DOCKER(8) SEPTEMBER 2015 DOCKER(8)

dockerd - Enable daemon mode

dockerd [--add-runtime[=[]]] [--add-registry[=[]]]
[--api-cors-header[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
[-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--block-registry[=[]]]
[--cgroup-parent[=[]]] [--cluster-store[=[]]]
[--cluster-advertise[=[]]] [--cluster-store-opt[=map[]]]
[--config-file[=/etc/docker/daemon.json]] [--containerd[=SOCKET-PATH]]
[-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]]
[--default-gateway-v6[=DEFAULT-GATEWAY-V6]] [--default-runtime[=runc]]
[--default-ulimit[=[]]] [--disable-legacy-registry] [--dns[=[]]]
[--dns-opt[=[]]] [--dns-search[=[]]] [--enable-secrets[=true]]
[--exec-opt[=[]]] [--exec-root[=/var/run/docker]]
[--experimental[=false]] [--fixed-cidr[=FIXED-CIDR]]
[--fixed-cidr-v6[=FIXED-CIDR-V6]] [-G|--group[=docker]]
[-g|--graph[=/var/lib/docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
[--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
[--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
[--iptables[=true]] [--ipv6] [--isolation[=default]]
[-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
[--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
[--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
[-p|--pidfile[=/var/run/docker.pid]] [--raw-logs]
[--registry-mirror[=[]]] [-s|--storage-driver[=STORAGE-DRIVER]]
[--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
[--shutdown-timeout[=15]] [--signature-verification]
[--storage-opt[=[]]] [--swarm-default-advertise-addr[=IP|INTERFACE]]
[--tls] [--tlscacert[=~/.docker/ca.pem]]
[--tlscert[=~/.docker/cert.pem]] [--tlskey[=~/.docker/key.pem]]
[--tlsverify] [--userland-proxy[=true]] [--userland-proxy-path[=""]]
[--userns-remap[=default]]

dockerd starts the Docker daemon, the server process that manages
images, containers, etc.

To run the Docker daemon, invoke dockerd. You can list the daemon
options with dockerd --help. Specify daemon options after the dockerd
keyword in the following format:

dockerd [OPTIONS]

--add-runtime=[]
Runtimes can be registered with the daemon either via the
configuration file or using the --add-runtime command line argument.

The following is an example adding 2 runtimes via the configuration:

{
    "default-runtime": "runc",
    "runtimes": {
        "runc": {
            "path": "runc"
        },
        "custom": {
            "path": "/usr/local/bin/my-runc-replacement",
            "runtimeArgs": [
                "--debug"
            ]
        }
    }
}

This is the same example via the command line:

$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

Note: defining runtime arguments via the command line is not supported.

--add-registry=[]
EXPERIMENTAL Each given registry will be queried before a public
Docker registry during image pulls or searches. They will be searched
in the order given. Registry mirrors won't apply to them.

--api-cors-header=""
Set CORS headers in the Engine API. CORS is disabled by default. Give
URLs like "http://foo, http://bar, ...". Give "*" to allow all.

--authorization-plugin=""
Set authorization plugins to load.

-b, --bridge=""
Attach containers to a pre-existing network bridge; use 'none' to
disable container networking.

--bip=""
Use the provided CIDR notation address for the dynamically created
bridge (docker0); mutually exclusive with -b.

--block-registry=[]
EXPERIMENTAL Prevent the Docker daemon from contacting the specified
registries. Two special keywords are recognized. The first is "public"
and represents the public Docker registry. The second is "all", which
causes all registries but those added with the --add-registry flag to
be blocked.

--cgroup-parent=""
Set parent cgroup for all containers. Default is "/docker" for fs
cgroup driver and "system.slice" for systemd cgroup driver.

--cluster-store=""
URL of the distributed storage backend.

--cluster-advertise=""
Specifies the 'host:port' or interface:port combination that this
particular daemon instance should use when advertising itself to the
cluster. The daemon is reached through this value.

--cluster-store-opt=""
Specifies options for the Key/Value store.

--config-file="/etc/docker/daemon.json"
Specifies the JSON file path to load the configuration from.

--containerd=""
Path to containerd socket.

-D, --debug=true|false
Enable debug mode. Default is false.

--default-gateway=""
IPv4 address of the container default gateway; this address must be
part of the bridge subnet (which is defined by -b or --bip).

--default-gateway-v6=""
IPv6 address of the container default gateway.

--default-runtime="runc"
Set the default runtime if more than one is specified by
--add-runtime.

--default-ulimit=[]
Default ulimits for containers.

--disable-legacy-registry=true|false
Disable contacting legacy registries.

--dns=""
Force Docker to use specific DNS servers.

--dns-opt=""
DNS options to use.

--dns-search=[]
DNS search domains to use.

--enable-secrets=true|false
Allow subscription-manager inside the containers to use subscriptions
available on the host. Default is true.

--exec-opt=[]
Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

--exec-root=""
Path to use as the root of the Docker execution state files. Default
is /var/run/docker.

--experimental=""
Enable the daemon experimental features.

--fixed-cidr=""
IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
nested in the bridge subnet (which is defined by -b or --bip).

--fixed-cidr-v6=""
IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

-G, --group=""
Group to assign the unix socket specified by -H when running in
daemon mode. Use '' (the empty string) to disable setting of a group.
Default is docker.

-g, --graph=""
Path to use as the root of the Docker runtime. Default is
/var/lib/docker.

-H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
The socket(s) to bind to in daemon mode, specified using one or more of
tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

--help
Print usage statement.

--icc=true|false
Allow unrestricted inter-container and Docker daemon host
communication. If disabled, containers can still be linked together
using the --link option (see docker-run(1)). Default is true.

--init
Run an init process inside containers for signal forwarding and
process reaping.

--init-path
Path to the docker-init binary.

--insecure-registry=[]
Enable insecure registry communication, i.e., enable un-encrypted
and/or untrusted communication.

The list of insecure registries can contain an element in CIDR notation
to specify a whole subnet. Insecure registries accept HTTP and/or
accept HTTPS with certificates from unknown CAs.

Enabling --insecure-registry is useful when running a local registry.
However, because its use creates security vulnerabilities, it should
ONLY be enabled for testing purposes. For increased security, users
should add their CA to their system's list of trusted CAs instead of
using --insecure-registry.

--ip=""
Default IP address to use when binding container ports. Default is
0.0.0.0.

--ip-forward=true|false
Enables IP forwarding on the Docker host. The default is true. This
flag interacts with the IP forwarding setting on your host system's
kernel. If your system has IP forwarding disabled, this setting enables
it. If your system has IP forwarding enabled, setting this flag to
--ip-forward=false has no effect.

This setting will also enable IPv6 forwarding if you have both
--ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
Router Advertisements and interfere with the host's existing IPv6
configuration. For more information, please consult the documentation
about "Advanced Networking - IPv6".

--ip-masq=true|false
Enable IP masquerading for bridge's IP range. Default is true.

--iptables=true|false
Enable Docker's addition of iptables rules. Default is true.

--ipv6=true|false
Enable IPv6 support. Default is false. Docker will create an
IPv6-enabled bridge with address fe80::1 which will allow you to create
IPv6-enabled containers. Use together with --fixed-cidr-v6 to provide
globally routable IPv6 addresses. IPv6 forwarding will be enabled if
not used with --ip-forward=false. This may collide with your host's
current IPv6 settings. For more information please consult the
documentation about "Advanced Networking - IPv6".

--isolation="default"
Isolation specifies the type of isolation technology used by
containers. Note that the default on Windows server is process, and the
default on Windows client is hyperv. Linux only supports default.

-l, --log-level="debug|info|warn|error|fatal"
Set the logging level. Default is info.

--label="[]"
Set key=value labels to the daemon (displayed in docker info).

--live-restore=false
Enable live restore of running containers when the daemon starts so
that they are not restarted. This option is applicable only for docker
daemon running on Linux host.

--log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
Default driver for container logs. Default is json-file.
Warning: docker logs command works only for json-file logging driver.

--log-opt=[]
Logging driver specific options.

--mtu=0
Set the containers network mtu. Default is 0.

--max-concurrent-downloads=3
Set the max concurrent downloads for each pull. Default is 3.

--max-concurrent-uploads=5
Set the max concurrent uploads for each push. Default is 5.

-p, --pidfile=""
Path to use for daemon PID file. Default is /var/run/docker.pid.

--raw-logs
Output daemon logs in full timestamp format without ANSI coloring. If
this flag is not set, the daemon outputs condensed, colorized logs if a
terminal is detected, or full ("raw") output otherwise.

--registry-mirror=<scheme>://<host>
Prepend a registry mirror to be used for image pulls. May be specified
multiple times.

-s, --storage-driver=""
Force the Docker runtime to use a specific storage driver.

--seccomp-profile=""
Path to seccomp profile.

--selinux-enabled=true|false
Enable selinux support. Default is false.

--shutdown-timeout=15
Set the shutdown timeout value in seconds. Default is 15.

--signature-verification=true|false
Enable image signature verification. Default is true. WARNING: this
option doesn't work with images being pulled from v1 docker registries.
See SIGNATURE VERIFICATION.

--storage-opt=[]
Set storage driver options. See STORAGE DRIVER OPTIONS.

--swarm-default-advertise-addr=IP|INTERFACE
Set default address or interface for swarm to advertise as its
externally-reachable address to other cluster members. This can be a
hostname, an IP address, or an interface such as eth0. A port cannot be
specified with this option.

--tls=true|false
Use TLS; implied by --tlsverify. Default is false.

--tlscacert=~/.docker/ca.pem
Trust certs signed only by this CA.

--tlscert=~/.docker/cert.pem
Path to TLS certificate file.

--tlskey=~/.docker/key.pem
Path to TLS key file.

--tlsverify=true|false
Use TLS and verify the remote (daemon: verify client, client: verify
daemon). Default is false.

--userland-proxy=true|false
Rely on a userland proxy implementation for inter-container and
outside-to-container loopback communications. Default is true.

--userland-proxy-path=""
Path to the userland proxy binary.

--userns-remap=default|uid:gid|user:group|user|uid
Enable user namespaces for containers on the daemon. Specifying a user
(or uid) and optionally a group (or gid) will cause the daemon to look
up the user and group's subordinate ID ranges for use as the user
namespace mappings for contained processes. Specifying "default" will
cause a "dockremap" user and group to be created if not already
present. The "dockremap" user and group, or the specified uid, gid,
user or group must be created in the subuid(5) and subgid(5) files
prior to enablement.

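An added example, not part of the original man page: a Python check that reads a daemon.json and reports the settings the options above describe as weakening isolation or transport security (a tcp:// listener without --tlsverify, --insecure-registry entries including CIDR subnets, --api-cors-header "*", --icc, and an unset --userns-remap). The key names are the daemon.json spellings of those flags; the two sample configurations, their addresses and registry names are constructed for illustration.

```python
import ipaddress
import json


def audit_daemon_config(cfg):
    """Return (key, message) findings for a parsed daemon.json dict."""
    findings = []

    # -H/--host with tcp:// exposes the Engine API on the network; without
    # --tlsverify the daemon does not verify clients.
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify", False):
        findings.append(("hosts", "TCP listener without tlsverify: " + ", ".join(tcp)))
    elif tcp:
        unset = [k for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
        if unset:
            findings.append(("tlsverify",
                             "default ~/.docker paths apply for: " + ", ".join(unset)))

    # --insecure-registry entries may name one registry or a whole CIDR subnet.
    for entry in cfg.get("insecure-registries", []):
        scope = "registry " + entry
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
                scope = "subnet %s (%d addresses)" % (net, net.num_addresses)
            except ValueError:
                pass  # not CIDR notation, report it as a registry name
        findings.append(("insecure-registries",
                         "HTTP or unknown-CA HTTPS accepted for " + scope))

    # --api-cors-header "*" allows all origins.
    if cfg.get("api-cors-header") == "*":
        findings.append(("api-cors-header", "CORS allowed for all origins"))

    # --icc defaults to true when the key is absent.
    if cfg.get("icc", True):
        findings.append(("icc", "unrestricted inter-container communication"))

    # User namespaces are only enabled when --userns-remap has a value.
    if not cfg.get("userns-remap"):
        findings.append(("userns-remap", "user namespaces not enabled"))

    return findings


# Constructed sample: the weak settings side by side.
WEAK = json.loads("""{
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "insecure-registries": ["registry.test:5000", "10.0.0.0/8"],
    "api-cors-header": "*"
}""")

# Constructed sample: the same daemon with the corrected settings.
HARDENED = json.loads("""{
    "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
    "tlsverify": true,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/cert.pem",
    "tlskey": "/etc/docker/key.pem",
    "icc": false,
    "userns-remap": "default"
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for key, msg in audit_daemon_config(cfg) or [("-", "no findings")]:
            print("  %-20s %s" % (key, msg))
```
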
Docker supports GPG image signature verification when the
--signature-verification flag is true. This functionality works only at
pull time and for images being pulled from docker registries version 2.
You can sign an image using skopeo(1) or atomic(1). See
⟨https://access.redhat.com/articles/2750891⟩.

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be configured.

Specify options to the storage backend with --storage-opt flags. The
backends that currently take options are devicemapper, zfs and btrfs.
Options for devicemapper are prefixed with dm, options for zfs start
with zfs and options for btrfs start with btrfs.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use lvm to create a thin pool; for more
information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
tell the Docker engine to use that pool for allocating images and
container snapshots.

dm.thinpooldev
Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use
lvm to create and manage the thin-pool volume. This volume is then
handed to Docker to exclusively create snapshot volumes needed for
images and containers.

Managing the thin-pool outside of Engine makes for the most
feature-rich method of having Docker utilize device mapper thin
provisioning as the backing storage for Docker containers. The
highlights of the lvm-based thin-pool management feature include:
automatic or interactive thin-pool resize support, dynamically changing
thin-pool features, automatic thinp metadata checking when lvm
activates the thin-pool, etc.

As a fallback if no thin pool is provided, loopback files are created.
Loopback is very slow, but can be used without any pre-configuration of
storage. It is strongly recommended that you do not use loopback in
production. Ensure your Engine daemon has a --storage-opt
dm.thinpooldev argument provided.

Example use:

$ dockerd \
    --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

dm.basesize
Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note, thin
devices are inherently "sparse", so a 10G device which is mostly empty
doesn't use 10 GB of space on the pool. However, the filesystem will
use more space for base images the larger the device is.

The base device size can be increased at daemon restart, which will
allow all future images and containers (based on those new images) to
be of the new base device size.

Example use: dockerd --storage-opt dm.basesize=50G

This will increase the base device size to 50G. The Docker daemon will
throw an error if the existing base device size is larger than 50G. A
user can use this option to expand the base device size; however,
shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may
already be initialized and inherited by pulled images. Typically, a
change to this value requires additional steps to take effect:

$ sudo service docker stop
$ sudo rm -rf /var/lib/docker
$ sudo service docker start

Removing /var/lib/docker deletes all existing images and containers
stored there.

Example use: dockerd --storage-opt dm.basesize=20G

dm.fs
Specifies the filesystem type to use for the base device. The supported
options are ext4 and xfs. The default is ext4.

Example use: dockerd --storage-opt dm.fs=xfs

dm.mkfsarg
Specifies extra mkfs arguments to be used when creating the base
device.

Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

dm.mountopt
Specifies extra mount options used when mounting the thin devices.

Example use: dockerd --storage-opt dm.mountopt=nodiscard

dm.use_deferred_removal
Enables use of deferred device removal if libdm and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, a deferred removal is scheduled on the
device. The device then goes away automatically when its last user
exits.

For example, when a container exits, its associated thin device is
removed. If that device has leaked into some other mount namespace and
can't be removed, the container exit still succeeds and this option
causes the system to schedule the device for deferred removal. It does
not wait in a loop trying to remove a busy device.

Example use: dockerd --storage-opt dm.use_deferred_removal=true

dm.use_deferred_deletion
Enables use of deferred device deletion for thin pool devices. By
default, thin pool device deletion is synchronous. Before a container
is deleted, the Docker daemon removes any associated devices. If the
storage driver cannot remove a device, the container deletion fails
and the daemon returns:

Error deleting container: Error response from daemon: Cannot destroy container

To avoid this failure, enable both deferred device deletion and
deferred device removal on the daemon.

dockerd --storage-opt dm.use_deferred_deletion=true \
    --storage-opt dm.use_deferred_removal=true

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later,
when the device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will
help when unintentional leaking of a mount point happens across
multiple mount namespaces.

dm.loopdatasize
Note: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up this much
space.

Example use: dockerd --storage-opt dm.loopdatasize=200G

dm.loopmetadatasize
Note: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size is
2G. The file is sparse, so it will not initially take up this much
space.

Example use: dockerd --storage-opt dm.loopmetadatasize=4G

dm.datadev
(Deprecated, use dm.thinpooldev)

Specifies a custom blockdevice to use for data for a Docker-managed
thin pool. It is better to use dm.thinpooldev - see the documentation
for it above for discussion of the advantages.

dm.metadatadev
(Deprecated, use dm.thinpooldev)

Specifies a custom blockdevice to use for metadata for a Docker-managed
thin pool. See dm.datadev for why this is deprecated.

dm.blocksize
Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: dockerd --storage-opt dm.blocksize=512K

dm.blkdiscard
Enables or disables the use of blkdiscard when removing devicemapper
devices. This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to much faster container removal
times, but it also prevents the space used in /var/lib/docker directory
from being returned to the system for other use when containers are
removed.

Example use: dockerd --storage-opt dm.blkdiscard=false

dm.override_udev_sync_check
By default, the devicemapper backend attempts to synchronize with the
udev device manager for the Linux kernel. This option allows disabling
that synchronization, to continue even though the configuration may be
buggy.

To view the udev sync support of a Docker daemon that is using the
devicemapper driver, run:

$ docker info
[...]
Udev Sync Supported: true
[...]

When udev sync support is true, devicemapper and udev can coordinate
the activation and deactivation of devices for containers.

When udev sync support is false, a race condition occurs between
devicemapper and udev during create and cleanup. The race condition
results in errors and failures. (For information on these failures, see
docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

To allow the docker daemon to start, regardless of whether udev sync is
false, set dm.override_udev_sync_check to true:

$ dockerd --storage-opt dm.override_udev_sync_check=true

When this value is true, the driver continues and simply warns you that
the errors are happening.

Note: The ideal is to pursue a docker daemon and environment that does
support synchronizing with udev. For further discussion on this topic,
see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
Otherwise, set this flag for migrating existing Docker daemons to a
daemon with a supported environment.

dm.min_free_space
Specifies the minimum free space percentage in a thin pool required for
new device creation to succeed. This check applies to both free data
space and free metadata space. Valid values are from 0% - 99%. A value
of 0% disables the free space checking logic. If the user does not
specify a value for this option, the Engine uses a default value of
10%.

Whenever a new thin pool device is created (during docker pull or
during container creation), the Engine checks if the minimum free space
is available. If the space is unavailable, then device creation fails
and any relevant docker operation fails.

To recover from this error, you must create more free space in the thin
pool. You can create free space by deleting some images and containers
from the thin pool. You can also add more storage to the thin pool.

To add more space to an LVM (logical volume management) thin pool, just
add more storage to the volume group containing the thin pool; this
should automatically resolve any errors. If your configuration uses
loop devices, then stop the Engine daemon, grow the size of the loop
files and restart the daemon to resolve the issue.

Example use: dockerd --storage-opt dm.min_free_space=10%

dm.xfs_nospace_max_retries
Specifies the maximum number of retries XFS should attempt to complete
IO when an ENOSPC (no space) error is returned by the underlying
storage device.

By default XFS retries infinitely for IO to finish, and this can result
in an unkillable process. To change this behavior, set
xfs_nospace_max_retries to, say, 0; XFS will then not retry IO after
getting ENOSPC and will shut down the filesystem.

Example use:

$ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

zfs.fsname
Set the zfs filesystem under which docker will create its own datasets.
By default docker will pick up the zfs filesystem where the docker
graph (/var/lib/docker) is located.

Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

btrfs.min_space
Specifies the minimum size to use when creating the subvolume which is
used for containers. If the user uses disk quota for btrfs when
creating or running a container with the --storage-opt size option,
docker should ensure the size cannot be smaller than btrfs.min_space.

Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G

The daemon uses libkv to advertise the node within the cluster. Some
Key/Value backends support mutual TLS, and the client TLS settings used
by the daemon can be configured using the --cluster-store-opt flag,
specifying the paths to PEM encoded files.

kv.cacertfile
Specifies the path to a local file with PEM encoded CA certificates to
trust.

kv.certfile
Specifies the path to a local file with a PEM encoded certificate.
This certificate is used as the client cert for communication with the
Key/Value store.

kv.keyfile
Specifies the path to a local file with a PEM encoded private key.
This private key is used as the client key for communication with the
Key/Value store.

Docker's access authorization can be extended by authorization plugins
that your organization can purchase or build itself. You can install
one or more authorization plugins when you start the Docker daemon
using the --authorization-plugin=PLUGIN_ID option.

dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

The PLUGIN_ID value is either the plugin's name or a path to its
specification file. The plugin's implementation determines whether you
can specify a name or path. Consult with your Docker administrator to
get information about the plugins available to you.

Once a plugin is installed, requests made to the daemon through the
command line or Docker's Engine API are allowed or denied by the
plugin. If you have multiple plugins installed, at least one must
allow the request for it to complete.

For information about how to create an authorization plugin, see the
authorization plugin section
⟨https://docs.docker.com/engine/extend/authorization/⟩ in the Docker
extend section of this documentation.

Sept 2015, Originally compiled by Shishir Mahajan
⟨shishir.mahajan@redhat.com⟩ based on docker.com source material and
internal work.

Shishir Mahajan Docker User Manuals DOCKER(8)