dockerd-latest (8) - Linux Man Pages
dockerd-latest: Enable daemon mode
dockerd - Enable daemon mode
dockerd [--add-runtime[=]] [--add-registry[=]] [--api-cors-header=[=API-CORS-HEADER]] [--authorization-plugin[=]] [-b|--bridge[=BRIDGE]] [--bip[=BIP]] [--block-registry[=]] [--cgroup-parent[=]] [--cluster-store[=]] [--cluster-advertise[=]] [--cluster-store-opt[=map]] [--config-file[=/etc/docker/daemon.json]] [--containerd[=SOCKET-PATH]] [-D|--debug] [--default-gateway[=DEFAULT-GATEWAY]] [--default-gateway-v6[=DEFAULT-GATEWAY-V6]] [--default-ulimit[=]] [--disable-legacy-registry] [--dns[=]] [--dns-opt[=]] [--dns-search[=]] [--enable-secrets[=true]] [--exec-opt[=]] [--exec-root[=/var/run/docker]] [--fixed-cidr[=FIXED-CIDR]] [--fixed-cidr-v6[=FIXED-CIDR-V6]] [-G|--group[=docker]] [-g|--graph[=/var/lib/docker]] [-H|--host[=]] [--help] [--icc[=true]] [--insecure-registry[=]] [--ip[=0.0.0.0]] [--ip-forward[=true]] [--ip-masq[=true]] [--iptables[=true]] [--ipv6] [--isolation[=default]] [-l|--log-level[=info]] [--label[=]] [--live-restore[=false]] [--log-driver[=json-file]] [--log-opt[=map]] [--mtu[=0]] [--max-concurrent-downloads[=3]] [--max-concurrent-uploads[=5]] [-p|--pidfile[=/var/run/docker.pid]] [--raw-logs] [--registry-mirror[=]] [-s|--storage-driver[=STORAGE-DRIVER]] [--selinux-enabled] [--signature-verification] [--storage-opt[=]] [--swarm-default-advertise-addr[=IP|INTERFACE]] [--tls] [--tlscacert[=~/.docker/ca.pem]] [--tlscert[=~/.docker/cert.pem]] [--tlskey[=~/.docker/key.pem]] [--tlsverify] [--userland-proxy[=true]] [--userns-remap[=default]]
dockerd is used for starting the Docker daemon(i.e., to command the daemon to manage images, containers etc.) So dockerd is a server, as a daemon.
To run the Docker daemon you can specify dockerd. You can check the daemon options using dockerd --help. Daemon options should be specified after the dockerd keyword in the following format.
-H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
unix://[/path/to/socket] to use.
List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
Enabling --insecure-registry is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using --insecure-registry.
This setting will also enable IPv6 forwarding if you have both --ip-forward=true and --fixed-cidr-v6 set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking - IPv6".
Isolation specifies the type of isolation technology used by containers. Note that the default on Windows server is process, and the default on Windows client is hyperv. Linux only supports default.
--raw-logs Output daemon logs in full timestamp format without ANSI coloring. If this flag is not set, the daemon outputs condensed, colorized logs if a terminal is detected, or full ("raw") output otherwise.
Docker supports GPG image signatures verification when --signature-verification flag is true. This functionality works only at pull time and for images being pulled from docker registries version 2. You can sign an image using skopeo(1) or atomic(1). See <https://access.redhat.com/articles/2750891>.
STORAGE DRIVER OPTIONS
Docker uses storage backends (known as "graphdrivers" in the Docker internals) to create writable containers from images. Many of these backends use operating system level technologies and can be configured.
Specify options to the storage backend with --storage-opt flags. The backends that currently take options are devicemapper, zfs and btrfs. Options for devicemapper are prefixed with dm, options for zfs start with zfs and options for btrfs start with btrfs.
Specifically for devicemapper, the default is a "loopback" model which requires no pre-configuration, but is extremely inefficient. Do not use it in production.
To make the best use of Docker with the devicemapper backend, you must have a recent version of LVM. Use lvm to create a thin pool; for more information see man lvmthin. Then, use --storage-opt dm.thinpooldev to tell the Docker engine to use that pool for allocating images and container snapshots.
Specifies a custom block storage device to use for the thin pool.
If using a block device for device mapper storage, it is best to use lvm to create and manage the thin-pool volume. This volume is then handed to Docker to exclusively create snapshot volumes needed for images and containers.
