1DOCKERD(8) Docker User Manuals DOCKERD(8)
2
6 dockerd - Enable daemon mode
7
11 dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
12 [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
13 [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]] [--cluster-
14 store[=[]]] [--cluster-advertise[=[]]] [--cluster-store-opt[=map[]]]
15 [--config-file[=/etc/docker/daemon.json]] [--containerd[=SOCKET-PATH]]
16 [--data-root[=/var/lib/docker]] [-D|--debug] [--default-cgroupns-
17 mode[=host]] [--default-gateway[=DEFAULT-GATEWAY]] [--default-gateway-
18 v6[=DEFAULT-GATEWAY-V6]] [--default-address-pool[=DEFAULT-ADDRESS-
19 POOL]] [--default-runtime[=runc]] [--default-ipc-mode=MODE] [--default-
20 shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]] [--dns-opt[=[]]]
21 [--dns-search[=[]]] [--exec-opt[=[]]] [--exec-root[=/var/run/docker]]
22 [--experimental[=false]] [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-
23 v6[=FIXED-CIDR-V6]] [-G|--group[=docker]] [-H|--host[=[]]] [--help]
24 [--icc[=true]] [--init[=false]] [--init-path[=""]] [--insecure-reg‐
25 istry[=[]]] [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
26 [--iptables[=true]] [--ipv6] [--isolation[=default]] [-l|--log-
27 level[=info]] [--label[=[]]] [--live-restore[=false]] [--log-
28 driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]] [--max-concurrent-
29 downloads[=3]] [--max-concurrent-uploads[=5]] [--max-download-at‐
30 tempts[=5]] [--node-generic-resources[=[]]] [-p|--pid‐
31 file[=/var/run/docker.pid]] [--raw-logs] [--registry-mirror[=[]]]
32 [-s|--storage-driver[=STORAGE-DRIVER]] [--seccomp-profile[=SECCOMP-PRO‐
33 FILE-PATH]] [--selinux-enabled] [--shutdown-timeout[=15]] [--storage-
34 opt[=[]]] [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
35 [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
36 [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
37 [--userland-proxy-path[=""]] [--userns-remap[=default]]
38
42 dockerd is used for starting the Docker daemon (i.e., to command the
43 daemon to manage images, containers etc). So dockerd is a server, as a
44 daemon.
45 To run the Docker daemon you can specify dockerd. You can check the
48 daemon options using dockerd --help. Daemon options should be speci‐
49 fied after the dockerd keyword in the following format.
50 dockerd [OPTIONS]
53
57 --add-runtime=[]
58 Runtimes can be registered with the daemon either via the configura‐
59 tion file or using the --add-runtime command line argument.
60 The following is an example adding 2 runtimes via the configuration:
63 {
66 "default-runtime": "runc",
67 "runtimes": {
68 "runc": {
69 "path": "runc"
70 },
71 "custom": {
72 "path": "/usr/local/bin/my-runc-replacement",
73 "runtimeArgs": [
74 "--debug"
75 ]
76 }
77 }
78 }
79 This is the same example via the command line:
83 $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
86 Note: defining runtime arguments via the command line is not supported.
90 --allow-nondistributable-artifacts=[]
93 Push nondistributable artifacts to the specified registries.
94 List can contain elements with CIDR notation to specify a whole subnet.
97 This option is useful when pushing images containing nondistributable
100 artifacts to a registry on an air-gapped network so hosts on that
101 network can
102 pull the images without connecting to another server.
103 Warning: Nondistributable artifacts typically have restrictions on how
106 and where they can be distributed and shared. Only use this feature
107 to push
108 artifacts to private registries and ensure that you are in compliance
109 with
110 any terms that cover redistributing nondistributable artifacts.
111 --api-cors-header=""
114 Set CORS headers in the Engine API. Default is cors disabled. Give
115 urls like
116 "http://foo, http://bar, ...". Give "*" to allow all.
