diff --git a/_data/toc.yaml b/_data/toc.yaml
index cc4607c34d..3d23aee472 100644
--- a/_data/toc.yaml
+++ b/_data/toc.yaml
@@ -167,92 +167,6 @@ guides: path: /get-started/kube-deploy/ - title: "Deploy to Swarm" path: /get-started/swarm-deploy/ - - sectiontitle: Configure all objects - section: - - path: /config/labels-custom-metadata/ - title: Apply custom metadata to objects - - path: /config/pruning/ - title: Prune unused objects - - path: /config/formatting/ - title: Format command and log output - - sectiontitle: Configure the daemon - section: - - path: /config/daemon/ - title: Configure and run Docker - - path: /config/daemon/systemd/ - title: Control Docker with systemd - - path: /config/daemon/ipv6/ - title: Configure the daemon for IPv6 - - path: /network/iptables/ - title: Docker and iptables - - sectiontitle: Store data within containers - section: - - path: /storage/storagedriver/ - title: About storage drivers - - path: /storage/storagedriver/select-storage-driver/ - title: Select a storage driver - - path: /storage/storagedriver/aufs-driver/ - title: Use the AUFS storage driver - - path: /storage/storagedriver/btrfs-driver/ - title: Use the Btrfs storage driver - - path: /storage/storagedriver/device-mapper-driver/ - title: Use the Device mapper storage driver - - path: /storage/storagedriver/overlayfs-driver/ - title: Use the OverlayFS storage driver - - path: /storage/storagedriver/zfs-driver/ - title: Use the ZFS storage driver - - path: /storage/storagedriver/vfs-driver/ - title: Use the VFS storage driver - - path: /config/daemon/prometheus/ - title: Collect metrics with Prometheus - - sectiontitle: Configure containers - section: - - path: /config/containers/start-containers-automatically/ - title: Start containers automatically - - path: /config/containers/live-restore/ - title: Keep containers alive during daemon downtime - - path: /config/containers/multi-service_container/ - title: Run multiple services in a container - - path: /config/containers/runmetrics/ - title: Container runtime metrics - - path: /config/containers/resource_constraints/ - title: Runtime 
options with Memory, CPUs, and GPUs - - sectiontitle: Logging - section: - - path: /config/containers/logging/ - title: View a container's logs - - path: /config/containers/logging/configure/ - title: Configure logging drivers - - path: /config/containers/logging/dual-logging/ - title: Use docker logs with a logging driver - - path: /config/containers/logging/plugins/ - title: Use a logging driver plugin - - path: /config/containers/logging/log_tags/ - title: Customize log driver output - - sectiontitle: Logging driver details - section: - - path: /config/containers/logging/local/ - title: Local file logging driver - - path: /config/containers/logging/logentries/ - title: Logentries logging driver - - path: /config/containers/logging/json-file/ - title: JSON File logging driver - - path: /config/containers/logging/gelf/ - title: Graylog Extended Format (GELF) logging driver - - path: /config/containers/logging/syslog/ - title: Syslog logging driver - - path: /config/containers/logging/awslogs/ - title: Amazon CloudWatch logs logging driver - - path: /config/containers/logging/etwlogs/ - title: ETW logging driver - - path: /config/containers/logging/fluentd/ - title: Fluentd logging driver - - path: /config/containers/logging/gcplogs/ - title: Google Cloud logging driver - - path: /config/containers/logging/journald/ - title: Journald logging driver - - path: /config/containers/logging/splunk/ - title: Splunk logging driver - sectiontitle: Scale your app section: - path: /engine/swarm/ 
@@ -311,68 +225,6 @@ guides: title: Swarm administration guide - path: /engine/swarm/raft/ title: Raft consensus in swarm mode - - sectiontitle: Extend Docker - section: - - path: /engine/extend/ - title: Managed plugin system - - path: /engine/extend/plugins_authorization/ - title: Access authorization plugin - - path: /engine/extend/legacy_plugins/ - title: Extending Docker with plugins - - path: /engine/extend/plugins_network/ - title: Docker network driver plugins - - path: /engine/extend/plugins_volume/ - title: Volume plugins - - title: Plugin configuration - path: /engine/extend/config/ - - path: /engine/extend/plugin_api/ - title: Plugins - - sectiontitle: Configure networking - section: - - path: /network/ - title: Networking overview - - path: /config/containers/container-networking/ - title: Container networking - - path: /network/proxy/ - title: Configure Docker to use a proxy server - - path: /network/bridge/ - title: Use bridge networks - - path: /network/overlay/ - title: Use overlay networks - - path: /network/host/ - title: Use host networking - - path: /network/ipvlan/ - title: Use IPvlan networks - - path: /network/macvlan/ - title: Use Macvlan networks - - path: /network/none/ - title: Disable networking for a container - - sectiontitle: Networking tutorials - section: - - path: /network/network-tutorial-standalone/ - title: Bridge network tutorial - - path: /network/network-tutorial-host/ - title: Host networking tutorial - - path: /network/network-tutorial-overlay/ - title: Overlay networking tutorial - - path: /network/network-tutorial-macvlan/ - title: Macvlan network tutorial - - sectiontitle: Legacy networking content - section: - - path: /network/links/ - title: (Legacy) Container links - - sectiontitle: Configure storage - section: - - path: /storage/ - title: Overview - - path: /storage/volumes/ - title: Volumes - - path: /storage/bind-mounts/ - title: Bind mounts - - path: /storage/tmpfs/ - title: tmpfs mounts - - path: 
/storage/troubleshooting_volume_errors/ - title: Troubleshoot - path: /get-started/resources/ title: "Educational resources" 
@@ -1426,71 +1278,269 @@ manuals: - sectiontitle: Install section: - path: /engine/install/ - title: Installation Overview + title: Overview - path: /engine/install/centos/ - title: Install on CentOS + title: CentOS - path: /engine/install/debian/ - title: Install on Debian + title: Debian - path: /engine/install/fedora/ - title: Install on Fedora + title: Fedora - path: /engine/install/rhel/ - title: Install on RHEL + title: RHEL - path: /engine/install/sles/ - title: Install on SLES + title: SLES - path: /engine/install/ubuntu/ - title: Install on Ubuntu + title: Ubuntu - path: /engine/install/binaries/ - title: Install binaries + title: Binaries - path: /engine/install/linux-postinstall/ title: Post-installation steps - path: /engine/install/troubleshoot/ title: Troubleshoot installation + - sectiontitle: Storage + section: + - path: /storage/ + title: Overview + - path: /storage/volumes/ + title: Volumes + - path: /storage/bind-mounts/ + title: Bind mounts + - path: /storage/tmpfs/ + title: tmpfs mounts + - path: /storage/troubleshooting_volume_errors/ + title: Troubleshoot + - sectiontitle: Storage drivers + section: + - path: /storage/storagedriver/ + title: Overview + - path: /storage/storagedriver/select-storage-driver/ + title: Select a storage driver + - path: /storage/storagedriver/aufs-driver/ + title: Use the AUFS storage driver + - path: /storage/storagedriver/btrfs-driver/ + title: Use the Btrfs storage driver + - path: /storage/storagedriver/device-mapper-driver/ + title: Use the Device mapper storage driver + - path: /storage/storagedriver/overlayfs-driver/ + title: Use the OverlayFS storage driver + - path: /storage/storagedriver/zfs-driver/ + title: Use the ZFS storage driver + - path: /storage/storagedriver/vfs-driver/ + title: Use the VFS storage driver + - sectiontitle: Networking + section: + - path: /network/ + title: Overview + - path: /config/containers/container-networking/ + title: Container networking + - path: /network/proxy/ + title: 
Configure Docker to use a proxy server + - path: /network/bridge/ + title: Bridge networks + - path: /network/overlay/ + title: Overlay networks + - path: /network/host/ + title: Host networking + - path: /network/ipvlan/ + title: IPvlan networks + - path: /network/macvlan/ + title: Macvlan networks + - path: /network/none/ + title: Disable networking for a container + - sectiontitle: Networking tutorials + section: + - path: /network/network-tutorial-standalone/ + title: Bridge network tutorial + - path: /network/network-tutorial-host/ + title: Host networking tutorial + - path: /network/network-tutorial-overlay/ + title: Overlay networking tutorial + - path: /network/network-tutorial-macvlan/ + title: Macvlan network tutorial + - sectiontitle: Legacy networking content + section: + - path: /network/links/ + title: (Legacy) Container links + - sectiontitle: Working with Docker Engine + section: + - path: /config/daemon/start/ + title: Start the daemon + - path: /config/pruning/ + title: Prune unused objects + - path: /config/formatting/ + title: Format command and log output + - path: /config/containers/start-containers-automatically/ + title: Start containers automatically + - path: /config/labels-custom-metadata/ + title: Labels + - path: /engine/scan/ + title: Docker Scan + - path: /engine/sbom/ + title: Docker SBOM (Experimental) + - sectiontitle: Logging + section: + - sectiontitle: Container logs + section: + - path: /config/containers/logging/ + title: View container logs + - sectiontitle: Manage container logs + section: + - path: /config/containers/logging/configure/ + title: Configure logging drivers + - path: /config/containers/logging/dual-logging/ + title: Use a remote logging driver + - path: /config/containers/logging/plugins/ + title: Use a logging driver plugin + - path: /config/containers/logging/log_tags/ + title: Customize log driver output + - sectiontitle: Logging drivers + section: + - path: /config/containers/logging/local/ + title: Local 
file logging driver + - path: /config/containers/logging/logentries/ + title: Logentries logging driver + - path: /config/containers/logging/json-file/ + title: JSON File logging driver + - path: /config/containers/logging/gelf/ + title: Graylog Extended Format (GELF) logging driver + - path: /config/containers/logging/syslog/ + title: Syslog logging driver + - path: /config/containers/logging/awslogs/ + title: Amazon CloudWatch logs logging driver + - path: /config/containers/logging/etwlogs/ + title: ETW logging driver + - path: /config/containers/logging/fluentd/ + title: Fluentd logging driver + - path: /config/containers/logging/gcplogs/ + title: Google Cloud logging driver + - path: /config/containers/logging/journald/ + title: Journald logging driver + - path: /config/containers/logging/splunk/ + title: Splunk logging driver + - path: /config/daemon/logs/ + title: Daemon logs + - sectiontitle: Security + section: + - path: /engine/security/ + title: Overview + - path: /engine/security/rootless/ + title: Rootless mode + - path: /engine/security/non-events/ + title: Docker security non-events + - path: /engine/security/protect-access/ + title: Protect the Docker daemon socket + - path: /engine/security/certificates/ + title: Using certificates for repository client verification + - sectiontitle: Use trusted images + section: + - path: /engine/security/trust/ + title: Overview + - path: /engine/security/trust/trust_automation/ + title: Automation + - path: /engine/security/trust/trust_delegation/ + title: Delegations + - path: /engine/security/trust/deploying_notary/ + title: Deploy Notary + - path: /engine/security/trust/trust_key_mng/ + title: Manage content trust keys + - path: /engine/security/trust/trust_sandbox/ + title: Play in a content trust sandbox + - path: /engine/security/antivirus/ + title: Antivirus software + - path: /engine/security/apparmor/ + title: AppArmor security profiles + - path: /engine/security/seccomp/ + title: Seccomp security 
profiles + - path: /engine/security/userns-remap/ + title: Isolate containers with a user namespace + - sectiontitle: Advanced concepts + section: + - sectiontitle: Container runtime + section: + - path: /config/containers/resource_constraints/ + title: Configure runtime resource constraints + - path: /config/containers/runmetrics/ + title: Collect runtime metrics + - path: /config/containers/multi-service_container/ + title: Run multiple services in a container + - path: /config/daemon/prometheus/ + title: Collect metrics with Prometheus + - sectiontitle: Daemon configuration + section: + - path: /config/daemon/ + title: Configuration overview + - path: /config/daemon/systemd/ + title: Configure with systemd + - path: /config/daemon/ipv6/ + title: Use IPv6 + - path: /config/containers/live-restore/ + title: Keep containers alive during daemon downtime + - path: /config/daemon/troubleshoot/ + title: Troubleshoot + - path: /network/iptables/ + title: Docker and iptables + - path: /config/daemon/remote-access/ + title: Remote access + - path: /engine/context/working-with-contexts/ + title: Contexts + - sectiontitle: Engine plugins + section: + - path: /engine/extend/ + title: Managed plugin system + - path: /engine/extend/plugins_authorization/ + title: Access authorization plugin + - path: /engine/extend/legacy_plugins/ + title: Extending Docker with plugins + - path: /engine/extend/plugins_network/ + title: Docker network driver plugins + - path: /engine/extend/plugins_volume/ + title: Volume plugins + - title: Plugin configuration + path: /engine/extend/config/ + - path: /engine/extend/plugin_api/ + title: Plugins - path: /engine/deprecated/ title: Deprecated features - - path: /engine/context/working-with-contexts/ - title: Docker Context - - path: /engine/scan/ - title: Docker Scan - - path: /engine/sbom/ - title: Docker SBOM (Experimental) - - path: /engine/release-notes/ - title: Release notes - - sectiontitle: Previous versions + - sectiontitle: Release notes 
section: + - path: /engine/release-notes/ + title: Engine 20.10 + - sectiontitle: Previous versions + section: - path: /engine/release-notes/19.03/ - title: Engine 19.03 release notes + title: Engine 19.03 - path: /engine/release-notes/18.09/ - title: Engine 18.09 release notes + title: Engine 18.09 - path: /engine/release-notes/18.06/ - title: Engine 18.06 release notes + title: Engine 18.06 - path: /engine/release-notes/18.05/ - title: Engine 18.05 release notes + title: Engine 18.05 - path: /engine/release-notes/18.04/ - title: Engine 18.04 release notes + title: Engine 18.04 - path: /engine/release-notes/18.03/ - title: Engine 18.03 release notes + title: Engine 18.03 - path: /engine/release-notes/18.02/ - title: Engine 18.02 release notes + title: Engine 18.02 - path: /engine/release-notes/18.01/ - title: Engine 18.01 release notes + title: Engine 18.01 - path: /engine/release-notes/17.12/ - title: Engine 17.12 release notes + title: Engine 17.12 - path: /engine/release-notes/17.11/ - title: Engine 17.11 release notes + title: Engine 17.11 - path: /engine/release-notes/17.10/ - title: Engine 17.10 release notes + title: Engine 17.10 - path: /engine/release-notes/17.09/ - title: Engine 17.09 release notes + title: Engine 17.09 - path: /engine/release-notes/17.07/ - title: Engine 17.07 release notes + title: Engine 17.07 - path: /engine/release-notes/17.06/ - title: Engine 17.06 release notes + title: Engine 17.06 - path: /engine/release-notes/17.05/ - title: Engine 17.05 release notes + title: Engine 17.05 - path: /engine/release-notes/17.04/ - title: Engine 17.04 release notes + title: Engine 17.04 - path: /engine/release-notes/17.03/ - title: Engine 17.03 release notes + title: Engine 17.03 - path: /engine/release-notes/prior-releases/ title: Engine 1.13 and earlier - sectiontitle: Docker Build 
@@ -1766,44 +1816,8 @@ manuals: title: Image Access Management -- sectiontitle: Security - section: - - path: /security/ - title: Announcements - - sectiontitle: Docker Engine security - section: - - path: /engine/security/ - title: Overview - - path: /engine/security/non-events/ - title: Docker security non-events - - path: /engine/security/protect-access/ - title: Protect the Docker daemon socket - - path: /engine/security/certificates/ - title: Using certificates for repository client verification - - sectiontitle: Use trusted images - section: - - path: /engine/security/trust/ - title: Overview - - path: /engine/security/trust/trust_automation/ - title: Automation - - path: /engine/security/trust/trust_delegation/ - title: Delegations - - path: /engine/security/trust/deploying_notary/ - title: Deploy Notary - - path: /engine/security/trust/trust_key_mng/ - title: Manage content trust keys - - path: /engine/security/trust/trust_sandbox/ - title: Play in a content trust sandbox - - path: /engine/security/antivirus/ - title: Antivirus software - - path: /engine/security/apparmor/ - title: AppArmor security profiles - - path: /engine/security/seccomp/ - title: Seccomp security profiles - - path: /engine/security/userns-remap/ - title: Isolate containers with a user namespace - - path: /engine/security/rootless/ - title: Rootless mode +- title: Security announcements + path: /security/ - sectiontitle: Atomist section: diff --git a/assets/images/engine-configure-daemon.svg b/assets/images/engine-configure-daemon.svg new file mode 100644 index 0000000000..71db377dbc --- /dev/null +++ b/assets/images/engine-configure-daemon.svg @@ -0,0 +1,38 @@ + + + + + + diff --git a/assets/images/engine-deprecated.svg b/assets/images/engine-deprecated.svg new file mode 100644 index 0000000000..5179b56850 --- /dev/null +++ b/assets/images/engine-deprecated.svg @@ -0,0 +1,38 @@ + + + + + + 
diff --git a/assets/images/engine-logging.svg b/assets/images/engine-logging.svg new file mode 100644 index 0000000000..d37d64b7bd --- /dev/null +++ b/assets/images/engine-logging.svg @@ -0,0 +1,38 @@ + + + + + + diff --git a/assets/images/engine-networking.svg b/assets/images/engine-networking.svg new file mode 100644 index 0000000000..ccf0d1c78b --- /dev/null +++ b/assets/images/engine-networking.svg @@ -0,0 +1,38 @@ + + + + + + diff --git a/assets/images/engine-pruning.svg b/assets/images/engine-pruning.svg new file mode 100644 index 0000000000..7ca89631b8 --- /dev/null +++ b/assets/images/engine-pruning.svg @@ -0,0 +1,38 @@ + + + + + + diff --git a/assets/images/engine-rootless.svg b/assets/images/engine-rootless.svg new file mode 100644 index 0000000000..f4328c2f34 --- /dev/null +++ b/assets/images/engine-rootless.svg @@ -0,0 +1,38 @@ + + + + + + diff --git a/assets/images/engine-storage.svg b/assets/images/engine-storage.svg new file mode 100644 index 0000000000..fd714d902c --- /dev/null +++ b/assets/images/engine-storage.svg @@ -0,0 +1,38 @@ + + + + + + diff --git a/config/containers/logging/index.md b/config/containers/logging/index.md index cd2922eeab..9971f191d4 100644 --- a/config/containers/logging/index.md +++ b/config/containers/logging/index.md @@ -1,7 +1,7 @@ --- description: How to write to and view a container's logs keywords: docker, logging -title: View logs for a container or service +title: View container logs redirect_from: - /engine/admin/logging/ - /engine/admin/logging/view_container_logs/ diff --git a/config/daemon/index.md b/config/daemon/index.md index 7c5671c36e..4707933d6a 100644 --- a/config/daemon/index.md +++ b/config/daemon/index.md 
@@ -2,82 +2,49 @@ description: Configuring and troubleshooting the Docker daemon keywords: docker, daemon, configuration, troubleshooting redirect_from: -- /articles/chef/ -- /articles/configuring/ -- /articles/dsc/ -- /articles/puppet/ -- /config/thirdparty/ -- /config/thirdparty/ansible/ -- /config/thirdparty/chef/ -- /config/thirdparty/dsc/ -- /config/thirdparty/puppet/ -- /engine/admin/ -- /engine/admin/ansible/ -- /engine/admin/chef/ -- /engine/admin/configuring/ -- /engine/admin/dsc/ -- /engine/admin/puppet/ -- /engine/articles/chef/ -- /engine/articles/configuring/ -- /engine/articles/dsc/ -- /engine/articles/puppet/ -- /engine/userguide/ - -title: Configure and troubleshoot the Docker daemon + - /articles/chef/ + - /articles/configuring/ + - /articles/dsc/ + - /articles/puppet/ + - /config/thirdparty/ + - /config/thirdparty/ansible/ + - /config/thirdparty/chef/ + - /config/thirdparty/dsc/ + - /config/thirdparty/puppet/ + - /engine/admin/ + - /engine/admin/ansible/ + - /engine/admin/chef/ + - /engine/admin/configuring/ + - /engine/admin/dsc/ + - /engine/admin/puppet/ + - /engine/articles/chef/ + - /engine/articles/configuring/ + - /engine/articles/dsc/ + - /engine/articles/puppet/ + - /engine/userguide/ +title: Docker daemon configuration overview --- -After successfully installing and starting Docker, the `dockerd` daemon -runs with its default configuration. This topic shows how to customize -the configuration, start the daemon manually, and troubleshoot and debug the -daemon if you run into issues. - -## Start the daemon using operating system utilities - -On a typical installation the Docker daemon is started by a system utility, -not manually by a user. This makes it easier to automatically start Docker when -the machine reboots. - -The command to start Docker depends on your operating system. Check the correct -page under [Install Docker](../../engine/install/index.md). 
To configure Docker -to start automatically at system boot, see -[Configure Docker to start on boot](../../engine/install/linux-postinstall.md#configure-docker-to-start-on-boot-with-systemd). - -## Start the daemon manually - -If you don't want to use a system utility to manage the Docker daemon, or -just want to test things out, you can manually run it using the `dockerd` -command. You may need to use `sudo`, depending on your operating system +After successfully installing and starting Docker, the `dockerd` daemon runs +with its default configuration. This page shows how to customize the daemon configuration. -When you start Docker this way, it runs in the foreground and sends its logs -directly to your terminal. - -```console -$ dockerd - -INFO[0000] +job init_networkdriver() -INFO[0000] +job serveapi(unix:///var/run/docker.sock) -INFO[0000] Listening for HTTP on unix (/var/run/docker.sock) -``` - -To stop Docker when you have started it manually, issue a `Ctrl+C` in your -terminal. - ## Configure the Docker daemon There are two ways to configure the Docker daemon: -* Use a JSON configuration file. This is the preferred option, since it keeps -all configurations in a single place. -* Use flags when starting `dockerd`. +- Use a JSON configuration file. This is the preferred option, since it keeps + all configurations in a single place. +- Use flags when starting `dockerd`. -You can use both of these options together as long as you don't specify the -same option both as a flag and in the JSON file. If that happens, the Docker -daemon won't start and prints an error message. +You can use both of these options together as long as you don't specify the same +option both as a flag and in the JSON file. If that happens, the Docker daemon +won't start and prints an error message. To configure the Docker daemon using a JSON file, create a file at -`/etc/docker/daemon.json` on Linux systems, or `C:\ProgramData\docker\config\daemon.json` -on Windows. 
On MacOS go to the whale in the taskbar > Preferences > Daemon > Advanced. +`/etc/docker/daemon.json` on Linux systems, or +`C:\ProgramData\docker\config\daemon.json` on Windows. On macOS go to the whale +in the taskbar and select **Preferences** > **Daemon** > **Advanced**. Here's what the configuration file looks like: @@ -92,15 +59,15 @@ Here's what the configuration file looks like: ``` With this configuration the Docker daemon runs in debug mode, uses TLS, and -listens for traffic routed to `192.168.59.3` on port `2376`. -You can learn what configuration options are available in the +listens for traffic routed to `192.168.59.3` on port `2376`. You can learn what +configuration options are available in the [dockerd reference docs](../../engine/reference/commandline/dockerd.md#daemon-configuration-file) -You can also start the Docker daemon manually and configure it using flags. -This can be useful for troubleshooting problems. +You can also start the Docker daemon manually and configure it using flags. This +can be useful for troubleshooting problems. Here's an example of how to manually start the Docker daemon, using the same -configurations as above: +configurations as shown in the previous JSON configuration: ```console $ dockerd --debug \ @@ -111,7 +78,8 @@ $ dockerd --debug \ ``` You can learn what configuration options are available in the -[dockerd reference docs](../../engine/reference/commandline/dockerd.md), or by running: +[dockerd reference docs](../../engine/reference/commandline/dockerd.md), or by +running: ```console $ dockerd --help 
@@ -125,234 +93,32 @@ documentation. Some places to go next include: - [Configure storage drivers](../../storage/storagedriver/select-storage-driver.md) - [Container security](../../engine/security/index.md) -## Docker daemon directory +You can configure most daemon options using the `daemon.json` file. One thing +you can't configure using daemon.json mechanism is an HTTP proxy. For +instructions on using a proxy, see +[Configure Docker to use a proxy server](../../network/proxy.md). -The Docker daemon persists all data in a single directory. This tracks everything -related to Docker, including containers, images, volumes, service definition, -and secrets. +## Daemon data directory + +The Docker daemon persists all data in a single directory. This tracks +everything related to Docker, including containers, images, volumes, service +definition, and secrets. By default this directory is: -* `/var/lib/docker` on Linux. -* `C:\ProgramData\docker` on Windows. +- `/var/lib/docker` on Linux. +- `C:\ProgramData\docker` on Windows. You can configure the Docker daemon to use a different directory, using the -`data-root` configuration option. +`data-root` configuration option. For example: -Since the state of a Docker daemon is kept on this directory, make sure -you use a dedicated directory for each daemon. If two daemons share the same -directory, for example, an NFS share, you are going to experience errors that -are difficult to troubleshoot. - -## Troubleshoot the daemon - -You can enable debugging on the daemon to learn about the runtime activity of -the daemon and to aid in troubleshooting. If the daemon is completely -non-responsive, you can also -[force a full stack trace](#force-a-stack-trace-to-be-logged) of all -threads to be added to the daemon log by sending the `SIGUSR` signal to the -Docker daemon. 
- -### Troubleshoot conflicts between the `daemon.json` and startup scripts - -If you use a `daemon.json` file and also pass options to the `dockerd` -command manually or using start-up scripts, and these options conflict, -Docker fails to start with an error such as: - -```none -unable to configure the Docker daemon with file /etc/docker/daemon.json: -the following directives are specified both as a flag and in the configuration -file: hosts: (from flag: [unix:///var/run/docker.sock], from file: [tcp://127.0.0.1:2376]) +```json +{ + "data-root": "/mnt/docker-data" +} ``` -If you see an error similar to this one and you are starting the daemon manually with flags, -you may need to adjust your flags or the `daemon.json` to remove the conflict. - -> **Note**: If you see this specific error, continue to the -> [next section](#use-the-hosts-key-in-daemonjson-with-systemd) for a workaround. - -If you are starting Docker using your operating system's init scripts, you may -need to override the defaults in these scripts in ways that are specific to the -operating system. - -#### Use the hosts key in daemon.json with systemd - -One notable example of a configuration conflict that is difficult to troubleshoot -is when you want to specify a different daemon address from -the default. Docker listens on a socket by default. On Debian and Ubuntu systems using `systemd`, -this means that a host flag `-H` is always used when starting `dockerd`. If you specify a -`hosts` entry in the `daemon.json`, this causes a configuration conflict (as in the above message) -and Docker fails to start. - -To work around this problem, create a new file `/etc/systemd/system/docker.service.d/docker.conf` with -the following contents, to remove the `-H` argument that is used when starting the daemon by default. 
- -```none -[Service] -ExecStart= -ExecStart=/usr/bin/dockerd -``` - -There are other times when you might need to configure `systemd` with Docker, such as -[configuring a HTTP or HTTPS proxy](systemd.md#httphttps-proxy). - -> **Note**: If you override this option and then do not specify a `hosts` entry in the `daemon.json` -> or a `-H` flag when starting Docker manually, Docker fails to start. - -Run `sudo systemctl daemon-reload` before attempting to start Docker. If Docker starts -successfully, it is now listening on the IP address specified in the `hosts` key of the -`daemon.json` instead of a socket. - -> **Important**: Setting `hosts` in the `daemon.json` is not supported on Docker Desktop for Windows -> or Docker Desktop for Mac. -{:.important} - - - -### Out Of Memory Exceptions (OOME) - -If your containers attempt to use more memory than the system has available, -you may experience an Out Of Memory Exception (OOME) and a container, or the -Docker daemon, might be killed by the kernel OOM killer. To prevent this from -happening, ensure that your application runs on hosts with adequate memory and -see -[Understand the risks of running out of memory](../containers/resource_constraints.md#understand-the-risks-of-running-out-of-memory). - -### Read the logs - -The daemon logs may help you diagnose problems. 
The logs may be saved in one of -a few locations, depending on the operating system configuration and the logging -subsystem used: - -| Operating system | Location | -|:------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------| -| Linux | Use the command `journalctl -xu docker.service` (or read `/var/log/syslog` or `/var/log/messages`, depending on your Linux Distribution) | -| macOS (`dockerd` logs) | `~/Library/Containers/com.docker.docker/Data/log/vm/dockerd.log` | -| macOS (`containerd` logs) | `~/Library/Containers/com.docker.docker/Data/log/vm/containerd.log` | -| Windows (WSL2) (`dockerd` logs) | `AppData\Local\Docker\log\vm\dockerd.log` | -| Windows (WSL2) (`containerd` logs) | `AppData\Local\Docker\log\vm\containerd.log` | -| Windows (Windows containers) | Logs are in the Windows Event Log | - -To view the `dockerd` logs on macOS, open a terminal Window, and use the `tail` -command with the `-f` flag to "follow" the logs. 
Logs will be printed until you -terminate the command using `CTRL+c`: - -```console -$ tail -f ~/Library/Containers/com.docker.docker/Data/log/vm/dockerd.log -2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.497642089Z" level=debug msg="attach: stdout: begin" -2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.497714291Z" level=debug msg="attach: stderr: begin" -2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.499798390Z" level=debug msg="Calling POST /v1.41/containers/35fc5ec0ffe1ad492d0a4fbf51fd6286a087b89d4dd66367fa3b7aec70b46a40/wait?condition=removed" -2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.518403686Z" level=debug msg="Calling GET /v1.41/containers/35fc5ec0ffe1ad492d0a4fbf51fd6286a087b89d4dd66367fa3b7aec70b46a40/json" -2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.527074928Z" level=debug msg="Calling POST /v1.41/containers/35fc5ec0ffe1ad492d0a4fbf51fd6286a087b89d4dd66367fa3b7aec70b46a40/start" -2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.528203579Z" level=debug msg="container mounted via layerStore: &{/var/lib/docker/overlay2/6e76ffecede030507fcaa576404e141e5f87fc4d7e1760e9ce5b52acb24 -... -^C -``` - - -### Enable debugging - -There are two ways to enable debugging. The recommended approach is to set the -`debug` key to `true` in the `daemon.json` file. This method works for every -Docker platform. - -1. Edit the `daemon.json` file, which is usually located in `/etc/docker/`. - You may need to create this file, if it does not yet exist. On macOS or - Windows, do not edit the file directly. Instead, go to - **Preferences** / **Daemon** / **Advanced**. - -2. If the file is empty, add the following: - - ```json - { - "debug": true - } - ``` - - If the file already contains JSON, just add the key `"debug": true`, being - careful to add a comma to the end of the line if it is not the last line - before the closing bracket. Also verify that if the `log-level` key is set, - it is set to either `info` or `debug`. 
`info` is the default, and possible - values are `debug`, `info`, `warn`, `error`, `fatal`. - -3. Send a `HUP` signal to the daemon to cause it to reload its configuration. - On Linux hosts, use the following command. - - ```console - $ sudo kill -SIGHUP $(pidof dockerd) - ``` - - On Windows hosts, restart Docker. - -Instead of following this procedure, you can also stop the Docker daemon and -restart it manually with the debug flag `-D`. However, this may result in Docker -restarting with a different environment than the one the hosts' startup scripts -create, and this may make debugging more difficult. - -### Force a stack trace to be logged - -If the daemon is unresponsive, you can force a full stack trace to be logged -by sending a `SIGUSR1` signal to the daemon. - -- **Linux**: - - ```console - $ sudo kill -SIGUSR1 $(pidof dockerd) - ``` - -- **Windows Server**: - - Download [docker-signal](https://github.com/moby/docker-signal). - - Get the process ID of dockerd `Get-Process dockerd`. - - Run the executable with the flag `--pid=`. - -This forces a stack trace to be logged but does not stop the daemon. -Daemon logs show the stack trace or the path to a file containing the -stack trace if it was logged to a file. - -The daemon continues operating after handling the `SIGUSR1` signal and -dumping the stack traces to the log. The stack traces can be used to determine -the state of all goroutines and threads within the daemon. - -### View stack traces - -The Docker daemon log can be viewed by using one of the following methods: - -- By running `journalctl -u docker.service` on Linux systems using `systemctl` -- `/var/log/messages`, `/var/log/daemon.log`, or `/var/log/docker.log` on older - Linux systems - -> **Note** -> -> It is not possible to manually generate a stack trace on Docker Desktop for -> Mac or Docker Desktop for Windows. 
However, you can click the Docker taskbar -> icon and choose **Troubleshoot** to send information to Docker if you -> run into issues. - -Look in the Docker logs for a message like the following: - -```none -...goroutine stacks written to /var/run/docker/goroutine-stacks-2017-06-02T193336z.log -...daemon datastructure dump written to /var/run/docker/daemon-data-2017-06-02T193336z.log -``` - -The locations where Docker saves these stack traces and dumps depends on your -operating system and configuration. You can sometimes get useful diagnostic -information straight from the stack traces and dumps. Otherwise, you can provide -this information to Docker for help diagnosing the problem. - - -## Check whether Docker is running - -The operating-system independent way to check whether Docker is running is to -ask Docker, using the `docker info` command. - -You can also use operating system utilities, such as -`sudo systemctl is-active docker` or `sudo status docker` or -`sudo service docker status`, or checking the service status using Windows -utilities. - -Finally, you can check in the process list for the `dockerd` process, using -commands like `ps` or `top`. +Since the state of a Docker daemon is kept on this directory, make sure you use +a dedicated directory for each daemon. If two daemons share the same directory, +for example, an NFS share, you are going to experience errors that are difficult +to troubleshoot. diff --git a/config/daemon/logs.md b/config/daemon/logs.md new file mode 100644 index 0000000000..2a6c590e82 --- /dev/null +++ b/config/daemon/logs.md 
@@ -0,0 +1,127 @@
+---
+title: Read the daemon logs
+description: How to read the container logs for the Docker daemon.
+keywords: docker, daemon, configuration, troubleshooting, logging
+---
+
+The daemon logs may help you diagnose problems. The logs may be saved in one of
+a few locations, depending on the operating system configuration and the logging
+subsystem used:
+
+| Operating system | Location |
+| :--------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------- |
+| Linux | Use the command `journalctl -xu docker.service` (or read `/var/log/syslog` or `/var/log/messages`, depending on your Linux Distribution) |
+| macOS (`dockerd` logs) | `~/Library/Containers/com.docker.docker/Data/log/vm/dockerd.log` |
+| macOS (`containerd` logs) | `~/Library/Containers/com.docker.docker/Data/log/vm/containerd.log` |
+| Windows (WSL2) (`dockerd` logs) | `AppData\Local\Docker\log\vm\dockerd.log` |
+| Windows (WSL2) (`containerd` logs) | `AppData\Local\Docker\log\vm\containerd.log` |
+| Windows (Windows containers) | Logs are in the Windows Event Log |
+
+To view the `dockerd` logs on macOS, open a terminal Window, and use the `tail`
+command with the `-f` flag to "follow" the logs. Logs will be printed until you
+terminate the command using `CTRL+c`:
+
+```console
+$ tail -f ~/Library/Containers/com.docker.docker/Data/log/vm/dockerd.log
+2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.497642089Z" level=debug msg="attach: stdout: begin"
+2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.497714291Z" level=debug msg="attach: stderr: begin"
+2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.499798390Z" level=debug msg="Calling POST /v1.41/containers/35fc5ec0ffe1ad492d0a4fbf51fd6286a087b89d4dd66367fa3b7aec70b46a40/wait?condition=removed"
+2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.518403686Z" level=debug msg="Calling GET /v1.41/containers/35fc5ec0ffe1ad492d0a4fbf51fd6286a087b89d4dd66367fa3b7aec70b46a40/json"
+2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.527074928Z" level=debug msg="Calling POST /v1.41/containers/35fc5ec0ffe1ad492d0a4fbf51fd6286a087b89d4dd66367fa3b7aec70b46a40/start"
+2021-07-28T10:21:21Z dockerd time="2021-07-28T10:21:21.528203579Z" level=debug msg="container mounted via layerStore: &{/var/lib/docker/overlay2/6e76ffecede030507fcaa576404e141e5f87fc4d7e1760e9ce5b52acb24
+...
+^C
+```
+
+## Enable debugging
+
+There are two ways to enable debugging. The recommended approach is to set the
+`debug` key to `true` in the `daemon.json` file. This method works for every
+Docker platform.
+
+1. Edit the `daemon.json` file, which is usually located in `/etc/docker/`. You
+ may need to create this file, if it does not yet exist. On macOS or Windows,
+ do not edit the file directly. Instead, go to **Preferences** / **Daemon** /
+ **Advanced**.
+
+2. If the file is empty, add the following:
+
+ ```json
+ {
+ "debug": true
+ }
+ ```
+
+ If the file already contains JSON, just add the key `"debug": true`, being
+ careful to add a comma to the end of the line if it is not the last line
+ before the closing bracket. Also verify that if the `log-level` key is set,
+ it is set to either `info` or `debug`. `info` is the default, and possible
+ values are `debug`, `info`, `warn`, `error`, `fatal`.
+
+3. Send a `HUP` signal to the daemon to cause it to reload its configuration.
+ On Linux hosts, use the following command.
+
+ ```console
+ $ sudo kill -SIGHUP $(pidof dockerd)
+ ```
+
+ On Windows hosts, restart Docker.
+
+Instead of following this procedure, you can also stop the Docker daemon and
+restart it manually with the debug flag `-D`. However, this may result in Docker
+restarting with a different environment than the one the hosts' startup scripts
+create, and this may make debugging more difficult.
+
+## Force a stack trace to be logged
+
+If the daemon is unresponsive, you can force a full stack trace to be logged by
+sending a `SIGUSR1` signal to the daemon.
+
+- **Linux**:
+
+ ```console
+ $ sudo kill -SIGUSR1 $(pidof dockerd)
+ ```
+
+- **Windows Server**:
+
+ Download [docker-signal](https://github.com/moby/docker-signal).
+
+ Get the process ID of dockerd `Get-Process dockerd`.
+
+ Run the executable with the flag `--pid=`.
+
+This forces a stack trace to be logged but does not stop the daemon. Daemon logs
+show the stack trace or the path to a file containing the stack trace if it was
+logged to a file.
+
+The daemon continues operating after handling the `SIGUSR1` signal and dumping
+the stack traces to the log. The stack traces can be used to determine the state
+of all goroutines and threads within the daemon.
+
+## View stack traces
+
+The Docker daemon log can be viewed by using one of the following methods:
+
+- By running `journalctl -u docker.service` on Linux systems using `systemctl`
+- `/var/log/messages`, `/var/log/daemon.log`, or `/var/log/docker.log` on older
+ Linux systems
+
+> **Note**
+>
+> It is not possible to manually generate a stack trace on Docker Desktop for
+> Mac or Docker Desktop for Windows. However, you can click the Docker taskbar
+> icon and choose **Troubleshoot** to send information to Docker if you run into
+> issues.
+
+Look in the Docker logs for a message like the following:
+
+```none
+...goroutine stacks written to /var/run/docker/goroutine-stacks-2017-06-02T193336z.log
+...daemon datastructure dump written to /var/run/docker/daemon-data-2017-06-02T193336z.log
+```
+
+The locations where Docker saves these stack traces and dumps depends on your
+operating system and configuration. You can sometimes get useful diagnostic
+information straight from the stack traces and dumps. Otherwise, you can provide
+this information to Docker for help diagnosing the problem.
diff --git a/config/daemon/remote-access.md b/config/daemon/remote-access.md
new file mode 100644
index 0000000000..f0f3f1a1b4
--- /dev/null
+++ b/config/daemon/remote-access.md
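Review bot: In config/daemon/logs.md the front-matter `description` reads "How to read the container logs for the Docker daemon", but the page covers the daemon's own logs rather than container logs; `description: How to read the logs of the Docker daemon.` would match the title. The closing paragraph also invites readers to provide stack traces and dumps to Docker right after the page has them enable debug logging, and the sample debug output already shows container IDs and `/var/lib/docker` paths. I would add one sentence there asking readers to review those files for host details before sharing them, and to set `"debug"` back to `false` once the problem is diagnosed.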
@@ -0,0 +1,91 @@
+---
+description: >
+ Configuring remote access allows Docker to accept requests from remote hosts
+ by configuring it to listen on an IP address and port as well as the Unix
+ socket
+keywords: configuration, daemon, remote access, engine
+title: Configure remote access for Docker daemon
+---
+
+By default, the Docker daemon listens for connections on a Unix socket to accept
+requests from local clients. It's possible to allow Docker to accept requests
+from remote hosts by configuring it to listen on an IP address and port as well
+as the Unix socket. For more detailed information on this configuration option,
+refer to the
+[dockerd CLI reference](/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket).
+
+
+> Secure your connection
+>
+> Before configuring Docker to accept connections from remote hosts it's
+> critically important that you understand the security implications of opening
+> Docker to the network. If steps aren't taken to secure the connection, it's
+> possible for remote non-root users to gain root access on the host. For more
+> information on how to use TLS certificates to secure this connection, check
+> [Protect the Docker daemon socket](../../engine/security/protect-access.md).
+{: .warning}
+
+You can configure Docker to accept remote connections. This can be done using
+the `docker.service` systemd unit file for Linux distributions using systemd. Or
+you can use the `daemon.json` file, if your distribution doesn't use systemd.
+
+> systemd vs `daemon.json`
+>
+> Configuring Docker to listen for connections using both the systemd unit file
+> and the `daemon.json` file causes a conflict that prevents Docker from
+> starting.
+
+### Configuring remote access with systemd unit file
+
+1. Use the command `sudo systemctl edit docker.service` to open an override file
+ for `docker.service` in a text editor.
+
+2. Add or modify the following lines, substituting your own values.
+
+ ```systemd
+ [Service]
+ ExecStart=
+ ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
+ ```
+
+3. Save the file.
+
+4. Reload the `systemctl` configuration.
+
+ ```console
+ $ sudo systemctl daemon-reload
+ ```
+
+5. Restart Docker.
+
+ ```console
+ $ sudo systemctl restart docker.service
+ ```
+
+6. Verify that the change has gone through.
+
+ ```console
+ $ sudo netstat -lntp | grep dockerd
+ tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 3758/dockerd
+ ```
+
+### Configuring remote access with `daemon.json`
+
+1. Set the `hosts` array in the `/etc/docker/daemon.json` to connect to the Unix
+ socket and an IP address, as follows:
+
+ ```json
+ {
+ "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
+ }
+ ```
+
+2. Restart Docker.
+
+3. Verify that the change has gone through.
+
+ ```console
+ $ sudo netstat -lntp | grep dockerd
+ tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 3758/dockerd
+ ```
+
diff --git a/config/daemon/start.md b/config/daemon/start.md
new file mode 100644
index 0000000000..2236f0a8cc
--- /dev/null
+++ b/config/daemon/start.md
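Review bot: In config/daemon/remote-access.md neither procedure contains a step that enables TLS, although systemd step 2 tells the reader to substitute their own values for `-H tcp://127.0.0.1:2375` and the `daemon.json` example uses the same plain `tcp://127.0.0.1:2375` listener. A reader who swaps in an address other hosts can reach gets an unauthenticated, unencrypted API endpoint, which is the root-access risk the warning callout describes. The callout links to the TLS guide, but it is separated from the snippets people copy. I would add under each example: `The example binds to the loopback interface only. Before using an address that other hosts can reach, enable TLS as described in [Protect the Docker daemon socket](../../engine/security/protect-access.md).` The verification steps could also say to confirm that the address shown by `netstat` is the one you intended.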
@@ -0,0 +1,48 @@
+---
+title: Start the daemon
+description: Starting the Docker daemon manually
+keywords: docker, daemon, configuration, troubleshooting
+---
+
+This page shows how to start the daemon, either manually or using OS utilities.
+
+## Start the daemon using operating system utilities
+
+On a typical installation the Docker daemon is started by a system utility, not
+manually by a user. This makes it easier to automatically start Docker when the
+machine reboots.
+
+The command to start Docker depends on your operating system. Check the correct
+page under [Install Docker](../../engine/install/index.md).
+
+### Start with systemd
+
+On some operating systems, like Ubuntu and Debian, the Docker daemon service
+starts automatically. Use the following command to start it manually:
+
+```console
+$ sudo systemctl start docker
+```
+
+If you want Docker to start at boot, see
+[Configure Docker to start on boot](../../engine/install/linux-postinstall.md#configure-docker-to-start-on-boot-with-systemd).
+
+## Start the daemon manually
+
+If you don't want to use a system utility to manage the Docker daemon, or just
+want to test things out, you can manually run it using the `dockerd` command.
+You may need to use `sudo`, depending on your operating system configuration.
+
+When you start Docker this way, it runs in the foreground and sends its logs
+directly to your terminal.
+
+```console
+$ dockerd
+
+INFO[0000] +job init_networkdriver()
+INFO[0000] +job serveapi(unix:///var/run/docker.sock)
+INFO[0000] Listening for HTTP on unix (/var/run/docker.sock)
+```
+
+To stop Docker when you have started it manually, issue a `Ctrl+C` in your
+terminal.
diff --git a/config/daemon/systemd.md b/config/daemon/systemd.md
index 4877bff285..10f9530d11 100644
--- a/config/daemon/systemd.md
+++ b/config/daemon/systemd.md
@@ -2,77 +2,50 @@ description: Controlling and configuring Docker using systemd keywords: docker, daemon, systemd, configuration redirect_from: -- /articles/host_integration/ -- /articles/systemd/ -- /engine/admin/systemd/ -- /engine/articles/systemd/ -title: Control Docker with systemd + - /articles/host_integration/ + - /articles/systemd/ + - /engine/admin/systemd/ + - /engine/articles/systemd/ +title: Configure the daemon with systemd --- -Many Linux distributions use systemd to start the Docker daemon. This document -shows a few examples of how to customize Docker's settings. - -## Start the Docker daemon - -### Start manually - -Once Docker is installed, you need to start the Docker daemon. -Most Linux distributions use `systemctl` to start services. - -```console -$ sudo systemctl start docker -``` - -### Start automatically at system boot - -If you want Docker to start at boot, see -[Configure Docker to start on boot](../../engine/install/linux-postinstall.md#configure-docker-to-start-on-boot-with-systemd). +This page describes how to customize daemon settings when using systemd. ## Custom Docker daemon options -There are a number of ways to configure the daemon flags and environment variables -for your Docker daemon. The recommended way is to use the platform-independent -`daemon.json` file, which is located in `/etc/docker/` on Linux by default. See -[Daemon configuration file](../../engine/reference/commandline/dockerd.md#daemon-configuration-file). +Most configuration options for the Docker daemon are set using the `daemon.json` +configuration file. See [Docker daemon configuration overview](./index.md) for +more information. -You can configure nearly all daemon configuration options using `daemon.json`. The following -example configures two options. One thing you cannot configure using `daemon.json` mechanism is -a [HTTP proxy](#httphttps-proxy). 
+## Manually create the systemd unit files -### Runtime directory and storage driver +When installing the binary without a package manager, you may want to integrate +Docker with systemd. For this, install the two unit files (`service` and +`socket`) from +[the github repository](https://github.com/moby/moby/tree/master/contrib/init/systemd) +to `/etc/systemd/system`. -You may want to control the disk space used for Docker images, containers, -and volumes by moving it to a separate partition. +## HTTP/HTTPS proxy -To accomplish this, set the following flags in the `daemon.json` file: - -```json -{ - "data-root": "/mnt/docker-data", - "storage-driver": "overlay2" -} -``` - -### HTTP/HTTPS proxy - -The Docker daemon uses the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environmental variables in -its start-up environment to configure HTTP or HTTPS proxy behavior. You cannot configure -these environment variables using the `daemon.json` file. +The Docker daemon uses the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` +environmental variables in its start-up environment to configure HTTP or HTTPS +proxy behavior. You can't configure these environment variables using the +`daemon.json` file. This example overrides the default `docker.service` file. -If you are behind an HTTP or HTTPS proxy server, for example in corporate settings, -you need to add this configuration in the Docker systemd service file. +If you are behind an HTTP or HTTPS proxy server, for example in corporate +settings, you need to add this configuration in the Docker systemd service file. > **Note for rootless mode** > > The location of systemd configuration files are different when running Docker -> in [rootless mode](../../engine/security/rootless.md). When running in rootless -> mode, Docker is started as a user-mode systemd service, and uses files stored -> in each users' home directory in `~/.config/systemd/user/docker.service.d/`. 
-> In addition, `systemctl` must be executed without `sudo` and with the `--user` -> flag. Select the _"rootless mode"_ tab below if you are running Docker in rootless mode. - +> in [rootless mode](../../engine/security/rootless.md). When running in +> rootless mode, Docker is started as a user-mode systemd service, and uses +> files stored in each users' home directory in +> `~/.config/systemd/user/docker.service.d/`. In addition, `systemctl` must be +> executed without `sudo` and with the `--user` flag. Select the _"rootless +> mode"_ tab below if you are running Docker in rootless mode.