github.com/docker/docker-ce@v17.12.1-ce-rc2+incompatible/components/cli/man/dockerd.8.md

% DOCKER(8) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
dockerd - Enable daemon mode

# SYNOPSIS
**dockerd**
[**--add-runtime**[=*[]*]]
[**--allow-nondistributable-artifacts**[=*[]*]]
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**--config-file**[=*/etc/docker/daemon.json*]]
[**--containerd**[=*SOCKET-PATH*]]
[**--data-root**[=*/var/lib/docker*]]
[**-D**|**--debug**]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-runtime**[=*runc*]]
[**--default-ipc-mode**=*MODE*]
[**--default-shm-size**[=*64MiB*]]
[**--default-ulimit**[=*[]*]]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--experimental**[=*false*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--init**[=*false*]]
[**--init-path**[=*""*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**]
[**--isolation**[=*default*]]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--live-restore**[=*false*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**--max-concurrent-downloads**[=*3*]]
[**--max-concurrent-uploads**[=*5*]]
[**--node-generic-resources**[=*[]*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--raw-logs**]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--seccomp-profile**[=*SECCOMP-PROFILE-PATH*]]
[**--selinux-enabled**]
[**--shutdown-timeout**[=*15*]]
[**--storage-opt**[=*[]*]]
[**--swarm-default-advertise-addr**[=*IP|INTERFACE*]]
[**--tls**]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**]
[**--userland-proxy**[=*true*]]
[**--userland-proxy-path**[=*""*]]
[**--userns-remap**[=*default*]]

# DESCRIPTION
**dockerd** starts the Docker daemon, the server process that manages images,
containers, etc.

To run the Docker daemon, invoke **dockerd**.
You can check the daemon options using **dockerd --help**.
Daemon options should be specified after the **dockerd** keyword in the
following format.

**dockerd [OPTIONS]**

# OPTIONS

**--add-runtime**=[]
Runtimes can be registered with the daemon either via the
configuration file or using the `--add-runtime` command line argument.

The following is an example adding 2 runtimes via the configuration:

```json
{
	"default-runtime": "runc",
	"runtimes": {
		"runc": {
			"path": "runc"
		},
		"custom": {
			"path": "/usr/local/bin/my-runc-replacement",
			"runtimeArgs": [
				"--debug"
			]
		}
	}
}
```

This is the same example via the command line:

```bash
$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
```

**Note**: defining runtime arguments via the command line is not supported.

**--allow-nondistributable-artifacts**=[]
Push nondistributable artifacts to the specified registries.

List can contain elements with CIDR notation to specify a whole subnet.

This option is useful when pushing images containing nondistributable
artifacts to a registry on an air-gapped network so hosts on that network can
pull the images without connecting to another server.

**Warning**: Nondistributable artifacts typically have restrictions on how
and where they can be distributed and shared. Only use this feature to push
artifacts to private registries and ensure that you are in compliance with
any terms that cover redistributing nondistributable artifacts.

**--api-cors-header**=""
Set CORS headers in the Engine API. CORS is disabled by default. Give URLs like
"http://foo, http://bar, ...". Give "*" to allow all.

**--authorization-plugin**=""
Set authorization plugins to load.

**-b**, **--bridge**=""
Attach containers to a pre\-existing network bridge; use 'none' to disable
container networking.

**--bip**=""
Use the provided CIDR notation address for the dynamically created bridge
(docker0); mutually exclusive with \-b.

**--cgroup-parent**=""
Set parent cgroup for all containers. Default is "/docker" for fs cgroup
driver and "system.slice" for systemd cgroup driver.

**--cluster-store**=""
URL of the distributed storage backend.

**--cluster-advertise**=""
Specifies the `host:port` or `interface:port` combination that this
particular daemon instance should use when advertising itself to the cluster.
The daemon is reached through this value.

**--cluster-store-opt**=""
Specifies options for the Key/Value store.

**--config-file**="/etc/docker/daemon.json"
Specifies the JSON file path to load the configuration from.

**--containerd**=""
Path to containerd socket.

**--data-root**=""
Path to the directory used to store persisted Docker data such as
configuration for resources, swarm cluster state, and filesystem data for
images, containers, and local volumes. Default is `/var/lib/docker`.

**-D**, **--debug**=*true*|*false*
Enable debug mode. Default is false.

**--default-gateway**=""
IPv4 address of the container default gateway; this address must be part of
the bridge subnet (which is defined by \-b or \--bip).

**--default-gateway-v6**=""
IPv6 address of the container default gateway.

**--default-runtime**="runc"
Set the default runtime when more than one is specified by `--add-runtime`.

**--default-ipc-mode**="**private**|**shareable**"
Set the default IPC mode for newly created containers. The argument
can either be **private** or **shareable**.

**--default-shm-size**=*64MiB*
Set the daemon-wide default shm size for containers. Default is `64MiB`.

**--default-ulimit**=[]
Default ulimits for containers.

**--dns**=""
Force Docker to use specific DNS servers.

**--dns-opt**=""
DNS options to use.

**--dns-search**=[]
DNS search domains to use.

**--exec-opt**=[]
Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

**--exec-root**=""
Path to use as the root of the Docker execution state files. Default is
`/var/run/docker`.

**--experimental**=""
Enable the daemon experimental features.

**--fixed-cidr**=""
IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in
the bridge subnet (which is defined by \-b or \-\-bip).

**--fixed-cidr-v6**=""
IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

**-G**, **--group**=""
Group to assign the unix socket specified by -H when running in daemon mode.
Use '' (the empty string) to disable setting of a group. Default is `docker`.

**-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
The socket(s) to bind to in daemon mode specified using one or more
tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

**--help**
Print usage statement

**--icc**=*true*|*false*
Allow unrestricted inter\-container and Docker daemon host communication. If
disabled, containers can still be linked together using the **--link** option
(see **docker-run(1)**). Default is true.

**--init**
Run an init process inside containers for signal forwarding and process
reaping.

**--init-path**
Path to the docker-init binary.

**--insecure-registry**=[]
Enable insecure registry communication, i.e., enable un-encrypted and/or
untrusted communication.

List of insecure registries can contain an element with CIDR notation to
specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS
with certificates from unknown CAs.

Enabling `--insecure-registry` is useful when running a local registry.
However, because its use creates security vulnerabilities it should ONLY be
enabled for testing purposes. For increased security, users should add their
CA to their system's list of trusted CAs instead of using
`--insecure-registry`.

**--ip**=""
Default IP address to use when binding container ports. Default is `0.0.0.0`.

**--ip-forward**=*true*|*false*
Enables IP forwarding on the Docker host. The default is `true`. This flag
interacts with the IP forwarding setting on your host system's kernel. If
your system has IP forwarding disabled, this setting enables it. If your
system has IP forwarding enabled, setting this flag to `--ip-forward=false`
has no effect.

This setting will also enable IPv6 forwarding if you have both
`--ip-forward=true` and `--fixed-cidr-v6` set.
Note that this may reject
Router Advertisements and interfere with the host's existing IPv6
configuration. For more information, please consult the documentation about
"Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
Enable IP masquerading for bridge's IP range. Default is true.

**--iptables**=*true*|*false*
Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
Enable IPv6 support. Default is false. Docker will create an IPv6-enabled
bridge with address fe80::1 which will allow you to create IPv6-enabled
containers. Use together with `--fixed-cidr-v6` to provide globally routable
IPv6 addresses. IPv6 forwarding will be enabled if not used with
`--ip-forward=false`. This may collide with your host's current IPv6
settings. For more information please consult the documentation about
"Advanced Networking - IPv6".

**--isolation**="*default*"
Isolation specifies the type of isolation technology used by containers.
Note that the default on Windows server is `process`, and the default on
Windows client is `hyperv`. Linux only supports `default`.

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
Set the logging level. Default is `info`.

**--label**="[]"
Set key=value labels to the daemon (displayed in `docker info`).

**--live-restore**=*false*
Enable live restore of running containers when the daemon starts so that they
are not restarted. This option applies only to a Docker daemon running
on a Linux host.

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
Default driver for container logs. Default is `json-file`.
**Warning**: `docker logs` command works only for `json-file` logging driver.

**--log-opt**=[]
Logging driver specific options.

**--mtu**=*0*
Set the containers' network MTU. Default is `0`.

**--max-concurrent-downloads**=*3*
Set the max concurrent downloads for each pull. Default is `3`.

**--max-concurrent-uploads**=*5*
Set the max concurrent uploads for each push. Default is `5`.

**--node-generic-resources**=*[]*
Advertise user-defined resources. Default is `[]`.
Use this if your swarm cluster has some nodes with custom
resources (e.g., NVIDIA GPU, SSD, ...) and you need your services to land on
nodes advertising these resources.
Usage example: `--node-generic-resources "NVIDIA-GPU=UUID1" --node-generic-resources "NVIDIA-GPU=UUID2"`

**-p**, **--pidfile**=""
Path to use for daemon PID file. Default is `/var/run/docker.pid`.

**--raw-logs**
Output daemon logs in full timestamp format without ANSI coloring. If this
flag is not set, the daemon outputs condensed, colorized logs if a terminal
is detected, or full ("raw") output otherwise.

**--registry-mirror**=*<scheme>://<host>*
Prepend a registry mirror to be used for image pulls. May be specified
multiple times.

**-s**, **--storage-driver**=""
Force the Docker runtime to use a specific storage driver.

**--seccomp-profile**=""
Path to seccomp profile.

**--selinux-enabled**=*true*|*false*
Enable selinux support. Default is false.

**--shutdown-timeout**=*15*
Set the shutdown timeout value in seconds. Default is `15`.

**--storage-opt**=[]
Set storage driver options. See STORAGE DRIVER OPTIONS.

**--swarm-default-advertise-addr**=*IP|INTERFACE*
Set default address or interface for swarm to advertise as its
externally-reachable address to other cluster members. This can be a
hostname, an IP address, or an interface such as `eth0`. A port cannot be
specified with this option.

**--tls**=*true*|*false*
Use TLS; implied by --tlsverify.
Default is false.

**--tlscacert**=*~/.docker/ca.pem*
Trust certs signed only by this CA.

**--tlscert**=*~/.docker/cert.pem*
Path to TLS certificate file.

**--tlskey**=*~/.docker/key.pem*
Path to TLS key file.

**--tlsverify**=*true*|*false*
Use TLS and verify the remote (daemon: verify client, client: verify daemon).
Default is false.

**--userland-proxy**=*true*|*false*
Rely on a userland proxy implementation for inter-container and
outside-to-container loopback communications. Default is true.

**--userland-proxy-path**=""
Path to the userland proxy binary.

**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
Enable user namespaces for containers on the daemon. Specifying "default"
will cause a new user and group to be created to handle UID and GID range
remapping for the user namespace mappings used for contained processes.
Specifying a user (or uid) and optionally a group (or gid) will cause the
daemon to look up the user and group's subordinate ID ranges for use as the
user namespace mappings for contained processes.

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The
backends that currently take options are *devicemapper*, *zfs* and *btrfs*.
Options for *devicemapper* are prefixed with *dm*, options for *zfs*
start with *zfs* and options for *btrfs* start with *btrfs*.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use `lvm` to create a thin pool; for
more information see `man lvmthin`. Then, use
`--storage-opt dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

## Devicemapper options

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use `lvm`
to create and manage the thin-pool volume. This volume is then handed to Docker
to exclusively create snapshot volumes needed for images and containers.

Managing the thin-pool outside of Engine makes for the most feature-rich
method of having Docker utilize device mapper thin provisioning as the
backing storage for Docker containers. The highlights of the lvm-based
thin-pool management feature include: automatic or interactive thin-pool
resize support, dynamically changing thin-pool features, automatic thinp
metadata checking when lvm activates the thin-pool, etc.

As a fallback if no thin pool is provided, loopback files are
created. Loopback is very slow, but can be used without any
pre-configuration of storage. It is strongly recommended that you do
not use loopback in production. Ensure your Engine daemon has a
`--storage-opt dm.thinpooldev` argument provided.

Example use:

    $ dockerd \
      --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

#### dm.directlvm_device

As an alternative to manually creating a thin pool as above, Docker can
automatically configure a block device for you.

Example use:

    $ dockerd \
      --storage-opt dm.directlvm_device=/dev/xvdf

##### dm.thinp_percent

Sets the percentage of passed in block device to use for storage.

###### Example:

    $ sudo dockerd \
      --storage-opt dm.thinp_percent=95

##### `dm.thinp_metapercent`

Sets the percentage of the passed in block device to use for metadata storage.

###### Example:

    $ sudo dockerd \
      --storage-opt dm.thinp_metapercent=1

##### dm.thinp_autoextend_threshold

Sets the percentage of space used before `lvm` attempts to
autoextend the available space [100 = disabled]

###### Example:

    $ sudo dockerd \
      --storage-opt dm.thinp_autoextend_threshold=80

##### dm.thinp_autoextend_percent

Sets the percentage by which to increase the thin pool when `lvm`
attempts to autoextend the available space [100 = disabled]

###### Example:

    $ sudo dockerd \
      --storage-opt dm.thinp_autoextend_percent=20

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note,
thin devices are inherently "sparse", so a 10G device which is mostly
empty doesn't use 10 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

The base device size can be increased at daemon restart which will allow
all future images and containers (based on those new images) to be of the
new base device size.

Example use: `dockerd --storage-opt dm.basesize=50G`

This will increase the base device size to 50G. The Docker daemon will throw an
error if the existing base device size is larger than 50G. A user can use
this option to expand the base device size; however, shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images.
Typically, a change to this
value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Example use: `dockerd --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `dockerd --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `dockerd --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, a deferred removal is scheduled on the
device. The device automatically goes away when its last user
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a
busy device.

Example use: `dockerd --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver cannot
remove a device, the container deletion fails and the daemon returns:

`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when unintentional leaking of mount point happens across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the "data" device
which is used for the thin pool. The default size is 100G. The file is sparse,
so it will not initially take up this much space.

Example use: `dockerd --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be
used in production.

Specifies the size to use when creating the loopback file for the "metadata"
device which is used for the thin pool. The default size is 2G. The file is
sparse, so it will not initially take up this much space.

Example use: `dockerd --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for data for a Docker-managed thin pool.
It is better to use `dm.thinpooldev` - see the documentation for it above for
discussion of the advantages.

#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for metadata for a Docker-managed thin
pool.
See `dm.datadev` for why this is deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: `dockerd --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper devices.
This is disabled by default due to the additional latency, but as a special
case with loopback devices it will be enabled, in order to re-sparsify the
loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal times,
but it also prevents the space used in `/var/lib/docker` directory from being
returned to the system for other use when containers are removed.

Example use: `dockerd --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the `udev`
device manager for the Linux kernel. This option allows disabling that
synchronization, to continue even though the configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between the
`devicemapper` and `udev` during create and cleanup. The race condition results
in errors and failures.
(For information on these failures, see
[docker#4036](https://github.com/docker/docker/issues/4036))

To allow the `docker` daemon to start, regardless of whether `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

    $ dockerd --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you that
errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment that does
support synchronizing with `udev`. For further discussion on this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag for migrating existing Docker daemons to a daemon with
a supported environment.

#### dm.min_free_space

Specifies the minimum free space percentage in a thin pool required for new
device creation to succeed. This check applies to both free data space as well
as free metadata space. Valid values are from 0% - 99%. Value 0% disables
free space checking logic. If the user does not specify a value for this option,
the Engine uses a default value of 10%.

Whenever a new thin pool device is created (during `docker pull` or during
container creation), the Engine checks if the minimum free space is available.
If the space is unavailable, then device creation fails and any relevant
`docker` operation fails.

To recover from this error, you must create more free space in the thin pool.
You can create free space by deleting some images and
containers from the thin pool. You can also add more storage to the thin pool.

To add more space to an LVM (logical volume management) thin pool, just add
more storage to the volume group containing the thin pool; this should
automatically resolve any errors.
If your configuration uses loop devices, then stop the
Engine daemon, grow the size of loop files and restart the daemon to resolve
the issue.

Example use: `dockerd --storage-opt dm.min_free_space=10%`

#### dm.xfs_nospace_max_retries

Specifies the maximum number of retries XFS should attempt to complete IO when
an ENOSPC (no space) error is returned by the underlying storage device.

By default XFS retries infinitely for IO to finish and this can result in
an unkillable process. To change this behavior, set xfs_nospace_max_retries
to, say, 0; XFS will then not retry IO after getting ENOSPC and will shut down
the filesystem.

Example use:

    $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0

##### dm.libdm_log_level

Specifies the maximum libdm log level that will be forwarded to the dockerd
log (as specified by --log-level). This option is primarily intended for
debugging problems involving libdm. Using values other than the defaults may
cause false-positive warnings to be logged.

Values specified must fall within the range of valid libdm log levels. At the
time of writing, the following is the list of libdm log levels as well as their
corresponding levels when output by dockerd.

| libdm Level | Value | --log-level |
| ----------- | -----:| ----------- |
| _LOG_FATAL  |     2 | error       |
| _LOG_ERR    |     3 | error       |
| _LOG_WARN   |     4 | warn        |
| _LOG_NOTICE |     5 | info        |
| _LOG_INFO   |     6 | info        |
| _LOG_DEBUG  |     7 | debug       |

Example use:

    $ sudo dockerd \
      --log-level debug \
      --storage-opt dm.libdm_log_level=7

## ZFS options

#### zfs.fsname

Set zfs filesystem under which docker will create its own datasets. By default
docker will pick up the zfs filesystem where docker graph (`/var/lib/docker`)
is located.

Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`

## Btrfs options

#### btrfs.min_space

Specifies the minimum size to use when creating the subvolume which is used for
containers. If a user uses disk quota for btrfs when creating or running a
container with the **--storage-opt size** option, docker should ensure the
**size** cannot be smaller than **btrfs.min_space**.

Example use: `dockerd -s btrfs --storage-opt btrfs.min_space=10G`

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise the node within the cluster. Some Key/Value
backends support mutual TLS, and the client TLS settings used by the daemon can
be configured using the **--cluster-store-opt** flag, specifying the paths to
PEM encoded files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust.

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate. This
certificate is used as the client cert for communication with the Key/Value
store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key. This
private key is used as the client key for communication with the Key/Value
store.

# Access authorization

Docker's access authorization can be extended by authorization plugins that
your organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the
`--authorization-plugin=PLUGIN_ID` option.

```bash
dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
```

The `PLUGIN_ID` value is either the plugin's name or a path to its
specification file. The plugin's implementation determines whether you can
specify a name or path.
Consult with your Docker administrator to get
information about the plugins available to you.

Once a plugin is installed, requests made to the `daemon` through the
command line or Docker's Engine API are allowed or denied by the plugin.
If you have multiple plugins installed, each plugin, in order, must
allow the request for it to complete.

For information about how to create an authorization plugin, see the
[authorization plugin](https://docs.docker.com/engine/extend/authorization/)
section in the Docker extend section of this documentation.

# RUNTIME EXECUTION OPTIONS

You can configure the runtime using options specified with the `--exec-opt` flag.
All the flag's options have the `native` prefix. A single `native.cgroupdriver`
option is available.

The `native.cgroupdriver` option specifies the management of the container's
cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
`systemd` and it is not available, the system errors out. If you omit the
`native.cgroupdriver` option, `cgroupfs` is used.

This example sets the `cgroupdriver` to `systemd`:

```bash
$ sudo dockerd --exec-opt native.cgroupdriver=systemd
```

Setting this option applies to all containers the daemon launches.

# HISTORY
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
based on docker.com source material and internal work.
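
Several options documented above change how exposed the daemon is: `-H tcp://...` without `--tlsverify`, `--insecure-registry`, `--api-cors-header="*"`, `--icc`, `--userns-remap`, and devicemapper without a thin pool (loopback). The following Python audit of a `dockerd` command line is an added example, not part of the original man page or the Docker project. The check names, severities, sample command lines, and the rule that the last value of a repeated boolean flag is used are assumptions of this example.

```python
import shlex

# Short options from the SYNOPSIS, mapped to their long names.
ALIASES = {"-H": "--host", "-s": "--storage-driver", "-D": "--debug",
           "-b": "--bridge", "-G": "--group", "-l": "--log-level",
           "-p": "--pidfile"}
# Options the man page documents as true|false switches; bare use means true.
BOOL_FLAGS = {"--debug", "--experimental", "--help", "--icc", "--init",
              "--ip-forward", "--ip-masq", "--iptables", "--ipv6",
              "--live-restore", "--raw-logs", "--selinux-enabled", "--tls",
              "--tlsverify", "--userland-proxy"}
# Storage options that give devicemapper a real block device (no loopback).
DM_DEVICE_OPTS = {"dm.thinpooldev", "dm.directlvm_device", "dm.datadev"}

# Constructed sample command lines (not taken from any real host).
WEAK = ('sudo dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 '
        '--insecure-registry 10.0.0.0/8 --api-cors-header="*" -s devicemapper')
HARDENED = ('dockerd -H unix:///var/run/docker.sock -H tcp://192.0.2.10:2376 '
            '--tlsverify --tlscacert=/etc/docker/ca.pem '
            '--tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem '
            '--icc=false --userns-remap=default -s devicemapper '
            '--storage-opt dm.thinpooldev=/dev/mapper/thin-pool')


def parse_dockerd_args(cmdline):
    """Return {long_flag: [values, ...]} for a dockerd command line string."""
    tokens = shlex.split(cmdline)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-"):
            continue  # "sudo", "dockerd", or a stray positional argument
        name, has_eq, value = tok.partition("=")
        name = ALIASES.get(name, name)
        if not has_eq:
            if name in BOOL_FLAGS:
                value = "true"          # bare switch, e.g. --tlsverify
            elif i < len(tokens):
                value, i = tokens[i], i + 1  # "--flag value" form
        opts.setdefault(name, []).append(value)
    return opts


def _enabled(values, default):
    """Boolean value of a switch; the last occurrence is used (assumption)."""
    if not values:
        return default
    return values[-1].strip().lower() in ("1", "t", "true")


def audit(cmdline):
    """Return a list of (severity, check_id, message) findings."""
    o = parse_dockerd_args(cmdline)
    findings = []
    tcp_hosts = [h for h in o.get("--host", []) if h.startswith("tcp://")]
    # --tls alone encrypts; only --tlsverify makes the daemon verify clients.
    if tcp_hosts and not _enabled(o.get("--tlsverify"), False):
        findings.append(("HIGH", "tcp-without-tlsverify",
                         "API bound to %s without --tlsverify; clients are "
                         "not verified" % ", ".join(tcp_hosts)))
    for reg in o.get("--insecure-registry", []):
        findings.append(("HIGH", "insecure-registry",
                         "%s may be reached over HTTP or with a certificate "
                         "from an unknown CA" % reg))
    if any(v.strip() == "*" for v in o.get("--api-cors-header", [])):
        findings.append(("MEDIUM", "cors-wildcard",
                         "Engine API CORS header allows all origins"))
    if _enabled(o.get("--icc"), True):  # man page: default is true
        findings.append(("LOW", "icc-enabled",
                         "inter-container communication is unrestricted"))
    if not o.get("--userns-remap"):
        findings.append(("LOW", "no-userns-remap",
                         "user namespaces are not enabled for containers"))
    storage_keys = {v.partition("=")[0] for v in o.get("--storage-opt", [])}
    if ("devicemapper" in o.get("--storage-driver", [])
            and not storage_keys & DM_DEVICE_OPTS):
        findings.append(("MEDIUM", "devicemapper-loopback",
                         "no thin pool or block device given; devicemapper "
                         "falls back to loopback files"))
    return findings


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for sev, check, msg in audit(cmd):
            print("  [%s] %s: %s" % (sev, check, msg))
```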