1DOCKER(8) SEPTEMBER 2015 DOCKER(8)
2
6 dockerd - Enable daemon mode
7
11 dockerd [--add-runtime[=[]]] [--add-registry[=[]]]
12 [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
13 [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--block-registry[=[]]]
14 [--cgroup-parent[=[]]] [--cluster-store[=[]]]
15 [--cluster-advertise[=[]]] [--cluster-store-opt[=map[]]]
16 [--config-file[=/etc/docker/daemon.json]] [--containerd[=SOCKET-PATH]]
17 [-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]]
18 [--default-gateway-v6[=DEFAULT-GATEWAY-V6]] [--default-runtime[=runc]]
19 [--default-ulimit[=[]]] [--disable-legacy-registry] [--dns[=[]]]
20 [--dns-opt[=[]]] [--dns-search[=[]]] [--enable-secrets[=true]]
21 [--exec-opt[=[]]] [--exec-root[=/var/run/docker]]
22 [--experimental[=false]] [--fixed-cidr[=FIXED-CIDR]]
23 [--fixed-cidr-v6[=FIXED-CIDR-V6]] [-G|--group[=docker]]
24 [-g|--graph[=/var/lib/docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
25 [--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
26 [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
27 [--iptables[=true]] [--ipv6] [--isolation[=default]]
28 [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
29 [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
30 [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
31 [-p|--pidfile[=/var/run/docker.pid]] [--raw-logs]
32 [--registry-mirror[=[]]] [-s|--storage-driver[=STORAGE-DRIVER]]
33 [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
34 [--shutdown-timeout[=15]] [--signature-verification]
35 [--storage-opt[=[]]] [--swarm-default-advertise-addr[=IP|INTERFACE]]
36 [--tls] [--tlscacert[= /.docker/ca.pem]]
37 [--tlscert[= /.docker/cert.pem]] [--tlskey[= /.docker/key.pem]]
38 [--tlsverify] [--userland-proxy[=true]] [--userland-proxy-path[=""]]
39 [--userns-remap[=default]]
40
44 dockerd is used for starting the Docker daemon (i.e., to command the
45 daemon to manage images, containers etc). So dockerd is a server, as a
46 daemon.
47 To run the Docker daemon you can specify dockerd. You can check the
50 daemon options using dockerd --help. Daemon options should be
51 specified after the dockerd keyword in the following format.
52 dockerd [OPTIONS]
55
59 --add-runtime=[]
60 Runtimes can be registered with the daemon either via the
61 configuration file or using the --add-runtime command line argument.
62 The following is an example adding 2 runtimes via the configuration:
65 {
68 "default-runtime": "runc",
69 "runtimes": {
70 "runc": {
71 "path": "runc"
72 },
73 "custom": {
74 "path": "/usr/local/bin/my-runc-replacement",
75 "runtimeArgs": [
76 "--debug"
77 ]
78 }
79 }
80 }
81 This is the same example via the command line:
85 $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
88 Note: defining runtime arguments via the command line is not supported.
92 --add-registry=[]
95 EXPERIMENTAL Each given registry will be queried before a public
96 Docker registry during image pulls or searches. They will be searched
97 in the order given. Registry mirrors won't apply to them.
98 --api-cors-header=""
101 Set CORS headers in the Engine API. Default is cors disabled. Give
102 urls like
103 " ⟨http://foo⟩, ⟨http://bar⟩, ...". Give "*" to allow all.
104 --authorization-plugin=""
107 Set authorization plugins to load
108 -b, --bridge=""
111 Attach containers to a pre-existing network bridge; use 'none' to
112 disable
113 container networking
114 --bip=""
117 Use the provided CIDR notation address for the dynamically created
118 bridge
119 (docker0); Mutually exclusive of -b
120 --block-registry=[]
123 EXPERIMENTAL Prevent Docker daemon from contacting specified
124 registries. There are two special keywords recognized. The first is
125 "public" and represents public Docker registry. The second is "all"
126 which causes all registries but those added with --add-registry flag to
127 be blocked.
