man/dockerd.8.md - third_party/github.com/moby/moby - Git at Google

 % "DOCKERD" "8" "SEPTEMBER 2015" "Docker Community" "Docker User Manuals"

 # NAME
 dockerd - Enable daemon mode

 # SYNOPSIS
 **dockerd**
 [**--add-runtime**[=*[]*]]
 [**--allow-nondistributable-artifacts**[=*[]*]]
 [**--api-cors-header**=[=*API-CORS-HEADER*]]
 [**--authorization-plugin**[=*[]*]]
 [**-b**|**--bridge**[=*BRIDGE*]]
 [**--bip**[=*BIP*]]
 [**--cgroup-parent**[=*[]*]]
 [**--config-file**[=*path*]]
 [**--containerd**[=*SOCKET-PATH*]]
 [**--data-root**[=*/var/lib/docker*]]
 [**-D**|**--debug**]
 [**--default-cgroupns-mode**[=*host*]]
 [**--default-gateway**[=*DEFAULT-GATEWAY*]]
 [**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
 [**--default-address-pool**[=*DEFAULT-ADDRESS-POOL*]]
 [**--default-network-opt**[=*DRIVER=OPT=VALUE*]]
 [**--default-runtime**[=*runc*]]
 [**--default-ipc-mode**=*MODE*]
 [**--default-shm-size**[=*64MiB*]]
 [**--default-ulimit**[=*[]*]]
 [**--dns**[=*[]*]]
 [**--dns-opt**[=*[]*]]
 [**--dns-search**[=*[]*]]
 [**--exec-opt**[=*[]*]]
 [**--exec-root**[=*/var/run/docker*]]
 [**--experimental**[=**false**]]
 [**--fixed-cidr**[=*FIXED-CIDR*]]
 [**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
 [**-G**|**--group**[=*docker*]]
 [**-H**|**--host**[=*[]*]]
 [**--help**]
 [**--http-proxy**[*""*]]
 [**--https-proxy**[*""*]]
 [**--icc**[=**true**]]
 [**--init**[=**false**]]
 [**--init-path**[=*""*]]
 [**--insecure-registry**[=*[]*]]
 [**--ip**[=*0.0.0.0*]]
 [**--ip-forward**[=**true**]]
 [**--ip-masq**[=**true**]]
 [**--iptables**[=**true**]]
 [**--ipv6**]
 [**--isolation**[=*default*]]
 [**-l**|**--log-level**[=*info*]]
 [**--label**[=*[]*]]
 [**--live-restore**[=**false**]]
 [**--log-driver**[=*json-file*]]
 [**--log-format**="*text*|*json*"]
 [**--log-opt**[=*map[]*]]
 [**--mtu**[=*0*]]
 [**--max-concurrent-downloads**[=*3*]]
 [**--max-concurrent-uploads**[=*5*]]
 [**--max-download-attempts**[=*5*]]
 [**--no-proxy**[*""*]]
 [**--node-generic-resources**[=*[]*]]
 [**-p**|**--pidfile**[=*/var/run/docker.pid*]]
 [**--raw-logs**]
 [**--registry-mirror**[=*[]*]]
 [**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
 [**--seccomp-profile**[=*SECCOMP-PROFILE-PATH*]]
 [**--selinux-enabled**]
 [**--shutdown-timeout**[=*15*]]
 [**--storage-opt**[=*[]*]]
 [**--swarm-default-advertise-addr**[=*IP|INTERFACE*]]
 [**--tls**]
 [**--tlscacert**[=*~/.docker/ca.pem*]]
 [**--tlscert**[=*~/.docker/cert.pem*]]
 [**--tlskey**[=*~/.docker/key.pem*]]
 [**--tlsverify**]
 [**--userland-proxy**[=**true**]]
 [**--userland-proxy-path**[=*""*]]
 [**--userns-remap**[=*default*]]
 [**--validate**]

 # DESCRIPTION
 **dockerd** is used for starting the Docker daemon (i.e., to command the daemon
 to manage images, containers etc).  So **dockerd** is a server, as a daemon.

 To run the Docker daemon you can specify **dockerd**.
 You can check the daemon options using **dockerd --help**.
 Daemon options should be specified after the **dockerd** keyword in the
 following format.

 **dockerd [OPTIONS]**

 # OPTIONS

 **--add-runtime**=[]
   Runtimes can be registered with the daemon either via the
 configuration file or using the `--add-runtime` command line argument.

