github.com/vincentwoo/docker@v0.7.3-0.20160116130405-82401a4b13c0/man/docker-daemon.8.md

% DOCKER(8) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
docker-daemon - Enable daemon mode

# SYNOPSIS
**docker daemon**
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**--config-file**[=*/etc/docker/daemon.json*]]
[**-D**|**--debug**]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-ulimit**[=*[]*]]
[**--disable-legacy-registry**]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-g**|**--graph**[=*/var/lib/docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--selinux-enabled**]
[**--storage-opt**[=*[]*]]
[**--tls**]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**]
[**--userland-proxy**[=*true*]]
[**--userns-remap**[=*default*]]

# DESCRIPTION
**docker** has two distinct functions. It is used for starting the Docker
daemon and to run the CLI (i.e., to command the daemon to manage images,
containers, etc.). So **docker** is both a server, as a daemon, and a client
to the daemon, through the CLI.

To run the Docker daemon you can specify **docker daemon**.
You can check the daemon options using **docker daemon --help**.
Daemon options should be specified after the **daemon** keyword in the following
format.

**docker daemon [OPTIONS]**

# OPTIONS

**--api-cors-header**=""
  Set CORS headers in the remote API. Default is CORS disabled. Give URLs like "http://foo, http://bar, ...". Give "*" to allow all.

**--authorization-plugin**=""
  Set authorization plugins to load

**-b**, **--bridge**=""
  Attach containers to a pre\-existing network bridge; use 'none' to disable container networking

**--bip**=""
  Use the provided CIDR notation address for the dynamically created bridge (docker0); mutually exclusive with \-b

**--cgroup-parent**=""
  Set parent cgroup for all containers. Default is "/docker" for fs cgroup driver and "system.slice" for systemd cgroup driver.

**--cluster-store**=""
  URL of the distributed storage backend

**--cluster-advertise**=""
  Specifies the `host:port` or `interface:port` combination that this particular
  daemon instance should use when advertising itself to the cluster. The daemon
  is reached through this value.

**--cluster-store-opt**=""
  Specifies options for the Key/Value store.

**--config-file**="/etc/docker/daemon.json"
  Specifies the JSON file path to load the configuration from.

**-D**, **--debug**=*true*|*false*
  Enable debug mode. Default is false.

**--default-gateway**=""
  IPv4 address of the container default gateway; this address must be part of the bridge subnet (which is defined by \-b or \-\-bip)

**--default-gateway-v6**=""
  IPv6 address of the container default gateway

**--default-ulimit**=[]
  Set default ulimits for containers.

**--disable-legacy-registry**=*true*|*false*
  Do not contact legacy registries

**--dns**=""
  Force Docker to use specific DNS servers

**--dns-opt**=""
  DNS options to use.

**--dns-search**=[]
  DNS search domains to use.

**--exec-opt**=[]
  Set exec driver options. See EXEC DRIVER OPTIONS.

**--exec-root**=""
  Path to use as the root of the Docker exec driver. Default is `/var/run/docker`.

**--fixed-cidr**=""
  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in the bridge subnet (which is defined by \-b or \-\-bip)

**--fixed-cidr-v6**=""
  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)
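
The three bridge-address constraints stated for -b/--bip, --default-gateway and --fixed-cidr can be checked before the daemon is started. The following is an added example, not code from the man page or from the Docker project; the function name `check_bridge_options` and its keyword arguments are this example's own, and it relies only on Python's standard `ipaddress` module:

```python
import ipaddress

# Added example, not part of the docker man page or the Docker project.
# It applies the IPv4 constraints the page states for the bridge options:
#   --bip and -b/--bridge are mutually exclusive
#   --default-gateway must be an address inside the bridge subnet
#   --fixed-cidr must be a subnet nested inside the bridge subnet
# The function name and its keyword arguments are this example's own.


def check_bridge_options(bip=None, bridge=None, fixed_cidr=None,
                         default_gateway=None):
    """Return a list of problems; an empty list means the options agree.

    bip:             CIDR address for docker0, e.g. "172.20.0.1/16"
    bridge:          value of -b/--bridge, e.g. "br0" or "none"
    fixed_cidr:      IPv4 subnet for fixed container IPs, e.g. "172.20.10.0/24"
    default_gateway: IPv4 address handed to containers as default gateway
    """
    problems = []
    if bip and bridge:
        problems.append("--bip and -b/--bridge are mutually exclusive")
    if not bip:
        # With a pre-existing bridge (-b) its subnet would have to be read
        # from the host; this example only validates against --bip.
        return problems

    bridge_net = ipaddress.ip_interface(bip).network

    if fixed_cidr:
        sub = ipaddress.ip_network(fixed_cidr, strict=False)
        if sub.version != bridge_net.version or not sub.subnet_of(bridge_net):
            problems.append(
                f"--fixed-cidr {sub} is not nested in bridge subnet {bridge_net}")

    if default_gateway:
        gw = ipaddress.ip_address(default_gateway)
        if gw.version != bridge_net.version or gw not in bridge_net:
            problems.append(
                f"--default-gateway {gw} is not in bridge subnet {bridge_net}")

    return problems


if __name__ == "__main__":
    # Constructed option sets: one consistent, one carrying all three errors.
    for opts in (
        dict(bip="172.20.0.1/16", fixed_cidr="172.20.10.0/24",
             default_gateway="172.20.0.254"),
        dict(bip="172.20.0.1/16", bridge="br0", fixed_cidr="10.20.0.0/16",
             default_gateway="192.168.1.1"),
    ):
        print(opts, "->", check_bridge_options(**opts) or "ok")
```

It validates only against --bip; when -b names a pre-existing bridge, its subnet has to be read from the host, which this example does not do. The IPv6 counterparts (--default-gateway-v6, --fixed-cidr-v6) have no nesting rule stated on the page and are not checked.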

**-G**, **--group**=""
  Group to assign the unix socket specified by -H when running in daemon mode.
  Use '' (the empty string) to disable setting of a group. Default is `docker`.

**-g**, **--graph**=""
  Path to use as the root of the Docker runtime. Default is `/var/lib/docker`.

**-H**, **--host**=[*unix:///var/run/docker.sock*]
  The socket(s) to bind to in daemon mode, specified using one or more
  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd. Use
  tcp://[host:port] to bind a TCP socket or unix://[/path/to/socket] to use a
  unix socket.

**--help**
  Print usage statement

**--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using the **--link** option (see **docker-run(1)**). Default is true.

**--insecure-registry**=[]
  Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.

  List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.

  Enabling `--insecure-registry` is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using `--insecure-registry`.
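
Because an --insecure-registry entry in CIDR form covers a whole subnet, it is worth knowing exactly which registries a given list downgrades. The following audit is an added example, not part of the man page or the Docker project; the entry list, the registry names, the `BROAD_PREFIX_LIMIT` threshold and the simplified matching rules (exact host:port, bare host, or a literal IP address inside a CIDR; hostnames are not resolved) are this example's own assumptions:

```python
import ipaddress

# Added example, not part of the docker man page or the Docker project.
# It audits a daemon's --insecure-registry list: which configured registries
# would be contacted over plain HTTP or with an untrusted certificate, and
# which entries are so wide that they cover far more than a test registry.
# Matching is simplified: an entry matches a registry by exact "host:port",
# by bare host, or, for a CIDR entry, by a literal IP address in the
# registry name (hostnames are not resolved here).

# Constructed sample data: an insecure list and the registries in use.
INSECURE_ENTRIES = ["localhost:5000", "10.0.0.0/8", "registry.test.example:5000"]
REGISTRIES = [
    "localhost:5000",
    "10.2.3.4:5000",
    "registry.test.example:5000",
    "registry-1.docker.io",
    "203.0.113.7:5000",
]

# CIDR entries shorter than this prefix are reported as overly broad
# (a /8 alone admits about 16 million possible registry hosts).
BROAD_PREFIX_LIMIT = 16


def split_host_port(registry):
    """Split "host:port" into (host, port); port is None when absent."""
    host, sep, port = registry.rpartition(":")
    if not sep or not port.isdigit():
        return registry, None
    return host, port


def matches_insecure_entry(registry, entry):
    """True when `registry` falls under one --insecure-registry `entry`."""
    host, _ = split_host_port(registry)
    if "/" in entry:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # hostname, or malformed CIDR: no match
    return registry == entry or host == entry


def audit(insecure_entries, registries):
    """Return (coverage, broad).

    coverage maps each registry to the entry that makes it insecure (None if
    it is still reached with TLS and a trusted CA); broad lists CIDR entries
    wider than BROAD_PREFIX_LIMIT.
    """
    coverage = {
        reg: next((e for e in insecure_entries if matches_insecure_entry(reg, e)), None)
        for reg in registries
    }
    broad = []
    for entry in insecure_entries:
        if "/" not in entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.prefixlen < BROAD_PREFIX_LIMIT:
            broad.append(entry)
    return coverage, broad


if __name__ == "__main__":
    coverage, broad = audit(INSECURE_ENTRIES, REGISTRIES)
    for reg, entry in coverage.items():
        print(f"{reg:30} {'INSECURE via ' + entry if entry else 'tls, trusted CA'}")
    for entry in broad:
        print(f"overly broad insecure entry: {entry}")
```

On the sample data the /8 entry is what turns `10.2.3.4:5000` insecure and is itself reported as broad; the two public-name registries stay on TLS with a trusted CA, which is the state the page recommends reaching by installing the registry's CA instead.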

**--ip**=""
  Default IP address to use when binding container ports. Default is `0.0.0.0`.

**--ip-forward**=*true*|*false*
  Enables IP forwarding on the Docker host. The default is `true`. This flag interacts with the IP forwarding setting on your host system's kernel. If your system has IP forwarding disabled, this setting enables it. If your system has IP forwarding enabled, setting this flag to `--ip-forward=false` has no effect.

  This setting will also enable IPv6 forwarding if you have both `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
  Enable IP masquerading for bridge's IP range. Default is true.

**--iptables**=*true*|*false*
  Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled bridge with address fe80::1 which will allow you to create IPv6-enabled containers. Use together with `--fixed-cidr-v6` to provide globally routable IPv6 addresses. IPv6 forwarding will be enabled if not used with `--ip-forward=false`. This may collide with your host's current IPv6 settings. For more information please consult the documentation about "Advanced Networking - IPv6".

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
  Set the logging level. Default is `info`.

**--label**="[]"
  Set key=value labels to the daemon (displayed in `docker info`)

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*none*"
  Default driver for container logs. Default is `json-file`.
  **Warning**: the `docker logs` command works only with the `json-file` logging driver.

**--log-opt**=[]
  Logging driver specific options.

**--mtu**=*0*
  Set the container network MTU. Default is `0`.

**-p**, **--pidfile**=""
  Path to use for daemon PID file. Default is `/var/run/docker.pid`.

**--registry-mirror**=*<scheme>://<host>*
  Prepend a registry mirror to be used for image pulls. May be specified multiple times.

**-s**, **--storage-driver**=""
  Force the Docker runtime to use a specific storage driver.

**--selinux-enabled**=*true*|*false*
  Enable SELinux support. Default is false. SELinux does not presently support the overlay storage driver.

**--storage-opt**=[]
  Set storage driver options. See STORAGE DRIVER OPTIONS.

**--tls**=*true*|*false*
  Use TLS; implied by --tlsverify. Default is false.

**--tlscacert**=*~/.docker/ca.pem*
  Trust certs signed only by this CA.

**--tlscert**=*~/.docker/cert.pem*
  Path to TLS certificate file.

**--tlskey**=*~/.docker/key.pem*
  Path to TLS key file.

**--tlsverify**=*true*|*false*
  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
  Default is false.

**--userland-proxy**=*true*|*false*
  Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is true.

**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
  Enable user namespaces for containers on the daemon. Specifying "default" will cause a new user and group to be created to handle UID and GID range remapping for the user namespace mappings used for contained processes. Specifying a user (or uid) and optionally a group (or gid) will cause the daemon to look up the user's and group's subordinate ID ranges for use as the user namespace mappings for contained processes.
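
The lookup described for --userns-remap, as an added example that is not part of the man page or the Docker project: it parses /etc/subuid- and /etc/subgid-style content (constructed sample text below, in the shadow-utils name:start:count format) and derives the container-to-host ID mapping. Only user and group names are resolved, and "default" is taken to mean a user named `dockremap`, which is an assumption the page does not state:

```python
# Added example, not part of the docker man page or the Docker project.
# The page says that for --userns-remap=user[:group] the daemon looks up the
# user's and group's subordinate ID ranges and uses them as the user
# namespace mappings for contained processes. This reproduces that lookup
# over /etc/subuid- and /etc/subgid-style content (one "name:start:count"
# entry per line, the shadow-utils format) and derives the container-id to
# host-id mapping. Only names are resolved here (numeric uid/gid specs are
# not looked up in passwd/group), and "default" is taken to mean the name
# "dockremap", an assumption the page does not state.

# Constructed sample contents of /etc/subuid and /etc/subgid.
SUBUID = """\
# name:start:count
dockremap:100000:65536
alice:165536:65536
alice:300000:1000
"""
SUBGID = """\
dockremap:100000:65536
alice:165536:65536
"""


def parse_sub_ids(text, name):
    """Return [(start, count), ...] assigned to `name` in subuid/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] != name:
            continue
        start, count = int(fields[1]), int(fields[2])
        if count <= 0:
            continue
        ranges.append((start, count))
    return ranges


def build_id_map(ranges):
    """Lay out ranges as (container_id, host_id, size) triples.

    Container IDs start at 0 and are assigned contiguously in file order,
    so container uid 0 lands on the start of the first subordinate range.
    """
    id_map, next_container_id = [], 0
    for start, count in ranges:
        id_map.append((next_container_id, start, count))
        next_container_id += count
    return id_map


def remap_spec(spec, subuid_text, subgid_text):
    """Resolve a --userns-remap value to (uid_map, gid_map)."""
    if spec == "default":
        spec = "dockremap"  # assumed name; creating the user is not done here
    user, _, group = spec.partition(":")
    group = group or user
    uid_ranges = parse_sub_ids(subuid_text, user)
    gid_ranges = parse_sub_ids(subgid_text, group)
    if not uid_ranges:
        raise ValueError(f"no subordinate uid range for {user}")
    if not gid_ranges:
        raise ValueError(f"no subordinate gid range for {group}")
    return build_id_map(uid_ranges), build_id_map(gid_ranges)


def host_id(id_map, container_id):
    """Host uid/gid a container uid/gid maps to, or None if unmapped."""
    for cid, hid, size in id_map:
        if cid <= container_id < cid + size:
            return hid + (container_id - cid)
    return None


if __name__ == "__main__":
    uid_map, gid_map = remap_spec("alice", SUBUID, SUBGID)
    print("uid_map entries (container, host, size):", uid_map)
    print("container root (uid 0) runs as host uid", host_id(uid_map, 0))
```

The point to take from the mapping is that a process which is root inside the container (uid 0) is an unprivileged high-numbered uid on the host, and that a container uid beyond the combined range size has no host identity at all; a missing subuid or subgid entry for the configured name makes the lookup fail before any container is started.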

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images.  Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The only
backend that currently takes options is *devicemapper*. Therefore use these
flags with **-s=**devicemapper.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient.  Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM.  Use `lvm` to create a thin pool; for
more information see `man lvmthin`.  Then, use `--storage-opt
dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

Here is the list of *devicemapper* options:

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use
`lvm` to create and manage the thin-pool volume. This volume is then
handed to Docker to create snapshot volumes needed for images and
containers.

Managing the thin-pool outside of Docker makes for the most feature-rich method
of having Docker utilize device mapper thin provisioning as the backing storage
for Docker's containers. The highlights of the LVM-based thin-pool management
feature include: automatic or interactive thin-pool resize support, dynamically
changing thin-pool features, automatic thinp metadata checking when lvm activates
the thin-pool, etc.

Example use: `docker daemon --storage-opt dm.thinpooldev=/dev/mapper/thin-pool`

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note,
thin devices are inherently "sparse", so a 10G device which is mostly
empty doesn't use 10 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

The base device size can be increased at daemon restart which will allow
all future images and containers (based on those new images) to be of the
new base device size.

Example use: `docker daemon --storage-opt dm.basesize=50G`

This will increase the base device size to 50G. The Docker daemon will throw an
error if the existing base device size is larger than 50G. A user can use
this option to expand the base device size; shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images. Typically, a change to this
value requires additional steps to take effect:

        $ sudo service docker stop
        $ sudo rm -rf /var/lib/docker
        $ sudo service docker start

Example use: `docker daemon --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `docker daemon --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `docker daemon --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `docker daemon --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, then a deferred removal is scheduled for that
device, and the device automatically goes away when its last user
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a busy
device.

Example use: `docker daemon --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver cannot
remove a device, the container deletion fails and the daemon returns:

`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`docker daemon --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when mount points unintentionally leak across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size
is 2G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for data for a
Docker-managed thin pool.  It is better to use `dm.thinpooldev` - see
the documentation for it above for discussion of the advantages.

#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for metadata for a
Docker-managed thin pool.  See `dm.datadev` for why this is
deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool.  The default
blocksize is 64K.

Example use: `docker daemon --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper
devices.  This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal
times, but it also prevents the space used in the `/var/lib/docker` directory
from being returned to the system for other use when containers are
removed.

Example use: `docker daemon --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the
`udev` device manager for the Linux kernel.  This option allows
disabling that synchronization, to continue even though the
configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

        $ docker info
        [...]
         Udev Sync Supported: true
        [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between
the `devicemapper` and `udev` during create and cleanup. The race
condition results in errors and failures. (For information on these
failures, see
[docker#4036](https://github.com/docker/docker/issues/4036))

To allow the `docker` daemon to start, regardless of whether `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

        $ docker daemon --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you
that the errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment
that does support synchronizing with `udev`. For further discussion on
this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag for migrating existing Docker daemons to a
daemon with a supported environment.

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise
the node within the cluster.  Some Key/Value backends support mutual
TLS, and the client TLS settings used by the daemon can be configured
using the **--cluster-store-opt** flag, specifying the paths to PEM encoded
files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust.

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate.  This
certificate is used as the client cert for communication with the
Key/Value store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key.  This
private key is used as the client key for communication with the
Key/Value store.

# ACCESS AUTHORIZATION

Docker's access authorization can be extended by authorization plugins that your
organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the
`--authorization-plugin=PLUGIN_ID` option.

```bash
docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
```

The `PLUGIN_ID` value is either the plugin's name or a path to its specification
file. The plugin's implementation determines whether you can specify a name or
path. Consult with your Docker administrator to get information about the
plugins available to you.

Once a plugin is installed, requests made to the `daemon` through the command
line or Docker's remote API are allowed or denied by the plugin.  If you have
multiple plugins installed, at least one must allow the request for it to
complete.

For information about how to create an authorization plugin, see [authorization
plugin](https://docs.docker.com/engine/extend/authorization.md) section in the
Docker extend section of this documentation.
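
A deny-by-default request policy in the shape such a plugin takes, as an added example that is neither the Docker project's code nor the plugin protocol specification (the page only says a plugin allows or denies each request). The request fields `User`, `RequestMethod`, `RequestUri` and `RequestBody`, the response fields `Allow` and `Msg`, and the `/AuthZPlugin.AuthZReq` and `/AuthZPlugin.AuthZRes` paths are this example's assumptions about the protocol and should be checked against the linked documentation; the rule table and user names are constructed, and the request body is handled as plain JSON:

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not the Docker project's code and not the plugin protocol
# specification. The page only says that a plugin allows or denies each
# request reaching the daemon. The request fields (User, RequestMethod,
# RequestUri, RequestBody), the response fields (Allow, Msg) and the
# /AuthZPlugin.AuthZReq and /AuthZPlugin.AuthZRes paths used below are this
# example's assumptions about the authorization plugin protocol; check them
# against the linked documentation. The body is treated as raw JSON here.

# Policy, deny by default: (method, URI regex, users allowed). The first
# matching rule wins. Constructed sample values.
RULES = [
    ("GET",  r"^/v[\d.]+/(containers|images)/json$", {"alice", "bob"}),
    ("POST", r"^/v[\d.]+/containers/create$",         {"alice"}),
    ("POST", r"^/v[\d.]+/containers/[^/]+/start$",    {"alice"}),
]


def authz_request(req):
    """Decide one request; returns the response dict for AuthZReq."""
    user = req.get("User") or ""
    method = req.get("RequestMethod", "")
    uri = req.get("RequestUri", "")
    path = uri.split("?", 1)[0]
    body = req.get("RequestBody") or "{}"

    # Content check: refuse privileged containers no matter who asks.
    if method == "POST" and path.endswith("/containers/create"):
        try:
            spec = json.loads(body)
        except ValueError:
            return {"Allow": False, "Msg": "request body is not valid JSON"}
        if not isinstance(spec, dict):
            return {"Allow": False, "Msg": "request body is not a JSON object"}
        if (spec.get("HostConfig") or {}).get("Privileged"):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}

    for rule_method, pattern, users in RULES:
        if method == rule_method and re.match(pattern, path) and user in users:
            return {"Allow": True}
    return {"Allow": False,
            "Msg": f"{user or 'anonymous'} is not permitted to {method} {path}"}


class AuthZHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for the policy. A real plugin is reached through
    the name or specification file given to --authorization-plugin; how
    that discovery works is outside this page."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length) if length else b"{}"
        if self.path == "/AuthZPlugin.AuthZReq":
            resp = authz_request(json.loads(raw))
        elif self.path == "/AuthZPlugin.AuthZRes":
            resp = {"Allow": True}  # daemon responses are not filtered here
        else:
            self.send_error(404)
            return
        out = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthZHandler).serve_forever()
```

Running the module starts the handler on 127.0.0.1:8080; `authz_request` is the part to review, since a request that matches no rule, an unknown user, or a malformed body is denied rather than passed through, and the privileged-container check runs before the user rules so that it cannot be bypassed by an otherwise permitted account.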
   509  
   510  
   511  # HISTORY
   512  Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
   513  based on docker.com source material and internal work.