128 --cgroup-parent=""
131 Set parent cgroup for all containers. Default is "/docker" for fs
132 cgroup
133 driver and "system.slice" for systemd cgroup driver.
134 --cluster-store=""
137 URL of the distributed storage backend
138 --cluster-advertise=""
141 Specifies the 'host:port' or interface:port combination that this
142 particular daemon instance should use when advertising itself to the
143 cluster.
144 The daemon is reached through this value.
145 --cluster-store-opt=""
148 Specifies options for the Key/Value store.
149 --config-file="/etc/docker/daemon.json"
152 Specifies the JSON file path to load the configuration from.
153 --containerd=""
156 Path to containerd socket.
157 -D, --debug=true|false
160 Enable debug mode. Default is false.
161 --default-gateway=""
164 IPv4 address of the container default gateway; this address must be
165 part of
166 the bridge subnet (which is defined by -b or --bip)
167 --default-gateway-v6=""
170 IPv6 address of the container default gateway
171 --default-runtime="runc"
174 Set default runtime if there're more than one specified by
175 --add-runtime.
176 --default-ulimit=[]
179 Default ulimits for containers.
180 --disable-legacy-registry=true|false
183 Disable contacting legacy registries
184 --dns=""
187 Force Docker to use specific DNS servers
188 --dns-opt=""
191 DNS options to use.
192 --dns-search=[]
195 DNS search domains to use.
196 --enable-secrets=true|false
199 Allow subscription-manager inside the containers to use subscriptions
200 available on the host. Default is true.
201 --exec-opt=[]
204 Set runtime execution options. See RUNTIME EXECUTION OPTIONS.
205 --exec-root=""
208 Path to use as the root of the Docker execution state files. Default
209 is
210 /var/run/docker.
211 --experimental=""
214 Enable the daemon experimental features.
215 --fixed-cidr=""
218 IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
219 nested in
220 the bridge subnet (which is defined by -b or --bip).
221 --fixed-cidr-v6=""
224 IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)
225 -G, --group=""
228 Group to assign the unix socket specified by -H when running in
229 daemon mode.
230 use '' (the empty string) to disable setting of a group. Default is
231 docker.
232 -g, --graph=""
235 Path to use as the root of the Docker runtime. Default is
236 /var/lib/docker.
237 -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
240 unix://[/path/to/socket] to use.
241 The socket(s) to bind to in daemon mode specified using one or more
242 tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
243 --help
246 Print usage statement
247 --icc=true|false
250 Allow unrestricted inter-container and Docker daemon host
251 communication. If
252 disabled, containers can still be linked together using the --link
253 option
254 (see docker-run(1)). Default is true.
255 --init
258 Run an init process inside containers for signal forwarding and
259 process
260 reaping.
261 --init-path
264 Path to the docker-init binary.
265 --insecure-registry=[]
268 Enable insecure registry communication, i.e., enable un-encrypted
269 and/or
270 untrusted communication.
271 List of insecure registries can contain an element with CIDR notation
274 to
275 specify a whole subnet. Insecure registries accept HTTP and/or accept
276 HTTPS
277 with certificates from unknown CAs.
278 Enabling --insecure-registry is useful when running a local registry.
281 However, because its use creates security vulnerabilities it should
282 ONLY be
283 enabled for testing purposes. For increased security, users should
284 add their
285 CA to their system's list of trusted CAs instead of using
286 --insecure-registry.
287 --ip=""
290 Default IP address to use when binding container ports. Default is
291 0.0.0.0.
292 --ip-forward=true|false
295 Enables IP forwarding on the Docker host. The default is true. This
296 flag
297 interacts with the IP forwarding setting on your host system's
298 kernel. If
299 your system has IP forwarding disabled, this setting enables it. If
300 your
301 system has IP forwarding enabled, setting this flag to
302 --ip-forward=false
303 has no effect.
304 This setting will also enable IPv6 forwarding if you have both
307 --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
308 Router Advertisements and interfere with the host's existing IPv6
309 configuration. For more information, please consult the documentation
310 about
311 "Advanced Networking - IPv6".
