Docker Configuration Handbook

Daemon configuration

Usage: dockerd COMMAND

    A self-sufficient runtime for containers

Options:
      --add-runtime runtime                   Register an additional OCI compatible runtime (default [])
      --allow-nondistributable-artifacts list Push nondistributable artifacts to specified registries (default [])
      --api-cors-header string                Set CORS headers in the Engine API
      --authorization-plugin list             Authorization plugins to load (default [])
      --bip string                            Specify network bridge IP
  -b, --bridge string                         Attach containers to a network bridge
      --cgroup-parent string                  Set parent cgroup for all containers
      --cluster-advertise string              Address or interface name to advertise
      --cluster-store string                  URL of the distributed storage backend
      --cluster-store-opt map                 Set cluster store options (default map[])
      --config-file string                    Daemon configuration file (default "/etc/docker/daemon.json")
      --containerd string                     Path to containerd socket
      --cpu-rt-period int                     Limit the CPU real-time period in microseconds
      --cpu-rt-runtime int                    Limit the CPU real-time runtime in microseconds
      --data-root string                      Root directory of persistent Docker state (default "/var/lib/docker")
  -D, --debug                                 Enable debug mode
      --default-gateway ip                    Container default gateway IPv4 address
      --default-gateway-v6 ip                 Container default gateway IPv6 address
      --default-address-pool                  Set the default address pool for local node networks
      --default-runtime string                Default OCI runtime for containers (default "runc")
      --default-ulimit ulimit                 Default ulimits for containers (default [])
      --dns list                              DNS server to use (default [])
      --dns-opt list                          DNS options to use (default [])
      --dns-search list                       DNS search domains to use (default [])
      --exec-opt list                         Runtime execution options (default [])
      --exec-root string                      Root directory for execution state files (default "/var/run/docker")
      --experimental                          Enable experimental features
      --fixed-cidr string                     IPv4 subnet for fixed IPs
      --fixed-cidr-v6 string                  IPv6 subnet for fixed IPs
  -G, --group string                          Group for the unix socket (default "docker")
      --help                                  Print usage
  -H, --host list                             Daemon socket(s) to connect to (default [])
      --icc                                   Enable inter-container communication (default true)
      --init                                  Run an init in the container to forward signals and reap processes
      --init-path string                      Path to the docker-init binary
      --insecure-registry list                Enable insecure registry communication (default [])
      --ip ip                                 Default IP when binding container ports (default 0.0.0.0)
      --ip-forward                            Enable net.ipv4.ip_forward (default true)
      --ip-masq                               Enable IP masquerading (default true)
      --iptables                              Enable addition of iptables rules (default true)
      --ipv6                                  Enable IPv6 networking
      --label list                            Set key=value labels to the daemon (default [])
      --live-restore                          Enable live restore of docker when containers are still running
      --log-driver string                     Default driver for container logs (default "json-file")
  -l, --log-level string                      Set the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
      --log-opt map                           Default log driver options for containers (default map[])
      --max-concurrent-downloads int          Set the max concurrent downloads for each pull (default 3)
      --max-concurrent-uploads int            Set the max concurrent uploads for each push (default 5)
      --metrics-addr string                   Set default address and port to serve the metrics api on
      --mtu int                               Set the containers network MTU
      --node-generic-resources list           Advertise user-defined resource
      --no-new-privileges                     Set no-new-privileges by default for new containers
      --oom-score-adjust int                  Set the oom_score_adj for the daemon (default -500)
  -p, --pidfile string                        Path to use for daemon PID file (default "/var/run/docker.pid")
      --raw-logs                              Full timestamps without ANSI coloring
      --registry-mirror list                  Preferred Docker registry mirror (default [])
      --seccomp-profile string                Path to seccomp profile
      --selinux-enabled                       Enable selinux support
      --shutdown-timeout int                  Set the default shutdown timeout (default 15)
  -s, --storage-driver string                 Storage driver to use
      --storage-opt list                      Storage driver options (default [])
      --swarm-default-advertise-addr string   Set default address or interface for swarm advertised address
      --tls                                   Use TLS; implied by --tlsverify
      --tlscacert string                      Trust certs signed only by this CA (default "~/.docker/ca.pem")
      --tlscert string                        Path to TLS certificate file (default "~/.docker/cert.pem")
      --tlskey string                         Path to TLS key file (default "~/.docker/key.pem")
      --tlsverify                             Use TLS and verify the remote
      --userland-proxy                        Use userland proxy for loopback traffic (default true)
      --userland-proxy-path string            Path to the userland proxy binary
      --userns-remap string                   User/Group setting for user namespaces
  -v, --version                               Print version information and quit
--bip

 Explanation: sets the bridge network address of the Docker daemon (DD), i.e. the address range from which containers get their IPs
 Example:
     dockerd --bip=172.17.0.0/16

-H, --host

 Explanation: socket option; three kinds are in common use: Unix, Tcp and fd
 Example:
     dockerd -H unix:///var/run/docker.sock
     dockerd -H tcp://192.168.59.106 -H tcp://10.10.10.2
     dockerd -H fd://

Unix


By default a unix domain socket is created at /var/run/docker.sock; using it requires root privileges or membership of the docker group

Tcp


If DD must be reachable remotely, enable a Tcp socket. The socket generated by default is unencrypted and unauthenticated: whoever can connect to it gets direct access to DD. Use an https (TLS) encrypted socket, or put a secure web proxy in front of it. -H tcp://0.0.0.0:2375 listens on port 2375 of every network interface; replace 0.0.0.0 with a specific IP address to listen on port 2375 of that interface only. By convention, 2375 is the unencrypted access port and 2376 the encrypted one.
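The following script is an added example, not part of the original handbook: it reduces either a dockerd command line (only the -H/--host, --tls and --tlsverify flags from the list above are understood) or a daemon.json (its "hosts", "tls" and "tlsverify" keys) to the listener settings, then reports which listeners are local sockets, which are plaintext TCP, and which have TLS with or without client verification. The sample command line and daemon.json at the bottom are constructed for the demonstration.

```python
"""Added example (not from the handbook): audit the listeners a Docker daemon
exposes, from a dockerd command line or a daemon.json file."""
import json
import shlex
from urllib.parse import urlsplit

SEVERITY_ORDER = {"ok": 0, "info": 1, "high": 2, "critical": 3}
DEFAULT_PORT, DEFAULT_TLS_PORT = 2375, 2376   # used by dockerd when tcp:// carries no port


def parse_dockerd_cmdline(cmdline):
    """Reduce a dockerd command line to the listener settings daemon.json would hold."""
    cfg = {"hosts": [], "tls": False, "tlsverify": False}
    args = shlex.split(cmdline)[1:]            # drop the program name
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            cfg["hosts"].append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            cfg["hosts"].append(arg.split("=", 1)[1])
        elif arg == "--tlsverify":
            cfg["tls"] = cfg["tlsverify"] = True  # --tlsverify implies --tls
        elif arg == "--tls":
            cfg["tls"] = True
        i += 1
    return cfg


def parse_daemon_json(text):
    """Load daemon.json and keep only the listener-related keys."""
    raw = json.loads(text)
    verify = bool(raw.get("tlsverify", False))
    return {"hosts": list(raw.get("hosts", [])),
            "tls": bool(raw.get("tls", False)) or verify,
            "tlsverify": verify}


def audit_listeners(cfg):
    """Return (severity, host, reason) tuples, one or more per listener."""
    findings = []
    hosts = cfg["hosts"] or ["unix:///var/run/docker.sock"]   # dockerd's default listener
    tls, verify = cfg["tls"], cfg["tlsverify"]
    expected_port = DEFAULT_TLS_PORT if tls else DEFAULT_PORT
    for host in hosts:
        u = urlsplit(host)
        if u.scheme in ("unix", "fd"):
            findings.append(("ok", host, "local socket; access is governed by file permissions and the docker group"))
            continue
        if u.scheme != "tcp":
            findings.append(("info", host, "unrecognised scheme, not audited"))
            continue
        bind = u.hostname or "0.0.0.0"      # tcp://:2375 binds every interface
        port = u.port or expected_port
        if not tls:
            findings.append(("critical", host, "plaintext API with no authentication: anyone who can reach the port controls the daemon"))
        elif not verify:
            findings.append(("high", host, "TLS without client verification: encrypted, but any client is accepted"))
        else:
            findings.append(("ok", host, "TLS with client certificate verification"))
        if bind in ("0.0.0.0", "::"):
            findings.append(("info", host, "bound to all interfaces"))
        if port != expected_port:
            findings.append(("info", host, f"port {port} breaks the {DEFAULT_PORT}=plain / {DEFAULT_TLS_PORT}=TLS convention"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings ("ok" when there are none)."""
    return max((sev for sev, _, _ in findings), key=SEVERITY_ORDER.__getitem__, default="ok")


# Constructed samples, not taken from any real host
SAMPLE_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
SAMPLE_DAEMON_JSON = """{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, cfg in (("command line", parse_dockerd_cmdline(SAMPLE_CMDLINE)),
                       ("daemon.json", parse_daemon_json(SAMPLE_DAEMON_JSON))):
        findings = audit_listeners(cfg)
        print(f"{label}: worst = {worst_severity(findings)}")
        for sev, host, why in findings:
            print(f"  [{sev}] {host}: {why}")
```

Run it against the real `ExecStart` line of the docker service unit and against /etc/docker/daemon.json separately: dockerd refuses to start when "hosts" is given both as a flag and in the file, so in practice only one of the two sources defines the listeners.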


Registry configuration option list

Below are all the registry configuration items; some of them are mutually exclusive. Read the option descriptions carefully before deciding on your configuration.

  version: 0.1
  log:
    accesslog:
      disabled: true
    level: debug
    formatter: text
    fields:
      service: registry
      environment: staging
    hooks:
      - type: mail
        disabled: true
        levels:
          - panic
        options:
          smtp:
            addr: mail.example.com:25
            username: mailuser
            password: password
            insecure: true
          from: sender@example.com
          to:
            - errors@example.com
  loglevel: debug # deprecated: use "log"
  storage:
    filesystem:
      rootdirectory: /var/lib/registry
      maxthreads: 100
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
    gcs:
      bucket: bucketname
      keyfile: /path/to/keyfile
      rootdirectory: /gcs/object/name/prefix
      chunksize: 5242880
    s3:
      accesskey: awsaccesskey
      secretkey: awssecretkey
      region: us-west-1
      regionendpoint: http://myobjects.local
      bucket: bucketname
      encrypt: true
      keyid: mykeyid
      secure: true
      v4auth: true
      chunksize: 5242880
      multipartcopychunksize: 33554432
      multipartcopymaxconcurrency: 100
      multipartcopythresholdsize: 33554432
      rootdirectory: /s3/object/name/prefix
    swift:
      username: username
      password: password
      authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
      tenant: tenantname
      tenantid: tenantid
      domain: domain name for Openstack Identity v3 API
      domainid: domain id for Openstack Identity v3 API
      insecureskipverify: true
      region: fr
      container: containername
      rootdirectory: /swift/object/name/prefix
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: OSS region name
      endpoint: optional endpoints
      internal: optional internal endpoint
      bucket: OSS bucket
      encrypt: optional data encryption setting
      secure: optional ssl setting
      chunksize: optional size value
      rootdirectory: optional root directory
    inmemory: # This driver takes no parameters
    delete:
      enabled: false
    redirect:
      disable: false
    cache:
      blobdescriptor: redis
    maintenance:
      uploadpurging:
        enabled: true
        age: 168h
        interval: 24h
        dryrun: false
      readonly:
        enabled: false
  auth:
    silly:
      realm: silly-realm
      service: silly-service
    token:
      realm: token-realm
      service: token-service
      issuer: registry-token-issuer
      rootcertbundle: /root/certs/bundle
    htpasswd:
      realm: basic-realm
      path: /path/to/htpasswd
  middleware:
    registry:
      - name: ARegistryMiddleware
        options:
          foo: bar
    repository:
      - name: ARepositoryMiddleware
        options:
          foo: bar
    storage:
      - name: cloudfront
        options:
          baseurl: https://my.cloudfronted.domain.com/
          privatekey: /path/to/pem
          keypairid: cloudfrontkeypairid
          duration: 3000s
    storage:
      - name: redirect
        options:
          baseurl: https://example.com/
  reporting:
    bugsnag:
      apikey: bugsnagapikey
      releasestage: bugsnagreleasestage
      endpoint: bugsnagendpoint
    newrelic:
      licensekey: newreliclicensekey
      name: newrelicname
      verbose: true
  http:
    addr: localhost:5000
    prefix: /my/nested/registry/
    host: https://myregistryaddress.org:5000
    secret: asecretforlocaldevelopment
    relativeurls: false
    tls:
      certificate: /path/to/x509/public
      key: /path/to/x509/private
      clientcas:
        - /path/to/ca.pem
        - /path/to/another/ca.pem
      letsencrypt:
        cachefile: /path/to/cache-file
        email: emailused@letsencrypt.com
    debug:
      addr: localhost:5001
    headers:
      X-Content-Type-Options: [nosniff]
    http2:
      disabled: false
  notifications:
    endpoints:
      - name: alistener
        disabled: false
        url: https://my.listener.com/event
        headers: <http.Header>
        timeout: 500
        threshold: 5
        backoff: 1000
        ignoredmediatypes:
          - application/octet-stream
  redis:
    addr: localhost:6379
    password: asecret
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
    pool:
      maxidle: 16
      maxactive: 64
      idletimeout: 300s
  health:
    storagedriver:
      enabled: true
      interval: 10s
      threshold: 3
    file:
      - file: /path/to/checked/file
        interval: 10s
    http:
      - uri: http://server.to.check/must/return/200
        headers:
          Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
        statuscode: 200
        timeout: 3s
        interval: 10s
        threshold: 3
    tcp:
      - addr: redis-server.domain.com:6379
        timeout: 3s
        interval: 10s
        threshold: 3
  proxy:
    remoteurl: https://registry-1.docker.io
    username: [username]
    password: [password]
  compatibility:
    schema1:
      signingkeyfile: /etc/registry/key.json
  validation:
    enabled: true
    manifests:
      urls:
        allow:
          - ^https?://([^/]+\.)*example\.com/
        deny:
          - ^https?://www\.example\.com/
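The configuration above mixes development-only settings (the silly authenticator, insecureskipverify, an http listener without tls) with production ones. The script below is an added example, not code from the handbook or from the registry project: it walks a registry configuration that has already been loaded into a Python dict (with PyYAML's yaml.safe_load on a real file; here two constructed subsets of the layout above are embedded so the script runs offline) and reports the settings a reviewer would want to catch before the registry goes live.

```python
"""Added example (not from the handbook): lint a Docker registry configuration
dict for settings that weaken transport, authentication or backend security."""

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def dig(cfg, path, default=None):
    """Fetch a dotted path such as "http.tls.certificate" from a nested dict."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def is_loopback(addr):
    """True for listen addresses that only the local machine can reach."""
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    return host in ("localhost", "127.0.0.1", "[::1]", "::1")


def audit_registry_config(cfg):
    """Return (severity, config path, reason) tuples for the risky settings found."""
    findings = []
    addr = dig(cfg, "http.addr", ":5000")       # registry default when addr is absent
    exposed = not is_loopback(addr)
    if exposed and dig(cfg, "http.tls") is None:
        findings.append(("critical", "http.tls",
                         f"registry listens on {addr} without TLS: credentials and layers travel in the clear"))
    if dig(cfg, "auth") is None:
        findings.append(("critical" if exposed else "info", "auth",
                         "no auth section: anyone who can reach the listener can pull and push"))
    elif dig(cfg, "auth.silly") is not None:
        findings.append(("critical", "auth.silly",
                         "the silly authenticator accepts any request carrying an Authorization header"))
    if dig(cfg, "storage.swift.insecureskipverify") is True:
        findings.append(("high", "storage.swift.insecureskipverify",
                         "certificate verification towards the Swift backend is disabled"))
    if dig(cfg, "storage.s3.secure") is False:
        findings.append(("high", "storage.s3.secure", "traffic to S3 is sent over plain HTTP"))
    debug = dig(cfg, "http.debug.addr")
    if debug and not is_loopback(debug):
        findings.append(("medium", "http.debug.addr", f"debug endpoint (pprof/health) reachable on {debug}"))
    if dig(cfg, "http.headers.X-Content-Type-Options") is None:
        findings.append(("low", "http.headers", "X-Content-Type-Options: nosniff is not set"))
    if dig(cfg, "storage.delete.enabled") is True:
        findings.append(("info", "storage.delete.enabled",
                         "DELETE of manifests and blobs is enabled; make sure auth restricts who may call it"))
    if dig(cfg, "proxy.remoteurl") and dig(cfg, "proxy.password"):
        findings.append(("info", "proxy.password",
                         "upstream credentials are stored in the config file; restrict its permissions"))
    return findings


def worst_severity(findings):
    return max((sev for sev, _, _ in findings), key=SEVERITY_ORDER.__getitem__, default="info")


# Constructed samples: trimmed subsets of the layout above, not real deployments
DEV_CONFIG = {
    "version": 0.1,
    "storage": {"filesystem": {"rootdirectory": "/var/lib/registry"},
                "swift": {"insecureskipverify": True},
                "delete": {"enabled": True}},
    "http": {"addr": ":5000", "debug": {"addr": "0.0.0.0:5001"}},
}
HARDENED_CONFIG = {
    "version": 0.1,
    "storage": {"filesystem": {"rootdirectory": "/var/lib/registry"}},
    "auth": {"htpasswd": {"realm": "basic-realm", "path": "/etc/registry/htpasswd"}},
    "http": {"addr": ":5000",
             "tls": {"certificate": "/etc/registry/tls.crt", "key": "/etc/registry/tls.key"},
             "debug": {"addr": "localhost:5001"},
             "headers": {"X-Content-Type-Options": ["nosniff"]}},
}

if __name__ == "__main__":
    for label, cfg in (("dev", DEV_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_registry_config(cfg)
        print(f"{label}: {len(findings)} finding(s), worst = {worst_severity(findings)}")
        for sev, path, why in findings:
            print(f"  [{sev}] {path}: {why}")
```

The checks are deliberately limited to keys that appear in the reference configuration; extend `audit_registry_config` with the same `dig` calls for any site-specific policy (for example, requiring `validation.manifests.urls.allow` to be set before accepting foreign-layer URLs).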
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging

Notes:
* level: optional; sets the log output level. Supported values: error, warn, info, debug; default: info
* formatter: optional; sets the log output format. Supported values: text, json, logstash; default: text
* fields: optional; a map of field names to values that is added to every log line. This is very useful, for example, to mark the log source when logs are shipped to another system.
* accesslog (see below)

accesslog:
  disabled: true

Log drivers

json-file driver configuration

Docker uses the json-file driver by default

 File path: /etc/docker/daemon.json
 {
   "log-driver": "json-file",
   "log-opts": {
     "max-size": "10m",
     "max-file": "3",
     "labels": "production_status",
     "env": "os,customer"
   }
 }
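What this daemon.json buys you is a bound on log disk usage per container, and what it costs is that the named labels and environment variables are copied into every log line. The script below is an added example, not code from the handbook or from Docker: it parses the log-opts of a daemon.json, computes the worst-case bytes per container from max-size and max-file (sizes are read with binary multiples, 10m = 10 × 1024 × 1024 bytes, which is how Docker's go-units parses them; treat that as an assumption if you need exact figures), and points out the two things that usually go wrong: max-size missing (no rotation at all) and env names that hold secrets. The daemon.json embedded at the bottom is the one shown above.

```python
"""Added example (not from the handbook): compute the log-disk budget a json-file
configuration allows per container and flag common misconfigurations."""
import json
import re

# Accepts "10m", "10M", "10mb", "1g", "512k", "100"; binary multiples as in go-units (assumption)
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([kKmMgGtT])?[iI]?[bB]?$")
_MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def parse_size(text):
    """Turn a Docker size string such as "10m" into a number of bytes."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    number, unit = m.groups()
    return int(float(number) * _MULT[(unit or "").lower()])


def log_budget(daemon_json_text):
    """Return (driver, max bytes per container or None, list of notes) for a daemon.json."""
    cfg = json.loads(daemon_json_text)
    driver = cfg.get("log-driver", "json-file")        # dockerd's default driver
    opts = cfg.get("log-opts") or {}
    notes = []
    if driver != "json-file":
        return driver, None, [f"driver {driver!r}: rotation options differ per driver, not computed here"]
    if "max-size" not in opts:
        notes.append("no max-size: log files are never rotated and a chatty container can fill the data-root disk")
        if "max-file" in opts:
            notes.append("max-file is ignored because max-size is not set")
        return driver, None, notes
    size = parse_size(str(opts["max-size"]))
    files = int(opts.get("max-file", 1))                # Docker's default: a single file
    budget = size * files
    notes.append(f"at most {files} file(s) of {size} bytes: {budget} bytes per container")
    for key in ("labels", "env", "labels-regex", "env-regex"):
        if key in opts:
            notes.append(f"{key}={opts[key]!r} is written into the attrs of every log line; "
                         "do not list environment variables that hold secrets")
    return driver, budget, notes


# The daemon.json from the section above, embedded as a string so the script runs offline
SAMPLE_DAEMON_JSON = """{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3",
    "labels": "production_status",
    "env": "os,customer"
  }
}"""

if __name__ == "__main__":
    driver, budget, notes = log_budget(SAMPLE_DAEMON_JSON)
    print(f"driver={driver} budget={budget}")
    for note in notes:
        print(f"  - {note}")
```

Remember that the daemon.json defaults only apply to containers created afterwards; containers already running keep the log options they were started with until they are recreated.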

Appendix