor for failure (ns\|us\|ms\|s\|m\|h) | -| `--rollback-order` | `string` | | Rollback order (`start-first`, `stop-first`) | -| `--rollback-parallelism` | `uint64` | `0` | Maximum number of tasks rolled back simultaneously (0 to roll back all at once) | -| [`--secret-add`](#secret-add) | `secret` | | Add or 
update a secret on a service | -| `--secret-rm` | `list` | | Remove a secret | -| `--stop-grace-period` | `duration` | | Time to wait before force killing a container (ns\|us\|ms\|s\|m\|h) | -| `--stop-signal` | `string` | | Signal to stop the container | -| `--sysctl-add` | `list` | | Add or update a Sysctl option | -| `--sysctl-rm` | `list` | | Remove a Sysctl option | -| `-t`, `--tty` | `bool` | | Allocate a pseudo-TTY | -| `--ulimit-add` | `ulimit` | | Add or update a ulimit option | -| `--ulimit-rm` | `list` | | Remove a ulimit option | -| `--update-delay` | `duration` | `0s` | Delay between updates (ns\|us\|ms\|s\|m\|h) | -| `--update-failure-action` | `string` | | Action on update failure (`pause`, `continue`, `rollback`) | -| `--update-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during an update | -| `--update-monitor` | `duration` | `0s` | Duration after each task update to monitor for failure (ns\|us\|ms\|s\|m\|h) | -| `--update-order` | `string` | | Update order (`start-first`, `stop-first`) | -| [`--update-parallelism`](#update-parallelism) | `uint64` | `0` | Maximum number of tasks updated simultaneously (0 to update all at once) | -| `-u`, `--user` | `string` | | Username or UID (format: [:]) | -| `--with-registry-auth` | `bool` | | Send registry authentication details to swarm agents | -| `-w`, `--workdir` | `string` | | Working directory inside the container | +| Name | Type | Default | Description | +|:----------------------------------------------|:------------------|:--------|:-----------------------------------------------------------------------------------------------------| +| `--args` | `command` | | Service command args | +| `--cap-add` | `list` | | Add Linux capabilities | +| `--cap-drop` | `list` | | Drop Linux capabilities | +| `--config-add` | `config` | | Add or update a config file on a service | +| `--config-rm` | `list` | | Remove a configuration file | +| `--constraint-add` | `list` | | Add or update a placement 
constraint | +| `--constraint-rm` | `list` | | Remove a constraint | +| `--container-label-add` | `list` | | Add or update a container label | +| `--container-label-rm` | `list` | | Remove a container label by its key | +| `--credential-spec` | `credential-spec` | | Credential spec for managed service account (Windows only) | +| `-d`, `--detach` | `bool` | | Exit immediately instead of waiting for the service to converge | +| `--dns-add` | `list` | | Add or update a custom DNS server | +| `--dns-option-add` | `list` | | Add or update a DNS option | +| `--dns-option-rm` | `list` | | Remove a DNS option | +| `--dns-rm` | `list` | | Remove a custom DNS server | +| `--dns-search-add` | `list` | | Add or update a custom DNS search domain | +| `--dns-search-rm` | `list` | | Remove a DNS search domain | +| `--endpoint-mode` | `string` | | Endpoint mode (vip or dnsrr) | +| `--entrypoint` | `command` | | Overwrite the default ENTRYPOINT of the image | +| `--env-add` | `list` | | Add or update an environment variable | +| `--env-rm` | `list` | | Remove an environment variable | +| `--force` | `bool` | | Force update even if no changes require it | +| `--generic-resource-add` | `list` | | Add a Generic resource | +| `--generic-resource-rm` | `list` | | Remove a Generic resource | +| `--group-add` | `list` | | Add an additional supplementary user group to the container | +| `--group-rm` | `list` | | Remove a previously added supplementary user group from the container | +| `--health-cmd` | `string` | | Command to run to check health | +| `--health-interval` | `duration` | | Time between running the check (ms\|s\|m\|h) | +| `--health-retries` | `int` | `0` | Consecutive failures needed to report unhealthy | +| `--health-start-interval` | `duration` | | Time between running the check during the start period (ms\|s\|m\|h) | +| `--health-start-period` | `duration` | | Start period for the container to initialize before counting retries towards unstable (ms\|s\|m\|h) | +| 
