Potentially the most important security improvement is that, by default, container processes running as root user will have expected administrative privilege (with some restrictions) inside the container but will effectively be mapped to an unprivileged uid on the host.

For details about how to use this feature, as well as its limitations, see Isolate containers with a user namespace. IP masquerading uses address translation to allow containers without a public IP to talk to other machines on the Internet.

Systemd represents hierarchy by slice and the name of the slice encodes the location in the tree. So --cgroup-parent for systemd cgroups should be a slice name. A name can consist of a dash-separated series of names, which describes the path to the slice from the root slice. This setting can also be set per container, using the --cgroup-parent option on docker create and docker run, and takes precedence over the --cgroup-parent option on the daemon.

The --metrics-addr option takes a tcp address to serve the metrics API. This feature is still experimental, therefore, the daemon must be running in experimental mode for this feature to work.

To serve the metrics API on localhost:9323 you would specify --metrics-addr 127. Port 9323 is the default port associated with Docker metrics, chosen to avoid collisions with other Prometheus exporters and services. If you are running a Prometheus server, you can add this address to your scrape configs to have Prometheus collect metrics on Docker. For more information on Prometheus, refer to the Prometheus website. Please provide feedback on what you would like to see collected in the API.

This uses the same flag names as keys, except for flags that allow several entries, where it uses the plural of the flag name, e.

The options set in the configuration file must not conflict with options set via flags. The docker daemon fails to start if an option is duplicated between the file and the flags, regardless of their values.

We do this to avoid silently ignoring changes introduced in configuration reloads. For example, the daemon fails to start if you set daemon labels in the configuration file and also set daemon labels via the --label flag. Options that are not present in the file are ignored when the daemon starts. The --config-file flag can be used to specify a non-default location.
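A small pre-flight check for the duplicate-option rule described above, added here as an example (not part of the Docker documentation or the dockerd code base). It assumes the plural-key convention the page states for multi-entry flags, a constructed subset of such keys, and that -H is the short form of --host.

```python
import json
import shlex

# Flags that accept several entries are stored under the plural key in
# daemon.json; all other flags map 1:1 to the flag name without the dashes.
# Constructed subset for this example; extend as needed.
PLURAL_KEYS = {
    "label": "labels",
    "host": "hosts",
    "insecure-registry": "insecure-registries",
    "registry-mirror": "registry-mirrors",
    "cluster-store-opt": "cluster-store-opts",
}
SHORT_FLAGS = {"-H": "host"}  # assumption: -H is the short form of --host


def flags_in_argv(argv):
    """Return the set of daemon.json keys addressed by a dockerd argv.

    Handles "--flag value", "--flag=value", repeated flags, boolean flags
    given without a value, and the short -H form.
    """
    keys = set()
    for tok in argv:
        if tok in SHORT_FLAGS:
            name = SHORT_FLAGS[tok]
        elif tok.startswith("--"):
            name = tok[2:].split("=", 1)[0]
        else:
            continue  # program name or a flag's value, e.g. "env=prod"
        keys.add(PLURAL_KEYS.get(name, name))
    return keys


def find_conflicts(config_text, cmdline):
    """Keys present both in daemon.json and on the dockerd command line.

    Any duplicated option makes dockerd refuse to start, even when both
    values agree, so the values themselves are deliberately ignored.
    """
    config = json.loads(config_text)
    return sorted(set(config) & flags_in_argv(shlex.split(cmdline)))


if __name__ == "__main__":
    # Constructed sample: labels set in the file and via --label collide.
    sample_config = '{"labels": ["env=prod"], "cluster-store": "consul://192.0.2.5:8500"}'
    sample_cmd = "dockerd --label env=prod --cluster-advertise 192.0.2.10:2376"
    print(find_conflicts(sample_config, sample_cmd))  # ['labels']
```

On a systemd host the unit already passes -H, so a "hosts" key in the file is reported as a conflict by the same check.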

On systems that use systemd to start the Docker daemon, -H is already set, so you cannot use the hosts key in daemon. Some options can be reconfigured while the daemon is running, without restarting the process.

These options can be modified in the configuration file, but the daemon still checks them for conflicts with the provided flags. Updating and reloading the cluster configurations, such as --cluster-store, --cluster-advertise and --cluster-store-opts, takes effect only if these configurations were not previously configured.

If --cluster-store has been provided as a flag but cluster-advertise has not, cluster-advertise can be added in the configuration file alongside --cluster-store. Configuration reload logs a warning message if it detects a change in previously configured cluster configurations.

The user should be aware of unsolved problems: this solution may not work properly in all cases. Solutions are currently under development and will be delivered in the near future. This section describes how to run multiple Docker daemons on a single host. To run multiple daemons, you must configure each daemon so that it does not conflict with the other daemons on the same host.

You can set these options either by providing them as flags, or by using a daemon configuration file. It is very important to properly understand the meaning of those options and to use them correctly. The heartbeat setting specifies the heartbeat timer in seconds, which the daemon uses as a keepalive mechanism to make sure the discovery module treats the node as alive in the cluster.

If not configured, the default value is 20 seconds. The TTL (time-to-live) setting specifies the interval in seconds after which the discovery module times out a node if a valid heartbeat has not been received within the configured TTL value.