117 --authorization-plugin=""
120 Set authorization plugins to load
121 -b, --bridge=""
124 Attach containers to a pre-existing network bridge; use 'none' to
125 disable
126 container networking
127 --bip=""
130 Use the provided CIDR notation address for the dynamically created
131 bridge
132 (docker0); Mutually exclusive of -b
133 --cgroup-parent=""
136 Set parent cgroup for all containers. Default is "/docker" for fs
137 cgroup
138 driver and "system.slice" for systemd cgroup driver.
139 --cluster-store=""
142 URL of the distributed storage backend
143 --cluster-advertise=""
146 Specifies the 'host:port' or interface:port combination that this
147 particular daemon instance should use when advertising itself to the
148 cluster.
149 The daemon is reached through this value.
150 --cluster-store-opt=""
153 Specifies options for the Key/Value store.
154 --config-file="/etc/docker/daemon.json"
157 Specifies the JSON file path to load the configuration from.
158 --containerd=""
161 Path to containerd socket.
162 --data-root=""
165 Path to the directory used to store persisted Docker data such as
166 configuration for resources, swarm cluster state, and filesystem data
167 for
168 images, containers, and local volumes. Default is /var/lib/docker.
169 -D, --debug=true|false
172 Enable debug mode. Default is false.
173 --default-cgroupns-mode="host|private"
176 Set the default cgroup namespace mode for newly created containers.
177 The argument
178 can either be host or private. If unset, this defaults to host on
179 cgroup v1, private on cgroup v2.
180 --default-gateway=""
183 IPv4 address of the container default gateway; this address must be
184 part of
185 the bridge subnet (which is defined by -b or --bip)
186 --default-gateway-v6=""
189 IPv6 address of the container default gateway
190 --default-address-pool=""
193 Default address pool from which IPAM driver selects a subnet for the
194 networks.
195 Example: base=172.30.0.0/16,size=24 will set the default
196 address pools for the selected scope networks to
197 {172.30.[0-255].0/24}
198 --default-runtime="runc"
201 Set default runtime if there're more than one specified by --add-run‐
202 time.
203 --default-ipc-mode="private|shareable"
206 Set the default IPC mode for newly created containers. The argument
207 can either be private or shareable.
208 --default-shm-size=64MiB
211 Set the daemon-wide default shm size for containers. Default is
212 64MiB.
213 --default-ulimit=[]
216 Default ulimits for containers.
217 --dns=""
220 Force Docker to use specific DNS servers
221 --dns-opt=""
224 DNS options to use.
225 --dns-search=[]
228 DNS search domains to use.
229 --exec-opt=[]
232 Set runtime execution options. See RUNTIME EXECUTION OPTIONS.
233 --exec-root=""
236 Path to use as the root of the Docker execution state files. Default
237 is
238 /var/run/docker.
239 --experimental=""
242 Enable the daemon experimental features.
243 --fixed-cidr=""
246 IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
247 nested in
248 the bridge subnet (which is defined by -b or --bip).
249 --fixed-cidr-v6=""
252 IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)
253 -G, --group=""
256 Group to assign the unix socket specified by -H when running in dae‐
257 mon mode.
258 use '' (the empty string) to disable setting of a group. Default is
259 docker.
260 -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
263 unix://[/path/to/socket] to use.
264 The socket(s) to bind to in daemon mode specified using one or more
265 tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
266 --help
269 Print usage statement
270 --icc=true|false
273 Allow unrestricted inter-container and Docker daemon host communica‐
274 tion. If
275 disabled, containers can still be linked together using the --link
276 option
277 (see docker-run(1)). Default is true.
278 --init
281 Run an init process inside containers for signal forwarding and
282 process
283 reaping.
284 --init-path
287 Path to the docker-init binary.
288 --insecure-registry=[]
291 Enable insecure registry communication, i.e., enable un-encrypted
292 and/or
293 untrusted communication.
294 List of insecure registries can contain an element with CIDR notation
297 to
298 specify a whole subnet. Insecure registries accept HTTP and/or accept
299 HTTPS
300 with certificates from unknown CAs.
301 Enabling --insecure-registry is useful when running a local registry.
304 However, because its use creates security vulnerabilities it should
305 ONLY be
306 enabled for testing purposes. For increased security, users should
307 add their
308 CA to their system's list of trusted CAs instead of using
309 --insecure-registry.