   The following is an example adding 2 runtimes via the configuration:

 ```json
 {
 	"default-runtime": "runc",
 	"runtimes": {
 		"runc": {
 			"path": "runc"
 		},
 		"custom": {
 			"path": "/usr/local/bin/my-runc-replacement",
 			"runtimeArgs": [
 				"--debug"
 			]
 		}
 	}
 }
 ```

   This is the same example via the command line:

 ```bash
 $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
 ```

   **Note**: defining runtime arguments via the command line is not supported.

 **--allow-nondistributable-artifacts**=[]
   Push nondistributable artifacts to the specified registries.

   List can contain elements with CIDR notation to specify a whole subnet.

   This option is useful when pushing images containing nondistributable
   artifacts to a registry on an air-gapped network so hosts on that network can
   pull the images without connecting to another server.

   **Warning**: Nondistributable artifacts typically have restrictions on how
   and where they can be distributed and shared. Only use this feature to push
   artifacts to private registries and ensure that you are in compliance with
   any terms that cover redistributing nondistributable artifacts.

 **--api-cors-header**=""
   Set CORS headers in the Engine API. Default is cors disabled. Give urls like
   "http://foo, http://bar, ...". Give "\*" to allow all.

 **--authorization-plugin**=""
   Set authorization plugins to load

 **-b**, **--bridge**=""
   Attach containers to a pre\-existing network bridge; use 'none' to disable
   container networking

 **--bip**=""
   Use the provided CIDR notation address for the dynamically created bridge
   (docker0); Mutually exclusive of \-b

 **--cgroup-parent**=""
   Set parent cgroup for all containers. Default is "/docker" for fs cgroup
   driver and "system.slice" for systemd cgroup driver.

 **--config-file**=*"/etc/docker/daemon.json"*
   Specifies the JSON file path to load the configuration from. Default is
   */etc/docker/daemon.json*.

 **--containerd**=""
   Path to containerd socket.

 **--data-root**=""
   Path to the directory used to store persisted Docker data such as
   configuration for resources, swarm cluster state, and filesystem data for
   images, containers, and local volumes. Default is */var/lib/docker*.

 **-D**, **--debug**=**true**|**false**
   Enable debug mode. Default is **false**.

 **--default-cgroupns-mode**="**host**|**private**"
   Set the default cgroup namespace mode for newly created containers. The argument
   can either be **host** or **private**. If unset, this defaults to **host** on cgroup v1,
   or **private** on cgroup v2.

 **--default-gateway**=""
   IPv4 address of the container default gateway; this address must be part of
   the bridge subnet (which is defined by \-b or \-\-bip)

 **--default-gateway-v6**=""
   IPv6 address of the container default gateway

 **--default-address-pool**=""
   Default address pool from which IPAM driver selects a subnet for the networks.
   Example: base=172.30.0.0/16,size=24 will set the default
   address pools for the selected scope networks to {172.30.[0-255].0/24}

 **--default-network-opt**=*DRIVER=OPT=VALUE*
   Default network driver options

 **--default-runtime**=*"runtime"*
   Set default runtime if there're more than one specified by **--add-runtime**.

 **--default-ipc-mode**="**private**|**shareable**"
   Set the default IPC mode for newly created containers. The argument
   can either be **private** or **shareable**.

 **--default-shm-size**=*size*
   Set the daemon-wide default shm *size* for containers. Default is `64MiB`.

 **--default-ulimit**=[]
   Default ulimits for containers.

 **--dns**=""
   Force Docker to use specific DNS servers.

 **--dns-opt**=""
   DNS options to use.

 **--dns-search**=[]
   DNS search domains to use.

 **--exec-opt**=[]
   Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

 **--exec-root**=""
   Path to use as the root of the Docker execution state files. Default is
   `/var/run/docker`.

 **--experimental**=""
   Enable the daemon experimental features.

 **--fixed-cidr**=""
   IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in
   the bridge subnet (which is defined by \-b or \-\-bip).

 **--fixed-cidr-v6**=""
   IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)

 **-G**, **--group**=""
   Group to assign the unix socket specified by -H when running in daemon mode.
   use '' (the empty string) to disable setting of a group. Default is `docker`.

 **-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
 unix://[/path/to/socket] to use.
   The socket(s) to bind to in daemon mode specified using one or more
   tcp://host:port, unix:///path/to/socket, fd://\* or fd://socketfd.