`--health-timeout` | `duration` | | Maximum time to allow one check to run (ms\|s\|m\|h) | +| `--host-add` | `list` | | Add a custom host-to-IP mapping (`host:ip`) | +| `--host-rm` | `list` | | Remove a custom host-to-IP mapping (`host:ip`) | +| `--hostname` | `string` | | Container hostname | +| `--image` | `string` | | Service image tag | +| `--init` | `bool` | | Use an init inside each service container to forward signals and reap processes | +| [`--isolation`](#isolation) | `string` | | Service container isolation mode | +| `--label-add` | `list` | | Add or update a service label | +| `--label-rm` | `list` | | Remove a label by its key | +| `--limit-cpu` | `decimal` | | Limit CPUs | +| `--limit-memory` | `bytes` | `0` | Limit Memory | +| `--limit-pids` | `int64` | `0` | Limit maximum number of processes (default 0 = unlimited) | +| `--log-driver` | `string` | | Logging driver for service | +| `--log-opt` | `list` | | Logging driver options | +| `--max-concurrent` | `uint` | | Number of job tasks to run concurrently (default equal to --replicas) | +| [`--mount-add`](#mount-add) | `mount` | | Add or update a mount on a service | +| `--mount-rm` | `list` | | Remove a mount by its target path | +| [`--network-add`](#network-add) | `network` | | Add a network | +| `--network-rm` | `list` | | Remove a network | +| `--no-healthcheck` | `bool` | | Disable any container-specified HEALTHCHECK | +| `--no-resolve-image` | `bool` | | Do not query the registry to resolve image digest and supported platforms | +| `--oom-score-adj` | `int64` | `0` | (-1000 to 1000) Increases/Decreases the probability of the process being killed during an OOM event | +| `--placement-pref-add` | `pref` | | Add a placement preference | +| `--placement-pref-rm` | `pref` | | Remove a placement preference | +| [`--publish-add`](#publish-add) | `port` | | Add or update a published port | +| `--publish-rm` | `port` | | Remove a published port by its target port | +| `-q`, `--quiet` | `bool` | | 
Suppress progress output | +| `--read-only` | `bool` | | Mount the container's root filesystem as read only | +| `--replicas` | `uint` | | Number of tasks | +| `--replicas-max-per-node` | `uint64` | `0` | Maximum number of tasks per node (default 0 = unlimited) | +| `--reserve-cpu` | `decimal` | | Reserve CPUs | +| `--reserve-memory` | `bytes` | `0` | Reserve Memory | +| `--restart-condition` | `string` | | Restart when condition is met (`none`, `on-failure`, `any`) | +| `--restart-delay` | `duration` | | Delay between restart attempts (ns\|us\|ms\|s\|m\|h) | +| `--restart-max-attempts` | `uint` | | Maximum number of restarts before giving up | +| `--restart-window` | `duration` | | Window used to evaluate the restart policy (ns\|us\|ms\|s\|m\|h) | +| [`--rollback`](#rollback) | `bool` | | Rollback to previous specification | +| `--rollback-delay` | `duration` | `0s` | Delay between task rollbacks (ns\|us\|ms\|s\|m\|h) | +| `--rollback-failure-action` | `string` | | Action on rollback failure (`pause`, `continue`) | +| `--rollback-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during a rollback | +| `--rollback-monitor` | `duration` | `0s` | Duration after each task rollback to monitor for failure (ns\|us\|ms\|s\|m\|h) | +| `--rollback-order` | `string` | | Rollback order (`start-first`, `stop-first`) | +| `--rollback-parallelism` | `uint64` | `0` | Maximum number of tasks rolled back simultaneously (0 to roll back all at once) | +| [`--secret-add`](#secret-add) | `secret` | | Add or update a secret on a service | +| `--secret-rm` | `list` | | Remove a secret | +| `--stop-grace-period` | `duration` | | Time to wait before force killing a container (ns\|us\|ms\|s\|m\|h) | +| `--stop-signal` | `string` | | Signal to stop the container | +| `--sysctl-add` | `list` | | Add or update a Sysctl option | +| `--sysctl-rm` | `list` | | Remove a Sysctl option | +| `-t`, `--tty` | `bool` | | Allocate a pseudo-TTY | +| `--ulimit-add` | `ulimit` | | Add or update 
a ulimit option | +| `--ulimit-rm` | `list` | | Remove a ulimit option | +| `--update-delay` | `duration` | `0s` | Delay between updates (ns\|us\|ms\|s\|m\|h) | +| `--update-failure-action` | `string` | | Action on update failure (`pause`, `continue`, `rollback`) | +| `--update-max-failure-ratio` | `float` | `0` | Failure rate to tolerate during an update | +| `--update-monitor` | `duration` | `0s` | Duration after each task update to monitor for failure (ns\|us\|ms\|s\|m\|h) | +| `--update-order` | `string` | | Update order (`start-first`, `stop-first`) | +| [`--update-parallelism`](#update-parallelism) | `uint64` | `0` | Maximum number of tasks updated simultaneously (0 to update all at once) | +| `-u`, `--user` | `string` | | Username or UID (format: [:]) | +| `--with-registry-auth` | `bool` | | Send registry authentication details to swarm agents | +| `-w`, `--workdir` | `string` | | Working directory inside the container |