310 --ip=""
313 Default IP address to use when binding container ports. Default is
314 0.0.0.0.
315 --ip-forward=true|false
318 Enables IP forwarding on the Docker host. The default is true. This
319 flag
320 interacts with the IP forwarding setting on your host system's ker‐
321 nel. If
322 your system has IP forwarding disabled, this setting enables it. If
323 your
324 system has IP forwarding enabled, setting this flag to --ip-for‐
325 ward=false
326 has no effect.
327 This setting will also enable IPv6 forwarding if you have both
330 --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
331 Router Advertisements and interfere with the host's existing IPv6
332 configuration. For more information, please consult the documentation
333 about
334 "Advanced Networking - IPv6".
335 --ip-masq=true|false
338 Enable IP masquerading for bridge's IP range. Default is true.
339 --iptables=true|false
342 Enable Docker's addition of iptables rules. Default is true.
343 --ipv6=true|false
346 Enable IPv6 support. Default is false. Docker will create an IPv6-en‐
347 abled
348 bridge with address fe80::1 which will allow you to create IPv6-en‐
349 abled
350 containers. Use together with --fixed-cidr-v6 to provide globally
351 routable
352 IPv6 addresses. IPv6 forwarding will be enabled if not used with
353 --ip-forward=false. This may collide with your host's current IPv6
354 settings. For more information please consult the documentation about
355 "Advanced Networking - IPv6".
356 --isolation="default"
359 Isolation specifies the type of isolation technology used by con‐
360 tainers.
361 Note that the default on Windows server is process, and the default
362 on
363 Windows client is hyperv. Linux only supports default.
364 -l, --log-level="debug|info|warn|error|fatal"
367 Set the logging level. Default is info.
368 --label="[]"
371 Set key=value labels to the daemon (displayed in docker info)
372 --live-restore=false
375 Enable live restore of running containers when the daemon starts so
376 that they
377 are not restarted. This option is applicable only for docker daemon
378 running
379 on Linux host.
380 --log-driver="json-file|syslog|journald|gelf|flu‐
383 entd|awslogs|splunk|etwlogs|gcplogs|none"
384 Default driver for container logs. Default is json-file.
385 Warning: docker logs command works only for json-file logging driver.
386 --log-opt=[]
389 Logging driver specific options.
390 --mtu=0
393 Set the containers network mtu. Default is 0.
394 --max-concurrent-downloads=3
397 Set the max concurrent downloads for each pull. Default is 3.
398 --max-concurrent-uploads=5
401 Set the max concurrent uploads for each push. Default is 5.
402 --max-download-attempts=5
405 Set the max download attempts for each pull. Default is 5.
406 --node-generic-resources=[]
409 Advertise user-defined resource. Default is [].
410 Use this if your swarm cluster has some nodes with custom
411 resources (e.g: NVIDIA GPU, SSD, ...) and you need your services to
412 land on
413 nodes advertising these resources.
414 Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
415 --node-generic-resources "NVIDIA-GPU=UUID2"
416 -p, --pidfile=""
419 Path to use for daemon PID file. Default is /var/run/docker.pid
420 --raw-logs
423 Output daemon logs in full timestamp format without ANSI coloring. If
424 this
425 flag is not set, the daemon outputs condensed, colorized logs if a
426 terminal
427 is detected, or full ("raw") output otherwise.
428 --registry-mirror=://
431 Prepend a registry mirror to be used for image pulls. May be speci‐
432 fied
433 multiple times.
434 -s, --storage-driver=""
437 Force the Docker runtime to use a specific storage driver.
438 --seccomp-profile=""
441 Path to seccomp profile.
442 --selinux-enabled=true|false
445 Enable selinux support. Default is false.
446 --shutdown-timeout=15
449 Set the shutdown timeout value in seconds. Default is 15.
450 --storage-opt=[]
453 Set storage driver options. See STORAGE DRIVER OPTIONS.
454 --swarm-default-advertise-addr=IP|INTERFACE
457 Set default address or interface for swarm to advertise as its
458 externally-reachable address to other cluster members. This can be a
459 hostname, an IP address, or an interface such as eth0. A port cannot
460 be
461 specified with this option.