 **--help**
   Print usage statement

 **--http-proxy***""*
   Proxy URL for HTTP requests unless overridden by NoProxy.

 **--https-proxy***""*
   Proxy URL for HTTPS requests unless overridden by NoProxy.

 **--icc**=**true**|**false**
   Allow unrestricted inter\-container and Docker daemon host communication. If
   disabled, containers can still be linked together using the **--link** option
   (see **docker-run**(1)). Default is **true**.

 **--init**
   Run an init process inside containers for signal forwarding and process
   reaping.

 **--init-path**
   Path to the docker-init binary.

 **--insecure-registry**=[]
   Enable insecure registry communication, i.e., enable un-encrypted and/or
   untrusted communication.

   List of insecure registries can contain an element with CIDR notation to
   specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS
   with certificates from unknown CAs.

   Enabling `--insecure-registry` is useful when running a local registry.
   However, because its use creates security vulnerabilities it should ONLY be
   enabled for testing purposes.  For increased security, users should add their
   CA to their system's list of trusted CAs instead of using
   `--insecure-registry`.

 **--ip**=""
   Default IP address to use when binding container ports. Default is **0.0.0.0**.

 **--ip-forward**=**true**|**false**
   Enables IP forwarding on the Docker host. The default is **true**. This flag
   interacts with the IP forwarding setting on your host system's kernel. If
   your system has IP forwarding disabled, this setting enables it. If your
   system has IP forwarding enabled, setting this flag to **false**
   has no effect.

   This setting will also enable IPv6 forwarding if you have both
   **--ip-forward=true** and **--fixed-cidr-v6** set. Note that this may reject
   Router Advertisements and interfere with the host's existing IPv6
   configuration. For more information, consult the documentation about
   "Advanced Networking - IPv6".

 **--ip-masq**=**true**|**false**
   Enable IP masquerading for bridge's IP range. Default is **true**.

 **--iptables**=**true**|**false**
   Enable Docker's addition of iptables rules. Default is **true**.

 **--ipv6**=**true**|**false**
   Enable IPv6 support. Default is **false**. Docker will create an IPv6-enabled
   bridge with address fe80::1 which will allow you to create IPv6-enabled
   containers. Use together with **--fixed-cidr-v6** to provide globally routable
   IPv6 addresses. IPv6 forwarding will be enabled if not used with
   **--ip-forward=false**. This may collide with your host's current IPv6
   settings. For more information consult the documentation about
   "Advanced Networking - IPv6".

 **--isolation**="*default*"
    Isolation specifies the type of isolation technology used by containers.
    Note that the default on Windows server is `process`, and the default on
    Windows client is `hyperv`. Linux only supports `default`.

 **-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
   Set the logging level. Default is `info`.

 **--label**="[]"
   Set key=value labels to the daemon (displayed in `docker info`)

 **--live-restore**=**false**
   Enable live restore of running containers when the daemon starts so that they
   are not restarted. This option is applicable only for docker daemon running
   on Linux host.

 **--log-driver**="**json-file**|**syslog**|**journald**|**gelf**|**fluentd**|**awslogs**|**splunk**|**etwlogs**|**gcplogs**|**none**"
   Default driver for container logs. Default is **json-file**.
   **Warning**: **docker logs** command works only for **json-file** logging driver.

 **--log-format**="*text*|*json*"
   Set the format for logs produced by the daemon. Default is "text".

 **--log-opt**=[]
   Logging driver specific options.

 **--mtu**=*0*
   Set the containers network mtu. Default is `0`.

 **--max-concurrent-downloads**=*3*
   Set the max concurrent downloads. Default is `3`.

 **--max-concurrent-uploads**=*5*
   Set the max concurrent uploads. Default is `5`.

 **--max-download-attempts**=*5*
   Set the max download attempts for each pull. Default is `5`.

 **--no-proxy**=*""*"
   Comma-separated values specifying hosts that should be excluded from proxying.

 **--node-generic-resources**=*[]*
   Advertise user-defined resource. Default is `[]`.
   Use this if your swarm cluster has some nodes with custom
   resources (e.g: NVIDIA GPU, SSD, ...) and you need your services to land on
   nodes advertising these resources.
   Usage example: `--node-generic-resources "NVIDIA-GPU=UUID1"
   --node-generic-resources "NVIDIA-GPU=UUID2"`


 **-p**, **--pidfile**="*path*"
   Path to use for daemon PID file. Default is */var/run/docker.pid*.

 **--raw-logs**
   Output daemon logs in full timestamp format without ANSI coloring. If this
   flag is not set, the daemon outputs condensed, colorized logs if a terminal
   is detected, or full ("raw") output otherwise.

