dockerd
Run the Docker daemon
TLDR
Run Docker daemon
Run Docker daemon and configure it to listen to specific sockets (UNIX and TCP)
Run with specific daemon PID file
Run in debug mode
Run and set a specific log level
SYNOPSIS
dockerd [OPTIONS]
PARAMETERS
--add-runtime driver=path
Register an additional OCI runtime
--authorization-plugin plugin
Authorization plugin name
--config-file path
Daemon configuration file
--containerd path
Path to containerd socket
--debug
Enable debug mode and verbose logging
--default-runtime runtime
Default OCI runtime for containers
--dns IP
DNS server address
--exec-root path
Exec root directory
--experimental
Enable experimental features
--host list
Daemon socket(s): unix://, tcp://, fd://
--iptables
Enable iptables rules (default true)
--log-driver driver
Logging driver: json-file, syslog, etc.
--log-level level
Log level: debug, info, warn, error, fatal
--pidfile path
Path to PID file
--registry-mirror list
Registry mirrors
--root path
Root directory for Docker filesystems
--runroot path
Root directory for execution state
--storage-driver driver
Storage driver: overlay2, aufs, btrfs, etc.
--tls
Enable TLS for remote connections
--version
Print version information
DESCRIPTION
dockerd is the core daemon service of the Docker platform, running as a persistent background process on Linux systems. It manages the full lifecycle of Docker containers, images, networks, volumes, and plugins. The daemon exposes a REST API over Unix sockets (default: /var/run/docker.sock) or TCP ports, allowing clients like the docker CLI to interact with it.
Key responsibilities include pulling/building images from registries, creating and running OCI-compliant containers via containerd and runc, handling storage with drivers like overlay2, networking via bridge or overlay modes, and volume management. It supports features like Swarm mode for orchestration, logging drivers (json-file, syslog), and security options (SELinux, AppArmor, user namespaces).
Typically started by systemd (systemctl start docker), dockerd requires root privileges and binds to privileged ports. Configuration is supplied through command-line flags or /etc/docker/daemon.json. Debug mode enables verbose logging. It is resource-intensive and must be running before Docker clients can connect. In production, secure it with TLS, firewalls, and non-root users where possible.
CAVEATS
Requires root privileges; exposes API socket—secure with TLS/firewalls. High resource usage; conflicts if multiple instances run. Deprecated flags in newer versions; check logs for warnings.
CONFIGURATION FILE
Use daemon.json for persistent settings, e.g.
    {
      "log-driver": "json-file",
      "storage-driver": "overlay2"
    }
Overrides flags; located at /etc/docker/.
SECURITY
Run with --userland-proxy=false, --no-new-privileges; enable user namespaces. Avoid exposing TCP socket publicly without TLS.
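The recommendations above can be checked against a daemon.json before the daemon is restarted. The script below is an added example, not part of dockerd or of this page's original text; the function name audit_daemon_config, both sample configurations and the certificate paths are constructed for illustration, and the defaults it assumes (userland-proxy on, the other settings off) are the daemon's defaults.

```python
import json

# Constructed sample daemon.json contents; certificate paths are placeholders.
WEAK = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file",
  "storage-driver": "overlay2"
}'''

HARDENED = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "userland-proxy": false,
  "no-new-privileges": true,
  "userns-remap": "default",
  "log-driver": "json-file",
  "storage-driver": "overlay2"
}'''

def audit_daemon_config(text):
    """Return a list of findings for one daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are governed by file permissions
        if cfg.get("tlsverify", False):
            continue  # TLS with client certificate verification
        if cfg.get("tls", False):
            findings.append(f"{host}: tls without tlsverify, clients are not authenticated")
        else:
            loopback = host.startswith(("tcp://127.", "tcp://localhost", "tcp://[::1]"))
            scope = "loopback" if loopback else "network-reachable"
            findings.append(f"{host}: {scope} API socket without TLS")
    # A key missing from the file means the daemon default applies.
    if cfg.get("userland-proxy", True):
        findings.append("userland-proxy is enabled")
    if not cfg.get("no-new-privileges", False):
        findings.append("no-new-privileges is not set")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap is not set (user namespaces disabled)")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(text) or "no findings")
```

The script reads only the configuration file, so flags passed on the dockerd command line or in a systemd unit need to be reviewed separately.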
HISTORY
Originated in 2013 from dotCloud's container tools; Docker 1.0 (2014) introduced dockerd. Evolved with Docker Engine; since 2019 under Moby Project. Key milestones: Swarm integration (2016), containerd shift (2017), CRI-O compatibility.
SEE ALSO
docker(1), containerd(1), runc(8), systemd(1)