312 --ip-masq=true|false
315 Enable IP masquerading for bridge's IP range. Default is true.
316 --iptables=true|false
319 Enable Docker's addition of iptables rules. Default is true.
320 --ipv6=true|false
323 Enable IPv6 support. Default is false. Docker will create an
324 IPv6-enabled
325 bridge with address fe80::1 which will allow you to create
326 IPv6-enabled
327 containers. Use together with --fixed-cidr-v6 to provide globally
328 routable
329 IPv6 addresses. IPv6 forwarding will be enabled if not used with
330 --ip-forward=false. This may collide with your host's current IPv6
331 settings. For more information please consult the documentation about
332 "Advanced Networking - IPv6".
333 --isolation="default"
336 Isolation specifies the type of isolation technology used by
337 containers.
338 Note that the default on Windows server is process, and the default
339 on
340 Windows client is hyperv. Linux only supports default.
341 -l, --log-level="debug|info|warn|error|fatal"
344 Set the logging level. Default is info.
345 --label="[]"
348 Set key=value labels to the daemon (displayed in docker info)
349 --live-restore=false
352 Enable live restore of running containers when the daemon starts so
353 that they
354 are not restarted. This option is applicable only for docker daemon
355 running
356 on Linux host.
357 --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
360 Default driver for container logs. Default is json-file.
361 Warning: docker logs command works only for json-file logging driver.
362 --log-opt=[]
365 Logging driver specific options.
366 --mtu=0
369 Set the containers network mtu. Default is 0.
370 --max-concurrent-downloads=3
373 Set the max concurrent downloads for each pull. Default is 3.
374 --max-concurrent-uploads=5
377 Set the max concurrent uploads for each push. Default is 5.
378 -p, --pidfile=""
381 Path to use for daemon PID file. Default is /var/run/docker.pid
382 --raw-logs
385 Output daemon logs in full timestamp format without ANSI coloring. If
386 this
387 flag is not set, the daemon outputs condensed, colorized logs if a
388 terminal
389 is detected, or full ("raw") output otherwise.
390 --registry-mirror=<scheme>://<host>
393 Prepend a registry mirror to be used for image pulls. May be
394 specified
395 multiple times.
396 -s, --storage-driver=""
399 Force the Docker runtime to use a specific storage driver.
400 --seccomp-profile=""
403 Path to seccomp profile.
404 --selinux-enabled=true|false
407 Enable selinux support. Default is false.
408 --shutdown-timeout=15
411 Set the shutdown timeout value in seconds. Default is 15.
412 --signature-verification=true|false
415 Enable image signature verification. Default is true. WARNING: this
416 option doesn't work
417 with images being pulled from v1 docker registries. See SIGNATURE
418 VERIFICATION.
419 --storage-opt=[]
422 Set storage driver options. See STORAGE DRIVER OPTIONS.
423 --swarm-default-advertise-addr=IP|INTERFACE
426 Set default address or interface for swarm to advertise as its
427 externally-reachable address to other cluster members. This can be a
428 hostname, an IP address, or an interface such as eth0. A port cannot
429 be
430 specified with this option.
431 --tls=true|false
434 Use TLS; implied by --tlsverify. Default is false.
435 --tlscacert= /.docker/ca.pem
438 Trust certs signed only by this CA.
439 --tlscert= /.docker/cert.pem
442 Path to TLS certificate file.
443 --tlskey= /.docker/key.pem
446 Path to TLS key file.
447 --tlsverify=true|false
450 Use TLS and verify the remote (daemon: verify client, client: verify
451 daemon).
452 Default is false.
453 --userland-proxy=true|false
456 Rely on a userland proxy implementation for inter-container and
457 outside-to-container loopback communications. Default is true.
458 --userland-proxy-path=""
461 Path to the userland proxy binary.
462 --userns-remap=default|uid:gid|user:group|user|uid
465 Enable user namespaces for containers on the daemon. Specifying
466 a user (or uid) and optionally a group (or gid) will cause the
467 daemon to lookup the user and group's subordinate ID ranges for use
468 as the
469 user namespace mappings for contained processes. Specifying "default"
470 will cause a "dockremap" user and group to be created if not already
471 present.
