% DOCKER(8) Docker User Manuals
% Shishir Mahajan
% SEPTEMBER 2015
# NAME
docker-daemon - Enable daemon mode

# SYNOPSIS
**docker daemon**
[**--api-cors-header**[=*API-CORS-HEADER*]]
[**--authorization-plugin**[=*[]*]]
[**-b**|**--bridge**[=*BRIDGE*]]
[**--bip**[=*BIP*]]
[**--cgroup-parent**[=*[]*]]
[**--cluster-store**[=*[]*]]
[**--cluster-advertise**[=*[]*]]
[**--cluster-store-opt**[=*map[]*]]
[**--config-file**[=*/etc/docker/daemon.json*]]
[**-D**|**--debug**]
[**--default-gateway**[=*DEFAULT-GATEWAY*]]
[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
[**--default-ulimit**[=*[]*]]
[**--disable-legacy-registry**]
[**--dns**[=*[]*]]
[**--dns-opt**[=*[]*]]
[**--dns-search**[=*[]*]]
[**--exec-opt**[=*[]*]]
[**--exec-root**[=*/var/run/docker*]]
[**--fixed-cidr**[=*FIXED-CIDR*]]
[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
[**-G**|**--group**[=*docker*]]
[**-g**|**--graph**[=*/var/lib/docker*]]
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
[**--ip-masq**[=*true*]]
[**--iptables**[=*true*]]
[**--ipv6**]
[**-l**|**--log-level**[=*info*]]
[**--label**[=*[]*]]
[**--log-driver**[=*json-file*]]
[**--log-opt**[=*map[]*]]
[**--mtu**[=*0*]]
[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
[**--registry-mirror**[=*[]*]]
[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
[**--selinux-enabled**]
[**--storage-opt**[=*[]*]]
[**--tls**]
[**--tlscacert**[=*~/.docker/ca.pem*]]
[**--tlscert**[=*~/.docker/cert.pem*]]
[**--tlskey**[=*~/.docker/key.pem*]]
[**--tlsverify**]
[**--userland-proxy**[=*true*]]
[**--userns-remap**[=*default*]]

# DESCRIPTION
**docker** has two distinct functions.
It is used for starting the Docker
daemon and to run the CLI (i.e., to command the daemon to manage images,
containers etc.) So **docker** is both a server, as a daemon, and a client
to the daemon, through the CLI.

To run the Docker daemon you can specify **docker daemon**.
You can check the daemon options using **docker daemon --help**.
Daemon options should be specified after the **daemon** keyword in the following
format.

**docker daemon [OPTIONS]**

# OPTIONS

**--api-cors-header**=""
  Set CORS headers in the remote API. Default is CORS disabled. Give URLs like "http://foo, http://bar, ...". Give "*" to allow all. The CORS header only tells browsers which web origins may talk to the API; it adds no authentication. Setting "*" on a tcp:// listener that lacks **--tlsverify** therefore lets any web page loaded in a browser that can reach the API issue requests to the daemon.

**--authorization-plugin**=""
  Set authorization plugins to load. See the Access authorization section below.

**-b**, **--bridge**=""
  Attach containers to a pre\-existing network bridge; use 'none' to disable container networking

**--bip**=""
  Use the provided CIDR notation address for the dynamically created bridge (docker0); mutually exclusive with \-b

**--cgroup-parent**=""
  Set parent cgroup for all containers. Default is "/docker" for the fs cgroup driver and "system.slice" for the systemd cgroup driver.

**--cluster-store**=""
  URL of the distributed storage backend

**--cluster-advertise**=""
  Specifies the 'host:port' or `interface:port` combination that this particular
  daemon instance should use when advertising itself to the cluster. The daemon
  is reached through this value.

**--cluster-store-opt**=""
  Specifies options for the Key/Value store. See CLUSTER STORE OPTIONS.

**--config-file**="/etc/docker/daemon.json"
  Specifies the JSON file path to load the configuration from.

**-D**, **--debug**=*true*|*false*
  Enable debug mode. Default is false.

**--default-gateway**=""
  IPv4 address of the container default gateway; this address must be part of the bridge subnet (which is defined by \-b or \--bip)

**--default-gateway-v6**=""
  IPv6 address of the container default gateway

**--default-ulimit**=[]
  Set default ulimits for containers.

**--disable-legacy-registry**=*true*|*false*
  Do not contact legacy registries

**--dns**=""
  Force Docker to use specific DNS servers

**--dns-opt**=""
  DNS options to use.

**--dns-search**=[]
  DNS search domains to use.

**--exec-opt**=[]
  Set exec driver options. See EXEC DRIVER OPTIONS.

**--exec-root**=""
  Path to use as the root of the Docker exec driver. Default is `/var/run/docker`.

**--fixed-cidr**=""
  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in the bridge subnet (which is defined by \-b or \-\-bip)

**--fixed-cidr-v6**=""
  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)

**-G**, **--group**=""
  Group to assign the unix socket specified by -H when running in daemon mode.
  Use '' (the empty string) to disable setting of a group. Default is `docker`.
  Anyone who can write to the socket can start a container that mounts any host path and runs as root, so membership in this group is equivalent to root on the host; grant it as carefully as you would grant sudo.

**-g**, **--graph**=""
  Path to use as the root of the Docker runtime. Default is `/var/lib/docker`.

**-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
  The socket(s) to bind to in daemon mode specified using one or more
  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
  A tcp:// listener has no authentication of its own: unless **--tlsverify** is also set, anyone who can reach the port can control the daemon, and through it the host. Bind tcp:// listeners to a specific address rather than 0.0.0.0 and always pair them with **--tlsverify**.

**--help**
  Print usage statement

**--icc**=*true*|*false*
  Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using the **--link** option (see **docker-run(1)**). Default is true.

**--insecure-registry**=[]
  Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.

  List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.

  Enabling `--insecure-registry` is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes: with plain HTTP or an unverified certificate, anyone on the network path can serve a modified image in place of the one requested. For increased security, users should add their CA to their system's list of trusted CAs instead of using `--insecure-registry`.

**--ip**=""
  Default IP address to use when binding container ports. Default is `0.0.0.0`.

**--ip-forward**=*true*|*false*
  Enables IP forwarding on the Docker host. The default is `true`. This flag interacts with the IP forwarding setting on your host system's kernel. If your system has IP forwarding disabled, this setting enables it. If your system has IP forwarding enabled, setting this flag to `--ip-forward=false` has no effect.

  This setting will also enable IPv6 forwarding if you have both `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking - IPv6".

**--ip-masq**=*true*|*false*
  Enable IP masquerading for the bridge's IP range. Default is true.

**--iptables**=*true*|*false*
  Enable Docker's addition of iptables rules. Default is true.

**--ipv6**=*true*|*false*
  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled bridge with address fe80::1 which will allow you to create IPv6-enabled containers. Use together with `--fixed-cidr-v6` to provide globally routable IPv6 addresses. IPv6 forwarding will be enabled if not used with `--ip-forward=false`.
  This may collide with your host's current IPv6 settings. For more information please consult the documentation about "Advanced Networking - IPv6".

**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
  Set the logging level. Default is `info`.

**--label**="[]"
  Set key=value labels to the daemon (displayed in `docker info`)

**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*none*"
  Default driver for container logs. Default is `json-file`.
  **Warning**: the `docker logs` command works only for the `json-file` logging driver.

**--log-opt**=[]
  Logging driver specific options.

**--mtu**=*0*
  Set the containers network mtu. Default is `0`.

**-p**, **--pidfile**=""
  Path to use for daemon PID file. Default is `/var/run/docker.pid`

**--registry-mirror**=*<scheme>://<host>*
  Prepend a registry mirror to be used for image pulls. May be specified multiple times.

**-s**, **--storage-driver**=""
  Force the Docker runtime to use a specific storage driver.

**--selinux-enabled**=*true*|*false*
  Enable selinux support. Default is false. SELinux does not presently support the overlay storage driver.

**--storage-opt**=[]
  Set storage driver options. See STORAGE DRIVER OPTIONS.

**--tls**=*true*|*false*
  Use TLS; implied by --tlsverify. Default is false. On its own, **--tls** only encrypts the connection and lets clients verify the daemon; it does not authenticate clients, so it is not a substitute for **--tlsverify** on a network-reachable listener.

**--tlscacert**=*~/.docker/ca.pem*
  Trust certs signed only by this CA.

**--tlscert**=*~/.docker/cert.pem*
  Path to TLS certificate file.

**--tlskey**=*~/.docker/key.pem*
  Path to TLS key file.

**--tlsverify**=*true*|*false*
  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
  Default is false.

**--userland-proxy**=*true*|*false*
  Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is true.
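The listener, TLS, CORS, registry and group options above together decide whether the daemon is exposed to the network, and the dangerous combinations are easy to miss when they are spread over a `daemon.json`. The script below is an added example, not part of the docker project: it reads a `daemon.json` (the keys are the daemon.json spellings of the flags above; `hosts` takes the same URLs as **-H**, `insecure-registries` corresponds to **--insecure-registry**), reports the combinations a reviewer would reject, and is run here against two constructed configs, one weak and one corrected. The severity labels are this example's own.

```python
"""Audit a Docker daemon.json for the exposure-relevant settings described above.

Added example, not docker project code. The keys read here are the daemon.json
spellings of the corresponding flags ("hosts" for -H, "tlsverify" for
--tlsverify, "insecure-registries" for --insecure-registry, and so on); the two
sample configs and the severity labels are constructed for this example.
"""
import json

# Constructed sample: a daemon reachable from the network with no client
# authentication, plus a wide-open CORS policy and plaintext registries.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "api-cors-header": "*",
    "insecure-registries": ["10.0.0.0/8", "registry.example.internal:5000"],
    "icc": True,
})

# Constructed sample: same listener, bound to one address, with mutual TLS,
# no CORS, no insecure registries, and container root remapped off host root.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.1.2.3:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "icc": False,
    "userns-remap": "default",
})


def audit(config_text):
    """Return a list of (severity, message) findings for one daemon.json."""
    cfg = json.loads(config_text)
    findings = []

    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        # Without --tlsverify a tcp:// listener accepts commands from anyone
        # who can reach the port, which amounts to root on the host.
        findings.append(("CRITICAL",
                         "tcp listener without tlsverify: %s" % ", ".join(tcp_hosts)))
    for h in tcp_hosts:
        addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(("HIGH", "tcp listener bound to all interfaces: %s" % h))

    if cfg.get("tls", False) and not cfg.get("tlsverify", False):
        # --tls alone encrypts and identifies the daemon; clients stay anonymous.
        findings.append(("HIGH", "tls set without tlsverify: clients are not authenticated"))

    cors = cfg.get("api-cors-header", "")
    if cors.strip() == "*":
        findings.append(("HIGH", "api-cors-header '*': any web origin may call the API"))
    elif cors:
        findings.append(("MEDIUM", "api-cors-header allows origins: %s" % cors))

    for reg in cfg.get("insecure-registries", []):
        findings.append(("HIGH",
                         "insecure registry %s: plain HTTP or untrusted CA accepted" % reg))

    if cfg.get("icc", True):
        findings.append(("INFO", "icc enabled: unrestricted inter-container traffic"))
    if not cfg.get("userns-remap"):
        findings.append(("INFO", "no userns-remap: container root is host root"))
    return findings


SEVERITY_ORDER = ("INFO", "MEDIUM", "HIGH", "CRITICAL")


def worst(findings):
    """Highest severity present, or None when the config is clean."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: worst=%s" % (label, worst(audit(text))))
        for sev, msg in audit(text):
            print("  [%s] %s" % (sev, msg))
```

The weak config produces one CRITICAL finding (a tcp:// listener without **--tlsverify**) and four HIGH ones; the hardened config produces none. To audit a real host, replace the constructed strings with the contents of the file named by **--config-file**.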

**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
  Enable user namespaces for containers on the daemon. Specifying "default" will cause a new user and group to be created to handle UID and GID range remapping for the user namespace mappings used for contained processes. Specifying a user (or uid) and optionally a group (or gid) will cause the daemon to look up the user's and group's subordinate ID ranges (from `/etc/subuid` and `/etc/subgid`) for use as the user namespace mappings for contained processes. With remapping in effect, root inside a container is an unprivileged UID on the host, which limits what a process that escapes the container can do.

# STORAGE DRIVER OPTIONS

Docker uses storage backends (known as "graphdrivers" in the Docker
internals) to create writable containers from images. Many of these
backends use operating system level technologies and can be
configured.

Specify options to the storage backend with **--storage-opt** flags. The only
backend that currently takes options is *devicemapper*. Therefore use these
flags with **-s=**devicemapper.

Specifically for devicemapper, the default is a "loopback" model which
requires no pre-configuration, but is extremely inefficient. Do not
use it in production.

To make the best use of Docker with the devicemapper backend, you must
have a recent version of LVM. Use `lvm` to create a thin pool; for
more information see `man lvmthin`. Then, use `--storage-opt
dm.thinpooldev` to tell the Docker engine to use that pool for
allocating images and container snapshots.

Here is the list of *devicemapper* options:

#### dm.thinpooldev

Specifies a custom block storage device to use for the thin pool.

If using a block device for device mapper storage, it is best to use
`lvm` to create and manage the thin-pool volume. This volume is then
handed to Docker to create snapshot volumes needed for images and
containers.

Managing the thin-pool outside of Docker makes for the most feature-rich method
of having Docker utilize device mapper thin provisioning as the backing storage
for Docker's containers. The highlights of the LVM-based thin-pool management
feature include: automatic or interactive thin-pool resize support, dynamically
changing thin-pool features, automatic thinp metadata checking when lvm activates
the thin-pool, etc.

Example use: `docker daemon --storage-opt dm.thinpooldev=/dev/mapper/thin-pool`

#### dm.basesize

Specifies the size to use when creating the base device, which limits
the size of images and containers. The default value is 10G. Note,
thin devices are inherently "sparse", so a 10G device which is mostly
empty doesn't use 10 GB of space on the pool. However, the filesystem
will use more space for base images the larger the device
is.

The base device size can be increased at daemon restart which will allow
all future images and containers (based on those new images) to be of the
new base device size.

Example use: `docker daemon --storage-opt dm.basesize=50G`

This will increase the base device size to 50G. The Docker daemon will throw an
error if the existing base device size is larger than 50G. A user can use
this option to expand the base device size; however, shrinking is not permitted.

This value affects the system-wide "base" empty filesystem that may already
be initialized and inherited by pulled images. Typically, a change to this
value requires additional steps to take effect:

    $ sudo service docker stop
    $ sudo rm -rf /var/lib/docker
    $ sudo service docker start

Note that the `rm -rf` step deletes every image, container and volume stored
under `/var/lib/docker`; save anything you still need before running it.

Example use: `docker daemon --storage-opt dm.basesize=20G`

#### dm.fs

Specifies the filesystem type to use for the base device. The
supported options are `ext4` and `xfs`. The default is `ext4`.

Example use: `docker daemon --storage-opt dm.fs=xfs`

#### dm.mkfsarg

Specifies extra mkfs arguments to be used when creating the base device.

Example use: `docker daemon --storage-opt "dm.mkfsarg=-O ^has_journal"`

#### dm.mountopt

Specifies extra mount options used when mounting the thin devices.

Example use: `docker daemon --storage-opt dm.mountopt=nodiscard`

#### dm.use_deferred_removal

Enables use of deferred device removal if `libdm` and the kernel driver
support the mechanism.

Deferred device removal means that if a device is busy when devices are
being removed/deactivated, then a deferred removal is scheduled on the
device, and the device automatically goes away when its last user
exits.

For example, when a container exits, its associated thin device is removed. If
that device has leaked into some other mount namespace and can't be removed,
the container exit still succeeds and this option causes the system to schedule
the device for deferred removal. It does not wait in a loop trying to remove a busy
device.

Example use: `docker daemon --storage-opt dm.use_deferred_removal=true`

#### dm.use_deferred_deletion

Enables use of deferred device deletion for thin pool devices. By default,
thin pool device deletion is synchronous. Before a container is deleted, the
Docker daemon removes any associated devices. If the storage driver can not
remove a device, the container deletion fails and the daemon returns:

`Error deleting container: Error response from daemon: Cannot destroy container`

To avoid this failure, enable both deferred device deletion and deferred
device removal on the daemon.

`docker daemon --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`

With these two options enabled, if a device is busy when the driver is
deleting a container, the driver marks the device as deleted. Later, when the
device isn't in use, the driver deletes it.

In general it should be safe to enable this option by default. It will help
when unintentional leaking of mount points happens across multiple mount
namespaces.

#### dm.loopdatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"data" device which is used for the thin pool. The default size is
100G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopdatasize=200G`

#### dm.loopmetadatasize

**Note**: This option configures devicemapper loopback, which should not be used in production.

Specifies the size to use when creating the loopback file for the
"metadata" device which is used for the thin pool. The default size
is 2G. The file is sparse, so it will not initially take up
this much space.

Example use: `docker daemon --storage-opt dm.loopmetadatasize=4G`

#### dm.datadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for data for a
Docker-managed thin pool. It is better to use `dm.thinpooldev` - see
the documentation for it above for discussion of the advantages.

#### dm.metadatadev

(Deprecated, use `dm.thinpooldev`)

Specifies a custom blockdevice to use for metadata for a
Docker-managed thin pool. See `dm.datadev` for why this is
deprecated.

#### dm.blocksize

Specifies a custom blocksize to use for the thin pool. The default
blocksize is 64K.

Example use: `docker daemon --storage-opt dm.blocksize=512K`

#### dm.blkdiscard

Enables or disables the use of `blkdiscard` when removing devicemapper
devices. This is disabled by default due to the additional latency,
but as a special case with loopback devices it will be enabled, in
order to re-sparsify the loopback file on image/container removal.

Disabling this on loopback can lead to *much* faster container removal
times, but it also prevents the space used in the `/var/lib/docker` directory
from being returned to the system for other use when containers are
removed.

Example use: `docker daemon --storage-opt dm.blkdiscard=false`

#### dm.override_udev_sync_check

By default, the devicemapper backend attempts to synchronize with the
`udev` device manager for the Linux kernel. This option allows
disabling that synchronization, to continue even though the
configuration may be buggy.

To view the `udev` sync support of a Docker daemon that is using the
`devicemapper` driver, run:

    $ docker info
    [...]
    Udev Sync Supported: true
    [...]

When `udev` sync support is `true`, then `devicemapper` and `udev` can
coordinate the activation and deactivation of devices for containers.

When `udev` sync support is `false`, a race condition occurs between
the `devicemapper` and `udev` during create and cleanup. The race
condition results in errors and failures. (For information on these
failures, see
[docker#4036](https://github.com/docker/docker/issues/4036))

To allow the `docker` daemon to start, regardless of whether `udev` sync is
`false`, set `dm.override_udev_sync_check` to true:

    $ docker daemon --storage-opt dm.override_udev_sync_check=true

When this value is `true`, the driver continues and simply warns you
the errors are happening.

**Note**: The ideal is to pursue a `docker` daemon and environment
that does support synchronizing with `udev`. For further discussion on
this topic, see
[docker#4036](https://github.com/docker/docker/issues/4036).
Otherwise, set this flag for migrating existing Docker daemons to a
daemon with a supported environment.

# CLUSTER STORE OPTIONS

The daemon uses libkv to advertise
the node within the cluster. Some Key/Value backends support mutual
TLS, and the client TLS settings used by the daemon can be configured
using the **--cluster-store-opt** flag, specifying the paths to PEM encoded
files.

#### kv.cacertfile

Specifies the path to a local file with PEM encoded CA certificates to trust

#### kv.certfile

Specifies the path to a local file with a PEM encoded certificate. This
certificate is used as the client cert for communication with the
Key/Value store.

#### kv.keyfile

Specifies the path to a local file with a PEM encoded private key. This
private key is used as the client key for communication with the
Key/Value store.

# Access authorization

Docker's access authorization can be extended by authorization plugins that your
organization can purchase or build themselves. You can install one or more
authorization plugins when you start the Docker `daemon` using the
`--authorization-plugin=PLUGIN_ID` option.

```bash
docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
```

The `PLUGIN_ID` value is either the plugin's name or a path to its specification
file. The plugin's implementation determines whether you can specify a name or
path. Consult with your Docker administrator to get information about the
plugins available to you.
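How a chain of several `--authorization-plugin` entries behaves, as an added example that is not the project's code: the daemon asks each plugin in the order given, and the first denial ends the request with that plugin's message. The request fields mirror what the daemon posts to a plugin's AuthZReq hook (User, UserAuthNMethod, RequestMethod, RequestUri, a base64 RequestBody, RequestHeaders); treat the exact JSON spellings as an assumption to check against the authorization plugin reference. The two policies (require a TLS client identity for mutating calls; refuse privileged container creation) and the sample requests are constructed here.

```python
"""Model of the daemon's authorization plugin chain.

Added example, not docker project code. The request fields mirror those the
daemon posts to a plugin's AuthZReq hook (User, UserAuthNMethod, RequestMethod,
RequestUri, base64 RequestBody, RequestHeaders); the exact JSON spellings are an
assumption to verify against the plugin reference. The policies and sample
requests below are constructed for this example.
"""
import base64
import json


def make_request(method, uri, body=None, user="", authn_method=""):
    """Build the request document a plugin receives (assumed field spellings)."""
    raw = json.dumps(body).encode() if body is not None else b""
    return {
        "User": user,
        "UserAuthNMethod": authn_method,
        "RequestMethod": method,
        "RequestUri": uri,
        "RequestBody": base64.b64encode(raw).decode(),
        "RequestHeaders": {"Content-Type": "application/json"},
    }


def require_tls_identity(req):
    """Policy: mutating calls need a TLS-authenticated client identity."""
    if req["RequestMethod"] in ("POST", "PUT", "DELETE") and req["UserAuthNMethod"] != "TLS":
        return False, "mutating request without a TLS client certificate"
    return True, ""


def deny_privileged(req):
    """Policy: refuse container creation that asks for --privileged."""
    path = req["RequestUri"].split("?", 1)[0]
    if req["RequestMethod"] == "POST" and path.endswith("/containers/create"):
        body = json.loads(base64.b64decode(req["RequestBody"]) or b"{}")
        if body.get("HostConfig", {}).get("Privileged", False):
            return False, "privileged containers are not permitted"
    return True, ""


def authorize(chain, req):
    """Ask each (name, policy) in order; the first denial decides the outcome."""
    for name, policy in chain:
        allow, msg = policy(req)
        if not allow:
            return False, "authorization denied by plugin %s: %s" % (name, msg)
    return True, ""


# Order matters: the first plugin to deny is the one whose message is returned.
CHAIN = [("tls-only", require_tls_identity), ("no-priv", deny_privileged)]

if __name__ == "__main__":
    req = make_request("POST", "/v1.22/containers/create?name=web",
                       {"Image": "nginx", "HostConfig": {"Privileged": True}},
                       user="alice", authn_method="TLS")
    print(authorize(CHAIN, req))
```

A request that every plugin accepts goes through unchanged; a request denied by two plugins is reported by whichever comes first on the command line, so put the policy whose message you want users to see first.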

Once a plugin is installed, requests made to the `daemon` through the command
line or Docker's remote API are allowed or denied by the plugin. If you have
multiple plugins installed, each plugin, in order, must allow the request for it to
complete: the first plugin that denies the request stops it, and that plugin's
message is returned to the caller. Plugins are also shown the daemon's response
before it is returned to the client and may deny at that stage as well.

For information about how to create an authorization plugin, see the [authorization
plugin](https://docs.docker.com/engine/extend/authorization.md) section in the
Docker extend section of this documentation.


# HISTORY
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
based on docker.com source material and internal work.