 **--registry-mirror**=*<scheme>://<host>*
   Prepend a registry mirror to be used for image pulls. May be specified
   multiple times.

 **-s**, **--storage-driver**=""
   Force the Docker runtime to use a specific storage driver.

 **--seccomp-profile**=""
   Path to seccomp profile.

 **--selinux-enabled**=**true**|**false**
   Enable selinux support. Default is **false**.

 **--shutdown-timeout**=*seconds*
   Set the shutdown timeout value in seconds. Default is **15**.

 **--storage-opt**=[]
   Set storage driver options. See STORAGE DRIVER OPTIONS.

 **--swarm-default-advertise-addr**=*IP*|*INTERFACE*
   Set default address or interface for swarm to advertise as its
   externally-reachable address to other cluster members. This can be a
   hostname, an IP address, or an interface such as `eth0`. A port cannot be
   specified with this option.

 **--tls**=**true**|**false**
   Use TLS; implied by **--tlsverify**. Default is **false**.

 **--tlscacert**=*~/.docker/ca.pem*
   Trust certs signed only by this CA.

 **--tlscert**=*~/.docker/cert.pem*
   Path to TLS certificate file.

 **--tlskey**=*~/.docker/key.pem*
   Path to TLS key file.

 **--tlsverify**=**true**|**false**
   Use TLS and verify the remote (daemon: verify client, client: verify daemon).
   Default is **false**.

 **--userland-proxy**=**true**|**false**
   Rely on a userland proxy implementation for inter-container and
   outside-to-container loopback communications. Default is **true**.

 **--userland-proxy-path**=""
   Path to the userland proxy binary.

 **--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
   Enable user namespaces for containers on the daemon. Specifying "default"
   will cause a new user and group to be created to handle UID and GID range
   remapping for the user namespace mappings used for contained processes.
   Specifying a user (or uid) and optionally a group (or gid) will cause the
   daemon to lookup the user and group's subordinate ID ranges for use as the
   user namespace mappings for contained processes.

 **--validate**
   Validate daemon configuration and exit.

 # STORAGE DRIVER OPTIONS

 Docker uses storage backends (known as "storage drivers" in the Docker
 internals) to create writable containers from images.  Many of these
 backends use operating system level technologies and can be
 configured.

 Specify options to the storage backend with **--storage-opt** flags. The
 backends that currently take options are **zfs** and **btrfs**.
 Options for **zfs** start with **zfs.**, and options for **btrfs** start
 with **btrfs.**.

 ## ZFS options

 #### zfs.fsname

 Set zfs filesystem under which docker will create its own datasets.  By default
 docker will pick up the zfs filesystem where docker graph (`/var/lib/docker`)
 is located.

 Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`

 ## Btrfs options

 #### btrfs.min\_space

 Specifies the minimum size to use when creating the subvolume which is used for
 containers. If user uses disk quota for btrfs when creating or running a
 container with **--storage-opt size** option, docker should ensure the **size**
 cannot be smaller than **btrfs.min_space**.

 Example use: `docker daemon -s btrfs --storage-opt btrfs.min_space=10G`

 # Access authorization

 Docker's access authorization can be extended by authorization plugins that
 your organization can purchase or build themselves. You can install one or more
 authorization plugins when you start the Docker `daemon` using the
 `--authorization-plugin=PLUGIN_ID` option.

 ```bash
 dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```

 The `PLUGIN_ID` value is either the plugin's name or a path to its
 specification file. The plugin's implementation determines whether you can
 specify a name or path. Consult with your Docker administrator to get
 information about the plugins available to you.

 Once a plugin is installed, requests made to the `daemon` through the
 command line or Docker's Engine API are allowed or denied by the plugin.
 If you have multiple plugins installed, each plugin, in order, must
 allow the request for it to complete.

 For information about how to create an authorization plugin, see [access authorization
 plugin](https://docs.docker.com/engine/extend/plugins_authorization/) section in the
 Docker extend section of this documentation.

 # RUNTIME EXECUTION OPTIONS

 You can configure the runtime using options specified with the `--exec-opt` flag.
 All the flag's options have the `native` prefix. A single `native.cgroupdriver`
 option is available.

 The `native.cgroupdriver` option specifies the management of the container's
 cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
 `systemd` and it is not available, the system errors out. If you omit the
 `native.cgroupdriver` option,` cgroupfs` is used on cgroup v1 hosts, `systemd`
 is used on cgroup v2 hosts with systemd available.

 This example sets the `cgroupdriver` to `systemd`:

