dockerd

[!NOTE|label:references:]

CLI

  • to verify daemon.json

    $ dockerd --validate --config-file=/etc/docker/daemon.json
configuration OK

# or
$ dockerd --debug --validate --config-file /etc/docker/daemon.json
configuration OK

daemon.json

[!TIP|label:references:]

registry-mirrors

[!NOTE|label:references:]

$ cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://artifactory.domain.com"]
}
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker

# equal to `docker pull artifactory.domain.com/docker-local/image:tag`
$ docker pull docker-local/image:tag

# check status
$ docker info | sed -n '/Registry Mirrors:/{p;n;p;}'
 Registry Mirrors:
  https://artifactory.domain.com/

proxy

[!NOTE|label:references:]

{
  "proxies": {
    "http-proxy": "http://proxy.example.com:3128",
    "https-proxy": "https://proxy.example.com:3129",
    "no-proxy": "*.test.example.com,.example.org,127.0.0.0/8"
  }
}

hosts for socket

[!NOTE|label:references:]

{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
}

  • or

    {
  "hosts": ["unix:///var/run/docker.sock", "fd://", "tcp://0.0.0.0:2375"]
}

storage

[!TIP]

LINUX DISTRIBUTION
RECOMMENDED STORAGE DRIVERS
ALTERNATIVE DRIVERS

Ubuntu

overlay2

zfs, vfs

Debian

overlay2

vfs

CentOS

overlay2

zfs, vfs

Fedora

overlay2

zfs, vfs

SLES 15

overlay2

vfs

RHEL

overlay2

vfs

  • to check current storage driver

    $ docker info | sed -n '/Storage Driver/{p;n;p}'
 Storage Driver: overlay2
  Backing Filesystem: extfs

  • data-root

    {
   "data-root": "/path/to/data/root/"
}

  • storage-driver

    {
  "storage-driver": "vfs",
  "storage-opts": ["size=256M"]
}

userns-remap

{
  "userns-remap": "testuser"
}

logs

[!NOTE|label:references:]

{
   "log-driver": "json-file",
   "log-opts": {
     "max-size": "1g",
     "max-file": "3"
  }
}

full sample file

{
  "allow-nondistributable-artifacts": [],
  "api-cors-header": "",
  "authorization-plugins": [],
  "bip": "",
  "bridge": "",
  "builder": {
    "gc": {
      "enabled": true,
      "defaultKeepStorage": "10GB",
      "policy": [
        { "keepStorage": "10GB", "filter": ["unused-for=2200h"] },
        { "keepStorage": "50GB", "filter": ["unused-for=3300h"] },
        { "keepStorage": "100GB", "all": true }
      ]
    }
  },
  "cgroup-parent": "",
  "containerd": "/run/containerd/containerd.sock",
  "containerd-namespace": "docker",
  "containerd-plugins-namespace": "docker-plugins",
  "data-root": "",
  "debug": true,
  "default-address-pools": [
    {
      "base": "172.30.0.0/16",
      "size": 24
    },
    {
      "base": "172.31.0.0/16",
      "size": 24
    }
  ],
  "default-cgroupns-mode": "private",
  "default-gateway": "",
  "default-gateway-v6": "",
  "default-network-opts": {},
  "default-runtime": "runc",
  "default-shm-size": "64M",
  "default-ulimits": {
    "nofile": {
      "Hard": 64000,
      "Name": "nofile",
      "Soft": 64000
    }
  },
  "dns": [],
  "dns-opts": [],
  "dns-search": [],
  "exec-opts": [],
  "exec-root": "",
  "experimental": false,
  "features": {},
  "fixed-cidr": "",
  "fixed-cidr-v6": "",
  "group": "",
  "host-gateway-ip": "",
  "hosts": [],
  "proxies": {
    "http-proxy": "http://proxy.example.com:80",
    "https-proxy": "https://proxy.example.com:443",
    "no-proxy": "*.test.example.com,.example.org"
  },
  "icc": false,
  "init": false,
  "init-path": "/usr/libexec/docker-init",
  "insecure-registries": [],
  "ip": "0.0.0.0",
  "ip-forward": false,
  "ip-masq": false,
  "iptables": false,
  "ip6tables": false,
  "ipv6": false,
  "labels": [],
  "live-restore": true,
  "log-driver": "json-file",
  "log-level": "",
  "log-opts": {
    "cache-disabled": "false",
    "cache-max-file": "5",
    "cache-max-size": "20m",
    "cache-compress": "true",
    "env": "os,customer",
    "labels": "somelabel",
    "max-file": "5",
    "max-size": "10m"
  },
  "max-concurrent-downloads": 3,
  "max-concurrent-uploads": 5,
  "max-download-attempts": 5,
  "mtu": 0,
  "no-new-privileges": false,
  "node-generic-resources": [
    "NVIDIA-GPU=UUID1",
    "NVIDIA-GPU=UUID2"
  ],
  "oom-score-adjust": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": [],
  "runtimes": {
    "cc-runtime": {
      "path": "/usr/bin/cc-runtime"
    },
    "custom": {
      "path": "/usr/local/bin/my-runc-replacement",
      "runtimeArgs": [
        "--debug"
      ]
    }
  },
  "seccomp-profile": "",
  "selinux-enabled": false,
  "shutdown-timeout": 15,
  "storage-driver": "",
  "storage-opts": [],
  "swarm-default-advertise-addr": "",
  "tls": true,
  "tlscacert": "",
  "tlscert": "",
  "tlskey": "",
  "tlsverify": true,
  "userland-proxy": false,
  "userland-proxy-path": "/usr/libexec/docker-proxy",
  "userns-remap": ""
}
{
  "allow-nondistributable-artifacts": [],
  "authorization-plugins": [],
  "bridge": "",
  "containerd": "\\\\.\\pipe\\containerd-containerd",
  "containerd-namespace": "docker",
  "containerd-plugins-namespace": "docker-plugins",
  "data-root": "",
  "debug": true,
  "default-network-opts": {},
  "default-runtime": "",
  "default-ulimits": {},
  "dns": [],
  "dns-opts": [],
  "dns-search": [],
  "exec-opts": [],
  "experimental": false,
  "features": {},
  "fixed-cidr": "",
  "group": "",
  "host-gateway-ip": "",
  "hosts": [],
  "insecure-registries": [],
  "labels": [],
  "log-driver": "",
  "log-level": "",
  "max-concurrent-downloads": 3,
  "max-concurrent-uploads": 5,
  "max-download-attempts": 5,
  "mtu": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": [],
  "shutdown-timeout": 15,
  "storage-driver": "",
  "storage-opts": [],
  "swarm-default-advertise-addr": "",
  "tlscacert": "",
  "tlscert": "",
  "tlskey": "",
  "tlsverify": true
}

