|
1 .TH "DOCKER" "8" " Docker User Manuals" "Shishir Mahajan" "SEPTEMBER 2015" "" |
|
2 |
|
3 |
|
4 .SH NAME |
|
5 .PP |
|
6 docker\-daemon \- Enable daemon mode |
|
7 |
|
8 |
|
9 .SH SYNOPSIS |
|
10 .PP |
|
11 \fBdocker daemon\fP |
|
12 [\fB\-\-api\-cors\-header\fP=[=\fIAPI\-CORS\-HEADER\fP]] |
|
13 [\fB\-\-authorization\-plugin\fP[=\fI[]\fP]] |
|
14 [\fB\-b\fP|\fB\-\-bridge\fP[=\fIBRIDGE\fP]] |
|
15 [\fB\-\-bip\fP[=\fIBIP\fP]] |
|
16 [\fB\-\-cgroup\-parent\fP[=\fI[]\fP]] |
|
17 [\fB\-\-cluster\-store\fP[=\fI[]\fP]] |
|
18 [\fB\-\-cluster\-advertise\fP[=\fI[]\fP]] |
|
19 [\fB\-\-cluster\-store\-opt\fP[=\fImap[]\fP]] |
|
20 [\fB\-\-config\-file\fP[=\fI/etc/docker/daemon.json\fP]] |
|
21 [\fB\-D\fP|\fB\-\-debug\fP] |
|
22 [\fB\-\-default\-gateway\fP[=\fIDEFAULT\-GATEWAY\fP]] |
|
23 [\fB\-\-default\-gateway\-v6\fP[=\fIDEFAULT\-GATEWAY\-V6\fP]] |
|
24 [\fB\-\-default\-ulimit\fP[=\fI[]\fP]] |
|
25 [\fB\-\-disable\-legacy\-registry\fP] |
|
26 [\fB\-\-dns\fP[=\fI[]\fP]] |
|
27 [\fB\-\-dns\-opt\fP[=\fI[]\fP]] |
|
28 [\fB\-\-dns\-search\fP[=\fI[]\fP]] |
|
29 [\fB\-\-exec\-opt\fP[=\fI[]\fP]] |
|
30 [\fB\-\-exec\-root\fP[=\fI/var/run/docker\fP]] |
|
31 [\fB\-\-fixed\-cidr\fP[=\fIFIXED\-CIDR\fP]] |
|
32 [\fB\-\-fixed\-cidr\-v6\fP[=\fIFIXED\-CIDR\-V6\fP]] |
|
33 [\fB\-G\fP|\fB\-\-group\fP[=\fIdocker\fP]] |
|
34 [\fB\-g\fP|\fB\-\-graph\fP[=\fI/var/lib/docker\fP]] |
|
35 [\fB\-H\fP|\fB\-\-host\fP[=\fI[]\fP]] |
|
36 [\fB\-\-help\fP] |
|
37 [\fB\-\-icc\fP[=\fItrue\fP]] |
|
38 [\fB\-\-insecure\-registry\fP[=\fI[]\fP]] |
|
39 [\fB\-\-ip\fP[=\fI0.0.0.0\fP]] |
|
40 [\fB\-\-ip\-forward\fP[=\fItrue\fP]] |
|
41 [\fB\-\-ip\-masq\fP[=\fItrue\fP]] |
|
42 [\fB\-\-iptables\fP[=\fItrue\fP]] |
|
43 [\fB\-\-ipv6\fP] |
|
44 [\fB\-l\fP|\fB\-\-log\-level\fP[=\fIinfo\fP]] |
|
45 [\fB\-\-label\fP[=\fI[]\fP]] |
|
46 [\fB\-\-log\-driver\fP[=\fIjson\-file\fP]] |
|
47 [\fB\-\-log\-opt\fP[=\fImap[]\fP]] |
|
48 [\fB\-\-mtu\fP[=\fI0\fP]] |
|
49 [\fB\-p\fP|\fB\-\-pidfile\fP[=\fI/var/run/docker.pid\fP]] |
|
50 [\fB\-\-registry\-mirror\fP[=\fI[]\fP]] |
|
51 [\fB\-s\fP|\fB\-\-storage\-driver\fP[=\fISTORAGE\-DRIVER\fP]] |
|
52 [\fB\-\-selinux\-enabled\fP] |
|
53 [\fB\-\-storage\-opt\fP[=\fI[]\fP]] |
|
54 [\fB\-\-tls\fP] |
|
55 [\fB\-\-tlscacert\fP[=\fI\~/.docker/ca.pem\fP]] |
|
56 [\fB\-\-tlscert\fP[=\fI\~/.docker/cert.pem\fP]] |
|
57 [\fB\-\-tlskey\fP[=\fI\~/.docker/key.pem\fP]] |
|
58 [\fB\-\-tlsverify\fP] |
|
59 [\fB\-\-userland\-proxy\fP[=\fItrue\fP]] |
|
60 [\fB\-\-userns\-remap\fP[=\fIdefault\fP]] |
|
61 |
|
62 |
|
63 .SH DESCRIPTION |
|
64 .PP |
|
65 \fBdocker\fP has two distinct functions. It is used for starting the Docker |
|
66 daemon and to run the CLI (i.e., to command the daemon to manage images, |
|
67 containers etc.) So \fBdocker\fP is both a server, as a daemon, and a client |
|
68 to the daemon, through the CLI. |
|
69 |
|
70 .PP |
|
71 To run the Docker daemon you can specify \fBdocker daemon\fP. |
|
72 You can check the daemon options using \fBdocker daemon \-\-help\fP. |
|
73 Daemon options should be specified after the \fBdaemon\fP keyword in the following |
|
74 format. |
|
75 |
|
76 .PP |
|
77 \fBdocker daemon [OPTIONS]\fP |
|
78 |
|
79 |
|
80 .SH OPTIONS |
|
81 .PP |
|
82 \fB\-\-api\-cors\-header\fP="" |
|