 ```bash
 $ sudo dockerd --exec-opt native.cgroupdriver=systemd
 ```

 Setting this option applies to all containers the daemon launches.

 # HISTORY
 Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
 based on docker.com source material and internal work.
	% "DOCKERD" "8" "SEPTEMBER 2015" "Docker Community" "Docker User Manuals"

	# NAME
	dockerd - Enable daemon mode

	# SYNOPSIS
	dockerd
	[--add-runtime[=[]]]
	[--allow-nondistributable-artifacts[=[]]]
	[--api-cors-header=[=API-CORS-HEADER]]
	[--authorization-plugin[=[]]]
	[-b\|--bridge[=BRIDGE]]
	[--bip[=BIP]]
	[--cgroup-parent[=[]]]
	[--config-file[=path]]
	[--containerd[=SOCKET-PATH]]
	[--data-root[=/var/lib/docker]]
	[-D\|--debug]
	[--default-cgroupns-mode[=host]]
	[--default-gateway[=DEFAULT-GATEWAY]]
	[--default-gateway-v6[=DEFAULT-GATEWAY-V6]]
	[--default-address-pool[=DEFAULT-ADDRESS-POOL]]
	[--default-network-opt[=DRIVER=OPT=VALUE]]
	[--default-runtime[=runc]]
	[--default-ipc-mode=MODE]
	[--default-shm-size[=64MiB]]
	[--default-ulimit[=[]]]
	[--dns[=[]]]
	[--dns-opt[=[]]]
	[--dns-search[=[]]]
	[--exec-opt[=[]]]
	[--exec-root[=/var/run/docker]]
	[--experimental[=false]]
	[--fixed-cidr[=FIXED-CIDR]]
	[--fixed-cidr-v6[=FIXED-CIDR-V6]]
	[-G\|--group[=docker]]
	[-H\|--host[=[]]]
	[--help]
	[--http-proxy[""]]
	[--https-proxy[""]]
	[--icc[=true]]
	[--init[=false]]
	[--init-path[=""]]
	[--insecure-registry[=[]]]
	[--ip[=0.0.0.0]]
	[--ip-forward[=true]]
	[--ip-masq[=true]]
	[--iptables[=true]]
	[--ipv6]
	[--isolation[=default]]
	[-l\|--log-level[=info]]
	[--label[=[]]]
	[--live-restore[=false]]
	[--log-driver[=json-file]]
	[--log-format="text\|json"]
	[--log-opt[=map[]]]
	[--mtu[=0]]
	[--max-concurrent-downloads[=3]]
	[--max-concurrent-uploads[=5]]
	[--max-download-attempts[=5]]
	[--no-proxy[""]]
	[--node-generic-resources[=[]]]
	[-p\|--pidfile[=/var/run/docker.pid]]
	[--raw-logs]
	[--registry-mirror[=[]]]
	[-s\|--storage-driver[=STORAGE-DRIVER]]
	[--seccomp-profile[=SECCOMP-PROFILE-PATH]]
	[--selinux-enabled]
	[--shutdown-timeout[=15]]
	[--storage-opt[=[]]]
	[--swarm-default-advertise-addr[=IP\|INTERFACE]]
	[--tls]
	[--tlscacert[=~/.docker/ca.pem]]
	[--tlscert[=~/.docker/cert.pem]]
	[--tlskey[=~/.docker/key.pem]]
	[--tlsverify]
	[--userland-proxy[=true]]
	[--userland-proxy-path[=""]]
	[--userns-remap[=default]]
	[--validate]

	# DESCRIPTION
	dockerd is used for starting the Docker daemon (i.e., to command the daemon
	to manage images, containers etc). So dockerd is a server, as a daemon.

	To run the Docker daemon you can specify dockerd.
	You can check the daemon options using dockerd --help.
	Daemon options should be specified after the dockerd keyword in the
	following format.

	dockerd [OPTIONS]

	# OPTIONS

	--add-runtime=[]
	Runtimes can be registered with the daemon either via the
	configuration file or using the `--add-runtime` command line argument.

	The following is an example adding 2 runtimes via the configuration:

	```json
	{
	"default-runtime": "runc",
	"runtimes": {
	"runc": {
	"path": "runc"
	},
	"custom": {
	"path": "/usr/local/bin/my-runc-replacement",
	"runtimeArgs": [
	"--debug"
	]
	}
	}
	}
	```

	This is the same example via the command line:

	```bash
	$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
	```

	Note: defining runtime arguments via the command line is not supported.

	--allow-nondistributable-artifacts=[]
	Push nondistributable artifacts to the specified registries.

	List can contain elements with CIDR notation to specify a whole subnet.

	This option is useful when pushing images containing nondistributable
	artifacts to a registry on an air-gapped network so hosts on that network can
	pull the images without connecting to another server.

	Warning: Nondistributable artifacts typically have restrictions on how
	and where they can be distributed and shared. Only use this feature to push
	artifacts to private registries and ensure that you are in compliance with
	any terms that cover redistributing nondistributable artifacts.

	--api-cors-header=""
	Set CORS headers in the Engine API. Default is cors disabled. Give urls like
	"http://foo, http://bar, ...". Give "\*" to allow all.

	--authorization-plugin=""
	Set authorization plugins to load

	-b, --bridge=""
	Attach containers to a pre\-existing network bridge; use 'none' to disable
	container networking

	--bip=""
	Use the provided CIDR notation address for the dynamically created bridge
	(docker0); Mutually exclusive of \-b

	--cgroup-parent=""
	Set parent cgroup for all containers. Default is "/docker" for fs cgroup
	driver and "system.slice" for systemd cgroup driver.

	--config-file="/etc/docker/daemon.json"
	Specifies the JSON file path to load the configuration from. Default is
	/etc/docker/daemon.json.

	--containerd=""
	Path to containerd socket.

	--data-root=""
	Path to the directory used to store persisted Docker data such as
	configuration for resources, swarm cluster state, and filesystem data for
	images, containers, and local volumes. Default is /var/lib/docker.

	-D, --debug=true\|false
	Enable debug mode. Default is false.

	--default-cgroupns-mode="host\|private"
	Set the default cgroup namespace mode for newly created containers. The argument
	can either be host or private. If unset, this defaults to host on cgroup v1,
	or private on cgroup v2.

	--default-gateway=""
	IPv4 address of the container default gateway; this address must be part of
	the bridge subnet (which is defined by \-b or \-\-bip)

	--default-gateway-v6=""
	IPv6 address of the container default gateway

	--default-address-pool=""
	Default address pool from which IPAM driver selects a subnet for the networks.
	Example: base=172.30.0.0/16,size=24 will set the default
	address pools for the selected scope networks to {172.30.[0-255].0/24}

	--default-network-opt=DRIVER=OPT=VALUE
	Default network driver options

	--default-runtime="runtime"
	Set default runtime if there're more than one specified by --add-runtime.

	--default-ipc-mode="private\|shareable"
	Set the default IPC mode for newly created containers. The argument
	can either be private or shareable.

	--default-shm-size=size
	Set the daemon-wide default shm size for containers. Default is `64MiB`.

	--default-ulimit=[]
	Default ulimits for containers.

	--dns=""
	Force Docker to use specific DNS servers.

	--dns-opt=""
	DNS options to use.

	--dns-search=[]
	DNS search domains to use.

	--exec-opt=[]
	Set runtime execution options. See RUNTIME EXECUTION OPTIONS.

	--exec-root=""
	Path to use as the root of the Docker execution state files. Default is
	`/var/run/docker`.

	--experimental=""
	Enable the daemon experimental features.

	--fixed-cidr=""
	IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in
	the bridge subnet (which is defined by \-b or \-\-bip).

	--fixed-cidr-v6=""
	IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)

	-G, --group=""
	Group to assign the unix socket specified by -H when running in daemon mode.
	use '' (the empty string) to disable setting of a group. Default is `docker`.

	-H, --host=[unix:///var/run/docker.sock]: tcp://[host:port] to bind or
	unix://[/path/to/socket] to use.
	The socket(s) to bind to in daemon mode specified using one or more
	tcp://host:port, unix:///path/to/socket, fd://\* or fd://socketfd.

	--help
	Print usage statement

	--http-proxy""
	Proxy URL for HTTP requests unless overridden by NoProxy.

	--https-proxy""
	Proxy URL for HTTPS requests unless overridden by NoProxy.

	--icc=true\|false
	Allow unrestricted inter\-container and Docker daemon host communication. If
	disabled, containers can still be linked together using the --link option
	(see docker-run(1)). Default is true.

	--init
	Run an init process inside containers for signal forwarding and process
	reaping.

	--init-path
	Path to the docker-init binary.

	--insecure-registry=[]
	Enable insecure registry communication, i.e., enable un-encrypted and/or
	untrusted communication.

	List of insecure registries can contain an element with CIDR notation to
	specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS
	with certificates from unknown CAs.

	Enabling `--insecure-registry` is useful when running a local registry.
	However, because its use creates security vulnerabilities it should ONLY be
	enabled for testing purposes. For increased security, users should add their
	CA to their system's list of trusted CAs instead of using
	`--insecure-registry`.

	--ip=""
	Default IP address to use when binding container ports. Default is 0.0.0.0.

	--ip-forward=true\|false
	Enables IP forwarding on the Docker host. The default is true. This flag
	interacts with the IP forwarding setting on your host system's kernel. If
	your system has IP forwarding disabled, this setting enables it. If your
	system has IP forwarding enabled, setting this flag to false
	has no effect.

	This setting will also enable IPv6 forwarding if you have both
	--ip-forward=true and --fixed-cidr-v6 set. Note that this may reject
	Router Advertisements and interfere with the host's existing IPv6
