% DOCKER(1) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
docker-daemon - Enable daemon mode

# SYNOPSIS
**docker daemon**
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**-D**|**--debug**[=*false*]]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-ulimit**[=*[]*]]
[**--disable-legacy-registry**[=*false*]]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**-e**|**--exec-driver**[=*native*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-g**|**--graph**[=*/var/lib/docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**[=*false*]]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--selinux-enabled**[=*false*]]
[**--storage-opt**[=*[]*]]
[**--tls**[=*false*]]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**[=*false*]]
[**--userland-proxy**[=*true*]]

# DESCRIPTION
**docker** has two distinct functions. It is used for starting the Docker
daemon and to run the CLI (i.e., to command the daemon to manage images,
containers etc.).
So **docker** is both a server, as a daemon, and a client
to the daemon, through the CLI.

To run the Docker daemon you can specify **docker daemon**.
You can check the daemon options using **docker daemon --help**.
Daemon options should be specified after the **daemon** keyword in the following
format.

**docker daemon [OPTIONS]**

# OPTIONS

**--api-cors-header**=""
  Set CORS headers in the remote API. Default is CORS disabled. Give URLs like "http://foo, http://bar, ...". Give "*" to allow all. Allowing all lets any web page a user visits drive the API through that user's browser, so only do so on a listener that is protected by **--tlsverify**.

**-b**, **--bridge**=""
  Attach containers to a pre\-existing network bridge; use 'none' to disable container networking.

**--bip**=""
  Use the provided CIDR notation address for the dynamically created bridge (docker0); mutually exclusive with \-b.

**--cluster-store**=""
  URL of the distributed storage backend.

**--cluster-advertise**=""
  Specifies the 'host:port' or `interface:port` combination that this particular
  daemon instance should use when advertising itself to the cluster. The daemon
  is reached through this value.

**--cluster-store-opt**=""
  Specifies options for the Key/Value store. See CLUSTER STORE OPTIONS.

**-D**, **--debug**=*true*|*false*
  Enable debug mode. Default is false.

**--default-gateway**=""
  IPv4 address of the container default gateway; this address must be part of the bridge subnet (which is defined by \-b or \-\-bip).

**--default-gateway-v6**=""
  IPv6 address of the container default gateway.

**--default-ulimit**=[]
  Set default ulimits for containers.

**--disable-legacy-registry**=*true*|*false*
  Do not contact legacy registries.

**--dns**=""
  Force Docker to use specific DNS servers.

**--dns-opt**=""
  DNS options to use.

**--dns-search**=[]
  DNS search domains to use.

**-e**, **--exec-driver**=""
  Force Docker to use a specific exec driver. Default is `native`.
**--exec-opt**=[]
  Set exec driver options.

**--exec-root**=""
  Path to use as the root of the Docker exec driver. Default is `/var/run/docker`.

**--fixed-cidr**=""
  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in the bridge subnet (which is defined by \-b or \-\-bip).

**--fixed-cidr-v6**=""
  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

**-G**, **--group**=""
  Group to assign the unix socket specified by -H when running in daemon mode.
  Use '' (the empty string) to disable setting of a group. Default is `docker`.
  Anyone who can write to the socket can run arbitrary containers with host
  mounts, which is root-equivalent access to the host; treat membership of this
  group like sudo rights.

**-g**, **--graph**=""
  Path to use as the root of the Docker runtime. Default is `/var/lib/docker`.

**-H**, **--host**=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
  The socket(s) to bind to in daemon mode specified using one or more
  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
  A tcp:// listener has no authentication of its own: without **--tlsverify**
  every client that can reach the port gets the same control over the daemon,
  and therefore the host, as a member of the socket's group.

**--help**
  Print usage statement.

**--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. With the default, every container on the bridge can reach every port of every other container, published or not. If disabled, containers can still be linked together using the **--link** option (see **docker-run(1)**). Default is true.

**--insecure-registry**=[]
  Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.

  The list of insecure registries can contain an element in CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.

  Enabling `--insecure-registry` is useful when running a local registry. However, because anyone on the network path to such a registry can substitute image content, it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using `--insecure-registry`.
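A socket exposed with **-H** tcp:// and no client verification, or a registry listed under **--insecure-registry**, is exactly the kind of setting that gets copied from a test host into production. The following shell function is an added example and not part of Docker: it audits a planned `docker daemon` argument list for those combinations, using the flags documented in this page (**-H**, **--tls**, **--tlsverify**, **--insecure-registry**, **--api-cors-header**). Which combinations count as findings is the script's own policy, not something the daemon enforces.

```shell
#!/bin/sh
# Added example, not part of the Docker project: audit a planned
# `docker daemon` command line for the exposure described under OPTIONS.
# Flag names are the daemon's; the policy (what is a finding) is ours.

# audit_daemon_args [daemon flags...]
# Prints one finding per line; returns 0 when nothing was flagged, 1 otherwise.
audit_daemon_args() {
    tcp='' tls=0 tlsverify=0 rc=0 name='' val=''
    for arg in "$@"; do
        # Normalise "--flag=value" and "--flag value" into a name/value pair.
        # A bare flag (--tls) keeps an empty value; a bare word is the value
        # for the most recent flag name.
        case "$arg" in
            -*=*) name=${arg%%=*}; val=${arg#*=} ;;
            -*)   name=$arg; val='' ;;
            *)    val=$arg ;;
        esac
        case "$name" in
            -H|--host)
                case "$val" in tcp://*) tcp=$val ;; esac ;;
            --tls)
                if [ "$val" != false ]; then tls=1; fi ;;
            --tlsverify)
                if [ "$val" != false ]; then tlsverify=1; fi ;;
            --insecure-registry)
                if [ -n "$val" ]; then
                    echo "insecure-registry $val: plain HTTP or unverified TLS lets an on-path attacker substitute images; test use only"
                    rc=1
                fi ;;
            --api-cors-header)
                if [ "$val" = '*' ]; then
                    echo "api-cors-header *: any web origin may drive the API from a visitor's browser"
                    rc=1
                fi ;;
        esac
    done
    # The page's own rule: --tls only encrypts, --tlsverify is what makes the
    # daemon check the client's certificate against --tlscacert.
    if [ -n "$tcp" ] && [ "$tlsverify" = 0 ]; then
        if [ "$tls" = 1 ]; then
            echo "$tcp: --tls encrypts but does not authenticate clients; use --tlsverify with CA-signed client certs"
        else
            echo "$tcp: TCP listener without TLS; anyone reaching the port controls the daemon and thus the host"
        fi
        rc=1
    fi
    return $rc
}
```

Run it with the exact argument list a unit file or init script will pass, e.g. `audit_daemon_args -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem ...`; a non-zero exit means at least one finding was printed. The parser deliberately accepts both `--flag=value` and `--flag value`, since the daemon accepts both and an audit that only understood one spelling would be trivially bypassed.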
**--ip**=""
  Default IP address to use when binding container ports. Default is `0.0.0.0`, which publishes container ports on every interface of the host; give an internal address to keep published ports off public interfaces.

**--ip-forward**=*true*|*false*
  Enables IP forwarding on the Docker host. The default is `true`. This flag interacts with the IP forwarding setting on your host system's kernel. If your system has IP forwarding disabled, this setting enables it. If your system has IP forwarding enabled, setting this flag to `--ip-forward=false` has no effect.

  This setting will also enable IPv6 forwarding if you have both `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
  Enable IP masquerading for the bridge's IP range. Default is true.

**--iptables**=*true*|*false*
  Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled bridge with address fe80::1 which will allow you to create IPv6-enabled containers. Use together with `--fixed-cidr-v6` to provide globally routable IPv6 addresses. IPv6 forwarding will be enabled if not used with `--ip-forward=false`. This may collide with your host's current IPv6 settings. For more information please consult the documentation about "Advanced Networking - IPv6".

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
  Set the logging level. Default is `info`.

**--label**="[]"
  Set key=value labels on the daemon (displayed in `docker info`).

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*none*"
  Default driver for container logs. Default is `json-file`.
  **Warning**: the `docker logs` command works only for the `json-file` logging driver.

**--log-opt**=[]
  Logging driver specific options.
**--mtu**=VALUE
  Set the containers' network MTU. Default is `0`.

**-p**, **--pidfile**=""
  Path to use for the daemon PID file. Default is `/var/run/docker.pid`.

**--registry-mirror**=<scheme>://<host>
  Prepend a registry mirror to be used for image pulls. May be specified multiple times.

**-s**, **--storage-driver**=""
  Force the Docker runtime to use a specific storage driver.

**--selinux-enabled**=*true*|*false*
  Enable SELinux support. Default is false. SELinux does not presently support the BTRFS storage driver.

**--storage-opt**=[]
  Set storage driver options. See STORAGE DRIVER OPTIONS.

**--tls**=*true*|*false*
  Use TLS; implied by --tlsverify. Default is false. On its own this only
  encrypts the connection; it does not check who the client is, so a tcp://
  listener still needs **--tlsverify** to keep unauthorised clients out.

**--tlscacert**=~/.docker/ca.pem
  Trust certs signed only by this CA.

**--tlscert**=~/.docker/cert.pem
  Path to TLS certificate file.

**--tlskey**=~/.docker/key.pem
  Path to TLS key file.

**--tlsverify**=*true*|*false*
  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
  Default is false. On the daemon side this is what makes a tcp:// listener
  safe to expose: a client must present a certificate signed by the CA given
  with **--tlscacert** before any request is served.

**--userland-proxy**=*true*|*false*
  Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is true.

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The only
backend that currently takes options is *devicemapper*. Therefore use these
flags with **-s=**devicemapper.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.
To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use `lvm` to create a thin pool; for
more information see `man lvmthin`. Then, use `--storage-opt
dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

Here is the list of *devicemapper* options:

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use
`lvm` to create and manage the thin-pool volume. This volume is then
handed to Docker to create snapshot volumes needed for images and
containers.

Managing the thin-pool outside of Docker makes for the most feature-rich method
of having Docker utilize device mapper thin provisioning as the backing storage
for Docker's containers. The highlights of the LVM-based thin-pool management
feature include: automatic or interactive thin-pool resize support, dynamically
changing thin-pool features, automatic thinp metadata checking when lvm activates
the thin-pool, etc.

Example use: `docker daemon --storage-opt dm.thinpooldev=/dev/mapper/thin-pool`

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 100G. Note,
thin devices are inherently "sparse", so a 100G device which is mostly
empty doesn't use 100 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images.
Typically, a change to this value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Note that the second step deletes every image, container and volume stored
under `/var/lib/docker` (or the path given with **-g**); export anything you
need before running it.

Example use: `docker daemon --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `docker daemon --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `docker daemon --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `docker daemon --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, then a deferred removal is scheduled on the
device, and the device automatically goes away when its last user
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a busy
device.

Example use: `docker daemon --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver can not
remove a device, the container deletion fails and the daemon returns:
`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`docker daemon --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when mount points unintentionally leak across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size
is 2G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for data for a
Docker-managed thin pool. It is better to use `dm.thinpooldev` - see
the documentation for it above for discussion of the advantages.
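`dm.datadev` and `dm.metadatadev` are deprecated because an LVM-managed pool handed over with `dm.thinpooldev` is what the thin-provisioning tooling (`man lvmthin`, referenced above) is built around. The following script is an added example and not part of Docker: it prepares such a pool from a dedicated block device and prints the matching daemon invocation, with the deferred removal/deletion options recommended above switched on. Commands are only printed unless `DM_APPLY=1` is set, since they wipe the device and need root. The volume-group name, the device path and the 95%/1% data/metadata split are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Docker project: build an LVM thin pool for
# dm.thinpooldev. Dry-run by default; DM_APPLY=1 executes the commands.

# run CMD...: print the command, or execute it when DM_APPLY=1.
run() {
    if [ "${DM_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# thinpool_setup VG DEVICE
# Turns DEVICE into a volume group VG holding a thin pool VG/thinpool whose
# metadata lives on its own LV, so metadata exhaustion is visible and
# resizable separately from data (the LVM-side features the page lists).
thinpool_setup() {
    vg=$1; dev=$2
    run pvcreate "$dev"
    run vgcreate "$vg" "$dev"
    # Data and metadata start as ordinary LVs; lvconvert joins them into a pool.
    run lvcreate --wipesignatures y -n thinpool "$vg" -l 95%VG
    run lvcreate --wipesignatures y -n thinpoolmeta "$vg" -l 1%VG
    # --zero n: do not zero new blocks (Docker formats them anyway);
    # -c 512K: chunk size, matching dm.blocksize's order of magnitude.
    run lvconvert -y --zero n -c 512K --thinpool "$vg/thinpool" \
        --poolmetadata "$vg/thinpoolmeta"
}

# thinpool_device VG: the /dev/mapper path Docker must be given. Device
# mapper doubles any '-' inside a VG or LV name, so "my-vg" becomes "my--vg".
thinpool_device() {
    printf '/dev/mapper/%s-thinpool\n' "$(printf '%s' "$1" | sed 's/-/--/g')"
}

# daemon_cmd VG: the daemon invocation that uses the pool built above.
daemon_cmd() {
    printf 'docker daemon --storage-driver=devicemapper'
    printf ' --storage-opt dm.thinpooldev=%s' "$(thinpool_device "$1")"
    printf ' --storage-opt dm.use_deferred_removal=true'
    printf ' --storage-opt dm.use_deferred_deletion=true\n'
}
```

Typical use is `thinpool_setup docker /dev/sdb` to review the commands, then `DM_APPLY=1 thinpool_setup docker /dev/sdb` as root, and finally `daemon_cmd docker` for the flags to put into the daemon's unit file. The device must be dedicated to Docker: `pvcreate` and `--wipesignatures y` destroy whatever was on it.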
#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for metadata for a
Docker-managed thin pool. See `dm.datadev` for why this is
deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: `docker daemon --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper
devices. This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal
times, but it also prevents the space used in the `/var/lib/docker` directory
from being returned to the system for other use when containers are
removed.

Example use: `docker daemon --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the
`udev` device manager for the Linux kernel. This option allows
disabling that synchronization, to continue even though the
configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between
`devicemapper` and `udev` during create and cleanup. The race
condition results in errors and failures.
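Before starting a daemon with `dm.override_udev_sync_check=true`, or leaving it on the loopback default warned against at the top of this section, it is worth checking what `docker info` actually reports rather than assuming. The following shell functions are an added example, not Docker's own code: they read the storage-driver fields of `docker info` output and print a finding for each of the three devicemapper conditions this page warns about (loopback files, missing udev sync, synchronous device deletion). The sample output is constructed to resemble a Docker 1.9 host; the field labels are assumed to match that version, and a field that is absent simply produces no finding.

```shell
#!/bin/sh
# Added example, not from the Docker project: preflight checks on
# `docker info` output for the devicemapper conditions this page warns about.

# Constructed sample, shaped like `docker info` from a Docker 1.9 host that
# is still on the loopback default with udev sync unavailable.
SAMPLE_INFO='Containers: 3
Images: 12
Server Version: 1.9.0
Storage Driver: devicemapper
 Pool Name: docker-8:1-1049874-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: extfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 2.1 GB
 Udev Sync Supported: false
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Execution Driver: native-0.2
Kernel Version: 3.10.0'

# info_field OUTPUT LABEL: value of the first "LABEL: value" line, or empty.
info_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# dm_preflight OUTPUT: one finding per line; returns 1 if any were found.
# Non-devicemapper drivers are out of scope and pass.
dm_preflight() {
    out=$1; rc=0
    [ "$(info_field "$out" "Storage Driver")" = devicemapper ] || return 0
    if [ -n "$(info_field "$out" "Data loop file")" ]; then
        echo "loopback thin pool in use: not for production; point dm.thinpooldev at an LVM thin pool"
        rc=1
    fi
    if [ "$(info_field "$out" "Udev Sync Supported")" = false ]; then
        echo "udev sync unsupported: create/cleanup races expected; fix the environment, use dm.override_udev_sync_check=true only to migrate"
        rc=1
    fi
    if [ "$(info_field "$out" "Deferred Removal Enabled")" = false ] ||
       [ "$(info_field "$out" "Deferred Deletion Enabled")" = false ]; then
        echo "deferred removal/deletion off: busy devices will fail container deletion; set dm.use_deferred_removal=true and dm.use_deferred_deletion=true"
        rc=1
    fi
    return $rc
}
```

Against a live host, run `dm_preflight "$(docker info)"`; the exit status makes it usable as a gate in a provisioning script, and the messages name the `--storage-opt` key that addresses each finding.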
For information on these failures, see
[docker#4036](https://github.com/docker/docker/issues/4036).

To allow the `docker` daemon to start even when `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

    $ docker daemon --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you
that the errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment
that does support synchronizing with `udev`. For further discussion on
this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag only while migrating existing Docker daemons to a
daemon with a supported environment.

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise
the node within the cluster. Some Key/Value backends support mutual
TLS, and the client TLS settings used by the daemon can be configured
using the **--cluster-store-opt** flag, specifying the paths to PEM encoded
files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust.

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate. This
certificate is used as the client cert for communication with the
Key/Value store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key. This
private key is used as the client key for communication with the
Key/Value store.

# HISTORY
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
based on docker.com source material and internal work.