83 Set CORS headers in the remote API. Default is cors disabled. Give urls like " |
|
84 \[la]http://foo\[ra], |
|
85 \[la]http://bar\[ra], ...". Give "*" to allow all. |
|
86 |
|
87 .PP |
|
88 \fB\-\-authorization\-plugin\fP="" |
|
89 Set authorization plugins to load |
|
90 |
|
91 .PP |
|
92 \fB\-b\fP, \fB\-\-bridge\fP="" |
|
93 Attach containers to a pre\-existing network bridge; use 'none' to disable container networking |
|
94 |
|
95 .PP |
|
96 \fB\-\-bip\fP="" |
|
97 Use the provided CIDR notation address for the dynamically created bridge (docker0); Mutually exclusive of \-b |
|
98 |
|
99 .PP |
|
100 \fB\-\-cgroup\-parent\fP="" |
|
101 Set parent cgroup for all containers. Default is "/docker" for fs cgroup driver and "system.slice" for systemd cgroup driver. |
|
102 |
|
103 .PP |
|
104 \fB\-\-cluster\-store\fP="" |
|
105 URL of the distributed storage backend |
|
106 |
|
107 .PP |
|
108 \fB\-\-cluster\-advertise\fP="" |
|
109 Specifies the 'host:port' or \fB\fCinterface:port\fR combination that this particular |
|
110 daemon instance should use when advertising itself to the cluster. The daemon |
|
111 is reached through this value. |
|
112 |
|
113 .PP |
|
114 \fB\-\-cluster\-store\-opt\fP="" |
|
115 Specifies options for the Key/Value store. |
|
116 |
|
117 .PP |
|
118 \fB\-\-config\-file\fP="/etc/docker/daemon.json" |
|
119 Specifies the JSON file path to load the configuration from. |
|
120 |
|
121 .PP |
|
122 \fB\-D\fP, \fB\-\-debug\fP=\fItrue\fP|\fIfalse\fP |
|
123 Enable debug mode. Default is false. |
|
124 |
|
125 .PP |
|
126 \fB\-\-default\-gateway\fP="" |
|
127 IPv4 address of the container default gateway; this address must be part of the bridge subnet (which is defined by \-b or \-\-bip) |
|
128 |
|
129 .PP |
|
130 \fB\-\-default\-gateway\-v6\fP="" |
|
131 IPv6 address of the container default gateway |
|
132 |
|
133 .PP |
|
134 \fB\-\-default\-ulimit\fP=[] |
|
135 Set default ulimits for containers. |
|
136 |
|
137 .PP |
|
138 \fB\-\-disable\-legacy\-registry\fP=\fItrue\fP|\fIfalse\fP |
|
139 Do not contact legacy registries |
|
140 |
|
141 .PP |
|
142 \fB\-\-dns\fP="" |
|
143 Force Docker to use specific DNS servers |
|
144 |
|
145 .PP |
|
146 \fB\-\-dns\-opt\fP="" |
|
147 DNS options to use. |
|
148 |
|
149 .PP |
|
150 \fB\-\-dns\-search\fP=[] |
|
151 DNS search domains to use. |
|
152 |
|
153 .PP |
|
154 \fB\-\-exec\-opt\fP=[] |
|
155 Set exec driver options. See EXEC DRIVER OPTIONS. |
|
156 |
|
157 .PP |
|
158 \fB\-\-exec\-root\fP="" |
|
159 Path to use as the root of the Docker exec driver. Default is \fB\fC/var/run/docker\fR. |
|
160 |
|
161 .PP |
|
162 \fB\-\-fixed\-cidr\fP="" |
|
163 IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in the bridge subnet (which is defined by \-b or \-\-bip) |
|
164 |
|
165 .PP |
|
166 \fB\-\-fixed\-cidr\-v6\fP="" |
|
167 IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64) |
|
168 |
|
169 .PP |
|
170 \fB\-G\fP, \fB\-\-group\fP="" |
|
171 Group to assign the unix socket specified by \-H when running in daemon mode. |
|
172 use '' (the empty string) to disable setting of a group. Default is \fB\fCdocker\fR. |
|
173 |
|
174 .PP |
|
175 \fB\-g\fP, \fB\-\-graph\fP="" |
|
176 Path to use as the root of the Docker runtime. Default is \fB\fC/var/lib/docker\fR. |
|
177 |
|
178 .PP |
|
