DOCKERD(8)                    Docker User Manuals                   DOCKERD(8)

NAME

       dockerd - Enable daemon mode

SYNOPSIS

       dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
       [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
       [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
       [--cluster-store[=[]]] [--cluster-advertise[=[]]]
       [--cluster-store-opt[=map[]]] [--config-file[=/etc/docker/daemon.json]]
       [--containerd[=SOCKET-PATH]] [--data-root[=/var/lib/docker]] [-D|--debug]
       [--default-cgroupns-mode[=host]] [--default-gateway[=DEFAULT-GATEWAY]]
       [--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
       [--default-address-pool[=DEFAULT-ADDRESS-POOL]] [--default-runtime[=runc]]
       [--default-ipc-mode=MODE] [--default-shm-size[=64MiB]]
       [--default-ulimit[=[]]] [--dns[=[]]] [--dns-opt[=[]]] [--dns-search[=[]]]
       [--exec-opt[=[]]] [--exec-root[=/var/run/docker]] [--experimental[=false]]
       [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
       [-G|--group[=docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
       [--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
       [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
       [--iptables[=true]] [--ipv6] [--isolation[=default]]
       [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
       [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
       [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
       [--max-download-attempts[=5]] [--node-generic-resources[=[]]]
       [-p|--pidfile[=/var/run/docker.pid]] [--raw-logs] [--registry-mirror[=[]]]
       [-s|--storage-driver[=STORAGE-DRIVER]]
       [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
       [--shutdown-timeout[=15]] [--storage-opt[=[]]]
       [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
       [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
       [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
       [--userland-proxy-path[=""]] [--userns-remap[=default]]

DESCRIPTION

       dockerd starts the Docker daemon: the server process that manages
       images, containers and the other objects the Docker client works with.

       To run the Docker daemon, run dockerd. You can list the daemon options
       with dockerd --help. Daemon options are given after the dockerd keyword
       in the following format:

              dockerd [OPTIONS]

OPTIONS

       --add-runtime=[]
         Runtimes can be registered with the daemon either via the
         configuration file or using the --add-runtime command line argument.

         The following is an example adding 2 runtimes via the configuration:

              {
                   "default-runtime": "runc",
                   "runtimes": {
                        "runc": {
                             "path": "runc"
                        },
                        "custom": {
                             "path": "/usr/local/bin/my-runc-replacement",
                             "runtimeArgs": [
                                  "--debug"
                             ]
                        }
                   }
              }

         This is the same example via the command line:

              $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

         Note: defining runtime arguments via the command line is not
         supported.

       --allow-nondistributable-artifacts=[]
         Push nondistributable artifacts to the specified registries.

         The list can contain elements in CIDR notation to specify a whole
         subnet.

         This option is useful when pushing images containing
         nondistributable artifacts to a registry on an air-gapped network, so
         that hosts on that network can pull the images without connecting to
         another server.

         Warning: Nondistributable artifacts typically have restrictions on
         how and where they can be distributed and shared. Only use this
         feature to push artifacts to private registries and ensure that you
         are in compliance with any terms that cover redistributing
         nondistributable artifacts.

       --api-cors-header=""
         Set CORS headers in the Engine API. Default is CORS disabled. Give
         URLs like "http://foo, http://bar, ...". Give "*" to allow all
         origins.

       --authorization-plugin=""
         Set authorization plugins to load.

       -b, --bridge=""
         Attach containers to a pre-existing network bridge; use 'none' to
         disable container networking.

       --bip=""
         Use the provided CIDR notation address for the dynamically created
         bridge (docker0); mutually exclusive with -b.

       --cgroup-parent=""
         Set the parent cgroup for all containers. Default is "/docker" for
         the fs cgroup driver and "system.slice" for the systemd cgroup
         driver.

       --cluster-store=""
         URL of the distributed storage backend.

       --cluster-advertise=""
         Specifies the 'host:port' or interface:port combination that this
         particular daemon instance should use when advertising itself to the
         cluster. The daemon is reached through this value.

       --cluster-store-opt=""
         Specifies options for the Key/Value store.

       --config-file="/etc/docker/daemon.json"
         Specifies the JSON file path to load the configuration from.

       --containerd=""
         Path to the containerd socket.

       --data-root=""
         Path to the directory used to store persisted Docker data such as
         configuration for resources, swarm cluster state, and filesystem
         data for images, containers, and local volumes. Default is
         /var/lib/docker.

       -D, --debug=true|false
         Enable debug mode. Default is false.

       --default-cgroupns-mode="host|private"
         Set the default cgroup namespace mode for newly created containers.
         The argument can either be host or private. If unset, this defaults
         to host on cgroup v1 and private on cgroup v2.

       --default-gateway=""
         IPv4 address of the container default gateway; this address must be
         part of the bridge subnet (which is defined by -b or --bip).

       --default-gateway-v6=""
         IPv6 address of the container default gateway.

       --default-address-pool=""
         Default address pool from which the IPAM driver selects a subnet for
         the networks. Example: base=172.30.0.0/16,size=24 will set the
         default address pools for the selected scope networks to
         {172.30.[0-255].0/24}.

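         As an added illustration (not part of the original man page), the
         following Python expands a --default-address-pool value the way the
         text describes and goes one step further by checking the resulting
         pools against address ranges the host already routes to, which is
         the check worth running before a daemon is started with the setting.
         All function names and the in-use ranges are the example's own
         constructed assumptions.

```python
from __future__ import annotations

import ipaddress


def default_address_pools(spec: str) -> list:
    """Expand a --default-address-pool value such as
    "base=172.30.0.0/16,size=24" into the subnets the IPAM driver can
    hand out, one per network: 172.30.0.0/24 ... 172.30.255.0/24."""
    fields = {}
    for part in spec.split(","):
        key, sep, value = part.partition("=")
        if not sep or key not in ("base", "size"):
            raise ValueError(f"unexpected field in address pool spec: {part!r}")
        fields[key] = value
    if set(fields) != {"base", "size"}:
        raise ValueError("address pool spec needs both base= and size=")
    # strict=True rejects a base with host bits set, e.g. 172.30.0.1/16
    base = ipaddress.ip_network(fields["base"], strict=True)
    size = int(fields["size"])
    if not base.prefixlen <= size <= base.max_prefixlen:
        raise ValueError(
            f"size /{size} must lie between /{base.prefixlen} and /{base.max_prefixlen}"
        )
    return list(base.subnets(new_prefix=size))


def pool_collisions(spec: str, in_use: list[str]) -> list[tuple]:
    """Return (pool subnet, in-use prefix) pairs that overlap.  Once a
    network is created from a pool subnet that overlaps a range the host
    already routes to (VPN, office LAN, another VPC), traffic from the host
    and its containers to that range is routed to the bridge instead, so
    the overlap is worth finding before the daemon is started."""
    used = [ipaddress.ip_network(cidr, strict=False) for cidr in in_use]
    return [
        (subnet, prefix)
        for subnet in default_address_pools(spec)
        for prefix in used
        if subnet.overlaps(prefix)
    ]


# Constructed sample: ranges an imaginary host already reaches via VPN/LAN.
IN_USE_SAMPLE = ["10.0.0.0/8", "172.30.42.0/23", "192.168.1.0/24"]

if __name__ == "__main__":
    spec = "base=172.30.0.0/16,size=24"
    pools = default_address_pools(spec)
    print(f"{spec}: {len(pools)} subnets, {pools[0]} .. {pools[-1]}")
    for subnet, prefix in pool_collisions(spec, IN_USE_SAMPLE):
        print(f"collision: pool subnet {subnet} overlaps in-use {prefix}")
```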
       --default-runtime="runc"
         Set the default runtime if more than one is specified by
         --add-runtime.

       --default-ipc-mode="private|shareable"
         Set the default IPC mode for newly created containers. The argument
         can either be private or shareable.

       --default-shm-size=64MiB
         Set the daemon-wide default shm size for containers. Default is
         64MiB.

       --default-ulimit=[]
         Default ulimits for containers.

       --dns=""
         Force Docker to use specific DNS servers.

       --dns-opt=""
         DNS options to use.

       --dns-search=[]
         DNS search domains to use.

       --exec-opt=[]
         Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

       --exec-root=""
         Path to use as the root of the Docker execution state files.
         Default is /var/run/docker.

       --experimental=""
         Enable the daemon experimental features.

       --fixed-cidr=""
         IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
         nested in the bridge subnet (which is defined by -b or --bip).

       --fixed-cidr-v6=""
         IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

       -G, --group=""
         Group to assign the unix socket specified by -H when running in
         daemon mode. Use '' (the empty string) to disable setting of a
         group. Default is docker.

       -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
       unix://[/path/to/socket] to use.
         The socket(s) to bind to in daemon mode, specified using one or more
         of tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

       --help
         Print usage statement.

       --icc=true|false
         Allow unrestricted inter-container and Docker daemon host
         communication. If disabled, containers can still be linked together
         using the --link option (see docker-run(1)). Default is true.

       --init
         Run an init process inside containers for signal forwarding and
         process reaping.

       --init-path
         Path to the docker-init binary.

       --insecure-registry=[]
         Enable insecure registry communication, i.e., enable unencrypted
         and/or untrusted communication.

         The list of insecure registries can contain an element in CIDR
         notation to specify a whole subnet. Insecure registries accept HTTP
         and/or accept HTTPS with certificates from unknown CAs.

         Enabling --insecure-registry is useful when running a local
         registry. However, because its use creates security vulnerabilities
         it should ONLY be enabled for testing purposes. For increased
         security, users should add their CA to their system's list of
         trusted CAs instead of using --insecure-registry.

       --ip=""
         Default IP address to use when binding container ports. Default is
         0.0.0.0.

       --ip-forward=true|false
         Enables IP forwarding on the Docker host. The default is true. This
         flag interacts with the IP forwarding setting on your host system's
         kernel. If your system has IP forwarding disabled, this setting
         enables it. If your system has IP forwarding enabled, setting this
         flag to --ip-forward=false has no effect.

         This setting will also enable IPv6 forwarding if you have both
         --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
         Router Advertisements and interfere with the host's existing IPv6
         configuration. For more information, please consult the
         documentation about "Advanced Networking - IPv6".

       --ip-masq=true|false
         Enable IP masquerading for the bridge's IP range. Default is true.

       --iptables=true|false
         Enable Docker's addition of iptables rules. Default is true.

       --ipv6=true|false
         Enable IPv6 support. Default is false. Docker will create an
         IPv6-enabled bridge with address fe80::1 which will allow you to
         create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
         provide globally routable IPv6 addresses. IPv6 forwarding will be
         enabled if not used with --ip-forward=false. This may collide with
         your host's current IPv6 settings. For more information please
         consult the documentation about "Advanced Networking - IPv6".

       --isolation="default"
         Isolation specifies the type of isolation technology used by
         containers. Note that the default on Windows server is process, and
         the default on Windows client is hyperv. Linux only supports
         default.

       -l, --log-level="debug|info|warn|error|fatal"
         Set the logging level. Default is info.

       --label="[]"
         Set key=value labels on the daemon (displayed in docker info).

       --live-restore=false
         Enable live restore of running containers when the daemon starts so
         that they are not restarted. This option is applicable only for a
         docker daemon running on a Linux host.

       --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
         Default driver for container logs. Default is json-file.
         Warning: the docker logs command works only for the json-file
         logging driver.

       --log-opt=[]
         Logging driver specific options.

       --mtu=0
         Set the containers' network MTU. Default is 0.

       --max-concurrent-downloads=3
         Set the max concurrent downloads for each pull. Default is 3.

       --max-concurrent-uploads=5
         Set the max concurrent uploads for each push. Default is 5.

       --max-download-attempts=5
         Set the max download attempts for each pull. Default is 5.

       --node-generic-resources=[]
         Advertise user-defined resources. Default is []. Use this if your
         swarm cluster has some nodes with custom resources (e.g. NVIDIA GPU,
         SSD, ...) and you need your services to land on nodes advertising
         these resources.
         Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
         --node-generic-resources "NVIDIA-GPU=UUID2"

       -p, --pidfile=""
         Path to use for the daemon PID file. Default is /var/run/docker.pid.

       --raw-logs
         Output daemon logs in full timestamp format without ANSI coloring.
         If this flag is not set, the daemon outputs condensed, colorized
         logs if a terminal is detected, or full ("raw") output otherwise.

       --registry-mirror=<scheme>://<host>
         Prepend a registry mirror to be used for image pulls. May be
         specified multiple times.

       -s, --storage-driver=""
         Force the Docker runtime to use a specific storage driver.

       --seccomp-profile=""
         Path to the seccomp profile.

       --selinux-enabled=true|false
         Enable SELinux support. Default is false.

       --shutdown-timeout=15
         Set the shutdown timeout value in seconds. Default is 15.

       --storage-opt=[]
         Set storage driver options. See STORAGE DRIVER OPTIONS.

       --swarm-default-advertise-addr=IP|INTERFACE
         Set the default address or interface for swarm to advertise as its
         externally-reachable address to other cluster members. This can be a
         hostname, an IP address, or an interface such as eth0. A port cannot
         be specified with this option.

       --tls=true|false
         Use TLS; implied by --tlsverify. Default is false.

       --tlscacert=~/.docker/ca.pem
         Trust certs signed only by this CA.

       --tlscert=~/.docker/cert.pem
         Path to the TLS certificate file.

       --tlskey=~/.docker/key.pem
         Path to the TLS key file.

       --tlsverify=true|false
         Use TLS and verify the remote (daemon: verify client, client: verify
         daemon). Default is false.

       --userland-proxy=true|false
         Rely on a userland proxy implementation for inter-container and
         outside-to-container loopback communications. Default is true.

       --userland-proxy-path=""
         Path to the userland proxy binary.

       --userns-remap=default|uid:gid|user:group|user|uid
         Enable user namespaces for containers on the daemon. Specifying
         "default" will cause a new user and group to be created to handle
         UID and GID range remapping for the user namespace mappings used for
         contained processes. Specifying a user (or uid) and optionally a
         group (or gid) will cause the daemon to look up the user and group's
         subordinate ID ranges for use as the user namespace mappings for
         contained processes.

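       The -H, --tls, --tlsverify, --insecure-registry, --api-cors-header,
       --userns-remap and --icc options above decide who can reach the
       daemon and how far the API is exposed. The Python below is an added
       example, not part of this man page or of the Docker project: it
       audits a daemon.json for the weaker settings the page documents and
       compares a weak configuration with a hardened one. Both configurations
       are constructed samples, and the JSON keys are assumed to be the flag
       names without leading dashes, as the runtimes example above shows.

```python
from __future__ import annotations

import json

# Constructed sample daemon.json contents (not taken from any real host).
# Keys are assumed to be the dockerd flag names without leading dashes.
WEAK_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/cert.pem",
  "tlskey": "/etc/docker/key.pem",
  "insecure-registries": ["registry.internal.example:5000"],
  "api-cors-header": "*",
  "default-runtime": "runc",
  "runtimes": {"runc": {"path": "runc"}}
}
"""

HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/cert.pem",
  "tlskey": "/etc/docker/key.pem",
  "userns-remap": "default",
  "icc": false
}
"""

Finding = tuple  # (severity, code, detail)


def load_config(text: str) -> dict:
    """Parse daemon.json; the file must hold a single JSON object."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return cfg


def audit_daemon_config(cfg: dict) -> list[Finding]:
    """Flag settings this man page documents as weakening the daemon: a TCP
    API endpoint without client verification, insecure registries, a
    wildcard CORS header, no user-namespace remapping, and unrestricted
    inter-container communication."""
    findings: list[Finding] = []

    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        listen = ", ".join(tcp_hosts)
        if cfg.get("tlsverify", False):
            pass  # --tlsverify: TLS plus client certificate verification
        elif cfg.get("tls", False):
            findings.append(("high", "tcp-no-client-verification",
                             f"{listen}: --tls without --tlsverify encrypts the "
                             "connection but does not verify the client"))
        else:
            findings.append(("critical", "tcp-plaintext",
                             f"{listen}: remote API without TLS"))

    registries = cfg.get("insecure-registries", [])
    if registries:
        findings.append(("high", "insecure-registry",
                         "--insecure-registry for " + ", ".join(registries)
                         + ": plaintext or untrusted-CA registry traffic; "
                         "add the CA to the host trust store instead"))

    if cfg.get("api-cors-header") == "*":
        findings.append(("medium", "cors-wildcard",
                         '--api-cors-header "*" allows any origin to call the Engine API'))

    if not cfg.get("userns-remap"):
        findings.append(("medium", "no-userns-remap",
                         "--userns-remap unset: container UIDs are not remapped "
                         "to a subordinate range"))

    if cfg.get("icc", True):  # the daemon default is true
        findings.append(("low", "icc-unrestricted",
                         "--icc=true: unrestricted inter-container communication"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for severity, code, detail in audit_daemon_config(load_config(text)):
            print(f"  [{severity}] {code}: {detail}")
```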

STORAGE DRIVER OPTIONS

       Docker uses storage backends (known as "graphdrivers" in the Docker
       internals) to create writable containers from images. Many of these
       backends use operating system level technologies and can be
       configured.

       Specify options to the storage backend with --storage-opt flags. The
       backends that currently take options are devicemapper, zfs and btrfs.
       Options for devicemapper are prefixed with dm, options for zfs start
       with zfs and options for btrfs start with btrfs.

       Specifically for devicemapper, the default is a "loopback" model which
       requires no pre-configuration, but is extremely inefficient. Do not
       use it in production.

       To make the best use of Docker with the devicemapper backend, you must
       have a recent version of LVM. Use lvm to create a thin pool; for more
       information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
       tell the Docker engine to use that pool for allocating images and
       container snapshots.

Devicemapper options

   dm.thinpooldev
       Specifies a custom block storage device to use for the thin pool.

       If using a block device for device mapper storage, it is best to use
       lvm to create and manage the thin-pool volume. This volume is then
       handed to Docker to exclusively create snapshot volumes needed for
       images and containers.

       Managing the thin-pool outside of Engine makes for the most
       feature-rich method of having Docker utilize device mapper thin
       provisioning as the backing storage for Docker containers. The
       highlights of the lvm-based thin-pool management feature include:
       automatic or interactive thin-pool resize support, dynamically
       changing thin-pool features, automatic thinp metadata checking when
       lvm activates the thin-pool, etc.

       As a fallback if no thin pool is provided, loopback files are created.
       Loopback is very slow, but can be used without any pre-configuration
       of storage. It is strongly recommended that you do not use loopback in
       production. Ensure your Engine daemon has a --storage-opt
       dm.thinpooldev argument provided.

       Example use:

              $ dockerd \
                     --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

   dm.directlvm_device
       As an alternative to manually creating a thin pool as above, Docker
       can automatically configure a block device for you.

       Example use:

              $ dockerd \
                     --storage-opt dm.directlvm_device=/dev/xvdf

   dm.thinp_percent
       Sets the percentage of the passed in block device to use for storage.

       Example:

              $ sudo dockerd \
                     --storage-opt dm.thinp_percent=95

   dm.thinp_metapercent
       Sets the percentage of the passed in block device to use for metadata
       storage.

       Example:

              $ sudo dockerd \
                     --storage-opt dm.thinp_metapercent=1

   dm.thinp_autoextend_threshold
       Sets the percentage of space used before lvm attempts to autoextend
       the available space [100 = disabled].

       Example:

              $ sudo dockerd \
                     --storage-opt dm.thinp_autoextend_threshold=80

   dm.thinp_autoextend_percent
       Sets the percentage by which to increase the thin pool when lvm
       attempts to autoextend the available space [100 = disabled].

       Example:

              $ sudo dockerd \
                     --storage-opt dm.thinp_autoextend_percent=20

   dm.basesize
       Specifies the size to use when creating the base device, which limits
       the size of images and containers. The default value is 10G. Note,
       thin devices are inherently "sparse", so a 10G device which is mostly
       empty doesn't use 10 GB of space on the pool. However, the filesystem
       will use more space for base images the larger the device is.

       The base device size can be increased at daemon restart which will
       allow all future images and containers (based on those new images) to
       be of the new base device size.

       Example use: dockerd --storage-opt dm.basesize=50G

       This will increase the base device size to 50G. The Docker daemon will
       throw an error if the existing base device size is larger than 50G. A
       user can use this option to expand the base device size; however,
       shrinking is not permitted.

       This value affects the system-wide "base" empty filesystem that may
       already be initialized and inherited by pulled images. Typically, a
       change to this value requires additional steps to take effect:

              $ sudo service docker stop
              $ sudo rm -rf /var/lib/docker
              $ sudo service docker start

       Example use: dockerd --storage-opt dm.basesize=20G

   dm.fs
       Specifies the filesystem type to use for the base device. The
       supported options are ext4 and xfs. The default is ext4.

       Example use: dockerd --storage-opt dm.fs=xfs

   dm.mkfsarg
       Specifies extra mkfs arguments to be used when creating the base
       device.

       Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

   dm.mountopt
       Specifies extra mount options used when mounting the thin devices.

       Example use: dockerd --storage-opt dm.mountopt=nodiscard

   dm.use_deferred_removal
       Enables use of deferred device removal if libdm and the kernel driver
       support the mechanism.

       Deferred device removal means that if a device is busy when devices
       are being removed/deactivated, then a deferred removal is scheduled on
       the device, and the device automatically goes away when the last user
       of the device exits.

       For example, when a container exits, its associated thin device is
       removed. If that device has leaked into some other mount namespace and
       can't be removed, the container exit still succeeds and this option
       causes the system to schedule the device for deferred removal. It does
       not wait in a loop trying to remove a busy device.

       Example use: dockerd --storage-opt dm.use_deferred_removal=true

   dm.use_deferred_deletion
       Enables use of deferred device deletion for thin pool devices. By
       default, thin pool device deletion is synchronous. Before a container
       is deleted, the Docker daemon removes any associated devices. If the
       storage driver can not remove a device, the container deletion fails
       and the daemon returns:

              Error deleting container: Error response from daemon: Cannot destroy container

       To avoid this failure, enable both deferred device deletion and
       deferred device removal on the daemon:

              dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

       With these two options enabled, if a device is busy when the driver is
       deleting a container, the driver marks the device as deleted. Later,
       when the device isn't in use, the driver deletes it.

       In general it should be safe to enable this option by default. It will
       help when unintentional leaking of mount points happens across
       multiple mount namespaces.

   dm.loopdatasize
       Note: This option configures devicemapper loopback, which should not
       be used in production.

       Specifies the size to use when creating the loopback file for the
       "data" device which is used for the thin pool. The default size is
       100G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopdatasize=200G

   dm.loopmetadatasize
       Note: This option configures devicemapper loopback, which should not
       be used in production.

       Specifies the size to use when creating the loopback file for the
       "metadata" device which is used for the thin pool. The default size
       is 2G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopmetadatasize=4G

   dm.datadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for data for a Docker-managed
       thin pool. It is better to use dm.thinpooldev - see the documentation
       for it above for discussion of the advantages.

   dm.metadatadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for metadata for a
       Docker-managed thin pool. See dm.datadev for why this is deprecated.

   dm.blocksize
       Specifies a custom blocksize to use for the thin pool. The default
       blocksize is 64K.

       Example use: dockerd --storage-opt dm.blocksize=512K

   dm.blkdiscard
       Enables or disables the use of blkdiscard when removing devicemapper
       devices. This is disabled by default due to the additional latency,
       but as a special case with loopback devices it will be enabled, in
       order to re-sparsify the loopback file on image/container removal.

       Disabling this on loopback can lead to much faster container removal
       times, but it also prevents the space used in the /var/lib/docker
       directory from being returned to the system for other use when
       containers are removed.

       Example use: dockerd --storage-opt dm.blkdiscard=false

   dm.override_udev_sync_check
       By default, the devicemapper backend attempts to synchronize with the
       udev device manager for the Linux kernel. This option allows disabling
       that synchronization, to continue even though the configuration may
       be buggy.

       To view the udev sync support of a Docker daemon that is using the
       devicemapper driver, run:

              $ docker info
              [...]
               Udev Sync Supported: true
              [...]

       When udev sync support is true, then devicemapper and udev can
       coordinate the activation and deactivation of devices for containers.

       When udev sync support is false, a race condition occurs between the
       devicemapper and udev during create and cleanup. The race condition
       results in errors and failures. (For information on these failures,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

       To allow the docker daemon to start, regardless of whether udev sync
       is false, set dm.override_udev_sync_check to true:

              $ dockerd --storage-opt dm.override_udev_sync_check=true

       When this value is true, the driver continues and simply warns you
       that the errors are happening.

       Note: The ideal is to pursue a docker daemon and environment that does
       support synchronizing with udev. For further discussion on this topic,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
       Otherwise, set this flag for migrating existing Docker daemons to a
       daemon with a supported environment.

847   dm.min_free_space
848       Specifies the min free space percent in a thin pool require for new de‐
849       vice creation to succeed. This check applies to both free data space as
850       well as free metadata space. Valid values are from 0% - 99%.  Value  0%
851       disables  free  space  checking logic. If user does not specify a value
852       for this option, the Engine uses a default value of 10%.
853
854
855       Whenever a new a thin pool device is created  (during  docker  pull  or
856       during container creation), the Engine checks if the minimum free space
857       is available.  If the space is unavailable, then device creation  fails
858       and any relevant docker operation fails.
859
860
861       To recover from this error, you must create more free space in the thin
862       pool to recover from the error. You can create free space  by  deleting
863       some  images  and  containers from tge thin pool. You can also add more
864       storage to the thin pool.
865
866
867       To add more space to an LVM (logical volume management) thin pool, just
868       add  more  storage to the  group container thin pool; this should auto‐
869       matically resolve any errors. If your configuration uses loop  devices,
870       then  stop  the  Engine daemon, grow the size of loop files and restart
871       the daemon to resolve the issue.
872
873
874       Example use:: dockerd --storage-opt dm.min_free_space=10%
875
876
   dm.xfs_nospace_max_retries
       Specifies the maximum number of retries XFS should attempt to complete
       IO when an ENOSPC (no space) error is returned by the underlying storage
       device.

       By default XFS retries the IO indefinitely, which can leave a process
       unkillable. To change this behavior, set xfs_nospace_max_retries to,
       say, 0: XFS will then not retry IO after getting ENOSPC and will shut
       down the filesystem instead.

       Example use:

              $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
893
894
895
   dm.libdm_log_level
       Specifies the maximum libdm log level that will be forwarded to the
       dockerd log (as specified by --log-level). This option is primarily
       intended for debugging problems involving libdm. Using values other than
       the defaults may cause false-positive warnings to be logged.

       Values specified must fall within the range of valid libdm log levels.
       At the time of writing, the following is the list of libdm log levels
       as well as their corresponding levels when output by dockerd.

       ┌────────────┬───────┬─────────────┐
       │libdm Level │ Value │ --log-level │
       ├────────────┼───────┼─────────────┤
       │_LOG_FATAL  │ 2     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_ERR    │ 3     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_WARN   │ 4     │ warn        │
       ├────────────┼───────┼─────────────┤
       │_LOG_NOTICE │ 5     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_INFO   │ 6     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_DEBUG  │ 7     │ debug       │
       └────────────┴───────┴─────────────┘

       Example use:

              $ sudo dockerd \
                    --log-level debug \
                    --storage-opt dm.libdm_log_level=7
933
934

ZFS options

   zfs.fsname
       Sets the ZFS filesystem under which docker will create its own datasets.
       By default docker will pick the ZFS filesystem where the docker graph
       (/var/lib/docker) is located.

       Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
944

Btrfs options

   btrfs.min_space
       Specifies the minimum size to use when creating the subvolume that is
       used for containers. If the user applies a btrfs disk quota when
       creating or running a container with the --storage-opt size option,
       docker ensures the size cannot be smaller than btrfs.min_space.

       Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G

CLUSTER STORE OPTIONS

       The daemon uses libkv to advertise the node within the cluster. Some
       Key/Value backends support mutual TLS, and the client TLS settings used
       by the daemon can be configured using the --cluster-store-opt flag,
       specifying the paths to PEM encoded files.

   kv.cacertfile
       Specifies the path to a local file with PEM encoded CA certificates to
       trust.

   kv.certfile
       Specifies the path to a local file with a PEM encoded certificate. This
       certificate is used as the client cert for communication with the
       Key/Value store.

   kv.keyfile
       Specifies the path to a local file with a PEM encoded private key. This
       private key is used as the client key for communication with the
       Key/Value store.

Access authorization

       Docker's access authorization can be extended by authorization plugins
       that your organization can purchase or build themselves. You can
       install one or more authorization plugins when you start the Docker
       daemon using the --authorization-plugin=PLUGIN_ID option.

              dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

       The PLUGIN_ID value is either the plugin's name or a path to its
       specification file. The plugin's implementation determines whether you
       can specify a name or path. Consult with your Docker administrator to
       get information about the plugins available to you.

       Once a plugin is installed, requests made to the daemon through the
       command line or Docker's Engine API are allowed or denied by the plugin.
       If you have multiple plugins installed, each plugin, in order, must
       allow the request for it to complete.

       For information about how to create an authorization plugin, see the
       access authorization plugin section
       ⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ in the
       Docker extend section of this documentation.
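       As an added example that is not part of this manual or of any shipped
       plugin, the following Python shows the decision a plugin returns for one
       request and how several plugins are consulted in order. The request
       fields User, RequestMethod, RequestURI and RequestBody and the response
       fields Allow and Msg are assumed from the plugin API documented at the
       URL above; the policy itself is chosen only to illustrate a deny.

```python
"""Decision logic for a dockerd authorization plugin. Added example, not part of
the man page or of any published plugin. Assumed protocol (see the
plugins_authorization page): dockerd sends a JSON request with User,
RequestMethod, RequestURI and a base64-encoded RequestBody; the plugin answers
with Allow (bool) and Msg (string)."""
import base64
import json
import re

# Matches POST /containers/create with or without an API version prefix.
CREATE_RE = re.compile(r"^/(v[\d.]+/)?containers/create(\?.*)?$")

def authz_req(req):
    """Policy chosen for the example: deny privileged container creation and
    malformed create bodies, allow everything else. Returns the response dict."""
    if req.get("RequestMethod") == "POST" and CREATE_RE.match(req.get("RequestURI", "")):
        try:
            raw = base64.b64decode(req.get("RequestBody") or "")
            body = json.loads(raw or b"{}")
        except ValueError:  # binascii.Error and JSONDecodeError both derive from it
            return {"Allow": False, "Msg": "container create body is not valid JSON"}
        host_config = body.get("HostConfig") if isinstance(body, dict) else None
        if isinstance(host_config, dict) and host_config.get("Privileged") is True:
            user = req.get("User") or "anonymous"
            return {"Allow": False, "Msg": f"privileged containers are denied for {user}"}
    return {"Allow": True, "Msg": ""}

def run_chain(req, plugins):
    """Model of the daemon consulting several plugins: each one, in order, must
    allow the request, and the first denial ends it. plugins is a list of
    (name, decision function) pairs."""
    for name, decide in plugins:
        resp = decide(req)
        if not resp.get("Allow"):
            return False, f"{name}: {resp.get('Msg', '')}"
    return True, "allowed"

def make_request(method, uri, body, user="alice"):
    """Build a request in the assumed shape (constructed test data)."""
    raw = json.dumps(body).encode()
    return {"User": user, "RequestMethod": method, "RequestURI": uri,
            "RequestBody": base64.b64encode(raw).decode()}
```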
1009
1010
1011

RUNTIME EXECUTION OPTIONS

       You can configure the runtime using options specified with the
       --exec-opt flag. All the flag's options have the native prefix. A
       single native.cgroupdriver option is available.

       The native.cgroupdriver option specifies the management of the
       container's cgroups. You can only specify cgroupfs or systemd. If you
       specify systemd and it is not available, the system errors out. If you
       omit the native.cgroupdriver option, cgroupfs is used on cgroup v1
       hosts, and systemd is used on cgroup v2 hosts with systemd available.

       This example sets the cgroupdriver to systemd:

              $ sudo dockerd --exec-opt native.cgroupdriver=systemd

       Setting this option applies to all containers the daemon launches.
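       As an added example, not dockerd code, the following Python reproduces
       the default-driver rule above from a /proc/self/mounts listing and
       validates an explicit value the way this section describes. The mount
       listings are constructed, and the presence of /run/systemd/system is
       assumed here as the marker of a systemd-booted host.

```python
"""Predict the native.cgroupdriver dockerd uses when the option is omitted,
per the rule above: cgroupfs on cgroup v1, systemd on cgroup v2 with systemd.
Added example, not dockerd code; the mount listings are constructed."""
import os

# Constructed /proc/self/mounts excerpts for a unified (v2) host and a v1 host.
MOUNTS_V2 = """proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
"""
MOUNTS_V1 = """proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
"""

def cgroup_version(mounts_text):
    """2 if /sys/fs/cgroup is a cgroup2 mount, 1 if v1 hierarchies are mounted
    (a hybrid layout counts as v1), None if no cgroup filesystem is mounted."""
    version = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mountpoint, fstype = fields[1], fields[2]
        if mountpoint == "/sys/fs/cgroup" and fstype == "cgroup2":
            return 2
        if fstype == "cgroup":
            version = 1
    return version

def default_cgroupdriver(mounts_text, systemd_available):
    """The documented default: systemd only on v2 hosts where systemd exists."""
    if cgroup_version(mounts_text) == 2 and systemd_available:
        return "systemd"
    return "cgroupfs"

def resolve_cgroupdriver(requested, mounts_text, systemd_available):
    """Validate an explicit value as described: only cgroupfs or systemd is
    accepted, and systemd errors out when it is not available."""
    if requested is None:
        return default_cgroupdriver(mounts_text, systemd_available)
    if requested not in ("cgroupfs", "systemd"):
        raise ValueError(f"unknown native.cgroupdriver {requested!r}")
    if requested == "systemd" and not systemd_available:
        raise RuntimeError("native.cgroupdriver=systemd requested but systemd is unavailable")
    return requested

def host_default():
    """Inspect the live Linux host; assumes /run/systemd/system marks systemd."""
    with open("/proc/self/mounts") as f:
        return default_cgroupdriver(f.read(), os.path.isdir("/run/systemd/system"))
```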
1033
1034
1035

HISTORY

       Sept 2015, Originally compiled by Shishir Mahajan shishir.mahajan@redhat.com
       ⟨mailto:shishir.mahajan@redhat.com⟩ based on docker.com source material
       and internal work.



Docker Community                SEPTEMBER 2015                      DOCKERD(8)