DOCKER(8)(Docker)                                    DOCKER(8)(Docker)

Shishir Mahajan SEPTEMBER 2015

dockerd - Enable daemon mode

dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
[--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
[-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
[--cluster-store[=[]]] [--cluster-advertise[=[]]]
[--cluster-store-opt[=map[]]] [--config-file[=/etc/docker/daemon.json]]
[--containerd[=SOCKET-PATH]] [--data-root[=/var/lib/docker]]
[-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]]
[--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
[--default-address-pool[=DEFAULT-ADDRESS-POOL]]
[--default-runtime[=runc]] [--default-ipc-mode=MODE]
[--default-shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]]
[--dns-opt[=[]]] [--dns-search[=[]]] [--exec-opt[=[]]]
[--exec-root[=/var/run/docker]] [--experimental[=false]]
[--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
[-G|--group[=docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
[--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
[--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
[--iptables[=true]] [--ipv6] [--isolation[=default]]
[-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
[--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
[--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
[--node-generic-resources[=[]]] [-p|--pidfile[=/var/run/docker.pid]]
[--raw-logs] [--registry-mirror[=[]]]
[-s|--storage-driver[=STORAGE-DRIVER]]
[--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
[--shutdown-timeout[=15]] [--storage-opt[=[]]]
[--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
[--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
[--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
[--userland-proxy-path[=""]] [--userns-remap[=default]]

dockerd starts the Docker daemon, the server process that manages
images, containers, etc.

To run the Docker daemon, run dockerd. You can list the daemon options
with dockerd --help. Specify daemon options after the dockerd keyword
in the following format:

    dockerd [OPTIONS]

--add-runtime=[]
    Runtimes can be registered with the daemon either via the
    configuration file or using the --add-runtime command line argument.

    The following is an example adding 2 runtimes via the configuration:

        {
            "default-runtime": "runc",
            "runtimes": {
                "runc": {
                    "path": "runc"
                },
                "custom": {
                    "path": "/usr/local/bin/my-runc-replacement",
                    "runtimeArgs": [
                        "--debug"
                    ]
                }
            }
        }

    This is the same example via the command line:

        $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

    Note: defining runtime arguments via the command line is not
    supported.

--allow-nondistributable-artifacts=[]
    Push nondistributable artifacts to the specified registries.

    List can contain elements with CIDR notation to specify a whole
    subnet.

    This option is useful when pushing images containing
    nondistributable artifacts to a registry on an air-gapped network so
    hosts on that network can pull the images without connecting to
    another server.

    Warning: Nondistributable artifacts typically have restrictions on
    how and where they can be distributed and shared. Only use this
    feature to push artifacts to private registries and ensure that you
    are in compliance with any terms that cover redistributing
    nondistributable artifacts.

--api-cors-header=""
    Set CORS headers in the Engine API. Default is CORS disabled. Give
    URLs like "http://foo, http://bar, ...". Give "*" to allow all.

--authorization-plugin=""
    Set authorization plugins to load.

-b, --bridge=""
    Attach containers to a pre-existing network bridge; use 'none' to
    disable container networking.

--bip=""
    Use the provided CIDR notation address for the dynamically created
    bridge (docker0); mutually exclusive of -b.

--cgroup-parent=""
    Set parent cgroup for all containers. Default is "/docker" for fs
    cgroup driver and "system.slice" for systemd cgroup driver.

--cluster-store=""
    URL of the distributed storage backend.

--cluster-advertise=""
    Specifies the 'host:port' or interface:port combination that this
    particular daemon instance should use when advertising itself to the
    cluster. The daemon is reached through this value.

--cluster-store-opt=""
    Specifies options for the Key/Value store.

--config-file="/etc/docker/daemon.json"
    Specifies the JSON file path to load the configuration from.

--containerd=""
    Path to containerd socket.

--data-root=""
    Path to the directory used to store persisted Docker data such as
    configuration for resources, swarm cluster state, and filesystem
    data for images, containers, and local volumes. Default is
    /var/lib/docker.

-D, --debug=true|false
    Enable debug mode. Default is false.

--default-gateway=""
    IPv4 address of the container default gateway; this address must be
    part of the bridge subnet (which is defined by -b or --bip).

--default-gateway-v6=""
    IPv6 address of the container default gateway.

--default-address-pool=""
    Default address pool from which IPAM driver selects a subnet for the
    networks. Example: base=172.30.0.0/16,size=24 will set the default
    address pools for the selected scope networks to
    {172.30.[0-255].0/24}.

--default-runtime="runc"
    Set the default runtime if more than one is specified by
    --add-runtime.

--default-ipc-mode="private|shareable"
    Set the default IPC mode for newly created containers. The argument
    can either be private or shareable.

--default-shm-size=64MiB
    Set the daemon-wide default shm size for containers. Default is
    64MiB.

--default-ulimit=[]
    Default ulimits for containers.

--dns=""
    Force Docker to use specific DNS servers.

--dns-opt=""
    DNS options to use.

--dns-search=[]
    DNS search domains to use.

--exec-opt=[]
    Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

--exec-root=""
    Path to use as the root of the Docker execution state files.
    Default is /var/run/docker.

--experimental=""
    Enable the daemon experimental features.

--fixed-cidr=""
    IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
    nested in the bridge subnet (which is defined by -b or --bip).

--fixed-cidr-v6=""
    IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

-G, --group=""
    Group to assign the unix socket specified by -H when running in
    daemon mode. Use '' (the empty string) to disable setting of a
    group. Default is docker.

-H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
    The socket(s) to bind to in daemon mode specified using one or more
    tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

--help
    Print usage statement.

--icc=true|false
    Allow unrestricted inter-container and Docker daemon host
    communication. If disabled, containers can still be linked together
    using the --link option (see docker-run(1)). Default is true.

--init
    Run an init process inside containers for signal forwarding and
    process reaping.

--init-path
    Path to the docker-init binary.

--insecure-registry=[]
    Enable insecure registry communication, i.e., enable un-encrypted
    and/or untrusted communication.

    List of insecure registries can contain an element with CIDR
    notation to specify a whole subnet. Insecure registries accept HTTP
    and/or accept HTTPS with certificates from unknown CAs.

    Enabling --insecure-registry is useful when running a local
    registry. However, because its use creates security vulnerabilities
    it should ONLY be enabled for testing purposes. For increased
    security, users should add their CA to their system's list of
    trusted CAs instead of using --insecure-registry.

--ip=""
    Default IP address to use when binding container ports. Default is
    0.0.0.0.

--ip-forward=true|false
    Enables IP forwarding on the Docker host. The default is true. This
    flag interacts with the IP forwarding setting on your host system's
    kernel. If your system has IP forwarding disabled, this setting
    enables it. If your system has IP forwarding enabled, setting this
    flag to --ip-forward=false has no effect.

    This setting will also enable IPv6 forwarding if you have both
    --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
    Router Advertisements and interfere with the host's existing IPv6
    configuration. For more information, please consult the
    documentation about "Advanced Networking - IPv6".

--ip-masq=true|false
    Enable IP masquerading for bridge's IP range. Default is true.

--iptables=true|false
    Enable Docker's addition of iptables rules. Default is true.

--ipv6=true|false
    Enable IPv6 support. Default is false. Docker will create an
    IPv6-enabled bridge with address fe80::1 which will allow you to
    create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
    provide globally routable IPv6 addresses. IPv6 forwarding will be
    enabled if not used with --ip-forward=false. This may collide with
    your host's current IPv6 settings. For more information please
    consult the documentation about "Advanced Networking - IPv6".

--isolation="default"
    Isolation specifies the type of isolation technology used by
    containers. Note that the default on Windows server is process, and
    the default on Windows client is hyperv. Linux only supports
    default.

-l, --log-level="debug|info|warn|error|fatal"
    Set the logging level. Default is info.

--label="[]"
    Set key=value labels to the daemon (displayed in docker info).

--live-restore=false
    Enable live restore of running containers when the daemon starts so
    that they are not restarted. This option is applicable only for
    docker daemon running on Linux host.

--log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
    Default driver for container logs. Default is json-file.
    Warning: docker logs command works only for json-file logging
    driver.

--log-opt=[]
    Logging driver specific options.

--mtu=0
    Set the containers network mtu. Default is 0.

--max-concurrent-downloads=3
    Set the max concurrent downloads for each pull. Default is 3.

--max-concurrent-uploads=5
    Set the max concurrent uploads for each push. Default is 5.

--node-generic-resources=[]
    Advertise user-defined resource. Default is []. Use this if your
    swarm cluster has some nodes with custom resources (e.g: NVIDIA GPU,
    SSD, ...) and you need your services to land on nodes advertising
    these resources.
    Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
    --node-generic-resources "NVIDIA-GPU=UUID2"

--raw-logs
    Output daemon logs in full timestamp format without ANSI coloring.
    If this flag is not set, the daemon outputs condensed, colorized
    logs if a terminal is detected, or full ("raw") output otherwise.

--registry-mirror=<scheme>://<host>
    Prepend a registry mirror to be used for image pulls. May be
    specified multiple times.

-s, --storage-driver=""
    Force the Docker runtime to use a specific storage driver.

--seccomp-profile=""
    Path to seccomp profile.

--selinux-enabled=true|false
    Enable selinux support. Default is false.

--shutdown-timeout=15
    Set the shutdown timeout value in seconds. Default is 15.

--storage-opt=[]
    Set storage driver options. See STORAGE DRIVER OPTIONS.

--swarm-default-advertise-addr=IP|INTERFACE
    Set default address or interface for swarm to advertise as its
    externally-reachable address to other cluster members. This can be a
    hostname, an IP address, or an interface such as eth0. A port cannot
    be specified with this option.

--tls=true|false
    Use TLS; implied by --tlsverify. Default is false.

--tlscacert=~/.docker/ca.pem
    Trust certs signed only by this CA.

--tlscert=~/.docker/cert.pem
    Path to TLS certificate file.

--tlskey=~/.docker/key.pem
    Path to TLS key file.

--tlsverify=true|false
    Use TLS and verify the remote (daemon: verify client, client: verify
    daemon). Default is false.
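
Added example (not part of the original manual page): a Python check that reads a daemon.json and flags the permissive settings described above: a tcp:// entry in hosts without tlsverify, any insecure-registries entry (CIDR entries are sized), an api-cors-header of "*", and icc left at its default of true. Both configurations are constructed samples; the daemon.json keys used (hosts, tls, tlsverify, insecure-registries, api-cors-header, icc) are the configuration-file counterparts of the flags above, and the certificate paths are placeholders.

```python
import ipaddress
import json

# Constructed sample: a permissive daemon.json (not from the manual page).
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["registry.example.internal:5000", "10.0.0.0/8"],
  "api-cors-header": "*"
}
"""

# Constructed sample: the same daemon with the findings addressed.
# Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/tls/ca.pem",
  "tlscert": "/etc/docker/tls/server-cert.pem",
  "tlskey": "/etc/docker/tls/server-key.pem",
  "icc": false
}
"""


def audit_daemon_config(text):
    """Return a list of (finding_id, detail) tuples for a daemon.json document."""
    cfg = json.loads(text)
    findings = []

    # -H/--host: a TCP listener is only authenticated when --tlsverify is on.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        if cfg.get("tls", False):
            # --tls alone encrypts, but the daemon does not verify clients.
            findings.append(("tcp-tls-no-client-verify", ", ".join(tcp_hosts)))
        else:
            findings.append(("tcp-plaintext", ", ".join(tcp_hosts)))

    # --insecure-registry: each entry allows HTTP or unverified HTTPS;
    # a CIDR entry extends that to every address in the subnet.
    for entry in cfg.get("insecure-registries", []):
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(("insecure-registry", entry))
            else:
                detail = f"{entry} ({net.num_addresses} addresses)"
                findings.append(("insecure-registry-subnet", detail))
        else:
            findings.append(("insecure-registry", entry))

    # --api-cors-header: "*" allows every origin.
    if str(cfg.get("api-cors-header", "")).strip() == "*":
        findings.append(("cors-wildcard", "api-cors-header allows all origins"))

    # --icc: the default (true) allows unrestricted inter-container traffic.
    if cfg.get("icc", True):
        findings.append(("icc-enabled", "inter-container communication unrestricted"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name)
        for finding_id, detail in audit_daemon_config(text) or [("ok", "no findings")]:
            print(f"  {finding_id}: {detail}")
```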

--userland-proxy=true|false
    Rely on a userland proxy implementation for inter-container and
    outside-to-container loopback communications. Default is true.

--userland-proxy-path=""
    Path to the userland proxy binary.

--userns-remap=default|uid:gid|user:group|user|uid
    Enable user namespaces for containers on the daemon. Specifying
    "default" will cause a new user and group to be created to handle
    UID and GID range remapping for the user namespace mappings used for
    contained processes. Specifying a user (or uid) and optionally a
    group (or gid) will cause the daemon to look up the user and group's
    subordinate ID ranges for use as the user namespace mappings for
    contained processes.
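
Added example (not from the original manual page or the Docker source): how subordinate ID ranges in the /etc/subuid format (name:start:count) turn into the container-to-host UID mapping that --userns-remap relies on, plus a check for ranges shared between two users. The file content and user names are constructed, and concatenating several ranges of one user in ascending start order is an assumption of this example.

```python
# Constructed /etc/subuid content (format: name:start:count), not from a real host.
SAMPLE_SUBUID = """\
# comment lines and blank lines are ignored
dockremap:165536:65536
alice:100000:65536
alice:300000:1000
"""


def parse_subid(text):
    """Parse subuid/subgid text into {name: [(start, count), ...]}."""
    ranges = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range {start}:{count}")
        ranges.setdefault(name, []).append((start, count))
    return ranges


def build_id_map(user_ranges):
    """Build [(container_id, host_id, size), ...] from one user's ranges.

    Assumption: ranges are laid out back to back inside the container,
    in ascending order of their host start ID.
    """
    id_map, next_container_id = [], 0
    for start, count in sorted(user_ranges):
        id_map.append((next_container_id, start, count))
        next_container_id += count
    return id_map


def to_host_id(id_map, container_id):
    """Translate an ID seen inside the container to the host ID, or None."""
    for c_start, h_start, size in id_map:
        if c_start <= container_id < c_start + size:
            return h_start + (container_id - c_start)
    return None  # ID has no mapping in this user namespace


def find_overlaps(ranges_by_name):
    """Return sorted pairs of names whose host ID ranges overlap.

    Overlap means processes remapped to different users could share a
    host UID, which defeats the separation the remapping is meant to give.
    """
    flat = [(s, s + c, n) for n, rs in ranges_by_name.items() for s, c in rs]
    hits = set()
    for i, (s1, e1, n1) in enumerate(flat):
        for s2, e2, n2 in flat[i + 1:]:
            if n1 != n2 and s1 < e2 and s2 < e1:
                hits.add(tuple(sorted((n1, n2))))
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_subid(SAMPLE_SUBUID)
    remap = build_id_map(parsed["dockremap"])
    print("container root maps to host uid", to_host_id(remap, 0))
    print("overlapping users:", find_overlaps(parsed))
```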

STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be configured.

Specify options to the storage backend with --storage-opt flags. The
backends that currently take options are devicemapper, zfs and btrfs.
Options for devicemapper are prefixed with dm, options for zfs start
with zfs and options for btrfs start with btrfs.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use lvm to create a thin pool; for more
information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
tell the Docker engine to use that pool for allocating images and
container snapshots.

dm.thinpooldev
    Specifies a custom block storage device to use for the thin pool.

    If using a block device for device mapper storage, it is best to use
    lvm to create and manage the thin-pool volume. This volume is then
    handed to Docker to exclusively create snapshot volumes needed for
    images and containers.

    Managing the thin-pool outside of Engine makes for the most
    feature-rich method of having Docker utilize device mapper thin
    provisioning as the backing storage for Docker containers. The
    highlights of the lvm-based thin-pool management feature include:
    automatic or interactive thin-pool resize support, dynamically
    changing thin-pool features, automatic thinp metadata checking when
    lvm activates the thin-pool, etc.

    As a fallback if no thin pool is provided, loopback files are
    created. Loopback is very slow, but can be used without any
    pre-configuration of storage. It is strongly recommended that you do
    not use loopback in production. Ensure your Engine daemon has a
    --storage-opt dm.thinpooldev argument provided.

    Example use:

        $ dockerd \
              --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

dm.directlvm_device
    As an alternative to manually creating a thin pool as above, Docker
    can automatically configure a block device for you.

    Example use:

        $ dockerd \
              --storage-opt dm.directlvm_device=/dev/xvdf

dm.thinp_percent
    Sets the percentage of the passed-in block device to use for
    storage.

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_percent=95

dm.thinp_metapercent
    Sets the percentage of the passed-in block device to use for
    metadata storage.

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_metapercent=1

dm.thinp_autoextend_threshold
    Sets the percentage of space used before lvm attempts to autoextend
    the available space [100 = disabled].

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_autoextend_threshold=80

dm.thinp_autoextend_percent
    Sets the percentage by which to increase the thin pool when lvm
    attempts to autoextend the available space [100 = disabled].

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_autoextend_percent=20

dm.basesize
    Specifies the size to use when creating the base device, which
    limits the size of images and containers. The default value is 10G.
    Note, thin devices are inherently "sparse", so a 10G device which is
    mostly empty doesn't use 10 GB of space on the pool. However, the
    filesystem will use more space for base images the larger the device
    is.

    The base device size can be increased at daemon restart which will
    allow all future images and containers (based on those new images)
    to be of the new base device size.

    Example use: dockerd --storage-opt dm.basesize=50G

    This will increase the base device size to 50G. The Docker daemon
    will throw an error if the existing base device size is larger than
    50G. A user can use this option to expand the base device size;
    however, shrinking is not permitted.

    This value affects the system-wide "base" empty filesystem that may
    already be initialized and inherited by pulled images. Typically, a
    change to this value requires additional steps to take effect. Note
    that removing /var/lib/docker deletes the images, containers, and
    local volumes stored there:

        $ sudo service docker stop
        $ sudo rm -rf /var/lib/docker
        $ sudo service docker start

    Example use: dockerd --storage-opt dm.basesize=20G

dm.fs
    Specifies the filesystem type to use for the base device. The
    supported options are ext4 and xfs. The default is ext4.

    Example use: dockerd --storage-opt dm.fs=xfs

dm.mkfsarg
    Specifies extra mkfs arguments to be used when creating the base
    device.

    Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

dm.mountopt
    Specifies extra mount options used when mounting the thin devices.

    Example use: dockerd --storage-opt dm.mountopt=nodiscard

dm.use_deferred_removal
    Enables use of deferred device removal if libdm and the kernel
    driver support the mechanism.

    Deferred device removal means that if a device is busy when devices
    are being removed/deactivated, then a deferred removal is scheduled
    on the device. The device automatically goes away when its last user
    exits.

    For example, when a container exits, its associated thin device is
    removed. If that device has leaked into some other mount namespace
    and can't be removed, the container exit still succeeds and this
    option causes the system to schedule the device for deferred
    removal. It does not wait in a loop trying to remove a busy device.

    Example use: dockerd --storage-opt dm.use_deferred_removal=true

dm.use_deferred_deletion
    Enables use of deferred device deletion for thin pool devices. By
    default, thin pool device deletion is synchronous. Before a
    container is deleted, the Docker daemon removes any associated
    devices. If the storage driver cannot remove a device, the container
    deletion fails and the daemon returns:

        Error deleting container: Error response from daemon: Cannot destroy container

    To avoid this failure, enable both deferred device deletion and
    deferred device removal on the daemon.

        dockerd --storage-opt dm.use_deferred_deletion=true \
                --storage-opt dm.use_deferred_removal=true

    With these two options enabled, if a device is busy when the driver
    is deleting a container, the driver marks the device as deleted.
    Later, when the device isn't in use, the driver deletes it.

    In general it should be safe to enable this option by default. It
    will help when a mount point unintentionally leaks across multiple
    mount namespaces.

dm.loopdatasize
    Note: This option configures devicemapper loopback, which should not
    be used in production.

    Specifies the size to use when creating the loopback file for the
    "data" device which is used for the thin pool. The default size is
    100G. The file is sparse, so it will not initially take up this much
    space.

    Example use: dockerd --storage-opt dm.loopdatasize=200G

dm.loopmetadatasize
    Note: This option configures devicemapper loopback, which should not
    be used in production.

    Specifies the size to use when creating the loopback file for the
    "metadata" device which is used for the thin pool. The default size
    is 2G. The file is sparse, so it will not initially take up this
    much space.

    Example use: dockerd --storage-opt dm.loopmetadatasize=4G

dm.datadev
    (Deprecated, use dm.thinpooldev)

    Specifies a custom blockdevice to use for data for a Docker-managed
    thin pool. It is better to use dm.thinpooldev - see the
    documentation for it above for discussion of the advantages.

dm.metadatadev
    (Deprecated, use dm.thinpooldev)

    Specifies a custom blockdevice to use for metadata for a
    Docker-managed thin pool. See dm.datadev for why this is deprecated.

dm.blocksize
    Specifies a custom blocksize to use for the thin pool. The default
    blocksize is 64K.

    Example use: dockerd --storage-opt dm.blocksize=512K

dm.blkdiscard
    Enables or disables the use of blkdiscard when removing devicemapper
    devices. This is disabled by default due to the additional latency,
    but as a special case with loopback devices it will be enabled, in
    order to re-sparsify the loopback file on image/container removal.

    Disabling this on loopback can lead to much faster container removal
    times, but it also prevents the space used in the /var/lib/docker
    directory from being returned to the system for other use when
    containers are removed.

    Example use: dockerd --storage-opt dm.blkdiscard=false

dm.override_udev_sync_check
    By default, the devicemapper backend attempts to synchronize with
    the udev device manager for the Linux kernel. This option allows
    disabling that synchronization, to continue even though the
    configuration may be buggy.

    To view the udev sync support of a Docker daemon that is using the
    devicemapper driver, run:

        $ docker info
        [...]
        Udev Sync Supported: true
        [...]

    When udev sync support is true, then devicemapper and udev can
    coordinate the activation and deactivation of devices for
    containers.

    When udev sync support is false, a race condition occurs between
    devicemapper and udev during create and cleanup. The race condition
    results in errors and failures. (For information on these failures,
    see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

    To allow the docker daemon to start, regardless of whether udev sync
    is false, set dm.override_udev_sync_check to true:

        $ dockerd --storage-opt dm.override_udev_sync_check=true

    When this value is true, the driver continues and simply warns you
    that the errors are happening.

    Note: The ideal is to pursue a docker daemon and environment that
    does support synchronizing with udev. For further discussion on this
    topic, see docker#4036
    ⟨https://github.com/docker/docker/issues/4036⟩. Otherwise, set this
    flag for migrating existing Docker daemons to a daemon with a
    supported environment.

dm.min_free_space
    Specifies the minimum free space percentage in a thin pool required
    for new device creation to succeed. This check applies to both free
    data space and free metadata space. Valid values are from 0% - 99%.
    A value of 0% disables the free space checking logic. If the user
    does not specify a value for this option, the Engine uses a default
    value of 10%.

    Whenever a new thin pool device is created (during docker pull or
    during container creation), the Engine checks if the minimum free
    space is available. If the space is unavailable, then device
    creation fails and any relevant docker operation fails.

    To recover from this error, you must create more free space in the
    thin pool. You can create free space by deleting some images and
    containers from the thin pool. You can also add more storage to the
    thin pool.

    To add more space to an LVM (logical volume management) thin pool,
    just add more storage to the group container thin pool; this should
    automatically resolve any errors. If your configuration uses loop
    devices, then stop the Engine daemon, grow the size of loop files
    and restart the daemon to resolve the issue.

    Example use: dockerd --storage-opt dm.min_free_space=10%

dm.xfs_nospace_max_retries
    Specifies the maximum number of retries XFS should attempt to
    complete IO when an ENOSPC (no space) error is returned by the
    underlying storage device.

    By default XFS retries infinitely for IO to finish and this can
    result in an unkillable process. To change this behavior one can set
    xfs_nospace_max_retries to, say, 0 and XFS will not retry IO after
    getting ENOSPC and will shut down the filesystem.

    Example use:

        $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

dm.libdm_log_level
    Specifies the maximum libdm log level that will be forwarded to the
    dockerd log (as specified by --log-level). This option is primarily
    intended for debugging problems involving libdm. Using values other
    than the defaults may cause false-positive warnings to be logged.

    Values specified must fall within the range of valid libdm log
    levels. At the time of writing, the following is the list of libdm
    log levels as well as their corresponding levels when output by
    dockerd.

    ┌─────────────┬───────┬─────────────┐
    │ libdm Level │ Value │ --log-level │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_FATAL  │ 2     │ error       │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_ERR    │ 3     │ error       │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_WARN   │ 4     │ warn        │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_NOTICE │ 5     │ info        │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_INFO   │ 6     │ info        │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_DEBUG  │ 7     │ debug       │
    └─────────────┴───────┴─────────────┘

    Example use:

        $ sudo dockerd \
              --log-level debug \
              --storage-opt dm.libdm_log_level=7

zfs.fsname
    Set the zfs filesystem under which docker will create its own
    datasets. By default docker will pick up the zfs filesystem where
    the docker graph (/var/lib/docker) is located.

    Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

btrfs.min_space
    Specifies the minimum size to use when creating the subvolume which
    is used for containers. If the user uses disk quota for btrfs when
    creating or running a container with the --storage-opt size option,
    docker should ensure the size cannot be smaller than
    btrfs.min_space.

    Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G

The daemon uses libkv to advertise the node within the cluster. Some
Key/Value backends support mutual TLS, and the client TLS settings used
by the daemon can be configured using the --cluster-store-opt flag,
specifying the paths to PEM encoded files.

kv.cacertfile
    Specifies the path to a local file with PEM encoded CA certificates
    to trust.

kv.certfile
    Specifies the path to a local file with a PEM encoded certificate.
    This certificate is used as the client cert for communication with
    the Key/Value store.

kv.keyfile
    Specifies the path to a local file with a PEM encoded private key.
    This private key is used as the client key for communication with
    the Key/Value store.

Docker's access authorization can be extended by authorization plugins
that your organization can purchase or build themselves. You can
install one or more authorization plugins when you start the Docker
daemon using the --authorization-plugin=PLUGIN_ID option.

    dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

The PLUGIN_ID value is either the plugin's name or a path to its
specification file. The plugin's implementation determines whether you
can specify a name or path. Consult with your Docker administrator to
get information about the plugins available to you.

Once a plugin is installed, requests made to the daemon through the
command line or Docker's Engine API are allowed or denied by the
plugin. If you have multiple plugins installed, each plugin, in order,
must allow the request for it to complete.

For information about how to create an authorization plugin, see the
access authorization plugin
⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
in the Docker extend section of this documentation.

RUNTIME EXECUTION OPTIONS

You can configure the runtime using options specified with the
--exec-opt flag. All the flag's options have the native prefix. A
single native.cgroupdriver option is available.

The native.cgroupdriver option specifies the management of the
container's cgroups. You can only specify cgroupfs or systemd. If you
specify systemd and it is not available, the system errors out. If you
omit the native.cgroupdriver option, cgroupfs is used.

This example sets the cgroupdriver to systemd:

    $ sudo dockerd --exec-opt native.cgroupdriver=systemd

Setting this option applies to all containers the daemon launches.

Sept 2015, Originally compiled by Shishir Mahajan
shishir.mahajan@redhat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based on
docker.com source material and internal work.

Manuals                              User              DOCKER(8)(Docker)