179 \fB\-H\fP, \fB\-\-host\fP=[\fIunix:///var/run/docker.sock\fP]: tcp://[host:port] to bind or |
|
180 unix://[/path/to/socket] to use. |
|
181 The socket(s) to bind to in daemon mode specified using one or more |
|
182 tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd. |
|
183 |
|
184 .PP |
|
185 \fB\-\-help\fP |
|
186 Print usage statement |
|
187 |
|
188 .PP |
|
189 \fB\-\-icc\fP=\fItrue\fP|\fIfalse\fP |
|
190 Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using the \fB\-\-link\fP option (see \fBdocker\-run(1)\fP). Default is true. |
|
191 |
|
192 .PP |
|
193 \fB\-\-insecure\-registry\fP=[] |
|
194 Enable insecure registry communication, i.e., enable un\-encrypted and/or untrusted communication. |
|
195 |
|
196 .PP |
|
197 List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs. |
|
198 |
|
199 .PP |
|
200 Enabling \fB\fC\-\-insecure\-registry\fR is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using \fB\fC\-\-insecure\-registry\fR. |
|
201 |
|
202 .PP |
|
203 \fB\-\-ip\fP="" |
|
204 Default IP address to use when binding container ports. Default is \fB\fC0.0.0.0\fR. |
|
205 |
|
206 .PP |
|
207 \fB\-\-ip\-forward\fP=\fItrue\fP|\fIfalse\fP |
|
208 Enables IP forwarding on the Docker host. The default is \fB\fCtrue\fR. This flag interacts with the IP forwarding setting on your host system's kernel. If your system has IP forwarding disabled, this setting enables it. If your system has IP forwarding enabled, setting this flag to \fB\fC\-\-ip\-forward=false\fR has no effect. |
|
209 |
|
210 .PP |
|
211 This setting will also enable IPv6 forwarding if you have both \fB\fC\-\-ip\-forward=true\fR and \fB\fC\-\-fixed\-cidr\-v6\fR set. Note that this may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, please consult the documentation about "Advanced Networking \- IPv6". |
|
212 |
|
213 .PP |
|
214 \fB\-\-ip\-masq\fP=\fItrue\fP|\fIfalse\fP |
|
215 Enable IP masquerading for bridge's IP range. Default is true. |
|
216 |
|
217 .PP |
|
218 \fB\-\-iptables\fP=\fItrue\fP|\fIfalse\fP |
|
219 Enable Docker's addition of iptables rules. Default is true. |
|
220 |
|
221 .PP |
|
222 \fB\-\-ipv6\fP=\fItrue\fP|\fIfalse\fP |
|
223 Enable IPv6 support. Default is false. Docker will create an IPv6\-enabled bridge with address fe80::1 which will allow you to create IPv6\-enabled containers. Use together with \fB\fC\-\-fixed\-cidr\-v6\fR to provide globally routable IPv6 addresses. IPv6 forwarding will be enabled if not used with \fB\fC\-\-ip\-forward=false\fR. This may collide with your host's current IPv6 settings. For more information please consult the documentation about "Advanced Networking \- IPv6". |
|
224 |
|
225 .PP |
|
226 \fB\-l\fP, \fB\-\-log\-level\fP="\fIdebug\fP|\fIinfo\fP|\fIwarn\fP|\fIerror\fP|\fIfatal\fP" |
|
227 Set the logging level. Default is \fB\fCinfo\fR. |
|
228 |
|
229 .PP |
|
230 \fB\-\-label\fP="[]" |
|
231 Set key=value labels to the daemon (displayed in \fB\fCdocker info\fR) |
|
232 |
|
233 .PP |
|
234 \fB\-\-log\-driver\fP="\fIjson\-file\fP|\fIsyslog\fP|\fIjournald\fP|\fIgelf\fP|\fIfluentd\fP|\fIawslogs\fP|\fInone\fP" |
|
235 Default driver for container logs. Default is \fB\fCjson\-file\fR. |
|
236 \fBWarning\fP: \fB\fCdocker logs\fR command works only for \fB\fCjson\-file\fR logging driver. |