462 --tls=true|false
465 Use TLS; implied by --tlsverify. Default is false.
466 --tlscacert=~/.docker/ca.pem
469 Trust certs signed only by this CA.
470 --tlscert=~/.docker/cert.pem
473 Path to TLS certificate file.
474 --tlskey=~/.docker/key.pem
477 Path to TLS key file.
478 --tlsverify=true|false
481 Use TLS and verify the remote (daemon: verify client, client: verify
482 daemon).
483 Default is false.
484 --userland-proxy=true|false
487 Rely on a userland proxy implementation for inter-container and
488 outside-to-container loopback communications. Default is true.
489 --userland-proxy-path=""
492 Path to the userland proxy binary.
493 --userns-remap=default|uid:gid|user:group|user|uid
496 Enable user namespaces for containers on the daemon. Specifying "de‐
497 fault"
498 will cause a new user and group to be created to handle UID and GID
499 range
500 remapping for the user namespace mappings used for contained pro‐
501 cesses.
502 Specifying a user (or uid) and optionally a group (or gid) will cause
503 the
504 daemon to lookup the user and group's subordinate ID ranges for use
505 as the
506 user namespace mappings for contained processes.
507
511 Docker uses storage backends (known as "graphdrivers" in the Docker in‐
512 ternals) to create writable containers from images. Many of these
513 backends use operating system level technologies and can be configured.
514 Specify options to the storage backend with --storage-opt flags. The
517 backends that currently take options are devicemapper, zfs and btrfs.
518 Options for devicemapper are prefixed with dm, options for zfs start
519 with zfs and options for btrfs start with btrfs.
520 Specifically for devicemapper, the default is a "loopback" model which
523 requires no pre-configuration, but is extremely inefficient. Do not
524 use it in production.
525 To make the best use of Docker with the devicemapper backend, you must
528 have a recent version of LVM. Use lvm to create a thin pool; for more
529 information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
530 tell the Docker engine to use that pool for allocating images and con‐
531 tainer snapshots.
532
535 dm.thinpooldev
536 Specifies a custom block storage device to use for the thin pool.
537 If using a block device for device mapper storage, it is best to use
540 lvm to create and manage the thin-pool volume. This volume is then
541 handed to Docker to exclusively create snapshot volumes needed for im‐
542 ages and containers.
543 Managing the thin-pool outside of Engine makes for the most feature-
546 rich method of having Docker utilize device mapper thin provisioning as
547 the backing storage for Docker containers. The highlights of the lvm-
548 based thin-pool management feature include: automatic or interactive
549 thin-pool resize support, dynamically changing thin-pool features, au‐
550 tomatic thinp metadata checking when lvm activates the thin-pool, etc.
551 As a fallback if no thin pool is provided, loopback files are created.
554 Loopback is very slow, but can be used without any pre-configuration of
555 storage. It is strongly recommended that you do not use loopback in
556 production. Ensure your Engine daemon has a --storage-opt dm.thin‐
557 pooldev argument provided.
558 Example use:
561 $ dockerd \
564 --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
565 dm.directlvm_device
568 As an alternative to manually creating a thin pool as above, Docker can
569 automatically configure a block device for you.
570 Example use:
573 $ dockerd \
576 --storage-opt dm.directlvm_device=/dev/xvdf
577 dm.thinp_percent
580 Sets the percentage of passed in block device to use for storage.
581 Example:
584 $ sudo dockerd \
585 --storage-opt dm.thinp_percent=95
586 dm.thinp_metapercent
589 Sets the percentage of the passed in block device to use for metadata
590 storage.
