Docker basics: the dockerd daemon

Summary

To be continued...

Listening

Startup options

Usage:	dockerd COMMAND

A self-sufficient runtime for containers.

Options:
--add-runtime runtime Register an additional OCI compatible runtime (default [])
--allow-nondistributable-artifacts list Push nondistributable artifacts to specified registries (default [])
--api-cors-header string Set CORS headers in the Engine API
--authorization-plugin list Authorization plugins to load (default [])
--bip string Specify network bridge IP
-b, --bridge string Attach containers to a network bridge
--cgroup-parent string Set parent cgroup for all containers
--cluster-advertise string Address or interface name to advertise
--cluster-store string URL of the distributed storage backend
--cluster-store-opt map Set cluster store options (default map[])
--config-file string Daemon configuration file (default "/etc/docker/daemon.json")
--containerd string Path to containerd socket
--cpu-rt-period int Limit the CPU real-time period in microseconds
--cpu-rt-runtime int Limit the CPU real-time runtime in microseconds
--data-root string Root directory of persistent Docker state (default "/var/lib/docker")
-D, --debug Enable debug mode
--default-gateway ip Container default gateway IPv4 address
--default-gateway-v6 ip Container default gateway IPv6 address
--default-address-pool Set the default address pool for local node networks
--default-runtime string Default OCI runtime for containers (default "runc")
--default-ulimit ulimit Default ulimits for containers (default [])
--dns list DNS server to use (default [])
--dns-opt list DNS options to use (default [])
--dns-search list DNS search domains to use (default [])
--exec-opt list Runtime execution options (default [])
--exec-root string Root directory for execution state files (default "/var/run/docker")
--experimental Enable experimental features
--fixed-cidr string IPv4 subnet for fixed IPs
--fixed-cidr-v6 string IPv6 subnet for fixed IPs
-G, --group string Group for the unix socket (default "docker")
--help Print usage
-H, --host list Daemon socket(s) to connect to (default [])
--icc Enable inter-container communication (default true)
--init Run an init in the container to forward signals and reap processes
--init-path string Path to the docker-init binary
--insecure-registry list Enable insecure registry communication (default [])
--ip ip Default IP when binding container ports (default 0.0.0.0)
--ip-forward Enable net.ipv4.ip_forward (default true)
--ip-masq Enable IP masquerading (default true)
--iptables Enable addition of iptables rules (default true)
--ipv6 Enable IPv6 networking
--label list Set key=value labels to the daemon (default [])
--live-restore Enable live restore of docker when containers are still running
--log-driver string Default driver for container logs (default "json-file")
-l, --log-level string Set the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
--log-opt map Default log driver options for containers (default map[])
--max-concurrent-downloads int Set the max concurrent downloads for each pull (default 3)
--max-concurrent-uploads int Set the max concurrent uploads for each push (default 5)
--metrics-addr string Set default address and port to serve the metrics api on
--mtu int Set the containers network MTU
--node-generic-resources list Advertise user-defined resource
--no-new-privileges Set no-new-privileges by default for new containers
--oom-score-adjust int Set the oom_score_adj for the daemon (default -500)
-p, --pidfile string Path to use for daemon PID file (default "/var/run/docker.pid")
--raw-logs Full timestamps without ANSI coloring
--registry-mirror list Preferred Docker registry mirror (default [])
--seccomp-profile string Path to seccomp profile
--selinux-enabled Enable selinux support
--shutdown-timeout int Set the default shutdown timeout (default 15)
-s, --storage-driver string Storage driver to use
--storage-opt list Storage driver options (default [])
--swarm-default-advertise-addr string Set default address or interface for swarm advertised address
--tls Use TLS; implied by --tlsverify
--tlscacert string Trust certs signed only by this CA (default "~/.docker/ca.pem")
--tlscert string Path to TLS certificate file (default "~/.docker/cert.pem")
--tlskey string Path to TLS key file (default ~/.docker/key.pem")
--tlsverify Use TLS and verify the remote
--userland-proxy Use userland proxy for loopback traffic (default true)
--userland-proxy-path string Path to the userland proxy binary
--userns-remap string User/Group setting for user namespaces
-v, --version Print version information and quit

Breakdown of selected options

The options in this section are the ones that do not appear in the configuration-file breakdown below; for everything else, see that section.

Options:
# Register an additional OCI-compatible runtime
--add-runtime runtime Register an additional OCI compatible runtime (default [])
# Configuration file to load
--config-file string Daemon configuration file (default "/etc/docker/daemon.json")
# Path to the containerd socket
--containerd string Path to containerd socket
# Limit the CPU real-time period
--cpu-rt-period int Limit the CPU real-time period in microseconds
# Limit the CPU real-time runtime
--cpu-rt-runtime int Limit the CPU real-time runtime in microseconds
# Print help
--help Print usage
# Experimental feature: address on which to serve the metrics API
--metrics-addr string Set default address and port to serve the metrics api on
# Print the dockerd version
-v, --version Print version information and quit

Configuration file breakdown

Note that an option already given as a dockerd command-line argument cannot also be defined in the configuration file.

If an option is set in both places, dockerd will fail to start.

{
# Authorization plugins
"authorization-plugins": [],
# Path for persistent data such as images, volumes and cluster state; default /var/lib/docker
"data-root": "",
# DNS server addresses
"dns": [],
# DNS options
"dns-opts": [],
# DNS search domains
"dns-search": [],
# Runtime execution options, and the path for execution state files; default /var/run/docker
"exec-opts": [],
"exec-root": "",
# Whether to enable experimental features; leaving this off is recommended, default false
"experimental": false,
# Enable or disable individual features, e.g. {"features":{"buildkit": true}} for the builder
"features": {},
# Storage driver type and options
"storage-driver": "",
"storage-opts": [],
# Labels for the daemon
"labels": [],
# Keep containers running while the daemon is down
"live-restore": true,
# Default logging configuration for containers
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-files": "5",
"labels": "somelabel",
"env": "os,customer"
},
# Default MTU for container networks
"mtu": 0,
# Path of the PID file
"pidfile": "",
# Used with etcd?
# URL of the distributed storage backend
"cluster-store": "",
# Options for the distributed storage backend
"cluster-store-opts": {},
# Address or interface name to advertise for the cluster store
"cluster-advertise": "",
# Maximum concurrent downloads for each image pull
"max-concurrent-downloads": 3,
# Maximum concurrent uploads for each image push
"max-concurrent-uploads": 5,
"default-shm-size": "64M",
# Timeout for stopping all containers on shutdown
"shutdown-timeout": 15,
# Debug mode
"debug": true,
# Where dockerd listens; default /var/run/docker.sock
"hosts": [],
# dockerd log level
"log-level": "",
# Whether to enable TLS
"tls": true,
# Use TLS and verify the remote
"tlsverify": true,
# Path of the CA certificate; default "~/.docker/ca.pem"
"tlscacert": "",
# Path of the TLS certificate; default "~/.docker/cert.pem"
"tlscert": "",
# Path of the TLS key; default "~/.docker/key.pem"
"tlskey": "",
# Default address or interface advertised for swarm
"swarm-default-advertise-addr": "",
# CORS headers for the Engine API
"api-cors-header": "",
# Whether to enable SELinux support
"selinux-enabled": false,
# User/group setting for user namespaces
"userns-remap": "",
# Group owning the unix socket; default docker
"group": "",
# Parent cgroup for all containers
"cgroup-parent": "",
# Default ulimits for containers
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 64000,
"Soft": 64000
}
},
# Run an init inside the container to forward signals and reap processes
"init": false,
# Path to the docker-init binary
"init-path": "/usr/libexec/docker-init",
# Whether to enable IPv6 networking
"ipv6": false,
# Prevents the Docker daemon from adding iptables rules. If several daemons manage iptables rules, they may overwrite each other's rules.
# Note that disabling this requires you to add iptables rules yourself to expose container ports. If Docker is prevented from adding iptables rules,
# it will not add IP masquerading rules either, even with --ip-masq set to true. Without IP masquerading rules, containers on networks other than the default bridge cannot reach external hosts or the Internet. Default true
"iptables": false,
# Enable net.ipv4.ip_forward; default true
"ip-forward": false,
# IP masquerading: uses address translation so containers without a public IP can talk to other machines on the Internet. This may interfere with some network topologies; default true
"ip-masq": false,
# Use the userland proxy for loopback traffic; default true
"userland-proxy": false,
# Path to the userland proxy binary
"userland-proxy-path": "/usr/libexec/docker-proxy",
# Host address that published container ports bind to; default 0.0.0.0
"ip": "0.0.0.0",
# Bridge to attach containers to
"bridge": "",
# IP range of the docker0 bridge
"bip": "",
# IPv4 subnet for fixed IPs
"fixed-cidr": "",
# IPv6 subnet for fixed IPs
"fixed-cidr-v6": "",
# Container IPv4 default gateway
"default-gateway": "",
# Container IPv6 default gateway
"default-gateway-v6": "",
# Enable inter-container communication; default true
"icc": false,
# Full timestamps without ANSI coloring in the daemon log
"raw-logs": false,
# Push nondistributable artifacts to the specified registries
"allow-nondistributable-artifacts": [],
# Preferred registry mirrors
"registry-mirrors": [],
# Path to the seccomp profile
"seccomp-profile": "",
# Self-hosted registries to talk to over insecure (unverified) connections
"insecure-registries": [],
# Set no-new-privileges by default for new containers
"no-new-privileges": false,
# Default runtime; default runc
"default-runtime": "runc",
# oom_score_adj for the daemon; changing it is not recommended. Adjusts how the kernel treats the daemon when the system is out of memory
"oom-score-adjust": -500,
# Advertise user-defined resources in the swarm cluster
"node-generic-resources": ["NVIDIA-GPU=UUID1", "NVIDIA-GPU=UUID2"],
# Update the list of OCI runtimes available for running containers
"runtimes": {
"cc-runtime": {
"path": "/usr/bin/cc-runtime"
},
"custom": {
"path": "/usr/local/bin/my-runc-replacement",
"runtimeArgs": [
"--debug"
]
}
},
# Default address pools for local networks
"default-address-pools":[{"base":"172.80.0.0/16","size":24},
{"base":"172.90.0.0/16","size":24}]
}
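Both the rule that an option may not be set on the command line and in the file at once, and the exposure-relevant keys in the reference above, can be checked mechanically before restarting the daemon. The Python below is an added example, not code from the original post or from the Docker project; it assumes the annotated file is passed in as text with its '#' lines still present, and its flag-to-key mapping covers only the renamed flags visible in this page's help output.

```python
import json

SAMPLE_CONFIG = """{
# constructed sample in the page's annotated style, not a real deployment
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
"tlsverify": false,
"insecure-registries": ["registry.example.invalid:5000"],
"live-restore": true
}"""

# CLI flags whose name differs from their daemon.json key (per the help output and config reference above); all others map 1:1.
FLAG_TO_KEY = {
    "host": "hosts", "dns-opt": "dns-opts", "exec-opt": "exec-opts",
    "storage-opt": "storage-opts", "log-opt": "log-opts", "add-runtime": "runtimes",
    "default-ulimit": "default-ulimits", "insecure-registry": "insecure-registries",
    "registry-mirror": "registry-mirrors", "authorization-plugin": "authorization-plugins",
    "cluster-store-opt": "cluster-store-opts", "default-address-pool": "default-address-pools",
}
SHORT_FLAGS = {"-H": "host", "-D": "debug", "-G": "group", "-l": "log-level", "-p": "pidfile", "-s": "storage-driver", "-b": "bridge"}

def load_config(text):
    """Parse an annotated daemon.json, dropping the '#' comment lines first."""
    return json.loads("\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#")))

def cli_keys(argv):
    """Translate dockerd command-line flags into the daemon.json keys they set."""
    keys = set()
    for arg in argv:
        if arg.startswith("--"):
            name = arg[2:].split("=", 1)[0]
        elif arg in SHORT_FLAGS:
            name = SHORT_FLAGS[arg]
        else:
            continue  # program name and flag values
        keys.add(FLAG_TO_KEY.get(name, name))
    return keys

def conflicts(argv, config):
    """Keys set both on the command line and in the file: dockerd refuses to start."""
    return sorted(cli_keys(argv) & set(config))

def audit(config):
    """Settings from the reference above that widen the daemon's exposure."""
    findings = []
    if any(h.startswith("tcp://") for h in config.get("hosts", [])) and not config.get("tlsverify"):
        findings.append("tcp host without tlsverify")
    if config.get("insecure-registries"):
        findings.append("insecure-registries set")
    return findings
```

Run `conflicts(sys.argv, load_config(open("/etc/docker/daemon.json").read()))` with the intended dockerd arguments to see which keys would make the daemon refuse to start.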

Configuration reload

debug
cluster-store
cluster-store-opts
cluster-advertise
labels
live-restore
max-concurrent-downloads
max-concurrent-uploads
default-runtime
runtimes
authorization-plugin
allow-nondistributable-artifacts
insecure-registries
registry-mirrors
shutdown-timeout