Managing the thin-pool outside of Engine makes for the most feature-rich method of having Docker utilize device mapper thin provisioning as the backing storage for Docker containers. The highlights of the lvm-based thin-pool management feature include: automatic or interactive thin-pool resize support, dynamically changing thin-pool features, automatic thinp metadata checking when lvm activates the thin-pool, etc.
As a fallback if no thin pool is provided, loopback files are created. Loopback is very slow, but can be used without any pre-configuration of storage. It is strongly recommended that you do not use loopback in production. Ensure your Engine daemon has a --storage-opt dm.thinpooldev argument provided.
$ dockerd \
Specifies the size to use when creating the base device, which limits the size of images and containers. The default value is 10G. Note, thin devices are inherently "sparse", so a 10G device which is mostly empty doesn't use 10 GB of space on the pool. However, the filesystem will use more space for base images the larger the device is.
The base device size can be increased at daemon restart which will allow all future images and containers (based on those new images) to be of the new base device size.
Example use: dockerd --storage-opt dm.basesize=50G
This will increase the base device size to 50G. The Docker daemon will throw an error if existing base device size is larger than 50G. A user can use this option to expand the base device size however shrinking is not permitted.
This value affects the system-wide "base" empty filesystem that may already be initialized and inherited by pulled images. Typically, a change to this value requires additional steps to take effect:
$ sudo service docker stop $ sudo rm -rf /var/lib/docker $ sudo service docker start
Example use: dockerd --storage-opt dm.basesize=20G
Specifies the filesystem type to use for the base device. The supported options are ext4 and xfs. The default is ext4.
Example use: dockerd --storage-opt dm.fs=xfs
Specifies extra mkfs arguments to be used when creating the base device.
Example use: dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"
Specifies extra mount options used when mounting the thin devices.
Example use: dockerd --storage-opt dm.mountopt=nodiscard
Enables use of deferred device removal if libdm and the kernel driver support the mechanism.
Deferred device removal means that if device is busy when devices are being removed/deactivated, then a deferred removal is scheduled on device. And devices automatically go away when last user of the device exits.
For example, when a container exits, its associated thin device is removed. If that device has leaked into some other mount namespace and can't be removed, the container exit still succeeds and this option causes the system to schedule the device for deferred removal. It does not wait in a loop trying to remove a busy device.
Example use: dockerd --storage-opt dm.use_deferred_removal=true
Enables use of deferred device deletion for thin pool devices. By default, thin pool device deletion is synchronous. Before a container is deleted, the Docker daemon removes any associated devices. If the storage driver can not remove a device, the container deletion fails and daemon returns.
Error deleting container: Error response from daemon: Cannot destroy container
To avoid this failure, enable both deferred device deletion and deferred device removal on the daemon.
dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true
With these two options enabled, if a device is busy when the driver is deleting a container, the driver marks the device as deleted. Later, when the device isn't in use, the driver deletes it.
In general it should be safe to enable this option by default. It will help when unintentional leaking of mount point happens across multiple mount namespaces.
Note: This option configures devicemapper loopback, which should not be used in production.
Specifies the size to use when creating the loopback file for the "data" device which is used for the thin pool. The default size is 100G. The file is sparse, so it will not initially take up this much space.
Example use: dockerd --storage-opt dm.loopdatasize=200G
Note: This option configures devicemapper loopback, which should not be used in production.
Specifies the size to use when creating the loopback file for the "metadata" device which is used for the thin pool. The default size is 2G. The file is sparse, so it will not initially take up this much space.
Example use: dockerd --storage-opt dm.loopmetadatasize=4G
(Deprecated, use dm.thinpooldev)
Specifies a custom blockdevice to use for data for a Docker-managed thin pool. It is better to use dm.thinpooldev - see the documentation for it above for discussion of the advantages.
(Deprecated, use dm.thinpooldev)
Specifies a custom blockdevice to use for metadata for a Docker-managed thin pool. See dm.datadev for why this is deprecated.
Specifies a custom blocksize to use for the thin pool. The default blocksize is 64K.
Example use: dockerd --storage-opt dm.blocksize=512K
Enables or disables the use of blkdiscard when removing devicemapper devices. This is disabled by default due to the additional latency, but as a special case with loopback devices it will be enabled, in order to re-sparsify the loopback file on image/container removal.
