github.com/docker/docker-ce@v17.12.1-ce-rc2+incompatible/components/cli/man/dockerd.8.md

     1  % DOCKER(8) Docker User Manuals
     2  % Shishir Mahajan
     3  % SEPTEMBER 2015
     4  # NAME
     5  dockerd - Enable daemon mode
     6  
     7  # SYNOPSIS
     8  **dockerd**
     9  [**--add-runtime**[=*[]*]]
    10  [**--allow-nondistributable-artifacts**[=*[]*]]
    11  [**--api-cors-header**[=*API-CORS-HEADER*]]
    12  [**--authorization-plugin**[=*[]*]]
    13  [**-b**|**--bridge**[=*BRIDGE*]]
    14  [**--bip**[=*BIP*]]
    15  [**--cgroup-parent**[=*[]*]]
    16  [**--cluster-store**[=*[]*]]
    17  [**--cluster-advertise**[=*[]*]]
    18  [**--cluster-store-opt**[=*map[]*]]
    19  [**--config-file**[=*/etc/docker/daemon.json*]]
    20  [**--containerd**[=*SOCKET-PATH*]]
    21  [**--data-root**[=*/var/lib/docker*]]
    22  [**-D**|**--debug**]
    23  [**--default-gateway**[=*DEFAULT-GATEWAY*]]
    24  [**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
    25  [**--default-runtime**[=*runc*]]
    26  [**--default-ipc-mode**=*MODE*]
    27  [**--default-shm-size**[=*64MiB*]]
    28  [**--default-ulimit**[=*[]*]]
    29  [**--dns**[=*[]*]]
    30  [**--dns-opt**[=*[]*]]
    31  [**--dns-search**[=*[]*]]
    32  [**--exec-opt**[=*[]*]]
    33  [**--exec-root**[=*/var/run/docker*]]
    34  [**--experimental**[=*false*]]
    35  [**--fixed-cidr**[=*FIXED-CIDR*]]
    36  [**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
    37  [**-G**|**--group**[=*docker*]]
    38  [**-H**|**--host**[=*[]*]]
    39  [**--help**]
    40  [**--icc**[=*true*]]
    41  [**--init**[=*false*]]
    42  [**--init-path**[=*""*]]
    43  [**--insecure-registry**[=*[]*]]
    44  [**--ip**[=*0.0.0.0*]]
    45  [**--ip-forward**[=*true*]]
    46  [**--ip-masq**[=*true*]]
    47  [**--iptables**[=*true*]]
    48  [**--ipv6**]
    49  [**--isolation**[=*default*]]
    50  [**-l**|**--log-level**[=*info*]]
    51  [**--label**[=*[]*]]
    52  [**--live-restore**[=*false*]]
    53  [**--log-driver**[=*json-file*]]
    54  [**--log-opt**[=*map[]*]]
    55  [**--mtu**[=*0*]]
    56  [**--max-concurrent-downloads**[=*3*]]
    57  [**--max-concurrent-uploads**[=*5*]]
    58  [**--node-generic-resources**[=*[]*]]
    59  [**-p**|**--pidfile**[=*/var/run/docker.pid*]]
    60  [**--raw-logs**]
    61  [**--registry-mirror**[=*[]*]]
    62  [**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
    63  [**--seccomp-profile**[=*SECCOMP-PROFILE-PATH*]]
    64  [**--selinux-enabled**]
    65  [**--shutdown-timeout**[=*15*]]
    66  [**--storage-opt**[=*[]*]]
    67  [**--swarm-default-advertise-addr**[=*IP|INTERFACE*]]
    68  [**--tls**]
    69  [**--tlscacert**[=*~/.docker/ca.pem*]]
    70  [**--tlscert**[=*~/.docker/cert.pem*]]
    71  [**--tlskey**[=*~/.docker/key.pem*]]
    72  [**--tlsverify**]
    73  [**--userland-proxy**[=*true*]]
    74  [**--userland-proxy-path**[=*""*]]
    75  [**--userns-remap**[=*default*]]
    76  
    77  # DESCRIPTION
    78  **dockerd** starts the Docker daemon (i.e., the process you command to manage
    79  images, containers, etc.). **dockerd** therefore runs as a server, in daemon mode.
    80  
    81  To run the Docker daemon, invoke **dockerd**.
    82  You can check the daemon options using **dockerd --help**.
    83  Daemon options should be specified after the **dockerd** keyword in the
    84  following format.
    85  
    86  **dockerd [OPTIONS]**
    87  
    88  # OPTIONS
    89  
    90  **--add-runtime**=[]
    91    Runtimes can be registered with the daemon either via the
    92  configuration file or using the `--add-runtime` command line argument.
    93  
    94    The following is an example adding 2 runtimes via the configuration:
    95  
    96  ```json
    97  {
    98  	"default-runtime": "runc",
    99  	"runtimes": {
   100  		"runc": {
   101  			"path": "runc"
   102  		},
   103  		"custom": {
   104  			"path": "/usr/local/bin/my-runc-replacement",
   105  			"runtimeArgs": [
   106  				"--debug"
   107  			]
   108  		}
   109  	}
   110  }
   111  ```
   112  
   113    This is the same example via the command line:
   114  
   115  ```bash
   116  $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
   117  ```
   118  
   119    **Note**: defining runtime arguments via the command line is not supported.
   120  
   121  **--allow-nondistributable-artifacts**=[]
   122    Push nondistributable artifacts to the specified registries.
   123  
   124    List can contain elements with CIDR notation to specify a whole subnet.
   125  
   126    This option is useful when pushing images containing nondistributable
   127    artifacts to a registry on an air-gapped network so hosts on that network can
   128    pull the images without connecting to another server.
   129  
   130    **Warning**: Nondistributable artifacts typically have restrictions on how
   131    and where they can be distributed and shared. Only use this feature to push
   132    artifacts to private registries and ensure that you are in compliance with
   133    any terms that cover redistributing nondistributable artifacts.
   134  
   135  **--api-cors-header**=""
   136    Set CORS headers in the Engine API. CORS is disabled by default. Give URLs
   137    like "http://foo, http://bar, ...". Give "*" to allow all origins.
   138  
   139  **--authorization-plugin**=""
   140    Set authorization plugins to load
   141  
   142  **-b**, **--bridge**=""
   143    Attach containers to a pre\-existing network bridge; use 'none' to disable
   144    container networking
   145  
   146  **--bip**=""
   147    Use the provided CIDR notation address for the dynamically created bridge
   148    (docker0); mutually exclusive with \-b
   149  
   150  **--cgroup-parent**=""
   151    Set parent cgroup for all containers. Default is "/docker" for fs cgroup
   152    driver and "system.slice" for systemd cgroup driver.
   153  
   154  **--cluster-store**=""
   155    URL of the distributed storage backend
   156  
   157  **--cluster-advertise**=""
   158    Specifies the `host:port` or `interface:port` combination that this
   159    particular daemon instance should use when advertising itself to the cluster.
   160    The daemon is reached through this value.
   161  
   162  **--cluster-store-opt**=""
   163    Specifies options for the Key/Value store.
   164  
   165  **--config-file**="/etc/docker/daemon.json"
   166    Specifies the JSON file path to load the configuration from.
   167  
   168  **--containerd**=""
   169    Path to containerd socket.
   170  
   171  **--data-root**=""
   172    Path to the directory used to store persisted Docker data such as
   173    configuration for resources, swarm cluster state, and filesystem data for
   174    images, containers, and local volumes. Default is `/var/lib/docker`.
   175  
   176  **-D**, **--debug**=*true*|*false*
   177    Enable debug mode. Default is false.
   178  
   179  **--default-gateway**=""
   180    IPv4 address of the container default gateway; this address must be part of
   181    the bridge subnet (which is defined by \-b or \--bip)
   182  
   183  **--default-gateway-v6**=""
   184    IPv6 address of the container default gateway
   185  
   186  **--default-runtime**="runc"
   187    Set the default runtime if more than one is specified by `--add-runtime`.
   188  
   189  **--default-ipc-mode**="**private**|**shareable**"
   190    Set the default IPC mode for newly created containers. The argument
   191    can either be **private** or **shareable**.
   192  
   193  **--default-shm-size**=*64MiB*
   194    Set the daemon-wide default shm size for containers. Default is `64MiB`.
   195  
   196  **--default-ulimit**=[]
   197    Default ulimits for containers.
   198  
   199  **--dns**=""
   200    Force Docker to use specific DNS servers
   201  
   202  **--dns-opt**=""
   203    DNS options to use.
   204  
   205  **--dns-search**=[]
   206    DNS search domains to use.
   207  
   208  **--exec-opt**=[]
   209    Set runtime execution options. See RUNTIME EXECUTION OPTIONS.
   210  
   211  **--exec-root**=""
   212    Path to use as the root of the Docker execution state files. Default is
   213    `/var/run/docker`.
   214  
   215  **--experimental**=""
   216    Enable the daemon experimental features.
   217  
   218  **--fixed-cidr**=""
   219    IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in
   220    the bridge subnet (which is defined by \-b or \-\-bip).
   221  
   222  **--fixed-cidr-v6**=""
   223    IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)
   224  
   225  **-G**, **--group**=""
   226    Group to assign the unix socket specified by -H when running in daemon mode.
   227    Use '' (the empty string) to disable setting of a group. Default is `docker`.
   228  
   229  **-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
   230  unix://[/path/to/socket] to use.
   231    The socket(s) to bind to in daemon mode specified using one or more
   232    tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
   233  
   234  **--help**
   235    Print usage statement
   236  
   237  **--icc**=*true*|*false*
   238    Allow unrestricted inter\-container and Docker daemon host communication. If
   239    disabled, containers can still be linked together using the **--link** option
   240    (see **docker-run(1)**). Default is true.
   241  
   242  **--init**
   243    Run an init process inside containers for signal forwarding and process
   244    reaping.
   245  
   246  **--init-path**
   247    Path to the docker-init binary.
   248  
   249  **--insecure-registry**=[]
   250    Enable insecure registry communication, i.e., enable un-encrypted and/or
   251    untrusted communication.
   252  
   253    List of insecure registries can contain an element with CIDR notation to
   254    specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS
   255    with certificates from unknown CAs.
   256  
   257    Enabling `--insecure-registry` is useful when running a local registry.
   258    However, because its use creates security vulnerabilities it should ONLY be
   259    enabled for testing purposes.  For increased security, users should add their
   260    CA to their system's list of trusted CAs instead of using
   261    `--insecure-registry`.
   262  
   263  **--ip**=""
   264    Default IP address to use when binding container ports. Default is `0.0.0.0`.
   265  
   266  **--ip-forward**=*true*|*false*
   267    Enables IP forwarding on the Docker host. The default is `true`. This flag
   268    interacts with the IP forwarding setting on your host system's kernel. If
   269    your system has IP forwarding disabled, this setting enables it. If your
   270    system has IP forwarding enabled, setting this flag to `--ip-forward=false`
   271    has no effect.
   272  
   273    This setting will also enable IPv6 forwarding if you have both
   274    `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject
   275    Router Advertisements and interfere with the host's existing IPv6
   276    configuration. For more information, please consult the documentation about
   277    "Advanced Networking - IPv6".
   278  
   279  **--ip-masq**=*true*|*false*
   280    Enable IP masquerading for bridge's IP range. Default is true.
   281  
   282  **--iptables**=*true*|*false*
   283    Enable Docker's addition of iptables rules. Default is true.
   284  
   285  **--ipv6**=*true*|*false*
   286    Enable IPv6 support. Default is false. Docker will create an IPv6-enabled
   287    bridge with address fe80::1 which will allow you to create IPv6-enabled
   288    containers. Use together with `--fixed-cidr-v6` to provide globally routable
   289    IPv6 addresses. IPv6 forwarding will be enabled if not used with
   290    `--ip-forward=false`. This may collide with your host's current IPv6
   291    settings. For more information please consult the documentation about
   292    "Advanced Networking - IPv6".
   293  
   294  **--isolation**="*default*"
   295     Isolation specifies the type of isolation technology used by containers.
   296     Note that the default on Windows server is `process`, and the default on
   297     Windows client is `hyperv`. Linux only supports `default`.
   298  
   299  **-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
   300    Set the logging level. Default is `info`.
   301  
   302  **--label**="[]"
   303    Set key=value labels on the daemon (displayed in `docker info`)
   304  
   305  **--live-restore**=*false*
   306    Enable live restore of running containers when the daemon starts so that they
   307    are not restarted. This option applies only to a Docker daemon running on a
   308    Linux host.
   309  
   310  **--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
   311    Default driver for container logs. Default is `json-file`.
   312    **Warning**: `docker logs` command works only for `json-file` logging driver.
   313  
   314  **--log-opt**=[]
   315    Logging driver specific options.
   316  
   317  **--mtu**=*0*
   318    Set the containers' network MTU. Default is `0`.
   319  
   320  **--max-concurrent-downloads**=*3*
   321    Set the max concurrent downloads for each pull. Default is `3`.
   322  
   323  **--max-concurrent-uploads**=*5*
   324    Set the max concurrent uploads for each push. Default is `5`.
   325  
   326  **--node-generic-resources**=*[]*
   327    Advertise user-defined resources. Default is `[]`.
   328    Use this if your swarm cluster has some nodes with custom
   329    resources (e.g., NVIDIA GPU, SSD, ...) and you need your services to land on
   330    nodes advertising these resources.
   331    Usage example: `--node-generic-resources "NVIDIA-GPU=UUID1"
   332    --node-generic-resources "NVIDIA-GPU=UUID2"`
   333  
   334  
   335  **-p**, **--pidfile**=""
   336    Path to use for daemon PID file. Default is `/var/run/docker.pid`
   337  
   338  **--raw-logs**
   339    Output daemon logs in full timestamp format without ANSI coloring. If this
   340    flag is not set, the daemon outputs condensed, colorized logs if a terminal
   341    is detected, or full ("raw") output otherwise.
   342  
   343  **--registry-mirror**=*<scheme>://<host>*
   344    Prepend a registry mirror to be used for image pulls. May be specified
   345    multiple times.
   346  
   347  **-s**, **--storage-driver**=""
   348    Force the Docker runtime to use a specific storage driver.
   349  
   350  **--seccomp-profile**=""
   351    Path to seccomp profile.
   352  
   353  **--selinux-enabled**=*true*|*false*
   354    Enable SELinux support. Default is false.
   355  
   356  **--shutdown-timeout**=*15*
   357    Set the shutdown timeout value in seconds. Default is `15`.
   358  
   359  **--storage-opt**=[]
   360    Set storage driver options. See STORAGE DRIVER OPTIONS.
   361  
   362  **--swarm-default-advertise-addr**=*IP|INTERFACE*
   363    Set default address or interface for swarm to advertise as its
   364    externally-reachable address to other cluster members. This can be a
   365    hostname, an IP address, or an interface such as `eth0`. A port cannot be
   366    specified with this option.
   367  
   368  **--tls**=*true*|*false*
   369    Use TLS; implied by --tlsverify. Default is false.
   370  
   371  **--tlscacert**=*~/.docker/ca.pem*
   372    Trust only certs signed by this CA.
   373  
   374  **--tlscert**=*~/.docker/cert.pem*
   375    Path to TLS certificate file.
   376  
   377  **--tlskey**=*~/.docker/key.pem*
   378    Path to TLS key file.
   379  
   380  **--tlsverify**=*true*|*false*
   381    Use TLS and verify the remote (daemon: verify client, client: verify daemon).
   382    Default is false.
   383  
   384  **--userland-proxy**=*true*|*false*
   385    Rely on a userland proxy implementation for inter-container and
   386    outside-to-container loopback communications. Default is true.
   387  
   388  **--userland-proxy-path**=""
   389    Path to the userland proxy binary.
   390  
   391  **--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
   392    Enable user namespaces for containers on the daemon. Specifying "default"
   393    will cause a new user and group to be created to handle UID and GID range
   394    remapping for the user namespace mappings used for contained processes.
   395    Specifying a user (or uid) and optionally a group (or gid) will cause the
   396    daemon to look up the user and group's subordinate ID ranges for use as the
   397    user namespace mappings for contained processes.
   398  
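The exposure-related options above (`-H` together with the TLS flags, `--insecure-registry`, `--api-cors-header`, `--icc`, `--userns-remap`) can be checked mechanically in a `daemon.json`. The following Python check is an added example, not part of the Docker manual or code base; it assumes the configuration-file keys `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `insecure-registries`, `api-cors-header`, `icc` and `userns-remap`, and the severity labels and both sample configurations are constructed for illustration.

```python
import json

# Constructed sample configurations, not taken from any real host.
WEAK_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["10.0.0.0/8"],
  "api-cors-header": "*"
}"""

HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.1.2.3:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/cert.pem",
  "tlskey": "/etc/docker/key.pem",
  "icc": false,
  "userns-remap": "default"
}"""

# Severity labels are this example's own ranking (an assumption), not Docker's.
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def audit_daemon_config(text):
    """Return (severity, key, message) findings, most severe first."""
    cfg = json.loads(text)
    findings = []

    # -H/--host: on a tcp:// socket, clients are verified only with tlsverify.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        if cfg.get("tls", False):
            findings.append(("high", "tls",
                             "TLS without tlsverify encrypts %s but does not "
                             "verify clients" % ", ".join(tcp_hosts)))
        else:
            findings.append(("high", "hosts",
                             "%s listens without TLS" % ", ".join(tcp_hosts)))
    elif tcp_hosts:
        # Without explicit paths the ~/.docker/*.pem defaults apply.
        missing = [k for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
        if missing:
            findings.append(("info", "tlsverify",
                             "relies on default paths for: " + ", ".join(missing)))

    # --insecure-registry: HTTP, or HTTPS with unknown CAs; testing only.
    registries = cfg.get("insecure-registries", [])
    if registries:
        findings.append(("medium", "insecure-registries",
                         "unencrypted/untrusted registry access for: "
                         + ", ".join(registries)))

    # --api-cors-header: "*" allows every origin.
    origins = [o.strip() for o in cfg.get("api-cors-header", "").split(",")]
    if "*" in origins:
        findings.append(("medium", "api-cors-header", "CORS allows all origins"))

    # --icc defaults to true (unrestricted inter-container communication).
    if cfg.get("icc", True):
        findings.append(("info", "icc",
                         "inter-container communication is unrestricted"))

    # --userns-remap is off unless a value is given.
    if not cfg.get("userns-remap"):
        findings.append(("info", "userns-remap",
                         "user namespace remapping is not enabled"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, key, message in audit_daemon_config(text):
            print("  [%s] %s: %s" % (severity, key, message))
```
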
   399  # STORAGE DRIVER OPTIONS
   400  
   401  Docker uses storage backends (known as "graphdrivers" in the Docker
   402  internals) to create writable containers from images.  Many of these
   403  backends use operating system level technologies and can be
   404  configured.
   405  
   406  Specify options to the storage backend with **--storage-opt** flags. The
   407  backends that currently take options are *devicemapper*, *zfs* and *btrfs*.
   408  Options for *devicemapper* are prefixed with *dm*, options for *zfs*
   409  start with *zfs* and options for *btrfs* start with *btrfs*.
   410  
   411  Specifically for devicemapper, the default is a "loopback" model which
   412  requires no pre-configuration, but is extremely inefficient.  Do not
   413  use it in production.
   414  
   415  To make the best use of Docker with the devicemapper backend, you must
   416  have a recent version of LVM.  Use `lvm` to create a thin pool; for
   417  more information see `man lvmthin`.  Then, use `--storage-opt
   418  dm.thinpooldev` to tell the Docker engine to use that pool for
   419  allocating images and container snapshots.
   420  
   421  ## Devicemapper options
   422  
   423  #### dm.thinpooldev
   424  
   425  Specifies a custom block storage device to use for the thin pool.
   426  
   427  If using a block device for device mapper storage, it is best to use `lvm`
   428  to create and manage the thin-pool volume. This volume is then handed to Docker
   429  to exclusively create snapshot volumes needed for images and containers.
   430  
   431  Managing the thin-pool outside of Engine makes for the most feature-rich
   432  method of having Docker utilize device mapper thin provisioning as the
   433  backing storage for Docker containers. The highlights of the lvm-based
   434  thin-pool management feature include: automatic or interactive thin-pool
   435  resize support, dynamically changing thin-pool features, automatic thinp
   436  metadata checking when lvm activates the thin-pool, etc.
   437  
   438  As a fallback if no thin pool is provided, loopback files are
   439  created. Loopback is very slow, but can be used without any
   440  pre-configuration of storage. It is strongly recommended that you do
   441  not use loopback in production. Ensure your Engine daemon has a
   442  `--storage-opt dm.thinpooldev` argument provided.
   443  
   444  Example use:
   445  
   446     $ dockerd \
   447           --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
   448  
   449  #### dm.directlvm_device
   450  
   451  As an alternative to manually creating a thin pool as above, Docker can
   452  automatically configure a block device for you.
   453  
   454  Example use:
   455  
   456     $ dockerd \
   457           --storage-opt dm.directlvm_device=/dev/xvdf
   458  
   459  ##### dm.thinp_percent
   460  
   461  Sets the percentage of the passed-in block device to use for storage.
   462  
   463  ###### Example:
   464  
   465     $ sudo dockerd \
   466          --storage-opt dm.thinp_percent=95
   467  
   468  ##### `dm.thinp_metapercent`
   469  
   470  Sets the percentage of the passed-in block device to use for metadata storage.
   471  
   472  ###### Example:
   473  
   474     $ sudo dockerd \
   475           --storage-opt dm.thinp_metapercent=1
   476  
   477  ##### dm.thinp_autoextend_threshold
   478  
   479  Sets the percentage of space used before `lvm` attempts to
   480  autoextend the available space [100 = disabled]
   481  
   482  ###### Example:
   483  
   484     $ sudo dockerd \
   485           --storage-opt dm.thinp_autoextend_threshold=80
   486  
   487  ##### dm.thinp_autoextend_percent
   488  
   489  Sets the percentage by which to increase the thin pool when `lvm`
   490  attempts to autoextend the available space [100 = disabled]
   491  
   492  ###### Example:
   493  
   494     $ sudo dockerd \
   495           --storage-opt dm.thinp_autoextend_percent=20
   496  
   497  #### dm.basesize
   498  
   499  Specifies the size to use when creating the base device, which limits
   500  the size of images and containers. The default value is 10G. Note,
   501  thin devices are inherently "sparse", so a 10G device which is mostly
   502  empty doesn't use 10 GB of space on the pool. However, the filesystem
   503  will use more space for base images the larger the device
   504  is.
   505  
   506  The base device size can be increased at daemon restart which will allow
   507  all future images and containers (based on those new images) to be of the
   508  new base device size.
   509  
   510  Example use: `dockerd --storage-opt dm.basesize=50G`
   511  
   512  This will increase the base device size to 50G. The Docker daemon will throw an
   513  error if the existing base device size is larger than 50G. A user can use this
   514  option to expand the base device size; however, shrinking is not permitted.
   515  
   516  This value affects the system-wide "base" empty filesystem that may already be initialized and
   517  inherited by pulled images. Typically, a change to this value requires additional steps to take
   518  effect; they remove `/var/lib/docker`, deleting all existing images, containers, and local volumes:
   519  
   520          $ sudo service docker stop
   521          $ sudo rm -rf /var/lib/docker
   522          $ sudo service docker start
   523  
   524  Example use: `dockerd --storage-opt dm.basesize=20G`
   525  
   526  #### dm.fs
   527  
   528  Specifies the filesystem type to use for the base device. The
   529  supported options are `ext4` and `xfs`. The default is `ext4`.
   530  
   531  Example use: `dockerd --storage-opt dm.fs=xfs`
   532  
   533  #### dm.mkfsarg
   534  
   535  Specifies extra mkfs arguments to be used when creating the base device.
   536  
   537  Example use: `dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"`
   538  
   539  #### dm.mountopt
   540  
   541  Specifies extra mount options used when mounting the thin devices.
   542  
   543  Example use: `dockerd --storage-opt dm.mountopt=nodiscard`
   544  
   545  #### dm.use_deferred_removal
   546  
   547  Enables use of deferred device removal if `libdm` and the kernel driver
   548  support the mechanism.
   549  
   550  Deferred device removal means that if a device is busy when devices are
   551  being removed/deactivated, then a deferred removal is scheduled on the
   552  device. The device then goes away automatically when its last user
   553  exits.
   554  
   555  For example, when a container exits, its associated thin device is removed. If
   556  that device has leaked into some other mount namespace and can't be removed,
   557  the container exit still succeeds and this option causes the system to schedule
   558  the device for deferred removal. It does not wait in a loop trying to remove a
   559  busy device.
   560  
   561  Example use: `dockerd --storage-opt dm.use_deferred_removal=true`
   562  
   563  #### dm.use_deferred_deletion
   564  
   565  Enables use of deferred device deletion for thin pool devices. By default,
   566  thin pool device deletion is synchronous. Before a container is deleted, the
   567  Docker daemon removes any associated devices. If the storage driver cannot
   568  remove a device, the container deletion fails and the daemon returns:
   569  
   570  `Error deleting container: Error response from daemon: Cannot destroy container`
   571  
   572  To avoid this failure, enable both deferred device deletion and deferred
   573  device removal on the daemon.
   574  
   575  `dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`
   576  
   577  With these two options enabled, if a device is busy when the driver is
   578  deleting a container, the driver marks the device as deleted. Later, when the
   579  device isn't in use, the driver deletes it.
   580  
   581  In general it should be safe to enable this option by default. It will help
   582  when mount points unintentionally leak across multiple mount
   583  namespaces.
   584  
   585  #### dm.loopdatasize
   586  
   587  **Note**: This option configures devicemapper loopback, which should not be
   588  used in production.
   589  
   590  Specifies the size to use when creating the loopback file for the "data" device
   591  which is used for the thin pool. The default size is 100G. The file is sparse,
   592  so it will not initially take up this much space.
   593  
   594  Example use: `dockerd --storage-opt dm.loopdatasize=200G`
   595  
   596  #### dm.loopmetadatasize
   597  
   598  **Note**: This option configures devicemapper loopback, which should not be
   599  used in production.
   600  
   601  Specifies the size to use when creating the loopback file for the "metadata"
   602  device which is used for the thin pool. The default size is 2G. The file is
   603  sparse, so it will not initially take up this much space.
   604  
   605  Example use: `dockerd --storage-opt dm.loopmetadatasize=4G`
   606  
   607  #### dm.datadev
   608  
   609  (Deprecated, use `dm.thinpooldev`)
   610  
   611  Specifies a custom block device to use for data for a Docker-managed thin pool.
   612  It is better to use `dm.thinpooldev` - see the documentation for it above for
   613  discussion of the advantages.
   614  
   615  #### dm.metadatadev
   616  
   617  (Deprecated, use `dm.thinpooldev`)
   618  
   619  Specifies a custom block device to use for metadata for a Docker-managed thin
   620  pool.  See `dm.datadev` for why this is deprecated.
   621  
   622  #### dm.blocksize
   623  
   624  Specifies a custom blocksize to use for the thin pool.  The default
   625  blocksize is 64K.
   626  
   627  Example use: `dockerd --storage-opt dm.blocksize=512K`
   628  
   629  #### dm.blkdiscard
   630  
   631  Enables or disables the use of `blkdiscard` when removing devicemapper devices.
   632  This is disabled by default due to the additional latency, but as a special
   633  case with loopback devices it will be enabled, in order to re-sparsify the
   634  loopback file on image/container removal.
   635  
   636  Disabling this on loopback can lead to *much* faster container removal times,
   637  but it also prevents the space used in `/var/lib/docker` directory from being
   638  returned to the system for other use when containers are removed.
   639  
   640  Example use: `dockerd --storage-opt dm.blkdiscard=false`
   641  
   642  #### dm.override_udev_sync_check
   643  
   644  By default, the devicemapper backend attempts to synchronize with the `udev`
   645  device manager for the Linux kernel.  This option allows disabling that
   646  synchronization, to continue even though the configuration may be buggy.
   647  
   648  To view the `udev` sync support of a Docker daemon that is using the
   649  `devicemapper` driver, run:
   650  
   651          $ docker info
   652          [...]
   653           Udev Sync Supported: true
   654          [...]
   655  
   656  When `udev` sync support is `true`, then `devicemapper` and `udev` can
   657  coordinate the activation and deactivation of devices for containers.
   658  
   659  When `udev` sync support is `false`, a race condition occurs between the
   660  `devicemapper` and `udev` during create and cleanup. The race condition results
   661  in errors and failures. (For information on these failures, see
   662  [docker#4036](https://github.com/docker/docker/issues/4036))
   663  
   664  To allow the `docker` daemon to start, regardless of whether `udev` sync is
   665  `false`, set `dm.override_udev_sync_check` to true:
   666  
   667          $ dockerd --storage-opt dm.override_udev_sync_check=true
   668  
   669  When this value is `true`, the driver continues and simply warns you that
   670  errors are happening.
   671  
   672  **Note**: The ideal is to pursue a `docker` daemon and environment that does
   673  support synchronizing with `udev`. For further discussion on this topic, see
   674  [docker#4036](https://github.com/docker/docker/issues/4036).
   675  Otherwise, set this flag for migrating existing Docker daemons to a daemon with
   676  a supported environment.
   677  
   678  #### dm.min_free_space
   679  
   680  Specifies the minimum free space percentage in a thin pool required for new
   681  device creation to succeed. This check applies to both free data space as well
   682  as free metadata space. Valid values are from 0% - 99%. Value 0% disables
   683  free space checking logic. If the user does not specify a value for this option,
   684  the Engine uses a default value of 10%.
   685  
   686  Whenever a new thin pool device is created (during `docker pull` or during
   687  container creation), the Engine checks if the minimum free space is available.
   688  If the space is unavailable, then device creation fails and any relevant
   689  `docker` operation fails.
   690  
   691  To recover from this error, you must create more free space in the thin pool.
   692  You can create free space by deleting some images and containers from the thin
   693  pool. You can also add more storage to the thin pool.
   694  
   695  To add more space to an LVM (logical volume management) thin pool, just add
   696  more storage to the volume group containing the thin pool; this should
   697  automatically resolve any errors. If your configuration uses loop devices, then
   698  stop the Engine daemon, grow the size of loop files and restart the daemon to
   699  resolve the issue.
   700  
   701  Example use: `dockerd --storage-opt dm.min_free_space=10%`
   702  
   703  #### dm.xfs_nospace_max_retries
   704  
   705  Specifies the maximum number of retries XFS should attempt to complete IO when
   706  an ENOSPC (no space) error is returned by the underlying storage device.
   707  
   708  By default XFS retries infinitely for IO to finish, and this can result in an
   709  unkillable process. To change this behavior, set xfs_nospace_max_retries
   710  to, say, 0; XFS will then not retry IO after getting ENOSPC and will shut down
   711  the filesystem.
   712  
   713  Example use:
   714  
   715      $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
   716  
   717  ##### dm.libdm_log_level
   718  
   719  Specifies the maximum libdm log level that will be forwarded to the dockerd
   720  log (as specified by --log-level). This option is primarily intended for
   721  debugging problems involving libdm. Using values other than the defaults may
   722  cause false-positive warnings to be logged.
   723  
   724  Values specified must fall within the range of valid libdm log levels. At the
   725  time of writing, the following is the list of libdm log levels as well as their
   726  corresponding levels when output by dockerd.
   727  
   728  | libdm Level | Value | --log-level |
   729  | ----------- | -----:| ----------- |
   730  | _LOG_FATAL  |     2 | error       |
   731  | _LOG_ERR    |     3 | error       |
   732  | _LOG_WARN   |     4 | warn        |
   733  | _LOG_NOTICE |     5 | info        |
   734  | _LOG_INFO   |     6 | info        |
   735  | _LOG_DEBUG  |     7 | debug       |
   736  
   737  Example use:
   738  
   739      $ sudo dockerd \
   740            --log-level debug \
   741            --storage-opt dm.libdm_log_level=7
   742  
   743  ## ZFS options
   744  
   745  #### zfs.fsname
   746  
   747  Sets the ZFS filesystem under which Docker creates its own datasets. By default,
   748  Docker picks up the ZFS filesystem where the Docker graph (`/var/lib/docker`)
   749  is located.
   750  
   751  Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`
   752  
   753  ## Btrfs options
   754  
   755  #### btrfs.min_space
   756  
   757  Specifies the minimum size to use when creating the subvolume that is used for
   758  containers. If a user applies a btrfs disk quota when creating or running a
   759  container with the **--storage-opt size** option, Docker should ensure that
   760  **size** is not smaller than **btrfs.min_space**.
   761  
   762  Example use: `dockerd -s btrfs --storage-opt btrfs.min_space=10G`
   763  
   764  # CLUSTER STORE OPTIONS
   765  
   766  The daemon uses libkv to advertise the node within the cluster.  Some Key/Value
   767  backends support mutual TLS, and the client TLS settings used by the daemon can
   768  be configured using the **--cluster-store-opt** flag, specifying the paths to
   769  PEM encoded files.
   770  
   771  #### kv.cacertfile
   772  
   773  Specifies the path to a local file with PEM encoded CA certificates to trust.
   774  
   775  #### kv.certfile
   776  
   777  Specifies the path to a local file with a PEM encoded certificate.  This
   778  certificate is used as the client cert for communication with the Key/Value
   779  store.
   780  
   781  #### kv.keyfile
   782  
   783  Specifies the path to a local file with a PEM encoded private key.  This
   784  private key is used as the client key for communication with the Key/Value
   785  store.
   786  
   787  # Access authorization
   788  
   789  Docker's access authorization can be extended by authorization plugins that
   790  your organization can purchase or build itself. You can install one or more
   791  authorization plugins when you start the Docker `daemon` using the
   792  `--authorization-plugin=PLUGIN_ID` option.
   793  
   794  ```bash
   795  dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
   796  ```
   797  
   798  The `PLUGIN_ID` value is either the plugin's name or a path to its
   799  specification file. The plugin's implementation determines whether you can
   800  specify a name or path. Consult with your Docker administrator to get
   801  information about the plugins available to you.
   802  
   803  Once a plugin is installed, requests made to the `daemon` through the
   804  command line or Docker's Engine API are allowed or denied by the plugin.
   805  If you have multiple plugins installed, each plugin, in order, must
   806  allow the request for it to complete.
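
The chaining rule above, modeled in Go as an added example (not code from Docker or from any real plugin): each plugin is consulted in order and the first denial ends the chain. The `Plugin` type, the two policies and the sample request are hypothetical; `Request` and `Response` are simplified stand-ins for what a plugin exchanges with the daemon.

```go
package main

import "fmt"

// Request and Response are simplified, assumed shapes for this example.
type Request struct{ User, RequestMethod, RequestURI string }
type Response struct {
	Allow bool
	Msg   string
}

// Plugin is a hypothetical in-process stand-in for one installed plugin.
type Plugin struct {
	Name  string
	Authz func(Request) Response
}

// Authorize consults the plugins in order; the first denial ends the
// chain, so a request completes only if every plugin allows it.
func Authorize(chain []Plugin, req Request) (bool, string) {
	for _, p := range chain {
		if res := p.Authz(req); !res.Allow {
			return false, p.Name + ": " + res.Msg
		}
	}
	return true, ""
}

// readOnly denies any API call that could change daemon state.
var readOnly = Plugin{"plugin1", func(r Request) Response {
	if r.RequestMethod != "GET" && r.RequestMethod != "HEAD" {
		return Response{false, "only read-only API calls are permitted"}
	}
	return Response{Allow: true}
}}

// knownUser denies requests that carry no authenticated user name.
var knownUser = Plugin{"plugin2", func(r Request) Response {
	if r.User == "" {
		return Response{false, "unauthenticated caller"}
	}
	return Response{Allow: true}
}}

func main() {
	chain := []Plugin{readOnly, knownUser}
	// Constructed request: a state-changing call from a named user.
	fmt.Println(Authorize(chain, Request{"alice", "POST", "/containers/create"}))
}
```

Because every plugin must allow the request, adding a plugin to the chain can only narrow what is permitted, never widen it.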
   807  
   808  For information about how to create an authorization plugin, see the [authorization
   809  plugin](https://docs.docker.com/engine/extend/authorization/) section in the
   810  Docker extend section of this documentation.
   811  
   812  # RUNTIME EXECUTION OPTIONS
   813  
   814  You can configure the runtime using options specified with the `--exec-opt` flag.
   815  All the flag's options have the `native` prefix. A single `native.cgroupdriver`
   816  option is available.
   817  
   818  The `native.cgroupdriver` option specifies the management of the container's
   819  cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
   820  `systemd` and it is not available, the system errors out. If you omit the
   821  `native.cgroupdriver` option, `cgroupfs` is used.
   822  
   823  This example sets the `cgroupdriver` to `systemd`:
   824  
   825  ```bash
   826  $ sudo dockerd --exec-opt native.cgroupdriver=systemd
   827  ```
   828  
   829  Setting this option applies to all containers the daemon launches.
   830  
   831  # HISTORY
   832  Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
   833  based on docker.com source material and internal work.