|
237 |
|
238 .PP |
|
239 \fB\-\-log\-opt\fP=[] |
|
240 Logging driver specific options. |
|
241 |
|
242 .PP |
|
243 \fB\-\-mtu\fP=\fI0\fP |
|
244 Set the containers network mtu. Default is \fB\fC0\fR. |
|
245 |
|
246 .PP |
|
247 \fB\-p\fP, \fB\-\-pidfile\fP="" |
|
248 Path to use for daemon PID file. Default is \fB\fC/var/run/docker.pid\fR |
|
249 |
|
250 .PP |
|
251 \fB\-\-registry\-mirror\fP=\fI<scheme>://<host>\fP |
|
252 Prepend a registry mirror to be used for image pulls. May be specified multiple times. |
|
253 |
|
254 .PP |
|
255 \fB\-s\fP, \fB\-\-storage\-driver\fP="" |
|
256 Force the Docker runtime to use a specific storage driver. |
|
257 |
|
258 .PP |
|
259 \fB\-\-selinux\-enabled\fP=\fItrue\fP|\fIfalse\fP |
|
260 Enable selinux support. Default is false. SELinux does not presently support the overlay storage driver. |
|
261 |
|
262 .PP |
|
263 \fB\-\-storage\-opt\fP=[] |
|
264 Set storage driver options. See STORAGE DRIVER OPTIONS. |
|
265 |
|
266 .PP |
|
267 \fB\-\-tls\fP=\fItrue\fP|\fIfalse\fP |
|
268 Use TLS; implied by \-\-tlsverify. Default is false. |
|
269 |
|
270 .PP |
|
271 \fB\-\-tlscacert\fP=\fI\~/.docker/ca.pem\fP |
|
272 Trust certs signed only by this CA. |
|
273 |
|
274 .PP |
|
275 \fB\-\-tlscert\fP=\fI\~/.docker/cert.pem\fP |
|
276 Path to TLS certificate file. |
|
277 |
|
278 .PP |
|
279 \fB\-\-tlskey\fP=\fI\~/.docker/key.pem\fP |
|
280 Path to TLS key file. |
|
281 |
|
282 .PP |
|
283 \fB\-\-tlsverify\fP=\fItrue\fP|\fIfalse\fP |
|
284 Use TLS and verify the remote (daemon: verify client, client: verify daemon). |
|
285 Default is false. |
|
286 |
|
287 .PP |
|
288 \fB\-\-userland\-proxy\fP=\fItrue\fP|\fIfalse\fP |
|
289 Rely on a userland proxy implementation for inter\-container and outside\-to\-container loopback communications. Default is true. |
|
290 |
|
291 .PP |
|
292 \fB\-\-userns\-remap\fP=\fIdefault\fP|\fIuid:gid\fP|\fIuser:group\fP|\fIuser\fP|\fIuid\fP |
|
293 Enable user namespaces for containers on the daemon. Specifying "default" will cause a new user and group to be created to handle UID and GID range remapping for the user namespace mappings used for contained processes. Specifying a user (or uid) and optionally a group (or gid) will cause the daemon to lookup the user and group's subordinate ID ranges for use as the user namespace mappings for contained processes. |
|
294 |
|
295 |
|
296 .SH STORAGE DRIVER OPTIONS |
|
297 .PP |
|
298 Docker uses storage backends (known as "graphdrivers" in the Docker |
|
299 internals) to create writable containers from images. Many of these |
|
300 backends use operating system level technologies and can be |
|
301 configured. |
|
302 |
|
303 .PP |
|
304 Specify options to the storage backend with \fB\-\-storage\-opt\fP flags. The only |
|
305 backend that currently takes options is \fIdevicemapper\fP. Therefore use these |
|
306 flags with \fB\-s=\fPdevicemapper. |
|
307 |
|
308 .PP |
|
309 Specifically for devicemapper, the default is a "loopback" model which |
|
310 requires no pre\-configuration, but is extremely inefficient. Do not |
|
311 use it in production. |
|
312 |
|
313 .PP |
|
314 To make the best use of Docker with the devicemapper backend, you must |
|
315 have a recent version of LVM. Use \fB\fClvm\fR to create a thin pool; for |