591 Example:
594 $ sudo dockerd \
595 --storage-opt dm.thinp_metapercent=1
596 dm.thinp_autoextend_threshold
599 Sets the value of the percentage of space used before lvm attempts to
600 autoextend the available space [100 = disabled]
601 Example:
604 $ sudo dockerd \
605 --storage-opt dm.thinp_autoextend_threshold=80
606 dm.thinp_autoextend_percent
609 Sets the value percentage value to increase the thin pool by when lvm
610 attempts to autoextend the available space [100 = disabled]
611 Example:
614 $ sudo dockerd \
615 --storage-opt dm.thinp_autoextend_percent=20
616 dm.basesize
619 Specifies the size to use when creating the base device, which limits
620 the size of images and containers. The default value is 10G. Note, thin
621 devices are inherently "sparse", so a 10G device which is mostly empty
622 doesn't use 10 GB of space on the pool. However, the filesystem will
623 use more space for base images the larger the device is.
624 The base device size can be increased at daemon restart which will al‐
627 low all future images and containers (based on those new images) to be
628 of the new base device size.
629 Example use: dockerd --storage-opt dm.basesize=50G
632 This will increase the base device size to 50G. The Docker daemon will
635 throw an error if existing base device size is larger than 50G. A user
636 can use this option to expand the base device size however shrinking is
637 not permitted.
638 This value affects the system-wide "base" empty filesystem that may al‐
641 ready be initialized and inherited by pulled images. Typically, a
642 change to this value requires additional steps to take effect:
643 $ sudo service docker stop
646 $ sudo rm -rf /var/lib/docker
647 $ sudo service docker start
648 Example use: dockerd --storage-opt dm.basesize=20G
652 dm.fs
655 Specifies the filesystem type to use for the base device. The supported
656 options are ext4 and xfs. The default is ext4.
657 Example use: dockerd --storage-opt dm.fs=xfs
660 dm.mkfsarg
663 Specifies extra mkfs arguments to be used when creating the base de‐
664 vice.
665 Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"
668 dm.mountopt
671 Specifies extra mount options used when mounting the thin devices.
672 Example use: dockerd --storage-opt dm.mountopt=nodiscard
675 dm.use_deferred_removal
678 Enables use of deferred device removal if libdm and the kernel driver
679 support the mechanism.
680 Deferred device removal means that if device is busy when devices are
683 being removed/deactivated, then a deferred removal is scheduled on de‐
684 vice. And devices automatically go away when last user of the device
685 exits.
686 For example, when a container exits, its associated thin device is re‐
689 moved. If that device has leaked into some other mount namespace and
690 can't be removed, the container exit still succeeds and this option
691 causes the system to schedule the device for deferred removal. It does
692 not wait in a loop trying to remove a busy device.
693 Example use: dockerd --storage-opt dm.use_deferred_removal=true
696 dm.use_deferred_deletion
699 Enables use of deferred device deletion for thin pool devices. By de‐
700 fault, thin pool device deletion is synchronous. Before a container is
701 deleted, the Docker daemon removes any associated devices. If the stor‐
702 age driver can not remove a device, the container deletion fails and
703 daemon returns.
704 Error deleting container: Error response from daemon: Cannot destroy
707 container
708 To avoid this failure, enable both deferred device deletion and de‐
711 ferred device removal on the daemon.
712 dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt
715 dm.use_deferred_removal=true
716 With these two options enabled, if a device is busy when the driver is
719 deleting a container, the driver marks the device as deleted. Later,
720 when the device isn't in use, the driver deletes it.
721 In general it should be safe to enable this option by default. It will
724 help when unintentional leaking of mount point happens across multiple
725 mount namespaces.
726 dm.loopdatasize
729 Note: This option configures devicemapper loopback, which should not be
730 used in production.
731 Specifies the size to use when creating the loopback file for the
734 "data" device which is used for the thin pool. The default size is
735 100G. The file is sparse, so it will not initially take up this much
736 space.
737 Example use: dockerd --storage-opt dm.loopdatasize=200G
740 dm.loopmetadatasize
743 Note: This option configures devicemapper loopback, which should not be
744 used in production.
745 Specifies the size to use when creating the loopback file for the
748 "metadata" device which is used for the thin pool. The default size is
749 2G. The file is sparse, so it will not initially take up this much
750 space.
751 Example use: dockerd --storage-opt dm.loopmetadatasize=4G
754 dm.datadev
757 (Deprecated, use dm.thinpooldev)
758 Specifies a custom blockdevice to use for data for a Docker-managed
761 thin pool. It is better to use dm.thinpooldev - see the documentation
762 for it above for discussion of the advantages.