472 The "dockremap" user and group, or the specified uid, gid, user or
473 group must
474 be created in the subuid(5) and subgid(5) files prior to enablement.
475
479 Docker supports GPG image signatures verification when
480 --signature-verification flag is true. This functionality works only
481 at pull time and for images being pulled from docker registries version
482 2. You can sign an image using skopeo(1) or atomic(1). See
483 ⟨https://access.redhat.com/articles/2750891⟩.
484
488 Docker uses storage backends (known as "graphdrivers" in the Docker
489 internals) to create writable containers from images. Many of these
490 backends use operating system level technologies and can be configured.
491 Specify options to the storage backend with --storage-opt flags. The
494 backends that currently take options are devicemapper, zfs and btrfs.
495 Options for devicemapper are prefixed with dm, options for zfs start
496 with zfs and options for btrfs start with btrfs.
497 Specifically for devicemapper, the default is a "loopback" model which
500 requires no pre-configuration, but is extremely inefficient. Do not
501 use it in production.
502 To make the best use of Docker with the devicemapper backend, you must
505 have a recent version of LVM. Use lvm to create a thin pool; for more
506 information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
507 tell the Docker engine to use that pool for allocating images and
508 container snapshots.
509
512 dm.thinpooldev
513 Specifies a custom block storage device to use for the thin pool.
514 If using a block device for device mapper storage, it is best to use
517 lvm to create and manage the thin-pool volume. This volume is then
518 handed to Docker to exclusively create snapshot volumes needed for
519 images and containers.
520 Managing the thin-pool outside of Engine makes for the most
523 feature-rich method of having Docker utilize device mapper thin
524 provisioning as the backing storage for Docker containers. The
525 highlights of the lvm-based thin-pool management feature include:
526 automatic or interactive thin-pool resize support, dynamically changing
527 thin-pool features, automatic thinp metadata checking when lvm
528 activates the thin-pool, etc.
529 As a fallback if no thin pool is provided, loopback files are created.
532 Loopback is very slow, but can be used without any pre-configuration of
533 storage. It is strongly recommended that you do not use loopback in
534 production. Ensure your Engine daemon has a --storage-opt
535 dm.thinpooldev argument provided.
536 Example use:
539 $ dockerd \
542 --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
543 dm.basesize
546 Specifies the size to use when creating the base device, which limits
547 the size of images and containers. The default value is 10G. Note, thin
548 devices are inherently "sparse", so a 10G device which is mostly empty
549 doesn't use 10 GB of space on the pool. However, the filesystem will
550 use more space for base images the larger the device is.
551 The base device size can be increased at daemon restart which will
554 allow all future images and containers (based on those new images) to
555 be of the new base device size.
556 Example use: dockerd --storage-opt dm.basesize=50G
559 This will increase the base device size to 50G. The Docker daemon will
562 throw an error if existing base device size is larger than 50G. A user
563 can use this option to expand the base device size however shrinking is
564 not permitted.
565 This value affects the system-wide "base" empty filesystem that may
568 already be initialized and inherited by pulled images. Typically, a
569 change to this value requires additional steps to take effect:
570 $ sudo service docker stop
573 $ sudo rm -rf /var/lib/docker
574 $ sudo service docker start
575 Example use: dockerd --storage-opt dm.basesize=20G
579 dm.fs
582 Specifies the filesystem type to use for the base device. The supported
583 options are ext4 and xfs. The default is ext4.
584 Example use: dockerd --storage-opt dm.fs=xfs
587 dm.mkfsarg
590 Specifies extra mkfs arguments to be used when creating the base
591 device.
592 Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"
595 dm.mountopt
598 Specifies extra mount options used when mounting the thin devices.
599 Example use: dockerd --storage-opt dm.mountopt=nodiscard
602 dm.use_deferred_removal
605 Enables use of deferred device removal if libdm and the kernel driver
606 support the mechanism.