|
316 more information see \fB\fCman lvmthin\fR. Then, use \fB\fC\-\-storage\-opt |
|
317 dm.thinpooldev\fR to tell the Docker engine to use that pool for |
|
318 allocating images and container snapshots. |
|
319 |
|
320 .PP |
|
321 Here is the list of \fIdevicemapper\fP options: |
|
322 |
|
323 .SS dm.thinpooldev |
|
324 .PP |
|
325 Specifies a custom block storage device to use for the thin pool. |
|
326 |
|
327 .PP |
|
328 If using a block device for device mapper storage, it is best to use |
|
329 \fB\fClvm\fR to create and manage the thin\-pool volume. This volume is then |
|
330 handed to Docker to create snapshot volumes needed for images and |
|
331 containers. |
|
332 |
|
333 .PP |
|
334 Managing the thin\-pool outside of Docker makes for the most feature\-rich method |
|
335 of having Docker utilize device mapper thin provisioning as the backing storage |
|
336 for Docker's containers. The highlights of the LVM\-based thin\-pool management |
|
337 feature include: automatic or interactive thin\-pool resize support, dynamically |
|
338 changing thin\-pool features, automatic thinp metadata checking when lvm activates |
|
339 the thin\-pool, etc. |
|
340 |
|
341 .PP |
|
342 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.thinpooldev=/dev/mapper/thin\-pool\fR |
|
343 |
|
344 .SS dm.basesize |
|
345 .PP |
|
346 Specifies the size to use when creating the base device, which limits |
|
347 the size of images and containers. The default value is 10G. Note, |
|
348 thin devices are inherently "sparse", so a 10G device which is mostly |
|
349 empty doesn't use 10 GB of space on the pool. However, the filesystem |
|
350 will use more space for base images the larger the device |
|
351 is. |
|
352 |
|
353 .PP |
|
354 The base device size can be increased at daemon restart which will allow |
|
355 all future images and containers (based on those new images) to be of the |
|
356 new base device size. |
|
357 |
|
358 .PP |
|
359 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.basesize=50G\fR |
|
360 |
|
361 .PP |
|
362 This will increase the base device size to 50G. The Docker daemon will throw an |
|
363 error if existing base device size is larger than 50G. A user can use |
|
364 this option to expand the base device size however shrinking is not permitted. |
|
365 |
|
366 .PP |
|
367 This value affects the system\-wide "base" empty filesystem that may already |
|
368 be initialized and inherited by pulled images. Typically, a change to this |
|
369 value requires additional steps to take effect: |
|
370 |
|
371 .PP |
|
372 .RS |
|
373 |
|
374 .nf |
|
375 $ sudo service docker stop |
|
376 $ sudo rm \-rf /var/lib/docker |
|
377 $ sudo service docker start |
|
378 |
|
379 .fi |
|
380 .RE |
|
381 |
|
382 .PP |
|
383 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.basesize=20G\fR |
|
384 |
|
385 .SS dm.fs |
|
386 .PP |
|
387 Specifies the filesystem type to use for the base device. The |
|
388 supported options are \fB\fCext4\fR and \fB\fCxfs\fR. The default is \fB\fCext4\fR. |
|
389 |
|
390 .PP |
|
391 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.fs=xfs\fR |
|
392 |
|
393 .SS dm.mkfsarg |
|
394 .PP |
|
395 Specifies extra mkfs arguments to be used when creating the base device. |
