Docker Service Configuration

Master the essentials of configuring the Docker daemon (dockerd) on Linux. This guide covers systemd management, foreground debugging, socket tuning, remote access, TLS security, and persistent configuration.

Table of Contents

  1. Managing Docker with systemd
  2. Running the Daemon in Foreground
  3. Default Unix Socket
  4. Exposing the Daemon on TCP
  5. Securing the Daemon with TLS
  6. Persisting Configuration in daemon.json
  7. Flag vs Configuration File Conflicts

Managing Docker with systemd

Use systemd to start, stop, and inspect the Docker service. By default, Docker is enabled to launch on boot.

Command                           Description
sudo systemctl start docker       Start the Docker service
sudo systemctl stop docker        Stop the Docker service
sudo systemctl restart docker     Restart the service
sudo systemctl status docker      Show current status and logs
sudo systemctl enable docker      Enable docker at startup
sudo systemctl disable docker     Disable automatic startup

Example status output:

● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-10-21 04:21:01 UTC; 3 days ago
     Docs: https://docs.docker.com
 Main PID: 4197 (dockerd)
    Tasks: 13
   Memory: 129.7M
      CPU: 9min 6.980s
   CGroup: /system.slice/docker.service
           └─4197 /usr/bin/dockerd -H fd:// -H tcp://0.0.0.0 --containerd=/run/containerd/containerd.sock

Note

If you make changes to /etc/docker/daemon.json, restart Docker with sudo systemctl restart docker to apply them.


Running the Daemon in Foreground

Troubleshoot or capture real-time logs by launching dockerd interactively.

# Launch daemon in foreground
dockerd

# Enable debug logging
dockerd --debug

Sample debug output:

INFO[2020-10-24T08:29:00.331Z] Starting up
DEBU[2020-10-24T08:29:00.332Z] Listener created for HTTP on unix (/var/run/docker.sock)
DEBU[2020-10-24T08:29:00.333Z] Golang's threads limit set to 6930
WARN[2020-10-24T08:29:00.364Z] Your kernel does not support cgroup runtime

Note

Foreground mode is ideal for capturing logs in CI pipelines or debugging startup failures.


Default Unix Socket

By default, Docker listens on a Unix domain socket. This restricts access to local clients only:

  • Socket path: /var/run/docker.sock
  • Access: Local IPC (no remote connections)

The Docker CLI uses this socket unless DOCKER_HOST is overridden.


Exposing the Daemon on TCP

To allow remote management, bind dockerd to both the Unix socket and a TCP port:

dockerd \
  --host=unix:///var/run/docker.sock \
  --host=tcp://192.168.1.10:2375

On a remote client:

export DOCKER_HOST="tcp://192.168.1.10:2375"
docker ps

Warning

Port 2375 is unencrypted and unauthenticated. Exposing it publicly invites unauthorized access and potential malicious use. Enable it only on secured networks or for testing.


Securing the Daemon with TLS

Encrypt and authenticate connections on port 2376 by enabling TLS:

  1. Generate CA, server, and client certificates.
  2. Place server.pem and serverkey.pem in a secure directory.
  3. Start dockerd with TLS options:

dockerd \
  --host=unix:///var/run/docker.sock \
  --host=tcp://192.168.1.10:2376 \
  --tls=true \
  --tlscert=/var/docker/server.pem \
  --tlskey=/var/docker/serverkey.pem

Clients must reference the CA and their own certs:

docker --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=client.pem \
  --tlskey=client-key.pem \
  -H=tcp://192.168.1.10:2376 info

Note

Using TLS ensures confidentiality, integrity, and authentication for remote Docker API calls.


Persisting Configuration in daemon.json

Avoid long startup flags by defining options in /etc/docker/daemon.json:

{
  "debug": true,
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://192.168.1.10:2376"
  ],
  "tls": true,
  "tlscert": "/var/docker/server.pem",
  "tlskey": "/var/docker/serverkey.pem"
}

Then restart Docker to apply the file:

sudo systemctl restart docker
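
A check for the hosts and TLS settings of a daemon.json like the one above, added here as an example and not part of the original course material. With "tls" set but no "tlsverify", the daemon encrypts the TCP listener but does not check client certificates. The function name, the issue codes, the second sample and its ca.pem path are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

ALL_INTERFACES = {"0.0.0.0", "::"}  # wildcard bind addresses

def audit_daemon_config(text):
    """Return (host, issue) pairs for each TCP listener in a daemon.json document.

    Hypothetical helper for illustration; the issue codes are made up for this example.
    """
    cfg = json.loads(text)
    verify = cfg.get("tlsverify") is True
    tls = verify or cfg.get("tls") is True  # tlsverify implies tls
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners accept local clients only
        if not tls:
            findings.append((host, "PLAINTEXT"))       # no encryption, no authentication
        elif not verify:
            findings.append((host, "NO_CLIENT_AUTH"))  # encrypted, client certs not checked
        if url.hostname in ALL_INTERFACES:
            findings.append((host, "ALL_INTERFACES"))
    return findings

# The daemon.json shown above (same keys and values).
PAGE_CONFIG = """{
  "debug": true,
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.1.10:2376"],
  "tls": true,
  "tlscert": "/var/docker/server.pem",
  "tlskey": "/var/docker/serverkey.pem"
}"""

# Constructed variant: same listener, client certificates required.
# The ca.pem path is an assumed location, not taken from the page.
VERIFIED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.1.10:2376"],
  "tlsverify": true,
  "tlscacert": "/var/docker/ca.pem",
  "tlscert": "/var/docker/server.pem",
  "tlskey": "/var/docker/serverkey.pem"
}"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("verified", VERIFIED_CONFIG)):
        print(name, audit_daemon_config(text) or "no findings")
```
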

Flag vs Configuration File Conflicts

Mixing CLI flags and daemon.json entries can lead to startup errors:

# Conflicting debug settings
dockerd --debug=false

Error:

unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives are specified both as a flag and in the configuration file:
 debug: (from flag: false, from file: true)

Resolution: Keep all overrides in one place—either CLI flags or the JSON file.

