github.com/hustcat/docker@v1.3.3-0.20160314103604-901c67a8eeab/man/docker-daemon.8.md

% DOCKER(8) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
docker-daemon - Enable daemon mode

# SYNOPSIS
**docker daemon**
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**--config-file**[=*/etc/docker/daemon.json*]]
[**-D**|**--debug**]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-ulimit**[=*[]*]]
[**--disable-legacy-registry**]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-g**|**--graph**[=*/var/lib/docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--raw-logs**]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--selinux-enabled**]
[**--storage-opt**[=*[]*]]
[**--tls**]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**]
[**--userland-proxy**[=*true*]]
[**--userns-remap**[=*default*]]

# DESCRIPTION
**docker** has two distinct functions.
It is used for starting the Docker daemon and to run the CLI (i.e., to command the
daemon to manage images, containers etc.). So **docker** is both a server, as a
daemon, and a client to the daemon, through the CLI.

To run the Docker daemon you can specify **docker daemon**.
You can check the daemon options using **docker daemon --help**.
Daemon options should be specified after the **daemon** keyword in the following
format.

**docker daemon [OPTIONS]**

# OPTIONS

**--api-cors-header**=""
  Set CORS headers in the remote API. Default is CORS disabled. Give URLs like "http://foo, http://bar, ...". Give "*" to allow all.

**--authorization-plugin**=""
  Set authorization plugins to load.

**-b**, **--bridge**=""
  Attach containers to a pre\-existing network bridge; use 'none' to disable container networking.

**--bip**=""
  Use the provided CIDR notation address for the dynamically created bridge (docker0); mutually exclusive of \-b.

**--cgroup-parent**=""
  Set parent cgroup for all containers. Default is "/docker" for the fs cgroup driver and "system.slice" for the systemd cgroup driver.

**--cluster-store**=""
  URL of the distributed storage backend.

**--cluster-advertise**=""
  Specifies the 'host:port' or `interface:port` combination that this particular
  daemon instance should use when advertising itself to the cluster. The daemon
  is reached through this value.

**--cluster-store-opt**=""
  Specifies options for the Key/Value store.

**--config-file**="/etc/docker/daemon.json"
  Specifies the JSON file path to load the configuration from.

**-D**, **--debug**=*true*|*false*
  Enable debug mode. Default is false.

**--default-gateway**=""
  IPv4 address of the container default gateway; this address must be part of the bridge subnet (which is defined by \-b or \--bip).

**--default-gateway-v6**=""
  IPv6 address of the container default gateway.

**--default-ulimit**=[]
  Set default ulimits for containers.

**--disable-legacy-registry**=*true*|*false*
  Do not contact legacy registries.

**--dns**=""
  Force Docker to use specific DNS servers.

**--dns-opt**=""
  DNS options to use.

**--dns-search**=[]
  DNS search domains to use.

**--exec-opt**=[]
  Set exec driver options. See EXEC DRIVER OPTIONS.

**--exec-root**=""
  Path to use as the root of the Docker exec driver. Default is `/var/run/docker`.

**--fixed-cidr**=""
  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in the bridge subnet (which is defined by \-b or \-\-bip).

**--fixed-cidr-v6**=""
  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64).

**-G**, **--group**=""
  Group to assign the unix socket specified by -H when running in daemon mode.
  Use '' (the empty string) to disable setting of a group. Default is `docker`.

**-g**, **--graph**=""
  Path to use as the root of the Docker runtime. Default is `/var/lib/docker`.

**-H**, **--host**=[*unix:///var/run/docker.sock*]
  The socket(s) to bind to in daemon mode, specified as one or more of
  tcp://host:port (to bind), unix:///path/to/socket (to use), fd://* or fd://socketfd.

**--help**
  Print usage statement.

**--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using the **--link** option (see **docker-run(1)**). Default is true.

**--insecure-registry**=[]
  Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.

  The list of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.

  Enabling `--insecure-registry` is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using `--insecure-registry`.

**--ip**=""
  Default IP address to use when binding container ports. Default is `0.0.0.0`.

**--ip-forward**=*true*|*false*
  Enables IP forwarding on the Docker host. The default is `true`. This flag interacts with the IP forwarding setting on your host system's kernel. If your system has IP forwarding disabled, this setting enables it. If your system has IP forwarding enabled, setting this flag to `--ip-forward=false` has no effect.

  This setting will also enable IPv6 forwarding if you have both `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
  Enable IP masquerading for the bridge's IP range. Default is true.

**--iptables**=*true*|*false*
  Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled bridge with address fe80::1 which will allow you to create IPv6-enabled containers. Use together with `--fixed-cidr-v6` to provide globally routable IPv6 addresses. IPv6 forwarding will be enabled if not used with `--ip-forward=false`.
  This may collide with your host's current IPv6 settings. For more information please consult the documentation about "Advanced Networking - IPv6".

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
  Set the logging level. Default is `info`.

**--label**="[]"
  Set key=value labels to the daemon (displayed in `docker info`).

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
  Default driver for container logs. Default is `json-file`.
  **Warning**: the `docker logs` command works only with the `json-file` logging driver.

**--log-opt**=[]
  Logging driver specific options.

**--mtu**=*0*
  Set the containers network mtu. Default is `0`.

**-p**, **--pidfile**=""
  Path to use for daemon PID file. Default is `/var/run/docker.pid`.

**--raw-logs**
  Output daemon logs in full timestamp format without ANSI coloring. If this flag is not set,
  the daemon outputs condensed, colorized logs if a terminal is detected, or full ("raw")
  output otherwise.

**--registry-mirror**=*<scheme>://<host>*
  Prepend a registry mirror to be used for image pulls. May be specified multiple times.

**-s**, **--storage-driver**=""
  Force the Docker runtime to use a specific storage driver.

**--selinux-enabled**=*true*|*false*
  Enable SELinux support. Default is false. SELinux does not presently support the overlay storage driver.

**--storage-opt**=[]
  Set storage driver options. See STORAGE DRIVER OPTIONS.

**--tls**=*true*|*false*
  Use TLS; implied by --tlsverify. Default is false.

**--tlscacert**=*~/.docker/ca.pem*
  Trust certs signed only by this CA.

**--tlscert**=*~/.docker/cert.pem*
  Path to TLS certificate file.

**--tlskey**=*~/.docker/key.pem*
  Path to TLS key file.

**--tlsverify**=*true*|*false*
  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
  Default is false.

**--userland-proxy**=*true*|*false*
  Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is true.

**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
  Enable user namespaces for containers on the daemon. Specifying "default" will cause a new user and group to be created to handle UID and GID range remapping for the user namespace mappings used for contained processes. Specifying a user (or uid) and optionally a group (or gid) will cause the daemon to look up the user's and group's subordinate ID ranges for use as the user namespace mappings for contained processes.

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The
backends that currently take options are *devicemapper* and *zfs*.
Options for *devicemapper* are prefixed with *dm* and options for *zfs*
start with *zfs*.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use `lvm` to create a thin pool; for
more information see `man lvmthin`. Then, use `--storage-opt
dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

## Devicemapper options

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use
`lvm` to create and manage the thin-pool volume. This volume is then
handed to Docker to create snapshot volumes needed for images and
containers.

Managing the thin-pool outside of Docker makes for the most feature-rich method
of having Docker utilize device mapper thin provisioning as the backing storage
for Docker's containers. The highlights of the LVM-based thin-pool management
feature include: automatic or interactive thin-pool resize support, dynamically
changing thin-pool features, automatic thinp metadata checking when lvm activates
the thin-pool, etc.

Example use: `docker daemon --storage-opt dm.thinpooldev=/dev/mapper/thin-pool`

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note,
thin devices are inherently "sparse", so a 10G device which is mostly
empty doesn't use 10 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

The base device size can be increased at daemon restart which will allow
all future images and containers (based on those new images) to be of the
new base device size.

Example use: `docker daemon --storage-opt dm.basesize=50G`

This will increase the base device size to 50G. The Docker daemon will throw an
error if the existing base device size is larger than 50G. A user can use
this option to expand the base device size; however, shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images.
Typically, a change to this
value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Example use: `docker daemon --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `docker daemon --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `docker daemon --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `docker daemon --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, then a deferred removal is scheduled on the
device, and the device automatically goes away when its last user
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a busy
device.

Example use: `docker daemon --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver can not
remove a device, the container deletion fails and the daemon returns:

`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`docker daemon --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when unintentional leaking of a mount point happens across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size
is 2G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom block device to use for data for a
Docker-managed thin pool. It is better to use `dm.thinpooldev`; see
the documentation for it above for discussion of the advantages.

#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom block device to use for metadata for a
Docker-managed thin pool. See `dm.datadev` for why this is
deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: `docker daemon --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper
devices. This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal
times, but it also prevents the space used in the `/var/lib/docker` directory
from being returned to the system for other use when containers are
removed.

Example use: `docker daemon --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the
`udev` device manager for the Linux kernel. This option allows
disabling that synchronization, to continue even though the
configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between
the `devicemapper` and `udev` during create and cleanup. The race
condition results in errors and failures.
(For information on these
failures, see
[docker#4036](https://github.com/docker/docker/issues/4036).)

To allow the `docker` daemon to start, regardless of whether `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

    $ docker daemon --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you that
the errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment
that does support synchronizing with `udev`. For further discussion on
this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag for migrating existing Docker daemons to a
daemon with a supported environment.

## ZFS options

#### zfs.fsname

Set the zfs filesystem under which docker will create its own datasets.
By default docker will pick up the zfs filesystem where the docker graph
(`/var/lib/docker`) is located.

Example use: `docker daemon -s zfs --storage-opt zfs.fsname=zroot/docker`

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise
the node within the cluster. Some Key/Value backends support mutual
TLS, and the client TLS settings used by the daemon can be configured
using the **--cluster-store-opt** flag, specifying the paths to PEM encoded
files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust.

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate. This
certificate is used as the client cert for communication with the
Key/Value store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key. This
private key is used as the client key for communication with the
Key/Value store.
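
As an added example (not part of this man page or of the Docker project), the following Python audits a `docker daemon` command line against the OPTIONS and STORAGE DRIVER OPTIONS documented above: a tcp:// listener without `--tlsverify`, an `--insecure-registry`, the devicemapper loopback default, deprecated `dm.*` options and unset hardening flags each produce a finding. The flag parsing is a simplified reimplementation of the daemon's own, and the severity levels are assumptions.

```python
import shlex

# Constructed audit, not part of the Docker project: each rule encodes a statement
# from docker-daemon(8) above. It is a review aid, not a policy engine.
ALIASES = {"-b": "--bridge", "-H": "--host", "-s": "--storage-driver",
           "-D": "--debug", "-G": "--group", "-g": "--graph",
           "-l": "--log-level", "-p": "--pidfile"}
LOOPBACK_OPTS = ("dm.loopdatasize", "dm.loopmetadatasize")
DEPRECATED_OPTS = ("dm.datadev", "dm.metadatadev")
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}   # severity levels are an assumption


def parse_daemon_args(cmdline):
    """Turn 'docker daemon [OPTIONS]' into {flag: [values]}; bare flags map to 'true'."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "daemon"]:
        raise ValueError("expected a 'docker daemon ...' command line")
    opts, args, i = {}, argv[2:], 0
    while i < len(args):
        tok = args[i]
        if "=" in tok:
            flag, val = tok.split("=", 1)
        elif i + 1 < len(args) and not args[i + 1].startswith("-"):
            flag, val, i = tok, args[i + 1], i + 1   # value given as the next token
        else:
            flag, val = tok, "true"                  # boolean flag given bare
        opts.setdefault(ALIASES.get(flag, flag), []).append(val)
        i += 1
    return opts


def audit_daemon_cmdline(cmdline):
    """Return (severity, message) findings for the command line, most severe first."""
    o = parse_daemon_args(cmdline)
    f = []
    tcp = [h for h in o.get("--host", []) if h.startswith("tcp://")]
    if tcp and "--tlsverify" not in o:
        f.append(("HIGH", "tcp listener %s without --tlsverify: clients are not "
                  "verified by certificate" % ", ".join(tcp)))
    if "--bridge" in o and "--bip" in o:
        f.append(("HIGH", "--bip and -b/--bridge are mutually exclusive"))
    if "--insecure-registry" in o:
        f.append(("MEDIUM", "--insecure-registry is for testing only; it accepts HTTP "
                  "or unknown-CA certificates for %s" % ", ".join(o["--insecure-registry"])))
    dm_opts = o.get("--storage-opt", [])
    dm_keys = [so.split("=", 1)[0] for so in dm_opts]
    uses_loopback = any(k in LOOPBACK_OPTS for k in dm_keys) or (
        o.get("--storage-driver", [""])[-1] == "devicemapper"
        and not any(k in ("dm.thinpooldev", "dm.datadev") for k in dm_keys))
    if uses_loopback:
        f.append(("MEDIUM", "devicemapper loopback model in use; not for production"))
    f += [("LOW", "%s is deprecated, use dm.thinpooldev" % k)
          for k in dm_keys if k in DEPRECATED_OPTS]
    if "dm.override_udev_sync_check=true" in dm_opts:
        f.append(("LOW", "udev sync check overridden; meant only for migrating daemons"))
    if o.get("--icc", ["true"])[-1] != "false":
        f.append(("LOW", "--icc left at true: unrestricted inter-container communication"))
    if "--userns-remap" not in o:
        f.append(("LOW", "user namespace remapping (--userns-remap) not enabled"))
    if o.get("--selinux-enabled", ["false"])[-1] != "true":
        f.append(("LOW", "--selinux-enabled not set (default is false)"))
    if tcp and "--authorization-plugin" not in o:
        f.append(("LOW", "remote API reachable with no --authorization-plugin loaded"))
    return sorted(f, key=lambda finding: RANK[finding[0]])
```

Pass the exact command line used to start the daemon; the first two tokens must be `docker daemon`.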

# Access authorization

Docker's access authorization can be extended by authorization plugins that your
organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the
`--authorization-plugin=PLUGIN_ID` option.

```bash
docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
```

The `PLUGIN_ID` value is either the plugin's name or a path to its specification
file. The plugin's implementation determines whether you can specify a name or
path. Consult with your Docker administrator to get information about the
plugins available to you.

Once a plugin is installed, requests made to the `daemon` through the command
line or Docker's remote API are allowed or denied by the plugin. If you have
multiple plugins installed, at least one must allow the request for it to
complete.

For information about how to create an authorization plugin, see the [authorization
plugin](https://docs.docker.com/engine/extend/authorization/) section in the
Docker extend section of this documentation.

# HISTORY
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
based on docker.com source material and internal work.