|
396 |
|
397 .PP |
|
398 Example use: \fB\fCdocker daemon \-\-storage\-opt "dm.mkfsarg=\-O ^has\_journal"\fR |
|
399 |
|
400 .SS dm.mountopt |
|
401 .PP |
|
402 Specifies extra mount options used when mounting the thin devices. |
|
403 |
|
404 .PP |
|
405 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.mountopt=nodiscard\fR |
|
406 |
|
407 .SS dm.use\_deferred\_removal |
|
408 .PP |
|
409 Enables use of deferred device removal if \fB\fClibdm\fR and the kernel driver |
|
410 support the mechanism. |
|
411 |
|
412 .PP |
|
413 Deferred device removal means that if device is busy when devices are |
|
414 being removed/deactivated, then a deferred removal is scheduled on |
|
415 device. And devices automatically go away when last user of the device |
|
416 exits. |
|
417 |
|
418 .PP |
|
419 For example, when a container exits, its associated thin device is removed. If |
|
420 that device has leaked into some other mount namespace and can't be removed, |
|
421 the container exit still succeeds and this option causes the system to schedule |
|
422 the device for deferred removal. It does not wait in a loop trying to remove a busy |
|
423 device. |
|
424 |
|
425 .PP |
|
426 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.use\_deferred\_removal=true\fR |
|
427 |
|
428 .SS dm.use\_deferred\_deletion |
|
429 .PP |
|
430 Enables use of deferred device deletion for thin pool devices. By default, |
|
431 thin pool device deletion is synchronous. Before a container is deleted, the |
|
432 Docker daemon removes any associated devices. If the storage driver can not |
|
433 remove a device, the container deletion fails and daemon returns. |
|
434 |
|
435 .PP |
|
436 \fB\fCError deleting container: Error response from daemon: Cannot destroy container\fR |
|
437 |
|
438 .PP |
|
439 To avoid this failure, enable both deferred device deletion and deferred |
|
440 device removal on the daemon. |
|
441 |
|
442 .PP |
|
443 \fB\fCdocker daemon \-\-storage\-opt dm.use\_deferred\_deletion=true \-\-storage\-opt dm.use\_deferred\_removal=true\fR |
|
444 |
|
445 .PP |
|
446 With these two options enabled, if a device is busy when the driver is |
|
447 deleting a container, the driver marks the device as deleted. Later, when the |
|
448 device isn't in use, the driver deletes it. |
|
449 |
|
450 .PP |
|
451 In general it should be safe to enable this option by default. It will help |
|
452 when unintentional leaking of mount point happens across multiple mount |
|
453 namespaces. |
|
454 |
|
455 .SS dm.loopdatasize |
|
456 .PP |
|
457 \fBNote\fP: This option configures devicemapper loopback, which should not be used in production. |
|
458 |
|
459 .PP |
|
460 Specifies the size to use when creating the loopback file for the |
|
461 "data" device which is used for the thin pool. The default size is |
|
462 100G. The file is sparse, so it will not initially take up |
|
463 this much space. |
|
464 |
|
465 .PP |
|
466 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.loopdatasize=200G\fR |
|
467 |
|
468 .SS dm.loopmetadatasize |
|
469 .PP |
|
470 \fBNote\fP: This option configures devicemapper loopback, which should not be used in production. |
|
471 |
|
472 .PP |
|
473 Specifies the size to use when creating the loopback file for the |
