% DOCKER(8) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
dockerd - Enable daemon mode

# SYNOPSIS
**dockerd**
[**--add-runtime**[=*[]*]]
[**--allow-nondistributable-artifacts**[=*[]*]]
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**--config-file**[=*/etc/docker/daemon.json*]]
[**--containerd**[=*SOCKET-PATH*]]
[**--data-root**[=*/var/lib/docker*]]
[**-D**|**--debug**]
[**--default-cgroupns-mode**[=*host*]]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-address-pool**[=*DEFAULT-ADDRESS-POOL*]]
[**--default-runtime**[=*runc*]]
[**--default-ipc-mode**=*MODE*]
[**--default-shm-size**[=*64MiB*]]
[**--default-ulimit**[=*[]*]]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--experimental**[=*false*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--init**[=*false*]]
[**--init-path**[=*""*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**]
[**--isolation**[=*default*]]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--live-restore**[=*false*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**--max-concurrent-downloads**[=*3*]]
[**--max-concurrent-uploads**[=*5*]]
[**--max-download-attempts**[=*5*]]
[**--node-generic-resources**[=*[]*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--raw-logs**]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--seccomp-profile**[=*SECCOMP-PROFILE-PATH*]]
[**--selinux-enabled**]
[**--shutdown-timeout**[=*15*]]
[**--storage-opt**[=*[]*]]
[**--swarm-default-advertise-addr**[=*IP|INTERFACE*]]
[**--tls**]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**]
[**--userland-proxy**[=*true*]]
[**--userland-proxy-path**[=*""*]]
[**--userns-remap**[=*default*]]

# DESCRIPTION
**dockerd** starts the Docker daemon, the server process that manages images,
containers, etc.

To run the Docker daemon, invoke **dockerd**.
You can check the daemon options using **dockerd --help**.
Daemon options should be specified after the **dockerd** keyword in the
following format.

**dockerd [OPTIONS]**

# OPTIONS

**--add-runtime**=[]
  Runtimes can be registered with the daemon either via the
  configuration file or using the `--add-runtime` command line argument.

  The following is an example adding 2 runtimes via the configuration:

```json
{
	"default-runtime": "runc",
	"runtimes": {
		"runc": {
			"path": "runc"
		},
		"custom": {
			"path": "/usr/local/bin/my-runc-replacement",
			"runtimeArgs": [
				"--debug"
			]
		}
	}
}
```

  This is the same example via the command line:

```bash
$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
```

  **Note**: defining runtime arguments via the command line is not supported.

**--allow-nondistributable-artifacts**=[]
  Push nondistributable artifacts to the specified registries.

  The list can contain elements with CIDR notation to specify a whole subnet.

  This option is useful when pushing images containing nondistributable
  artifacts to a registry on an air-gapped network so hosts on that network can
  pull the images without connecting to another server.

  **Warning**: Nondistributable artifacts typically have restrictions on how
  and where they can be distributed and shared. Only use this feature to push
  artifacts to private registries and ensure that you are in compliance with
  any terms that cover redistributing nondistributable artifacts.

**--api-cors-header**=""
  Set CORS headers in the Engine API. CORS is disabled by default. Give URLs like
  "http://foo, http://bar, ...". Give "*" to allow all.

**--authorization-plugin**=""
  Set authorization plugins to load.

**-b**, **--bridge**=""
  Attach containers to a pre\-existing network bridge; use 'none' to disable
  container networking.

**--bip**=""
  Use the provided CIDR notation address for the dynamically created bridge
  (docker0); mutually exclusive with \-b.

**--cgroup-parent**=""
  Set parent cgroup for all containers. Default is "/docker" for fs cgroup
  driver and "system.slice" for systemd cgroup driver.

**--cluster-store**=""
  URL of the distributed storage backend.

**--cluster-advertise**=""
  Specifies the `host:port` or `interface:port` combination that this
  particular daemon instance should use when advertising itself to the cluster.
  The daemon is reached through this value.

**--cluster-store-opt**=""
  Specifies options for the Key/Value store.

**--config-file**="/etc/docker/daemon.json"
  Specifies the JSON file path to load the configuration from.

**--containerd**=""
  Path to containerd socket.

**--data-root**=""
  Path to the directory used to store persisted Docker data such as
  configuration for resources, swarm cluster state, and filesystem data for
  images, containers, and local volumes. Default is `/var/lib/docker`.

**-D**, **--debug**=*true*|*false*
  Enable debug mode. Default is false.

**--default-cgroupns-mode**="**host**|**private**"
  Set the default cgroup namespace mode for newly created containers. The argument
  can either be **host** or **private**. If unset, this defaults to `host` on cgroup v1,
  `private` on cgroup v2.

**--default-gateway**=""
  IPv4 address of the container default gateway; this address must be part of
  the bridge subnet (which is defined by \-b or \-\-bip).

**--default-gateway-v6**=""
  IPv6 address of the container default gateway.

**--default-address-pool**=""
  Default address pool from which the IPAM driver selects a subnet for the networks.
  Example: base=172.30.0.0/16,size=24 will set the default
  address pools for the selected scope networks to {172.30.[0-255].0/24}.

**--default-runtime**="runc"
  Set the default runtime if more than one is specified by `--add-runtime`.

**--default-ipc-mode**="**private**|**shareable**"
  Set the default IPC mode for newly created containers. The argument
  can either be **private** or **shareable**.

**--default-shm-size**=*64MiB*
  Set the daemon-wide default shm size for containers. Default is `64MiB`.

**--default-ulimit**=[]
  Default ulimits for containers.

**--dns**=""
  Force Docker to use specific DNS servers.

**--dns-opt**=""
  DNS options to use.

**--dns-search**=[]
  DNS search domains to use.

**--exec-opt**=[]
  Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

**--exec-root**=""
  Path to use as the root of the Docker execution state files. Default is
  `/var/run/docker`.

**--experimental**=""
  Enable the daemon experimental features.

**--fixed-cidr**=""
  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in
  the bridge subnet (which is defined by \-b or \-\-bip).

**--fixed-cidr-v6**=""
  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

**-G**, **--group**=""
  Group to assign the unix socket specified by -H when running in daemon mode.
  Use '' (the empty string) to disable setting of a group. Default is `docker`.

**-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
  The socket(s) to bind to in daemon mode specified using one or more
  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

**--help**
  Print usage statement.

**--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If
  disabled, containers can still be linked together using the **--link** option
  (see **docker-run(1)**). Default is true.

**--init**
  Run an init process inside containers for signal forwarding and process
  reaping.

**--init-path**
  Path to the docker-init binary.

**--insecure-registry**=[]
  Enable insecure registry communication, i.e., enable un-encrypted and/or
  untrusted communication.

  The list of insecure registries can contain an element with CIDR notation to
  specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS
  with certificates from unknown CAs.

  Enabling `--insecure-registry` is useful when running a local registry.
  However, because its use creates security vulnerabilities, it should ONLY be
  enabled for testing purposes. For increased security, users should add their
  CA to their system's list of trusted CAs instead of using
  `--insecure-registry`.

**--ip**=""
  Default IP address to use when binding container ports. Default is `0.0.0.0`.

**--ip-forward**=*true*|*false*
  Enables IP forwarding on the Docker host. The default is `true`. This flag
  interacts with the IP forwarding setting on your host system's kernel. If
  your system has IP forwarding disabled, this setting enables it. If your
  system has IP forwarding enabled, setting this flag to `--ip-forward=false`
  has no effect.

  This setting will also enable IPv6 forwarding if you have both
  `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject
  Router Advertisements and interfere with the host's existing IPv6
  configuration. For more information, please consult the documentation about
  "Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
  Enable IP masquerading for the bridge's IP range. Default is true.

**--iptables**=*true*|*false*
  Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled
  bridge with address fe80::1 which will allow you to create IPv6-enabled
  containers. Use together with `--fixed-cidr-v6` to provide globally routable
  IPv6 addresses. IPv6 forwarding will be enabled if not used with
  `--ip-forward=false`. This may collide with your host's current IPv6
  settings. For more information, please consult the documentation about
  "Advanced Networking - IPv6".

**--isolation**="*default*"
  Isolation specifies the type of isolation technology used by containers.
  Note that the default on Windows server is `process`, and the default on
  Windows client is `hyperv`. Linux only supports `default`.

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
  Set the logging level. Default is `info`.

**--label**="[]"
  Set key=value labels to the daemon (displayed in `docker info`).

**--live-restore**=*false*
  Enable live restore of running containers when the daemon starts so that they
  are not restarted. This option applies only to a Docker daemon running
  on a Linux host.

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
  Default driver for container logs. Default is `json-file`.
  **Warning**: The `docker logs` command works only with the `json-file` logging driver.

**--log-opt**=[]
  Logging driver specific options.

**--mtu**=*0*
  Set the containers' network MTU. Default is `0`.

**--max-concurrent-downloads**=*3*
  Set the max concurrent downloads for each pull. Default is `3`.

**--max-concurrent-uploads**=*5*
  Set the max concurrent uploads for each push. Default is `5`.

**--max-download-attempts**=*5*
  Set the max download attempts for each pull. Default is `5`.

**--node-generic-resources**=*[]*
  Advertise user-defined resource. Default is `[]`.
  Use this if your swarm cluster has some nodes with custom
  resources (e.g., NVIDIA GPU, SSD, ...) and you need your services to land on
  nodes advertising these resources.
  Usage example: `--node-generic-resources "NVIDIA-GPU=UUID1" --node-generic-resources "NVIDIA-GPU=UUID2"`

**-p**, **--pidfile**=""
  Path to use for daemon PID file. Default is `/var/run/docker.pid`.

**--raw-logs**
  Output daemon logs in full timestamp format without ANSI coloring. If this
  flag is not set, the daemon outputs condensed, colorized logs if a terminal
  is detected, or full ("raw") output otherwise.

**--registry-mirror**=*<scheme>://<host>*
  Prepend a registry mirror to be used for image pulls. May be specified
  multiple times.

**-s**, **--storage-driver**=""
  Force the Docker runtime to use a specific storage driver.

**--seccomp-profile**=""
  Path to seccomp profile.

**--selinux-enabled**=*true*|*false*
  Enable selinux support. Default is false.

**--shutdown-timeout**=*15*
  Set the shutdown timeout value in seconds. Default is `15`.

**--storage-opt**=[]
  Set storage driver options. See STORAGE DRIVER OPTIONS.

**--swarm-default-advertise-addr**=*IP|INTERFACE*
  Set default address or interface for swarm to advertise as its
  externally-reachable address to other cluster members. This can be a
  hostname, an IP address, or an interface such as `eth0`. A port cannot be
  specified with this option.

**--tls**=*true*|*false*
  Use TLS; implied by --tlsverify. Default is false.

**--tlscacert**=*~/.docker/ca.pem*
  Trust certs signed only by this CA.

**--tlscert**=*~/.docker/cert.pem*
  Path to TLS certificate file.

**--tlskey**=*~/.docker/key.pem*
  Path to TLS key file.

**--tlsverify**=*true*|*false*
  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
  Default is false.

**--userland-proxy**=*true*|*false*
  Rely on a userland proxy implementation for inter-container and
  outside-to-container loopback communications. Default is true.

**--userland-proxy-path**=""
  Path to the userland proxy binary.

**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
  Enable user namespaces for containers on the daemon. Specifying "default"
  will cause a new user and group to be created to handle UID and GID range
  remapping for the user namespace mappings used for contained processes.
  Specifying a user (or uid) and optionally a group (or gid) will cause the
  daemon to look up the user and group's subordinate ID ranges for use as the
  user namespace mappings for contained processes.
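
An added example (not part of the original manual page and not Docker project code): a small Python audit of a `daemon.json` for the security-relevant options described above (`--host`, `--tls`/`--tlsverify`, `--authorization-plugin`, `--insecure-registry`, `--api-cors-header`, `--icc`, `--userns-remap`). It assumes the configuration file's spelling of those flags (`hosts`, `authorization-plugins`, `insecure-registries`); the sample configs, addresses, plugin name and severity labels are constructed for illustration.

```python
import json

# Constructed sample configurations for illustration (not from the manual page).
WEAK = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": true,
  "insecure-registries": ["10.0.0.0/8"],
  "api-cors-header": "*"
}"""

HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "userns-remap": "default",
  "authorization-plugins": ["example-authz"]
}"""


def audit_daemon_config(text):
    """Return a list of (severity, key, message) findings for daemon.json text."""
    cfg = json.loads(text)
    findings = []

    # -H/--host: any tcp:// entry puts the Engine API on the network.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        # --tls only enables TLS; the daemon verifies clients only with
        # --tlsverify, so "tls": true on its own does not clear this finding.
        if not cfg.get("tlsverify", False):
            findings.append(("HIGH", "hosts",
                             "Engine API on %s without tlsverify: clients are "
                             "not verified" % ", ".join(tcp_hosts)))
        # --authorization-plugin: without one, no request is allowed or denied
        # per plugin policy.
        if not cfg.get("authorization-plugins"):
            findings.append(("LOW", "authorization-plugins",
                             "network-reachable API has no authorization plugin"))

    # --insecure-registry: HTTP or unknown-CA HTTPS; the page says testing only.
    if cfg.get("insecure-registries"):
        findings.append(("HIGH", "insecure-registries",
                         "unverified registry communication enabled for %s"
                         % ", ".join(cfg["insecure-registries"])))

    # --api-cors-header: "*" allows all origins.
    if str(cfg.get("api-cors-header", "")).strip() == "*":
        findings.append(("MEDIUM", "api-cors-header",
                         "CORS header allows all origins"))

    # --icc defaults to true (unrestricted inter-container communication).
    if cfg.get("icc", True):
        findings.append(("LOW", "icc",
                         "inter-container communication is unrestricted"))

    # --userns-remap is only active when set.
    if not cfg.get("userns-remap"):
        findings.append(("LOW", "userns-remap",
                         "user namespace remapping is not enabled"))

    return findings


def keys_flagged(text):
    """Convenience helper: the set of configuration keys with findings."""
    return {key for _sev, key, _msg in audit_daemon_config(text)}


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print("== %s ==" % name)
        for sev, key, msg in audit_daemon_config(text) or [("OK", "-", "no findings")]:
            print("%-6s %-22s %s" % (sev, key, msg))
```

The same checks apply to flags passed on the `dockerd` command line; this sketch only reads the configuration file form.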

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The
backends that currently take options are *devicemapper*, *zfs* and *btrfs*.
Options for *devicemapper* are prefixed with *dm*, options for *zfs*
start with *zfs* and options for *btrfs* start with *btrfs*.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use `lvm` to create a thin pool; for
more information see `man lvmthin`. Then, use `--storage-opt
dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

## Devicemapper options

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use `lvm`
to create and manage the thin-pool volume. This volume is then handed to Docker
to exclusively create snapshot volumes needed for images and containers.

Managing the thin-pool outside of Engine makes for the most feature-rich
method of having Docker utilize device mapper thin provisioning as the
backing storage for Docker containers. The highlights of the lvm-based
thin-pool management feature include: automatic or interactive thin-pool
resize support, dynamically changing thin-pool features, automatic thinp
metadata checking when lvm activates the thin-pool, etc.

As a fallback if no thin pool is provided, loopback files are
created. Loopback is very slow, but can be used without any
pre-configuration of storage. It is strongly recommended that you do
not use loopback in production. Ensure your Engine daemon has a
`--storage-opt dm.thinpooldev` argument provided.

Example use:

    $ dockerd \
          --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

#### dm.directlvm_device

As an alternative to manually creating a thin pool as above, Docker can
automatically configure a block device for you.

Example use:

    $ dockerd \
          --storage-opt dm.directlvm_device=/dev/xvdf

##### dm.thinp_percent

Sets the percentage of the passed-in block device to use for storage.

###### Example:

    $ sudo dockerd \
          --storage-opt dm.thinp_percent=95

##### dm.thinp_metapercent

Sets the percentage of the passed-in block device to use for metadata storage.

###### Example:

    $ sudo dockerd \
          --storage-opt dm.thinp_metapercent=1

##### dm.thinp_autoextend_threshold

Sets the value of the percentage of space used before `lvm` attempts to
autoextend the available space [100 = disabled].

###### Example:

    $ sudo dockerd \
          --storage-opt dm.thinp_autoextend_threshold=80

##### dm.thinp_autoextend_percent

Sets the percentage value to increase the thin pool by when `lvm`
attempts to autoextend the available space [100 = disabled].

###### Example:

    $ sudo dockerd \
          --storage-opt dm.thinp_autoextend_percent=20

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note,
thin devices are inherently "sparse", so a 10G device which is mostly
empty doesn't use 10 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

The base device size can be increased at daemon restart which will allow
all future images and containers (based on those new images) to be of the
new base device size.

Example use: `dockerd --storage-opt dm.basesize=50G`

This will increase the base device size to 50G. The Docker daemon will throw an
error if the existing base device size is larger than 50G. A user can use
this option to expand the base device size; however, shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images. Typically, a change to this
value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Example use: `dockerd --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `dockerd --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `dockerd --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, then a deferred removal is scheduled on the
device. The device then goes away automatically when its last user
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a
busy device.

Example use: `dockerd --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver cannot
remove a device, the container deletion fails and the daemon returns:

`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when unintentional leaking of a mount point happens across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the "data" device
which is used for the thin pool. The default size is 100G. The file is sparse,
so it will not initially take up this much space.

Example use: `dockerd --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the "metadata"
device which is used for the thin pool. The default size is 2G. The file is
sparse, so it will not initially take up this much space.

Example use: `dockerd --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for data for a Docker-managed thin pool.
It is better to use `dm.thinpooldev` - see the documentation for it above for
discussion of the advantages.

#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for metadata for a Docker-managed thin
pool. See `dm.datadev` for why this is deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: `dockerd --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper devices.
This is disabled by default due to the additional latency, but as a special
case with loopback devices it will be enabled, in order to re-sparsify the
loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal times,
but it also prevents the space used in the `/var/lib/docker` directory from being
returned to the system for other use when containers are removed.

Example use: `dockerd --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the `udev`
device manager for the Linux kernel. This option allows disabling that
synchronization, to continue even though the configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between
`devicemapper` and `udev` during create and cleanup. The race condition results
in errors and failures. (For information on these failures, see
[docker#4036](https://github.com/docker/docker/issues/4036).)

To allow the `docker` daemon to start, regardless of whether `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

    $ dockerd --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you that the
errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment that does
support synchronizing with `udev`. For further discussion on this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag for migrating existing Docker daemons to a daemon with
a supported environment.

#### dm.min_free_space

Specifies the minimum free space percentage in a thin pool required for new
device creation to succeed. This check applies to both free data space as well
as free metadata space. Valid values are from 0% - 99%. Value 0% disables
free space checking logic. If the user does not specify a value for this option,
the Engine uses a default value of 10%.

Whenever a new thin pool device is created (during `docker pull` or during
container creation), the Engine checks if the minimum free space is available.
If the space is unavailable, then device creation fails and any relevant
`docker` operation fails.

To recover from this error, you must create more free space in the thin pool.
You can create free space by deleting some images and
containers from the thin pool. You can also add more storage to the thin pool.

To add more space to an LVM (logical volume management) thin pool, just add
more storage to the volume group containing the thin pool; this should
automatically resolve any errors. If your configuration uses loop devices, then
stop the Engine daemon, grow the size of the loop files and restart the daemon
to resolve the issue.

Example use: `dockerd --storage-opt dm.min_free_space=10%`

#### dm.xfs_nospace_max_retries

Specifies the maximum number of retries XFS should attempt to complete IO when
an ENOSPC (no space) error is returned by the underlying storage device.

By default, XFS retries infinitely for IO to finish, and this can result in an
unkillable process. To change this behavior, set xfs_nospace_max_retries
to, say, 0; XFS will then not retry IO after getting ENOSPC and will shut down
the filesystem.

Example use:

    $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

##### dm.libdm_log_level

Specifies the maximum libdm log level that will be forwarded to the dockerd
log (as specified by --log-level). This option is primarily intended for
debugging problems involving libdm. Using values other than the defaults may
cause false-positive warnings to be logged.

Values specified must fall within the range of valid libdm log levels. At the
time of writing, the following is the list of libdm log levels as well as their
corresponding levels when output by dockerd.

| libdm Level | Value | --log-level |
| ----------- | -----:| ----------- |
| _LOG_FATAL  |     2 | error       |
| _LOG_ERR    |     3 | error       |
| _LOG_WARN   |     4 | warn        |
| _LOG_NOTICE |     5 | info        |
| _LOG_INFO   |     6 | info        |
| _LOG_DEBUG  |     7 | debug       |

Example use:

    $ sudo dockerd \
          --log-level debug \
          --storage-opt dm.libdm_log_level=7

## ZFS options

#### zfs.fsname

Set the zfs filesystem under which docker will create its own datasets. By default
docker will pick up the zfs filesystem where the docker graph (`/var/lib/docker`)
is located.

Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`

## Btrfs options

#### btrfs.min_space

Specifies the minimum size to use when creating the subvolume which is used for
containers. If the user uses disk quota for btrfs when creating or running a
container with the **--storage-opt size** option, docker should ensure the **size**
cannot be smaller than **btrfs.min_space**.

Example use: `dockerd -s btrfs --storage-opt btrfs.min_space=10G`

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise the node within the cluster. Some Key/Value
backends support mutual TLS, and the client TLS settings used by the daemon can
be configured using the **--cluster-store-opt** flag, specifying the paths to
PEM encoded files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust.

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate. This
certificate is used as the client cert for communication with the Key/Value
store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key. This
private key is used as the client key for communication with the Key/Value
store.

# Access authorization

Docker's access authorization can be extended by authorization plugins that
your organization can purchase or build itself. You can install one or more
authorization plugins when you start the Docker `daemon` using the
`--authorization-plugin=PLUGIN_ID` option.

```bash
dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
```

The `PLUGIN_ID` value is either the plugin's name or a path to its
specification file. The plugin's implementation determines whether you can
specify a name or path. Consult with your Docker administrator to get
information about the plugins available to you.

Once a plugin is installed, requests made to the `daemon` through the
command line or Docker's Engine API are allowed or denied by the plugin.
If you have multiple plugins installed, each plugin, in order, must
allow the request for it to complete.

For information about how to create an authorization plugin, see the [access authorization
plugin](https://docs.docker.com/engine/extend/plugins_authorization/) section in the
Docker extend section of this documentation.

# RUNTIME EXECUTION OPTIONS

You can configure the runtime using options specified with the `--exec-opt` flag.
All the flag's options have the `native` prefix. A single `native.cgroupdriver`
option is available.

The `native.cgroupdriver` option specifies the management of the container's
cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
`systemd` and it is not available, the system errors out. If you omit the
`native.cgroupdriver` option, `cgroupfs` is used on cgroup v1 hosts, and `systemd`
is used on cgroup v2 hosts with systemd available.

This example sets the `cgroupdriver` to `systemd`:

```bash
$ sudo dockerd --exec-opt native.cgroupdriver=systemd
```

Setting this option applies to all containers the daemon launches.

# HISTORY
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
based on docker.com source material and internal work.