Docker Server Configuration: Difference between revisions

From NovaOrdis Knowledge Base
 
(5 intermediate revisions by the same user not shown)
Line 16: Line 16:


=Server Startup Configuration=
=Server Startup Configuration=
{{Note|[[daemon.json]] also contains server configuration and it is an alternative to configuration specified as command line parameters and in various startup configuration files read when the server is started.}}


==OS-Dependent Startup Configuration Files Details==
==OS-Dependent Startup Configuration Files Details==
Line 40: Line 42:
The file can be edited and committed, and the daemon restart.
The file can be edited and committed, and the daemon restart.


==<span id='Server_Command_Line_Options'></span>Server Configuration Options==
=<span id='Server_Command_Line_Options'></span>Server Configuration Options=


The following options are Docker server command line options and should be provided on the dockerd daemon command line, [[#Server_Startup_Sequence|when started]].
The following options are Docker server command line options and should be provided on the dockerd daemon command line, [[#Server_Startup_Sequence|when started]].


===--insecure-registry===
==--insecure-registry==


This option instructs the Docker daemon to trust any Docker registry on the indicated subnet, rather than requiring a certificate. The default value is []. For OpenShift-integrated Docker, the subnet where Docker expects this registry is the [[OpenShift_Concepts#The_Services_Subnet|OpenShift SDN services subnet]].
This option instructs the Docker daemon to trust any Docker registry on the indicated subnet, rather than requiring a certificate. The default value is []. For OpenShift-integrated Docker, the subnet where Docker expects this registry is the [[OpenShift_Concepts#The_Services_Subnet|OpenShift SDN services subnet]].
Line 54: Line 56:
The same option can be configured in [[daemon.json#Overview|daemon.json]] with [[daemon.json#insecure-registries|insecure-registries]].
The same option can be configured in [[daemon.json#Overview|daemon.json]] with [[daemon.json#insecure-registries|insecure-registries]].


===--net===
==--net==


Also see: {{Internal|Docker_Networking_Concepts#Network_Drivers|Docker Networking Concepts}}
<font color='darkgray'>Not found in Docker 18.03-ce. Also see [[Docker_Networking_Concepts#Network_Drivers|Docker Networking Concepts]]</font>.


===--selinux-enabled===
==--selinux-enabled==


===--add-registry===
==--add-registry==


When asked to search for or pull images, the docker runtime uses the Docker registry (docker.io) to complete those activities. Additional registries can be added to the list with --add-registry.
When asked to search for or pull images, the docker runtime uses the Docker registry (docker.io) to complete those activities. Additional registries can be added to the list with --add-registry.


Also see {{Internal|Docker_Concepts#Image_Registry|Docker Image Registry}}
Also see: {{Internal|Docker_Concepts#Image_Registry|Docker Image Registry}}


===--block-registry===
==--block-registry==


To prevent users from pulling images from the Docker registry, after presumably other registry has been configured with [[#--add-registry|--add-registry]], use
To prevent users from pulling images from the Docker registry, after presumably other registry has been configured with [[#--add-registry|--add-registry]], use
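Review bot: Under --net, the new line drops the {{Internal|...}} template in favour of an inline <font color='darkgray'> span, while --add-registry in this same hunk settles on "Also see: {{Internal|...}}". Keep the template form for the cross-reference and put "Not found in Docker 18.03-ce." in its own plain sentence, so the version caveat does not read as greyed-out decoration. The --selinux-enabled heading is promoted here but still has no body text.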
Line 72: Line 74:
  --block-registry docker.io
  --block-registry docker.io


===--log-driver===
==--log-driver==


===--signature-verification===
==--signature-verification==


=daemon.json=
=daemon.json=
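Review bot: --log-driver and --signature-verification are promoted to second-level headings but remain empty, so they now show up more prominently in the table of contents with nothing behind them. Add at least a one-line description or an "Also see" pointer under each, as is done for --add-registry, or leave them out until there is content.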

Latest revision as of 20:51, 2 October 2018

External

Internal

Overview

Server Startup Sequence

RedHat/Centos systemd

systemd Docker Unit File: /usr/lib/systemd/system/docker.service. Depending on the distribution, the unit file may or may not reference configuration from /etc/sysconfig/docker.

Server Startup Configuration


daemon.json also contains server configuration and it is an alternative to configuration specified as command line parameters and in various startup configuration files read when the server is started.

OS-Dependent Startup Configuration Files Details

RedHat/Centos

Daemon configuration parameters are usually provided in /etc/sysconfig/docker. However, the availability of this file may depend on distribution and installation procedure.

Mac

The simplest possible way to configure the Docker daemon on Mac is to use the UI: the whale icon -> Preferences -> Daemon.

The "Basic" section has UI elements to configure insecure registries and registry mirrors. A configuration change applied here propagates to the "Advanced" section after daemon restart.

The "Advanced" section gives access to the content of the daemon.json file, which can be edited freely. However, the danger is that a configuration error saved here will prevent the daemon from starting. If that happens, the file-system version of the same file can be accessed as follows:

cd ~/Library/Containers/com.docker.docker/Data/database 
git reset --hard HEAD

The daemon.json becomes available as:

~/Library/Containers/com.docker.docker/Data/database/com.docker.driver.amd64-linux/etc/docker/daemon.json

The file can be edited and committed, and the daemon restarted.

Server Configuration Options

The following options are Docker server command line options and should be provided on the dockerd daemon command line, when started.

--insecure-registry

This option instructs the Docker daemon to trust any Docker registry on the indicated subnet, rather than requiring a certificate. The default value is []. For OpenShift-integrated Docker, the subnet where Docker expects this registry is the OpenShift SDN services subnet.

... --insecure-registry <list> ...
--insecure-registry 172.30.0.0/16

The same option can be configured in daemon.json with insecure-registries.
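
An audit sketch for the two places this setting can live, added here as an example and not taken from the original page. It collects every registry exempted from certificate checks from a dockerd command line and from daemon.json, reports how many addresses a subnet entry covers, and flags the case where both sources set the option (dockerd refuses to start when a directive appears both as a flag and in the file). The sample inputs are constructed, and registry.example.internal is a hypothetical host name.

```python
import ipaddress
import json
import shlex


def flag_values(cmdline, flag="--insecure-registry"):
    """Collect values of a repeatable dockerd flag given as '--flag v' or '--flag=v'."""
    tokens, out = shlex.split(cmdline), []
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens):
            out.append(tokens[i + 1])
        elif tok.startswith(flag + "="):
            out.append(tok.split("=", 1)[1])
    return out


def audit_insecure_registries(cmdline, daemon_json_text):
    """Return (entries, findings) for registries that skip certificate verification."""
    from_flags = flag_values(cmdline)
    from_file = json.loads(daemon_json_text or "{}").get("insecure-registries", [])
    findings = []
    if from_flags and from_file:
        # dockerd fails to start when a directive is set in both places.
        findings.append("conflict: set on command line and in daemon.json")
    for entry in from_flags + from_file:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP or CIDR: a host[:port] entry naming one registry.
            findings.append(f"{entry}: single registry host without certificate check")
            continue
        findings.append(
            f"{entry}: {net.num_addresses} addresses trusted without certificate check"
        )
    return from_flags + from_file, findings


# Constructed sample inputs (not from a real host).
SAMPLE_CMDLINE = "dockerd --selinux-enabled --insecure-registry 172.30.0.0/16"
SAMPLE_DAEMON_JSON = '{"insecure-registries": ["registry.example.internal:5000"]}'

if __name__ == "__main__":
    for line in audit_insecure_registries(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON)[1]:
        print(line)
```
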

--net

Not found in Docker 18.03-ce. Also see Docker Networking Concepts.

--selinux-enabled

--add-registry

When asked to search for or pull images, the docker runtime uses the Docker registry (docker.io) to complete those activities. Additional registries can be added to the list with --add-registry.

Also see:

Docker Image Registry

--block-registry

To prevent users from pulling images from the Docker registry, presumably after another registry has been configured with --add-registry, use

--block-registry docker.io

--log-driver

--signature-verification

daemon.json

daemon.json

Docker Container Configuration

Docker Container Configuration