607 Deferred device removal means that if device is busy when devices are
610 being removed/deactivated, then a deferred removal is scheduled on
611 device. And devices automatically go away when last user of the device
612 exits.
613 For example, when a container exits, its associated thin device is
616 removed. If that device has leaked into some other mount namespace and
617 can't be removed, the container exit still succeeds and this option
618 causes the system to schedule the device for deferred removal. It does
619 not wait in a loop trying to remove a busy device.
620 Example use: dockerd --storage-opt dm.use_deferred_removal=true
623 dm.use_deferred_deletion
626 Enables use of deferred device deletion for thin pool devices. By
627 default, thin pool device deletion is synchronous. Before a container
628 is deleted, the Docker daemon removes any associated devices. If the
629 storage driver can not remove a device, the container deletion fails
630 and daemon returns.
631 Error deleting container: Error response from daemon: Cannot destroy
634 container
635 To avoid this failure, enable both deferred device deletion and
638 deferred device removal on the daemon.
639 dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt
642 dm.use_deferred_removal=true
643 With these two options enabled, if a device is busy when the driver is
646 deleting a container, the driver marks the device as deleted. Later,
647 when the device isn't in use, the driver deletes it.
648 In general it should be safe to enable this option by default. It will
651 help when unintentional leaking of mount point happens across multiple
652 mount namespaces.
653 dm.loopdatasize
656 Note: This option configures devicemapper loopback, which should not be
657 used in production.
658 Specifies the size to use when creating the loopback file for the
661 "data" device which is used for the thin pool. The default size is
662 100G. The file is sparse, so it will not initially take up this much
663 space.
664 Example use: dockerd --storage-opt dm.loopdatasize=200G
667 dm.loopmetadatasize
670 Note: This option configures devicemapper loopback, which should not be
671 used in production.
672 Specifies the size to use when creating the loopback file for the
675 "metadata" device which is used for the thin pool. The default size is
676 2G. The file is sparse, so it will not initially take up this much
677 space.
678 Example use: dockerd --storage-opt dm.loopmetadatasize=4G
681 dm.datadev
684 (Deprecated, use dm.thinpooldev)
685 Specifies a custom blockdevice to use for data for a Docker-managed
688 thin pool. It is better to use dm.thinpooldev - see the documentation
689 for it above for discussion of the advantages.
690 dm.metadatadev
693 (Deprecated, use dm.thinpooldev)
694 Specifies a custom blockdevice to use for metadata for a Docker-managed
697 thin pool. See dm.datadev for why this is deprecated.
698 dm.blocksize
701 Specifies a custom blocksize to use for the thin pool. The default
702 blocksize is 64K.
703 Example use: dockerd --storage-opt dm.blocksize=512K
706 dm.blkdiscard
709 Enables or disables the use of blkdiscard when removing devicemapper
710 devices. This is disabled by default due to the additional latency,
711 but as a special case with loopback devices it will be enabled, in
712 order to re-sparsify the loopback file on image/container removal.
713 Disabling this on loopback can lead to much faster container removal
716 times, but it also prevents the space used in /var/lib/docker directory
717 from being returned to the system for other use when containers are
718 removed.
719 Example use: dockerd --storage-opt dm.blkdiscard=false
722 dm.override_udev_sync_check
725 By default, the devicemapper backend attempts to synchronize with the
726 udev device manager for the Linux kernel. This option allows disabling
727 that synchronization, to continue even though the configuration may be
728 buggy.
729 To view the udev sync support of a Docker daemon that is using the
732 devicemapper driver, run:
733 $ docker info
736 [...]
737 Udev Sync Supported: true
738 [...]
739 When udev sync support is true, then devicemapper and udev can
743 coordinate the activation and deactivation of devices for containers.
744 When udev sync support is false, a race condition occurs between the
747 devicemapper and udev during create and cleanup. The race condition
748 results in errors and failures. (For information on these failures, see
749 docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)
750 To allow the docker daemon to start, regardless of whether udev sync is
753 false, set dm.override_udev_sync_check to true:
754 $ dockerd --storage-opt dm.override_udev_sync_check=true
757 When this value is true, the driver continues and simply warns you the
761 errors are happening.