|
474 "metadata" device which is used for the thin pool. The default size |
|
475 is 2G. The file is sparse, so it will not initially take up |
|
476 this much space. |
|
477 |
|
478 .PP |
|
479 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.loopmetadatasize=4G\fR |
|
480 |
|
481 .SS dm.datadev |
|
482 .PP |
|
483 (Deprecated, use \fB\fCdm.thinpooldev\fR) |
|
484 |
|
485 .PP |
|
486 Specifies a custom blockdevice to use for data for a |
|
487 Docker\-managed thin pool. It is better to use \fB\fCdm.thinpooldev\fR \- see |
|
488 the documentation for it above for discussion of the advantages. |
|
489 |
|
490 .SS dm.metadatadev |
|
491 .PP |
|
492 (Deprecated, use \fB\fCdm.thinpooldev\fR) |
|
493 |
|
494 .PP |
|
495 Specifies a custom blockdevice to use for metadata for a |
|
496 Docker\-managed thin pool. See \fB\fCdm.datadev\fR for why this is |
|
497 deprecated. |
|
498 |
|
499 .SS dm.blocksize |
|
500 .PP |
|
501 Specifies a custom blocksize to use for the thin pool. The default |
|
502 blocksize is 64K. |
|
503 |
|
504 .PP |
|
505 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.blocksize=512K\fR |
|
506 |
|
507 .SS dm.blkdiscard |
|
508 .PP |
|
509 Enables or disables the use of \fB\fCblkdiscard\fR when removing devicemapper |
|
510 devices. This is disabled by default due to the additional latency, |
|
511 but as a special case with loopback devices it will be enabled, in |
|
512 order to re\-sparsify the loopback file on image/container removal. |
|
513 |
|
514 .PP |
|
515 Disabling this on loopback can lead to \fImuch\fP faster container removal |
|
516 times, but it also prevents the space used in \fB\fC/var/lib/docker\fR directory |
|
517 from being returned to the system for other use when containers are |
|
518 removed. |
|
519 |
|
520 .PP |
|
521 Example use: \fB\fCdocker daemon \-\-storage\-opt dm.blkdiscard=false\fR |
|
522 |
|
523 .SS dm.override\_udev\_sync\_check |
|
524 .PP |
|
525 By default, the devicemapper backend attempts to synchronize with the |
|
526 \fB\fCudev\fR device manager for the Linux kernel. This option allows |
|
527 disabling that synchronization, to continue even though the |
|
528 configuration may be buggy. |
|
529 |
|
530 .PP |
|
531 To view the \fB\fCudev\fR sync support of a Docker daemon that is using the |
|
532 \fB\fCdevicemapper\fR driver, run: |
|
533 |
|
534 .PP |
|
535 .RS |
|
536 |
|
537 .nf |
|
538 $ docker info |
|
539 [...] |
|
540 Udev Sync Supported: true |
|
541 [...] |
|
542 |
|
543 .fi |
|
544 .RE |
|
545 |
|
546 .PP |
|
547 When \fB\fCudev\fR sync support is \fB\fCtrue\fR, then \fB\fCdevicemapper\fR and \fB\fCudev\fR can |
|
548 coordinate the activation and deactivation of devices for containers. |
|
549 |
|
550 .PP |
|
551 When \fB\fCudev\fR sync support is \fB\fCfalse\fR, a race condition occurs between |
|
552 the \fB\fCdevicemapper\fR and \fB\fCudev\fR during create and cleanup. The race |
|
553 condition results in errors and failures. (For information on these |
|
554 failures, see |
|
555 |
|
556 \[la]https://github.com/docker/docker/issues/4036\[ra]) |
|
557 |
|
558 .PP |
|
559 To allow the \fB\fCdocker\fR daemon to start, regardless of whether \fB\fCudev\fR sync is |
|
560 \fB\fCfalse\fR, set \fB\fCdm.override\_udev\_sync\_check\fR to true: |
