DOCKERD(8)                  Docker User Manuals                  DOCKERD(8)

dockerd - Enable daemon mode

dockerd [--add-runtime[=[]]] [--allow-nondistributable-artifacts[=[]]]
    [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=[]]]
    [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--cgroup-parent[=[]]]
    [--config-file[=path]] [--containerd[=SOCKET-PATH]]
    [--data-root[=/var/lib/docker]] [-D|--debug]
    [--default-cgroupns-mode[=host]] [--default-gateway[=DEFAULT-GATEWAY]]
    [--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
    [--default-address-pool[=DEFAULT-ADDRESS-POOL]]
    [--default-runtime[=runc]] [--default-ipc-mode=MODE]
    [--default-shm-size[=64MiB]] [--default-ulimit[=[]]] [--dns[=[]]]
    [--dns-opt[=[]]] [--dns-search[=[]]] [--exec-opt[=[]]]
    [--exec-root[=/var/run/docker]] [--experimental[=false]]
    [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]]
    [-G|--group[=docker]] [-H|--host[=[]]] [--help] [--http-proxy[""]]
    [--https-proxy[""]] [--icc[=true]] [--init[=false]] [--init-path[=""]]
    [--insecure-registry[=[]]] [--ip[=0.0.0.0]] [--ip-forward[=true]]
    [--ip-masq[=true]] [--iptables[=true]] [--ipv6] [--isolation[=default]]
    [-l|--log-level[=info]] [--label[=[]]] [--live-restore[=false]]
    [--log-driver[=json-file]] [--log-opt[=map[]]] [--mtu[=0]]
    [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]]
    [--max-download-attempts[=5]] [--no-proxy[""]]
    [--node-generic-resources[=[]]] [-p|--pidfile[=/var/run/docker.pid]]
    [--raw-logs] [--registry-mirror[=[]]]
    [-s|--storage-driver[=STORAGE-DRIVER]]
    [--seccomp-profile[=SECCOMP-PROFILE-PATH]] [--selinux-enabled]
    [--shutdown-timeout[=15]] [--storage-opt[=[]]]
    [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls]
    [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]]
    [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]]
    [--userland-proxy-path[=""]] [--userns-remap[=default]] [--validate]

dockerd starts the Docker daemon, the server process that manages
images, containers, etc.

To run the Docker daemon, invoke dockerd. You can check the daemon
options using dockerd --help. Daemon options should be specified after
the dockerd keyword in the following format.

        dockerd [OPTIONS]

--add-runtime=[]
    Runtimes can be registered with the daemon either via the
    configuration file or using the --add-runtime command line argument.

    The following is an example adding 2 runtimes via the configuration:

        {
            "default-runtime": "runc",
            "runtimes": {
                "runc": {
                    "path": "runc"
                },
                "custom": {
                    "path": "/usr/local/bin/my-runc-replacement",
                    "runtimeArgs": [
                        "--debug"
                    ]
                }
            }
        }

    This is the same example via the command line:

        $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement

    Note: defining runtime arguments via the command line is not supported.

--allow-nondistributable-artifacts=[]
    Push nondistributable artifacts to the specified registries.

    The list can contain elements with CIDR notation to specify a whole
    subnet.

    This option is useful when pushing images containing nondistributable
    artifacts to a registry on an air-gapped network so hosts on that
    network can pull the images without connecting to another server.

    Warning: Nondistributable artifacts typically have restrictions on
    how and where they can be distributed and shared. Only use this
    feature to push artifacts to private registries and ensure that you
    are in compliance with any terms that cover redistributing
    nondistributable artifacts.

--api-cors-header=""
    Set CORS headers in the Engine API. CORS is disabled by default.
    Give URLs like "http://foo, http://bar, ...". Give "*" to allow all.

--authorization-plugin=""
    Set authorization plugins to load.

-b, --bridge=""
    Attach containers to a pre-existing network bridge; use 'none' to
    disable container networking.

--bip=""
    Use the provided CIDR notation address for the dynamically created
    bridge (docker0); mutually exclusive with -b.

--cgroup-parent=""
    Set parent cgroup for all containers. Default is "/docker" for the
    fs cgroup driver and "system.slice" for the systemd cgroup driver.

--config-file="/etc/docker/daemon.json"
    Specifies the JSON file path to load the configuration from. Default
    is /etc/docker/daemon.json.

--containerd=""
    Path to containerd socket.

--data-root=""
    Path to the directory used to store persisted Docker data such as
    configuration for resources, swarm cluster state, and filesystem data
    for images, containers, and local volumes. Default is /var/lib/docker.

-D, --debug=true|false
    Enable debug mode. Default is false.

--default-cgroupns-mode="host|private"
    Set the default cgroup namespace mode for newly created containers.
    The argument can either be host or private. If unset, this defaults
    to host on cgroup v1, or private on cgroup v2.

--default-gateway=""
    IPv4 address of the container default gateway; this address must be
    part of the bridge subnet (which is defined by -b or --bip).

--default-gateway-v6=""
    IPv6 address of the container default gateway.

--default-address-pool=""
    Default address pool from which the IPAM driver selects a subnet for
    the networks. Example: base=172.30.0.0/16,size=24 will set the
    default address pools for the selected scope networks to
    {172.30.[0-255].0/24}.

--default-runtime="runtime"
    Set the default runtime if more than one is specified by
    --add-runtime.

--default-ipc-mode="private|shareable"
    Set the default IPC mode for newly created containers. The argument
    can either be private or shareable.

--default-shm-size=size
    Set the daemon-wide default shm size for containers. Default is
    64MiB.

--default-ulimit=[]
    Default ulimits for containers.

--dns=""
    Force Docker to use specific DNS servers.

--dns-opt=""
    DNS options to use.

--dns-search=[]
    DNS search domains to use.

--exec-opt=[]
    Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

--exec-root=""
    Path to use as the root of the Docker execution state files. Default
    is /var/run/docker.

--experimental=""
    Enable the daemon experimental features.

--fixed-cidr=""
    IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be
    nested in the bridge subnet (which is defined by -b or --bip).

--fixed-cidr-v6=""
    IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

-G, --group=""
    Group to assign the unix socket specified by -H when running in
    daemon mode. Use '' (the empty string) to disable setting of a
    group. Default is docker.

-H, --host=[unix:///var/run/docker.sock]
    tcp://[host:port] to bind or unix://[/path/to/socket] to use.
    The socket(s) to bind to in daemon mode, specified using one or more
    of tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

--help
    Print usage statement.

--http-proxy=""
    Proxy URL for HTTP requests unless overridden by NoProxy.

--https-proxy=""
    Proxy URL for HTTPS requests unless overridden by NoProxy.

--icc=true|false
    Allow unrestricted inter-container and Docker daemon host
    communication. If disabled, containers can still be linked together
    using the --link option (see docker-run(1)). Default is true.

--init
    Run an init process inside containers for signal forwarding and
    process reaping.

--init-path
    Path to the docker-init binary.

--insecure-registry=[]
    Enable insecure registry communication, i.e., enable un-encrypted
    and/or untrusted communication.

    List of insecure registries can contain an element with CIDR notation
    to specify a whole subnet. Insecure registries accept HTTP and/or
    accept HTTPS with certificates from unknown CAs.

    Enabling --insecure-registry is useful when running a local registry.
    However, because its use creates security vulnerabilities it should
    ONLY be enabled for testing purposes. For increased security, users
    should add their CA to their system's list of trusted CAs instead of
    using --insecure-registry.

--ip=""
    Default IP address to use when binding container ports. Default is
    0.0.0.0.

--ip-forward=true|false
    Enables IP forwarding on the Docker host. The default is true. This
    flag interacts with the IP forwarding setting on your host system's
    kernel. If your system has IP forwarding disabled, this setting
    enables it. If your system has IP forwarding enabled, setting this
    flag to false has no effect.

    This setting will also enable IPv6 forwarding if you have both
    --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
    Router Advertisements and interfere with the host's existing IPv6
    configuration. For more information, please consult the documentation
    about "Advanced Networking - IPv6".

--ip-masq=true|false
    Enable IP masquerading for bridge's IP range. Default is true.

--iptables=true|false
    Enable Docker's addition of iptables rules. Default is true.

--ipv6=true|false
    Enable IPv6 support. Default is false. Docker will create an
    IPv6-enabled bridge with address fe80::1 which will allow you to
    create IPv6-enabled containers. Use together with --fixed-cidr-v6 to
    provide globally routable IPv6 addresses. IPv6 forwarding will be
    enabled if not used with --ip-forward=false. This may collide with
    your host's current IPv6 settings. For more information please
    consult the documentation about "Advanced Networking - IPv6".

--isolation="default"
    Isolation specifies the type of isolation technology used by
    containers. Note that the default on Windows server is process, and
    the default on Windows client is hyperv. Linux only supports default.

-l, --log-level="debug|info|warn|error|fatal"
    Set the logging level. Default is info.

--label="[]"
    Set key=value labels to the daemon (displayed in docker info).

--live-restore=false
    Enable live restore of running containers when the daemon starts so
    that they are not restarted. This option is applicable only for a
    docker daemon running on a Linux host.

--log-driver="json-file|syslog|journald|gelf|fluentd|awslogs|splunk|etwlogs|gcplogs|none"
    Default driver for container logs. Default is json-file.
    Warning: docker logs command works only for json-file logging driver.

--log-opt=[]
    Logging driver specific options.

--mtu=0
    Set the container network MTU. Default is 0.

--max-concurrent-downloads=3
    Set the max concurrent downloads. Default is 3.

--max-concurrent-uploads=5
    Set the max concurrent uploads. Default is 5.

--max-download-attempts=5
    Set the max download attempts for each pull. Default is 5.

--no-proxy=""
    Comma-separated values specifying hosts that should be excluded from
    proxying.

--node-generic-resources=[]
    Advertise user-defined resource. Default is [].
    Use this if your swarm cluster has some nodes with custom resources
    (e.g., NVIDIA GPU, SSD, ...) and you need your services to land on
    nodes advertising these resources.
    Usage example: --node-generic-resources "NVIDIA-GPU=UUID1"
    --node-generic-resources "NVIDIA-GPU=UUID2"

-p, --pidfile="path"
    Path to use for daemon PID file. Default is /var/run/docker.pid.

--raw-logs
    Output daemon logs in full timestamp format without ANSI coloring. If
    this flag is not set, the daemon outputs condensed, colorized logs if
    a terminal is detected, or full ("raw") output otherwise.

--registry-mirror=://
    Prepend a registry mirror to be used for image pulls. May be
    specified multiple times.

-s, --storage-driver=""
    Force the Docker runtime to use a specific storage driver.

--seccomp-profile=""
    Path to seccomp profile.

--selinux-enabled=true|false
    Enable selinux support. Default is false.

--shutdown-timeout=seconds
    Set the shutdown timeout value in seconds. Default is 15.

--storage-opt=[]
    Set storage driver options. See STORAGE DRIVER OPTIONS.

--swarm-default-advertise-addr=IP|INTERFACE
    Set default address or interface for swarm to advertise as its
    externally-reachable address to other cluster members. This can be a
    hostname, an IP address, or an interface such as eth0. A port cannot
    be specified with this option.

--tls=true|false
    Use TLS; implied by --tlsverify. Default is false.

--tlscacert=~/.docker/ca.pem
    Trust certs signed only by this CA.

--tlscert=~/.docker/cert.pem
    Path to TLS certificate file.

--tlskey=~/.docker/key.pem
    Path to TLS key file.

--tlsverify=true|false
    Use TLS and verify the remote (daemon: verify client, client: verify
    daemon). Default is false.

--userland-proxy=true|false
    Rely on a userland proxy implementation for inter-container and
    outside-to-container loopback communications. Default is true.

--userland-proxy-path=""
    Path to the userland proxy binary.

--userns-remap=default|uid:gid|user:group|user|uid
    Enable user namespaces for containers on the daemon. Specifying
    "default" will cause a new user and group to be created to handle UID
    and GID range remapping for the user namespace mappings used for
    contained processes. Specifying a user (or uid) and optionally a
    group (or gid) will cause the daemon to look up the user and group's
    subordinate ID ranges for use as the user namespace mappings for
    contained processes.

--validate
    Validate daemon configuration and exit.

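
Several of the options above decide how exposed the daemon is: -H with a tcp:// address, --tlsverify, --insecure-registry, --api-cors-header, --icc, --userns-remap, --authorization-plugin, and the devicemapper storage options described below. The following is an added example, not part of the original manual or of the Docker project's code: a small audit of a daemon.json file against the defaults and warnings stated on this page. The JSON key names (hosts, insecure-registries, authorization-plugins, storage-opts and so on) are assumed to be the configuration-file spellings of those flags, and both sample files are constructed.

```python
import json

# Constructed sample configurations (not from the man page). Key names are
# assumed to be the daemon.json spellings of the flags documented above.
WEAK = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["10.0.0.0/8"],
  "api-cors-header": "*",
  "storage-driver": "devicemapper",
  "storage-opts": ["dm.override_udev_sync_check=true"]
}"""

HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "userns-remap": "default",
  "authorization-plugins": ["example-authz-plugin"],
  "storage-driver": "devicemapper",
  "storage-opts": ["dm.thinpooldev=/dev/mapper/thin-pool"]
}"""


def audit(config_text):
    """Return a list of (severity, key, message) findings for a daemon.json."""
    cfg = json.loads(config_text)
    findings = []

    def flag(severity, key, message):
        findings.append((severity, key, message))

    # -H tcp://... exposes the Engine API on the network; --tlsverify is the
    # option that makes the daemon verify clients. Its default is false.
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify", False):
        detail = "TLS without client verification" if cfg.get("tls") else "no TLS"
        flag("high", "hosts", f"{', '.join(tcp)} listens with {detail}")

    # The man page says --insecure-registry should only be used for testing.
    if cfg.get("insecure-registries"):
        flag("high", "insecure-registries",
             f"unencrypted/untrusted registries: {cfg['insecure-registries']}")

    # "*" allows every origin to call the Engine API from a browser.
    if "*" in cfg.get("api-cors-header", ""):
        flag("medium", "api-cors-header", "CORS allows all origins")

    # --icc defaults to true: unrestricted inter-container communication.
    if cfg.get("icc", True):
        flag("medium", "icc", "inter-container communication is unrestricted")

    if not cfg.get("userns-remap"):
        flag("medium", "userns-remap", "user namespaces are not enabled")

    if not cfg.get("authorization-plugins"):
        flag("low", "authorization-plugins", "no authorization plugin loaded")

    # devicemapper without a thin pool falls back to loopback files, which
    # the storage section says not to use in production.
    opts = dict(o.split("=", 1) for o in cfg.get("storage-opts", []) if "=" in o)
    if cfg.get("storage-driver") == "devicemapper":
        if not ({"dm.thinpooldev", "dm.directlvm_device"} & opts.keys()):
            flag("medium", "storage-opts", "devicemapper falls back to loopback")
        if opts.get("dm.override_udev_sync_check") == "true":
            flag("low", "storage-opts", "udev sync check is overridden")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for severity, key, message in audit(text):
            print(f"  [{severity}] {key}: {message}")
```

The severities are this example's own ranking; options given on the dockerd command line rather than in the configuration file are not seen by it.
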

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be configured.

Specify options to the storage backend with --storage-opt flags. The
backends that currently take options are devicemapper, zfs and btrfs.
Options for devicemapper are prefixed with dm., options for zfs start
with zfs., and options for btrfs start with btrfs..

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use lvm(8) to create a thin pool; for
more information, see lvmthin(7). Then, use --storage-opt
dm.thinpooldev to tell the Docker engine to use that pool for
allocating images and container snapshots.

dm.thinpooldev
    Specifies a custom block storage device to use for the thin pool.

    If using a block device for device mapper storage, it is best to use
    lvm to create and manage the thin-pool volume. This volume is then
    handed to Docker to exclusively create snapshot volumes needed for
    images and containers.

    Managing the thin-pool outside of Engine makes for the most
    feature-rich method of having Docker utilize device mapper thin
    provisioning as the backing storage for Docker containers. The
    highlights of the lvm-based thin-pool management feature include:
    automatic or interactive thin-pool resize support, dynamically
    changing thin-pool features, automatic thinp metadata checking when
    lvm activates the thin-pool, etc.

    As a fallback if no thin pool is provided, loopback files are
    created. Loopback is very slow, but can be used without any
    pre-configuration of storage. It is strongly recommended that you do
    not use loopback in production. Ensure your Engine daemon has a
    --storage-opt dm.thinpooldev argument provided.

    Example use:

        $ dockerd \
              --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

dm.directlvm_device
    As an alternative to manually creating a thin pool as above, Docker
    can automatically configure a block device for you.

    Example use:

        $ dockerd \
              --storage-opt dm.directlvm_device=/dev/xvdf

dm.thinp_percent
    Sets the percentage of the passed-in block device to use for storage.

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_percent=95

dm.thinp_metapercent
    Sets the percentage of the passed-in block device to use for metadata
    storage.

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_metapercent=1

dm.thinp_autoextend_threshold
    Sets the value of the percentage of space used before lvm attempts to
    autoextend the available space [100 = disabled].

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_autoextend_threshold=80

dm.thinp_autoextend_percent
    Sets the percentage value to increase the thin pool by when lvm
    attempts to autoextend the available space [100 = disabled].

    Example:

        $ sudo dockerd \
              --storage-opt dm.thinp_autoextend_percent=20

dm.basesize
    Specifies the size to use when creating the base device, which limits
    the size of images and containers. The default value is 10G. Note,
    thin devices are inherently "sparse", so a 10G device which is mostly
    empty doesn't use 10 GB of space on the pool. However, the filesystem
    will use more space for base images the larger the device is.

    The base device size can be increased at daemon restart which will
    allow all future images and containers (based on those new images) to
    be of the new base device size.

    Example use: dockerd --storage-opt dm.basesize=50G

    This will increase the base device size to 50G. The Docker daemon
    will throw an error if the existing base device size is larger than
    50G. A user can use this option to expand the base device size;
    however, shrinking is not permitted.

    This value affects the system-wide "base" empty filesystem that may
    already be initialized and inherited by pulled images. Typically, a
    change to this value requires additional steps to take effect.
    Removing /var/lib/docker deletes all existing images, containers,
    and local volumes stored there.

        $ sudo service docker stop
        $ sudo rm -rf /var/lib/docker
        $ sudo service docker start

    Example use: dockerd --storage-opt dm.basesize=20G

dm.fs
    Specifies the filesystem type to use for the base device. The
    supported options are ext4 and xfs. The default is ext4.

    Example use: dockerd --storage-opt dm.fs=xfs

dm.mkfsarg
    Specifies extra mkfs arguments to be used when creating the base
    device.

    Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"

dm.mountopt
    Specifies extra mount options used when mounting the thin devices.

    Example use: dockerd --storage-opt dm.mountopt=nodiscard

dm.use_deferred_removal
    Enables use of deferred device removal if libdm and the kernel driver
    support the mechanism.

    Deferred device removal means that if a device is busy when devices
    are being removed/deactivated, a deferred removal is scheduled on
    that device. The device automatically goes away when the last user
    of the device exits.

    For example, when a container exits, its associated thin device is
    removed. If that device has leaked into some other mount namespace
    and can't be removed, the container exit still succeeds and this
    option causes the system to schedule the device for deferred removal.
    It does not wait in a loop trying to remove a busy device.

    Example use: dockerd --storage-opt dm.use_deferred_removal=true

dm.use_deferred_deletion
    Enables use of deferred device deletion for thin pool devices. By
    default, thin pool device deletion is synchronous. Before a container
    is deleted, the Docker daemon removes any associated devices. If the
    storage driver cannot remove a device, the container deletion fails
    and the daemon returns:

        Error deleting container: Error response from daemon: Cannot destroy container

    To avoid this failure, enable both deferred device deletion and
    deferred device removal on the daemon.

        dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true

    With these two options enabled, if a device is busy when the driver
    is deleting a container, the driver marks the device as deleted.
    Later, when the device isn't in use, the driver deletes it.

    In general it should be safe to enable this option by default. It
    will help when unintentional leaking of mount points happens across
    multiple mount namespaces.

dm.loopdatasize
    Note: This option configures devicemapper loopback, which should not
    be used in production.

    Specifies the size to use when creating the loopback file for the
    "data" device which is used for the thin pool. The default size is
    100G. The file is sparse, so it will not initially take up this much
    space.

    Example use: dockerd --storage-opt dm.loopdatasize=200G

dm.loopmetadatasize
    Note: This option configures devicemapper loopback, which should not
    be used in production.

    Specifies the size to use when creating the loopback file for the
    "metadata" device which is used for the thin pool. The default size
    is 2G. The file is sparse, so it will not initially take up this much
    space.

    Example use: dockerd --storage-opt dm.loopmetadatasize=4G

dm.datadev
    (Deprecated, use dm.thinpooldev)

    Specifies a custom blockdevice to use for data for a Docker-managed
    thin pool. It is better to use dm.thinpooldev - see the documentation
    for it above for discussion of the advantages.

dm.metadatadev
    (Deprecated, use dm.thinpooldev)

    Specifies a custom blockdevice to use for metadata for a
    Docker-managed thin pool. See dm.datadev for why this is deprecated.

dm.blocksize
    Specifies a custom blocksize to use for the thin pool. The default
    blocksize is 64K.

    Example use: dockerd --storage-opt dm.blocksize=512K

dm.blkdiscard
    Enables or disables the use of blkdiscard when removing devicemapper
    devices. This is disabled by default due to the additional latency,
    but as a special case with loopback devices it will be enabled, in
    order to re-sparsify the loopback file on image/container removal.

    Disabling this on loopback can lead to much faster container removal
    times, but it also prevents the space used in /var/lib/docker
    directory from being returned to the system for other use when
    containers are removed.

    Example use: dockerd --storage-opt dm.blkdiscard=false

dm.override_udev_sync_check
    By default, the devicemapper backend attempts to synchronize with the
    udev device manager for the Linux kernel. This option allows
    disabling that synchronization, to continue even though the
    configuration may be buggy.

    To view the udev sync support of a Docker daemon that is using the
    devicemapper driver, run:

        $ docker info
        [...]
         Udev Sync Supported: true
        [...]

    When udev sync support is true, then devicemapper and udev can
    coordinate the activation and deactivation of devices for containers.

    When udev sync support is false, a race condition occurs between the
    devicemapper and udev during create and cleanup. The race condition
    results in errors and failures. (For information on these failures,
    see docker#4036 ⟨https://github.com/docker/docker/issues/4036⟩)

    To allow the docker daemon to start, regardless of whether udev sync
    is false, set dm.override_udev_sync_check to true:

        $ dockerd --storage-opt dm.override_udev_sync_check=true

    When this value is true, the driver continues and simply warns you
    the errors are happening.

    Note: The ideal is to pursue a docker daemon and environment that
    does support synchronizing with udev. For further discussion on this
    topic, see docker#4036
    ⟨https://github.com/docker/docker/issues/4036⟩. Otherwise, set this
    flag for migrating existing Docker daemons to a daemon with a
    supported environment.

dm.min_free_space
    Specifies the minimum free space percentage in a thin pool required
    for new device creation to succeed. This check applies to both free
    data space and free metadata space. Valid values are from 0% - 99%.
    Value 0% disables the free space checking logic. If the user does
    not specify a value for this option, the Engine uses a default value
    of 10%.

    Whenever a new thin pool device is created (during docker pull or
    during container creation), the Engine checks if the minimum free
    space is available. If the space is unavailable, then device creation
    fails and any relevant docker operation fails.

    To recover from this error, you must create more free space in the
    thin pool. You can create free space by deleting some images and
    containers from the thin pool. You can also add more storage to the
    thin pool.

    To add more space to an LVM (logical volume management) thin pool,
    just add more storage to the group container thin pool; this should
    automatically resolve any errors. If your configuration uses loop
    devices, then stop the Engine daemon, grow the size of loop files and
    restart the daemon to resolve the issue.

    Example use: dockerd --storage-opt dm.min_free_space=10%

dm.xfs_nospace_max_retries
    Specifies the maximum number of retries XFS should attempt to
    complete IO when an ENOSPC (no space) error is returned by the
    underlying storage device.

    By default XFS retries infinitely for IO to finish and this can
    result in an unkillable process. To change this behavior one can set
    xfs_nospace_max_retries to e.g. 0 and XFS will not retry IO after
    getting ENOSPC and will shut down the filesystem.

    Example use:

        $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

dm.libdm_log_level
    Specifies the maximum libdm log level that will be forwarded to the
    dockerd log (as specified by --log-level). This option is primarily
    intended for debugging problems involving libdm. Using values other
    than the defaults may cause false-positive warnings to be logged.

    Values specified must fall within the range of valid libdm log
    levels. At the time of writing, the following is the list of libdm
    log levels as well as their corresponding levels when output by
    dockerd.

    ┌─────────────┬───────┬─────────────┐
    │ libdm Level │ Value │ --log-level │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_FATAL  │ 2     │ error       │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_ERR    │ 3     │ error       │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_WARN   │ 4     │ warn        │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_NOTICE │ 5     │ info        │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_INFO   │ 6     │ info        │
    ├─────────────┼───────┼─────────────┤
    │ _LOG_DEBUG  │ 7     │ debug       │
    └─────────────┴───────┴─────────────┘

    Example use:

        $ sudo dockerd \
              --log-level debug \
              --storage-opt dm.libdm_log_level=7

zfs.fsname
    Set the zfs filesystem under which docker will create its own
    datasets. By default docker will pick up the zfs filesystem where the
    docker graph (/var/lib/docker) is located.

    Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker

btrfs.min_space
    Specifies the minimum size to use when creating the subvolume which
    is used for containers. If the user uses disk quota for btrfs when
    creating or running a container with the --storage-opt size option,
    docker should ensure the size cannot be smaller than btrfs.min_space.

    Example use: dockerd -s btrfs --storage-opt btrfs.min_space=10G

Docker's access authorization can be extended by authorization plugins
that your organization can purchase or build themselves. You can
install one or more authorization plugins when you start the Docker
daemon using the --authorization-plugin=PLUGIN_ID option.

        dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

The PLUGIN_ID value is either the plugin's name or a path to its
specification file. The plugin's implementation determines whether you
can specify a name or path. Consult with your Docker administrator to
get information about the plugins available to you.

Once a plugin is installed, requests made to the daemon through the
command line or Docker's Engine API are allowed or denied by the
plugin. If you have multiple plugins installed, each plugin, in order,
must allow the request for it to complete.

For information about how to create an authorization plugin, see access
authorization plugin
⟨https://docs.docker.com/engine/extend/plugins_authorization/⟩ section
in the Docker extend section of this documentation.

You can configure the runtime using options specified with the
--exec-opt flag. All the flag's options have the native prefix. A
single native.cgroupdriver option is available.

The native.cgroupdriver option specifies the management of the
container's cgroups. You can only specify cgroupfs or systemd. If you
specify systemd and it is not available, the system errors out. If you
omit the native.cgroupdriver option, cgroupfs is used on cgroup v1
hosts, and systemd is used on cgroup v2 hosts with systemd available.

This example sets the cgroupdriver to systemd:

        $ sudo dockerd --exec-opt native.cgroupdriver=systemd

Setting this option applies to all containers the daemon launches.

Sept 2015, Originally compiled by Shishir Mahajan
shishir.mahajan@redhat.com ⟨mailto:shishir.mahajan@redhat.com⟩ based on
docker.com source material and internal work.

Docker Community                SEPTEMBER 2015                DOCKERD(8)