Disabling this on loopback can lead to much faster container removal times, but it also prevents the space used in /var/lib/docker directory from being returned to the system for other use when containers are removed.
Example use: dockerd --storage-opt dm.blkdiscard=false
By default, the devicemapper backend attempts to synchronize with the udev device manager for the Linux kernel. This option allows disabling that synchronization, to continue even though the configuration may be buggy.
To view the udev sync support of a Docker daemon that is using the devicemapper driver, run:
$ docker info [...] Udev Sync Supported: true [...]
When udev sync support is true, then devicemapper and udev can coordinate the activation and deactivation of devices for containers.
When udev sync support is false, a race condition occurs between the devicemapper and udev during create and cleanup. The race condition results in errors and failures. (For information on these failures, see
To allow the docker daemon to start, regardless of whether udev sync is false, set dm.override_udev_sync_check to true:
$ dockerd --storage-opt dm.override_udev_sync_check=true
When this value is true, the driver continues and simply warns you the errors are happening.
Note: The ideal is to pursue a docker daemon and environment that does support synchronizing with udev. For further discussion on this topic, see
<https://github.com/docker/docker/issues/4036>. Otherwise, set this flag for migrating existing Docker daemons to a daemon with a supported environment.
Specifies the min free space percent in a thin pool require for new device creation to succeed. This check applies to both free data space as well as free metadata space. Valid values are from 0% - 99%. Value 0% disables free space checking logic. If user does not specify a value for this option, the Engine uses a default value of 10%.
Whenever a new a thin pool device is created (during docker pull or during container creation), the Engine checks if the minimum free space is available. If the space is unavailable, then device creation fails and any relevant docker operation fails.
To recover from this error, you must create more free space in the thin pool to recover from the error. You can create free space by deleting some images and containers from tge thin pool. You can also add more storage to the thin pool.
To add more space to an LVM (logical volume management) thin pool, just add more storage to the group container thin pool; this should automatically resolve any errors. If your configuration uses loop devices, then stop the Engine daemon, grow the size of loop files and restart the daemon to resolve the issue.
Example use:: dockerd --storage-opt dm.min_free_space=10%
Specifies the maximum number of retries XFS should attempt to complete IO when ENOSPC (no space) error is returned by underlying storage device.
By default XFS retries infinitely for IO to finish and this can result in unkillable process. To change this behavior one can set xfs_nospace_max_retries to say 0 and XFS will not retry IO after getting ENOSPC and will shutdown filesystem.
$ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
Set zfs filesystem under which docker will create its own datasets. By default docker will pick up the zfs filesystem where docker graph (/var/lib/docker) is located.
Example use: dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
Specifies the mininum size to use when creating the subvolume which is used for containers. If user uses disk quota for btrfs when creating or running a container with --storage-opt size option, docker should ensure the size cannot be smaller than btrfs.min_space.
Example use: docker daemon -s btrfs --storage-opt btrfs.min_space=10G
CLUSTER STORE OPTIONS
The daemon uses libkv to advertise the node within the cluster. Some Key/Value backends support mutual TLS, and the client TLS settings used by the daemon can be configured using the --cluster-store-opt flag, specifying the paths to PEM encoded files.
Specifies the path to a local file with PEM encoded CA certificates to trust
Specifies the path to a local file with a PEM encoded certificate. This certificate is used as the client cert for communication with the Key/Value store.
Specifies the path to a local file with a PEM encoded private key. This private key is used as the client key for communication with the Key/Value store.
Docker's access authorization can be extended by authorization plugins that your organization can purchase or build themselves. You can install one or more authorization plugins when you start the Docker daemon using the --authorization-plugin=PLUGIN_ID option.
dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
The PLUGIN_ID value is either the plugin's name or a path to its specification file. The plugin's implementation determines whether you can specify a name or path. Consult with your Docker administrator to get information about the plugins available to you.
Once a plugin is installed, requests made to the daemon through the command line or Docker's remote API are allowed or denied by the plugin. If you have multiple plugins installed, at least one must allow the request for it to complete.
For information about how to create an authorization plugin, see <https://docs.docker.com/engine/extend/authorization/> section in the Docker extend section of this documentation.
Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan [at] redhat.com> based on docker.com source material and internal work.