763 dm.metadatadev
766 (Deprecated, use dm.thinpooldev)
767 Specifies a custom blockdevice to use for metadata for a Docker-managed
770 thin pool. See dm.datadev for why this is deprecated.
771 dm.blocksize
774 Specifies a custom blocksize to use for the thin pool. The default
775 blocksize is 64K.
776 Example use: dockerd --storage-opt dm.blocksize=512K
779 dm.blkdiscard
782 Enables or disables the use of blkdiscard when removing devicemapper
783 devices. This is disabled by default due to the additional latency,
784 but as a special case with loopback devices it will be enabled, in or‐
785 der to re-sparsify the loopback file on image/container removal.
786 Disabling this on loopback can lead to much faster container removal
789 times, but it also prevents the space used in /var/lib/docker directory
790 from being returned to the system for other use when containers are re‐
791 moved.
792 Example use: dockerd --storage-opt dm.blkdiscard=false
795 dm.override_udev_sync_check
798 By default, the devicemapper backend attempts to synchronize with the
799 udev device manager for the Linux kernel. This option allows disabling
800 that synchronization, to continue even though the configuration may be
801 buggy.
802 To view the udev sync support of a Docker daemon that is using the de‐
805 vicemapper driver, run:
806 $ docker info
809 [...]
810 Udev Sync Supported: true
811 [...]
812 When udev sync support is true, then devicemapper and udev can coordi‐
816 nate the activation and deactivation of devices for containers.
817 When udev sync support is false, a race condition occurs between the
820 devicemapper and udev during create and cleanup. The race condition re‐
821 sults in errors and failures. (For information on these failures, see
822 docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)
823 To allow the docker daemon to start, regardless of whether udev sync is
826 false, set dm.override_udev_sync_check to true:
827 $ dockerd --storage-opt dm.override_udev_sync_check=true
830 When this value is true, the driver continues and simply warns you the
834 errors are happening.
835 Note: The ideal is to pursue a docker daemon and environment that does
838 support synchronizing with udev. For further discussion on this topic,
839 see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩. Other‐
840 wise, set this flag for migrating existing Docker daemons to a daemon
841 with a supported environment.
842 dm.min_free_space
845 Specifies the min free space percent in a thin pool require for new de‐
846 vice creation to succeed. This check applies to both free data space as
847 well as free metadata space. Valid values are from 0% - 99%. Value 0%
848 disables free space checking logic. If user does not specify a value
849 for this option, the Engine uses a default value of 10%.
850 Whenever a new a thin pool device is created (during docker pull or
853 during container creation), the Engine checks if the minimum free space
854 is available. If the space is unavailable, then device creation fails
855 and any relevant docker operation fails.
856 To recover from this error, you must create more free space in the thin
859 pool to recover from the error. You can create free space by deleting
860 some images and containers from tge thin pool. You can also add more
861 storage to the thin pool.
862 To add more space to an LVM (logical volume management) thin pool, just
865 add more storage to the group container thin pool; this should auto‐
866 matically resolve any errors. If your configuration uses loop devices,
867 then stop the Engine daemon, grow the size of loop files and restart
868 the daemon to resolve the issue.
869 Example use:: dockerd --storage-opt dm.min_free_space=10%
872 dm.xfs_nospace_max_retries
875 Specifies the maximum number of retries XFS should attempt to complete
876 IO when ENOSPC (no space) error is returned by underlying storage de‐
877 vice.
878 By default XFS retries infinitely for IO to finish and this can result
881 in unkillable process. To change this behavior one can set
882 xfs_nospace_max_retries to say 0 and XFS will not retry IO after get‐
883 ting ENOSPC and will shutdown filesystem.
884 Example use:
887 $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
890 dm.libdm_log_level
894 Specifies the maxmimum libdm log level that will be forwarded to the
895 dockerd log (as specified by --log-level). This option is primarily in‐
896 tended for debugging problems involving libdm. Using values other than
897 the defaults may cause false-positive warnings to be logged.