762 Note: The ideal is to pursue a docker daemon and environment that does
765 support synchronizing with udev. For further discussion on this topic,
766 see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
767 Otherwise, set this flag for migrating existing Docker daemons to a
768 daemon with a supported environment.
769 dm.min_free_space
772 Specifies the min free space percent in a thin pool require for new
773 device creation to succeed. This check applies to both free data space
774 as well as free metadata space. Valid values are from 0% - 99%. Value
775 0% disables free space checking logic. If user does not specify a value
776 for this option, the Engine uses a default value of 10%.
777 Whenever a new a thin pool device is created (during docker pull or
780 during container creation), the Engine checks if the minimum free space
781 is available. If the space is unavailable, then device creation fails
782 and any relevant docker operation fails.
783 To recover from this error, you must create more free space in the thin
786 pool to recover from the error. You can create free space by deleting
787 some images and containers from tge thin pool. You can also add more
788 storage to the thin pool.
789 To add more space to an LVM (logical volume management) thin pool, just
792 add more storage to the group container thin pool; this should
793 automatically resolve any errors. If your configuration uses loop
794 devices, then stop the Engine daemon, grow the size of loop files and
795 restart the daemon to resolve the issue.
796 Example use:: dockerd --storage-opt dm.min_free_space=10%
799 dm.xfs_nospace_max_retries
802 Specifies the maximum number of retries XFS should attempt to complete
803 IO when ENOSPC (no space) error is returned by underlying storage
804 device.
805 By default XFS retries infinitely for IO to finish and this can result
808 in unkillable process. To change this behavior one can set
809 xfs_nospace_max_retries to say 0 and XFS will not retry IO after
810 getting ENOSPC and will shutdown filesystem.
811 Example use:
814 $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
817
821 zfs.fsname
822 Set zfs filesystem under which docker will create its own datasets. By
823 default docker will pick up the zfs filesystem where docker graph
824 (/var/lib/docker) is located.
825 Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
828
831 btrfs.min_space
832 Specifies the mininum size to use when creating the subvolume which is
833 used for containers. If user uses disk quota for btrfs when creating or
834 running a container with --storage-opt size option, docker should
835 ensure the size cannot be smaller than btrfs.min_space.
836 Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G
839
843 The daemon uses libkv to advertise the node within the cluster. Some
844 Key/Value backends support mutual TLS, and the client TLS settings used
845 by the daemon can be configured using the --cluster-store-opt flag,
846 specifying the paths to PEM encoded files.
847 kv.cacertfile
850 Specifies the path to a local file with PEM encoded CA certificates to
851 trust
852 kv.certfile
855 Specifies the path to a local file with a PEM encoded certificate.
856 This certificate is used as the client cert for communication with the
857 Key/Value store.
858 kv.keyfile
861 Specifies the path to a local file with a PEM encoded private key.
862 This private key is used as the client key for communication with the
863 Key/Value store.
864
868 Docker's access authorization can be extended by authorization plugins
869 that your organization can purchase or build themselves. You can
870 install one or more authorization plugins when you start the Docker
871 daemon using the --authorization-plugin=PLUGIN_ID option.
872 dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
875 The PLUGIN_ID value is either the plugin's name or a path to its
879 specification file. The plugin's implementation determines whether you
880 can specify a name or path. Consult with your Docker administrator to
881 get information about the plugins available to you.
882 Once a plugin is installed, requests made to the daemon through the
885 command line or Docker's Engine API are allowed or denied by the
886 plugin. If you have multiple plugins installed, at least one must
887 allow the request for it to complete.
888 For information about how to create an authorization plugin, see
891 authorization plugin
892 ⟨https://docs.docker.com/engine/extend/authorization/⟩ section in the
893 Docker extend section of this documentation.
894
898 Sept 2015, Originally compiled by Shishir Mahajan
899 ⟨shishir.mahajan@redhat.com⟩ based on docker.com source material and
900 internal work.
901Shishir Mahajan Docker User Manuals DOCKER(8)