	configuration. For more information, consult the documentation about
	"Advanced Networking - IPv6".

	--ip-masq=true\|false
	Enable IP masquerading for bridge's IP range. Default is true.

	--iptables=true\|false
	Enable Docker's addition of iptables rules. Default is true.

	--ipv6=true\|false
	Enable IPv6 support. Default is false. Docker will create an IPv6-enabled
	bridge with address fe80::1 which will allow you to create IPv6-enabled
	containers. Use together with --fixed-cidr-v6 to provide globally routable
	IPv6 addresses. IPv6 forwarding will be enabled if not used with
	--ip-forward=false. This may collide with your host's current IPv6
	settings. For more information consult the documentation about
	"Advanced Networking - IPv6".

	--isolation="default"
	Isolation specifies the type of isolation technology used by containers.
	Note that the default on Windows server is `process`, and the default on
	Windows client is `hyperv`. Linux only supports `default`.

	-l, --log-level="debug\|info\|warn\|error\|fatal"
	Set the logging level. Default is `info`.

	--label="[]"
	Set key=value labels to the daemon (displayed in `docker info`)

	--live-restore=false
	Enable live restore of running containers when the daemon starts so that they
	are not restarted. This option is applicable only for docker daemon running
	on Linux host.

	--log-driver="json-file\|syslog\|journald\|gelf\|fluentd\|awslogs\|splunk\|etwlogs\|gcplogs\|none"
	Default driver for container logs. Default is json-file.
	Warning: docker logs command works only for json-file logging driver.

	--log-format="text\|json"
	Set the format for logs produced by the daemon. Default is "text".

	--log-opt=[]
	Logging driver specific options.

	--mtu=0
	Set the containers network mtu. Default is `0`.

	--max-concurrent-downloads=3
	Set the max concurrent downloads. Default is `3`.

	--max-concurrent-uploads=5
	Set the max concurrent uploads. Default is `5`.

	--max-download-attempts=5
	Set the max download attempts for each pull. Default is `5`.

	--no-proxy="""
	Comma-separated values specifying hosts that should be excluded from proxying.

	--node-generic-resources=[]
	Advertise user-defined resource. Default is `[]`.
	Use this if your swarm cluster has some nodes with custom
	resources (e.g: NVIDIA GPU, SSD, ...) and you need your services to land on
	nodes advertising these resources.
	Usage example: `--node-generic-resources "NVIDIA-GPU=UUID1"
	--node-generic-resources "NVIDIA-GPU=UUID2"`


	-p, --pidfile="path"
	Path to use for daemon PID file. Default is /var/run/docker.pid.

	--raw-logs
	Output daemon logs in full timestamp format without ANSI coloring. If this
	flag is not set, the daemon outputs condensed, colorized logs if a terminal
	is detected, or full ("raw") output otherwise.

	--registry-mirror=<scheme>://<host>
	Prepend a registry mirror to be used for image pulls. May be specified
	multiple times.

	-s, --storage-driver=""
	Force the Docker runtime to use a specific storage driver.

	--seccomp-profile=""
	Path to seccomp profile.

	--selinux-enabled=true\|false
	Enable selinux support. Default is false.

	--shutdown-timeout=seconds
	Set the shutdown timeout value in seconds. Default is 15.

	--storage-opt=[]
	Set storage driver options. See STORAGE DRIVER OPTIONS.

	--swarm-default-advertise-addr=IP\|INTERFACE
	Set default address or interface for swarm to advertise as its
	externally-reachable address to other cluster members. This can be a
	hostname, an IP address, or an interface such as `eth0`. A port cannot be
	specified with this option.

	--tls=true\|false
	Use TLS; implied by --tlsverify. Default is false.

	--tlscacert=~/.docker/ca.pem
	Trust certs signed only by this CA.

	--tlscert=~/.docker/cert.pem
	Path to TLS certificate file.

	--tlskey=~/.docker/key.pem
	Path to TLS key file.

	--tlsverify=true\|false
	Use TLS and verify the remote (daemon: verify client, client: verify daemon).
	Default is false.

	--userland-proxy=true\|false
	Rely on a userland proxy implementation for inter-container and
	outside-to-container loopback communications. Default is true.

	--userland-proxy-path=""
	Path to the userland proxy binary.

	--userns-remap=default\|uid:gid\|user:group\|user\|uid
	Enable user namespaces for containers on the daemon. Specifying "default"
	will cause a new user and group to be created to handle UID and GID range
	remapping for the user namespace mappings used for contained processes.
	Specifying a user (or uid) and optionally a group (or gid) will cause the
	daemon to lookup the user and group's subordinate ID ranges for use as the
	user namespace mappings for contained processes.

	--validate
	Validate daemon configuration and exit.

	# STORAGE DRIVER OPTIONS

	Docker uses storage backends (known as "storage drivers" in the Docker
	internals) to create writable containers from images. Many of these
	backends use operating system level technologies and can be
	configured.

	Specify options to the storage backend with --storage-opt flags. The
	backends that currently take options are zfs and btrfs.
	Options for zfs start with zfs., and options for btrfs start
	with btrfs..

	## ZFS options

	#### zfs.fsname

	Set zfs filesystem under which docker will create its own datasets. By default
	docker will pick up the zfs filesystem where docker graph (`/var/lib/docker`)
	is located.

	Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`

	## Btrfs options

	#### btrfs.min\_space

	Specifies the minimum size to use when creating the subvolume which is used for
	containers. If user uses disk quota for btrfs when creating or running a
	container with --storage-opt size option, docker should ensure the size
	cannot be smaller than btrfs.min_space.

	Example use: `docker daemon -s btrfs --storage-opt btrfs.min_space=10G`

	# Access authorization

	Docker's access authorization can be extended by authorization plugins that
	your organization can purchase or build themselves. You can install one or more
	authorization plugins when you start the Docker `daemon` using the
	`--authorization-plugin=PLUGIN_ID` option.