enable tcp port 2375 for external connection to docker

references:

[!TIP]

  • to check service

    $ sudo systemd-analyze verify <name.service>

  • enable service if necessary

    $ sudo systemctl enable containerd.service
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /usr/lib/systemd/system/containerd.service
# prepare
$ sudo systemctl stop docker.service
$ sudo systemctl stop docker.socket

  • via daemon.json

    $ cat /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
}
# or
$ cat /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "fd://", "tcp://127.0.0.1:2375"]
}

$ sudo systemctl edit docker.service

  • via override.conf

    $ cat /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375 [--containerd=/run/containerd/containerd.sock] [--config-file /etc/docker/daemon.json]

$ sudo systemctl daemon-reload
$ sudo systemctl restart docker.service

# result
$ sudo netstat -lntp | grep dockerd
tcp6       0      0 :::2375                 :::*                    LISTEN      5649/dockerd

  • result

    $ sudo cat /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "fd://", "tcp://0.0.0.0:2375"]
}

$ sudo cat /etc/systemd/system/docker.service.d/docker.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd

$ docker -H tcp://0.0.0.0:2376 pull ubuntu:18.04
18.04: Pulling from library/ubuntu
a404e5416296: Pull complete
Digest: sha256:ca70a834041dd1bf16cc38dfcd24f0888ec4fa431e09f3344f354cf8d1724499
Status: Downloaded newer image for ubuntu:18.04

    • verify

      $ ip -4 a s en1
5: en1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet x.x.x.x/24 brd x.x.x.255 scope global noprefixroute en1
       valid_lft forever preferred_lft forever

$ nc -zv <domain.com> 2375
Connection to domain.com 2375 port [tcp/*] succeeded!

$ docker -H tcp://<domain.com>:2375 images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
ubuntu       18.04     71eaf13299f4   2 weeks ago   63.1MB

  • or modify in /lib/systemd/system/docker.service

    [!TIP]

    --- Replacing this line:
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
---                        ╰╴╴╴╴╴╴╯
---                     remove `-H fd://`

+++ With this line:
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock [--tls=false]

  • or via socat

    exec socat -d TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock
$ sudo cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service time-set.target
Wants=network-online.target containerd.service
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
#         remove if enable remote access in /etc/docker/daemon.json
#                          ╭╴╴╴╴╴╴╮
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500

[Install]
WantedBy=multi-user.target
PreviousdockerfileNexttricky

Last updated

Was this helpful?