DOCKERD(8)                    Docker User Manuals                   DOCKERD(8)

NAME

       dockerd - Enable daemon mode

SYNOPSIS

       dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
       [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
       [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
       [--cluster-store[=[]]] [--cluster-advertise[=[]]]
       [--cluster-store-opt[=map[]]]
       [--config-file[=/etc/docker/daemon.json]] [--containerd[=SOCKET-PATH]]
       [--data-root[=/var/lib/docker]] [-D|--debug]
       [--default-cgroupns-mode[=host]] [--default-gateway[=DEFAULT-GATEWAY]]
       [--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
       [--default-address-pool[=DEFAULT-ADDRESS-POOL]]
       [--default-runtime[=runc]] [--default-ipc-mode=MODE]
       [--default-shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]]
       [--dns-opt[=[]]] [--dns-search[=[]]] [--exec-opt[=[]]]
       [--exec-root[=/var/run/docker]] [--experimental[=false]]
       [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
       [-G|--group[=docker]] [-H|--host[=[]]] [--help] [--icc[=true]]
       [--init[=false]] [--init-path[=""]] [--insecure-registry[=[]]]
       [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]]
       [--iptables[=true]] [--ipv6] [--isolation[=default]]
       [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
       [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
       [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
       [--max-download-attempts[=5]] [--node-generic-resources[=[]]]
       [-p|--pidfile[=/var/run/docker.pid]] [--raw-logs]
       [--registry-mirror[=[]]] [-s|--storage-driver[=STORAGE-DRIVER]]
       [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
       [--shutdown-timeout[=15]] [--storage-opt[=[]]]
       [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
       [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
       [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
       [--userland-proxy-path[=""]] [--userns-remap[=default]]

DESCRIPTION

       dockerd is used for starting the Docker daemon (i.e., to command the
       daemon to manage images, containers, etc.). dockerd is therefore a
       server that runs as a daemon.

       To run the Docker daemon, invoke dockerd. You can check the daemon
       options using dockerd --help. Daemon options should be specified after
       the dockerd keyword in the following format:

       dockerd [OPTIONS]

OPTIONS

       --add-runtime=[]
         Runtimes can be registered with the daemon either via the
         configuration file or using the --add-runtime command line argument.

         The following is an example adding 2 runtimes via the configuration:

              {
                   "default-runtime": "runc",
                   "runtimes": {
                        "runc": {
                             "path": "runc"
                        },
                        "custom": {
                             "path": "/usr/local/bin/my-runc-replacement",
                             "runtimeArgs": [
                                  "--debug"
                             ]
                        }
                   }
              }

         This is the same example via the command line:

              $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

         Note: defining runtime arguments via the command line is not
         supported.

       --allow-nondistributable-artifacts=[]
         Push nondistributable artifacts to the specified registries.

         List can contain elements with CIDR notation to specify a whole
         subnet.

         This option is useful when pushing images containing
         nondistributable artifacts to a registry on an air-gapped network so
         hosts on that network can pull the images without connecting to
         another server.

         Warning: Nondistributable artifacts typically have restrictions on
         how and where they can be distributed and shared. Only use this
         feature to push artifacts to private registries and ensure that you
         are in compliance with any terms that cover redistributing
         nondistributable artifacts.

       --api-cors-header=""
         Set CORS headers in the Engine API. Default is CORS disabled. Give
         URLs like "http://foo, http://bar, ...". Give "*" to allow all.

       --authorization-plugin=""
         Set authorization plugins to load.

       -b, --bridge=""
         Attach containers to a pre-existing network bridge; use 'none' to
         disable container networking.

       --bip=""
         Use the provided CIDR notation address for the dynamically created
         bridge (docker0); mutually exclusive with -b.

       --cgroup-parent=""
         Set parent cgroup for all containers. Default is "/docker" for fs
         cgroup driver and "system.slice" for systemd cgroup driver.

       --cluster-store=""
         URL of the distributed storage backend.

       --cluster-advertise=""
         Specifies the 'host:port' or interface:port combination that this
         particular daemon instance should use when advertising itself to the
         cluster. The daemon is reached through this value.

       --cluster-store-opt=""
         Specifies options for the Key/Value store.

       --config-file="/etc/docker/daemon.json"
         Specifies the JSON file path to load the configuration from.

       --containerd=""
         Path to containerd socket.

       --data-root=""
         Path to the directory used to store persisted Docker data such as
         configuration for resources, swarm cluster state, and filesystem
         data for images, containers, and local volumes. Default is
         /var/lib/docker.

       -D, --debug=true|false
         Enable debug mode. Default is false.

       --default-cgroupns-mode="host|private"
         Set the default cgroup namespace mode for newly created containers.
         The argument can either be host or private. If unset, this defaults
         to host on cgroup v1, private on cgroup v2.

       --default-gateway=""
         IPv4 address of the container default gateway; this address must be
         part of the bridge subnet (which is defined by -b or --bip).

       --default-gateway-v6=""
         IPv6 address of the container default gateway.

       --default-address-pool=""
         Default address pool from which IPAM driver selects a subnet for the
         networks. Example: base=172.30.0.0/16,size=24 will set the default
         address pools for the selected scope networks to
         {172.30.[0-255].0/24}.

       --default-runtime="runc"
         Set default runtime if there is more than one specified by
         --add-runtime.

       --default-ipc-mode="private|shareable"
         Set the default IPC mode for newly created containers. The argument
         can either be private or shareable.

       --default-shm-size=64MiB
         Set the daemon-wide default shm size for containers. Default is
         64MiB.

       --default-ulimit=[]
         Default ulimits for containers.

       --dns=""
         Force Docker to use specific DNS servers.

       --dns-opt=""
         DNS options to use.

       --dns-search=[]
         DNS search domains to use.

       --exec-opt=[]
         Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

       --exec-root=""
         Path to use as the root of the Docker execution state files. Default
         is /var/run/docker.

       --experimental=""
         Enable the daemon experimental features.

       --fixed-cidr=""
         IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
         nested in the bridge subnet (which is defined by -b or --bip).

       --fixed-cidr-v6=""
         IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

       -G, --group=""
         Group to assign the unix socket specified by -H when running in
         daemon mode. Use '' (the empty string) to disable setting of a
         group. Default is docker.

       -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
       unix://[/path/to/socket] to use.
         The socket(s) to bind to in daemon mode specified using one or more
         tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

       --help
         Print usage statement.

       --icc=true|false
         Allow unrestricted inter-container and Docker daemon host
         communication. If disabled, containers can still be linked together
         using the --link option (see docker-run(1)). Default is true.

       --init
         Run an init process inside containers for signal forwarding and
         process reaping.

       --init-path
         Path to the docker-init binary.

       --insecure-registry=[]
         Enable insecure registry communication, i.e., enable un-encrypted
         and/or untrusted communication.

         List of insecure registries can contain an element with CIDR
         notation to specify a whole subnet. Insecure registries accept HTTP
         and/or accept HTTPS with certificates from unknown CAs.

         Enabling --insecure-registry is useful when running a local
         registry. However, because its use creates security vulnerabilities
         it should ONLY be enabled for testing purposes. For increased
         security, users should add their CA to their system's list of
         trusted CAs instead of using --insecure-registry.

       --ip=""
         Default IP address to use when binding container ports. Default is
         0.0.0.0.

       --ip-forward=true|false
         Enables IP forwarding on the Docker host. The default is true. This
         flag interacts with the IP forwarding setting on your host system's
         kernel. If your system has IP forwarding disabled, this setting
         enables it. If your system has IP forwarding enabled, setting this
         flag to --ip-forward=false has no effect.

         This setting will also enable IPv6 forwarding if you have both
         --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
         Router Advertisements and interfere with the host's existing IPv6
         configuration. For more information, please consult the
         documentation about "Advanced Networking - IPv6".

       --ip-masq=true|false
         Enable IP masquerading for bridge's IP range. Default is true.

       --iptables=true|false
         Enable Docker's addition of iptables rules. Default is true.

       --ipv6=true|false
         Enable IPv6 support. Default is false. Docker will create an
         IPv6-enabled bridge with address fe80::1 which will allow you to
         create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
         provide globally routable IPv6 addresses. IPv6 forwarding will be
         enabled if not used with --ip-forward=false. This may collide with
         your host's current IPv6 settings. For more information please
         consult the documentation about "Advanced Networking - IPv6".

       --isolation="default"
         Isolation specifies the type of isolation technology used by
         containers. Note that the default on Windows server is process, and
         the default on Windows client is hyperv. Linux only supports
         default.

       -l, --log-level="debug|info|warn|error|fatal"
         Set the logging level. Default is info.

       --label="[]"
         Set key=value labels to the daemon (displayed in docker info).

       --live-restore=false
         Enable live restore of running containers when the daemon starts so
         that they are not restarted. This option is applicable only for
         docker daemon running on Linux host.

       --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
         Default driver for container logs. Default is json-file.
         Warning: docker logs command works only for json-file logging
         driver.

       --log-opt=[]
         Logging driver specific options.

       --mtu=0
         Set the containers network mtu. Default is 0.

       --max-concurrent-downloads=3
         Set the max concurrent downloads for each pull. Default is 3.

       --max-concurrent-uploads=5
         Set the max concurrent uploads for each push. Default is 5.

       --max-download-attempts=5
         Set the max download attempts for each pull. Default is 5.

       --node-generic-resources=[]
         Advertise user-defined resource. Default is []. Use this if your
         swarm cluster has some nodes with custom resources (e.g: NVIDIA GPU,
         SSD, ...) and you need your services to land on nodes advertising
         these resources.
         Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
         --node-generic-resources "NVIDIA-GPU=UUID2"

       -p, --pidfile=""
         Path to use for daemon PID file. Default is /var/run/docker.pid.

       --raw-logs
         Output daemon logs in full timestamp format without ANSI coloring.
         If this flag is not set, the daemon outputs condensed, colorized
         logs if a terminal is detected, or full ("raw") output otherwise.

       --registry-mirror=://
         Prepend a registry mirror to be used for image pulls. May be
         specified multiple times.

       -s, --storage-driver=""
         Force the Docker runtime to use a specific storage driver.

       --seccomp-profile=""
         Path to seccomp profile.

       --selinux-enabled=true|false
         Enable selinux support. Default is false.

       --shutdown-timeout=15
         Set the shutdown timeout value in seconds. Default is 15.

       --storage-opt=[]
         Set storage driver options. See STORAGE DRIVER OPTIONS.

       --swarm-default-advertise-addr=IP|INTERFACE
         Set default address or interface for swarm to advertise as its
         externally-reachable address to other cluster members. This can be a
         hostname, an IP address, or an interface such as eth0. A port cannot
         be specified with this option.

       --tls=true|false
         Use TLS; implied by --tlsverify. Default is false.

       --tlscacert=~/.docker/ca.pem
         Trust certs signed only by this CA.

       --tlscert=~/.docker/cert.pem
         Path to TLS certificate file.

       --tlskey=~/.docker/key.pem
         Path to TLS key file.

       --tlsverify=true|false
         Use TLS and verify the remote (daemon: verify client, client: verify
         daemon). Default is false.

       --userland-proxy=true|false
         Rely on a userland proxy implementation for inter-container and
         outside-to-container loopback communications. Default is true.

       --userland-proxy-path=""
         Path to the userland proxy binary.

       --userns-remap=default|uid:gid|user:group|user|uid
         Enable user namespaces for containers on the daemon. Specifying
         "default" will cause a new user and group to be created to handle
         UID and GID range remapping for the user namespace mappings used for
         contained processes. Specifying a user (or uid) and optionally a
         group (or gid) will cause the daemon to look up the user and group's
         subordinate ID ranges for use as the user namespace mappings for
         contained processes.

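       The following added example (not part of the Docker manual) audits a
       daemon.json for four of the options documented above that bear on
       exposure: a tcp:// --host without --tlsverify, --insecure-registry
       entries (including CIDR entries), --icc left at its default, and
       --userns-remap unset. Both sample configurations are constructed, and
       the keys hosts, tls, tlsverify, insecure-registries, icc and
       userns-remap are assumed to be the configuration-file spellings of
       those flags.

```python
import ipaddress
import json

# Constructed sample inputs (not from the manual page). Key names are assumed
# to be the daemon.json spellings of the flags documented above.
RISKY_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["registry.lab.example:5000", "10.0.0.0/8"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "userns-remap": "default"
}
"""


def audit_daemon_config(text):
    """Return a list of (flag, message) findings for a daemon.json document."""
    cfg = json.loads(text)
    findings = []

    # -H/--host: a tcp:// socket only verifies clients when --tlsverify is on;
    # --tls alone encrypts the connection but does not verify the client.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        mode = "TLS without client verification" if cfg.get("tls", False) else "no TLS"
        findings.append(("--host", f"{', '.join(tcp_hosts)} exposed with {mode}"))

    # --insecure-registry: an entry is a registry address or a CIDR that
    # covers a whole subnet, so report how wide each entry is.
    for entry in cfg.get("insecure-registries", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
            scope = f"CIDR covering {net.num_addresses} addresses"
        except ValueError:
            scope = "single registry"
        findings.append(("--insecure-registry", f"{entry}: {scope}"))

    # --icc defaults to true, which allows unrestricted inter-container traffic.
    if cfg.get("icc", True):
        findings.append(("--icc", "inter-container communication is unrestricted"))

    # --userns-remap is off unless set, so container UIDs are not remapped.
    if not cfg.get("userns-remap"):
        findings.append(("--userns-remap", "user namespace remapping is not enabled"))

    return findings


if __name__ == "__main__":
    for name, doc in (("risky", RISKY_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name)
        for flag, message in audit_daemon_config(doc):
            print(f"  {flag}: {message}")
```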

STORAGE DRIVER OPTIONS

       Docker uses storage backends (known as "graphdrivers" in the Docker
       internals) to create writable containers from images. Many of these
       backends use operating system level technologies and can be configured.

       Specify options to the storage backend with --storage-opt flags. The
       backends that currently take options are devicemapper, zfs and btrfs.
       Options for devicemapper are prefixed with dm, options for zfs start
       with zfs and options for btrfs start with btrfs.

       Specifically for devicemapper, the default is a "loopback" model which
       requires no pre-configuration, but is extremely inefficient. Do not use
       it in production.

       To make the best use of Docker with the devicemapper backend, you must
       have a recent version of LVM. Use lvm to create a thin pool; for more
       information see man lvmthin. Then, use --storage-opt dm.thinpooldev to
       tell the Docker engine to use that pool for allocating images and
       container snapshots.

Devicemapper options

   dm.thinpooldev
       Specifies a custom block storage device to use for the thin pool.

       If using a block device for device mapper storage, it is best to use
       lvm to create and manage the thin-pool volume. This volume is then
       handed to Docker to exclusively create snapshot volumes needed for
       images and containers.

       Managing the thin-pool outside of Engine makes for the most
       feature-rich method of having Docker utilize device mapper thin
       provisioning as the backing storage for Docker containers. The
       highlights of the lvm-based thin-pool management feature include:
       automatic or interactive thin-pool resize support, dynamically
       changing thin-pool features, automatic thinp metadata checking when
       lvm activates the thin-pool, etc.

       As a fallback if no thin pool is provided, loopback files are created.
       Loopback is very slow, but can be used without any pre-configuration
       of storage. It is strongly recommended that you do not use loopback in
       production. Ensure your Engine daemon has a --storage-opt
       dm.thinpooldev argument provided.

       Example use:

              $ dockerd \
                    --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

   dm.directlvm_device
       As an alternative to manually creating a thin pool as above, Docker can
       automatically configure a block device for you.

       Example use:

              $ dockerd \
                    --storage-opt dm.directlvm_device=/dev/xvdf

   dm.thinp_percent
       Sets the percentage of the passed in block device to use for storage.

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_percent=95

   dm.thinp_metapercent
       Sets the percentage of the passed in block device to use for metadata
       storage.

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_metapercent=1

   dm.thinp_autoextend_threshold
       Sets the value of the percentage of space used before lvm attempts to
       autoextend the available space [100 = disabled]

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_autoextend_threshold=80

   dm.thinp_autoextend_percent
       Sets the percentage value to increase the thin pool by when lvm
       attempts to autoextend the available space [100 = disabled]

       Example:

              $ sudo dockerd \
                    --storage-opt dm.thinp_autoextend_percent=20

   dm.basesize
       Specifies the size to use when creating the base device, which limits
       the size of images and containers. The default value is 10G. Note, thin
       devices are inherently "sparse", so a 10G device which is mostly empty
       doesn't use 10 GB of space on the pool. However, the filesystem will
       use more space for base images the larger the device is.

       The base device size can be increased at daemon restart which will
       allow all future images and containers (based on those new images) to
       be of the new base device size.

       Example use: dockerd --storage-opt dm.basesize=50G

       This will increase the base device size to 50G. The Docker daemon will
       throw an error if existing base device size is larger than 50G. A user
       can use this option to expand the base device size; however, shrinking
       is not permitted.

       This value affects the system-wide "base" empty filesystem that may
       already be initialized and inherited by pulled images. Typically, a
       change to this value requires additional steps to take effect. Note
       that removing /var/lib/docker deletes all existing images, containers
       and local volumes stored there:

              $ sudo service docker stop
              $ sudo rm -rf /var/lib/docker
              $ sudo service docker start

       Example use: dockerd --storage-opt dm.basesize=20G

   dm.fs
       Specifies the filesystem type to use for the base device. The supported
       options are ext4 and xfs. The default is ext4.

       Example use: dockerd --storage-opt dm.fs=xfs

   dm.mkfsarg
       Specifies extra mkfs arguments to be used when creating the base
       device.

       Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

   dm.mountopt
       Specifies extra mount options used when mounting the thin devices.

       Example use: dockerd --storage-opt dm.mountopt=nodiscard

   dm.use_deferred_removal
       Enables use of deferred device removal if libdm and the kernel driver
       support the mechanism.

       Deferred device removal means that if a device is busy when devices are
       being removed/deactivated, a deferred removal is scheduled on the
       device. The device automatically goes away when the last user of the
       device exits.

       For example, when a container exits, its associated thin device is
       removed. If that device has leaked into some other mount namespace and
       can't be removed, the container exit still succeeds and this option
       causes the system to schedule the device for deferred removal. It does
       not wait in a loop trying to remove a busy device.

       Example use: dockerd --storage-opt dm.use_deferred_removal=true

   dm.use_deferred_deletion
       Enables use of deferred device deletion for thin pool devices. By
       default, thin pool device deletion is synchronous. Before a container
       is deleted, the Docker daemon removes any associated devices. If the
       storage driver cannot remove a device, the container deletion fails and
       the daemon returns:

              Error deleting container: Error response from daemon: Cannot destroy container

       To avoid this failure, enable both deferred device deletion and
       deferred device removal on the daemon.

              $ dockerd \
                    --storage-opt dm.use_deferred_deletion=true \
                    --storage-opt dm.use_deferred_removal=true

       With these two options enabled, if a device is busy when the driver is
       deleting a container, the driver marks the device as deleted. Later,
       when the device isn't in use, the driver deletes it.

       In general it should be safe to enable this option by default. It will
       help when unintentional leaking of mount points happens across multiple
       mount namespaces.

   dm.loopdatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "data" device which is used for the thin pool. The default size is
       100G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopdatasize=200G

   dm.loopmetadatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "metadata" device which is used for the thin pool. The default size is
       2G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopmetadatasize=4G

   dm.datadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for data for a Docker-managed
       thin pool. It is better to use dm.thinpooldev - see the documentation
       for it above for discussion of the advantages.

   dm.metadatadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for metadata for a Docker-managed
       thin pool. See dm.datadev for why this is deprecated.

   dm.blocksize
       Specifies a custom blocksize to use for the thin pool. The default
       blocksize is 64K.

       Example use: dockerd --storage-opt dm.blocksize=512K

   dm.blkdiscard
       Enables or disables the use of blkdiscard when removing devicemapper
       devices. This is disabled by default due to the additional latency,
       but as a special case with loopback devices it will be enabled, in
       order to re-sparsify the loopback file on image/container removal.

       Disabling this on loopback can lead to much faster container removal
       times, but it also prevents the space used in /var/lib/docker directory
       from being returned to the system for other use when containers are
       removed.

       Example use: dockerd --storage-opt dm.blkdiscard=false

   dm.override_udev_sync_check
       By default, the devicemapper backend attempts to synchronize with the
       udev device manager for the Linux kernel. This option allows disabling
       that synchronization, to continue even though the configuration may be
       buggy.

       To view the udev sync support of a Docker daemon that is using the
       devicemapper driver, run:

              $ docker info
              [...]
               Udev Sync Supported: true
              [...]

       When udev sync support is true, then devicemapper and udev can
       coordinate the activation and deactivation of devices for containers.

       When udev sync support is false, a race condition occurs between the
       devicemapper and udev during create and cleanup. The race condition
       results in errors and failures. (For information on these failures, see
       docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

       To allow the docker daemon to start, regardless of whether udev sync is
       false, set dm.override_udev_sync_check to true:

              $ dockerd --storage-opt dm.override_udev_sync_check=true

       When this value is true, the driver continues and simply warns you the
       errors are happening.

       Note: The ideal is to pursue a docker daemon and environment that does
       support synchronizing with udev. For further discussion on this topic,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
       Otherwise, set this flag for migrating existing Docker daemons to a
       daemon with a supported environment.

844   dm.min_free_space
845       Specifies the min free space percent in a thin pool require for new de‐
846       vice creation to succeed. This check applies to both free data space as
847       well  as  free metadata space. Valid values are from 0% - 99%. Value 0%
848       disables free space checking logic. If user does not  specify  a  value
849       for this option, the Engine uses a default value of 10%.
850
851
852       Whenever  a  new  a  thin pool device is created (during docker pull or
853       during container creation), the Engine checks if the minimum free space
854       is  available.  If the space is unavailable, then device creation fails
855       and any relevant docker operation fails.
856
857
858       To recover from this error, you must create more free space in the thin
859       pool  to  recover from the error. You can create free space by deleting
860       some images and containers from tge thin pool. You can  also  add  more
861       storage to the thin pool.
862
863
864       To add more space to an LVM (logical volume management) thin pool, just
865       add more storage to the  group container thin pool; this  should  auto‐
866       matically  resolve any errors. If your configuration uses loop devices,
867       then stop the Engine daemon, grow the size of loop  files  and  restart
868       the daemon to resolve the issue.
869
870
871       Example use:: dockerd --storage-opt dm.min_free_space=10%
872
873
874   dm.xfs_nospace_max_retries
875       Specifies  the maximum number of retries XFS should attempt to complete
876       IO when ENOSPC (no space) error is returned by underlying  storage  de‐
877       vice.
878
879
880       By  default XFS retries infinitely for IO to finish and this can result
881       in  unkillable  process.  To  change  this   behavior   one   can   set
882       xfs_nospace_max_retries  to  say 0 and XFS will not retry IO after get‐
883       ting ENOSPC and will shutdown filesystem.
884
885
886       Example use:
887
888
889              $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
890
891
892
   dm.libdm_log_level
       Specifies the maximum libdm log level that will be forwarded to the
       dockerd log (as specified by --log-level). This option is primarily
       intended for debugging problems involving libdm. Using values other
       than the defaults may cause false-positive warnings to be logged.

       Values specified must fall within the range of valid libdm log levels.
       At the time of writing, the following is the list of libdm log levels
       as well as their corresponding levels when output by dockerd.

       ┌────────────┬───────┬─────────────┐
       │libdm Level │ Value │ --log-level │
       ├────────────┼───────┼─────────────┤
       │_LOG_FATAL  │ 2     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_ERR    │ 3     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_WARN   │ 4     │ warn        │
       ├────────────┼───────┼─────────────┤
       │_LOG_NOTICE │ 5     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_INFO   │ 6     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_DEBUG  │ 7     │ debug       │
       └────────────┴───────┴─────────────┘

       Example use:

              $ sudo dockerd \
                    --log-level debug \
                    --storage-opt dm.libdm_log_level=7

ZFS options

   zfs.fsname
       Sets the zfs filesystem under which docker will create its own
       datasets. By default, docker picks up the zfs filesystem where the
       docker graph (/var/lib/docker) is located.

       Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

Btrfs options

   btrfs.min_space
       Specifies the minimum size to use when creating the subvolume which is
       used for containers. If the user uses a disk quota for btrfs when
       creating or running a container with the --storage-opt size option,
       docker should ensure the size cannot be smaller than btrfs.min_space.

       Example use: dockerd -s btrfs --storage-opt btrfs.min_space=10G

CLUSTER STORE OPTIONS

       The daemon uses libkv to advertise the node within the cluster. Some
       Key/Value backends support mutual TLS, and the client TLS settings used
       by the daemon can be configured using the --cluster-store-opt flag,
       specifying the paths to PEM encoded files.

   kv.cacertfile
       Specifies the path to a local file with PEM encoded CA certificates to
       trust.

   kv.certfile
       Specifies the path to a local file with a PEM encoded certificate.
       This certificate is used as the client cert for communication with the
       Key/Value store.

   kv.keyfile
       Specifies the path to a local file with a PEM encoded private key.
       This private key is used as the client key for communication with the
       Key/Value store.

Access authorization

       Docker's access authorization can be extended by authorization plugins
       that your organization can purchase or build itself. You can install
       one or more authorization plugins when you start the Docker daemon
       using the --authorization-plugin=PLUGIN_ID option.

              dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

       The PLUGIN_ID value is either the plugin's name or a path to its
       specification file. The plugin's implementation determines whether you
       can specify a name or path. Consult with your Docker administrator to
       get information about the plugins available to you.

       Once a plugin is installed, requests made to the daemon through the
       command line or Docker's Engine API are allowed or denied by the
       plugin. If you have multiple plugins installed, each plugin, in order,
       must allow the request for it to complete.

       For information about how to create an authorization plugin, see the
       access authorization plugin
       ⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
       in the Docker extend section of this documentation.

RUNTIME EXECUTION OPTIONS

       You can configure the runtime using options specified with the
       --exec-opt flag. All the flag's options have the native prefix. A
       single native.cgroupdriver option is available.

       The native.cgroupdriver option specifies the management of the
       container's cgroups. You can only specify cgroupfs or systemd. If you
       specify systemd and it is not available, the system errors out. If you
       omit the native.cgroupdriver option, cgroupfs is used on cgroup v1
       hosts, and systemd is used on cgroup v2 hosts with systemd available.

       This example sets the cgroupdriver to systemd:

              $ sudo dockerd --exec-opt native.cgroupdriver=systemd

       Setting this option applies to all containers the daemon launches.

HISTORY

       Sept 2015, Originally compiled by Shishir Mahajan
       shishir.mahajan@redhat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based
       on docker.com source material and internal work.

Docker Community                SEPTEMBER 2015                      DOCKERD(8)