Cloud

Version: 25.09
Document Center
Cloud
Container Engine

Container Engine

Docker daemon is a system process that resides in the background. Before you run a docker subcommand, start Docker daemon.

If the Docker daemon is installed using the RPM package or system package management tool, you can run the systemctl start docker command to start the Docker daemon.

The docker command supports the following parameters:

  1. To combine parameters of a single character, run the following command:

    shell
    docker run -t -i busybox /bin/sh

    The command can be written as follows:

    shell
    docker run -ti busybox /bin/sh

  2. bool command parameters such as --icc=true, are displayed in the command help. If this parameter is not used, the default value displayed in the command help is used. If this parameter is used, the opposite value of the value displayed in the command help is used. In addition, if --icc is not added when Docker daemon is started, --icc=true is used by default. Otherwise, --icc=false is used.

  3. Parameters such as --attach=[] in the command help indicate that these parameters can be set for multiple times. For example:

    shell
    docker run --attach=stdin --attach=stdout -i -t busybox /bin/sh

  4. Parameters such as -a and --attach=[] in the command help indicate that the parameter can be specified using either -a value or --attach=value. For example:

    shell
    docker run -a stdin --attach=stdout -i -t busybox /bin/sh

  5. Parameters such as --name="" can be configured with a character string and can be configured only once. Parameters such as -c= can be configured with an integer and can be configured only once.

Table 1 Parameters specified during the Docker daemon startup

Parameter

Description

--api-cors-header

CORS header information for enabling remote API calling. This interface supports the secondary development of upper-layer applications, which sets the CORS header for a remote API.

--authorization-plugin=[]

Authentication plug-in.

-b, --bridge=""

Existing bridge device mounting to the docker container. Note: none can be used to disable the network in the container.

--bip=""

Bridge IP address, which is automatically created using the CIDR address. Note: this parameter cannot be used with -b .

--cgroup-parent

cgroup parent directory configured for all containers.

--config-file=/etc/docker/daemon.json

Configuration file for starting Docker daemon.

--containerd

Socket path of containerd.

-D, --debug=false

Specifies whether to enable the debugging mode.

--default-gateway

Default gateway of the container IPv4 address.

--default-gateway-v6

Default gateway of the container IPv6 address.

--default-ulimit=[]

Default ulimit value of the container.

--disable-legacy-registry

Disables the original registry.

--dns=[]

DNS server of the forcibly used container.

Example: --dns 8.8.x.x

--dns-opt=[]

DNS option.

--dns-search=[]

Forcibly searches DNS search domain name used by a container.

Example: --dns-search example.com

--exec-opt=[]

Parameter to be executed when a container is started.

For example, set the native.umask parameter.

#The umask value of the started container is 0022.--exec-opt native.umask=normal 
# The umask value of the started container is 0027 (default value).
--exec-opt  native.umask=secure

Note: If native.umask is also configured in docker create or docker run command, the configuration in command is used.

--exec-root=/var/run/docker

Root directory for storing the execution status file.

--fixed-cidr=""

Fixed IP address (for example, 10.20.0.0/16) of the subnet. The IP address of the subnet must belong to the network bridge.

--fixed-cidr-v6

Fixed IPv6 address.

-G, --group="docker"

Group assigned to the corresponding Unix socket in the background running mode. Note: When an empty string is configured for this parameter, the group information is removed.

-g, --graph="/var/lib/docker"

The root directory for running docker.

-H, --host=[]

Socket bound in background mode. One or more sockets can be configured using tcp://host:port, unix:///path to socket, fd://* or fd://socketfd. Example:

$ dockerd -H tcp://0.0.0.0:2375

or

$ export DOCKER_HOST="tcp://0.0.0.0:2375"

--insecure-registry=[]

Registry for insecure connections. By default, the Docker uses TLS certificates to ensure security for all connections. If the registry does not support HTTPS connections or the certificate is issued by an unknown certificate authority of the Docker daemon, you need to configure --insecure-registry=192.168.1.110:5000 when starting the daemon. This parameter needs to be configured if a private registry is used.

--image-layer-check=true

Image layer integrity check. To enable the function, set this parameter to true. Otherwise, set this parameter to false. If this parameter is not configured, the function is disabled by default.

When Docker is started, the image layer integrity is checked. If the image layer is damaged, the related images are unavailable. Docker cannot verify empty files, directories, or link files. Therefore, if the preceding files are lost due to a power failure, the integrity check of Docker image data may fail. When the Docker version changes, check whether the parameter is supported. If not supported, delete it from the configuration file.

--icc=true

Enables communication between containers.

--ip="0.0.0.0"

Default IP address used when a container is bound to a port.

--ip-forward=true

Starts the net.ipv4.ip_forward process of the container.

--ip-masq=true

Enables IP spoofing.

--iptables=true

Starts the iptables rules defined by the Docker container.

-l, --log-level=info

Log level.

--label=[]

Daemon label, in key=value format.

--log-driver=json-file

Default log driver of container logs.

--log-opt=map[]

Log drive parameters.

--mtu=0

MTU value of the container network. If this parameter is not configured, value of route MTU is used by default. If the default route is not configured, set this parameter to the constant value 1500.

-p, --pidfile="/var/run/docker.pid"

PID file path of the background process.

--raw-logs

Logs with all timestamps and without the ANSI color scheme.

--registry-mirror=[]

Image registry preferentially used by the dockerd.

-s, --storage-driver=""

Storage driver used when a container is forcibly run.

--selinux-enabled=false

Enables SELinux. If the kernel version is 3.10.0-862.14 or later, this parameter cannot be set to true.

--storage-opt=[]

Storage driver parameter. This parameter is valid only when the storage driver is devicemapper. Example: dockerd --storage-opt dm.blocksize=512K

--tls=false

Enables the TLS authentication.

--tlscacert="/root/.docker/ca.pem"

Certificate file path that has been authenticated by the CA.

--tlscert="/root/.docker/cert.pem"

File path of the TLS certificates.

--tlskey="/root/.docker/key.pem"

File path of TLS keys.

--tlsverify=false

Verifies the communication between the background processes and the client using TLS.

--insecure-skip-verify-enforce

Whether to forcibly skip the verification of the certificate host or domain name. The default value is false.

--use-decrypted-key=true

Whether to use the decryption private key.

--userland-proxy=true

Whether to use the userland proxy for the container LO device.

--userns-remap

User namespace-based user mapping table in the container.

NOTE:

This parameter is not supported in the current version.

View source on Gitee

Licensed under the MulanPSL2

Copyright © 2025 openEuler. All rights reserved.J. ICP B. No. 2020036654-1J.G.W.A.B. No. 11030102011597
品牌隐私政策法律声明关于cookies
品牌隐私政策法律声明关于cookies
Licensed underthe MulanPSL2
Copyright © 2025 openEuler. All rights reserved.
J. ICP B. No. 2020036654-1J.G.W.A.B. No. 11030102011597