DOCKER(8)                       SEPTEMBER 2015                       DOCKER(8)

NAME

       dockerd - Enable daemon mode

SYNOPSIS

       dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
       [--api-cors-header[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
       [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
       [--cluster-store[=[]]] [--cluster-advertise[=[]]]
       [--cluster-store-opt[=map[]]] [--config-file[=/etc/docker/daemon.json]]
       [--containerd[=SOCKET-PATH]] [--data-root[=/var/lib/docker]]
       [-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]]
       [--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
       [--default-address-pool[=DEFAULT-ADDRESS-POOL]]
       [--default-runtime[=runc]] [--default-ipc-mode=MODE]
       [--default-shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]]
       [--dns-opt[=[]]] [--dns-search[=[]]] [--exec-opt[=[]]]
       [--exec-root[=/var/run/docker]] [--experimental[=false]]
       [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
       [-G|--group[=docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
       [--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
       [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
       [--iptables[=true]] [--ipv6] [--isolation[=default]]
       [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
       [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
       [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
       [--node-generic-resources[=[]]] [-p|--pidfile[=/var/run/docker.pid]]
       [--raw-logs] [--registry-mirror[=[]]]
       [-s|--storage-driver[=STORAGE-DRIVER]]
       [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
       [--shutdown-timeout[=15]] [--storage-opt[=[]]]
       [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
       [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
       [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
       [--userland-proxy-path[=""]] [--userns-remap[=default]]

DESCRIPTION

       dockerd starts the Docker daemon, the server process that manages
       images, containers, etc.

       To run the Docker daemon, invoke dockerd.  You can check the daemon
       options using dockerd --help.  Daemon options should be specified
       after the dockerd keyword in the following format.

       dockerd [OPTIONS]

OPTIONS

       --add-runtime=[]
         Runtimes can be registered with the daemon either via the
         configuration file or using the --add-runtime command line argument.

         The following is an example adding 2 runtimes via the configuration:

                {
                     "default-runtime": "runc",
                     "runtimes": {
                          "runc": {
                               "path": "runc"
                          },
                          "custom": {
                               "path": "/usr/local/bin/my-runc-replacement",
                               "runtimeArgs": [
                                    "--debug"
                               ]
                          }
                     }
                }

         This is the same example via the command line:

                $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

         Note: defining runtime arguments via the command line is not supported.

       --allow-nondistributable-artifacts=[]
         Push nondistributable artifacts to the specified registries.

         List can contain elements with CIDR notation to specify a whole
         subnet.

         This option is useful when pushing images containing nondistributable
         artifacts to a registry on an air-gapped network so hosts on that
         network can pull the images without connecting to another server.

         Warning: Nondistributable artifacts typically have restrictions on
         how and where they can be distributed and shared. Only use this
         feature to push artifacts to private registries and ensure that you
         are in compliance with any terms that cover redistributing
         nondistributable artifacts.

       --api-cors-header=""
         Set CORS headers in the Engine API. Default is CORS disabled. Give
         URLs like "http://foo, http://bar, ...". Give "*" to allow all.

       --authorization-plugin=""
         Set authorization plugins to load.

       -b, --bridge=""
         Attach containers to a pre-existing network bridge; use 'none' to
         disable container networking.

       --bip=""
         Use the provided CIDR notation address for the dynamically created
         bridge (docker0); mutually exclusive with -b.

       --cgroup-parent=""
         Set parent cgroup for all containers. Default is "/docker" for fs
         cgroup driver and "system.slice" for systemd cgroup driver.

       --cluster-store=""
         URL of the distributed storage backend.

       --cluster-advertise=""
         Specifies the 'host:port' or interface:port combination that this
         particular daemon instance should use when advertising itself to the
         cluster. The daemon is reached through this value.

       --cluster-store-opt=""
         Specifies options for the Key/Value store.

       --config-file="/etc/docker/daemon.json"
         Specifies the JSON file path to load the configuration from.

       --containerd=""
         Path to containerd socket.

       --data-root=""
         Path to the directory used to store persisted Docker data such as
         configuration for resources, swarm cluster state, and filesystem data
         for images, containers, and local volumes. Default is /var/lib/docker.

       -D, --debug=true|false
         Enable debug mode. Default is false.

       --default-gateway=""
         IPv4 address of the container default gateway; this address must be
         part of the bridge subnet (which is defined by -b or --bip).

       --default-gateway-v6=""
         IPv6 address of the container default gateway.

       --default-address-pool=""
         Default address pool from which IPAM driver selects a subnet for the
         networks. Example: base=172.30.0.0/16,size=24 will set the default
         address pools for the selected scope networks to
         {172.30.[0-255].0/24}.

       --default-runtime="runc"
         Set the default runtime if more than one is specified by
         --add-runtime.

       --default-ipc-mode="private|shareable"
         Set the default IPC mode for newly created containers. The argument
         can either be private or shareable.

       --default-shm-size=64MiB
         Set the daemon-wide default shm size for containers. Default is
         64MiB.

       --default-ulimit=[]
         Default ulimits for containers.

       --dns=""
         Force Docker to use specific DNS servers.

       --dns-opt=""
         DNS options to use.

       --dns-search=[]
         DNS search domains to use.

       --exec-opt=[]
         Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

       --exec-root=""
         Path to use as the root of the Docker execution state files. Default
         is /var/run/docker.

       --experimental=""
         Enable the daemon experimental features.

       --fixed-cidr=""
         IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
         nested in the bridge subnet (which is defined by -b or --bip).

       --fixed-cidr-v6=""
         IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

       -G, --group=""
         Group to assign the unix socket specified by -H when running in
         daemon mode. Use '' (the empty string) to disable setting of a group.
         Default is docker.

       -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
       unix://[/path/to/socket] to use.
         The socket(s) to bind to in daemon mode specified using one or more
         tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

       --help
         Print usage statement.

       --icc=true|false
         Allow unrestricted inter-container and Docker daemon host
         communication. If disabled, containers can still be linked together
         using the --link option (see docker-run(1)). Default is true.

       --init
         Run an init process inside containers for signal forwarding and
         process reaping.

       --init-path
         Path to the docker-init binary.

       --insecure-registry=[]
         Enable insecure registry communication, i.e., enable un-encrypted
         and/or untrusted communication.

         List of insecure registries can contain an element with CIDR notation
         to specify a whole subnet. Insecure registries accept HTTP and/or
         accept HTTPS with certificates from unknown CAs.

         Enabling --insecure-registry is useful when running a local registry.
         However, because its use creates security vulnerabilities it should
         ONLY be enabled for testing purposes.  For increased security, users
         should add their CA to their system's list of trusted CAs instead of
         using --insecure-registry.

       --ip=""
         Default IP address to use when binding container ports. Default is
         0.0.0.0.

       --ip-forward=true|false
         Enables IP forwarding on the Docker host. The default is true. This
         flag interacts with the IP forwarding setting on your host system's
         kernel. If your system has IP forwarding disabled, this setting
         enables it. If your system has IP forwarding enabled, setting this
         flag to --ip-forward=false has no effect.

         This setting will also enable IPv6 forwarding if you have both
         --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
         Router Advertisements and interfere with the host's existing IPv6
         configuration. For more information, please consult the documentation
         about "Advanced Networking - IPv6".

       --ip-masq=true|false
         Enable IP masquerading for bridge's IP range. Default is true.

       --iptables=true|false
         Enable Docker's addition of iptables rules. Default is true.

       --ipv6=true|false
         Enable IPv6 support. Default is false. Docker will create an
         IPv6-enabled bridge with address fe80::1 which will allow you to
         create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
         provide globally routable IPv6 addresses. IPv6 forwarding will be
         enabled if not used with --ip-forward=false. This may collide with
         your host's current IPv6 settings. For more information please
         consult the documentation about "Advanced Networking - IPv6".

       --isolation="default"
         Isolation specifies the type of isolation technology used by
         containers. Note that the default on Windows server is process, and
         the default on Windows client is hyperv. Linux only supports default.

       -l, --log-level="debug|info|warn|error|fatal"
         Set the logging level. Default is info.

       --label="[]"
         Set key=value labels to the daemon (displayed in docker info).

       --live-restore=false
         Enable live restore of running containers when the daemon starts so
         that they are not restarted. This option is applicable only for
         docker daemon running on Linux host.

       --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
         Default driver for container logs. Default is json-file.
         Warning: docker logs command works only for json-file logging driver.

       --log-opt=[]
         Logging driver specific options.

       --mtu=0
         Set the containers network mtu. Default is 0.

       --max-concurrent-downloads=3
         Set the max concurrent downloads for each pull. Default is 3.

       --max-concurrent-uploads=5
         Set the max concurrent uploads for each push. Default is 5.

       --node-generic-resources=[]
         Advertise user-defined resource. Default is [].
         Use this if your swarm cluster has some nodes with custom
         resources (e.g: NVIDIA GPU, SSD, ...) and you need your services to
         land on nodes advertising these resources.
         Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
         --node-generic-resources "NVIDIA-GPU=UUID2"

       -p, --pidfile=""
         Path to use for daemon PID file. Default is /var/run/docker.pid.

       --raw-logs
         Output daemon logs in full timestamp format without ANSI coloring. If
         this flag is not set, the daemon outputs condensed, colorized logs if
         a terminal is detected, or full ("raw") output otherwise.

       --registry-mirror=<scheme>://<host>
         Prepend a registry mirror to be used for image pulls. May be
         specified multiple times.

       -s, --storage-driver=""
         Force the Docker runtime to use a specific storage driver.

       --seccomp-profile=""
         Path to seccomp profile.

       --selinux-enabled=true|false
         Enable selinux support. Default is false.

       --shutdown-timeout=15
         Set the shutdown timeout value in seconds. Default is 15.

       --storage-opt=[]
         Set storage driver options. See STORAGE DRIVER OPTIONS.

       --swarm-default-advertise-addr=IP|INTERFACE
         Set default address or interface for swarm to advertise as its
         externally-reachable address to other cluster members. This can be a
         hostname, an IP address, or an interface such as eth0. A port cannot
         be specified with this option.

       --tls=true|false
         Use TLS; implied by --tlsverify. Default is false.

       --tlscacert=~/.docker/ca.pem
         Trust certs signed only by this CA.

       --tlscert=~/.docker/cert.pem
         Path to TLS certificate file.

       --tlskey=~/.docker/key.pem
         Path to TLS key file.

       --tlsverify=true|false
         Use TLS and verify the remote (daemon: verify client, client: verify
         daemon). Default is false.

       --userland-proxy=true|false
         Rely on a userland proxy implementation for inter-container and
         outside-to-container loopback communications. Default is true.

       --userland-proxy-path=""
         Path to the userland proxy binary.

       --userns-remap=default|uid:gid|user:group|user|uid
         Enable user namespaces for containers on the daemon. Specifying
         "default" will cause a new user and group to be created to handle UID
         and GID range remapping for the user namespace mappings used for
         contained processes. Specifying a user (or uid) and optionally a
         group (or gid) will cause the daemon to look up the user and group's
         subordinate ID ranges for use as the user namespace mappings for
         contained processes.
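
       An added example (not part of this man page or of the Docker
       project's code): a small audit of a daemon.json file for the
       security-relevant options documented above (-H with tcp://,
       --tlsverify, --api-cors-header, --insecure-registry, --icc and
       --userns-remap). The daemon.json key names are the configuration-file
       counterparts of those flags, which this page does not list; the sample
       configurations, severity labels and function names are constructed
       for illustration.

```python
import ipaddress
import json

# Constructed sample configurations (illustrative; not taken from the man page).
# Key names are the daemon.json counterparts of the command-line flags.
WEAK_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "api-cors-header": "*",
  "insecure-registries": ["registry.test:5000", "10.0.0.0/8"]
}
"""

HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/cert.pem",
  "tlskey": "/etc/docker/key.pem",
  "icc": false,
  "userns-remap": "default"
}
"""


def insecure_registry_scope(entry):
    """Describe what one --insecure-registry entry covers.

    The option accepts either a registry host or a CIDR block that marks a
    whole subnet as insecure, so report the size of the subnet when it is one.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host %s" % entry  # hostname[:port] or ip:port, not CIDR
    return "%d addresses in %s" % (net.num_addresses, net)


def audit_daemon_config(cfg):
    """Return a list of (severity, key, message) findings for a config dict."""
    findings = []

    # -H tcp://... without --tlsverify: the daemon does not verify clients,
    # so anyone who can reach the port can drive the Engine API.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        if cfg.get("tls", False):
            detail = "encrypted but clients are not verified"
        else:
            detail = "no TLS at all"
        findings.append(("high", "hosts",
                         "%s listening with tlsverify=false (%s)"
                         % (", ".join(tcp_hosts), detail)))

    # --api-cors-header "*" allows all origins.
    if str(cfg.get("api-cors-header", "")).strip() == "*":
        findings.append(("high", "api-cors-header",
                         "any web origin may call the Engine API"))

    # --insecure-registry: HTTP, or HTTPS with certificates from unknown CAs.
    for entry in cfg.get("insecure-registries", []):
        findings.append(("medium", "insecure-registries",
                         "unverified registry communication allowed for "
                         + insecure_registry_scope(entry)))

    # --icc defaults to true: unrestricted inter-container communication.
    if cfg.get("icc", True):
        findings.append(("info", "icc",
                         "inter-container communication is unrestricted"))

    # --userns-remap unset: user namespaces are not enabled for containers.
    if not cfg.get("userns-remap"):
        findings.append(("info", "userns-remap",
                         "user namespace remapping is not enabled"))

    return findings


def audit_text(text):
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, key, message in audit_text(text):
            print("  [%s] %s: %s" % (severity, key, message))
```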

STORAGE DRIVER OPTIONS

       Docker uses storage backends (known as "graphdrivers" in the Docker
       internals) to create writable containers from images.  Many of these
       backends use operating system level technologies and can be configured.

       Specify options to the storage backend with --storage-opt flags. The
       backends that currently take options are devicemapper, zfs and btrfs.
       Options for devicemapper are prefixed with dm, options for zfs start
       with zfs and options for btrfs start with btrfs.

       Specifically for devicemapper, the default is a "loopback" model which
       requires no pre-configuration, but is extremely inefficient.  Do not
       use it in production.

       To make the best use of Docker with the devicemapper backend, you must
       have a recent version of LVM.  Use lvm to create a thin pool; for more
       information see man lvmthin.  Then, use --storage-opt dm.thinpooldev to
       tell the Docker engine to use that pool for allocating images and
       container snapshots.

Devicemapper options

   dm.thinpooldev
       Specifies a custom block storage device to use for the thin pool.

       If using a block device for device mapper storage, it is best to use
       lvm to create and manage the thin-pool volume. This volume is then
       handed to Docker to exclusively create snapshot volumes needed for
       images and containers.

       Managing the thin-pool outside of Engine makes for the most
       feature-rich method of having Docker utilize device mapper thin
       provisioning as the backing storage for Docker containers. The
       highlights of the lvm-based thin-pool management feature include:
       automatic or interactive thin-pool resize support, dynamically changing
       thin-pool features, automatic thinp metadata checking when lvm
       activates the thin-pool, etc.

       As a fallback if no thin pool is provided, loopback files are created.
       Loopback is very slow, but can be used without any pre-configuration of
       storage. It is strongly recommended that you do not use loopback in
       production. Ensure your Engine daemon has a --storage-opt
       dm.thinpooldev argument provided.

       Example use:

              $ dockerd \
                    --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

   dm.directlvm_device
       As an alternative to manually creating a thin pool as above, Docker can
       automatically configure a block device for you.

       Example use:

              $ dockerd \
                    --storage-opt dm.directlvm_device=/dev/xvdf

   dm.thinp_percent
       Sets the percentage of the passed in block device to use for storage.

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_percent=95

   dm.thinp_metapercent
       Sets the percentage of the passed in block device to use for metadata
       storage.

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_metapercent=1

   dm.thinp_autoextend_threshold
       Sets the value of the percentage of space used before lvm attempts to
       autoextend the available space [100 = disabled]

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_autoextend_threshold=80

   dm.thinp_autoextend_percent
       Sets the percentage value to increase the thin pool by when lvm
       attempts to autoextend the available space [100 = disabled]

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_autoextend_percent=20

   dm.basesize
       Specifies the size to use when creating the base device, which limits
       the size of images and containers. The default value is 10G. Note, thin
       devices are inherently "sparse", so a 10G device which is mostly empty
       doesn't use 10 GB of space on the pool. However, the filesystem will
       use more space for base images the larger the device is.

       The base device size can be increased at daemon restart which will
       allow all future images and containers (based on those new images) to
       be of the new base device size.

       Example use: dockerd --storage-opt dm.basesize=50G

       This will increase the base device size to 50G. The Docker daemon will
       throw an error if existing base device size is larger than 50G. A user
       can use this option to expand the base device size however shrinking is
       not permitted.

       This value affects the system-wide "base" empty filesystem that may
       already be initialized and inherited by pulled images. Typically, a
       change to this value requires additional steps to take effect:

              $ sudo service docker stop
              $ sudo rm -rf /var/lib/docker
              $ sudo service docker start

       Example use: dockerd --storage-opt dm.basesize=20G

   dm.fs
       Specifies the filesystem type to use for the base device. The supported
       options are ext4 and xfs. The default is ext4.

       Example use: dockerd --storage-opt dm.fs=xfs

   dm.mkfsarg
       Specifies extra mkfs arguments to be used when creating the base
       device.

       Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

   dm.mountopt
       Specifies extra mount options used when mounting the thin devices.

       Example use: dockerd --storage-opt dm.mountopt=nodiscard

   dm.use_deferred_removal
       Enables use of deferred device removal if libdm and the kernel driver
       support the mechanism.

       Deferred device removal means that if a device is busy when devices
       are being removed/deactivated, then a deferred removal is scheduled on
       the device. The device automatically goes away when the last user of
       the device exits.

       For example, when a container exits, its associated thin device is
       removed. If that device has leaked into some other mount namespace and
       can't be removed, the container exit still succeeds and this option
       causes the system to schedule the device for deferred removal. It does
       not wait in a loop trying to remove a busy device.

       Example use: dockerd --storage-opt dm.use_deferred_removal=true

   dm.use_deferred_deletion
       Enables use of deferred device deletion for thin pool devices. By
       default, thin pool device deletion is synchronous. Before a container
       is deleted, the Docker daemon removes any associated devices. If the
       storage driver cannot remove a device, the container deletion fails
       and the daemon returns:

              Error deleting container: Error response from daemon: Cannot destroy container

       To avoid this failure, enable both deferred device deletion and
       deferred device removal on the daemon.

              dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

       With these two options enabled, if a device is busy when the driver is
       deleting a container, the driver marks the device as deleted. Later,
       when the device isn't in use, the driver deletes it.

       In general it should be safe to enable this option by default. It will
       help when unintentional leaking of mount points happens across multiple
       mount namespaces.

   dm.loopdatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "data" device which is used for the thin pool. The default size is
       100G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopdatasize=200G

   dm.loopmetadatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "metadata" device which is used for the thin pool. The default size is
       2G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopmetadatasize=4G

   dm.datadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for data for a Docker-managed
       thin pool.  It is better to use dm.thinpooldev - see the documentation
       for it above for discussion of the advantages.

   dm.metadatadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for metadata for a Docker-managed
       thin pool.  See dm.datadev for why this is deprecated.

   dm.blocksize
       Specifies a custom blocksize to use for the thin pool.  The default
       blocksize is 64K.

       Example use: dockerd --storage-opt dm.blocksize=512K

   dm.blkdiscard
       Enables or disables the use of blkdiscard when removing devicemapper
       devices.  This is disabled by default due to the additional latency,
       but as a special case with loopback devices it will be enabled, in
       order to re-sparsify the loopback file on image/container removal.

       Disabling this on loopback can lead to much faster container removal
       times, but it also prevents the space used in /var/lib/docker directory
       from being returned to the system for other use when containers are
       removed.

       Example use: dockerd --storage-opt dm.blkdiscard=false

   dm.override_udev_sync_check
       By default, the devicemapper backend attempts to synchronize with the
       udev device manager for the Linux kernel.  This option allows disabling
       that synchronization, to continue even though the configuration may be
       buggy.

       To view the udev sync support of a Docker daemon that is using the
       devicemapper driver, run:

              $ docker info
              [...]
               Udev Sync Supported: true
              [...]

       When udev sync support is true, then devicemapper and udev can
       coordinate the activation and deactivation of devices for containers.

       When udev sync support is false, a race condition occurs between the
       devicemapper and udev during create and cleanup. The race condition
       results in errors and failures. (For information on these failures, see
       docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

       To allow the docker daemon to start, regardless of whether udev sync is
       false, set dm.override_udev_sync_check to true:

              $ dockerd --storage-opt dm.override_udev_sync_check=true

       When this value is true, the driver continues and simply warns you the
       errors are happening.

       Note: The ideal is to pursue a docker daemon and environment that does
       support synchronizing with udev. For further discussion on this topic,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
       Otherwise, set this flag for migrating existing Docker daemons to a
       daemon with a supported environment.

   dm.min_free_space
       Specifies the minimum free space percent in a thin pool required for
       new device creation to succeed. This check applies to both free data
       space as well as free metadata space. Valid values are from 0% - 99%.
       Value 0% disables free space checking logic. If user does not specify
       a value for this option, the Engine uses a default value of 10%.

       Whenever a new thin pool device is created (during docker pull or
       during container creation), the Engine checks if the minimum free space
       is available.  If the space is unavailable, then device creation fails
       and any relevant docker operation fails.

       To recover from this error, you must create more free space in the thin
       pool. You can create free space by deleting some images and containers
       from the thin pool. You can also add more storage to the thin pool.

       To add more space to an LVM (logical volume management) thin pool, just
       add more storage to the volume group containing the thin pool; this
       should automatically resolve any errors. If your configuration uses
       loop devices, then stop the Engine daemon, grow the size of loop files
       and restart the daemon to resolve the issue.

       Example use: dockerd --storage-opt dm.min_free_space=10%

   dm.xfs_nospace_max_retries
       Specifies the maximum number of retries XFS should attempt to complete
       IO when ENOSPC (no space) error is returned by underlying storage
       device.

       By default XFS retries infinitely for IO to finish and this can result
       in an unkillable process. To change this behavior, set
       xfs_nospace_max_retries to, say, 0; XFS will then not retry IO after
       getting ENOSPC and will shut down the filesystem.

       Example use:

              $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

   dm.libdm_log_level
       Specifies the maximum libdm log level that will be forwarded to the
       dockerd log (as specified by --log-level). This option is primarily
       intended for debugging problems involving libdm. Using values other
       than the defaults may cause false-positive warnings to be logged.

       Values specified must fall within the range of valid libdm log levels.
       At the time of writing, the following is the list of libdm log levels
       as well as their corresponding levels when output by dockerd.

       ┌────────────┬───────┬─────────────┐
       │libdm Level │ Value │ --log-level │
       ├────────────┼───────┼─────────────┤
       │_LOG_FATAL  │ 2     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_ERR    │ 3     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_WARN   │ 4     │ warn        │
       ├────────────┼───────┼─────────────┤
       │_LOG_NOTICE │ 5     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_INFO   │ 6     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_DEBUG  │ 7     │ debug       │
       └────────────┴───────┴─────────────┘

       Example use:

              $ sudo dockerd \
                    --log-level debug \
                    --storage-opt dm.libdm_log_level=7

ZFS options

   zfs.fsname
       Sets the ZFS filesystem under which Docker will create its own
       datasets. By default, Docker will pick up the ZFS filesystem where the
       Docker graph (/var/lib/docker) is located.

       Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker


Btrfs options

   btrfs.min_space
       Specifies the minimum size to use when creating the subvolume which is
       used for containers. If the user uses a disk quota for btrfs when
       creating or running a container with the --storage-opt size option,
       Docker should ensure the size cannot be smaller than btrfs.min_space.

       Example use: dockerd -s btrfs --storage-opt btrfs.min_space=10G


CLUSTER STORE OPTIONS

       The daemon uses libkv to advertise the node within the cluster. Some
       Key/Value backends support mutual TLS, and the client TLS settings used
       by the daemon can be configured using the --cluster-store-opt flag,
       specifying the paths to PEM encoded files.

   kv.cacertfile
       Specifies the path to a local file with PEM encoded CA certificates to
       trust.

   kv.certfile
       Specifies the path to a local file with a PEM encoded certificate.
       This certificate is used as the client cert for communication with the
       Key/Value store.

   kv.keyfile
       Specifies the path to a local file with a PEM encoded private key.
       This private key is used as the client key for communication with the
       Key/Value store.
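
       A pre-flight check for the three kv.* options above, as an added
       example (not part of the Docker documentation or source). The function
       names and finding messages are hypothetical, and the rule that the key
       file must not be accessible to group or others is this example's own
       policy.

```python
# Added example: validate the kv.* client TLS options found on a dockerd
# command line before the daemon is started. Names here are hypothetical.
import os
import stat

KV_OPTS = ("kv.cacertfile", "kv.certfile", "kv.keyfile")

def parse_cluster_store_opts(argv):
    """Collect key=value pairs given as '--cluster-store-opt k=v' or '--cluster-store-opt=k=v'."""
    opts, i = {}, 0
    while i < len(argv):
        arg, value = argv[i], None
        if arg == "--cluster-store-opt" and i + 1 < len(argv):
            i += 1
            value = argv[i]
        elif arg.startswith("--cluster-store-opt="):
            value = arg.split("=", 1)[1]
        if value and "=" in value:
            key, path = value.split("=", 1)
            opts[key] = path
        i += 1
    return opts

def check_kv_tls(opts):
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    # A client certificate cannot be used without its private key, and vice versa.
    if ("kv.certfile" in opts) != ("kv.keyfile" in opts):
        findings.append("kv.certfile and kv.keyfile must be set together")
    if "kv.cacertfile" not in opts:
        findings.append("kv.cacertfile not set")
    for key in KV_OPTS:
        path = opts.get(key)
        if path is None:
            continue
        if not os.path.isfile(path):
            findings.append(f"{key}: {path} is not a regular file")
            continue
        with open(path, "rb") as fh:
            if b"-----BEGIN " not in fh.read():
                findings.append(f"{key}: {path} does not look PEM encoded")
        # Example policy: the private key is readable by its owner only.
        if key == "kv.keyfile" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{key}: {path} is accessible to group or others")
    return findings
```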

Access authorization

       Docker's access authorization can be extended by authorization plugins
       that your organization can purchase or build themselves. You can
       install one or more authorization plugins when you start the Docker
       daemon using the --authorization-plugin=PLUGIN_ID option.

              dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

       The PLUGIN_ID value is either the plugin's name or a path to its
       specification file. The plugin's implementation determines whether you
       can specify a name or path. Consult with your Docker administrator to
       get information about the plugins available to you.

       Once a plugin is installed, requests made to the daemon through the
       command line or Docker's Engine API are allowed or denied by the
       plugin. If you have multiple plugins installed, each plugin, in order,
       must allow the request for it to complete.
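
       The rule that each plugin, in order, must allow the request, modelled
       as an added example (not Docker's code and not a real plugin). The
       request fields and the policies are hypothetical; plugin1 and plugin2
       are the names from the command above. The model stops at the first
       denial and treats a plugin that raises an error as a denial.

```python
# Added example: a model of chained authorization plugins. The Request
# fields and both policies are hypothetical, chosen only for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    method: str   # HTTP method of the Engine API call
    path: str     # request path, e.g. /containers/create
    body: dict    # decoded JSON body, {} when there is none

def read_only_for_auditors(req):
    if req.user.startswith("audit-") and req.method != "GET":
        return False, "auditors may only issue GET requests"
    return True, ""

def no_privileged_containers(req):
    host_config = req.body.get("HostConfig", {})
    if req.path.endswith("/containers/create") and host_config.get("Privileged"):
        return False, "privileged containers are not permitted"
    return True, ""

def allow_everything(req):
    return True, ""

# Same order as the --authorization-plugin flags on the command line.
CHAIN = [("plugin1", read_only_for_auditors),
         ("plugin2", no_privileged_containers)]

def authorize(plugins, req):
    """Return (allowed, denying_plugin, reason, plugins_consulted)."""
    consulted = []
    for name, check in plugins:
        consulted.append(name)
        try:
            allow, reason = check(req)
        except Exception as exc:   # a broken plugin must not fail open
            allow, reason = False, f"plugin error: {exc}"
        if not allow:
            return False, name, reason, consulted
    return True, None, "", consulted
```

       Because the chain is a logical AND, appending a permissive plugin such
       as allow_everything never widens access; only removing or reordering a
       restrictive plugin changes what is denied or which plugin reports it.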

       For information about how to create an authorization plugin, see access
       authorization plugin
       ⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
       in the Docker extend section of this documentation.


RUNTIME EXECUTION OPTIONS

       You can configure the runtime using options specified with the
       --exec-opt flag. All the flag's options have the native prefix. A
       single native.cgroupdriver option is available.

       The native.cgroupdriver option specifies the management of the
       container's cgroups. You can only specify cgroupfs or systemd. If you
       specify systemd and it is not available, the system errors out. If you
       omit the native.cgroupdriver option, cgroupfs is used.

       This example sets the cgroupdriver to systemd:

              $ sudo dockerd --exec-opt native.cgroupdriver=systemd

       Setting this option applies to all containers the daemon launches.


HISTORY

       Sept 2015, Originally compiled by Shishir Mahajan
       ⟨shishir.mahajan@redhat.com⟩ based on docker.com source material and
       internal work.

Shishir Mahajan               Docker User Manuals                    DOCKER(8)