docker.service
The file /usr/lib/systemd/system/docker.service is the core systemd service unit for Docker on Linux systems that use systemd as their init system. It defines how the Docker daemon (dockerd) is started, stopped and supervised by the system.
Do not edit /usr/lib/systemd/system/docker.service directly: a package update can overwrite it at any time.
Local customisation goes into /etc/systemd/system/docker.service (a full copy that shadows the packaged unit) or, preferably, a drop-in such as /etc/systemd/system/docker.service.d/override.conf, which overrides only the directives it contains and survives package updates.
# 1. Create the drop-in directory (if it does not exist yet)
sudo mkdir -p /etc/systemd/system/docker.service.d
# 2. Create the override file, e.g. /etc/systemd/system/docker.service.d/override.conf
sudo vi /etc/systemd/system/docker.service.d/override.conf
Common modification scenarios, each with the configuration to add to override.conf:
Changing dockerd start-up parameters
Sets daemon options such as a registry mirror, the data root or logging. The recommended place for these settings is /etc/docker/daemon.json; override ExecStart only for options that cannot be expressed there. A drop-in must first clear the inherited ExecStart with an empty assignment, otherwise systemd rejects the unit, because a Type=notify service may have only one ExecStart.
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --registry-mirror=https://xxxx.mirror.aliyuncs.com
Adding HTTP_PROXY environment variables
Docker is a client/server architecture: a proxy configured for the docker command line does not reach dockerd, so the proxy must be set on the service itself. Set the variables in the drop-in:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080/"
# Registries are normally HTTPS, so HTTPS_PROXY is needed as well or pulls will still go direct
Environment="HTTPS_PROXY=http://proxy.example.com:8080/"
Environment="NO_PROXY=localhost,127.0.0.1"
Note that these variables apply only to dockerd's own traffic (image pull and push, registry login). They are not inherited by containers started with docker run, nor by docker build; those need their own proxy settings, for example the proxies section of ~/.docker/config.json. Put private registries and any other hosts that must be reached directly into NO_PROXY, otherwise their traffic is sent through the proxy too. On Docker Engine 23.0 and later the daemon proxy can also be configured in daemon.json (the proxies key), which avoids touching the unit at all.
Changing resource limits
Some containers need a large number of file descriptors or processes. Containers inherit the daemon's rlimits unless --default-ulimit or --ulimit overrides them, so the limits of the Docker service itself have to be raised.
[Service]
LimitNOFILE=1048576
LimitNPROC=infinity
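The three scenarios above combined into a single drop-in, as an added example that is not part of the page or of the Docker project. The script writes override.conf and then lints it for the ExecStart reset that a drop-in needs before daemon-reload. The mirror URL, proxy host and internal registry name are placeholders, and the target directory is a parameter so the functions can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example, not part of the page or of the Docker project.
# Combines the three override scenarios into one drop-in and lints the
# result. The mirror URL, proxy host and internal registry name are
# placeholders; the target directory is an argument so the functions can
# be run against a scratch directory.

# Write override.conf into $1 (default: the real drop-in directory).
write_docker_dropin() {
    dir="${1:-/etc/systemd/system/docker.service.d}"
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<'EOF'
[Service]
# An empty assignment clears the ExecStart inherited from the packaged unit.
# Without it systemd refuses the unit: Type=notify allows only one ExecStart.
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --registry-mirror=https://mirror.example.com
# Proxy for the daemon's own registry traffic only; containers and builds
# do not inherit these. Hosts listed in NO_PROXY are contacted directly.
Environment="HTTP_PROXY=http://proxy.example.com:8080/"
Environment="HTTPS_PROXY=http://proxy.example.com:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,registry.internal.example"
LimitNOFILE=1048576
LimitNPROC=infinity
EOF
}

# Lint a drop-in before daemon-reload. Returns 0 if clean, 1 otherwise.
check_docker_dropin() {
    f="$1"; rc=0
    grep -q '^\[Service\]' "$f" || { echo "$f: no [Service] section" >&2; rc=1; }
    # Every non-empty ExecStart= must be preceded by an empty ExecStart= reset.
    awk 'BEGIN { bad = 0 }
         /^ExecStart=/ {
             v = $0; sub(/^ExecStart=[ \t]*/, "", v)
             if (v == "") { seen = 1 } else if (!seen) { bad = 1 }
         }
         END { exit bad }' "$f" ||
        { echo "$f: ExecStart= redefined without an empty ExecStart= reset first" >&2; rc=1; }
    # Environment= values containing spaces must be quoted or systemd splits them.
    grep -q '^Environment=[^"].* ' "$f" &&
        { echo "$f: unquoted Environment= value containing a space" >&2; rc=1; }
    return $rc
}

# Typical use (needs root): write, lint, then apply.
# write_docker_dropin && check_docker_dropin /etc/systemd/system/docker.service.d/override.conf \
#     && sudo systemctl daemon-reload && sudo systemctl restart docker
```

Run the lint before daemon-reload: a drop-in that redefines ExecStart without the reset line makes docker.service fail to load, and the error only shows up in systemctl status after the restart.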
Service management
These commands apply to Linux systems that run Docker under systemd.
Reload the systemd configuration (required after editing a unit or a drop-in)
sudo systemctl daemon-reload
Restart the Docker service so the new configuration takes effect (without live-restore in daemon.json this also stops every running container)
sudo systemctl restart docker
Start/stop the Docker service
sudo systemctl start docker
sudo systemctl stop docker
Enable/disable Docker at boot
sudo systemctl enable docker
sudo systemctl disable docker
Check that the change took effect
sudo systemctl status docker
and check the arguments the running daemon was actually started with
ps aux | grep dockerd
The unit's configuration can also be inspected and managed with systemctl:
systemctl show docker   # effective properties after all drop-ins are merged (e.g. -p ExecStart -p Environment -p DropInPaths)
systemctl cat docker    # the unit file followed by every drop-in that applies to it
systemctl edit docker   # creates or opens docker.service.d/override.conf and runs daemon-reload when you save
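As an added example (not from the page or the Docker project), a script that checks the running daemon through /proc rather than ps aux | grep dockerd: ps output is truncated and never shows the environment, so it cannot confirm that an Environment=HTTP_PROXY line from the drop-in actually reached dockerd. The helper names and the use of pgrep are this example's own choices; the helpers take file paths so they can be exercised against constructed /proc-style files.

```sh
#!/bin/sh
# Added example, not part of the page or of the Docker project. Inspects the
# running daemon through /proc instead of `ps aux | grep dockerd`: ps output
# is truncated and never shows the environment, so it cannot confirm that an
# Environment=HTTP_PROXY from the drop-in actually reached dockerd.
# Reading /proc/PID/environ requires root. The helpers take file paths so
# they can be run against constructed files.

# Print the NUL-separated argv in $1 (e.g. /proc/PID/cmdline) one per line.
proc_argv() {
    tr '\0' '\n' < "$1"
}

# Succeed if the NUL-separated environment in $1 (e.g. /proc/PID/environ)
# sets the variable named $2.
proc_has_env() {
    tr '\0' '\n' < "$1" | grep -q "^$2="
}

# Succeed if the argv in $1 enables a TCP API listener (-H tcp://, -Htcp://,
# --host tcp:// or --host=tcp://) without --tlsverify. A plaintext TCP
# listener hands root-equivalent control of the host to anyone who can
# reach the port.
argv_has_insecure_tcp() {
    args=$(proc_argv "$1")
    printf '%s\n' "$args" | grep -Eq '^--tlsverify(=true)?$' && return 1
    printf '%s\n' "$args" | grep -Eq '^(-H|--host=)?tcp://'
}

# Usage on a live host (as root): locate dockerd and report on it.
if command -v pgrep >/dev/null 2>&1; then
    pid=$(pgrep -xo dockerd 2>/dev/null || true)
    if [ -n "$pid" ]; then
        echo "dockerd pid $pid argv:"; proc_argv "/proc/$pid/cmdline"
        proc_has_env "/proc/$pid/environ" HTTP_PROXY && echo "HTTP_PROXY reached dockerd"
        argv_has_insecure_tcp "/proc/$pid/cmdline" && echo "WARNING: TCP API listener without TLS"
    fi
fi
```

The argv check is the one worth automating: a -H tcp:// listener added to ExecStart without --tlsverify exposes the daemon API, and nothing in systemctl status makes that visible.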
Unit file walkthrough
[Unit] section: dependencies and description
This section holds the unit's metadata and its ordering and dependency relationships.
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service time-set.target
Wants=network-online.target containerd.service
Requires=docker.socket
| Directive | Meaning |
|---|---|
| Description= | Human-readable service description |
| Documentation= | Link to the official documentation |
| After= | Ordering only: if these units are started in the same transaction, dockerd starts after them. Here it waits for the network to be online, for firewalld (dockerd inserts its own firewall rules) and containerd to be up, and for the system clock to have been set (time-set.target). |
| Wants= | Weak dependency on network-online.target and containerd.service: systemd pulls them in, but Docker still starts if they fail. |
| Requires= | Strong dependency: docker.socket must start successfully (it creates /var/run/docker.sock for socket activation), and if it fails or is stopped, docker.service is stopped too. containerd.service is only a Wants= here, so dockerd can be started even when the runtime failed and will then fail on its own when it cannot reach the containerd socket. |
[Service] section: process behaviour
This is the core of the file and the part most often modified; it defines how dockerd runs.
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500
| Directive | Meaning |
|---|---|
| Type=notify | dockerd reports readiness to systemd via sd_notify, so the unit counts as started only once the daemon can serve requests; this is the usual type for daemons that support it. |
| ExecStart= | The key directive: the daemon command and its arguments. -H fd:// tells dockerd to serve the Unix socket handed over by docker.socket (socket activation) instead of opening one itself. Anyone who can write to /var/run/docker.sock (the docker group, by default) has root-equivalent access to the host, so do not loosen its permissions, and never add a -H tcp:// listener without --tlsverify. |
| ExecReload= | systemctl reload docker sends SIGHUP to the main process, which makes dockerd re-read daemon.json (only the options documented as reloadable take effect). |
| Restart= | always: restart the daemon whenever it exits, whatever the reason, to keep the service available. |
| RestartSec= | Delay in seconds before a restart. |
| StartLimit* | Rate limit on restarts (here 3 within 60 s) so that a crash loop stops instead of spinning. |
| LimitNPROC= / LimitCORE= | rlimits for the daemon process: unlimited processes and core dumps. The comment in the unit explains the choice: finite limits add kernel accounting overhead, and per-container accounting is done with cgroups instead. Containers inherit the daemon's rlimits unless --default-ulimit or --ulimit overrides them, which is why raising LimitNOFILE in a drop-in also changes what containers can open. |
| TasksMax=infinity | No cap on the number of tasks (threads and processes) in the unit's cgroup; systemd's default limit would otherwise bound how many container processes can exist. |
| Delegate=yes | Hands the unit's cgroup subtree over to dockerd, so systemd does not reset or rewrite the cgroups dockerd creates for containers (as the comment in the unit says). |
| KillMode=process | On stop or restart, systemd signals only the main process (dockerd), not the rest of the cgroup (containerd-shim and container processes), so containers survive a daemon restart. For dockerd to reattach to them afterwards, live-restore must be enabled in daemon.json. |
| OOMScoreAdjust=-500 | Lowers the daemon's OOM-killer score so that, under memory pressure, the kernel prefers to kill other processes (including containers) before dockerd. |
[Install] section: installation target
Defines which systemd target (the equivalent of a run level) the service is linked into when systemctl enable docker is run.
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target means the service is started when the system reaches multi-user mode (the normal non-graphical boot); enable creates the symlink multi-user.target.wants/docker.service under /etc/systemd/system. When docker.socket is enabled as well, the first connection to /var/run/docker.sock also starts docker.service on demand.
Reference configuration file (the packaged unit, reproduced in full)
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service time-set.target
Wants=network-online.target containerd.service
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500
[Install]
WantedBy=multi-user.target