
What is the purpose of the switch --containerd in the command dockerd?


If I run systemctl cat docker.service to check the unit file of docker.service, ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock can be found in the default unit file of docker.

My question is: what is the purpose of the switch --containerd=/run/containerd/containerd.sock?

According to the answer to this question, if I generate an override file for docker.service with the content as:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd://

The effective configuration would be:

[Service]
ExecStart=/usr/bin/dockerd -H fd://

and --containerd=/run/containerd/containerd.sock will be omitted.

What will happen as a result of this configuration, then? I hope that docker can work properly both locally and remotely with TLS protection enabled. I also need to invoke the docker daemon via ssh.

Thank you in advance.


Solution

  • The important part of the documentation is somewhat further down in the "Docker runtime execution options" section, where it says:

    The Docker daemon relies on a OCI compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces, cgroups, and SELinux.

    By default, the Docker daemon automatically starts containerd. If you want to control containerd startup, manually start containerd and pass the path to the containerd socket using the --containerd flag.

    In other words, the original Docker unit probably includes --containerd=/run/containerd/containerd.sock because containerd is managed by systemd .socket and .service units.

    By excluding the flag from your override, my reading of the docs is that Docker will start up its own containerd instance rather than using the one bound to /run/containerd/containerd.sock.

    Probably harmless, but it's probably a better idea just to add that flag to your override command line.
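
As an added illustration (not part of the original answer or of Docker's documentation), this shell script folds the packaged unit and a drop-in together the way the question describes, where an empty ExecStart= clears the earlier value, and reports whether --containerd survives. The function names and the unit text are constructed for the example; on a real host, systemctl cat docker.service shows the actual files.

```shell
#!/bin/sh
# Added example: all unit text below is constructed, not read from a host.

# Fold ExecStart= lines from the main unit followed by a drop-in:
# an empty "ExecStart=" assignment clears everything collected so far.
effective_execstart() {
    # $1 = main unit text, $2 = drop-in text (applied after the main unit)
    printf '%s\n%s\n' "$1" "$2" | awk '
        /^ExecStart= *$/ { n = 0; next }
        /^ExecStart=/    { sub(/^ExecStart=/, ""); cmd[++n] = $0 }
        END { for (i = 1; i <= n; i++) print cmd[i] }'
}

# Succeeds if the command line passes --containerd ("=" or space form).
uses_external_containerd() {
    printf '%s\n' "$1" |
        grep -Eq -- '(^|[[:space:]])--containerd(=|[[:space:]])'
}

UNIT='[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'

OVERRIDE_FROM_QUESTION='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd://'

# Corrected drop-in: same reset, but the socket flag is carried over.
OVERRIDE_WITH_FLAG='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'

report() {
    cmd=$(effective_execstart "$UNIT" "$1")
    if uses_external_containerd "$cmd"; then
        echo "OK:   $cmd"
    else
        # Per the documentation quoted above, dockerd then starts containerd itself.
        echo "WARN: --containerd dropped: $cmd"
    fi
}

report "$OVERRIDE_FROM_QUESTION"
report "$OVERRIDE_WITH_FLAG"
```
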