DOCKERD(8) Docker User Manuals DOCKERD(8)

NAME
dockerd - Enable daemon mode

SYNOPSIS
dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
[--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
[-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
[--cluster-store[=[]]] [--cluster-advertise[=[]]]
[--cluster-store-opt[=map[]]] [--config-file[=/etc/docker/daemon.json]]
[--containerd[=SOCKET-PATH]] [--data-root[=/var/lib/docker]] [-D|--debug]
[--default-cgroupns-mode[=host]] [--default-gateway[=DEFAULT-GATEWAY]]
[--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
[--default-address-pool[=DEFAULT-ADDRESS-POOL]] [--default-runtime[=runc]]
[--default-ipc-mode=MODE] [--default-shm-size[=64MiB]]
[--default-ulimit[=[]]] [--dns[=[]]] [--dns-opt[=[]]]
[--dns-search[=[]]] [--exec-opt[=[]]] [--exec-root[=/var/run/docker]]
[--experimental[=false]] [--fixed-cidr[=FIXED-CIDR]]
[--fixed-cidr-v6[=FIXED-CIDR-V6]] [-G|--group[=docker]] [-H|--host[=[]]]
[--help] [--icc[=true]] [--init[=false]] [--init-path[=""]]
[--insecure-registry[=[]]] [--ip[=0.0.0.0]] [--ip-forward[=true]]
[--ip-masq[=true]] [--iptables[=true]] [--ipv6] [--isolation[=default]]
[-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
[--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
[--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
[--max-download-attempts[=5]] [--node-generic-resources[=[]]]
[-p|--pidfile[=/var/run/docker.pid]] [--raw-logs] [--registry-mirror[=[]]]
[-s|--storage-driver[=STORAGE-DRIVER]]
[--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
[--shutdown-timeout[=15]] [--storage-opt[=[]]]
[--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
[--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
[--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
[--userland-proxy-path[=""]] [--userns-remap[=default]]

DESCRIPTION
dockerd starts the Docker daemon, the process that manages images,
containers and so on. dockerd is therefore a server that runs as a
daemon.

To run the Docker daemon, invoke dockerd. You can list the daemon
options with dockerd --help. Daemon options are specified after the
dockerd keyword in the following format.

    dockerd [OPTIONS]

OPTIONS
--add-runtime=[]
Runtimes can be registered with the daemon either via the configuration
file or using the --add-runtime command line argument.

The following is an example adding 2 runtimes via the configuration:

    {
        "default-runtime": "runc",
        "runtimes": {
            "runc": {
                "path": "runc"
            },
            "custom": {
                "path": "/usr/local/bin/my-runc-replacement",
                "runtimeArgs": [
                    "--debug"
                ]
            }
        }
    }

This is the same example via the command line:

    $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

Note: defining runtime arguments via the command line is not supported.

--allow-nondistributable-artifacts=[]
Push nondistributable artifacts to the specified registries.

The list can contain elements in CIDR notation to specify a whole subnet.

This option is useful when pushing images containing nondistributable
artifacts to a registry on an air-gapped network so hosts on that
network can pull the images without connecting to another server.

Warning: Nondistributable artifacts typically have restrictions on how
and where they can be distributed and shared. Only use this feature to
push artifacts to private registries and ensure that you are in
compliance with any terms that cover redistributing nondistributable
artifacts.

--api-cors-header=""
Set CORS headers in the Engine API. CORS is disabled by default. Give
URLs like "http://foo, http://bar, ...". Give "*" to allow all.

--authorization-plugin=""
Set authorization plugins to load.

-b, --bridge=""
Attach containers to a pre-existing network bridge; use 'none' to
disable container networking.

--bip=""
Use the provided CIDR notation address for the dynamically created
bridge (docker0); mutually exclusive with -b.

--cgroup-parent=""
Set parent cgroup for all containers. Default is "/docker" for the fs
cgroup driver and "system.slice" for the systemd cgroup driver.

--cluster-store=""
URL of the distributed storage backend.

--cluster-advertise=""
Specifies the 'host:port' or interface:port combination that this
particular daemon instance should use when advertising itself to the
cluster. The daemon is reached through this value.

--cluster-store-opt=""
Specifies options for the Key/Value store.

--config-file="/etc/docker/daemon.json"
Specifies the JSON file path to load the configuration from.

--containerd=""
Path to containerd socket.

--data-root=""
Path to the directory used to store persisted Docker data such as
configuration for resources, swarm cluster state, and filesystem data
for images, containers, and local volumes. Default is /var/lib/docker.

-D, --debug=true|false
Enable debug mode. Default is false.

--default-cgroupns-mode="host|private"
Set the default cgroup namespace mode for newly created containers. The
argument can either be host or private. If unset, this defaults to host
on cgroup v1, private on cgroup v2.

--default-gateway=""
IPv4 address of the container default gateway; this address must be
part of the bridge subnet (which is defined by -b or --bip).

--default-gateway-v6=""
IPv6 address of the container default gateway.

--default-address-pool=""
Default address pool from which the IPAM driver selects a subnet for the
networks.
Example: base=172.30.0.0/16,size=24 will set the default address pools
for the selected scope networks to {172.30.[0-255].0/24}

--default-runtime="runc"
Set the default runtime if more than one is specified by --add-runtime.

--default-ipc-mode="private|shareable"
Set the default IPC mode for newly created containers. The argument can
either be private or shareable.

--default-shm-size=64MiB
Set the daemon-wide default shm size for containers. Default is 64MiB.

--default-ulimit=[]
Default ulimits for containers.

--dns=""
Force Docker to use specific DNS servers.

--dns-opt=""
DNS options to use.

--dns-search=[]
DNS search domains to use.

--exec-opt=[]
Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

--exec-root=""
Path to use as the root of the Docker execution state files. Default is
/var/run/docker.

--experimental=""
Enable the daemon experimental features.

--fixed-cidr=""
IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
nested in the bridge subnet (which is defined by -b or --bip).

--fixed-cidr-v6=""
IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

-G, --group=""
Group to assign the unix socket specified by -H when running in daemon
mode. Use '' (the empty string) to disable setting of a group. Default
is docker.

-H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
The socket(s) to bind to in daemon mode, specified using one or more of
tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

--help
Print usage statement.

--icc=true|false
Allow unrestricted inter-container and Docker daemon host
communication. If disabled, containers can still be linked together
using the --link option (see docker-run(1)). Default is true.

--init
Run an init process inside containers for signal forwarding and process
reaping.

--init-path
Path to the docker-init binary.

--insecure-registry=[]
Enable insecure registry communication, i.e., enable un-encrypted
and/or untrusted communication.

List of insecure registries can contain an element with CIDR notation
to specify a whole subnet. Insecure registries accept HTTP and/or
accept HTTPS with certificates from unknown CAs.

Enabling --insecure-registry is useful when running a local registry.
However, because its use creates security vulnerabilities it should
ONLY be enabled for testing purposes. For increased security, users
should add their CA to their system's list of trusted CAs instead of
using --insecure-registry.

--ip=""
Default IP address to use when binding container ports. Default is
0.0.0.0.

--ip-forward=true|false
Enables IP forwarding on the Docker host. The default is true. This
flag interacts with the IP forwarding setting on your host system's
kernel. If your system has IP forwarding disabled, this setting enables
it. If your system has IP forwarding enabled, setting this flag to
--ip-forward=false has no effect.

This setting will also enable IPv6 forwarding if you have both
--ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
Router Advertisements and interfere with the host's existing IPv6
configuration. For more information, please consult the documentation
about "Advanced Networking - IPv6".

--ip-masq=true|false
Enable IP masquerading for bridge's IP range. Default is true.

--iptables=true|false
Enable Docker's addition of iptables rules. Default is true.

--ipv6=true|false
Enable IPv6 support. Default is false. Docker will create an
IPv6-enabled bridge with address fe80::1 which will allow you to create
IPv6-enabled containers. Use together with --fixed-cidr-v6 to provide
globally routable IPv6 addresses. IPv6 forwarding will be enabled if
not used with --ip-forward=false. This may collide with your host's
current IPv6 settings. For more information please consult the
documentation about "Advanced Networking - IPv6".

--isolation="default"
Isolation specifies the type of isolation technology used by
containers. Note that the default on Windows server is process, and the
default on Windows client is hyperv. Linux only supports default.

-l, --log-level="debug|info|warn|error|fatal"
Set the logging level. Default is info.

--label="[]"
Set key=value labels to the daemon (displayed in docker info).

--live-restore=false
Enable live restore of running containers when the daemon starts so
that they are not restarted. This option is applicable only to a Docker
daemon running on a Linux host.

--log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
Default driver for container logs. Default is json-file.
Warning: the docker logs command works only for the json-file logging
driver.

--log-opt=[]
Logging driver specific options.

--mtu=0
Set the containers' network MTU. Default is 0.

--max-concurrent-downloads=3
Set the max concurrent downloads for each pull. Default is 3.

--max-concurrent-uploads=5
Set the max concurrent uploads for each push. Default is 5.

--max-download-attempts=5
Set the max download attempts for each pull. Default is 5.

--node-generic-resources=[]
Advertise user-defined resource. Default is [].
Use this if your swarm cluster has some nodes with custom resources
(e.g., NVIDIA GPU, SSD, ...) and you need your services to land on
nodes advertising these resources.
Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
--node-generic-resources "NVIDIA-GPU=UUID2"

-p, --pidfile=""
Path to use for daemon PID file. Default is /var/run/docker.pid.

--raw-logs
Output daemon logs in full timestamp format without ANSI coloring. If
this flag is not set, the daemon outputs condensed, colorized logs if a
terminal is detected, or full ("raw") output otherwise.

--registry-mirror=://
Prepend a registry mirror to be used for image pulls. May be specified
multiple times.

-s, --storage-driver=""
Force the Docker runtime to use a specific storage driver.

--seccomp-profile=""
Path to seccomp profile.

--selinux-enabled=true|false
Enable selinux support. Default is false.

--shutdown-timeout=15
Set the shutdown timeout value in seconds. Default is 15.

--storage-opt=[]
Set storage driver options. See STORAGE DRIVER OPTIONS.

--swarm-default-advertise-addr=IP|INTERFACE
Set default address or interface for swarm to advertise as its
externally-reachable address to other cluster members. This can be a
hostname, an IP address, or an interface such as eth0. A port cannot be
specified with this option.

--tls=true|false
Use TLS; implied by --tlsverify. Default is false.

--tlscacert=~/.docker/ca.pem
Trust certs signed only by this CA.

--tlscert=~/.docker/cert.pem
Path to TLS certificate file.

--tlskey=~/.docker/key.pem
Path to TLS key file.

--tlsverify=true|false
Use TLS and verify the remote (daemon: verify client, client: verify
daemon). Default is false.

--userland-proxy=true|false
Rely on a userland proxy implementation for inter-container and
outside-to-container loopback communications. Default is true.

--userland-proxy-path=""
Path to the userland proxy binary.

--userns-remap=default|uid:gid|user:group|user|uid
Enable user namespaces for containers on the daemon. Specifying
"default" will cause a new user and group to be created to handle UID
and GID range remapping for the user namespace mappings used for
contained processes. Specifying a user (or uid) and optionally a group
(or gid) will cause the daemon to look up the user and group's
subordinate ID ranges for use as the user namespace mappings for
contained processes.
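
Several of the defaults listed above interact: a tcp:// socket given to -H is only authenticated when --tlsverify is set, --icc defaults to true, and user namespaces stay off unless --userns-remap is given. The following check is an added example, not part of the Docker manual or the Docker code base; it reads a dockerd command line (for instance from a service unit) and reports those settings. The function names, finding texts and sample command lines are constructed for illustration.

```python
import ipaddress
import shlex

# Flags the OPTIONS list documents as booleans: a bare "--flag" means true.
BOOL_FLAGS = {"--debug", "--experimental", "--help", "--icc", "--init",
              "--ip-forward", "--ip-masq", "--iptables", "--ipv6",
              "--live-restore", "--raw-logs", "--selinux-enabled", "--tls",
              "--tlsverify", "--userland-proxy"}
ALIASES = {"-H": "--host", "-D": "--debug"}


def parse_flags(cmdline):
    """Parse a dockerd command line into {flag: [values, ...]}."""
    tokens = shlex.split(cmdline)
    # Skip wrappers such as sudo: options start after the dockerd binary.
    names = [t.rsplit("/", 1)[-1] for t in tokens]
    if "dockerd" in names:
        tokens = tokens[names.index("dockerd") + 1:]
    opts, i = {}, 0
    while i < len(tokens):
        name, has_value, value = tokens[i].partition("=")
        name = ALIASES.get(name, name)
        if not has_value:
            if name in BOOL_FLAGS:
                value = "true"
            elif i + 1 < len(tokens):
                i += 1              # "--flag value" form: consume next token
                value = tokens[i]
        opts.setdefault(name, []).append(value)
        i += 1
    return opts


def flag_on(opts, name, default):
    """Last occurrence wins; otherwise use the default from the manual."""
    values = opts.get(name)
    if not values:
        return default
    return values[-1].lower() in ("1", "t", "true")


def audit(cmdline):
    """Return a list of (flag, message) findings for one command line."""
    opts = parse_flags(cmdline)
    findings = []
    tlsverify = flag_on(opts, "--tlsverify", False)
    tls = tlsverify or flag_on(opts, "--tls", False)   # --tlsverify implies --tls
    for host in opts.get("--host", []):
        if not host.startswith("tcp://"):
            continue
        if not tls:
            findings.append(("--host", f"{host}: Engine API on plaintext TCP"))
        elif not tlsverify:
            findings.append(("--host", f"{host}: TLS without --tlsverify, "
                                       "clients are not verified"))
    for reg in opts.get("--insecure-registry", []):
        try:   # CIDR entries cover a whole subnet, so report the size
            net = ipaddress.ip_network(reg, strict=False)
            scope = f"{net.num_addresses} addresses"
        except ValueError:
            scope = "one registry host"
        findings.append(("--insecure-registry",
                         f"{reg}: HTTP or unverified HTTPS allowed ({scope})"))
    for value in opts.get("--api-cors-header", []):
        if "*" in [v.strip() for v in value.split(",")]:
            findings.append(("--api-cors-header", "'*' allows all origins"))
    if flag_on(opts, "--icc", True):
        findings.append(("--icc", "inter-container traffic is unrestricted"))
    if "--userns-remap" not in opts:
        findings.append(("--userns-remap", "user namespaces are not enabled"))
    return findings


# Constructed sample command lines (not taken from any real host).
WEAK = ('sudo dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 '
        '--insecure-registry 10.0.0.0/8 --api-cors-header="*"')
HARDENED = ('dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 '
            '--tlsverify --tlscacert=/etc/docker/ca.pem '
            '--tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem '
            '--icc=false --userns-remap=default')

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for flag, msg in audit(cmd) or [("ok", "no findings")]:
            print(f"  {flag}: {msg}")
```

Settings loaded from --config-file are not visible on the command line, so a complete review also has to read that file.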

STORAGE DRIVER OPTIONS
Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be configured.

Specify options to the storage backend with --storage-opt flags. The
backends that currently take options are devicemapper, zfs and btrfs.
Options for devicemapper are prefixed with dm, options for zfs start
with zfs and options for btrfs start with btrfs.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not use
it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use lvm to create a thin pool; for more
information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
tell the Docker engine to use that pool for allocating images and
container snapshots.

dm.thinpooldev
Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use
lvm to create and manage the thin-pool volume. This volume is then
handed to Docker to exclusively create snapshot volumes needed for
images and containers.

Managing the thin-pool outside of Engine makes for the most
feature-rich method of having Docker utilize device mapper thin
provisioning as the backing storage for Docker containers. The
highlights of the lvm-based thin-pool management feature include:
automatic or interactive thin-pool resize support, dynamically changing
thin-pool features, automatic thinp metadata checking when lvm
activates the thin-pool, etc.

As a fallback if no thin pool is provided, loopback files are created.
Loopback is very slow, but can be used without any pre-configuration of
storage. It is strongly recommended that you do not use loopback in
production. Ensure your Engine daemon has a --storage-opt
dm.thinpooldev argument provided.

Example use:

    $ dockerd \
        --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

dm.directlvm_device
As an alternative to manually creating a thin pool as above, Docker can
automatically configure a block device for you.

Example use:

    $ dockerd \
        --storage-opt dm.directlvm_device=/dev/xvdf

dm.thinp_percent
Sets the percentage of the passed-in block device to use for storage.

Example:

    $ sudo dockerd \
        --storage-opt dm.thinp_percent=95

dm.thinp_metapercent
Sets the percentage of the passed-in block device to use for metadata
storage.

Example:

    $ sudo dockerd \
        --storage-opt dm.thinp_metapercent=1

dm.thinp_autoextend_threshold
Sets the percentage of space used before lvm attempts to autoextend the
available space [100 = disabled].

Example:

    $ sudo dockerd \
        --storage-opt dm.thinp_autoextend_threshold=80

dm.thinp_autoextend_percent
Sets the percentage to increase the thin pool by when lvm attempts to
autoextend the available space [100 = disabled].

Example:

    $ sudo dockerd \
        --storage-opt dm.thinp_autoextend_percent=20

dm.basesize
Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note, thin
devices are inherently "sparse", so a 10G device which is mostly empty
doesn't use 10 GB of space on the pool. However, the filesystem will
use more space for base images the larger the device is.

The base device size can be increased at daemon restart, which will
allow all future images and containers (based on those new images) to
be of the new base device size.

Example use: dockerd --storage-opt dm.basesize=50G

This will increase the base device size to 50G. The Docker daemon will
throw an error if the existing base device size is larger than 50G. A
user can use this option to expand the base device size; however,
shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may
already be initialized and inherited by pulled images. Typically, a
change to this value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Example use: dockerd --storage-opt dm.basesize=20G

dm.fs
Specifies the filesystem type to use for the base device. The supported
options are ext4 and xfs. The default is ext4.

Example use: dockerd --storage-opt dm.fs=xfs

dm.mkfsarg
Specifies extra mkfs arguments to be used when creating the base
device.

Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

dm.mountopt
Specifies extra mount options used when mounting the thin devices.

Example use: dockerd --storage-opt dm.mountopt=nodiscard

dm.use_deferred_removal
Enables use of deferred device removal if libdm and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, a deferred removal is scheduled on the
device. The device then goes away automatically when its last user
exits.

For example, when a container exits, its associated thin device is
removed. If that device has leaked into some other mount namespace and
can't be removed, the container exit still succeeds and this option
causes the system to schedule the device for deferred removal. It does
not wait in a loop trying to remove a busy device.

Example use: dockerd --storage-opt dm.use_deferred_removal=true

dm.use_deferred_deletion
Enables use of deferred device deletion for thin pool devices. By
default, thin pool device deletion is synchronous. Before a container
is deleted, the Docker daemon removes any associated devices. If the
storage driver cannot remove a device, the container deletion fails and
the daemon returns:

    Error deleting container: Error response from daemon: Cannot destroy container

To avoid this failure, enable both deferred device deletion and
deferred device removal on the daemon.

    dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later,
when the device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It helps
when a mount point unintentionally leaks across multiple mount
namespaces.

dm.loopdatasize
Note: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up this much
space.

Example use: dockerd --storage-opt dm.loopdatasize=200G

dm.loopmetadatasize
Note: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size is
2G. The file is sparse, so it will not initially take up this much
space.

Example use: dockerd --storage-opt dm.loopmetadatasize=4G

dm.datadev
(Deprecated, use dm.thinpooldev)

Specifies a custom blockdevice to use for data for a Docker-managed
thin pool. It is better to use dm.thinpooldev - see the documentation
for it above for discussion of the advantages.

dm.metadatadev
(Deprecated, use dm.thinpooldev)

Specifies a custom blockdevice to use for metadata for a Docker-managed
thin pool. See dm.datadev for why this is deprecated.

dm.blocksize
Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: dockerd --storage-opt dm.blocksize=512K

dm.blkdiscard
Enables or disables the use of blkdiscard when removing devicemapper
devices. This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to much faster container removal
times, but it also prevents the space used in /var/lib/docker directory
from being returned to the system for other use when containers are
removed.

Example use: dockerd --storage-opt dm.blkdiscard=false

dm.override_udev_sync_check
By default, the devicemapper backend attempts to synchronize with the
udev device manager for the Linux kernel. This option allows disabling
that synchronization, to continue even though the configuration may be
buggy.

To view the udev sync support of a Docker daemon that is using the
devicemapper driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When udev sync support is true, then devicemapper and udev can
coordinate the activation and deactivation of devices for containers.

When udev sync support is false, a race condition occurs between the
devicemapper and udev during create and cleanup. The race condition
results in errors and failures. (For information on these failures, see
docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

To allow the docker daemon to start, regardless of whether udev sync is
false, set dm.override_udev_sync_check to true:

    $ dockerd --storage-opt dm.override_udev_sync_check=true

When this value is true, the driver continues and simply warns you the
errors are happening.

Note: The ideal is to pursue a docker daemon and environment that does
support synchronizing with udev. For further discussion on this topic,
see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
Otherwise, set this flag for migrating existing Docker daemons to a
daemon with a supported environment.

dm.min_free_space
Specifies the minimum free space, as a percentage, that a thin pool
requires for new device creation to succeed. This check applies to both
free data space and free metadata space. Valid values are from 0% to
99%. A value of 0% disables the free space checking logic. If the user
does not specify a value for this option, the Engine uses a default
value of 10%.

Whenever a new thin pool device is created (during docker pull or
during container creation), the Engine checks if the minimum free space
is available. If the space is unavailable, then device creation fails
and any relevant docker operation fails.

To recover from this error, you must create more free space in the thin
pool. You can create free space by deleting some images and containers
from the thin pool. You can also add more storage to the thin pool.

To add more space to an LVM (logical volume management) thin pool, just
add more storage to the group containing the thin pool; this should
automatically resolve any errors. If your configuration uses loop
devices, then stop the Engine daemon, grow the size of the loop files
and restart the daemon to resolve the issue.

Example use: dockerd --storage-opt dm.min_free_space=10%

dm.xfs_nospace_max_retries
Specifies the maximum number of retries XFS should attempt to complete
IO when an ENOSPC (no space) error is returned by the underlying
storage device.

By default XFS retries infinitely for IO to finish, and this can result
in an unkillable process. To change this behavior, set
xfs_nospace_max_retries to, say, 0; XFS will then not retry IO after
getting ENOSPC and will shut down the filesystem.

Example use:

    $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

dm.libdm_log_level
Specifies the maximum libdm log level that will be forwarded to the
dockerd log (as specified by --log-level). This option is primarily
intended for debugging problems involving libdm. Using values other
than the defaults may cause false-positive warnings to be logged.

Values specified must fall within the range of valid libdm log levels.
At the time of writing, the following is the list of libdm log levels
as well as their corresponding levels when output by dockerd.

┌────────────┬───────┬─────────────┐
│libdm Level │ Value │ --log-level │
├────────────┼───────┼─────────────┤
│_LOG_FATAL  │ 2     │ error       │
├────────────┼───────┼─────────────┤
│_LOG_ERR    │ 3     │ error       │
├────────────┼───────┼─────────────┤
│_LOG_WARN   │ 4     │ warn        │
├────────────┼───────┼─────────────┤
│_LOG_NOTICE │ 5     │ info        │
├────────────┼───────┼─────────────┤
│_LOG_INFO   │ 6     │ info        │
├────────────┼───────┼─────────────┤
│_LOG_DEBUG  │ 7     │ debug       │
└────────────┴───────┴─────────────┘

Example use:

    $ sudo dockerd \
        --log-level debug \
        --storage-opt dm.libdm_log_level=7
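
The devicemapper options above carry several operational warnings: loopback is the fallback when no thin pool is given, dm.datadev and dm.metadatadev are deprecated, dm.min_free_space=0% turns the free space check off, and XFS retries forever on ENOSPC unless dm.xfs_nospace_max_retries is set. The following check is an added example, not part of the Docker manual or the Docker code base; it assumes the daemon uses the devicemapper driver and collects those conditions from the --storage-opt values of a command line. Function names, finding texts and the sample command lines are constructed for illustration.

```python
import shlex


def storage_opts(cmdline):
    """Collect --storage-opt key=value pairs from a dockerd command line."""
    tokens = shlex.split(cmdline)
    opts = {}
    for i, tok in enumerate(tokens):
        if tok == "--storage-opt" and i + 1 < len(tokens):
            pair = tokens[i + 1]
        elif tok.startswith("--storage-opt="):
            pair = tok[len("--storage-opt="):]
        else:
            continue
        key, _, value = pair.partition("=")
        opts[key] = value
    return opts


def audit_devicemapper(cmdline):
    """Return (option, message) findings; assumes the devicemapper driver."""
    opts = storage_opts(cmdline)
    findings = []

    def enabled(key):
        return opts.get(key, "false").lower() == "true"

    # Without a thin pool or block device the daemon creates loopback files.
    if not any(k in opts for k in
               ("dm.thinpooldev", "dm.directlvm_device", "dm.datadev")):
        findings.append(("dm.thinpooldev",
                         "no thin pool given, loopback files will be used"))
    for key in ("dm.loopdatasize", "dm.loopmetadatasize"):
        if key in opts:
            findings.append((key, "configures loopback, not for production"))
    for key in ("dm.datadev", "dm.metadatadev"):
        if key in opts:
            findings.append((key, "deprecated, use dm.thinpooldev"))
    if enabled("dm.override_udev_sync_check"):
        findings.append(("dm.override_udev_sync_check",
                         "daemon runs despite missing udev sync (races)"))
    if enabled("dm.use_deferred_deletion") and \
            not enabled("dm.use_deferred_removal"):
        findings.append(("dm.use_deferred_deletion",
                         "manual says to enable dm.use_deferred_removal too"))
    raw = opts.get("dm.min_free_space")
    if raw is not None:
        try:
            percent = int(raw.rstrip("%"))
        except ValueError:
            percent = -1
        if not 0 <= percent <= 99:
            findings.append(("dm.min_free_space",
                             f"{raw!r} is outside the valid 0%-99% range"))
        elif percent == 0:
            findings.append(("dm.min_free_space",
                             "0% disables the free space check"))
    if opts.get("dm.fs") == "xfs" and "dm.xfs_nospace_max_retries" not in opts:
        findings.append(("dm.xfs_nospace_max_retries",
                         "unset: XFS retries IO forever on ENOSPC"))
    return findings


# Constructed sample command lines (not taken from any real host).
LOOPBACK = ("dockerd --storage-opt dm.loopdatasize=200G "
            "--storage-opt dm.min_free_space=0% "
            "--storage-opt dm.override_udev_sync_check=true "
            "--storage-opt dm.fs=xfs")
THINPOOL = ("dockerd --storage-opt dm.thinpooldev=/dev/mapper/thin-pool "
            "--storage-opt dm.use_deferred_removal=true "
            "--storage-opt dm.use_deferred_deletion=true "
            "--storage-opt dm.fs=xfs "
            "--storage-opt dm.xfs_nospace_max_retries=0")

if __name__ == "__main__":
    for label, cmd in (("loopback", LOOPBACK), ("thin pool", THINPOOL)):
        print(label)
        for opt, msg in audit_devicemapper(cmd) or [("ok", "no findings")]:
            print(f"  {opt}: {msg}")
```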

zfs.fsname
Set the zfs filesystem under which docker will create its own datasets.
By default docker will pick up the zfs filesystem where the docker
graph (/var/lib/docker) is located.

Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

btrfs.min_space
Specifies the minimum size to use when creating the subvolume which is
used for containers. If the user uses disk quota for btrfs when
creating or running a container with the --storage-opt size option,
docker should ensure the size cannot be smaller than btrfs.min_space.

Example use: dockerd -s btrfs --storage-opt btrfs.min_space=10G

The daemon uses libkv to advertise the node within the cluster. Some
Key/Value backends support mutual TLS, and the client TLS settings used
by the daemon can be configured using the --cluster-store-opt flag,
specifying the paths to PEM encoded files.

kv.cacertfile
Specifies the path to a local file with PEM encoded CA certificates to
trust.

kv.certfile
Specifies the path to a local file with a PEM encoded certificate.
This certificate is used as the client cert for communication with the
Key/Value store.

kv.keyfile
Specifies the path to a local file with a PEM encoded private key.
This private key is used as the client key for communication with the
Key/Value store.

Docker's access authorization can be extended by authorization plugins
that your organization can purchase or build themselves. You can
install one or more authorization plugins when you start the Docker
daemon using the --authorization-plugin=PLUGIN_ID option.

    dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

The PLUGIN_ID value is either the plugin's name or a path to its
specification file. The plugin's implementation determines whether you
can specify a name or path. Consult with your Docker administrator to
get information about the plugins available to you.

Once a plugin is installed, requests made to the daemon through the
command line or Docker's Engine API are allowed or denied by the
plugin. If you have multiple plugins installed, each plugin, in order,
must allow the request for it to complete.

For information about how to create an authorization plugin, see access
authorization plugin
⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
in the Docker extend section of this documentation.

RUNTIME EXECUTION OPTIONS
You can configure the runtime using options specified with the
--exec-opt flag. All the flag's options have the native prefix. A
single native.cgroupdriver option is available.

The native.cgroupdriver option specifies the management of the
container's cgroups. You can only specify cgroupfs or systemd. If you
specify systemd and it is not available, the system errors out. If you
omit the native.cgroupdriver option, cgroupfs is used on cgroup v1
hosts, and systemd is used on cgroup v2 hosts with systemd available.

This example sets the cgroupdriver to systemd:

    $ sudo dockerd --exec-opt native.cgroupdriver=systemd

Setting this option applies to all containers the daemon launches.

Sept 2015, Originally compiled by Shishir Mahajan
shishir.mahajan@redhat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based on
docker.com source material and internal work.

Docker Community SEPTEMBER 2015 DOCKERD(8)