DOCKERD(8)                    Docker User Manuals                   DOCKERD(8)

NAME

       dockerd - Enable daemon mode

SYNOPSIS

       dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
       [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
       [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
       [--config-file[=path]] [--containerd[=SOCKET-PATH]]
       [--data-root[=/var/lib/docker]] [-D|--debug]
       [--default-cgroupns-mode[=host]] [--default-gateway[=DEFAULT-GATEWAY]]
       [--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
       [--default-address-pool[=DEFAULT-ADDRESS-POOL]]
       [--default-runtime[=runc]] [--default-ipc-mode=MODE]
       [--default-shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]]
       [--dns-opt[=[]]] [--dns-search[=[]]] [--exec-opt[=[]]]
       [--exec-root[=/var/run/docker]] [--experimental[=false]]
       [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
       [-G|--group[=docker]] [-H|--host[=[]]] [--help] [--http-proxy[""]]
       [--https-proxy[""]] [--icc[=true]] [--init[=false]] [--init-path[=""]]
       [--insecure-registry[=[]]] [--ip[=0.0.0.0]] [--ip-forward[=true]]
       [--ip-masq[=true]] [--iptables[=true]] [--ipv6] [--isolation[=default]]
       [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
       [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
       [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
       [--max-download-attempts[=5]] [--no-proxy[""]]
       [--node-generic-resources[=[]]] [-p|--pidfile[=/var/run/docker.pid]]
       [--raw-logs] [--registry-mirror[=[]]]
       [-s|--storage-driver[=STORAGE-DRIVER]]
       [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
       [--shutdown-timeout[=15]] [--storage-opt[=[]]]
       [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
       [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
       [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
       [--userland-proxy-path[=""]] [--userns-remap[=default]] [--validate]

DESCRIPTION

       dockerd is used for starting the Docker daemon (i.e., to command the
       daemon to manage images, containers, etc.). dockerd is therefore a
       server that runs as a daemon.

       To run the Docker daemon you can specify dockerd. You can check the
       daemon options using dockerd --help. Daemon options should be specified
       after the dockerd keyword in the following format.

       dockerd [OPTIONS]

OPTIONS

       --add-runtime=[]
         Runtimes can be registered with the daemon either via the
         configuration file or using the --add-runtime command line argument.

       The following is an example adding 2 runtimes via the configuration:

              {
                   "default-runtime": "runc",
                   "runtimes": {
                        "runc": {
                             "path": "runc"
                        },
                        "custom": {
                             "path": "/usr/local/bin/my-runc-replacement",
                             "runtimeArgs": [
                                  "--debug"
                             ]
                        }
                   }
              }

       This is the same example via the command line:

              $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

       Note: defining runtime arguments via the command line is not supported.

       --allow-nondistributable-artifacts=[]
         Push nondistributable artifacts to the specified registries.

       List can contain elements with CIDR notation to specify a whole subnet.

       This option is useful when pushing images containing nondistributable
       artifacts to a registry on an air-gapped network so hosts on that
       network can pull the images without connecting to another server.

       Warning: Nondistributable artifacts typically have restrictions on how
       and where they can be distributed and shared. Only use this feature to
       push artifacts to private registries and ensure that you are in
       compliance with any terms that cover redistributing nondistributable
       artifacts.

       --api-cors-header=""
         Set CORS headers in the Engine API. CORS is disabled by default. Give
         URLs like "http://foo, http://bar, ...". Give "*" to allow all.

       --authorization-plugin=""
         Set authorization plugins to load.

       -b, --bridge=""
         Attach containers to a pre-existing network bridge; use 'none' to
         disable container networking.

       --bip=""
         Use the provided CIDR notation address for the dynamically created
         bridge (docker0); mutually exclusive with -b.

       --cgroup-parent=""
         Set parent cgroup for all containers. Default is "/docker" for fs
         cgroup driver and "system.slice" for systemd cgroup driver.

       --config-file="/etc/docker/daemon.json"
         Specifies the JSON file path to load the configuration from. Default
         is /etc/docker/daemon.json.

       --containerd=""
         Path to containerd socket.

       --data-root=""
         Path to the directory used to store persisted Docker data such as
         configuration for resources, swarm cluster state, and filesystem data
         for images, containers, and local volumes. Default is /var/lib/docker.

       -D, --debug=true|false
         Enable debug mode. Default is false.

       --default-cgroupns-mode="host|private"
         Set the default cgroup namespace mode for newly created containers.
         The argument can either be host or private. If unset, this defaults
         to host on cgroup v1, or private on cgroup v2.

       --default-gateway=""
         IPv4 address of the container default gateway; this address must be
         part of the bridge subnet (which is defined by -b or --bip).

       --default-gateway-v6=""
         IPv6 address of the container default gateway.

       --default-address-pool=""
         Default address pool from which IPAM driver selects a subnet for the
         networks. Example: base=172.30.0.0/16,size=24 will set the default
         address pools for the selected scope networks to
         {172.30.[0-255].0/24}.

       --default-runtime="runtime"
         Set the default runtime if more than one is specified by
         --add-runtime.

       --default-ipc-mode="private|shareable"
         Set the default IPC mode for newly created containers. The argument
         can either be private or shareable.

       --default-shm-size=size
         Set the daemon-wide default shm size for containers. Default is
         64MiB.

       --default-ulimit=[]
         Default ulimits for containers.

       --dns=""
         Force Docker to use specific DNS servers.

       --dns-opt=""
         DNS options to use.

       --dns-search=[]
         DNS search domains to use.

       --exec-opt=[]
         Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

       --exec-root=""
         Path to use as the root of the Docker execution state files. Default
         is /var/run/docker.

       --experimental=""
         Enable the daemon experimental features.

       --fixed-cidr=""
         IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
         nested in the bridge subnet (which is defined by -b or --bip).

       --fixed-cidr-v6=""
         IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

       -G, --group=""
         Group to assign the unix socket specified by -H when running in
         daemon mode. Use '' (the empty string) to disable setting of a group.
         Default is docker.

       -H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
       unix://[/path/to/socket] to use.
         The socket(s) to bind to in daemon mode specified using one or more
         tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

       --help
         Print usage statement.

       --http-proxy""
         Proxy URL for HTTP requests unless overridden by NoProxy.

       --https-proxy""
         Proxy URL for HTTPS requests unless overridden by NoProxy.

       --icc=true|false
         Allow unrestricted inter-container and Docker daemon host
         communication. If disabled, containers can still be linked together
         using the --link option (see docker-run(1)). Default is true.

       --init
         Run an init process inside containers for signal forwarding and
         process reaping.

       --init-path
         Path to the docker-init binary.

       --insecure-registry=[]
         Enable insecure registry communication, i.e., enable un-encrypted
         and/or untrusted communication.

       List of insecure registries can contain an element with CIDR notation
       to specify a whole subnet. Insecure registries accept HTTP and/or
       accept HTTPS with certificates from unknown CAs.

       Enabling --insecure-registry is useful when running a local registry.
       However, because its use creates security vulnerabilities it should
       ONLY be enabled for testing purposes. For increased security, users
       should add their CA to their system's list of trusted CAs instead of
       using --insecure-registry.

       --ip=""
         Default IP address to use when binding container ports. Default is
         0.0.0.0.

       --ip-forward=true|false
         Enables IP forwarding on the Docker host. The default is true. This
         flag interacts with the IP forwarding setting on your host system's
         kernel. If your system has IP forwarding disabled, this setting
         enables it. If your system has IP forwarding enabled, setting this
         flag to false has no effect.

       This setting will also enable IPv6 forwarding if you have both
       --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
       Router Advertisements and interfere with the host's existing IPv6
       configuration. For more information, please consult the documentation
       about "Advanced Networking - IPv6".

       --ip-masq=true|false
         Enable IP masquerading for bridge's IP range. Default is true.

       --iptables=true|false
         Enable Docker's addition of iptables rules. Default is true.

       --ipv6=true|false
         Enable IPv6 support. Default is false. Docker will create an
         IPv6-enabled bridge with address fe80::1 which will allow you to
         create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
         provide globally routable IPv6 addresses. IPv6 forwarding will be
         enabled if not used with --ip-forward=false. This may collide with
         your host's current IPv6 settings. For more information please
         consult the documentation about "Advanced Networking - IPv6".

       --isolation="default"
         Isolation specifies the type of isolation technology used by
         containers. Note that the default on Windows server is process, and
         the default on Windows client is hyperv. Linux only supports default.

       -l, --log-level="debug|info|warn|error|fatal"
         Set the logging level. Default is info.

       --label="[]"
         Set key=value labels to the daemon (displayed in docker info).

       --live-restore=false
         Enable live restore of running containers when the daemon starts so
         that they are not restarted. This option is applicable only for
         docker daemon running on Linux host.

       --log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
         Default driver for container logs. Default is json-file.
         Warning: docker logs command works only for json-file logging driver.

       --log-opt=[]
         Logging driver specific options.

       --mtu=0
         Set the containers network mtu. Default is 0.

       --max-concurrent-downloads=3
         Set the max concurrent downloads. Default is 3.

       --max-concurrent-uploads=5
         Set the max concurrent uploads. Default is 5.

       --max-download-attempts=5
         Set the max download attempts for each pull. Default is 5.

       --no-proxy="""
         Comma-separated values specifying hosts that should be excluded from
         proxying.

       --node-generic-resources=[]
         Advertise user-defined resource. Default is [].
         Use this if your swarm cluster has some nodes with custom
         resources (e.g., NVIDIA GPU, SSD, ...) and you need your services to
         land on nodes advertising these resources.
         Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
         --node-generic-resources "NVIDIA-GPU=UUID2"

       -p, --pidfile="path"
         Path to use for daemon PID file. Default is /var/run/docker.pid.

       --raw-logs
         Output daemon logs in full timestamp format without ANSI coloring. If
         this flag is not set, the daemon outputs condensed, colorized logs if
         a terminal is detected, or full ("raw") output otherwise.

       --registry-mirror=://
         Prepend a registry mirror to be used for image pulls. May be
         specified multiple times.

       -s, --storage-driver=""
         Force the Docker runtime to use a specific storage driver.

       --seccomp-profile=""
         Path to seccomp profile.

       --selinux-enabled=true|false
         Enable selinux support. Default is false.

       --shutdown-timeout=seconds
         Set the shutdown timeout value in seconds. Default is 15.

       --storage-opt=[]
         Set storage driver options. See STORAGE DRIVER OPTIONS.

       --swarm-default-advertise-addr=IP|INTERFACE
         Set default address or interface for swarm to advertise as its
         externally-reachable address to other cluster members. This can be a
         hostname, an IP address, or an interface such as eth0. A port cannot
         be specified with this option.

       --tls=true|false
         Use TLS; implied by --tlsverify. Default is false.

       --tlscacert=~/.docker/ca.pem
         Trust certs signed only by this CA.

       --tlscert=~/.docker/cert.pem
         Path to TLS certificate file.

       --tlskey=~/.docker/key.pem
         Path to TLS key file.

       --tlsverify=true|false
         Use TLS and verify the remote (daemon: verify client, client: verify
         daemon). Default is false.

       --userland-proxy=true|false
         Rely on a userland proxy implementation for inter-container and
         outside-to-container loopback communications. Default is true.

       --userland-proxy-path=""
         Path to the userland proxy binary.

       --userns-remap=default|uid:gid|user:group|user|uid
         Enable user namespaces for containers on the daemon. Specifying
         "default" will cause a new user and group to be created to handle UID
         and GID range remapping for the user namespace mappings used for
         contained processes. Specifying a user (or uid) and optionally a
         group (or gid) will cause the daemon to look up the user and group's
         subordinate ID ranges for use as the user namespace mappings for
         contained processes.

       --validate
         Validate daemon configuration and exit.
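
       The security-relevant options above (-H, --tls/--tlsverify,
       --api-cors-header, --insecure-registry, --icc, --userns-remap) can be
       checked in a daemon.json before it is deployed. The following Python
       sketch is an added example, not part of the original manual or of
       Docker itself; the sample configurations, severity labels and function
       names are constructed for illustration, and the keys are the
       daemon.json spellings of those flags.

```python
import ipaddress
import json

# Constructed sample daemon.json (not from the manual): every risky setting on.
SAMPLE_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tlsverify": false,
  "api-cors-header": "*",
  "insecure-registries": ["registry.test.example:5000", "10.0.0.0/8"],
  "icc": true
}
"""

# Constructed counterpart with the same API exposure, but hardened.
HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/tls/ca.pem",
  "tlscert": "/etc/docker/tls/cert.pem",
  "tlskey": "/etc/docker/tls/key.pem",
  "icc": false,
  "userns-remap": "default"
}
"""


def registry_findings(entries):
    """One finding per --insecure-registry entry; CIDR entries rate higher."""
    out = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # host[:port] entry, not CIDR notation
        if net is not None and net.num_addresses > 1:
            out.append(("high", "insecure-registry",
                        f"{entry} covers {net.num_addresses} addresses that "
                        "may serve images over HTTP or with unknown CAs"))
        else:
            out.append(("medium", "insecure-registry",
                        f"{entry} accepts HTTP or certificates from unknown CAs"))
    return out


def audit(config_text):
    """Return (severity, option, message) tuples, most severe first."""
    cfg = json.loads(config_text)
    findings = []

    # A tcp:// socket without tlsverify means the daemon does not verify clients.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        detail = ("TLS enabled but clients are not verified"
                  if cfg.get("tls") else "no TLS")
        findings.append(("high", "host",
                         f"{', '.join(tcp_hosts)}: {detail}; set tlsverify"))

    if str(cfg.get("api-cors-header", "")).strip() == "*":
        findings.append(("medium", "api-cors-header",
                         '"*" allows all origins to call the Engine API'))

    findings += registry_findings(cfg.get("insecure-registries", []))

    if cfg.get("icc", True):  # the manual gives true as the default
        findings.append(("low", "icc",
                         "unrestricted inter-container communication"))
    if not cfg.get("userns-remap"):
        findings.append(("low", "userns-remap",
                         "user namespaces not enabled for containers"))

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])  # stable within a rank


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, option, message in audit(text) or [("ok", "-", "no findings")]:
            print(f"{severity:6} {option:18} {message}")
```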

STORAGE DRIVER OPTIONS

       Docker uses storage backends (known as "graphdrivers" in the Docker
       internals) to create writable containers from images. Many of these
       backends use operating system level technologies and can be configured.

       Specify options to the storage backend with --storage-opt flags. The
       backends that currently take options are devicemapper, zfs and btrfs.
       Options for devicemapper are prefixed with dm., options for zfs start
       with zfs., and options for btrfs start with btrfs..

       Specifically for devicemapper, the default is a "loopback" model which
       requires no pre-configuration, but is extremely inefficient. Do not
       use it in production.

       To make the best use of Docker with the devicemapper backend, you must
       have a recent version of LVM. Use lvm(8) to create a thin pool; for
       more information, see lvmthin(7). Then, use --storage-opt
       dm.thinpooldev to tell the Docker engine to use that pool for
       allocating images and container snapshots.

Devicemapper options

   dm.thinpooldev
       Specifies a custom block storage device to use for the thin pool.

       If using a block device for device mapper storage, it is best to use
       lvm to create and manage the thin-pool volume. This volume is then
       handed to Docker to exclusively create snapshot volumes needed for
       images and containers.

       Managing the thin-pool outside of Engine makes for the most
       feature-rich method of having Docker utilize device mapper thin
       provisioning as the backing storage for Docker containers. The
       highlights of the lvm-based thin-pool management feature include:
       automatic or interactive thin-pool resize support, dynamically
       changing thin-pool features, automatic thinp metadata checking when
       lvm activates the thin-pool, etc.

       As a fallback if no thin pool is provided, loopback files are created.
       Loopback is very slow, but can be used without any pre-configuration of
       storage. It is strongly recommended that you do not use loopback in
       production. Ensure your Engine daemon has a --storage-opt
       dm.thinpooldev argument provided.

       Example use:

       $ dockerd \
                --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

   dm.directlvm_device
       As an alternative to manually creating a thin pool as above, Docker can
       automatically configure a block device for you.

       Example use:

       $ dockerd \
                --storage-opt dm.directlvm_device=/dev/xvdf

   dm.thinp_percent
       Sets the percentage of the passed-in block device to use for storage.

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_percent=95

   dm.thinp_metapercent
       Sets the percentage of the passed-in block device to use for metadata
       storage.

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_metapercent=1

   dm.thinp_autoextend_threshold
       Sets the value of the percentage of space used before lvm attempts to
       autoextend the available space [100 = disabled]

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_autoextend_threshold=80

   dm.thinp_autoextend_percent
       Sets the percentage by which to increase the thin pool when lvm
       attempts to autoextend the available space [100 = disabled]

       Example:

       $ sudo dockerd \
                --storage-opt dm.thinp_autoextend_percent=20

   dm.basesize
       Specifies the size to use when creating the base device, which limits
       the size of images and containers. The default value is 10G. Note, thin
       devices are inherently "sparse", so a 10G device which is mostly empty
       doesn't use 10 GB of space on the pool. However, the filesystem will
       use more space for base images the larger the device is.

       The base device size can be increased at daemon restart which will
       allow all future images and containers (based on those new images) to
       be of the new base device size.

       Example use: dockerd --storage-opt dm.basesize=50G

       This will increase the base device size to 50G. The Docker daemon will
       throw an error if the existing base device size is larger than 50G. A
       user can use this option to expand the base device size; however,
       shrinking is not permitted.

       This value affects the system-wide "base" empty filesystem that may
       already be initialized and inherited by pulled images. Typically, a
       change to this value requires additional steps to take effect:

                  $ sudo service docker stop
                  $ sudo rm -rf /var/lib/docker
                  $ sudo service docker start

       Example use: dockerd --storage-opt dm.basesize=20G

   dm.fs
       Specifies the filesystem type to use for the base device. The supported
       options are ext4 and xfs. The default is ext4.

       Example use: dockerd --storage-opt dm.fs=xfs

   dm.mkfsarg
       Specifies extra mkfs arguments to be used when creating the base
       device.

       Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

   dm.mountopt
       Specifies extra mount options used when mounting the thin devices.

       Example use: dockerd --storage-opt dm.mountopt=nodiscard

   dm.use_deferred_removal
       Enables use of deferred device removal if libdm and the kernel driver
       support the mechanism.

       Deferred device removal means that if a device is busy when devices are
       being removed/deactivated, then a deferred removal is scheduled on the
       device. Devices automatically go away when the last user of the device
       exits.

       For example, when a container exits, its associated thin device is
       removed. If that device has leaked into some other mount namespace and
       can't be removed, the container exit still succeeds and this option
       causes the system to schedule the device for deferred removal. It does
       not wait in a loop trying to remove a busy device.

       Example use: dockerd --storage-opt dm.use_deferred_removal=true

   dm.use_deferred_deletion
       Enables use of deferred device deletion for thin pool devices. By
       default, thin pool device deletion is synchronous. Before a container
       is deleted, the Docker daemon removes any associated devices. If the
       storage driver cannot remove a device, the container deletion fails
       and the daemon returns:

       Error deleting container: Error response from daemon: Cannot destroy container

       To avoid this failure, enable both deferred device deletion and
       deferred device removal on the daemon.

       dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

       With these two options enabled, if a device is busy when the driver is
       deleting a container, the driver marks the device as deleted. Later,
       when the device isn't in use, the driver deletes it.

       In general it should be safe to enable this option by default. It will
       help when unintentional leaking of a mount point happens across
       multiple mount namespaces.

   dm.loopdatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "data" device which is used for the thin pool. The default size is
       100G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopdatasize=200G

   dm.loopmetadatasize
       Note: This option configures devicemapper loopback, which should not be
       used in production.

       Specifies the size to use when creating the loopback file for the
       "metadata" device which is used for the thin pool. The default size is
       2G. The file is sparse, so it will not initially take up this much
       space.

       Example use: dockerd --storage-opt dm.loopmetadatasize=4G

   dm.datadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for data for a Docker-managed
       thin pool. It is better to use dm.thinpooldev - see the documentation
       for it above for discussion of the advantages.

   dm.metadatadev
       (Deprecated, use dm.thinpooldev)

       Specifies a custom blockdevice to use for metadata for a Docker-managed
       thin pool. See dm.datadev for why this is deprecated.

   dm.blocksize
       Specifies a custom blocksize to use for the thin pool. The default
       blocksize is 64K.

       Example use: dockerd --storage-opt dm.blocksize=512K

   dm.blkdiscard
       Enables or disables the use of blkdiscard when removing devicemapper
       devices. This is disabled by default due to the additional latency,
       but as a special case with loopback devices it will be enabled, in
       order to re-sparsify the loopback file on image/container removal.

       Disabling this on loopback can lead to much faster container removal
       times, but it also prevents the space used in the /var/lib/docker
       directory from being returned to the system for other use when
       containers are removed.

       Example use: dockerd --storage-opt dm.blkdiscard=false

   dm.override_udev_sync_check
       By default, the devicemapper backend attempts to synchronize with the
       udev device manager for the Linux kernel. This option allows disabling
       that synchronization, to continue even though the configuration may be
       buggy.

       To view the udev sync support of a Docker daemon that is using the
       devicemapper driver, run:

                  $ docker info
                  [...]
                   Udev Sync Supported: true
                  [...]

       When udev sync support is true, then devicemapper and udev can
       coordinate the activation and deactivation of devices for containers.

       When udev sync support is false, a race condition occurs between the
       devicemapper and udev during create and cleanup. The race condition
       results in errors and failures. (For information on these failures, see
       docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

       To allow the docker daemon to start, regardless of whether udev sync is
       false, set dm.override_udev_sync_check to true:

                  $ dockerd --storage-opt dm.override_udev_sync_check=true

       When this value is true, the driver continues and simply warns you that
       the errors are happening.

       Note: The ideal is to pursue a docker daemon and environment that does
       support synchronizing with udev. For further discussion on this topic,
       see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩.
       Otherwise, set this flag for migrating existing Docker daemons to a
       daemon with a supported environment.

   dm.min_free_space
       Specifies the min free space percent in a thin pool required for new
       device creation to succeed. This check applies to both free data space
       as well as free metadata space. Valid values are from 0% - 99%. Value
       0% disables free space checking logic. If user does not specify a value
       for this option, the Engine uses a default value of 10%.

       Whenever a new thin pool device is created (during docker pull or
       during container creation), the Engine checks if the minimum free space
       is available. If the space is unavailable, then device creation fails
       and any relevant docker operation fails.

       To recover from this error, you must create more free space in the thin
       pool. You can create free space by deleting some images and containers
       from the thin pool. You can also add more storage to the thin pool.

       To add more space to an LVM (logical volume management) thin pool, just
       add more storage to the group containing the thin pool; this should
       automatically resolve any errors. If your configuration uses loop
       devices, then stop the Engine daemon, grow the size of the loop files
       and restart the daemon to resolve the issue.

       Example use: dockerd --storage-opt dm.min_free_space=10%

   dm.xfs_nospace_max_retries
       Specifies the maximum number of retries XFS should attempt to complete
       IO when an ENOSPC (no space) error is returned by the underlying
       storage device.

       By default XFS retries infinitely for IO to finish and this can result
       in an unkillable process. To change this behavior one can set
       xfs_nospace_max_retries to e.g. 0 and XFS will not retry IO after
       getting ENOSPC and will shut down the filesystem.

       Example use:

              $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

   dm.libdm_log_level
       Specifies the maximum libdm log level that will be forwarded to the
       dockerd log (as specified by --log-level). This option is primarily
       intended for debugging problems involving libdm. Using values other
       than the defaults may cause false-positive warnings to be logged.

       Values specified must fall within the range of valid libdm log levels.
       At the time of writing, the following is the list of libdm log levels
       as well as their corresponding levels when output by dockerd.

       ┌────────────┬───────┬─────────────┐
       │libdm Level │ Value │ --log-level │
       ├────────────┼───────┼─────────────┤
       │_LOG_FATAL  │ 2     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_ERR    │ 3     │ error       │
       ├────────────┼───────┼─────────────┤
       │_LOG_WARN   │ 4     │ warn        │
       ├────────────┼───────┼─────────────┤
       │_LOG_NOTICE │ 5     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_INFO   │ 6     │ info        │
       ├────────────┼───────┼─────────────┤
       │_LOG_DEBUG  │ 7     │ debug       │
       └────────────┴───────┴─────────────┘

       Example use:

              $ sudo dockerd \
                    --log-level debug \
                    --storage-opt dm.libdm_log_level=7

ZFS options

   zfs.fsname
       Sets the ZFS filesystem under which Docker creates its own datasets.
       By default, Docker picks the ZFS filesystem on which the Docker graph
       directory (/var/lib/docker) is located.

       Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

Btrfs options

   btrfs.min_space
       Specifies the minimum size to use when creating the subvolume that is
       used for containers. If the user sets a btrfs disk quota when creating
       or running a container with the --storage-opt size option, Docker
       ensures that the size cannot be smaller than btrfs.min_space.

       Example use: dockerd -s btrfs --storage-opt btrfs.min_space=10G

Access authorization

       Docker's access authorization can be extended by authorization plugins
       that your organization can purchase or build itself. You can install
       one or more authorization plugins when you start the Docker daemon
       using the --authorization-plugin=PLUGIN_ID option.

              dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

       The PLUGIN_ID value is either the plugin's name or a path to its
       specification file. The plugin's implementation determines whether you
       can specify a name or path. Consult with your Docker administrator to
       get information about the plugins available to you.

       Once a plugin is installed, requests made to the daemon through the
       command line or Docker's Engine API are allowed or denied by the
       plugin. If you have multiple plugins installed, each plugin, in order,
       must allow the request for it to complete.

       For information about how to create an authorization plugin, see the
       access authorization plugin
       ⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
       in the Docker extend section of this documentation.

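       A deny-by-default plugin of the kind described above, as an added
       example that is not Docker's or any vendor's code. The endpoint names
       and JSON fields follow the authorization plugin protocol documented at
       the link above; the plugin name readonly, its socket path and the
       allowlist are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"io"
	"net"
	"net/http"
	"regexp"
	"strings"
)

type authZReq struct{ RequestMethod, RequestURI string }
type authZRes struct{ Allow bool; Msg string }

var apiVersion = regexp.MustCompile(`^/v[0-9]+\.[0-9]+`)
// Constructed allowlist: read-only status and listing endpoints.
var readOnly = map[string]bool{"/_ping": true, "/version": true, "/info": true,
	"/containers/json": true, "/images/json": true}

// evaluate fails closed: an unparsable body, or anything other than a GET on
// an allowlisted path (query string and /vX.Y prefix dropped), is denied.
func evaluate(body []byte) authZRes {
	var r authZReq
	if json.Unmarshal(body, &r) != nil {
		return authZRes{Msg: "malformed authorization request"}
	}
	path := apiVersion.ReplaceAllString(strings.SplitN(r.RequestURI, "?", 2)[0], "")
	if r.RequestMethod == http.MethodGet && readOnly[path] {
		return authZRes{Allow: true}
	}
	return authZRes{Msg: "denied by read-only policy: " + r.RequestMethod + " " + path}
}

func main() {
	static := func(s string) http.HandlerFunc {
		return func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, s) }
	}
	http.Handle("/Plugin.Activate", static(`{"Implements": ["authz"]}`))
	http.Handle("/AuthZPlugin.AuthZRes", static(`{"Allow": true}`)) // response phase passes
	http.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, req *http.Request) {
		body, _ := io.ReadAll(req.Body) // truncated JSON is rejected by evaluate
		json.NewEncoder(w).Encode(evaluate(body))
	})
	l, err := net.Listen("unix", "/run/docker/plugins/readonly.sock") // assumed name
	if err != nil {
		panic(err)
	}
	panic(http.Serve(l, nil))
}
```

       Because every installed plugin must allow a request, starting the
       daemon with --authorization-plugin=readonly alongside other plugins
       can only narrow what they permit.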

RUNTIME EXECUTION OPTIONS

       You can configure the runtime using options specified with the
       --exec-opt flag. All the flag's options have the native prefix. A
       single native.cgroupdriver option is available.

       The native.cgroupdriver option specifies the management of the
       container's cgroups. You can only specify cgroupfs or systemd. If you
       specify systemd and it is not available, the system errors out. If you
       omit the native.cgroupdriver option, cgroupfs is used on cgroup v1
       hosts, and systemd is used on cgroup v2 hosts with systemd available.

       This example sets the cgroupdriver to systemd:

              $ sudo dockerd --exec-opt native.cgroupdriver=systemd

       Setting this option applies to all containers the daemon launches.

HISTORY

       Sept 2015, Originally compiled by Shishir Mahajan
       shishir.mahajan@redhat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based
       on docker.com source material and internal work.

Docker Community                SEPTEMBER 2015                      DOCKERD(8)