Controlling the Docker Daemon
First of all, let's try to understand what a daemon is. In a multitasking operating system, that is, one capable of executing more than one task at a time (not really), a daemon is software that runs independently in the background and executes certain predefined actions in response to certain events. Well, the Docker daemon is exactly that: a kind of parent process that controls everything: containers, images, and so on.
Up to Docker 1.7, the configuration specific to the daemon was mixed in with the global configuration: when you typed "docker -help", a bunch of options came back and you couldn't tell what was what. Starting with version 1.8, we had "docker daemon", and more recently (we believe in version 18.03 of Docker) it was replaced by "dockerd", which definitively solves this problem and deals specifically with configuration related, obviously, to the Docker daemon.
11.1. Does Docker always use 172.16.X.X or can I configure another IP range?
Yes, you can configure another range to be used by the "docker0" bridge and also by the container interfaces.
To be able to configure a different range for Docker usage, you need to start it with the "--bip" parameter.
# dockerd --bip 192.168.0.1/24
This tells Docker to use the IP "192.168.0.1" for your "docker0" bridge and, consequently, the network that address belongs to for the container subnet.
You can also use the "--fixed-cidr" parameter to restrict the range that Docker will use for the "docker0" bridge and for the container subnet.
# dockerd --fixed-cidr 192.168.0.0/24
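An added example, not from the original text: a Python check of how the "--bip" and "--fixed-cidr" values relate. It relies on Docker's documented rule that the fixed CIDR must be a subset of the bridge subnet; the function name, the host_networks parameter and every sample value not shown above are assumptions.

```python
import ipaddress

def check_bridge_addressing(bip, fixed_cidr=None, host_networks=()):
    """Report what --bip/--fixed-cidr imply and any inconsistency between them.

    host_networks is a hypothetical parameter: networks the host already routes.
    """
    bridge = ipaddress.ip_interface(bip)        # address plus prefix length
    subnet = bridge.network                     # network the bridge lives in
    problems = []
    if bridge.ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"{bridge.ip} is not a usable host address in {subnet}")
    pool = subnet                               # no --fixed-cidr: whole subnet
    if fixed_cidr is not None:
        pool = ipaddress.ip_network(fixed_cidr, strict=False)
        if not pool.subnet_of(subnet):
            problems.append(f"--fixed-cidr {pool} is outside bridge subnet {subnet}")
    for net in map(ipaddress.ip_network, host_networks):
        if net.overlaps(subnet):
            problems.append(f"bridge subnet {subnet} overlaps host network {net}")
    return {"bridge_ip": str(bridge.ip), "subnet": str(subnet),
            "container_pool": str(pool), "problems": problems}

if __name__ == "__main__":
    # The two values used above, combined in one daemon invocation.
    print(check_bridge_addressing("192.168.0.1/24", "192.168.0.0/24"))
    # Constructed: a narrower pool inside the same bridge subnet.
    print(check_bridge_addressing("192.168.0.1/24", "192.168.0.128/25"))
    # Constructed: --fixed-cidr given while the bridge sits in 172.17.0.0/16.
    print(check_bridge_addressing("172.17.0.1/16", "192.168.0.0/24"))
    # Constructed: the host already routes a network that contains the bridge subnet.
    print(check_bridge_addressing("192.168.0.1/24", host_networks=["192.168.0.0/16"]))
```

The third call shows why "--fixed-cidr 192.168.0.0/24" only makes sense together with a matching "--bip": the requested pool is not part of the bridge subnet.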
11.2. Socket options
Sockets are endpoints through which two or more applications or processes communicate in an environment, usually an "IP:port" pair or a file, as in the case of Unix Domain Sockets.
Currently, Docker can work with three types of sockets: Unix, TCP and FD. By default it uses Unix sockets. You should have noticed that, when starting your Docker, a file was created at "/var/run/docker.sock". To make changes to it, you will need either root permission or the user executing the actions to be part of the "docker" group, as we mentioned at the beginning of this book, remember?
As practical as this may be, there are some limitations: for example, the daemon can only be accessed locally. To solve this, we generally use TCP. In this model, we define an IP, which can be either "any" (0.0.0.0 and a port) or a specific IP and a port.
In systemd-based systems, you can also benefit from systemd socket activation, a technology aimed at saving resources. It basically consists of activating a socket only when a new connection arrives and deactivating it when it's no longer being used.
In addition to all this, depending on your environment, you can also make Docker listen on different types of sockets, which is done through the "-H" parameter of the "dockerd" command.
Examples:
11.2.1. Unix Domain Socket
root@linuxtips:~# dockerd -H unix:///var/run/docker.sock
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: false
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.
..........................
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=c3959b1 execdriver=native-0.2 graphdriver=aufs version=1.10.2
INFO[0000] API listen on /var/run/docker.sock
11.2.2. TCP
root@linuxtips:~# dockerd -H tcp://0.0.0.0:2375
WARN[0000] /!\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.01 seconds
INFO[0000] Firewalld running: false
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.
..........................
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=c3959b1 execdriver=native-0.2 graphdriver=aufs version=1.10.2
INFO[0000] API listen on [::]:2375
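The warning in the log above can be turned into a check. This added example (not from the original text) classifies every "-H" listener of a dockerd command line and flags TCP binds that are not protected by "--tlsverify"; the verdict names, the sample address 192.168.0.10 and the certificate file names are assumptions.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

DEFAULT_HOST = "unix:///var/run/docker.sock"  # the default socket named above

def classify(host, tlsverify):
    """Classify one -H value by how reachable and how protected it is."""
    url = urlsplit(host)
    if url.scheme in ("unix", "fd"):
        return "local"                      # socket file or systemd-passed fd
    if url.scheme != "tcp":
        return "unknown"
    if tlsverify:
        return "tcp-tlsverify"              # clients must present a CA-signed cert
    name = url.hostname or ""               # no host given: judged conservatively
    try:
        loopback = ipaddress.ip_address(name).is_loopback
    except ValueError:
        loopback = name == "localhost"
    return "tcp-plain-loopback" if loopback else "tcp-plain-exposed"

def audit_listeners(cmdline):
    """Return [(host, verdict)] for each -H/--host of a dockerd command line."""
    args = shlex.split(cmdline)
    tlsverify = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    hosts, i = [], 0
    while i < len(args):
        if args[i] in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif args[i].startswith("--host="):
            hosts.append(args[i].split("=", 1)[1])
        i += 1
    return [(h, classify(h, tlsverify)) for h in hosts or [DEFAULT_HOST]]

if __name__ == "__main__":
    samples = [
        "dockerd -H unix:///var/run/docker.sock",   # from this page
        "dockerd -H tcp://0.0.0.0:2375",            # from this page
        # constructed: address and certificate file names are placeholders
        "dockerd --tlsverify --tlscacert ca.pem --tlscert cert.pem "
        "--tlskey key.pem -H tcp://192.168.0.10:2376 -H fd://",
    ]
    for s in samples:
        print(audit_listeners(s))
```

A "tcp-plain-exposed" verdict means any host that can reach the port can drive the daemon without authentication, which is the situation the WARN line describes.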
11.3. Storage options
Since the daemon is the one that controls everything, it's naturally possible to pass options that change the way Docker behaves when working with storage. As we mentioned earlier, Docker supports several storage drivers, all based on the layers scheme.
These options are passed to the daemon through the "--storage-opt" parameter, where options related to Device Mapper take the "dm" prefix and those for (guess what?) ZFS take "zfs". Below we will demonstrate some of the most common options:
- dm.thinpooldev -- With this option you can specify the device that will be used by Device Mapper to build the thin pool that it uses to create the snapshots used by containers and images.
Example:
root@linuxtips:~# dockerd --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: false
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.
................................
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=c3959b1 execdriver=native-0.2 graphdriver=aufs version=1.10.2
INFO[0000] API listen on /var/run/docker.sock
- dm.basesize -- This parameter defines the maximum container size. The annoying thing is that you need to delete everything inside "/var/lib/docker" (which implies killing all containers and images) and restart the Docker service.
root@linuxtips:~# dockerd --storage-opt dm.basesize=10G
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: false
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.
..........................
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=c3959b1 execdriver=native-0.2 graphdriver=aufs version=1.10.2
INFO[0000] API listen on /var/run/docker.sock
- dm.fs -- Specifies the container filesystem. The supported options are: EXT4 and XFS.
11.4. Network options
It's also possible to control how the daemon will behave in relation to the network:
- --default-gateway -- Self-explanatory, right? All containers will receive this IP as the gateway.
- --dns -- No secret here either: it's the DNS that will be used for queries.
- --dns-search -- Specifies the domain to be searched, so you can look up machines without using the FQDN.
- --ip-forward -- This option enables routing between containers. By default, it is already set to true.
11.5. Miscellaneous options
- --default-ulimit -- When this is passed to the daemon, all containers will be started with this value for "ulimit". This option is overridden by the "--ulimit" parameter of the "docker container run" command, which will generally provide a more specific view.
- --icc -- "icc" stands for inter-container communication. By default, it is set to true; if you don't want this type of communication, you can set it to false in the daemon.
- --log-level -- It's also possible to change the way Docker handles logging; in some situations (usually troubleshooting) you may need a more "verbose" log, for example.