Container Engine

The Docker daemon is a system process that runs in the background. Start the Docker daemon before you run a docker subcommand.


If the Docker daemon is installed using the RPM package or system package management tool, you can run the systemctl start docker command to start the Docker daemon.

The docker command supports the following parameters:

  1. To combine parameters of a single character, run the following command:

    docker run -t -i busybox /bin/sh

    The command can be written as follows:

    docker run -ti busybox /bin/sh

  2. Boolean parameters such as --icc=true are displayed in the command help. If the parameter is not used, the default value displayed in the command help is used. If the parameter is used, the opposite of the value displayed in the command help is used. For example, if --icc is not added when the Docker daemon is started, --icc=true is used by default. Otherwise, --icc=false is used.

  3. Parameters such as --attach=[] in the command help indicate that these parameters can be set multiple times. For example:

    docker run --attach=stdin --attach=stdout -i -t busybox /bin/sh

  4. Parameters such as -a and --attach=[] in the command help indicate that the parameter can be specified using either -a value or --attach=value. For example:

    docker run -a stdin --attach=stdout -i -t busybox /bin/sh
  5. Parameters such as --name="" can be configured with a character string and can be configured only once. Parameters such as -c= can be configured with an integer and can be configured only once.

Table 1 Parameters specified during the Docker daemon startup




CORS header information for enabling remote API calling. This interface supports the secondary development of upper-layer applications, which sets the CORS header for a remote API.


Authentication plug-in.

-b, --bridge=""

Existing bridge device mounting to the docker container. Note: none can be used to disable the network in the container.


Bridge IP address, which is automatically created using the CIDR address. Note: this parameter cannot be used with -b .


cgroup parent directory configured for all containers.


Configuration file for starting Docker daemon.


Socket path of containerd.

-D, --debug=false

Specifies whether to enable the debugging mode.


Default gateway of the container IPv4 address.


Default gateway of the container IPv6 address.


Default ulimit value of the container.


Disables the original registry.


DNS server that containers are forced to use.

Example: --dns 8.8.x.x


DNS option.


DNS search domain name that a container is forced to use.

Example: --dns-search


Parameter to be executed when a container is started.

For example, set the native.umask parameter.

#The umask value of the started container is 0022.
--exec-opt native.umask=normal
#The umask value of the started container is 0027 (default value).
--exec-opt native.umask=secure

Note: If native.umask is also configured in the docker create or docker run command, the configuration in the command is used.


Root directory for storing the execution status file.


Fixed IP address (for example, of the subnet. The IP address of the subnet must belong to the network bridge.


Fixed IPv6 address.

-G, --group="docker"

Group assigned to the corresponding Unix socket in the background running mode. Note: When an empty string is configured for this parameter, the group information is removed.

-g, --graph="/var/lib/docker"

The root directory for running docker.

-H, --host=[]

Socket bound in background mode. One or more sockets can be configured using tcp://host:port, unix:///path to socket, fd://* or fd://socketfd. Example:

$ dockerd -H tcp://


$ export DOCKER_HOST="tcp://"


Registry for insecure connections. By default, Docker uses TLS certificates to ensure security for all connections. If the registry does not support HTTPS connections or its certificate is issued by a certificate authority unknown to the Docker daemon, you need to configure --insecure-registry= when starting the daemon. This parameter needs to be configured if a private registry is used.


Image layer integrity check. To enable the function, set this parameter to true. Otherwise, set this parameter to false. If this parameter is not configured, the function is disabled by default.

When Docker is started, the image layer integrity is checked. If the image layer is damaged, the related images are unavailable. Docker cannot verify empty files, directories, or link files. Therefore, if the preceding files are lost due to a power failure, the integrity check of Docker image data may fail. When the Docker version changes, check whether the parameter is supported. If not supported, delete it from the configuration file.


Enables communication between containers.


Default IP address used when a container is bound to a port.


Enables net.ipv4.ip_forward for the container.


Enables IP spoofing.


Starts the iptables rules defined by the Docker container.

-l, --log-level=info

Log level.


Daemon label, in key=value format.


Default log driver of container logs.


Log driver parameters.


MTU value of the container network. If this parameter is not configured, the value of the route MTU is used by default. If the default route is not configured, set this parameter to the constant value 1500.

-p, --pidfile="/var/run/"

PID file path of the background process.


Logs with all timestamps and without the ANSI color scheme.


Image registry preferentially used by the dockerd.

-s, --storage-driver=""

Storage driver used when a container is forcibly run.


Enables SELinux. If the kernel version is 3.10.0-862.14 or later, this parameter cannot be set to true.


Storage driver parameter. This parameter is valid only when the storage driver is devicemapper. Example: dockerd --storage-opt dm.blocksize=512K


Enables the TLS authentication.


Certificate file path that has been authenticated by the CA.


File path of the TLS certificates.


File path of TLS keys.


Verifies the communication between the background processes and the client using TLS.


Whether to forcibly skip the verification of the certificate host or domain name. The default value is false.


Whether to use the decryption private key.


Whether to use the userland proxy for the container LO device.


User namespace-based user mapping table in the container.


This parameter is not supported in the current version.
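
The following added example (not part of the original page or the Docker project's code) audits a dockerd argument list for risky combinations of the Table 1 parameters: a TCP socket without client certificate verification, insecure registries, unrestricted communication between containers, and debug mode. It assumes the standard dockerd flag names --tlsverify, --insecure-registry, --icc and --debug; the sample arguments are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. POSIX sh; variables are global.
# Prints one finding per line and returns 1 if any finding was printed.
audit_dockerd_args() {
    tcp_hosts="" insecure="" tlsverify=no icc_off=no debug=no rc=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            -H|--host|--insecure-registry)   # value given as the next word
                [ $# -gt 0 ] || break
                arg="$arg=$1"; shift ;;
        esac
        case $arg in
            -H=tcp://*|--host=tcp://*)    tcp_hosts="$tcp_hosts ${arg#*=}" ;;
            --insecure-registry=*)        insecure="$insecure ${arg#*=}" ;;
            --tlsverify|--tlsverify=true) tlsverify=yes ;;
            --tlsverify=false)            tlsverify=no ;;
            --icc=false)                  icc_off=yes ;;  # only the explicit form counts
            --icc=true)                   icc_off=no ;;
            -D|--debug|-D=true|--debug=true) debug=yes ;;
        esac
    done
    if [ "$tlsverify" = no ]; then
        for h in $tcp_hosts; do
            echo "HIGH: $h accepts API calls without --tlsverify"; rc=1
        done
    fi
    for r in $insecure; do
        echo "MEDIUM: registry $r is used without certificate verification"; rc=1
    done
    if [ "$icc_off" = no ]; then
        echo "LOW: communication between containers is not disabled (--icc=false)"; rc=1
    fi
    if [ "$debug" = yes ]; then
        echo "LOW: debug mode is enabled"; rc=1
    fi
    return $rc
}

# Constructed sample argument list (address and registry name are placeholders).
audit_dockerd_args -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 \
    --insecure-registry registry.example.internal:5000 -D || true
```

Unix sockets are not flagged because access to them is controlled by file ownership and the -G group rather than by TLS.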