898 Values specified must fall within the range of valid libdm log levels.
901 At the time of writing, the following is the list of libdm log levels
902 as well as their corresponding levels when output by dockerd.
903 ┌────────────┬───────┬─────────────┐
906 │libdm Level │ Value │ --log-level │
907 ├────────────┼───────┼─────────────┤
908 │_LOG_FATAL │ 2 │ error │
909 ├────────────┼───────┼─────────────┤
910 │_LOG_ERR │ 3 │ error │
911 ├────────────┼───────┼─────────────┤
912 │_LOG_WARN │ 4 │ warn │
913 ├────────────┼───────┼─────────────┤
914 │_LOG_NOTICE │ 5 │ info │
915 ├────────────┼───────┼─────────────┤
916 │_LOG_INFO │ 6 │ info │
917 ├────────────┼───────┼─────────────┤
918 │_LOG_DEBUG │ 7 │ debug │
919 └────────────┴───────┴─────────────┘
920 Example use:
922 $ sudo dockerd \
925 --log-level debug \
926 --storage-opt dm.libdm_log_level=7
927
931 zfs.fsname
932 Set zfs filesystem under which docker will create its own datasets. By
933 default docker will pick up the zfs filesystem where docker graph
934 (/var/lib/docker) is located.
935 Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
938
941 btrfs.min_space
942 Specifies the minimum size to use when creating the subvolume which is
943 used for containers. If user uses disk quota for btrfs when creating or
944 running a container with --storage-opt size option, docker should en‐
945 sure the size cannot be smaller than btrfs.min_space.
946 Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G
949
953 The daemon uses libkv to advertise the node within the cluster. Some
954 Key/Value backends support mutual TLS, and the client TLS settings used
955 by the daemon can be configured using the --cluster-store-opt flag,
956 specifying the paths to PEM encoded files.
957 kv.cacertfile
960 Specifies the path to a local file with PEM encoded CA certificates to
961 trust
962 kv.certfile
965 Specifies the path to a local file with a PEM encoded certificate.
966 This certificate is used as the client cert for communication with the
967 Key/Value store.
968 kv.keyfile
971 Specifies the path to a local file with a PEM encoded private key.
972 This private key is used as the client key for communication with the
973 Key/Value store.
974
978 Docker's access authorization can be extended by authorization plugins
979 that your organization can purchase or build themselves. You can in‐
980 stall one or more authorization plugins when you start the Docker dae‐
981 mon using the --authorization-plugin=PLUGIN_ID option.
982 dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
985 The PLUGIN_ID value is either the plugin's name or a path to its speci‐
989 fication file. The plugin's implementation determines whether you can
990 specify a name or path. Consult with your Docker administrator to get
991 information about the plugins available to you.
992 Once a plugin is installed, requests made to the daemon through the
995 command line or Docker's Engine API are allowed or denied by the
996 plugin. If you have multiple plugins installed, each plugin, in order,
997 must allow the request for it to complete.
998 For information about how to create an authorization plugin, see access
1001 authorization plugin ⟨https://docs.docker.com/engine/extend/plugins_au‐
1002 thorization/⟩ section in the Docker extend section of this documenta‐
1003 tion.
1004
1008 You can configure the runtime using options specified with the --exec-
1009 opt flag. All the flag's options have the native prefix. A single na‐
1010 tive.cgroupdriver option is available.
1011 The native.cgroupdriver option specifies the management of the con‐
1014 tainer's cgroups. You can only specify cgroupfs or systemd. If you
1015 specify systemd and it is not available, the system errors out. If you
1016 omit the native.cgroupdriver option,cgroupfs is used on cgroup v1
1017 hosts, systemd is used on cgroup v2 hosts with systemd available.
1018 This example sets the cgroupdriver to systemd:
1021 $ sudo dockerd --exec-opt native.cgroupdriver=systemd
1024 Setting this option applies to all containers the daemon launches.
1028
1032 Sept 2015, Originally compiled by Shishir Mahajan shishir.mahajan@red‐
1033 hat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based on docker.com source
1034 material and internal work.
1035Docker Community SEPTEMBER 2015 DOCKERD(8)