|
561 |
|
562 .PP |
|
563 .RS |
|
564 |
|
565 .nf |
|
566 $ docker daemon \-\-storage\-opt dm.override\_udev\_sync\_check=true |
|
567 |
|
568 .fi |
|
569 .RE |
|
570 |
|
571 .PP |
|
572 When this value is \fB\fCtrue\fR, the driver continues and simply warns you |
|
573 the errors are happening. |
|
574 |
|
575 .PP |
|
576 \fBNote\fP: The ideal is to pursue a \fB\fCdocker\fR daemon and environment |
|
577 that does support synchronizing with \fB\fCudev\fR. For further discussion on |
|
578 this topic, see |
|
579 |
|
580 \[la]https://github.com/docker/docker/issues/4036\[ra]. |
|
581 Otherwise, set this flag for migrating existing Docker daemons to a |
|
582 daemon with a supported environment. |
|
583 |
|
584 |
|
585 .SH CLUSTER STORE OPTIONS |
|
586 .PP |
|
587 The daemon uses libkv to advertise |
|
588 the node within the cluster. Some Key/Value backends support mutual |
|
589 TLS, and the client TLS settings used by the daemon can be configured |
|
590 using the \fB\-\-cluster\-store\-opt\fP flag, specifying the paths to PEM encoded |
|
591 files. |
|
592 |
|
593 .SS kv.cacertfile |
|
594 .PP |
|
595 Specifies the path to a local file with PEM encoded CA certificates to trust |
|
596 |
|
597 .SS kv.certfile |
|
598 .PP |
|
599 Specifies the path to a local file with a PEM encoded certificate. This |
|
600 certificate is used as the client cert for communication with the |
|
601 Key/Value store. |
|
602 |
|
603 .SS kv.keyfile |
|
604 .PP |
|
605 Specifies the path to a local file with a PEM encoded private key. This |
|
606 private key is used as the client key for communication with the |
|
607 Key/Value store. |
|
608 |
|
609 |
|
610 .SH Access authorization |
|
611 .PP |
|
612 Docker's access authorization can be extended by authorization plugins that your |
|
613 organization can purchase or build themselves. You can install one or more |
|
614 authorization plugins when you start the Docker \fB\fCdaemon\fR using the |
|
615 \fB\fC\-\-authorization\-plugin=PLUGIN\_ID\fR option. |
|
616 |
|
617 .PP |
|
618 .RS |
|
619 |
|
620 .nf |
|
621 docker daemon \-\-authorization\-plugin=plugin1 \-\-authorization\-plugin=plugin2,... |
|
622 |
|
623 .fi |
|
624 .RE |
|
625 |
|
626 .PP |
|
627 The \fB\fCPLUGIN\_ID\fR value is either the plugin's name or a path to its specification |
|
628 file. The plugin's implementation determines whether you can specify a name or |
|
629 path. Consult with your Docker administrator to get information about the |
|
630 plugins available to you. |
|
631 |
|
632 .PP |
|
633 Once a plugin is installed, requests made to the \fB\fCdaemon\fR through the command |
|
634 line or Docker's remote API are allowed or denied by the plugin. If you have |
|
635 multiple plugins installed, at least one must allow the request for it to |
|
636 complete. |
|
637 |
|
638 .PP |
|
639 For information about how to create an authorization plugin, see |
|
640 \[la]https://docs.docker.com/engine/extend/authorization.md\[ra] section in the |
|
641 Docker extend section of this documentation. |
|
642 |
|
643 |
|
644 .SH HISTORY |
|
645 .PP |
|
646 Sept 2015, Originally compiled by Shishir Mahajan |
|
647 \[la][email protected]\[ra] |
|
648 based on docker.com source material and internal work. |