```ini
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
```
```ini
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --data-root /data/docker -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500

[Install]
WantedBy=multi-user.target
```
/usr/lib/systemd/system/docker.socket
```ini
[Unit]
Description=Docker Socket for the API

[Socket]
# If /var/run is not implemented as a symlink to /run, you may need to
# specify ListenStream=/var/run/docker.sock instead.
ListenStream=/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
```
```
[root@lqz-test-demo docker]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete
Digest: sha256:d000bc569937abbe195e20322a0bde6b2922d805332fd6d8a68b19f524b7d21d
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

[root@lqz-test-demo docker]# docker ps
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                     PORTS     NAMES
[root@lqz-test-demo docker]# docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                     PORTS     NAMES
032728d558f6   hello-world   "/hello"   10 seconds ago   Exited (0) 9 seconds ago             jolly_agnesi
[root@lqz-test-demo docker]#
```
Possible errors
```
time="2024-03-04T20:19:19.229005631+08:00" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
failed to start containerd: exec: "containerd": executable file not found in $PATH
```
```
Digest: sha256:d000bc569937abbe195e20322a0bde6b2922d805332fd6d8a68b19f524b7d21d
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: runtime "io.containerd.runc.v2" binary not installed "containerd-shim-runc-v2": file does not exist: unknown.
ERRO[0008] error waiting for container: context canceled
[root@lqz-test-demo ~]# docker run hello-world
docker: Error response from daemon: runtime "io.containerd.runc.v2" binary not installed "containerd-shim-runc-v2": file does not exist: unknown.
```
```
3月 05 23:41:16 lqz-test-demo dockerd[3516]: time="2024-03-05T23:41:16.021871261+08:00" level=warning msg="failed to retrieve docker-init version: exec: \"docker-init\": executable file not found in $PATH"
3月 05 23:41:16 lqz-test-demo dockerd[3516]: time="2024-03-05T23:41:16.023921698+08:00" level=info msg="Docker daemon" commit=79ea9d3 graphdriver(s)=overlay2 version=20.10.9
3月 05 23:41:16 lqz-test-demo dockerd[3516]: time="2024-03-05T23:41:16.023947949+08:00" level=info msg="Daemon has completed initialization"
3月 05 23:41:16 lqz-test-demo dockerd[3516]: failed to find runc binary
3月 05 23:41:16 lqz-test-demo systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
3月 05 23:41:16 lqz-test-demo systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
```
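All three failures above have the same root cause: dockerd execs its helpers (containerd, containerd-shim-runc-v2, runc, docker-init) by name, and docker.socket refers to a `docker` group, so a binary install that skipped any of them fails only at start time. The pre-flight script below is an added example, not from the original post or from the Docker project. It takes the directory to search, the group file and the socket path as arguments so it can be run against a test tree; on a real host those would be the directory you unpacked the binaries into, `/etc/group` and `/run/docker.sock`. It also checks that an existing socket keeps the `0660` mode from the docker.socket unit, since membership of that group is root-equivalent.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for a binary
# Docker install. Arguments are assumed for testability:
#   docker_preflight BINDIR GROUPFILE SOCKET
# Prints one line per problem found; returns 0 if none were found, 1 otherwise.
docker_preflight() {
    bindir=$1; groupfile=$2; sock=$3
    rc=0

    # dockerd looks these up on its PATH; the errors above name each of them.
    for bin in containerd containerd-shim-runc-v2 runc docker-init; do
        if [ ! -x "$bindir/$bin" ]; then
            echo "missing: $bin (expected executable at $bindir/$bin)"
            rc=1
        fi
    done

    # docker.socket sets SocketGroup=docker; systemd warns if the group is absent.
    if ! grep -q '^docker:' "$groupfile"; then
        echo "missing: group 'docker' in $groupfile"
        rc=1
    fi

    # Members of the docker group can drive the daemon as root, so the socket
    # must not be group- or world-writable beyond SocketMode=0660.
    if [ -e "$sock" ]; then
        mode=$(stat -c '%a' "$sock" 2>/dev/null || stat -f '%Lp' "$sock")
        case "$mode" in
            660|0660) ;;
            *) echo "bad mode: $sock is $mode, expected 0660"; rc=1 ;;
        esac
    fi

    return $rc
}

# Example on a real host (paths assumed): run before "systemctl start docker".
#   docker_preflight /usr/local/bin /etc/group /run/docker.sock
```

Run it before starting `docker.service`; a non-zero exit means one of the errors shown above is waiting to happen, and the printed lines tell you which binary or group to add first.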
```
Options:
      --add-runtime runtime                   Register an additional OCI compatible runtime (default [])
      --allow-nondistributable-artifacts list Allow push of nondistributable artifacts to registry
      --api-cors-header string                Set CORS headers in the Engine API
      --authorization-plugin list             Authorization plugins to load
      --bip string                            Specify network bridge IP
  -b, --bridge string                         Attach containers to a network bridge
      --cdi-spec-dir list                     CDI specification directories to use
      --cgroup-parent string                  Set parent cgroup for all containers
      --config-file string                    Daemon configuration file (default "/etc/docker/daemon.json")
      --containerd string                     containerd grpc address
      --containerd-namespace string           Containerd namespace to use (default "moby")
      --containerd-plugins-namespace string   Containerd namespace to use for plugins (default "plugins.moby")
      --cpu-rt-period int                     Limit the CPU real-time period in microseconds for the
                                              parent cgroup for all containers (not supported with cgroups v2)
      --cpu-rt-runtime int                    Limit the CPU real-time runtime in microseconds for the
                                              parent cgroup for all containers (not supported with cgroups v2)
      --cri-containerd                        start containerd with cri
      --data-root string                      Root directory of persistent Docker state (default "/var/lib/docker")
  -D, --debug                                 Enable debug mode
      --default-address-pool pool-options     Default address pools for node specific local networks
      --default-cgroupns-mode string          Default mode for containers cgroup namespace ("host" | "private") (default "private")
      --default-gateway ip                    Container default gateway IPv4 address
      --default-gateway-v6 ip                 Container default gateway IPv6 address
      --default-ipc-mode string               Default mode for containers ipc ("shareable" | "private") (default "private")
      --default-network-opt mapmap            Default network options (default map[])
      --default-runtime string                Default OCI runtime for containers (default "runc")
      --default-shm-size bytes                Default shm size for containers (default 64MiB)
      --default-ulimit ulimit                 Default ulimits for containers (default [])
      --dns list                              DNS server to use
      --dns-opt list                          DNS options to use
      --dns-search list                       DNS search domains to use
      --exec-opt list                         Runtime execution options
      --exec-root string                      Root directory for execution state files (default "/var/run/docker")
      --experimental                          Enable experimental features
      --fixed-cidr string                     IPv4 subnet for fixed IPs
      --fixed-cidr-v6 string                  IPv6 subnet for fixed IPs
  -G, --group string                          Group for the unix socket (default "docker")
      --help                                  Print usage
  -H, --host list                             Daemon socket(s) to connect to
      --host-gateway-ip ip                    IP address that the special 'host-gateway' string in --add-host resolves to.
                                              Defaults to the IP address of the default bridge
      --http-proxy string                     HTTP proxy URL to use for outgoing traffic
      --https-proxy string                    HTTPS proxy URL to use for outgoing traffic
      --icc                                   Enable inter-container communication (default true)
      --init                                  Run an init in the container to forward signals and reap processes
      --init-path string                      Path to the docker-init binary
      --insecure-registry list                Enable insecure registry communication
      --ip ip                                 Default IP when binding container ports (default 0.0.0.0)
      --ip-forward                            Enable net.ipv4.ip_forward (default true)
      --ip-masq                               Enable IP masquerading (default true)
      --ip6tables                             Enable addition of ip6tables rules (experimental)
      --iptables                              Enable addition of iptables rules (default true)
      --ipv6                                  Enable IPv6 networking
      --label list                            Set key=value labels to the daemon
      --live-restore                          Enable live restore of docker when containers are still running
      --log-driver string                     Default driver for container logs (default "json-file")
  -l, --log-level string                      Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
      --log-opt map                           Default log driver options for containers (default map[])
      --max-concurrent-downloads int          Set the max concurrent downloads (default 3)
      --max-concurrent-uploads int            Set the max concurrent uploads (default 5)
      --max-download-attempts int             Set the max download attempts for each pull (default 5)
      --metrics-addr string                   Set default address and port to serve the metrics api on
      --mtu int                               Set the containers network MTU (default 1500)
      --network-control-plane-mtu int         Network Control plane MTU (default 1500)
      --no-new-privileges                     Set no-new-privileges by default for new containers
      --no-proxy string                       Comma-separated list of hosts or IP addresses for which the proxy is skipped
      --node-generic-resource list            Advertise user-defined resource
      --oom-score-adjust int                  Set the oom_score_adj for the daemon
  -p, --pidfile string                        Path to use for daemon PID file (default "/var/run/docker.pid")
      --raw-logs                              Full timestamps without ANSI coloring
      --registry-mirror list                  Preferred registry mirror
      --rootless                              Enable rootless mode; typically used with RootlessKit
      --seccomp-profile string                Path to seccomp profile. Use "unconfined" to disable the default seccomp profile (default "builtin")
      --selinux-enabled                       Enable selinux support
      --shutdown-timeout int                  Set the default shutdown timeout (default 15)
  -s, --storage-driver string                 Storage driver to use
      --storage-opt list                      Storage driver options
      --swarm-default-advertise-addr string   Set default address or interface for swarm advertised address
      --tls                                   Use TLS; implied by --tlsverify
      --tlscacert string                      Trust certs signed only by this CA (default "~/.docker/ca.pem")
      --tlscert string                        Path to TLS certificate file (default "~/.docker/cert.pem")
      --tlskey string                         Path to TLS key file (default "~/.docker/key.pem")
      --tlsverify                             Use TLS and verify the remote
      --userland-proxy                        Use userland proxy for loopback traffic (default true)
      --userland-proxy-path string            Path to the userland proxy binary
      --userns-remap string                   User/Group setting for user namespaces
      --validate                              Validate daemon configuration and exit
  -v, --version                               Print version information and quit
```
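The options above are what a hand-written `ExecStart=` line hands to dockerd, and a few of them decide who can control the daemon. The shell function below is an added example, not from the original post or the Docker project; it audits a dockerd flag string using only flag names from the listing: a `tcp://` listener (`-H`/`--host`) without `--tlsverify`, `--insecure-registry`, and `--seccomp-profile unconfined` are reported as high findings, and the absence of the opt-in hardening flags `--no-new-privileges`, `--userns-remap` and `--live-restore` is reported as advice. The sample flag strings are constructed; the `sed` usage line assumes the unit path used in this post.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the flags passed to dockerd.
# Flag names are taken from the dockerd --help listing above.

# _has_flag FLAGS REGEX: true if the flag string matches the extended regex.
_has_flag() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_dockerd_flags "FLAGS": prints one finding per line,
# returns 1 if any HIGH finding was raised, 0 otherwise.
audit_dockerd_flags() {
    flags=$1
    high=0
    sp='(^|[[:space:]])'   # a flag must start at a token boundary

    # A tcp:// listener without --tlsverify accepts API calls from anyone who
    # can reach the port, and the API is root-equivalent on the host.
    if _has_flag "$flags" "${sp}(-H|--host)[[:space:]=]+tcp://" \
       && ! _has_flag "$flags" "${sp}--tlsverify"; then
        echo "HIGH: TCP API listener without --tlsverify"; high=1
    fi
    # --insecure-registry turns off TLS verification for the named registry.
    if _has_flag "$flags" "${sp}--insecure-registry"; then
        echo "HIGH: --insecure-registry disables registry TLS verification"; high=1
    fi
    # "unconfined" drops the default seccomp profile for every container.
    if _has_flag "$flags" "${sp}--seccomp-profile[[:space:]=]+unconfined"; then
        echo "HIGH: default seccomp profile disabled"; high=1
    fi
    # Opt-in hardening flags from the listing; their absence is advisory.
    _has_flag "$flags" "${sp}--no-new-privileges" || echo "INFO: consider --no-new-privileges"
    _has_flag "$flags" "${sp}--userns-remap"      || echo "INFO: consider --userns-remap"
    _has_flag "$flags" "${sp}--live-restore"      || echo "INFO: consider --live-restore"
    return $high
}

# Usage on a host with the unit from this post (strips "ExecStart=/usr/bin/dockerd "):
#   audit_dockerd_flags "$(sed -n 's/^ExecStart=[^ ]* //p' /usr/lib/systemd/system/docker.service)"
```

The unit shown earlier passes only `-H fd://` and `--containerd=...`, so it raises no high finding; the INFO lines are the place to start if you want the daemon hardened beyond the defaults. The same flags can be set in `daemon.json` instead, which this function does not read.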