The Docker daemon (dockerd) is the background process that manages Docker objects — images, containers, networks, and volumes. Proper daemon configuration is essential for security, performance, and operational stability. This guide covers the daemon configuration file, key settings, and production tuning.
Configuration File

```json
# /etc/docker/daemon.json (create if it does not exist)
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "50m",
    "max-file": "5"
  },
  "storage-driver": "overlay2",
  "data-root": "/var/lib/docker",
  "default-address-pools": [
    {"base": "172.20.0.0/16", "size": 24}
  ],
  "live-restore": true,
  "userland-proxy": false,
  "default-ulimits": {
    "nofile": { "Name": "nofile", "Hard": 65536, "Soft": 32768 }
  },
  "metrics-addr": "127.0.0.1:9323",
  "experimental": false
}
```

The first line above is a path reminder, not part of the file: daemon.json must be strict JSON with no comment lines.
Key Settings

The snippets below use // comments for explanation only. daemon.json does not allow comments, so strip them before saving or the daemon will refuse to start.

Logging

```jsonc
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "50m",    // Max size per log file
    "max-file": "5",      // Keep 5 rotated files
    "compress": "true"    // Compress rotated logs (log-opts values are always strings)
  }
}
// Without log rotation, container logs grow unbounded and fill the disk!
// Alternative drivers: syslog, journald, fluentd, gelf, awslogs
// Changing log-driver or log-opts only affects containers created afterwards;
// existing containers keep the settings they were started with.
```
Storage

```jsonc
{
  "storage-driver": "overlay2",   // Best performance for most setups
  "data-root": "/data/docker",    // Move Docker data to a dedicated disk
  "storage-opts": [
    // Only needed on very old kernels; deprecated in Docker 23.0 and removed in 24.0
    "overlay2.override_kernel_check=true"
  ]
}
```
Network

```jsonc
{
  "bip": "172.17.0.1/16",                  // Default bridge network CIDR
  "default-address-pools": [
    {"base": "172.20.0.0/16", "size": 24}  // Pool for custom networks
  ],
  "dns": ["1.1.1.1", "8.8.8.8"],           // Default DNS for containers
  "userland-proxy": false                  // Use iptables instead (better performance)
}
```
Security

```jsonc
{
  "icc": false,                 // Disable inter-container communication on default bridge
  "no-new-privileges": true,    // Prevent privilege escalation via setuid/setgid binaries
  "userns-remap": "default",    // Enable user namespace remapping (container root != host root)
  "seccomp-profile": "/etc/docker/seccomp-profile.json",
  "live-restore": true          // Keep containers running during daemon restart
}
```

Enabling userns-remap switches the daemon to a separate, remapped data directory under data-root, so images and containers created before the change are no longer visible until they are pulled or recreated; plan the switch before a host goes into production.
Remote API (Use with TLS Only)

```jsonc
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],  // 0.0.0.0 listens on every interface; firewall 2376
  "tls": true,
  "tlscacert": "/etc/docker/tls/ca.pem",
  "tlscert": "/etc/docker/tls/server-cert.pem",
  "tlskey": "/etc/docker/tls/server-key.pem",
  "tlsverify": true   // Also require a client certificate signed by the CA above
}
```

Anyone who can reach the API can start a privileged container and take over the host, so an unauthenticated tcp:// listener is equivalent to giving root to the network. On systemd-based installs the unit file already passes `-H fd://` to dockerd; setting `hosts` in daemon.json as well is a conflict that stops the daemon from starting, so remove `-H` from ExecStart with a systemd drop-in override first.
Performance Tuning

```jsonc
// Increase container limits
{
  "default-ulimits": {
    "nofile": { "Name": "nofile", "Hard": 65536, "Soft": 32768 },
    "nproc": { "Name": "nproc", "Hard": 4096, "Soft": 2048 }
  },
  "default-shm-size": "256m"   // Shared memory (default 64m)
}
```

System-level tuning:

```ini
# /etc/sysctl.d/docker.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
vm.max_map_count = 262144          # Required for Elasticsearch
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
```
Monitoring Docker Daemon

Enable Prometheus metrics (bound to loopback so the endpoint is not reachable from the network):

```json
{
  "metrics-addr": "127.0.0.1:9323"
}
```

Key metrics available:

```text
engine_daemon_container_states_containers{state="running"}
engine_daemon_image_actions_seconds
builder_builds_triggered_total
process_resident_memory_bytes
```

Docker system info:

```bash
docker system info
docker system df       # Disk usage
docker system df -v    # Detailed disk usage
docker system events   # Real-time events
```
Cleanup and Maintenance

```bash
# Remove unused resources
docker system prune             # Remove stopped containers, unused networks, dangling images
docker system prune -a          # Also remove unused images (not just dangling)
docker system prune --volumes   # Also remove unused volumes (DESTRUCTIVE)
```

Automated cleanup via cron:

```cron
0 3 * * * docker system prune -f --filter "until=168h"   # Remove items older than 7 days
```
Applying Configuration Changes

```bash
# Validate JSON before restarting (a syntax error here prevents dockerd from starting)
python3 -m json.tool /etc/docker/daemon.json
# On Docker 23.0+ the daemon can also check the file for unknown or conflicting options
dockerd --validate --config-file /etc/docker/daemon.json

# After editing daemon.json, restart Docker
sudo systemctl restart docker

# Or send SIGHUP to reload only the options that support live reload
# (debug, labels, max-concurrent-downloads, insecure-registries, registry-mirrors,
# runtimes, among others); hosts, log-driver and storage settings still need a restart
sudo kill -SIGHUP $(pidof dockerd)
```

live-restore does not make SIGHUP reloads possible; its job is to keep containers running across the full restart that most changes require.
Best Practices

- Always configure log rotation: without it, container logs eventually fill the disk
- Enable `live-restore` to keep containers running during Docker daemon upgrades
- Disable `userland-proxy` for better network performance
- Use `data-root` to store Docker data on a dedicated disk or partition
- Enable Prometheus metrics for production monitoring
- Schedule regular `docker system prune` to reclaim disk space
- Always use TLS for remote Docker API access
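As an added example (not code from the original page or from Docker itself), here is a small Python audit that checks a parsed daemon.json against the settings covered above; the list of checks and the wording of each finding are my own.

```python
"""Audit a Docker daemon.json for the hardening settings discussed on this page."""
import ipaddress
import json
from urllib.parse import urlparse


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Logging: with the json-file driver and no max-size, logs grow without bound.
    log_opts = cfg.get("log-opts", {})
    if cfg.get("log-driver", "json-file") == "json-file" and "max-size" not in log_opts:
        findings.append("log rotation not configured (log-opts.max-size missing)")

    # Remote API: every tcp:// listener must require TLS client certificates.
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not (cfg.get("tls") and cfg.get("tlsverify")):
            findings.append(f"{host} exposes the API without tls+tlsverify")

    # Metrics endpoint should stay on loopback unless it is deliberately exposed.
    addr = cfg.get("metrics-addr")
    if addr:
        host_part = urlparse(f"//{addr}").hostname  # handles "1.2.3.4:9323" and "[::1]:9323"
        try:
            if not ipaddress.ip_address(host_part).is_loopback:
                findings.append(f"metrics-addr {addr} is not bound to loopback")
        except ValueError:
            findings.append(f"metrics-addr {addr} has an unparseable host")

    # Container hardening defaults from the Security section (icc defaults to true).
    if cfg.get("icc", True):
        findings.append("icc is enabled: containers on the default bridge can talk freely")
    if not cfg.get("no-new-privileges", False):
        findings.append("no-new-privileges not set")
    if not cfg.get("live-restore", False):
        findings.append("live-restore disabled: daemon restarts stop every container")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not enabled: container root maps to host root")
    return findings


def audit_file(path: str = "/etc/docker/daemon.json") -> list[str]:
    """Load daemon.json from disk (strict JSON, so comments make this fail) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))
```

Run `python3 audit.py` style usage by calling `audit_file()` and printing each finding; a clean production config should return an empty list.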