% DOCKER(8) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
dockerd - Enable daemon mode

# SYNOPSIS
**dockerd**
[**--add-runtime**[=*[]*]]
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**--config-file**[=*/etc/docker/daemon.json*]]
[**--containerd**[=*SOCKET-PATH*]]
[**-D**|**--debug**]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-ulimit**[=*[]*]]
[**--disable-legacy-registry**]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--experimental**[=*false*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-g**|**--graph**[=*/var/lib/docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--init**[=*false*]]
[**--init-path**[=*""*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**]
[**--isolation**[=*default*]]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--live-restore**[=*false*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**--max-concurrent-downloads**[=*3*]]
[**--max-concurrent-uploads**[=*5*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--raw-logs**]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--selinux-enabled**]
[**--shutdown-timeout**[=*15*]]
[**--storage-opt**[=*[]*]]
[**--swarm-default-advertise-addr**[=*IP|INTERFACE*]]
[**--tls**]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**]
[**--userland-proxy**[=*true*]]
[**--userland-proxy-path**[=*""*]]
[**--userns-remap**[=*default*]]

# DESCRIPTION
**dockerd** is used for starting the Docker daemon (i.e., to command the daemon to manage images,
containers etc.). So **dockerd** is a server, as a daemon.

To run the Docker daemon you can specify **dockerd**.
You can check the daemon options using **dockerd --help**.
Daemon options should be specified after the **dockerd** keyword in the following
format.

**dockerd [OPTIONS]**

# OPTIONS

**--add-runtime**=[]
  Set additional OCI compatible runtime.

**--api-cors-header**=""
  Set CORS headers in the remote API. Default is CORS disabled. Give URLs like "http://foo, http://bar, ...". Give "*" to allow all.

**--authorization-plugin**=""
  Set authorization plugins to load.

**-b**, **--bridge**=""
  Attach containers to a pre\-existing network bridge; use 'none' to disable container networking.

**--bip**=""
  Use the provided CIDR notation address for the dynamically created bridge (docker0); mutually exclusive with \-b.

**--cgroup-parent**=""
  Set parent cgroup for all containers. Default is "/docker" for fs cgroup driver and "system.slice" for systemd cgroup driver.

**--cluster-store**=""
  URL of the distributed storage backend.

**--cluster-advertise**=""
  Specifies the `host:port` or `interface:port` combination that this particular
  daemon instance should use when advertising itself to the cluster. The daemon
  is reached through this value.

**--cluster-store-opt**=""
  Specifies options for the Key/Value store.

**--config-file**="/etc/docker/daemon.json"
  Specifies the JSON file path to load the configuration from.

**--containerd**=""
  Path to containerd socket.

**-D**, **--debug**=*true*|*false*
  Enable debug mode. Default is false.

**--default-gateway**=""
  IPv4 address of the container default gateway; this address must be part of the bridge subnet (which is defined by \-b or \--bip).

**--default-gateway-v6**=""
  IPv6 address of the container default gateway.

**--default-ulimit**=[]
  Default ulimits for containers.

**--disable-legacy-registry**=*true*|*false*
  Disable contacting legacy registries.

**--dns**=""
  Force Docker to use specific DNS servers.

**--dns-opt**=""
  DNS options to use.

**--dns-search**=[]
  DNS search domains to use.

**--exec-opt**=[]
  Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

**--exec-root**=""
  Path to use as the root of the Docker execution state files. Default is `/var/run/docker`.

**--experimental**=""
  Enable the daemon experimental features.

**--fixed-cidr**=""
  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in the bridge subnet (which is defined by \-b or \-\-bip).

**--fixed-cidr-v6**=""
  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

**-G**, **--group**=""
  Group to assign the unix socket specified by -H when running in daemon mode.
  Use '' (the empty string) to disable setting of a group. Default is `docker`.

**-g**, **--graph**=""
  Path to use as the root of the Docker runtime. Default is `/var/lib/docker`.

**-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
  The socket(s) to bind to in daemon mode specified using one or more
  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.

**--help**
  Print usage statement

**--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using the **--link** option (see **docker-run(1)**). Default is true.

**--init**
  Run an init process inside containers for signal forwarding and process reaping.

**--init-path**
  Path to the docker-init binary.

**--insecure-registry**=[]
  Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.

  List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.

  Enabling `--insecure-registry` is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using `--insecure-registry`.

**--ip**=""
  Default IP address to use when binding container ports. Default is `0.0.0.0`.

**--ip-forward**=*true*|*false*
  Enables IP forwarding on the Docker host. The default is `true`. This flag interacts with the IP forwarding setting on your host system's kernel. If your system has IP forwarding disabled, this setting enables it. If your system has IP forwarding enabled, setting this flag to `--ip-forward=false` has no effect.

  This setting will also enable IPv6 forwarding if you have both `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
  Enable IP masquerading for bridge's IP range. Default is true.

**--iptables**=*true*|*false*
  Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled bridge with address fe80::1 which will allow you to create IPv6-enabled containers. Use together with `--fixed-cidr-v6` to provide globally routable IPv6 addresses. IPv6 forwarding will be enabled if not used with `--ip-forward=false`. This may collide with your host's current IPv6 settings. For more information please consult the documentation about "Advanced Networking - IPv6".

**--isolation**="*default*"
  Isolation specifies the type of isolation technology used by containers. Note
  that the default on Windows server is `process`, and the default on Windows client
  is `hyperv`. Linux only supports `default`.

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
  Set the logging level. Default is `info`.

**--label**="[]"
  Set key=value labels to the daemon (displayed in `docker info`).

**--live-restore**=*false*
  Enable live restore of running containers when the daemon starts so that they are not restarted.

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
  Default driver for container logs. Default is `json-file`.
  **Warning**: the `docker logs` command works only for the `json-file` logging driver.

**--log-opt**=[]
  Logging driver specific options.

**--mtu**=*0*
  Set the containers' network MTU. Default is `0`.

**--max-concurrent-downloads**=*3*
  Set the max concurrent downloads for each pull. Default is `3`.

**--max-concurrent-uploads**=*5*
  Set the max concurrent uploads for each push. Default is `5`.

**-p**, **--pidfile**=""
  Path to use for daemon PID file.
  Default is `/var/run/docker.pid`

**--raw-logs**
  Output daemon logs in full timestamp format without ANSI coloring. If this flag is not set,
  the daemon outputs condensed, colorized logs if a terminal is detected, or full ("raw")
  output otherwise.

**--registry-mirror**=*<scheme>://<host>*
  Prepend a registry mirror to be used for image pulls. May be specified multiple times.

**-s**, **--storage-driver**=""
  Force the Docker runtime to use a specific storage driver.

**--selinux-enabled**=*true*|*false*
  Enable SELinux support. Default is false.

**--shutdown-timeout**=*15*
  Set the shutdown timeout value in seconds. Default is `15`.

**--storage-opt**=[]
  Set storage driver options. See STORAGE DRIVER OPTIONS.

**--swarm-default-advertise-addr**=*IP|INTERFACE*
  Set default address or interface for swarm to advertise as its externally-reachable address to other cluster
  members. This can be a hostname, an IP address, or an interface such as `eth0`. A port cannot be specified with
  this option.

**--tls**=*true*|*false*
  Use TLS; implied by --tlsverify. Default is false.

**--tlscacert**=*~/.docker/ca.pem*
  Trust certs signed only by this CA.

**--tlscert**=*~/.docker/cert.pem*
  Path to TLS certificate file.

**--tlskey**=*~/.docker/key.pem*
  Path to TLS key file.

**--tlsverify**=*true*|*false*
  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
  Default is false.

**--userland-proxy**=*true*|*false*
  Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is true.

**--userland-proxy-path**=""
  Path to the userland proxy binary.

**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
  Enable user namespaces for containers on the daemon.
  Specifying "default" will cause a new user and group to be created to handle UID and GID range remapping for the user namespace mappings used for contained processes. Specifying a user (or uid) and optionally a group (or gid) will cause the daemon to look up the user and group's subordinate ID ranges for use as the user namespace mappings for contained processes.

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The
backends that currently take options are *devicemapper*, *zfs* and *btrfs*.
Options for *devicemapper* are prefixed with *dm*, options for *zfs*
start with *zfs* and options for *btrfs* start with *btrfs*.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use `lvm` to create a thin pool; for
more information see `man lvmthin`. Then, use
`--storage-opt dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

## Devicemapper options

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use `lvm`
to create and manage the thin-pool volume. This volume is then handed to Docker
to exclusively create snapshot volumes needed for images and containers.

Managing the thin-pool outside of Engine makes for the most feature-rich
method of having Docker utilize device mapper thin provisioning as the
backing storage for Docker containers. The highlights of the lvm-based
thin-pool management feature include: automatic or interactive thin-pool
resize support, dynamically changing thin-pool features, automatic thinp
metadata checking when lvm activates the thin-pool, etc.

As a fallback if no thin pool is provided, loopback files are
created. Loopback is very slow, but can be used without any
pre-configuration of storage. It is strongly recommended that you do
not use loopback in production. Ensure your Engine daemon has a
`--storage-opt dm.thinpooldev` argument provided.

Example use:

    $ dockerd \
          --storage-opt dm.thinpooldev=/dev/mapper/thin-pool

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note,
thin devices are inherently "sparse", so a 10G device which is mostly
empty doesn't use 10 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

The base device size can be increased at daemon restart which will allow
all future images and containers (based on those new images) to be of the
new base device size.

Example use: `dockerd --storage-opt dm.basesize=50G`

This will increase the base device size to 50G. The Docker daemon will throw an
error if existing base device size is larger than 50G. A user can use
this option to expand the base device size; however, shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images.
Typically, a change to this
value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Example use: `dockerd --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `dockerd --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `dockerd --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, then a deferred removal is scheduled on the
device. The device automatically goes away when the last user of the device
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a busy
device.

Example use: `dockerd --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver cannot
remove a device, the container deletion fails and the daemon returns.

`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when unintentional leaking of mount point happens across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up
this much space.

Example use: `dockerd --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size
is 2G. The file is sparse, so it will not initially take up
this much space.

Example use: `dockerd --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for data for a
Docker-managed thin pool. It is better to use `dm.thinpooldev` - see
the documentation for it above for discussion of the advantages.

#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for metadata for a
Docker-managed thin pool.
See `dm.datadev` for why this is
deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: `dockerd --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper
devices. This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal
times, but it also prevents the space used in `/var/lib/docker` directory
from being returned to the system for other use when containers are
removed.

Example use: `dockerd --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the
`udev` device manager for the Linux kernel. This option allows
disabling that synchronization, to continue even though the
configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between
the `devicemapper` and `udev` during create and cleanup. The race
condition results in errors and failures.
(For information on these
failures, see
[docker#4036](https://github.com/docker/docker/issues/4036))

To allow the `docker` daemon to start, regardless of whether `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

    $ dockerd --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you
the errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment
that does support synchronizing with `udev`. For further discussion on
this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag for migrating existing Docker daemons to a
daemon with a supported environment.

#### dm.min_free_space

Specifies the minimum free space percentage in a thin pool required for new device
creation to succeed. This check applies to both free data space as well
as free metadata space. Valid values are from 0% - 99%. Value 0% disables
free space checking logic. If the user does not specify a value for this option,
the Engine uses a default value of 10%.

Whenever a new thin pool device is created (during `docker pull` or during
container creation), the Engine checks if the minimum free space is
available. If the space is unavailable, then device creation fails and any
relevant `docker` operation fails.

To recover from this error, you must create more free space in the thin pool.
You can create free space by deleting some images
and containers from the thin pool. You can also add
more storage to the thin pool.

To add more space to an LVM (logical volume management) thin pool, just add
more storage to the group container thin pool; this should automatically
resolve any errors.
If your configuration uses loop devices, then stop the
Engine daemon, grow the size of loop files and restart the daemon to resolve
the issue.

Example use: `dockerd --storage-opt dm.min_free_space=10%`

#### dm.xfs_nospace_max_retries

Specifies the maximum number of retries XFS should attempt to complete
IO when an ENOSPC (no space) error is returned by the underlying storage device.

By default XFS retries infinitely for IO to finish and this can result
in an unkillable process. To change this behavior one can set
xfs_nospace_max_retries to, say, 0 and XFS will not retry IO after getting
ENOSPC and will shut down the filesystem.

Example use:

    $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0


## ZFS options

#### zfs.fsname

Set the zfs filesystem under which docker will create its own datasets.
By default docker will pick up the zfs filesystem where docker graph
(`/var/lib/docker`) is located.

Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`

## Btrfs options

#### btrfs.min_space

Specifies the minimum size to use when creating the subvolume which is used
for containers. If the user uses disk quota for btrfs when creating or running
a container with the **--storage-opt size** option, docker should ensure the
**size** cannot be smaller than **btrfs.min_space**.

Example use: `dockerd -s btrfs --storage-opt btrfs.min_space=10G`

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise
the node within the cluster. Some Key/Value backends support mutual
TLS, and the client TLS settings used by the daemon can be configured
using the **--cluster-store-opt** flag, specifying the paths to PEM encoded
files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust.

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate. This
certificate is used as the client cert for communication with the
Key/Value store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key. This
private key is used as the client key for communication with the
Key/Value store.

# Access authorization

Docker's access authorization can be extended by authorization plugins that your
organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the
`--authorization-plugin=PLUGIN_ID` option.

```bash
dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
```

The `PLUGIN_ID` value is either the plugin's name or a path to its specification
file. The plugin's implementation determines whether you can specify a name or
path. Consult with your Docker administrator to get information about the
plugins available to you.

Once a plugin is installed, requests made to the `daemon` through the command
line or Docker's remote API are allowed or denied by the plugin. If you have
multiple plugins installed, at least one must allow the request for it to
complete.

For information about how to create an authorization plugin, see the [authorization
plugin](https://docs.docker.com/engine/extend/authorization/) section in the
Docker extend section of this documentation.


# HISTORY
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
based on docker.com source material and internal work.
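
Several options described in this manual decide how exposed the daemon is: `-H tcp://` without `--tlsverify`, `--insecure-registry`, `--api-cors-header="*"`, `--icc`, `--userns-remap` and `--authorization-plugin`. The Python check below audits a `dockerd` command line for them; it is an added example, not part of the Docker manual or code base, and the sample command lines, addresses, certificate paths, the plugin name `authz-example` and the finding identifiers are constructed for illustration.

```python
import shlex

# Boolean flags audited here, with the defaults documented in OPTIONS.
BOOL_DEFAULTS = {"--icc": True, "--tlsverify": False}
LIST_FLAGS = ("--host", "--insecure-registry", "--authorization-plugin")
VALUE_FLAGS = ("--userns-remap", "--api-cors-header")
ALIASES = {"-H": "--host"}
FALSE_WORDS = {"0", "f", "false"}

# Constructed samples: addresses, paths and the plugin name are made up.
WEAK = ("dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 "
        "--insecure-registry 10.0.0.0/8 --api-cors-header='*'")
HARDENED = ("dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 "
            "--tlsverify --tlscacert=/etc/docker/ca.pem "
            "--tlscert=/etc/docker/server-cert.pem "
            "--tlskey=/etc/docker/server-key.pem "
            "--icc=false --userns-remap=default "
            "--authorization-plugin=authz-example")


def parse_dockerd_args(cmdline):
    """Return the audited flags as a dict; flags not audited are ignored."""
    opts = dict(BOOL_DEFAULTS)
    opts.update({flag: [] for flag in LIST_FLAGS})
    opts.update({flag: None for flag in VALUE_FLAGS})
    tokens = shlex.split(cmdline)[1:]  # drop the "dockerd" word
    i = 0
    while i < len(tokens):
        name, has_eq, value = tokens[i].partition("=")
        name = ALIASES.get(name, name)
        i += 1
        if name in BOOL_DEFAULTS:
            # Boolean flags take a value only in the --flag=value form.
            opts[name] = value.lower() not in FALSE_WORDS if has_eq else True
        elif name in LIST_FLAGS or name in VALUE_FLAGS:
            if not has_eq:  # "--flag value": the value is the next word
                if i >= len(tokens):
                    raise ValueError("missing value for " + name)
                value = tokens[i]
                i += 1
            if name in LIST_FLAGS:
                opts[name].append(value)
            else:
                opts[name] = value
    return opts


def audit(cmdline):
    """Return (identifier, message) findings for a dockerd command line."""
    o = parse_dockerd_args(cmdline)
    tcp = [h for h in o["--host"] if h.startswith("tcp://")]
    findings = []
    if tcp and not o["--tlsverify"]:
        findings.append(("tcp-no-tlsverify",
                         "API on %s does not verify clients" % ", ".join(tcp)))
    if tcp and not o["--authorization-plugin"]:
        findings.append(("tcp-no-authz-plugin",
                         "no authorization plugin filters remote API requests"))
    for registry in o["--insecure-registry"]:
        findings.append(("insecure-registry",
                         "unencrypted or untrusted registry: " + registry))
    if o["--api-cors-header"] == "*":
        findings.append(("cors-allow-all", "remote API allows every origin"))
    if o["--icc"]:
        findings.append(("icc-enabled",
                         "unrestricted inter-container communication"))
    if o["--userns-remap"] is None:
        findings.append(("no-userns-remap",
                         "containers run without user namespace remapping"))
    return findings


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for ident, message in audit(cmd) or [("ok", "no findings")]:
            print("  %-20s %s" % (ident, message))
```

The parser covers only the flags it audits and the `--flag=value` and `--flag value` spellings; settings loaded from the `--config-file` JSON are not read.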