DOCKER(8)                       SEPTEMBER 2015                       DOCKER(8)

NAME

       dockerd - Enable daemon mode

SYNOPSIS

       dockerd [--add-runtime[=[]]] [--add-registry[=[]]]
       [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
       [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--block-registry[=[]]]
       [--cgroup-parent[=[]]] [--cluster-store[=[]]]
       [--cluster-advertise[=[]]] [--cluster-store-opt[=map[]]]
       [--config-file[=/etc/docker/daemon.json]] [--containerd[=SOCKET-PATH]]
       [-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]]
       [--default-gateway-v6[=DEFAULT-GATEWAY-V6]] [--default-runtime[=runc]]
       [--default-ulimit[=[]]] [--disable-legacy-registry] [--dns[=[]]]
       [--dns-opt[=[]]] [--dns-search[=[]]] [--enable-secrets[=true]]
       [--exec-opt[=[]]] [--exec-root[=/var/run/docker]]
       [--experimental[=false]] [--fixed-cidr[=FIXED-CIDR]]
       [--fixed-cidr-v6[=FIXED-CIDR-V6]] [-G|--group[=docker]]
       [-g|--graph[=/var/lib/docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
       [--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
       [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
       [--iptables[=true]] [--ipv6] [--isolation[=default]]
       [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
       [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
       [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
       [-p|--pidfile[=/var/run/docker.pid]] [--raw-logs]
       [--registry-mirror[=[]]] [-s|--storage-driver[=STORAGE-DRIVER]]
       [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
       [--shutdown-timeout[=15]] [--signature-verification]
       [--storage-opt[=[]]] [--swarm-default-advertise-addr[=IP|INTERFACE]]
       [--tls] [--tlscacert[=~/.docker/ca.pem]]
       [--tlscert[=~/.docker/cert.pem]] [--tlskey[=~/.docker/key.pem]]
       [--tlsverify] [--userland-proxy[=true]] [--userland-proxy-path[=""]]
       [--userns-remap[=default]]

DESCRIPTION

       dockerd starts the Docker daemon, the server process that manages
       images, containers and related objects.

       To run the Docker daemon, invoke dockerd. You can list the daemon
       options with dockerd --help. Specify daemon options after the dockerd
       keyword, in the following format:

       dockerd [OPTIONS]

OPTIONS

       --add-runtime=[]
         Runtimes can be registered with the daemon either via the
         configuration file or using the --add-runtime command line argument.

         The following is an example adding 2 runtimes via the configuration:

              {
                   "default-runtime": "runc",
                   "runtimes": {
                        "runc": {
                             "path": "runc"
                        },
                        "custom": {
                             "path": "/usr/local/bin/my-runc-replacement",
                             "runtimeArgs": [
                                  "--debug"
                             ]
                        }
                   }
              }

         This is the same example via the command line:

              $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

         Note: defining runtime arguments via the command line is not supported.

       --add-registry=[]
         EXPERIMENTAL Each given registry will be queried before a public
         Docker registry during image pulls or searches. They will be searched
         in the order given. Registry mirrors won't apply to them.

       --api-cors-header=""
         Set CORS headers in the Engine API. Default is cors disabled. Give
         urls like "http://foo, http://bar, ...". Give "*" to allow all.

       --authorization-plugin=""
         Set authorization plugins to load

       -b, --bridge=""
         Attach containers to a pre-existing network bridge; use 'none' to
         disable container networking

       --bip=""
         Use the provided CIDR notation address for the dynamically created
         bridge (docker0); Mutually exclusive of -b

       --block-registry=[]
         EXPERIMENTAL Prevent Docker daemon from contacting specified
         registries. There are two special keywords recognized. The first is
         "public" and represents public Docker registry. The second is "all"
         which causes all registries but those added with --add-registry flag
         to be blocked.

       --cgroup-parent=""
         Set parent cgroup for all containers. Default is "/docker" for fs
         cgroup driver and "system.slice" for systemd cgroup driver.

       --cluster-store=""
         URL of the distributed storage backend

       --cluster-advertise=""
         Specifies the 'host:port' or interface:port combination that this
         particular daemon instance should use when advertising itself to the
         cluster. The daemon is reached through this value.

       --cluster-store-opt=""
         Specifies options for the Key/Value store.

       --config-file="/etc/docker/daemon.json"
         Specifies the JSON file path to load the configuration from.

       --containerd=""
         Path to containerd socket.

       -D, --debug=true|false
         Enable debug mode. Default is false.

       --default-gateway=""
         IPv4 address of the container default gateway; this address must be
         part of the bridge subnet (which is defined by -b or --bip)

       --default-gateway-v6=""
         IPv6 address of the container default gateway

       --default-runtime="runc"
         Set the default runtime if more than one is specified by
         --add-runtime.

       --default-ulimit=[]
         Default ulimits for containers.

       --disable-legacy-registry=true|false
         Disable contacting legacy registries

       --dns=""
         Force Docker to use specific DNS servers

       --dns-opt=""
         DNS options to use.

       --dns-search=[]
         DNS search domains to use.

       --enable-secrets=true|false
         Allow subscription-manager inside the containers to use subscriptions
         available on the host. Default is true.

       --exec-opt=[]
         Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

       --exec-root=""
         Path to use as the root of the Docker execution state files. Default
         is /var/run/docker.

       --experimental=""
         Enable the daemon experimental features.

       --fixed-cidr=""
         IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
         nested in the bridge subnet (which is defined by -b or --bip).

       --fixed-cidr-v6=""
         IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)

       -G, --group=""
         Group to assign the unix socket specified by -H when running in
         daemon mode. Use '' (the empty string) to disable setting of a group.
         Default is docker.

       -g, --graph=""
         Path to use as the root of the Docker runtime. Default is
         /var/lib/docker.

       -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
       unix://[/path/to/socket] to use.
         The socket(s) to bind to in daemon mode specified using one or more
         tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

       --help
         Print usage statement

       --icc=true|false
         Allow unrestricted inter-container and Docker daemon host
         communication. If disabled, containers can still be linked together
         using the --link option (see docker-run(1)). Default is true.

       --init
         Run an init process inside containers for signal forwarding and
         process reaping.

       --init-path
         Path to the docker-init binary.

       --insecure-registry=[]
         Enable insecure registry communication, i.e., enable un-encrypted
         and/or untrusted communication.

         List of insecure registries can contain an element with CIDR notation
         to specify a whole subnet. Insecure registries accept HTTP and/or
         accept HTTPS with certificates from unknown CAs.

         Enabling --insecure-registry is useful when running a local registry.
         However, because its use creates security vulnerabilities it should
         ONLY be enabled for testing purposes.  For increased security, users
         should add their CA to their system's list of trusted CAs instead of
         using --insecure-registry.

       --ip=""
         Default IP address to use when binding container ports. Default is
         0.0.0.0.

       --ip-forward=true|false
         Enables IP forwarding on the Docker host. The default is true. This
         flag interacts with the IP forwarding setting on your host system's
         kernel. If your system has IP forwarding disabled, this setting
         enables it. If your system has IP forwarding enabled, setting this
         flag to --ip-forward=false has no effect.

         This setting will also enable IPv6 forwarding if you have both
         --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
         Router Advertisements and interfere with the host's existing IPv6
         configuration. For more information, please consult the documentation
         about "Advanced Networking - IPv6".

       --ip-masq=true|false
         Enable IP masquerading for bridge's IP range. Default is true.

       --iptables=true|false
         Enable Docker's addition of iptables rules. Default is true.

       --ipv6=true|false
         Enable IPv6 support. Default is false. Docker will create an
         IPv6-enabled bridge with address fe80::1 which will allow you to
         create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
         provide globally routable IPv6 addresses. IPv6 forwarding will be
         enabled if not used with --ip-forward=false. This may collide with
         your host's current IPv6 settings. For more information please
         consult the documentation about "Advanced Networking - IPv6".

       --isolation="default"
         Isolation specifies the type of isolation technology used by
         containers. Note that the default on Windows server is process, and
         the default on Windows client is hyperv. Linux only supports default.

       -l, --log-level="debug|info|warn|error|fatal"
         Set the logging level. Default is info.

       --label="[]"
         Set key=value labels to the daemon (displayed in docker info)

       --live-restore=false
         Enable live restore of running containers when the daemon starts so
         that they are not restarted. This option is applicable only for
         docker daemon running on Linux host.

       --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
         Default driver for container logs. Default is json-file.
         Warning: docker logs command works only for json-file logging driver.

       --log-opt=[]
         Logging driver specific options.

       --mtu=0
         Set the containers network mtu. Default is 0.

       --max-concurrent-downloads=3
         Set the max concurrent downloads for each pull. Default is 3.

       --max-concurrent-uploads=5
         Set the max concurrent uploads for each push. Default is 5.

       -p, --pidfile=""
         Path to use for daemon PID file. Default is /var/run/docker.pid

       --raw-logs
         Output daemon logs in full timestamp format without ANSI coloring. If
         this flag is not set, the daemon outputs condensed, colorized logs if
         a terminal is detected, or full ("raw") output otherwise.

       --registry-mirror=<scheme>://<host>
         Prepend a registry mirror to be used for image pulls. May be
         specified multiple times.

       -s, --storage-driver=""
         Force the Docker runtime to use a specific storage driver.

       --seccomp-profile=""
         Path to seccomp profile.

       --selinux-enabled=true|false
         Enable selinux support. Default is false.

       --shutdown-timeout=15
         Set the shutdown timeout value in seconds. Default is 15.

       --signature-verification=true|false
         Enable image signature verification. Default is true. WARNING: this
         option doesn't work with images being pulled from v1 docker
         registries. See SIGNATURE VERIFICATION.

       --storage-opt=[]
         Set storage driver options. See STORAGE DRIVER OPTIONS.

       --swarm-default-advertise-addr=IP|INTERFACE
         Set default address or interface for swarm to advertise as its
         externally-reachable address to other cluster members. This can be a
         hostname, an IP address, or an interface such as eth0. A port cannot
         be specified with this option.

       --tls=true|false
         Use TLS; implied by --tlsverify. Default is false.

       --tlscacert=~/.docker/ca.pem
         Trust certs signed only by this CA.

       --tlscert=~/.docker/cert.pem
         Path to TLS certificate file.

       --tlskey=~/.docker/key.pem
         Path to TLS key file.

       --tlsverify=true|false
         Use TLS and verify the remote (daemon: verify client, client: verify
         daemon). Default is false.

       --userland-proxy=true|false
         Rely on a userland proxy implementation for inter-container and
         outside-to-container loopback communications. Default is true.

       --userland-proxy-path=""
         Path to the userland proxy binary.

       --userns-remap=default|uid:gid|user:group|user|uid
         Enable user namespaces for containers on the daemon. Specifying
         a user (or uid) and optionally a group (or gid) will cause the
         daemon to lookup the user and group's subordinate ID ranges for use
         as the user namespace mappings for contained processes. Specifying
         "default" will cause a "dockremap" user and group to be created if
         not already present. The "dockremap" user and group, or the specified
         uid, gid, user or group must be created in the subuid(5) and
         subgid(5) files prior to enablement.
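
       Added example (not part of the original manual or of Docker): a
       review helper that reads a dockerd command line and reports the
       security-relevant settings described under -H, --tls, --tlsverify,
       --insecure-registry, --signature-verification, --icc and
       --userns-remap, including the subuid(5)/subgid(5) prerequisite. The
       function names, severity labels and sample input are assumptions
       made for the example.

```python
import shlex

# Short options from the SYNOPSIS that the checks need, mapped to long names.
ALIASES = {"-H": "--host"}
# true|false flags: given bare they mean "true" and never consume the next word.
BOOL_FLAGS = {"--tls", "--tlsverify", "--icc", "--signature-verification"}


def parse_dockerd_args(cmdline):
    """Return {flag: [values]} for a dockerd command line."""
    argv = shlex.split(cmdline)
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-"):
            continue  # "sudo", "dockerd" and other non-option words
        name, sep, value = tok.partition("=")
        name = ALIASES.get(name, name)
        if not sep:
            if name in BOOL_FLAGS or i >= len(argv) or argv[i].startswith("-"):
                value = "true"
            else:
                value = argv[i]  # "--flag value" form
                i += 1
        opts.setdefault(name, []).append(value)
    return opts


def subid_owners(text):
    """Owners that have a non-empty name:start:count range in subuid/subgid text."""
    owners = set()
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit() and int(parts[2]) > 0:
            owners.add(parts[0])
    return owners


def remap_identities(value):
    """Map a --userns-remap value to the (user, group) whose ranges are needed."""
    if value == "default":
        return "dockremap", "dockremap"
    user, _, group = value.partition(":")
    # Assumption: when no group is given, the group has the same name as the user.
    return user, group or user


def audit(cmdline, subuid_text="", subgid_text=""):
    """Return a list of (severity, flag, message) findings for one command line."""
    opts = parse_dockerd_args(cmdline)

    def last(flag, default):
        return opts.get(flag, [default])[-1]

    findings = []
    tlsverify = last("--tlsverify", "false") == "true"
    tls = tlsverify or last("--tls", "false") == "true"  # --tlsverify implies --tls
    for host in opts.get("--host", []):
        if not host.startswith("tcp://"):
            continue
        if not tls:
            findings.append(("high", "--host", f"{host} is served without TLS"))
        elif not tlsverify:
            findings.append(("high", "--host", f"{host} uses --tls only; clients are not verified"))
    for reg in opts.get("--insecure-registry", []):
        findings.append(("medium", "--insecure-registry",
                         f"{reg} may use HTTP or certificates from unknown CAs"))
    if last("--signature-verification", "true") == "false":
        findings.append(("medium", "--signature-verification",
                         "image signature verification is disabled"))
    if last("--icc", "true") == "true":
        findings.append(("low", "--icc", "unrestricted inter-container communication (default)"))
    if "--userns-remap" not in opts:
        findings.append(("low", "--userns-remap", "user namespaces are not enabled"))
    else:
        user, group = remap_identities(last("--userns-remap", "default"))
        missing = [f"subuid entry for {user}"] if user not in subid_owners(subuid_text) else []
        if group not in subid_owners(subgid_text):
            missing.append(f"subgid entry for {group}")
        if missing:
            findings.append(("error", "--userns-remap", "missing " + " and ".join(missing)))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE_CMDLINE = ("sudo dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tls "
                  "--insecure-registry 10.1.0.0/16 --signature-verification=false "
                  "--userns-remap=default --icc=false")
SAMPLE_SUBUID = "dockremap:100000:65536\n"
SAMPLE_SUBGID = ""  # constructed: the subgid entry was never created

if __name__ == "__main__":
    for severity, flag, message in audit(SAMPLE_CMDLINE, SAMPLE_SUBUID, SAMPLE_SUBGID):
        print(f"{severity:6} {flag:26} {message}")
```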

SIGNATURE VERIFICATION

       Docker verifies GPG image signatures when the --signature-verification
       flag is true.  This functionality works only at pull time and for
       images being pulled from docker registries version 2.  You can sign an
       image using skopeo(1) or atomic(1).  See
       ⟨https://access.redhat.com/articles/2750891⟩.

STORAGE DRIVER OPTIONS

       Docker uses storage backends (known as "graphdrivers" in the Docker
       internals) to create writable containers from images.  Many of these
       backends use operating system level technologies and can be configured.

       Specify options to the storage backend with --storage-opt flags. The
       backends that currently take options are devicemapper, zfs and btrfs.
       Options for devicemapper are prefixed with dm, options for zfs start
       with zfs and options for btrfs start with btrfs.

       Specifically for devicemapper, the default is a "loopback" model which
       requires no pre-configuration, but is extremely inefficient.  Do not
       use it in production.

       To make the best use of Docker with the devicemapper backend, you must
       have a recent version of LVM.  Use lvm to create a thin pool; for more
       information see man lvmthin.  Then, use --storage-opt dm.thinpooldev to
       tell the Docker engine to use that pool for allocating images and
       container snapshots.

Devicemapper options

   dm.thinpooldev
       Specifies a custom block storage device to use for the thin pool.

       If using a block device for device mapper storage, it is best to use
       lvm to create and manage the thin-pool volume. This volume is then
       handed to Docker to exclusively create snapshot volumes needed for
       images and containers.

       Managing the thin-pool outside of Engine makes for the most
       feature-rich method of having Docker utilize device mapper thin
       provisioning as the backing storage for Docker containers. The
       highlights of the lvm-based thin-pool management feature include:
       automatic or interactive thin-pool resize support, dynamically changing
       thin-pool features, automatic thinp metadata checking when lvm
       activates the thin-pool, etc.

       As a fallback if no thin pool is provided, loopback files are created.
       Loopback is very slow, but can be used without any pre-configuration of
       storage. It is strongly recommended that you do not use loopback in
       production. Ensure your Engine daemon has a --storage-opt
       dm.thinpooldev argument provided.

       Example use:

              $ dockerd \
                     --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

   dm.basesize
       Specifies the size to use when creating the base device, which limits
       the size of images and containers. The default value is 10G. Note, thin
       devices are inherently "sparse", so a 10G device which is mostly empty
       doesn't use 10 GB of space on the pool. However, the filesystem will
       use more space for base images the larger the device is.

       The base device size can be increased at daemon restart which will
       allow all future images and containers (based on those new images) to
       be of the new base device size.

       Example use: dockerd --storage-opt dm.basesize=50G

       This will increase the base device size to 50G. The Docker daemon will
       throw an error if existing base device size is larger than 50G. A user
       can use this option to expand the base device size; however, shrinking
       is not permitted.

       This value affects the system-wide "base" empty filesystem that may
       already be initialized and inherited by pulled images. Typically, a
       change to this value requires additional steps to take effect. These
       steps delete all images and containers stored under /var/lib/docker:

              $ sudo service docker stop
              $ sudo rm -rf /var/lib/docker
              $ sudo service docker start

       Example use: dockerd --storage-opt dm.basesize=20G

   dm.fs
       Specifies the filesystem type to use for the base device. The supported
       options are ext4 and xfs. The default is ext4.

       Example use: dockerd --storage-opt dm.fs=xfs

   dm.mkfsarg
       Specifies extra mkfs arguments to be used when creating the base
       device.

       Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

   dm.mountopt
       Specifies extra mount options used when mounting the thin devices.

       Example use: dockerd --storage-opt dm.mountopt=nodiscard

   dm.use_deferred_removal
       Enables use of deferred device removal if libdm and the kernel driver
       support the mechanism.

       Deferred device removal means that if a device is busy when devices
       are being removed/deactivated, then a deferred removal is scheduled on
       the device. The device automatically goes away when the last user of
       the device exits.

       For example, when a container exits, its associated thin device is
       removed. If that device has leaked into some other mount namespace and
       can't be removed, the container exit still succeeds and this option
       causes the system to schedule the device for deferred removal. It does
       not wait in a loop trying to remove a busy device.

       Example use: dockerd --storage-opt dm.use_deferred_removal=true

   dm.use_deferred_deletion
       Enables use of deferred device deletion for thin pool devices. By
       default, thin pool device deletion is synchronous. Before a container
       is deleted, the Docker daemon removes any associated devices. If the
       storage driver cannot remove a device, the container deletion fails
       and the daemon returns:

              Error deleting container: Error response from daemon: Cannot destroy container

       To avoid this failure, enable both deferred device deletion and
       deferred device removal on the daemon.

              dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

       With these two options enabled, if a device is busy when the driver is
       deleting a container, the driver marks the device as deleted. Later,
       when the device isn't in use, the driver deletes it.

       In general it should be safe to enable this option by default. It will
       help when unintentional leaking of mount point happens across multiple
       mount namespaces.

   dm.loopdatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "data" device which is used for the thin pool. The default size is
       100G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopdatasize=200G

   dm.loopmetadatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "metadata" device which is used for the thin pool. The default size is
       2G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopmetadatasize=4G

   dm.datadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for data for a Docker-managed
       thin pool.  It is better to use dm.thinpooldev - see the documentation
       for it above for discussion of the advantages.

   dm.metadatadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for metadata for a Docker-managed
       thin pool.  See dm.datadev for why this is deprecated.

   dm.blocksize
       Specifies a custom blocksize to use for the thin pool.  The default
       blocksize is 64K.

       Example use: dockerd --storage-opt dm.blocksize=512K

   dm.blkdiscard
       Enables or disables the use of blkdiscard when removing devicemapper
       devices.  This is disabled by default due to the additional latency,
       but as a special case with loopback devices it will be enabled, in
       order to re-sparsify the loopback file on image/container removal.

       Disabling this on loopback can lead to much faster container removal
       times, but it also prevents the space used in /var/lib/docker directory
       from being returned to the system for other use when containers are
       removed.

       Example use: dockerd --storage-opt dm.blkdiscard=false

   dm.override_udev_sync_check
       By default, the devicemapper backend attempts to synchronize with the
       udev device manager for the Linux kernel.  This option allows disabling
       that synchronization, to continue even though the configuration may be
       buggy.

       To view the udev sync support of a Docker daemon that is using the
       devicemapper driver, run:

              $ docker info
              [...]
               Udev Sync Supported: true
              [...]

       When udev sync support is true, then devicemapper and udev can
       coordinate the activation and deactivation of devices for containers.

       When udev sync support is false, a race condition occurs between the
       devicemapper and udev during create and cleanup. The race condition
       results in errors and failures. (For information on these failures, see
       docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

       To allow the docker daemon to start, regardless of whether udev sync is
       false, set dm.override_udev_sync_check to true:

              $ dockerd --storage-opt dm.override_udev_sync_check=true

       When this value is true, the driver continues and simply warns you the
       errors are happening.

       Note: The ideal is to pursue a docker daemon and environment that does
       support synchronizing with udev. For further discussion on this topic,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
       Otherwise, set this flag for migrating existing Docker daemons to a
       daemon with a supported environment.

   dm.min_free_space
       Specifies the minimum free space percent in a thin pool required for
       new device creation to succeed. This check applies to both free data
       space as well as free metadata space. Valid values are from 0% - 99%.
       Value 0% disables free space checking logic. If user does not specify
       a value for this option, the Engine uses a default value of 10%.

       Whenever a new thin pool device is created (during docker pull or
       during container creation), the Engine checks if the minimum free space
       is available.  If the space is unavailable, then device creation fails
       and any relevant docker operation fails.

       To recover from this error, you must create more free space in the thin
       pool. You can create free space by deleting some images and containers
       from the thin pool. You can also add more storage to the thin pool.

       To add more space to an LVM (logical volume management) thin pool, just
       add more storage to the volume group containing the thin pool; this
       should automatically resolve any errors. If your configuration uses
       loop devices, then stop the Engine daemon, grow the size of loop files
       and restart the daemon to resolve the issue.

       Example use: dockerd --storage-opt dm.min_free_space=10%

   dm.xfs_nospace_max_retries
       Specifies the maximum number of retries XFS should attempt to complete
       IO when ENOSPC (no space) error is returned by underlying storage
       device.

       By default XFS retries infinitely for IO to finish and this can result
       in an unkillable process. To change this behavior one can set
       xfs_nospace_max_retries to, say, 0; XFS will then not retry IO after
       getting ENOSPC and will shut down the filesystem.

       Example use:

              $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
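
       Added example (not part of the original manual or of Docker): a
       health check over docker info output for a devicemapper daemon. It
       flags the three conditions the options above warn about: loopback
       files instead of dm.thinpooldev, "Udev Sync Supported: false", and
       data or metadata free space below dm.min_free_space. Apart from the
       Udev Sync line shown above, the docker info field names and the
       sample output are assumptions made for the example.

```python
import re

# Decimal size suffixes as printed in the sample output below.
UNITS = {"B": 1, "kB": 1e3, "MB": 1e6, "GB": 1e9, "TB": 1e12}


def parse_info(text):
    """Return {key: value} for the 'Key: value' lines of docker info output."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            info[key] = value.strip()
    return info


def to_bytes(size):
    """Convert a string such as '4.8 GB' to a number of bytes."""
    match = re.fullmatch(r"([0-9.]+)\s*([kMGT]?B)", size)
    if not match:
        raise ValueError(f"unrecognized size: {size!r}")
    return float(match.group(1)) * UNITS[match.group(2)]


def free_percent(info, kind):
    """Free space of the 'Data' or 'Metadata' device as a percentage of its total."""
    available = to_bytes(info[f"{kind} Space Available"])
    total = to_bytes(info[f"{kind} Space Total"])
    return 100.0 * available / total


def check_devicemapper(text, min_free_space=10):
    """Return a list of problems; min_free_space is the dm.min_free_space percent."""
    info = parse_info(text)
    problems = []
    if info.get("Storage Driver") != "devicemapper":
        return problems
    if "Data loop file" in info or "Metadata loop file" in info:
        problems.append("loopback files in use; configure --storage-opt dm.thinpooldev")
    if info.get("Udev Sync Supported") == "false":
        problems.append("udev sync is not supported; device create and cleanup can race")
    for kind in ("Data", "Metadata"):
        pct = free_percent(info, kind)
        if pct < min_free_space:
            problems.append(f"{kind.lower()} free space {pct:.1f}% is below "
                            f"dm.min_free_space={min_free_space}%")
    return problems


# Constructed docker info excerpt, not captured from a real daemon.
SAMPLE_INFO = """\
Storage Driver: devicemapper
 Pool Name: docker-thinpool
 Data Space Used: 97.2 GB
 Data Space Total: 102 GB
 Data Space Available: 4.8 GB
 Metadata Space Used: 1 MB
 Metadata Space Total: 1.07 GB
 Metadata Space Available: 1.069 GB
 Udev Sync Supported: false
 Deferred Removal Enabled: true
"""

if __name__ == "__main__":
    for problem in check_devicemapper(SAMPLE_INFO):
        print(problem)
```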

ZFS options

   zfs.fsname
       Set zfs filesystem under which docker will create its own datasets.  By
       default docker will pick up the zfs filesystem where docker graph
       (/var/lib/docker) is located.

       Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

Btrfs options

   btrfs.min_space
       Specifies the minimum size to use when creating the subvolume which is
       used for containers. If user uses disk quota for btrfs when creating or
       running a container with --storage-opt size option, docker should
       ensure the size cannot be smaller than btrfs.min_space.

       Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G

CLUSTER STORE OPTIONS

       The daemon uses libkv to advertise the node within the cluster.  Some
       Key/Value backends support mutual TLS, and the client TLS settings used
       by the daemon can be configured using the --cluster-store-opt flag,
       specifying the paths to PEM encoded files.

   kv.cacertfile
       Specifies the path to a local file with PEM encoded CA certificates to
       trust

   kv.certfile
       Specifies the path to a local file with a PEM encoded certificate.
       This certificate is used as the client cert for communication with the
       Key/Value store.

   kv.keyfile
       Specifies the path to a local file with a PEM encoded private key.
       This private key is used as the client key for communication with the
       Key/Value store.

Access authorization

       Docker's access authorization can be extended by authorization plugins
       that your organization can purchase or build itself. You can install
       one or more authorization plugins when you start the Docker daemon
       using the --authorization-plugin=PLUGIN_ID option.

              dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

       The PLUGIN_ID value is either the plugin's name or a path to its
       specification file. The plugin's implementation determines whether you
       can specify a name or path. Consult with your Docker administrator to
       get information about the plugins available to you.

       Once a plugin is installed, requests made to the daemon through the
       command line or Docker's Engine API are allowed or denied by the
       plugin.  If you have multiple plugins installed, at least one must
       allow the request for it to complete.

       For information about how to create an authorization plugin, see the
       authorization plugin
       ⟨https://docs.docker.com/engine/extend/authorization/⟩ section in the
       Docker extend section of this documentation.
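
       Added example (not part of the original manual or of Docker): a
       small authorization plugin that denies creation of privileged
       containers and fails closed when the create request body cannot be
       read. The endpoint and field names follow the authorization plugin
       protocol documented at the URL above; the plugin name
       "no-privileged", its socket path and the policy itself are
       assumptions made for the example.

```python
import base64
import json
import re
import socketserver
from http.server import BaseHTTPRequestHandler
from urllib.parse import urlsplit

# Engine API path for container creation, with or without a version prefix.
CREATE = re.compile(r"^(/v[0-9.]+)?/containers/create$")


def decide(req):
    """Map one AuthZReq message (dict) to an authorization response (dict)."""
    method = req.get("RequestMethod", "")
    path = urlsplit(req.get("RequestUri", "")).path
    if method == "POST" and CREATE.match(path):
        try:
            # The daemon passes the API request body base64-encoded.
            body = json.loads(base64.b64decode(req.get("RequestBody") or ""))
            privileged = bool((body.get("HostConfig") or {}).get("Privileged"))
        except (ValueError, TypeError, AttributeError):
            # Fail closed: an unreadable body cannot be shown to be harmless.
            return {"Allow": False, "Msg": "create request body missing or unreadable"}
        if privileged:
            who = req.get("User") or "unauthenticated client"
            return {"Allow": False, "Msg": f"privileged containers are not allowed ({who})"}
    return {"Allow": True}


class AuthZHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length)
        if self.path == "/Plugin.Activate":
            reply = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            try:
                reply = decide(json.loads(raw))
            except (ValueError, AttributeError):
                reply = {"Allow": False, "Msg": "malformed authorization request"}
        elif self.path == "/AuthZPlugin.AuthZRes":
            reply = {"Allow": True}  # this policy does not filter responses
        else:
            self.send_error(404)
            return
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/vnd.docker.plugins.v1+json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # the default logger indexes client_address, which is empty on a unix socket


def serve(sock_path):
    """Serve the plugin on a unix socket until interrupted."""
    with socketserver.UnixStreamServer(sock_path, AuthZHandler) as server:
        server.serve_forever()


def sample_create(host_config, user="alice"):
    """Constructed AuthZReq for POST /containers/create (sample data)."""
    body = json.dumps({"Image": "busybox", "HostConfig": host_config}).encode()
    return {"User": user, "UserAuthNMethod": "TLS", "RequestMethod": "POST",
            "RequestUri": "/v1.24/containers/create?name=demo",
            "RequestBody": base64.b64encode(body).decode()}


if __name__ == "__main__":
    # Hypothetical socket path; the daemon would then be started with
    # --authorization-plugin=no-privileged.
    serve("/run/docker/plugins/no-privileged.sock")
```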

HISTORY

       Sept 2015, Originally compiled by Shishir Mahajan
       ⟨shishir.mahajan@redhat.com⟩ based on docker.com source material and
       internal work.

Shishir Mahajan               Docker User Manuals                    DOCKER(8)