DOCKER(8)(Docker)                                            DOCKER(8)(Docker)

Shishir Mahajan SEPTEMBER 2015

NAME

       dockerd - Enable daemon mode

SYNOPSIS

       dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
       [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
       [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
       [--cluster-store[=[]]] [--cluster-advertise[=[]]]
       [--cluster-store-opt[=map[]]] [--config-file[=/etc/docker/daemon.json]]
       [--containerd[=SOCKET-PATH]] [--data-root[=/var/lib/docker]]
       [-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]]
       [--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
       [--default-address-pool[=DEFAULT-ADDRESS-POOL]]
       [--default-runtime[=runc]] [--default-ipc-mode=MODE]
       [--default-shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]]
       [--dns-opt[=[]]] [--dns-search[=[]]] [--exec-opt[=[]]]
       [--exec-root[=/var/run/docker]] [--experimental[=false]]
       [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
       [-G|--group[=docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
       [--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
       [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
       [--iptables[=true]] [--ipv6] [--isolation[=default]]
       [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
       [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
       [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
       [--node-generic-resources[=[]]] [-p|--pidfile[=/var/run/docker.pid]]
       [--raw-logs] [--registry-mirror[=[]]]
       [-s|--storage-driver[=STORAGE-DRIVER]]
       [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
       [--shutdown-timeout[=15]] [--storage-opt[=[]]]
       [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
       [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
       [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
       [--userland-proxy-path[=""]] [--userns-remap[=default]]

DESCRIPTION

       dockerd starts the Docker daemon, the server process that manages
       images, containers, etc.

       To run the Docker daemon, invoke dockerd. You can list the daemon
       options with dockerd --help. Specify daemon options after the dockerd
       keyword, in the following format:

       dockerd [OPTIONS]

OPTIONS

       --add-runtime=[]
         Runtimes can be registered with the daemon either via the
         configuration file or using the --add-runtime command line argument.

         The following is an example adding 2 runtimes via the configuration:

              {
                   "default-runtime": "runc",
                   "runtimes": {
                        "runc": {
                             "path": "runc"
                        },
                        "custom": {
                             "path": "/usr/local/bin/my-runc-replacement",
                             "runtimeArgs": [
                                  "--debug"
                             ]
                        }
                   }
              }

         This is the same example via the command line:

              $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

         Note: defining runtime arguments via the command line is not
         supported.

       --allow-nondistributable-artifacts=[]
         Push nondistributable artifacts to the specified registries.

         List can contain elements with CIDR notation to specify a whole
         subnet.

         This option is useful when pushing images containing nondistributable
         artifacts to a registry on an air-gapped network so hosts on that
         network can pull the images without connecting to another server.

         Warning: Nondistributable artifacts typically have restrictions on
         how and where they can be distributed and shared. Only use this
         feature to push artifacts to private registries and ensure that you
         are in compliance with any terms that cover redistributing
         nondistributable artifacts.

       --api-cors-header=""
         Set CORS headers in the Engine API. CORS is disabled by default. Give
         URLs like "http://foo, http://bar, ...". Give "*" to allow all.

       --authorization-plugin=""
         Set authorization plugins to load.

       -b, --bridge=""
         Attach containers to a pre-existing network bridge; use 'none' to
         disable container networking.

       --bip=""
         Use the provided CIDR notation address for the dynamically created
         bridge (docker0); mutually exclusive with -b.

       --cgroup-parent=""
         Set parent cgroup for all containers. Default is "/docker" for fs
         cgroup driver and "system.slice" for systemd cgroup driver.

       --cluster-store=""
         URL of the distributed storage backend.

       --cluster-advertise=""
         Specifies the 'host:port' or interface:port combination that this
         particular daemon instance should use when advertising itself to the
         cluster. The daemon is reached through this value.

       --cluster-store-opt=""
         Specifies options for the Key/Value store.

       --config-file="/etc/docker/daemon.json"
         Specifies the JSON file path to load the configuration from.

       --containerd=""
         Path to containerd socket.

       --data-root=""
         Path to the directory used to store persisted Docker data such as
         configuration for resources, swarm cluster state, and filesystem data
         for images, containers, and local volumes. Default is
         /var/lib/docker.

       -D, --debug=true|false
         Enable debug mode. Default is false.

       --default-gateway=""
         IPv4 address of the container default gateway; this address must be
         part of the bridge subnet (which is defined by -b or --bip).

       --default-gateway-v6=""
         IPv6 address of the container default gateway.

       --default-address-pool=""
         Default address pool from which IPAM driver selects a subnet for the
         networks. Example: base=172.30.0.0/16,size=24 will set the default
         address pools for the selected scope networks to
         {172.30.[0-255].0/24}.

       --default-runtime="runc"
         Set the default runtime if more than one is specified by
         --add-runtime.

       --default-ipc-mode="private|shareable"
         Set the default IPC mode for newly created containers. The argument
         can either be private or shareable.

       --default-shm-size=64MiB
         Set the daemon-wide default shm size for containers. Default is
         64MiB.

       --default-ulimit=[]
         Default ulimits for containers.

       --dns=""
         Force Docker to use specific DNS servers.

       --dns-opt=""
         DNS options to use.

       --dns-search=[]
         DNS search domains to use.

       --exec-opt=[]
         Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

       --exec-root=""
         Path to use as the root of the Docker execution state files. Default
         is /var/run/docker.

       --experimental=""
         Enable the daemon experimental features.

       --fixed-cidr=""
         IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
         nested in the bridge subnet (which is defined by -b or --bip).

       --fixed-cidr-v6=""
         IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

       -G, --group=""
         Group to assign the unix socket specified by -H when running in
         daemon mode. Use '' (the empty string) to disable setting of a group.
         Default is docker.

       -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
       unix://[/path/to/socket] to use.
         The socket(s) to bind to in daemon mode specified using one or more
         tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

       --help
         Print usage statement.

       --icc=true|false
         Allow unrestricted inter-container and Docker daemon host
         communication. If disabled, containers can still be linked together
         using the --link option (see docker-run(1)). Default is true.

       --init
         Run an init process inside containers for signal forwarding and
         process reaping.

       --init-path
         Path to the docker-init binary.

       --insecure-registry=[]
         Enable insecure registry communication, i.e., enable un-encrypted
         and/or untrusted communication.

         List of insecure registries can contain an element with CIDR notation
         to specify a whole subnet. Insecure registries accept HTTP and/or
         accept HTTPS with certificates from unknown CAs.

         Enabling --insecure-registry is useful when running a local registry.
         However, because its use creates security vulnerabilities it should
         ONLY be enabled for testing purposes. For increased security, users
         should add their CA to their system's list of trusted CAs instead of
         using --insecure-registry.

       --ip=""
         Default IP address to use when binding container ports. Default is
         0.0.0.0.

       --ip-forward=true|false
         Enables IP forwarding on the Docker host. The default is true. This
         flag interacts with the IP forwarding setting on your host system's
         kernel. If your system has IP forwarding disabled, this setting
         enables it. If your system has IP forwarding enabled, setting this
         flag to --ip-forward=false has no effect.

         This setting will also enable IPv6 forwarding if you have both
         --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
         Router Advertisements and interfere with the host's existing IPv6
         configuration. For more information, please consult the documentation
         about "Advanced Networking - IPv6".

       --ip-masq=true|false
         Enable IP masquerading for bridge's IP range. Default is true.

       --iptables=true|false
         Enable Docker's addition of iptables rules. Default is true.

       --ipv6=true|false
         Enable IPv6 support. Default is false. Docker will create an
         IPv6-enabled bridge with address fe80::1 which will allow you to
         create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
         provide globally routable IPv6 addresses. IPv6 forwarding will be
         enabled if not used with --ip-forward=false. This may collide with
         your host's current IPv6 settings. For more information please
         consult the documentation about "Advanced Networking - IPv6".

       --isolation="default"
         Isolation specifies the type of isolation technology used by
         containers. Note that the default on Windows server is process, and
         the default on Windows client is hyperv. Linux only supports default.

       -l, --log-level="debug|info|warn|error|fatal"
         Set the logging level. Default is info.

       --label="[]"
         Set key=value labels to the daemon (displayed in docker info).

       --live-restore=false
         Enable live restore of running containers when the daemon starts so
         that they are not restarted. This option is applicable only for
         docker daemon running on Linux host.

       --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
         Default driver for container logs. Default is json-file.
         Warning: docker logs command works only for json-file logging driver.

       --log-opt=[]
         Logging driver specific options.

       --mtu=0
         Set the containers' network MTU. Default is 0.

       --max-concurrent-downloads=3
         Set the max concurrent downloads for each pull. Default is 3.

       --max-concurrent-uploads=5
         Set the max concurrent uploads for each push. Default is 5.

       --node-generic-resources=[]
         Advertise user-defined resource. Default is [].
         Use this if your swarm cluster has some nodes with custom
         resources (e.g., NVIDIA GPU, SSD, ...) and you need your services to
         land on nodes advertising these resources.
         Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
         --node-generic-resources "NVIDIA-GPU=UUID2"

       -p, --pidfile=""
         Path to use for daemon PID file. Default is /var/run/docker.pid.

       --raw-logs
         Output daemon logs in full timestamp format without ANSI coloring. If
         this flag is not set, the daemon outputs condensed, colorized logs if
         a terminal is detected, or full ("raw") output otherwise.

       --registry-mirror=://
         Prepend a registry mirror to be used for image pulls. May be
         specified multiple times.

       -s, --storage-driver=""
         Force the Docker runtime to use a specific storage driver.

       --seccomp-profile=""
         Path to seccomp profile.

       --selinux-enabled=true|false
         Enable selinux support. Default is false.

       --shutdown-timeout=15
         Set the shutdown timeout value in seconds. Default is 15.

       --storage-opt=[]
         Set storage driver options. See STORAGE DRIVER OPTIONS.

       --swarm-default-advertise-addr=IP|INTERFACE
         Set default address or interface for swarm to advertise as its
         externally-reachable address to other cluster members. This can be a
         hostname, an IP address, or an interface such as eth0. A port cannot
         be specified with this option.

       --tls=true|false
         Use TLS; implied by --tlsverify. Default is false.

       --tlscacert=~/.docker/ca.pem
         Trust certs signed only by this CA.

       --tlscert=~/.docker/cert.pem
         Path to TLS certificate file.

       --tlskey=~/.docker/key.pem
         Path to TLS key file.

       --tlsverify=true|false
         Use TLS and verify the remote (daemon: verify client, client: verify
         daemon). Default is false.

       --userland-proxy=true|false
         Rely on a userland proxy implementation for inter-container and
         outside-to-container loopback communications. Default is true.

       --userland-proxy-path=""
         Path to the userland proxy binary.

       --userns-remap=default|uid:gid|user:group|user|uid
         Enable user namespaces for containers on the daemon. Specifying
         "default" will cause a new user and group to be created to handle UID
         and GID range remapping for the user namespace mappings used for
         contained processes. Specifying a user (or uid) and optionally a
         group (or gid) will cause the daemon to look up the user and group's
         subordinate ID ranges for use as the user namespace mappings for
         contained processes.
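       Several of the options above change the daemon's exposure (-H with a
       tcp:// address, --tlsverify, --insecure-registry, --api-cors-header,
       --icc, --userns-remap). The audit below is an added example, not part
       of this manual or of Docker's code: the two configurations are
       constructed, the function names and severity labels are this example's
       own, and it assumes the daemon.json spellings of the flags (hosts,
       tlsverify, insecure-registries, api-cors-header, icc, userns-remap).

```python
import ipaddress
import json

# Constructed sample configurations (not taken from any real host).
SAMPLE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "insecure-registries": ["registry.test.example:5000", "10.20.0.0/16"],
  "api-cors-header": "*",
  "userns-remap": "default"
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "userns-remap": "default"
}
"""


def _cidr_size(entry):
    """Number of addresses if entry is CIDR notation, otherwise None."""
    if "/" not in entry:
        return None
    try:
        return ipaddress.ip_network(entry, strict=False).num_addresses
    except ValueError:
        return None


def audit_daemon_config(cfg):
    """Return (severity, key, message) findings for a parsed daemon.json."""
    findings = []

    # A tcp:// host puts the Engine API on the network; only tlsverify makes
    # the daemon verify the client, plain tls does not.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        mode = "tls without tlsverify" if cfg.get("tls", False) else "no TLS"
        findings.append(("high", "hosts",
                         f"{', '.join(tcp_hosts)} bound with {mode}: "
                         "clients are not verified"))

    # Insecure registries accept HTTP or certificates from unknown CAs;
    # a CIDR entry extends that to every address in the subnet.
    for entry in cfg.get("insecure-registries", []):
        size = _cidr_size(entry)
        if size is None:
            findings.append(("medium", "insecure-registries",
                             f"{entry}: testing only, add the CA to the "
                             "system trust store instead"))
        else:
            findings.append(("high", "insecure-registries",
                             f"{entry} covers {size} addresses"))

    # "*" allows all origins to call the Engine API from a browser.
    if cfg.get("api-cors-header", "").strip() == "*":
        findings.append(("high", "api-cors-header", "allows all origins"))

    # icc defaults to true: unrestricted inter-container communication.
    if cfg.get("icc", True):
        findings.append(("info", "icc",
                         "inter-container communication is unrestricted"))

    # Without userns-remap no UID/GID range remapping is applied.
    if not cfg.get("userns-remap"):
        findings.append(("info", "userns-remap",
                         "user namespaces are not enabled"))

    return findings


def audit_daemon_json(text):
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    for severity, key, message in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print(f"[{severity}] {key}: {message}")
```
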

STORAGE DRIVER OPTIONS

       Docker uses storage backends (known as "graphdrivers" in the Docker
       internals) to create writable containers from images. Many of these
       backends use operating system level technologies and can be configured.

       Specify options to the storage backend with --storage-opt flags. The
       backends that currently take options are devicemapper, zfs and btrfs.
       Options for devicemapper are prefixed with dm, options for zfs start
       with zfs and options for btrfs start with btrfs.

       Specifically for devicemapper, the default is a "loopback" model which
       requires no pre-configuration, but is extremely inefficient. Do not
       use it in production.

       To make the best use of Docker with the devicemapper backend, you must
       have a recent version of LVM. Use lvm to create a thin pool; for more
       information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
       tell the Docker engine to use that pool for allocating images and
       container snapshots.

Devicemapper options

   dm.thinpooldev
       Specifies a custom block storage device to use for the thin pool.

       If using a block device for device mapper storage, it is best to use
       lvm to create and manage the thin-pool volume. This volume is then
       handed to Docker to exclusively create snapshot volumes needed for
       images and containers.

       Managing the thin-pool outside of Engine makes for the most
       feature-rich method of having Docker utilize device mapper thin
       provisioning as the backing storage for Docker containers. The
       highlights of the lvm-based thin-pool management feature include:
       automatic or interactive thin-pool resize support, dynamically changing
       thin-pool features, automatic thinp metadata checking when lvm
       activates the thin-pool, etc.

       As a fallback if no thin pool is provided, loopback files are created.
       Loopback is very slow, but can be used without any pre-configuration of
       storage. It is strongly recommended that you do not use loopback in
       production. Ensure your Engine daemon has a --storage-opt
       dm.thinpooldev argument provided.

       Example use:

       $ dockerd \
                --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

   dm.directlvm_device
       As an alternative to manually creating a thin pool as above, Docker can
       automatically configure a block device for you.

       Example use:

       $ dockerd \
                --storage-opt dm.directlvm_device=/dev/xvdf

   dm.thinp_percent
       Sets the percentage of the passed in block device to use for storage.

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_percent=95

   dm.thinp_metapercent
       Sets the percentage of the passed in block device to use for metadata
       storage.

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_metapercent=1

   dm.thinp_autoextend_threshold
       Sets the value of the percentage of space used before lvm attempts to
       autoextend the available space [100 = disabled]

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_autoextend_threshold=80

   dm.thinp_autoextend_percent
       Sets the percentage by which to increase the thin pool when lvm
       attempts to autoextend the available space [100 = disabled]

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_autoextend_percent=20

   dm.basesize
       Specifies the size to use when creating the base device, which limits
       the size of images and containers. The default value is 10G. Note, thin
       devices are inherently "sparse", so a 10G device which is mostly empty
       doesn't use 10 GB of space on the pool. However, the filesystem will
       use more space for base images the larger the device is.

       The base device size can be increased at daemon restart, which will
       allow all future images and containers (based on those new images) to
       be of the new base device size.

       Example use: dockerd --storage-opt dm.basesize=50G

       This will increase the base device size to 50G. The Docker daemon will
       throw an error if the existing base device size is larger than 50G. A
       user can use this option to expand the base device size; however,
       shrinking is not permitted.

       This value affects the system-wide "base" empty filesystem that may
       already be initialized and inherited by pulled images. Typically, a
       change to this value requires additional steps to take effect:

                  $ sudo service docker stop
                  $ sudo rm -rf /var/lib/docker
                  $ sudo service docker start

       Example use: dockerd --storage-opt dm.basesize=20G

   dm.fs
       Specifies the filesystem type to use for the base device. The supported
       options are ext4 and xfs. The default is ext4.

       Example use: dockerd --storage-opt dm.fs=xfs

   dm.mkfsarg
       Specifies extra mkfs arguments to be used when creating the base
       device.

       Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

   dm.mountopt
       Specifies extra mount options used when mounting the thin devices.

       Example use: dockerd --storage-opt dm.mountopt=nodiscard

   dm.use_deferred_removal
       Enables use of deferred device removal if libdm and the kernel driver
       support the mechanism.

       Deferred device removal means that if a device is busy when devices are
       being removed/deactivated, then a deferred removal is scheduled on the
       device. The device then goes away automatically when its last user
       exits.

       For example, when a container exits, its associated thin device is
       removed. If that device has leaked into some other mount namespace and
       can't be removed, the container exit still succeeds and this option
       causes the system to schedule the device for deferred removal. It does
       not wait in a loop trying to remove a busy device.

       Example use: dockerd --storage-opt dm.use_deferred_removal=true

   dm.use_deferred_deletion
       Enables use of deferred device deletion for thin pool devices. By
       default, thin pool device deletion is synchronous. Before a container
       is deleted, the Docker daemon removes any associated devices. If the
       storage driver cannot remove a device, the container deletion fails
       and the daemon returns:

       Error deleting container: Error response from daemon: Cannot destroy container

       To avoid this failure, enable both deferred device deletion and
       deferred device removal on the daemon.

       dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

       With these two options enabled, if a device is busy when the driver is
       deleting a container, the driver marks the device as deleted. Later,
       when the device isn't in use, the driver deletes it.

       In general it should be safe to enable this option by default. It will
       help when unintentional leaking of mount points happens across multiple
       mount namespaces.

   dm.loopdatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "data" device which is used for the thin pool. The default size is
       100G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopdatasize=200G

   dm.loopmetadatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "metadata" device which is used for the thin pool. The default size is
       2G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopmetadatasize=4G

   dm.datadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for data for a Docker-managed
       thin pool. It is better to use dm.thinpooldev - see the documentation
       for it above for discussion of the advantages.

   dm.metadatadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for metadata for a Docker-managed
       thin pool. See dm.datadev for why this is deprecated.

   dm.blocksize
       Specifies a custom blocksize to use for the thin pool. The default
       blocksize is 64K.

       Example use: dockerd --storage-opt dm.blocksize=512K

   dm.blkdiscard
       Enables or disables the use of blkdiscard when removing devicemapper
       devices. This is disabled by default due to the additional latency,
       but as a special case with loopback devices it will be enabled, in
       order to re-sparsify the loopback file on image/container removal.

       Disabling this on loopback can lead to much faster container removal
       times, but it also prevents the space used in /var/lib/docker directory
       from being returned to the system for other use when containers are
       removed.

       Example use: dockerd --storage-opt dm.blkdiscard=false

   dm.override_udev_sync_check
       By default, the devicemapper backend attempts to synchronize with the
       udev device manager for the Linux kernel. This option allows disabling
       that synchronization, to continue even though the configuration may be
       buggy.

       To view the udev sync support of a Docker daemon that is using the
       devicemapper driver, run:

                  $ docker info
                  [...]
                   Udev Sync Supported: true
                  [...]

       When udev sync support is true, then devicemapper and udev can
       coordinate the activation and deactivation of devices for containers.

       When udev sync support is false, a race condition occurs between the
       devicemapper and udev during create and cleanup. The race condition
       results in errors and failures. (For information on these failures, see
       docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

       To allow the docker daemon to start, regardless of whether udev sync is
       false, set dm.override_udev_sync_check to true:

                  $ dockerd --storage-opt dm.override_udev_sync_check=true

       When this value is true, the driver continues and simply warns you that
       the errors are happening.

       Note: The ideal is to pursue a docker daemon and environment that does
       support synchronizing with udev. For further discussion on this topic,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
       Otherwise, set this flag for migrating existing Docker daemons to a
       daemon with a supported environment.

   dm.min_free_space
       Specifies the min free space percent in a thin pool required for new
       device creation to succeed. This check applies to both free data space
       as well as free metadata space. Valid values are from 0% - 99%. Value
       0% disables free space checking logic. If user does not specify a value
       for this option, the Engine uses a default value of 10%.

       Whenever a new thin pool device is created (during docker pull or
       during container creation), the Engine checks if the minimum free space
       is available. If the space is unavailable, then device creation fails
       and any relevant docker operation fails.

       To recover from this error, you must create more free space in the thin
       pool. You can create free space by deleting some images and containers
       from the thin pool. You can also add more storage to the thin pool.

       To add more space to an LVM (logical volume management) thin pool, just
       add more storage to the group container thin pool; this should
       automatically resolve any errors. If your configuration uses loop
       devices, then stop the Engine daemon, grow the size of loop files and
       restart the daemon to resolve the issue.

       Example use: dockerd --storage-opt dm.min_free_space=10%

   dm.xfs_nospace_max_retries
       Specifies the maximum number of retries XFS should attempt to complete
       IO when ENOSPC (no space) error is returned by underlying storage
       device.

       By default XFS retries infinitely for IO to finish and this can result
       in an unkillable process. To change this behavior one can set
       xfs_nospace_max_retries to say 0 and XFS will not retry IO after
       getting ENOSPC and will shut down the filesystem.

       Example use:

              $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

   dm.libdm_log_level
       Specifies the maximum libdm log level that will be forwarded to the
       dockerd log (as specified by --log-level). This option is primarily
       intended for debugging problems involving libdm. Using values other
       than the defaults may cause false-positive warnings to be logged.

       Values specified must fall within the range of valid libdm log levels.
       At the time of writing, the following is the list of libdm log levels
       as well as their corresponding levels when output by dockerd.

       ┌────────────┬───────┬─────────────┐
       │libdm Level │ Value │ --log-level │
       ├────────────┼───────┼─────────────┤
       │_LOG_FATAL  │ 2     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_ERR    │ 3     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_WARN   │ 4     │ warn        │
       ├────────────┼───────┼─────────────┤
       │_LOG_NOTICE │ 5     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_INFO   │ 6     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_DEBUG  │ 7     │ debug       │
       └────────────┴───────┴─────────────┘

       Example use:

              $ sudo dockerd \
                    --log-level debug \
                    --storage-opt dm.libdm_log_level=7

ZFS options

   zfs.fsname
       Sets the ZFS filesystem under which Docker will create its own
       datasets. By default, Docker picks up the ZFS filesystem where the
       Docker graph directory (/var/lib/docker) is located.

       Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

Btrfs options

   btrfs.min_space
       Specifies the minimum size to use when creating the subvolume which is
       used for containers. If a user sets a btrfs disk quota when creating
       or running a container with the --storage-opt size option, Docker
       should ensure the size cannot be smaller than btrfs.min_space.

       Example use: dockerd -s btrfs --storage-opt btrfs.min_space=10G

CLUSTER STORE OPTIONS

       The daemon uses libkv to advertise the node within the cluster. Some
       Key/Value backends support mutual TLS, and the client TLS settings used
       by the daemon can be configured using the --cluster-store-opt flag,
       specifying the paths to PEM encoded files.

   kv.cacertfile
       Specifies the path to a local file with PEM encoded CA certificates to
       trust.

   kv.certfile
       Specifies the path to a local file with a PEM encoded certificate.
       This certificate is used as the client cert for communication with the
       Key/Value store.

   kv.keyfile
       Specifies the path to a local file with a PEM encoded private key.
       This private key is used as the client key for communication with the
       Key/Value store.

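       A pre-flight check for the three kv.* files, added here as an example
       and not part of the Docker source: it refuses a private key that group
       or others can access and prints the matching --cluster-store-opt
       arguments. The function names and file names are hypothetical, the
       sample files are constructed placeholders, and stat -c assumes GNU or
       BusyBox stat.

```shell
#!/bin/sh
# Pre-flight check for the kv.* files before they are handed to dockerd.
# Prints the --cluster-store-opt arguments on success, returns 1 otherwise.

kv_tls_opts() {
    ca=$1 cert=$2 key=$3
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # CA bundle and client certificate must carry a PEM certificate header.
    for f in "$ca" "$cert"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "no PEM certificate in $f" >&2; return 1; }
    done
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
        { echo "no PEM private key in $key" >&2; return 1; }
    # The private key must not be accessible to group or others.
    mode=$(stat -c '%a' "$key") || return 1
    case $mode in
        0|*00) ;;
        *) echo "key file mode $mode is too permissive: $key" >&2; return 1 ;;
    esac
    opt=--cluster-store-opt
    printf '%s kv.cacertfile=%s %s kv.certfile=%s %s kv.keyfile=%s\n' \
        "$opt" "$ca" "$opt" "$cert" "$opt" "$key"
}

# Constructed placeholder files for a dry run: PEM headers only, no real
# certificate or key material. $1 is an existing scratch directory.
make_sample_kv_files() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$dir/ca.pem"
    cp "$dir/ca.pem" "$dir/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
        '-----END PRIVATE KEY-----' > "$dir/key.pem"
    chmod 644 "$dir/key.pem"   # deliberately too permissive
}
```

       The check covers readability, PEM type and key file mode only; it does
       not verify that the certificate and the key belong together.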

Access authorization

       Docker's access authorization can be extended by authorization plugins
       that your organization can purchase or build itself. You can install
       one or more authorization plugins when you start the Docker daemon
       using the --authorization-plugin=PLUGIN_ID option.

              dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

       The PLUGIN_ID value is either the plugin's name or a path to its
       specification file. The plugin's implementation determines whether you
       can specify a name or path. Consult with your Docker administrator to
       get information about the plugins available to you.

       Once a plugin is installed, requests made to the daemon through the
       command line or Docker's Engine API are allowed or denied by the
       plugin. If you have multiple plugins installed, each plugin, in order,
       must allow the request for it to complete.

       For information about how to create an authorization plugin, see the
       access authorization plugin
       ⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
       in the Docker extend section of this documentation.

RUNTIME EXECUTION OPTIONS

       You can configure the runtime using options specified with the
       --exec-opt flag. All the flag's options have the native prefix. A
       single native.cgroupdriver option is available.

       The native.cgroupdriver option specifies the management of the
       container's cgroups. You can only specify cgroupfs or systemd. If you
       specify systemd and it is not available, the system errors out. If you
       omit the native.cgroupdriver option, cgroupfs is used.

       This example sets the cgroupdriver to systemd:

              $ sudo dockerd --exec-opt native.cgroupdriver=systemd

       Setting this option applies to all containers the daemon launches.

HISTORY

       Sept 2015, Originally compiled by Shishir Mahajan
       shishir.mahajan@redhat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based on
       docker.com source material and internal work.

Manuals                              User                    DOCKER(8)(Docker)