	```bash
	dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
	```

	The `PLUGIN_ID` value is either the plugin's name or a path to its
	specification file. The plugin's implementation determines whether you can
	specify a name or path. Consult with your Docker administrator to get
	information about the plugins available to you.

	Once a plugin is installed, requests made to the `daemon` through the
	command line or Docker's Engine API are allowed or denied by the plugin.
	If you have multiple plugins installed, each plugin, in order, must
	allow the request for it to complete.

	For information about how to create an authorization plugin, see [access authorization
	plugin](https://docs.docker.com/engine/extend/plugins_authorization/) section in the
	Docker extend section of this documentation.

	# RUNTIME EXECUTION OPTIONS

	You can configure the runtime using options specified with the `--exec-opt` flag.
	All the flag's options have the `native` prefix. A single `native.cgroupdriver`
	option is available.

	The `native.cgroupdriver` option specifies the management of the container's
	cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
	`systemd` and it is not available, the system errors out. If you omit the
	`native.cgroupdriver` option,` cgroupfs` is used on cgroup v1 hosts, `systemd`
	is used on cgroup v2 hosts with systemd available.

	This example sets the `cgroupdriver` to `systemd`:

	```bash
	$ sudo dockerd --exec-opt native.cgroupdriver=systemd
	```

	Setting this option applies to all containers the daemon launches.

	# HISTORY
	Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
	based on docker.com source material and internal work.